SlideShare a Scribd company logo
1 of 29
IT8073
INFORMATION SECURITY
BE
IV YEAR – VIII SEM (R18)
(2024-2025)
Prepared
By
Asst.Prof.M.Gokilavani
Department of Computer Science and Engineering
Diploma, Anna Univ UG & PG Courses
Notes Available @
Syllabus
Question Papers
Results and Many more…
www.AllAbtEngg.com
Available in /AllAbtEngg Android App too,
IT8073 INFORMATION SECURITY
DETAILED SYLLABUS
OBJECTIVES:
• To understand the basics of Information Security
• To know the legal, ethical and professional issues in Information Security
• To know the aspects of risk management
• To become aware of various standards in this area
• To know the technological aspects of Information Security
UNIT I INTRODUCTION
History, what is Information Security? Critical Characteristics of Information, NSTISSC
Security Model, Components of an Information System, Securing the Components, Balancing
Security and Access, The SDLC, The Security SDLC
UNIT II SECURITY INVESTIGATION
Need for Security, Business Needs, Threats, Attacks, Legal, Ethical and Professional Issues
- An Overview of Computer Security - Access Control Matrix, Policy-Security policies,
Confidentiality policies, Integrity policies and Hybrid policies
UNIT III SECURITY ANALYSIS
Risk Management: Identifying and Assessing Risk, Assessing and Controlling Risk - Systems:
Access Control Mechanisms, Information Flow and Confinement Problem
UNIT IV LOGICAL DESIGN
Blueprint for Security, Information Security Policy, Standards and Practices, ISO 17799/BS
7799, NIST Models, VISA International Security Model, Design of Security Architecture,
Planning for Continuity
UNIT V PHYSICAL DESIGN
Security Technology, IDS, Scanning and Analysis Tools, Cryptography, Access Control
Devices, Physical Security, Security and Personnel
TEXT BOOK:
1. Michael E Whitman and Herbert J Mattord, ―Principles of Information Security‖, Vikas
Publishing House, New Delhi, 2003
REFERENCES
1. Micki Krause, Harold F. Tipton, ― Handbook of Information Security Management‖, Vol 1-
3 CRC Press LLC, 2004.
2. Stuart McClure, Joel Scrambray, George Kurtz, ―Hacking Exposed‖, Tata McGraw- Hill,
2003
3. Matt Bishop, ― Computer Security Art and Science‖, Pearson/PHI, 2002.
UNIT I– INTRODUCTION: History, what is Information Security? Critical Characteristics
of Information, NSTISSC Security Model, Components of an Information System, Securing
the Components, Balancing Security and Access, The SDLC, The Security SDLC.
1. INTRODUCTION:
 Information technology is the vehicle that stores and transports information—a company’s
most valuable resource—from one business unit to another.
 But what happens if the vehicle breaks down, even for a little while?
As businesses have become more fluid, the concept of computer security has been
replaced by the concept of information security.
 Because this new concept covers a broader range of issues, from the protection of data to the
protection of human resources, information security is no longer the sole responsibility of a
discrete group of people in the company; rather, it is the responsibility of every employee, and
especially managers.
 Organizations must realize that information security funding and planning decisions involve
more than just technical managers: Rather, the process should involve three distinct groups of
decision makers, or communities of interest:
 Information security managers and professionals
 Information technology managers and professionals
 Nontechnical business managers and professionals
These communities of interest fulfill the following roles:
 The information security community protects the organization’s information assets
from the many threats they face.
 The information technology community supports the business objectives of the
organization by supplying and supporting information technology appropriate to
the business’ needs.
 The nontechnical general business community articulates and communicates
organizational policy and objectives and allocates resources to the other groups.
1.1. THE HISTORY OF INFORMATION SECURITY
 The history of information security begins with computer security.
 The need for computer security—that is, the need to secure physical locations, hardware, and
software from threats—arose during World War II when the first mainframes, developed to aid
computations for communication code breaking were put to use.
 Multiple levels of security were implemented to protect these mainframes and maintain the
integrity of their data.
 Access to sensitive military locations, for example, was controlled by means of badges, keys, and
the facial recognition of authorized personnel by security guards.
The 1960s
 During the Cold War, many more mainframes were brought online to accomplish more
complex and sophisticated tasks.
 It became necessary to enable these mainframes to communicate via a less cumbersome
process than mailing magnetic tapes between computer centers.
 In response to this need, the Department of Defense’s Advanced Research Project Agency
(ARPA) began examining the feasibility of a redundant, networked communications system to
support the military’s exchange of information.
 Larry Roberts, known as the founder of the Internet, developed the project—which was called
ARPANET—from its inception.
 ARPANET is the predecessor to the Internet (see Figure 1-2 for an excerpt from the
ARPANET Program Plan).
The 1970s and 80s
 During the next decade, ARPANET became popular and more widely used, and the potential
for its misuse grew.
 Because of the range and frequency of computer security violations and the explosion in the
numbers of hosts and users on ARPANET, network security was referred to as network
insecurity.
 In 1978, a famous study entitled “Protection Analysis: Final Report” was published. It
focused on a project undertaken by ARPA to discover the vulnerabilities of operating system
security.
 The movement toward security that went beyond protecting physical locations began with a
single paper sponsored by the Department of Defense, the Rand Report R-609, which
attempted to define the multiple controls and mechanisms necessary for the protection of a
multilevel computer system.
 In 1967, systems were being acquired at a rapid rate and securing them was a pressing
concern for both the military and defense contractors.
 Multiplexed Information and Computing Service (MULTICS) was the first operating
system to integrate security into its core functions. It was a mainframe, time-sharing operating
system.
 In mid-1969, not long after the restructuring of the MULTICS project, created a new
operating system called UNIX. While the MULTICS system implemented multiple security
levels and passwords, the UNIX system did not.
 In the late 1970s, the microprocessor brought the personal computer and a new age of
computing.
 The PC became the workhorse of modern computing. This decentralization of data processing
systems in the 1980s gave rise to networking— that is, the interconnecting of personal
computers and mainframe computers, which enabled the entire computing community to
make all their resources work together.
The 1990s
 This gave rise to the Internet, the first global network of networks. The Internet was made
available to the general public in the 1990s, having previously been the domain of
government, academia, and dedicated industry professionals.
 The Internet brought connectivity to virtually all computers that could reach a phone line or an
Internet-connected local area network (LAN).
 As networked computers became the dominant style of computing, the ability to physically
secure a networked computer was lost, and the stored information became more exposed to
security threats.
2000 to Present
 Today, the Internet brings millions of unsecured computer networks into continuous
communication with each other.
 Recent years have seen a growing awareness of the need to improve information security, as
well as a realization that information security is important to national defense.
 The growing threat of cyber-attacks have made governments and companies more aware of
the need to defend the computer-controlled control systems of utilities and other critical
infrastructure.
1.2. WHAT IS SECURITY?
In general, security is “the quality or state of being secure—to be free from danger.” In other
words, protection against adversaries—from those who would do harm, intentionally or
otherwise. A successful organization should have the following multiple layers of security in
place to protect its operations:
 Physical security, which encompasses strategies to protect people, physical assets,
and the workplace from various threats including fire, unauthorized access, or natural
disasters.
 Personal security, which overlaps with physical security in the protection of the
people within the organization.
 Operations security, which focuses on securing the organization’s ability to carry out
its operational activities without interruption or compromise.
 Communications security, which encompasses the protection of an organization’s
communications media, technology, and content, and its ability to use these tools to
achieve the organization’s objectives.
 Network security, which addresses the protection of an organization’s data
networking devices, connections, and contents, and the ability to use that network to
accomplish the organization’s data communication functions.
 Information security includes the broad areas of information security management,
computer and data security, and network security.
Where it has been used?
 Governments, military, financial institutions, hospitals, and private businesses.
 Protecting confidential information is a business requirement.
1.2.1. CIA Triangle
 The Committee on National Security Systems (CNSS) defines information security as the
protection of information and its critical elements, including the systems and hardware that use,
store, and transmit that information.
 Figure 1.1 shows that information security includes the broad areas of information security
management, computer and data security, and network security.
 The CNSS model of information security evolved from a concept developed by the computer
security industry called the C.I.A. triangle.
 The C.I.A. triangle based on the three characteristics of information that give it value to
organizations: confidentiality, integrity, and availability.
 The threats to the confidentiality, integrity, and availability of information have evolved into a vast
collection of events, including accidental or intentional damage, destruction, theft, unintended or
unauthorized modification, or other misuse from human or nonhuman threats.
1.2.2.Key information security concepts
Some of these terms are:
 Access: A subject or object’s ability to use, manipulate, modify, or affect another subject or
object.Authorized users have legal access to a system, whereas hackers have
illegal access to a system. Access controls regulate this ability.
 Asset: The organizational resource that is being protected. An asset can be logical, such as a
Web site, information, or data; or an asset can be physical, such as a person, computer system,
or other tangible object. Assets, and particularly information assets, are the focus of security
efforts; they are what those efforts are attempting to protect.
 Attack: An intentional or unintentional act that can cause damage to or otherwise
compromise information and/or the systems that support it.
o Attacks can be active or passive, intentional or unintentional, and direct or indirect.
o A hacker attempting to break into an information system is an intentional attack.
o A lightning strike that causes a fire in a building is an unintentional attack.
o A direct attack is a hacker using a personal computer to break into a system.
o An indirect attack is a hacker compromising a system and using it to attack other
systems.
o Direct attacks originate from the threat itself. Indirect attacks originate from a
compromised system or resource that is malfunctioning or working under the control
of a threat.
 Control, safeguard, or countermeasure: Security mechanisms, policies, or procedures
that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise
improve the security within an organization.
 Exploit: A technique used to compromise a system. This term can be a verb or a noun.
o Threat agents may attempt to exploit a system or other information asset by using it
illegally for their personal gain. Or, an exploit can be a documented process to take
advantage of a vulnerability or exposure, usually in software, that is either inherent in
the software or is created by the attacker.
o Exploits make use of existing software tools or custom-made software components.
 Exposure: A condition or state of being exposed. In information security, exposure exists
when a vulnerability known to an attacker is present.
 Loss: A single instance of an information asset suffering damage or unintended or
unauthorized modification or disclosure. When an organization’s information is stolen,
it has suffered a loss.
 Protection profile or security posture: The entire set of controls and safeguards, including
policy, education, training and awareness, and technology, that the organization implements
(or fails to implement) to protect the asset.
o The terms are sometimes used interchangeably with the term security program,
although the security program often comprises managerial aspects of security,
including planning, personnel, and subordinate programs.
 Risk: The probability that something unwanted will happen. Organizations must minimize
risk to match their risk appetite—the quantity and nature of risk the organization is willing to
accept.
 Subjects and objects: A computer can be either the subject of an attack—an agent entity
used to conduct the attack—or the object of an attack—the target entity, as shown in Figure
1.2.
o A computer can be both the subject and object of an attack, when, for example, it is
compromised by an attack (object), and is then used to attack other systems (subject).
 Threat: A category of objects, persons, or other entities that presents a danger to an asset.
Threats are always present and can be purposeful or undirected. For example, hackers
purposefully threaten unprotected information systems, while severe storms incidentally
threaten buildings and their contents.
 Threat agent: The specific instance or a component of a threat.
 Vulnerability: A weaknesses or fault in a system or protection mechanism that opens it to
attack or damage. Some examples of vulnerabilities are a flaw in a software package, an
unprotected system port, and an unlocked door.
1.3 CRITICAL CHARACTERISTICS OF INFORMATION (or) INFORMATION
SECURITY COMPONENTS:
 Confidentiality
o Integrity
 Availability
o Privacy
o Identification
o Authentication
o Authorization
o Accountability
 Accuracy
o Utility
o Possession
1.3.1 Confidentiality
 Confidentiality of information ensures that only those with sufficient privileges may access
certain information. When unauthorized individuals or systems can access information,
confidentiality is breached. To protect the confidentiality of information, a number of
measures are used:
 Information classification
 Secure document storage
 Application of general security policies
 Education of information custodians and end users
Example, a credit card transaction on the Internet.
 The system attempts to enforce confidentiality by encrypting the card number during
transmission, by limiting the places where it might appear (in data bases, log files, backups,
printed receipts, and so on), and by restricting access to the places where it is stored.
 Giving out confidential information over the telephone is a breach of confidentiality if the
caller is not authorized to have the information, it could result in a breach of confidentiality.
i. Integrity
 Integrity is the quality or state of being whole, complete, and uncorrupted.
 The integrity of information is threatened when it is exposed to corruption, damage,
destruction, or other disruption of its authentic state.
 Corruption can occur while information is being compiled, stored, or transmitted.
o Integrity means that data cannot be modified without authorization.
o Example: Integrity is violated when an employee deletes important data files, when a
computer virus infects a computer, when an employee is able to modify his own salary
in a payroll database, when an unauthorized user vandalizes a website, when someone
is able to cast a very large number of votes in an online poll, and so on.
1.3.2 Availability
 Availability is the characteristic of information that enables user access to information without
interference or obstruction and in a required format.
 A user in this definition may be either a person or another computer system.
 Availability does not imply that the information is accessible to any user; rather, it means
availability to authorized users.
o For any information system to serve its purpose, the information must be available
when it is needed.
o Example: High availability systems aim to remain available at all times, preventing
service disruptions due to power outages, hardware failures, and system upgrades.
i. Privacy
 The information that is collected, used, and stored by an organization is to be used
only for the purposes stated to the data owner at the time it was collected.
 This definition of privacy does focus on freedom from observation (the meaning
usually associated with the word), but rather means that information will be used only
in ways known to the person providing it.
ii. Identification
 An information system possesses the characteristic of identification when it is able to
recognize individual users.
 Identification and authentication are essential to establishing the level of access or
authorization that an individual is granted.
iii.Authentication
 Authentication occurs when a control provides proof that a user possesses the identity
that he or she claims.
 In computing, e-Business and information security it is necessary to ensure that the
data, transactions, communications or documents(electronic or physical) are genuine
(i.e. they have not been forged or fabricated).
iv.Authorization
 After the identity of a user is authenticated, a process called authorization provides
assurance that the user (whether a person or a computer) has been specifically and
explicitly authorized by the proper authority to access, update, or delete the contents of
an information asset.
V. Accountability
 The characteristic of accountability exists when a control provides assurance that
every activity undertaken can be attributed to a named person or automated process.
 For example, audit logs that track user activity on an information system provide
accountability.
1.3.3 Accuracy
 Information should have accuracy. Information has accuracy when it is free from
mistakes or errors and it has the value that the end users expects.
 If information contains a value different from the user’s expectations, due to the
intentional or unintentional modification of its content, it is no longer accurate.
i. Utility
 Information has value when it serves a particular purpose.
 This means that if information is available, but not in a format meaningful to the end
user, it is not useful. Thus, the value of information depends on its utility.
ii. Possession
 The possession of Information security is the quality or state of having ownership or
control of some object or item.
1.4 NSTISSC SECURITY MODEL
 ‘National Security Telecommunications & Information systems security committee’
document.
 It is now called the National Training Standard for Information security professionals.
 The NSTISSC Security Model provides a more detailed perspective on security.
 While the NSTISSC model covers the three dimensions of information security, it omits
discussion of detailed guidelines and policies that direct the implementation of controls.
 Another weakness of using this model with too limited an approach is to view it from a
single perspective.
 The 3 dimensions of each axis become a 3x3x3 cube with 27 cells representing
areas that must be addressed to secure today’s Information systems.
 To ensure system security, each of the 27 cells must be properly addressed
during the security process.
 For example, the intersection between technology, Integrity & storage areas
require a control or safeguard that addresses the need to use technology to
protect the Integrity of information while in storage.
1.5 COMPONENTS OF AN INFORMATION SYSTEM
 An information system (IS) is much more than computer hardware; it is the entire set of
software, hardware, data, people, procedures, and networks that make possible the use of
information resources in the organization (Fig 1.4).
 These six critical components enable information to be input, processed, output, and stored.
 Each of these IS components has its own strengths and weaknesses, as well as its own
characteristics and uses.
 Each component of the information system also has its own security requirements.
Components are:
 Software
 Hardware
 Data
 People
 Procedures
 Networks
1.5.1 Software
 The software components of IS comprises applications, operating systems, and assorted
command utilities.
 Software programs are the vessels that carry the lifeblood of information through an
organization.
 These are often created under the demanding constraints of project management, which limit
time, cost, and manpower.
1.5.2 Hardware
 Hardware is the physical technology that houses and executes the software, stores and carries
the data, and provides interfaces for the entry and removal of information from the system.
 Physical security policies deal with hardware as a physical asset and with the protection of
these physical assets from harm or theft.
 Applying the traditional tools of physicalsecurity, such as locks and keys, restricts access to
and interaction with the hardware components of an information system.
 Securing the physical location of computers and the computers themselves is important
because a breach of physical security can result in a loss of information.
 Unfortunately, most information systems are built on hardware platforms that cannot
guarantee any level of information security if unrestricted access to the hardware is possible.
1.5.3 Data
 Data stored, processed, and transmitted through a computer system must be protected.
 Data is often the most valuable asset possessed by an organization and is the main target of
intentional attacks.
 The raw, unorganized, discrete(separate, isolated) potentially-useful facts and figures that are
later processed(manipulated) to produce information.
1.5.4 People
 There are many roles for people in information systems. Common ones include
 Systems Analyst
 Programmer
 Technician
 Engineer
 Network Manager
 MIS (Manager of Information Systems)
 Data entry operator
1.5.5 Procedures
 A procedure is a series of documented actions taken to achieve something.
 A procedure is more than a single simple task.
 A procedure can be quite complex and involved, such as performing a backup, shutting down
a system, patching software.
1.5.6 Networks
 When information systems are connected to each other to form Local Area Network (LANs),
and these LANs are connected to other networks such as the Internet, new security challenges
rapidly emerge.
1.6.SECURING COMPONENTS
 Protecting the components from potential misuse and abuse by unauthorized users.
o Subject of an attack
Computer is used as an active tool to conduct the attack.
o Object of an attack
Computer itself is the entity being attacked
Two types of attacks:
1. Direct attack
2. Indirect attack
i. Direct attack
 When a Hacker uses his personal computer to break into a system.[Originate from the
threat itself]
ii. Indirect attack
 When a system is compromised and used to attack other system. [Originate from a
system or resource that itself has been attacked, and is malfunctioning or working under
the control of a threat].
 A computer can, therefore, be both the subject and object of an attack when, for
example, it is first the object of an attack and then compromised and used to attack other
systems, at which point it becomes the subject of an attack.
1.7. BALANCING INFORMATION SECURITY AND ACCESS
 Has to provide the security and is also feasible to access the information for its application.
 Information Security cannot be an absolute: it is a process, not a goal.
 Should balance protection and availability.
 Approaches to Information Security Implementation
 Bottom- up- approach.
 Top-down-approach
 Has higher probability of success.
 Project is initiated by upper level managers who issue policy &
procedures & processes.
 Dictate the goals & expected outcomes of the project.
 Determine who is suitable for each of the required action.
1.8. THE SYSTEMS DEVELOPMENT LIFE CYCLE (SDLC)
SDLC Waterfall Methodology
 SDLC-is a methodology for the design and implementation of an information system in an
organization.
 A methodology is a formal approach to solving a problem based on a structured sequence
of procedures.
 SDLC consists of 6 phases.
1.8.1 Investigation
 It is the most important phase and it begins with an examination of the event or plan that
initiates the process.
 During this phase, the objectives, constraints, and scope of the project are specified.
 At the conclusion of this phase, a feasibility analysis is performed, which assesses the
economic, technical and behavioral feasibilities of the process and ensures that
implementation is worth the organization’s time and effort.
1.8.2 Analysis
 It begins with the information gained during the investigation phase.
 It consists of assessments (quality) of the organization, the status of current systems, and the
capability to support the proposed systems.
 Analysts begin by determining what the new system is expected to do, and how it will interact
with existing systems.
 This phase ends with the documentation of the findings and an update of the feasibility
analysis.
1.8.3 Logical Design
 In this phase, the information gained from the analysis phase is used to begin creating a
systems solution for a business problem.
 Based on the business need, applications are selected that are capable of providing needed
services.  Based on the applications needed, data support and structures capable of providing
the needed inputs are then chosen.
 In this phase, analysts generate a number of alternative solutions, each with corresponding
strengths and weaknesses, and costs and benefits.
 At the end of this phase, another feasibility analysis is performed.
1.8.4 Physical design
 In this phase, specific technologies are selected to support the solutions developed in the
logical design.
 The selected components are evaluated based on a make-or-buy decision.
 Final designs integrate various components and technologies.
1.8.5 Implementation
 In this phase, any needed software is created.
 Components are ordered, received and tested.
 Afterwards, users are trained and supporting documentation created.
 Once all the components are tested individually, they are installed and tested as a system.
 Again a feasibility analysis is prepared, and the sponsors are then presented with the system
for a performance review and acceptance test.
1.8.6 Maintenance and change
 It is the longest and most expensive phase of the process.
 It consists of the tasks necessary to support and modify the system for the remainder of its
useful life cycle.
 Periodically, the system is tested for compliance, with business needs.
 Upgrades, updates, and patches are managed.
 As the needs of the organization change, the systems that support the organization must also
change.
 When a current system can no longer support the organization, the project is terminated and a
new project is implemented.
1.9. THE SECURITY SYSTEMS DEVELOPMENT LIFE CYCLE (SEC SDLC)
 The same phases used in the traditional SDLC can be adapted to support the implementation
of an information security project.
Fig: Secure System Development Life Cycle (SecSDLC)
1.9.1 Investigation
 This phase begins with a directive from upper management, dictating the process,
outcomes, and goals of the project, as well as its budget and other constraints.
 Frequently, this phase begins with an enterprise information security policy, which
outlines the implementation of a security program within the organization.
 Teams of responsible managers, employees, and contractors are organized.
 Problems are analyzed.
 Scope of the project, as well as specific goals and objectives, and any additional
constraints not covered in the program policy, are defined.
 Finally, an organizational feasibility analysis is performed to determine whether the
organization has the resources and commitment necessary to conduct a successful security
analysis and design.
1.9.2. Analysis
 In this phase, the documents from the investigation phase are studied.
 The developed team conducts a preliminary analysis of existing security policies or
programs, along with that of documented current threats and associated controls.
 The risk management task also begins in this phase.
Risk managements the process of identifying, assessing, and evaluating the levels of risk facing
the organization, specifically the threats to the organization’s security and to the information
stored and processed by the organization.
1.9.3. Logical and physical design
 This phase creates and develops the blueprints for information security, and examines and
implements key policies.
 The team plans the incident response actions.
 Plans business response to disaster.
 Determines feasibility of continuing and outsourcing the project.
 In this phase, the information security technology needed to support the blueprint outlined in
the logical design is evaluated.
 Alternative solutions are generated.
 Designs for physical security measures to support the proposed technological solutions are
created.
 At the end of this phase, a feasibility study should determine the readiness of the organization
for the proposed project.
 At this phase, all parties involved have a chance to approve the project before implementation
begins.
1.9.4. Implementation
 Similar to traditional SDLC
 The security solutions are acquired (made or bought), tested, implemented, and tested
again
 Personnel issues are evaluated and specific training and education programs are
conducted.
 Finally, the entire tested package is presented to upper management for final approval.
1.9.5. Testing and Validation
 Constant monitoring, testing, modification, updating, and repairing to meet changing threats
have been done in this phase.
1.10. SECURITY PROFESSIONALS AND THE ORGANIZATION
 Senior management
 Chief information Officer (CIO) is the responsible for
 Assessment
 Management
 implementation of information security in the organization
 Information Security Project Team
 Champion
 Promotes the project
 Ensures its support, both financially & administratively.
 Team Leader
 Understands project management
 Personnel management
 Information Security technical requirements.
 Security policy developers
 individuals who understand the organizational culture,
 existing policies
 Requirements for developing & implementing successful policies.
 Risk assessment specialists
 Individuals who understand financial risk assessment techniques.
 The value of organizational assets,
 The security methods to be used.
 Security Professionals
 Dedicated
 Trained, and well educated specialists in all aspects of information security
from both a technical and non-technical stand point.
 System Administrators
 Administrating the systems that house the information used by the
organization.
 End users
 Data Owners
o Responsible for the security and use of a particular set of information.
o Determine the level of data classification
o Work with subordinate managers to oversee the day-to-day administration of the data.
 Data Custodians
o Responsible for the storage, maintenance, and protection of the information.
o Overseeing data storage and backups
o Implementing the specific procedures and policies.
 Data Users (End users)
o Work with the information to perform their daily jobs supporting the mission of the
organization.
o Everyone in the organization is responsible for the security of data, so data users are
included here as individuals with an information security role
Question Bank
2marks Questions
1. Define information security.
It is a well-informed sense of assurance that the information risks and controls are in
balance.
2. List the critical characteristics of information.
• Availability
• Accuracy
• Authenticity
• Confidentiality
• Integrity
• Utility
• Possession
3. Define security. What are the multiple layers of security?
Security is “the quality or state of being secure-to be free from danger”.
• Physical Security
• Personal Security
• Operations Security
• Communication Security
• Network Security
• Information Security
4. When can a computer be a subject and an object of an attack respectively?
When a computer is the subject of attack, it is used as an active tool to conduct the attack.
When a computer is the object of an attack, it is the entity being attacked.
5. Why is a methodology important in implementing the information security?
Methodology is a formal approach to solve a problem based on a structured sequence of
procedures.
6. Difference between vulnerability and exposure.
Vulnerability Exposure
Weakness or fault in a system or protection
Mechanism that expose information to attack
or damage.
The exposure of an information system is a
Single instance when the system is open to
damage.
7. Sketch the NSTISSC security model.
8. List out the security services.
Three security services:
Confidentiality, integrity, and availability Threats are divided into four broad classes:
 Disclosure, or unauthorized access to information
 Deception, or acceptance of false data
 Disruption, or interruption or prevention of correct operation
 Unauthorized control of some part of a system.
9. Define the snooping and spoofing.
 Snooping: The unauthorized interception of information is a form of disclosure. It is
passive, suggesting simply that some entity is listening to (or reading)
communications or browsing through files or system information.
 Masquerading or spoofing: An impersonation of one entity by another is a form of
both deception and usurpation.
10. List the components used in security models.
 Software
 Hardware
 Data
 People
 Procedures
 Networks
11. What are the functions of Information Security?
 Protects the organization's ability to function
 Enables the safe operation of applications implemented on the organizations IT
systems
 Protects the data the organization collects and uses.
 Safe guards the technology assets in use at the organization
12. What are the phases of SDLC Waterfall method?
 Investigation
 Analysis
 Logical Design
 Physical Design
 Implementation
 Maintenance & change
13. What is Rand Report R-609?
The Rand Report was the first widely recognized published document to identify the
role of management and policy issues in computer security.
The scope of computer security grew from physical security to include:
 Safety of the data
 Limiting unauthorized access to that data
 Involvement of personnel from multiple levels of the organization
14. What is meant by balancing Security and Access?
 It is impossible to obtain perfect security
 It is not an absolute
 It is a process of Security should be considered a balance between protection and
availability
 To achieve balance, the level of security must allow reasonable access
PART–B(16Marks)
1. Describe the Critical Characteristics of Information. Nov/Dec2011
Nov/Dec/May/Jun 2012
1.3 CRITICAL CHARACTERISTICS OF INFORMATION (or) INFORMATION
SECURITY COMPONENTS:
 Confidentiality
o Integrity
 Availability
o Privacy
o Identification
o Authentication
o Authorization
o Accountability
 Accuracy
o Utility
o Possession
1.4.1 Confidentiality
 Confidentiality of information ensures that only those with sufficient privileges may access
certain information. When unauthorized individuals or systems can access information,
confidentiality is breached. To protect the confidentiality of information, a number of
measures are used:
 Information classification
 Secure document storage
 Application of general security policies
 Education of information custodians and end users
Example, a credit card transaction on the Internet.
 The system attempts to enforce confidentiality by encrypting the card number during
transmission, by limiting the places where it might appear (in data bases, log files, backups,
printed receipts, and so on), and by restricting access to the places where it is stored.
 Giving out confidential information over the telephone is a breach of confidentiality if the
caller is not authorized to have the information, it could result in a breach of confidentiality.
ii. Integrity
 Integrity is the quality or state of being whole, complete, and uncorrupted.
 The integrity of information is threatened when it is exposed to corruption, damage,
destruction, or other disruption of its authentic state.
 Corruption can occur while information is being compiled, stored, or transmitted.
o Integrity means that data cannot be modified without authorization.
o Example: Integrity is violated when an employee deletes important data files, when a
computer virus infects a computer, when an employee is able to modify his own salary
in a payroll database, when an unauthorized user vandalizes a website, when someone
is able to cast a very large number of votes in an online poll, and so on.
1.4.2 Availability
 Availability is the characteristic of information that enables user access to information without
interference or obstruction and in a required format.
 A user in this definition may be either a person or another computer system.
 Availability does not imply that the information is accessible to any user; rather, it means
availability to authorized users.
o For any information system to serve its purpose, the information must be available
when it is needed.
o Example: High availability systems aim to remain available at all times, preventing
service disruptions due to power outages, hardware failures, and system upgrades.
v.Privacy
 The information that is collected, used, and stored by an organization is to be used
only for the purposes stated to the data owner at the time it was collected.
 This definition of privacy does focus on freedom from observation (the meaning
usually associated with the word), but rather means that information will be used only
in ways known to the person providing it.
vi.Identification
 An information system possesses the characteristic of identification when it is able to
recognize individual users.
 Identification and authentication are essential to establishing the level of access or
authorization that an individual is granted.
vii. Authentication
 Authentication occurs when a control provides proof that a user possesses the identity
that he or she claims.
 In computing, e-Business and information security it is necessary to ensure that the
data, transactions, communications or documents (electronic or physical) are genuine
(i.e. they have not been forged or fabricated).
viii. Authorization
 After the identity of a user is authenticated, a process called authorization provides
assurance that the user (whether a person or a computer) has been specifically and
explicitly authorized by the proper authority to access, update, or delete the contents of
an information asset.
VI. Accountability
 The characteristic of accountability exists when a control provides assurance that
every activity undertaken can be attributed to a named person or automated process.
 For example, audit logs that track user activity on an information system provide
accountability.
1.4.3 Accuracy
 Information should have accuracy. Information has accuracy when it is free from
mistakes or errors and it has the value that the end users expects.
 If information contains a value different from the user’s expectations, due to the
intentional or unintentional modification of its content, it is no longer accurate.
iii. Utility
 Information has value when it serves a particular purpose.
 This means that if information is available, but not in a format meaningful to the end
user, it is not useful. Thus, the value of information depends on its utility.
iv. Possession
 The possession of Information security is the quality or state of having ownership or
control of some object or item.
2. Explain the Components of an Information System. Nov/Dec 2011
Nov/Dec 2012May/Jun 2013
1.5 COMPONENTS OF AN INFORMATION SYSTEM
 An information system (IS) is much more than computer hardware; it is the entire set of
software, hardware, data, people, procedures, and networks that make possible the use of
information resources in the organization (Fig 1.4).
 These six critical components enable information to be input, processed, output, and stored.
 Each of these IS components has its own strengths and weaknesses, as well as its own
characteristics and uses.
 Each component of the information system also has its own security requirements.
Components are:
 Software
 Hardware
 Data
 People
 Procedures
 Networks
1.5.1 Software
 The software components of IS comprises applications, operating systems, and assorted
command utilities.
 Software programs are the vessels that carry the lifeblood of information through an
organization.
 These are often created under the demanding constraints of project management, which limit
time, cost, and manpower.
1.5.2 Hardware
 Hardware is the physical technology that houses and executes the software, stores and carries
the data, and provides interfaces for the entry and removal of information from the system.
 Physical security policies deal with hardware as a physical asset and with the protection of
these physical assets from harm or theft.
 Applying the traditional tools of physical security, such as locks and keys, restricts access to
and interaction with the hardware components of an information system.
 Securing the physical location of computers and the computers themselves is important
because a breach of physical security can result in a loss of information.
 Unfortunately, most information systems are built on hardware platforms that cannot
guarantee any level of information security if unrestricted access to the hardware is possible.
1.5.3 Data
 Data stored, processed, and transmitted through a computer system must be protected.
 Data is often the most valuable asset possessed by an organization and is the main target of
intentional attacks.
 The raw, unorganized, discrete (separate, isolated) potentially-useful facts and figures that are
later processed(manipulated) to produce information.
1.5.4 People
 There are many roles for people in information systems. Common ones include
 Systems Analyst
 Programmer
 Technician
 Engineer
 Network Manager
 MIS (Manager of Information Systems)
 Data entry operator
1.5.5 Procedures
 A procedure is a series of documented actions taken to achieve something.
 A procedure is more than a single simple task.
 A procedure can be quite complex and involved, such as performing a backup, shutting down
a system, patching software.
1.5.6 Networks
 When information systems are connected to each other to form Local Area Network (LANs),
and these LANs are connected to other networks such as the Internet, new security challenges
rapidly emerge.
3. DiscussSDLCindetail. May/June2013
Answer Refer Topic No. 1.8
4.Describe SecSDLC in detail. Nov/Dec 2011 Nov/Dec2012
May/Jun 2013
Answer Refer Topic No. 1.9
5. Explain the NSTISSC security model and the top down approach and bottom up
approach to security implementation. Nov/Dec2011
Top-down Approach
 Initiated by upper management:
 Issue policy, procedures, and processes
 Dictate the goals and expected outcomes of the project
 Determine who is accountable reach of the required actions
 Strong upper management support, a dedicated champion, dedicated funding, clear
planning, and the chance to influence organizational culture
 Most successful top-down approach
Bottom up Approach
 Security from a grass-roots effort - systems administrators attempt to improve the
security of their systems
 Key advantage-technical expertise of the individual administrators
 Seldom works, as it lacks a number of critical features:
 Participant support
 Organizational staying power
6. Explain any five professional in information security with their role and focus.
Answer Refer Topic No. 1.10

More Related Content

What's hot

Wireless LAN Deployment Best Practices
Wireless LAN Deployment Best PracticesWireless LAN Deployment Best Practices
Wireless LAN Deployment Best PracticesMichael Boman
 
Steganography ProjectReport
Steganography ProjectReportSteganography ProjectReport
Steganography ProjectReportekta sharma
 
Steganography and Its Applications in Security
Steganography and Its Applications in SecuritySteganography and Its Applications in Security
Steganography and Its Applications in SecurityIJMER
 
Sosiaalinen media, pelit ja ruutuaika
Sosiaalinen media, pelit ja ruutuaikaSosiaalinen media, pelit ja ruutuaika
Sosiaalinen media, pelit ja ruutuaikaHarto Pönkä
 
The mobile connectivity infographic
The mobile connectivity infographicThe mobile connectivity infographic
The mobile connectivity infographicKen Tan
 
Bluetooth security
Bluetooth securityBluetooth security
Bluetooth securityRamasubbu .P
 
Tietoturva ja tietosuoja Office 365 -palveluissa
Tietoturva ja tietosuoja Office 365 -palveluissaTietoturva ja tietosuoja Office 365 -palveluissa
Tietoturva ja tietosuoja Office 365 -palveluissaHarto Pönkä
 
google file system
google file systemgoogle file system
google file systemdiptipan
 
[법무법인민후] 원본데이터의 AI 학습목적 활용
[법무법인민후] 원본데이터의 AI 학습목적 활용[법무법인민후] 원본데이터의 AI 학습목적 활용
[법무법인민후] 원본데이터의 AI 학습목적 활용MINWHO Law Group
 
AUDIO STEGANOGRAPHY PRESENTATION
AUDIO STEGANOGRAPHY PRESENTATIONAUDIO STEGANOGRAPHY PRESENTATION
AUDIO STEGANOGRAPHY PRESENTATIONManush Desai
 
AI and Machine Learning In Cybersecurity | A Saviour or Enemy?
AI and Machine Learning In Cybersecurity | A Saviour or Enemy?AI and Machine Learning In Cybersecurity | A Saviour or Enemy?
AI and Machine Learning In Cybersecurity | A Saviour or Enemy?SahilRao25
 
Steganography Engineering project report
Steganography Engineering project reportSteganography Engineering project report
Steganography Engineering project reportRishab Gupta
 
Basics of storage Technology
Basics of storage TechnologyBasics of storage Technology
Basics of storage TechnologyLopamudra Das
 
Security models
Security models Security models
Security models LJ PROJECTS
 

What's hot (20)

Wireless LAN Deployment Best Practices
Wireless LAN Deployment Best PracticesWireless LAN Deployment Best Practices
Wireless LAN Deployment Best Practices
 
Steganography ProjectReport
Steganography ProjectReportSteganography ProjectReport
Steganography ProjectReport
 
Steganography and Its Applications in Security
Steganography and Its Applications in SecuritySteganography and Its Applications in Security
Steganography and Its Applications in Security
 
NTFS Forensics
NTFS Forensics NTFS Forensics
NTFS Forensics
 
Data protection
Data protectionData protection
Data protection
 
Sosiaalinen media, pelit ja ruutuaika
Sosiaalinen media, pelit ja ruutuaikaSosiaalinen media, pelit ja ruutuaika
Sosiaalinen media, pelit ja ruutuaika
 
Audio Steganography synopsis
Audio Steganography synopsisAudio Steganography synopsis
Audio Steganography synopsis
 
The mobile connectivity infographic
The mobile connectivity infographicThe mobile connectivity infographic
The mobile connectivity infographic
 
Stegnography
StegnographyStegnography
Stegnography
 
Snort IDS/IPS Basics
Snort IDS/IPS BasicsSnort IDS/IPS Basics
Snort IDS/IPS Basics
 
Bluetooth security
Bluetooth securityBluetooth security
Bluetooth security
 
Tietoturva ja tietosuoja Office 365 -palveluissa
Tietoturva ja tietosuoja Office 365 -palveluissaTietoturva ja tietosuoja Office 365 -palveluissa
Tietoturva ja tietosuoja Office 365 -palveluissa
 
google file system
google file systemgoogle file system
google file system
 
[법무법인민후] 원본데이터의 AI 학습목적 활용
[법무법인민후] 원본데이터의 AI 학습목적 활용[법무법인민후] 원본데이터의 AI 학습목적 활용
[법무법인민후] 원본데이터의 AI 학습목적 활용
 
AUDIO STEGANOGRAPHY PRESENTATION
AUDIO STEGANOGRAPHY PRESENTATIONAUDIO STEGANOGRAPHY PRESENTATION
AUDIO STEGANOGRAPHY PRESENTATION
 
AI and Machine Learning In Cybersecurity | A Saviour or Enemy?
AI and Machine Learning In Cybersecurity | A Saviour or Enemy?AI and Machine Learning In Cybersecurity | A Saviour or Enemy?
AI and Machine Learning In Cybersecurity | A Saviour or Enemy?
 
Steganography Engineering project report
Steganography Engineering project reportSteganography Engineering project report
Steganography Engineering project report
 
Object storage
Object storageObject storage
Object storage
 
Basics of storage Technology
Basics of storage TechnologyBasics of storage Technology
Basics of storage Technology
 
Security models
Security models Security models
Security models
 

Similar to IT8073 _Information Security _UNIT I Full notes

Information Assurance And Security - Chapter 1 - Lesson 1
Information Assurance And Security - Chapter 1 - Lesson 1Information Assurance And Security - Chapter 1 - Lesson 1
Information Assurance And Security - Chapter 1 - Lesson 1MLG College of Learning, Inc
 
Network Security and Privacy in Medium Scale Businesses in Nigeria
Network Security and Privacy in Medium Scale Businesses in NigeriaNetwork Security and Privacy in Medium Scale Businesses in Nigeria
Network Security and Privacy in Medium Scale Businesses in NigeriaINFOGAIN PUBLICATION
 
Laureate Online Education Information Security Engineering .docx
Laureate Online Education Information Security Engineering .docxLaureate Online Education Information Security Engineering .docx
Laureate Online Education Information Security Engineering .docxDIPESH30
 
Cyber Security
Cyber SecurityCyber Security
Cyber SecurityBryCunal
 
Cyber Security Intelligence
Cyber Security IntelligenceCyber Security Intelligence
Cyber Security Intelligenceijtsrd
 
A Review of Information Security Issues and Techniques.pdf
A Review of Information Security  Issues and Techniques.pdfA Review of Information Security  Issues and Techniques.pdf
A Review of Information Security Issues and Techniques.pdfArlene Smith
 
Paper Titled Information Security in an organization
Paper Titled Information Security in an organizationPaper Titled Information Security in an organization
Paper Titled Information Security in an organizationMohammed Mahfouz Alhassan
 
Cyber security: challenges for society- literature review
Cyber security: challenges for society- literature reviewCyber security: challenges for society- literature review
Cyber security: challenges for society- literature reviewIOSR Journals
 
Security Issues Concerning CryptosystemsStudents NameInstitu.docx
Security Issues Concerning CryptosystemsStudents NameInstitu.docxSecurity Issues Concerning CryptosystemsStudents NameInstitu.docx
Security Issues Concerning CryptosystemsStudents NameInstitu.docxjeffreye3
 
Running Head TRENDS IN CYBERSECURITY1TRENDS IN CYBERSECURITY.docx
Running Head TRENDS IN CYBERSECURITY1TRENDS IN CYBERSECURITY.docxRunning Head TRENDS IN CYBERSECURITY1TRENDS IN CYBERSECURITY.docx
Running Head TRENDS IN CYBERSECURITY1TRENDS IN CYBERSECURITY.docxtodd521
 
Paper id 25201417
Paper id 25201417Paper id 25201417
Paper id 25201417IJRAT
 
Peripheral Review and Analysis of Internet Network Security
Peripheral Review and Analysis of Internet Network SecurityPeripheral Review and Analysis of Internet Network Security
Peripheral Review and Analysis of Internet Network SecurityIJRES Journal
 
DEFENSE MECHANISMS FOR COMPUTER-BASED INFORMATION SYSTEMS
DEFENSE MECHANISMS FOR COMPUTER-BASED INFORMATION SYSTEMS DEFENSE MECHANISMS FOR COMPUTER-BASED INFORMATION SYSTEMS
DEFENSE MECHANISMS FOR COMPUTER-BASED INFORMATION SYSTEMS IJNSA Journal
 
ZamanAsad_INFA 670_9041_RPAPER_Cybersecurity-3
ZamanAsad_INFA 670_9041_RPAPER_Cybersecurity-3ZamanAsad_INFA 670_9041_RPAPER_Cybersecurity-3
ZamanAsad_INFA 670_9041_RPAPER_Cybersecurity-3Asad Zaman
 

Similar to IT8073 _Information Security _UNIT I Full notes (20)

Information Assurance And Security - Chapter 1 - Lesson 1
Information Assurance And Security - Chapter 1 - Lesson 1Information Assurance And Security - Chapter 1 - Lesson 1
Information Assurance And Security - Chapter 1 - Lesson 1
 
Network Security and Privacy in Medium Scale Businesses in Nigeria
Network Security and Privacy in Medium Scale Businesses in NigeriaNetwork Security and Privacy in Medium Scale Businesses in Nigeria
Network Security and Privacy in Medium Scale Businesses in Nigeria
 
Laureate Online Education Information Security Engineering .docx
Laureate Online Education Information Security Engineering .docxLaureate Online Education Information Security Engineering .docx
Laureate Online Education Information Security Engineering .docx
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
Cyber Security Intelligence
Cyber Security IntelligenceCyber Security Intelligence
Cyber Security Intelligence
 
A Review of Information Security Issues and Techniques.pdf
A Review of Information Security  Issues and Techniques.pdfA Review of Information Security  Issues and Techniques.pdf
A Review of Information Security Issues and Techniques.pdf
 
MIS 7.pptx
MIS 7.pptxMIS 7.pptx
MIS 7.pptx
 
Paper Titled Information Security in an organization
Paper Titled Information Security in an organizationPaper Titled Information Security in an organization
Paper Titled Information Security in an organization
 
820 1961-1-pb
820 1961-1-pb820 1961-1-pb
820 1961-1-pb
 
Forensics
ForensicsForensics
Forensics
 
Cyber security: challenges for society- literature review
Cyber security: challenges for society- literature reviewCyber security: challenges for society- literature review
Cyber security: challenges for society- literature review
 
Security Issues Concerning CryptosystemsStudents NameInstitu.docx
Security Issues Concerning CryptosystemsStudents NameInstitu.docxSecurity Issues Concerning CryptosystemsStudents NameInstitu.docx
Security Issues Concerning CryptosystemsStudents NameInstitu.docx
 
Is ch1 (2)
Is ch1 (2)Is ch1 (2)
Is ch1 (2)
 
Lecture 1-2.pdf
Lecture 1-2.pdfLecture 1-2.pdf
Lecture 1-2.pdf
 
Running Head TRENDS IN CYBERSECURITY1TRENDS IN CYBERSECURITY.docx
Running Head TRENDS IN CYBERSECURITY1TRENDS IN CYBERSECURITY.docxRunning Head TRENDS IN CYBERSECURITY1TRENDS IN CYBERSECURITY.docx
Running Head TRENDS IN CYBERSECURITY1TRENDS IN CYBERSECURITY.docx
 
Paper id 25201417
Paper id 25201417Paper id 25201417
Paper id 25201417
 
Peripheral Review and Analysis of Internet Network Security
Peripheral Review and Analysis of Internet Network SecurityPeripheral Review and Analysis of Internet Network Security
Peripheral Review and Analysis of Internet Network Security
 
DEFENSE MECHANISMS FOR COMPUTER-BASED INFORMATION SYSTEMS
DEFENSE MECHANISMS FOR COMPUTER-BASED INFORMATION SYSTEMS DEFENSE MECHANISMS FOR COMPUTER-BASED INFORMATION SYSTEMS
DEFENSE MECHANISMS FOR COMPUTER-BASED INFORMATION SYSTEMS
 
A01450131
A01450131A01450131
A01450131
 
ZamanAsad_INFA 670_9041_RPAPER_Cybersecurity-3
ZamanAsad_INFA 670_9041_RPAPER_Cybersecurity-3ZamanAsad_INFA 670_9041_RPAPER_Cybersecurity-3
ZamanAsad_INFA 670_9041_RPAPER_Cybersecurity-3
 

More from Asst.prof M.Gokilavani

IT8073_Information Security_UNIT I _.pdf
IT8073_Information Security_UNIT I _.pdfIT8073_Information Security_UNIT I _.pdf
IT8073_Information Security_UNIT I _.pdfAsst.prof M.Gokilavani
 
GE3151 PSPP UNIT IV QUESTION BANK.docx.pdf
GE3151 PSPP UNIT IV QUESTION BANK.docx.pdfGE3151 PSPP UNIT IV QUESTION BANK.docx.pdf
GE3151 PSPP UNIT IV QUESTION BANK.docx.pdfAsst.prof M.Gokilavani
 
GE3151 PSPP UNIT III QUESTION BANK.docx.pdf
GE3151 PSPP UNIT III QUESTION BANK.docx.pdfGE3151 PSPP UNIT III QUESTION BANK.docx.pdf
GE3151 PSPP UNIT III QUESTION BANK.docx.pdfAsst.prof M.Gokilavani
 
GE3151 PSPP All unit question bank.pdf
GE3151 PSPP All unit question bank.pdfGE3151 PSPP All unit question bank.pdf
GE3151 PSPP All unit question bank.pdfAsst.prof M.Gokilavani
 
AI3391 Artificial intelligence Unit IV Notes _ merged.pdf
AI3391 Artificial intelligence Unit IV Notes _ merged.pdfAI3391 Artificial intelligence Unit IV Notes _ merged.pdf
AI3391 Artificial intelligence Unit IV Notes _ merged.pdfAsst.prof M.Gokilavani
 
AI3391 Artificial intelligence Session 29 Forward and backward chaining.pdf
AI3391 Artificial intelligence Session 29 Forward and backward chaining.pdfAI3391 Artificial intelligence Session 29 Forward and backward chaining.pdf
AI3391 Artificial intelligence Session 29 Forward and backward chaining.pdfAsst.prof M.Gokilavani
 
AI3391 Artificial intelligence Session 28 Resolution.pptx
AI3391 Artificial intelligence Session 28 Resolution.pptxAI3391 Artificial intelligence Session 28 Resolution.pptx
AI3391 Artificial intelligence Session 28 Resolution.pptxAsst.prof M.Gokilavani
 
AI3391 Artificial intelligence session 27 inference and unification.pptx
AI3391 Artificial intelligence session 27 inference and unification.pptxAI3391 Artificial intelligence session 27 inference and unification.pptx
AI3391 Artificial intelligence session 27 inference and unification.pptxAsst.prof M.Gokilavani
 
AI3391 Artificial Intelligence Session 26 First order logic.pptx
AI3391 Artificial Intelligence Session 26 First order logic.pptxAI3391 Artificial Intelligence Session 26 First order logic.pptx
AI3391 Artificial Intelligence Session 26 First order logic.pptxAsst.prof M.Gokilavani
 
AI3391 Artificial Intelligence Session 25 Horn clause.pptx
AI3391 Artificial Intelligence Session 25 Horn clause.pptxAI3391 Artificial Intelligence Session 25 Horn clause.pptx
AI3391 Artificial Intelligence Session 25 Horn clause.pptxAsst.prof M.Gokilavani
 
AI3391 Artificial Intelligence session 24 knowledge representation.pptx
AI3391 Artificial Intelligence session 24 knowledge representation.pptxAI3391 Artificial Intelligence session 24 knowledge representation.pptx
AI3391 Artificial Intelligence session 24 knowledge representation.pptxAsst.prof M.Gokilavani
 
AI3391 Artificial Intelligence UNIT III Notes_merged.pdf
AI3391 Artificial Intelligence UNIT III Notes_merged.pdfAI3391 Artificial Intelligence UNIT III Notes_merged.pdf
AI3391 Artificial Intelligence UNIT III Notes_merged.pdfAsst.prof M.Gokilavani
 
AI3391 Artificial Intelligence Session 23 Backtracking CSP's.pptx
AI3391 Artificial Intelligence Session 23 Backtracking CSP's.pptxAI3391 Artificial Intelligence Session 23 Backtracking CSP's.pptx
AI3391 Artificial Intelligence Session 23 Backtracking CSP's.pptxAsst.prof M.Gokilavani
 
AI3391 Artificial intelligence Session 22 Cryptarithmetic problem.pptx
AI3391 Artificial intelligence Session 22 Cryptarithmetic problem.pptxAI3391 Artificial intelligence Session 22 Cryptarithmetic problem.pptx
AI3391 Artificial intelligence Session 22 Cryptarithmetic problem.pptxAsst.prof M.Gokilavani
 

More from Asst.prof M.Gokilavani (20)

IT8073_Information Security_UNIT I _.pdf
IT8073_Information Security_UNIT I _.pdfIT8073_Information Security_UNIT I _.pdf
IT8073_Information Security_UNIT I _.pdf
 
GE3151 PSPP UNIT IV QUESTION BANK.docx.pdf
GE3151 PSPP UNIT IV QUESTION BANK.docx.pdfGE3151 PSPP UNIT IV QUESTION BANK.docx.pdf
GE3151 PSPP UNIT IV QUESTION BANK.docx.pdf
 
GE3151 PSPP UNIT III QUESTION BANK.docx.pdf
GE3151 PSPP UNIT III QUESTION BANK.docx.pdfGE3151 PSPP UNIT III QUESTION BANK.docx.pdf
GE3151 PSPP UNIT III QUESTION BANK.docx.pdf
 
GE3151 UNIT II Study material .pdf
GE3151 UNIT II Study material .pdfGE3151 UNIT II Study material .pdf
GE3151 UNIT II Study material .pdf
 
GE3151 PSPP All unit question bank.pdf
GE3151 PSPP All unit question bank.pdfGE3151 PSPP All unit question bank.pdf
GE3151 PSPP All unit question bank.pdf
 
GE3151_PSPP_All unit _Notes
GE3151_PSPP_All unit _NotesGE3151_PSPP_All unit _Notes
GE3151_PSPP_All unit _Notes
 
GE3151_PSPP_UNIT_5_Notes
GE3151_PSPP_UNIT_5_NotesGE3151_PSPP_UNIT_5_Notes
GE3151_PSPP_UNIT_5_Notes
 
GE3151_PSPP_UNIT_4_Notes
GE3151_PSPP_UNIT_4_NotesGE3151_PSPP_UNIT_4_Notes
GE3151_PSPP_UNIT_4_Notes
 
GE3151_PSPP_UNIT_3_Notes
GE3151_PSPP_UNIT_3_NotesGE3151_PSPP_UNIT_3_Notes
GE3151_PSPP_UNIT_3_Notes
 
GE3151_PSPP_UNIT_2_Notes
GE3151_PSPP_UNIT_2_NotesGE3151_PSPP_UNIT_2_Notes
GE3151_PSPP_UNIT_2_Notes
 
AI3391 Artificial intelligence Unit IV Notes _ merged.pdf
AI3391 Artificial intelligence Unit IV Notes _ merged.pdfAI3391 Artificial intelligence Unit IV Notes _ merged.pdf
AI3391 Artificial intelligence Unit IV Notes _ merged.pdf
 
AI3391 Artificial intelligence Session 29 Forward and backward chaining.pdf
AI3391 Artificial intelligence Session 29 Forward and backward chaining.pdfAI3391 Artificial intelligence Session 29 Forward and backward chaining.pdf
AI3391 Artificial intelligence Session 29 Forward and backward chaining.pdf
 
AI3391 Artificial intelligence Session 28 Resolution.pptx
AI3391 Artificial intelligence Session 28 Resolution.pptxAI3391 Artificial intelligence Session 28 Resolution.pptx
AI3391 Artificial intelligence Session 28 Resolution.pptx
 
AI3391 Artificial intelligence session 27 inference and unification.pptx
AI3391 Artificial intelligence session 27 inference and unification.pptxAI3391 Artificial intelligence session 27 inference and unification.pptx
AI3391 Artificial intelligence session 27 inference and unification.pptx
 
AI3391 Artificial Intelligence Session 26 First order logic.pptx
AI3391 Artificial Intelligence Session 26 First order logic.pptxAI3391 Artificial Intelligence Session 26 First order logic.pptx
AI3391 Artificial Intelligence Session 26 First order logic.pptx
 
AI3391 Artificial Intelligence Session 25 Horn clause.pptx
AI3391 Artificial Intelligence Session 25 Horn clause.pptxAI3391 Artificial Intelligence Session 25 Horn clause.pptx
AI3391 Artificial Intelligence Session 25 Horn clause.pptx
 
AI3391 Artificial Intelligence session 24 knowledge representation.pptx
AI3391 Artificial Intelligence session 24 knowledge representation.pptxAI3391 Artificial Intelligence session 24 knowledge representation.pptx
AI3391 Artificial Intelligence session 24 knowledge representation.pptx
 
AI3391 Artificial Intelligence UNIT III Notes_merged.pdf
AI3391 Artificial Intelligence UNIT III Notes_merged.pdfAI3391 Artificial Intelligence UNIT III Notes_merged.pdf
AI3391 Artificial Intelligence UNIT III Notes_merged.pdf
 
AI3391 Artificial Intelligence Session 23 Backtracking CSP's.pptx
AI3391 Artificial Intelligence Session 23 Backtracking CSP's.pptxAI3391 Artificial Intelligence Session 23 Backtracking CSP's.pptx
AI3391 Artificial Intelligence Session 23 Backtracking CSP's.pptx
 
AI3391 Artificial intelligence Session 22 Cryptarithmetic problem.pptx
AI3391 Artificial intelligence Session 22 Cryptarithmetic problem.pptxAI3391 Artificial intelligence Session 22 Cryptarithmetic problem.pptx
AI3391 Artificial intelligence Session 22 Cryptarithmetic problem.pptx
 

Recently uploaded

Novel 3D-Printed Soft Linear and Bending Actuators
Novel 3D-Printed Soft Linear and Bending ActuatorsNovel 3D-Printed Soft Linear and Bending Actuators
Novel 3D-Printed Soft Linear and Bending ActuatorsResearcher Researcher
 
WAVELET SCATTERING TRANSFORM FOR ECG CARDIOVASCULAR DISEASE CLASSIFICATION
WAVELET SCATTERING TRANSFORM FOR ECG CARDIOVASCULAR DISEASE CLASSIFICATIONWAVELET SCATTERING TRANSFORM FOR ECG CARDIOVASCULAR DISEASE CLASSIFICATION
WAVELET SCATTERING TRANSFORM FOR ECG CARDIOVASCULAR DISEASE CLASSIFICATIONgerogepatton
 
Secure Key Crypto - Tech Paper JET Tech Labs
Secure Key Crypto - Tech Paper JET Tech LabsSecure Key Crypto - Tech Paper JET Tech Labs
Secure Key Crypto - Tech Paper JET Tech Labsamber724300
 
priority interrupt computer organization
priority interrupt computer organizationpriority interrupt computer organization
priority interrupt computer organizationchnrketan
 
Plastifloor Park Deck Waterproofing System_Flyer
Plastifloor Park Deck Waterproofing System_FlyerPlastifloor Park Deck Waterproofing System_Flyer
Plastifloor Park Deck Waterproofing System_FlyerPlasti-Chemie GmbH
 
ADM100 Running Book for sap basis domain study
ADM100 Running Book for sap basis domain studyADM100 Running Book for sap basis domain study
ADM100 Running Book for sap basis domain studydhruvamdhruvil123
 
Defining the Clouds for entriprises.pptx
Defining the Clouds for entriprises.pptxDefining the Clouds for entriprises.pptx
Defining the Clouds for entriprises.pptxAshwiniTodkar4
 
Indian Tradition, Culture & Societies.pdf
Indian Tradition, Culture & Societies.pdfIndian Tradition, Culture & Societies.pdf
Indian Tradition, Culture & Societies.pdfalokitpathak01
 
Madani.store - Planning - Interview Questions
Madani.store - Planning - Interview QuestionsMadani.store - Planning - Interview Questions
Madani.store - Planning - Interview QuestionsKarim Gaber
 
Guardians of E-Commerce: Harnessing NLP and Machine Learning Approaches for A...
Guardians of E-Commerce: Harnessing NLP and Machine Learning Approaches for A...Guardians of E-Commerce: Harnessing NLP and Machine Learning Approaches for A...
Guardians of E-Commerce: Harnessing NLP and Machine Learning Approaches for A...IJAEMSJORNAL
 
Overview of IS 16700:2023 (by priyansh verma)
Overview of IS 16700:2023 (by priyansh verma)Overview of IS 16700:2023 (by priyansh verma)
Overview of IS 16700:2023 (by priyansh verma)Priyansh
 
AntColonyOptimizationManetNetworkAODV.pptx
AntColonyOptimizationManetNetworkAODV.pptxAntColonyOptimizationManetNetworkAODV.pptx
AntColonyOptimizationManetNetworkAODV.pptxLina Kadam
 
Introduction to Artificial Intelligence: Intelligent Agents, State Space Sear...
Introduction to Artificial Intelligence: Intelligent Agents, State Space Sear...Introduction to Artificial Intelligence: Intelligent Agents, State Space Sear...
Introduction to Artificial Intelligence: Intelligent Agents, State Space Sear...shreenathji26
 
Ece technical seminar topic for under graduate.pptx
Ece technical seminar topic for under graduate.pptxEce technical seminar topic for under graduate.pptx
Ece technical seminar topic for under graduate.pptxArjunPLinekaje
 
Javier_Fernandez_CARS_workshop_presentation.pptx
Javier_Fernandez_CARS_workshop_presentation.pptxJavier_Fernandez_CARS_workshop_presentation.pptx
Javier_Fernandez_CARS_workshop_presentation.pptxJavier Fernández Muñoz
 
Cost estimation approach: FP to COCOMO scenario based question
Cost estimation approach: FP to COCOMO scenario based questionCost estimation approach: FP to COCOMO scenario based question
Cost estimation approach: FP to COCOMO scenario based questionSneha Padhiar
 
Network Enhancements on BitVisor for BitVisor Summit 12
Network Enhancements on BitVisor for BitVisor Summit 12Network Enhancements on BitVisor for BitVisor Summit 12
Network Enhancements on BitVisor for BitVisor Summit 12cjchen22
 
Introduction of Object Oriented Programming Language using Java. .pptx
Introduction of Object Oriented Programming Language using Java. .pptxIntroduction of Object Oriented Programming Language using Java. .pptx
Introduction of Object Oriented Programming Language using Java. .pptxPoonam60376
 
LM7_ Embedded Sql and Dynamic SQL in dbms
LM7_ Embedded Sql and Dynamic SQL in dbmsLM7_ Embedded Sql and Dynamic SQL in dbms
LM7_ Embedded Sql and Dynamic SQL in dbmsBalaKrish12
 
Design and Analysis of Algorithms Lecture Notes
Design and Analysis of Algorithms Lecture NotesDesign and Analysis of Algorithms Lecture Notes
Design and Analysis of Algorithms Lecture NotesSreedhar Chowdam
 

Recently uploaded (20)

Novel 3D-Printed Soft Linear and Bending Actuators
Novel 3D-Printed Soft Linear and Bending ActuatorsNovel 3D-Printed Soft Linear and Bending Actuators
Novel 3D-Printed Soft Linear and Bending Actuators
 
WAVELET SCATTERING TRANSFORM FOR ECG CARDIOVASCULAR DISEASE CLASSIFICATION
WAVELET SCATTERING TRANSFORM FOR ECG CARDIOVASCULAR DISEASE CLASSIFICATIONWAVELET SCATTERING TRANSFORM FOR ECG CARDIOVASCULAR DISEASE CLASSIFICATION
WAVELET SCATTERING TRANSFORM FOR ECG CARDIOVASCULAR DISEASE CLASSIFICATION
 
Secure Key Crypto - Tech Paper JET Tech Labs
Secure Key Crypto - Tech Paper JET Tech LabsSecure Key Crypto - Tech Paper JET Tech Labs
Secure Key Crypto - Tech Paper JET Tech Labs
 
priority interrupt computer organization
priority interrupt computer organizationpriority interrupt computer organization
priority interrupt computer organization
 
Plastifloor Park Deck Waterproofing System_Flyer
Plastifloor Park Deck Waterproofing System_FlyerPlastifloor Park Deck Waterproofing System_Flyer
Plastifloor Park Deck Waterproofing System_Flyer
 
ADM100 Running Book for sap basis domain study
ADM100 Running Book for sap basis domain studyADM100 Running Book for sap basis domain study
ADM100 Running Book for sap basis domain study
 
Defining the Clouds for entriprises.pptx
Defining the Clouds for entriprises.pptxDefining the Clouds for entriprises.pptx
Defining the Clouds for entriprises.pptx
 
Indian Tradition, Culture & Societies.pdf
Indian Tradition, Culture & Societies.pdfIndian Tradition, Culture & Societies.pdf
Indian Tradition, Culture & Societies.pdf
 
Madani.store - Planning - Interview Questions
Madani.store - Planning - Interview QuestionsMadani.store - Planning - Interview Questions
Madani.store - Planning - Interview Questions
 
Guardians of E-Commerce: Harnessing NLP and Machine Learning Approaches for A...
Guardians of E-Commerce: Harnessing NLP and Machine Learning Approaches for A...Guardians of E-Commerce: Harnessing NLP and Machine Learning Approaches for A...
Guardians of E-Commerce: Harnessing NLP and Machine Learning Approaches for A...
 
Overview of IS 16700:2023 (by priyansh verma)
Overview of IS 16700:2023 (by priyansh verma)Overview of IS 16700:2023 (by priyansh verma)
Overview of IS 16700:2023 (by priyansh verma)
 
AntColonyOptimizationManetNetworkAODV.pptx
AntColonyOptimizationManetNetworkAODV.pptxAntColonyOptimizationManetNetworkAODV.pptx
AntColonyOptimizationManetNetworkAODV.pptx
 
Introduction to Artificial Intelligence: Intelligent Agents, State Space Sear...
Introduction to Artificial Intelligence: Intelligent Agents, State Space Sear...Introduction to Artificial Intelligence: Intelligent Agents, State Space Sear...
Introduction to Artificial Intelligence: Intelligent Agents, State Space Sear...
 
Ece technical seminar topic for under graduate.pptx
Ece technical seminar topic for under graduate.pptxEce technical seminar topic for under graduate.pptx
Ece technical seminar topic for under graduate.pptx
 
Javier_Fernandez_CARS_workshop_presentation.pptx
Javier_Fernandez_CARS_workshop_presentation.pptxJavier_Fernandez_CARS_workshop_presentation.pptx
Javier_Fernandez_CARS_workshop_presentation.pptx
 
Cost estimation approach: FP to COCOMO scenario based question
Cost estimation approach: FP to COCOMO scenario based questionCost estimation approach: FP to COCOMO scenario based question
Cost estimation approach: FP to COCOMO scenario based question
 
Network Enhancements on BitVisor for BitVisor Summit 12
Network Enhancements on BitVisor for BitVisor Summit 12Network Enhancements on BitVisor for BitVisor Summit 12
Network Enhancements on BitVisor for BitVisor Summit 12
 
Introduction of Object Oriented Programming Language using Java. .pptx
Introduction of Object Oriented Programming Language using Java. .pptxIntroduction of Object Oriented Programming Language using Java. .pptx
Introduction of Object Oriented Programming Language using Java. .pptx
 
LM7_ Embedded Sql and Dynamic SQL in dbms
LM7_ Embedded Sql and Dynamic SQL in dbmsLM7_ Embedded Sql and Dynamic SQL in dbms
LM7_ Embedded Sql and Dynamic SQL in dbms
 
Design and Analysis of Algorithms Lecture Notes
Design and Analysis of Algorithms Lecture NotesDesign and Analysis of Algorithms Lecture Notes
Design and Analysis of Algorithms Lecture Notes
 

IT8073 _Information Security _UNIT I Full notes

  • 1. IT8073 INFORMATION SECURITY BE IV YEAR – VIII SEM (R18) (2024-2025) Prepared By Asst.Prof.M.Gokilavani Department of Computer Science and Engineering
  • 2. Diploma, Anna Univ UG & PG Courses Notes Available @ Syllabus Question Papers Results and Many more… www.AllAbtEngg.com Available in /AllAbtEngg Android App too, IT8073 INFORMATION SECURITY DETAILED SYLLABUS OBJECTIVES: • To understand the basics of Information Security • To know the legal, ethical and professional issues in Information Security • To know the aspects of risk management • To become aware of various standards in this area • To know the technological aspects of Information Security UNIT I INTRODUCTION History, what is Information Security? Critical Characteristics of Information, NSTISSC Security Model, Components of an Information System, Securing the Components, Balancing Security and Access, The SDLC, The Security SDLC UNIT II SECURITY INVESTIGATION Need for Security, Business Needs, Threats, Attacks, Legal, Ethical and Professional Issues - An Overview of Computer Security - Access Control Matrix, Policy-Security policies, Confidentiality policies, Integrity policies and Hybrid policies UNIT III SECURITY ANALYSIS Risk Management: Identifying and Assessing Risk, Assessing and Controlling Risk - Systems: Access Control Mechanisms, Information Flow and Confinement Problem UNIT IV LOGICAL DESIGN Blueprint for Security, Information Security Policy, Standards and Practices, ISO 17799/BS 7799, NIST Models, VISA International Security Model, Design of Security Architecture, Planning for Continuity UNIT V PHYSICAL DESIGN Security Technology, IDS, Scanning and Analysis Tools, Cryptography, Access Control Devices, Physical Security, Security and Personnel TEXT BOOK: 1. Michael E Whitman and Herbert J Mattord, ―Principles of Information Security‖, Vikas Publishing House, New Delhi, 2003 REFERENCES 1. Micki Krause, Harold F. Tipton, ― Handbook of Information Security Management‖, Vol 1- 3 CRC Press LLC, 2004. 2. Stuart McClure, Joel Scrambray, George Kurtz, ―Hacking Exposed‖, Tata McGraw- Hill, 2003 3. Matt Bishop, ― Computer Security Art and Science‖, Pearson/PHI, 2002.
  • 3. UNIT I– INTRODUCTION: History, what is Information Security? Critical Characteristics of Information, NSTISSC Security Model, Components of an Information System, Securing the Components, Balancing Security and Access, The SDLC, The Security SDLC. 1. INTRODUCTION:  Information technology is the vehicle that stores and transports information—a company’s most valuable resource—from one business unit to another.  But what happens if the vehicle breaks down, even for a little while? As businesses have become more fluid, the concept of computer security has been replaced by the concept of information security.  Because this new concept covers a broader range of issues, from the protection of data to the protection of human resources, information security is no longer the sole responsibility of a discrete group of people in the company; rather, it is the responsibility of every employee, and especially managers.  Organizations must realize that information security funding and planning decisions involve more than just technical managers: Rather, the process should involve three distinct groups of decision makers, or communities of interest:  Information security managers and professionals  Information technology managers and professionals  Nontechnical business managers and professionals These communities of interest fulfill the following roles:  The information security community protects the organization’s information assets from the many threats they face.  The information technology community supports the business objectives of the organization by supplying and supporting information technology appropriate to the business’ needs.  The nontechnical general business community articulates and communicates organizational policy and objectives and allocates resources to the other groups. 1.1. THE HISTORY OF INFORMATION SECURITY  The history of information security begins with computer security.  The need for computer security—that is, the need to secure physical locations, hardware, and software from threats—arose during World War II when the first mainframes, developed to aid computations for communication code breaking were put to use.  Multiple levels of security were implemented to protect these mainframes and maintain the integrity of their data.  Access to sensitive military locations, for example, was controlled by means of badges, keys, and the facial recognition of authorized personnel by security guards.
  • 4. The 1960s  During the Cold War, many more mainframes were brought online to accomplish more complex and sophisticated tasks.  It became necessary to enable these mainframes to communicate via a less cumbersome process than mailing magnetic tapes between computer centers.  In response to this need, the Department of Defense’s Advanced Research Project Agency (ARPA) began examining the feasibility of a redundant, networked communications system to support the military’s exchange of information.  Larry Roberts, known as the founder of the Internet, developed the project—which was called ARPANET—from its inception.  ARPANET is the predecessor to the Internet (see Figure 1-2 for an excerpt from the ARPANET Program Plan). The 1970s and 80s  During the next decade, ARPANET became popular and more widely used, and the potential for its misuse grew.  Because of the range and frequency of computer security violations and the explosion in the numbers of hosts and users on ARPANET, network security was referred to as network insecurity.  In 1978, a famous study entitled “Protection Analysis: Final Report” was published. It focused on a project undertaken by ARPA to discover the vulnerabilities of operating system security.  The movement toward security that went beyond protecting physical locations began with a single paper sponsored by the Department of Defense, the Rand Report R-609, which attempted to define the multiple controls and mechanisms necessary for the protection of a multilevel computer system.  In 1967, systems were being acquired at a rapid rate and securing them was a pressing concern for both the military and defense contractors.  Multiplexed Information and Computing Service (MULTICS) was the first operating system to integrate security into its core functions. It was a mainframe, time-sharing operating system.  In mid-1969, not long after the restructuring of the MULTICS project, created a new operating system called UNIX. While the MULTICS system implemented multiple security levels and passwords, the UNIX system did not.  In the late 1970s, the microprocessor brought the personal computer and a new age of computing.  The PC became the workhorse of modern computing. This decentralization of data processing systems in the 1980s gave rise to networking— that is, the interconnecting of personal computers and mainframe computers, which enabled the entire computing community to make all their resources work together.
  • 5. The 1990s  This gave rise to the Internet, the first global network of networks. The Internet was made available to the general public in the 1990s, having previously been the domain of government, academia, and dedicated industry professionals.  The Internet brought connectivity to virtually all computers that could reach a phone line or an Internet-connected local area network (LAN).  As networked computers became the dominant style of computing, the ability to physically secure a networked computer was lost, and the stored information became more exposed to security threats. 2000 to Present  Today, the Internet brings millions of unsecured computer networks into continuous communication with each other.  Recent years have seen a growing awareness of the need to improve information security, as well as a realization that information security is important to national defense.  The growing threat of cyber-attacks have made governments and companies more aware of the need to defend the computer-controlled control systems of utilities and other critical infrastructure. 1.2. WHAT IS SECURITY? In general, security is “the quality or state of being secure—to be free from danger.” In other words, protection against adversaries—from those who would do harm, intentionally or otherwise. A successful organization should have the following multiple layers of security in place to protect its operations:  Physical security, which encompasses strategies to protect people, physical assets, and the workplace from various threats including fire, unauthorized access, or natural disasters.  Personal security, which overlaps with physical security in the protection of the people within the organization.  Operations security, which focuses on securing the organization’s ability to carry out its operational activities without interruption or compromise.  Communications security, which encompasses the protection of an organization’s communications media, technology, and content, and its ability to use these tools to achieve the organization’s objectives.  Network security, which addresses the protection of an organization’s data networking devices, connections, and contents, and the ability to use that network to accomplish the organization’s data communication functions.  Information security includes the broad areas of information security management, computer and data security, and network security. Where it has been used?  Governments, military, financial institutions, hospitals, and private businesses.  Protecting confidential information is a business requirement.
  • 6. 1.2.1. CIA Triangle  The Committee on National Security Systems (CNSS) defines information security as the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.  Figure 1.1 shows that information security includes the broad areas of information security management, computer and data security, and network security.  The CNSS model of information security evolved from a concept developed by the computer security industry called the C.I.A. triangle.  The C.I.A. triangle based on the three characteristics of information that give it value to organizations: confidentiality, integrity, and availability.  The threats to the confidentiality, integrity, and availability of information have evolved into a vast collection of events, including accidental or intentional damage, destruction, theft, unintended or unauthorized modification, or other misuse from human or nonhuman threats. 1.2.2.Key information security concepts Some of these terms are:  Access: A subject or object’s ability to use, manipulate, modify, or affect another subject or object.Authorized users have legal access to a system, whereas hackers have illegal access to a system. Access controls regulate this ability.  Asset: The organizational resource that is being protected. An asset can be logical, such as a Web site, information, or data; or an asset can be physical, such as a person, computer system,
  • 7. or other tangible object. Assets, and particularly information assets, are the focus of security efforts; they are what those efforts are attempting to protect.  Attack: An intentional or unintentional act that can cause damage to or otherwise compromise information and/or the systems that support it. o Attacks can be active or passive, intentional or unintentional, and direct or indirect. o A hacker attempting to break into an information system is an intentional attack. o A lightning strike that causes a fire in a building is an unintentional attack. o A direct attack is a hacker using a personal computer to break into a system. o An indirect attack is a hacker compromising a system and using it to attack other systems. o Direct attacks originate from the threat itself. Indirect attacks originate from a compromised system or resource that is malfunctioning or working under the control of a threat.  Control, safeguard, or countermeasure: Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization.  Exploit: A technique used to compromise a system. This term can be a verb or a noun. o Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain. Or, an exploit can be a documented process to take advantage of a vulnerability or exposure, usually in software, that is either inherent in the software or is created by the attacker. o Exploits make use of existing software tools or custom-made software components.  Exposure: A condition or state of being exposed. In information security, exposure exists when a vulnerability known to an attacker is present.  Loss: A single instance of an information asset suffering damage or unintended or unauthorized modification or disclosure. When an organization’s information is stolen, it has suffered a loss.  Protection profile or security posture: The entire set of controls and safeguards, including policy, education, training and awareness, and technology, that the organization implements (or fails to implement) to protect the asset. o The terms are sometimes used interchangeably with the term security program, although the security program often comprises managerial aspects of security, including planning, personnel, and subordinate programs.  Risk: The probability that something unwanted will happen. Organizations must minimize risk to match their risk appetite—the quantity and nature of risk the organization is willing to accept.  Subjects and objects: A computer can be either the subject of an attack—an agent entity used to conduct the attack—or the object of an attack—the target entity, as shown in Figure 1.2. o A computer can be both the subject and object of an attack, when, for example, it is compromised by an attack (object), and is then used to attack other systems (subject).
  • 8.  Threat: A category of objects, persons, or other entities that presents a danger to an asset. Threats are always present and can be purposeful or undirected. For example, hackers purposefully threaten unprotected information systems, while severe storms incidentally threaten buildings and their contents.  Threat agent: The specific instance or a component of a threat.  Vulnerability: A weaknesses or fault in a system or protection mechanism that opens it to attack or damage. Some examples of vulnerabilities are a flaw in a software package, an unprotected system port, and an unlocked door. 1.3 CRITICAL CHARACTERISTICS OF INFORMATION (or) INFORMATION SECURITY COMPONENTS:  Confidentiality o Integrity  Availability o Privacy o Identification o Authentication o Authorization o Accountability  Accuracy o Utility o Possession 1.3.1 Confidentiality  Confidentiality of information ensures that only those with sufficient privileges may access certain information. When unauthorized individuals or systems can access information, confidentiality is breached. To protect the confidentiality of information, a number of measures are used:  Information classification  Secure document storage  Application of general security policies
  • 9.  Education of information custodians and end users Example, a credit card transaction on the Internet.  The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in data bases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored.  Giving out confidential information over the telephone is a breach of confidentiality if the caller is not authorized to have the information, it could result in a breach of confidentiality. i. Integrity  Integrity is the quality or state of being whole, complete, and uncorrupted.  The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state.  Corruption can occur while information is being compiled, stored, or transmitted. o Integrity means that data cannot be modified without authorization. o Example: Integrity is violated when an employee deletes important data files, when a computer virus infects a computer, when an employee is able to modify his own salary in a payroll database, when an unauthorized user vandalizes a website, when someone is able to cast a very large number of votes in an online poll, and so on. 1.3.2 Availability  Availability is the characteristic of information that enables user access to information without interference or obstruction and in a required format.  A user in this definition may be either a person or another computer system.  Availability does not imply that the information is accessible to any user; rather, it means availability to authorized users. o For any information system to serve its purpose, the information must be available when it is needed. o Example: High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. i. Privacy  The information that is collected, used, and stored by an organization is to be used only for the purposes stated to the data owner at the time it was collected.  This definition of privacy does focus on freedom from observation (the meaning usually associated with the word), but rather means that information will be used only in ways known to the person providing it. ii. Identification  An information system possesses the characteristic of identification when it is able to recognize individual users.  Identification and authentication are essential to establishing the level of access or authorization that an individual is granted. iii.Authentication  Authentication occurs when a control provides proof that a user possesses the identity that he or she claims.
  • 10.  In computing, e-Business and information security it is necessary to ensure that the data, transactions, communications or documents(electronic or physical) are genuine (i.e. they have not been forged or fabricated). iv.Authorization  After the identity of a user is authenticated, a process called authorization provides assurance that the user (whether a person or a computer) has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset. V. Accountability  The characteristic of accountability exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process.  For example, audit logs that track user activity on an information system provide accountability. 1.3.3 Accuracy  Information should have accuracy. Information has accuracy when it is free from mistakes or errors and it has the value that the end users expects.  If information contains a value different from the user’s expectations, due to the intentional or unintentional modification of its content, it is no longer accurate. i. Utility  Information has value when it serves a particular purpose.  This means that if information is available, but not in a format meaningful to the end user, it is not useful. Thus, the value of information depends on its utility. ii. Possession  The possession of Information security is the quality or state of having ownership or control of some object or item. 1.4 NSTISSC SECURITY MODEL  ‘National Security Telecommunications & Information systems security committee’ document.  It is now called the National Training Standard for Information security professionals.  The NSTISSC Security Model provides a more detailed perspective on security.  While the NSTISSC model covers the three dimensions of information security, it omits discussion of detailed guidelines and policies that direct the implementation of controls.  Another weakness of using this model with too limited an approach is to view it from a single perspective.  The 3 dimensions of each axis become a 3x3x3 cube with 27 cells representing areas that must be addressed to secure today’s Information systems.  To ensure system security, each of the 27 cells must be properly addressed during the security process.  For example, the intersection between technology, Integrity & storage areas require a control or safeguard that addresses the need to use technology to protect the Integrity of information while in storage.
  • 11. 1.5 COMPONENTS OF AN INFORMATION SYSTEM  An information system (IS) is much more than computer hardware; it is the entire set of software, hardware, data, people, procedures, and networks that make possible the use of information resources in the organization (Fig 1.4).  These six critical components enable information to be input, processed, output, and stored.  Each of these IS components has its own strengths and weaknesses, as well as its own characteristics and uses.  Each component of the information system also has its own security requirements. Components are:  Software  Hardware  Data  People  Procedures  Networks
  • 12. 1.5.1 Software  The software components of IS comprises applications, operating systems, and assorted command utilities.  Software programs are the vessels that carry the lifeblood of information through an organization.  These are often created under the demanding constraints of project management, which limit time, cost, and manpower. 1.5.2 Hardware  Hardware is the physical technology that houses and executes the software, stores and carries the data, and provides interfaces for the entry and removal of information from the system.  Physical security policies deal with hardware as a physical asset and with the protection of these physical assets from harm or theft.  Applying the traditional tools of physicalsecurity, such as locks and keys, restricts access to and interaction with the hardware components of an information system.  Securing the physical location of computers and the computers themselves is important because a breach of physical security can result in a loss of information.  Unfortunately, most information systems are built on hardware platforms that cannot guarantee any level of information security if unrestricted access to the hardware is possible. 1.5.3 Data  Data stored, processed, and transmitted through a computer system must be protected.  Data is often the most valuable asset possessed by an organization and is the main target of intentional attacks.  The raw, unorganized, discrete(separate, isolated) potentially-useful facts and figures that are later processed(manipulated) to produce information. 1.5.4 People  There are many roles for people in information systems. Common ones include  Systems Analyst  Programmer  Technician  Engineer  Network Manager  MIS (Manager of Information Systems)  Data entry operator 1.5.5 Procedures  A procedure is a series of documented actions taken to achieve something.  A procedure is more than a single simple task.  A procedure can be quite complex and involved, such as performing a backup, shutting down a system, patching software.
  • 13. 1.5.6 Networks  When information systems are connected to each other to form Local Area Network (LANs), and these LANs are connected to other networks such as the Internet, new security challenges rapidly emerge. 1.6.SECURING COMPONENTS  Protecting the components from potential misuse and abuse by unauthorized users. o Subject of an attack Computer is used as an active tool to conduct the attack. o Object of an attack Computer itself is the entity being attacked Two types of attacks: 1. Direct attack 2. Indirect attack
  • 14. i. Direct attack  When a Hacker uses his personal computer to break into a system.[Originate from the threat itself] ii. Indirect attack  When a system is compromised and used to attack other system. [Originate from a system or resource that itself has been attacked, and is malfunctioning or working under the control of a threat].  A computer can, therefore, be both the subject and object of an attack when, for example, it is first the object of an attack and then compromised and used to attack other systems, at which point it becomes the subject of an attack. 1.7. BALANCING INFORMATION SECURITY AND ACCESS  Has to provide the security and is also feasible to access the information for its application.  Information Security cannot be an absolute: it is a process, not a goal.  Should balance protection and availability.  Approaches to Information Security Implementation  Bottom- up- approach.  Top-down-approach  Has higher probability of success.  Project is initiated by upper level managers who issue policy & procedures & processes.  Dictate the goals & expected outcomes of the project.  Determine who is suitable for each of the required action. 1.8. THE SYSTEMS DEVELOPMENT LIFE CYCLE (SDLC) SDLC Waterfall Methodology  SDLC-is a methodology for the design and implementation of an information system in an organization.
  • 15.  A methodology is a formal approach to solving a problem based on a structured sequence of procedures.  SDLC consists of 6 phases. 1.8.1 Investigation  It is the most important phase and it begins with an examination of the event or plan that initiates the process.  During this phase, the objectives, constraints, and scope of the project are specified.  At the conclusion of this phase, a feasibility analysis is performed, which assesses the economic, technical and behavioral feasibilities of the process and ensures that implementation is worth the organization’s time and effort.
  • 16. 1.8.2 Analysis  It begins with the information gained during the investigation phase.  It consists of assessments (quality) of the organization, the status of current systems, and the capability to support the proposed systems.  Analysts begin by determining what the new system is expected to do, and how it will interact with existing systems.  This phase ends with the documentation of the findings and an update of the feasibility analysis. 1.8.3 Logical Design  In this phase, the information gained from the analysis phase is used to begin creating a systems solution for a business problem.  Based on the business need, applications are selected that are capable of providing needed services.  Based on the applications needed, data support and structures capable of providing the needed inputs are then chosen.  In this phase, analysts generate a number of alternative solutions, each with corresponding strengths and weaknesses, and costs and benefits.  At the end of this phase, another feasibility analysis is performed. 1.8.4 Physical design  In this phase, specific technologies are selected to support the solutions developed in the logical design.  The selected components are evaluated based on a make-or-buy decision.  Final designs integrate various components and technologies. 1.8.5 Implementation  In this phase, any needed software is created.  Components are ordered, received and tested.  Afterwards, users are trained and supporting documentation created.  Once all the components are tested individually, they are installed and tested as a system.  Again a feasibility analysis is prepared, and the sponsors are then presented with the system for a performance review and acceptance test. 1.8.6 Maintenance and change  It is the longest and most expensive phase of the process.  It consists of the tasks necessary to support and modify the system for the remainder of its useful life cycle.  Periodically, the system is tested for compliance, with business needs.  Upgrades, updates, and patches are managed.  As the needs of the organization change, the systems that support the organization must also change.
  • 17.  When a current system can no longer support the organization, the project is terminated and a new project is implemented. 1.9. THE SECURITY SYSTEMS DEVELOPMENT LIFE CYCLE (SEC SDLC)  The same phases used in the traditional SDLC can be adapted to support the implementation of an information security project. Fig: Secure System Development Life Cycle (SecSDLC) 1.9.1 Investigation  This phase begins with a directive from upper management, dictating the process, outcomes, and goals of the project, as well as its budget and other constraints.  Frequently, this phase begins with an enterprise information security policy, which outlines the implementation of a security program within the organization.  Teams of responsible managers, employees, and contractors are organized.  Problems are analyzed.  Scope of the project, as well as specific goals and objectives, and any additional constraints not covered in the program policy, are defined.  Finally, an organizational feasibility analysis is performed to determine whether the organization has the resources and commitment necessary to conduct a successful security analysis and design. 1.9.2. Analysis  In this phase, the documents from the investigation phase are studied.  The developed team conducts a preliminary analysis of existing security policies or programs, along with that of documented current threats and associated controls.  The risk management task also begins in this phase.
  • 18. Risk managements the process of identifying, assessing, and evaluating the levels of risk facing the organization, specifically the threats to the organization’s security and to the information stored and processed by the organization. 1.9.3. Logical and physical design  This phase creates and develops the blueprints for information security, and examines and implements key policies.  The team plans the incident response actions.  Plans business response to disaster.  Determines feasibility of continuing and outsourcing the project.  In this phase, the information security technology needed to support the blueprint outlined in the logical design is evaluated.  Alternative solutions are generated.  Designs for physical security measures to support the proposed technological solutions are created.  At the end of this phase, a feasibility study should determine the readiness of the organization for the proposed project.  At this phase, all parties involved have a chance to approve the project before implementation begins. 1.9.4. Implementation  Similar to traditional SDLC  The security solutions are acquired (made or bought), tested, implemented, and tested again  Personnel issues are evaluated and specific training and education programs are conducted.  Finally, the entire tested package is presented to upper management for final approval. 1.9.5. Testing and Validation  Constant monitoring, testing, modification, updating, and repairing to meet changing threats have been done in this phase. 1.10. SECURITY PROFESSIONALS AND THE ORGANIZATION  Senior management  Chief information Officer (CIO) is the responsible for  Assessment  Management  implementation of information security in the organization  Information Security Project Team  Champion  Promotes the project  Ensures its support, both financially & administratively.  Team Leader
  • 19.  Understands project management  Personnel management  Information Security technical requirements.  Security policy developers  individuals who understand the organizational culture,  existing policies  Requirements for developing & implementing successful policies.  Risk assessment specialists  Individuals who understand financial risk assessment techniques.  The value of organizational assets,  The security methods to be used.  Security Professionals  Dedicated  Trained, and well educated specialists in all aspects of information security from both a technical and non-technical stand point.  System Administrators  Administrating the systems that house the information used by the organization.  End users  Data Owners o Responsible for the security and use of a particular set of information. o Determine the level of data classification o Work with subordinate managers to oversee the day-to-day administration of the data.  Data Custodians o Responsible for the storage, maintenance, and protection of the information. o Overseeing data storage and backups o Implementing the specific procedures and policies.  Data Users (End users) o Work with the information to perform their daily jobs supporting the mission of the organization. o Everyone in the organization is responsible for the security of data, so data users are included here as individuals with an information security role
  • 20. Question Bank 2marks Questions 1. Define information security. It is a well-informed sense of assurance that the information risks and controls are in balance. 2. List the critical characteristics of information. • Availability • Accuracy • Authenticity • Confidentiality • Integrity • Utility • Possession 3. Define security. What are the multiple layers of security? Security is “the quality or state of being secure-to be free from danger”. • Physical Security • Personal Security • Operations Security • Communication Security • Network Security • Information Security 4. When can a computer be a subject and an object of an attack respectively? When a computer is the subject of attack, it is used as an active tool to conduct the attack. When a computer is the object of an attack, it is the entity being attacked. 5. Why is a methodology important in implementing the information security? Methodology is a formal approach to solve a problem based on a structured sequence of procedures. 6. Difference between vulnerability and exposure. Vulnerability Exposure Weakness or fault in a system or protection Mechanism that expose information to attack or damage. The exposure of an information system is a Single instance when the system is open to damage.
  • 21. 7. Sketch the NSTISSC security model. 8. List out the security services. Three security services: Confidentiality, integrity, and availability Threats are divided into four broad classes:  Disclosure, or unauthorized access to information  Deception, or acceptance of false data  Disruption, or interruption or prevention of correct operation  Unauthorized control of some part of a system. 9. Define the snooping and spoofing.  Snooping: The unauthorized interception of information is a form of disclosure. It is passive, suggesting simply that some entity is listening to (or reading) communications or browsing through files or system information.  Masquerading or spoofing: An impersonation of one entity by another is a form of both deception and usurpation. 10. List the components used in security models.  Software  Hardware  Data  People  Procedures  Networks 11. What are the functions of Information Security?  Protects the organization's ability to function  Enables the safe operation of applications implemented on the organizations IT systems  Protects the data the organization collects and uses.  Safe guards the technology assets in use at the organization
  • 22. 12. What are the phases of SDLC Waterfall method?  Investigation  Analysis  Logical Design  Physical Design  Implementation  Maintenance & change 13. What is Rand Report R-609? The Rand Report was the first widely recognized published document to identify the role of management and policy issues in computer security. The scope of computer security grew from physical security to include:  Safety of the data  Limiting unauthorized access to that data  Involvement of personnel from multiple levels of the organization 14. What is meant by balancing Security and Access?  It is impossible to obtain perfect security  It is not an absolute  It is a process of Security should be considered a balance between protection and availability  To achieve balance, the level of security must allow reasonable access PART–B(16Marks) 1. Describe the Critical Characteristics of Information. Nov/Dec2011 Nov/Dec/May/Jun 2012 1.3 CRITICAL CHARACTERISTICS OF INFORMATION (or) INFORMATION SECURITY COMPONENTS:  Confidentiality o Integrity  Availability o Privacy o Identification o Authentication o Authorization o Accountability  Accuracy o Utility o Possession
  • 23. 1.4.1 Confidentiality  Confidentiality of information ensures that only those with sufficient privileges may access certain information. When unauthorized individuals or systems can access information, confidentiality is breached. To protect the confidentiality of information, a number of measures are used:  Information classification  Secure document storage  Application of general security policies  Education of information custodians and end users Example, a credit card transaction on the Internet.  The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in data bases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored.  Giving out confidential information over the telephone is a breach of confidentiality if the caller is not authorized to have the information, it could result in a breach of confidentiality. ii. Integrity  Integrity is the quality or state of being whole, complete, and uncorrupted.  The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state.  Corruption can occur while information is being compiled, stored, or transmitted. o Integrity means that data cannot be modified without authorization. o Example: Integrity is violated when an employee deletes important data files, when a computer virus infects a computer, when an employee is able to modify his own salary in a payroll database, when an unauthorized user vandalizes a website, when someone is able to cast a very large number of votes in an online poll, and so on. 1.4.2 Availability  Availability is the characteristic of information that enables user access to information without interference or obstruction and in a required format.  A user in this definition may be either a person or another computer system.  Availability does not imply that the information is accessible to any user; rather, it means availability to authorized users. o For any information system to serve its purpose, the information must be available when it is needed. o Example: High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. v.Privacy  The information that is collected, used, and stored by an organization is to be used only for the purposes stated to the data owner at the time it was collected.
  • 24.  This definition of privacy does focus on freedom from observation (the meaning usually associated with the word), but rather means that information will be used only in ways known to the person providing it. vi.Identification  An information system possesses the characteristic of identification when it is able to recognize individual users.  Identification and authentication are essential to establishing the level of access or authorization that an individual is granted. vii. Authentication  Authentication occurs when a control provides proof that a user possesses the identity that he or she claims.  In computing, e-Business and information security it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine (i.e. they have not been forged or fabricated). viii. Authorization  After the identity of a user is authenticated, a process called authorization provides assurance that the user (whether a person or a computer) has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset. VI. Accountability  The characteristic of accountability exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process.  For example, audit logs that track user activity on an information system provide accountability. 1.4.3 Accuracy  Information should have accuracy. Information has accuracy when it is free from mistakes or errors and it has the value that the end users expects.  If information contains a value different from the user’s expectations, due to the intentional or unintentional modification of its content, it is no longer accurate. iii. Utility  Information has value when it serves a particular purpose.  This means that if information is available, but not in a format meaningful to the end user, it is not useful. Thus, the value of information depends on its utility. iv. Possession  The possession of Information security is the quality or state of having ownership or control of some object or item. 2. Explain the Components of an Information System. Nov/Dec 2011 Nov/Dec 2012May/Jun 2013 1.5 COMPONENTS OF AN INFORMATION SYSTEM
  • 25.  An information system (IS) is much more than computer hardware; it is the entire set of software, hardware, data, people, procedures, and networks that make possible the use of information resources in the organization (Fig 1.4).  These six critical components enable information to be input, processed, output, and stored.  Each of these IS components has its own strengths and weaknesses, as well as its own characteristics and uses.  Each component of the information system also has its own security requirements. Components are:  Software  Hardware  Data  People  Procedures  Networks
  • 26. 1.5.1 Software  The software components of IS comprises applications, operating systems, and assorted command utilities.  Software programs are the vessels that carry the lifeblood of information through an organization.  These are often created under the demanding constraints of project management, which limit time, cost, and manpower. 1.5.2 Hardware  Hardware is the physical technology that houses and executes the software, stores and carries the data, and provides interfaces for the entry and removal of information from the system.  Physical security policies deal with hardware as a physical asset and with the protection of these physical assets from harm or theft.  Applying the traditional tools of physical security, such as locks and keys, restricts access to and interaction with the hardware components of an information system.  Securing the physical location of computers and the computers themselves is important because a breach of physical security can result in a loss of information.  Unfortunately, most information systems are built on hardware platforms that cannot guarantee any level of information security if unrestricted access to the hardware is possible. 1.5.3 Data  Data stored, processed, and transmitted through a computer system must be protected.  Data is often the most valuable asset possessed by an organization and is the main target of intentional attacks.  The raw, unorganized, discrete (separate, isolated) potentially-useful facts and figures that are later processed(manipulated) to produce information. 1.5.4 People  There are many roles for people in information systems. Common ones include  Systems Analyst  Programmer  Technician  Engineer  Network Manager  MIS (Manager of Information Systems)  Data entry operator 1.5.5 Procedures  A procedure is a series of documented actions taken to achieve something.  A procedure is more than a single simple task.
  • 27.  A procedure can be quite complex and involved, such as performing a backup, shutting down a system, patching software. 1.5.6 Networks  When information systems are connected to each other to form Local Area Network (LANs), and these LANs are connected to other networks such as the Internet, new security challenges rapidly emerge. 3. DiscussSDLCindetail. May/June2013 Answer Refer Topic No. 1.8 4.Describe SecSDLC in detail. Nov/Dec 2011 Nov/Dec2012 May/Jun 2013 Answer Refer Topic No. 1.9
  • 28. 5. Explain the NSTISSC security model and the top down approach and bottom up approach to security implementation. Nov/Dec2011
  • 29. Top-down Approach  Initiated by upper management:  Issue policy, procedures, and processes  Dictate the goals and expected outcomes of the project  Determine who is accountable reach of the required actions  Strong upper management support, a dedicated champion, dedicated funding, clear planning, and the chance to influence organizational culture  Most successful top-down approach Bottom up Approach  Security from a grass-roots effort - systems administrators attempt to improve the security of their systems  Key advantage-technical expertise of the individual administrators  Seldom works, as it lacks a number of critical features:  Participant support  Organizational staying power 6. Explain any five professional in information security with their role and focus. Answer Refer Topic No. 1.10