3 Module 1

Information security professionals use various tools and techniques to protect organizations from cyber threats and information theft. They work to ensure the confidentiality, integrity and availability of data. Some of their key responsibilities include risk management, security testing, incident response, privacy protection, network security, and forensic investigation. The overall goal is to safeguard information assets and restore normal operations if security breaches occur.

Uploaded by

Divyesh yadav

Module 1
Fundamentals: Information Security and Threats

Introduction to Information Security - Information Assets & Threats - Common Vulnerabilities and Exposures (CVE) - Elements of Information Security - Principles and Concepts - Data Security - Types of Controls


IT – BPM

• Plays a major role in the Indian socio-economic status

• Leads to mass investments and increases the GDP of the nation

• The industry has doubled its revenue in recent decades by enabling entrepreneurial ventures
CLASSIFICATION

Influencing factors

• Sector the organisation is serving

• Type as well as range of offering the organisation provides

• Geographic spread of operations

• Revenues and size of operations


ORGANISATIONS

• Multi-national Companies (MNCs)

• Indian Service Providers (ISPs)

• Global In-house Centres (GICs)
Multi-national Companies (MNCs):

• Headquartered outside India but operate in multiple locations worldwide, including locations in India.

• They cater to external clients (domestic and/or global).

Indian Service Providers (ISPs):

• Headquartered in India, with offices at many international locations.

• Most have a client base that is global as well as domestic; some have focused on serving only Indian clients.

Global In-house Centres (GICs):

• Serve the needs of their parent company only and do not serve external clients.

• This model gives the organisation the option to keep IT operations in-house while at the same time expanding its global footprint and creating opportunities for innovation in a cost-effective manner.
Sub-Sectors within the IT-BPM Industry

IT Services (ITS)
 Custom Application Development (CAD)
 Hardware Deployment and Support
 Software Deployment and Support
 IT Consulting
 System Integration
 Information Systems Outsourcing
 Software Testing
 Network Consultation and Integration
 Education and Training

Business Process Management (BPM)
 Customer Interaction and Support (CIS)
 Finance and Accounting (F&A)
 Human Resource Management (HRM)
 Knowledge Services
 Procurement and Logistics

Engineering and R&D (ER&D) and Software Products (SPD)
 Embedded Services
 Product Development
 Engineering Services
IT SERVICES

• Number of people directly employed in the ITS sub-sector: 1.5 million

• Growth in IT service exports in FY 2014: >14%

• Number of organisations in the ITS sub-sector: 1600

• India’s position in the global IT landscape: 1

• Total ITS sub-sector export revenues in FY 2014: USD 52 billion

• Total contribution of the ITS sub-sector to industry exports: 60%

• Growth of the ITS sub-sector in INR terms in the domestic market in FY 2014: 9.7%
PROFILE OF THE IT SERVICES SUB-SECTOR

Vertical Profile:

 BFSI is the largest driver in this space, claiming half of the entire IT Services export.

 Other industry verticals like Healthcare, Retail and Media have started making big investments in IT services and are turning into key verticals for the IT Services sub-sector.
TRENDS IN IT SERVICES

(Chart: share of IT services by type, with the segments project oriented, outsourcing, and support and training; the values shown are 44%, 49% and 6%.)
Trends in IT

• Movement up the value chain: building end-to-end capabilities in core verticals by adding higher-end services such as consulting.

• New delivery channels driving growth: adopting and becoming leaders in cloud computing, mobile applications, social media and analytics.

• Continued locational advantage: movement to tier II cities to maintain cost advantages.

• Increased penetration as well as spread in industry verticals: becoming a one-stop destination for clients (adding BPM and consulting) and adding expertise in new industry verticals.

• New service offerings: growth in RIM and information security.


INFORMATION SECURITY

• Protects information from unauthorised access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

• The core function is to ensure the confidentiality, integrity and availability of data to the ‘right’ users within/outside of the organisation.

• Application Security roles are responsible for ensuring the stable and secure functioning of applications by knowing the threats, securing the network, host and application, and incorporating security into the software development process.
RISK

• Risk Management roles are responsible for assessing, measuring and managing the security risks to the information security of an organisation.

Audit

• Audit roles conduct assessments for security threats and vulnerabilities, determine deviations from acceptable pre-defined configurations and from enterprise or local policy, assess the level of risk, and develop and/or recommend appropriate mitigation countermeasures in operational and non-operational situations.

Compliance

• Key responsibilities also include measuring the maturity of an organisation to ensure that proper security controls are incorporated when developing and running information-security systems. These roles also perform scheduled/unscheduled audits of the organisation’s security systems and processes and ensure compliance.
Security Testing
• Security Testing involves devising testing standards and test cases for the confidentiality, integrity, authentication, availability, authorisation and non-repudiation of information.
• Security Testing professionals perform scheduled and ad hoc tests to assess the vulnerability and/or safety of an organisation’s information systems.
Incident Management
• Incident Management roles work towards restoring normal service operations in an organisation to minimise the adverse effect on business operations, thus ensuring that the best possible level of service quality and availability is maintained.
• Incident management professionals manage and protect computer assets, networks and information systems to answer the key question “what to do when things go wrong”.
• Business Continuity Management/Disaster Recovery (BCP/DR): BCP/DR roles are responsible for improving system availability and integrating IT operational risk management strategies for an organisation. Their work covers:
• Development, implementation, testing and maintenance of the business continuity management plan
• Recommendation and proof of concept for recovery options
• Assessments and audits for BCP/DR

Network Security
• Network Security roles are responsible for defining and implementing overall network security, which includes baseline configuration, change control, security standards and process implementation.
Privacy
• Privacy roles are responsible for defining and managing data/information/IP policies etc. for an organisation. These roles require knowledge of information security norms and of data privacy norms and regulations.
• Privacy professionals help define and implement privacy standards and build privacy awareness to protect an organisation’s information assets.
Note on Information Security occupations:
Information Security related job roles may be performed in any of the following setups:
• Consulting
• Managed Services
• Internal function within the organisation
• In each of these set-ups the essential functions and the highlighted tracks remain the same; however, the delivery style, and hence the skills, vary slightly depending upon the set-up.
IT Forensics
• IT Forensics roles involve collecting, processing, preserving, analysing and presenting computer-related evidence in support of network vulnerability mitigation and/or criminal, fraud, counter-intelligence or law-enforcement investigations.
Information Security
• Information security professionals protect private as well as government organisations from information theft and cyber attacks by hackers, using security tools and techniques.

• Security analysts are responsible for keeping information safe from data breaches and for keeping track, with specialised software, of who can access and who has accessed data.

• An entry-level analyst may operate the software to monitor and analyse information.
• At senior-level positions, one may carry out investigative work to determine whether a security breach has occurred.

• At higher levels, people design systems and architecture to address these vulnerabilities.
Security analyst’s attention is on

Risk Assessment, Vulnerability Assessment and Defense Planning

Role of a security analyst in information technology

• Protect information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

• Perform investigations to determine whether or not data has been compromised, the extent of the compromise and the related vulnerabilities.

• Ensure the confidentiality, integrity and availability of data to the 'right' users within/outside of the organization.

• Risk assessment

• Vulnerability assessment

• Defense planning
Major Skills of Security Analyst
 Understanding security policy
 Data & Traffic Analysis
 Identifying Security Events –> How & when to alarm
 Incident Response
Foundation and Background
 Network infrastructure knowledge
 Diverse device configuration ability
 Security configuration knowledge
 Data management & teamwork
Challenges for Security Analyst
 Not tied to a product or solution
 Complex knowledge: no single process or product solution is the correct one
 A diverse set of skills is needed
INFORMATION ASSETS & THREATS

Security concerning IT and information is normally categorised in three categories to facilitate the management of information.

Confidentiality: prevention of unauthorised disclosure or use of information assets.

Integrity: prevention of unauthorised modification of information assets.

Availability: ensuring authorised access to information assets when required, for the duration required.
THREATS TO INFORMATION ASSETS

• Risk is the potential threat to an information asset; the process of understanding and responding to factors that may lead to a failure in the confidentiality, integrity or availability of an information system constitutes risk management.

• The key concerns in information asset security are:

• theft

• fraud/forgery

• unauthorised information access

• interception or modification of data, and

• data management systems

VULNERABILITIES

• A vulnerability is a weakness in an information system, system security procedures, internal controls or implementation that could be exploited or triggered by a threat source.

• ‘Threat agent’ or ‘threat actor’ refers to the intent and method targeted at the intentional exploitation of a vulnerability, or to a situation and method that may accidentally trigger the vulnerability.

• A ‘threat vector’ is a path or a tool that a threat actor uses to attack the target.

• ‘Threat targets’ are anything of value to the threat actor, such as a PC, laptop, PDA, tablet, mobile phone, online bank account or identity.
THREAT CLASSIFICATION

Microsoft has proposed a threat classification called STRIDE from the initials of threat categories:

• Spoofing of user identity

• Tampering

• Repudiation

• Information disclosure (privacy breach or data leak)

• Denial of Service (D.o.S.)

• Elevation of privilege
THREAT AGENTS CLASSIFICATION
• Non-target specific: non-target-specific threat agents are computer viruses, worms, Trojans and logic bombs.

• Employees: staff, contractors, operational/maintenance personnel or security guards who are annoyed with the company.

• Organised crime and criminals: criminals target information that is of value to them, such as bank accounts, credit cards or intellectual property that can be converted into money. Criminals will often make use of insiders to help them.

• Corporations: corporations engaged in offensive information warfare or competitive intelligence. Partners and competitors come under this category.

• Unintentional human error: accidents, carelessness etc.

• Intentional human error: insider, outsider etc.

• Natural: flood, fire, lightning, meteor, earthquakes etc.


Taxonomy of malicious programs or software threats

Malicious programs / software threats
• Needs host program: trapdoors, logic bombs, Trojan horses, viruses
• Independent: worms, zombies
TYPES OF SECURITY ATTACKS

• VIRUS
• WORM
• TROJAN
VIRUS

• A virus is a malicious program able to inject its code into other programs/applications or data files; the targeted areas become "infected".
• Installation of a virus is done without the user's consent, and it spreads in the form of executable code transferred from one host to another.
Types of viruses include
 Resident virus: embeds itself in the memory of the target host. In this way it becomes activated every time the OS starts or executes a specific action.

 Non-resident virus: actively seeks targets for infection on local, removable or network locations. After infecting them it exits.

 Boot sector virus: infects the storage device’s master boot record (MBR).

 Macro virus: a virus written in a macro language, embedded in Word, Excel, Outlook etc. documents.

 File-infecting virus (file infector): when the infected file is executed, the virus seeks out other files on the host and infects them with malicious code.

 Polymorphic virus: affects data types and functions; a self-encrypting virus that changes its appearance to avoid detection.
Types of viruses include
 Metamorphic virus: capable of changing its own code with each infection.

 Stealth virus: a memory-resident virus that uses various mechanisms to avoid detection.

 Companion virus: does not modify any files; instead it creates a copy of the file and gives it a different extension, usually .com.

 Cavity virus: uses the empty spaces within the program file itself. This way the length of the program code is not changed and the virus can more easily avoid detection.
WORM

• A worm is a category of malicious program that exploits operating system vulnerabilities to spread itself.

• In its design a worm is quite similar to a virus; it is even considered a sub-class of virus.

• Unlike viruses, though, worms can reproduce/duplicate and spread by themselves.
WORM (Continued..)
Types of Worms

The most common categorisation of worms relies on the method by which they spread:

Email worms:

 spread through email messages, especially through those with attachments.

Internet worms:

 spread directly over the internet by exploiting access to open ports or system vulnerabilities.

Network worms:

 spread over open and unprotected network shares.

Multi-vector worms:

 have two or more different spread capabilities.

TROJAN

• Computer Trojans or Trojan Horses are named after the mythological Trojan horse owing to the similarity in their operating strategy.

• Trojans are a type of malware that masquerades as a non-malicious, even useful, application but actually does damage to the host computer after its installation.

• Unlike viruses, Trojans do not self-replicate unless the end user intervenes to install them.
Types of Trojan
• Remote Access Trojan (RAT), aka Backdoor Trojan

• Trojan-DDoS – creates a zombie network that can be used in a DDoS attack

• Trojan-Proxy – hijacks the host computer and turns it into a proxy server

• Trojan-FTP

• Destructive Trojan – behaves like a virus

• Security Software Disabler Trojan – disables antivirus; an entry-level Trojan

• Info Stealer (Data Sending/Stealing Trojan) – logs keystrokes, takes screenshots and webcam images, and monitors internet activity

• Keylogger Trojan – records every keystroke of the end user

• Trojan-PSW (Password Stealer) – steals passwords

Types of Trojan
• Trojan-Banker – steals online banking information

• Trojan-IM etc. – steals data from messengers like Skype

• Trojan Game Thief – steals information about online gaming accounts

• Trojan Mail Finder – harvests any emails found on the infected computer

• Trojan Dropper – carries different types of standalone malware (Trojans, worms and backdoors) in compressed form

• Trojan Downloader – downloads other malicious programs to the target computer

• Trojan FakeAV – misrepresents the security status of the computer

• Trojan Arcbomb – floods the disk with a large amount of empty data

• Trojan Clicker – boosts the visit counters of websites

• Cryptolock Trojan – encrypts and locks individual files

• Trojan Spy – tracks data via keystrokes, collects screenshots, lists active processes/services on the host or steals passwords
Other security threats
Malware

• Malware refers to software such as viruses, spyware, adware, worms, Trojans, ransomware etc.

• They are designed to cause damage to a targeted computer or to cause a certain degree of operational disruption.

Rootkit

• A rootkit is malicious software designed to hide certain processes or programs from detection.

• It usually acquires and maintains privileged system access while hiding its presence at the same time.

• It acts as a conduit by providing the attacker with a backdoor to a system.

Other security threats (Continued…)
Spyware

• Spyware is software that monitors and collects information about a particular user, computer or organisation without the user’s knowledge.

• There are different types of spyware, namely system monitors, Trojans (keyloggers, banker Trojans, infostealers), adware, tracking cookies etc.

Tracking cookies

• Tracking cookies are a specific type of cookie that is distributed, shared and read across two or more unrelated websites for the purpose of gathering information or potentially to present.
Other security threats (Continued…)

Riskware

• Riskware is a term used to describe potentially dangerous software whose installation may pose a risk to the computer.

Adware

• Adware, in general terms, is software generating or displaying certain advertisements to the user.

• This kind of adware is very common in freeware and shareware software and can analyse the end user's internet habits and then tailor the advertisements directly to the user's interests.
Other security threats (Continued…)
Creepware

• Creepware is a term used to describe activities like spying on others through webcams (very often combined with capturing pictures), tracking the online activities of others, listening to conversations over the computer's microphone, and stealing passwords and other data.

Blended threat

• A blended threat is an exploit that combines elements of multiple types of malware components.

• The use of multiple attack vectors and payload types aims to increase the severity of the damage caused as well as the speed of spreading.
NETWORK ATTACKS

A network attack is usually defined as an intrusion on the network infrastructure that first analyses the environment and collects information in order to exploit existing open ports or vulnerabilities. This may include unauthorised access to organisation resources.

NETWORK ATTACKS (Continued..)

Characteristics of network attacks:

• Passive attacks: attacks whose purpose is only to learn and get some information from the system; the system resources are not altered or disabled in any way.
• Active attacks: in this type of network attack the perpetrator accesses and either alters, disables or destroys resources or data.
• Outside attack: when an attack is performed from outside the organisation by an unauthorised entity it is said to be an outside attack.
• Inside attack: if an attack is performed from within the company by an "insider" who already has certain access to the network, it is considered an inside attack.
• Others, such as attacks targeted at end users (like phishing or social engineering): these attacks are not directly referred to as network attacks, but are important to know about due to their widespread occurrence.
What types of attack are there?

• Social engineering attack
• Phishing attack
• Spear phishing attack
• Social phishing
• Watering hole attack
• Whaling
• Vishing (voice phishing or VoIP phishing)
• Network sniffing
• Port scanning
• Spoofing
• DoS attack & DDoS attack
• Buffer overflow attack
• Botnet
• Man-in-the-middle attack
• ICMP smurf denial of service
• Session hijacking attack
• SQL injection attack
• Cross-site scripting attack (XSS attack)
• Bluetooth related attacks
SPOOFING
Spoofing is a technique used to masquerade a person, program or address as another by falsifying data, with the purpose of gaining unauthorised access.

A few of the common spoofing types include:

• IP address spoofing – the process of creating IP packets with a forged source IP address to impersonate a legitimate system. This kind of spoofing is often used in DoS attacks (Smurf attack).

• ARP spoofing (ARP poisoning) – the process of sending fake ARP messages on the network.

• The purpose of this spoofing is to associate the attacker's MAC address with the IP address of another legitimate host, causing traffic to be redirected to the attacker's host.

• This kind of spoofing is often used in man-in-the-middle attacks.

SPOOFING (Continued…)

• DNS spoofing (DNS cache poisoning) – an attack where wrong data is inserted into a DNS server's cache, causing the DNS server to divert traffic by returning wrong IP addresses as results for client queries.

• Email spoofing – the process of faking the email's sender "From" field in order to hide the real origin of the email. This type of spoofing is often used in spam mail or during a phishing attack.

• Search engine poisoning – attackers take advantage of high-profile news items or popular events that may be of specific interest to a certain group of people in order to spread malware and viruses.
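As an added example (not part of the original slides), the following Python script shows the defender's side of ARP spoofing: a passive monitor that parses ARP replies from a constructed log and raises an alert whenever an IP address is announced with a MAC address that contradicts either a trusted static table (such as the gateway's known address) or the binding first seen in the capture. The log lines, the log format and the function names are assumptions made for this example.

```python
import re

# Constructed sample of ARP replies in a hypothetical passive-monitor log
# format ("<time> reply <ip> is-at <mac>"); not taken from the page.
# The gateway 192.168.1.1 is announced with a second MAC from 10:00:09 on.
ARP_LOG = """\
10:00:01 reply 192.168.1.1 is-at aa:bb:cc:dd:ee:01
10:00:02 reply 192.168.1.20 is-at aa:bb:cc:dd:ee:20
10:00:03 reply 192.168.1.1 is-at aa:bb:cc:dd:ee:01
10:00:09 reply 192.168.1.1 is-at de:ad:be:ef:00:99
10:00:10 reply 192.168.1.30 is-at aa:bb:cc:dd:ee:30
10:00:11 reply 192.168.1.1 is-at DE:AD:BE:EF:00:99
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})$"
)


def parse_arp_log(text):
    """Yield (timestamp, ip, mac) for every well-formed line; skip the rest.
    MAC addresses are normalised to lower case so case differences never hide
    a conflict."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def detect_arp_conflicts(text, trusted=None):
    """Return one alert per ARP reply whose IP-to-MAC binding contradicts
    either the trusted static table or the first binding observed for that IP
    in this capture. Each alert records when it happened, the expected MAC and
    the MAC that was actually announced."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    first_seen = {}
    alerts = []
    for ts, ip, mac in parse_arp_log(text):
        first_seen.setdefault(ip, mac)
        expected = trusted.get(ip, first_seen[ip])
        if mac != expected:
            alerts.append({"time": ts, "ip": ip,
                           "expected": expected, "observed": mac})
    return alerts


if __name__ == "__main__":
    gateway = {"192.168.1.1": "aa:bb:cc:dd:ee:01"}
    for alert in detect_arp_conflicts(ARP_LOG, trusted=gateway):
        print("ALERT possible ARP spoofing:", alert)
```

The trusted table matters because a spoofed reply can arrive before the legitimate one, in which case "first seen" alone would learn the wrong binding; static entries for the gateway and other critical hosts (the same idea behind switch-level Dynamic ARP Inspection) close that gap.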
NETWORK SNIFFING (Packet Sniffing)

• The process of capturing the data packets travelling on the network. This may include unauthorised access to organisation resources.

• Network sniffing can be used by IT professionals to analyse and monitor traffic, for example in order to find unexpected suspicious traffic, but also by perpetrators to collect data sent in clear text, which is easily readable with network sniffers (protocol analysers).

• The best countermeasure against sniffing is the use of encrypted communication between hosts.
Denial of Service Attack (DoS Attack) and Distributed Denial of Service Attack (DDoS Attack)

• An attack designed to cause an interruption or suspension of the services of a specific host/server by flooding it with large quantities of useless traffic or external communication requests.

• When the DoS attack succeeds the server is no longer able to answer even legitimate requests. This can be observed in a number of ways: slow response of the server, slow network performance, unavailability of software or a web page, inability to access data, a website or other resources.

• A Distributed Denial of Service attack (DDoS) occurs where multiple compromised or infected systems (a botnet) flood a particular host with traffic simultaneously.
A few of the most common DoS attack types:
• ICMP flood attack (ping flood) – the attacker sends ICMP ping requests to the host without waiting for the answer.

• Ping of Death (PoD) – a malformed or otherwise corrupted malicious ping sent to the host machine.

• Smurf attack – works similarly to a ping flood, with the difference that the source IP address of the attacker's host is spoofed with the IP address of another legitimate, non-malicious computer. [The spoofed victim host receives a large number of ICMP replies.]

• SYN flood attack – TCP SYN packets are sent by the attacker to the remote host, but the attacker never responds to the SYN-ACK packet, leaving half-open connections on the target.
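As an added example (not from the original slides), the Python below shows how a SYN flood looks from the defender's side: it walks a constructed TCP flow log, keeps a table of handshakes that received a SYN but never the completing ACK, and alerts on any server whose half-open count reaches a threshold. The log format, the sample addresses and the threshold are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed TCP flow records: "<time> <src>:<port> -> <dst>:<port> <flags>"
# with S = SYN, SA = SYN-ACK, A = ACK, R = RST. Hypothetical format, not from
# the page. One client completes its handshake, one is reset by the server,
# and five sources in 203.0.113.0/24 send SYNs and never answer the SYN-ACK.
FLOW_LOG = """\
1000.00 10.0.0.5:40001 -> 10.0.0.80:443 S
1000.01 10.0.0.80:443 -> 10.0.0.5:40001 SA
1000.02 10.0.0.5:40001 -> 10.0.0.80:443 A
1001.00 203.0.113.7:1001 -> 10.0.0.80:443 S
1001.00 203.0.113.8:1002 -> 10.0.0.80:443 S
1001.01 203.0.113.9:1003 -> 10.0.0.80:443 S
1001.01 203.0.113.10:1004 -> 10.0.0.80:443 S
1001.02 203.0.113.11:1005 -> 10.0.0.80:443 S
1001.02 10.0.0.80:443 -> 203.0.113.7:1001 SA
1001.03 10.0.0.80:443 -> 203.0.113.8:1002 SA
1002.00 10.0.0.6:40002 -> 10.0.0.80:443 S
1002.01 10.0.0.80:443 -> 10.0.0.6:40002 R
"""

LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+) (?P<src>\S+) -> (?P<dst>\S+) (?P<flags>[SAR]+)$"
)


def parse_flows(text):
    """Yield (time, src, dst, flags) for each well-formed record."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (float(m.group("ts")), m.group("src"),
                   m.group("dst"), m.group("flags"))


def half_open_by_server(text):
    """Count handshakes a client started (SYN) but never completed (ACK),
    grouped by server IP. A RST from either side closes the pending entry,
    so legitimate aborted connections are not counted against the server."""
    pending = {}  # (client endpoint, server endpoint) -> time of the SYN
    for ts, src, dst, flags in parse_flows(text):
        if flags == "S":
            pending[(src, dst)] = ts
        elif flags == "A":
            pending.pop((src, dst), None)   # third step of the handshake
        elif "R" in flags:
            pending.pop((src, dst), None)   # reset sent by the client
            pending.pop((dst, src), None)   # reset sent by the server
    counts = defaultdict(int)
    for (_client, server) in pending:
        counts[server.rsplit(":", 1)[0]] += 1
    return dict(counts)


def syn_flood_alerts(text, threshold=3):
    """Servers whose half-open handshake count reaches the threshold."""
    return {srv: n for srv, n in half_open_by_server(text).items()
            if n >= threshold}


if __name__ == "__main__":
    print(syn_flood_alerts(FLOW_LOG))
```

Because the attacking sources in a SYN flood are usually spoofed, the useful aggregation is per target, not per source; in production the pending table would also be expired by age so that counts reflect a sliding window rather than the whole capture.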


A few of the most common attack types (continued):
• Buffer overflow attack – the victim host is provided with traffic/data that is outside the range the victim host, protocols or applications are specified to process, overflowing the buffer and overwriting adjacent memory.

• Botnet – multiple systems submit as many requests as possible to the victim machine in order to overload it with incoming packets. Botnets are also used to spread viruses and spyware and to steal personal and confidential information.

• Man-in-the-middle attack – a form of active monitoring or eavesdropping on victims’ connections and on communication between victim hosts. Neither party is aware of the attacker's presence, and both believe the replies they get are legitimate.

• Session hijacking attack – exploitation of a valid computer session in order to gain unauthorised access to information on a computer system.

• Cross-site scripting attack (XSS attack) – exploits XSS vulnerabilities found in web server applications in order to inject a client-side script into the web page.

• SQL injection attack – injecting code/a string for execution that exceeds the allowed and expected input to the SQL database.
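As an added example (not part of the original slides), the Python below places the weak lookup pattern that makes SQL injection possible next to its hardened form, using an in-memory SQLite table with constructed sample accounts. The vulnerable function pastes the caller's input into the statement text, so a single quote in the input changes the query's structure and returns every row; the safe function passes the value as a bound parameter and additionally rejects input that does not match the expected shape of a username. Table layout, sample data and function names are assumptions for this example.

```python
import re
import sqlite3

# Allowlist for the expected shape of a username (an assumption for this example).
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db():
    """In-memory table with two constructed accounts (sample data, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn, username):
    """The weak pattern: user input becomes part of the SQL text, so the
    database cannot tell where the value ends and the query resumes."""
    sql = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened: the value travels as a bound parameter and is never parsed as
    SQL; the allowlist check stops out-of-range input before the query runs,
    which is the 'allowed and expected input' boundary the slide refers to."""
    if not USERNAME_RE.match(username):
        return []
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"     # textbook input that breaks out of the quotes
    print("vulnerable:", lookup_vulnerable(db, probe))   # returns both rows
    print("safe:      ", lookup_safe(db, probe))         # returns nothing
```

The parameterised query alone is sufficient to stop the injection; the allowlist is defence in depth that also catches inputs the application should never see, and it makes the rejection visible to logging before any database work is done.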
Bluetooth related attacks
• Bluesnarfing – allows the malicious user to gain unauthorised access to information on a device through its Bluetooth connection.

• Bluejacking – allows the malicious user to send unsolicited (often spam) messages to Bluetooth-enabled devices.

• Bluebugging – allows the attacker to initiate phone calls on the victim's phone as well as read through the address book and messages and eavesdrop on phone conversations.
Common Vulnerabilities and Exposures (CVE)
Common Vulnerabilities and Exposures (CVE) is a catalogue of known security threats. Threats are divided into two categories:

• Vulnerabilities and

• Exposures.

Vulnerabilities

• A vulnerability is a mistake in software code that provides an attacker with direct access to a system or network.

• The catalogue’s main purpose is to standardise the way each known vulnerability or exposure is identified. This is important because standard IDs allow security administrators to quickly access technical information about a specific threat across multiple CVE-compatible information sources.
ELEMENTS OF INFORMATION SECURITY
Elements of Information Security
Network Security

 Network security refers to any activity designed to protect your network. Specifically, these activities protect the usability, reliability, integrity and safety of your network and data.
 Network security is accomplished through hardware and software. The software must be constantly updated and managed to protect you from emerging threats.
 The mobility factor of wireless networks adds more challenges to security, namely monitoring and maintenance of secure traffic transport for mobile nodes. This concerns both homogeneous and heterogeneous mobility (inter-technology); the latter requires homogenisation of the security level of all networks visited by the mobile.
 From the terminal’s side, it is important to protect its resources (battery, disk, CPU) against misuse and to ensure the confidentiality of its data. In an ad hoc or sensor network it becomes essential to ensure the terminal’s integrity, as it plays the dual role of router and terminal.
 A network security system usually consists of many components. Ideally, all components work together, which minimises maintenance and improves security.
Network security components often include:

• Anti-virus and anti-spyware

• Firewall to block unauthorised access to your network

• Intrusion Prevention Systems (IPS) to identify fast-spreading threats, such as zero-day or zero-hour attacks

• Virtual Private Networks (VPNs) to provide secure remote access

• Communication security
Application Security
• Application security (AppSec) is the use of software, hardware and procedural methods to protect applications from external threats.

• AppSec is the operational solution to the problem of software risk.

• AppSec helps identify, fix and prevent security vulnerabilities in any kind of software application, irrespective of its function, language or platform.

As a best practice, AppSec employs proactive and preventative methods to manage software risk and align an organisation’s security investments with the reality of today’s threats. It has three distinct elements:

• Measurable reduction of risk in existing applications

• Prevention of the introduction of new risks

• Compliance with software security mandates

The Application Security market has reached sufficient maturity to allow organisations of all sizes to follow a well-established roadmap:

• Begin with software security testing to find and assess potential vulnerabilities.

• Follow remediation procedures to prioritise and fix them.

• Train developers on secure coding practices.

• Leverage ongoing threat intelligence to keep up to date.

• Develop continuous methods to secure applications throughout the development life cycle.

• Instantiate policies and procedures that instill good governance.

Communications Security
Communications Security (COMSEC) ensures the security of telecommunications confidentiality and integrity, the two information assurance (IA) pillars. Generally, COMSEC may refer to the security of any information that is transmitted, transferred or communicated.

There are five COMSEC security types:

Crypto security:
This encrypts data, rendering it unreadable until the data is decrypted.
Emission Security (EMSEC):
This prevents the release or capture of emanations from equipment, such as cryptographic equipment, thereby preventing unauthorised interception.
Physical Security:
This ensures the safety of, and prevents unauthorised access to, cryptographic information, documents and equipment.
Traffic-Flow Security:
This hides messages and message characteristics flowing on a network.
Transmission Security (TRANSEC):
This protects transmissions from unauthorised access, thereby preventing interruption and harm.
Principles and Concepts – Data Security

Critical Information Characteristics

• Confidentiality
• Integrity
• Availability
Principles and Concepts – Data Security
Information States
• Information has three basic states: at any given moment, information is being transmitted, stored or processed.
• The three states exist irrespective of the media in which the information resides.

(Diagram: the three information states, transmission, storage and processing.)
Basic information security concepts:

• Identification
• Authentication
• Authorization
• Confidentiality
• Integrity
• Availability
• Non-repudiation
Identification
 Identification is the first step in the ‘identify-authenticate-authorize’ sequence that is performed
countless times every day by humans and computers alike when access to information or
information processing resources is required.

 While the particulars of identification systems differ depending on who or what is being identified,
some intrinsic properties of identification apply regardless of these particulars. Three of these
properties are the scope, locality and uniqueness of IDs.

 Two user accounts should never use the same name on the same system, not only because
you would not be able to enforce access controls based on non-unique and ambiguous user
names, but also because you would not be able to establish accountability for user actions.
Authentication
Authentication happens right after identification and before authorization. It
verifies the authenticity of the identity declared at the identification stage. In other words, it
is at the authentication stage that you prove you are indeed the person or the system you
claim to be.

The three methods (factors) of authentication are

• what you know (e.g. a password or PIN),
• what you have (e.g. a hardware token or a one-time-code generator) and
• what you are (e.g. a fingerprint).
Combining factors from two different categories gives multi-factor authentication.
Authorization
 Authorization is the process of ensuring that a user has sufficient rights to perform the
requested operation, and preventing those without sufficient rights from doing the same.
 After declaring identity at the identification stage and proving it at the authentication stage,
users are assigned a set of authorizations (also referred to as rights, privileges or
permissions) that define what they can do on the system.
 These authorizations are most commonly defined by the system’s security policy and are set
by the security or system administrator.

Authorizations range between two extremes:

• “permit nothing” and
• “permit everything”,
and may include anything in between.
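As an added example (not part of the original notes), here is the identify-authenticate-authorize sequence from the three sections above as runnable Python: user names are unique dictionary keys (identification), passwords are checked against salted PBKDF2 hashes (what you know), a second factor is an RFC 6238 TOTP code (what you have), and rights are checked deny-by-default (authorization). The user records, passwords and permission sets are constructed sample data; the TOTP secret for "alice" is the RFC 6238 test-vector key so the generated codes can be checked against the RFC's published values.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# Added example, not from the original notes. Identify -> authenticate -> authorize with a
# "what you know" factor (salted PBKDF2 password hash) plus a "what you have" factor
# (RFC 6238 TOTP), then a deny-by-default permission check. User data is constructed.

# Iteration count kept modest so the example runs quickly; OWASP (2023) recommends
# 600,000 for PBKDF2-HMAC-SHA256 in production.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30-second step) for the given Unix time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def make_user(password: str, totp_secret: bytes, perms: set) -> dict:
    salt = os.urandom(16)                          # per-user salt, stored with the hash
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret, "perms": frozenset(perms)}


# Identification: the user name is the unique ID. A dict key cannot collide, which is the
# uniqueness property the notes require in order to keep accountability.
USERS = {
    "alice": make_user("correct horse battery", b"12345678901234567890", {"read", "write"}),
    "bob": make_user("hunter2", b"\x01" * 20, {"read"}),
}

# Dummy record so that an unknown user name costs the same time as a real one
# (otherwise response time would reveal which user names exist).
_DUMMY = make_user("dummy", b"\x00" * 20, set())


def authenticate(username: str, password: str, otp: str, unix_time: int) -> Optional[str]:
    """Return the verified identity, or None. Both factors are compared in constant time."""
    user = USERS.get(username, _DUMMY)
    known = username in USERS
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    # Accept the current 30-second step and the previous one to tolerate clock drift.
    otp_ok = any(hmac.compare_digest(totp(user["totp_secret"], unix_time - drift), otp)
                 for drift in (0, 30))
    return username if (known and pw_ok and otp_ok) else None


def authorize(identity: Optional[str], action: str) -> bool:
    """Deny by default: no verified identity, or no matching right, means no access."""
    if identity is None:
        return False
    return action in USERS[identity]["perms"]


def access(username: str, password: str, otp: str, action: str, unix_time: int) -> bool:
    """The full identify -> authenticate -> authorize sequence for one request."""
    return authorize(authenticate(username, password, otp, unix_time), action)


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; a real system uses int(time.time())
    code = totp(USERS["alice"]["totp_secret"], now)
    print("alice write :", access("alice", "correct horse battery", code, "write", now))
    print("alice delete:", access("alice", "correct horse battery", code, "delete", now))
    print("bob write   :", access("bob", "hunter2", totp(b"\x01" * 20, now), "write", now))
```

Note that authorization never consults the password or OTP again: once the identity is established, rights come only from the stored permission set, which is what the notes mean by authorizations being "set by the security or system administrator" rather than presented by the user.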
Confidentiality
Confidentiality means that only authorized persons have access to, receive or use information,
documents etc. Unauthorized access to confidential information may have devastating
consequences, not only in national security applications, but also in commerce and industry.
Main mechanisms for protecting confidentiality in information systems:
• Cryptography
• Access controls
Examples of threats to confidentiality:
• Malware
• Intruders
• Social engineering
• Insecure networks and
• Poorly administered systems.
Integrity
Integrity is concerned with the trustworthiness, origin, completeness and correctness of
information as well as the prevention of improper or unauthorized modification of
information.
Integrity in the information security context refers not only to the integrity of the
information itself but also to origin integrity, i.e. the integrity of the source of the information.

Integrity protection mechanisms may be grouped into two broad types:

• Preventive mechanisms - access controls that prevent unauthorized modification of
information
• Detective mechanisms - which are intended to detect unauthorized modifications (e.g. cryptographic
checksums, message authentication codes and digital signatures) when preventive mechanisms have failed
Availability
• Availability of information, although usually mentioned last, is not the least important pillar of
information security.
• Who needs confidentiality and integrity if the authorized users of information cannot access and
use it? Who needs sophisticated encryption and access controls if the information being protected
is not accessible to authorized users when they need it?
• Availability is just as important and as necessary a component of information security as
confidentiality and integrity.
• Attacks against availability are known as denial of service (DoS) attacks.
• Natural and man-made disasters may also affect availability, as well as the confidentiality
and integrity of information, though their frequency and severity differ greatly.
Non-repudiation
Non-repudiation in the information security context refers to one of the properties of
cryptographic digital signatures: it offers the possibility of proving that a particular
message was digitally signed by the holder of a particular signing (private) key, so that the
signer cannot later deny having signed it.

The following types of non-repudiation services are defined in international standard ISO/IEC
TR 14516:2002 (guidelines for the use and management of trusted third party services).

Approval: non-repudiation of approval provides proof of who is responsible for approval of the
contents of a message.
Sending: non-repudiation of sending provides proof of who sent the message.
Origin: non-repudiation of origin is a combination of approval and sending.
Submission: non-repudiation of submission provides proof that a delivery agent has accepted the
message for transmission.
Receipt: non-repudiation of receipt provides proof that the recipient received the message.
Knowledge: non-repudiation of knowledge provides proof that the recipient recognized the content of
the received message.
Delivery: non-repudiation of delivery is a combination of receipt and knowledge, as it provides proof
that the recipient received and recognized the content of the message.
Transport: non-repudiation of transport provides proof for the message originator that a delivery agent
has delivered the message to the intended recipient.
Types of Controls
Central to information security is the concept of controls, which may be categorized by
their functionality and plane of application.

By functionality:
• Preventive controls
• Detective controls
• Corrective controls
• Deterrent controls
• Recovery controls
• Compensating controls
Preventive controls

Preventive controls are the first controls met by an adversary. These try to prevent
security violations and enforce access control.
Like other controls, these may be physical, administrative or technical.
Examples:
• Doors,
• Security procedures and
• Authentication requirements
Detective controls
• Detective controls are in place to detect security violations and alert the defenders.
• They come into play when preventive controls have failed.
Detective controls include,
• cryptographic checksums
• file integrity checkers
• audit trails
• logs and
• similar mechanisms.
Corrective controls
 Corrective controls try to correct the situation after a security violation has occurred. Even
though a violation has occurred, the data may still be intact, so it makes sense to try to fix the
situation (e.g. by terminating a session, quarantining a file or reverting a configuration).

 Corrective controls vary widely, depending on the area being targeted, and they may be technical
or administrative in nature.
Deterrent controls
 Deterrent controls are intended to discourage potential attackers.

Examples:
• Monitoring and logging as well as the visible practice of sound information security
management.
Recovery controls
 Recovery controls are somewhat like corrective controls, but they are applied in more serious
situations to recover from security violations and restore information and information processing
resources.
Recovery controls may include,
• disaster recovery and business continuity mechanisms
• backup systems and data
• emergency key management arrangements and similar controls.
Compensating controls
 Compensating controls are intended to be alternative arrangements for other controls when the
original controls have failed or cannot be used.
• When a second set of controls addresses the same threats that are addressed by another set of
controls, it acts as a compensating control.
Types of controls (Continued..)
By plane of application:
• Physical controls
• Administrative controls
• Technical controls

Physical controls include doors, secure facilities, fire extinguishers, flood protection and air
conditioning.
Administrative controls are the organization’s policies, procedures and guidelines intended to
facilitate information security.
Technical controls are the various technical measures, such as firewalls, authentication systems,
intrusion detection systems and file encryption among others.
Access Control Structures
 Logical access control models are the abstract foundations upon which actual access control
mechanisms and systems are built.
 Access control is among the most important concepts in computer security. Access control
models define how computers enforce access by subjects (such as users, other computers,
applications, servers and devices) to objects (such as files, directories, databases and services).

Three main access control models exist:

• Discretionary Access Control model
• Mandatory Access Control model
• Role Based Access Control model
Discretionary Access Control (DAC)

 The Discretionary Access Control model is the most widely used of the three models.
 In the DAC model, the owner (creator) of information (file or directory) has the discretion to decide
about and set access control restrictions on the object in question.

The advantage and disadvantage of DAC is its flexibility.

Users may decide who can access information and what they can do with it: read, write, delete,
rename, execute and so on. At the same time, this flexibility is also a disadvantage of DAC because users may
make wrong decisions regarding access control restrictions or maliciously set insecure or inappropriate
permissions.
Mandatory Access Control (MAC)

Mandatory access control, as its name suggests, takes a stricter approach to access control. In systems
utilizing MAC, users have little or no discretion as to what access permissions they can set on their
information; the system enforces them.
MAC relies on:
• Data classification levels (such as public, confidential, secret and top secret) and
• Security clearance labels corresponding to data classification levels
Role-Based Access Control (RBAC)
• In the role based access control model, rights and permissions are assigned to roles instead of
individual users.
• This added layer of abstraction permits easier and more flexible administration and
enforcement of access controls.
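As an added example (not part of the original notes), the Python below is a toy reference monitor that evaluates one request under all three models described above: DAC through an owner-set ACL, MAC through the classification/clearance labels (using the usual "no read up, no write down" rules, which the notes do not spell out and are assumed here), and RBAC through role-to-permission mappings. Real systems normally use one model or layer MAC over DAC; combining the three here only serves to show where each one says no. All subjects, resources, roles and levels are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Added example, not from the original notes. Every name, label and ACL below is
# constructed sample data; the "no read up / no write down" MAC rules are an assumption.

LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top secret": 3}

# RBAC: permissions hang off roles, never off individual users.
ROLE_PERMS: Dict[str, Set[str]] = {
    "reader": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete"},
}


@dataclass
class Subject:
    name: str
    clearance: str            # MAC label
    roles: Set[str]           # RBAC


@dataclass
class Resource:
    name: str
    owner: str                # DAC: the owner decides the ACL
    classification: str       # MAC label
    acl: Dict[str, Set[str]] = field(default_factory=dict)


def dac_allows(s: Subject, r: Resource, op: str) -> bool:
    """Discretionary: the owner has full control and chooses who else gets what."""
    return s.name == r.owner or op in r.acl.get(s.name, set())


def mac_allows(s: Subject, r: Resource, op: str) -> bool:
    """Mandatory: no read up, no write down. The owner cannot override these rules."""
    clearance, classification = LEVELS[s.clearance], LEVELS[r.classification]
    if op == "read":
        return clearance >= classification      # may only read at or below own level
    if op in ("write", "delete"):
        return clearance <= classification      # may only write at or above own level
    return False


def rbac_allows(s: Subject, op: str) -> bool:
    """Role based: allowed if any of the subject's roles carries the permission."""
    return any(op in ROLE_PERMS.get(role, set()) for role in s.roles)


def decide(s: Subject, r: Resource, op: str) -> Tuple[bool, Dict[str, bool]]:
    """Deny by default: every model must allow. Returns the verdict and each model's vote."""
    votes = {"DAC": dac_allows(s, r, op),
             "MAC": mac_allows(s, r, op),
             "RBAC": rbac_allows(s, op)}
    return all(votes.values()), votes


# Constructed subjects and resources
ALICE = Subject("alice", "secret", {"editor"})
BOB = Subject("bob", "confidential", {"reader"})
CAROL = Subject("carol", "top secret", {"admin"})
PLAN = Resource("plan.docx", owner="alice", classification="secret", acl={"bob": {"read"}})
MEMO = Resource("memo.txt", owner="bob", classification="confidential",
                acl={"alice": {"read", "write"}})

if __name__ == "__main__":
    requests = [(ALICE, PLAN, "read"), (BOB, PLAN, "read"), (ALICE, MEMO, "write"),
                (BOB, MEMO, "write"), (CAROL, MEMO, "read")]
    for subj, res, op in requests:
        ok, votes = decide(subj, res, op)
        print(f"{subj.name:6}{op:7}{res.name:10} -> {'ALLOW' if ok else 'DENY '} {votes}")
```

The interesting rows are the denials: bob is on the ACL for plan.docx (DAC says yes) but his clearance is below its classification (MAC says no); alice may write memo.txt under DAC but MAC forbids writing secret-cleared knowledge down into a confidential file; bob owns memo.txt yet his "reader" role carries no write right. This is the practical difference between the models: under DAC the owner's decision is final, under MAC and RBAC it is not.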
Centralized vs. Decentralized Access Control
• In environments with centralized access control, a single, central entity makes access control
decisions and manages the access control system whereas in distributed access control
environments, these decisions are made and enforced in a decentralized manner.
• Both approaches have their pros and cons, and it is generally inappropriate to say that one is
better than the other.
• The selection of a particular access control approach should be made only after careful
consideration of an organization’s requirements and associated risks.
Security Vulnerability Management
• Security vulnerability management is the current evolutionary step of vulnerability assessment systems that
began in the 1990s with the advent of network security scanners such as SATAN (Security Administrator
Tool for Analyzing Networks, 1995) and the first commercial vulnerability scanner, from ISS.
• A vulnerability can occur anywhere in the IT environment, and can be the result of many different root
causes.
• Security vulnerability management is a closed-loop workflow that generally includes identifying networked
systems and associated applications, auditing (scanning) the systems and applications for vulnerabilities,
remediating the vulnerabilities and re-scanning to verify that the remediation worked.
Security Vulnerability Management (Continued..)

• Any IT infrastructure components may present existing or new security concerns and weaknesses i.e.
vulnerabilities.
• It may be product/ component faults or it may be inadequate configuration.
• Vulnerability management is the process of identifying those vulnerabilities and reacting appropriately to
mitigate the risk.
Vulnerability Assessment
Includes assessing the environment for known vulnerabilities, and assessing IT
components against the security configuration policies (by device role) that have been defined for
the environment.

Network based vulnerability assessment (VA) has been the primary method employed to
baseline networks, servers and hosts. The primary strength of VA is breadth of coverage. Thorough
and accurate vulnerability assessments can be accomplished for managed systems via credentialed
access (the scanner logs in to the host instead of probing it only from the network).

Database scanners check database configuration and properties to verify whether they comply
with database security best practices.

Web application scanners test an application’s logic for “abuse” cases that can break or exploit
the application. Additional tools can be leveraged to perform more in-depth testing and analysis.

All three scanning technologies (network, application and database) assess a different class of
security weaknesses, and most organizations need to implement all three.
Risk assessment
• Larger issues should be expressed in the language of risk (e.g. ISO 27005), specifically expressing impact
in terms of business impact.
• The business case for any remedial action should incorporate considerations relating to the reduction of risk
and compliance with policy.
Risk analysis
“Fixing” the issue may involve acceptance of the risk, shifting of the risk to another party or reducing the risk by
applying remedial action, which could be anything from a configuration change to implementing a new
infrastructure. e.g.
• Data loss prevention,
• Firewalls
• Host intrusion prevention software
Vulnerability enumeration
• Common Vulnerabilities and Exposures (CVE)
• Common Vulnerability Scoring System (CVSS)
• Common Weakness Enumeration (CWE)
Remediation Planning
Prioritization

Vulnerability and security configuration assessments typically generate very long
remediation work lists, and this remediation work needs to be prioritized.

Root Cause Analysis (RCA)

• An RCA is an analysis of a failure to determine the first (or root) failure that caused the
ultimate condition in which the system finds itself.

• For example, in an application crash one should be asking: why did it crash this way?

• A security analyst’s job in performing an RCA is to keep asking the inquisitive "why" until
there is no further question to ask; what remains is the problem at the root of the situation.
