Information Security-Lecture 1-A

Information Security

Aliyah Awais
COMPUTER SECURITY

The protection afforded to an automated information system in
order to attain the applicable objectives of preserving the
integrity, availability, and confidentiality of information system
resources (includes hardware, software, firmware,
information/data, and telecommunications).
System Components
● An information system (IS) is the entire set of people, procedures, and technology that enable businesses
to use information.
– Software
– Hardware
– Data
– People
– Procedures
– Networks
Security Objectives

The CIA triad is a set of three foundational principles used by
cybersecurity professionals to establish appropriate controls
to mitigate:
● Threats
● Risks
● Vulnerabilities
Key Security Concepts
CIA Triad is a model that helps inform how organizations “consider
risk” when setting up systems and security policies.
● Confidentiality: preserving authorized restrictions on information
access and disclosure, including means for protecting personal
privacy and proprietary information.
● Integrity: guarding against improper information modification or
destruction, including ensuring information nonrepudiation and
authenticity.
● Availability: ensuring timely and reliable access to and use of
information.
The NIST (National Institute of Standards and Technology)
Internal/Interagency Report NISTIR 7298 (Glossary of Key
Information Security Terms , May 2013) defines the term
computer security as follows:
“ Measures and controls that ensure confidentiality, integrity, and availability of
information system assets, including hardware, software, firmware, and information being
processed, stored, and communicated.”
How Controls, Frameworks and Compliance Are Related
● Security controls are safeguards designed to reduce specific security risks.
● They are used alongside frameworks to ensure that security goals and
processes are implemented correctly and that organizations meet regulatory
compliance requirements.
Security Layers
Eight Security Dimensions Address the Breadth of Vulnerabilities
ITU-T Recommendations
The security architecture logically divides a complex set of end-to-end network security-related features
into separate architectural components.
This separation allows for a systematic approach to end-to-end security that can be used for the planning
of new security solutions as well as for assessing the security of the existing networks.

The security architecture addresses three essential questions with regard to end-to-end security:
What kinds of protection are needed and against what threats?

What are the distinct types of network equipment and facility groupings that need to be protected?

What are the distinct types of network activities that need to be protected?

These questions are addressed by three architectural components: Security Dimensions, Security
Layers and Security Planes.
Challenges of Computer Security

● Computer security is not as simple as it might first appear to the novice.
● In developing a particular security mechanism or algorithm, one must
always consider potential attacks on those security features.
● Procedures used to provide particular services are often counterintuitive.
● Physical and logical placement of security mechanisms needs to be determined.
● Security mechanisms typically involve more than a particular algorithm or
protocol and also require that participants be in possession of some secret
information, which raises questions about the creation, distribution, and
protection of that secret information.
Challenges of Computer Security

● Attackers only need to find a single weakness, while the designer must find
and eliminate all weaknesses to achieve perfect security.
● Security is still too often an afterthought to be incorporated into a system after
the design is complete, rather than being an integral part of the design
process.
● Security requires regular and constant monitoring.
● There is a natural tendency on the part of users and system managers to
perceive little benefit from security investment until a security failure occurs.
● Many users and even security administrators view strong security as an
impediment to efficient and user-friendly operation of an information system or
use of information.
Computer Security Terminology
Computer Security Terminology, from RFC 2828, Internet Security Glossary, May 2000
Adversary (threat agent)
Individual, group, organization, or government that conducts or has the intent to conduct
detrimental activities.

Attack
Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy
information system resources or the information itself.

Countermeasure
A device or technique that has as its objective the impairment of the operational effectiveness
of undesirable or adversarial activity, or the prevention of espionage, sabotage, theft, or
unauthorized access to or use of sensitive information or information systems.

Risk
A measure of the extent to which an entity is threatened by a potential circumstance or event
and is typically a function of 1) the adverse impacts that would arise if the circumstance or
event occurred; and 2) the likelihood of occurrence.
Computer Security Terminology
Security Policy
A set of criteria for the provision of security services. It defines and constrains the activities of a data processing facility in
order to maintain a condition of security for systems and data.

System Resource (Asset)
A major application, general support system, high impact program, physical plant, mission critical system, personnel,
equipment, or a logically related group of systems.

Threat
Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions,
image, or reputation), organizational assets, individuals, other organizations, or the nation through an information system
via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

Vulnerability
Weakness in an information system, system security procedures, internal controls, or implementation that could be
exploited or triggered by a threat source.
Computer Systems Assets

Hardware: computer systems and other data processing, data storage, and data communications devices.

Software: including the operating system, system utilities, and applications.

Data: including files and databases, as well as security-related data, such as password files.

Communication facilities and networks: local and wide area network communication links, bridges, routers, and so on.
Computer and Network Assets, with Examples of Threats
Incident Response (Countermeasure)
Finally, a countermeasure is any means taken to deal with a security attack.

Ideally, a countermeasure can be devised to prevent a particular type of attack from succeeding.

When prevention is not possible or fails in some instance, the goal is to detect the attack and then
recover from the effects of the attack.

A countermeasure may itself introduce new vulnerabilities. In any case, residual vulnerabilities may
remain after the imposition of countermeasures.

Such vulnerabilities may be exploited by threat agents representing a residual level of risk to the assets.
Owners will seek to minimize that risk given other constraints.
Vulnerabilities, Threats and Attacks

Categories of vulnerabilities
● Corrupted (loss of integrity)
● Leaky (loss of confidentiality)
● Unavailable or very slow (loss of availability)
Threats
● Capable of exploiting vulnerabilities
● Represent potential security harm to an asset

Attacks (threats carried out)

● Passive: attempt to learn or make use of information from the system that does not affect system
resources, such as “Traffic Analysis.”
● Active: attempt to alter system resources or affect their operation.
● Insider: initiated by an entity inside the security perimeter.
● Outsider: initiated from outside the perimeter.
Passive Attacks

This attack attempts to learn or make use of
information from the system but does not affect
the system resources.

Examples are eavesdropping on, or monitoring of,
transmissions.

The goal of the attacker is to obtain information that is
being transmitted.

Two types:
a. Release of message contents
b. Traffic analysis
Active Attacks

Attempts to alter system
resources or affect their
operation.

Involve some modification
of the data stream or the
creation of a false stream.

Four categories:
● Replay
● Masquerade
● Modification of messages
● Denial of service
Threat Consequences and Threat Actions (Attacks)

Unauthorized Disclosure: A circumstance or event whereby an entity gains access
to data for which the entity is not authorized.
● Exposure: Sensitive data are directly released to an unauthorized entity.
● Interception: An unauthorized entity directly accesses sensitive data travelling
between authorized sources and destinations.
● Inference: A threat action whereby an unauthorized entity indirectly accesses
sensitive data (but not necessarily the data contained in the communication) by
reasoning from characteristics or by-products of communications.
● Intrusion: An unauthorized entity gains access to sensitive data by circumventing
a system’s security protections.

Deception: A circumstance or event that may result in an authorized entity
receiving false data and believing it to be true.
● Masquerade: An unauthorized entity gains access to a system or performs a
malicious act by posing as an authorized entity.
● Falsification: False data deceive an authorized entity.
● Repudiation: An entity deceives another by falsely denying responsibility for an act.

Disruption: A circumstance or event that interrupts or prevents the correct
operation of system services and functions.
● Incapacitation: Prevents or interrupts system operation by disabling a system component.
● Corruption: Undesirably alters system operation by adversely modifying system
functions or data.
● Obstruction: A threat action that interrupts delivery of system services by
hindering system operation.

Usurpation: A circumstance or event that results in control of system services
or functions by an unauthorized entity.
● Misappropriation: An entity assumes unauthorized logical or physical control of
a system resource.
● Misuse: Causes a system component to perform a function or service that is
detrimental to system security.
Security Requirements
Access Control: Limit information system access to authorized users, processes acting on behalf of authorized users, or
devices (including other information systems) and to the types of transactions and functions that authorized users are
permitted to exercise.

Awareness and Training: (i) Ensure that managers and users of organizational information systems are made aware of
the security risks associated with their activities and of the applicable laws, regulations, and policies related to the security
of organizational information systems; and (ii) ensure that personnel are adequately trained to carry out their assigned
information security-related duties and responsibilities.

Audit and Accountability: (i) Create, protect, and retain information system audit records to the
extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate
information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to
those users so they can be held accountable for their actions.
Security Requirements
Certification, Accreditation, and Security Assessments: (i) Periodically assess the security controls in
organizational information systems to determine if the controls are effective in their application; (ii) develop
and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in
organizational information systems; (iii) authorize the operation of organizational information systems and
any associated information system connections; and (iv) monitor information system security controls on
an ongoing basis to ensure the continued effectiveness of the controls.
Configuration Management: (i) Establish and maintain baseline configurations and inventories of
organizational information systems (including hardware, software, firmware, and documentation)
throughout the respective system development life cycles; and (ii) establish and enforce security
configuration settings for information technology products employed in organizational information systems.

Contingency Planning: Establish, maintain, and implement plans for emergency response, backup
operations, and post-disaster recovery for organizational information systems to ensure the availability of
critical information resources and continuity of operations in emergency situations.
Security Requirements
Identification and Authentication: Identify information system users, processes acting on behalf of users, or
devices, and authenticate (or verify) the identities of those users, processes, or devices as a prerequisite to
allowing access to organizational information systems.

Incident Response: (i) Establish an operational incident-handling capability for organizational information
systems that includes adequate preparation, detection, analysis, containment, recovery, and user-response
activities; and (ii) track, document, and report incidents to appropriate organizational officials and/or authorities.

Maintenance: (i) Perform periodic and timely maintenance on organizational information systems; and (ii) provide
effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system
maintenance.

Media Protection: (i) Protect information system media, both paper and digital; (ii) limit access to
information on information system media to authorized users; and (iii) sanitize or destroy information system
media before disposal or release for reuse.
Security Requirements
Physical and Environmental Protection: (i) Limit physical access to information systems, equipment,
and the respective operating environments to authorized individuals; (ii) protect the physical plant and
support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv)
protect information systems against environmental hazards; and (v) provide appropriate environmental
controls in facilities containing information systems.

Planning: Develop, document, periodically update, and implement security plans for organizational
information systems that describe the security controls in place or planned for the information systems
and the rules of behaviour for individuals accessing the information systems.

Personnel Security: (i) Ensure that individuals occupying positions of responsibility within organizations
(including third-party service providers) are trustworthy and meet established security criteria for those
positions; (ii) ensure that organizational information and information systems are protected during and
after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel
failing to comply with organizational security policies and procedures.
Security Requirements
Risk Assessment: Periodically assess the risk to organizational operations
(including mission, functions, image, or reputation), organizational assets, and
individuals, resulting from the operation of organizational information systems and the
associated processing, storage, or transmission of organizational information.
Systems and Services Acquisition: (i) Allocate sufficient resources to adequately
protect organizational information systems; (ii) employ system development life cycle
processes that incorporate information security considerations; (iii) employ software
usage and installation restrictions; and (iv) ensure that third-party providers employ
adequate security measures to protect information, applications, and/or services
outsourced from the organization.
Security Requirements
System and Communications Protection: (i) Monitor, control, and protect organizational
communications (i.e., information transmitted or received by organizational information systems) at the
external boundaries and key internal boundaries of the information systems; and (ii) employ architectural
designs, software development techniques, and systems engineering principles that promote effective
information security within organizational information systems.

System and Information Integrity: (i) Identify, report, and correct information and information system
flaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within
organizational information systems; and (iii) monitor information system security alerts and advisories and
take appropriate actions in response.
Fundamental Security Design Principles

● Economy of mechanism
● Fail-safe defaults
● Complete mediation
● Open design
● Separation of privilege
● Least privilege
● Least common mechanism
● Psychological acceptability
● Isolation
● Encapsulation
● Modularity
● Layering
● Least astonishment
Fundamental Security Design Principles

The failsafe security principle ensures that, in the event of a failure, the system defaults to a state that does not compromise security.
This means that when a system encounters an issue, it should maintain or revert to a secure state rather than leaving the system open
to threats or vulnerabilities.

For example:

● If a door lock system malfunctions, it should remain locked rather than unlocked.
● If access control software fails, it should deny access by default rather than granting it.

This principle is crucial for minimizing security risks during unexpected failures or malfunctions.
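The fail-safe principle is easiest to see in code, where the difference between "allow unless denied" and "deny unless allowed" is one default value and one exception handler. The following is an added example written for this lecture, not code from the slides; the policy store, the user names and the resource names are constructed for illustration. It puts a fail-open check next to a fail-safe one and shows how each behaves when the policy backend is unreachable or a user is unknown.

```python
"""Fail-safe defaults in an access-control check.

Added example for this lecture, not code from the slides. The policy store,
user names and resource names below are constructed for illustration.
"""
from dataclasses import dataclass, field


class PolicyStoreUnavailable(Exception):
    """Raised when the (simulated) policy backend cannot be reached."""


@dataclass
class PolicyStore:
    # grants: user -> set of (resource, action) pairs explicitly permitted
    grants: dict = field(default_factory=dict)
    online: bool = True

    def lookup(self, user):
        """Return the user's explicit grants; raises for outages or unknown users."""
        if not self.online:
            raise PolicyStoreUnavailable("policy backend unreachable")
        return self.grants[user]  # KeyError for a user nobody ever granted anything


def check_access_fail_open(store, user, resource, action):
    """Anti-pattern: starts from 'allow' and only denies if it manages to find
    a reason. Every error path (outage, unknown user) leaves the default in
    place, so the failure mode is to grant access."""
    allowed = True
    try:
        if (resource, action) not in store.lookup(user):
            allowed = False
    except Exception:
        pass  # error swallowed; 'allowed' is still True
    return allowed


def check_access_fail_safe(store, user, resource, action):
    """Fail-safe default: the only way to obtain True is an explicit grant that
    was read successfully. Outages, unknown users and any other exception all
    resolve to deny."""
    try:
        perms = store.lookup(user)
    except Exception:
        return False  # cannot decide, so deny
    return (resource, action) in perms


def compare_under_failure(user, resource, action):
    """Run both checks against an offline store and return
    (fail_open_result, fail_safe_result) for that outage case."""
    store = PolicyStore(grants={"alice": {("report.pdf", "read")}})
    store.online = False
    return (check_access_fail_open(store, user, resource, action),
            check_access_fail_safe(store, user, resource, action))


if __name__ == "__main__":
    store = PolicyStore(grants={"alice": {("report.pdf", "read")}})
    for user, action in [("alice", "read"), ("alice", "write"), ("bob", "read")]:
        print(user, action,
              "fail-open:", check_access_fail_open(store, user, "report.pdf", action),
              "fail-safe:", check_access_fail_safe(store, user, "report.pdf", action))
    print("backend offline:", compare_under_failure("alice", "report.pdf", "read"))
```

Both functions agree on the happy path; they only diverge on the error paths, which is exactly where the principle matters: the fail-open version grants access to an unknown user and to everyone during an outage, while the fail-safe version denies in both cases.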
Fundamental Security Design Principles

The open design principle asserts that the security of a system should not rely on the secrecy of its design or implementation. Instead,
systems should be designed to remain secure even if every detail about the system (except for confidential information like passwords
or cryptographic keys) is publicly known.

Key aspects of the open design principle:

● Transparency: The system’s architecture, protocols, and design are open for review, which encourages community scrutiny
and helps identify vulnerabilities more quickly.
● Resilience: Even with full knowledge of how the system works, attackers should not be able to compromise it easily.
● Auditing and trust: Open design allows for independent verification and testing of security features, increasing trust in the
system's robustness.

This principle is often applied in open-source software, where code is publicly available, and the system remains secure through
rigorous security practices rather than obscurity.
Fundamental Security Design Principles

Layering (also known as defense in depth) is a security principle that involves implementing multiple layers of defense to protect
systems and data. The idea is that if one layer of security is breached, other layers will still provide protection, making it harder for
attackers to compromise the system.

Each layer addresses different vulnerabilities and risks, and they work together to slow down or mitigate threats. Common layers in
cybersecurity include:

1. Physical Security: Locks, biometric access, and surveillance.
2. Network Security: Firewalls, intrusion detection systems (IDS), and encryption.
3. Endpoint Security: Antivirus software and device control.
4. Application Security: Secure coding practices and patch management.
5. Data Security: Encryption and access control.

By using multiple overlapping security measures, layering reduces the likelihood of a successful attack.
Fundamental Security Design Principles

Encapsulation is a principle in both security and software design that involves restricting access to certain components or data and
exposing only what is necessary. In cybersecurity, encapsulation ensures that sensitive information is hidden from unauthorized users,
preventing them from manipulating or viewing it directly.

In the context of object-oriented programming (OOP), encapsulation refers to:

● Hiding internal implementation details of an object and exposing only the necessary methods and properties through a
defined interface.
● Keeping data safe from unauthorized access by bundling it with methods that restrict how it's accessed or modified.

In cybersecurity, encapsulation is applied by:

● Using firewalls, encryption, or access controls to limit access to sensitive data or systems.
● Ensuring that different parts of a system are isolated, so a breach in one component doesn’t easily spread to others.

Encapsulation adds a layer of protection by controlling how resources are accessed and manipulated, contributing to the overall
security of systems.
Fundamental Security Design Principles

The Principle of Least Astonishment (PoLA) states that a system or interface should behave in a way that users expect, minimizing
surprises. The design and functionality should align with users' intuitions and prior experiences to avoid confusion and errors.

In security, this principle ensures that:

● Features work consistently and predictably, reducing the risk of users inadvertently compromising security.
● User interfaces and system behaviours are designed to avoid confusion that could lead to security vulnerabilities.

For example, if a password field does not obscure typed characters, users would be astonished because it's against common practice,
and it could lead to a security lapse.
Attack Surface
An attack surface consists of the reachable and exploitable vulnerabilities in a system [BELL16, MANA11,
HOWA03]. Examples of attack surfaces are the following:
● Open ports on outward-facing Web and other servers, and code listening on those ports.
● Services available on the inside of a firewall.
● Code that processes incoming data, e-mail, XML, office documents, and
industry-specific custom data exchange formats.
● Interfaces, SQL, and web forms.
● An employee with access to sensitive information vulnerable to a social engineering attack.
Attack Surface
Attack surfaces can be categorized as follows:

Network attack surface: This category refers to vulnerabilities over an enterprise network, wide area network, or the
Internet. Included in this category are network protocol vulnerabilities, such as those used for a denial-of-service attack,
disruption of communications links, and various forms of intruder attacks.

Software attack surface: This refers to vulnerabilities in application, utility, or operating system code. A particular focus in
this category is Web server software.

Human attack surface: This category refers to vulnerabilities created by personnel or outsiders, such as social
engineering, human error, and trusted insiders.
Attack Tree
An attack tree is a branching,
hierarchical data structure that
represents a set of potential
techniques for exploiting security
vulnerabilities.
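An attack tree is a data structure, so it can be evaluated: the defender marks which leaf steps are blocked by a control and asks whether the root goal is still reachable. The following is an added example written for this lecture, not code from the slides; the goal, the attack steps and the controls are constructed labels that only show how the tree is walked. It models OR nodes (any child suffices) and AND nodes (all children are needed), enumerates the remaining leaf-step combinations, and re-evaluates as controls are applied.

```python
"""Attack tree as a branching AND/OR structure, evaluated from the defender's side.

Added example for this lecture, not from the slides. The goal, the attack
steps and the controls below are constructed labels used only to show how
the tree is walked; they are not drawn from any real system.
"""
from dataclasses import dataclass, field
from itertools import product
from typing import List


@dataclass
class Node:
    name: str
    kind: str = "LEAF"            # "LEAF", "OR" (any child suffices) or "AND" (all children needed)
    children: List["Node"] = field(default_factory=list)
    mitigated: bool = False       # True once a control blocks this leaf step


def residual_paths(node: Node) -> List[frozenset]:
    """Every set of still-unmitigated leaf steps that achieves `node`.

    LEAF: the step itself, unless a control blocks it.
    OR:   the union of the children's paths.
    AND:  one path from every child, merged (cartesian product); if any child
          has no path left, the AND node is blocked.
    """
    if node.kind == "LEAF":
        return [] if node.mitigated else [frozenset([node.name])]
    if node.kind == "OR":
        return [p for child in node.children for p in residual_paths(child)]
    if node.kind == "AND":
        combined = [frozenset()]
        for child in node.children:
            child_paths = residual_paths(child)
            if not child_paths:
                return []
            combined = [a | b for a, b in product(combined, child_paths)]
        return combined
    raise ValueError(f"unknown node kind {node.kind!r}")


def is_achievable(node: Node) -> bool:
    """Is the goal still reachable through at least one unmitigated path?"""
    return bool(residual_paths(node))


def apply_controls(node: Node, blocked_steps) -> None:
    """Mark every leaf whose name is in `blocked_steps` as mitigated (in place)."""
    if node.kind == "LEAF" and node.name in blocked_steps:
        node.mitigated = True
    for child in node.children:
        apply_controls(child, blocked_steps)


def build_sample_tree() -> Node:
    """Constructed tree for the goal 'read customer records'."""
    obtain_credential = Node("Obtain admin credential", "OR", [
        Node("Guess weak password"),
        Node("Phish administrator credential"),
    ])
    log_in_as_admin = Node("Log in as admin", "AND", [
        obtain_credential,
        Node("Reach admin interface from the network"),
    ])
    return Node("Read customer records", "OR", [
        log_in_as_admin,
        Node("Steal unencrypted backup media"),
    ])


if __name__ == "__main__":
    tree = build_sample_tree()
    print("before controls:", [sorted(p) for p in residual_paths(tree)])
    apply_controls(tree, {"Guess weak password", "Steal unencrypted backup media"})
    print("after lockout + backup encryption:", [sorted(p) for p in residual_paths(tree)])
    apply_controls(tree, {"Reach admin interface from the network"})
    print("after restricting the admin interface: achievable =", is_achievable(tree))
```

The residual path list is what owners use to decide where the next control goes: after two controls the constructed goal is still reachable through one combination of steps, and blocking any single step on that combination makes the root unreachable, which is the residual-risk reasoning described under "Incident Response (Countermeasure)" above.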
Computer Security Strategy
Security Policy: A formal statement of rules and practices that specify or regulate how a system or organization provides
security services to protect sensitive and critical system resources.

Security Implementation:
Involves four complementary courses of action:

● Prevention
● Detection
● Response
● Recovery

Assurance:
Encompassing both system design and system implementation, assurance is an attribute of an information system that
provides grounds for having confidence that the system operates such that the system’s security policy is enforced.

Evaluation:

● Process of examining a computer product or system with respect to certain criteria.
● It involves testing and may also involve formal analytical or mathematical techniques.
Standards
Standards have been developed to cover management practices and the overall
architecture of security mechanisms and services.

● The most important organizations that develop these standards are:
● National Institute of Standards and Technology (NIST): NIST is a U.S. federal agency that deals with
measurement science, standards, and technology related to U.S. government use and to the promotion of
U.S. private sector innovation.
● Internet Society (ISOC): ISOC is a professional membership society that provides leadership in addressing
issues that confront the future of the Internet and is the organizational home for the groups responsible for
Internet infrastructure standards.
● International Telecommunication Union (ITU-T): ITU is a United Nations agency in which governments and
the private sector coordinate global telecom networks and services.
● International Organization for Standardization (ISO): ISO is a nongovernmental organization whose work
results in international agreements that are published as International Standards.
Summary
● Computer security concepts
● Definition
● Challenges
● Model
● Threats, attacks, and assets
● Threats and attacks
● Threats and assets
● Security functional requirements
● Standards
● Fundamental security design principles
● Attack surfaces and attack trees
a. Attack surfaces
b. Attack trees
● Computer security strategy
a. Security policy
b. Security implementation
c. Assurance and evaluation
