Information Security Lecture Notes
The classification that has been assigned to a particular information asset should be reviewed periodically to ensure the classification is still appropriate for the information, and to ensure the security controls required by the classification are in place and are followed correctly.

Access control

Access to protected information must be restricted to people who are authorized to access the information.
The computer programs, and in many cases the computers that process the information, must also be authorized. This requires that mechanisms be in place to control the access to protected information.
The sophistication of the access control mechanisms should be in parity with the value of the information being protected; the more sensitive or valuable the information, the stronger the control mechanisms need to be. The foundation on which access control mechanisms are built starts with identification and authentication. Access control is generally considered in three steps: identification, authentication, and authorization.
Identification

If a person makes the statement "Hello, my name is John Doe", they are making a claim of who they are. However, their claim may or may not be true. Before John Doe can be granted access to protected information it will be necessary to verify that the person claiming to be John Doe really is John Doe. Typically the claim is in the form of a username. By entering that username you are claiming "I am the person the username belongs to".
Authentication

Authentication is the act of verifying a claim of identity. When John Doe goes into a bank to make a withdrawal, he tells the bank teller he is John Doe, a claim of identity. The bank teller asks to see a photo ID, so he hands the teller his driver's license.
The bank teller checks the license to make sure it has John Doe printed on it and compares the photograph on the license against the person claiming to be John Doe. If the photo and name match the person, then the teller has authenticated that John Doe is who he claimed to be.
There are three different types of information that can be used for authentication:

- Something you know: things such as a PIN, a password, or your mother's maiden name
- Something you have: a driver's license or a magnetic swipe card
- Something you are: biometrics, including palm prints, fingerprints, voice prints and retina eye scans

Strong authentication requires providing more than one type of authentication information (two-factor authentication).
The username is the most common form of identification on computer systems today and the password is the most common form of authentication. Usernames and passwords have served their purpose, but they are increasingly inadequate.

Authorization

After a person, program or computer has successfully been identified and authenticated, it must then be determined what informational resources they are permitted to access and what actions they will be allowed to perform (run, view, create, delete, or change).
This is called authorization. Authorization to access information and other computing services begins with administrative policies and procedures.
The policies prescribe what information and computing services can be accessed, by whom, and under what conditions. The access control mechanisms are then configured to enforce these policies.
Different computing systems are equipped with different kinds of access control mechanisms. Some may even offer a choice of different access control mechanisms. The access control mechanism a system offers will be based upon one of three approaches to access control, or it may be derived from a combination of the three approaches.
The non-discretionary approach consolidates all access control under a centralized administration; access to information and other resources is usually based on the individual's function (role) in the organization or on the tasks the individual must perform. The discretionary approach gives the creator or owner of the information resource the ability to control access to those resources. In the mandatory access control approach, access is granted or denied based on the security classification assigned to the information resource.

To be effective, policies and other security controls must be enforceable and upheld. Effective policies ensure that people are held accountable for their actions.
The U.S. Treasury's guidelines for systems processing sensitive or proprietary information, for example, state that all failed and successful authentication and access attempts must be logged, and that all access to information must leave some type of audit trail.
Need-to-know

The need-to-know principle gives a person the access rights needed to perform their job functions. This principle is used in government when dealing with different clearances. Even though two employees in different departments have a top-secret clearance, they must have a need-to-know in order for information to be exchanged. Within the need-to-know principle, network administrators grant the employee the least amount of privileges needed, to prevent employees from accessing more than what they are supposed to.
Need-to-know helps to enforce the confidentiality-integrity-availability triad.
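As an added illustration of the identification, authentication, authorization, audit-trail and need-to-know points above (example code, not part of the original notes): a small Python policy engine that treats the username as a claim, verifies it against a salted password hash, then applies mandatory (classification versus clearance), need-to-know (compartment) and discretionary (owner ACL) checks, recording every failed and successful step as an audit record. Users, passwords, compartments and the report are constructed sample data.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field

LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top-secret": 3}  # ordered for MAC
AUDIT = []  # audit trail: every failed and successful attempt is recorded here

def hash_password(password, salt=b""):
    salt = salt or os.urandom(16)  # salted PBKDF2; only the hash is ever stored/compared
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    clearance: str
    compartments: set  # projects this user has a need-to-know for
@dataclass
class Resource:
    owner: str
    classification: str
    compartment: str
    acl: dict = field(default_factory=dict)  # DAC: user -> set of permitted actions

def request(users, username, password, res, action):
    def audit(step, ok):  # every step, failed or successful, leaves an audit record
        AUDIT.append((username, action, step, "OK" if ok else "DENIED"))
        return ok
    user = users.get(username)  # identification: the username is only a claim
    if user is None:
        return audit("identification", False)
    _, h = hash_password(password, user.salt)  # authentication: verify the claim
    if not hmac.compare_digest(h, user.pw_hash):
        return audit("authentication", False)
    audit("authentication", True)
    if LEVELS[user.clearance] < LEVELS[res.classification]:  # mandatory control
        return audit("authorization/classification", False)
    if res.compartment not in user.compartments:  # need-to-know, least privilege
        return audit("authorization/need-to-know", False)
    if username != res.owner and action not in res.acl.get(username, set()):
        return audit("authorization/owner-acl", False)  # discretionary control
    return audit("authorization", True)

def demo():
    (s1, h1), (s2, h2) = hash_password("correct horse"), hash_password("hunter2")
    users = {"jdoe": User(s1, h1, "top-secret", {"projA"}),
             "asmith": User(s2, h2, "top-secret", {"projB"})}  # constructed sample users
    report = Resource("jdoe", "secret", "projA", acl={"asmith": {"view"}})
    return [request(users, "jdoe", "correct horse", report, "change"),  # owner: granted
            request(users, "jdoe", "wrong password", report, "view"),   # bad password
            request(users, "asmith", "hunter2", report, "view")]        # no need-to-know
```

The third request shows the need-to-know rule in action: asmith's top-secret clearance satisfies the mandatory check, but the missing compartment still denies access, and the AUDIT list records exactly which step refused.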
Need-to-know directly impacts the confidentiality area of the triad.

Cryptography

Information security uses cryptography to transform usable information into a form that renders it unusable by anyone other than an authorized user; this process is called encryption. Information that has been encrypted (rendered unusable) can be transformed back into its original usable form by an authorized user who possesses the cryptographic key, through the process of decryption.
Cryptography is used in information security to protect information from unauthorized or accidental disclosure while the information is in transit either electronically or physically and while information is in storage. Cryptography can introduce security problems when it is not implemented correctly.
Cryptographic solutions need to be implemented using industry-accepted solutions that have undergone rigorous peer review by independent experts in cryptography. The length and strength of the encryption key is also an important consideration. A key that is weak or too short will produce weak encryption.
The keys used for encryption and decryption must be protected with the same degree of rigor as any other confidential information. They must be protected from unauthorized disclosure and destruction, and they must be available when needed. Public key infrastructure (PKI) solutions address many of the problems that surround key management.
Due care and due diligence

In recent years the terms due care and due diligence have found their way into the fields of computing and information security. Federal Sentencing Guidelines now make it possible to hold corporate officers liable for failing to exercise due care and due diligence in the management of their information systems. This is often described as the "reasonable and prudent person" rule. A prudent person takes due care to ensure that everything necessary is done to operate the business by sound business principles and in a legal, ethical manner.
A prudent person is also diligent (mindful, attentive, ongoing) in their due care of the business. In the field of information security, Harris offers the following definitions of due care and due diligence: "Due care are steps that are taken to show that a company has taken responsibility for the activities that take place within the corporation and has taken the necessary steps to help protect the company, its resources, and employees."

Two points in these definitions deserve attention. First, in due care, steps are taken to show; this means that the steps can be verified, measured, or even produce tangible artifacts. Second, in due diligence, there are continual activities; this means that people are actually doing things to monitor and maintain the protection mechanisms, and these activities are ongoing.
Organizations have a responsibility to practice duty of care when applying information security.

Access control

To keep out potential attackers, you need to recognize each user and each device. Then you can enforce your security policies. You can block noncompliant endpoint devices or give them only limited access. This process is network access control (NAC).

Antivirus and antimalware software

"Malware," short for "malicious software," includes viruses, worms, Trojans, ransomware, and spyware. Sometimes malware will infect a network but lie dormant for days or even weeks. The best antimalware programs not only scan for malware upon entry, but also continuously track files afterward to find anomalies, remove malware, and fix damage.

Application security

Any software you use to run your business needs to be protected, whether your IT staff builds it or whether you download it. Unfortunately, any application may contain holes, or vulnerabilities, that attackers can use to infiltrate your network. Application security encompasses the hardware, software, and processes you use to close those holes.

Behavioral analytics

Behavioral analytics tools automatically discern activities that deviate from the norm. Your security team can then better identify indicators of compromise that pose a potential problem and quickly remediate threats.

Data loss prevention

Organizations must make sure that their staff does not send sensitive information outside the network. Data loss prevention (DLP) technologies can stop people from uploading, forwarding, or even printing critical information in an unsafe manner.

Email security

Email gateways are the number one threat vector for a security breach. Attackers use personal information and social engineering tactics to build sophisticated phishing campaigns to deceive recipients and send them to sites serving up malware. An email security application blocks incoming attacks and controls outbound messages to prevent the loss of sensitive data.

Firewalls

Firewalls put up a barrier between your trusted internal network and untrusted outside networks, such as the Internet. They use a set of defined rules to allow or block traffic. A firewall can be hardware, software, or both. Cisco offers unified threat management (UTM) devices and threat-focused next-generation firewalls.

Intrusion prevention systems

An intrusion prevention system (IPS) scans network traffic to actively block attacks.