
UNIT - I

History, What is Information Security?, Critical Characteristics of Information, NSTISSC
Security Model, Components of an Information System, Securing the Components, Balancing
Security and Access, The SDLC, The Security SDLC.
Important Questions

PART A
1. Define information security. (Pg. 1)
2. List the critical characteristics of information. (Pg. 3)
3. Explain the phases of the SDLC and how they are refined to include security. (Pg. 9)
4. Explain the approaches to information security implementation. (Pg. 8)
5. What are the multiple layers of security? (Pg. 2)
6. What are the subject and object of an attack? (Pg. 6)
7. The CIA triangle. (Pg. 12)
8. How does an exploit differ from a vulnerability? (Pg. 12)

PART B
1. Various components of an information system. (Pg. 5)
2. Components of the System Development Life Cycle (SDLC) with a neat sketch. (Pg. 8)
3. Critical Characteristics of Information. (Pg. 3)
4. NSTISSC Security Model. (Pg. 5)
5. Balancing Security and Access. (Pg. 7)

What Is Information Security?


Information security in today's enterprise is a well-informed sense of assurance that the
information risks and controls are in balance. - Jim Anderson, Inovant (2002).
The History of Information Security
Computer security began immediately after the first mainframes were developed.
Physical controls were needed to limit access to sensitive military locations to authorized
personnel.
The 1960s
The Department of Defense's Advanced Research Projects Agency (ARPA) began examining the
feasibility of redundant, networked communications.
The 1970s and 80s
ARPANET grew in popularity, as did its potential for misuse.

R-609: The Start of the Study of Computer Security
The US DoD formed a task force in 1967 which discussed the sharing of resources. It
focused on securing classified information systems.
MULTICS: Multiplexed Information and Computing Service
It is an operating system (now obsolete), the first and only OS created with security as its
primary goal. It was a mainframe, time-sharing OS developed in the mid 1960s as a joint venture
by General Electric, Bell Labs and MIT.
The 1990s
The Internet was originally used as a domain by government, academia and dedicated industry
professionals; it was made more available to the general public in the 1990s.
The Present
The Internet has brought millions of computer networks into communication with each other,
many of them unsecured.
The ability to secure each computer is now influenced by the security of every computer to
which it is connected.
What Is Security?
The quality or state of being secure: to be free from danger, to be protected from
adversaries.
A successful organization should have multiple layers of security in place:
* Physical security
* Personal security
* Operations security
* Communications security
* Network security

Physical Security addresses the issues necessary to protect the physical items, objects or areas of
an organization from unauthorized access and misuse.
Personal Security involves the protection of the individual or group of individuals who are
authorized to access the organization's information and its operations.
Operations Security focuses on the protection of the details of a particular operation or series of
activities.
Communications Security includes the protection of an organization's communications
media, technology and content.
Network Security involves the protection of networking components, connections and
contents.

What Is Information Security?

The protection of information and its critical elements, including the systems and hardware
that use, store, and transmit that information.
Tools such as policy, awareness, training, education, and technology are necessary.
Information security includes the broad areas of information security management, computer
and data security and network security.
The NSTISSC (National Security Telecommunications and Information Systems Security
Committee) model for information security evolved from a standard developed by the computer
security industry known as the CIA triangle.
The C.I.A. triangle was the standard based on confidentiality, integrity, and availability. The
C.I.A. triangle has expanded into a list of critical characteristics of information. The CIA
triangle model no longer adequately addresses the constantly changing environment of the
computer industry.
Such evolving threats include accidental or intentional damage, destruction, theft, unintended or
unauthorized modification, or other misuse from human or non-human threats.
Because of these evolving threats, a more robust intellectual model that addresses the
complexities of the current information security environment should be developed.

Critical Characteristics of Information

The value of information comes from the characteristics it possesses. If a characteristic of the
information changes, its value may either increase or decrease. Timeliness of information is
usually a critical factor, as the information would lose its value if delivered late.
The following are the critical characteristics of information:
* Availability
* Accuracy
* Authenticity
* Confidentiality
* Integrity
* Utility
* Possession

Availability: Enables authorized users (persons or computer systems) to access information
without interference or obstruction and to receive it in the required format.
E.g., entry into a research library may require identification before entering. Access is
provided only to authorized patrons. Once authorized, patrons have access to information in
their required format, familiar language, etc.
Accuracy: Information that is free from mistakes or errors and possesses the value expected by
the end user is said to be accurate. If the information contains a value different from the user's
expectations, due to intentional or unintentional modification of its contents, it is inaccurate.
For e.g., in a user's bank account, if the bank teller mistakenly adds or subtracts an amount, the
value of the information will change. A wrong amount entered accidentally by the user will also
show wrong information. Such mistakes could lead to cheques bouncing, etc.
Authenticity: It is the quality or state of being genuine or original, rather than a reproduction or
fabrication. Authentic information is information that is in the state in which it was originally
created, placed, stored or transferred.
Email spoofing is an attack through which the attacker spoofs the originator's address. This makes
the recipient open the mail, thinking the spoofed address to be legitimate traffic.
Confidentiality: Information is said to be confidential when disclosure or exposure to
unauthorized individuals or systems is prevented. Only those with the rights and privileges are
able to access the information.
For e.g., confidential information could be mistakenly emailed to an outsider rather than someone
inside the organization. Confidential information may also be given away by users when they fill
out an online survey and give out pieces of their personal history in exchange for access to online
privileges.

Integrity: Information has integrity when it is whole, complete and uncorrupted. Integrity is said
to be compromised when information is corrupted, damaged, destroyed or disrupted from its
authentic state.
Viruses and worms affect file integrity during storage or transmission. Such file corruption can
be detected by keeping a watch on the file's size.
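The following added example (written for these notes, not taken from them) shows the integrity check the paragraph describes and goes one step further: it records a file's size, as the notes suggest, and also a SHA-256 digest, because an edit that keeps the length unchanged is invisible to a size watch but not to a hash comparison. The file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

CHUNK = 65536


def fingerprint(path):
    """Record both the size and a SHA-256 digest of a file.
    Size alone (the check the notes describe) misses edits that keep the
    length the same; the digest catches those as well."""
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
            size += len(chunk)
    return {"size": size, "sha256": digest.hexdigest()}


def build_baseline(paths):
    """Take the known-good fingerprints that later checks compare against."""
    return {path: fingerprint(path) for path in paths}


def check_integrity(baseline):
    """Compare each baselined file with its current state and classify the result."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
            continue
        current = fingerprint(path)
        if current == expected:
            findings[path] = "ok"
        elif current["size"] != expected["size"]:
            findings[path] = "size changed"  # a size watch alone would catch this
        else:
            findings[path] = "content changed, size unchanged"  # only the hash catches this
    return findings


def demo():
    """Constructed scenario: four files, three disturbed in different ways after
    the baseline is taken. Returns findings keyed by file name."""
    workdir = tempfile.mkdtemp(prefix="integrity-demo-")
    files = {
        "ledger.txt": b"balance=100\n",
        "policy.txt": b"retain logs for 90 days\n",
        "notes.txt": b"unchanged\n",
        "readme.txt": b"left alone\n",
    }
    paths = {}
    for name, content in files.items():
        paths[name] = os.path.join(workdir, name)
        with open(paths[name], "wb") as fh:
            fh.write(content)
    baseline = build_baseline(paths.values())

    # Simulated corruption after the baseline: same-length edit, growth, deletion.
    with open(paths["ledger.txt"], "wb") as fh:
        fh.write(b"balance=900\n")  # same size, different content
    with open(paths["policy.txt"], "ab") as fh:
        fh.write(b"# appended line\n")  # size grows
    os.remove(paths["notes.txt"])  # file gone

    return {os.path.basename(p): v for p, v in check_integrity(baseline).items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The baseline must itself be stored somewhere the monitored system cannot rewrite (read-only media or a separate host), otherwise whatever corrupts the files can also refresh the fingerprints.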
Utility: It is the quality or state of having value for some purpose or end. Information is useful
only when it serves its purpose; otherwise it is useless.
For e.g., census information can be overwhelming to an ordinary citizen, whereas the same
information could be handy for a politician.
Possession: It is the quality or state of having ownership or control of some object or item.
Information is said to be in one's possession if one obtains it, independent of format or other
characteristics.

NSTISSC Security Model

The security document presented under the NSTISSC model provides a comprehensive
model for information security and is becoming the evaluation standard for the security of
information systems.
This model has three dimensions, each with three elements. Extrapolating the three elements of
each axis gives a 3x3x3 cube with 27 cells, each representing an area that must be addressed
to secure today's information systems.
To ensure system security, each of the 27 cells must be properly addressed during the
security process.
For e.g., the intersection between the technology, integrity and storage areas requires a
control or safeguard that addresses the need to use technology to protect the integrity of
information while it is in storage.
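As an added example (not part of the notes), the script below enumerates the 27 cells of the cube and reports which cells have no control assigned, which is the practical way to apply the rule that every cell must be addressed. The notes name only the technology/integrity/storage cell; the full axis labels used here are those of the McCumber cube on which the NSTISSC model is based (goals: confidentiality, integrity, availability; information states: storage, processing, transmission; safeguards: policy, education, technology). The control inventory is constructed for the demonstration.

```python
from itertools import product

# Axis labels of the three-dimensional NSTISSC (McCumber) cube. The notes name only the
# technology/integrity/storage cell; the full axis labels are taken from the McCumber model.
GOALS = ("confidentiality", "integrity", "availability")
STATES = ("storage", "processing", "transmission")
MEASURES = ("policy", "education", "technology")


def all_cells():
    """Every (goal, state, measure) combination: 3 x 3 x 3 = 27 cells."""
    return list(product(GOALS, STATES, MEASURES))


def validate_cell(cell):
    """Reject a cell whose labels are not on the axes; a typo would otherwise hide a gap."""
    goal, state, measure = cell
    if goal not in GOALS or state not in STATES or measure not in MEASURES:
        raise ValueError(f"not a cube cell: {cell}")
    return cell


def coverage_report(controls):
    """controls maps a cell to the list of controls assigned to it.
    Returns the covered count and the cells that still have no control."""
    for cell in controls:
        validate_cell(cell)
    cells = all_cells()
    gaps = [cell for cell in cells if not controls.get(cell)]
    return {"cells": len(cells), "covered": len(cells) - len(gaps), "gaps": gaps}


# Constructed sample control inventory (hypothetical, not from the notes).
SAMPLE_CONTROLS = {
    ("integrity", "storage", "technology"): ["file fingerprint baseline"],  # the notes' example cell
    ("confidentiality", "transmission", "technology"): ["TLS on all links"],
    ("confidentiality", "storage", "policy"): ["data classification standard"],
    ("availability", "processing", "technology"): ["redundant application servers"],
    ("integrity", "transmission", "education"): ["awareness training on spoofed email"],
    ("availability", "storage", "policy"): [],  # listed but empty: still a gap
}


if __name__ == "__main__":
    report = coverage_report(SAMPLE_CONTROLS)
    print(f"{report['covered']} of {report['cells']} cells covered")
    for cell in report["gaps"]:
        print("gap:", " / ".join(cell))
```

Run as a script it prints the coverage count and one line per uncovered cell; in practice the inventory would be loaded from the organization's control register rather than typed in.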

Components of an Information System

An Information System (IS) is much more than computer hardware; it is the entire set of
software, hardware, data, people, and procedures necessary to use information as a resource
in the organization.
These components enable information to be input, processed, output and stored.
Software: It includes applications, operating systems and assorted command utilities. Software
is the most difficult information system component to secure. Errors in software programs can
be easily exploited to extract secure information.
Hardware: It is the physical technology that houses and executes the software, stores and
carries data, and provides interfaces for the entry and removal of information from the system.
Physical security policies deal with hardware as a physical asset and protect it from harm or
theft. Traditional tools like lock and key can restrict access.
Data: Data stored, processed and transmitted through a computer should be protected. It is the
most valuable asset of any organization and also the main target of intentional attacks.
People: People have always been a threat to information security. They can be the weakest link
in an organization's information security program.
Policy, education and training, awareness and technology should be properly employed to prevent
people from accidentally or intentionally damaging or losing information. The practices of social
engineering should also be guarded against.
Procedures: They are written instructions for accomplishing a specific task. Information's
integrity may be compromised if procedures fall into the hands of an unauthorized user.
In banking applications, if no proper authentication is present, large amounts could easily be
transferred to unauthorized accounts.
Networks: This IS component created much of the need for increased computer and information
security. When information systems are connected to form LANs, and these LANs connect to
other networks such as the Internet, new security challenges emerge.
Securing computers through physical means with locks and keys to restrict access and interaction
with information systems, though important, no longer suffices on its own with rapid network
growth.
Securing the Components
Security of information and its systems includes securing all components and protecting them
from potential misuse and abuse by unauthorized users.
In such a scenario, a computer may be either the subject of an attack or the object of the
attack.
When a computer is
* the subject of an attack, it is used as an active tool to conduct the attack.
* the object of an attack, it is the entity being attacked.

Types of attacks
i. Direct: A hacker uses his personal computer to break into a system. Direct attacks originate
from the threat itself.
ii. Indirect: Occurs when a system is compromised and used to attack other systems, as in a
DDoS. Indirect attacks originate from a system or resource that itself has been attacked and is
malfunctioning or working under the control of a threat.

Therefore a computer becomes the object during the compromise (take over); then, after being
compromised, it becomes the subject of an attack, where it is used to attack other systems.
Balancing Security and Access
Even with the best planning and implementation, perfect information security cannot be obtained.
It is a process, not an absolute state, and not a goal in itself.
Security should be considered as a balance between protection and availability. A system could
be made to provide unrestricted access, available to anyone, anywhere, anytime through any
means, but such access poses a hazard to the information's integrity. If complete information
security is implemented on the system, then free access may not be possible.
To achieve balance, and to operate an information system to the satisfaction of both the user and
the security professional, the level of security must allow reasonable access, yet protect against
threats.
An imbalance occurs when users' needs are undermined because of too much focus on
system protection.
Both these groups should exercise patience and cooperation when interacting with each
other, as together they share the same overall goal of the organization, which is to ensure
that data is available when, where and how it is needed with minimal delays or obstacles.

Approaches to Information Security Implementation

Implementation of information security in an organization can begin at either the top or the
bottom level of the organization.
The advantage of the bottom-up approach is the technical expertise of individual
administrators.
By working with information systems day to day, these administrators possess in-depth
knowledge which greatly enhances the development of an information security system. They
know and understand the threats to their systems and the mechanisms needed to protect them.
The disadvantage is the lack of participant support and organizational staying power.
On the contrary, in the top-down approach, the project is initiated by upper-level managers, who
issue policy, procedures and processes, dictate the goals and expected outcome of the project and
determine who is accountable for each of the required actions.

SDLC - The Systems Development Life Cycle

The SDLC is a methodology for the design and implementation of an information system in an
organization.
A methodology is a formal approach to solving a problem based on a structured sequence of
procedures.
A methodology ensures that the process is rigorous and avoids missing any step that could
compromise the end goal, and leads to the creation of a comprehensive information security
posture.
A methodology increases the probability of success by establishing key milestones, selecting a
team of individuals and making them accountable for the accomplishment of project goals.

The SDLC may be event-driven, i.e., started in response to some occurrence, or plan-driven, i.e.,
the result of a carefully developed implementation strategy.
Once the need is recognized, the SDLC methodology ensures that development proceeds in an
orderly and comprehensive fashion.
Each phase ends with a structured review or reality check, during which the decision to continue,
discontinue, outsource or postpone the project is made, depending on the need for additional
expertise, organizational knowledge or resources.
The process starts with the investigation of the problem faced by the organization, continues with
an analysis of the current organizational practices identified in the investigation, then proceeds to
the logical and physical design phases, where solutions are identified and associated with
evaluation criteria.
During implementation, solutions are evaluated, selected and acquired through a make-or-buy
process. These solutions, whether made or bought, are tested, installed and tested again.
Users of the system are trained and documentation is developed. Finally the system matures and
is maintained and modified over the remainder of its operational life.
Generally the implementation of an information system may involve multiple iterations or cycles.
Investigation: This phase begins with an examination of the event or plan that initiates the
process. The objectives, constraints, and scope of the project are specified. A preliminary
cost/benefit analysis is performed to evaluate the perceived benefits and the cost to be incurred
for such benefits.
At its conclusion, a feasibility analysis is performed to assess the economic, technical, and
behavioral feasibility of the process and to ensure that implementation is worth the
organization's time and effort.

Analysis: This phase begins with the information gained during the investigation phase. Here,
an assessment of the organization, the status of current systems and the capability to support the
proposed system is carried out.
Analysts should determine what the new system is expected to do and how the new system will
interact with existing systems. This phase ends with the documentation of the findings and a
feasibility analysis update.
Logical Design: The information gained from the analysis phase is used to begin creating a
systems solution for a business problem. The solution provided should drive the business.
Applications capable of providing the needed service to the business are selected.
Then, based on the applications, data support and structures capable of providing the needed
inputs are chosen. Finally, the specific technologies needed to implement the physical solution
are listed. Thus a blueprint for the desired solution is provided in this phase. The logical design
should be implementation independent and contain no reference to specific technologies,
vendors or products.
This phase addresses how the proposed system will solve the given problem. A number of
alternative solutions, each with corresponding strengths and weaknesses, are developed along
with a cost-benefit analysis, thus allowing for a general comparison of the available options.
At the end, another feasibility analysis is performed.
Physical Design: Specific technologies are selected to support the alternative solutions that were
identified and evaluated in the logical design. Selected components are evaluated based on a
make-or-buy decision. Final designs integrate the various components and technologies.
Another feasibility analysis is conducted, after which the entire solution is presented to
organizational management for approval.
Implementation: Any needed software is created. Components are ordered, received and tested.
Users are trained and support documents are created.
After the individual testing of each component is over, they are installed and tested as a system.
Again a feasibility analysis is prepared and the sponsors are presented with the system for a
performance review and acceptance test.
Maintenance and Change: It is the longest and most expensive phase of the process. It consists
of the tasks necessary to support and modify the system for the remainder of its useful life cycle.
Though formal development stops, the life cycle continues until the process begins again from
the investigation phase. Periodically the system is tested for compliance, and the feasibility of
continuance and discontinuance is evaluated. Upgrades, updates and patches are managed.
When the current system can no longer support the evolving mission of the organization, the
project is terminated and a new project is implemented.
Security Systems Development Life Cycle

The same phases used in the traditional SDLC are adapted to support the specialized
implementation of a security project.
The SDLC and SecSDLC processes differ in intent and specific activities, but the overall
methodology is the same. The basic process is the identification of threats and the development
of controls to counter them.
The SecSDLC is a coherent program rather than a series of random, seemingly unconnected
actions.
Investigation: This phase is initiated by upper management, which dictates the process, outcomes
and goals of the project as well as its budget and other constraints.
Teams of responsible managers, employees and contractors are organized. Problems are
analyzed, and the scope of the project and its specific goals, objectives and constraints not covered
in the program policy are defined.
Finally, an organizational feasibility analysis is performed to determine whether the organization
has the resources and commitment necessary to conduct a successful security analysis and design.
Analysis: Documents from the investigation phase are studied. The development team conducts
a preliminary analysis of existing security policies or programs, along with documented current
threats and associated controls.
It includes an analysis of relevant legal issues that could impact the design of the security
solution. Privacy laws dealing with personal information should be carefully considered.
The risk management task, which deals with identifying, assessing, and evaluating the levels of
risk, specifically threats to the organization's security and to the stored and processed
information, also begins in this phase.
Logical Design: This phase creates and develops the blueprint for information security and
examines and implements key policies that influence later decisions. Incident response actions in
the event of catastrophic loss are discussed, and the following questions are answered:
* Continuity planning: How will the business continue in the event of loss?
* Incident response: What steps are taken when an attack occurs?
* Disaster recovery: What must be done to recover information and vital systems
immediately after a disastrous event?
Next, a feasibility analysis determines whether or not the project should be continued or
outsourced.
Physical Design: The information security technology needed to support the blueprint outlined
in the logical design is evaluated, alternate solutions are generated and a final design is decided.
The information security blueprint may be revisited to keep it in line with the changes needed
when the physical design is completed.
Criteria for determining the definition of a successful solution are prepared. Physical security
measures to support the proposed technological solution are designed.

A feasibility analysis is conducted, which determines the readiness of the organization for the
proposed project. The champion and sponsors are presented with the design. All parties involved
should approve it before implementation starts.
Implementation: Security solutions are made or bought, tested, implemented and tested again.
Personnel issues are evaluated and education and training programs are conducted. The entire
tested package is presented to upper management for final approval.
Maintenance and Change: Because of the ever-changing threat environment, this phase is the
most important.
An information security system needs constant monitoring, testing, modification, updating and
repairing.

C.I.A. triangle
The C.I.A. triangle was the standard based on confidentiality, integrity, and availability.
The C.I.A. triangle has expanded into a list of critical characteristics of information.

How does an exploit differ from a vulnerability?

An exploit is a technique to compromise a system.

A vulnerability is an identified weakness of a controlled system whose controls are
not present or are no longer effective.

