Lecture 1: Introduction to Information Security
Learning Objectives

Upon completion of this lecture, you should be able to:

 Understand the key terms and critical concepts of information security
 Understand important security properties and critical characteristics of information
 Understand the different security layers of an organization
What is Security?

 "The quality or state of being secure: to be free from danger."
 Protection from adversaries (those who would do harm, intentionally or otherwise) is the ultimate objective of security.
Key Information Security Concepts

Asset

 The organizational resource that is being protected.
 An asset can be logical, such as a Web site, information, or data.
 An asset can be physical, such as a person or a computer system.
 Assets, and particularly information assets, are the focus of security efforts.
Threat

 A category of objects, persons, or other entities that presents a danger to an asset.
 Threats are always present and can be purposeful or undirected.
 For example, hackers purposefully threaten unprotected information systems, while severe storms incidentally threaten buildings and their contents.
Vulnerability

 A weakness or fault in a system or protection mechanism that opens it to attack.
 Examples of vulnerabilities:
   A flaw in software (e.g., lack of input validation)
   An unprotected system port (a listening service with no access control in front of it)
   An unlocked door
 Some well-known vulnerabilities have been examined, documented, and corrected; others remain undiscovered.
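The "lack of input validation" example above, made concrete. The following is an added illustration, not code from the lecture: the same file-serving helper written first without validation (a request for `../../../etc/passwd` walks out of the document root) and then with an allow-list plus a containment check. `BASE_DIR` and the permitted file-name pattern are assumptions made for the example.

```python
# Added example, not part of the lecture: the same file-serving helper with
# and without input validation. BASE_DIR and SAFE_NAME are assumptions.
import posixpath
import re

BASE_DIR = "/srv/app/public"                                # assumed document root
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")  # assumed allow-list


def resolve_unvalidated(filename: str) -> str:
    """Vulnerable: trusts the caller's string as-is.

    '../' segments walk out of BASE_DIR, and an absolute name replaces it
    entirely (posixpath.join discards BASE_DIR when filename starts with '/').
    """
    return posixpath.normpath(posixpath.join(BASE_DIR, filename))


def resolve_validated(filename: str) -> str:
    """Hardened: allow-list the name, then confirm the result stays in BASE_DIR."""
    # Positive validation: only plain names from a known-good character set,
    # never starting with '.', so '..', '.hidden', '/' and '\\' are all refused.
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected file name: {filename!r}")
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, filename))
    # Second line of defence: even if the pattern is later loosened, refuse any
    # normalised path outside BASE_DIR. A real server would additionally resolve
    # symlinks (os.path.realpath) before this comparison.
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise ValueError(f"path escapes document root: {candidate}")
    return candidate


def is_safe_request(filename: str) -> bool:
    """True when the validated resolver accepts the name."""
    try:
        resolve_validated(filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ("report.pdf", "../../../etc/passwd", "/etc/passwd"):
        print(f"{name!r:28} unvalidated -> {resolve_unvalidated(name)}"
              f"   validated accepts? {is_safe_request(name)}")
```

The two functions differ only in the checks, which is the point: the vulnerability is the absence of a check, and the control is the check itself. Note that the containment test alone would not be enough if the pattern were dropped, because a symlink inside `BASE_DIR` can still point outside it.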
Attack

 An intentional or unintentional act that can cause damage to, or compromise, information and/or the systems that support it.
 Attacks can be:
   Active/Passive: someone casually reading sensitive information not intended for his or her use is a passive attack; altering that information would be an active attack.
   Intentional/Unintentional: a fire caused by an accident is unintentional.
   Direct/Indirect: a hacker compromising a system and using it to attack other systems is an indirect attack (e.g., botnets).
 Attack vs. threat: a threat is the potential for harm (an entity or event that could damage an asset); an attack is the act that realizes that potential.
Exploit

 A technique used by attackers to compromise a system for their own gain.
 An exploit takes advantage of a vulnerability that is either inherent in the software or is created by the attacker (for example, a misconfiguration or backdoor the attacker introduced earlier).
 Exploits make use of existing hacking tools or custom-made tools.
Risk

 The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.
 Risk = Asset + Vulnerability + Threat (a mnemonic for the three ingredients, not a literal sum: the factors combine more like a product, since removing any one of them removes the risk).
 Risk is a function of threats exploiting vulnerabilities to damage or destroy assets.
 Threats may exist, but if there are no vulnerabilities then there is little or no risk.
 Similarly, a vulnerability may exist, but if there is no threat to exploit it, there is little or no risk.
Subject and Object

 A computer can be the subject of an attack: the computer is used to conduct the attack.
 A computer can also be the object of an attack: the target of the attack (the victim).
 A computer can be both the subject and the object of an attack, when, for example, it is compromised by an attack (object) and is then used to attack other systems (subject).
Control, safeguard, or countermeasure

 Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security within an organization.
 Examples: anti-virus, firewall, password protection, etc.
 Overall security is improving, but so is the number of potential hackers.
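To make the Risk slide's relation and the effect of a control (this slide) tangible, here is an added example that is not part of the lecture: a toy risk register that scores each asset from its value, the threat against it and its vulnerability, ranks the assets, and shows what happens to the score when a control resolves part of a vulnerability. The 0 to 3 ordinal scale, the `RiskEntry` fields and the sample assets are assumptions of this example, not figures from the lecture.

```python
# Added example, not part of the lecture: a toy risk register applying
# Risk = f(asset value, threat, vulnerability), plus the effect of a control.
# The 0..3 scale, the field names and the sample entries are assumptions.
from dataclasses import dataclass, replace

SCALE_MAX = 3  # each factor is rated 0 (absent) .. 3 (high); an assumption


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    asset_value: int    # loss if the asset is damaged or destroyed
    threat: int         # likelihood that some threat targets the asset
    vulnerability: int  # how exposed the asset is to that threat

    def __post_init__(self):
        for name in ("asset_value", "threat", "vulnerability"):
            v = getattr(self, name)
            if not 0 <= v <= SCALE_MAX:
                raise ValueError(f"{name} must be in 0..{SCALE_MAX}, got {v}")

    def score(self) -> int:
        # A product, not a sum: a threat with no vulnerability to exploit, or a
        # vulnerability no threat reaches, contributes no risk (Risk slide).
        return self.asset_value * self.threat * self.vulnerability


def rank_register(entries):
    """Highest-risk assets first, so remediation effort goes there. Ties keep
    their original order (sorted() is stable, also with reverse=True)."""
    return sorted(entries, key=lambda e: e.score(), reverse=True)


def apply_control(entry, reduction):
    """Model a safeguard (patching, a firewall rule, a lock) that resolves part
    of a vulnerability; returns the entry with its residual vulnerability."""
    residual = max(0, entry.vulnerability - reduction)
    return replace(entry, vulnerability=residual)


def residual_register(entries, control_reduction=1):
    """Apply the same control to every entry and re-rank."""
    return rank_register([apply_control(e, control_reduction) for e in entries])


# Constructed sample register for illustration only.
SAMPLE_REGISTER = [
    RiskEntry("customer database", asset_value=3, threat=3, vulnerability=2),
    RiskEntry("public web site",   asset_value=2, threat=3, vulnerability=0),
    RiskEntry("air-gapped lab PC", asset_value=1, threat=0, vulnerability=3),
    RiskEntry("office printer",    asset_value=1, threat=2, vulnerability=2),
]


if __name__ == "__main__":
    print("before controls:")
    for e in rank_register(SAMPLE_REGISTER):
        print(f"  {e.score():2d}  {e.asset}")
    print("after a control that lowers every vulnerability by 1:")
    for e in residual_register(SAMPLE_REGISTER):
        print(f"  {e.score():2d}  {e.asset}")
```

The web site (no known vulnerability) and the air-gapped PC (no reachable threat) both score zero even though each has a high rating in one factor, which is exactly the two "little or no risk" cases on the Risk slide. The control reduces the score of the assets that had a vulnerability and leaves the zero-risk ones unchanged; in practice a control can also lower the threat factor (deterrence) or the asset value (reducing what is exposed), and the same register can model those.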