Information Security


Introduction to Information Security

P. R. Prasad
Head – Dept. of Electronics
Avanthi Degree & PG College
What is Information?
Information
• An organized, meaningful and useful interpretation of data

[Figure: Data, Process, Interpretation]
What is Information Systems
What is Information Security
Need for Information Security
• Protects the organization's ability to function
• Enables the safe operation of applications implemented on the organization's IT systems
• Protects the data the organization collects and uses
• Safeguards the technology assets in use at the organization
• ISMS is required to monitor the network
Benefits of ISMS
• ISMS is a standard of the International Organization for Standardization (ISO), which is compatible with other standards prevailing in the market
• Helps to protect and secure information in an organization because information is its virtual resource
• Maintains the security of data and information
• Protects and maintains the integrity, confidentiality and availability of information
• Provides efficient organizational management
• Provides high-level information security
• Encourages clients, including individuals and other organizations, to invest in an organization
Intrusion Detection System
Threats to Information Security
Information Assurance
• Information assurance defines and applies a collection of
policies, standards, methodologies, services, and
mechanisms to maintain mission integrity with respect to
people, process, technology, information, and supporting
infrastructure.
• Information assurance provides for integrity, availability, possession, confidentiality, utility, authenticity, nonrepudiation, authorized use, and privacy of information in all forms and during all exchanges.
Information Assurance Model
Three Dimensions (3D) of information security

• Information state
• Security services
• Security countermeasures
Information States
Security Services
Security Counter Measures
Technology is ever evolving. Technology encompasses more than the adjunctive crypto systems of the past.
Technology, in a security context, now includes the hardware, software and firmware that comprise a system or network.
Technology, from a security perspective, now includes devices such as firewalls, routers, intrusion detection monitors, and other security components.
Security Counter Measures
Policies and Practice: Operations, as a security countermeasure, go beyond the policies and practices required for use in secure systems.

Operations encompass the procedures employed by system users and the configurations implemented by system administrators.

Operations also address areas such as personnel and operational security.
Security Counter Measures
People are the heart and soul of secure
systems.
People require awareness, literacy, training
and education in sound security practices in
order for systems to be secured.
CYBER
SECURITY
Measures to maintain Cyber Security
Introduction to Application Security
• The IS employed in an organization must have proper security measures.
• Attackers target not only servers and operating systems but also applications, including browsers, multimedia programs and document readers.
• Attackers mostly target client-side applications by using malware sent through email.
• Vendors face various challenges in preventing malicious activity and securing systems.
Challenges for Application Security
Vendor Challenges for Application Security
[Figure: Flash Plug-in across browsers (IE, Firefox, Safari, Chrome) and operating systems (Windows, Mac OS X, Linux)]

Biggest challenges for software vendors

• Availability of various OS platforms and different versions of application software
• Developing a secure application for each platform is a difficult task
• Compatibility is a major problem in providing security
• Different platforms and vendors have different security considerations
User Challenges for Application Security
Data Security Considerations
Data Backup Security Consideration
Reasons for loss of data
• Failures of hardware or faults in hardware systems
• Faults in media or software
• Hacking of data or virus attack
• Failure of power, resulting in data loss
• Erroneous human activities
Data Backup Security Consideration
So data backup is a must and should be regular
• Should you back up the entire system or only some files?
• Does the organization have a backup policy?
• Frequency of backup
• Storage media used
• Incremental or differential backup
Data Archival Security Considerations
Data Archival
• Data archival is the process of separating older data (currently inactive but possibly required in future) from currently active, fresh and new data.
• Data archival is not the same as data backup; instead it is called data retaining.
• It requires moving a selected part of the data to a different storage location.
Benefits of Data Archival

• Reduction in cost
• Saving of storage in the online system
• Reduced access complexity
• Improved system performance
Guess??? What is this
Data Disposal Security Consideration

• Data disposal is the act of permanently deleting or destroying stored data for security reasons.
• Destruction means completely wiping the data.
• The process of completely wiping data is called Data Disposal.
Data Disposal methods
Overwriting
• Overwriting is not a method of selecting an item and deleting it.
• It is a method of writing over the data many times in order to delete it.
• The disk is overwritten a minimum of 3 times.
• Overwriting is enabled by appropriate programs
• Device becomes less secured
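The multi-pass overwrite described above, as an added example that is not part of the original slides: it rewrites a file in place three times (0x00, 0xFF, random), forces each pass to the device, and then deletes it. The function names and the sample file are hypothetical and constructed; in-place overwriting only reaches the original blocks on media and file systems that write in place, so SSD wear levelling, copy-on-write file systems and snapshots can still hold older copies.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # write in chunks so large files are not held in memory


def overwrite_file(path, passes=3):
    """Overwrite a file in place `passes` times; return the pattern of each pass."""
    size = os.path.getsize(path)
    used = []
    # "r+b" keeps the existing file instead of truncating and recreating it.
    with open(path, "r+b") as fh:
        for n in range(passes):
            # Alternate fixed patterns, then finish with random data.
            if n == passes - 1:
                pattern = "random"
            else:
                pattern = "0x00" if n % 2 == 0 else "0xFF"
            fh.seek(0)
            remaining = size
            while remaining:
                step = min(CHUNK, remaining)
                if pattern == "random":
                    fh.write(secrets.token_bytes(step))
                else:
                    fh.write(bytes([int(pattern, 16)]) * step)
                remaining -= step
            fh.flush()
            os.fsync(fh.fileno())  # push this pass to the device before the next
            used.append(pattern)
    return used


def dispose(path, passes=3):
    """Overwrite the contents, then delete the directory entry."""
    used = overwrite_file(path, passes)
    os.remove(path)
    return used


def make_sample(content):
    """Create a constructed sample file and return its path."""
    fd, path = tempfile.mkstemp(prefix="disposal-demo-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    sample = make_sample(b"customer-record (constructed)\n" * 1000)
    print(dispose(sample), os.path.exists(sample))
```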
Degaussing
• Degaussing is a method in which the Magnetic
drives – Hard drives and Tapes are
demagnetized to destroy the data completely.
• After demagnetization the drive cannot be
used again.
• Degaussing can be done by the service
provider only
Destroying
• Destroying is a method in which the drives are completely shredded into pieces.
• Large shredding machines are required.
• Shredding can also be hired as a service
Security Technologies
Security Technologies ???
• Technologies used to enable security of applications and data in an organization are called Security Technologies.
Security Technologies

Firewalls, VPN, IDS, Access Control

Firewalls
A firewall is a device (or devices) used to permit or deny network transmissions on the basis of certain rule criteria
• Monitors the traffic flow in the network
• Checks the IP address and contents of packets
• Blocks unauthorized access
• Hardware firewall & Software firewall
Software Vs Hardware Firewall

Hardware Firewall Software Firewall


Types of Firewall Techniques
Packet filters
• It is also called a network layer firewall. It passes or blocks packets according to whether they match the rule set
– Stateful firewall
– Stateless firewall
Application Layer Firewall
• This firewall intercepts all packets that are
sent or received from an application.
• Prevents unwanted outside traffic from
reaching the protected machines.
• Restricts worms & Trojans.
Circuit-Level Gateway
• Circuit-level gateways work at the session layer of
the OSI model.
• They monitor TCP handshaking between packets to
determine whether a requested session is legitimate.
Information passed to a remote computer through a
circuit-level gateway
• Firewall technology supervises TCP handshaking
among packets to confirm a session is genuine.
• Inexpensive & hides data.
Proxy Server
• Controls and monitors the outbound traffic
• Blocks unauthorized packets
• Hides true network address and intercepts all
messages entering & leaving the network.
• The firewall evaluates requests made by a hacker against specific rules and guidelines and blocks the hacker.
Virtual Private Network (VPN)
• A virtual private network (VPN) extends a private network
across a public network, and enables users to send and
receive data across shared or public networks as if their
computing devices were directly connected to the private
network
• VPN technology was developed to allow remote users and
branch offices to access corporate applications and
resources.
• A VPN is created by establishing a virtual point-to-point
connection through the use of dedicated circuits
VPN
Types of VPNs
PPTP VPN(Dial-up VPN)
• Point-to-Point Tunneling protocol.
• Most commonly used VPN protocol.
• The authorized user connects to the VPN server through the internet and logs on to the network using their VPN password (Dial-up).
• A dedicated line is set up
• No additional cost.
• No extra hardware or software.
• Does not use encryption and so is not secure
PPTP VPN
Site-to-site VPN
• No dedicated line
• Allows different sites of the same organization
each having its own real network to connect
to form a VPN
• The routing, encryption and decryption are done by the routers on both sides.
• Can work with hardware or software based
firewalls.
Site-to-Site VPN
MPLS VPN
• Multiprotocol Label Switching
• Designed to improve store & forward speed of routers.
• Economical and fast
• Ping time is 10 ms
Access Controls

• Access control is a security feature through which the system permits or revokes the right to access any data or resource in a system.
• The permission to access a resource is called authorization.
Types of Access Control
Security Threats
Virus
• A computer virus is a type of computer program that,
when executed, replicates itself by modifying other
computer programs and inserting its own code.
When this replication succeeds, the affected areas
are then said to be "infected" with a computer virus.
• Through infected media
• Through emails and accessing social websites
• As a part of another program
Types of Virus
• Polymorphic Virus
Types of Virus
• Stealth: It masks itself from applications in order to avoid detection.

[Figure: Boot Record, Virus]
Multipartite
• Affects the system in multiple ways.

[Figure: Multipartite Virus: Memory, Disk Files, Boot Sector]
Other Virus Types
• Retroviruses
• Armored
• Companion
• Phage
• Macro virus
Trojan Horses
Logic Bombs
• Logic bombs are programs or code that are executed when a pre-defined event occurs. A logic bomb displays a message to the user and occurs at the time the user is accessing the internet or making use of an application
Worms
• Worms are threats that are self-sufficient: they replicate themselves and do not need any host application to get transmitted.
• They are also capable of delivering a virus to a system
• They make use not only of RAM but also of TCP/IP etc.
Malware
Stopping Malware
Security Threats to E-Commerce
• Internet being a public domain is open to all.
• Each and every transaction that occurs on the
internet can be tracked, monitored, logged
and stored.
• The information that is shared over the internet for carrying out transactions is constantly under security threat.
• These threats may arise from internal and external sources.
Some top security threats from
internal and external sources
• Unauthorized internal user – access confidential information
by using stolen password.
• Former employees – who have maintained access to the
information sources directly by creating alternative
passwords.
• Weak access points in information infrastructure and security
that can expose company information and trade secrets
• Management that undermines security may be the greatest
risk to e-commerce
E-Cash
• E-Cash refers to electronic transfer of money in
the form of a block of data representing money
that is transferred online.
• It includes computer networks, Internet and
digitally stored value system
• E-Cash bears a digital signature for
authentication purposes and is sent over the
network in the form of data or tokens
E-Cash
• When the buyer needs to make a
transaction the wallet program
communicates with the bank.
• The bank authenticates the user
and after the user is found valid, it
transfers the requested e-cash to
the customer.
• The e-cash is then paid to the
seller using the wallet programs
to complete the transaction
• The e-cash company may or may
not charge a small amount as
merchant transaction charges.
Electronic Payment System
• These are online monetary transactions, which are called e-payment schemes.

Online Online & offline Online & offline Online


EPS Schemes
Secure Electronic Payment Protocol / Secure Electronic Transaction (SEPP/SET)

• It is developed by Netscape, IBM, VISA & Mastercard.
• Secure credit card based protocol
• Common structure:
– Customer digitally signs a purchase along with the price and encrypts it with the bank's public key
– Merchant submits a sales request with the price to the bank.
– Bank compares the purchase and sales request. If the prices match, the bank authorizes the sale
• Avoids merchant fraud, ensures money but no goods atomicity
EPS Schemes

Secure Courier e-payment
• It is the earliest payment scheme.
• Secure payment between the users of banks and the sellers.
• This scheme encrypts the data and authenticates the individual consumer and the buyer at the time of electronic transaction

Check Free Wallet
• Enables buyers and customers to make transactions in an easy and safe manner.
• Based on Client/Server architecture.
• Uses public-private key encryption technology that uses the Rivest Shamir Adleman (RSA) algorithm
EPS schemes

Cyber Cash
• It is a digital cash software system that guarantees payment by the buyers before the delivery of goods.
• It allows a secured mechanism to send credit card information over the internet as it encrypts the details.
• Uses third party for decryption

VeriSign
• Authenticates the user by verifying the digital signature
• IBM introduced the concept of digital ID into its web browser and internet connection secure server.
UNIT - 2
Credit / Debit / smart Cards
Measures for Safe use
• Privacy: The information provided by a user
must be secured from other unknown users.
• Integrity: The information sent by the user
must not be tampered or altered.
• Authentication: The sender & receiver of information must prove their identities to each other.
• Non-Repudiation: It is the proof that the
information was indeed received.
What is Digital Signature
• Hash value of a message when encrypted with the private key of a person is his digital signature on that e-Document.

• Digital Signature of a person therefore varies from document to document thus ensuring authenticity of each word of that document.

• As the public key of the signer is known, anybody can verify the message and the digital signature.
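The hash-then-sign idea above, and the SEPP/SET price comparison described earlier, as an added example that is not part of the original slides. It uses textbook RSA with no padding and a constructed demo key so that it runs on the standard library alone; real systems use a padded scheme such as RSA-PSS from a vetted library. The function names and order format are hypothetical, and the encryption under the bank's public key is omitted.

```python
import hashlib

# Constructed demo key built from two Mersenne primes so the example is
# reproducible with the standard library only. Such a key is NOT secure.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, held only by the signer


def digest_int(message: bytes) -> int:
    """SHA-256 hash of the message as an integer (always smaller than N here)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Hash the message, then transform the hash with the private key."""
    return pow(digest_int(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Anyone holding the public key (e, n) can recover the hash and compare."""
    return pow(signature, e, n) == digest_int(message)


def bank_authorizes(order: bytes, signature: int, merchant_price: str) -> bool:
    """SEPP/SET-style check: the signed purchase must verify and prices must match."""
    if not verify(order, signature):
        return False  # altered order or wrong signer
    fields = dict(f.split("=", 1) for f in order.decode().split(";"))
    return fields.get("price") == merchant_price


if __name__ == "__main__":
    order = b"item=book;price=499.00"        # constructed purchase order
    sig = sign(order)
    print(verify(order, sig))                               # genuine document
    print(verify(b"item=book;price=4.99", sig))             # tampered document
    print(sign(b"another document") != sig)                 # signature varies
    print(bank_authorizes(order, sig, "499.00"))            # prices match
    print(bank_authorizes(order, sig, "599.00"))            # merchant inflated price
```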
Basic Requirements or Components
Private Key
The private key is one which is accessible only to the
signer. It is used to generate the digital signature which is
then attached to the message.

Public Key
The public key is made available to all those who
receive the signed messages from the sender. It is used
for verification of the received message.
Basic Requirements or components
• A subscriber of the private key and public key pair makes the
public key available to all those who are intended to receive
the signed messages from the subscriber.

• But in case of any dispute between the two sides, there must
be some entity with the receiver which will allow the receiver
of the message to prove that the message was indeed sent by
the subscriber of the key pair. This can be done with the Digital
Signature Certificate.
How it works
Cryptography and Encryption
Cryptography ensures secure transfer of data over an unsecured network, such as the internet.
• To ensure secure transmission, data should look entirely different from the original data.
• Plain Text
• Cipher Text
• Converting plain text to cipher text is called Encryption
• The reverse process is called Decryption
Cryptography and Encryption

[Figure: Plain Text → Encryption (Key) → Cipher Text → Decryption (Key) → Plain Text]
Private Key encryption
• A Single key is used for both encryption and
decryption of data.
• Key is shared between the sender & the
intended recipient but hidden from remaining
users.
• The sender uses the private key to encrypt the
data and then sends the encrypted data to
intended recipient
Private Key encryption
– On receiving the data, the recipient decrypts it using the same key.
– Both the parties should know which key must be used.
– The sender and the receiver can share the private key by generating the key at the sender's end, encrypting it using a public key and then sending it to the recipient.
– The length of the secret key determines the
strength of the encryption.
Private Key encryption

[Figure: Plain Text → Encrypt with secret key → Ciphertext sent over the Internet → Decrypt with secret key → Plain Text]
Public Key Encryption
• Two keys are used to encrypt & decrypt data.
• Key used to encrypt is called public key.
• Key used to decrypt is called private key.
• First public and private keys must be generated to use
public key encryption.
• The public key is made available to anyone who wants
to send the data.
• The sender uses public key to encrypt and send the
encrypted data to receiver.
• The receiver uses the private key and decrypts the
data
Public Key encryption

[Figure: Plaintext → Encrypt with public key → Ciphertext sent over the Internet → Decrypt with private key → Plaintext]
Information security Governance and Risk
Management
• IS are subject to serious threats that can have adverse effects on business operations.
• One must protect all information assets from threats.
• It is the accountability of managers to provide protection.
• Participation of individuals helps in effectively
mitigating the risk to a large extent.
Effective management of organizational security

• Senior managers being assigned the responsibility of managing risks.
• Executives recognizing the risks to information security that can harm the operations of the organization, its assets, individuals, reputation and possibly clients.
• Organization wide risk tolerance level being established.
This should include guidelines about what will be the
impact of risk tolerance on the current decision making
process
• Risk management programs being implemented effectively
throughout the organization where senior managers and
executives are accountable for taking risk management
decision and implementation
Risk Management

Framing
• Sense a threat & inform all the related activities that execute in a serial manner, to be ready to control and avert possible damage.

Assessing
• Analyze the level of risks and the level of security provided within our organization and its IS.
• The possible damages from a threat can also be assessed in this activity.
Risk Management

Monitoring
• Continuous checking of IS and keeping an eye on other threats that may be encountered by the organization.
• Defines proper guidelines for the maintenance of security of your systems.

Responding
• Taking preventive or corrective measures so that systems can be kept protected from any kind of threat, whether internal or external.
Risk Management Process

[Figure: Assess, Frame, Monitor and Respond, linked by information & communication flows]
Introduction to Security Policies and
Cyber Laws
Need for Information Security policy
Objective
• To protect Integrity, Confidentiality and availability of
information.
• Information is an asset.
• It is a part of any organization's overall asset security policy
• It is a business process that allows management with the
process required to perform the fiduciary.
• The information security professionals of an organization are
responsible to implement security policies that the business
and mission requirements of an organization
Introduction to Indian cyber law
• An Ethical hacker must get a signed legal document from the
target organization.
• The hacker should know when and where to use their skills
and must understand the consequences of misusing it.
• Cybercrimes involve criminal activities such as fraud, theft, forgery and defamation, which are subject to the IPC.
• All the cybercrimes are addressed by IT Act 2000
• A separate set of laws known as cyber laws or internet laws
has been designed to regulate cybercrimes.
• Two categories of Cyber laws are framed.
Two categories of cyber law
• Computer as Target: Specifies that a computer is used as a
tool to attack other computers such as virus and worm
attacks.
• Computer as Weapon: Specifies that a computer is used as
weapon to commit crimes such as credit card frauds, cyber
terrorism and pornography
Objective and Scope of the IT Act, 2000
• It was legislated on May 17, 2000.
• 94 sections grouped into 13 chapters
• Four schedules included.
• It aims at the regulation of use of IT.
• It legalizes and regulates the system of electronic data
interchange, electronic communication and e-Commerce.
• The act covers use of all the computer systems & networks
located in India.
• Later amended in 2008.
• Now it has 124 sections and 14 chapters
• Replaced Schedules I & II and deleted III & IV.
Objective and Scope of the IT Act, 2000
• India is the 12th country in the world to adopt cyber laws.
• IT act 2000 addresses issues such as legal recognition and
securing of electronic records and digital signatures and issue
of digital signature certificates.
• The amendment in 2008 has brought several additional new
sections in it regarding offences such as cyber terrorism and
data protection
Chapters of IT ACT 2000
Chapter 1 deals with the important definitions of the terms used in the regulation. It sets the scope of meaning of key terms of which the Act comprises.
Chapter 2 covers regulations regarding digital signature. It provides legal recognition to digital signature.
Chapter 3 deals with electronic governance. It legalizes the use of electronic records in government organizations and establishments.
Chapter 4 involves attribution, acknowledgement and dispatch of electronic records and their certifying authority.
Chapter 5 comprises secure e-records & digital signatures. It establishes rules & regulations related to the electronic gazettes.
Chapter 6 covers regulations of certifying authority
Chapters of IT ACT 2000
Chapter 7 deals with digital signature and details its certification with the duties of subscribers
Chapter 8 involves duties of subscribers
Chapter 9 comprises penalties and adjudication by the Cyber Regulations Appellate Tribunal. It covers penalty for damaging a computer and computer systems.
Chapter 10 deals with the establishment of the CRAT to secure justice in such cases.
Chapter 11 deals with the offences
Chapter 12 – Intermediaries not to be liable in certain cases
Chapter 13 – Miscellaneous
Intellectual Property Rights (IPR)
Intellectual Property Rights (IPR) or
IPR Laws