
Chapter 1

Introduction to Information Security

Information, Need and Importance of Information, Information Classification, criteria for information classification, Compliance standards

Information can be defined as:

Information is data that is organized in a meaningful fashion.

OR
Information is that which informs, i.e., that from which data can be derived.

OR
Information is data that is
a.) Accurate & timely.
b.) Specific & organized for the purpose.
c.) Presented within a context that gives it meaning.
d.) Such that it can lead to an increase in understanding and a decrease in uncertainty.

Information is a combination of three parts:

1. Data - It is a collection of all types of information which can be shared & used as per requirement. E.g., personal data.
2. Knowledge - It is based on data that is organized & summarized. Experienced employees in the organization carry it.
3. Action - It is used to pass the required information to a person who needs it, with the help of an Information System.

Information System - It is a set of interrelated components that collect, process & distribute information to support decision-making in an organization.

Fig. Information System

Need & Importance of Information

• Nowadays the use of computer & communication technology has increased, so we need a system that can manage information or data.
• Information is the lifeblood of every organization.
• An Information System includes hardware, software, data & applications, etc., to manage information.
• In an organization, it is necessary to monitor different operations; an Information System is also used to document various functions.
• Information is useful or needed for ensuring the smooth functioning of all the departments in the company.
• Information benefits the business world by allowing organizations to work more efficiently & maximize productivity.

Differentiate between Information & Data.

Data                                           | Information
-----------------------------------------------|----------------------------------------------------------------
Data is used as input for the computer system. | Information is the output of data.
Data is unprocessed facts and figures.         | Information is processed data.
Data doesn't depend on Information.            | Information depends on data.
Data is not specific.                          | Information is specific.
Data is a single unit.                         | A group of data that carries news and meaning is called Information.
                                               | Information must carry a logical meaning.
Data is the raw material.                      | Information is the product.

Types of Threats

1. Human error - an inappropriate or undesirable human decision or behavior that reduces, or has the potential to lower, effectiveness, safety, or system performance.

2. Computer crime or computer abuse - Alternatively referred to as cybercrime, e-crime, electronic crime, or hi-tech crime, computer crime is an act commonly performed by a knowledgeable computer user, sometimes called a hacker, who illegally browses or steals a company's or individual's private information. Sometimes this person or group of individuals may be malicious and destroy or otherwise corrupt the computer or data files.
Cybercrimes are any crimes that involve a computer and a network. In some cases, the computer may have been used to commit the crime, and in other cases, the computer may have been the target of the crime.

3. Natural disaster or political disaster - a natural event such as a flood, earthquake, or hurricane that causes significant damage or loss of life, or a political event such as war or riots.

4. Failure of hardware or software - A malfunction within a computer system's electronic circuits or electromechanical components (disks, tapes). Recovery from a hardware failure requires repair or replacement of the offending part. A software failure means the inability of a program to continue processing due to erroneous logic; it is also called a crash or bomb.

Types of Attacks

1. Trojan horse - A Trojan horse, or Trojan, in computing, is generally a non-self-replicating type of malware program containing malicious code that, when executed, carries out actions determined by the nature of the Trojan, typically causing loss or theft of data, and possible system harm.

2. Logic bomb - a set of instructions secretly incorporated into a program so that if a particular condition is satisfied, they will be carried out, usually with harmful effects.

3. Computer virus - a piece of code that is capable of copying itself and typically has a detrimental effect, such as corrupting the system or destroying data.

4. Denial of Service - In computing, a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack attempts to make a machine or network resource unavailable to its intended users.

5. Spoofing - Spoofing is the creation of TCP/IP packets using somebody else's IP address.

6. Sniffing - Packet sniffing allows individuals to capture data as it is transmitted over a network.

7. Data leakage - The unauthorized transfer of classified information from a computer or data center to the outside world. Data leakage can be accomplished by simply remembering what was seen, by physical removal of tapes, disks, and reports, or by subtle means such as data hiding.

8. Salami Technique - an unauthorized, covert process of taking small amounts (slices) of money or other numeric value from many sources, in and with the aid of a computer.

Basic Principles of Information Security

Security –
Security means protecting information or systems from unauthorized users such as attackers.
OR
Security protects information from unauthorized access, use, inspection, recording, and destruction.
OR
Information security is the process of protecting the intellectual property of an organization.

To protect an organization, the following multiple layers of security are essential –

1.) Physical Security –
It protects physical items like RAM, hard disks, etc.
2.) Personal Security –
It protects authorized individual users or groups in the organization.
3.) Operational Security –
It protects the details of a particular operation in the organization.
4.) Communication Security –
It protects communication technology & the content of the communication.
5.) Network Security –
It protects networking components like routers, bridges, etc.
6.) Information Security –
It protects all information assets.
Information Security is simply the process of keeping information secure: protecting its availability, integrity & privacy.

Need for Security –


Information security management aims to ensure business continuity & reduce business damage by preventing & minimizing the impact of security incidents.

An information security management system enables information to be shared while ensuring the protection of information & computing assets.

• Information security is needed to protect the system from unauthorized access & modification.
• When computer applications were developed to handle financial & personal data, the need for security arose.
• People realized that data on computers was critical.
• Organizations employed their own mechanisms to provide basic security, e.g., a user ID & password for every user.
• As technology improved, people realized that basic security measures were insufficient.
• Then the internet took the world by storm, & there are examples of what could happen if insufficient security was built into applications.
• Hence we need security for –

a.) Protecting the resources of organizations.
b.) Avoiding business damage.
c.) Preventing unauthorized users from accessing important information.
d.) Protecting personal data.
e.) Protecting sensitive information of the organization.
f.) Helping to protect intellectual property.

The primary aims of information security are summarized in 3 principles.

Goals of Security

Information security is more than just computer security. It also includes a wide range of physical security measures, e.g., protecting assets from natural disasters or theft.

Fig.: Security Layers (system security; data security; H/W and S/W security; application security; server room access control; administrative and procedural security; physical security)

Security-related basic terms –

1. Digital signature - a digital code (generated and authenticated by public key encryption) attached to an electronically transmitted document to verify its contents and the sender's identity.

2. Nonrepudiation - nonrepudiation is the assurance that someone cannot deny something. Typically, nonrepudiation refers to the ability to ensure that a party to a contract or a communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated.

3. Cryptography - the art of writing or solving codes.

4. Encryption - Encryption is the conversion of data into a form, called ciphertext, that unauthorized people cannot easily understand.

5. Cipher - coded text.

6. Decryption - Decryption converts encrypted data back to its original form so that it can be understood.

7. Denial of Service - In computing, a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users.

8. Steganography - the practice of concealing messages or information within other non-secret text or data.

9. Spoofing - Spoofing is the creation of TCP/IP packets using somebody else's IP address.

Three Pillars of Information Security

1.) Confidentiality –
It means ensuring that only the people with the right to it see the information. Confidentiality refers to limiting information access and disclosure to authorized users -- "the right people" -- and preventing access by or disclosure to unauthorized ones -- "the wrong people."
Authentication methods like user IDs and passwords, which uniquely identify the users and resources of data systems, serve the goal of confidentiality.

2.) Integrity –
It means ensuring that information remains unaltered. This means watching out for alterations through malicious action or even simple, innocent mistakes.
Integrity refers to the trustworthiness of information resources. Only authorized individuals can create or change information.
It includes the concept of "data integrity" -- namely, that data have not been changed inappropriately, whether by accident or by deliberately malign activity. It also includes "origin" or "source integrity" -- that is, that the data came from the person or entity you think it did, rather than an imposter.

3.) Availability –
It implies having access to your information when you need it. Availability refers, unsurprisingly, to the availability of information resources. An information system that is unavailable when you need it is almost as bad as none. It may be much worse, depending on how reliant the organization has become on a functioning computer and communications infrastructure.

Information Classification

The organization classifies information in order to provide information security.

• The main reason for classifying information is that not all data or information of an organization has the same level of criticality.
• Some information may be essential & some may not be important.
• The aim of an organization is to improve the confidentiality, integrity & availability (CIA) of information to reduce risk related to information.
• Information classification is important while securing any trusted system, like government sectors.
• Information classification is used to prevent unauthorized access to a system.
• Information may be classified due to privacy laws or other compliance requirements.
• Due to information classification, organizations can employ security policies.

Reasons / Advantages of classification of information –

1.) It helps organizations with security protection.
2.) It helps an organization to identify information such as sensitive information and critical information.
3.) It supports CIA – confidentiality, integrity, and availability.
4.) It helps organizations decide what type of protection is to be applied to what kind of information.
5.) It helps to protect intellectual property.
6.) It helps to protect personal information.
7.) It helps to control private or sensitive information.
8.) It helps to protect confidential information from unauthorized access.
9.) It protects information that supports public security & law enforcement.

Classification Levels –

1.) Open / Unclassified / Public –
• Information is not classified and not sensitive.
• Information is accessible to both external & internal parties (employees) of the organization.
• Its disclosure does not affect confidentiality.
2.) Internal but unclassified –
• Information is accessible to both external parties & internal employees with controlled access rights.
• If the information is disclosed, it will not damage the organization.
3.) Confidential / Sensitive –
• Information is accessible only to the organization's employees with strict access rights.
4.) Secret / Highly sensitive –
• Unauthorized access to this information can cause damage to the country's national security.
5.) Top secret –
• Highest level of information classification.
• E.g., information in a defense organization.

Criteria for classification of information –

1.) Value –
• A common criterion for classification.
• Valuable information about the organization should be classified.
• E.g., in a college, the student list is classified according to department.
2.) Age –
• Information is classified according to a time period.
• E.g., certain information is valid only for a certain period, so that information is not useful after the period.
3.) Useful Life –
• If the validity or deadline of information is over due to changes, then that information must be declassified.
• E.g., our earlier diploma scheme was the E scheme & the current scheme is G, so the information is classified accordingly.
4.) Personal Association –
• Information that is personally associated with a particular individual should be classified.
5.) Public –
• Information is classified on this factor also.
• Public information is not sensitive.
• If an unauthorized user accesses it, it will not affect security.
• E.g., information given on the website of any organization.
6.) Private –
• Important information about the organization can be kept separately.
• Unauthorized users cannot access it.
• E.g., information related to projects in the organization is kept secret from other organizations.
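The classification levels and criteria above, worked as an added example that is not part of these notes: the five levels become an ordered type, the Age / Useful Life criterion declassifies an asset once its validity period has passed, Personal Association keeps personal data at Confidential or above, and the access check follows the level descriptions (Public open to all, Internal open to employees and to external parties with controlled rights, Confidential and above for employees only). The sample assets, people, and the exact declassification rules are hypothetical.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    """Classification levels from the notes, ordered from lowest to highest."""
    PUBLIC = 0         # Open / Unclassified / Public
    INTERNAL = 1       # Internal but unclassified
    CONFIDENTIAL = 2   # Confidential / Sensitive
    SECRET = 3         # Secret / Highly sensitive
    TOP_SECRET = 4     # Top secret


@dataclass
class Asset:
    name: str
    level: Level                              # level assigned on the "Value" criterion
    classified_on: date
    useful_life: Optional[timedelta] = None   # "Age" / "Useful Life": None means no expiry
    personal: bool = False                    # "Personal Association" criterion


@dataclass
class Principal:
    name: str
    clearance: Level       # highest level this person may read
    internal: bool         # True for an employee, False for an external party


def effective_level(asset: Asset, today: date) -> Level:
    """Current level after applying the Age, Useful Life and Personal Association
    criteria. The exact rules are hypothetical, chosen for this example."""
    level = asset.level
    if asset.useful_life is not None and today >= asset.classified_on + asset.useful_life:
        level = Level.PUBLIC   # validity period over: declassified
    if asset.personal:
        # Personal data never drops below Confidential, even after its useful life.
        level = max(level, Level.CONFIDENTIAL)
    return Level(level)


def may_access(principal: Principal, asset: Asset, today: date) -> bool:
    """Access decision matching the level descriptions in the notes."""
    level = effective_level(asset, today)
    if level == Level.PUBLIC:
        return True                                   # open to everyone
    if level >= Level.CONFIDENTIAL and not principal.internal:
        return False                                  # employees only from Confidential up
    return principal.clearance >= level               # otherwise clearance decides


# Constructed sample assets and people (hypothetical, not from the notes).
TODAY = date(2024, 6, 1)
OLD_SCHEME = Asset("E scheme syllabus", Level.INTERNAL, date(2018, 6, 1), timedelta(days=3 * 365))
PROJECT_PLAN = Asset("Project plan", Level.CONFIDENTIAL, date(2024, 1, 15))
STUDENT_LIST = Asset("Student list", Level.INTERNAL, date(2024, 1, 1), personal=True)
EMPLOYEE = Principal("staff member", Level.CONFIDENTIAL, internal=True)
VENDOR = Principal("external vendor", Level.INTERNAL, internal=False)


def decisions() -> dict:
    """Every (principal, asset) pair with its access decision, for a quick report."""
    return {
        (p.name, a.name): may_access(p, a, TODAY)
        for p in (EMPLOYEE, VENDOR)
        for a in (OLD_SCHEME, PROJECT_PLAN, STUDENT_LIST)
    }


if __name__ == "__main__":
    for (who, what), allowed in decisions().items():
        print(f"{who:16} -> {what:18}: {'allowed' if allowed else 'denied'}")
```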
Data Obfuscation (DO)
• Data Obfuscation (DO) is a form of data masking where data is purposely scrambled to prevent unauthorized access to sensitive material.
• This form of encryption results in unintelligible or confusing data.
• DO is also called data scrambling or privacy preservation.
• DO is a technique used to prevent intrusion into private & sensitive online data.
• DO is related to the encryption of data & is a solution to information theft because it hides the original information with random characters.
• It is related to hiding the data so that it cannot be found.
• The use of personal information in government records, medical records & voters' lists, etc., creates a threat to privacy. Hence many countries are focusing on safeguards for the privacy of personal information.
• It is necessary for an organization to understand the risk & the need for protection in terms of the privacy of the information it publishes.
• Hence the term data obfuscation is used, which modifies the data items without changing the usefulness of the data.
• Data Obfuscation techniques –
a) Substitution
b) Shuffling
c) Number & date variance
d) Encryption
e) Deletion
f) Masking out
• Data obfuscation techniques can be classified by a number of criteria –
a) Usefulness
b) Effectiveness
c) Cost
d) Resiliency
• An excellent example of DO is an audit report on a medical system. In this report, only the required fields of patients are disclosed to the auditor. Details that are not required, such as the patient's contact number and address, are obfuscated.
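The medical audit report above, worked as an added example that is not part of these notes: each field of a patient record gets one of the listed techniques (substitution, shuffling, number variance, masking out, deletion), so the auditor's view keeps the data useful without exposing the patient. The records, the pseudonym key and the choice of technique per field are constructed for this example.

```python
import hashlib
import hmac
import random
from typing import Any, Dict, List

# Constructed sample records, as they would sit in the medical system (not real data).
PATIENT_RECORDS: List[Dict[str, Any]] = [
    {"patient_id": "P-1001", "name": "Asha Patil", "age": 34, "diagnosis": "Type 2 diabetes",
     "contact_number": "9876543210", "address": "12 MG Road, Pune", "bill_amount": 4200},
    {"patient_id": "P-1002", "name": "Rahul Mehta", "age": 58, "diagnosis": "Hypertension",
     "contact_number": "9123456780", "address": "5 Link Road, Mumbai", "bill_amount": 2750},
]

# Key for keyed substitution. Hypothetical value: in practice it lives in a secrets store.
PSEUDONYM_KEY = b"constructed-demo-key"


def substitute(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Substitution: swap an identifier for a keyed pseudonym (HMAC-SHA256, truncated).
    The same input always yields the same token, so rows stay linkable across the
    report, but the original id cannot be recovered without the key."""
    return "P-" + hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:8]


def mask_out(value: str, keep_last: int = 2, fill: str = "X") -> str:
    """Masking out: replace all but the last `keep_last` characters."""
    hidden = max(len(value) - keep_last, 0)
    return fill * hidden + value[hidden:]


def number_variance(value: int, pct: float, rng: random.Random) -> int:
    """Number variance: perturb a figure within +/- pct so the exact amount is hidden
    while totals and averages stay approximately right."""
    delta = int(value * pct)
    return value + rng.randint(-delta, delta)


def shuffle_column(records: List[Dict[str, Any]], field: str,
                   rng: random.Random) -> List[Dict[str, Any]]:
    """Shuffling: permute one column across records. Every value still appears in
    the data set, but it no longer sits with the record it came from."""
    values = [r[field] for r in records]
    rng.shuffle(values)
    return [{**r, field: v} for r, v in zip(records, values)]


def obfuscate_for_audit(records: List[Dict[str, Any]], seed: int = 0) -> List[Dict[str, Any]]:
    """Build the auditor's view. Which technique applies to which field is a
    hypothetical audit policy chosen for this example."""
    rng = random.Random(seed)   # fixed seed only so the example is repeatable
    report = []
    for row in shuffle_column(records, "age", rng):
        report.append({
            "patient_id": substitute(row["patient_id"]),                     # substitution
            "age": row["age"],                                               # shuffled above
            "diagnosis": row["diagnosis"],                                   # needed by the audit
            "bill_amount": number_variance(row["bill_amount"], 0.05, rng),   # number variance
            "contact_number": mask_out(row["contact_number"]),               # masking out
            # "name" and "address" are not required, so they are deleted from the view.
        })
    return report


if __name__ == "__main__":
    for row in obfuscate_for_audit(PATIENT_RECORDS):
        print(row)
```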

Event Classification –
There are several types of events by which information is damaged.

1. Viruses –
Viruses can either copy themselves directly into executable files or can infect files that are opened or processed by the target executable (e.g., a PDF document).
Viruses use a variety of infection mechanisms to replicate into new hosts & perform many different types of actions.
2. Disaster –
An event that causes permanent & substantial damage or destruction to the business's property, equipment, information, staff or services.
3. Crisis –
An abnormal situation that presents some extraordinarily high risks to a business & that will develop into a disaster unless carefully managed.
4. Catastrophe –
A major disruption resulting from the destruction of critical equipment in processing.

Compliance Standards
1. Implementing an Information Security Management System
2. ISO 27001
3. ISO 20000
4. ITIL Framework
5. COBIT Framework

1. Implementing an Information Security Management System

An information security management system (ISMS) is a set of policies and procedures for systematically managing an organization's sensitive data.
The objective of an ISMS is to provide a systematic approach to managing sensitive information in order to protect it.
It encompasses employees, processes, and information.
An ISMS is depicted in the following figure.
Security threats must be managed and controlled. Establishing a global, broad security policy with management involvement helps to do this. While doing this, four levels of documentation emerge, as shown in the figure.

ISMS Scope:
– Business security policy and plans
– Current business operations requirements
– Future business plans and requirements
– Legislative requirements
– Obligations and responsibilities about security contained in SLAs
– The business and IT risks and their management

A Sample List of IS Policies


Overall ISMS policy
Access control policy
Email policy
Internet policy
Anti-virus policy
Information classification policy
Use of IT assets policy
Asset disposal policy

2. ISO 27001
ISO 27001 is a specification for creating an ISMS.
It does not mandate specific actions but includes suggestions for documentation, internal audits, continual improvement, and corrective and preventive action.

ISO 27001 Part I
1. Code of practice for Information Security Management (ISM)
2. Best practices, guidance, and recommendations for
– Confidentiality
– Integrity
– Availability

ISO 27001 Part II
Specification for ISM

ISO 27001 describes the following processes:
– Definition of Information Security Policy
– Definition of Scope of ISMS
– Security Risk Assessment
– Manage the identified risks
– Select controls for implementation
– Prepare SoA (Statement of Applicability)

ISO 27001 uses the PDCA (Plan-Do-Check-Act) approach, which is used to improve the effectiveness of an organization:

Fig.: PDCA Approach

Plan: This phase serves to plan the primary organization of information security, set objectives for information security, and choose the appropriate security controls.
Do: This phase includes carrying out everything that was planned during the previous phase.
Check: The purpose of this phase is to monitor the functioning of the ISMS through various channels and check whether the results meet the set objectives.
Act: This phase aims to improve everything identified as non-compliant in the previous phase.

3. ISO 20000
ISO 20000 is a global standard that describes the requirements for an information technology service management (ITSM) system.
The standard was developed to mirror the best practices described within the IT Infrastructure Library (ITIL) framework.
ISO 20000 has two specifications:

ISO 20000-1
o It is the specification for IT Service Management.
o It defines the processes and provides assessment criteria and recommendations for those responsible for IT Service Management.
o It includes the following sections:
• Scope
• Terms and Definitions
• Requirements for a Management System
• Planning and Implementing Service Management
• Planning and Implementing New or Changed Services
• The Service Delivery Process
• Relationship Processes
• Resolution Processes
• Release Process
• Control Processes

ISO 20000-2
o It documents a code of practice that explains how to manage IT with regard to ISO 20000-1 audits.
o It includes all the sections from part 1 except the requirements for a management system.

4. ITIL Framework
ITIL stands for Information Technology Infrastructure Library.
It is a collection of best practices in IT service management (ITSM).
It focuses on the service processes of IT and considers the central role of the user.
ITIL is an approach to IT Service Management.
A service is something that provides value to customers. Services that customers can directly utilize or consume are known as Business Services.
Service Management is a set of specialized organizational capabilities for providing value to customers in the form of services.
ITIL is organized around a service life cycle that includes:
1. Service Strategy
– The life cycle starts with understanding the service strategy:
– What are we going to provide?
– Can we afford it?
– Can we provide enough of it?
– How do we gain a competitive advantage?
– Perspective
o Vision, mission, and strategic goals
– Position
– Plan
– Pattern
o Must fit the organizational culture.
2. Service Design
– It ensures that new & changed services are designed effectively to meet customer expectations by understanding:
– How are we going to provide it?
– How are we going to build it?
– How are we going to test it?
– How are we going to deploy it?
– Service catalog management
– Service Level Management
– Capacity management
– Availability management
– Service continuity management
– Information security management
– Supplier and Contract management
– Organizational change and communications
3. Service Transition
Through this life cycle phase, the design is built, tested & moved to production to enable the business customer to achieve the desired value. It includes:
– Change Management
– Service asset and configuration management
– Knowledge management and Service Knowledge Management System
– Service release and deployment planning
– Performance and risk evaluation
– Testing
– Acquire, build, test, and pilot
– Service release acceptance test and pilot
– Deployment, de-commission, and transfer

4. Service Operation
Once the transition phase is completed, Service Operation delivers the service on an ongoing basis and watches the overall daily health of the service. It includes:
– Monitoring and event management
– Incident management
– Request fulfillment (Standard Changes)
– Problem management
– Access Management
– Service desk
– Infrastructure management
– Application management
– IT Operations
– Facilities management
5. Continual Service Improvement (CSI)
It measures & improves the service levels. It includes:
– Measurement and control
– Service measurement
– Service assessment and analysis
– Process assessment and analysis
– Service Level Management
– Improvement planning
Advantages to an organization of the ITIL framework:
– Improve resource utilization.
– Be more competitive.
– Reduce re-work.
– Eliminate redundant work.
– Improve availability, reliability, and security of business-critical IT services.
– Improve project deliverables and time-scales.
5. COBIT Framework
It is a framework for information technology (IT) management and IT governance.
It stands for Control Objectives for Information and related Technology (COBIT).
It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues, and business risks.
COBIT aims "to research, develop, publish and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use" by business managers, IT professionals, and assurance professionals.
COBIT provides an internal control system or framework to manage business requirements for effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information.
A control objective is a statement of the desired result or purpose to be achieved by implementing control procedures in a particular activity.
The COBIT framework is based on the following principle:
To provide the information that the organization requires to achieve its objectives, the organization needs to invest in, manage and control IT resources using a structured set of processes to provide the services which deliver the required enterprise information.

Fig.: COBIT Framework Principles


The following are certain criteria that COBIT refers to as business requirements for information:

1. Effectiveness: It means that the information is relevant, timely, correct, consistent, and applicable to the business process.
2. Efficiency: It means that the information is provided through the optimal, i.e., productive as well as economical, use of resources.
3. Confidentiality: It means that the information is protected from unauthorized use.
4. Integrity: It means that the information is accurate, complete and valid for the business.
5. Availability: It means that the information will be available whenever required by the business process.
6. Compliance: It means that the information fulfils all laws, regulations and contractual arrangements, externally imposed business criteria as well as internal policies.
7. Reliability: It means that the information is appropriate for mana
