The document outlines information security concepts, defining security, privacy, and information security, and highlighting the differences between cybersecurity, network security, and information security. It lists top threats to information security such as social engineering, malware, and poor configuration, alongside preventive strategies for organizations. Additionally, it emphasizes the principles of confidentiality, integrity, and availability in protecting sensitive data.

1. Lecture 01
Information Security
1

2. 2

3. 3
What is Security?
• The state of being free from danger or
threat
• Freedom form threat
In general, security means being free
from danger. To be secure is to be
protected from the risk of loss, damage,
unwanted modification or other
hazards.

4. Security is every where..
4
Plants lagan
big organiztaion protect

5. What is
privacy
• A state in which one is not observed or disturbed by
other.
• Security is the technical methods used to protect the data
and not concerned with how and when it used.
• Privacy is how an organization process Personal
Data to comply with laws, regulations.
5
Yani koi ap ko dahk na sky or ap khoudh dahky etc
Envernoment ko protect karna
personal data ko used na kary

6. • Security can be achieved without privacy
but Privacy cannot be achieved without
security.
6

7. 7

8. What is Information
Security?
8

9. 9
Description of InfoSec
• Information security (sometimes referred
to as InfoSec)
– covers the tools and processes
• It includes policy settings
– Prevent unauthorized people from
accessing business or personal
information
• Protects sensitive information
– including inspection, modification, recording,
and any disruption or destruction

10. 10
• The consequences of security
incidents include
– Theft of private information
– Data tampering
– Data deletion
– Attacks can disrupt work processes and
damage a company’s reputation, and also
have a tangible cost
• Organizations must allocate funds for
security
– Ensure that they are ready to detect,
respond to, and proactively prevent, attacks
such as

11. Terms we
heard….
NETWORK
SECURITY
11
INFORMATION
SECURITY

12. 12

13. 13
Difference Between Cyber Security,
Network Security, and Information
Security
Sr.# Cyber Security Network Security Information Security
01.
Cyber security is the method
of protecting systems,
networks, and programs from
digital attacks.
Network Security is the
method of protecting the
usability and integrity of
your network and data.
Information security is the
measures taken to protect
the records from
unauthorized entry and
use.
02.
Cyber Security is a subpart of
Information Security.
Network Security is a
subpart of Cyber Security.
Cyber Security &
Network Security comes
under Information
Security.
03.
It protects anything in the
cyber area.
It protects anything in the
network area.
Information security is for
information irrespective of
the space.

14. 14
Sr.# Cyber Security Network Security Information Security
04.
It deals with protection from
cyber attacks.
It deals with protection
from DOS (Denial of
Service) attacks.
It deals with the security
of data from any kind of
threat.
05.
Cyber security attacks
against cybercrime and
cyber fraud.
Network Security attacks
against trojans.
Information Security
attacks against
unauthorized access,
disclosure modification,
and disruption.
06.
Cyber security ensures the
security of the entire digital
data.
Network security only
ensures the security of
transit data.
Information security
ensures the protection of
transit and digital data.

15. 15
Sr.# Cyber Security Network Security Information Security
07.
It deals with the security of
the data resting.
It secures data traveling
across the network by
terminals.
It gives integrity,
confidentiality, and
availability.
08.
Common Cyber Security
Risks:
 Social engineering
 Brute force
 Baiting
 Ransomware
Common Network
Security Risks:
 Viruses, worms,
and trojans
 Denial of Service
(DOS) attack
 Zero-day attacks
Common
Information Security
Risks:
 Access
 Destruction
 Availability

16. https://nr3c.gov.pk/about_us.ht
ml
16

17. 17

18. 18
Multan Address
• CYBER CRIME WING
– INCHARGE CYBER CRIME
FIA OFFICE H.06, STREET-3
SHALIMAR TOWN BOSAN TOWN
MULTAN
– PHONE +92 61-9330999

19. 19
Top Cyber security
companies in
Pakistan List 2022 Updated
• Delta Tech, Pakistan’s Cyber Security
Consulting Firm
• Tier3 Cyber Security Services – Pakistan
• Catalyic Security | Cyber Security Solutions |
Cyber Security Company |
catalyicsecurity.com
• Trillium Information Security Systems (TISS)
• PakCERT [Pakistan Computer Emergency
Response Team]
• Dunicot Pvt. Ltd., Cyber Security Services
Company
• Tranchulas
• Cyber Security consultancy Company
• Institute of Cyber Security
• Pakistan Information Security Association

20. 20

21. 21
Information Security
Policy
• An Information Security Policy (ISP) is a set
of rules that guide individuals when using IT
assets.
• Companies can create information
security policies
– to ensure that employees and other users
follow security protocols and procedures.
• Security policies are intended to ensure that
– only authorized users can access sensitive
systems and information.

22. 22
• To make your policy truly effective,
– update it frequently based on company
changes,
– new threats, conclusions drawn
from previous breaches,
– and changes to security systems and tools.
• Make your information security
strategy practical and reasonable.
• To meet the needs and urgency of
different departments within the
organization,
– it is necessary to deploy a system of
exceptions, with an approval process,
– enabling departments or individuals to

23. 23
Top Information Security
Threats
1. Unsecure or Poorly Secured Systems
• The speed and technological development
– Often leads to compromises in security
measures.
• In other cases, systems are developed
without security in mind,
– Remain in operation at an organization as
legacy systems.
• Organizations must identify these poorly
secured systems,
– and mitigate the threat by securing or patching
them or isolating them.

24. 24
2. Social Media
Attacks
• Many people have social media accounts,
– where they often unintentionally share a lot
of information about themselves.
• Attackers can launch attacks directly via
social media,
– Eg. By spreading malware via social
media messages, or indirectly, by using
information obtained from these sites to
analyze user and organizational
vulnerabilities, and use them to
design an attack.

25. 25
3. Social
Engineering
• It involves attackers sending emails and messages
– that trick users into performing actions that may
compromise their security or divulge private
information.
– Attackers manipulate users using psychological
triggers like curiosity, urgency or fear.
• Because the source of a social engineering
message appears to be trusted,
– people are more likely to comply, for example by
clicking a link that installs malware on their
device, or by providing personal information,
credentials, or financial details.
• Organizations can mitigate it by making users
– aware of its dangers and
– training them to identify and avoid suspected
social engineering messages.
– In addition, technological systems can be used to
block social engineering at its source.

26. 26

27. 27
4. Malware on
Endpoints
• Organizational users work with a large
variety of endpoint devices,
– Including desktop computers, laptops, tablets, and
mobile phones,
– Many of which are privately owned and not under the
organization’s control,
– All of which connect regularly to the Internet.
• A primary threat on all these endpoints is
malware, which can be transmitted by a variety
of means,
– can result in compromise of the endpoint itself,
– can also lead to privilege escalation to other
organizational systems.
• Traditional antivirus software is insufficient to
block all modern forms of malware, and
– more advanced approaches are developing to
securing
endpoints, such as endpoint detection and response

28. 28
5. Lack of
Encryption
• Encryption processes encode data so that it
can only be decoded by users with secret
keys.
– It is very effective in preventing data loss
– in case of equipment loss or theft
– in case of organizational systems are
compromised by attackers.
• Unfortunately, this measure is often
overlooked due to its complexity and lack of
legal obligations associated with proper
implementation.
• Organizations are increasingly
adopting encryption,
– by purchasing storage devices or
– using cloud services that support encryption, or
– using dedicated security tools.

29. 29
6. Security
Misconfiguration
• Modern organizations use a huge
number of technological platforms and
tools,
– in particular web applications, databases, and
– Software as a Service (SaaS) applications, or
– Infrastructure as a Service (IaaS)
• from providers like Amazon Web Services.
• Enterprise grade platforms and cloud
services have security features,
– But these must be configured by the
organization.
– Security misconfiguration due to

30. 30
• Another problem is “configuration drift”,
– where correct security configuration can quickly
become out of date and make a system
vulnerable, to IT or security staff.
• Organizations can mitigate
security misconfiguration using
– technological platforms that continuously
monitor systems,
– identify configuration gaps, and
– alert or even automatically remediate
configuration issues that make systems
vulnerable.

31. 31
CYBER CRIME
PREVENTION TIPS
HTTPS://NR3C.GOV.PK/CTIPS.HTML
• SECURE YOUR SMART PHONES
– Always secure your smartphone with a strong
password
– Ensure that your device locks itself automatically
– Install security software
– Only download apps from approved sources
– Check your apps permissions
– Dont miss operating system updates
– Be wary of any links you receive via email or text
message
– Turn off automatic Wi-Fi connection
– When browsing or shopping on your phone (or
computer), always look

32. 32
• SECURE YOUR ONLINE BANKING
– Never use same PIN CODE for multiple bank
accounts
– Never use unprotected PCs at cybercafes for
internet banking
– Never keep your pin code and cards together
– Never leave the PC unattended when using internet
banking in a publicplace
– Register for Mobile SMS, Email Transaction Alerts
– Never reply to emails asking for your password or pin
code
– Visit banks website by typing the URL in the address
bar
– Log off and close your browser when you are done
using internet banking
– When using ATM always conceal keypad before
entering pin code
– Before using ATM, make sure that there is no extra

33. 33
• SECURE YOUR FACEBOOK
– Use extra security features to access
account (security code, Login alert
etc)
– Use login notification alert
– Allow specific individuals to view your
contents (Videos, Photos and Friends
etc.)
– Control who can contact you
– Block your profile from search engines

34. 34
• SECURE YOUR WI-FI
– Change Default Administrator Passwords
and Usernames of the Wi-Fi Router
– Use complex password and change Password
after regular intervals
– Position the Router or Access Point Safely
– Turn off the Network / Wi-Fi routers if it is not
in use

35. 35
• SECURE YOUR BROWSING
– What you put online will always remain
there
– Never trust any free online content
– Dont provide personal information online to
get something free
– Don’t click on links inside e-mails or
messages

36. 36
Information
Security
• It can be defined as “measures
adopted to prevent the unauthorized
use, misuse, modification or denial of
use of knowledge, facts, data or
capabilities”.
• Three aspects of IS are:
– Security Attack
– Security Mechanism
– Security Service

37. 37
• Security Attack:
– Any action that comprises the security of information
• Security Mechanism:
– A mechanism that is designed to detect, prevent, or
recover from a security.
• Security Service:
– It is a processing or communication service that
enhances the security of the data
processing systems and information transfer. The
services are intended to counter security attacks
by making use of one or more security
mechanisms to provide the service.

38. What are the 3 Principles
of IS?
• The basic tenets of IS are called the CIA
Triad
38

39. Confidentiali
ty
• Confidentiality measures are
designed to prevent unauthorized
disclosure of information.
• The purpose of the confidentiality
principle is to keep personal information
private
– and to ensure that it is visible and accessible
only to those individuals who own it or need
it to perform their organizational functions.
39
mean ap koudh data dahk sky ,ya ap ka parents, ya apko doctor etc

40. Integrit
y
• Consistency includes protection against
unauthorized changes (additions, deletions,
alterations, etc.) to data.
• The principle of integrity ensures that data is
accurate and reliable and is not modified
incorrectly, whether accidentally or maliciously.
40
Koi bh ap ka data Modiy na kary

41. Availabili
ty
• Availability is the protection of a system’s ability
to make software systems and data fully
available when a user needs it (or at a specified
time).
• The purpose of availability is to make the
technology infrastructure, the applications and
the data available when they are needed for an
organizational process or for an organization’s
customers
.
41
ka
Ap ka data available ho na chay.
it is very important principel
Backup Sytsem ho na chay

42. Passive Vs. Active
Attacks
• Information security is intended to
protect organizations against malicious
attacks.
• There are two primary types of attacks:
– Passive and
Active.
Release of
message
contents
Traffic
analysis
Passive
Activ
e Masquerad
e
Repl
y
Modification of
message
contents
Denial of

43. 43
Passive
Attack
• In a passive attack, an attacker monitors a
system and illegally copies information
without altering it.
• They then use this information to
disrupt networks or compromise target
systems.
• The attackers do not make any change to
the communication or the target systems.
– This makes it more difficult to detect.
• However, encryption can help prevent
passive attacks because it obfuscates the
data, making it more difficult for attackers to
make use of it.

44. A Passive attack attempts to learn or make
use of information from the system, but does
not affect system resources.
44

45. 45
Types of passive
attacks
• Release of message content
– It may be desirable to prevent the opponent
from learning the contents of the
transmission.
• Traffic analysis
– A more clever technique where the
• Opponent could determine the location and
identity of communicating hosts
• Could observe the frequency & length of
encrypted messages being exchanged there
• by guessing the nature of communication taking
place.

46. Active
Attack
• Active attacks involve some modification
of the data stream or creation of a false
stream. An active attack attempts to alter
system resources or affect their
operation.
46

47. Four types of Active
attacks
• Masquerade: Here, an entity pretends to be
some other entity. It usually includes
one of the other forms
of active attack
– Example: If the legitimate user leaves the
terminal or session open and logged in, a
coworker may act as a masquerade attacker.
– Vulnerable authentication is one of the
other factor that can trigger a masquerade
attack, as it helps the attacker to gain access
much easily.
47

48. Replay: It involves the passive capture of a data unit
and its subsequent retransmission to produce an
unauthorized effect. i.e. transmission is maliciously or
fraudulently repeated or delayed
48
man-in-the-middle
attack

49. • Modification of messages: It means that some
portion of a legitimate message is altered, or that
messages are delayed to produce an unauthorized effect.
– Ex: “John’s acc no is 2346” is modified as “John’s acc no is 7892”
• Denial of service: This attack prevents or inhibits the
normal use or management of communication facilities.
– Ex: (a) Disruption of entire network by disabling it
– (b) Suppression of all messages to a particular destination
by a third party.
49

50. Common variants of an active
attacks
1. Interruption
• the attacker interrupts the original communication
and creates new, malicious messages,
pretending to be one of the communicating
parties.
• An asset of the system is destroyed or becomes
unavailable or unusable. It is an attack on
availability.
– Examples
• Destruction of some hardware
• Jamming wireless signals 50

51. 2.
Interception
– An unauthorized party gains access to an asset.
Attack on confidentiality.
• Examples:
– Wire tapping to capture data in a
network.
– Illicitly copying data or programs
– Eavesdropping
51

52. 3.
Modification
When an unauthorized party gains access
and tampers an asset. Attack is on
Integrity.
• Examples:
– Changing data file
– Altering a program and the contents of a
message
52

53. 4.
Fabrication
• Creates fake, or synthetic, communications, typically with
the aim of achieving denial of service (DoS). This
prevents users from accessing systems or performing
normal operations.
• An unauthorized party inserts a bogus object into the
system.
Attack on Authenticity. Also called impersonation
• Examples:
– Hackers gaining access to a personal email and
sending message
– Insertion of records in data files
– Insertion of spurious messages in a network
53

54. 54
Reading Assignment
Question: What do you know about
HERMIT Spyware?
– Read and prepare its brief summary
– No need to submit its Hard / Soft copy.
– Will be discussed in class.
– Deadline: Before Next lecture.