Information Security Third Class-Cybersecurity Asst. Prof. Dr.

Eman Hato

Introduction to Information Security

1. Security Definition
The Information is the set of data, software, networks, procedures and policies that
deal with processing and distribution of information in an organization. Each
component has its own strengths, weaknesses, and its own security requirements.
Information security is the ability of providing the security requirements in order to
protect and prevent unauthorized use of information resources.

2. Security Aspects
It is helpful to have a model that can be used as a foundation or a baseline. This
gives a consistent set of terminology and concepts for defining the security
requirements and characterizing the approaches to satisfying those requirements.
The security aspects focus on security mechanisms, attacks, and services. These can
be defined briefly as follows:
Security Mechanisms: A process (or a device incorporating such a process) that is
designed to detect, prevent, or recover from a security attack.
Security Attacks: Any action that compromises the security of information owned
by an organization
Security Services: A processing or communication service that enhances the
security of the data processing systems and the information transfers of an
organization. The services are intended to counter security attacks, and they make
use of one or more security mechanisms to provide the service.

First Course 2023-2024 1

Information Security Third Class-Cybersecurity Asst. Prof. Dr. Eman Hato

3. Security Services
Security services (also called security goals) are processing services that are
provided by a system to give a specific kind of protection to system resources.
Security services are implemented by security mechanisms.
Security services are addressing three important aspects to define security
objectives of any computer system: Confidentiality, Integrity, and Availability
which form what is referred to as the CIA triad as shown in Figure (1).

 Confidentiality ensures that computer resources are accessed only by authorized

parties. That is, only those who should have access to something will actually get
that access. The "access" means not only reading but also viewing, printing, or
simply knowing that a particular resource exists. Confidentiality is sometimes
called secrecy or privacy.
 Integrity means that resources can be modified only by authorized parties or
only in authorized ways. The modification includes writing, changing, deleting,
and creating.
 Availability means that resources are accessible to authorized parties at
appropriate times. In other words, if some person or system has legal access to a
particular set of objects, that access should not be prevented.

Confidentiality
Unauthorized access is prevented

Integrity Availability
Data cannot be Data cannot be available
modified to unauthorized

Figure (1): CIA triad

First Course 2023-2024 2

Information Security Third Class-Cybersecurity Asst. Prof. Dr. Eman Hato

Although the use of the CIA triad to define security objectives is well established,
additional concepts are needed to present a complete picture. Two of the most
commonly mentioned are as follows:

 Authenticity: the property of being able to be verified and trusted; confidence in

the validity of a transmission or a message originator. This means verifying that
users are who they say they are and that each input arriving at the system came
from a trusted source.
 Accountability: is the property that ensures that the actions of an entity can be
traced. Accountability guarantees that all operations carried out by individuals,
systems or processes can be identified and that the trace to the author and the
operation is kept (traceability).

4. Security Attacks

Security attacks can be classified into three groups related to the security goals as
shown in Figure (2).

Figure (2): The security attacks

First Course 2023-2024 3

Information Security Third Class-Cybersecurity Asst. Prof. Dr. Eman Hato

The security attacks can also be classified in to passive attacks and active attacks as
shown in the Figure (2). A passive attack attempts to learn or make use of
information from the system but does not affect system resources.
An active attack attempts to alter system resources or affect their operation.

Passive Attacks

Attacks
Types

Active Attacks

Figure (2): The attacks types

Table below shows the relationship between this and the previous categorization.

Attacks Passive/Active Threatening

Snooping
Passive Confidentiality
Traffic analysis
Modification
Masquerading
Active Integrity
Replaying
Repudiation
Denial of service Active Availability

First Course 2023-2024 4

Information Security Third Class-Cybersecurity Asst. Prof. Dr. Eman Hato

4.1 Passive Attacks

A Passive attack attempts to learn or make use of information from the system but
does not affect system resources. Passive Attacks are in the nature of
eavesdropping on or monitoring of transmission. The goal of the opponent is to
obtain information is being transmitted. Types of passive attacks are as following:

 The Snooping
Snooping refers to unauthorized access to or interception of data. For example, a
file transferred through the Internet may contain confidential information. An
unauthorized entity may intercept the transmission and use the contents for her
own benefit. To prevent snooping, the data can be encrypted by encipherment
techniques.

John read the content of message

John
which Bob sent to Alice

Bob Internet Alice

 Traffic analysis
Suppose that we had a way of masking of information, so that the attacker even
if captured the message could not extract any information from the message.
The opponent could determine the location and identity of communicating host
and could observe the frequency and length of messages being exchanged. This
information might be useful in guessing the nature of the communication that
was taking place.

First Course 2023-2024 5

Information Security Third Class-Cybersecurity Asst. Prof. Dr. Eman Hato

John observe the pattern of

John message exchange between Bob
& Alice

Bob Internet Alice

Note: passive attacks are very difficult to detect, because they do not involve any
alteration of the data and neither the sender nor receiver is aware that a third party
has read the messages or observed the traffic pattern. However, it is feasible to
prevent the success of these attacks, usually by means of encryption. Thus, the
passive attacks are prevented rather than detected.

4.2 Active Attacks

Active attacks attempt to alter system resources or effect their operations. Active
attacks involve some modification of the data stream or creation of false statement.
Types of active attacks are as following:
 Masquerade
Masquerade attack takes place when one entity pretends to be different entity. A
Masquerade attack involves one of the other forms of active attacks.

John John pretends to be Bob

Bob Internet Alice

First Course 2023-2024 6

Information Security Third Class-Cybersecurity Asst. Prof. Dr. Eman Hato

 Modification of messages
It means that some portion of a message is altered or that message is delayed or
reordered to produce an unauthorized effect. For example, a message meaning
"Allow Alice to read confidential file X" is modified as "Allow John to read
confidential file X".

John Modifies the message and then

send to Alice

Bob Internet Alice

 Replay
It involves the passive capture of a message and its subsequent the transmission
to produce unauthorized effect.

Capture the message and then resend to

John
Alice (can send multiple times)

Bob Internet Alice

First Course 2023-2024 7

Information Security Third Class-Cybersecurity Asst. Prof. Dr. Eman Hato

 Denial of Service
It prevents normal use of communication facilities. This attack may have a
specific target. For example, an entity may crush all messages directed to a
particular destination. Another form of service denial is the disarrangement of
the network by disabling the network or by overloading it by messages so as to
degrade performance.

John Disabling the network

Bob Internet Alice

Note: Active attacks present the opposite characteristics of passive attacks. It is

quite difficult to prevent active attacks absolutely because of the wide variety of
physical, software, and network vulnerabilities. Instead, the goal is to detect active
attacks and to recover from any delays caused by them. If the detection has a
deterrent effect, it may also contribute to prevention.

4.3 Threats and Vulnerabilities

Vulnerability is a weakness in the security system, for example, in procedures,
design, or implementation that might be exploited to cause loss or harm.
A threat to a computing system is a set of circumstances that has the potential to
cause loss or harm.
To see the difference between a threat and vulnerability consider the Figure below.
Here, a wall is holding water back. The water to the left of the wall is a threat to the
First Course 2023-2024 8
Information Security Third Class-Cybersecurity Asst. Prof. Dr. Eman Hato

man on the right of the wall: The water could rise, overflowing onto the man, or it
could stay under the height of the wall. So the threat of harm is the potential for
the man to get wet or get hurt. However, the small crack in the wall is a
vulnerability that threatens the man's security. If the water rises to the level of the
crack, it will exploit the vulnerability and harm the man.

5. Security Mechanisms
Security mechanisms are used to provide some of the security services. Some of
examples of these mechanisms are:

 Encipherment (Encryption): The use of mathematical algorithms to transform

data into a form that is not readily intelligible. The transformations of the data
depend on an algorithm and zero or more encryption keys.
 Digital Signature: A cryptographic transformation of a data unit that allows a
recipient of the data unit to prove the source and integrity of the data unit and
protect against forgery.
 Access Control: A variety of mechanisms that enforce access rights to resources.
 Authentication Exchange: A mechanism that ensure the identity of an entity by
means of information exchange.

First Course 2023-2024 9