
Lecture 1 - Information Security Basics


UNIVERSITY OF ELDORET

SCHOOL OF SCIENCE

COMP 425 : CRYPTOGRAPHY AND INFORMATION SYSTEMS SECURITY

Course Content
Key concepts in Information Security. Information Security in Networked Enterprises. Threats and
vulnerabilities analysis. Risk management. Effective System. Policies. ICT Security planning.
Operational issues in ICT security (incident handling, training, backups etc.). Physical security. Types and
uses of security devices. Business Continuity and Disaster Recovery Planning. Network Security
(identification and authentication, logical access control, routers, proxies and firewalls, audit trails and
cryptography). Auditing Information Systems.

Assessment
Continuous Assessment Tests (CATs): 30%
End of Semester Written Examinations: 70%

Learning Materials

Information Systems Security Handbook -Isaca

LECTURE 1
PART I: Key concepts in Information Security

Information security is the practice of defending information from unauthorized access, use, disclosure,
disruption, modification, perusal, inspection, recording or destruction.
It is also defined as preservation of confidentiality, integrity and availability of information. Other
properties, such as authenticity, accountability, non-repudiation and reliability can also be involved.
Two major aspects of information security are:
- IT security (also computer security): responsible for keeping all of the technology within
the company secure from malicious cyber attacks that often attempt to breach critical private
information or gain control of the internal systems.
- Information assurance: the act of ensuring that data is not lost when critical issues arise. These
issues include natural disasters, computer/server malfunction, physical theft, or any other
instance where data has the potential of being lost.

Basic principles
Confidentiality
Confidentiality is a set of rules or a promise that limits access or places restrictions on certain types of information.
It refers to limiting information access and disclosure to authorized users -- "the right
people" -- and preventing access by or disclosure to unauthorized ones -- "the wrong people."
Authentication methods such as user-IDs and passwords, which uniquely identify a data system's users and
control access to its resources, underpin the goal of confidentiality.
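The following is an added illustration, not part of the lecture notes, of the confidentiality control just described: a user-ID/password check that gates access to a record. The user store, the user names and the record contents are constructed for the example; passwords are stored only as salted PBKDF2 hashes so that a stolen store does not directly reveal them, and the comparison runs in constant time.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed in-memory user store: user-ID -> (salt, password hash).
# A real system would keep this in a database, never as plain-text passwords.
USER_DB: Dict[str, Tuple[bytes, bytes]] = {}

# Iteration count is an assumption for the example; raise it in production.
PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user random salt: identical passwords get
    # different hashes, and the iteration count slows offline guessing.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register_user(user_id: str, password: str) -> None:
    salt = os.urandom(16)
    USER_DB[user_id] = (salt, _hash_password(password, salt))


def authenticate(user_id: str, password: str) -> bool:
    record = USER_DB.get(user_id)
    if record is None:
        # Do the same amount of work for an unknown user so timing does not
        # reveal which user-IDs exist.
        _hash_password(password, b"\x00" * 16)
        return False
    salt, stored = record
    # Constant-time comparison: does not leak how many bytes matched.
    return hmac.compare_digest(_hash_password(password, salt), stored)


def read_record(user_id: str, password: str, records: Dict[str, str]) -> Optional[str]:
    """Confidentiality control: release data only to an authenticated user,
    and only the record that belongs to that user ("the right people")."""
    if not authenticate(user_id, password):
        return None
    return records.get(user_id)


if __name__ == "__main__":
    register_user("alice", "correct horse battery staple")   # constructed credentials
    payroll = {"alice": "alice: salary band 3"}              # constructed record
    print(read_record("alice", "correct horse battery staple", payroll))  # record returned
    print(read_record("alice", "guess", payroll))                         # None
```

The stored value is a hash, not the password, so `USER_DB` never contains the secret itself; a wrong password or an unknown user-ID yields `None` and no data is disclosed.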

Integrity
- Data integrity means maintaining and assuring the accuracy and consistency of data over its entire
life-cycle.
- Data cannot be modified in an unauthorized or undetected manner.
- Integrity is violated when a message is actively modified in transit.

Availability
This means that the computing systems used to store and process the information, the security controls
used to protect it, and the communication channels used to access it must be functioning correctly.
- High availability systems aim to remain available at all times, preventing service disruptions due to
power outages, hardware failures, and system upgrades.
- Ensuring availability involves preventing denial-of-service attacks, such as a flood of incoming
messages to the target system essentially forcing it to shut down.
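As an added example (not from the lecture notes), one common availability control against the message flood described above is a per-client token bucket: each client may burst up to a fixed number of requests and is then limited to a steady rate, so one flooding source cannot starve the others. The client addresses and the message trace are constructed; the bucket size and refill rate are assumptions chosen for the demonstration.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple


class TokenBucket:
    """Per-client token bucket: `capacity` requests may arrive in a burst,
    after which tokens refill at `rate` per second. A request that finds
    no whole token is rejected rather than queued, keeping the service up."""

    def __init__(self, capacity: float, rate: float):
        self.capacity = capacity
        self.rate = rate
        self._tokens: Dict[str, float] = defaultdict(lambda: capacity)
        self._last_seen: Dict[str, float] = {}

    def allow(self, client: str, now: float) -> bool:
        last = self._last_seen.get(client, now)
        # Refill proportionally to elapsed time, never above capacity.
        tokens = min(self.capacity, self._tokens[client] + (now - last) * self.rate)
        self._last_seen[client] = now
        if tokens >= 1:
            self._tokens[client] = tokens - 1
            return True
        self._tokens[client] = tokens
        return False


def simulate(messages: Iterable[Tuple[float, str]], capacity: float = 5, rate: float = 1.0) -> Dict[str, Tuple[int, int]]:
    """Replay a (timestamp, client) trace through the limiter and return
    {client: (accepted, rejected)} counts."""
    bucket = TokenBucket(capacity, rate)
    stats: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for t, client in sorted(messages):
        stats[client][0 if bucket.allow(client, t) else 1] += 1
    return {c: (a, r) for c, (a, r) in stats.items()}


# Constructed trace: one source sends 100 messages within one second (a flood),
# another sends one message per second (normal use).
FLOOD = [(i * 0.01, "10.0.0.9") for i in range(100)]
NORMAL = [(float(i), "10.0.0.2") for i in range(10)]

if __name__ == "__main__":
    for client, (ok, dropped) in simulate(FLOOD + NORMAL).items():
        print(f"{client}: accepted={ok} rejected={dropped}")
```

With a burst of 5 and a refill of one token per second, the flooding client gets its first five messages through and the remaining 95 are dropped, while the normal client loses nothing; the service keeps answering legitimate traffic instead of being forced down by the flood.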

Non-repudiation
It implies that one party of a transaction cannot deny having received a transaction nor can the other party
deny having sent a transaction.
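The following is an added example, not code from the lecture notes, showing the integrity property above in working form: a message carries an HMAC-SHA256 tag, and a modification in transit is detected because the recomputed tag no longer matches. It also shows the limit that separates integrity from non-repudiation: because sender and receiver share the same key, the receiver can produce a valid tag itself, so a MAC cannot prove which party sent the message. The key, the message and the tampering step are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, Tuple


def protect(message: bytes, key: bytes) -> Dict[str, str]:
    """Sender side: attach an HMAC-SHA256 tag computed over the message."""
    tag = hmac.new(key, message, hashlib.sha256).hexdigest()
    return {"message": message.decode(), "tag": tag}


def verify(packet: Dict[str, str], key: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time.
    Any change to the message or the tag makes this return False."""
    expected = hmac.new(key, packet["message"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, packet["tag"])


def tamper_in_transit(packet: Dict[str, str]) -> Dict[str, str]:
    """Constructed in-transit modification: the amount field is changed
    but the original tag is left in place."""
    edited = dict(packet)
    edited["message"] = packet["message"].replace("100", "900")
    return edited


def integrity_demo() -> Tuple[bool, bool]:
    """Returns (original verifies, tampered verifies)."""
    key = b"constructed-shared-secret"
    original = protect(b"transfer 100 to account 42", key)
    modified = tamper_in_transit(original)
    return verify(original, key), verify(modified, key)


def receiver_can_forge() -> bool:
    """Non-repudiation caveat: the receiver holds the same key, so it can
    build a packet that verifies exactly like one from the sender. A MAC
    therefore gives integrity but not non-repudiation; that needs a digital
    signature made with a key only the sender holds."""
    key = b"constructed-shared-secret"
    forged_by_receiver = protect(b"transfer 900 to account 42", key)
    return verify(forged_by_receiver, key)


if __name__ == "__main__":
    print(integrity_demo())        # (True, False)
    print(receiver_can_forge())    # True
```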

Prevention vs. detection

Security efforts to assure confidentiality, integrity and availability can be divided into
- those oriented to prevention, and
- those focused on detection, whose aim is to rapidly discover and correct lapses that could not be --
or at least were not -- prevented.
It is critical to remember that "appropriate" or "adequate" levels of confidentiality, integrity and
availability depend on the context, just as does the appropriate balance between prevention and detection.

The nature of the efforts that the information systems support; the natural, technical and human risks to
those endeavors; governing legal, professional and customary standards -- all of these will condition how
CIA standards are set in a particular situation.

Common Terms
- Risk is the likelihood that something bad will happen that causes harm to an informational asset (or
the loss of the asset).
- Vulnerability is a weakness that could be used to endanger or cause harm to an informational asset.
- A threat is anything (man-made or act of nature) that has the potential to cause harm.
- The likelihood that a threat will use a vulnerability to cause harm creates a risk. When a threat does
use a vulnerability to inflict harm, it has an impact.
- Impact is a loss of availability, integrity, and confidentiality, and possibly other losses (lost income,
loss of life, loss of real property). It should be pointed out that it is not possible to identify all risks,
nor is it possible to eliminate all risk. The remaining risk is called "residual risk".
- A risk assessment is carried out by a team of people who have knowledge of specific areas of the
business.
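To make the terms above concrete, here is an added worked example (not from the lecture notes) of a small risk register: each entry pairs an asset with a threat and a vulnerability, scores likelihood and impact, and records how much of the risk existing controls remove, giving the residual risk. The scoring scale, the control-effectiveness figure and every entry are constructed assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class RiskEntry:
    asset: str
    threat: str                 # what could cause harm (man-made or act of nature)
    vulnerability: str          # the weakness the threat could use
    likelihood: int             # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int                 # assumed scale: 1 (negligible) .. 5 (catastrophic)
    control_effectiveness: float = 0.0   # fraction of the risk removed by existing controls, 0..1

    @property
    def inherent_risk(self) -> int:
        # Risk before controls: how likely the harm is, times how bad it is.
        return self.likelihood * self.impact

    @property
    def residual_risk(self) -> float:
        # What remains after the controls in place; it is never zero for all entries.
        return round(self.inherent_risk * (1 - self.control_effectiveness), 2)


def rank(register: List[RiskEntry]) -> List[RiskEntry]:
    """Highest residual risk first, so countermeasure budget goes to the top."""
    return sorted(register, key=lambda e: e.residual_risk, reverse=True)


def needs_treatment(register: List[RiskEntry], appetite: float) -> List[RiskEntry]:
    """Entries whose residual risk still exceeds the risk the organisation accepts."""
    return [e for e in register if e.residual_risk > appetite]


# Constructed register drawing on the risks listed in these notes.
REGISTER = [
    RiskEntry("customer database", "external attacker", "unpatched web application", 4, 5, 0.6),
    RiskEntry("file server", "flood", "server room in basement", 1, 4, 0.0),
    RiskEntry("staff email", "phishing", "no security training", 5, 3, 0.0),
    RiskEntry("RAID array", "second disk failure during rebuild", "no off-site backup", 2, 5, 0.5),
]

if __name__ == "__main__":
    for e in rank(REGISTER):
        print(f"{e.residual_risk:5.1f}  {e.asset:18} {e.threat} via {e.vulnerability}")
    print("above appetite 6:", [e.asset for e in needs_treatment(REGISTER, 6)])
```

Ranking by residual rather than inherent risk matters: the customer database has the largest inherent risk (20) but its controls bring it to 8, while untrained staff facing phishing sit at 15 with nothing in place, so that is where the next countermeasure belongs.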

The risks in information systems

- Physical loss of data. You may lose immediate access to your data for reasons ranging from floods to
loss of electric power. You may also lose access to your data for more subtle reasons: the second disk
failure, for example, while your RAID array recovers from the first.
- Unauthorized access to your own data and client or customer data. Remember, if you have
confidential information from clients or customers, you're often contractually obliged to protect that
data as if it were your own.
- Interception of data in transit. Risks include data transmitted between company sites, or between the
company and employees, partners, and contractors at home or other locations.
- Your data in someone else's hands. Do you share your data with third parties, including contractors,
partners, or your sales channel? What protects your data while it is in their hands?
- Data corruption. Intentional corruption might modify data so that it favors an external party: think
Trojan horses or keystroke loggers on PCs. Unintentional corruption might be due to a software error
that overwrites valid data.
- Email interception
- Email spoofing
- Web data interception
- Network and volume invasion
- Marketing data / spam and junk mail
- Viruses, worms, Trojan horses
- Password cracking
- Mail bomb
- Denial of Service (DoS)
- Piracy of intellectual property

Information Security Principles of Success

1. There Is No Such Thing as Absolute Security - Given enough time, tools, skills, and inclination, a
hacker can break through any security measure.
2. CIA triad - Protect the confidentiality, integrity and availability of data.
3. Defense in depth - Security implemented in overlapping layers that provide the three elements needed
to secure assets: prevention, detection, and response. The weaknesses of one security layer are offset
by the strengths of two or more layers.

4. When Left on Their Own, People Tend to Make the Worst Security Decisions - It takes little to
convince someone to give up their credentials in exchange for trivial or worthless goods.
- Many people are easily convinced to double-click on the attachment.
5. Functional and Assurance Requirements - Functional requirements describe what a system should
do.
- Assurance requirements describe how functional requirements should be implemented and
tested.

Does the system do the right things in the right way?
- Verification: the process of confirming that one or more predetermined requirements or
specifications are met.
- Validation: a determination of the correctness or quality of the mechanisms used in meeting the
needs.
6. Security Through Obscurity Is Not an Answer - Many people believe that if hackers don't know how
software is secured, security is better. Although this seems logical, it's actually untrue. Obscuring
security leads to a false sense of security, which is often more dangerous than not addressing security
at all.
7. Security = Risk Management - Security is not concerned with eliminating all threats within a system
or facility but with eliminating known threats and minimizing losses if an attacker succeeds in
exploiting a vulnerability.
Risk analysis and risk management are central themes to securing information systems.
Risk assessment and risk analysis are concerned with placing an economic value on assets to best
determine appropriate countermeasures that protect them from losses.
8. Security Controls: Preventative, Detective, and Responsive - A security mechanism serves a
purpose by preventing a compromise, detecting that a compromise or compromise attempt is
underway, or responding to a compromise while it is happening or after it has been discovered.
9. Complexity Is the Enemy of Security - The more complex a system gets, the harder it is to secure.
10. Fear, Uncertainty, and Doubt (FUD) Do Not Work in Selling Security - Information security managers
must justify all investments in security using techniques of the trade.
11. When spending resources can be justified with good, solid business rationale, security requests are
rarely denied.
People, process, and technology controls are essential elements of security practices including
operations security, applications development security, physical security, and cryptography.
12. Open Disclosure of Vulnerabilities Is Good for Security - Keeping a given vulnerability secret from
users and from the software developer can only lead to a false sense of security. The need to know
trumps the need to keep secrets in order to give users the right to protect themselves.
13. Computer security specialists must not only know the technical side of their jobs but also must
understand the principles behind information security.

These principles are mixed and matched to describe why certain security functions and operations exist in
the real world of IT.

Exercise
What are the elements of a good security program?
Why is it difficult to secure information systems?

PART II
Information Security in Networked Enterprises
Asked what information security consists of, your typical security engineer may say that it must have firewalls, intrusion detection or any number of
security-focused technologies.
Meanwhile a security tester may suggest that it means conducting penetration testing to provide assurance
that security widgets are working well.

Information security is about adopting the right measures and controls for a given entity at a given point
in time. Threats change and vulnerabilities are introduced or removed, demanding that security evolves
simply to keep pace.

1: Appointing a security officer

Every organization should assign a security officer even if the role is given to an individual who wears
multiple hats. Larger organizations may establish a dedicated position - the chief security officer who
presides over a team of specialists addressing the different areas of information security.
The security officer is the central point for managing proactive and reactive information security tasks.
The day to day activities for the individual resources that work in the domain will depend on the size and
focus of an organization but ultimately the security officer role should be accountable for the following:
- Strategy -- identifying the security posture an organisation wishes to maintain and how this will be
achieved.
- Operations -- monitoring of security alerts and management of security assets, for example intrusion
detection, jump hosts, firewalls and scanning tools.
- Architecture -- ensuring security is designed into the business's technology and processes.
- Consultation -- providing consultation to projects or business units by way of requirements, reviews,
recommendations and risk assessment.
- Analysis -- researching products or specific technical issues to assist in provisioning of technology or
remediation of vulnerabilities.
- Testing -- providing security testing such as penetration testing for projects and rolling assurance
exercises.
- Emergency Response -- responding to emergency security incidents such as the compromise of
information assets or the loss of service through a denial of service attack.
- Programme manager -- acting as the business sponsor for a rolling security programme of work.

2: Security reporting
Reporting provides a "heartbeat" for information security across an organisation. It ensures the right
people remain up to date on the latest incidents, threats and initiatives that will influence the security
posture.
Regular reporting ensures those that are accountable for securing information assets are aware of the risks
they may have inherited and the rigour in the controls that protect them.
Security reports must be written for their audience and this is an area where security professionals often
fall down.
The content must be accurate but presented at a level that can be consumed by the target audience.
Reports destined for technologists with an appreciation of the hands on should be literal and explain any
vulnerabilities and controls in technical terms.
Those intended for managers with a technical background should be explained conceptually and include
references to technical detail that supports any conclusions.
Those intended for parties outside the technology group such as the CEO or chief risk officer should
wholly focus on the business impact where the conclusions are justified by a well-designed and
established.

3: Develop Governance
For an organisation to maintain a consistent security posture, people within that organisation must have
clear instructions that tell them how to behave. Governance ensures that people are aware how they
should conduct themselves and, if well constructed, encourages them to behave in a way that maintains or
may even improve security. There are useful standards such as those produced by the International Standards
Organisation, the National Institute for Standards and Technology and the Government Communications.

4: Develop a security incident management plan

Every organisation will experience a security incident. The impact of that incident and the likelihood of it
repeating is directly affected by how an organisation manages it.
- Was the incident clearly identified, validated and contained?
- Was the vulnerability that led to it identified, and is there a plan to remediate or apply additional
countermeasures?
- Was the incident reported to an appropriate authority inside the organisation, and do any external
parties need to be notified?
These are but a few questions that are answered through a well-formed security incident management
plan.
The plan should identify a front door for people reporting potential incidents. From there it should define
an auditable process that validates the incident and initiates a response team well placed to deal with it.
The owner of the plan is the security officer, who remains a central part of the response team.
The plan will dictate how the incident's progress is recorded and what, if any, information is disclosed to a
wider audience. Typically it will empower the response team to operate outside governance, bypassing
change control and other processes that are designed for business as usual rather than an unforeseen
emergency.

5: Initiate a security programme of work


Security initiatives require a vehicle to carry them through design, build and implementation. Grouping
them all in a single program of work allows for budgets to be managed more easily and ensures the
investment in information security is transparent. Upgrades of security devices such as firewalls and
antivirus may be included in the programme, as well as any capital investment in information security,
such as an identity and access management system.
The security programme should be primarily focussed on enhancing information security and be funded
at a level that an organisation considers appropriate. The security officer should have a list of initiatives in
order of priority and the allocated budget should fund those at the top of the list.

6: Assess the security of all initiatives


An unfortunately common observation is that organisations invest heavily in security controls in one area
but due to budgetary constraints ignore others. For example the website may have extensive technical
controls and receive frequent security testing while the "trusted" third party connections are left
unchecked. Often this is due to incorrect assumptions being made by the business on what the security
implications of an action are.
A security assessment should be focused on empowering the business to decide whether an initiative
should progress, change direction, be reviewed at a more detailed level or in the most severe cases be
halted.

7: Complete period-based assurance tasks


While assessing the security of all initiatives is a proactive way of ensuring security is built in, it is also
important to be reactive. With the best intent and design, it is possible for vulnerabilities to be introduced
into a technical environment through human error or as the result of an aggregation of technical
anomalies. Completing periodic assurance tasks is intended to identify and manage vulnerabilities that
may not have been foreseen.

One of the most commonly practiced assurance measures is penetration testing. It provides a high level of
assurance that the tested technology would be resistant to a targeted attack by a skilled attacker. It is,
however, relatively expensive and often tightly scoped. Given the specialized nature of security testing it
could be worth considering using a third party security practitioner. A practitioner can ensure that the
scope is appropriate and that the tester is reputable.

8: Provide security training


Security training is a widely recognised requirement for a mature organisation, but all too often the bare
minimum is provided, such as an induction session which ensures everyone knows they shouldn't write
their password down.
Induction training is a great idea but, beyond making people aware of the security policy, it should be
different for different roles. Members of the executive face different threats and employ different
countermeasures to those holding a position on the help-desk. The former will likely require one-on-one
sessions while the latter may be inducted as part of a group.
While security training may seem expensive, it is probably one of the best returns on investment for an
organisation. Guarding against one phishing attempt may be the difference between winning the next big
contract and recovering from an embarrassing information leak.

9: Develop a whistleblower process


Securing an organisation is not limited to the practices of security specialists. It includes everyone from
those cleaning the office (often with unparalleled access) to those on the board. It includes partner
organisations and their staff and their partners, and so the list goes on. Along with supporting (or
opposing) security controls, staff and third party affiliates are a useful source of information about
security events. They may observe vulnerabilities or even be aware of vulnerabilities being exploited.
This information is extremely valuable and should be captured and processed to aid in improving one's
security posture.
Reporting of shortcomings is not always something that a hierarchy does particularly well. There is little
incentive for a middle manager to report a shortcoming in an area he/she is responsible for. It may lead to
embarrassment or additional work, and for these reasons potential risks can be swept under the rug. A
solution is to develop a whistleblower process which allows anyone to report a perceived security issue to
an information security authority in confidence, without fear of repercussions.

10: Consider security functionally


A challenge that faces many organisations is the apparent power that security practitioners require to do
their job. They often have super user rights on a system to provide oversight or control access, and they
often report to senior management even though they aren't necessarily executive level managers
themselves. Security is a functional requirement rather than a hierarchical one.
In designing security roles and responsibilities the function of that role must be considered, as a focus on
hierarchy will weaken an organisation's ability to manage information security well. It can mean the removal
of critical information flows as security reports are summarised into something more general. It can risk
unnecessary spending on security products to imply progress in the absence of consultation at the right
level.
NB
In order for each of these items to be effective they must involve an experienced security practitioner and
such people aren't that easy to find.
Engineers can build the firewalls and testers can break them but in the first instance someone is required
who can decide whether the firewall is required or not.

COMP 425 : INFORMATION SYSTEMS SECURITY

CAT 1

a) Explain four basic dimensions of systems security. [4 MKS]
b) Explain how RSA cryptosystems work. [4 MKS]
c) Using an example, explain how a virus infection occurs on files. [4 MKS]
d) Why would you hire an external auditor for your systems? [6 MKS]
e) Discuss three main access control methods employed in computer systems. [6 MKS]
f) Discuss the concept of birthday attacks as used in information cryptography. [6 MKS]
