Security Lo1-1
Learning Outcomes
• “The wonderful thing about the Internet is that you’re connected to everyone
else… The terrible thing about the Internet is that you’re connected to
everyone else…”
• Dr. Vinton Cerf - co-designer of the TCP/IP protocols and the architecture of the Internet.
• With access to the information and services the Internet provides comes risk.
• Risk of information loss or corruption, of data theft, and worse. These risks
have to be mitigated with security solutions.
IT Threats
• A threat is an event that could exploit a vulnerability (an attack waiting to happen) and cause a
negative impact on the network.
• Threats in the digital world typically mimic threats in the physical world.
• Theft, vandalism, eavesdropping are all threats that have moved from the real world into
cyberspace, typically via the Internet.
• There are some significant differences, however, in terms of the distance from which these
attacks can be carried out, the automation involved, and the propagation (spreading) of attack techniques.
IT security risks
• Risks:
• unauthorised use of a system
• unauthorised removal or copying of data or code from a system
• damage to or destruction of physical system assets and environment
• damage to or destruction of data or code inside or outside the system
• naturally occurring risks.
Unauthorised use of a system
• Someone may damage the hardware in the ICT system. A hard disk holds a lot of data.
• If the disk was sabotaged, the data would become inaccessible. The hardware in an ICT system can
be worth many hundreds of thousands of pounds.
• If any of it is damaged or stolen then it will take time to replace it.
• The cost of replacement is usually covered by insurance, so the main problem is the time delay in
installing replacement equipment.
• This delay can result in lost business and, as a consequence, the organisation may lose money.
Consequential loss may not be covered by insurance, so this is a ‘real’ loss.
Damage to or destruction of data or code inside or outside the system
• Data or software should only be altered or deleted by someone who is authorised to do so.
• A hacker may damage – i.e. amend or delete – the data or software.
• Data and software may also be damaged by virus attack.
Naturally occurring risks
• Human actions
• E.g. human error, or an employee who disregards policy.
• Systems issues
• E.g. out-of-date or incorrectly configured/installed anti-virus and firewall software; confusion
over backup policy that could result in an accidental overwrite; poor group policy
configuration; incorrect user access levels.
Organisational security
• Business continuance (maintaining essential functions during/after an attack)
• Backup/restoration of data
• Audits
• Testing procedures e.g. data, network, systems, operational impact of
security breaches, WANs, intranets, wireless access systems.
Organisational security:
Business continuance
• Training should be given so that employees know what to do, for example, if they
suspect a virus attack:
• Who should they contact first?
• Should they turn their ICT system off?
• Employees who are responsible for data recovery should also know the
procedures to follow.
• The aim should be to plan ahead so that the whole system can be up and running
again within a specified time-scale, e.g. 24 hours.
• Then, if the worst case scenario happens, disaster recovery should be as smooth
as possible. The contingency plan has to be developed from a full risk analysis,
so that every eventuality is taken into consideration.
Organisational security:
Audits
• An organisation that is unaware of how and where security breaches might
occur could soon be faced with a situation that will be costly, and could be
very embarrassing.
• Instead, a security audit should be conducted to check what might go
wrong, and to plan improvements before a hacker – or some other
individual – takes advantage of the situation.
• Audits could include:
– Review and management
■ e.g. access to systems.
– Establishment and review of personal, corporate and technical trust.
– Vetting of staff.
– Forensic analysis of systems
■ Use of custom forensics or existing sysadmin tools.
Organisational security:
Testing procedures
• Network security: This involves looking for vulnerabilities in the network
infrastructure (resources and policies).
• System software security: Assess weaknesses in the software (operating system,
database system, and other software) that the organisation depends on.
• Client-side application security: Ensure that the client (browser or any such
app/tool) cannot be manipulated.
• Server-side application security: Server code and its technologies are
robust enough to fend off any intrusion.
Organisational security:
Testing procedures - operational impact
• Costs
• If data is lost, costs are incurred in recovering the data.
• If software is corrupted, a copy should be available, but the replacement will take time and incur staff costs.
• Depending on how serious a breach was experienced, there may be a need to consult specialists, and this too will incur extra costs.
• Loss of business
• A security breach can result in the collapse of an ICT system.
• The time during which normal service is not available is called downtime.
• Organisations that rely on an ICT system to take orders will suffer a loss of business during the downtime. Some customers will
come back later, but some will not; they will already have taken their business elsewhere.
• If a security breach causes data loss, and it proves difficult to recover that data, then the result can be disastrous for an
organisation.
Security Key Concepts
Confidentiality
• Information exchanged between the client and service provider cannot be read by an unauthorized party. This
often means that only authorized users and processes should be able to access or modify data.
• Encryption is the fundamental technology for ensuring the confidentiality of messages in transit.
• Confidentiality vs. Privacy
Confidentiality: Obligation of provider to restrict access.
Privacy: individual right to control access.
• Confidentiality: When you log in, you’re asked for a password. If it’s been a while since your last log-in, you
may be asked to input a code that’s been sent to you or some other form of two-factor authentication.
Integrity
• In information security, data integrity means maintaining and assuring the accuracy and completeness of data over its
entire lifecycle. (Boritz, 2005)
• Integrity measures protect information from unauthorized alteration. These measures provide assurance in the
accuracy and completeness of data. The need to protect information includes both data that is stored on systems and
data that is transmitted between systems such as email. In maintaining integrity, it is not only necessary to control
access at the system level, but to further ensure that system users are only able to alter information that they are
legitimately authorized to alter.
• This means that data cannot be modified in an unauthorized or undetected manner.
• Sometimes it’s as simple as a read-only file. Sometimes, it involves hashing or data checksums, which allow data to
be audited to ensure the data hasn’t been compromised. In other cases, integrity might be protected physically from
outside sources that might corrupt it.
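The hashing and checksum audit the slide mentions, as an added example (not part of the lecture material): a baseline manifest of SHA-256 digests is recorded for a set of files, and a later audit recomputes the digests and reports anything modified, removed or added. The file names and contents are constructed in a temporary directory so the block runs offline.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hex SHA-256 digest of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Baseline: map every file under root (relative path) to its digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def audit(root, baseline):
    """Recompute digests and report what changed since the baseline.

    Returns sorted lists of modified, removed and added paths; all empty
    means nothing under root was altered (accidentally or deliberately).
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: record a baseline, then amend one file,
    delete another and drop in a new one; the audit should flag all three."""
    root = tempfile.mkdtemp()
    for name, data in (("config.ini", b"debug=false\n"),
                       ("payroll.csv", b"alice,5000\n")):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    baseline = build_manifest(root)

    with open(os.path.join(root, "payroll.csv"), "ab") as f:
        f.write(b"mallory,9999\n")               # record amended
    os.remove(os.path.join(root, "config.ini"))  # file deleted
    with open(os.path.join(root, "extra.bin"), "wb") as f:
        f.write(b"\x00\x01")                     # unexpected new file
    return audit(root, baseline)


if __name__ == "__main__":
    print(demo())
```

A plain hash detects accidental corruption and casual tampering; against an attacker who can also rewrite the manifest, the baseline must be stored read-only or signed.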
Availability
• For any information system to serve its purpose, the information must be available when it is
needed.
• High availability systems aim to remain available at all times, preventing service disruptions due to
power outages, hardware failures, and system upgrades.
• Ensuring availability also involves preventing denial-of-service attacks, such as a flood of
incoming messages to the target system, essentially forcing it to shut down (Loukas, n.d.).
• Availability: You can log into your account whenever you want, and you may even be able to
contact customer support at any time of the day or night.
Non-repudiation
• Biometrics may also be used for authentication. For example, many smartphones have a fingerprint sensor that allows you to
unlock your phone with a simple tap of your thumb or finger. Some facilities have retinal scanners, which require an eye scan to
allow authorized individuals to access secure areas. Apple's Face ID (introduced with the iPhone X) authenticates users by facial
recognition.
Authorization
• Once a user has been authenticated, the authorization process determines what permissions they have. Permissions are what an employee
of the organization is able to do and access in the organization; without them every employee would have the same abilities and access to
the same information.
• There are many techniques to implement authorization; the frequently used methods are:
• Principle of least privilege (POLP)
• The principle of least privilege is the idea that any user, program, or process should have only the bare minimum privileges necessary to
perform its function. For example, a user account created for pulling records from a database doesn’t need admin rights, while a
programmer whose main function is updating lines of legacy code doesn’t need access to financial records. The principle of least privilege
can also be referred to as the principle of minimal privilege (POMP) or the principle of least authority (POLA). Following the principle of
least privilege is considered a best practice in information security.
• User Account with Least Privilege: With the principle of least privilege, an employee whose job is to enter info into a database only needs
the ability to add records to that database. If malware infects that employee’s computer or if the employee clicks a link in a phishing email,
the malicious attack is limited to making database entries. If that employee has root access privileges, however, the infection can spread
system-wide.
• Access control lists (ACL)
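The least-privilege account and the ACL from this slide, as an added example (not code from the lecture): rights are granted per principal and per resource, anything not explicitly granted is denied, and a helper shows how far a stolen credential would reach. All principal, resource and operation names are constructed for the example.

```python
from collections import defaultdict


class AccessControlList:
    """resource -> principal -> set of permitted operations; deny by default."""

    def __init__(self):
        self._acl = defaultdict(lambda: defaultdict(set))

    def grant(self, principal, resource, *operations):
        self._acl[resource][principal].update(operations)

    def is_allowed(self, principal, resource, operation):
        # Unknown resource, unknown principal or unlisted operation all
        # evaluate to False: nothing is permitted unless explicitly granted.
        entries = self._acl.get(resource, {})
        return operation in entries.get(principal, set())

    def reach(self, principal):
        """Everything this principal could touch if its credentials were
        stolen (the phishing scenario in the slide): the blast radius."""
        return {res: sorted(ops[principal])
                for res, ops in self._acl.items() if ops.get(principal)}


def build_demo_acl():
    """Constructed ACL mirroring the slide's examples (names are invented)."""
    acl = AccessControlList()
    # Data-entry clerk: only needs to add records, so that is all it gets.
    acl.grant("clerk", "customer_db", "insert")
    # Legacy-code maintainer: source access, no financial records at all.
    acl.grant("developer", "legacy_repo", "read", "write")
    # Over-privileged account, for contrast with what least privilege allows.
    acl.grant("admin", "customer_db", "insert", "select", "update", "delete")
    acl.grant("admin", "finance_db", "select", "update")
    return acl


if __name__ == "__main__":
    acl = build_demo_acl()
    print("clerk may insert:", acl.is_allowed("clerk", "customer_db", "insert"))
    print("clerk may delete:", acl.is_allowed("clerk", "customer_db", "delete"))
    print("compromised clerk reaches:", acl.reach("clerk"))
    print("compromised admin reaches:", acl.reach("admin"))
```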
Accountability
• Accountability means making sure every action can be traced back to a single person, not just a group.
• Every information asset should be "owned" by an individual in the organisation who is primarily responsible
for it.
• Accountability is improved by defining policy that describes specific responsibilities, and by awareness programmes.
• Individuals must be aware of what is expected of them; this also guides continual improvement.
Passive Attack
Active Attack
Information Security Principles (Merkow and Breithaupt, 2014)
Principle 1: There Is No Such Thing As Absolute Security
• In 2003, the art collection of the Whitworth Gallery in Manchester, England,
included three famous paintings by Van Gogh, Picasso, and Gauguin. Valued at
more than $7 million, the paintings were protected by closed-circuit television
(CCTV), a series of alarm systems, and 24-hour rolling patrols.
• Yet in late April 2003, thieves broke into the museum, evaded the layered security
system, and made off with the three masterpieces. Several days later, investigators
discovered the paintings in a nearby public restroom along with a note from the
thieves saying, “The intention was not to steal, only to highlight the woeful
security.”
Principle 1: There Is No Such Thing As Absolute Security
• The burglars’ lesson translates to the information security arena and illustrates
the first principle of information security (IS):
• “Given enough time, tools, skills, and inclination, a malicious person can
break through any security measure.”
• As with software, no safe is burglar proof; security measures simply buy
time. Of course, buying time is a powerful tool.
• Resisting attacks long enough provides the opportunity to catch the attacker
in the act and to quickly recover from the incident.
Principle 1: There Is No Such Thing As Absolute Security
• This principle applies to the physical world as well and is best illustrated
with an analogy of safes or vaults that businesses commonly use to protect
their assets.
• Safes are rated according to their resistance to attacks using a scale that
describes how long it could take a burglar to open them.
Principle 2: The Three Security Goals Are Confidentiality, Integrity, and Availability
• All information security measures try to address at least one of three goals:
• Protect the confidentiality of data
• Preserve the integrity of data
• Promote the availability of data for authorized use
• The principle of information security protection of confidentiality,
integrity, and availability cannot be overemphasized: This is central to all
studies and practices in IS.
Principle 2: The Three Security Goals Are Confidentiality, Integrity, and Availability
• These goals form the confidentiality, integrity, availability (CIA) triad, the
basis of all security programs. Information security professionals who
create policies and procedures (often referred to as governance models)
must consider each goal when creating a plan to protect a computer
system.
Integrity
• ISO/IEC 27000:2012 defines integrity as “the property of accuracy and completeness of
assets”.
• Integrity models keep data pure and trustworthy by protecting system data from changes,
whether they are intentional, unauthorized, or accidental. Integrity models have three goals:
• Prevent unauthorized users from making modifications to data or programs
• Prevent authorized users from making improper or unauthorized modifications
• Maintain internal and external consistency of data and programs
• An example of integrity checks is balancing a batch of transactions to make sure that all the
information is present and accurately accounted for.
Integrity
• The receiver of the information must have the information the creator intended him to have.
• The information can be edited by authorized persons only and remains in its original state when at rest.
• Integrity is implemented using security mechanisms such as data encryption and hashing, and version control.
• Changes in data might also occur as a result of non-human-caused events such as an electromagnetic pulse (EMP) or server crash.
Availability
• ISO/IEC 27000:2012 defines availability as “the property of being accessible and usable
upon demand by an authorized entity”.
• Availability models keep data and resources available for authorized use, especially during
emergencies or disasters. In essence, availability means making sure systems keep running
and information stays accessible.
• Information security professionals usually address three common challenges to availability:
• Denial of service (DoS)
• Loss of information system capabilities because of natural disasters
• Equipment failures during normal use
• Availability is implemented using methods such as hardware maintenance, software
patching and network optimization. Processes such as redundancy, failover, RAID
and high-availability clusters are used to mitigate serious consequences when
hardware issues do occur.
• Dedicated hardware devices can be used to guard against downtime and unreachable
data due to malicious actions such as distributed denial-of-service (DDoS) attacks,
such as a flood of incoming messages to the target system, essentially forcing it
to shut down.
• Availability for Executive Managers
Non-Repudiation
• A bank would never leave its assets inside an unguarded safe alone. Typically, access to the safe requires passing
through layers of protection that might include
• Furthermore, the room where the safe resides could be monitored by closed circuit
television, motion sensors, and alarm systems that can quickly detect unusual activity.
• The sound of an alarm might trigger the doors to automatically lock, the police to be
notified, or the room to fill with tear gas.
Principle 3: Defense in Depth as Strategy
• The primary reason identity theft, viruses, worms, and stolen passwords
are so common is that people are easily duped into giving up the secrets
technologies use to secure systems.
• Generally, the weakest link in the information security chain is people.
• One of the best methods – creating awareness.
Principle 5: Computer Security Depends on Two Types of Requirements: Functional and Assurance
• Example
• Consider car safety testing as an example. Verification testing for seat belt
functions might include conducting stress tests on the fabric, testing the
locking mechanisms, and making certain the belt will fit the intended
application, thus completing the functional tests.
• Validation, or assurance testing, might then include crashing the car with
crash-test dummies inside to “prove” that the seat belt is indeed safe when
used under normal conditions and that it can survive under harsh
conditions.
Principle 6: Security Through Obscurity Is Not an Answer
• Security through obscurity means assuming that hiding the details of the security mechanisms is,
on its own, sufficient to secure the system.
• An example of security through obscurity might involve closely guarding the written specifications for
security functions and preventing all but the most trusted people from seeing them. Obscuring security
leads to a false sense of security, which is often more dangerous than not addressing security at all.
• If the security of a system is maintained by keeping the implementation of the system a secret, the
entire system collapses when the first person discovers how the security mechanism works—and
someone is always determined to discover these secrets.
• The better bet is to make sure no one mechanism is responsible for the security of the entire system.
Again, this is defense in depth in everything related to protecting data and resources.
Principle 7: Security = Risk Management
• All security work is a careful balance between the level of risk and the expected
reward of expending a given amount of resources.
• The measures taken in an organization to reduce risk to an acceptable level can, at
times, become excessively expensive.
• A careful balance must be struck between the cost or business impact of a risk if it
occurs and the cost of the measures taken to reduce its likelihood or impact.
• Security is concerned not with eliminating all threats within a system or facility, but
with eliminating known threats and minimizing losses if an attacker succeeds in
exploiting a vulnerability.
Principle 7: Security = Risk Management
• Risk analysis and risk management are central themes to securing information systems. When risks are well understood,
four outcomes are possible:
• The risks are mitigated (countered).
• The level of risk is reduced through additional measures.
• Insurance is acquired against the losses that would occur if a system were compromised.
• The risks are accepted and the consequences are managed.
• After determining a risk rating, one of the following actions could be required:
• Extreme risk: Immediate action is required.
• High risk: Senior management’s attention is needed.
• Moderate risk: Management responsibility must be specified.
• Low risk: Management is handled by routine procedures.
Principle 8: The Three Types of Security Controls Are Preventative, Detective, and Responsive
• But with dual control, one person acts as a countermeasure to the other:
Chances are less likely that both people will make an error in judgment or
act maliciously. Likewise, no one person in an organization should have
the ability to control or close down a security activity.
• This is commonly referred to as separation of duties.
• Process controls
Principle 11: People, Process, and Technology Are All Needed to Adequately Secure a System or Facility
• Technology can fail, and without people to notice and fix technical
problems, computer systems would stall permanently. An example of this
type of waste is installing an expensive firewall system and then turning
around and opening all the ports that are intended to block certain traffic
from entering the network.
Principle 12: Open Disclosure of Vulnerabilities Is Good for Security!
• A raging and often heated debate within the security community and
software developing centers concerns whether to let users know about a
problem before a fix or patch can be developed and distributed.
• Principle 6 tells us that security through obscurity is not an answer
• Users have a right to know about defects in the products they purchase
• The need to know trumps the need to keep secrets, to give users the right
to protect themselves.
Proposing a method to assess and treat IT security risks (M1)
ISO 27001 risk assessments (ISO = International Organization for Standardization)
2. Identify risks
• Create a list of business assets such as files, media, portable devices as well
as content such as Intellectual Property.
3. Analyse risks
• Identify threats and vulnerabilities to each asset.
4. Evaluate risks
• Order security risks from high to low.
5. Select risk treatment options
• Define exactly who is going to implement each control, in which timeframe,
with which budget, etc.
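Steps 2 to 4 above carried through in code, together with the four risk ratings and their required actions from Principle 7, as an added example (not from the lecture): each asset/threat pair gets a likelihood and an impact, the rating is their product, the rating is banded into Extreme/High/Moderate/Low, and the register is ordered from high to low. The 1 to 5 scale, the band thresholds and the sample register are assumptions constructed for this example, not figures from the slides.

```python
from dataclasses import dataclass

# Band thresholds on the 1..25 product scale (assumed for this example);
# the level names and actions are the ones listed under Principle 7.
BANDS = (
    (20, "Extreme", "Immediate action is required."),
    (12, "High", "Senior management's attention is needed."),
    (6, "Moderate", "Management responsibility must be specified."),
    (1, "Low", "Management is handled by routine procedures."),
)


@dataclass
class Risk:
    """One row of the register: an asset, a threat to it, the vulnerability
    the threat would exploit, and the analyst's likelihood/impact scores."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int      # 1 (negligible) .. 5 (severe), assumed scale

    @property
    def rating(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be in 1..5")
        return self.likelihood * self.impact


def band(rating):
    """Map a numeric rating to (level, required action)."""
    for threshold, level, action in BANDS:
        if rating >= threshold:
            return level, action
    raise ValueError("rating must be at least 1")


def evaluate(register):
    """Step 4: order the register from highest to lowest rating, attaching
    the level and the action management must take for each risk."""
    ranked = sorted(register, key=lambda r: r.rating, reverse=True)
    return [(r.asset, r.threat, r.rating, *band(r.rating)) for r in ranked]


# Constructed sample register: the output of steps 2 and 3.
SAMPLE_REGISTER = [
    Risk("customer_db", "SQL injection", "unvalidated web input", 4, 5),
    Risk("laptops", "theft", "unencrypted disks", 3, 3),
    Risk("backup tapes", "fire", "single off-site location", 1, 4),
    Risk("payroll files", "IP leak", "shared drive open to all staff", 3, 5),
]

if __name__ == "__main__":
    for asset, threat, rating, level, action in evaluate(SAMPLE_REGISTER):
        print(f"{rating:>2} {level:<8} {asset}: {threat} -> {action}")
```

Step 5 then assigns an owner, timeframe and budget to the control chosen for each row, starting from the top of the ordered list.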