Information Security is the practice of
defending information from unauthorised
access, use, disclosure, disruption,
modification, recording or destruction.
Why Information Security?
• Information is critical to any business and
paramount to the survival of any organisation in
today‟s globalised digital economy.
• Governments, military, corporations, financial
institutions, etc. amass huge confidential
information about their employees, customers,
research & financial status. Most of this
information is stored on computers and
transmitted across networks to other computers.
• Conventional warfare has been replaced by
digital or cyber war. Rivals continue attempts to
gain access to the adversaries information.
• Bradley Manning, US soldier: involved in the biggest
breach of classified data (7 Lakh Classified files,
battlefield videos & diplomatic cables) in US History
for providing files to Wikileaks.
• A hacker stole a database from South Carolina‟s
Deptt. Of Revenue, exposing 3.6 million Social
Security numbers and 3.8 Lakh payment card
records. More than 6.5 Lakh businesses were also
• As per recent article of Indiatimes: As India‟s 108 bn
$ IT Service industry is becoming the world‟s
favoured outsourcing centre, India is emerging as a
top destination for cyber data theft.
In 1980 a computer cracked a 3-character
password within one minute.
DID YOU KNOW?
In 2004 a computer virus infected 1
million computers within one hour.
In 1999 a team of computers cracked a 56-
character password within one day.
REASONS FOR ATTACKS
• Fraud: These attacks are after credit card
numbers, bank accounts,
passwords…anything of use of themselves or
sell for profit
• Activism: Activists disagree with a particular
political or social stance one takes, and want
only to create chaos and embarrass the
• Industrial Espionage: Specific proprietary
information is targeted either in rivalry or to
FORMS OF THREAT
• Computer Viruses
• Trojan Horse
• Address Book Theft
• Domain Name System Poisoning
• Zombies (Enslaving of Computers), IP Spoofing
(Replicating IP adress)
• Password grabbers
• Network Worms
• Hijacked Home Pages
• Denial of Service attacks
• Identity theft
Top Three Security Threats
• Malware (Malicious Software)
• Internet- Facing Applications
• Social Engineering
Social Engineering is the art of deceptively
influencing a person face to face, over the phone, via e
mail, etc. to get the desired information. For an
organisation with more than 30 employees one expert
puts the success rate of social engineering at 100%.
•Convincing an employees to share a company
password over the phone or chat
•Tricking someone into opening a malicious e mail
•Sending a “free” hardware that‟s been pre- infected
Pillars of Information Security: CIA
Preventing disclosure of information to
unauthorised individuals or systems. For
eg. A Credit Card transaction. The system
attempts to enforce confidentiality by
encrypting the card number during
transmission from buyer to seller.
Maintaining and assuring the accuracy
and consistency of data over its entire life-
cycle. This means the data cannot be
modified in an unauthorised or undetected
The information must be available
when it is needed, to ensure its utility. This
means that the computing systems used
to store and process the information, the
security controls used to protect it , and
the communication channels used to
access it must be functioning correctly.
MEASURES FOR INFORMATION
Use a strong password
• A strong password is the best way to protect yourself
against identity theft and unauthorized access to your
Protect confidential information
• Varied people have access to information that must not
be shared, including the password. Familiarize yourself
with the applicable laws and policies which govern these
records and act accordingly.
Make sure operating system and virus protection are up-
• This will avoid vulnerability to hackers and others looking
to steal information.
Use secure and supported applications
• Any software you install has the potential to be exploited
by hackers, so be very careful to only install applications
from a trusted source. The use of pirated software is
Be wary of suspicious e-mails
• Don't become a phishing victim. Never click on a link in
an email; if you're tempted, cut and paste the url into
your browser. That way, there's a good chance your
browser will block the page if it's bad. And don't open
email attachments until you've verified their legitimacy
with the sender.
Store confidential information only on HSU servers
• CDs, DVDs, and USB drives are all convenient ways to
store data; the trouble is, they're just as convenient for
thieves as for you. Wherever possible, store confidential
information in your network folder or other protected
central space. If you must store confidential information
locally, you must encrypt it and then delete it as soon as
you no longer need it.
Back up your data … and make sure you can restore it
• If your computer becomes infected, the hardware fails,
you may be unable to retrieve important information. So
make sure your data is backed up regularly - and test
that backup from time to time to make sure that the
restore works correctly.
Protect information in all its forms
• Protecting your digital data is important. But paper
and the human voice remain important elements
of the security mix. Keep confidential printed
information in locked file cabinets and shredded
when no longer required. If you're talking about
confidential information on the phone, take
appropriate steps to ensure you're not overheard.
Learn to be security-aware
• Being aware and alert to the environment can
prevent any disaster.
• Classified documents should be kept in special filing cabinets,
special vaults etc.
• It should be in the personal custody of the concern authorised
• These should be kept locked when not in use.
• These should be numbered and logged
• When passing from one authorised person to the next , written
signed receipt should be taken.
• Shouldn‟t be taken out of premises ideally , otherwise they
should be sent only in sealed boxes in double sealed cover
• Never discuss office matters at public places
• Do not carry home sensitive information
• Do not use the phone to discuss sensitive information
• Be careful of strangers
• Wherever it is felt that something had happened, it
should be immediately discussed so as to initiate
damage control exercises
• Do not take unusual precautions –this will
attract attention – act normal
• Persons having the confidential information
should be made personally responsible for
protecting the same
• Security must be sensible or low profile
• Security should be organised in depth
• Enforce control of copies of documents
• Proper control of waste paper and destruction
• Check all meeting places for „bugs‟
• Be wary of consultants
• Edit your journals
• Nothing will remain secret, if more than two
persons share the same