Information Security Unit 1: Notes

 Introduction to Information Security -12 Marks


Information: It is a resource fundamental to the success of any business.
Data: It is a collection of all types of information which can be stored and used as per requirement.
Knowledge: It is based on data that is organized, synthesized or summarized and it is carried by experienced employees in the organization.
Action: It is used to pass the required information to a person who needs it with the help of an information system.


Security

Ø Security is the method which makes the accessibility of information or system more reliable.

Ø Security means protecting information or a system from unauthorized users such as attackers, who harm the system or the network intentionally or unintentionally.

Ø Security is not only about protecting information or the network, but also about allowing authorized users to access the system or network.


Need of Security


1. Protecting the functionality of an organization.

Ø The General Manager and IT Manager are responsible for implementing information security that protects the functionality of an organization.

Ø Implementing information security has more to do with management than technology.

Ø For e.g. managing payroll has more to do with management than calculating wages, other things etc.


2. Enabling the safe operation of application.

Ø Today, organizations operate on integrated, efficient and capable applications.

Ø A modern organization needs to create an environment that safeguards these applications, especially the operating system platform, email, instant messaging applications etc.


3. Protecting data that the organization uses and collects.

Ø Without data, an organization loses its records of transactions and its ability to deliver value to its customers.

Ø Protecting data in motion and at rest are both critical aspects of information security.

Ø  The value of data motivates attackers to steal and corrupt the data.

 



4. Safeguarding technology assets in organization.
 

Ø To perform effectively, organizations must employ secure infrastructure services which are appropriate to the size and the scope of the organization.

Ø For e.g. a small business uses an email service and secures it with a personal encryption tool.

Ø When an organization grows, it must develop additional security services that use a system of software, encryption methodology and legal agreements that support the entire information infrastructure.


Information Classification


1. Unclassified: Information that is neither sensitive nor classified. The public release of this information does not violate confidentiality.
2. Sensitive but Unclassified (SBU): Information that has been designated as a minor secret but may not create serious damage if disclosed.
3. Confidential: The unauthorized disclosure of confidential information could cause some damage to the country's national security.
4. Secret: The unauthorized disclosure of this information could cause serious damage to the country's national security.
5. Top secret: This is the highest level of information classification. Any unauthorized disclosure of top secret information will cause grave damage to the country's national security.


Criteria for Information Classification

 

Ø Value: It is the most commonly used criterion for classifying data in the private sector. If the information is valuable to an organization, it needs to be classified.

Ø Age: The classification of the information may be lowered if the information's value decreases over time.

Ø Useful Life: If the information has been made available to new information, important changes to the information can often be considered.

Ø Personal association: If the information is personally associated with a specific individual or is addressed by a privacy law, then it may need to be classified.


Three pillars of information security:

 




Confidentiality

Ø It is used as an attempt to prevent the intentional or unintentional unauthorized disclosure of message contents.

Ø Loss of confidentiality can occur in many ways, such as through the intentional release of private company information or through a misapplication of network rights.


Integrity


The concept of integrity ensures that
1. Modifications are not made to data by unauthorized persons or processes.
2. Unauthorized modifications are not made to the data by authorized persons or processes.
3. The data is internally and externally consistent.



Availability

Ø The concept of availability ensures the reliable and timely access to data or computing resources by the appropriate person.

Ø Availability guarantees that the systems are up and running when they are needed.

Ø In addition, this concept guarantees that the security services needed by the security practitioner are in working order.

 


Data Obfuscation

 

Ø It is a form of data masking where data is purposely scrambled to prevent unauthorized access to sensitive material.

Ø A method to prevent intrusion of private & sensitive information.

Ø Related to encryption

Ø It hides original information with random characters.

Ø  It is concealment of meaning in data/information.

Ø It makes data confusing and harder to interpret.

Ø It protects data by replacing it with fictitious data.

Ø If a data loss involves obfuscated data, an unauthorized user may be able to read the data, but it will not reflect any individual details.

Ø Protection provided through combination of encryption and obfuscation.

Ø The use of personal information in govt/medical/voter list will create a threat to privacy.

Ø Data obfuscation modifies data items without changing usefulness of data.

Ø Some areas need to mask real-time data which is extracted from the database.

Ø Data needed for testing should be obfuscated and encrypted.

Ø For some agencies that have legal rights to use live data, there is only a need for encryption.


Data obfuscation techniques


Usefulness:
How appropriate is the obfuscated data set for use after it has been changed.
Effectiveness:
How much time, effort and skill are required by an attacker to understand and remove the obfuscation.
Resiliency:
How much time, effort and skill an attacker would expend writing a program to automatically un-obfuscate, and the resources required to run the un-obfuscator.
Cost:
The impact of implementation.
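
Added example (not part of the original notes): masking a customer table for use as test data, so that names are replaced with fictitious ones and numbers with random-looking digits while the format and the non-sensitive fields stay usable. The key, the name lists, the field names and the sample records are all constructed for this illustration.

```python
import hashlib
import hmac

# Constructed key for the example; a real key stays outside the test environment.
MASKING_KEY = b"constructed-demo-key"
FIRST_NAMES = ["Asha", "Ravi", "Meera", "Karan", "Neha", "Vikram"]
LAST_NAMES = ["Patil", "Shah", "Iyer", "Khan", "Joshi", "Rao"]

def _digest(value: str, field: str) -> bytes:
    """Keyed hash: the same input always gives the same masked output."""
    return hmac.new(MASKING_KEY, f"{field}:{value}".encode(), hashlib.sha256).digest()

def fake_name(real_name: str) -> str:
    """Replace a real name with a fictitious one chosen by the keyed hash."""
    d = _digest(real_name, "name")
    return f"{FIRST_NAMES[d[0] % len(FIRST_NAMES)]} {LAST_NAMES[d[1] % len(LAST_NAMES)]}"

def mask_digits(number: str, keep_last: int = 0) -> str:
    """Replace digits with keyed pseudo-random digits; keep length and separators."""
    d = _digest(number, "digits")
    total = sum(c.isdigit() for c in number)
    out, seen = [], 0
    for c in number:
        if c.isdigit():
            seen += 1
            if seen <= total - keep_last:   # the last `keep_last` digits stay readable
                c = str(d[seen % len(d)] % 10)
        out.append(c)
    return "".join(out)

def obfuscate(record: dict) -> dict:
    """Return a copy that is still useful for testing but names no real person."""
    return {
        "id": record["id"],                                 # kept so joins still work
        "name": fake_name(record["name"]),
        "phone": mask_digits(record["phone"]),
        "card": mask_digits(record["card"], keep_last=4),
        "balance": record["balance"],                       # kept so totals still add up
    }

# Constructed sample records
RECORDS = [
    {"id": 1, "name": "Alice Example", "phone": "555-0100", "card": "4111 1111 1111 1111", "balance": 2500},
    {"id": 2, "name": "Bob Sample", "phone": "555-0101", "card": "5500 0000 0000 0004", "balance": 90},
]

if __name__ == "__main__":
    print([obfuscate(r) for r in RECORDS])
```

Because the mapping is keyed and repeatable, the same customer gets the same fictitious values in every table (usefulness), while reversing it requires the key (effectiveness).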

 

Event Classification


Events that can damage the Information Security

o   Disaster

Ø Cause significant disruption in operational & computer processing capabilities.

Ø Cause permanent & considerable harm to assets

o   Crisis

Ø Event that leads to an unstable and abnormal situation.

Ø Decisions are made quickly to limit damage.

o   Catastrophe

Ø  Extremely large scale disaster and dangerous situation

 

  •  Obfuscation – confuse, mask
  •  Concealment – Cover up, hide, keep out of sight
  •  Scrambled – jumbled
  •  Fictitious – untrue, bogus
  •  Resiliency – the ability of a substance or object to spring back into its shape, elasticity
  •  Disruption – a problem which interrupts an event




