Information Security
Rabie A. Ramadan
GUC, Cairo
[email protected]
Room C7 -310
Lecture 2
DAD Triad

Complement of CIA Triad
• Disclosure
• Alteration, and
• Denial
2
DAD Triad




Disclosure
• Unauthorized individuals gain access to confidential
information
Alteration
• Data is modified through some unauthorized
mechanism
Denial
• Authorized users cannot gain access to a system for
legitimate purposes
DAD activities may be malicious or accidental
Network Security

Security considerations include:
• Physical security
• Operating System security
• Windows, Linux, UNIX
• Communication security
• Encryption
• Firewalls
• Intrusion detection systems
Threats , vulnerability, Risk , and
Attacks

Crossing the water to the right is a Threat
to the man.
• Ex. The existence of a particular virus
for example

Crossing the water through the wall crack
is a Vulnerability.
• Ex. (Computer) Open ports
5
Threats , vulnerability, Risk , and
Attacks

Risk
• Occurs when a threat and a
corresponding vulnerability both
exist

Somebody or another system destroyed
the wall is an Attack
• Ex. (Computer) sending an
overwhelming set of messages to
another system to block it.
6
Threats , vulnerability, Risk ,
and Attacks
Threats
7
Threats to Security

Hacker
• Anyone who attempts to penetrate the security of an
information system, regardless of intent
• Early definition included anyone very proficient in computer
use

Malicious insider
• Someone from within the organization that attempts to go
beyond the rights and permissions that they legitimately hold
• Security professionals and system administrators are
particularly dangerous
Threats to Security

Malicious code object
•
•
•

Virus, a program that attaches itself to a program or file so it can
spread from one computer to another, leaving infections as it travels.
Worm, a program that takes advantage of file or information transport
features on your system, which allows it to travel unaided. The biggest
danger with a worm is its capability to replicate itself on your system.
e.g. sending itself to all of the e-mail list in your computer.
Trojan horse, a program that at first glance will appear to be useful
software but will actually do damage once installed or run on your
computer. It usually appears that is coming from a trusted source
A computer program that carries out malicious actions
when run on a system
Threat + Vulnerability = Risk
Risk analysis, assessment , and managing are
required
10
Risk Analysis

Actions involved in risk analysis:

Security professionals formalize the risk
analysis process
• Determine which assets are most valuable
• Identify risks to assets
• Determine the likelihood of each risk occurring
• Take action to manage the risk
Asset Valuation

Step 1 in risk analysis process: Asset valuation
• Identify the information assets in the organization
• Hardware, software, and data
• Assign value to those assets using a valuation method
Asset Valuation

Common Valuation Methods
• Replacement cost valuation
• Replacement cost (also called current cost accounting or
CCA) values assets based on what it would cost to replace
them if they were acquired today.
• For example, if Utility Company were placing this same
plant today, the materials would cost $530,000 and the
installation would cost $56,000. The replacement cost value
is $586,000.
Asset Valuation
•
Original cost valuation
• Original cost (also called historic cost accounting or
HCA) values assets based on what the company actually
spent for the assets when they were acquired.
• Example: In 1990, Utility Company spent $500,000 to
purchase the materials for its fixed lines and $50,000 to
install them. The original cost value of these assets is
$550,000 before depreciation.
14
Asset Valuation
•
•
Depreciated valuation
• Uses the original cost less an allowance for value
deterioration (original value – how much drop in its
price since purchased)
Qualitative valuation
• Assigns priorities to assets without using dollar values
15
Risk Assessment

Step 2 in risk analysis process: Risk assessment

Risk assessment techniques:
• Qualitative
• Quantitative
Risk Assessment

Qualitative Risk Assessment:
• Focuses on analyzing intangible properties of an asset
rather than financial value
• Prioritizes risks to aid in the assignment of security
resources
• Relatively easy to conduct
Risk Assessment

Quantitative Risk Assessment
•
•
•
•
•

Assigns dollar values to each risk based on measures such as:
• asset value (AV),
exposure factor (EF), expected portion (%) that can be destroyed by a
given risk
annualized rate of occurrence(ARO), number of times you expect the risk
to occur
single loss expectancy (SLE), amount of damage each time the risk occur
(AV* EF)
annualized loss expectancy (ALE) amount of damage each year from a
given risk (ARO * SLE)
Uses potential loss amount to decide if it is worth
implementing a security measure
Managing Risks

Risk Avoidance

Risk Mitigation
• Used when a risk overwhelms the benefits gained from
having a particular mechanism available
• Avoid any possibility of risk by disabling the
mechanism that is vulnerable
• Disabling e-mail is an example of risk avoidance
• Used when a threat poses a great risk to a system
• Takes preventative measures to reduce the risk
• A firewall is an example of risk mitigation
Managing Risk

Risk Acceptance

Risk Transference

Combinations of the above techniques are
often used
• Do nothing to prevent or avoid the risk
• Useful when risk or potential damage is small
• Ensure that someone else is liable if damage occurs
• Buy insurance for example
Security Tradeoffs

Security can be seen as a tradeoff between risks
and benefits
• Cost of implementing the security mechanism and the
amount of damage it may prevent

Tradeoff considerations:
• user convenience
• business goals
• expenses
Threats , vulnerability, Risk , and
Attacks
Attacks
22
Attacks

•
•

•
Passive Attacks
Attempts to learn or make use of information from the system
but does not affect system resources.
Eavesdropping or monitoring of transmissions
Active Attacks
Attempts to alter system resources or affect their operation.
23
Passive Attacks

Release of message contents / snooping
24
Passive Attacks (Cont.)

Traffic Analysis/ spoofing

Passive Attacks are hard to be detected
25
Active Attacks

•
Masquerade
One entity pretends to be a different entity
26
Active Attacks (Cont.)

•
Replay Attack
Passive capture of a data unit and its subsequent retransmission
to produce an unauthorized effect.
27
Active Attacks (Cont.)

Modification Attack
•
Some portion of a legitimate message is altered, or that messages
are reordered, to produce an unauthorized effect
28
Active Attacks (Cont.)

•
Denial of Service
Prevents or inhibits the normal use or management of
communications facilities
29