25-Sep-19

Information and Network

Security

Why study information security ?

Being an IT expert requires knowledge about IT security

Analogy: Building architects must have knowledge about fire safety

Developing IT systems without considering security will lead to vulnerable IT

systems

Global IT infrastructure is vulnerable to cyber attacks System :a set of

things working
IT experts without security skills are part of the problem
together as parts of
a mechanism
Learn about IT security to become part of the solution !

1
 25-Sep-19

Course Content

Information IP Network Types of Mitigating Cryptography

in Risk Network
Security architecture Security security
Management. Management
Basics Review. Threats threats Action

Information and Network Security

Course Information (Lecture 1)

• Course Books:
Principles of Information Security by Whitman & Mattord
NETWORK SECURITY ESSENTIALS: APPLICATIONS AND STANDARDS by
William Stallings
• Class Group : infosec2019subscribe@googlegroups.com

2
 25-Sep-19

Course Objective

• Importance of Information Security for every one.

• Academics + Industry ( Demand and Supply)
• Get grip on information and Network security principles and best practices in
real life.

Some Important Concepts and Terms

Security
“the state of being free from danger or threat.”

 Assets
“anything of value to the organization “
Not all assets have the same value. An organization must classify its assets.

 Vulnerability
a weakness in a system or a design that might be exploited.

 Threat
is a potential danger to Assets.

3
 25-Sep-19

Some Important Concepts and Terms (contd..)

Risk
Risk is the potential for uncontrolled loss of an Asset.
 Attack
An attack is an action that compromises the security of information
 Countermeasure
is a safeguard that mitigates against potential risks. Countermeasures are typically administrative,
technical, and physical controls.
 Security (Action ) is about protecting assets from damage or harm

4
 25-Sep-19

Components of an Information System

• Information system (IS) is entire set of software, hardware, data,
people, procedures, and networks necessary to use information as a
resource in the organization

• Data, Application, User… most important security layers.

5
 25-Sep-19

Information Security

• Information ( or Data) is an asset that must be protected.

• The value of information comes from the characteristics it possesses.
When a characteristic of information changes, the value of that
information either increases, or, more commonly, decreases.
• Information security, to protect the confidentiality, integrity and
availability of information assets, whether in storage, processing, or
transmission. It is achieved via the application of policy, education,
training and awareness, and technology.

Security Goals
• The CIA triad has become the de facto standard model for keeping
your organization secure.

6
 25-Sep-19

Security Goals C.I.A

Confidentiality
Protection of data from unauthorized disclosure. A loss of
confidentiality is the unauthorized disclosure of information.

Integrity
Assurance that data received is as sent by an authorized entity. A
loss of integrity is the unauthorized modification or destruction of information

Availability
• The information created and stored by an organization needs to
be available to authorized entities. A loss of availability is the disruption of
access to or use of information or an information system.

Generic Tools for implementing C I A

7
 25-Sep-19

Network Security
• Network security, a subset of Information security, aims to protect
any data that is being sent through devices in your network to
ensure that the information is not changed or intercepted.
• The role of network security is to protect the organization’s IT
infrastructure from all types of cyber threats.

The Need for Information Security

Why not simply solve all security problems once for all?

Reasons why that’s impossible:

• Rapid innovation constantly generates new technology with new vulnerabilities
• More activities go online
• Crime follows the money
• Information security is a second thought when developing IT Systems
• More effective and efficient attack technique and tools are being developed

Conclusion: Information security doesn’t have a final goal, it’s a continuing process

8
 25-Sep-19

The Need for Information Security

Security has become more complex than ever as the motives and
capabilities of threat actors continue to evolve while allowing the
miscreants to often stay (at least) one step ahead of those of us in the
Information security space. In addition, the concept of location of data
is becoming blurred by concepts of cloud computing and content-data
Networks .

The Bigger Picture

Information Security
Teams makes the policies
and Network /Systems
(OS, Applications , DB)
Teams implement the
policies.

9
 25-Sep-19

Classifying Assets
• Reason to classify an asset is so that you can take specific action,
based on policy, with regard to assets in a given class.

• By classifying data and labeling it (such as labeling “top secret” data

on a hard disk), we can then focus the appropriate amount of
protection or security on that data.
• More security for top secret data than for unclassified data, for
instance.

Asset Classification
Not all assets have the same value. An organization must classify its assets

10
 25-Sep-19

Some Known characters of Network Security literature

Generic characters can be users ,
Client server machines , Routers etc.
communicating over an unsecure
channel .

How it Fits All in Network Security

• Alice wants only Bob to be able to understand a message that she has
sent, even though they are communicating over an "insecure" medium
where an intruder (Trudy, the intruder) may intercept, read, and perform
computations on whatever is transmitted from Alice to Bob.
• Bob also wants to be sure that the message that he receives from Alice
was indeed sent by Alice, and Alice wants to make sure that the person
with whom she is communicating is indeed Bob.

• Alice and Bob also want to make sure that the contents of Alice's message
have not been altered in transit.

• Given these considerations, we can identify the desirable properties of

secure communication:

11
 25-Sep-19

OSI Security Architecture

The OSI Security Architecture is a framework that provides a systematic way of defining the requirements for security
and characterizing the approaches to satisfying those requirements. The document defines security attacks,
mechanisms, and services, and the relationships among these categories.

12
 25-Sep-19

Security Attacks
• Security attack: Any action that compromises the security of
information owned by an organization

• Passive Attacks
A Passive attack attempts to learn or make use of information from
the system but does not affect system resources. The goal of the
opponent is to obtain information is being transmitted.

Difficult to Detect . Countermeasure is to prevent than detect.

Security Attacks (Contd.)

• Active Attacks

An Active attack attempts to alter system resources or effect their

operations. Active attack involve some modification of the data stream
or creation of false statement.

Easier to detect difficult to prevent , goal is to defend ,detect and

recover.

13
25-Sep-19

14
25-Sep-19

15
25-Sep-19

16