Information Security
• Information is an important part of an organization or a business and requires attention to preserve its integrity, privacy and availability.
• Information security refers to the protection of information.
• It is the process of securing, protecting and safeguarding your information from unauthorized access, use and modification.
What is Information Security?
• Information security is the process of protecting information from unauthorized access, use, disclosure, destruction, modification, or disruption.
• The protection of computer systems and information from harm, theft, and unauthorized use.
• Protecting the confidentiality, integrity and availability of information.
• Information security is an essential infrastructure technology for achieving a successful information-based society.
• A highly information-based company without information security will lose competitiveness.
• What kind of protection?
  – Protecting important documents and computers
  – Protecting communication networks
  – Protecting the Internet
  – Protection in a ubiquitous world
Definitions
• Computer Security - generic name for the collection of tools designed to protect data and to thwart hackers
• Network Security - measures to protect data during their transmission
• Internet Security - measures to protect data during their transmission over a collection of interconnected networks
Vulnerability, Threat and Attack
• A vulnerability is a weakness in a security system
  – Can be in design, implementation, etc.
  – Can be hardware or software
• A threat is a set of circumstances that has the potential to cause loss or harm
  – Or it's a potential violation of security
  – A threat can be:
    • Accidental (natural disasters, human error, …)
    • Malicious (attackers, insider fraud, …)
• An attack is the actual violation of security
Aspects of Security
• Consider 2 aspects of information security:
  – security attack
  – security service
Security Attack
• Any action that compromises the security of information owned by an organization
• Information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems
• Threat and attack are often used to mean the same thing
• There is a wide range of attacks
• We can focus on generic types of attacks:
  – passive
  – active
Passive Attacks
• Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions.
• The goal of the opponent is to obtain information that is being transmitted. Two types of passive attacks are release of message contents and traffic analysis.
1. Release of message contents
The release of message contents is easily understood. A telephone conversation, an electronic mail message, and a transferred file may contain sensitive or confidential information.
2. Traffic Analysis
The opponent could determine the location and identity of communicating hosts and could observe the frequency and length of messages being exchanged. This information might be useful in guessing the nature of the communication that was taking place.
Active Attacks
• Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories: masquerade, replay, modification of messages, and denial of service.
1. Masquerade
A masquerade takes place when one entity pretends to be a different entity. For example, authentication sequences can be captured and replayed after a valid authentication sequence has taken place, thus enabling an authorized entity with few privileges to obtain extra privileges by impersonating an entity that has those privileges.
2. Replay
Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.
3. Modification of messages
It simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect.
4. Denial of service
Denial of service prevents or inhibits the normal use or management of communications facilities.
Security Service
• Enhance security of data processing systems and information transfers of an organization
• Intended to counter security attacks
• Using one or more security mechanisms
Security Services
• Authentication - assurance that the communicating entity is the one claimed
• Access Control - prevention of the unauthorized use of a resource
• Data Confidentiality - protection of data from unauthorized disclosure
• Data Integrity - assurance that data is delivered to the intended recipient without any modification
• Non-Repudiation - protection against denial by one of the parties in a communication
WEB SERVICES
• A Web service is a method of communication between two electronic devices over a network.
• Web Services are a general model for building applications and can be implemented for any operating system that supports communication over the Internet.
• The evolution of SOAP (Simple Object Access Protocol) has expanded the boundaries of the Internet. SOAP and HTTP enable you to log on to external systems and execute remote function calls.
• Web services work by basically using HTTP and SOAP to make business data available on the Web.
Figure: Basic structure of a Web service.
Model for Network Security
• Using this model requires us to:
1. design a suitable algorithm for the security transformation
2. generate the secret information (keys) used by the algorithm
3. develop methods to distribute and share the secret information
4. specify a protocol enabling the principals to use the transformation and secret information for a security service
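As an added example that is not part of the lecture slides, the following Python walks through the four steps of the model above for one security service (data integrity with authentication) and shows the receiver rejecting the replay, modification-of-messages and masquerade attacks listed under Active Attacks. The key generation, the HMAC-SHA256 tag, the sequence-number protocol and the constructed messages are all assumptions of this example.

```python
import hashlib
import hmac
import os

# Step 2: generate the secret information (a 256-bit key) shared by the two principals.
# Step 3 (distributing the key) is assumed to have happened out of band.
def generate_key() -> bytes:
    return os.urandom(32)

def _tag(key: bytes, seq: int, payload: bytes) -> str:
    # Step 1: the security transformation, an HMAC-SHA256 over sequence number + payload.
    return hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).hexdigest()

def protect(key: bytes, seq: int, payload: bytes) -> dict:
    # Sender side of the protocol (step 4): every message carries a fresh sequence number.
    return {"seq": seq, "payload": payload, "tag": _tag(key, seq, payload)}

class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1   # highest sequence number accepted so far

    def accept(self, msg: dict) -> str:
        # Tag check first: catches modification of messages and masquerade (wrong key).
        if not hmac.compare_digest(_tag(self.key, msg["seq"], msg["payload"]), msg["tag"]):
            return "bad_tag"
        # Sequence check: a retransmitted or reordered data unit is rejected as a replay.
        if msg["seq"] <= self.last_seq:
            return "replay"
        self.last_seq = msg["seq"]
        return "ok"

def demo() -> list:
    key = generate_key()
    rx = Receiver(key)
    genuine = protect(key, 1, b"transfer 100 to account 42")      # constructed message
    outcomes = [rx.accept(genuine)]                                # ok
    outcomes.append(rx.accept(genuine))                            # same unit again: replay
    tampered = dict(genuine, payload=b"transfer 900 to account 42", seq=2)
    outcomes.append(rx.accept(tampered))                           # modification: bad_tag
    outcomes.append(rx.accept(protect(os.urandom(32), 2, b"hi")))  # masquerade, other key: bad_tag
    outcomes.append(rx.accept(protect(key, 2, b"next message")))   # ok
    return outcomes

if __name__ == "__main__":
    print(demo())
```

The transformation gives integrity and origin assurance only; the payload still travels in the clear, so it does nothing against the passive attacks above and would need a confidentiality mechanism alongside it.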
Need for Information Security
• The purpose of information security management is to ensure business continuity and reduce business damage by preventing and minimizing the impact of security incidents.
• The Audit Commission Update report (1998) shows that fraud or cases of IT abuse often occur due to the absence of basic controls, with one half of all detected frauds found by accident.
• An Information Security Management System (ISMS) enables information to be shared while ensuring the protection of information and computing assets.
Benefits of ISMS
• ISMS is a standard of the International Organization for Standardization (ISO), compatible with other standards prevailing in the market
• Helps to protect and secure information in an organization, because information is its virtual resource
• Maintains the security of data and information
• Protects and maintains the integrity, confidentiality and availability of information
• Provides efficient organizational management
• Provides high-level information security
• Encourages clients, both individuals and other organizations, to invest in the organization
Information Assurance
• Information assurance defines and applies a collection of policies, standards, methodologies, services, and mechanisms to maintain mission integrity with respect to people, process, technology, information, and supporting infrastructure.
• Information assurance provides for confidentiality, integrity, availability, possession, utility, authenticity, nonrepudiation, authorized use, and privacy of information in all forms and during all exchanges.
IA Core Principles
• Confidentiality
  – ensures the disclosure of information only
• Integrity
  – ensures that information remains in its original form; information remains true to the creator's intention
• Availability
  – information or information resource is ready for use within stated operational parameters
• Possession
  – information or information resource remains in the custody of authorized personnel
• Authenticity
  – information or information resource conforms to reality; it is not misrepresented as something it is not
Scope of IA
Information Assurance Model
• Three dimensions of information security:
  – Information state
  – Security services
  – Security countermeasures
Information Assurance versus Information Security
• Both involve people, processes, techniques, and technology. Information assurance and information security are often (incorrectly) used interchangeably.
• Information Security is focused on the confidentiality, integrity, and availability of information (electronic and non-electronic)
• IA has broader implications and explicitly includes reliability, access control, and nonrepudiation, as well as a strong emphasis on strategic risk management
• ISO information security management standards (ISMS) are more closely aligned with IA
Why is Cyber Security Important?
• Governments, military, corporations, financial institutions, hospitals and other businesses collect, process and store a great deal of confidential information on computers and transmit that data across networks to other computers.
• With the growing volume and sophistication of cyber attacks, ongoing attention is required to protect sensitive business and personal information, as well as to safeguard national security.
Cyber Security
• Cyber security is the protection of information and information systems against the potential threats on the internet
• Cyber security means securing the information related to the use of the internet
• Security on the internet must involve information or information systems
• Specific measures to maintain cyber security:
  – Viruses and identity theft
  – Protection of applications and individual privacy
  – Protection from online predators and cyberbullies (cyberharassment)
Security Risk Analysis
• Risk: a quantified measure of the likelihood of a threat being realised.
• Risk Analysis involves the identification and assessment of the levels of risk, calculated from
  – Values of assets
  – Threats to the assets
  – Their vulnerabilities and likelihood of exploitation
• Risk Management involves the identification, selection and adoption of security measures justified by
  – The identified risks to assets
  – The reduction of these risks to acceptable levels
• Security risk analysis, otherwise known as risk assessment, is fundamental to the security of any organization. It is essential in ensuring that controls and expenditure are fully commensurate with the risks to which the organization is exposed.
Goals of Risk Analysis
• All assets have been identified
• All threats have been identified
• Their impact on assets has been valued
• All vulnerabilities have been identified and assessed
Common Terminology of Security Risk Analysis
• Assets
• Threats
• Vulnerabilities
• Countermeasures
• Expected losses
• Impact
Key Elements of Risk Analysis
• Impact statement
• Effectiveness measure
• Recommended countermeasures
Risk Assessment
Business Objectives:
• FOCUS on key assets
• PROTECT against likely threats
• PRIORITISE future actions
• BALANCE cost with benefits
• IDENTIFY / JUSTIFY appropriate
Risk Impact
• Monetary losses
• Loss of personal privacy
• Loss of commercial confidentiality
• Legal actions
• Public embarrassment
• Danger to personal safety
Risk Analysis Steps
• Decide on the scope of the analysis
• Set the system boundary
• Identification of assets and business processes
• Identification of threats and valuation of their impact on assets (impact valuation)
• Identification and assessment of vulnerabilities to threats
• Risk assessment
Problems of Measuring Risk
Businesses normally wish to measure in money, but
• Many of the entities do not allow this
• Valuation of assets
  – Value of data and in-house software - no market value
  – Value of goodwill and customer confidence
• Likelihood of threats
  – How relevant is past data to the calculation of future probabilities?
  – The nature of future attacks is unpredictable
  – The actions of future attackers are unpredictable
• Measurement of benefit from security measures
  – Problems with the difference of two approximate quantities
  – How does an extra security measure affect a ~10^-5 probability of attack?
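As an added example that is not part of the slides, the following Python puts numbers on the Security Risk Analysis slide (risk calculated from asset value, threat likelihood and likelihood of exploitation, then prioritised) and on the last problem above: the benefit of a measure is the difference of two approximate risk figures, and for a ~10^-5 attack probability the uncertainty in that difference can exceed the nominal benefit. All asset figures, probabilities and the ±50% error band are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    value: float               # estimated value of the asset (constructed figure)
    threat_likelihood: float   # probability per year that the threat occurs
    exploitability: float      # probability the vulnerability is exploited when it does

def expected_loss(asset: Asset) -> float:
    # Risk as a quantified measure: asset value weighted by the likelihood
    # that a threat is realised through the asset's vulnerability.
    return asset.value * asset.threat_likelihood * asset.exploitability

def rank_assets(assets):
    # Prioritise: highest expected loss first.
    return sorted(assets, key=expected_loss, reverse=True)

def benefit_interval(p_before, p_after, rel_err, loss):
    # Benefit of a measure = (risk before) - (risk after). When each probability is
    # only known to +/- rel_err, the difference inherits both uncertainties,
    # which can swamp the nominal benefit. Returns (lowest, highest) plausible benefit.
    b_lo, b_hi = p_before * (1 - rel_err), p_before * (1 + rel_err)
    a_lo, a_hi = p_after * (1 - rel_err), p_after * (1 + rel_err)
    return (b_lo - a_hi) * loss, (b_hi - a_lo) * loss

def demo():
    # Constructed assets and estimates, not figures from the lecture.
    assets = [
        Asset("office laptops", 50_000, 0.5, 0.25),
        Asset("customer database", 2_000_000, 0.2, 0.5),
        Asset("public web site", 400_000, 0.75, 0.5),
    ]
    ranked = [a.name for a in rank_assets(assets)]
    # A measure that lowers a ~1e-5 attack probability to 8e-6 on a 5,000,000 loss,
    # with both probabilities uncertain by +/-50%: the benefit range straddles zero.
    nominal = (1e-5 - 8e-6) * 5_000_000
    low, high = benefit_interval(1e-5, 8e-6, 0.5, 5_000_000)
    return {"ranked": ranked, "nominal_benefit": nominal, "benefit_range": (low, high)}

if __name__ == "__main__":
    print(demo())
```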
