
Information Security

Code: ETCS-401
UNIT- I
Information and Security:
Information Systems: Recent History; Distributed Information Systems
and their Importance; Role of Internet and Web Services; Threats and
Attacks; Classification of Threats and Assessing Damages. Security in
Mobile and Wireless Computing: Security Challenges in Mobile Devices,
Authentication Service Security, Security Implications for Organizations,
Laptop Security. Basic Principles of Information Security:
Confidentiality, Integrity, Availability and other terms in Information
Security; Information Classification and its Roles; Privacy of Data.
History
• What has changed in 50 years?
• Importance of the WWW as the backbone
• EDI (Electronic Data Interchange), ERP (Enterprise Resource
Planning), EIS (Executive Information System), Supply Chain
Management (SCM)
• ENIGMA
Information System
• An Information System can be defined technically as a set of
interrelated components that collect (or retrieve), process, store and
distribute information to support decision making and control in an
organization. A second definition, by Buckingham et al. (1987b),
follows.
Another Definition
• A system which assembles, stores, processes, and delivers
information relevant to an organization (or to a society), in such a way
that the information is accessible and useful to those who wish to use
it, including managers, staff, clients and citizens. An information
system is a human activity (social) system, which may or may not
involve the use of computer systems. Also, in addition to supporting
decision-making, information systems help workers and managers to
analyze complex problems, to develop new products and to integrate
the various modules and departments.
Types of Information Systems
• The six major types of information systems, and the organizational
level each one serves, are:
• 1. Transaction Processing Systems (TPS): serve the operational level of an
organization.
• 2. Knowledge Work Systems (KWS): serve the knowledge level of an
organization.
• 3. Office Automation Systems (OAS): also serve the knowledge level.
• 4. Decision Support Systems (DSS): serve the management level of the
organization.
• 5. Management Information Systems (MIS): also serve the management level.
• 6. Executive Support Systems (ESS): serve the strategic level of an organization.
What is Security in General

• Security is about protecting assets from damage or harm
• It focuses on all types of assets
– Example: your body, possessions, the environment, the nation
Security and related concepts
– National security (political stability)
– Safety (health)
– Environmental security (clean environment)
– Information security
– etc.
What is Information Security
• Information Security focuses on protecting information assets from damage or harm
• What are the assets to be protected?
• – Example: data files, software, IT equipment and infrastructure
• Covers both intentional and accidental events
• – Threat agents can be people or acts of nature
• – People can cause harm by accident or by intent
• Information Security:
– The preservation of confidentiality, integrity and availability of information;
– in addition, other properties such as authenticity, accountability, non-repudiation and reliability can
also be involved.
Scope of Information Security

• The goal of IS management is to avoid damage to information assets and to control the risk of damage
• IS management focuses on:
– Understanding threats and vulnerabilities
– Managing threats by reducing vulnerabilities or threat exposures
– Detecting attacks and recovering from attacks
– Investigating incidents and collecting evidence about them (forensics)
The Need for Information Security

• Why not simply solve all security problems once and for all?
• Reasons why that is impossible:
– Rapid innovation constantly generates new technology with new vulnerabilities
– More activities go online
– Crime follows the money
– Information security is an afterthought when IT is developed
– New and changing threats
– More effective and efficient attack techniques and tools are being developed
• Conclusion: Information security has no final goal; it is a continuing process
Security control categories

• Physical controls
• Technical controls
• Administrative controls
Physical controls
• Facility protection
• Security guards
• Locks
• Monitoring
• Environmental controls
• Intrusion detection (physical)
Technical Controls
• Logical access control
• Cryptographic controls
• Security devices
• User authentication
• Intrusion detection (IDS)
• Forensics
Administrative controls
• Policies & standards
• Procedures & practice
• Personnel screening
• Awareness training
• Secure system development
• Incident response
Security Control Functional Types

• Preventive controls:
Prevent attempts to exploit vulnerabilities.
Example: encryption of files
• Detective controls:
Warn of attempts to exploit vulnerabilities.
Example: Intrusion detection systems (IDS)
• Corrective controls:
Correct errors or irregularities that have been detected.
Example: Restoring all applications from the last known good image to bring a corrupted system back online
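A detective control in working form, added here as an example; it is not code from the lecture slides. It plays the role of the IDS named above and of the "detection of attacks" task on the Scope slide: it parses authentication log lines and raises an alert when one source address produces a run of failed logins inside a short window, then escalates if that same address subsequently succeeds. The sshd-style log lines are constructed sample data, and the threshold of 5 failures in 60 seconds is an assumption chosen for illustration, not a rule taken from any real IDS.

```python
"""Detective control: threshold-based brute-force detector over auth log lines.

Added example, not from the lecture slides. Log format, threshold and window
are assumptions chosen for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): one source guesses passwords
# and finally gets in; a second source is a normal user with one typo.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[2011]: Failed password for invalid user admin from 203.0.113.9 port 51000 ssh2
2024-03-01T10:00:03 sshd[2011]: Failed password for invalid user admin from 203.0.113.9 port 51001 ssh2
2024-03-01T10:00:04 sshd[2011]: Failed password for root from 203.0.113.9 port 51002 ssh2
2024-03-01T10:00:06 sshd[2011]: Failed password for root from 203.0.113.9 port 51003 ssh2
2024-03-01T10:00:07 sshd[2011]: Failed password for root from 203.0.113.9 port 51004 ssh2
2024-03-01T10:00:09 sshd[2011]: Accepted password for root from 203.0.113.9 port 51005 ssh2
2024-03-01T10:05:00 sshd[2012]: Failed password for alice from 198.51.100.4 port 40001 ssh2
2024-03-01T10:05:30 sshd[2012]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

# Assumed line shape: ISO timestamp, sshd tag, Failed/Accepted, method, user, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line):
    """Return (timestamp, result, user, ip), or None for lines the detector does not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"])


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return a list of (alert_kind, source_ip, detail) tuples.

    BRUTE_FORCE fires once per source IP when `threshold` failed logins fall
    inside a sliding `window`. SUCCESS_AFTER_BRUTE_FORCE fires when a flagged
    IP later logs in successfully, the classic sign of a guessed password.
    """
    alerts = []
    failures = defaultdict(deque)   # source ip -> timestamps of recent failures
    flagged = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue   # unparsed lines are skipped, never counted as failures
        ts, result, user, ip = rec
        recent = failures[ip]
        if result == "Failed":
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()   # drop failures that fell out of the window
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("BRUTE_FORCE", ip,
                               f"{len(recent)} failed logins within {window.seconds}s"))
        elif result == "Accepted" and ip in flagged:
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", ip,
                           f"login as {user} after repeated failures"))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {kind} source={ip}: {detail}")
```

Run against the sample, the detector raises two alerts for 203.0.113.9 and none for alice, whose single failure never reaches the threshold. The second alert is the one a responder cares about most: a detective control only warns, so the corrective step (disabling the account, rotating the password, restoring the host) still has to follow from the alert.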
Layers of DIS (Distributed Information System)
Information System Architecture

• Four basic types:
• 1-tier
• 2-tier
• 3-tier
• N-tier
One Tier Architecture

• The presentation, application and resource layers are merged into one layer
• Impractical to implement today
Two Tier Architecture
Advantages and Disadvantages of 2 Tier
Advantages and Disadvantages of 3 Tier
Review Questions

• Q1. A distributed system can be viewed as a stack of three abstract layers. Name the layers.
• Q2. Is the statement "client/server architecture emerged when the presentation layer moved to reside with the
client" true?
• Q3. 3-tier architecture also evolved to integrate between ______ systems and to allow for ______
connectivity.
• Q4. Which architecture emerged with middleware, and why?
