Cybersecurity & Info Assurance Basics

Information cybersecurity centers on the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. This includes security applications and infrastructure such as firewalls, intrusion prevention and other countermeasures.

Uploaded by Zucria Nonakan

LECTURE ONE

Information Assurance and Security 1

Lecture Outline
1.1 Introduction
1.2 Objectives
1.3 Fundamental Aspects
1.4 Security Mechanisms (Countermeasures)
1.5 Operational Issues
1.6 Policy
1.7 Attacks
1.8 Security Domains
1.9 Forensics
1.10 Information States
1.11 Security Services
1.12 Threat Analysis Model
1.13 Vulnerabilities
1.16 Summary
1.17 Model Exams and Questions
1.18 Further Readings

1.1 Introduction
Systems assurance is an essential component of any project involving
systems. Its aim is to plan the range of engineering activities that will ensure
that systems comply with the applicable requirements, from design to
implementation.
1.2 Objectives
The primary objectives of the U.S. Department of Labor (DOL) information
security effort are:

1. Ensuring the confidentiality of sensitive information processed by,
stored in, and moved through information systems and applications
belonging to DOL. Examples of sensitive information processed by DOL
include:
a) Personally identifiable information (PII) and other Privacy Act
protected records
b) Pre-release economic statistics
c) Information provided by companies and citizens under the
assumption of confidentiality.
d) Pre-award contract financial information
2. Ensuring the integrity of DOL information, so that decisions and
actions taken based upon the data processed by, stored in, and moved
through DOL information systems can be made with the assurance that
the information has not been manipulated, and that the source of any
changes to the information can be determined as far as possible.
3. Ensuring the availability of the DOL information systems and
applications during routine operations and in crisis situations to
support the DOL Mission.

1.3 Fundamental Aspects
IAS 1 Presentation of Financial Statements sets out the overall requirements
for financial statements, including how they should be structured, the
minimum requirements for their content and overriding concepts such as
going concern, the accrual basis of accounting and the current/non-current
distinction. The standard requires a complete set of financial statements to
comprise a statement of financial position, a statement of profit or loss and
other comprehensive income, a statement of changes in equity and a
statement of cash flows.
IAS 1 was reissued in September 2007 and applies to annual periods
beginning on or after 1 January 2009. IAS 1 will be superseded by IFRS 18
Presentation and Disclosure in Financial Statements, which becomes
effective for annual periods beginning on or after 1 January 2027.
Computer Configuration
Computer Configuration refers to the computer-wide settings in a Group Policy
Object (GPO) that are applied during system boot-up and apply to every user
who logs on to the system. Many of these settings are applied when the
system first boots. The Computer Configuration section contains three
subfolders:
■ Software Settings – By default, there is nothing to be configured here.
■ Windows Settings – These are general Windows settings that can be
configured for all users. There are sub nodes for Name Resolution Policy,
Scripts (Startup/Shutdown), Deployed Printers, Security Settings, and Policy-
based QoS.
■ Administrative Templates – These are registry-based settings that can be
set for the system. There are sub nodes for Control Panel, Network, Printers,
System, and Windows Components.

What is Defense in Depth?
Defense in depth is a strategy that leverages multiple security
measures to protect an organization’s assets. The thinking is that if one line
of defense is compromised, additional layers exist as a backup to ensure that
threats are stopped along the way. Defense in depth addresses the security
vulnerabilities inherent not only with hardware and software but also with
people, as negligence or human error are often the cause of a security
breach.
Today’s cyber threats are growing rapidly in scale and sophistication.
Defense in depth is a comprehensive approach that employs a combination
of advanced security tools to protect an organization’s endpoints, data,
applications, and networks. The goal is to stop cyber threats before they
happen, but a solid defense-in-depth strategy also thwarts an attack that is
already underway, preventing additional damage from taking place.
Antivirus software, firewalls, secure gateways, and virtual private
networks (VPNs) serve as traditional corporate network defenses and are
certainly still instrumental in a defense-in-depth strategy. However, more
sophisticated measures, such as the use of machine learning (ML) to detect
anomalies in the behavior of employees and endpoints, are now being used
to build the strongest and most complete defense possible.
A changing work environment and threat landscape
Defense in depth is needed now more than ever as more employees
work from home and as organizations increasingly rely on cloud-based
services. With employees working from home, organizations must address
the security risks associated with employees using their own devices for
work and their home Wi-Fi connection to enter the corporate network.
Even with IT resources in place, vulnerabilities are inherent in devices
used for both work and personal use—vulnerabilities exploited by cyber
criminals. Further, with more companies using cloud-hosted, Software-as-a-
Service (SaaS) applications, many of which are mission-critical, the privacy
and security of an increasing amount of data entered through websites
remain difficult to manage.

Defense in depth is similar to physical security

The concept of defense in depth is no different from physical security,
such as the layered controls an employee passes through to start work in an
office building. Building security has many layers, some of which may be
considered redundant:
1. An employee uses a key card to enter the building.
2. A security guard keeps watch in the lobby.
3. Security cameras record all movements in the lobby, on each
floor, and in the elevator.
4. Once arriving at her floor, an employee must use her key card
to open the door to the office floor.
5. Once at her desk, the employee turns on her computer and
enters her password and temporary four-digit code (two-factor
authentication) to log in to the company network.
These are, of course, just a handful of security steps that the employee
must take to begin work for the day. Some of these may seem unnecessary
and some measures may seem stronger than others, but taken together,
they are analogous to a defense-in-depth strategy in place within
organizations.
Common cybersecurity issues
The following are some common issues organizations have to deal with
when implementing a cybersecurity strategy:
1. Anti-malware software has not been updated or is not installed on all
devices.
2. Employees have not been trained and are falling victim to phishing
schemes.
3. Software patches are not being applied or are ignored.
4. Security policies are not enforced or even known by employees.
5. Missing or poorly implemented encryption.
6. Remote employees are connecting to unsecured networks, such as public
Wi-Fi hotspots.
7. Physical security flaws, such as unsecured server rooms.
8. Business partners, such as cloud service providers, are not fully secure.
Types of Encryption Systems
There are many different types of encryption algorithms and methods to
pick from, so how do you know which one is the safest pick for your
cybersecurity needs? Let’s begin with the most common types of encryption
systems: symmetric vs asymmetric encryption.
 Symmetric Encryption
In this type of encryption there is only one key, and all parties involved use
the same key to encrypt and decrypt information. Using a single key keeps the
process straightforward, as in the following example: you encrypt an
email with a secret key, send that email to your friend Tom, and he uses
the same symmetric key to decrypt it. The catch is that the key itself must
first reach Tom over a channel an attacker cannot read.
 Asymmetric Encryption
Asymmetric encryption, on the other hand, was created to solve the
inherent issue of symmetric encryption: the need to share a single secret
key that is used both for encrypting and decrypting data. Each party instead
holds a key pair: a public key that can be handed to anyone and a private key
that is never shared. Anything encrypted with Tom’s public key can be
decrypted only with Tom’s private key, so no secret has to travel between the
parties. Because asymmetric operations are far slower than symmetric ones,
real systems typically use the public key only to exchange a fresh symmetric
key and then encrypt the bulk data symmetrically.
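The two models in runnable form, as an added example that is not part of the original lecture notes (Python standard library only). The symmetric cipher is an HMAC-SHA256 keystream and the asymmetric one is unpadded textbook RSA with toy-sized primes; both are teaching constructions chosen for readability, not what a real product should use (that would be AES-GCM and RSA-OAEP or X25519 from a vetted library). The email scenario, Tom's key pair, the primes 1000003 and 1000033 and the sample message are all assumptions of the example. It also goes one step beyond the text: the demo shows the hybrid pattern in which the public key only wraps a fresh symmetric key.

```python
"""Symmetric vs asymmetric encryption as runnable teaching code.
Added example, not from the original lecture notes.  Standard library only.
Both ciphers are simplified for readability and are NOT for real use."""
import hashlib
import hmac
import os
from math import gcd

NONCE_LEN = 16


# --- Symmetric: one secret key, known to both parties ----------------------
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a pseudo-random keystream.  A nonce must
    never repeat under the same key: two messages with the same keystream
    would leak the XOR of their plaintexts."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def sym_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


# --- Asymmetric: a key pair; the public half encrypts, only the private half
#     decrypts ("textbook" RSA, unpadded, toy-sized primes) -----------------
def _is_prime(n: int) -> bool:
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def rsa_keygen(p: int = 1_000_003, q: int = 1_000_033, e: int = 65537):
    """Returns (public_key, private_key).  Real keys use 2048-bit moduli."""
    if not (_is_prime(p) and _is_prime(q) and p != q):
        raise ValueError("p and q must be distinct primes")
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse, Python >= 3.8
    return (n, e), (n, d)


def rsa_encrypt(pub, m: int) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def demo_key_exchange() -> dict:
    """The email-to-Tom scenario.  Tom publishes his public key.  Alice picks
    a fresh symmetric key, encrypts the email with it, and sends that key
    wrapped under Tom's public key (the hybrid pattern real protocols use)."""
    tom_pub, tom_priv = rsa_keygen()
    session_key = os.urandom(4)                       # 4 bytes < modulus here
    email = b"Lunch at noon? The vault password changed, ask me in person."
    wrapped_key = rsa_encrypt(tom_pub, int.from_bytes(session_key, "big"))
    sealed_email = sym_encrypt(session_key, email)
    # Tom unwraps the session key with his private key and reads the email.
    tom_key = rsa_decrypt(tom_priv, wrapped_key).to_bytes(4, "big")
    # An eavesdropper holds only the public key; applying it again does not
    # undo the encryption, and without the session key the email is noise.
    eve_guess = rsa_decrypt(tom_pub, wrapped_key)
    return {
        "tom_recovers_key": tom_key == session_key,
        "tom_reads_email": sym_decrypt(tom_key, sealed_email) == email,
        "eve_recovers_key": eve_guess == int.from_bytes(session_key, "big"),
        "wrong_key_reads_email": sym_decrypt(b"not the key", sealed_email) == email,
    }
```

Note what the symmetric half does not give you: there is no integrity check, so a bit flipped in the ciphertext silently flips the same bit in the plaintext. That is why practical symmetric encryption is authenticated (AES-GCM, ChaCha20-Poly1305), and why textbook RSA is replaced by a padded scheme such as RSA-OAEP.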

Activity 1
Show on a Venn diagram the differences and similarities between symmetric
encryption and asymmetric encryption.

1.4 Security Mechanisms (Countermeasures)

In computer security a countermeasure is an action, device, procedure,
or technique that reduces a threat, vulnerability, or attack by eliminating
or preventing it, or by minimizing the harm it can cause. It can also include
discovering and reporting vulnerabilities so that corrective action can be
taken.
Countermeasures are devices, signals, and techniques deployed to impair
or eliminate the operational effectiveness of an attack by an enemy force.
Those enemy actions may be immediate threats and also include use of
electronic warfare via intrusive radio-frequency (RF) or infrared signals,
jamming technologies, and more.
Advanced countermeasures range from physical chaff, flare, and decoy
expendables to acoustic, infrared, and laser countermeasures. Electronic
countermeasures (ECM) can also jam, modify, and/or deceive opponents’
attacks using RF communications, and radar countermeasures systems.
The survey paper "Internet of drones security: Taxonomies, open issues, and
future directions" classifies the countermeasures, as shown in Fig. 2.1, as follows:

Figure 2.1 Countermeasures

 Drone operating system security countermeasures: They
represent countermeasures that provide security to the drone
operating system and test its security properties.
 Technical countermeasures: A countermeasure is considered
technical if it involves technologies such as cryptographic tools and
IDSs. Technical countermeasures can be classified as cyber and
physical countermeasures.

Activity 2
Give at least five examples of security countermeasures and explain, one by
one, why each is important.

1.5 Operational Issues

Operational security (OPSEC) is a security and risk management
process that prevents sensitive information from getting into the wrong
hands.
Another OPSEC meaning is a process that identifies seemingly
innocuous actions that could inadvertently reveal critical or sensitive data to
a cyber criminal. OPSEC is both a process and a strategy, and it encourages
IT and security managers to view their operations and systems from the
perspective of a potential attacker. It includes analytical activities and
processes like behavior monitoring, social media monitoring, and security
best practices.
A crucial piece of OPSEC is the use of risk management to
discover potential threats and vulnerabilities in organizations’ processes, the
way they operate, and the software and hardware their employees use.
Looking at systems and operations from a third party’s point of view enables
OPSEC teams to discover issues they may have overlooked and can be
crucial to implementing the appropriate countermeasures that will keep their
most sensitive data secure.
Why OPSEC Is Important
OPSEC is important because it encourages organizations to closely
assess the security risks they face and spot potential vulnerabilities that a
typical data security approach may not. OPSEC security enables IT and
security teams to fine-tune their technical and non-technical processes while
reducing their cyber risk and safeguarding them against malware-based
attacks.
An effective OPSEC program is important to prevent the inadvertent or
unintended exposure of classified or sensitive data. It enables organizations
to prevent the details of their future activities, capabilities, and intentions
from being made public. However, the key to achieving this is understanding
what this information is, where it is located, what level of protection is
applied to it, what the impact would be if it were compromised, and how the
organization would respond.
If such information is leaked, attackers may be able to cause major
damage. For example, they may be able to build wider cyberattacks and
commit identity fraud or theft if employees reuse their login credentials
across multiple online services.
The 5 Steps of Operational Security
1. Identify sensitive data
Understanding what data organizations have and the sensitive data they
store on their systems is a crucial first step to OPSEC security. This includes
identifying information such as customer details, credit card data, employee
details, financial statements, intellectual property, and product research. It is
vital for organizations to focus their resources on protecting this critical data.
2. Identify possible threats
With sensitive information identified, organizations then need to
determine the potential threats presented to this data. This includes third
parties that may want to steal the data, competitors that could gain an
advantage by stealing information, and insider threats or malicious insiders
like disgruntled workers or negligent employees.
3. Analyze the vulnerabilities
Organizations then need to analyze the potential vulnerabilities in their
security defenses that could provide an opportunity for the threats to
materialize. This involves assessing the processes and technology solutions
that safeguard their data and identifying loopholes or weaknesses that
attackers could potentially exploit.
4. Threat level
Each identified vulnerability then has to have a level of threat attributed
to it. The vulnerabilities should be ranked based on the likelihood of
attackers targeting them, the level of damage caused if they are exploited,
and the amount of time and work required to mitigate and repair the
damage. The more damage that could be inflicted and the higher the
chances of an attack occurring, the more resources and priority
organizations should place on mitigating the risk.
5. Devise a plan to mitigate the threats
This information provides organizations with everything they need to
devise a plan to mitigate the threats identified. The final step in OPSEC is
putting countermeasures in place to eliminate threats and mitigate cyber
risks. These typically include updating hardware, creating policies around
safeguarding sensitive data, and providing employee training on security
best practice and corporate data policies.

An OPSEC process plan must be simple to understand, straightforward to
implement and follow, and be updated as the security threat landscape
evolves.
Best Practices for OPSEC
OPSEC uses risk management processes to identify potential threats and
vulnerabilities before they are exploited and cause problems for
organizations. Businesses can build and implement a comprehensive and
robust OPSEC program by following these best practices:
1. Change management processes: Organizations must implement
specific change management processes that their employees can
follow in case network changes are performed. These changes must be
controlled and logged so that organizations can appropriately audit and
monitor the amendments.
2. Restrict device access: Organizations must restrict access to their
networks to only devices that absolutely require it. Military agencies
and other government organizations deploy a “need to know” basis
around their networks, and this theory also must be applied to
corporate networks. Network device authentication should be used as
a common rule of thumb when it comes to access and information
sharing.
3. Deploy least privilege access: Employees need to be assigned the
minimum level of access to data, networks, and resources that they
require to do their jobs successfully. This means deploying the principle
of least privilege, which ensures that any program, process, or user
only has the bare minimum privilege required to perform its function.
This is crucial to organizations ensuring better security levels,
preventing insider threats, minimizing the attack surface, limiting the
risk of malware, and improving their audit and compliance readiness.
4. Implement dual control: Users responsible for managing their
networks should not also be in charge of security. Organizations must
ensure that teams or individuals responsible for maintaining their
corporate networks are separate from those who set security policies.
5. Deploy automation: Humans are often the weakest link in an
organization’s security processes. Human error can result in mistakes,
data inadvertently ending up in the wrong hands, important details
being overlooked or forgotten, and critical processes being bypassed.
6. Plan for disaster: A critical part of any security defense is to plan for
disaster and institute a solid incident response plan. Even the most
robust OPSEC security needs to be supported with plans that identify
potential risks and outline how an organization will go about
responding to cyberattacks and mitigating the potential damages.

Activity 3
Identify the correct answer. Write it in the space provided.

What are the five steps of operational security?

1. ___________
2. ___________
3. ___________
4. ___________
5. ___________

Security and risk management process that prevents sensitive
information from getting into the wrong hands.

6. ___________

A critical part of any security defense is to plan for disaster
and institute a solid incident response plan.

7. __________

Organizations must restrict access to their networks to only
devices that absolutely require it.

8. __________

Implement dual control: Users responsible for managing their
networks should not be made in charge of security.

9. __________

Employees need to be assigned the minimum level of access
to data, networks, and resources that they require to do their
jobs successfully.

10. __________
1.6 Policy
The purpose of IA is to reduce information risks by ensuring the information
on which the business makes decisions is reliable. This purpose is achieved
by following:
 Risk management: Businesses face legal fines and penalties if the
information in the network is compromised. IA enables risk assessment
to identify vulnerabilities and the potential impact on the business in
terms of compliance, cost and operational continuity. The goal is to
mitigate potential threats.
 Encryption at rest and in transit: IA mandates end-to-end
encryption to protect privacy by ensuring no human or computer can
read data at rest and in transit except the intended parties. The goal is
to help businesses stay compliant with regulatory requirements and
standards.
 Data integrity: Bad business decisions usually stem from bad data. IA
focuses on auditing data collection and tracking process, improving
transparency in the organizational process. The goal is to manage data
in a way that a future audit can retrace the process, leading to better
decision-making.
An Information Security Policy (ISP) is a set of rules that guide
individuals when using IT assets. Companies can create information security
policies to ensure that employees and other users follow security protocols
and procedures. Security policies are intended to ensure that only authorized
users can access sensitive systems and information.
Creating an effective security policy and taking steps to ensure
compliance is an important step towards preventing and mitigating security
threats. To make your policy truly effective, update it frequently based on
company changes, new threats, conclusions drawn from previous breaches,
and changes to security systems and tools.
Make your information security strategy practical and reasonable. To meet
the needs and urgency of different departments within the organization, it is
necessary to deploy a system of exceptions, with an approval process,
enabling departments or individuals to deviate from the rules in specific
circumstances.

Activity 4
Get one whole sheet of paper and write a reflection paper of at least three
hundred words about Information Security Policy and its purpose.
1.7 Attacks
A cyberattack is a malicious and deliberate attempt by an individual or
organization to breach the information system of another individual or
organization. Usually, the attacker seeks some type of benefit from
disrupting the victim’s network.
How often do cyber attacks occur?
Cyber attacks hit businesses every day. Former Cisco CEO John
Chambers once said, “There are two types of companies: those that have
been hacked, and those who don’t yet know they have been hacked.”
According to the Cisco Annual Cybersecurity Report, the total volume of
events has increased almost fourfold between January 2016 and October
2017.
Why do people launch cyber attacks?
Cybercrime has increased every year as people try to benefit from
vulnerable business systems. Often, attackers are looking for ransom: 53
percent of cyber attacks resulted in damages of $500,000 or more.
Cyberthreats can also be launched with ulterior motives. Some
attackers look to obliterate systems and data as a form of “hacktivism.”
What is a botnet?
A botnet is a network of devices that have been infected with malicious
software, such as a virus. Attackers can control the botnet as a group
without the owners’ knowledge, with the goal of increasing the magnitude of
their attacks. Often, a botnet is used to overwhelm systems in a distributed
denial-of-service (DDoS) attack.

Common types of cyber attacks
1. Malware
Malware is a term used to describe malicious software, including spyware,
ransomware, viruses, and worms. Malware breaches a network through a
vulnerability, typically when a user clicks a dangerous link or email
attachment that then installs risky software. Once inside the system,
malware can do the following:
 Blocks access to key components of the network (ransomware)
 Installs malware or additional harmful software
 Covertly obtains information by transmitting data from the hard drive
(spyware)
 Disrupts certain components and renders the system inoperable

2. Phishing
Phishing is the practice of sending fraudulent communications that
appear to come from a reputable source, usually through email. The goal is
to steal sensitive data like credit card and login information or to install
malware on the victim’s machine. Phishing is an increasingly common
cyberthreat.
3. Man-in-the-middle attack
Man-in-the-middle (MitM) attacks, also known as eavesdropping
attacks, occur when attackers insert themselves into a two-party transaction.
Once the attackers interrupt the traffic, they can filter and steal data.
Two common points of entry for MitM attacks:
 On unsecure public Wi-Fi, attackers can insert themselves between a
visitor’s device and the network. Without knowing, the visitor passes
all information through the attacker.
 Once malware has breached a device, an attacker can install software
to process all of the victim’s information.

4. Denial-of-service attack
A denial-of-service attack floods systems, servers, or networks with
traffic to exhaust resources and bandwidth. As a result, the system is unable
to fulfill legitimate requests. Attackers can also use multiple compromised
devices to launch this attack. This is known as a distributed-denial-of-service
(DDoS) attack.
5. SQL injection
A Structured Query Language (SQL) injection occurs when an attacker
supplies input that the application pastes directly into a SQL statement, so
the input is executed as part of the query rather than treated as data. The
attacker can then make the database reveal (or modify) information it
normally would not. An attacker could carry out a SQL injection simply by
typing crafted input into a vulnerable website search box.
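The search-box case in working code, as an added example (not from the original notes; Python standard library only, using an in-memory SQLite database). The product and user tables, their rows, and the two attacker strings are constructed for the demonstration. The vulnerable function builds its query by string formatting; the safe one binds a parameter, so the same attacker input is only ever matched as text.

```python
"""SQL injection against an in-memory SQLite database.
Added example, not from the original lecture notes.  Schema, rows and
attacker inputs are constructed for the demonstration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, is_public INTEGER);
        INSERT INTO products VALUES (1, 'Router', 1), (2, 'Switch', 1),
                                    (3, 'Unreleased roadmap', 0);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', 'sha256:deadbeef...');
    """)
    return conn


def vulnerable_search(conn: sqlite3.Connection, term: str) -> list:
    """The 'search box' pattern from the text: user input is pasted into the
    SQL text, so a quote in the input changes the structure of the query."""
    sql = f"SELECT name FROM products WHERE is_public = 1 AND name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def safe_search(conn: sqlite3.Connection, term: str) -> list:
    """Same query with a bound parameter: the input is always data, never SQL."""
    sql = "SELECT name FROM products WHERE is_public = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


# Two attacker inputs.  The first closes the quoted LIKE pattern and adds an
# always-true clause, exposing the non-public row.  The second appends a
# UNION that pulls rows out of an unrelated table.  In both, '--' starts an
# SQL comment that swallows the rest of the original statement.
BYPASS_FILTER = "%' OR 1=1 --"
DUMP_USERS = "' UNION SELECT username || ':' || pw_hash FROM users --"


def demo() -> dict:
    conn = make_db()
    return {
        "normal":      sorted(vulnerable_search(conn, "Rout")),
        "bypass":      sorted(vulnerable_search(conn, BYPASS_FILTER)),
        "dump_users":  sorted(vulnerable_search(conn, DUMP_USERS)),
        "safe_bypass": safe_search(conn, BYPASS_FILTER),
        "safe_dump":   safe_search(conn, DUMP_USERS),
    }
```

Parameter binding removes the injection, but note that `%` and `_` in the input are still LIKE wildcards; if that matters for your application, escape them separately (a correctness issue, not an injection).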
6. Zero-day exploit
A zero-day exploit targets a vulnerability for which no patch or fix yet
exists, so the vendor has had "zero days" to address it. The exposure lasts
from the moment the flaw is discovered or announced until a patch or
workaround is implemented, and attackers concentrate on that window.
Defending against zero-day threats requires constant awareness and
compensating controls, since signature-based detection has nothing to match.
7. DNS Tunneling
DNS tunneling uses the DNS protocol to carry non-DNS traffic over port 53,
encoding HTTP and other protocol data inside DNS queries and responses. There
are legitimate reasons to use DNS tunneling (some "DNS tunneling VPN" services,
for example). It is also used maliciously: because DNS is almost always allowed
out of a network, outbound traffic disguised as DNS queries can carry data out
of a compromised system to the attacker’s infrastructure, and the DNS responses
can carry command-and-control instructions back to the compromised system.
Activity 5
Identify the answer to each question and write it in the blank provided.

__________1. Attackers target the disclosed vulnerability during this window
of time.

__________2. It sends HTTP and other protocol traffic over DNS.

__________3. The goal is to steal sensitive data like credit card and login
information or to install malware on the victim’s machine.

__________4. Once the attackers interrupt the traffic, they can filter and
steal data.

__________5. An attacker could carry out a SQL injection simply by
submitting malicious code into a vulnerable website search box.

1.8 Security Domains

Seven Domains of IT Infrastructure
Seven domains can be found in a typical IT infrastructure: the User Domain,
Workstation Domain, LAN Domain, LAN-to-WAN Domain, Remote Access Domain,
WAN Domain, and System/Application Domain. Each of these domains is a
potential entry point for attackers if countermeasures are missing or fail. It
is imperative for businesses to protect each of the seven domains: it only
takes one unprotected domain for an attacker to gain access to private data.
Domain of a typical IT Infrastructure
1. User Domain
The User Domain covers all the users (of any rank) that have access to the
other six domains.
RISKS:
 User can destroy data in an application (intentionally or not) and delete all
 User can find that his girlfriend cheated on him and use her password
to delete all of her work so that she would be fired.
 User can insert an infected CD or USB flash drive into the work computer.
2. Workstation Domain.
A computer of an individual user where the production takes place.
RISKS:
 The workstation’s OS can have a known software vulnerability that
allows a hacker to connect remotely and steal data.
 A workstation’s browser can have a software vulnerability which allows
unsigned scripts to silently install malicious software.
 A workstation’s hard drive can fail causing lost data.

3. LAN Domain
Contains all of the workstations, hubs, switches, and routers. The LAN is a
trusted zone.
RISKS:
 A worm can spread through the LAN and infect all computers in it.
 LAN server OS can have a known software vulnerability.
 An unauthorized user can access the organization’s workstations in a
LAN
4. WAN Domain
Stands for Wide Area Network and consists of the Internet and semi-private
lines.
RISKS:
 Service provider can have a major network outage.
 Server can receive a DoS or DDoS attack.
 An FTP server that allows anonymous uploads can be abused to host illegal
software.

5. LAN-to-WAN Domain
The boundary between the trusted and untrusted zones. The zones are
filtered with a firewall.
RISKS:
 A hacker can penetrate your IT infrastructure and gain access to your
internal network.
 Weak ingress/egress traffic filtering can degrade performance.
 A firewall with unnecessary ports open can allow access from the
Internet

6. System / Application Storage Domain
This domain is made up of user-accessed servers such as email and
database servers.

RISKS:
 A fire can destroy primary data
 A DOS attack can cripple the organization’s email
 A database server can be attacked by SQL injection, corrupting the
data
7. Remote Access Domain
The domain in which a mobile user can access the local network
remotely, usually through a VPN.
RISKS:
 Communication circuit outage can deny connection.
 Remote communication from office can be unsecured.
 VPN tunneling between remote computer and ingress/egress router
can be hacked

Activity 6

Provide at least two risks of a typical IT infrastructure for each of the
following domains.

1. User Domain
 ____________________________________________________________
 ____________________________________________________________
2. LAN-to-WAN Domain
 ____________________________________________________________
 ____________________________________________________________
3. LAN Domain
 ____________________________________________________________
 ____________________________________________________________
1.9 Forensics
As technology advances, new opportunities bring with them potential
threats in the form of cyberattacks, digital vulnerabilities and data loss.
Auditing risks and protecting and securing digital information have become
more important than ever.

What is computer forensics?
Computer forensics, also known as digital forensics, computer forensic
science or cyber forensics, combines computer science and legal forensics to
gather digital evidence in a way that is admissible in a court of law.

How computer forensics has evolved
Computer forensics first gained prominence in the early 1980s with the
invention of the personal computer. As technology became a staple in
everyday life, criminals identified an opening and began committing crimes
on electronic devices.

Why computer forensics matters
Like physical crime scene evidence, digital evidence must be collected
and handled correctly. Otherwise, the data and metadata may be lost or
deemed inadmissible in a court of law.
For example, investigators and prosecutors must demonstrate a proper
chain of custody for digital evidence: they must document how it was
handled, processed and stored. And they must know how to collect and store
the data without altering it, a challenge given that seemingly harmless
actions such as opening, printing or saving files can change metadata
permanently.

How computer forensics works
There are four main steps to computer forensics.
 Device identification
The first step is identifying the devices or storage media that might
contain data, metadata or other digital artifacts relevant to the investigation.
These devices are collected and placed in a forensics lab or other secure
facility to follow protocol and help ensure proper data recovery.
 Data preservation
Forensic experts create an image, or bit-for-bit copy, of the data to be
preserved. Then, they safely store both the image and the original to protect
them from being altered or destroyed.
Experts collect two kinds of data: persistent data, stored on a device’s
local hard disk drive, and volatile data, located in memory or in transit (for
example, registries, cache and random access memory (RAM)). Volatile data
must be handled especially carefully since it’s ephemeral and can be lost if
the device shuts down or loses power.
 Forensic analysis
Next, forensics investigators analyze the image to identify relevant digital
evidence. This can include intentionally or unintentionally deleted files,
internet browsing history, emails and more.
To uncover “hidden” data or metadata others might miss, investigators
use specialized techniques including live analysis, which evaluates still-
running systems for volatile data, and reverse steganography, which exposes
data hidden by using steganography, a technique for concealing sensitive
information within ordinary-seeming messages.
 Reporting
As a final step, forensic experts create a formal report outlining their
analysis, and share the investigation findings and any conclusions or
recommendations. Though reports vary by case, they are often used to
present digital evidence in a court of law.
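The data preservation and reporting steps above can be made concrete. The following is an added example (not part of the lecture or of any forensic tool): it acquires a bit-for-bit image of a constructed "device", proves the copy is exact by hashing source and image, and appends a chain-of-custody record for every action on the evidence. The device contents, examiner names and the simulated careless write are all made up for the demonstration.

```python
"""Constructed demonstration of the data-preservation step: acquire a
bit-for-bit image of a 'device', verify it against the original by hash,
and keep a chain-of-custody log for every touch of the evidence.
Added example, stdlib only; the device contents below are made up."""
import hashlib
import io
from datetime import datetime, timezone

CHUNK_SIZE = 4096  # read in blocks so very large images never sit in RAM at once

# Constructed sample 'device': pseudo boot sectors, file data, padding and
# the remnant of a deleted note that a later analysis step might recover.
SAMPLE_DEVICE = (
    b"BOOT-SECTOR\x00" * 8
    + b"report-q3.docx: quarterly figures ..." + b"\x00" * 40
    + b"\xe5ELETED.TXT meeting moved to 14:00 at the branch office"
    + b"\x00" * 64
)


def sha256_of(stream):
    """Hash a seekable binary stream from its start, chunk by chunk."""
    stream.seek(0)
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK_SIZE), b""):
        digest.update(block)
    return digest.hexdigest()


def log_action(custody_log, action, examiner, sha256):
    """Append one custody record: who did what to the evidence, and when."""
    custody_log.append({
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "action": action,
        "examiner": examiner,
        "sha256": sha256,
    })


def acquire_image(source, custody_log, examiner):
    """Copy `source` byte for byte into an image, then prove the copy is exact
    by hashing both. Returns (image, acquisition_hash)."""
    source.seek(0)
    image = io.BytesIO()
    for block in iter(lambda: source.read(CHUNK_SIZE), b""):
        image.write(block)
    source_hash = sha256_of(source)
    image_hash = sha256_of(image)
    if source_hash != image_hash:
        raise RuntimeError("image does not match source; acquisition failed")
    log_action(custody_log, "acquire", examiner, image_hash)
    return image, image_hash


def verify_image(image, acquisition_hash, custody_log, examiner):
    """Re-hash before each analysis session. A mismatch means the evidence
    changed after acquisition and is no longer what was collected."""
    current = sha256_of(image)
    intact = current == acquisition_hash
    log_action(custody_log, "verify-ok" if intact else "verify-FAILED",
               examiner, current)
    return intact


def run_demo():
    """Acquire, verify, then simulate an accidental write and verify again."""
    custody_log = []
    device = io.BytesIO(SAMPLE_DEVICE)
    image, acq_hash = acquire_image(device, custody_log, "examiner-01")
    before = verify_image(image, acq_hash, custody_log, "examiner-02")
    # Simulate a careless action on the working copy (a file opened and
    # saved back, say): even one changed byte breaks the integrity check.
    image.seek(12)
    image.write(b"!")
    after = verify_image(image, acq_hash, custody_log, "examiner-02")
    return {
        "acquisition_hash_matches_source":
            acq_hash == hashlib.sha256(SAMPLE_DEVICE).hexdigest(),
        "intact_before_tamper": before,
        "intact_after_tamper": after,
        "custody_entries": len(custody_log),
        "last_action": custody_log[-1]["action"],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In practice the analysis is done on a second working copy while the acquisition image stays untouched, and the custody log (here an in-memory list) is the record that ends up in the final report.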

Use cases for digital forensics


There are several areas in which organizations or law enforcement
officials might start a digital forensics investigation:
a) Criminal investigations: Law enforcement agencies and computer
forensics specialists can use computer forensics to solve computer-
related crimes, like cyberbullying, hacking or identity theft, as well as
crimes in the physical world, including robbery, kidnapping, murder
and more. For example, law enforcement officials might use computer
forensics on a murder suspect’s personal computer to locate potential
clues or evidence hidden in their search histories or deleted files.
b) Civil litigation: Investigators can also use computer forensics in civil
litigation cases, like fraud, employment disputes or divorces. For
example, in a divorce case, a spouse’s legal team might use computer
forensics on a mobile device to reveal a partner’s infidelity and receive
a more favorable ruling.
c) The protection of intellectual property: Computer forensics can
help law enforcement officials investigate intellectual property theft,
like stealing trade secrets or copyrighted material. Some of the most
high-profile computer forensics cases involve intellectual property
protection, notably when departing employees steal confidential
information to sell it to another organization or set up a competing
company. By analyzing digital evidence, investigators can identify who
stole the intellectual property and hold them accountable.
d) National security: Computer forensics has become an important
national security tool as cybercrimes continue escalating among
nations. Governments or law enforcement agencies like the FBI now
use computer forensics techniques following cyberattacks to uncover
evidence and shore up security vulnerabilities.

Computer forensics, cybersecurity and DFIR


Again, computer forensics and cybersecurity are closely related
disciplines that often collaborate on protecting digital networks from
cyberattacks. Cybersecurity is both proactive and reactive, focusing on
cyberattack prevention and detection, as well as cyberattack response and
remediation.
Computer forensics is almost entirely reactive, springing into action in the
event of a cyberattack or crime. But computer forensic investigations often
provide valuable information that cybersecurity teams can use to prevent
future cyberattacks.

DFIR: Computer forensics + incident response


When computer forensics and incident response (the detection and
mitigation of cyberattacks in progress) are conducted independently, they can
interfere with each other, with negative results for an organization. DFIR
combines the two disciplines so that:
a) Forensic data collection happens alongside threat mitigation.
Incident responders use computer forensic techniques to collect and
preserve data while they’re containing and eradicating the threat,
ensuring the proper chain of custody is followed and that valuable
evidence isn’t altered or destroyed.
b) Post-incident review includes examination of digital evidence.
In addition to preserving evidence for legal action, DFIR teams use it to
reconstruct cybersecurity incidents from start to finish to learn what
happened, how it happened, the extent of the damage and how similar
attacks can be avoided.
DFIR can lead to faster threat mitigation, more robust threat recovery and
improved evidence for investigating criminal cases, cybercrimes, insurance
claims and more.

Activity 7
Multiple Choice: Encircle the best answer.
1. Law enforcement agencies and computer forensics specialists can
use computer forensics to solve computer-related crimes.
a. Criminal investigations
b. The protection of intellectual property
c. Civil litigation
d. Corporate security
2. Computer forensics have become an important national security tool
as cybercrimes continue escalating among nations.
a. Litigation
b. Corporate security
c. National security
d. The protection of intellectual property
3. The first step is identifying the devices or storage media that might
contain data, metadata or other digital artifacts relevant to the
investigation.
a. Reporting
b. Forensic analysis
c. Device identification
d. Data preservation
4. Uncover “hidden” data or metadata others might miss, investigators
use specialized techniques including live analysis.
a. Reporting
b. Device identification
c. Data preservation
d. Forensic analysis
5. Computer forensics first gained prominence in the early _____ with
1.10 Information States
In short, information assurance focuses on gathering data. Information
security is about keeping that data safe. In most organizations, these two
jobs are combined into one department or even one worker. You’ll need to
understand cyber security, database management and security engineering
to succeed in this field. A relevant master’s or bachelor’s degree is highly
recommended to ensure you learn the broad range of skills necessary to
work as a cyber security officer. Don’t be confused: Although you’ll be
responsible for storing customer data, algorithm outputs or protected health
information, you won’t actually be in charge of gathering the data yourself.
You’ll be more like the owner of a long-term storage facility, and your
company’s users will be the tenants who bring you the items, meaning
data, for safeguarding.
Most computer security experts work directly for a company rather than
freelancing or reporting to an agency with multiple clients. A master’s degree
in information assurance and security opens a wide range of doors for you.
You’ll work typical office hours, although some overtime may be required.
Dressing professionally and keeping yourself up-to-date on security trends
will be expected in most positions. Entry-level jobs include working as a
security analyst, database manager or information integrity specialist. As
you advance your career, you might find yourself working as a director of
information security or a chief information security officer (CISO).

Three states of information


This section identifies three fundamental states that information can be in
at any given time. It is essential to identify each state distinctly, as the
corresponding security measures differ for each of them. To address each
separately, the state in which information resides at a given time in a
computational environment is identified. These three states are information
in transit, information in process, and information in storage. Information in
transit refers to the status where an underlying network (wired or wireless)
facilitates the transmission of data from one place (source) to another
(destination). Information in process refers to the case when data is
processed so that it transforms from a source format to a destination format.
And information in storage refers to the mostly stagnant form of data that
resides on a storage medium for future reference. As these brief descriptions
imply, information in each state has different properties from information in
the other states. As an example, information in transit is different from
information in process and information in storage.
1. Information in transit
The first state of information is information in transit. This state refers to the
situation when information handled is transferred from one place (source) to
another place (destination). As depicted in Figure 2.2, in the context of
information in transit state, the information residing in source side is
transmitted to destination via an underlying network. The underlying
network infrastructure could be of various types, such as cable network,
wireless network, etc., and does not differentiate the type of data being
transferred, as each data piece is processed in the bit level of granularity.
This enables the transfer of information in various possible formats, such as
plaintext, still image, movie, voice, etc.

Figure 2.2 Information in transit.

Though Figure 2.2 illustrates information being transmitted from source
to destination, more often than not the roles change and the source becomes
the destination and the destination becomes the source. This is because
communication is inherently full duplex most of the time.
It should also be noted that if information in transit is considered only in
isolation, then it should not change the format of the data being transferred.
This explains why in Figure 2.2 both the source and destination sides label
the information exactly the same way. And to guarantee this unchanging
property of data, integrity mechanisms are inherently built into network
systems that facilitate information in transit. If a more complex system is
designed and implemented by combining the information in transit and
information in process states, then the labeling of each information entity
will have to be modified accordingly. In particular, these entities will label
the information as Information1 and Information2 on each side so as to
indicate the changing content of the information itself. This phenomenon is
explained further in Section 2.3 and is depicted in Figure 2.3.
Figure 2.3 Information Process

Sending a memo that has text, pictures, and videos in it as part of a business
operation from company headquarters to a branch office is an example of
the case where information is transmitted from source (the company
headquarters) to destination (the branch office).

2. Information in process
This state focuses on how one operates on data to change its form. It is
very common in computational operations today to process data such that it
no longer possesses its original format. As an example, one may compress
data so that it occupies less space, another may encrypt it so that it
becomes unintelligible to unintended third parties, yet another combines
compression and encryption so as to benefit from combined effects of the
two.
Information in process is represented graphically in Figure 2.3, where a
series of operations are applied to the input data to yield the output data.
The expectation at the end of the process in this figure is that the output
(Information2) will be different from the input (Information1). This is a
fundamental difference from Figure 2.2, where the information on each side
was expected to be the same.
3. Information in storage
The information in storage state refers to the case when information rests on
a storage medium of choice so that it is available in the future. Figure 2.4
depicts the last state of information, which is called information in storage.
Figure 2.4 Information in storage.

The expectation at this state is to ensure that the information remains
intact in storage and, moreover, that no unauthorized party can access it.
These efforts involve authentication of the users who can access the
information, as well as integrity of the information being stored. The
requirement to keep the data intact, that is, to preserve its integrity while
in storage, explains why the information is labeled the same on both the
user and storage sides in Figure 2.4. This is similar to the requirement
mentioned while explaining information in transit, as depicted in Figure 2.2.
Yet, as information in process inherently changes the format of data, the
labeling of information on each side of the process was different for
information in process (see Figure 2.3).

1.11 Security Services


The key principles of information assurance are referred to as the CIA
triad, an acronym for Confidentiality, Integrity, and Availability. Each of these
components represents a fundamental objective of data security. These
pillars of information assurance can be applied in different ways, depending
on the sensitivity of the organization’s information and information systems.
In the sections below, we’ll dive into each component of the CIA triad:
1. Confidentiality
This aspect is closely related to privacy and the use of encryption. Data
confidentiality means that only authorized users can access the data.
Additionally, it protects against unauthorized disclosure of information. After
all, when information is kept confidential, it means that other parties cannot
compromise it.
Confidential data is not disclosed to people who don’t require it or who
shouldn’t have access to it. Ensuring confidentiality means information is
organized in terms of access control and data sensitivity. A breach of
confidentiality can occur through various means, such as hacking or social
engineering.
Sometimes safeguarding data confidentiality involves security awareness
training for those who are privy to sensitive information. Training helps
familiarize authorized parties with risk factors and how to protect against
them. Other aspects of training include information on social engineering,
strong passwords, and password-related practices that can limit remote
access.

2. Integrity
Data integrity refers to the assurance that the data is not tampered with
or degraded across its lifecycle. It is the certainty that the data is not
subjected to either intentional or unintentional unauthorized modification.
Integrity could be compromised at two points during the transmission
process. These include the upload and transmission of data or the data
storage in the database or collection.
Buggy programs can affect productivity. Therefore, the principle of
integrity is designed to ensure that data can be trusted to be accurate.
Various aspects help maintain data integrity, including cyber essentials such
as antivirus programs and firewalls, programs that restrict access to sensitive
data or operations, also known as user access controls, and employee
education and awareness of unsafe acts.

3. Availability
Data availability means that the information is available and easily
accessible to authorized users when it is needed. For a system to
demonstrate availability, it should have properly functioning communication
channels, computing systems, and security controls.

For instance, critical systems such as power generation, medical
equipment, and safety systems usually have extreme requirements in
relation to availability. These systems should be resilient against cyber
threats and have protection against hardware failures, power outages, and
other events that may affect system availability.
When an individual needs data to perform a job and is ready to utilize it,
the data must be readily accessible in a sensible and reliable manner so that
the task can be completed on time and the organization can continue its
processes.
Other Principles
In addition to these three key aspects of information assurance, there are
two other principles:

4. Authenticity
The authenticity principle involves the verification of the identity of users
before giving them access to the information. Methods of ensuring
authentication include two-factor authentication, biometrics, password
management, and other techniques.
The primary goal of this principle is to prevent identity theft. Therefore
authenticity means ensuring that those who can access information are who
they say they are. It may also be used to identify other devices.

5. Non-Repudiation
The information system needs to provide proof of delivery confirming that
data was properly transmitted.
The non-repudiation principle means that if someone has access to the
organization’s information systems, they can’t deny having completed an
action within the systems, because there are methods proving that they did
the action. It relies on up-to-date information systems and on digital
signatures to remove deniability and guarantee that a communication was
transmitted.
The primary goal of this principle is to guarantee that the digital
signatures are those of the intended parties, thus allowing authorization for
the protected information.
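The integrity and authenticity services above, and the three information states of Section 1.10, can be shown together in a short program. The following is an added example (not part of the lecture): an HMAC-SHA256 tag computed under a shared key travels with the data in transit, is recomputed over the transformed output of processing (Information1 becomes Information2 and is recovered again), and is written beside the data at rest so that a later load detects tampering. The key and the memo text are constructed for the demonstration. Note what this does not give: because both parties hold the same key, either of them could have produced the tag, so a MAC provides integrity and authenticity but not the non-repudiation that the text attributes to digital signatures.

```python
"""Constructed demonstration of integrity and authenticity checks for the
three states of information: an HMAC tag travels with data in transit, is
recomputed over the transformed output of processing, and is stored beside
data at rest. Added example, stdlib only; the key and messages are made up."""
import hashlib
import hmac
import zlib

# Constructed shared secret; in practice both sides would hold this key.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def tag(key, data):
    """Authenticity + integrity tag over `data` (HMAC-SHA256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def tag_is_valid(key, data, received_tag):
    """Constant-time comparison so the check itself does not leak timing."""
    return hmac.compare_digest(tag(key, data), received_tag)


# --- Information in transit: the bytes are expected to arrive unchanged ---
def send(key, information1):
    return information1, tag(key, information1)


def receive(key, information, received_tag):
    """True only if the bytes are exactly what the sender tagged."""
    return tag_is_valid(key, information, received_tag)


# --- Information in process: Information1 is deliberately transformed ---
def process(information1):
    """Compression changes the representation (Information1 -> Information2)."""
    return zlib.compress(information1)


def unprocess(information2):
    return zlib.decompress(information2)


# --- Information in storage: record the tag beside the data at rest ---
def store(key, information):
    return {"data": information, "tag": tag(key, information)}


def load(key, record):
    """Raises if the stored bytes no longer match the tag written at store time."""
    if not tag_is_valid(key, record["data"], record["tag"]):
        raise ValueError("stored data failed integrity check")
    return record["data"]


def run_demo():
    information1 = b"Memo: branch office opens 09:00; see attached figures."

    # Transit: unchanged bytes verify; a single flipped bit does not.
    data, t = send(SHARED_KEY, information1)
    transit_ok = receive(SHARED_KEY, data, t)
    corrupted = bytes([data[0] ^ 0x01]) + data[1:]
    transit_detects_change = not receive(SHARED_KEY, corrupted, t)

    # Process: the output differs from the input, yet is recoverable.
    information2 = process(information1)
    process_changes_bytes = information2 != information1
    process_round_trip = unprocess(information2) == information1

    # Storage: tamper with the record 'on disk' and try to load it.
    record = store(SHARED_KEY, information2)
    stored_ok = load(SHARED_KEY, record) == information2
    record["data"] = record["data"][:-1] + bytes([record["data"][-1] ^ 0xFF])
    try:
        load(SHARED_KEY, record)
        storage_detects_change = False
    except ValueError:
        storage_detects_change = True

    return {
        "transit_ok": transit_ok,
        "transit_detects_change": transit_detects_change,
        "process_changes_bytes": process_changes_bytes,
        "process_round_trip": process_round_trip,
        "stored_ok": stored_ok,
        "storage_detects_change": storage_detects_change,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```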

Conclusion
An Information Security Management System (ISMS) is designed to
give your organization a framework that protects your information and
information systems against security threats. Therefore, every element of an
information security program and security control put in place by an
organization should be designed to achieve one or more of these three key
aspects.
Activity 8
Get another sheet of paper. Write the questions below and
provide answer on every question.

1. This principle involves the verification of the identity of
users before giving them access to the information.
2. This means that the information is available and easily
accessible to authorized users when it is needed.
3. The primary goal of this principle is to guarantee
that the digital signatures are those of the intended
parties.
4. This aspect is closely related to privacy and the use of
encryption.
5. Refers to the assurance that the data is not tampered
with or degraded across its lifecycle.

Information assurance and cybersecurity is the management and protection
of knowledge, information and data. It combines two fields:
• Information assurance, which focuses on ensuring the availability,
integrity, authentication, confidentiality and nonrepudiation of
information and systems. These measures may include auditing and
assessing risks to different systems and incorporating protection,
detection and reaction capabilities.
• Information cybersecurity, which centers on the protection of
information and information systems from unauthorized access, use,
disclosure, disruption, modification or destruction. This could include
security applications and infrastructure like firewalls, intrusion
prevention and other countermeasures.
Information systems play an important role in the infrastructure that
supports commerce, banking, telecommunications, healthcare and national
security, driving the need for qualified professionals in the information
assurance and cybersecurity field.

Activity 9
On a clean white coupon bond, draw and illustrate the following:
1. Three states of information
2. Information in process
3. Information in storage

1.12 Threat Analysis Model


A threat analysis is a process used to determine which components of
the system need to be protected and the types of security risks (threats)
they should be protected from (Figure 2.4). This information can be used to
determine strategic locations in the network architecture and design where
security can reasonably and effectively be implemented.
Figure 2.4 Threat Analysis

A threat analysis typically consists of identifying the assets to be protected,
as well as identifying and evaluating possible threats. Assets may include,
but are not restricted to:
• User hardware (workstations/PCs)
• Servers
• Specialized devices
• Network devices (hubs, switches, routers, OAM&P)
• Software (OS, utilities, client programs)
• Services (applications, IP services)
• Data (local/remote, stored, archived, databases, data in-transit)
And threats may include, but are not restricted to:
• Unauthorized access to data/services/software/hardware
• Unauthorized disclosure of information
• Denial of service
• Theft of data/services/software/hardware
• Corruption of data/services/software/hardware
• Viruses, worms, Trojan horses
• Physical damage
One method to gather data about security and privacy for your environment
is to list the threats and assets on a worksheet. This threat analysis
worksheet can then be distributed to users, administration, and
management, even as part of the requirements analysis process, to gather
information about potential security problems.
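The worksheet method just described can be carried through in code. The following is an added example (not from the lecture): the asset and threat lists above are crossed into asset/threat pairs, reviewers rate each pair, and the ratings are ranked to show where protection is most needed and which pairs nobody has rated yet. The 1-to-5 likelihood and impact scale, the likelihood-times-impact score, the threshold of 12 and the sample ratings are assumptions introduced here, not part of the text.

```python
"""Constructed threat-analysis worksheet: the asset and threat lists from
the text are crossed into asset/threat pairs, each pair is rated, and the
ratings are ranked to show where protection is most needed. Added example;
the 1-5 likelihood/impact scale and the sample ratings are assumptions."""
from itertools import product

ASSETS = [
    "User hardware", "Servers", "Specialized devices", "Network devices",
    "Software", "Services", "Data",
]
THREATS = [
    "Unauthorized access", "Unauthorized disclosure", "Denial of service",
    "Theft", "Corruption", "Malware (viruses, worms, Trojan horses)",
    "Physical damage",
]


def blank_worksheet(assets=ASSETS, threats=THREATS):
    """Every asset/threat pair, unrated: this is what gets handed to users,
    administrators and management to fill in."""
    return {pair: None for pair in product(assets, threats)}


def rate(worksheet, asset, threat, likelihood, impact):
    """Record a rating; both values on the assumed 1 (low) to 5 (high) scale."""
    if (asset, threat) not in worksheet:
        raise KeyError(f"{asset!r}/{threat!r} is not on the worksheet")
    for value in (likelihood, impact):
        if not 1 <= value <= 5:
            raise ValueError("ratings must be between 1 and 5")
    worksheet[(asset, threat)] = (likelihood, impact)


def risk_score(rating):
    """Assumed scoring: likelihood x impact, so 1..25."""
    likelihood, impact = rating
    return likelihood * impact


def ranked(worksheet):
    """Rated pairs, highest score first; ties broken by asset then threat."""
    rated = [(pair, risk_score(r)) for pair, r in worksheet.items()
             if r is not None]
    return sorted(rated, key=lambda item: (-item[1], item[0]))


def unrated(worksheet):
    """Pairs nobody has rated yet: gaps to close before requirements are final."""
    return [pair for pair, r in worksheet.items() if r is None]


def protection_needed(worksheet, threshold=12):
    """Assets grouped with the threats whose score meets the threshold,
    in descending order of score: the places where controls go first."""
    needs = {}
    for (asset, threat), score in ranked(worksheet):
        if score >= threshold:
            needs.setdefault(asset, []).append(threat)
    return needs


def run_demo():
    """Fill a worksheet with constructed ratings from a fictitious review."""
    ws = blank_worksheet()
    rate(ws, "Data", "Unauthorized disclosure", 4, 5)                       # 20
    rate(ws, "Data", "Corruption", 3, 5)                                    # 15
    rate(ws, "Servers", "Denial of service", 3, 4)                          # 12
    rate(ws, "Software", "Malware (viruses, worms, Trojan horses)", 4, 3)   # 12
    rate(ws, "User hardware", "Theft", 4, 2)                                # 8
    rate(ws, "Network devices", "Physical damage", 1, 4)                    # 4
    return ws


if __name__ == "__main__":
    ws = run_demo()
    for (asset, threat), score in ranked(ws):
        print(f"{score:>3}  {asset} / {threat}")
    print(f"{len(unrated(ws))} pairs still unrated")
    print(protection_needed(ws))
```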
Activity 9
Draw and illustrate on a clean white coupon bond the Threat Analysis
Model and explain it in front of the class.

1.13 Vulnerabilities
A vulnerability in cybersecurity is a flaw or weakness in a system that
cybercriminals exploit to gain unauthorized access or cause harm. These
vulnerabilities often stem from coding errors or misconfigurations and can be
leveraged to disrupt operations, steal data, or compromise security. Once
identified, vulnerabilities are registered as CVEs (Common Vulnerabilities and
Exposures) and assessed for their potential risk.
Flaws
A flaw is unintended functionality. This may either be a result of poor
design or through mistakes made during implementation. Flaws may go
undetected for a significant period of time. The majority of common attacks
we see today exploit these types of vulnerabilities. Between 2014 and 2015,
nearly 8,000 unique and verified software vulnerabilities were disclosed in
the US National Vulnerability Database (NVD).
Vulnerabilities are actively pursued and exploited by the full range of
attackers. Consequently, a market has grown in software flaws, with ‘zero-
day’ vulnerabilities (that is, recently discovered vulnerabilities that are not
yet publicly known) fetching hundreds of thousands of pounds.
Zero-day vulnerabilities
Zero-days are frequently used in bespoke attacks by the more capable
and resourced attackers. Once the zero-days become publicly known,
reusable attacks are developed and they quickly become a commodity
capability. This poses a risk to any computer or system that has not had the
relevant patch applied, or updated its antivirus software. The ability for an
attacker to find and attack software flaws or subvert features depends on the
nature of the software and their technical capabilities. Some target platforms
are relatively simple to access, for example web applications could, by
design, be capable of interacting with the Internet and may provide an
opportunity for an attacker.
Features
A feature is intended functionality which can be misused by an
attacker to breach a system. Features may improve the user’s experience,
help diagnose problems or improve management, but they can also be
exploited by an attacker.
When Microsoft introduced macros into their Office suite in the late
1990s, macros soon became the vulnerability of choice with the Melissa
worm in 1999 being a prime example. Macros are still exploited today; the
Dridex banking Trojan that was spreading in late 2014 relies on spam to
deliver Microsoft Word documents containing malicious macro code, which
then downloads Dridex onto the affected system.
JavaScript, widely used in dynamic web content, continues to be used
by attackers. This includes diverting the user’s browser to a malicious
website and silently downloading malware, and hiding malicious code to pass
through basic web filtering.
User error
A computer or system that has been carefully designed and
implemented can minimize the vulnerabilities of exposure to the Internet.
Unfortunately, such efforts can be easily undone (for example by an
inexperienced system administrator who enables vulnerable features, fails to
fix a known flaw, or leaves default passwords unchanged).
More generally, users can be a significant source of vulnerabilities.
They make mistakes, such as choosing a common or easily guessed
password, or leave their laptop or mobile phone unattended. Even the most
cyber aware users can be fooled into giving away their password, installing
malware, or divulging information that may be useful to an attacker (such as
who holds a particular role within an organization, and their schedule). These
details would allow an attacker to target and time an attack appropriately.
Types of Security Vulnerabilities
Security vulnerabilities come in various forms, each posing unique risks
attackers can exploit. Understanding these vulnerabilities is crucial for
maintaining a secure environment. Let’s discuss several different types of
vulnerabilities.
Figure 2.5 Types of vulnerability.

• Unpatched Software: Failing to update software leaves known bugs
attackers can exploit to execute malicious code.
• Misconfigurations: Default settings or unnecessary services can
open doors for unauthorized access.
• Weak Credentials: Easily guessed passwords provide an easy entry
point for attackers.
• Phishing-Prone Users: Users tricked by phishing attacks may
inadvertently expose systems to risks.
• Trust Relationship Exploits: Attackers exploit trusted connections
between systems to spread breaches.
• Compromised Credentials: Stolen credentials enable unauthorized
access to sensitive systems.
• Malicious Insiders: Employees or vendors intentionally misuse their
access to compromise data.
• Poor Encryption: Weak or absent encryption allows attackers to
intercept and steal sensitive information.
Other Vulnerability Examples
• Application Vulnerabilities: Flaws in software due to coding errors,
lack of validation, or outdated components.
• Zero-Day Vulnerabilities: Unknown security flaws are exploited by
attackers before the vendor can issue a fix.
• Ransomware: Attackers exploit various vulnerabilities to deploy
ransomware, encrypting data and demanding payment for decryption
keys.
• Cloud Vulnerabilities: Security gaps in cloud environments due to
misconfigurations or insecure APIs.
• IoT Vulnerabilities: Flaws in connected devices that attackers can
exploit to access networks.
• Supply Chain Vulnerabilities: Security gaps in the supply chain
where attackers insert malicious components.
Difference Between Vulnerabilities, Exploits, and Risk
A vulnerability is a flaw in an asset’s design, implementation,
operation, or management that a threat could exploit. An exploit is the
method used to exploit a vulnerability; a risk is the potential for loss when
that threat occurs.
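Three of the vulnerability types listed above (unpatched software, misconfigurations and weak credentials) are the kind a defender can check for mechanically. The following is an added example (not from the lecture or any scanner): it audits a constructed host inventory record against a constructed advisory table and a small baseline, and reports one finding per vulnerability. The product names, the advisory identifiers, the fixed versions, the list of unnecessary services and the 12-character password rule are all placeholders and assumptions introduced here.

```python
"""Constructed check for three vulnerability types named in the text:
unpatched software, misconfigurations (unnecessary services, vendor-default
passwords) and weak credentials. Runs over an inventory record built inline.
Added example; product names, advisory ids and versions are placeholders."""
import re

# Constructed advisory table: product -> (placeholder advisory id, first fixed version)
ADVISORIES = {
    "acme-web": ("ADV-PLACEHOLDER-001", "2.4.51"),
    "acme-db": ("ADV-PLACEHOLDER-002", "10.6.2"),
}

# Services the (constructed) server baseline says should not be running
UNNECESSARY_SERVICES = {"telnet", "ftp", "debug-console"}

MIN_PASSWORD_LENGTH = 12  # assumed local policy

# Constructed inventory record, as an asset-management export might provide it
SAMPLE_HOST = {
    "hostname": "branch-srv-01",
    "software": {"acme-web": "2.4.49", "acme-db": "10.6.2", "acme-mail": "1.0"},
    "services": ["https", "ssh", "telnet"],
    "accounts": [
        {"name": "admin", "password_is_vendor_default": True, "password_length": 5},
        {"name": "ops", "password_is_vendor_default": False, "password_length": 24},
    ],
}


def parse_version(text):
    """'2.4.49' -> (2, 4, 49); tuple comparison then orders versions correctly."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_unpatched(installed, fixed):
    """True when the installed version is older than the first fixed version."""
    return parse_version(installed) < parse_version(fixed)


def audit(host):
    """Return findings as (category, detail) tuples, one per vulnerability."""
    findings = []
    for product, version in host["software"].items():
        if product in ADVISORIES:
            adv_id, fixed = ADVISORIES[product]
            if is_unpatched(version, fixed):
                findings.append(("Unpatched Software",
                                 f"{product} {version} < {fixed} ({adv_id})"))
    for service in host["services"]:
        if service in UNNECESSARY_SERVICES:
            findings.append(("Misconfiguration",
                             f"unnecessary service enabled: {service}"))
    for account in host["accounts"]:
        if account["password_is_vendor_default"]:
            findings.append(("Misconfiguration",
                             f"vendor default password unchanged: {account['name']}"))
        if account["password_length"] < MIN_PASSWORD_LENGTH:
            findings.append(("Weak Credentials",
                             f"password shorter than {MIN_PASSWORD_LENGTH}: {account['name']}"))
    return findings


def summarize(findings):
    """Count findings per category, for the report."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_HOST)
    for category, detail in results:
        print(f"[{category}] {detail}")
    print(summarize(results))
```

Software not covered by the advisory table (acme-mail here) produces no finding; a real check would also report such gaps in coverage rather than silently treating them as safe.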

Activity 10
Present the different types of vulnerability and explain them in front of the class.

1.16 Summary

Information assurance (IA) is the practice of assuring information and
managing risks related to the use, processing, storage and transmission
of information. Information assurance includes protection of the
integrity, availability, authenticity, non-repudiation and confidentiality of
user data.

Undetected loopholes in the network can lead to unauthorized access,
editing, copying or deleting of valuable information. This is where
information assurance plays a key role.
1.17 Model Exam and Questions
Identify the correct answer. Write on the space provided.
What are the five steps of operational security?
1. __________
2. ___________
3. __________
4. ___________
5. ___________
Security and risk management process that prevents sensitive information
from getting into the wrong hands.
6. ____________
The goal is to steal sensitive data like credit card and login information or to
install malware on the victim’s machine.
7. _____________
Once the attackers interrupt the traffic, they can filter and steal data.
8. _____________
Provide at least two risks of a typical IT infrastructure for the following given.
User Domain
9. ____________________________________________________________
10. ____________________________________________________________
11-20 Draw and illustrate on a clean white coupon bond the Threat Analysis
Model and explain it in front of the class. Each missed or wrong item is
automatically deducted one point.

Multiple Choice: Encircle the best answer.

21. Law enforcement agencies and computer forensics specialists can use
computer forensics to solve computer-related crimes.

a. Criminal investigations
b. The protection of intellectual property
c. Civil litigation
d. Corporate security

22. Computer forensics have become an important national security tool as
cybercrimes continue escalating among nations.

a. Litigation
b. Corporate security
c. National security
d. The protection of intellectual property

23. The first step is identifying the devices or storage media that might
contain data, metadata or other digital artifacts relevant to the
investigation.

a. Reporting
b. Forensic analysis
c. Device identification
d. Data preservation

24. Uncover “hidden” data or metadata others might miss, investigators use
specialized techniques including live analysis.

a. Reporting
b. Device identification
c. Data preservation
d. Forensic analysis

25. Computer forensics first gained prominence in the early _____ with the
invention of the personal computer.

a. 1980s
b. 1890s
c. 8091s
d. 9081s
1.18 Further Readings
1. Abdelouahid Derhab Vehicular Communications Volume 39,
February 2023, 100552

2. Jatinder N. D. Gupta, IAS 1 (2003) superseded SIC-18 Consistency –
Alternative Method.

3. Sushil Sharma IFRIC 17 Distributions of Non-cash Assets to Owners
