INFORMATION SYSTEMS SECURITY

Setting the Scene


Security is one of the oldest problems that governments, commercial organizations and almost every person have to face.

The need for security has existed since information became a valuable resource.

The introduction of computer systems to business has escalated the security problem even more.

The advances in networking, and especially in distributed systems, made the need for security even greater.

The Computer Security Institute report notes that in 2003 computer crime costs increased to more than 450 million dollars in the USA alone.

Profiling Adversaries
Adversaries (enemies) that target corporate systems are numerous.

These can generally be classified into the following categories:

Hackers

Employees (both malicious and unintentional)

Terrorist groups

Governments

Opposing Industries

Security

So now we know that we need security.

BUT what is security anyway?

Many people fail to understand the meaning of the word.

Many corporations install antivirus software and/or a firewall and believe they are protected.

Are they?

Consider some cases:

An internal employee wants revenge on the company and so publishes private corporate information on the internet.

The terrorist attack on the Twin Towers (in the USA) resulted in many corporations closing. Why?

An employee forgets his laptop in a café. This laptop contains all corporate private information.

HOW CAN A FIREWALL PROTECT AGAINST THE PREVIOUS?

What is Information Security?

The protection of information / data and its critical elements, including systems and hardware that use, store, and transmit information, to ensure continual operation of business without interruption.

Characteristics of Computer Intrusion

Any computer system can be a target - Hardware, Software, Storage, Data, People/User

Any system is most vulnerable at its weakest point - A robber intent on stealing from a house will not attempt to penetrate a two-inch-thick metal door if a window gives easier access.

Intrusion - An incident of unauthorized access to data, a computer system or IT equipment.

Principle of Easiest Penetration - An intruder must be expected to use any available means of penetration. Penetration may not necessarily be by the most obvious means, nor via the one we have the most defense against.

This principle implies that computer security specialists must consider all the means of penetration, repeat the penetration analysis, especially whenever the system or its security changes, never underestimate the attacker (think like an attacker), and remember that strengthening one aspect of a system might weaken another.

Vulnerabilities, Threats, Attacks, and Controls

A vulnerability is a weakness in the security system (for example, in procedures, design, or implementation) that might be exploited to cause loss or harm.

A threat to a computing system is a set of circumstances that has the potential to cause loss or harm.

A human who exploits a vulnerability commits an attack on the system.

How do we address these problems?

We use a control as a protective measure. That is, a control is an action, device, procedure, or technique that removes or reduces (mitigates) a vulnerability.

Vulnerabilities, Threats and Attacks

Wall holding back water

Threat is the water to the left of the wall (a threat to the man) - the water could rise and overflow onto the man

Vulnerability is the crack in the wall

If the water rises to or beyond the level of the crack, it will exploit the vulnerability and harm the man.

Threats

We can view any threat as being one of four kinds: interception, interruption, modification, and fabrication.

An interception means that some unauthorized party has gained access to an asset.

In an interruption, an asset of the system becomes lost, unavailable, or unusable.

If an unauthorized party not only accesses but tampers with an asset, the threat is a modification.

Finally, an unauthorized party might create a fabrication of counterfeit objects on a computing system.

Threats to Information Security

Method, Opportunity, and Motive

A malicious attacker must have three things (MOM):

Method: the skills, knowledge, tools, and other things with which to be able to pull off the attack

Opportunity: the time and access to accomplish the attack

Knowledge of systems is widely available

Systems available to the public are accessible to them

Motive: a reason to want to perform this attack against this system

Security Goals

When we talk about computer security, we mean that we are addressing three important aspects of any computer-related system: confidentiality, integrity, and availability (CIA)

Confidentiality ensures that computer-related assets are accessed only by authorized parties.

Reading, viewing, printing, or even knowing their existence

Secrecy or privacy

Integrity means that assets can be modified only by authorized parties or only in authorized ways.

Writing, changing, deleting, creating

Availability means that assets are accessible to authorized parties at appropriate times. For this reason, the opposite of availability is sometimes known as denial of service.

Vulnerabilities of Computing Systems

Hardware Vulnerabilities

Adding devices, changing them, removing them, intercepting the traffic to them, or flooding them with traffic until they can no longer function. (There are many other ways to harm the hardware.)

Software Vulnerabilities

Software can be replaced, changed, or destroyed maliciously, or it can be modified, deleted, or misplaced accidentally. Whether intentional or not, these attacks exploit the software's vulnerabilities.

Vulnerabilities of Computing Systems (Contd.)

Data Vulnerabilities

Data have a definite value, even though that value is often difficult to measure.

Ex1: confidential data leaked to a competitor may narrow a competitive edge

Ex2: flight coordinate data used by an airplane that is guided partly or fully by software can cost human lives if modified

Vulnerabilities of Computing Systems (Contd.)

Principle of Adequate Protection: Computer items must be protected only until they lose their value. They must be protected to a degree consistent with their value.

This principle says that things with a short life can be protected by security measures that are effective only for that short time.

Other Exposed Assets

Networks

Networks are specialized collections of hardware, software, and data.

Can easily multiply the problems of computer security

Insecure shared links

Inability to identify remote users (anonymity)

Key People

People can be crucial weak points in security. If only one person knows how to use or maintain a particular program, trouble can arise if that person is ill, suffers an accident, or leaves the organization (taking her knowledge with her).

Methods of Defense

Prevent it, by blocking the attack or closing the vulnerability

Preventive controls can be as simple as locks and access codes to sensitive areas of a building or passwords for confidential information.

Deter it, by making the attack harder but not impossible

Deflect it, by making another target more attractive (or this one less so)

Example: honeypots

Detect it, either as it happens or some time after the fact

A security camera is an example of a detective control. A store manager who wants to monitor the use of a cash drawer by a particular clerk can easily look at video of the clerk's actions throughout the day to detect potential theft.

An access log file and an alert system can quickly detect and notify management of attempts by employees or outsiders to access unauthorized information or parts of a building.

Recover from its effects (a.k.a. corrective controls)

Back up data so that it can be restored to continue the functioning of the system in the event of a crash.

Methods of Defense
A sample log file (to detect)
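
The detective control described above (an access log file plus an alert system) can be sketched as follows. This is an added example, not part of the original slides; the log format, user names, threshold and time window are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: timestamp, user, resource, result).
SAMPLE_LOG = """\
2024-03-04T09:00:11 user=asmith resource=/hr/handbook.pdf result=GRANTED
2024-03-04T09:01:40 user=jdoe resource=/finance/payroll.xlsx result=DENIED
2024-03-04T09:02:05 user=jdoe resource=/finance/budget.xlsx result=DENIED
2024-03-04T09:03:30 user=unknown resource=door:server-room result=DENIED
2024-03-04T09:04:12 user=jdoe resource=/finance/audit.docx result=DENIED
2024-03-04T11:30:00 user=asmith resource=/finance/payroll.xlsx result=DENIED
this line is malformed and must not stop the monitor
"""

KNOWN_USERS = {"asmith", "jdoe"}   # assumed staff directory
THRESHOLD = 3                      # denied attempts that trigger an alert
WINDOW = timedelta(minutes=10)     # sliding window in which they are counted

def parse_line(line):
    """Return (time, user, resource, result), or None if the line is malformed."""
    parts = line.split()
    try:
        when = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[1:])
        return when, fields["user"], fields["resource"], fields["result"]
    except (IndexError, ValueError, KeyError):
        return None

def detect(log_text):
    """Scan the log and return the alerts that would be sent to management."""
    alerts, recent = [], defaultdict(deque)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[3] != "DENIED":
            continue
        when, user, resource, _ = parsed
        if user not in KNOWN_USERS:          # outsider: alert on the first denial
            alerts.append(f"{when} outsider denied at {resource}")
            continue
        q = recent[user]
        q.append(when)
        while when - q[0] > WINDOW:          # forget attempts outside the window
            q.popleft()
        if len(q) == THRESHOLD:              # alert once, when the threshold is hit
            alerts.append(f"{when} {user}: {THRESHOLD} denied attempts in {WINDOW}")
    return alerts

if __name__ == "__main__":
    print("\n".join(detect(SAMPLE_LOG)))
```

A single denied request by an employee (asmith at 11:30) raises no alert, which keeps the control selective enough not to flag ordinary mistakes.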

Controls Available

Controls attempt to prevent the exploitation of a vulnerability

Computer security has lots of controls

Simple or difficult

Inexpensive or expensive

Types of Control

1) Encryption - formal name for the scrambling process

Deals with confidentiality and integrity

Cleartext

Ciphertext

Protocols

Controls Available (Contd.)

2) Software Controls

Programs must be secure to prevent attacks

Program Controls:

Internal Program Controls - parts of the program that enforce security restrictions, such as access limitations in a database management program

Operating System and Network System Controls - limitations enforced by the operating system or network to protect each user from all other users

Independent Control Programs - application programs, such as password checkers, intrusion detection utilities, or virus scanners, that protect against certain types of vulnerabilities

Development Controls - quality standards under which a program is designed, coded, tested, and maintained to prevent software faults from becoming exploitable vulnerabilities

3) Hardware Controls - Numerous hardware devices have been created to assist in providing computer security

Smart card implementations, locks, devices to verify user ID, firewalls, intrusion detection systems, circuitry controls that control access to storage media

Controls Available (Contd.)

4) Policies and Procedures

Sometimes, we can rely on agreed-on procedures or policies among users rather than enforcing security through hardware or software means, such as a company email use policy and internet use policy.

Must be written, and training should be provided

5) Physical Controls

Locks on doors, guards at entry points, backup copies of important software and data, and physical site planning that reduces the risk of natural disasters.

Effectiveness of Controls depends on...

Awareness of Problem

People using controls must be convinced of the need for security. People will willingly cooperate with security requirements only if they understand why security is appropriate in a given situation.

Effectiveness of Controls depends on... (Contd.)

Likelihood of Use

Of course, no control is effective unless it is used.

Principle of Effectiveness: Controls must be used and used properly to be effective. They must be efficient, easy to use, and appropriate.

This principle implies that computer security controls must be efficient enough, in terms of time, memory space, human activity, or other resources used, that using the control does not seriously affect the task being protected. Controls should be selective so that they do not exclude legitimate accesses.

Effectiveness of Controls depends on... (Contd.)

Overlapping Controls (layered defense)

Several different controls may apply to address a single vulnerability (good)

Periodic Review

Just when the security specialist finds a way to secure assets against certain kinds of attacks, the opposition doubles its efforts in an attempt to defeat the security mechanisms. Thus, judging the effectiveness of a control is an ongoing task.

Social Engineering

The act of obtaining or attempting to obtain secure data by deceiving an individual into revealing secure information.

Social engineering is successful because its victims inherently want to trust other people and are naturally helpful.

The victims of social engineering are tricked into releasing information that they do not realize will be used to attack a computer network.

For example, an employee in an enterprise may be tricked into revealing a coworker's personal information, such as employee number, address, contact numbers or salary, to someone who is pretending to be somebody who represents or is known to the coworker.

Social Engineering....

People are the Weakest Link

Security can be no stronger than its weakest link.

Often the weakest link in security is not technology, but the people who use it.

An IT network may be protected by firewalls, intrusion detection and other state-of-the-art security technologies. And yet, all it takes is one person's intentional or unintentional (careless) activity and suddenly the entire network security, or information security as a whole, could be at risk.

Therefore, security professionals and management must not overlook the weakest link in security systems, that being the human factor.

It is easy to become overly confident solely in the use of advanced algorithms and technology. But history shows that reliance on an advanced technology is lost if the people operating the system are not fully trained and managed.

People are the Weakest Link


A US company carried out an experiment. It scattered unauthorized
USB drives and disks in the car parks of US government agencies.
Some 60% of workers who found these devices plugged them into their
office computers. This percentage rose to 90% when an official logo
was printed on the device.
All of these agencies had policies strictly forbidding the unauthorized
introduction of USBs, but the employees plugged them in anyway.

People are the Weakest Link

Other Examples

By using what's known as social engineering, hackers exploit unsuspecting people who in good faith open up their doors to unwanted strangers, such as by giving away passwords

Writing passwords down on sticky notes attached to the computer's monitor, or on whiteboards nearby, because they find it difficult to remember passwords

Leaving PCs unlocked while out at lunch

Leaving laptop computers / USB drives containing confidential information unsecured or unattended in public places
