
INFORMATION SECURITY

What is Information?
What is Information Security?
What is RISK?
An Introduction to ISO for information technology
User Responsibilities

❖ What is Information?
o 'Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected'
o Information can be
▪ Created
▪ Stored
▪ Destroyed
▪ Processed
▪ Transmitted
▪ Used – (For proper & improper purposes)
▪ Corrupted
▪ Lost
▪ Stolen
▪ Printed or written on paper
▪ Stored electronically
▪ Transmitted by post or using electronic means
▪ Shown on corporate videos
▪ Displayed / published on web
▪ Verbal – spoken in conversations

❖ What is Information Security?
o The quality or state of being secure, to be free from danger
o Security is achieved using several strategies simultaneously or used in combination with one another
o Security is recognized as essential to protect vital processes and the systems that provide those processes
o Security is not something you buy, it is something you do
o The architecture where an integrated combination of appliances, systems and solutions, software, alarms, and vulnerability scans work together
o Monitored 24x7
o Having People, Processes, Technology, policies, procedures
o Security is for PPT (People, Processes, Technology) and not only for appliances or devices

❖ People “Who we are”
❖ People who use or interact with the Information include:
o Share Holders / Owners
o Management
o Employees
o Business Partners
o Service providers
o Contractors
o Customers / Clients
o Regulators etc…

❖ Process “what we do”
❖ The processes refer to "work practices" or workflow. Processes are the repeatable steps to accomplish business objectives. Typical processes in our IT Infrastructure could include:
o Helpdesk / Service management
o Incident Reporting and Management
o Change Requests process
o Request fulfillment
o Access management
o Identity management
o Service Level / Third-party Services Management
o IT procurement process etc.

❖ Technology “what we use to improve what we do”
❖ Network Infrastructure:
o Cabling, Data/Voice Networks and equipment
o Telecommunications services (PABX), including VoIP services, ISDN, Video Conferencing
o Server computers and associated storage devices
o Operating software for server computers
o Communications equipment and related hardware.
o Intranet and Internet connections
o VPNs and Virtual environments
o Remote access services
o Wireless connectivity
❖ Application software:
o Finance and assets systems, including Accounting packages, Inventory management, HR systems, Assessment and reporting systems
o Software as a service (SaaS) - instead of software as a packaged or custom-made product, etc.
❖ Physical Security components:
o CCTV Cameras
o Clock in systems / Biometrics
o Environmental management Systems: Humidity Control, Ventilation, Air Conditioning, Fire Control systems
o Electricity / Power backup
❖ Access devices:
o Desktop computers
o Laptops, ultra-mobile laptops and PDAs
o Thin client computing.
o Digital cameras, Printers, Scanners, Photocopier etc.

INFORMATION SECURITY
1. Protects information from a range of threats
2. Ensures business continuity
3. Minimizes financial loss
4. Optimizes return on investments
5. Increases business opportunities

Business survival depends on information security.

ISO 27002:2005 defines Information Security as the preservation of:

- Confidentiality: Ensuring that information is accessible only to those authorized to have access

- Integrity: Safeguarding the accuracy and completeness of information and processing methods

- Availability: Ensuring that authorized users have access to information and associated assets when required

Security breaches lead to…
• Reputation loss
• Financial loss
• Intellectual property loss
• Legislative Breaches leading to legal actions (Cyber Law)
• Loss of customer confidence
• Business interruption costs

LOSS OF GOODWILL

• Information Security is “Organizational Problem” rather than “IT Problem”
• More than 70% of Threats are Internal
• More than 60% culprits are First Time fraudsters
• Biggest Risk : People
• Biggest Asset : People
• Social Engineering is major threat
• More than 2/3rd express their inability to determine “Whether my systems are currently compromised?”

WHAT IS RISK?

- Risk: A possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset.

- Threat: Something that can potentially cause damage to the organisation, IT Systems or network.

- Vulnerability: A weakness in the organization, IT Systems, or network that can be exploited by a threat.

Relationship between Risk, Threats, and Vulnerabilities:

Threats

• Employees
• External Parties
• Low awareness of security issues
• Growth in networking and distributed computing
• Growth in complexity and effectiveness of hacking tools and viruses
• Natural Disasters eg. fire, flood, earthquake

Threat Identification

❖ Elements of threats
❖ Agent: The catalyst that performs the threat.
o Human
o Machine
o Nature
❖ Motive: Something that causes the agent to act.
o Accidental
o Intentional
o Only motivating factor that can be both accidental and intentional is human
❖ Results: The outcome of the applied threat. The results normally lead to the loss of CIA
o Confidentiality
o Integrity
o Availability

INFORMATION/NETWORK SECURITY
• Network security is a broad term that covers a multitude of technologies, devices and processes. In its simplest term, it is a set of rules and configurations designed to protect the integrity, confidentiality and accessibility of computer networks and data using both software and hardware technologies. Every organization, regardless of size, industry or infrastructure, requires a degree of network security solutions in place to protect it from the ever-growing landscape of cyber threats in the wild today.
• The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications) -NIST

CIA TRIAD
❖ Confidentiality
o Protect the data that has been transmitted
o Ensuring only those who ought to have access can do so.
❖ Integrity
o Ensuring that information cannot be modified without detection
❖ Availability
o Ensuring information can be accessed when needed.
❖ Additional
o Authenticity
o Accountability
o Confidentiality (example: account information)
o Integrity (example: patients information)
o Availability (example: authentication service)

Levels of impact of security breach
o Low: effect of the attack is negligible
o Medium: significant loss or damage to the organization or individual
o High: severe effect on the organization, complete disaster

Threats and Attacks (RFC 2828)
o Threat. A potential for violation of security, which exists when there is a circumstance, capability, action or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability.
o Attack. An assault on system security that derives from an intelligent threat; that is, an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system.

THE OSI SECURITY ARCHITECTURE

➢ SECURITY ATTACK
➢ SECURITY SERVICE
➢ SECURITY MECHANISM

❖ SECURITY ATTACK:
- Action that compromises the security of an individual/organization. If the attack is successfully launched, its effects would be loss of data, corruption of data, ransomware attacks, injection of viruses, worms or malicious software into the network, or defacing of servers; many effects are possible. Only the attacker knows why he has launched the attack. An attack is basically of two types:
1. PASSIVE
2. ACTIVE

1. PASSIVE ATTACK
- Attempts to learn or make use of information from the system
- Does not affect the system resources
- Eavesdropping or monitoring of transmission
- Goal: obtain information that is being transmitted
Types
• Release of message contents
• Traffic analysis
Note: a passive attack is just unauthorized reading or monitoring of messages. For example, when a confidential telephone conversation or a confidential email is being transmitted, the attacker's intention is just to know what is being transmitted.

EXAMPLE: Release of Message Contents (Reads contents of message from Bob to Alice)
Alice and Bob are the legitimate parties in this example; we consider Darth to be an attacker.
Bob is sending some messages to Alice. Bob and Alice are connected to each other, maybe through the internet or any other communication facility. Whatever Bob sends to Alice, Darth gets a copy of the message and reads its contents, so Darth comes to know what data is being transmitted between the sender and the receiver.

How to prevent this?
If Bob encrypts the data before sending it and Alice alone can decrypt it, then Darth will have no way to see what message is being transmitted. If the messages are not encrypted, Darth will obviously be able to know the data that has been communicated between the sender and the receiver.

EXAMPLE: Traffic Analysis (Observe pattern of messages from Bob to Alice)
Bob realized that somebody may sniff or eavesdrop on the conversation.
What have Bob and Alice decided? They have decided to encrypt the data before transmitting it. Let's assume in this example that Bob is sending some encrypted data to Alice; only Bob and Alice can understand what data is being transmitted because the data is now encrypted. If Darth receives this encrypted message he will definitely not be able to understand the data, but some information can still be extracted, like the location or the identity of the communicating hosts, the length of the messages transmitted between Bob and Alice, and the frequency of message transfers between Bob and Alice. This information is useful in guessing the nature of the communication that is taking place between Bob and Alice, so Darth can guess what data, or what kind of data, is being transmitted based on the traffic.

2. ACTIVE ATTACK
- Active attacks involve some modification of the data stream or the creation of a false stream.

Subdivided into four categories:
1. Masquerade
2. Replay
3. Modification of messages
4. Denial of Service

Masquerade (Message from Darth appears to be from Bob)
A masquerade attack is an attack that uses a fake identity, such as a network identity, to gain unauthorized access to personal computer information through legitimate access identification. If an authorization process is not fully protected, it can become extremely vulnerable to a masquerade attack.

EXAMPLE: What is the attack here then?
Darth pretends to be Bob, so the message Darth is sending appears to be from Bob. When Alice receives the message, Alice thinks that the message is from Bob, but actually it is from Darth.

Replay (Capture message from Bob to Alice; later replay message to Alice)
It is a category of network attack in which an attacker detects a data transmission and fraudulently has it delayed or repeated. The delay or repeat of the data transmission is carried out by the sender or by the malicious entity, who intercepts the data and retransmits it.

Modification of Message (Darth modifies message from Bob to Alice)
It is an attack on the integrity of the original data. It basically means that unauthorized parties not only gain access to data but also spoof the data by triggering denial-of-service attacks, such as altering transmitted data packets or flooding the network with fake data.

Denial of Service (Darth disrupts service provided by the server)
It is an attack meant to shut down a machine or network, making it inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic, or sending it information that triggers a crash.

Passive attack VS Active Attack

PASSIVE ATTACK
• Hard to detect
• Neither sender nor receiver is aware of the attack
• Encryption prevents the success of the passive attacks.
• More emphasis is on prevention than detection

ACTIVE ATTACK
• Hard to prevent
• Difficult to prevent: physical, software and network vulnerabilities
• Detect and recover from any disruption or delays
• If the detection has a deterrent effect, it may also contribute to prevention.

❖ SECURITY SERVICE
- The processing or communication service that is provided by a system to give a specific kind of protection to system resources; security services implement security policies and are implemented by security mechanisms.
1. AUTHENTICATION
2. ACCESS CONTROL
3. DATA CONFIDENTIALITY
4. DATA INTEGRITY
5. NON-REPUDIATION

1. AUTHENTICATION
- Assurance that the communicating entity is the one that it claims to be.
For example, if the entity is claiming that he/she is Alice, a system could have an authentication service proving that she is Alice.
➢ Peer entity Authentication
It is provided for use at the establishment of, or at times during the data transfer phase of, a connection. It attempts to provide confidence that an entity is not performing either a masquerade or an unauthorized replay of a previous connection.
➢ Data Origin Authentication
In information security, message authentication or data origin authentication is a property that a message has not been modified while in transit (data integrity) and that the receiving party can verify the source of the message.
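
The receiver-side checks that give data origin authentication and defeat the masquerade, replay and modification attacks described above can be shown with a keyed MAC plus a sequence number. This is an added example, not part of the original notes; the shared key, the frame layout and the names `seal`, `Receiver` and `attempt` are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

# Assumption: Bob and Alice already share this secret (constructed demo value).
SHARED_KEY = b"constructed-demo-key-bob-alice"
TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender: frame = 8-byte sequence number || payload || HMAC tag."""
    body = struct.pack(">Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Receiver: checks the tag first, then refuses old sequence numbers."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0  # highest sequence number accepted so far

    def open(self, frame: bytes) -> bytes:
        if len(frame) < 8 + TAG_LEN:
            raise ValueError("frame too short")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            raise ValueError("bad tag")  # modified, or sender lacks the key
        (seq,) = struct.unpack(">Q", body[:8])
        if seq <= self.last_seq:
            raise ValueError("replay")  # authentic frame, but already seen
        self.last_seq = seq
        return body[8:]


def attempt(receiver: Receiver, frame: bytes) -> str:
    """Return a one-line verdict instead of raising, for the demo table."""
    try:
        return "accepted: " + receiver.open(frame).decode()
    except ValueError as exc:
        return "rejected: " + str(exc)


def demo() -> dict:
    alice = Receiver(SHARED_KEY)
    first = seal(SHARED_KEY, 1, b"meet at noon")
    second = seal(SHARED_KEY, 2, b"pay 100 to Carol")
    tampered = bytearray(second)
    tampered[8 + 4] = ord("9")  # modification in transit: "pay 100" -> "pay 900"
    forged = seal(b"key guessed by Darth", 3, b"pay 100 to Darth")
    return {
        "genuine": attempt(alice, first),
        "replay": attempt(alice, first),
        "modified": attempt(alice, bytes(tampered)),
        "masquerade": attempt(alice, forged),
        "next genuine": attempt(alice, second),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:13} {outcome}")
```

Because both parties hold the same key, this gives authentication and integrity between Bob and Alice but not non-repudiation: either of them could have produced any valid tag.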

2. ACCESS CONTROL
- Access control is a fundamental component of data security that
dictates who's allowed to access and use company information and
resources. Through authentication and authorization, access control
policies make sure users are who they say they are and that they have
appropriate access to company data.
- Access control is a security measure which is put in place to regulate the individuals that can view, use, or have access to a restricted environment. Various access control examples can be found in the security systems in our doors, key locks, fences, biometric systems, motion detectors, badge system, and so forth.

3. DATA CONFIDENTIALITY
- Data Confidentiality deals with protecting against the disclosure of information by ensuring that the data is limited to those authorized or by representing the data in such a way that its semantics remain accessible only to those who possess some critical information (e.g., a key for decrypting the enciphered data).
- Confidential data is defined as any information that is not intended for public dissemination
- Confidentiality refers to all forms of information including personal information about people using services or employees or volunteers, information about the organisation, for example, its plans or finances and information about other organisations, whether the information is recorded or not.

4. DATA INTEGRITY
- Data integrity is a fundamental component of information security. In its broadest use, “data integrity” refers to the accuracy and consistency of data stored in a database, data warehouse, data mart or other construct.
- The term data integrity refers to the accuracy and consistency of data. When creating databases, attention needs to be given to data integrity and how to maintain it. A good database will enforce data integrity whenever possible. For example, a user could accidentally try to enter a phone number into a date field.

5. NON REPUDIATION
- Non-Repudiation is a term that connects a person to a fact so that they cannot deny that an action was taken.
- A service that may be afforded by the appropriate application of a digital signature. Non-repudiation refers to the assurance that the owner of a signature key pair that was capable of generating an existing signature corresponding to certain data cannot convincingly deny having signed the data.
- For example, Alice and Bob: Bob transmitted data or information to Alice, but in the end Bob claims that he didn’t send any documents/information, and on the other hand Alice also claims that she didn’t receive any documents or data. That’s where non-repudiation security services come in.

❖ SECURITY MECHANISM
➢ SPECIFIC SECURITY MECHANISM
➢ PERVASIVE SECURITY MECHANISM

1. SPECIFIC SECURITY MECHANISM

a. Encipherment
b. Digital signature
c. Access control
d. Data integrity
e. Authentication exchange
f. Traffic padding
g. Routing control
h. Notarization

a. Encipherment
- This security mechanism deals with hiding and covering of data, which helps data to become confidential. It is achieved by applying mathematical calculations or algorithms which reconstruct information into a non-readable form. It is achieved by two famous techniques named cryptography and encipherment

b. Digital Signature
- Digital signature is a cryptographic value that is calculated from the data and a secret key known only by the signer. In the real world, the receiver of a message needs assurance that the message belongs to the sender, and the sender should not be able to repudiate the origination of that message.
- This security mechanism is achieved by adding digital data that is not visible to the eyes. It is a form of electronic signature which is added by the sender and checked by the receiver electronically. This mechanism is used to preserve data which is not more confidential but where the sender’s identity is to be notified

c&d: security service

e. Authentication Exchange
- Mechanism intended to ensure the identity of an entity by means of information exchange.

f. Traffic Padding
- Traffic padding produces cipher text output continuously, even in the absence of the plain text. A continuous random data stream is generated. When plain text is available, it is encrypted and transmitted. When input plaintext is not present, random data are encrypted and transmitted.
- Traffic padding mechanisms are used to protect against traffic analysis attacks. Traffic padding refers to the generation of spurious instances of communication, spurious data units, and spurious data within data units.
- The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.

g. Routing Control
- Routing control means selecting and continuously changing different available routes between sender and receiver to prevent the opponent from eavesdropping on a particular route.
- Enables selection of particular physically secure routes for certain data and allows routing changes, especially when a breach of security is suspected.

h. Notarization
- This security mechanism involves use of a trusted third party in communication. It acts as mediator between sender and receiver so that any chance of conflict is reduced. This mediator keeps a record of requests made by sender to receiver in case they are later denied.

2. PERVASIVE SECURITY MECHANISM

a. Trusted functionality: that which is perceived to be correct with respect to some criteria (e.g., as established by a security policy).
b. Security label: the marking bound to a resource (which may be a data unit) that names or designates the security attributes of that resource.
c. Event detection: detection of security-relevant events.
d. Security audit trail: data collected and potentially used to facilitate a security audit, which is an independent review and examination of system records and activities.
e. Security recovery: deals with requests from mechanisms, such as event handling and management functions, and takes recovery actions

NETWORK SECURITY MODEL

Model for network Security

➢ Four major tasks.
1. Design an algorithm
2. Generate the secret information
3. Develop methods for distribution and sharing of information
4. Specify a protocol.

CRYPTOGRAPHY

- SECURITY?? – INFORMATION SECURITY NOTES
- SECURITY GOALS:
- Cryptography is the science and art of transforming messages to make
them secure and immune to attack.
- BASIC TERMS
1. PLAIN TEXT
2. CIPHER TEXT
3. CIPHER
4. ENCRYPTION&DECRYPTION
5. KEYS
ENCRYPTION&DECRYPTION
Traditional Ciphers
1. Substitution Cipher
- A substitution technique is one in which the
letters/number/symbols of plaintext are replaced by other
letters/numbers/symbols.

Ex:
2. Transposition Cipher
- In the transposition technique, the positions of letters/numbers/symbols in plaintext are changed with one another.
Ex:

CATEGORIES OF CRYPTOGRAPHY
A. SYMMETRIC KEY CRYPTOGRAPHY
B. ASYMMETRIC KEY CRYPTOGRAPHY

A. SYMMETRIC KEY CRYPTOGRAPHY


- Also known as secret key cryptography. Sender and receiver use the same key and an encryption/decryption algorithm to encrypt/decrypt data, i.e. the key is shared.
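
The two traditional ciphers described earlier are both symmetric: the key that enciphers also deciphers. The following added example (not part of the original notes) implements one of each kind; the shift of 3, the keyword ZEBRA, the sample plaintext and all function names are assumptions chosen for the illustration.

```python
import string

ALPHABET = string.ascii_uppercase


def substitute(text: str, shift: int) -> str:
    """Substitution (shift cipher): every letter is replaced by the letter
    `shift` places further on; positions stay the same."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def unsubstitute(text: str, shift: int) -> str:
    """Same key, opposite direction."""
    return substitute(text, -shift)


def _column_order(keyword: str) -> list:
    """Columns are read in alphabetical order of the keyword letters."""
    return sorted(range(len(keyword)), key=lambda i: (keyword[i], i))


def transpose(text: str, keyword: str) -> str:
    """Transposition (columnar): write the text row by row under the keyword,
    then read it out column by column; letters stay the same, positions move."""
    cols = len(keyword)
    return "".join(text[c::cols] for c in _column_order(keyword))


def untranspose(cipher: str, keyword: str) -> str:
    """Refill the columns in key order, handling a short last row."""
    cols = len(keyword)
    rows, extra = divmod(len(cipher), cols)  # first `extra` columns are longer
    plain = [""] * len(cipher)
    pos = 0
    for c in _column_order(keyword):
        length = rows + (1 if c < extra else 0)
        plain[c::cols] = cipher[pos:pos + length]
        pos += length
    return "".join(plain)


if __name__ == "__main__":
    message = "ATTACKATDAWN"  # constructed sample plaintext
    print(substitute(message, 3), transpose(message, "ZEBRA"))
```

The substitution output keeps the repeated-letter pattern of the plaintext, and the transposition output keeps its exact letter counts, which is why both are easy to analyse.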
B. ASYMMETRIC KEY CRYPTOGRAPHY
- Also known as public key cryptography. Sender and receiver use different keys for encryption & decryption, namely PUBLIC & PRIVATE, respectively.

SYMMETRIC KEY CRYPTOGRAPHY
1) The same algorithm with the same key is used for encryption and decryption.
2) The key must be kept secret.
3) It may be impossible or at least impractical to decipher a message if no other information is available.

ASYMMETRIC KEY CRYPTOGRAPHY
1) One algorithm is used for encryption and decryption with a pair of keys, one for encryption and one for decryption.
2) One of the two keys must be kept secret.
3) It may be impossible or at least impractical to decipher a message if no other information is available.

APPLICATIONS
- Defense services
- Secure data manipulation
- E-commerce
- Business transactions
- Internet payment systems
- User identification systems
- Access control
- Data security

CONCLUSION:

By using encryption techniques, a fair unit of confidentiality, authentication, integrity, access control, and availability of data is maintained.
