Welcome to
Foundation of Information Security
Foundation of Information
Security
Lecture-2
Introduction
• Instructor : Sweta Mishra
• Room No. : 219C, Block-C
• Phone Number: 477 (internal)
• Email : sweta.mishra@snu.edu.in
• Web Link : https://cse.snu.edu.in/people/faculty/sweta-mishra
• Research Interests
• Cryptography, Password-based Cryptosystems, Biometric Security, Information
Security, Blockchain Technology…
• Google scholar link: https://scholar.google.co.in/citations?user=nqSP0nIAAAAJ&hl=en
Spring Semester 2024: Timetable
Lecture Time: 9:30 – 10:55 AM (Monday & Wednesday)
Credits: 3
Contact Hours (L:T:P): 3:0:0
Office hour: Wednesday (3:00 PM - 4:00 PM) or email appointment.
Course logistics
• Lecture slides, assignments will be posted on ‘Blackboard’.
• For each assignment there will be a deadline for submission.
• Be sure that you complete the exercise well before the deadline and
submit your assignment in time, submitted after due date will not be
evaluated.
Course Grading Structure
• These weights are indicative, and may change as semester progresses
Evaluation Instrument Weightage
Mid Term 30%
Quiz 15%
Assignment 10%
Programming Assignment 15%
End Term 30%
Evaluation Strategy
• Relative Grading
• Attendance requirement: 75% (minimum) or as per university policy.
Course contents
• Security Overview, CIA model, Threats, Security Policies and Mechanisms
• Cryptography Basics: Stream Ciphers and Block Ciphers, Public Key Cryptography,
Hash Functions
• Authentication and Access Control
• Malicious Software: Trojan Horses, Viruses, Worms, Logic Bombs, Defenses.
• Denial-of-Service Attacks: DoS, DDoS, Defenses.
• Intrusion Detections, Firewalls and Intrusion Prevention Systems
• Protocols: TLS security, Authentication protocol
Recommended
Books
1. Matt Bishop, S.S.
Venkatramanayya, “Introduction
to Computer Security, 3/e”,
Pearson Education
2. W Stallings, “Cryptography and
Network Security: Principles and
Practice, 6/e”, Prentice Hall
Learning Outcomes
• Recognize threats to Confidentiality, Integrity, and Availability of Information
systems and how security evolves around the CIA principle
• Understand and explain the basic computer security terminologies
• To use the security solutions correctly
• Find and apply documentation of security-related problems and tools
• Think of the countermeasures to identified threats and argue their effectiveness
• Compare different security mechanisms
Security solutions in practice!
Difficult to define user Security!
• Insecure approaches are easier to list down
• Not applying security patches or application updates to your systems
• Using weak passwords
• Downloading programs from the internet
• Opening email attachments from unknown senders
• Using wireless networks without encryption
Why this course is important ?
• In this era of ubiquitous computing where we are connected to each
other through so many computing devices, it is important to protect
our data.
• Technology changes at an increasingly rapid rate but theory about
keeping ourselves secure lags behind.
• Good understanding of the basics of information security helps to
cope with changes as they come.
Security
Digital Forensics Biometrics Security
Mobile Databases
Security Security
Network Hardware Security
Online Social Distributed Systems
Security
Media Security Security
Cryptography
Security
Digital Forensics Biometrics Security
Mobile Databases
Security Security
Network Hardware Security
Online Social Distributed Systems
Security
Media Security Security
Cryptography
Information Security
The term ‘information security’ means protecting
information and information systems from
unauthorized access, use, disclosure, disruption,
modification, or destruction in order to provide
confidentiality, integrity and availability
— Federal Information Security Modernization Act of 2014.
Security Model
CIA triad
Confidentiality
• Ability to protect data from
unauthorized personnel.
Confidentiality
• Possible to achieve through
• Access control
Prevents
• unauthorised users to access confidential data
• Authorised users from accessing information not authorised for
• Use of Cryptography: Encryption methods
• Keeping data at rest, secure
• Provides secure communication
Availability
• The ability of the authorised user to access data for legitimate
purposes whenever required.
We could lose availability
• Power loss, operating system or application problems, network attacks, etc.
CIA triad
Information Security Illuminated by G. Solomon and Mike Chapple
CIA/DAD
• Considering the
Threats also known as
Disclosure, Alteration,
and Denial (DAD)
• A Model for malicious
user
Disclosure
• Getting access to confidential
information
• Insider/outsider attack
• Programming Error
Alteration
• Failing to provide integrity
• Attacker (Insider/outsider)
• Untrained administrator
Denial
• Prevents authorised access of data/information for legitimate users
• System failure
• Denial of Service (DoS) attacks
Impact of Breach of Security
• Impact on an organization
• Degradation to perform its primary functions
• Damage to organizational assets
• Financial loss
• Harm to individual
• Different levels of impact
▪ Low
▪ Medium
▪ High
Computer Security Challenges
• Security is not simple it requires a lot of research and money
• In developing new design, potential attacks on the security features need to be
considered.
• It is necessary to decide where to use the various security mechanisms.
• Requires constant monitoring.
• Security is essentially a battle of wits between a Designer and Attacker
• Little benefit from security investment is perceived until a security failure occurs.
• Strong security is often viewed as an impediment to efficient and user-friendly
operation.
Adding to CIA Triad…
• Authenticity: The property of being genuine and being able to be
verified and trusted. Means verifying that users are who they say they
are and that each input arriving at the system came from a trusted
source.
• Accountability: The security goal that generates the requirement for
actions of an entity to be traced uniquely to that entity.
Vulnerabilities, Threats, and Risk
• Vulnerability: a weakness in a system that may be exploited to
degrade or bypass standard security mechanisms.
• Threat: a set of external circumstances that may allow a vulnerability
to be exploited.
• Risk: When a threat and a corresponding vulnerability both exist.
Example: A threat of a particular virus combined with the vulnerability
of a system without antivirus software combine to constitute a risk to
that system
Threats to Security
• Malicious Code:
- viruses, worms, Trojan horses, etc., computer programs that carry
out malicious actions when run on a system.
• Computer criminals such as Hackers:
- Goal to Penetrate the security of an Information system
• Malicious Insider
- betrayal of trust by a user authorized to use the system.
- Most difficult to prevent
Threats analysis against an application
Credit card payment
• Confidentiality: If data exposed inappropriately
• Integrity: incorrect processing of payments if data becomes corrupt
• Availability: Not possible to process payment if the system or
application goes down
• Authenticity: Need to maintain authentic customer information to
prevent fraudulent transaction.
Risk Analysis
• To effectively identify and deal with the threats of a security system
• An analysis by the security professionals
Risk management process:
• Identify the most valuable assets of an organization
• Identify risks to the assets and how likely the risks to occur
• Actions towards the risk
Risk Management Process
Security Tradeoff
• Tradeoff between risks and benefits.
• The choice to implement a specific security mechanism is influenced
by the cost of the mechanism and the amount of damage it may
prevent
Security Terminology and Relationship
Vulnerabilities and Attacks
System resource vulnerabilities may
- be corrupted (loss of integrity)
- become leaky (loss of confidentiality)
- become unavailable (loss of availability)
Attacks are threats carried out and may be
- passive
- active
- insider
- outsider
Threat Agent/Attacker
• Active attack: An attempt to alter system resources or affect their
operation.
• Passive attack: An attempt to learn or make use of information from
the system that does not affect system resources.
Based on the origin of the attack:
• Insider attack: Initiated by an entity inside the security perimeter,
authorized to access system resources but uses them in a way not
approved.
• Outsider attack: Initiated from outside the perimeter, by an
unauthorized or illegitimate user of the system
Countermeasure
• Means to deal with a security attack
• Prevent
• Detect
• Recover
Countermeasure
• Means to deal with a security attack
• Prevent
• Detect May introduce new vulnerabilities
• Recover
• Goal: to minimize risk
Threat Consequences
• Unotherized Disclosure: Unauthorized access to information
- exposure, interception, inference, intrusion
• Deception: Acceptance of false data
- masquerade, falsification, repudiation
• Disruption: Interruption or prevention of correct operation
- incapacitation, corruption, obstruction
• Usurpation: Unauthorized control of some part of a system
- misappropriation, misuse