UNIT 1 - Information Security


21CSE282T

INFORMATION SECURITY
Course Outcomes (CO)
At the end of this course, learners will be able to:

CO-1 Discuss the basics of information security
CO-2 Illustrate the legal, ethical, and professional issues in information security
CO-3 Demonstrate the aspects of risk management
CO-4 Become aware of various standards in the Information Security System
CO-5 Design and implementation of Security Techniques


Unit Wise Syllabus
• Unit-1 – Introduction
• Unit-2 - Security Investigation
• Unit-3 - Security Analysis
• Unit-4 - Logical Design
• Unit-5 - Physical Design
Unit I
• History
• What is Information Security?
• Critical Characteristics of Information
• NSTISSC Security Model
• Components of an Information System
• Securing the Components
• Balancing Security and Access
• The SDLC, The Security SDLC
History
• Information security starts from computer security
• Computer security: securing physical locations, hardware and software from threats
• In the early days, information security focused only on physical security (protection of building sites and equipment) and simple document classification schemes
• Physical theft of equipment, spying and destroying the products
• Access to sensitive military locations was controlled by keys, badges and facial recognition by security guards – a manual process
• In 1960, the first document security problem occurred, when a software glitch mixed two files and the entire password was printed in every output file
The 1960s
• Mainframes were used in large numbers
• Communication between mainframes was too complex
• ARPANET (Advanced Research Projects Agency Network) - DoD (Department of Defense) - encryption devices
• Larry Roberts (Founder of Internet)
• Predecessor of the Internet
The 1970s and 1980s
• ARPANET grew in popularity as did its potential for misuse
• Fundamental problems with ARPANET security were identified
• No safety procedures for dial-up connections to ARPANET
• Non-existent user identification and authorization to system
• No sufficient control to protect data from unauthorized remote users
• Vulnerability of password structure and formats
• Late 1970s: microprocessor expanded computing capabilities and security threats
R-609
• Information security began with Rand Report R-609 (paper that
started the study of computer security)
• Scope of computer security grew from physical security to
include:
– Safety of data
– Limiting unauthorized access to data
– Involvement of personnel from multiple levels of an organization

MULTICS
• Multiplexed Information and Computing Service
• First Operating system to integrate security into core functions
• Mainframe, time-sharing OS
• UNIX
The 1990s
• Networks of computers became more common; so too did the need to interconnect networks
• Internet became first manifestation of a global network of networks
• In early Internet deployments, security was treated as a low priority
• As networked computers became the dominant style of computing, it was stored information, rather than physical security, that became exposed to threats.
The Present
• The Internet brings millions of computer networks into communication with each other, many of them unsecured
• The ability to secure a computer’s data is influenced by the security of every computer to which it is connected
• The same problems apply for emerging networked computer systems (e.g., smartphones, IoT devices)
What is Security?
• Definitions:
– Book: “The quality or state of being secure—to be free from danger”
– James Anderson, Inovant: “Well-informed sense that information risks and controls
are in balance”
– Rita Summers, IBM Systems Journal, 1984: “Includes concepts,
techniques and measures that are used to protect computing
systems and the information they maintain against deliberate or accidental
threats”

• Successful companies should have multiple security “tiers”:
– Physical security
– Personal security
– Operations security - prevent sensitive information
– Communications security - unauthorized access to telecommunications traffic
– Network security - to protect the usability and integrity of your network and data. It includes both hardware and software
What is Information Security?
• The Committee on National Security Systems (CNSS) defines information security as
• “Protection of information and its critical elements, including systems and hardware that use, store, and transmit that information.”
• Necessary tools:
– Policy - a policy is a set of ideas or plans
– Awareness
– Training - teaching, or developing in oneself or others
– Education - acquiring knowledge
– Technology
Components of Information Security

• The CNSS model of information security evolved from a concept developed by the computer security industry called the C.I.A. triangle.
• This standard is based on the three characteristics of information that give it value to organizations: confidentiality, integrity, and availability.
C I A Triad
• Confidentiality
– Allows authorized users to access sensitive and protected data.
– Specific mechanisms ensure confidentiality and safeguard data from harmful intruders.
• Integrity
– Methods of ensuring that data is accurate, real, and safeguarded from unauthorized user modification or destruction; the data is not modified or deleted by unauthorized parties.
– Data integrity also refers to the accuracy and validity of data over its entire lifecycle.
• Availability
– Availability means guaranteeing reliable access to information by authorized personnel; the information is available or accessible by an authorized user whenever it is needed.
Key Information Security Concepts
• Access
– A subject or object’s ability to use, manipulate, modify, or affect another subject or object. Access may be authorized or unauthorized.
• Asset
– The organizational resource that is being protected. An asset may be logical (e.g., Web site, software information, or data) or physical (e.g., person, computer system, hardware, or other tangible object).
• Attack
– An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it. Includes active and passive attacks, environmental hazards, and computer failures.
• Control, safeguard or countermeasure
– Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security within an organization
• Exploit
– A technique used to compromise a system
• Exposure
– A condition or state of being exposed; when a vulnerability is known to an attacker.
• Loss
– A single instance of an information asset suffering damage or destruction, unintended or unauthorized modification or disclosure, or denial of use.
• Protection profile or security posture
– The entire set of controls and safeguards, including policy, education, training and awareness, and technology, that the organization implements to protect the asset
• Risk
– The probability of an unwanted occurrence, such as an adverse event or loss
• Subjects and objects
– A computer can be either the subject of an attack (an agent entity used to conduct the attack) or the object of an attack (the target entity)
• Threat
– A category of objects, people, or other entities that represents a danger to an asset
• Threat agent
– The specific instance or a component of a threat.
• Vulnerability
– A weakness or fault in a system or protection mechanism that opens it to attack or damage.
3. Critical characteristics of information
The value of information comes from the characteristics it possesses.
• Availability
• Accuracy
• Authenticity
• Confidentiality
• Integrity
• Utility
• Possession
Critical characteristics of information
• Availability – Enables users who need to access information to do so
without interference or obstruction and in the required format. The
information is said to be available to an authorized user when and where
needed and in the correct

• Accuracy – Free from mistake or error and having the value that the end
user expects. If information contains a value different from the user’s
expectations due to the intentional or unintentional modification of its
content, it is no longer accurate

• Authenticity – The quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is the information that was originally created, placed, stored, or transferred. It is important to ensure that information and communication come from a trusted source.
• Integrity – The quality or state of being whole, complete, and uncorrupted. The
integrity of information is threatened when the information is exposed to corruption,
damage, destruction, or other disruption of its authentic state.
• Utility – The quality or state of having value for some purpose or end. Information
has value when it serves a particular purpose. This means that if information is
available, but not in a format meaningful to the end user, it is not useful.
• Utility is an attribute of information that describes how data has value or usefulness
for an end purpose. Information serves a purpose for employees within an
organization. Each employee may view specific data points as containing different
levels of utility, based on their need to use the data for achieving their job
functions.
• Possession – The quality or state of having ownership or control of some object
or item. Information is said to be in possession if one obtains it, independent of
format or other characteristic. While a breach of confidentiality always results in a
breach of possession, a breach of possession does not always result in a breach of
confidentiality.
Security in System Life Cycle
The Systems Development Life Cycle (SDLC)
• An SDLC is a methodology for the design and implementation of an information
system.

• A methodology ensures a rigorous process with clear goals and increases the probability of success.

• Once a methodology is adopted, the key milestones are decided and a team is selected and made accountable for accomplishing the project goals.

• The traditional SDLC consists of six general phases.

• The waterfall model illustrates that each phase begins with the results and information gained from the previous phase.

• At the end of each phase, the team determines if the project should be continued, discontinued, outsourced, postponed, or returned to an earlier phase.
SDLC contd..
• This determination depends on whether the project is proceeding as expected and whether it needs additional expertise, organizational knowledge, or other resources.

• Once the system is implemented, it is maintained and modified over the remainder of its working life.

• Any information systems implementation may have multiple iterations as the cycle is repeated over time.

• Only by constant examination and renewal can any system, especially an information security program, perform up to expectations in a constantly changing environment.
SDLC waterfall model
SDLC contd..
• Investigation :
• The first phase, investigation, is the most important.
• What problem is the system being developed to solve? The
investigation phase begins by examining the event or plan
that initiates the process.
• During this phase, the objectives, constraints, and scope of
the project are specified.
• A preliminary cost-benefit analysis evaluates the perceived
benefits and their appropriate levels of cost.
• At the conclusion of this phase and at every phase
afterward, a process will be undertaken to assess
economic, technical, and behavioral feasibilities and ensure
that implementation is worth the organization’s time and
effort.
SDLC contd..
• Analysis:
• The analysis phase begins with the information gained
during the investigation phase.
• This phase consists primarily of assessments of the
organization, its current systems, and its capability to
support the proposed systems.
• Analysts begin by determining what the new system is
expected to do and how it will interact with existing
systems. This phase ends with documentation of the
findings and an update of the feasibility analysis.
SDLC contd..
• Logical Design :
• Information gained from the analysis phase is used to begin
creating a systems solution for a business problem.
• The driving factor must be the business need.
• Based on need, applications are selected to provide services, and
the team chooses data support and structures capable of providing
the needed inputs.
• Finally, based on all of this, specific technologies are delineated to
implement the physical solution. The logical design, therefore, is
the blueprint for the desired solution.
• The logical design is implementation independent, meaning that it
contains no reference to specific technologies, vendors, or
products. Instead, it addresses how the proposed system will solve
the problem at hand.
• In this stage, analysts generate estimates of costs and benefits to
allow for a general comparison of available options. At the end of
this phase, another feasibility analysis is performed.
SDLC contd..
• Physical Design :
• Here, specific technologies are selected to support the alternatives identified and evaluated in the logical design.
• The selected components are evaluated based on a make-or-buy decision: the option to develop components in-house or purchase them from a vendor.
• Final designs integrate various components and technologies.
• After yet another feasibility analysis, the entire solution is presented to the organization’s management for approval.
SDLC contd..
• Implementation :
• In the implementation phase, any needed software
is created.
• Components are ordered, received, and tested. Afterward,
users are trained and supporting documentation created.
• Once all components are tested individually, they are
installed and tested as a system. A feasibility analysis is
again prepared, and the sponsors are then presented with
the system for a performance review and acceptance test.
SDLC contd..
• Maintenance and Change :
• The longest and most expensive phase.
• Consists of the tasks necessary to support and modify the system for
the remainder of its useful life cycle.
• Even though formal development may conclude during this phase, the
life cycle of the project continues until the team determines that the
process should begin again from the investigation phase.
• At periodic points, the system is tested for compliance, and the
feasibility of continuance versus discontinuance is evaluated. Upgrades,
updates, and patches are managed.
• As the needs of the organization change, the systems that support the
organization must also change.
• The people who manage and support the systems must continually
monitor their effectiveness in relation to the organization’s
environment.
• When a current system can no longer support the evolving mission of
the organization, the project is terminated and a new project is
SecSDLC
The Security Systems Development Life Cycle (SecSDLC)
• It may differ in intent and specific activities, but the overall methodology is similar to the SDLC
• The SecSDLC process involves the identification of specific threats and creating specific controls to counter those threats
• It unifies the process and makes a coherent program rather than a series of random, unconnected actions.
The Systems Development Life Cycle
• Systems Development Life Cycle (SDLC):
• Methodology for design and implementation of information system
• Methodology:
• Formal approach to problem solving

Principles of Information
Security, Fourth Edition
• Based on structured sequence of procedures
• Using a methodology:
• Ensures a rigorous process
• Increases probability of success
• Traditional SDLC consists of six general phases
Figure 1-10 SDLC Waterfall Methodology



Investigation
• What problem is the system being developed to solve?
• Objectives, constraints, and scope of project specified
• Preliminary cost-benefit analysis developed
• At end:
– Feasibility analysis performed
– Assess economic, technical, and behavioural feasibilities
Analysis
• Documents from investigation phase are studied
• Analysis of existing security policies or programs
• Analysis of documented current threats and associated controls
• Analysis of relevant legal issues that could impact design of the security solution

• Risk management task begins

Logical Design
• Creates and develops blueprints for information security
• Incident response actions planned:
– Continuity planning
– Incident response
– Disaster recovery
• Feasibility analysis to determine whether project should be continued or outsourced
Physical Design
• Needed security technology is evaluated
• Alternatives are generated
• Final design is selected
• At end of phase, feasibility study determines readiness of organization for project

Implementation
• Needed software created
• Components ordered, received, and tested
• Users trained and documentation created
• Feasibility analysis prepared

• Users presented with system for performance review and acceptance test

Maintenance and Change
• Perhaps the most important phase, given the ever-changing threat environment
• Often, repairing damage and restoring information is a constant duel with an
unseen adversary
• Information security profile of an organization requires constant adaptation as new threats emerge and old threats evolve
4. NSTISSC SECURITY MODEL
It is now called the National Training Standard for Information Security Professionals.

• The NSTISSC Security Model provides a more detailed perspective on security.

• While the NSTISSC model covers the three dimensions of information security, it omits discussion of detailed guidelines and policies that direct the implementation of controls.

• Another weakness of using this model with too limited an approach is to view it from a single perspective.

Components of information system
There are many roles for people in information systems.
Common ones include

• Systems Analyst
• Programmer
• Technician
• Engineer
• Network Manager
• MIS (Manager of Information Systems)
• Data entry operator

A procedure is a series of documented actions taken to achieve something. A procedure is
more than a single simple task. A procedure can be quite complex and involved, such as
performing a backup, shutting down a system, patching software.

When information systems are connected to each other to form Local Area Networks (LANs), and these LANs are connected to other networks such as the Internet, new security challenges rapidly emerge.
SECURING COMPONENTS

Protecting the components from potential misuse and abuse by unauthorized users.

• Subject of an attack: the computer is used as an active tool to conduct the attack.

• Object of an attack: the computer itself is the entity being attacked.

Two types of attacks:

1. Direct attack: when a hacker uses a personal computer to break into a system. [Originates from the threat itself]

2. Indirect attack: when a system is compromised and used to attack other systems. An indirect attack is a type of attack that is not aimed directly at the target but rather at something related to the target.
BALANCING INFORMATION SECURITY AND ACCESS

An information system has to provide security while still making it feasible to access the information for its applications.
Approaches to Information Security Implementation
• Bottom-up approach
– The responsibility of the system administrator, cyber engineer, or network security professional does not include top-level management positions. The main duty of such individuals is to secure the information system by using their expertise, knowledge, education, and training to build a highly secure model.
– Advantages of the bottom-up approach:
– The individual or team addresses the intricate security of the information system using their expertise. The company threat is identified to mitigate the possible potential threat.
– The existing team or individual is assigned instead of a new hire, which is a way to save time and money in a complex plan. It is a great way to use available valuable resources.

• Top-down approach
– Has a higher probability of success.
– Project is initiated by upper-level managers who issue policy, procedures and processes.
– They dictate the goals and expected outcomes of the project.
– They determine who is suitable for each of the required actions.


A 20-person consulting firm dispatched a small team to Australia to finish a client project. During their
stay, an employee used a corporate debit card at a nearby ATM. A month after returning to the UK, the
firm got overdraft alerts from their bank. They discovered fraudulent withdrawals totaling $13,000, all of
which originated in Australia. There was an extra $1,000 overdraft fee.

SCENARIO: When the bookkeeper began receiving inadequate fund notices for frequently recurring debts,
the CEO of a boutique hotel realized their company had fallen victim to wire fraud. A study of the
accounting records revealed a severe problem. A few weeks prior, the CEO had clicked on a link in an
email that they mistook for an IRS notification. It was not. When they clicked the link and submitted their
credentials, the cybercriminals obtained the CEO's login information, granting them complete access to
sensitive corporate and personal information.

• Attack
• Impact
• Response
• Lessons learned
• Discuss
• Resources

ATTACK: Social engineering, phishing attack. A phishing attack is a form of social engineering by which cyber criminals attempt to trick individuals by creating and sending fake emails that appear to be from an authentic source, such as a business or colleague. The email might ask you to confirm personal account information such as a password or prompt you to open a malicious attachment that infects your computer with malware.

RESPONSE: The hotel’s cash reserves were depleted. The fraudulent transfers amounted to more than $1 million. The hotel also contacted a cybersecurity firm to help them mitigate the risk of a repeat attack.

IMPACT: The business lost $1 million to an account in China. The funds were not recovered.

LESSONS LEARNED:
1. Teach staff about the dangers of clicking on unsolicited email links and attachments, and the need to stay alert for warning signs of fraudulent emails. Engage in regular email security training.
2. Implement stringent wire transfer protocols and include a secondary form of validation.
3. Have a cyber incident response plan ready to implement!

DISCUSS:
• Knowing how the firm responded, what would you have done differently?
• What are some steps you think the firm could have taken to prevent this incident?
• Is your business susceptible to this kind of attack? How are you going to reduce your risk?

RESOURCES:
• NIST Small Business Cybersecurity Corner: https://www.nist.gov/itl/smallbusinesscyber
• National Cybersecurity Alliance: https://staysafeonline.org/cybersecure-business

https://www.nist.gov/itl/smallbusinesscyber/cybersecurity-basics/case-study-series
