Information Security
Lecture #1
Hassan Khan
Information Security
• Information security is the set of practices designed to keep private
data secure from unauthorized access and alteration, both while it is
stored and while it is transmitted from one location to another.
• Information security is designed and carried out to protect print,
digital, and other private and sensitive data from unauthorized
persons. It can be used to secure data from misuse, disclosure,
destruction, alteration, and disruption.
Services of information security
• The main services of information security are as follows −
• Message Confidentiality − Message confidentiality or privacy means that the sender and the receiver
expect confidentiality. The transmitted message should be intelligible only to the intended receiver.
When a user connects to a bank, they expect the communication to be completely confidential.
• Message Integrity − Message integrity means that the data should arrive at the receiver exactly as it
was sent. There should be no change during transmission, whether by accident or by malicious
action. As more and more financial transactions take place over the web, integrity is crucial.
• Message Authentication − Message authentication is a service that goes beyond message integrity. In
message authentication the receiver needs to be certain of the sender's identity and that an impostor
has not sent the message.
• Message Nonrepudiation − Message nonrepudiation means that a sender should not be able to deny
having sent a message that they did send. The burden of proof falls on the receiver.
• Entity Authentication − In entity authentication, the entity or user is verified before being granted
access to system resources. For instance, a student who needs to access university resources must be
authenticated during the login phase. This protects the interests of both the university and the student.
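The difference between message integrity and message authentication is easiest to see with a few lines of code. The example below is added for this lecture and is not part of the original slides; the shared key and the messages are constructed. A plain SHA-256 hash detects accidental corruption, but an attacker who alters the message can simply recompute the hash, so the receiver learns nothing about who sent it. An HMAC over the same message requires the shared key, so an altered message fails verification unless the attacker also holds the key.

```python
import hashlib
import hmac

# Constructed shared secret for the example only; a real deployment would
# provision this key out of band and never hard-code it.
SHARED_KEY = b"example-shared-key-for-lecture-demo"


def digest(message: bytes) -> str:
    """Integrity only: anyone can recompute a plain hash."""
    return hashlib.sha256(message).hexdigest()


def check_digest(message: bytes, received_digest: str) -> bool:
    """What a receiver relying on a bare hash can do: recompute and compare."""
    return hmac.compare_digest(digest(message), received_digest)


def tag(message: bytes, key: bytes = SHARED_KEY) -> str:
    """Integrity plus authentication: the tag cannot be produced without the key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_tag(message: bytes, received_tag: str, key: bytes = SHARED_KEY) -> bool:
    # compare_digest runs in constant time so the comparison does not leak
    # how many leading characters of the tag were correct.
    return hmac.compare_digest(tag(message, key), received_tag)


def integrity_demo() -> dict:
    """Simulate a message being altered in transit and show what each
    mechanism lets the receiver detect. Returns a dict of boolean outcomes."""
    original = b"PAY 100 TO ALICE"          # constructed message
    altered = b"PAY 900 TO MALLORY"         # what the attacker substitutes
    sent_digest = digest(original)
    sent_tag = tag(original)
    return {
        # A hash catches the change only if the attacker leaves the old hash in place.
        "hash_detects_naive_change": not check_digest(altered, sent_digest),
        # The attacker recomputes the hash over the altered message: accepted.
        "hash_fooled_by_recompute": check_digest(altered, digest(altered)),
        # The genuine message with its genuine tag verifies.
        "hmac_accepts_genuine": verify_tag(original, sent_tag),
        # The altered message with the original tag is rejected.
        "hmac_rejects_altered": not verify_tag(altered, sent_tag),
        # A tag recomputed with a guessed key is also rejected.
        "hmac_rejects_forged_key": not verify_tag(altered, tag(altered, b"guess")),
    }


if __name__ == "__main__":
    for name, outcome in integrity_demo().items():
        print(f"{name}: {outcome}")
```

Note that an HMAC still does not give nonrepudiation: both sender and receiver hold the same key, so either of them could have produced the tag. Nonrepudiation needs a mechanism where only the sender can produce the proof, such as a digital signature with a private key.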
Is information system security the same as cyber security?
• Information security protects a variety of types of information. This
includes digital data, physical records, and intellectual property (IP).
• Cyber security is a subfield of information security that protects
computer systems and networks from cyber attacks.
Models for discussing security issues
• When we discuss security issues, it is often helpful to have a model
that we can use as a foundation or a baseline. This gives us a
consistent set of terminology and concepts that we, as security
professionals, can refer to when security issues arise.
Three pillars of information security: the CIA triad
• Confidentiality
• Privacy is a major component of InfoSec, and organizations should enact measures that allow only
authorized users access to information. Data encryption, multi-factor authentication, and data
loss prevention are some of the tools enterprises can employ to help ensure data confidentiality.
• Integrity
• Enterprises must maintain data’s integrity across its entire lifecycle. Enterprises with strong
InfoSec will recognize the importance of accurate, reliable data, and permit no unauthorized user
to access, alter, or otherwise interfere with it. Tools like file permissions, identity management,
and user access controls help ensure data integrity.
• Availability
• InfoSec involves consistently maintaining physical hardware and regularly completing system
upgrades to guarantee that authorized users have dependable, consistent access to data as they
need it.
Parkerian Hexad
• The Parkerian hexad is a set of six elements of information security proposed by Donn B. Parker in
1998. The Parkerian hexad adds three additional attributes to the three classic security attributes of
the CIA triad (confidentiality, integrity, availability).
• Confidentiality
• Possession or Control
• Integrity
• Authenticity
• Availability
• Utility
These attributes of information are atomic in that they are not broken down into further constituents;
they are non-overlapping in that they refer to unique aspects of information. Any information security
breach can be described as affecting one or more of these fundamental attributes of information.
Attacks
• We may face attacks from a wide variety of approaches and angles.
When we look at what exactly makes up an attack, we can break it
down according to the type of attack that it represents, the risk the
attack represents, and the controls we might use to mitigate it.
Types of Attacks
Interception
• Interception attacks allow unauthorized users to access our data,
applications, or environments, and are primarily an attack against
confidentiality. Interception might take the form of unauthorized file
viewing or copying, eavesdropping on phone conversations, or
reading e-mail, and can be conducted against data at rest or in
motion. Properly executed, interception attacks can be very difficult
to detect.
Interruption
• Interruption attacks cause our assets to become unusable or
unavailable for our use, on a temporary or permanent basis.
Interruption attacks often affect availability but can be an attack on
integrity as well. In the case of a DoS attack on a mail server, we
would classify this as an availability attack. In the case of an attacker
manipulating the processes on which a database runs in order to
prevent access to the data it contains, we might consider this an
integrity attack, due to the possible loss or corruption of data, or we
might consider it a combination of the two. We might also consider
such a database attack to be a modification attack rather than an
interruption attack.
Modification
• Modification attacks involve tampering with our asset. Such attacks might
primarily be considered an integrity attack but could also represent an
availability attack. If we access a file in an unauthorized manner and alter
the data it contains, we have affected the integrity of the data contained
in the file. However, if we consider the case where the file in question is a
configuration file that manages how a particular service behaves,
perhaps one that is acting as a Web server, we might affect the
availability of that service by changing the contents of the file. If we
continue with this concept and say the configuration we altered in the
file for our Web server is one that alters how the server deals with
encrypted connections, we could even make this a confidentiality attack.
Fabrication
• An unauthorized party inserts counterfeit objects into the system.
This is an attack on authenticity.
• Examples include the insertion of fake messages in a network or the
addition of records to a file.
How Do Threats, Vulnerabilities, and Risk Differ?
Threats
• A threat refers to any potential danger or harmful event that can exploit a
vulnerability and cause harm to a system, organization, or individual.
• Threats can be intentional or unintentional in nature. Intentional threats are
deliberate actions or attacks carried out by threat actors with malicious intent. These
can include cyberattacks, such as malware infections, malicious code or SQL injection
attacks, ransomware, phishing attempts, and distributed denial-of-service (DDoS)
attacks.
• On the other hand, unintentional threats originate from human error or accidental
actions that can lead to security breaches. These threats include accidental disclosure
of sensitive information or falling victim to social engineering tactics.
Vulnerabilities
• A vulnerability is a weakness or flaw in an operating system, network, or
application. A threat actor tries to exploit vulnerabilities to gain
unauthorized access to data or systems. Security vulnerabilities can arise
for many reasons, including misconfigurations, design flaws, or outdated
software versions.
• Common vulnerabilities include software vulnerabilities (that is, bad
code), easily guessable passwords, unpatched systems, lack of encryption,
insecure network configurations, and human error such as falling for
phishing scams or sharing sensitive information unintentionally.
Risk
• Risk is the likelihood of a threat exploiting a vulnerability and causing harm. It represents the
potential loss or damage associated with a specific threat.
• Cyber risk encompasses the potential financial, operational, legal, or reputational consequences
of a successful cyberattack or data breach. Risks can vary depending on the specific threat
landscape, the value of the assets at risk, and the effectiveness of existing security controls.
• Organizations employ risk management processes and methodologies to identify, evaluate, and
prioritize security risks. Risk assessment is the systematic identification of potential
cybersecurity threats, vulnerabilities, and their associated impacts, and it is one of the most
important parts of risk management. Risk assessment helps organizations to understand their
security posture, prioritize resources, and make informed decisions regarding risk mitigation.
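The definition above (risk as the likelihood of a threat exploiting a vulnerability, scaled by the value of the asset and reduced by existing controls) can be turned into a small risk register that ranks entries for mitigation. The code below is an added example, not part of the lecture; it assumes a simple qualitative model in which likelihood and impact are scored 1 to 5, inherent risk is their product, and control effectiveness is a fraction between 0 and 1 that reduces the inherent score to a residual one. The register entries are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEntry:
    """One row of a risk register, pairing a threat with the vulnerability
    it could exploit and the assessor's scores for that pairing."""
    name: str
    threat: str
    vulnerability: str
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (severe); reflects asset value
    control_effectiveness: float  # 0.0 (no control) .. 1.0 (fully mitigated)


def _validate(entry: RiskEntry) -> None:
    # Reject scores outside the assumed scales so a typo cannot silently
    # push an entry to the top or bottom of the ranking.
    if not 1 <= entry.likelihood <= 5 or not 1 <= entry.impact <= 5:
        raise ValueError(f"{entry.name}: likelihood and impact must be in 1..5")
    if not 0.0 <= entry.control_effectiveness <= 1.0:
        raise ValueError(f"{entry.name}: control_effectiveness must be in 0..1")


def inherent_risk(entry: RiskEntry) -> int:
    """Risk before any control is considered: likelihood x impact (1..25)."""
    _validate(entry)
    return entry.likelihood * entry.impact


def residual_risk(entry: RiskEntry) -> float:
    """Risk that remains after existing controls, rounded for reporting."""
    return round(inherent_risk(entry) * (1.0 - entry.control_effectiveness), 2)


def prioritize(register: list) -> list:
    """Order the register so the highest residual risk comes first."""
    return sorted(register, key=residual_risk, reverse=True)


# Constructed register for the example; the scores are illustrative only.
REGISTER = [
    RiskEntry("ransomware-fileserver", "ransomware", "unpatched SMB service on file server", 4, 5, 0.2),
    RiskEntry("phishing-credentials", "phishing", "no multi-factor authentication on webmail", 5, 4, 0.0),
    RiskEntry("ddos-public-site", "DDoS", "single upstream link for the public site", 3, 3, 0.5),
    RiskEntry("lost-laptop", "accidental loss", "no full-disk encryption on laptops", 3, 4, 0.75),
]


def report(register: list = REGISTER) -> list:
    """Return (name, inherent, residual) tuples in priority order."""
    return [(e.name, inherent_risk(e), residual_risk(e)) for e in prioritize(register)]


if __name__ == "__main__":
    for name, inherent, residual in report():
        print(f"{name:24s} inherent={inherent:2d} residual={residual:5.2f}")
```

Two of the constructed entries share the same inherent score of 20; the ranking separates them only because one already has a partially effective control. That is the practical point of distinguishing inherent from residual risk: it shows where the next control buys the most reduction.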
Control
Security controls
• Security controls are not chosen or implemented arbitrarily. They
typically flow out of an organization’s risk management process,
which begins with defining the overall IT security strategy, then goals.
This is followed by defining specific control objectives—statements
about how the organization plans to effectively manage risk. For
example, “Our controls provide reasonable assurance that physical
and logical access to databases and data records is restricted to
authorized users” is a control objective.
Physical controls
• Physical controls describe anything tangible that’s used to prevent or
detect unauthorized access to physical areas, systems, or assets. This
includes things like fences, gates, guards, security badges and access
cards, biometric access controls, security lighting, CCTVs, surveillance
cameras, motion sensors, fire suppression, as well as environmental
controls like HVAC and humidity controls.
Technical controls
• Technical controls (also known as logical controls) include hardware or
software mechanisms used to protect assets. Some common
examples are authentication solutions, firewalls, antivirus software,
intrusion detection systems (IDSs), intrusion protection systems (IPSs),
constrained interfaces, as well as access control lists (ACLs) and
encryption measures.
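An access control list is the technical control that most directly serves the example control objective quoted earlier ("physical and logical access to databases and data records is restricted to authorized users"). The example below is added here and is not from the lecture; it assumes a hypothetical `AccessControl` class with a constructed ACL, and it shows the two properties a practitioner would want to check: the ACL denies by default (an unlisted user, resource or action is refused, and so is an unauthenticated session), and every decision is written to an audit trail, which is the record the administrative control of auditing relies on.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Session:
    """Result of entity authentication: who the caller claims to be and
    whether that claim was actually verified at login."""
    user: str
    authenticated: bool


@dataclass
class AccessControl:
    # acl[resource][user] is the set of actions that user may perform.
    acl: dict
    audit_log: list = field(default_factory=list)

    def is_allowed(self, user: str, resource: str, action: str) -> bool:
        # Deny by default: an unknown resource, an unlisted user, or an
        # action not granted all fall through to an empty set.
        return action in self.acl.get(resource, {}).get(user, set())

    def access(self, session: Session, resource: str, action: str) -> bool:
        if not session.authenticated:
            decision, reason = False, "unauthenticated"
        elif self.is_allowed(session.user, resource, action):
            decision, reason = True, "acl-allow"
        else:
            decision, reason = False, "acl-deny"
        # Record allow and deny alike; the denied attempts are what an
        # auditor or an intrusion detection rule will look for.
        self.audit_log.append(
            f"user={session.user} action={action} resource={resource} "
            f"allowed={decision} reason={reason}"
        )
        return decision

    def denied_attempts(self) -> list:
        """Audit-log entries for refused requests."""
        return [line for line in self.audit_log if "allowed=False" in line]


# Constructed ACL: least privilege, so a reader cannot write and the
# auditor can read only the audit log, not the customer records.
CUSTOMER_DB = AccessControl(acl={
    "db:customer_records": {"alice": {"read"}, "dba": {"read", "write"}},
    "db:audit_log": {"auditor": {"read"}},
})


def demo() -> dict:
    """Exercise the control with a few constructed requests."""
    ac = AccessControl(acl=CUSTOMER_DB.acl)
    return {
        "alice_read": ac.access(Session("alice", True), "db:customer_records", "read"),
        "alice_write": ac.access(Session("alice", True), "db:customer_records", "write"),
        "bob_read": ac.access(Session("bob", True), "db:customer_records", "read"),
        "dba_unauthenticated": ac.access(Session("dba", False), "db:customer_records", "write"),
        "auditor_customer": ac.access(Session("auditor", True), "db:customer_records", "read"),
        "unknown_resource": ac.access(Session("dba", True), "db:payroll", "read"),
        "denied_count": len(ac.denied_attempts()),
        "log_count": len(ac.audit_log),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The authentication check comes before the ACL lookup on purpose: the ACL is keyed by user name, so an unverified name must never reach it, otherwise the control reduces to trusting whatever identity the caller asserts.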
Administrative controls
• Administrative controls refer to policies, procedures, or guidelines
that define personnel or business practices in accordance with the
organization's security goals. These can apply to employee hiring and
termination, equipment and Internet usage, physical access to
facilities, separation of duties, data classification, and auditing.
Security awareness training for employees also falls under the
umbrella of administrative controls.