Chapter 1 Introduction To Information Security


Information Security

Introduction
-Er.Shankar Bhattarai, M.Sc. Engg.
My Introduction
• Shankar Bhattarai
• M.Sc. Engineering in Technology and Innovation Management
(Pulchowk Campus, IoE, Tribhuvan University)
• B.E Computer Engineering (Kantipur Engineering College, Tribhuvan
University)
Email: [email protected]
Current: IT Officer (SHRUTI Office), Lecturer (CITE)
Past: System Admin (GIZ Nepal), Project Coordinator (Bits Innovation)
Interest: Computer Network & Security
Basics of Information System
• Data: raw facts
Alphanumeric, image, audio, and video
• Information: collection of facts organized in such a way that they have
additional value beyond the value of the facts themselves.
• An Information System is a set of interrelated components that
collect or retrieve, process, store and distribute information to
support decision making and control in an organization.
What is Security?
• “The quality or state of being secure i.e. to be free from danger”
• To be protected from attackers
• A successful organization should have multiple layers of security in
place:
• Physical security
• Personal security
• Operations security
• Communications security
• Network security
Information Security
Information security means protecting information and information
systems from unauthorized access, use, disclosure, disruption,
modification, or destruction.

According to the SANS Institute:


“Information security refers to the processes and methodologies that
are designed and implemented to protect print, electronic, or any other
form of confidential, private and sensitive information or data from
unauthorized access, use, misuse, disclosure, destruction, modification
or disruption”
Information Security
• Information Security programs are built around 3 objectives,
commonly known as CIA – Confidentiality, Integrity, Availability.
• Confidentiality – means information is not disclosed to unauthorized
individuals, entities and processes.
• Integrity – means maintaining accuracy and completeness of data.
• Availability – means information must be available when needed.
Cybersecurity
• Cybersecurity is a subset of information security.
• According to Cisco, “Cybersecurity is the practice of protecting
systems, networks and programs from digital attacks. These attacks
are usually aimed at accessing, changing, or destroying sensitive
information; extorting money from users; or interrupting normal
business processes.”

• InfoSec aims to keep data in any form secure, whereas cybersecurity
protects only digital data.
Network Security

Network security focuses on internal protection by keeping close surveillance
on passwords, firewalls, internet access, encryption, backups and more.
The main focus is to protect internal information by monitoring employee
behavior and network access.
According to the SANS Institute:
• “Network security is the process of taking physical and software
preventative measures to protect the underlying networking
infrastructure from unauthorized access, misuse, malfunction,
modification, destruction, or improper disclosure, thereby creating a
secure platform for computers, users and programs to perform their
permitted critical functions within a secure environment.”
History of Information security

• The Enigma machine was invented
by the German engineer Arthur
Scherbius at the end of World War
I.
• Several different Enigma models
were produced, but the German
military models, having a
plugboard, were the most
complex.
• Around December 1932, Marian
Rejewski, a Polish mathematician
and cryptanalyst, while working at
the Polish Cipher Bureau broke
the message keys of the
plugboard Enigma machine.
History
• Computer security began immediately after the first mainframes were
developed, around 1943
• Groups developing code-breaking computations during World War II
created the first modern computers
• Physical controls were needed to limit access to authorized personnel
to sensitive military locations
During this time, there was no internet or network to worry about, so
security was largely focused on more physical measures, and
preventing access to people with enough knowledge about how to
work a computer.
History
After the development of Internet
• Creeper was an experimental computer program written by Bob
Thomas in 1971. This self-replicating version of Creeper is generally
accepted to be the first computer worm.
• The program was not actively malicious software as it caused no
damage to data, the only effect being a message it output to the
teletype reading "I'M THE CREEPER; CATCH ME IF YOU CAN".
• Later, Reaper was a similar program created by Ray Tomlinson to
move across the ARPANET and delete the self-replicating Creeper
History
• In 1989, the first DDoS attack in history was recorded. Robert Morris
created a worm that dramatically slowed down internet speed and
functionality.
• Originally, this one wasn’t designed with any harmful intent but rather to
highlight security flaws; disaster struck when a fault in its code
caused it to replicate excessively, causing extensive damage.
• In the same year, 1989, the first ransomware attack was also recorded.
Designed by Joseph Popp, it was poorly designed and could easily be
removed.
History
• In 1990, an act was passed in the UK (i.e. the Computer Misuse Act 1990) that
made any unauthorized access to any computer system illegal.
• This act became the foundation for cybersecurity protections.
• In 1994, SSL (Secure Sockets Layer) was introduced by Netscape.
• SSL is an internet protocol that encrypts communications between
our computing devices.
• In 1995, version 2.0 was released and SSL was implemented in HTTP, which
is commonly known as HTTPS.
Method of Defense
1. Encryption
• The most powerful tool in providing computer security is coding. By transforming data
so that it is unintelligible to the outside observer, the value of an interception and the
possibility of a modification or a fabrication are almost nullified.
• Encryption provides secrecy for data. Additionally, encryption can be used to achieve
integrity, since data that cannot be read generally also cannot be changed.
Furthermore, encryption is important in protocols, which are agreed-upon sequences of
actions to accomplish some task. Some protocols ensure availability of resources. Thus,
encryption is at the heart of methods for ensuring all three goals of computer security.
• Steganography is the technique of hiding secret data within an ordinary, non-secret, file
or message in order to avoid detection; the secret data is then extracted at its
destination.
Encryption
Encryption
A process of encoding a message
Decryption
It is the reverse process
Ciphertext
Ciphertext is encrypted text transformed from plaintext using an encryption algorithm.
Ciphertext can't be read until it has been converted into plaintext (decrypted) with a key.
Encryption algorithms generally use a key (K):
Symmetric encryption (uses private key only)
Asymmetric encryption (uses public key and private key)
Encryption
Most used Encryption methods:
DES (Data Encryption Standard)
DES stands for Data Encryption Standard. It was developed in the early 1970s at IBM.
DES is a symmetric cryptographic (private key) algorithm: a single key is used for both
encryption and decryption. DES encrypts by dividing the data into smaller chunks of
64 bits and then using a 56-bit key with the encryption algorithm to produce a 64-bit
block of ciphertext.
Triple DES/ 3DES (3 Data Encryption Standard)
Triple DES was designed to replace the original Data Encryption Standard (DES)
algorithm, which hackers eventually learned to defeat with relative ease. At one time,
Triple DES was the recommended standard and the most widely used symmetric
algorithm in the industry approved in 1995.
Encryption
RSA (Rivest-Shamir-Adleman, 1977)
RSA is a public-key encryption algorithm and the standard for encrypting data sent
over the internet. Unlike Triple DES, RSA is considered an asymmetric algorithm due
to its use of a pair of keys.
AES (Advanced Encryption Standard, 2001)
The Advanced Encryption Standard (AES) is the algorithm trusted as the standard
by the U.S. Government and numerous organizations. It is a symmetric key
algorithm, meaning the same key is used for both encryption and decryption. Although
it is extremely efficient in 128-bit form, AES also uses keys of 192 and 256 bits for
heavy duty encryption purposes.
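Added example (not part of the original slides): a small Python sketch contrasting the two key models named above, a symmetric cipher where one shared key both encrypts and decrypts, and an RSA-style key pair where the public key encrypts and only the private key decrypts. The function names, the SHA-256 keystream cipher and the tiny primes 61 and 53 are constructed for illustration; neither toy cipher is secure for real use.

```python
# Added illustration only: toy ciphers to contrast key handling. Not secure.
import hashlib
import secrets


def keystream(key: bytes, length: int) -> bytes:
    """Stretch the shared key into `length` bytes (SHA-256 over a counter)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def symmetric_crypt(key: bytes, data: bytes) -> bytes:
    """Symmetric: one shared key; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def rsa_keypair(p: int, q: int, e: int):
    """Asymmetric: derive a (public, private) key pair from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent = inverse of e modulo phi
    return (n, e), (n, d)


def rsa_apply(key, value: int) -> int:
    """Textbook RSA: value ** exponent mod n, for either half of the pair."""
    n, exponent = key
    return pow(value, exponent, n)


def demo():
    """Return four booleans showing who can and cannot decrypt."""
    shared = secrets.token_bytes(16)          # both parties must hold this
    message = b"constructed sample text"
    ct = symmetric_crypt(shared, message)
    sym_ok = symmetric_crypt(shared, ct) == message
    wrong_key_fails = symmetric_crypt(secrets.token_bytes(16), ct) != message

    # Constructed tiny primes for readability; real keys are 2048 bits or more.
    public, private = rsa_keypair(61, 53, 17)
    c = rsa_apply(public, 65)                 # anyone may encrypt
    asym_ok = rsa_apply(private, c) == 65     # only the private key decrypts
    public_cannot_decrypt = rsa_apply(public, c) != 65
    return sym_ok, wrong_key_fails, asym_ok, public_cannot_decrypt


if __name__ == "__main__":
    print(demo())
```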
Contd.. (Methods of Defense)
2. Software Controls
• Programs themselves are the second link in computer security. Programs must
be secure enough to exclude outside attack. They must also be developed
and maintained so that one can be confident of the dependability of the
programs.
• Program controls include the following kinds of things:
• Development controls, which are standards under which a program is designed,
coded, tested, and maintained
• Operating system controls, which are limitations enforced by the operating system to
protect each user from all other users
• Internal program controls that enforce security restrictions, such as access limitations
in a database management program
Contd.. (Methods of Defense)
3. Hardware Controls
• Numerous hardware devices have been created to assist in providing
computer security. These devices include a variety of means, such as
• hardware or smart card implementations of encryption
• locks or cables limiting access or deterring theft
• devices to verify users' identities
• firewalls
• intrusion detection systems (IDS)
• circuit boards that control access to storage media
Contd.. (Methods of Defense)
4. Policies and Procedures
• Sometimes, we can rely on agreed-on procedures or policies among
users rather than enforcing security through hardware or software
means. In fact, some of the simplest controls, such as frequent
changes of passwords, can be achieved at essentially no cost but with
tremendous effect. Training and administration follow immediately
after establishment of policies, to reinforce the importance of security
policy and to ensure their proper use.
Contd.. (Methods of Defense)
4. Physical Controls
• Some of the easiest, most effective, and least expensive controls are
physical controls. Physical controls include locks on doors, guards at
entry points, backup copies of important software and data, and
physical site planning that reduces the risk of natural disasters. Often
the simple physical controls are overlooked while we seek more
sophisticated approaches.
Contd.. (Methods of Defense)
5. Awareness of Problem
• People using controls must be convinced of the need for security. That
is, people will willingly cooperate with security requirements only if
they understand why security is appropriate in a given situation.
However, many users are unaware of the need for security, especially
in situations in which a group has recently undertaken a computing
task that was previously performed with lax or no apparent security.
Contd.. (Methods of Defense)
6. Overlapping Controls
• As we have seen with fortress or home security, several different controls may apply to
address a single vulnerability. For example, we may choose to implement security for a
microcomputer application by using a combination of controls on program access to the
data, on physical access to the microcomputer and storage media, and even by file
locking to control access to the processing programs.

7. Periodic Review
• Few controls are permanently effective. Just when the security specialist finds a way to
secure assets against certain kinds of attacks, the opposition doubles its efforts in an
attempt to defeat the security mechanisms. Thus, judging the effectiveness of a control is
an ongoing task. (Sidebar 1-8 reports on periodic reviews of computer security.)
Computer Attack
• A computer/cyber attack is any type of offensive action that targets
computer information systems, infrastructures, computer networks or
personal computer devices, using various methods to steal, alter or destroy
data or information systems.
• Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks
• Man-in-the-middle (MitM) attack
• Phishing and spear phishing attacks
• Password attack/Brute force
• SQL injection attack
• Cross-site scripting (XSS) attack
• Eavesdropping attack
• Malware attack
Biggest Cyber Attacks in the History
Yahoo!, 2016
• The company said the attack compromised the real names, email
addresses, dates of birth and telephone numbers of 500 million users.
Marriott - Starwood Hotels, 2018
• On November 30, 2018, Marriott International, one of the largest
hotel chains in the world, suffered a major data breach involving its
reservations database. Marriott initially estimated that as many as 500
million of its customers might have been affected by the cyber-
incident, but then went on to amend its estimate to 383 million.
Biggest Cyber Attacks in the History
eBay
• As one of the world’s largest online marketplaces, most famous for its
auction-style sales, eBay probably needs little in the way of introduction.
In 2014, the company disclosed that it had been the victim of an attack in
which as many as 145 million of its active users were affected.
Target
• In 2013, Target, one of the largest retailers in the United States, suffered
a major data breach that affected more than 41 million customer
payment card accounts as well as the contact information of over 60
million customers.
Biggest Cyber Attacks in the History
• Evernote: 50 million records compromised in 2013
• Living Social: 50 million records compromised in 2013
• Sony Online Entertainment: 24.6 million records compromised in
2011
• Sony PlayStation Network: 77 million records compromised in 2010
Biggest Cyber Attacks in the History
• In Nepal,
Vianet, April 2020
There was a breach of customer data from a well-known ISP of Nepal,
Vianet; the data of more than 1.7 Lakh users was leaked on the internet.
Foodmandu, March 2020
The hackers leaked a database consisting of more than 50,000 user
names, personal details, latitude, longitude, current addresses, emails, and
phone numbers.
Biggest Cyber Attacks in the History
ATM Hacked, 2019
On September 2nd, 2019, five Chinese citizens were found hacking the Nepalese
ATM server around Kathmandu Valley. The hackers succeeded in hacking the
ATM machine after injecting malware into it. In this
cybercrime, the Chinese hackers robbed Rs 17.6 lakh in total.
Security breaches lead to
• Reputation loss
• Financial loss
• Intellectual property loss
• Breaches leading to legal actions
• Loss of customer confidence
• Business interruption costs
• Loss of goodwill
Social Engineering
• Social Engineering – is the art of manipulating people so that they
give up their confidential information like bank account details,
password etc.
• These criminals can trick you into giving up your private and confidential
information, or they will gain your trust to get access to your computer
and install malicious software that will give them control of your
computer.
Computer Crime
• Cybercrime, also called computer crime, is the use of a computer as an instrument to
further illegal ends, such as committing fraud, stealing intellectual property,
stealing identities, violating privacy, or spreading private images or videos over
the internet.
• Computer crime is an act performed by a knowledgeable computer user, sometimes
referred to as a hacker, who illegally browses or steals a company's or individual's
private information. In some cases, this person or group of individuals may be
malicious and destroy or otherwise corrupt the computer or data files.
• From 2018 to 2019, 180 cases of cybercrime were recorded, 125 from
Kathmandu and 55 from outside the valley.
• There were 132 cases reported during 2017, and according to Nepal Police, they
reported just 53 cases of cybercrime in 2016.
Computer security risk
• A computer security risk is anything on your computer that may
damage or steal your data or allow someone else to access your
computer, without your knowledge or consent. There are a lot of
different things that can create a computer risk like malware (Viruses),
spyware, ransomware, trojan horse, worms etc.
• Misconfiguration of computer products as well as unsafe computing
habits also pose risks.
Threats on Information Security
• A threat can be anything that can take advantage of a vulnerability to
breach security and negatively alter, erase, or harm an object or objects of
interest.
• Vulnerable: The state of being exposed to the possibility of being
attacked or harmed
END !!
