Lecture 01- What is Information Security.ppt
1. CSSY1208
Introduction to Information Security
Lecture 1: What is Information Security?
Textbook:
The Basics of Information Security: Understanding the Fundamentals of InfoSec in Theory and Practice, Second Edition, Jason Andress, Elsevier
Reference book:
Cryptography and Network Security, 6th Edition, William Stallings, Pearson
2. Outline
CHAPTER 1 - What is Information Security?
Introduction: defining information security and the basic terminology of the field. Threats and risks. Defense in depth: layers.
3. Introduction
• Information security is defined as “protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction” (the definition used in US federal law, 44 U.S.C. § 3542).
• It is also described as the protection afforded to an automated information system in order to preserve the integrity, availability, and confidentiality of information system resources (hardware, software, information/data, and communications).
• In a general sense, information security means protecting our assets.
4. Background
• Traditionally, before the widespread use of computers, security was provided by:
Physical means: locked filing cabinets
Administrative mechanisms: a rigid hiring process
• In recent times, the use of computers requires automated tools to protect files and other stored information
• And the use of networks and communications requires measures to protect data during transmission
5. When are we secure or insecure?
Defining the exact point at which we can be considered secure presents a bit of a challenge.
Are we secure if our systems are properly patched?
Are we secure if we use strong passwords?
Are we secure if we are disconnected from the Internet entirely?
From a certain point of view, all of these questions can be answered with a “no”: none of these measures on its own makes us secure, so the real question is whether we are reasonably secure.
Defining when we are insecure is a much easier task, and we can quickly list a number of items that would put us in this state:
• Not patching our systems, or not patching quickly enough
• Using weak passwords such as “password” or “12345678”
• Downloading infected programs from the Internet
6. Information Security goals
Prevention: all types of information (personal information, company information, information about intellectual property) must be protected. Preventing unauthorized access to confidential information must be the number one priority for security professionals.
Detection: takes place when a user is discovered trying to access unauthorized data, or after information has been lost. This can be accomplished by investigating individuals or by scanning a network.
Recovery: information can be lost or damaged after an intrusion by unauthorized users or when a disaster strikes a system. Thus, you need to implement a process to recover your important data from a crashed system or damaged data storage.
7. The Confidentiality, Integrity, and Availability Triad
• Three of the primary concepts in information security are confidentiality, integrity, and availability, commonly known as the CIA triad, as shown in the figure on the previous slide.
• The CIA triad gives us a model by which we can think about and discuss security concepts, and it tends to be very focused on security as it pertains to data.
8. Defining Information Security (cont’d.)
Confidentiality
This aim states that information/systems should only be read, known, or learnt by authorised people.
This is about keeping information private, secret, and out of the hands of unauthorised people.
Confidentiality can be compromised by:
– Loss of a laptop containing data.
– A person looking over our shoulder while we type a password.
– An e-mail attachment being sent to the wrong person.
– An attacker penetrating our systems, or
– similar issues.
9. Defining Information Security (cont’d.)
Integrity
• Integrity refers to the ability to prevent our data from being changed in an unauthorized or undesirable manner. This could mean the unauthorized change or deletion of our data or portions of our data, or it could mean an authorized, but undesirable, change or deletion of our data.
• A good example: file permissions in Linux and Windows, used to prevent unauthorized changes. Permissions only restrict who may write; detecting a change that has already happened needs a separate check, such as comparing file hashes against a known-good baseline.
• Many applications, such as databases, allow us to undo or roll back changes that are undesirable.
10. Defining Information Security (cont’d.)
Availability
This aim states that information or systems should be available to authorised people when needed.
Loss of availability can refer to a wide variety of breaks anywhere in the chain that allows us access to our data. Such issues include power loss, operating system or application problems, network attacks, or compromise of a system. When the loss of availability is caused deliberately by an outside party, such as an attacker, it is commonly referred to as a denial of service (DoS) attack.
11. Defining Information Security (cont’d.)
• Although the use of CIA to define the security objectives is well established, additional security concepts are needed to present a complete picture. The most commonly mentioned concepts are:
Authenticity
Accountability
12. Defining Information Security (cont’d.)
Authenticity: the property of being genuine and being able to be verified and trusted. This means verifying that users are who they say they are and that each input arriving at the system came from a trusted source.
Accountability: the security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This is what makes non-repudiation, intrusion detection, and after-the-fact investigation possible.
13. The Parkerian hexad, named for Donn Parker and introduced in
his book Fighting Computer Crime, provides us with a somewhat
more complex variation of the classic CIA triad. Where the CIA
triad consists of confidentiality, integrity and availability, the
Parkerian hexad consists of these three principles, as well as
possession or control, authenticity, and utility.
The Parkerian Hexad
14. Attacks
We may face attacks from a wide variety of approaches and
vectors. When we look at what exactly makes up an attack, we
can break it down according to the type of attack that it
represents, the risk the attack represents, and the controls we
might use to mitigate it.
Types of attack payloads
15. Attacks (cont’d.)
• A useful means of classifying security attacks is in terms of passive attacks and active attacks.
• A passive attack attempts to learn or make use of information from the system but does not affect system resources.
• An active attack attempts to alter system resources or affect their operation.
• Passive attacks are hard to detect, so the emphasis is on preventing them (for example by encryption); active attacks are hard to prevent outright, so the emphasis is on detecting them and recovering from them.
16. Interception/Disclosure
• An unauthorised party has gained the ability to read or know a particular piece of information. Also known as unauthorised access.
• Basically a breach of confidentiality
• Does not necessarily have to involve information being intercepted while in transit
• Unauthorised access to stored information could also be considered to be interception (or disclosure)
• Example: illegal eavesdropping or sniffing, illegal copying. Interception is a passive attack: it leaves system resources unchanged, which is why it is so hard to notice after the fact.
17. Interruption
• Information or systems are not available when needed by legitimate users; also known as denial of service
• Basically a breach of availability
• Could involve:
• Loss or destruction
• Deletion of data/software
• Degradation of a system/service/network
• Example: an attacker launches a Denial of Service attack against a website, cuts a communications line, or disables a file management system.
18. Modification
• A resource is altered in an unauthorised way
• Also known as tampering with a resource
• Basically a breach of integrity
• Could affect:
• Data/information
• The state of a system: settings, configuration etc.
• Example: an attacker changes a value in a database from 100 to 1000 in order to commit some type of fraud
19. Fabrication
• False entities are created
• Also a breach of integrity
• Example: an attacker adds false sales records to a database in order to commit some type of fraud; insertion of a spurious message in a network; adding a record to a file; counterfeit bank notes; fake cheques
• Sometimes there is a fine line between modification and fabrication.
• e.g. Inserting a false record into a database is fabrication of the record, but it is also a modification of something that already exists, the database as a whole.
25. Information Security Terminology
• Asset
• Something that has a value
• Threat
• Event or object that may defeat the security measures in place
and result in a loss
• By itself does not mean that security has been compromised
• Threat agent
• Person or thing that has the power to carry out a threat
• Vulnerability
• Weakness that allows a threat agent to bypass security
• Exploit (exploiting the security weakness)
• Taking advantage of the vulnerability
26. Information Security Terminology
• Risk
• Likelihood that a threat agent will exploit a vulnerability; in practice it is weighed together with the impact if that happens
• Some degree of risk must always be assumed
• Three options for dealing with risk:
a) Accept
b) Mitigate or reduce
c) Transfer (e.g. insurance)
27. Risk management
The risk management process
In order to compensate for the risks present in our environment, the risk management process is very important to implement and follow.
At a high level, we need to identify our important assets, identify the potential threats against them, assess the vulnerabilities that we have present, and then take steps to mitigate these risks.
28. Identify threats
Once we have enumerated our critical assets, we can then begin to identify the threats that might affect them.
29. Assess vulnerabilities
When we assess vulnerabilities, we need to do so in the context of potential threats. Any given asset may have thousands or millions of threats that could impact it, but only a small fraction of these will actually be relevant.
30. Assess risks
Once we have identified the threats and vulnerabilities for a given asset, we can assess the overall risk. As we discussed earlier in this chapter, risk is the conjunction of a threat and a vulnerability. A vulnerability with no matching threat, or a threat with no matching vulnerability, does not constitute a risk.
31. Mitigating risks
In order to help us mitigate risk, we can put measures in place to help ensure that a given type of threat is accounted for. These measures are referred to as controls.
32. Mitigating risks (cont’d.)
Controls are divided into three categories:
• Physical - Physical controls are those that protect the physical environment in which our systems sit, or where our data is stored (locks, guards, cameras).
• Logical - Logical controls, sometimes called technical controls, are those that protect the systems, networks, and environments that process, transmit, and store our data (passwords, encryption, access control lists, firewalls).
• Administrative - Administrative controls are based on rules, laws, policies, procedures, guidelines, and other items that are “paper” in nature.
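The whole procedure of slides 27 to 32 (assets, threats, vulnerabilities, risk, treatment, controls) fits in one small risk register. The following is an added example written for this page, not code from the textbook or the lecture. It applies the slides' rule literally: a risk entry exists only where a threat and a vulnerability match on the same weakness, so the unmatched threat and the unmatched vulnerability in the sample inventory produce nothing. The ordinal low/medium/high scale, the score thresholds for accept/mitigate/transfer, the control catalogue, and the whole asset inventory are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass

# Ordinal scale for likelihood and impact (assumed for this example).
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Threat:
    name: str        # what might happen, and by which threat agent
    exploits: str    # the weakness class this threat needs in order to succeed
    likelihood: str  # low / medium / high


@dataclass(frozen=True)
class Vulnerability:
    asset: str       # the asset that carries the weakness
    weakness: str    # weakness class, matched against Threat.exploits
    impact: str      # consequence if exploited: low / medium / high


# Assumed control catalogue: weakness class -> (control category, control).
CONTROLS = {
    "unpatched_service": ("logical", "patch within a fixed SLA; scan for missing patches"),
    "weak_password": ("administrative", "password policy; (logical) enforce MFA"),
    "unlocked_server_room": ("physical", "badge-controlled door with access logging"),
}


def treatment(score):
    """Map a score to the three options on slide 26 (thresholds are assumed)."""
    if score <= 2:
        return "accept"
    if score >= 9:
        return "mitigate and transfer the residual risk (insurance)"
    return "mitigate"


def assess_risks(threats, vulns):
    """Pair each vulnerability with every threat able to exploit it.

    A threat with no matching vulnerability, or a vulnerability with no
    matching threat, yields no entry: by the slides' definition it is not a risk.
    """
    register = []
    for v in vulns:
        for t in threats:
            if t.exploits != v.weakness:
                continue
            score = LEVELS[t.likelihood] * LEVELS[v.impact]
            category, control = CONTROLS.get(v.weakness, ("n/a", "no control catalogued"))
            register.append({
                "asset": v.asset, "threat": t.name, "vulnerability": v.weakness,
                "score": score, "treatment": treatment(score),
                "control_category": category, "control": control,
            })
    return sorted(register, key=lambda r: -r["score"])


def demo():
    """Constructed inventory for the demonstration, not a real organisation."""
    threats = [
        Threat("Internet worm", "unpatched_service", "high"),
        Threat("Credential stuffing", "weak_password", "high"),
        Threat("Walk-in theft", "unlocked_server_room", "low"),
        Threat("Phishing", "untrained_staff", "medium"),            # no matching vulnerability
    ]
    vulns = [
        Vulnerability("public web server", "unpatched_service", "high"),
        Vulnerability("intranet wiki", "weak_password", "medium"),
        Vulnerability("server room", "unlocked_server_room", "high"),
        Vulnerability("backup tapes", "unencrypted_media", "high"),  # no matching threat
    ]
    return assess_risks(threats, vulns)


if __name__ == "__main__":
    for r in demo():
        print(f"{r['score']:>2} {r['asset']:<18} {r['threat']:<20} -> {r['treatment']} "
              f"[{r['control_category']}: {r['control']}]")
```

The register comes out ordered by score, so the web server (high likelihood, high impact) is treated first and the server room last; the backup tapes and the phishing threat never appear, which is exactly the point of slide 30. In a real assessment the "no matching threat" entries are worth a second look before they are dropped, because an incomplete threat list is the usual reason a real risk is missing from the register.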
33. Incident response
In the event that our risk management efforts fail, incident response exists to react to such events. Incident response should be primarily oriented to the items that we feel are likely to cause us pain as an organization, which we should now know based on our risk management efforts. Reaction to such incidents should be based, as much as is possible or practical, on documented incident response plans, which are regularly reviewed, tested, and practiced.
The incident response process, at a high level (the phases of NIST SP 800-61), consists of:
• Preparation
• Detection and analysis
• Containment
• Eradication
• Recovery
• Post incident activity
34. Incident response (cont’d.)
• Preparation - Preparation consists of all of the activities that take place before an incident. This typically involves having the policies and procedures that govern incident response and handling in place, conducting training, etc.
• Detection and analysis - The detection and analysis phase is where the action begins to happen in our incident response process. The trigger may be output from an Intrusion Detection System (IDS), anti-virus software, or firewall logs, which must then be analysed to confirm that an incident has actually occurred and how far it reaches.
• Containment - Ensuring that the situation does not cause any more damage than it already has, or at least lessening any ongoing harm (for example, isolating the affected host from the network).
• Eradication - During eradication, we attempt to remove the cause and the effects of the issue from our environment.
• Recovery - Returning to the state we were in prior to the incident, or a better one, or to the state before the issue started if we did not detect the problem immediately (for example, restoring from a backup taken before the compromise).
• Post incident activity - We attempt to determine specifically what happened, why it happened, and what we can do to keep it from happening again.
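The detection-and-analysis and containment phases above are easiest to see on real-looking input. The following is an added example written for this page, not code from the textbook or the lecture: it parses a handful of constructed OpenSSH auth-log lines, flags an address that fails a login repeatedly inside a short window, upgrades the finding to a compromise when that same address later logs in successfully, and produces the containment actions a responder would take first. The log lines, host name, account names, the year (syslog lines carry none), the thresholds, and the addresses (taken from the RFC 5737 documentation ranges) are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH auth.log style; not from any real host.
SAMPLE_LOG = """\
Mar 10 02:14:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 02:14:03 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 02:14:05 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 10 02:14:07 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 51028 ssh2
Mar 10 02:14:09 web1 sshd[2209]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar 10 02:14:12 web1 sshd[2211]: Accepted password for root from 203.0.113.7 port 51032 ssh2
Mar 10 02:20:44 web1 sshd[2290]: Failed password for alice from 198.51.100.4 port 40110 ssh2
Mar 10 02:20:51 web1 sshd[2292]: Accepted publickey for alice from 198.51.100.4 port 40112 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(text, year=2024):
    """Turn matching lines into event dicts; syslog omits the year, so it is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(f"{year} {e['ts']}", "%Y %b %d %H:%M:%S")
            events.append(e)
    return events


def detect_bruteforce(events, threshold=5, window_s=120):
    """Detection and analysis: an IP with >= threshold failures inside window_s
    becomes an incident ('attempt'); a later accepted login from that IP upgrades
    it to 'compromise' and records which account was taken."""
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)     # ip -> account names it tried
    incidents = {}               # ip -> incident record
    for e in events:
        ip = e["ip"]
        if e["result"] == "Failed":
            recent[ip] = [t for t in recent[ip] if (e["ts"] - t).total_seconds() <= window_s]
            recent[ip].append(e["ts"])
            users[ip].add(e["user"])
            if len(recent[ip]) >= threshold:
                inc = incidents.setdefault(ip, {"ip": ip, "severity": "attempt",
                                                "first_seen": recent[ip][0],
                                                "compromised_user": None})
                inc["failures"] = len(recent[ip])
                inc["users_tried"] = sorted(users[ip])
        elif ip in incidents:    # Accepted login from an address already flagged
            incidents[ip]["severity"] = "compromise"
            incidents[ip]["compromised_user"] = e["user"]
    return list(incidents.values())


def containment(incident):
    """Containment actions for this incident class, in the order a responder takes them."""
    actions = [f"block {incident['ip']} at the perimeter firewall (logical control)"]
    if incident["severity"] == "compromise":
        user = incident["compromised_user"]
        actions += [
            f"terminate all sessions of '{user}' and lock the account",
            "preserve auth logs and a memory image before eradication changes the host",
        ]
    return actions


def run(text=SAMPLE_LOG):
    """Detection over the constructed log; returns the incident records."""
    return detect_bruteforce(parse(text))


if __name__ == "__main__":
    for inc in run():
        print(inc)
        for step in containment(inc):
            print("  ->", step)
```

The single failed login from 198.51.100.4 followed by a key-based success is a normal user and produces nothing; the threshold is what separates the two cases, and tuning it is part of preparation, not something decided during the incident. Note that containment deliberately precedes eradication: the log preservation step exists because rebuilding the host first would destroy the evidence that the post-incident phase needs.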
35. Defense in depth
Defense in depth is a strategy common to both military maneuvers and information security. In both senses, the basic concept of defense in depth is to formulate a multilayered defense that will allow us to still achieve a successful defense should one or more of our defensive measures fail.
Defense in depth.
36. Layers
When we look at the layers we might place in our defense in depth strategy, we will likely find that they vary given the particular situation and environment we are defending.
From a strictly logical information security perspective, we would want to look at the external network, network perimeter, internal network, host, application, and data layers as areas to place our defenses.
Defense in depth: layers