Introduction to Information

Security
Dr D Sivakumar
Professor
Department of CSE
AMET University
What Is Information Security?
 Information security is the practice of
protecting information by mitigating
information risks…
 It involves the protection of information
systems and the information processed,
stored, and transmitted by these systems
from unauthorized access, use,
disclosure, disruption, modification, or
destruction.
Slide 2
 includes the protection of personal information, financial
information, and sensitive or confidential information
stored in both digital and physical forms.
 Information Security is not only about securing
information from unauthorized access
 is basically the practice of preventing unauthorized
access, use, disclosure, disruption, modification,
inspection, recording, or destruction of information.
Information can be a physical or electronic one.

Slide 3
Why We Use Information Security?

 Protecting sensitive information

 Mitigating risk
 Compliance with regulations
 Protecting reputation
 Ensuring business continuity

Slide 4
Three Principles of Information
Security?

 Confidentiality – Means information is not

disclosed to unauthorized individuals,
entities and process.
 Integrity – Means maintaining accuracy and
completeness of data. This means data
cannot be edited in an unauthorized way.
 Availability – Means information must be
available when needed

Slide 5
Why is Information Security Important?

 Improved security: By identifying and classifying sensitive information,

organizations can better protect their most critical assets from unauthorized access
or disclosure.
 Compliance: Many regulatory and industry standards, such as HIPAA and PCI-
DSS, require organizations to implement information classification and data
protection measures.
 Improved efficiency: By clearly identifying and labeling information, employees can
quickly and easily determine the appropriate handling and access requirements for
different types of data.
 Better risk management: By understanding the potential impact of a data breach or
unauthorized disclosure, organizations can prioritize resources and develop more
effective incident response plans.
 Cost savings: By implementing appropriate security controls for different types of
information, organizations can avoid unnecessary spending on security measures
that may not be needed for less sensitive data.
 Improved incident response: By having a clear understanding of the criticality of
specific data, organizations can respond to security incidents in a more effective and
efficient manner.

Slide 6
Uses of Information Security

 Confidentiality: Keeping sensitive information confidential and protected from

unauthorized access.
 Integrity: Maintaining the accuracy and consistency of data, even in the presence of
malicious attacks.
 Availability: Ensuring that authorized users have access to the information they need,
when they need it.
 Compliance: Meeting regulatory and legal requirements, such as those related to data
privacy and protection.
 Risk management: Identifying and mitigating potential security threats to prevent harm
to the organization.
 Disaster recovery: Developing and implementing a plan to quickly recover from data
loss or system failures.
 Authentication: Verifying the identity of users accessing information systems.
 Encryption: Protecting sensitive information from unauthorized access by encoding it
into a secure format.
 Network security: Protecting computer networks from unauthorized access, theft, and
other types of attacks.
 Physical security: Protecting information systems and the information they store from
theft, damage, or destruction by securing the physical facilities that house these
systems.

Slide 7
Issues

of Information Security
Cyber threats: The increasing sophistication of cyber attacks, including malware,
phishing, and ransomware, makes it difficult to protect information systems and the
information they store.
 Human error: People can inadvertently put information at risk through actions such as
losing laptops or smartphones, clicking on malicious links, or using weak passwords.
 Insider threats: Employees with access to sensitive information can pose a risk if they
intentionally or unintentionally cause harm to the organization.
 Legacy systems: Older information systems may not have the security features of newer
systems, making them more vulnerable to attack.
 Complexity: The increasing complexity of information systems and the information they
store makes it difficult to secure them effectively.
 Mobile and IoT devices: The growing number of mobile devices and internet of things (
IoT) devices creates new security challenges as they can be easily lost or stolen, and
may have weak security controls.
 Integration with third-party systems: Integrating information systems with third-party
systems can introduce new security risks, as the third-party systems may have security
vulnerabilities.
 Data privacy: Protecting personal and sensitive information from unauthorized access,
use, or disclosure is becoming increasingly important as data privacy regulations become
more strict.
 Globalization: The increasing globalization of business makes it more difficult to secure
information, as data may be stored, processed, and transmitted across multiple countries
with different security requirements.

Slide 8
The History Of Information
Security
 Computer security began immediately after the first
mainframes were developed
 Groups developing code-breaking computations during
World War II created the first modern computers
 Physical controls were needed to limit access to
authorized personnel to sensitive military locations
 Only rudimentary controls were available to defend
against physical theft, espionage, and sabotage

Slide 9
Figure 1-1 – The Enigma

Slide 10
The 1960s
 Department of Defense’s Advanced
Research Project Agency (ARPA) began
examining the feasibility of a redundant
networked communications
 Larry Roberts developed the project from
its inception

Slide 11
Figure 1-2 - ARPANET

Slide 12
The 1970s and 80s
 ARPANET grew in popularity as did its potential
for misuse
 Fundamental problems with ARPANET security
were identified
– No safety procedures for dial-up connections to the
ARPANET
– User identification and authorization to the system
were non-existent
 In the late 1970s the microprocessor expanded
computing capabilities and security threats

Slide 13
R-609 – The Start of the Study of
Computer Security
 Information Security began with Rand
Report R-609
 The scope of computer security grew from
physical security to include:
– Safety of the data
– Limiting unauthorized access to that data
– Involvement of personnel from multiple levels
of the organization

Slide 14
The 1990s
 Networks of computers became more
common, so too did the need to
interconnect the networks
 Resulted in the Internet, the first
manifestation of a global network of
networks
 In early Internet deployments, security
was treated as a low priority

Slide 15
The Present
 The Internet has brought millions of
computer networks into communication
with each other – many of them
unsecured
 Ability to secure each now influenced by
the security on every computer to which it
is connected

Slide 16
What Is Security?
 “The quality or state of being secure--to be free
from danger”
 To be protected from adversaries
 A successful organization should have multiple
layers of security in place:
– Physical security-Address the issues necessary to protect the physical
items & objects
– Personal security –involves the protection of the individual who
are authorized to access the organization

Slide 17
– Operations security – protection of the details of a
particular operation or series of activities
– Communications security – protection of an
organization communications media, technology, and
content
– Network security- protection of networking
components, connections and contents

Slide 18
What Is Information Security?
 The protection of information and its critical
elements, including the systems and hardware
that use, store, and transmit that information
 Tools, such as policy, awareness, training,
education, and technology are necessary
 The C.I.A. triangle was the standard based on
confidentiality, integrity, and availability
 The C.I.A. triangle has expanded into a list of
critical characteristics of information

Slide 19
Critical Characteristics Of
Information
The value of information comes from the
characteristics it possesses.
– Availability- enables authorized users, persons or systems to
access information without interference Ex. Library
– Accuracy- Free from mistakes or errors and it has the value that
the end user expects Ex: Checking account
– Authenticity- Information- being genuine or original rather than
reproduction or fabrication Ex: email spoofing

Slide 20
– Confidentiality – exposure to unauthorized individuals or
systems is prevented Ex: organization
– Integrity – whole, complete and uncorrupted Ex:many viruses or
worms are designed to corrupt the data
– Utility – the information has value when it serves a particular
purposes
– Possession- information is the quality having ownership or
control of some object.

Slide 21
NSTISSC Security Model

 National Security Telecommunications and

Information System security Committee –
produce a document about information security
 This documents presents a comprehensive
model for information security and is becoming
the evolution standard for the security of
information system
 The three dimensions- 3x3x3 cube with 27 cells
representing areas that must be addressed to
secure today information systems

Slide 22
Figure 1-3 – NSTISSC
Security Model

Slide 23
Components of an Information
System

 To fully understand the importance of

information security, you need to know the
elements of an information system

 An Information System (IS) is much more than

computer hardware; it is the entire set of
software, hardware, data, people, and
procedures necessary to use information as a
resource in the organization

Slide 24
Securing the Components
 The computer can be either or both the
subject of an attack and/or the object of
an attack
 When a computer is
– the subject of an attack, it is used as an
active tool to conduct the attack
– the object of an attack, it is the entity being
attacked

Slide 25
Figure 1-5 – Subject and
Object of Attack

Slide 26
Balancing Security and
Access
 It is impossible to obtain perfect security -
it is not an absolute; it is a process
 Security should be considered a balance
between protection and availability
 To achieve balance, the level of security
must allow reasonable access, yet protect
against threats

Slide 27
Figure 1-6 – Balancing
Security and Access

Slide 28
Bottom Up Approach
 Security from a grass-roots effort -
systems administrators attempt to
improve the security of their systems
 Key advantage - technical expertise of the
individual administrators
 Seldom works, as it lacks a number of
critical features:
– participant support
– organizational staying power
Slide 29
Figure 1-7 – Approaches to
Security Implementation

Slide 30
Top-down Approach
 Initiated by upper management:
– issue policy, procedures, and processes
– dictate the goals and expected outcomes of the project
– determine who is accountable for each of the required
actions
 This approach has strong upper management
support, a dedicated champion, dedicated funding,
clear planning, and the chance to influence
organizational culture
 May also involve a formal development strategy
referred to as a systems development life cycle
– Most successful top-down approach

Slide 31
The Systems Development
Life Cycle
 Information security must be managed in
a manner similar to any other major
system implemented in the organization
 Using a methodology
– ensures a rigorous process
– avoids missing steps
 The goal is creating a comprehensive
security posture/program

Slide 32
SSLC
 Security System Development Life Cycle (SSDLC) is a
framework used to manage the development,
maintenance, and retirement of an organization’s
information security systems.
 SSDLC is a useful framework for managing the
development, maintenance, and retirement of an
organization’s information security systems.
 It helps to ensure that security systems meet the needs
of the organization and are developed in a structured
and controlled manner.
 This can help organizations to protect their sensitive
information, maintain compliance with relevant
regulations, and keep their data and systems safe from
cyber threats.
Slide 33
 Planning: During this phase, the organization identifies its information
security needs and develops a plan to meet those needs. This may include
identifying potential security risks and vulnerabilities, and determining the
appropriate controls to mitigate those risks.
 Analysis: During this phase, the organization analyzes its information
security needs in more detail and develops a detailed security requirements
specification.
 Design: During this phase, the organization designs the security system to
meet the requirements developed in the previous phase. This may include
selecting and configuring security controls, such as firewalls, intrusion
detection systems, and encryption.
 Implementation: During this phase, the organization develops, tests, and
deploys the security system.
 Maintenance: After the security system has been deployed, it enters the
maintenance phase, where it is updated, maintained, and tweaked to meet
the changing needs of the organization.
 Retirement: Eventually, the security system will reach the end of its useful
life and will need to be retired. During this phase, the organization will plan
for the replacement of the system, and ensure that data stored in it is
properly preserved .
Slide 34
SecSDLC
 Security System Development Life Cycle (SecSDLC) is defined
as the set of procedures that are executed in a sequence in the
software development cycle (SDLC).
 It is designed such that it can help developers to create software
and applications in a way that reduces the security risks at later
stages significantly from the start.
 SecSDLC is similar to Software Development Life Cycle (SDLC),
but they differ in terms of the activities that are carried out in each
phase of the cycle.
 SecSDLC eliminates security vulnerabilities. Its process involves
identification of certain threats and the risks they impose on a
system as well as the needed implementation of security controls to
counter, remove and manage the risks involved. Whereas, in the
SDLC process, the focus is mainly on the designs and
implementations of an information system

Slide 35
Figure 1-8 – SDLC Waterfall
Methodology

Slide 36
 System Investigation: This process is started by the officials/directives
working at the top level management in the organization. The objectives
and goals of the project are considered priorly in order to execute this
process. An Information Security Policy is defined which contains the
descriptions of security applications and programs installed along with their
implementations in organization’s system.
 System Analysis: In this phase, detailed document analysis of the
documents from the System Investigation phase are done. Already existing
security policies, applications and software are analyzed in order to check
for different flaws and vulnerabilities in the system. Upcoming threat
possibilities are also analyzed. Risk management comes under this
process only.
 Logical Design: The Logical Design phase deals with the development of
tools and following blueprints that are involved in various information
security policies, their applications and software. Backup and recovery
policies are also drafted in order to prevent future losses. In case of any
disaster, the steps to take in business are also planned. The decision to
outsource the company project is decided in this phase. It is analyzed
whether the project can be completed in the company itself or it needs to
be sent to another company for the specific task.

Slide 37
 Physical Design: The technical teams acquire the tools and blueprints
needed for the implementation of the software and application of the
system security. During this phase, different solutions are investigated for
any unforeseen issues which may be encountered in the future. They are
analyzed and written down in order to cover most of the vulnerabilities that
were missed during the analysis phase.
 Implementation: The solution decided in earlier phases is made final
whether the project is in-house or outsourced. The proper documentation is
provided of the product in order to meet the requirements specified for the
project to be met. Implementation and integration process of the project are
carried out with the help of various teams aggressively testing whether the
product meets the system requirements specified in the system
documentation.
 Maintenance: After the implementation of the security program it must be
ensured that it is functioning properly and is managed accordingly. The
security program must be kept up to date accordingly in order to counter
new threats that can be left unseen at the time of design.

Slide 38
Advantages
 mproved security: By following the SSDLC, organizations can ensure that
their information security systems are developed, maintained and retired in
a controlled and structured manner, which can help to improve overall
security.
 Compliance: The SSDLC can help organizations to meet compliance
requirements, by ensuring that security controls are implemented to meet
relevant regulations.
 Risk management: The SSDLC provides a structured and controlled
approach to managing information security risks, which can help to identify
and mitigate potential risks.
 Better project management: The SSDLC provides a structured and
controlled approach to managing information security projects, which can
help to improve project management and reduce risks.
 Increased efficiency: By following the SSDLC, organizations can ensure
that their resources are used efficiently, by ensuring that the development,
maintenance and retirement of information security systems is planned and
managed in a consistent and controlled manner.
Slide 39
Disadvantages
 Cost: Implementing the SSDLC framework can be costly, as it may require
additional resources, such as security experts, to manage the process.
 Time-consuming: The SSDLC is a cyclical process that involves multiple
phases, which can be time-consuming to implement.
 Complexity: The SSDLC process can be complex, especially for
organizations that have not previously used this framework.
 Inflexibility: The SSDLC is a structured process, which can make it difficult
for organizations to respond quickly to changing security needs.
 Limited Adaptability: The SSDLC is a predefined process, which is not
adaptable to new technologies, it may require updating or revising to
accommodate new technology.

Slide 40
SDLC and the SecSDLC
 The SecSDLC may be
– event-driven - started in response to some
occurrence or
– plan-driven - as a result of a carefully
developed implementation strategy
 At the end of each phase comes a
structured review

Slide 41
Investigation
 What is the problem the system is being
developed to solve?
– The objectives, constraints, and scope of the
project are specified
– A preliminary cost/benefit analysis is
developed
– A feasibility analysis is performed to
assesses the economic, technical, and
behavioral feasibilities of the process

Slide 42
Analysis
 Consists primarily of
– assessments of the organization
– the status of current systems
– capability to support the proposed systems
 Analysts begin to determine
– what the new system is expected to do
– how the new system will interact with existing systems
 Ends with the documentation of the findings and
a feasibility analysis update

Slide 43
Logical Design
 Based on business need, applications are
selected capable of providing needed services
 Based on applications needed, data support
and structures capable of providing the needed
inputs are identified
 Finally, based on all of the above, select specific
ways to implement the physical solution are
chosen
 At the end, another feasibility analysis is
performed

Slide 44
Physical Design
 Specific technologies are selected to
support the alternatives identified and
evaluated in the logical design
 Selected components are evaluated
based on a make-or-buy decision
 Entire solution is presented to the end-
user representatives for approval

Slide 45
Implementation
 Components are ordered, received,
assembled, and tested
 Users are trained and documentation
created
 Users are then presented with the system
for a performance review and acceptance
test

Slide 46
Maintenance and Change
 Tasks necessary to support and modify
the system for the remainder of its useful
life
 The life cycle continues until the process
begins again from the investigation phase
 When the current system can no longer
support the mission of the organization, a
new project is implemented

Slide 47
Security Systems
Development Life Cycle
 The same phases used in the traditional
SDLC adapted to support the specialized
implementation of a security project
 Basic process is identification of threats
and controls to counter them
 The SecSDLC is a coherent program
rather than a series of random, seemingly
unconnected actions

Slide 48
Investigation
 Identifies process, outcomes and goals of
the project, and constraints
 Begins with a statement of program
security policy
 Teams are organized, problems analyzed,
and scope defined, including objectives,
and constraints not covered in the
program policy
 An organizational feasibility analysis is
performed
Slide 49
Analysis
 Analysis of existing security policies or
programs, along with documented current
threats and associated controls
 Includes an analysis of relevant legal
issues that could impact the design of the
security solution
 The risk management task (identifying,
assessing, and evaluating the levels of
risk) also begins
Slide 50
Logical & Physical Design
 Creates blueprints for security
 Critical planning and feasibility analyses to
determine whether or not the project should
continue
 In physical design, security technology is
evaluated, alternatives generated, and final
design selected
 At end of phase, feasibility study determines
readiness so all parties involved have a chance
to approve the project

Slide 51
Implementation
 The security solutions are acquired (made
or bought), tested, and implemented, and
tested again
 Personnel issues are evaluated and
specific training and education programs
conducted
 Finally, the entire tested package is
presented to upper management for final
approval
Slide 52
Maintenance and Change
 The maintenance and change phase is
perhaps most important, given the high
level of ingenuity in today’s threats
 The reparation and restoration of
information is a constant duel with an
often unseen adversary
 As new threats emerge and old threats
evolve, the information security profile of
an organization requires constant
adaptation
Slide 53
Security Professionals and the
Organization
 It takes a wide range of professionals to
support a diverse information security
program
 To develop and execute specific security
policies and procedures, additional
administrative support and technical
expertise is required

Slide 54
Senior Management
 Chief Information Officer
– the senior technology officer
– primarily responsible for advising the senior
executive(s) for strategic planning
 Chief Information Security Officer
– responsible for the assessment, management, and
implementation of securing the information in the
organization
– may also be referred to as the Manager for Security,
the Security Administrator, or a similar title

Slide 55
Security Project Team
A number of individuals who are experienced in
one or multiple requirements of both the
technical and non-technical areas:
– The champion
– The team leader
– Security policy developers
– Risk assessment specialists
– Security professionals
– Systems administrators
– End users

Slide 56
Data Ownership
 Data Owner - responsible for the security
and use of a particular set of information
 Data Custodian - responsible for the
storage, maintenance, and protection of
the information
 Data Users - the end systems users who
work with the information to perform their
daily jobs supporting the mission of the
organization
Slide 57
Communities Of Interest
 Each organization develops and
maintains its own unique culture and
values. Within that corporate culture,
there are communities of interest:
– Information Security Management and
Professionals
– Information Technology Management and
Professionals
– Organizational Management and
Professionals

Slide 58
Information Security: Is It an
Art or a Science?
 With the level of complexity in today’s
information systems, the implementation
of information security has often been
described as a combination of art and
science

Slide 59
Security as Art
 No hard and fast rules nor are there many
universally accepted complete solutions
 No magic user’s manual for the security of
the entire system
 Complex levels of interaction between
users, policy, and technology controls

Slide 60
Security as Science
 Dealing with technology designed to
perform at high levels of performance
 Specific conditions cause virtually all
actions that occur in computer systems
 Almost every fault, security hole, and
systems malfunction is a result of the
interaction of specific hardware and
software
 If the developers had sufficient time, they
could resolve and eliminate these faults
Slide 61
Security as a Social Science
 Social science examines the behavior of
individuals interacting with systems
 Security begins and ends with the people
that interact with the system
 End users may be the weakest link in the
security chain
 Security administrators can greatly reduce
the levels of risk caused by end users,
and create more acceptable and
supportable security profiles
Slide 62