ICT-3107: Information & Data Security

for
3rd Year 1st Semester of B.Sc (Hons.) in ICT

Lecture File: 01
Overview of Information Security

Prepared by:
Professor K M Akkas Ali

Institute of Information Technology (IIT)


Jahangirnagar University, Dhaka-1342

Recommended Books

1. Information Security: The Complete Reference (2nd Edition) - Mark Rhodes-Ousley
2. Database Security, 1st Edition by Alfred Basta, Melissa Zgola
3. Database Security and Auditing: Protecting Data Integrity and Accessibility, 1st Edition by Hasan A. Afyouni
4. Information Security Management: Concepts and Practice (New York, McGraw-Hill, 2013)
5. Principles of Information Security, 6th Edition by Michael E. Whitman and Herbert J. Mattord, Publisher: Cengage Learning

Slide-2
Lecture File-01
Overview of Information Security

Topics to be Discussed:
• A Model for Information Security
• Data Vs. Database Vs. Information
• Significance of Information in Our Life
• Information System, Components & Security
• Multiple Layers of Information Security
• Core Information Security Principles
• Information Security Attacks
• Importance of Information Protection
• The Evolution of Information Security
Slide-3
Introduction: Objective of the Lecture
• The Internet has changed dramatically from its origins.
• It has grown from a small number of universities and government agencies to a worldwide network with more than two billion users.
• As it has grown, it has changed how people communicate and do business. It has brought many opportunities and benefits.
• As there is no Internet government or central authority, the Internet is also full of challenges.
• Today, people working in cyberspace must deal with new and constantly evolving threats.
• Intelligent and aggressive cybercriminals, terrorists, and scam artists lurk in the shadows. Connecting your computers or devices to the Internet immediately exposes them to attacks that result in frustration and hardship.
Slide-4
Introduction: Objective of the Lecture
• In order to be safe in cyberspace, the world needs people who understand computer-systems security and who can protect computers and networks from criminals and terrorists.
• This lecture gives an overview of information systems security concepts and terms that you must understand to stop these attacks.

Slide-5
A Model for Information Security

Figure: A model for information security

Slide-6
Model for Information Security: An Example

Figure: An example of the general model for information security

Slide-7
Slide-8

What is Data?
• Data is an unorganized set of values collected together for some purpose (e.g., to gain knowledge or to make decisions).
• Data needs to be processed before it can be turned into something useful.
• When data is processed, it provides information (see the figure below).

Figure: Processing data produces information (Data → data is processed → Information)

• Data is often ambiguous, meaningless, or has little meaning until it is sorted or until we calculate something meaningful from it.
• For instance, consider the number 220874. We could interpret this in any number of ways. For example, it might be your class ID, your date of birth (e.g., 22 August 1974), your annual salary, and so on.
Slide-9
What is a Database?
A huge collection of interrelated and structured data (usually in tabular structure) is called a database.

• A database
  - is an application package that is used for storage and retrieval of data
  - can be very large
  - touches every aspect of our lives
• A database should support
  - Definition (what the structure or pattern of the data will be: type, size, index, constraints, etc.)
  - Construction (inserting, updating and deleting data in the database)
  - Manipulation (accessing and manipulating data in the database based on the user's need)
• Databases are organized by fields, records and files.
• A database system
  - simplifies the tasks of managing the data
  - extracts useful information in a timely fashion
  - allows access to data contained in a database
• An example of a database is a telephone directory that contains the names, addresses and telephone numbers of people, stored in computer storage.
Slide-10
What is Information?
• Data and information are closely related, and the terms are often used interchangeably.
• Information is nothing but refined data.
• Processed, organized, summarised or manipulated data that is useful for decision making is called information.
• Data is called information when it is:
  - Accurate: collected from a dependable source and entered without errors.
  - Timely: the recipients receive the information when they need it and within the required time frame.
  - Useful: useful to the purpose of the information system.
  - Relevant: presented within a context that gives it meaning and relevance.
  - Secure: protected from deliberate or accidental damage or loss.
• Data are processed to create information. The recipient receives the information, then makes a decision and takes an action, which may trigger other actions.
Slide-11
Significance of Information
• Information is valuable because it can affect behavior, a decision, or an outcome.
• For example, if a manager is told his/her company's net profit decreased in the past month, he/she may use this information as a reason to cut financial spending for the next month.
• There are many areas where information plays an important role:
  - Education
  - Research & Development (R & D)
  - Decision Making
  - Business and Industry
  - Government
  - Day to Day Life
Slide-12
Significance of Information in Education
• Several goals of education are:
  - To improve the literacy rate
  - To create a learning society
  - To enhance the skills of the people
• In order to achieve these goals, information is vital (e.g., content and curriculum development and the creation of materials and methods of technology and learning are heavily based on information).

Slide-13
Significance of Information in R & D
• Information is the lifeblood of research.
  - Innovations and inventions depend largely on information (e.g., drug discovery for a disease).
  - New ideas are generated through previous research work.
  - Across the globe, many R & D institutions have established information centers to gather, organize and provide access to information.

Slide-14
Significance of Information in Decision Making
• Information is important for decision making in an organization (decision-making capability).
• For example:
  - In government, reducing the gender gap requires information, that is, census data that helps to identify problems and offer better solutions.
  - In management, information is crucial for making the right decision, for example, to overcome the problem of job attrition in companies.
  - If a person has enough information, he will be in a better position to arrive at the right decision (job, education, etc.).

Slide-15
Significance of Information in Business & Industry
• Information is vitally important to the successful functioning of any organization.
• Customer information helps an organization to offer the right products or services needed by its customers.
• Supplier information is required to provide the products or services needed by the company.
• The right information is required in an organization for SWOT analysis. That is, it is required to determine its Strengths, Weaknesses, Opportunities, and Threats, in order to know its internal and external position as well as to secure and grow its business.
• Information is also important because it helps the organization to devise better strategies for dealing with its competitors.
Slide-16
What is an Information System?
• An information system can be defined technically as a set of interrelated components that collect (or retrieve), process, store, and distribute information from one point to another for individuals and organizations.
• An information system helps managers by supporting decision making, coordination and control in an organization.
• In addition, it may also help managers and workers to analyze problems, visualize complex subjects, and create new products.
• Two types of information system, used in the past and at present, are:
1. Manual Information System (e.g., telephone directory)
2. Computer-Based Information System (more flexible than manual ones and a lot faster, e.g., a school management system)

Slide-17
Function of an Information System
• In an information system, three activities are required to produce information:
1. Input
   - Input captures or collects raw data from within the organization or from its external environment.
2. Processing
   - Processing converts this raw input into a more meaningful form.
3. Output
   - Output transfers the processed information to the people who will use it or to the activities for which it will be used.

Figure: Functions of an information system

• Information systems also require feedback, which is output that is returned to appropriate members of the organization to help them evaluate or correct the input stage.
Slide-18
Components of an Information System
There are five components that must come together in order to produce a computer-based information system:

1) Hardware:
   - It refers to all physical components, including the computer itself, storage devices, communication devices, etc.
2) Software:
   - It refers to computer programs that instruct the hardware to perform specific tasks.
3) Data:
   - Data are facts or raw materials that are used by programs to produce useful information.
4) Network:
   - It refers to communication hardware and software.
5) People:
   - The people involved with an information system are end users and specialists. This component influences the success or failure of information systems.

Slide-19
What Does Security Mean?
• Security means the prevention of and protection against assault, damage, fire, fraud, invasion of privacy, theft, unlawful entry, and other such occurrences caused by deliberate action.
• Therefore, the quality or state of being free from danger or threat is called security.

Slide-20
Multiple Layers of Security
• A successful organization should have multiple layers of security in place:
  - Physical Security
  - Personal Security
  - Operations Security
  - Communications Security
  - Network Security
  - Information Security

Slide-21
Multiple Layers of Security
Physical Security:
• Physical security involves measures taken to protect tangible assets, infrastructure, personnel, and areas of an organization from unauthorized access, use, theft, vandalism, or harm.
• This type of security encompasses a wide range of strategies, including:
  - Access control systems
  - Security guards
  - Surveillance cameras
  - Fencing and barriers
  - Alarm systems
• Physical security is essential for businesses, residences, government facilities, and public spaces to deter potential threats and ensure the safety of individuals and property.
Slide-22
Multiple Layers of Security
Personal Security:
• Personal security refers to the state of being safe from danger or harm. It is the protection of oneself and one's property from threats such as theft, violence, or cyber attacks.
• Examples of personal security measures include:
  - Locking doors and windows to prevent break-ins
  - Carrying pepper spray or a personal alarm for self-defense
  - Using strong passwords and two-factor authentication to secure online accounts
  - Being aware of one's surroundings and avoiding dangerous situations
• These examples illustrate how personal security involves taking proactive steps to prevent harm and protect oneself. By being prepared and taking precautions, individuals can reduce their risk of becoming a victim of crime or cyber attacks.
Slide-23
Multiple Layers of Security
Operations Security:
• Operations security means protecting sensitive information related to an organization's operations, plans, and activities.
• This type of security aims to prevent adversaries from gathering intelligence that could be used to exploit vulnerabilities or compromise security.
• Strategies for operations security include:
  - Limiting access to classified or sensitive information
  - Implementing need-to-know principles
  - Conducting risk assessments and threat analyses
  - Maintaining operational secrecy and discretion
• Operations security is particularly crucial for military, government, and corporate entities involved in sensitive or classified activities.
Slide-24
Multiple Layers of Security
Communications Security:
• Communications security refers to measures and controls taken to protect information derived from telecommunications, ensuring its authenticity and preventing unauthorized access.
• Communications security includes:
  - cryptosecurity [i.e., encryption or decryption]
  - transmission security
  - emission security [i.e., protection against interception and analysis of emanations from equipment]
  - physical security of communication materials

Slide-25
Multiple Layers of Security
Network Security:
• Network security refers to any activities designed to protect a network. It means protecting networking components (both hardware and software), connections, and contents (the data and information exchanged through the network).
• Network security issues include:
  - protecting data from unauthorized access
  - protecting data from damage and development
  - implementing policies for recovering from breaches and data losses
• Addressing the above issues protects the usability, reliability, integrity, and safety of your network and data.
• An effective network security mechanism needs two strategies:
1. To identify threats
2. To choose the most effective set of tools to stop the threats from entering your network.

Slide-26
Multiple Layers of Security
Information Security:
• Information security means protecting information (data) and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
• This type of security involves:
  - Data encryption
  - Access controls and permissions
  - Secure data storage
  - Employee training and awareness programs
  - Incident response and management protocols
• Effective information security measures are essential for preventing data leaks, identity theft, and other forms of cybercrime that can have serious consequences for individuals and organizations alike.
Slide-27
What is Database Security?
• Database security refers to the collective measures, policies, and practices for protecting and securing data inside a database, as well as protecting the database, the database management software, the physical and/or virtual database server, and the underlying hardware, computing or network infrastructure that is used to access the database, from unauthorized access, use, manipulation, or destruction, and also from malicious cyber-attacks.
• Database security establishes and preserves several key aspects of a database, such as confidentiality, integrity, and availability.
• Generally, database security is planned, implemented and maintained by a database administrator and/or another information security professional.
What is Database Security?
Some technologies for database security include:
• Disk Encryption
  - It refers to encryption technology that encrypts data on a hard disk drive.
• Hardware-based Mechanisms for Protecting Data
  - Software-based security solutions encrypt the data to prevent it from being stolen. However, a malicious program or a hacker may corrupt the data in order to make it unrecoverable, making the system unusable. Hardware-based security solutions can prevent read and write access to data and hence offer very strong protection against tampering and unauthorized access.
• Backups
  - Backups are used to ensure that data which is lost can be recovered.
• Data Masking
  - It is the process of obscuring or masking specific data within a database to ensure that data security is maintained and sensitive information is not exposed to unauthorized personnel.
• Data Erasure
  - It is a method of software-based overwriting that completely destroys all electronic data residing on a hard drive or other digital media to ensure that no sensitive data is leaked when an asset is retired or reused.
Slide-29
What is Information Security?
• Information security is the protection of information and its critical elements, including systems and hardware that use, store, and transmit that information.
• Information security is achieved through the use of technology, processes, and training.
• We are living in the information age. We need to keep information secure about every aspect of our lives.
• Necessary tools for information security:
  - Policy
  - Awareness
  - Training
  - Education
  - Technology
Slide-30
What is Information Security?
• Information is one of the most important assets and has a value like any other asset. For an organization, information is valuable and should be appropriately protected.
• To be secured, information needs to be:
  - hidden from unauthorized access (confidentiality)
  - protected from unauthorized change (integrity)
  - available to an authorized entity when it is needed (availability)

Slide-31
Importance of Information Security
• Connecting to the Internet gives anyone instant access to the Web and its many resources, no matter where they are.
• Cyberspace is the new place to meet, socialize, and share ideas. You can chat with friends, family, business contacts, and people from everywhere.
• But when you connect to cyberspace, you also open the door to a lot of bad guys, because you don't really know who the person at the other end is.
• They want to find you and steal your data while hiding their identity.
• Therefore cyberspace also brings along many risks and threats. Every computer that connects to the Internet is at risk. All users must defend their information from attackers.
Slide-32
Importance of Information Security
• With the growth in e-commerce, more people are making online purchases with credit cards.
• This requires people to enter private data into e-commerce Web sites.
• Consumers should be careful to protect their personal identity and private data.
• Because of this danger, IT is in great need of proper security controls.
• This need has created a great demand for information security professionals. The goal is to protect both national security and business information from the enemy.
• Cyber security is the duty of every government that wants to ensure its national security.
• It's the responsibility of every organization that needs to protect its information.
• And it's the job of each of us to protect our own data.
Slide-33
A Model for Information Security
• A model for information security is shown in the figure.
• A message is to be transferred from one party to another across some sort of Internet service.

Figure: A model for information security

• The two parties, who are the principals in this transaction, must cooperate for the exchange to take place.
• A logical information channel is established by defining a route through the Internet from source to destination and by the cooperative use of communication protocols (e.g., TCP/IP) by the two principals.
Slide-34
A Model for Information Security
• Security aspects come into play when it is necessary or desirable to protect the information transmission from an opponent who may present a threat to confidentiality, authenticity, and so on.
• All of the techniques for providing security have two components:
1. A security-related transformation on the information to be sent. Examples include the encryption of the message, which scrambles the message so that it is unreadable by the opponent, and the addition of a code based on the contents of the message, which can be used to verify the identity of the sender.
2. Some secret information shared by the two principals and, it is hoped, unknown to the opponent. An example is an encryption key used in conjunction with the transformation to scramble the message before transmission and unscramble it on reception.

Slide-35
A Model for Information Security
• A trusted third party may be needed to achieve secure transmission. For example, a third party may be responsible for distributing the secret information to the two principals while keeping it from any opponent. Or a third party may be needed to arbitrate disputes between the two principals concerning the authenticity of a message transmission.
• This general model shows that there are four basic tasks in designing a particular security service:
1. Design an algorithm for performing the security-related transformation. The algorithm should be such that an opponent cannot defeat its purpose.
2. Generate the secret information to be used with the algorithm.
3. Develop methods for the distribution and sharing of the secret information.
4. Specify a protocol to be used by the two principals that makes use of the security algorithm and the secret information to achieve a particular security service.
Slide-36
Critical Characteristics of Information Security
• Information is an asset that has a value like any other asset. As an asset, information needs to be secured from attacks.
• The value of information comes from the characteristics it possesses:
  - Availability
  - Accuracy
  - Authenticity
  - Confidentiality
  - Integrity
  - Utility
  - Possession

Slide-37
Core Information Security Principles: CIA Triad
• The core concepts of information security are confidentiality, integrity, and availability. These principles are known as the CIA triad and are the foundation for combating the DAD triad.

Confidentiality:
• Confidential information should not be accessible to unauthorized users. That is, messages sent by Alice to Bob should not be readable by Eve.
Integrity:
• Ensuring that data may only be modified through an authorized means. That is, Bob should be able to detect when data sent by Alice has been modified by Eve.
Availability:
• Authorized users should be able to access data for legitimate purposes as necessary.

Figure: CIA Triad
Slide-38
Core Information Security Principles: DAD Triad
• Malicious hackers have developed their own triad, the DAD triad, to counter the CIA triad of security professionals.
• Each leg of the DAD triad is targeted at defeating the mechanisms associated with one leg of the CIA triad.
• Having a good understanding of the CIA triad also means understanding the DAD triad that opposes the CIA triad.

Disclosure:
• Unauthorized individuals gain access to confidential information.
Alteration:
• Data is modified through some unauthorized mechanism.
Denial of Service:
• Authorized users cannot gain access to a system for legitimate purposes.

Figure: DAD Triad
Slide-39


Aspects of Information Security
• Three aspects of information security are:
1. Security Attack:
   - Any action that compromises the security of information owned by an organization is termed a security attack.
2. Security Service:
   - A security service enhances the security of the data processing systems and information transfers of an organization. It is intended to counter security attacks using one or more security mechanisms.
3. Security Mechanism:
   - Security mechanisms are used to detect, prevent, or recover the information and information system from various security threats.

Slide-40
Three Phases of Information Security
• All the tasks that have to be done in information security can be broken down into three phases:
1. Protection, where we configure our systems and networks as correctly as possible.
2. Detection, where we identify that the configuration has changed or that some network traffic indicates a problem.
3. Reaction, where, having identified a problem quickly, we respond to it and return to a safe state as rapidly as possible.

Slide-41
The Evolution of Information Security
• The requirements of information security within an organization have undergone three major changes in the last several decades.
1. Before the advent of data processing equipment
2. With the introduction of the computer
3. With the introduction of distributed systems and the use of networks and communications facilities

Slide-42
The Evolution of Information Security
• Before the advent of data processing equipment:
  - Before the advent of data processing equipment, the security of an organization's information was provided primarily by physical and administrative means.
  - An example of the former is the use of rugged filing cabinets with a combination lock for storing sensitive documents.
  - An example of the latter is personnel screening procedures used during the hiring process.

Slide-43
The Evolution of Information Security
• With the introduction of the computer:
  - With the introduction of the computer, the need for automated tools for protecting files and other information stored on the computer became evident.
  - The generic name for the collection of tools designed to protect data and to thwart hackers is computer security.

Slide-44
The Evolution of Information Security
• With the introduction of distributed systems and the use of networks and communications facilities:
  - With the introduction of distributed systems and the use of networks and communications facilities, securing data carried between terminal user and computer, and between computer and computer, becomes more challenging.
  - Network security measures are needed to protect data during their transmission.

Slide-45
Kinds of Security Attacks
Any action that compromises the security of information owned by an organization is termed a security attack.

• The three goals of information security (confidentiality, integrity, and availability) can be threatened by security attacks.
• They can be classified using different approaches. Two approaches are mentioned here.

Category of attacks based on the security goals:
There are three groups of attacks based on the security goals. These are:
1. Attacks Threatening Confidentiality
2. Attacks Threatening Integrity
3. Attacks Threatening Availability

Category of attacks based on their effects on the system:
There are two groups of attacks based on their effects on the system. These are:
1. Passive Attacks
2. Active Attacks
Slide-46
Attacks Based on the Security Goals
The figure below shows the taxonomy of attacks based on the security goals:

1. Attacks Threatening Confidentiality
   - Snooping
   - Traffic analysis
2. Attacks Threatening Integrity
   - Modification
   - Masquerading
   - Replaying
   - Repudiation
3. Attacks Threatening Availability
   - Denial of service

Figure: Taxonomy of attacks with relation to security goals


Slide-47
Attacks Based on the Security Goals
Attacks Threatening Confidentiality:
In general, two types of attacks threaten the confidentiality of information:
1. Snooping
2. Traffic analysis

Slide-48
Attacks Based on the Security Goals
Attacks Threatening Confidentiality:
Snooping:
• It refers to unauthorized access to data or interception of data.
• For example, a file transferred through the Internet may contain confidential information. An unauthorized entity (say, Eve) may intercept the transmission and use the contents for her own benefit.
• To prevent snooping, the data can be made unintelligible to the interceptor by using cryptography.

Slide-49
Attacks Based on the Security Goals
Attacks Threatening Confidentiality:
Traffic Analysis:
• In a traffic analysis attack, a hacker tries to access the same network as you in order to capture all your network traffic.
• From there, the hacker can analyze that traffic to learn something about you or your company. So, unlike with other more popular attacks, a hacker is not actively trying to hack into your systems or crack your password. Therefore, we classify this attack as a passive attack.
• By analyzing the traffic, the attacker can learn, for example, when and how many messages were sent.
• By searching for patterns in captured traffic, an attacker can, for example, figure out when you typically wake up and go to sleep. Add the device name and location to that, and now the attacker knows when you leave your house and when you usually come back.

Slide-50
Attacks Based on the Security Goals
Attacks Threatening Integrity:
The integrity of data can be threatened by several kinds of attacks:
1. Modification
2. Masquerading
3. Replaying
4. Repudiation

Slide-51
Attacks Based on the Security Goals
Attacks Threatening Integrity:
Modification:
• After intercepting or accessing information, the attacker modifies the information to make it beneficial to herself.
• Sometimes the attacker simply deletes or delays the message to harm the system or to benefit from it.
• For example, a customer sends a message to a bank to do some transaction. The attacker intercepts the message and changes the type of transaction to benefit herself. It means that the attacker intercepts the message and changes it.

Slide-52
Attacks Based on the Security Goals
Attacks Threatening Integrity:
Masquerading:
 Masquerading or spoofing happens when the attacker
impersonates somebody else. For example, an attacker might
steal the bank card and PIN of a customer and pretend that
she is that customer.
 Sometimes the attacker pretends instead to be the receiver
entity. For example, a user tries to contact a bank, but
another site pretends that it is the bank and obtains some
information from the user.

 A hacker can concoct a fake website. Through a security hole in the genuine
website, he may get his own IP address substituted for that of the real one, so
that innocent traffic going to the legitimate website is funneled to the fake
website. When orders or queries arrive, the hacker can make all kinds of
alterations: direct the traffic to a third website, change the nature of the
orders, and so on.
 An imposter who sends a false message is spoofing. That is, spoofing is the act of
sending a message while pretending to be the authorized user.

Slide-53
Attacks Based on the Security Goals

Attacks Threatening Integrity:

Replaying:

 Replaying means the attacker obtains a copy
of a message sent by a user and later tries to replay it.
 For example, a person sends a request to her bank to ask for
payment to the attacker, who has done a job for her. The
attacker intercepts the message and sends it again to the
bank to receive another payment from the bank.
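
How a bank could detect the modification and replaying attacks described above, as an added example that is not part of the original slides: each request carries a nonce and a timestamp and is authenticated with HMAC-SHA256 under a key shared by customer and bank. The names sign_request, BankVerifier and MAX_AGE, the 30-second window, and the sample transfer are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

MAX_AGE = 30  # seconds a request stays valid (assumed freshness window)

def sign_request(key, payload, now=None):
    """Customer side: add a fresh nonce and timestamp, then MAC the whole body."""
    body = dict(payload, nonce=secrets.token_hex(16),
                ts=time.time() if now is None else now)
    raw = json.dumps(body, sort_keys=True).encode()
    return {"body": raw, "tag": hmac.new(key, raw, hashlib.sha256).hexdigest()}

class BankVerifier:
    """Bank side: reject modified, stale, or already-seen requests."""
    def __init__(self, key):
        self.key = key
        self.seen = {}  # nonce -> timestamp, kept only while inside the window

    def verify(self, msg, now=None):
        now = time.time() if now is None else now
        expected = hmac.new(self.key, msg["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: modified"        # integrity check failed
        body = json.loads(msg["body"])
        if abs(now - body["ts"]) > MAX_AGE:
            return "rejected: stale"           # outside the freshness window
        # Forget nonces that can no longer pass the freshness check.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_AGE}
        if body["nonce"] in self.seen:
            return "rejected: replay"          # same message delivered twice
        self.seen[body["nonce"]] = body["ts"]
        return "accepted"

def demo():
    key = secrets.token_bytes(32)              # constructed shared secret
    bank = BankVerifier(key)
    msg = sign_request(key, {"from": "alice", "to": "eve", "amount": 100}, now=1000.0)
    tampered = {"body": msg["body"].replace(b'"amount": 100', b'"amount": 900'),
                "tag": msg["tag"]}
    return [bank.verify(msg, now=1001.0),       # original request
            bank.verify(msg, now=1002.0),       # exact copy sent again
            bank.verify(tampered, now=1003.0),  # amount changed in transit
            bank.verify(msg, now=2000.0)]       # copy sent long after

print(demo())
```

The MAC covers the nonce and timestamp as well as the transaction fields, so an interceptor cannot refresh them without invalidating the tag.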

Slide-54
Attacks Based on the Security Goals

Attacks Threatening Integrity:
Repudiation:
 It means that the sender of the message might later deny that
she has sent the message, or the receiver of the message might
later deny that he has received the message.
 This type of attack is different from other attacks because it is
performed by one of the two parties involved in the
communication: the sender or the receiver.
 An example of denial by the sender could occur when a
customer asks her bank to send some money to a third
party but later denies that she has made such a request.
 An example of denial by the receiver could occur when a
person buys a product from a manufacturer and pays for it
electronically, but the manufacturer later denies having
received the payment and asks to be paid.
Slide-55
Attacks Based on the Security Goals
Attacks Threatening Availability:
Denial of Service:

 Denial of service (DoS) is a very common attack. It may slow
down or totally interrupt the service of a system.
 The attacker can use several strategies to achieve this. For
example,
- The attacker might send so many bogus requests to a server that it
crashes because of the heavy load.
- The attacker might intercept and delete a server’s response to a
client, making the client believe that the server is not responding.
- The attacker may also intercept requests from the clients, causing
the clients to send requests many times and overload the system.

Slide-56
Passive Attacks:
 In a passive attack, the attacker's goal is just to obtain information. This means
that the attack does not modify or harm the system. The system continues
with its normal operation.
 The attack may harm the sender or receiver of the message, but the system is
not affected. Passive attacks do not involve any alteration of data. For this
reason, it is difficult to detect this type of attack until the sender or the
receiver finds out about the leaking of confidential information.

 Passive attacks can be prevented by encipherment of the data.


 Example: Snooping and traffic analysis are examples of passive attacks
that threaten confidentiality.
 Eve, as a passive attacker, can obtain message contents by eavesdropping
on, or monitoring, the transmission of a message from Bob to Alice, as
shown in the figure.

Slide-57
Active Attacks:
 An active attack may change the data or harm the system and
system resources or affect their operation.
 Active attacks are normally easier to detect than to prevent.
 Active attacks present the opposite characteristics of passive
attacks.
 Whereas passive attacks are difficult to detect, measures are available
to prevent their success.
 On the other hand, active attacks are normally easier to detect than to
prevent absolutely, because of the wide variety of potential physical,
software, and network vulnerabilities.

Example:
 Attacks that threaten the integrity and
availability are active attacks. These are
modification, masquerading, replaying,
repudiation and denial of service attacks.

Slide-58
Relationship Between Categories of Attacks
The table below shows the relationship between the two categories of security attacks:

Categorized by security goal:
1. Attacks Threatening Confidentiality
- Snooping
- Traffic analysis
2. Attacks Threatening Integrity
- Modification
- Masquerading
- Replaying
- Repudiation
3. Attacks Threatening Availability
- Denial of service

Categorized as active or passive:
1. Active Attacks:
- Modification
- Masquerading
- Replaying
- Repudiation
- Denial of service
2. Passive Attacks:
- Snooping
- Traffic analysis

Table: Categorization of passive and active attacks

Slide-59


Discussion Points
 A Model for Information Security
 Data Vs. Database Vs. Information

 Significance of Information in Our Life
 Information System, Components & Security
 Multiple Layers of Information Security
 Core Information Security Principles
 Information Security Attacks
 Importance of Information Protection
 The Evolution of Information Security

Slide-60
Slide-61
Thank you…
Have a question?
