Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that applies regardless of the form the data may take (e.g. electronic or physical).
2. The art of war teaches us to rely not on the likelihood of the enemy’s not coming,
but on our own readiness to receive him; not on the chance of his not attacking,
but rather on the fact that we have made our position unassailable.
—The Art of War, Sun Tzu
3. Information Security (IS)
Information: raw facts and figures that have been processed so that they communicate something meaningful and understandable.
Security: the degree of resistance to, or protection from, harm.
As defined by the Institute for Security and Open Methodologies (ISECOM):
“a form of protection where a separation is created between the assets and the threat”
4. Information Security (cont.)
“Preservation of confidentiality, integrity and availability of information. Note: In addition,
other properties, such as authenticity, accountability, non-repudiation and reliability can
also be involved.” (ISO/IEC 27000:2009)
“The protection of information and information systems from unauthorized access, use,
disclosure, disruption, modification, or destruction in order to provide confidentiality,
integrity, and availability.” (CNSS, 2010)
Note: IEC – International Electrotechnical Commission
ISO – International Organization for Standardization
CNSS – Committee on National Security Systems
5. Terminologies
Confidentiality: In information security, confidentiality "is the property, that
information is not made available or disclosed to unauthorized individuals,
entities, or processes" (excerpt, ISO/IEC 27000).
Integrity: In information security, data integrity means maintaining and assuring
the accuracy and completeness of data over its entire life-cycle. This means that
data cannot be modified in an unauthorized or undetected manner. This is not the
same thing as referential integrity in databases, although it can be viewed as a
special case of consistency as understood in the classic ACID model of transaction
processing. Information security systems typically provide message integrity in
addition to data confidentiality.
6. Terminologies (cont.)
Availability: For any information system to serve its purpose, the information must be available
when it is needed. This means that the computing systems used to store and process the
information, the security controls used to protect it, and the communication channels used to
access it must be functioning correctly. High availability systems aim to remain available at all
times, preventing service disruptions due to power outages, hardware failures, and system
upgrades. Ensuring availability also involves preventing denial-of-service attacks, such as a
flood of incoming messages to the target system essentially forcing it to shut down.
Non-repudiation: In law, non-repudiation implies one's intention to fulfil their obligations to a
contract. It also implies that one party of a transaction cannot deny having received a
transaction nor can the other party deny having sent a transaction. Note: This is also regarded
as part of Integrity.
7. Threat level
Low: The loss could be expected to have a limited adverse effect on organizational operations,
organizational assets, or individuals. A limited adverse effect means that, for example, the loss of
confidentiality, integrity, or availability might (i) cause a degradation in mission capability to an extent
and duration that the organization is able to perform its primary functions, but the effectiveness of
the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in
minor financial loss; or (iv) result in minor harm to individuals.
Moderate: The loss could be expected to have a serious adverse effect on organizational operations,
organizational assets, or individuals. A serious adverse effect means that, for example, the loss might
(i) cause a significant degradation in mission capability to an extent and duration that the
organization is able to perform its primary functions, but the effectiveness of the functions is
significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant
financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or
serious, life-threatening injuries.
8. Threat level (cont.)
High: The loss could be expected to have a severe or catastrophic adverse effect
on organizational operations, organizational assets, or individuals. A severe or
catastrophic adverse effect means that, for example, the loss might (i) cause a
severe degradation in or loss of mission capability to an extent and duration that
the organization is not able to perform one or more of its primary functions; (ii)
result in major damage to organizational assets; (iii) result in major financial loss;
or (iv) result in severe or catastrophic harm to individuals involving loss of life or
serious, life-threatening injuries.
10. Phase 1 – Reconnaissance
This is typically the longest phase of an attack.
Information is gained through:
Internet searches
Social engineering
Dumpster diving
Dumpster diving is looking for treasure in someone else's trash (a dumpster is a large trash
container).
"Treasures" such as access codes or passwords written down on sticky notes, phone lists, calendars or
organizational charts can be used to assist an attacker using social engineering techniques.
What enables the enlightened rulers and good generals to conquer the enemy at every move
and achieve extraordinary success is foreknowledge.
—Sun-tzu
11. Phase 1 – Reconnaissance (cont.)
Employees are often easily tricked
into providing tidbits of information which, over time, combine into a complete picture of
processes, organizational structure, and potential soft spots.
Non-intrusive network scanning
that does not alert the target.
Domain name management/search services
such as WHOIS.
12. Phase 1 – Reconnaissance (Prevention)
Make sure your systems don't leak information to the Web, including:
Software versions and patch levels
Email addresses
Names and positions of key personnel
Ensure proper disposal of printed information.
Provide generic contact information for domain name registration lookups
(e.g. a general company address and contact rather than a named individual).
Prevent perimeter LAN/WAN devices from responding to scanning attempts.
13. Phase 2 – Scanning
In this phase the attacker looks for:
Open ports
Open services
Vulnerable applications, including operating systems
Weak protection of data in transit
Make and model of each piece of LAN/WAN equipment
15. Phase 3 - Gaining Access
A modern-day attack aims
either to extract information of value to the attacker or to use the network as a
launch site for attacks against other targets.
17. Phase 3 - Gaining Access (Prevention)
Physical security controls should:
detect attempts at a hands-on attack;
delay an intruder long enough to allow effective internal or external human response
(i.e., security guards or law enforcement).
Security managers should make every effort to ensure end-user devices and
servers are not easily accessible by unauthenticated users. This includes:
denying local administrator access to business users;
closely monitoring domain and local admin access to servers.
18. Phase 3 - Gaining Access (Prevention)
Encrypt highly sensitive information and protect the keys.
Even if network security is weak, scrambling information and denying the attacker
access to encryption keys is a good final defence when all other controls fail. But
don't rely on encryption alone:
there are other risks due to weak security, such as system unavailability or use of
your network in the commission of a crime.
19. Phase 4 - Maintaining Access
Having gained access, an attacker must maintain access long enough to
accomplish his or her objectives. Although an attacker reaching this phase has
successfully circumvented your security controls, this phase can increase the
attacker's vulnerability to detection:
Detect and filter file transfer content to external sites or internal devices.
Look for connections to odd ports or nonstandard protocols.
Prevent/detect direct session initiation between servers in your data centre and
networks/systems not under your control.
21. Phase 5 – Covering Tracks
After achieving his or her objectives, the attacker typically takes steps to hide the
intrusion and possible controls left behind for future visits. Again, in addition to
anti-malware, personal firewalls, and host-based IPS solutions, deny business users
local administrator access to desktops.
Alert on any unusual activity, any activity not expected based on your knowledge
of how the business works. To make this work, the security and network teams
must have at least as much knowledge of the network as the attacker has
obtained during the attack process.
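The Phase 4 checks above (odd ports, nonstandard protocols, data-centre servers initiating sessions to networks you do not control, file transfers to external sites) and the Phase 5 advice to alert on anything not expected from how the business works come down to comparing observed connections against a known-good baseline. The following is an added example, not code from the original deck: it runs constructed flow-log lines through such a baseline; the address ranges, port set, threshold and log format are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumed baseline, constructed for this example: address ranges the organisation
# controls, the data-centre range, and the destination ports servers are expected to use.
OWNED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
DATACENTRE_NET = ipaddress.ip_network("10.10.0.0/16")
EXPECTED_PORTS = {53, 80, 443}
EXPECTED_PROTOS = {"tcp", "udp"}
LARGE_TRANSFER_BYTES = 50_000_000  # outbound bytes above which a transfer is flagged

@dataclass
class Alert:
    line: str
    reason: str

def parse_flow(line: str) -> dict:
    """Parse one constructed flow record: '<ts> <src_ip> <dst_ip> <dst_port> <proto> <bytes_out>'."""
    ts, src, dst, port, proto, out = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "port": int(port), "proto": proto.lower(), "bytes_out": int(out)}

def check_flow(flow: dict) -> list:
    """Return the reasons a flow deviates from the baseline (empty list means expected)."""
    reasons = []
    from_datacentre = flow["src"] in DATACENTRE_NET
    dst_owned = any(flow["dst"] in net for net in OWNED_NETWORKS)
    if from_datacentre and not dst_owned:
        reasons.append("data-centre server initiated a session to a network not under our control")
    if flow["port"] not in EXPECTED_PORTS:
        reasons.append(f"connection to unexpected port {flow['port']}")
    if flow["proto"] not in EXPECTED_PROTOS:
        reasons.append(f"nonstandard protocol {flow['proto']}")
    if not dst_owned and flow["bytes_out"] >= LARGE_TRANSFER_BYTES:
        reasons.append("large outbound transfer to an external site")
    return reasons

def scan(lines) -> list:
    """Run every record through the baseline check and collect one Alert per reason."""
    return [Alert(line, reason) for line in lines for reason in check_flow(parse_flow(line))]

# Constructed sample records (not real traffic).
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.10.1.5 10.20.3.7 443 tcp 1200",           # expected: no alert
    "2024-01-01T10:00:05Z 10.10.1.5 203.0.113.9 4444 tcp 300",         # DC -> external, odd port
    "2024-01-01T10:01:00Z 192.168.5.20 198.51.100.7 443 tcp 90000000",  # large transfer out
    "2024-01-01T10:02:00Z 10.10.2.8 192.168.9.9 443 sctp 500",         # nonstandard protocol
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"ALERT: {alert.reason} :: {alert.line}")
```

The baseline is the important part: the tighter the security and network teams' knowledge of what the business actually does on the wire, the fewer false positives and the less room an attacker has to blend in.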
22. Why is IS needed?
We need information security to reduce the risk of unauthorized information
disclosure, modification, and destruction.
We need information security to reduce risk to a level that is acceptable to the
business (management).
We need information security to improve the way we do business.
23.
“If you know the enemy and know yourself, you need
not fear the result of a hundred battles. If you know
yourself but not the enemy, for every victory gained
you will also suffer a defeat. If you know neither the
enemy nor yourself, you will succumb in every
battle.”
—The Art of War, Sun Tzu
Any Questions?