
Chapter 1

The document discusses key concepts in information security including definitions of security, assets to protect, threats, and controls. It covers goals of security which are confidentiality, integrity and availability. The document also describes components of an information system that need protection including hardware, software, data, and networks.

Uploaded by

desalewminale

Chapter one
Introduction to Information
Assurance & Security concepts

Contents
Definition of Computer Security
The goals of secure computing
What asset do we need to protect?
The threats to security
Controls and security mechanism

Security is “the quality or state of being secure—to be free from danger.”
• In other words, protection against adversaries—from those who would do harm, intentionally or otherwise—is the objective.
National security, for example, is a multilayered system that protects the sovereignty of a state, its assets, its resources, and its people.

What Is Security?

Security/Information security:
• The Committee on National Security Systems (CNSS) defines information security as the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.
Computer Security:
• The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).

A successful organization should have the following multiple layers of security in place to protect its operations:
◦ Physical security, to protect physical items, objects, or areas from unauthorized access and misuse.
◦ Personnel security, to protect the individual or group of individuals who are authorized to access the organization and its operations
◦ Operations security, to protect the details of a particular operation or series of activities
◦ Communications security, to protect communications media, technology, and content
◦ Network security, to protect networking components, connections, and contents
◦ Information security, to protect the confidentiality, integrity and availability of information assets, whether in storage, processing, or transmission.
◦ It is achieved via the application of policy, education, training and awareness, and technology.

Key Information Security Concepts

• Access: A subject or object’s ability to use, manipulate, modify, or affect another subject or object.
Authorized users have legal access to a system, whereas hackers have illegal access to a system. Access controls regulate this ability.
• Asset: The organizational resource that is being protected.
An asset can be logical, such as a Web site, information, or data; or an asset can be physical, such as a person, computer system, or other tangible object.
• Assets, and particularly information assets, are the focus of security efforts; they are what those efforts are attempting to protect.
• Attack: An intentional or unintentional act that can cause damage to or otherwise compromise information and/or the systems that support it.
Attacks can be active or passive, intentional or unintentional, and direct or indirect.
Someone casually reading sensitive information not intended for his or her use is a passive attack.
A hacker attempting to break into an information system is an intentional attack.
A direct attack is a hacker using a personal computer to break into a system.
An indirect attack is a hacker compromising a system
• Control, safeguard, or countermeasure: Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization.
• Loss: A single instance of an information asset suffering damage or unintended or unauthorized modification or disclosure.
When an organization’s information is stolen, it has suffered a loss.
• Protection profile or security posture: The entire set of controls and safeguards, including policy, education, training and awareness, and technology, that the organization implements (or fails to implement) to protect the asset.
• Risk: The probability that something unwanted will happen.
Organizations must minimize risk to match their risk appetite—the quantity and nature of risk the organization is willing to accept.
• Subjects and objects: A computer can be either the subject of an attack—an agent entity used to conduct the attack—or the object of an attack—the target entity
• Threat: A category of objects, persons, or other entities that presents a danger to an asset.
Threats are always present and can be purposeful or undirected
• Vulnerability: A weakness or fault in a system or protection mechanism that opens it to attack or damage.
Some examples of vulnerabilities are a flaw in a software package, an unprotected system port, and an unlocked door.
Some well-known vulnerabilities have been examined, documented, and published; others remain latent (or undiscovered).

Security Goals
• When we talk about computer security, we mean that we are addressing three important aspects of any computer-related system:
• Confidentiality, Integrity, and Availability.
1. Confidentiality:
• Confidentiality ensures that computer-related assets are accessed only by authorized parties.
• That is, only those who should have access to something will actually get that access.
• By "access," we mean not only reading but also viewing, printing, or simply knowing that a particular asset exists.
• Confidentiality is sometimes called secrecy or privacy.
Information has confidentiality when it is protected from disclosure or exposure to unauthorized individuals or systems.
Confidentiality ensures that only those with the rights and privileges to access information are able to do so.
2. Integrity
Integrity means that assets can be modified only by authorized parties or only in authorized ways.
In this context, modification includes writing, changing, changing status, deleting, and creating.
• For example, if we say that we have preserved the integrity of an item, we may mean that the item is
◦ accurate
◦ unmodified
◦ modified only in acceptable ways
◦ modified only by authorized people
◦ modified only by authorized processes
◦ consistent
3. Availability
Availability means that assets are accessible to authorized parties at appropriate times.
In other words, if some person or system has legitimate access to a particular set of objects, that access should not be prevented.
For this reason, availability is sometimes known by its opposite, denial of service.
We say a data item, service, or system is available if:
• There is a timely response to our request.
• Resources are allocated fairly so that some requesters are not favored over others
• The service or system can be used easily and in the way it was intended to be used.
• Concurrency is controlled; that is, simultaneous access, deadlock management, and exclusive access are supported as required.
Note:
Security in computing addresses these three goals

Components of an Information System (assets)

An information system (IS) is much more than computer hardware; it is the entire set of software, hardware, data, people, procedures, and networks that make possible the use of information resources in the organization.
These six critical components enable information to be input, processed, output, and stored.
The assets of a computer system can be categorized as hardware, software, data, and communication lines and networks.
1) Hardware
Including computer systems and other data processing, data storage, and data communications devices.
Threats include accidental and deliberate damage to equipment as well as theft.
Hardware is the physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system.
Physical security policies deal with hardware as a physical asset and with the protection of physical assets from harm or theft.
2) Software
Software includes the operating system, utilities, and application programs.
The software component of the IS comprises applications, operating systems, and assorted command utilities.
• Software is perhaps the most difficult IS component to secure.
The exploitation of errors in software programming accounts for a substantial portion of
3) Data
Including files and databases, as well as security-related data, such as password files.
Data stored, processed, and transmitted by a computer system must be protected.
• Data is often the most valuable asset possessed by an organization and it is the main target of intentional attacks.
Systems developed in recent years are likely to make use of database management systems.
4) Communication facilities and networks
Includes local and wide area networks, communication links, bridges, routers and so on.
When information systems are connected to each other to form local area networks (LANs), and these LANs are connected to other networks such as the Internet, new security challenges rapidly emerge.

Vulnerabilities, Threats and attack
A vulnerability is a weakness in the security system, for example, in procedures, design, or implementation, that might be exploited to cause loss or harm.
For instance, a particular system may be vulnerable to unauthorized data manipulation because the system does not verify a user's identity before allowing data access.
The following are general categories of vulnerabilities of a computer system or network asset:
• It can be corrupted, so that it does the wrong thing or gives wrong answers.
For example, stored data values may differ from what they should be because they have been improperly modified.
• It can become leaky. For example, someone who should not have access to some or all of the information available through the network obtains such access.
• It can become unavailable or very slow. That is, using the system or network becomes impossible or impractical.
It is sometimes easier to consider vulnerabilities as they apply to all three broad categories of system resources (hardware, software, and data)
1) Hardware Vulnerabilities
Hardware is more visible than software, largely because it is composed of physical objects
2) Software Vulnerabilities
Software can be replaced, changed, or destroyed maliciously, or it can be modified, deleted, or misplaced accidentally
◦ Software Deletion
◦ Software Modification
◦ Software Theft
3) Data Vulnerabilities
Other Exposed Assets
Networks

Threat
A threat to a computing system is a set of circumstances that has the potential to cause loss or harm
A threat is a potential violation of security. The violation need not actually occur for there to be a threat.
The fact that the violation might occur means that those actions that could cause it to occur must be guarded against (or prepared for).
Those actions are called attacks. Those who execute such actions, or cause them to be executed, are called attackers.
A threat is blocked by control of a vulnerability.
We can view any threat as being one of three kinds:
1. Unauthorized disclosure: is a threat to confidentiality
2. Deception: is a threat to either system integrity or data integrity
3. Disruption: is a threat to availability or system integrity.

1) Unauthorized disclosure:
a) Interception
Interception is a common attack in the context of communications.
On a shared local area network (LAN), such as a wireless LAN or a broadcast Ethernet, any device attached to the LAN can receive a copy of packets intended for another device.
On the Internet, a determined hacker can gain access to e-mail traffic and other data transfers
b) Exposure: This can be deliberate, as when an insider intentionally releases sensitive information, such as credit card numbers, to an outsider. It can also be the result of a human, hardware, or software error, which results in an entity gaining unauthorized knowledge of sensitive data.

2) Deception
a) Falsification: This refers to the altering or replacing of valid data or the introduction of false data into a file or database.
For example, a student may alter his or her grades on a school database.
b) Repudiation: In this case, a user either denies sending data or a user denies receiving or possessing the data.

3) Disruption
a) Corruption: This is an attack on system integrity. Malicious software in this context could operate in such a way that system resources or services function in an unintended manner.

When we prepare to test a system, we usually try to imagine how the system can fail; we then look for ways in which the requirements, design, or code can enable such failures.
In the same way, when we prepare to specify, design, code, or test a secure system, we try to imagine the vulnerabilities that would prevent us from reaching one or more of our three security goals.

• There are many threats to a computer system, including human-initiated and computer-initiated ones.
• We have all experienced the results of inadvertent human errors, hardware design flaws, and software failures.
• But natural disasters are threats, too; they can bring a system down when the computer room is flooded or the data center collapses from an earthquake, for example.

Security attacks
A human who exploits a vulnerability perpetrates an attack on the system.
An attack can also be launched by another system, as when one system sends an overwhelming set of messages to another, virtually shutting down the second system's ability to function.
Unfortunately, we have seen this type of attack frequently, as denial-of-service attacks flood servers with more messages than they can handle.

SECURITY ATTACKS
Security attacks can be classified as passive attacks and active attacks.
• A passive attack attempts to learn or make use of information from the system but does not affect system resources.
• An active attack attempts to alter system resources or affect their operation.

Passive Attacks
• Passive attacks are in the nature of eavesdropping on, or monitoring of transmissions.
• The goal of the opponent is to obtain information that is being transmitted.
• Two types of passive attacks are the release of message contents and traffic analysis.
• The release of message contents is easily understood (Figure 1.2a).
• A telephone conversation, an electronic mail message, and a transferred file may contain sensitive or
A second type of passive attack, traffic analysis. (Figure 1.2b).
Suppose that we had a way of masking the contents of messages or other information traffic so that opponents, even if they captured the message, could not extract the information from the message.
Passive attacks are very difficult to detect, because they do not involve any alteration of the data.

Active Attacks
Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into 4 categories: masquerade, replay, modification of messages, and denial of service.
A masquerade takes place when one entity pretends to be a different entity (Figure 1.3a).
• A masquerade attack usually includes one of the other forms of active attack.
• For example, authentication sequences can be captured and replayed after a valid authentication sequence has taken place, thus enabling an authorized entity with few privileges to obtain extra privileges by impersonating an entity that has those privileges.
• Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect (Figure 1.3b).
• Modification of messages simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect (Figure 1.3c).
• For example, a message meaning “Allow John Smith to read confidential file accounts” is modified to mean “Allow Fred Brown to read confidential file accounts.”
• The denial of service prevents or inhibits the normal use or management of communications facilities (Figure 1.3d).
• This attack may have a specific target; for example, an entity

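The following is an added example, not part of the original slides, showing how a receiver can detect the masquerade, replay and modification-of-messages cases described above using a message authentication code, a nonce and a timestamp. The names `seal`, `Receiver` and `MAX_SKEW_SECONDS`, the pre-shared key and the 30-second freshness window are assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

MAX_SKEW_SECONDS = 30  # assumed freshness window, not taken from the slides
SIGNED_FIELDS = ("body", "nonce", "ts")


def _tag(key: bytes, msg: dict) -> str:
    """HMAC-SHA256 over a canonical encoding of the signed fields."""
    canonical = json.dumps({f: msg[f] for f in SIGNED_FIELDS},
                           sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def seal(key: bytes, body: str, now: Optional[float] = None) -> dict:
    """Sender: attach a fresh nonce, a timestamp and an authentication tag."""
    msg = {"body": body, "nonce": secrets.token_hex(16),
           "ts": time.time() if now is None else now}
    msg["tag"] = _tag(key, msg)
    return msg


class Receiver:
    """Accepts a message only if it is authentic, fresh and not seen before."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = {}  # nonce -> timestamp, kept only inside the window

    def accept(self, msg: dict, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        try:
            expected = _tag(self.key, msg)
        except (KeyError, TypeError):
            return "rejected: malformed"
        supplied = str(msg.get("tag", "")).encode("utf-8", "replace")
        # Constant-time comparison; fails for altered bodies and wrong keys.
        if not hmac.compare_digest(expected.encode(), supplied):
            return "rejected: modified or forged"
        if abs(now - msg["ts"]) > MAX_SKEW_SECONDS:
            return "rejected: stale"
        # Forget nonces that the freshness check would reject anyway.
        self.seen = {n: t for n, t in self.seen.items()
                     if abs(now - t) <= MAX_SKEW_SECONDS}
        if msg["nonce"] in self.seen:
            return "rejected: replay"
        self.seen[msg["nonce"]] = msg["ts"]
        return "accepted"


def demo() -> list:
    """Run the slide's John Smith / Fred Brown case (constructed inputs)."""
    key = b"constructed-demo-key-for-example"
    rx = Receiver(key)
    original = seal(key, "Allow John Smith to read confidential file accounts",
                    now=1000.0)
    # Modification of messages: body altered in transit, tag left unchanged.
    tampered = dict(original,
                    body="Allow Fred Brown to read confidential file accounts")
    # Masquerade: a sender without the shared key builds its own message.
    forged = seal(b"key-the-receiver-does-not-share",
                  "Allow Fred Brown to read confidential file accounts",
                  now=1000.0)
    return [
        rx.accept(tampered, now=1001.0),
        rx.accept(forged, now=1001.0),
        rx.accept(original, now=1001.0),
        rx.accept(original, now=1005.0),   # replay inside the window
        rx.accept(original, now=1100.0),   # replay after the window
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The tag covers the nonce and timestamp as well as the body, so a captured message cannot be given a fresh nonce or time without invalidating the tag.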
Types of Threats/Attacks
Hacking Attack
Any attempt to gain unauthorized access to your system
Denial of Service (DoS) Attack
Blocking access from legitimate users
Physical Attack
Stealing, breaking or damaging of computing devices

Malware Attack:
A generic term for software that has malicious purpose. Examples
Viruses
Trojan horses
Spyware
New ones: Spam/scam, identity theft, e-payment frauds, etc.

Viruses
• “A small program that replicates and hides itself inside other programs usually without your knowledge.” (Symantec)
Similar to biological virus: Replicates and Spreads
Worms
• An independent program that reproduces by copying itself from one computer to another
• It can do as much harm as a virus
• It often creates denial of service

Trojan horses
• (Ancient Greek tale of the city of Troy and the wooden horse) - ??
• Secretly downloading a virus or some other type of malware on to your computers.
Spyware
• “A software that literally spies on what you do on your computer.”
• Example: Simple Cookies and Key Loggers

COMPUTER SECURITY STRATEGY
Security strategy involves three aspects:
• Specification/policy: What is the security scheme supposed to do?
• Implementation/mechanisms: How does it do it?
• Correctness/assurance: Does it really work?

Security Policy
The first step in devising security services and mechanisms is to develop a security policy.
• A security policy is an informal description of desired system behavior.
Such informal policies may reference requirements for security, integrity, and availability.
• It is a formal statement of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources.
In developing a security policy, a security manager needs to consider the following factors:
• The value of the assets being protected
• The vulnerabilities of the system
• Potential threats and the likelihood of attacks

Security Implementation/mechanisms
Security implementation involves four complementary courses of action:
• Prevention: An ideal security scheme is one in which no attack is successful.
Although this is not practical in all cases, there is a wide range of threats in which prevention is a reasonable goal.
For example, consider the transmission of encrypted data. If a secure encryption algorithm is used, and if measures are in place to prevent unauthorized access to encryption keys, then attacks on confidentiality of the transmitted data will be prevented.
• Detection: In a number of cases, absolute protection is not feasible, but it is practical to detect security attacks.
For example, there are intrusion detection systems designed to detect the presence of unauthorized individuals logged onto a system.
Another example is detection of a denial of service attack, in which communications or processing resources are consumed so that they are unavailable to legitimate users
• Response: If security mechanisms detect an ongoing attack, such as a denial of service attack, the system may be able to respond in such a way as to halt the attack and prevent further damage.
• Recovery: An example of recovery is the use of backup systems, so that if data integrity is compromised, a prior, correct copy of the data can be reloaded.

Assurance and Evaluation
Assurance is the degree of confidence one has that the security measures, both technical and operational, work as intended to protect the system and the information it processes.
This encompasses both system design and system implementation.
Thus, assurance deals with the questions, “Does the security system design meet its requirements?” and “Does the security system implementation meet its specifications?”
Evaluation is the process of examining a computer product or system with respect to certain criteria.
• Evaluation involves testing and may also involve formal analytic or mathematical techniques.
The central thrust of work in this area is the development of evaluation criteria that can be applied to any security system (encompassing security services and mechanisms) and that are broadly supported for making product comparisons.

Methods of Defense
• To protect against harm, then, we can neutralize the threat, close the vulnerability, or both.
• The possibility for harm to occur is called risk.
• We can deal with harm in several ways.

We can seek to
• prevent it, by blocking the attack or closing the vulnerability
• deter it, by making the attack harder but not impossible
• deflect it, by making another target more attractive (or this one less so)
• detect it, either as it happens or some time after the fact
• recover from its effects

Security mechanism: Controls
How do we address these problems? We use a control as a protective measure. That is, a control is an action, device, procedure, or technique that removes or reduces a vulnerability
To consider the controls or countermeasures that attempt to prevent exploiting a computing system's vulnerabilities, we begin by thinking about traditional ways to enhance physical security.
In the Middle Ages, castles and fortresses were built to protect the people and valuable property inside.
The fortress might have had one or more security characteristics, including
• a strong gate or door, to repel invaders
• heavy walls to withstand objects thrown or projected against them.
• a draw bridge to limit access to authorized people
• gate keepers to verify that only authorized people and goods could enter.

Computer security has the same characteristics.
We have many controls at our disposal. Some are easier than others to use or implement. Some are cheaper than others to use or implement.
And some are more difficult than others for intruders to override.
Figure 1-6 illustrates how we use a combination of controls to secure our valuable resources

In this section, we present an overview of the controls available to us.
Encryption
Encryption is the formal name for the scrambling process. We take data in their normal, unscrambled state, called clear text, and transform them so that they are unintelligible to the outside observer; the transformed data are called enciphered text or cipher text.
• Using encryption, security professionals can virtually nullify the value of an interception and the possibility of effective modification or fabrication.
• Encryption clearly addresses the need for confidentiality of data. Additionally, it can be used to ensure integrity; data that cannot be read generally cannot easily be changed in a meaningful manner.
• Encryption does not solve all computer security problems, and other tools must complement its use.

Software Controls
Programs must be secure enough to prevent outside attack.
Program controls include the following:
• Internal program controls: parts of the program that enforce security restrictions, such as access limitations in a database management program
• Operating system and network system controls: limitations enforced by the operating system or network to protect each user from all other users
• Independent control programs: application programs, such as password checkers, intrusion detection utilities, or virus scanners, that protect against certain types of vulnerabilities
• Development controls: quality standards under which a program is designed, coded, tested, and maintained to prevent software faults from becoming exploitable vulnerabilities

Hardware Controls
• Numerous hardware devices have been created to assist in providing computer security.
These devices include a variety of means, such as
• hardware or smart card implementations of encryption
• locks or cables limiting access or deterring theft
• devices to verify users' identities
• firewalls
• intrusion detection systems
• circuit boards that control access to storage media

Policies and Procedures
We can rely on agreed-on procedures or policies among users rather than enforcing security through hardware or software means.
Some of the simplest controls, such as frequent changes of passwords, can be achieved at essentially no cost but with tremendous effect.
Physical Controls
Physical controls include locks on doors, guards at entry points, backup copies of important software and data, and physical site planning that reduces the risk of

Effectiveness of Controls

Awareness of Problem
People using controls must be convinced of the need for security.
That is, people will willingly cooperate with security requirements only if they understand why security is appropriate in a given situation.
However, many users are unaware of the need for security

Likelihood of Use
Controls must be used and used properly to be effective. They must be efficient, easy to use, and appropriate.
Periodic Review
The effectiveness of a control is an ongoing task.
Reports on periodic reviews of computer security.

Brief History and Mission of Information System Security. (assignments)
