Introduction To ISA

Ethical hacking involves exploiting vulnerabilities in a system to test its security without malicious intent. It helps identify security weaknesses before criminals can exploit them. An ethical hacker, also called a white hat hacker, has hacking skills but uses them to conduct authorized penetration tests and security assessments. The goal is to strengthen security and protect systems and data, not enable unauthorized access or harm. Ethical hacking follows a process including reconnaissance, scanning, gaining access, and maintaining access - but with permission and to help rather than hack. It is a defensive approach to security unlike the illegal activities of black hat hackers.

Uploaded by Screamer Fever
© All Rights Reserved

Introduction to Information Security and Assurance
Week 1
Even Semester 2021/2022
Department of Informatics UBAYA
Informatics Engineering Study Program
Faculty of Engineering, Universitas Surabaya

ULS
• All slides and assignments can be downloaded/uploaded from: ULS
• You need your Gooaya account to login

Say NO to Plagiarism
• Plagiarism (copying, or letting others copy) in any assessment (Quiz/Practice Work) will be penalized by giving 0 to ALL assessments
• Plagiarism in UTS/UAS (Mid Term Test/Final Term Test) will be penalized by giving 0 to ALL PREVIOUS UTS/UAS (OTHER SUBJECTS)
• DON’T RISK IT !
Mark
Component                    Grade %
NTS  Assignment(s)           30%
     Quiz                    30%
     Project UTS (UTS)       40%
NAS  Assignment(s)           30%
     Quiz                    30%
     Project UAS (UAS)       40%
Introduction
[Slide illustration: a message sent as “Hi, I miss you” arrives at the other end as “Hi, I hate you”]
Point of view
• What is information security and assurance ?
• Why is it important ?
• What can we do ?
What is information security ?
1. Information security means protecting information and information
systems from unauthorized access, use, disclosure, disruption,
modification, or destruction
2. Keep all information in all its locations free from threats
(Y. Cherdantseva, 2013).
3. Deals with :
– Security of end systems (Operating system, files/Data, records,
databases, logs, etc)
– Security of information in transit over network (e-commerce
transactions, online banking, file transfers, etc)
What is information assurance ?
1. The information is really being used in the way intended and by the people intended.
2. Information Assurance Advisory Council (IAAC) :
“Operations undertaken to protect and defend information and information
systems by ensuring their availability, integrity, authentication, confidentiality
and non-repudiation”
What is information assurance ?
• Assurance indicates "how much" to trust a system and is achieved by ensuring that
– The required functionality is present and correctly implemented
– There is sufficient protection against unintentional errors
– There is sufficient resistance to intentional penetration or by-pass
• Basis for determining this aspect of trust
– Specification : Requirements analysis, statement of desired functionality
– Design : Translate the specification into components that satisfy the specification
– Implementation : Programs/systems that satisfy a design
Why is it important ?
1. The information security threat landscape has changed significantly.
2. Malicious programs or threats can alter our data values, destroying
the integrity of the data.
3. Denial of Service (DoS) attacks (ex: DDoS) by someone can shut down
a server and/or network, making your system unavailable.
What can we do ?
Control
A set of layered technical, administrative, and physical devices,
policies, and other methods used to prevent a threat from
achieving its objective or to detect a threat and respond
effectively.
What can we do ?
Technical Control
• Network
– Firewalls
– Intrusion prevention/detection
– Log Management
• Endpoint
– Anti Malware
– Firewalls
– Strong access controls
What can we do ?
• Prevention
– To prevent someone from violating a security policy 
• Detection
– To detect activities in violation of a security policy
– Verify the efficacy of the prevention mechanism
• Response
– Stop policy violations (attacks)
– Assess and repair damage
– Ensure availability in presence of an ongoing attack
– Fix vulnerabilities for preventing future attack
– Retaliation against the attacker
BASIC COMPONENT OF SECURITY
CIA TRIAD
• Confidentiality
– Keeping data and resources secret or hidden
– allowing only authorized subjects to view data
• Integrity
– Maintaining the accuracy and trustworthiness of data
– Ensuring authorized modifications; 
– Includes correctness and trustworthiness
– May refer to Data integrity and Origin integrity
• Availability
– Ensuring authorized access to data and resources when desired
– Ensuring data is available when and where it is needed for business operation.
BASIC COMPONENT OF SECURITY
AAA

• Authentication 
– Verifying the identity of a subject
• Authorization 
– Determining what subject can access after
authentication
• Accountability 
– What subject did what, where, and when
Security Threats and Attacks
• A threat/vulnerability is a potential violation of security.
– Flaws in design, implementation, and operation.
• An attack is any action that violates security.
– Active adversary
• An attack has an implicit concept of “intent”
– Router mis-configuration or server crash can also cause
loss of availability, but they are not attacks
Classify Security Attacks as
• Passive attacks - eavesdropping on, or monitoring of,
transmissions to:
– obtain message contents, or
– monitor traffic flows
• Active attacks – modification of data stream to:
– masquerade of one entity as some other
– replay previous messages
– modify messages in transit
– denial of service
Owen and Louise want to communicate securely
[Slide diagram: Owen (secure sender) and Louise (secure receiver) exchange data and control messages over a channel; Eny (intruder) may intercept, delete, or add messages]
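The diagram shows Eny able to intercept, delete and add messages on the channel. As an added example, not part of the original slides, the Python below shows one way Louise can detect the active attacks listed on the previous slide (modification, replay, and deletion of messages in transit). It assumes Owen and Louise share a secret key (a constructed value) and attaches an HMAC-SHA256 tag plus a sequence number to each message; the names, key and messages are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed pre-shared key between Owen and Louise (hypothetical value).
SHARED_KEY = b"owen-louise-demo-key"


def make_message(key: bytes, seq: int, text: str) -> dict:
    """Sender side: serialise seq + text, then tag it with HMAC-SHA256."""
    payload = json.dumps({"seq": seq, "text": text}, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "tag": tag}


class Receiver:
    """Receiver side: verify the tag, then enforce increasing sequence numbers."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0
        self.log = []  # (verdict, detail) for every message handled

    def accept(self, msg: dict) -> str:
        payload = msg["payload"].encode()
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        # compare_digest is constant-time, so the comparison leaks nothing about the tag
        if not hmac.compare_digest(expected, msg["tag"]):
            self.log.append(("REJECT", "tag mismatch: modified or forged"))
            return "REJECT: modified"
        body = json.loads(payload)
        if body["seq"] <= self.last_seq:
            self.log.append(("REJECT", f"replayed seq {body['seq']}"))
            return "REJECT: replay"
        if body["seq"] != self.last_seq + 1:
            # a gap means a message was dropped or deleted on the channel
            self.log.append(("WARN", f"gap: expected {self.last_seq + 1}, got {body['seq']}"))
        self.last_seq = body["seq"]
        return f"ACCEPT: {body['text']}"


def demo() -> list:
    """Owen sends, Eny tampers, Louise verifies. Returns Louise's verdicts in order."""
    louise = Receiver(SHARED_KEY)
    results = []
    m1 = make_message(SHARED_KEY, 1, "Hi, I miss you")
    results.append(louise.accept(m1))
    # Eny rewrites the text but cannot recompute the tag without the key
    tampered = dict(m1)
    tampered["payload"] = m1["payload"].replace("I miss you", "I hate you")
    results.append(louise.accept(tampered))
    # Eny replays the genuine first message
    results.append(louise.accept(m1))
    # Eny deletes message 2; message 3 still verifies, but the gap is logged
    m3 = make_message(SHARED_KEY, 3, "See you at 5")
    results.append(louise.accept(m3))
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The tag does nothing against the passive attacks on the same slide: Eny still reads every message, so confidentiality needs encryption of the payload on top of this, and the shared key has to reach both parties over a path Eny cannot tamper with.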
Activity - Quest
• Which part of the CIA triad has been broken?
• Alice is buying books from an online retail site, and she finds that she is able to
change the price of a book from £19.99 to £1.99.
• Cynthia is working on her university applications online, when the admissions
website crashes. She is unable to turn in her application on time.
• Tony gets his phone bill in the mail. The bill was supposed to be for £80, but
the mail person spilled water on the bill, smearing the ink. The bill now asks for
£8.
• Kim has taken her A-Level exam and is waiting to get her results by email. By
accident, Kim’s results are sent to Karen.
• Rob opens his fitness tracking app to start logging a workout. The app
crashes, and he is unable to log his workout.
ETHICAL HACKING
• What is hacking ?
• Who is a hacker ?
• What is ethical hacking ?
What is hacking ?
1. Exploiting the vulnerabilities in a system,
compromising the security to gain unauthorized
command and control over the system resources
2. Can be used to steal information for any use like
sending it to competitors, regulatory bodies or
publicizing the sensitive information
Who is a hacker ?
1. The one who is smart enough to get the information
such as business data, personal data, credit card
information
2. Hackers use different techniques and tools to take over the
system without permission.
3. Their intention can be either doing illegal things for fun
or sometimes they are paid to hack (legally)
Who is a hacker ?
1. Black Hats : Hackers with malicious and destructive
activities and extraordinary skills, also known as
crackers
2. White Hats : Security analysts or individuals with
hacking skills who use them for defensive purposes
3. Gray Hats : Work both offensively and defensively
4. Suicide Hackers : Aim for destruction without
worrying about punishment
5. Cyber Terrorists : Attack on a large scale, driven by religious
or political beliefs, to create fear
Who is a hacker ?
6. State Sponsored Hackers : Employed by a government
to penetrate systems and gain top secret information
7. Script Kiddies : Unskilled hackers, hacking and
compromising systems using tools or scripts made by
real hackers
8. Hacktivists : Hackers promoting a political agenda,
traditionally by defacing or disabling websites
Hacking Phase
Reconnaissance → Scanning → Gaining Access → Maintaining Access → Clearing Tracks
Reconnaissance
• Initial phase of an attack
• Gathering information about the target
• Two types of reconnaissance
1. Active : Gaining information directly from the target.
• Via calls, emails, the technical department
2. Passive : Gaining information without interacting with the target directly.
• Searching the target’s social media for information
Scanning
a. Scan the network by information acquired during the
initial phase of reconnaissance.
b. The tools are dialler, port scanners, network mappers,
client tools (ping).
c. Finally get the information of ports including port status,
operating system information, device type, live
machines and other information.
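The slide lists the attacker's scanning tools; the defender's counterpart is the log management and intrusion detection controls from the "Technical Control" slide. As an added example, not from the original slides, the Python below applies a simple scan-detection rule to firewall log lines: a source that touches many distinct ports on one host within a short window is flagged. The log format, addresses, timestamps and thresholds are constructed assumptions, not taken from any real product.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (not from any real system): 10.0.0.5 sweeps
# eight ports in four seconds, 10.0.0.7 is a normal HTTPS client, 10.0.0.9
# touches two ports ten minutes apart.
SAMPLE_LOG = """\
2022-02-14T09:00:01 DENY src=10.0.0.5 dst=192.168.1.10 dport=21
2022-02-14T09:00:01 DENY src=10.0.0.5 dst=192.168.1.10 dport=22
2022-02-14T09:00:02 DENY src=10.0.0.5 dst=192.168.1.10 dport=23
2022-02-14T09:00:02 DENY src=10.0.0.5 dst=192.168.1.10 dport=25
2022-02-14T09:00:03 DENY src=10.0.0.5 dst=192.168.1.10 dport=80
2022-02-14T09:00:03 DENY src=10.0.0.5 dst=192.168.1.10 dport=443
2022-02-14T09:00:04 DENY src=10.0.0.5 dst=192.168.1.10 dport=3306
2022-02-14T09:00:04 DENY src=10.0.0.5 dst=192.168.1.10 dport=8080
2022-02-14T09:00:05 ALLOW src=10.0.0.7 dst=192.168.1.10 dport=443
2022-02-14T09:05:00 ALLOW src=10.0.0.7 dst=192.168.1.10 dport=443
2022-02-14T09:10:00 DENY src=10.0.0.9 dst=192.168.1.10 dport=22
2022-02-14T09:20:00 DENY src=10.0.0.9 dst=192.168.1.10 dport=23
"""

# Hypothetical line layout: ISO timestamp, action, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse(log_text: str) -> list:
    """Turn log lines into (timestamp, src, dst, dport) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return events


def detect_port_scans(events: list, min_ports: int = 6, window: timedelta = timedelta(seconds=60)) -> list:
    """Flag (src, dst) pairs that hit at least min_ports distinct ports inside one window."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in sorted(events):
        by_pair[(src, dst)].append((ts, dport))
    alerts = []
    for (src, dst), hits in by_pair.items():
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until it spans at most `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                alerts.append({"src": src, "dst": dst, "ports": sorted(ports),
                               "first": hits[start][0], "last": hits[end][0]})
                break  # one alert per pair is enough here
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(parse(SAMPLE_LOG)):
        print(f"possible port scan from {alert['src']} against {alert['dst']}: ports {alert['ports']}")
```

Both ALLOW and DENY lines count, because a scan of open ports produces allows. The threshold and window are tuning knobs: set too low they fire on monitoring systems and load balancers, set too high they miss slow scans such as the 10.0.0.9 pattern above, which is why a second rule over a longer window is usually run alongside this one.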
Gaining Access
a. Hacker gets the system !
b. Including control over an operating system, application
or computer network.
c. Techniques : password cracking, denial of service,
session hijacking or buffer overflow
Maintaining Access
a. Maintain the access, ownership & control over the
compromised systems
b. Attacker prevents the compromised system from being taken over
by any other hacker.
c. Using backdoors, rootkits, Trojans to retain their
ownership
d. Attacker may steal information by uploading the
information to a remote server, and manipulate the data
and configuration
Clearing Tracks
a. Hide the identity of the hacker by hiding the malicious activities
b. Remain undetected, remain unnoticed and wipe all
evidence that indicates the hacker’s identity
c. Attacker overwrites the system, application and other
related logs to avoid suspicion
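Overwriting logs (item c) is what a tamper-evident log is built to expose. As an added example, not from the original slides, the Python below chains each audit entry to the previous one with SHA-256 and keeps the final hash as an off-host anchor (the value a defender would ship to a remote log server). Overwriting an entry, deleting one from the middle, or trimming the tail each fails verification. The audit events and the genesis value are constructed.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # constructed anchor for the first entry

# Constructed audit events; not from any real system.
CONSTRUCTED_EVENTS = [
    {"ts": "2022-02-14T09:00:01", "user": "owen", "event": "login ok"},
    {"ts": "2022-02-14T09:00:05", "user": "eny", "event": "login failed"},
    {"ts": "2022-02-14T09:00:09", "user": "eny", "event": "login failed"},
    {"ts": "2022-02-14T09:00:12", "user": "eny", "event": "login ok"},
]


def entry_hash(prev_hash: str, record: dict) -> str:
    """Hash of this record bound to the hash of the entry before it."""
    material = prev_hash + json.dumps(record, sort_keys=True)
    return hashlib.sha256(material.encode()).hexdigest()


def append_entry(chain: list, record: dict) -> None:
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "hash": entry_hash(prev, record)})


def verify_chain(chain: list, anchor: str = None):
    """Return (ok, index). index is the first entry whose hash does not match,
    or len(chain) when every link verifies but the final hash differs from the
    off-host anchor, which is how a trimmed tail is caught."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["hash"] != entry_hash(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    if anchor is not None and prev != anchor:
        return False, len(chain)
    return True, None


def demo() -> dict:
    """Build the chain, then verify it against three tampering scenarios."""
    chain = []
    for rec in CONSTRUCTED_EVENTS:
        append_entry(chain, rec)
    anchor = chain[-1]["hash"]  # the copy a defender keeps off-host

    results = {"intact": verify_chain(chain, anchor)}

    # Attacker rewrites a failed login to look like a success.
    overwritten = copy.deepcopy(chain)
    overwritten[1]["record"]["event"] = "login ok"
    results["overwritten"] = verify_chain(overwritten, anchor)

    # Attacker deletes one entry from the middle of the log.
    middle_deleted = copy.deepcopy(chain)
    del middle_deleted[2]
    results["middle_deleted"] = verify_chain(middle_deleted, anchor)

    # Attacker trims the last entry: the remaining chain is self-consistent,
    # so only the off-host anchor reveals the removal.
    tail_trimmed = copy.deepcopy(chain[:-1])
    results["tail_trimmed"] = verify_chain(tail_trimmed, anchor)
    results["tail_trimmed_no_anchor"] = verify_chain(tail_trimmed)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The last two results are the practical point: a hash chain alone cannot tell that the newest entries were removed, so the anchor (or the whole log stream) has to leave the host as entries are written, on a path the attacker who controls the host cannot rewrite.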
WHAT IS ETHICAL HACKING ?
a. Important and crucial component of risk assessment,
auditing and counter-fraud work.
b. Ethical hacking and penetration testing are common
terms in the information security environment
c. Great challenge for security experts and analysts to
defend against cybercrime.
PHASE OF ETHICAL HACKING
1. Footprinting & Reconnaissance
2. Scanning
3. Enumeration
4. System hacking
5. Escalation of Privileges
6. Covering Tracks
Skills of an ethical hacker
1. Technical skills
• Has in-depth knowledge of almost all operating systems
• Skilled at networking, basic and detailed concepts, technologies
and knowledge of hardware and software
• Strong command over security areas, related issues and
technical domains
2. Non-technical skills
– Learning ability
– Problem-solving and communication skills
– Awareness of laws, standards and regulations
– Committed to security policies
Activity
• Group of 3
• Find a true story about a most-wanted hacker with a hilarious
criminal case.
• Explain the detail and the chain of custody, especially in technical
perspective.
• Make a short video or podcast to explain the detail.
• Share the link to ULS.
Enjoy your study
See you!
