Information Security
(Week 3)
Instructor: Muhammad Noman Sohail
Importance of Data Security
Data security forms the cornerstone of information security: it safeguards sensitive information,
supports regulatory compliance, and maintains trust. Its key elements are the confidentiality,
integrity and availability of sensitive information.
Significance within Information Security:
• Compliance: Adherence to regulations (GDPR, HIPAA, etc.).
• Risk Mitigation: Minimizing threats and potential breaches.
• Trust & Reputation: Building confidence among stakeholders.
Role in Business Continuity
• Ensuring uninterrupted operations and mitigating disruptions.
• Continuous evolution of controls to combat emerging threats
Target Data for Attackers:
• Trade Secrets, Customer Personal Information, Financial Information, Corporate Strategies and Plans,
Employee Information, Government Classified Information
Why Data is Targeted by Cybercriminals?
Financial Gain:
• Data such as financial records, credit card details, or bank account information holds direct monetary value.
• Ransomware attacks encrypt data and demand payment to restore access; "double extortion" variants also
threaten to publish the stolen data unless the victim pays.
Strategic Advantage:
• Theft of intellectual property (IP) provides competitors or adversaries with a significant advantage.
• Industrial espionage aims to gain access to proprietary technology, strategic plans, or product roadmaps.
Personal Information Exploitation:
• Personal data like Social Security numbers is valuable for identity theft schemes.
• Privacy breaches lead to harmful consequences for affected individuals.
Market Demand and Sale:
• Stolen data is sold on the dark web, including personal information, login credentials, and medical records.
Easy Monetization:
• Data theft offers high potential returns for relatively low risk compared to other criminal activities.
How much security?
• Total security is unachievable
• A trade-off: more security often means
• higher cost
• less convenience / productivity / functionality
• Security measures should be as invisible as possible
• cannot irritate users or slow down the software (too much)
• example: forcing a password change every day
• users will find a workaround, or just stop using it
• Choose security level relevant to your needs
How to get secure?
• Protection, detection, reaction
• Know your enemy: types of attacks, typical tricks,
commonly exploited vulnerabilities
• Attackers don’t create security holes and vulnerabilities
• they exploit existing ones
• Software security:
• Two main sources of software security holes:
architectural flaws and implementation bugs
• Think about security in all phases
of software development
• Follow standard software development procedures
Protection, detection, reaction
An ounce of prevention is worth a pound of cure
• better to protect than to recover
Detection is necessary because total prevention
is impossible to achieve
Without some kind of reaction, detection is useless
• like a burglar alarm that no one listens to or responds to
Protection, detection, reaction
• Each of the three elements is important
• Security solutions too often focus on prevention only
• (Network/Host) Intrusion Detection Systems –
tools for detecting network and system level attacks
• For some threats, detection (and therefore reaction)
is not possible, so strong protection is crucial
• example: eavesdropping on Internet transmission
Is a particular security measure good?
(Questions proposed by Bruce Schneier)
• What problem does it solve?
• whether it really solves the problem you have
• How well does it solve the problem?
• will it work as expected?
• What new problems does it add?
• it adds some for sure
• What are the economic and social costs?
• cost of implementation, lost functionality or productivity
• Given the above, is it worth the costs?
Security through obscurity … ?
• Security through obscurity – hiding design
or implementation details to gain security:
• keeping secret not the key, but the encryption
algorithm,
• hiding a DB server under a name different from “db”, etc.
• The idea doesn't work as the only line of defence
• it's difficult to keep secrets (e.g. source code gets stolen or leaked)
• if the security of a system depends on one secret, then,
once it's no longer a secret, the whole system is compromised
• secret algorithms, protocols etc. will not get reviewed, so flaws won't be spotted and
fixed, which means less security
• Systems should be secure by design, not by obfuscation
• Security AND obscurity: hiding details can be an extra layer on top of a design that
is secure on its own, but never a substitute for one
Aspects of Security
• Security attack
Any action that compromises the security of information owned by an
organization.
• Security mechanism
A process that is designed to detect, prevent or recover from a security attack.
• Security service
A service that enhances the security of the data processing systems and the
information transfers of an organization.
These services are intended to counter security attacks, and they make use of one or
more security mechanisms to provide the service.
Security Services
□ Enhance security of data processing systems and information transfers of an organization
□ Intended to counter security attacks
□ Using one or more security mechanisms
□ X.800 defines a security service as
“a service provided by a protocol layer of communicating open systems, which
ensures adequate security of the systems or of data transfers”
OSI Security Architecture
• International Telecommunication Union (ITU-T) Recommendation X.800 defines the
security architecture for OSI
• Defines a systematic way of defining and providing security requirements
Security Attacks Classification
• Any action that compromises the security of information owned by an
organization
• Information security is about how to prevent attacks, or failing that, to
detect attacks
• Classification according to X.800
• Passive attack
• Active attack
Security Attacks
• Threat to Confidentiality
• Snooping
• Traffic Analysis
• Threat to Integrity
• Modification
• Masquerading
• Replaying
• Repudiation
• Threat to Availability
• Denial of Service
Protection
• In one protection model, a computer consists of a collection of objects, hardware or
software
• Each object has a unique name and can be accessed through a well-defined set of
operations
• Protection problem - ensure that each object is accessed correctly and only by those
processes that are allowed to do so
Principles of Protection
Guiding principle – principle of least privilege
• Programs, users and systems should be given just enough privileges to
perform their tasks
• Limits damage if entity has a bug, gets abused
• Can be static (during life of system, during life of process)
• Or dynamic (changed by process as needed) – domain switching, privilege
escalation
• “Need to know” a similar concept regarding access to data
Must consider “grain” aspect
• Coarse-grained privilege management is easier and simpler, but least privilege is then
applied only in large chunks
• Fine-grained management is more complex and has more overhead, but is more protective
• File ACLs, RBAC
Domain can be user, process, procedure
Access Control Models
Mandatory Access Control (MAC)
It is a security model where access decisions to resources are determined by security labels assigned
by system administrators. These labels define the sensitivity levels of resources and are governed by
predetermined security policies.
Based on security label system
Users given security clearance and data is classified
Used where confidentiality is of utmost importance
MAC is considered a policy-based control
Every object and subject is given a sensitivity label
o Classification level
• Secret, Top secret, Confidential, etc.
o Category
• Information warfare, Treasury, UN, etc.
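As an added example (not part of the lecture slides), the label system described above implemented as a Bell-LaPadula style check in Python: every subject and object carries a classification level plus a set of categories, a subject may read an object only if its clearance dominates the object's label (no read up), and may write only if the object's label dominates its clearance (no write down). The level ordering, the `Label` class and the sample labels are assumptions made for illustration; the categories reuse the ones named on the slide.

```python
"""Added example: Bell-LaPadula style label check for Mandatory Access Control.

A label is (classification level, set of categories).  Label A dominates
label B when A's level is at least B's level AND A's categories are a
superset of B's.  Names and sample labels are constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet

# Ordered classification levels; a higher index means more sensitive (assumed ordering).
LEVELS = ("Unclassified", "Confidential", "Secret", "Top Secret")


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.level not in LEVELS:
            raise ValueError(f"unknown classification level: {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        """True when self is at least as high as other in the lattice:
        at least as high a level AND a superset of the categories."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.categories >= other.categories)


def may_read(subject: Label, obj: Label) -> bool:
    """Simple security property ("no read up"): the subject's clearance
    must dominate the object's label."""
    return subject.dominates(obj)


def may_write(subject: Label, obj: Label) -> bool:
    """*-property ("no write down"): the object's label must dominate the
    subject's clearance, so data cannot flow into a less sensitive object."""
    return obj.dominates(subject)


# Constructed sample labels (not from any real system).
analyst = Label("Secret", frozenset({"Treasury"}))
treasury_report = Label("Confidential", frozenset({"Treasury"}))
un_cable = Label("Confidential", frozenset({"UN"}))
top_secret_plan = Label("Top Secret", frozenset({"Treasury"}))

if __name__ == "__main__":
    print(may_read(analyst, treasury_report))   # True: Secret/{Treasury} dominates Confidential/{Treasury}
    print(may_read(analyst, un_cable))          # False: higher level, but the UN category is missing
    print(may_read(analyst, top_secret_plan))   # False: no read up
    print(may_write(analyst, top_secret_plan))  # True: writing up is permitted
    print(may_write(analyst, treasury_report))  # False: no write down
```

The second check is the one that catches people out: a higher clearance level is not enough on its own, because categories (compartments) are compared as sets, so a Secret/{Treasury} subject still cannot read a Confidential/{UN} object.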
Access Control Models
Role-Based Access Control (RBAC)
Permissions are associated with roles aligned with users' responsibilities. Administrators manage
access control by assigning roles to users rather than permissions to individuals.
Enhanced Security:
• Access to resources is controlled using predefined roles.
• Users only access those resources permitted by their roles.
• Restricts unauthorized access to sensitive information.
RBAC ensures that users have the necessary access permissions based on their roles, making
access management more efficient and enhancing overall security by limiting unnecessary
access to sensitive data.
Access Control Models
Discretionary Access Control (DAC)
Allows the owner of the resource to specify which subjects can access which resources
Access control is at the discretion of the owner
DAC defines an access control policy
• that restricts access to files and other system resources based on the identity of the subject
DAC can be implemented through Access Control Lists (ACLs)
Access Control Models
Access Matrix (rows are domains, columns are objects; a cell lists the operations the domain may perform on the object, an empty cell means no access):

            F1            F2      F3            Printer
  D1        read                  read
  D2                                            print
  D3                      read    execute
  D4        read, write           read, write
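As an added example (not code from the lecture), the access matrix above implemented in Python as the protection check the slides describe: the cell (domain, object) decides whether an operation is allowed, missing cells default to deny, and the same matrix is shown in its two usual storage forms, per-object access control lists (the columns, which is how DAC is implemented) and per-domain capability lists (the rows). A `Process` runs in one domain at a time and so holds only that row's rights, which is least privilege in practice. The "switch" rights that let a process move between domains model the dynamic domain switching mentioned earlier; they are an added assumption and are not on the slide.

```python
"""Added example: the lecture's access matrix as a protection check.

Matrix contents are those of the slide (D1..D4 versus F1, F2, F3, Printer).
The 'switch' rights and the Process class are assumptions added to show
domain switching and least privilege; they are not part of the slide.
"""
from typing import Dict, FrozenSet

Matrix = Dict[str, Dict[str, FrozenSet[str]]]

ACCESS_MATRIX: Matrix = {
    "D1": {"F1": frozenset({"read"}), "F3": frozenset({"read"})},
    "D2": {"Printer": frozenset({"print"})},
    "D3": {"F2": frozenset({"read"}), "F3": frozenset({"execute"})},
    "D4": {"F1": frozenset({"read", "write"}), "F3": frozenset({"read", "write"})},
}

# Added assumption: domains are also objects, and a 'switch' right in cell
# (Di, Dj) lets a process running in Di move to Dj.
ACCESS_MATRIX["D1"]["D2"] = frozenset({"switch"})
ACCESS_MATRIX["D2"]["D3"] = frozenset({"switch"})


def is_allowed(matrix: Matrix, domain: str, obj: str, op: str) -> bool:
    """Core protection check: op must appear in cell (domain, obj).
    A missing row or cell means no rights at all (default deny)."""
    return op in matrix.get(domain, {}).get(obj, frozenset())


def acl(matrix: Matrix, obj: str) -> Dict[str, FrozenSet[str]]:
    """Column view: for one object, which domains hold which rights.
    This is the access control list used by DAC implementations."""
    return {d: rights[obj] for d, rights in matrix.items() if obj in rights}


def capability_list(matrix: Matrix, domain: str) -> Dict[str, FrozenSet[str]]:
    """Row view: everything one domain may do (its capability list)."""
    return dict(matrix.get(domain, {}))


class Process:
    """A process executes in exactly one domain and gets only that row's rights."""

    def __init__(self, matrix: Matrix, domain: str) -> None:
        self.matrix = matrix
        self.domain = domain

    def access(self, obj: str, op: str) -> bool:
        return is_allowed(self.matrix, self.domain, obj, op)

    def switch(self, new_domain: str) -> bool:
        """Dynamic privilege change: only allowed if the current domain holds
        a 'switch' right on the target domain."""
        if is_allowed(self.matrix, self.domain, new_domain, "switch"):
            self.domain = new_domain
            return True
        return False


if __name__ == "__main__":
    p = Process(ACCESS_MATRIX, "D1")
    print(p.access("F1", "read"))         # True
    print(p.access("F1", "write"))        # False: D1 may only read F1
    print(p.access("Printer", "print"))   # False: not in D1's row
    print(p.switch("D2"))                 # True: D1 holds 'switch' on D2
    print(p.access("Printer", "print"))   # True: now running in D2
    print(p.switch("D4"))                 # False: no switch right from D2 to D4
    print(sorted(acl(ACCESS_MATRIX, "F3")))           # ['D1', 'D3', 'D4']
```

Storing the matrix by column (ACLs) makes "who can touch this object?" cheap and revocation easy; storing it by row (capability lists) makes "what can this process do?" cheap. Real systems usually combine both, e.g. file ACLs on disk with per-process capabilities (open file descriptors) in memory.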