Introduction To Information Security

This document outlines the topics that will be covered in a course on information security including risk analysis, access control, cryptography, business continuity planning, data classification, computer security, telecommunications security, legal issues, and information ethics. The course will cover concepts, methods, techniques, and considerations for each topic.

Uploaded by

mahmoodghanem

Available Formats

Download as PPTX, PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

25 views

Introduction To Information Security

Uploaded by

mahmoodghanem

Available Formats

Download as PPTX, PDF, TXT or read online on Scribd

You are on page 1/ 51

CS 620

Introduction to Information
Security

Dr. Mahmoud Ghanem

Department of Computer Science
Arab Academy for Science, Technology and Maritime
Transport (AASTMT)
Port Training Institute (PTI)
Part I
(Overview, Access, Control,
Cryptography, Risk Analysis)
Part II
(Business Continuity
Planning, Data Classification,
Security Awareness, Computer
and System Security)
Part III
(Telecommunications Security,
Organization Architecture, Legal
Regulatory Investigation)
Part IV
(Investigation, Application
program Security, Physical
Security, Operations Security)
Part V
(Information Ethics, Policy
Development)
Computer Security Act of 1987
Requires:
• Sensitive systems and data
must be identified
• Plans for ensuring security
and control of such
systems must be created
• Personnel training
programs must be
developed and in place
Development of Security
Program
• Objectives
• Policies
• Connectivity, Corporate Structure, and
Security
• Plans
• Responsibilities
Security Policy Goals

• Avoidance
• Deterrence
• Detection
• Correction
Risk Analysis

• Identify sensitivity of data

• Determine value of systems and
information
• Assess threats and vulnerabilities (sabotage,
environment, errors)
Purposes of Risk Analysis
• No significant intentional or accidental
threat is overlooked
• Assure that cost-benefit analysis is
reasonable
Contingency Plan
• Purpose: Protect, detect, recover

• Criticality: Formulated, communicated to

ALL employees, tested regularly
Legal Issues
• Licenses
• Fraud/Misuse
• Privacy
• Copyright
• Trade Secrets
• Employee Agreements
Access Control
Collection of mechanisms to restrain
or prohibit use of information and
systems
Includes: Functions, implementation,
good practices, environmental
constraints
Considerations
• Ownership of Data
• Custodian of Data
• Accountability
• Reconciliation
• Rule of Least Privilege
User Authentication and
Password Management
• Access Control
• Knowledge-Based Authentication
• Token-Based Authentication
• Characteristic-Based Authentication
• Password Management
Access Control
• Policies
• Procedures
• Standards
• Control
Cryptography
Definition: Use of secret codes to
provide integrity/confidentiality
of information during transfer
and storage
Considerations:
-Complexity
-Secrecy
- Characteristics of key
Definition:

Encryption: plaintext to
ciphertext
Decryption: From ciphertext to
plaintext
Key Management
• Public vs. Private
• Selecting Key
• Management of the Keys
• Protection of Keys
• Testing of Keys
• Updating Keys
• Error Detection
Risk Management

Includes ideas, models, methods,

techniques to control risk
Includes:
-Assessment
-Reduction
-Protective measures
-Risk Acceptance
-Insurance
Considerations of Risk
Assessment
• Annual Loss Expectancy(ALE)
• Asset Valuation/Inventory
• Types of Attacks/Threats
• Availability of Resources/Denial of Service
• Detection
• Exposure
• Passive Threats
• Perils
• Prevention
• Analysis/Assessment/Management of Risk
• Data Valuation
Classification of People/Assets

Should Include:
-People
-Procedures
-Data/Information
-Software
-Hardware
Threat and Exposure Assessment

• Density/Volume of Information
• Accessibility of Systems
• Complexity
• Electronic Vulnerability
• Media Vulnerability
• Human Factors
Safeguards and Counter
Measures
• Prevent Exposures
• Detect Attempted Threats
• Correct the Causes of Threats
Business Continuity Planning (1)
• Planning and Analysis Methods
• Rates of Occurrence of Disabling Events
• Availability and Use of Planning Tools/Aids
• Identification of Business Success
factors(BSF) and Critical
capabilities(Critical or Key Success Factors
(CSF/KSF)
Business Continuity Planning (2)
• Alternative Sources of Supply
• Legal and Regulatory Requirements
Backups and Procedures
• Importance for Recovery
• Data Value
• Manuals and Documentation
• Back Up Frequency
• On-Line Systems
• Equipment
The Three C’s

-Catastrophe
-Contingency
-Continuation

BE PREPARED!!!
Off-site Backups and Storage
Two Control Points:

1. When backup material is being

transferred to/from the site
2. When backup material is stored at
the site
(also consider in-house storage)
Data Classification
• Elements and Objectives of a Classification
Scheme
• Criteria used to Classify Data
• Procedures to be Used
• Differences Between Government and
Commercial Programs
• Limitations
• Program Implementation
To Be Included:
• Distinguish Between Classification and Sensitivity
• Classified vs. Sensitive
• Data Elements
• Handling of Data
• Identify Criteria
• Classification Schemes
• Rule of Users Managers
• Effect of Data Aggregation on Classification
• Techniques for Avoiding Disclosure
Security Awareness
Include:
• Corporate Policies, Procedures, Intentions
• Areas Where Remedial Actions are Needed
• Assessment of Threats and Vulnerabilities
• Technology Trends
• Behaviors to be Encouraged
• User Motives
• Applicable Laws and Regulation
• Available/Applicable Communication
Channels/Media
Administrative/Organizational
Controls
• Policies
• Awareness
• Employee Non-Disclosure Considerations
• Employee Training
• Telecommuting Considerations
• Effects of Technological Changes/Updates
Personnel Considerations
• Human Motives for Criminal Action
• Employee Selection
• Professional Certificates
• Working Environment
• Technological Updates (Effect on Users)
• Employee Separation
Computer and System Security

Professionals Should
• Understand:
Computer Organizations, Architectures,
Designs
• Source and Origin of Security
Requirements
• Advantages/Disadvantages of Various
Architectures
• Security Features/Functions of Various
Components
• Choices to be Considered When Selecting
Common Flaws and Penetration
Methods
• Operating Systems Flaws
• Penetration Techniques(Trojan Horses,
Virus, Salami Attack, Deception)
Viruses
• Design
• Protection
• Recovery
• Prevention
• Counter Measures
Telecommunications Security
• Objectives
• hazards and Exposures
• Effects of Topology, Media, Protocols,
Switching
• Hazards and Classes of Attack
• Defenses and Protective Measures
Methods
• Aborted Connection
• Active Wiretapping
• Between - The - Lines Entry
• Call Back
• Emanations
• Covert Channel
• Cross-Talk
• Eavesdropping
• Electronic Funds Transfer(EFT)
• Handshaking
Considerations
• Transmission Technologies
• Bandwidth
• Connectivity Potential
• Geographical Scope
• Noise Immunity
• Security
• Applications
• Relative Cost
System Security Officer
• Organizational Knowledge (Structural and
Behavioral)
• Technical Knowledge
• Accounting/Audit Concepts
• Personnel Administration Matters
• Laws/Legislation
• Strategic/Tactical Planning
• Labor/Negotiation/Strategies/Tactics
Computer Security Incidence
Response
• Goals
• Constituency
• Structure
• Management Support/Funding
• Charter
• Handbook of Operations
• Staffing
Legal/Regulatory
• Federal Laws/Regulations
• State Laws/Regulations
• International Issues
• Organizational/Agency Considerations
• Personal Behavior
• Remedies to Constituents
• Civil vs. Criminal Law
• Pending Legislation
Computer Crime
• Fraud
• Embezzlement
• Unauthorized Access
• “White Collar” Crime
• Theft of Hardware/Copying Software
• Physical Abuse
• Misuse of Information
• Privacy/Confidentiality Violations
• Intellectual Property
• Negligence
• License Agreements
Investigation
• Legal Requirements for Maintaining a Trail
of Evidence
• Interrogation Techniques
• Legal Limits on Interrogation Methods
Permitted
Application Program Security
• Distribution of Controls Between
Application and System
• Controls Specific to Key, Common, or
Industry Applications
• Criteria for Selection and Application
• Tests for Adequacy
• Standards for Good Practice
Software Controls
• Development
• Maintenance
• Assurance
• Specification and Verification
• Database Security Controls
• Accounting/Auditing
Physical Security
• Site/Building Location
• External characteristics/Appearance
• Location of Computer Centers
• Construction Standards
• Electrical Power(UPS)
• Water/Fire Considerations
• Traffic/Access Control
• Air Conditioning/Exhaust
• Entrances/Exits
• Furnishings
• Storage of Media/Supplies
Operations Security
• Resources to be Protected
• Privileges to be Restricted
• Available Control Mechanisms
• Potential for Abuse of Access
• Appropriateness of Controls
• Acceptable Norms of Good Practice
Information Ethics
Doing the Right Thing!!
• Privacy/Confidentiality
• Common Good
• Professional Societies
• Professional Certifications
Policy Development
Considerations:
• Have Longevity
• Be Jargon Free
• Be Independent of Jobs, Titles, or Positions
• Set Objectives
• Fix Responsibility
• Provide Resources
• Allocate Staff
• Be Implemented Using Standards and
Guidelines
That’s All Folks
(and not a minute too soon!!)

I’m Looking Forward to working

With You!!!!

Information Security Governance & Risk Management
70% (10)
Information Security Governance & Risk Management
37 pages
8.securing Information Systems
No ratings yet
8.securing Information Systems
25 pages
Unit 1 CYBER SECURITY (AUC-002)
No ratings yet
Unit 1 CYBER SECURITY (AUC-002)
49 pages
Design and Implementation of 3-Factor Authentication System For ATM Security by Okwobena Omamuzou Lucky
100% (2)
Design and Implementation of 3-Factor Authentication System For ATM Security by Okwobena Omamuzou Lucky
71 pages
CS 620 Introduction To Information Security: Dr. Karen Forcht Department of Computer Science James Madison University
No ratings yet
CS 620 Introduction To Information Security: Dr. Karen Forcht Department of Computer Science James Madison University
51 pages
Week1 Introduction to Cybersecurity (1)
No ratings yet
Week1 Introduction to Cybersecurity (1)
51 pages
Lec 5-8
No ratings yet
Lec 5-8
48 pages
CISSP Student Guide V2.0
83% (6)
CISSP Student Guide V2.0
913 pages
Information Security Audit and Features
No ratings yet
Information Security Audit and Features
45 pages
Module 2 - Information Security Concepts
No ratings yet
Module 2 - Information Security Concepts
32 pages
CNIT 125: Information Security Professional (Cissp Preparation)
No ratings yet
CNIT 125: Information Security Professional (Cissp Preparation)
62 pages
Week 16 -F
No ratings yet
Week 16 -F
15 pages
CISSP Study Plan
No ratings yet
CISSP Study Plan
6 pages
Security +: The Risk Formula
No ratings yet
Security +: The Risk Formula
12 pages
Audit of IT Security 061cab1246c98f6 59791303
No ratings yet
Audit of IT Security 061cab1246c98f6 59791303
42 pages
Cyber Security Essentials 1
No ratings yet
Cyber Security Essentials 1
115 pages
Cyber Security
No ratings yet
Cyber Security
628 pages
Cissp Accsess Controls
No ratings yet
Cissp Accsess Controls
42 pages
InfoSecRevision (2)
No ratings yet
InfoSecRevision (2)
20 pages
Is Security Audit
No ratings yet
Is Security Audit
52 pages
CISSP Program Overview
No ratings yet
CISSP Program Overview
19 pages
Week 1
No ratings yet
Week 1
42 pages
On Unit 1
No ratings yet
On Unit 1
97 pages
Data Secuirity
No ratings yet
Data Secuirity
35 pages
IS Chap 1
No ratings yet
IS Chap 1
30 pages
Cyber Security Essentials 1 1
No ratings yet
Cyber Security Essentials 1 1
136 pages
Lo3 Riskmanagement MCQ
No ratings yet
Lo3 Riskmanagement MCQ
31 pages
Lecture-3
No ratings yet
Lecture-3
28 pages
CHAPTER 5 - Controls of AIS
No ratings yet
CHAPTER 5 - Controls of AIS
26 pages
Administrating Security
No ratings yet
Administrating Security
27 pages
Information Security: Code: ETCS-401
No ratings yet
Information Security: Code: ETCS-401
27 pages
Topic 3 - Information security program development and management
No ratings yet
Topic 3 - Information security program development and management
24 pages
IS Lecture 3
No ratings yet
IS Lecture 3
58 pages
Unit1 - Introduction and Unit 7 Information Security
No ratings yet
Unit1 - Introduction and Unit 7 Information Security
150 pages
CISSP
No ratings yet
CISSP
713 pages
Information Systems Controls
No ratings yet
Information Systems Controls
25 pages
Lecture 01 Information Security
No ratings yet
Lecture 01 Information Security
45 pages
Operating System Security: CSCI620M03/CSCI445M02/ITEC445 M02 Instructor: Qian Wang
No ratings yet
Operating System Security: CSCI620M03/CSCI445M02/ITEC445 M02 Instructor: Qian Wang
30 pages
Computer Security
No ratings yet
Computer Security
22 pages
Risk - Assessment & Forensic Analysis
No ratings yet
Risk - Assessment & Forensic Analysis
15 pages
How I Passed The CISSP Test: Lessons Learned in Certification
No ratings yet
How I Passed The CISSP Test: Lessons Learned in Certification
713 pages
Management Information System: Unit 5
No ratings yet
Management Information System: Unit 5
34 pages
Oman Presentation MDS 19th June
No ratings yet
Oman Presentation MDS 19th June
173 pages
Educause Security 2018
No ratings yet
Educause Security 2018
105 pages
Managing Digital Firms: Information Security: Unit 4
No ratings yet
Managing Digital Firms: Information Security: Unit 4
37 pages
Start With A Great Information Security Plan!
No ratings yet
Start With A Great Information Security Plan!
28 pages
Module-3: Information Security Management
No ratings yet
Module-3: Information Security Management
28 pages
Content
No ratings yet
Content
40 pages
SY0-071-Module 5 Powerpoint Slides
No ratings yet
SY0-071-Module 5 Powerpoint Slides
113 pages
Controls Against Program Threats & Authentication: By-Tushar Wamanse Roll No. 22, Msc-I, Sem-Ii
No ratings yet
Controls Against Program Threats & Authentication: By-Tushar Wamanse Roll No. 22, Msc-I, Sem-Ii
21 pages
Chapter 7
No ratings yet
Chapter 7
26 pages
Lesson 1 Introduction To Information Security
No ratings yet
Lesson 1 Introduction To Information Security
42 pages
Database Security: System Vulnerability and Abuse
No ratings yet
Database Security: System Vulnerability and Abuse
7 pages
DIS Unit-1
No ratings yet
DIS Unit-1
52 pages
Week 10 Cybersecurity
No ratings yet
Week 10 Cybersecurity
47 pages
5.0 Forensics Lecture 9
No ratings yet
5.0 Forensics Lecture 9
13 pages
Security and Protection
No ratings yet
Security and Protection
17 pages
CSCI 620 Lecture1
No ratings yet
CSCI 620 Lecture1
30 pages
ISACA Cybersecurity Nexus Cybersecurity Fundamentals Certificate ( PDFDrive )
No ratings yet
ISACA Cybersecurity Nexus Cybersecurity Fundamentals Certificate ( PDFDrive )
16 pages
CISSP Domain 1 Study Guide Security and Risk Management: CISSP Study Guide - Updated 2024, #1
From Everand
CISSP Domain 1 Study Guide Security and Risk Management: CISSP Study Guide - Updated 2024, #1
Gandiv
No ratings yet
Challenges and Ethical Issues in Artificial Intelligence
From Everand
Challenges and Ethical Issues in Artificial Intelligence
akosnemeth
No ratings yet
GitHub Mikeroyal Digital Forensics Guide Digital Forensics Guide
No ratings yet
GitHub Mikeroyal Digital Forensics Guide Digital Forensics Guide
30 pages
Xapp1239 Fpga Bitstream Encryption PDF
No ratings yet
Xapp1239 Fpga Bitstream Encryption PDF
16 pages
Axel Wirth, Christopher Gates, Jason Smith - Medical Device Cybersecurity for Engineers and Manufacturers
No ratings yet
Axel Wirth, Christopher Gates, Jason Smith - Medical Device Cybersecurity for Engineers and Manufacturers
303 pages
Venkata Sai Sandeep Vennam_10 yrs_Senior Identity & Access Management Engineer
0% (1)
Venkata Sai Sandeep Vennam_10 yrs_Senior Identity & Access Management Engineer
4 pages
155- Digital tools and challenges in human resource development and its potential within the maritime sector through bibliometric analysis
No ratings yet
155- Digital tools and challenges in human resource development and its potential within the maritime sector through bibliometric analysis
15 pages
external-debug-security
No ratings yet
external-debug-security
22 pages
Nokia 6233
No ratings yet
Nokia 6233
1 page
Flow Chart
No ratings yet
Flow Chart
34 pages
Curso CCSA - Aula 10 - V1.0
No ratings yet
Curso CCSA - Aula 10 - V1.0
40 pages
Business Email Imposters
No ratings yet
Business Email Imposters
2 pages
Huawei Mass Transit Solution Pre-Sales Training Slides
No ratings yet
Huawei Mass Transit Solution Pre-Sales Training Slides
58 pages
LO4 Build A Small Wireless LAN
No ratings yet
LO4 Build A Small Wireless LAN
43 pages
NIST - Digital Forensics and Incident Response (DFIR) Framework For Operational Technology (OT)
100% (1)
NIST - Digital Forensics and Incident Response (DFIR) Framework For Operational Technology (OT)
61 pages
Tata Tele Service Annual Report
No ratings yet
Tata Tele Service Annual Report
180 pages
Mitch
No ratings yet
Mitch
2 pages
DoDM 8140 03
No ratings yet
DoDM 8140 03
32 pages
5-Red Teaming Exchange
No ratings yet
5-Red Teaming Exchange
121 pages
Google Nortonlifelock Login
No ratings yet
Google Nortonlifelock Login
7 pages
Digital
No ratings yet
Digital
23 pages
Usarmy Comsec
No ratings yet
Usarmy Comsec
248 pages
Security Policy Template
No ratings yet
Security Policy Template
12 pages
Snowbe Security Plan
No ratings yet
Snowbe Security Plan
9 pages
LEGAL-IMPLICATIONS-OF-CYBERSECURITY-BREACHES-IN-INDIA-FRAMEWORKS-AND-LIABILITIES-by-Kritin-Sardana-Dikshant-Sharma
No ratings yet
LEGAL-IMPLICATIONS-OF-CYBERSECURITY-BREACHES-IN-INDIA-FRAMEWORKS-AND-LIABILITIES-by-Kritin-Sardana-Dikshant-Sharma
18 pages
Information Assurance and Security 1 Prelim Quiz 1: Question Text
No ratings yet
Information Assurance and Security 1 Prelim Quiz 1: Question Text
59 pages
Cybersecurity Risk Assessment Specialist Demo
No ratings yet
Cybersecurity Risk Assessment Specialist Demo
4 pages
Best Cyber Insights of 2024
No ratings yet
Best Cyber Insights of 2024
261 pages
QUESTIONS IMP FCP
No ratings yet
QUESTIONS IMP FCP
20 pages
Cybersecurity Finance Case Study Executive Summary Target 2k8v86l
No ratings yet
Cybersecurity Finance Case Study Executive Summary Target 2k8v86l
9 pages
Thesis On Corporate Governance and Risk Management PDF
100% (1)
Thesis On Corporate Governance and Risk Management PDF
8 pages