DH-INT1472-CLC-Chapter 1 - Introduction To Information Security

POSTS AND TELECOMMUNICATIONS INSTITUTE OF TECHNOLOGY

COURSE LECTURE NOTES

FUNDAMENTALS OF INFORMATION SECURITY

CHAPTER 1 – INTRODUCTION TO INFORMATION SECURITY

Lecturer: Assoc.Dr. Hoàng Xuân Dậu
Faculty: Information Security

REFERENCES
1. Hoàng Xuân Dậu, Bài giảng An toàn và bảo mật hệ thống thông tin, Học viện Công nghệ BC-VT, 2021.
2. David Kim, Michael G. Solomon, Fundamentals of Information Systems Security, Jones & Bartlett Learning, 2012.
3. Michael E. Whitman, Herbert J. Mattord, Principles of Information Security, 4th edition, Course Technology, Cengage Learning, 2012.
4. Matt Bishop, Introduction to Computer Security, Prentice Hall, 2004.
5. William Stallings, Cryptography and Network Security: Principles and Practice, Pearson, 2016.
6. Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone, Handbook of Applied Cryptography, CRC Press, October 1996.

COURSE ASSESSMENT

❖ Mark components:
▪ Class attendance: 10%
▪ Midterm exam: 10%
▪ Minor project: 20%
▪ Final exam: 60%

COURSE TOPICS

1. Introduction to information security
2. Common attacks and malware
3. Cryptographic Techniques for Information Security
4. Techniques and Technologies for Information Security
5. Information security management, laws and policies.

Content of Chapter 1

❖ Introduction to information security (IS) and information systems security (ISS)
❖ Requirements of information systems security
❖ Seven domains of information technology infrastructure and information security threats
❖ General model for ensuring security of information.

1.1 Introduction to IS and ISS

Why do we need to ensure the security of information and information systems?

❖ There are 2 major reasons:
▪ We are living in a connected world, and
▪ There have been many risks and threats to the security of information, systems and networks.

Reasons to ensure the security of information and IS

❖ Because we are living in a connected world:
▪ Most communication and computing devices have an Internet connection;
▪ “Deep and wide” connected systems are becoming very popular:
• Smart community
• Smart city
• Smart home,…
▪ The concepts of Internet of Things (IoT) and Internet of Everything (IoE) are becoming ‘hot’;
▪ Systems that are not connected have limited functionality.

❖ There have been many risks and threats to the security of information, systems and networks:
▪ Being attacked by hackers;
▪ Being attacked or abused by users;
▪ Being infected by malicious software (viruses, worms,...);
▪ Risks of eavesdropping, theft and alteration of information;
▪ Vulnerabilities or defects of hardware or software.

[Figure: Connected world with many risks and threats]

[Figure: Common risks and threats to the security of information and systems]

Introduction to the information system

❖ What is an information system (IS)?
▪ An information system is
• An integrated system of components
• For the collection, storage, processing and transfer of information, knowledge and digital products.
▪ Organizations and enterprises use information systems to implement and manage their activities, including:
• Interacting with customers;
• Interacting with suppliers;
• Interacting with regulatory agencies;
• Promoting brands and products;
• Competing with market competitors.

[Figure: A model of an information system]

❖ Types of information systems (tower model) based on users:
▪ Transactional Processing Systems for Workers;
▪ Management Information Systems for Middle Managers;
▪ Decision Support Systems for Senior Managers;
▪ Executive Information Systems for Executives.

[Figure: Tower model of information systems]

❖ Typical information systems:
▪ Data warehouses
▪ Enterprise resource planning systems
▪ Enterprise systems
▪ Expert systems
▪ Search engines
▪ Geographic information system
▪ Global information system
▪ Office automation systems.

❖ A Computer-Based Information System is an information system that uses computer technologies to carry out tasks.
❖ Components of the computer-based information system:
▪ Hardware is for collection, storage, processing and representation of data;
▪ Software runs on hardware to process the data;
▪ Database for data storage;
▪ Network for information and data communications;
▪ Procedures are sets of instructions that combine the above components for data processing in order to produce the expected output results.

Information security and its components

❖ What is information security?
▪ Information security is the protection of information against unauthorized access, use, disclosure, modification or destruction.

❖ Two areas of information security:
▪ Information technology (IT) security
• Also called computer security or, more broadly, security for IT-based systems.
• The IT-based systems of an organization need to be protected from network attacks.
▪ Information assurance
• Ensure information is not lost when problems occur (natural disasters, system failures, theft, sabotage, etc.);
• Off-site backups are usually used for this purpose.

❖ Components of information security:
▪ Computer and data security
▪ Network security
▪ Management of information security
▪ Information security policy.

[Figure: 4 components of information security]

❖ Computer and data security:
▪ Ensuring the security of operating systems, applications, and services;
▪ Access control issues;
▪ Data encryption and security issues;
▪ Malware prevention issues;
▪ Backing up to create data redundancy, ensuring that data stored in the computer is not lost when an incident occurs.

❖ Network security:
▪ Firewalls, proxies for packet filtering and access control;
▪ Virtual private network and information transmission security techniques such as SSL/TLS, PGP;
▪ Techniques and systems to detect and prevent attacks and intrusions;
▪ Network monitoring.

❖ Management of information security:
▪ Risk management
• Identification
• Evaluation
▪ Implement information security management
• Planning
• Execute the plan
• Monitor implementation results
• Implement controls.

❖ Information security policy:
▪ Physical security policy
▪ Organizational security policy
▪ Logical security policy.

What is Information Systems Security?

❖ Information Systems Security (ISS) is the assurance of the security requirements of information systems, including:
▪ Confidentiality
▪ Integrity
▪ Availability

[Figure: ISS model]

ISS Requirements - Confidentiality

❖ Confidentiality ensures that only authorized users can access information and systems;
❖ Confidential information may include:
▪ Private data of users;
▪ Copyright information or products of enterprises or organizations;
▪ National security information.

❖ Confidentiality can be ensured by an encrypted channel, such as a VPN (Virtual Private Network).

ISS Requirements - Integrity

❖ Integrity ensures that information can only be modified by authorized users.
❖ Integrity is related to the validity and accuracy of data;
▪ In some organizations, information has very high value, such as digital music copyright, software copyright, invention copyright,...
▪ Any unauthorized modification will adversely affect the value of this information.
❖ Data has integrity if:
▪ Data is not modified;
▪ Data is valid, and;
▪ Data is accurate.

[Figure: Integrity ensures that information can only be modified by authorized users]

ISS Requirements - Availability

❖ Availability ensures that information can be accessed by legitimate users whenever they need it;
❖ Availability can be measured by the following factors:
▪ Service uptime
▪ Service downtime
▪ Service rate A = (Uptime)/(Uptime + Downtime)
▪ Average time between incidents
▪ Average stop time for maintenance
▪ Recovery time after incidents.
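
Added example (not part of the original lecture notes): computing the availability measures listed above from a constructed outage log, counting overlapping outages once. The log, the observation window and all function names are assumptions; "average time between incidents" is taken here as uptime divided by the number of incidents.

```python
from datetime import datetime, timedelta

# Constructed sample data: one 30-day observation window and its outages.
WINDOW_START = datetime(2024, 1, 1)
WINDOW_END = datetime(2024, 1, 31)
OUTAGES = [  # (start, end, kind)
    (datetime(2024, 1, 3, 2, 0), datetime(2024, 1, 3, 4, 0), "maintenance"),
    (datetime(2024, 1, 10, 14, 0), datetime(2024, 1, 10, 15, 30), "incident"),
    # Overlaps the incident above; the shared time must be counted once.
    (datetime(2024, 1, 10, 15, 0), datetime(2024, 1, 10, 17, 0), "incident"),
    (datetime(2024, 1, 20, 1, 0), datetime(2024, 1, 20, 2, 0), "maintenance"),
    (datetime(2024, 1, 25, 9, 0), datetime(2024, 1, 25, 9, 30), "incident"),
]

def merge(intervals):
    """Merge overlapping (start, end) intervals so no downtime is counted twice."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def total(intervals):
    """Sum the durations of a list of (start, end) intervals."""
    return sum((end - start for start, end in intervals), timedelta())

def hours(delta):
    return delta.total_seconds() / 3600

def availability_report(window_start, window_end, outages):
    # Clip every outage to the observation window, dropping those outside it.
    clipped = [(max(s, window_start), min(e, window_end), k)
               for s, e, k in outages if e > window_start and s < window_end]
    downtime = total(merge([(s, e) for s, e, _ in clipped]))
    uptime = (window_end - window_start) - downtime
    incidents = merge([(s, e) for s, e, k in clipped if k == "incident"])
    maintenance = merge([(s, e) for s, e, k in clipped if k == "maintenance"])
    n_inc, n_maint = len(incidents), len(maintenance)
    return {
        "uptime_h": hours(uptime),
        "downtime_h": hours(downtime),
        # Service rate A = Uptime / (Uptime + Downtime)
        "A": uptime / (uptime + downtime),
        "avg_time_between_incidents_h": hours(uptime) / n_inc if n_inc else None,
        "avg_maintenance_stop_h": hours(total(maintenance)) / n_maint if n_maint else None,
        "avg_recovery_h": hours(total(incidents)) / n_inc if n_inc else None,
    }

REPORT = availability_report(WINDOW_START, WINDOW_END, OUTAGES)
```
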

[Figure: Availability examples]

Seven domains in IT infrastructure and threats

❖ IT infrastructure can be divided into 7 domains:
▪ User domain
▪ Workstation domain
▪ LAN domain
▪ LAN-to-WAN domain
▪ WAN domain
▪ Remote Access domain
▪ Systems/Applications domain.

[Figure: 7 domains of IT infrastructure]

Threats of IT infrastructure

❖ Threats to user domain:
▪ Lack of awareness of security issues
▪ Disregard safety policies
▪ Violate security policy
▪ Put CD / DVD / USB with personal files into the system
▪ Download photos, music, videos
▪ Destroy data, applications and systems
▪ Malicious attacks from dissatisfied employees
▪ Employees can commit blackmail or seize important information.

❖ Threats to workstation domain:
▪ Unauthorized access to workstation
▪ Unauthorized access to systems, applications and data
▪ Security vulnerabilities in workstation operating system
▪ Security vulnerabilities in workstation applications
▪ Risks from viruses, malicious code and other malware
▪ Users put CD / DVD / USB with personal files into the system
▪ Users download photos, music, videos.

❖ Threats to LAN domain:
▪ Unauthorized access to physical LANs
▪ Unauthorized access to systems, applications, and data
▪ Security vulnerabilities in the operating system
▪ Security vulnerabilities in the server software applications
▪ Threat from rogue users in WLAN
▪ Confidentiality of data in WLANs can be threatened
▪ The instructions and configuration standards for LAN servers have not been complied with.

❖ Threats to LAN-to-WAN domain:
▪ Unauthorized probing and scanning of service ports
▪ Unauthorized access
▪ Security flaws in routers, firewalls and other network devices
▪ Local users (in the LAN) can download files with unidentified content from unknown sources.

❖ Threats to WAN domain:
▪ Risk from the fact that data can be accessed in an open and public environment
▪ Most data is transmitted in clear form (cleartext / plaintext)
▪ Vulnerable to eavesdropping
▪ Vulnerable to malicious attacks
▪ Vulnerable to Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
▪ Attackers can freely and easily send emails with virus attachments, worms and malware.

❖ Threats to Remote access domain:
▪ Brute force attacks on usernames and passwords
▪ Attacks on login system and access control
▪ Unauthorized access to IT systems, applications and data
▪ Confidential information can be stolen remotely
▪ Data leakage due to breach of data classification standards.

❖ Threats to System/Application domain:
▪ Unauthorized access to the data center, computer room, or cable cabinets
▪ Difficulties in managing servers that require high availability
▪ Vulnerabilities in managing the software applications of the operating system
▪ Security issues in the virtual environment of cloud computing
▪ Damage or loss of data.

General model for information system security

❖ Principles of information, system and network security:
▪ Defense in Depth: Create multiple layers of protection, combining the performance of each layer to ensure maximum security for information, systems and networks.
▪ A single layer or a single defensive tool often does not guarantee safety.
▪ There are no absolutely secure information systems:
• Absolutely secure information systems are usually closed systems and are of little or no value to users.
• It is necessary to balance security, usability and investment costs.

[Figure: Balance among security, usability and costs]

[Figure: Layered Security Model or Defence in Depth]

❖ Typical defensive layers:
▪ Plant security
• Physical security
• Policies and procedures
▪ Network security
• Security cells and DMZ
• Firewalls an
▪ System integrity
• System hardening
• User account management
• Patch management
• Malware detection and prevention.
