Week1.
Introduction to Information
Security. Basic Terminology.
Lecture slides by Zhanbolat Seitkulov
January IITU, Information Security 1
Teaching
• Lectures – by Me (15 lectures on a weekly
basis)
• Labs and Practical sessions – also by Me
• Contact
Email: zhanbolat.iitu@gmail.com
Office 802 or 112
Some information to help you take this module
Course Objectives
• 15 lectures – one per week
– Provide overview of Security Principles
• Encryption, Network Security, Software Security, Data and
Network Protection methods
• Laboratory works and Quizzes
• Prerequisites:
– Information systems
– Networking
• Programming and Basic Mathematical skills
• Attendance is desirable!
What you can get from this course
• Why protect? What to protect? How to protect?
• Sorts of threats against modern computers
and networks
– Network attacks, types of worms and viruses
• How the above problems are being solved in industry
– Concepts of encryption, hardware and software
protection (firewall, IDS, policies and procedures)
Syllabus at a glance
• Basic terminology.
• Classical Encryption. Early cryptography. Rotor machines: Enigma and its
relatives.
• Block ciphers and the Data Encryption Standard.
• Basic concepts in Number Theory and Finite Fields
• Advanced Encryption Standard
• Public Key Cryptography and RSA.
• Cryptographic Hash Function
• Digital Signatures
• User Identification and Authentication
• Access Control (Authorization)
• Network Firewalls
• Risk Management
How to take this course: reading
Basic literature (Required Reading!):
• Cryptography and Network Security by
William Stallings, 5th edition, 2006
• Security in Computing by Charles P. Pfleeger
and Shari Lawrence Pfleeger, 4th edition, 2006
How to take this course: schedule
• Attend all lectures
• Submit assignments on time
– Do not leave until the last minute
– Marks will be deducted for late submission (-10% for
each day)
– Cannot mark what is not there
– Plagiarism … will be detected!
• Penalty will be given according to the University’s plagiarism
policy
• See assignment description for submission date
Assessment
• First term
– Laboratory works (5x10%) = 50%
– Quizzes (5x5%) = 25%
– Term Exam 25%
• The same for the second term
• Overall mark:
– 30% - 1st term
– 30% - 2nd term
– 40% - Final Examination
Questions?
Basic Concepts and Terminology
• Vulnerability
• Threat
• Attack
• Security concepts:
– Confidentiality, Integrity, Availability
• Security Service
Vulnerability
• A state of a system in which it is open to attack or injury.
• Example in house analogy:
– “Open Door” is the vulnerability for thieves
Threat
• A statement of intent to injure, damage or take other hostile action.
• A potential for violation of security.
• In case of “house” example:
– “Loss of Money” is a threat
• 4 kinds of threats:
– Interception
– Interruption
– Modification
– Fabrication
• Interception – unauthorized access to data.
• For example,
– Illegal copying of program or data files
Source: https://genesisdatabase.wordpress.com/
• Interruption – data of the system becomes lost, unavailable, or unusable.
• Examples include
– Erasure of a program or data file
– Malicious destruction of a hardware device
Source: https://genesisdatabase.wordpress.com/
• Modification – unauthorized change to, or tampering with, data.
• For example,
– Someone might change the values in a database
Source: https://genesisdatabase.wordpress.com/
• Fabrication – e.g. unauthorized insertion into an existing database.
Source: https://genesisdatabase.wordpress.com/
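The four threat kinds above are easiest to tell apart when you see what a receiver can and cannot notice. The following example is added here and is not part of the original slides: a sender tags each message with a sequence number and an HMAC under a shared key (the key value and the message contents are constructed for the demo). Modification and fabrication both fail the tag check, interruption shows up as a gap in the sequence numbers, and interception leaves no trace at all, which is why it needs a confidentiality mechanism (encryption) rather than an integrity one.

```python
import hashlib
import hmac

# Constructed demo key shared by sender and receiver (placeholder, not a real secret)
SHARED_KEY = b"demo-shared-key"


def make_tag(seq: int, payload: bytes, key: bytes = SHARED_KEY) -> bytes:
    """HMAC-SHA256 over sequence number + payload: the integrity/authentication check."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()


def send(seq: int, payload: bytes) -> tuple:
    """Sender attaches a sequence number and a tag to each message."""
    return (seq, payload, make_tag(seq, payload))


def receive(messages, key: bytes = SHARED_KEY):
    """Receiver verifies each message. Returns (accepted, findings)."""
    accepted, findings = [], []
    expected_seq = 1
    for seq, payload, tag in messages:
        # Modification and fabrication both fail here: without the key the attacker
        # cannot compute a valid tag for a changed or invented message. The receiver
        # cannot tell the two apart, it only knows the message is not trustworthy.
        if not hmac.compare_digest(tag, make_tag(seq, payload, key)):
            findings.append((seq, "tampered"))
            continue
        # Interruption (a deleted message) shows up as a gap in the sequence numbers.
        if seq > expected_seq:
            findings.append((seq, "gap"))
        accepted.append((seq, payload))
        expected_seq = seq + 1
    return accepted, findings


def demo():
    """Apply all four threat kinds to a constructed message stream and verify it."""
    payloads = [b"balance=100", b"balance=120", b"balance=90", b"balance=95"]
    stream = [send(i, p) for i, p in enumerate(payloads, start=1)]
    # Interception: an attacker copies the stream while it is in transit. Nothing
    # below detects this; only confidentiality (encryption) addresses it.
    # Modification: payload of message 2 changed, original tag kept.
    seq, _, tag = stream[1]
    stream[1] = (seq, b"balance=9999", tag)
    # Interruption: message 3 deleted.
    del stream[2]
    # Fabrication: attacker appends message 5 tagged with a guessed key.
    stream.append((5, b"balance=0", make_tag(5, b"balance=0", b"wrong-key")))
    return receive(stream)


if __name__ == "__main__":
    accepted, findings = demo()
    print("accepted:", accepted)
    print("findings:", findings)
```

The receiver accepts messages 1 and 4, reports 2 and 5 as tampered and flags the gap before 4; the copied stream (interception) is never reported.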
Attack
• An assault on system security
• A deliberate attempt to evade security
services
• Kinds of attacks:
– Passive attacks
– Active attacks
Passive Attacks
Source: Cryptography and Network Security by Stallings
Passive Attacks (cont.)
Source: Cryptography and Network Security by Stallings
Active Attacks
Source: Cryptography and Network Security by Stallings
Active Attacks (cont.)
Source: Cryptography and Network Security by Stallings
Why attack? (MOM)
• Method: skills, knowledge, tools, etc.
• Opportunity: time and access
• Motive: fame, money, etc.
Key Security Concepts
• Used to prevent weaknesses from being
exploited
– Confidentiality – access only by authorized users;
E.g. Student grades
– Integrity – modify only by authorized users; E.g.
Patient information
– Availability – E.g. Users want to check their
accounts
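The grade example on this slide can be turned into a concrete policy. The code below is an added example, not part of the original slides: a small grade store with a deny-by-default rule that enforces confidentiality (a student reads only their own grade, an instructor reads any) and integrity (only an instructor may write), and records every decision in an audit list. The role directory and names are constructed for the demo.

```python
class GradeStore:
    """Grade records with a deny-by-default access policy and an audit trail."""

    def __init__(self, roles):
        self.roles = roles        # principal -> role (constructed directory)
        self.records = {}         # student -> grade
        self.audit = []           # (decision, action, principal, student)

    def _allowed(self, action, principal, student):
        role = self.roles.get(principal)
        if action == "read":
            # Confidentiality: instructors read any grade; a student only their own.
            return role == "instructor" or (role == "student" and principal == student)
        if action == "write":
            # Integrity: only instructors may change a grade.
            return role == "instructor"
        return False              # unknown action or unknown principal: deny

    def _check(self, action, principal, student):
        ok = self._allowed(action, principal, student)
        self.audit.append(("ALLOW" if ok else "DENY", action, principal, student))
        if not ok:
            raise PermissionError(f"{principal} may not {action} grade of {student}")

    def read(self, principal, student):
        self._check("read", principal, student)
        return self.records.get(student)

    def write(self, principal, student, grade):
        self._check("write", principal, student)
        self.records[student] = grade

    def denials(self):
        """Denied requests: the audit entries a detection process would look at."""
        return [e for e in self.audit if e[0] == "DENY"]


# Constructed role directory for the demo
ROLES = {"alice": "student", "bob": "student", "prof_k": "instructor"}


if __name__ == "__main__":
    store = GradeStore(ROLES)
    store.write("prof_k", "alice", "B")
    print(store.read("alice", "alice"))        # alice sees her own grade
    for principal, action in [("bob", "read"), ("alice", "write"), ("mallory", "read")]:
        try:
            if action == "read":
                store.read(principal, "alice")
            else:
                store.write(principal, "alice", "A")
        except PermissionError as e:
            print("denied:", e)
    print(store.denials())
```

Note that an unknown principal such as "mallory" is denied by the same fall-through as an unknown action, so the policy does not need a separate rule for strangers.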
Relationship between Confidentiality,
Integrity, and Availability
How to avoid security attacks?
• Think about vulnerabilities
• Viruses, worms, trojans
• Servers, server rooms, laptops, etc. (Physical
Security)
• Data protection
– The most important thing in the majority of information systems
How to protect? 3Ds of Security
• Defense – reducing risks and the cost of incidents (E.g. Firewalls, antivirus software, spam filters, etc.)
• Deterrence – the prospect of punishment makes attackers think twice (E.g. Laws, organizational policies and procedures)
• Detection – an alert is needed when a security incident occurs (E.g. Audit logs, intrusion detection system, network traffic monitoring)
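Detection from audit logs is the D most often left to tooling, so here is what the logic looks like in a few lines. This is an added example, not part of the original slides: it runs a sliding-window rule over constructed login audit lines (the line format, the threshold of 5 failures in 60 seconds, and all user names and addresses are assumptions for the demo) and raises an alert for a burst of failures and a second one if that account then logs in successfully.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-log format (hypothetical): "<ISO timestamp> <EVENT> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) (LOGIN_OK|LOGIN_FAIL) user=(\S+) src=(\S+)$")


def parse_line(line: str):
    """Return (timestamp, event, user, src) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts, event, user, src = m.groups()
    return datetime.fromisoformat(ts), event, user, src


def detect_login_abuse(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert when one account fails `threshold` logins within `window`,
    and again if that account then logs in successfully."""
    recent_failures = defaultdict(deque)   # user -> failure timestamps inside the window
    alerted = set()                        # users already under a brute-force alert
    alerts = []                            # (timestamp, kind, user, src)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                       # unparsable lines are skipped, not trusted
        ts, event, user, src = rec
        if event == "LOGIN_FAIL":
            q = recent_failures[user]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()                # slide the window forward
            if len(q) >= threshold and user not in alerted:
                alerts.append((ts.isoformat(), "BRUTE_FORCE", user, src))
                alerted.add(user)
        elif event == "LOGIN_OK" and user in alerted:
            # A success right after a burst of failures is the case worth a human look.
            alerts.append((ts.isoformat(), "SUCCESS_AFTER_BRUTE_FORCE", user, src))
            alerted.discard(user)
            recent_failures[user].clear()
    return alerts


# Constructed sample log: alice fails five times in 25 s and then gets in;
# bob fails twice, minutes apart, which stays below the threshold.
SAMPLE_LOG = [
    "2024-01-15T09:00:01 LOGIN_FAIL user=alice src=10.0.0.5",
    "2024-01-15T09:00:07 LOGIN_FAIL user=alice src=10.0.0.5",
    "2024-01-15T09:00:12 LOGIN_FAIL user=bob src=10.0.0.9",
    "2024-01-15T09:00:15 LOGIN_FAIL user=alice src=10.0.0.5",
    "2024-01-15T09:00:20 LOGIN_FAIL user=alice src=10.0.0.5",
    "2024-01-15T09:00:26 LOGIN_FAIL user=alice src=10.0.0.5",
    "2024-01-15T09:00:31 LOGIN_OK user=alice src=10.0.0.5",
    "2024-01-15T09:05:00 LOGIN_FAIL user=bob src=10.0.0.9",
    "2024-01-15T09:05:04 LOGIN_OK user=bob src=10.0.0.9",
    "this line is malformed and must be ignored",
]


if __name__ == "__main__":
    for alert in detect_login_abuse(SAMPLE_LOG):
        print(*alert)
```

The window is per account, so bob's two failures five minutes apart never accumulate; raising the threshold to 7 silences the alice alerts entirely, which is the knob an operator tunes against the false-positive rate of the environment.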
How to protect? Security Service
• Enhance security of data processing systems
and information transfers of an organization
• Intended to counter security attacks
– Using one or more security mechanisms
• Often replicates functions normally associated
with physical documents
– E.g. have signatures, dates; need protection from
disclosure
Security Services
• X.800:
– “a service provided by a protocol layer of
communicating open systems, which ensures
adequate security of the systems or of data
transfers”
• RFC 2828:
– “a processing or communication service provided
by a system to give a specific kind of protection to
system resources”
Security Services (X.800)
• Authentication – assurance that the communicating entity is the one claimed
• Access Control – prevention of the unauthorized use of a resource
• Data Confidentiality – protection of data from unauthorized disclosure
• Data Integrity – assurance that data received is as sent by an authorized entity
• Non-Repudiation – protection against denial by one of the parties in a communication
• Availability – the resource is accessible and usable.
Security Mechanisms (X.800)
• Features designed to protect, prevent, or
recover from a security attack
• No single mechanism supports all the services required
• Specific security mechanisms:
– Encipherment, digital signatures, access controls,
data integrity, authentication
Summary
• Basic Information Security Terminology
• Key Security Concepts
– Confidentiality, Integrity, Availability
• Subject of attacks? Hardware, Software and Data
• How to avoid attacks?
– Think about vulnerabilities
• How to protect?
– 3 Ds: Defense, Deterrence, Detection
– Security Services
Reading
• Cryptography and Network Security by
Stallings
• Chapter 1:
– Sections 1.1, 1.3, 1.4, 1.5, 1.8