What Is Information Security

The document discusses topics related to information security including why it is necessary, definitions of computer security and key concepts like confidentiality, integrity and availability. It also covers challenges, common terminology and a model for computer security.

Uploaded by Umer Sabir

Lec. 1

Topics to be covered in Lec. 1:

1. Why is Information Security necessary?
2. What is Computer Security?
3. Objectives of Information Security (Confidentiality, Integrity and Availability)
4. Levels of Confidentiality, Integrity and Availability
5. The Challenges of Computer Security
6. Computer Security Terminology
7. A Model of Computer Security
1. Why is Information Security necessary?

Computer-related assets (hardware, software, data and the networks that connect them) are subject to a variety of threats. Computer security is the set of measures taken to protect those assets against such threats.
2. What is Computer Security?

Computer security is the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (which include hardware, software, firmware, information/data, and telecommunications).
3. Objectives of Information Security: Confidentiality, Integrity and Availability (CIA)

These three objectives are the heart of computer security.

Confidentiality: This term covers two related concepts:
— Data confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorized individuals.
— Privacy: Assures that individuals control or influence what information related to them may be collected and stored, and by whom and to whom that information may be disclosed.

Integrity: This term covers two related concepts:
— Data integrity: Assures that information and programs are changed only in a specified and authorized manner.
— System integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.

Availability: Assures that systems work promptly and service is not denied to authorized users.
FIPS 199 provides a useful characterization of these three objectives in terms of requirements and the definition of a loss of security in each category:

Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.

Integrity: Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.

Availability: Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.
Additional Concepts Needed

Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or a message originator. This means verifying that users are who they say they are and that each input arriving at the system came from a trusted source.

Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.
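The definitions above (data integrity, authenticity of a message originator, and accountability) are easiest to see together in one mechanism. The following is an added example, not code from the original lecture slides: an append-only audit log in which every entry is authenticated with an HMAC under the key of the entity that performed the action, and chained to the previous entry. A valid tag can only have been produced by the holder of that entity's key, which gives authenticity of the originator and hence accountability; any edit, deletion, reordering or forged entry changes what the verifier recomputes, which is how a loss of data integrity is detected. The entity names, keys and actions are constructed sample data.

```python
"""Integrity, authenticity and accountability in one small mechanism.

Added example, not code from the original lecture slides. It models an
append-only audit log in which every entry is authenticated with an HMAC
under the key of the entity that performed the action (authenticity of the
originator, hence accountability) and chained to the previous entry, so
that unauthorized modification, deletion, reordering or forgery of entries
is detected (data integrity). All entity names, keys and actions are
constructed sample data.
"""
import hashlib
import hmac
import json

# Constructed sample keys. In a real deployment each entity's key is
# provisioned out of band and never shared; that is what makes a valid tag
# attributable to exactly one entity.
KEYS = {
    "alice": b"alice-secret-key-0001",
    "bob": b"bob-secret-key-0002",
}

GENESIS = b"\x00" * 32  # chain anchor for the first entry


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so the same entry always gives the same MAC input.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log: list, actor: str, action: str, key: bytes) -> dict:
    """Append an entry authenticated by `key` and chained to the last entry."""
    prev_tag = bytes.fromhex(log[-1]["tag"]) if log else GENESIS
    body = {"seq": len(log), "actor": actor, "action": action, "prev": prev_tag.hex()}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    entry = dict(body, tag=tag)
    log.append(entry)
    return entry


def verify_log(log: list, keys: dict) -> tuple:
    """Re-derive every tag from the claimed actor's key. Returns (ok, reason)."""
    prev_tag = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "tag"}
        if body.get("seq") != i:
            return False, f"entry {i}: sequence gap or reordering"
        if body.get("prev") != prev_tag.hex():
            return False, f"entry {i}: chain broken"
        key = keys.get(body.get("actor"))
        if key is None:
            return False, f"entry {i}: unknown actor"
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison so the check itself does not leak tag bytes.
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, f"entry {i}: tag mismatch (modified or not signed by {body['actor']})"
        prev_tag = bytes.fromhex(entry["tag"])
    return True, "ok"


def build_sample_log() -> list:
    """Three legitimately recorded actions (constructed sample data)."""
    log = []
    append_entry(log, "alice", "read:payroll.csv", KEYS["alice"])
    append_entry(log, "bob", "write:payroll.csv", KEYS["bob"])
    append_entry(log, "alice", "delete:payroll.csv", KEYS["alice"])
    return log


def demo() -> dict:
    """Run four scenarios and return the verifier's verdict for each."""
    log = build_sample_log()
    results = {"clean": verify_log(log, KEYS)[1]}

    # Loss of integrity: an entry is silently edited after the fact.
    edited = json.loads(json.dumps(log))
    edited[1]["action"] = "read:payroll.csv"
    results["edited"] = verify_log(edited, KEYS)[1]

    # Loss of accountability: bob's write is deleted to disown it.
    deleted = [log[0], log[2]]
    results["deleted"] = verify_log(deleted, KEYS)[1]

    # Forgery: an entry claims alice acted, but was tagged with bob's key.
    forged = json.loads(json.dumps(log))
    append_entry(forged, "alice", "approve:bonus", KEYS["bob"])
    results["forged"] = verify_log(forged, KEYS)[1]
    return results


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:8s} -> {verdict}")
```

Note that the chain alone (the `prev` field) gives integrity of the sequence, while the per-entity key is what gives accountability: with a single shared logging key, any key holder could write an entry in anyone's name, and nonrepudiation would be lost. A symmetric HMAC still lets the verifier, who holds every key, forge entries; where the verifier is not trusted, a per-entity digital signature would replace the HMAC with the same structure.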
4. Levels of Confidentiality, Integrity and Availability
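The slide content for this section is not reproduced on this page. The following is an added example, not from the original lecture, implementing the impact-level scheme that FIPS 199 (cited above) uses for these three objectives: the potential impact of a loss of each objective is rated LOW, MODERATE or HIGH (NOT APPLICABLE is permitted only for the confidentiality of an information type, such as public information); a system that processes several information types takes, for each objective, the highest impact among them (the high-water mark); and a system category may not contain NOT APPLICABLE, so each objective is floored at LOW. The information types below are constructed sample data, not a real categorization.

```python
"""FIPS 199 impact levels and security categorization.

Added example, not from the original lecture slides. Implements the
high-water-mark rule FIPS 199 applies when an information system holds
several information types. The sample information types are constructed.
"""
from enum import IntEnum

OBJECTIVES = ("confidentiality", "integrity", "availability")


class Impact(IntEnum):
    NOT_APPLICABLE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


def information_type(confidentiality: Impact, integrity: Impact, availability: Impact) -> dict:
    """Security category of one information type: SC = {(C, x), (I, y), (A, z)}.

    FIPS 199 allows NOT_APPLICABLE only for confidentiality (e.g. public data);
    integrity and availability of an information type always carry an impact.
    """
    if integrity == Impact.NOT_APPLICABLE or availability == Impact.NOT_APPLICABLE:
        raise ValueError("NOT_APPLICABLE is only allowed for confidentiality")
    return {
        "confidentiality": confidentiality,
        "integrity": integrity,
        "availability": availability,
    }


def system_category(info_types: list) -> dict:
    """High-water mark per objective across all information types on the system.

    A system category may not contain NOT_APPLICABLE, so every objective is
    floored at LOW even if all of its information types are public.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return {obj: max(max(t[obj] for t in info_types), Impact.LOW) for obj in OBJECTIVES}


def overall_impact(category: dict) -> Impact:
    """Single impact level for the system: the highest of its three objectives."""
    return max(category.values())


def format_category(category: dict) -> str:
    """Render in the notation FIPS 199 uses, e.g. SC = {(confidentiality, LOW), ...}."""
    parts = ", ".join(f"({obj}, {category[obj].name})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


# Constructed sample information types (hypothetical organisation).
PUBLIC_WEB = information_type(Impact.NOT_APPLICABLE, Impact.MODERATE, Impact.MODERATE)
CUSTOMER_PII = information_type(Impact.MODERATE, Impact.MODERATE, Impact.LOW)
PAYMENT_SWITCH = information_type(Impact.MODERATE, Impact.HIGH, Impact.HIGH)


def demo() -> dict:
    """Categorize three hypothetical systems built from the sample types."""
    systems = {
        "brochure_site": [PUBLIC_WEB],
        "customer_portal": [PUBLIC_WEB, CUSTOMER_PII],
        "core_platform": [PUBLIC_WEB, CUSTOMER_PII, PAYMENT_SWITCH],
    }
    out = {}
    for name, types in systems.items():
        cat = system_category(types)
        out[name] = (format_category(cat), overall_impact(cat).name)
    return out


if __name__ == "__main__":
    for name, (sc, level) in demo().items():
        print(f"{name:16s} {level:9s} {sc}")
```

The point the rule makes is that adding one HIGH-impact information type to a system raises the whole system's category, which is why co-hosting public content with payment data on the same system drags the public content under HIGH controls; separating the systems keeps each categorized on its own merits.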
5. The Challenges of Computer Security

1. Computer security is not as simple as it first appears.
2. Mechanisms must be designed with the potential attacks on them in mind.
3. The procedures used to provide a service are often counter-intuitive.
4. Mechanisms typically involve algorithms and secret information (such as keys).
5. It must be decided where to deploy the mechanisms, both physically and logically.
6. Security is a battle of wits between the attacker and the designer or administrator.
7. The benefit of security is not perceived until a failure occurs.
8. It requires regular, constant monitoring.
9. It is too often an afterthought, added after the design is complete.
10. It is regarded as an impediment to efficient, user-friendly use of the system.
6. Computer Security Terminology
Adversary (threat agent)
An entity that attacks, or is a threat to, a system.
Attack
An assault on system security that derives from an intelligent threat; that is, an
intelligent act that is a deliberate attempt (especially in the sense of a method or
technique) to evade security services and violate the security policy of a system.
Countermeasure
An action, device, procedure, or technique that reduces a threat, a vulnerability, or
an attack by eliminating or preventing it, by minimizing the harm it can cause, or
by discovering and reporting it so that corrective action can be taken.
Risk
An expectation of loss expressed as the probability that a particular threat will
exploit a particular vulnerability with a particular harmful result.
Security Policy
A set of rules and practices that specify or regulate how a system or organization
provides security services to protect sensitive and critical system resources.
System Resource (Asset)
Data contained in an information system; or a service provided by a system; or a system capability, such as processing power or communication bandwidth; or an item of system equipment (i.e., a system component: hardware, firmware, software, or documentation); or a facility that houses system operations and equipment.
Threat
A potential for violation of security, which exists when there is a circumstance,
capability, action, or event, that could breach security and cause harm. That is, a
threat is a possible danger that might exploit a vulnerability.
Vulnerability
A flaw or weakness in a system’s design, implementation, or operation and
management that could be exploited to violate the system’s security policy.
7. A Model of Computer Security
The assets of a computer system can be categorized as follows:
Hardware: Including computer systems and other data processing, data storage, and data communications devices.
Software: Including the operating system, system utilities, and applications.
Data: Including files and databases, as well as security-related data, such as
password files.
Communication facilities and networks: Local and wide area network
communication links, bridges, routers, and so on.

A system resource can be vulnerable in three general ways, corresponding to the integrity, confidentiality and availability objectives:

It can be corrupted, so that it does the wrong thing or gives wrong answers. For example, stored data values may differ from what they should be because they have been improperly modified.
It can become leaky. For example, someone who should not have access to some or all of the information available through the network obtains such access.
It can become unavailable or very slow. That is, using the system or network becomes impossible or impractical.
[Figure: Security Concepts and Relationships]

You might also like