
INFORMATION SECURITY AND PRIVACY

_____________

INTRODUCTION
_____________

Earlier systems were built with little or no security. As technology and
time evolved, the importance of data increased. With data increasingly
being financial and transactional in nature, it became necessary to ensure
that the data was secure. Once millions of data points were being
generated, the real need for data security was understood.

Organisations have now started implementing various mechanisms in order
to ensure security. Various infrastructures and mechanisms evolved with
time.

With the internet taking the world by storm, there are many examples of
such incidents taking place.

Examples:
- An intruder capturing credit card details from a user by creating a
dummy website
- A Russian attacker who managed to capture 300,000 credit card numbers
from a database and then attempted to extort the merchant

_____________

SECURITY MODELS
_____________

Various security models developed since inception were:

1. No Security
2. Security through obscurity: The system is considered secure simply
because the population is not aware that the system exists
3. Host Security
- Security for each host is enforced individually
- A safe approach, but not very scalable
- The major complexity is the diversity of hosts within organisations,
which makes it harder to implement

4. Network Security: This model focuses on providing control points
over network access to various hosts and services.




_____________

SECURITY MANAGEMENT
_____________

Security management stands for good security policies being in place. A
good security management policy is tough to achieve, but it is necessary
for proper implementation in ensuring adequate security. The four key
aspects of security management are:

- Affordability: The cost and the effort the security implementation
might require
- Functionality: The mechanism that ensures security
- Cultural Issues: Whether the policy fits the people in the working
environment and their working style
- Legality: Whether the policy meets the legal requirements
_____________

PRINCIPLES OF SECURITY
_____________

Considering the aspects of security management and the cases of security
breaches happening in real life, it is necessary to classify the
principles related to security. The principles of security are:
- Confidentiality
- Integrity
- Authentication
- Non-repudiation
- Access Control
- Availability

A. Confidentiality

- Specifies that only the sender and the intended recipient should be
able to access the message
- It is compromised if any unauthorised person gets access to the
message
- Consider User A sending a message to User B. As per confidentiality,
only User A and User B are supposed to know the message. If User C
gains access, which is undesired, the purpose of confidentiality is
defeated

A.1 Breach of Confidentiality

- From the example above, when an unauthorised person or individual
other than the sender and the intended recipient gets access to the
information, it is a breach of confidentiality
- In the example, the information is accessed by User C, other than User
A and User B, without the permission or knowledge of User A and User
B; this type of attack is called interception

B. Integrity

- Data integrity stands for zero tolerance for data modification: the
data sent by User A (the sender) is received as it is by User B (the
recipient), without any tampering or modification of the data

- User A and User B must be able to ensure that the data has not been
tampered with, for example the amount on a cheque, the signature, the
name of the payee, etc.

B.1 Breach of Integrity

- When the contents of the message are tampered with, or are not the
same as what the sender sent, before the message reaches the receiver,
we say that the integrity of the message is compromised
- For example, User A sends a cheque to User B with the amount $100
mentioned in it; however, User C gets access to the cheque and adds
one more zero to make it $1000, with User B unaware that the content
of the message was changed.
- This type of breach or attack is known as modification

C. Authentication

- The authentication process ensures that the origin of the message is
correctly identified.
- The principle of authentication ensures that if User B is to receive a
message, it is validated that the message originated from User A and
not from User C posing as User A.
- Example: OTP validation

C.1 Breach of Authentication

- For instance, suppose User C poses as User A and sends a message to
User B, with User B unaware that the message was actually from User C
and not from User A.
- This can happen while sending funds, where User C poses as User A and
the bank happily transfers the amount, considering the request to be
from User A.
- This breach of authentication, or attack, is known as fabrication

D. Non-Repudiation

- There are instances where User A sends a message to User B and later
denies ever having sent any message to User B.
- For instance, User A could send a funds transfer request to User B
over the internet. The bank performs the funds transfer as per A's
instructions. A could then claim that he/she never sent the funds
transfer message to the bank. Thus, A repudiates, or denies, the funds
transfer instruction.
- The principle of non-repudiation defeats such possibilities of denying
something.
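The cheque scenario from sections B, C and D, worked as an added example that is not part of the original notes: User A attaches an HMAC tag to the message using a key shared only with User B, so B detects both the modification ($100 to $1000) and a fabricated message from C. It assumes the shared key was set up out of band; the messages are constructed for illustration. The last check shows why a shared-key MAC alone cannot give non-repudiation: B holds the same key and could have produced the tag.

```python
import hmac
import hashlib
import secrets

# Constructed example (not from the original notes): a cheque message from
# User A to User B, protected by an HMAC over the message with a key that is
# assumed to be shared only by A and B.

def tag(key: bytes, message: bytes) -> bytes:
    """Tag User A attaches to the message (HMAC-SHA256 under the shared key)."""
    return hmac.new(key, message, hashlib.sha256).digest()

def verify(key: bytes, message: bytes, received_tag: bytes) -> bool:
    """User B recomputes the tag and compares it in constant time."""
    return hmac.compare_digest(tag(key, message), received_tag)

def cheque_scenario() -> dict:
    key_ab = secrets.token_bytes(32)   # shared between A and B only
    original = b"PAY TO: User B; AMOUNT: $100; FROM: User A"
    t = tag(key_ab, original)

    # Breach of integrity (modification): C adds a zero to the amount in
    # transit but cannot recompute the tag without the key.
    modified = original.replace(b"$100", b"$1000")

    # Breach of authentication (fabrication): C writes a new message in A's
    # name and has to guess the tag.
    forged_msg = b"PAY TO: User C; AMOUNT: $500; FROM: User A"
    forged_tag = secrets.token_bytes(32)

    return {
        "genuine_accepted": verify(key_ab, original, t),
        "modified_rejected": not verify(key_ab, modified, t),
        "forged_rejected": not verify(key_ab, forged_msg, forged_tag),
        # Non-repudiation caveat: B knows key_ab too, so B can make a valid
        # tag for any message; A can therefore still deny having sent it.
        # Non-repudiation needs a key only A holds (a digital signature).
        "b_can_forge_valid_tag": verify(key_ab, forged_msg,
                                        tag(key_ab, forged_msg)),
    }
```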

E. Access Control

- Access control determines who should be able to access what.
- For example, User A, being at the higher management level, can access
the websites, while User B, being a student, can access only a few.
- An access control mechanism can be set up to ensure this, and it can
broadly be related to two areas: role management and rule management.
- Role management focuses on the user side
- Rule management focuses on the resource side
- An Access Control List (ACL) can be used to implement the access
control matrix
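The role/rule split above, as an added example that is not part of the original notes: role management assigns roles to users (user side), rule management attaches an ACL of permitted roles per operation to each resource (resource side), and the two together expand into the access control matrix. User names, resource names and roles are constructed for illustration; the check is default-deny.

```python
from typing import Dict, Set

# Constructed example (not from the original notes).

# Role management (user side): which roles each user holds.
USER_ROLES: Dict[str, Set[str]] = {
    "user_a": {"management", "staff"},   # higher management end
    "user_b": {"student"},               # student
}

# Rule management (resource side): the ACL stored with each resource, i.e.
# which roles may perform which operation on it.
RESOURCE_RULES: Dict[str, Dict[str, Set[str]]] = {
    "payroll_site":  {"read": {"management"}, "write": {"management"}},
    "library_site":  {"read": {"management", "staff", "student"},
                      "write": {"staff"}},
    "admin_console": {"read": {"management"}, "write": set()},
}

def is_allowed(user: str, resource: str, operation: str) -> bool:
    """Default deny: an unknown user, resource or operation is refused."""
    roles = USER_ROLES.get(user, set())
    permitted = RESOURCE_RULES.get(resource, {}).get(operation, set())
    return bool(roles & permitted)

def access_matrix(operation: str) -> Dict[str, Dict[str, bool]]:
    """Expand the per-resource ACLs into the full subject x object matrix."""
    return {u: {r: is_allowed(u, r, operation) for r in RESOURCE_RULES}
            for u in USER_ROLES}
```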
F. Availability

- The simple rule for availability states that all the information must
be made available to authorised parties at all times.

F.1 Breach of Availability

- For example, due to the intentional actions of an unauthorised User C,
an authorised User A may not be able to contact a server computer B.
- This defeats the principle of availability and is known as
interruption
