InfoSec Intro Final 2

The document provides an overview of information security, defining it as the processes and methodologies to protect sensitive information from unauthorized access and misuse. It emphasizes a holistic approach that includes data, software, network, and cybersecurity, while introducing various security models such as the C.I.A. triad and defense-in-depth. Additionally, it discusses the importance of protecting physical infrastructure, networks, and people to ensure the integrity and availability of information.

Uploaded by jpjansa

Introduction To Information Security
LAV GUPTA
ASSISTANT PROFESSOR/CS
Introduction to information security

What is information security?

• Processes and methodologies designed and implemented to protect print, electronic,
or any other form of confidential, private and sensitive information or data from
unauthorized access, misuse, disclosure, destruction, modification, or disruption (SANS
Institute)
The scope is much broader than records on paper or disk: what about hijacking a medical device, or incapacitating a system altogether?

• The protection of information and its critical elements, including systems and
hardware that process, use, store, and transmit that information (Committee on National
Security Systems)
• How? Only through legal, accepted methods; the defender has to do the job within the law.

Information Systems Security

Information System

• An information system (IS) is the entire set of people, procedures, and technology that
enable a business to use information.

Components of an information system (diagram): People, Data, Processes, Hardware, Networks, Software

Why is protecting this information a big deal?


A holistic approach to information security

• Such an approach to information security will include:

• Data security: protect data from unauthorized access or alteration (cloud data security, browser data, email)
• Information security: protect information and information systems
• Software security: software that is robust against attack
• Network security: protect the network infrastructure so that hardware, software and users perform their functions in a secure environment
• Cybersecurity: protect data and systems in networks connected to the Internet
• Management of information security

Data becomes information as it is processed (diagram):
IT holds all student records (data) -> the Registrar derives department-wise grades (information) -> the Awards Committee receives the top 5 students (information)

Is it an art or a science?
What are we protecting?

A successful organization should have multiple layers of security in place to protect:

• Physical infrastructure – processors, storage
• Networks and communications – routers, switches, gateways, firewalls and IDPS (intrusion detection and prevention systems)
• People – from accidentally damaging or losing information; people are the target of social engineering
• Software – holes, bugs, weaknesses; security should be integrated into the SDLC
• Data – stored, processed, transmitted
• Information – intelligence for business decisions
• Procedures – educate users to apply them safely
• Virtual resources
Information Security Models

The C.I.A. triad

• A model based on confidentiality, integrity, and availability; on its own it is now viewed as
inadequate (see the expanded model that follows).

• Confidentiality: data is accessed only by authorized users and processes
• Integrity: assurance of the accuracy and completeness of the data
• Availability: data is accessible when needed by authorized users

• The expanded model consists of a list of critical characteristics of information
Characteristics of information

The value of information comes from the characteristics it possesses (expanded CIA model):

• Confidentiality
• Integrity
• Availability
• Authentication
• Authorization
• Non-Repudiation
• Possession
• Utility
McCumber Cube

(Figure, source: Pearson.) The cube relates three dimensions: the information characteristics (confidentiality, integrity, availability), the information states (storage, processing, transmission) and the security measures (policy and practices, education and training, technology); each cell is one combination that a control has to address.
Defense-in-Depth Security Model

Source: Infocyte
Defense in depth is a concept in information security in which multiple layers
of security controls (defences) are placed throughout an information system, so that an attacker who gets past one layer still faces the next.
The Bell-LaPadula Model

• Used for access control and confidentiality. Based on a state machine: the system moves
from state to state, and the rules are chosen so that it never enters an insecure state. Used in the DoD.
• Simple security property: no read up. *-property: no write down.

Source: Skillset
The Biba Model

• For data integrity: defines integrity levels for users (subjects) and data (objects); the dual of Bell-LaPadula

• No read down (simple integrity property). No write up (*-integrity property). A subject also cannot invoke a subject at a higher integrity level (invocation property), so it cannot even request work from a higher level.

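A worked illustration of the two lattice models above (Bell-LaPadula and Biba), written for this page and not part of the original lecture: a small reference monitor that enforces either set of rules over a totally ordered set of levels, and keeps the set of current accesses as the system state so that a request which would make the state insecure is refused rather than applied. The level names, subjects and objects are constructed for the example; real systems also use compartments or categories, which form a lattice rather than a simple order.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple


@dataclass(frozen=True)
class Level:
    """One point in a totally ordered set of levels (constructed example)."""
    rank: int
    name: str

    def dominates(self, other: "Level") -> bool:
        return self.rank >= other.rank


def make_levels(*names: str) -> Dict[str, Level]:
    """Lowest level first, so rank 0 is the least sensitive / least trusted."""
    return {n: Level(i, n) for i, n in enumerate(names)}


# Confidentiality levels for Bell-LaPadula; integrity levels for Biba (constructed names).
CONF = make_levels("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET")
INTEG = make_levels("UNTRUSTED", "USER", "SYSTEM")


def blp_allows(subject: Level, obj: Level, mode: str) -> bool:
    """Bell-LaPadula: simple security property (no read up), *-property (no write down)."""
    if mode == "read":
        return subject.dominates(obj)
    if mode == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown mode {mode!r}")


def biba_allows(subject: Level, obj: Level, mode: str) -> bool:
    """Biba, the dual of BLP: no read down, no write up, and the invocation property
    (a subject may only invoke subjects at its own integrity level or below)."""
    if mode == "read":
        return obj.dominates(subject)
    if mode in ("write", "invoke"):
        return subject.dominates(obj)
    raise ValueError(f"unknown mode {mode!r}")


Access = Tuple[str, str, str]  # (subject, object, mode)


@dataclass
class ReferenceMonitor:
    """State-machine view: the state is the set of current accesses; a request is a
    transition, admitted only if the new state still satisfies the policy."""
    policy: Callable[[Level, Level, str], bool]
    subjects: Dict[str, Level]
    objects: Dict[str, Level]
    state: Set[Access] = field(default_factory=set)

    def request(self, subject: str, obj: str, mode: str) -> bool:
        if self.policy(self.subjects[subject], self.objects[obj], mode):
            self.state.add((subject, obj, mode))
            return True
        return False  # transition refused; the state is left unchanged

    def is_secure(self) -> bool:
        return all(self.policy(self.subjects[s], self.objects[o], m) for s, o, m in self.state)


def demo() -> Dict[str, bool]:
    """Run the same kinds of request under both policies (constructed subjects/objects)."""
    blp = ReferenceMonitor(blp_allows,
                           {"analyst": CONF["SECRET"]},
                           {"memo": CONF["CONFIDENTIAL"], "plan": CONF["TOP_SECRET"]})
    biba = ReferenceMonitor(biba_allows,
                            {"updater": INTEG["USER"]},
                            {"webform": INTEG["UNTRUSTED"], "kernel": INTEG["SYSTEM"]})
    results = {
        "blp read memo (read down)": blp.request("analyst", "memo", "read"),
        "blp read plan (read up)": blp.request("analyst", "plan", "read"),
        "blp write memo (write down)": blp.request("analyst", "memo", "write"),
        "blp write plan (write up)": blp.request("analyst", "plan", "write"),
        "biba read webform (read down)": biba.request("updater", "webform", "read"),
        "biba read kernel (read up)": biba.request("updater", "kernel", "read"),
        "biba write webform (write down)": biba.request("updater", "webform", "write"),
        "biba write kernel (write up)": biba.request("updater", "kernel", "write"),
        "biba invoke kernel": biba.request("updater", "kernel", "invoke"),
    }
    results["blp state secure"] = blp.is_secure()
    results["biba state secure"] = biba.is_secure()
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}")
```

Reading the two policies side by side shows why they are called duals: every rule in `biba_allows` is `blp_allows` with the direction of dominance reversed, which is exactly why a system that needs both confidentiality and integrity labels each object twice.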
Brewer and Nash Model

• Rule-based model, also known as the Chinese Wall model

• The rules are dynamic: what a subject may access next depends on what it has already accessed, and the model gives this a mathematical definition
• Avoids conflicts of interest between competing clients

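The dynamic rule described above, as an added example written for this page rather than code from the lecture: objects belong to company datasets, datasets belong to conflict-of-interest classes, and each subject's own read history decides what it may read or write next. The company names, datasets and the "sanitized" public report are constructed for the example.

```python
from collections import defaultdict
from typing import Dict, Set

# Constructed example: objects belong to company datasets, datasets to
# conflict-of-interest (COI) classes. Competing firms share a COI class.
DATASET_OF: Dict[str, str] = {
    "bankA-ledger": "BankA", "bankA-forecast": "BankA",
    "bankB-ledger": "BankB",
    "oilX-reserves": "OilX", "oilY-reserves": "OilY",
}
COI_CLASS_OF: Dict[str, str] = {"BankA": "banks", "BankB": "banks", "OilX": "oil", "OilY": "oil"}
SANITIZED: Set[str] = {"market-report"}  # public information; belongs to no company dataset


class ChineseWall:
    """Brewer-Nash policy: the rule applied to a subject depends on its access history."""

    def __init__(self) -> None:
        self.history: Dict[str, Set[str]] = defaultdict(set)  # subject -> datasets read

    def can_read(self, subject: str, obj: str) -> bool:
        """Simple security rule: read if obj is sanitized, or lies in a dataset the
        subject already holds, or in a COI class the subject has not yet entered."""
        if obj in SANITIZED:
            return True
        ds = DATASET_OF[obj]
        return all(COI_CLASS_OF[seen] != COI_CLASS_OF[ds] or seen == ds
                   for seen in self.history[subject])

    def read(self, subject: str, obj: str) -> bool:
        """Perform the read; the first read inside a COI class builds the wall."""
        if not self.can_read(subject, obj):
            return False
        if obj not in SANITIZED:
            self.history[subject].add(DATASET_OF[obj])
        return True

    def can_write(self, subject: str, obj: str) -> bool:
        """*-property: write only if obj is readable and every unsanitized dataset the
        subject has read is obj's own dataset. Otherwise a second subject on the far
        side of the wall could read what this subject copied across."""
        if not self.can_read(subject, obj):
            return False
        target = None if obj in SANITIZED else DATASET_OF[obj]
        return all(seen == target for seen in self.history[subject])


def demo() -> Dict[str, bool]:
    """One analyst walks into the banks class, then the oil class (constructed)."""
    wall = ChineseWall()
    return {
        "alice reads bankA-ledger": wall.read("alice", "bankA-ledger"),
        "alice reads bankA-forecast (same dataset)": wall.read("alice", "bankA-forecast"),
        "alice reads bankB-ledger (competitor)": wall.read("alice", "bankB-ledger"),
        "alice reads oilX-reserves (other COI class)": wall.read("alice", "oilX-reserves"),
        "alice reads market-report (sanitized)": wall.read("alice", "market-report"),
        "alice writes bankA-ledger": wall.can_write("alice", "bankA-ledger"),
        "bob reads bankA-ledger": wall.read("bob", "bankA-ledger"),
        "bob writes bankA-ledger": wall.can_write("bob", "bankA-ledger"),
        "bob writes oilX-reserves": wall.can_write("bob", "oilX-reserves"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}")
```

Note that the same request ("read bankB-ledger") is allowed for a fresh subject and refused for alice: nothing about the object changed, only her history, which is what "dynamic rules" means on the slide. The write rule is the stricter one in practice; alice, having read both a bank and an oil company, can no longer write to either.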
Next… The value of information