1-Basic Terminologies

The document discusses the importance of information security in the context of electronic connectivity, highlighting various threats such as hacking and data breaches. It outlines essential security principles including confidentiality, integrity, authentication, access control, and availability, emphasizing the need for protective measures during data transmission. Additionally, it categorizes attacks into active and passive types, detailing their impacts on system assets.

Uploaded by luciwings75

Information Security

Introduction
This is the age of universal electronic connectivity, where activities like hacking, viruses,
and electronic fraud are very common. Unless security measures are taken, a network
conversation or a distributed application can be compromised easily. Some simple examples
are:
• Online purchases using a credit/debit card.
• A customer unknowingly being directed to a false website.
• A hacker sending a message to a person pretending to be someone
Network security measures are needed to protect data during transmission. But keep
in mind that it is the information, and our ability to access that information, that we
are really trying to protect, not the computers and networks.
Threats/Attack
A threat is an object, person, or other entity that represents a constant danger to an asset.
The 2022 CSI survey:
• Average annual loss: $4.35 million
• 1/5 suffered a 'targeted attack'
Computer Security - generic name for the collection of tools designed to protect data and to
thwart hackers.
Network Security - measures to protect data during their transmission.
Internet Security - measures to protect data during their transmission over a collection of
interconnected networks. It consists of measures to deter, prevent, detect, and correct
security violations that involve the transmission and storage of information.
These attacks are of two types:
Active
It is an attempt to modify, destroy or disrupt network or system resources.

Passive
It is an attempt to steal or monitor sensitive data.
Interruption
An asset of the system is destroyed or becomes unavailable or unusable. It is an attack on
availability.
• Destruction of some hardware
• Jamming wireless signals
Interception
An unauthorized party gains access to an asset. It is an attack on confidentiality.
• Wiretapping to capture data in a network
• Illicitly copying data or programs
Fabrication
An unauthorized party gains access to an asset and tampers with it. It is an attack on integrity.
• Changing a data file
• A self-created message is transferred
Modification
An unauthorized party inserts a counterfeit object into the system. It is an attack on authenticity.
Also called impersonation.
• Hackers gaining access to a personal email and sending messages
• Insertion of records in data files
Essential Network and Computer Security Requirements and Services (Principles of
Security)

Confidentiality:
The principle of confidentiality specifies that only the sender and the intended recipient
should be able to access the content of the message. A loss of confidentiality is the
unauthorized disclosure of information.
Student grade information is an asset whose confidentiality is considered to be highly
important by students. In the United States, the release of such information is regulated by the
Family Educational Rights and Privacy Act (FERPA). Grade information should only be
available to students, their parents, and employees that require the information to do their job.
Integrity:
The confidential information sent by A to B is not accessed by C without the
permission or knowledge of A and B. A loss of integrity is the unauthorized modification or
destruction of information. Integrity is the assurance that data received are exactly as sent by an
authorized entity (i.e., contain no modification, insertion, deletion, or replay).
Several aspects of integrity are illustrated by the example of a hospital patient’s allergy
information stored in a database. The doctor should be able to trust that the information is
correct and current. Now suppose that an employee (e.g., a nurse) who is authorized to view
and update this information deliberately falsifies the data to cause harm to the hospital. The
database needs to be restored to a trusted basis quickly, and it should be possible to trace the
error back to the person responsible. Patient allergy information is an example of an asset
with a high requirement for integrity. Inaccurate information could result in serious harm or
death to a patient and expose the hospital to massive liability.
Authentication
The mechanism helps in establishing proof of identification. This means verifying that users
are who they say they are and that each input arriving at the system came from a trusted
source.
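An added example, not part of the original notes: a minimal Python sketch of how a receiver B can check the integrity and authentication properties described above for messages from A, detecting modification, insertion, deletion and replay. The pre-shared key, the frame layout (8-byte sequence number, payload, HMAC-SHA256 tag) and all names and sample messages are assumptions constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key-shared-by-A-and-B"  # assumption: pre-shared secret

def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender A: prefix an 8-byte sequence number, append an HMAC-SHA256 tag."""
    body = seq.to_bytes(8, "big") + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    """Receiver B: accepts a frame only if the tag verifies and the
    sequence number is exactly the next one expected."""
    def __init__(self, key: bytes):
        self.key = key
        self.expected = 0

    def accept(self, frame: bytes) -> str:
        if len(frame) < 8 + 32:
            return "rejected: malformed"
        body, tag = frame[:-32], frame[-32:]
        good = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):  # constant-time comparison
            return "rejected: modified or not from key holder"
        seq = int.from_bytes(body[:8], "big")
        if seq < self.expected:
            return "rejected: replay"
        if seq > self.expected:
            return "rejected: gap (message deleted or reordered)"
        self.expected += 1
        return "accepted: " + body[8:].decode()

def demo() -> list:
    b = Receiver(KEY)
    m0 = protect(KEY, 0, b"allergy=penicillin")      # constructed sample data
    m1 = protect(KEY, 1, b"allergy=latex")
    m2 = protect(KEY, 2, b"allergy=none")
    tampered = m1[:8] + b"allergy=NONE!" + m1[-32:]  # payload changed, old tag kept
    forged = protect(b"not-the-shared-key", 1, b"allergy=none")  # inserted frame
    return [
        b.accept(m0),        # genuine, in order
        b.accept(tampered),  # modification
        b.accept(forged),    # insertion by a party without the key
        b.accept(m0),        # replay of an old frame
        b.accept(m2),        # m1 has not arrived: deletion shows as a gap
        b.accept(m1),        # the expected frame arrives
    ]

if __name__ == "__main__":
    for line in demo():
        print(line)
```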
Access control
Access control specifies and controls who can access what. Access control is lost when an
unauthorized user can access the data. Access control is the ability to limit and control the
access to host systems and applications via communications links.
Availability:
It means that assets are accessible to authorized parties at appropriate times. A loss of
availability is the disruption of access to or use of information or an information system.
The more critical a component or service, the higher the level of availability required.
Consider a system that provides authentication services for critical systems, applications, and
devices. An interruption of service results in the inability of customers to access computing
resources and of staff to access the resources they need to perform critical tasks. The loss of the
service translates into a large financial loss in lost employee productivity and potential
customer loss.