
PRINCIPLES OF INFORMATION SYSTEM SECURITY
BISF 2107 BSD 2206 BAC 2209

By Purity Mureithi
1. What is Security?
2. What is Information Security?
3. Why Information System Security?
4. Vulnerability, Threat and Attack
5. Security Policies
6. Security Measures
7. Security Elements
8. Security Services
9. Security Mechanisms
1. What is Security?
• Security is the protection of assets in general.
• Security can be realized through:
1. Prevention: take measures that prevent your assets from being damaged.
2. Detection: take measures so that you can detect when, how, and by whom an asset has been damaged.
3. Reaction: take measures so that you can recover your assets or recover from damage to your assets.
• There are many branches of security: national security, economic security, information security.
Examples
Example 1
• Physical private property
• Prevention: locks on doors, window bars, walls around the property
• Detection: burglar alarms, CCTV
• Reaction: call the police…
Example 2
• E-commerce
• Prevention: encrypt your orders, rely on the merchant to perform checks on the caller
• Detection: an unauthorized transaction appears on your credit card statement, firewall
• Reaction: complain, ask for a new credit card number, …
2. What is Information Security?
It is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to ensure confidentiality, integrity and availability.
OR
• It is protecting information and information resources such as books, computer data and voice communications from unauthorized access, etc.
• Information security is determining:
  - what needs to be protected, i.e. assets,
  - and why (security elements, which include CIA),
  - what it needs to be protected from (threats, vulnerabilities, risks),
  - and how (security measures) to protect it for as long as it exists.
- Security measures are implemented according to a security policy.
3. Why Information System Security (ISS)?
Why Security?
Cyberspace (internet, work environment, intranet) is becoming a dangerous place for all organizations and individuals trying to protect their sensitive data or reputation.
• This is because of the numerous people and machines accessing it.
• Recent studies have shown that a big danger comes from internal threats or from disappointed employees; another internal threat is that information material can be easily accessed over the intranet.
• One important indicator is that the IT skills of a person who wants to hack or breach your security have decreased while the success rate has increased. This is because of three main factors:
  - Hacking tools are endless and can be found very easily by anyone just by googling.
  - Technology available to end users, like internet bandwidth and computer processing speeds, has increased rapidly in recent years.
  - Access to hacking information manuals.
Since locking down all networks is not an available option, the only response security managers can give is to harden their networks, applications and operating systems to a reasonable level of safety and to have a business disaster recovery plan.
ISS is concerned with protecting information system assets such as PCs, software, applications, etc.
In order to ensure the security of information systems we need to determine:
i. Assets (i.e. information systems) to be protected – NIST defines an information system as a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
ii. Security elements: CIA
iii. Threats, vulnerabilities, risks
iv. Security policies
v. Security measures
What to Secure?
• First of all, check physical security by setting up control systems such as motion alarms, door access systems, humidity sensors and temperature sensors. All these components decrease the possibility of a computer being stolen or damaged by humans or by the environment itself.
• People who have access to computer systems should have their own user ID with password protection.
• Monitors should be screen-saver protected to hide information from being displayed when the user is away or inactive.
• Secure your network, especially wireless; passwords should be used.
• Internet equipment, e.g. routers, should be protected with a password.
• Stored data, whether financial or non-financial, should be encrypted.
• Information in transmission should be protected, in all types of its representation, by encrypting it.
4. Vulnerability, Threat and Attack
• A vulnerability: a weakness, design problem or implementation error in a system that can lead to an unexpected and undesirable event regarding the security of the system. E.g. a software bug exists in the OS, or no password rules are set.
• A threat: a set of circumstances that has the potential to cause loss or harm.
- It is an indication of a potential undesirable event.
- It refers to a situation in which:
  • a person could do something undesirable (an attacker initiating a denial-of-service attack against an organization’s email server), or
  • a natural occurrence could cause an undesirable outcome (a fire damaging an organization’s information technology hardware).
• A risk: the possibility of suffering harm or loss.
• An attack: the realization of a threat; an assault on system security that is delivered by a person or a machine to a system. It violates security.
• An attacker: a person who exploits a vulnerability.
• An attacker must have means, opportunity and motive.
• Synonyms: enemy, adversary, opponent, eavesdropper, intruder.
• A hacker: a person who exploits a computer system for a reason, which can be money, a social cause, fun, etc. A hacker might discover weaknesses within systems and the reasons for such weaknesses.
• Hackers can be classified into different categories such as white hat, black hat, and grey hat, based on their intent in hacking a system.
Types of Hackers
White Hat Hackers
White Hat hackers are also known as Ethical Hackers. They never intend to harm a system; rather, they try to find weaknesses in a computer or network system as part of penetration testing and vulnerability assessments.
Ethical hacking is not illegal and it is one of the demanding jobs available in the IT industry.
There are numerous companies that hire ethical hackers for penetration testing and
vulnerability assessments.
Black Hat Hackers
Black Hat hackers, also known as crackers, are those who hack in order to gain unauthorized
access to a system and harm its operations or steal sensitive information.
Black Hat hacking is always illegal because of its bad intent which includes stealing corporate
data, violating privacy, damaging the system, blocking network communication, etc.
Grey Hat Hackers
Grey hat hackers are a blend of both black hat and white hat hackers. They act without
malicious intent but for their fun, they exploit a security weakness in a computer system or
network without the owner’s permission or knowledge.
Their intent is to bring the weakness to the attention of the owners and to get appreciation or a little bounty from the owners.
Miscellaneous Hackers
• Apart from the above well-known classes of hackers, we have the following categories of hackers based on what they hack and how they do it:
• Red Hat Hackers: they are again a blend of both black hat and white hat hackers. They are usually on the level of hacking government agencies, top-secret information hubs and generally anything that falls under the category of sensitive information.
• Blue Hat Hackers: someone outside computer security consulting firms who is used to bug-test a system prior to its launch. They look for loopholes that can be exploited and try to close these gaps. Microsoft also uses the term BlueHat to represent a series of security briefing events.
• Elite Hackers: this is a social status among hackers, which is used to describe the most skilled. Newly discovered exploits will circulate among these hackers.
• Script Kiddie: a script kiddie is a non-expert who breaks into computer systems by using pre-packaged automated tools written by others, usually with little understanding of the underlying concept, hence the term Kiddie.
• Neophyte: a neophyte, "n00b", "newbie" or "Green Hat Hacker" is someone who is new to hacking or phreaking and has almost no knowledge or experience of the workings of technology and hacking.
• Hacktivist: a hacktivist is a hacker who utilizes technology to announce a social, ideological, religious, or political message. In general, most hacktivism involves website defacement or denial-of-service attacks.
5. Security measures/Security Controls
• Security controls – the management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for a system to protect the confidentiality, availability, and integrity of the system and its information.
Security measures include techniques for ensuring:
• Prevention: such as encryption, user authentication, one-time passwords, antivirus, firewalls, etc.
• Detection: such as IDS (Intrusion Detection Systems), monitoring tools, firewall logs, digital signatures, etc.
• Reaction (or recovery): such as backup systems, OS recovery points, etc.
• Encryption
• Digital Signature
• User Authentication
• Antivirus
• IDS and firewalls
• Database security
6. Security Policy
• A security policy states what is and is not allowed.
• It is a document describing a company’s security controls and activities.
• It does not specify technologies.
• E.g.
- Policy: Password construction: account names must not be used in passwords.
- Policy: Confidentiality of personal information: all personal information must be treated as confidential.
• A security policy is a guideline for implementing security measures.
7. Three ISS Security Objectives
The general goal in computer security is the ability to detect and prevent attacks and to be able to recover from them.
If an attack is successful, the disruption of information and services has to be contained and kept low or tolerable.
Different objectives in Computer Security
In order to fulfil these requirements, we come to the three main
objectives which are confidentiality, integrity, and availability.
a) Confidentiality
• Keeping information secret from all but those who are authorized to see it or access it. Also called secrecy or privacy.
OR
It is the concealment of information or resources. There is also a need to keep information secret from third parties that want to have access to it, so that only the right people can access it.
OR
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Example in real life − Let’s say two people are communicating via encrypted email. They know each other’s decryption keys and read the email by entering these keys into the email program. If someone else can read these decryption keys when they are entered into the program, then the confidentiality of that email is compromised.
b) Integrity
Integrity is the trustworthiness of data in systems or resources, from the point of view of preventing unauthorized and improper changes.
OR
Guarding against improper information modification or destruction and ensuring information non-repudiation and authenticity.
Generally, integrity is composed of two sub-elements:
• Data integrity – the property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing and while in transit.
• System integrity – the quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental.
Example in real life − Let’s say you are making an online payment of 5 USD, but your information is tampered with, without your knowledge, so that 500 USD is sent to the seller. This would cost you too much.
In this case cryptography plays a major role in ensuring data integrity.
Commonly used methods to protect data integrity include hashing the data you receive and comparing it with the hash of the original message. However, this means that the hash of the original data must be provided in a secure way.
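Added example, not part of the original slides: the 5 USD / 500 USD payment above, checked first with a plain hash and then with a keyed hash (HMAC-SHA256, a standard technique the slides do not name), to show why the hash has to arrive in a secure way. The message strings and the shared key are constructed sample values.

```python
import hashlib
import hmac


def sha256_hex(message: bytes) -> str:
    """Plain (unkeyed) hash: anyone can compute it for any message."""
    return hashlib.sha256(message).hexdigest()


def hash_matches(message: bytes, claimed_hash: str) -> bool:
    return hmac.compare_digest(sha256_hex(message), claimed_hash)


def make_tag(key: bytes, message: bytes) -> str:
    """Keyed hash (HMAC-SHA256): needs the shared secret to compute."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def tag_matches(key: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(make_tag(key, message), tag)


def run_cases() -> dict:
    # Constructed sample data mirroring the 5 USD / 500 USD example.
    original = b"pay seller 5 USD"
    tampered = b"pay seller 500 USD"
    key = b"constructed-demo-key-shared-out-of-band"

    trusted_hash = sha256_hex(original)   # obtained over a secure channel
    tag = make_tag(key, original)         # sent alongside the message
    return {
        # Hash delivered securely: the altered amount is detected.
        "secure_hash_detects_change": not hash_matches(tampered, trusted_hash),
        # Hash delivered with the message: it can be recomputed for the
        # altered message, so the check passes and proves nothing.
        "in_band_hash_accepts_change": hash_matches(tampered, sha256_hex(tampered)),
        # Keyed tag: the original verifies, the altered message does not,
        # and a tag made without the right key is rejected.
        "hmac_accepts_original": tag_matches(key, original, tag),
        "hmac_rejects_change": not tag_matches(key, tampered, tag),
        "hmac_rejects_wrong_key_tag": not tag_matches(
            key, tampered, make_tag(b"not-the-key", tampered)),
    }


if __name__ == "__main__":
    for name, outcome in run_cases().items():
        print(f"{name}: {outcome}")
```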
c) Availability
Availability refers to the ability to access a resource when it is needed; information has value only if authorized people can access it at the right time.
OR
Ensuring timely and reliable access to and use of information.
Denying access to data has become a common attack nowadays. Imagine how costly the downtime of a live server can be.
• Example in real life − Let’s say a hacker has compromised a bank’s web server and taken it down. You, as an authenticated user, want to make an e-banking transfer but it is impossible to access the service; the transfer that was not made is money lost for the bank.
8. Security services
• An information security service is a method to provide some specific aspects of security.
- Examples
  • Confidentiality is a security objective; encryption is an information security service.
  • Integrity is another security objective; a method to ensure integrity is a security service.
• Breaking a security service implies defeating the objective of the intended service.
9. Security Mechanisms
• A security mechanism encompasses protocols, algorithms and non-cryptographic techniques (hardware protection) used to achieve specific security objectives (confidentiality, integrity and availability).
Computer Security - Terminologies
• Unauthorized access − when someone gains access to a server, website, or other sensitive data using someone else's account details.
• Antivirus or antimalware − software, available for different operating systems, that is used to protect against malicious software.
• Social engineering − a technique that a hacker uses to steal data from a person for different purposes by psychological manipulation combined with social scenes.
• Virus − malicious software that installs itself on your computer without your consent for a bad purpose.
• Firewall − software or hardware that is used to filter network traffic based on rules.
• Access control: restricting access to resources to privileged entities.
• Validation: a means to provide timeliness of authorization to use or manipulate information or resources.
• Authorization: conveyance, to another party, of official sanction to do or to be something.
• Entity authentication: validation of the identity of an entity (e.g., a person, a credit card, etc.)
- Identification, identity verification
• Message authentication: validating the source of information; also known as data origin authentication.
- Message authentication provides data
• Digital signature: a means to bind information to an entity.
THANK YOU
