Wolkite University College of Computing and Informatics Department of IT

Chapter One

Introduction to Information Security

Definition of Information System Security

 Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

Information security = confidentiality + integrity + availability + authentication.

 Information security is a "well-informed sense of assurance that the information risks and controls are in balance."
 The terms information security, computer security and information assurance are frequently, and incorrectly, used interchangeably.
 Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms.
 Computer security can focus on ensuring the availability and correct operation of a computer system without concern for the information stored or processed by the computer.
 Information security offers many areas for specialization, including securing networks and allied infrastructure, securing applications and databases, security testing, information systems auditing, business continuity planning and digital forensics.

Information systems security, more commonly referred to as INFOSEC, refers to the processes
and methodologies involved with keeping information confidential, available, and assuring its
integrity.

It also refers to:

 Access controls, which prevent unauthorized personnel from entering or accessing a system.
 Protecting information no matter where that information is, i.e. in transit (such as in an email) or at rest in a storage area.
 The detection and remediation of security breaches, as well as documenting those events.

WHAT IS SECURITY?
In general, security is defined as “the quality or state of being secure—to be free from danger.”
Security is often achieved by means of several strategies usually undertaken simultaneously or
used in combination with one another.

IAS Chapter 1 Lecture Note Prepared by Abraham A

Specialized areas of security

 Information security includes the broad areas of information security management, computer and data security, and network security.
 Physical security, which encompasses strategies to protect people, physical assets, and
the workplace from various threats including fire, unauthorized access, or natural
disasters
 Personal security, which overlaps with physical security in the protection of the people
within the organization
 Operations security, which focuses on securing the organization’s ability to carry out its
operational activities without interruption or compromise
 Communications security, which encompasses the protection of an organization’s
communications media, technology, and content, and its ability to use these tools to
achieve the organization’s objectives
 Network security, which addresses the protection of an organization’s data networking
devices, connections, and contents, and the ability to use that network to accomplish the
organization’s data communication functions
Where is it used?
 Governments, military, financial institutions, hospitals, and private businesses.
 Protecting confidential information is a business requirement.
Information security components are:
 Confidentiality
 Integrity
 Availability (CIA)
CIA Triangle
 The confidentiality, integrity, and availability(C.I.A.) triangle - has expanded into
a more comprehensive list of critical characteristics of information.
 At the heart of the study of information security is the concept of policy. Policy,
awareness, training, education, and technology are vital concepts for the
protection of information and for keeping information systems from danger.


Critical Concepts/Characteristics of Information Security

Elements used to measure the security of a network:
- Confidentiality - Integrity - Availability
- Privacy - Identification - Authentication
- Authorization - Accountability - Accuracy
- Utility - Possession

Confidentiality: also called privacy or secrecy; refers to the protection of information from unauthorized disclosure.
Usually achieved either by restricting access to the information or by encrypting the information so that it is not meaningful to unauthorized individuals or entities.

To protect the confidentiality of information, a number of measures are used:

 Information classification
 Secure document storage
 Application of general security policies
 Education of information custodians/care and end users
Example: a credit card transaction on the Internet.

 The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored.
 Giving out confidential information over the telephone is a breach of confidentiality if the caller is not authorized to have the information.
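One concrete control for the second point above, limiting the places a card number appears, is to redact card numbers from log lines before they are written. The following is an added example (not from the lecture note) in Python: it finds digit runs that pass the Luhn check, which real card numbers satisfy, and masks all but the last four digits. The candidate pattern and the log lines are constructed for the example.

```python
import re

# Candidate primary account numbers (PANs): 13 to 19 digits, optionally separated
# by single spaces or dashes. The pattern is an assumption made for this example.
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum (ISO/IEC 7812-1).

    Real card numbers pass this check, which lets the redactor leave order
    numbers and timestamps that merely look like a PAN untouched.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask(match: re.Match) -> str:
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_valid(digits):
        return raw  # not a PAN: leave the text as it was
    # Keep only the last four digits, the same truncation a printed receipt uses.
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_line(line: str) -> str:
    """Replace every Luhn-valid card number in a log line with its masked form."""
    return _PAN_CANDIDATE.sub(_mask, line)


# Constructed application log lines for the example (not real transactions).
SAMPLE_LOG = [
    "2024-05-01T10:22:03 checkout ok card=4111 1111 1111 1111 amount=42.00",
    "2024-05-01T10:22:09 refund order=1234567890123 reason=duplicate",
    "2024-05-01T10:23:41 checkout failed card=4111111111111112 code=declined",
]


def redact_log(lines=SAMPLE_LOG):
    return [redact_line(line) for line in lines]


if __name__ == "__main__":
    for line in redact_log():
        print(line)
```

The order number on the second line and the mistyped card number on the third fail the Luhn check and stay as they are; only the genuine-looking number on the first line is masked.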
Integrity: the assurance that data received are exactly as sent by an authorized entity.
 Integrity means that data cannot be modified without authorization.
 Data integrity is achieved by preventing unauthorized or improper changes to data, ensuring internal and external consistency, and ensuring that other data attributes (such as timeliness and completeness) are consistent with requirements.
 Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state. Corruption can occur while information is being compiled, stored, or transmitted.
Example: integrity is violated
o when an employee deletes important data files,
o when a computer virus infects a computer,
o when an employee is able to modify his own salary in a payroll database,
o when an unauthorized user vandalizes a website,
o when someone is able to cast a very large number of votes in an online poll, and so on.
Availability:
 Availability is the characteristic of information that enables user access to information
without interference or obstruction and in a required format. A user in this definition may
be either a person or another computer system. Availability does not imply that the
information is accessible to any user; rather, it means availability to authorized users.
 It refers to whether the network, system, hardware, and software are reliable and can
recover quickly and completely in the event of an interruption in service.
Example: High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades.
Privacy:
 The information that is collected, used, and stored by an organization is to be used only for the purposes stated to the data owner at the time it was collected. Privacy in this sense does not mean freedom from observation; it means that information will be used only in ways known to the person providing it.
Identification

 Is simply the process of identifying oneself to another entity, or of determining the identity of the individual or entity with whom you are communicating.
 It is the ability to recognize individual users. Identification and authentication are essential to establishing the level of access or authorization that an individual is granted.
Authentication
 Is the assurance that the communicating entity is the one that it claims to be.
 Authentication occurs when a control provides proof that a user possesses the identity
that he or she claims.
 Authentication is required when communicating over a network or logging onto a
network.
Access Control (Authorization):
 It refers to the ability to control the level of access that individuals or entities have to a network or system and how much information they can receive.
 Your level of authorization basically determines what you are allowed to do once you are authenticated and allowed access to a network, system, or some other resource such as data or information.
 Access control is the determination of the level of authorization to a system, network, or information (e.g., classified, secret, or top-secret).
 After the identity of a user is authenticated, a process called authorization provides assurance that the user (whether a person or a computer) has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset.
Accountability
 It refers to the ability to track or audit what an individual or entity is doing on a network
or system.
 The characteristic of accountability exists when a control provides assurance that every
activity undertaken can be attributed to a named person or automated process.
 Does the system maintain a record of functions performed, files accessed, and
information altered?
For example, audit logs that track user activity on an information system provide accountability.
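The following added example (Python, not part of the lecture note) ties the last three characteristics together: the subject is taken as already authenticated, an authorization check decides what it may do with an asset, and every decision, allowed or denied, is written to an audit log that attributes the action to a named subject. The classification levels, the subjects, the assets, and the rule that reads are allowed only at or below one's clearance while updates and deletes need an explicit grant, are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Ordered classification levels, lowest first (assumed for this example).
LEVELS = {"unclassified": 0, "classified": 1, "secret": 2, "top-secret": 3}


@dataclass
class Subject:
    name: str            # identity established by a prior authentication step
    clearance: str
    roles: frozenset


@dataclass
class Asset:
    name: str
    classification: str
    write_roles: frozenset  # roles the asset owner explicitly granted update/delete


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, subject, action, asset, allowed, reason):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "subject": subject.name,
            "action": action,
            "asset": asset.name,
            "decision": "allow" if allowed else "deny",
            "reason": reason,
        })


def authorize(subject: Subject, action: str, asset: Asset, log: AuditLog) -> bool:
    """Decide whether an authenticated subject may perform action on asset.

    Every outcome is logged, so a later audit can attribute each access, or
    attempted access, to a named subject: that is the accountability property.
    """
    cleared = LEVELS[subject.clearance] >= LEVELS[asset.classification]
    if not cleared:
        log.record(subject, action, asset, False, "clearance below classification")
        return False
    if action == "read":
        log.record(subject, action, asset, True, "clearance sufficient")
        return True
    if action in ("update", "delete"):
        granted = bool(subject.roles & asset.write_roles)
        log.record(subject, action, asset, granted,
                   "explicit grant" if granted else "no explicit grant for role")
        return granted
    log.record(subject, action, asset, False, "unknown action")
    return False


def demo():
    # Constructed subjects and asset for the example.
    payroll = Asset("payroll-db", "classified", frozenset({"hr"}))
    alice = Subject("alice", "secret", frozenset({"analyst"}))
    bob = Subject("bob", "classified", frozenset({"hr"}))
    carol = Subject("carol", "unclassified", frozenset({"intern"}))
    log = AuditLog()
    decisions = (
        authorize(alice, "read", payroll, log),    # True: cleared to read
        authorize(alice, "update", payroll, log),  # False: no hr grant
        authorize(bob, "update", payroll, log),    # True: hr role explicitly granted
        authorize(carol, "read", payroll, log),    # False: cannot read above clearance
    )
    return decisions, log


if __name__ == "__main__":
    decisions, log = demo()
    for entry in log.entries:
        print(entry)
```

Note that denials are logged as carefully as grants: the attempt by carol to read above her clearance is exactly the kind of record an investigator later needs.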
Accuracy
 Information should have accuracy. Information has accuracy when it is free from mistakes or errors and has the value that the end user expects. If information contains a value different from the user's expectations, due to intentional or unintentional modification of its content, it is no longer accurate.

Utility:

 Information has value when it serves a particular purpose. This means that if information is available, but not in a format meaningful to the end user, it is not useful. Thus, the value of information depends on its utility.
Possession
 The possession of information is the quality or state of having ownership or control of some object or item.
Non-Repudiation:

 It refers to the ability to prevent individuals or entities from denying (repudiating) that information, data, or files were sent or received, or that information or files were accessed or altered, when in fact they were.
 Non-repudiation is crucial to e-commerce.
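The following added example (Python, standard library only; not from the lecture note) makes the integrity and authentication properties concrete with an HMAC: a tag computed over a message with a shared key verifies only if the message is exactly as sent and the sender held the key. It also shows the non-repudiation caveat: because the receiver holds the same key, the receiver could have produced the tag, so a sender can still deny having sent the message; that property needs a digital signature made with a key only the sender holds. The key and the messages are constructed for the example.

```python
import hashlib
import hmac
import secrets


def make_tag(key: bytes, message: bytes) -> str:
    """Compute an HMAC-SHA256 tag over message under a shared secret key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, message: bytes, tag: str) -> bool:
    """Constant-time comparison, so timing does not leak how many tag bytes matched."""
    return hmac.compare_digest(make_tag(key, message), tag)


def demo():
    # Shared key, assumed to have been exchanged out of band between the two parties.
    key = secrets.token_bytes(32)
    message = b"TRANSFER 500 FROM acct-1 TO acct-2"  # constructed sample message
    tag = make_tag(key, message)

    # Integrity: the message as sent verifies ...
    intact = verify_tag(key, message, tag)
    # ... but a single changed digit in transit makes the same tag fail.
    tampered = verify_tag(key, message.replace(b"500", b"5000"), tag)
    # Authentication: a party without the key cannot produce an acceptable tag.
    forged_without_key = verify_tag(key, message, make_tag(secrets.token_bytes(32), message))
    # Non-repudiation caveat: the receiver holds the same key and can mint a
    # valid tag for any message, so an HMAC alone cannot prove who sent it.
    receiver_message = b"TRANSFER 9999 FROM acct-1 TO acct-2"
    receiver_forgery = verify_tag(key, receiver_message, make_tag(key, receiver_message))

    return intact, tampered, forged_without_key, receiver_forgery


if __name__ == "__main__":
    print(demo())  # (True, False, False, True)
```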

History of Computer Security and Information Security

 Began immediately after the first mainframes were developed
 Groups developing code-breaking computations during World War II created the first modern computers

Figure 1-1 – The Enigma


The 1960s
 The Advanced Research Projects Agency (ARPA) began to examine the feasibility of redundant networked communications
 Larry Roberts developed ARPANET from its inception

Figure 1-2 - ARPANET

The 1970s and 80s

 ARPANET grew in popularity, as did its potential for misuse
 Fundamental problems with ARPANET security were identified:
o No safety procedures for dial-up connections to ARPANET
o Non-existent user identification and authorization to the system
 Late 1970s: the microprocessor expanded computing capabilities, and security threats with them

R-609
 Information security began with Rand Report R-609 (paper that started the study of
computer security)

 Scope of computer security grew from physical security to include:
o Safety of data
o Limiting unauthorized access to data
o Involvement of personnel from multiple levels of an organization

The 1990s
 Networks of computers became more common; so too did the need to
interconnect networks
 Internet became first manifestation of a global network of networks
 In early Internet deployments, security was treated as a low priority

The Present
 The Internet brings millions of computer networks into communication with each
other—many of them unsecured
 Ability to secure a computer’s data influenced by the security of every computer
to which it is connected
 The same problems apply for emerging networked computer systems, e.g.,
smartphones

Summary
 Information security is a “well-informed sense of assurance that the information
risks and controls are in balance.”
 Security should be considered a balance between protection and availability.
 Computer security began immediately after first mainframes were developed

Computer Security

 Computer systems today have some of the best security mechanisms ever, yet they are more vulnerable than ever before.
 Computer security is the generic name for the collection of tools designed to protect data and to thwart hackers attacking organizational assets.
 Computer and network security comes in many forms, including encryption algorithms, access controls on facilities, digital signatures, and the use of fingerprints and face scans in place of passwords.
 The OSI security architecture provides a systematic framework for defining security attacks, mechanisms and services.


 The OSI security architecture focuses on security attacks, mechanisms and services.
o Security attack: any action that compromises the security of information owned by an organization.
o Security mechanism: a process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack.
o Security service: a processing or communication service that enhances the security of the data processing systems and the information transfers of an organization.
o The services are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service.
 The NIST Computer Security Handbook defines computer security as "the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications)".

Why Is Computer and Network Security Important?

1. To protect company assets: one of the primary goals of computer and network security is the protection of company assets (hardware, software and/or information).
2. To gain a competitive advantage: developing and maintaining effective security measures can provide an organization with a competitive advantage over its competition.
3. To comply with regulatory requirements and fiduciary responsibilities: organizations that rely on computers for their continuing operation must develop policies and procedures that address organizational security requirements.
o Such policies and procedures are necessary not only to protect company assets but also to protect the organization from liability.
4. To keep your job: security should be part of every network or systems administrator's job. Failure to perform adequately can result in termination.

Vulnerabilities (Attack Surface)

 Vulnerabilities are weak points or loopholes in security that an attacker can exploit in order to gain access to the network or to resources on the network. The vulnerability is not the attack, but rather the weak point that is exploited.

Vulnerability is the intersection of three elements:

 a system susceptibility or flaw,
 attacker access to the flaw, and
 attacker capability to exploit the flaw.

o For a system to be vulnerable, an attacker must have at least one applicable tool or technique that can connect to a system weakness.
o A security risk may be classified as a vulnerability. But there are vulnerabilities without risk, for example when the affected asset has no value.

 A vulnerability with one or more known instances of working and fully implemented attacks is classified as an exploitable vulnerability, a vulnerability for which an exploit exists.

Fig Threat agents, attack vectors, weakness, controls, IT asset and business impact
Vulnerability Classification: classified according to the asset class they relate to:

1. Hardware
o Susceptibility to humidity
o Susceptibility to dust
o Susceptibility to soiling
o Susceptibility to unprotected storage

2. Software
o Insufficient testing
o Lack of audit trail

3. Network
o Unprotected communication lines
o Insecure network architecture

4. Personnel
o Inadequate recruiting process
o Inadequate security awareness

5. Site
o Area subject to flood
o Unreliable power source

6. Organizational
o Lack of regular audits
o Lack of continuity plans

Vulnerabilities in Common Network Access Procedures & Protocols

 The primary network protocol used in operating systems today is the TCP/IP protocol stack.
 The wide use of this protocol helps to integrate different operating system architectures such as Microsoft Windows and UNIX.
 Many organizations make use of this interoperability and use various TCP/IP utilities to run programs, transfer information, and retrieve information.
 Due to the nature of these utilities, various security risks and threats exist.
 Users often use the same passwords across mixed environments.
 Sometimes, passwords are automatically synchronized.
 If hackers can crack the password on systems other than Microsoft systems, they can also use that password to log on to a Microsoft system.

Some of the protocols are:

Telnet

 The Telnet protocol allows a user to log onto a system over the network and use that system as though the user were sitting at a directly connected terminal.
 The telnet command provides a user interface to a remote system.
 When using the Microsoft telnet client to log on to the Microsoft Windows 2000 Telnet service, it uses the NTLM (NT LAN Manager) protocol to log the client on.
 The NTLM protocol was the default for network authentication in the Windows NT 4.0 operating system.

 In a Windows network, NTLM is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users.
 When logging on from a Microsoft telnet client to a UNIX telnet daemon, or vice versa, the user name and password are sent over the network in plain text. (A daemon, pronounced DEE-muhn, is a program that runs continuously and exists to handle the periodic service requests that a computer system expects to receive; it forwards the requests to other programs or processes as appropriate.)
 Since the user name and password characters are not encrypted, it is possible for an electronic eavesdropper to capture a user name and password for a system to which a telnet connection is being established.

File Transfer Protocol (FTP)

 FTP allows users to connect to remote systems and transfer files back and forth.
 As part of establishing a connection to a remote computer, FTP relies on a user name and password combination for authentication.
 Use of FTP poses a security problem similar to use of the Telnet protocol because the user name and password are transmitted over the network in plain text on the FTP control connection (a Telnet client typically sends each typed character in its own packet; the FTP client sends the whole USER or PASS line). These packets can be intercepted.
 Anonymous FTP lets users retrieve files from a server without an individual account. This capability is particularly useful for software or document distribution to the public.
 To use anonymous FTP, a user passes a remote computer name as an argument to FTP and then specifies "anonymous" as the user name. It is a common way to get access to a server in order to view or download files that are publicly available. If someone tells you to use anonymous FTP and gives you the server name, just remember to use the word "anonymous" for your user ID. Usually, you can enter anything as a password.
 Problems with anonymous FTP are:
o There is often no record of who has requested what information.
o The threat of denial-of-service attacks. That is, through deliberate or accidental denial of service, authorized users may be denied access to a system if too many file transfers are initiated simultaneously.
 It is important to securely set up the anonymous FTP account on the server because everyone on the network will have potential access.
 If the anonymous FTP account is not securely configured and administered, crackers may be capable of adding and modifying files.
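The eavesdropping described for Telnet and FTP above can be shown end to end with a passive reconstruction of the client's side of the conversation. The following is an added example in Python (not from the lecture note): the captured segments are constructed byte strings standing in for TCP payloads as a sniffer would see them, with the FTP client sending whole USER and PASS lines and the Telnet client sending one keystroke per segment; the extraction code pairs each server prompt with the client's next complete line. The host names, user names and passwords are made up.

```python
# Constructed TCP payload segments for an FTP login, in wire order: (sender, bytes).
FTP_SEGMENTS = [
    ("server", b"220 ftp.example.test FTP server ready\r\n"),
    ("client", b"USER alice\r\n"),
    ("server", b"331 Password required for alice\r\n"),
    ("client", b"PASS s3cret!\r\n"),
    ("server", b"230 User alice logged in\r\n"),
]

# Constructed Telnet login: the server sends prompts, the client one keystroke per segment.
TELNET_SEGMENTS = [
    ("server", b"\r\nlogin: "),
    *[("client", bytes([c])) for c in b"bob"], ("client", b"\r\n"),
    ("server", b"Password: "),
    *[("client", bytes([c])) for c in b"hunter2"], ("client", b"\r\n"),
    ("server", b"Welcome to host.example.test\r\n$ "),
]


def client_stream(segments):
    """Reassemble the client-to-server byte stream (a sniffer orders segments by sequence number)."""
    return b"".join(data for sender, data in segments if sender == "client")


def extract_ftp_credentials(segments):
    """Pull USER/PASS out of the FTP control connection: each command is a full line."""
    user = password = None
    for line in client_stream(segments).split(b"\r\n"):
        upper = line.upper()
        if upper.startswith(b"USER "):
            user = line[5:].decode("ascii", errors="replace")
        elif upper.startswith(b"PASS "):
            password = line[5:].decode("ascii", errors="replace")
    return user, password


def extract_telnet_credentials(segments):
    """Pair each server prompt with the client's next complete line.

    The client's keystrokes arrive one per segment, so they are buffered until
    the line terminator; the prompt that preceded them labels the line.
    """
    expecting = None
    buffer = b""
    creds = {}
    for sender, data in segments:
        if sender == "server":
            prompt = data.lower()
            if b"login:" in prompt:
                expecting = "user"
            elif b"password:" in prompt:
                expecting = "password"
            continue
        buffer += data
        if buffer.endswith(b"\r\n"):
            if expecting is not None:
                creds[expecting] = buffer[:-2].decode("ascii", errors="replace")
                expecting = None
            buffer = b""
    return creds


if __name__ == "__main__":
    print(extract_ftp_credentials(FTP_SEGMENTS))        # ('alice', 's3cret!')
    print(extract_telnet_credentials(TELNET_SEGMENTS))  # {'user': 'bob', 'password': 'hunter2'}
```

Nothing here needs the password to be sent "one character per packet" or as a whole line: once the client stream is reassembled, both protocols hand the secret over in the clear, which is why SSH or FTP over TLS replaced them.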

Trivial File Transfer Protocol (TFTP)

 It is a file transfer program that is frequently used to allow diskless hosts to boot over the
network.
 Microsoft Windows 2000 implements a client utility to make use of TFTP services on
UNIX flavors.
 Because TFTP has no user authentication, it may be possible for unwanted file transfer to
occur.
 The use of TFTP to steal password files is a significant threat.

Commands Revealing User Information

 It is not uncommon to find interoperability between Microsoft products and various flavors of UNIX.
 Commands that reveal user and system information pose a threat because crackers can use that information to break into a system.
 Some of these commands whose output makes a system vulnerable to break-ins include:
o Finger
o Rexec

Finger

 The finger client utility on Windows NT and Windows 2000 can be used to connect to a
finger daemon service running on a UNIX-based computer to display information about
users.
 When the finger client utility is invoked with a name argument, the password file is
searched on a UNIX server.
 Every user with a first name, last name, or user name that matches the name argument is
returned.
 When the finger program is run with no arguments, information for every user currently
logged on to the system is displayed.
 User information can be displayed for remote computers as well as for the local
computer.
 The output of finger typically includes logon name, full name, home directory, last logon
time, and in some cases when the user received mail and/or read mail.
 Personal information, such as telephone numbers, is often stored in the password file so
that this information is available to other users.
 Making personal information about users available poses a security threat because a
password cracker can make use of this information.
 In addition, finger can reveal logon activity.

Rexec

 The rexec utility is provided as a client on Microsoft Windows NT and Windows 2000.
 The rexec client utility allows remote execution on UNIX-based systems running the rexecd service.
 A client transmits a message specifying the user name, the password, and the name of a command to execute.
 The rexecd program is susceptible to abuse because it can be used to probe a system for the names of valid accounts.
 In addition, passwords are transmitted unencrypted over the network.
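The account-probing weakness above comes from a server that answers differently for an unknown user than for a wrong password. The following added Python example (not from the lecture note, and not the real rexecd source) models that behaviour with a hypothetical in-memory account table and shows how a probe turns the difference into a list of valid accounts, beside a hardened variant that answers identically and compares passwords in constant time, so neither the message nor the timing reveals whether the account exists.

```python
import hmac

# Hypothetical account table standing in for the server's password database.
ACCOUNTS = {"alice": b"wonderland", "bob": b"builder"}
_DUMMY_SECRET = b"no-such-account-placeholder"  # compared against for unknown users


def leaky_login(user: str, password: bytes) -> str:
    """Model of the weak behaviour: the reply reveals whether the account exists."""
    if user not in ACCOUNTS:
        return "Login incorrect."
    if ACCOUNTS[user] != password:
        return "Password incorrect."  # different text, so the account is real
    return ""  # empty reply means success


def hardened_login(user: str, password: bytes) -> str:
    """Same reply for unknown user and bad password; constant-time comparison either way."""
    stored = ACCOUNTS.get(user, _DUMMY_SECRET)  # always perform a comparison
    ok = hmac.compare_digest(stored, password) and user in ACCOUNTS
    return "" if ok else "Login incorrect."


def probe_accounts(login, candidates):
    """An attacker's probe: any reply other than the unknown-user text marks a valid account."""
    return [u for u in candidates if login(u, b"wrong-guess") != "Login incorrect."]


CANDIDATES = ["root", "alice", "carol", "bob", "admin"]  # constructed wordlist


if __name__ == "__main__":
    print(probe_accounts(leaky_login, CANDIDATES))     # ['alice', 'bob']
    print(probe_accounts(hardened_login, CANDIDATES))  # []
```

The hardened variant still has to do the comparison for unknown users; skipping it would reintroduce the oracle through response time.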

Protocol Design

 Communication protocols sometimes have weak points. Attackers use these to gain information and eventually gain access to systems. Some known issues are:
 TCP/IP: the TCP/IP protocol stack has weak points that allow:
o IP address spoofing
o TCP connection request (SYN) attacks
 ATM: security can be compromised by what is referred to as "manhole manipulation", direct access to network cables and connections in underground parking garages and elevator shafts.
 Frame relay: similar to the ATM issue.
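A SYN attack exploits the handshake itself: each SYN makes the server reserve state for a half-open connection, and the attacker never completes the handshake, usually from spoofed source addresses so that the SYN-ACKs go nowhere. The following added example (Python, not from the lecture note) is the detection logic a sensor could run over packet summaries: it tracks half-open connections per four-tuple, ages them out, and raises an alert per destination port when the stale count passes a threshold. The packet records are constructed for the example; the field layout, timeout and threshold are assumptions.

```python
# Constructed packet summaries: (time_s, src_ip, src_port, dst_ip, dst_port, tcp_flags).
# Flags use S (SYN), A (ACK), R (RST), F (FIN); "SA" is the server's SYN-ACK.
PACKETS = [
    (0.00, "10.0.0.5", 51000, "192.0.2.10", 80, "S"),
    (0.01, "192.0.2.10", 80, "10.0.0.5", 51000, "SA"),
    (0.02, "10.0.0.5", 51000, "192.0.2.10", 80, "A"),      # legitimate handshake completes
    (1.00, "203.0.113.7", 40001, "192.0.2.10", 80, "S"),   # from here on: spoofed sources,
    (1.01, "192.0.2.10", 80, "203.0.113.7", 40001, "SA"),  # the SYN-ACKs are never answered
    (1.05, "203.0.113.8", 40002, "192.0.2.10", 80, "S"),
    (1.06, "192.0.2.10", 80, "203.0.113.8", 40002, "SA"),
    (1.10, "203.0.113.9", 40003, "192.0.2.10", 80, "S"),
    (1.15, "198.51.100.2", 40004, "192.0.2.10", 80, "S"),
    (1.20, "198.51.100.3", 40005, "192.0.2.10", 80, "S"),
    (9.50, "10.0.0.6", 52000, "192.0.2.10", 443, "S"),     # recent: still within the timeout
]


def half_open_connections(packets, now, timeout=3.0):
    """Return the client four-tuples whose SYN was never completed within timeout seconds."""
    pending = {}  # (client_ip, client_port, server_ip, server_port) -> time of the SYN
    for t, src_ip, src_port, dst_ip, dst_port, flags in packets:
        key = (src_ip, src_port, dst_ip, dst_port)
        if flags == "S":
            pending[key] = t
        elif flags == "A":
            # The client's final ACK of the handshake closes the half-open entry.
            pending.pop(key, None)
        elif flags in ("R", "RA", "F", "FA"):
            # A reset or close from either side clears it as well.
            pending.pop(key, None)
            pending.pop((dst_ip, dst_port, src_ip, src_port), None)
        # The server's SYN-ACK ("SA") does not change the state: the entry stays half-open.
    return [key for key, t in pending.items() if now - t >= timeout]


def detect_syn_flood(packets, now, timeout=3.0, threshold=3):
    """Alert per (server_ip, server_port) with at least threshold stale half-open connections."""
    stale = half_open_connections(packets, now, timeout)
    alerts = {}
    for target in {(k[2], k[3]) for k in stale}:
        entries = [k for k in stale if (k[2], k[3]) == target]
        if len(entries) >= threshold:
            # Many distinct sources, each with a single stale SYN, is the spoofing
            # signature: blocking individual source addresses will not help.
            alerts[target] = {
                "half_open": len(entries),
                "distinct_sources": len({k[0] for k in entries}),
            }
    return alerts


if __name__ == "__main__":
    print(detect_syn_flood(PACKETS, now=10.0))
    # {('192.0.2.10', 80): {'half_open': 5, 'distinct_sources': 5}}
```

The same records evaluated a few hundred milliseconds after the burst raise nothing, because none of the SYNs has yet outlived the timeout; the aging step is what separates a flood from a busy server.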

Weak Password

 Password selection will always be a contentious point as long as users have to select one.
 Users usually select commonly used passwords because they are easy to remember, anything from a birthday to the names of loved ones. This creates a vulnerability.
 A password is the key to a computer, a key much sought after by hackers as a means of getting a foothold into a system.
 A weak password may give a hacker access not only to a computer, but to the entire network to which the computer is connected.
 Users should treat their passwords like the keys to their homes.
 Switches and routers are easily managed through an HTTP web interface or a command line interface.
 Coupled with the use of weak passwords, this allows anybody with some technical knowledge to take control of the device.
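The patterns the note warns about, common words, birthdays and the names of loved ones, are exactly the ones a password-acceptance check can reject before the password is ever set. The following added Python example (not from the lecture note) implements such a check: the common-password list is a tiny constructed stand-in for the breached-password lists used in practice, and the length, character-class and date heuristics are assumptions chosen for the example.

```python
import re

# Constructed stand-in for a breached/common-password list (real lists hold millions).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin", "iloveyou"}

_YEAR = re.compile(r"(19[4-9]\d|20[0-2]\d)")  # a plausible birth year inside the password
_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def password_problems(password: str, personal_names=(), min_length=12):
    """Return the reasons a proposed password should be rejected (empty list = acceptable)."""
    problems = []
    lowered = password.lower()

    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # "Password1" or "qwerty!" is still the common word once the trailing decoration goes.
    base = re.sub(r"[\d!@#$%^&*.?-]+$", "", lowered)
    if lowered in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        problems.append("common password")

    # Names of loved ones, pets, the user name, etc., supplied by the caller.
    for name in personal_names:
        if name.lower() in lowered:
            problems.append(f"contains personal name {name!r}")

    # Birthday-style passwords: a plausible year plus enough other digits for day and month.
    digit_count = sum(ch.isdigit() for ch in password)
    if _YEAR.search(password) and digit_count >= 6:
        problems.append("looks like a date of birth")

    if sum(bool(re.search(cls, password)) for cls in _CLASSES) < 3:
        problems.append("fewer than three character classes")

    return problems


if __name__ == "__main__":
    for candidate in ("12041985", "Password1", "Fluffy-2019", "correct-Horse9-battery"):
        print(candidate, "->", password_problems(candidate, personal_names=["alice", "fluffy"]))
```

The check is deliberately a set of reasons rather than a single score: telling the user which rule failed is what gets them to a better password on the next try, and the same function can be applied to the administrator accounts on switches and routers before the device goes into service.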

Modem

 If a computer has a modem connected to the Internet, the user needs to take appropriate precautions because modem connections can be a significant vulnerability.
 Hackers commonly use a tool known as a "war dialer" to identify the modems at a target organization.
 A war dialer is a computer program that automatically dials phone numbers within a specified range of numbers.
 Most organizations have a block of sequential phone numbers.
 By dialing all numbers within the targeted range, the war dialer identifies which numbers are for computer modems and determines certain characteristics of those modems.
 The hacker then uses other tools to attack the modem to gain access to the computer network.
 Anyone can download effective war dialers from the Internet at no cost.

Security in Action

[Figure: "Security in Action". The diagram maps the network layers (client, DNS, network services, FTP/Telnet, SMTP/POP, web server configuration) against their vulnerabilities (IP and port scanning, web server exploits, sniffing, keystroke logging, password cracking, email exploits, DoS attacks, Trojan attacks, MITM attacks), the preventive controls (host hardening, antivirus, application firewall, GPG/PGP, certificates, SSH, IPSec) and the detection measures (intrusion detection system, spyware detection and removal, system log analysis, honeypot, backup and restore, finding hidden data), with internal and external attackers targeting corporate assets.]