NEHRU INSTITUTE OF ENGINEERING AND TECHNOLOGY

Thirumalayampalayam, Coimbatore-641105
An ISO 14001:2015 & 9001:2015 Certified Institution
(Approved by AICTE, New Delhi and Affiliated to Anna University, Chennai)
Re Accredited by NAAC with A+ and Recognized by UGC with 2(f) and 12(B)
NBA Accredited UG Programmes: AERO | CSE

DEPARTMENT OF COMPUTER SCIENCE AND BUSINESS SYSTEMS

Year: IV Semester: VII

Sub Code / Title: IT8073 / Information Security

UNIT1-INTRODUCTION

History What is Security? Critical Characteristics of Information NSTISSC Security Model Components
of an Information System Securing Components Balancing Information Security and Access The Systems
Development Life Cycle (SDLC) The Security Systems Development Life Cycle (Sec SDLC )
1.1 HISTORY

 Julius Caesar-Caesar Cipher c50 B.C., which was created in order to prevent his
secretmessagesfrombeing,read shouldamessagefallintothewronghands.

 The end of the 20th century and early years of the 21 st century saw rapid advancements
intelecommunications,computinghardware andsoftware,anddataencryption.

Introduction

Informationtechnologyisthevehiclethatstoresandtransportsinformation—acompany’s most
valuable resource—from one business unit to another. But what happens if thevehicle breaks
down, even for a little while? As businesses have become more fluid, the
conceptofcomputersecurityhasbeen replacedbytheconcept ofinformationsecurity.

Because this new concept covers a broader range of issues, from the protection of data
tothe protection of human resources, information security is no longer the sole responsibility of
adiscrete group of people in the company; rather, it is the responsibility of every employee,
andespeciallymanagers.

Organizationsmustrealizethatinformationsecurityfundingandplanningdecisionsinvolve
more than just technical managers: Rather, the process should involve three
distinctgroupsofdecision makers,orcommunities ofinterest:

 Informationsecuritymanagersandprofessionals

 Informationtechnologymanagersandprofessionals

 Nontechnical business managers and

professionalsThesecommunitiesofinterestfulfillthefollowi

ngroles:

 Theinformationsecuritycommunityprotectstheorganization’sinformationassetsfrom
themanythreatstheyface.

 Theinformationtechnologycommunitysupportsthebusinessobjectivesoftheorganizationby
supplyingandsupportinginformationtechnologyappropriatetothebusiness’needs.

 Thenontechnicalgeneralbusinesscommunityarticulatesandcommunicatesorganizationalpol
icyand objectivesandallocates resourcestotheother groups.
1.2 WHATISSECURITY?

Understanding the technical aspects of information security requires that you know
thedefinitions of certain information technology terms and concepts. In general, security is
definedas“thequalityorstateofbeingsecure—tobefreefrom danger.”

Securityisoftenachievedbymeansofseveralstrategiesusuallyundertakensimultaneouslyorus
ed in combinationwith oneanother.

Specializedareasofsecurity

 Physical security, which encompasses strategies to protect people, physical assets,

andtheworkplacefromvariousthreatsincludingfire,unauthorizedaccess,ornaturaldisasters

 Personal security, which overlaps with physical security in the protection of the
peoplewithintheorganization

 Operationssecurity, which focusesonsecuring theorganization’sabilityto carryout its

operationalactivitieswithoutinterruptionorcompromise

 Communicationssecurity,whichencompassestheprotectionofanorganization’scommunic
ations media, technology, and content, and its ability to use these tools
toachievetheorganization’s objectives

 Network security, which addresses the protection of an organization’s data

networkingdevices, connections, and contents, and the ability to use that network to
accomplish theorganization’sdatacommunication functions

 Informationsecurity includes the broad areas of information security

management,computerand datasecurity,and network security.

Whereithasbeenused?

 Governments,military,financialinstitutions,hospitals,andprivatebusinesses.

 Protectingconfidentialinformationisabusinessrequirement.

1.2.1 InformationSecuritycomponents:

 Confidentiality

 Integrity

 Availability(CIA)
CIATriangle

The C.I.A. triangle - confidentiality, integrity, and availability - has expanded into a
morecomprehensivelistofcriticalcharacteristicsofinformation.Attheheartofthestudyofinformations
ecurityistheconceptofpolicy.Policy,awareness,training,education,andtechnology are vital
concepts for the protection of information and for keeping informationsystemsfrom danger.

1.3 CRITICALCHARACTERISTICSOFINFORMATION

 Confidentiality

 Integrity

 Availability

 Privacy

 Identification

 Authentication

 Authorization

 Accountability
  Accuracy

UtilityPos

session

1.3.1 Confidentiality

Confidentiality of information ensures that only those with sufficient privileges

mayaccess certain information. When unauthorized individuals or systems can access
information,confidentiality is breached. To protect the confidentiality of information, a number
of measuresareused:

 Informationclassification

 Securedocumentstorage

 Applicationofgeneralsecuritypolicies

 Education of information custodians and end

usersExample,acreditcardtransactionontheInternet.

 The system attempts to enforce confidentiality by encrypting the card

numberduring transmission, by limiting the places where it might appear (in data
bases,log files, backups, printed receipts, and so on), and by restricting access to
theplaceswhereit is stored.

 Givingoutconfidentialinformationoverthetelephoneisabreachofconfidentiality if
thecaller is notauthorized tohave theinformation, itcouldresultin abreach
ofconfidentiality.

Integrity

Integrityisthequalityorstateofbeingwhole,complete,anduncorrupted.Theintegrityof
information is threatened when it is exposed to corruption, damage, destruction, or
otherdisruption of its authentic state. Corruption can occur while information is being
compiled,stored,ortransmitted.

 Integritymeansthatdatacannotbemodifiedwithoutauthorization.

 Eg: Integrity is violated when an employee deletes important data files, when a
computervirus infects a computer, when an employee is able to modify his own salary in
a payrolldatabase, when an unauthorized user vandalizes a website, when someone is able
to cast averylargenumberofvotes inan onlinepoll,and soon.
1.3.2 Availability

Availability is the characteristic of information that enables user access to

informationwithout interference or obstruction and in a required format. A user in this definition
may beeither a person or another computer system. Availability does not imply that the
information isaccessibleto anyuser; rather,it meansavailabilitytoauthorized users.

 Foranyinformationsystemtoserveitspurpose,theinformationmustbeavailablewhenitis
needed.

 Eg: High availability systems aim to remain available at all times, preventing
servicedisruptionsduetopower outages,hardware failures,andsystemupgrades.

Privacy

The information that is collected, used, and stored by an organization is to be used

onlyfor the purposes stated to the data owner at the time it was collected. This definition of
privacydoes focus on freedom from observation (the meaning usually associated with the word),
butrathermeansthatinformationwillbeusedonlyinwaysknowntothepersonprovidingit.

Identification

An information system possesses the characteristic of identification when it is able

torecognize individual users. Identification and authentication are essential to establishing the
levelofaccess orauthorizationthat an individualis granted.

Authentication

Authentication occurswhena controlprovidesproof thata user possessesthe

identitythatheorsheclaims.

 In computing, e-Business and information security it is necessary to ensure that the

data,transactions, communications or documents(electronic or physical) are genuine(i.e.
theyhavenot beenforged orfabricated)

Authorization

After the identity of auser is authenticated,aprocess called authorization

providesassurance that the user (whether a person or a computer) has been specifically and
explicitlyauthorized by the proper authority to access, update, or delete the contents of an
informationasset.

Accountability

The characteristic of accountability exists when a control provides assurance that

everyactivity undertaken can be attributed to a named person or automated process. For example,
auditlogsthattrackuser activityonan informationsystemprovideaccountability.
1.3.3 Accuracy

Informationshouldhaveaccuracy.Informationhasaccuracywhenitisfreefrommistakes or
errors and it has the value that the end users expects. If information contains a valuedifferent
from the user’s expectations, due to the intentional or unintentional modification of itscontent,it
is no longeraccurate.

Utility

Information has value when it serves a particular purpose. This means that if
informationis available, but not in a format meaningful to the end user, it is not useful. Thus, the
value ofinformationdepends on its utility.

Possession

The possession of Information security is the quality or state of having ownership

orcontrolofsomeobject oritem.

1.4 NSTISSCSECURITYMODEL

‘NationalSecurityTelecommunications&Informationsystemssecuritycommittee’
document.

ItisnowcalledtheNationalTrainingStandardforInformationsecurityprofessionals.

TheNSTISSCSecurityModelprovidesamoredetailedperspectiveonsecurity.

WhiletheNSTISSCmodelcoversthethreedimensionsofinformationsecurity,itomitsdiscussionofdeta
iledguidelinesandpoliciesthat directtheimplementationofcontrols.

Anotherweaknessofusingthismodelwithtoolimitedanapproachistoviewitfromasingleperspective.

 The3dimensionsofeachaxisbecomea3x3x3cubewith27cellsrepresentingareas
thatmustbeaddressedtosecuretoday’sInformationsystems.

 To ensure system security, each of the 27 cells must be properly addressed during
thesecurityprocess.

 Forexample,theintersectionbetweentechnology,Integrity&storageareasrequiresa
control or safeguard that addresses theneed to use technology to protect
theIntegrityofinformationwhileinstorage.
1.5 COMPONENTSOFANINFORMATION SYSTEM

 Software

 Hardware

 Data

 People

 Procedures

 Networks

1.5.1 Software

 The software components of IS comprises applications, operating systems, and

assortedcommandutilities.

 Software programs are the vessels that carry the lifeblood of information through
anorganization.Theseareoftencreatedunderthedemandingconstraintsofprojectmanagement
,which limittime,cost,andmanpower.

1.5.2 Hardware

 Hardware is the physical technology that houses and executes the software, stores
andcarries the data, and provides interfaces for the entry and removal of information from
thesystem.

 Physicalsecuritypoliciesdealwithhardwareasaphysicalassetandwiththeprotectionoftheseph
ysicalassetsfromharmortheft.Applyingthetraditionaltoolsofphysical
 security,suchaslocksandkeys,restrictsaccesstoandinteractionwiththehardwarecomponentsofan
information system.

 Securing the physical location of computers and the computers themselves is

importantbecause a breach of physical security can result in a loss of information.
Unfortunately,most information systems are built on hardware platforms that cannot
guarantee any levelofinformationsecurityif unrestricted accesstothehardwareispossible.

1.5.3 Data

 Datastored,processed,andtransmittedthroughacomputersystemmustbeprotected.

 Data is often the most valuable asset possessed by an organization and is the main
targetofintentional attacks.

 The raw, unorganized, discrete(separate, isolated) potentially-useful facts and figures

thatarelaterprocessed(manipulated)to produceinformation.

1.5.4 People

Therearemanyrolesforpeopleininformationsystems.Commononesinclude

 SystemsAnalyst

 Programmer

 Technician

 Engineer

 NetworkManager

 MIS(ManagerofInformationSystems)

 Dataentryoperator

1.5.5 Procedures

A procedure is a series of documented actions taken to achieve something. A procedure

ismorethanasinglesimpletask.Aprocedurecanbequitecomplexandinvolved,suchasperformingabac
kup,shuttingdown asystem,patchingsoftware.

1.5.6 Networks

 When information systems are connected to each other to form Local Area
Network(LANs), and these LANs are connected to other networks such as the Internet,
newsecuritychallenges rapidlyemerge.
  Stepstoprovidenetworksecurityareessential,asistheimplementationofalarmandintrusionsys
temstomakesystemownersawareofongoingcompromises.

1.6 SECURINGCOMPONENTS

Protectingthecomponentsfrompotentialmisuseandabusebyunauthorizedusers.

 Subjectofanattack

Computerisusedas anactivetooltoconducttheattack.

 Objectofanattack

Computeritselfistheentitybeingattacked

Twotypesofattacks:

1. Directattack

2. Indirectattack

Internet
StolenInformation
REMOTE
SYSTEM
SYSTEM Hackerrequest

Hackerusingacomputer Remotesystemthat

asthesubjectofattack istheobjectofanattack

Figure1.6.1Attack
 1. Directattack

When a Hacker uses his personal computer to break into a system.

[Originatefromthethreat itself]

2. Indirectattack

Whenasystemiscompromisedand usedtoattackothersystem.

[Originatefromasystemorresourcethatitselfhasbeenattacked,andismalfunctioningorworkingun
derthecontrol ofathreat].

A computer can, therefore, be both the subject and object of an attack

when ,forexample, it is first the object of an attack and then compromised and used to attack
othersystems,at whichpoint itbecomes thesubjectofanattack.

1.7 BALANCINGINFORMATIONSECURITYANDACCESS

 Hastoprovidethesecurityandisalsofeasibletoaccesstheinformationforitsapplication.

 InformationSecuritycannotbeanabsolute:itisaprocess,notagoal.

 Shouldbalanceprotectionandavailability.

ApproachestoInformationSecurityImplementation

 Bottom-up-approach.

 Top-down-approach

 Hashigherprobabilityofsuccess.

 Projectisinitiatedbyupperlevelmanagerswhoissuepolicy&procedures&processes.

 Dictatethegoals &expectedoutcomesoftheproject.

 Determinewhoissuitableforeachoftherequiredaction.
1.8 THE SYSTEMS DEVELOPMENT LIFE CYCLE

(SDLC)SDLCWaterfall Methodology

SDLC-isamethodologyforthedesignandimplementationofaninformationsysteminanorganization.

 Amethodologyisaformalapproachtosolvingaproblembasedonastructuredsequenceofprocedur
es.

 SDLCconsistsof6phases.

Investigation

Analysis

Logicaldesign

Physicaldesign

Implementation

Repeat Maintenanceand
change

Figure1.8.1SystemsDevelopmentLifeCycle
1.8.1 Investigation

 It is the most important phase and itbeginswithan

examinationoftheeventorplanthatinitiates theprocess.

 Duringthisphase,theobjectives,constraints,and scopeoftheprojectarespecified.

 At the conclusion of this phase, a feasibility analysis is performed, which assesses

theeconomic,technicalandbehavioralfeasibilitiesoftheprocessandensuresthatimplementa
tionisworth theorganization’s timeandeffort.

1.8.2 Analysis

 Itbeginswiththeinformationgainedduringtheinvestigationphase.

 Itconsistsofassessments(quality)oftheorganization,thestatusofcurrentsystems,andthecap
abilityto support theproposed systems.

 Analysts begin by determining what the new system is expected to do, and how it
willinteractwith existingsystems.

 This phase ends with the documentation of the findings and an update of the
feasibilityanalysis.

1.8.3 LogicalDesign

 In this phase, the information gained from the analysis phase is used to begin creating
asystemssolution forabusinessproblem.

 Based on the business need, applications are selected that are capable of
providingneededservices.

 Based on the applications needed, data support and structures capable of providing
theneededinputs arethen chosen.

 Inthisphase,analystsgenerateanumberofalternativesolutions,eachwithcorrespondingstren
gthsand weaknesses,andcosts andbenefits.

 Attheendofthisphase,anotherfeasibilityanalysisisperformed.

1.8.4 Physicaldesign

 Inthisphase,specifictechnologiesareselectedtosupportthesolutionsdevelopedinthelogical
design.

 Theselectedcomponentsareevaluatedbasedonamake-or-buydecision.

 Finaldesignsintegratevariouscomponentsandtechnologies.
1.8.5 Implementation

 Inthisphase,anyneededsoftwareiscreated.

 Componentsareordered,receivedandtested.

 Afterwards,usersaretrainedandsupportingdocumentationcreated.

 Onceallthecomponentsaretestedindividually,theyareinstalledandtestedasasystem.

 Againafeasibilityanalysisisprepared,andthesponsorsarethenpresentedwiththesystemfora
performancereviewandacceptancetest.

1.8.6 Maintenanceandchange

 Itisthelongestandmost expensivephaseoftheprocess.

 Itconsistsofthetasksnecessarytosupportandmodify thesystemfortheremainderofitsuseful
lifecycle.

 Periodically,thesystemistestedforcompliance,withbusinessneeds.

 Upgrades,updates,andpatchesaremanaged.

 Astheneedsoftheorganizationchange,thesystemsthatsupporttheorganizationmustalsocha
nge.

 Whenacurrentsystemcannolongersupporttheorganization,
theprojectisterminatedandanewproject is implemented.

1.9 THESECURITYSYSTEMSDEVELOPMENT LIFECYCLE (SECSDLC)

ThesamephasesusedinthetraditionalSDLCcanbeadaptedtosupporttheimplementationofan
informationsecurityproject.

1.9.1 Sec SDLC

phasesInvestigation

 Thisphasebeginswithadirectivefromuppermanagement,dictatingtheprocess,outcomes,an
dgoalsoftheproject,aswellasitsbudget andotherconstraints.

 Frequently, this phase begins with anenterpriseinformationsecuritypolicy,

whichoutlinestheimplementationofasecurityprogramwithintheorganization.

 Teamsofresponsiblemanagers,employees,andcontractorsareorganized.
  Problemsareanalyzed.

 Scopeoftheproject,aswellasspecificgoalsandobjectives,andany
additionalconstraintsnotcovered intheprogrampolicy,are defined.

 Finally, an organizational feasibility analysis is performed to determine whether

theorganizationhastheresourcesandcommitmentnecessary toconducta
successfulsecurityanalysis and design.

Analysis

 Inthisphase,thedocumentsfromtheinvestigationphasearestudied.

 Thedevelopedteamconductsapreliminaryanalysisofexistingsecuritypoliciesorprograms,a
longwiththatofdocumentedcurrentthreatsandassociated controls.

 Theriskmanagementtaskalsobeginsinthisphase.

Risk management is the process of identifying, assessing, and evaluating the levels
ofrisk facing the organization, specifically the threats to the organization’s security and to
theinformationstored and processed bytheorganization.

Logicaldesign

 Thisphasecreatesanddevelopstheblueprintsforinformationsecurity,andexaminesandimpl
ements keypolicies.

 Theteamplanstheincidentresponseactions.

 Plansbusinessresponsetodisaster.

 Determinesfeasibilityofcontinuingandoutsourcingtheproject.

Physicaldesign

 Inthisphase,theinformationsecuritytechnologyneededtosupporttheblueprintoutlinedin
thelogical designis evaluated.

 Alternativesolutionsaregenerated.

 Designsforphysicalsecuritymeasurestosupporttheproposedtechnologicalsolutionsarecrea
ted.

 Attheendofthisphase,afeasibility study
shoulddeterminethereadinessoftheorganizationfortheproposed project.
  Atthisphase,allpartiesinvolvedhaveachancetoapprovetheprojectbeforeimplementationbe
gins.

Implementation

 SimilartotraditionalSDLC

 Thesecuritysolutionsareacquired(madeorbought),tested,implemented,andtestedagain

 Personnelissuesareevaluatedandspecifictrainingandeducationprogramsareconducted.

 Finally,theentiretestedpackageispresentedtouppermanagementforfinalapproval.

Maintenanceandchange

 Constantmonitoring,testing,modification,updating,andrepairingtomeetchangingthreatsh
avebeen donein this phase.

1.9.2 Security Professionals and the

organizationSeniormanagement

ChiefinformationOfficer(CIO)istheresponsiblefor

 Assessment

 Management

 Andimplementationofinformationsecurityintheorganization

InformationSecurityProjectTeam

 Champion

- Promotestheproject

- Ensuresitssupport,bothfinancially&administratively.

 TeamLeader

- Understandsprojectmanagement

- Personnelmanagement

- AndinformationSecuritytechnicalrequirements.
  Securitypolicydevelopers

- individualswhounderstandtheorganizationalculture,

- existingpolicies

- Requirementsfordeveloping&implementingsuccessfulpolicies.

 Riskassessmentspecialists

- Individualswhounderstandfinancialriskassessmenttechniques.

- Thevalueoforganizationalassets,

- andthesecuritymethods tobeused.

 SecurityProfessionals

- Dedicated

- Trained,andwelleducatedspecialistsinallaspectsofinformationsecurity
frombothatechnicaland non technical stand point.

 SystemAdministrators

- Administratingthesystemsthathousetheinformationusedbytheorganization.

 Endusers

Dataowners

Threetypes Data

custodiansData

DataOwners users

- Responsibleforthesecurityanduseofaparticularsetofinformation.

- Determinethelevelofdataclassification

- Workwithsubordinatemanagerstooverseetheday-to-dayadministrationofthedata.

DataCustodians

- Responsibleforthestorage,maintenance,andprotectionoftheinformation.

- Overseeingdatastorageandbackups
- Implementingthespecificproceduresandpolicies.
DataUsers (Endusers)

- Work with the information to perform their daily jobs supporting the mission of
theorganization.

- Everyone in the organization is responsible for the security of data, so data users
areincludedhere as individualswith aninformation securityrole.

1.9.3 KeyTermsinInformationSecurityTerminology

 Asset

-Anassetistheorganizationalresourcethatisbeingprotected.

-AnAssetcanbelogical ,suchas

Website,informationordata

-Assetcanbephysical,suchas

person,computersystem

 Attack

- An attack is an intentional or unintentional attempt to cause damage to or

otherwisecompromise the information and /or the systems that support it. If someone
casuallyreads sensitive information not intended for his use, this is considered a passive
attack.Ifahackerattemptstobreakintoaninformationsystem,theattackisconsideredactive.

 Risk

- Risk is the probability that something can happen. In information security, it could
betheprobabilityofathreat to asystem.

 SecurityBlueprint

- It is the plan for the implementation of new security measures in the

organization.Sometimes called a frame work, the blueprint presents an organized
approach to thesecurityplanningprocess.

 SecurityModel

-
Asecuritymodelisacollectionofspecificsecurityrulesthatrepresentstheimplementationofase
curitypolicy.
 Threats

- Athreatisacategoryofobjects,persons,orotherentitiesthatposeapotentialdangerto an asset.
Threats are always present. Some threats manifest themselves in accidentaloccurrences,
while others are purposeful. For example, all hackers represent potentialdanger or threat
to an unprotected information system. Severe storms are also a threat tobuildingsand
theircontents.

 Threatagent

- A threat agent is the specific instance or component of a threat. For example, you
canthink of all hackers in the world as a collective threat, and Kevin Mitnick, who
wasconvictedforhackingintophonesystems,asaspecificthreatagent.Likewise,aspecific
lightning strike, hailstorm, or tornado is a threat agent that is part of the
threatofseverestorms.

 Vulnerability

- Weaknesses or faults in a system or protection mechanism that expose information

toattack or damage are known as vulnerabilities. Vulnerabilities that have been
examined,documented,andpublishedare referredtoaswell-known vulnerabilities.

 Exposure

- The exposure of an information system is a single instance when the system is open
todamage. Vulnerabilities can cause an exposure to potential damage or attack from
athreat. Total exposureis the degree to which an organization’s assets are at risk
ofattackfromathreat..