
Information Assurance and Security


Chapter 1 Department of CSIT, AMIT

Chapter 1
Information Assurance and Security
Introduction
Information assurance
Information assurance (IA) is the practice of assuring information and managing risks related to the use,
processing, storage, and transmission of information or data and the systems and processes used for those
purposes. Information assurance includes protection of the integrity, availability, authenticity, non-repudiation
and confidentiality of user data. It uses physical, technical and administrative controls to accomplish these
tasks. While focused predominantly on information in digital form, the full range of IA encompasses not only
digital but also analog or physical form. These protections apply to data in transit, both physical and electronic
forms as well as data at rest in various types of physical and electronic storage facilities. Information assurance
as a field has grown from the practice of information security.

Overview
Information assurance is the process of adding business benefit through the use of IRM (Information Risk
Management) which increases the utility of information to authorized users, and reduces the utility of
information to those unauthorized. It is strongly related to the field of information security, and also with
business continuity.

IA relates more to the business level and strategic risk management of information and related systems, rather
than the creation and application of security controls. Therefore, in addition to defending against malicious
hackers and code (e.g., viruses), IA practitioners consider corporate governance issues such as privacy,
regulatory and standards compliance, auditing, business continuity, and disaster recovery as they relate to
information systems. Further, while information security draws primarily from computer science, IA is an
interdisciplinary field requiring expertise in business, accounting, user experience, fraud examination, forensic
science, management science, systems engineering, security engineering, and criminology, in addition to
computer science. Therefore, IA is best thought of as a superset of information security (i.e. an umbrella term),
and as the business outcome of Information Risk Management.

Information Assurance is also the term used by governments, including the government of the United
Kingdom, for the provision of holistic security to information systems. In this use of the term, the
interdisciplinary approach set out above is somewhat narrower: security and systems engineering,
business continuity and enterprise resilience, forensic investigation and threat analysis are considered, but
management science, accounting and criminology are not drawn on when developing mitigations for the risks
identified in the risk assessments. HMG Information Assurance Standard 1&2, which has replaced the HMG
Information Security Standard, sets out the principles and requirements of risk management in accordance with
the above principles and is one of the Information Assurance Standards currently used within the UK public
sector.

Compiled by: Dr. Azath Hussain

Information assurance process


The information assurance process typically begins with the enumeration and classification of the information
assets to be protected. Next, the IA practitioner performs a risk assessment for those assets: vulnerabilities
in each asset are identified in order to enumerate the threats capable of exploiting them. The assessment then
considers both the probability and the impact of a threat exploiting a vulnerability in an asset, with impact
usually measured in terms of cost to the asset's stakeholders. The sum, over all threats, of each threat's
impact multiplied by its probability of occurring is the total risk to the information asset.

With the risk assessment complete, the IA practitioner then develops a risk management plan. This plan
proposes countermeasures that involve mitigating, eliminating, accepting, or transferring the risks, and
considers prevention, detection, and response to threats.

Countermeasures may include technical tools such as firewalls and anti-virus software, policies and procedures
requiring such controls as regular backups and configuration hardening, employee training in security
awareness, or organizing personnel into dedicated computer emergency response team (CERT) or computer
security incident response team (CSIRT). The cost and benefit of each countermeasure is carefully
considered. Thus, the IA practitioner does not seek to eliminate all risks, were that possible, but to manage
them in the most cost-effective way.

After the risk management plan is implemented, it is tested and evaluated, often by means of formal audits.
The IA process is an iterative one, in that the risk assessment and risk management plan are meant to be
periodically revised and improved based on data gathered about their completeness and effectiveness.
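The process just described, carried through as an added worked example (it is not part of the original notes): a small risk register in Python that computes each asset's total risk as the sum of probability times impact over its threats, then picks countermeasures by marginal net benefit (risk removed minus annual cost) and stops when nothing left pays for itself, leaving the remainder as accepted risk. The asset, the threat figures, the countermeasure costs and the effectiveness fractions are all constructed for illustration, and effectiveness is modelled simply as the fraction of a threat's expected loss that a control removes.

```python
"""Added worked example: a minimal quantitative risk register.

All figures below are constructed for illustration. Probabilities are
annual likelihoods, impact is the cost to the asset's stakeholders, and a
countermeasure's effectiveness is modelled as the fraction of a threat's
expected loss that it removes (a simplifying assumption)."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    probability: float  # annual likelihood of the threat exploiting a vulnerability
    impact: float       # cost to stakeholders if it does

    @property
    def expected_loss(self) -> float:
        return self.probability * self.impact


@dataclass
class Asset:
    name: str
    threats: list[Threat] = field(default_factory=list)

    def total_risk(self) -> float:
        # Sum of the products of impact and probability over all threats.
        return sum(t.expected_loss for t in self.threats)


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    effectiveness: dict[str, float]  # threat name -> fraction of expected loss removed


def residual_risk(asset: Asset, controls: list[Countermeasure]) -> float:
    """Risk left after applying `controls`; overlapping controls compound
    multiplicatively so the same loss is never counted as removed twice."""
    total = 0.0
    for t in asset.threats:
        remaining = t.expected_loss
        for c in controls:
            remaining *= 1.0 - c.effectiveness.get(t.name, 0.0)
        total += remaining
    return total


def select_countermeasures(asset: Asset, candidates: list[Countermeasure]):
    """Greedy cost/benefit selection: repeatedly accept the control with the
    largest marginal net benefit (risk removed minus annual cost) until no
    remaining control pays for itself. What is left is accepted risk."""
    accepted: list[Countermeasure] = []
    remaining = list(candidates)
    while remaining:
        current = residual_risk(asset, accepted)

        def marginal(c: Countermeasure) -> float:
            return current - residual_risk(asset, accepted + [c]) - c.annual_cost

        best = max(remaining, key=marginal)
        if marginal(best) <= 0:
            break  # nothing left is cost-effective; accept the remaining risk
        accepted.append(best)
        remaining.remove(best)
    return accepted, residual_risk(asset, accepted)


def sample_register() -> tuple[Asset, list[Countermeasure]]:
    """Constructed sample data (not from any real assessment)."""
    asset = Asset("customer database", [
        Threat("ransomware", probability=0.20, impact=500_000),        # expected loss 100_000
        Threat("credential theft", probability=0.30, impact=200_000),  # expected loss  60_000
        Threat("hardware failure", probability=0.10, impact=50_000),   # expected loss   5_000
    ])
    candidates = [
        Countermeasure("offline backups", 20_000, {"ransomware": 0.8}),
        Countermeasure("phishing-resistant MFA", 15_000, {"credential theft": 0.9}),
        Countermeasure("endpoint detection and response", 90_000, {"ransomware": 0.5}),
        Countermeasure("redundant storage", 8_000, {"hardware failure": 0.9}),
    ]
    return asset, candidates


if __name__ == "__main__":
    asset, candidates = sample_register()
    accepted, residual = select_countermeasures(asset, candidates)
    print(f"total risk:    {asset.total_risk():>10,.0f}")
    for c in accepted:
        print(f"accept:        {c.name}")
    print(f"residual risk: {residual:>10,.0f}")
```

With these constructed figures the register accepts offline backups and MFA, rejects the expensive endpoint product (by the time backups are in place it removes too little ransomware loss to justify its cost) and rejects redundant storage (the hardware-failure risk is cheaper to accept than to treat), ending with a non-zero residual risk, which is exactly the cost-effective management rather than elimination described above. Real assessments rarely have probabilities this precise; the value of the exercise is in making the ranking and the accepted residual explicit and revisiting them on each iteration.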

Information security
History:
Since the early days of communication, diplomats and military commanders understood that it was necessary
to provide some mechanism to protect the confidentiality of correspondence and to have some means of
detecting tampering. Julius Caesar is credited with the invention of the Caesar cipher c. 50 B.C., which was
created in order to prevent his secret messages from being read should a message fall into the wrong hands, but
for the most part protection was achieved through the application of procedural handling controls. Sensitive
information was marked up to indicate that it should be protected and transported by trusted persons, guarded
and stored in a secure environment or strong box. As postal services expanded, governments created official
organizations to intercept, decipher, read and reseal letters (e.g. the UK Secret Office and Deciphering Branch
in 1653).

In the mid-19th century more complex classification systems were developed to allow governments to manage
their information according to the degree of sensitivity. The British Government codified this, to some extent,
with the publication of the Official Secrets Act in 1889. By the time of the First World War, multi-tier
classification systems were used to communicate information to and from various fronts, which encouraged
greater use of code making and breaking sections in diplomatic and military headquarters. In the United
Kingdom this led to the creation of the Government Code and Cypher School in 1919. Encoding became more
sophisticated between the wars as machines were employed to scramble and unscramble information. The
volume of information shared by the Allied countries during the Second World War necessitated formal
alignment of classification systems and procedural controls. An arcane range of markings evolved to indicate
who could handle documents (usually officers rather than men) and where they should be stored as
increasingly complex safes and storage facilities were developed. Procedures evolved to ensure documents
were destroyed properly and it was the failure to follow these procedures which led to some of the greatest
intelligence coups of the war (e.g. U-570).

During the 1990s, the computer security industry witnessed a revolution in the mainstream emergence of the
hacking subculture. Hackers suddenly had different motives: greed, ideology, and revenge. In early 2002, a
Russian hacker was arrested for attempting to extort $10,000 from a U.S. bank after breaking into one of its
Web servers and stealing a customer list with names, addresses, and bank account numbers. Governments are
involved too: many nations have some sort of information warfare program designed to cripple the computing
infrastructure of an adversary's military. Finally, a large number of attacks have originated from disgruntled
employees and former employees who know and exploit the soft spots in a corporate security policy.

The end of the 20th century and early years of the 21st century saw rapid advancements in
telecommunications, computing hardware and software, and data encryption. The availability of smaller, more
powerful and less expensive computing equipment made electronic data processing within the reach of small
business and the home user. These computers quickly became interconnected through the Internet.
The rapid growth and widespread use of electronic data processing and electronic business conducted through
the Internet, along with numerous occurrences of international terrorism, fueled the need for better methods of
protecting the computers and the information they store, process and transmit. The academic disciplines of
computer security and information assurance emerged along with numerous professional organizations – all
sharing the common goals of ensuring the security and reliability of information systems.

Information security, sometimes shortened to InfoSec, is the practice of defending information from
unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It
is a general term that can be used regardless of the form the data may take (electronic, physical, etc...)
Two major aspects of information security are:
• IT security: Sometimes referred to as computer security, Information Technology Security is
information security applied to technology (most often some form of computer system). It is
worthwhile to note that a computer does not necessarily mean a home desktop. A computer is any
device with a processor and some memory (even a calculator). IT security specialists are almost always
found in any major enterprise/establishment due to the nature and value of the data within larger
businesses. They are responsible for keeping all of the technology within the company secure from
malicious cyber attacks that often attempt to breach into critical private information or gain control of
the internal systems.
• Information assurance: in this narrower sense, the act of ensuring that data is not lost when critical issues
arise. These issues include, but are not limited to, natural disasters, computer or server malfunction, physical
theft, or any other event in which data could be lost. (The broader, risk-management meaning of the term is
set out in the Information assurance section above.) Since most information is now stored on computers,
information assurance in this sense is typically handled by IT security specialists. One of the most common
methods of providing it is to keep an off-site backup of the data, tested so that it can actually be restored,
in case one of the mentioned issues arises.
Governments, military, corporations, financial institutions, hospitals, and private businesses amass a great deal
of confidential information about their employees, customers, products, research and financial status. Most of
this information is now collected, processed and stored on electronic computers and transmitted across
networks to other computers.

Definitions:
1. "Preservation of confidentiality, integrity and availability of information. Note: In addition, other properties,
such as authenticity, accountability, non-repudiation and reliability can also be involved."
2. "The protection of information and information systems from unauthorized access, use, disclosure,
disruption, modification, or destruction in order to provide confidentiality, integrity, and availability."
3. "Ensures that only authorized users (confidentiality) have access to accurate and complete information
(integrity) when required (availability)."
4. "Information Security is the process of protecting the intellectual property of an organisation."
5. "...information security is a risk management discipline, whose job is to manage the cost of information risk
to the business."
6. "A well-informed sense of assurance that information risks and controls are in balance."
7. "Information security is the protection of information and minimises the risk of exposing information to
unauthorised parties."

Computer security
Computer security is the branch of information security concerned with computers and networks. Its objective
includes protection of information and property from theft, corruption, or natural disaster, while allowing the
information and property to remain accessible and productive to their intended users. The term computer
system security means the collective processes and mechanisms by which sensitive and valuable information
and services are protected from publication, tampering or collapse by unauthorized activities, untrustworthy
individuals and unplanned events. The strategies and methodologies of computer security often differ from
those of most other computer technologies because of its somewhat elusive objective: preventing unwanted
computer behavior rather than enabling wanted computer behavior.
• Computer Security - generic name for the collection of tools designed to protect data and to thwart
hackers
• Network Security - measures to protect data during their transmission
• Internet Security - measures to protect data during their transmission over a collection of
interconnected networks

Why Security?
Computer security is required because most organizations can be damaged by hostile software or intruders.
There are several forms of damage, which are obviously interrelated. These include:
• Damage or destruction of computer systems.
• Damage or destruction of internal data.
• Loss of sensitive information to hostile parties.
• Use of sensitive information to steal items of monetary value.
• Use of sensitive information against the organization's customers, which may result in legal action by
customers against the organization and loss of customers.
• Damage to the reputation of an organization.
• Monetary damage due to loss of sensitive information, destruction of data, hostile use of sensitive data,
or damage to the organization's reputation.

Principles of Security (Goals)


The three concepts of Confidentiality, Integrity and Availability form what is often referred to as the CIA
triad (Figure 1).

Fig 1: Key Security Concepts

The three concepts embody the fundamental security objectives for both data and for information and
computing services. FIPS PUB 199 provides a useful characterization of these three objectives in terms of
requirements and the definition of a loss of security in each category:

1. Confidentiality:

• Confidentiality is a set of rules that limits access to information.
• Measures undertaken to ensure confidentiality are designed to prevent sensitive information from
reaching the wrong people, while making sure that the right people can in fact get it.
• Training can help familiarize authorized people with risk factors and how to guard against them.
Further aspects of training can include strong passwords and password-related best practices and
information about social engineering methods.
Historically, security and secrecy were closely related. Even today, many people still feel that the main
objective of computer security is to stop unauthorized users from learning sensitive information.
Confidentiality (privacy, secrecy) captures this aspect of computer security.
The terms privacy and secrecy are sometimes used to distinguish between the protection of personal data
(privacy) and the protection of data belonging to an organization (secrecy).
Confidentiality is the property of preventing the disclosure of information to unauthorized individuals or
systems.
For example, a credit card transaction on the Internet requires the credit card number to be transmitted from
the buyer to the merchant and from the merchant to a transaction processing network. The system attempts
to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it
might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the
places where it is stored. If an unauthorized party obtains the card number in any way, a breach of
confidentiality has occurred.
Confidentiality is necessary (but not sufficient) for maintaining the privacy of the people whose personal
information a system holds.
FIPS PUB 199 definition: preserving authorized restrictions on information access and disclosure, including
means for protecting personal privacy and proprietary information. A loss of confidentiality is the
unauthorized disclosure of information. More briefly: prevention of unauthorized disclosure of information.
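The credit card example above lists "limiting the places where it might appear (in databases, log files, ...)" as a confidentiality control. As an added example (not from the original notes), the following Python shows one way to enforce that at the logging boundary: candidate digit runs in each log line are found with a regular expression, kept only if they pass the Luhn check that payment card numbers satisfy, and masked down to the last four digits. The log lines are constructed for this example and the card numbers in them are standard published test numbers; the regular expression, the function names and the masking format are this example's own choices.

```python
"""Added example: redacting card numbers before they reach log files.

Candidate digit runs are found with a regular expression and kept only if
they pass the Luhn check that payment card numbers satisfy; everything
except the last four digits is then masked. The log lines and the card
numbers (well-known test numbers) are constructed for this example."""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, as on a printed receipt."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_pans(line: str) -> str:
    """Replace every Luhn-valid card number in a log line with its masked form.
    Digit runs that merely look like card numbers (order IDs, phone numbers)
    fail the Luhn check and are left unchanged."""
    def _replace(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return _PAN_CANDIDATE.sub(_replace, line)


def redact_log(lines):
    """Apply redact_pans to every line, e.g. inside a logging.Filter or log shipper."""
    return [redact_pans(line) for line in lines]


# Constructed sample log lines; the card numbers are published test numbers.
SAMPLE_LOG = [
    "2024-01-15T10:02:11Z checkout card=4111 1111 1111 1111 amount=12.50",
    "2024-01-15T10:02:12Z checkout card=378282246310005 amount=99.00",
    "2024-01-15T10:02:13Z order=1234567890123456 status=shipped",
    "2024-01-15T10:02:14Z support phone=+1 555 010 9999 ticket=4411",
]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_LOG, redact_log(SAMPLE_LOG)):
        print(after, "" if before == after else "  <- redacted")
```

The Luhn check only filters obvious false positives; a 16-digit order number that happens to satisfy it would still be masked, and a card number written with unusual separators would be missed, so redaction of this kind is defence in depth, not a substitute for keeping the card number out of the code path that logs in the first place (for example by tokenizing it at the payment boundary). Encryption in transit, the first control in the example above, is a separate mechanism and is not shown here.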

2. Integrity:

• Integrity is the assurance that the information is trustworthy and accurate.
• Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire
life cycle.
• Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by
unauthorized people (for example, by an attacker who has already gained access to it through a breach of
confidentiality).
• This goal defines how we keep our data from being altered. A man-in-the-middle (MitM) attack, in which
an attacker positioned between two parties modifies messages in transit, is the standard example threat to
this goal.

Integrity is about making sure that everything is as it is supposed to be, and in the context of computer
security, the prevention of unauthorized modification of information.
However, additional qualifications like "being authorized to do what one does" or "following the correct
procedures" have also been included under the term integrity, so that users of a system, even if authorized,
are not permitted to modify data items in such a way that assets or accounting records of the company are
lost or corrupted.
In computer security, integrity means that data cannot be modified undetectably. This is not the same thing
as referential integrity in databases, although it can be viewed as a special case of Consistency as
understood in the classic ACID model of transaction processing. Integrity is violated when a message is
actively modified in transit. Computer and information security systems therefore typically provide message
integrity in addition to data confidentiality. Note that encryption on its own does not provide integrity:
ciphertext can often be altered without detection, so a message authentication code or an authenticated
encryption mode is needed as well.
FIPS PUB 199 definition: guarding against improper information modification or destruction, and includes
ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or
destruction of information. More briefly: prevention of unauthorized modification of information.
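The man-in-the-middle threat and the message-integrity mechanism discussed above, as an added example that is not part of the original notes: a sender protects a payment message, an attacker on the path alters it, and the receiver checks whether the alteration is detectable. The first case uses an unkeyed hash as a "checksum", which the attacker can simply recompute; the second uses HMAC-SHA256 under a key the attacker does not hold, so the old tag no longer verifies and a tag computed under a guessed key is rejected. The message format, the field names and the amounts are constructed for the demonstration; the HMAC construction itself is the standard one from Python's `hmac` module.

```python
"""Added example: detecting in-transit modification with a MAC.

Models the man-in-the-middle case from the text: a sender protects a
message, an attacker on the path alters it, and the receiver checks
whether the change is detectable. The message format and the payment
fields are constructed for illustration."""
from __future__ import annotations

import hashlib
import hmac
import secrets


def make_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 over the message; only holders of `key` can compute it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the tag."""
    return hmac.compare_digest(make_tag(key, message), tag)


def unkeyed_checksum(message: bytes) -> bytes:
    """A plain hash 'checksum': anyone, including the attacker, can recompute it."""
    return hashlib.sha256(message).digest()


def verify_checksum(message: bytes, checksum: bytes) -> bool:
    return hmac.compare_digest(unkeyed_checksum(message), checksum)


def mitm_alter(message: bytes) -> bytes:
    """The attacker's modification: redirect the payment to themselves."""
    return message.replace(b"to=bob", b"to=mallory")


def demo(key: bytes | None = None) -> dict[str, bool]:
    """Run the exchange three ways and report whether the receiver catches the tampering."""
    key = key or secrets.token_bytes(32)  # shared out of band between sender and receiver
    message = b"from=alice;to=bob;amount=100"
    altered = mitm_alter(message)

    # 1. Protected only by an unkeyed checksum: the attacker alters the message,
    #    recomputes the checksum, and the receiver's check passes.
    forged_checksum = unkeyed_checksum(altered)
    checksum_accepts_forgery = verify_checksum(altered, forged_checksum)

    # 2. Protected by HMAC under a key the attacker lacks: the original verifies,
    #    the altered message with the original tag does not.
    tag = make_tag(key, message)
    hmac_accepts_original = verify_tag(key, message, tag)
    hmac_detects_alteration = not verify_tag(key, altered, tag)

    # 3. The attacker cannot produce a valid tag for the altered message without
    #    the key; a tag under a guessed key is rejected.
    forged_tag = make_tag(secrets.token_bytes(32), altered)
    hmac_rejects_forged_tag = not verify_tag(key, altered, forged_tag)

    return {
        "checksum_accepts_forgery": checksum_accepts_forgery,
        "hmac_accepts_original": hmac_accepts_original,
        "hmac_detects_alteration": hmac_detects_alteration,
        "hmac_rejects_forged_tag": hmac_rejects_forged_tag,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:28s} {result}")
```

A MAC shows that the message was not altered by anyone without the key; it does not by itself show that the message is fresh, so a replayed copy of a genuine transfer would verify just as well. Protocols that care about that add a sequence number or nonce inside the authenticated data. The same HMAC-then-verify pattern is what authenticated encryption modes bundle together with confidentiality.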

3. Availability:

• Availability means that assets are accessible to authorized parties at appropriate times.
• Availability is very much a concern beyond the traditional boundaries of computer security. We
want to ensure that a malicious attacker cannot prevent legitimate users from having reasonable
access to their systems.
For any information system to serve its purpose, the information must be available when it is needed. This
means that the computing systems used to store and process the information, the security controls used to
protect it, and the communication channels used to access it must be functioning correctly. High availability
systems aim to remain available at all times, preventing service disruptions due to power outages, hardware
failures, and system upgrades. Ensuring availability also involves preventing denial-of-service attacks.
FIPS PUB 199 definition: ensuring timely and reliable access to and use of information. A loss of availability
is the disruption of access to or use of information or an information system. More briefly: prevention of
unauthorized withholding of information or resources.
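Denial of service is the availability threat named above. As an added example (not from the original notes), the following Python implements one common mitigation, a per-client token-bucket rate limiter, and shows that a flood of requests from one client exhausts only that client's allowance while another client is still served, and that the flooding client regains service only as its bucket refills. The client addresses, the rate, the burst size and the request counts are constructed for the demonstration, and the clock is injected so the refill behaviour can be shown without waiting.

```python
"""Added example: a per-client token-bucket rate limiter as an availability control.

Each client gets a bucket of `burst` tokens refilled at `rate` tokens per
second; a request is served only if a token is available. A flood from one
client exhausts only that client's bucket, so other users keep getting
service. The clock is injectable so the behaviour can be checked
deterministically; client identifiers and request counts are constructed."""
import time


class TokenBucketLimiter:
    def __init__(self, rate: float, burst: int, clock=time.monotonic):
        self.rate = rate      # tokens added per second
        self.burst = burst    # bucket capacity, i.e. the largest burst served
        self.clock = clock
        self._buckets: dict[str, tuple[float, float]] = {}  # client -> (tokens, last_update)

    def allow(self, client: str) -> bool:
        """Return True and consume a token if the client has one available."""
        now = self.clock()
        tokens, last = self._buckets.get(client, (float(self.burst), now))
        # Refill proportionally to elapsed time, capped at the bucket size.
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[client] = (tokens - 1.0, now)
            return True
        self._buckets[client] = (tokens, now)
        return False


class FakeClock:
    """Deterministic clock for the demonstration; advance() stands in for elapsed time."""
    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate_flood(limiter: TokenBucketLimiter, attacker: str, victim: str, requests: int):
    """Attacker sends `requests` at once, then one legitimate request arrives from `victim`."""
    served_attacker = sum(1 for _ in range(requests) if limiter.allow(attacker))
    served_victim = limiter.allow(victim)
    return served_attacker, served_victim


def demo() -> dict[str, object]:
    clock = FakeClock()
    limiter = TokenBucketLimiter(rate=5.0, burst=10, clock=clock)
    # Addresses from the documentation ranges; the flood size is arbitrary.
    flood_served, victim_served = simulate_flood(limiter, "203.0.113.7", "198.51.100.20", 1000)
    clock.advance(2.0)  # two seconds later the attacker has earned 2 s * 5/s = 10 tokens
    served_after_refill, _ = simulate_flood(limiter, "203.0.113.7", "198.51.100.20", 1000)
    return {
        "flood_served": flood_served,
        "victim_served": victim_served,
        "served_after_refill": served_after_refill,
    }


if __name__ == "__main__":
    print(demo())
```

Keying the bucket by source address is the simplest choice and the easiest to evade: a distributed flood spreads its requests over many addresses, each staying under the limit, and many legitimate users behind one NAT share a single bucket. Rate limiting at the application is therefore one layer; volumetric attacks are absorbed by upstream capacity or scrubbing, and the service's own capacity planning, redundancy and failover cover the non-malicious causes of unavailability listed above.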

INFORMATION SECURITY
Information security means protecting information and information systems from unauthorized access, use,
disclosure, disruption, modification, perusal, inspection, recording or destruction.
The terms information security, computer security and information assurance are frequently used
interchangeably. These fields are interrelated and share the common goals of protecting the
confidentiality, integrity and availability of information; however, there are some subtle differences between
them.

These differences lie primarily in the approach to the subject, the methodologies used, and the areas of
concentration. Information security is concerned with the confidentiality, integrity and availability of data
regardless of the form the data may take: electronic, print, or other forms. Computer security can focus on
ensuring the availability and correct operation of a computer system without concern for the information stored
or processed by the computer. Information assurance focuses on the reasons for assurance that information is
protected, and is thus reasoning about information security.

Should confidential information about a business' customers, finances or new product line fall into the hands
of a competitor, such a breach of security could lead to negative consequences. Protecting confidential
information is a business requirement, and in many cases also an ethical and legal requirement.

Enterprise security
What Is Enterprise security?
Introduction
Enterprise security is about building systems to remain dependable in the face of malice, error, or mischance.
As a discipline, it focuses on the tools, processes, and methods needed to design, implement, and test complete
systems, and to adapt existing systems as their environment evolves.

Enterprise security requires cross-disciplinary expertise, ranging from cryptography and computer security
through hardware tamper-resistance and formal methods to a knowledge of economics, applied psychology,
organizations and the law. System engineering skills, from business process analysis through software
engineering to evaluation and testing, are also important; but they are not sufficient, as they deal only with
error and mischance rather than malice.

Many security systems have critical assurance requirements. Their failure may endanger human life and the
environment (as with nuclear safety and control systems), do serious damage to major economic infrastructure
(cash machines and other bank systems), endanger personal privacy (medical record systems), undermine the
viability of whole business sectors (pay-TV), and facilitate crime (burglar and car alarms). Even the perception
that a system is more vulnerable than it really is (paying with a credit card over the Internet) can significantly
hold up economic development.

The conventional view is that while software engineering is about ensuring that certain things happen (‘John
can read this file’), security is about ensuring that they don’t (‘The Chinese government can’t read this file’).
Reality is much more complex. Security requirements differ greatly from one system to another. One typically
needs some combination of user authentication, transaction integrity and accountability, fault-tolerance,
message secrecy, and covertness. But many systems fail because their designers protect the wrong things, or
protect the right things but in the wrong way.

A Framework
Good Enterprise security requires four things to come together. There’s policy: what you’re supposed to
achieve. There’s mechanism: the ciphers, access controls, hardware tamper-resistance and other machinery that
you assemble in order to implement the policy. There’s assurance: the amount of reliance you can place on
each particular mechanism. Finally, there’s incentive: the motive that the people guarding and maintaining the
system have to do their job properly, and also the motive that the attackers have to try to defeat your policy.
All of these interact (see Fig. 1).

Figure 1: Enterprise Security Analysis Framework

As an example, let’s think of the 9/11 terrorist attacks. The hijackers’ success in getting knives through airport
security was not a mechanism failure but a policy one; at that time, knives with blades up to three inches were
permitted, and the screeners did their task of keeping guns and explosives off as far as we know. Policy has
changed since then: first to prohibit all knives, then most weapons (baseball bats are now forbidden but
whiskey bottles are OK); it’s flip-flopped on many details (butane lighters forbidden then allowed again).

Mechanism is weak, because of things like composite knives and explosives that don’t contain nitrogen.
Assurance is always poor; many tons of harmless passengers’ possessions are consigned to the trash each
month, while well below half of all the weapons taken through screening (whether accidentally or for test
purposes) are picked up.

Serious analysts point out major problems with priorities. For example, the TSA has spent $14.7 billion on
aggressive passenger screening, which is fairly ineffective, while $100 m spent on reinforcing cockpit doors
would remove most of the risk. The President of the Airline Pilots Security Alliance notes that most ground
staff aren’t screened, and almost no care is taken to guard aircraft parked on the ground overnight. As most
airliners don’t have locks, there’s not much to stop a bad guy wheeling steps up to a plane and placing a bomb
on board; if he had piloting skills and a bit of chutzpah, he could file a flight plan and make off with it. Yet
screening staff and guarding planes are just not a priority.

Why are such poor policy choices made? Quite simply, the incentives on the decision makers favour visible
controls over effective ones. The result is what Bruce Schneier calls ‘security theatre’— measures designed to
produce a feeling of security rather than the reality. Most players also have an incentive to exaggerate the
threat from terrorism: politicians to scare up the vote, journalists to sell more papers, companies to sell more
equipment, government officials to build their empires, and security academics to get grants. The upshot of all
this is that most of the damage done by terrorists to democratic countries comes from the overreaction.
Fortunately, electorates figure this out over time. In Britain, where the IRA bombed us intermittently for a
generation, the public reaction to the 7/7 bombings was mostly a shrug.

Cyber Defense
Definition - What does Cyber Defense mean?
Cyber defense is the defense of computer networks: the set of measures by which organizations, government
entities and other network operators respond to attacks, protect critical infrastructure and assure their
information. Cyber defense focuses on preventing, detecting and providing timely responses to attacks or
threats so that no infrastructure or information is tampered with. With the growth in volume as well as
complexity of cyber attacks, cyber defense is essential for most entities in order to protect sensitive
information as well as to safeguard assets.

Starting from an understanding of the specific environment, cyber defense analyzes the threats to which that
environment is exposed. It then helps in devising and driving the strategies necessary to counter malicious
attacks or threats. A wide range of activities is involved in cyber defense, both for protecting the entity
concerned and for responding rapidly to a changing threat landscape. These include reducing the appeal of the
environment to possible attackers, understanding the critical locations and sensitive information, enacting
preventative controls so that attacks become expensive, building attack detection capability, and building
reaction and response capabilities. Cyber defense also carries out technical analysis to identify the paths and
areas the attackers could target.

Cyber defense provides the assurance needed to run business processes and activities without undue worry
about threats. It helps to apply the security strategy and security resources in the most effective fashion, and
improves the return on security expenditure, especially in critical locations.

Cyber Defence protects your most important business assets against attack.

By aligning the knowledge of the threats you face with an understanding of your environment, you are able to
maximise the effectiveness of your security spend and target your resources at the critical locations. All of this
is driven from your business strategy by identifying where it may be at risk from a range of threats from a
malicious insider right through to Advanced Persistent Threats (APT).

Cyber Defence covers a wide range of activities that are essential in enabling your business to protect itself
against attack and respond to a rapidly evolving threat landscape. This will include cyber deterrents to reduce
your appeal to the attackers, preventative controls that require their attacks to be more costly, attack detection
capability to spot when they are targeting you and reaction and response capabilities to repel them.

Typically a Cyber Defence engagement will include a range of services that are aimed at long term assurance
of your business, from the understanding of how security impacts your business strategy and priorities, through
to training and guidance that enables your employees to establish the right security culture. At the same time
the engagement will include specialist technical analysis and investigation to ensure that you can map out and
protect the paths the attackers will use to compromise your most sensitive assets. These activities will also
enable you to obtain evidence of any threats that may already have breached your defences and provide the
capability to manage or remove them as needed.

Using this blend of services, Cyber Defence provides the assurances you need to run your business free from
worry about the threats that it faces and to ensure that your security strategy utilises your resources in the most
effective manner.

Enterprise Security within an Enterprise Architecture Context:


Definitions:
Many of the terms used in Enterprise security are straightforward, but some are misleading or even
controversial.
The first thing we need to clarify is what we mean by system. In practice, this can denote:
1. a product or component, such as a cryptographic protocol, a smartcard or the hardware of a PC;
2. a collection of the above plus an operating system, communications and other things that go to make up an
organization’s infrastructure;

13                              Compiled by: Dr. Azath Hussain 
3. the above plus one or more applications (media player, browser, word processor, accounts / payroll package,
and so on);
4. any or all of the above plus IT staff;
5. any or all of the above plus internal users and management;
6. any or all of the above plus customers and other external users.

Enterprise Security Architecture: Establishing the Business Context


A business-driven approach to enterprise security architecture means that security is about enabling the
objective of an organization by controlling operational risk. This business-driven approach becomes a key
differentiator to existing security practices that are focused solely on identifying threats to an enterprise and
technical vulnerabilities in IT infrastructure, and subsequently implementing controls to mitigate the risks
introduced. A purely threat-based approach to risk management fails to enable effective security and business
operations. The term security will carry very different meanings to different organizations. For example,
consider security as it relates to a military organization and security related to an online retailer that processes
credit card information. The business models for these two organizations will be very different and, as a result,
the security programs should be unique and relevant to their underlying businesses. A military organization
may determine that the most critical asset to protect is the life of its soldiers as they are engaged in military
operations. To provide assurance as to the safety of a soldier, complex security architectures are needed to
protect information and information systems that could impact the soldiers' safety. Solutions could range from
ensuring that logistic systems that manage the delivery of supplies, food, and ammunitions remain available
and that data integrity is protected to protecting confidentiality of mission plans and military intelligence that,
if compromised, could cause considerable harm to war fighters. Conversely, an online retailer is likely most
concerned with compliance with standards set by the payment card industry. These standards are tailored to
protect the confidentiality of personal information and the integrity of transactions. An online retailer may have
lower thresholds for availability than a military logistics system. The needs for confidentiality, availability, and
integrity of data must be balanced and appropriate to the business activity.

Developing a security architecture begins with an understanding of the business, which is achieved by defining
business drivers and attributes. A business driver is related to the organization’s strategies, operational plans,
and key elements considered critical to success. A business attribute is a key property of the strategic
objectives that needs to be enabled or protected by the enterprise security program. An organization’s senior
executives, who set the long-term strategy and direction of the business, can typically provide knowledge
regarding business drivers. The drivers are often reflected in an organization’s mission and vision statement.
Consider our military organization, which may have a strategic objective of “operational excellence”. This
business driver can be distilled into relevant attributes that require assurance to satisfy the overarching business
driver. Conversely, the online retailer may have a strategic objective of being "customer focused", as expressed
in their vision statement to provide a superior online shopping experience.

Business attributes can generally be identified through an understanding of the business drivers that are set by
the top levels of an organization. Security architects will often conduct structured interviews with senior
management in order to identify business attributes by determining the essence of what is conveyed by high-
level business drivers. In the example of the business driver labelled “operational excellence”, the executives
might be referring to the availability, reliability, and safety of their operations and resources. In this case, the
business attributes defined are “available”, “safe”, and “reliable”. Each attribute is then linked to the business
driver it supports. This pairing of a business driver and attribute results in the creation of a proxy asset.
Again, building on our example, a sample proxy asset is “operational excellence” with the attribute of
“available”. Each proxy asset is owned by the organization and is assessed as having value to them. The fact
that the proxy asset has value sets the requirement that it should be protected. The value of these proxy assets
is difficult to define given that they are often intangible and exist at a very high level. Despite being unable to
assign a monetary value to a proxy asset, it is still possible to identify risks that may act against the asset. Our
online retailer may have attributes of “confidential”, “reputable”, and “error-free”.

An inventory of proxy assets can be maintained by the security architect and will be considered as key assets to
the organization. This is later used to conduct a business threat and risk assessment to identify risks to the
business. It is through a business threat and risk assessment that the sometimes-competing aspects of
confidentiality, integrity, and availability can be reconciled. When the overall objective and needs of a business
are understood, through proxy assets, then impact can be understood as it relates to confidentiality, integrity,
and availability. Understanding of the business helps prioritize which of these elements is most important, and
which aspects of the business are most in need of protection.
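The driver-to-attribute-to-proxy-asset chain and the business threat and risk assessment described above, worked through in code. This is an added illustration, not the chapter's own material or any published method: the two organisations follow the text, but the threats, the 1-to-5 likelihood and impact scale, and every score are constructed for the example.

```python
"""Business drivers, attributes, proxy assets and a business threat and risk
assessment (BTRA), modelled in code.

Added example for this chapter, not part of the original text: the drivers,
attributes, threats, likelihood and impact scores are all constructed."""
from __future__ import annotations
from dataclasses import dataclass

CIA = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class ProxyAsset:
    """A business driver paired with one attribute that supports it."""
    driver: str     # e.g. "operational excellence"
    attribute: str  # e.g. "available"


@dataclass(frozen=True)
class Risk:
    """One threat acting against a proxy asset, rated on a 1..5 scale for
    likelihood and impact (constructed scale for this example)."""
    asset: ProxyAsset
    threat: str
    element: str     # which of confidentiality/integrity/availability is hit
    likelihood: int
    impact: int

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def proxy_assets(drivers: dict[str, list[str]]) -> list[ProxyAsset]:
    """Build the proxy-asset inventory: every driver paired with each of its attributes."""
    return [ProxyAsset(d, a) for d, attrs in drivers.items() for a in attrs]


def cia_totals(risks: list[Risk]) -> dict[str, int]:
    """Sum risk scores per CIA element; this is where the competing aspects
    of C, I and A get reconciled against what the business actually values."""
    totals = dict.fromkeys(CIA, 0)
    for r in risks:
        if r.element not in totals:
            raise ValueError(f"unknown element {r.element!r}")
        totals[r.element] += r.score
    return totals


def most_critical(risks: list[Risk]) -> str:
    """The CIA element the security programme must prioritise for this business."""
    totals = cia_totals(risks)
    return max(CIA, key=lambda e: totals[e])


def ranked(risks: list[Risk]) -> list[Risk]:
    """Risk register ordered from highest to lowest score."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


# Constructed inventories for the two organisations discussed in the text.
MILITARY = proxy_assets({"operational excellence": ["available", "safe", "reliable"]})
RETAILER = proxy_assets({"customer focused": ["confidential", "reputable", "error-free"]})

MILITARY_RISKS = [
    Risk(MILITARY[0], "logistics system outage during an operation", "availability", 3, 5),
    Risk(MILITARY[1], "mission plans disclosed to the enemy", "confidentiality", 2, 5),
    Risk(MILITARY[2], "supply records corrupted", "integrity", 2, 4),
]
RETAILER_RISKS = [
    Risk(RETAILER[0], "cardholder data breach", "confidentiality", 3, 5),
    Risk(RETAILER[1], "breach made public, customers leave", "confidentiality", 2, 4),
    Risk(RETAILER[2], "order totals mis-posted", "integrity", 3, 3),
    Risk(RETAILER[1], "web shop down for an hour", "availability", 4, 1),
]

if __name__ == "__main__":
    for name, risks in (("military", MILITARY_RISKS), ("retailer", RETAILER_RISKS)):
        print(name, cia_totals(risks), "->", most_critical(risks))
        print("  top risk:", ranked(risks)[0].threat)
```

With these constructed scores the military inventory comes out availability-led and the retailer confidentiality-led, which is the balancing the passage describes: the same three elements, prioritised differently because the proxy assets differ.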

Example 1 - A Bank
Banks operate a surprisingly large range of security-critical computer systems.

1. The core of a bank’s operations is usually a branch bookkeeping system. This keeps customer account
master files plus a number of journals that record the day’s transactions. The main threat to this system is the
bank’s own staff; about one percent of bankers are fired each year, mostly for petty dishonesty (the average
theft is only a few thousand dollars). The main defense comes from bookkeeping procedures that have evolved
over centuries. For example, each debit against one account must be matched by an equal and opposite credit
against another; so money can only be moved within a bank, never created or destroyed. In addition, large
transfers of money might need two or three people to authorize them. There are also alarm systems that look
for unusual volumes or patterns of transactions, and staff are required to take regular vacations during which
they have no access to the bank’s premises or systems.

2. One public face of the bank is its automatic teller machines. Authenticating transactions based on a
customer’s card and personal identification number— in such a way as to defend against both outside and
inside attack— is harder than it looks! There have been many epidemics of ‘phantom withdrawals’ in various
countries when local villains (or bank staff) have found and exploited loopholes in the system. Automatic teller
machines are also interesting as they were the first large scale commercial use of cryptography, and they
helped establish a number of crypto standards.

3. Another public face is the bank’s website. Many customers now do more of their routine business, such as
bill payments and transfers between savings and checking accounts, online rather than at a branch. Bank
websites have come under heavy attack recently from phishing — from bogus websites into which customers
are invited to enter their passwords. The ‘standard’ internet security mechanisms designed in the 1990s, such
as SSL/TLS, turned out to be ineffective once capable motivated opponents started attacking the customers
rather than the bank. Phishing is a fascinating Enterprise security problem mixing elements from
authentication, usability, psychology, operations and economics.

4. Behind the scenes are a number of high-value messaging systems. These are used to move large sums of
money (whether between local banks or between banks internationally); to trade in securities; to issue letters of
credit and guarantees; and so on. An attack on such a system is the dream of the sophisticated white-collar
criminal. The defense is a mixture of bookkeeping procedures, access controls, and cryptography.

5. The bank’s branches will often appear to be large, solid and prosperous, giving customers the psychological
message that their money is safe. This is theatre rather than reality: the stone facade gives no real protection. If
you walk in with a gun, the tellers will give you all the cash you can see; and if you break in at night, you can
cut into the safe or strong room in a couple of minutes with an abrasive wheel. The effective controls these
days center on the alarm systems— which are in constant communication with a security company’s control
center. Cryptography is used to prevent a robber or burglar manipulating the communications and making the
alarm appear to say ‘all’s well’ when it isn’t.
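The bookkeeping controls of item 1 (balanced debits and credits, multi-person authorisation of large transfers, and an alarm on unusual transaction patterns) as an added example; this is not the chapter's or any bank's code. The account names, the dual-control thresholds and the transactions are constructed for the demonstration.

```python
"""Branch bookkeeping controls as described for the bank: double entry so
money can only move, dual control on large transfers, and a pattern alarm.

Added example, not the bank's or the chapter's own code; account names,
thresholds and the transactions are constructed."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field
from decimal import Decimal

DUAL_CONTROL = Decimal("10000")     # above this a second person must authorise (assumed)
TRIPLE_CONTROL = Decimal("100000")  # above this a third person must authorise (assumed)


class ControlViolation(Exception):
    """Raised when a posting would break a bookkeeping control."""


@dataclass(frozen=True)
class Entry:
    account: str
    amount: Decimal  # positive = credit to the account, negative = debit from it


@dataclass
class Ledger:
    balances: dict[str, Decimal] = field(default_factory=lambda: defaultdict(Decimal))
    journal: list[tuple[int, str, Decimal]] = field(default_factory=list)  # (day, clerk, amount moved)

    def post(self, day: int, clerk: str, entries: list[Entry], approvers: tuple[str, ...] = ()) -> None:
        # Double entry: debits and credits in one transaction must net to zero,
        # so money can be moved between accounts but never created or destroyed.
        if sum(e.amount for e in entries) != 0:
            raise ControlViolation("unbalanced transaction: money would be created or destroyed")
        moved = sum(e.amount for e in entries if e.amount > 0)
        needed = 3 if moved > TRIPLE_CONTROL else 2 if moved > DUAL_CONTROL else 1
        people = {clerk, *approvers}  # the same person cannot count twice
        if len(people) < needed:
            raise ControlViolation(f"moving {moved} needs {needed} distinct people, got {len(people)}")
        for e in entries:
            self.balances[e.account] += e.amount
        self.journal.append((day, clerk, moved))

    def total(self) -> Decimal:
        """Sum of all balances; stays at zero under double entry."""
        return sum(self.balances.values(), Decimal(0))


def transfer(amount: Decimal, src: str, dst: str) -> list[Entry]:
    return [Entry(src, -amount), Entry(dst, amount)]


def structuring_alarm(journal, limit=DUAL_CONTROL, window=Decimal("0.10"), max_count=3):
    """Pattern alarm: flag (day, clerk) pairs with more than max_count transfers
    sitting just under the dual-control limit, a classic way of dodging it."""
    counts: dict[tuple[int, str], int] = defaultdict(int)
    for day, clerk, moved in journal:
        if limit * (1 - window) <= moved <= limit:
            counts[(day, clerk)] += 1
    return sorted(k for k, n in counts.items() if n > max_count)


def run_scenario() -> dict:
    """Exercise the controls on constructed transactions and report what each did."""
    ledger = Ledger()
    out = {}
    ledger.post(1, "clerk1", transfer(Decimal("500"), "cust:alice", "cust:bob"))
    try:
        ledger.post(1, "clerk1", [Entry("cust:bob", Decimal("500"))])  # credit with no debit
        out["unbalanced"] = "accepted"
    except ControlViolation:
        out["unbalanced"] = "rejected"
    try:
        ledger.post(1, "clerk1", transfer(Decimal("50000"), "cust:carol", "cust:dave"), approvers=("clerk1",))
        out["self_approved"] = "accepted"
    except ControlViolation:
        out["self_approved"] = "rejected"
    ledger.post(1, "clerk1", transfer(Decimal("50000"), "cust:carol", "cust:dave"), approvers=("manager",))
    out["dual_approved"] = "accepted"
    for _ in range(4):  # clerk2 splits a large movement into pieces just under the limit
        ledger.post(2, "clerk2", transfer(Decimal("9900"), "cust:erin", "cust:frank"))
    out["alarms"] = structuring_alarm(ledger.journal)
    out["total"] = ledger.total()
    out["bob"] = ledger.balances["cust:bob"]
    return out
```

The two procedural controls reject bad postings outright, while the alarm only reports: a pattern of just-under-limit transfers is suspicious rather than provably wrong, so it goes to a person to investigate, which is how the text describes the bank's alarm systems.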

Example 2 — A Military Base
Military systems have also been an important technology driver. They have motivated much of the academic
research that governments have funded into computer security in the last 20 years. As with banking, there is
not one single application but many.

1. Some of the most sophisticated installations are the electronic warfare systems whose goals include trying to
jam enemy radars while preventing the enemy from jamming yours. This area of information warfare is
particularly instructive because for decades, well-funded research labs have been developing sophisticated
counter measures, counter counter measures and so on — with a depth, subtlety and range of deception
strategies that are still not found elsewhere. As I write, in 2007, a lot of work is being done on adapting
jammers to disable improvised explosive devices that make life hazardous for allied troops in Iraq. Electronic
warfare has given many valuable insights: issues such as spoofing and service-denial attacks were live there
long before bankers and bookmakers started having problems with bad guys targeting their websites.

2. Military communication systems have some interesting requirements. It is often not sufficient to just
encipher messages: the enemy, on seeing traffic encrypted with somebody else’s keys, may simply locate the
transmitter and attack it. Low-probability-of-intercept (LPI) radio links are one answer; they use a number of
tricks that are now being adopted in applications such as copyright marking.
Covert communications are also important in some privacy applications, such as in defeating the Internet
censorship imposed by repressive regimes.

3. Military organizations have some of the biggest systems for logistics and inventory management, which
differ from commercial systems in having a number of special assurance requirements. For example, one may
have a separate stores management system at each different security level: a general system for things like jet
fuel and boot polish, plus a second secret system for stores and equipment whose location might give away
tactical intentions. (This is very like the businessman who keeps separate sets of books for his partners and for
the tax man, and can cause similar problems for the poor auditor.) There may also be intelligence systems and
command systems with even higher protection requirements. The general rule is that sensitive information may
not flow down to less restrictive classifications. So you can copy a file from a Secret stores system to a Top
Secret command system, but not vice versa. The same rule applies to intelligence systems which collect data
using wiretaps: information must flow up to the intelligence analyst from the target of investigation, but the
target must not know which of his communications have been intercepted. Managing multiple systems with
information flow restrictions is a hard problem and has inspired a lot of research. Since 9/11, for example, the
drive to link up intelligence systems has led people to invent search engines that can index material at multiple
levels and show users only the answers they are cleared to know.

4. The particular problems of protecting nuclear weapons have given rise over the last two generations to a lot
of interesting security technology, ranging from electronic authentication systems that prevent weapons being
used without the permission of the national command authority, through seals and alarm systems, to methods
of identifying people with a high degree of certainty using biometrics such as iris patterns. The civilian security
engineer can learn a lot from all this. For example, many early systems for inserting copyright marks into
digital audio and video, which used ideas from spread-spectrum radio, were vulnerable to desynchronisation
attacks that are also a problem for some spread-spectrum systems. Another example comes from munitions
management. There, a typical system enforces rules such as ‘Don’t put explosives and detonators in the same
truck’. Such techniques can be recycled in food logistics— where hygiene rules forbid raw and cooked meats
being handled together.
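The information-flow rule of item 3 (sensitive information may flow up to a higher classification, never down) and the multilevel search engine it mentions, as an added example rather than the chapter's own code. The systems, documents and clearances are constructed; compartments (a SIGINT caveat on the wiretap material) are included as the usual generalisation of plain levels, which the text itself does not discuss.

```python
"""Multilevel security for the stores, command and intelligence systems
described above: information may flow up to a higher classification but
never down, and a multilevel search shows users only what they are cleared for.

Added example, not from the chapter; the levels, documents and clearances are
constructed. Compartments (e.g. a SIGINT caveat) are added as the usual
generalisation of plain levels."""
from __future__ import annotations
from dataclasses import dataclass

LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self is at least as restrictive as other: higher-or-equal level
        and every compartment of other is also present on self."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def may_copy(source: Label, destination: Label) -> bool:
    """Copying is allowed only upwards: the destination must dominate the source."""
    return destination.dominates(source)


def may_read(clearance: Label, document: Label) -> bool:
    """No read up: a user sees a document only if their clearance dominates its label."""
    return clearance.dominates(document)


def multilevel_search(index: list[tuple[str, Label]], query: str, clearance: Label) -> list[str]:
    """Search an index holding material at several levels and return only the
    hits the user may read, so neither titles nor hit counts leak higher material."""
    q = query.lower()
    return [title for title, label in index if q in title.lower() and may_read(clearance, label)]


# Constructed systems and documents
STORES = Label("Secret")
COMMAND = Label("Top Secret")
SIGINT = Label("Top Secret", frozenset({"SIGINT"}))  # wiretap intelligence

INDEX = [
    ("Jet fuel and boot polish stock levels", Label("Unclassified")),
    ("Fuel depot positions for exercise", STORES),
    ("Fuel convoy timings", COMMAND),
    ("Intercepted call about fuel shipment", SIGINT),
]

if __name__ == "__main__":
    print(may_copy(STORES, COMMAND), may_copy(COMMAND, STORES))
    for who in (Label("Unclassified"), STORES, COMMAND, SIGINT):
        print(who.level, sorted(who.compartments), multilevel_search(INDEX, "fuel", who))
```

The wiretap case in the text falls out of the same rule: the intercept is readable by the SIGINT analyst because the analyst's label dominates the target's, while the target (an Unclassified label) can never read the intercept record, so they cannot learn which of their communications were collected.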

Example 3 — A Hospital
From soldiers and food hygiene we move on to healthcare. Hospitals have a number of interesting protection
requirements— mostly to do with patient safety and privacy.

1. Patient record systems should not let all the staff see every patient’s record, or privacy violations can be
expected. They need to implement rules such as ‘nurses can see the records of any patient who has been cared
for in their department at any time during the previous 90 days’. This can be hard to do with traditional
computer security mechanisms as roles can change (nurses move from one department to another) and there
are cross-system dependencies (if the patient records system ends up relying on the personnel system for
access control decisions, then the personnel system may just have become critical for safety, for privacy or for
both).

2. Patient records are often anonymized for use in research, but this is hard to do well. Simply encrypting
patient names is usually not enough as an enquiry such as ‘show me all records of 59 year old males who were
treated for a broken collarbone on September 15th 1966’ would usually be enough to find the record of a
politician who was known to have sustained such an injury at college. But if records cannot be anonymized
properly, then much stricter rules have to be followed when handling the data, and this increases the cost of
medical research.

3. Web-based technologies present interesting new assurance problems in healthcare. For example, as
reference books — such as directories of drugs — move online, doctors need assurance that life-critical data,
such as the figures for dosage per body weight, are exactly as published by the relevant authority, and have not
been mangled in some way. Another example is that as doctors start to access patients’ records from home or
from laptops or even PDAs during house calls, suitable electronic authentication and encryption tools are
starting to be required.

4. New technology can introduce risks that are just not understood. Hospital administrators understand the
need for backup procedures to deal with outages of power, telephone service and so on; but medical
practice is rapidly coming to depend on the net in ways that are often not documented. For example,
hospitals in Britain are starting to use online radiology systems: X-rays no longer travel from the X-ray
machine to the operating theatre in an envelope, but via a server in a distant town. So a network failure
can stop doctors operating just as much as a power failure. All of a sudden, the Internet turns into a
safety-critical system, and denial-of-service attacks might kill people.
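The ward-access rule from item 1, with the department assignment looked up in a separate personnel system, as an added example (not the chapter's or any hospital's code). Staff, patients, departments and dates are constructed; the 90-day window is the one the text quotes.

```python
"""The rule 'nurses can see the records of any patient who has been cared for
in their department at any time during the previous 90 days', with the nurse's
department fetched from the personnel system, which thereby becomes part of
the access-control decision.

Added example, not from the chapter; staff, patients, departments and dates
are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

WINDOW = timedelta(days=90)


@dataclass(frozen=True)
class Assignment:      # a row in the personnel system
    staff: str
    department: str
    start: date
    end: date | None   # None = current posting


@dataclass(frozen=True)
class CareEpisode:     # a row in the patient records system
    patient: str
    department: str
    on: date


def department_on(personnel: list[Assignment], staff: str, when: date) -> str | None:
    """Which department the nurse belonged to on a given day, per the personnel system."""
    for a in personnel:
        if a.staff == staff and a.start <= when and (a.end is None or when < a.end):
            return a.department
    return None


def can_view(personnel, episodes, nurse: str, patient: str, today: date) -> bool:
    """Allow only if the nurse's *current* department cared for the patient in
    the last 90 days. Unknown department (personnel data missing) fails closed."""
    dept = department_on(personnel, nurse, today)
    if dept is None:
        return False
    return any(e.patient == patient and e.department == dept
               and today - WINDOW <= e.on <= today for e in episodes)


# Constructed data: nurse N1 moved from Cardiology to Oncology on 1 March 2024.
PERSONNEL = [
    Assignment("N1", "Cardiology", date(2023, 1, 1), date(2024, 3, 1)),
    Assignment("N1", "Oncology", date(2024, 3, 1), None),
]
EPISODES = [
    CareEpisode("P1", "Cardiology", date(2024, 2, 20)),
    CareEpisode("P2", "Oncology", date(2023, 11, 1)),
    CareEpisode("P3", "Oncology", date(2024, 2, 10)),
]


def decisions(nurse: str, day_iso: str) -> dict[str, bool]:
    """Access decision for every patient on one day (ISO date string)."""
    today = date.fromisoformat(day_iso)
    return {e.patient: can_view(PERSONNEL, EPISODES, nurse, e.patient, today) for e in EPISODES}


if __name__ == "__main__":
    for day in ("2024-02-25", "2024-03-05"):
        print(day, decisions("N1", day))
```

Run on the constructed data, the nurse sees P1 on 25 February but loses that access on 5 March, after moving departments, and gains access to P3 instead; P2's episode is older than the window. The cross-system dependency is visible in the fail-closed branch: if the personnel system cannot say which department the nurse is in, the records system must refuse rather than guess.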
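Item 2's point that hiding names is not anonymisation, shown on a constructed table: after the names are replaced by an opaque token the enquiry from the text still singles out one record, and only coarsening the other fields (age bands, year instead of date) gives every record at least one look-alike. This is an added example, not the chapter's own code; the records describe no real people and a salted hash stands in for the "encrypted" name.

```python
"""Why 'just encrypt the names' does not anonymise patient records: a
pseudonymised table can still be queried by quasi-identifiers (sex, age,
diagnosis, date) down to a single person. Generalising those fields until
every combination is shared by at least k records (k-anonymity) is one remedy.

Added example, not from the chapter; the records are constructed and the
'encryption' of names is stood in for by a salted hash."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass, replace
from datetime import date
import hashlib

SALT = b"constructed-salt-for-this-example"


@dataclass(frozen=True)
class Record:
    name: str
    sex: str
    age: int | str      # int in raw data, "55-59" style band once generalised
    injury: str
    on: date | int      # full date in raw data, year once generalised


def pseudonymise(records: list[Record]) -> list[Record]:
    """Replace the name with an opaque token; every other field stays as-is."""
    return [replace(r, name=hashlib.sha256(SALT + r.name.encode()).hexdigest()[:12]) for r in records]


def generalise(r: Record) -> Record:
    """Coarsen the quasi-identifiers: age to a 5-year band, date to its year."""
    lo = (r.age // 5) * 5
    return replace(r, age=f"{lo}-{lo + 4}", on=r.on.year)


def find(records: list[Record], **criteria) -> list[Record]:
    """The enquiry from the text: match on any combination of fields."""
    return [r for r in records if all(getattr(r, k) == v for k, v in criteria.items())]


def min_k(records: list[Record]) -> int:
    """Smallest group size sharing the same quasi-identifier tuple (1 = someone is unique)."""
    groups = Counter((r.sex, r.age, r.injury, r.on) for r in records)
    return min(groups.values())


# Constructed records (no real people)
RAW = [
    Record("Person A", "M", 59, "broken collarbone", date(1966, 9, 15)),
    Record("Person B", "M", 57, "broken collarbone", date(1966, 3, 2)),
    Record("Person C", "F", 34, "broken wrist", date(1972, 5, 1)),
    Record("Person D", "F", 31, "broken wrist", date(1972, 8, 10)),
    Record("Person E", "M", 59, "sprained ankle", date(1966, 9, 15)),
    Record("Person F", "M", 56, "sprained ankle", date(1966, 1, 4)),
]
PSEUDONYMISED = pseudonymise(RAW)
GENERALISED = [generalise(r) for r in PSEUDONYMISED]

if __name__ == "__main__":
    hit = find(PSEUDONYMISED, sex="M", age=59, injury="broken collarbone", on=date(1966, 9, 15))
    print("records matching the enquiry after pseudonymisation:", len(hit))  # one: re-identified
    print("k before:", min_k(PSEUDONYMISED), "k after generalisation:", min_k(GENERALISED))
```

The trade-off the text names is visible too: the generalised table can no longer answer "59-year-olds treated on 15 September 1966", only "55-59-year-olds treated in 1966", which is exactly the loss of research precision that makes proper anonymisation costly.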

Example 4 — The Home


You might not think that the typical family operates any secure systems. But consider the following.
1. Many families use some of the systems we’ve already described. You may use a web-based electronic
banking system to pay bills, and in a few years you may have encrypted online access to your medical records.
Your burglar alarm may send an encrypted ‘all’s well’ signal to the security company every few minutes,
rather than waking up the neighborhood when something happens.

2. Your car probably has an electronic immobilizer that sends an encrypted challenge to a radio transponder in
the key fob; the transponder has to respond correctly before the car will start. This makes theft harder and cuts
your insurance premiums. But it also increases the number of car thefts from homes, where the house is
burgled to get the car keys. The really hard edge is a surge in car-jackings: criminals who want a getaway car
may just take one at gunpoint.

3. Early mobile phones were easy for villains to ‘clone’: users could suddenly find their bills inflated by
hundreds or even thousands of dollars. The current GSM digital mobile phones authenticate themselves to the
network by a cryptographic challenge-response protocol similar to the ones used in car door locks and
immobilizers.

4. Satellite TV set-top boxes decipher movies so long as you keep paying your subscription. DVD players use
copy control mechanisms based on cryptography and copyright marking to make it harder to copy disks (or to
play them outside a certain geographic area). Authentication protocols can now also be used to set up secure
communications on home networks (including WiFi, Bluetooth and HomePlug).

5. In many countries, households who can’t get credit can get prepayment meters for electricity and gas, which
they top up using a smartcard or other electronic key which they refill at a local store. Many universities use
similar technologies to get students to pay for photocopier use, washing machines and even soft drinks.

6. Above all, the home provides a haven of physical security and seclusion. Technological progress will impact
this in many ways. Advances in locksmithing mean that most common house locks can be defeated easily;
does this matter? Research suggests that burglars aren’t worried by locks as much as by occupants, so perhaps
it doesn’t matter much— but then maybe alarms will become more important for keeping intruders at bay
when no-one’s at home. Electronic intrusion might over time become a bigger issue, as more and more devices
start to communicate with central services. The security of your home may come to depend on remote systems
over which you have little control.
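Two of the home protocols mentioned above (the immobiliser's challenge-response between car and key fob in item 2, and the burglar alarm's periodic authenticated "all's well" signal from item 1, which is also how the bank's branch alarms were described earlier), as an added example. It is not the chapter's code and not any vendor's protocol; the shared key and the messages are constructed, and HMAC-SHA256 is used as the keyed function in both.

```python
"""Challenge-response for the immobiliser and an authenticated heartbeat for
the alarm. A keyed MAC ties each answer to a fresh challenge (or a sequence
number), so a recorded message cannot be replayed and a forged one is rejected.

Added example, not from the chapter and not any vendor's protocol; the key
and messages are constructed."""
import hashlib
import hmac
import secrets


def tag(key: bytes, *parts) -> bytes:
    """HMAC-SHA256 over length-delimited parts so fields cannot run into each other."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        b = p if isinstance(p, bytes) else str(p).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return h.digest()


class Transponder:
    """The key fob: answers a challenge with a MAC under the shared key."""
    def __init__(self, key: bytes):
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        return tag(self.key, b"immobiliser", challenge)


class Immobiliser:
    """The car: issues a fresh random challenge and checks the answer once."""
    def __init__(self, key: bytes):
        self.key = key
        self.pending = None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    def verify(self, response: bytes) -> bool:
        if self.pending is None:
            return False
        expected = tag(self.key, b"immobiliser", self.pending)
        self.pending = None              # a challenge can be answered only once
        return hmac.compare_digest(response, expected)


class AlarmPanel:
    """Sends numbered, authenticated status messages every few minutes."""
    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0

    def heartbeat(self, status: str = "all's well") -> tuple:
        self.seq += 1
        return (self.seq, status, tag(self.key, b"alarm", self.seq, status))


class MonitoringCentre:
    """Accepts a message only if its MAC verifies and its number is newer than the last."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0

    def accept(self, message: tuple) -> bool:
        seq, status, mac = message
        if seq <= self.last_seq:
            return False                 # replayed or reordered
        if not hmac.compare_digest(mac, tag(self.key, b"alarm", seq, status)):
            return False                 # forged or tampered
        self.last_seq = seq
        return True


def run_scenario(key: bytes = b"constructed-shared-key") -> dict:
    """Legitimate use, then replay and forgery attempts, for both protocols."""
    car, fob = Immobiliser(key), Transponder(key)
    c1 = car.challenge()
    r1 = fob.respond(c1)
    out = {"fob_ok": car.verify(r1)}
    car.challenge()                            # a new challenge is issued...
    out["replayed_response"] = car.verify(r1)  # ...so the recorded answer fails
    c3 = car.challenge()
    out["wrong_key"] = car.verify(Transponder(b"other-key").respond(c3))

    panel, centre = AlarmPanel(key), MonitoringCentre(key)
    m1 = panel.heartbeat()
    out["heartbeat_ok"] = centre.accept(m1)
    out["replayed_heartbeat"] = centre.accept(m1)
    out["forged_heartbeat"] = centre.accept((m1[0] + 1, "all's well", bytes(32)))
    out["alarm_delivered"] = centre.accept(panel.heartbeat("intruder"))
    out["stale_all_well"] = centre.accept(m1)
    return out
```

Note the two different freshness mechanisms: the car holds a random nonce it will accept an answer to exactly once, whereas the alarm uses a monotonically increasing counter so that the centre can also notice a missing heartbeat, which is what lets it treat silence (a cut line) as an event rather than as "all's well".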

***********************************************************************************
