Chapter 1

Uploaded by mofreh hogo

Chapter One: Introduction to Information Security
Index
A. Introduction
A.1 Why are Computer and Information Security Important?
B. Security Goals
B.1 Confidentiality
B.2 Integrity
B.3 Availability
C. Threats, Vulnerabilities and Controls
C.1 Threats
C.2 Vulnerabilities
C.3 Controls
D. Risk Management
D.1 Introduction
D.2 Procedures
D.3 Executive Management

A. Introduction
• What is Information Security?
– The concepts, techniques, technical measures, and
administrative measures used to protect information
assets from deliberate or inadvertent (unintended)
unauthorized acquisition, damage, disclosure,
manipulation, modification, loss, or use.
– Information security means protecting information and
information systems from unauthorized access, use,
disclosure, disruption (interruption/disorder), modification or
destruction (damage).

B. Security Goals:
When is any System Secure?
• B.1. Confidentiality: computer-related assets are
accessed only by authorized parties. Confidentiality
is sometimes called secrecy or privacy.

• B.2. Integrity: assets can be modified only by
authorized parties or only in authorized ways.

• B.3. Availability: assets are accessible to
authorized parties at appropriate times.

B.1. Confidentiality
• It is not trivial to ensure confidentiality. For
example:
– Who determines which people or systems are
authorized to access the current system?
– By "accessing" data, do we mean that an
authorized party can access a single bit? Pieces of
data out of context?
– Can someone who is authorized disclose those data
to other parties?

B.2. Integrity
• It is much harder to ensure integrity. One reason is that
integrity means different things in different contexts.
• For example, if we say that we have preserved the
integrity of an item, we may mean that the item is:
– precise
– accurate
– unmodified
– modified only in acceptable ways
– modified only by authorized people and processes
– consistent

B.3. Availability
• Availability applies both to data and to services (i.e., to
information and to information processing), and it is
similarly complex.
• We say a data item, service, or system is available if:
– There is a timely response to our request
– There is a fair allocation of resources, so that some requesters are
not favored over others
– The service or system involved is fault tolerant: hardware or
software faults lead to graceful cessation of service or to
workarounds rather than to crashes and abrupt loss of information
– The service or system can be used easily and in the way it was
intended to be used

B.3. Availability
• The security community is just beginning to
understand what availability implies and how to
ensure it
• A small, centralized control of access is fundamental
to preserving confidentiality and integrity, but it is not
clear that a single access control point can enforce
availability
• Much of computer security's past success has focused
on confidentiality and integrity; full implementation
of availability is security's next great challenge

B. Security Goals:
Relationship of Security Goals
• A secure system must meet all three requirements.
• The challenge is how to find the right balance
among the goals, which often conflict:
– For example, it is easy to preserve a particular object's
confidentiality in a secure system simply by
preventing everyone from reading that object
– However, this system is not secure, because it does not
meet the requirement of availability for proper access
– => There must be a balance between confidentiality
and availability

Review Questions
1. What are the three basic principles of information security? Define each one.
2. Among the fundamental challenges in information security are confidentiality, integrity,
and availability, or CIA. Give an example where confidentiality is required,
but not integrity. Give an example where integrity is required, but not
confidentiality. Give an example where availability is the overriding concern.

3. From a bank’s perspective, which is usually more important, the integrity of its
customer’s data or the confidentiality of the data? From the perspective of the
bank’s customer, which is more important?

4. Some authors distinguish between secrecy, privacy, and confidentiality. In this usage,
secrecy is equivalent to our use of the term confidentiality, whereas privacy is
secrecy applied to personal data and confidentiality refers to an obligation not
to divulge certain information. Discuss an example where privacy is required.
Discuss an example where confidentiality (in this sense) is required.

C. Threats, Vulnerabilities and Controls

• C.1. Threats: Something that can potentially
cause damage to information assets.
• C.2. Vulnerabilities: A weakness in the
organization, computer system, or network that
can be exploited by a threat.
• C.3. Control: an action, device, procedure, or
technique that removes or reduces a vulnerability.

C. Threats, Vulnerabilities and Controls

A threat is blocked by control of a vulnerability

C.1. Threats
• Definition: Something that can potentially
cause damage to information assets.
• A malicious attacker must have three things:
– Method: the skills, knowledge, tools, and other
things with which to be able to pull off the attack.
– Opportunity: the time and the access to accomplish
the attack.
– Motive: a reason to want to perform this attack
against this system.

C.1. Threats: Types
1. Interception: some unauthorized party has gained access to an
asset. The outside party can be a person, a program, or a computing
system.
– Example: illicit copying of program or data files, or
wiretapping to obtain data in a network
~ an attack on confidentiality

C.1. Threats: Types
2. Interruption: an asset of the system becomes lost,
unavailable, or unusable.
– Example: malicious destruction of a hardware device, erasure of a
program or data file, denial of service attacks
~ an attack on availability

C.1. Threats: Types
3. Modification: alteration of the values in a database, of
programs so that they perform additional computation, or of data being
transmitted electronically.
– Example: someone might change the values in a database, or alter a
program so that it performs an additional computation
~ an attack on integrity

C.1. Threats: Types

4. Fabrication: An unauthorized party might create a fabrication of
counterfeit objects on a computing system.
– Example: the intruder may insert spurious transactions
to a network communication system, or add records to an existing
database
~ an attack on authenticity

C.1. Threats: Examples
[Figure: examples of threats. Labels: steal, alter, or delete confidential files; steal hardware devices; virus infection; unauthorized access from the Internet; operation mistake; unauthorized break-in; unauthorized access to the Internet]

Computer and Network Assets
Examples of Threats

C.2. Vulnerabilities
• Definition: A weakness in the organization, computer system,
or network that can be exploited by a threat.
• Examples:
Organization
– Security policy is not set.
– Roles and responsibilities are vague (unclear).
– Security training of employees is inadequate (insufficient).
– Building entrances are not checked thoroughly.
Computer System
– There is no protection against computer viruses.
– A software bug exists in the server OS.
– No password rules are set.
Network
– Confidential data are sent over the network.

C.2. Vulnerabilities:
Example 1: Building
Threats of building break-ins:
1. Theft of keys, ID cards, passwords, etc.
2. Following an authorized person.
3. Pretending to be a sweeper or deliveryman.
Vulnerabilities:
1. Lost ID cards are not reported.
2. No guards to check entry.
3. Sweeper’s ID is not checked.

[Figure: 1. Entering with stolen ID cards; 2. Following a person who unlocks the door; 3. Entering with a stolen uniform of a deliveryman]

C.2. Vulnerabilities:
Example 2: Within the Office
Threats in the Office:
1. Theft of documents or disks, and/or making copies.
2. Theft of hardware.
3. Theft of discarded documents.
Vulnerabilities:
1. Sensitive documents are not stored in locked cabinet.
2. Computers are not locked to desks.
3. Sensitive documents are not shredded.

[Figure: 1. Theft of documents or disks; 2. Theft of computers; 3. Picking up documents from a trash box]

C.2. Vulnerabilities:
Example 3: Computer System
Threats to a computer system:
1. Illegally operate an already logged-in computer.
2. Information theft from a client or server.
3. Change a system setting or account.
Vulnerabilities:
1. Computers are left unattended in a logged-in state.
2. No password is set.
3. Easy passwords are set on server.

[Figure: 1. Illegal use of logged-in computers; 2. Theft of information on the disk; 3. Change a user account (Personnel Database XXXX: user, administrator)]

C.2. Vulnerabilities:
Example 4: Network
Threats using networks:
1. Intrusion through security holes in a router or firewall.
2. Intrusion through wireless LAN’s access point.
3. Theft or alteration of data during transmission on the network.
Vulnerabilities:
1. Router’s and firewall’s access list is improperly configured.
2. Access point is not configured to prevent illegal access.
3. Transmitted data are not encrypted.

[Figure: network with data, firewall, router, access point and the Internet. Labels: 1. Intrusion through configuration mistakes in a firewall or router; 2. Intrusion through an access point; 3. Theft of data on the Internet]

C.2. Vulnerabilities:
Example 5: Software
Software threats:
1. Buffer overflow attacks.
2. Malicious code.
3. Denial of Service (DoS) attack.
Vulnerabilities:
1. Bugs in OSs or applications.
2. No protection against computer viruses.
3. Security hole exists in the server.

[Figure: 1. When receiving IDs that are too long, the system stops (overflow), shown as "ID: aaaaa-aaaaa"; 2. When a mail infected with a computer virus is opened, shown as a message with To, From and "Attach: xxx" (virus); 3. With too much access, the server stops]
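Threat 1 of Example 5 (an ID that is too long overflows the system) next to its control, as an added C example that is not part of the original slides. The 8-character limit ID_MAX, the function names and the sample IDs are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define ID_MAX 8   /* assumed maximum ID length for this example */

/* Weak form: copies whatever arrives. An ID longer than ID_MAX is written
 * past the end of dst, which is the "system stops (overflow)" case. */
void store_id_unchecked(char dst[ID_MAX + 1], const char *id)
{
    strcpy(dst, id);              /* no length check */
}

/* Hardened form: measure the ID first and reject it before copying anything.
 * Returns 0 on success, -1 if the ID is missing, empty or too long. */
int store_id_checked(char dst[ID_MAX + 1], const char *id)
{
    size_t len = 0;

    if (id == NULL)
        return -1;
    /* Bounded scan: never reads more than ID_MAX + 1 bytes of the input. */
    while (len <= ID_MAX && id[len] != '\0')
        len++;
    if (len == 0 || len > ID_MAX)
        return -1;
    memcpy(dst, id, len);
    dst[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: a normal ID, an over-long ID, an empty ID. */
    const char *samples[] = { "alice01", "aaaaaaaaaaaaaaaaaaaaaaaa", "" };
    char id[ID_MAX + 1];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (store_id_checked(id, samples[i]) == 0)
            printf("accepted: %s\n", id);
        else
            printf("rejected: input of %zu bytes\n", strlen(samples[i]));
    }
    return 0;
}
```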
C.3. Controls
• Definition: an action, device, procedure, or
technique that removes or reduces a
vulnerability
• Harm occurs when a threat is realized against a
vulnerability. To protect against harm, we can
neutralize the threat, close the vulnerability, or
both
• The possibility for harm to occur is called risk

C.3. Controls:
Methods of Defense
• ENCRYPTION
Encryption provides
~ confidentiality for data
~ integrity
~ basis for protocol
• SOFTWARE/HARDWARE CONTROLS
S/W controls:
~ Internal program ctrls
~ Operating system ctrls
~ Development ctrls
H/W controls:
~ h/w devices:
- smartcard (encryption)
- circuit board ctrl disk drives in PCs
• POLICIES
~ frequent changes of password
~ training
~ codes of ethics
• PHYSICAL CONTROLS
~ locks of doors
~ backup copies of important s/w and data
~ physical site planning (reduce natural disasters)

C.3. Controls:
What makes a system secure?

1. System Access Control: Ensuring that unauthorized
users don’t get into the system.
2. Data Access Controls: Monitoring who can access
what data, and for what purpose.
3. System and Security Administration: Performing the
offline procedures that make or break a secure system
~ by clearly stated system administrator responsibilities,
~ by training users appropriately etc.
4. System Design: Taking advantage of basic h/w and
s/w security characteristics.

Review Questions
1. Define Threats, Vulnerabilities, Controls.
2. What are the types of Threats?
3. What are the methods of defense from Threats?

D. Risk Management
• “Risk management is the process of
identifying vulnerabilities and threats to the
information resources used by an organization
in achieving business objectives, and deciding
what countermeasures, if any, to take in
reducing risk to an acceptable level, based on
the value of the information resource to the
organization.” (CISA Review Manual 2006)

D.1. Risk Analysis
Relationship between threat, vulnerability, and loss

[Figure: Threat, Vulnerability, Loss]

(threat) + (vulnerability) = (loss)

computer virus + no anti-virus software installed = data destruction

Risk: a possibility that a threat exploits a vulnerability in an asset and
causes damage or loss to the asset.

D.1. Risk Analysis
• What may happen if you omit the analysis?
– Cannot detect vulnerabilities.
– Introduce countermeasures without specific reason.
– Remake the whole system.
– Take huge cost and time.
• Risk analysis leads you to ….
– Identify threats to your system.
– Estimate damages and possibility of occurrence.
– Develop countermeasures to minimize threats.

D.2. Procedures
Risk analysis: Estimation of threats and vulnerabilities of information assets.
Risk assessment: Overall process of risk analysis and risk evaluation.
Risk management: Process of identifying, controlling, and minimizing or
eliminating security risks that may affect information systems.
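[Figure: risk management flow. Steps shown: determination of scope of information security; creation of executive policy; development of systematic risk assessment method; identification of information assets; estimation of threats and vulnerabilities; risk evaluation; risk treatment; risk acceptance. Identification of information assets and estimation of threats and vulnerabilities are grouped as risk analysis; risk analysis and risk evaluation are grouped as risk assessment; the whole flow is labeled risk management. Outputs shown: risk assessment procedures; list of assets; risk analysis table; risk assessment report; inventory of assets.]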

D.3. Executive Management
• Executive Management can choose to:
– “Accept the risk”?
   - do nothing!
– “Mitigate the risk”?
   - Administrative Control
   - Logical Control
   - Physical Control
– “Deny the risk”?
   - Confidentiality
   - Integrity
   - Authenticity

Real Story
• Government's Computer Security Report Card
The U.S. Congress requires government agencies to supply annual reports to the Office of Management and
Budget (OMB) on the state of computer security in the agencies. The agencies must
report efforts to protect their computer networks against crackers, terrorists, and other
attackers. In November 2001, two-thirds of the government agencies received a grade
of F (the lowest possible) on the computer security report card based on the OMB
data. The good news is that in 2005 only 8 of 24 agencies received grades of F and 7
agencies received a grade of A. The bad, and certainly sad, news is that the average
grade was D+. Also disturbing is that the grades of 7 agencies fell from 2004 to 2005.
Among the failing agencies were Defense, State, Homeland Security, and Veterans
Affairs. The Treasury Department received a D-. A grades went to Labor, Social
Security Administration, and the National Science Foundation, among others.
(Source: U.S. House of Representatives Government Reform Committee.)

Terms and Concepts
• Integrity
• Availability
• Risk
• Risk Management
• Risk Assessment
• Risk Analysis
• Information Assets
• Authorized
• Malware
• Malicious
• Cybercrime
• Threats
• Vulnerabilities
• Control
• Confidentiality

Security Policies
• A security policy is an overall general statement produced
by senior management (or a selected policy board or
committee) that dictates what role security plays within
the organization.
• A well-designed policy addresses:
– What is being secured? - Typically an asset.
– Who is expected to comply with the policy? - Typically
employees.
– Where is the vulnerability, threat or risk? - Typically an
issue of integrity or responsibility.

Types of Security Policies
• Organizational
– Management establishes how a security program will be set up, lays out the
program's goals, assigns responsibilities, shows the strategic and tactical value
of security, and outlines how enforcement should be carried out.
• Issue-specific
– Addresses specific security issues that management feels need more detailed
explanation and attention to make sure a comprehensive structure is built and
all employees understand how they are to comply with these security issues.
– E.g.: An e-mail policy might state that management can read any employee's
e-mail messages that reside on the mail server, but not when they reside on the
user's workstation.
• System-specific
– Presents the management's decisions that are specific to the actual computers,
networks, applications, and data.
– This type of policy may provide an approved software list, which contains a
list of applications that may be installed on individual workstations.

Standards

• Standards refer to mandatory activities,
actions, rules, or regulations.
• Standards can give a policy its support and
reinforcement in direction.
• Standards could be internal, or externally
mandated (government laws and regulations).

Review Questions
1. One control against accidental software deletion is to save all old
versions of a program. Of course, this control is prohibitively expensive
in terms of cost of storage. Suggest a less costly control against
accidental software deletion. Is your control effective against all possible
causes of software deletion? If not, what threats does it not cover?

2. Suppose a program to print paychecks secretly leaks a list of names of
employees earning more than a certain amount each month. What
controls could be instituted to limit the vulnerability of this leakage?

3. Consider a program that allows a surgeon in one city to assist in an
operation on a patient in another city via an Internet connection. Who
might want to attack the program? What types of harm might they want
to cause? What kinds of vulnerabilities might they exploit to cause
harm?