Information Security 1.intro

Uploaded by

hamza.jtt1020

1

CC3121-Information Security
Spring 2024
2
Instructor Contact Details

► Name: Sowaiba Khan


► Course Instructor: CC3121-Information Security
► Credit Hours: 3
► Designation: Lecturer
► Office Location: SDT-404
► Email: [email protected]
► Visiting Hours: Tues, Wed, Friday (10:00am-12:00pm)
3
Course Objectives

► The main objective of this course is to provide a detailed view of information security and
related topics.
► The students will learn about the technical as well as the management side of security in
computer systems.
► They will acquire knowledge about fundamental principles of security and also about practical
approaches to securing computer and network-based systems.
► Moreover, students should be able to work on cryptography, digital signatures, and security and
privacy policies, and be able to define legal aspects of information security.
4
Security Motivation Factors

► Three important motives for students to support security at the organizational level are:

► Avoiding and mitigating loss

► Avoiding negligence

► Enhancing strategic business values


5
Introduction to Information Security

“The protection of information and information systems from unauthorized access,
use, or disruption.” - NIST
“well-informed sense of assurance that the information risks and controls are in
balance.” — Jim Anderson, Inovant (2002)
6
The History of Information Security

► Began immediately following development of first mainframes


► Developed for code-breaking computations
► During World War II
► Multiple levels of security were implemented
► Physical controls
► Rudimentary
► Defending against physical theft, espionage, and sabotage
7
The 1960s

► Original communication by mailing tapes


► Advanced Research Project Agency (ARPA)
► Examined feasibility of redundant networked communications
► Larry Roberts developed ARPANET from its inception
► Plan
► Link computers
► Resource sharing
► Link 17 Computer Research Centers
► Cost 3.4M
► ARPANET is predecessor to the Internet
8
The 1970s and 80s

► ARPANET grew in popularity


► Potential for misuse grew
► Fundamental problems with ARPANET security
► Individual remote sites were not secure from unauthorized users
► Vulnerability of password structure and formats
► No safety procedures for dial-up connections to ARPANET
► Non-existent user identification and authorization to system
9
The 1970s and 80s (cont’d.)

► Rand Report R-609


► Paper that started the study of computer security
► Information Security as we know it began
► Scope of computer security grew from physical security to include:
► Safety of data
► Limiting unauthorized access to data
► Involvement of personnel from multiple levels of an organization
10
MULTICS

► Early focus of computer security research


► System called Multiplexed Information and Computing Service (MULTICS)
► First operating system created with security as its primary goal
► Mainframe, time-sharing OS developed in mid-1960s
► GE, Bell Labs, and MIT
► Several MULTICS key players created UNIX
► Late 1970s
► Microprocessor expanded computing capabilities
► Mainframe presence reduced
► Expanded security threats
11
The 1990s

► Networks of computers became more common


► Need to interconnect networks grew
► Internet became first manifestation of a global network of networks
► Initially based on de facto standards
► In early Internet deployments, security was treated as a low priority
12
2000 to Present

► Millions of computer networks communicate


► Many of the communications are unsecured
► Ability to secure a computer’s data influenced by the security of every
computer to which it is connected
► Growing threat of cyber attacks has increased the need for improved
security
13
Vulnerabilities
14
What is Security?

► “The quality or state of being secure—to be free from danger”


► A successful organization should have multiple layers of security in place:
► Physical security
► Personnel security
► Computer Security
► Operations security
► Communications security
► Network security
► Information security
15
What is Security? (cont’d.)

► The protection of information and its critical elements, including systems and
hardware that use, store, and transmit that information
► Necessary tools: policy, awareness, training, education, technology
► C.I.A. triangle
► Was standard based on confidentiality, integrity, and availability
► Now expanded into list of critical characteristics of information
16
Motivation

People have always tried to protect their property


17
Motivation (cont’d.)

Most records are now electronic:


❖ Credit cards
❖ Online banking
❖ Travel cards
❖ Video-on-demand
Coming trend: internet of things
18
Motivation (cont’d.)

► Protecting information against malicious or accidental
access plays an important role now
► A slightly more detailed look at applications:
► Banking: online banking, PIN protocols, digital cash
► Economy: mobile phones, DVD players,
Pay-per-View TV, computer games
► Military: IFF (Identification, friend or foe), secure
communication channels, weapon system codes
19
Motivation (cont’d.)

How well is information protected?

Not too well. . .


Mostly, there’s a false sense of security
20
Typical Cases of Security Lapses

► Loss of confidential data:


► 2007: HMRC loses (unencrypted) disks containing personal details of 25 million people
► 2013: Hackers access records of 40 million customers including credit card
information from Target
► 2014: Hackers steal personal records of 21 million people from the Office of Personnel
Management
► 2017: Peshawar Hacker Hacks Daewoo Bus Service Website
21
Typical Cases of Security Lapses (cont’d.)

Credit card fraud is a recurring theme, ranges from spying out PINs at ATMs to organized
stealing and trading of credit card numbers
High profile case:
• In the U.S. Albert Gonzalez and other hackers infiltrated Heartland and Hannaford
(two firms processing payments)
They stole more than 170 million credit card numbers between 2005 and 2007
This has cost Heartland approximately $140 million
22
Typical Cases of Security Lapses (cont’d.)

• In 2013 Sony’s PlayStation Network was breached
• Around 100 million customer records were stolen (including credit card numbers,
e-mail addresses, passwords)
• The company was sued worldwide
• Network had to be taken offline for three weeks
• Costs are estimated at $1.5 billion for Sony
23
Typical Cases of Security Lapses (cont’d.)

Schools and universities are also hacked:


2008: In the U.S., an 18-year-old student hacks into a high
school computer and changes grades
2005: A UCSB (University of California Santa
Barbara) student hacks into the eGrades system and
changes grades
24
Typical Cases of Security Lapses (cont’d.)

Sometimes this is more about showing off


Web site defacement seems to happen quite regularly,
targets include
the U.N.
Microsoft
Google
25
Typical Cases of Security Lapses (cont’d.)

►Denial-of-Service attacks:
► 2009: Twitter is hit by a denial-of-service attack and brought to a standstill
► Natural disasters (the cause need not be malicious): Data loss through fire,
storm, flooding
► 2005: Hurricane Katrina takes out two data centers of an aerospace company
in the U.S.; unfortunately, they backed each other up
26
Home Task

► Significant IS Breach in recent past


► Brief summary of its investigation report
27
Course Prerequisites

► Students should have a solid mathematical foundation and be familiar with
basic programming concepts and data structures.
► A basic understanding of computer networks and security is also necessary in order
to study this course.
28
Course Contents

► The following contents will be covered throughout the semester in week-wise lectures:
► Basic notions of confidentiality, integrity, availability; authentication models; protection
models; security kernels; encryption, hashing and digital signatures; audit; intrusion
detection and response; database security; host-based and network-based security issues;
operational security issues; physical security issues; personnel security; policy formation
and enforcement; access controls; information flow; legal and social issues;
identification and authentication in local and distributed systems; classification and trust
modeling; risk assessment
29
Reference Material

► Principles of Information Security, 6th edition by M. Whitman and H. Mattord
► CISSP (Certified Information System Security Professional) 4th Edition
► Computer Security: Principles and Practice, 3rd edition by William Stallings
