SlideShare une entreprise Scribd logo

Information System Security(lecture 1)

Télécharger en tant que PPT, PDF
Ali Habeeb
Ali Habeeb
TechnologieActualités & Politique
1  sur  20
Information System SecurityInformation System Security Lecture 1Lecture 1 Introduction to Information SystemIntroduction to Information System SecuritySecurity
22 OutlineOutline 1.1. What is Security?What is Security? 2.2. What is Information Security?What is Information Security? 3.3. Why Information System Security?Why Information System Security? 4.4. Vulnerability, Threat and AttackVulnerability, Threat and Attack 5.5. Security PoliciesSecurity Policies 6.6. Security MeasuresSecurity Measures 7.7. Security RequirementsSecurity Requirements 8.8. Security ServicesSecurity Services 9.9. Security MechanismsSecurity Mechanisms
33 1. What is security?1. What is security?  SecuritySecurity:: protecting general assetsprotecting general assets  Security can be realized through:Security can be realized through: 1.1. PreventionPrevention: take measures that prevent your assets from being damaged.: take measures that prevent your assets from being damaged. 2.2. DetectionDetection: take measures so that you can detect when, how, and by: take measures so that you can detect when, how, and by whom an asset has been damaged.whom an asset has been damaged. 3.3. ReactionReaction: take measures so that you can recover your assets or to recover: take measures so that you can recover your assets or to recover from a damage to your assetsfrom a damage to your assets  Examples: next slideExamples: next slide  There are many branches of Security: national security,There are many branches of Security: national security, economic security,economic security, information securityinformation security, etc., etc.
44 ExamplesExamples  Ex. 1 - Private propertyEx. 1 - Private property – Prevention: locks at doors, window bars, walls around the property.Prevention: locks at doors, window bars, walls around the property. – Detection: stolen items aren’t there any more, burglar alarms, CCTV, …Detection: stolen items aren’t there any more, burglar alarms, CCTV, … – Reaction: call the police,…Reaction: call the police,…
55 ExamplesExamples  Ex. 2 - eCommerceEx. 2 - eCommerce – Prevention: encrypt your orders, rely on the merchant to perform checksPrevention: encrypt your orders, rely on the merchant to perform checks on the caller,…on the caller,… – Detection: an unauthorized transaction appears on your credit cardDetection: an unauthorized transaction appears on your credit card statementstatement – Reaction: complain, ask for a new credit card number, …Reaction: complain, ask for a new credit card number, …
66 2. What is Information Security?2. What is Information Security?  Information securityInformation security:: is concerned with protecting informationis concerned with protecting information and information resources such as: books, faxes, computer data,and information resources such as: books, faxes, computer data, voice communications, etc.voice communications, etc.  Information security isInformation security is determining:determining:  whatwhat needs to be protected,needs to be protected, i.e.i.e., assets, assets  andand whywhy (Security requirements which include CIA),(Security requirements which include CIA),  whatwhat needs to be protected from (Threats, vulnerabilities, risks),needs to be protected from (Threats, vulnerabilities, risks),  andand howhow (Security measures) to protect it for as long as it exists(Security measures) to protect it for as long as it exists – Security measures which are implemented according to a security policySecurity measures which are implemented according to a security policy
77 3. What is Information System3. What is Information System Security (ISS)?Security (ISS)? InformationInformation SystemsSystems (assets)(assets)Security Measures Attackers Policies Taken from K. Martin’s lecture, RHUL
88 Information System SecurityInformation System Security  ISS is concerned with protecting Information systemISS is concerned with protecting Information system assets such as PCs, software, applications, etc.assets such as PCs, software, applications, etc.  In order to ensure the security of Information Systems, weIn order to ensure the security of Information Systems, we need to determine:need to determine: 1.1. Assets (i.e., Information systems) to be protectedAssets (i.e., Information systems) to be protected 2.2. Security requirements; CIASecurity requirements; CIA 3.3. Threats, vulnerabilities, risksThreats, vulnerabilities, risks 4.4. Security policiesSecurity policies 5.5. Security measuresSecurity measures
99 4. Vulnerability, Threat and4. Vulnerability, Threat and AttackAttack  AA vulnerabilityvulnerability: is a weakness in system design or: is a weakness in system design or implementation and can be in hardware or software.implementation and can be in hardware or software. – Example: a software bug exists in the OS, or no password rules are set.Example: a software bug exists in the OS, or no password rules are set.  AA threatthreat:: – Is a set of circumstances that has the potential to cause loss or harmIs a set of circumstances that has the potential to cause loss or harm – is an indication of potential undesirable eventis an indication of potential undesirable event – It refers to a situation in whichIt refers to a situation in which  a person could do something undesirable (an attacker initiating a denial-of-a person could do something undesirable (an attacker initiating a denial-of- service attack against an organization's email server), orservice attack against an organization's email server), or  a natural occurrence could cause an undesirable outcome (a fire damaging ana natural occurrence could cause an undesirable outcome (a fire damaging an organization's information technology hardware).organization's information technology hardware).
1010 4. Vulnerability, Threat and4. Vulnerability, Threat and AttackAttack  AA RiskRisk is the possibility of suffering harm or loss.is the possibility of suffering harm or loss.  AnAn attackattack: is a realization of a threat: is a realization of a threat  AnAn attackerattacker: is a person who exploit a vulnerability: is a person who exploit a vulnerability  An attacker must have means, opportunity, and motiveAn attacker must have means, opportunity, and motive – Synonyms: enemy, adversary, opponent, eavesdropper, intruderSynonyms: enemy, adversary, opponent, eavesdropper, intruder
1111 Vulnerability, Attack and ThreatVulnerability, Attack and Threat  AA hackerhacker:: – A person who have advanced knowledge of operating systems andA person who have advanced knowledge of operating systems and programming languagesprogramming languages – Might discover holes within systems and the reasons for such holesMight discover holes within systems and the reasons for such holes – Share what they discover but never intentionally damage dataShare what they discover but never intentionally damage data  AA crackercracker:: – The one who breaks into or violates the system integrity of remoteThe one who breaks into or violates the system integrity of remote machines with the malicious intent, i.e., gaining unauthorized accessmachines with the malicious intent, i.e., gaining unauthorized access – Might destroy vital data, deny legitimate users servicesMight destroy vital data, deny legitimate users services  AA passive adversarypassive adversary is an adversary who is capable only ofis an adversary who is capable only of reading from an unsecured channelreading from an unsecured channel  AnAn active adversaryactive adversary is an adversary who may also transmit, alter,is an adversary who may also transmit, alter, or delete information on an unsecured channelor delete information on an unsecured channel
1212 Common security attacksCommon security attacks  InterruptionInterruption, delay, denial of receipt or denial of service, delay, denial of receipt or denial of service – System assets or information become unavailable or are rendered unavailableSystem assets or information become unavailable or are rendered unavailable  Interception or snoopingInterception or snooping – Unauthorized party gains access to information by browsing through files orUnauthorized party gains access to information by browsing through files or reading communications.reading communications.  Modification or alterationModification or alteration – Unauthorized party changes information in transit or information stored forUnauthorized party changes information in transit or information stored for subsequent access.subsequent access.  Masquerade or spoofingMasquerade or spoofing – Spurious information is inserted into the system or network by making it appearsSpurious information is inserted into the system or network by making it appears as if it is from a legitimate entity.as if it is from a legitimate entity.  Repudiation of originRepudiation of origin – False denial that an entity created something.False denial that an entity created something.
1313 5. Security Policy5. Security Policy  AA security policysecurity policy states what is, and is not, allowedstates what is, and is not, allowed  Is a document describing a company’s security controls andIs a document describing a company’s security controls and activities.activities.  Does not specify technologies.Does not specify technologies.  Examples:Examples: – Policy: Password constructionPolicy: Password construction Account names must not be used inAccount names must not be used in passwords.passwords. – Policy: Confidentiality of Personal informationPolicy: Confidentiality of Personal information all personalall personal information must be treated as confidential.information must be treated as confidential.  A security Policy is a guideline for implementing securityA security Policy is a guideline for implementing security measures.measures.
1414 6. Security measures6. Security measures  Security measuresSecurity measures include techniques for ensuring:include techniques for ensuring: – Prevention: such asPrevention: such as encryptionencryption,, user authenticationuser authentication,, one timeone time passwordpassword,, anti-virusanti-virus,, firewalfirewall, etc.l, etc. – Detection: such asDetection: such as IDS (Intrusion Detection Systems)IDS (Intrusion Detection Systems), Monitoring tools,, Monitoring tools, Firewall log,Firewall log, digital signaturedigital signature, etc., etc. – Reaction (or recovery): Such as Backup systems, OS’s recovery points,Reaction (or recovery): Such as Backup systems, OS’s recovery points, etc.etc.  Encryption (lectures 2 & 3)Encryption (lectures 2 & 3)  Digital Signature (lecture 4)Digital Signature (lecture 4)  User Authentication (lecture 5)User Authentication (lecture 5)  Antivirus (lecture 7)Antivirus (lecture 7)  IDS and firewalls (Lectures 8 & 9)IDS and firewalls (Lectures 8 & 9) Database security (lecture 6)
1515 7. Security Requirements7. Security Requirements  Most important security requirements are:Most important security requirements are: – ConfidentialityConfidentiality: keeping information secret from all but those: keeping information secret from all but those who are authorized to see it.who are authorized to see it.  Also called secrecy or privacyAlso called secrecy or privacy – IntegrityIntegrity: ensuring information has not been altered by: ensuring information has not been altered by unauthorized or unknown means.unauthorized or unknown means. – AvailabilityAvailability :: keeping information accessible by authorized userskeeping information accessible by authorized users when requiredwhen required
1616 Security RequirementsSecurity Requirements  Other requirements:Other requirements: – Entity authenticationEntity authentication :: corroboration of the identity of an entitycorroboration of the identity of an entity (e.g., a person, a credit card, etc.)(e.g., a person, a credit card, etc.)  Identification, identity verificationIdentification, identity verification – Message authenticationMessage authentication : corroborating the source of: corroborating the source of information; also known asinformation; also known as data origin authenticationdata origin authentication..  Message authentication implicitly provides data integrityMessage authentication implicitly provides data integrity – Digital SignatureDigital Signature : a means to bind information to an entity: a means to bind information to an entity – Non-repudiationNon-repudiation:: preventing the denial of previous commitmentspreventing the denial of previous commitments or actionsor actions
1717 Security RequirementsSecurity Requirements – AuthorizationAuthorization : conveyance, to another party, of official sanction: conveyance, to another party, of official sanction to do or to be something.to do or to be something. – Access controlAccess control: restricting access to resources to privileged: restricting access to resources to privileged entities.entities. – ValidationValidation: a means to provide timeliness of authorization to use: a means to provide timeliness of authorization to use or manipulate information or resources.or manipulate information or resources.  These Requirements are referred to asThese Requirements are referred to as ISS objectivesISS objectives (another definition of ISS)(another definition of ISS)..
1818 8. Security services8. Security services  AnAn information security serviceinformation security service is a method to provide someis a method to provide some specific aspects of securityspecific aspects of security – ExamplesExamples  Confidentiality is a security objective (requirement), encryption is anConfidentiality is a security objective (requirement), encryption is an information security serviceinformation security service  Integrity is another security objective (requirement), a method to ensureIntegrity is another security objective (requirement), a method to ensure integrity is a security service.integrity is a security service.  BreakingBreaking a security service implies defeating the objective ofa security service implies defeating the objective of the intended service.the intended service.
1919 9. Security mechanisms9. Security mechanisms  AA security mechanismsecurity mechanism encompasses Protocols, algorithms,encompasses Protocols, algorithms, Non-cryptographic techniques (hardware protection) toNon-cryptographic techniques (hardware protection) to achieve specific security objectives (confidentiality, integrity,achieve specific security objectives (confidentiality, integrity, …).…).
2020

Recommandé

INFORMATION SECURITY
INFORMATION SECURITYINFORMATION SECURITY
INFORMATION SECURITYAhmed Moussa
 
Information security management system
Information security management systemInformation security management system
Information security management systemArani Srinivasan
 
Computer security overview
Computer security overviewComputer security overview
Computer security overviewCAS
 
System security
System securitySystem security
System securitysommerville-videos
 
Cia security model
Cia security modelCia security model
Cia security modelImran Ahmed
 
Introduction To Information Security
Introduction To Information SecurityIntroduction To Information Security
Introduction To Information Securitybelsis
 
Information security management
Information security managementInformation security management
Information security managementUMaine
 
Information Security Lecture #1 ppt
Information Security Lecture #1 pptInformation Security Lecture #1 ppt
Information Security Lecture #1 pptvasanthimuniasamy
 

Recommandé

INFORMATION SECURITY
INFORMATION SECURITYINFORMATION SECURITY
INFORMATION SECURITYAhmed Moussa
 
Information security management system
Information security management systemInformation security management system
Information security management systemArani Srinivasan
 
Computer security overview
Computer security overviewComputer security overview
Computer security overviewCAS
 
System security
System securitySystem security
System securitysommerville-videos
 
Cia security model
Cia security modelCia security model
Cia security modelImran Ahmed
 
Introduction To Information Security
Introduction To Information SecurityIntroduction To Information Security
Introduction To Information Securitybelsis
 
Information security management
Information security managementInformation security management
Information security managementUMaine
 
Information Security Lecture #1 ppt
Information Security Lecture #1 pptInformation Security Lecture #1 ppt
Information Security Lecture #1 pptvasanthimuniasamy
 
Security Mechanisms
Security MechanismsSecurity Mechanisms
Security Mechanismspriya_trehan
 
SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)
SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)
SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)Biswajit Bhattacharjee
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management Ersoy AKSOY
 
Information security threats
Information security threatsInformation security threats
Information security threatscomplianceonline123
 
Security policies
Security policiesSecurity policies
Security policiesNishant Pahad
 
Chapter2 the need to security
Chapter2 the need to securityChapter2 the need to security
Chapter2 the need to securityDhani Ahmad
 
Overview of Information Security & Privacy
Overview of Information Security & PrivacyOverview of Information Security & Privacy
Overview of Information Security & PrivacyNawanan Theera-Ampornpunt
 
Data Privacy & Security
Data Privacy & SecurityData Privacy & Security
Data Privacy & SecurityEryk Budi Pratama
 
Information security and Attacks
Information security and AttacksInformation security and Attacks
Information security and AttacksSachin Darekar
 
Security risk management
Security risk managementSecurity risk management
Security risk managementG Prachi
 
Security models
Security models Security models
Security models LJ PROJECTS
 
Security management concepts and principles
Security management concepts and principlesSecurity management concepts and principles
Security management concepts and principlesDivya Tiwari
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident ResponsePECB
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005ControlCase
 
Fundamentals of Network security
Fundamentals of Network securityFundamentals of Network security
Fundamentals of Network securityAPNIC
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security conceptsG Prachi
 
Information security
Information securityInformation security
Information securityLusungu Mkandawire CISA,CISM,CGEIT,CPF,PRINCE2
 
Information security
Information securityInformation security
Information securityLusungu Mkandawire CISA,CISM,CGEIT,CPF,PRINCE2
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessmentCAS
 
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Fabiha Shahzad
 
Information system and security control
Information system and security controlInformation system and security control
Information system and security controlCheng Olayvar
 
4 System For Information Security
4 System For Information Security4 System For Information Security
4 System For Information SecurityAna Meskovska
 

Contenu connexe

Tendances

Security Mechanisms
Security MechanismsSecurity Mechanisms
Security Mechanismspriya_trehan
 
SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)
SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)
SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)Biswajit Bhattacharjee
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management Ersoy AKSOY
 
Chapter2 the need to security
Chapter2 the need to securityChapter2 the need to security
Chapter2 the need to securityDhani Ahmad
 
Information security and Attacks
Information security and AttacksInformation security and Attacks
Information security and AttacksSachin Darekar
 
Security risk management
Security risk managementSecurity risk management
Security risk managementG Prachi
 
Security models
Security models Security models
Security models LJ PROJECTS
 
Security management concepts and principles
Security management concepts and principlesSecurity management concepts and principles
Security management concepts and principlesDivya Tiwari
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident ResponsePECB
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005ControlCase
 
Fundamentals of Network security
Fundamentals of Network securityFundamentals of Network security
Fundamentals of Network securityAPNIC
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security conceptsG Prachi
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessmentCAS
 
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Fabiha Shahzad
 

Tendances (20)

Security Mechanisms
Security MechanismsSecurity Mechanisms
Security Mechanisms
 
SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)
SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)
SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management
 
Information security threats
Information security threatsInformation security threats
Information security threats
 
Security policies
Security policiesSecurity policies
Security policies
 
Chapter2 the need to security
Chapter2 the need to securityChapter2 the need to security
Chapter2 the need to security
 
Overview of Information Security & Privacy
Overview of Information Security & PrivacyOverview of Information Security & Privacy
Overview of Information Security & Privacy
 
Data Privacy & Security
Data Privacy & SecurityData Privacy & Security
Data Privacy & Security
 
Information security and Attacks
Information security and AttacksInformation security and Attacks
Information security and Attacks
 
Security risk management
Security risk managementSecurity risk management
Security risk management
 
Security models
Security models Security models
Security models
 
Security management concepts and principles
Security management concepts and principlesSecurity management concepts and principles
Security management concepts and principles
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005
 
Fundamentals of Network security
Fundamentals of Network securityFundamentals of Network security
Fundamentals of Network security
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security concepts
 
Information security
Information securityInformation security
Information security
 
Information security
Information securityInformation security
Information security
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessment
 
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)
 

En vedette

Information system and security control
Information system and security controlInformation system and security control
Information system and security controlCheng Olayvar
 
4 System For Information Security
4 System For Information Security4 System For Information Security
4 System For Information SecurityAna Meskovska
 
Plugging the Holes: Security and Compatability in Hadoop
Plugging the Holes: Security and Compatability in HadoopPlugging the Holes: Security and Compatability in Hadoop
Plugging the Holes: Security and Compatability in HadoopOwen O'Malley
 
Information system development
Information system development Information system development
Information system development Sanoob Sidiq
 
PROPRIETARY AND OPEN SOURCE SOFTWARE
PROPRIETARY AND OPEN SOURCE SOFTWARE PROPRIETARY AND OPEN SOURCE SOFTWARE
PROPRIETARY AND OPEN SOURCE SOFTWARE Kak Yong
 
Security & control in management information system
Security & control in management information systemSecurity & control in management information system
Security & control in management information systemOnline
 
InformationSecurity
InformationSecurityInformationSecurity
InformationSecuritylearnt
 
Planning, design and implementation of information systems
Planning, design and implementation of information systemsPlanning, design and implementation of information systems
Planning, design and implementation of information systemsOnline
 
System Development Life Cycle & Implementation of MIS
System Development Life Cycle & Implementation of MISSystem Development Life Cycle & Implementation of MIS
System Development Life Cycle & Implementation of MISGeorge V James
 
Implementation of MIS and its methods
Implementation of MIS and its methodsImplementation of MIS and its methods
Implementation of MIS and its methodsPoojith Chowdhary
 

En vedette (10)

Information system and security control
Information system and security controlInformation system and security control
Information system and security control
 
4 System For Information Security
4 System For Information Security4 System For Information Security
4 System For Information Security
 
Plugging the Holes: Security and Compatability in Hadoop
Plugging the Holes: Security and Compatability in HadoopPlugging the Holes: Security and Compatability in Hadoop
Plugging the Holes: Security and Compatability in Hadoop
 
Information system development
Information system development Information system development
Information system development
 
PROPRIETARY AND OPEN SOURCE SOFTWARE
PROPRIETARY AND OPEN SOURCE SOFTWARE PROPRIETARY AND OPEN SOURCE SOFTWARE
PROPRIETARY AND OPEN SOURCE SOFTWARE
 
Security & control in management information system
Security & control in management information systemSecurity & control in management information system
Security & control in management information system
 
InformationSecurity
InformationSecurityInformationSecurity
InformationSecurity
 
Planning, design and implementation of information systems
Planning, design and implementation of information systemsPlanning, design and implementation of information systems
Planning, design and implementation of information systems
 
System Development Life Cycle & Implementation of MIS
System Development Life Cycle & Implementation of MISSystem Development Life Cycle & Implementation of MIS
System Development Life Cycle & Implementation of MIS
 
Implementation of MIS and its methods
Implementation of MIS and its methodsImplementation of MIS and its methods
Implementation of MIS and its methods
 

Similaire à Information System Security(lecture 1)

Basic Security Chapter 1
Basic Security Chapter 1Basic Security Chapter 1
Basic Security Chapter 1AfiqEfendy Zaen
 
Basic security concepts_chapter_1
Basic security concepts_chapter_1Basic security concepts_chapter_1
Basic security concepts_chapter_1abdifatah said
 
PPT0-Computer Security Concepts.pptx
PPT0-Computer Security Concepts.pptxPPT0-Computer Security Concepts.pptx
PPT0-Computer Security Concepts.pptxPiBits
 
Basic security concepts_chapter_1_6perpage
Basic security concepts_chapter_1_6perpageBasic security concepts_chapter_1_6perpage
Basic security concepts_chapter_1_6perpagenakomuri
 
Introduction to Computer Security
Introduction to Computer SecurityIntroduction to Computer Security
Introduction to Computer SecurityKamal Acharya
 
Ch01
Ch01Ch01
Ch01n C
 
LIS3353 SP12 Week 9
LIS3353 SP12 Week 9LIS3353 SP12 Week 9
LIS3353 SP12 Week 9Amanda Case
 
E sec chaptr-1
E sec chaptr-1E sec chaptr-1
E sec chaptr-1123aleena
 
Security in network computing
Security in network computingSecurity in network computing
Security in network computingManoj VNV
 
Ia 124 1621324143 ia_124_lecture_01
Ia 124 1621324143 ia_124_lecture_01Ia 124 1621324143 ia_124_lecture_01
Ia 124 1621324143 ia_124_lecture_01ITNet
 
Computer Security Chapter 1
Computer Security Chapter 1Computer Security Chapter 1
Computer Security Chapter 1Temesgen Berhanu
 
Security information for internet and security
Security information for internet and securitySecurity information for internet and security
Security information for internet and securitySomesh Kumar
 

Similaire à Information System Security(lecture 1) (20)

Basic Security Chapter 1
Basic Security Chapter 1Basic Security Chapter 1
Basic Security Chapter 1
 
Basic security concepts_chapter_1
Basic security concepts_chapter_1Basic security concepts_chapter_1
Basic security concepts_chapter_1
 
PPT0-Computer Security Concepts.pptx
PPT0-Computer Security Concepts.pptxPPT0-Computer Security Concepts.pptx
PPT0-Computer Security Concepts.pptx
 
Basic security concepts_chapter_1_6perpage
Basic security concepts_chapter_1_6perpageBasic security concepts_chapter_1_6perpage
Basic security concepts_chapter_1_6perpage
 
Introduction to Computer Security
Introduction to Computer SecurityIntroduction to Computer Security
Introduction to Computer Security
 
Ch01
Ch01Ch01
Ch01
 
LIS3353 SP12 Week 9
LIS3353 SP12 Week 9LIS3353 SP12 Week 9
LIS3353 SP12 Week 9
 
Introduction Network security
Introduction Network securityIntroduction Network security
Introduction Network security
 
IS Unit II.pptx
IS Unit II.pptxIS Unit II.pptx
IS Unit II.pptx
 
System Security-Chapter 1
System Security-Chapter 1System Security-Chapter 1
System Security-Chapter 1
 
E sec chaptr-1
E sec chaptr-1E sec chaptr-1
E sec chaptr-1
 
Security in network computing
Security in network computingSecurity in network computing
Security in network computing
 
Ia 124 1621324143 ia_124_lecture_01
Ia 124 1621324143 ia_124_lecture_01Ia 124 1621324143 ia_124_lecture_01
Ia 124 1621324143 ia_124_lecture_01
 
Network Security
Network Security Network Security
Network Security
 
Intro
IntroIntro
Intro
 
Computer Security Chapter 1
Computer Security Chapter 1Computer Security Chapter 1
Computer Security Chapter 1
 
Security information for internet and security
Security information for internet and securitySecurity information for internet and security
Security information for internet and security
 
introduction of ethical hacking. (ppt)
introduction of ethical hacking. (ppt)introduction of ethical hacking. (ppt)
introduction of ethical hacking. (ppt)
 
introduction of ethical hacking. ppt
introduction of ethical hacking. pptintroduction of ethical hacking. ppt
introduction of ethical hacking. ppt
 
Ch1 cse
Ch1 cseCh1 cse
Ch1 cse
 

Plus de Ali Habeeb

Anonymous Connections And Onion Routing
Anonymous Connections And Onion RoutingAnonymous Connections And Onion Routing
Anonymous Connections And Onion RoutingAli Habeeb
 
Opinion Mining
Opinion MiningOpinion Mining
Opinion MiningAli Habeeb
 
Cloud Security
Cloud SecurityCloud Security
Cloud SecurityAli Habeeb
 
Data-Centric Routing Protocols in Wireless Sensor Network: A survey
Data-Centric Routing Protocols in Wireless Sensor Network: A surveyData-Centric Routing Protocols in Wireless Sensor Network: A survey
Data-Centric Routing Protocols in Wireless Sensor Network: A surveyAli Habeeb
 
Secure erasure code based distributed storage system with secure data forwarding
Secure erasure code based distributed storage system with secure data forwardingSecure erasure code based distributed storage system with secure data forwarding
Secure erasure code based distributed storage system with secure data forwardingAli Habeeb
 
Organizing User Search Histories
Organizing User Search HistoriesOrganizing User Search Histories
Organizing User Search HistoriesAli Habeeb
 
Detecting and Resolving Firewall Policy Anomalies
Detecting and Resolving Firewall Policy AnomaliesDetecting and Resolving Firewall Policy Anomalies
Detecting and Resolving Firewall Policy AnomaliesAli Habeeb
 
Bit Torrent Protocol
Bit Torrent ProtocolBit Torrent Protocol
Bit Torrent ProtocolAli Habeeb
 
A study of Data Quality and Analytics
A study of Data Quality and AnalyticsA study of Data Quality and Analytics
A study of Data Quality and AnalyticsAli Habeeb
 
Adhoc and Sensor Networks - Chapter 10
Adhoc and Sensor Networks - Chapter 10Adhoc and Sensor Networks - Chapter 10
Adhoc and Sensor Networks - Chapter 10Ali Habeeb
 
Adhoc and Sensor Networks - Chapter 09
Adhoc and Sensor Networks - Chapter 09Adhoc and Sensor Networks - Chapter 09
Adhoc and Sensor Networks - Chapter 09Ali Habeeb
 
Adhoc and Sensor Networks - Chapter 08
Adhoc and Sensor Networks - Chapter 08Adhoc and Sensor Networks - Chapter 08
Adhoc and Sensor Networks - Chapter 08Ali Habeeb
 
Adhoc and Sensor Networks - Chapter 07
Adhoc and Sensor Networks - Chapter 07Adhoc and Sensor Networks - Chapter 07
Adhoc and Sensor Networks - Chapter 07Ali Habeeb
 
Adhoc and Sensor Networks - Chapter 06
Adhoc and Sensor Networks - Chapter 06Adhoc and Sensor Networks - Chapter 06
Adhoc and Sensor Networks - Chapter 06Ali Habeeb
 
Adhoc and Sensor Networks - Chapter 05
Adhoc and Sensor Networks - Chapter 05Adhoc and Sensor Networks - Chapter 05
Adhoc and Sensor Networks - Chapter 05Ali Habeeb
 
Adhoc and Sensor Networks - Chapter 04
Adhoc and Sensor Networks - Chapter 04Adhoc and Sensor Networks - Chapter 04
Adhoc and Sensor Networks - Chapter 04Ali Habeeb
 

Plus de Ali Habeeb (20)

Anonymous Connections And Onion Routing
Anonymous Connections And Onion RoutingAnonymous Connections And Onion Routing
Anonymous Connections And Onion Routing
 
Opinion Mining
Opinion MiningOpinion Mining
Opinion Mining
 
WAP
WAPWAP
WAP
 
USB 3.0
USB 3.0USB 3.0
USB 3.0
 
Blue Eyes
Blue EyesBlue Eyes
Blue Eyes
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Data-Centric Routing Protocols in Wireless Sensor Network: A survey
Data-Centric Routing Protocols in Wireless Sensor Network: A surveyData-Centric Routing Protocols in Wireless Sensor Network: A survey
Data-Centric Routing Protocols in Wireless Sensor Network: A survey
 
Web Security
Web SecurityWeb Security
Web Security
 
Secure erasure code based distributed storage system with secure data forwarding
Secure erasure code based distributed storage system with secure data forwardingSecure erasure code based distributed storage system with secure data forwarding
Secure erasure code based distributed storage system with secure data forwarding
 
Organizing User Search Histories
Organizing User Search HistoriesOrganizing User Search Histories
Organizing User Search Histories
 
Detecting and Resolving Firewall Policy Anomalies
Detecting and Resolving Firewall Policy AnomaliesDetecting and Resolving Firewall Policy Anomalies
Detecting and Resolving Firewall Policy Anomalies
 
Bit Torrent Protocol
Bit Torrent ProtocolBit Torrent Protocol
Bit Torrent Protocol
 
A study of Data Quality and Analytics
A study of Data Quality and AnalyticsA study of Data Quality and Analytics
A study of Data Quality and Analytics
 
Adhoc and Sensor Networks - Chapter 10
Adhoc and Sensor Networks - Chapter 10Adhoc and Sensor Networks - Chapter 10
Adhoc and Sensor Networks - Chapter 10
 
Adhoc and Sensor Networks - Chapter 09
Adhoc and Sensor Networks - Chapter 09Adhoc and Sensor Networks - Chapter 09
Adhoc and Sensor Networks - Chapter 09
 
Adhoc and Sensor Networks - Chapter 08
Adhoc and Sensor Networks - Chapter 08Adhoc and Sensor Networks - Chapter 08
Adhoc and Sensor Networks - Chapter 08
 
Adhoc and Sensor Networks - Chapter 07
Adhoc and Sensor Networks - Chapter 07Adhoc and Sensor Networks - Chapter 07
Adhoc and Sensor Networks - Chapter 07
 
Adhoc and Sensor Networks - Chapter 06
Adhoc and Sensor Networks - Chapter 06Adhoc and Sensor Networks - Chapter 06
Adhoc and Sensor Networks - Chapter 06
 
Adhoc and Sensor Networks - Chapter 05
Adhoc and Sensor Networks - Chapter 05Adhoc and Sensor Networks - Chapter 05
Adhoc and Sensor Networks - Chapter 05
 
Adhoc and Sensor Networks - Chapter 04
Adhoc and Sensor Networks - Chapter 04Adhoc and Sensor Networks - Chapter 04
Adhoc and Sensor Networks - Chapter 04
 

Dernier

DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 

Dernier (20)

DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 

Information System Security(lecture 1)

  • 1. Information System SecurityInformation System Security Lecture 1Lecture 1 Introduction to Information SystemIntroduction to Information System SecuritySecurity
  • 2. 22 OutlineOutline 1.1. What is Security?What is Security? 2.2. What is Information Security?What is Information Security? 3.3. Why Information System Security?Why Information System Security? 4.4. Vulnerability, Threat and AttackVulnerability, Threat and Attack 5.5. Security PoliciesSecurity Policies 6.6. Security MeasuresSecurity Measures 7.7. Security RequirementsSecurity Requirements 8.8. Security ServicesSecurity Services 9.9. Security MechanismsSecurity Mechanisms
  • 3. 33 1. What is security?1. What is security?  SecuritySecurity:: protecting general assetsprotecting general assets  Security can be realized through:Security can be realized through: 1.1. PreventionPrevention: take measures that prevent your assets from being damaged.: take measures that prevent your assets from being damaged. 2.2. DetectionDetection: take measures so that you can detect when, how, and by: take measures so that you can detect when, how, and by whom an asset has been damaged.whom an asset has been damaged. 3.3. ReactionReaction: take measures so that you can recover your assets or to recover: take measures so that you can recover your assets or to recover from a damage to your assetsfrom a damage to your assets  Examples: next slideExamples: next slide  There are many branches of Security: national security,There are many branches of Security: national security, economic security,economic security, information securityinformation security, etc., etc.
  • 4. 44 ExamplesExamples  Ex. 1 - Private propertyEx. 1 - Private property – Prevention: locks at doors, window bars, walls around the property.Prevention: locks at doors, window bars, walls around the property. – Detection: stolen items aren’t there any more, burglar alarms, CCTV, …Detection: stolen items aren’t there any more, burglar alarms, CCTV, … – Reaction: call the police,…Reaction: call the police,…
  • 5. 55 ExamplesExamples  Ex. 2 - eCommerceEx. 2 - eCommerce – Prevention: encrypt your orders, rely on the merchant to perform checksPrevention: encrypt your orders, rely on the merchant to perform checks on the caller,…on the caller,… – Detection: an unauthorized transaction appears on your credit cardDetection: an unauthorized transaction appears on your credit card statementstatement – Reaction: complain, ask for a new credit card number, …Reaction: complain, ask for a new credit card number, …
  • 6. 66 2. What is Information Security?2. What is Information Security?  Information securityInformation security:: is concerned with protecting informationis concerned with protecting information and information resources such as: books, faxes, computer data,and information resources such as: books, faxes, computer data, voice communications, etc.voice communications, etc.  Information security isInformation security is determining:determining:  whatwhat needs to be protected,needs to be protected, i.e.i.e., assets, assets  andand whywhy (Security requirements which include CIA),(Security requirements which include CIA),  whatwhat needs to be protected from (Threats, vulnerabilities, risks),needs to be protected from (Threats, vulnerabilities, risks),  andand howhow (Security measures) to protect it for as long as it exists(Security measures) to protect it for as long as it exists – Security measures which are implemented according to a security policySecurity measures which are implemented according to a security policy
  • 7. 77 3. What is Information System3. What is Information System Security (ISS)?Security (ISS)? InformationInformation SystemsSystems (assets)(assets)Security Measures Attackers Policies Taken from K. Martin’s lecture, RHUL
  • 8. 88 Information System SecurityInformation System Security  ISS is concerned with protecting Information systemISS is concerned with protecting Information system assets such as PCs, software, applications, etc.assets such as PCs, software, applications, etc.  In order to ensure the security of Information Systems, weIn order to ensure the security of Information Systems, we need to determine:need to determine: 1.1. Assets (i.e., Information systems) to be protectedAssets (i.e., Information systems) to be protected 2.2. Security requirements; CIASecurity requirements; CIA 3.3. Threats, vulnerabilities, risksThreats, vulnerabilities, risks 4.4. Security policiesSecurity policies 5.5. Security measuresSecurity measures
  • 9. 99 4. Vulnerability, Threat and4. Vulnerability, Threat and AttackAttack  AA vulnerabilityvulnerability: is a weakness in system design or: is a weakness in system design or implementation and can be in hardware or software.implementation and can be in hardware or software. – Example: a software bug exists in the OS, or no password rules are set.Example: a software bug exists in the OS, or no password rules are set.  AA threatthreat:: – Is a set of circumstances that has the potential to cause loss or harmIs a set of circumstances that has the potential to cause loss or harm – is an indication of potential undesirable eventis an indication of potential undesirable event – It refers to a situation in whichIt refers to a situation in which  a person could do something undesirable (an attacker initiating a denial-of-a person could do something undesirable (an attacker initiating a denial-of- service attack against an organization's email server), orservice attack against an organization's email server), or  a natural occurrence could cause an undesirable outcome (a fire damaging ana natural occurrence could cause an undesirable outcome (a fire damaging an organization's information technology hardware).organization's information technology hardware).
  • 10. 1010 4. Vulnerability, Threat and4. Vulnerability, Threat and AttackAttack  AA RiskRisk is the possibility of suffering harm or loss.is the possibility of suffering harm or loss.  AnAn attackattack: is a realization of a threat: is a realization of a threat  AnAn attackerattacker: is a person who exploit a vulnerability: is a person who exploit a vulnerability  An attacker must have means, opportunity, and motiveAn attacker must have means, opportunity, and motive – Synonyms: enemy, adversary, opponent, eavesdropper, intruderSynonyms: enemy, adversary, opponent, eavesdropper, intruder
  • 11. 1111 Vulnerability, Attack and ThreatVulnerability, Attack and Threat  AA hackerhacker:: – A person who have advanced knowledge of operating systems andA person who have advanced knowledge of operating systems and programming languagesprogramming languages – Might discover holes within systems and the reasons for such holesMight discover holes within systems and the reasons for such holes – Share what they discover but never intentionally damage dataShare what they discover but never intentionally damage data  AA crackercracker:: – The one who breaks into or violates the system integrity of remoteThe one who breaks into or violates the system integrity of remote machines with the malicious intent, i.e., gaining unauthorized accessmachines with the malicious intent, i.e., gaining unauthorized access – Might destroy vital data, deny legitimate users servicesMight destroy vital data, deny legitimate users services  AA passive adversarypassive adversary is an adversary who is capable only ofis an adversary who is capable only of reading from an unsecured channelreading from an unsecured channel  AnAn active adversaryactive adversary is an adversary who may also transmit, alter,is an adversary who may also transmit, alter, or delete information on an unsecured channelor delete information on an unsecured channel
  • 12. 1212 Common security attacksCommon security attacks  InterruptionInterruption, delay, denial of receipt or denial of service, delay, denial of receipt or denial of service – System assets or information become unavailable or are rendered unavailableSystem assets or information become unavailable or are rendered unavailable  Interception or snoopingInterception or snooping – Unauthorized party gains access to information by browsing through files orUnauthorized party gains access to information by browsing through files or reading communications.reading communications.  Modification or alterationModification or alteration – Unauthorized party changes information in transit or information stored forUnauthorized party changes information in transit or information stored for subsequent access.subsequent access.  Masquerade or spoofingMasquerade or spoofing – Spurious information is inserted into the system or network by making it appearsSpurious information is inserted into the system or network by making it appears as if it is from a legitimate entity.as if it is from a legitimate entity.  Repudiation of originRepudiation of origin – False denial that an entity created something.False denial that an entity created something.
  • 13. 1313 5. Security Policy5. Security Policy  AA security policysecurity policy states what is, and is not, allowedstates what is, and is not, allowed  Is a document describing a company’s security controls andIs a document describing a company’s security controls and activities.activities.  Does not specify technologies.Does not specify technologies.  Examples:Examples: – Policy: Password constructionPolicy: Password construction Account names must not be used inAccount names must not be used in passwords.passwords. – Policy: Confidentiality of Personal informationPolicy: Confidentiality of Personal information all personalall personal information must be treated as confidential.information must be treated as confidential.  A security Policy is a guideline for implementing securityA security Policy is a guideline for implementing security measures.measures.
  • 14. 1414 6. Security measures6. Security measures  Security measuresSecurity measures include techniques for ensuring:include techniques for ensuring: – Prevention: such asPrevention: such as encryptionencryption,, user authenticationuser authentication,, one timeone time passwordpassword,, anti-virusanti-virus,, firewalfirewall, etc.l, etc. – Detection: such asDetection: such as IDS (Intrusion Detection Systems)IDS (Intrusion Detection Systems), Monitoring tools,, Monitoring tools, Firewall log,Firewall log, digital signaturedigital signature, etc., etc. – Reaction (or recovery): Such as Backup systems, OS’s recovery points,Reaction (or recovery): Such as Backup systems, OS’s recovery points, etc.etc.  Encryption (lectures 2 & 3)Encryption (lectures 2 & 3)  Digital Signature (lecture 4)Digital Signature (lecture 4)  User Authentication (lecture 5)User Authentication (lecture 5)  Antivirus (lecture 7)Antivirus (lecture 7)  IDS and firewalls (Lectures 8 & 9)IDS and firewalls (Lectures 8 & 9) Database security (lecture 6)
  • 15. 1515 7. Security Requirements7. Security Requirements  Most important security requirements are:Most important security requirements are: – ConfidentialityConfidentiality: keeping information secret from all but those: keeping information secret from all but those who are authorized to see it.who are authorized to see it.  Also called secrecy or privacyAlso called secrecy or privacy – IntegrityIntegrity: ensuring information has not been altered by: ensuring information has not been altered by unauthorized or unknown means.unauthorized or unknown means. – AvailabilityAvailability :: keeping information accessible by authorized userskeeping information accessible by authorized users when requiredwhen required
  • 16. 1616 Security RequirementsSecurity Requirements  Other requirements:Other requirements: – Entity authenticationEntity authentication :: corroboration of the identity of an entitycorroboration of the identity of an entity (e.g., a person, a credit card, etc.)(e.g., a person, a credit card, etc.)  Identification, identity verificationIdentification, identity verification – Message authenticationMessage authentication : corroborating the source of: corroborating the source of information; also known asinformation; also known as data origin authenticationdata origin authentication..  Message authentication implicitly provides data integrityMessage authentication implicitly provides data integrity – Digital SignatureDigital Signature : a means to bind information to an entity: a means to bind information to an entity – Non-repudiationNon-repudiation:: preventing the denial of previous commitmentspreventing the denial of previous commitments or actionsor actions
  • 17. 1717 Security RequirementsSecurity Requirements – AuthorizationAuthorization : conveyance, to another party, of official sanction: conveyance, to another party, of official sanction to do or to be something.to do or to be something. – Access controlAccess control: restricting access to resources to privileged: restricting access to resources to privileged entities.entities. – ValidationValidation: a means to provide timeliness of authorization to use: a means to provide timeliness of authorization to use or manipulate information or resources.or manipulate information or resources.  These Requirements are referred to asThese Requirements are referred to as ISS objectivesISS objectives (another definition of ISS)(another definition of ISS)..
  • 18. 1818 8. Security services8. Security services  AnAn information security serviceinformation security service is a method to provide someis a method to provide some specific aspects of securityspecific aspects of security – ExamplesExamples  Confidentiality is a security objective (requirement), encryption is anConfidentiality is a security objective (requirement), encryption is an information security serviceinformation security service  Integrity is another security objective (requirement), a method to ensureIntegrity is another security objective (requirement), a method to ensure integrity is a security service.integrity is a security service.  BreakingBreaking a security service implies defeating the objective ofa security service implies defeating the objective of the intended service.the intended service.
  • 19. 1919 9. Security mechanisms9. Security mechanisms  AA security mechanismsecurity mechanism encompasses Protocols, algorithms,encompasses Protocols, algorithms, Non-cryptographic techniques (hardware protection) toNon-cryptographic techniques (hardware protection) to achieve specific security objectives (confidentiality, integrity,achieve specific security objectives (confidentiality, integrity, …).…).
  • 20. 2020

Notes de l'éditeur

  1. Information security : Is more than setting up a firewall, running an anti-virus software, using passwords to control access to databases, or discovering vulnerabilities in your system software. Is determining: what needs to be protected, i.e. , assets such as PCs, softwares, applications, etc. Why assets need protection , i.e., s ecurity requirements such as Confidentiality, Integrity, and Availability (C.I.A.) what it needs to be protected from (e.g., threats, vulnerabilities, risks), how to protect assets, i.e., what security measures we need to protect assets Security measures include techniques for: Prevention: techniques, to prevent occurrence of threats, such as encryption, firewalls, etc. Detection: techniques, to discover illegal actions, or attempted illegal access, such as IDSs (Intrusion Detection Systems), monitoring tools, etc. Reaction or recovery: techniques to minimizes the damages and restore the CIA of damages assets (eg, backup of systems). Security measures are an implementation of a security policy.
  2. Vulnerabilities: is a weakness in system design or implementation and can be in hardware or software. hardware accidental: fires, floods, mice malicious: fires, theft software: accidental: Bugs (buffer overflows), bad design (fails to an insecure state) Malicious: deletion, spyware, trojans, A Threat is an indication of a potential undesirable event. It refers to a situation in which either a person could do something undesirable (e.g., initiating a denial-of-service attack against an organization's email server) or a natural occurrence could cause an undesirable outcome (a fire damaging an organization's information technology hardware). A Risk is the possibility of suffering harm or loss. It refers to a situation in which either a person could do something undesirable or a natural occurrence could cause an undesirable outcome resulting in a negative impact or consequence.
  3. Vulnerabilities: is a weakness in system design or implementation and can be in hardware or software. hardware accidental: fires, floods, mice malicious: fires, theft software: accidental: Bugs (buffer overflows), bad design (fails to an insecure state) Malicious: deletion, spyware, trojans, A Threat is an indication of a potential undesirable event. It refers to a situation in which either a person could do something undesirable (e.g., initiating a denial-of-service attack against an organization's email server) or a natural occurrence could cause an undesirable outcome (a fire damaging an organization's information technology hardware). A Risk is the possibility of suffering harm or loss. It refers to a situation in which either a person could do something undesirable or a natural occurrence could cause an undesirable outcome resulting in a negative impact or consequence.
  4. Denail: A refusal to comply with or satisfy a request Snooping : To pry into the private affairs of others Masquerade: to go about as if in disguise Spoofing: to deceive Spurious: not genuine or false Repudiation: the refusal to acknowledge a contract or debt
  5. Lectures 2 – 5 explain how to use cryptography as security measures. Lecture 6 shows another way to implement database-related security measures.
  6. ISS is about keeping confidentiality, integrity, and availability
  7. ISS is about keeping confidentiality, integrity, and availability
  8. ISS is about keeping confidentiality, integrity, and availability