Chapter One

Introduction to Information Security

1
Security
The quality or state of being secure—to be free from danger.

In other words, protection against adversaries—from those who would do

harm, intentionally or otherwise.

Security for information technology (IT) refers to the methods, tools and

personnel used to defend an organization's digital assets.

The goal of IT security is to protect these assets, devices and services from

being disrupted, stolen or exploited by unauthorized users, otherwise

known as threat actors.

A successful organization should have multiple layers of security in

2 place:-
 Cont…
 Physical security :-to protect the physical items, objects or areas of an

organization ,from unauthorized access and misuse

 Personal Security :- to protect the individuals or group of individuals who

are authorized to access the organization and its operation

 Operational security :- to protect the details of a particular operation or a

series of activities from unauthorized access.

 Communication security :- to protect an organizations communication

media, technology and content from unauthorized access

 Network security:-to protect networking components, connections and

contents
3
 Information Security
 The protection of information and its critical elements, including systems and
hardware that use, store that information
 Protecting information and information systems from unauthorized access, use,
disclosure, disruption, modification, perusal, inspection, recording or
destruction.

Information security = confidentiality + integrity + availability +

authentication

 It is a well-informed sense of assurance that the information risks and controls

are in balance.

 The terms information security, computer security and information assurance are

frequently incorrectly used interchangeably.

4
 Cont…
 Information security is concerned with the confidentiality, integrity and

availability of data regardless of the form the data may take: electronic, print, or

other forms.

 Computer security can focus on ensuring the availability and correct operation of

a computer system without concern for the information stored or processed by

the computer.

 Information security offers many areas for specialization including: securing

network(s) and allied infrastructure, securing applications and databases,

security testing, information systems auditing, business continuity

planning and digital forensics science, etc.

 Information assurance, which focuses on ensuring the availability, integrity,

5
authentication, confidentiality, and non-repudiation of information and systems.
 Goals of Security

To
Toensure
ensure:CIA
:CIA
Confidentiality
Confidentiality Safeguards
Safeguards information
information from
from
being
being accessed
accessed byby individuals
individuals without
without the
the
proper
proper clearance,
clearance, access
access level,
level, and
and need
need toto
know.
know.
Integrity:
Integrity: Results
Results from
from the
the protection
protection ofof
unauthorized
unauthorized modification
modification or or destruction
destruction of
of
information.
information.
Availability:
Availability: Information
Information services
services are are
accessible
accessiblewhen
whenthey
theyare
areneeded.
needed.

6
 Key Information Security Concepts
 Access: A subject or object’s ability to use, manipulate, modify, or

affect another subject or object. Authorized users have legal access to

a system, whereas hackers have illegal access to a system. Access
controls regulate this ability.
 Asset: The organizational resource that is being protected. An asset

can be logical, such as a Web site, information, or data; or an asset can

be physical, such as a person, computer system, or other tangible
object.
 Assets, and particularly information assets, are the focus of security

efforts; they are what those efforts are attempting to protect.

7  Attack: An intentional or unintentional act that can cause damage to

 Cont…
 Control, safeguard, or countermeasure: Security mechanisms, policies,

or procedures that can successfully counter attacks, reduce risk, resolve

vulnerabilities, and otherwise improve the security within an organization.
 Exposure: A condition or state of being exposed. In information security,

exposure exists when a vulnerability known to an attacker is present.

 Loss: A single instance of an information asset suffering damage or

unintended or unauthorized modification or disclosure.

 Risk: The probability that something unwanted will happen.
Organizations must minimize risk to match their risk appetite the
quantity and nature of risk the organization is willing to accept.

8
 Cont…
 Threat: A category of objects, persons, or other entities that presents a

danger to an asset. Threats are always present and can be purposeful or

undirected.
 Vulnerability: A weaknesses or fault in a system or protection

mechanism that opens it to attack or damage. Some examples of

vulnerabilities are a flaw in a software package, an unprotected system
port, and an unlocked door.
 Authentication:- is the assurance that the communicating entity is the

one that it claims to be.(Authentication is verifying who you are)

 Authentication serves as proof that you are who you say you are

9 or what you claim to be.

 Contd.
 Authorization:- refers to the ability to control the level of access that

individuals or entities have to a network or system and how much

information they can receive. Authorization is granting or denying access to
a service based on who you say you are.
 Confidentiality:- can also be called privacy or secrecy and refers to the

protection of information from unauthorized disclosure. (Accessed only by

authorized user).
 Usually achieved either by restricting access to the information or by

encrypting the information so that it is not meaningful to unauthorized

individuals or entities.
 Availability:- Availability enables authorized users. persons or computer

systems to access information without interference or obstruction and to

10
receive it in the required format.
 Contd.
 Accuracy :-Information has accuracy when it is free from mistakes or

errors and it has the value that the end user expects. If information has
been intentionally or unintentionally modified, it is no longer accurate.
 Authenticity:- Authenticity of information is the quality or state of

being genuine or original, rather than a reproduction or fabrication.

Information is authentic when it is in the same state in which it was
created, placed, stored, or transferred.
 Utility:- The utility of information is the quality or state of having

value for some purpose or end. Information has value when it can serve
a purpose. If information is available, but is not in a format meaningful

11 to the end user, it is not useful.

 Contd.

 Data Integrity:- refers to the assurance of data received are exactly

as sent by an authorized entity.

 Integrity is the process of validating that the data provided by an

authenticated source has not been changed..
 Possession :-The possession of information is the quality or state of

ownership or control.
 Information is said to be in one’s possession if one obtains it,

independent of format or other characteristics.

12
 Components of an Information System
 An information system (IS) is the entire set of software, hardware,
data, people, procedures, and networks that make possible the use of
information resources in the organization.
 Software:-The software component of the IS comprises applications,
operating systems, and assorted command utilities. Software is
perhaps the most difficult IS component to secure .

13
 Cont…
 Hardware:-Hardware is the physical technology that houses and

executes the software, stores and transports the data, and provides
interfaces for the entry and removal of information from the system.
 Data:-Data stored, processed, and transmitted by a computer system

must be protected. Data is often the most valuable asset possessed by

an organization and it is the main target of intentional attacks.
 People:-Though often overlooked in computer security considerations,

people have always been a threat to information security. Unless

policy, education and training, awareness, and technology are properly
employed to prevent people from accidentally or intentionally

14
damaging or losing information, they will remain the weakest link.
 Cont…
 Procedures:-Another frequently overlooked component of an IS is
procedures. Procedures are written instructions for accomplishing a
specific task. When an unauthorized user obtains an organization’s
procedures, this poses a threat to the integrity of the information.
 Networks:- The IS component that created much of the need for
increased computer and information security is networking. When
information systems are connected to each other to form local area
networks (LANs), and these LANs are connected to other networks
such as the Internet, new security challenges rapidly emerge.
 The physical technology that enables network functions is becoming
more and more accessible to organizations of every size.
 Applying the traditional tools of physical security, such as locks and
keys, to restrict access to and interaction with the hardware
components of an information system are still important; but when
computer systems are networked, this approach is no longer enough.
15
 Information Security Mechanisms
 A mechanism that is designed to detect, prevent or recover

from a security attack.

 Are technical tools and techniques that are used to implement

security services. A mechanism might operate by itself, or with

others, to provide a particular service.

16
 Cont…
 Encipherment: is hiding or covering data and can provide confidentiality. It makes

use of mathematical algorithms to transform data into a form that is not readily
intelligible.
 The transformation and subsequent recovery of the data depend on an algorithm and

zero or more encryption keys.

 Cryptography and Steganography techniques are used for enciphering.

 Data integrity: The data integrity mechanism appends a short check value to the

data which is created by a specific process from the data itself.

 The receiver receives the data and the check value.

 The receiver then creates a new check value from the received data and compares the

newly created check value with the one received.

 If the two check values match, the integrity of data is being preserved.

17  Else either creation, omission or manipulation has been done

 Cont…
 Digital Signature: A digital signature is a way by which the sender

can electronically sign the data and the receiver can electronically
verify it.
 It is an electronic equivalent of hand written signature.

 It has three purposes

 Authentication : A digital signature gives the receiver reason to believe the

message was created and sent by the claimed sender.

 Non –repudiation :- With digital signature , the sender can not deny having

sent the message latter on.

 Integrity: A digital signature ensures the message was not altered in transit.

18
 Cont…
 The sender uses a process in which the sender owns a private key

related to the public key that he or she has announced publicly.

 The receiver uses the sender's public key to prove the message is

indeed signed by the sender who claims to have sent the message.
 Authentication exchange: A mechanism intended to ensure the

identity of an entity by means of information exchange.

 Authentication is the ability to prove that a user or application is

genuinely who that person or what that application claims to be.

 The two entities exchange some messages to prove their identity to

each other.
19
 Cont…
 This can be done by using any one or more of the

following:
A password or character sequence known only to you or the

program
A key card or other physical authorization unique to you

Your fingerprints, signature, or other item that identifies only

you
Authentication techniques range from quite simple to very

complex. The traditional use of passwords is a middle-of-

20
the road example of an authentication method
 Cont…
 Notarization: The use of a trusted third party to control the

communication between the two parties.

 It prevents repudiation. The receiver involves a trusted third

party to store the request to prevent the sender from later

denying that he or she has made such a request.
 Routing control: Enables selection of particular physically

secure routes for certain data and allows routing changes

which means selecting and continuously changing different
available routes between the sender and the receiver to prevent
21 the attacker from traffic analysis on a particular route.
 Cont…
 Auditing is the process of recording and checking events to detect

whether any unexpected or unauthorized activity has taken place,

or whether any attempt has been made to perform such activity.
 Authorization protects critical resources in a system by limiting

access only to authorized users and their applications.

 It prevents the unauthorized use of a resource or the use of a

resource in an unauthorized manner.

22
 Why Is Computer and Network Security Important?

1. To protect company assets:- One of the primary goals of computer and network

security is the protection of company assets (hardware, software and/or information).

2. To gain a competitive advantage:- Developing and maintaining effective security

measures can provide an organization with a competitive advantage over its

competition

3. To comply with regulatory requirements and fiduciary responsibilities:-

organizations that rely on computers for their continuing operation must develop

policies and procedures that address organizational security requirements.

 Such policies and procedures are necessary not only to protect company assets

but also to protect the organization from liability (danger)

4. To keep your job:-Security should be part of every network or systems

23
administrator's job. Failure to perform adequately can result in termination.
 Cont…
 This state of security can be guaranteed if the following four protection

mechanisms are in place:

 Deterrence: is usually the first line of defense against intruders /who may

try to gain access.

 It works by creating an atmosphere intended to frighten intruders.

 This may involve warnings of severe consequences if security is breached.

 Prevention: is the process of trying to stop intruders from gaining access to

the resources of the system.

 Barriers include firewalls, and use of access items like keys, access cards,

biometrics, and others to allow only authorized users to use and access a
facility.
24
 Cont…

 Detection: occurs when the intruder has succeeded or is in the

process of gaining access to the system.

 Signals from the detection process include alerts to the existence

of an intruder.
Sometimes these alerts can be real time or stored for further

analysis by the security personnel.

 Response: is an aftereffect mechanism that tries to respond to the

failure of the first three mechanisms.

It works by trying to stop and/or prevent future damage or access

to a facility.
25
 Security Principles
 Some of information security principles are :-

 Least privilege

 Economy of mechanism

 Complete mediation

 Open design

 Separation of privilege

 Least common mechanism

 Psychological acceptability

 Fail-safe defaults

26
 Cont…
 Least Privilege

 The principle of least privilege states that a subject should be given

only those privileges that it needs in order to complete its task..

 A good example of the use of this principle is role-based access

control.
 The system security policy can identify and define the various roles

of users or processes. Each role is assigned only those permissions

needed to perform its functions.
 If a subject does not need an access right, the subject should not

have that right.

 This is the analogue of the “need to know” rule: if the subject does
27
not need access to an object to perform its task, it should not have
 Cont…
 Economy of Mechanism

 The principle of economy of mechanism states that security

mechanisms should be as simple as possible.
 Complex mechanisms may not be correctly:
Understood
 Modeled
 Configured
 Implemented
Used

 If a design and implementation are simple, fewer possibilities exist

for errors. The checking and testing process is less complex, because
28 fewer components and cases need to be tested.
 Cont…
 Separation of Privilege

 The principle of separation of privilege states that a systems should

not grant permission based on a single condition.

Separation of duty

Two persons rule

 For example, company checks for more than $75,000 must be signed

by two officers of the company.

 If either does not sign, the check is not valid. The two conditions are

the signatures of both officers.

29
 Cont…
 Least Common Mechanism

 The principle of least common mechanism states that mechanisms used to

access resources should not be shared.

 Sharing resources provides a channel along which information can be

transmitted, and so such sharing should be minimized.

 Minimize the amount of mechanism common to more than one user and

depended on by all users.

 Fail-Safe Defaults

 The principle of fail-safe defaults states that, unless a subject is given

explicit access to an object, it should be denied access to that object.

 This principle requires that the default access to an object is none.

Whenever access, privileges, or some security-related attribute is not

30
explicitly granted, it should be denied.
 Ensuring Security
 The key areas to consider when safeguarding your information and assets are

listed below:

 Update your software

 New versions of software are released to address security problems that have

been found. Updating your software ensures you take full advantage of all
the security upgrades.
 If you do not update the software you can put your computer at risk of

viruses and other problems because the software is no longer supported.

 Use anti-virus software.

 Anti-virus companies spend their time ensuring their software helps stops

known viruses. If you have a current and up-to-date version, you can be
assured that the software is looking out for problems and blocking them.
31
 Cont…
 Be suspicious of unsolicited phone calls or emails.

 Unsolicited emails and phone calls are trying to get you to do

something that will benefit someone else.

 It might be just spam trying to get you to buy things, or it might be

trying to get you to access something that will put a virus on your
computer or give others access to your information.
 Back up your data

 If you have a problem with your computer and it needs to be reset

or even replaced, you will still have access to your information if

you have backed it up.
32
 Cont…
 Use legitimate software.

 You should always use legitimate software that you have purchased

from a vendor or downloaded from the company’s website.

 Set strong passwords and use different passwords for different
accounts.
 A password that is strong and changed regularly makes it harder for

people to access your information.

 If you use the same password for all your accounts and one account

is compromised, the person accessing your account is more likely to

be able to guess all your other passwords and access those accounts
too.
33
 Security Policy
 What is a security policy?

 Why do we need them?

 What makes a security policy effective(criteria)?

 Who involved In policy?

 Designing a policy?

34
 What is Security Policy?

 Is a document or set of documents that states an organizations

intentions and decisions on what and how electronic

information should be secured.

 A statement of what is and what is not allowed

 It is also a set of rules laid down by the security authority

governing the use and provisions of security services and

facilities. Eg
 Access control policy.
 Network security policy.
 Data security policy.
 Physical security policy.
 Disaster recovery and business continuity policy.
35
 Password policy.
 Cont…
 Objectives

 Reduced risk

 Compliance with laws and regulations

 Assurance of operational continuity, information integrity, and

confidentiality
 Policies are the least expensive means of control and often the most

difficult to implement
 Basic rules for shaping a policy

 Policy should never conflict with law

 Policy must be able to stand up in court if challenged

36  Policy must be properly supported and administered

 Why do we need a security policy?
 Provides a comprehensive framework for the selection and
implementation of security measures
 It’s a communication means among different stakeholders

 Management of resources

 people, skills, money, time

 Conveys the importance of security to all members of the organization

 Helps create a “security culture”

 Shared beliefs and values concerning security

 Helps promote “trust relationships” between the organizations and

its business partners / clients

37
 What makes a security policy effective(criteria)?
 Dissemination(distribution)- the organization must be able to
demonstrate that the policy has been made readily available for review by
the employee. Common dissemination techniques includes hard copy and
electronic distribution.
 Review(reading):-the organizations must be able to demonstrate that it
disseminated the document in an intelligible form, including versions for
illiterate, non-English reading and reading impaired employees, common
techniques include according the policy in English and other language.
 Comprehension(understanding):-the organization must be able to
demonstrate that the employee understood the requirements and content
of the policy. Common techniques include quizzes and other assessments.

38
 Cont…
 Compliance(agreement):-the organization must be able to demonstrate that

the employees agrees to comply with the policy through act or affirmation.

 Common techniques includes logon banners which require a specific

action(mouse click or keystroke) to acknowledge agreement or signed

document clearly indicating the employee has read understood and to comply

with the policy.

 Uniform enforcement:- the organization must be able to demonstrate that the

policy has been uniformly enforced regardless of employee status or

assignment
39
 Who involved In IS Policy?
Security experts
design, review and update the policy
System / network administrators
implement security controls, guidelines
Management
set security goals
provide resources
Users
follow security procedures
Auditors
monitor compliance

40
 ou !
nk Y
Th a

41