
Chapter Two

Fundamentals of IS Security

Introduction to Information Security

IS Security Fundamentals
A. Confidentiality
- Information has confidentiality when it is protected from disclosure or
  exposure to unauthorized individuals or systems.
- It ensures that only those with the rights and privileges to access the
  information are able to do so.
- When unauthorized individuals or systems can view information,
  confidentiality is breached (loss of confidentiality).

IS Security Fundamentals (cont.)
Threats to Confidential Information
- Breaches of confidentiality can come from both inside and outside a business.
- Outside threats include:
  - Theft
  - Hacking
  - Commercial espionage
- Inside threats can come from:
  - Employees disclosing information, either by accident or through outside
    business transactions.
  - Former employees, particularly if they are disgruntled.
  - Information disclosed as part of negotiations with an outside entity that
    eventually fall apart.
Protecting Confidential Information
- To protect the confidentiality of information you can use a number of
  measures, including the following:
  - Information classification (label confidential information).
  - Train staff to know what is confidential and what is not.
  - Put rules and procedures in place: staff need to know how to handle and
    administer confidential information.
  - Secure document storage.
  - Have a digital device policy.
  - Require signed non-disclosure agreements.

B. Integrity
- Information has integrity when it is whole, complete and uncorrupted.
- The integrity of information is threatened when the information is exposed
  to corruption, damage, destruction or other disruption of its authentic state.
- Corruption can occur while information is being stored or transmitted.
- When information is modified in unexpected ways, the result is known as
  loss of integrity.
- Information integrity is a cornerstone of information systems, because
  information has no value or use if users cannot verify its integrity.

- Key methods for assuring information integrity are:
  - Standard data definitions
  - Cleaning and monitoring data
  - Keeping an audit trail
  - Auditing the audit trails
  - Encrypting the data (note that encryption alone only hides data; a MAC or
    digital signature is what makes unauthorized changes detectable)
  - Always validating input data
  - Implementing access controls
  - Always backing up data
  - Adopting security best practices
  - Educating your workforce
  - Logging changes to data
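The audit-trail items in the list above (keep an audit trail, audit the audit trails, log changes to data) are easiest to see in code. The following is an added example, not part of the original slides: a hash-chained change log in which every entry commits to the entry before it, plus an HMAC seal over the head hash that an auditor keeps outside the system being audited. The auditor key, the log layout and the sample events are all constructed for the example.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # fixed starting value: the "previous hash" of the first entry


def _entry_hash(prev_hash, seq, record):
    """Hash that binds an entry's record and position to the entry before it."""
    canonical = json.dumps(
        {"seq": seq, "prev": prev_hash, "record": record},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append(log, record):
    """Append a change record to the log, chaining it to the current head."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    log.append({"seq": seq, "prev": prev_hash, "record": record,
                "hash": _entry_hash(prev_hash, seq, record)})
    return log[-1]["hash"]


def seal(log, auditor_key):
    """HMAC over the head hash. The auditor stores this tag away from the host
    that writes the log, so a truncated or replaced log can be noticed."""
    head = log[-1]["hash"] if log else GENESIS
    return hmac.new(auditor_key, head.encode("utf-8"), hashlib.sha256).hexdigest()


def verify(log, auditor_key, seal_tag):
    """Re-walk the chain and compare the head with the auditor's seal.
    Returns (ok, reason)."""
    prev_hash = GENESIS
    for expected_seq, entry in enumerate(log):
        if entry["seq"] != expected_seq or entry["prev"] != prev_hash:
            return False, "chain broken at seq %d (entry removed or reordered)" % expected_seq
        if _entry_hash(prev_hash, entry["seq"], entry["record"]) != entry["hash"]:
            return False, "entry %d modified" % expected_seq
        prev_hash = entry["hash"]
    if not hmac.compare_digest(seal(log, auditor_key), seal_tag):
        return False, "head does not match the auditor's seal (log truncated or replaced)"
    return True, "ok"


# Constructed sample change events (not real data).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00Z", "actor": "alice", "action": "update", "object": "customer/17"},
    {"ts": "2024-05-01T09:05:12Z", "actor": "bob", "action": "delete", "object": "invoice/2291"},
    {"ts": "2024-05-01T09:07:40Z", "actor": "alice", "action": "export", "object": "report/q1"},
]


def demo():
    """Build a log, seal it, then show which kind of tampering each check catches."""
    auditor_key = b"auditor-only-key"  # assumption: held by the auditor, not the logging host
    log = []
    for event in SAMPLE_EVENTS:
        append(log, event)
    tag = seal(log, auditor_key)
    results = {"intact": verify(log, auditor_key, tag)}

    modified = copy.deepcopy(log)        # bob rewrites his "delete" into a "read"
    modified[1]["record"]["action"] = "read"
    results["modified"] = verify(modified, auditor_key, tag)

    deleted = copy.deepcopy(log)         # bob's entry is dropped from the middle
    del deleted[1]
    results["deleted"] = verify(deleted, auditor_key, tag)

    truncated = copy.deepcopy(log)[:-1]  # newest entry cut off: the chain alone
    results["truncated"] = verify(truncated, auditor_key, tag)  # would still verify
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print("%-10s %s  %s" % (name, "PASS" if ok else "FAIL", reason))
```

A plain hash chain catches modification of an entry and removal or reordering in the middle, but not cutting entries off the end, which is why the head is sealed with a key the logging host does not hold. In practice the seal is refreshed on a schedule or the log is shipped to a write-once store; the example keeps a single seal for clarity.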


C. Availability
- Enables authorized users, persons or computer systems, to access information
  without interference or obstruction and to receive it in the required format.
- The assurance that the service will be available when it is needed.
- Information can be erased or become inaccessible, resulting in loss of
  availability. This means that people who are authorized to get information
  cannot get what they need.
- It is the way of assuring that information and communication services will be
  ready for use when expected.

- Factors that affect the availability of information and information systems
  (threats):
  - Infrastructure failure
  - Infrastructure overload
  - Malicious activity (e.g. denial of service)
  - Data inconsistency
  - Poor data quality
  - Files stored in personal directories may not be available to other employees
    when needed.
  - Hardware failures could affect the availability of company resources.
  - A failure in the data circuit could prohibit system access.
  - Software upgrades may prohibit access.

- How to ensure availability?
  - Improve your physical infrastructure.
  - Speed up recovery times (automate failover).
  - Eliminate corrupted data.
  - Embrace redundancy, so that a failure in one of the disks, servers or
    databases that host your data will not lead to a disruption in availability.
  - Back up data (and test that the backups actually restore).

Components of Information Security

The CIA Triad: confidentiality, integrity and availability.

NB. The three components are also called the security goals.

Principles of IS Security
- Information security principles denote the basic guidelines that should be used
  when designing a secure system.
- There are many best practices in information security that are specific to
  certain industries or businesses, but some apply broadly.

1. Balance protection with utility:
- Maximum security by definition requires a "closed system", whereas maximum
  utility requires "openness".
- In information system security this means finding a balance between resource
  availability and the confidentiality and integrity of the resources.
- Rather than trying to protect against all kinds of threats, focus on insulating
  the most vital systems and then finding acceptable ways to protect the rest
  without making them useless.

2. Split up the users and resources:
- Know who is allowed to see and do particular things. This means that a system
  administrator needs to assign access by a person's job type, and may need to
  further refine those limits according to organizational separations.
Contd.
3. Assign minimum privileges:
- An individual should be assigned the minimum privileges needed to carry out
  his or her responsibilities; if a person's responsibilities change, so should
  the privileges.
- Assigning minimum privileges reduces the chance that someone from, say, the
  design team will walk out the door with all the marketing data.

4. Use independent defenses:
- Using one really good defense, such as an authentication protocol, is only good
  until someone breaches it.
- When several independent defenses are employed, an attacker must use several
  different strategies to get through them.
- Introducing this type of complexity doesn't provide 100% protection against
  attacks, but it does reduce the chances of a successful attack.
Contd.
5. Plan for failures:
- Planning for failure helps minimize its actual consequences should it occur.
- Having backup systems in place beforehand allows the organization to monitor
  security measures constantly and react quickly to a breach.
- If the breach is not serious, the organization can keep operating on the
  backup while the problem is addressed.

6. Record:
- No security system can be guaranteed never to be breached, so when a security
  breach does take place the event must be recorded.
- In fact, IT staff often record as much as they can even when a breach isn't
  happening.
- Sometimes the causes of breaches aren't apparent after the fact, so it is
  important to have data to track backwards.
- Data from breaches will eventually help to improve the system and prevent
  future attacks, even if it doesn't initially make sense.
Contd.
7. Run frequent tests:
- Hackers are constantly refining their craft, which means information security
  must evolve to keep up.
- IT professionals run tests, conduct risk assessments, reread the disaster
  recovery plan, check the business continuity plan in case of attack, and then
  do it all over again.

Balancing Information Security and Access
- It is impossible to obtain perfect security: security is a process, not an
  absolute.
- Security should be considered a balance between protection and availability.
- To achieve balance, the level of security must allow reasonable access, yet
  protect against threats.

The Security Trinity
- The three legs of the "security trinity":
  - Prevention
  - Detection
  - Response
- The security trinity should be the foundation for all security policies and
  measures that an organization develops and deploys.

Cont.
1. Prevention: the foundation of the security trinity.
- To provide some level of security, it is necessary to implement measures to
  prevent the exploitation of vulnerabilities.
- In developing network security schemes, organizations should emphasize
  preventative measures over detection and response.
- It is easier, more efficient, and much more cost-effective to prevent a
  security breach than to detect or respond to one.

2. Detection: once preventative measures are implemented, procedures need to be
put in place to detect potential problems or security breaches, in the event
that preventative measures fail.
- The sooner a problem is detected, the easier it is to correct and clean up.

Cont.
3. Response: organizations need to develop a plan that identifies the
appropriate response to a security breach.
- The plan should be in writing and should identify who is responsible for what
  actions, and the varying responses and levels of escalation.

IS Security Policy
- What is a security policy?
- Why do we need one?
- Types of security policy
- What makes a security policy effective (criteria)?
- Who is involved in policy?
- Designing a policy

What is a Security Policy?
- A policy is:
  - A plan or course of action, as of a government, political party, or
    business, intended to influence and determine decisions, actions, and other
    matters.
  - Policies are organizational laws.
- A security policy is a document, or set of documents, that states an
  organization's intentions and decisions on what electronic information should
  be secured and how.
- A statement of what is and what is not allowed.
- It is also a set of rules laid down by the security authority governing the use
  and provision of security services and facilities.

The Key Components of an Information Security Policy
- Purpose
- Scope
- Information security objectives
- Authority and access control policy
- Classification of data (high risk, confidential, public)
- Data support and operations
- Security awareness sessions
- Responsibilities, rights and duties of personnel
- Reference to relevant legislation
- Other items that it may include: virus protection procedure, intrusion
  detection procedure, remote work procedure, technical guidelines, audit,
  employee requirements, consequences for non-compliance, disciplinary actions,
  terminated employees, physical security of IT, references to supporting
  documents, and so on.
- Conclusion

Why do we need a security policy?
- It provides an inclusive framework for the selection and implementation of
  security measures.
- It is a means of communication among different stakeholders.
- Management of resources: people, skills, money, time.
- It conveys the importance of security to all members of the organization.
- It helps create a "security culture": shared beliefs and values concerning
  security.
- Legal obligation.
- It helps promote "trust relationships" between the organization and its
  business partners and clients.

Types of Security Policy
- Computer-oriented:
  - Information security policies that implement access control (discretionary
    access control, mandatory access control)
  - Operating systems
  - Networks
  - Applications
- Human-oriented:
  - Scope: department, organization
  - Applied by IS users
- Individual:
  - Application or system (e.g. email policy)
  - "Use policies"

Cont.
- Modular:
  - A comprehensive document with multiple annexes containing specific (e.g. per
    application or system) policies
  - Can be in hypertext form
- Comprehensive:
  - One document addressing all applications, processes and systems
  - Large volume, not easy to use
  - Contains high-level security guidelines

Cont.
Management defines three types of security policy:
- General or security program policy
- Issue-specific security policies
- Systems-specific security policies

General or security program policy
- A security program policy (SPP) is also known as a general security policy,
  IT security policy, or information security policy.
- It sets the strategic direction, scope, and tone for all security efforts
  within the organization.
- It is an executive-level document, usually drafted by or with the CIO of the
  organization, and is usually 2 to 10 pages long.

Issue-specific security policies (ISSP)
- As various technologies and processes are implemented, certain guidelines are
  needed to use them properly.
- The ISSP:
  - addresses specific areas of technology
  - requires frequent updates
  - contains an issue statement on the organization's position on an issue
- Three approaches:
  - Create a number of independent ISSP documents
  - Create a single comprehensive ISSP document
  - Create a modular ISSP document

ISSP Structure
- Statement of Policy
  - The policy should begin with a clear statement of purpose. The introductory
    section should outline the scope and applicability of the policy:
    - What does this policy address?
    - Who is responsible and accountable for policy implementation?
    - What technologies and issues does the policy document address?
- Authorized Access and Usage of Equipment
  - This section of the policy statement addresses who can use the technology
    governed by the policy, and what it can be used for.
  - It defines "fair and responsible use" of equipment and other organizational
    assets, and should also address key legal issues, such as protection of
    personal information and privacy.
- Prohibited Usage of Equipment
  - While the section above details what the issue or technology can be used
    for, this section outlines what it cannot be used for. Unless a particular
    use is clearly prohibited, the organization cannot penalize its employees.

Cont.
- Systems Management
  - There may be some overlap between an ISSP and a systems-specific policy, but
    this section of the policy statement focuses on the users' relationship to
    systems management.
  - It is important to identify all responsibilities delegated to both users and
    systems administrators, to avoid confusion.
- Violations of Policy
  - Once guidelines on equipment use have been outlined and responsibilities
    have been assigned, the individuals to whom the policy applies must
    understand the penalties and repercussions of violating the policy.
  - Violations of policy should carry appropriate penalties.
  - This section should also provide instructions on how individuals in the
    organization can report observed or suspected violations, either openly or
    anonymously.
- Policy Review and Modification
  - Since any document is only as good as its frequency of review, each policy
    should contain procedures and a timetable for periodic review.
- Limitations of Liability
  - The final section is a general statement of liability or set of disclaimers.
  - The policy should state that if employees violate a company policy or any
    law using company technologies, the company will not protect them and the
    company is not liable for their actions.
Systems-Specific Policy (SysSP)
- While issue-specific policies are formalized as written documents, distributed
  to users, and agreed to in writing, SysSPs are frequently codified as
  standards and procedures used when configuring or maintaining systems.
- Systems-specific policies fall into two groups:
  1) Access control lists (ACLs): the access control lists, matrices, and
     capability tables governing the rights and privileges of a particular user
     to a particular system.
  2) Configuration rules: the specific configuration codes entered into security
     systems to guide the execution of the system.

15 Must-Have Information Security Policies
- Acceptable Encryption and Key Management Policy
- Acceptable Use Policy
- Clean Desk Policy
- Data Breach Response Policy
- Disaster Recovery Plan Policy
- Personnel Security Policy
- Data Backup Policy
- User Identification, Authentication, and Authorization Policy
- Incident Response Policy
- End User Encryption Key Protection Policy
- Risk Assessment Standards and Procedures
- Remote Access Policy
- Secure Systems Management Policy
- Monitoring and Logging Policy
- Change Management Policy

What makes a security policy effective (criteria)?
- Dissemination (distribution): the organization must be able to validate that
  the policy has been made readily available for review by the employee. Common
  dissemination techniques include hard-copy and electronic distribution.
- Review (reading): the organization must be able to validate that it
  disseminated the document in an intelligible form, including versions for
  illiterate, non-English-reading and reading-impaired employees. Common
  techniques include recording the policy in English and other languages.
- Comprehension (understanding): the organization must be able to validate that
  the employee understood the requirements and content of the policy. Common
  techniques include quizzes and other assessments.

Cont.
- Compliance (agreement): the organization must be able to validate that the
  employee agrees to comply with the policy, through act or affirmation. Common
  techniques include logon banners which require a specific action (mouse click
  or keystroke) to acknowledge agreement, or a signed document clearly
  indicating that the employee has read, understood and agreed to comply with
  the policy.
- Uniform enforcement: the organization must be able to validate that the
  policy has been uniformly enforced regardless of employee status or
  assignment.

Who is involved in policy?
- Security experts
  - design, review and update the policy
- System / network administrators
  - implement security controls and guidelines
- Management
  - set security goals
  - provide resources
- Users
  - follow security procedures
- Auditors
  - monitor compliance

Designing a Security Policy
- Economy of mechanism: the design of security measures should be as simple as
  possible.
  - Simpler to implement and to verify
  - Fewer vulnerabilities
- Fail-safe default: access decisions should be based on permissions rather
  than exclusions; i.e., the default is lack of access.
- Complete mediation: every access should be checked against the access control
  system, with no cached or remembered decision bypassing the check.
- Open design: the design should be open rather than secret (e.g., encryption
  algorithms); security should depend on the secrecy of keys, not of the
  mechanism.

Cont.
- Isolation
  - Public access should be isolated from critical resources (no connection
    between public and critical information).
  - Users' files should be isolated from one another (except when sharing is
    desired).
  - Security mechanisms should be isolated (i.e., preventing access to the
    mechanisms themselves).
- Encapsulation: similar to the object-oriented concept (hide internal
  structures).
- Modularity: modular structure.
- Least common mechanism: a design should minimize the functions shared by
  different users, providing mutual security; this reduces the number of
  unintended communication paths between users and the amount of hardware and
  software on which all users depend.

Cont.
- Layering (defense in depth): use of multiple, overlapping protection
  approaches.
- Least astonishment: a program or interface should always respond in the way
  that is least likely to astonish a user.
- Separation of privilege: multiple privileges (or multiple parties) should be
  needed to achieve access or complete a task.
- Least privilege: every user (or process) should have the least privilege
  needed to perform its task.
- Psychological acceptability: security mechanisms should not interfere unduly
  with the work of users.

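Several of the slides above (splitting up users and resources, assigning minimum privileges, the ACLs and capability tables of a systems-specific policy, and the fail-safe default, complete mediation, separation of privilege and least privilege principles) describe one mechanism from different angles. The following is an added example, not from the original slides: an access-control matrix with deny-by-default lookups, a two-person rule for a destructive right, and role assignment that replaces a subject's row instead of adding to it. The role names, subjects and objects are constructed for the example.

```python
from collections import defaultdict


class AccessControlMatrix:
    """Subjects are rows, objects are columns, each cell holds a set of rights.
    A right that is not explicitly present in a cell is denied (fail-safe default)."""

    def __init__(self):
        self._cells = defaultdict(set)   # (subject, object) -> {rights}
        self._two_person = set()         # (object, right) pairs needing two holders

    def grant(self, subject, obj, *rights):
        self._cells[(subject, obj)].update(rights)

    def clear_subject(self, subject):
        """Drop every right a subject holds (used when responsibilities change)."""
        for key in [k for k in self._cells if k[0] == subject]:
            del self._cells[key]

    def require_two_person(self, obj, right):
        """Separation of privilege: this right needs two distinct holders."""
        self._two_person.add((obj, right))

    def authorize(self, subjects, obj, right):
        """Complete mediation: every access request is answered here.
        `subjects` are the principals jointly requesting the operation."""
        holders = {s for s in subjects if right in self._cells.get((s, obj), ())}
        if (obj, right) in self._two_person:
            return len(holders) >= 2
        return len(holders) >= 1

    def check(self, subject, obj, right):
        return self.authorize({subject}, obj, right)

    def acl(self, obj):
        """Column view: the ACL of one object."""
        return {s: set(r) for (s, o), r in self._cells.items() if o == obj and r}

    def capabilities(self, subject):
        """Row view: the capability list of one subject."""
        return {o: set(r) for (s, o), r in self._cells.items() if s == subject and r}


# Constructed roles: one role per job type, as the slides suggest (assumption).
ROLE_RIGHTS = {
    "marketing":   {"marketing-db": {"read", "write"}},
    "design":      {"design-repo": {"read", "write"}},
    "design-lead": {"design-repo": {"read", "write", "delete"}},
}


def assign_role(acm, subject, role):
    """Replace the subject's whole row with the role's rights, so a transfer
    never accumulates privileges left over from an old job."""
    acm.clear_subject(subject)
    for obj, rights in ROLE_RIGHTS[role].items():
        acm.grant(subject, obj, *rights)


def demo():
    acm = AccessControlMatrix()
    assign_role(acm, "alice", "marketing")
    assign_role(acm, "bob", "design")
    assign_role(acm, "carol", "design-lead")
    assign_role(acm, "erin", "design-lead")
    acm.require_two_person("design-repo", "delete")

    results = {
        "alice_reads_marketing": acm.check("alice", "marketing-db", "read"),
        "bob_reads_marketing": acm.check("bob", "marketing-db", "read"),   # never granted
        "bob_reads_unknown": acm.check("bob", "payroll-db", "read"),       # object not in matrix
        "carol_deletes_alone": acm.check("carol", "design-repo", "delete"),
        "carol_and_bob_delete": acm.authorize({"carol", "bob"}, "design-repo", "delete"),
        "carol_and_erin_delete": acm.authorize({"carol", "erin"}, "design-repo", "delete"),
    }
    assign_role(acm, "bob", "marketing")   # bob transfers from design to marketing
    results["bob_after_transfer"] = (
        acm.check("bob", "marketing-db", "read"),
        acm.check("bob", "design-repo", "read"),
    )
    results["design_repo_acl"] = acm.acl("design-repo")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-24s %s" % (name, value))
```

The matrix is the same data seen two ways: `acl()` is the per-object column a systems-specific policy would publish, `capabilities()` the per-subject row. Nothing is ever answered "allow" by omission, which is what makes the unknown-object and never-granted cases safe.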
Approaches to Information Security Implementation
- Two types of implementation:
  - bottom-up
  - top-down
Bottom-Up Approach to Security Implementation
- Security can begin as a grass-roots effort when systems administrators attempt
  to improve the security of their systems. This is referred to as the bottom-up
  approach.
- The key advantage of the bottom-up approach is the technical expertise of the
  individual administrators.
- Unfortunately, this approach seldom works, as it lacks a number of critical
  features, such as participant support and organizational staying power.

Cont.
Top-Down Approach to Security Implementation
- An alternative approach, which has a higher probability of success, is the
  top-down approach. The project is initiated by upper management, who issue
  policy, procedures and processes, dictate the goals and expected outcomes of
  the project, and determine who is accountable for each of the required
  actions.
- The top-down approach has strong upper-management support, a dedicated
  champion, dedicated funding, clear planning and the opportunity to influence
  organizational culture.
- The most successful top-down approach also involves a formal development
  strategy referred to as a systems development life cycle (SDLC).

General information security services
- Authentication: the assurance that the communicating entity is the one that
  it claims to be.
- Access control: the prevention of unauthorized use of a resource (i.e., this
  service controls who can have access to a resource, under what conditions
  access can occur, and what those accessing the resource are allowed to do).
- Data confidentiality: the protection of data from unauthorized disclosure.
- Data integrity: the assurance that data received are exactly as sent by an
  authorized entity (i.e., contain no modification, insertion, deletion, or
  replay).
- Non-repudiation: provides protection against denial by one of the entities
  involved in a communication of having participated in all or part of the
  communication.
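The data-integrity service defined above is specific: no modification, insertion, deletion or replay. Here is an added example, not from the original slides, of a sender and receiver that provide it over a shared key by covering a sequence number and the payload with an HMAC (Python's standard-library hmac, hashlib and struct). The session key and the messages are constructed for the example.

```python
import hashlib
import hmac
import struct

SEQ_LEN = 8    # big-endian 64-bit sequence number
TAG_LEN = 32   # HMAC-SHA256 output length


class Sender:
    """Prepends a sequence number and appends an HMAC over (seq || payload)."""

    def __init__(self, key):
        self.key = key
        self.next_seq = 0

    def send(self, payload):
        header = struct.pack(">Q", self.next_seq)
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        self.next_seq += 1
        return header + payload + tag


class Receiver:
    """Accepts a frame only if the MAC verifies and the sequence number is the
    one expected. Returns (status, detail, payload_or_None)."""

    def __init__(self, key):
        self.key = key
        self.expected_seq = 0

    def receive(self, frame):
        if len(frame) < SEQ_LEN + TAG_LEN:
            return ("reject", "malformed frame", None)
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        # Verify the MAC before trusting anything in the frame, including seq.
        expected_tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected_tag):
            return ("reject", "MAC mismatch: modified or forged", None)
        (seq,) = struct.unpack(">Q", header)
        if seq < self.expected_seq:
            return ("reject", "replay of seq %d" % seq, None)   # insertion of an old frame
        status, detail = "accept", "seq %d" % seq
        if seq > self.expected_seq:
            # Authentic but out of order: the frames in between were lost or deleted.
            status = "gap"
            detail = "%d frame(s) missing before seq %d" % (seq - self.expected_seq, seq)
        self.expected_seq = seq + 1
        return (status, detail, payload)


def demo():
    key = b"shared-session-key"  # assumption: agreed out of band by both ends
    sender, receiver = Sender(key), Receiver(key)
    frames = [sender.send(m) for m in
              (b"transfer 10", b"transfer 20", b"transfer 30", b"transfer 40")]

    results = {}
    results["first"] = receiver.receive(frames[0])[0]

    tampered = bytearray(frames[1])
    tampered[SEQ_LEN + len(b"transfer ")] = ord("9")   # "transfer 20" -> "transfer 90"
    results["modified"] = receiver.receive(bytes(tampered))[0]

    results["second"] = receiver.receive(frames[1])[0]  # the genuine frame still works
    results["replay"] = receiver.receive(frames[1])[0]  # same frame delivered again
    results["gap"] = receiver.receive(frames[3])[0]     # frames[2] never delivered
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print("%-9s %s" % (name, status))
```

Because both ends hold the same key, either of them could have produced a valid tag, so this gives integrity and peer authentication but not non-repudiation; that last service needs a digital signature made with a private key only the sender holds. The sequence counters must also survive restarts or be reset together with a fresh key, otherwise a recorded frame with seq 0 becomes a valid replay against a restarted receiver.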