
MODULE 2

INFORMATION SECURITY

Learning Objectives:
At the end of the module, the students are expected to:
- Define the term information security.
- Identify the reasons why it is so difficult to defend against software attacks.

INTRODUCTION
This module explains the concepts and principles of information security, lists the
challenges of securing information, helps you identify the IT assets that must be protected,
explains the main threats, vulnerabilities and issues in information security, and shows how
to address them.

What is information security?

Information security is defined as “protecting information and information systems from
unauthorized access, use, disclosure, disruption, modification, or destruction.” (This is the
U.S. federal statutory definition, 44 U.S.C. § 3542.) In a general sense, security means
protecting our assets. This may mean protecting them from attackers invading our networks,
natural disasters, adverse environmental conditions, power failures, theft or vandalism, or
other undesirable states. Ultimately, we attempt to secure ourselves against the most likely
forms of attack, to the extent we reasonably can, given our environment. The figure below
shows the components of information security.

Difficulties in Defending against Attacks
The challenge of keeping computers secure has never been greater, not only because of the
number of attacks but also because of the difficulties faced in defending against them.
These difficulties include the following:

- Speed of attacks—with modern tools at their disposal, attackers can quickly scan
systems to find weaknesses and launch attacks with unprecedented speed. For example,
the Slammer worm (January 2003) infected about 75,000 computers in the first 11 minutes
after it was released, with the number of infections doubling every 8.5 seconds. At its
peak, Slammer was scanning 55 million computers per second looking for other hosts to
infect. It could spread that fast because the entire worm fit in a single UDP packet, so
each infected host was limited only by its own bandwidth.

- Greater sophistication of attacks—attacks are becoming more complex, making them
more difficult to detect and defend against. Attackers today use common Internet tools and
protocols (web, DNS, e-mail) to send malicious data or commands to target computers, making
it difficult to distinguish an attack from legitimate traffic. Other attack tools vary their
behavior, so the same attack appears differently each time (polymorphism), which further
complicates detection that relies on recognizing a fixed pattern.

- Simplicity of attack tools—in the past, an attacker needed technical knowledge of
attack tools before they could be used. Today, many attack tools are freely available and
require little or no technical knowledge to use.

- Attackers can detect vulnerabilities more quickly and more readily exploit them—the
number of newly discovered vulnerabilities continues to grow year after year, and with it
the number of zero-day attacks. Most attacks exploit vulnerabilities that have already been
disclosed and for which a fix exists; a zero-day attack exploits a flaw that the vendor does
not yet know about, so the vendor has had “zero days” to produce a patch. Such an attack can
be especially crippling to networks and computers because it runs rampant while precious time
is spent trying even to identify which vulnerability is being exploited.

- Delays in patching hardware and software products—software vendors are often
overwhelmed trying to keep pace with updating their products against attacks, and
organizations are then slow to deploy the fixes that are released. The Slammer worm
described above exploited a flaw for which Microsoft had published a patch about six months
earlier. The same arms race affects malware defenses: the flood of new malware each month
has grown to the point that the traditional signature-based method of detecting viruses and
other malware is increasingly seen as insufficient on its own. (A signature-based defense
identifies malware on a computer by matching it against an antivirus signature file that
must be updated regularly, so it cannot recognize a sample whose signature has not yet been
written.)

- Most attacks are now distributed attacks, instead of coming from only one source -
attackers can now use thousands of compromised computers (a botnet) in an attack against a
single computer or network. This “many-against-one” approach makes it impractical to stop an
attack simply by identifying and blocking a single source.
- User confusion—increasingly, users are called upon to make difficult security decisions
about their computer systems (whether to trust a certificate warning, whether to allow a
program to run), sometimes with little or no information to guide them.
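Two of the points above, attack tools that change their appearance on every copy and signature-based detection that cannot keep up, are easy to see in code. The following is an added example in Python, not code from the module or its sources: a byte-pattern scanner, a payload that re-encodes itself with a fresh key so the scanner no longer recognizes it, and a small “behavioral” step that reproduces the payload's own decoding before scanning. All payload bytes and the signature database are constructed, harmless strings.

```python
"""
Added example (not from the module): why a static byte signature misses a
payload that re-encodes itself on every copy, and why reproducing the
payload's behaviour (its own decoder) before scanning still catches it.
All bytes below are constructed, harmless strings, not real malware.
"""
import os
from typing import List, Optional

# Constructed stand-in for a malicious payload. A signature-based scanner
# looks for exactly these bytes on disk.
PAYLOAD = b"CONSTRUCTED-EXAMPLE: cmd=delete_all_files"

# Constructed signature database: name -> byte pattern (a toy AV signature file).
SIGNATURES = {
    "example.deleter": b"cmd=delete_all_files",
}

# Constructed header meaning "the next byte is a one-byte XOR key".
DECODER_MAGIC = b"XORDEC"


def signature_scan(sample: bytes) -> List[str]:
    """Return the names of every signature whose byte pattern occurs in sample."""
    return [name for name, pattern in SIGNATURES.items() if pattern in sample]


def polymorphic_variant(payload: bytes, key: Optional[int] = None) -> bytes:
    """Re-encode payload under a fresh single-byte XOR key so each copy differs.

    Layout: DECODER_MAGIC | key | xor(payload, key). Real polymorphic code
    also varies the decoder itself; a fixed header keeps this example short.
    """
    if key is None:
        key = os.urandom(1)[0] or 0x5A   # key 0 would leave the bytes unchanged
    body = bytes(b ^ key for b in payload)
    return DECODER_MAGIC + bytes([key]) + body


def emulate_decoder(sample: bytes) -> bytes:
    """Do what the sample would do first when run: decode itself.

    This is the 'behavioural' step: rather than trusting the bytes on disk,
    reproduce the unpacking and inspect what would actually execute.
    """
    if not sample.startswith(DECODER_MAGIC):
        return sample
    key = sample[len(DECODER_MAGIC)]
    return bytes(b ^ key for b in sample[len(DECODER_MAGIC) + 1:])


def behavioural_scan(sample: bytes) -> List[str]:
    """Signature scan applied to the decoded form of the sample."""
    return signature_scan(emulate_decoder(sample))


if __name__ == "__main__":
    variant_a = polymorphic_variant(PAYLOAD, key=0x21)
    variant_b = polymorphic_variant(PAYLOAD, key=0x77)
    print("static scan  :", signature_scan(PAYLOAD), signature_scan(variant_a), signature_scan(variant_b))
    print("decoded scan :", behavioural_scan(PAYLOAD), behavioural_scan(variant_a), behavioural_scan(variant_b))
```

The static scanner flags the original and misses both variants, even though they do exactly the same thing; the decoded scan catches all three. Real antivirus engines do the equivalent with emulation and sandboxing, which is why signature matching alone is described above as insufficient.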

Concepts of Information Security

Three of the primary concepts in information security are confidentiality, integrity, and
availability, commonly known as the CIA triad.

The CIA Triad

Confidentiality

Confidentiality is a concept similar to, but not the same as, privacy. Confidentiality is a
necessary component of privacy and refers to our ability to protect our data from those who
are not authorized to view it. Confidentiality may be enforced at many levels of a process.
As an example, consider a person withdrawing money from an ATM: the person will want to
maintain the confidentiality of the personal identification number (PIN) that, in combination
with the ATM card, allows funds to be drawn from the machine.

Integrity

Integrity refers to the ability to prevent our data from being changed in an unauthorized or
undesirable manner. This could mean the unauthorized change or deletion of our data or
portions of our data, or it could mean an authorized, but undesirable, change or deletion of
our data. To maintain integrity, we not only need to have the means to prevent unauthorized
changes to our data but also need the ability to reverse authorized changes that need to be
undone.

Availability

The final leg of the CIA triad is availability. Availability refers to the ability to access our data
when we need it. Loss of availability can refer to a wide variety of breaks anywhere in the
chain that allows us access to our data.
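To make the integrity leg concrete, here is an added example in Python (not code from the module or its sources): a small record store that tags every value with an HMAC-SHA256 so that an unauthorized modification of the stored bytes is detected on read, and that keeps prior versions so an authorized but unwanted change can be undone. The key, record names and values are constructed for the example.

```python
"""
Added example (not from the module): integrity in code. Every authorized
write records an HMAC-SHA256 tag; a read fails if the stored bytes no longer
match the tag, and rollback() restores the previous authorized version.
Key and records are constructed for the example.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Assumption: only the trusted component that writes and verifies records
# holds this key. In practice it comes from a secrets store, never source code.
INTEGRITY_KEY = b"constructed-example-key-do-not-reuse"


def tag(key: bytes, data: bytes) -> bytes:
    """Authentication tag over data; changing any byte changes the tag."""
    return hmac.new(key, data, hashlib.sha256).digest()


class TamperDetected(Exception):
    """Raised when stored bytes do not match the tag of the last authorized write."""


class ProtectedStore:
    """Key/value store whose values carry an HMAC tag and a version history."""

    def __init__(self, key: bytes):
        self._key = key
        # name -> [(value, tag), ...] oldest first; the last entry is current
        self._history: Dict[str, List[Tuple[bytes, bytes]]] = {}
        # the 'disk': what someone with write access could alter behind our back
        self.storage: Dict[str, bytes] = {}

    def write(self, name: str, value: bytes) -> None:
        """Authorized change: store the value and remember the previous versions."""
        self._history.setdefault(name, []).append((value, tag(self._key, value)))
        self.storage[name] = value

    def is_intact(self, name: str) -> bool:
        """True if the stored bytes still match the tag of the last authorized write."""
        _, expected = self._history[name][-1]
        # compare_digest: constant-time comparison of the two tags
        return hmac.compare_digest(tag(self._key, self.storage[name]), expected)

    def read(self, name: str) -> bytes:
        """Return the value only if its integrity check passes."""
        if not self.is_intact(name):
            raise TamperDetected(f"{name!r} was modified outside the store")
        return self.storage[name]

    def rollback(self, name: str) -> bytes:
        """Undo the last authorized change and restore the previous version."""
        versions = self._history[name]
        if len(versions) < 2:
            raise ValueError(f"{name!r} has no earlier version to restore")
        versions.pop()
        previous, _ = versions[-1]
        self.storage[name] = previous
        return previous


if __name__ == "__main__":
    store = ProtectedStore(INTEGRITY_KEY)
    store.write("salary:alice", b"52000")
    store.storage["salary:alice"] = b"99000"          # unauthorized edit on 'disk'
    print("intact after tampering?", store.is_intact("salary:alice"))
    store.write("salary:alice", b"54000")             # authorized, but later regretted
    print("after rollback:", store.rollback("salary:alice"))
```

The tag only detects unauthorized change; it does not prevent it, which is why the example also keeps a history it can return to. An HMAC rather than a plain hash is used so that someone who can rewrite the value cannot simply recompute a matching tag without the key.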

Categories of Attacks

Attacks and Defenses

Although there are a variety of attacks that can be launched against a computer or network,
the same basic steps are used in most attacks. Protecting computers against these steps in
an attack calls for five fundamental security principles.

Steps of an Attack
There are various types of attacks. One way to categorize these attacks is by the five steps
that make up an attack, as seen in the Figure. The steps are the following:
1. Probe for information — the first step in an attack is to probe the system for any
information that can be used to attack it. This type of “reconnaissance” is essential to provide
information, such as the type of hardware used, the version of software or firmware, and even
personal information about the users, that can then be used in the next step. Actions that
take place in probing for information include ping sweeps of the network to determine which
systems respond, port scanning to see which ports are open and which services (and
versions) answer on them, queries crafted to provoke error messages that reveal details of
the target, and password guessing.
2. Penetrate any defenses — once a potential system has been identified and information
about it has been gathered, the next step is to launch the attack to penetrate the defenses.
These attacks come in a variety of forms, such as exploiting a software vulnerability found in
step 1 or guessing or cracking a password.
3. Modify security settings — once the system has been penetrated, the attacker modifies its
security settings (adding accounts, disabling logging, installing a backdoor) so that he or she
can re-enter the compromised system more easily. This usually requires first obtaining higher
privileges on the system, and many programs, known as privilege escalation tools, help
accomplish that.
4. Circulate to other systems — once the network or system has been compromised, the
attacker then uses it as a base to attack other networks and computers. The same tools that
are used to probe for information are then directed toward other systems.
5. Paralyze networks and devices—If the attacker chooses, he or she may also work to
maliciously damage the infected computer or network. This may include deleting or modifying
files, stealing valuable data, crashing the computer, or performing denial-of-service attacks.
Figure: Steps of an Attack
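Step 1 above, reconnaissance, is worth seeing as code. The following is an added example in Python (not code from the module or its sources) of a TCP connect scan with banner grabbing: it reports which ports accept a connection and whatever greeting the service volunteers, which is exactly how an attacker learns product names and versions. The target is a throwaway listener on 127.0.0.1 that the script starts itself, with a constructed banner, so nothing on a real network is touched; scanning systems you are not authorized to test is unlawful in many places.

```python
"""
Added example (not from the module): the 'probe for information' step.
A connect scan finds listening TCP ports and reads the service banner.
The target is a local throwaway listener with a constructed banner.
"""
import socket
import threading
from typing import Dict, Iterable, Optional, Tuple

# Constructed banner imitating what a chatty service reveals on connect.
CONSTRUCTED_BANNER = b"220 example-ftpd 1.2.3 ready\r\n"


def start_banner_listener(banner: bytes = CONSTRUCTED_BANNER) -> Tuple[socket.socket, int]:
    """Start a daemon thread that greets every connection with banner; return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: the OS picks a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listener closed
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def unused_port() -> int:
    """Pick a port nothing listens on: bind to 0, read the number, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


def probe_port(host: str, port: int, timeout: float = 0.5) -> Optional[bytes]:
    """Return the banner (possibly b'') if port accepts a TCP connection, else None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(256)
            except socket.timeout:
                return b""              # open, but the service waits for the client to speak
    except OSError:
        return None                     # refused, filtered or unreachable: treat as closed


def scan_ports(host: str, ports: Iterable[int]) -> Dict[int, bytes]:
    """Connect scan: map each open port to the banner it returned."""
    results: Dict[int, bytes] = {}
    for port in ports:
        banner = probe_port(host, port)
        if banner is not None:
            results[port] = banner
    return results


if __name__ == "__main__":
    srv, open_port = start_banner_listener()
    try:
        closed_port = unused_port()
        for p, b in scan_ports("127.0.0.1", [closed_port, open_port]).items():
            print(f"{p}/tcp open, banner={b!r}")
        print(f"{closed_port}/tcp closed: {probe_port('127.0.0.1', closed_port)}")
    finally:
        srv.close()
```

The banner “example-ftpd 1.2.3” is the kind of detail the text calls the version of software or firmware; the defensive counterpart, discussed under Obscurity below, is to stop services from volunteering it.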

Defenses against Attacks

Although multiple defenses may be necessary to withstand an attack, these defenses should
be based on five fundamental security principles: protecting systems by layering, limiting,
diversity, obscurity, and simplicity. This section examines each of these principles, which
provide a foundation for building a secure system.

Layering
Information security must be built in layers, because any single defense mechanism may be
relatively easy for an attacker to circumvent. A security system with several layers makes it
unlikely that an attacker has the tools and skills to break through all of them, and a layered
approach is also useful in resisting a variety of different attacks.
Layered security (also called defense in depth) means protecting digital assets with several
independent controls, such as a network firewall, host hardening, authentication, access
control, and monitoring. The concept is simple: if an attacker manages to breach one
control, sensitive data is still protected by the remaining layers, which makes a successful
attack harder and gives defenders time to notice and respond. Each layer should fail safely
(deny by default) so that the compromise of one layer does not silently disable the next.

Limiting
Limiting access to information reduces the threat against it. Only those who must use data
should have access to it, and the amount of access granted should be limited to what that
person needs to do his or her job (the principle of least privilege, often paired with
“need to know”). For example, access to an organization's human resource database should be
limited to approved employees, such as HR staff and the department managers and vice
presidents who must act on its contents, with everyone else denied by default.
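Layering and limiting fit together naturally in code. The following is an added example in Python (not code from the module or its sources): a request to an HR record must pass three independent checks, a network allow-list, authentication, and role-based authorization, each of which denies by default, and the request is allowed only if every layer agrees. The network range, user names, passwords and role table are constructed for the example.

```python
"""
Added example (not from the module): a layered, deny-by-default authorization
path for a request to an HR record. Each layer is an independent check and
would deny on its own; the request passes only if every layer allows it.
Network ranges, users, passwords and roles are constructed for the example.
"""
import hmac
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, FrozenSet, List, Tuple

# Layer 1 (network): only the constructed internal HR subnet may reach the service.
ALLOWED_NETWORKS = [ip_network("10.20.0.0/24")]

# Layer 2 (authentication): constructed credentials. A real system stores
# password hashes or delegates to single sign-on; plaintext is for brevity only.
USERS: Dict[str, str] = {"hr.analyst": "correct-horse", "dept.manager": "battery-staple"}

# Layer 3 (authorization, least privilege): a role grants only the actions its
# holders need; any action not listed for a role is denied.
ROLE_OF: Dict[str, str] = {"hr.analyst": "hr", "dept.manager": "manager"}
PERMITTED: Dict[str, FrozenSet[str]] = {
    "read_salary": frozenset({"hr", "manager"}),
    "write_salary": frozenset({"hr"}),
}


@dataclass(frozen=True)
class Request:
    source_ip: str
    user: str
    password: str
    action: str


Verdict = Tuple[bool, str]


def check_network(req: Request) -> Verdict:
    """Deny unless the source address parses and lies inside an allowed network."""
    try:
        addr = ip_address(req.source_ip)
    except ValueError:
        return False, "unparseable source address"
    if any(addr in net for net in ALLOWED_NETWORKS):
        return True, "source on allowed network"
    return False, f"{req.source_ip} is outside the allowed networks"


def check_authentication(req: Request) -> Verdict:
    """Deny unless the user exists and the password matches (constant-time compare)."""
    expected = USERS.get(req.user)
    if expected is not None and hmac.compare_digest(expected.encode(), req.password.encode()):
        return True, "credentials valid"
    return False, "invalid user or password"


def check_authorization(req: Request) -> Verdict:
    """Deny unless the user's role is explicitly listed for the requested action."""
    role = ROLE_OF.get(req.user)
    if role is not None and role in PERMITTED.get(req.action, frozenset()):
        return True, f"role {role} may {req.action}"
    return False, f"{req.user} is not permitted to {req.action}"


# Cheap, broad filters first. Each later layer assumes nothing about the
# earlier ones, so bypassing one layer does not disable the rest.
LAYERS: List[Tuple[str, Callable[[Request], Verdict]]] = [
    ("network", check_network),
    ("authentication", check_authentication),
    ("authorization", check_authorization),
]


def authorize(req: Request) -> Verdict:
    """Allow only if every layer allows; report the first layer that denies."""
    for name, check in LAYERS:
        ok, reason = check(req)
        if not ok:
            return False, f"denied at {name}: {reason}"
    return True, "allowed"


if __name__ == "__main__":
    for req in [
        Request("10.20.0.5", "hr.analyst", "correct-horse", "write_salary"),
        Request("10.20.0.5", "dept.manager", "battery-staple", "write_salary"),
        Request("203.0.113.9", "hr.analyst", "correct-horse", "read_salary"),
        Request("10.20.0.5", "hr.analyst", "correct-horse", "delete_database"),
    ]:
        print(req.user, req.action, "->", authorize(req))
```

Note that the manager, although a legitimate user of the database, cannot write salaries, and that an action nobody anticipated (“delete_database”) is denied because it appears in no role's list. That is limiting; the fact that a stolen password from outside the HR subnet still gets nowhere is layering.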

Diversity (Composed of different elements)

Diversity is closely related to layering. Just as it is important to protect data with layers of
security, so too must the layers be different (diverse) so that if attackers penetrate one layer,
they cannot use the same techniques to break through all other layers. A jewel thief, for
instance, might be able to foil the security camera by dressing in black clothes but should not
be able to use the same technique to trick the motion detection system.

Obscurity (Difficult to understand)

Obscuring what goes on inside a system or organization and avoiding clear patterns of
behavior make attacks from the outside more difficult. An example of obscurity would be
not revealing the type of computer, operating system, software, and network connection a
computer uses, for instance by suppressing version banners and verbose error pages. An
attacker who knows that information can more easily determine the weaknesses of the system
to attack it. Obscurity only buys time, however: it is a supplement to the other principles,
never a substitute, since a determined attacker can usually fingerprint a system anyway, and
a design whose security depends on its details staying secret (rather than on a secret key)
fails completely once those details leak.

Simplicity
Because attacks can come from a variety of sources and in many ways, information security
is by its very nature complex. The more complex something becomes, the more difficult it is
to understand, configure correctly and audit, so security systems should be kept as simple as
possible from the point of view of the people who must operate them, without sacrificing
protection. A security guard who does not understand how motion detectors interact with
infrared trip lights may not know what to do when one system alarm shows an intruder but
the other does not.
