Information Security

Course Detail
Objectives:
Upon completion of this course, participants will have gained
knowledge of information security concepts, basic components
and applications.
Class hour:
■ 3 Hours per week
■ Total Credit Hours: 45
Course Credit
■ Total Credit : 3
■ Internal Assessment: 30 Marks
■ Final : 45 Marks
 Course Outline- Units
1. Introduction to Information Security- 4
Hrs
2. Malicious code and application attacks - 8 Hrs
3. Cryptography and Key Management - 8 Hrs
4. Authentication and Access Control – 5
Hrs
5. Network Security- 5 Hrs
6. Auditing and Monitoring – 4 Hrs
7. Legal, Ethical and Professional issues in InfoSec – 6 Hrs
8. Disaster Recovery and Business Continuity – 5 hrs
 References
Lecture notes and Papers provided in the class.
Additional references
■ International Information Systems Security Certification
Consortium (ISC)2 CISSP Certification Books
■ Information Systems Audit and Control Association (ISACA)
CISA Certification Books.
■ EC Council Certified Ethical Hacker (CEH) Resources
 Detail Course Outline-1
Unit 1 4
■ The History of Information Security
■ What Is Information Security?
■ Critical Characteristics of Information
■ Information security concepts and practices ( CIA and other
practices)
■ Balancing Security and Access
Unit 2 8
■ Malicious code
■ Password attacks
■ DOS Attack
■ Application attacks
■ Web application security
■ Reconnaissance attack
■ Masquerading attack
 Detail Course Outline-2
Unit 3
8
■ Basics of cryptography
■ Symmetric Cryptography (DES, Triple DES, AES, Key distribution)
■ Asymmetric cryptography
• Public and private keys
• RSA
• Elliptic curve
• Hash function
• Digital signatures
• PKI
■ Applied cryptography
Unit 4 5
■ Overview of access control
■ Authentication and Authorization
■ Identification and authentication techniques
■ Access control techniques
■ Access control methodologies, implementations and administration
 Detail Course Outline-3
Unit 5 5
■ LAN security
■ Wireless security threats and mitigation
■ Internet threats and security
■ Remote access security management
■ Network attack and countermeasures

Unit 6
■ Auditing
■ Monitoring
■ Penetration-testing techniques
■ Inappropriate activities
■ Indistinct threats and countermeasures
 Detail Course Outline-4
Unit 7 6
■ Types of Law
■ Relevant Laws ( Computer Crime, IP, Licensing, Privacy)
■ International Laws and Legal Bodies
■ Ethical Concepts in Information Security
■ Codes of Ethics, Certifications, and Professional Organizations

Unit 8
■ Business continuity planning
■ Business impact assessment
■ BCP documentation
■ Nature of disaster
■ Disaster recovery planning
Unit 1
 Data, Information and
Knowledge
Data
recording of “something” measured
Raw material, just measured
Information
Information is the result of processing, manipulating and organizing
data in a way that adds to the knowledge of the receiver.
Processed data
Knowledge
Knowledge is normally processed by means of structuring, grouping,
filtering, organizing or pattern recognition.
Highly structured information
Information Systems is the collection of hardware, software,
data, people and procedures that are designed to generate
information that supports the day-to-day, operations.
 What is Information Security?
Information security is the process of protecting information from
unauthorized access, use, disclosure, destruction, modification,
or disruption
The protection of computer systems and information from harm,
theft, and unauthorized use.
Protecting the confidentiality, integrity and availability of
information
Information security is an essential infrastructure technology to
achieve successful information-based society
Highly information-based company without information security
will lose competitiveness

What kind of protection?

Protecting important document / computer
Protecting communication networks
Protecting Internet
Protection in ubiquitous world
 Cryptology =
Cryptography + Cryptanalysis
Cryptography : designing secure cryptosystems
Cryptography (from the Greek kryptós and gráphein, “to write”)
was originally the study of the principles and techniques by which
information could be concealed in ciphers and later revealed by
legitimate users employing the secret key.

Cryptanalysis : analyzing the security of cryptosystems

Cryptanalysis (from the Greek kryptós and analýein, “to loosen”
or “to untie”) is the science (and art) of recovering or forging
cryptographically secured information without knowledge of the
key.

Cryptology : science dealing with information security

Science concerned with data communication and storage in
secure and usually secret form. It encompasses both
cryptography and cryptanalysis.
 Historical Aspects of InfoSec -1
Earliest InfoSec was physical security
In early 1960, a systems administrator worked on Message of the
Day (MOTD) and another person with administrative privileges
edited the password file. The password file got appended to the
MOTD.
In the 1960s, ARPANET was developed to network computers in
distant locations
MULTICS operating systems was developed in mid-1960s by MIT,
GE, and Bell Labs with security as a primary goal
In the 1970s, Federal Information Processing Standards (FIPS)
examines DES (Data Encryption Standard) for information
protection
DARPA creates a report on vulnerabilities on military information
systems in 1978

13
 Historical Aspects of InfoSec -2
In the 1980s the security focus was concentrated on
operating systems as they provided remote
connectivity
In the 1990s, the growth of the Internet and the
growth of the LANs contributed to new threats to
information stored in remote systems
IEEE, ISO, ITU-T, NIST, ISACA, (ISC)2 and other
organizations started developing many standards for
secure systems
Information security is the protection of information
and the systems and hardware that use, store, and
transmit information

14
 CNSS Security Model

Technology

Education

Policy

Confidentiality

Integrity

Availability

Storage Processing Transmission

CNSS: (United States) Committee on National Security Systems 15

 Information Security Today

Modern information security is influenced by many external and internal

factors. It is a balance between meeting the expectations and regulations
of customers and government, and protecting the assets of the
shareholders in a cost effective manner.
 AIC Traid
Confidentiality - Is the concept
of protecting the secrecy and
privacy of information
Integrity - Is the concept of
protecting the “accuracy” of
information processing and data
from improper modification.
Availability - Is the concept of
ensuring that the systems and
data can be accessed when
required.
 Security Threats

Interruption/Denial of service
Interception: eavesdropping, wiretapping, theft …
Modification
Fabrication/Forgery
Unauthorized access
Denial of facts
 Security Services

Security services
▶A service that enhances information security using one or
more security mechanisms
Confidentiality/Secrecy ↔ Interception
Authentication ↔ Forgery
Integrity ↔ Modification
Non-repudiation ↔ Denial of facts
Access control ↔ Unauthorized access
Availability ↔ Interruption
 Security Needs for Communications
Confidentiality Authentication Availability

Interception Forgery Denial of Service

Is Private? Who am I dealing with? Wish to access!!

Integrity Non-Repudiation Access Control

Not
SENT !

Modification Claim Unauthorized access

Has been altered? Who sent/received it? Have you privilege?