Basics of Information Security

Published on November 2017

By: Varun Upadhyay
Email: [email protected]

Agenda
- Introduction
- What is information security
- Goals of information security
- CIA triad
- Attack types
- Threats, vulnerabilities and risk
- Types of controls to mitigate and control risks
- Defense in depth
- Identification, authentication and authorization

What is Information Security? Information security is defined (in the U.S. FISMA statute, 44 U.S.C. § 3542) as "protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction." In a more general sense, security means protecting our assets.

Assets: computer systems, servers, databases, the data they hold, employees, etc.

The Goals of Information Security

- Confidentiality: information is seen or used only by the people (or systems) authorized to access it.

- Integrity: information cannot be altered by an unauthorized party without the change being prevented or at least detected, and changes made by authorized users are tracked. Accidental corruption counts as an integrity failure too, so the goal covers more than deliberate tampering.

- Availability: information, and the systems that serve it, are accessible when authorized users need them.
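A worked illustration of the integrity goal, added here as an example and not part of the original slides: a keyed hash (HMAC-SHA256) lets whoever holds the key detect any change to a record made by someone who does not hold it. The key, the record and the tampering below are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo key. In a real system it comes from a secrets store, never from source code.
KEY = b"example-integrity-key-not-for-production"


def make_tag(key: bytes, data: bytes) -> str:
    """Return a hex HMAC-SHA256 tag binding `data` to holders of `key`."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(key: bytes, data: bytes, tag: str) -> bool:
    """True only if `data` is byte-for-byte what `tag` was computed over.

    compare_digest runs in constant time, so a forger cannot learn how many
    leading characters of a guessed tag were correct from the response time.
    """
    return hmac.compare_digest(make_tag(key, data), tag)


def tamper_demo() -> dict:
    """Tag a record, alter it the way an unauthorized party would, and re-check it."""
    original = b"account=1234;balance=100"          # constructed record
    tag = make_tag(KEY, original)

    # An attacker without the key edits the record but cannot recompute the tag...
    tampered = original.replace(b"balance=100", b"balance=999")
    # ...and a tag made with a key they do have does not verify either.
    forged_tag = make_tag(b"attacker-guessed-key", tampered)

    return {
        "original_ok": verify(KEY, original, tag),
        "tampered_ok": verify(KEY, tampered, tag),
        "forged_ok": verify(KEY, tampered, forged_tag),
    }
```

This gives detection, not prevention: anyone who holds the key can re-tag modified data, so integrity against an insider who has the key needs a key they do not have (or a digital signature, whose verification key proves nothing about the signing key).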

CIA Triad (figure slide: Confidentiality, Integrity and Availability as the three corners of the triad)

Attack Types (figure slide)

Threats, Vulnerabilities and Risks

- Threat: something that has the potential to cause us harm, e.g. floods, earthquakes, human error, or a deliberate attacker.

- Vulnerability: a weakness or gap that a threat can exploit in order to cause us harm, e.g. a weak operating-system security policy or an unpatched website.

- Risk: the likelihood that something bad will happen. A risk exists in a particular environment only when there is both a threat and a vulnerability that the specific threat can exploit; removing either one removes that risk.

- Impact: the expected loss if a risk event actually occurs.

Types of Controls to Avoid or Mitigate Risks

- Physical controls protect the physical environment in which our systems sit or where our data is stored: fences, gates, locks, bollards, guards and cameras, but also heating and air-conditioning systems, fire suppression systems and backup power generators.

- Logical controls, sometimes called technical controls, protect the systems, networks and environments that process, transmit and store our data: passwords, encryption, logical access controls, firewalls and intrusion detection systems.

- Administrative controls are based on rules, laws, policies, procedures, guidelines and other items that are "paper" in nature.

Defense in Depth (figure slide)

The basic concept of defense in depth is a multi-layered defense that still lets us mount a successful defense when one or more of our defensive measures fail; no single control is trusted to hold on its own. For example, multifactor authentication: a stolen password is not enough by itself, because the attacker must also present the second factor.

Identification

Identification is simply an assertion of who we are: who we claim to be as a person, who a system claims to be over the network, who the originating party of an e-mail claims to be, or similar. It is important to note that identification does not extend beyond this claim and does not involve any verification or validation of the identity we claim.

Authentication and Authorization

- Authentication is, in an information security sense, the set of methods we use to establish that a claim of identity is true. For example, providing the correct password for the e-mail address being claimed.

- Authorization is the step taken after identification and authentication are complete. Once we have authenticated the party in question, authorization determines exactly what they are allowed to do. For example, whether a user may read, write or execute a file on the operating system.
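The three steps above (identification, authentication, authorization), with multifactor authentication as the defense-in-depth example from the earlier slide, as an added Python example; this is not code from the original deck. The user store, salt, roles, ACL and file path are constructed for the demo; the TOTP secret is the RFC 6238 test key so the codes can be checked against the RFC's own vectors. Password verification uses PBKDF2-HMAC-SHA256 and the second factor is a TOTP implemented per RFC 4226/6238.

```python
import hashlib
import hmac
import struct


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256); the store never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the unix time `at`."""
    return hotp(secret, max(at, 0) // step, digits)


# ---- constructed user store and policy (demo data, not a real deployment) ----
SALT = b"constructed-demo-salt"            # real systems use a random salt per user
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple", SALT),
        "totp_secret": b"12345678901234567890",   # RFC 6238 test key
        "roles": {"reader"},
    },
}
# Dummy record so an unknown username costs the same time as a real one (no username oracle).
DUMMY = {"pw_hash": hash_password("", SALT), "totp_secret": b"\x00" * 20, "roles": set()}

# Authorization policy: which roles may perform which action on which (hypothetical) file.
ACL = {"/srv/reports/q3.txt": {"read": {"reader", "editor"}, "write": {"editor"}}}


def identify(claimed_user: str) -> bool:
    """Identification: a claim of who you are. Nothing is verified here."""
    return claimed_user in USERS


def authenticate(user: str, password: str, otp: str, now: int) -> bool:
    """Authentication with two factors: something known (password) and something
    possessed (the TOTP device). Both are always evaluated, with constant-time compares."""
    rec = USERS.get(user, DUMMY)
    pw_ok = hmac.compare_digest(hash_password(password, SALT), rec["pw_hash"])
    # Accept the current 30-second step and the previous one to tolerate clock skew.
    otp_ok = False
    for skew in (0, 30):
        otp_ok |= hmac.compare_digest(totp(rec["totp_secret"], now - skew), otp)
    return (user in USERS) and pw_ok and otp_ok


def authorize(user: str, action: str, path: str) -> bool:
    """Authorization: given an authenticated user, what may they do? Default deny."""
    roles = USERS.get(user, DUMMY)["roles"]
    allowed = ACL.get(path, {}).get(action, set())
    return bool(roles & allowed)


def login_and_access(user: str, password: str, otp: str, now: int, action: str, path: str) -> str:
    """Run the three steps in order and report where a request stops."""
    if not identify(user):
        return "unknown identity"
    if not authenticate(user, password, otp, now):
        return "authentication failed"
    if not authorize(user, action, path):
        return "not authorized"
    return "granted"
```

Two details carry the defense-in-depth point: the password and the one-time code are both checked even when the first fails, so a response time does not reveal which factor was wrong, and a correct password alone never reaches the authorization step.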

End of the slides

Digitally signed by Varun Kumar Upadhyay DN: cn=Varun Kumar Upadhyay, o=National Law Institute University, ou=NLIU, [email protected], c=IN Date: 2015.06.26 11:07:40 +05'30'

Queries?

Thank you
