Basic of Infosec

INFORMATION SECURITY AND PRIVACY
DATA AND INFORMATION
 Data – raw facts:
alphanumeric, image, audio, video
 Information - a collection of facts organized in
such a way that they have an additional value
beyond the value of the facts themselves
 Information security - protection of crucial
information, including the hardware and software
that use, store, and transmit it.
THREAT AND VULNERABILITY
 Threat - a possible event that can damage or
harm your information system
 Vulnerability - a weakness of the system. It is the
degree of exposure in view of a threat
INFORMATION SECURITY
 Information Security is not only about securing
information from unauthorized access.
 Information Security is basically the practice of
preventing unauthorized access, use, disclosure,
disruption, modification, inspection, recording or
destruction of information.
 Information can be physical or electronic.
Information can be anything, such as your details or
your profile on social media, your data on a
mobile phone, your biometrics etc.
 Thus Information Security spans so many research
areas like Cryptography, Mobile Computing, Cyber
Forensics, Online Social Media etc.
CONTINUE..
 During the First World War, a multi-tier
classification system was developed keeping in mind
the sensitivity of information. With the beginning of
the Second World War, formal alignment of the
classification system was done. Alan Turing was
the one who successfully decrypted the Enigma
machine, which was used by the Germans to encrypt
warfare data.
PRINCIPLE OF INFORMATION SYSTEM
SECURITY
 Information System Security or INFOSEC refers
to the process of providing protection to the
computers, networks and the associated data.
 With the advent of technology, the more
information is stored over wide networks, the
more crucial it gets to protect it from
unauthorized parties who might misuse it.
 Every organisation has data sets that contain
confidential information about its activities.
 Information Security programs are built around
3 objectives, commonly known as CIA –
Confidentiality, Integrity, Availability.
CONTINUE..
CONFIDENTIALITY
 Confidentiality – means information is not
disclosed to unauthorized individuals, entities
and processes. For example, say I have a
password for my Gmail account but someone saw it
while I was logging in to my Gmail account. In
that case my password has been compromised
and Confidentiality has been breached.
INTEGRITY
 Integrity – means maintaining accuracy and
completeness of data. This means data cannot be
edited in an unauthorized way. For example if an
employee leaves an organisation then in that
case data for that employee in all departments
like accounts, should be updated to reflect status
to JOB LEFT so that data is complete and
accurate and in addition to this only authorized
person should be allowed to edit employee data.
AVAILABILITY
 Availability – means information must be
available when needed. For example, if one needs
to access information of a particular employee to
check whether the employee has exceeded the
number of leaves, it requires
collaboration from different organizational teams
like network operations, development operations,
incident response and policy/change
management.
OTHER PRINCIPLE
 Non repudiation – means one party cannot deny
receiving a message or a transaction nor can the
other party deny sending a message or a
transaction.
 For example, in cryptography it is sufficient to
show that the message matches the digital signature
signed with the sender’s private key, and that the
sender could have sent the message and nobody else
could have altered it in transit.
 Data Integrity and Authenticity are
prerequisites for Non repudiation.
CONTINUE..
 Authenticity – means verifying that users are
who they say they are and that each input
arriving at destination is from a trusted source.
This principle if followed guarantees the valid
and genuine message received from a trusted
source through a valid transmission.
CONTINUE..
 For example, taking the above example, the sender
sends the message along with a digital signature which
was generated using the hash value of the message
and the private key. At the receiver side this
digital signature is decrypted using the public
key, generating a hash value, and the message is
hashed again to generate a second hash value. If the 2
values match then it is known as a valid
transmission, with the authentic or, we say,
genuine message received at the recipient side.
QUESTIONS
Which Of The Following Is An Independent
Malicious Program That Does Not Need Any Host
Program?
 Trap Doors

 Trojan Horse

 Virus

 Worm
BALANCING INFORMATION SECURITY AND
ACCESS:
 It is the sole purpose of the organization to
protect the interests of the users and to provide
them with the appropriate amount of information
whenever necessary.
 Also, at the same time, it is necessary to provide
adequate security to the information so that not
just anyone can access it.
 The need for maintaining the perfect balance of
information security and accessibility arises from
the fact that information security can never be
absolute.
CONTINUE..
 It would be harmful to provide free access to a
piece of information and it would be hard to
restrict any accessibility.
 So, one needs to make sure that the exact
required balance is maintained so that both the
users and the security professionals are happy.
WHY INFORMATION SECURITY
 Fast growth of internet
 Commercialization of internet

 Legal aspects

 Theft of confidential data

 Financial frauds

 Use of IT across business

 Increased rate of cyber crimes


SOME GOOD HABITS
 Always use official software
 Keep all software updated
 Don’t disclose all of your information on the
social media sites
 Take care while discarding your waste material
 If using free software, then always download it
from original site
 Use email properly
 Use strong firewall programs
 Install up-to-date antivirus
 Use strong passwords
 Backup of crucial data
QUESTIONS
The First Phase Of Hacking An IT System Is
Compromise Of Which Foundation Of Security?
 Availability

 Confidentiality

 Integrity

 Authentication
CONCLUSION
 At the core of Information Security is
Information Assurance, which means the act of
maintaining CIA of information, ensuring that
information is not compromised in any way when
critical issues arise. These issues are not limited
to natural disasters, computer/server
malfunctions etc.
 Thus, the field of information security has grown
and evolved significantly in recent years. It offers
many areas for specialization, including securing
networks and allied infrastructure, securing
applications and databases, security testing,
information systems auditing, business
continuity planning etc.
REASONS WHY INFORMATION SYSTEMS
ARE IMPORTANT FOR BUSINESS TODAY
 Running a successful business calls for proper
management of financial and organizational data
and statistics with quality information systems.
 Almost every company has experienced a
drastically slowed workflow because of data
problems related to reliability and accuracy.
 It’s true that there is no substitute for right
information at the right time in the business
world.
CONTINUE..
 This prompted the development of systems that
can be used to make the information accurate,
readily available, and easily accessible.
 With the effectiveness of information systems, an
organization can have better decision-making,
better planning, and ultimately better results.
QUESTIONS
Why Would A Hacker Use A Proxy Server?
 To Create A Stronger Connection With The
Target.
 To Create A Ghost Server On The Network.

 To Hide Malicious Activity On The Network

 To Obtain A Remote Access Connection.


HOW DO INFORMATION SYSTEMS
INFLUENCE MODERN BUSINESS?
 In today’s continuously changing and fast moving
world, where customers’ requirements and
preferences are always evolving, the only
businesses that can hope to remain competitive
and continue to function at the performance
levels that can match their customers’
expectations are those that are going to embrace
innovation.
 In the recent past, any business success has been
pegged on the information technology quality
that the business has employed and the
capability to correctly use such information.
CONTINUE..
 The importance of information systems (IS) has
increased dramatically, and most businesses
have been prompted to introduce them to keep their
competitive edge. Today, nobody can envisage a
business without an effective information system.
 Introducing an information system to a
business can bring numerous benefits and assist
in the way the business handles the external and
internal processes that it encounters
daily, and in decision making for the future.
 Some of the benefits of an information system
include:
QUESTION
Which Of The Following Is Not A Factor In
Securing The Environment Against An Attack On
Security?
 The System Configuration

 The Business Strategy Of The Company

 The Education Of The Attacker

 The Network Architecture


NEW PRODUCTS AND SERVICES
 Any company looking to improve and secure the
future has to establish a broader perspective with the
use of a well-designed and coordinated information
system.
 The IS makes it easier to analyze independent
processes such as information to produce valuable
products or services and organized work activities.
 Therefore, an IS can give a company the competitive
advantage by analyzing how the company creates,
produces, and sells its products or services.
 This means that the focus will be put on the main
goal ahead.
INFORMATION STORAGE
 Every organization needs records of its activities
to find the cause of problems and proper
solutions.
 Information systems come in handy when it
comes to storing operational data,
communication records, documents, and revision
histories.
 Manual data storage will cost the company lots of
time, especially when it comes to searching for
specific data.
CONTINUE..
 A quality information system stores data in a
comprehensive and sophisticated database which
makes the process of finding it convenient.
 With such information, a company can analyze
how certain actions affected the business as well
as prepare cost estimates and forecasts.
EASIER DECISION MAKING
 Without an information system, a company can
take a lot of time and energy in the decision
making process.
 However, with the use of IS, it’s easier to deliver
all the necessary information and model the
results and this can help you make better
decisions.
 The management team can use the information
system to choose the best course of action and
carry out the tasks.
CONTINUE..
 When there are several appealing alternatives,
the information system can be used to run
different scenarios by calculating key indicators
such as costs, sales, and profits.
 This way, you can determine the alternative with
the most beneficial results.
BEHAVIORAL CHANGE
 Employers and employees can communicate
rapidly and more effectively with an information
system.
 While emails are quick and effective, the use of
Information systems is more efficient since
documents are stored in folders that can be
shared and accessed by employees.
 This implies that information flows from the
management to lower-level employees and vice
versa.
CONTINUE..
 Also, the lower-level employees get enlightened
and involved in important decision making, and
this eliminates the need for middle managers.
 Employees who are directly involved in the
decision-making process are motivated and
dedicated to their tasks.
QUESTION
Firewalls are to protect against
 Virus Attacks

 Fire Attacks

 Data Driven Attacks

 Unauthorized Attacks
IMPORTANCE OF INFORMATION SYSTEMS
 To gain the maximum benefits from your
company's information system, you have to
exploit all its capacities.
 Information systems gain their importance by
processing the data from company inputs to
generate information that is useful for managing
your operations.
 To increase the information system's
effectiveness, you can either add more data to
make the information more accurate or use the
information in new ways.
1. BUSINESS COMMUNICATION SYSTEMS
 Part of management is gathering and distributing
information, and information systems can make this
process more efficient by allowing managers to
communicate rapidly.
 Email is quick and effective, but managers can use
information systems even more efficiently by storing
documents in folders that they share with the
employees who need the information. This type of
communication lets employees collaborate in a
systematic way.
 Each employee can communicate additional
information by making changes that the system
tracks. The manager collects the inputs and sends the
newly revised document to his target audience.
2. BUSINESS OPERATIONS MANAGEMENT
 How you manage your company's operations
depends on the information you have.
Information systems can offer more complete and
more recent information, allowing you to operate
your company more efficiently.
 You can use information systems to gain a cost
advantage over competitors or to differentiate
yourself by offering better customer service. Sales
data give you insights about what customers are
buying and let you stock or produce items that
are selling well.
 With guidance from the information system, you
can streamline your operations.
3. COMPANY DECISION-MAKING
 The company information system can help you
make better decisions by delivering all the
information you need and by modeling the results
of your decisions.
 A decision involves choosing a course of action
from several alternatives and carrying out the
corresponding tasks.
 When you have accurate, up-to-date information,
you can make the choice with confidence.
CONTINUE..
 If more than one choice looks appealing, you can
use the information system to run different
scenarios.
 For each possibility, the system can calculate key
indicators such as sales, costs and profits to help
you determine which alternative gives the most
beneficial result.
QUESTION
What is called periodic assessment of security
vulnerability in computer system?
 A : Threat

 B : Attack

 C : Hacking

 D : Security audit
4. COMPANY RECORD-KEEPING
 Your company needs records of its activities for
financial and regulatory purposes as well as for
finding the causes of problems and taking corrective
action.
 The information system stores documents and
revision histories, communication records and
operational data.
 The trick to exploiting this recording capability is
organizing the data and using the system to process
and present it as useful historical information.
 You can use such information to prepare cost
estimates and forecasts and to analyze how your
actions affected the key company indicators.
WHY SECURITY?
 Cyberspace (internet, work environment,
intranet) is becoming a dangerous place for all
organizations and individuals to protect their
sensitive data or reputation. This is because of
the numerous people and machines accessing it.
 It is important to mention that recent studies
have shown a big danger is coming from internal
threats or from disappointed employees, as in the
Edward Snowden case. Another internal threat is
that information material can be easily accessible
over the intranet.
CONTINUE..
 One important indicator is that the IT skills
needed by a person who wants to hack or to breach
your security have decreased, but the success rate
has increased. This is because of three main
factors:
 Hacking tools that can be found very easily by
everyone just by googling, and they are endless.
 Technology available to end-users has improved rapidly
within these years, like internet bandwidth and
computer processing speeds.
 Access to hacking information manuals.
SECURITY BREACH
WHAT IS COMPUTER SECURITY?
 Computer security basically is the protection of
computer systems and information from harm,
theft, and unauthorized use. It is the process of
preventing and detecting unauthorized use of
your computer system.
 There are various types of computer security
which are widely used to protect the valuable
information of an organization.
WHAT TO SECURE?
 Consider this case: you are an IT administrator in
a small company with two small servers
sitting in a corner, and you are very good at your
job. You do updates regularly, set up
firewalls, antivirus, etc. One day, you see that
the organization's employees are not accessing the
systems anymore. When you go and check, you
see the cleaning lady doing her job; by
mistake, she had removed the power cable and
unplugged the server.
 This case indicates that even physical security is
important in computer security, although most of us
think it is the last thing to take care of.
QUESTION
What is called a single point of access for several
networking services?
 A : Phishing

 B : Web service

 C : Directory service

 D : Worms
WHAT ALL TO SECURE?
 First of all, check the physical security by
setting up control systems like motion alarms, door
access systems, humidity sensors, and
temperature sensors. All these components
decrease the possibility of a computer being stolen
or damaged by humans or the environment itself.
 People having access to computer systems should
have their own user id with password protection.
 Monitors should be screen saver protected to hide
the information from being displayed when the
user is away or inactive.
CONTINUE..
 Secure your network, especially wireless;
passwords should be used.
 Internet equipment such as routers should be
protected with a password.
 Data that you store, whether financial or
non-financial, should be protected by encryption.
 Information should be protected in all forms of its
representation in transmission by encrypting it.
QUESTION
To Hide Information Inside A Picture, What
Technology Is Used?
 Rootkits

 Bitmapping

 Steganography

 Image Rendering
APPROACHES TO INFORMATION SECURITY
IMPLEMENTATION
 Information security, or infosec, refers to data
security — one component of a larger
cybersecurity plan that takes proactive steps to
protect data. Key areas of an infosec program
include controlling who can access what data,
what level of access each authorized person is
given, employee training, and accommodations
for your specific data needs.
 An infosec program is necessary for any company
responsible for managing personal or client data,
including healthcare facilities, financial
institutions, utility businesses, property
managers, and schools. In some countries and
industries, data protection is legally required.
CONTINUE..
 Implementing the security model is an
important phase in keeping data safe from
potential violations and cyber-attacks. To
ensure its integrity, the security model can be
designed using two methods:
1. BOTTOM-UP APPROACH:
 The company’s security model is applied by
system administrators or people who are working
in network security or as cyber-engineers.
 The main idea behind this approach is for
individuals working in this field of information
systems to use their knowledge and experience in
cybersecurity to guarantee the design of a highly
secure information security model.
CONTINUE..
Key Advantages –
 An individual’s technical expertise in their field
ensures that every system vulnerability is
addressed and that the security model is able to
counter any potential threats possible.
Disadvantage –
 Due to the lack of cooperation between senior
managers and relevant directives, it is often not
suitable for the requirements and strategies of
the organisation.
2. TOP-DOWN APPROACH:
 This type of approach is initiated
by the executives of the organization.
 They formulate policies and outline the procedures to
be followed.
 Determine the project’s priorities and expected
results
 Determine liability for every action needed
 It is more likely to succeed. That strategy usually
provides strong support from top management by
committing resources, a consistent preparation
and execution mechanism and opportunities to
affect corporate culture.
CONTINUE..
 Security management issues have been handled
by organizations in various ways.
 Traditionally, companies adopted a bottom-up
approach, where the process is initiated by
operational employees and their results are
subsequently propagated to upper management
as per the proposed policies.
 Since management has no information about the
threat, the effects, the idea of resources, possible
returns, and the security method, this approach
has occasionally created a sudden and violent
collapse.
CONTINUE..
 On the contrary, the top-down approach is a
highly successful reverse view of the whole issue.
 Management understands the gravity and starts
the process, which is subsequently collected
systematically from cyber engineers and
operating personnel.
QUESTION
Performing Hacking Activities With The Intent On
Gaining Visibility For An Unfair Situation Is
Called
 Cracking

 Analysis

 Hacktivism

 Exploitation
SECURITY SERVICES:
 A processing or communication service that enhances
the security of the data processing systems and the
information transfers of an organization.
 These services are intended to counter security
attacks, and they make use of one or more security
mechanisms to provide the service.
 The basic security services are
confidentiality, integrity, authentication, source
authentication, authorization and non-repudiation.
 A range of cryptographic and non-cryptographic tools
may be used to support these services. While a single
cryptographic mechanism could provide more than
one service, it cannot provide all services.
CONTINUE..
What Is The Most Important Activity In System
Hacking?
 Information Gathering

 Cracking Passwords

 Escalating Privileges

 Covering Tracks
1. CONFIDENTIALITY
 When preventing disclosure of information to
unauthorized parties is needed, the property of
confidentiality is required.
 Cryptography is used to encrypt the information
to make it unintelligible to everyone but those
who are authorized to view it.
 To provide confidentiality, the cryptographic
algorithm and mode of operation need to be
designed and implemented in such a way that an
unauthorized party will be unable to determine
the keys that have been associated with the
encryption or have the ability to derive the
information without using the correct keys.
2. DATA INTEGRITY
 Data integrity provides assurance that data has
not been modified in an unauthorized manner
after it was created, transmitted, or stored.
 This means that there has been no insertion,
deletion or substitution done with the data.
 Digital signatures or message authentication
codes are cryptographic mechanisms that can be
used to detect both accidental modifications that
might occur because of hardware failure or
transmission issues and deliberate modifications
that might be performed by an adversary.
3. AUTHENTICATION
 Cryptography can provide two types of
authentication services:
 Integrity authentication can be used to verify
that non-modification has occurred to the data.
 Source authentication can be used to verify the
identity of who created the information, such as
the user or system.
 Digital signatures or message authentication
codes are used most often to provide
authentication services.
 Key-agreement techniques might also be used to
provide this service.
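The distinction drawn in the Data Integrity and Authentication slides above, as an added example that is not part of the original slides: an unkeyed hash catches accidental damage, while a message authentication code also catches a deliberate rewrite because only key holders can produce a valid tag. The record contents and key handling are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Shared secret held only by the legitimate sender and receiver (constructed).
KEY = secrets.token_bytes(32)


def plain_digest(data: bytes) -> bytes:
    """Unkeyed hash: anyone who can read the data can compute it."""
    return hashlib.sha256(data).digest()


def make_tag(key: bytes, data: bytes) -> bytes:
    """Message authentication code: computable only with the shared key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def tag_is_valid(key: bytes, data: bytes, tag: bytes) -> bool:
    """Constant-time comparison avoids leaking how many bytes matched."""
    return hmac.compare_digest(make_tag(key, data), tag)


def flip_bit(data: bytes, byte_index: int) -> bytes:
    """Simulate a transmission or hardware fault that flips one bit."""
    damaged = bytearray(data)
    damaged[byte_index] ^= 0x01
    return bytes(damaged)


def demo() -> dict:
    record = b"employee=1042;status=ACTIVE"         # constructed sample record
    stored_digest = plain_digest(record)
    stored_tag = make_tag(KEY, record)

    # Accidental modification: one bit flips, digest and tag travel unchanged.
    damaged = flip_bit(record, 9)

    # Deliberate modification: whoever rewrites the record can also replace
    # the accompanying check value, but does not hold KEY.
    rewritten = b"employee=1042;status=JOB LEFT"
    replaced_digest = plain_digest(rewritten)
    replaced_tag = make_tag(b"not-the-shared-key", rewritten)

    return {
        "hash_detects_accident": plain_digest(damaged) != stored_digest,
        "hash_detects_rewrite": plain_digest(rewritten) != replaced_digest,
        "mac_detects_accident": not tag_is_valid(KEY, damaged, stored_tag),
        "mac_detects_rewrite": not tag_is_valid(KEY, rewritten, replaced_tag),
        "mac_accepts_original": tag_is_valid(KEY, record, stored_tag),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```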
4. AUTHORIZATION
 Authorization provides permission to perform a
security function or activity.
 This security service is often supported by a
cryptographic service.
 Authorization is generally granted after the
successful execution of a source authentication
service.
5. NON-REPUDIATION
 In key management, the term non-repudiation
refers to the binding of a certificate subject
through the use of digital signature keys and
digital certificates to a public key.
 When non-repudiation is required for a digital
signature key, it means that the signature that
has been created by that key has the support of
both the integrity and source authentication
services of a digital signature.
CONTINUE..
 The digital signature may also indicate a
commitment by way of the certificate subject in
the same manner that a document with a
handwritten signature would.
 However, there are many aspects to be considered
in making a legal decision regarding
non-repudiation, and this cryptographic mechanism is
considered only one element to be used in that
decision.
6. SUPPORT SERVICES
 Supporting services are often required for the
above basic cryptographic security services.
 As an example, a cryptographic service will often
require services for key establishment and
random number generation as well as protection
of the cryptographic keys themselves.
QUESTION
Phishing is a form of
 Impersonation

 Spamming

 Identity Theft

 Scanning
7. COMBINING SERVICES
 Combination of the above six security services is
strongly advised.
 When designing a secure system, designers
usually begin by determining which security
systems are required to protect the information
that will be contained and processed by the
system.
 Once the services have been determined, the
mechanisms that will best provide these services
are considered.
8. MANAGING THE KEYS
 The correct management of cryptographic keys is
essential to the level of security that might be
achieved in a system through cryptography. This
achievable security depends on various factors
such as the architecture of the cryptographic
system or the applied mix of mechanisms and
their intrinsic robustness against attacks.
INFORMATION SECURITY POLICY
 An Information Security Policy (ISP) is a set of
rules that guide individuals when using IT
assets. Companies can create information
security policies to ensure that employees and
other users follow security protocols and
procedures. Security policies are intended to
ensure that only authorized users can access
sensitive systems and information.
 Creating an effective security policy and taking
steps to ensure compliance is an important step
towards preventing and mitigating security
threats.
CONTINUE..
 To make your policy truly effective, update it
frequently based on company changes, new
threats, conclusions drawn from previous
breaches, and changes to security systems and
tools.
 Make your information security strategy
practical and reasonable. To meet the needs and
urgency of different departments within the
organization, it is necessary to deploy a system of
exceptions, with an approval process, enabling
departments or individuals to deviate from the
rules in specific circumstances.
INFORMATION SECURITY THREATS
 There are hundreds of categories of information
security threats and millions of known threat
vectors. Below are some of the key threats that
are a priority for security teams at modern
enterprises.
1. UNSECURE OR POORLY SECURED
SYSTEMS
 The speed of technological development often
leads to compromises in security measures. In
other cases, systems are developed without
security in mind, and remain in operation at an
organization as legacy systems. Organizations
must identify these poorly secured systems, and
mitigate the threat by securing or patching them,
decommissioning them, or isolating them.
2. SOCIAL MEDIA ATTACKS
 Many people have social media accounts, where
they often unintentionally share a lot of
information about themselves. Attackers can
launch attacks directly via social media, for
example by spreading malware via social media
messages, or indirectly, by using information
obtained from these sites to analyze user and
organizational vulnerabilities, and use them to
design an attack.
QUESTION
The first computer virus is
 (A) The famous

 (B) HARLIE

 (C) PARAM

 (D) Creeper
3. SOCIAL ENGINEERING
 Social engineering involves attackers sending
emails and messages that trick users into
performing actions that may compromise their
security or divulge private information. Attackers
manipulate users using psychological triggers
like curiosity, urgency or fear.
 Because the source of a social engineering
message appears to be trusted, people are more
likely to comply, for example by clicking a link
that installs malware on their device, or by
providing personal information, credentials, or
financial details.
CONTINUE..
 Organizations can mitigate social engineering by
making users aware of its dangers and training
them to identify and avoid suspected social
engineering messages. In addition, technological
systems can be used to block social engineering
at its source, or prevent users from performing
dangerous actions such as clicking on unknown
links or downloading unknown attachments.
4. MALWARE ON ENDPOINTS
 Organizational users work with a large variety of
endpoint devices, including desktop computers,
laptops, tablets, and mobile phones, many of
which are privately owned and not under the
organization’s control, and all of which connect
regularly to the Internet.
 A primary threat on all these endpoints is
malware, which can be transmitted by a variety
of means, can result in compromise of the
endpoint itself, and can also lead to privilege
escalation to other organizational systems.
CONTINUE..
 Traditional antivirus software is insufficient to
block all modern forms of malware, and more
advanced approaches to securing endpoints are
being developed, such as endpoint detection and
response (EDR).
5. LACK OF ENCRYPTION
 Encryption processes encode data so that it can
only be decoded by users with secret keys. It is
very effective in preventing data loss or
corruption in case of equipment loss or theft, or
in case organizational systems are compromised
by attackers.
 Unfortunately, this measure is often overlooked
due to its complexity and lack of legal obligations
associated with proper implementation.
Organizations are increasingly adopting
encryption, by purchasing storage devices or
using cloud services that support encryption, or
using dedicated security tools.
QUESTION
The first PC virus was developed in
 (A) 1980

 (B) 1986

 (C) 1988

 (D) 1999
6. SECURITY MISCONFIGURATION
 Modern organizations use a huge number of
technological platforms and tools, in particular
web applications, databases, and Software as a
Service (SaaS) applications, or Infrastructure as
a Service (IaaS) from providers like Amazon Web
Services.
 Enterprise grade platforms and cloud services
have security features, but these must be
configured by the organization.
CONTINUE..
 Security misconfiguration due to negligence or
human error can result in a security breach.
Another problem is “configuration drift”, where
correct security configuration can quickly become
out of date and make a system vulnerable,
unbeknownst to IT or security staff.
 Organizations can mitigate security
misconfiguration using technological platforms
that continuously monitor systems, identify
configuration gaps, and alert or even
automatically remediate configuration issues
that make systems vulnerable.
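A sketch of the drift monitoring described above, as an added example that is not part of the original slides. The setting names, the baseline and the snapshot are hypothetical and constructed for illustration; a real deployment would read them from the platform's own configuration API.

```python
import hashlib
import json

MISSING = "<missing>"

# Approved security baseline (hypothetical setting names, constructed values).
BASELINE = {
    "storage.public_access": False,
    "storage.encryption_at_rest": True,
    "db.tls_required": True,
    "admin.mfa_required": True,
}

# Snapshot taken later: one setting changed, one removed, one added.
CURRENT = {
    "storage.public_access": True,
    "storage.encryption_at_rest": True,
    "db.tls_required": True,
    "debug.remote_console": True,
}


def fingerprint(config: dict) -> str:
    """Stable hash of a configuration, cheap to compare on every scan."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def find_drift(baseline: dict, current: dict) -> list:
    """List every setting whose value differs from the baseline, including
    settings that disappeared and settings nobody approved."""
    findings = []
    for key in sorted(baseline.keys() | current.keys()):
        expected = baseline.get(key, MISSING)
        actual = current.get(key, MISSING)
        if expected != actual:
            findings.append({"setting": key, "expected": expected, "actual": actual})
    return findings


def remediate(baseline: dict, current: dict):
    """Reset baseline-governed settings automatically; settings outside the
    baseline are left untouched and returned for human review."""
    fixed = {**current, **baseline}
    needs_review = sorted(current.keys() - baseline.keys())
    return fixed, needs_review


def scan(baseline: dict, current: dict) -> dict:
    """One monitoring pass: skip the detailed diff when fingerprints match."""
    if fingerprint(baseline) == fingerprint(current):
        return {"drifted": False, "findings": [], "needs_review": []}
    fixed, needs_review = remediate(baseline, current)
    return {
        "drifted": True,
        "findings": find_drift(baseline, current),
        "needs_review": needs_review,
        "after_remediation": find_drift(baseline, fixed),
    }


if __name__ == "__main__":
    print(json.dumps(scan(BASELINE, CURRENT), indent=2))
```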
