Lecture1-2 IPS
and Privacy
Mentor: Ms. Komal Batool
Lecture 1
A few important things
• Core Course for MS-IS
• Elective course for MS-DS
• Pre-Req for elective courses
• Covers one of the gold-standard certifications: CISSP by (ISC)2
About Me
• Ms. Komal Batool
• Ph.D. Scholar, MS-Information Security (NUST)
• Working with RISE since 2018
• PAF as IS Analyst for more than 4 years
• Faculty member at different national and international universities
• Official EC-Council Trainer
• CISSP, CHFI, CASE, CSCU and a few others
• 20 or more international publications, including impact-factor journals
• Lead, ATMs Communications
[email protected]
Feel free to drop me a WhatsApp message or voice note: +92-331-8852704
• Monday and Friday: thesis students @ RISE Office
• Tuesday, Wednesday and Thursday: available after 1 pm and before 5 pm
• Rest you can google about me.
What is I-P-S going to be about?
• Security vs Privacy
• While the security of information refers to the protection of information that is stored, processed and transmitted, so that it serves the functions and purposes of the information systems in an organization, the privacy of information is concerned with protecting information related to a subject's identity.
• Information security attributes (or qualities): Confidentiality, Integrity and Availability (CIA).
• Information systems are composed of three main portions: hardware, software and communications. The purpose is to help identify and apply information security industry standards, as mechanisms of protection and prevention, at three levels or layers: physical, personal and organizational. Essentially, procedures or policies are implemented to tell administrators, users and operators how to use products to ensure information security within the organization.
Information Systems Security
• ISS is a broad subject within the field of information technology (IT) that focuses on protecting computers, networks, and their users. Almost all modern companies, as well as many families and individuals, have justified concerns about digital risks to their well-being. These threats come in all shapes and sizes, including theft of private information in a database hack, installation of malicious software on a machine, and intentional service disruptions.
Against What?
• THREATS
Adware, Advanced persistent threat, Arbitrary code execution, Backdoors, Hardware backdoors, Code injection, Crimeware, Cross-site scripting, Cryptojacking malware, Botnets, Data breach, Drive-by download, Browser helper objects, Viruses, Data scraping, Denial of service, Eavesdropping, Email fraud, Email spoofing, Exploits, Keyloggers, Logic bombs, Time bombs, Fork bombs, Zip bombs, Fraudulent dialers, Malware, Payload, Phishing, Polymorphic engine, Privilege escalation, Ransomware, Rootkits, Bootkits, Scareware, Shellcode, Spamming, Social engineering, Screen scraping, Spyware, Software bugs, Trojan horses, Hardware Trojans, Remote access trojans, Vulnerability, Web shells, Wiper, Worms, SQL injection, Rogue security software, Zombie
What defenses do we have?
• Help me
This course: a bird's-eye view of the IS domain
• The objective of this course is to cover the breadth of the field of Information Security
• Course contents are largely inspired by:
— Certified Information Systems Security Professional
(CISSP)
— International Information Systems Security Certification Consortium (ISC)2
— https://www.isc2.org/cissp-training.aspx
— https://www.isc2.org/-/media/ISC2/Certifications/Ultimate-Guides/UltimateGuideCISSP-Web.ashx?la=en&hash=B1BC457F4AAC49147D491152465CCB342FC56680
• Eight domains of security make up the CISSP Common Body of
Knowledge (CBK)
• Covers the breadth of Information Systems Security
— An Inch Deep & A Mile Wide
Recommended Books
• Official (ISC)2 Guide to the CISSP CBK
— 9th Edition
— 2021
• CISSP All-in-One Exam Guide
— By Shon Harris
— Ninth Edition
— McGraw Hill, 2021
Success Story 1
• CISSP THOR VIDEOS
• Boson-CISSP
• CISSP Official App (LearnedZapp): Took 50-question exams on every domain from the phone app and averaged it with the first two Boson test domain score percentages to establish a baseline. (I used an Excel spreadsheet to document my scores and averages.)
• CISSP Official Study Guide: Utilize the official study guide to address the weaker areas. I referenced my incorrect answers to the official guide. (I don't recommend reading the entire book.) Once you identify the top 2 or 3 weakest domains, try to cover the categories and subcategories from the official exam outline.
• Read How to Think Like a Manager by Luke Ahmed to understand better how the exam questions and answers are structured. (Short read)
• Eleventh Hour CISSP Audiobook by Eric Conrad, Seth Misenar, and Joshua Feldman: Listened to it while driving.
Success Story 2
• I just provisionally passed the CISSP exam. It took me 2 and a half hours and 125 questions to clear it.
• Thanks to this group for keeping me motivated towards this goal. All the best!
• Materials used:
— Official Study Guide 9th Edition
— Official Practice Tests 3rd Edition
— Boson tests
— MindMap Videos
— Thor Videos and Practice Questions
— Pete Zerger Videos on YouTube
Grading policy
• Final Exam: 40
• Mid Term: 20
• Assignments: 30
• Project: 10
* Quiz at the end of almost every chapter
* Midterm exam in the 8th week of the semester
* Tentative. May change later on.
TF and this Course
• TF
• All course-related queries shall be handled by the TF
• RESPECT!
Traditional 10 Security Domains of CISSP
1. Information Security Governance & Risk Management
2. Security Architecture & Design
3. Access Control
4. Cryptography
5. Telecommunications & Network Security
6. Software Development Security
7. Physical (Environmental) Security
8. Security Operations
9. Business Continuity & Disaster Recovery Planning
10. Legal, Regulations, Investigations & Compliance
New 8 Domains of CISSP (April 2015 onward)
1) Security and Risk Management
2) Asset Security
— Classification, Ownership, Handling, Destruction
3) Security Engineering
— Security Architecture, Cryptography, Physical
4) Communication and Network Security
5) Identity and Access Management
6) Security Assessment and Testing
— Logs & Code Review, Vulnerability Assessment, PenTesting
7) Security Operations
8) Software Development Security
Task 1
• Register yourself on Coursera using your official university account
• Find courses on Coursera related to each domain
• NAME_SAPID_ASSIGNMENT1
• Follow proper documentation
1. Security & Risk Management
• Confidentiality, integrity, & availability concepts
• Security governance principles
• Governance, Risk Management & Compliance
• Legal and regulatory issues
• Security policies, standards, procedures and guidelines
• Risk Management concepts
• Risk Assessment Methodologies
• Business Impact Analysis
• Responsibilities of the IS Officer
• Professional ethics
2. Asset Security
• Information and asset classification
• Ownership (e.g. data owners, system owners)
• Privacy issues
• Appropriate data retention policies
• Data security controls
• Data handling requirements (e.g. markings, labels, storage)
3. Security Engineering
• Engineering processes with secure design principles
• Security models fundamental concepts
• Information systems security design considerations
• Cryptography
• Physical security
• Site and facility design secure principles
4. Communication and Network Security
• Networking protocol stack
• Protocol vulnerabilities and network attacks
• Security protocols design
• Network security infrastructures
• Secure communication channels
5. Identity and Access Management
• Physical and logical access control
• Access control attacks
• Identification and authentication of people and devices
• Identity as a service (e.g. cloud identity)
• Third-party identity services
• Identity and access provisioning lifecycle
6. Security Assessment and Testing
• Assessment and test strategies
• Security assessment process (e.g. management and operational controls)
• Security control testing
• Test outputs (e.g. automated, manual)
• Log reviews and code reviews
• Security architecture vulnerabilities
7. Security Operations
• Security operations concepts
• Provisioning of resources
• Logging and monitoring activities
• Resource protection techniques
• Patch and vulnerability management
• Change management processes
• Incident management
• Investigations support and requirements
• Recovery strategies
• Disaster recovery processes and plans
• Business continuity planning and exercises
• Personnel safety concerns
8. Software Development Security
• Security in the software development lifecycle
• Development environment security controls
• Software security effectiveness
• Acquired software security impact
• Security requirements
• Security in design
• Secure development
• Security testing
Get yourself online
• Make your LinkedIn profile
Look at local chapters of security organizations
• ISSA - Information Systems Security Association
• ISACA - Information Systems Audit and Control Association
• Society for Information Management
• InfraGard
• OWASP
• ASIS International
• High Technology Crime Investigation Association
• Risk and Insurance Management Society
• Society of Information Risk Analysis
• Institute of Internal Auditors
• International Association of Privacy Professionals
• Disaster Recovery Institute International
• Computer Technology Investigators Network
Reading for Quiz-1
• There will be a quiz in the next class
• https://www.isc2.org/Certifications/CISSP#
• 10-minute quiz
• MCQs
Assignment 2: Top 10 IS Certifications
• Students are required to explore the top 10 different certifications or professional trainings in the area of information security.
• Prepare a one-page report for each certification/training highlighting the following aspects:
— Certification Name,
— Certification Body,
— Brief Certification Contents,
— Cost of the Training,
— Potential Benefits of the Certification,
— Global Ranking,
— Your Ranking.
• Your report should be a maximum of 10 pages
Questions?