SlideShare a Scribd company logo

Information System Security(lecture 1)

Download as PPT, PDF
Ali Habeeb, profile picture
Ali Habeeb

This document provides an introduction to information system security. It discusses key concepts like security, information security, vulnerabilities, threats, attacks, security policies, and security measures. The document outlines common security risks like interruption, interception, modification, masquerading, and repudiation. It explains that security policies provide guidelines for implementing security controls to protect information system assets from such risks according to the security principles of confidentiality, integrity, and availability.

TechnologyNews & Politics
1 of 20
Downloaded 421 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
Most read
15
Most read
16
17
Most read
18
19
20
Information System SecurityInformation System Security Lecture 1Lecture 1 Introduction to Information SystemIntroduction to Information System SecuritySecurity
22 OutlineOutline 1.1. What is Security?What is Security? 2.2. What is Information Security?What is Information Security? 3.3. Why Information System Security?Why Information System Security? 4.4. Vulnerability, Threat and AttackVulnerability, Threat and Attack 5.5. Security PoliciesSecurity Policies 6.6. Security MeasuresSecurity Measures 7.7. Security RequirementsSecurity Requirements 8.8. Security ServicesSecurity Services 9.9. Security MechanismsSecurity Mechanisms
33 1. What is security?1. What is security?  SecuritySecurity:: protecting general assetsprotecting general assets  Security can be realized through:Security can be realized through: 1.1. PreventionPrevention: take measures that prevent your assets from being damaged.: take measures that prevent your assets from being damaged. 2.2. DetectionDetection: take measures so that you can detect when, how, and by: take measures so that you can detect when, how, and by whom an asset has been damaged.whom an asset has been damaged. 3.3. ReactionReaction: take measures so that you can recover your assets or to recover: take measures so that you can recover your assets or to recover from a damage to your assetsfrom a damage to your assets  Examples: next slideExamples: next slide  There are many branches of Security: national security,There are many branches of Security: national security, economic security,economic security, information securityinformation security, etc., etc.
44 ExamplesExamples  Ex. 1 - Private propertyEx. 1 - Private property – Prevention: locks at doors, window bars, walls around the property.Prevention: locks at doors, window bars, walls around the property. – Detection: stolen items aren’t there any more, burglar alarms, CCTV, …Detection: stolen items aren’t there any more, burglar alarms, CCTV, … – Reaction: call the police,…Reaction: call the police,…
55 ExamplesExamples  Ex. 2 - eCommerceEx. 2 - eCommerce – Prevention: encrypt your orders, rely on the merchant to perform checksPrevention: encrypt your orders, rely on the merchant to perform checks on the caller,…on the caller,… – Detection: an unauthorized transaction appears on your credit cardDetection: an unauthorized transaction appears on your credit card statementstatement – Reaction: complain, ask for a new credit card number, …Reaction: complain, ask for a new credit card number, …
66 2. What is Information Security?2. What is Information Security?  Information securityInformation security:: is concerned with protecting informationis concerned with protecting information and information resources such as: books, faxes, computer data,and information resources such as: books, faxes, computer data, voice communications, etc.voice communications, etc.  Information security isInformation security is determining:determining:  whatwhat needs to be protected,needs to be protected, i.e.i.e., assets, assets  andand whywhy (Security requirements which include CIA),(Security requirements which include CIA),  whatwhat needs to be protected from (Threats, vulnerabilities, risks),needs to be protected from (Threats, vulnerabilities, risks),  andand howhow (Security measures) to protect it for as long as it exists(Security measures) to protect it for as long as it exists – Security measures which are implemented according to a security policySecurity measures which are implemented according to a security policy
77 3. What is Information System3. What is Information System Security (ISS)?Security (ISS)? InformationInformation SystemsSystems (assets)(assets)Security Measures Attackers Policies Taken from K. Martin’s lecture, RHUL
88 Information System SecurityInformation System Security  ISS is concerned with protecting Information systemISS is concerned with protecting Information system assets such as PCs, software, applications, etc.assets such as PCs, software, applications, etc.  In order to ensure the security of Information Systems, weIn order to ensure the security of Information Systems, we need to determine:need to determine: 1.1. Assets (i.e., Information systems) to be protectedAssets (i.e., Information systems) to be protected 2.2. Security requirements; CIASecurity requirements; CIA 3.3. Threats, vulnerabilities, risksThreats, vulnerabilities, risks 4.4. Security policiesSecurity policies 5.5. Security measuresSecurity measures
99 4. Vulnerability, Threat and4. Vulnerability, Threat and AttackAttack  AA vulnerabilityvulnerability: is a weakness in system design or: is a weakness in system design or implementation and can be in hardware or software.implementation and can be in hardware or software. – Example: a software bug exists in the OS, or no password rules are set.Example: a software bug exists in the OS, or no password rules are set.  AA threatthreat:: – Is a set of circumstances that has the potential to cause loss or harmIs a set of circumstances that has the potential to cause loss or harm – is an indication of potential undesirable eventis an indication of potential undesirable event – It refers to a situation in whichIt refers to a situation in which  a person could do something undesirable (an attacker initiating a denial-of-a person could do something undesirable (an attacker initiating a denial-of- service attack against an organization's email server), orservice attack against an organization's email server), or  a natural occurrence could cause an undesirable outcome (a fire damaging ana natural occurrence could cause an undesirable outcome (a fire damaging an organization's information technology hardware).organization's information technology hardware).
1010 4. Vulnerability, Threat and4. Vulnerability, Threat and AttackAttack  AA RiskRisk is the possibility of suffering harm or loss.is the possibility of suffering harm or loss.  AnAn attackattack: is a realization of a threat: is a realization of a threat  AnAn attackerattacker: is a person who exploit a vulnerability: is a person who exploit a vulnerability  An attacker must have means, opportunity, and motiveAn attacker must have means, opportunity, and motive – Synonyms: enemy, adversary, opponent, eavesdropper, intruderSynonyms: enemy, adversary, opponent, eavesdropper, intruder
1111 Vulnerability, Attack and ThreatVulnerability, Attack and Threat  AA hackerhacker:: – A person who have advanced knowledge of operating systems andA person who have advanced knowledge of operating systems and programming languagesprogramming languages – Might discover holes within systems and the reasons for such holesMight discover holes within systems and the reasons for such holes – Share what they discover but never intentionally damage dataShare what they discover but never intentionally damage data  AA crackercracker:: – The one who breaks into or violates the system integrity of remoteThe one who breaks into or violates the system integrity of remote machines with the malicious intent, i.e., gaining unauthorized accessmachines with the malicious intent, i.e., gaining unauthorized access – Might destroy vital data, deny legitimate users servicesMight destroy vital data, deny legitimate users services  AA passive adversarypassive adversary is an adversary who is capable only ofis an adversary who is capable only of reading from an unsecured channelreading from an unsecured channel  AnAn active adversaryactive adversary is an adversary who may also transmit, alter,is an adversary who may also transmit, alter, or delete information on an unsecured channelor delete information on an unsecured channel
1212 Common security attacksCommon security attacks  InterruptionInterruption, delay, denial of receipt or denial of service, delay, denial of receipt or denial of service – System assets or information become unavailable or are rendered unavailableSystem assets or information become unavailable or are rendered unavailable  Interception or snoopingInterception or snooping – Unauthorized party gains access to information by browsing through files orUnauthorized party gains access to information by browsing through files or reading communications.reading communications.  Modification or alterationModification or alteration – Unauthorized party changes information in transit or information stored forUnauthorized party changes information in transit or information stored for subsequent access.subsequent access.  Masquerade or spoofingMasquerade or spoofing – Spurious information is inserted into the system or network by making it appearsSpurious information is inserted into the system or network by making it appears as if it is from a legitimate entity.as if it is from a legitimate entity.  Repudiation of originRepudiation of origin – False denial that an entity created something.False denial that an entity created something.
1313 5. Security Policy5. Security Policy  AA security policysecurity policy states what is, and is not, allowedstates what is, and is not, allowed  Is a document describing a company’s security controls andIs a document describing a company’s security controls and activities.activities.  Does not specify technologies.Does not specify technologies.  Examples:Examples: – Policy: Password constructionPolicy: Password construction Account names must not be used inAccount names must not be used in passwords.passwords. – Policy: Confidentiality of Personal informationPolicy: Confidentiality of Personal information all personalall personal information must be treated as confidential.information must be treated as confidential.  A security Policy is a guideline for implementing securityA security Policy is a guideline for implementing security measures.measures.
1414 6. Security measures6. Security measures  Security measuresSecurity measures include techniques for ensuring:include techniques for ensuring: – Prevention: such asPrevention: such as encryptionencryption,, user authenticationuser authentication,, one timeone time passwordpassword,, anti-virusanti-virus,, firewalfirewall, etc.l, etc. – Detection: such asDetection: such as IDS (Intrusion Detection Systems)IDS (Intrusion Detection Systems), Monitoring tools,, Monitoring tools, Firewall log,Firewall log, digital signaturedigital signature, etc., etc. – Reaction (or recovery): Such as Backup systems, OS’s recovery points,Reaction (or recovery): Such as Backup systems, OS’s recovery points, etc.etc.  Encryption (lectures 2 & 3)Encryption (lectures 2 & 3)  Digital Signature (lecture 4)Digital Signature (lecture 4)  User Authentication (lecture 5)User Authentication (lecture 5)  Antivirus (lecture 7)Antivirus (lecture 7)  IDS and firewalls (Lectures 8 & 9)IDS and firewalls (Lectures 8 & 9) Database security (lecture 6)
1515 7. Security Requirements7. Security Requirements  Most important security requirements are:Most important security requirements are: – ConfidentialityConfidentiality: keeping information secret from all but those: keeping information secret from all but those who are authorized to see it.who are authorized to see it.  Also called secrecy or privacyAlso called secrecy or privacy – IntegrityIntegrity: ensuring information has not been altered by: ensuring information has not been altered by unauthorized or unknown means.unauthorized or unknown means. – AvailabilityAvailability :: keeping information accessible by authorized userskeeping information accessible by authorized users when requiredwhen required
1616 Security RequirementsSecurity Requirements  Other requirements:Other requirements: – Entity authenticationEntity authentication :: corroboration of the identity of an entitycorroboration of the identity of an entity (e.g., a person, a credit card, etc.)(e.g., a person, a credit card, etc.)  Identification, identity verificationIdentification, identity verification – Message authenticationMessage authentication : corroborating the source of: corroborating the source of information; also known asinformation; also known as data origin authenticationdata origin authentication..  Message authentication implicitly provides data integrityMessage authentication implicitly provides data integrity – Digital SignatureDigital Signature : a means to bind information to an entity: a means to bind information to an entity – Non-repudiationNon-repudiation:: preventing the denial of previous commitmentspreventing the denial of previous commitments or actionsor actions
1717 Security RequirementsSecurity Requirements – AuthorizationAuthorization : conveyance, to another party, of official sanction: conveyance, to another party, of official sanction to do or to be something.to do or to be something. – Access controlAccess control: restricting access to resources to privileged: restricting access to resources to privileged entities.entities. – ValidationValidation: a means to provide timeliness of authorization to use: a means to provide timeliness of authorization to use or manipulate information or resources.or manipulate information or resources.  These Requirements are referred to asThese Requirements are referred to as ISS objectivesISS objectives (another definition of ISS)(another definition of ISS)..
1818 8. Security services8. Security services  AnAn information security serviceinformation security service is a method to provide someis a method to provide some specific aspects of securityspecific aspects of security – ExamplesExamples  Confidentiality is a security objective (requirement), encryption is anConfidentiality is a security objective (requirement), encryption is an information security serviceinformation security service  Integrity is another security objective (requirement), a method to ensureIntegrity is another security objective (requirement), a method to ensure integrity is a security service.integrity is a security service.  BreakingBreaking a security service implies defeating the objective ofa security service implies defeating the objective of the intended service.the intended service.
1919 9. Security mechanisms9. Security mechanisms  AA security mechanismsecurity mechanism encompasses Protocols, algorithms,encompasses Protocols, algorithms, Non-cryptographic techniques (hardware protection) toNon-cryptographic techniques (hardware protection) to achieve specific security objectives (confidentiality, integrity,achieve specific security objectives (confidentiality, integrity, …).…).
2020

More Related Content

PPTX
INFORMATION SECURITY
Ahmed Moussa
 
PPTX
INFORMATION SECURITY SYSTEM
ANAND MURALI
 
PPTX
Introduction to Information Security
Shreedevi Tharanidharan
 
PPT
Introduction to Computer Networks Lecture slides ppt
Osama Yousaf
 
PPTX
Information Security Lecture #1 ppt
vasanthimuniasamy
 
PPT
Introduction to Information Security
Dr. Loganathan R
 
PPT
Cloud Computing Security Challenges
Yateesh Yadav
 
PPT
Information Assurance And Security - Chapter 1 - Lesson 1
MLG College of Learning, Inc
 
INFORMATION SECURITY
Ahmed Moussa
 
INFORMATION SECURITY SYSTEM
ANAND MURALI
 
Introduction to Information Security
Shreedevi Tharanidharan
 
Introduction to Computer Networks Lecture slides ppt
Osama Yousaf
 
Information Security Lecture #1 ppt
vasanthimuniasamy
 
Introduction to Information Security
Dr. Loganathan R
 
Cloud Computing Security Challenges
Yateesh Yadav
 
Information Assurance And Security - Chapter 1 - Lesson 1
MLG College of Learning, Inc
 

What's hot (20)

PPSX
Security policies
Nishant Pahad
 
PPT
IT Security management and risk assessment
CAS
 
PPTX
Introduction to Cybersecurity Fundamentals
Toño Herrera
 
PPTX
CYBER SECURITY
Vaishak Chandran
 
PPT
Computer security overview
CAS
 
PPT
Ethical hacking
Altacit Global
 
PPT
Information security management
UMaine
 
PPTX
Cyber Security Presentation "It Will Never Happen To Me"
Simon Salter
 
PPT
Network security
Gichelle Amon
 
PPTX
Cyber Security Awareness
Innocent Korie
 
PPTX
Information security management system
Arani Srinivasan
 
PDF
Basics of Cyber Security
Nikunj Thakkar
 
PPTX
Cyber Security Best Practices
Evolve IP
 
PPTX
Types of attacks
Vivek Gandhi
 
PPTX
Cyber crime ppt
MOE515253
 
PPTX
Introduction to information security
jayashri kolekar
 
PPTX
Cyber crime and security
Sharath Raj
 
PPTX
Data Privacy and Protection Presentation
mlw32785
 
PDF
Information Security Lecture Notes
FellowBuddy.com
 
PDF
Computer Security Threats
Quick Heal Technologies Ltd.
 
Security policies
Nishant Pahad
 
IT Security management and risk assessment
CAS
 
Introduction to Cybersecurity Fundamentals
Toño Herrera
 
CYBER SECURITY
Vaishak Chandran
 
Computer security overview
CAS
 
Ethical hacking
Altacit Global
 
Information security management
UMaine
 
Cyber Security Presentation "It Will Never Happen To Me"
Simon Salter
 
Network security
Gichelle Amon
 
Cyber Security Awareness
Innocent Korie
 
Information security management system
Arani Srinivasan
 
Basics of Cyber Security
Nikunj Thakkar
 
Cyber Security Best Practices
Evolve IP
 
Types of attacks
Vivek Gandhi
 
Cyber crime ppt
MOE515253
 
Introduction to information security
jayashri kolekar
 
Cyber crime and security
Sharath Raj
 
Data Privacy and Protection Presentation
mlw32785
 
Information Security Lecture Notes
FellowBuddy.com
 
Computer Security Threats
Quick Heal Technologies Ltd.
 
Ad

Viewers also liked (11)

PDF
Information system and security control
Cheng Olayvar
 
PPT
4 System For Information Security
Ana Meskovska
 
PDF
Plugging the Holes: Security and Compatability in Hadoop
Owen O'Malley
 
PDF
Information system development
Sanoob Sidiq
 
PPTX
SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)
Biswajit Bhattacharjee
 
PPT
PROPRIETARY AND OPEN SOURCE SOFTWARE
Kak Yong
 
PPT
Security & control in management information system
Online
 
PPTX
InformationSecurity
learnt
 
PPT
Planning, design and implementation of information systems
Online
 
PDF
System Development Life Cycle & Implementation of MIS
George V James
 
PPT
Implementation of MIS and its methods
Poojith Chowdhary
 
Information system and security control
Cheng Olayvar
 
4 System For Information Security
Ana Meskovska
 
Plugging the Holes: Security and Compatability in Hadoop
Owen O'Malley
 
Information system development
Sanoob Sidiq
 
SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)
Biswajit Bhattacharjee
 
PROPRIETARY AND OPEN SOURCE SOFTWARE
Kak Yong
 
Security & control in management information system
Online
 
InformationSecurity
learnt
 
Planning, design and implementation of information systems
Online
 
System Development Life Cycle & Implementation of MIS
George V James
 
Implementation of MIS and its methods
Poojith Chowdhary
 
Ad

Similar to Information System Security(lecture 1) (20)

PPT
Basic security concepts_chapter_1
abdifatah said
 
PPT
Basic Security Chapter 1
AfiqEfendy Zaen
 
PPT
ch01_overview_bywillialmstallings_nemo.ppt
blockchaincrc2023
 
PPT
ch01_overview_nemo cryptography concepts.ppt
MubeenaBegum11
 
PPTX
PPT0-Computer Security Concepts.pptx
PiBits
 
PDF
Basic security concepts_chapter_1_6perpage
nakomuri
 
PPTX
Introduction to Computer Security
Kamal Acharya
 
PPT
Ch01
n C
 
PPTX
LIS3353 SP12 Week 9
Amanda Case
 
PPT
Security practivce and their best way to lear
rahulshah641439
 
PPT
Introduction Network security
IGZ Software house
 
PPTX
IS Unit II.pptx
LAVANYAsrietacin
 
PPTX
System Security-Chapter 1
Vamsee Krishna Kiran
 
PPTX
EBRE TABOR UNIVERSITY Gafat Institute of Technology Department of Information...
shambelworku8
 
DOCX
E sec chaptr-1
123aleena
 
PPTX
Security in network computing
Manoj VNV
 
PDF
Sec0001 .pdf
mah902110
 
PPTX
unit 5 FCS efujhgdkkifevnurdviutfjiutdffgii
nickyy222333
 
PPT
ch01.pptch01.pptch01.pptch01.pptch01.ppt
kelumsd
 
PPT
Ia 124 1621324143 ia_124_lecture_01
ITNet
 
Basic security concepts_chapter_1
abdifatah said
 
Basic Security Chapter 1
AfiqEfendy Zaen
 
ch01_overview_bywillialmstallings_nemo.ppt
blockchaincrc2023
 
ch01_overview_nemo cryptography concepts.ppt
MubeenaBegum11
 
PPT0-Computer Security Concepts.pptx
PiBits
 
Basic security concepts_chapter_1_6perpage
nakomuri
 
Introduction to Computer Security
Kamal Acharya
 
Ch01
n C
 
LIS3353 SP12 Week 9
Amanda Case
 
Security practivce and their best way to lear
rahulshah641439
 
Introduction Network security
IGZ Software house
 
IS Unit II.pptx
LAVANYAsrietacin
 
System Security-Chapter 1
Vamsee Krishna Kiran
 
EBRE TABOR UNIVERSITY Gafat Institute of Technology Department of Information...
shambelworku8
 
E sec chaptr-1
123aleena
 
Security in network computing
Manoj VNV
 
Sec0001 .pdf
mah902110
 
unit 5 FCS efujhgdkkifevnurdviutfjiutdffgii
nickyy222333
 
ch01.pptch01.pptch01.pptch01.pptch01.ppt
kelumsd
 
Ia 124 1621324143 ia_124_lecture_01
ITNet
 

More from Ali Habeeb (20)

PPT
Anonymous Connections And Onion Routing
Ali Habeeb
 
PPT
Opinion Mining
Ali Habeeb
 
PPT
WAP
Ali Habeeb
 
PPT
USB 3.0
Ali Habeeb
 
PPTX
Blue Eyes
Ali Habeeb
 
PPT
Cloud Security
Ali Habeeb
 
PDF
Data-Centric Routing Protocols in Wireless Sensor Network: A survey
Ali Habeeb
 
PPTX
Web Security
Ali Habeeb
 
PPTX
Secure erasure code based distributed storage system with secure data forwarding
Ali Habeeb
 
PPT
Organizing User Search Histories
Ali Habeeb
 
PPTX
Detecting and Resolving Firewall Policy Anomalies
Ali Habeeb
 
PPT
Bit Torrent Protocol
Ali Habeeb
 
PPTX
A study of Data Quality and Analytics
Ali Habeeb
 
PPT
Adhoc and Sensor Networks - Chapter 10
Ali Habeeb
 
PPT
Adhoc and Sensor Networks - Chapter 09
Ali Habeeb
 
PPT
Adhoc and Sensor Networks - Chapter 08
Ali Habeeb
 
PPT
Adhoc and Sensor Networks - Chapter 07
Ali Habeeb
 
PPT
Adhoc and Sensor Networks - Chapter 06
Ali Habeeb
 
PPT
Adhoc and Sensor Networks - Chapter 05
Ali Habeeb
 
PPT
Adhoc and Sensor Networks - Chapter 04
Ali Habeeb
 
Anonymous Connections And Onion Routing
Ali Habeeb
 
Opinion Mining
Ali Habeeb
 
WAP
Ali Habeeb
 
USB 3.0
Ali Habeeb
 
Blue Eyes
Ali Habeeb
 
Cloud Security
Ali Habeeb
 
Data-Centric Routing Protocols in Wireless Sensor Network: A survey
Ali Habeeb
 
Web Security
Ali Habeeb
 
Secure erasure code based distributed storage system with secure data forwarding
Ali Habeeb
 
Organizing User Search Histories
Ali Habeeb
 
Detecting and Resolving Firewall Policy Anomalies
Ali Habeeb
 
Bit Torrent Protocol
Ali Habeeb
 
A study of Data Quality and Analytics
Ali Habeeb
 
Adhoc and Sensor Networks - Chapter 10
Ali Habeeb
 
Adhoc and Sensor Networks - Chapter 09
Ali Habeeb
 
Adhoc and Sensor Networks - Chapter 08
Ali Habeeb
 
Adhoc and Sensor Networks - Chapter 07
Ali Habeeb
 
Adhoc and Sensor Networks - Chapter 06
Ali Habeeb
 
Adhoc and Sensor Networks - Chapter 05
Ali Habeeb
 
Adhoc and Sensor Networks - Chapter 04
Ali Habeeb
 

Recently uploaded (20)

PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Teaching material agriculture food technology
LiaRayya
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
KodekX | Application Modernization Development
KodekX
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Cloud computing and distributed systems.
kkkkkhan
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 

Information System Security(lecture 1)

  • 1. Information System SecurityInformation System Security Lecture 1Lecture 1 Introduction to Information SystemIntroduction to Information System SecuritySecurity
  • 2. 22 OutlineOutline 1.1. What is Security?What is Security? 2.2. What is Information Security?What is Information Security? 3.3. Why Information System Security?Why Information System Security? 4.4. Vulnerability, Threat and AttackVulnerability, Threat and Attack 5.5. Security PoliciesSecurity Policies 6.6. Security MeasuresSecurity Measures 7.7. Security RequirementsSecurity Requirements 8.8. Security ServicesSecurity Services 9.9. Security MechanismsSecurity Mechanisms
  • 3. 33 1. What is security?1. What is security?  SecuritySecurity:: protecting general assetsprotecting general assets  Security can be realized through:Security can be realized through: 1.1. PreventionPrevention: take measures that prevent your assets from being damaged.: take measures that prevent your assets from being damaged. 2.2. DetectionDetection: take measures so that you can detect when, how, and by: take measures so that you can detect when, how, and by whom an asset has been damaged.whom an asset has been damaged. 3.3. ReactionReaction: take measures so that you can recover your assets or to recover: take measures so that you can recover your assets or to recover from a damage to your assetsfrom a damage to your assets  Examples: next slideExamples: next slide  There are many branches of Security: national security,There are many branches of Security: national security, economic security,economic security, information securityinformation security, etc., etc.
  • 4. 44 ExamplesExamples  Ex. 1 - Private propertyEx. 1 - Private property – Prevention: locks at doors, window bars, walls around the property.Prevention: locks at doors, window bars, walls around the property. – Detection: stolen items aren’t there any more, burglar alarms, CCTV, …Detection: stolen items aren’t there any more, burglar alarms, CCTV, … – Reaction: call the police,…Reaction: call the police,…
  • 5. 55 ExamplesExamples  Ex. 2 - eCommerceEx. 2 - eCommerce – Prevention: encrypt your orders, rely on the merchant to perform checksPrevention: encrypt your orders, rely on the merchant to perform checks on the caller,…on the caller,… – Detection: an unauthorized transaction appears on your credit cardDetection: an unauthorized transaction appears on your credit card statementstatement – Reaction: complain, ask for a new credit card number, …Reaction: complain, ask for a new credit card number, …
  • 6. 66 2. What is Information Security?2. What is Information Security?  Information securityInformation security:: is concerned with protecting informationis concerned with protecting information and information resources such as: books, faxes, computer data,and information resources such as: books, faxes, computer data, voice communications, etc.voice communications, etc.  Information security isInformation security is determining:determining:  whatwhat needs to be protected,needs to be protected, i.e.i.e., assets, assets  andand whywhy (Security requirements which include CIA),(Security requirements which include CIA),  whatwhat needs to be protected from (Threats, vulnerabilities, risks),needs to be protected from (Threats, vulnerabilities, risks),  andand howhow (Security measures) to protect it for as long as it exists(Security measures) to protect it for as long as it exists – Security measures which are implemented according to a security policySecurity measures which are implemented according to a security policy
  • 7. 77 3. What is Information System3. What is Information System Security (ISS)?Security (ISS)? InformationInformation SystemsSystems (assets)(assets)Security Measures Attackers Policies Taken from K. Martin’s lecture, RHUL
  • 8. 88 Information System SecurityInformation System Security  ISS is concerned with protecting Information systemISS is concerned with protecting Information system assets such as PCs, software, applications, etc.assets such as PCs, software, applications, etc.  In order to ensure the security of Information Systems, weIn order to ensure the security of Information Systems, we need to determine:need to determine: 1.1. Assets (i.e., Information systems) to be protectedAssets (i.e., Information systems) to be protected 2.2. Security requirements; CIASecurity requirements; CIA 3.3. Threats, vulnerabilities, risksThreats, vulnerabilities, risks 4.4. Security policiesSecurity policies 5.5. Security measuresSecurity measures
  • 9. 99 4. Vulnerability, Threat and4. Vulnerability, Threat and AttackAttack  AA vulnerabilityvulnerability: is a weakness in system design or: is a weakness in system design or implementation and can be in hardware or software.implementation and can be in hardware or software. – Example: a software bug exists in the OS, or no password rules are set.Example: a software bug exists in the OS, or no password rules are set.  AA threatthreat:: – Is a set of circumstances that has the potential to cause loss or harmIs a set of circumstances that has the potential to cause loss or harm – is an indication of potential undesirable eventis an indication of potential undesirable event – It refers to a situation in whichIt refers to a situation in which  a person could do something undesirable (an attacker initiating a denial-of-a person could do something undesirable (an attacker initiating a denial-of- service attack against an organization's email server), orservice attack against an organization's email server), or  a natural occurrence could cause an undesirable outcome (a fire damaging ana natural occurrence could cause an undesirable outcome (a fire damaging an organization's information technology hardware).organization's information technology hardware).
  • 10. 1010 4. Vulnerability, Threat and4. Vulnerability, Threat and AttackAttack  AA RiskRisk is the possibility of suffering harm or loss.is the possibility of suffering harm or loss.  AnAn attackattack: is a realization of a threat: is a realization of a threat  AnAn attackerattacker: is a person who exploit a vulnerability: is a person who exploit a vulnerability  An attacker must have means, opportunity, and motiveAn attacker must have means, opportunity, and motive – Synonyms: enemy, adversary, opponent, eavesdropper, intruderSynonyms: enemy, adversary, opponent, eavesdropper, intruder
  • 11. 1111 Vulnerability, Attack and ThreatVulnerability, Attack and Threat  AA hackerhacker:: – A person who have advanced knowledge of operating systems andA person who have advanced knowledge of operating systems and programming languagesprogramming languages – Might discover holes within systems and the reasons for such holesMight discover holes within systems and the reasons for such holes – Share what they discover but never intentionally damage dataShare what they discover but never intentionally damage data  AA crackercracker:: – The one who breaks into or violates the system integrity of remoteThe one who breaks into or violates the system integrity of remote machines with the malicious intent, i.e., gaining unauthorized accessmachines with the malicious intent, i.e., gaining unauthorized access – Might destroy vital data, deny legitimate users servicesMight destroy vital data, deny legitimate users services  AA passive adversarypassive adversary is an adversary who is capable only ofis an adversary who is capable only of reading from an unsecured channelreading from an unsecured channel  AnAn active adversaryactive adversary is an adversary who may also transmit, alter,is an adversary who may also transmit, alter, or delete information on an unsecured channelor delete information on an unsecured channel
  • 12. 1212 Common security attacksCommon security attacks  InterruptionInterruption, delay, denial of receipt or denial of service, delay, denial of receipt or denial of service – System assets or information become unavailable or are rendered unavailableSystem assets or information become unavailable or are rendered unavailable  Interception or snoopingInterception or snooping – Unauthorized party gains access to information by browsing through files orUnauthorized party gains access to information by browsing through files or reading communications.reading communications.  Modification or alterationModification or alteration – Unauthorized party changes information in transit or information stored forUnauthorized party changes information in transit or information stored for subsequent access.subsequent access.  Masquerade or spoofingMasquerade or spoofing – Spurious information is inserted into the system or network by making it appearsSpurious information is inserted into the system or network by making it appears as if it is from a legitimate entity.as if it is from a legitimate entity.  Repudiation of originRepudiation of origin – False denial that an entity created something.False denial that an entity created something.
  • 13. 1313 5. Security Policy5. Security Policy  AA security policysecurity policy states what is, and is not, allowedstates what is, and is not, allowed  Is a document describing a company’s security controls andIs a document describing a company’s security controls and activities.activities.  Does not specify technologies.Does not specify technologies.  Examples:Examples: – Policy: Password constructionPolicy: Password construction Account names must not be used inAccount names must not be used in passwords.passwords. – Policy: Confidentiality of Personal informationPolicy: Confidentiality of Personal information all personalall personal information must be treated as confidential.information must be treated as confidential.  A security Policy is a guideline for implementing securityA security Policy is a guideline for implementing security measures.measures.
  • 14. 1414 6. Security measures6. Security measures  Security measuresSecurity measures include techniques for ensuring:include techniques for ensuring: – Prevention: such asPrevention: such as encryptionencryption,, user authenticationuser authentication,, one timeone time passwordpassword,, anti-virusanti-virus,, firewalfirewall, etc.l, etc. – Detection: such asDetection: such as IDS (Intrusion Detection Systems)IDS (Intrusion Detection Systems), Monitoring tools,, Monitoring tools, Firewall log,Firewall log, digital signaturedigital signature, etc., etc. – Reaction (or recovery): Such as Backup systems, OS’s recovery points,Reaction (or recovery): Such as Backup systems, OS’s recovery points, etc.etc.  Encryption (lectures 2 & 3)Encryption (lectures 2 & 3)  Digital Signature (lecture 4)Digital Signature (lecture 4)  User Authentication (lecture 5)User Authentication (lecture 5)  Antivirus (lecture 7)Antivirus (lecture 7)  IDS and firewalls (Lectures 8 & 9)IDS and firewalls (Lectures 8 & 9) Database security (lecture 6)
  • 15. 1515 7. Security Requirements7. Security Requirements  Most important security requirements are:Most important security requirements are: – ConfidentialityConfidentiality: keeping information secret from all but those: keeping information secret from all but those who are authorized to see it.who are authorized to see it.  Also called secrecy or privacyAlso called secrecy or privacy – IntegrityIntegrity: ensuring information has not been altered by: ensuring information has not been altered by unauthorized or unknown means.unauthorized or unknown means. – AvailabilityAvailability :: keeping information accessible by authorized userskeeping information accessible by authorized users when requiredwhen required
  • 16. 1616 Security RequirementsSecurity Requirements  Other requirements:Other requirements: – Entity authenticationEntity authentication :: corroboration of the identity of an entitycorroboration of the identity of an entity (e.g., a person, a credit card, etc.)(e.g., a person, a credit card, etc.)  Identification, identity verificationIdentification, identity verification – Message authenticationMessage authentication : corroborating the source of: corroborating the source of information; also known asinformation; also known as data origin authenticationdata origin authentication..  Message authentication implicitly provides data integrityMessage authentication implicitly provides data integrity – Digital SignatureDigital Signature : a means to bind information to an entity: a means to bind information to an entity – Non-repudiationNon-repudiation:: preventing the denial of previous commitmentspreventing the denial of previous commitments or actionsor actions
  • 17. 1717 Security RequirementsSecurity Requirements – AuthorizationAuthorization : conveyance, to another party, of official sanction: conveyance, to another party, of official sanction to do or to be something.to do or to be something. – Access controlAccess control: restricting access to resources to privileged: restricting access to resources to privileged entities.entities. – ValidationValidation: a means to provide timeliness of authorization to use: a means to provide timeliness of authorization to use or manipulate information or resources.or manipulate information or resources.  These Requirements are referred to asThese Requirements are referred to as ISS objectivesISS objectives (another definition of ISS)(another definition of ISS)..
  • 18. 1818 8. Security services8. Security services  AnAn information security serviceinformation security service is a method to provide someis a method to provide some specific aspects of securityspecific aspects of security – ExamplesExamples  Confidentiality is a security objective (requirement), encryption is anConfidentiality is a security objective (requirement), encryption is an information security serviceinformation security service  Integrity is another security objective (requirement), a method to ensureIntegrity is another security objective (requirement), a method to ensure integrity is a security service.integrity is a security service.  BreakingBreaking a security service implies defeating the objective ofa security service implies defeating the objective of the intended service.the intended service.
  • 19. 1919 9. Security mechanisms9. Security mechanisms  AA security mechanismsecurity mechanism encompasses Protocols, algorithms,encompasses Protocols, algorithms, Non-cryptographic techniques (hardware protection) toNon-cryptographic techniques (hardware protection) to achieve specific security objectives (confidentiality, integrity,achieve specific security objectives (confidentiality, integrity, …).…).
  • 20. 2020

Editor's Notes

  • #7: Information security : Is more than setting up a firewall, running an anti-virus software, using passwords to control access to databases, or discovering vulnerabilities in your system software. Is determining: what needs to be protected, i.e. , assets such as PCs, softwares, applications, etc. Why assets need protection , i.e., s ecurity requirements such as Confidentiality, Integrity, and Availability (C.I.A.) what it needs to be protected from (e.g., threats, vulnerabilities, risks), how to protect assets, i.e., what security measures we need to protect assets Security measures include techniques for: Prevention: techniques, to prevent occurrence of threats, such as encryption, firewalls, etc. Detection: techniques, to discover illegal actions, or attempted illegal access, such as IDSs (Intrusion Detection Systems), monitoring tools, etc. Reaction or recovery: techniques to minimizes the damages and restore the CIA of damages assets (eg, backup of systems). Security measures are an implementation of a security policy.
  • #10: Vulnerabilities: is a weakness in system design or implementation and can be in hardware or software. hardware accidental: fires, floods, mice malicious: fires, theft software: accidental: Bugs (buffer overflows), bad design (fails to an insecure state) Malicious: deletion, spyware, trojans, A Threat is an indication of a potential undesirable event. It refers to a situation in which either a person could do something undesirable (e.g., initiating a denial-of-service attack against an organization's email server) or a natural occurrence could cause an undesirable outcome (a fire damaging an organization's information technology hardware). A Risk is the possibility of suffering harm or loss. It refers to a situation in which either a person could do something undesirable or a natural occurrence could cause an undesirable outcome resulting in a negative impact or consequence.
  • #11: Vulnerabilities: is a weakness in system design or implementation and can be in hardware or software. hardware accidental: fires, floods, mice malicious: fires, theft software: accidental: Bugs (buffer overflows), bad design (fails to an insecure state) Malicious: deletion, spyware, trojans, A Threat is an indication of a potential undesirable event. It refers to a situation in which either a person could do something undesirable (e.g., initiating a denial-of-service attack against an organization's email server) or a natural occurrence could cause an undesirable outcome (a fire damaging an organization's information technology hardware). A Risk is the possibility of suffering harm or loss. It refers to a situation in which either a person could do something undesirable or a natural occurrence could cause an undesirable outcome resulting in a negative impact or consequence.
  • #13: Denail: A refusal to comply with or satisfy a request Snooping : To pry into the private affairs of others Masquerade: to go about as if in disguise Spoofing: to deceive Spurious: not genuine or false Repudiation: the refusal to acknowledge a contract or debt
  • #15: Lectures 2 – 5 explain how to use cryptography as security measures. Lecture 6 shows another way to implement database-related security measures.
  • #16: ISS is about keeping confidentiality, integrity, and availability
  • #17: ISS is about keeping confidentiality, integrity, and availability
  • #18: ISS is about keeping confidentiality, integrity, and availability