
Information Security

Objectives
• Understand the definition of information security
• Comprehend the history of computer security and how it evolved into information security
• Understand the key terms and concepts of information security
• Outline the phases of the security systems development life cycle
• Understand the roles of professionals involved in information security within an organization
Introduction
• Information security, sometimes shortened to InfoSec, is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information.
IT security
• Sometimes referred to as computer security, information technology security is information security applied to technology (most often some form of computer system).
• It is worthwhile to note that a computer does not necessarily mean a home desktop. A computer is any device with a processor and some memory.
• Such devices can range from non-networked standalone devices as simple as calculators, to networked mobile computing devices such as smartphones and tablet computers.
• IT security specialists are almost always found in any major enterprise/establishment due to the nature and value of the data within larger businesses. They are responsible for keeping all of the technology within the company secure from malicious cyber attacks that often attempt to breach critical private information or gain control of the internal systems.
The History of Information Security
• Began immediately after the first mainframes were developed
• Groups developing code-breaking computations during World War II created the first modern computers
• Physical controls to limit access to sensitive military locations to authorized personnel
• Rudimentary in defending against physical theft, espionage, and sabotage
The 1960s
• Advanced Research Projects Agency (ARPA) began to examine feasibility of redundant networked communications
• Larry Roberts developed ARPANET from its inception
The 1970s and 80s
• ARPANET grew in popularity, as did its potential for misuse
• Fundamental problems with ARPANET security were identified
– No safety procedures for dial-up connections to ARPANET
– Non-existent user identification and authorization to system
• Late 1970s: microprocessor expanded computing capabilities and security threats
R-609
• Information security began with Rand Report R-609 (paper that started the study of computer security)
• Scope of computer security grew from physical security to include:
– Safety of data
– Limiting unauthorized access to data
– Involvement of personnel from multiple levels of an organization
The 1990s
• Networks of computers became more common; so too did the need to interconnect networks
• Internet became first manifestation of a global network of networks
• In early Internet deployments, security was treated as a low priority
The Present
• The Internet brings millions of computer networks into communication with each other—many of them unsecured
• Ability to secure a computer’s data is influenced by the security of every computer to which it is connected
What is Security?
• “The quality or state of being secure—to be free from danger”
• A successful organization should have multiple layers of security in place:
– Physical security
– Personal security
– Operations security
– Communications security
– Network security
– Information security
What is Information Security?
• The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information
• Necessary tools: policy, awareness, training, education, technology
• C.I.A. triangle was standard based on confidentiality, integrity, and availability
• C.I.A. triangle now expanded into list of critical characteristics of information
Critical Characteristics of Information
• The value of information comes from the characteristics it possesses:
– Availability
– Accuracy
– Authenticity
– Confidentiality
– Integrity
– Utility
– Possession
Components of an Information System
• Information System (IS) is entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization
Securing Components
• Computer can be subject of an attack and/or the object of an attack
– When the subject of an attack, computer is used as an active tool to conduct attack
– When the object of an attack, computer is the entity being attacked
Figure 1-5 – Subject and Object of Attack
Balancing Information Security and Access
• Impossible to obtain perfect security—it is a process, not an absolute
• Security should be considered balance between protection and availability
• To achieve balance, level of security must allow reasonable access, yet protect against threats
Figure 1-6 – Balancing Security and Access
Approaches to Information Security Implementation: Bottom-Up Approach
• Grassroots effort: systems administrators attempt to improve security of their systems
• Key advantage: technical expertise of individual administrators
• Seldom works, as it lacks a number of critical features:
– Participant support
– Organizational staying power
Approaches to Information Security Implementation: Top-Down Approach
• Initiated by upper management
– Issue policy, procedures and processes
– Dictate goals and expected outcomes of project
– Determine accountability for each required action
• The most successful also involve formal development strategy referred to as systems development life cycle
The Systems Development Life Cycle
• Systems development life cycle (SDLC) is methodology and design for implementation of information security within an organization
• Methodology is formal approach to problem-solving based on structured sequence of procedures
• Using a methodology
– ensures a rigorous process
– avoids missing steps
• Goal is creating a comprehensive security posture/program
• Traditional SDLC consists of six general phases
Investigation
• What problem is the system being developed to solve?
• Objectives, constraints and scope of project are specified
• Preliminary cost-benefit analysis is developed
• At the end, feasibility analysis is performed to assess economic, technical, and behavioral feasibility of the process
Analysis
• Consists of assessments of the organization, status of current systems, and capability to support proposed systems
• Analysts determine what new system is expected to do and how it will interact with existing systems
• Ends with documentation of findings and update of feasibility analysis
Logical Design
• Main factor is business need; applications capable of providing needed services are selected
• Data support and structures capable of providing the needed inputs are identified
• Technologies to implement physical solution are determined
• Feasibility analysis performed at the end
Physical Design
• Technologies to support the alternatives identified and evaluated in the logical design are selected
• Components evaluated on make-or-buy decision
• Feasibility analysis performed; entire solution presented to end-user representatives for approval
Implementation
• Needed software created; components ordered, received, assembled, and tested
• Users trained and documentation created
• Feasibility analysis prepared; users presented with system for performance review and acceptance test
Maintenance and Change
• Consists of tasks necessary to support and modify system for remainder of its useful life
• Life cycle continues until the process begins again from the investigation phase
• When current system can no longer support the organization’s mission, a new project is implemented
The Security Systems Development Life Cycle
• The same phases used in traditional SDLC may be adapted to support specialized implementation of an IS project
• Identification of specific threats and creating controls to counter them
• SecSDLC is a coherent program rather than a series of random, seemingly unconnected actions
Investigation
• Identifies process, outcomes, goals, and constraints of the project
• Begins with enterprise information security policy
• Organizational feasibility analysis is performed
Analysis
• Documents from investigation phase are studied
• Analyzes existing security policies or programs, along with documented current threats and associated controls
• Includes analysis of relevant legal issues that could impact design of the security solution
• The risk management task begins
Logical Design
• Creates and develops blueprints for information security
• Incident response actions planned:
– Continuity planning
– Incident response
– Disaster recovery
• Feasibility analysis to determine whether project should continue or be outsourced
Physical Design
• Needed security technology is evaluated, alternatives generated, and final design selected
• At end of phase, feasibility study determines readiness of organization for project
Implementation
• Security solutions are acquired, tested, implemented, and tested again
• Personnel issues evaluated; specific training and education programs conducted
• Entire tested package is presented to management for final approval
Maintenance and Change
• Perhaps the most important phase, given the ever-changing threat environment
• Often, reparation and restoration of information is a constant duel with an unseen adversary
• Information security profile of an organization requires constant adaptation as new threats emerge and old threats evolve
Security Professionals and the Organization
• Wide range of professionals required to support a diverse information security program
• Senior management is key component; also, additional administrative support and technical expertise required to implement details of IS program
Senior Management
• Chief Information Officer (CIO)
– Senior technology officer
– Primarily responsible for advising senior executives on strategic planning
• Chief Information Security Officer (CISO)
– Primarily responsible for assessment, management, and implementation of IS in the organization
– Usually reports directly to the CIO
Information Security Project Team
• A number of individuals who are experienced in one or more facets of technical and non-technical areas:
– Champion/Chairman
– Team leader
– Security policy developers
– Risk assessment specialists
– Security professionals
– Systems administrators
– End users
Data Ownership
• Data Owner: responsible for the security and use of a particular set of information
• Data Custodian: responsible for storage, maintenance, and protection of information
• Data Users: end users who work with information to perform their daily jobs supporting the mission of the organization
Communities Of Interest
• Group of individuals united by similar interests/values in an organization
– Information Security Management and Professionals
– Information Technology Management and Professionals
– Organizational Management and Professionals
Security Management
• Security management for networks is different for all kinds of situations.
• A home or small office may only require basic security, while large businesses may require high-maintenance and advanced software and hardware to prevent malicious attacks from hacking and spamming.
Types of Attacks
• Networks are subject to attacks from malicious sources.
• Attacks fall into two categories: "Passive", when a network intruder intercepts data traveling through the network, and "Active", in which an intruder initiates commands to disrupt the network's normal operation or to conduct reconnaissance and lateral movement to find and gain access to assets available via the network.
Passive Attacks
• Telephone tapping (also wire tapping or wiretapping)
– Telephone tapping (also wire tapping or wiretapping in American English) is the monitoring of telephone and Internet conversations by a third party, often by covert means.
– The wire tap received its name because, historically, the monitoring connection was an actual electrical tap on the telephone line.
– Legal wiretapping by a government agency is also called lawful interception. Passive wiretapping monitors or records the traffic, while active wiretapping alters or otherwise affects it.
Passive Attacks
• Port scanner
– A port scanner is an application designed to probe a server or host for open ports. This is often used by administrators to verify security policies of their networks and by attackers to identify network services running on a host and exploit vulnerabilities.
– A port scan or portscan is a process that sends client requests to a range of server port addresses on a host, with the goal of finding an active port; this is not a nefarious process in and of itself. The majority of uses of a port scan are not attacks, but rather simple probes to determine services available on a remote machine.
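A defender's view of the port-scan probe described above, as an added example that is not part of the original slides: it parses constructed firewall log lines (the log format is an assumption) and flags a source that touches many distinct ports on one host inside a short window, counting denied probes as well as allowed ones.

```python
# Added example (not from the original slides): a small port-scan detector run
# over constructed firewall log lines. The log format is an assumption:
#   "<epoch> <src_ip> -> <dst_ip>:<dst_port> <proto> <ALLOW|DENY>"
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) "
    r"(?P<proto>\w+) (?P<action>\w+)$"
)

# Constructed sample: 10.0.0.5 is an ordinary client reusing two services;
# 10.0.0.9 touches 15 consecutive ports on one host within 15 seconds.
SAMPLE_LOG = "\n".join(
    ["1700000000 10.0.0.5 -> 192.0.2.10:443 tcp ALLOW",
     "1700000005 10.0.0.5 -> 192.0.2.10:80 tcp ALLOW",
     "1700000009 10.0.0.5 -> 192.0.2.10:443 tcp ALLOW"]
    + [f"{1700000010 + i} 10.0.0.9 -> 192.0.2.10:{20 + i} tcp "
       f"{'ALLOW' if 20 + i == 22 else 'DENY'}" for i in range(15)]
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"], ev["port"] = int(ev["ts"]), int(ev["port"])
    return ev


def detect_scans(lines, window=60, min_ports=10):
    """Flag sources that contact at least min_ports distinct ports on one
    destination within any window-second span. DENY lines count as well:
    probes of closed ports are the loudest part of a scan."""
    events = defaultdict(list)  # (src, dst) -> [(ts, port), ...]
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[(ev["src"], ev["dst"])].append((ev["ts"], ev["port"]))
    alerts = {}  # src -> (dst, most distinct ports seen in one window)
    for (src, dst), evs in events.items():
        evs.sort()
        in_window = Counter()  # port -> hits inside the sliding window
        left = 0
        for ts, port in evs:
            in_window[port] += 1
            while ts - evs[left][0] > window:  # drop events that fell out
                old = evs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            n = len(in_window)
            if n >= min_ports and n > alerts.get(src, ("", 0))[1]:
                alerts[src] = (dst, n)
    return alerts
```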
Passive Attacks
• Idle scan
– The idle scan is a TCP port scan method that consists of sending spoofed packets to a computer to find out what services are available. This is accomplished by impersonating another computer called a "zombie" (that is not transmitting or receiving information) and observing the behavior of the "zombie" system.

In computer science, a zombie is a computer connected to the Internet that has been compromised by a hacker, computer virus or Trojan horse program and can be used to perform malicious tasks of one sort or another under remote direction.
Active Attacks
• Denial-of-service attack
– Denial-of-service (DoS) attacks typically flood servers, systems or networks with traffic in order to overwhelm the victim resources and make it difficult or impossible for legitimate users to use them. While an attack that crashes a server can often be dealt with successfully by simply rebooting the system, flooding attacks can be more difficult to recover from.
Active Attacks
• Signs of a denial-of-service attack:
– Degradation in network performance, especially when attempting to open files stored on the network or accessing websites;
– Inability to reach a particular website;
– Difficulty in accessing any website; and
– A higher than usual volume of spam email.
Active Attacks
• Denial-of-service attack
– Experts recommend a number of strategies for enterprises to defend against a denial-of-service attack, starting with preparing an incident response plan well in advance of any attack.
– Once there is suspicion that a DoS attack is underway, enterprises should contact their internet service provider (ISP) to determine whether the incident is an actual DoS attack or degradation of performance caused by some other factor.
– The ISP can help mitigate the attack by rerouting or throttling malicious traffic and using load balancers to reduce the effect of the attack.
Active Attacks
• Types of Denial-of-service attack
• UDP Flood
– User Datagram Protocol is a sessionless networking protocol. One common DDoS attack method is referred to as a UDP flood. Random ports on the target machine are flooded with packets that cause it to listen for applications on those ports and report back with an ICMP packet.
The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is used by network devices, like routers, to send error messages and operational information indicating, for example, that a requested service is not available or that a host or router could not be reached.
Active Attacks
• SYN Flood Attack
– The “three-way handshake”, a reference to how TCP connections work, is the basis for this form of attack. The SYN-ACK communication process works like this:
– First, a “synchronize”, or SYN message, is sent to the host machine to start the conversation.
– Next, the request is “acknowledged” by the server. It sends an ACK flag to the machine that started the “handshake” process and waits for the connection to be closed.
– The connection is completed when the requesting machine closes the connection.
Active Attacks
• SYN Flood Attack
– A SYN flood attack will send repeated spoofed requests from a variety of sources at a target server.
– The server will respond with an ACK packet to complete the TCP connection, but instead of closing the connection the connection is allowed to timeout.
– Eventually, and with a strong enough attack, the host resources will be exhausted and the server will go offline.
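The half-open connections the slide describes can be counted from the server's side. This added example (not from the original slides) replays a constructed trace of SYN and final-ACK events as a listener would see them; the event shape, the SYN timeout and the alert threshold are assumptions. The spread across sources is what separates a spoofed flood (many sources, one half-open each) from a single slow client.

```python
# Added example (not from the original slides): replay of a constructed TCP
# event trace as a server's listener would see it, counting half-open
# connections (SYN received, handshake never completed). Event shape and the
# SYN timeout value are assumptions.
from collections import Counter

SYN_TIMEOUT = 60       # seconds a server keeps a half-open entry (assumed)
HALF_OPEN_ALERT = 100  # alert threshold for this example (assumed)


def replay(events):
    """events: (timestamp, src_ip, src_port, flag) with flag 'SYN' or 'ACK'.
    Returns {(src_ip, src_port): syn_timestamp} for handshakes still open."""
    pending = {}
    for ts, src, sport, flag in sorted(events):
        key = (src, sport)
        if flag == "SYN":
            pending[key] = ts          # server replied SYN-ACK, now waiting
        elif flag == "ACK":
            pending.pop(key, None)     # third step done: connection complete
    return pending


def half_open_report(events, now, syn_timeout=SYN_TIMEOUT,
                     threshold=HALF_OPEN_ALERT):
    """Summarise backlog pressure at time `now`, after the server's own
    timeout has purged stale entries."""
    live = {k: t for k, t in replay(events).items() if now - t <= syn_timeout}
    per_source = Counter(src for src, _ in live)
    return {
        "half_open": len(live),
        "distinct_sources": len(per_source),
        "top_source_share": (max(per_source.values()) / len(live)) if live else 0.0,
        "suspected_syn_flood": len(live) >= threshold,
    }


def constructed_trace():
    """Two legitimate clients that complete the handshake, one stale SYN that
    will age out, and 150 spoofed sources that never send the final ACK."""
    trace = [
        (100.00, "10.0.0.5", 40000, "SYN"), (100.05, "10.0.0.5", 40000, "ACK"),
        (101.00, "10.0.0.6", 40001, "SYN"), (101.04, "10.0.0.6", 40001, "ACK"),
        (10.00, "10.0.0.7", 40002, "SYN"),   # never completed, but expired
    ]
    trace += [(120 + i * 0.01, f"198.51.100.{i}", 50000 + i, "SYN")
              for i in range(150)]
    return trace


if __name__ == "__main__":
    print(half_open_report(constructed_trace(), now=130.0))
```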
Active Attacks
• Ping of Death
– Ping of death (“POD”) is a denial of service attack that manipulates IP protocol by sending packets larger than the maximum byte allowance, which under IPv4 is 65,535 bytes.
– Large packets are divided across multiple IP packets – called fragments – and once reassembled create a packet larger than 65,535 bytes.
– The result causes servers to reboot or crash.
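An added example, not from the original slides, of the check a reassembly routine needs against the oversized datagram just described: it refuses a fragment set before buffering it as soon as any fragment would end beyond the 65,535-byte limit, and also rejects holes and overlaps. The fragment tuple shape and a 20-byte header are assumptions.

```python
# Added example (not from the original slides): a reassembly guard that
# refuses an IPv4 datagram whose fragments would rebuild to more than 65,535
# bytes, the failure mode behind the ping of death. Fragments are modelled as
# (offset_in_8_byte_units, payload_len, more_fragments); header assumed 20 bytes.
IPV4_MAX_TOTAL_LENGTH = 65535
IPV4_HEADER_LENGTH = 20  # assumes no IP options


def reassembly_check(fragments):
    """Validate a fragment set before allocating a reassembly buffer.
    Returns ("oversized", total), ("misaligned", expected_offset),
    ("incomplete", None) or ("ok", total_datagram_length)."""
    frags = sorted(fragments)
    expected = 0  # next payload byte offset we need to see
    for off_units, plen, more in frags:
        start, end = off_units * 8, off_units * 8 + plen
        if end + IPV4_HEADER_LENGTH > IPV4_MAX_TOTAL_LENGTH:
            return ("oversized", end + IPV4_HEADER_LENGTH)  # reject early
        if start != expected:          # hole or overlap: also reject
            return ("misaligned", expected)
        expected = end
    if not frags or frags[-1][2]:      # last piece still says "more coming"
        return ("incomplete", None)
    return ("ok", expected + IPV4_HEADER_LENGTH)


def split_payload(payload_len, mtu=1500):
    """Constructed sender: fragment a payload as a 1500-byte MTU link would."""
    per = ((mtu - IPV4_HEADER_LENGTH) // 8) * 8   # 1480 bytes per fragment
    frags, off = [], 0
    while off < payload_len:
        plen = min(per, payload_len - off)
        frags.append((off // 8, plen, off + plen < payload_len))
        off += plen
    return frags


if __name__ == "__main__":
    print(reassembly_check(split_payload(4000)))    # ordinary large ping
    print(reassembly_check(split_payload(65600)))   # oversized: rejected
```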
Active Attacks
• Peer-to-Peer Attacks
– Peer-to-Peer servers present an opportunity for attackers.
– What happens is instead of using a botnet to siphon traffic towards the target, a peer-to-peer server is exploited to route traffic to the target website.
– When done successfully, people using the file-sharing hub are instead sent to the target website until the website is overwhelmed and sent offline.
Active Attacks
• Degradation of Service Attacks
– The purpose of this attack is to slow server response times.
– A DDoS attack seeks to take a website or server offline. That is not the case in a degradation of service attack. The goal here is to slow response time to a level that essentially makes the website unusable for most people.
– Zombie computers are leveraged to flood a target machine with malicious traffic that will cause performance and page-loading issues.
– These types of attacks can be difficult to detect because the goal is not to take the website offline, but to degrade performance. They are often confused with simply an increase in website traffic.
Active Attacks
• Application Level Attacks
– Application level attacks target areas that have more vulnerabilities.
– Rather than attempt to overwhelm the entire server, an attacker will focus their attack on one – or a few – applications.
– Web-based email apps, WordPress, Joomla, and forum software are good examples of application specific targets.
