Information Security
SE-308
Course Books
• Principles of Information Security, 3rd Edition, by Michael E. Whitman and Herbert J. Mattord
• Computer Security: Art and Science, Matthew Bishop
• Cryptography and Network Security by William Stallings, 6th Edition, 2012
Learning Objectives
• Learn basic concepts of information security
• Develop a good understanding of security, security issues, security policies, information assets, threats and software attacks
• Ability to understand and plan security for an information system
• Knowledge gained in this course will be helpful in the implementation and maintenance of security policies
Week 1
Introduction to information security
– Introduction
– History of information security
– What is security
– How to achieve security
– Key information security concepts
– Components of information systems
– Information flow
Introduction
Security is the prevention of certain types of intentional actions from occurring in a system.
– Potential actions that could cause harm or damage to something are threats.
– When those dangers or risks become real and cause harm, they are attacks.
– Intentional attacks are carried out by an attacker.
– Objects of attacks are assets.
For example, if someone threatens to steal your wallet, that's a threat. But if they actually take your wallet, that's an attack.
What is Information Security
• Information security is the practice of defending information from unauthorized access, use, disclosure, modification, examination, recording or destruction.
• It is a general term that can be used regardless of the form the data may take.
Goals of Security
Prevention
– Prevent attackers from violating security policy
Detection
– Detect attackers’ violation of security policy
Recovery
– Stop attack, assess and repair damage
Survivability
– Continue to function correctly even if attack succeeds
Security Measures
Technology
– Hardware/software used to ensure security
Policy and practice
– Security requirements and activities.
Education, training, and awareness
– Understanding of threats and vulnerabilities and how to protect against them.
The History of Information Security
• (1930s-1940s) Code-breaking during World War II.
• Post-World War II Era (1940s-1950s): Began immediately after the first mainframes were developed.
• Physical controls to limit access to sensitive military locations to authorized personnel: badges, keys, and facial recognition
The History of Information Security
• One of the first documented problems
– Early 1960s
– Not physical
– Accidental file switch
• Entire password file printed on every output file
R-609
• In 1967, Rand Report R-609 was the first report on security controls for computer systems
• Scope of computer security grew from physical security to include:
– Safety of data
– Limiting unauthorized access to data
– Involvement of employees from multiple levels of an organization
• First to identify the role of management and policy issues.
• MULTICS: First OS containing security in its core functions.
The Birth of the Internet (1970s-1980s):
• Advanced Research Procurement Agency (ARPA) began to examine networked communications
• ARPANET is the first Internet
• The development of ARPANET, the modern internet, introduced new security challenges. Protocols like TCP/IP were developed with limited security considerations.
• ARPANET grew in popularity as did its potential for misuse
Public Key Cryptography (1970s-1980s):
• The invention of public key cryptography algorithms, modern encryption techniques, allowed for secure communication over public networks.
The 1990s
• Networks of computers became more common; so too did the need to interconnect networks
• Businesses and individuals faced new threats such as viruses, malware, and hacking.
• Early on, security was treated as a low-priority component.
2000 to Present
• The Internet brings millions of computer networks into communication with each other, many of them unsecured
• Realization of information security, its importance and its use
How to Achieve Security
A successful organization should have multiple layers of security in place:
– Physical security (physical objects)
– Personal security (individual or group of individuals)
– Operations security (details of operations/activities)
– Communications security (communication media, technology & content)
– Network security (network components, connections, contents)
– Information security (information assets)
Terminologies of Information Security:
• Access: A subject or object’s ability to use, manipulate, modify, or affect another subject or object.
• Asset: Any organizational resource or object that is being protected.
• Attack: An intentional action that can cause damage.
• Exposure: A condition or state of being exposed. In information security, exposure exists when a vulnerability known to an attacker exists.
• Exploit: A technique used to compromise a system. Exploits make use of existing software tools or custom-made software components.
Terminologies of Information Security Concepts:
• Risk: The probability that something unwanted will happen.
• Threat: A category of objects, persons, or other entities that threaten an asset.
• Threat agent: Any individual, group, organization, or automated system that has the potential to exploit vulnerabilities in a system or network.
• Vulnerability: A weakness or fault in a system or protection mechanism that opens it to attack or damage. Some examples of vulnerabilities are a flaw in a software package, an unprotected system port, and an unlocked door.
Computer as Subject and Object
Securing Components
• A computer can be the subject of an attack and/or the object of an attack
– When the subject of an attack, the computer is used as an active tool to conduct the attack
– When the object of an attack, the computer is the entity being attacked
• Two types of attack
– Direct: Hacker uses their computer to break into a system
– Indirect: System is compromised and used to attack other systems
Information flow
• Path taken by data from sender to receiver.
Critical Characteristics of Information
• Availability
"Availability" means that information is there when you need it.
• Authenticity
Information should be real and trustworthy, and come from reliable sources.
• Confidentiality
Sensitive information should be protected from unauthorized access or disclosure.
Critical Characteristics of Information
• Integrity
Information must remain whole, accurate, and uncorrupted to maintain trustworthiness.
• Possession
Refers to legal ownership or control over information assets.
• Accuracy
Information must be free from errors or inaccuracies, correctly representing real-world phenomena.