Lecture 01

Basics of

Information Security
Najeeb Ur Rehman, Assistant Professor, University of Gujrat
The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.
—The Art of War, Sun Tzu

• The combination of space, time, and strength that must be considered as the basic elements of this theory of defense makes this a fairly complicated matter. Consequently, it is not easy to find a fixed point of departure.
— On War, Carl von Clausewitz
Computer Security

• The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications)
[NIST 1995]
Key Security Concepts

Three Key Objectives
• Confidentiality: data confidentiality, privacy
• Integrity: data integrity, system integrity
• Availability
Additional concepts
• Authenticity
• Accountability
• Confidentiality Example: When you log in to your email account, you use a password to protect access to your messages. Only individuals who know the password (ideally, only you) can view your emails. In this example:
• Your email messages represent sensitive information.
• The password is an authentication credential: it lets the mail server decide whether the requester is who they claim to be. It is not encryption; the server still holds the messages in readable form and enforces confidentiality through access control (and by protecting the login and the messages in transit, typically with TLS).
• Only authorized users with the correct password can access the emails, ensuring confidentiality.
• Integrity Example: Before installing downloaded software, you calculate its hash value using a cryptographic hash function (for example SHA-256) and compare it to the hash value published by the developer. If they match, the file has not been modified since the developer hashed it, ensuring its integrity. This verification helps prevent the installation of corrupted or maliciously altered software, maintaining system integrity.
• The software file represents the information.
• Calculating and comparing hash values ensures the file's integrity, provided the published hash comes from a trusted source. If the hash is listed on the same server that serves the download, an attacker who can replace the file can also replace the hash; a digital signature over the file (or its hash) made with the developer's key closes this gap.
• By verifying the integrity of the file, you mitigate the risk of installing malicious or corrupted software, thereby maintaining the integrity of your system and data.
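An added worked example of the hash check above (it is not part of the original slides). The installer bytes, the "published" digest and the tampered copy are all constructed inline so it runs offline; the function names are illustrative. The last function deliberately shows the limitation noted above: when the attacker supplies both the file and the hash, the check passes.

```python
import hashlib
import hmac

# Constructed sample data (not a real download): GOOD_FILE stands in for an
# installer, PUBLISHED_SHA256 for the digest the developer publishes beside it.
GOOD_FILE = b"#!/bin/sh\necho 'installing example tool v1.0'\n"
PUBLISHED_SHA256 = hashlib.sha256(GOOD_FILE).hexdigest()

# A copy with an attacker-appended command: the kind of change a compromised
# mirror or a man-in-the-middle could make to the download.
TAMPERED_FILE = GOOD_FILE + b"echo 'extra command appended by attacker'\n"


def sha256_of(data: bytes, chunk_size: int = 64 * 1024) -> str:
    """Hash in fixed-size chunks, as a tool hashing a large file from disk would."""
    h = hashlib.sha256()
    for offset in range(0, len(data), chunk_size):
        h.update(data[offset:offset + chunk_size])
    return h.hexdigest()


def verify_download(data: bytes, published_hex: str) -> bool:
    """True only if the file's digest equals the published digest.

    hmac.compare_digest is constant-time, so a partial match does not leak
    through timing; hex is normalised to lower case because publishers differ.
    """
    actual = sha256_of(data).lower()
    expected = published_hex.strip().lower()
    return hmac.compare_digest(actual, expected)


def attacker_publishes_own_hash(tampered: bytes) -> bool:
    """The limitation of the check: if the attacker controls both the file and
    the page that lists the hash, they simply publish the digest of their own
    file and verification passes. Only a hash obtained over an independent,
    trusted channel (or a signature with the developer's key) defeats this."""
    attacker_hex = hashlib.sha256(tampered).hexdigest()
    return verify_download(tampered, attacker_hex)


if __name__ == "__main__":
    print("genuine file verifies:", verify_download(GOOD_FILE, PUBLISHED_SHA256))
    print("tampered file verifies:", verify_download(TAMPERED_FILE, PUBLISHED_SHA256))
    print("tampered file with attacker's own hash verifies:",
          attacker_publishes_own_hash(TAMPERED_FILE))
```

The genuine file verifies, the tampered file fails against the developer's digest, and the tampered file "verifies" against a digest the attacker computed, which is why the digest must be trusted independently of the download.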
• Availability Example: A company's website is hosted on multiple servers in
different locations. If one server experiences a technical issue or a cyber attack,
the traffic is automatically redirected to another server, ensuring the website
remains accessible to users. In this example:
• The company's website represents a critical resource.
• Multiple servers and automatic failover mechanisms provide redundancy.
• Users can access the website consistently, even if one server is unavailable,
maintaining availability.
Browser Activity

• 3 levels of impact from a security breach (the potential-impact levels defined in FIPS 199):
• Low: limited adverse effect on operations, assets or individuals
• Moderate: serious adverse effect
• High: severe or catastrophic adverse effect
Computer Security Challenges

1. Security is not simple.
2. Must consider potential attacks on the security features.
3. The procedures used to provide a service are often counter-intuitive.
4. Mechanisms typically involve algorithms and secret information (keys).
5. Must decide where to deploy the mechanisms, physically and logically.
6. A battle of wits between attacker and administrator/designer.
7. The benefit is not perceived until security fails.
8. Requires regular, even constant, monitoring.
9. Too often an afterthought, added after the design is complete.
10. Regarded as an impediment to using the system efficiently.
Aspects of Security

• 3 aspects of information security:
• security attack: any action that compromises the security of information
• security mechanism: a process designed to detect, prevent, or recover from a security attack
• security service: a service that enhances security by countering attacks, using one or more security mechanisms
• Terms
• threat – a potential for violation of security: a circumstance, capability, action or event that could breach security and cause harm
• attack – an assault on system security derived from an intelligent threat: a deliberate attempt to evade security services and violate the security policy of a system
Passive Attacks

• Passive attacks do not affect system resources
• Eavesdropping, monitoring
• Two types of passive attacks
• Release of message contents
• Traffic analysis
• Passive attacks are very difficult to detect
• Message transmission apparently normal
• No alteration of the data
• Emphasis on prevention rather than detection
• By means of encryption, which hides message contents but not traffic patterns (who talks to whom, how often, and how much)
Passive Attacks (1): Release of Message Contents
Passive Attacks (2): Traffic Analysis
Active Attacks

• Active attacks try to alter system resources or affect their operation
• Modification of data, or creation of false data
• Four categories
• Masquerade: one entity pretends to be a different entity
• Replay: passive capture of a data unit and its later retransmission to produce an unauthorized effect
• Modification of messages: part of a legitimate message is altered, or messages are delayed or reordered
• Denial of service: preventing or inhibiting normal use of communications facilities
• Against a specific target or an entire network
• Difficult to prevent absolutely, because of the wide variety of potential vulnerabilities
• The goal is to detect and recover
Active Attacks (1): Masquerade
Active Attacks (2): Replay
Active Attacks (3): Modification of Messages
Active Attacks (4): Denial of Service
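An added worked example (not from the original slides) of the "detect and recover" stance for three of the four active-attack categories: a sender attaches an HMAC-SHA256 tag, a nonce and a timestamp to each message, and the receiver rejects messages whose tag does not verify (masquerade, modification) or whose nonce or timestamp it has already seen or finds stale (replay). The shared key, the `make_message`/`Receiver` names and the message contents are illustrative assumptions, and the clock is fixed so the run is deterministic.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Set, Tuple

# Constructed shared key for the example only; real systems obtain keys from
# key management, never from a source file.
SHARED_KEY = b"example-shared-key-not-for-production"


def canonical(body: Dict) -> bytes:
    """Serialise deterministically so sender and receiver MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_message(key: bytes, payload: Dict,
                 nonce: Optional[str] = None, now: Optional[float] = None) -> Dict:
    """Sender side: add a fresh nonce and a timestamp, then an HMAC-SHA256 tag
    over the whole body. Computing the tag requires the key, so it ties the
    message to a legitimate sender; nonce and timestamp make each message unique."""
    body = {
        "payload": payload,
        "nonce": nonce if nonce is not None else secrets.token_hex(16),
        "ts": now if now is not None else time.time(),
    }
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Receiver side: verify the tag first, then freshness, then uniqueness."""

    def __init__(self, key: bytes, window_seconds: float = 30.0):
        self.key = key
        self.window = window_seconds
        self.seen_nonces: Set[str] = set()  # only needs entries within the window

    def accept(self, msg: Dict, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        expected = hmac.new(self.key, canonical(msg["body"]), hashlib.sha256).hexdigest()
        # Constant-time compare. A wrong tag means either an unknown sender
        # (masquerade) or a body changed after it was tagged (modification).
        if not hmac.compare_digest(expected, msg["tag"]):
            return False, "bad MAC: masquerade or modification"
        # The timestamp window bounds how long nonces must be remembered.
        if abs(now - msg["body"]["ts"]) > self.window:
            return False, "timestamp outside window: stale or replayed"
        nonce = msg["body"]["nonce"]
        if nonce in self.seen_nonces:
            return False, "nonce already seen: replay"
        self.seen_nonces.add(nonce)
        return True, "accepted"


def run_scenarios() -> Dict[str, bool]:
    """Drive one legitimate message and several active attacks against a receiver."""
    rx = Receiver(SHARED_KEY)
    t0 = 1_700_000_000.0  # fixed clock so the run is deterministic
    legit = make_message(SHARED_KEY, {"action": "transfer", "amount": 100},
                         nonce="n1", now=t0)
    results = {}
    results["legit"] = rx.accept(legit, now=t0 + 1)[0]
    # Replay: the identical, correctly tagged message is sent a second time.
    results["replay"] = rx.accept(legit, now=t0 + 2)[0]
    # Modification: the amount in a captured message is changed; the tag no longer matches.
    modified = json.loads(json.dumps(legit))
    modified["body"]["payload"]["amount"] = 100000
    results["modified"] = rx.accept(modified, now=t0 + 1)[0]
    # Masquerade: an attacker without SHARED_KEY tags a message with a guessed key.
    forged = make_message(b"attacker-guessed-key", {"action": "transfer", "amount": 100},
                          nonce="n2", now=t0)
    results["masquerade"] = rx.accept(forged, now=t0 + 1)[0]
    # Stale replay: a genuinely tagged message captured an hour ago and resent now.
    old = make_message(SHARED_KEY, {"action": "ping"}, nonce="n3", now=t0 - 3600)
    results["stale_replay"] = rx.accept(old, now=t0)[0]
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:13s} accepted={ok}")
```

Only the first message is accepted; the replay, the modified copy, the forged message and the hour-old message are all rejected with a reason the receiver can log. Denial of service is the one category this does not address: a flood of bad messages still costs the receiver a MAC computation each, so it needs rate limiting and capacity rather than cryptography.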
Security Service
• enhances the security of data processing systems and information transfers of an organization
• intended to counter security attacks
• using one or more security mechanisms
• often replicates functions normally associated with physical documents
• which, for example, have signatures and dates; need protection from disclosure, tampering, or destruction; may be notarized or witnessed; may be recorded or licensed
