
1 Introduction

Information security involves protecting computer systems and data from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction. It encompasses confidentiality, integrity and availability of data using various technical and procedural controls to address threats from different types of attackers seeking to exploit vulnerabilities using various methods of attack.

Uploaded by Dhairya Thakkar

Let's check your understanding of Information Security

What Is Information Security?


• The protection of the assets of a computer system
• Hardware
• Software
• Data

Hardware:
• Computer
• Devices (disk drives, memory, printer)
• Network gear

Software:
• Operating system
• Utilities (antivirus)
• Commercial applications (word processing, photo editing)
• Individual applications

Data:
• Documents
• Photos
• Music, videos
• Email
• Class projects

Values of Assets

Off the shelf; easily replaceable

Hardware:
• Computer
• Devices (disk drives, memory, printer)
• Network gear

Software:
• Operating system
• Utilities (antivirus)
• Commercial applications (word processing, photo editing)

Unique; irreplaceable

Software:
• Individual applications

Data:
• Documents
• Photos
• Music, videos
• Email
• Class projects

Threat & Vulnerability

• Vulnerability
• Threat
• Attack
• Countermeasure or control

The water is the threat, the crack the vulnerability, and the finger the control (for now).
The National Institute of Standards and Technology (NIST) Computer Security Handbook defines the term Computer Security as:
“The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources” (includes hardware, software, firmware, information/data, and telecommunications).

• Confidentiality: preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
• Integrity: guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity
• Availability: ensuring timely and reliable access to and use of information

The CIA Triad

Confidentiality
• It ensures that computer-related assets are accessed only by authorized parties
• Access means reading, viewing, printing, or simply knowing that a particular asset exists
• It is sometimes also called secrecy or privacy

Integrity
• It means that assets can be modified only by authorized parties only in authorized ways.
• The integrity of an item is preserved if it is:
– Precise, accurate, unmodified, modified only in acceptable ways, modified by authorized people, modified by authorized processes, consistent, meaningful and usable.

Availability
• It applies to both data and data processing
• A data item, service or system is available if
– There is a timely response to our request
– Fair to all i.e. some requesters are not favored over others
– Fault tolerant
– There is controlled concurrency, deadlock management, and exclusive access as required

Access Control

Policy: Who + What + How = Yes/No

• Subject (who)
• Object (what)
• Mode of access (how)
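
The policy on this slide, Who + What + How = Yes/No, written out as a default-deny lookup that also reports which property a refusal protects. This is an added example, not part of the original slides; the subjects, objects, modes and the mode-to-property mapping are constructed for illustration.

```python
from typing import NamedTuple

class Request(NamedTuple):
    subject: str  # who
    obj: str      # what
    mode: str     # how

# Constructed policy: (subject, object) -> modes explicitly granted.
# Any triple not listed here is refused (default deny).
POLICY = {
    ("alice", "grades.db"): {"read", "write"},
    ("bob", "grades.db"): {"read"},
    ("bob", "syllabus.pdf"): {"read", "print"},
}

# Assumed mapping, following the slides' definitions: reading, printing or
# learning that an asset exists touches confidentiality; modifying it
# touches integrity.
PROPERTY = {
    "read": "confidentiality", "print": "confidentiality",
    "list": "confidentiality",
    "write": "integrity", "delete": "integrity",
}

def decide(req, policy=POLICY):
    """Yes only when the (who, what, how) triple is explicitly granted."""
    return req.mode in policy.get((req.subject, req.obj), set())

def evaluate(requests, policy=POLICY):
    """Return (request, allowed, property a denial protects or None)."""
    results = []
    for req in requests:
        allowed = decide(req, policy)
        protected = None if allowed else PROPERTY.get(req.mode, "unknown")
        results.append((req, allowed, protected))
    return results

if __name__ == "__main__":
    sample = [  # constructed requests
        Request("alice", "grades.db", "write"),
        Request("bob", "grades.db", "write"),
        Request("mallory", "grades.db", "list"),
    ]
    for req, allowed, protected in evaluate(sample):
        verdict = "YES" if allowed else "NO (protects %s)" % protected
        print(req.subject, req.mode, req.obj, "->", verdict)
```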

Types of Threats

Threats
• Natural causes (Examples: Fire, power failure)
• Human causes
– Benign intent (Example: Human error)
– Malicious intent
  - Random (Example: Malicious code on a general web site)
  - Directed (Example: Impersonation)

Advanced Persistent Threat (APT)

• Organized
• Directed
• Well financed
• Patient
• Silent

APT is a special type of threat that has only been taken seriously by the broad security community over the past decade. In general, security experts believe that no one who becomes a high-priority target can truly be safe from APT.

Types of Attackers

• Terrorist
• Criminal-for-hire
• Hacker
• Individual
• Loosely connected group
• Organized crime member

Each of these attacker types is associated with a different set of resources, capabilities & motivations.

Understanding the different types will help later in considering threats.

Types of Harm

• Interception
• Interruption
• Modification
• Fabrication

These are the primary types of harm against system data and functions. Understanding these possibilities is important to considering threat and risk.
Security Attacks
• Interruption: This is an attack on availability
• Interception: This is an attack on confidentiality
• Modification: This is an attack on integrity
• Fabrication: This is an attack on authenticity

Controls/Countermeasures

[Figure: controls plotted along three axes]
• Kind of Threat: Human/not, Malicious/not, Directed/not
• Control Type: Physical, Procedural, Technical
• Protects: Confidentiality, Integrity, Availability

• The three dimensions by which a control can be categorized.

• Thinking about controls in this way enables you to easily map the controls against the threats they help address.

Different Types of Controls

In this simple representation of a networked system, it is easy to see all the touch points where controls can be placed, as well as some different types of controls, including deterrence, deflection, response, prevention, and preemption.

Method, Opportunity and Motive
• Method: the skills, knowledge, tools and other things with which to be able to pull off the attack
• Opportunity: the time and access to accomplish the attack
• Motive: a reason to want to perform this attack against this system

DENY ANY OF THESE THREE THINGS AND ATTACKS WILL NOT OCCUR

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

Methods of Defense
• Prevent it, by blocking the attack or closing the vulnerability
• Deter it, by making attack harder if not impossible
• Deflect it, by making another target more attractive
• Mitigate it, by making its impact less severe
• Detect it, either as it happens or some time after the fact
• Recover from its effects

Methods of Defense
• Controls
– Encryption
– Hardware Controls
  • Hardware/smart card implementations of encryption
  • Locks or cables limiting access
  • Devices to verify users’ identity
  • Firewalls
  • Intrusion detection systems
– Software Controls
  • Internal program controls
  • OS and Network system controls
  • Independent control program (anti virus, passwords etc.)
  • Development control
– Policies and Procedures
– Physical Controls

Effectiveness of Controls
• Awareness of Problem
– Highlighting the need for security
• Likelihood of Use
– They must be efficient, easy to use, and appropriate
• Overlapping Controls
– Use several different controls, layered defense
• Periodic reviews
– Judging the effectiveness of control is an ongoing task

Other Exposed Assets
• Networks
– Network’s lack of physical proximity
– Use of insecure, shared media
– Inability to identify remote users positively
• Access
– Computer time
– Malicious access
– Denial of service to legitimate user
• Key People