
Chapter 1

Introduction to Information Security [12 Marks]


1.1 Information, Need and Importance of Information, Information Classification, Criteria for
Information Classification

Information can be defined as -

Information – It is data that is organized in a meaningful fashion.

OR

Information is that which informs, i.e. that from which data can be derived.

OR

Information is data that is

a.) Accurate & timely.
b.) Specific & organized for a purpose.
c.) Presented within a context that gives it meaning.
d.) Able to lead to an increase in understanding and a decrease in uncertainty.

OR

Information is a combination of three parts -

1. Data - A collection of all types of information which can be shared & used as per requirement.
   Eg. Personal data
2. Knowledge - Based on data that is organized & summarized. It is carried by experienced employees
   in the organization.
3. Action - Used to pass the required information to a person who needs it with the help of an
   Information System.

Information System - A set of interrelated components that collect, process & distribute information to support
decision making in an organization.

Fig. Information System


Need & Importance of Information

- Nowadays the use of computer & communication technology has increased, so we need a system
  that can manage the information or data.
- Information is the lifeblood of every organization.
- An Information System includes hardware, software, data & applications etc. to manage
  information.
- In an organization it is needed to monitor different operations. It is also used to document different
  operations.
- Information is useful or needed for ensuring the smooth functioning of all the departments in a
  company.
- Information benefits the business world by allowing organizations to work more efficiently &
  maximize productivity.

Differentiate between Information & Data

| Data                                           | Information                                                            |
|------------------------------------------------|------------------------------------------------------------------------|
| Data is used as input for the computer system. | Information is the output of data.                                     |
| Data is unprocessed facts and figures.         | Information is processed data.                                         |
| Data doesn't depend on information.            | Information depends on data.                                           |
| Data is not specific.                          | Information is specific.                                               |
| Data is a single unit.                         | A group of data which carries news and meaning is called information.  |
| Data doesn't carry a meaning.                  | Information must carry a logical meaning.                              |
| Data is the raw material.                      | Information is the product.                                            |

Types of Threats

1. Human error - An inappropriate or undesirable human decision or behavior that reduces, or has
   the potential to reduce, effectiveness, safety or system performance.

2. Computer crime or computer abuse - Alternatively referred to as cybercrime, e-crime, electronic
   crime, or hi-tech crime, computer crime is an act commonly performed by a knowledgeable computer
   user, sometimes referred to as a hacker, that illegally browses or steals a company's or individual's
   private information. In some cases, this person or group of individuals may be malicious and destroy
   or otherwise corrupt the computer or data files.
   Cybercrimes are any crimes that involve a computer and a network. In some cases, the computer
   may have been used in order to commit the crime, and in other cases, the computer may have been
   the target of the crime.

3. Natural disaster or political disaster - A natural event such as a flood, earthquake, or hurricane that
   causes great damage or loss of life; also any war or riots.

4. Failure of hardware or software - A malfunction within the electronic circuits or
   electromechanical components (disks, tapes) of a computer system. Recovery from a hardware
   failure requires repair or replacement of the offending part. A software failure means the inability of
   a program to continue processing due to erroneous logic; also called a crash or bomb.

Types of Attacks

1. Trojan horse - A Trojan horse, or Trojan, in computing is generally a non-self-replicating type
   of malware program containing malicious code that, when executed, carries out actions
   determined by the nature of the Trojan, typically causing loss or theft of data, and possible
   system harm.

2. Logic bomb - A set of instructions secretly incorporated into a program so that if a particular
   condition is satisfied they will be carried out, usually with harmful effects.

3. Computer virus - A piece of code which is capable of copying itself and typically has a
   detrimental effect, such as corrupting the system or destroying data.

4. Denial of Service - In computing, a denial-of-service (DoS) or distributed denial-of-service
   (DDoS) attack is an attempt to make a machine or network resource unavailable to its
   intended users.

5. Spoofing - Spoofing is the creation of TCP/IP packets using somebody else's IP address.

6. Sniffing - Packet sniffing allows individuals to capture data as it is transmitted over a network.

7. Data leakage - The unauthorized transfer of classified information from a computer or
   datacenter to the outside world. Data leakage can be accomplished by simply mentally
   remembering what was seen, by physical removal of tapes, disks and reports, or by subtle means
   such as data hiding.

8. Salami technique - An unauthorized, covert process of taking small amounts (slices) of money or
   other numeric value from many sources, in and with the aid of a computer.

Basic Principles of Information Security

Security –
Security means protecting information or a system from unauthorized users such as attackers.
OR
Security is the practice of protecting information from unauthorized access, use, inspection,
recording or destruction.
OR
Information security is the process of protecting the intellectual property of an organization.

To protect any organization, the following multiple layers of security are important –

1.) Physical Security –
    It protects physical items like RAM, hard disks, etc.
2.) Personal Security –
    It protects authorized individual users or groups in the organization.
3.) Operational Security –
    It protects the details of a particular operation in the organization.
4.) Communication Security –
    It protects communication technology & the content of communication.
5.) Network Security –
    It protects networking components like routers, bridges etc.
6.) Information Security –
    It protects all information assets.
Information Security is simply the process of keeping information secure: protecting its
availability, integrity & privacy.

Need of Security –

The purpose of information security management is to ensure business continuity & reduce business damage
by preventing & minimizing the impact of security incidents.

An information security management system enables information to be shared while ensuring the protection of
information & computing assets.

- Information security is needed to protect the system from unauthorized access & modification.
- When computer applications were developed to handle financial & personal data, the need for
  security arose.
- People realized that data on computers was extremely important.
- Organizations employed their own mechanisms in order to provide basic security. Eg.
  user id & password for every user.
- As technology improved, people realized that the basic security measures were not quite enough.
- Then the internet took the world by storm & there were many examples of what could happen if there was
  insufficient security built into applications.
- Hence we need security for –
  a.) Protecting the resources of organizations.
  b.) Avoiding business damage.
  c.) Preventing unauthorized users from accessing important information.
  d.) Protecting personal data.
  e.) Protecting sensitive information of the organization.
  f.) Helping to protect intellectual property.

The basic aims of information security are summarized in 3 principles.

Goals of Security

Information security is more than just computer security. It also includes a wide range of physical security
means, e.g. protecting assets from natural disasters or thefts.

Fig. Security Layers (system security; data security; H/W and S/W security; application security;
server room access control; administrative and procedural security; physical security)

Security related basic terms -

1. Digital signature - A digital code (generated and authenticated by public key encryption) which
   is attached to an electronically transmitted document to verify its contents and the sender's
   identity.

2. Non-repudiation - Non-repudiation is the assurance that someone cannot deny something.
   Typically, non-repudiation refers to the ability to ensure that a party to a contract or a
   communication cannot deny the authenticity of their signature on a document or the sending of a
   message that they originated.

3. Cryptography - The art of writing or solving codes.

4. Encryption - Encryption is the conversion of data into a form, called ciphertext, that cannot be
   easily understood by unauthorized people.

5. Cipher - Coded text.

6. Decryption - Decryption is the process of converting encrypted data back into its original form,
   so it can be understood.

7. Denial of Service - In computing, a denial-of-service (DoS) or distributed denial-of-service
   (DDoS) attack is an attempt to make a machine or network resource unavailable to its
   intended users.

8. Steganography - The practice of concealing messages or information within other non-secret text
   or data.

9. Spoofing - Spoofing is the creation of TCP/IP packets using somebody else's IP address.

Three Pillars of Information Security

1.) Confidentiality -
    It means making sure that information is only seen by people who have the right to see it.
    Confidentiality refers to limiting information access and disclosure to authorized users -- "the right
    people" -- and preventing access by or disclosure to unauthorized ones -- "the wrong people."
    Authentication methods like user IDs and passwords, which uniquely identify data systems' users and
    control access to data systems' resources, underpin the goal of confidentiality.

2.) Integrity -
    It means ensuring that information remains unaltered. This means watching out for alterations
    through malicious action or even a simple innocent mistake.
    Integrity refers to the trustworthiness of information resources.
    Only authorized individuals can create or change information.
    It includes the concept of "data integrity" -- namely, that data have not been changed inappropriately,
    whether by accident or by deliberately malign activity. It also includes "origin" or "source integrity" --
    that is, that the data actually came from the person or entity you think it did, rather than an impostor.

3.) Availability -
    It implies having access to your information when you need it. Availability refers, unsurprisingly, to
    the availability of information resources. An information system that is not available when you need
    it is almost as bad as none at all. It may be much worse, depending on how reliant the organization
    has become on a functioning computer and communications infrastructure.

Information Classification
Organizations classify information in order to provide information security.
- The main reason for classifying information is that not all data or information of an organization
  has the same level of criticality.
- Some information may be important & some may not be important.
- The aim of an organization is to improve the confidentiality, integrity & availability (CIA) of
  information to reduce the risk related to information.
- Information classification is important while securing any trusted system, e.g. in government
  sectors.
- Information classification is used to prevent unauthorized access to a system.
- Information may be classified due to privacy laws or other compliance requirements.
- Information classification allows an organization to apply security policies.

Reasons / Advantages of classification of information -

1.) It helps organizations with security protection.
2.) It helps an organization identify sensitive info and critical info.
3.) It supports CIA – confidentiality, integrity, availability.
4.) It helps an organization decide what type of protection is to be applied to what type of
    information.
5.) Helps to protect intellectual property.
6.) Helps to protect personal information.
7.) Helps to control private or sensitive information.
8.) Helps to protect confidential information from unauthorized access.
9.) Helps to protect information that supports public security & law enforcement.

Classification Levels -

1.) Open / Unclassified / Public –
    - Information is not classified and not sensitive.
    - Information is accessible to both external & internal parties (employees) of the organization.
    - Its disclosure does not affect confidentiality.
2.) Internal but unclassified –
    - Information is accessible to both external parties & internal employees with controlled access
      rights.
    - If the information is disclosed it will not create damage to the organization.
3.) Confidential / Sensitive –
    - Information is accessible only to employees of the organization with strict access rights.
4.) Secret / Highly sensitive -
    - Unauthorized access to this information can cause damage to the country's national
      security.
5.) Top secret -
    - Highest level of information classification.
    - Eg. Info in a defense organization.

Criteria for classification of information –

1.) Value –
    - The most common criterion for classification.
    - Valuable information of the organization should be classified.
    - Eg. In a college, the student list is classified according to department.
2.) Age -
    - Information is classified according to time period.
    - Eg. Certain information is valid only for a certain period, so after that period is over the
      information is no longer useful.
3.) Useful Life –
    - If the validity or deadline of information is over due to changes in the information, then that
      information must be declassified.
    - Eg. Our earlier diploma scheme was the E scheme & the current scheme is G. So information is
      classified accordingly.
4.) Personal Association -
    - Information which is personally associated with a particular individual should be classified.

5.) Public -
    - Information is classified on this factor also.
    - Public information is not sensitive.
    - If it is accessed by an unauthorized user it will not affect security.
    - Eg. Information given on the website of any organization.
6.) Private -
    - Important information of the organization can be kept separately.
    - Unauthorized users cannot access it.
    - Eg. Information related to a project going on in the organization is kept secret from other
      organizations.
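An added example, not part of the chapter, showing how the five classification levels and the criteria above (age, useful life, personal association, public, private) can be written down as a small access policy. The clearance model for secret/top secret and the one-step declassification rule for expired items are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional, Set

# The chapter's five classification levels, lowest to highest.
LEVELS = ["public", "internal", "confidential", "secret", "top_secret"]


def rank(level: str) -> int:
    return LEVELS.index(level)


@dataclass
class InfoItem:
    name: str
    declared_level: str
    valid_until: Optional[date] = None  # "age" / "useful life" criteria
    personal: bool = False              # "personal association" criterion
    published: bool = False             # "public" criterion, e.g. website content


@dataclass
class Requester:
    employee: bool
    clearance: str = "public"                        # highest level cleared for (assumed model)
    granted: Set[str] = field(default_factory=set)   # item names with explicit access rights


def effective_level(item: InfoItem, today: date) -> str:
    """Combine the criteria into one level. Assumed policy: published info is
    public; personal data is at least confidential; an expired item is
    declassified one step (never below public) unless it is personal."""
    level = "public" if item.published else item.declared_level
    if item.personal:
        level = LEVELS[max(rank(level), rank("confidential"))]
    expired = item.valid_until is not None and today > item.valid_until
    if expired and not item.personal:
        level = LEVELS[max(rank(level) - 1, 0)]
    return level


def can_access(item: InfoItem, who: Requester, today: date) -> bool:
    """Access rules per level, following the chapter's level descriptions."""
    level = effective_level(item, today)
    if level == "public":          # open to external and internal parties
        return True
    if level == "internal":        # employees, or outsiders given controlled access rights
        return who.employee or item.name in who.granted
    if level == "confidential":    # employees only, and only with strict access rights
        return who.employee and item.name in who.granted
    # secret / top secret: assumed clearance model, employee cleared to at least that rank
    return who.employee and rank(who.clearance) >= rank(level)
```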
Data Obfuscation (DO)
- Data Obfuscation (DO) is a form of data masking where data is purposely scrambled to
  prevent unauthorized access to sensitive material.
- This form of encryption results in unintelligible or confusing data.
- DO is also called data scrambling or privacy preservation.
- DO is a technique used to prevent intrusion into private & sensitive online data.
- DO is related to encryption of data & it is a solution to information theft because it hides the
  original information with random characters.
- It is related to hiding the data so that it cannot be found.
- The use of personal information in government records, medical records & voters' lists etc.
  creates a threat to privacy. Hence many countries are focusing on safeguards for the privacy of
  personal information.
- It is necessary for an organization to understand the risk & the need for protection, in terms of
  privacy, of the publicized information.
- Hence the term data obfuscation is used, which modifies the data items without changing the
  usefulness of the data.
- Data Obfuscation techniques -
  a) Substitution
  b) Shuffling
  c) Number & date variance
  d) Encryption
  e) Deletion
  f) Masking out
- Data obfuscation techniques can be classified by a number of criteria –
  a) Usefulness
  b) Effectiveness
  c) Cost
  d) Resiliency
- A good example of DO is an audit report on a medical system. In this report only the required fields of
  patients are disclosed to the auditor. Details which are not required, such as a patient's contact
  number and address, are obfuscated.
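The medical audit report above, worked through as an added example (not code from the chapter): constructed patient records pass through substitution, shuffling, number variance, masking out and deletion, leaving the auditor only the fields the audit needs. The field names, sample rows and the substitution key are assumptions.

```python
import hashlib
import hmac
import random

# Constructed sample records (not real patients); field names are assumptions.
PATIENT_RECORDS = [
    {"patient_id": 101, "name": "Asha Patil", "age": 34, "phone": "9876543210",
     "address": "12 MG Road, Pune", "diagnosis": "A09", "bill": 1200},
    {"patient_id": 102, "name": "Rahul Mehta", "age": 58, "phone": "9123456780",
     "address": "4 Station Rd, Nashik", "diagnosis": "I10", "bill": 4500},
    {"patient_id": 103, "name": "Sunita Rao", "age": 45, "phone": "9988776655",
     "address": "7 Lake View, Mumbai", "diagnosis": "E11", "bill": 3100},
]
SUBSTITUTION_KEY = b"demo-key-not-for-production"  # assumed to be kept out of the report


def substitute(value: str) -> str:
    """Substitution: replace an identifier with a keyed pseudonym. Same input,
    same token, so rows of one patient stay linkable without naming them."""
    token = hmac.new(SUBSTITUTION_KEY, value.encode(), hashlib.sha256).hexdigest()
    return "P-" + token[:8]


def mask_out(value: str, keep_last: int = 2) -> str:
    """Masking out: hide every character except the last `keep_last`."""
    return "X" * (len(value) - keep_last) + value[-keep_last:]


def number_variance(value: int, spread: int, rng: random.Random) -> int:
    """Number variance: add a random offset in [-spread, spread]."""
    return value + rng.randint(-spread, spread)


def shuffle_column(records: list, column: str, rng: random.Random) -> list:
    """Shuffling: keep the column's values but move them across rows, so totals
    survive while the link to a particular patient is broken."""
    values = [r[column] for r in records]
    rng.shuffle(values)
    return [dict(r, **{column: v}) for r, v in zip(records, values)]


def audit_view(records: list, seed: int = 7) -> list:
    """Build the auditor's view: required fields kept, the rest obfuscated or deleted."""
    rng = random.Random(seed)  # seeded so the report is reproducible
    report = []
    for r in shuffle_column(records, "bill", rng):
        report.append({
            "patient_ref": substitute(str(r["patient_id"])),  # substitution
            "age": number_variance(r["age"], 2, rng),          # number variance
            "phone": mask_out(r["phone"]),                     # masking out
            "diagnosis": r["diagnosis"],                       # required by the audit, kept
            "bill": r["bill"],                                 # shuffled across patients
            # name and address: deletion, they are simply not copied
        })
    return report
```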

Event Classification -
There are several types of events by which information is damaged.

1. Viruses -
   Viruses can either copy themselves directly into executable files or can infect files that are
   opened or processed by the target executable (e.g. a PDF document).
   Viruses use a variety of infection mechanisms to replicate into new hosts & perform many
   different types of actions.
2. Disaster -
   An event that causes permanent & substantial damage or destruction to the property,
   equipment, information, staff or services of the business.
3. Crisis -
   An abnormal situation that presents some extraordinarily high risks to a business & that will
   develop into a disaster unless carefully managed.
4. Catastrophe -
   Major disruptions resulting from the destruction of critical equipment in processing.
