Unit-I

Introduction to
Information Security
 What is security?
 Understanding the technical aspects of information security requires that you know
the definitions of certain information technology terms and concepts. In general,
security is defined as “the quality or state of being secure—to be free from danger.”
Security is often achieved by means of several strategies usually undertaken
simultaneously or used in combination with one another.

Slide 2
 IT Security
 IT security is the protection of computer systems and networks from
information disclosure, theft of or damage to their hardware, software, or
electronic data, as well as from the disruption or misdirection of the services
they provide.
 IT security performs four important functions for an organization:
 Protects the organization’s ability to function
 Enables the safe operation of applications implemented on the
organization’s IT systems
 Protects the data the organization collects and uses
 Safeguards the technology assets in use at the organization

Slide 3
Specialized areas of security
• Physical security, which encompasses strategies to protect people, physical
assets, and the workplace from various threats including fire, unauthorized
access, or natural disasters
• Personal security, which overlaps with physical security in the protection of
the people within the organization
• Operations security, which focuses on securing the organization’s ability to
carry out its operational activities without interruption or compromise
• Communications security, which encompasses the protection of an
organization’s communications media, technology, and content, and its ability
to use these tools to achieve the organization’s objectives
• Network security, which addresses the protection of an organization’s data
networking devices, connections, and contents, and the ability to use that
network to accomplish the organization’s data communication functions
• Information security includes the broad areas of information security
management, computer and data security, and network security.

Slide 4
Where it has been used?
• Governments, military, financial institutions, hospitals, and private businesses.
• Protecting confidential information is a business requirement.

1.2.1 Information Security components:

• Confidentiality
• Integrity
• Availability(CIA)
CIA Triangle
The C.I.A. triangle - confidentiality, integrity, and availability - has expanded into a
more comprehensive list of critical characteristics of information. At the heart of the
study of information security is the concept of policy. Policy, awareness, training,
education, and technology are vital concepts for the protection of information and for
keeping information systems from danger.

Slide 5
Slide 6
Answer

7*6 = 4 2
9*9 = 8 1
5*3 = 1 5
6*2 = 1 2

Slide 7
 CRITICAL CHARACTERISTICS OF
INFORMATION

Confidentiality
Confidentiality of information ensures that only those with sufficient privileges may access
certain information. When unauthorized individuals or systems can access information,
confidentiality is breached. To protect the confidentiality of information, a number of
measures are used:
• Information classification
• Secure document storage
• Application of general security policies
• Education of information custodians and end users
Example, a credit card transaction on the Internet.
• The system attempts to enforce confidentiality by encrypting the card number during
transmission, by limiting the places where it might appear (in data bases, logSlide files,8
Integrity
Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity
of information is threatened when it is exposed to corruption, damage, destruction, or
other disruption of its authentic state. Corruption can occur while information is being
compiled, stored, or transmitted.
• Integrity means that data cannot be modified without authorization.
• Eg: Integrity is violated when an employee deletes important data files, when a
computer virus infects a computer, when an employee is able to modify his own
salary in a payroll database, when an unauthorized user vandalizes a website, when
someone is able to cast a very large number of votes in an online poll, and so on

Slide 9
Availability
Availability is the characteristic of information that enables user access to
information without interference or obstruction and in a required format. A user in this
definition may be either a person or another computer system. Availability does not
imply that the information is accessible to any user; rather, it means availability to
authorized users.
• For any information system to serve its purpose, the information must be available
when it is needed.
• Eg: High availability systems aim to remain available at all times, preventing service
disruptions due to power outages, hardware failures, and system upgrades.

Slide 10
Privacy
The information that is collected, used, and stored by an organization is to be used
only for the purposes stated to the data owner at the time it was collected. This
definition of privacy does focus on freedom from observation (the meaning usually
associated with the word), but rather means that information will be used only in ways
known to the person providing it.

Identification
An information system possesses the characteristic of identification when it is able to
recognize individual users. Identification and authentication are essential to
establishing the level of access or authorization that an individual is granted.

Slide 11
Authentication
Authentication occurs when a control provides proof that a user possesses the identity

that he or she claims.

In computing, e-Business and information security it is necessary to ensure that the data,
transactions, communications or documents(electronic or physical) are genuine(i.e. they
have not been forged or fabricated)

Authorization
After the identity of a user is authenticated, a process called authorization provides
assurance that the user (whether a person or a computer) has been specifically and
explicitly authorized by the proper authority to access, update, or delete the contents of an
information asset.
Slide 12
Accountability
The characteristic of accountability exists when a control provides assurance that
every activity undertaken can be attributed to a named person or automated process.
For example, audit logs that track user activity on an information system provide
accountability.

Slide 13
Accuracy:
Information should have accuracy. Information has accuracy when it is free from
mistakes or errors and it has the value that the end users expects. If information contains a
value different from the user’s expectations, due to the intentional or unintentional
modification of its content, it is no longer accurate.

Utility
Information has value when it serves a particular purpose. This means that if
information is available, but not in a format meaningful to the end user, it is not useful. Thus,
the value of information depends on its utility. Possession The possession of Information
security is the quality or state of having ownership or control of some object or item.

Slide 14
How many times in a day, are the hands of a
clock in straight line but opposite in direction?

Slide 15
Answer
The hands of a clock point in opposite
directions (in the same straight line) 11 times
in every 12 hours. (Because between 5 and 7
they point in opposite directions at 6 o'clcok
only).
So, in a day, the hands point in the opposite
directions 22 times.

Slide 16
1.4 NSTISSC SECURITY MODEL
‘National Security Telecommunications & Information systems security committee’
document. It is now called the National Training Standard for Information security
professionals. The NSTISSC Security Model provides a more detailed perspective on
security. While the NSTISSC model covers the three dimensions of information security, it
omits discussion of detailed guidelines and policies that direct the implementation of
controls. Another weakness of using this model with too limited an approach is to view it
from a single perspective.
• The 3 dimensions of each axis become a 3x3x3 cube with 27 cells representing areas that
must be addressed to secure today’s Information systems.

Slide 17
• To ensure system security, each of the 27 cells must be properly addressed during
the security process.
• For example, the intersection between technology, Integrity & storage areas requires
a control or safeguard that addresses the need to use technology to protect the
Integrity of information while in storage.

Slide 18
COMPONENTS OF AN INFORMATION
SYSTEM
An information system (IS) is much more than computer hardware; it is the entire set
of software, hardware, data, people, procedures, and networks that make possible the
use of information resources in the organization. These six critical components enable
information to be input, processed, output, and stored. Each of these IS components
has its own strengths and weaknesses, as well as its own characteristics and uses. Each
component of the information system also has its own security requirements.

Slide 19
Slide 20
 • Software
• Hardware
• Data
• People
• Procedures
• Networks
Software
•The software components of IS comprises applications, operating systeAms, and assorted
•command utilities.
•Software programs are the vessels that carry the lifeblood of information through an
•organization. These are often created under the demanding constraints of project
management, which limit time, cost, and manpower.
Hardware
•Hardware is the physical technology that houses and executes the software, stores and
carries the data, and provides interfaces for the entry and removal of information from the
system.

Slide 21
• Physical security policies deal with hardware as a physical asset and with the
protection of these physical assets from harm or theft. Applying the traditional tools
of security, such as locks and keys, restricts access to and interaction with the
hardware components of an information system.
• Securing the physical location of computers and the computers themselves is
important because a breach of physical security can result in a loss of information.
Unfortunately, most information systems are built on hardware platforms that
cannot guarantee any level of information security if unrestricted access to the
hardware is possible.

Slide 22
Data
• Data stored, processed, and transmitted through a computer system must be
protected.
• Data is often the most valuable asset possessed by an organization and is the main
target
• of intentional attacks. The raw, unorganized, discrete(separate, isolated)
potentially-useful facts and figures that are later processed(manipulated) to
produce information.
People
There are many roles for people in information systems. Common ones include
• Systems Analyst
• Programmer
• Technician
• Engineer
• Network Manager
• MIS ( Manager of Information Systems )
• Data entry operator

Slide 23
Procedures
A procedure is a series of documented actions taken to achieve something. A procedure
is more than a single simple task. A procedure can be quite complex and involved, such
as performing a backup, shutting down a system, patching software.

Networks
•When information systems are connected to each other to form Local Area Network
•(LANs), and these LANs are connected to other networks such as the Internet, new
security challenges rapidly emerge.
•Steps to provide network security are essential, as is the implementation of alarm and
•intrusion systems to make system owners aware of ongoing compromises.

Slide 24
Slide 25
Answer

Slide 26
 Vulnerabilities
 A vulnerability is a weakness which can be exploited by a threat actor, such as an
attacker, to cross privilege boundaries (i.e. perform unauthorized actions) within a
computer system.
 Vulnerabilities are classified according to the asset class they are related to:-
 Hardware:- Susceptibility to humidity/dust ; Unprotected storage;
Over-heating.
 Software:- Insufficient testing; insecure coding; lack of audit trail;
Design flaw.
 Network:- Unprotected communication lines; Insecure network
architecture.
 Personnel:- Inadequate recruiting process; Inadequate security
awareness; insider threat
 Physical site:- Area subject to natural disasters (e.g. flood,
earthquake); interruption to power source
 Organizational:- Lack of regular audits; lack of continuity plans;

Slide 27
 Threats
 A threat is a potential negative action or event facilitated by a vulnerability that
results in an unwanted impact to a computer system or application.
 Any circumstance or event with the potential to adversely impact an IS through
unauthorized access, destruction, disclosure, modification of data, and/or denial
of service.
 A countermeasure is any step you take to ward off a threat to protect user, data, or
computer from harm.
 Various Security threats:-
 Users:- Identity Theft; Loss of Privacy; Exposure to Spam; Physical
Injuries.
 Hardware:- Power-related problems; theft; vandalism; and natural
disasters.
 Data:- Malwares; Hacking; Cybercrime; and Cyber-terrorism.

Slide 28
Threats to Information Security

Slide 29
 Threats(Keywords)
 Spam:-Unsolicited commercial e-mail/Junk e-mail
 Cookie:- Small text file that a Web server put on computer
 Web Bugs:-a small gif embedded in webpage/email
 Malwares:-Malicious Software
 Virus(require Some executables), Worms(Self executables), Spyware, Trojan
Horses, Botnet (Robot Network)
 Shoulder Surfing
 Hacking:-
 Sniffing:- finding user’s password(Password Sharing, Password Guessing or
Password Capture
 Social Engineering:- Dumpster Diving, Phishing(Email) & Vishing(Phone Calls)
 Spoofing
 DDoS:-Distributed Denial of Services.
 Cybercrime; and Cyber-terrorism.

Slide 30
Slide 31
Number of squares in the given
figure is
16 + 9 + 19 + 1 = 45.

Slide 32
 SECURING COMPONENTS
Protecting the components from potential misuse and abuse by unauthorized users.
Subject of an attack
Computer is used as an active tool to conduct the attack.
Object of an attack
Computer itself is the entity being attacked
Two types of attacks:
1.     Direct attack
2.     Indirect attack
1.  Direct attack
When a Hacker uses his personal computer to break into a system.[Originate from the
threat itself]
2.  Indirect attack
When a system is compromised and used to attack other system.[Originate from a
system or resource that itself has been attacked, and is malfunctioning or working
under the control of a threat].

Slide 33
Slide 34
 BALANCING INFORMATION SECURITY AND
ACCESS
  Has to provide the security and is also feasible to access the information for its
application. Information Security cannot be an absolute: it is a process, not a goal. Should
balance protection and availability.
  
Approaches to Information Security Implementation
 Bottom- up- approach.
•Top-down-approach
oHas higher probability of success.
o Project is initiated by upper level managers who issue policy & procedures &
processes.
o Dictate the goals & expected outcomes of the project.
o Determine who is suitable for each of the required action.

Slide 35
Slide 36
THE SYSTEMS DEVELOPMENT LIFE CYCLE
(SDLC)

Slide 37
SDLC Waterfall Methodology
SDLC-is a methodology for the design and implementation of an information system in
an organization.
• A methodology is a formal approach to solving a problem based on a structured
sequence of procedures.
• SDLC consists of 6 phases.
 Investigation
•  It is the most important phase and it begins with an examination of the event or plan
that initiates the process.
•    During this phase, the objectives, constraints, and scope of the project are specified.

At the conclusion of this phase, a feasibility analysis is performed, which assesses the
economic, technical and behavioral feasibilities of the process and ensures that
implementation is worth the organization’s time and effort.

Slide 38
 Analysis
•    It begins with the information gained during the investigation phase.
•   It consists of assessments (quality) of the organization, the status of current systems, and
the capability to support the proposed systems.
•   Analysts begin by determining what the new system is expected to do, and how it will
interact with existing systems.
•   This phase ends with the documentation of the findings and an update of the feasibility
analysis.

Logical Design
• In this phase, the information gained from the analysis phase is used to begin creating a
systems solution for a business problem.
• Based on the business need, applications are selected that are capable of providing
needed services.
• Based on the applications needed, data support and structures capable of providing the
needed inputs are then chosen.
• In this phase, analysts generate a number of alternative solutions, each with corresponding
Slide 39
strengths and weaknesses, and costs and benefits.
Physical design
•    In this phase, specific technologies are selected to support the solutions developed in the
logical design.
•   The selected components are evaluated based on a make-or-buy decision.
•  Final designs integrate various components and technologies.
Implementation
•    In this phase, any needed software is created.
•   Components are ordered, received and tested.
•   Afterwards, users are trained and supporting documentation created.
•   Once all the components are tested individually, they are installed and tested as a system.
•   Again a feasibility analysis is prepared, and the sponsors are then presented with the
system for a performance review and acceptance test.

Slide 40
Maintenance and change
•  It is the longest and most expensive phase of the process.
•  It consists of the tasks necessary to support and modify the system for the
remainder of its useful life cycle.
•  Periodically, the system is tested for compliance, with business needs.
• Upgrades, updates, and patches are managed.
• As the needs of the organization change, the systems that support the organization
must also change.
• When a current system can no longer support the organization, the project is
terminated and a new project is implemented.

Slide 41
What can travel around the world while staying
in a corner?

Slide 42
Answer

Stamp

Slide 43
 The Security Systems Development Life
Cycle (Sec SDLC )
The same phases used in the traditional SDLC can be adapted to support the
implementation of an information security project.
Investigation
-         This phase begins with a directive from upper management, dictating the process,
outcomes, and goals of the project, as well as its budget and other constraints.
-         Frequently, this phase begins with an enterprise information security policy, which
outlines the implementation of a security program within the organization.
-         Teams of responsible managers, employees, and contractors are organized.
-         Problems are analyzed.
-         Scope of the project, as well as specific goals and objectives, and any additional
constraints not covered in the program policy, are defined.
-         Finally, an organizational feasibility analysis is performed to determine whether the
organization has the resources and commitment necessary to conduct a successful security
analysis and design.

Slide 44
Analysis
-         In this phase, the documents from the investigation phase are studied.
-         The developed team conducts a preliminary analysis of existing security policies or
programs, along with that of documented current threats and associated controls.
-         The risk management task also begins in this phase.

-Risk management is the process of identifying, assessing, and evaluating the levels of risk
facing the organization, specifically the threats to the organization’s security and to the
information stored and processed by the organization.

Slide 45
Logical design
-         This phase creates and develops the blueprints for information security, and examines
and implements key policies.
-         The team plans the incident response actions.
-         Plans business response to disaster.
-         Determines feasibility of continuing and outsourcing the project.
Physical design
-         In this phase, the information security technology needed to support the blueprint
outlined in the logical design is evaluated.
-         Alternative solutions are generated.
-         Designs for physical security measures to support the proposed technological
solutions are created.
-         At the end of this phase, a feasibility study should determine the readiness of the
organization for the proposed project.
-         At this phase, all parties involved have a chance to approve the project before
implementation begins.

Slide 46
Implementation
-         Similar to traditional SDLC
-         The security solutions are acquired ( made or bought ), tested, implemented, and
tested again
-         Personnel issues are evaluated and specific training and education programs are
conducted.
-         Finally, the entire tested package is presented to upper management for final approval.

Maintenance and change

-         Constant monitoring, testing, modification, updating, and repairing to meet changing
threats have been done in this phase.

Slide 47
Security Professionals and the organization
Senior management
            Chief information Officer (CIO) is the responsible for
è Assessment
è Management
è And implementation of information security in the organization
Information Security Project Team
·        Champion
-         Promotes the project
-         Ensures its support, both financially & administratively.
·        Team Leader
- Understands project management
- Personnel management
- And information Security technical requirements.
·       

Slide 48
 Security policy developers
-         individuals who understand the organizational culture,
-         existing policies
-         Requirements for developing & implementing successful policies.
·        Risk assessment specialists
-         Individuals who understand financial risk assessment techniques.
-          The value of organizational assets,
-         and the security methods to be used.

Security Professionals
-         Dedicated
-         Trained, and well educated specialists in all aspects of information security from
both a technical and non technical stand point.
·        System Administrators
-         Administrating the systems that house the information used by the organization.
·        End users
 

Slide 49
Three types  
1.      Data owners
2.      Data custodians
3.      Data users
 
1. Data Owners
-         Responsible for the security and use of a particular set of information.
-         Determine the level of data classification
-         Work with subordinate managers to oversee the day-to-day administration of the data.
2. Data Custodians
-         Responsible for the storage, maintenance, and protection of the information.
-         Overseeing data storage and backups
-         Implementing the specific procedures and policies.
3. Data Users (End users)
            - Work with the information to perform their daily jobs supporting the mission of the
organization.
-         Everyone in the organization is responsible for the security of data, so data users are
included here as individuals with an information security role. 

Slide 50
Thank u
Slide 51