What is

Information
Security?
Outlines

• Security in practice
• Models for data security
• Attacks
• Defense in depth
Security in
practice
• In 2018, 20,373 BEC/E-mail Account Compromise (EAC) complaints with adjusted losses of over $1.2
billion (spoofed email, a spoofed phone call or a spoofed text ).
• In 2018, 100 complaints with a combined reported loss of $100M. In the Payroll Diversion scam.
• In 2018, 51,146 extortion-related complaints with adjusted losses of over $83 million which represents a
242% increase in extortion related complaints from 2017.
 Department of Justice (Office of Cybercrime)

Cyber crime report 2016 – 2017

• 3,951complaints for cybercrime and cyber-related offenses.

• 53.92% higher.
 Critical Infrastructure areas

• Telecommunications
• Electrical power systems
• Water supply systems
• Gas and oil pipelines
• Transportation
• Government services
• Emergency services
• Banking and finance
Information Security

• Protecting information and information systems from unauthorized

access, use, disclosure, disruption, modification, or destruction.
What is a secure computer system?

• To decide whether a computer system is “secure”, you must first

decide what “secure” means to you, then identify the threats you
care about

You Will Never Own a Perfectly Secure System!

Threats - examples

• Viruses, trojan horses, etc.

• Denial of Service
• Stolen Customer Data
• Modified Databases
• Identity Theft and other threats to personal privacy
• Equipment Theft
• Espionage in cyberspace
• Hack-tivism
• Cyberterrorism
• ….
Security means…

• Invading our networks

• Natural disasters
• Adverse environmental conditions
• Power failures,
• Theft or vandalism
• People
 When are we secure?

Defining when we are insecure is a much easier task such as:

• Not patching our systems
• Using weak passwords such as “password” or “1234”
• Downloading programs from the Internet
• Opening e-mail attachments from unknown senders n Using wireless networks
without encryption.
Components of
Information
Security
 Other security components added to CIA

CIA or CIAAAN… 
 Authentication
 Authorization
 Non- repudiation
 Need to balance CIA

 Example 1: C vs. I+A

 Disconnect computer from Internet to increase confidentiality
 Availability suffers, integrity suffers due to lost updates

 Example 2: I vs. C+A

 Have extensive data checks by different people/systems to increase integrity
 Confidentiality suffers as more people see data, availability suffers due to locks on data under
verification)
Confidentiality

• Refers to our ability to protect our data from those who are not
authorized to view it.
• Who is authorized to use data?
• “Need to know” basis for data access
• How do we know who needs what data?
Approach: access control specifies who can access what

• How do we know a user is the person she claims to be?

Need her identity and need to verify this identity
Approach: identification and authentication

• Analogously: “Need to access/use” basis for physical assets

• E.g., access to a computer room, use of a desktop

• Confidentiality is:
• difficult to ensure
• easiest to assess in terms of success (binary in nature: Yes / No)
Integrity

• Ability to prevent our data from being changed in an unauthorized

or undesirable manner.
• Concerned with access to assets
• More difficult to measure than confidentiality
Not binary – degrees of integrity
 Integrity vs. Confidentiality

Context-dependent - means different things in different contexts

Could mean any subset of these asset properties:
{ precision / accuracy / currency / consistency /
meaningfulness / usefulness / ...}
 Availability

• Ability to access our data when we need it.

 We can say that an asset (resource) is available
if:

• Timely request response

• Fair allocation of resources (no starvation!)
• Fault tolerant (no total breakdown)
• Easy to use in the intended way
• Provides controlled concurrency (concurrency control, deadlock control, ...)
The Parkerian
Hexad
 Possession or Control

• Refers to the physical disposition of the media on which the data is stored
 Authenticity

• Allows us to talk about the proper attribution as to the owner or creator of the
data in question.
 Utility

• Refers to how useful the data is to us

Types of
Attacks
Interception

• Allow unauthorized users to access our data, applications, or

environments, and are primarily an attack against confidentiality.
Interruption

• Cause our assets to become unusable or unavailable for our use, on

a temporary or permanent basis.
• Attacks often affect availability but can be an attack on integrity as
well.
Modification

• Involves tampering with our asset .

 Fabrication

• Involve generating data, processes, communications, or other similar

activities with a system.
Threats, Vulnerabilities, and Risk

Threats
• Something that has the potential to cause us harm.
Vulnerabilities

• Weaknesses that can be used to harm us.

• Holes that can be exploited by threats in order to cause us harm.
 Risk

• Likelihood that something bad will happen

Controls

Physical
• Controls that protect the physical environment in which our systems
sit, or where our data is stored.
Logical

• Technical controls, are those that protect the systems, networks, and
environments that process, transmit, and store our data.
• Include items such as passwords, encryption, logical access
controls, firewalls, and intrusion detection systems.
Administrative

• Based on rules, laws, policies, procedures, guide- lines, and other

items that are “paper” in nature.
Defense in Depth

• strategy common to both military maneuvers and information

security.
Defense in
Depth
Defenses in
each Layer
Activity

Example: Taal volcano eruption

What were the cities vulnerability, threat, risk and ways to control it?
Reference:

• Andress, J. 2011. The Basics of Information Security.

THANK YOU