Session Number 3

Session Topic: Information Security Terminologies

Speaker: Manjunath Hiregange

IC 624: Cyber Security in Industrial Automation


Disclaimer:
Agenda

• Introduction to Fundamentals of Information Security
• Types and classes of attacks
• Additional System Security Concepts
• Policies, Standards, Guidelines, Procedures
• Malicious Codes and Attacks

CIA Triad

CONFIDENTIALITY

INTEGRITY

AVAILABILITY

IDENTIFICATION

AUTHENTICATION

AUTHORIZATION

ACCOUNTABILITY

AUDITING

NONREPUDIATION

RELATED TERMINOLOGIES

• Asset
• Threat
  • As defined by NIST SP 800-53, a threat is “any circumstance or event with the potential to adversely impact agency operations (including mission, functions, image, or reputation), agency assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.”

• Safeguard
• Vulnerability
  • According to NIST SP 800-53, vulnerability is “weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.”

CONTROLS

• Vulnerability can be decreased by applying controls that will mitigate the effect of an attack. Controls can be partitioned into the following categories:
  • Corrective controls minimize the effect of an attack and the degree of resulting damage.
  • Detective controls discern if attacks have occurred, or are occurring, and initiate control measures.
  • Deterrent controls reduce the potential for an attack to occur.
  • Preventive controls prevent a threat from exploiting a vulnerability.

THREAT MATRIX

TYPES OF ATTACK

• Passive Attack
• Active Attack
• Close-In Attack
• Insider Attack
• Distribution Attack

ADDITIONAL SYSTEM SECURITY CONCEPTS
• Complete Mediation
• Defense in depth
• Economy of mechanism
• Fail-safe
• Least common mechanism
• Least privilege
• Leveraging existing components
• Open design
• Psychological acceptability
• Separation of duties
• Weakest link

COMPLETE MEDIATION

Complete mediation requires that when an entity (a user or process) requests access to an object, such as a file or document in a computer system, the entity must go through a valid authorization process that cannot be circumvented.

To “circumvent” means to avoid something, especially cleverly or illegally.

Complete mediation means that whenever someone (like a user or a program) wants to access something (like a file or a document) on a computer, they must follow a proper authorization process. This process ensures that they have the right permissions and can’t bypass the rules. It’s like needing a valid ticket to enter a concert – no shortcuts allowed!

DEFENSE IN DEPTH
• NIST SP 800-82 defines a defense-in-depth architecture strategy as “the use of firewalls, the creation of demilitarized zones and intrusion detection capabilities, along with effective security policies, training programs, and incident response mechanisms.”
  • Firewalls: these are like guards at the entrance, checking who’s allowed in.
  • Demilitarized zones: think of this as a buffer area – like a waiting room before entering the main part of a building.
  • Intrusion detection: it’s like having alarms that go off if someone tries to break in.

• ANSI/ISA-62443-1-1 (99.01.01)-2007 describes defense in depth as:

The provision of multiple security protections, especially in layers, with the intent to delay, if not prevent, an attack.
Delaying attacks: each layer slows down attackers. It’s like having a maze before reaching the treasure.
NOTE Defense in depth implies layers of security and detection, even on single systems, and provides the following features:
– Attackers are faced with breaking through or bypassing each layer without being detected.
  Attackers have to deal with each security layer without getting caught. Some layers stop attacks altogether, like a dragon guarding the chest.
– A flaw in one layer can be mitigated by capabilities in other layers.
  If one layer fails, others can still protect.
– System security becomes a set of layers within the overall network security.

ECONOMY OF MECHANISM

• Economy of mechanism advances the concept that the design and implementation of defensive mechanisms should be straightforward, understandable, and not unnecessarily complex.

“Economy of mechanism” means that when we create security systems or defenses, we should keep things simple and easy to understand.

FAIL-SAFE
• NIST SP 800-123 explains the term fail-safe as follows: “If a failure occurs, the
system should fail in a secure manner, that is, security controls and settings
remain in effect and are enforced. It is usually better to lose functionality rather
than security.”

• Also, a fail-safe design should ensure that when a system recovers from a
failure, it should recover in a secure state, where only authorized users have
access to sensitive information.
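
Added example (not part of the original slides): a minimal reference monitor in Python that ties together complete mediation and fail-safe. Every read and write passes through one authorization check, and a failure of the policy lookup results in a denial. The class names, the tag `pump1.setpoint` and the roles are assumptions made for illustration.

```python
# Added illustration; every name here is hypothetical.
TAG = "pump1.setpoint"  # constructed sample tag
class PolicyStore:
    def __init__(self, rules):
        self.rules = set(rules)   # explicit (subject, tag, action) allow entries
        self.online = True        # set to False to simulate a failure

    def allows(self, subject, tag, action):
        if not self.online:
            raise ConnectionError("policy store unreachable")
        return (subject, tag, action) in self.rules

class ProtectedTags:
    """Process values that can be reached only through read() and write()."""
    def __init__(self, policy):
        self._policy = policy
        self._values = {TAG: 40.0}   # constructed sample data
        self.audit = []              # one entry per access decision

    def _authorize(self, subject, tag, action):
        try:
            allowed = self._policy.allows(subject, tag, action)
        except Exception:
            allowed = False   # fail-safe: a broken check denies, never allows
        self.audit.append((subject, tag, action, "allow" if allowed else "deny"))
        if not allowed:
            raise PermissionError(f"{subject} may not {action} {tag}")

    def read(self, subject, tag):
        self._authorize(subject, tag, "read")    # checked on every access
        return self._values[tag]

    def write(self, subject, tag, value):
        self._authorize(subject, tag, "write")   # no cached decision is reused
        self._values[tag] = value

def demo():
    policy = PolicyStore({("operator", TAG, "read"), ("engineer", TAG, "write")})
    tags = ProtectedTags(policy)
    tags.write("engineer", TAG, 42.5)
    results = [tags.read("operator", TAG)]
    # First an unauthorized subject, then an authorized one during an outage.
    for subject, online in (("operator", True), ("engineer", False)):
        policy.online = online
        try:
            tags.write(subject, TAG, 99.0)
        except PermissionError:
            results.append("denied")
    policy.online = True   # after recovery the stored value is unchanged
    return results + [tags.read("operator", TAG)], tags.audit
```

The engineer's write during the simulated outage is refused even though the policy would normally allow it: functionality is lost, security is not.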

LEAST COMMON MECHANISM

• Least common mechanism refers to having the least possible sharing of common security mechanisms among users or processes. Having many users sharing common security mechanisms can result in unknown or unauthorized access paths to sensitive data.

LEAST PRIVILEGE

• In the principle of least privilege, a user or process is given the minimum amount of privileges, authorization, and so on, for the smallest amount of time that will permit the user or process to accomplish assigned tasks.

“Principle of least privilege” means giving someone or something only the bare minimum permissions they need to get their job done.

LEVERAGING EXISTING COMPONENTS

• Leveraging existing components refers to using the security mechanisms that are already in place in the most efficient and effective manner and to their maximum capabilities.

• This process can be accomplished by periodically reviewing the configuration of the security devices and by optimizing their operational performance.

Using What’s Already There:
Imagine you have a toolbox with various tools – hammers, screwdrivers, and wrenches. Instead of buying new tools, you’d use what’s already in your toolbox, right? That’s leveraging existing components.
In security, it means using the security features and tools that are already set up in your system. Like using the locks and alarms you already have, rather than adding new ones.

Efficiency and Effectiveness:
Think of this as using your phone’s flashlight instead of buying a separate one. It’s efficient – you’re not wasting resources.
Effectiveness means getting the most out of what you have. Like using your phone’s camera to scan QR codes – it’s handy and effective.

Periodic Review:
Imagine checking your car’s tires regularly. Periodic review means looking at your security setup now and then.
Are the locks still working? Are the alarms up to date? It’s like making sure your car is roadworthy.

Optimizing Performance:
Think of this as tuning your guitar strings. You adjust them to get the best sound.
In security, it’s about fine-tuning your existing tools – making sure they work at their best. Like adjusting your home security cameras for better coverage.

OPEN DESIGN

• Open design proposes that making designs and security approaches available to examination and scrutiny by a variety of parties will ensure that they are robust and are performing as required.
  • Scrutiny: careful and detailed examination.
  • Robust: strong, healthy.

• The alternative to open design is to keep designs proprietary and confidential in the hope that by doing so they will be more secure from compromise. In almost all cases, open design results in more effective and reliable mechanisms.

PSYCHOLOGICAL ACCEPTABILITY

• Psychological acceptability is concerned with making the interface and interaction with access control mechanisms intuitive and easy for the user to understand and operate.

“Psychological acceptability” means designing security systems in a way that feels natural and easy for users to understand and use.

Interface and Interaction:
Imagine using a smartphone – the buttons, icons, and menus you interact with. That’s the interface.
Interaction is how you tap, swipe, or type on the screen. It’s like playing a game – your moves interact with the game.

SEPARATION OF DUTIES

• Separation of duties requires that functions, roles, or responsibilities should be distinct and independent from each other so that no entity can solely control sensitive operations.

“Separation of duties” means dividing tasks or jobs so that no single person or entity has complete control over important actions. Imagine a team working together – each member has their specific role. It’s like having different keys to open different doors, ensuring that no one person can access everything. So, separation of duties keeps things fair and secure!
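
Added example (not part of the original slides): a two-person rule in Python, one common way to enforce separation of duties on a sensitive operation such as a controller logic download. The workflow, role names and users are assumptions made for illustration; note that a user who holds both roles still cannot approve their own request.

```python
# Added illustration; every name here is hypothetical.
class ChangeControl:
    """Two-person rule: a change runs only after someone else approves it."""

    def __init__(self, roles):
        self.roles = roles      # user -> set of role names
        self.changes = {}       # change id -> record

    def _require(self, user, role):
        if role not in self.roles.get(user, set()):
            raise PermissionError(f"{user} lacks role {role!r}")

    def request(self, user, change_id, description):
        self._require(user, "requester")
        self.changes[change_id] = {"description": description, "requested_by": user,
                                   "approved_by": None, "executed": False}

    def approve(self, user, change_id):
        self._require(user, "approver")
        change = self.changes[change_id]
        if user == change["requested_by"]:
            # Holding both roles is not enough: approval must come from someone else.
            raise PermissionError("requester cannot approve their own change")
        change["approved_by"] = user

    def execute(self, user, change_id):
        change = self.changes[change_id]
        if user != change["requested_by"]:
            raise PermissionError("only the requester executes the change")
        if change["approved_by"] is None:
            raise PermissionError("change has no independent approval")
        change["executed"] = True
        return change

def denied(action, *args):
    """Return True when the call is refused with PermissionError."""
    try:
        action(*args)
    except PermissionError:
        return True
    return False

# Constructed sample users: carol holds both roles on purpose.
ROLES = {"alice": {"requester"}, "bob": {"approver"},
         "carol": {"requester", "approver"}}
```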

WEAKEST LINK

• As with any group of protection mechanisms, it is important to identify the weakest element in the group. Once the weakest link is identified, actions can be taken to bolster that element and mitigate any corresponding risk.
  • Bolster: support or improve it.

Policies, Standards, Guidelines, and Procedures

Policies

• A policy is a statement of the intent of management for the organization, and compliance is mandatory.
• It provides top-down requirements.

A policy is like a set of rules or guidelines that everyone in an organization must follow.

Standards

• A standard details how specific methods must be applied in a consistent manner.
• Conformance to standards is normally compulsory.
  • Conformance: obeying rules or standards.

Guidelines

• Guidelines also detail methods to use to create secure information systems, but are considered to be recommendations and conformance is not compulsory.

Procedures

• Procedures are step-by-step actions that must be taken to implement policies and standards. Procedures describe compulsory activities.

Malicious Code and Attacks

• NIST SP 800-53: Software or firmware intended to perform an unauthorized process that will have an adverse impact on the confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code.

Viruses: These spread and infect other files, like a contagious disease.
Worms: They multiply and spread across networks, like digital worms.
Trojan Horses: They pretend to be something harmless but secretly cause damage.
Spyware and Adware: These watch what you do online or bombard you with ads.

Viruses and Worms

• ANSI/ISA-62443-1-1 –
• virus - “self-replicating or self-reproducing program that spreads by inserting
copies of itself into other executable code or documents,”
• worm - “computer program that can run independently, can propagate a
complete working version of itself onto other hosts on a network, and may
consume computer resources destructively.”

Trojan Horse

• A Trojan horse conceals additional code in a program that is used for a valid purpose. Then, the hidden code, which could be a virus, can perform malicious acts. Trojan horses can be transmitted through emails or downloads from websites.

Logic Bomb

• A logic bomb is a type of Trojan horse that does not execute until a
preset condition is met; for example, at a specific time and date or
when some activity is performed on the host computer.

Mobile Code

• Software that is obtained or downloaded over a network from a remote source onto a local computer is known as mobile code.
• This mobile code can be used for valid applications or can contain a virus that could do harm to a computer system.

Back Door

• In a back-door attack, an individual attempts to gain access to a computer system by circumventing its protection mechanisms.

Scanning

• A scan can yield the following information:
  • Open ports
  • Services that are running
  • Types of system software
  • Domain names
  • Existence of intrusion detection systems
  • Protocols being used
  • Existence of firewalls and perimeter devices

Man-in-the-Middle

• In a successful attack, the attacker can intercept data between the two parties, modify it, and then pass it on without the knowledge of the sender or receiver.

Social Engineering

Guessing Passwords

Denial of Service/Distributed Denial of Service

Replay

Dumpster Diving

• In dumpster diving, an individual sorts through discarded material in a dumpster in the hope of finding sensitive information that can be used later to attack an organization’s computer system.
• In many cases, user’s manuals, technical manuals, correspondence, organization charts, and other related material could provide valuable information to an attacker.
