This document provides an introduction to information security. It discusses the key concepts of security including the layers of security (physical, personal, operations, etc.) and defines information security as protecting information systems and data. The document outlines the critical characteristics of information security - confidentiality, integrity, availability, authorization, authentication, identification, and accountability. It then provides more detail on each of these concepts. The document also discusses emerging security technologies, education in cybersecurity, and the components that make up an information system including software, hardware, data, people, procedures, and networks. It covers types of attacks, securing system components, and the systems development life cycle as a methodology for implementing security.

1. Introduction
to
Information Security
By
M.Dhilsath Fathima
Veltech University

2. What is Security?
• “The quality or state of being secure—to be
free from danger”
• A successful organization should have multiple
layers of security in place:
– Physical security
– Personal security
– Operations security
– Communications security
– Network security
– Information security

3. What is Information Security?
• The protection of information and its critical
elements, including systems and hardware that
use, store, and transmit that information
• Necessary tools: policy, awareness, training,
education, technology
• C.I.A. triangle was standard based on
confidentiality, integrity, and availability
• C.I.A. triangle now expanded into list of critical
characteristics of information

5. Critical Characteristics of
Information
• The value of information comes from the
characteristics it possesses:
– Confidentiality
– Integrity
– Availability
– Authorization.
– Authentication
– Identification
– Accountability

6. CONFIDENTIALITY(Secrecy/Privacy)
• When we talk about confidentiality of information, we are talking about
protecting the information from disclosure to unauthorized parties.
• Information has value, especially in today’s world. Bank account
statements, personal information, credit card numbers, trade secrets,
government documents. Every one has information they wish to keep a
secret. Protecting such information is a very major part of information
security.
• A very key component of protecting information confidentiality would be
encryption. Encryption ensures that only the right people (people who
knows the key) can read the information. Encryption is VERY
widespread in today’s environment and can be found in almost every
major protocol in use. A very prominent example will be
SSL/TLS(secure Socket Layer/Transport Layer Security), a security
protocol for communications over the internet that has been used in
conjunction with a large number of internet protocols to ensure security.

7. Integrity (Truthfulness)
• Integrity means that data cannot be modified without authorization.
• Integrity is the quality or state of being whole, complete, and
uncorrupted.
• The integrity of information is threatened when it is exposed to
corruption, damage, destruction, or other disruption of its authentic
state. Corruption can occur while information is being compiled, stored,
or transmitted.
• Eg: Integrity is violated when an employee deletes important data files,
when a computer virus infects a computer, when an employee is able to
modify his own salary in a payroll database, when an unauthorized user
vandalizes a website, when someone is able to cast a very large
number of votes in an online poll, and so on.

8. Availability(Accessible)
• Availability is the characteristic of information that enables user
access to information without interference or obstruction and in
a required format.
• A user in this definition may be either a person or another
computer system. Availability does not imply that the information is
accessible to any user; rather, it means availability to authorized
users.
• For any information system to serve its purpose, the information must
be available when it is needed.
• Eg: High availability systems aim to remain available at all times,
preventing service disruptions due to power outages, hardware
failures, and system upgrades.

9. Authorization(Approval)
• Authorization to access information and other computing services
begins with administrative policies and procedures. The policies
prescribe what information and computing services can be accessed,
by whom, and under what conditions, what actions they will be
allowed to perform (run, view, create, delete, or change). The
access control mechanisms are then configured to enforce these
policies. This is called authorization.
• To be effective, policies and other security controls must be
enforceable and upheld. Effective policies ensure that people are
held accountable for their actions. All failed and successful
authentication attempts must be logged, and all access to information
must leave some type of audit trail.

10. Authentication(Verification/Validation)
• Authentication is the process of determining whether someone or
something is, in fact, who or what it is declared to be.
• Logically, authentication precedes authorization (although they may
often seem to be combined). The two terms are often used
synonymously but they are two different processes.
• Authentication is a process in which the credentials provided are
compared to those on file in a database of authorized users’
information on a local operating system or within an authentication
server.
• If the credentials match, the process is completed and the user is
granted authorization for access.

11. Identification(Recognition)
• Identification: It is how you identify someone, i.e., how you
would call that person or company.
• Could be the name, the account number in a bank, the
username in some specific system.
• Ex: One -Time Password

12. Accountability(Answerability)
• The characteristic of accountability exists
when a control provides assurance that
every activity undertaken can be attributed
to a named person or automated process.
• For example, audit logs that track user
activity on an information system provide
accountability.

13. Figure 1-4 – NSTISSC Security
Model
NSTISSC Security Model

14. • The National Security Telecommunications and
Information Systems Security Committee (NSTISSC) .
• It was established by President Bush under National Security
Directive 42 (NSD 42) entitled, "National Policy for the
Security of National Security Telecommunications and
Information Systems," dated 5 July 1990.
• The NSTISSC provides a forum for the discussion of policy
issues, sets national policy, and propagate direction,
operational procedures, and guidance for the security of
national security systems through the NSTISSC Issuance
System.

15. • The NSTISSC Security Model provides a more detailed perspective
on security.
• While the NSTISSC model covers the three dimensions of
information security, it omits discussion of detailed guidelines and
policies that direct the implementation of controls.
• The 3 dimensions of each axis become a 3x3x3 cube with 27 cells
representing areas that must be addressed to secure today’s
Information systems.
• To ensure system security, each of the 27 cells must be properly
addressed during the security process.
• For ex,the intersection between technology, Integrity & storage areas
requires a control or safeguard that addresses the need to use
technology to protect the Integrity of information while in storage.

16. • Assume that a security model is needed for protection of information in
your organization.
• Using the NSTISSC model, examine each of the cells and write a brief
statement on how you would address the three components
represented in that cell.

17. National security systems contain
classified information :
a. involves intelligence activities;
b. involves cryptographic activities related to national
security;
c. involves command and control of military forces;
d. involves equipment that is an integral part of a weapon
or weapons system(s); or
e. is critical to the direct fulfillment of military or intelligence
missions (not including routine administrative and
business applications).

18. Example of security policies
• Physical computer security policies such as physical access controls.
• Network security policies (for example, e-mail and Internet policies).
• Data security policies (access control and integrity controls, Anti-virus
software, Firewalls are software- or hardware-based devices that can be
deployed between networks to protect an organization from external or
internal network attacks.).
• Implement networking services such as DNS server to easily find and
access network services, and DHCP server for automatic, centralized IP
address management
• Computer security awareness and training.
• Monitoring and Logging Policy
• Encrypted Authentication Policy
• Antivirus Policy
• Encryption guidelines

19. Emerging security technologies
• Hardware authentication- Good authentication requires three things
from users: what they know, such as a password; who they are, such
as a username; and what they have, such as a token.
• User-behavior analytics- "Users can be identified and automatically
signed up for the training appropriate for the policies they were
violating.“
• Data loss prevention- A key to data loss prevention is technologies
such as encryption and tokenization.
• Protocol verification

20. Security Education
• Bachelor of Science in Cyber Security - Computer Systems
Security
• Bachelor of Science in Cyber Security - Information
Assurance
• Master of Science in Cyber security Policy
• Master of Science in Homeland Security – Cyber security
Policy
• Awareness Activities
– Awareness for CBSE/NCERT & State level educational Institutes:
– Cyber Security Awareness Programs
– Development of Multilingual Websites:
– Awareness Campaigns through Print and Electronic Media:

21. Components of an Information System
Information System (IS) is entire set of software,
hardware, data, people, procedures, and networks
necessary to use information as a resource in the
organization

22. SOFTWARE
• The software components of IS comprises
applications, operating systems, and
assorted command utilities.
• Software programs are the vessels that carry the
lifeblood of information through an
organization. These are often created under the
demanding constraints of project management,
which limit time, cost, and manpower.

23. Hardware
• Hardware is the physical technology that houses and executes the
software, stores and carries the data, and provides interfaces for the
entry and removal of information from the system.
• Physical security policies deal with hardware as a physical asset and with the
protection of these physical assets from harm or theft. Applying the traditional
tools of physical security, such as locks and keys, restricts access to and
interaction with the hardware components of an information system.
• Securing the physical location of computers and the computers
themselves is important because a breach of physical security can result in a
loss of information. Unfortunately, most information systems are built on
hardware platforms that cannot guarantee any level of information security if
unrestricted access to the hardware is possible.

24. Example of Physical security policies:
• Intruder Alarm Systems including area surveillance
sensors, volumetric sensors, high security perimeter
protection, infra-red devices, etc.
• Access Control Systems including card systems,
biometrics, turnstiles, trap doors, etc
• Closed Circuit Television (CCTV) Systems including
video surveillance, cameras, 360-degree surveillance
domes, switching matrixes, IP video, digital recording,
image analysis, privacy zone protection, etc.

25. Examples
Wide Area Surveillance
A Wide Area Surveillance Sensor
provides continuous views of expansive
areas.
high security perimeter
protection

26. Data
• Data stored, processed, and transmitted through a
computer system must be protected.
• Data is often the most valuable asset possessed by an
organization and is the main target of intentional attacks.
• The raw, unorganized, discrete(separate, isolated)
potentially-useful facts and figures that are later
processed(manipulated) to produce information.

27. People
• There are many roles for people in information systems.
Common ones include
– Systems Analyst
– Programmer
– Technician
– Engineer
– Network Manager
– MIS ( Manager of Information Systems )
– Data entry operator

28. Procedures
• A procedure is a series of documented
actions taken to achieve something.
• A procedure is more than a single simple
task. A procedure can be quite complex
and involved, such as performing a
backup, shutting down a system, patching
software.

29. Networks
• When information systems are connected to each other
to form Local Area Network (LANs), and these LANs are
connected to other networks such as the Internet, new
security challenges rapidly emerge.
• Steps to provide network security are essential, as is the
implementation of alarm and intrusion systems to make
system owners aware of ongoing compromises.

30. SECURING COMPONENTS
• Modern computer systems, linked by national and
global networks, face a variety of threats and
attacks that can result in significant financial and
information losses.
• These threats vary considerably, from threats to
data integrity resulting from accidental,
unintentional errors and omissions to threats from
malicious hackers attempting to crash a system.

31. Securing Components
• Computer can be subject of an attack and/or
the object of an attack
• Subject of an attack- When the subject of an
attack, computer is used as an active tool to
conduct attack.
• Object of an attack-When the object of an attack,
computer is the entity being attacked

32. Securing Components

33. ATTACK
• An attack is an intentional threat and is an action
performed by an entity with the intention to violate security.
Examples of attacks are destruction, modification,
fabrication, interruption or interception of data. An attack
is a violation of data integrity and often results in
disclosure of information, a violation of the
confidentiality of the information, or in modification of
the data.
• An attacker can gain access to sensitive information by
attacking in several steps, where each step involves an
illegal access to the system. An intentional threat can be
caused by an insider or outsider, can be a spy, hacker,
corporate raider, or a disgruntled employee.

34. TYPES OF ATTACK
• Any attack on the security of a system can be a
– direct attack
– indirect attack.
• A direct attack aims directly at the desired part
of the data or resources. Several components in
a system may be attacked before the intended
(final) information can be accessed.

35. TYPES OF ATTACK
• In an indirect attack, information is
received from or about the desired
data/resource without directly attacking
that resource. Indirect attacks are often
troublesome in database systems where it
is possible to derive confidential
information by posing indirect questions to
the database. Such an indirect attack is
often called inference.

36. TYPES OF ATTACK
• Passive attacks are made by monitoring a system performing its
tasks and collecting information. In general, it is very hard to detect
passive attacks since they do not interact or disturb normal system
functions. Monitoring network traffic, CPU and disk usage, etc are
examples of passive attacks.
• Encryption of network traffic can only partly solve the problem since
even the presence of traffic on a network may reveal some
information. Traffic analysis such as measuring the length, time and
frequency of transmissions can be very valuable to detect unusual
activities.

37. TYPES OF ATTACK
Active Attack
• An active attack changes the system behavior in some way. Examples
of an active attack can be to insert new data, to modify, duplicate or
delete existing data in a database, to deliberately abuse system
software causing it to fail and to steal magnetic tapes, etc.
• A simple operation such as the modification of a negative
acknowledgment (NACK) from a database server into a positive
acknowledgment (ACK) could result in great confusion and/or damage.
Active attacks are easier to detect if proper precautions are taken.

38. Securing Components
Two types of attacks
• Direct attack (object of an attack )
– When a Hacker uses his personal computer to break into a
system.[Originate from the threat itself]
• Indirect attack (Subject of an attack )
– When a system is compromised and used to attack other system.
[Originate from a system or resource that itself has been attacked,
and is malfunctioning or working under the control of a threat].
• A computer can, therefore, be both the subject and object of an attack
when ,for example, it is first the object of an attack and then
compromised and used to attack other systems, at which point it
becomes the subject of an attack.

39. Securing Components(Cont..)

40. Few Techniques Or Tools That Will Help In
Implementing These Security Mechanisms.
• Physical Access Security-protect network equipment such
as servers, switches, and routers is to keep them in a
locked, climate controlled, and fire protected environment
• Login / Password Security
• Anti-Virus Software
• Remote Access Security(a location not directly attached to
the network. )
• Internet Firewalls
• Encryption
• Data Backups
• Disaster Recovery Plan
• Audits

41. Growth of Threat: Growth in the tools available.
0
5,000
10,000
15,000
20,000
25,000
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
Year
HackerTools
Source: PestPatrol.com
Categories:
• Binder
• Carding
• Cracking Tool
• Flooder
• Key Generator
• Mail Bomber
• Mailer
• Misc Tool
• Packer
• Password Cracker
• Password Cracking Word List
• Phreaking Tool
• Port Scanner
• Probe Tool
• Sniffer
• Spoofer
• Trojan
• Trojan Creation Tool
• Virus Creation Tool
• Virus Source
• Virus Tutorial
• War Dialer
Categories:
• Binder
• Carding
• Cracking Tool
• Flooder
• Key Generator
• Mail Bomber
• Mailer
• Misc Tool
• Packer
• Password Cracker
• Password Cracking Word List
• Phreaking Tool
• Port Scanner
• Probe Tool
• Sniffer
• Spoofer
• Trojan
• Trojan Creation Tool
• Virus Creation Tool
• Virus Source
• Virus Tutorial
• War Dialer

42. The Systems Development Life Cycle
• Systems development life cycle (SDLC) is methodology and
design for implementation of information security within an
organization.
• Methodology is formal approach to problem-solving based
on structured sequence of procedures.
• A methodology is, in simple terms, a set of steps,
guidelines, activities and/or principles to follow in a
particular situation.
• Goal is creating a comprehensive security
posture/program.
• Traditional SDLC consists of six general phases.

44. Investigation
• What problem is the system being developed to
solve?
• Objectives, constraints and scope of project
are specified
• Preliminary cost-benefit analysis is developed
• At the end, feasibility analysis is performed to
assesses economic, technical, and behavioral
feasibilities of the process.

45. Investigation(Cont..)
Feasibility study
• To analyze whether the software will meet organizational
requirements.
• To determine whether the software can be implemented using the
current technology and within the specified budget and schedule.
• To determine whether the software can be integrated with other
existing software.
– Feasibility defines in the three views for making particular
software for the client.
– a) Technical b) financial c) social feasibility.

46. Analysis
• Consists of assessments of the organization,
status of current systems, and capability to
support proposed systems.
• Analysts determine what new system is
expected to do and how it will interact with
existing systems.
• Ends with documentation of findings(Software
Requirement Specification) and update of
feasibility analysis.

47. What is SRS?
• SRS is a complete reading base documentation focus on
the particular desired software to the specific client or
customer. After collecting the necessary data from SDLC
we have to summarize the useful and appropriate data for
making desired software.
• SRS has some objectives which is help to the software
developer as well as the customer for making a
successfully software.
• Characteristics of SRS-
1) complete - focuses on summarized from for a particular software
specification.
2) traceable
3) appropriate for the developer
4) modifiable
5) simple language
6) software requirement view .

48. Logical Design
• Main factor is business need; applications
capable of providing needed services are
selected
• Data support and structures capable of providing
the needed inputs are identified
• Technologies to implement physical solution are
determined
• Feasibility analysis performed at the end

49. Physical Design
• Technologies to support the alternatives identified
and evaluated in the logical design are selected
• Components evaluated on make-or-buy decision
• Feasibility analysis performed; entire solution
presented to end-user representatives for
approval.
• Ends with DDS - Design Document
Specification

50. Implementation
• Needed software created; components ordered,
received, assembled, and tested
• Users trained and documentation created
• Feasibility analysis prepared; users presented
with system for performance review and
acceptance test

51. Maintenance and Change
• Consists of tasks necessary to support and
modify system for remainder of its useful life
• Life cycle continues until the process begins
again from the investigation phase
• When current system can no longer support the
organization’s mission, a new project is
implemented

52. NEED OF SECURESDLC
In the past software product stakeholders did not view software security
has high priority. It was believed that a secure network infrastructure
would provide the level of protection needed against malicious attacks.
In recent history network security alone has proved inadequate against
such attacks.
 Users have been successful in penetrating valid channels of
authentication through techniques such as cross site scripting, Structured
Query Language (SQL) Injection, and Buffer Overflow exploitation.
 In such cases system assets were compromised and both data and
organizational integrity were damaged.
The Gartner Group reports that more than 70 percent of current business
security vulnerabilities are found within software applications rather than
the network boundaries .
A focus of application security emerged in order to reduce the risk of
poor software development, integration, and deployment. Through this
need software assurance quickly became an Information Assurance (IA)
focus area in the financial, government, and manufacturing sectors to
reduce the risk of unsecure code.

53. Secure SDLC
• Goal
–More security for riskier applications
–Ensures that you work the most critical issues first
–Scales to hundreds or thousands of applications
–Identification of specific threats and creating
controls to counter them.
• Tools and Methodology
–Security profiling tools can gather facts
• Size, complexity, security mechanisms, dangerous calls
–Questionnaire to gather risk information
• Asset value, available functions, users, environment, threats
–Risk-based approach
• Evaluates likelihood and consequences of successful attack

54. Phases of Secure SDLC
Requirements
and use cases
Design Test plans
Code
Test
results
Field
feedback
Security
requirements
Risk
analysis
Risk-based
security tests
Static
analysis
(tools)
Penetration
testing
Design
Review
Iterative approach
Code
Review
Risk = Threat x Vulnerability x Cost
What do we need to test,
And how Code review tools

55. Phases of Secure SDLC

56. ANALYSIS PHASE
CREATE APPLICATION SECURITY PROJECT
PLAN
Define the plan to ensure security at the end
Ideally done at start of project
Can also be started before or after development is complete
Based on the risk category
Identify Risk activities at each phase
Necessary people and expertise required
Who has responsibility for risks
Ensure time and budget for security activities
Establish framework for establishing the “line of sight”

57. REQUIREMENTS PHASE
• Get the security requirements and policy right
• Start with a generic set of security requirements
–Must include all security mechanisms
–Must address all common vulnerabilities( quality of being easily hurt or
attacked)
–Can be use (or misuse) cases
–Should address all driving requirements (regulation,
standards, best practices, etc.)
• Tailoring examples…
–Specify how authentication will work
–Detail the access control matrix (roles, assets, functions,
permissions)
–Define the input validation rules
–Choose an error handling and logging approach

58. DESIGN REVIEWS
Better to find flaws early
Security design reviews
Check to ensure design meets requirements
Also check to make sure they didn’t miss a
requirement
Assemble a team
Experts in the technology
Security-minded team members
Do a high-level penetration test against the design(A
penetration test can help determine whether a system is
vulnerable to attack, if the defenses were sufficient, and
which defenses (if any) the test defeated.)
Be sure to do root cause analysis on any flaws
identified

59. PENETRATION TEST
• Pen tests can be automated with software applications or
they can be performed manually. Either way, the process
includes gathering information about the target before the
test (reconnaissance), identifying possible entry points,
attempting to break in (either virtually or for real) and
reporting back the findings.
• The main objective of penetration testing is to determine
security weaknesses. A pen test can also be used to test
an organization's security policy compliance, its
employees' security awareness and the organization's
ability to identify and respond to security incidents.
• Penetration tests are sometimes called white hat attacks
because in a pen test, the good guys are attempting to
break in.

60. DEVELOPMENT
Develop the coding for application and Find the
flaws in the code early
Many different techniques
Static (against source or compiled code)
Security focused static analysis tools
Peer review process
Formal security code review
Dynamic (against running code)
Scanning
Penetration testing
Goal
Ensure completeness (across all vulnerability areas)
Ensure accuracy (minimize false alarms)

61. APPLICATION SECURITY
TESTING
Identify security flaws during testing
Develop security test cases
Based on requirements
Be sure to include “negative” tests
Test all security mechanisms and common vulnerabilities
Flaws feed into defect tracking and root cause analysis.
“Every security flaw is a process problem”
Tracking security defects
Find the source of the problem
Bad or missed requirement, design flaw, poor implementation, etc…
ISSUE: can you track security defects the same way as other
defects

62. Deployment and Configuration
Management
• Ensure the application configuration is secure
• Security is increasingly “data-driven”
–XML files, property files, scripts, databases, directories
• How do you control and audit this data?
–Design configuration data for audit
–Put all configuration data in Document
–Audit configuration data regularly
–Don’t allow configuration changes in the field