CSCI 2201: Intro to Information Security
Dr. Raghav V. Sampangi (he/him)
Faculty of Computer Science, Dalhousie University
Acknowledgements
Dalhousie University is located in Mi’kma’ki, the ancestral and unceded
territory of the L’nu’k. We are all treaty people.
We recognize that African Nova Scotians are a distinct people whose
histories, legacies, and contributions have enriched the part of Mi’kma’ki,
currently known as Nova Scotia since 1604.
Quick recap: Course info
• What is the Life Happens clause?
• What is the Regret clause?
• Where will announcements be posted?
• Which movie universe is better: Marvel or DC or Astraverse?
Module 1:
Foundations of InfoSec
Learning objectives: InfoSec Foundations
Remember:
• Data vs. Information
• Vulnerabilities, threat, and risk
• What is information security?
Understand:
• Defense in depth
• CIA Triad
Understand and apply:
• Parkerian Hexad
• Attack types
Understand, analyze, and apply:
• Risk management process
• Risk control and Incident response
Quick recap: Data v. information
• What is meant by data, information?
• Data is the building block of information, usually raw, unorganized, and unprocessed.
• It is not useful on its own except for carrying facts.
• Information: processed and organized data that offers meaning and context [2].
• Information uses data.
Example:
• Data: Dalhousie University; Atlantic Canada; Largest university
• Information: Dalhousie University is the largest university in Atlantic Canada.
Quick recap: Data v. information
Source: “What is the difference between data and information?” (hubspot.com)
Quick recap: Security
• What is it?
• Security is about protecting “something”.
• What/who are we protecting?
• Assets: hardware or software, data, and people.
• Logical vs. physical assets.
• Who are we protecting it/them from?
• From attackers, viruses/worms, natural disasters, power failure, or vandalism.
• Security is a paradigm, a way of thinking.
Quick recap: Information systems and security
• Information System (IS)
• A system for collecting, processing, storing, and distributing information.
• Information Security (InfoSec)
• The practice of preventing or reducing the chance of unauthorized access, use,
disclosure, disruption, modification, or destruction of information and information
systems (IS).
• Cybersecurity v. InfoSec?
• Cybersecurity exists as a subset of information security.
• InfoSec extends to any platform, including analog.
• Even a filing cabinet with paper documents might need an information security intervention.
Planning for security
• Security Plan
• Involves finding a balance between protection, usability, and cost.
• “The only truly secure system is one that is powered off, cast in a block
of concrete and sealed in a lead-lined room with armed guards - and even
then I have my doubts.” - Eugene H. Spafford, Director of Purdue’s Center for
Education and Research in Information Assurance and Security
• Is this a usable system? Is this a productive system?
• The field of Usable Security & Privacy exists for this reason.
• Typically, usability is inversely proportional to security.
• Find a balance between protection, usability, and cost [4].
• The cost must not exceed the value of the assets we want to protect.
Are we ever truly secure?
• We are never truly secure.
• When are we not secure?
• Using weak passwords such as “password”, “1234”, “admin”, or “username”.
• Downloading infected programs from the Internet.
• Opening e-mail attachments from unknown senders.
• Not patching our systems, or not patching quickly enough.
• Using wireless networks without encryption/VPN.
The CIA Triad
The CIA Triad
• It is a Baseline Security Model [3].
• CIA triad:
• Confidentiality, Integrity, and
Availability
• Also referred to as CAI triad in some
security circles (esp. in the US).
• DAD:
• Disclosure, Alteration, and Denial
• The inverse of confidentiality, integrity,
and availability.
The CIA Triad
CIA Triad: Confidentiality
Ability to protect information from those who are not authorized to view it.
Important for individuals and organizations.
Implement at different levels of the process: each party is responsible to ensure confidentiality.
Example: Confidentiality in ATM transactions
• Individual: PIN
• ATM owner: account number, balance
• Bank: transaction with the ATM, balance updates
CIA Triad: Confidentiality Breach!
• When someone gets access to information that they must not access.
• Examples:
• Loss of a laptop that contains important information.
• A person looking over your shoulder while you are typing your password.
• An important email attachment sent to the wrong person.
CIA Triad: Confidentiality v. Privacy
• Privacy is about an individual:
• It’s their right to be left alone and not be observed/disturbed.
• “It is the right of an individual to have some control over how
their personal information is collected, used, and/or disclosed.” [9]
• Confidentiality is about the data:
• The ability to protect information from those who are not authorized
to view it, to the best extent possible.
• Narrower focus than privacy.
Haikus from [9]
What can we do to ensure confidentiality?
The CIA Triad
CIA Triad: Integrity
Ability to prevent data from being changed in an unauthorized and
undesirable manner.
• Unauthorized/undesirable change or deletion of data (or a portion of the data).
• Ability to reverse undesirable changes.
• Critical to support making correct decisions, e.g., medical test results.
Example:
• The OS enables different levels of permission in file systems.
• The ability to restore and revert database transactions.
CIA Triad: Integrity Violation
An integrity violation can involve the modification of data in an unauthorized or
undesirable manner.
Example: suppose some important files are stored on a USB drive, which is the only
copy of such files, and they are stored without any encryption or file protection of
any kind.
Now imagine you want to send this USB drive to a collaborator, and it is lost during
the shipment.
• Integrity violation:
• There is no encryption used; therefore, there is no protection against access or
modification.
• Any unauthorized third party can intercept the USB thumb drive during transit and
make changes to the files.
CIA Triad: Integrity Violation
• What if the USB thumb drive did not contain any important or confidential content?
• The value of the asset and the impact may be low, i.e., its utility may be low, but…
• If the content is accessed or modified, it is still an integrity violation.
What can we do to ensure integrity?
The CIA Triad
CIA Triad: Availability
• An authorized person must be able to access information when required.
• Information or data may be unavailable due to:
• Power loss, OS or application fault, network attack, etc.
• An attacker who fails to breach confidentiality or integrity can instead attack
availability:
• DoS (Denial of Service): when legitimate users cannot access the desired services.
Question: When an institutional network is under a DoS attack, what would be a
reasonable action step for the administrator?
CIA Triad: Unavailability
Suppose you are attempting to access your bank website to pay a bill.
You’ve clicked on submit after entering all details.
Due to high traffic, the server that hosts your bank’s website may not serve
your request and instead responds with an error.
What can we do to ensure availability?
CIA Triad: Summary
CIA Triad: How to ensure...?
• Confidentiality?
• Using encryption (protect from disclosure) and access control.
• Integrity?
• Using encryption (protect from changes) and hashes (verify that a message has not
been modified).
• Ability to reverse undesirable changes.
• Availability?
• Backup and redundancy.
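As an added illustration (not from the course slides), the Python below models the three controls just listed in one small record store: an access-control list checked before every read (confidentiality), a SHA-256 digest stored beside each record and verified on read plus a kept history so an undesirable change can be reversed (integrity), and redundant copies so a read still succeeds when one copy is lost or modified (availability). The record names, principals and contents are constructed sample data, and the two simulate_* methods exist only to exercise the controls.

```python
"""Added illustration (not from the course slides): a toy record store that
applies the three controls listed on the 'How to ensure' slide.

  Confidentiality -> an access-control list checked before every read.
  Integrity       -> a SHA-256 digest stored beside each record and verified
                     on read, plus a kept history so a change can be reversed.
  Availability    -> redundant copies, so a read still succeeds when one copy
                     is lost or found modified.

Record names, principals and contents below are constructed sample data."""
import hashlib


def digest(data: bytes) -> str:
    """SHA-256 hex digest used as the integrity check value for a record."""
    return hashlib.sha256(data).hexdigest()


class RecordStore:
    def __init__(self, replicas: int = 2):
        # Each replica maps record name -> (data, digest recorded at write time).
        self.replicas = [dict() for _ in range(replicas)]
        self.history = {}  # record name -> earlier versions, oldest first
        self.acl = {}      # record name -> set of principals allowed to read

    def write(self, name: str, data: bytes, readers: set) -> None:
        """Authorized write: remember the previous intact version (so it can be
        reverted), then store data + digest on every replica."""
        current = self._first_intact_copy(name)
        if current is not None:
            self.history.setdefault(name, []).append(current)
        entry = (data, digest(data))
        for replica in self.replicas:
            replica[name] = entry
        self.acl[name] = set(readers)

    def read(self, name: str, principal: str) -> bytes:
        """Confidentiality: refuse principals not on the record's ACL.
        Integrity/availability: return the first copy whose digest still
        matches, skipping copies that are missing or were modified."""
        if principal not in self.acl.get(name, set()):
            raise PermissionError(f"{principal} is not authorized to read {name}")
        copy = self._first_intact_copy(name)
        if copy is None:
            raise LookupError(f"no intact copy of {name} is available")
        return copy[0]

    def verify(self, name: str) -> list:
        """Per-replica integrity status: True if intact, False if missing/modified."""
        return [self._intact(replica, name) for replica in self.replicas]

    def repair(self, name: str) -> None:
        """Availability: re-copy an intact version onto any bad or missing replica."""
        copy = self._first_intact_copy(name)
        if copy is None:
            raise LookupError(f"cannot repair {name}: no intact copy left")
        for replica in self.replicas:
            replica[name] = copy

    def revert(self, name: str) -> None:
        """Integrity: reverse the most recent change by restoring the version
        kept in history to every replica."""
        previous = self.history[name].pop()
        for replica in self.replicas:
            replica[name] = previous

    # Failure simulations, used only to exercise the controls above.
    def simulate_modification(self, index: int, name: str, new_data: bytes) -> None:
        """Model an unauthorized change on one copy: data altered, stored digest not."""
        _, old_digest = self.replicas[index][name]
        self.replicas[index][name] = (new_data, old_digest)

    def simulate_loss(self, index: int) -> None:
        """Model a lost disk or failed node: that replica's contents disappear."""
        self.replicas[index].clear()

    def _intact(self, replica: dict, name: str) -> bool:
        entry = replica.get(name)
        return entry is not None and digest(entry[0]) == entry[1]

    def _first_intact_copy(self, name: str):
        for replica in self.replicas:
            if self._intact(replica, name):
                return replica[name]
        return None


if __name__ == "__main__":
    store = RecordStore(replicas=2)
    store.write("lab_results", b"HbA1c: 5.4%", readers={"dr_lee", "patient_42"})
    store.simulate_modification(0, "lab_results", b"HbA1c: 9.9%")
    print("integrity per replica:", store.verify("lab_results"))  # [False, True]
    print("dr_lee reads:", store.read("lab_results", "dr_lee"))   # the intact copy
    try:
        store.read("lab_results", "visitor")
    except PermissionError as e:
        print("blocked:", e)
```

The digest only detects modification; it does not prevent it, which is why the slide pairs it with access control, and why the store keeps a second copy and a history so that a detected change can actually be recovered from. A stored digest also only helps if the attacker cannot rewrite it along with the data; the next slides on authenticity address that with a keyed tag or signature.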
The Parkerian Hexad
The Parkerian Hexad
• The CIA model is simple and does not explore the human element in security.
• The Parkerian Hexad adds possession, authenticity, and utility along with CIA to
consider six essential security attributes.
The Parkerian Hexad: Possession (control)
• Data or information can be on multiple devices in multiple versions,
e.g., encrypted vs. non-encrypted.
• We must have possession or control of those devices.
• A possession problem does not necessarily include a confidentiality problem.
• An unauthorized person can possess confidential information without
a confidentiality breach.
• Can you think of an example?
The Parkerian Hexad: Possession
Possession or control refers to possessing the medium on which the data in question
is stored.
This can be a portable device with integrated storage such as a laptop, phone or
tablet, but can also be a standalone storage device such as a CD, USB thumb drive,
SSD/hard drive, or any other physical data storage medium.
The threat of possession refers to the issue of physical possession but does not
necessarily imply access to any data on that device.
Example: suppose you lost your laptop that has encrypted files protected by a
password. An individual who finds your laptop would have possession of the laptop
but would not be able to access it without the password.
The Parkerian Hexad: Possession
Example: FBI v. Apple iPhone encryption case, related to the San Bernardino shooting
incident (2015).
The Parkerian Hexad: Authenticity
Authenticity is about the creator or owner of the data/information in question.
• The data in question may not have been modified, but who is the creator or sender?
• We can use digital signatures to ensure authenticity.
Example: If an attacker changes the originator/creator of an email to a different one,
it violates authenticity.
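The e-mail example above, worked through as an added illustration that is not from the course slides. The Python standard library has no public-key signature primitive, so this uses an HMAC (a keyed tag over the sender field, subject and body) in place of the digital signature the slide mentions; the check it demonstrates is the same: a tag produced by the real sender stops verifying once the originator field is rewritten. The key, addresses and message text are constructed sample values.

```python
"""Added illustration (not from the course slides): an authenticity check on an
e-mail-like message using an HMAC as a stand-in for a digital signature.
Key, addresses and text are constructed sample values."""
import hashlib
import hmac
import json


def canonical_bytes(sender: str, subject: str, body: str) -> bytes:
    """Fixed encoding of the protected fields, so sender and receiver tag
    exactly the same bytes (field order, spacing and escaping all pinned)."""
    fields = {"from": sender, "subject": subject, "body": body}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag_message(key: bytes, sender: str, subject: str, body: str) -> str:
    """Sender side: compute the authenticity tag over the protected fields."""
    return hmac.new(key, canonical_bytes(sender, subject, body), hashlib.sha256).hexdigest()


def verify_message(key: bytes, message: dict) -> bool:
    """Receiver side: recompute the tag from the fields as received and compare
    in constant time. Any change to 'from' (or subject/body) yields False."""
    expected = tag_message(key, message["from"], message["subject"], message["body"])
    return hmac.compare_digest(expected, message["tag"])


def demo() -> dict:
    """Tag a genuine message, then check two tampered copies of it."""
    key = b"constructed-shared-key-for-the-example"
    original = {
        "from": "alice@example.com",
        "subject": "Invoice 17",
        "body": "Please approve invoice 17 by Friday.",
    }
    original["tag"] = tag_message(key, original["from"], original["subject"], original["body"])

    # Same tag, but the originator field was rewritten in transit (the slide's example).
    changed_sender = dict(original, **{"from": "ceo@example.com"})
    # Same originator and tag, but the body was changed (an integrity failure too).
    changed_body = dict(original, body="Please approve invoice 17 and pay it today.")

    return {
        "genuine": verify_message(key, original),
        "changed_sender": verify_message(key, changed_sender),
        "changed_body": verify_message(key, changed_body),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'verified' if ok else 'REJECTED'}")
```

Because the HMAC key is shared, the tag only proves that someone holding that key produced the message; a true digital signature, made with a private key only the sender holds, additionally lets a third party attribute the message to that sender, which is what the slide's "digital signatures" refers to.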
The Parkerian Hexad: Utility
Utility refers to the usefulness of the data in question.
Utility is not binary in nature; rather, there can be a degree of utility.
Example:
In the earlier example of the shipment of USB drives to your collaborator (integrity
violation), if the USB drive was encrypted, it would not have been useful to an intruder.
Reference material and helpful resources
[1] https://www.electric.ai/blog/recent-big-company-data-breaches
[2] https://winpure.com/blog/what-is-the-difference-between-data-and-information/
[3] https://cryptiot.de/iot/security/security-solution-iot-com-protocol/
[4] https://empmonitor.com/blog/how-to-balance-your-productivity-and-security-skillfully-in-your-business/
[5] https://www.packetlabs.net/cybersecurity-statistics-2021/
[6] https://eng.libretexts.org/Courses/Delta_College/Information_Security/01%3A_Information_Security_Defined/1.4_Attacks_-_Types_of_Attacks
[7] https://www.pcmag.com/how-to/what-are-zero-day-exploits-and-attacks
[8] https://www.foxnews.com/us/top-five-cybercrimes-watch-out-for-2023.amp
[9] https://oipc.sk.ca/privacy-versus-confidentiality/