Group 4 Presentation Information Security


CHAPTER 5

INFORMATION SECURITY

GROUP 4
WHAT IS INFORMATION SECURITY?

IT IS OFTEN REFERRED TO AS INFOSEC.

IT IS THE PROCESSES AND TOOLS DESIGNED AND DEPLOYED TO PROTECT SENSITIVE
BUSINESS INFORMATION FROM MODIFICATION, DISRUPTION, DESTRUCTION, AND
INSPECTION.
INFORMATION SECURITY VS CYBERSECURITY

• INFORMATION SECURITY IS A BROADER CATEGORY OF PROTECTIONS, COVERING
CRYPTOGRAPHY, MOBILE COMPUTING, AND SOCIAL MEDIA.
• IT IS RELATED TO INFORMATION ASSURANCE, USED TO PROTECT INFORMATION
FROM NON-PERSON-BASED THREATS, SUCH AS SERVER FAILURES OR NATURAL
DISASTERS.
• IN COMPARISON, CYBERSECURITY ONLY COVERS INTERNET-BASED THREATS
AND DIGITAL DATA.
• ADDITIONALLY, CYBERSECURITY PROVIDES COVERAGE FOR RAW, UNCLASSIFIED
DATA WHILE INFORMATION SECURITY DOES NOT.
INFORMATION SECURITY GOALS

THREE PRIMARY GOALS OF INFORMATION SECURITY ARE PREVENTING THE LOSS
OF AVAILABILITY, THE LOSS OF INTEGRITY, AND THE LOSS OF CONFIDENTIALITY
FOR SYSTEMS AND DATA.
INFORMATION SECURITY GOALS
CONFIDENTIALITY
WHEN PROTECTING INFORMATION, WE WANT TO BE ABLE TO RESTRICT ACCESS TO THOSE WHO ARE
ALLOWED TO SEE IT; EVERYONE ELSE SHOULD BE DISALLOWED FROM LEARNING ANYTHING ABOUT ITS
CONTENTS.

INTEGRITY
THE ASSURANCE THAT THE INFORMATION BEING ACCESSED HAS NOT BEEN
ALTERED AND TRULY REPRESENTS WHAT IS INTENDED.

AVAILABILITY
INFORMATION CAN BE ACCESSED AND MODIFIED BY ANYONE AUTHORIZED TO DO
SO IN AN APPROPRIATE TIME FRAME.
INFORMATION SECURITY PRINCIPLES
NEED-TO-KNOW
A PERSON SHOULD HAVE ACCESS TO DATA SUFFICIENT TO PERFORM THEIR JOB, AND NO MORE.

LEAST PRIVILEGE
A PERSON SHOULD HAVE THE ABILITY TO DO TASKS SUFFICIENT TO PERFORM THEIR PRIMARY JOB, AND NO MORE.

SEGREGATION OF DUTIES
ENSURES NO ONE PERSON HOLDS TWO OF THESE ROLES: ORIGINATION, AUTHORIZATION,
DISTRIBUTION AND VERIFICATION.
COMMON INFORMATION SECURITY RISKS

• SOCIAL ENGINEERING ATTACKS
• ADVANCED PERSISTENT THREATS (APT)
• INSIDER THREATS
• CRYPTOJACKING
• DISTRIBUTED DENIAL OF SERVICE (DDOS)
• RANSOMWARE
• MAN-IN-THE-MIDDLE (MITM) ATTACKS
INFORMATION SECURITY TECHNOLOGIES

• FIREWALLS
• SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
• DATA LOSS PREVENTION (DLP)
• INTRUSION DETECTION SYSTEM (IDS)
• USER BEHAVIORAL ANALYTICS (UBA)
• BLOCKCHAIN CYBERSECURITY
• ENDPOINT DETECTION AND RESPONSE (EDR)
• CLOUD SECURITY POSTURE MANAGEMENT (CSPM)
TYPES OF INFORMATION SECURITY

• APPLICATION SECURITY
• INFRASTRUCTURE SECURITY
• CLOUD SECURITY
• CRYPTOGRAPHY
• INCIDENT RESPONSE
• VULNERABILITY MANAGEMENT
• DISASTER RECOVERY
1) APPLICATION SECURITY

• APPLICATION SECURITY STRATEGIES PROTECT APPLICATIONS AND APPLICATION
PROGRAMMING INTERFACES (APIS).
• THESE STRATEGIES HELP TO PREVENT, DETECT AND CORRECT BUGS OR OTHER
VULNERABILITIES IN YOUR APPLICATIONS.
• IF NOT SECURED, APPLICATION AND API VULNERABILITIES CAN PROVIDE A GATEWAY
TO YOUR BROADER SYSTEMS, PUTTING YOUR INFORMATION AT RISK.
2) CLOUD SECURITY

• IT FOCUSES ON BUILDING AND HOSTING SECURE APPLICATIONS IN CLOUD
ENVIRONMENTS AND SECURELY CONSUMING THIRD-PARTY CLOUD APPLICATIONS.
• CLOUD SIMPLY MEANS THAT THE APPLICATION IS RUNNING IN A SHARED ENVIRONMENT.
• BUSINESSES MUST MAKE SURE THAT THERE IS ADEQUATE ISOLATION BETWEEN
DIFFERENT PROCESSES IN SHARED ENVIRONMENTS.
3) CRYPTOGRAPHY

• ENCRYPTING DATA IN TRANSIT AND DATA AT REST HELPS ENSURE DATA
CONFIDENTIALITY AND INTEGRITY.
• DIGITAL SIGNATURES ARE COMMONLY USED IN CRYPTOGRAPHY TO VALIDATE THE
AUTHENTICITY OF DATA. CRYPTOGRAPHY AND ENCRYPTION HAVE BECOME
INCREASINGLY IMPORTANT.
• A GOOD EXAMPLE OF CRYPTOGRAPHY USE IS THE ADVANCED ENCRYPTION
STANDARD (AES).
• THE AES IS A SYMMETRIC KEY ALGORITHM USED TO PROTECT CLASSIFIED
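The slide names three things: encryption at rest for confidentiality and integrity, digital signatures for authenticity, and AES as the symmetric algorithm. The Go program below is an added example (not part of the group's deck) that shows all three with the standard library only: AES-256-GCM for the at-rest blob, where a flipped bit is rejected rather than silently decrypted, and Ed25519 for sign/verify. The key, the "salary" record and the "wire" message are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SealAtRest encrypts plaintext with AES-256-GCM. GCM is an authenticated
// mode: the output carries an authentication tag, so a modified ciphertext
// is rejected on decryption (integrity) as well as being unreadable without
// the key (confidentiality). The random 12-byte nonce is prepended so the
// blob is self-describing; a nonce must never repeat under the same key.
func SealAtRest(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenAtRest decrypts a blob produced by SealAtRest. It fails closed: any
// change to nonce, ciphertext or tag yields an error and no plaintext.
func OpenAtRest(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// A digital signature answers a different question from encryption: not
// "who can read this?" but "who produced this, and is it unchanged?".
// The private key signs; anyone holding the public key can verify.
func SignDocument(priv ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(priv, doc)
}

func VerifyDocument(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}

// Demo runs the four checks a reader would want to see: the round trip
// works, tampering is detected, a genuine signature verifies, and an
// altered document no longer verifies under the same signature.
func Demo() (roundTrip, tamperDetected, signatureOK, forgeryRejected bool, err error) {
	key := make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return
	}
	record := []byte("salary=120000;ssn=[constructed sample]") // constructed data at rest
	blob, err := SealAtRest(key, record)
	if err != nil {
		return
	}
	plain, err := OpenAtRest(key, blob)
	roundTrip = err == nil && string(plain) == string(record)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = OpenAtRest(key, tampered)
	tamperDetected = err != nil
	err = nil

	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	doc := []byte("wire $5,000 to account 1234") // constructed message
	sig := SignDocument(priv, doc)
	signatureOK = VerifyDocument(pub, doc, sig)
	forgeryRejected = !VerifyDocument(pub, []byte("wire $50,000 to account 1234"), sig)
	return
}

func main() {
	fmt.Println(Demo())
}
```

The tamper check is the point the slide compresses into "confidentiality and integrity": an unauthenticated mode such as plain CBC would hand back garbage or, worse, a subtly altered record, while GCM refuses to return anything. In a real system the AES key comes from a key-management service, not from the process that stores the data.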
4) INFRASTRUCTURE SECURITY

• INFRASTRUCTURE SECURITY DEALS WITH THE PROTECTION OF INTERNAL AND
EXTRANET NETWORKS, LABS, DATACENTERS, SERVERS, DESKTOPS, AND
MOBILE DEVICES.
5) VULNERABILITY MANAGEMENT
• VULNERABILITY MANAGEMENT IS THE PROCESS
OF SCANNING AN ENVIRONMENT FOR WEAK
POINTS SUCH AS UNPATCHED SOFTWARE AND
PRIORITIZING REMEDIATION BASED ON RISK.
• IN MANY NETWORKS, BUSINESSES ARE
CONSTANTLY ADDING APPLICATIONS, USERS,
INFRASTRUCTURE, AND SO ON. FOR THIS
REASON, IT IS IMPORTANT TO CONSTANTLY
SCAN THE NETWORK FOR POTENTIAL
VULNERABILITIES.
• FINDING A VULNERABILITY IN ADVANCE CAN
SAVE BUSINESSES THE CATASTROPHIC COSTS OF
A BREACH.
6) INCIDENT RESPONSE

• INCIDENT RESPONSE IS THE FUNCTION THAT MONITORS FOR AND INVESTIGATES
POTENTIALLY MALICIOUS BEHAVIOR.
• IN PREPARATION FOR BREACHES, IT STAFF SHOULD HAVE AN INCIDENT RESPONSE
PLAN FOR CONTAINING THE THREAT AND RESTORING THE NETWORK.
• IN ADDITION, THE PLAN SHOULD CREATE A SYSTEM TO PRESERVE EVIDENCE FOR
FORENSIC ANALYSIS AND POTENTIAL PROSECUTION.
• THIS DATA CAN HELP PREVENT FURTHER BREACHES AND HELP STAFF DISCOVER THE
ATTACKER.
PRIVILEGES IN INFORMATION SECURITY

• PRIVILEGE IS THE CONCEPT OF ONLY ALLOWING USERS TO DO CERTAIN THINGS.
• THE RIGHTS GRANTED TO A SINGLE USER OR GROUP OF USERS WHO OPERATE A
COMPUTER.
• IT IS DELEGATING AUTHORITY FOR MAKING CHANGES TO A COMPUTER SYSTEM.
• IN MANY SYSTEMS, THERE'S A SEPARATION BETWEEN "NORMAL" USERS
WITHOUT ANY AUTHORITY TO MAKE CHANGES TO THE SYSTEM AND
"ADMINISTRATIVE" USERS WITH FULL ACCESS TO THE SYSTEM.
AUTHENTICATION PROCEDURES
AUTHENTICATION IS THE PROCESS OF RECOGNIZING A USER’S IDENTITY.
IT IS THE MECHANISM OF ASSOCIATING AN INCOMING REQUEST WITH A
SET OF IDENTIFYING CREDENTIALS.
THE CREDENTIALS PROVIDED ARE COMPARED TO THOSE ON FILE IN A
DATABASE OF THE AUTHORIZED USERS’ INFORMATION ON A LOCAL
OPERATING SYSTEM OR WITHIN AN AUTHENTICATION SERVER.
TYPES OF AUTHENTICATION

1. PASSWORD-BASED AUTHENTICATION
2. MULTI-FACTOR AUTHENTICATION
3. CERTIFICATE-BASED AUTHENTICATION
4. BIOMETRIC AUTHENTICATION
5. TOKEN-BASED AUTHENTICATION
1) PASSWORD-BASED AUTHENTICATION

PASSWORD AUTHENTICATION IS A PROCESS THAT INVOLVES A USER INPUTTING A UNIQUE ID
AND KEY THAT ARE THEN CHECKED AGAINST STORED CREDENTIALS.
2) MULTI-FACTOR AUTHENTICATION

IT IS AN AUTHENTICATION METHOD THAT REQUIRES TWO OR MORE INDEPENDENT WAYS TO
IDENTIFY A USER.
EXAMPLES INCLUDE CODES GENERATED FROM THE USER’S SMARTPHONE, CAPTCHA TESTS,
FINGERPRINTS, VOICE BIOMETRICS OR FACIAL RECOGNITION.
3) CERTIFICATE-BASED AUTHENTICATION

• CERTIFICATE-BASED AUTHENTICATION TECHNOLOGIES IDENTIFY USERS, MACHINES
OR DEVICES BY USING DIGITAL CERTIFICATES. A DIGITAL CERTIFICATE IS AN
ELECTRONIC DOCUMENT BASED ON THE IDEA OF A DRIVER’S LICENSE OR A
PASSPORT.

• THE CERTIFICATE CONTAINS THE DIGITAL IDENTITY OF A USER, INCLUDING A PUBLIC
KEY, AND THE DIGITAL SIGNATURE OF A CERTIFICATION AUTHORITY.

• DIGITAL CERTIFICATES PROVE THE OWNERSHIP OF A PUBLIC KEY AND ARE ISSUED ONLY
BY A CERTIFICATION AUTHORITY.
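The slide's three claims (a certificate binds a name to a public key, it carries the CA's signature, and only the CA can issue it) can be watched working in a few dozen lines. The Go program below is an added example, not part of the group's deck: it builds a throwaway CA, issues a client certificate for "alice", and then shows the relying party's check rejecting a certificate that also says "alice" but was signed by a CA it does not trust, and rejecting a certificate outside its validity period. The CA names and the user name are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA creates a self-signed certification authority: the party whose
// signature on a certificate is what makes the certificate trustworthy.
func newCA(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueUserCert has the CA sign a certificate binding a freshly generated
// public key to the user's name: the "driver's licence" of the slide.
func issueUserCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user string, now time.Time) (*x509.Certificate, error) {
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &userKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyClient is the relying party's check: the presented certificate must
// chain to a CA we trust, be inside its validity period, and be permitted
// for client authentication. Only then is the subject name believed.
func VerifyClient(cert, trustedCA *x509.Certificate, now time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

// Demo reports: our CA's cert accepted; a same-named cert from an unknown
// CA rejected; our cert rejected once it has expired.
func Demo() (trustedOK, rogueRejected, expiredRejected bool, err error) {
	now := time.Now()
	ca, caKey, err := newCA("Example Corp Root CA", now) // constructed name
	if err != nil {
		return
	}
	rogueCA, rogueKey, err := newCA("Rogue CA", now) // constructed name
	if err != nil {
		return
	}
	alice, err := issueUserCert(ca, caKey, "alice", now)
	if err != nil {
		return
	}
	impostor, err := issueUserCert(rogueCA, rogueKey, "alice", now) // same name, untrusted issuer
	if err != nil {
		return
	}
	name, verr := VerifyClient(alice, ca, now)
	trustedOK = verr == nil && name == "alice"
	_, verr = VerifyClient(impostor, ca, now)
	rogueRejected = verr != nil
	_, verr = VerifyClient(alice, ca, now.Add(48*time.Hour))
	expiredRejected = verr != nil
	return
}

func main() { fmt.Println(Demo()) }
```

The impostor case is the one that matters operationally: the name inside a certificate means nothing until the chain to a trusted root has been verified, which is why a relying party's trust store, not the certificate's subject field, is the real access-control decision.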
4) BIOMETRIC AUTHENTICATION

BIOMETRIC AUTHENTICATION IS A SECURITY PROCESS THAT RELIES ON THE UNIQUE
BIOLOGICAL CHARACTERISTICS OF AN INDIVIDUAL.
EXAMPLES INCLUDE:
• FACIAL RECOGNITION
• FINGERPRINT SCANNERS
• SPEAKER RECOGNITION
• EYE SCANNERS

5) TOKEN-BASED AUTHENTICATION

IT ENABLES USERS TO ENTER THEIR CREDENTIALS ONCE AND RECEIVE A UNIQUE
ENCRYPTED STRING OF RANDOM CHARACTERS IN EXCHANGE.
YOU CAN THEN USE THE TOKEN TO ACCESS PROTECTED SYSTEMS INSTEAD OF
ENTERING YOUR CREDENTIALS ALL OVER AGAIN.


ACCESS CONTROL SCHEMES
ACCESS CONTROL

• IS A FUNDAMENTAL COMPONENT OF DATA SECURITY THAT DICTATES WHO’S
ALLOWED TO ACCESS AND USE COMPANY INFORMATION AND RESOURCES.
• THROUGH AUTHENTICATION AND AUTHORIZATION, ACCESS CONTROL
POLICIES MAKE SURE USERS ARE WHO THEY SAY THEY ARE AND THAT THEY
HAVE APPROPRIATE ACCESS TO COMPANY DATA.
• ACCESS CONTROL CAN ALSO BE APPLIED TO LIMIT PHYSICAL ACCESS TO
CAMPUSES, BUILDINGS, ROOMS, AND DATACENTERS.
IMPORTANCE OF ACCESS CONTROL

• CONFIDENTIALITY
• INTRUSION DETECTION AND PREVENTION
• RESTRICT UNAUTHORISED ACCESS
• ELIMINATE KEY CONCERNS
• PREVENT DATA INTERCEPTION
• CONTROL DATA OWNERSHIP & DUPLICATES
COMPONENTS OF ACCESS CONTROL
TYPES OF ACCESS CONTROL

1. DISCRETIONARY ACCESS CONTROL (DAC)
2. MANDATORY ACCESS CONTROL (MAC)
3. ATTRIBUTE-BASED ACCESS CONTROL (ABAC)
4. ROLE-BASED ACCESS CONTROL (RBAC)

1) DISCRETIONARY ACCESS CONTROL (DAC)
THE OWNER OR ADMINISTRATOR OF THE PROTECTED SYSTEM, DATA, OR RESOURCE SETS
THE POLICIES FOR WHO IS ALLOWED ACCESS.

2) MANDATORY ACCESS CONTROL (MAC)
PEOPLE ARE GRANTED ACCESS BASED ON AN INFORMATION CLEARANCE. A CENTRAL
AUTHORITY REGULATES ACCESS RIGHTS BASED ON DIFFERENT SECURITY LEVELS. THIS
MODEL IS COMMON IN GOVERNMENT AND MILITARY ENVIRONMENTS.

3) ATTRIBUTE-BASED ACCESS CONTROL (ABAC)
ACCESS IS BASED ON A SET OF ATTRIBUTES AND ENVIRONMENTAL CONDITIONS, SUCH AS
TIME OF DAY AND LOCATION, ASSIGNED TO BOTH USERS AND RESOURCES.

4) ROLE-BASED ACCESS CONTROL (RBAC)
IT IS BASED ON DEFINED BUSINESS FUNCTIONS RATHER THAN THE INDIVIDUAL USER’S IDENTITY.
THE GOAL IS TO PROVIDE USERS WITH ACCESS ONLY TO DATA THAT’S BEEN DEEMED NECESSARY
FOR THEIR ROLES WITHIN THE ORGANIZATION. THIS WIDELY USED METHOD IS BASED ON A
COMPLEX COMBINATION OF ROLE ASSIGNMENTS, AUTHORIZATIONS, AND PERMISSIONS.
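The principles slide (need-to-know, least privilege, segregation of duties) and the access-control models above describe decision logic, so one added example serves both. The Go program below is not from the group's deck: it layers a MAC clearance check, an RBAC role lookup and an ABAC environmental rule inside a single Decide function, and refuses outright any account whose combined roles violate segregation of duties. The role names, permission strings, clearance numbers and the "office network, 09:00 to 17:00" rule are all constructed for illustration; DAC, where the resource owner edits the policy, is not modelled here.

```go
package main

import (
	"fmt"
	"time"
)

// Permission names are constructed for this example.
type Permission string

const (
	PermOriginatePayment Permission = "payment:originate"
	PermAuthorizePayment Permission = "payment:authorize"
	PermReadLedger       Permission = "ledger:read"
)

// RBAC: permissions attach to business roles, never to individuals, and
// each role carries only what that job needs (least privilege).
var rolePermissions = map[string][]Permission{
	"clerk":    {PermOriginatePayment, PermReadLedger},
	"approver": {PermAuthorizePayment, PermReadLedger},
	"auditor":  {PermReadLedger},
}

// Segregation of duties: no single person may hold both halves of a
// conflicting pair. Originating and authorizing a payment conflict.
var conflictingPairs = [][2]Permission{
	{PermOriginatePayment, PermAuthorizePayment},
}

// Subject carries RBAC roles plus the attributes the MAC and ABAC rules read.
type Subject struct {
	Name      string
	Roles     []string
	Clearance int    // MAC: numeric clearance level, higher = more trusted
	Network   string // ABAC attribute: "office" or "remote"
}

// Resource is the object being accessed, with its MAC classification level.
type Resource struct {
	Name  string
	Level int
}

func hasPermission(s Subject, p Permission) bool {
	for _, role := range s.Roles {
		for _, granted := range rolePermissions[role] {
			if granted == p {
				return true
			}
		}
	}
	return false
}

// ViolatesSegregation reports whether the subject's combined roles grant
// both permissions of any conflicting pair.
func ViolatesSegregation(s Subject) bool {
	for _, pair := range conflictingPairs {
		if hasPermission(s, pair[0]) && hasPermission(s, pair[1]) {
			return true
		}
	}
	return false
}

// Decide evaluates the layers in order and fails closed:
//  1. segregation of duties (a mis-provisioned account gets nothing),
//  2. MAC "no read up": clearance must reach the resource's level,
//  3. RBAC: some role must grant the permission,
//  4. ABAC: payment authorization only from the office network during
//     09:00-17:00 (an assumed company rule).
func Decide(s Subject, p Permission, r Resource, now time.Time) (bool, string) {
	if ViolatesSegregation(s) {
		return false, "segregation of duties violated"
	}
	if s.Clearance < r.Level {
		return false, "insufficient clearance"
	}
	if !hasPermission(s, p) {
		return false, "no role grants " + string(p)
	}
	if p == PermAuthorizePayment {
		if s.Network != "office" {
			return false, "authorization only from office network"
		}
		if h := now.Hour(); h < 9 || h >= 17 {
			return false, "outside business hours"
		}
	}
	return true, "allowed"
}

func main() {
	ledger := Resource{Name: "ledger", Level: 1}
	clerk := Subject{Name: "dana", Roles: []string{"clerk"}, Clearance: 1, Network: "office"}
	fmt.Println(Decide(clerk, PermAuthorizePayment, ledger, time.Date(2024, 1, 8, 10, 0, 0, 0, time.UTC)))
}
```

Returning the reason string alongside the boolean is deliberate: denied decisions are the events a SIEM or UBA tool wants to see, and "segregation of duties violated" on a login is a provisioning bug worth alerting on even though nothing was accessed.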
BACKUP AND RECOVERY SCHEMES
BACKUP AND RECOVERY

• IT DESCRIBES THE PROCESS OF CREATING AND STORING COPIES OF DATA THAT CAN BE USED TO
PROTECT ORGANIZATIONS AGAINST DATA LOSS.

• THIS IS SOMETIMES REFERRED TO AS OPERATIONAL RECOVERY.

• RECOVERY FROM A BACKUP TYPICALLY INVOLVES RESTORING THE DATA TO THE ORIGINAL LOCATION,
OR TO AN ALTERNATE LOCATION WHERE IT CAN BE USED IN PLACE OF THE LOST OR DAMAGED DATA.

• A PROPER BACKUP COPY IS STORED IN A SEPARATE SYSTEM OR MEDIUM, SUCH AS TAPE, FROM THE
PRIMARY DATA TO PROTECT AGAINST THE POSSIBILITY OF DATA LOSS DUE TO PRIMARY HARDWARE OR
SOFTWARE FAILURE.
IMPORTANCE OF BACKUP AND RECOVERY

• TOTAL DATA PROTECTION
• QUICK AND EFFICIENT RESTORE
• COST-EFFECTIVE AND CONVENIENT
• RANSOMWARE PROTECTION AND RECOVERY
STEPS FOR BACKUP & RECOVERY

• BACKUP & RECOVERY CONSISTS OF A CYCLE OF ITERATIVE ACTIVITIES AND PROCESSES
THAT REQUIRE ONGOING MONITORING AND CONTROL.
DIFFERENT TYPES OF DATA BACKUP AND RECOVERY

FULL BACKUP
A FULL BACKUP IS THE MOST BASIC OF ALL BACKUP TYPES: ALL DATA IS COPIED TO
ANOTHER LOCATION.

INCREMENTAL BACKUP
THIS TYPE ONLY BACKS UP THE INFORMATION THAT HAS CHANGED SINCE THE LAST
BACKUP OCCURRED.

DIFFERENTIAL BACKUP
SIMILAR TO AN INCREMENTAL BACKUP, A DIFFERENTIAL BACKUP COPIES ALL DATA
CHANGED SINCE THE LAST FULL BACKUP EVERY TIME IT IS RUN.
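The difference between incremental and differential is easiest to see by running both against the same history. The Go program below is an added example, not part of the group's deck: Plan applies the three definitions above to a constructed set of files with modification times, and RestoreSet shows the consequence the slide does not spell out, namely which backups must all be intact to restore. The file names and dates are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

type BackupKind int

const (
	Full BackupKind = iota
	Incremental
	Differential
)

func (k BackupKind) String() string {
	return [...]string{"full", "incremental", "differential"}[k]
}

// File is a constructed stand-in for a filesystem entry: path plus mtime.
type File struct {
	Path     string
	Modified time.Time
}

// Backup records one run: its kind, when it ran, and which paths it copied.
type Backup struct {
	Kind  BackupKind
	Taken time.Time
	Files []string
}

// Plan decides what the next run copies, using the slide's definitions:
// full copies everything; incremental copies what changed since the most
// recent backup of any kind; differential copies what changed since the
// most recent full. With no prior backup to measure from, either variant
// degrades to a full copy rather than silently backing up nothing.
func Plan(kind BackupKind, files []File, history []Backup, now time.Time) Backup {
	var since time.Time // zero value means "copy everything"
	switch kind {
	case Incremental:
		if n := len(history); n > 0 {
			since = history[n-1].Taken
		}
	case Differential:
		for i := len(history) - 1; i >= 0; i-- {
			if history[i].Kind == Full {
				since = history[i].Taken
				break
			}
		}
	}
	b := Backup{Kind: kind, Taken: now}
	for _, f := range files {
		if since.IsZero() || f.Modified.After(since) {
			b.Files = append(b.Files, f.Path)
		}
	}
	sort.Strings(b.Files)
	return b
}

// RestoreSet lists which entries of history must be restored, in order, to
// rebuild the latest state: the last full, then every incremental after it,
// except that a differential supersedes everything between it and the full.
// This is the operational trade-off: incrementals are small to take, but
// every link in the chain must be intact to restore.
func RestoreSet(history []Backup) []int {
	lastFull := -1
	for i := len(history) - 1; i >= 0; i-- {
		if history[i].Kind == Full {
			lastFull = i
			break
		}
	}
	if lastFull < 0 {
		return nil
	}
	set := []int{lastFull}
	for i := lastFull + 1; i < len(history); i++ {
		if history[i].Kind == Differential {
			set = []int{lastFull, i}
		} else {
			set = append(set, i)
		}
	}
	return set
}

func main() {
	day := func(d int) time.Time { return time.Date(2024, 3, 1+d, 2, 0, 0, 0, time.UTC) }
	files := []File{{"a.txt", day(1)}, {"b.txt", day(-1)}, {"c.txt", day(-1)}} // constructed
	full := Plan(Full, files, nil, day(0))
	inc := Plan(Incremental, files, []Backup{full}, day(2))
	fmt.Println(full.Kind, full.Files, inc.Kind, inc.Files)
}
```

RestoreSet is also the check to run before trusting a backup scheme for ransomware recovery: if any index it returns points at media that is missing or was itself encrypted, the restore cannot complete, which is the practical reason the earlier slide insists on a separate system or medium.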
