Introduction to Information Security (12 Marks)
Information: It is a resource fundamental to the success of any business.
Data: It is a collection of all types of information which can be stored and used as per requirement.
Knowledge: It is based on data that is organized, synthesized or summarized, and it is carried by experienced employees in the organization.
Action: It is used to pass the required information to the person who needs it, with the help of an information system.
Security
- Security is the method which makes the accessibility of information or a system more reliable.
- Security means protecting information or a system from unauthorized users such as attackers, who harm the system or the network intentionally or unintentionally.
- Security is not only about protecting information or the network; it also allows authorized users to access the system or network.
Need of Security
1. Security protects the functionality of an organization.
- The General Manager and the IT Manager are responsible for implementing information security that protects the functionality of the organization.
- Implementing information security has more to do with management than with technology.
- For e.g., managing payroll has more to do with management than with calculating wages and similar tasks.
2. Enabling the safe operation of applications.
- Today an organization operates on integrated, efficient and capable applications.
- A modern organization needs to create an environment that safeguards these applications, especially the operating system platform, email, instant messaging applications, etc.
3. Protecting the data that an organization uses and collects.
- Without data, an organization loses its records of transactions and its ability to deliver value to its customers.
- Protecting data in motion and data at rest are both critical aspects of information security.
- The value of data motivates attackers to steal and corrupt it.
4. Safeguarding the technology assets in an organization.
- To perform effectively, organizations must employ secure infrastructure services appropriate to the size and scope of the organization.
- For e.g., a small business uses an email service and secures it with a personal encryption tool.
- When an organization grows, it must develop additional security services that use systems of software, encryption methodologies and legal agreements that support the entire information infrastructure.
Information Classification
1. Unclassified: Information that is neither sensitive nor classified. The public release of this information does not violate confidentiality.
2. Sensitive but Unclassified (SBU): Information that has been designated as a minor secret but may not create serious damage if disclosed.
3. Confidential: The unauthorized disclosure of confidential information could cause some damage to the country's national security.
4. Secret: The unauthorized disclosure of this information could cause serious damage to the country's national security.
5. Top Secret: This is the highest level of information classification. Any unauthorized disclosure of top secret information will cause grave damage to the country's national security.
Criteria for Information Classification
- Value: It is the most commonly used criterion for classifying data in the private sector. If the information is valuable to an organization, it needs to be classified.
- Age: The classification of the information may be lowered if the value of the information decreases over time.
- Useful Life: If the information has been made obsolete by newer information, important changes to its classification can often be considered.
- Personal Association: If the information is personally associated with a specific individual or is addressed by a privacy law, then it may need to be classified.
Three pillars of information security:
Confidentiality
- It is an attempt to prevent the intentional or unintentional unauthorized disclosure of message contents.
- Loss of confidentiality can occur in many ways, such as through the intentional release of private company information or through a misapplication of network access rights.
Integrity
The concept of integrity ensures that
1. Modifications are not made to data by unauthorized persons or processes.
2. Unauthorized modifications are not made to the data by authorized persons or processes.
3. The data is internally and externally consistent.
Availability
- The concept of availability ensures reliable and timely access to data or computing resources by the appropriate persons.
- Availability guarantees that the systems are up and running when they are needed.
- In addition, this concept guarantees that the security services needed by the security practitioner are in working order.
Data Obfuscation
- It is a form of data masking where data is purposely scrambled to prevent unauthorized access to sensitive material.
- It is a method to prevent intrusion into private and sensitive information.
- It is related to encryption.
- It hides the original information with random characters.
- It is the concealment of meaning in data/information.
- It makes data confusing and harder to interpret.
- It protects data by replacing it with fictitious data.
- In a data loss involving obfuscated data, an unauthorized user may be able to read the data, but it will not reveal any individual's details.
- Protection is provided through a combination of encryption and obfuscation.
- The use of personal information in government/medical/voter lists creates a threat to privacy.
- Data obfuscation modifies data items without changing the usefulness of the data.
- Some areas need to mask real-time data which is extracted from a database.
- Data needed for testing should be obfuscated and encrypted.
- Some agencies have legal rights to use live data; for them there is only a need for encryption.
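Worked example (added here; it is not part of the notes above and not taken from any product): a small Python script that masks a constructed customer export before it is handed to a test environment, in the way the bullets describe. Identifying fields are replaced with pseudonyms and fictitious names, while the value format and the non-identifying fields are kept so the data stays useful for testing. The sample records, the name pool and MASKING_KEY are constructed placeholders, not real data.

```python
"""Deterministic data masking for a test dataset (added example)."""
import hashlib
import hmac
import itertools
import re

# Constructed sample export; the people and numbers are fictitious.
SAMPLE_RECORDS = [
    {"id": 101, "name": "Asha Verma", "email": "asha.verma@example.com",
     "phone": "+91-98765-43210", "balance": 1520.75},
    {"id": 102, "name": "Rohan Mehta", "email": "rohan@example.org",
     "phone": "+91-91234-56789", "balance": 240.00},
    # Same person appearing twice: masking must map both rows to the same
    # pseudonym, otherwise joins in the test database break (usefulness).
    {"id": 103, "name": "Asha Verma", "email": "asha.verma@example.com",
     "phone": "+91-98765-43210", "balance": 99.10},
]

# Hypothetical per-environment secret (placeholder). In practice it is loaded
# from a secrets store and never shipped with the masked data; without it the
# holder of the masked set cannot recompute the original-to-pseudonym mapping.
MASKING_KEY = b"masking-key-placeholder-do-not-use"

# Small pool of fictitious names used to replace real ones.
FAKE_FIRST = ["Alex", "Sam", "Priya", "Jordan", "Kiran", "Taylor"]
FAKE_LAST = ["Rao", "Lee", "Patel", "Garcia", "Okafor", "Nakamura"]


def _digest(value: str) -> bytes:
    """Keyed hash of a field value: deterministic, but not reversible."""
    return hmac.new(MASKING_KEY, value.encode("utf-8"), hashlib.sha256).digest()


def mask_name(name: str) -> str:
    """Replace a real name with a fictitious one chosen from the pool."""
    d = _digest(name)
    return f"{FAKE_FIRST[d[0] % len(FAKE_FIRST)]} {FAKE_LAST[d[1] % len(FAKE_LAST)]}"


def mask_email(email: str) -> str:
    """Pseudonymise the local part; keep the domain so format checks and
    domain statistics in the test system still behave."""
    local, _, domain = email.partition("@")
    return f"user{_digest(local).hex()[:8]}@{domain}"


def mask_phone(phone: str) -> str:
    """Replace every digit with a digit derived from the keyed hash, keeping
    punctuation and length so the value still looks like a phone number."""
    digits = itertools.cycle(str(int.from_bytes(_digest(phone), "big")))
    return "".join(next(digits) if ch.isdigit() else ch for ch in phone)


def mask_record(rec: dict) -> dict:
    """Mask the identifying fields; id and balance are kept unchanged so the
    data remains useful for testing business logic."""
    masked = dict(rec)
    masked["name"] = mask_name(rec["name"])
    masked["email"] = mask_email(rec["email"])
    masked["phone"] = mask_phone(rec["phone"])
    return masked


def mask_records(records: list) -> list:
    return [mask_record(r) for r in records]


def leaks_original(masked: dict, original: dict) -> bool:
    """Pre-release check: does any original identifying value survive?"""
    local = original["email"].partition("@")[0]
    phone_digits = re.sub(r"\D", "", original["phone"])
    return any([
        original["name"] == masked["name"],
        local in masked["email"],
        phone_digits == re.sub(r"\D", "", masked["phone"]),
    ])


if __name__ == "__main__":
    for original, masked in zip(SAMPLE_RECORDS, mask_records(SAMPLE_RECORDS)):
        assert not leaks_original(masked, original)
        print(masked)
```

The keyed hash is what makes this obfuscation rather than a simple substitution table: the same input always yields the same pseudonym (so repeated customers stay linkable), but reversing it would require the key, which matches the "effectiveness" and "resiliency" criteria listed below. The leaks_original check is the kind of release gate a practitioner adds so that a masking bug does not quietly ship live data to a test environment.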
Data obfuscation techniques
Usefulness: How appropriate the obfuscated data set is for use after it has been changed.
Effectiveness: How much time, effort and skill is required by an attacker to understand and remove the obfuscation.
Resiliency: How much time, effort and skill an attacker would expend writing a program to automatically un-obfuscate the data, and the resources required to run the un-obfuscator.
Cost: The impact of implementation.
Event Classification
Events that can damage information security:
- Disaster
  - Causes significant disruption in operational and computer processing capabilities.
  - Causes permanent and considerable harm to assets.
- Crisis
  - An event that leads to an unstable and abnormal situation.
  - Decisions are made quickly to limit the damage.
- Catastrophe
  - An extremely large-scale disaster and dangerous situation.
- Obfuscation – confuse, mask
- Concealment – Cover up, hide, keep out of sight
- Scrambled – jumbled
- Fictitious – untrue, bogus
- Resiliency – the ability of a substance or object to spring back into its shape, elasticity
- Disruption – a problem which interrupts an event