
Unit 1 DIS

The document provides an overview of information security, detailing its history, critical characteristics, and key concepts. It discusses the evolution of security measures from the 1960s to the present, emphasizing the importance of protecting information systems and balancing security with access. Additionally, it introduces the NSTISSC Security Model and outlines the components of an information system, including software, hardware, data, people, procedures, and networks.
RAJALAKSHMI INSTITUTE OF TECHNOLOGY,

KUTHAMBAKKAM, CHENNAI - 600124


Department of Artificial Intelligence and Data Science

CW3551 DATA AND INFORMATION SECURITY


UNIT I INTRODUCTION 9
History, what is Information Security? Critical Characteristics of Information, NSTISSC Security
Model, Components of an Information System, Securing the Components, Balancing Security
and Access, The SDLC, The Security SDLC
INTRODUCTION
1. THE HISTORY OF INFORMATION SECURITY
• Computer security began immediately after the first mainframes were developed
– Groups developing code-breaking computations during World War II created the
first modern computers.
– Multiple levels of security were implemented.
• Physical controls limiting access to sensitive military locations to authorized personnel
• Rudimentary in defending against physical theft, espionage, and sabotage
Table 1-1 Key Dates in Information Security

Date  Document

1968  Maurice Wilkes discusses password security in Time-Sharing Computer Systems.

1970  Willis H. Ware authors the report Security Controls for Computer Systems: Report of
      Defense Science Board Task Force on Computer Security—RAND R.609, which was not
      declassified until 1979. It became known as the seminal work identifying the need for
      computer security.

1973  Schell, Downey, and Popek examine the need for additional security in military
      systems in Preliminary Notes on the Design of Secure Military Computer Systems.

1975  The Federal Information Processing Standards (FIPS) examines DES (Digital
      Encryption Standard) in the Federal Register.

1978  Bisbey and Hollingsworth publish their study “Protection Analysis: Final Report,”
      which discussed the Protection Analysis project created by ARPA to better understand
      the vulnerabilities of operating system security and examine the possibility of
      automated vulnerability detection techniques in existing system software.


The 1960s
• During the 1960s, the Department of Defense’s Advanced Research Procurement Agency
(ARPA) began examining the feasibility of a redundant networked communications
system designed to support the military’s need to exchange information.
• Larry Roberts, known as the founder of the Internet, developed the project from its
inception.
• Advanced Research Projects Agency (ARPA) began to examine the feasibility of
redundant networked communications.
• Larry Roberts developed the ARPANET from its inception.
The 1970s and 80s
• ARPANET grew in popularity, as did its potential for misuse.
• Fundamental problems with ARPANET security were identified.
– No safety procedures for dial-up connections to ARPANET
– Nonexistent user identification and authorization to system
– Late 1970s: microprocessor expanded computing capabilities and security
threats
• Information security began with RAND Report R-609 (paper that started the study of
computer security and identified the role of management and policy issues in it).
• The scope of computer security grew from physical security to include:
– Securing the data
– Limiting random and unauthorized access to data
– Involving personnel from multiple levels of the organization in information
security
Figure 1-4 Illustration of computer network vulnerabilities from RAND Report R-609

The 1990s
• Networks of computers became more common, as did the need to connect them to each
other.
• Internet became the first global network of networks.
• Initially, network connections were based on de facto standards.
• In early Internet deployments, security was treated as a low priority.
• In 1993, DEFCON conference was established for those interested in information
security.
2000 to Present
• The Internet brings millions of unsecured computer networks into continuous
communication with each other.
• The ability to secure a computer’s data was influenced by the security of every computer
to which it is connected.
• Growing threat of cyber attacks has increased the awareness of need for improved
security.
– Nation-states engaging in information warfare
2. WHAT IS SECURITY?
• “A state of being secure and free from danger or harm; the actions taken to make
someone or something secure.”
• A successful organization should have multiple layers of security in place to protect:
– Operations
– Physical infrastructure
– People
– Functions
– Communications
– Information
• Information Security: The protection of information and its critical elements, including
systems and hardware that use, store, and transmit that information
• Includes information security management, data security, and network security
• C.I.A. triad
– Is a standard based on confidentiality, integrity, and availability, now viewed as
inadequate.
– Expanded model consists of a list of critical characteristics of information
Figure 1-5 Components of information security
Figure 1-5 The C.I.A. triad

Key Information Security Concepts


• Access - a subject or object’s ability to use, manipulate, modify, or affect another subject
or object.
• Asset - the organizational resource that is being protected.
• Attack - an intentional or unintentional act that can damage or otherwise compromise
information and the systems that support it.
• Control, Safeguard, or Countermeasure - Security mechanisms, policies, or
procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities,
and otherwise improve security within an organization.
• Exploit – a technique used to compromise a system.
• Exposure - a condition or state of being exposed.
• Loss: A single instance of an information asset suffering damage or destruction,
unintended or unauthorized modification or disclosure, or denial of use.
• Protection Profile or Security Posture - the entire set of controls and safeguards that the
organization implements to protect the asset.
• Risk - the probability of an unwanted occurrence.
• Subjects and Objects – a computer can be either an agent entity used to conduct an
attack, or the target entity.
• Threat - a category of objects, people, or other entities that represents a danger to an
asset.
• Threat Agent – the specific instance or a component of a threat.
• Vulnerability - weaknesses or faults in a system or protection mechanism that expose
information to attack or damage.
• A computer can be the subject of an attack and/or the object of an attack.
• When it is the subject of an attack, the computer is used as an active tool to
conduct attack.
• When it is the object of an attack, the computer is the entity being attacked.
Figure 1-7 Key concepts in information security
Source (top left to bottom right): © iStockphoto/tadija, Internet Explorer,
© iStockphoto/darrenwise, Internet Explorer, Microsoft Excel.
3. CRITICAL CHARACTERISTICS OF INFORMATION
The value of information comes from the characteristics it possesses.
• Availability – Enables users who need to access information to do so without
interference or obstruction and in the required format. The information is said to be
available to an authorized user when and where needed and in the correct format.
• Accuracy – Free from mistake or error and having the value that the end user expects.
If information contains a value different from the user’s expectations due to the
intentional or unintentional modification of its content, it is no longer accurate.
• Authenticity –The quality or state of being genuine or original, rather than a
reproduction or fabrication. Information is authentic when it is the information that was
originally created, placed, stored, or transferred.
• Confidentiality – The quality or state of preventing disclosure or exposure to
unauthorized individuals or systems.
o Confidentiality of information ensures that only those with sufficient privileges
may access certain information. When unauthorized individuals or systems can
access information, confidentiality is breached. To protect the confidentiality of
information, a number of measures are used:
   – Information classification
   – Secure document storage
   – Application of general security policies
   – Education of information custodians and end users
o Example: a credit card transaction on the Internet. The system attempts to
enforce confidentiality by encrypting the card number during transmission, by
limiting the places where it might appear (in databases, log files, backups,
printed receipts, and so on), and by restricting access to the places where it is
stored.
o Giving out confidential information over the telephone is a breach of
confidentiality if the caller is not authorized to have the information.

• Integrity – The quality or state of being whole, complete, and uncorrupted. The integrity
of information is threatened when the information is exposed to corruption, damage,
destruction, or other disruption of its authentic state.
o Integrity means that data cannot be modified without authorization.
o Integrity is violated when an employee deletes important data files, when a
computer virus infects a computer, when an employee is able to modify his own
salary in a payroll database, when an unauthorized user vandalizes a website,
when someone is able to cast a very large number of votes in an online poll, and
so on.

• Utility – The quality or state of having value for some purpose or end. Information has
value when it serves a particular purpose. This means that if information is available, but
not in a format meaningful to the end user, it is not useful.
• Possession – The quality or state of having ownership or control of some object or item.
Information is said to be in possession if one obtains it, independent of format or other
characteristic. While a breach of confidentiality always results in a breach of possession,
a breach of possession does not always result in a breach of confidentiality.
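
The credit card example under Confidentiality lists log files among the places where a card number should not appear. The following is an added example, not part of the original notes: a Python logging filter that masks Luhn-valid card numbers before a record reaches the log. The logger name, sample events and card numbers are constructed for the illustration.

```python
import io
import logging
import re

# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits):
    """Luhn checksum: separates card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact_line(line):
    """Mask each Luhn-valid card number in a line, keeping the last 4 digits."""
    def mask(match):
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)       # order ids and similar values stay readable
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_CANDIDATE.sub(mask, line)


class PanRedactingFilter(logging.Filter):
    """Rewrites the final message, so numbers passed as arguments are caught too."""

    def filter(self, record):
        record.msg = redact_line(record.getMessage())
        record.args = ()
        return True


# Constructed sample events: (format string, arguments). 4111... is a test number.
SAMPLE_EVENTS = [
    ("charge ok card=%s amount=%s", ("4111111111111111", "49.99")),
    ("gateway echo: 4111-1111-1111-1111 declined", ()),
    ("order_id=1234567890123456 shipped", ()),   # 16 digits, fails Luhn
]


def capture_logs(events):
    """Log the events through the filter and return the lines actually written."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(PanRedactingFilter())
    logger = logging.getLogger("payments-demo")  # hypothetical logger name
    logger.handlers = [handler]
    logger.propagate = False
    logger.setLevel(logging.INFO)
    for fmt, args in events:
        logger.info(fmt, *args)
    return stream.getvalue().splitlines()


if __name__ == "__main__":
    for written in capture_logs(SAMPLE_EVENTS):
        print(written)
```

A filter like this is a backstop for the "limit where it appears" measure; it does not replace encrypting the number in transit or restricting access to where it is stored.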
4. NSTISSC SECURITY MODEL
• ‘National Security Telecommunications & Information systems security
committee’ document.
• It is now called the National Training Standard for Information security
professionals.
• The NSTISSC Security Model provides a more detailed perspective on security.
• While the NSTISSC model covers the three dimensions of information security, it omits
discussion of detailed guidelines and policies that direct the implementation of controls.
• Another weakness arises when this model is used with too limited an approach, that is,
when it is viewed from a single perspective.
o The 3 dimensions of each axis become a 3x3x3 cube with 27 cells representing
areas that must be addressed to secure today’s Information systems.
o To ensure system security, each of the 27 cells must be properly addressed
during the security process.
o For example, the intersection between technology, Integrity & storage areas
requires a control or safeguard that addresses the need to use technology to
protect the Integrity of information while in storage.
o Understanding the technical aspects of information security requires that you
know the definitions of certain information technology terms and concepts. In
general, security is defined as “the quality or state of being secure—to be free
from danger.”
• Security is often achieved by means of several strategies usually undertaken
simultaneously or used in combination with one another.
Figure 1-9 The McCumber Cube

This graphic informs the fundamental approach of the chapter and can be used to illustrate the
intersection of information states (x-axis), key objectives of C.I.A. (y-axis), and the three primary
means to implement (policy, education, and technology).
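
The 27-cell requirement can be checked mechanically against a control inventory. The following is an added example, not part of the original notes: it expands each control into the cube cells it addresses and lists the cells no control covers. The control inventory is constructed, the state names (storage, processing, transmission) are the standard McCumber ones, and treating a control as covering every combination of its tags is an assumption of the example.

```python
from collections import Counter
from itertools import product

# The three axes of the cube.
STATES = ("storage", "processing", "transmission")
OBJECTIVES = ("confidentiality", "integrity", "availability")
MEANS = ("policy", "education", "technology")
AXES = (("states", STATES), ("objectives", OBJECTIVES), ("means", MEANS))

# Constructed inventory: each control is tagged with the axis values it addresses.
CONTROLS = [
    {"name": "Full-disk encryption", "states": ["storage"],
     "objectives": ["confidentiality"], "means": ["technology"]},
    {"name": "File hash baseline", "states": ["storage"],
     "objectives": ["integrity"], "means": ["technology"]},
    {"name": "TLS on internal links", "states": ["transmission"],
     "objectives": ["confidentiality", "integrity"], "means": ["technology"]},
    {"name": "Backup retention policy", "states": ["storage"],
     "objectives": ["availability"], "means": ["policy"]},
    {"name": "Phishing awareness training", "states": ["transmission"],
     "objectives": ["confidentiality"], "means": ["education"]},
]


def cells_for(control):
    """Expand one control into cube cells; reject tags that are not on an axis."""
    for axis, allowed in AXES:
        unknown = set(control[axis]) - set(allowed)
        if unknown:
            raise ValueError(f"{control['name']}: unknown {axis} {sorted(unknown)}")
    return set(product(control["states"], control["objectives"], control["means"]))


def coverage(controls):
    """Map each covered cell to the names of the controls that address it."""
    covered = {}
    for control in controls:
        for cell in cells_for(control):
            covered.setdefault(cell, []).append(control["name"])
    return covered


def uncovered_cells(controls):
    """Cells of the 3x3x3 cube that no control in the inventory addresses."""
    covered = coverage(controls)
    return [c for c in product(STATES, OBJECTIVES, MEANS) if c not in covered]


def gaps_by_axis(controls, axis):
    """Count uncovered cells per value of one axis, to show where effort is thin."""
    index = [name for name, _ in AXES].index(axis)
    return Counter(cell[index] for cell in uncovered_cells(controls))


if __name__ == "__main__":
    gaps = uncovered_cells(CONTROLS)
    print(f"{27 - len(gaps)} of 27 cells covered")
    for axis, _ in AXES:
        print(axis, dict(gaps_by_axis(CONTROLS, axis)))
```

With this inventory the processing state and the policy and education means carry most of the gaps, the single-perspective weakness noted above.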
5. COMPONENTS OF AN INFORMATION SYSTEM
• An information system (IS) is the entire set of people, procedures, and technology that
enable a business to use information.
– Software: The software component of an IS includes applications (programs),
operating systems, and assorted command utilities. Software is perhaps the most
difficult IS component to secure
– Hardware: Physical security policies deal with hardware as a physical asset and
with the protection of physical assets from harm or theft.
– Data: Data stored, processed, and transmitted by a computer system must be
protected. Data is often the most valuable asset of an organization and therefore
is the main target of intentional attacks.
– People: Though often overlooked in computer security considerations, people
have always been a threat to information security.
– Procedures: Procedures are another frequently overlooked component of an IS.
Procedures are written instructions for accomplishing a specific task.
– Networks: Networking is the IS component that created much of the need for
increased computer and information security.
6. SECURING COMPONENTS
• Protecting the components from potential misuse and abuse by unauthorized
users.
• Subject of an attack
– Computer is used as an active tool to conduct the attack.
• Object of an attack
– Computer itself is the entity being attacked
• Two types of attacks:
1. Direct attack
2. Indirect attack

1. Direct attack
When a hacker uses a personal computer to break into a system. [Originates from the
threat itself]
2. Indirect attack
When a system is compromised and used to attack other systems. [Originates from a
system or resource that itself has been attacked, and is malfunctioning or working under
the control of a threat].
7. BALANCING INFORMATION SECURITY AND ACCESS
• When considering information security, it is important to realize that it is impossible to
obtain perfect security. Security is not an absolute; it is a process not a goal.
• Security should be considered a balance between protection and availability.
• To achieve balance, the level of security must allow reasonable access yet protect against
threats.
Approaches to Information Security Implementation: Bottom-Up Approach
• Security can begin as a grass-roots effort when systems administrators attempt to
improve the security of their systems. This is referred to as the bottom-up approach.
• The key advantage of the bottom-up approach is the technical expertise of the individual
administrators.
• Unfortunately, this approach seldom works, as it lacks a number of critical features, such
as participant support and organizational staying power.
Approaches to Information Security Implementation: Top-Down Approach
• An alternative approach, which has a higher probability of success, is called the
top-down approach. The project is initiated by upper management who issue policy,
procedures, and processes; dictate the goals and expected outcomes of the project; and
determine who is accountable for each of the required actions.
• The top-down approach has strong upper-management support, a dedicated champion,
dedicated funding, clear planning, and the opportunity to influence organizational
culture.
• The most successful top-down approach also involves a formal development strategy
referred to as a systems development life cycle.
Figure 1-12 Approaches to information security implementation
The key concept here is the direction of the left and right side arrows to show where planning
is sourced and from which direction the pressure for success is driven
8. SECURITY IN THE SYSTEMS DEVELOPMENT LIFE CYCLE
• Systems Development Life Cycle (SDLC): methodology for design and implementation of
an information system
• Methodology: formal approach to solving a problem based on a structured sequence of
procedures
• Using a methodology:
– Ensures a rigorous process with a clearly defined goal
– Increases probability of success
• Traditional SDLC consists of six general phases
Figure 1-13 SDLC waterfall methodology
Very much a traditional SDLC diagram.
Investigation
• What problem is the system being developed to solve?
• Objectives, constraints, and scope of project are specified
• Preliminary cost-benefit analysis is developed
• At the end of all phases, a process is undertaken to assess economic, technical, and
behavioral feasibilities and ensure implementation is worth time and effort
Analysis
• The analysis phase begins with the information learned during the investigation phase.
• This phase consists primarily of assessments of the organization, the status of current
systems, and the capability to support the proposed systems.
• Analysts begin to determine what the new system is expected to do and how it will
interact with existing systems.
• This phase ends with the documentation of the findings and a feasibility analysis update.
Logical Design
• First and driving factor is business need
o Applications are selected to provide needed services
• Data support and structures capable of providing the needed inputs are identified
• Specific technologies are delineated to implement the physical solution
• Analysts generate estimates of costs and benefits to allow comparison of available
options
• Feasibility analysis performed at the end
Physical Design
• Specific technologies selected to support the alternatives identified and evaluated in the
logical design
• Selected components evaluated on make-or-buy decision
• Feasibility analysis performed
– Entire solution presented to organization’s management for approval
Implementation
• Needed software is created.
• Components are ordered, received, and tested.
• Users are trained and supporting documentation created.
• Feasibility analysis is prepared.
– Sponsors are presented with the system for a performance review and
acceptance test.
Maintenance and Change
• The maintenance and change phase is the longest and most expensive phase of the
process.
• This phase consists of the tasks necessary to support and modify the system for the
remainder of its useful life cycle.
• Even though formal development may conclude during this phase, the life cycle of the
project continues until it is determined that the process should begin again from the
investigation phase. When the current system can no longer support the changed
mission of the organization, the project is terminated and a new project is implemented.
Software Assurance
• Many organizations recognize need to include planning for security objectives in the
SDLC used to create systems
– Established procedures to create software more capable of being deployed in a
secure fashion
• This approach known as software assurance (SA)
• A national effort is under way to create a common body of knowledge focused on secure
software development
• U.S. Department of Defense and Department of Homeland Security supported the
Software Assurance Initiative which resulted in publication of Secure Software
Assurance (SwA) Common Body of Knowledge (CBK)
• SwA CBK serves as a strongly recommended guide to developing more secure
applications.
• SwA CBK is a work in progress and contains the following sections:
– Nature of Dangers
– Fundamental Concepts and Principles
– Ethics, Law, and Governance
– Secure Software Requirements
– Secure Software Design
– Secure Software Construction
– Secure Software Verification, Validation, and Evaluation
– Secure Software Tools and Methods
– Secure Software Processes
– Secure Software Project Management
– Acquisition of Secure Software
– Secure Software Sustainment
Software Design Principles
Good software development results in secure products that meet all design specifications.
• Some commonplace security principles
– Keep design simple and small
– Access decisions by permission not exclusion
– Every access to every object checked for authority
– Design depends on possession of keys/passwords
– Protection mechanisms require two keys to unlock
– Programs/users utilize only necessary privileges
– Minimize mechanisms common to multiple users
– Human interface must be easy to use so users routinely/automatically use
protection mechanisms.
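
Four of the principles above (decisions by permission not exclusion, every access checked, two keys to unlock, only necessary privileges) are shown in code below. This is an added example, not part of the original notes: an exclusion-based check beside a small permission-based reference monitor, applied to the payroll case from the Integrity discussion. All subject names, the object name and the policy tables are constructed.

```python
# Constructed policy data for the illustration.
DENYLIST = {("intern", "payroll.db", "write")}

GRANTS = {                                    # least privilege: only what each role needs
    ("hr_clerk", "payroll.db"): {"read"},
    ("hr_manager", "payroll.db"): {"read", "write"},
    ("finance_manager", "payroll.db"): {"read", "write"},
}
TWO_KEY_ACTIONS = {("payroll.db", "write")}   # actions that need a second approver


def allowed_by_exclusion(subject, obj, action):
    """Weak form: allow unless excluded. Any subject nobody listed is let through."""
    return (subject, obj, action) not in DENYLIST


class ReferenceMonitor:
    """Permission-based checks: anything not explicitly granted is denied."""

    def __init__(self, grants, two_key_actions):
        self._grants = {key: set(actions) for key, actions in grants.items()}
        self._two_key = set(two_key_actions)
        self.audit = []                       # every decision is recorded

    def _holds(self, subject, obj, action):
        return action in self._grants.get((subject, obj), set())

    def revoke(self, subject, obj, action):
        self._grants.get((subject, obj), set()).discard(action)

    def check(self, subject, obj, action, approver=None):
        """Evaluated on every access; no decision is cached, so revocation is immediate."""
        permitted = self._holds(subject, obj, action)
        if permitted and (obj, action) in self._two_key:
            # Two keys: a different subject who also holds the permission must approve.
            permitted = (approver is not None and approver != subject
                         and self._holds(approver, obj, action))
        self.audit.append((subject, obj, action, permitted))
        return permitted

    def write(self, store, subject, obj, value, approver=None):
        """The only write path to the store, so the check cannot be bypassed."""
        if not self.check(subject, obj, "write", approver):
            raise PermissionError(f"{subject} may not write {obj}")
        store[obj] = value


if __name__ == "__main__":
    monitor = ReferenceMonitor(GRANTS, TWO_KEY_ACTIONS)
    store = {"payroll.db": {"hr_manager": 5000}}
    print("exclusion lets unknown subject write:",
          allowed_by_exclusion("contractor", "payroll.db", "write"))
    print("monitor lets unknown subject write:",
          monitor.check("contractor", "payroll.db", "write"))
    monitor.write(store, "hr_manager", "payroll.db", {"hr_manager": 5200},
                  approver="finance_manager")
    print(monitor.audit)
```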
9. THE NIST APPROACH TO SECURING THE SDLC
• NIST Special Publication 800-64 rev. 2 maintains that early integration of security in the
SDLC enables agencies to maximize return on investment through:
– Early identification and mitigation of security vulnerabilities and
misconfigurations
– Awareness of potential engineering challenges
– Identification of shared security services and reuse of security strategies and
tools
– Facilitation of informed executive decision making
The NIST Approach: Initiation
• Security at this point is looked at in terms of business risks, with the information
security office providing input
• Key security activities include:
o Delineation of business requirements in terms of confidentiality, integrity, and
availability
o Determination of information categorization and identification of known special
handling requirements to transmit, store, or create information
o Determination of any privacy requirements
The NIST Approach: Development/Acquisition
• Key security activities include:
– Conduct risk assessment and use results to supplement baseline security controls
– Analyze security requirements
– Perform functional and security testing
– Prepare initial documents for system certification and accreditation
– Design security architecture
The NIST Approach: Implementation/Assessment
• System installed and evaluated in operational environment
• Key security activities include:
– Integrate information system into its environment
– Plan and conduct system certification activities in synchronization with testing of
security controls
– Complete system accreditation activities
The NIST Approach: Operations and Maintenance
• Systems are in place and operating, enhancements and/or modifications to the system
are developed and tested, and hardware and/or software added or replaced
• Key security activities include:
– Conduct operational readiness review
– Manage configuration of system
– Institute process and procedure for assured operations and continuous
monitoring of information system’s security controls
– Perform reauthorization as required
The NIST Approach: Disposal
• Provides for disposal of system and closeout of any contracts in place
• Key security activities include:
– Building and executing disposal/transition plan
– Archival of critical information
– Sanitization of media
– Disposal of hardware and software
Security Professionals and the Organization
• It takes a wide range of professionals to support a diverse information security program.
• Senior management is the key component.
• To develop and execute specific security policies and procedures, additional
administrative support and technical expertise are required to implement the details of
the IS program.
Senior Management
• Chief Information Officer
o The senior technology officer, although other titles such as Vice President of
Information, VP of Information Technology, and VP of Systems may be used.
o The CIO is primarily responsible for advising the Chief Executive Officer,
President, or company owner on the strategic planning that affects the
management of information in the organization.
• Chief Information Security Officer
o The individual primarily responsible for the assessment, management, and
implementation of securing the information in the organization.
o The CISO may also be referred to as the Manager for Security, the Security
Administrator, or a similar title.
Information Security Project Team
A number of individuals who are experienced in one or multiple requirements of both the
technical and nontechnical areas.
• The champion: A senior executive who promotes the project and ensures its support,
both financially and administratively, at the highest levels of the organization.
• The team leader: A project manager, who may be a departmental line manager or staff
unit manager, who understands project management, personnel management, and
information security technical requirements.
• Security policy developers: Individuals who understand the organizational culture,
policies, and requirements for developing and implementing successful policies.
• Risk assessment specialists: People who understand financial risk assessment
techniques, the value of organizational assets, and the security methods to be used.
• Security professionals: Dedicated, trained, and well-educated specialists in all aspects
of information security from both technical and nontechnical standpoints.
• Systems administrators: People with the primary responsibility for administering the
systems that house the information used by the organization.
• End users: Those whom the new system will most directly impact. Ideally, a selection of
users from various departments, levels, and degrees of technical knowledge assist the
team in focusing on the application of realistic controls applied in ways that do not
disrupt the essential business activities they seek to safeguard.
Data Responsibilities
• Data owners:
o Members of senior management who are responsible for the security and use of
a particular set of information. The data owners usually determine the level of
data classification (discussed later), as well as the changes to that classification
required by organizational change. The data owners work with subordinate
managers to oversee the day-to-day administration of the data.
• Data custodians:
o Working directly with data owners, data custodians are responsible for the
information and the systems that process, transmit, and store it. Depending on
the size of the organization, this may be a dedicated position, such as the CISO, or
it may be an additional responsibility of a systems administrator or other
technology manager. The duties of a data custodian often include overseeing data
storage and backups, implementing the specific procedures and policies laid out
in the security policies and plans, and reporting to the data owner.
• Data users:
o Everyone in the organization is responsible for the security of data, so data users
are included here as individuals with an information security role.
Communities of Interest
Each organization develops and maintains its own unique culture and values. Within that
corporate culture, there are communities of interest. These include:
• Information Security Management and Professionals
• Information Technology Management and Professionals
• Organizational Management and Professionals
Information Security: Is It an Art or a Science?
With the level of complexity in today’s information systems, the implementation of information
security has often been described as a combination of art and science.
The concept of the security artisan is based on the way individuals perceived systems
technologists since computers became commonplace.
Security as Art
• There are no hard and fast rules regulating the installation of various security
mechanisms.
• Nor are there many universally accepted complete solutions.
• While there are many manuals to support individual systems, once these systems are
interconnected, there is no magic user’s manual for the security of the entire system.
• This is especially true with the complex levels of interaction between users, policy, and
technology controls.
Security as Science
• We are dealing with technology developed by computer scientists and engineers—
technology designed to perform at rigorous levels of performance.
• Even with the complexity of the technology, most scientists would agree that specific
scientific conditions cause virtually all actions that occur in computer systems.
• Almost every fault, security hole, and systems malfunction is a result of the interaction
of specific hardware and software.
• If the developers had sufficient time, they could resolve and eliminate these faults.
Security as a Social Science
• There is a third view: security as a social science.
• Social science examines the behaviour of individuals as they interact with systems,
whether societal systems or in our case information systems.
• Security begins and ends with the people inside the organization and the people that
interact with the system planned or otherwise.
• End users that need the very information the security personnel are trying to protect
may be the weakest link in the security chain.
• By understanding some of the behavioural aspects of organizational science and change
management, security administrators can greatly reduce the levels of risk caused by
end users and create more acceptable and supportable security profiles.
