Chapter 1

Introduction to IAS

Learning Objectives

Upon completion of this chapter you should be able to:

• Understand what information security is and how it came to mean what it does today.
• Comprehend the history of computer security and how it evolved into information security.
• Understand the key terms and critical concepts of information security as presented in the chapter.
• Outline the phases of the security systems development life cycle.
• Understand the roles of the professionals involved in information security within an organizational structure.

Introduction
• We are living in the information age.
• Without data/information, an organization loses its record of transactions and/or its ability to deliver value to its customers.
• Information is an asset that has value in any organization.
• As an asset, information needs to be secured from attack.

Cont…
• Until a few decades ago, the information collected by an organization was stored in physical files.
• The confidentiality of the files was achieved by restricting access to a few authorized and trusted people in the organization.
• In the same way, only a few authorized people were allowed to change the contents of the files.
• Availability was achieved by designating at least one person who would have access to the files at all times.

Cont…
• With the advent of computers, information storage became electronic.
• Instead of being stored on physical media, it was stored in computers.
• The three security requirements (confidentiality, integrity and availability), however, did not change.
• Their implementation, on the other hand, is different and more challenging.

• Enterprise Security includes the strategies, techniques, and processes for securing information and IT assets against unauthorized access and risks that may infringe the confidentiality, integrity or availability of these systems. Building on the traditional cybersecurity premise of protecting digital assets at the local front, enterprise security extends to the security of data in transit across the connected network, servers, and end-users.
• It encompasses the technology, people, and processes involved in maintaining a secure environment for digital assets. Because it spans the whole enterprise, this security has an additional focus on the legal and cultural requirements of securing data assets that belong to an organization’s user base.

Protecting Data
• The files stored in computers require confidentiality, integrity and availability.
• To be secure, information needs to be hidden from unauthorized access (Confidentiality), protected from unauthorized change (Integrity) and available to an authorized entity when it is needed (Availability).
• An effective information security program is essential to protecting the integrity and value of the organization’s data.

Security Goals

Vocabularies
• What is “Security”?
• Dictionary.com says:
  – 1. Freedom from risk or danger; safety.
  – 2. Freedom from doubt, anxiety, or fear; confidence.
  – 3. Something that gives or assures safety, as:
    • 1. A group or department of private guards: Call building security if a visitor acts suspicious.
    • 2. Measures adopted by a government to prevent espionage, sabotage, or attack.
    • 3. Measures adopted, as by a business or homeowner, to prevent a crime such as burglary or assault.
  … etc.

• Information: Information is data endowed with relevance and purpose.
  – Converting data into information thus requires knowledge.
  – Information should be:
    • Accurate
    • Timely
    • Complete
    • Verifiable
    • Consistent
    • Available
• Assurance: Actions taken that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality and non-repudiation.

• Information Assurance (IA) is the study of how to protect your information assets from destruction, degradation, manipulation and exploitation.
• Computer Security: the generic name for the collection of tools designed to protect data and to thwart hackers.
• Traditionally, computer facilities have been physically protected for three reasons:
  – To prevent theft of or damage to the hardware
  – To prevent theft of or damage to the information
  – To prevent disruption of service
• Computer security is applied to computing devices such as
  – computers and smartphones
  – computer networks, including private and public networks and the whole Internet.
• It includes physical security to prevent theft of equipment, and information security to protect the data on that equipment.
• It is sometimes referred to as "cyber security" or "IT security".

Cybersecurity
• Cybersecurity is the protection of internet-connected systems (hardware, software and data) from cyber threats.
  – It covers computers, servers, mobile devices, electronic systems, networks, and data against malicious attacks.
• The practice is used by individuals and enterprises to protect against unauthorized access to data centres and other computerized systems.

Cybersecurity Cont…
• The term applies in a variety of contexts, from business to mobile computing, and can be divided into a few common categories.
  – Network security is the practice of securing a computer network from intruders, whether targeted attackers or opportunistic malware.
  – Application security focuses on keeping software and devices free of threats.
    • Successful security begins in the design stage, well before a program or device is deployed.

Cybersecurity Cont…
• Information security protects the integrity and privacy of data, both in storage and in transit.
• Operational security includes the processes and decisions for handling and protecting data assets.
  – The permissions users have when accessing a network and the procedures that determine how and where data may be stored or shared all fall under this umbrella.
• Disaster recovery and business continuity define how an organization responds to a cyber-security incident or any other event that causes the loss of operations or data.
  – Disaster recovery policies dictate how the organization restores its operations and information to return to the same operating capacity as before the event.
  – Business continuity is the plan the organization falls back on while trying to operate without certain resources.

Cont…
• End-user education: Human error is the leading cause of data breaches. Therefore, you must equip staff with the knowledge to deal with the threats they face.
• Staff awareness training will show employees how security threats affect them and help them apply best-practice advice to real-world situations.
• Teaching users to delete suspicious email attachments, not plug in unidentified USB drives, and various other important lessons is vital for the security of any organization.

What is Network Security?
• Security
  – Protecting general assets
• Information Security
  – Protecting information and information resources
• Network Security
  – Protecting data, hardware and software on a computer network

• Network Security: measures to protect data during their transmission.
• Internet Security: measures to protect data during their transmission over a collection of interconnected networks.
[These two kinds of security are the focus of our study.]
• Network and Internet security rely heavily on cryptographic techniques.
• Cryptographic algorithms and protocols can be grouped into four main areas:
  – Symmetric encryption: Used to conceal the contents of blocks or streams of data of any size, including messages, files, encryption keys, and passwords.
  – Asymmetric encryption: Used to conceal small blocks of data, such as encryption keys and hash function values, which are used in digital signatures.
  – Data integrity algorithms: Used to protect blocks of data, such as messages, from alteration.
  – Authentication protocols: Schemes based on the use of cryptographic algorithms designed to authenticate the identity of entities.

• Computer data often travels from one computer to another, leaving the safety of its protected physical surroundings.
• Once the data is out of your hands, people with bad intentions could modify or forge it, either for enjoyment or for their own benefit.
• Cryptography can reformat and transform our data, making it safer on its trip between computers.
• The technology is based on the essentials of secret codes, augmented by modern mathematics that protects our data in powerful ways.

Attacks
• Attacks on computer systems
  – break-in to destroy information
  – break-in to steal information
  – blocking the system from operating properly
  – malicious software
• Sources of attacks
  – Insiders
  – Outsiders

ASPECTS OF SECURITY
• There are 3 aspects of information security:
1. SECURITY ATTACK
  – Why security? (Because of threats.)
  – A threat is an object, person, or other entity that represents a constant danger to an asset.
  – A security attack is any action that compromises the security of information owned by an organization.
  – Information security is about how to prevent attacks or, failing that, to detect attacks on information-based systems. The terms threat and attack are often used to mean the same thing.

Types of Network Attacks
• Passive attacks, e.g. eavesdropping
• Active attacks, e.g. password guessing
• Denial of Service (DoS)
  – The attacker sends a large number of connection or information requests to a target machine; so many requests are made that the target system cannot handle them successfully along with other, legitimate requests for service.
  – This may result in a system crash, or merely an inability to perform ordinary functions.

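A defender-side illustration of the request flood just described, added here and not part of the slides: it counts connection requests per source over a sliding time window on a constructed log and flags any source exceeding a threshold. The log format, the 10-second window and the threshold of 5 are assumptions, and a distributed flood from many sources would need per-destination counting instead.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not a real capture). One line per connection
# request: "<ISO timestamp> <source IP> <destination port> <event>".
SAMPLE_LOG = """\
2024-05-01T10:00:00 198.51.100.7 443 SYN
2024-05-01T10:00:01 203.0.113.9 443 SYN
2024-05-01T10:00:01 203.0.113.9 443 SYN
2024-05-01T10:00:02 192.0.2.44 443 SYN
2024-05-01T10:00:02 203.0.113.9 443 SYN
2024-05-01T10:00:02 203.0.113.9 443 SYN
2024-05-01T10:00:03 203.0.113.9 443 SYN
2024-05-01T10:00:03 203.0.113.9 443 SYN
2024-05-01T10:00:04 198.51.100.7 443 SYN
2024-05-01T10:00:30 192.0.2.44 443 SYN
garbage line that a parser must not choke on
"""

def parse_requests(log_text):
    """Yield (timestamp, source IP) for each SYN line; skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "SYN":
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1]
        except ValueError:
            continue

def flood_sources(log_text, window=timedelta(seconds=10), threshold=5):
    """Return {source: peak count} for every source that sends more than
    `threshold` requests inside any `window`-long span (sliding window)."""
    by_src = defaultdict(list)
    for ts, src in parse_requests(log_text):
        by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # evict requests older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[src] = peak
    return flagged
```

On the sample log only 203.0.113.9, with six requests in three seconds, is flagged; the two legitimate sources stay well below the threshold.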
Types of Attacks
• Network Security
  – Active attacks
  – Passive attacks
• Passive attacks
  – interception of the messages
  – What can the attacker do?
    • use the information internally
      – hard to understand
    • release the content
      – can be understood
    • traffic analysis
      – hard to avoid
  – Hard to detect; try to prevent

Example Attacks
• INTERRUPTION
  – An asset of the system is destroyed or becomes unavailable or unusable. It is an attack on availability.
  – Examples:
    • Destruction of some hardware
    • Jamming wireless signals or cutting a communication line
    • Disabling file management systems

• INTERCEPTION
  – An unauthorized party gains access to an asset. Attack on confidentiality.
  – Examples:
    • Wiretapping to capture data in a network
    • Illicitly copying data or programs
    • Eavesdropping
• MODIFICATION
  – An unauthorized party gains access to an asset and tampers with it. Attack on integrity.
  – Examples:
    • Changing a data file
    • Altering a program or the contents of a message
• FABRICATION
  – An unauthorized party inserts a counterfeit object into the system. Attack on authenticity.
  – Also called impersonation
  – Examples:
    • Hackers gaining access to a personal email account and sending messages
    • Insertion of records in data files
    • Insertion of spurious messages in a network

Network Security Services
• Confidentiality: only the sender and the intended receiver should “understand” the message contents
  – sender encrypts the message
  – receiver decrypts the message
  – Information about the system or its users cannot be learned by an attacker
• Authentication: sender and receiver want to confirm each other’s identity
• Message Integrity: sender and receiver want to ensure the message is not altered (in transit, or afterwards) without detection
• Access and Availability: services must be accessible and available to users
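The attack categories above (interception, modification, fabrication) and the confidentiality, integrity and authentication services can be played against each other in working code. This is an added example, not code from the slides: a toy keystream cipher built from SHA-256 provides confidentiality and an HMAC tag provides integrity and authenticity, so the receiver rejects a modified or counterfeit message while an eavesdropper sees only ciphertext. The functions `keystream_xor`, `protect`, `unprotect` and `demo` and the sample message are all constructed here; interruption (availability) is not shown because it is not a cryptographic property.

```python
import hashlib
import hmac
import os

# Toy stream cipher: keystream blocks are SHA-256(key || nonce || counter),
# XORed into the data. Illustration only, not a vetted cipher; production
# code should use AES-GCM or ChaCha20-Poly1305 from a maintained library.
def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hashlib.sha256(key + nonce + block_no.to_bytes(4, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, block))  # XOR is its own inverse
    return bytes(out)

def protect(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Confidentiality (encrypt) then integrity/authenticity (HMAC tag)."""
    nonce = os.urandom(16)
    ciphertext = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def unprotect(enc_key: bytes, mac_key: bytes, message: bytes):
    """Return the plaintext, or None if the tag does not verify."""
    if len(message) < 48:  # nonce (16) + tag (32) at minimum
        return None
    nonce, ciphertext, tag = message[:16], message[16:-32], message[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return keystream_xor(enc_key, nonce, ciphertext)

def demo() -> dict:
    """Play the receiver against the attack categories from the slides."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    msg = protect(enc_key, mac_key, b"transfer 100 to account 42")
    # Interception: the eavesdropper sees nonce, ciphertext and tag only.
    leaked = b"transfer" in msg
    # Modification: flip one ciphertext bit; the tag no longer verifies.
    tampered = bytearray(msg)
    tampered[20] ^= 0x01
    # Fabrication: a counterfeit message built without either key.
    forged = os.urandom(16) + b"\x00" * 26 + os.urandom(32)
    return {
        "legitimate": unprotect(enc_key, mac_key, msg),
        "plaintext_leaked": leaked,
        "modified": unprotect(enc_key, mac_key, bytes(tampered)),
        "forged": unprotect(enc_key, mac_key, forged),
    }
```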
Who is vulnerable?
• Financial institutions and banks
• Internet service providers
• Pharmaceutical companies
• Government and defense agencies
• Contractors to various government agencies
• Multinational corporations
• ANYONE ON THE NETWORK

Network Security Mechanisms
• Features designed to prevent, detect, and recover from a security attack
• No single mechanism supports all the services required
• However, one particular element underlies many of the security mechanisms in use:
  – Cryptographic techniques

Common security attacks and their countermeasures
• Software and hardware for access limitations into the network
  – Firewalls (our focus)
• Cryptographic techniques (hence our focus)
• Exploiting software bugs, buffer overflows
  – Intrusion Detection Systems
• Denial of Service
  – Ingress filtering, IDS
• Security Policies / Access Control
  – define who has access to which resources.
• TCP hijacking
  – IPSec
• Packet sniffing
  – Encryption (SSH, SSL, HTTPS)