CyberSecurity Unit 4

The document discusses the fundamental concepts of information security, emphasizing the need to protect sensitive information from unauthorized access and various security threats. It outlines the importance of a comprehensive approach to information security, including the principles of confidentiality, integrity, and availability, as well as the advantages and disadvantages of implementing an information classification system. Additionally, it highlights the security requirements for cloud computing and the rising threats in cybersecurity, such as intellectual property theft and cyber extortion.


UNIT - IV

Syllabus:
Information Security Basic Concepts, an Example of a Security Attack, Cloud Software
Security Requirements, Rising Security Threats. Data Security and Storage: Aspects of
Data Security, Data Security Mitigation, Provider Data and Its Security.

Information Security:

Information security is the practice of protecting information by mitigating information risks. It involves the protection of information systems and the information processed, stored and transmitted by these systems from unauthorized access, use, disclosure, disruption, modification or destruction. This includes the protection of personal information, financial information, and sensitive or confidential information stored in both digital and physical forms. Effective information security requires a comprehensive and multi-disciplinary approach, involving people, processes, and technology.

Information security is not only about securing information from unauthorized access. It is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. The information may be physical or electronic: your personal details, your profile on social media, the data on your mobile phone, your biometrics, and so on. Information security therefore spans many research areas, such as cryptography, mobile computing, cyber forensics and online social media.

During the First World War, a multi-tier classification system was developed with the sensitivity of information in mind. With the beginning of the Second World War, the classification system was formally aligned. Alan Turing was the one who successfully decrypted the Enigma machine, which the Germans used to encrypt warfare data.

Effective information security requires a comprehensive approach that considers all aspects of
the information environment, including technology, policies and procedures, and people. It also
requires ongoing monitoring, assessment, and adaptation to address emerging threats and
vulnerabilities.

Why do we use Information Security?

We use information security to protect valuable information assets from a wide range of threats,
including theft, espionage, and cybercrime. Information security is necessary to ensure the
confidentiality, integrity, and availability of information, whether it is stored digitally or in
other forms such as paper documents. Here are some key reasons why information security is
important:

1. Protecting sensitive information: Information security helps protect sensitive information from being accessed, disclosed, or modified by unauthorized individuals. This includes personal information, financial data, and trade secrets, as well as confidential government and military information.
2. Mitigating risk: By implementing information security measures, organizations can
mitigate the risks associated with cyber threats and other security incidents. This
includes minimizing the risk of data breaches, denial-of-service attacks, and other
malicious activities.
3. Compliance with regulations: Many industries and jurisdictions have specific
regulations governing the protection of sensitive information. Information security
measures help ensure compliance with these regulations, reducing the risk of fines and
legal liability.
4. Protecting reputation: Security breaches can damage an organization’s reputation and
lead to lost business. Effective information security can help protect an organization’s
reputation by minimizing the risk of security incidents.
5. Ensuring business continuity: Information security helps ensure that critical business
functions can continue even in the event of a security incident. This includes
maintaining access to key systems and data, and minimizing the impact of any
disruptions.

Information Security programs are built around 3 objectives, commonly known as CIA
(Confidentiality, Integrity, Availability).

1. Confidentiality – means information is not disclosed to unauthorized individuals, entities and processes. For example, I have a password for my Gmail account, but someone saw it while I was logging in to Gmail. In that case my password has been compromised and confidentiality has been breached.
2. Integrity – means maintaining the accuracy and completeness of data, so that data cannot be edited in an unauthorized way. For example, if an employee leaves an organization, the data for that employee in all departments, such as accounts, should be updated to reflect the status JOB LEFT so that the data is complete and accurate; in addition, only an authorized person should be allowed to edit employee data.
3. Availability – means information must be available when needed. For example, if one needs to access the record of a particular employee to check whether the employee has exceeded the number of leaves allowed, that requires collaboration between different organizational teams such as network operations, development operations, incident response and policy/change management. A denial-of-service attack is one of the factors that can hamper the availability of information.

Apart from these, further principles govern information security programs, beginning with non-repudiation.

 Non repudiation – means one party cannot deny receiving a message or a transaction, nor can the other party deny sending a message or a transaction. For example, in cryptography it is sufficient to show that the message matches the digital signature made with the sender’s private key, so that the sender could have sent the message and nobody else could have altered it in transit. Data integrity and authenticity are prerequisites for non-repudiation.

 Authenticity – means verifying that users are who they say they are and that each input arriving at the destination is from a trusted source. If followed, this principle guarantees that a valid and genuine message is received from a trusted source through a valid transmission. Taking the example above, the sender sends the message along with a digital signature generated from the hash value of the message and the sender’s private key. At the receiver’s side, the digital signature is decrypted with the public key, yielding a hash value, and the message is hashed again to produce a second hash value. If the two values match, the transmission is valid and the message received at the recipient’s side is authentic, or as we say, genuine.
 Accountability – means that it should be possible to trace the actions of an entity uniquely to that entity. For example, as discussed in the Integrity section, not every employee should be allowed to make changes to other employees’ data. A separate department in the organization is responsible for making such changes; when it receives a request for a change, the request letter must be signed by a higher authority (for example, the Director of a college), and the person allotted that change can make it only after verifying his biometrics, so the timestamp is recorded along with the details of the user making the change. If a change proceeds like this, its actions can be traced uniquely to an entity.

Advantages to implementing an information classification system in an organization’s information security program:

1. Improved security: By identifying and classifying sensitive information, organizations can better protect their most critical assets from unauthorized access or disclosure.
2. Compliance: Many regulatory and industry standards, such as HIPAA and PCI-DSS,
require organizations to implement information classification and data protection
measures.
3. Improved efficiency: By clearly identifying and labeling information, employees can
quickly and easily determine the appropriate handling and access requirements for
different types of data.
4. Better risk management: By understanding the potential impact of a data breach or
unauthorized disclosure, organizations can prioritize resources and develop more
effective incident response plans.
5. Cost savings: By implementing appropriate security controls for different types of
information, organizations can avoid unnecessary spending on security measures that
may not be needed for less sensitive data.
6. Improved incident response: By having a clear understanding of the criticality of
specific data, organizations can respond to security incidents in a more effective and
efficient manner.

There are some potential disadvantages to implementing an information classification system in an organization’s information security program:

1. Complexity: Developing and maintaining an information classification system can be complex and time-consuming, especially for large organizations with a diverse range of data types.
2. Cost: Implementing and maintaining an information classification system can be costly,
especially if it requires new hardware or software.
3. Resistance to change: Some employees may resist the implementation of an
information classification system, especially if it requires them to change their usual
work habits.
4. Inaccurate classification: Information classification is often done by humans, so it is possible that some information may be misclassified, which can lead to inadequate protection or unnecessary restrictions on access.
5. Lack of flexibility: Information classification systems can be rigid and inflexible,
making it difficult to adapt to changing business needs or new types of data.
6. False sense of security: Implementing an information classification system may give
organizations a false sense of security, leading them to overlook other important security
controls and best practices.
7. Maintenance: An information classification system should be reviewed and updated frequently; otherwise it becomes outdated and ineffective.

Uses of Information Security:

Information security has many uses, including:

1. Confidentiality: Keeping sensitive information confidential and protected from unauthorized access.
2. Integrity: Maintaining the accuracy and consistency of data, even in the presence of
malicious attacks.
3. Availability: Ensuring that authorized users have access to the information they need,
when they need it.
4. Compliance: Meeting regulatory and legal requirements, such as those related to data
privacy and protection.
5. Risk management: Identifying and mitigating potential security threats to prevent harm
to the organization.
6. Disaster recovery: Developing and implementing a plan to quickly recover from data
loss or system failures.
7. Authentication: Verifying the identity of users accessing information systems.
8. Encryption: Protecting sensitive information from unauthorized access by encoding it
into a secure format.
9. Network security: Protecting computer networks from unauthorized access, theft, and
other types of attacks.
10. Physical security: Protecting information systems and the information they store from
theft, damage, or destruction by securing the physical facilities that house these systems.

Issues of Information Security:

Information security faces many challenges and issues, including:

1. Cyber threats: The increasing sophistication of cyber-attacks, including malware, phishing, and ransomware, makes it difficult to protect information systems and the information they store.
2. Human error: People can inadvertently put information at risk through actions such as
losing laptops or smartphones, clicking on malicious links, or using weak passwords.
3. Insider threats: Employees with access to sensitive information can pose a risk if they
intentionally or unintentionally cause harm to the organization.
4. Legacy systems: Older information systems may not have the security features of
newer systems, making them more vulnerable to attack.
5. Complexity: The increasing complexity of information systems and the information
they store makes it difficult to secure them effectively.
6. Mobile and IoT devices: The growing number of mobile devices and internet of things
(IoT) devices creates new security challenges as they can be easily lost or stolen, and
may have weak security controls.
7. Integration with third-party systems: Integrating information systems with third-party
systems can introduce new security risks, as the third-party systems may have security
vulnerabilities.
8. Data privacy: Protecting personal and sensitive information from unauthorized access,
use, or disclosure is becoming increasingly important as data privacy regulations
become stricter.
9. Globalization: The increasing globalization of business makes it more difficult to
secure information, as data may be stored, processed, and transmitted across multiple
countries with different security requirements.

Security Attack:

Nearly every day brings a new headline about one high-profile data breach or another. But
many more incidents go unnoticed because organizations don't know how to detect them.

Here are some signs enterprises can look for to uncover security incidents:

Unusual behavior from privileged user accounts. Any anomalies in the behavior of a
privileged user account can indicate someone is using it to gain a foothold in a company's
network.

Unauthorized insiders trying to access servers and data. Many insiders test the waters to
determine exactly what resources they can access. Warning signs include unauthorized users
attempting to access servers and data, requesting access to data that isn't related to their jobs,
logging in at abnormal times from unusual locations or logging in from multiple locations in a
short time frame.

Anomalies in outbound network traffic. It's not just traffic that comes into a network that
organizations should worry about. Organizations should monitor for traffic leaving their
systems as well. This could include insiders uploading large files to personal cloud applications;
downloading large files to external storage devices, such as USB flash drives; or sending large
numbers of email messages with attachments outside the company.

Traffic sent to or from unknown locations. For a company that only operates in one country,
any traffic sent to other countries could indicate malicious activity. Administrators should
investigate any traffic to unknown networks to ensure it's legitimate.

Excessive consumption. An unexplained increase in the use of server memory or disk space may mean an attacker is using those resources illegitimately.

Changes in configuration. Changes that haven't been approved, including reconfiguration of services, installation of startup programs or firewall changes, are a sign of possible malicious activity. The same is true of scheduled tasks that have been added.

Hidden files. These can be considered suspicious because of their file names, sizes or locations,
which indicate the data or logs may have been leaked.

Unexpected changes. These include user account lockouts, password changes or sudden
changes in group memberships.

Abnormal browsing behavior. This could be unexpected redirects, changes in the browser
configuration or repeated pop-ups.

Suspicious registry entries. This happens mostly when malware infects Windows systems. It's
one of the main ways malware ensures it remains in an infected system.
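
As an added example, not from the original notes, a small detector that applies three of the signs listed above (logins at abnormal times, logins from an unusual location, and logins from multiple locations in a short time frame, with privileged accounts escalated) to a constructed authentication log. The home country, working hours, privileged account names and the log format are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Assumptions for this example (not from the original notes):
HOME_COUNTRY = "IN"                  # the company operates only in this country
WORK_HOURS = (8, 20)                 # logins outside 08:00-20:00 count as abnormal times
TRAVEL_WINDOW = timedelta(hours=1)   # two countries within this window = "multiple locations"
PRIVILEGED = {"svc_admin", "root"}   # privileged accounts get a higher severity

# Constructed sample log, one event per line: "<ISO timestamp> <user> <source country> <outcome>"
SAMPLE_AUTH_LOG = """\
2024-03-04T09:12:00 alice IN success
2024-03-04T09:40:00 bob IN success
2024-03-04T02:15:00 svc_admin IN success
2024-03-04T10:05:00 carol IN success
2024-03-04T10:20:00 carol DE success
2024-03-04T14:00:00 dave IN failure
2024-03-04T23:30:00 bob IN success
"""


def parse_log(text: str) -> list:
    """Turn the space-separated lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, outcome = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "country": country, "outcome": outcome})
    return events


def detect_suspicious_logins(events: list) -> list:
    """Return (severity, rule, user, detail) tuples for successful logins that match a sign."""
    alerts = []
    last_login = {}   # user -> (time, country) of that user's previous successful login
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["outcome"] != "success":
            continue      # failed attempts deserve their own rule; this example tracks successes
        user, when, country = ev["user"], ev["time"], ev["country"]
        severity = "high" if user in PRIVILEGED else "medium"
        # Sign 1: login at an abnormal time of day
        if not WORK_HOURS[0] <= when.hour < WORK_HOURS[1]:
            alerts.append((severity, "off_hours_login", user, when.isoformat()))
        # Sign 2: login from an unusual location for a single-country company
        if country != HOME_COUNTRY:
            alerts.append((severity, "foreign_login", user, country))
        # Sign 3: same user seen in two countries within a short time frame
        previous = last_login.get(user)
        if previous and previous[1] != country and when - previous[0] <= TRAVEL_WINDOW:
            alerts.append((severity, "multiple_locations", user, f"{previous[1]}->{country}"))
        last_login[user] = (when, country)
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_logins(parse_log(SAMPLE_AUTH_LOG)):
        print(*alert)
```

On the sample log this raises four alerts: the privileged svc_admin login at 02:15 (high), carol's German login and her two-country jump within fifteen minutes, and bob's 23:30 login; dave's failed attempt is ignored by design.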

Cloud Software Security Requirements:

Cloud Security Objectives:

Regardless of environment, protecting sensitive data requires implementing and enforcing security controls to reduce the risk to the CIA of that data. Because of the technology for implementing clouds, the use of shared physical equipment, lack of visibility into the security management of the system, and reliance on the maturity of vendor processes and procedures, the risk in implementing a system in the vendor-operated federal cloud is likely higher than in an agency’s dedicated computer center.

Similar to traditional computing environments, cloud computing implementations are subject to local physical threats as well as external threats. These threat sources include accidents, natural disasters, and external loss of service, hostile governments, criminal organizations, and terrorist groups. Additional threat sources are intentional or unintentional introduction of vulnerabilities through internal or external authorized or unauthorized human and system access, including but not limited to, employees, contractors, and intruders. The characteristics of cloud computing, including multi-tenancy and the variety of service and deployment models, underscore the need to consider data and systems protection within the context of logical as well as physical boundaries.

Cloud computing implementations include the following major security objectives:

 Preventing unauthorized access to cloud computing infrastructure resources. This includes implementing security domains that have logical separation between computing resources, e.g., logical separation of customer workloads running on the same server by VM monitors (hypervisors) in a multi-tenant environment and using secure-by-default configurations.
 Managing hypervisor threat vectors. Hypervisor attack threat vectors include CSP
users and CSP employees. Hypervisor vulnerabilities include poor configurations,
missed or delayed security patching, or unauthorized activities from a privileged user.
Because hypervisor exploitation can have disastrous results, CMS mandates that all
hypervisor solutions must be Type 1 (native / bare metal)-based products. Industry best
practices should be implemented where available or the vendor’s own published
guidelines should be used.
 Minimizing shared network access. Most CSPs have some common network
infrastructure components between various cloud customers; these shared network
infrastructure components present significant risk because a single breach of a shared
component could compromise all users of a CSP’s service. Thus, configurations must
adhere to best practices, and exceptions must be well understood, documented, and
accepted by users of a CSP’s service.
 Managing privileged user access. The number of CSP privileged users with access to the hypervisor should be kept to a minimum. CSPs should ensure the timely removal of access when a CSP employee is terminated or when access is no longer required (e.g., after a job transfer). In both cases the CSP target should be real-time removal of access, and audit records establishing when the request was made and when the privilege was actually removed should be available to CMS auditors.
 Ensuring that appropriate security safeguards are deployed at the CSP. CMS
should conduct independent assessments to verify that appropriate safeguards are in
place. This includes traditional perimeter security measures in combination with the
additional safeguards required for cloud computing.
 Defining trust boundaries between CSPs and the CMS consumers. It is crucial to
clearly document the responsibility for providing security and that the consequences for
non-deployment of agreed-upon security controls by the CSP are well-defined in
contracts and SLAs.

Rising Security Threats:

Cyber threats have changed drastically over the past few years. Top trends in cyber security risk
include:

 Intellectual property theft (IP theft robs people or companies of their ideas, inventions and creative expressions, known as “intellectual property”, which can range from trade secrets to proprietary products),
 Cyber extortion risk (cyber extortion is a kind of cyber-attack coupled with a demand for money to avert or stop the attack),
 Malware and ransomware attacks (malware, or malicious software, refers to a variety of hostile or intrusive software, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware and other malicious programs, which acts against the wishes of the computer user and is specifically designed to disrupt, damage or gain unauthorized access to a system),
 Industrial IoT technology hacks (hacking is the practice of modifying or altering software and hardware to accomplish a goal considered to be outside the creator's original objective),
 DDoS attacks (a type of attack in which multiple compromised systems, often infected with a Trojan, are used to target a single system, causing a denial of service (DoS). In a distributed denial-of-service (DDoS) attack the incoming traffic that floods the victim’s system originates from many different sources, which makes it effectively impossible to stop the attack simply by blocking a single source), and
 Data breach (a security incident in which sensitive or confidential data is viewed, copied, transmitted, stolen or used by an unauthorized individual).

Data Security and Storage

Data storage security involves protecting storage resources and the data stored on them – both on-premises and in external data centers and the cloud – from accidental or deliberate damage or destruction and from unauthorized users and uses. It is an area of critical importance to enterprises because the majority of data breaches are ultimately caused by a failure in data storage security.

Secure Data Storage:

Secure Data Storage collectively refers to the manual and automated computing processes and
technologies used to ensure stored data security and integrity. This can include physical
protection of the hardware on which the data is stored, as well as security software.

Secure data storage applies to data at rest stored in computer/server hard disks, portable devices
– like external hard drives or USB drives – as well as online/cloud, network-based storage area
network (SAN) or network attached storage (NAS) systems.

How Secure Data Storage is achieved:

 Data encryption
 Access control mechanism at each data storage device/software
 Protection against viruses, worms and other data corruption threats
 Physical/manned storage device and infrastructure security
 Enforcement and implementation of layered/tiered storage security architecture

Secure data storage is essential for organizations that deal with sensitive data, both to avoid data theft and to ensure uninterrupted operations.

Data Security vs Data Protection:

Storage security and data security are closely related to data protection. Data security primarily
involves keeping private information out of the hands of anyone not authorized to see it. It also
includes protecting data from other types of attacks, such as ransomware that prevents access to
information or attacks that alter data, making it unreliable.

Data protection is more about making sure data remains available after less nefarious incidents,
like system or component failures or even natural disasters.

But the two overlap in their shared need to ensure the reliability and availability of information,
as well as in the need to recover from any incidents that might threaten an organization’s data.
Storage professionals often find themselves dealing with data security and data protection
issues at the same time, and some of the same best practices can help address both concerns.

Threats to Data Security:

Before looking at how to implement data storage security, it is important to understand the
types of threats organizations face.

Threat agents can be divided into two categories: external and internal.

External threat agents include:

 Nation states
 Terrorists
 Hackers, cybercriminals, organized crime groups
 Competitors carrying out “industrial espionage”

Internal threat agents include:

 Malicious insiders
 Poorly trained or careless staff
 Disgruntled employees

Other threats include:

 Fire, flooding and other natural disasters
 Power outages

Storage Vulnerabilities:

Another huge driver of interest in data storage security is the vulnerabilities inherent in storage
systems. They include the following:

 Lack of encryption — While some high-end NAS and SAN devices include automatic
encryption, plenty of products on the market do not include these capabilities. That
means organizations need to install separate software or an encryption appliance in
order to make sure that their data is encrypted.

 Cloud storage — A growing number of enterprises are choosing to store some or all of
their data in the cloud. Although some argue that cloud storage is more secure than on-
premises storage, the cloud adds complexity to storage environments and often requires
storage personnel to learn new tools and implement new procedures in order to ensure
that data is adequately secured.

 Incomplete data destruction — When data is deleted from a hard drive or other
storage media, it may leave behind traces that could allow unauthorized individuals to
recover that information. It’s up to storage administrators and managers to ensure that
any data erased from storage is overwritten so that it cannot be recovered.

 Lack of physical security — Some organizations don’t pay enough attention to the physical security of their storage devices. In some cases they fail to consider that an insider, like an employee or a member of a cleaning crew, might be able to access physical storage devices and extract data, bypassing all the carefully planned network-based security measures.

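As an added example (not from the original notes) of the incomplete-data-destruction point above: overwriting a file in place, forcing the write to the device, and only then unlinking it, run against a constructed sample record. The pass count and the caveat about flash and copy-on-write storage are the editor's additions.

```python
import os
import secrets
import tempfile


def overwrite_file(path: str, passes: int = 2, chunk_size: int = 64 * 1024) -> int:
    """Overwrite a file in place with random bytes and force it to disk; returns the bytes per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())   # push the overwrite past the page cache to the device
    return size


def secure_delete(path: str, passes: int = 2) -> int:
    """Overwrite, then unlink. A plain os.remove only drops the directory entry; the old blocks stay.

    Caveat: on SSDs (wear levelling), copy-on-write or journaling filesystems and snapshot-backed
    storage, an 'in place' write may land on fresh blocks and leave the originals intact. There the
    reliable approach is encryption at rest with key destruction (cryptographic erase) or the
    device's own sanitize command.
    """
    written = overwrite_file(path, passes)
    os.remove(path)
    return written


def demo_secure_delete() -> dict:
    """Create a file holding a constructed secret and show the overwrite took effect before unlinking."""
    secret = b"employee-record: salary=CONSTRUCTED-SAMPLE-VALUE\n"   # constructed, not real data
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(secret)
    written = overwrite_file(path)
    with open(path, "rb") as fh:
        still_present = secret in fh.read()   # should be False: the bytes on disk are now random
    os.remove(path)
    return {
        "bytes_overwritten": written,
        "secret_still_present": still_present,
        "file_exists_after": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo_secure_delete())
```
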
Data Storage Security Principles:

At the highest level, data storage security seeks to ensure “CIA” – confidentiality, integrity, and
availability.

 Confidentiality: Keeping data confidential by ensuring that it cannot be accessed either over a network or locally by unauthorized people is a key storage security principle for preventing data breaches.
 Integrity: Data integrity in the context of data storage security means ensuring that the
data cannot be tampered with or changed.
 Availability: In the context of data storage security, availability means minimizing the
risk that storage resources are destroyed or made inaccessible either deliberately – say
during a DDoS attack – or accidentally, due to a natural disaster, power failure, or
mechanical breakdown.

Data Security Best Practices:

In order to respond to these technology trends and deal with the inherent security vulnerabilities
in their storage systems, experts recommend that organizations implement the following data
security best practices:

1. Data storage security policies — Enterprises should have written policies specifying the appropriate levels of security for the different types of data they hold. Obviously, public data needs far less security than restricted or confidential data, and the organization needs to have security models, procedures and tools in place to apply appropriate protections. The policies should also include details of the security measures to be deployed on the storage devices used by the organization.
2. Access control — Role-based access control is a must-have for a secure data storage
system, and in some cases, multi-factor authentication may be appropriate.
Administrators should also be sure to change any default passwords on their storage
devices and to enforce the use of strong passwords by users.
3. Encryption — Data should be encrypted both in transit and at rest in the storage systems. Storage administrators also need a secure key management system for tracking their encryption keys.
4. Data loss prevention — Many experts say that encryption alone is not enough to
provide full data security. They recommend that organizations also deploy data loss
prevention (DLP) solutions that can help find and stop any attacks in progress.
5. Strong network security — Storage systems don’t exist in a vacuum; they should be
surrounded by strong network security systems, such as firewalls, anti-malware
protection, security gateways, intrusion detection systems and possibly advanced
analytics and machine learning based security solutions. These measures should prevent
most cyberattacks from ever gaining access to the storage devices.
6. Strong endpoint security — Similarly, organizations also need to make sure that they
have appropriate security measures in place on the PCs, smartphones and other devices
that will be accessing the stored data. These endpoints, particularly mobile devices, can
otherwise be a weak point in an organization’s cyberdefenses.
7. Redundancy — Redundant storage, including RAID technology, not only helps to
improve availability and performance, in some cases, it can also help organizations
mitigate security incidents.
8. Backup and recovery — Some successful malware or ransomware attacks compromise corporate networks so completely that the only way to recover is to restore from backups. Storage managers need to make sure that their backup systems and processes are adequate for these types of events, as well as for disaster recovery purposes. In addition, they need to make sure that backup systems have the same level of data security in place as primary systems.
