
U1 CHP 1

Uploaded by

unknownentity106
Copyright
© All Rights Reserved

Unit - I

Information Security Overview


• Unit - I
• Information Security Overview : The Importance
of Information Protection, The Evolution of
Information Security, Justifying Security
Investment, Security Methodology, How to Build a
Security Program, The Impossible Job, The
Weakest Link, Strategy and Tactics, Business
Processes vs. Technical Controls.
• Risk Analysis: Threat Definition, Types of Attacks,
Risk Analysis.
• Secure Design Principles: The CIA Triad and Other
Models, Defense Models, Zones of Trust, Best
Practices for Network Defense.
What is the importance of information protection? Explain.
Explain how important it is to protect information in any
organisation.
The Importance of Information Protection
• Information classified as policies, guidelines,
rules
• Depends on its importance, sensitivity,
vulnerability to theft and misuse
• Information can be classified in 5 levels
Public to private
Classification
Depends on the aspects of use of information
Labeling
distribution
Duplication
Release
Storage
Encryption
Disposal
Methods of transmission
NDA sanctioning- Confidential information OR
Specialized information
Example
• HIPAA (Health Insurance Portability and
Accountability Act of 1996)
PHI (Protected Health Information)
PII ( Personally Identifiable Information)
Financial Institutions
Federal Financial Institutions Examination Council
(FFIEC)
Information security provides
Confidentiality
Availability
Integrity
Evolution of security
Write a short note on evolution of information security.
Explain the concepts of information security models.
• Security model –
wide-open , closed and locked
• Uses of security models in applications
E-commerce
Business systems
Conceptual in terms of access of house
Intranet / extranet-----VPN
Internet application as SaaS (Software as a Service):
delivering an application over the internet as a service
Example:
Google Apps, Dropbox, Salesforce, Cisco WebEx,
Concur, GoToMeeting, Amazon Web Services
• SaaS is exploited through threats / viruses /
worms / man-in-the-middle attacks
Threats – anything that may or may not harm
the computer system.
The social networking
Cloud computing – supports the delivery of
hosted services on the internet.
Justifying security investment
How do you justify spending money on security? Explain
What are the benefits of strong security mechanism? Explain.
• Issues – FUD (Fear, Uncertainty, Doubt)
• ROI (Return On Investment)
• ALE (Annualized Loss Expectancy)
• Insurance – difficult to quantify
ALE = (Number of Incidents per Year) × (Potential Loss per Incident)
ROI = (ALE / Cost of Countermeasures) × 100%
• Security is not an investment that provides a
return, like a new factory or a financial
instrument. It's an expense that, hopefully,
pays for itself in cost savings. Security is about
loss prevention, not about earnings. The term
just doesn't make sense in this context.
Good security practices support:
robustness
expansion and growth
protection
global communication
Benefits of security
Business agility (change)
Cost reduction
Portability
service availability
confidentiality
protection
Business Agility
• Agility is the ability of an organization to adapt to
new conditions and to change its direction.
• Ease of Updates & Testing of New Solutions-
• Reduced risk of innovation—
• Easier budget allocation / cost reduction—
• Scale quickly / expansion and growth—
• Focus on strategic IT efforts—
Cost reduction
• Web site outage / DOS
• Publicity of security incident
• Increasing attacks – APT (Advanced Persistent
Threats)
Security methodology
The basic assumptions of security are :
• We want to protect our assets.
• There are threats to our assets.
• We want to mitigate those threats.
3 Ds of security / aspects of security
defense – access control mechanisms –
stateful firewalls
network access control
web content filtering

detection –
audit trails
log files
system and network intrusion detection and prevention
Security information and event management (SIEM)
Security operation centre (SOC)

deterrence / prevention
Communication programs
Training programs
Employee signature
Describe three Ds of security in context of your own home.
How to Build a Security Program? Explain
List and explain the components of building a security
program.
Authority
Framework
Assessment
Planning
Actions
Maintenance
• Explain any two components of building a
security program.
• Explain the following terminologies in context
to the security building program: security
program charter, Road map, Risk analysis ,
Gap analysis, Remediation plans
“The job of the attacker is always easier than the job of the
defender.” Explain.
Explain why the defender's job of protection is the impossible job
compared with the job of the attacker.
Write a short note on weakest link. How to
reduce the vulnerabilities?
Strategy and tactics
Describe the inter-relationship of strategy and tactics in security.
Differentiate between strategy and tactics in security.
Business Processes Vs technical controls /tools
Distinguish between Business Processes Vs technical controls /tools
