
MOI UNIVERSITY

SCHOOL OF INFORMATION SCIENCE


INF 440: ICT SECURITY
Aim: This course is designed to equip the learner with knowledge and skills in information
security management issues.
Expected Learning Outcomes
By the end of the course, the learner should be able to:
Identify and manage ICT security risks
Identify and implement secure network design
Plan and implement disaster recovery measures and
Plan and implement ICT security policies.
Pre-requisite: INF 331: Business Applications Programming, INF 360: Computer Networks
Course Content
Key concepts in Information Security. Information Security in Networked Enterprises. Threats and
vulnerabilities analysis. Effective System Administration. Policies. Risk management. ICT Security
planning. Operational issues in ICT security (incident handling, training, backups etc). Physical security.
Personnel issues. Types and uses of security devices. Network Security (identification and authentication,
logical access control, Routers, Proxies, and Firewalls, audit trails and cryptography).
Detection of security breaches. Business Continuity and Disaster Recovery Planning. Security for
Electronic Commerce, Financial Networks, Intranets and Extranets. Security Across Different Operating
Systems and Platforms.
Assessment
Continuous Assessment Tests (CATs): 40%
End of Semester Written Examinations: 60%
Learning Materials
Information Systems Security Handbook - ISACA
LECTURE 1
PART I: Key concepts in Information Security
Information security is the practice of defending information from unauthorized access, use, disclosure,
disruption, modification, perusal, inspection, recording or destruction.
It is also defined as preservation of confidentiality, integrity and availability of information. Other
properties, such as authenticity, accountability, non-repudiation and reliability, can also be involved.
Two major aspects of information security are:
IT security (also computer security): It is responsible for keeping all of the technology within
the company secure from malicious cyber attacks that often attempt to breach into critical private
information or gain control of the internal systems.
Information assurance: The act of ensuring that data is not lost when critical issues arise. These
issues include: natural disasters, computer/server malfunction, physical theft, or any other
instance where data has the potential of being lost.
Basic principles
Confidentiality
Confidentiality is a set of rules or a promise that limits access or places restrictions on certain types of
information.
Confidentiality refers to limiting information access and disclosure to authorized users -- "the right
people" -- and preventing access by or disclosure to unauthorized ones -- "the wrong people."
Authentication methods like user IDs and passwords, which uniquely identify data systems' users and
control access to data systems' resources, underpin the goal of confidentiality.
Integrity
Data integrity means maintaining and assuring the accuracy and consistency of data over its entire
life-cycle.
Data cannot be modified in an unauthorized or undetected manner.
Integrity is violated when a message is actively modified in transit.
Availability
This means that the computing systems used to store and process the information, the security controls
used to protect it, and the communication channels used to access it must be functioning correctly.
High availability systems aim to remain available at all times, preventing service disruptions due to
power outages, hardware failures, and system upgrades.
Ensuring availability involves preventing denial-of-service attacks, such as a flood of incoming
messages to the target system essentially forcing it to shut down.
Non-repudiation
It implies that one party of a transaction cannot deny having received a transaction, nor can the other party
deny having sent a transaction.
Prevention vs. detection
Security efforts to assure confidentiality, integrity and availability can be divided into
those oriented to prevention and
those focused on detection, whose aim is to rapidly discover and correct lapses that could not be --
or at least were not -- prevented.
It is critical to remember that "appropriate" or "adequate" levels of confidentiality, integrity and
availability depend on the context, just as does the appropriate balance between prevention and detection.
The nature of the efforts that the information systems support, the natural, technical and human risks to
those endeavors, and the governing legal, professional and customary standards -- all of these will condition
how CIA standards are set in a particular situation.
Common Terms
Risk is the likelihood that something bad will happen that causes harm to an informational asset (or
the loss of the asset).
Vulnerability is a weakness that could be used to endanger or cause harm to an informational asset.
A threat is anything (manmade or act of nature) that has the potential to cause harm.
The likelihood that a threat will use a vulnerability to cause harm creates a risk. When a threat does
use a vulnerability to inflict harm, it has an impact.
Impact is a loss of availability, integrity, and confidentiality, and possibly other losses (lost income,
loss of life, loss of real property). It should be pointed out that it is not possible to identify all risks,
nor is it possible to eliminate all risk. The remaining risk is called "residual risk".
A risk assessment is carried out by a team of people who have knowledge of specific areas of the
business.
The risks in information systems
Physical loss of data. You may lose immediate access to your data for reasons ranging from floods to
loss of electric power. You may also lose access to your data for more subtle reasons: the second disk
failure, for example, while your RAID array recovers from the first.
Unauthorized access to your own data and client or customer data. Remember, if you have
confidential information from clients or customers, you're often contractually obliged to protect that
data as if it were your own.
Interception of data in transit. Risks include data transmitted between company sites, or between the
company and employees, partners, and contractors at home or other locations.
Your data in someone else's hands. Do you share your data with third parties, including contractors,
partners, or your sales channel? What protects your data while it is in their hands?
Data corruption. Intentional corruption might modify data so that it favors an external party: think
Trojan horses or keystroke loggers on PCs. Unintentional corruption might be due to a software error
that overwrites valid data.
Email Interception
Email Spoofing
Web Data Interception
Network & Volume Invasion
Marketing Data / Spam & Junk Mail
Viruses, Worms, Trojan Horses
Password Cracking
Mail bomb
Denial of Service (DoS)
Piracy of Intellectual Property
Information Security Principles of Success
1. There Is No Such Thing as Absolute Security - Given enough time, tools, skills, and inclination, a
hacker can break through any security measure.
2. CIA triad - Protect the confidentiality of data.
3. Defense in depth - Security implemented in overlapping layers that provide the three elements needed
to secure assets: prevention, detection, and response. The weaknesses of one security layer are offset
by the strengths of two or more layers.
4. When Left on Their Own, People Tend to Make the Worst Security Decisions - It takes little to
convince someone to give up their credentials in exchange for trivial or worthless goods.
Many people are easily convinced to double-click on the attachment.
5. Functional and Assurance Requirements - Functional requirements describe what a system should
do.
Assurance requirements describe how functional requirements should be implemented and
tested.
Does the system do the right things in the right way?
Verification: the process of confirming that one or more predetermined requirements or
specifications are met.
Validation: a determination of the correctness or quality of the mechanisms used in meeting the
needs.
6. Security Through Obscurity Is Not an Answer - Many people believe that if hackers don't know how
software is secured, security is better. Although this seems logical, it's actually untrue. Obscuring
security leads to a false sense of security, which is often more dangerous than not addressing security
at all.
7. Security = Risk Management - Security is not concerned with eliminating all threats within a system
or facility but with eliminating known threats and minimizing losses if an attacker succeeds in
exploiting a vulnerability.
Risk analysis and risk management are central themes to securing information systems.
Risk assessment and risk analysis are concerned with placing an economic value on assets to best
determine appropriate countermeasures that protect them from losses.
8. Security Controls: Preventative, Detective, and Responsive - A security mechanism serves a
purpose by preventing a compromise, detecting that a compromise or compromise attempt is
underway, or responding to a compromise while it is happening or after it has been discovered.
9. Complexity Is The Enemy of Security - The more complex a system gets, the harder it is to secure.
10. Fear, Uncertainty, and Doubt (FUD) Do Not Work in Selling Security - Information security managers
must justify all investments in security using techniques of the trade.
11. When spending resources can be justified with good, solid business rationale, security requests are
rarely denied.
12. People, process, and technology controls are essential elements of security practices including
operations security, applications development security, physical security, and cryptography.
13. Open Disclosure of Vulnerabilities Is Good for Security - Keeping a given vulnerability secret from
users and from the software developer can only lead to a false sense of security. The need to know
trumps the need to keep secrets in order to give users the right to protect themselves.
14. Computer security specialists must not only know the technical side of their jobs but also must
understand the principles behind information security.
These principles are mixed and matched to describe why certain security functions and operations exist in
the real world of IT.
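The Common Terms above (risk, threat, vulnerability, impact, residual risk) and principle 7 (placing an economic value on assets to choose countermeasures) can be carried through as a small worked risk analysis. This is an added example and not part of the lecture notes or the ISACA handbook: the asset values, likelihoods, loss fractions and control costs are constructed figures, and measuring risk as likelihood multiplied by impact is an assumption the example makes, not something the notes prescribe.

```python
"""Quantitative risk analysis in the lecture's own terms (risk, threat, vulnerability,
impact, residual risk, countermeasure). Added example, not from the lecture notes or
the ISACA handbook; every figure below is constructed for illustration."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: float       # economic value placed on the asset
    threat: str              # what could cause harm (manmade or act of nature)
    vulnerability: str       # weakness the threat could use
    likelihood: float        # chance per year that the threat uses the vulnerability
    impact_fraction: float   # share of the asset's value lost when it does

    def expected_loss(self) -> float:
        """Annual expected loss: likelihood x impact, expressed in money."""
        return round(self.likelihood * self.impact_fraction * self.asset_value, 2)


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    likelihood_reduction: float = 0.0   # 0.75 = threat succeeds 75% less often
    impact_reduction: float = 0.0       # 0.9 = 90% less loss when it does


def residual_risk(risk: Risk, cm: Countermeasure) -> Risk:
    """The risk that remains after the countermeasure is applied."""
    return replace(risk,
                   likelihood=risk.likelihood * (1 - cm.likelihood_reduction),
                   impact_fraction=risk.impact_fraction * (1 - cm.impact_reduction))


def net_benefit(risk: Risk, cm: Countermeasure) -> float:
    """Expected loss avoided per year minus what the countermeasure costs."""
    avoided = risk.expected_loss() - residual_risk(risk, cm).expected_loss()
    return round(avoided - cm.annual_cost, 2)


def cost_justified(risk: Risk, cm: Countermeasure) -> bool:
    """Business rationale: fund a control only if it avoids more loss than it costs."""
    return net_benefit(risk, cm) > 0


def prioritise(risks: list) -> list:
    """Asset names ordered by expected loss, highest first: the top of the budget list."""
    return [r.asset for r in sorted(risks, key=Risk.expected_loss, reverse=True)]


# Constructed sample risk register and candidate controls (hypothetical figures).
RISKS = [
    Risk("customer database", 500_000, "external attacker", "unpatched web application", 0.2, 0.5),
    Risk("file server", 100_000, "flood", "no off-site backup", 0.05, 1.0),
    Risk("public web site", 30_000, "defacement", "weak admin password", 0.3, 0.2),
]
CONTROLS = {
    "customer database": Countermeasure("patch management", 15_000, likelihood_reduction=0.75),
    "file server": Countermeasure("off-site backup", 2_000, impact_reduction=0.9),
    "public web site": Countermeasure("hardware tokens for admins", 6_000, likelihood_reduction=0.9),
}

if __name__ == "__main__":
    for r in sorted(RISKS, key=Risk.expected_loss, reverse=True):
        cm = CONTROLS[r.asset]
        print(f"{r.asset}: loss {r.expected_loss():,.0f}, residual "
              f"{residual_risk(r, cm).expected_loss():,.0f}, {cm.name} "
              f"{'funded' if cost_justified(r, cm) else 'rejected'} ({net_benefit(r, cm):+,.0f})")
```

On these figures the expensive token roll-out for the web site is rejected even though it removes most of the risk, which is the point of principle 11: the same control would be funded if its cost fell below the loss it avoids.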
Exercise
What are the elements of a good security program?
Why is it difficult to secure information systems?
PART II
Information Security in Networked Enterprises
Your typical security engineer may say it must have firewalls, intrusion detection or any number of
security focused technologies.
Meanwhile a security tester may suggest that it is conducting penetration testing to provide assurances
that security widgets are working well.
Information security is about adopting the right measures and controls for a given entity at a given point
in time. Threats change and vulnerabilities are introduced or removed, demanding that security evolves
simply to keep pace.
1: Appointing a security officer
Every organization should assign a security officer even if the role is given to an individual who wears
multiple hats. Larger organizations may establish a dedicated position - the chief security officer, who
presides over a team of specialists addressing the different areas of information security.
The security officer is the central point for managing proactive and reactive information security tasks.
The day to day activities for the individual resources that work in the domain will depend on the size and
focus of an organization, but ultimately the security officer role should be accountable for the following:
Strategy -- identifying the security posture an organisation wishes to maintain and how this will be
achieved.
Operations -- monitoring of security alerts and management of security assets, for example intrusion
detection, jump hosts, firewalls and scanning tools.
Architecture -- ensuring security is designed into the business's technology and processes.
Consultation -- providing consultation to projects or business units by way of requirements, reviews,
recommendations and risk assessment.
Analysis -- researching products or specific technical issues to assist in provisioning of technology or
remediation of vulnerabilities.
Testing -- providing security testing such as penetration testing for projects and rolling assurance
exercises.
Emergency Response -- responding to emergency security incidents such as the compromise of
information assets or the loss of service through a denial of service attack.
Programme manager -- acting as the business sponsor for a rolling security programme of work.
2: Security reporting
Reporting provides a "heartbeat" for information security across an organisation. It ensures the right
people remain up to date on the latest incidents, threats and initiatives that will influence the security
posture.
Regular reporting ensures those that are accountable for securing information assets are aware of the risks
they may have inherited and the rigour in the controls that protect them.
Security reports must be written for their audience, and this is an area where security professionals often
fall down.
The content must be accurate but presented at a level that can be consumed by the target audience.
Reports destined for technologists with an appreciation of the hands-on should be literal and explain any
vulnerabilities and controls in technical terms.
Those intended for managers with a technical background should be explained conceptually and include
references to technical detail that supports any conclusions.
Those intended for parties outside the technology group, such as the CEO or chief risk officer, should
wholly focus on the business impact, where the conclusions are justified by a well-designed and
established.
3: Develop governance
For an organisation to maintain a consistent security posture, people within that organisation must have
clear instructions that tell them how to behave. Governance ensures that people are aware how they
should conduct themselves and, if well constructed, encourages them to behave in a way that maintains or
may even improve security. There are useful standards such as those produced by the International Standards
Organisation, the National Institute for Standards and Technology and the Government Communications .
4: Develop a security incident management plan
Every organisation will experience a security incident. The impact of that incident and the likelihood of it
repeating is directly impacted by how an organisation manages it.
Was the incident clearly identified, validated and contained?
Was the vulnerability that led to it identified, and is there a plan to remediate or apply additional
countermeasures?
Was the incident reported to an appropriate authority inside the organisation, and do any external
parties need to be notified?
These are but a few questions that are answered through a well formed security incident management
plan.
The plan should identify a front door for people reporting potential incidents. From there it should define
an auditable process that validates the incident and initiates a response team well placed to deal with it.
The owner of the plan is the security officer, who remains a central part of the response team.
The plan will dictate how the incident's progress is recorded and what, if any, information is disclosed to a
wider audience. Typically it will empower the response team to operate outside governance, bypassing
change control and other processes that are designed for business as usual rather than an unforeseen
emergency.
5: Initiate a security programme of work
Security initiatives require a vehicle to carry them through design, build and implementation. Grouping
them all in a single programme of work allows for budgets to be managed more easily and ensures the
investment in information security is transparent. Upgrades of security devices such as firewalls and
antivirus may be included in the programme, as well as any capital investment in information security,
such as an identity and access management system.
The security programme should be primarily focused on enhancing information security and be funded
at a level that an organisation considers appropriate. The security officer should have a list of initiatives in
order of priority, and the allocated budget should fund those at the top of the list.
6: Assess the security of all initiatives
An unfortunately common observation is that organisations invest heavily in security controls in one area
but, due to budgetary constraints, ignore others. For example the website may have extensive technical
controls and receive frequent security testing while the "trusted" third party connections are left
unchecked. Often this is due to incorrect assumptions being made by the business on what the security
implications of an action are.
A security assessment should be focused on empowering the business to decide whether an initiative
should progress, change direction, be reviewed at a more detailed level or, in the most severe cases, be
halted.
7: Complete period-based assurance tasks
While assessing the security of all initiatives is a proactive way of ensuring security is built in, it is also
important to be reactive. With the best intent and design, it is possible for vulnerabilities to be introduced
into a technical environment through human error or as the result of an aggregation of technical
anomalies. Completing periodic assurance tasks is intended to identify and manage vulnerabilities that
may not have been foreseen.
One of the most commonly practised assurance measures is penetration testing. It provides a high level of
assurance that the tested technology would be resistant to a targeted attack by a skilled attacker. It is
however relatively expensive and often tightly scoped. Given the specialized nature of security testing it
could be worth considering using a third party security practitioner. A practitioner can ensure that the
scope is appropriate and that the tester is reputable.
8: Provide security training
Security training is a widely recognised requirement for a mature organisation, but all too often the bare
minimum is provided, such as an induction session which ensures everyone knows they shouldn't write
their password down.
Induction training is a great idea but, beyond making people aware of the security policy, it should be
different for different roles. Members of the executive face different threats and employ different
countermeasures to those holding a position on the help-desk. The former will likely require one on one
sessions while the latter may be inducted as part of a group.
While security training may seem expensive, it is probably one of the best returns on investment for an
organisation. Guarding against one phishing attempt may be the difference between winning the next big
contract or recovering from an embarrassing information leak.
9: Develop a whistleblower process
Securing an organisation is not limited to the practices of security specialists. It includes everyone from
those cleaning the office (often with unparalleled access) to those on the board. It includes partner
organisations and their staff and their partners, and so the list goes on. Along with supporting (or
opposing) security controls, staff and third party affiliates are a useful source of information about
security events. They may observe vulnerabilities or even be aware of vulnerabilities being exploited.
This information is extremely valuable and should be captured and processed to aid in improving one's
security posture.
Reporting of shortcomings is not always something that a hierarchy does particularly well. There is little
incentive for a middle manager to report a shortcoming in an area he/she is responsible for. It may lead to
embarrassment or additional work, and for these reasons potential risks can be swept under the rug. A
solution is to develop a whistleblower process which allows anyone to report a perceived security issue to
an information security authority in confidence, without fear of repercussions.
10: Consider security functionally
A challenge that faces many organisations is the apparent power that security practitioners require to do
their job. They often have super user rights on a system to provide oversight or control access, and they
often report to senior management even though they aren't necessarily executive level managers
themselves. Security is a functional requirement rather than a hierarchical one.
In designing security roles and responsibilities the function of that role must be considered, as a focus on
hierarchy will weaken an organisation's ability to manage information security well. It can mean the removal
of critical information flows as security reports are summarised into something more general. It can risk
unnecessary spending on security products to imply progress in the absence of consultation to the right
level.
NB
In order for each of these items to be effective they must involve an experienced security practitioner, and
such people aren't that easy to find.
Engineers can build the firewalls and testers can break them, but in the first instance someone is required
who can decide whether the firewall is required or not.
