Information Security and Privacy
B.Tech (CSE)
Prepared by: Atul Kumar Gupta (Tech Faculty)
Security
• The complexity of computers and computer networks leads to a vast area of
vulnerability. Therefore an organization’s security should not be viewed as a
low priority.
• Security is the quality or state of being secure, i.e. to be free from danger;
or, “something that secures or makes safe”.
• In other words, security means denying access to anyone who does not have the
credentials required to access the organisation’s information.
Evolution of Information Security
• The different layers of security in an organisation are:
– Physical Security: to protect physical items and objects from unauthorised
access.
– Personnel Security: to protect the employee or group of employees who are
authorised to access the operations of the organisation.
– Operations Security: to protect the details of an operation or series of
operations of an organisation.
– Communications Security: to protect the communication media, technology and
critical data of an organisation.
– Network Security: to protect networking components, their connectivity and
the content that flows through them.
– Information Security: to protect the confidentiality, integrity and
availability of information assets, together with the technology, storage
processes and transmission systems that handle them.
Information Security
• Information security is the protection of computer systems and networks from
information disclosure, theft of or damage to their hardware, software or
electronic data, as well as from the disruption or misdirection of the services
they provide.
• Information security performs four important functions for an organization:
– Protects the organization’s ability to function
– Enables the safe operation of applications implemented on the organization’s
IT systems
– Protects the data the organization collects and uses
– Safeguards the technology assets in use at the organization
Information Security
• Protection of information and the systems and hardware that use, store and
transmit that information.
• To protect the related systems from danger, the following tools are
necessary:
– Policy
– Awareness
– Training
– Education
Information Security Terminology
Examples of Information Security Incidents: Malicious Software
• Computer contaminants including viruses, trojan horses, worms, spyware and
adware are collectively referred to as malware.
• Most malware is delivered to target computers via email or through
interaction with infected web pages.
• Malware can be designed to spy on unsuspecting users by monitoring their web
surfing habits, stealing files or passwords, or even surreptitiously enabling
web cameras.
• Other malware may enable a controller to issue commands on the infected
computer, enrolling it in what is known as a “bot-net”.
Examples of Information Security Incidents: Unauthorized use of computer user
accounts
• Unauthorized computer access, popularly referred to as hacking, describes a
criminal action whereby someone uses a computer to knowingly gain access to
data in a system without permission to access that data.
Examples of Information Security Incidents: SPAM and Phishing
• Commonly known as SPAM, unsolicited email in its most benign form isn’t much
more than an annoyance and a waste of resources. However, SPAM can be used to
carry malicious software, direct unsuspecting users to malicious web sites, or
spread inappropriate content.
• Phishing attacks are specially crafted email messages that entice users to
visit malicious web sites. These web sites are designed to appear trusted; for
example, the malicious web site may have exactly the same colour scheme and
layout as your bank’s web site. Once the user is at the web site, malicious
software may be downloaded to the victim’s computer, or personal information
may be requested.
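As an added example (not part of the original slides), the following Python check inspects the links in a constructed HTML email body for the lure described above: a link whose visible text shows the trusted bank address while its href points at a different host, or a link to any host outside an assumed list of the organisation's own domains. The sample message and the TRUSTED_DOMAINS set are constructed assumptions.

```python
"""Flag phishing-style links in an HTML email body (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; not a real phishing email.
SAMPLE_HTML = """
<p>Dear customer, please verify your account:</p>
<a href="http://examplebank.com.verify-login.invalid/auth">https://www.examplebank.com/login</a>
<p>Or contact us at <a href="https://www.examplebank.com/contact">our help page</a>.</p>
<a href="https://secure-examp1ebank.com/">Secure login</a>
"""

# Assumption: the domains the organisation actually owns.
TRUSTED_DOMAINS = {"examplebank.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_trusted(host):
    """Crude check on the last two labels; production code would use the
    public suffix list so that e.g. 'co.uk' domains are handled properly."""
    return ".".join(host.lower().split(".")[-2:]) in TRUSTED_DOMAINS


def check_links(html):
    """Return [(href, reason)] for every link that looks like a phishing lure."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if is_trusted(urlparse(href).hostname or ""):
            continue
        # Visible text is a URL on a trusted host, but the href goes elsewhere.
        if re.match(r"https?://", text) and is_trusted(urlparse(text).hostname or ""):
            findings.append((href, "displayed trusted URL but points elsewhere"))
        else:
            findings.append((href, "link to untrusted host"))
    return findings


if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_HTML):
        print(f"{reason}: {href}")
```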
Examples of Information Security Incidents: Theft or Loss
• A common form of security incident is the loss of devices or unauthorized
access to credentials, resulting in cyber criminals obtaining confidential
information.
• For example, a lost laptop, mobile phone or external hard drive that is
unlocked or unencrypted can easily lead to information being stolen if it ends
up in the wrong hands. Even a locked device could be hacked into by a
sophisticated attacker.
Examples of Information Security Incidents: Unauthorized access to publicly
accessible information or systems
• Unauthorized access is when a person gains entry to a computer network,
system, application software, data or other resources without permission.
• Any access to an information system or network that violates the owner’s or
operator’s stated security policy is considered unauthorized access.
• Unauthorized access also occurs when legitimate users access a resource that
they do not have permission to use.
Examples of Information Security Incidents: Network scans
• Network scans are used to enumerate the available services on the servers in
the network.
• Similarly, network scans are also used to enumerate vulnerabilities on the
network.
• It is for this reason that all network scans are considered reconnaissance
activity and will be treated as a precursor to an attack.
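As an added example (not part of the original slides), the following Python script detects the reconnaissance pattern described above in constructed firewall-style log lines: a single source that touches many distinct destination/port pairs within a short time window, which is how a service enumeration looks from the defender's side. The log format, the 60-second window and the threshold of 8 distinct targets are assumptions.

```python
"""Flag likely port/service scans in firewall-style log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): timestamp, action, src, dst, dport.
SAMPLE_LOG = """\
2024-03-01T10:00:01 DENY src=203.0.113.5 dst=192.0.2.10 dport=21
2024-03-01T10:00:01 DENY src=203.0.113.5 dst=192.0.2.10 dport=22
2024-03-01T10:00:02 DENY src=203.0.113.5 dst=192.0.2.10 dport=23
2024-03-01T10:00:02 DENY src=203.0.113.5 dst=192.0.2.10 dport=25
2024-03-01T10:00:03 DENY src=203.0.113.5 dst=192.0.2.10 dport=80
2024-03-01T10:00:03 DENY src=203.0.113.5 dst=192.0.2.10 dport=110
2024-03-01T10:00:04 ALLOW src=203.0.113.5 dst=192.0.2.10 dport=443
2024-03-01T10:00:04 DENY src=203.0.113.5 dst=192.0.2.10 dport=445
2024-03-01T10:00:05 DENY src=203.0.113.5 dst=192.0.2.10 dport=3389
2024-03-01T10:00:05 DENY src=203.0.113.5 dst=192.0.2.10 dport=8080
2024-03-01T10:00:06 DENY src=203.0.113.5 dst=192.0.2.11 dport=22
2024-03-01T10:00:06 ALLOW src=198.51.100.7 dst=192.0.2.10 dport=443
2024-03-01T10:10:00 ALLOW src=198.51.100.7 dst=192.0.2.10 dport=80
"""


def parse_line(line):
    """Split one log line into (timestamp, action, src, dst, dport)."""
    fields = line.split()
    ts = datetime.fromisoformat(fields[0])
    kv = dict(f.split("=", 1) for f in fields[2:])
    return ts, fields[1], kv["src"], kv["dst"], int(kv["dport"])


def detect_scans(log_text, window=timedelta(seconds=60), threshold=8):
    """Return {src: (distinct_targets, window_start)} for every source that
    contacted at least `threshold` distinct (dst, dport) pairs inside `window`.
    A scanner sweeps many ports or hosts quickly; normal clients reuse a few."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, _action, src, dst, dport = parse_line(line)
            by_src[src].append((ts, (dst, dport)))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            # Slide the window start forward until events[lo..hi] fit in it.
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            targets = {target for _, target in events[lo:hi + 1]}
            if len(targets) >= threshold:
                current = alerts.get(src)
                if current is None or len(targets) > current[0]:
                    alerts[src] = (len(targets), events[lo][0])
    return alerts


if __name__ == "__main__":
    for src, (count, start) in detect_scans(SAMPLE_LOG).items():
        print(f"{src}: {count} distinct targets starting {start.isoformat()}")
```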
Examples of Information Security Incidents: Denial of Service
• Denial of Service incidents prevent users from accessing services in the
intended manner.
• Whether deliberate or unintended, a denial of service depletes a server or
service of its resources, thus rendering it unusable.
Examples of Information Security Incidents
• Unauthorized or accidental disclosure of classified or sensitive information;
e.g. an email containing classified or sensitive information sent to incorrect
recipients.
• Theft or loss of classified or sensitive information; e.g. a hard copy of
classified or sensitive information stolen from a bag or left in a cafe.
• Unauthorized modification of classified or sensitive information; e.g.
altering the master copy of a student or staff record.
Examples of Information Security Incidents
• Theft or loss of equipment that contains classified or sensitive information;
e.g. a laptop containing classified or sensitive information stolen from a bag
or left at a conference.
• Unauthorized access by a first, second or third party to University
information systems; e.g. a virus, malware or a denial of service attack.
• Unauthorized access to areas containing IT equipment that stores classified
or sensitive information; e.g. unauthorized entry into a data centre or
network cabinet rooms.
Evolution of Information Security
Information Security Management
• Information is an important asset and, as such, an integral resource for
business continuity and growth.
• Information security management describes the set of policies and
procedural controls that IT and business organizations implement to secure
their informational assets against threats and vulnerabilities.
• Many organizations develop a formal, documented process for managing
InfoSec, called an information security management system, or ISMS.
• Information security management (ISM) sets the controls that protect
confidential, sensitive and personal information from damage, theft or
misuse.
Benefits of Information Security Management
• Reduce information security costs
– Thanks to the risk assessment and analysis approach of an ISMS, organisations
can reduce the costs spent on indiscriminately adding layers of defensive
technology that might not work.
• Improve company culture
– The Standard’s holistic approach covers the whole organisation, not just IT,
and encompasses people, processes and technology.
– This enables employees to readily understand risks and embrace security
controls as part of their everyday working practices.
• Win new business and enter new sectors
– Many organisations nowadays will only work with third parties that can
demonstrate effective information security. This is understandable, given that
a data breach could result in costly delays and may even lead to a supply chain
attack.
Three concepts of Information Security
• Confidentiality
– Data confidentiality: assures that confidential information is not disclosed
to unauthorized individuals
– Privacy: assures that individuals control or influence what information about
them may be collected and stored
• Integrity
– Data integrity: assures that information and programs are changed only in a
specified and authorized manner
– System integrity: assures that a system performs its operations in an
unimpaired manner
• Availability: assures that systems work promptly and service is not denied to
authorized users
Human aspect of information security
Security collaboration
• Collaboration refers to working together in order to achieve a shared goal.
• That goal can be the safeguarding of information assets in an organisation.
• Information security collaboration means the aggregation of employees’
contributions against information security incidents within an organisation.
Human aspect of information security
Security knowledge sharing
• Knowledge sharing plays an important role in the domain of information
security, due to its positive effect on employees’ information security
awareness.
• It is acknowledged that security awareness is the most important factor
that mitigates the risk of information security breaches in organisations.
Human aspect of information security
Conscious care behavior
• Conscious care behavior has been acknowledged as an effective and efficient
approach against phishing, social engineering, fake anti-virus and bogus
software, in order to mitigate information security breaches.
Complying with policies
• The web is a huge and dynamic environment within which hackers use new and
varied methods to achieve security breaches.
• Misleading applications, such as bogus disk defragmenters or fake anti-virus
scanners, are examples of new methods designed to mislead users into thinking
their computer has a problem or a virus.
Social Engineering
• Social engineering is the tactic of manipulating, influencing or deceiving a
victim in order to gain control over a computer system, or to steal personal
and financial information.
• It uses psychological manipulation to trick users into making security
mistakes or giving away sensitive information.
• Social engineering attacks happen in one or more steps.
• A perpetrator first investigates the intended victim to gather the necessary
background information, such as potential points of entry and weak security
protocols, needed to proceed with the attack.
Social Engineering
• Then the attacker moves to gain the victim’s trust and provide stimuli for
subsequent actions that break security practices, such as revealing sensitive
information or granting access to critical resources.
Thank you!!

Information Security and Privacy-Unit-1.pptx
