
Information and Network Security

Dr. Nalini N., Professor and Head, Department of Computer Science and Engineering, Nitte Meenakshi Institute of Technology, Bangalore-560 064. E-mail: nalinaniranjan@hotmail.com

Introduction to Information Security


Do not figure on opponents not attacking; worry about your own lack of preparation. -- Book of the Five Rings

Learning Objectives:
- Understand what information security is and how it came to mean what it does today.
- Comprehend the history of computer security and how it evolved into information security.
- Understand the key terms and critical concepts of information security.

What Is Information Security?


"Information security in today's enterprise is a well-informed sense of assurance that the information risks and controls are in balance." -- Jim Anderson, Inovant

The History of Information Security


The need for computer security, that is, the need to secure physical locations, hardware, and software from outside threats, began during World War II.

- Computer security began immediately after the first mainframes were developed.
- Groups developing code-breaking computations during World War II created the first modern computers (Fig 1.1).
- Physical controls were needed to limit access to sensitive military locations to authorized personnel.
- Only rudimentary controls were available to defend against physical theft, espionage, and sabotage.

The 1960s
The Department of Defense's Advanced Research Project Agency (ARPA) began examining the feasibility of redundant networked communications. Larry Roberts developed the project from its inception.

The 1970s and 80s


ARPANET grew in popularity and use, and so did its potential for misuse. Fundamental problems with ARPANET security were identified:

- No safety procedures for dial-up connections to the ARPANET.
- User identification and authorization to the system were non-existent.

In the late 1970s the microprocessor expanded computing capabilities and security threats.

Key Dates for Seminal Works in Early Computer Security


1968: Maurice Wilkes discusses password security in Time Sharing Computer Systems.

1973: Schell, Downey and Popek examine the need for additional security in military systems in Preliminary Notes on the Design of Secure Military Computer Systems.

1975: The Federal Information Processing Standards (FIPS) examines DES (Digital Encryption Standard) in the Federal Register.

1978: Bisbey and Hollingsworth publish their study Protection Analysis: Final Report, discussing the Protection Analysis Project created by ARPA to better understand the vulnerabilities of operating system security and examine the possibility of automated vulnerability detection techniques in existing system software.

1979: Morris and Thompson author Password Security: A Case History, published in the Communications of the Association for Computing Machinery (ACM). The paper examines the history of a design for a password security scheme on a remotely accessed, time-sharing system.

1979: Dennis Ritchie publishes On the Security of UNIX and Protection of Data File Contents, discussing secure user IDs and secure group IDs, and the problems inherent in the system.

1984: Grampp and Morris write UNIX Operating System Security. In this report, the authors examine four important handles to computer security: physical control of premises and computer facilities, management commitment to security objectives, education of employees, and administrative procedures aimed at increased security.

1984: Reeds and Weinberger publish File Security and the UNIX System Crypt Command. Their premise was: "No technique can be secure against wiretapping or its equivalent on the computer. Therefore no technique can be secure against the systems administrator or other privileged users ... the naive user has no chance."

R-609 The Start of the Study of Computer Security


Information security began with Rand Report R-609, sponsored by the Department of Defense. The scope of computer security grew from physical security to include:

- Safety of the data
- Limiting random and unauthorized access to that data
- Involvement of personnel from multiple levels of the organization

MULTICS(Multiplexed Information and Computing Service)


Multics is noteworthy because it was the first and only operating system created with security as its primary goal. It was a mainframe, time-sharing operating system developed in the mid-1960s by a consortium from General Electric (GE), Bell Labs, and the Massachusetts Institute of Technology (MIT).

In 1969, not long after the restructuring of the MULTICS project, several of its key players (Ken Thompson, Dennis Ritchie, Rudd Canaday, and Doug McIlroy) created a new operating system called UNIX. While the MULTICS system implemented multiple security levels and passwords, the UNIX system did not.

The 1990s

As networks of computers became more common, so too did the need to interconnect the networks. This resulted in the Internet, the first manifestation of a global network of networks. In early Internet deployments, security was treated as a low priority.

The Present

The Internet has brought millions of computer networks into communication with each other, many of them unsecured. As networked computers became the dominant style of computing, the ability to physically secure a networked computer was lost, and the stored information system became more exposed to security threats. The security of each computer's stored information is now contingent on the level of security of every other computer to which it is connected.

What Is Security?

Security is the quality or state of being secure, that is, to be free from danger. To be protected from adversaries, from those who would do harm intentionally or otherwise, is the objective. A successful organization should have multiple layers of security in place:

- Physical security: addresses the issues necessary to protect the physical items, objects, or areas of an organization from unauthorized access and misuse.
- Personal security: involves the protection of the individual or group of individuals who are authorized to access the organization and its operations.
- Operations security: focuses on the protection of the details of a particular operation or series of activities.
- Communications security: encompasses the protection of an organization's communications media, technology, and content.
- Network security: is the protection of networking components, connections, and contents.

What Is Information Security?


According to the National Security Telecommunications and Information Systems Security Committee (NSTISSC), information security is "the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information."

- Tools such as policy, awareness, training, education, and technology are necessary.
- The C.I.A. triangle was the standard, based on confidentiality, integrity, and availability.
- The C.I.A. triangle has expanded into a list of critical characteristics of information.

Components of Information Security

NSTISSC Security Model


The NSTISSC Security Model provides a more detailed perspective on security. While the NSTISSC model covers the three dimensions of information security, it omits discussion of detailed guidelines and policies that direct the implementation of controls. Another weakness of using this model with too limited an approach is to view it from a single perspective.

Key Concepts of Information Security


Confidentiality: Confidentiality of information ensures that only those with sufficient privileges may access certain information. When unauthorized individuals or systems can access information, confidentiality is breached. To protect the confidentiality of information, a number of measures are used:

- Information classification
- Secure document storage
- Application of general security policies
- Education of information custodians and end users

Integrity: Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state. Corruption can occur while information is being compiled, stored, or transmitted.

Availability: Availability is the characteristic of information that enables user access to information without interference or obstruction and in a required format. A user in this definition may be either a person or another computer system. Availability does not imply that the information is accessible to any user; rather, it means availability to authorized users.

Privacy: The information that is collected, used, and stored by an organization is to be used only for the purposes stated to the data owner at the time it was collected. This definition of privacy does not focus on freedom from observation (the meaning usually associated with the word), but rather means that information will be used only in ways known to the person providing it.

Identification: An information system possesses the characteristic of identification when it is able to recognize individual users. Identification and authentication are essential to establishing the level of access or authorization that an individual is granted.

Authentication: Authentication occurs when a control provides proof that a user possesses the identity that he or she claims.

Authorization: After the identity of a user is authenticated, a process called authorization provides assurance that the user (whether a person or a computer) has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset.

Accountability: The characteristic of accountability exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process. For example, audit logs that track user activity on an information system provide accountability.

Information Security Terminology


Access: A subject's or object's ability to use, manipulate, modify, or affect another subject or object is referred to as access. Authorized users have legal access to a system, whereas hackers have illegal access to a system.

Asset: An asset is the organizational resource that is being protected. An asset can be logical, such as a Web site, information, or data; or an asset can be physical, such as a person, computer system, or another tangible object. Assets, and particularly information assets, are the focus of security efforts and are what is being protected.

Attack: An attack is an intentional or unintentional attempt to cause damage to or otherwise compromise the information and/or the systems that support it. If someone casually reads sensitive information not intended for his or her use, this is considered a passive attack. If a hacker attempts to break into an information system, the attack is considered active. If a lightning strike causes a fire in a building, the attack is unintentional.

Control, Safeguard and Countermeasure: These terms, all synonymous with control, represent security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization.

Exploit: There are two common uses of this term in security. First, hackers may attempt to exploit a system or information by using it illegally for their personal gain. Second, an exploit can be a targeted solution to misuse a specific hole or vulnerability, usually in software, that a hacker creates to formulate an attack. In this regard, an exploit is either the attempt to take advantage of a known vulnerability or weakness, or it is a method for taking advantage of a known vulnerability or weakness. In security, the latter is the more common usage.

Exposure: The exposure of an information system is a single instance when the system is open to damage. Vulnerabilities can cause an exposure to potential damage or attack from a threat. Total exposure is the degree to which an organization's assets are at risk of attack from a threat. Total exposure is sometimes quantified in dollars by applying a formula based on the value of the asset, the likelihood of the loss (the risk), and the number of exposures. This term is sometimes used as a summation measure of risk across various areas of security in an organization.

Hacking: Hacking can be defined positively and negatively:

1. To write computer programs for enjoyment.
2. To gain access to a computer illegally.

In the early days of computing, computer enthusiasts were called hacks or hackers because they could tear apart the computer instruction code, or even the computer itself, to manipulate its output. The term hacker at one time expressed respect for another's ability to make computing technology work as desired in the face of adversity. In recent years, the association with an illegal activity has negatively tinged the term.

Object: An object is a passive entity in the information system that receives or contains information. Objects are assigned specific controls that restrict or prevent access by unauthorized subjects. Examples include printers, servers, databases, or any other shared resource.

Risk: Risk is the probability that something can happen. In information security, it could be the probability of a threat to a system, the probability of a vulnerability being discovered, or the probability of equipment or software malfunctioning. Risk can be measured in quantitative terms, as in "a 25% chance of attack", or in qualitative terms, as in "a low probability of malfunction".

Security Blueprint: The security blueprint is the plan for the implementation of new security measures in the organization. Sometimes called a framework, the blueprint presents an organized approach to the security planning process. The security blueprint is the most significant work produced during the design phases of the SecSDLC.

Security Model: A security model is a collection of specific security rules that represents the implementation of a security policy.

Security Posture or Security Profile: The security posture or security profile refers to the implementation of security in an organization. It is a general label for the combination of all policy, procedures, technology, and programs that make up the total security effort currently in place and is sometimes called the information security program.

Subject: A subject is an active entity that interacts with an information system and causes information to move through the system for a specific purpose. A subject can be an individual, technical component, or computer process. Users, servers, and threads are examples of subjects.

Threats: A threat is a category of objects, persons, or other entities that pose a potential danger to an asset. Threats are always present. Some threats manifest themselves in accidental occurrences, while others are purposeful. For example, all hackers represent a potential danger or threat to an unprotected information system. Severe storms are also a threat to buildings and their contents.

Threat Agent: A threat agent is the specific instance or component of a threat. For example, you can think of all hackers in the world as a collective threat, and Kevin Mitnick, who was convicted for hacking into phone systems, as a specific threat agent. Likewise, a specific lightning strike, hailstorm, or tornado is a threat agent that is part of the threat of severe storms.

Vulnerability: Weaknesses or faults in a system or protection mechanism that expose information to attack or damage are known as vulnerabilities. They can range from a flaw in a software package, to an unprotected system port, or an unlocked door. Vulnerabilities that have been examined, documented, and published are referred to as well-known vulnerabilities.

---------------------

End of Chapter ONE

---------------------
