
Information Security

The document discusses information security, including its definition, goals of confidentiality, integrity and availability. It covers topics such as the need for information security, common security threats like passive and active attacks, and security services like authentication, access control, data confidentiality and integrity.

Information Security

Definition
Information Security
• Information is an important part of an organization or a business that requires more attention to preserve its Integrity, Privacy and Availability.
• Information security refers to the protection of information.
• It is the process of securing, protecting and safeguarding your information from unauthorized access, use and modification.
What is Information Security?
• Information Security
– Information security is the process of protecting information from unauthorized access, use, disclosure, destruction, modification, or disruption.
– The protection of computer systems and information from harm, theft, and unauthorized use.
– Protecting the confidentiality, integrity and availability of information.
– Information security is an essential infrastructure technology to achieve a successful information-based society.
– A highly information-based company without information security will lose competitiveness.
Goals of Information Security
• Confidentiality: The process of securing information from unauthorized access. Only an authorized person can access the network resources to get the valuable information provided on the network, e.g. a credit card transaction.
• Integrity: Refers to the accuracy of information or data. In other words, securing the information from unauthorized modification.
• Availability: Information must be available when it is needed.
Need for Information Security
• Protecting the functionality of an organization.
• Enabling the safe operation of applications.
• Protecting the data that the organization collects and uses, which means protecting data in motion and at rest.
• Safeguarding technology assets in organizations. Organizations must add secure infrastructure services based on the size and scope of the enterprise.
• What kind of protection?
– Protecting important documents / computers
– Protecting communication networks
– Protecting the Internet
– Protection in a ubiquitous world
Role of Security in Internet & Web Services
• The Internet is used for performing various tasks such as exchanging data and information as well as conducting online shopping and bank transactions.
• All critical information needs to be secured against unauthorised access from illegal and malicious sources.
• Security is implemented in a website through authentication and authorization.
• A web service allows a website to communicate with other websites irrespective of the programming languages in which they are created. It does not have any interface, only logic.
• Web service requests and responses are sent as XML documents, which are in text format. Web services can be secured by (i) using encryption and message-based security and (ii) using authentication and access controls for web services.
Definitions
• Computer Security - generic name for the collection of tools designed to protect data and to thwart hackers
• Network Security - measures to protect data during their transmission
• Internet Security - measures to protect data during their transmission over a collection of interconnected networks
Vulnerability, Threat and Attack
• A vulnerability is a weakness in the security system
– Can be in design, implementation, etc.
– Can be in hardware or software
• A threat is a set of circumstances that has the potential to cause loss or harm
– Or it’s a potential violation of security
– A threat can be:
  • Accidental (natural disasters, human error, …)
  • Malicious (attackers, insider fraud, …)
• An attack is the actual violation of security
Vulnerability, Threat and Attack
• Deterrent Control: Admin policies, guidelines, laws, regulations
• Detective Control: to locate problems after they have occurred
Aspects of Security
• Consider 2 aspects of information security:

– security attack
– security service
Security Attack
• Any action that compromises the security of
information owned by an organization
• Information security is about how to prevent
attacks, or failing that, to detect attacks on
information-based systems
• The terms threat and attack are often used to mean the same thing
• There is a wide range of attacks
• We can focus on generic types of attacks
– passive
– active
Passive Attacks
• Passive attacks are in the nature of
eavesdropping on, or monitoring of,
transmissions.
• The goal of the opponent is to obtain
information that is being transmitted. Two
types of passive attacks are release of
message contents and traffic analysis.
1. Release of message contents
The release of message contents is easily understood. A
telephone conversation, an electronic mail message, and
a transferred file may contain sensitive or confidential
information.
2. Traffic Analysis
The opponent could determine the location and identity of
communicating hosts and could observe the frequency
and length of messages being exchanged. This
information might be useful in guessing the nature of the
communication that was taking place.
Active Attacks
• Active attacks involve some modification
of the data stream or the creation of a
false stream and can be subdivided into
four categories: masquerade, replay,
modification of messages, and denial of
service.
1. Masquerade
A masquerade takes place when one entity pretends to be a different entity.
For example, authentication sequences can be captured and
replayed after a valid authentication sequence has taken
place, thus enabling an authorized entity with few
privileges to obtain extra privileges by impersonating an
entity that has those privileges.
2. Replay
Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.
3. Modification of messages
It simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect.
4. Denial of service
The denial of service prevents or inhibits the normal use or management of communications facilities.
Security Service
– Enhance security of data processing systems and information transfers of an organization
– Intended to counter security attacks
– Using one or more security mechanisms
Security Services
• Authentication - assurance that the
communicating entity is the one claimed
• Access Control - prevention of the
unauthorized use of a resource
• Data Confidentiality - protection of data from
unauthorized disclosure
• Data Integrity - assurance that data is delivered
to the intended recipient without any
modification
• Non-Repudiation - protection against denial by
one of the parties in a communication
WEB SERVICES
• A Web service is a method of communication between two electronic devices over a network.
• Web services are a general model for building applications and can be implemented for any operating system that supports communication over the Internet.
• The evolution of SOAP (Simple Object Access Protocol) has expanded the boundaries of the Internet. SOAP and HTTP enable you to log on to external systems and execute remote function calls.
• Web services basically work by using HTTP and SOAP to make business data available on the Web.
[Figure: Basic structure of a Web service]
Model for Network Security
• using this model requires us to:
1. design a suitable algorithm for the security
transformation
2. generate the secret information (keys)
used by the algorithm
3. develop methods to distribute and share
the secret information
4. specify a protocol enabling the principals
to use the transformation and secret
information for a security service
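
The replay and modification-of-messages attacks described earlier, and the four tasks of this model, can be seen together in a small sketch. This is an added example, not part of the original slides: it assumes HMAC-SHA256 as the security transformation, a key already shared between the two principals, and a hypothetical frame layout (8-byte sequence number, payload, tag); the names `Sender`, `Receiver` and `demo` are illustrative.

```python
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 32  # HMAC-SHA256 tag size in bytes


def make_tag(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()


class Sender:
    def __init__(self, key: bytes):
        self.key, self.seq = key, 0

    def protect(self, payload: bytes) -> bytes:
        """Assumed frame layout: 8-byte sequence number || payload || tag."""
        self.seq += 1
        body = struct.pack(">Q", self.seq) + payload
        return body + make_tag(self.key, body)


class Receiver:
    def __init__(self, key: bytes):
        self.key, self.last_seq = key, 0

    def accept(self, frame: bytes) -> tuple[str, bytes]:
        """Return (verdict, payload); payload is empty unless 'ok'."""
        if len(frame) < 8 + TAG_LEN:
            return "malformed", b""
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(tag, make_tag(self.key, body)):
            return "modified", b""      # altered in transit or wrong key
        (seq,) = struct.unpack(">Q", body[:8])
        if seq <= self.last_seq:
            return "replayed", b""      # retransmitted or stale/reordered
        self.last_seq = seq
        return "ok", body[8:]


def demo() -> list[str]:
    key = secrets.token_bytes(32)  # step 2; sharing it (step 3) is assumed done
    alice, bob = Sender(key), Receiver(key)
    first = alice.protect(b"PAY 10 TO CAROL")  # constructed sample messages
    second = alice.protect(b"PAY 25 TO DAVE")
    tampered = bytearray(second)
    tampered[12] ^= 0x01  # flip one payload bit in transit
    return [bob.accept(f)[0] for f in (first, first, bytes(tampered), second)]
```

Calling `demo()` returns one verdict per frame in delivery order: the first frame is accepted, its retransmission is rejected as a replay, the bit-flipped frame is rejected as modified, and the untouched second frame is accepted.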
Benefits of ISMS
• ISMS is a standard of the International Organization for Standardization (ISO), which is compatible with other standards prevailing in the market
• Helps to protect and secure information in an organization because information is its virtual resource
• Maintains the security of data and information
• Protects and maintains integrity, confidentiality and availability of information.
• Provides efficient organizational management.
• Provides high-level information security
• Encourages clients, including individuals and other organizations, to invest in an organization.
