Date and Information Security 1-2 Introduction

1.1 History
" By understanding the history of technology security, you might be able to
safeguard against potential threats. Information technology security protects
sensitive assets and property through the use of technology processes and training.
" The examination of the history of information security is important since it
enhances the understanding of the current state of the discipline and helps to
foresee its future.

Security goals form an integral part of the overall information security concept.
Security goals serve as evaluation criteria for information systems and IT security.
Hence, a value of. the goals analysis is in verifying the adequacy of security
evaluation criteria.

Information protection was achieved mainly through the control of physical access
to computers.
" Mainframe computers were protected by using multiple level of security and
maintain the data integrity.
1. Year 1960s

The largest security concerns at this interval were at the points of access. Anyone
with enough knowledge about how to work a computer could break into a facility
and start accessing sensitive data. In order to secure terminals, passwords and
multiple layers of security protection were added to devices.
It was the tine of cold war in the world. For performing complex and
sophisticated task, mainframe computers are connected other machines.
Department of Defense's Advanced Research Project Agency (ARPA) started
project for military. There were need of exchange information with other and
within the military department.
" Larry Roberts, the founder of the Internet, developed the project, which was called
ARPANET.
2. Year 1970s
ARPANET becomes popular and widely used for communication. ARPANET's
facilities
Purpose was always more academic than military, but, as more academic
connected to it.
There was no massive global network connecting every device that wanted to be
Connected, large organizations, especially governments, were starting to link
computers via telephone lines.

TECHNICAL PUBLICATIONS - an up-thrust for knowiedge

Data ard infomation Securty 1-3 Introduction

3. 1980s : From ARPANET to Internet

" The 1980s brought an increase in
high-profile attacks, including those at National
CSs, AT&T, and Los Alamos National
Laboratory.
" The movie war games, in which a rogue
computer program takes over nuclear
missiles systems under the guise of a game, was released in 1983. This was the
same year that the terms Trojan Horse and Computer Virus were first used.
" In 1985, The US department of defense published the
trusted computer system
evaluation criteria (The Orange Book) that provided guidance for security.
" 1987 was the birth year of commercial
antivirus, although there are competing
claims for the innovator of the first antivirus product.
4. Year 1990
With Internet becoming available to the public, more and
more people began
putting their personal information online. Because of this, organised crime entities
saw this as a potential source of revenue and started to steal data from
people and
goverrments via the web.
Towards the end of the 1990s, email was proliferating and while it,
promised to
revolutionize communication, it also opened up anew entry point for viruses.
5. Year 2000
With the internet available in more homes and offices across the
globe,
cybercriminals had more devices and software vulnerabilities to exploit than ever
before. And as more and more data was being kept digitally, there was more to
plunder.
" Information security continued to advance as the internet grew as well but,
unfortunately, so did viruses. Hackers quickly became able to create viruses that
could not only target specific organisations, but whole cities, states and even
continents as wel.

1.2 What is Information Security ?

How to protect the valuable assets? It is necessary to keep in safe place like a
bank to protect the valuable assets. But bank is not a safe place now a day. There
are so many examples where bank robbery in our country.
Bank robbery is the crime of stealing from a bank during opening hours.
Protecting assets was difficult and not always effective.
Now a day, protection is easier because many factors working against the
potential criminal. Very sophisticated alarm and camera systems silently protect
secure places like banks.

TECHNICAL PUBLICATIONs - an up-thrust for knowledge

Data and Information Security 1-4 Introduction

Traditionally information security provided by physical ie. rugged filing cabinets

with locks and administrative mechanisms ie. personnel screening procedures
during húring process.
Asset protection systems are designed to recover stolen cash and high value assets,
apprehend criminals and deter crime. The system has the capacity to track, protect
and manage critical assets in real-time.
The techniques of criminal investigation have become so effective that a person
can be iderntified by genetic material, voice, retinal pattern, fingerprints etc.
Use of networks and communications links requires measures to protect data
during transmission.
Data security is the science and study of methods of protecting data from
unauthorized disclosure and modification.
" Data and information security is about enabling collaboration while managing risk
with an approach that balances availability versus the confidentiality of data.
Computer security : Generic name for the collection of tools designed to protect
data and to hackers.
" Network security : Measures to protect data during their transmission.
Internet security : Measures to protect data during their transmission over a
collection of interconnected networks.

Physical security : To protect physical items, objects, or areas from unauthorized

access and misuse

Personnel security : To protect the individual or group of individuals who are

authorized to access the orgarnization and its operations
Operations security :To protect the details of a particular operation or series of
activities

The Committee on National Security Systems (CNSS) defines information security

as the protection of information and its critical elements, including the systems
and hardware that use, store, and transmit that information.
" Fig. 1.2.1 shows components of information security.
The CNSS model of information security evolved from a concept developed by the
computer security industry called the C.LA. triangle.
The CIA triad is a widely used information security model that can guide an
organization's efforts and policies aimed at keeping its data secure. The model has
nothing to do with the U.S. central intelligence agency; rather, the initials stand for
the three principles on which informnation rests :

TECHNICAL PUBLICATIONS- an up-thrust for knowledge

Data and Infomation Security 1-5 Introduction

Management of
information
security

Policy Network security

Computer and
data security

Fig. 1.2.1 Components of information security

Confidentiality : Only authorized users and processes should be able to access or
modify data
Integrity : Data should be maintained in a correct state and nobody should be
able to improperly modify it, either accidentally or maliciously.
" Availability : Authorized users should be able to access data whenever they need
to do so.

1.2.1 Security Goals

Security goals are as follows : 1. Confidentially 2. ntegrity 3. Availability.
1. Confidentiality
" Confidentiality ensures that no one can read the message exXcept intended receiver.
Confidentiality refers to limiting information access and disclosure to authorized
Users and preventing access by or disclosure to unauthorized ones.
Sensitive information should be kept secret from individuals who are not
authorized to see the information.
C
Underpinning the goal of confidentiality are authentication methods like user - IDs
and paswords that uniquely identity a data system's users, and supporting
control methods that limit each identified user's access to the data systerm's
resources.
Confidentiality is not only applied to storage of data but also applies to the
transmission of information.
Confidentiality means that people cannot read sensitive information, either while it
1S on a computer or while it is traveling across a network.
TECHNICAL PUBLICATIONS® - an up-thrust for
Data and Information Security 1-6 Introduction

2. Integrity
Integrity ensures that received message has not been altered in any way from
origin. It refers to the trustworthiness of information resources. Integrity should
not be altered without detection.
" It includes the concept of "data integrity" namely, that data have not been changed
inappropriately, whether by accident or deliberately malign activity.
" It also includes "origin" or "source integrity that is, that the data actually came
from the person or entity you think it did, rather than an imposter.
Integrity ensures that information is not changed or altered in transit. Under
certain attack models, an adversary may not have to power to impersonate an
authenticated party or understand a confidential communication, but may have the
ability to change the information being transmitted.
" On amore restrictive view, however, integrity of an information system includes
only preservation without corruption of whatever was transmitted or entered into
the system, right or wrong.
3. Availability
Availability refers, to the availability of information resources. An information
system that is not available when you need it is at least as bad as none at al.
Availability means that people who are authorized to use information are not
prevented from doing so. It may be much worse, depending on how reliant the
organization has become on a functioning computer and communications
infrastructure.

" Almost all moderm organizations are highly dependent on functioning information
systems. Many literally could not operate without them.
Availability, like other aspects of security, may be affected by purely technical
issues (e.g8. a malfurnctioning part of a computer or communications device),
natural phenomena (e.g. wind or water), or human causes (acidental or
deliberate).

1.2.2 Key Information Security Concepts

Access : Asubject or object's ability to use, manipulate, modify, or affect another
subject or object. Authorized users have legal access to asystem, whereas hackers
have illegal access to a system. Acess controls regulate this ability.
Asset means people, property and information. People may include employees
and customers along with other invited persons such as contractors or guests.
Property assets consist of both tangible and intangible items that can be assigned a
value.

TECHNICAL PUBLICATIONS - an up-thrust for kncowledge

Data and Information Security 1-7 Introduction

Intangible assets include reputation and proprietary information. Information may

include databases, software code, critical company records and many other
intangible items.
Attack : An attack on system security that derives from an intelligent threat : that
is an
intelligent act that is a deliberate attempt to evade security services and
violate the security policy of a system. Attacks can be active or passive,
intentional or unintentional and direct or indirect.
" Threat : A potential for violation of security, which
exists when there is a
circumstance, capability, action or event that could breach security and cause
harm. That is, a threat is a possible danger that might exploit a
" Control or countermeasure : Security
vulnerability.
mechanisms, policies, or procedures that can
successfully counter attacks, reduce risk, resolve vulnerabilities and otherwise
improve the security within an organization.
Vulnerability :Vulnerability refers to the security flaws in a system that allows an
attack to be successful. Weaknesses or gaps in asecurity program
that
exploited by threats to gain unauthorized access to an asset. Vulnerabilitycanis bea
weakness or gap in our protection efforts.
Vulnerability testing should be performed on an ongoing basis by the parties
responsible forresolving such vulnerabilities and helps to provide data used to
identify unexpected dangers to security that need to be addressed.
Risk : The potential for loss, damage or destruction of an asset as aresult of a
threat exploiting vulnerability. Risk is the intersection of assets, threats, and
vulnerabilities. The formula used to determine risk is,
Risk = Asset + Threat + Vulnerability
1.3 Critical Characteristics of Information
Good information is that which is used and which creates value. The value of
information comes from the characteristics it possesses.
When a characteristic of information changes, the value of that information either
increases, or, more commonly, decreases.
The critical characteristics of information are :
1. Availability : The accessibility of intormation. In computer security, access to
data is usually restricted to particular users, this making it unavailable to
unauthorized users.
2. Accuracy : Freedom from errors due to mistakes in data entry, as opposed to
errors that arise during the transmission or reproduction of information

TECHNICAL PUBLICATIONS an up-thrust for knowledge

1-8 Introduction
Data and Information Security
D

computer security accuracy is essential. Inaccurate information is

Obviously, in
at best useless, and at worst dangerous.
Authenticity : The data is original, rather than a reproduction. In computer
3. information is authentic; that is, that the
security, it is important to ensure that
original produced
information is exactly the same in content and state as the
by its creator.
access to information to authorized
4. Confidentiality : The restriction of sensitive
individuals alone.In computer security, it is essential that
clients, patients
information, especially personal information about employees,
persons. Such a breach of
and customers not be revealed to any unauthorized
confidentiality could be damaging to the persons involved.
reproduction of
5. Integrity :Freedom from errors incurred in the transmission orthe protection of
information. As described under accuracy, it is obvious that
the integrity of information is essential.
6. Utility : The usefulness of information. In computer security, utility depends
users.
on the content of the information and the needs of the Co

7. Possession : Ownership and control of information. Possession of information

means only that one possesses it; whether one can use it is a question of utility
or confidentiality. For instance, if information is stolen, but encrypted or stored
in an unreadable format, possession is breached by the thiet, but not
confidentiality. Likewise, such information would have no utility for the thief.
8. Accountability : The characteristic of accountability exists when a control named
provides assurance that every activity undertaken can be attributed to a
person or automated process. For example, audit logs that track user activity
on an information system provide accountability.
1.4 NSTISSC Security Model
NSTISS (The National Security Telecommunications and Information Systems
Security Committee) determines a standard model for security called the NSTISSC
model that relates between the three proposed security pillars (Confidentiality,
Integrity, Availability), security solutions (Policy, Technology, SETA) and
information states (Storage, Processing Iransmission) and how to assign the
pillars for any information state and by which solution at what point.
The basic objective of NSTISSC model is to secure data in three probable wavs : 1,
a) Using security services.
b) Maintaining information states
c) Setting security counter measures

TECHNICAL PUBLJCATIONS - an up-thrust for knowledoe

Introduction
Dataand Information Security
1-9
information is Introducton

the NSTISSC was renamed the Committee on National

This intormation security model was created by Security Systems (CNSS).
n. In computer John MCCumber called
that is, that the
Cube. McCumber
" The McCumber cube was originally seen as a Rubik-type
ginal produced
assess and evaluate information cubic model used to
security.
to authorized This model helps to build a secure system, by
that sensitive
taking into account the key security
objectives and goals related to the various scenarios
place and a whole range of security where the information takes
-lients, patients measures.
ch abreach of Currently, McCumber is referred to as the CNSS security model
national security systems committee. representing the
eproduction of " Fig. 14.1 shows CNSS or McCumber model.
e protection of
Policyeducaton
technology

atility depends
Confidentiality
of information P o l i
e cdyu c a ttieocnh n o l o g y
Confidentality
estion of utility
pted or stored Integrity
Iintegrity
thief, -but not
for the thief.
hen a control Availabilty Avalability
ed to a named
Storage Processing Transmission Storage Processing Transmission
kuser activity
Fig. 1.4.1 CNSS model
The McCumber Cube as represented in Fig. 1.4.1, shows three
three dimensions of each axis become a 3 x 3 x3 cube with 27 cellsdimensions. The
areas that must be addressed to secure today's information systems. representing
ation Systems
Hthe NSTISSC While the NSTISSCmodel covers the three dimensions of information security, it
Confidentiality, omits discussion of detailed guidelines arnd policies that direct the implementation
SETA) and of controls.
to assign the " Another weakness of using this model with too limited an approach is to view it
t.
from a single perspective.
pable ways : 1.5 Components of an Information System
An information system can be defined technically as a set of interrelated
components that collect (or retrieve), process, store and distribute information to
Support decision making and control in an organization.
TECHNICAL PUBLICA TIONS an up-thrust for
knowledge
introducton
1-10
Data and Information Security

essentially made up of five components hardware,

An information system is people. These five components integrate to
software, database, network and
process, output, feedback and control.
pertorm input,
information system.
Fig. 1.5.1 shows components of
Software
Data
Hardware

Information systems

Tele
People networks
Procedures

Fig. 1.5.1components of information system

Input' consists of
" Information systems activities are input, processing and output. packets
acquisition of the 'raw data', which is transformed into more meaningful
of 'information' by means of 'processing'
The processed information now flows to the users or activities also called as
'output!. The shortcomings are analyzed and the information is sent back to the
appropriate members of the organization to help them evaluate and refine the
input. This is termed as feedback'.
Hardware consists of input/output device, processor, operating system and media
devices. Software consists of various programs and procedures.
Database consists of data organized in the required structure. Network consists of
hubs, communication media and network devices. People consist of device
operators, network administrators and system specialist.
Information processing consists of input; data process, data storage, output and
control. During input stage data instructions are fed to the systems which during
process stage are worked upon by software programs and other queries. During
output stage, data is presented in structured format and reports.
1.6 Balancing Security and Access
Security should be taken as balance between the protection and availability. 10
achieve balance, level of security should allow reasonable access, yet protec
against threats.
Fig. 1.6.1 given below illustrates the basic idea of balancing between security and
access of information system.
TECHNICAL PUBLICATIONS an up-thrust for knowledge
Data and lIntormation Secunty 1- 11 Introduction

Security Access

Fig. 1.6.1
" It is impossible to obtain perfect security : It's a process, not an
should be considered balance between protection and availability.absolute. Security
To achieve balarnce, level of security must allow reasonable
access, the security
level must allow reasonable access, yet protect against threats.
1.7 System Development Life Cycle (SDLC)
The system development life cycle is a project management model that defines the
stages involved in bringing a project from inception to completion. Software
development teams, for example, deploy a variety of systems development life
cycle models that include waterfall, spiral and agile processes.
The system-development life cycle enables users to transform a newly-developed
project into an operational one.
SDLC is a multistep, iterative process, structured in a methodical way. This
process is used to model or provide a framework for technical and non-technical
activities to deliver a quality system which meets or exceeds a business's
expectations or manage decision-making progression.
Traditionally, the systems-development life cycle consisted of five stages. That has
now increased to seven phases. Increasing the number of steps helped systems
analysts to define clearer actions to achieve specific goals. Fig. 1.7.1 shows SDLC
phases.
" The SDLC highlights different stages (phrases Or steps) of the development
process. The life cycle approach is used So users can see and understand what
activities are involved within a given step. t is also used to let them know that at
any time, steps can be repeated or a previous step can be reworked when needing
to modify or improve the system.

TECHNICAL PUBLICATIONS8 - an up-thrust for knowledge

1- 12
Date and intormaion Secursty Introduction

7: Maintenance 1: Planning

6: Implementation, 2: Analysis
SDLC

5: Testing 3: Design

4: Development

Fig. 1.7.1 SDLC phases

1. Planning : The purpose of this phase is to find out the scope of the problem and
determine solutions. Resources, costs, time, benefits and other items should be
considered here.

2. Systems Analysis and Requirements : The second phase is where businesses will
work on the source of their problem or the need for a change. In the event of a
problem, possible solutions are submitted and analyzed to identify the best fit for
the ultimate goal(s) of the project. This is where teams consider the functional
requirements of the project or solution.
3. Systems Design : This phase describes the necessary specifications, features and
operations that will satisfy the functional requirements of the proposed system
which will be in place. This is the step for end users to discuss and determine
their specific business information needs for the proposed system.
4. Development : The fourth phase is when the real work begins, when a
programmer, network engineer and/or database developer are brought on to do
the major work on the project. This work includes using a flow chart to ensure
that the process of the system is properly organized. The development phase
marks the end of the initial section of the process.
5. Integration and Testing : It is normally carried out by a Quality Assurance (QA)
professional to determine if the proposed design meets the initial set of business
goals. Testing may be repeated, specifically to check for errors, bugs and
interoperability. This testing will be performed until the end user finds it
acceptable.
6. Lmplementation :The sixth phase is when the majority of the code for the program
is written. Additionally, this phase involves the actual installation of the
newly-developed system. This step puts the project into production by moving the
data and components from the old system and placing them in the new system.
TECHNICAL PUBLICATIONS -an up-thrust for knowiedge
Data and Information Security 1-13 Introduction

7. Operations and Maintenance : The seventh and final phase involves maintenance
and regular required updates. This step is when end users can
fine-tune the
system, if they wish, to boost performance, add new capabilities or meet
user
requirements additional
1.7.1 Secure SDLC
Security system development life cycde is defined as the series of
procedures in the software development cycde, designed to enable processes and
teams to create software and applications in a manner that development
security risks, eliminating security vulnerabilities and reducingsignificantly reduces
costs. The process,
like the traditional systems developmernt life cyce, is
phases.
divided into a number of
Security in development and support processes is an essential part of a
comprehernsive quality assurance and production control process and usually
involves training and continuous oversight by the most experienced staff.
" Rules for system and software development should be
developed should be
developed. These rules should incorporate secure software development
such as user authentication, session control, logging and data techniques
sanitization. validation and
Fig. 1.7.2 shows information security life cycle

7. Policy creation 1. Planning

2 Policy
6. Risk analysis Security mplementation
life
cycle

5. Security 3. Monitor
assessment

4. Intrusion
detection

Fig. 1.7.2
Security life cycle involves following phases :
1. Planning 2. Policy implementation
3. Monitoring 4. Intrusion detection

TECHNICAL PUBLICATIONS - an up-thrust for knowedge

Data and Infomnation Security 1-14 inbrotu

5. Security assessment 6. Risk analysis

7. Security policy creation.
Security categorization standards help organizations make the appropriate selection
of security controls for their information systems. Security planning ensures that
user fully document any agreed upon security controls, whether they are just
planned or in place.
The security plan also provides a complete characterization or description of the
information system and attachments of or references to key documents that
support the information security program of the agency.
Examples of documents that support the information security program include a
configuration management plan, a contingency plan, an incident response plan. a
security awareness and training plan, rules of behaviour, a risk assessment, a
security test and evaluation results, system interconnection agreements, security
authorizations and accreditations and a plan of action and milestones.
Policy implementation step provides the necessary security authorization of an
information system to process, store, or transmit information that is required.
This authorization is granted by a senior organization official and is based on the
verified effectiveness of security controls to some agreed upon level of assurance
and an identified residual risk to agency assets or operations.
Monitoring ensures that controls continue to be effective in their application
through periodic testing and evaluation. Security control monitoring such as
verifying the continued effectiveness of those controls over time and roporting the
security status of the information system to appropriate agency officials are
essential activities of acomprehensive information security program.
Assessment may be internal or external. The internal assessment is a controlled
network attack simulation that is used to gauge the exposure present on internal
systems, applications, and network devices.
The assessment provides a more structured approach to identifying vulnerabilities
that may go undetected. The goal of an external assessment is to quantify the
security risk that is associated with Internet-connected systems.
Preliminary risk assessment : This step results in an initial description of the
security needs of the system. A preliminary risk assessment should define the
threat environment in which the system will operate.

TECHNICAL PUBLICATIONS -an up-thrust for knowtedgs

transmissions. Ans. Q.2 system Ans. Q.1
analysis. destruction," 1.9 Answer
Q.9 Q.5 Q.1
:
PassiveWhat :
InformationWhat Two
from Keys
ls Marks
is
Two
attacks a informatlon b d d for
unauthorized
passive Multiple
types security
Questions
NICAL
TIONS
are Q.10
ofattack Q.6 Q.2
security Choice
passive in is
the access,
? defined
with Questions
nature
attacks ? b
use,
Answers
as
are ofdisclosure,
- "protecting
an
eavesdropping
release Q.11 Q.7
:
Q3
p-thrust

of
for disruption,
information
message
wledge b
on,
contents or
Q.12 Q.8 0.4
monitoringmodification, and
and information
traffic
of, or
Data and Information Security 1-17 Introduction

Q.3 Define information system.

Ans. : An information system can be defined
techrically as a set of interrelated
components that collect, process, store and distribute information to support decision
making and control in an organization.
0.4 List some common information integrity functions.
Ans. : Identification, authorization, concurrence, liability, endorsement,
of occurrence, registration.
validation, time
Q.5 Define an attack.
Ans. : An attack on system security that derives from an intelligent threat : That is an
intelligent act that is a deliberate attempt to evade security services and violate the
security policy of a system.
0,6 What is SDLC
Ans. : SDLC is a multistep, iterative process, structured in a methodical way. This
process is used to model or provide a framework for techical and non-technical
activities to deliver a quality system which meets or exceeds a business's expectations
or manage decision-making progression.
Q.7 What is computer security and network security?
Ans. : Computer security is a generic name for the collection of tools designed to
protect data and to thwart hackers
Network Security : It measures to protect data during their transmission.
Q,8 List the components of an infomation system.
Ans. : An information system is essentially made up of five components hardware,
software, database, network and people.
Q.9 What are the basic objective of NSTISSC model ?
Ans. : Basic objectives are as follows :
a) Using security services.
b) Maintaining information states
c) Setting security counter measures.
Q.10 What is Vulnerability ?
Ans. : Vulnerability refers to the security flaws in a system that allows an attack to be
successful. Weaknesses or gaps in a security program that can be exploited by threats
to gain unauthorized access to an asset. Vulnerability is a weakness or gap in our
protection efforts.
Q.11 List the names of security goals.
Ans.: The security goals are confidentially, integrity and availability.

TECHNICAL PUBLICATIONS - an up-thrust for knowedge

users.
Data
application
end of Q.13
Ans. modified,value Ans. Q.12
and
: :Information
information
accuracy.
that Explain
Number List Information
it
the isthe
general number noend
of longer Security
measures user has
security accurate. ofexpects.
accuracy
measures
are
policies If
information information when
for
protecting
and it
is 1-18
education free
classification, has
from
the been
confidentiality mistakes
ofintentionally
information
secure
or
errors
document or
of
custodians
information.
unintentionally and
itintroducton
storage, has
and the