Lesson 7 - Computer Security Concepts
What is Information Security?
Def 1:
Information security, often referred to as InfoSec, refers
to the processes and tools designed and deployed to protect
sensitive business information from modification, disruption,
destruction, and inspection. (Ref: Cisco.com)
What is Information Security?
Def 2:
Information security is the practice of preventing
unauthorized access, use, disclosure, disruption, modification,
inspection, recording or destruction of information.
The information or data may take any form, e.g. electronic or
physical. Information security's primary focus is the balanced
protection of the confidentiality, integrity and availability of data (also
known as the CIA triad) while maintaining a focus on efficient policy
implementation, all without hampering organization productivity.
This is largely achieved through a multi-step risk management
process that identifies assets, threat sources, vulnerabilities, potential
impacts, and possible controls, followed by assessment of the
effectiveness of the risk management plan. (Ref: wikipedia)
What is Information Security?
• The U.S. Government’s
National Information Assurance Glossary defines INFOSEC as:
“Protection of information systems against unauthorized
access to or modification of information, whether in
storage, processing or transit, and against the denial of
service to authorized users or the provision of service to
unauthorized users, including those measures necessary
to detect, document, and counter such threats.”
What is Information Security?
• Three widely accepted elements or areas of
focus (referred to as the “CIA Triad”):
– Confidentiality
– Integrity
– Availability (Recoverability)
• Includes Physical Security as well as Electronic
Why is InfoSec Important?
• Information security is not an 'IT problem', it is
a business issue.
Main goals of Information Security (C-I-A Triad)
• Confidentiality: only authorized
entities have access to the data
• Integrity: data is not modified or
destroyed without authorization, and
arrives exactly as it was sent
• Availability: authorized users can
reach the data and services when they
need them
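Integrity in transit is the goal that is easiest to demonstrate in a few lines, so the following is an added example (not from the original slides) of how a receiver detects that a message was modified on the way: the sender appends an HMAC-SHA256 tag computed with a key shared in advance, and the receiver recomputes and compares it. The shared key and the sample messages are constructed for illustration; the example also shows why an unkeyed hash gives no protection against an active attacker, who simply recomputes the digest after changing the data.

```python
"""Integrity check for a message in transit using HMAC-SHA256.

Added example, not part of the original slides. The key and messages
below are constructed for illustration only.
"""
import hashlib
import hmac
from typing import Optional

TAG_LEN = 32  # SHA-256 output size in bytes

# Constructed for the example: a key agreed in advance by sender and receiver.
SHARED_KEY = b"example-shared-key-replace-in-production"


def protect(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Sender side: append an HMAC tag so the receiver can check integrity."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def verify(packet: bytes, key: bytes = SHARED_KEY) -> Optional[bytes]:
    """Receiver side: return the message only if the tag still matches, else None."""
    if len(packet) < TAG_LEN:
        return None
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # compare_digest runs in constant time, so a wrong tag does not leak
    # through timing how many leading bytes were correct.
    if not hmac.compare_digest(tag, expected):
        return None
    return message


def unkeyed_digest(message: bytes) -> bytes:
    """What a plain hash gives: anyone can recompute it after altering the data."""
    return hashlib.sha256(message).digest()


def demo() -> bool:
    """Walk through the honest case and the tampered case."""
    original = b"TRANSFER 100.00 TO ACCT 1234"
    packet = protect(original)
    assert verify(packet) == original

    # An active attacker changes the amount in transit but cannot recompute
    # the tag without the key, so the receiver rejects the packet.
    tampered = b"TRANSFER 900.00 TO ACCT 1234" + packet[-TAG_LEN:]
    assert verify(tampered) is None

    # With an unkeyed hash the attacker just recomputes the digest, and the
    # receiver has no way to tell the forged message from a genuine one.
    forged = b"TRANSFER 900.00 TO ACCT 1234"
    assert unkeyed_digest(forged) == hashlib.sha256(forged).digest()
    return True


if __name__ == "__main__":
    print("integrity demo ok:", demo())
```

The HMAC gives integrity and, because only the two key holders can produce a valid tag, authenticity of origin between them. It does not give confidentiality (the payload is still readable in transit) and it does not give nonrepudiation, since either key holder could have produced the tag; those need encryption and digital signatures respectively, which this example deliberately leaves out.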
What can we do?
• Security Assessment
– Identify areas of risk
– Identify potential for security breaches, collapses
– Identify steps to mitigate
• Security Application
– Expert knowledge (train, hire, other)
– Multi-layered Approach (there is no single solution)
– Policies and Procedures
What can we do?
• Security Awareness
– Not just for the geeks!
– Security Training at all levels (external and/or internal)
– Continuing education and awareness – not a one-time shot!
– Make it part of the culture
Principle of Least Privilege
• Every program and every privileged user of
the system should operate using the least
amount of privilege necessary to complete the
job
What can we do?
• Defense in depth
– Apply several independent layers of controls so that
the failure of any single control does not expose the asset
Security Concepts
• Computer security
involves implementing measures to secure a single computer
(protecting the resources stored on that computer and protecting
that computer from threats)
• Network security
involves protecting all the resources on a network from threats
(computers on the network, network devices, network
transmission media, and the data being transmitted across the
network)
Security Concepts
• Authentication
– Verifying the claimed identity of a user or system
• Authorization
– Deciding what an authenticated entity is permitted to do
• Accounting
– Recording who did what, and when, so actions can be audited
• Access control
– Enforcing the authorization decision on each resource
• Nonrepudiation
– The ability to ensure that someone cannot deny
his/her actions
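The following added example (not from the original slides) puts the Principle of Least Privilege and the authentication / authorization / accounting concepts into one small flow: passwords are verified against salted PBKDF2 hashes, authorization is default-deny so a user gets only the rights explicitly listed for their role, and every attempt is written to an audit log. The user database, roles and permission names are constructed for illustration. Nonrepudiation is not shown here, since it requires digital signatures rather than a shared audit log.

```python
"""Authentication, least-privilege authorization and accounting in one flow.

Added example, not part of the original slides. Users, roles, permission
names and the audit log below are constructed for illustration only.
"""
import hashlib
import hmac
import os
from typing import Dict, FrozenSet, List, Tuple

PBKDF2_ROUNDS = 100_000
SALT_LEN = 16


def make_record(password: str) -> Tuple[bytes, bytes]:
    """Store a random salt and a PBKDF2-HMAC-SHA256 hash, never the password."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


# Constructed user store: username -> (salt, password hash).
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": make_record("correct horse battery staple"),
    "bob": make_record("hunter2"),
}

# Least privilege: each role lists only the rights needed for the job.
# Anything not listed is denied.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "auditor": frozenset({"reports:read"}),
    "operator": frozenset({"reports:read", "jobs:run"}),
}
USER_ROLES: Dict[str, str] = {"alice": "operator", "bob": "auditor"}

# Accounting: who tried what, and whether it was allowed.
AUDIT_LOG: List[str] = []


def authenticate(username: str, password: str) -> bool:
    """Who are you? Verify the password against the stored hash."""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * SALT_LEN, PBKDF2_ROUNDS)
        return False
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def authorize(username: str, permission: str) -> bool:
    """What may you do? Default deny: only explicitly granted rights pass."""
    role = USER_ROLES.get(username)
    return permission in ROLE_PERMISSIONS.get(role, frozenset())


def perform(username: str, password: str, permission: str) -> bool:
    """Full flow: authenticate, authorize, and record the outcome either way."""
    if not authenticate(username, password):
        AUDIT_LOG.append(f"DENY auth user={username} action={permission}")
        return False
    if not authorize(username, permission):
        AUDIT_LOG.append(f"DENY authz user={username} action={permission}")
        return False
    AUDIT_LOG.append(f"ALLOW user={username} action={permission}")
    return True


if __name__ == "__main__":
    perform("alice", "correct horse battery staple", "jobs:run")   # allowed
    perform("bob", "hunter2", "jobs:run")                          # auditor lacks the right
    perform("mallory", "guess", "reports:read")                    # unknown user
    print("\n".join(AUDIT_LOG))
```

Note that `authorize` never asks "is this user blocked from X"; it asks "was X granted", so a new permission added to the system is unreachable until someone deliberately assigns it to a role. That is what makes the check least-privilege rather than a blocklist.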
Security Control Frameworks
• This is a notional construct outlining the organization’s
approach to security, including a list of specific security
processes, procedures, and solutions used by the
organization. Some frameworks:
– ISO 27001/27002
– COBIT
– ITIL
– RMF
– CSA STAR
Summary
• Objective of InfoSec is Confidentiality, Integrity and
Availability…protect your systems and your data
• Threats are numerous, evolving, and their impact is
costly
• Security should be applied in layers (“road blocks”)
• Security Awareness at all levels must be maintained
• Failure to Secure is an Opportunity to Fail
Q&A
Questions (MCQs)
Q1. Message ……….. means that the data
must arrive at the receiver exactly as sent
A. Confidentiality
B. Integrity
C. Authentication
D. None of the above
Answer: B
Q2. Cryptography does not concern itself with:
A. Availability
B. Authenticity
C. Integrity
D. Confidentiality
Answer: A
Q3. An access control system that grants users
only those rights necessary for them to
perform their work is operating on which
security principle?
A. Discretionary Access
B. Least Privilege
C. Mandatory Access
D. Separation of Duties
Answer: B
Q4. Which of the following is the verification
of a person’s identity?
A. Authorization
B. Accountability
C. Authentication
D. Password
Answer: C
Q5. John is concerned about social engineering. He
is particularly concerned that this technique could
be used by an attacker to obtain information about
the network, including possibly even passwords.
What countermeasure would be most effective in
combating social engineering?
A. SPI firewall
B. An IPS
C. User training
D. Strong policies
Answer: C
Q6. The application of which of the following
standards would BEST reduce the potential for
data breaches?
A. ISO 9000
B. ISO 20121
C. ISO 26000
D. ISO 27001
Answer: D
Q7. The first phase of hacking an IT system
is compromise of which foundation of
security?
A. Availability
B. Confidentiality
C. Integrity
D. Authentication
Answer: B
Q8. The PRIMARY purpose of a security
awareness program is to?
A. Ensure that everyone understands the organization's policies
and procedures.
B. Communicate that access to information will be granted on a
need-to-know basis.
C. Warn all users that access to all systems will be monitored on
a daily basis.
D. Comply with regulations related to data and information
protection.
Answer: A
Q9. Which type of cyber attack is commonly
performed through emails?
A. Trojans
B. Phishing
C. Worms
D. Ransomware
Answer: B
Q10. The use of strong authentication, the
encryption of Personally Identifiable Information
(PII) on database servers, application security
reviews, and the encryption of data transmitted
across networks provide
A. Data integrity.
B. Defense in depth.
C. Data availability.
D. Non-repudiation.
Answer: B