01 Intro 1

Uploaded by Mehdii Raza (16 pages)

Information Security

Spring 2022

www.faisalak.info
[email protected]

Office: 06, SS-B Block, BUITEMS


Course Syllabus

Course Title: Information Security (3 hours lecture, 0 hours lab)

Instructor: Dr. Faisal Khan (backup – Ms. Ayesha Iftikhar)

Course Objective: To learn the basics of information security, in both its management and technical aspects. Students will understand various types of security incidents and attacks, and learn methods to prevent, detect and react to incidents and attacks. Students will also learn the basics of cryptography, which is one of the key technologies for implementing security functions.
Course Syllabus

Textbook: "Computer Security: Principles and Practice," William Stallings and Lawrie Brown, Third Edition or later.

Grading:
Quizzes (2 x 7.5%)  15%
HW                  10%
Midterm             25%
Final               50%
Course Syllabus
Course Outline:
• Information security foundations
• Security design principles; security mechanisms
• Symmetric and asymmetric cryptography
• Hash functions, digital signatures, key management, authentication and access control
• Software security, vulnerabilities and protections
• Security policies, policy formation and enforcement
• Risk assessment, cybercrime, law and ethics in information security
Attacks, Services, and Mechanisms
• Security Attack: Any action that compromises the security of information (e.g., stealing information).
• Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack (e.g., encryption).
• Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms (e.g., SSL for Web browsers and servers).
• A Service prevents Attacks by using Mechanisms.
Security Objectives
(PI and 3 A's)

• Privacy (Confidentiality)
• Integrity (has not been altered or deleted)
• Availability (accessibility: permanence, non-erasure)
  - Denial of Service attacks
  - Virus that deletes files
• Authentication (who created or sent the data)
  - Non-repudiation (the buy-order is final) [attribution]
• Authorization (access control, prevent misuse of resources)

Ref: ISO X.800 and IETF RFC 2424
[Figure: diagram relating the security objectives; labels: Availability, Privacy, Integrity, Authentication, Authorization]
Not included above: Theft of Services. For example, a botnet uses your computer to send spam email or to participate in a distributed denial-of-service (DDoS) attack.
Security Functional Requirements

Minimum Security Requirements for Federal Information and Information Systems – FIPS 200

1. Access Control: Limit information system access
2. Awareness and Training: Awareness of normal users and awareness of the IT team
3. Audit and Accountability: Maintain audit records
4. Certification, Accreditation, and Security Assessments
5. Configuration Management: Establish and maintain baseline configurations
6. Contingency Planning: Emergency backup and post-disaster recovery
Security Functional Requirements (contd.)

7. Identification and Authentication: Users and processes
8. Incident Response: Establish an incident handling capability
9. Maintenance: Periodic and timely maintenance of information systems
10. Media Protection: How to use, store and transmit information
11. Physical and Environmental Protection: Limit physical access and provide protection against environmental hazards
12. Planning: Develop, document, update and implement a security plan for the organization
13. Personnel Security: Ensure individuals are trustworthy; protect information on termination / relieving of an employee
Security Functional Requirements (contd.)

14. Risk Assessment: Assess risk to the organization from information systems
15. Systems and Services Acquisition: Allocate sufficient resources to adequately protect information systems
16. System and Communication Protection: Protect the network and software
17. System and Information Integrity: Identify, correct and report system flaws
Fundamental Security Design Principles

National Centers of Academic Excellence in Information Assurance/Cyber Defense – NCAE13

• Economy of mechanism: Security measures should be simple
• Fail-safe default: Access based on permission rather than exclusion
• Complete mediation: Every access must be checked
• Open design: Security mechanisms should be open rather than secret
• Separation of privilege: Multiple attributes required to access a resource (e.g., multifactor authentication)
• Least privilege: Every user / process should use the least privileges needed to perform a task
Fundamental Security Design Principles (contd.)
• Least common mechanism: Minimize the functions shared by different users
• Psychological acceptability: Security mechanisms should not interfere unduly with the work of users (otherwise users may turn off security)

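Fail-safe default, complete mediation and separation of privilege from the list above, as an added illustration that is not from the slides: an exclusion-based (deny-list) check next to a permission-based (allow-list) one, with a second factor required for privileged actions and every request mediated individually. The roles, policy sets and requests are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    """One access request: who, with which role, whether a second factor was
    presented, and what action is attempted. All values are constructed."""
    user: str
    role: str
    mfa_passed: bool
    action: str

# Constructed policy: only explicitly granted (role, action) pairs are permitted.
ALLOW = {("admin", "read"), ("admin", "write"), ("analyst", "read")}
# Constructed deny list used by the contrasting, exclusion-based check.
DENY = {("analyst", "write"), ("guest", "write")}
# Actions that additionally require a second factor (separation of privilege).
PRIVILEGED = {"write", "delete"}

def exclusion_check(req: Request) -> bool:
    """Exclusion-based: permit unless the pair is on the deny list.
    'delete' was never listed anywhere, so it is silently permitted."""
    return (req.role, req.action) not in DENY

def permission_check(req: Request) -> bool:
    """Fail-safe default: deny unless the pair is explicitly allowed, then
    require MFA as a second attribute before a privileged action."""
    if (req.role, req.action) not in ALLOW:
        return False
    if req.action in PRIVILEGED and not req.mfa_passed:
        return False
    return True

def mediate(requests, check):
    """Complete mediation: every request is evaluated on its own; no decision
    is cached or reused from an earlier request by the same user."""
    return [(r.user, r.action, check(r)) for r in requests]

# Constructed sample requests.
SAMPLE = [
    Request("alice", "admin", True, "write"),
    Request("bob", "analyst", False, "read"),
    Request("bob", "analyst", False, "delete"),  # action never listed in any policy
    Request("carol", "admin", False, "write"),   # right role, but no second factor
]

if __name__ == "__main__":
    for name, fn in (("exclusion", exclusion_check), ("permission", permission_check)):
        print(name, mediate(SAMPLE, fn))
```

The deny-list version admits the unlisted "delete" and the MFA-less "write"; the allow-list version refuses both, which is what "permission rather than exclusion" buys.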
Security Implementation

• Prevention: implement mechanisms to avoid attacks
• Detection: implement mechanisms to detect attacks (e.g., IDS, alerts integrated into software)
• Response: halt the attack and prevent further damage
• Recovery: reliable backup and recovery mechanisms
Information Security Summary

• Specification/policy: What is the security scheme supposed to do?
• Implementation/mechanisms: How does it do it?
• Correctness/assurance: Does it really work?
Security Standards
• Internet: Internet Engineering Task Force (IETF)
• De facto: PGP email security system, Kerberos (MIT)
• ITU (X.509 certificates)
• National Institute of Standards and Technology (SHA)
• IEEE
• Department of Defense, National Computer Security Center
• Export Controls (U.S. Dept. of Commerce)
  - High Performance Computers
  - Systems with "Hard" Encryption