CBS3002

Information Security
 MODULE - 1
• Confidentiality, integrity and availability.

• Security violation and threats

• Security policy and procedure

• Assumptions and Trust

• Security Assurance

• Implementation and Operational Issues

• Security Life Cycle.

CIA : TRIAD
 CIA : TRIAD
What is CIA Triad?
CIA Triad, is a model designed to guide
policies for information security within an
organization.
The model is also sometimes referred to as
AIC Triad
❑ Confidentiality
❑ Integrity
❑ Availability
 CIA : TRIAD
• Confidentiality:
is a set of rules that limits access to information.
Information can only be seen by user.
EX: ATM ----> Password
• Integrity:
is the assurance that the information is trustworthy
and accurate.
Information cannot be changed with user permission
EX: Bank ---> SMS Alert
• Availability:
is a guarantee of reliable access to the information
by authorized people
Information is available when user needed
Ex: Bank Account ---> Balance
 Confidentiality
• Confidentiality is the first pillar of the CIA TRIAD and
is concerned with controlling access to critical data
and preventing any unauthorized disclosure of it.
• Confidentiality is the process of keeping an
organization or individual’s data private and
ensuring only authorized people can access it.
Example:
(A). In an organization only authorized payroll
employees should get access to the database of
employees’ payroll.
• within that group of authorized users, additional
limitations are implemented so that only certain
users can perform particular tasks.
 Confidentiality

(B). Confidentiality is the personal information of

e- commerce customers.

• Sensitive information like credit card details,

contact information, shipping details, or other
personal information needs to be secured to
prevent unauthorized access and exposure.
 Confidentiality
Violation of confidentiality
can happen in many ways.
• It can occur through direct attacks, which are
specifically designed to gain illegal access to
systems, databases, applications, etc.
• For example:
escalation of system privileges, network
reconnaissance, electronic eavesdropping, man-
in-the-middle attacks, etc.
• Human error can also be a reason for violation
just as much as inadequate security measures.
 Confidentiality
How to Protect Confidentiality
• There are several countermeasures that can be
taken to protect confidentiality.

• It includes data classification and labelling;

strong authentication mechanisms, tight access
controls, steganography, data encryption during
a process, transit, and storage, remote wipe
capabilities, and education and training
on cybersecurity for all.
 Integrity
• Integrity is all about making sure that data has
not been messed with or manipulated, and
therefore it is authentic, correct, and reliable.
For example:
In e-commerce, customers expect products,
pricing, and other related details to be accurate
and that it will not be altered once the order is
placed.
In banking, a sense of trust regarding banking
information and account balances has to be
established by ensuring that these details are
authentic and have not been tampered with.
 Integrity
• Like confidentiality, integrity can be
compromised in different ways.

• It can happen directly through the intrusion of

detection systems, modification of configuration
files, change of system logs to avoid detection)
or human errors.
 Integrity
How to protect Integrity
• Countermeasures like encryption, digital
signatures, hashing, and digital certificates can
help maintain data integrity.

• Aside from these, intrusion detection systems,

strong authentication mechanisms, version
control, auditing, and access controls can ensure
integrity.
 Integrity
• It is a given that integrity also closely ties in
with the concept of non-repudiation, which
means that one will not be able to deny
certain actions as being not true.

For example:
• If an email with a digital signature was sent
or received, the integrity will be maintained
for these kinds of online transactions that
happen.
 Availability
• Systems, applications, and data will lose their value if
they are not accessible by their authorized users
whenever they require them.
• Availability is the accessibility of networks, systems,
applications, and data by authorized users in a timely
fashion whenever resources are required.

• Availability can be compromised if there is a

hardware or software failure, natural disasters, power
failure, or human error.
• DDoS attacks are one of the more common reasons
for the violation of availability.
 Availability
• Availability can be ensured through network,
server, application, and service redundancy.

• Hardware fault tolerance in servers and storage

is another good countermeasure to avoid
violation of availability.

• DoS protection solutions, system upgrades,

regular software patching, comprehensive
disaster recovery plans, backups, etc. are all ways
to ensure availability.
CIA : TRIAD
 Security Threats
Define Security Threat?

Cyber threats are sometimes incorrectly

confused with vulnerabilities

The threat is not a security problem that exists

in an implementation or organization
 Security Threats
Types of Security Threats
➢ Malware Attack

➢ Social engineering Attacks

➢ Software supply chain Attacks

➢ Advanced persistent Threats (APT)

➢ Distributed denial of service (DDoS)

➢ Man-in-the-middle attack (MitM)

➢ Password attacks
 Security Threats
What is Malware Attack?
Attackers use many methods to get
malware into a user’s device, most often social
engineering.
Users may be asked to take an action, such
as clicking a link or opening an attachment.
In other cases, malware uses vulnerabilities
in browsers or operating systems to install
themselves without the user’s knowledge or
consent.
 Security Threats

• Once malware is installed, it can monitor user

activities, send confidential data to the attacker.

• It assist the attacker in penetrating other targets

within the network, and even cause the user’s
device to participate in a botnet leveraged by the
attacker for malicious intent.
 Security Threats
• Malware attacks include:
✓ Trojan virus

✓Ransomware

✓Wiper malware

✓Worms

✓Spyware

✓Fileless malware

✓Application or website manipulation

 Security Threats
(1) Trojan virus —
Tricks a user into thinking it is a harmless file. A
Trojan can launch an attack on a system and can
establish a backdoor, which attackers can use.
(2) Ransomware —
Prevents access to the data of the victim and
threatens to delete or publish it unless a ransom is paid.
(3) Wiper malware —
Intends to destroy data or systems, by
overwriting targeted files or destroying an entire file
system. Wipers are usually intended to send a political
message, or hide hacker activities after data exfiltration.
 Security Threats
(4) Worms —
This malware is designed to exploit backdoors and
vulnerabilities to gain unauthorized access to operating systems.
After installation, the worm can perform various attacks,
including Distributed Denial of Service (DDoS).
(5) Spyware —
This malware enables malicious actors to gain unauthorized
access to data, including sensitive information like payment
details and credentials. Spyware can affect mobile phones,
desktop applications, and desktop browsers.
(6) Fileless malware —
This type of malware does not require installing software on
the operating system.
 Security Threats
It makes native files such as PowerShell and WMI
editable to enable malicious functions, making them
recognized as legitimate and difficult to detect.

(7) Application or website manipulation —

OWASP outlines the top 10 application security

risks, ranging from broken access controls and security
misconfiguration through injection attacks and
cryptographic failures.
Once the vector is established through service
account acquisition, more malware, credential, or APT
attacks are launched.
 Security Threats

II. Social engineering attacks:

Social engineering attacks work by

psychologically manipulating users into
performing actions desirable to an attacker, or
divulging sensitive information.
 Security Threats
Social engineering attacks include:
✓Phishing
✓Spear Phishing
✓Malvertising
✓Drive- by Downloads
✓Scareware security software
✓Baiting
✓Vishing
✓Whaling
✓Pretexting
✓Scareware
✓Diversion theft
✓Honey trap
✓Tailgating or piggybacking
✓Pharming
 Security Threats - Social engineering attacks
(1) Phishing —
• Attackers send fraudulent correspondence that
seems to come from legitimate sources, usually
via email.
• The email may urge the user to perform an
important action or click on a link to a malicious
website, leading them to hand over sensitive
information to the attacker, or expose themselves
to malicious downloads.
• Phishing emails may include an Email attachment
infected with malware.
 Security Threats - Social engineering attacks
(2) Spear phishing —
A variant of phishing in which attackers
specifically target individuals with security
privileges or influence, such as system
administrators or senior executives.

(3) Malvertising —
online advertising controlled by hackers,
which contains malicious code that infects a
user’s computer when they click, or even just
view the ad.
Malvertising has been found on many
leading online publications.
 Security Threats - Social engineering attacks
(4) Drive-by downloads —
Attackers can hack websites and insert malicious
scripts into PHP or HTTP code on a page.
When users visit the page, Malware is directly
installed on their computer; or, The attacker’s script redirects
users to a malicious site, which performs the download.
Drive-by downloads rely on vulnerabilities in browsers
or operating systems.

(5) Scareware security software —

Pretends to scan for malware and then regularly shows
the user fake warnings and detections.
Attackers may ask the user to pay to remove the fake
threats from their computer or to register the software.
Users who comply transfer their financial details to an
attacker.
 Security Threats - Social engineering attacks
(6) Baiting —
Occurs when a threat actor tricks a target into using
a malicious device, placing a malware-infected physical
device, like a USB, where the target can find it.
Once the target inserts the device into their
computer, they unintentionally install the malware.
(7) Vishing —
Voice phishing (vishing) attacks use social
engineering techniques to get targets to divulge financial
or personal information over the phone.
(8) Whaling—
This phishing attack targets high-profile
employees (whales), such as the chief executive officer
(CEO) or chief financial officer (CFO).
The threat actor attempts to trick the target into
disclosing confidential information.
 Security Threats - Social engineering attacks
(9) Pretexting —
occurs when a threat actor lies to the target to gain access
to privileged data.
A pretexting scam may involve a threat actor pretending
to confirm the target’s identity by asking for financial or
personal data.
(10) Scareware —
A threat actor tricks the victim into thinking they
inadvertently downloaded illegal content or that their computer
is infected with malware.
Next, the threat actor offers the victim a solution to fix the
fake problem, tricking the victim into downloading and
installing malware.
(11) Diversion theft —
Threat actors use social engineers to trick a courier or
delivery company into going to a wrong drop-off or pickup
location, intercepting the transaction.
 Security Threats - Social engineering attacks
12) Honey trap —
A social engineer assumes a fake identity as an
attractive person to interact with a target online.
The social engineer fakes an online relationship and
gathers sensitive information through this relationship.
13) Tailgating or piggybacking —
Occurs when a threat actor enters a secured building by
following authorized personnel.
Typically, the staff with legitimate access assumes the
person behind is allowed entrance, holding the door open for
them.
14) Pharming —
An online fraud scheme during which a cybercriminal
installs malicious code on a server or computer.
The code automatically directs users to a fake website,
where users are tricked into providing personal data.
 Security Threats – Supply Chain Attacks
III. Software supply chain attacks
A software supply chain attack is a cyber
attack against an organization that targets weak
links in its trusted software update and supply chain.
A supply chain is the network of all
individuals, organizations, resources, activities, and
technologies involved in the creation and sale of a
product.
A software supply chain attack exploits the
trust that organizations have in their third-party
vendors, particularly in updates and patching.
 Security Threats – Supply Chain Attacks
Types of software supply chain attacks:
• Compromise of software build tools or dev/test
infrastructure
• Compromise of devices or accounts owned by
privileged third-party vendors
• Malicious apps signed with stolen code signing
certificates or developer IDs
• Malicious code deployed on hardware or
firmware components
• Malware pre-installed on devices such as
cameras, USBs, and mobile phones
 Security Threats -APT
IV. Advanced persistent threats (APT)
• When an individual or group gains unauthorized
access to a network and remains undiscovered
for an extended period of time, attackers may
exfiltrate sensitive data, deliberately avoiding
detection by the organization’s security staff.

• APTs require sophisticated attackers and involve

major efforts, so they are typically launched
against nation states, large corporations, or
other highly valuable targets.
 Security Threats -APT
• Backdoor/trojan horse malware —
Extensive use of this method enables APTs to
maintain long-term access.

• Odd database activity —

for example, a sudden increase in database
operations with massive amounts of data.

• Unusual data files —

the presence of these files can indicate data has
been bundled into files to assist in an exfiltration
process.
 Security Threats - APT
Common indicators of an APT (Advanced Persistent
Threat) presence include:
• New account creation —
The P in Persistent comes from an attacker
creating an identity or credential on the network
with elevated privileges.
• Abnormal activity —
Legitimate user accounts typically perform in
patterns.
Abnormal activity on these accounts can
indicate an APT is occurring, including noting a stale
account which was created then left unused for a
time suddenly being active.
 Security Threats - DDOS
V. Distributed denial of service (DDoS)
• The objective of a denial of service (DoS) attack is
to overwhelm the resources of a target system
and cause it to stop functioning, denying access to
its users.

• Distributed denial of service (DDoS) is a variant of

DoS in which attackers compromise a large
number of computers or other devices, and use
them in a coordinated attack against the target
system.
 Security Threats -DDOS

• DDoS attacks are often used in combination with

other cyberthreats.

• These attacks may launch a denial of service to

capture the attention of security staff and create
confusion, while they carry out more subtle
attacks aimed at stealing data or causing other
damage.
 Security Threats -DDOS
Methods of DDoS attacks include:
• Botnets — systems under hacker control that have been
infected with malware. Attackers use these bots to carry
out DDoS attacks. Large botnets can include millions of
devices and can launch attacks at devastating scale.
• Smurf attack — sends Internet Control Message Protocol
(ICMP) echo requests to the victim’s IP address. The ICMP
requests are generated from ‘spoofed’ IP addresses.
Attackers automate this process and perform it at scale to
overwhelm a target system.
• TCP SYN flood attack — attacks flood the target system
with connection requests. When the target system
attempts to complete the connection, the attacker’s device
does not respond, forcing the target system to time out.
This quickly fills the connection queue, preventing
legitimate users from connecting.
 Security Threats - MitM
(VI) Man-in-the-middle attack (MitM)
• Session hijacking —
an attacker hijacks a session between a
network server and a client. The attacking computer
substitutes its IP address for the IP address of the
client. The server believes it is corresponding with
the client and continues the session.
• Replay attack —
a cybercriminal eavesdrops on network
communication and replays messages at a later time,
pretending to be the user. Replay attacks have been
largely mitigated by adding timestamps to network
communications.
 Security Threats - MitM
• IP spoofing —
an attacker convinces a system that it is
corresponding with a trusted, known entity.
The system thus provides the attacker with
access. The attacker forges its packet with the IP
source address of a trusted host, rather than its own
IP address.
• Eavesdropping attack —
attackers leverage insecure network
communication to access information transmitted
between the client and server.
These attacks are difficult to detect because
network transmissions appear to act normally.
 Security Threats - MitM
• Bluetooth attacks
Because Bluetooth is often open in
promiscuous mode, there are many attacks,
particularly against phones, that drop contact
cards and other malware through open and
receiving Bluetooth connections.
Usually this compromise of an endpoint is a
means to an end, from harvesting credentials to
personal information.
 Security Threats - Password attacks
• A hacker can gain access to the password information
of an individual by ‘sniffing’ the connection to the
network, using social engineering, guessing, or
gaining access to a password database.
• An attacker can ‘guess’ a password in a random or
systematic way.
Password attacks include:
Brute-force password guessing — an attacker uses
software to try many different passwords, in hopes of
guessing the correct one. The software can use some
logic to trying passwords related to the name of the
individual, their job, their family, etc.
 Security Threats - Password attacks
• Dictionary attack —
a dictionary of common passwords is used to
gain access to the computer and network of the
victim. One method is to copy an encrypted file that
has the passwords, apply the same encryption to a
dictionary of regularly used passwords, and contrast
the findings.
• Pass-the-hash attack —
an attacker exploits the authentication protocol
in a session and captures a password hash (as
opposed to the password characters directly) and
then passes it through for authentication and lateral
access to other networked systems. In these attack
types, the threat actor doesn’t need to decrypt the
hash to obtain a plain text password.
 Security Violations
What is security violation?
• A security violation or infraction is any breach of
security regulations, requirements, procedures
or guidelines, whether or not a compromise
results.
• No matter how minor, any security infraction
must be reported immediately to the security
office so that the incident may be evaluated and
any appropriate action taken.
 How to protect yourself against a security
breach
• Use strong passwords:
which combine random strings of upper
and lower-case letters, numbers, and symbols.
They are much more difficult to crack than
simpler passwords.

• Use different passwords on different accounts:

If you use the same password, a hacker
who gains access to one account will be able to
get into all your other accounts.
How to protect yourself against a security
breach
• Close accounts you don't use rather than leaving
them dormant:
That reduces your vulnerability to a security
breach.
If you don't use an account, you might never
realize that it has been compromised, and it could act
as a back door to your other accounts.
• Change your passwords regularly:
One feature of many publicly reported security
breaches is that they occurred over a long period,
and some were not reported until years after the
breach.
How to protect yourself against a security
breach
• If you throw out a computer, wipe the old hard
drive properly:
Don't just delete files; use a data
destruction program to wipe the drive completely,
overwriting all the data on the disk.
• Back up your files:
Some data breaches lead to the
encryption of files and a ransomware demand to
make them available again to the user. If you have
a separate backup on a removable drive, your
data is safe in the event of a breach.
How to protect yourself against a security
breach
• Secure your phone:
Use a screen lock and update your phone's
software regularly.
Don’t root or jailbreak your phone. Rooting a
device gives hackers the opportunity to install their
own software and to change the settings on your
phone.
• Secure your computer and other devices by using
anti-virus and anti-malware software.
Kaspersky Antivirus is a good choice to keep your
computer free from infection and ensure that hackers
can't get a foothold in your system.
How to protect yourself against a security
breach
• Be careful where you click:
Unsolicited emails which include links to
websites may be phishing attempts. Some may
purport to be from your contacts.
• When you're accessing your accounts, make sure
you're using the secure HTTPS:
protocol and not just HTTP.
• Monitoring your bank statements and credit
reports helps keep you safe:
Stolen data can turn up on the dark web years
after the original data breach
 Security Policy and Mechanism
Define Security Policy?
A security policy is a statement of what is,
and what is not, allowed.
Define Security Mechanism?
A security mechanism is a method, tool, or
procedure for enforcing a security policy.
Mechanisms can be nontechnical, such as
requiring proof of identity before changing a
password
in fact
Policies often require some procedural
mechanisms that technology cannot enforce
 Security Policy and Mechanism
EXAMPLE:
Suppose a university’s computer science
laboratory has a policy that prohibits any student
from copying another student’s homework files.
The computer system provides mechanisms
for preventing others from reading a user’s files.
person fails to use these mechanisms to
protect her homework files, and Bill copies them.
A breach of security has occurred, because
Bill has violated the security policy.
person failure to protect her files does not
authorize Bill to copy them
 Security Policy and Mechanism
• In this above example:
- Student could easily have protected her
files.
- In other environments, such protection may
not be easy.
For example, the Internet provides only the
most rudimentary security mechanisms, which are
not adequate to protect information sent over that
network.
Nevertheless, acts such as the recording of
passwords and other sensitive information violate
an implicit security policy of most sites (specifically,
that passwords are a user’s confidential property
and cannot be recorded by anyone)
 Security Policy and Mechanism
• Policies may be presented mathematically, as a list
of allowed (secure) and disallowed (nonsecure)
states.
• we will assume that any given policy provides an
axiomatic description of secure states and non
secure states.
• In practice, policies are rarely so precise; they
normally describe in English what users and staff
are allowed to do.
• The ambiguity inherent in such a description
leads to states that are not classified as “allowed”
or “disallowed.
 Security Policy and Mechanism
• For example:
consider the homework policy discussed above.
• If someone looks through another user’s directory
without copying homework files,
is that a violation of security?
• The answer depends on site custom, rules,
regulations, and laws,
all of which are outside our focus and may
change over time.
 Security Policy and Mechanism
• When two different sites communicate or
cooperate, the entity they compose has a
security policy based on the security policies of
the two entities.
• If those policies are inconsistent, either or both
sites must decide what the security policy for the
combined site should be.
The inconsistency often manifests itself as a
security breach.
 Security Policy and Mechanism
For example:
• If proprietary documents were given to a
university, the policy of confidentiality in the
corporation would conflict with the more open
policies of most universities.
• The university and the company must develop a
mutual security policy that meets both their
needs in order to produce a consistent policy.
• Two sites communicate through an independent
third party, such as an Internet service provider,
the complexity of the situation grows rapidly.
 GOALS OF SECURITY
• Given a security policy’s specification of “secure”
and “nonsecure” actions, these security
mechanisms can prevent the attack, detect the
attack, or recover from the attack.
• The strategies may be used together or
separately.
• Prevention means that an attack will fail.
For example, if one attempts to break into
a host over the Internet and that host is not
connected to the Internet, the attack has been
prevented.
 GOALS OF SECURITY
• Prevention involves implementation of
mechanisms that users cannot override and that
are trusted to be implemented in a correct,
unalterable way, so that the attacker cannot
defeat the mechanism by changing it.

• Simple preventative mechanisms, such as

passwords (which aim to prevent unauthorized
users from accessing the system), have become
widely accepted
 GOALS OF SECURITY
• Detection is most useful when an attack cannot
be prevented, but it can also indicate the
effectiveness of preventative measures.
• Detection mechanisms accept that an attack will
occur;
• The goal is to determine that an attack is under
way, or has occurred, and report it.
• The attack may be monitored, however, to
provide data about its nature, severity, and
results.
 GOALS OF SECURITY
• Example: such a mechanism is one that gives a
warning when a user enters an incorrect
password three times.
• The login may continue, but an error message in
a system log reports the unusually high number
of mistyped passwords.
• Detection mechanisms do not prevent
compromise of parts of the system, which is a
serious drawback.
• The resource protected by the detection
mechanism is continuously or periodically
monitored for security problems.
 GOALS OF SECURITY
• Recovery has two forms.
• The first is to stop an attack and to assess and
repair any damage caused by that attack.
Example:
• if the attacker deletes a file, one recovery
mechanism would be to restore the file from
backup tapes.
• Recovery is far more complex, because the nature
of each attack is unique.
• The type and extent of any damage can be
difficult to characterize completely.
 GOALS OF SECURITY
• In a second form of recovery, the system
continues to function correctly while an attack is
under way.
• This type of recovery is quite difficult to
implement because of the complexity of
computer systems.
• It draws on techniques of fault tolerance as well
as techniques of security and is typically used in
safety-critical systems.
• The system may disable nonessential
functionality
 Assumptions and Trust
• How do we determine if the policy correctly
describes the required level and type of security
for the site?
ANS:
• This question lies at the heart of all security,
computer and otherwise.

• Security rests on assumptions specific to the type

of security required and the environment in which
it is to be employed
 Assumptions and Trust
EXAMPLE:
• Opening a door lock requires a key.
• The assumption is that the lock is secure against
lock picking.
• This assumption is treated as an axiom and is
made because most people would require a key to
open a door lock.
• A good lock picker, however, can open a lock
without a key.
• Hence, in an environment with a skilled,
untrustworthy lock picker, the assumption is
wrong and the consequence invalid.
 Assumptions and Trust
• If the lock picker is trustworthy, the assumption is
valid.
• The term “trustworthy” implies that the lock picker
will not pick a lock unless the owner of the lock
authorizes the lock picking.
• This is another example of the role of trust.
• A welldefined exception to the rules provides a
“back door” through which the security mechanism
(the locks) can be bypassed.
• The trust resides in the belief that this back door
will not be used except as specified by the policy.
• If it is used, the trust has been misplaced and the
security mechanism (the lock) provides no security.
 Assumptions and Trust
• Like the lock example:
A policy consists of a set of axioms that the policy
makers believe can be enforced.
Designers of policies always make two assumptions.
• First, the policy correctly and unambiguously
partitions the set of system states into “secure”
and “nonsecure” states.
• Second, the security mechanisms prevent the
system from entering a “nonsecure” state.
• If either assumption is erroneous, the system will
be nonsecure
 Assumptions and Trust
• Two assumptions are fundamentally different.
• The first assumption asserts that the policy is a
correct description of what constitutes a “secure”
system.
Example:
Bank policy shift Money – Authorize person
• The second assumption says that the security
policy can be enforced by security mechanisms.
These mechanisms are either secure, precise, or
broad.
 Assumptions and Trust

Q = set of secure states (as specified by the security policy).

R = security mechanisms restrict the system to some set of
states.
P = set of all possible states.
 Assumptions and Trust
Trusting that mechanisms work requires several
assumptions.
1. Each mechanism is designed to implement one or
more parts of the security policy.

2. The union of the mechanisms implements all aspects

of the security policy.

3. The mechanisms are implemented correctly.

4. The mechanisms are installed and administered

correctly.
 Security Assurance
• Trust cannot be quantified precisely.

• System specification, design, and implementation

can provide a basis for determining “how much”
to trust a system.

• This aspect of trust is called assurance.

• It is an attempt to provide a basis for bolstering

(or substantiating or specifying) how much one
can trust a system.
Security Assurance
 Security Assurance
• The three technologies (certification,
manufacturing standards, and preventative
sealing) provide some degree of assurance that
the aspirin is not contaminated.

• The degree of trust the purchaser has in the

purity of the aspirin is a result of these three
processes.
 Security Assurance
• Assurance in the computer world is similar.
• It requires specific steps to ensure that the computer
will function properly.
• The sequence of steps includes detailed
specifications of the desired (or undesirable)
behavior;
• an analysis of the design of the hardware, software,
and other components to show that the system will
not violate the specifications;
• and arguments or proofs that the implementation,
operating procedures, and maintenance procedures
will produce the desired behavior
Security Assurance
 Security Assurance
Specification:
• A specification is a (formal or informal) statement
of the desired functioning of the system.
• It can be highly mathematical, using any of several
languages defined for that purpose.
• It can also be informal,
for example, English to describe what the
system should do under certain conditions.
• The specification can be low-level, combining
program code with logical and temporal
relationships to specify ordering of events.
• The defining quality is a statement of what the
system is allowed to do or what it is not allowed to
do.
 Security Assurance
Specification - EXAMPLE:
• A company is purchasing a new computer for
internal use.
• They need to trust the system to be invulnerable
to attack over the Internet.
• One of their (English) specifications would read
“The system cannot be attacked over the
Internet.”
• Specifications are used not merely in security but
also in systems designed for safety, such as
medical technology
 Security Assurance

Specification –
• A major part of the derivation of specifications
is determination of the set of requirements
relevant to the system’s planned use
 Security Assurance

Design:
• The design of a system translates the
specifications into components that will
implement them.

• The design is said to satisfy the specifications if,

under all relevant circumstances, the design will
not permit the system to violate those
specifications.
 Security Assurance
EXAMPLE:
• A design of the computer system for the
company mentioned above had no network
interface cards, no modem cards, and no network
drivers in the kernel.

• This design satisfied the specification because the

system would not connect to the Internet.

• Hence it could not be attacked over the Internet.

 Security Assurance
Implementation:
• Given a design, the implementation creates a
system that satisfies that design.
• If the design also satisfies the specifications, then
by transitivity the implementation will also satisfy
the specifications.
• The difficulty at this step is the complexity of
proving that a program correctly implements the
design and, in turn, the specifications.
• DEFINITION: A program is correct if it
implementation performs as specified.
 Security Assurance
• Proofs of correctness require each line of source
code to be checked for mathematical correctness.

• Each line is seen as a function, transforming the

input (constrained by preconditions) into some
output.

• Each routine is represented by the composition of

the functions derived from the lines of code
making up the routine.
 Security Assurance
verify the correctness of a system
✓There are three difficulties in this process.
• First, the complexity of programs makes their
mathematical verification difficult.
• Second, program verification assumes that the
programs are compiled correctly, linked and
loaded correctly, and executed correctly
• Third, if the verification relies on conditions on
the input, the program must reject any inputs
that do not meet those conditions. Otherwise,
the program is only partially verified
 Operational Issues
• Any useful policy and mechanism must balance
the benefits of the protection against the cost of
designing, implementing, and using the
mechanism.

• This balance can be determined by analyzing the

risks of a security breach and the likelihood of it
occurring.

• Such an analysis is, to a degree, subjective,

because in very few situations can risks be
rigorously quantified.
 Operational Issues

1) Cost-Benefit Analysis

2) Risk Analysis

3) Laws and Customs

 Operational Issues
1.) Cost-Benefit Analysis
• Like any factor in a complex system, the benefits
of computer security are weighed against their
total cost.
• If the data or resources cost less, or are of less
value, than their protection, adding security
mechanisms and procedures is not cost-
effective because the data or resources can be
reconstructed more cheaply than the
protections themselves.
• Unfortunately, this is rarely the case.
 Operational Issues
1.) Cost-Benefit Analysis
EXAMPLE:
• A database provides salary information to a
second system that prints checks.
• If the data in the database is altered, the
company could suffer grievous financial loss;
• Hence, even a cursory cost-benefit analysis
would show that the strongest possible integrity
mechanisms should protect the data in the
database.
 Operational Issues
1.) Cost-Benefit Analysis
• Now suppose the company has several branch
offices, and every day the database downloads a
copy of the data to each branch office.
• The branch offices use the data to recommend
salaries for new employees.
• However, the main office makes the final decision
using the original database (not one of the copies).
• In this case, guarding the integrity of the copies is
not particularly important, because branch offices
cannot make any financial decisions based on the
data in their copies.
• Hence, the company cannot suffer any financial
loss.
 Operational Issues
2.) Risk Analysis:
• To determine whether an asset should be
protected, and to what level, requires analysis
of the potential threats against that asset and
the likelihood that they will materialize.

• The level of protection is a function of the

probability of an attack occurring and the
effects of the attack should it succeed
 Operational Issues
2.) Risk Analysis - Example:
First, risk is a function of environment.
• Attackers from a foreign country are not a
threat to the company when the computer is
not connected to the Internet.
• If foreign attackers wanted to break into the
system, they would need physically to enter the
company (and would cease to be “foreign”
because they would then be “local”).
• But if the computer is connected to the
Internet, foreign attackers become a threat
because they can attack over the Internet.
 Operational Issues
Second, the risks change with time.
• If a company’s network is not connected to the Internet,
there seems to be no risk of attacks from other hosts on
the Internet.
• However, despite any policies to the contrary, someone
could connect a modem to one of the company
computers and connect to the Internet through the
modem.
• Third, many risks are quite remote but still exist. In the
modem example, the company has sought to minimize the
risk of an Internet connection.
• Hence, this risk is “acceptable” but not nonexistent. As a
practical matter, one does not worry about acceptable
risks; instead, one worries that the risk will become
 Operational Issues
3.) Laws and Customs
• Laws restrict the availability and use of technology
and affect procedural controls.
• Any policy and any selection of mechanisms must take
into account legal considerations.
Example:
U.S. software company worked with a computer
manufacturer in London, the U.S. company could not
send cryptographic software to the manufacturer.
The U.S. Company first would have to obtain a
license to export the software from the United States.
Any security policy that depended on the London
manufacturer using that cryptographic software would
need to take this into account.
 Operational Issues
• Suppose the law makes it illegal to read a
user’s file without the user’s permission.

• An attacker breaks into the system and begins

to download users’ files.

• If the system administrators notice this and

observe what the attacker is reading, they will
be reading the victim’s files without his
permission and therefore will be violating the
law themselves.
 Operational Issues
• Laws are not the only constraints on policies and selection
of mechanisms.

• Society distinguishes between legal and acceptable

practices. It may be legal for a company to require all its
employees to provide DNA samples for authentication
purposes, but it is not socially acceptable.

• Requiring the use of Social Security numbers as passwords

is legal (unless the computer is one owned by the U.S.
government) but also unacceptable.

• These practices provide security but at an unacceptable

cost, and they encourage users to evade or otherwise
overcome the security mechanisms.
 Operational Issues
• The issue that laws and customs raise is the issue
of psychological acceptability.
• A security mechanism that would put users and
administrators at legal risk would place a burden
on these people that few would be willing to bear;
thus, such a mechanism would not be used.
• An unused mechanism is worse than a nonexistent
one, because it gives a false impression that a
security service is available.
• Hence, users may rely on that service to protect
their data, when in reality their data is
unprotected.
 Security Life Cycle

• Each stage of the cycle feeds back to the

preceding stage, and through that stage to all
earlier stages.

• The operation and maintenance stage is critical

to the life cycle.
Security Life Cycle