Session: Information Security
TRANSCRIPT
Segment: Introduction to Information Security
WHAT IS INFORMATION SECURITY?
Information Security is the practice or method of protecting information and averting information risks.
OBJECTIVES OF INFORMATION SECURITY
CIA Triad
- Confidentiality: Information is not disclosed to unauthorised individuals
- Integrity: Information must be accurate and complete
- Availability: Information must be available when needed
OBJECTIVES OF INFORMATION SECURITY
CIA Triad: Example of an ATM
- Confidentiality: The ATM PIN is confidential and uncompromised
- Integrity: The transaction is noted and updated in the bank account
- Availability: All transactions can be accessed and viewed at any time
IMPORTANCE OF INFORMATION SECURITY
Information Security is there to check and prevent:
- Data Bug Infection: Attacking the system with viruses or worms
- Data Theft: Stealing the data
- Data Corruption: Modifying the data to make it erroneous
- Data Destruction: Making the data irretrievable by destroying its trace
- Data Deletion: Deleting any stored data
OBJECTIVES OF SECURITY MANAGEMENT SYSTEM
1. Minimise the loss of physical and information assets
2. Minimise the loss of business or business opportunities
3. Ensure system integrity and reliability of data
4. Ensure highest quality information systems
5. Recover fast from any disaster
SOURCES OF THREATS TO INFORMATION SYSTEMS
- Natural Calamities: Fire, earthquake or flood
- Human Actions: Illegal access, theft, user errors or program changes
- Failure of System: Hardware, software, network and telecommunication functioning
ADDRESSING INFORMATION SECURITY CHALLENGES
Three aspects: Prevention, Protection and Limitations
- Guard or firewall from unknown threats
- Provide methods and systems to recover from damage
- Identify theft sources/possibilities of occurrence
- Protect information from unauthorised access
- Check the misuse of information obtained from unauthorised access
- Limit the damage from attacks
WHAT ARE THE TYPES OF SECURITY CONTROLS THAT CAN BE PUT IN PLACE?
- Manual Controls: Deployed when judgment and discretion are required, and used to monitor automated controls
- Automated Controls: Deployed for processes with high volumes of similar transactions
Manual and Automated Control, with the example of Google Forms:
- Automated Control: The phone number field can only accept numerals
- Manual Control: Access to the form
MANUAL CONTROLS
1. Premises: Access control, physical locks, recording entry and exit
2. Hardware and Software: Authenticity control, usage control, operational control through passwords and selective rights
3. Operations: Authorised setup operations, job scheduling, backup and recovery, storage and retrieval systems
4. Data: Access control to physical data storage, control on change or deletion
SETTING MANUAL CONTROLS IN AN ORGANISATION
Let's look at a day in the life of Ravi and understand the various manual measures organisations take to ensure the security of information.
- Ravi enters the premises and logs his key card. Due to the sensitive nature of his current project, there is a designated office space with restricted access.
- He logs in to his desktop and connects to the client network.
- He monitors the current status of his team members' projects through a personalised dashboard accessible to the senior management and the clients.
- Mistakenly, one of his teammates sent an official file over personal mail and the IT team flagged it. He holds a meeting with the team and explains the importance of data protection.
- At the end of the day, the IT team runs a daily backup of data to company servers.
- Ravi locks his desktop and leaves for the day.
AUTOMATED CONTROLS
1. Input (Document and Fields): Control totals, document count, hash totals, source check, error display
2. Input Quality (Field Level): Edit check for specification, picture, layout
3. Input Processing (Validity, Rules): Process for data integrity; check complete input for validity, completeness and precision
4. Output (Updates, Reports): Ensure all updates, check pre- and post-process conditions, log all reports processed
SETTING AUTOMATED CONTROLS IN AN ORGANISATION
Let's look at a day in the life of Ravi and understand the various automated measures organisations take to ensure the security of information.
- Ravi has to send in an invoice that was generated by one of his clients.
- The invoice is to be uploaded on a system platform.
- The system accepts the invoice only in a prescribed format that has already been conveyed.
- The invoices are checked for duplication and validated for their accuracy.
- Invoices are then processed by extracting the information from them and compiling it in an Excel sheet.
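The automated input controls from the slide above (field-level edit checks, source check, duplicate check, control totals, hash totals and error display), applied to Ravi's invoice upload as an added example; this is illustrative code written for this transcript, not part of the course material, and the batch header, supplier list and invoice records are constructed sample data.

```python
import re

# Constructed sample batch. The batch header carries the control totals the
# sending side claims for the documents it uploaded.
BATCH_HEADER = {"document_count": 4, "amount_total": 2450.00, "hash_total": 4008}
APPROVED_SUPPLIERS = {"ACME-01", "GLOBEX-07"}   # source check: who may submit invoices
INVOICES = [
    {"invoice_no": "1001", "supplier": "ACME-01",    "date": "2024-03-01", "amount": "1200.00"},
    {"invoice_no": "1002", "supplier": "GLOBEX-07",  "date": "2024-03-02", "amount": "500.00"},
    {"invoice_no": "1002", "supplier": "GLOBEX-07",  "date": "2024-03-02", "amount": "500.00"},  # duplicate
    {"invoice_no": "10A3", "supplier": "UNKNOWN-99", "date": "01/03/2024", "amount": "250.0O"},  # bad fields
]

# Field-level edit checks: the "picture" (layout) each field must match exactly.
FIELD_RULES = {
    "invoice_no": re.compile(r"\d{4}"),
    "date": re.compile(r"\d{4}-\d{2}-\d{2}"),
    "amount": re.compile(r"\d+\.\d{2}"),
}

def edit_check(inv):
    """Return the field-level and source-check errors for one invoice ([] if clean)."""
    errors = [f"{f}: bad format {inv[f]!r}" for f, rx in FIELD_RULES.items()
              if not rx.fullmatch(inv[f])]
    if inv["supplier"] not in APPROVED_SUPPLIERS:
        errors.append(f"supplier: {inv['supplier']!r} is not an approved source")
    return errors

def process_batch(header, invoices):
    """Apply input controls; return (accepted rows, error log, control-total comparison)."""
    accepted, error_log, seen = [], [], set()
    for inv in invoices:
        errors = edit_check(inv)
        if inv["invoice_no"] in seen:                        # duplicate check
            errors.append(f"invoice_no: {inv['invoice_no']} already processed")
        if errors:
            error_log.append((inv["invoice_no"], errors))    # error display
            continue
        seen.add(inv["invoice_no"])
        accepted.append({**inv, "amount": float(inv["amount"])})
    # Control totals over what was accepted, compared with the header's claims.
    # The hash total is a sum of invoice numbers: meaningless as a value, but any
    # lost, rejected or altered document makes it disagree with the header.
    totals = {
        "document_count": len(invoices),
        "amount_total": round(sum(r["amount"] for r in accepted), 2),
        "hash_total": sum(int(r["invoice_no"]) for r in accepted),
    }
    return accepted, error_log, {k: totals[k] == header[k] for k in header}
```

A disagreeing amount or hash total does not say which document is wrong; it tells the operator that the batch needs follow-up, which is exactly the manual control the slides pair with automated ones.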
MANAGING SECURITY THREATS IN BUSINESSES
- Fault Tolerant Computer Systems: Contain redundant hardware, software and power supply to take over as primary if one fails to service the requirement.
- Employee Evaluation: Selection and appointment should be done after in-depth scrutiny of past record and references.
- Usage Monitoring: Policy, procedures and record-keeping systems keep watch on who visits and for how long.
- Physical Access Control: Servers, PCs and other installations are controlled for access.
MANAGING SECURITY THREATS IN BUSINESSES
- Use of Security Monitors: A set of software programs which monitor the use of the network and protect it from any unauthorised use.
- Testing of Audit Trail: The various steps through which the transaction is processed.
- Application of Biometric Security: An individual's biometric profile built into the system is processed every time they attempt to access the system.
- Protection from Viruses: Hidden programs that enter through the network and force the system to clone the virus.
- Entry Level Security Codes: A security code is a multi-level password system incorporated at entry level for security management.
MANAGING SECURITY THREATS IN E-BUSINESS
1. Firewall: Prevents unauthorised access
2. Authenticity: Confirms the authenticity of the other user
3. Encryption: Prevents unwanted reading of information, messages or reports
4. Message Integrity: Asserts that the communication content is not disturbed
5. Digital Signature: Confirms the sender's authenticity
MANAGING SECURITY THREAT IN E-BUSINESS: ENCRYPTION
Diagram: Sender's text page "Hi, this is MIS course!" -> Encryption -> Cipher text "Itdnc 89fs 654da duas@g 654 ytsh!!" -> Decryption -> Receiver's text page "Hi, this is MIS course!"
Diagram: Between sender and receiver, non-encrypted data can be accessed; encrypted data cannot be accessed.
Segment: Cyber Security
RECALL INFORMATION SECURITY
- Information Security: Protect digital and physical data/information
- Cyber Security: Protect digital data/information
- Network Security: Protect the organisation's IT infrastructure and data shared over its network
CYBER SECURITY
To protect sensitive, personal and business digital information through prevention of attack and detection of the attacker.
Cybersecurity protects only digital data, whereas information security aims to protect all data across all forms.
NETWORK SECURITY
Network security is focused on protecting an organisation's IT infrastructure from online threats and vulnerabilities.
Network security, a subset of cybersecurity, aims to protect any data that is being sent through devices in your network to ensure that the information is not changed or intercepted.
LET'S RECALL INFORMATION SECURITY, CYBER SECURITY AND NETWORK SECURITY
- Information Security: Protect email and letters
- Cyber Security: Protect the email
- Network Security: Protect the email while it is being transferred or sent/received
TYPES OF ATTACKS ON NETWORK
- Active Attack: An attacker modifies the information from the system and alters the system resources.
- Passive Attack: An attacker observes and/or copies the information from the system to use it for malicious purposes.
ACTIVE ATTACK
Diagram: Sender -> Internet -> Receiver (active attack)
Let's take the example of e-mail.
- Your friend sends you a mail, but their account is hacked.
- The hacker changes the content of the mail dynamically, before it reaches you.
- The sender and the user (you) are both unaware of the changes unless you explicitly talk about it over the phone.
PASSIVE ATTACK
Diagram: Sender -> Internet -> Receiver (passive attack)
Let's take the example of e-mail.
- Your friend sends you an e-mail, but their account is hacked.
- The hacker copies the relevant content, but there is no tampering with the content.
COMPARING ACTIVE AND PASSIVE ATTACKS
Active Attacks:
- System resources are changed
- Detection of active attack is prioritised
- Integrity as well as availability is threatened
- Information is modified
Passive Attacks:
- System resources are not altered
- Prevention of passive attack is prioritised
- Confidentiality is threatened
- Information remains unchanged
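The distinction in the comparison above, shown with the message-integrity measure from the e-business list (a keyed hash, HMAC-SHA256, over the message body) as an added example that is not part of the course material; the shared key, the e-mail text and the two simulated attackers are constructed for the demonstration.

```python
import hashlib
import hmac
from typing import NamedTuple

class Message(NamedTuple):
    body: bytes
    tag: bytes   # keyed hash of body; only holders of the shared key can compute it

def send(key: bytes, body: bytes) -> Message:
    """Sender side: attach an HMAC-SHA256 tag to the body (message integrity)."""
    return Message(body, hmac.new(key, body, hashlib.sha256).digest())

def receive(key: bytes, msg: Message) -> bool:
    """Receiver side: True only if the body still matches its tag (constant-time compare)."""
    expected = hmac.new(key, msg.body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, msg.tag)

def active_attack(msg: Message) -> Message:
    """Simulated in-transit tampering: the content is altered; the tag cannot be
    recomputed without the key, so the old tag travels on with the new body."""
    return Message(msg.body.replace(b"Friday", b"Monday"), msg.tag)

def passive_attack(msg: Message) -> Message:
    """Simulated eavesdropping: the attacker keeps a copy; the message on the wire is untouched."""
    _attackers_copy = Message(msg.body, msg.tag)
    return msg

def demo(key: bytes = b"shared-secret-constructed-for-demo") -> dict:
    """Run the three scenarios from the comparison; values are the receiver's verdict."""
    original = send(key, b"Hi, the meeting has moved to Friday 3pm")
    return {
        "untouched": receive(key, original),                # True
        "active": receive(key, active_attack(original)),    # False: tampering detected
        "passive": receive(key, passive_attack(original)),  # True: copying leaves no trace here
    }
```

The integrity check detects the active attack and says nothing about the passive one, which is why the comparison pairs detection with active attacks and prevention (encryption, which stops the reading itself) with passive ones.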
EXAMPLES OF ACTIVE ATTACKS
- BBC was struck with an active attack which took down its iPlayer for about 3 months
- The Equifax data breach released personally identifiable information for about 160 million users
TYPES OF ATTACK ON NETWORK
Types of Active Attacks
- Denial of Service (DoS): The attack makes the host inaccessible by flooding the bandwidth with large volumes of data
- Distributed Denial of Service (DDoS): A large-scale version of DoS in which multiple sources attack a single host
- Spoofing Attack: Falsely identifying as another user or website to take control
- SQL Injection: SQL code is inserted in an active data input field to disrupt the database
- Buffer Overflow: The attack overwrites memory to corrupt or damage it
- ARP Poisoning or Spoofing: Rerouting the traffic and information from the host to the attacker
Types of Passive Attacks
- Computer Port Scanning: Checking ports to find active and vulnerable ports available for an attack
- Network Wiretapping: Monitoring network channels to collect a range of information
ADVANCED PERSISTENT THREAT ATTACK
Hybrid Attack
Advanced Persistent Threat (APT) is a form of cyberattack in which a person gains unauthorised access to a network or system and remains undetected for an extended period.
APTs are not "hit and run" attacks but are planned carefully against strategic targets and carried out over a prolonged period of time.
AIM OF ADVANCED PERSISTENT THREAT ATTACK
- Steal Personally Identifiable Information (PII)
- Steal or compromise classified data
- Steal Intellectual Property
- Act of sabotage (such as taking control of a site or deleting a database)
ADVANCED PERSISTENT THREAT ATTACK STAGES
Five Stage Process
1. Initial access
2. Deploy malware or a trojan (hidden software)
3. Multiply and expand to other parts of the network
4. Stage the attack when ready
5. Cause damage by transferring data and removing traces of their presence
Segment: Green IT
GREEN IT
Computers, laptops and mobile devices are energy-intensive sectors that account for 2% of human greenhouse gas emissions worldwide. (Source: Global Action Plan)
Green IT refers to using IT resources in an efficient and environmentally responsible way.
Green IT aims to minimise the negative impact of IT operations on the environment by designing, manufacturing, operating and disposing of IT products in an environment-friendly manner.
TWO PERSPECTIVES OF GREEN IT
1. Make IT Green, or "Green for IT": for example, using energy-efficient laptops
2. Use IT to Make the Organisation Green, or "IT for Green": for example, using video conferencing platforms to avoid travelling for meetings and thus saving fuel
Green IT 1.0: "Green for IT"
- Data Centre and Facilities: IT systems management; server and storage virtualisation; building automation
- Distributed IT: PC power management; thin client systems; managed print services
Green IT 2.0: "IT for Green"
- Business Process and Strategy: Carbon management; teleworking; supply chain optimisation
- Public Policy and Infrastructure: Smart grid; green cities; climate change policies
5 STAGES OF GREEN IT
Planning, Design, Manufacturing, Usage, Disposal
1. Planning
- Selection and deployment of environment-friendly IT and use of energy-efficient IT equipment
- Addresses planning of data centres, which should consume less energy and have lower cooling requirements
2. Design
- Aims at designing IT systems in accordance with energy-efficient green IT standards
3. Manufacturing
- IT products should not use hazardous substances during their manufacturing or usage
- Use green energy and non-toxic substances in the manufacturing process
4. Usage
- Addresses all activities that lead to lower power consumption and minimise the generation of hazardous material
5. Disposal
- Recycling e-waste with no or little impact on the environment
CRADLE-TO-CRADLE PRINCIPLE
Cradle to Cradle: Remaking the Way We Make Things, by Braungart and McDonough, advocates that the principles of nature be adopted in the design of products of any variety.
It argues that modern-day manufacturing must follow nature's cradle-to-cradle principles rather than the one-way, 'cradle-to-grave' manufacturing model that exists today.
The 'cradle-to-grave' approach produces almost 90% of the materials as waste, most of which either go into scrapyards or landfill sites.
CRADLE-TO-CRADLE PRINCIPLE
Diagram, nature cycle: Plant -> Produce like fruits, flowers and seeds -> Decomposes into the environment or gives birth to a new plant.
Diagram, man-made product cycle: Raw material (organic or synthetic) -> Product -> Human consumption.
CRADLE-TO-CRADLE TECH PRODUCT EXAMPLE
Diagram, cradle-to-cradle life cycle of a tech product: Production -> Product -> Use -> Return -> Disassembly -> Technical Nutrient -> back to Production.
STRATEGIES FOR MAKING IT GREEN
1. Use: Can we prolong the use, reuse or seek multiple uses of the equipment?
2. Nature: Is this IT equipment/application safe from nature's point of view?
3. Intelligent: Is this equipment intelligent enough to behave in an environment-friendly manner?
4. Virtualisation: Can the use lead to less travel and saving of resources?
5. Resources: Are the resources used biodegradable, re-deployable and non-toxic in nature?
6. Sustainable: Can the equipment be used with sustainable sources such as solar power or wind energy?
7. Efficient: Is this equipment or application efficient?
BOTTOM LINES AND GREEN IT
A Green IT strategy is not just environment-friendly but also adds to enhanced savings.
Progressive organisations now evaluate organisational performance on a new metric called the triple bottom line.
TRIPLE BOTTOM LINE
Triple Bottom Line (TBL or 3BL) is an evaluative framework which considers three parts of any organisation's performance: social, environmental (or ecological) and financial.
TRIPLE BOTTOM LINE AT WIPRO
- Social: Wipro's inclusive culture and workforce diversity are evident from their gender diversity program, 'Women of Wipro'
- Environmental and Financial: Wipro's Green PC is an environmentally responsible product with 5-star energy ratings and comes with responsible handling after End of Life
TRIPLE BOTTOM LINE AT ITC
- ITC's e-Choupal model seeks to address the issues relating to last-mile connectivity by leveraging IT to build capability at the grassroots through empowerment of the small farmer
- ITC seeks to enhance farm productivity and income by aligning output with market demand through connectivity
- ITC has over 4100 installations covering nearly 25,000 villages and serving 2.4 million farmers
FEW ORGANISATION-WIDE MEASURES TO COUNTER E-WASTE
1. Upgrade electronic items only after the older one is properly disposed of
2. Upgraded devices are given to employees only when they return the old device
3. Adequate cloud space is provided for backing up devices
4. A schedule of collection times is communicated to all locations for handing over the e-waste
5. All e-waste is disposed of by authorised/licensed agencies in a safe manner