Lecture 1 Introduction to Security

Systems
BSc (Hons) Information Systems Level 3
Learning Objectives
Upon completion of this material, you should be able to:

ƒ Understand the definition of information security

ƒ Understand the key terms and critical concepts of
information security
ƒ Outline the phases of the security systems development
life cycle
ƒ Understand the key terms used in security systems

2
The Present

ƒ The Internet brings millions of computer networks into

communication with each other—many of them
unsecured

ƒ Ability to secure a computer’s data influenced by the

security of every computer to which it is connected

3
What is Security?

ƒ “The quality or state of being secure—to be free from

danger”
ƒ A successful organization should have multiple layers of
security in place:
ƒ Physical security
ƒ Personal security
ƒ Operations security
ƒ Communications security
ƒ Network security
ƒ Information security
4
What is Information Security?

ƒ The protection of information and its critical elements,

including systems and hardware that use, store, and
transmit that information
ƒ Necessary tools: policy, awareness, training, education,
technology
ƒ C.I.A. triangle was standard based on confidentiality,
integrity, and availability
ƒ C.I.A. triangle now expanded into list of critical
characteristics of information

5
6
Critical Characteristics of Information
ƒ The value of information comes from the characteristics it
possesses:
ƒ Timeliness
ƒ No value if it is too late
ƒ Availability
ƒ No interference or obstruction
ƒ Required format
ƒ Accuracy
ƒ Free from mistakes
ƒ Authenticity
ƒ Quality or state of being genuine, i.e., sender of an email
ƒ Confidentiality
ƒ Disclosure or exposure to unauthorized individuals or system is prevented

7
 Critical Characteristics of Information
ƒ Integrity
ƒ Whole, completed, uncorrupted
ƒ Cornerstone
ƒ Size of the file, hash values, error-correcting codes,
retransmission
ƒ Utility
ƒ Having value for some purpose
ƒ Possession
ƒ Ownership
ƒ Breach of confidentiality results in the breach of possession, not
the reverse

8
Components of an Information System

ƒ Information System (IS) is entire set of software, hardware, data,

people, procedures, and networks necessary to use information as
a resource in the organization
ƒ Software
ƒ Perhaps most difficult to secure
ƒ Easy target
ƒ Exploitation substantial portion of attacks on information
ƒ Hardware
ƒ Physical security policies
ƒ Securing physical location important
ƒ Laptops
ƒ Flash memory

9
 Components of an Information System
ƒ Data
ƒ Often most valuable asset
ƒ Main target of intentional attacks
ƒ People
ƒ Weakest link
ƒ Social engineering
ƒ Must be well trained and informed
ƒ Procedures
ƒ Threat to integrity of data
ƒ Networks
ƒ Locks and keys won’t work

10
Securing Components
ƒ Computer can be subject of an attack and/or the object
of an attack

ƒ When the subject of an attack, computer is used as an

active tool to conduct attack

ƒ When the object of an attack, computer is the entity being

attacked
ƒ 2 types of attack
ƒ Direct
ƒ Hacker uses their computer to break into a system
ƒ Indirect
ƒ System is compromised and used to attack other systems

11
Figure 1-5 – Subject and Object of
Attack

12
Balancing Information Security and Access

ƒ Impossible to obtain perfect security—it is a process, not

an absolute

ƒ Security should be considered balance between

protection and availability

ƒ To achieve balance, level of security must allow

reasonable access, yet protect against threats

13
Figure 1-6 – Balancing Security and
Access

14
 Approaches to Information Security
Implementation: Bottom-Up Approach
ƒ Grassroots effort: systems administrators attempt to
improve security of their systems

ƒ Key advantage: technical expertise of individual

administrators

ƒ Seldom works, as it lacks a number of critical features:

ƒ Participant support

ƒ Organizational staying power

15
Approaches to Information Security
Implementation: Top-Down Approach

ƒ Initiated by upper management

ƒ Issue policy, procedures and processes

ƒ Dictate goals and expected outcomes of project

ƒ Determine accountability for each required action

ƒ The most successful also involve formal development

strategy referred to as systems development life cycle

16
The Systems Development Life Cycle
ƒ Systems development life cycle (SDLC) is methodology
and design for implementation of information security within
an organization
ƒ Methodology is formal approach to problem-solving based
on structured sequence of procedures
ƒ Using a methodology
ƒ ensures a rigorous process
ƒ avoids missing steps
ƒ Goal is creating a comprehensive security posture/program
ƒ Traditional SDLC consists of six general phases
17
18
The Security Systems Development Life Cycle

ƒ The same phases used in traditional SDLC may be

adapted to support specialized implementation of an IS
project

ƒ Identification of specific threats and creating controls to

counter them

ƒ SecSDLC is a coherent program rather than a series of

random, seemingly unconnected actions

19
The Security Systems Development Life Cycle

ƒ Investigation
ƒ Identifies process, outcomes, goals, and constraints of the
project

ƒ Begins with enterprise information security policy

ƒ Analysis

ƒ Existing security policies, legal issues,

ƒ Perform risk analysis

20
 The Security Systems Development Life Cycle

ƒ Logical Design
ƒ Creates and develops blueprints for information security

ƒ Incident response actions: Continuity planning, Incident

response, Disaster recovery

ƒ Feasibility analysis to determine whether project should

continue or be outsourced

ƒ Physical Design
ƒ Needed security technology is evaluated, alternatives
generated, and final design selected
Principles of Information Security, 2nd Edition 21
 The Security Systems Development Life Cycle
ƒ Implementation
ƒ Security solutions are acquired, tested, implemented, and
tested again
ƒ Personnel issues evaluated; specific training and education
programs conducted
ƒ Entire tested package is presented to management for final
approval

ƒ Maintenance and Change

ƒ Most important
ƒ Constant changing threats
ƒ Constant monitoring, testing updating and implementing
change

22
Information Security Project Team

ƒ A number of individuals who are experienced in one or

more facets of technical and non-technical areas:
ƒ Team leader: project manager, departmental level
manager
ƒ Security policy developers
ƒ Risk assessment specialists
ƒ Security professionals
ƒ Systems administrators
ƒ End users

23
Data Ownership

ƒ Data Owner: responsible for the security and use of a

particular set of information

ƒ Data Custodian: responsible for storage, maintenance,

and protection of information

ƒ Data Users: end users who work with information to

perform their daily jobs supporting the mission of the
organization

24
 Key Concepts of Information
Security
ƒ Confidentiality
ƒ Confidentiality of information ensures that only those
with sufficient privileges may access certain information
ƒ To protect confidentiality of information, a number of
measures may be used including:
ƒ Information classification
ƒ Secure document storage
ƒ Application of general security policies
ƒ Education of information custodians and end users

25
Key Concepts of Information
Security
ƒ Integrity

ƒ Integrity is the quality or state of being whole, complete,

and uncorrupted

ƒ The integrity of information is threatened when it is

exposed to corruption, damage, destruction, or other
disruption of its authentic state

ƒ Corruption can occur while information is being

compiled, stored, or transmitted
26
 Key Concepts of Information
Security
ƒ Availability

ƒ Availability is making information accessible to user

access without interference or obstruction in the
required format

ƒ A user in this definition may be either a person or

another computer system

ƒ Availability means availability to authorized users

27
 Key Concepts of Information
Security
ƒ Privacy

ƒ Information is to be used only for purposes known to

the data owner

ƒ This does not focus on freedom from observation, but

rather that information will be used only in ways known
to the owner

28
 Key Concepts of Information
Security
ƒ Identification

ƒ Information systems possess the characteristic of

identification when they are able to recognize individual
users

ƒ Identification and authentication are essential to

establishing the level of access or authorization that an
individual is granted
29
 Key Concepts of Information
Security
ƒ Authentication

ƒ Authentication occurs when a control provides proof

that a user possesses the identity that he or she claims

30
 Key Concepts of Information
Security
ƒ Authorization

ƒ After the identity of a user is authenticated, a process

called authorization provides assurance that the user
(whether a person or a computer) has been specifically
and explicitly authorized by the proper authority to
access, update, or delete the contents of an information
asset

31
 Key Concepts of Information
Security
ƒ Accountability

ƒ The characteristic of accountability exists when a

control provides assurance that every activity
undertaken can be attributed to a named person or
automated process

32
Other Key Terms

ƒ Access ƒ Security Blueprint

ƒ Asset ƒ Security Model
ƒ Attack ƒ Security Posture or
ƒ Control, Safeguard or Security Profile
Countermeasure ƒ Subject
ƒ Exploit
ƒ Threats
ƒ Exposure
ƒ Threat Agent
ƒ Hacking
ƒ Vulnerability
ƒ Object
ƒ Risk

33
 Key Terms
ƒ Attack: deliberate act that exploits a vulnerability to
achieve the compromise of a controlled system
ƒ Accomplished by a threat agent that damages or steals an
organization’s information or physical asset
ƒ Exploit: technique or mechanism used to compromise a
system
ƒ Vulnerability: identified weakness of a controlled system in
which necessary controls are not present or are no longer
effective
Threats to Information Security
Some Common Attacks
ƒ Malicious code „ Spoofing
ƒ Hoaxes „ Man-in-the-middle
ƒ Back doors „ Spam
ƒ Password crack „ Mail bombing
ƒ Brute force „ Sniffer
ƒ Dictionary „ Social engineering
ƒ Denial-of-service „ Buffer overflow
(DoS) and distributed „ Timing
denial-of-service
(DDoS)
 Attacks
ƒ An attack is the deliberate act that exploits
vulnerability
ƒ It is accomplished by a threat-agent to damage or
steal an organization’s information or physical
asset
ƒ An exploit is a technique to compromise a system
ƒ A vulnerability is an identified weakness of a controlled
system whose controls are not present or are no longer
effective
ƒ An attack is then the use of an exploit to achieve the
compromise of a controlled system
37
 Malicious Code
ƒ This kind of attack includes the
execution of viruses, worms, Trojan
horses, and active web scripts with
the intent to destroy or steal
information
ƒ The state of the art in attacking
systems in 2002 is the multi-vector
worm using up to six attack vectors
to exploit a variety of vulnerabilities
in commonly found information
system devices

38
39
 Attack Descriptions
ƒ IP Scan and Attack – Compromised system scans random or local
range of IP addresses and targets any of several vulnerabilities
known to hackers or left over from previous exploits

ƒ Web Browsing - If the infected system has write access to any Web
pages, it makes all Web content files infectious, so that users who
browse to those pages become infected

ƒ Virus - Each infected machine infects certain common executable or

script files on all computers to which it can write with virus code that
can cause infection

40
 Attack Descriptions
ƒ Unprotected Shares - using file shares to copy viral component to
all reachable locations

ƒ Mass Mail - sending e-mail infections to addresses found in address

book

ƒ Simple Network Management Protocol - SNMP vulnerabilities

used to compromise and infect

ƒ Hoaxes - A more devious approach to attacking computer systems is

the transmission of a virus hoax, with a real virus attached

41
 Attack Descriptions
ƒ Back Doors - Using a known or previously unknown and newly discovered
access mechanism, an attacker can gain access to a system or network
resource

ƒ Password Crack - Attempting to reverse calculate a password

ƒ Brute Force - The application of computing and network resources to try

every possible combination of options of a password

ƒ Dictionary - The dictionary password attack narrows the field by selecting

specific accounts to attack and uses a list of commonly used passwords
(the dictionary) to guide guesses

42
 Attack Descriptions
ƒ Denial-of-service (DoS) –
ƒ attacker sends a large number of connection or information requests to a target
ƒ so many requests are made that the target system cannot handle them
successfully along with other, legitimate requests for service
ƒ may result in a system crash, or merely an inability to perform ordinary
functions

ƒ Distributed Denial-of-service (DDoS) - an attack in which a

coordinated stream of requests is launched against a target from
many locations at the same time

43
44
 Attack Descriptions
ƒ Spoofing - technique used to gain unauthorized access
whereby the intruder sends messages to a computer with an
IP address indicating that the message is coming from a
trusted host

ƒ Man-in-the-Middle - an attacker sniffs packets from the

network, modifies them, and inserts them back into the
network

ƒ Spam - unsolicited commercial e-mail - while many consider

spam a nuisance rather than an attack, it is emerging as a
vector for some attacks
45
46
47
 Attack Descriptions
ƒ Mail-bombing - another form of e-mail attack that is also a
DoS, in which an attacker routes large quantities of e-mail to
the target

ƒ Sniffers - a program and/or device that can monitor data

traveling over a network. Sniffers can be used both for
legitimate network management functions and for stealing
information from a network

ƒ Social Engineering - within the context of information security,

the process of using social skills to convince people to reveal
access credentials or other valuable information to the attacker

48
 Attack Descriptions
ƒ “People are the weakest link. You can have the
best technology; firewalls, intrusion-detection
systems, biometric devices ... and somebody can
call an unsuspecting employee. That's all she
wrote, baby. They got everything.”

ƒ “brick attack” – the best configured firewall in the

world can’t stand up to a well placed brick

49
 Attack Descriptions
ƒ Buffer Overflow –
ƒ application error occurs when more data is sent to a
buffer than it can handle
ƒ when the buffer overflows, the attacker can make the
target system execute instructions, or the attacker can
take advantage of some other unintended consequence
of the failure
ƒ Usually the attacker fill the overflow buffer with
executable program code to elevate the attacker’s
permission to that of an administrator.

50
 Attack Descriptions
ƒ Ping of Death Attacks --
ƒ A type of DoS attack
ƒ Attacker creates an ICMP packet that is larger than the
maximum allowed 65,535 bytes.
ƒ The large packet is fragmented into smaller packets and
reassembled at its destination.
ƒ Destination user cannot handle the reassembled
oversized packet, thereby causing the system to crash or
freeze.

51
 Attack Descriptions
ƒ Timing Attack –
ƒ relatively new
ƒ works by exploring the contents of a web browser’s
cache
ƒ can allow collection of information on access to
password-protected sites
ƒ another attack by the same name involves attempting to
intercept cryptographic elements to determine keys and
encryption algorithms

52
 Summary

ƒ Unlike any other aspect of IT, information security’s primary mission to ensure
things stay the way they are
ƒ Information security performs four important functions:
ƒ Protects organization’s ability to function
ƒ Enables safe operation of applications implemented on organization’s IT
systems
ƒ Protects data the organization collects and uses

ƒ Safeguards the technology assets in use at the

organization

53
 Summary

ƒ Threat: object, person, or other entity representing a

constant danger to an asset

ƒ Management effectively protects its information

through policy, education, training, and technology
controls

ƒ Attack: a deliberate act that exploits vulnerability

54
Summary

ƒ Information security is a “well-informed sense of

assurance that the information risks and controls are in
balance.”

ƒ Computer security began immediately after first

mainframes were developed

ƒ Successful organizations have multiple layers of security

in place: physical, personal, operations, communications,
network, and information.

55
Summary

ƒ Security should be considered a balance between

protection and availability

ƒ Information security must be managed similar to any

major system implemented in an organization using a
methodology like SecSDLC

ƒ Implementation of information security often described as

a combination of art and science

56