Information Security
What is Information Security?
Information Security
Information Security is the name given to the preventative steps we take to guard our information and our capabilities.
Measures adopted to prevent the unauthorized use, misuse, modification, or denial of use of knowledge, facts, data or capabilities.
Critical Characteristics of Information
Availability
Accuracy
Authenticity
Confidentiality
Integrity
Availability
Enables users who need to access information to do so without interference and receive it in the required format.
The information is available only to the authorized users.
Accuracy
Information is accurate when it is free from mistakes or errors and it has the value that the end user expects.
Authenticity
Authenticity of information is the quality or state of being genuine or original, rather than a reproduction or fabrication.
e.g. Email Spoofing
• The unauthorized use of a third-party domain name as the sender's name in an e-mail message
http://blockstatus.com/anonymous-mailer
Confidentiality
Information is available only to people with rightful access.
Ensuring that only those with the rights and privileges to access a particular set of information are able to do so.
It is closely related to the privacy of information.
Integrity
• Information can only be changed by authorized personnel.
• The quality or state of being whole, complete and uncorrupted is the integrity of information.
• Three goals of Integrity
  • Prevention of modification by unauthorized users.
  • Prevention of unauthorized modification by authorized users.
  • Preservation of internal and external consistency.
• Integrity check can be done through:
  • File size
  • File hashing
  • Hashing is the transformation of a string of characters into a usually shorter fixed-length value or key that represents the original string
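The two integrity checks listed above, file size and file hashing, shown as an added example that is not part of the original slides. It records a baseline for a few constructed sample files, alters two of them, and reports which check catches each change; the file names, contents and the choice of SHA-256 are assumptions made for the illustration.

```python
import hashlib
import os
import tempfile

def fingerprint(path):
    """Return (size_in_bytes, sha256_hex) for one file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return os.path.getsize(path), digest.hexdigest()

def build_baseline(paths):
    """Record the known-good size and hash of each file."""
    return {p: fingerprint(p) for p in paths}

def verify(baseline):
    """Compare current files to the baseline; return {path: status}."""
    report = {}
    for path, (old_size, old_hash) in baseline.items():
        if not os.path.exists(path):
            report[path] = "missing"
            continue
        size, digest = fingerprint(path)
        if size != old_size:
            report[path] = "size changed"
        elif digest != old_hash:
            report[path] = "same size, hash changed"
        else:
            report[path] = "ok"
    return report

def demo():
    """Constructed sample: three small files, two altered after the baseline."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("policy.txt", "rates.csv", "notes.txt")]
        for p, body in zip(paths, [b"allow admin\n", b"rate=0.05\n", b"keep\n"]):
            with open(p, "wb") as fh:
                fh.write(body)
        baseline = build_baseline(paths)
        with open(paths[0], "ab") as fh:      # content appended: size differs
            fh.write(b"allow guest\n")
        with open(paths[1], "wb") as fh:      # same length, one digit altered
            fh.write(b"rate=0.95\n")
        result = verify(baseline)
        return {os.path.basename(p): s for p, s in result.items()}

if __name__ == "__main__":
    print(demo())
```

The second altered file keeps its original length, so the size check alone passes it and only the hash comparison reports the modification.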
Components of an Information System
Software
Hardware
Data
People
Procedures
Software
• Comprises the OS, applications and command utilities.
• Bugs, Weaknesses and Holes.
  • An error or defect in software or hardware that causes a program to malfunction
  • Security Hole (something you need to fix now)
  • Security Warning (something you need to fix soon)
  • Security Note (something you need to fix when you get around to it, or just some information that you should consider)
• Service Packs, Patches and Hot fixes.
• Security is the least priority in software development
Hardware
Houses and executes the software.
Stores and carries the data.
Provides interfaces for the entry and removal of information from the system.
Physical security policies deal with the H/W.
Data
Main object of intentional attacks
People
Main threat to information security.
Often overlooked
Procedures
Procedures are written instructions for accomplishing a specific task.
Another frequently overlooked component
What is Network Security?
• Effort to create a secure computing platform, so users or programs cannot perform actions that they are not allowed to do.
• Network Security is the protection of networking components, connections and contents.
Network Security as a Continuous Process
Network security is a continuous process built around a security policy.
Step 1: Secure
Step 2: Monitor
Step 3: Test
Step 4: Improve
Step 1: Secure the Network
Implement security solutions to prevent unauthorized access and to protect information.
Authentication
Encryption
Firewalls
Vulnerability Patching
Step 2: Monitor Security
• Detects violations of the security policy
• Involves system auditing and real-time intrusion detection
• Validates the security implementation in Step 1
Step 3: Test Security
• Validates effectiveness of the security policy through system auditing and network scanning
Step 4: Improve Security
Use information from the monitor and test phases to make improvements to the security implementation.
Adjust the security policy as security holes and risks are identified.
Terms related to Security
• Assets
• Threats
• Attack
• Vulnerability
• Risk Analysis
• Countermeasures
• Hacking
Asset
An asset is the organizational resource that is being protected.
It can be logical, like a website, information or data.
It can be physical, like a computer system or other tangible object.
Threats, Vulnerability and Controls
• Threat
  • A person, thing, event or idea which poses some danger to an asset (in terms of confidentiality, integrity, availability).
  • A possible means by which a security policy may be breached.
• An attack
  • is a realization of a threat.
• Vulnerability
  • A weakness in the system that can be exploited to cause loss or harm
• Control, Countermeasure, Safeguard
  • An action, device, procedure or technique that removes or reduces a vulnerability.
Risk = Threat + Vulnerability
Threats without vulnerabilities pose no risk.
Likewise, vulnerabilities without threats
pose no risk.
Risk is the probability that something can
happen.
Risk analysis can be quantitative or
qualitative.
Cont…
Risk can be qualitatively defined in three levels:
• Low - Action to remove the vulnerability should be taken if possible
• Medium - Action to remove the vulnerability is advisable
• High - Action should be taken immediately to remove this vulnerability
Hacking
Can be defined positively and
negatively:
To write computer programs for enjoyment.
To gain access to a computer illegally.
Summary
What is Information Security?
What is Network Security?
Assets, Threats and Countermeasures

Introduction Network security
