Cyber Security (AMCANC 0201)
Unit 1: Information security, Information assurance, Cyber security, Security risk analysis

Subject: Cyber Security
Faculty: Devanshu Dube
Course Details: MCA, 2nd Semester

Topic Objective
INFORMATION SYSTEM (CO1)

What is Cyber Security

• Cybernetics:
   – is a transdisciplinary approach for exploring regulatory systems, their structures, constraints, and possibilities.
   – refers to "the study of mechanical and electronic systems designed to replace human systems."
• Cyber is a prefix that denotes a relationship with information technology (IT). Anything relating to computing, such as the internet, falls under the cyber category.

• Cyber security is the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks. It is also known as information technology security or electronic information security.
• It is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
• In computer security a threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm.

20 April 2022 Devanshu Dube AMCANC0201 CYBER SECURITY UNIT 1
Information System: "An arrangement that processes data and provides meaningful information."
(Figure: components of an information system, including Hardware and Software.)
INFORMATION SYSTEM (CO1)

(Figure: OAS, Office Automation Systems.)
INFORMATION SYSTEM (CO1)

Classification of IS
(Figure: Information Systems, classified on the basis of decision making, divide into Operations Support Systems and Management Support Systems.)

1. Operations support systems process data generated by business operations. Major categories are:
   i) Transaction processing systems
   ii) Process control systems
   iii) Office automation systems
INFORMATION SYSTEM (CO1)

1. Operations Support System (contd..):
   ii) Process control systems monitor and control physical/industrial processes. This system automates the adjustment of a production process.
      Example:
      – Making day-to-day decisions
      – Controlling operational processes
   iii) Office automation systems automate office procedures and enhance office communications and productivity. An office automation system is a network of various tools, technologies, and people required to conduct clerical and managerial tasks.
      Example:
      – Mail
      – Video Conferencing

2. Management support systems provide information and support needed for effective decision making by managers. Major categories are:
   i) Management information systems (MIS): generate information for monitoring performance and maintaining coordination.
      – Routine information for routine decisions
      – Operational efficiency
      – Use transaction data as main input
      – Databases integrate MIS in different functional areas
      Example: a production manager can check the report of cost and time of production.
   ii) Decision support systems (DSS) (contd..): end-users are more involved in creating a DSS than an MIS.
      Example: a sales manager can set sales targets for the coming year by considering the existing market conditions.
   iii) Executive information systems (EIS) or Executive Support Systems (ESS): provide critical information to the executive and top-level managers for making strategic decisions.

   Expert system: provides adequate knowledge and expert advice for making various managerial decisions.
      Expert System = knowledge base + software modules
   Knowledge Management System (KMS): for sharing knowledge, a KMS uses a group of collaboration systems, such as the Intranet. It provides two types of knowledge:
      i. Explicit knowledge: information that is documented, stored, and coded with the help of an IS.
      ii. Tacit knowledge: information based on processes and procedures stored in the human mind.
INFORMATION SYSTEM (CO1)

Summary of Information Systems
Other categories of Information Systems:
   a) End user computing systems
   b) Business information systems
   d) Strategic information systems

Development models of IS:
   1. Waterfall model
   2. Prototyping model
   3. Evolutionary model
   4. Spiral model
   5. Incremental model
Development of IS (CO1)

Waterfall model:
This method is also called the linear sequential model.
(Figure: Feasibility Check → Requirement Enquiry → Design → Coding → Testing → Maintenance.)

Stages of Waterfall Model
• Feasibility check: technical and financial feasibility check about system development.
• Requirement and specifications: gathering knowledge about the required system and developing the specifications needed.
• Design: converting the requirements and specifications into a system model.
• Coding: turning the design into program code, which bridges the understanding of the user and the system. This is also called programming.
• Testing: ensuring that the system performs according to the user requirements. This is done once the system is built, before it is released for use.
• Maintenance: changes in the system after testing or use, to correct shortcomings or meet further requirements.
Drawbacks of the waterfall model:
• It approaches feasibility analysis before requirement analysis, which is not practical.
• It tests the system only after design and implementation; therefore any change required after testing is hard to introduce.
• No feedback to a previous phase is provided for.

Prototyping model:
• The prototype may be a usable program but is not suitable as the final software product.
• The code for the prototype is thrown away. However, the experience gathered helps in developing the actual system.
• The development of a prototype might involve extra cost, but the overall cost might turn out to be lower than that of an equivalent system developed using the waterfall model.
Development of IS (CO1)

Prototyping Model:
(Figure: prototyping cycle with Rapid Prototype, Changed Requirements, Analysis and Retirement stages.)

Evolutionary Model:
• The evolutionary model improves on the classic waterfall model by providing scope for feedback and improvement at every stage of the system development.
Development of IS (CO1)

Spiral Model: Stages of Spiral Model
• User/client communication: interaction with the client or users of the system to identify the requirements and specifications of the system.
• System planning: planning the system to be developed and preparing a rough draft and schedule of the development process.
• Risk analysis: identifying the problems in the plan and developing solutions to check them.
• Engineering: involves system hardware and software design, coding and testing the system.
• Construction and finalization: involves system building and testing to release it for use.
• System evaluation: evaluation by the user or client to use the system.
Note: all these phases are repeated in the process of system development until users approve the system.

Incremental Model
• The incremental model approaches system development through various incremental steps, where every step tries to add more functions in the system development process.
• Each step of system development is a separate group of activities.
• This model can also be called the Continuous Improvement Model.
INFORMATION SYSTEM (CO1)

IS as Discipline
IS is an interdisciplinary field influenced by Computer Science, Political Science, Psychology, Operations Research, Linguistics, Sociology, and Organizational Theory.

Faculty Video Links, Youtube & NPTEL Video Links and Online Courses Details
• Youtube/other Video Links:
   – https://www.youtube.com/watch?v=Y3zoHFdzQbs
   – https://www.youtube.com/watch?v=cILODMGbtbk

INFORMATION SECURITY (CO1)
Information Security (CO1)

In today's session you will be aware of:
• Information Security
• Need and Importance of Information Security
• Threats, Types and Impact
• Vulnerability and Risk

INTRODUCTION TO INFORMATION SECURITY (CO1)
• Security: the quality or state of being secure, to be free from danger.
• Security is achieved using several strategies, simultaneously or in combination with one another.
• Security is recognized as essential to protect vital processes and the systems that provide those processes.
• Security is not something you buy, it is something you do.
• Security is for PPT (People, Process, Technology) and not only for appliances or devices.
INTRODUCTION TO INFORMATION SECURITY (CO1)

People: "Who we are"
People who use or interact with the Information include:
• Share Holders / Owners
• Management
• Employees
• Business Partners
• Service providers
• Contractors
• Customers / Clients
• Regulators etc.

Process: "What we do"
The processes refer to "work practices" or workflow. Processes are the repeatable steps to accomplish business objectives. Typical processes in our IT Infrastructure could include:
• Helpdesk / Service management
• Incident Reporting and Management
• Change Requests process
• Request fulfillment
• Access management
• Identity management
• Service Level / Third-party Services Management
• IT procurement process etc.
INTRODUCTION TO INFORMATION SECURITY (CO1)

ISO 27002:2005 defines Information Security as the preservation of:
– Confidentiality: ensuring that information is accessible only to those authorized to have access
– Integrity: safeguarding the accuracy and completeness of information and processing methods
– Availability: ensuring that authorized users have access to information and associated assets when required

Security breaches lead to:
• Reputation loss
• Financial loss
• Intellectual property loss
• Legislative breaches leading to legal actions (Cyber Law)
• Loss of customer confidence
• Business interruption costs
LOSS OF GOODWILL
INTRODUCTION TO INFORMATION SECURITY (CO1)

Types of Damage
• Interruption: destroyed/unavailable services/resources
• Interception: unauthorized party snooping on or getting access to a resource
• Modification: unauthorized party modifying a resource
• Fabrication: unauthorized party inserts a fake asset/resource

Components of a Threat
– Threat agents: criminals, terrorists, subversive or secret groups, state sponsored, disgruntled employees, hackers, pressure groups, commercial groups
– Capability: software, technology, facilities, education and training, methods, books and manuals
– Threat inhibitors: fear of capture, fear of failure, level of technical difficulty, cost of participation, sensitivity to public perception, law enforcement activity, target vulnerability, target profile, public perception, peer perception
– Threat amplifiers: peer pressure, fame, access to information, changing high technology, deskilling through scripting, skills and education levels, law enforcement activity, target vulnerability, target profile, public perception, peer perception
– Threat catalysts: events, technology changes, personal circumstances
– Threat agent motivators: political, secular, personal gain, religion, power, terrorism, curiosity
INTRODUCTION TO INFORMATION SECURITY (CO1)

Vulnerabilities
• "Some weakness of a system that could allow security to be violated."
• Types of vulnerabilities
   – Physical vulnerabilities
   – Natural vulnerabilities
   – Hardware/software vulnerabilities
   – Media vulnerabilities (e.g., stolen/damaged disks/tapes)
   – Emanation vulnerabilities (due to radiation)
   – Communication vulnerabilities
   – Human vulnerabilities

Noida Institute of Engineering and Technology, Greater Noida
INFORMATION ASSURANCE (CO1)
INFORMATION ASSURANCE AND CYBER SECURITY (CO1)

The Role of Operations Security
• Balance ease of use against the required mechanisms needed for system controls.
• Value of data (monetary value)
• Ongoing operational need for the data
• Reduced vulnerabilities and threats to ongoing operations

Attributes of IA
• Confidentiality: render the information unintelligible except by authorized entities.
• Integrity: data has not been altered in an unauthorized manner since it was created, transmitted, or stored.
• Availability: timely, reliable access to data and information services for authorized users.
• Non-repudiation: assurance that the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the data.
• Authentication: establishes the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information.
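The three message-level attributes above (integrity, authentication, non-repudiation) are easy to confuse because each is a stronger version of the last. The following added example, which is not part of the original slides, shows the difference with the Python standard library: a plain hash gives integrity against accidental corruption only, an HMAC adds authentication of the sender, and neither gives non-repudiation. The message, the shared key and the attacker's edit are constructed for the demonstration.

```python
"""Added example (not from the original slides): integrity vs.
authentication vs. non-repudiation with hashlib/hmac only.
Message, key and attacker behaviour are constructed for the demo."""
import hashlib
import hmac
import secrets


def sha256_tag(message: bytes) -> bytes:
    """Integrity only: anyone can recompute this, so it catches accidental
    corruption but not an attacker who rewrites the tag along with the data."""
    return hashlib.sha256(message).digest()


def hmac_tag(key: bytes, message: bytes) -> bytes:
    """Integrity + authentication: only a holder of `key` can produce it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_hmac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time compare so the check does not leak the tag byte by byte."""
    return hmac.compare_digest(hmac_tag(key, message), tag)


def attacker_rewrites(message: bytes, tag_fn):
    """A man-in-the-middle edits the message and recomputes the tag with the
    only function available to it (no key)."""
    forged = message.replace(b"amount=100", b"amount=9000")
    return forged, tag_fn(forged)


def demo() -> dict:
    key = secrets.token_bytes(32)  # shared secret, assumed exchanged out of band
    message = b"transfer: to=alice amount=100"

    # 1) Plain hash: the tampered message still "verifies", because the
    #    attacker simply recomputed the public digest.
    forged, forged_digest = attacker_rewrites(message, sha256_tag)
    plain_hash_detects = sha256_tag(forged) != forged_digest

    # 2) HMAC: without the key the attacker can only reuse the old tag or
    #    attach a keyless digest; both are rejected, the genuine one accepted.
    tag = hmac_tag(key, message)
    forged, bogus = attacker_rewrites(message, sha256_tag)
    hmac_detects = (not verify_hmac(key, forged, bogus)
                    and not verify_hmac(key, forged, tag))
    genuine_ok = verify_hmac(key, message, tag)

    # 3) Non-repudiation is NOT provided by an HMAC: the recipient holds the
    #    same key, so it can mint a valid tag for a message the sender never
    #    sent, and the sender can therefore deny any message. A signature
    #    with a private key held only by the sender is needed for that.
    never_sent = b"transfer: to=mallory amount=5000"
    recipient_can_forge = verify_hmac(key, never_sent, hmac_tag(key, never_sent))

    return {
        "plain_hash_detects_tampering": plain_hash_detects,
        "hmac_detects_tampering": hmac_detects,
        "hmac_accepts_genuine": genuine_ok,
        "hmac_gives_non_repudiation": not recipient_can_forge,
    }


if __name__ == "__main__":
    for attribute, holds in demo().items():
        print(f"{attribute}: {holds}")
```

The practical reading: a checksum or hash stored next to the data is a transport-error detector, not a security control; an HMAC is a security control between parties that trust each other with a shared key; only a digital signature lets a third party settle a dispute about who sent what.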
INFORMATION ASSURANCE AND CYBER SECURITY (CO1)

What is cyber security?
• Cyber security standards are security standards which enable organizations to practice safe security techniques to minimize the number of successful cyber security attacks.
• Cyber security refers to the technologies and processes designed to protect computers, networks and data from unauthorized access, vulnerabilities and attacks delivered via the Internet by cyber criminals.
(Figure: Cyber Security, action against cyber crime.)
INFORMATION ASSURANCE AND CYBER SECURITY (CO1)

Why should we care?
• Cyber crime is criminal activity committed on the internet.
• Cyber crime: where a computer is either a tool or a target, or both.

How can we protect?
• Read the privacy policy carefully when you submit data through the internet.
• Encryption: many websites use SSL (secure socket layer), in practice its successor TLS, to encrypt data in transit.
INFORMATION ASSURANCE AND CYBER SECURITY (CO1)

Conclusion
• The only system which is truly secure is one which is switched off and unplugged.
• So, the only way to be safe is to pay attention and act smart.

Old Question Papers
• http://www.aktuonline.com/papers/mca-3-sem-cyber-security-rca305-2020.html
• http://www.aktuonline.com/papers/mca-3-sem-cyber-security-rca-305-2018-19.html
• http://www.aktuonline.com/papers/mca-3-sem-cyber-security-rca-305-2017-18.html
RISKS (CO1)

Risks
• Risks are potential problems/uncertainties that might affect the successful completion of a software project.
• Risk analysis and management are intended to help a software team understand and manage uncertainty during the development process.
• The work product is called a Risk Mitigation, Monitoring, and Management Plan (RMMM).

RISK (Contd...)
• Two risk strategies:
   1. Reactive strategy: the software team does nothing till the risk becomes real.
   2. Proactive strategy: risk management begins long before technical work starts. Risks are identified and prioritized by importance. Then the team builds a plan to avoid risks if they can, or minimize their probability of occurrence, or establish a plan in case risks become real.

RISK (Contd...)
Categories of risks
1. Project risks
   o Threaten the project plan.
   o If a project risk becomes real, it is likely the project schedule will slip and the costs will increase.
   o Identify problems related to budget, schedule, personnel and resources.
2. Technical risks
   o Threaten the quality of the software to be produced.
   o Identify problems related to design, implementation, maintenance etc.
3. Business risks
   • Threaten the viability of the software to be built.
   • Examples of business risk:
      1. Building an excellent product that no one wants.
      2. Building a product that no longer fits into the overall business strategy.
      3. Building a product that the sales force does not know how to sell.
      4. Change of management.
      5. Losing budgetary
RISK MANAGEMENT (CO1)

Risk management
• Risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.
• Risk management: "the process of identifying, controlling and minimizing or eliminating security risks that may affect information systems, for an acceptable cost." It is the assessment of risk and the implementation of procedures and practices designed to control the level of risk.
• Risk assessment: "assessment of threats to, impact on and vulnerabilities of information and information processing facilities and the likelihood of their occurrence." It covers identification of the risk; analysis of the risk in terms of performance, cost, and other quality factors; and risk prioritization in terms of exposure and leverage.

RISK MANAGEMENT (Contd...)
• Risk management
   – Risk assessment
      • Risk identification: decision driver analysis, assumption analysis, decomposition
      • Risk analysis: cost models, network analysis, decision analysis, quality factor analysis
      • Risk prioritization: risk leverage, component risk reduction
   – Risk control
      • Risk management planning: risk avoidance, transfer, reduction, element planning, plan integration
      • Risk resolution: simulations, benchmarks, analysis, staffing
      • Risk monitoring: top 10 tracking, risk assessment, corrective action
SECURITY RISK ANALYSIS (CO1)

Security Risk Analysis
• Security risk analysis, otherwise known as risk assessment, is fundamental to the security of any organization. It is essential in ensuring that controls and expenditure are fully commensurate with the risks to which the organization is exposed.
• However, many conventional methods for performing security risk analysis are becoming more and more untenable in terms of usability, flexibility, and critically, in terms of what they produce for the user.

SECURITY RISK ANALYSIS: Guidelines
Risk Analysis (cont.....)
• There are a number of distinct approaches to risk analysis:
   – Quantitative
   – Qualitative
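The risk management slides speak of prioritizing risks "in terms of exposure and leverage", of "top 10 tracking", and of keeping control expenditure commensurate with risk (the cost of security weighed against the cost of insecurity). The following added example, which is not from the original slides, puts numbers on those ideas using the usual quantitative definitions, risk exposure RE = probability x loss and risk leverage RL = (RE before control - RE after control) / cost of control, and then maps the same figures to qualitative High/Medium/Low bands. The risk register, probabilities, losses, control costs and band thresholds are all constructed for the demonstration.

```python
"""Added example (not from the original slides): a small quantitative
security risk analysis. RE = probability x loss (expected annual loss,
the 'cost of insecurity'); RL = (RE_before - RE_after) / control_cost
(risk reduction bought per unit of 'cost of security').
All figures below are constructed for the demonstration."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    probability: float          # chance per year the threat materialises (0..1)
    loss: float                 # loss if it does, in money units
    control: str                # candidate mitigating control
    control_cost: float         # annual cost of that control
    reduced_probability: float  # probability once the control is in place

    def exposure(self) -> float:
        """Expected annual loss with no control: the cost of insecurity."""
        return self.probability * self.loss

    def residual_exposure(self) -> float:
        """Expected annual loss that remains after the control."""
        return self.reduced_probability * self.loss

    def leverage(self) -> float:
        """Risk reduction per unit of control spend; >= 1 means the
        control saves at least what it costs."""
        return (self.exposure() - self.residual_exposure()) / self.control_cost


def prioritize(risks, top_n=10):
    """Rank by exposure, largest first: the 'top 10 tracking' list."""
    return sorted(risks, key=lambda r: r.exposure(), reverse=True)[:top_n]


def worth_controlling(risks, min_leverage=1.0):
    """Controls whose annual risk reduction covers their annual cost."""
    return [r for r in risks if r.leverage() >= min_leverage]


def qualitative_band(exposure: float) -> str:
    """Qualitative view of the same numbers. Band thresholds are assumed
    for the example; a real programme sets them from its risk appetite."""
    if exposure >= 50_000:
        return "High"
    if exposure >= 10_000:
        return "Medium"
    return "Low"


# Constructed sample risk register (not real data).
REGISTER = [
    Risk("ransomware on file server", 0.30, 400_000, "offline backups + EDR", 60_000, 0.05),
    Risk("phishing credential theft", 0.60, 50_000, "MFA rollout", 15_000, 0.10),
    Risk("data centre flood", 0.02, 1_000_000, "relocate racks", 250_000, 0.002),
    Risk("lost unencrypted laptop", 0.25, 20_000, "full-disk encryption", 2_000, 0.02),
]


if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.name:28} RE={r.exposure():>10,.0f} "
              f"({qualitative_band(r.exposure())})  RL={r.leverage():.2f}")
    print("fund these controls:", [r.control for r in worth_controlling(REGISTER)])
```

Note the two orderings disagree: the flood has the third largest exposure but the lowest leverage, so it stays on the tracking list without its expensive control being funded, while the cheap laptop encryption has the smallest exposure and the best leverage. Exposure decides what to watch; leverage decides what to spend on.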
SECURITY RISK ANALYSIS

Balancing the Risk
(Figure: a balance weighing the Cost of Security against the Cost of Insecurity.)

INFORMATION SYSTEM (CO1)

What is Cyber Security
• Job Opportunities: at the time of placement with a traditional degree, knowledge of cyber security will be an added advantage. Below are listed some job areas where students can be placed once they attain expert knowledge in security.
SECURITY RISK ANALYSIS

Old Question Papers

Summary

References