
Cyber Security Module 3 Notes

Note for cyber data mining

Uploaded by

Sai Dinesh

Amity School of Engineering & Technology

B. Tech (CSE), Semester 7
Subject: Cyber Security
Course Code: CSE436

(Dr. Vikas Kamra, Amity University, Noida)


Topics to be covered

• Computing environment and security
• Cyber security models
• CIA triad
• The star model
• The Parkerian hexad
• Computer security, information security, and information assurance


Learning Objective:

The purpose of this course is to acquaint students with threats, vulnerabilities, and their consequences. The objective is to educate them about the importance of cyber security, its implications for organizations, and the fundamentals of cyber security management.

Learning Outcome:

Describe various types of cyber security models.


Assessment

Continuous Assessment/Internal Assessment: 40%; End Term Examination: 60%

Components (Drop down) | Attendance | Class Test | HA | Quiz | EE
Weightage (%)          | 5          | 15         | 10 | 10   | 60


Computing Environment

• Information System: It is much more than computer hardware. It is the entire set of hardware, software, data, people, and procedures necessary to use information as a resource in an organization.

[Figure: Computing Environment component]

Introduction

• Computers and digital devices are becoming integral to conducting business
– Which also makes them a target of attack
• Devices need to be secured
• Networks that computers and devices use should also be secured


What is a “Secure” Computer System?

• To decide whether a computer system is “secure”, you must first decide what “secure” means to you, then identify the threats you care about.
You Will Never Own a Perfectly Secure System!
• Threats - examples
– Viruses, trojan horses, etc.
– Denial of Service
– Stolen Customer Data
– Modified Databases
– Identity Theft and other threats to personal privacy
– Equipment Theft
– Espionage in cyberspace
– Hack-tivism
– Cyberterrorism
– …

Challenges of computer security

1. Computer security is not simple
2. One must consider potential (unexpected) attacks
3. Procedures used are often counter-intuitive
4. Must decide where to deploy mechanisms
5. Involves algorithms and secret info (keys)
6. A battle of wits between attacker / admin
7. Its benefit is not perceived until it fails
8. Requires constant monitoring
9. Too often an after-thought (not integral)
10. Regarded as an impediment to using the system

Basic Components of Security: Confidentiality, Integrity, Availability (CIA)

• CIA
– Confidentiality: Who is authorized to use data?
– Integrity: Is data “good”?
– Availability: Can data be accessed whenever it is needed?
[Figure: C, I, A and S, where S = Secure]
◼ CIA or CIAAAN… ☺ (other security components added to CIA)
◼ Authentication
◼ Authorization
◼ Non-repudiation
◼ …


CIA Triad

Confidentiality – restrict access to authorized individuals
Integrity – data has not been altered in an unauthorized manner
Availability – information can be accessed and modified by authorized individuals in an appropriate timeframe

Need to Balance CIA

◼ Example 1: C vs. I+A
  ◼ Disconnect computer from Internet to increase confidentiality
  ◼ Availability suffers, integrity suffers due to lost updates
◼ Example 2: I vs. C+A
  ◼ Have extensive data checks by different people/systems to increase integrity
  ◼ Confidentiality suffers as more people see data, availability suffers due to locks on data under verification


Confidentiality

• “Need to know” basis for data access
– How do we know who needs what data?
Approach: access control specifies who can access what
– How do we know a user is the person she claims to be?
Need her identity and need to verify this identity
Approach: identification and authentication
• Analogously: “Need to access/use” basis for physical assets
– E.g., access to a computer room, use of a desktop
• Confidentiality is:
– difficult to ensure
– easiest to assess in terms of success (binary in nature: Yes / No)

Integrity

• Integrity vs. Confidentiality
– Integrity is concerned with unauthorized modification of assets (= resources)
Confidentiality is concerned with access to assets
– Integrity is more difficult to measure than confidentiality
Not binary – degrees of integrity
Context-dependent – means different things in different contexts
Could mean any subset of these asset properties:
{ precision / accuracy / currency / consistency / meaningfulness / usefulness / ... }
• Types of integrity—an example
– Quote from a politician
– Preserve the quote (data integrity) but misattribute (origin integrity)
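The politician-quote case above, as an added example that is not part of the original notes: a plain hash of the quote text only checks data integrity, while a keyed MAC over speaker and quote together also catches misattribution. The key, names and quotes are constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed sample: a key held only by the (hypothetical) publisher.
PUBLISHER_KEY = b"constructed-demo-key-not-for-production"


def content_digest(quote: str) -> str:
    """Digest of the quote text alone: covers data integrity only."""
    return hashlib.sha256(quote.encode("utf-8")).hexdigest()


def seal(record: dict, key: bytes) -> str:
    """Keyed MAC over speaker AND quote: binds the content to its source."""
    canonical = json.dumps(
        {"speaker": record["speaker"], "quote": record["quote"]},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def check(record: dict, digest: str, tag: str, key: bytes) -> dict:
    """Report the two properties separately, as the slide distinguishes them."""
    return {
        "data_integrity": hmac.compare_digest(content_digest(record["quote"]), digest),
        "origin_integrity": hmac.compare_digest(seal(record, key), tag),
    }


# Constructed records for the demonstration.
original = {"speaker": "Politician A", "quote": "We will cut taxes next year."}
digest = content_digest(original["quote"])
tag = seal(original, PUBLISHER_KEY)

# Quote preserved word for word, but attributed to someone else.
misattributed = dict(original, speaker="Politician B")
# Attribution kept, but the text itself changed.
altered = dict(original, quote="We will raise taxes next year.")

if __name__ == "__main__":
    for name, rec in [("original", original),
                      ("misattributed", misattributed),
                      ("altered", altered)]:
        print(name, check(rec, digest, tag, PUBLISHER_KEY))
```

The misattributed record still passes the text-only digest, which is exactly the gap the slide's "origin integrity" names.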


Availability (1)

• Not understood very well yet
“Full implementation of availability is security’s next challenge”
E.g., full implementation of availability for Internet users (while ensuring security)
• Complex
Context-dependent
Could mean any subset of these asset (data or service) properties:
{ usefulness / sufficient capacity / progressing at a proper pace / completed in an acceptable period of time / ... }


Availability (2)

• We can say that an asset (resource) is available if:
– Timely request response
– Fair allocation of resources (no starvation!)
– Fault tolerant (no total breakdown)
– Easy to use in the intended way
– Provides controlled concurrency (concurrency control, deadlock control, ...)


Attacks on CIA

The Parkerian Hexad Model

Why do we need the Parkerian Hexad model?


Limitation of CIA

• Today, data is more valuable and complex than ever.
• The amount of data that is stored electronically has grown exponentially over the last few years.
• In 2021, the amount of data created and replicated will surpass 100.8 zettabytes (1.8 trillion gigabytes) - growing by a factor of 29 in just five years.
• The CIA model also seems very technology driven and does not focus enough on the human element of information security.
• Humans are the biggest threat to security of data today.
• The Parkerian Hexad (PH) is built on the CIA model; its added components provide a more comprehensive and complete model for securing data today.

The Parkerian Hexad

• In 2002, Donn B. Parker, currently a retired information security consultant and researcher, introduced an expanded version of the CIA model that added three additional elements.


Confidentiality

• Confidentiality is probably the most important element of both the CIA model and the Parkerian Hexad.
• It refers to the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
• If your data is not confidential, it is not secure.
• Every organization has some form of sensitive information where only certain people should be allowed access to it.
• If exposed, this information could have damaging effects on the company and/or its customers.

Possession/Control

• The possession/control component is one of Parker’s additions to the CIA model.
• It was added to protect against the idea that confidential data can be possessed and controlled by an unauthorized individual or party without actually violating or breaching confidentiality.
• Parker defines this component as:
“a state of having in or taking into one’s control or holding at one’s disposal; actual physical control of property by one who holds for himself, as distinguished from custody; something owned or controlled.”

Integrity

• Integrity is an original component of the CIA triad.
• It is defined as the ability to prevent data from being changed in an unauthorized or undesirable manner.
• This definition is not limited only to unauthorized parties or intrusions.
• This definition also includes people with authorized access to information assets.
• It is a known fact that employees are one of the biggest threats to data
• Employees sometimes accidentally delete files, enter inaccurate data, save over the wrong file, edit the wrong files, etc.
• File corruption is another concern.
• File corruption can occur while information is being transmitted or stored, or can be caused by viruses.
• To maintain integrity, there not only need to be measures in place to prevent unauthorized and/or undesirable changes to data, but there also need to be ways to undo or recover from those changes when/if they occur.

Authenticity

• Authenticity is another one of Parker’s additions to the CIA model.
• Authenticity refers to the assurance that a message, transaction, or other exchange of information is from the source it claims to be from.
• Authenticity involves proof of identity.
• Today, knowing exactly who you are communicating and sharing data with is key when doing business over the web.
• The internet has given us all the ability to do just about anything and everything from our homes, such as filing our taxes, performing bank transfers, checking credit reports and scores, and paying bills.
• Because of these abilities, and many others, technologies were developed to give customers confidence that the site they are visiting is legitimate and the communication is secure.
• There are several ways to accomplish the goal of authenticity. One of the most common methods used today is the use of digital certificates.

Availability

• Availability is the last component of the original CIA model.
• Availability is defined as the ability to have resources available when needed.
• It is one of the simpler components to describe, but ironically, it is one of the most difficult to safeguard.
• Security professionals today are tasked with the responsibility of securing networks and their resources while also maintaining availability.
• In today’s world, if resources are not available, companies could face very serious consequences such as:
– loss of revenue,
– broken client relationships,
– failure to meet SLAs,
– danger to patient care (in EHR implementations),
– poor outcomes.
• Maintaining and ensuring availability of resources has become one of the biggest tasks for any information support or security professional.

Utility

• Utility simply refers to the usefulness of data.
• This is the last fundamental component of the Parkerian Hexad.
• It focuses on a much overlooked concept when it comes to data.
• The data may meet five of the six PH components (confidentiality, integrity, availability, authenticity, possession/control), but is it in a useful state?
• Utility is often confused or assumed with availability but the two are distinct.
• Parker gave a good brief description of his reasoning for adding utility as a component:
“Information may be available and therefore usable but it doesn’t necessarily have to be in a useful form to be defined as available”
• Utility cannot be overlooked as a vital component to this model.
• If data is not in a useful state or form, it is basically useless.


Tools for Information Security

• Authentication
• Access Control
• Encryption
• Passwords
• Backup
• Firewalls
• Virtual Private Networks (VPN)
• Physical Security
• Security Policies


Authentication

• Ensures that persons accessing the information are who they say they are
• Factors of identification:
– Something you know – user ID and password
  • User ID identifies you while the password authenticates you
  • Easy to compromise if weak password
– Something you have – key or card
  • Can be lost or stolen
– Something you are – physical characteristics (i.e., biometrics)
  • Much harder to compromise
• A combination of at least 2 factors is recommended

Access Control

• Once authenticated, users are given access only to the information necessary to perform their job duties (to read, modify, add, and/or delete information) by:
– Access control list (ACL) created for each resource (information)
  • List of users that can read, write, delete or add information
  • Difficult to maintain all the lists
– Role-based access control (RBAC)
  • Rather than individual lists
  • Users are assigned to roles
  • Roles define what they can access
  • Simplifies administration
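The ACL and RBAC approaches above side by side, as an added example that is not part of the original notes: the same access is granted and later removed both ways, and the number of administrative edits is counted. Resource, role and user names are constructed.

```python
from collections import defaultdict

# Constructed example data: role -> resource -> permissions (all names hypothetical).
ROLE_PERMS = {
    "hr_clerk": {"payroll_db": {"read"}, "hr_records": {"read", "write"},
                 "timesheets": {"read"}},
    "auditor": {"payroll_db": {"read"}, "hr_records": {"read"}},
}


class AclStore:
    """Per-resource lists: resource -> user -> permissions."""
    def __init__(self):
        self.acl = defaultdict(dict)
        self.changes = 0  # administrative edits made so far

    def grant(self, resource, user, perms):
        self.acl[resource].setdefault(user, set()).update(perms)
        self.changes += 1

    def revoke_user(self, user):
        # Every resource list has to be visited to remove one person.
        for entries in self.acl.values():
            if entries.pop(user, None) is not None:
                self.changes += 1

    def allowed(self, user, resource, perm):
        return perm in self.acl.get(resource, {}).get(user, set())


class RbacStore:
    """Users map to roles; roles map to permissions."""
    def __init__(self, role_perms):
        self.role_perms = role_perms
        self.user_roles = defaultdict(set)
        self.changes = 0

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role: {role}")
        self.user_roles[user].add(role)
        self.changes += 1

    def unassign_all(self, user):
        self.changes += len(self.user_roles.pop(user, set()))

    def allowed(self, user, resource, perm):
        roles = self.user_roles.get(user, set())
        return any(perm in self.role_perms[r].get(resource, set()) for r in roles)


def onboard_and_offboard(user="alice", role="hr_clerk"):
    """Give one user the same access both ways, then remove it; count the edits."""
    acl, rbac = AclStore(), RbacStore(ROLE_PERMS)
    for resource, perms in ROLE_PERMS[role].items():
        acl.grant(resource, user, perms)      # one edit per resource list
    rbac.assign(user, role)                   # one edit in total
    result = {"acl_onboard": acl.changes, "rbac_onboard": rbac.changes}
    result["can_write_hr"] = (acl.allowed(user, "hr_records", "write"),
                              rbac.allowed(user, "hr_records", "write"))
    result["can_delete_payroll"] = (acl.allowed(user, "payroll_db", "delete"),
                                    rbac.allowed(user, "payroll_db", "delete"))
    acl.revoke_user(user)
    rbac.unassign_all(user)
    result["acl_total"], result["rbac_total"] = acl.changes, rbac.changes
    result["access_after"] = (acl.allowed(user, "hr_records", "read"),
                              rbac.allowed(user, "hr_records", "read"))
    return result
```

Both stores deny anything not explicitly granted; the difference is that the ACL edit count grows with the number of resources, while the RBAC count stays at one per role change.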


Encryption

• An algorithm (program) encodes or scrambles information during transmission or storage
• Decoded/unscrambled only by authorized individuals so that they can read it
• How is this done?
– Both parties agree on the encryption method (there are many) using keys
  • Symmetric key – sender and receiver have the key, which can be risky
  • Public key – uses a public and a private key: the public key is used to send an encrypted message, and the receiver uses the private key to decode the message

Passwords

• Single-factor authentication (user ID/password) is the easiest to break
• Password policies ensure that this risk is minimized by requiring:
– A certain length to make it harder to guess
– Certain characters – such as upper and lower case, one number, and a special character
– Changing passwords regularly and not allowing a password to be reused
– That employees do not share their password
– Notifying the security department if they feel their password has been compromised
– Yearly confirmation from employees that they understand their responsibilities
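One way to enforce the length, character and no-reuse rules above, as an added example that is not part of the original notes. The minimum length, history depth and PBKDF2 work factor are assumptions, since the slide gives no numbers; the reuse check keeps only salted hashes of earlier passwords.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 12          # assumption: the slide only says "a certain length"
HISTORY_DEPTH = 5        # assumption: how many previous passwords are remembered
PBKDF2_ROUNDS = 100_000  # assumption: work factor for the stored history hashes


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def remember(history: list, password: str) -> None:
    """Store only a salted hash of the password, never the password itself."""
    salt = os.urandom(16)
    history.append((salt, _hash(password, salt)))
    del history[:-HISTORY_DEPTH]  # keep the most recent entries only


def violations(password: str, history: list) -> list:
    """Return the policy rules the candidate breaks (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if not any(c.isupper() for c in password):
        problems.append("no_uppercase")
    if not any(c.islower() for c in password):
        problems.append("no_lowercase")
    if not any(c.isdigit() for c in password):
        problems.append("no_digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no_special")
    # Re-hash the candidate under each stored salt to detect reuse.
    if any(hmac.compare_digest(_hash(password, salt), stored)
           for salt, stored in history):
        problems.append("reused")
    return problems


def change_password(history: list, new_password: str) -> list:
    """Accept the new password only if it breaks no rule; record it if accepted."""
    problems = violations(new_password, history)
    if not problems:
        remember(history, new_password)
    return problems
```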


Backup

• Important information should be backed up and stored in a separate location
– Very useful in the event that the primary computer systems become unavailable
• A good backup plan requires:
– Understanding of the organizational information resources
– Regular backups of all data
– Offsite storage of backups
– Test of the data restoration
• Complementary practices:
– UPS systems
– Backup processing sites


Firewalls

• Can be a piece of hardware and/or software
• Inspects and stops packets of information that don’t apply to a strict set of rules
– Inbound and outbound
• Hardware firewalls are connected to the network
• Software firewalls run on the operating system and intercept packets as they arrive at a computer
• Can implement multiple firewalls to allow segments of the network to be partially secured to conduct business
• Intrusion Detection Systems (IDS) watch for specific types of activities to alert security personnel of potential network attack


Virtual Private Networks (VPN)

• Some systems can be made private using an internal network to limit access to them
– Can’t be accessed remotely and are more secure
– Requires specific connections such as being onsite
• VPN allows users to remotely access these systems over a public network like the Internet
– Bypasses the firewall
– Encrypts the communication or the data exchanged

Physical Security

• Protection of the actual equipment
– Hardware
– Networking components
• Organizations need to identify assets that need to be physically secured:
– Locked doors
– Physical intrusion detection - e.g., using security cameras
– Secured equipment
– Environmental monitoring – temperature, humidity, and airflow for computer equipment
– Employee training

Security Policies

• Starting point in developing an overall security plan
• Formal, brief, and high-level statement issued by senior management
– Guidelines for employee use of the information resources
– Embraces general beliefs, goals, objectives, and acceptable procedures
– Includes company recourse if employees violate the policy
• Security policies focus on confidentiality, integrity, and availability
– Includes applicable government or industry regulations
• Bring Your Own Device (BYOD) policies for mobile devices
– Use when accessing/storing company information
– Intellectual property implications
• Difficult to balance the need for security and users’ needs


Personal Information Security

• Simple steps that individuals can take to be more secure:
– Keep your software up to date
– Install antivirus software
– Use public networks carefully
– Backup your data
– Secure your accounts with two-factor authentication
– Make your passwords long, unique, and strong
– Be suspicious of strange links and attachments

Text Books

• Text Reading:
– Cybersecurity, Wiley Publishers, Nina Godbole and Sunit Belapure
• References:
– Cybersecurity: Managing Systems, Conducting Testing and Investigating Intrusions, Wiley, Thomas J. Mowbray
– Cybersecurity and Cyberwar: What Everyone Needs to Know, Oxford University Press, Peter W. Singer and Allan Friedman
– Enterprise Cybersecurity, Scott Donaldson and Stanley Siegel
– Cybersecurity: The Essential Body of Knowledge, Delmar Cengage Learning, Dan Shoemaker and Wm. Arthur Conklin