Lecture 01 02

Uploaded by

shaistaimtiaz077

Information Security

Lecture 02 & 03
Delivered By: Dr. Ahthasham Sajid
Dated: 2nd September 2024
Agenda
• Course Overview
• Course Objectives
• Difference between Data, Wisdom and Knowledge
• What is Information Security?
• Need of Information Security
• History of Information Security
• Why We Use Information Security
Course Overview

• This course covers information security and its related concepts, such as confidentiality, integrity, and availability, along with various types of security threats, vulnerabilities, and attacks. It also covers cryptographic techniques and their concepts.
Textbooks
• William Stallings, Network Security Essentials, 2/E
• One or two chapters from CNS3e
• William Stallings, Cryptography and Network Security: Principles and Practice, 3/E
• Network management security from NSE2e
Course Objectives

• To familiarize students with information security.

• Students will learn the concept of cryptographic techniques for the protection of sensitive information during transmission and storage.

• Students will learn to analyze the network threats that may allow an attacker to compromise the security of an information system.

• Students will learn to understand risk management.


Marks Distribution
• Mid 20%
• Final 40%
• Sessional 40%
• Surprise Quizzes 20%
• Assignments / Term Project 20%
Data, Information, Wisdom and Knowledge
• Data represents a fact or statement of event without relation to other things.
• Ex: It is raining.

• Information embodies the understanding of a relationship of some sort, possibly cause and effect.
• Ex: The temperature dropped 15 degrees and then it started raining.
• Knowledge represents a pattern that connects and generally provides a high level of predictability as to what is described or what will happen next.
• Ex: If the humidity is very high and the temperature drops substantially, the atmosphere is often unlikely to be able to hold the moisture, so it rains.
What is Information Security?

• Information security is the practice of protecting information by mitigating information risks. It involves the protection of information systems and the information processed, stored and transmitted by these systems.

• This includes the protection of personal information, financial information, and sensitive or confidential information stored in both digital and physical forms.

• Effective information security requires a comprehensive and multi-disciplinary approach, involving people, processes, and technology.
Need of Information Security

• Information security is basically the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. Information can be physical or electronic.

• Information can be anything, such as your details (for example, your profile on social media), your data on a mobile phone, or your biometrics. Thus information security spans many research areas, such as cryptography, mobile computing, cyber forensics, and online social media.
History of Information Security

• During the 1st World War, a multi-tier classification system was developed, keeping in mind the sensitivity of the information. With the beginning of the 2nd World War, formal alignment of the classification system was done. Alan Turing was the one who successfully decrypted the Enigma machine, which was used by the Germans to encrypt warfare data.
Why We Use Information Security?
• Here are some key reasons why information security is important:
• Protecting Sensitive Information: Information security helps protect sensitive
information from being accessed, disclosed, or modified by unauthorized individuals.
This includes personal information, financial data, and trade secrets, as well as
confidential government and military information.
• Mitigating Risk: By implementing information security measures, organizations can
mitigate the risks associated with cyber threats and other security incidents. This
includes minimizing the risk of data breaches, denial-of-service attacks, and other
malicious activities.
• Compliance with Regulations: Many industries and jurisdictions have specific regulations
governing the protection of sensitive information. Information security measures help
ensure compliance with these regulations, reducing the risk of fines and legal liability.

• Protecting Reputation: Security breaches can damage an organization’s reputation and lead
to lost business. Effective information security can help protect an organization’s reputation
by minimizing the risk of security incidents.

• Ensuring Business Continuity: Information security helps ensure that critical business
functions can continue even in the event of a security incident. This includes maintaining
access to key systems and data, and minimizing the impact of any disruptions.
Critical Characteristics of Information
• Confidentiality
• Privacy
• Authentication
• Authorization
• Utility (useful)
• Integrity
• Identification
• Accountability (Audit Logs)
• Possession (Ownership)
• Availability
• Accuracy
10/21/2024
CIA Triangle

• Confidentiality makes sure that only authorized personnel are given access or
permission to modify data.

• Integrity helps maintain the trustworthiness of data by having it in the correct state and immune to any improper modifications.

• Availability means that the authorized users should be able to access data
whenever required.

CIA Model

Identification

• An information system possesses the characteristic of identification when it is able to recognize individual users. Identification and authentication are essential to establishing the level of access or authorization that an individual is granted.

Authentication

• Authentication occurs when a control provides proof that a user possesses the
identity that he or she claims.

• In computing, e-business and information security, it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine (i.e., they have not been forged or fabricated).

Authorization

• After the identity of a user is authenticated, a process called authorization provides assurance that the user (whether a person or a computer) has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset.

Accountability

• The characteristic of accountability exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process. For example, audit logs that track user activity on an information system provide accountability.

Accuracy

• Information should have accuracy. Information has accuracy when it is free from mistakes or errors and it has the value that the end user expects. If information contains a value different from the user’s expectations, due to the intentional or unintentional modification of its content, it is no longer accurate.

Issues of Information Security:
• Cyber Threats: The increasing sophistication of cyber attacks, including malware, phishing, and ransomware, makes it difficult to protect information systems and the information they store.

• Human Error: People can inadvertently put information at risk through actions such as losing
laptops or smartphones, clicking on malicious links, or using weak passwords.

• Insider Threats: Employees with access to sensitive information can pose a risk if they
intentionally or unintentionally cause harm to the organization.

• Legacy Systems: Older information systems may not have the security features of newer
systems, making them more vulnerable to attack.
• Complexity: The increasing complexity of information systems and the information they store makes it difficult to secure them effectively.

• Mobile and IoT devices: The growing number of mobile devices and Internet of Things (IoT) devices creates new security challenges, as they can be easily lost or stolen and may have weak security controls.

• Integration with third-party systems: Integrating information systems with third-party systems can introduce new security risks, as the third-party systems may have security vulnerabilities.

• Data Privacy: Protecting personal and sensitive information from unauthorized access, use, or disclosure is becoming increasingly important as data privacy regulations become more strict.

• Globalization: The increasing globalization of business makes it more difficult to secure information, as data may be stored, processed, and transmitted across multiple countries with different security requirements.

Intellectual property

• Intellectual property is a category of property that includes intangible creations of the human intellect. There are many types of intellectual property, and some countries recognize more than others. The best-known types are patents, copyrights, trademarks, and trade secrets.

Ethical issues in Information Security

• Ethical issues faced by organizations in information technology are generally concerned with privacy, property rights, or the effects of an activity on society.
• Privacy
• Access Rights
• Prevention of Loss
• Patents
• Copyrights
• Trade Secret
• Piracy
Access Rights

• Access rights have become a high-priority issue for IT and cyberspace with the great advancement in technology.

• The evolution of e-commerce and electronic payment systems on the internet has heightened this issue for various corporate organizations and government agencies. Networks on the internet cannot be made secure from unauthorized access.

10/21/2024
Component of Access Control

Privacy
• when, and to what extent, information about oneself can be communicated to others.

• Personal privacy in information technology relates to debates about:

• Private communications, such as emails, voicemails, or recordings.

• Privacy of the body, such as medical information or videotaping.

• Personal information, such as where one lives, where they work, or how many children they have.

• Information about one's possessions, such as if one owns their home or how much their house is worth.

Patent
• A patent can preserve the unique and secret aspect of an idea. Obtaining a patent is very difficult
as compared with obtaining a copyright.

• A thorough disclosure is required with the software. The patent holder has to reveal the full
details of a program to a proficient programmer for building a program.

Copyright

• Information security specialists need to be familiar with the necessary concepts of copyright law. Copyright law works as a very powerful legal tool in protecting computer software, both before a security breach and surely after a security breach.

Trade Secret

• Trade secrets are intellectual property (IP) rights on confidential information which may be sold or licensed. In general, to qualify as a trade secret, the information must be: commercially valuable because it is secret, be known only to a limited group of persons

• Unlike a patent, a trade secret is not publicly known.

Piracy

• Piracy refers to the unauthorized duplication of copyrighted content that is then sold at substantially lower prices in the 'grey' market. The ease of access to technology has meant that over the years, piracy has become more rampant.

Legal issues in Information Security

• Information technology organizations are also bound to follow laws issued by the
Government. If a company fails to provide satisfactory service to the client or
cheats the client, the organization is held guilty in court.

Violation of Contracts:

• When a client and an organization decide to work with each other, the details are finalized by creating a contract. The contract contains the work duration, the purpose of the work, and other details related to the project. Before getting the client on board, it is necessary to discuss the contract and get all the details approved by the client.

• Later, if the client or the organization violates the contract, they may face legal
issues. Either party can file an issue in court and get the conflict solved according to
the computer acts defined by the Government.
Negligence of Contracts:

• If a company fails to fulfill the client's requirements (as mentioned in the contract), it is considered negligence of the contract. In such cases, the company will also be considered guilty and will have to prove itself in court.

• Information technology organizations need to ensure they deliver the correct services to the client within the mentioned time duration to avoid such legal issues.