
Lecture 1: Introduction to Information Security
Learning Objectives

Upon completion of this lecture, you should be able to:

• Understand the key terms and critical concepts of information security
• Understand important security properties and critical characteristics of information
• Understand the different security layers of an

What is Security?

• "The quality or state of being secure - to be free from danger."
• Protection from adversaries (those who would do harm, intentionally or otherwise) is the ultimate objective of security.
Key Information Security Concepts

Asset

• The organizational resource that is being protected.
  • An asset can be logical, such as a Web site, information, or data.
  • An asset can be physical, such as a person or a computer system.
• Assets, and particularly information assets, are the focus of security efforts.

Threat

• A category of objects, persons, or other entities that presents a danger to an asset.
• Threats are always present and can be purposeful or undirected.
• For example, hackers purposefully threaten unprotected information systems, while severe storms incidentally threaten buildings and their

Vulnerability

• A weakness or fault in a system or protection mechanism that opens it to attack.
• Examples of vulnerabilities:
  • A flaw in software (e.g., lack of input validation)
  • An unprotected network port
  • An unlocked door
• Some well-known vulnerabilities have been examined, documented, and corrected; others remain undiscovered.
Attack

• An intentional or unintentional act that can cause damage to, or compromise, information and/or the systems that support it.
• Attacks can be:
  • Active/Passive: someone casually reading sensitive information not intended for his or her use is carrying out a passive attack
  • Intentional/Unintentional: a fire caused by an accident is an unintentional attack
  • Direct/Indirect: a hacker compromising a system and using it to attack other systems is carrying out an indirect attack (e.g., botnets)
• Attack vs. threat: a threat is the entity or event that could cause harm; an attack is the act in which that harm is actually attempted or inflicted.

Exploit

• A technique used by attackers to compromise a system to their own advantage.
• An exploit takes advantage of a vulnerability that is either inherent in the software or is created by the
• Exploits make use of existing hacking tools or custom-made tools.

Risk

• The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.
• Risk = Threat × Vulnerability × Asset value. The three factors combine as a product, not a sum: if any one of them is zero, the risk is zero.
• Risk is a function of threats exploiting vulnerabilities to damage or destroy assets.
• Threats may exist, but if there are no vulnerabilities, there is little or no risk.
• Similarly, a vulnerability may exist, but if there is no threat, there is little or no risk.
Subject and Object

• A computer can be the subject of an attack: the computer is used to conduct the attack.
• A computer can also be the object of an attack: the target of the attack (the victim).
• A computer can be both the subject and the object of an attack, when, for example, it is compromised by an attack (object) and is then used to attack other systems (subject).
Control, safeguard, or countermeasure

• Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security within an organization.
• Examples: anti-virus, firewall, password protection,

• Overall security is improving, but so is the number of potential attackers.