SlideShare a Scribd company logo
Chapter 1
Introduction to Computer/IS
Security
Outline
•What is Security?
•What is Information Security?
•What is Privacy?
•Security Requirements
•Challenges of Information Security?
•Risk Management
Introduction
“The most secure computers are those not
connected to the Internet and shielded from
any interference”-Introduction to computers by Rajmohan
Joshi page 264
Cont..
• Modern societies are highly dependent on ICT.
â–Ş Computation is embedded in a rapidly increasing
and variety of products.
â–Ş Global computer usage continues to grow rapidly,
especially in developing countries.
â–Ş With every passing day computers administer and
control more and more aspects of human life.
oBanks
oMedical (Biological Devices)
oTransportation etc.
• Conclusion:
â–Ş We are more and more dependent on ICT!
oImplies security and privacy are critical issues.
Security
• What is Security?
▪ “the quality or state of being secure or be free from
danger.”
â–Ş protection against adversaries:-from those who would
do harm, intentionally with a certain objective.
• Security is about
â–Ş Threats (bad things that may happen)
â–Ş Vulnerabilities (weaknesses in your defenses)
â–Ş Attacks (ways in which the threats may be actualized)
â–Ş Mechanisms to tackle attacks
Information Security
â–Ş Information security is the protection of information and
information systems from unauthorized access, use, disclosure,
disruption, modification, or destruction in order to provide
confidentiality, integrity, and availability.
â–Ş by development and deployment of security applications and
infrastructures
â–Ş It also refers to:
â–Ş Protecting information no matter where that information is, i.e. in
transit (on the network) or in a storage area.
â–Ş The detection and remediation of security breaches, as well as
documenting those events.
Information Assurance
â–Ş Information assurance: measures taken to protect and
defend information and information systems by ensuring their
availability, integrity, authentication, confidentiality e.t.c.
• incorporate protection, detection and reaction capabilities.
â–Ş IA includes:
• Physical security: protection of hardware, software, and data against
physical threats.
• Personnel security: measures taken to reduce the likelihood and severity
of accidental and intentional attacks by insiders and known outsiders.
• Operational security: involves the implementation of standard operational
security procedures that define the interaction between systems and users.
• IT security: technical features and functions that collectively contribute to
an IT infrastructure for achieving and sustain CIA.
Privacy
• Privacy means that your data, such as personal files and e-
mail messages, is not accessible by anyone without your
permission.
• Privacy deals with the measures that you can take to
restrict access to your data.
Why Information Security?
• Protect organizations and companies data and asset from
insider and outsider attack
• Prevent unauthorized people from accessing our valued
information’s, to manipulate with it or steal it.
• Protect your sensitive data from natural disaster and
accidental risks by using business continuity and disaster
recovery management.
• Regulatory compliance: adherence to laws, regulations,
guidelines and specifications relevant to its business
processes.
• Thwart identity theft etc.
Challenges of Information Security
• In developing a particular security mechanism or algorithm,
one must always consider potential security threats and attacks
on different security features.
• Having designed various security mechanisms, it is necessary to
decide where to use them.
• Security mechanisms typically involve more than a particular
algorithm or protocol.
• Security requires regular, even constant, monitoring, and this is
difficult in today’s short-term, overloaded environment.
• Lack of awareness about information security
Aspects of Computer/IS Security
The 3 aspects of computer/information security are:
â–Ş Security attack: Any action that compromises the security
of information owned by an organization.
â–Ş Security mechanism: A process (or a device incorporating
such a process) that is designed to detect, prevent, or
recover from a security attack.
oExamples: encryption, digital signature, IDS, access
control e.t.c
â–Ş Security service: A processing or communication service
that enhances the security of the data processing systems
and the information transfers of an organization.
Security Requirements/Services
• Are intended to counter security attacks, and they make
use of one or more security mechanisms to provide the
service.
• The main objectives of computer security is preserving
the CIA triad
Cont..
• Confidentiality
• Integrity
• Availability
• Authentication
• Non-repudiation
• Accountability etc.
Confidentiality
• protect unauthorized discloser of information
• the assurance that information is not disclosed
to unauthorized persons, processes or devices
• This can cover two aspects:
â–Ş protecting information stored in files
â–Ş protecting information while in transmission
• Example:
â–Ş An employee should not come to know the
salary of his manager
â–Ş The target coordinates of a missile should not
be improperly disclosed.
Integrity
• protect unauthorized modification of information.
• the assurance that data/information can not be
created, changed, or deleted without proper
authorization.
â–Ş System Integrity means that there is an external
consistency in the system: everything is as it is
expected to be
â–Ş Data integrity means that the data stored on a
computer is the same as the source documents
(changed only in a specified and authorized manner.)
• Example: an employee should not be able to modify the
employee's own salary
â–Ş The target coordinates of a missile should not be
improperly modified
Availability
• Information need to be available for
authorized parities whenever needed.
• Availability is the prevention of unauthorized
with holding of information.
• Timely, reliable access to data and
information services for authorized users.
• Used to guarantee access to information
• Denial of service attacks are a common form
of attack.
Authentication
• Who you are?
• Proving that a user is the person he /she claims to be.
• Factors of authentication
â–Ş Something you know (password)
â–Ş Something you have (Chip)
▪ Something you are- that proves the person’s
identity (biometric: fingerprint).
â–Ş Somewhere you are: related to you location
â–Ş Something you do : identification by observing your
unique physical actions
â–Ş Or the combination of those techniques (multi-
factor authentication)
Authorization
• What you can do?
• Determine access levels or privileges related
to system resources including files, services,
computer programs, data and application
features.
• Authentication and Authorization go hand in
hand.
Nonrepudiation
• Prevention of either the sender or the receiver
denying a transmitted message. (Proof of
sender’s identity and message delivery)
â–Ş neither can later deny having processed the
data.
â–Ş Security is strong when the means of
authentication cannot later be refuted: the
user cannot later deny that he or she
performed the activity.
• Can be guaranteed using digital signature.
What should we protect?
• One of the major goal of information/computer security as a
discipline and as a profession is to protect valuable assets.
â–Ş Assets: items of value
• Determining what to protect requires that we first identify
what has value and to whom.
• Assets include:
â–Ş Hardware
• Computer components
• Networks and communications channels
• Mobile devices
â–Ş Software
• Operating system
• Off-the-shelf Programs and apps
• Customized programs and Apps
â–Ş Data
• Files
• Databases
Asset Valuation
• The perceived value of an asset depends upon the ease
with which the asset can be replaced.
Individual applications Unique: difficult to replace
Data
Hardware Software
Easily Replaceable
Balancing Security and Access
• Information security is not absolute
â–Ş It is a process and not a goal
• No security- complete access to
assets
â–Ş Available to anyone, anytime
and anywhere (pose a danger to
security)
• Complete security- No access
â–Ş A completely secure
information system would not
allow anyone access
How to protect our Asset?
• To study methods of asset protection we use a
vulnerability-threat-control framework.
â–Ş Vulnerability
• A weakness in a system
• Can be exploited to cause harm or loss
• A human who exploits the vulnerability
perpetrating an attack on the system (cause a
harm/loss)
Cont..
Hardware
â–Ş susceptibility to humidity
â–Ş susceptibility to dust
â–Ş susceptibility to soiling etc.
Software
â–Ş insufficient testing, lack
of audit trail
â–Ş design flaw
Network
â–Ş unprotected communication
lines
â–Ş insecure network architecture
• Personnel
â–Ş inadequate recruiting process
â–Ş inadequate security awareness
• Physical site
â–Ş area subject to flood, unreliable
power source etc.
• Organizational
â–Ş lack of regular audits
â–Ş lack of continuity plans , lack
of security etc.
Vulnerabilities are classified according to the asset class they are
related to:
Cont..
â–Ş Threat
â–Ş A set of circumstances that has the potential to
cause harm or lose
â–Ş Can be natural, human or process threat
â–Ş Control
• An action, device or procedure or technique that
eliminate or reduce vulnerability
• Also called countermeasure (Physical,
Administrative and Technical )
Security Management and Risk Analysis
Cont..
• What and Why first?
• How only later?
• What need to secured and why (e.g. Assets, regulation,
attacks, etc) ?
• What technical solutions to use and how?
Risk
• Risk is the possibility that a particular threat will
adversely impact an information system by exploiting a
particular vulnerability.
â–Ş The assessment of risk must take into account the
consequences of an exploit.
• Risk analysis is the study of the cost of a particular
system against the benefits of the system.
• Risk management is a process for an organization to
identify and address the risks in their environment.
Risk Management Framework
• There are several risk management frameworks, and
each defines a procedure for an organization to follow
• One particular risk management procedure (from Viega
and McGraw) consists of six steps:
1. Assess assets
2. Assess threats
3. Assess vulnerabilities
4. Assess risks
5. Prioritize countermeasure options
6. Make risk management decisions
Risk Analysis
Cont..
Risk Treatment
• Once the risk has been identified and assessed, managing the
risk can be done through one of four techniques:
• Risk acceptance: risks not avoided or transferred are retained
by the organization.
• E.g. Sometimes the cost of insurance is greater than the
potential loss.
â–Ş Sometimes the loss is improbable, though catastrophic.
• Risk avoidance: not performing an activity that would incur
risk. E.g. disallow remote login.
• Risk mitigation: taking actions to reduce the losses due to a
risk; many technical countermeasures fall into this category.
• Risk transfer: shift the risk to someone else. E.g. most
insurance contracts, home security systems.

More Related Content

PDF
20210629_104540Information Security L1.pdf
PDF
IA 124 Lecture 01 2022 -23-1.pdf hahahah
PPTX
security system by desu star chapter 1.pptx
PPTX
IT Security & Risk
PDF
Basic security concepts_chapter_1_6perpage
PDF
Management Information Systems
 
PPTX
Information Security
PPTX
Information Security Bachelor in Information technology unit 1
20210629_104540Information Security L1.pdf
IA 124 Lecture 01 2022 -23-1.pdf hahahah
security system by desu star chapter 1.pptx
IT Security & Risk
Basic security concepts_chapter_1_6perpage
Management Information Systems
 
Information Security
Information Security Bachelor in Information technology unit 1

Similar to information security introduction for campus students.pdf (20)

PPT
InfoSecConcepts.ppt
PPT
Ia 124 1621324143 ia_124_lecture_01
 
PPT
Information security and other issues
PPTX
Date security introduction
PPT
chapter 1 security.ppt
PPTX
Chapter 1 compu secur.pptx of security service
DOCX
11What is Security 1.1 Introduction The central role of co.docx
PPT
Computer Securityyyyyyyy - Chapter 1.ppt
PPT
Basic Security Chapter 1
PPT
Basic security concepts_chapter_1
PPTX
CH01-CompSec4e.pptx
PPT
Information security introduction
PPTX
Information security FundameFundamentals.pptx
PPTX
informations_security_presentations.pptx
PPTX
Security and management
PPT
Information Security
PPTX
ISM-CS5750-01.pptx
PPTX
1. Introduction to Information Security.pptx
DOCX
Security ConceptsDr. Y. ChuCIS3360 Security in Computing.docx
PPTX
Information Security Lecture One for Basic
InfoSecConcepts.ppt
Ia 124 1621324143 ia_124_lecture_01
 
Information security and other issues
Date security introduction
chapter 1 security.ppt
Chapter 1 compu secur.pptx of security service
11What is Security 1.1 Introduction The central role of co.docx
Computer Securityyyyyyyy - Chapter 1.ppt
Basic Security Chapter 1
Basic security concepts_chapter_1
CH01-CompSec4e.pptx
Information security introduction
Information security FundameFundamentals.pptx
informations_security_presentations.pptx
Security and management
Information Security
ISM-CS5750-01.pptx
1. Introduction to Information Security.pptx
Security ConceptsDr. Y. ChuCIS3360 Security in Computing.docx
Information Security Lecture One for Basic
Ad

Recently uploaded (20)

PDF
Mark Klimek Lecture Notes_240423 revision books _173037.pdf
PPTX
Pharmacology of Heart Failure /Pharmacotherapy of CHF
PDF
2.FourierTransform-ShortQuestionswithAnswers.pdf
PPTX
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
PPTX
The Healthy Child – Unit II | Child Health Nursing I | B.Sc Nursing 5th Semester
PPTX
human mycosis Human fungal infections are called human mycosis..pptx
PDF
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
PDF
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
PPTX
Open Quiz Monsoon Mind Game Prelims.pptx
PDF
Open folder Downloads.pdf yes yes ges yes
PDF
TR - Agricultural Crops Production NC III.pdf
PDF
FourierSeries-QuestionsWithAnswers(Part-A).pdf
PDF
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
PDF
The Final Stretch: How to Release a Game and Not Die in the Process.
PDF
Basic Mud Logging Guide for educational purpose
PDF
Anesthesia in Laparoscopic Surgery in India
PDF
Origin of periodic table-Mendeleev’s Periodic-Modern Periodic table
PPTX
COMPUTERS AS DATA ANALYSIS IN PRECLINICAL DEVELOPMENT.pptx
PPTX
master seminar digital applications in india
PDF
Abdominal Access Techniques with Prof. Dr. R K Mishra
Mark Klimek Lecture Notes_240423 revision books _173037.pdf
Pharmacology of Heart Failure /Pharmacotherapy of CHF
2.FourierTransform-ShortQuestionswithAnswers.pdf
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
The Healthy Child – Unit II | Child Health Nursing I | B.Sc Nursing 5th Semester
human mycosis Human fungal infections are called human mycosis..pptx
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
Open Quiz Monsoon Mind Game Prelims.pptx
Open folder Downloads.pdf yes yes ges yes
TR - Agricultural Crops Production NC III.pdf
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
The Final Stretch: How to Release a Game and Not Die in the Process.
Basic Mud Logging Guide for educational purpose
Anesthesia in Laparoscopic Surgery in India
Origin of periodic table-Mendeleev’s Periodic-Modern Periodic table
COMPUTERS AS DATA ANALYSIS IN PRECLINICAL DEVELOPMENT.pptx
master seminar digital applications in india
Abdominal Access Techniques with Prof. Dr. R K Mishra
Ad

information security introduction for campus students.pdf

  • 1. Chapter 1 Introduction to Computer/IS Security
  • 2. Outline •What is Security? •What is Information Security? •What is Privacy? •Security Requirements •Challenges of Information Security? •Risk Management
  • 3. Introduction “The most secure computers are those not connected to the Internet and shielded from any interference”-Introduction to computers by Rajmohan Joshi page 264
  • 4. Cont.. • Modern societies are highly dependent on ICT. â–Ş Computation is embedded in a rapidly increasing and variety of products. â–Ş Global computer usage continues to grow rapidly, especially in developing countries. â–Ş With every passing day computers administer and control more and more aspects of human life. oBanks oMedical (Biological Devices) oTransportation etc. • Conclusion: â–Ş We are more and more dependent on ICT! oImplies security and privacy are critical issues.
  • 5. Security • What is Security? â–Ş “the quality or state of being secure or be free from danger.” â–Ş protection against adversaries:-from those who would do harm, intentionally with a certain objective. • Security is about â–Ş Threats (bad things that may happen) â–Ş Vulnerabilities (weaknesses in your defenses) â–Ş Attacks (ways in which the threats may be actualized) â–Ş Mechanisms to tackle attacks
  • 6. Information Security â–Ş Information security is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. â–Ş by development and deployment of security applications and infrastructures â–Ş It also refers to: â–Ş Protecting information no matter where that information is, i.e. in transit (on the network) or in a storage area. â–Ş The detection and remediation of security breaches, as well as documenting those events.
  • 7. Information Assurance â–Ş Information assurance: measures taken to protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality e.t.c. • incorporate protection, detection and reaction capabilities. â–Ş IA includes: • Physical security: protection of hardware, software, and data against physical threats. • Personnel security: measures taken to reduce the likelihood and severity of accidental and intentional attacks by insiders and known outsiders. • Operational security: involves the implementation of standard operational security procedures that define the interaction between systems and users. • IT security: technical features and functions that collectively contribute to an IT infrastructure for achieving and sustain CIA.
  • 8. Privacy • Privacy means that your data, such as personal files and e- mail messages, is not accessible by anyone without your permission. • Privacy deals with the measures that you can take to restrict access to your data.
  • 9. Why Information Security? • Protect organizations and companies data and asset from insider and outsider attack • Prevent unauthorized people from accessing our valued information’s, to manipulate with it or steal it. • Protect your sensitive data from natural disaster and accidental risks by using business continuity and disaster recovery management. • Regulatory compliance: adherence to laws, regulations, guidelines and specifications relevant to its business processes. • Thwart identity theft etc.
  • 10. Challenges of Information Security • In developing a particular security mechanism or algorithm, one must always consider potential security threats and attacks on different security features. • Having designed various security mechanisms, it is necessary to decide where to use them. • Security mechanisms typically involve more than a particular algorithm or protocol. • Security requires regular, even constant, monitoring, and this is difficult in today’s short-term, overloaded environment. • Lack of awareness about information security
  • 11. Aspects of Computer/IS Security The 3 aspects of computer/information security are: â–Ş Security attack: Any action that compromises the security of information owned by an organization. â–Ş Security mechanism: A process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack. oExamples: encryption, digital signature, IDS, access control e.t.c â–Ş Security service: A processing or communication service that enhances the security of the data processing systems and the information transfers of an organization.
  • 12. Security Requirements/Services • Are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service. • The main objectives of computer security is preserving the CIA triad
  • 13. Cont.. • Confidentiality • Integrity • Availability • Authentication • Non-repudiation • Accountability etc.
  • 14. Confidentiality • protect unauthorized discloser of information • the assurance that information is not disclosed to unauthorized persons, processes or devices • This can cover two aspects: â–Ş protecting information stored in files â–Ş protecting information while in transmission • Example: â–Ş An employee should not come to know the salary of his manager â–Ş The target coordinates of a missile should not be improperly disclosed.
  • 15. Integrity • protect unauthorized modification of information. • the assurance that data/information can not be created, changed, or deleted without proper authorization. â–Ş System Integrity means that there is an external consistency in the system: everything is as it is expected to be â–Ş Data integrity means that the data stored on a computer is the same as the source documents (changed only in a specified and authorized manner.) • Example: an employee should not be able to modify the employee's own salary â–Ş The target coordinates of a missile should not be improperly modified
  • 16. Availability • Information need to be available for authorized parities whenever needed. • Availability is the prevention of unauthorized with holding of information. • Timely, reliable access to data and information services for authorized users. • Used to guarantee access to information • Denial of service attacks are a common form of attack.
  • 17. Authentication • Who you are? • Proving that a user is the person he /she claims to be. • Factors of authentication â–Ş Something you know (password) â–Ş Something you have (Chip) â–Ş Something you are- that proves the person’s identity (biometric: fingerprint). â–Ş Somewhere you are: related to you location â–Ş Something you do : identification by observing your unique physical actions â–Ş Or the combination of those techniques (multi- factor authentication)
  • 18. Authorization • What you can do? • Determine access levels or privileges related to system resources including files, services, computer programs, data and application features. • Authentication and Authorization go hand in hand.
  • 19. Nonrepudiation • Prevention of either the sender or the receiver denying a transmitted message. (Proof of sender’s identity and message delivery) â–Ş neither can later deny having processed the data. â–Ş Security is strong when the means of authentication cannot later be refuted: the user cannot later deny that he or she performed the activity. • Can be guaranteed using digital signature.
  • 20. What should we protect? • One of the major goal of information/computer security as a discipline and as a profession is to protect valuable assets. â–Ş Assets: items of value • Determining what to protect requires that we first identify what has value and to whom. • Assets include: â–Ş Hardware • Computer components • Networks and communications channels • Mobile devices â–Ş Software • Operating system • Off-the-shelf Programs and apps • Customized programs and Apps â–Ş Data • Files • Databases
  • 21. Asset Valuation • The perceived value of an asset depends upon the ease with which the asset can be replaced. Individual applications Unique: difficult to replace Data Hardware Software Easily Replaceable
  • 22. Balancing Security and Access • Information security is not absolute â–Ş It is a process and not a goal • No security- complete access to assets â–Ş Available to anyone, anytime and anywhere (pose a danger to security) • Complete security- No access â–Ş A completely secure information system would not allow anyone access
  • 23. How to protect our Asset? • To study methods of asset protection we use a vulnerability-threat-control framework. â–Ş Vulnerability • A weakness in a system • Can be exploited to cause harm or loss • A human who exploits the vulnerability perpetrating an attack on the system (cause a harm/loss)
  • 24. Cont.. Hardware â–Ş susceptibility to humidity â–Ş susceptibility to dust â–Ş susceptibility to soiling etc. Software â–Ş insufficient testing, lack of audit trail â–Ş design flaw Network â–Ş unprotected communication lines â–Ş insecure network architecture • Personnel â–Ş inadequate recruiting process â–Ş inadequate security awareness • Physical site â–Ş area subject to flood, unreliable power source etc. • Organizational â–Ş lack of regular audits â–Ş lack of continuity plans , lack of security etc. Vulnerabilities are classified according to the asset class they are related to:
  • 25. Cont.. â–Ş Threat â–Ş A set of circumstances that has the potential to cause harm or lose â–Ş Can be natural, human or process threat â–Ş Control • An action, device or procedure or technique that eliminate or reduce vulnerability • Also called countermeasure (Physical, Administrative and Technical )
  • 26. Security Management and Risk Analysis
  • 27. Cont.. • What and Why first? • How only later? • What need to secured and why (e.g. Assets, regulation, attacks, etc) ? • What technical solutions to use and how?
  • 28. Risk • Risk is the possibility that a particular threat will adversely impact an information system by exploiting a particular vulnerability. â–Ş The assessment of risk must take into account the consequences of an exploit. • Risk analysis is the study of the cost of a particular system against the benefits of the system. • Risk management is a process for an organization to identify and address the risks in their environment.
  • 29. Risk Management Framework • There are several risk management frameworks, and each defines a procedure for an organization to follow • One particular risk management procedure (from Viega and McGraw) consists of six steps: 1. Assess assets 2. Assess threats 3. Assess vulnerabilities 4. Assess risks 5. Prioritize countermeasure options 6. Make risk management decisions
  • 32. Risk Treatment • Once the risk has been identified and assessed, managing the risk can be done through one of four techniques: • Risk acceptance: risks not avoided or transferred are retained by the organization. • E.g. Sometimes the cost of insurance is greater than the potential loss. â–Ş Sometimes the loss is improbable, though catastrophic. • Risk avoidance: not performing an activity that would incur risk. E.g. disallow remote login. • Risk mitigation: taking actions to reduce the losses due to a risk; many technical countermeasures fall into this category. • Risk transfer: shift the risk to someone else. E.g. most insurance contracts, home security systems.