Fundamentals of Information Security

Delivered by Namra Mukhtar, Lecturer, USKT
Course Book

Principles of Information Security, Fourth Edition
Authors: Michael E. Whitman, Herbert J. Mattord

Email: [email protected]
Grading Criteria

 Quizzes 10%
 Assignments 10%
 Presentation/viva 10%
 Mid 30%
 Final 40%
Contents

 What is information?

 History of Information Security

 What is Security?

 What is Information Security?

 The CIA Triad

 Examples of Information Security Incidents

 How to handle security Incidents

What is Data?
 Data:
The word data is derived from the Latin word 'Datum', meaning something given. Data can be defined as a raw form of information.

Data representation (figure): data as text, graphs, sounds and videos.
Data Types?
 Primary data refers to the data collected by the researcher or the analyzer on his own.
Data Types...
 It does not include numbers (non-numerical data) or any statistics. Example: What is the purpose of your business?
Data Types...
 Quantitative data deals with numbers, answering the question of how much or how many. Example: How many employees have you employed at your business?
Data Types...
 Secondary data refers to the data collected by a third person and not the researcher himself.
Data Types...
 Internal data is the data of an organization that is internally accessible. It includes finances, personnel, facts and figures that the company gets from its software and applications.
Data Types...
 External data is stored outside the company's database. It usually comes from customers or competitors. Typically, this type of data consists of statistics from surveys and research.
What is information?
 Historically, the word information is derived from the Latin word 'Informare', meaning 'giving form to'. The processed form of data that is statistically analyzed, structured and organized in a specific manner is called information.
 Once we convert data into information, it becomes free of all the unnecessary details; however, this is a complicated process. Thus the transformation of data into information includes analyzing details about the raw data collected, structuring it, giving meaningful insights into the collected numbers and making it more meaningful to the reader.
Data, Information and Knowledge

DATA:
Data is unrefined and unstructured.
Data is a mixture of facts, numbers and records of events. It is one of the basic elements of analysis.

INFORMATION:
Information is structured and meaningful.
Information is a flow of ideas which helps in decision making and understanding. It is basically a message with meaning.

KNOWLEDGE:
Once human experiences and insights are applied to data and information, it becomes knowledge.
Knowledge is the mixture of ideas, experiences and contextual information.
The History of Information Security
 These days, information flows through computer systems like fish flow through the sea. This presents a wealth of opportunities for people to steal data.
 1960s: Organizations start to protect their computers.
 1970s: The first hacker attacks begin:
The internet as we know it today would not exist until the end of the 1980s, but governments already linked computers via telephone lines. Recognizing this, people started to seek ways to infiltrate the phone lines connected to computers so that they could steal data. These people became the first groups of hackers.
 1980s: Governments become proactive in the fight against cybercrime:
A small group of teenagers from Milwaukee, known as "the 414s," broke into over 60 military and corporate computer systems and stole over $70 million from U.S. banks.
The History of Information Security…
 1990s: Organized crime gets involved in hacking:
After the World Wide Web was made available in 1989, people started putting their personal information online; organized crime entities saw this as a potential revenue source and started to steal data from people and governments via the web.
 2000s: Cybercrime becomes treated like a crime:
Jeanson James Ancheta, for example, who used hacking to steal less than a millionth of a percent of the amount that "the 414s" stole, was sentenced to five years of jail time. By 2010, high-profile hackers were getting decades in prison for cybercrimes.
 2010s: Information security becomes serious:
Security experts started to realize that the best way to protect data was to make it truly inaccessible to hackers.
What is Security?
 Security:
The quality or state of being secure, that is, being free from danger.
 Security consists of two areas:
1. Physical
2. Information
 Physical security:
It is the protection of people, hardware, software, network information and data from physical actions, intrusions and other events that could damage an organization and its assets. Safeguarding the physical security of a business means protecting it from threat actors, as well as from accidents and natural disasters, such as fires, floods, earthquakes and severe weather.
 There are three parts to physical security:
1. Access control
2. Surveillance
3. Testing
Physical Security…
 Access control:
Controlling access to office buildings, research centers, laboratories, data centers and other locations is vital to physical security. An example of a physical security breach is an attacker gaining entry to an organization and using a Universal Serial Bus (USB) flash drive to copy and steal data or put malware on the systems.
 Surveillance:
Surveillance involves the technologies and tactics used to monitor activity in and around facilities and equipment. Many companies install CCTV cameras to secure the perimeter of their buildings. Cameras, thermal sensors, motion detectors and security alarms are only some examples of surveillance technology.
 Testing:
Testing is a reliable way to increase physical security. Companies that have strong security protocols test their policies to see if they need to be updated or changed. Such tests can include red teaming, where a group of ethical hackers tries to infiltrate a company's cybersecurity protocols.
What is Information Security?
Definition:
Information security is also referred to as infosec. It includes the strategies used to manage the processes, tools and policies that protect both digital and non-digital assets. When implemented effectively, infosec can maximize an organization's ability to prevent, detect and respond to threats.
 Infosec encompasses several specialized categories of security technology, including:
Application Security:
Protects applications from threats that seek to manipulate, access, steal, modify or delete software and its related data. Application security uses a combination of software, hardware and policies, called countermeasures, such as application firewalls, encryption and biometric authentication systems.
Cloud Security:
A set of policies and technologies designed to protect data and infrastructure in a cloud computing environment. Two key concerns of cloud security are identity and access management and data privacy. Penetration testing, network protocol maintenance, man-in-the-middle (MitM) detection and application scanning are some of the tools infosec professionals use to secure the confidentiality of information.
Information Security…
 Endpoint Security:
Endpoint security refers to the practice of protecting individual devices (endpoints) such as computers, smartphones, tablets and servers from cyber threats. It involves implementing security measures like antivirus software, firewalls and encryption to safeguard these devices from unauthorized access, malware and data breaches.
 Internet security:
The protection of software applications, web browsers and virtual private networks that use the internet. Techniques such as encryption, for example, protect data from attacks such as malware, phishing, MitM and denial-of-service attacks.
 Mobile security:
Also referred to as wireless security. It protects mobile devices, such as smartphones, tablets and laptops, and the networks they connect to from theft, data leakage and other attacks.
 Network security:
Defends the network infrastructure and the devices connected to it from threats such as unauthorized access, malicious use and modification.
The CIA Triad
 The letters in the triad stand for:
C: confidentiality
I: integrity
A: availability
 These principles should apply to all data protected by the CIA triad (also called the CIA triangle). The CIA security triangle shows the fundamental goals that must be included in information security measures.
The CIA Triad…
 Confidentiality:
Confidentiality is the protection of information from unauthorized access. Confidentiality requires measures to ensure that only authorized people are allowed to access the information. For example, confidentiality is maintained for a computer file if authorized users are able to access it, while unauthorized persons are blocked from accessing it.
The CIA Triad…
 Integrity:
The CIA triad goal of integrity is having correct and accurate data in your database. It is possible for information to change because of careless access and use, errors in the information system, or unauthorized access and use. In the CIA triad, integrity is maintained when the information remains unchanged during storage, transmission and usage not involving modification of the information. Integrity relates to information security because accurate and consistent information is a result of proper protection.
The CIA Triad…
 Availability:
The CIA triad goal of availability is the situation where information is available when and where it is rightly needed. The main concern in the CIA triad is that the information should be available when authorized users need to access it.
Information Security Incidents
 An InfoSec incident is the unauthorized access, use, disclosure, data breach, modification or destruction of information. It can be a suspected, attempted, successful or upcoming threat of such unauthorized access.
 Phishing:
According to the FBI’s Internet Crime Report, phishing was once again the most common cybercrime in 2020, and phishing incidents nearly doubled year-over-year. Phishing attacks rely on human error, so employee training is critical to preventing a data breach due to phishing. Employees need to know not to click on suspicious links or download anything suspicious.
 Brute-Force Attacks:
In these attacks, hackers use software to repeatedly and systematically attempt password combinations until they find one that works. Given the sophistication of password-cracking rigs, relying on a combination of letters, symbols and numbers is no longer enough to provide strong protection. Limiting login attempts and enabling two-factor authentication are better preventative measures against brute-force attacks.
Information Security Incidents…
 Malware:
Malicious software infects devices without users knowing it’s there. Examples include Trojan horses, spyware, ransomware and viruses, and they can have costly consequences. In 2021, Colonial Pipeline, the biggest oil supplier in the US, got caught up in a ransomware incident, lost days of business, and ultimately paid off their attackers approximately $5 million in bitcoin.
According to Bloomberg, the hackers got into the system via a leaked password on an old account that allowed employees to access company servers remotely through a VPN (virtual private network), and it did not require two-factor or multi-factor authentication. Once the hackers were in, they placed the malware, encrypted the company’s data and demanded a ransom.
 SQL Injections:
Structured Query Language (SQL) injections are when a hacker puts malicious code into a server to manipulate a company’s database. The goal is to access private company data, like customer information and credit card numbers.
Information Security Incidents…
 Cross-Site Scripting:
These attacks occur when a hacker exploits vulnerabilities by inserting malicious code, usually JavaScript, into the user’s browser. This can allow them to gain access to the browser and a user’s sensitive information.
 Man-in-the-Middle Attacks:
Hackers position themselves as middlemen between users and eavesdrop on, intercept and/or manipulate communication between two parties. This often occurs on unsecured networks, like public Wi-Fi.
 Denial-of-Service (DoS) Attacks:
A DoS attack overwhelms a website with a flood of traffic using bots in an attempt to crash the system and deny access to real users. Sometimes hackers will initiate a DoS attack to test a system’s integrity, especially when they manage a large consumer-facing website.
A DDoS attack is faster than a DoS attack.

(Figure: DDoS attack compared with DoS attack.)
Examples of Information Security Incidents
 Besides the Colonial Pipeline ransomware exploitation, both Alibaba and LinkedIn have experienced large data breaches in recent years.
 In 2019, Alibaba experienced a leak of more than 1 billion pieces of user data when a developer scraped customer info, including user names and cell-phone numbers, from their Chinese shopping site, Taobao. The information did not end up on the black market, but after the eight-month-long theft was discovered, the culprits were caught and ultimately fined and sent to prison. It was reported in June 2021 that the theft of LinkedIn information for 700 million users, representing approximately 93% of their user base, was exposed when a hacker bundled the data for sale on the black market. The hacker scraped data using the site’s API and captured information that included email addresses, phone numbers, geolocation information and other social media details that could lead to follow-on social engineering attacks.