Information Assurance and Security-Reviewer


Information Assurance and Security

I. INTRODUCTION TO INFORMATION SECURITY

A. What is Security?
Security is “the quality or state of being secure—to be free from danger.”
An organization puts several layers of security in place to protect its operations:

1. Physical security - to protect physical items, objects, or areas from unauthorized access and
misuse.
2. Personnel security - to protect the individual or group of individuals who are authorized to
access the organization and its operations.
3. Operations security - to protect the details of a particular operation or series of activities.
4. Communications security - to protect communications media, technology, and content.
5. Network security - to protect networking components, connections, and contents.
6. Information security - to protect the confidentiality, integrity, and availability of information
assets, whether in storage, processing, or transmission. It is achieved via the application of
policy, education, training and awareness, and technology.

B. CNSS Security Model

The definition of information security presented in this text is based in part on the CNSS document called
the National Training Standard for Information Systems Security Professionals, NSTISSI No. 4011.

McCumber Cube - The model, created by John McCumber in 1991, provides a graphical
representation of the architectural approach widely used in computer and information security.

C. Components of an Information System

An information system (IS) is much more than computer hardware; it is the entire set of software,
hardware, data, people, procedures, and networks that make possible the use of information resources
in the organization.

Information System Components:

1. Software - comprises applications, operating systems, and assorted command utilities. Software
is perhaps the most difficult IS component to secure.
2. Hardware - is the physical technology that houses and executes the software, stores and
transports the data, and provides interfaces for the entry and removal of information from the
system.
3. Data - Data stored, processed, and transmitted by a computer system must be protected. Data is
often the most valuable asset possessed by an organization and it is the main target of
intentional attacks.
4. People - People have always been a threat to information security. People can be the weakest link in an
organization’s information security program.
5. Procedures - Another frequently overlooked component of an IS is procedures. Procedures are
written instructions for accomplishing a specific task.
6. Networks - The IS component that created much of the need for increased computer and
information security is networking. When information systems are connected to each other to
form local area networks (LANs), and these LANs are connected to other networks such as the
Internet, new security challenges rapidly emerge.

D. Approaches to Information Security Implementation

Bottom-up Approach - Information security can begin as a grassroots effort in which systems
administrators attempt to improve the security of their systems. This is often referred to as a bottom-up
approach.

Top-down approach—in which the project is initiated by upper-level managers who issue policy,
procedures and processes, dictate the goals and expected outcomes, and determine accountability for
each required action—has a higher probability of success.

E. The Systems Development Life Cycle

Methodology and Phases

The traditional SDLC consists of six general phases. If you have taken a system analysis and design
course, you may have been exposed to a model consisting of a different number of phases. SDLC models
range from having three to twelve phases, all of which have been mapped into the six presented here.

The waterfall model illustrates that each phase begins with the results and information gained from
the previous phase.

Investigation

The first phase, investigation, is the most important. What problem is the system being developed to
solve? The investigation phase begins with an examination of the event or plan that initiates the process.

Analysis
The analysis phase begins with the information gained during the investigation phase. This phase
consists primarily of assessments of the organization, its current systems, and its capability to support
the proposed systems.

Logical Design

In the logical design phase, the information gained from the analysis phase is used to begin creating a
systems solution for a business problem.

Physical Design

During the physical design phase, specific technologies are selected to support the alternatives identified
and evaluated in the logical design. The selected components are evaluated based on a make-or-buy
decision (develop the components in-house or purchase them from a vendor).

Implementation

In the implementation phase, any needed software is created. Components are ordered, received, and
tested. Afterward, users are trained and supporting documentation created.

Maintenance and Change

The maintenance and change phase is the longest and most expensive phase of the process. This phase
consists of the tasks necessary to support and modify the system for the remainder of its useful life
cycle.

F. The Security Systems Development Life Cycle

Investigation

The investigation phase of the SecSDLC begins with a directive from upper management, dictating the
process, outcomes, and goals of the project, as well as its budget and other constraints.

Analysis

In the analysis phase, the documents from the investigation phase are studied. The development team
conducts a preliminary analysis of existing security policies or programs, along with that of documented
current threats and associated controls.

Logical Design

The logical design phase creates and develops the blueprints for information security, and examines and
implements key policies that influence later decisions.

Physical Design

The physical design phase evaluates the information security technology needed to support the
blueprint outlined in the logical design, generates alternative solutions, and determines a final design.

Implementation

The implementation phase of the SecSDLC is also similar to that of the traditional SDLC. The security
solutions are acquired (made or bought), tested, implemented, and tested again.

Maintenance and Change

Maintenance and change is the last, though perhaps most important, phase, given the current ever-
changing threat environment. Today’s information security systems need constant monitoring, testing,
modification, updating, and repairing.

II. THE NEED FOR SECURITY

A. Business Needs First

Protecting the Functionality of an Organization

Both general management and IT management are responsible for
implementing information security that protects the organization’s ability
to function. Although many business and government managers shy away
from addressing information security because they perceive it to be a technically
complex task, in fact, implementing information security has more to do
with management than with technology.

Enabling the Safe Operation of Applications

Today’s organizations are under immense pressure to acquire and operate
integrated, efficient, and capable applications. A modern organization
needs to create an environment that safeguards these applications, particularly
those that are important elements of the organization’s infrastructure:
operating system platforms, electronic mail (e-mail), and instant messaging
(IM) applications.

Protecting Data that Organizations Collect and Use

Without data, an organization loses its record of transactions and/or its
ability to deliver value to its customers. Any business, educational
institution, or government agency operating within the modern context of
connected and responsive services relies on information systems.

Safeguarding Technology Assets in Organizations

To perform effectively, organizations must employ secure infrastructure
services appropriate to the size and scope of the enterprise. For instance, a
small business may get by using an e-mail service provided by an ISP and
augmented with a personal encryption tool.

B. Threats

A threat is an object, person, or other entity that presents an ongoing danger to an asset.

C. Attacks

An attack is an act that takes advantage of a vulnerability to compromise a
controlled system. It is accomplished by a threat agent that damages or steals an
organization’s information or physical asset.

A vulnerability is an identified weakness in a controlled system, where controls
are not present or are no longer effective.

1) Malicious Code
The malicious code attack includes the execution of viruses, worms,
Trojan horses, and active Web scripts with the intent to destroy or steal
information.

2) Hoaxes
A more devious attack on computer systems is the transmission of a
virus hoax with a real virus attached.

3) Back Doors
Using a known or previously unknown and newly discovered access
mechanism, an attacker can gain access to a system or network
resource through a back door. Sometimes these entries are left behind
by system designers or maintenance staff, and thus are called trap
doors.

4) Password Crack
Attempting to reverse-calculate a password is often called cracking. A
cracking attack is a component of many dictionary attacks (to be
covered shortly). It is used when a copy of the Security Account
Manager (SAM) data file, which contains hashed representation of the
user’s password, can be obtained.

5) Brute Force
The application of computing and network resources to try every
possible password combination is called a brute force attack. Since the
brute force attack is often used to obtain passwords to commonly used
accounts, it is sometimes called a password attack.

6) Dictionary
The dictionary attack is a variation of the brute force attack which
narrows the field by selecting specific target accounts and using a list of
commonly used passwords (the dictionary) instead of random
combinations.

7) Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS)
In a denial-of-service (DoS) attack, the attacker sends a large number of
connection or information requests to a target. So many requests are
made that the target system becomes overloaded and cannot respond
to legitimate requests for service.

A distributed denial-of-service (DDoS) is an attack in which a
coordinated stream of requests is launched against a target from many
locations at the same time.

8) Spoofing
Spoofing is a technique used to gain unauthorized access to computers,
wherein the intruder sends messages with a source IP address that has
been forged to indicate that the messages are coming from a trusted
host.

9) Man-in-the-Middle
In the well-known man-in-the-middle or TCP hijacking attack, an
attacker monitors (or sniffs) packets from the network, modifies them,
and inserts them back into the network.

10) Spam
Spam is unsolicited commercial e-mail. While many consider spam a
trivial nuisance rather than an attack, it has been used as a means of
enhancing malicious code attacks.

11) Mail Bombing
Another form of e-mail attack that is also a DoS is called a mail bomb,
in which an attacker routes large quantities of e-mail to the target.

12) Sniffers
A sniffer is a program or device that can monitor data traveling over a
network. Sniffers can be used both for legitimate network management
functions and for stealing information.

13) Social Engineering
In the context of information security, social engineering is the process
of using social skills to convince people to reveal access credentials or
other valuable information to the attacker.

14) Phishing
Phishing is an attempt to gain personal or financial information from an
individual, usually by posing as a legitimate entity. Phishing attacks use
three primary techniques, often in combination with one another: URL
manipulation, Web site forgery, and phone phishing.

15) Pharming
Pharming is “the redirection of legitimate Web traffic (e.g., browser
requests) to an illegitimate site for the purpose of obtaining private
information.” Pharming often uses Trojans, worms, or other virus
technologies to attack the Internet browser’s address bar so that the
valid URL typed by the user is modified to that of the illegitimate Web
site.

16) Timing Attack
A timing attack explores the contents of a Web browser’s cache and
stores a malicious cookie on the client’s system.

D. Secure Software Development

Software Assurance and the SA Common Body of Knowledge

- A national effort is underway to create a common body of knowledge
focused on secure software development. The U.S. Department of Defense
(DoD) launched a Software Assurance Initiative in 2003.

Software Design Principles

Good software development should result in a finished product that
meets all of its design specifications.

1. Economy of mechanism: Keep the design as simple and small as
possible.
2. Fail-safe defaults: Base access decisions on permission rather
than exclusion.
3. Complete mediation: Every access to every object must be
checked for authority.
4. Open design: The design should not be secret, but rather
depend on the possession of keys or passwords.
5. Separation of privilege: Where feasible, a protection mechanism
should require two keys to unlock, rather than one.
6. Least privilege: Every program and every user of the system
should operate using the least set of privileges necessary to
complete the job.
7. Least common mechanism: Minimize mechanisms (or shared
variables) common to more than one user and depended on by
all users.
8. Psychological acceptability: It is essential that the human
interface be designed for ease of use, so that users routinely and
automatically apply the protection mechanisms correctly.
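The following added example (not code from this reviewer or the textbook it summarizes) shows what four of the principles above look like in a small access-control mediator: fail-safe defaults (an access is denied unless a role explicitly grants it, so an unknown role gets nothing), complete mediation (every access goes through one `check()` call, and the calls that touch the ledger cannot skip it), least privilege (each role carries only the permissions its job needs), and separation of privilege (writing to the ledger needs a second, independent approver). The role names, objects, permissions and the dual-control rule are constructed for illustration.

```python
"""Access-control mediator illustrating fail-safe defaults, complete mediation,
least privilege and separation of privilege.  Added example; roles, objects and
permissions below are constructed for illustration."""
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised whenever the mediator cannot positively authorise an access."""


# Least privilege: each role lists only the (object, action) pairs its job needs.
# Fail-safe defaults: anything not listed here is denied, including unknown roles.
ROLE_PERMISSIONS = {
    "clerk":   {("ledger", "read")},
    "auditor": {("ledger", "read"), ("audit_log", "read")},
    "admin":   {("ledger", "read"), ("ledger", "write"), ("audit_log", "read")},
}

# Separation of privilege: these actions need a second, independent approver.
DUAL_CONTROL = {("ledger", "write")}


@dataclass(frozen=True)
class Principal:
    name: str
    role: str


@dataclass
class Mediator:
    """Complete mediation: every access to every object goes through check()."""
    audit_log: list = field(default_factory=list)

    def check(self, who, obj, action, approvers=()):
        permitted = ROLE_PERMISSIONS.get(who.role, set())   # unknown role -> empty set
        if (obj, action) not in permitted:
            return self._deny(who, obj, action, "no permission")
        if (obj, action) in DUAL_CONTROL:
            second = [a for a in approvers
                      if a.name != who.name                       # cannot approve yourself
                      and (obj, action) in ROLE_PERMISSIONS.get(a.role, set())]
            if not second:
                return self._deny(who, obj, action, "second approver required")
        self.audit_log.append(f"ALLOW {who.name}({who.role}) {action} {obj}")
        return True

    def _deny(self, who, obj, action, reason):
        # Every denial is recorded before the exception propagates.
        self.audit_log.append(f"DENY  {who.name}({who.role}) {action} {obj}: {reason}")
        raise AccessDenied(reason)

    def is_allowed(self, who, obj, action, approvers=()):
        """Boolean form of check(), for callers that prefer not to catch the exception."""
        try:
            return self.check(who, obj, action, approvers)
        except AccessDenied:
            return False


def read_ledger(mediator, who):
    mediator.check(who, "ledger", "read")        # the check is not optional
    return "ledger contents"


def write_ledger(mediator, who, approvers, entry):
    mediator.check(who, "ledger", "write", approvers)
    return f"wrote {entry!r}"


if __name__ == "__main__":
    m = Mediator()
    clerk, admin, admin2 = Principal("carol", "clerk"), Principal("dave", "admin"), Principal("erin", "admin")
    print(read_ledger(m, clerk))
    print(m.is_allowed(clerk, "ledger", "write"))           # False: clerks only read
    print(write_ledger(m, admin, [admin2], "payment 17"))   # allowed: second admin approves
    print("\n".join(m.audit_log))
```

Note the design choice that the permission table is the only place where access is granted: code that wants a new capability has to add it there, in the open, rather than bypass the mediator, which is what keeps the fail-safe default honest.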

Software Development Security Problems

1. Buffer Overruns – is an application error that occurs when more
data is sent to a program buffer than it is designed to handle.
2. Command Injection – Command injection problems occur when
user input is passed directly to a compiler or interpreter.
3. Cross-site Scripting – Cross site scripting (or XSS) occurs when an
application running on a Web server gathers data from a user in
order to steal it.
4. Failure to Handle Errors – Failure to handle errors can cause a
variety of unexpected system behaviors. Programmers are expected
to anticipate problems and prepare their application code to handle
them.
5. Failure to Protect Network Traffic – Traffic on a wired network is also
vulnerable to interception in some situations. On networks using
hubs instead of switches, any user can install a packet sniffer and
collect communications to and from users on that network.
6. Failure to Store and Protect Data Securely – Access controls, the
subject of later chapters, regulate who, what, when, where, and
how individuals and systems interact with data.
7. Failure to Use Cryptographically Strong Random Numbers – Most
modern cryptosystems, like many other computer systems, use
random number generators.
8. Format String Problems – Some programmers may use data from
untrusted sources as a format string. An attacker may embed
characters that are meaningful as formatting directives (e.g., %x,
%d, %p, etc.) into malicious input.
9. Neglecting Change Control – Developers use a process known as
change control to ensure that the working system delivered to users
represents the intent of the developers.
10. Improper File Access
11. Improper Use of SSL – SSL and its successor, Transport Layer Security
(TLS), both need certificate validation to be truly secure. Failure to
use Hypertext Transfer Protocol Secure (HTTPS), to validate the
certificate authority and then validate the certificate itself, or to
validate the information against a certificate revocation list (CRL),
can compromise the security of SSL traffic.
12. Information Leakage – One of the most common methods of
obtaining inside and classified information is directly or indirectly
from an individual, usually an employee.
13. Integer Bugs – Integer bugs are usually exploited indirectly; that is,
triggering an integer bug enables an attacker to corrupt other areas
of memory, gaining control of an application.
14. Race Condition – A race condition is a failure of a program that occurs
when an unexpected ordering of events in the execution of the
program results in a conflict over access to the same system
resource.
15. SQL Injection – SQL injection occurs when developers fail to properly
validate user input before using it to query a relational database.
16. Trusting Network Address Resolution – The Domain Name System
(DNS) is a function of the World Wide Web that converts a URL
(Uniform Resource Locator) like www.course.com into the IP
address of the Web server host.
17. Unauthenticated Key Exchange – One of the biggest challenges in
private key systems, which involve two users sharing the same key,
is securely getting the key to the other party.
18. Use of Magic URLs and Hidden Forms – HTTP is a stateless protocol
where the computer programs on either end of the communication
channel cannot rely on a guaranteed delivery of any message.
19. Use of Weak Password-Based Systems – Failure to require sufficient
password strength, and to control incorrect password entry, is a
serious security issue. Password policy can specify the number and
type of characters, the frequency of mandatory changes, and even
the reusability of old passwords.
20. Poor Usability – Employees prefer doing things the easy way. When
faced with an “official way” of performing a task and an “unofficial
way”—which is easier—they prefer the easier method.
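Three of the problems in the list above (7, failure to use cryptographically strong random numbers; 15, SQL injection; 19, weak password-based systems) are concrete enough to show in code. The following added example is not from this reviewer or its textbook: each function pairs the weak pattern with the hardened one, using only Python's standard library. The table, usernames and password values are constructed sample data, and the policy thresholds (12 characters, three character classes) are assumptions chosen for the example.

```python
"""Weak pattern beside the hardened one for three of the listed problems.
Added example; table contents, names and policy thresholds are constructed."""
import hashlib
import hmac
import random
import secrets
import sqlite3
import string


# --- constructed sample database -------------------------------------------
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


# --- 15. SQL injection ------------------------------------------------------
def lookup_user_vulnerable(conn, username):
    # The input is spliced into the SQL text, so it can change the query's logic:
    # the input  ' OR '1'='1  turns the WHERE clause into a tautology.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_user_safe(conn, username):
    # A bound parameter is always treated as a value, never as SQL.
    return [row[0] for row in
            conn.execute("SELECT username FROM users WHERE username = ?", (username,))]


# --- 7. cryptographically strong random numbers ------------------------------
def weak_token(seed):
    # random.Random is a deterministic PRNG: anyone who learns (or guesses) the
    # seed reproduces every "secret" it generated.
    return f"{random.Random(seed).getrandbits(128):032x}"


def strong_token():
    # secrets draws from the OS CSPRNG; values are unpredictable and unrepeatable.
    return secrets.token_hex(16)


# --- 19. weak password-based systems ------------------------------------------
def hash_password(password, iterations=100_000):
    # Salted, iterated PBKDF2 makes each guess in a dictionary or brute-force
    # run cost real work, and stops precomputed tables from being reused.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}:{salt.hex()}:{digest.hex()}"


def verify_password(password, stored):
    iterations, salt_hex, digest_hex = stored.split(":")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)   # constant-time compare


def check_password_policy(password, history_hashes, min_len=12, min_classes=3):
    """Return the list of policy violations (empty list means acceptable).

    Enforces length, character-class variety and non-reuse of old passwords,
    the three controls the list item names."""
    problems = []
    if len(password) < min_len:
        problems.append("too short")
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    if sum(any(c in cls for c in password) for cls in classes) < min_classes:
        problems.append("fewer than 3 character classes")
    if any(verify_password(password, h) for h in history_hashes):
        problems.append("reused")
    return problems


if __name__ == "__main__":
    db = make_db()
    print(lookup_user_vulnerable(db, "' OR '1'='1"))   # every user leaks
    print(lookup_user_safe(db, "' OR '1'='1"))         # nothing matches
    print(weak_token(42) == weak_token(42), strong_token() == strong_token())
    old = [hash_password("CorrectHorse!Battery9")]
    print(check_password_policy("CorrectHorse!Battery9", old))   # ['reused']
```

Running the block with the tautology input shows both rows returned by the vulnerable lookup and none by the parameterized one; the same input, the same table, and the only difference is whether the database sees the text as a value or as SQL.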
