Department of Computer Science and Engineering
Anjalai Ammal-Mahalingam Engineering College
Kovilvenni-614 403
IT8073 - INFORMATION SECURITY
IT8073 INFORMATION SECURITY    L T P C: 3 0 0 3
OBJECTIVES:
• To understand the basics of Information Security
• To know the legal, ethical and professional issues in Information Security
• To know the aspects of risk management
• To become aware of various standards in this area
• To know the technological aspects of Information Security
UNIT I INTRODUCTION (9 periods)
History, What is Information Security?, Critical Characteristics of Information, NSTISSC
Security Model, Components of an Information System, Securing the Components, Balancing
Security and Access, The SDLC, The Security SDLC
UNIT II SECURITY INVESTIGATION (9 periods)
Need for Security, Business Needs, Threats, Attacks, Legal, Ethical and Professional Issues - An
Overview of Computer Security - Access Control Matrix, Policy-Security policies,
Confidentiality policies, Integrity policies and Hybrid policies
UNIT III SECURITY ANALYSIS (9 periods)
Risk Management: Identifying and Assessing Risk, Assessing and Controlling Risk - Systems:
Access Control Mechanisms, Information Flow and Confinement Problem
UNIT IV LOGICAL DESIGN (9 periods)
Blueprint for Security, Information Security Policy, Standards and Practices, ISO 17799/BS
7799, NIST Models, VISA International Security Model, Design of Security Architecture,
Planning for Continuity
UNIT V PHYSICAL DESIGN (9 periods)
Security Technology, IDS, Scanning and Analysis Tools, Cryptography, Access Control
Devices, Physical Security, Security and Personnel
TOTAL: 45 PERIODS
Information Security – Unit-I Page 1
OUTCOMES: At the end of this course, the students should be able to:
• Discuss the basics of information security
• Illustrate the legal, ethical and professional issues in information security
• Demonstrate the aspects of risk management.
• Become aware of various standards in the Information Security System
• Design and implement security techniques.
TEXT BOOKS:
1. Michael E. Whitman and Herbert J. Mattord, "Principles of Information Security", Vikas
Publishing House, New Delhi, 2003.
REFERENCES
1. Micki Krause, Harold F. Tipton, "Handbook of Information Security Management", Vol. 1-3,
CRC Press LLC, 2004.
2. Stuart McClure, Joel Scambray, George Kurtz, "Hacking Exposed", Tata McGraw-Hill,
2003.
3. Matt Bishop, "Computer Security Art and Science", Pearson/PHI, 2002.
Unit - I
History, What is Information Security?, Critical Characteristics of Information, NSTISSC
Security Model, Components of an Information System, Securing the Components, Balancing
Security and Access, The SDLC, The Security SDLC.
1.1 What is Information Security?
James Anderson, executive consultant at Emagined Security, Inc., believes information security
is a “well-informed sense of assurance that the information risks and controls are in balance.”
• The processes and tools designed and deployed to protect sensitive business information
from modification, disruption, destruction, and inspection.
1.2 The History Of Information Security
• The history of information security begins with computer security.
• The need for computer security—that is, the need to secure physical locations, hardware,
and software from threats—arose during World War II, when the first mainframes, developed
to aid computations for communication code breaking, were put to use.
• Earlier versions of the German code machine Enigma were first broken by the Poles in
the 1930s. The British and Americans managed to break later, more complex versions during
World War II.
• Multiple levels of security were implemented to protect these mainframes and maintain
the integrity of their data.
• Access to sensitive military locations, for example, was controlled by means of badges,
keys, and the facial recognition of authorized personnel by security guards.
[History timeline figure: 2000 to Present]
1.3 Critical Characteristics of Information
Security: security is “the quality or state of being secure, to be free from danger.”
In other words, protection against adversaries, from those who would do harm,
intentionally or otherwise, is the objective.
Multiple layers of security are in place to protect an organization's operations:
Physical security
Communications security
Personnel security
Network security
Operations security
Information security
CIA Triangle:
The Committee on National Security Systems (CNSS) defines information security
as the protection of information and its critical elements, including the systems and
hardware that use, store, and transmit that information.
The CNSS model of information security evolved from a concept developed by the computer
security industry called the C.I.A. triangle.
• The C.I.A. triangle has been the industry standard for computer security since the
development of the mainframe.
• It is based on the three characteristics of information that give it value to organizations:
❑Confidentiality
❑Integrity and
❑Availability
• The security of these three characteristics of information is as important today as it has
always been, but the C.I.A. triangle model no longer adequately addresses the constantly
changing environment.
Key Information Security Concepts
1. Access
2. Asset
3. Attack
4. Control, safeguard, or countermeasure
5. Exploit
6. Exposure
7. Loss
8. Protection profile or security posture
9. Risk
10. Subjects and objects
11. Threat
12. Threat agent
13. Vulnerability
Access - Authorized users have legal access to a system, whereas hackers have illegal access to a
system. Access controls regulate this ability.
Asset - The organizational resource that is being protected. An asset can be logical, such as a
Web site, information, or data; or an asset can be physical, such as a person or a computer system.
Attack - An intentional or unintentional act that can cause damage to or otherwise compromise
information and/or the systems that support it. Attacks can be active or passive, intentional or
unintentional, and direct or indirect.
Control, safeguard, or countermeasure
Security mechanisms, policies, or procedures that can successfully counter attacks,
reduce risk, and resolve vulnerabilities, thereby improving security within an organization.
Exploit
Threat agents may attempt to exploit a system or other information asset by using it
illegally for their personal gain.
Exposure
A condition or state of being exposed. In information security, exposure exists when a
vulnerability known to an attacker is present.
Loss
A single instance of an information asset suffering damage or unintended or unauthorized
modification or disclosure.
Protection profile or security posture
The entire set of controls and safeguards, including policy, education, training and
awareness, and technology, that the organization implements (or fails to implement) to protect
the asset.
Risk
The probability that something unwanted will happen.
Threat
A category of objects, persons, or other entities that presents a danger to an asset.
The value of information comes from the characteristics it possesses. When a characteristic of
information changes, the value of that information either increases, or, more commonly,
decreases. Some characteristics affect information’s value to users more than others do. This can
depend on circumstances.
The expanded C.I.A. Triangle
Each critical characteristic of information is defined below.
Availability
Accuracy
Authenticity
Confidentiality
Integrity
Utility
Possession
1. Availability:
Availability enables authorized users, persons, or computer systems to access information
without interference or obstruction and to receive it in the required format.
2. Accuracy:
Information has accuracy when it is free from mistakes or errors and it has the value that
the end user expects. If information has been intentionally or unintentionally modified, it is no
longer accurate.
3. Authenticity:
Authenticity of information is the quality or state of being genuine or original, rather than
a reproduction or fabrication. Information is authentic when it is in the same state in which it was
created, placed, stored, or transferred. For example, e-mail spoofing, the act of sending an e-mail
message with a modified field, is a problem for many people today.
4. Utility:
The utility of information is the quality or state of having value for some purpose or end.
Information has value when it can serve a purpose. If information is available, but is not in a
format meaningful to the end user, it is not useful.
5. Confidentiality:
Information has confidentiality when it is protected from disclosure or exposure to
unauthorized individuals or systems. Confidentiality ensures that only those with the rights and
privileges to access information are able to do so. When unauthorized individuals or systems can
view information, confidentiality is breached. To protect the confidentiality of information, you
can use a number of measures, including the following:
– Information classification
– Secure document storage
– Application of general security policies
– Education of information custodians and end users
6. Integrity:
Information has integrity when it is whole, complete, and uncorrupted. The integrity of
information is threatened when the information is exposed to corruption. Many computer viruses
and worms are designed with the explicit purpose of corrupting data. For this reason, a key
method for detecting a virus or worm is to look for changes in file integrity, as shown by the size
of the file.
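The notes tie integrity checking to file size. The following added example (written for this page, not taken from the notes or the textbook) goes one step further: it records a baseline of size and SHA-256 for every file under a directory and then reports additions, deletions and modifications, which shows that a change that keeps the file size the same is caught by the hash but would be missed by a size-only check. The directory and its files are constructed inside the script.

```python
"""File integrity monitoring: record a baseline, then compare against it."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Hash a file in chunks so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Return {relative_path: (size_in_bytes, sha256_hex)} for every regular file."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            baseline[rel] = (path.stat().st_size, sha256_file(path))
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify the differences between two snapshots.

    'modified' lists files whose hash changed; 'size_changed' is the subset whose
    size also changed, i.e. the only modifications a size-only check would notice.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    common = set(baseline) & set(current)
    modified = sorted(p for p in common if baseline[p][1] != current[p][1])
    size_changed = sorted(p for p in modified if baseline[p][0] != current[p][0])
    return {"added": added, "removed": removed,
            "modified": modified, "size_changed": size_changed}


def demo() -> dict:
    """Constructed scenario: baseline, then a same-size tamper, a new file, a deletion."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config.ini").write_bytes(b"debug=0\n")     # constructed sample files
        (root / "notes.txt").write_bytes(b"hello world\n")
        baseline = snapshot(root)

        # Same-size modification (8 bytes before and after): invisible to a size check.
        (root / "config.ini").write_bytes(b"debug=1\n")
        # An unexpected file appears and a known file disappears.
        (root / "unexpected.bin").write_bytes(b"\x00" * 16)
        (root / "notes.txt").unlink()

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:>12}: {files}")
```

In production the baseline would be stored somewhere the monitored host cannot silently rewrite (for example, signed or on a separate system), otherwise an intruder who alters a file can alter its recorded hash as well.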
7. Possession :
The possession of information is the quality or state of ownership or control. Information
is said to be in one’s possession if one obtains it, independent of format or other characteristics.
1.4 NSTISSC Security Model (CNSS Security Model) (McCumber Cube)
NSTISSC stands for National Security Telecommunications and Information Systems Security Committee.
It is now called the National Training Standard for Information Security Professionals.
The NSTISSC Security Model provides a more detailed perspective on security.
While the NSTISSC model covers the three dimensions of information security, it omits
discussion of detailed guidelines and policies that direct the implementation of controls.
Three dimensions:
1. Confidentiality, integrity, and availability (CIA triangle)
2. Policy, education, and technology
3. Storage, processing, and transmission
It describes a comprehensive information security model, which has been a widely accepted
evaluation standard for the security of information systems. The model, created by John McCumber in
1991, provides a graphical representation of the architectural approach widely used in computer
and information security. It is now known as the McCumber Cube.
The McCumber Cube in the figure shows three dimensions. If extrapolated, the three dimensions of
each axis become a 3 × 3 × 3 cube with 27 cells, each representing an area that must be secured in
today’s information systems.
To ensure system security, each of the 27 areas must be properly addressed during the security
process. For example, the intersection between technology, integrity, and storage requires a
control or safeguard that addresses the need to use technology to protect the integrity of
information while in storage.
One such control might be a system for detecting host intrusion that protects the integrity
of information by alerting the security administrators to the potential modification of a critical
file.
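The 27 cells are easiest to reason about when they are enumerated. The following added example (not from the notes or the textbook) builds the cube, tags each control in a constructed control inventory with the characteristics, states and measures it addresses, and lists the cells that no control covers; the host intrusion detection entry is the (technology, integrity, storage) control the notes describe. The inventory, its names and its tags are hypothetical.

```python
"""McCumber Cube coverage check: which of the 27 cells does a control set leave open?"""
from itertools import product

CHARACTERISTICS = ("confidentiality", "integrity", "availability")
STATES = ("storage", "processing", "transmission")
MEASURES = ("technology", "policy", "education")
ALL_CELLS = frozenset(product(CHARACTERISTICS, STATES, MEASURES))  # 3 x 3 x 3 = 27
ALL = "*"  # shorthand meaning "every value on this axis"


def _expand(values, axis):
    """Turn a tag list (or "*") into concrete axis values, rejecting misspelled tags."""
    if values == ALL:
        return axis
    bad = [v for v in values if v not in axis]
    if bad:
        raise ValueError(f"unknown value(s) {bad}; expected one of {axis}")
    return tuple(values)


def cells_for(control: dict) -> set:
    """All (characteristic, state, measure) cells that one control addresses."""
    return set(product(
        _expand(control["characteristics"], CHARACTERISTICS),
        _expand(control["states"], STATES),
        _expand(control["measures"], MEASURES),
    ))


def coverage(controls) -> dict:
    """Map each of the 27 cells to the names of the controls that cover it."""
    covered = {cell: [] for cell in sorted(ALL_CELLS)}
    for control in controls:
        for cell in cells_for(control):
            covered[cell].append(control["name"])
    return covered


def uncovered(controls) -> list:
    """Cells no control addresses: the gaps a security review would follow up."""
    return sorted(cell for cell, names in coverage(controls).items() if not names)


# Constructed control inventory (hypothetical; not from the notes).
SAMPLE_CONTROLS = [
    {"name": "Host intrusion detection (alerts on critical-file changes)",
     "characteristics": ["integrity"], "states": ["storage"],
     "measures": ["technology"]},
    {"name": "TLS on all external links",
     "characteristics": ["confidentiality", "integrity"],
     "states": ["transmission"], "measures": ["technology"]},
    {"name": "Nightly off-site backups",
     "characteristics": ["availability"], "states": ["storage"],
     "measures": ["technology"]},
    {"name": "Acceptable-use and data-handling policy",
     "characteristics": ALL, "states": ALL, "measures": ["policy"]},
    {"name": "Annual security awareness training",
     "characteristics": ["confidentiality", "integrity"], "states": ALL,
     "measures": ["education"]},
]

if __name__ == "__main__":
    gaps = uncovered(SAMPLE_CONTROLS)
    print(f"{len(ALL_CELLS) - len(gaps)} of {len(ALL_CELLS)} cells covered")
    for cell in gaps:
        print("  gap:", " / ".join(cell))
```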
1.5 Components of an Information System
• An information system (IS) is the entire set of software, hardware, data, people,
procedures, and networks that make it possible to use information resources in the
organization.
• These six critical components enable information to be input, processed, output, and
stored.
• Information system (IS) is entire set of components necessary to use information as a
resource in the organization.
1. Software
2. Hardware
3. Data
4. People
5. Procedures
6. Networks
1. Software
• The software components of Information System (IS) comprise applications, operating
systems, and assorted command utilities.
• Software is perhaps the most difficult IS component to secure.
• The exploitation of errors in software programming accounts for a substantial portion of
the attacks on information.
• Software programs carry the lifeblood of information through an organization.
• Software is often created under the demanding constraints of project management, which
limit time, cost, and manpower.
2. Hardware
• Hardware is the physical technology that executes the software, stores and carries the data,
and provides interfaces for the entry and removal of information from the system.
• Physical security policies deal with hardware as a physical asset and with the protection
of these physical assets from harm or theft.
• Applying the traditional tools of physical security, such as locks and keys, restricts
access to and interaction with the hardware components of any information system.
• Securing the physical location of computers and the computers themselves is important
because a breach of physical security can result in a loss of information.
3. Data
• Data stored, processed, and transmitted through a computer system must be protected.
• Data is often the most valuable asset possessed by an organization and is the main target
of intentional attacks.
• The raw, unorganized, isolated potentially useful facts and figures that are later processed
and manipulated to produce information.
4. People
• Though often overlooked in computer security considerations, people have always been a
threat to information security.
• People can be the weakest link in an organization’s information security program.
• And unless policy, education and training, awareness, and technology are properly
employed to prevent people from accidentally or intentionally damaging or losing
information, they will remain the weakest link.
• There are many roles for people in information systems. Common ones include:
• System Analyst
• Programmer
• Technician
• Engineer
• Network manager
• MIS (Manager of Information Systems)
• Data Entry Operator
5. Procedures
• Procedures are written instructions for accomplishing a specific task.
• When an unauthorized user obtains an organization’s procedures, this poses a threat to
the integrity of the information.
• A procedure is a series of documented actions taken to achieve something.
• A procedure is more than a single simple task.
• A procedure can be quite complex and involved, such as performing a backup, shutting
down a system, patching software.
For example, a consultant to a bank learned how to wire funds by using the computer center’s
procedures.
6. Networks
• When information systems are connected to form local area networks (LANs), and
these LANs are connected to other networks such as the Internet, new security challenges
rapidly emerge.
• Applying the traditional tools of physical security, such as locks and keys, to restrict
access to and interaction with the hardware components of an information system is still
important; but when computer systems are networked, this approach is no longer enough.
• Steps to provide network security are essential, as is the implementation of alarm and
intrusion systems to make system owners aware of ongoing compromises.
1.6 Securing the Components
• Protecting the components from potential misuse and abuse by unauthorized users.
Subject of an attack:
• The computer is used as an active tool to conduct the attack.
Object of an attack:
• The computer itself is the entity being attacked.
Two types of attacks:
1. Direct attack
2. Indirect attack
1. Direct attack
• When a hacker uses his personal computer to break into a system. [Originates from the
threat itself.]
2. Indirect attack
• When a system is compromised and used to attack other systems. [A system that itself has
been attacked, and is malfunctioning or working under the control of a threat.]
• A computer can, therefore, be both the subject and object of an attack.
• (eg): It is first the object of an attack and then compromised and used to attack other
systems, at which point it becomes the subject of an attack.
1.7 Balancing Security and Access
• Security must be provided while the information remains accessible for its intended
application.
• Information security cannot be an absolute: it is a process, not a goal.
• It should balance protection and availability.
• An imbalance can occur when the needs of end users are sacrificed to a heavy focus on
protecting and administering the information systems.
• Both information security technologists and end users must recognize they have the same
goal: to ensure the data is available when, where, and how it is needed, with minimal
delays or obstacles.
Approaches to Information Security Implementation
• Securing information assets is in fact an incremental process that requires coordination,
time, and patience.
Bottom-up approach:
• Information security can begin as a grassroots effort in which systems administrators
attempt to improve the security of their systems.
• The key advantage of the bottom-up approach is the technical expertise of the individual
administrators.
• Working with information systems on a day-to-day basis, these administrators possess in-
depth knowledge that can greatly enhance the development of an information security
system.
• They know and understand the threats to their systems and the mechanisms needed to
protect them successfully.
• However, it lacks a number of critical features, such as participant support and
organizational staying power.
Top-down approach:
• The project is initiated by upper-level managers who issue policies, procedures and processes,
dictate the goals and expected outcomes of the project, and determine who is accountable for
each of the required actions.
• This approach has a higher probability of success.
• The most successful kind of top-down approach also involves a formal development
strategy referred to as a systems development life cycle.
1.8 The SDLC (The Systems Development Life Cycle)
• SDLC – is a methodology for the design and implementation of an information system in
an organization.
• A methodology is a formal approach to solving a problem based on a structured sequence
of procedures.
• The traditional SDLC consists of six general phases.
• SDLC models range from having three to twelve phases, all of which have been mapped
into the six presented here.
• 6 phases:
1. Investigation
2. Analysis
3. Logical Design
4. Physical design
5. Implementation
6. Maintenance and change
The waterfall model pictured in the figure illustrates that each phase begins with the results and
information gained from the previous phase.
• At the end of each phase comes a structured review or reality check, during which the
team determines if the project should be
– continued,
– discontinued,
– outsourced,
– postponed,
– returned to an earlier phase, depending on whether the project is proceeding as expected
and whether it needs additional expertise, organizational knowledge, or other resources.
• Once the system is implemented, it is maintained (and modified) over the remainder of its
operational life.
1. Investigation
• It is the most important phase, and it begins with an examination of the event or plan that
initiates the process.
• During the phase, the objectives, constraints, and scope of the project are specified.
• At the end of this phase, a feasibility analysis is performed, which assesses the economic,
technical and behavioral feasibilities of the process and ensures that implementation is
worth the organization’s time and effort.
2. Analysis
• It begins with the information gained during the investigation phase.
• It consists of assessments of the organization, the status of current systems, and the
capability to support the proposed systems.
• Analysts begin by determining what the new system is expected to do, and how it will
interact with existing systems.
3. Logical Design
• In this phase, the information gained from the analysis phase is used to begin creating a
systems solution for the business problem.
• Based on business needs, applications are selected that can provide needed services.
• Based on the applications needed, data support and structures capable of providing the
needed inputs are then chosen.
• In this phase, analysts generate several alternative solutions, each with corresponding
strengths and weaknesses, and cost and benefits.
• At the end of this phase, another feasibility analysis is performed.
4. Physical design
• In this phase, specific technologies are selected to support the solutions developed in the
logical design.
• The selected components are evaluated based on a make or buy decision.
• The final design integrates various components and technologies.
5. Implementation
• In this phase, any needed software is created. Components are ordered, received and
tested afterwards; users are trained and supporting documentation created.
• Once all the components are tested individually, they are installed and tested as a system.
• Again, a feasibility analysis is prepared, and the sponsors are then presented with the
system for a performance review and acceptance test.
6. Maintenance and change
• It is the longest and most expensive phase of the process.
• It consists of the tasks necessary to support and modify the system for the remainder of
its useful life cycle.
• Periodically, the system is tested for compliance with business needs.
• Upgrades, updates, and patches are managed.
• As the needs of the organization change, the systems that support the organization must
also change.
• When a current system can no longer support the organization, the project is terminated,
and a new project is implemented.
1.9 The Security SDLC
• The same phases used in the traditional SDLC can be adapted to support the
implementation of an information security project.
Sec SDLC Phases
1. Investigation
• This phase begins with a directive from upper management, dictating the process,
outcomes, and goals of the project, as well as its budget and other constraints.
• Frequently, this phase begins with an enterprise information security policy, which
outlines the implementation of a security program within the organization.
• Teams of responsible managers, employees, and contractors are organized.
• Problems are analyzed.
• Scope of the project, as well as specific goals and objectives, and any additional
constraints not covered in the program policy, are defined.
• Finally, an organizational feasibility analysis is performed to determine whether the
organization has the resources and commitment necessary to conduct a successful
security analysis and design.
2. Analysis
• In this phase, the documents from the investigation phase are studied.
• The development team conducts a preliminary analysis of existing security policies or
programs, along with documented current threats and associated controls.
• The risk management task also begins in this phase.
Risk management
• It is the process of identifying, assessing, and evaluating the levels of risk facing the
organization, specifically the threats to the organization’s security and to the information
stored and processed by the organization.
3. Logical design
• This phase creates and develops the blueprints for information security, and examines
and implements key policies.
• The team plans the incident response actions.
• The team plans the business response to disaster.
• The team determines the feasibility of continuing or outsourcing the project.
4. Physical design
• In this phase, the information security technology needed to support the blueprint
outlined in the logical design is evaluated.
• Alternative solutions are generated.
• Designs for physical security measures to support the proposed technological solutions
are created.
• At the end of this phase, a feasibility study should determine the readiness of the
organization for the proposed project.
• At this phase, all parties involved have a chance to approve the project before
implementation begins.
5. Implementation
• This phase is similar to the implementation phase of the traditional SDLC.
• The security solutions are acquired (made or bought), tested, implemented, and tested
again.
• Personnel issues are evaluated and specific training and education programs are
conducted.
• Finally, the entire tested package is presented to upper management for final approval.
6. Maintenance and change
• Constant monitoring, testing, modification, updating, and repairing to meet changing
threats are performed in this phase.
Security Professionals and the organization
Senior management
• The Chief Information Officer (CIO) is responsible for the
– assessment,
– management,
– and implementation of information security in the organization.
Information Security Project Team
Champion - Promotes the project and ensures its support, both financially and administratively.
Team Lead - Understands project management and personnel management.
Security policy developers - Individuals who understand the organizational culture and the
requirements for developing and implementing successful policies.
Risk assessment specialists - Individuals who understand financial risk and the value of
organizational assets.
Security professionals - Trained and well-educated specialists in all aspects of information
security.
System administrators - Administer the systems that house the information used by the
organization.
End users - An end user is someone who accesses computer systems and applications for the
purpose of doing their job.
Data Owners
• Responsible for the security and use of a particular set of information.
• Determine the level of data classification
• Work with subordinate managers to oversee the day-to-day administration of the data.
Data Custodians
• Responsible for the storage, maintenance, and protection of the information.
• Overseeing data storage and backups.
• Implementing the specific procedures and policies.
Data Users (End users)
• Work with the information to perform their daily jobs supporting the mission of the
organization.
• Everyone in the organization is responsible for the security of data, so data users are
included here as individuals with an information security role.
Key Terms in Information Security Terminology
Asset
• An asset is the organizational resource that is being protected.
• An asset can be logical, such as a Web site, information, or data.
• An asset can be physical, such as a person or a computer system.
Attack
• An attack is an intentional or unintentional attempt to cause damage to or otherwise
compromise the information and /or the systems that support it.
• If someone casually reads sensitive information not intended for his use, this is
considered a passive attack.
• If a hacker attempts to break into an information system, the attack is considered active.
Risk
• Risk is the probability that something can happen. In information security, it could be the
probability of a threat to a system.
Security Blueprint
• It is the plan for the implementation of new security measures in the organization.
• Sometimes called a framework, the blueprint presents an organized approach to the
security planning process.
Security Model
• A security model is a collection of specific security rules that represents the
implementation of a security policy.
Threats
• A threat is a category of objects, persons, or other entities that pose a potential danger to
an asset.
• Threats are always present. Some threats manifest themselves in accidental occurrences,
while others are purposeful.
• For example, all hackers represent potential danger or threat to an unprotected
information system. Severe storms are also a threat to buildings and their contents.
Threat agent
• A threat agent is the specific instance or component of a threat.
• For example, you can think of all hackers in the world as a collective threat, and Kevin
Mitnick, who was convicted for hacking into phone systems, as a specific threat agent.
• Likewise, a specific lightning strike, hailstorm, or tornado is a threat agent that is part of
the threat of severe storms.
Vulnerability
• Weaknesses or faults in a system or protection mechanism that expose information to
attack or damage are known as vulnerabilities.
• Vulnerabilities that have been examined, documented, and published are referred to as
well-known vulnerabilities.
Exposure
• The exposure of an information system is a single instance when the system is open to
damage.
• Vulnerabilities can cause an exposure to potential damage or attack from a threat.
• Total exposure is the degree to which an organization’s assets are at risk of attack from a
threat.