
ISS L1 Introduction

Uploaded by

aliena22334455

Information Systems Security

Introduction to Information Systems Security
Lecture 1

Outline

1. Attack Examples
2. What is Information Systems Security?
3. ISS Objectives
4. Security terms
5. Security Policies
6. Conclusion

1. Attack Examples

◼ Oct. 2021, Sinclair Broadcast Group
– data encrypted on some servers, data stolen, multiple local TV stations stopped working
◼ anchors reported news without teleprompters and video graphics
◼ WCIV (channel 36) went live
• using MyFi hotspot on cell phone under a tent
• without internet/phones

(image source: https://twitter.com/SEisbergWCIV/status/1450130216110772224/photo/1)

Attack Examples

◼ Dec 2016, Hacking CNN’s teleprompter
– a kid penetrated CNN’s internal networks and changed W. Blitzer’s teleprompter

◼ Aug 2022, Leak of classified military documents related to MBDA Missile Systems (NATO’s)

Attack Examples

◼ June 2022, a Google Cloud Armor customer was targeted with a series of HTTPS DDoS attacks which peaked at 46 million requests per second.
– 10 sec of the attack’s traffic = Wikipedia’s daily requests
– Targeted by 5,256 source IP addresses from 132 countries

Attack Examples - Consequences!

◼ Mar 2019,
The Central Organization for Financial Control revealed that the head of department xxx at the General Establishment YYY committed forgery and embezzled public funds in an amount exceeding 176 million Syrian pounds.
....

"...The report also held the successive heads of the computer department or section, 8 heads in number, responsible for dereliction and negligence in performing their work, by leaving the windows of the computers they work on in the computer department, which have system administrator permission, (open), which enabled the head of department xxx to post collection receipts by using these open windows (left without caution or care) to create...

Attack Examples - Consequences!

... additional accounts with xxx administrator permission and to change the permissions of some existing accounts in the collection program from frozen to system administrator in order to modify some accounts, which allowed him to scatter the information, in addition to using them to post collection receipts, and enabled him to tamper with and falsify the data of these receipts.
The report also noted that the IT director (M.A.) was proven derelict and negligent in performing his work by allowing several computer staff to keep system administrator permission, contrary to information security requirements, given the privileges that the system administrator role carries, which enabled the head of department xxx to tamper with and falsify data and accounts and to embezzle public funds."

2. What is ISS?

◼ Information system
– set of applications, services, information technology assets, or other information-handling components
◼ Information Systems Security (ISS)
– is the protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats.

What is ISS?

◼ part of information security
◼ Information security includes
– Computer security
– Information systems security
– Database security
– Network security
– Web security
– Digital forensics
– Information security management
– …

What is ISS?

◼ information security [ISO 27000: 2018]
– preservation of confidentiality, integrity and availability of information
– also preservation of authenticity, accountability, non-repudiation, and reliability

ISS Objectives

1. Confidentiality: property that information is not made available or disclosed to unauthorized individuals, entities, or processes
– Privacy: individual’s information is under her/his control
– means: encryption, access control

ISS Objectives

2. Integrity: covers two related concepts
– Data integrity: assures that information and programs are changed only in a specified and authorized manner
– System integrity: assures that a system performs its intended function as specified, free from unauthorized manipulation
– means: cryptographic checksums, access control, …

ISS Objectives

3. Availability
– property of being accessible and usable on demand by an authorized entity.
– means: protection from disruption, intentional deletion, …

ISS Objectives

◼ Other Objectives:
4. Authenticity
◼ property that an entity is what it claims to be
– 2 related terms are usually used
◼ Entity authentication
– corroboration of the identity of an entity (e.g., a person, a credit card)
◼ Message authentication
– corroborating the source of information;
◼ also known as data origin authentication.

ISS Objectives

5. Non-repudiation
◼ preventing the denial of previous commitments or actions

6. Accountability
◼ the ability to identify entities responsible for past actions.

4. Security Terms

◼ A vulnerability: a weakness in system design/implementation/operation; it can be in hardware or software.
– Example: a software bug exists in the OS, or no password rules are set.
◼ A threat:
– Something that can potentially cause damage
– Refers to a situation in which either a person could do something undesirable
– or a natural occurrence could cause an undesirable outcome

Security terms

◼ Vulnerabilities: Examples
– Unprotected data under transmission
– Mistakes in firewall or router
– Software bugs exist.
– Passwords posted near the computer

◼ Threats: Examples
– Virus
– Illegal password use
– Illegal access to the Internet
– Pretending to be a desk helper

Security terms

◼ A risk: the expected loss due to harmful future events.
◼ An attack: is a realization of a threat
◼ An attacker: is a person who exploits a vulnerability
◼ An attacker must have means, opportunity, and motive
– Synonyms: enemy, adversary, opponent, eavesdropper, intruder

Threats from hackers

◼ Hackers are computer or network experts
– They conduct illegal access only to satisfy their interest, or to try out their technology (no damage to other people)
◼ Crackers
– They cause damage by stealing information from networks/servers they accessed illegally, or by forcing services to shut down

Examples of threats from crackers’ actions:
• Illegally use IDs or passwords that they stole
• Illegally access servers and steal personal information, etc.
• Destroy systems

Types of Attack

◼ Interruption, delay, denial of receipt or denial of service
– System assets or information become unavailable or are rendered unavailable
◼ Interception or snooping
– Unauthorized party gains access to information by browsing through files or reading communications.
◼ Modification or alteration
– Unauthorized party changes information in transit or information stored for subsequent access.

Types of Attack

◼ Masquerade or spoofing
– Spurious information is inserted into the system or network by making it appear as if it is from a legitimate entity.
◼ Repudiation
– False denial that an entity created something.
◼ Traffic analysis
– Monitoring traffic in order to get information about exchanged data (regardless of the content itself)
◼ Replay attack
– Intercepting a message in order to re-send it later

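The modification, masquerade and replay attacks listed above can all be detected at the receiving end by combining a message authentication code with a sequence number. The following is an added example, not part of the original slides; the key, the message layout (8-byte sequence number, payload, 32-byte HMAC-SHA256 tag) and the sample messages are constructed assumptions.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: known to sender and receiver only


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: prefix an 8-byte sequence number, append an HMAC-SHA256 tag."""
    body = seq.to_bytes(8, "big") + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Accepts a message only if its tag verifies and its sequence number is new."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, message: bytes) -> str:
        if len(message) < 8 + 32:
            return "rejected: malformed"
        body, tag = message[:-32], message[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison; fails for altered bytes and for a wrong key.
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag (modification or masquerade)"
        seq = int.from_bytes(body[:8], "big")
        if seq <= self.last_seq:
            return "rejected: replay"
        self.last_seq = seq
        return "accepted: " + body[8:].decode("utf-8", "replace")


def demo() -> list[str]:
    rx = Receiver(KEY)
    genuine = protect(KEY, 1, b"transfer 100 to account A")   # constructed sample
    altered = genuine.replace(b"100", b"900")                 # changed in transit
    forged = protect(b"not-the-shared-key", 2, b"transfer 500 to account B")
    return [
        rx.accept(genuine),  # first delivery of a valid message
        rx.accept(altered),  # tag no longer matches the body
        rx.accept(forged),   # sender does not hold the shared key
        rx.accept(genuine),  # the same valid message delivered again
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Because sender and receiver hold the same key, this gives message authentication but not non-repudiation, which needs a digital signature. It also does nothing against interception or traffic analysis.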
Countermeasures

◼ include techniques for ensuring:
– Prevention: such as encryption, user authentication, one time password, anti-virus, firewall, etc.
– Detection: such as IDS (Intrusion Detection Systems), monitoring tools, firewall log, digital signature, etc.
– Reaction (or recovery): such as backup systems, OS’s recovery points, etc.

Security terms - Relationships

ISS - another definition

– What needs to be protected, i.e., assets
– Why (security requirements which include CIA),
– What we need to protect from (Threats, vulnerabilities, risks)
– and how (Countermeasures) to protect it for as long as it exists
– Then operate, monitor, review, improve
– All steps are implemented according to the security policy

5. Security Policy

◼ a document describing intentions and direction of an organization regarding information security
– Example 1:
◼ personal information must be treated as confidential.
◼ services must be available 24/7

◼ states what is/is not allowed
– Example 1:
◼ account names must not be used in passwords.

Security Policy

◼ security policy does not specify technologies.

◼ A security policy is a guideline for implementing security measures.

Security Lifecycle

◼ Analyze
– Develop sec policy
– Draw blueprints
– Determine sec requirements (objectives)
– Analyze threats, vulnerabilities (i.e., risks)

◼ Design
– Design architecture
– Choose countermeasures
– Continue developing sec policy

◼ Implement
– Implement countermeasures
– Test
– Carry out training and awareness

◼ Operate
– Monitor
– Review

6. Conclusion

◼ Security terms
– ISS
– Security objectives
– Security Policy
– Vulnerabilities and Threats
– Security measures

◼ Next lectures:
– Covering these terms in detail

Questions?

Case Study 1 – Hospital system

Case Study 2 – Online bank