Week#01.... Lecture#01

Uploaded by

graphicsra41

Information Security
SE-308
Course Books

Principles of Information Security, 3rd Edition, by Michael E. Whitman and Herbert J. Mattord

Computer Security: Art and Science, Matthew Bishop

Cryptography and Network Security by William Stallings, 6th Edition, 2012
Learning Objectives
• Learn basic concepts of Information Security
• Develop a good understanding of security, security issues, security policies, information assets, threats and software attacks
• Ability to understand and plan the security of an information system
• Knowledge gained in this course will be helpful in the implementation and maintenance of security policies
Week 1
Introduction to information security
– Introduction
– History of information security
– What is security
– How to achieve security
– Key information security concepts
– Components of information systems
– Information Flow
Introduction
Security is the prevention of certain types of intentional actions from occurring in a system.
– Potential actions that could cause harm or damage to something are threats.
– When those dangers or risks become real and cause harm, they are attacks.
– Intentional attacks are carried out by an attacker.
– Objects of attacks are assets.

For example, if someone threatens to steal your wallet, that's a threat. But if they actually take your wallet, that's an attack.
What is Information Security
• Information Security is the practice of defending information from unauthorized access, use, disclosure, modification, examination, recording or destruction.
• It is a general term that can be used regardless of the form the data may take.
Goals of Security

Prevention
– Prevent attackers from violating security policy
Detection
– Detect attackers’ violation of security policy
Recovery
– Stop attack, assess and repair damage
Survivability
– Continue to function correctly even if attack succeeds
Security Measures
Technology
– Hardware/software used to ensure security
Policy and practice
– Security requirements and activities
Education, training, and awareness
– Understanding of threats and vulnerabilities and how to protect against them
The History of Information Security
• (1930s-1940s) Code-breaking during World War II.
• Post-World War II Era (1940s-1950s): Began immediately after the first mainframes were developed.
• Physical controls to limit access to sensitive military locations to authorized personnel: badges, keys, and facial recognition
• One of the first documented problems
– Early 1960s
– Not physical
– Accidental file switch: the entire password file was printed on every output file
R-609
• In 1967, Rand Report R-609 was the first report on security controls for computer systems
• Scope of computer security grew from physical security to include:
– Safety of data
– Limiting unauthorized access to data
– Involvement of employees from multiple levels of an organization
• First to identify the role of management and policy issues.
• MULTICS: First OS containing security in its core functions.
The Birth of the Internet (1970s-1980s):
• Advanced Research Procurement Agency (ARPA) began to examine networked communications
• ARPANET is the first Internet
• The development of ARPANET, the modern internet, introduced new security challenges. Protocols like TCP/IP were developed with limited security considerations.
• ARPANET grew in popularity, as did its potential for misuse
Public Key Cryptography (1970s-1980s):
• The invention of public key cryptography algorithms, modern encryption techniques, allowed for secure communication over public networks.
The 1990s
• Networks of computers became more common; so too did the need to interconnect networks
• Businesses and individuals faced new threats such as viruses, malware, and hacking.
• Early on, security was treated as a low-priority component.
2000 to Present
• The Internet brings millions of computer networks into communication with each other, many of them unsecured
• Realization of information security, its importance and its use
How to Achieve Security
A successful organization should have multiple layers of security in place:
– Physical security (physical objects)
– Personal security (individual or group of individuals)
– Operations security (details of operations/activities)
– Communications security (communication media, technology and content)
– Network security (network components, connections, contents)
– Information security (information assets)
Terminologies of Information Security:
• Access: A subject or object’s ability to use, manipulate, modify, or affect another subject or object.
• Asset: Any organizational resource or object that is being protected.
• Attack: An intentional action that can cause damage.
• Exposure: A condition or state of being exposed. In information security, exposure exists when a vulnerability known to an attacker exists.
• Exploit: A technique used to compromise a system. Exploits make use of existing software tools or custom-made software components.
Terminologies of Information Security Concepts:
• Risk: The probability that something unwanted will happen.
• Threat: A category of objects, persons, or other entities that threaten an asset.
• Threat agent: Any individual, group, organization, or automated system that has the potential to exploit vulnerabilities in a system or network.
• Vulnerability: A weakness or fault in a system or protection mechanism that opens it to attack or damage. Some examples of vulnerabilities are a flaw in a software package, an unprotected system port, and an unlocked door.
Computer as Subject and Object
Securing Components
• A computer can be the subject of an attack and/or the object of an attack
– When the subject of an attack, the computer is used as an active tool to conduct the attack
– When the object of an attack, the computer is the entity being attacked
• 2 types of attack
– Direct: Hacker uses their computer to break into a system
– Indirect: System is compromised and used to attack other systems
Information flow
• Path taken by data from sender to receiver.
Critical Characteristics of Information
• Availability
"Availability" means that information is there when you need it.

• Authenticity
Information should be real and trustworthy, and come from reliable sources.

• Confidentiality
Sensitive information should be protected from unauthorized access or disclosure.

• Integrity
Information must remain whole, accurate, and uncorrupted to maintain trustworthiness.

• Possession
Refers to legal ownership or control over information assets.

• Accuracy
Information must be free from errors or inaccuracies, correctly representing real-world phenomena.
Thank you!
