1. Information Security
Unit - 1
Introduction to Information Security
Date:
Presented By:
Rubal Sagwal
Department of Computer Engineering
NIT, Kurukshetra
Book Ref:
Rubal_CN 1
2. Contents
• Definition of Information Security
• Evolution of Information Security
• Basic Principles of Information Security
• Critical Concepts of Information Security
• Components of the Information System
• Balancing Information Security and Access
• Implementing IT Security
• The System Development Life Cycle
• Security professionals in the organization
5. Cyber Space
• “Cyberspace” does not have a single agreed definition, but some things can be said:
• First, cyberspace is not a physical place, although many elements of cyberspace are indeed physical.
• Second, cyberspace includes but is not limited to the Internet—cyberspace also includes computers (some of which are attached to the Internet and some not) and networks (some of which may be part of the Internet and some not).
• Third, cyberspace includes many intangibles, such as information and software and how different elements of cyberspace are connected to each other.
6. Cyber Space
• So a rough definition might be that:
• cyberspace consists of objects based on or dependent on computing and communication technology;
• the information that these objects use, store, handle, or process; and
• the interconnections among these various elements.
7. What is Security
• “The quality or state of being secure—to be free from danger”
• A successful organization should have multiple layers of security in place:
1. Physical security - to protect physical items, objects, or areas from unauthorized access and misuse
2. Personnel security - to protect the individual or group of individuals who are authorized to access the organization and its operations
3. Operations security - to protect the details of a particular operation or series of activities
8. What is Security
4. Communications security - to protect communications media, technology, and content
5. Network security - to protect networking components, connections, and contents
6. Information security - to protect the confidentiality, integrity and availability of information assets, whether in storage, processing, or transmission.
9. Cyber Security
• Cyber security means protecting cyberspace from any attack or cybercrime, whether the attack is cyber or physical.
• Maintaining:
• Confidentiality
• Integrity
• Availability
11. Computer Security
• Computer Security – the protection of the items you value, called the assets of the computer or computer system.
12. Assets
• There are many types of assets:
• Hardware
• Software
• Data
• People
• Processes
• or combinations of these.
To determine what to protect, we must first identify what has value and to whom.
13. Assets
• A computer device (including hardware, added components, and accessories) is certainly an asset. Because most computer hardware is pretty useless without programs, the software is also an asset.
• Software includes the operating system, utilities and device handlers; applications such as word processing, media players or email handlers.
• Even programs that you may have written yourself.
14. Assets
• The thing that makes your computer unique and important to you is its content:
• Photos
• Tunes
• Papers
• Email messages
• Projects
• Calendar information
• E-books
• Contact information
• Code you created, etc.
• Thus, data items on a computer are assets, too.
17. Information Security
• The state of being protected against the unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information.
18. Evolution of Information Security
• Began immediately after the first mainframes were developed
• Groups developing code-breaking computations during World War II created the first modern computers
• Physical controls to limit access to sensitive military locations to authorized personnel
• Rudimentary in defending against physical theft, espionage, and sabotage
19. Evolution of Information Security - 1960
• It was during the 1960s when organisations first started to become more protective of their computers. During this time, there was no internet or network to worry about, so security was largely focused on physical measures and on preventing access by people with enough knowledge to operate a computer.
• In order to do this, passwords and multiple layers of security protection were added to devices. Fire safety measures were also implemented, to ensure that the stored data was protected. After all, there was no iCloud available back in those days, so computers had to be secured by other means.
20. Evolution of Information Security - 1970
• Cybersecurity’s history began with a research project during the 1970s, on what was then known as the ARPANET (The Advanced Research Projects Agency Network). A researcher named Bob Thomas created a computer program which was able to move across ARPANET’s network, leaving a small trail wherever it went. He named the program ‘CREEPER’, because of the printed message that was left when travelling across the network: ‘I’M THE CREEPER: CATCH ME IF YOU CAN’.
21. Evolution of Information Security - 1970
• Ray Tomlinson – the man who invented email – later designed a program which took CREEPER to the next level, making it self-replicating and the first ever computer worm. Fortunately, he then wrote another program called Reaper which chased CREEPER and deleted it, providing the first example of antivirus software.
22. Evolution of Information Security - 1980
• In 1986, German computer hacker Marcus Hess was employed to steal US military secrets. He hacked into over 400 military computers, including mainframes at the Pentagon, and intended to sell their secrets to the KGB. Fortunately, he was thwarted.
• Two years later, 1988 saw the birth of the Morris Worm – one of the major turning points in the history of information security.
• Morris worm: a self-replicating worm, and the first large-scale worm.
23. Evolution of Information Security - 1990
• By the middle of the 90s, network security threats had increased exponentially and, as such, firewalls and antivirus programs had to be produced on a mass basis to protect the public. It was a NASA researcher who created the very first firewall program design.
24. Evolution of Information Security - 2000
• Proper punishment.
• In the early 2000s, governments began to clamp down on the criminality of hacking, giving much more serious sentences to those culpable – including extensive jail time and large fines.
25. Evolution of Information Security - 2010
• Era of major breaches.
• Snowden & The NSA, 2013: Edward Snowden – a former CIA employee and contractor for the US Government – copied and leaked classified information from the National Security Agency (NSA), highlighting the fact that the government was effectively ‘spying’ on the public. He is controversially thought of as a hero to some, and a traitor to others.
• Yahoo, 2013 – 2014: Hackers broke into Yahoo, jeopardising the accounts and personal information of all their three billion users. They were fined $35 million for failing to disclose news of the breach in a timely manner, and Yahoo’s sale price decreased by $350 million as a result.
• WannaCry, 2017: More widely known as the first ‘ransomworm’, WannaCry targeted computers running the Microsoft Windows operating system and demanded ransom payments in the Bitcoin cryptocurrency. In only one day, the worm infected over 230,000 computers across 150 countries.
28. Principles of Security - Confidentiality
• The degree of confidentiality determines the secrecy of the information. The principle specifies that only the sender and receiver will be able to access the information shared between them. Confidentiality is compromised if an unauthorized person is able to access a message.
• For example, let us consider sender A, who wants to share some confidential information with receiver B, and the information gets intercepted by the attacker C. Now the confidential information is in the hands of the intruder C.
29. Principles of Security - Availability
• The principle of availability states that the resources will be available to authorized parties at all times. Information will not be useful if it is not available to be accessed. Systems should have sufficient availability of information to satisfy user requests.
30. Principles of Security - Integrity
• Integrity gives the assurance that the information received is exact and accurate. If the content of the message is changed after the sender sends it but before reaching the intended receiver, then it is said that the integrity of the message is lost.
31. Principles of Security - Authentication
• Authentication is the mechanism to identify the user, system or entity. It ensures the identity of the person trying to access the information. Authentication is most commonly performed using a username and password. The authorized person whose identity is preregistered can prove his/her identity and can access the sensitive information.
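As an added illustration of the sender A / receiver B / intruder C scenario from these slides (not part of the original deck): A attaches an HMAC tag under a key shared with B, and C sits on the channel. The key, the message text and the party names are constructed for this example; only the Python standard library is used.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Shared secret known only to sender A and receiver B (constructed for this example).
SHARED_KEY = b"constructed-shared-key-for-A-and-B"


def tag_message(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 over the message; only a holder of `key` can produce it."""
    return hmac.new(key, message, hashlib.sha256).digest()

def a_sends(message: bytes) -> Tuple[bytes, bytes]:
    """Sender A transmits the message together with its tag."""
    return message, tag_message(SHARED_KEY, message)

def c_intercepts(message: bytes, tag: bytes) -> Dict[str, object]:
    """Intruder C controls the channel. The message travels in the clear, so C can
    read it (a tag alone gives NO confidentiality). C can also alter it, but without
    SHARED_KEY cannot produce a tag that B will accept for the altered text."""
    altered = message.replace(b"100", b"900")
    return {
        "read_by_c": message,                                             # confidentiality lost
        "replayed_tag": (altered, tag),                                   # altered text, A's tag reused
        "forged_tag": (altered, tag_message(b"c-guessed-key", altered)),  # tag under C's own key
    }

def b_receives(message: bytes, tag: bytes) -> bool:
    """Receiver B recomputes the tag. A match shows the message is unchanged
    (integrity) and was tagged by a holder of the shared key (origin authentication)."""
    expected = tag_message(SHARED_KEY, message)
    return hmac.compare_digest(expected, tag)  # constant-time comparison

def demo() -> Dict[str, object]:
    """Run the A -> B exchange untouched, then with C interfering."""
    message, tag = a_sends(b"Pay 100 to account 42")
    seen = c_intercepts(message, tag)
    return {
        "direct_ok": b_receives(message, tag),          # True: untouched message accepted
        "read_by_c": seen["read_by_c"],                 # plaintext visible to C
        "replayed_ok": b_receives(*seen["replayed_tag"]),  # False: integrity loss detected
        "forged_ok": b_receives(*seen["forged_tag"]),      # False: C is not a key holder
    }

if __name__ == "__main__":
    print(demo())
```

The tag catches tampering and proves the origin, but C still reads the plaintext, which is why confidentiality needs encryption in addition to an integrity check.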
33. Vulnerability
• A vulnerability is a weakness in the system.
• For instance, a particular system may be vulnerable to unauthorized data manipulation because the system does not verify a user’s identity before allowing data access.
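An added Python example (not from the slides) of the weakness just described beside its fix: `read_record_vulnerable` hands out data with no identity check, while `login` and `read_record` verify the caller first. The record, credential and session stores and the password are constructed here; the authorization step in `read_record` goes one step beyond the slide's text.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample data: record id -> (owner, contents).
RECORDS: Dict[int, Tuple[str, str]] = {1: ("alice", "alice's payroll data"), 2: ("bob", "bob's payroll data")}

def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash, so a leaked credential store does not reveal passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed credential store: username -> (salt, password hash). No plaintext is kept.
_ALICE_SALT = secrets.token_bytes(16)
CREDENTIALS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (_ALICE_SALT, _hash_password("correct-horse", _ALICE_SALT)),
}
SESSIONS: Dict[str, str] = {}  # session token -> authenticated username

def read_record_vulnerable(record_id: int) -> Optional[str]:
    """The weakness from the slide: data is returned with no identity check,
    so anyone who can reach this function can read any record."""
    entry = RECORDS.get(record_id)
    return entry[1] if entry else None

def login(username: str, password: str) -> Optional[str]:
    """Authentication: verify the claimed identity, then issue an unguessable session token."""
    stored = CREDENTIALS.get(username)
    if stored is None:
        return None
    salt, expected = stored
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token

def read_record(token: str, record_id: int) -> Optional[str]:
    """Hardened version: identify the caller from a valid session, then allow access
    only to records that caller owns (authorization, added beyond the slide's text)."""
    user = SESSIONS.get(token)
    entry = RECORDS.get(record_id)
    if user is None or entry is None or entry[0] != user:
        return None
    return entry[1]
```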
34. Threat
• A threat to a computing system is a set of circumstances that has the potential to cause loss or harm.
35. • We can see a small crack in the wall—a vulnerability that threatens the man’s security. If the water rises to or beyond the level of the crack, it will exploit the vulnerability and harm the man.
36. Attack
• An intentional or unintentional act that can cause damage to or otherwise compromise information and/or the systems that support it. Attacks can be active or passive, intentional or unintentional, and direct or indirect.
37. • Access: A subject or object’s ability to use, manipulate, modify, or affect another subject or object.
• Asset: The organizational resource that is being protected. An asset can be logical, such as a Web site, information, or data; or an asset can be physical, such as a person, computer system, or other tangible object.
• Risk: The probability that something unwanted will happen.
• Subjects and objects: A computer can be either the subject of an attack—an agent entity used to conduct the attack—or the object of an attack—the target entity.
39. Components of the Information System
• An Information System (IS) is the entire set of:
• Software,
• Hardware,
• Data,
• People,
• Procedures, and
• Networks
• necessary to use information as a resource in the organization.
41. Balancing Information Security and Access
• Impossible to obtain perfect security—it is a process, not an absolute
• Security should be considered a balance between protection and availability.
• To achieve balance, the level of security must allow reasonable access, yet protect against threats.
44. System Development Life Cycle
• The systems development life cycle (SDLC) is a methodology and design for the implementation of information security within an organization
• A methodology is a formal approach to problem-solving based on a structured sequence of procedures
• Using a methodology:
• Ensures a rigorous process
• Avoids missing steps
• The goal is creating a comprehensive security posture/program
• The traditional SDLC consists of six general phases
46. Secure System Development Life Cycle
• Generally speaking, a secure SDLC involves integrating security testing and other activities into an existing development process.
• Examples include writing security requirements alongside functional requirements and performing an architecture risk analysis during the design phase of the SDLC.
47. Secure System Development Life Cycle
• Many secure SDLC models are in use, but one of the best known is the Microsoft Security Development Lifecycle (MS SDL), which outlines 12 practices organizations can adopt to increase the security of their software.
• Earlier this year, NIST published the final version of its Secure Software Development Framework, which focuses on security-related processes that organizations can integrate into their existing SDLC.
48. Secure System Development Life Cycle
• Prepare the Organization (PO): Ensure that the organization’s people, processes, and technology are prepared to perform secure software development at the organization level and, in some cases, for each individual project.
• Protect the Software (PS): Protect all components of the software from tampering and unauthorized access.
• Produce Well-Secured Software (PW): Produce well-secured software that has minimal security vulnerabilities in its releases.
• Respond to Vulnerabilities (RV): Identify vulnerabilities in software releases and respond appropriately to address those vulnerabilities and prevent similar vulnerabilities from occurring in the future.
49. Secure System Development Life Cycle
• https://www.tutorialspoint.com/system_analysis_and_design/system_analysis_and_design_development_life_cycle.htm
• https://www.synopsys.com/blogs/software-security/secure-sdlc/#:~:text=Generally%20speaking%2C%20a%20secure%20SDLC,design%20phase%20of%20the%20SDLC.
• https://www.microsoft.com/en-us/securityengineering/sdl/practices
• https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04232020.pdf
51. Security professionals in the organization
• A wide range of professionals is required to support a diverse information security program
• Senior management is a key component; additional administrative support and technical expertise are also required to implement the details of the IS program.
52. Security professionals in the organization
• Chief Information Officer (CIO)
• Senior technology officer
• Primarily responsible for advising senior executives on strategic planning
• Chief Information Security Officer (CISO)
• Primarily responsible for assessment, management, and implementation of IS in the organization
• Usually reports directly to the CIO
53. Information Security Project Team
• Champion: A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization.
• Team leader: A project manager, who may be a departmental line manager or staff unit manager, who understands project management, personnel management, and information security technical requirements.
• Security policy developers: People who understand the organizational culture, existing policies, and requirements for developing and implementing successful policies.
• Risk assessment specialists: People who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used.
54. Information Security Project Team
• Security professionals: Dedicated, trained, and well-educated specialists in all aspects of information security from both a technical and nontechnical standpoint.
• Systems administrators: People with the primary responsibility for administering the systems that house the information used by the organization.
• End users: Those whom the new system will most directly affect. Ideally, a selection of users from various departments, levels, and degrees of technical knowledge assist the team in focusing on the application of realistic controls applied in ways that do not disrupt the essential business activities they seek to safeguard.