INFORMATION SECURITY
Module I: introduction to information security
Lecture 2
1. Need for Security
2. Types of Security
3. Vulnerability
4. Security Goals
5. Security Services and Mechanisms
THE NEED FOR SECURITY
Information security is crucial for protecting
sensitive data from unauthorized access, use,
disclosure, disruption, or destruction. It
safeguards organizational integrity, availability,
and confidentiality, maintaining trust, ensuring
business continuity, and complying with
regulations. Without strong information security
measures, organizations face financial losses,
reputational damage, and operational setbacks.
THE NEED FOR SECURITY (CURRENT SCENARIO)
Nowadays the importance of data has been truly realized.
✔Financial & personal data
Therefore various areas in security began to gain
prominence.
Typical Examples of Basic Security Mechanisms:
✔Authenticate a user -> id, pw
✔Encode -> DB -> not visible to users who do not have the right
permission.
1. User Authentication (id, pw)
● Authentication means verifying that the person trying to access a
system is who they claim to be.
● The most common method is by User ID (username) + Password
(pw).
● Example:
○ User enters id = mrinal and pw = myPassword123.
○ System checks this against stored credentials in the database
(DB).
2. Encoding / Encryption of Passwords
● Passwords should never be stored in plain text in the database.
● Instead, they are encoded or hashed before saving.
○ Hashing (preferred): A one-way function (e.g., SHA-256, bcrypt, Argon2).
○ Encryption: Two-way process (can be decrypted if needed).
Example:
○ User password = myPassword123
○ Hashed version in DB = 2a6c...89f (random-looking string).
So even if someone opens the database, they cannot see the actual password.
3. Database Access Control (Not Visible without Permission)
● Even though passwords are hashed, the DB itself must be protected.
● Permissions (Access Control Lists / Roles) define who can access sensitive data.
Example:
■ Admin: Can see user info (but only hashed passwords).
■ Normal User: Cannot query database directly.
■ Unauthorized person: No access at all.
This ensures that only authorized users/roles can interact with authentication data.
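The three mechanisms above (id/pw authentication, one-way hashing of the stored password, and role-based access to the credentials table) as one worked example; this is added here and is not code from the lecture. It uses a constructed in-memory dictionary as the DB and PBKDF2-HMAC-SHA256 from the Python standard library instead of bcrypt or Argon2 so it runs without extra packages.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # OWASP's current minimum for PBKDF2-HMAC-SHA256
SALT_LEN = 16

# Constructed stand-in for the credentials table: every password is stored
# only as a salted one-way hash, so opening the table reveals no password.
USER_DB = {}  # user id -> {"salt": bytes, "hash": bytes, "role": str}


def hash_password(password, salt):
    # Plain SHA-256 is fast and therefore easy to guess against; PBKDF2
    # (like bcrypt/Argon2) is deliberately slow and salted per user.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(user_id, password, role):
    salt = os.urandom(SALT_LEN)
    USER_DB[user_id] = {"salt": salt, "hash": hash_password(password, salt), "role": role}


def authenticate(user_id, password):
    """Step 1: verify the claimed identity against the stored (hashed) credential."""
    record = USER_DB.get(user_id)
    if record is None:
        # Hash anyway so an unknown id takes as long as a wrong password.
        hash_password(password, bytes(SALT_LEN))
        return False
    # Constant-time comparison of the recomputed hash with the stored one.
    return hmac.compare_digest(hash_password(password, record["salt"]), record["hash"])


# Step 3: role-based view of the table. Admins see the hash but never the
# password; normal users and unauthenticated callers get nothing at all.
FIELDS_BY_ROLE = {"admin": ("user_id", "role", "hash"), "user": ()}


def read_user_record(requesting_role, target_id):
    fields = FIELDS_BY_ROLE.get(requesting_role, ())
    if not fields:
        raise PermissionError("role %r may not query the credentials table" % (requesting_role,))
    record = USER_DB[target_id]
    view = {"user_id": target_id, "role": record["role"], "hash": record["hash"].hex()}
    return {k: view[k] for k in fields}


if __name__ == "__main__":
    register("mrinal", "myPassword123", "user")
    print(authenticate("mrinal", "myPassword123"), authenticate("mrinal", "wrong"))
    print(read_user_record("admin", "mrinal"))
```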
Organizations employed their own mechanisms.
THE NEED FOR SECURITY (IN MODERN LIFE)
• The Internet took the world by storm.
• Technology improved.
• Communication infrastructure became
extremely mature.
• Newer and newer applications began to be developed
for various user demands and needs.
Soon people realized that basic security measures
were not quite enough.
With technological advancements, especially in communication infrastructure, the exchange of information
has become seamless, global, and instantaneous. This maturity of infrastructure has fueled the development
of countless applications across domains such as banking, healthcare, education, e-commerce, social
networking, and governance.
THE NEED FOR SECURITY
1. Protecting Sensitive Information:
Confidentiality: Ensuring that information is accessible only to
authorized individuals.
Integrity: Maintaining the accuracy and completeness of
information, preventing unauthorized modification.
Availability: Ensuring that authorized users can access
information when needed.
Examples: Protecting financial data, customer information,
intellectual property, and trade secrets.
2. Maintaining Business Continuity:
Preventing Downtime: Minimizing disruptions to business
operations due to security breaches or cyberattacks.
Ensuring Operational Efficiency: Protecting systems and data to
maintain smooth workflow and productivity.
3. Protecting Reputation and Trust:
Building Customer Confidence: Demonstrating a commitment to
data protection fosters trust and loyalty.
Avoiding Negative Publicity: Preventing data breaches reduces
the risk of negative media attention and reputational damage.
4. Ensuring Compliance with Regulations:
Legal and Regulatory Requirements: Meeting industry standards
and legal mandates for data protection.
Avoiding Penalties: Complying with regulations helps avoid
fines and legal repercussions.
5. Preventing Financial Losses:
Direct Costs:
Data breaches can lead to significant financial losses from
recovery efforts, legal fees, and fines.
Indirect Costs:
Lost business, reputational damage, and reduced customer trust
can also result in financial losses.
6. Addressing Evolving Threats:
Cyberattacks:
Information security helps defend against increasingly sophisticated
cyber threats like malware, ransomware, and phishing attacks.
Data Breaches:
Protecting against unauthorized access, disclosure, and theft of
sensitive data.
Insider Threats:
Implementing measures to mitigate risks from malicious or negligent
insiders.
7. Supporting Technological Advancements:
Cloud Computing: Ensuring the security of data stored and
processed in cloud environments.
Mobile Computing: Protecting data on mobile devices and networks.
Internet of Things (IoT): Securing devices and data within the
growing IoT ecosystem.
In conclusion, information security is essential for organizations of
all sizes to protect their valuable assets, maintain their reputation,
and ensure their long-term success in an increasingly digital and
interconnected world.
THE NEED FOR SECURITY
• Protect sensitive data from unauthorized access or
disclosure.
• Prevent data loss or corruption from attacks or system
failures.
• Ensure business continuity and avoid financial/legal
consequences.
• Build trust with customers and stakeholders.
• Comply with data protection laws and industry
regulations.
WHAT IS INFORMATION SECURITY?
Definition: Protection of information and systems from
unauthorized access, use, disclosure, disruption, modification, or
destruction.
Why It Matters: Ensures data privacy, integrity, and availability
in the digital world.
KEY ASPECTS OF INFORMATION SECURITY
1. Confidentiality: Ensuring that sensitive information is only accessible to authorized
individuals.
2. Integrity: Protecting information from unauthorized modification or destruction.
3. Availability: Ensuring that authorized users have timely and reliable access to information
when needed.
4. Authenticity: Verifying the identity of users and systems to ensure they are who they claim to
be.
5. Non-repudiation: Preventing users from denying actions they have performed, especially
with sensitive data.
6. Risk Management: Identifying, assessing, and mitigating potential threats and vulnerabilities.
7. Compliance: Meeting legal and regulatory requirements related to data protection.
THE BIGGEST THREAT TO INFORMATION SECURITY IS PEOPLE INSIDE THE ORGANIZATION.
• Most problems are caused by insiders rather than external attackers.
• Employees, contractors, or others with authorized access to the company’s systems
or physical premises can intentionally or unintentionally misuse their access,
impacting the organization’s critical data or systems.
• Careless employees who do not adhere to organizational processes and regulations
can cause numerous issues. For example, they might inadvertently email customer
information to external parties, click on phishing links, or share their login
credentials with others.
• Some individuals bypass security measures out of convenience or misguided
attempts to increase productivity.
• Malicious employees may deliberately evade cybersecurity protocols to delete data,
steal information for personal gain, disrupt operations, or otherwise harm the
business.
PRINCIPLES OF SECURITY
• Confidentiality – Prevent disclosure to unauthorized
individuals.
• Integrity – Protect data from unauthorized modification.
• Availability – Ensure reliable access to systems and data.
• Authentication – Verify user identities.
• Authorization – Grant appropriate access rights.
• Non-repudiation – Prevent denial of actions.
SECURITY GOALS
• Primary Goals (CIA Triad):
  - Confidentiality – Prevent unauthorized access
  - Integrity – Ensure data is not tampered with
  - Availability – Ensure systems are up and accessible
• Extended Goals: Authentication, Accountability, Non-repudiation
TYPES OF IT SECURITY
There are four main types of IT security that are important to understand when it comes to
security. IT security is the process of protecting all data of a particular entity, both electronic
and physical.
Network security – The security between different devices located on the same network. In
this case, both software security and hardware security are important. When securing a
network, companies look to make sure that their network won’t be used maliciously.
End-point security – In this situation, security is focused on the devices used. This means that
laptops, phones, computers, tablets, etc. are secure (again, both software and hardware) to
avoid unwanted users sneaking in. This often involves various methods of encryption, user
controls, and of course, software security.
Internet security – This is what is commonly known as cybersecurity and deals with the
transit and use of information. Cybersecurity attacks happen when information is intercepted
and therefore various layers of encryption and authentication are typically used to stop these
attacks.
Cloud security – Cloud security revolves around lowering software security risks within the
cloud. Some of the concepts in cloud security overlap with the other forms of security listed
here, in having to secure data transfers, and devices on the same network.
CHALLENGES IN SECURITY
1. Widespread use of computers connected to the Internet
2. Software tools are freely available
3. Importance of information
4. Lack of awareness, ignorance, or hesitation
PROTECTION
Protection against unauthorized access, whether intentional or unintentional.