Lec 1 - IS - Intro


Lecture – 1

Information Security (CSNC3413)


Section: G-9
Course Instructor: Mahwish Shahid
Course Instructor

 Mahwish Shahid
 Email: Mahwish.shahid@ucp.edu.pk
 Office: Sports Building (GYM Faculty),
o 2nd floor, Cabin 13, FOIT
Policies and Guidelines
 No usage of cellphones in the class!
 Attendance Policy/Late Policy
 Quiz Policy
 Mostly announced and 4-6 Quizzes
 Assignments
 Mostly group based assignments
 Group strength 5-6 students
 4 Assignments
 Plagiarism/AI results in Zero (0)
 Class Participation
 Class exercises (No retake)
Good Practices
 Be on time in class
 Be regular (do not miss a single class)
 Start assignments on time
 Do not miss any assignment or quiz
 Come up with good questions (ask in class/after class)
 Visit during office hours to discuss your problems/assignments
Bad Practices
 Excuses
 Coming late to class (remember: the quiz will be in the first 15 minutes of class)
 Coming to class without a pen and notebook
 Asking for leaves --- the teacher has no authority to grant leaves.
 Manage your 6 permitted absences as emergency leaves, or request the HoD/Dean for extra leaves.
 Requesting an increase in marks
 Coming to class without reading the required text/notes
 Copying / plagiarism
 Asking to extend a deadline
 Using mobile phones in class or cross-talk in class
“There is no alternative to hard work!”
Learning Outcomes

CLO 1 (Bloom's Taxonomy level 2; PLO 1 - Academic Education):
Identify and comprehend basic terms, technologies and concepts of information security.

CLO 2 (Bloom's Taxonomy level 4; PLO 3 - Problem Analysis):
Investigate and analyze real situations from the information security point of view and model them using various security control measures.

CLO 3 (Bloom's Taxonomy level 3; PLO 4 - Design/Development of Solutions):
Apply the concepts of confidentiality, integrity, and availability in practice.
Contents

 Introduction of Information Security
o Basics of Information Security
o Basic terminologies
o CIA Model
o Solution of CIA related Issues?
o Social Engineering
Why This Course is Important?

• Growing Cyber Threats: Increase in cybercrime, hacking, and breaches.
• Real-World Application: Critical for safeguarding personal data, corporate assets, and national security.
• Professional Growth: Information security expertise is in high demand, opening roles like Security Analyst, Penetration Tester, and Risk Manager.
• Compliance & Regulations: Familiarity with laws like GDPR, HIPAA, and data protection regulations.
How This Course Will Help You in the
Future
• Career Opportunities: Wide range of job opportunities in
cybersecurity, ethical hacking, and network security.
• Knowledge Application: Apply security principles to protect systems
in future workplaces.
• Critical Thinking: Develop the mindset to assess risks and implement
robust security measures.
• Cross-Disciplinary Skills: Cybersecurity knowledge is relevant to
finance, healthcare, government, and IT sectors.
Class Activity - Think, Pair, Share

 Objective: To engage students in understanding the difference between data and information and how security applies to each.
• Step 1: Think individually for 2 minutes: What are examples of data and information from a security perspective?
• Step 2: Pair up and discuss your examples with your partner.
• Step 3: Share your findings with the class.
 Examples for guidance:
• Data: Raw numbers or files (e.g., 123456, login credentials).
• Information: Processed data that provides meaning (e.g., user login data tied to an account).
WHAT IS DATA?

 Data is a collection of raw facts, figures, images, audio, video, and multimedia that can be stored, processed, and analyzed.
 Data is often unorganized and lacks context, but it can be used to generate information.
WHAT IS INFORMATION?

 Information is processed and contextualized data that has meaning and relevance to a specific context or situation. Information is often structured and organized in a way that makes it easier to understand and use.
Data vs Information in Security

• Data: Raw, unprocessed facts (e.g., login credentials, transaction data).
• Information: Processed data that carries meaning (e.g., user identity or patterns from transaction data).
• Security Implications: Protecting data at all stages, from collection to processing, is crucial to prevent breaches, fraud, and data misuse.
DIKIW Model in Information Security

• Data: Raw facts without context (e.g., server logs).
• Information: Contextualized data (e.g., analyzing logs for unusual activity).
• Knowledge: Understanding patterns and implications (e.g., recognizing a potential security threat).
• Wisdom: Applying learned knowledge to make security decisions (e.g., implementing a firewall rule to block suspicious IPs).
DIKIW Model

 Example:
• Data: Login attempts at different times.
• Information: Multiple failed login attempts.
• Knowledge: These are coming from different IPs, indicating a possible brute force attack.
• Wisdom: Implement multi-factor authentication to enhance security.
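The login-attempt example above, carried through as code. This is an added example, not part of the original slides: the log lines are constructed sshd-style records (the addresses are documentation ranges), and the thresholds (four failures within one minute, three or more source IPs) are assumptions chosen for the demo. The walk from raw lines to a recommended control mirrors the four DIKIW steps, and it shows why the slide's "block the IP" firewall rule is the wrong control once the attempts are distributed across many sources.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style log lines for the demo (not from any real system).
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[1012]: Failed password for alice from 203.0.113.5 port 51022 ssh2
2024-03-01T10:00:03 sshd[1012]: Failed password for alice from 203.0.113.17 port 51030 ssh2
2024-03-01T10:00:04 sshd[1012]: Failed password for alice from 198.51.100.9 port 40211 ssh2
2024-03-01T10:00:06 sshd[1012]: Failed password for alice from 192.0.2.44 port 40300 ssh2
2024-03-01T10:00:09 sshd[1012]: Failed password for alice from 203.0.113.88 port 51100 ssh2
2024-03-01T10:00:12 sshd[1012]: Accepted password for alice from 203.0.113.88 port 51101 ssh2
2024-03-01T10:05:00 sshd[1013]: Failed password for bob from 10.0.0.7 port 33001 ssh2
2024-03-01T10:05:30 sshd[1013]: Accepted password for bob from 10.0.0.7 port 33002 ssh2
2024-03-01T10:06:00 kernel: eth0 link up
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_log(text):
    """Data -> information: turn raw lines into structured login events.
    Lines that are not sshd password events are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "result": m["result"],
                "user": m["user"],
                "ip": m["ip"],
            })
    return events


def analyse(events, window=timedelta(minutes=1), min_failures=4, min_ips=3):
    """Information -> knowledge: for each account, look for a burst of failures
    inside `window` and check whether it came from several source IPs."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        failed = [e for e in evs if e["result"] == "Failed"]
        for i, first in enumerate(failed):
            burst = [e for e in failed[i:] if e["ts"] - first["ts"] <= window]
            if len(burst) < min_failures:
                continue
            ips = {e["ip"] for e in burst}
            last_fail = burst[-1]["ts"]
            # A success right after the burst may mean one of the guesses worked.
            success_after = any(e["result"] == "Accepted" and e["ts"] > last_fail
                                for e in evs)
            findings[user] = {
                "failures": len(burst),
                "distinct_ips": len(ips),
                "distributed": len(ips) >= min_ips,
                "success_after_burst": success_after,
            }
            break
    return findings


def recommend(finding):
    """Knowledge -> wisdom: pick a control that fits the pattern. Blocking one
    IP (a firewall rule) only helps when the attempts come from one source."""
    if finding["success_after_burst"]:
        return "possible compromise: revoke sessions, reset the password, enforce MFA"
    if finding["distributed"]:
        return "distributed brute force: enforce MFA and per-account lockout; IP blocking alone is ineffective"
    return "single-source brute force: block the source IP and rate-limit the account"


if __name__ == "__main__":
    for user, finding in analyse(parse_log(SAMPLE_LOG)).items():
        print(user, finding, "->", recommend(finding))
```

On the sample data, alice accumulates five failures from five different addresses in eight seconds and then a success, so the recommendation is to treat the account as possibly compromised; bob's single failure followed by a success is normal user behaviour and produces no finding.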
DIKIW - MODEL
 The DIKIW model is a framework that describes the relationship
between data, information, knowledge, intelligence, and wisdom.
 The model suggests that data is the most basic form of information,
which is then processed and contextualized to form knowledge.
 Intelligence is the ability to use knowledge to solve problems or make
decisions, while wisdom is the ability to apply intelligence to achieve
long-term goals and benefits.
 The DIKIW model is often used in information management and
knowledge management to help organizations manage and leverage
their data, information, and knowledge assets.
WHAT IS AN ASSET?

 An asset is what we are trying to protect.


 Anything that is valuable for an organization
 Information
 Property
 Software
 Hardware
 Human
WHAT IS A THREAT?

 Anything that can cause harm to an asset, typically originating from someone (or something) other than the asset's owner.
 A threat is a potential danger to an asset (e.g., information).

 Threat Agent:
 The entity that causes the threat to happen
 Example: An intruder in a system, malware, nature (fire, flood)
WHAT IS A VULNERABILITY?

 A weakness or gap in our protection efforts.
 It makes an attack possible.
 A vulnerability is a weakness or gap in a security program that can be exploited by threats to gain unauthorized access to an asset.
WHAT IS RISK?

 The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.

→ A risk is a possible event which could cause a loss
→ Risk is partly a matter of perception: the risk owner's own assessment of how likely and how damaging the event is
→ Risk = F(Threat, Vulnerability, Asset)

 Risk is the intersection of assets, threats, and vulnerabilities: without a valuable asset, a threat to it and a vulnerability the threat can exploit, there is no risk.
EXPOSURE FACTOR AND IMPACT

 Exposure Factor (EF) and Impact are two terms that are commonly used in the field of risk management.
 Exposure Factor is the percentage of an asset's value that would be lost if a specific threat materialises.
 In other words, it represents the potential damage that one occurrence of the threat can cause to the asset, as a fraction of the asset's value: Single Loss Expectancy (SLE) = Asset Value x EF.
 The percentage is estimated from the nature of the threat and the vulnerability of the asset to it. The likelihood of the threat occurring is not part of EF; it enters the calculation separately (e.g., Annualized Loss Expectancy (ALE) = SLE x annual rate of occurrence).
EXPOSURE FACTOR AND IMPACT
(Cont.)
 Impact, on the other hand, refers to the overall extent of damage that a threat can cause.
 It takes into account the Exposure Factor, as well as other factors such as the duration of the impact and the availability of backup resources.
 Impact is usually expressed as a range of values, such as low, medium, or high, based on the severity of the potential damage.
RISK REDUCTION LEVERAGE
Risk Reduction Leverage (RRL) is another quantitative means of assessing how risks are being
managed.

Since risk exposure is not absolute but relative, we can compare different exposures to one
another. One way is to compare the exposure to a single event BEFORE and AFTER managing the
risk, relative to what the risk treatment costs:

  Risk Exposure (RE) = Probability of loss x Loss
  RRL = (RE before - RE after) / Cost of risk reduction

Example of Risk Reduction Leverage

Consider a server with some data on it. The probability of losing the data is 20%. The cost
of losing the data is measured as the cost of rebuilding it, estimated at $20,000:

BEFORE resolution
  Probability of loss      0.2
  Loss                     $20,000
  Exposure to data loss    0.2 x $20,000 = $4,000

(The $4,000 is the expected, or average, impact: over 100 days with a 20% probability of data loss on each, we expect to lose the data on 20 of them, at $20,000 each, for a total expected impact of 20 x $20,000 = $400,000; divided over the 100 days that is $4,000 per day.)

Now we introduce a method of reducing the probability of data loss (say frequent backups or replication to another database). This reduces the probability to 5%. The loss if the data is lost is unchanged, since we still have to rebuild it. The cost of introducing the risk reduction is $2,000.

AFTER resolution
  Probability of loss      0.05
  Loss                     $20,000 (same loss in this example)
  Exposure                 0.05 x $20,000 = $1,000
  Cost of risk reduction   $2,000

Using the formula above, the Risk Reduction Leverage is:

  RRL = ($4,000 - $1,000) / $2,000 = 1.5

The higher the leverage, the better the solution. An RRL below 1 means the countermeasure costs more than the expected loss it removes over the period to which the exposure figures refer.

Risk Reduction Leverage gives us the following benefits:

- We can compare different ways of reducing data loss by comparing their leverage.
- We can increase leverage by increasing the difference between RE (before) and RE (after), that is, by improving the solution and reducing the probability (or the loss).
- We can also increase leverage by reducing the cost of the risk reduction, or by selecting cheaper solutions that achieve the same reduction.

In conclusion, use Risk Reduction Leverage to assess different solutions to a risky event.
Exercise
 A company owns an asset with a total cost of 50,000 PKR.
 The probability of a risk associated with the asset occurring is 70%.
 Total Loss if the risk occurs is 10,000 PKR.
 The company is evaluating two potential countermeasures:
• Countermeasure X, which reduces the probability of the risk occurring to 30% and the total
loss if the risk occurs to 2,000 PKR, and Countermeasure Y, which reduces the probability to
15% and the total loss if the risk occurs to 2,510 PKR.
 Calculate the Risk Exposure (R.E) before and after implementing the countermeasures.
 Determine which countermeasure is more cost-effective, considering that
Countermeasure X costs 25,000 PKR and Countermeasure Y costs 10,000 PKR.
 Which countermeasure would you recommend the company to implement based on
cost-effectiveness?
Solution??
 The asset's total cost (50,000 PKR) is not needed for the exposure calculation; it only tells us the exposure factor is 10,000 / 50,000 = 20%.
 RE before = 0.7 x 10,000 = 7,000 PKR.
 Countermeasure X: RE after = 0.3 x 2,000 = 600 PKR; RRL = (7,000 - 600) / 25,000 = 0.256.
 Countermeasure Y: RE after = 0.15 x 2,510 = 376.5 PKR; RRL = (7,000 - 376.5) / 10,000 = 0.66235.
 Countermeasure Y is more cost effective (RRL 0.66235 vs 0.256), so Y is the one to recommend.
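The exposure-factor, risk-exposure and Risk Reduction Leverage calculations above, as an added worked example (not code from the original slides). It reproduces the server example and the PKR exercise using the formulas given in the text; the `Countermeasure` record and the function names are this example's own, and the validation on probabilities and cost is an added check.

```python
from dataclasses import dataclass


def risk_exposure(probability, loss):
    """Risk Exposure (RE) = probability that the loss event occurs x loss if it does.
    This is the 'Exposure to data loss' figure in the server example."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return probability * loss


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = asset value x exposure factor: the loss from one occurrence.
    (In the exercise, a 10,000 PKR loss on a 50,000 PKR asset means EF = 0.2.)"""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def risk_reduction_leverage(re_before, re_after, cost):
    """RRL = (RE before - RE after) / cost of the countermeasure.
    Above 1.0 the countermeasure removes more expected loss than it costs."""
    if cost <= 0:
        raise ValueError("countermeasure cost must be positive")
    return (re_before - re_after) / cost


@dataclass(frozen=True)
class Countermeasure:
    name: str
    probability_after: float   # probability of the loss event with the control in place
    loss_after: float          # loss if the event still occurs
    cost: float                # cost of implementing the control


def rank_countermeasures(probability_before, loss_before, options):
    """Compute RE before, RE after and RRL for each option; best leverage first."""
    re_before = risk_exposure(probability_before, loss_before)
    ranked = []
    for c in options:
        re_after = risk_exposure(c.probability_after, c.loss_after)
        ranked.append((c.name, re_after, risk_reduction_leverage(re_before, re_after, c.cost)))
    ranked.sort(key=lambda r: r[2], reverse=True)
    return re_before, ranked


# The two options from the exercise on the slides (amounts in PKR).
EXERCISE_OPTIONS = (
    Countermeasure("X", probability_after=0.30, loss_after=2_000, cost=25_000),
    Countermeasure("Y", probability_after=0.15, loss_after=2_510, cost=10_000),
)

if __name__ == "__main__":
    # Server example from the text: RE $4,000 -> $1,000 for a $2,000 control.
    print("server example RRL:", risk_reduction_leverage(4_000, 1_000, 2_000))
    re_before, ranked = rank_countermeasures(0.70, 10_000, EXERCISE_OPTIONS)
    print(f"RE before: {re_before:.1f} PKR")
    for name, re_after, rrl in ranked:
        print(f"  {name}: RE after {re_after:.1f} PKR, RRL {rrl:.5f}")
```

Note that a high RRL does not by itself mean the residual exposure is acceptable: X leaves a lower RE after (600 PKR vs 376.5 PKR is actually higher for X), so rank by leverage first and then confirm the remaining exposure is within the organisation's risk appetite.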
SECURITY CONCEPTS

 Assurance:
 The level of guarantee that a security system will behave as expected
 Countermeasure/safeguard/control:
 A countermeasure is a way to stop a threat
 Defense in depth:
 Never rely on one single security measure alone
 Take (maximum) steps to protect the system
SECURITY

 The art of war teaches us to rely:
 Not on the likelihood of the enemy's not coming, but on our own readiness to receive him;
 Not on the chance of his not attacking, but rather on the fact that we have made our position unassailable (impossible to challenge).

— The Art of War, Sun Tzu
SECURITY

 Security is the degree of protection against danger, loss, and criminals.
 The condition that prevents unauthorized persons from having access (to official information).
 The standards define information security in terms of three properties. ISO/IEC 27000 defines it as:

“The preservation of confidentiality, integrity, and availability of information.”

 The National Institute of Standards and Technology (NIST) uses the same three properties: protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
SECURITY CONCEPTS

 Security Attack: Any action that compromises the security of information owned by an organization.
 Security Mechanism: A mechanism designed to detect, prevent, or recover from a security attack.
CIA MODEL / CIAA MODEL
 Confidentiality (privacy):
 Protection of data from unauthorized disclosure

 Integrity (has not been altered):
 Assurance that data received is exactly as sent by an authorized entity

 Availability (permanence, non-erasure):
 Assurance that authorized users can reach the data and services when they need them
 Examples of attacks on availability: Denial of Service attacks, a virus that deletes files

 Authentication (who created or sent the data):
 Assurance that the communicating entity is the one claimed

 Non-repudiation:
 The ability to prove that an action or communication was performed by a specific individual or entity, so that it cannot be denied later.
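Integrity and authentication in practice, as an added example that is not part of the original slides. It uses an HMAC over a message with a shared key (Python's standard `hmac` module), verified with a constant-time comparison. The key and the message are constructed for the demo. The last case is the caveat a practitioner should take from the non-repudiation bullet: because sender and receiver hold the same key, the receiver can produce a valid tag too, so an HMAC proves integrity and that the message came from someone holding the key, but it cannot prove which party that was. Non-repudiation needs a digital signature with a private key only the sender holds, which this example does not cover.

```python
import hashlib
import hmac
import secrets


def make_tag(key: bytes, message: bytes) -> bytes:
    """Sender side: HMAC-SHA256 over the message with the shared key (32-byte tag)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time, so that a
    byte-by-byte early exit does not leak how much of a forged tag was right."""
    expected = make_tag(key, message)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Exercise the check against a genuine message and several tampering cases."""
    key = secrets.token_bytes(32)                    # shared secret, constructed for the demo
    msg = b"transfer 100 PKR to account 42"          # constructed message
    tag = make_tag(key, msg)

    flipped_tag = bytes([tag[0] ^ 0x01]) + tag[1:]   # one bit changed in the tag
    forged_by_receiver = b"transfer 900 PKR to account 42"

    return {
        # integrity + authentication: genuine message from a key holder verifies
        "genuine": verify(key, msg, tag),
        # modifying the message in transit invalidates the tag
        "modified_message": verify(key, b"transfer 900 PKR to account 42", tag),
        # modifying the tag itself is detected
        "modified_tag": verify(key, msg, flipped_tag),
        # a party without the key cannot produce a valid tag
        "wrong_key": verify(secrets.token_bytes(32), msg, tag),
        # no non-repudiation: the receiver holds the key and can forge a valid tag
        "receiver_forges": verify(key, forged_by_receiver, make_tag(key, forged_by_receiver)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18s} verifies: {ok}")
```

The HMAC protects integrity and origin but not confidentiality: the message still travels in the clear. Confidentiality needs encryption in addition, and in practice the two are combined (encrypt, then authenticate the ciphertext, or use an authenticated-encryption mode).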
SECURITY LEVELS
SECURITY ATTACKS

 Passive attacks involve:
 Eavesdropping on or monitoring transmissions to obtain message contents or monitor traffic flows.
 Active attacks include:
 Modification of the data stream to masquerade as one entity, replay previous messages, modify messages in transit, or deny service. Additionally, fabrication may occur.
SECURITY CONTROLS
SOCIAL ENGINEERING

 Malicious activities accomplished through human interaction: manipulating people rather than breaking technology.
 “Cyber criminals use social engineering to hack our minds.”
 They play on our emotions to make us stop thinking rationally.
SOCIAL ENGINEERING
EXAMPLES

 Giving up a username, password or PIN.
 Sending money via electronic funds transfer.
 Unintentionally acting as a money mule for the purpose of laundering.
 Nigerian Prince fraud (an advance-fee scam, widespread in the early 2000s).
 Linked to human greed.
PRINCIPLES ON WHICH SOCIAL
ENGINEERING TECHNIQUES ARE BASED:
 Dr. Robert Cialdini's six principles of influence (persuasion), which social engineering techniques exploit:
 RECIPROCITY
 SCARCITY
 AUTHORITY
 CONSISTENCY (commitment)
 LIKING
 CONSENSUS (social proof)
SOCIAL ENGINEERING ATTACKS

 BAITING (deceptive promises)
 SCAREWARE
 PRETEXTING
 PHISHING (BeEF, Vishing, Smishing)
 SPEAR PHISHING
PREVENTION

 DON'T OPEN EMAILS & ATTACHMENTS FROM SUSPICIOUS SOURCES.
 USE MULTI-FACTOR AUTHENTICATION.
 BE WARY OF TEMPTING OFFERS.
 KEEP ANTIVIRUS/ANTIMALWARE RUNNING AND UP-TO-DATE.
Class Discussion

• Question: Can you think of a recent security breach and how it could
have been prevented?
• Discussion Points: Apply the CIA Triad to real-world examples.
