CW3551 DATA AND INFORMATION SECURITY UNIT 2

UNIT II SECURITY INVESTIGATION


SYLLABUS:
Need for Security, Business Needs, Threats, Attacks, Legal, Ethical
and Professional Issues – An Overview of Computer Security - Access
Control Matrix, Policy-Security policies, Confidentiality policies,
Integrity policies and Hybrid policies

PART A
1. Show with the help of points the 4 important functions for an
organization based on the information security.
Information security performs four important functions for an
organization:
1. Protecting the organization’s ability to function
2. Enabling the safe operation of applications running on the
organization’s IT systems
3. Protecting the data the organization collects and uses
4. Safeguarding the organization’s technology assets

2. Analyze the assets in the organization that require protection.

• Secure infrastructure services appropriate to the size and scope of the
enterprise.
• An integrated system of software, encryption methodologies, and legal
agreements that can be used to support the entire information
infrastructure.
• An organization’s network, including caching network appliances, which are
devices that store local copies of Internet content, such as Web pages
that are frequently accessed by employees.
• Other assets that require protection include the ability of the
organization to function, the safe operation of applications, and
technology assets.

PREPARED BY: Dr. S. ARTHEESWARI, Prof. & HEAD/AI&DS 1



3. Construct with the help of a table any 4 threats with their examples.

4. Examine the meaning of the sentence “data in motion and data at rest”.

• Data in motion, or data in transit, is data moving from one location to
another, whether between computers, between virtual machines, from an
endpoint to cloud storage, or through a private or public network.
• Once it arrives at its destination, data in motion becomes data at rest.

5. What is meant by the term “Information Extortion”?

• Information extortion occurs when an attacker or trusted insider
steals information from a computer system and demands
compensation for its return or for an agreement not to disclose it.
• Information extortion consists of theft of a company's property or
information as an attempt to receive a payment in exchange for
returning the information or property back to its owner, as with
ransomware.
• Extortion is common in credit card number theft.


6. Give the definition of software piracy.

• The most common IP breach is the unlawful use or duplication of
software-based intellectual property, more commonly known as
software piracy.
• Software piracy can be defined as the use of software that is not
properly licensed. That might include copying, modifying, distributing
or selling the software in ways that contravene copyright laws or
license terms.

7. Illustrate the technical mechanisms that have been used to enforce
copyright laws.

• The most common tool, a license agreement window that usually pops
up during the installation of new software, establishes that the user
has read and agrees to the license agreement.
• Another effort to combat piracy is the online registration process.
• Individuals who install software are often asked or even required to
register their software to obtain technical support or the use of all
features.

8. Analyze the major differences between a Threat and an Attack.

| Threat                                                     | Attack                                                         |
|------------------------------------------------------------|----------------------------------------------------------------|
| Threats can be intentional or unintentional.               | The attack is intentional.                                     |
| Threats may or may not be malicious.                       | The attack is malicious.                                       |
| Circumstances that can cause damage.                       | The objective is to cause damage.                              |
| Information may or may not be altered or damaged.          | The chance for information alteration and damage is very high. |
| The threat is comparatively hard to detect.                | Comparatively easy to detect.                                  |
| Can be blocked by control of vulnerabilities.              | Cannot be blocked by just controlling the vulnerabilities.     |
| Can be initiated by the system itself as well as by outsiders. | An attack is always initiated by an outsider (system or user). |
| Can be classified into physical, internal, external, human, and non-physical threats. | Can be classified into viruses, spyware, phishing, worms, spam, botnets, DoS attacks, ransomware, and breaches. |

9. Express the logic behind using a license agreement window and the
use of the online registration process to combat piracy.
• The term licensing agreement refers to a legal, written contract
between two parties wherein the property owner gives permission to
another party to use their brand, patent, or trademark.
• Another effort to combat piracy is the online registration process.
Individuals who install software are often asked or even required to
register their software to obtain technical support or the use of all
features. Some believe that this process compromises personal privacy,
because people never really know exactly what information is obtained
from their computers and sent to the software manufacturer.

10. Discuss about malware.

• Deliberate software attacks occur when an individual or group
designs and deploys software to attack a system. Most of this
software is referred to as malicious code or malicious software, or
sometimes malware.
• These software components or programs are designed to damage,
destroy, or deny service to the target systems.

11. Name the most common methods of virus transmission.

• One of the most common methods of virus transmission is via e-mail
attachment files.
• Among the most common types of information system viruses are
the macro virus, which is embedded in automatically executing
macro code used by word processors, spreadsheets, and database
applications, and the boot virus, which infects the key operating
system files located in a computer’s boot sector.


12. Formulate which management groups are responsible for
implementing information security to protect the organization’s
ability to function.

• Both general management and IT management are responsible for
implementing information security that protects the organization’s
ability to function.
• Responsibility for information security may be assigned to a Chief
Security Officer, Chief Technical Officer, or to an IT Operations
manager whose team includes IT operators and security analysts.

13. Evaluate the measures that individuals can take to protect
themselves from shoulder surfing.

1. Enable two-step verification
• Use two-factor authentication whenever possible, such as a one-time
password (OTP), a mobile device prompt, or the Microsoft or Google
authenticator tools.
2. Construct a physical wall or shield
• To prevent someone standing behind you from seeing your password or
ATM PIN, conceal it with your body. Make sure no one can hear you if
you need to talk on the phone about an OTP or credit card details.
3. Avoid logging into services on computers that other users utilize
• Never use a computer in a public location, including an airport,
railway station, library, or even a display in an electronics store, to
sign into any of your accounts. Secret data may be taken.
4. Avoid using Wi-Fi in public areas
• Do not log in to personal accounts, such as social networking, banking,
and retail websites, on unsafe public Wi-Fi networks. The data can
always be viewed, even when the Wi-Fi link is using WEP, the weakest
protocol.
5. Construct a privacy wall
• On your laptop and phone, use privacy barriers or shields to ensure
that only one person can view what is on the screen.
6. Avoid reusing passwords
• Many people use the same password across several accounts. Use a
different password for each account.


14. Define the meaning of the term ‘Electronic Theft’.

• E-Theft means the transfer of the Client's or insured entity's money,
securities, or other property of value to a person, place, or account
beyond the Client's or insured entity's control as a direct result of a
Data Security Event.

15. Express about the password attacks.

• Password attacks are one of the most common forms of corporate and
personal data breach.
• A password attack is simply an attempt by an attacker to steal your
password, or to guess it repeatedly.
• Types of password attack:
o Brute-force attack
o Man-in-the-middle attack
o Phishing
o Password spraying
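Two of the types listed above, brute force and password spraying, leave very different shapes in an authentication log, and that is how a defender tells them apart. The following is an added example, not part of these notes: the log lines are constructed, and the `timestamp src_ip user result` format and the thresholds are assumptions a real deployment would tune.

```python
"""Distinguish brute-force from password-spraying failures in an auth log.

Added example, not from the notes. The log format 'timestamp src_ip user result'
and the thresholds are assumptions; the log lines below are constructed.
"""
from collections import defaultdict

# Constructed sample: 203.0.113.10 hammers one account (brute force),
# 198.51.100.7 tries many accounts once each (spraying) and eventually
# succeeds against 'frank'; 192.0.2.5 is a user who mistyped once.
SAMPLE_LOG = """\
2024-03-01T09:00:01 203.0.113.10 alice FAIL
2024-03-01T09:00:02 203.0.113.10 alice FAIL
2024-03-01T09:00:03 203.0.113.10 alice FAIL
2024-03-01T09:00:04 203.0.113.10 alice FAIL
2024-03-01T09:00:05 203.0.113.10 alice FAIL
2024-03-01T09:00:06 203.0.113.10 alice FAIL
2024-03-01T09:01:00 198.51.100.7 alice FAIL
2024-03-01T09:01:01 198.51.100.7 bob FAIL
2024-03-01T09:01:02 198.51.100.7 carol FAIL
2024-03-01T09:01:03 198.51.100.7 dave FAIL
2024-03-01T09:01:04 198.51.100.7 erin FAIL
2024-03-01T09:01:05 198.51.100.7 frank OK
2024-03-01T09:02:00 192.0.2.5 bob FAIL
2024-03-01T09:02:30 192.0.2.5 bob OK
"""


def parse_log(text):
    """Return a list of (timestamp, src_ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, user, result = line.split()
            events.append((ts, src, user, result))
    return events


def classify_sources(events, brute_threshold=5, spray_accounts=4, spray_per_account=2):
    """Label each source IP by the shape of its failed logins.

    brute-force:        >= brute_threshold failures against one account
    password-spraying:  failures spread over >= spray_accounts distinct accounts,
                        none tried more than spray_per_account times (stays under
                        a per-account lockout, which is why spraying is hard to
                        see when you only alert per account)
    benign:             anything else (e.g. a single mistyped password)
    """
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failures
    for _, src, user, result in events:
        if result == "FAIL":
            fails[src][user] += 1
    labels = {}
    for src, per_user in fails.items():
        worst = max(per_user.values())
        if worst >= brute_threshold:
            labels[src] = "brute-force"
        elif len(per_user) >= spray_accounts and worst <= spray_per_account:
            labels[src] = "password-spraying"
        else:
            labels[src] = "benign"
    return labels


def successes_from_flagged_sources(events, labels):
    """(src, user) pairs where a flagged source later logged in successfully:
    these are the accounts to treat as probably compromised."""
    return {(src, user) for _, src, user, result in events
            if result == "OK" and labels.get(src, "benign") != "benign"}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    lbls = classify_sources(evts)
    for src, label in sorted(lbls.items()):
        print(f"{src:15} {label}")
    print("review:", successes_from_flagged_sources(evts, lbls))
```

The per-source view is what separates the two: counting failures per account alone would flag the brute-force source and miss the spraying source entirely.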

16. State the various types of malware.

• The more common instances of malware are viruses and worms,
Trojan horses, logic bombs, and back doors.

How do worms differ from viruses?

| Sr.No. | Basis of Comparison | Worms | Virus |
|--------|---------------------|-------|-------|
| 1. | Definition | A worm is a form of malware that replicates itself and can spread to different computers via a network. | A virus is malicious executable code attached to another executable file which can be harmless or can modify or delete data. |
| 2. | Objective | The main objective of worms is to eat the system resources. It consumes system resources such as memory and bandwidth and makes the system so slow that it stops responding. | The main objective of viruses is to modify the information. |
| 3. | Host | It doesn’t need a host to replicate from one computer to another. | It requires a host for spreading. |
| 4. | Harmful | It is less harmful as compared. | It is more harmful. |
| 5. | Detection and Protection | Worms can be detected and removed by antivirus and firewall. | Antivirus software is used for protection against viruses. |
| 6. | Controlled by | Worms can be controlled remotely. | Viruses can’t be controlled remotely. |
| 7. | Execution | Worms are executed via weaknesses in the system. | Viruses are executed via executable files. |
| 8. | Comes from | Worms generally come from downloaded files or through a network connection. | Viruses generally come from shared or downloaded files. |
| 9. | Symptoms | Hampering computer performance by slowing it down; automatic opening and running of programs; sending of emails without your knowledge; affected performance of the web browser; error messages concerning the system and operating system. | Pop-up windows linking to malicious websites; hampering computer performance by slowing it down; after booting, unknown programs start; passwords get changed without your knowledge. |
| 10. | Prevention | Keep your operating system and system updated; avoid clicking on links from untrusted or unknown websites; avoid opening emails from unknown sources; use antivirus software and a firewall. | Install antivirus software; never open email attachments; avoid usage of pirated software; keep your operating system updated; keep your browser updated as old versions are vulnerable to linking to malicious websites. |
| 11. | Types | Internet worms, instant messaging worms, email worms, file sharing worms, and Internet relay chat (IRC) worms are different types of worms. | Boot sector virus, direct action virus, polymorphic virus, macro virus, overwrite virus, and file infector virus are different types of viruses. |
| 12. | Examples | Examples of worms include Morris worm, Storm worm, etc. | Examples of viruses include Creeper, Blaster, Slammer, etc. |
| 13. | Interface | It does not need human action to replicate. | It needs human action to replicate. |
| 14. | Speed | Its spreading speed is faster. | Its spreading speed is slower as compared to worms. |

Do Trojan horses carry viruses or worms?

• True trojans aren't technically viruses because they don't replicate,
but many viruses and worms use trojan tactics to infect a system.
• Although trojans aren't technically viruses, they can be as destructive.
Many people use the term 'trojan' to refer only to non-replicating
malicious programs.

17. Interpret the following terms: Macro Virus & Boot Virus
• The most common types of information system viruses are the macro
virus, which is embedded in automatically executing macro code used
by word processors, spreadsheets, and database applications, and
the boot virus, which infects the key operating system files located in
a computer’s boot sector.


18. Analyze about commonplace security principles.

Commonplace security principles:
• Economy of mechanism: Keep the design as simple and small as
possible.
• Fail-safe defaults: Base access decisions on permission rather than
exclusion.
• Complete mediation: Every access to every object must be checked
for authority.
• Open design: The design should not be secret, but rather depend on
the possession of keys or passwords.
• Separation of privilege: Where feasible, a protection mechanism
should require two keys to unlock, rather than one.
• Least privilege: Every program and every user of the system should
operate using the least set of privileges necessary to complete the job.
• Least common mechanism: Minimize mechanisms (or shared
variables) common to more than one user and depended on by all
users.
• Psychological acceptability: It is essential that the human interface
be designed for ease of use, so that users routinely and automatically
apply the protection mechanisms correctly.
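Fail-safe defaults, complete mediation and least privilege are easiest to see in a small access check. The following is an added illustration, not part of these notes: the permission store, the subjects (alice, bob, eve) and the object name `payroll.db` are constructed, and the two checker classes are hypothetical, not any real system's API.

```python
"""Fail-safe defaults and complete mediation, shown on a toy access check.

Added illustration, not from the notes. The permission store, subjects and
object names are constructed; nothing here is a real system's API.
"""

# Allowlist: (subject, object) -> rights explicitly granted (constructed).
ALLOW = {
    ("alice", "payroll.db"): {"read"},
    ("bob", "payroll.db"): {"read", "write"},
}
# Denylist used by the exclusion-based checker (constructed).
DENY = {("mallory", "payroll.db")}


def exclusion_check(subject, obj, right):
    """Decides by exclusion: permitted unless explicitly denied.
    Anyone the list does not know about (a new account, a typo) gets through,
    which is exactly what 'fail-safe defaults' warns against."""
    return (subject, obj) not in DENY


def permission_check(subject, obj, right, allow=ALLOW):
    """Decides by permission: denied unless the right is explicitly granted.
    An unknown subject or an ungranted right falls to the safe default, deny."""
    return right in allow.get((subject, obj), set())


class CachedChecker:
    """Remembers earlier decisions to save lookups. A revocation made after a
    decision is cached is never seen: complete mediation is violated."""

    def __init__(self, allow):
        self.allow = allow
        self.cache = {}

    def check(self, subject, obj, right):
        key = (subject, obj, right)
        if key not in self.cache:
            self.cache[key] = permission_check(subject, obj, right, self.allow)
        return self.cache[key]


class MediatedChecker:
    """Consults the authority on every access, so revocation takes effect at once."""

    def __init__(self, allow):
        self.allow = allow

    def check(self, subject, obj, right):
        return permission_check(subject, obj, right, self.allow)


def revoke(allow, subject, obj, right):
    """Remove one right from the store; has no effect on unknown pairs."""
    allow.get((subject, obj), set()).discard(right)


def run_scenario():
    """Exercise the three principles and return the decisions for inspection."""
    allow = {k: set(v) for k, v in ALLOW.items()}  # private copy of the store
    cached, mediated = CachedChecker(allow), MediatedChecker(allow)
    out = {}
    # Fail-safe defaults: 'eve' appears in neither list.
    out["eve_exclusion"] = exclusion_check("eve", "payroll.db", "write")    # True: fails open
    out["eve_permission"] = permission_check("eve", "payroll.db", "write")  # False: fails closed
    # Least privilege: alice was granted read only, so write is refused.
    out["alice_write"] = permission_check("alice", "payroll.db", "write")   # False
    # Complete mediation: bob's write right is revoked after the first check.
    out["bob_before"] = (cached.check("bob", "payroll.db", "write"),
                         mediated.check("bob", "payroll.db", "write"))      # (True, True)
    revoke(allow, "bob", "payroll.db", "write")
    out["bob_after"] = (cached.check("bob", "payroll.db", "write"),
                        mediated.check("bob", "payroll.db", "write"))       # (True, False)
    return out


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name:15} {value}")
```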

19. List any five attacks that are used against controlled systems.
ND 2023
• Malware is the most common form of cybersecurity threat, primarily
because it comes in many forms.
• These include ransomware, which is also part of the list. Other
examples are adware, spyware, trojans, and worms.

20. What is the difference between a denial-of-service attack and a
distributed denial-of-service attack? Which is more dangerous? Why?

| DoS                                                        | DDoS                                                          |
|------------------------------------------------------------|---------------------------------------------------------------|
| DoS stands for Denial of Service attack.                   | DDoS stands for Distributed Denial of Service attack.         |
| In a DoS attack a single system targets the victim system. | In a DDoS attack multiple systems attack the victim system.   |
| The victim PC is loaded with packets of data sent from a single location. | The victim PC is loaded with packets of data sent from multiple locations. |
| A DoS attack is slower as compared to DDoS.                | A DDoS attack is faster than a DoS attack.                    |
| Can be blocked easily as only one system is used.          | It is difficult to block this attack as multiple devices are sending packets and attacking from multiple locations. |
| In a DoS attack only a single device is used with DoS attack tools. | In a DDoS attack, volume bots are used to attack at the same time. |
| DoS attacks are easy to trace.                             | DDoS attacks are difficult to trace.                          |
| The volume of traffic in a DoS attack is less as compared to DDoS. | DDoS attacks allow the attacker to send massive volumes of traffic to the victim network. |
| Types of DoS attacks are: 1. Buffer overflow attacks 2. Ping of Death or ICMP flood 3. Teardrop attack 4. Flooding attack | Types of DDoS attacks are: 1. Volumetric attacks 2. Fragmentation attacks 3. Application layer attacks 4. Protocol attacks |

A DDoS attack is more dangerous because it comes from multiple locations and
can be deployed much faster than a DoS attack that originates from a single
location. The increased speed of attack makes detecting it more difficult,
meaning increased damage or even a catastrophic outcome.
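The rows "can be blocked easily as only one system is used" versus "difficult to block" can be made concrete by profiling a traffic window. This is an added example, not from the notes: the per-source packet counts are constructed, the `198.51.100.x` bot addresses are documentation ranges, and the baseline and group-size thresholds are assumptions a real deployment would tune.

```python
"""Profile a traffic window as single-source (DoS) or distributed (DDoS) and
show why blocking sources works for one and not the other.

Added example, not from the notes. The flow records are constructed per-source
packet counts for one time window; the baseline and group thresholds are
assumptions a real deployment would tune.
"""
from collections import Counter

# Constructed windows: (source_ip, packets_in_window).
DOS_WINDOW = [("203.0.113.10", 50_000), ("192.0.2.1", 20), ("192.0.2.2", 15)]
DDOS_WINDOW = [(f"198.51.100.{i}", 250) for i in range(1, 201)] + [("192.0.2.1", 20)]


def attack_sources(flows, baseline_pps=100):
    """Sources sending more than the normal per-source baseline, noisiest first."""
    counts = Counter()
    for src, pkts in flows:
        counts[src] += pkts
    noisy = {src: n for src, n in counts.items() if n > baseline_pps}
    return sorted(noisy.items(), key=lambda kv: kv[1], reverse=True)


def attack_profile(flows, baseline_pps=100, distributed_min=10):
    """Summarize the window the way the DoS/DDoS table contrasts them:
    how many locations the excess traffic comes from and how concentrated it is."""
    noisy = attack_sources(flows, baseline_pps)
    total_attack = sum(n for _, n in noisy)
    if not noisy:
        kind = "no attack"
    elif len(noisy) == 1:
        kind = "single-source (DoS)"
    elif len(noisy) >= distributed_min:
        kind = "distributed (DDoS)"
    else:
        kind = "small group"
    return {
        "kind": kind,
        "sources": len(noisy),
        "attack_packets": total_attack,
        # Share of the attack carried by the single noisiest source.
        "top_source_share": (noisy[0][1] / total_attack) if noisy else 0.0,
    }


def residual_after_blocking(flows, n_blocked, baseline_pps=100):
    """Fraction of attack traffic still arriving after blocking the n noisiest
    sources: 'can be blocked easily' versus 'difficult to block' in numbers."""
    noisy = attack_sources(flows, baseline_pps)
    total = sum(n for _, n in noisy)
    if total == 0:
        return 0.0
    remaining = sum(n for _, n in noisy[n_blocked:])
    return remaining / total


if __name__ == "__main__":
    for name, window in (("DoS", DOS_WINDOW), ("DDoS", DDOS_WINDOW)):
        print(name, attack_profile(window),
              "left after blocking 1 source:", residual_after_blocking(window, 1))
```

Blocking the one noisy source ends the constructed DoS window outright, while blocking fifty of the two hundred DDoS sources still leaves three quarters of the attack traffic arriving.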

21. What is intellectual property?

• Intellectual property is “the ownership of ideas and control over the
tangible or virtual representation of those ideas”.
• Many organizations are in business to create intellectual property:
o trade secrets
o copyrights
o trademarks
o patents
22. Express the logic behind the use of the online registration process to
combat piracy. ND 2023
• Another effort to combat piracy is the online registration process.
• Individuals who install software are often asked or even required to
register their software to obtain technical support or the use of all
features.
• Some believe that this process compromises personal privacy,
because people never really know exactly what information is
obtained from their computers and sent to the software
manufacturer.

23. What is a policy? How is it different from law?

• Policies: A body of expectations that describe acceptable and
unacceptable employee behaviors in the workplace.
• A policy functions as organizational law, complete with penalties,
judicial practices, and sanctions to require compliance.
• The difference between a policy and a law, however, is that ignorance
of a policy is an acceptable defense.


PART B
1. Discuss in detail the need for security and business needs in information
security.
• Need For Security
o Key reasons why information security is important
o Business Needs First
o Protecting the Functionality of an Organization
o Enabling the Safe Operation of Applications
o Protecting Data that Organizations Collect and Use
o Safeguarding Technology Assets in Organizations

• Need For Security

• The purpose of information security management is to ensure business
continuity and reduce business damage by preventing and minimizing the
impact of security incidents.
• An Information Security Management System (ISMS) enables information
to be shared, whilst ensuring the protection of information and computing
assets.
• Information security is essential for protecting sensitive and valuable data
from unauthorized access, use, disclosure, disruption, modification, or
destruction.

Key reasons why information security is important:

• Protecting Confidential Information:
Confidential information, such as personal data, financial records, trade
secrets, and intellectual property, must be kept secure to prevent it from
falling into the wrong hands. This type of information is valuable and can
be used for identity theft, fraud, or other malicious purposes.
• Complying with Regulations:
Many industries, such as healthcare, finance, and government, are
subject to strict regulations and laws that require them to protect
sensitive data. Failure to comply with these regulations can result in legal
and financial penalties, as well as damage to the organization’s
reputation.
• Maintaining Business Continuity:
Information security helps ensure that critical business operations can
continue in the event of a disaster, such as a cyber-attack or natural
disaster. Without proper security measures in place, an organization’s
data and systems could be compromised, leading to significant downtime
and lost revenue.

• Protecting Customer Trust:
Customers expect organizations to keep their data safe and secure.
Breaches or data leaks can erode customer trust, leading to a loss of
business and damage to the organization’s reputation.
• Preventing Cyber-attacks:
Cyber-attacks, such as viruses, malware, phishing, and ransomware, are
becoming increasingly sophisticated and frequent. Information security
helps prevent these attacks and minimizes their impact if they do occur.
• Protecting Employee Information:
Organizations also have a responsibility to protect employee data, such as
payroll records, health information, and personal details. This information
is often targeted by cybercriminals, and its theft can lead to identity theft
and financial fraud.

• Business Needs First

Information security performs four important functions for an organization:
1. Protecting the organization’s ability to function
2. Enabling the safe operation of applications running on the organization’s
IT systems
3. Protecting the data the organization collects and uses
4. Safeguarding the organization’s technology assets

• Protecting the Functionality of an Organization

• Both general management and IT management are responsible for
implementing information security that protects the organization’s ability
to function.
• Managing information security has more to do with policy and its
enforcement than with the technology of its implementation.
• A lot of information security is simply good management of information
technology.
• Each of an organization’s communities of interest must address
information security in terms of business impact and the cost of business
interruption, rather than isolating security as a technical problem.

• Enabling the Safe Operation of Applications

• Today’s organizations are under immense pressure to acquire and operate
integrated, efficient, and capable applications.
• A modern organization needs to create an environment that safeguards
these applications, particularly those that are important elements of the
organization’s infrastructure—operating system platforms, electronic mail
(e-mail), and instant messaging (IM) applications.

• Organizations acquire these elements from a service provider or they
build their own.
• Once an organization’s infrastructure is in place, management must
continue to oversee it, and not relegate its management to the IT
department.

• Protecting Data that Organizations Collect and Use

• Without data, an organization loses its record of transactions and/or its
ability to deliver value to its customers.
• Any business, educational institution, or government agency operating
within the modern context of connected and responsive services relies on
information systems.
• Even when transactions are not online, information systems and the data
they process enable the creation and movement of goods and services.
• Therefore, protecting data in motion and data at rest are both critical
aspects of information security.
• The value of data motivates attackers to steal, sabotage, or corrupt it.
• An effective information security program implemented by management
protects the integrity and value of the organization’s data.

• Safeguarding Technology Assets in Organizations

• To perform effectively, organizations must employ secure infrastructure
services appropriate to the size and scope of the enterprise.
• For instance, a small business may get by using an e-mail service
provided by an ISP and augmented with a personal encryption tool.
• When an organization grows, it must develop additional security services.
• For example, organizational growth could lead to the need for public key
infrastructure (PKI), an integrated system of software, encryption
methodologies, and legal agreements that can be used to support the
entire information infrastructure.
• Into each of the digital certificates, a certificate authority embeds an
individual’s or an organization’s public encryption key, along with other
identifying information, and then cryptographically signs the certificate
with a tamper-proof seal, thus verifying the integrity of the data within
the certificate and validating its use.
• In general, as an organization’s network grows to accommodate changing
needs, more robust technology solutions should replace security
programs the organization has outgrown.
• An example of a robust solution is a firewall, a mechanism that keeps
certain kinds of network traffic out of a private network.

• Another example is caching network appliances, which are devices that
store local copies of Internet content, such as Web pages that are
frequently accessed by employees.
• The appliance displays the cached pages to users, rather than accessing
the pages from the server each time.

2. Define threat and explain the various types of threat.

Threat
• In information security, a threat is an event or occurrence that would
impact the organization in a negative way.
• This means it could damage core processes, its mission, image, or even
reputation.
• Threats can come from outside or inside the organization.

Types of Threats
• Compromises to Intellectual Property
• Deliberate Software Attacks
1. Virus
2. Worms
3. Trojan Horses
4. Back Door or Trap Door
5. Polymorphic Threats
6. Virus and Worm Hoaxes
• Deviations in Quality of Service
• Internet Service Issues
• Communications and Other Service Provider Issues
• Power Irregularities
• Espionage or Trespass
• Forces of Nature
1. Fire
2. Flood
3. Earthquake
4. Lightning
5. Landslide or mudslide
6. Tornado or severe windstorm
7. Hurricane or typhoon
8. Tsunami
9. Electrostatic discharge (ESD)
10. Dust contamination
• Human Error or Failure
• Information Extortion
• Missing, Inadequate, or Incomplete Organizational Policy or Planning
• Missing, Inadequate, or Incomplete Controls
• Sabotage or Vandalism
• Theft
• Technical Hardware Failures or Errors
• Technical Software Failures or Errors
• Technological Obsolescence

• Compromises to Intellectual Property

• Many organizations create, or support the development of, intellectual
property (IP) as part of their business operations.
• Intellectual property is defined as “the ownership of ideas and control
over the tangible or virtual representation of those ideas”.
• Use of another person’s intellectual property may or may not involve
royalty payments or permission, but should always include proper credit
to the source.
• Intellectual property can be trade secrets, copyrights, trademarks, and
patents.
• The unauthorized appropriation of IP constitutes a threat to information
security.
• Employees may have access privileges to the various types of IP, and may
be required to use the IP to conduct day-to-day business.
• Organizations often purchase or lease the IP of other organizations, and
must abide by the purchase or licensing agreement for its fair and
responsible use.
• The most common IP breach is the unlawful use or duplication of
software-based intellectual property, more commonly known as software
piracy.
• Software piracy can be defined as the use of software that is not properly
licensed. That might include copying, modifying, distributing or selling
the software in ways that contravene copyright laws or license terms.
• If the user copies the program to another computer without securing
another license or transferring the license, he or she has violated the
copyright.
• The Offline, “Violating Software Licenses,” describes a classic case of this
type of copyright violation.
• Software licenses are strictly enforced by a number of regulatory and
private organizations, and software publishers use several control
mechanisms to prevent copyright infringement.
• The most common tool, a license agreement window that usually pops up
during the installation of new software, establishes that the user has read
and agrees to the license agreement.
• Another effort to combat piracy is the online registration process.
• Individuals who install software are often asked or even required to
register their software to obtain technical support or the use of all
features.
• Some believe that this process compromises personal privacy, because
people never really know exactly what information is obtained from their
computers and sent to the software manufacturer.

• Deliberate Software Attacks

• Deliberate software attacks occur when an individual or group designs
and deploys software to attack a system. Most of this software is referred
to as malicious code or malicious software, or sometimes malware.
• These software components or programs are designed to damage, destroy,
or deny service to the target systems.
• Some of the more common instances of malicious code are viruses and
worms, Trojan horses, logic bombs, and back doors.
• Prominent among the history of notable incidences of malicious code are
the denial-of-service attacks.
1. Virus
• A computer virus consists of segments of code that perform malicious
actions.
• The code attaches itself to an existing program and takes control of that
program’s access to the targeted computer.
• The virus-controlled target program then carries out the virus’s plan by
replicating itself into additional targeted systems.
• Many times users unwittingly help viruses get into a system.
• Opening infected e-mail or some other seemingly trivial action can cause
anything from random messages popping up on a user’s screen to the
complete destruction of entire hard drives of data.
• Computer viruses are passed from machine to machine via physical
media, e-mail, or other forms of computer data transmission.
• When these viruses infect a machine, they may immediately scan the
local machine for e-mail applications, or even send themselves to every
user in the e-mail address book.
• One of the most common methods of virus transmission is via e-mail
attachment files.
• Most organizations block e-mail attachments of certain types and also
filter all e-mail for known viruses.
• Among the most common types of information system viruses are the
macro virus, which is embedded in automatically executing macro code
used by word processors, spreadsheets, and database applications, and
the boot virus, which infects the key operating system files located in a
computer’s boot sector.

2. Worms
• A worm is a malicious program that replicates itself constantly, without
requiring another program environment.
• Worms can continue replicating themselves until they completely fill
available resources, such as memory, hard drive space, and network
bandwidth.
• Code Red, Sircam, Nimda, and Klez are examples of a class of worms that
combines multiple modes of attack into a single package.
• News-making attacks, such as MS-Blaster, MyDoom, and Netsky, are
variants of the multifaceted attack worms and viruses that exploit
weaknesses in the leading operating systems and applications.
• The complex behaviour of worms can be initiated with or without the user
downloading or executing the file.
• Once the worm has infected a computer, it can redistribute itself to all
e-mail addresses found on the infected system.
• Furthermore, a worm can deposit copies of itself onto all Web servers that
the infected system can reach, so that users who subsequently visit those
sites become infected.
• Worms also take advantage of open shares found on the network in which
an infected system is located, placing working copies of the worm code
onto the server so that users of those shares are likely to become infected.

3. Trojan Horses
 Trojan horses are software programs that hide their true nature and
reveal their designed behaviour only when activated.
 Figure 2.1 outlines a typical Trojan horse attack.
 Around January 20, 1999, Internet e-mail users began receiving e-mail
with an attachment of a Trojan horse program named Happy99.exe.
When the e-mail attachment was opened, a brief multimedia program
displayed fireworks and the message "Happy 1999." While the fireworks
display was running, the Trojan horse program was installing itself into
the user’s system. The program continued to propagate itself by following
up every e-mail the user sent with a second e-mail to the same recipient
that contained the Happy99 Trojan horse program.


Figure 2.1 – Trojan Horse Attack

4. Back Door or Trap Door


 A virus or worm can have a payload that installs a back door or trap
door component in a system, which allows the attacker to access the
system with special privileges.
 Examples of these kinds of payloads include Subseven and Back Orifice.

5. Polymorphic Threats
 One of the biggest challenges to fighting viruses and worms has been the
emergence of polymorphic threats.
 A polymorphic threat is one that over time changes the way it appears
to antivirus software programs, making it undetectable by techniques
that look for preconfigured signatures.
 These viruses and worms actually evolve, changing their size and other
external file characteristics to elude detection by antivirus software
programs.

6. Virus and Worm Hoaxes


 Well-meaning people can disrupt the harmony and flow of an organization
when they send group e-mails warning of supposedly dangerous viruses
that don’t exist.
 When people fail to follow virus-reporting procedures, the network
becomes overloaded, and much time and energy is wasted as users
forward the warning message to everyone they know, post the message on
bulletin boards, and try to update their antivirus protection software.
 A number of Internet resources enable individuals to research viruses to
determine if they are fact or fiction.


 Deviations in Quality of Service


 An organization’s information system depends on the successful
operation of many interdependent support systems, including power
grids, telecom networks, parts suppliers, service vendors, and even the
janitorial staff and garbage haulers.
 Any one of these support systems can be interrupted by storms, employee
illnesses, or other unforeseen events.
 Deviations in quality of service can result from incidents such as a
backhoe taking out a fibre-optic link for an ISP.
 The backup provider may be online and in service, but may be able to
supply only a fraction of the bandwidth the organization needs for full
service.
 This degradation of service is a form of availability disruption.
Irregularities in Internet service, communications, and power supplies
can dramatically affect the availability of information and systems.
1. Internet Service Issues
 In organizations that rely heavily on the Internet and the World Wide Web
to support continued operations, Internet service provider failures can
considerably undermine the availability of information.
 Many organizations have sales staff and telecommuters working at
remote locations.
 When these offsite employees cannot contact the host systems, they must
use manual procedures to continue operations.
 When an organization places its Web servers in the care of a Web hosting
provider, that provider assumes responsibility for all Internet services as
well as for the hardware and operating system software used to operate
the Web site.
 These Web hosting services are usually arranged with an agreement
providing minimum service levels known as a Service Level Agreement
(SLA).
 When a service provider fails to meet the SLA, the provider may accrue
fines to cover losses incurred by the client, but these payments seldom
cover the losses generated by the outage.
2. Communications and Other Service Provider Issues
 Other utility services can affect organizations as well.
 Among these are telephone, water, wastewater, trash pickup, cable
television, natural or propane gas, and custodial services.
 The loss of these services can impair the ability of an organization to
function.
 For instance, most facilities require water service to operate an air-
conditioning system.


 If a wastewater system fails, an organization might be prevented from
allowing employees into the building.
3. Power Irregularities
 Irregularities from power utilities are common and can lead to
fluctuations such as power excesses, power shortages, and power losses.
 This can pose problems for organizations that provide inadequately
conditioned power for their information systems equipment.
 When voltage levels spike (experience a momentary increase), or surge
(experience a prolonged increase), the extra voltage can severely damage
or destroy equipment.
 Equally disruptive are power shortages from a lack of available power.
 A momentary low voltage or sag, or a more prolonged drop in voltage,
known as a brownout, can cause systems to shut down or reset, or
otherwise disrupt availability.
 Complete loss of power for a moment is known as a fault, and a more
lengthy loss as a blackout.
 Because sensitive electronic equipment, especially networking
equipment, computers, and computer-based systems, is vulnerable to these
fluctuations, controls should be applied to manage power quality.
 An uninterruptible power supply (UPS), although more expensive than a
simple surge protector, can protect against spikes and surges as well as
against sags and even blackouts of limited duration.

 Espionage or Trespass
 Espionage or trespass is a well-known and broad category of electronic
and human activities that can breach the confidentiality of information.
 When an unauthorized individual gains access to the information an
organization is trying to protect, that act is categorized as espionage or
trespass.
 Attackers can use many different methods to access the information
stored in an information system. Some information gathering techniques
are quite legal, for example, using a Web browser to perform market
research. These legal techniques are called, collectively, competitive
intelligence.
 When information gatherers employ techniques that cross the threshold
of what is legal or ethical, they are conducting industrial espionage.
 Some forms of espionage are relatively low tech.
 One example, called shoulder surfing, is pictured in Figure 2.2.


Figure 2.2 – Shoulder Surfing

 This technique is used in public or semipublic settings when individuals
gather information they are not authorized to have by looking over
another individual's shoulder or viewing the information from a distance.
 Instances of shoulder surfing occur at computer terminals, desks, ATM
machines, on the bus or subway where people use smartphones and
tablet PCs, or other places where a person is accessing confidential
information.
Measures that individuals can take to protect themselves from
shoulder surfing
1. Turn on two-step verification
 Use two-factor authentication wherever it is offered, such as a
one-time password (OTP), a confirmation on a registered mobile device,
or an authenticator app such as Microsoft Authenticator or Google
Authenticator. A password seen over your shoulder is then not enough
on its own.
2. Shield the keypad or screen
 To stop someone standing behind you from seeing a password or ATM
PIN, cover the keypad with your hand or body. If you must read out an
OTP or card details on the phone, make sure nobody nearby can hear you.
3. Avoid logging in from shared computers
 Never sign in to your accounts from a computer in a public place,
such as an airport, railway station, library, or a demonstration unit
in an electronics store. Credentials entered there may be captured.


4. Avoid using public Wi-Fi for sensitive accounts
 Do not log in to personal accounts such as social networking,
banking, or retail sites over untrusted public Wi-Fi. Traffic on such
networks can be observed by anyone else on them unless the application
itself encrypts it (for example with HTTPS), and the exposure is worst
when the network is open or uses WEP, the weakest and long-broken
Wi-Fi protection.
5. Use a privacy screen
 Fit a privacy filter to your laptop and phone screens so that only
a person looking straight at the display can read it.
6. Do not reuse passwords
 Many people use the same password for several accounts, so one
password glimpsed over a shoulder can open all of them. Use a
different password for each account.

 The classic perpetrator of espionage or trespass is the hacker. Hackers
are "people who use and create computer software [to] gain access to
information illegally."
 See Figure 2.3 for a hacker profile.

Figure 2.3 – Hacker Profile

 In the real world, a hacker frequently spends long hours examining the
types and structures of the targeted systems and uses skill, guile, or
fraud to attempt to bypass the controls placed around information that is
the property of someone else.
 There are generally two skill levels among hackers.
 The first is the expert hacker, or elite hacker, who develops software
scripts and program exploits used by those in the second category, the
novice or unskilled hacker.
 The expert hacker is usually a master of several programming languages,
networking protocols, and operating systems and also exhibits a mastery
of the technical environment of the chosen targeted system.


 Once an expert hacker chooses a target system, the likelihood that he or
she will successfully enter the system is high.
 Expert hackers, dissatisfied with attacking systems directly, have turned
their attention to writing software. These programs are automated
exploits that allow novice hackers to act as script kiddies—hackers of
limited skill who use expertly written software to attack a system—or
packet monkeys—script kiddies who use automated exploits to engage
in distributed denial-of-service attacks.
 The good news is that if an expert hacker can post a script tool where a
script kiddie or packet monkey can find it, then systems and security
administrators can find it, too.
 The developers of protection software and hardware and the service
providers who keep defensive systems up to date also keep themselves
informed of the latest in exploit scripts.
 As a result of preparation and continued vigilance, attacks conducted by
scripts are usually predictable and can be adequately defended against.
 There are other terms for system rule breakers that may be less familiar.
 The term cracker is now commonly associated with an individual who
cracks or removes software protection that is designed to prevent
unauthorized duplication.
 With the removal of the copyright protection, the software can be easily
distributed and installed.
 The terms hacker and cracker in current usage denote criminal intent.
 A phreaker hacks the public telephone network to make free calls or
disrupt services.

 Forces of Nature
 Forces of nature, can present some of the most dangerous threats,
because they usually occur with very little warning and are beyond the
control of people.
 These threats, which include events such as fires, floods, earthquakes,
and lightning as well as volcanic eruptions and insect infestations, can
disrupt not only the lives of individuals but also the storage,
transmission, and use of information.
 Some of the more common threats are
1. Fire:
 Usually a structural fire that damages a building housing computing
equipment that comprises all or part of an information system, as well
as smoke damage and/or water damage from sprinkler systems or fire
fighters.


 This threat can usually be mitigated with fire casualty insurance
and/or business interruption insurance.
2. Flood:
 An overflowing of water onto an area that is normally dry, causing
direct damage to all or part of the information system or to the
building that houses all or part of the information system.
 A flood might also disrupt operations through interruptions in access
to the buildings that house all or part of the information system.
 This threat can sometimes be mitigated with flood insurance and/or
business interruption insurance.
3. Earthquake:
 A sudden movement of the earth’s crust caused by the release of
stress accumulated along geologic faults or by volcanic activity.
 Earthquakes can cause direct damage to all or part of the information
system or, more often, to the building that houses it, and can also
disrupt operations through interruptions in access to the buildings
that house all or part of the information system.
 This threat can sometimes be mitigated with specific casualty
insurance and/or business interruption insurance, but is usually a
separate policy.
4. Lightning:
 An abrupt, discontinuous natural electric discharge in the
atmosphere.
 Lightning usually directly damages all or part of the information
system and/or its power distribution components.
 It can also cause fires or other damage to the building that houses all
or part of the information system, and disrupt operations by
interfering with access to the buildings that house all or part of the
information system.
 This threat can usually be mitigated with multipurpose casualty
insurance and/or business interruption insurance.
5. Landslide or mudslide:
 The downward sliding of a mass of earth and rock directly damaging
all or part of the information system or, more likely, the building that
houses it.
 Land- or mudslides also disrupt operations by interfering with access
to the buildings that house all or part of the information system.
 This threat can sometimes be mitigated with casualty insurance
and/or business interruption insurance.


6. Tornado or severe windstorm:
 A rotating column of air ranging in width from a few yards to more
than a mile and whirling at destructively high speeds, usually
accompanied by a funnel-shaped downward extension of a
cumulonimbus cloud.
 Storms can directly damage all or part of the information system or,
more likely, the building that houses it, and can also interrupt access
to the buildings that house all or part of the information system.
 This threat can sometimes be mitigated with casualty insurance
and/or business interruption insurance.
7. Hurricane or typhoon:
 A severe tropical cyclone originating in the equatorial regions of the
Atlantic Ocean or Caribbean Sea or eastern regions of the Pacific
Ocean (typhoon), traveling north, northwest, or northeast from its
point of origin, and usually involving heavy rains.
 These storms can directly damage all or part of the information
system or, more likely, the building that houses it.
 Organizations located in coastal or low-lying areas may experience
flooding (see above).
 These storms may also disrupt operations by interrupting access to
the buildings that house all or part of the information system.
 This threat can sometimes be mitigated with casualty insurance
and/or business interruption insurance.
8. Tsunami:
 A very large ocean wave caused by an underwater earthquake or
volcanic eruption.
 These events can directly damage all or part of the information system
or, more likely, the building that houses it.
 Organizations located in coastal areas may experience tsunamis.
Tsunamis may also cause disruption to operations through
interruptions in access or electrical power to the buildings that house
all or part of the information system.
 This threat can sometimes be mitigated with casualty insurance
and/or business interruption insurance.
9. Electrostatic discharge (ESD):
 Usually, static electricity and ESD are little more than a nuisance.
 Static electricity can draw dust into clean-room environments or
cause products to stick together.
 The cost of ESD-damaged electronic devices and interruptions to
service can range from only a few cents to several millions of dollars
for critical systems.


 While not usually viewed as a threat, ESD can disrupt information
systems, but it is not usually an insurable loss unless covered by
business interruption insurance.
10. Dust contamination:
 Because dust contamination can shorten the life of information
systems or cause unplanned downtime, this threat can disrupt
normal operations.
Since it is not possible to avoid force of nature threats, organizations
must implement controls to limit damage, and they must also prepare
contingency plans for continued operations, such as disaster recovery
plans, business continuity plans, and incident response plans.

 Human Error or Failure


 This category includes acts performed without intent or malicious
purpose by an authorized user.
 When people use information systems, mistakes happen. Inexperience,
improper training, and incorrect assumptions are just a few things
that can cause these misadventures.
 One of the greatest threats to an organization’s information security is the
organization’s own employees.
 Employees are the threat agents closest to the organizational data.
Because employees use data in everyday activities to conduct the
organization’s business, their mistakes represent a serious threat to the
confidentiality, integrity, and availability of data.
 This is because employee mistakes can easily lead to the following:
revelation of classified data, entry of erroneous data, accidental deletion
or modification of data, storage of data in unprotected areas, and failure
to protect information.
 Leaving classified information in unprotected areas, such as on a
desktop, on a Web site, or even in the trash can, is as much a threat to
the protection of the information as is the individual who seeks to exploit
the information, because one person’s carelessness can create a
vulnerability and thus an opportunity for an attacker.
 However, if someone damages or destroys data on purpose, the act
belongs to a different threat category.
 Much human error or failure can be prevented with training and ongoing
awareness activities, but also with controls, ranging from simple
procedures, such as requiring the user to type a critical command twice,
to more complex procedures, such as the verification of commands by a
second party.


 Information Extortion
 Information extortion occurs when an attacker or trusted insider steals
information from a computer system and demands compensation for its
return or for an agreement not to disclose it.
 Extortion is common in credit card number theft.

 Missing, Inadequate, or Incomplete Organizational Policy or Planning


 Missing, inadequate, or incomplete organizational policy or planning
makes an organization vulnerable to loss, damage, or disclosure of
information assets when other threats lead to attacks. Information
security is, at its core, a management function.
 The organization’s executive leadership is responsible for strategic
planning for security as well as for IT and business functions—a task
known as governance.

 Missing, Inadequate, or Incomplete Controls


 Missing, inadequate, or incomplete controls—that is, security safeguards
and information asset protection controls that are missing,
misconfigured, antiquated, or poorly designed or managed—make an
organization more likely to suffer losses when other threats lead to
attacks.
 For example, if a small organization installs its first network using small
office/home office (SOHO) equipment and fails to upgrade its network
equipment as it becomes larger, the increased traffic can affect
performance and cause information loss.
 Routine security audits to assess the current levels of protection help to
ensure the continuous protection of organization’s assets.

 Sabotage or Vandalism
 This category of threat involves the deliberate sabotage of a computer
system or business, or acts of vandalism to either destroy an asset or
damage the image of an organization.
 These acts can range from petty vandalism by employees to organized
sabotage against an organization.
 Vandalism to a Web site can erode consumer confidence, thus
diminishing an organization’s sales and net worth, as well as its
reputation.
 Compared to Web site defacement, vandalism within a network is more
malicious in intent and less public.
 A much more sinister form of hacking is cyber terrorism.


 Cyber terrorists hack systems to conduct terrorist activities via network
or Internet pathways.
 The United States and other governments are developing security
measures intended to protect the critical computing and communications
networks as well as the physical and power utility infrastructures.

 Theft
 The threat of theft—the illegal taking of another’s property, which can be
physical, electronic, or intellectual—is a constant.
 The value of information is diminished when it is copied without the
owner’s knowledge.
 Physical theft can be controlled quite easily by means of a wide variety of
measures, from locked doors to trained security personnel and the
installation of alarm systems.
 Electronic theft, however, is a more complex problem to manage and
control.
 E-theft, as the term is used in cyber-insurance policies, means the
transfer of the client's or insured entity's money, securities, or other
property of value to a person, place, or account beyond the client's or
insured entity's control as a direct result of a data security event.
 When someone steals a physical object, the loss is easily detected; if it
has any importance at all, its absence is noted.
 When electronic information is stolen, the crime is not always readily
apparent.
 If thieves are clever and cover their tracks carefully, no one may ever
know of the crime until it is far too late.

 Technical Hardware Failures or Errors


 Technical hardware failures or errors occur when a manufacturer
distributes equipment containing a known or unknown flaw.
 These defects can cause the system to perform outside of expected
parameters, resulting in unreliable service or lack of availability.
 Some errors are terminal—that is, they result in the unrecoverable loss of
the equipment.
 Some errors are intermittent, in that they only periodically manifest
themselves, resulting in faults that are not easily repeated, and thus,
equipment can sometimes stop working, or work in unexpected ways.
 Murphy’s Law (and yes, there really was a Murphy) says that if something
can possibly go wrong, it will. In other words, it’s not if something will
fail, but when.


 One of the best-known hardware failures is that of the Intel Pentium II
chip, which had a defect that resulted in a calculation error under certain
circumstances.

 Technical Software Failures or Errors


 Large quantities of computer code are written, debugged, published, and
sold before all their bugs are detected and resolved.
 Sometimes, combinations of certain software and hardware reveal new
bugs.
 These failures range from bugs to untested failure conditions.
 Sometimes these bugs are not errors, but rather purposeful shortcuts left
by programmers for benign or malign reasons.
 Software bugs are so commonplace that entire Web sites are dedicated to
documenting them.

 Technological Obsolescence
 Antiquated or out dated infrastructure can lead to unreliable and
untrustworthy systems.
 Management must recognize that when technology becomes outdated,
there is a risk of loss of data integrity from attacks.
 Management’s strategic planning should always include an analysis of
the technology currently in use. Ideally, proper planning by management
should prevent technology from becoming obsolete, but when
obsolescence is manifest, management must take immediate action.
 IT professionals play a large role in the identification of probable
obsolescence.

3. Define Attacks. Discuss in detail about various types of attacks in
information security.

Attacks
1. Malicious Code
2. Hoaxes
3. Back Doors
4. Password Crack
5. Brute Force
6. Dictionary
7. Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS)
8. Spoofing
9. Man-in-the-Middle


10. Spam and Mail Bombing
11. Sniffers
12. Social Engineering
13. Pharming.
14. Timing Attack.

 Attack
 An attack is an act that takes advantage of a vulnerability to
compromise a controlled system.
 It is accomplished by a threat agent that damages or steals an
organization’s information or physical asset.
 A vulnerability is an identified weakness in a controlled system,
where controls are not present or are no longer effective.
 Types of attacks
1. Malicious Code
 The malicious code attack includes the execution of viruses,
worms, Trojan horses, and active Web scripts with the intent to
destroy or steal information.
 The most sophisticated form of malicious code attack is the
polymorphic, or multivector, worm.
 These attack programs use up to six known attack vectors to
exploit a variety of vulnerabilities in commonly found information
system devices.
 Other forms of malware include covert software applications—bots,
spyware, and adware.
 A bot (an abbreviation of robot) is "an automated software program
that executes certain commands when it receives a specific input.
Bots are often the technology used to implement Trojan horses,
logic bombs, back doors, and spyware."
 Spyware is "any technology that aids in gathering information
about a person or organization without their knowledge."
 Spyware is placed on a computer to secretly gather information
about the user and report it.
 The various types of spyware include
(1) a Web bug, a tiny graphic on a Web site that is referenced
within the Hypertext Markup Language (HTML) content of a
Web page or e-mail to collect information about the user
viewing the HTML content;
(2) a tracking cookie, which is placed on the user’s computer to
track the user’s activity on different


 Adware is "any software program intended for marketing purposes
such as that used to deliver and display advertising banners or
popups to the user's screen or tracking the user's online usage or
purchasing activity."
 Each of these hidden code components can be used to collect
information from or about the user which could then be used in a
social engineering or identity theft attack.
2. Hoaxes
 A more devious attack on computer systems is the transmission of a virus
hoax with a real virus attached.
 When the attack is masked in a seemingly legitimate message,
unsuspecting users more readily distribute it.
 Even though these users are trying to do the right thing to avoid
infection, they end up sending the attack on to their coworkers and
friends and infecting many users along the way.
3. Back Doors
 Using a known or previously unknown and newly discovered access
mechanism, an attacker can gain access to a system or network resource
through a back door.
 Sometimes these entries are left behind by system designers or
maintenance staff, and thus are called trap doors.
 A trap door is hard to detect, because very often the programmer who
puts it in place also makes the access exempt from the usual audit
logging features of the system.
4. Password Crack
 Attempting to reverse-calculate a password is often called cracking.
 A cracking attack is a component of many dictionary attacks.
 It is used when a copy of the Security Account Manager (SAM) data file,
which contains hashed representations of users' passwords, can be
obtained.
 A candidate password is hashed using the same algorithm and compared
to the stored hash; if the two match, the password has been cracked.
5. Brute Force
 The application of computing and network resources to try every possible
password combination is called a brute force attack. Since the brute
force attack is often used to obtain passwords to commonly used
accounts, it is sometimes called a password attack.
 If attackers can narrow the field of target accounts, they can devote more
time and resources to these accounts. That is one reason to always
change the manufacturer’s default administrator account names and
passwords.


 Controls that limit the number of unsuccessful access attempts allowed
per unit of elapsed time are very effective against brute force attacks.
6. Dictionary
 The dictionary attack is a variation of the brute force attack which
narrows the field by selecting specific target accounts and using a list of
commonly used passwords (the dictionary) instead of random
combinations.
 Organizations can use similar dictionaries to disallow passwords during
the reset process and thus guard against easy-to-guess passwords.
 In addition, rules requiring numbers and/or special characters in
passwords make the dictionary attack less effective.
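The three password attacks above (cracking a dumped hash, brute force, dictionary) and the attempt-limiting control mentioned under brute force, shown together as an added Python example that is not part of these notes. It uses unsalted SHA-256 as a stand-in for the hashes in a SAM dump (real SAM entries are NTLM hashes, which the example does not reproduce); the user names, passwords, wordlist and timestamps are constructed.

```python
import hashlib
import itertools
import string

# Constructed stand-in for a dumped credential store ("user": hex digest).
# Assumption: unsalted SHA-256; a real SAM holds NTLM (MD4) hashes, but the
# attack logic (hash the guess with the same algorithm, compare) is identical.
DUMPED_HASHES = {
    "alice": hashlib.sha256(b"sunshine").hexdigest(),
    "bob": hashlib.sha256(b"zq7").hexdigest(),
    "admin": hashlib.sha256(b"Tr0ub4dor&3").hexdigest(),
}

# Constructed "dictionary" of commonly used passwords.
WORDLIST = ["123456", "password", "sunshine", "qwerty", "letmein"]


def hash_guess(candidate):
    return hashlib.sha256(candidate.encode()).hexdigest()


def dictionary_attack(target_hash, wordlist):
    """Hash each dictionary word and compare with the stored hash."""
    for word in wordlist:
        if hash_guess(word) == target_hash:
            return word
    return None


def brute_force(target_hash, alphabet=string.ascii_lowercase + string.digits,
                max_len=3):
    """Try every string over the alphabet up to max_len characters.

    Work grows as len(alphabet) ** length, which is why length and
    character-class rules matter more than avoiding any single word."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if hash_guess(candidate) == target_hash:
                return candidate
    return None


def crack_all(dumped, wordlist):
    """Offline attack: cheap dictionary pass first, then a bounded brute force."""
    results = {}
    for user, stored in dumped.items():
        results[user] = dictionary_attack(stored, wordlist) or brute_force(stored)
    return results


class LockoutPolicy:
    """Online control: cap unsuccessful attempts per account per time window."""

    def __init__(self, max_failures=5, window_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = {}  # account -> timestamps of recent failures

    def allow_attempt(self, account, now):
        recent = [t for t in self.failures.get(account, []) if now - t < self.window]
        self.failures[account] = recent
        return len(recent) < self.max_failures

    def record_failure(self, account, now):
        self.failures.setdefault(account, []).append(now)


def online_guessing(policy, account, stored_hash, wordlist, start=0, step=1):
    """Guess against a live login guarded by the policy, one guess per `step`
    seconds. Returns (password_or_None, attempts_made)."""
    attempts = 0
    for i, word in enumerate(wordlist):
        now = start + i * step
        if not policy.allow_attempt(account, now):
            break                      # locked out: further guesses are refused
        attempts += 1
        if hash_guess(word) == stored_hash:
            return word, attempts
        policy.record_failure(account, now)
    return None, attempts
```

Against the constructed dump, "sunshine" falls to the dictionary, "zq7" to the three-character brute force, and the longer mixed-class password survives both. The lockout policy only helps against online guessing; once a hash file has been copied, the attacker's rate is limited by hardware alone, which is why stored passwords should use a salted, deliberately slow hash rather than a plain digest.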
7. Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS)
 In a denial-of-service (DoS) attack, the attacker sends a large number of
connection or information requests to a target (see Figure 2-4).

Figure 2.4 – Denial-of-Service Attack

 So many requests are made that the target system becomes overloaded
and cannot respond to legitimate requests for service.
 The system may crash or simply become unable to perform ordinary
functions.


 A distributed denial-of-service (DDoS) is an attack in which a
coordinated stream of requests is launched against a target from many
locations at the same time.
 Most DDoS attacks are preceded by a preparation phase in which many
systems, perhaps thousands, are compromised.
 The compromised machines are turned into zombies, machines that are
directed remotely (usually by a transmitted command) by the attacker to
participate in the attack.
 DDoS attacks are the most difficult to defend against, and there are
presently no controls that any single organization can apply.
 There are, however, some cooperative efforts to enable DDoS defenses
among groups of service providers; among them is the Consensus
Roadmap for Defeating Distributed Denial of Service Attacks.
 To use a popular metaphor, DDoS is considered a weapon of mass
destruction on the Internet.

DoS                                         | DDoS
--------------------------------------------|--------------------------------------------
Stands for Denial of Service attack.        | Stands for Distributed Denial of Service attack.
A single system targets the victim system.  | Multiple systems attack the victim system.
The victim is loaded with packets sent      | The victim is loaded with packets sent
from a single location.                     | from multiple locations.
Slower to mount than a DDoS attack.         | Faster than a DoS attack.
Can be blocked easily, since only one       | Difficult to block, since many devices send
system is used.                             | packets from many locations.
Only a single device is used, with DoS      | Many devices (bots) attack at the same
attack tools.                               | time.
Easy to trace.                              | Difficult to trace.
Volume of traffic is lower than in a DDoS.  | Lets the attacker send massive volumes of
                                            | traffic to the victim network.
Types of DoS attacks:                       | Types of DDoS attacks:
1. Buffer overflow attacks                  | 1. Volumetric attacks
2. Ping of Death or ICMP flood              | 2. Fragmentation attacks
3. Teardrop attack                          | 3. Application-layer attacks
4. Flooding attack                          | 4. Protocol attacks

A DDoS attack is more dangerous because it comes from multiple


locations, it can be deployed much faster than a DoS attack that
originates from a single location. The increased speed of attack makes
detecting it more difficult, meaning increased damage or even a
catastrophic outcome.
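As an added example (not part of the original notes), the following Python detector shows the difference the table describes as it appears in a web server's access log: it buckets requests into ten-second windows and labels a window as a single-source flood (DoS) when one address dominates, or as distributed (DDoS) when the same volume arrives from many addresses. The log lines, thresholds and addresses are constructed for the demonstration and must be tuned for a real service.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format line: client - - [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return (client_ip, timestamp) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def classify_windows(lines, window_s=10, total_threshold=50, single_source_share=0.8):
    """Bucket requests into fixed windows of window_s seconds and label each window.

    A window is 'normal' below total_threshold requests. Above it, the window is
    'dos-from-<ip>' when one source sends at least single_source_share of the
    requests (the single-origin flood of a DoS) and 'ddos' when the load is spread
    across many sources with no dominant one (the zombie/botnet pattern).
    Returns {window_start_epoch: (label, total, distinct_sources)}.
    Thresholds are assumptions for the demo.
    """
    per_window = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                        # skip malformed lines rather than crash the detector
        ip, ts = parsed
        bucket = int(ts.timestamp()) // window_s * window_s
        per_window[bucket][ip] += 1

    result = {}
    for bucket, counts in sorted(per_window.items()):
        total = sum(counts.values())
        top_ip, top_n = counts.most_common(1)[0]
        if total < total_threshold:
            label = "normal"
        elif top_n / total >= single_source_share:
            label = f"dos-from-{top_ip}"
        else:
            label = "ddos"
        result[bucket] = (label, total, len(counts))
    return result


def build_sample_log():
    """Constructed sample traffic (not captured data): three consecutive 10-second windows."""
    def line(ip, sec):
        return f'{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] "GET /login HTTP/1.1" 200 512'

    lines = []
    # 13:55:30-39: a handful of legitimate clients
    for sec, ip in zip(range(30, 36), ["198.51.100.7", "198.51.100.8", "198.51.100.9"] * 2):
        lines.append(line(ip, sec))
    # 13:55:40-49: one host floods the server (DoS) with a few legitimate requests mixed in
    for sec in range(40, 50):
        lines.extend(line("203.0.113.9", sec) for _ in range(6))
    for sec in (41, 44, 47, 49):
        lines.append(line("198.51.100.7", sec))
    # 13:55:50-59: 80 different zombies send one request each (DDoS)
    for i in range(80):
        lines.append(line(f"198.18.{i // 256}.{i % 256}", 50 + i % 10))
    return lines


def analyse_sample():
    return classify_windows(build_sample_log())


if __name__ == "__main__":
    for start, (label, total, sources) in analyse_sample().items():
        print(f"{datetime.fromtimestamp(start):%H:%M:%S}  {label:<22} {total:>3} requests from {sources} sources")
```

The single-source label is what makes a DoS "easy to block": one address can be filtered. The distributed window has no address worth blocking, which is the operational meaning of the right-hand column of the table.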

8. Spoofing
 Spoofing is a technique used to gain unauthorized access to computers,
wherein the intruder sends messages with a source IP address that has
been forged to indicate that the messages are coming from a trusted host.
 To engage in IP spoofing, hackers use a variety of techniques to obtain
trusted IP addresses, and then modify the packet headers (see Figure 2-5)
to insert these forged addresses.
 Newer routers and firewall arrangements can offer protection against IP spoofing, for example ingress filtering (BCP 38), which drops a packet arriving on an interface whose source address could not legitimately have come from that side of the network.

Figure 2.5 – IP Spoofing

9. Man-in-the-Middle
 In a man-in-the-middle attack, an attacker places themselves between two communicating parties: the attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network. TCP hijacking is one form of this, in which the attacker takes over an established TCP session.
 This type of attack uses IP spoofing to enable an attacker to impersonate another entity on the network.
 It allows the attacker to eavesdrop as well as to change, delete, reroute, add, forge, or divert data.
 A variant of TCP hijacking involves the interception of an encryption key exchange: the attacker substitutes their own key material for each party's, so that each side unknowingly shares a key with the attacker rather than with its peer. This enables the hacker to act as an invisible man-in-the-middle—that is, an eavesdropper—on communications the parties believe are encrypted end to end. Authenticating the exchanged key values (with a signature or a pre-shared secret, for example) is what defeats this variant.

 Figure 2-6 illustrates these attacks by showing how a hacker uses public and private encryption keys to intercept messages.

Figure 2.6 – Man-in-the-Middle Attack
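The key-exchange variant described above, as an added example that is not part of the original notes: a toy Diffie-Hellman exchange between Alice and Bob is run once without an interceptor, once through Mallory, and once through Mallory with each public value authenticated by an HMAC under a pre-shared key. The group parameters (p = 2^255 − 19, g = 2), the HMAC authentication scheme and the party names are assumptions made for the demonstration; a real protocol uses a standardised group and signatures or certificates rather than a pre-shared key.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for the demonstration only (assumption: textbook DH over a
# prime field; a real deployment uses a standardised group or ECDH).
P = 2**255 - 19
G = 2


def dh_keypair():
    priv = 2 + secrets.randbelow(P - 3)
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Derive a symmetric key from the DH shared secret."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(32, "big")).digest()


def tag(psk, pub):
    """Authenticate a DH public value with a pre-shared key (hypothetical scheme for the demo)."""
    return hmac.new(psk, pub.to_bytes(32, "big"), hashlib.sha256).digest()


class Mallory:
    """Sits between Alice and Bob and swaps in her own DH values in each direction."""

    def __init__(self):
        self.priv_a, self.pub_a = dh_keypair()   # the value Alice will be shown
        self.priv_b, self.pub_b = dh_keypair()   # the value Bob will be shown
        self.key_with_alice = self.key_with_bob = None

    def from_alice(self, alice_pub):
        self.key_with_alice = dh_shared(self.priv_a, alice_pub)
        return self.pub_b                        # Bob receives Mallory's value, not Alice's

    def from_bob(self, bob_pub):
        self.key_with_bob = dh_shared(self.priv_b, bob_pub)
        return self.pub_a                        # Alice receives Mallory's value, not Bob's


def run_exchange(mallory=None, psk=None):
    """One DH exchange Alice -> Bob -> Alice, optionally relayed through Mallory.

    With psk set, each side sends an HMAC tag over its public value and the receiver
    rejects a value whose tag does not verify. Returns a dict with 'accepted' and,
    when accepted, the key each side ended up with."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()

    # Alice -> Bob: (A, tag(A)). Mallory can replace A but cannot forge the tag without psk.
    sent, sent_tag = a_pub, tag(psk, a_pub) if psk else None
    if mallory:
        sent = mallory.from_alice(sent)
    if psk and not hmac.compare_digest(sent_tag, tag(psk, sent)):
        return {"accepted": False, "reason": "Bob: tag on received DH value does not verify"}
    bob_key = dh_shared(b_priv, sent)

    # Bob -> Alice: (B, tag(B))
    sent, sent_tag = b_pub, tag(psk, b_pub) if psk else None
    if mallory:
        sent = mallory.from_bob(sent)
    if psk and not hmac.compare_digest(sent_tag, tag(psk, sent)):
        return {"accepted": False, "reason": "Alice: tag on received DH value does not verify"}
    alice_key = dh_shared(a_priv, sent)

    return {"accepted": True, "alice_key": alice_key, "bob_key": bob_key}


if __name__ == "__main__":
    m = Mallory()
    r = run_exchange(mallory=m)
    print("unauthenticated, intercepted: parties agree?", r["alice_key"] == r["bob_key"],
          "| Mallory holds both keys?",
          r["alice_key"] == m.key_with_alice and r["bob_key"] == m.key_with_bob)
    print("authenticated, intercepted:", run_exchange(mallory=Mallory(), psk=b"demo-psk"))
```

In the unauthenticated run both parties finish with a key, so the exchange "succeeds" from their point of view, yet the two keys differ and Mallory holds both: she can decrypt everything from Alice, read or alter it, and re-encrypt it for Bob. Only the authenticated run notices the substitution.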

10. Spam
 Spam is unsolicited commercial e-mail.
 While many consider spam a trivial nuisance rather than an attack, it
has been used as a means of enhancing malicious code attacks.
 The most significant consequence of spam, however, is the waste of
computer and human resources.
 Many organizations attempt to cope with the flood of spam by using e-
mail filtering technologies.
 Other organizations simply tell the users of the mail system to delete
unwanted messages.
11. Mail Bombing
 Another form of e-mail attack that is also a DoS is called a mail
bomb, in which an attacker routes large quantities of e-mail to the
target.
 This can be accomplished by means of social engineering or by exploiting various technical flaws in the Simple Mail Transfer Protocol (SMTP).
 The target of the attack receives an unmanageably large volume of
unsolicited e-mail.
 By sending large e-mails with forged header information, attackers can take advantage of poorly configured e-mail systems on the Internet and trick them into sending many e-mails to an address chosen by the attacker.
 If many such systems are tricked into participating in the event, the
target e-mail address is buried under thousands or even millions of
unwanted e-mails.
12. Sniffers
 A sniffer is a program or device that can monitor data traveling over a
network.
 Sniffers can be used both for legitimate network management
functions and for stealing information.
 Unauthorized sniffers can be extremely dangerous to a network's security: a passive sniffer generates no traffic of its own, so it is very hard to detect from the network, and one can be inserted almost anywhere traffic passes (a mirrored switch port, a compromised host, a tap on the cable).
 This makes them a favourite weapon in the hacker's arsenal.
 Sniffers often work on TCP/IP networks, where they’re sometimes
called packet sniffers.
 Sniffers add risk to the network, because many systems and users
send information on local networks in clear text.
 A sniffer program shows all the data going by, including passwords,
the data inside files—such as word-processing documents—and
screens full of sensitive data from applications.
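To make both the spoofing point from section 8 and the cleartext-exposure point above concrete, here is an added example (not from the original notes) that builds raw IPv4/TCP packets with an arbitrary source address, applies a BCP 38 style ingress filter to a packet that claims an internal source while arriving from outside, and then runs a minimal sniffer over the same packets to pull an HTTP Basic credential out of the cleartext payload. The internal prefix 10.0.0.0/8, the addresses and the credential alice:hunter2 are constructed for the demo; the TCP checksum is left at zero because only the IPv4 header is verified here.

```python
import base64
import ipaddress
import struct

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumption: the site's internal address range


def ipv4_checksum(data):
    """RFC 1071 one's-complement checksum over a header; a valid header checksums to 0."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, payload, ttl=64):
    """Build a minimal IPv4+TCP packet. The source field is whatever the caller says,
    which is exactly what makes spoofing possible: nothing in the packet proves it."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0, ttl, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    # TCP header without options: seq/ack 1, data offset 5, flags PSH|ACK, checksum omitted
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload


def parse_ipv4_tcp(packet):
    """Decode the IPv4 and TCP headers the way a sniffer or a filtering router would."""
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    info = {"src": str(ipaddress.ip_address(packet[12:16])),
            "dst": str(ipaddress.ip_address(packet[16:20])),
            "proto": packet[9], "payload": b""}
    if info["proto"] == 6:
        info["sport"], info["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
        data_offset = (packet[ihl + 12] >> 4) * 4
        info["payload"] = packet[ihl + data_offset:]
    return info


def ingress_filter(packet, internal_net=INTERNAL_NET):
    """BCP 38 style check for a packet that arrived on the external interface:
    a source address inside our own range cannot legitimately come from outside."""
    src = ipaddress.ip_address(parse_ipv4_tcp(packet)["src"])
    if src in internal_net:
        return "drop", f"spoofed internal source {src} arriving from outside"
    return "accept", ""


def extract_basic_credentials(payload):
    """Return (user, password) from a cleartext HTTP 'Authorization: Basic' header, else None."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            user, _, password = base64.b64decode(line.split(None, 2)[2]).partition(b":")
            return user.decode(), password.decode()
    return None


def sniff(packets):
    """What a passive sniffer on the segment sees: every credential sent in the clear."""
    found = []
    for pkt in packets:
        p = parse_ipv4_tcp(pkt)
        creds = extract_basic_credentials(p["payload"])
        if creds:
            found.append((p["src"], p["dst"], p["dport"]) + creds)
    return found


def sample_packets():
    """Constructed packets (not captured traffic): one spoofed, one leaking a password."""
    http = (b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
            b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n\r\n")
    spoofed = build_ipv4_tcp("10.0.0.5", "10.0.0.20", 40000, 80, b"")       # claims to be internal
    leak = build_ipv4_tcp("203.0.113.7", "10.0.0.20", 51515, 80, http)     # real client, cleartext
    return spoofed, leak


if __name__ == "__main__":
    spoofed, leak = sample_packets()
    print("ingress filter:", ingress_filter(spoofed), ingress_filter(leak))
    print("sniffer saw:", sniff([spoofed, leak]))
```

The filter cannot tell whether 203.0.113.7 is genuine; BCP 38 only catches addresses that are impossible on the interface they arrive on, which is why it is deployed at network edges rather than relied on by the victim alone. The sniffer needs no exploit at all: the credential is recoverable because the application sent it without TLS.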
13. Social Engineering
 In the context of information security, social engineering is the
process of using social skills to convince people to reveal access
credentials or other valuable information to the attacker.
 There are several social engineering techniques, which usually involve
a perpetrator posing as a person higher in the organizational hierarchy
than the victim.
 To prepare for this false representation, the perpetrator may have used
social engineering tactics against others in the organization to collect
seemingly unrelated information that, when used together, makes the
false representation more credible.
 For instance, anyone can check a company’s Web site, or even call the
main switchboard to get the name of the CIO; an attacker may then
obtain even more information by calling others in the company and
asserting his or her (false) authority by mentioning the CIO’s name.
 Social engineering attacks may involve individuals posing as new
employees or as current employees requesting assistance to prevent
getting fired.
 Sometimes attackers threaten, cajole, or beg to sway the target.

 Another social engineering attack called the advance-fee fraud (AFF), and internationally known as the 4-1-9 fraud, is named after a section of the Nigerian penal code.
 The perpetrators of 4-1-9 schemes often name fictitious companies,
such as the Nigerian National Petroleum Company. Alternatively, they
may invent other entities, such as a bank, government agency, or a
nongovernmental organization.
 This scam is notorious for stealing funds from credulous individuals,
first by requiring that people who wish to participate in the proposed
money-making venture send money up front, and then by soliciting an
endless series of fees.
 These 4-1-9 schemes are even suspected to involve kidnapping,
extortion, and murder.
14. Phishing
 Phishing is an attempt to gain personal or financial information
from an individual, usually by posing as a legitimate entity.
 A variant is spear phishing, a label that applies to any highly targeted
phishing attack.
 While normal phishing attacks target as many recipients as possible, a
spear phisher sends a message that appears to be from an employer, a
colleague, or other legitimate correspondent, to a small group or even
one specific person.
 This attack is sometimes used to target those who use a certain
product or Web site.
 Phishing attacks use three primary techniques, often in combination
with one another: URL manipulation, Web site forgery, and phone
phishing.
 In URL manipulation, attackers send an HTML e-mail containing a hyperlink whose visible text looks legitimate but whose actual target opens a forged Web site.
 The forged Web site looks legitimate; when victims type their banking ID and password, the attacker records that information and displays a message that the Web site is now offline. The attackers can then use the recorded credentials to perform transactions, including funds transfers, bill payments, or loan requests.
 Phone phishing is pure social engineering. The attacker calls a victim on the telephone and pretends to be someone they are not (a practice sometimes called pretexting) in order to gain access to private or confidential information such as health or employment records or financial information. They may impersonate someone who is known to the potential victim only by reputation.
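As an added example (not from the original notes), the following Python check compares what a recipient sees in a link with where the hyperlink actually goes, catching the URL-manipulation tricks described above: a trusted name placed in the userinfo part before '@', a raw IP address, a trusted name embedded in a longer attacker-controlled host, and a homoglyph host. The trusted domain bank.example and the sample links are assumptions constructed for the demonstration.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"bank.example"}   # assumption: the organisation whose users are being targeted


def host_of(text):
    """Host a browser would connect to for a URL or bare hostname; '' if there is none."""
    try:
        parts = urlsplit(text if "://" in text else "http://" + text)
        return (parts.hostname or "").rstrip(".")
    except ValueError:
        return ""


def is_trusted(host, trusted=TRUSTED_DOMAINS):
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify_link(visible_text, href, trusted=TRUSTED_DOMAINS):
    """Compare what the user sees in the e-mail with where the hyperlink really goes.

    Returns (verdict, reasons). 'ok' means the real target is a trusted domain;
    'deceptive' means the link uses one of the manipulation tricks below;
    'untrusted' means it simply points somewhere else."""
    parts = urlsplit(href)
    target = (parts.hostname or "").rstrip(".")
    if not target:
        return "suspicious", ["href has no host"]
    if is_trusted(target, trusted):
        return "ok", []

    reasons = []
    if "@" in parts.netloc:
        reasons.append("userinfo before '@' makes a trusted name appear first; the real host is " + target)
    if target.replace(".", "").isdigit():
        reasons.append("raw IP address instead of a domain name")
    if not target.isascii() or any(label.startswith("xn--") for label in target.split(".")):
        reasons.append("non-ASCII / internationalised host (possible homoglyph of a trusted name)")
    for d in trusted:
        if d in target:
            reasons.append(f"trusted name '{d}' embedded inside untrusted host '{target}'")
            break
    shown = host_of(visible_text)
    if shown and is_trusted(shown, trusted):
        reasons.append(f"link text shows {shown} but the link goes to {target}")
    return ("deceptive" if reasons else "untrusted"), reasons


if __name__ == "__main__":
    samples = [
        ("https://bank.example/login", "https://bank.example/login"),
        ("https://bank.example/login", "http://bank.example@203.0.113.5/login"),
        ("Verify your account", "https://bank.example.login.evil.test/"),
        ("https://bank.example/login", "https://b\u0430nk.example/login"),   # Cyrillic 'а'
        ("newsletter", "https://news.example/"),
    ]
    for text, href in samples:
        print(classify_link(text, href))
```

The decisive step is using the parsed hostname rather than eyeballing the string: a browser ignores everything before '@' and treats the last labels of the host as the owner, which is the opposite of how a reader scans a URL from the left.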
15. Pharming
 Pharming is the redirection of legitimate Web traffic (e.g., browser requests) to an illegitimate site for the purpose of obtaining private information.
 Pharming often uses Trojans, worms, or other malware to alter name resolution on the victim's machine (for example the local hosts file or the configured DNS servers), so that the valid URL typed by the user is resolved to the illegitimate Web site.
 Pharming may also exploit the Domain Name System (DNS) itself by causing a resolver to map the legitimate host name to the invalid site's IP address; this form of pharming is known as DNS cache poisoning. Unlike phishing, the user types the correct address and still ends up at the attacker's site, so a correct-looking URL is not by itself proof of a legitimate site.
16. Timing Attack
 A timing attack, in the Web context, explores the contents of a Web browser's cache and stores a malicious cookie on the client's system.
 The cookie (a small quantity of data stored by the Web browser on the local system, at the direction of the Web server) can allow its designer to collect information on how to access password-protected sites.
 Another attack by the same name is a cryptographic side-channel attack: by measuring how long a system takes to perform operations such as comparing a password or a MAC, or decrypting with a private key, an attacker infers information about the secret key or the data being processed. The defence is to make security-sensitive operations take the same time regardless of the secret (constant-time code).
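As an added example (not part of the original notes) of the cryptographic sense of the term, the following Python code shows why comparison time must not depend on the secret. An early-exit comparison is modelled by counting how many bytes it examines (standing in for the elapsed time an attacker would measure), and a small search recovers an eight-byte secret one byte at a time from that count; the same search against a constant-time comparison learns nothing. The secret value is constructed for the demo; real servers should use hmac.compare_digest, as verify_token does.

```python
import hmac


def naive_compare(expected, guess):
    """Compare byte by byte and stop at the first mismatch.

    Returns (equal, work) where work is the number of byte comparisons made. The count
    stands in for elapsed time: each extra matching prefix byte costs one more step,
    and that is what a timing attacker measures over the network."""
    work = 0
    if len(expected) != len(guess):
        return False, work
    for a, b in zip(expected, guess):
        work += 1
        if a != b:
            return False, work
    return True, work


def constant_time_compare(expected, guess):
    """Same contract, but always touches every byte so work never depends on the guess.
    Production code should use hmac.compare_digest, which does this in C."""
    if len(expected) != len(guess):
        return False, 0
    diff, work = 0, 0
    for a, b in zip(expected, guess):
        work += 1
        diff |= a ^ b
    return diff == 0, work


def recover_secret(oracle, length, alphabet=range(256)):
    """Recover a secret one byte at a time from a comparison oracle returning (equal, work).

    At each position the candidate that makes the oracle work longest (or succeed)
    is the right one, so the search costs length * |alphabet| queries instead of
    |alphabet| ** length."""
    known = b""
    for pos in range(length):
        best, best_score = None, (False, -1)
        for c in alphabet:
            guess = known + bytes([c]) + b"\0" * (length - pos - 1)
            score = oracle(guess)           # (equal, work): success outranks any work count
            if score > best_score:
                best, best_score = c, score
        known += bytes([best])
    return known


def verify_token(expected, provided):
    """The hardened check a server should use for passwords, MACs and session tokens."""
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    secret = b"s3cr3t!!"                       # constructed demo secret
    leaked = recover_secret(lambda g: naive_compare(secret, g), len(secret))
    blocked = recover_secret(lambda g: constant_time_compare(secret, g), len(secret))
    print("early-exit compare leaks the secret:", leaked == secret, leaked)
    print("constant-time compare leaks the secret:", blocked == secret, blocked)
```

Against the early-exit comparison the search needs at most 256 queries per byte; against the constant-time version every candidate scores the same and the search degenerates to the first symbol of the alphabet. A real attack replaces the work counter with repeated network timing measurements and statistics, but the structure is identical.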

4. Discuss in detail about Legal, Ethical and Professional Issues in information security investigation.
LEGAL, ETHICAL AND PROFESSIONAL ISSUES
 Law and Ethics in Information Security
 Organizational Liability and the Need for Counsel
 Policy Versus Law
 Types of Law
RELEVANT U.S. LAWS
 Privacy
 Export and Espionage Laws
 U.S. Copyright Law
 Financial Reporting
 Freedom of Information Act of 1966 (FOIA)
 State and Local Regulations
INTERNATIONAL LAWS AND LEGAL BODIES
 Council of Europe Convention on Cybercrime
 Agreement on Trade-Related Aspects of Intellectual Property Rights
 Digital Millennium Copyright Act (DMCA)

LEGAL, ETHICAL AND PROFESSIONAL ISSUES


 The information security professional plays an important role in an
organization’s approach to managing liability for privacy and security
risks.
 To minimize liability and reduce risks from electronic and physical
threats, and to reduce all losses from legal action, information
security practitioners must thoroughly understand the current legal
environment, stay current with laws and regulations, and watch for
new and emerging issues.

 Law and Ethics in Information Security


 Laws are rules that mandate or prohibit certain behaviour; they are
drawn from ethics, which define socially acceptable behaviours.
 The key difference between laws and ethics is that laws carry the
authority of a governing body, and ethics do not.
 Ethics in turn are based on cultural mores: the fixed moral attitudes
or customs of a particular group.
 Some ethical standards are universal.
 For example, murder, theft, assault, and arson are actions that
deviate from ethical and legal codes throughout the world.

 Organizational Liability and the Need for Counsel


 Liability is the legal obligation of an entity that extends beyond
criminal or contract law; it includes the legal obligation to make
restitution, to compensate for wrongs committed.
 The bottom line is that if an employee, acting with or without the
authorization of the employer, performs an illegal or unethical act that
causes some degree of harm, the employer can be held financially
liable for that action.
 An organization increases its liability if it refuses to take measures
known as due care.
 Due care standards are met when an organization makes sure that
every employee knows what is acceptable or unacceptable behaviour,
and knows the consequences of illegal or unethical actions.
 Due diligence requires that an organization make a valid effort to
protect others and continually maintains this level of effort.
 Under the U.S. legal system, any court can assert its authority over an
individual or organization if it can establish jurisdiction—that is, the
court’s right to hear a case if a wrong is committed in its territory or
involves its citizenry.

 This is sometimes referred to as long arm jurisdiction—the long arm of the law extending across the country or around the world to draw an accused individual into its court systems.

 Policy Versus Law


 Within an organization, information security professionals help
maintain security via the establishment and enforcement of policies.
 These policies—guidelines that describe acceptable and unacceptable
employee behaviours in the workplace—function as organizational
laws, complete with penalties, judicial practices, and sanctions to
require compliance.
 The difference between a policy and a law, however, is that ignorance
of a policy is an acceptable defence.
 Thus, for a policy to become enforceable, it must meet the following
five criteria:
1. Dissemination (distribution)—The organization must be able to
demonstrate that the relevant policy has been made readily
available for review by the employee. Common dissemination
techniques include hard copy and electronic distribution.
2. Review (reading)—The organization must be able to demonstrate
that it disseminated the document in an intelligible form, including
versions for illiterate, non-English reading, and reading-impaired
employees. Common techniques include recordings of the policy in
English and alternate languages.
3. Comprehension (understanding)—The organization must be able
to demonstrate that the employee understood the requirements
and content of the policy. Common techniques include quizzes and
other assessments.
4. Compliance (agreement)—The organization must be able to
demonstrate that the employee agreed to comply with the policy
through act or affirmation. Common techniques include logon
banners, which require a specific action (mouse click or keystroke)
to acknowledge agreement, or a signed document clearly indicating
the employee has read, understood, and agreed to comply with the
policy.
5. Uniform enforcement—The organization must be able to
demonstrate that the policy has been uniformly enforced,
regardless of employee status or assignment. Only when all of
these conditions are met can an organization penalize employees
who violate the policy without fear of legal retribution.


 Types of Law
1. Civil law comprises a wide variety of laws that govern a nation or state and deal with the relationships and conflicts between organizational entities and people.
2. Criminal law addresses activities and conduct harmful to society, and is actively enforced by the state.
Law can also be categorized as private or public:
3. Private law encompasses family law, commercial law, and labor law, and regulates the relationship between individuals and organizations.
4. Public law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments. Public law includes criminal, administrative, and constitutional law.

RELEVANT U.S. LAWS


 Historically, the United States has been a leader in the development
and implementation of information security legislation to prevent
misuse and exploitation of information and information technology.
 The implementation of information security legislation contributes to a
more reliable business environment, which in turn, enables a stable
economy.
General Computer Crime Laws
 There are several key laws relevant to the field of information security
and of particular interest to those who live or work in the United
States.
 The Computer Fraud and Abuse Act of 1986 (CFA Act) is the
cornerstone of many computer-related federal laws and enforcement
efforts.
 It was amended in October 1996 by the National Information
Infrastructure Protection Act of 1996, which modified several
sections of the previous act and increased the penalties for selected
crimes.
 The punishment for offenses prosecuted under this statute varies from
fines to imprisonment up to 20 years, or both.
 The severity of the penalty depends on the value of the information
obtained and whether the offense is judged to have been committed:
o For purposes of commercial advantage
o For private financial gain
o In furtherance of a criminal act


 The previous law, along with many others, was further modified by the
USA PATRIOT Act of 2001, which provides law enforcement agencies
with broader latitude in order to combat terrorism-related activities.
 Another key law is the Computer Security Act of 1987.
 It was one of the first attempts to protect federal computer systems by
establishing minimum acceptable security practices.
 The National Bureau of Standards (now the National Institute of Standards and Technology, NIST), in cooperation with the National Security Agency, is responsible for developing these security standards and guidelines.

Privacy
 Many organizations are collecting, swapping, and selling personal
information as a commodity, and many people are looking to
governments for protection of their privacy.
 The ability to collect information, combine facts from separate
sources, and merge it all with other information has resulted in
databases of information that were previously impossible to set up.
 One technology that was proposed in the past was intended to
monitor or track private communications. Known as the Clipper Chip,
it used an algorithm with a two-part key that was to be managed by
two separate government agencies, and it was reportedly designed to
protect individual communications while allowing the government to
decrypt suspect transmissions.
 Privacy of Customer Information
o Some regulations in the U.S. legal code stipulate the
responsibilities of common carriers (organizations that process or
move data for hire) to protect the confidentiality of customer
information, including that of other carriers.
o The Privacy of Customer Information Section of the common
carrier regulation states that any proprietary information shall be
used explicitly for providing services, and not for any marketing
purposes, and that carriers cannot disclose this information except
when necessary to provide their services.
o The only other exception is when a customer requests the
disclosure of information, and then the disclosure is restricted to
that customer’s information only.
o This law does allow for the use of aggregate information. Aggregate information is created by combining pieces of non-private data—often collected during software updates and via cookies—that when combined may violate privacy.

 While common carrier regulation regulates public carriers in order to protect individual privacy, the Federal Privacy Act of 1974 regulates government agencies and holds them accountable if they release private information about individuals or businesses without permission.
 The following agencies, regulated businesses, and individuals are
exempt from some of the regulations so that they can perform their
duties:
 Bureau of the Census
 National Archives and Records Administration
 Congress
 Comptroller General
 Federal courts with regard to specific issues using appropriate
court orders
 Credit reporting agencies
 Individuals or organizations that demonstrate that information
is necessary to protect the health or safety of that individual
 The Electronic Communications Privacy Act of 1986 is a collection
of statutes that regulates the interception of wire, electronic, and oral
communications. These statutes work in conjunction with the Fourth
Amendment of the U.S. Constitution, which protects individuals
from unlawful search and seizure.
 The Health Insurance Portability and Accountability Act Of 1996
(HIPAA), also known as the Kennedy-Kassebaum Act, protects the
confidentiality and security of health care data by establishing and
enforcing standards and by standardizing electronic data interchange.
 HIPAA affects all health care organizations, including doctors’
practices, health clinics, life insurers, and universities, as well as
some organizations that have self-insured employee health programs.
HIPAA specifies stiff penalties for organizations that fail to comply with
the law, with fines up to $250,000 and/or 10 years imprisonment for
knowingly misusing client information.

How does HIPAA affect the field of information security?


 Beyond the basic privacy guidelines, the act requires organizations to
use information security mechanisms, as well as policies and
procedures, to protect health care information.
 It also requires a comprehensive assessment of information security
systems, policies, and procedures where health care information is
handled or maintained.

 Electronic signatures have become more common, and HIPAA provides guidelines for the use of these signatures based on security standards that ensure message integrity, user authentication, and nonrepudiation.

 HIPAA has five fundamental principles:


1. Consumer control of medical information
2. Boundaries on the use of medical information
3. Accountability for the privacy of private information
4. Balance of public responsibility for the use of medical information
for the greater good measured against impact to the individual
5. Security of health information

 The Financial Services Modernization Act or Gramm-Leach-Bliley Act of 1999 contains a number of provisions focusing on facilitating
affiliation among banks, securities firms, and insurance companies.
Specifically, this act requires all financial institutions to disclose their
privacy policies on the sharing of non-public personal information. It
also requires due notice to customers, so that they can request that
their information not be shared with third parties.
 Identity Theft - Related to the legislation on privacy is the growing body of law on identity theft. The Federal Trade Commission (FTC) describes identity theft as "occurring when someone uses your personally identifying information, like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes."
 While numerous states have passed identity theft laws, at the federal
level the primary legislation is the Fraud and Related Activity in
Connection with Identification Documents, Authentication
Features, and Information, which criminalizes creation,
reproduction, transfer, possession, or use of unauthorized or false
identification documents or document-making equipment. The
penalties for such offenses range from 1 to 25 years in prison, and
fines as determined by the courts.
 The FTC recommends that people take the following four steps when
they suspect they are victims of identity theft:
1. Report to the three dominant consumer reporting companies that
your identity is threatened so that they may place a fraud alert on
your record. This informs current and potential creditors to follow
certain procedures before taking credit-related actions.

2. If you know which accounts have been compromised, close them. If new accounts are opened using your identity without your permission, you can obtain a document template online that may be used to dispute these new accounts.
3. Register your concern with the FTC. There is a form to register a
complaint at the FTC’s identity theft site.
4. Report the incident to either your local police or police in the
location where the identity theft occurred. Use your copy of the
FTC ID Theft complaint form to make the report. Once your police
report has been filed, be sure to get a copy or acquire the police
report number.

 Export and Espionage Laws


 To meet national security needs and to protect trade secrets and other
state and private assets, several laws restrict which information and
information management and security resources may be exported
from the United States.
 These laws attempt to stem the theft of information by establishing
strong penalties for these crimes.
 To protect American ingenuity, intellectual property, and competitive
advantage, Congress passed the Economic Espionage Act in 1996.
This law attempts to prevent trade secrets from being illegally shared.
 The Security and Freedom through Encryption Act of 1999 provides guidance on the use of encryption and provides protection from government intervention. The act includes provisions that:
 Reinforce an individual's right to use or sell encryption algorithms, without concern for regulations requiring some form of key registration. Key registration is the storage of a cryptographic key (or its text equivalent) with another party to be used to break the encryption of data. This is often called "key escrow."

 U.S. Copyright Law


 Intellectual property is a protected asset in the United States. The U.S.
copyright laws extend this privilege to the published word, including
electronic formats.
 Fair use allows copyrighted materials to be used to support news
reporting, teaching, scholarship, and a number of similar activities, as
long as the use is for educational or library purposes, is not for profit,
and is not excessive.
 As long as proper acknowledgement is provided to the original author of such works, including a proper description of the location of source materials (citation), and the work is not represented as one's own, it is entirely permissible to include portions of someone else's work as reference.

 Financial Reporting
 The Sarbanes-Oxley Act of 2002 is a critical piece of legislation that
affects the executive management of publicly traded corporations and
public accounting firms.
 This law seeks to improve the reliability and accuracy of financial
reporting, as well as increase the accountability of corporate
governance, in publicly traded companies.
 Penalties for non-compliance range from fines to jail terms.
 Executives working in firms covered by this law seek assurance on the
reliability and quality of information systems from senior information
technology managers.
 In turn, IT managers are likely to ask information security managers
to verify the confidentiality and integrity of those information systems
in a process known in the industry as sub-certification.

 Freedom of Information Act of 1966 (FOIA)


 The Freedom of Information Act allows any person to request access
to federal agency records or information not determined to be a matter
of national security.
 Agencies of the federal government are required to disclose any
requested information on receipt of a written request.
 This requirement is enforceable in court. Some information is,
however, protected from disclosure, and the act does not apply to
state or local government agencies or to private businesses or
individuals, although many states have their own version of the FOIA.

 State and Local Regulations


 In addition to the national and international restrictions placed on
organizational use of computer technology, each state or locality may
have a number of its own applicable laws and regulations.
 Information security professionals must therefore understand state
laws and regulations and ensure that the organization’s security
policies and procedures comply with those laws and regulations.
 For example, in 1991 the state of Georgia passed the Georgia
Computer Systems Protection Act, which seeks to protect
information, and which establishes penalties for the use of
information technology to attack or exploit information systems.


INTERNATIONAL LAWS AND LEGAL BODIES


 Council of Europe Convention on Cybercrime
 The Council of Europe adopted the Convention on Cybercrime in
2001.
 It created an international task force to oversee a range of security
functions associated with Internet activities for standardized
technology laws across international borders.
 It also attempts to improve the effectiveness of international
investigations into breaches of technology law.
 This convention has been well received by advocates of intellectual
property rights because it emphasizes prosecution for copyright
infringement.
 The United States is technically not a "member state of the Council of Europe" but does participate in the Convention.
 The overall goal of the convention is to simplify the acquisition of
information for law enforcement agencies in certain types of
international crimes.
 Agreement on Trade-Related Aspects of Intellectual Property Rights
 The Agreement on Trade-Related Aspects of Intellectual Property
Rights (TRIPS), created by the World Trade Organization (WTO) and
negotiated over the years 1986–1994, introduced intellectual property
rules into the multilateral trade system.
 It is the first significant international effort to protect intellectual
property rights.
 It outlines requirements for governmental oversight and legislation of
WTO member countries to provide minimum levels of protection for
intellectual property.
 The WTO TRIPS agreement covers five issues:
1. How basic principles of the trading system and other international
intellectual property agreements should be applied
2. How to give adequate protection to intellectual property rights
3. How countries should enforce those rights adequately in their own
territories
4. How to settle disputes on intellectual property between members of
the WTO
5. Special transitional arrangements during the period when the new
system is being introduced.


 Digital Millennium Copyright Act (DMCA)


 The Digital Millennium Copyright Act (DMCA) of 1998 is the American contribution to an international effort by the World Intellectual Property Organization (WIPO) to reduce the impact of copyright, trademark, and privacy infringement, especially when accomplished via the removal of technological copyright protection measures.
 The law implements the two WIPO treaties adopted in 1996 (the WIPO Copyright Treaty and the WIPO Performances and Phonograms Treaty), which oblige signatories to protect the technological measures that copyright owners use to control access to their works. Directive 95/46/EC, adopted by the European Union in 1995, is a separate measure: it added protection for individuals with regard to the processing of personal data and the use and movement of such data, and it is not the basis of the DMCA.
 The United Kingdom's Database Right, which protects the investment made in compiling a database, implements a different EU measure, the Database Directive (96/9/EC).
 The DMCA includes the following provisions:
o Prohibits the circumvention of protections and countermeasures implemented by copyright owners to control access to protected content
o Prohibits the manufacture of devices to circumvent protections and countermeasures that control access to protected content
o Bans trafficking in devices manufactured to circumvent protections and countermeasures that control access to protected content
o Prohibits the altering of information attached to or embedded in copyrighted material
o Excludes Internet service providers from certain forms of contributory copyright infringement

5. Discuss in detail about Ethics and Information Security along with Ethics and Education.
Ethics and Information Security
 Professional associations—such as the Association for Computing Machinery (ACM) and the Information Systems Security Association—and certification agencies—such as the International Information Systems Security Certification Consortium, Inc., or (ISC)²—work to establish the profession's ethical codes of conduct.
Ethical Differences across Cultures
 Cultural differences can make it difficult to determine what is and is not
ethical—especially when it comes to the use of computers.
 Studies on ethics and computer use reveal that people of different
nationalities have different perspectives; difficulties arise when one
nationality’s ethical behaviour violates the ethics of another national
group.

 A study published in 1999 examined computer use ethics of eight
nations: Singapore, Hong Kong, the United States, England, Australia,
Sweden, Wales, and the Netherlands.
 The scenarios were grouped into three categories of ethical computer use:
software license infringement, illicit use, and misuse of corporate
resources.
1. Software License Infringement
 Among study participants, attitudes toward piracy were generally
similar; however, participants from the United States and the
Netherlands showed statistically significant differences in attitudes
from the overall group.
 Participants from the United States were significantly less tolerant
of piracy, while those from the Netherlands were significantly more
permissive.
 Although other studies have reported that the Pacific Rim countries
of Singapore and Hong Kong are hotbeds of software piracy, this
study found tolerance for copyright infringement in those countries
to be moderate, as were attitudes in England, Wales, Australia, and
Sweden.
 This could mean that the individuals surveyed understood what
software license infringement was, but felt either that their use was
not piracy, or that their society permitted this piracy in some way.
 Peer pressure, the lack of legal disincentives, the lack of punitive
measures, and a number of other reasons could explain why users
in these alleged piracy centres disregarded intellectual property
laws despite their professed attitudes toward them.
 Even though participants from the Netherlands displayed a more
permissive attitude toward piracy, that country only ranked third in
piracy rates of the nations surveyed in this study.
2. Illicit Use
 The study respondents unilaterally condemned viruses, hacking,
and other forms of system abuse.
 There were, however, different degrees of tolerance for such
activities among the groups.
 Students from Singapore and Hong Kong proved to be significantly
more tolerant than those from the United States, Wales, England,
and Australia.
 Students from Sweden and the Netherlands were also significantly
more tolerant than those from Wales and Australia, but
significantly less tolerant than those from Hong Kong.

 The low overall degree of tolerance for illicit system use may be a
function of the easy correspondence between the common crimes of
breaking and entering, trespassing, theft, and destruction of
property and their computer-related counterparts.
3. Misuse of Corporate Resources
 The scenarios used to examine the levels of tolerance for misuse of
corporate resources each presented a different degree of non-company
use of corporate assets without specifying the company’s
policy on personal use of company resources.
 In general, individuals displayed a rather lenient view of personal
use of company equipment.
 Only students from Singapore and Hong Kong viewed personal use of
company equipment as unethical.
 There were several substantial differences in this category, with
students from the Netherlands revealing the most lenient views.
 With the exceptions of those from Singapore and Hong Kong, it is
apparent that many people, regardless of cultural background,
believe that unless an organization explicitly forbids personal use
of its computing resources, such use is acceptable.
 It is interesting to note that only participants among the two Asian
samples, Singapore and Hong Kong, reported generally intolerant
attitudes toward personal use of organizational computing
resources.

ETHICS AND EDUCATION


 Attitudes toward the ethics of computer use are affected by many factors
other than nationality.
 Differences are found among individuals within the same country, within
the same social class, and within the same company.
 Key studies reveal that the overriding factor in levelling the ethical
perceptions within a small population is education.
 Employees must be trained and kept aware of a number of topics related
to information security, not the least of which are the expected
behaviours of an ethical employee.
 This is especially important in information security, as many employees
may not have the formal technical training to understand that their
behaviour is unethical or even illegal.
 Proper ethical and legal training is vital to creating an informed, well
prepared, and low-risk system user.

Deterring Unethical and Illegal Behaviour


 There are three general causes of unethical and illegal behaviour:
1. Ignorance
 Ignorance of the law is no excuse; however, ignorance of
policy and procedures is.
 The first method of deterrence is education. This is accomplished
by means of designing, publishing, and disseminating organization
policies and relevant laws, and also obtaining agreement to comply
with these policies and laws from all members of the organization.
Reminders, training, and awareness programs keep the policy
information in front of the individual and thus better support
retention and compliance.
2. Accident
 Individuals with authorization and privileges to manage
information within the organization are most likely to cause harm
or damage by accident.
 Careful planning and control helps prevent accidental modification
to systems and data.
3. Intent
 Criminal or unethical intent goes to the state of mind of the person
performing the act; it is often necessary to establish criminal intent
to successfully prosecute offenders.
 Protecting a system against those with intent to cause harm or
damage is best accomplished by means of technical controls, and
vigorous litigation or prosecution if these controls fail.
 Whatever the cause of illegal, immoral, or unethical behavior, one
thing is certain: it is the responsibility of information security
personnel to do everything in their power to deter these acts and to
use policy, education and training, and technology to protect
information and systems.
 Many security professionals understand the technology aspect of
protection but underestimate the value of policy. However, laws and
policies and their associated penalties only deter if three conditions
are present:
o Fear of penalty—Potential offenders must fear the penalty.
Threats of informal reprimand or verbal warnings may not have the
same impact as the threat of imprisonment or forfeiture of pay.
o Probability of being caught—Potential offenders must believe
there is a strong possibility of being caught. Penalties will not deter
illegal or unethical behaviour unless there is reasonable fear of
being caught.

o Probability of penalty being administered—Potential
offenders must believe that the penalty will in fact be
administered.

6. Discuss in detail about Codes of Ethics and Professional Organizations in
Information Security.
Codes of Ethics and Professional Organizations
 A number of professional organizations have established codes of conduct or
codes of ethics that members are expected to follow.
 Codes of ethics can have a positive effect on people’s judgment regarding
computer use.
 It is the responsibility of security professionals to act ethically and according
to the policies and procedures of their employers, their professional
organizations, and the laws of society.
 It is likewise the organization’s responsibility to develop, disseminate, and
enforce its policies.

Major IT Professional Organizations


 Many of the major IT professional organizations maintain their own codes of
ethics. See Table 2.1.
1. Association for Computing Machinery (ACM)
 The Association for Computing Machinery (ACM) (www.acm.org) is a
respected professional society that was established in 1947 as "the
world’s first educational and scientific computing society."
 It is one of the few organizations that strongly promotes education and
provides discounts for student members.
 The ACM’s code of ethics requires members to perform their duties in
a manner befitting an ethical computing professional.
 The code contains specific references to protecting the confidentiality
of information, causing no harm, protecting the privacy of others, and
respecting the intellectual property and copyrights of others.
 The ACM also publishes a wide variety of professional computing
publications, including the highly regarded Communications of the
ACM.
2. International Information Systems Security Certification Consortium,
Inc. (ISC)2
 The International Information Systems Security Certification
Consortium, Inc. (ISC)2 (www.isc2.org) is a nonprofit organization
that focuses on the development and implementation of information
security certifications and credentials.

 The (ISC)2 manages a body of knowledge on information security and
administers and evaluates examinations for information security
certifications.
 The code of ethics put forth by (ISC)2 is primarily designed for
information security professionals who have earned an (ISC)2
certification, and has four mandatory canons: "Protect society, the
commonwealth, and the infrastructure; act honorably, honestly,
justly, responsibly, and legally; provide diligent and competent service
to principals; and advance and protect the profession."
 This code enables (ISC)2 to promote reliance on the ethicality and
trustworthiness of the information security professional as the
guardian of information and systems.
3. System Administration, Networking, and Security Institute (SANS)
 The System Administration, Networking, and Security Institute
(SANS) (www.sans.org), which was founded in 1989, is a professional
research and education cooperative organization with a current
membership of more than 156,000 security professionals, auditors,
system administrators, and network administrators.
 SANS offers a set of certifications called the Global Information
Assurance Certification, or GIAC.
 All GIAC-certified professionals are required to acknowledge that
certification and the privileges that come from it carry a corresponding
obligation to uphold the GIAC Code of Ethics.
 Those certificate holders that do not conform to this code face
punishment, and may lose GIAC certification.
4. Information Systems Audit and Control Association (ISACA)
 The Information Systems Audit and Control Association (ISACA)
(www.isaca.org) is a professional association that focuses on auditing,
control, and security.
 The membership comprises both technical and managerial
professionals.
 ISACA provides IT control practices and standards, and although it
does not focus exclusively on information security, it does include
many information security components within its areas of
concentration.
 ISACA also has a code of ethics for its professionals, and it requires
many of the same high standards for ethical performance as the other
organizations and certifications.

5. Information Systems Security Association (ISSA)


 The Information Systems Security Association (ISSA)
(www.issa.org) is a nonprofit society of information security
professionals.
 As a professional association, its primary mission is to bring together
qualified information security practitioners for information exchange
and educational development.
 ISSA provides a number of scheduled conferences, meetings,
publications, and information resources to promote information
security awareness and education.
 ISSA also promotes a code of ethics, similar in content to those of
(ISC)2, ISACA, and the ACM, whose focus is "promoting management
practices that will ensure the confidentiality, integrity, and availability
of organizational information resources."

Table 2.1 Professional Organizations of Interest to Information Security
Professionals

6. Describe in detail an overview of Computer Security

 The Basic Components
o Confidentiality
o Integrity
o Availability
 Threats
 Policy and Mechanism
o Goals of Security
 Assumptions and Trust
 Assurance
o Specification
o Design
o Implementation
 Operational Issues
o Cost-Benefit Analysis
o Risk Analysis
o Laws and Customs
 Human Issues
o Organizational Problems
o People Problems

Figure 2.7 - The security life cycle.

An overview of Computer Security


 Figure 2.7 depicts the security life cycle.
 The Basic Components
 Computer security rests on confidentiality, integrity, and availability.
o Confidentiality
 Confidentiality is the concealment of information or resources.
 The need for keeping information secret arises from the use of
computers in institutions with sensitive information such as
government and industry.
 For example, military and civilian institutions in the
government often restrict access to information to those who
need that information.
 Access control mechanisms support confidentiality.
 One access control mechanism for preserving confidentiality is
cryptography, which transforms data to make it
incomprehensible.
 A cryptographic key controls access to the untransformed data,
but then the cryptographic key itself becomes another datum to be
protected.
 Resource hiding is another important aspect of confidentiality.
 Organizations often wish to conceal their network configuration as
well as what systems they are using.
o Integrity
 Integrity refers to the trustworthiness of data or resources, and it
is usually phrased in terms of preventing improper or
unauthorized change.
 Integrity includes data integrity (the content of the information)
and origin integrity (the source of the data, often called
authentication).
 The source of the information may bear on its accuracy and
credibility and on the trust that people place in the information.
 This dichotomy illustrates the principle that the aspect of integrity
known as credibility is central to the proper functioning of a
system.
 Integrity mechanisms fall into two classes:
o prevention mechanisms
o detection mechanisms.
 Prevention mechanisms seek to maintain the integrity of the data
by blocking any unauthorized attempts to change the data or any
attempts to change the data in unauthorized ways.

 Detection mechanisms do not try to prevent violations of integrity;
they simply report that the data’s integrity is no longer
trustworthy.
 Detection mechanisms may analyze system events (user or system
actions) to detect problems or (more commonly) may analyze the
data itself to see if required or expected constraints still hold.
 The mechanisms may report the actual cause of the integrity
violation or they may simply report that the file is now corrupt.
o Availability
 Availability refers to the ability to use information or resources.
 The aspect of availability that is relevant to security is that
someone may deliberately arrange to deny access to data or to a
service by making it unavailable or unusable.
 System designs usually assume a statistical model to analyze
expected patterns of use, and mechanisms ensure availability
when that statistical model holds.
 Attempts to block availability, called denial of service (DoS)
attacks, can be the most difficult to detect.
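The integrity section above distinguishes detection mechanisms that analyze the data itself from those that analyze events, and notes that a mechanism may name the cause of a violation or simply report that the data is corrupt. As an added example (not code from the handout or from the text it summarizes), the data-analysis class in working form: a baseline of SHA-256 digests is recorded for a set of records, a later pass reports which records are modified, missing or unexpected, and a second check tests whether an expected constraint on the data still holds. The record ids, owners, balances and the tampering routine are all constructed for the demo.

```python
"""Added example, not from the handout: a data-integrity detection mechanism.
It records a baseline of SHA-256 digests for a set of records, re-checks them
later and reports which records are no longer trustworthy and why.  A second
check looks at the data itself to see whether an expected constraint still
holds.  Every record id, owner and balance below is constructed.
"""
import copy
import hashlib
import json

# Constructed sample records; nothing here is real data.
RECORDS = {
    "acct-1001": {"owner": "alice", "balance": 250},
    "acct-1002": {"owner": "bob", "balance": 75},
    "acct-1003": {"owner": "carol", "balance": 0},
}


def digest(record):
    """Canonical SHA-256 of one record; sort_keys gives a stable encoding so
    identical content always yields the identical digest."""
    encoded = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def make_baseline(records):
    """Capture the trusted state: one digest per record id."""
    return {rid: digest(rec) for rid, rec in records.items()}


def check_integrity(records, baseline):
    """Detection pass.  Nothing is prevented or repaired; the function only
    reports, per record, that integrity can no longer be trusted and the
    reason (the 'actual cause' the text mentions)."""
    findings = []
    for rid, expected in baseline.items():
        if rid not in records:
            findings.append((rid, "missing"))
        elif digest(records[rid]) != expected:
            findings.append((rid, "modified"))
    for rid in records:
        if rid not in baseline:
            findings.append((rid, "unexpected"))
    return sorted(findings)


def check_constraints(records):
    """Constraint-based detection: report records violating an invariant the
    data is expected to satisfy (here, a balance is never negative)."""
    return sorted(rid for rid, rec in records.items() if rec["balance"] < 0)


def tampered_copy(records):
    """Constructed unauthorized changes used to exercise the checks: one
    balance altered, one record deleted, one record added, one balance pushed
    below zero.  The original dict is left untouched."""
    t = copy.deepcopy(records)
    t["acct-1001"]["balance"] = 250000
    del t["acct-1003"]
    t["acct-9999"] = {"owner": "mallory", "balance": 10}
    t["acct-1002"]["balance"] = -40
    return t


if __name__ == "__main__":
    baseline = make_baseline(RECORDS)
    print("clean:", check_integrity(RECORDS, baseline))  # []
    changed = tampered_copy(RECORDS)
    print("tampered:", check_integrity(changed, baseline))
    print("constraint violations:", check_constraints(changed))
```

The digest check catches any byte-level change but says nothing about whether the new content is plausible; the constraint check catches a class of bad values even when no baseline exists. In practice the baseline itself is the datum to protect, which is the same regress the confidentiality section notes for cryptographic keys.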
 Threats
 A threat is a potential violation of security.
 The actions that could cause a violation to occur must be guarded against.
 Those actions are called attacks. Those who execute such actions,
or cause them to be executed, are called attackers.
 The three security services —
o Confidentiality
o Integrity
o Availability
 Shirey [1739] divides threats into four broad classes:
o disclosure, or unauthorized access to information;
o deception, or acceptance of false data;
o disruption, or interruption or prevention of correct operation;
o usurpation, or unauthorized control of some part of a system.
 These four broad classes encompass many common threats.
1. Snooping or eavesdropping,
o The unauthorized interception of information, is a form of
disclosure.
o It is passive, suggesting simply that some entity is listening to
(or reading) communications or browsing through files or
system information.
o Passive wiretapping is a form of snooping in which a network
is monitored.

o Confidentiality services seek to counter this threat.


2. Modification or alteration,
o An unauthorized change of information.
o Unlike snooping, modification is active.
o Active wiretapping is a form of modification in which data moving
across a network is altered, new data is injected, or parts of the data
are deleted; the term "active" distinguishes it from snooping ("passive"
wiretapping).
o An example is the man-in-the-middle attack, in which an intruder
reads messages from the sender and sends (possibly modified)
versions to the recipient, in hopes that the recipient and sender will
not realize the presence of the intermediary.
o Integrity services (called "authentication services") seek to counter this
threat.
3. Masquerading or spoofing,
o An impersonation of one entity by another, is a form of both deception
and usurpation.
o It lures a victim into believing that the entity with which it is
communicating is a different entity.
o For example, if a user tries to log into a computer across the Internet
but instead reaches another computer that claims to be the desired
one, the user has been spoofed.
o Integrity services (called "authentication services") seek to counter this
threat.
4. Repudiation of origin,
o A false denial that an entity sent (or created) something, is a form of
deception.
o For example, suppose a customer sends a letter to a vendor agreeing
to pay a large amount of money for a product. The vendor ships the
product and then demands payment. The customer denies having
ordered the product and, according to a law in the customer’s state, is
therefore entitled to keep the unsolicited shipment without payment.
The customer has repudiated the origin of the letter. If the vendor
cannot prove that the letter came from the customer, the attack
succeeds.
o Integrity mechanisms try to cope with this threat.
5. Denial of receipt,
o A false denial that an entity received some information or message, is
a form of deception.
o Suppose a customer orders an expensive product, but the vendor
demands payment before shipment.

o The customer pays, and the vendor ships the product.


o The customer then asks the vendor when he will receive the product.
o If the customer has already received the product, the question
constitutes a denial of receipt attack.
o Integrity and availability mechanisms attempt to guard against these
attacks.
6. Delay,
o A temporary inhibition of a service, is a form of usurpation,
although it can play a supporting role in deception.
o Typically, delivery of a message or service requires some time t; if
an attacker can force the delivery to take more than time t, the
attacker has successfully delayed delivery.
o Availability mechanisms seek to counter this threat.
7. Denial of service,
o The attacker prevents a server from providing a service.
o Availability mechanisms seek to counter this threat.

 Policy and Mechanism


 A security policy is a statement of what is, and what is not, allowed.
Policies often require some procedural mechanisms that technology
cannot enforce.
 A security mechanism is a method, tool, or procedure for enforcing a
security policy. Mechanisms can be nontechnical, such as requiring
proof of identity before changing a password.
Goals of Security
o Given a security policy’s specification of “secure” and “nonsecure”
actions, security mechanisms can prevent the attack,
detect the attack, or recover from the attack. The strategies may be
used together or separately.
Prevention means that an attack will fail.
o For example, if one attempts to break into a host over the Internet
and that host is not connected to the Internet, the attack has been
prevented.
o Typically, prevention involves implementation of mechanisms that
restrict users to specific actions.
o Preventative mechanisms such as passwords (which aim to prevent
unauthorized users from accessing the system) have become widely
accepted.
Detection indicates the effectiveness of preventative measures, and is
especially useful when an attack cannot be prevented.

o Detection mechanisms accept that an attack will occur; the goal is
to determine that an attack is under way, or has occurred, and
report it. The attack may be monitored, however, to provide
data about its nature, severity, and results.
o Typical detection mechanisms monitor various aspects of the
system, looking for actions or information indicating an
attack.
o A good example of such a mechanism is one that gives a warning
when a user enters an incorrect password three times.
Recovery has two forms.
o The first is to stop an attack and to assess and repair any damage
caused by that attack.
o As an example, if the attacker deletes a file, one recovery
mechanism would be to restore the file from backup media.
o In a second form of recovery, the system continues to function
correctly while an attack is under way.
o It draws on techniques of fault tolerance as well as techniques of
security and is typically used in safety-critical systems.
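The warning after three incorrect passwords, given above as a typical detection mechanism, as an added example that is not part of the handout: the code parses authentication log lines, counts consecutive failures per user, and emits one warning at the moment a user reaches the threshold, without blocking anything. The log format, user names and addresses are constructed for the demo, and the parser is written for that constructed format only.

```python
"""Added example, not from the handout: an event-based detection mechanism.
It reads authentication log lines and warns when a user has entered an
incorrect password three times in a row.  The log layout, users and
addresses below are constructed for the demo.
"""
import re
from collections import defaultdict

# Constructed sample log in an sshd-like layout; not a real log.
SAMPLE_LOG = """\
2024-05-01T09:00:01 auth: Accepted password for alice from 10.0.0.5
2024-05-01T09:00:07 auth: Failed password for bob from 10.0.0.9
2024-05-01T09:00:12 auth: Failed password for bob from 10.0.0.9
2024-05-01T09:00:20 auth: Accepted password for bob from 10.0.0.9
2024-05-01T09:01:03 auth: Failed password for carol from 10.0.0.7
2024-05-01T09:01:09 auth: Failed password for carol from 10.0.0.7
2024-05-01T09:01:15 auth: Failed password for carol from 10.0.0.7
2024-05-01T09:01:22 auth: Failed password for carol from 10.0.0.7
this line is noise and must be ignored
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<outcome>Accepted|Failed) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)
THRESHOLD = 3  # the "three times" in the text


def parse_line(line):
    """Return a dict for a recognised auth event, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {"ts": m["ts"], "ok": m["outcome"] == "Accepted",
            "user": m["user"], "src": m["src"]}


def detect_failed_logins(log_text, threshold=THRESHOLD):
    """Count consecutive failures per user (a success resets the count) and
    return one (timestamp, user, source) warning per user at the moment the
    threshold is reached.  Nothing is blocked: this only detects and reports."""
    streak = defaultdict(int)
    warnings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue  # unparseable lines are skipped, not treated as failures
        if event["ok"]:
            streak[event["user"]] = 0
            continue
        streak[event["user"]] += 1
        if streak[event["user"]] == threshold:
            warnings.append((event["ts"], event["user"], event["src"]))
    return warnings


if __name__ == "__main__":
    for ts, user, src in detect_failed_logins(SAMPLE_LOG):
        print(f"WARNING {ts}: {THRESHOLD} failed passwords for {user} from {src}")
```

In the sample, bob fails twice and then succeeds, so his streak resets and no warning is raised; carol's third failure produces exactly one warning, and her fourth adds nothing, because the check fires only when the streak equals the threshold rather than whenever it exceeds it.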

 Assumptions and Trust


 Security rests on assumptions specific to the type of security required
and the environment in which it is to be employed; these assumptions
decide whether a policy correctly describes the required level and type
of security for the site.
 Assumption 1 - the policy is a correct description of what
constitutes a "secure" system.
 Assumption 2 - the security policy can be enforced by security
mechanisms. These mechanisms are either secure, precise, or broad.
 Let P be the set of all possible states. Let Q be the set of secure
states. Let the security mechanisms restrict the system to some set
of states R (thus, R ⊆ P).
 A security mechanism is secure if R ⊆ Q; it is precise if R = Q; and
it is broad if there are states r such that r ∈ R and r ∉ Q.

 Assurance
 Trust cannot be quantified precisely.
 System specification, design, and implementation can provide a
basis for determining "how much" to trust a system. This aspect of
trust is called assurance.

 It is an attempt to provide a basis for bolstering (or substantiating
or specifying) how much one can trust a system.
 Assurance in the computer world requires specific steps to ensure
that the computer will function properly.
 The sequence of steps includes detailed specifications of the
desired (or undesirable) behaviour; an analysis of the design of the
hardware, software, and other components to show that the
system will not violate the specifications; and arguments or proofs
that the implementation, operating procedures, and maintenance
procedures will produce the desired behaviour.
o Specification
A specification is a (formal or informal) statement of the desired
functioning of the system. It can be highly mathematical, using
any of several languages defined for that purpose.
o Design
The design of a system translates the specifications into
components that will implement them. The design is said to satisfy
the specifications if, under all relevant circumstances, the design
will not permit the system to violate those specifications.
o Implementation
Given a design, the implementation creates a system that satisfies
that design. If the design also satisfies the specifications, then by
transitivity the implementation will also satisfy the specifications.

 Operational Issues
 Any useful policy and mechanism must balance the benefits of the
protection against the cost of designing, implementing, and using the
mechanism.
o Cost-Benefit Analysis
 Like any factor in a complex system, the benefits of computer
security are weighed against their total cost (including the
additional costs incurred if the system is compromised).
 If the data or resources cost less, or are of less value, than their
protection, adding security mechanisms and procedures is not
cost effective because the data or resources can be
reconstructed more cheaply than the protections themselves.
Unfortunately, this is rarely the case.
o Risk Analysis
 To determine whether an asset should be protected, and to
what level, requires analysis of the potential threats against
that asset and the likelihood that they will materialize.

 The level of protection is a function of the probability of an
attack occurring and the effects of the attack should it succeed.
 If an attack is unlikely, protecting against it typically has a
lower priority than protecting against a likely one.
 If the unlikely attack would cause long delays in the company’s
production of widgets but the likely attack would be only a
nuisance, then more effort should be put into preventing the
unlikely attack.
o Laws and Customs
 Laws restrict the availability and use of technology and affect
procedural controls.
 Hence, any policy and any selection of mechanisms must take
into account legal considerations.

 Human Issues
o Organizational Problems
 Security provides no direct financial rewards to the user.
 It limits losses, but it also requires the expenditure of resources
that could be used elsewhere.
 Unless losses occur, organizations often believe they are
wasting money and effort on security.
 After a loss, the value of these controls suddenly becomes
appreciated.
 Furthermore, security controls often add complexity to
otherwise simple operations.
o People Problems
 The heart of any security system is people.
 This is particularly true in computer security, which deals
mainly with technological controls that can usually be
bypassed by human intervention.
 People who might attack an organization and are not authorized
to use that organization’s systems are called outsiders and can
pose a serious threat.
 Experts agree, however, that a far more dangerous threat comes
from disgruntled employees and other insiders who are
authorized to use the computers.

8. Discuss in detail about Access Control Matrix in information Security.


Access Control Matrix
o Protection State
o Access Control Matrix Model
 Access Control by Boolean Expression Evaluation
 Access Controlled by History
o Copying, Owning, and the Attenuation of Privilege
 Copy Right
 Own Right
 Principle of Attenuation of Privilege

Access Control Matrix


 A protection system describes the conditions under which a system
is secure.
 The access control matrix model arose both in operating systems
research and in database research; it describes allowed accesses
using a matrix.
o Protection State
 The state of a system is the collection of the current values of
all memory locations, all secondary storage, and all registers
and other components of the system.
 The subset of this collection that deals with protection is the
protection state of the system.
 An access control matrix is one tool that can describe the
current protection state.
o Access Control Matrix Model
 The simplest framework for describing a protection system is
the access control matrix model, which describes the rights of
subjects over all entities in a matrix.
 The set of all protected entities (that is, entities that are
relevant to the protection state of the system) is called the set of
objects O.
 The set of subjects S is the set of active objects, such as
processes and users.
 In the access control matrix model, the relationship between
these entities is captured by a matrix A with rights drawn from
a set of rights R in each entry A[s, o], where s is a subject, o is an
object, and A[s, o] ⊆ R.
The subject s has the set of rights A[s, o] over the object o.

The set of protection states of the system is represented by the
triple (S, O, A).
 Figure 2–8 shows the protection state of a system. Here,
process 1, which owns file 1, can read or write file 1 and can
read file 2; process 2 can append to file 1 and read file 2, which
it owns.
 Process 1 can communicate with process 2 by writing to it, and
process 2 can read from process 1. Each process owns itself
and has read, write, and execute rights over itself.

Figure 2.8 An access control matrix. The system has two processes and two
files. The set of rights is {read, write, execute, append, own}.

Figure 2–9 shows an example access control matrix for three systems on a
local area network (LAN).

Figure 2–9 Rights on a LAN. The set of rights is {ftp, mail, nfs, own}.

At the micro level, access control matrices can model programming language
accesses; in this case, the objects are the variables and the subjects are the
procedures (or modules).
The access control matrix is shown in Figure 2–10.

Figure 2–10 Rights in a program

The Bernstein conditions


 The Bernstein conditions ensure that data is consistent. They state
that any number of readers may access a datum simultaneously, but
if a writer is accessing the datum, no other writers or any reader can
access the datum until the current writing is complete.

 Access Control by Boolean Expression Evaluation


 Miller and Baldwin [1347] use an access control matrix to control access
to fields in a database. The values are determined by Boolean
expressions.
 Their objects are records and fields; the subjects are users authorized to
access the databases.
 Types of access are defined by the database and are called verbs; for
example, the Structured Query Language (SQL) would have the verbs
insert and update.
 Each rule, corresponding to a function, is associated with one or more
verbs. Whenever a subject attempts to access an object using a right
(verb) r, the Boolean expression (rule) associated with r is evaluated; if it
is true, access is allowed while if it is false, access is not allowed.
 The Access Restriction Facility (ARF) program exemplifies this approach.
 It defines subjects as having attributes such as a name, a level, a role,
membership in groups, and access to programs, but the user can assign
any meaning desired to any attribute.
 For example,

Verbs have a default rule, either ―closed‖ (access denied unless explicitly
granted; represented by the 0 rule) or ―open‖ (access granted unless
explicitly denied; represented by the 1 rule):
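An added example, written for this section and not the ARF program or any listing from the handout: access control by Boolean expression evaluation in the style of Miller and Baldwin. Each matrix entry is a rule, a Boolean expression over the subject's attributes, evaluated whenever the subject tries to use a verb on an object; each verb carries a default rule, 0 for closed and 1 for open, applied when no explicit rule exists. The subjects, their attributes, the verbs and the rules are all constructed for the demo.

```python
"""Added example, not from the handout and not the ARF program: access
control by Boolean expression evaluation, after Miller and Baldwin.  A matrix
entry is a rule over the subject's attributes, evaluated each time the subject
tries to use a verb on an object.  Every verb has a default rule, 0 (closed)
or 1 (open), used when no explicit rule is defined.  Subjects, attributes,
verbs and rules are all constructed.
"""

# Constructed subject attributes; as in ARF, the meaning of each attribute is
# whatever the administrator decides it to be.
SUBJECTS = {
    "alice": {"level": 3, "role": "clerk", "groups": {"payroll"}},
    "bob": {"level": 1, "role": "intern", "groups": set()},
    "carol": {"level": 5, "role": "auditor", "groups": {"audit", "payroll"}},
}

# Default rule per verb: 0 = closed (deny unless granted), 1 = open
# (grant unless denied).
VERB_DEFAULT = {"select": 1, "insert": 0, "update": 0, "delete": 0}

# Explicit rules keyed by (object, verb).  Each is a Boolean expression over
# the subject's attribute dict.
RULES = {
    ("salary", "select"): lambda a: "payroll" in a["groups"] or a["role"] == "auditor",
    ("salary", "update"): lambda a: (a["level"] >= 3 and "payroll" in a["groups"]
                                     and a["role"] != "auditor"),
    ("salary", "delete"): lambda a: False,  # explicitly denied to everyone
    ("memo", "insert"): lambda a: a["level"] >= 1,
}


def allowed(subject, verb, obj):
    """Evaluate the rule for (obj, verb) against the subject's attributes,
    falling back to the verb's default rule when no explicit rule exists."""
    attrs = SUBJECTS[subject]
    rule = RULES.get((obj, verb))
    if rule is None:
        return VERB_DEFAULT[verb] == 1
    return bool(rule(attrs))


def evaluated_matrix(objects, verbs):
    """Materialise the access control matrix the rules imply:
    subject -> object -> set of permitted verbs."""
    return {s: {o: {v for v in verbs if allowed(s, v, o)} for o in objects}
            for s in SUBJECTS}


if __name__ == "__main__":
    for s, row in evaluated_matrix(["salary", "memo"], list(VERB_DEFAULT)).items():
        print(s, row)
```

Two points the run makes visible: with `select` open by default, bob can read `memo` although no rule mentions him, while the explicit rule on `salary` still denies him; and an explicit `lambda a: False` is how a verb is denied to everyone even when the verb's default would be open.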

Access Controlled by History


 A common problem when running downloaded programs (such as web
applets or plug-ins) is that the program may access the system in
unauthorized ways, such as deleting or modifying configuration and
control files.
 Abadi and Fournet address this by conditioning access rights of a
procedure on the rights of those pieces of code that executed earlier in the
process.
 They associate a set of rights (the "static rights") with each piece of code
and another set of rights (the "current rights") with each process as it
executes.
 When a piece of code runs, the rights of the executing code are the
intersection of the code’s static rights and the process’s current rights.
 Thus, the specific rights that a process has at any point in time are a
function of the pieces of code it has executed.
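An added model of this history-based scheme (not from the notes or from Abadi and Fournet's paper): rights are sets of names, each piece of code has static rights, and a process's current rights shrink to the intersection as code executes; the code-piece and right names are constructed.

```python
# Added example, not from the notes or from Abadi and Fournet: rights are
# sets of names, each piece of code carries static rights, and a process's
# current rights shrink to the intersection as code pieces execute. The
# code-piece names and right names are constructed.
from typing import FrozenSet, List

Rights = FrozenSet[str]
ALL_RIGHTS: Rights = frozenset({"read_config", "write_config", "delete_file", "net"})

# Static rights assigned to each piece of code (constructed sample).
STATIC_RIGHTS = {
    "shell":      ALL_RIGHTS,
    "installer":  frozenset({"read_config", "write_config"}),
    "web_applet": frozenset({"read_config", "net"}),
}


class Process:
    def __init__(self) -> None:
        self.current: Rights = ALL_RIGHTS   # current rights before any code runs
        self.history: List[str] = []

    def run(self, piece: str) -> Rights:
        """Execute a piece of code: it runs with the intersection of its static
        rights and the process's current rights, and that intersection becomes
        the process's new current rights."""
        effective = STATIC_RIGHTS[piece] & self.current
        self.history.append(piece)
        self.current = effective
        return effective

    def may(self, right: str) -> bool:
        return right in self.current


def rights_after(pieces: List[str]) -> Rights:
    """Current rights of a fresh process after executing `pieces` in order."""
    p = Process()
    for piece in pieces:
        p.run(piece)
    return p.current
```

Once a downloaded applet has executed, the process can no longer delete files even if trusted shell code runs afterwards, because the intersection never grows.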

Copying, Owning, and the Attenuation of Privilege


 Copy Right
 Own Right
 Principle of Attenuation of Privilege
Copy Right
 The copy right (often called the grant right) allows the possessor to grant
rights to another.
 By the principle of attenuation, only those rights the grantor possesses
may be copied.
EXAMPLE:
Let c be the copy right, and suppose a subject p has r rights over an object f.
Then the following command allows p to copy r over f to another subject q
only if p has a copy right over f:

If p does not have c rights over f, this command will not copy the r rights to
q.

Own Right
 The own right is a special right that enables possessors to add or delete
privileges for themselves.

 It also allows the possessor to grant rights to others, although to whom
they can be granted may be system- or implementation-dependent.
 The owner of an object is usually the subject that created the object or a
subject to which the creator gave ownership.
Principle of Attenuation of Privilege
 A subject may not increase its rights, nor grant rights it does not possess
to another subject.
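The copy, own and attenuation rules above, as an added example that is not part of the notes: an access control matrix held as sets of right names, with a copy right "c" and an own right "o"; subject, object and right names are constructed.

```python
# Added example, not from the notes: an access control matrix A[s, o] stored
# as sets of right names, with a copy right "c" and an own right "o". The
# commands enforce the principle of attenuation of privilege: a subject can
# only pass on rights it holds itself. Names are constructed.
from collections import defaultdict
from typing import Dict, Set, Tuple

KNOWN_RIGHTS = {"r", "w", "x", "c", "o"}


class AccessControlMatrix:
    def __init__(self) -> None:
        self.A: Dict[Tuple[str, str], Set[str]] = defaultdict(set)

    def rights(self, s: str, o: str) -> Set[str]:
        return self.A[(s, o)]

    def copy_right(self, p: str, f: str, q: str, r: str) -> bool:
        """copy_r(p, f, q): p grants r over f to q. Allowed only if p has the
        copy right c over f AND p itself holds r over f (attenuation)."""
        held = self.rights(p, f)
        if "c" in held and r in held:
            self.rights(q, f).add(r)
            return True
        return False

    def owner_change(self, p: str, f: str, r: str, add: bool = True) -> bool:
        """Own right: the owner adds or deletes a known right for itself. This
        is reconciled with attenuation by treating the owner as implicitly
        holding every right over its own object."""
        if "o" not in self.rights(p, f) or r not in KNOWN_RIGHTS:
            return False
        if add:
            self.rights(p, f).add(r)
        else:
            self.rights(p, f).discard(r)
        return True
```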

9. Explain in detail about security policies and its types in information
security.
Security Policies
 The Nature of Security Policies
 Types of Security Policies
 The Role of Trust
 Types of Access Control
 Policy Languages
o High-Level Policy Languages
o Low-Level Policy Languages

 Security Policies
 A security policy defines “secure” for a system or a set of systems.
 Security policies can be informal or highly mathematical in nature.
 The Nature of Security Policies
 A security policy is a statement that partitions the states of the system
into a set of authorized, or secure, states and a set of unauthorized, or
non secure, states.
 A secure system is a system that starts in an authorized state and
cannot enter an unauthorized state.
 Consider the finite-state machine in Figure 2.11.

Figure 2.11 A simple finite-state machine.


 It consists of four states and five transitions. The security policy
partitions the states into a set of authorized states A = {s1, s2} and a
set of unauthorized states UA = {s3, s4}.
 This system is not secure, because regardless of which authorized
state it starts in, it can enter an unauthorized state. However, if the
edge from s1 to s3 were not present, the system would be secure,
because it could not enter an unauthorized state from an authorized
state.
 A breach of security occurs when a system enters an unauthorized
state.
 Three basic properties relevant to security
Confidentiality
o Let X be a set of entities and let I be some information. Then I has
the property of confidentiality with respect to X if no member of
X can obtain information about I.
Integrity
o Let X be a set of entities and let I be some information or a
resource. Then I has the property of integrity with respect to X if
all members of X trust I.
Availability
o Let X be a set of entities and let I be a resource. Then I has the
property of availability with respect to X if all members of X can
access I.
 Types of Security Policies
 A military security policy (also called a governmental security
policy) is a security policy developed primarily to provide
confidentiality. The name comes from the military’s need to keep
some information secret, such as the date that a troop ship will
sail.
 A commercial security policy is a security policy developed
primarily to provide integrity. The name comes from the need of
commercial firms to prevent tampering with their data, because
they could not survive such compromises.
 Some integrity policies use the notion of a transaction. Like
database specifications, they require that actions occur in such
a way as to leave the database in a consistent state. These policies,
called transaction-oriented integrity security policies, are
critical to organizations that require consistency of databases.
 Confidentiality Policy - With respect to Confidentiality, it
identifies those states in which information leaks to those not
authorized to receive it. This includes the leakage of rights and the
illicit transmission of information without leakage of rights, called
information flow. For example, a contractor working for a company
may be authorized to access proprietary information during the
lifetime of a nondisclosure agreement, but when that
nondisclosure agreement expires, the contractor can no longer
access that information. This aspect of the security policy is often
called a Confidentiality policy.
 Integrity Policy - With respect to integrity, a security policy
identifies authorized ways in which information may be altered and
entities authorized to alter it. Those parts of the security policy
that describe the conditions and manner in which data can be
altered are called the integrity policy.
 Availability Policy - With respect to availability, a security policy
describes what services must be provided.

 Types of Access Control


1. If an individual user can set an access control mechanism to allow
or deny access to an object, that mechanism is a discretionary
access control (DAC), also called an identity-based access control
(IBAC).
2. When a system mechanism controls access to an object and an
individual user cannot alter that access, the control is a
mandatory access control (MAC), occasionally called a rule-based
access control.
3. An originator controlled access control (ORCON or ORGCON) bases
access on the creator of an object (or the information it contains).
The goal of this control is to allow the originator of the file (or of the
information it contains) to control the dissemination of the
information.

 Policy Languages
 A policy language is a language for representing a security policy.
o High-Level Policy Languages
 High-level policy languages express policy constraints on
entities using abstractions.
 A high-level policy language is an unambiguous expression
of policy.
 Such precision requires a mathematical or programmatic
formulation of policy; common English is not precise
enough.
 It provides support for several different types of policies:
authorization policies, delegation policies, information
filtering policies, obligation policies, and refrain
policies.

 Authorization policy specifications, enforced by controllers
associated with the objects that are the targets of actions, fall
into two classes. The first defines allowed actions and the
second disallowed actions.
 Delegation policy specifications describe the delegation of
rights. Here, the network engineers are delegated the authority
to enable, disable, and reconfigure
 Information filtering policy specifications control the
dissemination of information.
 Refrain policy specifications are similar to the authorization
denial policy specifications except that they are enforced by the
subjects, not the target controllers.
 Obligation policy specifications require that specific
actions be taken when certain events occur.
o Low-Level Policy Languages
 Low-level policy languages express constraints in terms of input
or invocation options to programs existing on the systems.
 A low-level policy language is simply a set of inputs or
arguments to commands that set, or check, constraints on a
system.

10. Explain in detail about Confidentiality policies and its types in
information security.
Confidentiality Policies
o Goals of Confidentiality Policies
o The Bell-LaPadula Model
 Informal Description
 Example: Trusted Solaris Formal Model
 Example Model Instantiation: Multics
o Tranquillity

Confidentiality Policies
o Goals of Confidentiality Policies
 A confidentiality policy, also called an information flow policy,
prevents the unauthorized disclosure of information
o The Bell-LaPadula Model
 The Bell-LaPadula Model corresponds to military-style
classifications.


 Informal Description
 The simplest type of confidentiality classification is a set of security
clearances arranged in a linear (total) ordering (see Figure 2.12).

Figure 2.12 - At the left is the basic confidentiality classification
system. The four security levels are arranged with the most sensitive
at the top and the least sensitive at the bottom. In the middle are
individuals grouped by their security clearances, and at the right is a
set of documents grouped by their security levels.
 These clearances represent sensitivity levels. The higher the security
clearance, the more sensitive the information.
 A subject has a security clearance.
 The Bell-LaPadula security model combines mandatory and
discretionary access controls.
 Let L(S) = ls be the security clearance of subject S, and let L(O) = lo be
the security classification of object O. For all security classifications li,
i = 0, ..., k - 1, li < li+1:
Simple Security Condition, Preliminary Version:
S can read O if and only if lo ≤ ls and S has discretionary
read access to O.
*-Property (Star Property), Preliminary Version:
S can write O if and only if lo ≥ ls and S has discretionary
write access to O.
Basic Security Theorem, Preliminary Version:
Let S be a system with a secure initial state s0, and let T be
a set of state transformations. If every element of T
preserves the simple security condition, preliminary version,
and the *-property, preliminary version, then every state si,
i > 0, is secure.

 Let C(S) be the category set of subject S, and let C(O) be the category
set of object O.
Simple Security Condition:
S can read O if and only if S dom O and S has discretionary read
access to O.
*-Property:
S can write to O if and only if O dom S and S has discretionary write
access to O.

Basic Security Theorem:
Let S be a system with a secure initial state s0, and let T be a set
of state transformations. If every element of T preserves the simple
security condition and the *-property, then every state si, i ≥ 0, is
secure.
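The simple security condition and *-property with category sets, as an added example that is not part of the notes. `dom` is taken in its usual Bell-LaPadula sense: (l, C) dominates (l', C') when l' ≤ l and C' ⊆ C; the classifications, categories, subject and object names are constructed.

```python
# Added example, not from the notes: Bell-LaPadula checks with security
# levels that pair a classification with a category set. dom is the usual
# BLP relation: (l, C) dom (l', C') when l' <= l and C' is a subset of C.
# Classifications, categories and names below are constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set

CLASSIFICATIONS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]


@dataclass(frozen=True)
class Level:
    classification: str            # one of CLASSIFICATIONS, l_i < l_{i+1}
    categories: FrozenSet[str]     # category set C(.)

    @property
    def rank(self) -> int:
        return CLASSIFICATIONS.index(self.classification)


def dom(a: Level, b: Level) -> bool:
    """a dom b  <=>  rank(b) <= rank(a) and C(b) is a subset of C(a)."""
    return b.rank <= a.rank and b.categories <= a.categories


@dataclass
class Subject:
    name: str
    level: Level                              # (L(S), C(S))
    dac: Dict[str, Set[str]]                  # discretionary rights per object


def can_read(s: Subject, o_name: str, o_level: Level) -> bool:
    """Simple security condition: S dom O and discretionary read access."""
    return dom(s.level, o_level) and "r" in s.dac.get(o_name, set())


def can_write(s: Subject, o_name: str, o_level: Level) -> bool:
    """*-property: O dom S and discretionary write access."""
    return dom(o_level, s.level) and "w" in s.dac.get(o_name, set())


def can_read_preliminary(s: Subject, o_name: str, o_level: Level) -> bool:
    """Preliminary version: compares classifications only, ignoring categories,
    so it admits reads that the full condition refuses."""
    return o_level.rank <= s.level.rank and "r" in s.dac.get(o_name, set())
```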
o Tranquility
 The principle of tranquility states that subjects and objects may
not change their security levels once they have been
instantiated.
 The tranquility principle actually has two forms:
 The principle of strong tranquility states that security
levels do not change during the lifetime of the system.
 The principle of weak tranquility states that security
levels do not change in a way that violates the rules of a
given security policy.

11. Explain in detail about Integrity policies and different models in
information security
 Integrity is the protection of system data from intentional or accidental
unauthorized changes.
 The challenges of the security program are to ensure that data is
maintained in the state that is expected by the users.
 Although the security program cannot improve the accuracy of the
data that is put into the system by users, it can help ensure that any
changes are intended and correctly applied.
 An additional element of integrity is the need to protect the process or
program used to manipulate the data from unauthorized modification.
 A critical requirement of both commercial and government data
processing is to ensure the integrity of data to prevent fraud and
errors.
 It is imperative, therefore, that no user be able to modify data in a way
that might corrupt or lose assets or financial records or render
decision-making information unreliable.
 Examples of government systems in which integrity is crucial include
air traffic control system, military fire control systems, social security
and welfare systems.
 Examples of commercial systems that require a high level of integrity
include medical prescription system, credit reporting systems,
production control systems and payroll systems.


 Protecting against Threats to Integrity:


 Like confidentiality, integrity can also be compromised by hackers,
masqueraders, unprotected downloaded files, LANs, unauthorized
user activities, and unauthorized programs like Trojan horses and
viruses, because each of these threats can lead to unauthorized
changes to data or programs.
 For example, unauthorized users can corrupt or change data and
programs intentionally or accidentally if their activities on the
system are not properly controlled.
 Generally, three basic principles are used to establish integrity
controls:
o Need-to-know access: Users should be granted access only to
those files and programs that they need in order to perform
their assigned job functions.
o Separation of duties: To ensure that no single employee has
control of a transaction from beginning to end, two or more
people should be responsible for performing it.
o Rotation of duties: Job assignment should be changed
periodically so that it becomes more difficult for the users to
collaborate to exercise complete control of a transaction and
subvert it for fraudulent purposes.

 Integrity Models – Integrity models are used to describe what needs to
be done to enforce the information integrity policy.
 There are three goals of integrity, which the models address in various
ways:
 Preventing unauthorized users from making modifications to data or
programs.
 Preventing authorized users from making improper or unauthorized
modifications.
 Maintaining internal and external consistency of data and programs.

The Biba Model


 The higher the level, the more confidence one has that a program
will execute correctly.
 Data at a higher level is more accurate and/or reliable than data at
a lower level.


Low-Water-Mark Policy
 Whenever a subject accesses an object, the low-water-mark policy
changes the integrity level of the subject to the lower of the subject
and the object.

Ring Policy
 The ring policy ignores the issue of indirect modification and
focuses on direct modification only.

Biba's Model (Strict Integrity Policy)


 The strict integrity policy model is the dual of the Bell-LaPadula
Model, and is most commonly called "Biba's model."
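The three Biba variants above (low-water-mark, ring, strict) side by side, as an added example not taken from the notes; integrity levels are integers with higher meaning more trustworthy, and the subject and object names and levels are constructed.

```python
# Added example, not from the notes: the Biba read, write and execute rules
# for the strict, low-water-mark and ring policies. Integrity levels are
# integers (higher = more trustworthy). Names and levels are constructed.
from dataclasses import dataclass
from typing import Dict


@dataclass
class Subject:
    name: str
    level: int      # i(s); mutable because low-water-mark lowers it


STRICT, LOW_WATER_MARK, RING = "strict", "low-water-mark", "ring"


class BibaMonitor:
    def __init__(self, policy: str, objects: Dict[str, int]) -> None:
        self.policy = policy
        self.objects = objects     # object name -> integrity level i(o)

    def read(self, s: Subject, o: str) -> bool:
        """Strict: read only objects at or above the subject (no read down).
        Low-water-mark: any read is allowed, but the subject drops to
        min(i(s), i(o)). Ring: any read, subject level unchanged (direct
        modification is all the ring policy controls)."""
        io = self.objects[o]
        if self.policy == STRICT:
            return s.level <= io
        if self.policy == LOW_WATER_MARK:
            s.level = min(s.level, io)
        return True

    def write(self, s: Subject, o: str) -> bool:
        """All three policies: write only to objects at or below the subject
        (no write up), so less trusted data cannot overwrite trusted objects."""
        return self.objects[o] <= s.level

    def execute(self, s1: Subject, s2: Subject) -> bool:
        """s1 may execute s2 only if i(s2) <= i(s1)."""
        return s2.level <= s1.level
```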

Lipner's Integrity Matrix Model


Lipner provides two security levels, in the following order (higher to
lower):
 Audit Manager (AM): system audit and management functions are
at this level.
 System Low (SL): any process can read information at this level.
Five categories:
 Development (D): production programs under development and
testing, but not yet in production use
 Production Code (PC): production processes and programs
 Production Data (PD): data covered by the integrity policy
 System Development (SD): system programs under development,
but not yet in production use
 Software Tools (T): programs provided on the production system
not related to the sensitive or protected data
 The security levels for subjects are summarized in Figure 2.13.


Figure 2.13 Security levels for subjects

The security levels for objects are summarized in Figure 2.14.

Figure 2.14 Security levels for Objects

Lipner's Full Model


Lipner then augmented the security classifications with three integrity
classifications (highest to lowest):
 System Program (ISP): the classifications for system programs
 Operational (IO): the classifications for production programs and
development software
 System Low (ISL): the classifications at which users log in
12. Discuss in detail about Hybrid Security Policies .
List Computer Security Hybrid Policies and explain. ND 2023
Hybrid Policies
Chinese Wall Model
Security policy that refers equally to confidentiality and integrity
Describes policies that involve conflict of interest in business
 Def: The objects of the database are items of information related to a
company
 Def: A Company Dataset (CD) contains objects related to a single
company

 Def: A Conflict Of Interest (COI) class contains the datasets of
companies in competition.

CW-Simple Security Condition
S can read O iff either
1. There is an object O' such that S has accessed O' and CD(O') = CD(O), or
2. For all objects O', where PR(S) is the set of previously read objects by S, or
3. O is a sanitized object.

Effects on subjects:
a. Once a subject reads any object in a COI class, the only other objects that
the subject can read in that class are those in the same company dataset, i.e.
once one object is read, no object in another dataset of that class can be read.
b. The minimum number of subjects needed to access each object in a class
is the number of objects in that class.

CW-*-Property
A subject S may write to an object O iff both of the following conditions hold:
1. The CW-Simple security condition permits S to read O
2. unsanitized objects O', S can read O' CD(O') = CD(O)

This prevents a subject from writing sensitive information read from an
unshared object into a shared, common object.
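A reference monitor for the CW-simple security condition and the CW-*-property, as an added example not from the notes or from Brewer and Nash. Clause 2 of the CW-simple condition, whose symbols did not survive extraction above, is used in its standard form: for every O' in PR(S), COI(O') ≠ COI(O); likewise clause 2 of the CW-*-property reads: for all unsanitized O', S can read O' implies CD(O') = CD(O). Company and object names are constructed.

```python
# Added example, not from the notes or from Brewer and Nash: a monitor for
# the Chinese Wall CW-simple security condition and CW-*-property. Each
# object carries its COI class, its company dataset CD and a sanitized flag;
# PR(S) is tracked per subject. Company and object names are constructed.
from dataclasses import dataclass
from typing import Dict, Set


@dataclass(frozen=True)
class Obj:
    coi: str          # conflict-of-interest class, e.g. "banks"
    cd: str           # company dataset, e.g. "bankA"
    sanitized: bool = False


class ChineseWall:
    def __init__(self, objects: Dict[str, Obj]) -> None:
        self.objects = objects
        self.PR: Dict[str, Set[str]] = {}   # subject -> names previously read

    def can_read(self, s: str, o: str) -> bool:
        """CW-simple: (1) S already accessed an object in CD(O), or (2) nothing
        in PR(S) lies in COI(O), or (3) O is sanitized."""
        obj = self.objects[o]
        if obj.sanitized:
            return True
        pr = {self.objects[x] for x in self.PR.get(s, set())}
        if any(x.cd == obj.cd for x in pr):
            return True
        return all(x.coi != obj.coi for x in pr)

    def read(self, s: str, o: str) -> bool:
        """Read O and record it in PR(S) if the condition permits."""
        if not self.can_read(s, o):
            return False
        self.PR.setdefault(s, set()).add(o)
        return True

    def can_write(self, s: str, o: str) -> bool:
        """CW-*-property: S can read O, and every unsanitized object S can
        read lies in CD(O); otherwise S could carry data between datasets."""
        if not self.can_read(s, o):
            return False
        cd = self.objects[o].cd
        return all(obj.sanitized or obj.cd == cd or not self.can_read(s, name)
                   for name, obj in self.objects.items())
```

Because clause 2 of the CW-simple condition lets a subject read any COI class it has not touched, a subject that could still read an unsanitized object in another dataset is refused the write; the test shows the write succeeding only when no such object exists.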
