Welcome to my blog

Showing posts with label it2042. Show all posts
Showing posts with label it2042. Show all posts

Tuesday, 5 January 2021

IT8073 Information Security

IT8073 Information Security Notes


 UNIT I
   INTRODUCTION
History, What is Information Security?, Critical Characteristics of Information, NSTISSC Security Model, Components of an Information System, Securing the Components, Balancing Security and Access, The SDLC, The Security SDLC
1.1 THE HISTORY OF INFORMATION SECURITY
The history of information security begins with computer security. The need for computer security—that is, the need to secure physical locations, hardware, and software from threats—arose during World War II when the first mainframes, developed to aid computations for communication code breaking were put to use.
Multiple levels of security were implemented to protect these mainframes and maintain the integrity of their data. Access to sensitive military locations, for example, was controlled by means of badges, keys, and the facial recognition of authorized personnel by security guards.
The 1960s
§  During the Cold War, many more mainframes were brought online to accomplish more complex and sophisticated tasks.
§  It became necessary to enable these mainframes to communicate via a less cumbersome process than mailing magnetic tapes between computer centers.
§  In response to this need, the Department of Defense’s Advanced Research Project Agency (ARPA) began examining the feasibility of a redundant, networked communications system to support the military’s exchange of information.
§  Larry Roberts, known as the founder of the Internet, developed the project—which was called ARPANET—from its inception.
§  ARPANET is the predecessor to the Internet (see Figure 1-2 for an excerpt from the ARPANET Program Plan).
The 1970s and 80s
§  During the next decade, ARPANET became popular and more widely used, and the potential for its misuse grew.
§  Because of the range and frequency of computer security violations and the explosion in the numbers of hosts and users on ARPANET, network security was referred to as network insecurity
§  In 1978, a famous study entitled “Protection Analysis: Final Report” was published. It focused on a project undertaken by ARPA to discover the vulnerabilities of operating system security.
§  The movement toward security that went beyond protecting physical locations began with a single paper sponsored by the Department of Defense, the Rand Report R-609, which attempted to define the multiple controls and mechanisms necessary for the protection of a multilevel computer system.
§  In 1967, systems were being acquired at a rapid rate and securing them was a pressing concern for both the military and defense contractors.
§  Multiplexed Information and Computing Service (MULTICS) was the first operating system to integrate security into its core functions. It was a mainframe, time-sharing operating system.
§  In mid-1969, not long after the restructuring of the MULTICS project, created a new
§  operating system called UNIX. While the MULTICS system implemented multiple security levels and passwords, the UNIX system did not.
§  In the late 1970s, the microprocessor brought the personal computer and a new age of computing. The PC became the workhorse of modern computing. This decentralization of data processing systems in the 1980s gave rise to networking— that is, the interconnecting of personal computers and mainframe computers, which enabled the entire computing community to make all their resources work together.
The 1990s
§  This gave rise to the Internet, the first global network of networks. The Internet was made available to the general public in the 1990s, having previously been the domain of government, academia, and dedicated industry professionals.
§  The Internet brought connectivity to virtually all computers that could reach a phone line or an Internet-connected local area network (LAN).
§  As networked computers became the dominant style of computing, the ability to physically secure a networked computer was lost, and the stored information became more exposed to security threats.
2000 to Present
§  Today, the Internet brings millions of unsecured computer networks into continuous communication with each other.
§  Recent years have seen a growing awareness of the need to improve information security, as well as a realization that information security is important to national defense. The growing threat of cyber attacks have made governments and companies more aware of the need to defend the computer-controlled control systems of utilities and other critical infrastructure.
 
1.2 WHAT IS SECURITY?
In general, security is “the quality or state of being secure—to be free from danger.” In other words, protection against adversaries—from those who would do harm, intentionally or otherwise.
A successful organization should have the following multiple layers of security in place to protect its operations:
§  Physical security, to protect physical items, objects, or areas from unauthorized access
§  and misuse
§  Personnel security, to protect the individual or group of individuals who are authorized to access the organization and its operations
§  Operations security, to protect the details of a particular operation or series of activities
§  Communications security, to protect communications media, technology, and content
§ Network security, to protect networking components, connections, and contents Information security, to protect the confidentiality, integrity and availability of information assets, whether in storage, processing, or transmission. It is achieved via the application of policy, education, training and awareness, and technology.
The Committee on National Security Systems (CNSS) defines information security as the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information. Figure 1.1 shows that information security includes the broad areas of information security management, computer and data security, and network security. The CNSS model of information security evolved from a concept developed by the computer security industry called the C.I.A. triangle.
The C.I.A. triangle based on the three characteristics of information that give it value to organizations: confidentiality, integrity, and availability
The threats to the confidentiality, integrity, and availability of information have evolved into a vast collection of events, including accidental or intentional damage, destruction, theft, unintended or unauthorized modification, or other misuse from human or nonhuman threats.


Key Information Security Concepts
Some of these terms are:
Access: A subject or object’s ability to use, manipulate, modify, or affect another subject or object. Authorized users have legal access to a system, whereas hackers have
illegal access to a system. Access controls regulate this ability.
Asset: The organizational resource that is being protected. An asset can be logical, such as a Web site, information, or data; or an asset can be physical, such as a person, computer system, or other tangible object. Assets, and particularly information assets, are the focus of security efforts; they are what those efforts are attempting to protect.
Attack: An intentional or unintentional act that can cause damage to or otherwise compromise information and/or the systems that support it. Attacks can be active or passive, intentional or unintentional, and direct or indirect.
A hacker attempting to break into an information system is an intentional attack. A lightning strike that causes a fire in a building is an unintentional attack. A direct attack is a hacker using a personal computer to break into a system. An indirect attack is a hacker compromising a system and using it to attack other systems.
Direct attacks originate from the threat itself. Indirect attacks originate from a compromised system or resource that is malfunctioning or working under the control of a threat.
Control, safeguard, or countermeasure: Security mechanisms, policies, or procedures
that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise
improve the security within an organization.
Exploit: A technique used to compromise a system. This term can be a verb or a noun.
Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain. Or, an exploit can be a documented process to take advantage of a vulnerability or exposure, usually in software, that is either inherent in the software or is created by the attacker. Exploits make use of existing software tools
or custom-made software components.
Exposure: A condition or state of being exposed. In information security, exposure exists when a vulnerability known to an attacker is present.
Loss: A single instance of an information asset suffering damage or unintended or unauthorized modification or disclosure. When an organization’s information is stolen,
it has suffered a loss.
Protection profile or security posture: The entire set of controls and safeguards, including policy, education, training and awareness, and technology, that the organization implements (or fails to implement) to protect the asset. The terms are sometimes used interchangeably with the term security program, although the security
program often comprises managerial aspects of security, including planning, personnel,
and subordinate programs.
Risk: The probability that something unwanted will happen. Organizations must minimize risk to match their risk appetite—the quantity and nature of risk the organization is willing to accept.
Subjects and objects: A computer can be either the subject of an attack—an agent entity used to conduct the attack—or the object of an attack—the target entity, as shown in Figure 1.2. A computer can be both the subject and object of an attack, when, for example, it is compromised by an attack (object), and is then used to attack other systems (subject).
Figure 1.2 Computer as the Subject and Object of an Attack

Threat: A category of objects, persons, or other entities that presents a danger to an asset. Threats are always present and can be purposeful or undirected. For example, hackers purposefully threaten unprotected information systems, while severe storms incidentally threaten buildings and their contents.
Threat agent: The specific instance or a component of a threat.
Vulnerability: A weaknesses or fault in a system or protection mechanism that opens it to attack or damage. Some examples of vulnerabilities are a flaw in a software package, an unprotected system port, and an unlocked door.
 
1.3 CRITICAL CHARACTERISTICS OF INFORMATION
The value of information comes from the characteristics it possesses. When a characteristic of information changes, the value of that information either increases, or, more commonly, decreases. Some characteristics affect information’s value to users more than others do.
Each critical characteristic of information—that is, the expanded C.I.A. triangle—is defined in the sections below.
1. Availability
Availability enables authorized users—persons or computer systems—to access information without interference or obstruction and to receive it in the required format.
For example, research libraries that require identification before entrance. Librarians protect the contents of the library so that they are available only to authorized patrons. The librarian must accept a patron’s identification before that patron has free access to the book stacks.
2. Accuracy
Information has accuracy when it is free from mistakes or errors and it has the value that the end user expects. If information has been intentionally or unintentionally modified, it is no longer accurate.
for example, a checking account. You assume that the information contained in your checking account is an accurate representation of your finances. Incorrect information in your checking account can result from external or internal errors. Or, you may accidentally enter an incorrect amount into your account register. Either way, an inaccurate bank balance could cause you to make mistakes, such as bouncing a check.
3. Authenticity
Authenticity of information is the quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is in the same state in which it was created, placed, stored, or transferred.
For example, When you receive e-mail, you assume that a specific individual or group created and transmitted the e-mail—you assume you know the origin of the e-mail. This is not always the case. E-mail spoofing, the act of sending an e-mail message with a modified field, is a problem for many people today, because often the modified field is the address of the originator. Spoofing the sender’s address can fool e-mail recipients into thinking that messages are legitimate traffic, thus inducing them to open e-mail they otherwise might not have. Spoofing can also alter data being transmitted across a network, as in the case of user data protocol (UDP) packet spoofing, which can enable the attacker to get access to data stored on computing systems.
Pretending to be someone you are not is sometimes called pretexting when it is undertaken by law enforcement agents or private investigators. When used in a phishing
attack, e-mail spoofing lures victims to a Web server that does not represent the organization it purports to, in an attempt to steal their private data such as account numbers and passwords.
4. Confidentiality
Information has confidentiality when it is protected from disclosure or exposure to unauthorized individuals or systems. Confidentiality ensures that only those with the rights and privileges to access information are able to do so. When unauthorized individuals or systems can view information, confidentiality is breached. To protect the confidentiality of information, you can use a number of measures, including the following:
Information classification
Secure document storage
Application of general security policies
Education of information custodians and end users
5. Integrity
Information has integrity when it is whole, complete, and uncorrupted. The integrity of information is threatened when the information is exposed to corruption damage, destruction, or other disruption of its authentic state. Corruption can occur while information is being stored or transmitted. Many computer viruses and worms are designed with the explicit purpose of corrupting data.
Noise in the transmission media, for instance, can also cause data to lose its integrity. Transmitting data on a circuit with a low voltage level can alter and corrupt the data. Redundancy bits and check bits can compensate for internal and external threats to the integrity of information.
During each transmission, algorithms, hash values, and the error-correcting codes ensure the integrity of the information. Data whose integrity has been compromised is
retransmitted.
6. Utility
The utility of information is the quality or state of having value for some purpose or end. Information has value when it can serve a purpose. If information is available, but is not in a format meaningful to the end user, it is not useful.
7. Possession
The possession of information is the quality or state of ownership or control. Information is said to be in one’s possession if one obtains it, independent of format or
other characteristics. While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality. For example, assume a company stores its critical customer data using an encrypted file system. An employee who has quit decides to take a copy of the tape backups to sell the customer records to the competition. The removal of the tapes from their secure environment is a breach of possession. But, because the data is encrypted, neither the employee nor anyone else can read it without the proper decryption methods; therefore, there is no breach of confidentiality.
 
1.4 NSTISSC SECURITY MODEL
National Security Telecommunications & Information systems security committee’ document.
It is now called the National Training Standard for Information security professionals.
The NSTISSC Security Model provides a more detailed perspective on security.
While the NSTISSC model covers the three dimensions of information security, it omits discussion of detailed guidelines and policies that direct the implementation of controls.
Another weakness of using this model with too limited an approach is to view it from a single perspective.
The 3 dimensions of each axis become a 3x3x3 cube with 27 cells representing areas that must be addressed to secure today’s Information systems.
To ensure system security, each of the 27 cells must be properly addressed during the security process.
For example, the intersection between technology, integrity, and storage requires a control or safeguard that addresses the need to use technology to protect the integrity of information while in storage.
One such control might be a system for detecting host intrusion that protects the integrity of information by alerting the security administrators to the potential modification of a critical file.
-For ex,the intersection between technology, Integrity & storage areas requires a control or safeguard that addresses the  need to use technology to protect the Integrity of information while in storage.

Figure 1.3 The McCumber Cube

 1.5 COMPONENTS OF AN INFORMATION SYSTEM

An information system (IS) is much more than computer hardware; it is the entire set of software, hardware, data, people, procedures, and networks that make possible the use of information resources in the organization (Fig 1.4). These six critical components enable information to be input, processed, output, and stored. Each of these IS components has its own strengths and weaknesses, as well as its own characteristics and uses. Each component of the information system also has its own security requirements.


Figure 1.4 Components of an Information System

Software

The software components of IS comprises applications, operating systems, and assorted command utilities. Software programs are the vessels that carry the lifeblood of information through an organization. These are often created under the demanding constraints of project management, which limit time, cost, and manpower.

 

Hardware

Hardware is the physical technology that houses and executes the software, stores and carries the data, and provides interfaces for the entry and removal of information from the system. Physical security policies deal with hardware as a physical asset and with the protection of these physical assets from harm or theft. Applying the traditional tools of physical security, such as locks and keys, restricts access to and interaction with the hardware components of an information system. Securing the physical location of computers and the computers themselves is important because a breach of physical security can result in a loss of information. Unfortunately, most information systems are built on hardware platforms that cannot guarantee any level of information security if unrestricted access to the hardware is possible.

 

Data

·        Data stored, processed, and transmitted through a computer system must be protected.

·        Data is often the most valuable asset possessed by an organization and is the main target of intentional attacks.

·        The raw, unorganized, discrete(separate, isolated) potentially-useful facts and figures that are later processed(manipulated) to produce information.

 

People

There are many roles for people in information systems. Common ones include

·        Systems Analyst

·        Programmer

·        Technician

·        Engineer

·        Network Manager

·        MIS ( Manager of Information Systems )

·        Data entry operator

 

Procedures

A procedure is a series of documented actions taken to achieve something. A procedure is more than a single simple task. A procedure can be quite complex and involved, such as performing a backup, shutting down a system, patching software.

 

Networks

·        When information systems are connected to each other to form Local Area Network (LANs), and these LANs are connected to other networks such as the Internet, new security challenges rapidly emerge.

·        Steps to provide network security are essential, as is the implementation of alarm and intrusion systems to make system owners aware of ongoing compromises.

 

1.6 SECURING COMPONENTS

Protecting the components from potential misuse and abuse by unauthorized users.

Subject of an attack

Computer is used as an active tool to conduct the attack.

Object of an attack

Computer itself is the entity being attacked

Two types of attacks:

1. Direct attack

2. Indirect attack


Figure 1.5 Attack

1. Direct attack

When a Hacker uses his personal computer to break into a system.[Originate from the threat itself]

2. Indirect attack

When a system is compromised and used to attack other system.

[Originate from a system or resource that itself has been attacked, and is malfunctioning or working under the control of a threat].

A computer can, therefore, be both the subject and object of an attack when, for example, it is first the object of an attack and then compromised and used to attack other systems, at which point it becomes the subject of an attack.

 

1.7 BALANCING INFORMATION SECURITY AND ACCESS

§      Has to provide the security and is also feasible to access the information for its  application.

§      Information Security cannot be an absolute: it is a process, not a goal.

§      Should balance protection and availability.

Approaches to Information Security Implementation

§         Bottom- up- approach.

§        Top-down-approach

ü  Has higher probability of success.

ü  Project is initiated by upper level managers who issue policy & procedures &

processes.

ü  Dictate the goals & expected outcomes of the project.

ü  Determine who is suitable for each of the required action.

Fig 6 Approaches to Information Security Implementation



 1.8 The Systems Development Life Cycle (SDLC)


Fig 7 SDLC Waterfall Methodology


-         It is the most important phase and it begins with an examination of the event or plan that initiates the process.

-         During this phase, the objectives, constraints, and scope of the project are specified.

-         At the conclusion of this phase, a feasibility analysis is performed, which assesses the economic, technical and behavioral feasibilities of the process and ensures that implementation is worth the organization’s time and effort.

Analysis

-         It begins with the information gained during the investigation phase.

-         It consists of assessments (quality) of the organization, the status of current systems, and the capability to support the proposed systems.

-         Analysts begin by determining what the new system is expected to do, and how it will interact with existing systems.

-         This phase ends with the documentation of the findings and an update of the feasibility analysis.

Logical Design

-         In this phase, the information gained from the analysis phase is used to begin creating a systems solution for a business problem.

-         Based on the business need, applications are selected that are capable of providing needed services.

-         Based on the applications needed, data support and structures capable of providing the needed inputs are then chosen.

-         In this phase, analysts generate a number of alternative solutions, each with corresponding strengths and weaknesses, and costs and benefits.

-         At the end of this phase, another feasibility analysis is performed.

 

Physical design

-         In this phase, specific technologies are selected to support the solutions developed in the logical design.

-         The selected components are evaluated based on a make-or-buy decision.

-         Final designs integrate various components and technologies.

Implementation

-         In this phase, any needed software is created.

-         Components are ordered, received and tested.

-         Afterwards, users are trained and supporting documentation created.

-         Once all the components are tested individually, they are installed and tested as a system.

-         Again a feasibility analysis is prepared, and the sponsors are then presented with the system for a performance review and acceptance test.

Maintenance and change

-         It is the longest and most expensive phase of the process.

-         It consists of the tasks necessary to support and modify the system for the remainder of its useful life cycle.

-         Periodically, the system is tested for compliance, with business needs.

-         Upgrades, updates, and patches are managed.

-         As the needs of the organization change, the systems that support the organization must also change.

-         When a current system can no longer support the organization, the project is terminated and a new project is implemented.

 

The Security Systems Development Life Cycle (Sec SDLC )

-         The same phases used in the traditional SDLC can be adapted to support the implementation of an information security project.

Investigation

-         This phase begins with a directive from upper management, dictating the process, outcomes, and goals of the project, as well as its budget and other constraints.

-         Frequently, this phase begins with an enterprise information security policy, which outlines the implementation of a security program within the organization.

-         Teams of responsible managers, employees, and contractors are organized.

-         Problems are analyzed.

-         Scope of the project, as well as specific goals and objectives, and any additional constraints not covered in the program policy, are defined.

-         Finally, an organizational feasibility analysis is performed to determine whether the organization has the resources and commitment necessary to conduct a successful security analysis and design.

Analysis

-         In this phase, the documents from the investigation phase are studied.

-         The developed team conducts a preliminary analysis of existing security policies or programs, along with that of documented current threats and associated controls.

-         The risk management task also begins in this phase.

-Risk management is the process of identifying, assessing, and evaluating the levels of risk facing the organization, specifically the threats to the organization’s security and to the information stored and processed by the organization.

 

Logical design

-         This phase creates and develops the blueprints for information security, and examines and implements key policies.

-         The team plans the incident response actions.

-         Plans business response to disaster.

-         Determines feasibility of continuing and outsourcing the project.

Physical design

-         In this phase, the information security technology needed to support the blueprint outlined in the logical design is evaluated.

-         Alternative solutions are generated.

-         Designs for physical security measures to support the proposed technological solutions are created.

-         At the end of this phase, a feasibility study should determine the readiness of the organization for the proposed project.

-         At this phase, all parties involved have a chance to approve the project before implementation begins.

Implementation

-         Similar to traditional SDLC

-         The security solutions are acquired ( made or bought ), tested, implemented, and tested again

-         Personnel issues are evaluated and specific training and education programs are conducted.

-         Finally, the entire tested package is presented to upper management for final approval.

Maintenance and change

-         Constant monitoring, testing, modification, updating, and repairing to meet changing threats have been done in this phase.

 

Security Professionals and the organization

Senior management

            Chief information Officer (CIO) is the responsible for

è Assessment

è Management

è And implementation of information security in the organization

Information Security Project Team

·        Champion

-         Promotes the project

-         Ensures its support, both financially & administratively.

·        Team Leader

- Understands project management

- Personnel management

- And information Security technical requirements.

·        Security policy developers

-         individuals who understand the organizational culture,

-         existing policies

-         Requirements for developing & implementing successful policies.

·        Risk assessment specialists

-         Individuals who understand financial risk assessment techniques.

-          The value of organizational assets,

-         and the security methods to be used.

·        Security Professionals

-         Dedicated

-         Trained, and well educated specialists in all aspects of information security from both a technical and non technical stand point.

·        System Administrators

-         Administrating the systems that house the information used by the organization.

·        End users

 

Three types  

1.      Data owners

2.      Data custodians

3.      Data users

 

1. Data Owners

-         Responsible for the security and use of a particular set of information.

-         Determine the level of data classification

-         Work with subordinate managers to oversee the day-to-day administration of the data.

2. Data Custodians

-         Responsible for the storage, maintenance, and protection of the information.

-         Overseeing data storage and backups

-         Implementing the specific procedures and policies.

3. Data Users (End users)

            - Work with the information to perform their daily jobs supporting the mission of the organization.

-         Everyone in the organization is responsible for the security of data, so data users are included here as individuals with an information security role.

 

Key Terms in Information Security Terminology

 Asset

            -An asset is the organizational resource that is being protected.

            -An Asset can be logical ,such as

è Website, information or data

           - Asset can be physical, such as

è person , computer system

Attack

-         An attack is an intentional or unintentional attempt to cause damage to or otherwise compromise the information and /or the systems that support it. If someone casually reads sensitive information not intended for his use, this is considered a passive attack. If a hacker attempts to break into an information system, the attack is considered active.

Risk

-         Risk is the probability that something can happen. In information security, it could be the probability of a threat to a system.

Security Blueprint

-         It is the plan for the implementation of new security measures in the organization. Sometimes called a frame work, the blueprint presents an organized approach to the security planning process.

Security Model

            - A security model is a collection of specific security rules that represents the implementation of a security policy.

Threats

            -A threat is a category of objects, persons, or other entities that pose a potential danger to an asset. Threats are always present. Some threats manifest themselves in accidental occurrences, while others are purposeful. For example, all hackers represent potential danger or threat to an unprotected information system. Severe storms are also a threat to buildings and their contents.

Threat agent

-         A threat agent is the specific instance or component of a threat. For example, you can think of all hackers in the world as a collective threat, and Kevin Mitnick, who was convicted for hacking into phone systems, as a specific threat agent. Likewise, a specific lightning strike, hailstorm, or tornado is a threat agent that is part of the threat of severe storms.

Vulnerability

-         Weaknesses or faults in a system or protection mechanism that expose information to attack or damage are known as vulnerabilities. Vulnerabilities that have been examined, documented, and published are referred to as well-known vulnerabilities.

Exposure

-         The exposure of an information system is a single instance when the system is open to damage. Vulnerabilities can cause an exposure to potential damage or attack from a threat. Total exposure  is the degree to which an organization’s assets are at risk of attack from a threat..