Lecture 01- What is Information Security.pdf
CSSY1208 Introduction to Information Security
Lecture 1: What is Information Security?
Textbook: The Basics of Information Security: Understanding the Fundamentals of InfoSec in Theory and Practice, Second Edition, Jason Andress, Elsevier.
Referenced book: Cryptography and Network Security, 6th Edition, William Stallings, Pearson.

2 Outline
Chapter 1: What is Information Security?
- Defining information security
- Information security goals: CIA
- Attack types
- Basic terminology related to the information security concept
- Risk management process
- Incident response strategy
- Defense in depth: layers

3 Introduction
Information security is "protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction".
In short, information security means protecting our assets.
Example: protecting our systems from attackers, viruses/worms, natural disasters, adverse environmental conditions, power failures, theft, or other undesirable states.

4 Information Security goals
(figure: information security goals)

5 The Confidentiality, Integrity, and Availability Triad
Three of the primary concepts in information security are confidentiality, integrity, and availability, commonly known as the CIA triad, as shown in the previous figure. The CIA triad gives us a model by which we can think about and discuss security concepts, and it tends to be very focused on security as it pertains to data.

6 Defining Information Security (cont'd.)
Confidentiality
- This aim states that information and systems should only be read, known, and learnt by authorized people.
- It is about keeping information private, secret, and out of the hands of unauthorized people.
- Confidentiality can be compromised by:
1. Loss of a laptop containing data.
2. A person looking over our shoulder while we type a password.
3. An e-mail attachment being sent to the wrong person.
4. An attacker penetrating our systems.

7 Defining Information Security (cont'd.)
Integrity
Integrity refers to the ability to prevent our data from being changed in an unauthorized or undesirable manner.
Examples:
1. The unauthorized change or deletion of our data, or of portions of our data.
2. File permissions in Linux and Windows, used to prevent unauthorized changes.

8 Defining Information Security (cont'd.)
Availability
Information or systems should be available to authorised people when needed.
Loss of availability can happen for a wide variety of reasons, such as:
1. Power loss
2. Operating system or application problems
3. Network attacks
4. Denial of service (DoS) attacks

9 Defining Information Security (cont'd.)
Although the use of CIA to define the security objectives is well established, additional security concepts are needed to present a complete picture. The most commonly mentioned concepts are:
1. Authenticity
2. Accountability
- Authenticity: the property of being able to be verified and trusted. This means verifying that users are who they say they are, and that each input arriving at the system came from a trusted source.
- Accountability: the security goal that generates the requirement for the actions of an entity to be traced uniquely to that entity.

10 Attacks
A useful means of classifying security attacks is in terms of passive attacks and active attacks.
1. A passive attack attempts to learn or make use of information from the system but does not affect system resources.
2. An active attack attempts to alter system resources or affect their operation.

11 Attacks
(figure: types of attack payloads)
When we look at what exactly makes up an attack, we can break it down according to the type of attack that it represents, the risk the attack represents, and the controls we might use to mitigate it.
12 Types of attack
Interception
- Definition: an unauthorised party has gained the ability to read or know a particular piece of information.
- Breach of: Confidentiality
- Examples: unauthorised access to stored information; sniffing; illegal copying.
Interruption
- Definition: information or systems are not available when needed by a legitimate user.
- Breach of: Availability
- Examples: an attacker launches a Denial of Service attack against a website; cutting a communications line; disabling a file management system.
Modification
- Definition: a resource is altered in an unauthorised way.
- Breach of: Integrity
- Examples: an attacker changes a value in a database from 100 to 1000 in order to commit some type of fraud.
Fabrication
- Definition: false entities are created.
- Breach of: Integrity
- Examples: an attacker adds false sales records to a database in order to commit some type of fraud.

13 Security attacks
(figure: normal flow, information source to information destination)

14 Security attacks
(figure: interruption, the flow from information source to information destination is cut)

15 Security attacks
(figure: interception, an attacker reads the flow from information source to information destination)

16 Security attacks
(figure: modification, an attacker alters the flow between information source and information destination)

17 Security attacks
(figure: fabrication, an attacker injects a flow towards the information destination)

18 Information Security Terminology
(figure: information security terminology)

19 Information Security Terminology
Three options for dealing with risk:
1. Accept
2. Mitigate or reduce
3. Transfer (insurance)

20 Risk management
The risk management process consists of five steps.
First, we need to identify our important assets.
(figure: the risk management process)

21 Identify threats
Second, once we have enumerated our critical assets, we can begin to identify the threats that might affect them.

22 Assess vulnerabilities
Third, assess vulnerabilities; we need to do so in the context of potential threats. Any given asset may have thousands or millions of threats that could impact it, but only a small fraction of these will actually be relevant.

23 Assess risks
Fourth, assess the overall risk.
As we discussed earlier in this chapter, risk is the conjunction of a threat and a vulnerability. A vulnerability with no matching threat, or a threat with no matching vulnerability, does not constitute a risk.

24 Mitigating risks
Fifth, in order to help us mitigate risk, we can put measures in place to help ensure that a given type of threat is accounted for. These measures are referred to as controls.

25 Mitigating risks (cont'd.)
Controls are divided into three categories:

26 Incident response
In the event that our risk management efforts fail, incident response exists to react to such events. The incident response process, at a high level, consists of:
- Preparation: having in place the policies and procedures that govern incident response and handling, and conducting training.
- Detection and analysis: the phase where the action begins to happen in our incident response process.
- Containment: ensuring that the situation does not cause any more damage than it already has.
- Eradication: attempting to remove the effects of the issue from our environment.
- Recovery: recovering to a better state than the one we were in prior to the incident.
- Post-incident activity: attempting to determine specifically what happened, why it happened, and what we can do to keep it from happening again.

27 Defense in depth
Defense in depth is a strategy to formulate a multilayered defense that will allow us to still achieve a successful defense if one or more of our defensive measures fail.

28 Layers: Defense in depth
When we look at the layers we might place in our defense in depth strategy, we will likely find that they vary with the particular situation and environment we are defending. From a strictly logical information security perspective, we would want to look at the external network, network perimeter, internal network, host, application, and data layers as areas to place our defenses.

29 Thank You
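The five-step risk management process on slides 20 to 25, combined with the three risk-treatment options on slide 19, worked through as a small risk register. This is an added illustration, not code from the lecture or the textbook; every asset, threat, vulnerability and control name, the 1 to 5 value and likelihood scales, and the risk tolerance of 10 are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional
# Step 1: identify the important assets (constructed sample data, asset value 1..5).
ASSETS = {"customer-db": 5, "public-website": 3, "staff-laptop": 2}
# Step 2: enumerate the threats that might affect each asset (constructed).
THREATS = {
    "customer-db": ["sql-injection", "insider-data-theft", "ransomware", "flood"],
    "public-website": ["denial-of-service", "sql-injection"],
    "staff-laptop": ["device-loss", "flood"],
}
# Step 3: vulnerabilities actually present, likelihood 1..5, assessed against those threats.
VULNERABILITIES = {
    "customer-db": {"sql-injection": 4, "ransomware": 3, "flood": 1},
    "public-website": {"denial-of-service": 3, "outdated-cms": 2},
    "staff-laptop": {"device-loss": 4},
}
# Step 5: control catalogue (assumed names; deliberately no control listed for ransomware).
CONTROLS = {"sql-injection": "parameterised queries", "denial-of-service": "upstream traffic filtering",
            "device-loss": "full-disk encryption", "flood": "off-site backups"}

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    score: int  # asset value x vulnerability likelihood, 1..25
    control: Optional[str]

def assess_risks():
    """Step 4: a risk exists only where a threat meets a matching vulnerability."""
    risks = []
    for asset, value in ASSETS.items():
        vulns = VULNERABILITIES.get(asset, {})
        for threat in sorted(set(THREATS.get(asset, [])) & set(vulns)):  # the conjunction
            risks.append(Risk(asset, threat, value * vulns[threat], CONTROLS.get(threat)))
    return sorted(risks, key=lambda r: r.score, reverse=True)  # highest risk first

def unmatched(asset):
    """Threats with no vulnerability, and vulnerabilities with no threat: neither is a risk."""
    threats, vulns = set(THREATS.get(asset, [])), set(VULNERABILITIES.get(asset, {}))
    return sorted(threats - vulns), sorted(vulns - threats)

def treat(risk, tolerance=10):
    """Slide 19's options: accept below tolerance, mitigate when a control exists, else transfer."""
    if risk.score < tolerance:
        return "accept"
    return "mitigate" if risk.control else "transfer"

if __name__ == "__main__":
    for r in assess_risks():
        print(f"{r.score:2d} {r.asset:15s} {r.threat:18s} -> {treat(r)}")
```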