Lec 1 - Basics, Definitions

The document discusses the fundamentals of Information Security Management, focusing on computer security, cryptography, and the core elements of security such as confidentiality, integrity, and availability. It outlines the differences between threats, vulnerabilities, and attacks, as well as the OSI Security Architecture, which includes security attacks, services, and mechanisms. Additionally, it emphasizes the importance of aligning information security with business strategy and the responsibilities of enterprise security in managing risks and ensuring compliance.

Uploaded by Shaheer Khan

Information Security Management

Dr Hasan Tahir
[email protected]

Lecture 1
Computer Security
• Computer security, also known as cyber security or
IT security, is the protection of computer systems from
the theft or damage to hardware/ software/ information,
as well as from disruption or misdirection of the services
they provide.

• Cryptography is the practice and study of techniques for
ensuring secure communication.

• National Institute of Standards and Technology (NIST)
produces many standards and procedures for the
security industry.
Security: Core Elements
• Computation device – PC, laptop, tablet, smartphone,
watch, TV, … Remember the word asset.
• Information – The basic building block of all
communications. This is what the attacker is after
• Internet Security – Protect against fraud and attacks on
the internet
– Establishing trust between parties
– Ensuring secrecy of communications
– Protect against malicious entities, software and exploits
• Communication Security – prevention of unauthorized
access to telecommunications traffic
– Intercepting traffic
– Service Interruption
Threat Vs Attack
• Vulnerability is a weakness which allows an attacker to
reduce a system’s security assurance. From the
attacker’s view a vulnerability has three parts:
– a system weakness or flaw,
– attacker access to the flaw,
– attacker capability to exploit the flaw
• Threat - A potential for violation of security. Hence a
threat is a possible danger that might exploit a
vulnerability.
• Attack - an intelligent act that is a deliberate attempt to
evade security services and violate the security policy of
a system.
OSI Security Architecture
• Consists of three elements
– Security Attack – Any action that can cause a
compromise
– Security Service – A processing or communication
service that enhances security. Security services
are intended to counter security attacks, and they
make use of one or more security mechanisms to
provide the service.
– Security Mechanism – A process designed to
detect, prevent or recover from an attack
Security Attack
Passive Attacks
Passive attacks are in the nature of eavesdropping on, or
monitoring of, transmissions. The goal of the opponent is to
obtain information that is being transmitted.
Happens through traffic analysis, silent listening/
eavesdropping, release of message content (by somebody
else)
Active Attacks
Active attacks involve some modification of the data stream
or the creation of a false stream. Generally happens
through masquerading, replay, modification of messages,
and denial of service.
Masquerading
Takes place when one entity pretends to be a different
entity. Happens through defeating authentication, obtaining
privileges etc.

Replay
Capture a message and replay it later

Modification of messages
Messages are entirely or partially modified.

Denial of Service
Block services to cause unavailability of services.
Particularly dangerous in internet systems like e-health
systems.
Security Services: CIA triad
• Three security goals that need to be addressed
• Confidentiality
– Data Confidentiality
– Privacy
• Integrity
– Data integrity
– System Integrity
• Availability
Confidentiality

Confidentiality: Preserving authorized restrictions
on information access and disclosure, including
means for protecting personal privacy and
proprietary information. A loss of confidentiality is
the unauthorized disclosure of information.
Integrity

Guarding against improper information
modification or destruction. A loss of integrity is the
unauthorized modification or destruction of
information.
Ideally should protect against intentional and
unintentional modification.

no modification, no insertion, no deletion, no replay


Availability
Ensuring timely and reliable access to and use of
information. A loss of availability is the disruption of
access to or use of information or an information
system.

Particularly targeted by Denial of Service attacks


Other Goals
• Authentication - verifying that users are who they
say they are and that each input arriving at the
system came from a trusted source.
• Authorization - the function of specifying access
rights/privileges to resources.
• Nonrepudiation - is the assurance that a party
cannot deny a particular action.
Security Mechanisms
• Security mechanisms are used to implement security
services.
• Encipherment
• Digital signature
• Access Control mechanisms
• Data Integrity mechanisms
• Authentication Exchange
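The list above says that mechanisms implement services, and the Integrity slide says the goal is "no modification, no insertion, no deletion, no replay". The following is an added example, not part of the lecture, showing how one data-integrity mechanism (an HMAC-SHA256 tag bound to a sequence number) implements the integrity service against exactly those four active attacks. It assumes the two parties already share a key; the key, the message contents and the attack scenario are all constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed shared secret for the demonstration only (assumption: both parties
# already hold it; key distribution is outside the scope of this example).
SHARED_KEY = b"constructed-demo-key"


def _tag(key: bytes, seq: int, payload: bytes) -> str:
    """HMAC-SHA256 over (sequence number || payload), so the tag covers both."""
    return hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).hexdigest()


def protect(key: bytes, seq: int, payload: bytes) -> dict:
    """Sender side: attach a sequence number and an integrity tag to the payload."""
    return {"seq": seq, "payload": payload, "tag": _tag(key, seq, payload)}


class Receiver:
    """Receiver side of the data-integrity mechanism: check the tag, then the sequence."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.next_seq = 0  # sequence number we expect to see next

    def verify(self, msg: dict) -> str:
        # 1. Tag check: any change to payload or seq (modification), or a message
        #    built without the key (insertion / forgery), fails here.
        expected = _tag(self.key, msg["seq"], msg["payload"])
        if not hmac.compare_digest(msg["tag"], expected):
            return "rejected: modified or forged"
        # 2. Sequence check: an old number means a captured message is being replayed.
        if msg["seq"] < self.next_seq:
            return "rejected: replay"
        # 3. A jump forward means messages were lost or deleted in transit;
        #    the message itself is genuine, so accept it but report the gap.
        missing = msg["seq"] - self.next_seq
        self.next_seq = msg["seq"] + 1
        if missing:
            return f"accepted, but {missing} message(s) missing before it"
        return "accepted"


def run_scenario() -> list:
    """Constructed traffic: genuine, replayed, tampered, forged and dropped messages."""
    rx = Receiver(SHARED_KEY)
    m0 = protect(SHARED_KEY, 0, b"transfer 10 to alice")
    m1 = protect(SHARED_KEY, 1, b"transfer 5 to bob")
    m2 = protect(SHARED_KEY, 2, b"transfer 7 to carol")
    tampered = dict(m2, payload=b"transfer 700 to carol")      # payload changed, tag kept
    forged = protect(b"wrong-key", 3, b"transfer 9 to mallory")  # built without the key
    m4 = protect(SHARED_KEY, 4, b"transfer 1 to dave")           # seq 3 never delivered
    return [rx.verify(m) for m in (m0, m1, m1, tampered, forged, m2, m4)]


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

The tag alone would stop modification and insertion but not replay, because a captured genuine message still carries a valid tag; binding a sequence number into the tagged data is what lets the receiver tell a replay from a fresh message, and a gap in the numbers is the only signal it has that something was deleted.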
Purpose of ISM

• Strategic alignment—Aligning information security with business strategy
to support organizational objectives
• Risk management—Executing appropriate measures to mitigate risks and
reduce potential impacts on information resources to an acceptable level
• Value delivery—Optimizing security investments in support of business
objectives
• Resource management—Using information security knowledge and
infrastructure efficiently and effectively
• Performance measurement—Monitoring and reporting on information
security processes to ensure that objectives are achieved
• Integration—Integrating all relevant assurance factors to ensure that
processes operate as intended from end to end
Traditional Approach

“It is enough to communicate to the world of
stakeholders why we exist and what constitutes
success”
Modern Approach
“It is no longer enough to communicate to the
world of stakeholders why we exist and what
constitutes success, we must also communicate
how we are going to protect our existence”
Who is responsible?
• Enterprise security means viewing adequate
security as a non-negotiable requirement of
being in business.
• Integral and transparent part of enterprise
governance
• Must complement or encompass the IT
governance framework.
What is the responsibility?
• Advising corporate leaders
• Monitoring and assessing security risks to the business
• Coordinating security matters across the enterprise
• Ensuring the business can recover from a security incident
• Authoring and publishing security policies
• Monitoring and reporting on efficacy of security measures
• Creation of a security culture that will use security to the benefit of
the business
• Representing the business to the external security community
• Having an understanding of the security eco-system.
• Ensure compliance with relevant standards and guidelines