RUC-501 (Cyber Security)

Cyber security refers to the protection of Internet-connected systems, including hardware, software
and data, from cyber attacks. Cyber security focuses on protecting computers, networks, programs
and data from unintended or unauthorized access, change or destruction.

The general security objectives comprise the following:

(i) Availability
(ii) Integrity, which may include authenticity and non-repudiation
(iii) Confidentiality

Need of Cyber Security

We are living in a digital era. Whether we are booking a hotel room, a seat in a restaurant, or even
a cab, we use the Internet and constantly generate data. This data is generally saved in the cloud,
that is, on huge data servers or data centers that can be accessed online. So with tons of data to
exploit, hackers are having their golden time. This vulnerability raises the need for security
that can strengthen these systems.

Information System

An information system is a set of interrelated elements or components that collect (input),
manipulate (process) and disseminate (output) data and information, and provide a feedback
mechanism to meet an objective.

Information systems and technologies have become a vital component of successful business
organizations.

Examples: University admission process, bank systems.

The major components of Information Systems

1. Users
2. Hardware
3. Software
4. Database
5. Set of Methods

Types of Information System

1. Transaction Processing System
2. Management Information System
3. Workflow System
4. Decision Support System
5. Expert System

1. Transaction Processing System

A transaction processing system is an information system for business transactions involving the
collection, modification and retrieval of all transaction data. E.g. airline reservation system,
electronic transfer of funds, bank account processing.

Transaction: Transactions are the basic business operations in an organization, such as customer
orders, purchase orders, receipts, time cards, invoices, and payroll checks.

Types of TPS

i. Batch Processing System

Batch processing is where the information is collected and stored as a batch but not processed
immediately. Batch processing is useful for enterprises that need to process large amounts of data
using limited resources. Example: Payment by cheque, credit card transactions, etc.

ii. Online Transaction Processing (OLTP)

OLTP is a system in which each transaction is processed immediately, without the delay of
accumulating transactions into batches. Requests raised by a customer or any other person
are processed instantly by the system.
In OLTP, any failure of the online systems becomes a costly overhead, as all the data requested is
retrieved and stored online.
E.g. ATMs, Railway Reservation.

2. Management Information System

MIS is used in those organizations where information is required in the form of reports and
presentations by management to take decisions. An MIS gathers data from multiple online
systems, analyzes the information, and reports data to aid in management decision-making.
TPS is only concerned with processing a business transaction. In MIS, the requirement is much
higher, as different areas like accounts, inventory, sales, purchase, marketing etc. need to be
tightly integrated to provide collective information to management.

3. Workflow Management System

A workflow management system (WFMS) is a software system for the set-up, performance and
monitoring of a defined sequence of tasks, arranged as a workflow. A WFMS helps to define,
administer and coordinate different business processes. These systems are used to manage and
control the interrelated activities required to achieve a business goal. A workflow system operates
by performing a set of tasks in a predefined manner.

4. Decision Support Systems

A decision support system (DSS) is an information system that supports business or
organizational decision-making activities. A DSS analyzes business data and presents it in such a
way that the user can make business decisions more easily.
Three defining characteristics of DSSs are:

1. An easy-to-use interactive interface
2. Models that enable sensitivity analysis, what-if analysis, goal seeking, and risk analysis
3. Data from multiple sources - internal and external sources plus data added by the decision maker,
who may have insights relevant to the decision situation

What-if analysis refers to changing assumptions or data in the model to see the impacts of the
changes on the outcome.

The main difference between a management information system and a decision support system is that
MIS supports structured decision making while DSS provides support for unstructured or
semi-structured decisions. MIS provides reports such as daily, weekly, and quarterly reports of
employee working hours, whereas DSS supports unstructured and semi-structured decisions such as
whether to make, buy or outsource products, or what new products to develop and introduce into
existing markets.

Example- If Management needs to decide which product company should be or which
discontinued, then DSS is used.

MIS provides information to support lower and middle layer managerial decisions or operations.
DSS provides information to support specific situations.

MIS uses a large volume of data as the input and gives out a summarized report. DSS uses a low
volume of data and the output is decision analysis.

5. Expert System

An expert system is an information system that emulates the decision-making ability of a human
expert. Expert systems are designed to solve complex problems by reasoning through bodies of
knowledge, represented mainly as if–then rules rather than through conventional procedural code.
These systems use Artificial Intelligence to solve problems that require human expertise.

An expert system is divided into 2 subsystems:

1. The Inference Engine- It applies the rules to the known facts to deduce new facts.
2. The Knowledge Base- It represents facts and rules, e.g. if-then rules.

Example-

MYCIN is an expert system which provides expert guidance to individuals for medical diagnosis.
MYCIN uses artificial intelligence to identify bacteria causing infections, and to recommend
antibiotics.
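
The two subsystems described above can be shown in a few lines. This is an added example, not part of the original notes: a knowledge base of if-then rules and an inference engine that applies them to known facts until no new fact can be deduced (forward chaining). The rules and fact names are constructed for illustration and describe a login-alert triage decision.

```python
# Knowledge base: each rule is (conditions, conclusion), read as
# "IF all conditions are known facts THEN the conclusion is a fact".
# Constructed rules; deliberately listed out of order so that the engine
# needs several passes to chain them together.
RULES = [
    ({"suspected_account_takeover", "privileged_account"},
     "escalate_to_incident_response"),
    ({"possible_password_guessing", "login_from_new_location"},
     "suspected_account_takeover"),
    ({"many_failed_logins", "login_success_after_failures"},
     "possible_password_guessing"),
    ({"malware_alert", "host_is_server"},
     "isolate_host"),
]


def infer(facts, rules=RULES):
    """Inference engine: apply the rules to the known facts until no new
    fact is deduced. Returns (all known facts, trace of deductions)."""
    known = set(facts)
    trace = []
    changed = True
    while changed:                      # repeat until a pass adds nothing
        changed = False
        for conditions, conclusion in rules:
            # A rule fires when every condition is already a known fact.
            if conclusion not in known and conditions <= known:
                known.add(conclusion)
                trace.append((sorted(conditions), conclusion))
                changed = True
    return known, trace


if __name__ == "__main__":
    # Constructed input facts for one alert.
    observed = {
        "many_failed_logins",
        "login_success_after_failures",
        "login_from_new_location",
        "privileged_account",
    }
    known, trace = infer(observed)
    for conditions, conclusion in trace:
        print("IF", " AND ".join(conditions), "THEN", conclusion)
```

The trace doubles as the explanation of how a conclusion was reached, listing each rule that fired in order.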

Development Cycle of Information System

The systems development life cycle (SDLC) is the traditional systems development method used
by most organizations today. The SDLC is a structured framework that consists of sequential
processes by which information systems are developed. The SDLC includes the following steps:

1. System investigation
2. Systems analysis
3. Systems design
4. Development
5. Testing and Integration
6. Implementation
7. Operation and maintenance

1. System Investigation
It is the first stage of information system development cycle. The purpose of this phase is to find out
the scope of the problem and determine solutions. Resources, time, cost, benefits are considered in
this step.
The preliminary investigation includes the following tasks:
a. List problems, opportunities and directives.
b. Negotiate preliminary scope.
c. Assess project worth.
d. Plan the project.
e. Present the project and plan.

1.1 Feasibility study


The next task in the systems investigation stage is the feasibility study. The feasibility study
determines the probability of success of the proposed systems development project and assesses the
project’s technical, economic, and behavioral feasibility. The feasibility study is critically important
to the systems development process because, done properly, the study can prevent organizations
from making costly mistakes (like creating systems that will not work, will not work efficiently, or
that people can’t or won’t use).

Types of feasibility-

1. Technical feasibility
Technical feasibility determines if the hardware, software, and communications components can be
developed and/or acquired to solve the business problem. Technical feasibility also determines if
the organization’s existing technology can be used to achieve the project’s performance objectives.

2. Economic feasibility
Economic feasibility determines if the project is an acceptable financial risk and if the organization
can afford the expense and time needed to complete the project.

3. Behavioral feasibility.
Behavioral feasibility addresses the human issues of the project. All systems development projects
introduce change into the organization, and people generally fear change. In fact, employees may
overtly or covertly resist a new system.

The result of the investigation phase is the System Requirement Specification. A software
requirements specification (SRS) is a detailed description of a software system to be developed,
with its functional and non-functional requirements.
A functional requirement specifies what the system should do. A non-functional requirement is
a requirement that specifies criteria that can be used to judge the operation of a system, rather than
specific behaviors.
A system may be required to present the user with a display of the number of records in a database.
This is a functional requirement. How up-to-date this number needs to be is a non-functional
requirement. If the number needs to be updated in real time, the system architects must
ensure that the system is capable of updating the displayed record count within an acceptably short
interval of the number of records changing.

2. System Analysis
It is an in-depth study of end user information needs that produces functional requirements that are
used as the basis for the design of a new information system. This stage defines the business
problem, identifies its causes, specifies the solution, and identifies the information requirements that
the solution must satisfy.
The systems analysis stage produces the following information:
• Strengths and weaknesses of the existing system
• Functions that the new system must have to solve the business problem
• User information requirements for the new system
The output of system analysis is the set of functional requirements.

3. System Design
Systems analysis describes what a system must do to solve the business problem, and systems
design describes how the system will accomplish this task. The deliverable of the systems
design phase is the technical design that specifies the following:-
• System outputs, inputs, and user interfaces
• Hardware, software, databases, telecommunications, personnel, and procedures
• How these components are integrated

System design can be viewed as the design of user interface, data, process and system specification.
The output of system design is the set of system specifications.

Systems design encompasses two major aspects of the new system:

• Logical systems design states what the system will do, with abstract specifications. Logical
design specifications include the design of outputs, inputs, processing, databases,
telecommunications, controls, security.
• Physical systems design states how the system will perform its functions, with actual physical
specifications. Physical design specification includes the design of hardware, software, database,
telecommunications, and procedures.

For example, the logical telecommunications design may call for a wide area network connecting
the company’s plants. The physical telecommunications design will specify the types of
communications hardware (e.g., computers and routers), software (e.g., the network operating
system), media (e.g., fiber optics and satellite), and bandwidth (e.g., 100 Mbps).

4. Development
Systems developers utilize the system specifications to acquire the software needed for the system
to meet its functional objectives and solve the business problem. Organizations may buy the
software or construct it in-house. Although many organizations tend to purchase packaged software,
many other firms continue to develop custom software in-house.

For example, Wal-Mart builds practically all their software in-house. The chief benefit of custom
developed software is that the systems are better suited than packaged applications to an
organization’s new and existing business process needs. For many organizations, custom software
is more expensive than packaged applications. But if a packaged application does not closely fit the
company's needs, then the savings are often diluted when programmers have to extend the
functionality of the purchased packages.

5. Testing and Integration

In this phase, all the subsystems are integrated and then tested with some predefined input set. The
output of the newly developed system is compared with the expected output. If both outputs match,
then the product is sent to the next phase; otherwise the developers work on the application again
until the desired results are produced. Testing and development execute side by side. Throughout the
development stage, testing is done from time to time as and when required.

6. Implementation

When the output of the developed system meets the desired output, the product is ready for the
implementation phase. In this phase, the newly developed application is transitioned to the
production environment where it is intended to be used by its end users. After the application
implementation is completed, full documentation of the design and functionality of the application
is produced for future reference.

7. Operation and Maintenance

Once a system is fully implemented and is being operated by end users, the maintenance function
begins. Systems maintenance is the monitoring, evaluating and modifying of an operational
information system to make desirable or necessary improvements.

Introduction to Information Security

Information security: a “well defined sense of assurance that the information risks and controls are
in balance.”-- James Anderson.
Three basic security elements important to information security are confidentiality, integrity, and
availability. Elements relating to the people who use that information are authentication,
authorization, and non-repudiation.

Confidentiality
Confidentiality is the assurance that information is shared only among authorized persons or
organizations.
Measures undertaken to ensure confidentiality are designed to prevent sensitive information from
reaching the wrong people, while making sure that the right people can in fact get it. When
information is read or copied by someone not authorized to do so, the result is known as loss of
confidentiality. For some types of information, confidentiality is a very important attribute.

Examples include research data, medical and insurance records, new product specifications, and
corporate investment strategies.
Measures taken to ensure confidentiality are encryption of the data and limiting the places where it
might appear.

Integrity
Integrity means assurance that the information is authentic and complete. Data integrity means
maintaining and assuring the accuracy and consistency of data over its entire life-cycle.
Information can be corrupted when it is available on an insecure network. When information is
modified in unexpected ways, the result is known as loss of integrity. This means that unauthorized
changes are made to information, whether by human error or intentional tampering. Integrity is
particularly important for critical safety and financial data used for activities such as electronic
funds transfers, air traffic control, and financial accounting.
Measures taken to ensure integrity are message authentication and integrity codes.
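
As an added example (not part of the original notes), the sketch below attaches a message authentication code to a funds-transfer message and shows that verification rejects a modified copy. The message fields, account identifiers and the in-memory key are constructed assumptions; HMAC-SHA256 from the Python standard library is used as the integrity code.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Shared secret between sender and receiver. Generated in memory here for the
# example; in practice it would come from a key store, never from source code.
KEY = secrets.token_bytes(32)


def protect(message: dict, key: bytes) -> dict:
    """Serialize the message canonically and attach an HMAC-SHA256 tag."""
    body = json.dumps(message, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": tag}


def verify(envelope: dict, key: bytes) -> Optional[dict]:
    """Return the message if its tag is valid, otherwise None.

    The tag is recomputed over the exact bytes received and compared in
    constant time, so neither a modified body nor a guessed tag is accepted.
    """
    expected = hmac.new(key, envelope["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), envelope["mac"].encode()):
        return None
    return json.loads(envelope["body"])


def tampered_copy(envelope: dict) -> dict:
    """Simulate loss of integrity in transit: the amount is changed but the
    tag is left as it was, because the party modifying it has no key."""
    message = json.loads(envelope["body"])
    message["amount"] = message["amount"] * 100
    body = json.dumps(message, sort_keys=True, separators=(",", ":"))
    return {"body": body, "mac": envelope["mac"]}


if __name__ == "__main__":
    # Constructed sample transfer.
    transfer = {"from": "ACC-1001", "to": "ACC-2002", "amount": 250}
    sent = protect(transfer, KEY)
    print("intact  :", verify(sent, KEY))
    print("modified:", verify(tampered_copy(sent), KEY))
```

Because both parties hold the same key, a MAC lets the receiver detect modification but does not by itself provide non-repudiation; that requires a digital signature made with a key only the sender holds.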

Availability
Availability is the assurance that the systems responsible for delivering, storing and processing
information are accessible when needed, by those who need them. Availability of information refers
to ensuring that authorized parties are able to access the information when needed.
Information can be erased or become inaccessible, resulting in loss of availability. This means that
people who are authorized to get information cannot get what they need. Availability is often the
most important attribute in service-oriented businesses that depend on information (for example,
airline schedules and online inventory systems). Availability of the network itself is important to
anyone whose business or education relies on a network connection. When users cannot access the
network or specific services provided on the network, they experience a denial of service.

Measures taken to ensure availability are backing up of information into a new system.

Authentication and Authorization

To make information available to those who need it and who can be trusted with it, organizations
use authentication and authorization.
Authentication is a process of proving that a user is the person he or she claims to be. That proof
may involve something the user knows (such as a password), something the user has (such as a
“smartcard”), or something about the user that proves the person’s identity (such as a fingerprint).
Authorization is the act of determining whether a particular user (or computer system) has the right
to carry out a certain activity, such as reading a file or running a program. Authentication and
authorization go hand in hand. Users must be authenticated before carrying out the activity they are
authorized to perform.
Authentication means confirming your own identity while authorization means granting access to the
system.

Non-Repudiation
Security is strong when the means of authentication cannot later be refuted, that is, the user cannot
later deny that he or she performed the activity. This is known as non-repudiation.

Threats to Information System

Threats: An object, person or entity that represents constant danger to an asset.

Threats Classification

Threats can be classified into following categories:

1. Acts of Human Error or Failure / Inadvertent Acts
These are acts that happen by mistake. They are not deliberately performed.
Examples: Deviation from service quality, communication error.

2. Deliberate Acts of Espionage or Trespass
These are acts in which protected information is accessed by unauthorized individuals.
Example- Shoulder surfing, which can occur anywhere a person accesses confidential information.
Hackers use skill and fraud to bypass the controls protecting others’ information.

3. Deliberate Acts of Theft
These acts include the illegal taking of another’s physical, electronic, or intellectual property.
Physical theft is controlled relatively easily. Electronic theft is a more complex problem, since
evidence of the crime is not readily apparent.

4. Deliberate Software Attacks
Malicious software (malware) is designed to damage, destroy, or deny service to target systems.
Examples- Viruses, worms, Trojan horses, logic bombs, back doors, denial-of-service attacks, and
zero-day exploits.

5. Forces of Nature
Natural disasters are among the most dangerous threats because they are unexpected and come
with no warning. They disrupt not only individual lives, but also the storage, transmission, and use
of information.

6. Management Failures
These failures happen when management deviates from delivering quality of service. Example-
Situations where products or services are not delivered as expected.

7. Technical Failure
Technical failures are classified into two types:
Technical Hardware Failure- It occurs when a manufacturer distributes equipment with flaws that
may be known or unknown to the manufacturer.

Technical Software Failure- It occurs when there is some problem in the source code of the software.
Examples- Bugs, unknown loopholes, zero-day exploits.
These can cause the system to perform in an undesirable or unexpected way. Some of these are
unrecoverable while some occur periodically.

| Category of Threats | Examples |
| --- | --- |
| 1. Acts of Human Error or Failure | Accidents, Employee Mistakes |
| 2. Deliberate Acts of Espionage or Trespass | Unauthorized individuals and/or data collection |
| 3. Deliberate Acts of Theft | Illegal confiscation of equipment or information |
| 4. Deliberate Software Attacks | Viruses, worms, Trojan horses, logic bombs, back doors, and denial-of-service attacks |
| 5. Forces of Nature | Fire, flood, earthquake, lightning |
| 6. Management Failures | Power and WAN services issues |
| 7. Technical Hardware Failure | Equipment Failure |
| 8. Technical Software Failure | Bugs, code error, unknown loophole |

Cyber Security and Information Assurance

Cyber Security
Cyber Security focuses on preventing and defending against cyber attacks that seek to damage
digital devices and their networks. The main work in cyber security is that of risk assessment and
management. Potential threats to computer networks are analyzed and evaluated to determine the
level of threat they pose. Preventing cyber attacks is an important part of a cyber security expert's
work.
Information Assurance
This field of work has been around a lot longer than cyber security. That's why it has a broader
focus. Information assurance deals with the protection of both digital and non-digital
information. This includes not just the data stored in a computer but also hard copy records. The
main job of an information assurance manager is to make sure that the information framework
within a particular organization performs according to expectations so that the information is
kept secure from non-authorized personnel.
Information assurance encompasses higher-level concepts such as strategy, law, policy, risk
management, training, and other disciplines that transcend a particular medium or domain.
Cyber security is a subset of information security, which itself is a sub-discipline of information
assurance.
Vulnerabilities are introduced into the information system at three points, namely the development,
design and distribution phases. The major stages involved in developing a vulnerability-free
information system are:
(i) Test the entity
(ii) Supervise the installation
(iii) Manage customer driven changes

[Figure: Test the Entity; Supervise the installation; Manage customer driven changes]

Fig1. Security in the software

Security Risk Analysis/ Security assessment

Security assessment identifies existing IT vulnerabilities and recommends countermeasures for
mitigating potential risks. Risk is an uncertainty about a consequence. There are three types of plan
for risk mitigation.
(i) Incident Response Plan (IRP) - Actions to take while an incident is in progress.
(ii) Disaster Recovery Plan (DRP) - It includes all the preparations for the recovery process and
strategies to limit losses during a disaster.
(iii) Business Continuity Plan (BCP) - It includes the activities to carry out if a catastrophic event occurs.

Types
• Non-Intrusive
1. Security Audit
2. Risk Assessment
3. Risk Analysis
• Intrusive
1. Vulnerability Scan
2. Penetration Testing / Ethical Hacking

1. Non-Intrusive Security Assessment
Compliance is fulfilling a set of standards. In the information security domain, International
Standard Organization has issued various standards providing important guidelines.
(i) Security Audit- An audit identifies non-compliance with accepted practice and identifies new
risks. If new risks are detected, the audit notifies the parties responsible for restoring conformity.
An audit is the verification of conformity with a particular strategy, plan, standard, regulation,
or guidelines.

[Figure: Best Practice Model; Comparison; Present Operation; Degree of Conformance; Specification of Preventive Measures]

Fig2. Analysis of Gap

(ii) Risk Assessment - Risk assessment has two procedures namely risk identification and risk
estimation.

Risk identification is done by comparing the current operation with the requirements of ideal
practice. Analysis of the risk identifies the gaps between the best practices specified by the
model and the current operations.

Risk estimation determines the probability and impact of the threats, as determined by risk
identification. The impact or severity of any threat is determined in the quantitative terms of
money and time lost. Risk estimation must state the probability of occurrence and the known cause
and effect relationship to each resource. If the rate of occurrence is high, then even if the harm
is minor, a countermeasure might make good business sense. A catastrophic threat is not
necessarily dangerous if it happens only once in several years. If the expense is greater than
any possible harm, then the countermeasure is not included in the security response.
In order to estimate the risk involved, the Annualized Loss Expectancy (ALE) is calculated.
ALE is defined as the monetary loss that can be expected for an asset due to a risk over
a one year period.
The formula for determining annualized loss expectancy is

ALE = Annual Rate of happening * Cost per happening

ALE is useful in prioritizing or comparing separate risk issues which often have different
frequencies and per-event impacts.
(iii) Risk Analysis - Risk analysis provides a cost/benefit comparison, which compares the
annualized cost of safeguards to the potential cost of loss. First the team must carry out the
project sizing to understand what assets and threats should be evaluated. Assessment is focussed
on physical security, technical security and personal security.
It is very difficult to quantify the values of intangible assets, which may change over time. If a
company finds out that the total or residual risk is too high, it may decide to buy insurance. And
if the risk is too low, it may decide to avoid the issue. Many companies go through risk
mitigation to decrease the level of risk to some acceptable level. For example, firewalls, training,
and intrusion detection systems are types of risk mitigation. Risk analysis can be
categorized into two types:

1. Qualitative Risk Analysis

Qualitative risk analysis is concerned with discovering the probability of risk occurrence and
the impact the risk will have if it does occur. Probability is the likelihood that the risk event will
occur and the impact is the significance of the consequence of the risk event.
Qualitative risk analysis is subjective, as it is carried out by individuals participating in a
project based on their personal perceptions of the risk likelihood and consequences. The purpose
of such analysis is to increase the awareness of the most likely and severe risks, identify weak
spots of a project and create risk responses to reduce the effect that these risks will have on a
project. Some of these techniques are:
• Brain Storming, Interviewing
• SWOT Analysis (Strengths, Weaknesses, Opportunities, and Threats analysis)
• Risk Rating Scale
Rating Scale- A qualitative risk analysis prioritizes the identified project risks using a
pre-defined rating scale. Risks are scored based on their probability or likelihood of occurring
and the impact on project objectives. Probability/likelihood is commonly ranked on a zero to one
scale.

2. Quantitative Risk Analysis

Quantitative risk analysis is a numerical analysis of the probability and impact of the highest risk
on the project. It is focused on creating realistic time and cost targets, and calculating the
probability of achieving project objectives. It further includes the following investigations:
- Determination of the type of probability distribution that will be used.
- Sensitivity Analysis- Determining which risks have the most impact on the project.
- Monte Carlo Analysis- Determining how much quantified risk the project has through
expected monetary value. The Monte Carlo method lets us see all the possible outcomes of our
decisions and assess the impact of risk, allowing for better decision making under uncertainty.

[Figure: Risk management and Planning; Risk Identification; Qualitative Risk Analysis; Quantitative Risk Analysis; Risk Response Planning; Risk Monitoring and Control]

Fig3. Risk Analysis
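
The ALE formula, the cost/benefit comparison of safeguards, and the Monte Carlo analysis described above can be worked through together. This is an added example, not part of the original notes: the risk register, all monetary figures and the safeguard effects are constructed, and the simulation assumes that incidents arrive at random at the stated annual rate and that the loss per incident follows a triangular distribution.

```python
import random
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    annual_rate: float          # expected occurrences per year
    cost_per_event: float       # loss per occurrence
    safeguard_cost: float       # annualized cost of the proposed countermeasure
    rate_with_safeguard: float  # expected occurrences per year with it in place

    @property
    def ale(self) -> float:
        # ALE = annual rate of happening * cost per happening
        return self.annual_rate * self.cost_per_event

    @property
    def net_benefit(self) -> float:
        # Loss avoided per year minus what the countermeasure costs per year.
        avoided = self.ale - self.rate_with_safeguard * self.cost_per_event
        return avoided - self.safeguard_cost


# Constructed risk register; every figure is illustrative.
REGISTER = [
    Risk("Laptop theft", 4, 3000, 2000, 1),
    Risk("Data centre flood", 0.25, 80000, 30000, 0.0625),   # once in 4 years
    Risk("Phishing-led account takeover", 12, 2000, 6000, 3),
]


def prioritise(register):
    """Rank risks by ALE so frequent-but-minor and rare-but-severe
    risks can be compared on one scale."""
    return sorted(register, key=lambda r: r.ale, reverse=True)


def worthwhile(register):
    """Countermeasures whose annual cost is less than the loss they avoid."""
    return [r.name for r in register if r.net_benefit > 0]


def simulate_annual_loss(rate, low, mode, high, trials=20000, seed=1):
    """Monte Carlo estimate of one year's loss for a single risk.

    Assumptions of this example: exponential gaps between incidents
    (mean `rate` per year) and a triangular loss per incident.
    Returns (mean annual loss, 95th-percentile annual loss).
    """
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        elapsed, loss = rng.expovariate(rate), 0.0
        while elapsed <= 1.0:               # incidents that fall inside the year
            loss += rng.triangular(low, high, mode)
            elapsed += rng.expovariate(rate)
        totals.append(loss)
    totals.sort()
    return sum(totals) / trials, totals[int(0.95 * trials)]


if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.name:32} ALE={r.ale:>9.0f}  net benefit={r.net_benefit:>9.0f}")
    print("Countermeasures worth funding:", worthwhile(REGISTER))
    # Phishing losses between 500 and 5000 per incident, most often 500
    # (mean 2000, matching cost_per_event in the register).
    mean, p95 = simulate_annual_loss(12, 500, 500, 5000)
    print(f"Simulated phishing loss: mean={mean:.0f}, 95th percentile={p95:.0f}")
```

The flood entry shows the point made under risk estimation: its ALE is the second highest, yet the countermeasure costs more per year than the loss it avoids, so it is left out. The 95th percentile from the simulation shows how far a bad year can exceed the ALE, which the single expected value hides.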

2. Intrusive Security Assessment

1. Vulnerability Scan- The network is scanned using automated tools to identify security holes.
These security holes could be internal or external to the system. Vulnerability
assessments are performed using an off-the-shelf software package, such as Nessus or OpenVAS,
to scan an IP address or range of IP addresses for known vulnerabilities.

In Nessus, we can learn the OS type of the remote system. For example, the software has signatures for
the Heartbleed bug or missing Apache web server patches and will scan the network and alert if
they are found. The Heartbleed bug allows anyone on the Internet to read the memory of the systems
protected by the vulnerable versions of the OpenSSL software. OpenSSL is a toolkit for the TLS and
SSL protocols that implements basic cryptographic functions using a general-purpose cryptography
library. Reading this memory compromises the secret keys used to identify the service providers,
which allows attackers to eavesdrop on communications, steal data directly from the services and
users, and impersonate services and users.

The software then produces a report that lists the vulnerabilities found and (depending on the
software and options selected) gives an indication of the severity of each vulnerability and basic
remediation steps. Scans can be scheduled daily, weekly, monthly or yearly. It’s important to keep
in mind that these scanners use a list of known vulnerabilities, meaning they are already known to
the security community, hackers and the software vendors. There are vulnerabilities that are
unknown to the public at large, and these scanners will not find them.

2. Penetration Scan

Penetration testing (pen-testing) is done to exploit the bug, discover the depth of the problem
and find out exactly what type of information could be revealed if it was exploited. Penetration
testing is designed to assess your security before an attacker does. Penetration testing tools
simulate real-world attack scenarios to discover and exploit security gaps that could lead to
stolen records or compromised credentials.

Process

A penetration test starts with the security professional enumerating the target network to
find vulnerable systems and/or accounts. This means scanning each system on the network
for open ports that have services running on them. It is extremely rare that an entire network
has every service configured correctly, properly password protected, and fully patched.
Once the penetration tester has a good understanding of the network and the vulnerabilities
that are present, he/she will use a penetration testing tool to exploit a vulnerability in order to
gain unwelcomed access. However, security professionals do not just target systems. Often,
a pen tester targets users on a network through phishing emails, pretext calling, or onsite
social engineering.
