Information Security Chapter 1

The document provides an introduction to information security, emphasizing the importance of protecting information as a critical business asset. It outlines the components of information, the need for classification based on sensitivity, and the three pillars of information security: confidentiality, integrity, and availability (CIA). Additionally, it discusses various security measures and the significance of data obfuscation in safeguarding sensitive information.
Introduction to Information Security

Syllabus : Information, need and importance of information, information classification, criteria for information classification; Security, need of security, basic principles of information security; Information security, three pillars of information security, data obfuscation, event classification.

1.1 Information :

Information is a resource fundamental to the success of any business. Information is a combination of the following three parts :

(1) Data : It is a collection of all types of information which can be stored and used as per requirement, for example personal data, medical information, accounting data etc.

(2) Knowledge : It is based on data that is organized, synthesized or summarized, and it is carried by experienced employees in the organization.

(3) Action : It is used to pass the required information to a person who needs it, with the help of an information system.

Information is an important asset and needs to be protected all the time.

1.1.1 Need and Importance of Information :

Today's world is the 'Information Age' because of the use of computer and communication technology. Computers are very essential today, for example to check mails or to carry out bank transactions. So we need a system that manages and serves the information/data to people when they need it. Information is the life blood of every organization; any damage to information/data causes disruptions in the normal processes of the organization, like financial loss etc.

An information system includes hardware, software, data and applications, and is used to manage information. Information is one of the most valuable resources of an organization, so it is essential for decision making.

Fig. 1.1.1 : Information System within Organization

The main objective of an information system is to monitor and document the operations of other systems. An organization requires an information system strategic plan to :
- Discover the areas where information technology can be used
- Communicate to management the need and concerns of the use of IT
- Reduce the IT expenses
- Use IT applications in strategic areas of the organization to improve the services
- Ensure integration and implementation of IT efforts

Today, information technology is a key component of competitive strategy. Hence an organization should tightly link its information and communication flow requirements with its decision making capability. To satisfy this, the information system (IS) calls for intensive and complex interaction between the different units in the organization.

1.1.2 Information Classification :

- Generally organizations classify their information to provide information security. The main reason for classifying information is that the data or information of an organization does not all have the same level of criticality. Some information or data may be important only for some people in the organization, like senior management for strategic decisions.

- Some data like formulae, trade secrets, product information etc. are important because the loss of such information will harm the organization in many ways, like its goodwill, market etc. Hence, classification of information is beneficial for an organization to decide the level of security.

- The main aim of the organization is to improve the Confidentiality, Integrity and Availability (CIA) of information and to reduce the risk related to information.

- Information classification is an important component while securing any trusted system, like government sectors. In such areas information classification is very critical; it is used to prevent unauthorized access to the system and to achieve confidentiality. Another reason for classification may be privacy laws and legislation or any other compliance requirement.
- Classification of information and information assets will help the organization to employ security policies and security procedures for the protection of the information and assets that are more critical.

- Advantages of information classification are as follows :
  - Information classification is a commitment of the organization to security protection.
  - Information classification will help the organization to identify which information is critical and more sensitive.
  - Information classification supports CIA - Confidentiality, Integrity and Availability.
  - Information classification will help the organization to decide what type of protection is applied to which type of information.
  - Information classification will fulfill the legal requirements of legal mandates, compliance and regulations.

- In an organization, classification should be based on the sensitivity of information towards its loss and disclosure. It is the job of the information owner to define the level of sensitivity of the information. This will help to properly implement security controls based on the classification of the information.

1.1.3 Criteria for Information Classification :

The information classification defines what kind of information is stored on a system. Based on the classification, the information may need different protections in place.

Levels of information classification used in Government or Military are as follows :

(1) Unclassified : Information is not classified and is not sensitive. Information access is public and will not affect confidentiality. The information is low-impact, and hence it does not require any security.

(2) Sensitive but Unclassified : Information is less sensitive, and if it gets disclosed then it will not create serious damage to the organization.

(3) Confidential : Unauthorized access to confidential information will cause damage or be prejudicial to national security.
This label is used for information which falls between Sensitive but Unclassified (SBU) and Secret.

(4) Secret : The Secret label should be applied to information where the unauthorized disclosure of such information could cause serious damage to national security.

(5) Top Secret : Top Secret shall be applied to information where the unauthorized disclosure of this type of information could cause exceptionally grave damage to national security. This is the highest level of classification.

Levels of information classification used by companies are as follows :

(1) ... impact on organization.

(2) Sensitive : This type of information needs a higher level of security than normal information. Such information needs security for confidentiality as well as integrity.

(3) Private : This type of information is personal in nature and is used by the company only. The disclosure of such information can affect the company and its employees, for example medical information, salary information etc.

Following are the criteria used to decide the classification of information :

(1) Value : It is the most common criterion of information classification. When the information is more valuable for the organization, then that information should be classified.

(2) Age : Age states that the classification of information might be lowered if the information's value decreases over time. For example, documents are classified and then automatically declassified after a specific time period.

(3) Useful Life : Useful Life states that if the information has been made out-of-date due to new information or any other reason, then that information can be declassified.

(4) Personal Association : Information which is personally associated with particular individuals, or which is addressed by a privacy law, should be classified.
1.2 Security :

Security is the method which makes the accessibility of information or a system more reliable. Security means to protect information or a system from unauthorized users like attackers, who do harm to the system or to the network intentionally or unintentionally. Security is not only about protecting the system or network; it also allows authorized users to access the system or network.

For protecting any organization, the following multiple layers of security are important :

- Physical Security : It will protect physical items/assets like hard disk, RAM, objects or areas from unauthorized users.
- Personal Security : It will protect the individual users or groups in the organization who are authorized to use the operations of the organization.
- Operational Security : It will protect the details of particular operations or series of activities in the organization.
- Communication Security : It will protect communication technology, media and the content of communication.
- Network Security : It will protect networking components like routers, bridges, connections and contents etc.
- Information Security : It will protect all informational assets. It contains management of information security, computer and network security, and computer and data security.

Management of Information Security : The organization should implement tools like policy, training and education to provide security to information and its systems.

1.2.1 Need of Security :

Nowadays information security is an emerging field because of the wide use of computers in day to day life. Information security is not only related to computer systems or information; it should apply to all aspects of safeguarding or protecting information or data in any form or media. It is very important to protect a system or network from unauthorized access to or modification of information by a third party.
Security means the protection of information or data in some form from unauthorized use.

For any organization, information security performs the following four important functions :

(1) Protects the organization's ability to function : It is the responsibility of both general management and IT management to implement security that protects the organization's ability to function. Information security is more a part of management than of technology; for example, in a payroll system it is more a job of management than of mathematical computations. Policy and its implementation are more important in information security than the technology which implements it. So each organization that is interested in implementing information security must address security in terms of business impact and the cost of business interruption, rather than focusing on security as a technical problem.

(2) Enables safe operation of applications : Nowadays many organizations purchase and operate integrated, efficient and capable applications. These applications are very important for the organization's infrastructure, like email, messaging applications, OS platforms etc. Hence it is the need of an organization to create an environment that will protect such applications running under the organization's IT system. Such applications can either be purchased or developed in-house; safeguarding the technology infrastructure is the responsibility of the IT department of an organization.

(3) Protects the data collected and used by the organization : Data is the most important factor of any organization; without it the organization loses its records of transactions, customers etc. Any organization, like government or business entities, depends on information systems to support various transactions. Valuable data attracts attackers to steal or corrupt the data; hence the protection of data in motion or at rest is important for information security.
Therefore management should protect the integrity and value of the organization's data by implementing effective information security programs.

(4) Safeguards the technology assets of an organization : To work effectively, an organization should add secure infrastructure services. Small businesses can use an ISP and personal encryption tools for email services, whereas large organizations can use PKI (Public Key Infrastructure), which uses digital certificates to check the confidentiality of the transaction. As the organization grows, more robust security technologies are needed, like firewalls.

1.2.2 Basic Principles of Information Security :

In information security, a system can be :
- A computer component like motherboard, protocol etc.
- An operating system
- A communication system
- Organization staff, structure, policies, procedures etc. as a collection
- Internet
- An application system, like a payroll system etc.

Fig. 1.2.2 (a) : Security Goals (Physical Security, System Security, Hardware and Software Security)

Fig. 1.2.2 (a) shows the three goals of information security. These security goals are the key requirements for security and are also known as the "Pillars of Information Security", which we will see in section 1.3.1.

Onion skin is the ideal approach for security. It is a layered security mechanism; hence the failure of any one security control does not mean the asset is completely unsecured. This layered approach is called "defense-in-depth".

Fig. 1.2.2 (b) : Layered Security

"Defense-in-depth" is the concept of protecting information assets and systems with a series of defensive mechanisms, in such a way that if one mechanism fails, another is already in place to stop an attack.

1.3 Information Security :

1.3.1 Three Pillars of Information Security :

The following figure shows the three pillars of Information Security.
Fig. 1.3.1 : Three Pillars of Information Security (CIA Triad) - Confidentiality, Integrity, Availability

Confidentiality :
- It is used to ensure that only the individuals who have the authority are able to view a piece of information. Unauthorized individuals cannot view data to which they are not entitled.
- It is nothing but the secrecy or concealment of information and resources.
- In sensitive fields like industry, government and military there is a need to keep information secret. In this case only the authorized person can access the information or resources.
- To maintain confidentiality, various mechanisms are used, like resource hiding, cryptography and access control mechanisms.
- Loss of confidentiality is due to the intentional release of a company's private information or the misuse of rights by employees.

Integrity :
- Integrity is related to the generation and modification of data. Only authorized individuals are able to create or change (or delete) information.
- Integrity should ensure that modification or deletion is done by an authorized person only; unauthorized modification should not be possible.
- Data should be consistent internally as well as externally. Internal information should be consistent with all sub-entities as well as with external situations, like the real world.

Availability :
- This is used to ensure that the data or the system is available for use when the authorized user wants to access it. It ensures reliable and timely access to information by an authorized person.

1.3.2 Data Obfuscation (DO) :

- Data obfuscation is a method to prevent the intrusion of private and sensitive data/information.
- Data obfuscation is related to the encryption of data and it is a solution to information theft, because it hides the original information with random characters.
- Data obfuscation is a form of data masking where data is purposely scrambled to prevent unauthorized access to data/information, making it confusing and harder to interpret.
- The terms data obfuscation and data encryption are fundamentally different. Encryption prevents unauthorized users from understanding the data.
- Typically, encryption can be applied when the data is 'at rest', in order to protect the stored data. Encryption can also be applied 'in transit', which protects the information from being compromised during transmission. However, with encryption, authorized users can still have access to the original data.
- Encrypted data cannot be read in its encrypted format; hence it is logically secure, because a suitable key is required for decryption.
- Data obfuscation protects individuals' data in non-production environments by replacing it with representative but fictitious data. In the event of a data loss involving obfuscated data, an unauthorized user may be able to read the data (including field headings), but it will not reflect any individual's details.
- Information protection can therefore be provided through a combination of encryption and data obfuscation.
- Private sector users have similar requirements for a data obfuscation service as part of their testing and support services.
- The use of personal information in government records, medical records, voters lists etc. will create a threat to privacy. Hence many countries are focusing on safeguards for the privacy of personal information. It is necessary for organizations to understand the risk and the need of data protection in terms of privacy of the publicized information. Hence the term data obfuscation is used, which modifies the data items without changing the usefulness of the data.
- Basically, there are extracts taken from production databases.
For example, let's consider investigating system problems, where the personnel involved need to handle data extracted from the production system, which is then sent to other agencies. There can be the following possible situations :
- Normally, the data is needed for testing, where it should be obfuscated and encrypted, or
- the receiving agencies have legal rights to the data, where there is only a need for data encryption.

- In any of the above mentioned cases, only the data which is required should be extracted, not the full data set, and extra protection should be provided by the data obfuscation method.

- Data obfuscation is a batch activity and it is relatively simple to achieve, but sometimes it makes it harder for IT support staff (Customer Service Representatives), who access sensitive personal data at the time of diagnosing system problems, to solve the problem. This is more complex if the personal data itself is causing the problem which the support staff are trying to solve. Here the end-users will always need support staff with the right permission to look at live personal data.

- A higher level of protection is necessary where production data is used in non-production environments.

- Example : An audit report in a medical system, which contains sensitive information, is generated for an external auditor to examine. The job of the auditor is to examine the report for information which shows possible fraud or abuse of information. Management should not provide patients' personal information to the auditor unless and until he needs it. Information should be presented in such a way that the examination of information is allowed but only patterns of information can be detected. When the auditor discovers a probable case of abuse, he may need the real name and other information of the party. In that case he can contact the customer service representative who supplied the report and ask for the information. The data that is read into the application is obfuscated, and the real data is supplied by the customer service representative.
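The audit-report scenario above, worked as an added example (not the textbook's code): identifying fields are replaced by consistent fictitious tokens so the auditor can still spot repeated billing patterns and check aggregate totals, while only the customer service representative holds the lookup table that maps a token back to a real name. The records, field names and token format are constructed for illustration.

```python
"""Consistent pseudonymisation of a medical audit extract (added example, not
the textbook's code; records, field names and token format are constructed)."""
from collections import Counter, defaultdict

# Constructed sample: rows extracted from a fictional billing system.
AUDIT_REPORT = [
    {"patient": "A. Sharma", "doctor": "Dr. Rao", "procedure": "X-RAY", "amount": "1200"},
    {"patient": "A. Sharma", "doctor": "Dr. Rao", "procedure": "X-RAY", "amount": "1200"},
    {"patient": "A. Sharma", "doctor": "Dr. Rao", "procedure": "X-RAY", "amount": "1200"},
    {"patient": "B. Khan", "doctor": "Dr. Rao", "procedure": "ECG", "amount": "800"},
    {"patient": "C. Patel", "doctor": "Dr. Mehta", "procedure": "X-RAY", "amount": "1200"},
]
# Fields that identify a person; procedure and amount stay as-is so the
# auditor can still look for patterns in the masked report.
SENSITIVE_FIELDS = ("patient", "doctor")


def obfuscate(records, sensitive):
    """Replace each distinct sensitive value with a fictitious ASCII token.

    The same real value always maps to the same token, so repeated activity
    is still visible; field headings stay readable. The returned lookup
    (token -> real value) is the only way back and is kept by the customer
    service representative, never sent along with the report."""
    forward = {}                 # (field, real value) -> token
    lookup = {}                  # token -> real value
    next_id = defaultdict(int)   # per-field running number
    masked = []
    for rec in records:
        new = dict(rec)
        for field in sensitive:
            key = (field, rec[field])
            if key not in forward:
                next_id[field] += 1
                forward[key] = f"{field.upper()}-{next_id[field]:04d}"
                lookup[forward[key]] = rec[field]
            new[field] = forward[key]
        masked.append(new)
    return masked, lookup


def repeated_billing(records, threshold=3):
    """Pattern an auditor can detect without real names: the same doctor
    billing the same patient for the same procedure `threshold` or more times."""
    counts = Counter((r["doctor"], r["patient"], r["procedure"]) for r in records)
    return [key for key, n in counts.items() if n >= threshold]


def total_per_doctor(records):
    """Usefulness check: aggregates must be identical before and after masking."""
    totals = defaultdict(int)
    for r in records:
        totals[r["doctor"]] += int(r["amount"])
    return dict(totals)


def leaks_real_values(masked, originals, sensitive):
    """True if any real identifying value survived in the masked extract."""
    real = {r[f] for r in originals for f in sensitive}
    return any(m[f] in real for m in masked for f in sensitive)


def reidentify(token, lookup):
    """CSR step: resolve a token only once the auditor reports a probable case."""
    return lookup[token]


if __name__ == "__main__":
    masked, lookup = obfuscate(AUDIT_REPORT, SENSITIVE_FIELDS)
    for doctor, patient, proc in repeated_billing(masked):
        print((doctor, patient, proc), "->", reidentify(doctor, lookup), reidentify(patient, lookup))
```

The lookup table is the sensitive artefact here: it must stay with the customer service representative and never travel with the masked report.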
- In the case of an organization where sensitive information is provided to a data mining expert, encryption is not a good solution, because the data should be provided in ASCII format. Hence the better solution is to obfuscate the data with a simple substitution cipher technique.

Data obfuscation techniques can be classified by a number of criteria :

- Usefulness : measures how appropriate the obfuscated data set is for use after it has been obfuscated.
- Effectiveness : measures how much time, effort and skill is required by an attacker to understand, reconstruct or remove the obfuscation.
- Resiliency : measures the resources the attacker will need to remove the obfuscation using automated unobfuscation tools.
- Cost : measures the resources and time needed to apply the obfuscation. An obfuscation that causes huge resource usage or takes a long time to create the obfuscated data is said to have a large cost.

1.3.3 Event Classification :

Following are the classifications of events in information security :

- Disaster : It is any event that can cause a significant disruption in the operational and/or computer processing capabilities of the business. It causes permanent and considerable harm to the assets of an organization like hardware, information, property, staff, services etc.

- Crisis : It is the consequence of some event that had been considered a potential risk, or of an unforeseen event. In a crisis, decisions must be made quickly to limit damage to the organization, and if it is not handled carefully then it becomes a disaster.

- Catastrophe : It is an extremely large-scale disaster and dangerous situation, like major troubles resulting from the damage of critical equipment in processing.

Q1 Explain the three pillars of information security.
Q2 Explain why an Information System is important.
Q3 Define the terms Information and Security.
Q4 Describe the term Data Obfuscation.
Q5 Define the following terms - disaster, crisis, catastrophe.
Q6 What is security? Explain the different types of security.
Q7 Explain the different criteria used for classification of information.
Q8 Explain the different levels used in classification of information.
Q9 Explain the need of security in detail.
