17-Oct-21
Enterprise Information Security (EIS) CS6730
Lecture 2
Syed Aijaz Ahmed
Summary of Lecture 1
• Important Terms: Assets, Threat, Vulnerability, Risk, Threat Actor, Control
• Security Goals: The CIA triad has become the de facto standard model for keeping your organization secure.
• Enterprise Security is the process by which an organization protects its information assets (data, servers, workstations, storage, networking, applications, etc.) from infringement of confidentiality, integrity, or availability.
• Asset Classification
• Security Attacks
Information Security Management
• Covers both intentional and accidental events. Threat agents can be people or acts of nature.
• People can cause harm by accident or by intent.
• IS management has as its goal to avoid damage and to control the risk of damage to information assets.
• Information Security Focuses On:
– Understanding threats and vulnerabilities
– Managing threats by reducing vulnerabilities or threat exposures
– Detection of attacks and recovery from attacks
– Investigating and collecting evidence about incidents (forensics)
Enterprise Information Security
• Enterprise Security is the process by which an organization protects
its information assets (data, servers, workstations, storage,
networking, applications, etc.) from infringement of confidentiality,
integrity, or availability.
• It includes policies and procedures which provide guidance on
the who, what, why, and how to implement the protection
mechanism for an organization’s information assets.
A policy is a guiding principle used to set direction in an organization.
A procedure is a series of steps to be followed as a consistent and repetitive approach to accomplish an end result.
Example (a higher level): National Information Security .. NADRA etc.
Enterprise Challenges
• For an effective information security program and strategy, it is
necessary to have ongoing support from senior management,
business owners and department heads. Information security cannot
be driven up from the middle of an organization. Without support
of senior management, the issues of inadequate funding,
insufficient staffing and poor compliance will be ongoing.
• Support can be gained by educating senior management or
developing persuasive business cases. “Unfortunately, more often, it
is a serious incident or major compromise that is needed to
generate management commitment”.
Balancing Information Security and Access
• Impossible to obtain perfect security—it is a process, not an absolute
• Security should be considered a balance between protection and availability
• There is an interdependency between these attributes. When
Approaches to Information Security Implementation: Bottom-Up Approach
• Grassroots effort: Systems administrators attempt to improve security
of their systems.
• Key advantage: technical expertise of individual administrators
• Seldom works, as it lacks a number of critical features:
– Participant support
– Organizational staying power
Approaches to Information Security Implementation: Top-Down Approach
• Initiated by upper management
• Issue policy, procedures, and processes
• Dictate goals and expected outcomes of project
• Determine accountability for each required action
• The most successful type of top-down approach also involves a formal development strategy referred to as the systems development life cycle.
Figure: The key concept here is the direction of the left and right side arrows to show where planning is sourced and from which direction the pressure for success is driven.
Differences Between Leadership and Management
• The leader influences employees so that they are willing to
accomplish objectives
• He or she is expected to lead by example and demonstrate personal
traits that instill a desire in others to follow
• Leadership provides purpose, direction, and motivation to those that follow
• A manager administers the resources of the organization
Classifying Assets
• The reason to classify an asset is so that you can take specific action, based on policy, with regard to assets in a given class.
• By classifying data and labeling it (such as labeling “top secret” data on a hard disk), we can then focus the appropriate amount of protection or security on that data.
• More security for top secret data than for unclassified data, for instance.
Asset Classification
Not all assets have the same value. An organization must classify its assets.
Security Attacks
• Security attack: Any action that compromises the security of information owned by an organization
• Passive Attacks
A passive attack attempts to learn or make use of information from the system but does not affect system resources. The goal of the opponent is to obtain information that is being transmitted.
Difficult to detect; the countermeasure is to prevent rather than detect.
Security Attacks (Contd.)
• Active Attacks
An active attack attempts to alter system resources or affect their operations. Active attacks involve some modification of the data stream or the creation of a false statement.
Easier to detect but difficult to prevent; the goal is to defend, detect, and recover.
Some Known Characters of Network Security Literature
Generic characters can be users, client/server machines, routers, etc. communicating over an insecure channel.
Generic Tools for Implementing CIA
The Three Dimensions of the Cybersecurity Cube (also called the McCumber Cube)
In 1991, John McCumber created a model framework for establishing and evaluating information security (information assurance) programs, now known as the McCumber Cube. This security model is depicted as a three-dimensional Rubik's Cube-like grid.
Using [Link] (File Integrity and Checksum Verifier)
• Demonstration
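As an added example (not from the lecture or the tool demonstrated in it), the core of a file integrity and checksum verifier in Python: record the SHA-256 digest of every file under a directory as a baseline, re-scan later, and report which files were modified, removed or added. The directory tree and its contents are constructed inside the example and all function names are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Digest a file in chunks so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map every regular file under root (posix relative path) to its digest.
    Store the baseline where an intruder cannot rewrite it (offline or signed):
    a baseline kept on the monitored host can be edited along with the files."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }

def verify(root: Path, baseline: dict) -> dict:
    """Re-scan root and report files that were modified, removed or added."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "removed": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }

def demo() -> dict:
    """Constructed scenario: baseline a small tree, then change it three ways."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "app.conf").write_text("debug = false\n")
        (root / "readme.txt").write_text("unchanged\n")
        baseline = build_baseline(root)
        # Simulated unauthorized changes: one edit, one deletion, one new file.
        (root / "app.conf").write_text("debug = true\n")
        (root / "etc" / "hosts").unlink()
        (root / "new.bin").write_bytes(b"constructed sample content")
        return verify(root, baseline)

if __name__ == "__main__":
    print(demo())  # {'modified': ['app.conf'], 'removed': ['etc/hosts'], 'added': ['new.bin']}
```

A scheduled re-scan that compares against a protected baseline is the detection side of integrity; the unchanged readme.txt shows that only genuine differences are reported.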