Fundamentals of Information Security

Information security focuses on protecting data from unauthorized access and ensuring its confidentiality, integrity, and availability, commonly referred to as the CIA triad. Key principles include least privilege, fail-safe defaults, and the use of various security mechanisms such as authentication, encryption, and firewalls. Understanding these fundamentals is essential for designing secure systems and protecting sensitive information from threats.


Fundamentals of Information Security
Information Security refers to the process of protecting information from
unauthorized access, use, disclosure, disruption, modification, or destruction. It
aims to ensure that information remains confidential, accurate, and available
to authorized users only.

Foundation means the basic principles or the starting point. The foundation of
information security teaches us the key ideas that help us build secure
systems.
Main Goals (CIA Triad)

Confidentiality
Ensures that sensitive information is only accessible to authorized people. For example, your bank details should only be visible to you and your bank.

Integrity
Ensures the information is correct and has not been changed by an unauthorized person. For example, no one should be able to change your exam marks without permission.

Availability
Ensures that information and systems are available when needed. For example, you should be able to access your email whenever you want.

Why It's Important:

Helps protect personal and financial data.
Prevents identity theft and hacking.
Keeps companies, systems, and data secure and working properly.

Common Tools:

Passwords to authenticate users (the username identifies who is claiming to log in; the password proves that claim).
Firewalls to block harmful access.
Antivirus software to detect and remove threats.
Encryption to make information unreadable to anyone who does not hold the key.
Security Design Principles
These are general rules used by system designers to build secure systems that are hard to break
into.

Least Privilege
Users should only get the minimum level of access they need to perform their job. For
example, a cashier should not be allowed to change system settings.

Fail-Safe Defaults
By default, access should be denied, and only allowed when permission is clearly granted.
This ensures no one accidentally gets more access than needed.

Economy of Mechanism
Systems should be kept simple. The simpler the system, the fewer places there are for
security holes to hide.

Complete Mediation
Every access to a resource (like a file or printer) should be checked for permission every time,
not just the first time.
Open Design
Security should not depend on secrecy of the system's design. A good system stays secure even if everyone knows how it works; only the keys need to stay secret.

Separation of Privilege
To perform sensitive actions, multiple approvals or conditions should be required. For example, transferring large sums of money may require two managers' approval.

Least Common Mechanism
Reduce the amount of shared mechanisms (such as files or programs) among users to prevent security risks.

Psychological Acceptability
Security should be easy to use. If it is too hard, users will ignore or bypass it.
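The following Go program is an added example, not part of the original notes, that puts three of the principles above into code: a permission table in which anything not explicitly granted is denied (fail-safe defaults), a check that runs on every call instead of trusting a decision made earlier in the session (complete mediation), and a two-approver rule for large transfers (separation of privilege). The roles, the threshold and the user names are assumptions made up for the illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// A permission is an explicit (role, action) pair. Only pairs that were
// granted are in the table; everything else is denied (fail-safe default).
type permission struct{ role, action string }

type Policy struct{ allowed map[permission]bool }

func NewPolicy() *Policy { return &Policy{allowed: map[permission]bool{}} }

func (p *Policy) Grant(role, action string)  { p.allowed[permission{role, action}] = true }
func (p *Policy) Revoke(role, action string) { delete(p.allowed, permission{role, action}) }

// Authorize answers "is this explicitly allowed?". An unknown role or action
// simply yields false; there is no error path a caller could forget to check.
func (p *Policy) Authorize(role, action string) bool {
	return p.allowed[permission{role, action}]
}

// User names and roles are assumptions for the illustration.
type User struct{ Name, Role string }

// Transfers above this (assumed) amount need two distinct approvers
// (separation of privilege).
const largeTransfer = 10_000

var (
	ErrDenied        = errors.New("access denied")
	ErrNeedsApproval = errors.New("large transfer needs two distinct approvers")
)

// Transfer consults the policy on every call (complete mediation) rather than
// trusting a decision cached earlier in the session, so a revocation takes
// effect on the very next attempt.
func Transfer(p *Policy, actor User, amount int, approvers []User) error {
	if !p.Authorize(actor.Role, "transfer") {
		return ErrDenied
	}
	if amount <= largeTransfer {
		return nil
	}
	distinct := map[string]bool{}
	for _, a := range approvers {
		// Each approver must be authorized to approve and must not be the
		// actor; the same person listed twice counts as one approval.
		if a.Name != actor.Name && p.Authorize(a.Role, "approve") {
			distinct[a.Name] = true
		}
	}
	if len(distinct) < 2 {
		return ErrNeedsApproval
	}
	return nil
}

func main() {
	p := NewPolicy()
	p.Grant("cashier", "transfer")
	p.Grant("manager", "transfer")
	p.Grant("manager", "approve")

	cashier := User{"alice", "cashier"}
	bob, carol := User{"bob", "manager"}, User{"carol", "manager"}

	fmt.Println(Transfer(p, cashier, 500, nil))                   // <nil>
	fmt.Println(Transfer(p, User{"eve", "intern"}, 500, nil))     // access denied (no entry)
	fmt.Println(Transfer(p, cashier, 50_000, []User{bob}))        // needs two approvers
	fmt.Println(Transfer(p, cashier, 50_000, []User{bob, bob}))   // still one approver
	fmt.Println(Transfer(p, cashier, 50_000, []User{bob, carol})) // <nil>

	p.Revoke("cashier", "transfer")
	fmt.Println(Transfer(p, cashier, 500, nil)) // access denied: revocation is immediate
}
```

The important design choice is that Authorize returns a plain bool with false as the default, so a missing entry, a misspelled role or a new action that nobody has configured yet all deny rather than allow.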
Security Mechanisms
Security mechanisms are the actual tools or methods used to enforce information security. They
ensure that the security principles are followed.

Authentication
Verifies the identity of a user (e.g., using a username and password).

Authorization
Determines what a user is allowed to do after they are authenticated (e.g., read-only or
edit access).

Encryption
Converts data into a coded form so unauthorized users can't read it.

Firewalls
Monitor and control incoming and outgoing network traffic based on security rules.

Antivirus Software
Detects and removes malicious software from systems.

Access Control
Ensures that only authorized users can access specific resources.

Intrusion Detection Systems (IDS)
Monitor the system for suspicious activity and raise an alert when it is found.

Data Backup
Regularly copies data to another location to protect it from loss.
Symmetric and Asymmetric Cryptography
Cryptography is the technique of protecting information by converting it into an unreadable format that can only be decoded by someone with the correct key.

Symmetric Cryptography:
Uses the same key for both encryption and decryption.
Fast and efficient for large amounts of data.
The main challenge is securely sharing the key with others.
Example: Encrypting files on your computer with a password.

Asymmetric Cryptography:
Uses two different keys, a public key (to encrypt) and a private key (to decrypt).
Solves the key-sharing problem: the public key can be published openly, so anyone can send data that only the holder of the private key can read.
Much slower and limited to small messages, so in practice it is used to protect a symmetric key, and that symmetric key then encrypts the bulk of the data (hybrid encryption).
Example: Secure email communication or digital signatures.

Feature       Symmetric                                      Asymmetric

Keys Used     One shared key                                 Two keys (public + private)

Speed         Fast                                           Slower

Key Sharing   Hard: the secret key must be exchanged         Easy: the public key can be published openly
              over a secure channel

Use Case      Encrypting files and bulk data                 Key exchange, secure communication, digital signatures


Encryption, Hash Function, and Digital Signature

Encryption
Encryption is the process of converting normal data (called plaintext) into coded data (called ciphertext) so that only authorized users can understand it.

How Encryption Works:
1. Encrypt: The sender uses a key to turn the data into unreadable form.
2. Decrypt: The receiver uses a key to convert it back to readable form.

Common Uses:
Securing emails and messages (e.g., WhatsApp)
Online transactions and banking
Protecting files and documents

Hash Function
A hash function is a method used to convert any input data into a short, fixed-length value called a hash.

Important Points:
It is a one-way function: you cannot turn the hash back into the original input.
Even a small change in the input results in a completely different hash.
Used to verify that data has not been changed.

Applications:
Storing passwords securely in databases (with a per-user salt and a deliberately slow hash; a plain fast hash of a password can be guessed offline at high speed)
Checking that downloaded files are complete and unchanged
Used in blockchain technology

Digital Signature
A digital signature is a special kind of electronic stamp used to prove that a message or document is from a specific person and has not been changed.

How It Works:
1. The sender creates a hash of the message.
2. The sender signs the hash with their private key (with RSA this step is often described as "encrypting" the hash).
3. The receiver hashes the received message themselves, then uses the sender's public key to check the signature against that hash. If either the message or the signature was altered, the check fails.

Benefits:
Confirms the identity of the sender (whoever holds the private key).
Ensures the message was not changed.
The sender cannot later deny having signed it (non-repudiation), which is what gives a signature legal weight.

Used In:
Emails
Electronic contracts
Secure documents
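Added example, not from the original notes, written in Go with the standard library: SHA-256 as the hash function, an integrity check against a published digest, a count of how many digest bits flip for a one-character change, and the three signature steps above carried out with RSA PKCS#1 v1.5. The "abc" sample and its digest are the standard SHA-256 test value; the messages are constructed for the illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// VerifyDownload recomputes SHA-256 over the bytes received and compares the
// result with the digest the publisher posted. No key is involved: this
// catches corruption and casual tampering, but an attacker who can replace
// the file can usually replace the posted digest too, which is what a
// signature fixes.
func VerifyDownload(data []byte, publishedHex string) bool {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:]) == publishedHex
}

// DifferingBits counts how many of the 256 digest bits differ between two
// inputs (the avalanche effect: roughly half of them for any change at all).
func DifferingBits(a, b []byte) int {
	ha, hb := sha256.Sum256(a), sha256.Sum256(b)
	n := 0
	for i := range ha {
		n += bits.OnesCount8(ha[i] ^ hb[i])
	}
	return n
}

// Sign follows the steps above: hash the message, then sign the hash with
// the private key (RSA PKCS#1 v1.5 with SHA-256).
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify re-hashes what was received and checks the signature against that
// hash with the public key. A changed message, a changed signature, or a
// signature made with a different key all fail.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	// "abc" and this digest are the standard SHA-256 test value.
	const abcDigest = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
	fmt.Println("download intact:", VerifyDownload([]byte("abc"), abcDigest))
	fmt.Println("download altered:", VerifyDownload([]byte("abd"), abcDigest))
	fmt.Println("bits changed by one character:", DifferingBits([]byte("amount=100"), []byte("amount=101")))

	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	msg := []byte("pay 100 to bob") // constructed message
	sig, err := Sign(priv, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine:", Verify(&priv.PublicKey, msg, sig))
	fmt.Println("altered message:", Verify(&priv.PublicKey, []byte("pay 900 to bob"), sig))
	sig[0] ^= 0x01
	fmt.Println("altered signature:", Verify(&priv.PublicKey, msg, sig))
}
```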
Key Management and Authentication

Key Management
Key management involves the handling of encryption keys during their entire lifecycle to ensure they remain secure.

Stages in Key Management:
1. Key Generation: Creating secure keys using software or hardware.
2. Key Storage: Keeping keys safe in secure storage areas.
3. Key Distribution: Securely sharing keys with others.
4. Key Usage: Using keys for encryption, decryption, or signing.
5. Key Rotation: Regularly changing keys to maintain security.
6. Key Deletion: Securely removing keys when they are no longer needed.

Challenges:
Keeping keys secret
Managing large numbers of keys
Preventing loss or theft of keys

Solutions:
Use of Key Management Systems (KMS)
Hardware devices like HSM (Hardware Security Modules)

Authentication and Access Control
Authentication is the process of confirming a user's identity. Access Control is the process of deciding what the user can do once identified.

Types of Authentication:
Knowledge-based: Passwords or PINs
Biometric: Fingerprints, facial recognition
Token-based: OTPs, smart cards

Types of Access Control:
1. Discretionary Access Control (DAC): Users control who can access their resources.
2. Mandatory Access Control (MAC): Admin strictly controls access based on security levels.
3. Role-Based Access Control (RBAC): Access is given based on the user's role (e.g., teacher, student, admin).

Importance:
Prevents unauthorized access
Ensures only trusted users can perform certain tasks
Protects sensitive information and systems
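Added example, not part of the original notes: a small Go key ring that walks through the key management stages above (generation, usage, rotation, deletion) for HMAC keys used to sign tokens. Each token carries the ID of the key that signed it, so after a rotation the new key does all the signing while the old key is kept only to verify tokens already in circulation, and is deleted once those have expired. The token format and key IDs are assumptions for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// KeyRing keeps every key that is still needed, indexed by a short key ID.
// The newest key is the only one that signs; older keys stay until every
// token issued under them has expired, then get deleted.
type KeyRing struct {
	keys    map[string][]byte
	current string
	n       int // counter for key IDs (an assumed naming scheme)
}

func NewKeyRing() *KeyRing { return &KeyRing{keys: map[string][]byte{}} }

// Rotate is key generation plus rotation: a fresh 256-bit key from the
// system CSPRNG becomes the active signing key.
func (r *KeyRing) Rotate() (string, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return "", err
	}
	r.n++
	id := fmt.Sprintf("k%d", r.n)
	r.keys[id] = k
	r.current = id
	return id, nil
}

// Retire is key deletion. The active key is protected so an operator cannot
// leave the ring unable to issue tokens.
func (r *KeyRing) Retire(id string) error {
	if id == r.current {
		return errors.New("refusing to delete the active signing key")
	}
	if _, ok := r.keys[id]; !ok {
		return errors.New("no such key: " + id)
	}
	delete(r.keys, id)
	return nil
}

// Issue signs payload with the active key and prefixes the key ID so the
// verifier knows which key to use. Token format: <keyID>.<payload>.<hex tag>.
func (r *KeyRing) Issue(payload string) (string, error) {
	if strings.Contains(payload, ".") {
		return "", errors.New("payload must not contain '.'")
	}
	k, ok := r.keys[r.current]
	if !ok {
		return "", errors.New("key ring has no active key")
	}
	return r.current + "." + payload + "." + hex.EncodeToString(tag(k, r.current, payload)), nil
}

// Verify looks the key up by ID; a token signed under a retired key is
// rejected even though its tag was once valid.
func (r *KeyRing) Verify(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	id, payload, got := parts[0], parts[1], parts[2]
	k, ok := r.keys[id]
	if !ok {
		return "", errors.New("unknown or retired key: " + id)
	}
	want, err := hex.DecodeString(got)
	if err != nil || !hmac.Equal(want, tag(k, id, payload)) { // constant-time compare
		return "", errors.New("bad tag")
	}
	return payload, nil
}

// tag covers the key ID as well as the payload, so the ID cannot be swapped
// without invalidating the tag.
func tag(key []byte, id, payload string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(id + "." + payload))
	return mac.Sum(nil)
}

func main() {
	ring := NewKeyRing()
	k1, _ := ring.Rotate()
	old, _ := ring.Issue("user=alice")
	fmt.Println(ring.Verify(old)) // user=alice <nil>

	k2, _ := ring.Rotate()        // rotation: k2 now signs
	fmt.Println(ring.Verify(old)) // still valid: k1 kept for verification only
	fresh, _ := ring.Issue("user=bob")
	fmt.Println(strings.HasPrefix(fresh, k2+".")) // true

	fmt.Println(ring.Retire(k2)) // refused: active key
	fmt.Println(ring.Retire(k1)) // <nil>
	fmt.Println(ring.Verify(old)) // "" unknown or retired key: k1
}
```

In a real deployment the ring would live in a KMS or HSM and the keys would never be held in application memory as plain byte slices; the lifecycle logic is the same.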

Final Summary
Information security is all about protecting data, systems, and users. From understanding the basics of the CIA triad to implementing
secure design principles, security mechanisms, and encryption, every part plays a key role in building a secure digital world. Technologies
like hash functions, digital signatures, and access control ensure trust, privacy, and integrity in modern computing.

By mastering these foundational topics, we can better understand how to design and manage secure systems that protect users and
data from threats.
