Scribd
Upload
158 views38 pages

Week1. Introduction To Information Security. Basic Terminology

This document provides an overview of the topics to be covered in a 15-week information security course. It will introduce basic terminology, security concepts like confidentiality and integrity, and types of threats. Students will learn about attacks and how to protect against them. The course objectives are to provide a foundation in security principles and evaluation methods through weekly lectures, labs, and assignments over the semester.

Uploaded by

Абзал Калдыбеков
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
158 views38 pages

Week1. Introduction To Information Security. Basic Terminology

This document provides an overview of the topics to be covered in a 15-week information security course. It will introduce basic terminology, security concepts like confidentiality and integrity, and types of threats. Students will learn about attacks and how to protect against them. The course objectives are to provide a foundation in security principles and evaluation methods through weekly lectures, labs, and assignments over the semester.

Uploaded by

Абзал Калдыбеков
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 38

Week1.

Introduction to Information
Security. Basic Terminology.

Lecture slides by Zhanbolat Seitkulov

January IITU, Information Security 1


Teaching
•  Lectures – by Me (15 lectures on a weekly
basis)
•  Labs and Practical sessions – also by Me

•  Contact
Email: [email protected]
Office 802 or 112

January IITU, Information Security 2


Some information to help you to take
this module

January IITU, Information Security 3


Course Objectives
•  15 lectures – one per week
–  Provide overview of Security Principles
•  Encryption, Network Security, Software Security, Data and
Network Protection methods
•  Laboratory works and Quizzes
•  Prerequisites:
–  Information systems
–  Networking
•  Programming and Basic Mathematical skills
•  Attendance is desirable!
January IITU, Information Security 4
What you can get from this course
•  Why protect? What protect? How protect?
•  Sorts of threats against modern computers
and networks
–  Network attacks, types of worms and viruses
•  How the above problems is being solved in the
industry
–  Concepts of encryption, hardware and software
protection (firewall, IDS, policies and procedures)

January IITU, Information Security 5


Syllabus at a glance
•  Basic terminology.
•  Classical Encryption. Early cryptography. Rotor machines: Enigma and its
relatives.
•  Block ciphers and the Data Encryption Standard.
•  Basic concepts in Number Theory and Finite Fields
•  Advanced Encryption Standard
•  Public Key Cryptography and RSA.
•  Cryptographic Hash Function
•  Digital Signatures
•  User Identification and Authentication
•  Access Control (Authorization)
•  Network Firewalls
•  Risk Management

January IITU, Information Security 6


How to take this course: reading
Basic literature (Required Reading!):
•  Cryptography and Network Security by
William Stallings, 5th edition, 2006
•  Security in Computing by Charles P. Pfleeger
and Shari Lawrence Pfleeger, 4th edition, 2006

January IITU, Information Security 7


How to take this course: schedule
•  Attend all lectures
•  Submit assignments on time
–  Do not leave until the last minute
–  Marks will be deducted for late submission (-10% for
each day)
–  Cannot mark what is not there
–  Plagiarism … will be detected!
•  Penalty will be given according to the University’s plagiarism
policy
•  See assignment description for submission date

January IITU, Information Security 8


Assessment
•  First term
–  Laboratory works (5x10%) = 50%
–  Quizzes (5x5%) = 25%
–  Term Exam 25%
•  The same for the second term
•  Overall mark:
–  30% - 1st term
–  30% - 2nd term
–  40% - Final Examination
January IITU, Information Security 9
Questions?

January IITU, Information Security 10


Basic Concepts and Terminology
•  Vulnerability
•  Threat
•  Attack
•  Security concepts:
–  Confidentiality, Integrity, Availability
•  Security Service

January IITU, Information Security 11


Vulnerability
•  Some state of the system of being open to
attacks or injuries.
•  Example in house analogy:
–  “Open Door” is the vulnerability for thieves

January IITU, Information Security 12


Threat
•  A statement of an intention to injure, damage
or any other enemy action.
•  A potential for violation of security.
•  In case of “house” example:
–  “Loss of Money” is a threat

January IITU, Information Security 13


•  4 kind of threats:
–  Interception
–  Interruption
–  Modification
–  Fabrication

January IITU, Information Security 14


•  Interception – unauthorized access to a data.
•  For example,
–  Illegal copying of program or data files

Source: https://genesisdatabase.wordpress.com/
January IITU, Information Security 15
•  Interruption – a data of the system becomes
lost, unavailable, or unusable.
•  Examples include
–  Erasure of a program or data file
–  Malicious destruction of a hardware device

Source: https://genesisdatabase.wordpress.com/
January IITU, Information Security 16
•  Modification – unauthorized, change tamper
with a data.
•  For example,
–  Someone might change the values in a database

Source: https://genesisdatabase.wordpress.com/
January IITU, Information Security 17
•  Fabrication – E.g. Unauthorized insertion to a
existing database.

Source: https://genesisdatabase.wordpress.com/
January IITU, Information Security 18
Attack
•  An assault on system security
•  A deliberate attempt to evade security
services

•  Kind of attacks:
–  Passive attacks
–  Active attacks

January IITU, Information Security 19


Passive Attacks

Source: Cryptography and Network Security by Stallings


January IITU, Information Security 20
Passive Attacks (cont.)

Source: Cryptography and Network Security by Stallings


January IITU, Information Security 21
Active Attacks

Source: Cryptography and Network Security by Stallings


January IITU, Information Security 22
Active Attacks (cont.)

Source: Cryptography and Network Security by Stallings


January IITU, Information Security 23
Why to attack? (MOM)
•  Method: skills, knowledge, tools, etc.
•  Opportunity: time and access
•  Motive: fame, money, etc.

January IITU, Information Security 24


Key Security Concepts
•  Used to prevent weaknesses from being
exploited
– Confidentiality – access only by authorized users;
E.g. Student grades
– Integrity – modify only by authorized users; E.g.
Patient information
– Availability – E.g. Users want to check their
accounts

January IITU, Information Security 25


Relationship between Confidentiality,
Integrity, and Availability

January IITU, Information Security 26


How to avoid security attacks?
•  Think about vulnerabilities

January IITU, Information Security 27


•  Viruses, worms, trojans

January IITU, Information Security 28


•  Servers, server rooms, laptops, etc. (Physical
Security)

January IITU, Information Security 29


•  Data protection
–  The most important thing in majority of
information systems

January IITU, Information Security 30


How to protect? 3Ds of Security
•  Defense – reducing risks and saving costs of
incidents (E.g. Firewalls, antivirus software,
spam filters, etc.)
•  Deterrence – punishing makes attackers think
twice (E.g. Laws, organizational policies and
procedures)
•  Detection – need alert if security incident
occurs (E.g. Audit logs, intrusion detection
system, network traffic monitoring)
January IITU, Information Security 31
How to protect? Security Service
•  Enhance security of data processing systems
and information transfers of an organization
•  Intended to counter security attacks
–  Using one or more security mechanisms
•  Often replicates functions normally associated
with physical documents
–  E.g. have signatures, dates; need protection from
disclosure

January IITU, Information Security 32


Security Services
•  X.800:
–  “a service provided by a protocol layer of
communicating open systems, which ensures
adequate security of the systems or of data
transfers”
•  RFC 2828:
–  “a processing or communication service provided
by a system to give a specific kind of protection to
system resources”

January IITU, Information Security 33


Security Services (X.800)
•  Authentication – assure that communication entity is
the one claimed
•  Access Control – prevention of the unauthorized use of
a resource
•  Data Confidentiality – protection of data from
unauthorized disclosure
•  Data Integrity – assure that data received is as sent by
an authorized entity
•  Non-Repudiation – protection against denial by one of
the parties in a communication
•  Availability – resource accessible/usable.

January IITU, Information Security 34


Security Mechanisms (X.800)
•  Features designed to protect, prevent, or
recover from a security attack
•  No single mechanism that will support all
services required

•  Specific security mechanisms:


–  Encipherment, digital signatures, access controls,
data integrity, authentication

January IITU, Information Security 35


Summary
•  Basic Information Security Terminology
•  Key Security Concepts
–  Confidentiality, Integrity, Availability
•  Subject of attacks? Hardware, Software and Data
•  How to avoid attacks?
–  Think about vulnerabilities
•  How to protect?
–  3 Ds: Defense, Deter, Detect
–  Security Services

January IITU, Information Security 36


Reading
•  Cryptography and Network Security by
Stallings
•  Chapter 1:
–  Sections 1.1, 1.3, 1.4, 1.5, 1.8

January IITU, Information Security 37


Introduction to Information
Security. Basic Terminology.
Lecture slides by Zhanbolat Seitkulov

January IITU, Information Security 38

You might also like