CompTIA Security Study Guide

• Understand the definition of information security
• Comprehend the history of computer security and how it evolved into information security
• Understand the key terms and critical concepts of information security as presented in the chapter
• Outline the phases of the security systems development life cycle
• Understand the roles of professionals involved in information security within an organization
• According to a report by Serianu, a pan-African cybersecurity and business consulting firm, Kenya's economy lost more than Ksh. 29.5 billion to cyber attacks in 2018.
• The Communications Authority of Kenya further reported that cyber threats rose over 10% in the first quarter of 2019.
• The National Cybersecurity Centre detected 51.9 million threats in the period 2018-2019, compared with 22.1 million threats recorded in 2017-2018.
• E-commerce platforms like Jumia Technologies have not been spared either, with the platform reporting a loss of Ksh. 118 million in the past two years due to cyber fraud.
• Barclays Bank lost Ksh. 11 million in April 2019.
• Therefore cybersecurity is a key concern for many companies in Kenya and around the world.
• Cyber security in Kenya is governed by various provisions of law, including:
◦ Article 31 of the Constitution of Kenya 2010
◦ The Kenya Information and Communications Act No. 2 of 1998
◦ The Computer Misuse and Cybercrimes Act No. 5 of 2018
◦ The Data Protection Act No. 24 of 2019
• Began immediately after the first mainframes were developed
• Created to aid code-breaking computations during World War II
• Physical controls to limit access to sensitive military locations to authorized personnel: badges, keys, and facial recognition
• Rudimentary in defending against physical theft, espionage, and sabotage
• Late 1970s: the microprocessor expanded computing capabilities and security threats
◦ From mainframe to PC
◦ Decentralized computing
◦ Need for sharing resources increased
◦ Major change in computing
• Networks of computers became more common; so too did the need to interconnect networks
• The Internet became the first manifestation of a global network of networks
• In early Internet deployments, security was treated as a low priority
◦ Many of the problems that plague e-mail on the Internet are the result of this early lack of security
• The Internet brings millions of computer networks into communication with each other—many of them unsecured
• The ability to secure a computer's data is influenced by the security of every computer to which it is connected
• "The quality or state of being secure—to be free from danger"
• A successful organization should have multiple layers of security in place:
◦ Physical security
◦ Personal security
◦ Operations security
◦ Communications security
◦ Network security
◦ Information security
• The protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information
• Necessary tools: policy, awareness, training, education, technology
• The C.I.A. triangle was the standard, based on confidentiality, integrity, and availability
• The C.I.A. triangle has now been expanded into a list of critical characteristics of information
• Confidentiality
◦ The concealment of information or resources. Only those with sufficient privileges may access certain information. Confidentiality is about preventing unauthorized users from accessing information to which they are not entitled. The need for keeping information secret arises from the use of computers in sensitive fields such as government and industry.
A crucial aspect of confidentiality is user identification and authentication. Positive identification of each system user is essential to ensuring the effectiveness of policies that specify who is allowed access to which data items.
◦ Some threats: hackers, masqueraders, unauthorized users, unprotected download of files, Trojan horses, LANs
• Integrity
◦ Integrity is the quality or state of being whole, complete, and uncorrupted, i.e. preventing, detecting, and deterring improper modification of information.
◦ Integrity refers to the trustworthiness of data or resources and is usually phrased in terms of preventing improper or unauthorized change. Integrity includes data integrity (the content of the information) and origin integrity (the source of the data).
◦ In a general system, integrity is about ensuring that the system state has not been modified by those not authorized to do so.
◦ Integrity mechanisms fall into two categories:
▪ Preventive
▪ Detective
• Availability
◦ Making information accessible to users without interference or obstruction
◦ Keep the system running and reachable

[Figure: CIA triad]
• Authentication: occurs when a control provides proof that a user possesses the identity that he or she claims. It allows your system to know who you are.
• Authorization: provides assurance that the user has been specifically and explicitly authorized by the proper authority to access the contents of an information asset.
• Authorization refers to the rights, privileges or permissions that define what users can do on the system.
• Nonrepudiation or accountability: the ability of a system to confirm that a sender cannot convincingly deny having sent something.
• Auditability: the ability of a system to trace all actions related to a given asset.
• Impossible to obtain perfect security—it is a process, not an absolute
• Security should be considered a balance between protection and availability
• To achieve balance, the level of security must allow reasonable access, yet protect against threats
• The value of information comes from the characteristics it possesses:
◦ Timeliness
▪ No value if it is too late
◦ Availability
▪ No interference or obstruction
▪ Required format
◦ Accuracy
▪ Free from mistakes
◦ Authenticity
▪ Quality or state of being genuine, e.g., the sender of an email
◦ Confidentiality
▪ Disclosure or exposure to unauthorized individuals or systems is prevented
• Integrity
◦ Whole, complete, uncorrupted
◦ Cornerstone
◦ Checked via the size of the file, hash values, error-correcting codes, retransmission
• Utility
◦ Having value for some purpose
• Possession
◦ Ownership
◦ A breach of confidentiality results in a breach of possession, not the reverse
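Worked example, added here and not part of the study guide, covering both integrity passages above: the distinction between data integrity and origin integrity (with preventive and detective mechanisms) and the file-size and hash-value checks just listed. The message, the "tampered" copy and the shared key are constructed sample values; the code uses only the Python standard library.

```python
import hashlib
import hmac
# Constructed sample data (not from the study guide): a short message and a key
# shared between the sender and the verifier.
ORIGINAL = b"Transfer Ksh. 1,000 to account 12345\n"
SHARED_KEY = b"example-shared-key-not-for-production"

def size_unchanged(data: bytes, expected_size: int) -> bool:
    """File-size check: the weakest detective control, since a same-length edit passes it."""
    return len(data) == expected_size

def sha256_digest(data: bytes) -> str:
    """Data-integrity control: any change to the content changes the digest."""
    return hashlib.sha256(data).hexdigest()

def check_data_integrity(data: bytes, expected_digest: str) -> bool:
    """Detects modification of the content, but says nothing about who produced it:
    whoever alters the bytes can also publish a matching digest."""
    return hmac.compare_digest(sha256_digest(data), expected_digest)

def origin_tag(data: bytes, key: bytes) -> str:
    """Origin-integrity control: an HMAC binds the content to a holder of the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def check_origin_integrity(data: bytes, tag: str, key: bytes) -> bool:
    """Accepts only content whose tag was computed with the shared key."""
    return hmac.compare_digest(origin_tag(data, key), tag)

def demo() -> dict:
    # Same-length change to the account number, as a constructed tampering case.
    tampered = ORIGINAL.replace(b"12345", b"99999")
    digest = sha256_digest(ORIGINAL)
    tag = origin_tag(ORIGINAL, SHARED_KEY)
    return {
        # size check: passes, so it misses the change
        "size_check_misses_tamper": size_unchanged(tampered, len(ORIGINAL)),
        # hash check: catches the change when the original digest is trusted
        "hash_detects_tamper": not check_data_integrity(tampered, digest),
        # but a digest recomputed over the altered content also verifies (no origin integrity)
        "recomputed_hash_verifies": check_data_integrity(tampered, sha256_digest(tampered)),
        # HMAC check: the genuine tag no longer matches the altered content
        "hmac_detects_tamper": not check_origin_integrity(tampered, tag, SHARED_KEY),
        # and a tag made without the shared key is rejected
        "hmac_rejects_wrong_key": not check_origin_integrity(tampered, origin_tag(tampered, b"wrong-key"), SHARED_KEY),
        "hmac_accepts_genuine": check_origin_integrity(ORIGINAL, tag, SHARED_KEY),
    }
if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Every entry returned by demo() is True, which is the point: a size check is blind to same-length edits, a hash alone protects data integrity only while the reference digest is trusted, and the keyed tag is what adds origin integrity.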
• An Information System (IS) is the entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization
• Software
◦ Perhaps the most difficult to secure
◦ Easy target
◦ Exploitation of software makes up a substantial portion of attacks on information
• Hardware
◦ Physical security policies
◦ Securing the physical location is important
◦ Laptops
◦ Flash memory
• Data
◦ Often the most valuable asset
◦ Main target of intentional attacks
• People
◦ Weakest link
◦ Social engineering
◦ Must be well trained and informed
• Procedures
◦ Threat to the integrity of data
• Networks
◦ Locks and keys won't work
• A computer can be the subject of an attack and/or the object of an attack
◦ When the subject of an attack, the computer is used as an active tool to conduct the attack
◦ When the object of an attack, the computer is the entity being attacked
• Two types of attack
◦ Direct
▪ A hacker uses their computer to break into a system
◦ Indirect
▪ A system is compromised and used to attack other systems
• What is a threat? In computer security, a threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm.
• A threat can be either "intentional" (i.e., intelligent; e.g., an individual cracker or a criminal organization) or "accidental" (e.g., the possibility of a computer malfunctioning).
 1971 The first worm Bob Thomas, a developer
working on ARPANET, a precursor to the
Internet, wrote a program called Creeper that
passed from computer to computer, displaying
a message

 1986 The first virus for IBM PCs was


introduced. It was written by two brothers in
Pakistan, when they noticed that people were
copying their software. The virus put a copy of
itself and a copyright message on any floppy
disk copies their customers made.
 1988 :The Internet Worm Robert Morris, a 23-year-
old student, released a worm on the US DARPA
Internet. It spread to thousands of computers and,
due to an error, kept re-infecting computers many
times, causing them to crash.
 1999 Email viruses Melissa, a virus that forwards itself
by email, spread worldwide. Bubbleboy, the first virus
to infect a computer when email is viewed, appeared.
 2000 Denial-of-service attacks “Distributed denial-of-
service” attacks by hackers put Yahoo!, eBay, Amazon
and other high profile websites offline for several
hours. Love Bug became the most successful email
virus yet.
 2007: The Storm Worm Trojan horse is sent with e-mails that included
headlines about interesting newsworthy events. This threat to
computer security was especially dangerous and resilient as its packing
code was changed every 10 minutes, and its command and control
servers were altered after it was installed.

 2013: The network security of Target is compromised when hackers


access its servers and information about 110 million of its customers.
The hacking started on Nov. 27, but Target did not discover it until
Dec. 13. It was patched two days later, and the company announced
what had occurred on Dec. 19.The cost of the data breach is
estimated to be more than $200 million. A few months later, 81 million
Yahoo email customers became the victims of cyber criminals.
• It's now a common sight to see a business report a large data breach. According to some of the latest statistics, more than 200 new viruses are being discovered every month worldwide. For this reason, businesses are making security a higher priority, whether it be computer, IT, or network security.
• Grassroots effort: systems administrators attempt to improve the security of their systems
• Key advantage: technical expertise of individual administrators
• Seldom works, as it lacks a number of critical features:
◦ Participant support
◦ Organizational staying power
• Initiated by upper management
◦ Issue policy, procedures and processes
◦ Dictate goals and expected outcomes of the project
◦ Determine accountability for each required action
• The most successful also involve a formal development strategy referred to as the systems development life cycle
• The systems development life cycle (SDLC) is a methodology and design for the implementation of information security within an organization
• A methodology is a formal approach to problem-solving based on a structured sequence of procedures
• Using a methodology
◦ ensures a rigorous process
◦ avoids missing steps
• The goal is creating a comprehensive security posture/program
• The traditional SDLC consists of six general phases
• The same phases used in the traditional SDLC may be adapted to support the specialized implementation of an IS project
• Identification of specific threats and creation of controls to counter them
• The SecSDLC is a coherent program rather than a series of random, seemingly unconnected actions
• Investigation
◦ Identifies the process, outcomes, goals, and constraints of the project
◦ Begins with the enterprise information security policy
• Analysis
◦ Existing security policies, legal issues
◦ Perform risk analysis
• Logical Design
◦ Creates and develops blueprints for information security
◦ Incident response actions: continuity planning, incident response, disaster recovery
◦ Feasibility analysis to determine whether the project should continue or be outsourced
• Physical Design
◦ Needed security technology is evaluated, alternatives generated, and the final design selected
• Implementation
◦ Security solutions are acquired, tested, implemented, and tested again
◦ Personnel issues evaluated; specific training and education programs conducted
◦ The entire tested package is presented to management for final approval
• Maintenance and Change
◦ Most important phase
◦ Constantly changing threats
◦ Constant monitoring, testing, updating and implementing change
• A wide range of professionals is required to support a diverse information security program
• Senior management is a key component; also, additional administrative support and technical expertise are required to implement the details of the IS program
• Chief Information Officer (CIO)
◦ Senior technology officer
◦ Primarily responsible for advising senior executives on strategic planning
• Chief Information Security Officer (CISO)
◦ Primarily responsible for assessment, management, and implementation of IS in the organization
◦ Usually reports directly to the CIO
• Economic damage
• Negative publicity
• Loss of competitive advantage
• Reduced organizational viability
• Loss of customer confidence
• Legal liability

• Increased Internet usage
• Lack of awareness of threats and risks
• Unencrypted network traffic
• Complexity of security measures and administration
• Software bugs
• Availability of cracking tools