Information Security and Cryptography

Business survival depends on information security.

ISO 27002:2005 defines Information Security as the preservation of:
- Confidentiality: Ensuring that information is accessible only to those authorized to have access.
- Integrity: Safeguarding the accuracy and completeness of information and of the methods that process it.
- Availability: Ensuring that authorized users have access to information and associated assets when required.

- Threat: Something that can potentially cause damage to the organisation, IT systems or network.
- Vulnerability: A weakness in the organisation, IT systems or network that can be exploited by a threat.
- Relationship between Risk, Threats and Vulnerabilities: risk exists only where a threat is able to exploit a vulnerability; the level of risk follows from how likely that is and how much damage it would cause.

Threats
• Employees
• External parties
• Low awareness of security issues
• Growth in networking and distributed computing
• Growth in complexity and effectiveness of hacking tools and viruses
• Natural disasters, e.g. fire, flood, earthquake

Threat Identification
❖ Elements of threats
❖ Agent: The catalyst that performs the threat.
   Human
   Machine
   Nature
❖ Motive: Something that causes the agent to act.
   Accidental
   Intentional
   The only agent whose motive can be either accidental or intentional is the human agent; machines and nature act without intent.
❖ Results: The outcome of the applied threat. The results normally lead to the loss of CIA:
   Confidentiality
   Integrity
   Availability
INFORMATION/NETWORK SECURITY
• Network security is a broad term that covers a multitude of technologies, devices and processes. In its simplest terms, it is a set of rules and configurations designed to protect the integrity, confidentiality and accessibility of computer networks and data using both software and hardware technologies. Every organisation, regardless of size, industry or infrastructure, requires some degree of network security in place to protect it from the ever-growing landscape of cyber threats in the wild today.
• The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications). - NIST

CIA TRIAD
❖ Confidentiality
   o Protecting data, whether stored or in transit, from disclosure.
   o Ensuring only those who ought to have access can do so.
❖ Integrity
   o Ensuring that information cannot be modified without detection.
❖ Availability
   o Ensuring information can be accessed when needed.
❖ Additional
   o Authenticity: the property of being genuine and verifiable, so that a message and its claimed originator can be trusted.
   o Accountability: the ability to trace every action back to the entity responsible for it.

Examples of the property an asset needs most:
   o Confidentiality (example: account information)
   o Integrity (example: patient information)
   o Availability (example: authentication service)

Levels of impact of a security breach
   o Low: the effect of the attack is negligible.
   o Medium: significant loss or damage to the organisation or individual.
   o High: severe effect on the organisation, a complete disaster.

Threats and Attacks (RFC 2828)
   o Threat. A potential for violation of security, which exists when there is a circumstance, capability, action or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability.
   o Attack. An assault on system security that derives from an intelligent threat; that is, an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system.

Three related concepts are used to describe security:
➢ SECURITY ATTACK
➢ SECURITY SERVICE
➢ SECURITY MECHANISM

❖ SECURITY ATTACK:
- Any action that compromises the security of an individual or organisation. If the attack is launched successfully, its effects can be loss or corruption of data, ransomware, injection of viruses, worms or other malicious software into the network, defacement of servers, and many more. Only the attacker knows what the attack was launched for. Attacks are basically of two types:
1. PASSIVE
2. ACTIVE

1. PASSIVE ATTACK
- Attempts to learn or make use of information from the system
- Does not affect the system resources
- Eavesdropping on, or monitoring of, transmissions
- Goal: obtain information that is being transmitted
Types
• Release of message contents
• Traffic analysis
Note: in a passive attack there is only unauthorised reading or monitoring of messages. For example, while a confidential telephone conversation or a confidential e-mail is being transmitted, the attacker's intention is just to learn what is being transmitted, not to alter it.
EXAMPLE: Release of Message Contents (Darth reads the contents of a message from Bob to Alice)
Alice and Bob are the legitimate parties in this example; Darth is the attacker. Bob sends messages to Alice over some communication facility, for example the Internet. Whatever Bob sends to Alice, Darth obtains a copy and reads its contents, so Darth comes to know the data being exchanged between the sender and the receiver.

How to prevent this?
If Bob encrypts the data before sending it, and only Alice can decrypt it, Darth has no way to see what message is being transmitted. If the messages are not encrypted, Darth can obviously read everything communicated between the sender and the receiver.

EXAMPLE: Traffic Analysis (Darth observes the pattern of messages from Bob to Alice)
Bob realises that somebody may sniff or eavesdrop on the conversation, so Bob and Alice decide to encrypt the data before transmitting it. Assume Bob now sends encrypted data to Alice; only Bob and Alice can understand it. If Darth captures the encrypted message he is definitely not able to read its contents, but some information can still be extracted: the location or identity of the communicating hosts, the length of each message, and the frequency of message transfers between Bob and Alice. This information is useful for guessing the nature of the communication taking place between Bob and Alice, so Darth learns something, or can guess what kind of data is being transmitted, from the traffic alone.

2. ACTIVE ATTACK
- Active attacks involve some modification of the data stream or the creation of a false stream.

Subdivided into four categories:
1. Masquerade
2. Replay
3. Modification of messages
4. Denial of service

Masquerade (a message from Darth appears to be from Bob)
A masquerade attack is an attack that uses a fake identity, such as a network identity, to gain unauthorised access to information through legitimate access identification. If the authentication process is not fully protected, it can become extremely vulnerable to a masquerade attack.

EXAMPLE: What is the attack here?
Darth pretends to be Bob, so the message Darth sends appears to come from Bob. When Alice receives the message she thinks it is from Bob, but it is actually from Darth.

Replay (Darth captures a message from Bob to Alice and later replays it to Alice)
A replay attack is a category of network attack in which an attacker detects a data transmission and fraudulently has it delayed or repeated. The delay or repeat is carried out either by the originator or by a malicious entity who intercepts the data and retransmits it.
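The two passive attacks above can be made concrete in code. The following Python script is an added example written for this page, not code from the original notes. It constructs a few sample packets between Bob and Alice (constructed data, labelled as such in the code), lets Darth run both attacks against them, and then shows what encrypting the payloads does and does not hide. The cipher is a one-time pad (XOR with a fresh random key as long as the message), chosen because it needs nothing beyond the standard library; the keys are assumed to be shared with Alice out of band. The contents go away, but the flows, the message count and the message lengths stay visible until the messages are padded to a fixed block size. The function names (`eavesdrop_contents`, `traffic_analysis`, `protect`, `recover`) are my own.

```python
import secrets
from collections import Counter

# Constructed sample traffic for this example: (sender, receiver, payload).
PLAINTEXT_PACKETS = [
    ("Bob", "Alice", b"meet at 9pm"),
    ("Bob", "Alice", b"bring the contract"),
    ("Alice", "Bob", b"ok"),
    ("Bob", "Alice", b"wire 5000 to account 1234"),
]


def eavesdrop_contents(packets):
    """Release of message contents: Darth copies each payload off the wire.

    With plaintext traffic this is the message itself; with encrypted traffic
    it is only ciphertext, which tells him nothing about the content.
    """
    return [payload for _src, _dst, payload in packets]


def traffic_analysis(packets):
    """Traffic analysis: Darth never looks inside a payload, yet still learns
    who talks to whom, how often, and how long each message is."""
    flows = Counter((src, dst) for src, dst, _payload in packets)
    return {
        "flows": dict(flows),
        "total_messages": len(packets),
        "lengths": [len(payload) for _src, _dst, payload in packets],
    }


def xor_bytes(key: bytes, data: bytes) -> bytes:
    """One-time pad: XOR data with a random key of at least the same length.
    Encryption and decryption are the same operation."""
    if len(key) < len(data):
        raise ValueError("one-time pad key must be at least as long as the data")
    return bytes(k ^ d for k, d in zip(key, data))


def pad(data: bytes, block_size: int) -> bytes:
    """Pad to a multiple of block_size: append 0x80, then zeros (ISO/IEC 7816-4
    style), so the padding can be stripped unambiguously afterwards."""
    n = block_size - (len(data) % block_size)
    return data + b"\x80" + b"\x00" * (n - 1)


def unpad(data: bytes) -> bytes:
    stripped = data.rstrip(b"\x00")
    if not stripped.endswith(b"\x80"):
        raise ValueError("invalid padding")
    return stripped[:-1]


def protect(packets, block_size=None):
    """Bob's side: optionally pad, then encrypt every payload with a fresh key.

    Returns (protected_packets, keys). The keys are assumed to be shared with
    Alice out of band and never appear on the wire, so Darth sees ciphertext only.
    """
    protected, keys = [], []
    for src, dst, payload in packets:
        body = pad(payload, block_size) if block_size else payload
        key = secrets.token_bytes(len(body))
        protected.append((src, dst, xor_bytes(key, body)))
        keys.append(key)
    return protected, keys


def recover(protected_packets, keys, block_size=None):
    """Alice's side: decrypt with the matching key and strip the padding."""
    plaintexts = []
    for (_src, _dst, ciphertext), key in zip(protected_packets, keys):
        body = xor_bytes(key, ciphertext)
        plaintexts.append(unpad(body) if block_size else body)
    return plaintexts


if __name__ == "__main__":
    print("plaintext, Darth reads:", eavesdrop_contents(PLAINTEXT_PACKETS))
    enc, keys = protect(PLAINTEXT_PACKETS)
    print("encrypted, Darth reads:", eavesdrop_contents(enc))
    print("but traffic analysis still gives:", traffic_analysis(enc))
    padded, keys = protect(PLAINTEXT_PACKETS, block_size=32)
    print("with padding, lengths become:", traffic_analysis(padded)["lengths"])
    print("Alice recovers:", recover(padded, keys, block_size=32))
```

Padding hides only the length. The number of messages and the (Bob, Alice) flow are still visible to Darth after both steps; hiding those needs cover traffic or an anonymising relay, which is why traffic analysis is listed as a separate attack from release of message contents.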
Modification of Message (Darth modifies a message from Bob to Alice)
An attack on the integrity of the original data: some portion of a legitimate message is altered, or messages are delayed or reordered, to produce an unauthorised effect. The unauthorised party does not merely read the data but changes it in transit, for example by altering the contents of transmitted data packets.

Denial of Service (Darth disrupts the service provided by the server)
An attack meant to shut down a machine or network, making it inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic, or by sending it information that triggers a crash.

Passive Attack vs Active Attack

PASSIVE ATTACK
• Hard to detect
• Neither sender nor receiver is aware of the attack
• Encryption prevents the success of passive attacks
• More emphasis is on prevention than on detection

ACTIVE ATTACK
• Hard to prevent: physical, software and network vulnerabilities make prevention difficult
• The goal is to detect the attack and recover from any disruption or delays it causes
• If detection has a deterrent effect, it may also contribute to prevention

❖ SECURITY SERVICE
- The processing or communication service that is provided by a system to give a specific kind of protection to system resources; security services implement security policies and are implemented by security mechanisms.
1. AUTHENTICATION
2. ACCESS CONTROL
3. DATA CONFIDENTIALITY
4. DATA INTEGRITY
5. NON-REPUDIATION

1. AUTHENTICATION
- Assurance that the communicating entity is the one it claims to be. For example, if an entity claims to be Alice, the system could have an authentication service that proves she is Alice.
➢ Peer Entity Authentication
   Provided for use at the establishment of, or at times during the data transfer phase of, a connection. It attempts to provide confidence that an entity is not performing either a masquerade or an unauthorised replay of a previous connection.
➢ Data Origin Authentication
   In information security, message authentication or data origin authentication is the property that a message has not been modified while in transit (data integrity) and that the receiving party can verify the source of the message.

2. ACCESS CONTROL
- Access control is a fundamental component of data security that dictates who is allowed to access and use company information and resources. Through authentication and authorisation, access control policies make sure users are who they say they are and that they have appropriate access to company data.
- Access control is a security measure put in place to regulate which individuals can view, use, or have access to a restricted environment. Examples of access control can be found in the security systems on our doors: key locks, fences, biometric systems, motion detectors, badge systems, and so forth.

3. DATA CONFIDENTIALITY
- Data confidentiality deals with protecting against the disclosure of information, either by ensuring that the data is limited to those authorised, or by representing the data in such a way that its semantics remain accessible only to those who possess some critical information (e.g., a key for decrypting the enciphered data).
- Confidential data is any information that is not intended for public dissemination.
- Confidentiality covers all forms of information, including personal information about people using services, employees or volunteers, information about the organisation (for example its plans or finances) and information about other organisations, whether the information is recorded or not.

4. DATA INTEGRITY
- The assurance that data received is exactly as sent by an authorised entity, that is, it contains no modification, insertion, deletion or replay.

5. NON-REPUDIATION
- Non-repudiation is a term that connects a person to a fact so that they cannot deny that an action was taken.
- A service that may be afforded by the appropriate application of a digital signature. Non-repudiation refers to the assurance that the owner of a signature key pair that was capable of generating an existing signature corresponding to certain data cannot convincingly deny having signed the data.
- For example, with Alice and Bob: Bob transmits data to Alice, but afterwards Bob claims that he never sent any documents, or Alice claims that she never received any. That is where the non-repudiation security service applies: a signature over the data settles who sent it.

❖ SECURITY MECHANISM
➢ SPECIFIC SECURITY MECHANISM
➢ PERVASIVE SECURITY MECHANISM
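The active attacks described above (masquerade, modification, replay) and the services that counter them (data origin authentication and data integrity) can be shown together in one script. The following Python code is an added example written for this page, not code from the original notes. It assumes Bob and Alice share a secret key exchanged out of band; every message carries a fresh random nonce and an HMAC-SHA256 tag over sender, receiver, nonce and body, and Alice rejects anything whose tag does not verify or whose nonce she has already accepted. Darth's three attempts use constructed messages. The class and function names (`Receiver`, `send`, `compute_tag`, `run_scenarios`) are my own.

```python
import hashlib
import hmac
import secrets
import struct


def _canonical(*fields: bytes) -> bytes:
    """Length-prefix every field so that ("ab","c") and ("a","bc") cannot
    collide when concatenated: the tag must cover an unambiguous encoding."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def compute_tag(key: bytes, src: str, dst: str, nonce: str, body: bytes) -> str:
    """HMAC-SHA256 over sender, receiver, nonce and body.
    Only a holder of `key` can produce it (data origin authentication) and any
    change to a covered field invalidates it (data integrity)."""
    msg = _canonical(src.encode(), dst.encode(), nonce.encode(), body)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def send(key: bytes, src: str, dst: str, body: bytes) -> dict:
    """Build an authenticated message with a fresh random nonce."""
    nonce = secrets.token_hex(16)
    return {"from": src, "to": dst, "nonce": nonce, "body": body,
            "tag": compute_tag(key, src, dst, nonce, body)}


class Receiver:
    """Alice's side: verifies the tag, then refuses nonces already accepted."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen_nonces = set()

    def verify(self, msg: dict):
        expected = compute_tag(self.key, msg["from"], msg["to"], msg["nonce"], msg["body"])
        # compare_digest runs in constant time, so a timing side channel does
        # not leak how many tag bytes the attacker already got right.
        if not hmac.compare_digest(expected, msg["tag"]):
            return False, "tag mismatch: masquerade or modification"
        if msg["nonce"] in self.seen_nonces:
            return False, "replay: nonce already seen"
        self.seen_nonces.add(msg["nonce"])
        return True, "accepted"


def run_scenarios():
    """Run Bob's genuine message and Darth's three attacks; return the verdicts."""
    shared_key = secrets.token_bytes(32)  # assumed known to Bob and Alice only
    alice = Receiver(shared_key)
    results = {}

    genuine = send(shared_key, "Bob", "Alice", b"transfer 100 to account 42")
    results["genuine"] = alice.verify(genuine)

    # Replay: Darth captured Bob's message and sends an exact copy to Alice again.
    results["replay"] = alice.verify(dict(genuine))

    # Masquerade: Darth forges a message "from Bob" with a key of his own.
    darth_key = secrets.token_bytes(32)
    results["masquerade"] = alice.verify(
        send(darth_key, "Bob", "Alice", b"transfer 100 to account 42"))

    # Modification: Darth alters the body of a fresh message from Bob in transit.
    fresh = send(shared_key, "Bob", "Alice", b"transfer 100 to account 42")
    tampered = dict(fresh, body=b"transfer 100 to account 666")
    results["modification"] = alice.verify(tampered)

    # The untouched original still arrives fine afterwards: its nonce is new.
    results["genuine_after_tamper"] = alice.verify(fresh)
    return results


if __name__ == "__main__":
    for name, (accepted, reason) in run_scenarios().items():
        print(f"{name:22s} accepted={accepted} ({reason})")
```

Two caveats a practitioner would want. First, a MAC gives authentication and integrity but not non-repudiation: Alice holds the same key, so she could have produced the tag herself and Bob can deny sending the message; that service needs a digital signature made with Bob's private key. Second, the set of seen nonces grows without bound, which is itself a denial-of-service vector; real protocols use a sequence number with a sliding window instead.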
2. Transposition Cipher
- In the transposition technique, the positions of the letters/numbers/symbols of the plaintext are rearranged among one another. The symbols themselves are not changed, only their order, so the ciphertext contains exactly the same characters as the plaintext.
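A worked columnar transposition, as an added example written for this page rather than code from the original notes. The plaintext is written row by row under a keyword and the columns are read out in alphabetical order of the keyword letters; decryption refills the columns in the same order and reads the rows back. It goes one step beyond the notes by including a check that a transposition leaves the letter frequencies of the text unchanged, which is what tells a cryptanalyst they are looking at a transposition rather than a substitution. The function names (`columnar_encrypt`, `columnar_decrypt`, `same_letter_frequencies`) and the keyword "ZEBRAS" are my own choices.

```python
from collections import Counter


def _column_order(key: str):
    """Columns are read out in alphabetical order of the key letters; ties are
    broken left to right so the order is well defined for repeated letters."""
    key = key.upper()
    return sorted(range(len(key)), key=lambda i: (key[i], i))


def columnar_encrypt(plaintext: str, key: str) -> str:
    """Columnar transposition: write the text row by row under the key, then
    read the columns out in key order. Only positions change, never symbols."""
    text = "".join(ch for ch in plaintext.upper() if ch.isalpha())
    cols = len(key)
    # Fill the last row with X so the rectangle is complete; an incomplete
    # rectangle would leave the receiver guessing which columns are short.
    while len(text) % cols:
        text += "X"
    rows = [text[i:i + cols] for i in range(0, len(text), cols)]
    return "".join(row[c] for c in _column_order(key) for row in rows)


def columnar_decrypt(ciphertext: str, key: str) -> str:
    """Inverse: refill the columns in key order, then read the rows.
    Padding X's are returned as-is; the caller strips them, because a genuine
    trailing X in the plaintext cannot be told apart from padding."""
    cols = len(key)
    if len(ciphertext) % cols:
        raise ValueError("ciphertext length is not a multiple of the key length")
    nrows = len(ciphertext) // cols
    grid = [[""] * cols for _ in range(nrows)]
    pos = 0
    for c in _column_order(key):
        for r in range(nrows):
            grid[r][c] = ciphertext[pos]
            pos += 1
    return "".join("".join(row) for row in grid)


def same_letter_frequencies(a: str, b: str) -> bool:
    """A transposition keeps the multiset of symbols, so the letter histogram
    of the ciphertext equals that of the (padded) plaintext: the frequencies
    still look like ordinary English, only the order is scrambled."""
    return Counter(a) == Counter(b)


if __name__ == "__main__":
    key = "ZEBRAS"
    ct = columnar_encrypt("we are discovered, flee at once", key)
    print("ciphertext:", ct)
    print("decrypted: ", columnar_decrypt(ct, key).rstrip("X"))
    print("frequencies preserved:",
          same_letter_frequencies(ct, "WEAREDISCOVEREDFLEEATONCEXXXXX"))
```

Because the letter frequencies survive, a transposition on its own gives no protection against frequency-based cryptanalysis; it has to be combined with a substitution step to be of any use, which is exactly what modern block ciphers do in their rounds.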
CATEGORIES OF CRYPTOGRAPHY
A. SYMMETRIC KEY CRYPTOGRAPHY
B. ASYMMETRIC KEY CRYPTOGRAPHY
APPLICATIONS
- Defense services
- Secure data manipulation
- E-commerce
- Business transactions
- Internet payment systems
- User identification systems
- Access control
- Data security
CONCLUSION: