Lecture 3: Information Security
University of Science and Technology
Mashair Omer
Summary
This lecture discusses information security concepts, including assets, attacks, vulnerabilities, and risk. It covers various types of vulnerabilities like technical, social, and physical. The lecture is beneficial for understanding the key elements of information security threats.
Full Transcript
University of Science and Technology
Faculty of Computer Science and Information Technology
Department of Information and Communication Technology
Lecture (3)
Instructor: Mashair Omer

Globality

Globality requires that you:
- Protect your information assets.
- Narrow the window of exposure.

Who might attack you?
- Hackers: a few talented people provide tools for thousands of kids.
- Customers: themselves, or through stolen passwords.
- Insiders: through malice, carelessness, or overwork.
- Competitors: a DoS attack makes you look bad.

Why is attacking possible? Because our systems are vulnerable.

What does vulnerable mean? A "vulnerable state" is any state which enables a user to read or modify information without authorization, or to grant or deny an entity access to a resource without authorization. "Without authorization" means "in violation of the system's security policy".

Key Information Security Concepts

A number of terms and concepts that are essential to information security are listed below.

- Asset: The organizational resource that is being protected. An asset can be logical, such as a Web site, information, or data; or an asset can be physical, such as a person, computer system, or other tangible object.
- Attack: An intentional or unintentional act that can cause damage to or otherwise compromise information and/or the systems that support it. Attacks can be active or passive, intentional or unintentional, and direct or indirect.
- Control, safeguard, or countermeasure: Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization.
- Exploit: A technique used to compromise a system.
- Risk: The probability that something unwanted will happen. Organizations must minimize risk to match their risk appetite (the quantity and nature of risk the organization is willing to accept).
- Subjects and objects: A computer can be either the subject of an attack (an agent entity used to conduct the attack) or the object of an attack (the target entity).
- Threat: A category of objects, persons, or other entities that presents a danger to an asset.
- Vulnerability: A weakness or fault in a system or protection mechanism that opens it to attack or damage. Some examples of vulnerabilities are a flaw in a software package, an unprotected system port, and an unlocked door. Some well-known vulnerabilities have been examined, documented, and published; others remain latent (or undiscovered).

Classes of Vulnerabilities

System vulnerabilities can be classified as:
- Technical vulnerabilities.
- Social vulnerabilities (social engineering attacks).
- Physical vulnerabilities (system access, network access).

1. Technical Vulnerabilities

These vulnerabilities are caused by weaknesses in the technology used and expose the system to attack. Examples include:
- TCP/IP security holes: SYN flooding, IP spoofing attacks.
- Service vulnerabilities: email bombs, spam attacks.
- Bad configuration: back doors (trap doors).
- Software bugs: buffer overflow attacks.
- Internet topology: hijacking, smurf, DDoS attacks.

2. Social Vulnerabilities (Social Engineering Attacks)

The process of using social skills to convince people to reveal access credentials or other valuable information to the attacker.

3. Physical Vulnerabilities

Technical hardware failures or errors occur when a manufacturer distributes to users equipment containing a known or unknown flaw. These defects can cause the system to perform outside of expected parameters, resulting in unreliable service or lack of availability.
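
The "vulnerable state" definition given earlier in the lecture can be checked mechanically by comparing what a system state actually permits against the security policy. The following is an added example, not part of the lecture; it simplifies the definition to a per-operation comparison, and every name in it (POLICY, find_violations, the users and the resource) is constructed for illustration.

```python
# Added example: a simplified model of the lecture's "vulnerable state".
# A state is vulnerable if it permits or blocks any operation in violation
# of the security policy. All subjects, resources and names are constructed.

# Security policy: the operations each subject is authorized to perform.
POLICY = {
    ("alice", "payroll.db"): {"read", "modify"},
    ("bob", "payroll.db"): {"read"},
    ("guest", "payroll.db"): set(),
}

def find_violations(policy, state):
    """Return sorted (subject, resource, operation, kind) policy violations.

    kind is 'unauthorized access' when the state permits what the policy
    forbids, and 'unauthorized denial' when the state blocks what the
    policy allows.
    """
    violations = []
    for key in sorted(set(policy) | set(state)):
        allowed = policy.get(key, set())  # absent from policy: nothing allowed
        actual = state.get(key, set())    # absent from state: nothing permitted
        for op in sorted(actual - allowed):
            violations.append((*key, op, "unauthorized access"))
        for op in sorted(allowed - actual):
            violations.append((*key, op, "unauthorized denial"))
    return violations

def is_vulnerable(policy, state):
    """A state is vulnerable if it deviates from the policy in any way."""
    return bool(find_violations(policy, state))

# Constructed system states: what the running system actually permits.
SECURE_STATE = {key: set(ops) for key, ops in POLICY.items()}
MISCONFIGURED_STATE = {
    ("alice", "payroll.db"): {"read"},            # modify wrongly blocked
    ("bob", "payroll.db"): {"read", "modify"},    # modify wrongly permitted
    ("guest", "payroll.db"): set(),
    ("mallory", "payroll.db"): {"read"},          # subject unknown to policy
}

if __name__ == "__main__":
    for violation in find_violations(POLICY, MISCONFIGURED_STATE):
        print(violation)
```

The "unauthorized denial" case matters as much as the access case: a state that blocks a legitimate user violates the policy too, which is the availability side of the definition.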