Isf Unit I

This document provides an overview of Information Security, emphasizing its importance in protecting sensitive data from unauthorized access and various threats. It outlines the core principles of Information Security, including Confidentiality, Integrity, Availability, and Non-repudiation, while also discussing the types of threats and attacks that can compromise security. The document highlights the need for effective security measures to ensure compliance, maintain trust, and protect both organizational and personal information.

Uploaded by

Pranay 3301

UNIT I: Introduction to Information Security

Introduction to Information Security, Need for Security - Threats to security &
Attacks, Computer System Security and Access Controls - System access and data
access.

Introduction to Information Security:

Information Security refers to the practices and technologies designed to protect data and
systems from unauthorized access, misuse, or harm. It ensures that sensitive information
remains safe and accessible only to those who are authorized.

EX:
Information Security is not only about securing information from unauthorized access.
Information Security is basically the practice of preventing unauthorized access, use,
disclosure, disruption, modification, inspection, recording, or destruction of information.
Information can be physical or electronic. It can be anything: your personal details, your
profile on social media, the data on your mobile phone, your biometrics, etc. Thus
Information Security spans many research areas, such as Cryptography, Mobile Computing,
Cyber Forensics, Online Social Media, etc.

Why Do We Use Information Security?

We use information security to protect valuable information assets from a wide range of
threats, including theft and cybercrime. Here are some key reasons why information security
is important:
• Protect sensitive data: Keep personal, financial, and confidential information safe
from theft or misuse.
• Mitigate risks: Prevent cyberattacks, breaches, and unauthorized access.
• Ensure compliance: Adhere to laws and regulations regarding data protection.
• Maintain trust: Preserve reputation and reliability by preventing security incidents.
• Ensure continuity: Keep critical systems operational even in the face of disruptions.

What are the 3 Principles of Information Security? The three core principles, known as
the CIA Triad, are:
1. Confidentiality: Ensuring information is accessible only to those who have
permission.
Ex:
Confidentiality means information is not disclosed to unauthorized individuals, entities,
or processes. For example, suppose I have a password for my Gmail account and someone
watched me type it while I was logging in. In that case my password has been
compromised and confidentiality has been breached.
2. Integrity: Ensuring data remains accurate and unchanged except by authorized
entities.
EX:
Integrity means maintaining the accuracy and completeness of data, so that data cannot
be edited in an unauthorized way. For example, if an employee leaves an organisation,
then the data for that employee in all departments, such as accounts, should be updated
to reflect the status JOB LEFT so that the data is complete and accurate; in addition,
only authorized persons should be allowed to edit employee data.
3. Availability: Ensuring information and systems are accessible when needed by
authorized users.
EX:
Availability means information must be available when needed. For example, if one needs
to access the information of a particular employee to check whether the employee has
exceeded their number of leaves, that requires collaboration between different
organizational teams such as network operations, development operations, incident
response and policy/change management. A denial-of-service attack is one factor that
can hamper the availability of information.

Apart from these, one more principle governs information security programs:
non-repudiation.
Non-Repudiation: Ensures no one can deny sending or receiving a message, by
using tools like digital signatures. It depends on data integrity and authenticity.
Authenticity: Verifies that users and sources are genuine to ensure secure
communication.
Accountability: Tracks the actions of entities, ensuring every activity is traceable for
transparency and responsibility.
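The integrity and authenticity checks discussed above, worked through as an added example (this code is not part of the original notes). It uses a SHA-256 digest to detect any change to an employee record (Integrity) and an HMAC under a shared key to confirm who produced the record (Authenticity). The record, the key, and the "JOB LEFT" update are constructed sample values.

```python
# Added example (not part of the original notes): checking the Integrity of a
# record with a SHA-256 digest, and checking Authenticity with an HMAC.
# The employee record and the shared key below are constructed sample values.
import hashlib
import hmac
import json

# Constructed sample record (hypothetical employee data).
RECORD = {"employee_id": 1042, "name": "A. Example", "status": "ACTIVE"}

# Constructed shared secret; in practice it would come from a key store.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def canonical(record: dict) -> bytes:
    """Serialise the record deterministically so the same data always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def digest(record: dict) -> str:
    """Integrity: a SHA-256 digest that changes if any field of the record changes."""
    return hashlib.sha256(canonical(record)).hexdigest()


def sign(record: dict, key: bytes) -> str:
    """Authenticity: an HMAC tag that only holders of the shared key can produce."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes) -> bool:
    """Constant-time comparison avoids leaking how many bytes of the tag matched."""
    return hmac.compare_digest(sign(record, key), tag)


def demo() -> dict:
    stored_digest = digest(RECORD)
    tag = sign(RECORD, SHARED_KEY)

    # An authorized update (employee leaves): the change is visible in the digest,
    # and the authorized editor would recompute digest and tag afterwards.
    updated = dict(RECORD, status="JOB LEFT")

    # An unauthorized edit: the name is changed but no valid tag can be produced
    # for the new content without the key.
    tampered = dict(RECORD, name="B. Impostor")

    return {
        "original_ok": digest(RECORD) == stored_digest and verify(RECORD, tag, SHARED_KEY),
        "updated_detected": digest(updated) != stored_digest,
        "tampered_rejected": not verify(tampered, tag, SHARED_KEY),
        # A tag made with the wrong key must also be rejected.
        "wrong_key_rejected": not verify(RECORD, sign(RECORD, b"other-key"), SHARED_KEY),
    }
```

One caveat that matters for the non-repudiation principle: an HMAC gives integrity and authenticity but not non-repudiation, because both sender and receiver hold the same key and either of them could have produced the tag. Non-repudiation needs a digital signature, where only the signer holds the private key.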
Need Of Information Security

Information security means considering the countermeasures or controls prompted
by uncovered vulnerabilities and identifying the areas where more work is needed.
The purpose of data security management is to ensure business continuity and reduce
business injury by preventing and minimizing the impact of security incidents.

The basic principles of Information Security are:

1. Confidentiality: Confidentiality refers to protecting sensitive information from
unauthorized access or disclosure. This involves keeping confidential data secure and
accessible only to those who are authorized to access it.
2. Authentication: Authentication is a crucial aspect of the principle of Information
Security and is used to verify the identity of individuals or systems attempting to
access sensitive information or systems. It is a process of verifying that a person or
system is who or what it claims to be. Authentication is a critical component of
Confidentiality and Availability as it helps prevent unauthorized access to sensitive
information and systems.
3. Non-Repudiation: Non-repudiation is a principle of Information Security that refers
to the ability to prove that an action or transaction took place and that it was
performed by a specific individual or system. The term “non-repudiation” implies that
an action or transaction cannot be denied by the individual or system that performed
it.
4. Integrity: Integrity refers to the accuracy and completeness of information and the
prevention of unauthorized or accidental modification of data. This ensures that data
is not tampered with and remains trustworthy.

The need for Information security:

Information security is essential for protecting sensitive and valuable data from
unauthorized access, use, disclosure, disruption, modification, or destruction. Here are
some of the key reasons why information security is important:
Protecting Confidential Information: Confidential information, such as personal
data, financial records, trade secrets, and intellectual property, must be kept secure to
prevent it from falling into the wrong hands. This type of information is valuable and
can be used for identity theft, fraud, or other malicious purposes.
Complying with Regulations: Many industries, such as healthcare, finance, and
government, are subject to strict regulations and laws that require them to protect
sensitive data. Failure to comply with these regulations can result in legal and
financial penalties, as well as damage to the organization’s reputation.
Maintaining Business Continuity: Information security helps ensure that critical
business operations can continue in the event of a disaster, such as a cyber-attack or
natural disaster. Without proper security measures in place, an organization’s data and
systems could be compromised, leading to significant downtime and lost revenue.
Protecting Customer Trust: Customers expect organizations to keep their data safe
and secure. Breaches or data leaks can erode customer trust, leading to a loss of
business and damage to the organization’s reputation.
Preventing Cyber-attacks: Cyber-attacks, such as viruses, malware, phishing, and
ransomware, are becoming increasingly sophisticated and frequent. Information
security helps prevent these attacks and minimizes their impact if they do occur.
Protecting Employee Information: Organizations also have a responsibility to
protect employee data, such as payroll records, health information, and personal
details. This information is often targeted by cybercriminals, and its theft can lead to
identity theft and financial fraud.

Threats to security & Attacks:

Security threats are potential threats to your computer’s efficient operation and
performance. They range from relatively harmless adware to dangerous trojan infections.
As the world becomes more digital, computer security concerns are constantly evolving. A
threat in a computer system is a potential danger that could jeopardize your data
security. At times, the damage is irreversible.

Types of Threats:
A security threat is a threat that has the potential to harm computer systems and
organizations. The cause could be physical, such as a computer containing sensitive
information being stolen. It’s also possible that the cause isn’t physical, such as a virus
attack.
1. Physical Threats: A physical threat to computer systems is a potential cause of an
occurrence/event that could result in data loss or physical damage. It can be classified
as:
• Internal: Caused by short circuits, fire, an unstable power supply, hardware failure due
to excess humidity, etc.
• External: Caused by disasters such as floods, earthquakes, landslides, etc.
• Human: Destruction of infrastructure and/or hardware, theft, disruption, and
unintentional/intentional errors are among the threats.
2. Non-physical threats: A non-physical threat is a potential source of an incident
that could result in:
• Hampering of the business operations that depend on computer systems.
• Loss of sensitive data or information.
• Illegally tracking the activities on someone else’s computer system.
• Stealing users’ IDs and passwords, etc.

What is a Threat?
A threat is a possible security violation that might exploit the vulnerability of a system
or asset. The origin of the threat may be accidental, environmental (natural disaster),
human negligence, or human failure. Different types of security threats are
interruption, interception, fabrication, and modification.

Types of Threats
• Unstructured Threats: Unstructured threats are typically executed by inexperienced
individuals using easily accessible hacking tools like shell scripts and password
crackers. Even if executed solely to test a hacker’s skills, they can cause significant
damage to a company.
• Structured Threats: A structured threat involves an organized attempt to breach a
specific network or organization. These threats come from highly motivated and
technically proficient hackers.
• External Threats: External threats come from individuals or organizations
working outside the company. They do not have authorized access to the computer
systems and network. They typically enter a network via the Internet or dial-up access
servers.
• Internal Threats: Internal threats occur through authorized network access, whether
through a server account or physical access.

What is an Attack?

An attack is a deliberate unauthorized action on a system or asset. Attacks can be
classified as active and passive attacks. An attack will have a motive and will follow a
method when the opportunity arises.

Types of Attack
• Active Attack: Active attacks aim to manipulate system resources or impact their
operation.
• Passive Attack: Passive attacks aim to extract sensitive information from a system
without affecting its resources.

Active Attacks
Active attacks are unauthorized actions that alter the system or data. In an active
attack, the attacker will directly interfere with the target to damage or gain
unauthorized access to computer systems and networks. This is done by injecting
hostile code into communications, masquerading as another user, or altering data to
get unauthorized access.

Types of active attacks are as follows:
1. Masquerade Attack
2. Modification of Messages
3. Repudiation
4. Replay Attack
5. Denial of Service (DoS) Attack

1. Masquerade Attack
A masquerade attack is a type of cyber attack in which the attacker disguises
himself to pose as some other person and accesses systems or data. It could involve
impersonating a legitimate user or system and demanding that other users or systems
provide sensitive information or access to areas that are not normally supposed to be
accessed. This may even include behaving like an actual user or some component of
the system with the intention of manipulating people into giving out their private
information or allowing entry into secured locations.

There are several types of masquerading attacks, including:
• Username and Password Masquerade: In this masquerade attack, a person uses
either stolen or even forged credentials to authenticate themselves as a valid user
while gaining access to the system or application.
• IP address masquerade: This is an attack where the IP address of a malicious user is
spoofed or forged such that the source from which the system or the application is
accessed appears to be trusted.
• Website masquerade: A hacker creates a fake website that resembles a legitimate
one in order to gain user information or even get the user to download malware.
• Email masquerade: This is an e-mail masquerade attack through which an attacker
sends an email that appears to come from a trusted source, so that the recipient
mistakenly shares sensitive information or downloads malware.
[Figure: Masquerade Attack]

2. Modification of Messages
This is when someone changes parts of a message without permission, or mixes up
the order of messages, to cause trouble. Imagine someone secretly changing a letter
you sent, making it say something different. This kind of attack breaks the trust in the
information being sent. For example, a message meaning “Allow JOHN to read
confidential file X” is modified to “Allow Smith to read confidential file X”.

[Figure: Modification of messages]

3. Repudiation
Repudiation attacks are a type of cyber attack wherein some person does something
damaging online, such as making a financial transaction or sending a message they
do not want to have sent, and then denies having done it. Such attacks can seriously
hinder the ability to trace the origin of the attack or to identify who is responsible for
a given action, making it tricky to hold the right person responsible.
There are several types of repudiation attacks, including:
• Message repudiation attacks: In this attack, a message has been sent by an attacker,
but the attacker later denies sending the message. This can be achieved either
through spoofed or modified headers or by exploiting vulnerabilities in the
messaging system.
• Transaction repudiation attacks: Here, a transaction (for example, a monetary
transaction) is made, and when evidence of it is later requested, the attacker denies
ever performing that particular transaction. This can be executed either by taking
advantage of a vulnerability in the transaction processing system or by the use of
stolen or forged credentials.
• Data repudiation attacks: In a data repudiation attack, data is changed or deleted,
and the attacker later claims never to have done this. This can be done by
exploiting vulnerabilities in the data storage system or by using stolen or falsified
credentials.

4. Replay

A replay attack is the passive capture of a message with the objective of retransmitting
it to produce an authorized effect. Thus, in this type of attack, the main objective of
the attacker is to save a copy of the data that was originally present on that particular
network and later reuse it for their own purposes. Once the data has been corrupted or
leaked in this way, it becomes an insecure and unsafe tool for its users.
[Figure: Replay]
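A receiver that detects the replay described above, as an added example that is not part of the original notes. Each message carries a random nonce and a timestamp and is authenticated with an HMAC under a constructed shared key; the receiver rejects a message whose tag does not verify, whose timestamp falls outside a freshness window, or whose nonce it has already seen. The message body, key, window length and timestamps are all constructed values.

```python
# Added example (not part of the original notes): detecting replayed messages
# with a nonce, a timestamp and an HMAC under a constructed shared key.
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed-demo-key"   # constructed sample value
FRESHNESS_WINDOW = 30                   # seconds a message stays acceptable


def make_message(body: str, now: int, key: bytes = SHARED_KEY) -> dict:
    """Sender side: attach a fresh random nonce, the current time and an HMAC tag."""
    nonce = secrets.token_hex(16)
    payload = f"{nonce}|{now}|{body}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"nonce": nonce, "ts": now, "body": body, "tag": tag}


class ReplayGuard:
    """Receiver side: remembers the nonces seen inside the freshness window."""

    def __init__(self, key: bytes = SHARED_KEY, window: int = FRESHNESS_WINDOW):
        self.key = key
        self.window = window
        self.seen: dict[str, int] = {}   # nonce -> timestamp it arrived with

    def accept(self, msg: dict, now: int) -> tuple[bool, str]:
        payload = f"{msg['nonce']}|{msg['ts']}|{msg['body']}".encode()
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        # 1. Authenticity first: a forged or altered message is rejected outright.
        if not hmac.compare_digest(expected, msg["tag"]):
            return False, "bad tag"
        # 2. Freshness: a captured message replayed after the window is stale.
        if abs(now - msg["ts"]) > self.window:
            return False, "stale timestamp"
        # 3. Uniqueness: the same nonce inside the window means a replay.
        if msg["nonce"] in self.seen:
            return False, "replayed nonce"
        self.seen[msg["nonce"]] = msg["ts"]
        # Forget nonces that the timestamp check would reject anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        return True, "ok"


def demo() -> list[str]:
    guard = ReplayGuard()
    t0 = 1_000_000                                   # constructed clock value
    msg = make_message("transfer 100 to account 42", t0)   # constructed body
    results = [
        guard.accept(msg, t0 + 1)[1],      # first delivery: ok
        guard.accept(msg, t0 + 5)[1],      # replayed copy: replayed nonce
        guard.accept(msg, t0 + 3600)[1],   # replayed much later: stale timestamp
    ]
    forged = dict(msg, body="transfer 100000 to account 42")
    results.append(guard.accept(forged, t0 + 2)[1])   # altered body: bad tag
    return results
```

The order of the checks is deliberate: the tag is verified before the nonce is recorded, so an attacker cannot fill the seen-nonce table with unauthenticated junk, and the timestamp bounds how long that table has to be kept.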

5. Denial of Service (DoS) Attack

Denial of Service (DoS) is a form of cybersecurity attack that involves denying the
intended users of a system or network access to it by flooding it with traffic or requests.
In a DoS attack, the attacker floods a target system or network with traffic or requests in
order to consume the available resources such as bandwidth, CPU cycles, or memory
and prevent legitimate users from accessing them.

There are several types of DoS attacks, including:
• Flood attacks: Here, an attacker sends such a large number of packets or requests to a
system or network that it cannot handle them all and the system crashes.
• Amplification attacks: In this category, the attacker increases the power of an attack
by utilizing another system or network to increase the traffic, then directs it all at the
target to boost the strength of the attack.

To prevent DoS attacks, organizations can implement several measures, such as:
1. Using firewalls and intrusion detection systems to monitor network traffic and
block suspicious activity.
2. Limiting the number of requests or connections that can be made to a system or
network.
3. Using load balancers and distributed systems to distribute traffic across multiple
servers or networks.
4. Implementing network segmentation and access controls to limit the impact of a
DoS attack.
[Figure: Denial of Service]
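Measure 2 in the list above, limiting the number of requests a client can make, worked through as an added example that is not part of the original notes. It is a per-client token-bucket limiter: every client gets a bucket of tokens that refills at a fixed rate, a request spends one token, and a client that has spent its bucket is dropped until it refills. The two clients, their addresses and their request timings are constructed sample data, not real traffic.

```python
# Added example (not part of the original notes): a per-client token-bucket rate
# limiter. Clients, addresses and arrival times below are constructed sample data.
from collections import defaultdict


class TokenBucket:
    """Each client gets `capacity` tokens, refilled at `rate` tokens per second."""

    def __init__(self, capacity: int, rate: float):
        self.capacity = capacity
        self.rate = rate
        self.tokens = float(capacity)
        self.last = None   # time of the previous request, None before the first

    def allow(self, now: float) -> bool:
        # Refill in proportion to the time elapsed, but never above capacity.
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False   # bucket empty: the request is dropped


class RateLimiter:
    """One bucket per client so that a flooding client cannot starve the others."""

    def __init__(self, capacity: int = 5, rate: float = 1.0):
        self.buckets = defaultdict(lambda: TokenBucket(capacity, rate))

    def check(self, client: str, now: float) -> bool:
        return self.buckets[client].allow(now)


def simulate(requests):
    """requests: iterable of (timestamp, client_ip). Returns allowed/dropped counts per client."""
    limiter = RateLimiter(capacity=5, rate=1.0)
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, ip in requests:
        key = "allowed" if limiter.check(ip, ts) else "dropped"
        stats[ip][key] += 1
    return dict(stats)


# Constructed arrivals: a normal client sends one request per second for ten
# seconds; a flooding client sends fifty requests within half a second.
NORMAL = [(float(t), "10.0.0.5") for t in range(10)]
FLOOD = [(i * 0.01, "10.0.0.99") for i in range(50)]

if __name__ == "__main__":
    print(simulate(NORMAL + FLOOD))
```

With a capacity of 5 and a refill rate of 1 token per second, the normal client is never throttled, while the flooding client gets its first five requests through and the remaining forty-five dropped. The per-client bucket is what keeps the flood from affecting the well-behaved client; a single global bucket would throttle both.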

Passive Attacks
A passive attack attempts to learn or make use of information from the system but
does not affect system resources. Passive attacks are in the nature of eavesdropping
on or monitoring transmissions. The goal of the opponent is to obtain information that
is being transmitted. Passive attacks involve an attacker passively monitoring or
collecting data without altering or destroying it. Examples of passive attacks
include eavesdropping, where an attacker listens in on network traffic to collect
sensitive information, and sniffing, where an attacker captures and analyzes data
packets to steal sensitive information.

Types of passive attacks are as follows:
1. The Release of Message Content
2. Traffic Analysis

1. The Release of Message Content
A telephone conversation, an electronic mail message, or a transferred file may contain
sensitive or confidential information. We would like to prevent an opponent from
learning the contents of these transmissions.
[Figure: Passive attack]

2. Traffic Analysis
Suppose that we had a way of masking (encrypting) information, so that the attacker,
even having captured the message, could not extract any information from it.
The opponent could still determine the location and identity of the communicating
hosts and could observe the frequency and length of the messages being exchanged.
This information might be useful in guessing the nature of the communication that was
taking place.
The most useful protection against traffic analysis is encryption of SIP traffic. With
this in place, an attacker would have to access the SIP proxy (or its call log) to
determine who made the call.
[Figure: Traffic analysis]

Computer System Security and Access Controls:

Computer security refers to protecting and securing computers and their related data,
networks, software, and hardware from unauthorized access, misuse, theft, information
loss, and other security issues. The Internet has made our lives easier and has
provided us with lots of advantages, but it has also put our systems’ security at risk of
being infected by a virus, being hacked, information theft, damage to the system,
and much more.

Three key objectives are at the heart of computer security:

1. Confidentiality: Preserving authorized restrictions on information access and
disclosure, including means for protecting personal privacy and proprietary
information. A loss of confidentiality is the unauthorized disclosure of information.
This term covers two related concepts:
• Data confidentiality: Assures that private or confidential information is not made
available or disclosed to unauthorized individuals.
• Privacy: Assures that individuals control or influence what information related to
them may be collected and stored and by whom and to whom that information may be
disclosed.
2. Integrity: Guarding against improper information modification or destruction,
including ensuring information nonrepudiation and authenticity. A loss of integrity is
the unauthorized modification or destruction of information. This term covers two
related concepts:
• Data integrity: Assures that information (both stored and in transmitted packets) and
programs are changed only in a specified and authorized manner.
• System integrity: Assures that a system performs its intended function in an
unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of
the system.
3. Availability: Ensuring timely and reliable access to and use of information. A loss
of availability is the disruption of access to or use of information or an information
system. Availability assures that systems work promptly and service is not denied to
authorized users.

Importance of Access Control

Access control is a foundational aspect of computer system security. It regulates who
can access specific resources and what actions they can perform. By enforcing strict
access rules, organizations protect sensitive data from unauthorized individuals,
thereby minimizing the risk of data breaches, ensuring compliance with regulations
(like GDPR or HIPAA), and maintaining overall security posture.

Key Components of Access Control

Several key components are integral to an effective access control system, including:
1. Authentication: Verifying the identity of users attempting to access resources,
typically through methods like passwords, biometric scans, or multi-factor
authentication (MFA).
2. Authorization: Once authenticated, determining what resources a user can access and
what actions they can perform based on predefined permissions.
3. Access Management: Implementing security policies to manage user access
effectively, which involves adding and removing permissions as users change roles.
4. Audit and Monitoring: Keeping track of access attempts and maintaining logs for
regulatory compliance and for identifying suspicious activities.
5. Accountability: Ensuring that actions taken by users can be traced back to them,
crucial for conducting security audits and responding to incidents.

Types of Access Control Models

There are several models that define how access can be controlled within an
organization:
• Discretionary Access Control (DAC): Resource owners determine who can access
their resources. It’s flexible but can lead to security risks.
• Mandatory Access Control (MAC): Access decisions are made based on security
classifications assigned to both the resources and the users, ideal for high-security
environments.
• Role-Based Access Control (RBAC): Access rights are assigned based on the role of
users within the organization, simplifying management by grouping users by their
roles.
• Attribute-Based Access Control (ABAC): Access is determined by multiple
attributes of users, resources, and the environment, providing a highly granular and
flexible approach.

Emerging Trends in Access Control

With the rise of cloud computing, remote work, and advanced cyber threats,
organizations face new challenges in access management. Key trends include:
• Zero Trust Security: This model emphasizes never assuming trust and requiring
continuous verification for access to resources, adapting access permissions based on
real-time contexts.
• Identity and Access Management (IAM): IAM solutions help centralize user
management and enforce security policies across a diverse IT environment, crucial for
maintaining effective access control.
• Passwordless Authentication: Increasingly seen as a more secure alternative to
traditional password-based systems, leveraging biometrics or cryptographic keys
instead of passwords.

System access and data access:

System access and data access are related but distinct concepts in cybersecurity and
information management. System access refers to the ability to interact with and use a
system, while data access refers to the ability to retrieve, modify, or move data within
that system.

System Access:
Definition:
System access grants users or systems the ability to interact with and use a specific
computer system or network resource.
Purpose:
It's a fundamental aspect of security that controls who can log into a system, use its
resources, and perform actions on it.
Methods:
System access is typically controlled through authentication (verifying a user's
identity) and authorization (determining what actions a user is allowed to perform).
Examples:
Accessing a computer network, logging into a web application, or running commands
on a server.

Data Access:
Definition:
Data access refers to the ability to retrieve, modify, copy, or move data stored within a
system or database.
Purpose:
It enables users and applications to interact with and utilize data for various purposes,
such as reporting, analytics, and decision-making.
Methods:
Data access is controlled through access control mechanisms that determine which
users or systems have permission to access specific data and what actions they are
allowed to perform on it.
Examples:
Accessing customer information in a database, reading a file on a server, or modifying
a record in a spreadsheet.

Relationship:
System access is a prerequisite for data access. A user or system must have the
necessary system permissions to log into a system and then have the appropriate data
access permissions to access specific data within that system.
Data access is often managed separately from system access, allowing for finer-
grained control over data sensitivity and usage.
Strong system and data access control is crucial for maintaining data security,
preventing unauthorized access, and ensuring compliance with relevant regulations.

Types of Access Controls

1. Discretionary Access Control (DAC):
o Access is determined by the owner of the resource.
o Owners grant permissions to specific users or groups as they see fit.
o Example: A file owner decides who can read, write, or execute their file.
2. Mandatory Access Control (MAC):
o Access is governed by strict policies set by administrators.
o Permissions are assigned based on classifications, such as security levels.
o Example: A military system where data access depends on clearance level.
3. Role-Based Access Control (RBAC):
o Access is determined by the roles assigned to users.
o Each role comes with predefined permissions relevant to their function.
o Example: A database admin role has full access to manage data, while an
analyst can only read data.
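The three models listed here (and in the earlier "Types of Access Control Models" section) as policy checks in code, an added example that is not part of the original notes. DAC consults an owner-maintained access control list; MAC compares the user's clearance with the object's classification, using the Bell-LaPadula "no read up, no write down" rules as the concrete policy (an assumption chosen for the example, since the notes only say that access depends on clearance level); RBAC looks permissions up through the user's roles. The users, files, roles, clearances and the access control list are constructed sample data.

```python
# Added example (not part of the original notes): DAC, MAC and RBAC decisions
# over constructed sample users, resources, clearances and roles.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


def dac_allowed(acl: dict, owner: str, user: str, resource: str, action: str) -> bool:
    """DAC: the owner may do anything with their own resource and grants others
    explicit permissions through an access control list (resource -> user -> actions)."""
    if user == owner:
        return True
    return action in acl.get(resource, {}).get(user, set())


def mac_allowed(clearance: str, classification: str, action: str) -> bool:
    """MAC with Bell-LaPadula rules (assumed policy): no read up, no write down.
    Clearances and classifications are set by administrators, not by users."""
    c, o = LEVELS[clearance], LEVELS[classification]
    if action == "read":
        return c >= o   # may read objects at or below own clearance
    if action == "write":
        return c <= o   # may write objects at or above own clearance
    return False


def rbac_allowed(roles: dict, user_roles: dict, user: str, action: str) -> bool:
    """RBAC: permissions attach to roles; a user holds the union of their roles' permissions."""
    return any(action in roles[r] for r in user_roles.get(user, ()))


# Constructed sample policy data.
ACL = {"report.txt": {"bob": {"read"}}}        # alice owns it; bob may only read
ROLES = {"db_admin": {"read", "write", "delete"}, "analyst": {"read"}}
USER_ROLES = {"dana": ["db_admin"], "eve": ["analyst"]}


def demo() -> dict:
    return {
        "dac_owner_write": dac_allowed(ACL, "alice", "alice", "report.txt", "write"),
        "dac_bob_read": dac_allowed(ACL, "alice", "bob", "report.txt", "read"),
        "dac_bob_write": dac_allowed(ACL, "alice", "bob", "report.txt", "write"),
        "mac_secret_reads_confidential": mac_allowed("SECRET", "CONFIDENTIAL", "read"),
        "mac_confidential_reads_secret": mac_allowed("CONFIDENTIAL", "SECRET", "read"),
        "mac_secret_writes_confidential": mac_allowed("SECRET", "CONFIDENTIAL", "write"),
        "rbac_admin_delete": rbac_allowed(ROLES, USER_ROLES, "dana", "delete"),
        "rbac_analyst_delete": rbac_allowed(ROLES, USER_ROLES, "eve", "delete"),
        "rbac_analyst_read": rbac_allowed(ROLES, USER_ROLES, "eve", "read"),
    }
```

The contrast the notes draw is visible in the code: under DAC the decision depends on what alice chose to put in the ACL, under MAC it depends only on labels an administrator assigned, and under RBAC changing what eve may do means changing the analyst role, not eve's own entry.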

Emerging Security Mechanisms

1. Biometrics and Zero-Trust Models for System Access:
o Biometrics like fingerprint or facial recognition ensure user authenticity.
o Zero-trust models require continuous verification, assuming no user or device
is inherently trustworthy.
2. Data Masking, Encryption, and Tokenization for Data Access:
o Data masking hides sensitive parts of data, displaying only what's necessary.
o Encryption transforms data into unreadable formats without the decryption
key.
o Tokenization replaces sensitive data with unique identifiers (tokens), ensuring
its safety during processing.
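Data masking and tokenization from point 2 above, as an added example that is not part of the original notes. Masking keeps only the part of a value a downstream system needs to see; tokenization swaps the value for a random token whose mapping lives only in a vault, so the system processing the order never holds the card number. The customer record is constructed, and the in-memory dictionary vault stands in for what would be a separately secured store.

```python
# Added example (not part of the original notes): masking and tokenizing fields
# of a constructed customer record before handing it to a downstream system.
import secrets


def mask_card(pan: str, visible: int = 4) -> str:
    """Masking: show only the last `visible` digits; everything else becomes '*'."""
    digits = pan.replace(" ", "")
    return "*" * (len(digits) - visible) + digits[-visible:]


def mask_email(addr: str) -> str:
    """Masking: keep the first character of the local part and the full domain."""
    local, _, domain = addr.partition("@")
    return local[:1] + "*" * (len(local) - 1) + "@" + domain


class TokenVault:
    """Tokenization: sensitive values are swapped for random tokens. The mapping
    lives only in the vault, so systems that handle tokens never see the value."""

    def __init__(self):
        self._by_token: dict[str, str] = {}
        self._by_value: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value in self._by_value:            # same value -> same token
            return self._by_value[value]
        token = "tok_" + secrets.token_urlsafe(12)   # random, not derived from value
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (and whoever is authorized to call it) can reverse a token."""
        return self._by_token[token]


def process_order(record: dict, vault: TokenVault) -> dict:
    """What a downstream system (reporting, analytics) is allowed to see."""
    return {
        "customer": mask_email(record["email"]),
        "card_display": mask_card(record["card"]),
        "card_token": vault.tokenize(record["card"]),
        "amount": record["amount"],
    }


# Constructed sample record (not real data).
SAMPLE = {"email": "asha.customer@example.org", "card": "4111 1111 1111 1111", "amount": 250}


def demo() -> dict:
    vault = TokenVault()
    out = process_order(SAMPLE, vault)
    return {
        "masked_card": out["card_display"],
        "masked_email": out["customer"],
        "token_is_not_pan": out["card_token"] != SAMPLE["card"],
        "token_roundtrips": vault.detokenize(out["card_token"]) == SAMPLE["card"],
        "token_is_stable": vault.tokenize(SAMPLE["card"]) == out["card_token"],
    }
```

The token is random rather than a hash of the card number on purpose: a hash of a 16-digit value could be reversed by trying all candidates, whereas a random token carries no information about the value without the vault.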

Challenges or Risks
1. Over-Privileged Accounts in System Access:
o Users with excessive permissions can accidentally or intentionally
compromise systems.
o Regular audits and least privilege principles help mitigate this risk.
2. Safeguarding Data Access in Multi-Cloud Environments:
o Managing data permissions across multiple cloud providers can be complex.
o Solutions like unified identity management and encryption can address
security gaps.
