
INFORMATION SYSTEMS

SECURITY AND CRYPTOGRAPHY


Lecturer: Mr Oguna
Course Outline
• Lecture 1: Introduction to information systems security, and
terminologies
• Lecture 2: Threats to information systems and computer security
• Lecture 3: Information Systems Access Control
• Lecture 4: Security Architecture and Design
• Lecture 5: Network and telecommunications
• Lecture 6: Cryptography
• Lecture 7: Risk management and ethics
• Lecture 8: Information Security classification and program
development
• Lecture 9: Application security
• Lecture 10: Physical security
• Lecture 11: Business Continuity Planning
• Lecture 12: Business continuity and disaster recovery planning
• Lecture 13:Legal, Regulations, Compliance and Investigations
LECTURE ONE: INTRODUCTION TO INFORMATION
SYSTEMS SECURITY, AND TERMINOLOGIES

Cheswick and Bellovin (1994) define computer security to be

"Keeping anyone from doing things you do not want them to do to, with, on,
or from your computers or any peripheral devices".

Using this definition, computers are seen to be targets that can be attacked ("do
to"), or tools that can be used ("do . . . with, on, or from"). From this
perspective, computer security is distinguished from information security.

"Computer security is not a goal, it is a means toward a goal: information
security".
1.2 Lecture objectives:

At the end of the lecture you should be able to:

• Define key information security terminologies
• Outline the importance of information security
• Distinguish the components that make up any computer network
• Describe the benefits of networking
1.4 Definitions
• Computer Systems: This refers to the entire spectrum of information technology, including
application and support systems.
• Computer Security: The protection afforded to an automated information system in order
to attain the applicable objectives of preserving the integrity, availability and confidentiality
of information system resources (includes hardware, software, firmware, information/data,
and telecommunications).
• Security system: a set of things put in place or done to prevent negative consequences
• Safety: Protecting assets from accidents
• Security: Protecting assets from intentional actions.
• Access control: Ensuring that users access only those resources and services that they are
entitled to access and that qualified users are not denied access to services that they
legitimately expect to receive.
• Nonrepudiation: Ensuring that the originators of messages cannot deny that they in
fact sent the messages.
• Authentication: Ensuring that users are the persons they claim to be.
• Privacy: Ensuring that individuals maintain the right to control what information is
collected about them, how it is used, who has used it, who maintains it, and what purpose
it is used for
• Assets: These are objects of attacks, small (your wallet) or large (national infrastructure).
• Threat: potential occurrence that can have an undesired effect on the system
• Vulnerability: characteristics of the system that make it possible for a threat to potentially
occur
• Risk: measure of the possibility of security breaches and severity of the damage
• Attack: This refers to action of malicious intruder that exploits vulnerabilities of the system
to cause damage or loss. It can also be interpreted as intentional unwarranted actions, or a
specific way to attempt to break a security system.
• Attacker: A person or system that performs intentional & unwarranted actions. Note that
attackers can be good guys or bad (police or criminals).
• Countermeasures: These refer to individual, discrete, & independent security components
which together make up a security system.
1.5 The Importance of Information Security
• To protect an organization's valuable resources, such as information,
hardware, and software.
• Through the selection and application of appropriate safeguards,
security helps the organization's mission by protecting:
• its physical and financial resources,
• reputation,
• legal position,
• employees,
• and other tangible and intangible assets.
Management's responsibilities
1. Know what general level or type of security is employed on the
external system
2. Seek assurance that the external system provides adequate security
for the organization's needs
3. Understand that security measures can sometimes affect system
performance, employee morale, or retraining requirements.

All of these have to be considered in addition to the basic cost of the
control itself.
1.6 Principles of Information Security

• 1.6.1 Confidentiality
Confidentiality is the concealment of information or resources. The
need for keeping information secret arises from the use of computers
in sensitive fields such as government and industry.
Access control mechanisms support confidentiality. One access control
mechanism for preserving confidentiality is cryptography, which
scrambles data to make it incomprehensible. A cryptographic key
controls access to the unscrambled data, but then the cryptographic
key itself becomes another datum to be protected.
Resource hiding is another important aspect of confidentiality.
• 1.6.2 Integrity
Integrity refers to the trustworthiness of data or resources, and it is
usually phrased in terms of preventing improper or unauthorized
change. Integrity includes data integrity - the content of the
information - and origin integrity - the source of the data, often called
authentication.
The source of the information may bear on its accuracy and credibility
and on the trust that people place in the information.
Integrity mechanisms
• Prevention mechanisms seek to maintain the integrity of the data by
blocking any unauthorized attempts to change the data or any
attempts to change the data in unauthorized ways.
• Detection mechanisms do not try to prevent violations of integrity;
they simply report that the data’s integrity is no longer trustworthy.
Detection mechanisms may analyze system events (user or system
actions) to detect problems or (more commonly) may analyze the
data itself to see if required or expected constraints still hold.
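
A detection mechanism of the second kind (analysing the data itself), as an added example that is not part of the original lecture. It contrasts an unkeyed digest (data integrity) with a keyed MAC (origin integrity); the record names, contents and key are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: records whose integrity we want to monitor.
RECORDS = {
    "payroll.csv": b"alice,5000\nbob,4200\n",
    "policy.txt": b"Backups run nightly at 02:00.\n",
}
# Constructed key; in practice it is itself a datum that must be protected.
KEY = b"constructed-demo-key-not-for-real-use"


def digest_baseline(records):
    """Data integrity: unkeyed SHA-256 of each record's content."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in records.items()}


def mac_baseline(records, key):
    """Origin integrity: HMAC-SHA256 binds each record to the key holder."""
    return {name: hmac.new(key, name.encode() + b"\0" + data, hashlib.sha256).hexdigest()
            for name, data in records.items()}


def detect_changes(records, baseline, key=None):
    """Report (not prevent) violations: return sorted names that fail the check."""
    current = mac_baseline(records, key) if key is not None else digest_baseline(records)
    failed = [name for name in baseline
              if name not in current or not hmac.compare_digest(current[name], baseline[name])]
    failed += [name for name in current if name not in baseline]  # unexpected new record
    return sorted(failed)


def demo():
    digests, macs = digest_baseline(RECORDS), mac_baseline(RECORDS, KEY)
    # Case 1: content is altered but the stored baselines are untouched.
    tampered = {**RECORDS, "payroll.csv": b"alice,5000\nbob,9900\n"}
    case1 = (detect_changes(tampered, digests), detect_changes(tampered, macs, KEY))
    # Case 2: the baselines were rewritten too, by someone who lacks the key.
    forged_digests = digest_baseline(tampered)
    forged_macs = mac_baseline(tampered, b"guessed-key")
    case2 = (detect_changes(tampered, forged_digests),
             detect_changes(tampered, forged_macs, KEY))
    return case1, case2


if __name__ == "__main__":
    print(demo())
```

In the second case the unkeyed check reports nothing, while the keyed check flags every record, which is why the key (and the baseline) must be stored out of reach of whoever can change the data.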
• 1.6.3 Availability
Availability refers to the ability to use the information or resource
desired. Availability is an important aspect of reliability as well as of the
system design because an unavailable system is at least as bad as no
system at all. The aspect of availability that is relevant to security is that
someone may deliberately arrange to deny access to data or to a service
by making it unavailable.
Attempts to block availability (name this type of attack) can be the most
difficult to detect, because the analyst must determine if the unusual
access patterns are attributable to deliberate manipulation of resources
or of environment.
Computer security is not restricted to these three broad concepts. Additional ideas
that are often considered part of the taxonomy of computer security include:

• Access control -- Ensuring that users access only those resources and
services that they are entitled to access and that qualified users are not
denied access to services that they legitimately expect to receive.
• Nonrepudiation -- Ensuring that the originators of messages cannot deny
that they in fact sent the messages.
• Authentication -- Ensuring that users are the persons they claim to be.
• Privacy -- Ensuring that individuals maintain the right to control what
information is collected about them, how it is used, who has used it, who
maintains it, and what purpose it is used for.
Note:
• Privacy is a property of individuals;
• confidentiality is a property of data; and
• security is a property assigned to computer hardware and software
systems.

From a practical perspective, the concepts are interwoven. A system
that does not maintain data confidentiality or individual privacy could
be theoretically or even mathematically "secure," but it probably
wouldn't be wise to deploy anywhere in the real world.
1.7 Goals of Security
• 1.7.1 Prevention
• Prevention means that an attack will fail. For example, if one attempts to break into a
host over the Internet and that host is not connected to the Internet, the attack has
been prevented. Simple preventative mechanisms, such as passwords (which aim to
prevent unauthorized users from accessing the system), have become widely accepted.
• 1.7.2 Detection
• Detection mechanisms accept that an attack will occur; the goal is to determine that
an attack is underway, or has occurred, and report it. The attack may be monitored,
however, to provide data about its nature, severity and results.
• 1.7.3 Recovery
• Recovery has two forms: The first is to stop an attack and to assess and repair any
damage caused by that attack, e.g. recover a deleted file. In some cases, retaliation (by
attacking the attacker’s system or taking legal steps to hold the attacker accountable) is
part of recovery. In a second form of recovery, the system continues to function
correctly while an attack is underway. It draws on the techniques of fault tolerance as
well as techniques of security and is typically used in safety-critical systems.
1.8 Activities

Using your general knowledge attempt the following questions:

A graduate student accidentally releases a program that spreads from computer
system to computer system. It deletes no files but requires much time to implement
the necessary defenses. The graduate student is convicted. Despite demands that he
be sent to prison for the maximum time possible (to make an example of him), the
judge sentences him to pay a fine and perform community service.

• What factors do you believe caused the judge to hand down the sentence he did?
• What would you have done were you the judge, and
• What extra information would you have needed to make your decision?
1.9 Self-Test Questions

a) A respected computer scientist has said that no computer can ever
be made perfectly secure. Why might she have said this?

b) For each of the following statements, give an example of a situation
in which the statement is true:
a) Prevention is more important than detection and recovery.
b) Detection is more important than prevention and recovery.
c) Recovery is more important than prevention and detection.
1.10 Summary

• In this lecture, you have learnt:

• The basic terminologies relating to information security.

• The importance of information security

• The goals and principles of information security


1.11 Suggestion for further reading

• Charles P. Pfleeger, Security in Computing, Prentice Hall, 3rd Edition.

• William Stallings, Cryptography & Network Security: Principles and
Practice, Prentice Hall, 3rd Edition.

• Bruce Schneier, Beyond Fear.
