INFORMATION SECURITY

By

Dr. Ch. Samson

Associate Professor, Dept of CSE

1
Michael E. Whitman and Hebert J Mattord
WITH EFFECT FROM THE ACADEMIC YEAR 2013–2014
CS 403
INFORMATION SECURITY
Instruction 3 Periods per week
Duration of University Examination 3 Hours
University Examination 75 Marks
Sessional 25 Marks

UNIT- I
Introduction: History, critical characteristics of information, NSTISSC security model, Components of an information system,
Securing the components, balancing security and access, The SDLC, The security SDLC
Need for Security: Business needs, Threats, Attacks-secure software development
UNIT-II
Legal, Ethical and Professional Issues: Law and ethics in information security, relevant U.S laws-international laws and legal bodies,
Ethics and information security
Risk Management: Overview, Risk Identification, risk assessment, Risk Control strategies, selecting a risk control strategy,
Quantitative versus qualitative risk control practices, Risk management discussion points, recommended risk control practices
UNIT-III
Planning for Security: Security policy, Standards and practices, Security blue print, Security education, Continuity strategies.
Security Technology: Firewalls and VPNs: Physical design, firewalls, protecting remote connections.
UNIT-IV
Security Technology: Intrusion detection, Access control and other security tools: Intrusion detection and prevention systems,
Scanning and analysis tools, Access control devices.
Cryptography: Foundations of cryptology, cipher methods, crypryptographic Algorithms, Cryptographic tools, Protocols for secure
communications, Attacks on cryptosystems
UNIT-V
Implementing Information Security: information security project management, technical topics of implementation , Non- technical
aspects of implementation, Security certification and accreditation
Security and Personnel: Positioning and staffing security function, Employment policies and practices, internal control strategies.
Information security Maintenance: Security management models. The maintenance model, Digital forensics
Suggesting Reading:
1. Michael E. Whitman and Hebert J Mattord, Principles of Information Security, 4th edition
Ed. Cengage Learning 2011
2. Thomas R Peltier, Justing Peltier, John Blackley, Information Security. Fundamentals, Auerbacj Publications 2010
3. Detmar W Straub, Seymor Goodman, Richard L Baskerville, Information Security. Policy proceses and practices PHI 2008
4. Marks Merkow and Jim Breithaupt, Information Security. Principle and Practices, Pearson Education, 2007
IS_UNIT-I_MVSR 3
 Introduction
Information security: a “well-informed sense of
assurance that the information risks and controls
are in balance.” — Jim Anderson, Inovant (2002)
Security professionals must review the origins of
this field to understand its impact on our
understanding of information security today

IS_UNIT-I_MVSR 4
 The History of Information Security
Computer security began immediately after the first
mainframes were developed
 Groups developing code-breaking computations
during World War II created the first modern
computers
 Multiple levels of security were implemented
Physical controls to limit access to sensitive military
locations to authorized personnel
Rudimentary in defending against physical theft,
espionage, and sabotage
IS_UNIT-I_MVSR 5
Figure 1-1 – The Enigma

Figure 1-1 The Enigma

Source: Courtesy of National Security Agency

IS_UNIT-I_MVSR 6
 The 1960s
Advanced Research Project Agency (ARPA) began
to examine feasibility of redundant networked
communications
Larry Roberts developed ARPANET from its
inception

IS_UNIT-I_MVSR 7
Figure 1-2 - ARPANET

Figure 1-2 Development of the ARPANET Program Plan3

Source: Courtesy of Dr. Lawrence Roberts

IS_UNIT-I_MVSR 8
 The 1970s and 80s
ARPANET grew in popularity as did its potential for
misuse
Fundamental problems with ARPANET security
were identified
No safety procedures for dial-up connections to
ARPANET
Nonexistent user identification and authorization to
system
Late 1970s: microprocessor expanded computing
capabilities and security threats
IS_UNIT-I_MVSR 9
 The 1970s and 80s (cont’d.)
Information security began with Rand Report R-609
(paper that started the study of computer security)
Scope of computer security grew from physical
security to include:
Safety of data
Limiting unauthorized access to data
Involvement of personnel from multiple levels of an
organization

IS_UNIT-I_MVSR 10
 MULTICS
Early focus of computer security research was a
system called Multiplexed Information and
Computing Service (MULTICS)
First operating system created with security as its
primary goal
Mainframe, time-sharing OS developed in mid-
1960s by General Electric (GE), Bell Labs, and
Massachusetts Institute of Technology (MIT)
Several MULTICS key players created UNIX
Primary purpose of UNIX was text processing
IS_UNIT-I_MVSR 11
 Table 1-1 Key Dates for Seminal Works in Early Computer Security

IS_UNIT-I_MVSR 12
 The 1990s
Networks of computers became more common; so
too did the need to interconnect networks
Internet became first manifestation of a global
network of networks
Initially based on de facto standards
In early Internet deployments, security was treated
as a low priority

IS_UNIT-I_MVSR 13
 2000 to Present
The Internet brings millions of computer networks
into communication with each other—many of them
unsecured
Ability to secure a computer’s data influenced by the
security of every computer to which it is connected
Growing threat of cyber attacks has increased the
need for improved security

IS_UNIT-I_MVSR 14
 What is Security?
“The quality or state of being secure—to be free
from danger”
A successful organization should have multiple
layers of security in place:
Physical security
Personal security
Operations security
Communications security
Network security
Information security

IS_UNIT-I_MVSR 15
 What is Security? (cont’d.)
The protection of information and its critical
elements, including systems and hardware that use,
store, and transmit that information
Necessary tools: policy, awareness, training,
education, technology
C.I.A. triangle
Was standard based on confidentiality, integrity, and
availability
Now expanded into list of critical characteristics of
information

IS_UNIT-I_MVSR 16
 Figure 1-3 Components of Information Security

IS_UNIT-I_MVSR 17
 Key Information Security Concepts
Access • Protection Profile or
Asset Security Posture
Attack • Risk
Control, Safeguard, or • Subjects and Objects
Countermeasure
• Threat
Exploit
• Threat Agent
Exposure
Loss • Vulnerability

IS_UNIT-I_MVSR 18
 Key Information Security Concepts
(cont’d.)
Computer can be subject of an attack and/or the
object of an attack
When the subject of an attack, computer is used as an
active tool to conduct attack
When the object of an attack, computer is the entity
being attacked

IS_UNIT-I_MVSR 19
 Figure 1-4 Information Security Terms

IS_UNIT-I_MVSR 20
Figure 1-5 – Subject and Object of Attack

Figure 1-5 Computer as the Subject and Object of an Attack

IS_UNIT-I_MVSR 21
Critical Characteristics of Information
The value of information comes from the
characteristics it possesses:
Availability
Accuracy
Authenticity
Confidentiality
Integrity
Utility
Possession

IS_UNIT-I_MVSR 22
 CNSS Security Model

Figure 1-6 The McCumber Cube

IS_UNIT-I_MVSR 23
Components of an Information System
Information system (IS) is entire set of components
necessary to use information as a resource in the
organization
Software
Hardware
Data
People
Procedures
Networks

IS_UNIT-I_MVSR 24
Balancing Information Security
and Access
Impossible to obtain perfect security—it is a process,
not an absolute
Security should be considered balance between
protection and availability
To achieve balance, level of security must allow
reasonable access, yet protect against threats

IS_UNIT-I_MVSR 25
Figure 1-6 – Balancing Security
and Access

Figure 1-8 Balancing Information Security and Access

IS_UNIT-I_MVSR 26
Approaches to Information
Security Implementation:
Bottom-Up Approach
Grassroots effort: systems administrators attempt to
improve security of their systems
Key advantage: technical expertise of individual
administrators
Seldom works, as it lacks a number of critical
features:
Participant support
Organizational staying power

IS_UNIT-I_MVSR 27
Approaches to Information
Security Implementation: Top-
Down Approach
Initiated by upper management
Issue policy, procedures, and processes
Dictate goals and expected outcomes of project
Determine accountability for each required action
The most successful also involve formal
development strategy referred to as systems
development life cycle

IS_UNIT-I_MVSR 28
 Figure 1-9 Approaches to Information Security Implementation

IS_UNIT-I_MVSR 29
The Systems Development Life
Cycle
Systems Development Life Cycle (SDLC):
methodology for design and implementation of
information system within an organization
Methodology: formal approach to problem solving
based on structured sequence of procedures
Using a methodology:
Ensures a rigorous process
Increases probability of success
Traditional SDLC consists of six general phases

IS_UNIT-I_MVSR 30
 Figure 1-10 SDLC Waterfall Methodology

IS_UNIT-I_MVSR 31
Investigation
What problem is the system being developed to
solve?
Objectives, constraints, and scope of project are
specified
Preliminary cost-benefit analysis is developed
At the end, feasibility analysis is performed to
assess economic, technical, and behavioral
feasibilities of the process

IS_UNIT-I_MVSR 32
Analysis
Consists of assessments of:
The organization
Current systems
Capability to support proposed systems
Analysts determine what new system is expected to
do and how it will interact with existing systems
Ends with documentation of findings and update of
feasibility analysis

IS_UNIT-I_MVSR 33
Logical Design
Main factor is business need
Applications capable of providing needed services are
selected
Data support and structures capable of providing the
needed inputs are identified
Technologies to implement physical solution are
determined
Feasibility analysis performed at the end

IS_UNIT-I_MVSR 34
Physical Design
Technologies to support the alternatives identified
and evaluated in the logical design are selected
Components evaluated on make-or-buy decision
Feasibility analysis performed
Entire solution presented to end-user representatives
for approval

IS_UNIT-I_MVSR 35
Implementation
Needed software created
Components ordered, received, and tested
Users trained and documentation created
Feasibility analysis prepared
Users presented with system for performance review
and acceptance test

IS_UNIT-I_MVSR 36
Maintenance and Change
Longest and most expensive phase
Consists of tasks necessary to support and modify
system for remainder of its useful life
Life cycle continues until the process begins again
from the investigation phase
When current system can no longer support the
organization’s mission, a new project is implemented

IS_UNIT-I_MVSR 37
The Security Systems
Development Life Cycle
The same phases used in traditional SDLC may be
adapted to support specialized implementation of an
IS project
Identification of specific threats and creating controls
to counter them
SecSDLC is a coherent program rather than a series
of random, seemingly unconnected actions

IS_UNIT-I_MVSR 38
Investigation
Identifies process, outcomes, goals, and constraints
of the project
Begins with Enterprise Information Security Policy
(EISP)
Organizational feasibility analysis is performed

IS_UNIT-I_MVSR 39
Analysis
Documents from investigation phase are studied
Analysis of existing security policies or programs,
along with documented current threats and
associated controls
Includes analysis of relevant legal issues that could
impact design of the security solution
Risk management task begins

IS_UNIT-I_MVSR 40
Logical Design
Creates and develops blueprints for information
security
Incident response actions planned:
Continuity planning
Incident response
Disaster recovery
Feasibility analysis to determine whether project
should be continued or outsourced

IS_UNIT-I_MVSR 41
Physical Design
Needed security technology is evaluated,
alternatives are generated, and final design is
selected
At end of phase, feasibility study determines
readiness of organization for project

IS_UNIT-I_MVSR 42
Implementation
Security solutions are acquired, tested,
implemented, and tested again
Personnel issues evaluated; specific training and
education programs conducted
Entire tested package is presented to management
for final approval

IS_UNIT-I_MVSR 43
Maintenance and Change
Perhaps the most important phase, given the ever-
changing threat environment
Often, repairing damage and restoring information is
a constant duel with an unseen adversary
Information security profile of an organization
requires constant adaptation as new threats emerge
and old threats evolve

IS_UNIT-I_MVSR 44
Security Professionals and the
Organization
Wide range of professionals required to support a
diverse information security program
Senior management is key component
Additional administrative support and technical
expertise are required to implement details of IS
program

IS_UNIT-I_MVSR 45
Senior Management
Chief Information Officer (CIO)
Senior technology officer
Primarily responsible for advising senior executives on
strategic planning
Chief Information Security Officer (CISO)
Primarily responsible for assessment, management,
and implementation of IS in the organization
Usually reports directly to the CIO

IS_UNIT-I_MVSR 46
Information Security Project
Team
A number of individuals who are experienced in one
or more facets of required technical and
nontechnical areas:
Champion
Team leader
Security policy developers
Risk assessment specialists
Security professionals
Systems administrators
End users

IS_UNIT-I_MVSR 47
Data Responsibilities
Data owner: responsible for the security and use of
a particular set of information
Data custodian: responsible for storage,
maintenance, and protection of information
Data users: end users who work with information to
perform their daily jobs supporting the mission of the
organization

IS_UNIT-I_MVSR 48
Communities of Interest
Group of individuals united by similar
interests/values within an organization
Information security management and professionals
Information technology management and
professionals
Organizational management and professionals

IS_UNIT-I_MVSR 49
Information Security: Is it an
Art or a Science?
Implementation of information security often
described as combination of art and science
“Security artesan” idea: based on the way
individuals perceive systems technologists since
computers became commonplace

IS_UNIT-I_MVSR 50
Security as Art
No hard and fast rules nor many universally
accepted complete solutions
No manual for implementing security through entire
system

IS_UNIT-I_MVSR 51
Security as Science
Dealing with technology designed to operate at high
levels of performance
Specific conditions cause virtually all actions that
occur in computer systems
Nearly every fault, security hole, and systems
malfunction are a result of interaction of specific
hardware and software
If developers had sufficient time, they could resolve
and eliminate faults

IS_UNIT-I_MVSR 52
Security as a Social Science
Social science examines the behavior of individuals
interacting with systems
Security begins and ends with the people that
interact with the system
Security administrators can greatly reduce levels of
risk caused by end users, and create more
acceptable and supportable security profiles

IS_UNIT-I_MVSR 53
Summary
Information security is a “well-informed sense of
assurance that the information risks and controls are
in balance”
Computer security began immediately after first
mainframes were developed
Successful organizations have multiple layers of
security in place: physical, personal, operations,
communications, network, and information

IS_UNIT-I_MVSR 54
Summary (cont’d.)
Security should be considered a balance between
protection and availability
Information security must be managed similarly to
any major system implemented in an organization
using a methodology like SecSDLC
Implementation of information security often
described as a combination of art and science

IS_UNIT-I_MVSR 55
 Introduction
 Best practices therefore dictate that image must be
compressed before it is encrypted. Unfortunately best
practices in compression do not assume security.
 This motivates the search for image compression
methods that operate on encrypted images.
 Compression alone is not sufficient as it has an open
access.
 Therefore to protect confidential compressed image, it
should be encrypted

IS_UNIT-I_MVSR 56
Thank you

IS_UNIT-I_MVSR 57