CH 1
INTRODUCTION
By: Mr. Joseph Wanambwa
Tel: +256703600655
Slide 3
Definition of Terms cont…
1. Information security: protecting information and
information systems from unauthorized access,
use, disclosure, disruption, modification,
perusal, inspection, recording or destruction.
Slide 5
The 1960s
During the 1960s, the Department of Defense’s
Advanced Research Procurement Agency (ARPA)
began examining the feasibility of a redundant
networked communications system designed to
support the military’s need to exchange information.
Slide 6
The 1970s and 80s
ARPANET grew in popularity, as did its potential
for misuse.
Read more about:
- ARPANET,
- R-600,
- Evolution of the Internet, and
- Network computing
Slide 7
III. LAYERS OF SECURITY
What is Security? “The quality or state of being
secure: to be free from danger”; to be protected
from adversaries.
A successful organization should have multiple
layers of security in place:
– Physical security - to protect the physical items,
objects, or areas of an organization from unauthorized
access and misuse.
– Personal security – to protect the individual or group of
individuals who are authorized to access the
organization and its operations.
Slide 8
Layers of Security cont…
– Operations security – to protect the details of a
particular operation or series of activities.
Slide 10
IV. Critical Characteristics Of Information
The C.I.A. triangle has expanded into a list of
critical characteristics of information:
1. Confidentiality
2. Integrity
3. Availability
4. Authenticity
5. Non-repudiation
Slide 12
Critical Characteristics cont …
Availability: For any information system to serve its
purpose, the information must be available when it is
needed. This means that the computing systems
used to store and process the information, the
security controls used to protect it, and the
communication channels used to access it must be
functioning correctly.
High availability systems aim to remain available at
all times, preventing service disruptions due to power
outages, hardware failures, and system upgrades.
Ensuring availability also involves preventing
denial-of-service attacks.
Slide 13
Critical Characteristics cont …
Authenticity: It is necessary to ensure that the data,
transactions, communications or documents
(electronic or physical) are genuine. It is also
important for authenticity to validate that both parties
involved are who they claim they are.
Non-repudiation: This implies one's intention to
fulfill their obligations to a contract. It also implies
that one party of a transaction cannot deny having
received a transaction nor can the other party deny
having sent a transaction.
Slide 14
V. Components of an Information System
To fully understand the importance of information
security, you need to know the elements of an
information system.
Slide 15
Securing the Components
The computer can be the subject of an attack, the
object of an attack, or both.
When a computer is
– the subject of an attack, it is used as an active
tool to conduct the attack
– the object of an attack, it is the entity being
attacked
Slide 16
Figure 1-1 – Subject and Object of Attack
Slide 17
Balancing Security and Access
It is impossible to obtain perfect security: security
is not an absolute, it is a process.
Security should be considered a balance
between protection and availability.
Slide 18
Figure 1-2 – Balancing Security &Access
Slide 19
Bottom Up Approach
Security from a grass-roots effort: systems
administrators attempt to improve the security of
their systems.
Slide 20
Approaches to Security Implementation
Slide 21
Top-down Approach
Initiated by upper management:
– issue policy, procedures, and processes
– dictate the goals and expected outcomes of
the project
– determine who is accountable for each of the
required actions
This approach has strong upper management
support, a dedicated champion, dedicated
funding, clear planning, and the chance to
influence organizational culture
May also involve a formal development strategy
referred to as a systems development life cycle
– the most successful form of the top-down approach
Slide 22
VI. NEED FOR SECURITY
Information security performs four important functions for
an organization:
1. Protects the organization’s ability to function
“information security is a management issue in
addition to a technical issue, it is a people issue in
addition to the technical issue.”
To assist management in addressing the needs for
information security, communities of interest must
communicate in terms of business impact and the
cost of business interruption and avoid arguments
expressed only in technical terms.
Slide 23
Need for Security Cont …
2. ENABLE THE SAFE OPERATION OF
APPLICATIONS
Today’s organizations are under immense pressure to
create and operate integrated, efficient, and capable
applications.
Slide 24
Need for Security cont …
3. PROTECTING DATA
Many organizations realize that one of their most
valuable assets is their data, because without data, an
organization loses its record of transactions and/or its
ability to deliver value to its customers.
Slide 26
VII. ACCESS CONTROL
The term Access Control is somewhat ambiguous.
To some it could be interpreted as controlling
access to a system from an external source,
e.g. through logging into the system.
Slide 28
Access control cont…
If the user's credentials match the MAC
security label properties of the object, access
is allowed.
Mandatory Access Control is by far the most
secure access control environment, but it does
not come without a price. Firstly, MAC
requires a considerable amount of planning
before it can be effectively implemented.
E.g. intra-departmental access, Internet café
access controllers/timers.
Slide 29
Access control cont…
Discretionary Access Control (DAC) allows each
user to control access to their own data. DAC is
typically the default access control mechanism for
most desktop operating systems.
Each resource object on a DAC-based system has
an Access Control List (ACL) associated with it. An
ACL contains a list of users and groups to which the
owner has permitted access, together with the level of
access for each user or group,
e.g. Read, Write or Full Control access.
A user can only set access permissions for
resources which they already own.
Slide 30
Access control cont…
Role Based Access Control (RBAC), also known
as Non-discretionary Access Control, takes more of a
real-world approach to structuring access control.
Access under RBAC is based on a user's job
function within the organization to which the
computer system belongs.
Essentially, RBAC assigns permissions to particular
roles in an organization. Users are then assigned to
that particular role. For example, an accountant in a
company will be assigned to the Accountant role,
gaining access to all the resources permitted for all
accountants on the system.
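As an added illustration, not code from the slides, the three schemes described above reduced to a minimal Python model: a MAC label comparison (the "clearance dominates label" rule is an assumption, since the slides only say the credentials must match the object's label), a DAC object whose ACL only its owner may change, and RBAC where users reach permissions only through roles. All users, roles and labels are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

# MAC: labels are fixed by the system, not by resource owners. One common
# comparison rule (assumed here, not stated on the slides) grants access when
# the subject's clearance dominates the object's label.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def mac_allows(subject_clearance: str, object_label: str) -> bool:
    return LEVELS[subject_clearance] >= LEVELS[object_label]


# DAC: every object carries an ACL, and only the owner may edit it.
@dataclass
class DacObject:
    owner: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # principal -> rights

    def grant(self, actor: str, principal: str, rights: Set[str]) -> None:
        # The slides' rule: a user can only set permissions on resources they own.
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own this resource")
        self.acl.setdefault(principal, set()).update(rights)

    def allows(self, principal: str, right: str) -> bool:
        return right in self.acl.get(principal, set())


# RBAC: permissions attach to roles; users are then assigned to roles.
ROLE_PERMISSIONS = {
    "accountant": {"ledger:read", "ledger:write"},
    "clerk": {"ledger:read"},
}
USER_ROLES = {"alice": {"accountant"}, "bob": {"clerk"}}   # constructed sample users


def rbac_allows(user: str, permission: str) -> bool:
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))
```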
Slide 31
VIII. AUTHENTICATION
Authentication involves the prevention of
unauthorized access to computer systems.
Authentication takes a variety of forms, ranging from
verifying account credentials (using, amongst other
things, a login name and password) to physical
identity verification (using biometrics such as finger
print scanning technology) to identifying that the
client system from which a user is attempting to
connect to a server is really the authorized client
system.
Slide 32
Types of Authentication
1. User Name and Password: These are unique
identifiers for a logon process which, if entered
correctly, will permit access to the system.
Identification is confirmed through a logon process.
Read more about the rules for creating a secure and
safe user name and password.
Slide 34
Types of Authentication Cont…
2. Challenge Handshake Authentication Protocol (CHAP) is
used at the startup of a link and periodically verifies the
identity of the remote node using a three-way handshake.
After the PPP link establishment phase is complete, the local
router sends a "challenge" message to the remote node.
The remote node responds with a value calculated using a
one-way hash function, Message Digest 5 (MD5). This
response is based on the password and challenge message.
The local router checks the response against its own
calculation of the expected hash value. If the values match,
the authentication is acknowledged, otherwise the connection
is immediately terminated.
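The exchange just described, as an added Python example that is not part of the original slides: following RFC 1994, the response is MD5 over the one-byte identifier, the shared secret and the challenge, so the secret itself never crosses the link and the authenticator only compares hashes. The shared secret and the challenge source are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Callable, Tuple

# Constructed sample secret known to both ends of the link; it is never sent.
SHARED_SECRET = b"example-link-secret"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(Identifier || secret || Challenge), 16 bytes."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def new_challenge(rng: Callable[[int], bytes] = os.urandom) -> Tuple[int, bytes]:
    """Authenticator side: a fresh identifier and an unpredictable challenge.
    RFC 1994 requires each challenge to be unique and unpredictable so that a
    captured response cannot be replayed against a later challenge."""
    identifier = rng(1)[0]
    return identifier, rng(16)


def verify_response(identifier: int, secret: bytes, challenge: bytes,
                    response: bytes) -> bool:
    """Authenticator side: recompute the expected hash and compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_handshake(peer_secret: bytes, authenticator_secret: bytes = SHARED_SECRET) -> bool:
    """One CHAP round: challenge -> peer response -> success or failure.
    Only `challenge` and `response` would travel over the link."""
    identifier, challenge = new_challenge()                        # authenticator -> peer
    response = chap_response(identifier, peer_secret, challenge)  # peer -> authenticator
    return verify_response(identifier, authenticator_secret, challenge, response)


if __name__ == "__main__":
    print("matching secret:", run_handshake(SHARED_SECRET))   # True
    print("wrong secret:   ", run_handshake(b"guess"))         # False
```

Because the response is an unkeyed MD5 over the secret, a captured challenge and response still let the secret be guessed offline, so CHAP is only as strong as the shared secret it protects.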
Slide 35
CHAP Cont…
Figure – CHAP exchange between client and server: logon request, challenge, client encrypts value, response, server encrypts value, compare encrypted results, authorize or fail.
Slide 37
Types of Authentication cont…
3. Certificates: Are another common form of
authentication. A server or certificate authority
can issue a certificate that will be accepted by the
challenging system. Certificates can either be
physical access devices such as smart cards or
electronic certificates that are used as part of the
logon process. A simple way to think of them is
hall passes at school. If you have a hall pass, you
can enter the hallway of the school. If your pass
is invalid, the hallway monitor can send you to the
principal’s office.
Slide 38
Certificate illustration
Figure – Certificate illustration: Client, Security Server and Application Server, with steps labelled 1 Authentication, 2 Certificate, 3 Valid Certificate.
Slide 39
Types of Authentication Cont…
4. Kerberos Authentication: Provides an
authentication process that does not require the
transmission of username and password, through the
use of a symmetric-key authentication protocol. The
term symmetric key in this context is used to refer to
the fact that the same key is used for both the
encryption and decryption processes.
The Kerberos Authentication process relies on a third
entity called the Key Distribution Center.
Slide 40
Kerberos Cont…
The following provides a step by step breakdown
of the Kerberos authentication process:
1. User requests access to a service running on a
different server.
2. KDC authenticates the user and sends a ticket to be
used between the user and the service on the
server.
3. User’s workstation sends the ticket to the service to
authenticate and use the requested service.
Slide 41
Kerberos Picture
Figure – Kerberos: User Workstation, KDC (step 2) and Server providing services to user (step 3).
Slide 42
Types of Authentication cont…
5. Biometrics
Bio – life, metrics – measure
Biometrics verifies (authenticates) an individual's
identity by analyzing unique personal attributes
(something they ARE).
Requires enrollment before being used;
EXPENSIVE and COMPLEX.
Can be based on
– behavior (signature dynamics) – might change over
time
– physical attributes (fingerprints, iris, retina scans)
– We will talk about the different types of biometrics later
Slide 43
Biometric cont…
Fingerprint
Palm Scan
Hand Geometry
Retina Scan
Iris Scan
Keyboard Dynamics
Voice Print
Facial Scan
Hand Topography
Slide 44
Types of Authentication cont…
6. Smart Cards: A smart card is a type of badge or card that
can allow access to multiple resources including
buildings, parking lots, and computers. Each area or
computer has a reader in which the card can be
inserted or scanned.
The card contains information about the user’s
identity and access privileges.
The reader is connected to the workstation and
validates against the security system.
The authentication process is more secure
since one must be in physical possession of the
card.