Information Security Concepts PDF
Marwadi University
Pro. Tirth Bhadeshiya
This document provides an introduction to information security, covering concepts like cybersecurity, threats, types of attacks (against individuals, property, organizations, and society), and various assets (data, hardware, software, people, physical assets, and documentation).
# Information Security

Prepared by: Pro. Tirth Bhadeshiya (FOCA Dept.)

## 1. Introduction

- The technique of protecting internet-connected systems such as computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks is known as **cybersecurity**.
- We can divide cybersecurity into two parts: one is cyber, and the other is security.
- Cyber refers to the **technology** that includes systems, networks, programs, and data. Security is concerned with the **protection** of systems, networks, applications, and information.
- In some cases, it is also called electronic information security or information technology security.

## Information Security

- Information security is not only about securing information from unauthorized access.
- Information security is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording, or destruction of information.
- Information can be physical or electronic.
- Information can be anything: your personal details, your profile on social media, the data on your mobile phone, your biometrics, etc.
- Thus, information security spans many research areas, such as cryptography, mobile computing, cyber forensics, online social media, etc.
- Information security programs are built around three objectives, commonly known as the CIA triad: Confidentiality, Integrity, Availability.

### 1. Confidentiality

- Means information is not disclosed to unauthorized individuals, entities, or processes.
- For example, suppose I have a password for my Gmail account, but someone watched while I was logging in. In that case, my password has been compromised and confidentiality has been breached.

### 2. Integrity

- Means maintaining the accuracy and completeness of data.
- This means data cannot be edited in an unauthorized way.
- For example, if an employee leaves an organization, the data for that employee in all departments, such as accounts, should be updated to reflect the status JOB LEFT so that the data is complete and accurate. In addition, only authorized personnel should be allowed to edit employee data.

### 3. Availability

- Means information must be available when needed.
- This principle keeps information available and useful to its authorized users at all times.
- It ensures that access is not hindered by system malfunction or cyber-attacks.

## Threats

- Threats are actions carried out primarily by hackers or attackers with malicious intent, to steal data, cause damage, or interfere with computer systems.
- A threat can be anything that can take advantage of a vulnerability to breach security and negatively alter, erase, or harm objects.
- A threat is any potential danger that can harm your systems, data, or operations.
- In cybersecurity, threats include activities like **hacking, malware attacks, or data breaches** that aim to exploit vulnerabilities.
- Recognizing and understanding these threats is crucial for implementing effective security measures.
- By identifying potential threats, you can better protect your sensitive information and maintain the integrity of your digital assets.
- Effective threat management is key to maintaining a secure and resilient cybersecurity posture.

## Types of Threats

- A security threat is anything that can potentially harm computer systems and organizations.
- This harm can come from physical actions, like someone stealing a computer with important information.
- It can also come from non-physical actions, such as a virus attacking the computer system.
- Threats are of two types:
  1. Physical threats
  2. Non-physical threats

### 1. Physical Threat

- A physical threat to computer systems is something that could lead to data loss or physical damage.
- It can be classified as:
  - **Inside/Internal:** These are like things that go wrong inside the chest, like faulty wires causing a spark (short circuit) or a fire. It can also be things like the power going out all the time (unstable power supply) or the chest getting rusty from being in a damp place (excess humidity).
  - **Outside/External:** These are like big events outside that could smash the chest, like a flood or an earthquake.
  - **People/Human:** These are like people messing with the chest, either on purpose (stealing information) or by accident (spilling drinks or making mistakes).

### 2. Non-Physical Threat

- A non-physical threat to computer systems is something that could lead to data loss or damage without any physical action.
- It can be classified as:
  1. Hampering of the business operations that depend on computer systems.
  2. Loss of sensitive data or information.
  3. Illegally keeping track of another person's computer system activities.
  4. Hacking users' IDs and passwords, etc.

## Attacks

Attacks are classified mainly into four categories:

| Category | Description |
| - | - |
| 1. Against Individuals | These include e-mail spoofing, spamming, cyber defamation, cyber harassment and cyber stalking. |
| 2. Against Property | These include credit card fraud, internet time theft and intellectual property crimes. |
| 3. Against Organizations | These include unauthorized accessing of computers, denial of service, computer contamination / virus attack, e-mail bombing, salami attack, logic bomb, trojan horse and data diddling. |
| 4. Against Society | These include forgery, cyber terrorism and web jacking. |

### 1. Against Individuals

| Category | Description |
| - | - |
| 1. E-Mail Spoofing | A spoofed e-mail is one in which the e-mail header is forged so that the mail appears to originate from one source but has actually been sent from another. |
| 2. Spamming | Spamming means sending multiple copies of unsolicited mails or mass e-mails such as chain letters. |
| 3. Cyber Defamation | This occurs when defamation takes place with the help of computers and/or the Internet, e.g. someone publishes defamatory matter about someone on a website or sends e-mails containing defamatory information. |
| 4. Harassment & Cyber Stalking | Cyber stalking means following an individual's activity over the internet. It can be done with the help of many protocols available, such as e-mail, chat rooms and Usenet groups. |

### 2. Against Property

| Category | Description |
| - | - |
| 1. Credit Card Fraud | As the name suggests, this is fraud committed using a credit card. It generally happens if someone gets to know the card number or the card gets stolen. |
| 2. Intellectual Property Crimes | Software piracy: illegal copying of programs and distribution of copies of software. Copyright infringement: using copyrighted material without proper permission. Trademark violations: using trademarks and associated rights without permission of the actual holder. Theft of computer source code: stealing, destroying, or misusing the source code of a computer program. |
| 3. Internet Time Theft | This happens when Internet hours paid for by one person are used by an unauthorized person. |

### 3. Against Organization(s)

| Category | Description |
| - | - |
| 1. Unauthorized Accessing of Computer | Accessing a computer or network without permission from the owner. It can take two forms. Changing/deleting data: unauthorized changing of data. Computer voyeur: the criminal reads or copies confidential or proprietary information, but the data is neither deleted nor changed. |
| 2. Computer Contamination / Virus Attack | A computer virus is a computer program that can infect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself. Viruses can be file-infecting or can affect the boot sector of the computer. Worms, unlike viruses, do not need a host to attach themselves to. |
| 3. Denial of Service (DoS) | When an Internet server is flooded with continuous bogus requests so as to deny legitimate users the use of the server, or to crash the server. |
| 4. E-mail Bombing | Sending large numbers of mails to an individual, company or mail server, ultimately resulting in a crash. |
| 5. Salami Attack | When negligible amounts are removed and accumulated into something larger. These attacks are used for the commission of financial crimes. |
| 6. Logic Bomb | This is an unauthorized program which functions from inside what seems to be an authorized program, thereby concealing what it is actually doing. |
| 7. Trojan Horse | A Trojan horse (Trojan) is a type of malware that disguises itself as legitimate code or software. |
| 8. Data Diddling | This kind of attack involves altering raw data just before it is processed by a computer and then changing it back after the processing is completed. |

### 4. Against Society

| Category | Description |
| - | - |
| 1. Forgery | Currency notes, revenue stamps, mark sheets etc. can be forged using computers and high-quality scanners and printers. |
| 2. Cyber Terrorism | Use of computer resources to intimidate or coerce people and carry out the activities of terrorism. |
| 3. Web Jacking | Hackers gain access to and control over the website of another party, and may even change the content of the website to fulfil political objectives or for money. |

## Assets

- In information security, assets refer to anything valuable to an organization that needs protection from threats and vulnerabilities.
- These assets can be tangible or intangible and can include data, hardware, software, and people.
- Here are some common types of assets in information security:

### 1. Data

- **Personal Data:** Information about individuals, such as names, addresses, social security numbers, and financial details.
- **Intellectual Property:** Proprietary information such as patents, trademarks, copyrights, and trade secrets.
- **Business Data:** Information related to business operations, such as contracts, financial records, and strategic plans.

### 2. Hardware

- **Servers:** Centralized computers that store and manage data and applications.
- **Computers and Workstations:** Devices used by employees to perform their daily tasks.
- **Network Devices:** Routers, switches, and firewalls that manage network traffic and security.
- **Mobile Devices:** Smartphones, tablets, and laptops used by employees.

### 3. Software

- **Operating Systems:** Software that manages hardware and software resources on computers and servers.
- **Applications:** Programs used to perform specific tasks, such as word processing, spreadsheets, and database management.
- **Security Software:** Tools like antivirus programs, intrusion detection systems, and firewalls that protect against threats.

### 4. Networks

- **Local Area Networks (LANs):** Internal networks that connect devices within a limited area.
- **Wide Area Networks (WANs):** Networks that connect devices over large geographical areas.
- **Wireless Networks:** Networks that use wireless signals to connect devices.

### 5. People

- **Employees:** Individuals who work for the organization and have access to its information and systems.
- **Contractors:** External individuals or organizations that provide services to the company and may have access to its information.
- **Customers:** Individuals or organizations that interact with the company and provide personal information.

### 6. Physical Assets

- **Buildings:** Facilities where the organization operates and stores its hardware and data.
- **Security Equipment:** Devices such as locks, cameras, and alarms used to protect physical assets.

### 7. Documentation

- **Policies and Procedures:** Written guidelines that dictate how information security is managed within the organization.
- **Compliance Records:** Documentation that demonstrates adherence to regulatory requirements.
## Fundamental Security Requirements

- The fundamental requirements in information security are often summarized by the CIA triad, which stands for Confidentiality, Integrity, and Availability.
- These three principles are the cornerstone of any information security strategy.

### 1. Confidentiality

- **Definition:** Ensuring that information is not disclosed to unauthorized individuals, entities, or processes.
- **Measures:** Encryption, access control mechanisms, authentication processes, and data masking.
- **Examples:** Using strong passwords, implementing multi-factor authentication, and encrypting sensitive data during transmission and storage.

### 2. Integrity

- **Definition:** Ensuring that information is accurate, reliable, and not altered or tampered with by unauthorized parties.
- **Measures:** Hashing, digital signatures, checksums, and version control.
- **Examples:** Implementing file integrity monitoring, using digital signatures to verify the authenticity of documents, and maintaining accurate audit logs.

### 3. Availability

- **Definition:** Ensuring that information and associated services are available to authorized users when needed.
- **Measures:** Redundant systems, regular backups, disaster recovery plans, and maintenance of hardware and software.
- **Examples:** Setting up redundant servers, performing regular data backups, and having a robust disaster recovery plan in place.

### 4. Authentication

- **Definition:** Verifying the identity of users, devices, or systems before granting access to resources.
- **Measures:** Passwords, biometrics, smart cards, and multi-factor authentication.
- **Examples:** Requiring users to enter a password and a one-time code sent to their phone to access an account.

### 5. Authorization

- **Definition:** Ensuring that authenticated users have permission to access and perform specific operations on resources.
- **Measures:** Role-based access control (RBAC), access control lists (ACLs), and permissions.
- **Examples:** Granting access to sensitive data only to employees who need it to perform their job duties.

### 6. Non-repudiation

- **Definition:** Ensuring that a party in a communication cannot deny the authenticity of their signature on a document or a message that they originated.
- **Measures:** Digital signatures, logging, and auditing.
- **Examples:** Using digital signatures to sign e-mails or documents, and maintaining detailed logs of all transactions.

### 7. Accountability

- **Definition:** Ensuring that the actions of an entity can be traced uniquely to that entity.
- **Measures:** Logging, monitoring, and auditing.
- **Examples:** Keeping detailed logs of user activities and reviewing them regularly to detect and respond to suspicious behavior.

## Attack Tree

- Attack trees are conceptual diagrams that show the variety of ways in which something can go wrong, and the reasons why it might go wrong.
- The approach uses a visual representation of interconnected issues that lead to a single major fault, and as such attack trees are an effective way of performing root cause analysis.
- They are an adaptation of the fault tree method used in safety analysis, an example of which is shown below.
- Applying the same logic to cyber security, you can investigate the different ways that a system might be attacked, or how an attacker might achieve a specific objective.
- Attack trees use a hierarchical representation of the steps needed for a successful attack.
- Each step gives a requirement for completion, and a successful attack is a complete set of satisfied requirements from nodes at the bottom of the tree to those at the top.
- Each path in the tree should be unique, and there should be no loops in the design.

## Steps to Create an Attack Tree

### Step 1: Identify the Goal

Start by identifying the specific goal an attacker could have. For example, the goal could be to gain unauthorized access to a system, tamper with data, or cause a denial-of-service (DoS) attack.
### Step 2: Define the Root Node

Create the root node of the attack tree, representing the identified goal. Use a descriptive keyword or phrase as the label for the root node.

### Step 3: Identify Attack Paths

Identify the different attack paths an attacker could follow to reach the goal. These paths represent a series of steps an attacker might take to exploit vulnerabilities. For each attack path, create child nodes connected to the root node.

### Step 4: Subdivide Attack Paths

For each attack path, further subdivide it into smaller attack trees or sub-attack trees. These sub-attack trees represent individual elements, actions, or vulnerabilities that an attacker may exploit. Repeat this step recursively until you reach a level of detail that provides enough granularity for analysis.

### Step 5: Add Attack Techniques and Vulnerabilities

For each node in the attack tree, add the specific attack techniques, strategies, or vulnerabilities that an attacker could utilize or exploit. This helps identify potential weaknesses in the system and highlights areas requiring additional protection.

### Step 6: Assess and Analyze

Analyze the attack tree to assess the likelihood and impact of each attack path. This analysis allows you to prioritize risks, identify critical vulnerabilities, and plan appropriate countermeasures.

## How to Build the Attack Tree

- An attack tree is built from two components: nodes and branches.
- Nodes can represent any aspect of an attack. This is usually an action by an attacker (‘steal password’) or a state that the system reaches as a result of an action (‘get access to password manager’).
- Branches represent the dependencies between the nodes, identifying a causal link between the completion of those nodes lower in the tree and those above them. In most attack trees, no contextual information is given to a branch when the tree is drawn; any context is held implicitly between the two nodes.
- To start building an attack tree, the first thing to consider is the objective of an attacker, or your overarching security concerns. These concerns should be sufficiently broad to acknowledge that attackers will usually be able to take multiple approaches to achieve their objective.
- This could range from broad concerns such as ‘Can authentication of employees be bypassed?’ to narrower questions like ‘How vulnerable is my firewall configuration?’ Once identified, this is placed at the top of the tree (also known as the root node).
- The next step is to identify as many ways as possible by which that end goal or core concern can be realized.
- This can be defined in a variety of ways, but is frequently represented as a set of technical capabilities required by the attacker.
- You can also consider the targets (the different end points at which the objectives can be achieved) or vectors (the means by which the objectives can be achieved).
- This step should then be repeated for each new node created, until there are no further steps in the process.
- The final nodes (that is, nodes with no steps beneath them) are known as leaf nodes.
- When building an attack tree, there’s no need to worry about aesthetics (that is, whether or not it looks like a tree). There’s no need to have the same number of branches from each node, or for all paths from leaf nodes to the root node to be the same length.
- In fact, your tree will most likely be asymmetrical, since attacks may have different numbers of steps or require more or less detail.

## Attack Surface

- An attack surface is the total of all possible entry points for unauthorized access into a system. Attack surfaces include all vulnerabilities and endpoints that can be exploited to carry out a security attack.
- The attack surface is also the entire area of an organization or system that is susceptible to hacking.
- For most modern businesses, the attack surface is complex and massive. The large number of devices, web applications, and network nodes creates many potential cybersecurity threats.
- IT leaders, despite their best efforts, can only see a subset of the security risks their organization faces. However, they should consistently monitor their organization’s attack surface to help identify potential threats. An attack surface’s size can change over time as new systems and devices are added or removed.
- The attack surface of an application could include the following:
  - Admin interfaces.
  - Application programming interfaces (APIs).
  - Authentication entry points.
  - Data.
  - Data pathways.
  - Interfaces with other applications.
  - Local storage.
  - User interfaces.

## Types of Attack Surface

- Physical attack surfaces
- Digital attack surfaces
- Social engineering attack surfaces

## How to Reduce Your Attack Surface

- Once you know your attack surface, you can manage it and assess the associated risks.
- When the attack surface is large, the inventory also helps you to prioritise the elements to protect.
- The aim of knowing your attack surface is to then be able to reduce it (where possible) and put relevant protection in place.
- Having the fewest possible attack points allows protection efforts to be focused, and therefore strengthens security.
- To reduce your attack surface, the general advice is:
  1. Clean up or delete all elements that are no longer used.
  2. Segment the network.
  3. Monitor the network and logs.
  4. Make some tools and services available only through a VPN or after authentication.
  5. Follow the principle of least privilege.
  6. Raise staff awareness of the risks they face (including social engineering).

## 10 Common Attack Vectors

- Malicious employees
- Compromised credentials
- Software vulnerabilities
- Weak passwords
- Poor encryption
- Ransomware
- Phishing
- Misconfigured devices
- Trust relationships
- DDoS attacks
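As an added example (not part of the lecture notes), the following Python ties together the Attack Tree steps, the reduce-attack-surface advice and the attack vectors list: a small attack tree with AND/OR nodes for the lecture's example concern ‘Can authentication of employees be bypassed?’, which enumerates the attack paths (Steps 3 and 4), finds the least-effort path (Step 6), and ranks which single control most raises the attacker's cost. The node labels, effort costs and the control-to-leaf mapping are constructed assumptions for illustration only.

```python
import math
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, FrozenSet, List, Tuple

@dataclass
class Node:
    """Attack tree node: the root is the attacker's goal, leaves are single steps or preconditions."""
    label: str
    kind: str = "LEAF"        # "LEAF", "OR" (any child suffices) or "AND" (all children needed)
    cost: float = 0.0         # attacker effort for a leaf, in arbitrary constructed units
    children: List["Node"] = field(default_factory=list)

def leaf(label: str, cost: float) -> Node:
    return Node(label, "LEAF", cost)

def any_of(label: str, *children: Node) -> Node:
    return Node(label, "OR", 0.0, list(children))

def all_of(label: str, *children: Node) -> Node:
    return Node(label, "AND", 0.0, list(children))

def attack_paths(node: Node) -> List[List[str]]:
    """Every set of leaves that satisfies `node`: one list per attack path from leaf nodes to root."""
    if node.kind == "LEAF":
        return [[node.label]]
    child_paths = [attack_paths(c) for c in node.children]
    if node.kind == "OR":
        return [p for paths in child_paths for p in paths]
    # AND: one path from every child, combined into a single path
    return [sum(combo, []) for combo in product(*child_paths)]

def cheapest_path(node: Node, blocked: FrozenSet[str] = frozenset()) -> Tuple[float, List[str]]:
    """Least-effort path to the goal as (cost, leaves); leaves in `blocked` are
    removed by a control, so their cost is treated as infinite."""
    if node.kind == "LEAF":
        return (math.inf, []) if node.label in blocked else (node.cost, [node.label])
    results = [cheapest_path(c, blocked) for c in node.children]
    if node.kind == "OR":
        return min(results, key=lambda r: r[0])
    return (sum(r[0] for r in results), [l for r in results for l in r[1]])

def rank_controls(root: Node, controls: Dict[str, FrozenSet[str]]) -> List[Tuple[str, float]]:
    """Rank controls by how far each one alone raises the cheapest path (math.inf: no path left)."""
    ranked = [(name, cheapest_path(root, leaves)[0]) for name, leaves in controls.items()]
    return sorted(ranked, key=lambda r: -r[1])

# Constructed tree for the concern ‘Can authentication of employees be bypassed?’;
# leaf labels are taken from the attack vectors list, costs are illustrative.
TREE = any_of("Bypass employee authentication",
    all_of("Log in with a stolen password",
        any_of("Obtain a password",
            leaf("Phishing", 3),
            leaf("Weak passwords", 2),
            leaf("Compromised credentials", 1)),
        leaf("No second factor required", 0)),
    leaf("Misconfigured devices", 6),
    leaf("Trust relationships", 8))

# Constructed controls from the reduce-attack-surface advice, mapped to the leaves each removes.
CONTROLS = {
    "multi-factor authentication": frozenset({"No second factor required"}),
    "credential hygiene (password policy)": frozenset({"Weak passwords", "Compromised credentials"}),
    "staff awareness training": frozenset({"Phishing"}),
    "device configuration review": frozenset({"Misconfigured devices"}),
}

if __name__ == "__main__":
    print("cheapest path:", cheapest_path(TREE))
    print("best single control:", rank_controls(TREE, CONTROLS)[0])
```

With these constructed costs the cheapest path is a compromised credential plus the absence of a second factor, and multi-factor authentication is the single control that raises the attacker's cheapest remaining path the most.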