Introduction to Information Security
By M.Dhilsath Fathima
Veltech University
What is Security?
• “The quality or state of being secure—to be
free from danger”
• A successful organization should have multiple
layers of security in place:
– Physical security
– Personal security
– Operations security
– Communications security
– Network security
– Information security
What is Information Security?
• The protection of information and its critical
elements, including systems and hardware that
use, store, and transmit that information
• Necessary tools: policy, awareness, training,
education, technology
• The C.I.A. triangle was the standard, based on
confidentiality, integrity, and availability
• The C.I.A. triangle has now been expanded into a list of critical
characteristics of information
Critical Characteristics of
Information
• The value of information comes from the
characteristics it possesses:
– Confidentiality
– Integrity
– Availability
– Authorization
– Authentication
– Identification
– Accountability
CONFIDENTIALITY (Secrecy/Privacy)
• When we talk about confidentiality of information, we are talking about
protecting the information from disclosure to unauthorized parties.
• Information has value, especially in today’s world: bank account
statements, personal information, credit card numbers, trade secrets,
government documents. Everyone has information they wish to keep
secret. Protecting such information is a very major part of information
security.
• A key component of protecting information confidentiality is
encryption. Encryption ensures that only the right people (people who
know the key) can read the information. Encryption is VERY
widespread in today’s environment and can be found in almost every
major protocol in use. A very prominent example is
SSL/TLS (Secure Sockets Layer/Transport Layer Security), a security
protocol for communications over the internet that has been used in
conjunction with a large number of internet protocols to ensure security.
Integrity (Truthfulness)
• Integrity means that data cannot be modified without authorization.
• Integrity is the quality or state of being whole, complete, and
uncorrupted.
• The integrity of information is threatened when it is exposed to
corruption, damage, destruction, or other disruption of its authentic
state. Corruption can occur while information is being compiled, stored,
or transmitted.
• Eg: Integrity is violated when an employee deletes important data files,
when a computer virus infects a computer, when an employee is able to
modify his own salary in a payroll database, when an unauthorized user
vandalizes a website, when someone is able to cast a very large
number of votes in an online poll, and so on.
Availability (Accessible)
• Availability is the characteristic of information that enables user
access to information without interference or obstruction and in
a required format.
• A user in this definition may be either a person or another
computer system. Availability does not imply that the information is
accessible to any user; rather, it means availability to authorized
users.
• For any information system to serve its purpose, the information must
be available when it is needed.
• Eg: High availability systems aim to remain available at all times,
preventing service disruptions due to power outages, hardware
failures, and system upgrades.
Authorization (Approval)
• Authorization to access information and other computing services
begins with administrative policies and procedures. The policies
prescribe what information and computing services can be accessed,
by whom, under what conditions, and what actions they will be
allowed to perform (run, view, create, delete, or change). The
access control mechanisms are then configured to enforce these
policies. This is called authorization.
• To be effective, policies and other security controls must be
enforceable and upheld. Effective policies ensure that people are
held accountable for their actions. All failed and successful
authentication attempts must be logged, and all access to information
must leave some type of audit trail.
Authentication (Verification/Validation)
• Authentication is the process of determining whether someone or
something is, in fact, who or what it is declared to be.
• Logically, authentication precedes authorization (although they may
often seem to be combined). The two terms are often used
synonymously but they are two different processes.
• Authentication is a process in which the credentials provided are
compared to those on file in a database of authorized users’
information on a local operating system or within an authentication
server.
• If the credentials match, the process is completed and the user is
granted authorization for access.
Identification (Recognition)
• Identification is how you identify someone, i.e., how you
would refer to that person or company.
• It could be the name, the account number in a bank, or the
username in some specific system.
• Ex: One-Time Password
Accountability (Answerability)
• The characteristic of accountability exists
when a control provides assurance that
every activity undertaken can be attributed
to a named person or automated process.
• For example, audit logs that track user
activity on an information system provide
accountability.
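The three slides above (authorization, authentication, accountability) describe one chain: verify the presented credential against what is on file, then consult the access control matrix for the authenticated identity, and log every attempt either way so it can be attributed to a named user. The following Python example is added here and is not part of the original slides; the users, the role/asset/action matrix and the PBKDF2 work factor are constructed assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed access control matrix: role -> asset -> permitted actions.
# This is the "what, by whom, which actions" that the authorization policy prescribes.
ACCESS_CONTROL_MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "clerk":   {"payroll": {"view"}},
    "manager": {"payroll": {"view", "change"}, "reports": {"view", "create"}},
    "admin":   {"payroll": {"view", "change", "delete"},
                "reports": {"view", "create", "delete"}},
}

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: the store keeps salt and digest, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class User:
    username: str
    role: str
    salt: bytes
    digest: bytes


@dataclass
class Principal:
    """An authenticated identity; authorization decisions are made against this."""
    username: str
    role: str


@dataclass
class SecuritySystem:
    users: Dict[str, User]
    audit_log: List[dict] = field(default_factory=list)

    def _audit(self, event: str, username: str, **details) -> None:
        # Accountability: every attempt, successful or failed, is attributed to a named user.
        self.audit_log.append({"time": datetime.now(timezone.utc).isoformat(),
                               "event": event, "user": username, **details})

    def authenticate(self, username: str, password: str) -> Optional[Principal]:
        """Authentication: compare the presented credential with the one on file."""
        user = self.users.get(username)
        if user is None:
            hash_password(password, b"\x00" * 16)  # keep timing similar for unknown users
            self._audit("auth_failure", username, reason="unknown user")
            return None
        if not hmac.compare_digest(hash_password(password, user.salt), user.digest):
            self._audit("auth_failure", username, reason="bad password")
            return None
        self._audit("auth_success", username)
        return Principal(username, user.role)

    def authorize(self, principal: Principal, asset: str, action: str) -> bool:
        """Authorization: only after authentication, check the matrix for this role."""
        allowed = action in ACCESS_CONTROL_MATRIX.get(principal.role, {}).get(asset, set())
        self._audit("access_granted" if allowed else "access_denied",
                    principal.username, asset=asset, action=action)
        return allowed


def build_demo_system() -> SecuritySystem:
    """Constructed user store: two users with salted password hashes."""
    users = {}
    for name, role, password in [("alice", "clerk", "correct horse"),
                                 ("bob", "manager", "battery staple")]:
        salt = os.urandom(16)
        users[name] = User(name, role, salt, hash_password(password, salt))
    return SecuritySystem(users)


if __name__ == "__main__":
    system = build_demo_system()
    alice = system.authenticate("alice", "correct horse")
    # A clerk may view payroll but not change it (the payroll example on the integrity slide).
    print("alice may change payroll:", system.authorize(alice, "payroll", "change"))
    for entry in system.audit_log:
        print(entry)
```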
Figure 1-4 – NSTISSC Security Model
NSTISSC Security Model
• The National Security Telecommunications and Information Systems
Security Committee (NSTISSC) was established by President Bush under
National Security Directive 42 (NSD 42), entitled "National Policy for the
Security of National Security Telecommunications and Information
Systems," dated 5 July 1990.
• The NSTISSC provides a forum for the discussion of policy
issues, sets national policy, and propagates direction,
operational procedures, and guidance for the security of
national security systems through the NSTISSC Issuance
System.
• The NSTISSC Security Model provides a more detailed perspective
on security.
• While the NSTISSC model covers the three dimensions of
information security, it omits discussion of detailed guidelines and
policies that direct the implementation of controls.
• The 3 dimensions of each axis become a 3x3x3 cube with 27 cells
representing areas that must be addressed to secure today’s
Information systems.
• To ensure system security, each of the 27 cells must be properly
addressed during the security process.
• For example, the intersection between the technology, integrity and storage
areas requires a control or safeguard that addresses the need to use
technology to protect the integrity of information while in storage.
• Assume that a security model is needed for protection of information in
your organization.
• Using the NSTISSC model, examine each of the cells and write a brief
statement on how you would address the three components
represented in that cell.
National security systems contain classified information:
a. involves intelligence activities;
b. involves cryptographic activities related to national
security;
c. involves command and control of military forces;
d. involves equipment that is an integral part of a weapon
or weapons system(s); or
e. is critical to the direct fulfillment of military or intelligence
missions (not including routine administrative and
business applications).
Examples of security policies
• Physical computer security policies such as physical access controls.
• Network security policies (for example, e-mail and Internet policies).
• Data security policies (access control and integrity controls, anti-virus
software, and firewalls: software- or hardware-based devices that can be
deployed between networks to protect an organization from external or
internal network attacks).
• Implementing networking services such as a DNS server, to easily find and
access network services, and a DHCP server, for automatic, centralized IP
address management.
• Computer security awareness and training.
• Monitoring and Logging Policy
• Encrypted Authentication Policy
• Antivirus Policy
• Encryption guidelines
Emerging security technologies
• Hardware authentication: good authentication requires three things
from users: what they know, such as a password; who they are, such
as a username; and what they have, such as a token.
• User-behavior analytics: "Users can be identified and automatically
signed up for the training appropriate for the policies they were
violating."
• Data loss prevention: a key to data loss prevention is technologies
such as encryption and tokenization.
• Protocol verification
Security Education
• Bachelor of Science in Cyber Security - Computer Systems
Security
• Bachelor of Science in Cyber Security - Information
Assurance
• Master of Science in Cyber security Policy
• Master of Science in Homeland Security – Cyber security
Policy
• Awareness Activities
– Awareness for CBSE/NCERT & State level educational Institutes
– Cyber Security Awareness Programs
– Development of Multilingual Websites
– Awareness Campaigns through Print and Electronic Media
Components of an Information System
An information system (IS) is the entire set of software,
hardware, data, people, procedures, and networks
necessary to use information as a resource in the
organization.
SOFTWARE
• The software components of an IS comprise
applications, operating systems, and
assorted command utilities.
• Software programs are the vessels that carry the
lifeblood of information through an
organization. These are often created under the
demanding constraints of project management,
which limit time, cost, and manpower.
Hardware
• Hardware is the physical technology that houses and executes the
software, stores and carries the data, and provides interfaces for the
entry and removal of information from the system.
• Physical security policies deal with hardware as a physical asset and with the
protection of these physical assets from harm or theft. Applying the traditional
tools of physical security, such as locks and keys, restricts access to and
interaction with the hardware components of an information system.
• Securing the physical location of computers and the computers
themselves is important because a breach of physical security can result in a
loss of information. Unfortunately, most information systems are built on
hardware platforms that cannot guarantee any level of information security if
unrestricted access to the hardware is possible.
Examples of physical security policies:
• Intruder Alarm Systems including area surveillance
sensors, volumetric sensors, high security perimeter
protection, infra-red devices, etc.
• Access Control Systems including card systems,
biometrics, turnstiles, trap doors, etc.
• Closed Circuit Television (CCTV) Systems including
video surveillance, cameras, 360-degree surveillance
domes, switching matrixes, IP video, digital recording,
image analysis, privacy zone protection, etc.
Examples
• Wide Area Surveillance: a wide area surveillance sensor provides
continuous views of expansive areas.
• High security perimeter protection
Data
• Data stored, processed, and transmitted through a
computer system must be protected.
• Data is often the most valuable asset possessed by an
organization and is the main target of intentional attacks.
• The raw, unorganized, discrete (separate, isolated),
potentially useful facts and figures that are later
processed (manipulated) to produce information.
People
• There are many roles for people in information systems.
Common ones include
– Systems Analyst
– Programmer
– Technician
– Engineer
– Network Manager
– MIS (Manager of Information Systems)
– Data entry operator
Procedures
• A procedure is a series of documented
actions taken to achieve something.
• A procedure is more than a single simple
task. A procedure can be quite complex
and involved, such as performing a
backup, shutting down a system, patching
software.
Networks
• When information systems are connected to each other
to form local area networks (LANs), and these LANs are
connected to other networks such as the Internet, new
security challenges rapidly emerge.
• Steps to provide network security are essential, as is the
implementation of alarm and intrusion systems to make
system owners aware of ongoing compromises.
SECURING COMPONENTS
• Modern computer systems, linked by national and
global networks, face a variety of threats and
attacks that can result in significant financial and
information losses.
• These threats vary considerably, from threats to
data integrity resulting from accidental,
unintentional errors and omissions to threats from
malicious hackers attempting to crash a system.
Securing Components
• A computer can be the subject of an attack and/or
the object of an attack
• Subject of an attack: the computer is used as an active tool to
conduct the attack.
• Object of an attack: the computer is the entity being attacked.
Securing Components
ATTACK
• An attack is an intentional threat and is an action
performed by an entity with the intention to violate security.
Examples of attacks are destruction, modification,
fabrication, interruption or interception of data. An attack
is a violation of data integrity and often results in
disclosure of information, a violation of the
confidentiality of the information, or in modification of
the data.
• An attacker can gain access to sensitive information by
attacking in several steps, where each step involves an
illegal access to the system. An intentional threat can be
caused by an insider or outsider, who may be a spy, hacker,
corporate raider, or a disgruntled employee.
TYPES OF ATTACK
• Any attack on the security of a system can be a
– direct attack
– indirect attack.
• A direct attack aims directly at the desired part
of the data or resources. Several components in
a system may be attacked before the intended
(final) information can be accessed.
TYPES OF ATTACK
• In an indirect attack, information is
received from or about the desired
data/resource without directly attacking
that resource. Indirect attacks are often
troublesome in database systems where it
is possible to derive confidential
information by posing indirect questions to
the database. Such an indirect attack is
often called inference.
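One standard control against the inference attack described above is a query-set-size restriction: an aggregate is answered only when the set of matching records is neither too small nor too close to the whole table, so that the complement of a tiny set cannot be asked for instead. This Python example is added here and is not from the slides; the employee table and the threshold k are constructed.

```python
from typing import Callable, Dict, List, Optional

# Constructed employee table. "salary" is the confidential attribute; the other
# columns could plausibly be known to whoever is posing the questions.
EMPLOYEES: List[Dict] = [
    {"name": "Ana",  "dept": "IT",  "grade": 3, "salary": 52000},
    {"name": "Ben",  "dept": "IT",  "grade": 2, "salary": 41000},
    {"name": "Cara", "dept": "IT",  "grade": 2, "salary": 42000},
    {"name": "Dev",  "dept": "HR",  "grade": 2, "salary": 39000},
    {"name": "Eli",  "dept": "HR",  "grade": 1, "salary": 35000},
    {"name": "Fay",  "dept": "HR",  "grade": 2, "salary": 40000},
    {"name": "Gus",  "dept": "OPS", "grade": 1, "salary": 33000},
    {"name": "Hal",  "dept": "OPS", "grade": 2, "salary": 38000},
]

Predicate = Callable[[Dict], bool]


def query_set_size(rows: List[Dict], predicate: Predicate) -> int:
    """Number of records an aggregate query would be computed over."""
    return sum(1 for r in rows if predicate(r))


def safe_average(rows: List[Dict], predicate: Predicate, field: str,
                 k: int = 3) -> Optional[float]:
    """Answer AVG(field) over the matching rows only if k <= |S| <= N - k.

    The lower bound refuses a query that isolates one (or very few) individuals.
    The upper bound refuses the complementary trick of asking about "everyone
    except" that individual and subtracting from a total. Returns None when the
    query is refused. k is an assumed threshold for this example.
    """
    n = len(rows)
    matched = [r for r in rows if predicate(r)]
    m = len(matched)
    if m < k or m > n - k:
        return None
    return sum(r[field] for r in matched) / m


def demo_queries() -> Dict[str, Optional[float]]:
    """The three query shapes the slide alludes to, run against the constructed table."""
    def only_ana(r: Dict) -> bool:          # isolates a single person
        return r["dept"] == "IT" and r["grade"] == 3

    def everyone_but_ana(r: Dict) -> bool:  # complement of that set
        return not only_ana(r)

    def whole_it_dept(r: Dict) -> bool:     # legitimate departmental aggregate
        return r["dept"] == "IT"

    return {
        "IT grade 3 (1 person)": safe_average(EMPLOYEES, only_ana, "salary"),
        "everyone except them (7)": safe_average(EMPLOYEES, everyone_but_ana, "salary"),
        "whole IT department (3)": safe_average(EMPLOYEES, whole_it_dept, "salary"),
    }


if __name__ == "__main__":
    for label, answer in demo_queries().items():
        print(f"{label}: {'refused' if answer is None else answer}")
```

Size controls alone can be defeated by combining several individually allowed queries, so in practice they are paired with query auditing or noise addition; the example shows the first line of defence only.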
TYPES OF ATTACK
• Passive attacks are made by monitoring a system performing its
tasks and collecting information. In general, it is very hard to detect
passive attacks since they do not interact with or disturb normal system
functions. Monitoring network traffic, CPU and disk usage, etc. are
examples of passive attacks.
• Encryption of network traffic can only partly solve the problem since
even the presence of traffic on a network may reveal some
information. Traffic analysis such as measuring the length, time and
frequency of transmissions can be very valuable to detect unusual
activities.
TYPES OF ATTACK
Active Attack
• An active attack changes the system behavior in some way. Examples
of an active attack can be to insert new data, to modify, duplicate or
delete existing data in a database, to deliberately abuse system
software causing it to fail and to steal magnetic tapes, etc.
• A simple operation such as the modification of a negative
acknowledgment (NACK) from a database server into a positive
acknowledgment (ACK) could result in great confusion and/or damage.
Active attacks are easier to detect if proper precautions are taken.
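The NACK-to-ACK modification above (and the integrity slide earlier) is exactly what a message authentication code defends against: the receiver recomputes the tag under a shared key and rejects any message whose body no longer matches it. This Python example is added here and is not from the slides; the message layout, the shared key and the request-id check are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Key shared between the database server and its client; constructed for this example.
SHARED_KEY = secrets.token_bytes(32)
TAG_HEX_LEN = 64  # hex-encoded HMAC-SHA256 tag


def build_ack(status: str, request_id: int, key: bytes = SHARED_KEY) -> bytes:
    """Server side: 'STATUS|request_id|tag' with tag = HMAC-SHA256(key, 'STATUS|request_id')."""
    if status not in ("ACK", "NACK"):
        raise ValueError("status must be ACK or NACK")
    body = f"{status}|{request_id}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def verify_ack(message: bytes, expected_request_id: int,
               key: bytes = SHARED_KEY) -> Optional[str]:
    """Client side: return the status only if the tag verifies and the request id
    matches; return None for anything modified, malformed or out of context."""
    parts = message.split(b"|")
    if len(parts) != 3 or len(parts[2]) != TAG_HEX_LEN:
        return None
    status, rid, tag = parts
    body = status + b"|" + rid
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None  # body or tag changed in transit: a flipped NACK no longer verifies
    try:
        if int(rid) != expected_request_id:
            return None  # genuine acknowledgement, but for a different request
    except ValueError:
        return None
    return status.decode()


def simulate_in_transit_modification(message: bytes) -> bytes:
    """Model the attack on the slide: the status field is rewritten, the tag is left alone."""
    return message.replace(b"NACK|", b"ACK|", 1)


if __name__ == "__main__":
    nack = build_ack("NACK", 42)
    print("genuine:", verify_ack(nack, 42))                                  # NACK
    print("modified:", verify_ack(simulate_in_transit_modification(nack), 42))  # None
```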
Securing Components
Two types of attacks
• Direct attack (object of an attack)
– When a hacker uses his personal computer to break into a
system. [Originates from the threat itself.]
• Indirect attack (subject of an attack)
– When a system is compromised and used to attack other systems.
[Originates from a system or resource that itself has been attacked,
and is malfunctioning or working under the control of a threat.]
• A computer can, therefore, be both the subject and object of an attack
when, for example, it is first the object of an attack and then
compromised and used to attack other systems, at which point it
becomes the subject of an attack.
Securing Components (Cont.)
A few techniques or tools that help in implementing these security mechanisms:
• Physical access security: protect network equipment such
as servers, switches, and routers by keeping them in a
locked, climate-controlled, and fire-protected environment
• Login / password security
• Anti-virus software
• Remote access security (access from a location not directly attached to
the network)
• Internet firewalls
• Encryption
• Data backups
• Disaster recovery plan
• Audits
Growth of Threat: Growth in the tools available.
[Chart: number of hacker tools by year, 1980 to 2004; y-axis 0 to 25,000. Source: PestPatrol.com]
Categories:
• Binder
• Carding
• Cracking Tool
• Flooder
• Key Generator
• Mail Bomber
• Mailer
• Misc Tool
• Packer
• Password Cracker
• Password Cracking Word List
• Phreaking Tool
• Port Scanner
• Probe Tool
• Sniffer
• Spoofer
• Trojan
• Trojan Creation Tool
• Virus Creation Tool
• Virus Source
• Virus Tutorial
• War Dialer
The Systems Development Life Cycle
• The systems development life cycle (SDLC) is a methodology and
design for the implementation of information security within an
organization.
• A methodology is a formal approach to problem-solving based
on a structured sequence of procedures.
• A methodology is, in simple terms, a set of steps,
guidelines, activities and/or principles to follow in a
particular situation.
• The goal is to create a comprehensive security
posture/program.
• The traditional SDLC consists of six general phases.
Investigation
• What problem is the system being developed to
solve?
• Objectives, constraints and scope of project
are specified
• Preliminary cost-benefit analysis is developed
• At the end, a feasibility analysis is performed to
assess the economic, technical, and behavioral
feasibility of the process.
Investigation (Cont.)
Feasibility study
• To analyze whether the software will meet organizational
requirements.
• To determine whether the software can be implemented using the
current technology and within the specified budget and schedule.
• To determine whether the software can be integrated with other
existing software.
– Feasibility is assessed from three views when building a particular
piece of software for the client:
– a) technical, b) financial, c) social feasibility.
Analysis
• Consists of assessments of the organization,
status of current systems, and capability to
support proposed systems.
• Analysts determine what new system is
expected to do and how it will interact with
existing systems.
• Ends with documentation of findings (Software
Requirement Specification) and an update of the
feasibility analysis.
What is an SRS?
• An SRS is a complete, readable document focused on
the particular software desired by a specific client or
customer. After collecting the necessary data during the SDLC,
the useful and appropriate data is summarized for
building the desired software.
• An SRS has objectives that help the software
developer as well as the customer to build the
software successfully.
• Characteristics of an SRS:
1) complete: focuses on a summarized form of a particular software
specification.
2) traceable
3) appropriate for the developer
4) modifiable
5) simple language
6) software requirement view.
Logical Design
• Main factor is business need; applications
capable of providing needed services are
selected
• Data support and structures capable of providing
the needed inputs are identified
• Technologies to implement physical solution are
determined
• Feasibility analysis performed at the end
Physical Design
• Technologies to support the alternatives identified
and evaluated in the logical design are selected
• Components evaluated on make-or-buy decision
• Feasibility analysis performed; entire solution
presented to end-user representatives for
approval.
• Ends with DDS - Design Document
Specification
Implementation
• Needed software created; components ordered,
received, assembled, and tested
• Users trained and documentation created
• Feasibility analysis prepared; users presented
with system for performance review and
acceptance test
Maintenance and Change
• Consists of tasks necessary to support and
modify system for remainder of its useful life
• Life cycle continues until the process begins
again from the investigation phase
• When current system can no longer support the
organization’s mission, a new project is
implemented
NEED FOR SECURE SDLC
In the past, software product stakeholders did not view software security
as a high priority. It was believed that a secure network infrastructure
would provide the level of protection needed against malicious attacks.
In recent history, network security alone has proved inadequate against
such attacks.
• Users have been successful in penetrating valid channels of
authentication through techniques such as cross-site scripting, Structured
Query Language (SQL) injection, and buffer overflow exploitation.
• In such cases system assets were compromised and both data and
organizational integrity were damaged.
The Gartner Group reports that more than 70 percent of current business
security vulnerabilities are found within software applications rather than
at the network boundaries.
A focus on application security emerged in order to reduce the risk of
poor software development, integration, and deployment. Through this
need, software assurance quickly became an Information Assurance (IA)
focus area in the financial, government, and manufacturing sectors to
reduce the risk of insecure code.
Secure SDLC
• Goal
– More security for riskier applications
– Ensures that you work the most critical issues first
– Scales to hundreds or thousands of applications
– Identification of specific threats and creating
controls to counter them.
• Tools and Methodology
– Security profiling tools can gather facts
• Size, complexity, security mechanisms, dangerous calls
– Questionnaire to gather risk information
• Asset value, available functions, users, environment, threats
– Risk-based approach
• Evaluates likelihood and consequences of successful attack
Phases of Secure SDLC
[Diagram: security activities mapped onto the development artifacts in an iterative approach. Artifacts: requirements and use cases, design, test plans, code, test results, field feedback. Security activities: security requirements, risk analysis, design review, risk-based security tests, static analysis (tools), code review, penetration testing. Annotations: Risk = Threat x Vulnerability x Cost; what do we need to test, and how; code review tools.]
Phases of Secure SDLC
ANALYSIS PHASE
CREATE APPLICATION SECURITY PROJECT PLAN
• Define the plan to ensure security at the end
• Ideally done at start of project
• Can also be started before or after development is complete
• Based on the risk category
• Identify risk activities at each phase
• Necessary people and expertise required
• Who has responsibility for risks
• Ensure time and budget for security activities
• Establish framework for establishing the “line of sight”
REQUIREMENTS PHASE
• Get the security requirements and policy right
• Start with a generic set of security requirements
– Must include all security mechanisms
– Must address all common vulnerabilities (a vulnerability is the quality of
being easily hurt or attacked)
– Can be use (or misuse) cases
– Should address all driving requirements (regulation,
standards, best practices, etc.)
• Tailoring examples…
– Specify how authentication will work
– Detail the access control matrix (roles, assets, functions,
permissions)
– Define the input validation rules
– Choose an error handling and logging approach
DESIGN REVIEWS
• Better to find flaws early
• Security design reviews
– Check to ensure design meets requirements
– Also check to make sure they didn’t miss a
requirement
• Assemble a team
– Experts in the technology
– Security-minded team members
• Do a high-level penetration test against the design (a
penetration test can help determine whether a system is
vulnerable to attack, if the defenses were sufficient, and
which defenses (if any) the test defeated)
• Be sure to do root cause analysis on any flaws
identified
PENETRATION TEST
• Pen tests can be automated with software applications or
they can be performed manually. Either way, the process
includes gathering information about the target before the
test (reconnaissance), identifying possible entry points,
attempting to break in (either virtually or for real) and
reporting back the findings.
• The main objective of penetration testing is to determine
security weaknesses. A pen test can also be used to test
an organization's security policy compliance, its
employees' security awareness and the organization's
ability to identify and respond to security incidents.
• Penetration tests are sometimes called white hat attacks
because in a pen test, the good guys are attempting to
break in.
DEVELOPMENT
• Develop the code for the application and find the
flaws in the code early
• Many different techniques
– Static (against source or compiled code)
• Security-focused static analysis tools
• Peer review process
• Formal security code review
– Dynamic (against running code)
• Scanning
• Penetration testing
• Goal
– Ensure completeness (across all vulnerability areas)
– Ensure accuracy (minimize false alarms)
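To illustrate the static analysis technique above, and the "security profiling tools ... dangerous calls" point on the Secure SDLC slide, this Python example is added here and is not from the slides: it scans a constructed C snippet for a hand-picked table of dangerous library calls, and blanks out comments and string literals first so that merely mentioning a call name is not a false alarm (the accuracy goal in the last bullet).

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Hand-picked table of dangerous C calls and the reviewer's usual advice.
# Assumed for this example; real tools ship much larger rule sets.
DANGEROUS_CALLS: Dict[str, str] = {
    "gets":    "use fgets with an explicit buffer size",
    "strcpy":  "use a bounded copy (strncpy/strlcpy or snprintf)",
    "strcat":  "use a bounded concatenation (strncat/strlcat)",
    "sprintf": "use snprintf with the destination size",
    "system":  "avoid shelling out; use an exec-family call with a fixed path and argv",
}

_CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, DANGEROUS_CALLS)) + r")\s*\(")
_STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')
_LINE_COMMENT_RE = re.compile(r"//.*")


@dataclass
class Finding:
    line: int
    call: str
    advice: str


def _strip_block_comments(lines: List[str]) -> List[str]:
    """Blank out /* ... */ comments (possibly spanning lines) while keeping line numbers."""
    out, in_comment = [], False
    for line in lines:
        result, i = "", 0
        while i < len(line):
            if in_comment:
                end = line.find("*/", i)
                if end == -1:
                    break
                i, in_comment = end + 2, False
            else:
                start = line.find("/*", i)
                if start == -1:
                    result += line[i:]
                    break
                result += line[i:start]
                i, in_comment = start + 2, True
        out.append(result)
    return out


def scan_c_source(source: str) -> List[Finding]:
    """Report dangerous calls with line numbers, ignoring comments and string literals."""
    findings: List[Finding] = []
    for lineno, line in enumerate(_strip_block_comments(source.splitlines()), start=1):
        code = _LINE_COMMENT_RE.sub("", _STRING_RE.sub('""', line))
        for match in _CALL_RE.finditer(code):
            call = match.group(1)
            findings.append(Finding(lineno, call, DANGEROUS_CALLS[call]))
    return findings


# Constructed C snippet to scan; not from any real project.
SAMPLE_C = '''\
#include <stdio.h>
#include <string.h>
/* copies user input; strcpy mentioned here is a comment, not a call */
void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);            /* unbounded copy into a fixed buffer */
    printf("hello %s, no gets() here\\n", buf);  // call name inside a string literal
    puts("done");
}
int run(const char *cmd) {
    return system(cmd);
}
'''

if __name__ == "__main__":
    for f in scan_c_source(SAMPLE_C):
        print(f"line {f.line}: {f.call}() - {f.advice}")
```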
APPLICATION SECURITY TESTING
• Identify security flaws during testing
• Develop security test cases
– Based on requirements
– Be sure to include “negative” tests
– Test all security mechanisms and common vulnerabilities
• Flaws feed into defect tracking and root cause analysis.
• “Every security flaw is a process problem”
• Tracking security defects
– Find the source of the problem
– Bad or missed requirement, design flaw, poor implementation, etc…
• ISSUE: can you track security defects the same way as other
defects?
Deployment and Configuration Management
• Ensure the application configuration is secure
• Security is increasingly “data-driven”
– XML files, property files, scripts, databases, directories
• How do you control and audit this data?
– Design configuration data for audit
– Document all configuration data
– Audit configuration data regularly
– Don’t allow configuration changes in the field
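For the configuration audit points above, this Python example is added here and is not from the slides: it records a fingerprint of the approved property files at deployment and later reports any file modified, added or removed in the field, plus any setting that violates an assumed production policy (debug off, database TLS on). The file names, contents and policy are constructed.

```python
import hashlib
from typing import Dict, List

# Constructed property files as approved at deployment time (the baseline).
APPROVED_CONFIG: Dict[str, str] = {
    "app.properties": "debug=false\nsession.timeout=900\nlog.level=INFO\n",
    "db.properties": "db.host=db.internal\ndb.user=app\ndb.ssl=true\n",
}

# Assumed production policy for this example: settings that must hold.
REQUIRED_SETTINGS: Dict[str, Dict[str, str]] = {
    "app.properties": {"debug": "false"},
    "db.properties": {"db.ssl": "true"},
}


def fingerprint(files: Dict[str, str]) -> Dict[str, str]:
    """SHA-256 of each file's content; this is what gets recorded at deployment."""
    return {path: hashlib.sha256(content.encode()).hexdigest()
            for path, content in files.items()}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser; '#' lines, blanks and malformed lines are ignored."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def audit_configuration(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Compare the deployed files against the approved fingerprints and the policy.

    Returns one human-readable finding per problem; an empty list means the
    configuration is exactly what was approved and satisfies the policy.
    """
    findings: List[str] = []
    current_fp = fingerprint(current)
    # Drift detection: anything that differs from the approved baseline.
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append(f"{path}: removed since approved baseline")
        elif path not in baseline:
            findings.append(f"{path}: added outside change control")
        elif current_fp[path] != baseline[path]:
            findings.append(f"{path}: modified since approved baseline")
    # Policy check: weak settings are reported even if someone re-baselines them.
    for path, rules in REQUIRED_SETTINGS.items():
        if path not in current:
            continue
        props = parse_properties(current[path])
        for key, wanted in rules.items():
            actual = props.get(key)
            if actual != wanted:
                findings.append(f"{path}: {key}={actual} violates policy (expected {wanted})")
    return findings


if __name__ == "__main__":
    baseline = fingerprint(APPROVED_CONFIG)
    # Someone flipped debug on in the field and dropped in an extra file.
    in_field = dict(APPROVED_CONFIG)
    in_field["app.properties"] = in_field["app.properties"].replace("debug=false", "debug=true")
    in_field["local.properties"] = "feature.x=on\n"
    for finding in audit_configuration(baseline, in_field):
        print(finding)
```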
Information Security Information Security
Information Security
 
information security (network security methods)
information security (network security methods)information security (network security methods)
information security (network security methods)
 
Information security ist lecture
Information security ist lectureInformation security ist lecture
Information security ist lecture
 
Unit 1.pptx
Unit 1.pptxUnit 1.pptx
Unit 1.pptx
 
Information security
Information securityInformation security
Information security
 
ISM-CS5750-01.pptx
ISM-CS5750-01.pptxISM-CS5750-01.pptx
ISM-CS5750-01.pptx
 
Computer Security Primer - Eric Vanderburg - JURINNOV
Computer Security Primer - Eric Vanderburg - JURINNOVComputer Security Primer - Eric Vanderburg - JURINNOV
Computer Security Primer - Eric Vanderburg - JURINNOV
 
Presentation topic Software Security.pptx
Presentation topic Software Security.pptxPresentation topic Software Security.pptx
Presentation topic Software Security.pptx
 

More from Dhilsath Fathima

Dwdm unit 1-2016-Data ingarehousing
Dwdm unit 1-2016-Data ingarehousingDwdm unit 1-2016-Data ingarehousing
Dwdm unit 1-2016-Data ingarehousingDhilsath Fathima
 
Unit 3 part ii Data mining
Unit 3 part ii Data miningUnit 3 part ii Data mining
Unit 3 part ii Data miningDhilsath Fathima
 
business analysis-Data warehousing
business analysis-Data warehousingbusiness analysis-Data warehousing
business analysis-Data warehousingDhilsath Fathima
 
Moral autonomy & consensus &controversy
Moral autonomy & consensus &controversyMoral autonomy & consensus &controversy
Moral autonomy & consensus &controversyDhilsath Fathima
 
Data extraction, cleanup & transformation tools 29.1.16
Data extraction, cleanup & transformation tools 29.1.16Data extraction, cleanup & transformation tools 29.1.16
Data extraction, cleanup & transformation tools 29.1.16Dhilsath Fathima
 

More from Dhilsath Fathima (8)

Dwdm unit 1-2016-Data ingarehousing
Dwdm unit 1-2016-Data ingarehousingDwdm unit 1-2016-Data ingarehousing
Dwdm unit 1-2016-Data ingarehousing
 
Unit 3 part ii Data mining
Unit 3 part ii Data miningUnit 3 part ii Data mining
Unit 3 part ii Data mining
 
Unit 3 part i Data mining
Unit 3 part i Data miningUnit 3 part i Data mining
Unit 3 part i Data mining
 
business analysis-Data warehousing
business analysis-Data warehousingbusiness analysis-Data warehousing
business analysis-Data warehousing
 
Moral autonomy & consensus &controversy
Moral autonomy & consensus &controversyMoral autonomy & consensus &controversy
Moral autonomy & consensus &controversy
 
Virtues
VirtuesVirtues
Virtues
 
Data extraction, cleanup & transformation tools 29.1.16
Data extraction, cleanup & transformation tools 29.1.16Data extraction, cleanup & transformation tools 29.1.16
Data extraction, cleanup & transformation tools 29.1.16
 
Business analysis
Business analysisBusiness analysis
Business analysis
 

Recently uploaded

THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONHumphrey A Beña
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management systemChristalin Nelson
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Mark Reed
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfphamnguyenenglishnb
 
ACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfSpandanaRallapalli
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfErwinPantujan2
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management SystemChristalin Nelson
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Celine George
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...Postal Advocate Inc.
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxCarlos105
 
Culture Uniformity or Diversity IN SOCIOLOGY.pptx
Culture Uniformity or Diversity IN SOCIOLOGY.pptxCulture Uniformity or Diversity IN SOCIOLOGY.pptx
Culture Uniformity or Diversity IN SOCIOLOGY.pptxPoojaSen20
 
FILIPINO PSYCHology sikolohiyang pilipino
FILIPINO PSYCHology sikolohiyang pilipinoFILIPINO PSYCHology sikolohiyang pilipino
FILIPINO PSYCHology sikolohiyang pilipinojohnmickonozaleda
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designMIPLM
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Celine George
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptxmary850239
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)lakshayb543
 

Recently uploaded (20)

THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
 
Raw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptxRaw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptx
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management system
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
 
ACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdf
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management System
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
 
Culture Uniformity or Diversity IN SOCIOLOGY.pptx
Culture Uniformity or Diversity IN SOCIOLOGY.pptxCulture Uniformity or Diversity IN SOCIOLOGY.pptx
Culture Uniformity or Diversity IN SOCIOLOGY.pptx
 
FILIPINO PSYCHology sikolohiyang pilipino
FILIPINO PSYCHology sikolohiyang pilipinoFILIPINO PSYCHology sikolohiyang pilipino
FILIPINO PSYCHology sikolohiyang pilipino
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-design
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
 

Information Security

Integrity (Truthfulness)
• Integrity means that data cannot be modified without authorization.
• Integrity is the quality or state of being whole, complete, and uncorrupted.
• The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state. Corruption can occur while information is being compiled, stored, or transmitted.
• Eg: Integrity is violated when an employee deletes important data files, when a computer virus infects a computer, when an employee is able to modify his own salary in a payroll database, when an unauthorized user vandalizes a website, when someone is able to cast a very large number of votes in an online poll, and so on.

Availability (Accessible)
• Availability is the characteristic of information that enables user access to information without interference or obstruction and in a required format.
• A user in this definition may be either a person or another computer system. Availability does not imply that the information is accessible to any user; rather, it means availability to authorized users.
• For any information system to serve its purpose, the information must be available when it is needed.
• Eg: High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades.

Authorization (Approval)
• Authorization to access information and other computing services begins with administrative policies and procedures. The policies prescribe what information and computing services can be accessed, by whom, under what conditions, and what actions they will be allowed to perform (run, view, create, delete, or change). The access control mechanisms are then configured to enforce these policies. This is called authorization.
• To be effective, policies and other security controls must be enforceable and upheld. Effective policies ensure that people are held accountable for their actions. All failed and successful authentication attempts must be logged, and all access to information must leave some type of audit trail.

Authentication (Verification/Validation)
• Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be.
• Logically, authentication precedes authorization (although they may often seem to be combined). The two terms are often used synonymously, but they are two different processes.
• Authentication is a process in which the credentials provided are compared to those on file in a database of authorized users’ information on a local operating system or within an authentication server.
• If the credentials match, the process is completed and the user is granted authorization for access.

Identification (Recognition)
• Identification is how you identify someone, i.e., how you would call that person or company.
• It could be the name, the account number in a bank, or the username in some specific system.
• Ex: One-Time Password

Accountability (Answerability)
• The characteristic of accountability exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process.
• For example, audit logs that track user activity on an information system provide accountability.
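The three slides above (authorization, authentication, accountability) describe one flow: credentials are checked against the records on file, only then is the policy consulted, and every attempt and decision is written to an audit trail. The following is an added example of that flow in Python; it is not code from the original slides. The user records, the policy table and the audit log format are constructed for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Credentials "on file": only a random salt and a PBKDF2-SHA256 hash are stored,
# never the plaintext password.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}

# Constructed sample users (the "database of authorized users' information").
USERS = {
    "alice": make_user_record("correct horse battery staple"),
    "bob": make_user_record("hunter2"),
}

# Constructed authorization policy: which actions each user may perform on a resource.
# This is the "policy prescribes what can be accessed, by whom, and which actions" part.
POLICY = {
    ("alice", "payroll"): {"view"},
    ("bob", "payroll"): {"view", "change"},
}

# Audit trail: every authentication attempt and every access decision is recorded,
# so each activity can be attributed to a named user (accountability).
AUDIT_LOG = []

def _audit(event: str, user: str, detail: str) -> None:
    ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
    AUDIT_LOG.append(f"{ts} {event} user={user} {detail}")

def authenticate(user: str, password: str) -> bool:
    """Compare the presented credentials with the record on file."""
    rec = USERS.get(user)
    if rec is None:
        # Hash anyway so response time does not reveal whether the user exists.
        _hash_password(password, b"\x00" * 16)
        _audit("AUTH_FAIL", user, "reason=unknown_user")
        return False
    ok = hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"])
    _audit("AUTH_OK" if ok else "AUTH_FAIL", user, "method=password")
    return ok

def authorize(user: str, resource: str, action: str) -> bool:
    """Enforce the policy table for an already-authenticated user."""
    allowed = action in POLICY.get((user, resource), set())
    _audit("ACCESS_ALLOW" if allowed else "ACCESS_DENY", user,
           f"resource={resource} action={action}")
    return allowed

def access(user: str, password: str, resource: str, action: str) -> bool:
    """Authentication precedes authorization: policy is never consulted for an
    unauthenticated caller."""
    if not authenticate(user, password):
        return False
    return authorize(user, resource, action)

if __name__ == "__main__":
    access("alice", "correct horse battery staple", "payroll", "change")
    access("mallory", "guess", "payroll", "view")
    print("\n".join(AUDIT_LOG))
```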
NSTISSC Security Model
[Figure 1-4 – NSTISSC Security Model]

• The National Security Telecommunications and Information Systems Security Committee (NSTISSC).
• It was established by President Bush under National Security Directive 42 (NSD 42), entitled "National Policy for the Security of National Security Telecommunications and Information Systems," dated 5 July 1990.
• The NSTISSC provides a forum for the discussion of policy issues, sets national policy, and propagates direction, operational procedures, and guidance for the security of national security systems through the NSTISSC Issuance System.

• The NSTISSC Security Model provides a more detailed perspective on security.
• While the NSTISSC model covers the three dimensions of information security, it omits discussion of detailed guidelines and policies that direct the implementation of controls.
• The three values on each axis form a 3x3x3 cube with 27 cells, each representing an area that must be addressed to secure today’s information systems.
• To ensure system security, each of the 27 cells must be properly addressed during the security process.
• For example, the intersection between the technology, integrity, and storage areas requires a control or safeguard that addresses the need to use technology to protect the integrity of information while in storage.

• Assume that a security model is needed for protection of information in your organization.
• Using the NSTISSC model, examine each of the cells and write a brief statement on how you would address the three components represented in that cell.
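One way to work through the exercise above is to map each existing control onto the cube cells it addresses and list the cells nobody has claimed. This is an added Python example, not material from the slides; the axis labels follow the three dimensions the slides name (security property, information state, security measure), and the control inventory is constructed for illustration.

```python
from itertools import product

# The three axes of the NSTISSC cube as used on the slides.
PROPERTIES = ("confidentiality", "integrity", "availability")
STATES = ("storage", "processing", "transmission")
MEASURES = ("technology", "policy", "education")

# All 27 cells; each must be addressed by at least one control.
ALL_CELLS = frozenset(product(PROPERTIES, STATES, MEASURES))

def coverage(controls):
    """Return (covered, uncovered) cell sets for a list of controls.

    Each control is a dict with a name and the property/state/measure values it
    addresses; a control may span several values on an axis."""
    covered = set()
    for c in controls:
        for cell in product(c["properties"], c["states"], c["measures"]):
            if cell not in ALL_CELLS:
                # A typo in an axis value would otherwise silently hide a gap.
                raise ValueError(f"control {c['name']!r} names an unknown cell {cell}")
            covered.add(cell)
    return covered, set(ALL_CELLS) - covered

def gaps_by_property(uncovered):
    """Group the unaddressed cells by security property for a readable report."""
    report = {p: [] for p in PROPERTIES}
    for prop, state, measure in sorted(uncovered):
        report[prop].append((state, measure))
    return report

# Constructed sample inventory for a small organisation.
SAMPLE_CONTROLS = [
    {"name": "full-disk encryption on laptops",
     "properties": ["confidentiality"], "states": ["storage"], "measures": ["technology"]},
    {"name": "TLS on all services",
     "properties": ["confidentiality", "integrity"], "states": ["transmission"],
     "measures": ["technology"]},
    {"name": "backup and restore procedure",
     "properties": ["availability"], "states": ["storage"],
     "measures": ["policy", "technology"]},
    {"name": "annual security awareness training",
     "properties": PROPERTIES, "states": STATES, "measures": ["education"]},
]

if __name__ == "__main__":
    covered, uncovered = coverage(SAMPLE_CONTROLS)
    print(f"{len(covered)} of {len(ALL_CELLS)} cells addressed")
    for prop, cells in gaps_by_property(uncovered).items():
        for state, measure in cells:
            print(f"  gap: {prop} / {state} / {measure}")
```

The example deliberately shows that one broad training control fills a whole face of the cube while most technology and policy cells for integrity and availability remain open.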
National security systems contain classified information or:
– a. involve intelligence activities;
– b. involve cryptographic activities related to national security;
– c. involve command and control of military forces;
– d. involve equipment that is an integral part of a weapon or weapons system(s); or
– e. are critical to the direct fulfillment of military or intelligence missions (not including routine administrative and business applications).

Example of security policies
• Physical computer security policies, such as physical access controls.
• Network security policies (for example, e-mail and Internet policies).
• Data security policies (access control and integrity controls, anti-virus software, and firewalls; firewalls are software- or hardware-based devices that can be deployed between networks to protect an organization from external or internal network attacks).
• Implement networking services such as a DNS server to easily find and access network services, and a DHCP server for automatic, centralized IP address management.
• Computer security awareness and training.
• Monitoring and Logging Policy
• Encrypted Authentication Policy
• Antivirus Policy
• Encryption guidelines

Emerging security technologies
• Hardware authentication: Good authentication requires three things from users: what they know, such as a password; who they are, such as a username; and what they have, such as a token.
• User-behavior analytics: "Users can be identified and automatically signed up for the training appropriate for the policies they were violating."
• Data loss prevention: A key to data loss prevention is technologies such as encryption and tokenization.
• Protocol verification

Security Education
• Bachelor of Science in Cyber Security – Computer Systems Security
• Bachelor of Science in Cyber Security – Information Assurance
• Master of Science in Cyber Security Policy
• Master of Science in Homeland Security – Cyber Security Policy
• Awareness Activities
– Awareness for CBSE/NCERT and State-level educational institutes
– Cyber Security Awareness Programs
– Development of Multilingual Websites
– Awareness Campaigns through Print and Electronic Media
Components of an Information System
• An Information System (IS) is the entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization.

Software
• The software components of an IS comprise applications, operating systems, and assorted command utilities.
• Software programs are the vessels that carry the lifeblood of information through an organization. These are often created under the demanding constraints of project management, which limit time, cost, and manpower.

Hardware
• Hardware is the physical technology that houses and executes the software, stores and carries the data, and provides interfaces for the entry and removal of information from the system.
• Physical security policies deal with hardware as a physical asset and with the protection of these physical assets from harm or theft. Applying the traditional tools of physical security, such as locks and keys, restricts access to and interaction with the hardware components of an information system.
• Securing the physical location of computers and the computers themselves is important because a breach of physical security can result in a loss of information. Unfortunately, most information systems are built on hardware platforms that cannot guarantee any level of information security if unrestricted access to the hardware is possible.

Example of Physical security policies:
• Intruder Alarm Systems, including area surveillance sensors, volumetric sensors, high security perimeter protection, infra-red devices, etc.
• Access Control Systems, including card systems, biometrics, turnstiles, trap doors, etc.
• Closed Circuit Television (CCTV) Systems, including video surveillance, cameras, 360-degree surveillance domes, switching matrixes, IP video, digital recording, image analysis, privacy zone protection, etc.

Examples
• Wide Area Surveillance: a Wide Area Surveillance Sensor provides continuous views of expansive areas.
• High security perimeter protection

Data
• Data stored, processed, and transmitted through a computer system must be protected.
• Data is often the most valuable asset possessed by an organization and is the main target of intentional attacks.
• Data is the raw, unorganized, discrete (separate, isolated), potentially useful facts and figures that are later processed (manipulated) to produce information.

People
• There are many roles for people in information systems. Common ones include:
– Systems Analyst
– Programmer
– Technician
– Engineer
– Network Manager
– MIS (Manager of Information Systems)
– Data entry operator

Procedures
• A procedure is a series of documented actions taken to achieve something.
• A procedure is more than a single simple task. A procedure can be quite complex and involved, such as performing a backup, shutting down a system, or patching software.

Networks
• When information systems are connected to each other to form Local Area Networks (LANs), and these LANs are connected to other networks such as the Internet, new security challenges rapidly emerge.
• Steps to provide network security are essential, as is the implementation of alarm and intrusion systems to make system owners aware of ongoing compromises.
SECURING COMPONENTS
• Modern computer systems, linked by national and global networks, face a variety of threats and attacks that can result in significant financial and information losses.
• These threats vary considerably, from threats to data integrity resulting from accidental, unintentional errors and omissions to threats from malicious hackers attempting to crash a system.

Securing Components
• A computer can be the subject of an attack and/or the object of an attack.
• Subject of an attack: when a computer is the subject of an attack, it is used as an active tool to conduct the attack.
• Object of an attack: when a computer is the object of an attack, it is the entity being attacked.

ATTACK
• An attack is an intentional threat and is an action performed by an entity with the intention to violate security. Examples of attacks are destruction, modification, fabrication, interruption or interception of data. An attack is a violation of data integrity and often results in disclosure of information, a violation of the confidentiality of the information, or in modification of the data.
• An attacker can gain access to sensitive information by attacking in several steps, where each step involves an illegal access to the system. An intentional threat can be caused by an insider or outsider, who can be a spy, hacker, corporate raider, or a disgruntled employee.

TYPES OF ATTACK
• Any attack on the security of a system can be a
– direct attack
– indirect attack.
• A direct attack aims directly at the desired part of the data or resources. Several components in a system may be attacked before the intended (final) information can be accessed.

TYPES OF ATTACK
• In an indirect attack, information is received from or about the desired data/resource without directly attacking that resource. Indirect attacks are often troublesome in database systems where it is possible to derive confidential information by posing indirect questions to the database. Such an indirect attack is often called inference.

TYPES OF ATTACK
• Passive attacks are made by monitoring a system performing its tasks and collecting information. In general, it is very hard to detect passive attacks since they do not interact with or disturb normal system functions. Monitoring network traffic, CPU and disk usage, etc. are examples of passive attacks.
• Encryption of network traffic can only partly solve the problem, since even the presence of traffic on a network may reveal some information. Traffic analysis, such as measuring the length, time and frequency of transmissions, can be very valuable to detect unusual activities.
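The slide's last point cuts both ways: the same length, time and frequency metadata that encryption leaves visible is what a defender uses to spot unusual activity. The added Python example below (not from the slides) runs that kind of traffic analysis over constructed flow records and flags a source that talks to one destination at a near-constant interval with near-constant size; the IP addresses are documentation ranges and the thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_seconds, src, dst, bytes). Payloads are
# assumed encrypted, so only this metadata is observable.
FLOWS = [
    # Host 10.0.0.5 contacts one destination about every 60 s with ~512-byte flows.
    (0, "10.0.0.5", "203.0.113.9", 510), (60, "10.0.0.5", "203.0.113.9", 514),
    (121, "10.0.0.5", "203.0.113.9", 508), (180, "10.0.0.5", "203.0.113.9", 512),
    (240, "10.0.0.5", "203.0.113.9", 516), (301, "10.0.0.5", "203.0.113.9", 511),
    (360, "10.0.0.5", "203.0.113.9", 509),
    # Host 10.0.0.7 browses a web server: irregular timing, widely varying sizes.
    (3, "10.0.0.7", "198.51.100.2", 1200), (7, "10.0.0.7", "198.51.100.2", 34000),
    (45, "10.0.0.7", "198.51.100.2", 800), (50, "10.0.0.7", "198.51.100.2", 5600),
    (52, "10.0.0.7", "198.51.100.2", 900), (130, "10.0.0.7", "198.51.100.2", 22000),
    (131, "10.0.0.7", "198.51.100.2", 150),
    # Too few samples to judge either way.
    (10, "10.0.0.9", "198.51.100.7", 400), (70, "10.0.0.9", "198.51.100.7", 402),
]

def beacon_candidates(flows, min_samples=5, max_cv=0.1):
    """Return {(src, dst): stats} for pairs whose inter-arrival times and sizes are
    both nearly constant (coefficient of variation <= max_cv).

    Regular, same-sized transmissions are unusual for interactive use and are a
    classic traffic-analysis signal worth a closer look, even when the payload
    itself is unreadable."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in sorted(flows):
        by_pair[(src, dst)].append((ts, nbytes))

    findings = {}
    for pair, events in by_pair.items():
        if len(events) < min_samples:
            continue  # not enough observations to call the pattern regular
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        sizes = [n for _, n in events]
        mean_gap, mean_size = mean(gaps), mean(sizes)
        if mean_gap <= 0 or mean_size <= 0:
            continue
        gap_cv = pstdev(gaps) / mean_gap
        size_cv = pstdev(sizes) / mean_size
        if gap_cv <= max_cv and size_cv <= max_cv:
            findings[pair] = {
                "interval": round(mean_gap, 1),
                "mean_bytes": round(mean_size),
                "gap_cv": round(gap_cv, 3),
                "size_cv": round(size_cv, 3),
                "samples": len(events),
            }
    return findings

if __name__ == "__main__":
    for (src, dst), stats in beacon_candidates(FLOWS).items():
        print(f"{src} -> {dst}: every {stats['interval']}s, "
              f"~{stats['mean_bytes']} bytes, {stats['samples']} samples")
```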
TYPES OF ATTACK
Active Attack
• An active attack changes the system behavior in some way. Examples of an active attack can be to insert new data; to modify, duplicate or delete existing data in a database; to deliberately abuse system software, causing it to fail; to steal magnetic tapes; etc.
• A simple operation such as the modification of a negative acknowledgment (NACK) from a database server into a positive acknowledgment (ACK) could result in great confusion and/or damage. Active attacks are easier to detect if proper precautions are taken.

Securing Components
Two types of attacks
• Direct attack (object of an attack)
– When a hacker uses his personal computer to break into a system. [Originates from the threat itself]
• Indirect attack (subject of an attack)
– When a system is compromised and used to attack other systems. [Originates from a system or resource that itself has been attacked and is malfunctioning or working under the control of a threat.]
• A computer can, therefore, be both the subject and object of an attack when, for example, it is first the object of an attack and then compromised and used to attack other systems, at which point it becomes the subject of an attack.

Few Techniques or Tools That Will Help in Implementing These Security Mechanisms
• Physical Access Security: protect network equipment such as servers, switches, and routers by keeping them in a locked, climate-controlled, and fire-protected environment
• Login / Password Security
• Anti-Virus Software
• Remote Access Security (access from a location not directly attached to the network)
• Internet Firewalls
• Encryption
• Data Backups
• Disaster Recovery Plan
• Audits
Growth of Threat: Growth in the tools available
[Chart: number of hacker tools per year, 1980 to 2004; y-axis 0 to 25,000. Source: PestPatrol.com]
Categories:
• Binder
• Carding
• Cracking Tool
• Flooder
• Key Generator
• Mail Bomber
• Mailer
• Misc Tool
• Packer
• Password Cracker
• Password Cracking Word List
• Phreaking Tool
• Port Scanner
• Probe Tool
• Sniffer
• Spoofer
• Trojan
• Trojan Creation Tool
• Virus Creation Tool
• Virus Source
• Virus Tutorial
• War Dialer
  • 42. The Systems Development Life Cycle • Systems development life cycle (SDLC) is methodology and design for implementation of information security within an organization. • Methodology is formal approach to problem-solving based on structured sequence of procedures. • A methodology is, in simple terms, a set of steps, guidelines, activities and/or principles to follow in a particular situation. • Goal is creating a comprehensive security posture/program. • Traditional SDLC consists of six general phases.
  • 43.
  • 44. Investigation
    • What problem is the system being developed to solve?
    • Objectives, constraints and scope of the project are specified
    • A preliminary cost-benefit analysis is developed
    • At the end, a feasibility analysis is performed to assess the economic, technical, and behavioral feasibility of the process.
  • 45. Investigation (Cont..)
    Feasibility study
    • To analyze whether the software will meet organizational requirements.
    • To determine whether the software can be implemented using the current technology and within the specified budget and schedule.
    • To determine whether the software can be integrated with other existing software.
    – Feasibility is assessed from three views when building particular software for a client:
    – a) technical, b) financial, c) social feasibility.
  • 46. Analysis
    • Consists of assessments of the organization, the status of current systems, and the capability to support proposed systems.
    • Analysts determine what the new system is expected to do and how it will interact with existing systems.
    • Ends with documentation of findings (Software Requirement Specification) and an update of the feasibility analysis.
  • 47. What is SRS?
    • An SRS (Software Requirement Specification) is a complete document describing the particular software desired by a specific client or customer. After collecting the necessary data during the SDLC, the useful and appropriate data is summarized for building the desired software.
    • An SRS has objectives that help both the software developer and the customer produce successful software.
    • Characteristics of an SRS: 1) complete – a summarized specification for a particular piece of software; 2) traceable; 3) appropriate for the developer; 4) modifiable; 5) simple language; 6) software requirement view.
  • 48. Logical Design
    • Main factor is business need; applications capable of providing needed services are selected
    • Data support and structures capable of providing the needed inputs are identified
    • Technologies to implement the physical solution are determined
    • Feasibility analysis performed at the end
  • 49. Physical Design
    • Technologies to support the alternatives identified and evaluated in the logical design are selected
    • Components evaluated on a make-or-buy decision
    • Feasibility analysis performed; entire solution presented to end-user representatives for approval
    • Ends with DDS - Design Document Specification
  • 50. Implementation
    • Needed software created; components ordered, received, assembled, and tested
    • Users trained and documentation created
    • Feasibility analysis prepared; users presented with system for performance review and acceptance test
  • 51. Maintenance and Change
    • Consists of tasks necessary to support and modify the system for the remainder of its useful life
    • Life cycle continues until the process begins again from the investigation phase
    • When the current system can no longer support the organization’s mission, a new project is implemented
  • 52. NEED OF SECURE SDLC
    In the past, software product stakeholders did not view software security as a high priority. It was believed that a secure network infrastructure would provide the level of protection needed against malicious attacks. In recent history, network security alone has proved inadequate against such attacks.
    • Users have been successful in penetrating valid channels of authentication through techniques such as cross-site scripting, Structured Query Language (SQL) injection, and buffer overflow exploitation.
    • In such cases system assets were compromised and both data and organizational integrity were damaged.
    The Gartner Group reports that more than 70 percent of current business security vulnerabilities are found within software applications rather than at the network boundaries. A focus on application security emerged in order to reduce the risk of poor software development, integration, and deployment. Through this need, software assurance quickly became an Information Assurance (IA) focus area in the financial, government, and manufacturing sectors to reduce the risk of insecure code.
  • 53. Secure SDLC
    • Goal
      – More security for riskier applications
      – Ensures that you work the most critical issues first
      – Scales to hundreds or thousands of applications
      – Identification of specific threats and creating controls to counter them
    • Tools and Methodology
      – Security profiling tools can gather facts
        • Size, complexity, security mechanisms, dangerous calls
      – Questionnaire to gather risk information
        • Asset value, available functions, users, environment, threats
      – Risk-based approach
        • Evaluates likelihood and consequences of a successful attack
  • 54. Phases of Secure SDLC
    [Diagram: the software artifacts across the life cycle (Requirements and use cases, Design, Test plans, Code, Test results, Field feedback) and the security activities applied to them (Security requirements, Risk analysis, Design review, Risk-based security tests, Static analysis (tools), Code review, Penetration testing), in an iterative approach.]
    Notes on the diagram: Risk = Threat x Vulnerability x Cost; What do we need to test, and how; Code review tools.
  • 56. ANALYSIS PHASE
    CREATE APPLICATION SECURITY PROJECT PLAN
    • Define the plan to ensure security at the end
    • Ideally done at the start of the project
    • Can also be started before or after development is complete
    • Based on the risk category
    • Identify risk activities at each phase
    • Necessary people and expertise required
    • Who has responsibility for risks
    • Ensure time and budget for security activities
    • Establish a framework for the “line of sight”
  • 57. REQUIREMENTS PHASE
    • Get the security requirements and policy right
    • Start with a generic set of security requirements
      – Must include all security mechanisms
      – Must address all common vulnerabilities (vulnerability: the quality of being easily hurt or attacked)
      – Can be use (or misuse) cases
      – Should address all driving requirements (regulation, standards, best practices, etc.)
    • Tailoring examples…
      – Specify how authentication will work
      – Detail the access control matrix (roles, assets, functions, permissions)
      – Define the input validation rules
      – Choose an error handling and logging approach
  • 58. DESIGN REVIEWS
    • Better to find flaws early
    • Security design reviews
      – Check to ensure the design meets requirements
      – Also check to make sure they didn’t miss a requirement
    • Assemble a team
      – Experts in the technology
      – Security-minded team members
    • Do a high-level penetration test against the design (a penetration test can help determine whether a system is vulnerable to attack, whether the defenses were sufficient, and which defenses (if any) the test defeated)
    • Be sure to do root cause analysis on any flaws identified
  • 59. PENETRATION TEST
    • Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings.
    • The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization's security policy compliance, its employees' security awareness and the organization's ability to identify and respond to security incidents.
    • Penetration tests are sometimes called white hat attacks because in a pen test, the good guys are attempting to break in.
  • 60. DEVELOPMENT
    Develop the coding for the application and find the flaws in the code early
    • Many different techniques
      – Static (against source or compiled code)
        • Security-focused static analysis tools
        • Peer review process
        • Formal security code review
      – Dynamic (against running code)
        • Scanning
        • Penetration testing
    • Goal
      – Ensure completeness (across all vulnerability areas)
      – Ensure accuracy (minimize false alarms)
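The security-focused static analysis this slide lists can be illustrated with a small AST walk that collects the profiling facts named on slide 53 (size, function count, dangerous calls) while keeping false alarms down. This is an added example, not code from the slides; the dangerous-call list and the program it scans are constructed.

```python
# Added example (not from the original slides): a small security-focused
# static analysis pass that gathers the facts a profiling tool collects
# (size, function count, dangerous calls) by walking the Python AST.
import ast

# Constructed list of calls that warrant attention in a security code review.
DANGEROUS_CALLS = {
    "eval": "code execution from a string",
    "os.system": "shell command built from program data",
    "pickle.loads": "deserialisation of untrusted bytes",
    "subprocess.run": "shell=True makes the command injectable",
}

def _qualified_name(node):
    """'pkg.attr' for a call target, or None if it is not a plain name."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _qualified_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def _shell_true(call):
    """True when the call passes the literal keyword argument shell=True."""
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)

def profile(source):
    """Return (facts, findings); findings are (line, call, reason) tuples."""
    tree = ast.parse(source)
    facts = {
        "lines": len(source.splitlines()),
        "functions": sum(isinstance(n, ast.FunctionDef) for n in ast.walk(tree)),
    }
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _qualified_name(node.func)
        if name not in DANGEROUS_CALLS:
            continue
        # subprocess without shell=True is not shell-injectable; skip it (fewer false alarms)
        if name.startswith("subprocess.") and not _shell_true(node):
            continue
        findings.append((node.lineno, name, DANGEROUS_CALLS[name]))
    return facts, findings

# Constructed program under review; line numbers are relative to this string.
SAMPLE = """import os, subprocess
def run(cmd, user_input):
    os.system("ls " + user_input)          # line 3: flagged
    subprocess.run(["ls", user_input])     # line 4: not flagged, no shell
    subprocess.run(cmd, shell=True)        # line 5: flagged
    return eval(user_input)                # line 6: flagged
"""

if __name__ == "__main__":
    facts, findings = profile(SAMPLE)
    print(facts, findings)
```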
  • 61. APPLICATION SECURITY TESTING
    • Identify security flaws during testing
      – Develop security test cases
        • Based on requirements
        • Be sure to include “negative” tests
      – Test all security mechanisms and common vulnerabilities
      – Flaws feed into defect tracking and root cause analysis
    • “Every security flaw is a process problem”
      – Tracking security defects
      – Find the source of the problem: bad or missed requirement, design flaw, poor implementation, etc…
    • ISSUE: can you track security defects the same way as other defects?
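Slide 57 asks for a detailed access control matrix and slide 61 for security test cases that include negative tests. The following added example (not from the slides) writes such a matrix as data, enforces it deny-by-default, and derives every positive and negative test case from the matrix itself; the roles, assets, functions and the flawed allow-by-default check are constructed.

```python
# Added example (not from the original slides): an access control matrix
# written down as data (roles, assets, functions, permissions), a deny-by-
# default check, and security test cases derived from it, including the
# "negative" cases. Roles, assets and functions are constructed.
from itertools import product

ROLES = ("customer", "teller", "auditor")
ASSETS = ("account", "audit_log")
FUNCTIONS = ("read", "update", "delete")

# The tailored requirement: exactly which (role, asset, function) triples
# are permitted. Anything not listed is denied.
MATRIX = {
    ("customer", "account", "read"),
    ("teller", "account", "read"),
    ("teller", "account", "update"),
    ("auditor", "account", "read"),
    ("auditor", "audit_log", "read"),
}

def is_permitted(role, asset, function):
    """Deny by default: unknown roles, assets or functions are refused."""
    if role not in ROLES or asset not in ASSETS or function not in FUNCTIONS:
        return False
    return (role, asset, function) in MATRIX

def security_test_cases():
    """Every cell of the matrix becomes a test case (role, asset, function,
    expected). Cells not in MATRIX are the negative tests."""
    return [(r, a, f, (r, a, f) in MATRIX)
            for r, a, f in product(ROLES, ASSETS, FUNCTIONS)]

def run_security_tests(check=is_permitted):
    """Execute all cases against a check function; return the failing cases."""
    return [(r, a, f, expected) for r, a, f, expected in security_test_cases()
            if check(r, a, f) != expected]

def allow_by_default(role, asset, function):
    """A flawed implementation (constructed): it only knows explicit denies,
    so anything it has not heard of is allowed. Only negative tests catch it."""
    denied = {("customer", "audit_log", "read")}
    return (role, asset, function) not in denied

if __name__ == "__main__":
    cases = security_test_cases()
    print(len(cases), "cases,", sum(not c[3] for c in cases), "negative")
    print("failures in deny-by-default check:", run_security_tests())
    print("failures in allow-by-default check:", len(run_security_tests(allow_by_default)))
```

The positive cases alone pass for both checks; the 13 negative cases are what expose the allow-by-default flaw.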
  • 62. Deployment and Configuration Management
    • Ensure the application configuration is secure
    • Security is increasingly “data-driven”
      – XML files, property files, scripts, databases, directories
    • How do you control and audit this data?
      – Design configuration data for audit
      – Put all configuration data in a document
      – Audit configuration data regularly
      – Don’t allow configuration changes in the field
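One way to audit data-driven configuration against a documented baseline and to detect changes made in the field, as an added example that is not part of the slides: the properties format, the baseline keys and both sample files are constructed.

```python
# Added example (not from the original slides): audit data-driven
# configuration against a documented baseline and detect changes made in
# the field by fingerprinting the deployed file. The properties format,
# the baseline and both sample files are constructed for illustration.
import hashlib

# Documented baseline: key -> (required value, why it matters).
BASELINE = {
    "app.debug": ("false", "debug mode leaks stack traces to users"),
    "session.cookie.secure": ("true", "cookie must only travel over TLS"),
    "tls.min_version": ("1.2", "older TLS versions are not acceptable"),
}

def parse_properties(text):
    """Parse key=value lines; '#' comments and blank lines are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf

def audit(conf, baseline=BASELINE):
    """Return (key, found, required, reason) for every deviation from the
    baseline; a key missing from the file is reported with found=None."""
    return [(key, conf.get(key), required, reason)
            for key, (required, reason) in baseline.items()
            if conf.get(key) != required]

def fingerprint(text):
    """Hash recorded at deployment time, alongside the documented config."""
    return hashlib.sha256(text.encode()).hexdigest()

def changed_in_field(recorded_fingerprint, current_text):
    """True when the file no longer matches what was deployed and documented."""
    return fingerprint(current_text) != recorded_fingerprint

# Constructed weak configuration, as it might be left after development.
WEAK = """# app.properties
app.debug=true
session.cookie.secure=false
"""
# Constructed corrected configuration.
HARDENED = """# app.properties
app.debug=false
session.cookie.secure=true
tls.min_version=1.2
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(parse_properties(text)))
    deployed = fingerprint(HARDENED)
    tampered = HARDENED.replace("app.debug=false", "app.debug=true")
    print("changed in the field:", changed_in_field(deployed, tampered))
```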

Editor's Notes

  1. What Is Security? In general, security is “the quality or state of being secure--to be free from danger.” It means to be protected from adversaries--from those who would do harm, intentionally or otherwise. What Is Security? A successful organization should have the following multiple layers of security in place for the protection of its operations: Physical security - to protect the physical items, objects, or areas of an organization from unauthorized access and misuse. Personal security – to protect the individual or group of individuals who are authorized to access the organization and its operations. Operations security – to protect the details of a particular operation or series of activities. Communications security – to protect an organization’s communications media, technology, and content. Network security – to protect networking components, connections, and contents.
  2. What Is Information Security? Information security, therefore, is the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information. But to protect the information and its related systems from danger, tools, such as policy, awareness, training, education, and technology are necessary. The C.I.A. triangle has been considered the industry standard for computer security since the development of the mainframe. It was solely based on three characteristics that described the utility of information: confidentiality, integrity, and availability. The C.I.A. triangle has expanded into a list of critical characteristics of information.
  3. Critical Characteristics Of Information The value of information comes from the characteristics it possesses. Availability - enables users who need to access information to do so without interference or obstruction and in the required format. The information is said to be available to an authorized user when and where needed and in the correct format. Accuracy- free from mistake or error and having the value that the end-user expects. If information contains a value different from the user’s expectations due to the intentional or unintentional modification of its content, it is no longer accurate. Authenticity - the quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is the information that was originally created, placed, stored, or transferred. Confidentiality - the quality or state of preventing disclosure or exposure to unauthorized individuals or systems. Integrity - the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state. Utility - the quality or state of having value for some purpose or end. Information has value when it serves a particular purpose. This means that if information is available, but not in a format meaningful to the end-user, it is not useful. Possession - the quality or state of having ownership or control of some object or item. Information is said to be in possession if one obtains it, independent of format or other characteristic. While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality.
  4. This graphic informs the fundamental approach of the chapter and can be used to illustrate the intersection of information states (x-axis), key objectives of C.I.A. (y-axis) and the three primary means to implement (policy, education and technology).
  5. Components Of An Information System To fully understand the importance of information security, it is necessary to briefly review the elements of an information system. An Information System (IS) is much more than computer hardware; it is the entire set of software, hardware, data, people, and procedures necessary to use information as a resource in the organization.
  6. Securing The Components When considering the security of information systems components, it is important to understand the concept of the computer as the subject of an attack as opposed to the computer as the object of an attack. When a computer is the subject of an attack, it is used as an active tool to conduct the attack. When a computer is the object of an attack, it is the entity being attacked.
  7. It is important to note that the same computer can be both the subject and object of an attack, especially in multi-user systems.
  8. The Systems Development Life Cycle Information security must be managed in a manner similar to any other major system implemented in the organization. The best approach for implementing an information security system in an organization with little or no formal security in place, is to use a variation of the Systems Development Life Cycle (SDLC): the Security Systems Development Life Cycle (SecSDLC). Methodology The SDLC is a methodology for the design and implementation of an information system in an organization. A methodology is a formal approach to solving a problem based on a structured sequence of procedures. Using a methodology ensures a rigorous process, and avoids missing those steps that can lead to compromising the end goal. The goal is creating a comprehensive security posture.
  9. Very much a traditional SDLC diagram.
  10. Investigation The first phase, investigation, is the most important. What is the problem the system is being developed to solve? This phase begins with an examination of the event or plan that initiates the process. The objectives, constraints and scope of the project are specified. A preliminary cost/benefit analysis is developed to evaluate the perceived benefits and the appropriate levels of cost an organization is willing to expend to obtain those benefits. A feasibility analysis is performed to assess the economic, technical, and behavioral feasibilities of the process and to ensure that implementation is worth the organization’s time and effort.
  11. Analysis The analysis phase begins with the information learned during the investigation phase. This phase consists primarily of assessments of the organization, the status of current systems, and the capability to support the proposed systems. Analysts begin to determine what the new system is expected to do, and how it will interact with existing systems. This phase ends with the documentation of the findings and a feasibility analysis update.
  12. Logical Design In the logical design phase, the information gained from the analysis phase is used to begin creating a solution system for a business problem. Then, based on the business need, select applications capable of providing needed services. Based on the applications needed, select data support and structures capable of providing the needed inputs. Finally, based on all of the above, select specific technologies to implement the physical solution. In the end, another feasibility analysis is performed.
  13. Physical Design During the physical design phase, specific technologies are selected to support the alternatives identified and evaluated in the logical design. The selected components are evaluated based on a make-or-buy decision (develop in-house or purchase from a vendor). Final designs integrate various components and technologies. After yet another feasibility analysis, the entire solution is presented to the end-user representatives for approval.
  14. Implementation In the implementation phase, any needed software is created or purchased. Components are ordered, received and tested. Afterwards, users are trained and supporting documentation created. Again a feasibility analysis is prepared, and the users are then presented with the system for a performance review and acceptance test.
  15. Maintenance and Change The maintenance and change phase is the longest and most expensive phase of the process. This phase consists of the tasks necessary to support and modify the system for the remainder of its useful life cycle. Even though formal development may conclude during this phase, the life cycle of the project continues until it is determined that the process should begin again from the investigation phase. When the current system can no longer support the changed mission of the organization, the project is terminated and a new project is implemented.
  16. Scheme to measure lots of apps across an organization; prioritize based on the most risky. Cat 1 – 5: based on the hurricane scale. 1) Internal app, no sensitive assets; 5) Internet app with personal info. Use this scale to drive the plan for building new apps.
  17. Activities: Design review, pen test, … Who has responsibility: Ask the class who has app security responsibility in their org?
  18. Take the LMCO standard and tailor it. Refine: “You will do access control” into: This is the access control matrix & this is how it will be enforced - we will use Netegrity to implement this policy.
  19. Not trying to reinvent the whole SDLC, just trying to insert a few key activities that will help generate more secure code.
  20. Goal is to find flaws… - put up next slide
  21. If the requirements (Security) are written down the normal testing process should work.