ِِٰ ّ ‫ب ِْس ِِم ٱ‬

ِ‫َلل ٱ ِّلر ْ ٰمْح ِِِٰ ٱ ّلر ِِح ِي‬

Information Security 1
Syed Muhammad Mehdi
CS-RCET-UET
Outline

• Network Security
• Information Security
• Characteristics of information communication
• Components of a system and security
Security

• Meant to be safe from

unwanted danger or
threat.
Network Security

• Refers to the security to

make a network secure.
• To protect the network’s
assets such as data,
devices, communications
against hackers, misuse,
viruses or attacks.
• Measures to protect data
during its transmission
Network Security [1]

Measures and controls that ensure

confidentiality, integrity, and availability
of information system assets including
hardware, software, firmware, and
information being processed, stored, and
communicated.”
Network Security [2]

• Computer Security
• Information Security
• Internet Security
• Database Security
• Software Security
• OS Security
Network Security [3]

• Network security is the practice of preventing and

protecting against unauthorized intrusion into corporate
networks.
• It revolves around:
• Protection
• Detection
• Reaction
Network Security [4]

• Protection:
take preventive steps in designing and deploying a network and make it as correct
and secure as it could be.
• Detection:
it must be detected and identified if any of the network system’s assest show
problem.
• Reaction:
after the identification, the system should respond the problem, correct it and
finally returned to some safe state.
Essential Security Requirements
Information Security

• Network security is related to the effective communication of

information from source to destination.
• Measures are adopted for security to prevent unauthorized access,
misuse, modification, disclosure or destruction of information
throughout the transmission.
• Information security is designed to protect the confidentiality,
integrity and availability of network system and data from those
with malicious intentions.
Information Security [1]

Confidentiality Integrity Availability

• Preserving • Guarding against • Ensuring timely

authorized improper and reliable access
restrictions on information to and use of
information access modification or information
and disclosure, destruction,
including means including ensuring
for protecting information
personal privacy nonrepudiation
and proprietary and authenticity
information
Information Security [2] | Confidentiality

• Confidentiality is the property of preventing

disclosure(expose) of information to unauthorized individuals
or systems.
• Information is available only to people with rightful access.
• Ensuring that only those with the rights and privileges to
access a particular set of information are able to do so.
• Measures undertaken to ensure confidentiality are designed
to prevent sensitive information from reaching the wrong
people, while making sure that the right people can in fact
get it.
Information Security [2] | Confidentiality [1]

Following methods are used to ensure confidentiality of

information:
• Data encryption
• User IDs and passwords considered a standard procedure
• Biometric verification

• Data Confidentiality
• Privacy
Information Security [3] | Privacy

• Privacy means different things to different people, is the

right to be left alone and right to be free of unreasonable
personal instructions.
• Information privacy – The right to determine when and up to
what extent information about oneself can be shared with
others.
• Organizational privacy – Governments agencies,
corporations, and other organizations may desire to keep
their activities or secrets from being revealed to other
organizations or individuals.
Information Security [4] | Integrity

• Information can only be changed by authorized personnel.

• The quality or state of being whole, complete and
uncorrupted is the integrity of information.
• Integrity can be violated by a virus or a user.
• Integrity involves maintaining the consistency, accuracy, and
trustworthiness of data over its entire life cycle.
• Data must not be changed in transit, and steps must be
taken to ensure that data cannot be altered by unauthorized
people (for example, in a breach of confidentiality). These
measures include file permissions and user access controls.
Information Security [5] | Integrity [1]

• Integrity check can be done through:

• File size
• File hashing
• Hashing is the transformation of a string of characters into a
usually shorter fixed-length value or key that represents the
original string.
Prevention:
• Some means must be in place to detect any changes in data
that might occur as a result of non-human-caused events
such as an electromagnetic pulse (EMP) or server crash.
• Some data might include checksums, even cryptographic
checksums, for verification of integrity.
Information Security [6] | Integrity [1]

• Data Integrity
• System Integrity
Information Security [7] | Availability

• Availability refers to the availability of network, computer,

information or resources as and when required without any
problem while keeping confidentiality and integrity
maintained.
• Enables users who need to access information to do so
without interference or obstruction(obstacle) and receive it
in required format.
• Availability is best ensured by rigorously maintaining
all hardware, performing hardware repairs immediately
when needed and maintaining a correctly functioning
operating system environment that is free of software
conflicts.
Information Security [8] | Accuracy

• Information is accurate, when it is free from mistakes or

errors and it has the value that the end user expects.
Information Security [9] | Authenticity

• Authenticity of information is the quality or state of being

genuine or original, rather than a reproduction or
fabrication.
• E-mail spoofing is a technique commonly used for spam e-
mail and phishing to hide the origin of an e-mail message.
• The unauthorized use of a third-party domain name as the
sender's name in an e-mail message.
Information Security [10] | Accountability

The security goal that generates the requirement for actions

of an entity to be traced uniquely to that entity. This supports
nonrepudiation, deterrence, fault isolation, intrusion
detection and prevention, and after-action recovery and legal
action.
Levels of Security Breach Impact

Low Moderate High

The loss has a
The loss has
The loss will have serious effect,
severe or
a limited impact, e.g., significance
catastrophic
e.g., a degradation on
adverse effect on
degradation in mission or
operations,
mission or minor significant harm
organizational
damage or minor to individuals but
assets or on
financial loss or no loss of life or
individuals (e.g.,
minor harm threatening
loss of life)
injuries
Examples of Security Requirements |
Confidentiality

• Student grade information is an asset whose confidentiality is

considered to be very high
• The US FERPA Act: grades should only be available to students, their
parents, and their employers (when required for the job)
• Student enrollment information: may have moderate
confidentiality rating; less damage if enclosed
• Directory information: low confidentiality rating; often available
publicly
Examples of Security Requirements |
Integrity

• A hospital patient’s allergy information (high integrity data): a

doctor should be able to trust that the info is correct and current
• If a nurse deliberately falsifies the data, the database should be restored to
a trusted basis and the falsified information traced back to the person who
did it
• An online newsgroup registration data: moderate level of integrity
• An example of low integrity requirement: anonymous online poll
(inaccuracy is well understood)
Examples of Security Requirements |
Availability

• A system that provides authentication: high availability

requirement
• If customers cannot access resources, the loss of services could result in
financial loss
• A public website for a university: a moderate availably
requirement; not critical but causes embarrassment
• An online telephone directory lookup: a low availability
requirement because unavailability is mostly annoyance (there are
alternative sources)
Security Challenges

1. Computer security is not simple

2. One must consider potential (unexpected) attacks
3. Procedures used are often counter-intuitive
4. Must decide where to deploy mechanisms
5. Involve algorithms and secret info (keys)
6. A battle of wits between attacker / admin
7. It is not perceived on benefit until fails
8. Requires constant monitoring
9. Too often an after-thought (not integral)
10. Regarded as impediment to using system
Security Terminology
Computer Security Terminology, from RFC 2828, Internet Security Glossary, May 2000
Adversary (threat agent)
Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.
Attack
Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the
information itself.
Countermeasure
A device or techniques that has as its objective the impairment of the operational effectiveness of undesirable or adversarial activity, or
the prevention of espionage, sabotage, theft, or unauthorized access to or use of sensitive information or information systems.
Risk
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of 1) the adverse
impacts that would arise if the circumstance or event occurs; and 2) the likelihood of occurrence.
Security Policy
A set of criteria for the provision of security services. It defines and constrains the activities of a data processing facility in order to
maintain a condition of security for systems and data.
System Resource (Asset)
A major application, general support system, high impact program, physical plant, mission critical system, personnel, equipment, or a
logically related group of systems.
Threat
Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or
reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access,
destruction, disclosure, modification of information, and/or denial of service.
Vulnerability
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or
triggered by a threat source.
Security Concepts and Relationships

Owners Threat agents

value
wish to abuse
wish to impose and/or
minimize may damage
give
rise to
countermeasures assets

to
reduce

to to
risk threats
that
increase

Figure 1.2 Security Concepts and Relationships

Vulnerabilities, Threats and Attacks

• Categories of vulnerabilities
• Corrupted (loss of integrity)
• Leaky (loss of confidentiality)
• Unavailable or very slow (loss of availability)
• Threats
• Capable of exploiting vulnerabilities
• Represent potential security harm to an asset
• Attacks (threats carried out)
• Passive – attempt to learn or make use of information from the system that does
not affect system resources
• Active – attempt to alter system resources or affect their operation
• Insider – initiated by an entity inside the security parameter
• Outsider – initiated from outside the perimeter
Threat Consequences

• Unauthorized disclosure: threat to confidentiality

• Exposure (release data), interception, inference, intrusion
• Deception: threat to integrity
• Masquerade, falsification (alter data), repudiation
• Disruption: threat to integrity and availability
• Incapacitation (destruction), corruption (backdoor logic), obstruction (infer
with communication, overload a line)
• Usurpation: threat to integrity
• Misappropriation (theft of service), misuse (hacker gaining unauthorized
access)
 Threat Consequence Threat Action (Attack)
Unauthorized Exposure: Sensitive data are directly released to an
Disclosure unauthorized entity.
A circumstance or Interception: An unauthorized entity directly accesses

Consequences and Actions event whereby an

entity gains access to
data for which the
sensitive data traveling between authorized sources and
destinations.
Inference: A threat action whereby an unauthorized entity
entity is not indirectly accesses sensitive data (but not necessarily the
authorized. data contained in the communication) by reasoning from
characteristics or byproducts of communications.
Intrusion: An unauthorized entity gains access to sensitive
data by circumventing a system's security protections.
Deception Masquerade: An unauthorized entity gains access to a
A circumstance or system or performs a malicious act by posing as an
event that may result authorized entity.
in an authorized entity Falsification: False data deceive an authorized entity.
receiving false data Repudiation: An entity deceives another by falsely denying
and believing it to be responsibility for an act.
true.
Disruption Incapacitation: Prevents or interrupts system operation by
A circumstance or disabling a system component.
event that interrupts Corruption: Undesirably alters system operation by
or prevents the correct adversely modifying system functions or data.
operation of system Obstruction: A threat action that interrupts delivery of
services and system services by hindering system operation.
functions.
Usurpation Misappropriation: An entity assumes unauthorized logical
A circumstance or or physical control of a system resource.
event that results in Misuse: Causes a system component to perform a function
control of system or service that is detrimental to system security.
services or functions
by an unauthorized
entity.
Security issues in components of a system

Basic Components of a system are

• Software
• Hardware
• Data
• People
• Procedures/Policies/Rules
Security issues in components of a system [1]
Software
Bugs, Weaknesses and Holes.
• An error or defect in software or hardware that causes a program to
malfunction
• Security Hole (something you need to fix now)
• Security Warning (something you need to fix soon)
• Security Note (something you need to fix when you get around to it, or just
some information that you should consider)
Patches and Service Packs.
• A patch is a piece of software designed to fix problems or update a computer
program and its supporting data. This includes fixing security vulnerabilities and
other bugs.
• A service pack is a collection of updates, fixes and/or enhancements to a
software program delivered in the form of a single installable package.
Security issues in components of a system [2]
Hardware

• It Houses and Executes a software.

• Stores and carries the data.
• Provides Interfaces for the entry and removal of information from
the system.
• Physical security policies deal with the hardware.
• Stolen Away, Damage, Data Corruption
Security issues in components of a system [3]
Data

• The most important and valuable thing for any organization.

• Main object of intentional attacks.
• Must be protected from unauthorized access.
• Integrity, accuracy, authenticity and availability of data should be
maintained.
Security issues in components of a system [4]
People

• Users, Administrators, Designers etc.

• People who are directly or indirectly related to the system.
• Physical and medical states of people.
• Intentions of individuals to harm or damage the system.
Security issues in components of a system [5]
Procedures

• Rules, Policies, procedures that are followed for the desired

working of a whole system.
• These policies may relate to the terms and services, disclaimer,
privacy.
• Procedures are the daily basis tasks that are followed to achieve
the goals.
• Violation of all these by the system or even by the people are
breaches to security.
Security issues in components of a system [6]
Security issues in components of a system [6]
Availability Confidentiality Integrity
Equipment is stolen or
An unencrypted CD-
Hardware disabled, thus denying
ROM or DVD is stolen.
service.
A working program is
modified, either to
Programs are deleted, An unauthorized copy cause it to fail during
Software
denying access to users. of software is made. execution or to cause it
to do some unintended
task.
An unauthorized read
of data is performed. Existing files are
Files are deleted,
Data An analysis of modified or new files
denying access to users.
statistical data reveals are fabricated.
underlying data.
Messages are destroyed Messages are modified,
Communication or deleted. Messages are read. The delayed, reordered, or
Lines and Communication lines traffic pattern of duplicated. False
Networks or networks are messages is observed. messages are
rendered unavailable. fabricated.
Fundamental Security Design Principles

The National Centers of Academic

Excellence in Information Economy of
mechanism
Fail-safe
defaults
Complete
mediation
Open design
Assurance/Cyber Defense, which is
jointly sponsored by the U.S. Least
Separation of Least Psychological
National Security Agency and the U. privilege privilege
common
mechanism
acceptability
S. Department of Homeland
Security, list the following as
Isolation Encapsulation Modularity Layering
fundamental security design
principles [NCAE13]:
Least
astonishment
Fundamental Security Design Principles [2]

• Economy of mechanism: the design of security measures should

be as simple as possible
• Simpler to implement and to verify
• Fewer vulnerabilities
• Fail-safe default: access decisions should be based on
permissions; i.e., the default is lack of access
• Complete mediation: every access should checked against an
access control system
• Open design: the design should be open rather than secret (e.g.,
encryption algorithms)
Fundamental Security Design Principles [3]

• Isolation
• Public access should be isolated from critical resources (no connection
between public and critical information)
• Users files should be isolated from one another (except when desired)
• Security mechanism should be isolated (i.e., preventing access to those
mechanisms)
• Encapsulation: similar to object concepts (hide internal
structures)
• Modularity: modular structure
Fundamental Security Design Principles [4]

• Layering (defense in depth): use of multiple, overlapping

protection approaches
• Least astonishment: a program or interface should always
respond in a way that is least likely to astonish a user
Fundamental Security Design Principles [5]

• Separation of privilege: multiple privileges should be needed to

do achieve access (or complete a task)
• Least privilege: every user (process) should have the least
privilege to perform a task
• Least common mechanism: a design should minimize the function
shared by different users (providing mutual security; reduce
deadlock)
• Psychological acceptability: security mechanisms should not
interfere unduly with the work of users
Google Classroom

3i7s4bk
https://classroom.google.com/c/NjU0MTEwNzk1NzE5?cjc=3i7s4bk
The End