Professional Documents
Culture Documents
Information Security is not only about securing information from unauthorized access.
Information Security is basically the practice of preventing unauthorized access, use, disclosure,
disruption, modification, inspection, recording or destruction of information. Information can be
physical or electronic one. Information can be anything like your details or we can say your
profile on social media, your data in mobile phone, your biometrics etc. Thus Information
Security spans so many research areas like Cryptography, Mobile Computing, Cyber Forensics,
Online Social Media etc.
Information Security programs are built around 3 objectives, commonly known as CIA –
Confidentiality, Integrity, and Availability.
1. CONFIDENTIALITY:
Means information is not disclosed to unauthorized individuals, entities and process.
For example if we say I have a password for my Gmail account but someone saw while I
was doing a login into Gmail account. In that case my password has been compromised and
Confidentiality has been breached.
2. INTEGRITY:
Means maintaining accuracy and completeness of data. This means data cannot be
edited in an unauthorized way. For example if an employee leaves an organization then in
that case data for that employee in all departments like accounts, should be updated to reflect
status to JOB LEFT so that data is complete and accurate and in addition to this only
authorized person should be allowed to edit employee data.
3. AVAILABILITY:
Means information must be available when needed. For example if one needs to access
information of a particular employee to check whether employee has outstand the number of
leaves, in that case it requires collaboration from different organizational teams like network
operations, development operations, incident response and policy/change management.
Denial of service attack is one of the factor that can hamper the availability of information.
Apart from this there is one more principle that governs information security programs.
This is Non repudiation.
NON REPUDIATION:
Means one party cannot deny receiving a message or a transaction nor can the other
party deny sending a message or a transaction. For example in cryptography it is sufficient to
show that message matches the digital signature signed with sender’s private key and that
sender could have a sent a message and nobody else could have altered it in transit. Data
Integrity and Authenticity are pre-requisites for Non repudiation.
AUTHENTICITY:
Means verifying that users are who they say they are and that each input arriving at
destination is from a trusted source. This principle if followed guarantees the valid and
genuine message received from a trusted source through a valid transmission. For example if
take above example sender sends the message along with digital signature which was
generated using the hash value of message and private key. Now at the receiver side this
digital signature is decrypted using the public key generating a hash value and message is
again hashed to generate the hash value. If the 2 value matches then it is known as valid
transmission with the authentic or we say genuine message received at the recipient side.
ACCOUNTABILITY:
Means that it should be possible to trace actions of an entity uniquely to that entity. For
example as we discussed in Integrity section not every employee should be allowed to do
changes in other employee’s data. For this there is a separate department in an organization
that is responsible for making such changes and when they receive request for a change then
that letter must be signed by higher authority for example Director of college and person that
is allotted that change will be able to do change after verifying his bio metrics, thus
timestamp with the user (doing changes) details get recorded. Thus we can say if a change
goes like this then it will be possible to trace the actions uniquely to an entity.
At the core of Information Security is Information Assurance, which means the act of
maintaining CIA of information, ensuring that information is not compromised in any way
when critical issues arise. These issues are not limited to natural disasters, computer/server
malfunctions etc.
Thus, the field of information security has grown and evolved significantly in recent years. It
offers many areas for specialization, including securing networks and allied infrastructure,
securing applications and databases, security testing, information systems auditing, business
continuity planning etc.
Active attacks:
An Active attack attempts to alter system resources or affect their operations. Active attacks
involve some modification of the data stream or the creation of false statements. Types of active
attacks are as follows:
Masquerade
Modification of messages
Repudiation
Replay
Denial of Service
Masquerade:
A masquerade attack takes place when one entity pretends to be a different entity. A
Masquerade attack involves one of the other forms of active attacks. If an authorization
procedure isn’t always absolutely protected, it is able to grow to be extraordinarily liable to a
masquerade assault. Masquerade assaults may be performed using the stolen passwords and
logins, with the aid of using finding gaps in programs, or with the aid of using locating a
manner across the authentication process.
Modification of messages:
It means that some portion of a message is altered or that message is delayed or reordered to
produce an unauthorized effect. Modification is an attack on the integrity of the original data. It
basically means that unauthorized parties not only gain access to data but also spoof the data by
triggering denial-of-service attacks, such as altering transmitted data packets or flooding the
network with fake data. Manufacturing is an attack on authentication. For example, a message
meaning “Allow JOHN to read confidential file X” is modified as “Allow Smith to read
confidential file X”.
Repudiation:
This attack occurs when the network is not completely secured or the login control has been
tampered with. With this attack, the author’s information can be changed by actions of a
malicious user in order to save false data in log files, up to the general manipulation of data on
behalf of others, similar to the spoofing of e-mail messages.
Replay:
It involves the passive capture of a message and its subsequent transmission to produce an
authorized effect. In this attack, the basic aim of the attacker is to save a copy of the data
originally present on that particular network and later on use this data for personal uses. Once
the data is corrupted or leaked it is insecure and unsafe for the users.
Denial of Service –
It prevents the normal use of communication facilities. This attack may have a specific target.
For example, an entity may suppress all messages directed to a particular destination. Another
form of service denial is the disruption of an entire network either by disabling the network or
by overloading it with messages so as to degrade performance.
Passive attacks: A Passive attack attempts to learn or make use of information from the system
but does not affect system resources. Passive Attacks are in the nature of eavesdropping on or
monitoring transmission. The goal of the opponent is to obtain information that is being
transmitted. Types of Passive attacks are as follows:
The release of message content
Traffic analysis
The release of message content:
Telephonic conversation, an electronic mail message, or a transferred file may contain sensitive
or confidential information. We would like to prevent an opponent from learning the contents of
these transmissions.
Traffic analysis –
Suppose that we had a way of masking (encryption) information, so that the attacker even if
captured the message could not extract any information from the message.
The opponent could determine the location and identity of communicating host and could
observe the frequency and length of messages being exchanged. This information might be
useful in guessing the nature of the communication that was taking place.
The most useful protection against traffic analysis is encryption of SIP traffic. To do this, an
attacker would have to access the SIP proxy (or its call log) to determine who made the call.
Encryption – Process of converting electronic data into another form, called ciphertext, which
cannot be easily understood by anyone except the authorized parties. This assures data security.
Decryption– Process of translating code to data.
The message is encrypted at the sender’s side using various encryption algorithms and
decrypted at the receiver’s end with the help of the decryption algorithms.
When some message is to be kept secure like username, password, etc., encryption and
decryption techniques are used to assure data security.
Types of Encryption
1. Symmetric Encryption– Data is encrypted using a key and the decryption is also done
using the same key.
2. Asymmetric Encryption-Asymmetric Cryptography is also known as public-key
cryptography. It uses public and private keys to encrypt and decrypt data. One key in the
pair which can be shared with everyone is called the public key. The other key in the pair
which is kept secret and is only known by the owner is called the private key. Either of
the keys can be used to encrypt a message; the opposite key from the one used to encrypt
the message is used for decryption.
Public key:
Key which is known to everyone. Ex-public key of A is 7, this information is known to
everyone.
Private Key:
Key which is only known to the person who’s private key it is.
Authentication:
Authentication is any process by which a system verifies the identity of a user who wishes to
access it.
Non- repudiation:
Non-repudiation means to ensure that a transferred message has been sent and received by
the parties claiming to have sent and received the message. Non-repudiation is a way to
guarantee that the sender of a message cannot later deny having sent the message and that the
recipient cannot deny having received the message.
Integrity:
To ensure that the message was not altered during the transmission.
Message digest:
The representation of text in the form of a single string of digits, created using a formula
called a one way hash function. Encrypting a message digest with a private key creates a digital
signature which is an electronic means of authentication..