KFA SCT 115 Security Computing Week 09 Revision

The document covers legal issues and ethics in information security, detailing key concepts such as assets, information security principles, types of hackers, and the relationship between vulnerability, threat, and risk. It emphasizes the importance of confidentiality, integrity, and availability in protecting sensitive data, as well as the roles of various security controls and cryptography in safeguarding information. Additionally, it outlines policies and procedures necessary for effective information security management.

Uploaded by

Prashant Sapkota
SECURITY COMPUTING
WEEK 08: LEGAL ISSUES AND ETHICS
DELIVERED BY:

Yojan Dhakal | Lead IS Auditor | IS Audit Practitioner @CryptoGen Nepal | AP @KFA
Aaditya Khati | SOC Manager | Team Lead @CryptoGen Nepal | Practical Contributor @KFA

Certifications (as listed on the slide): ISO 27001 | CEH Practical | AZ 900 | CSFPC | CEH | CPISI | AZ 900 | LRSA | LRPA | LRSE | NSE 1 | NSE 2 | LogPoint Certified Admin & LRDE | LogPoint Certified Admin | CCNA CyberOps Analyst CPE | F5 Delivery Engineer | Tenable Certified


REVISION – SECURITY COMPUTING
• Information Security Overview
• Vulnerability, Threat & Risk
• Confidentiality, Integrity & Availability
• Authentication, Access Control and Cryptography
ASSETS
• An asset is any data, device or other component of an organization's systems that is valuable – often because it contains
sensitive data or can be used to access such information.
• For example, an employee’s desktop computer, laptop or company phone would be considered an asset, as would
applications on those devices. Likewise, critical infrastructure, such as servers and support systems, are assets.
INFORMATION SECURITY
• Information security (sometimes referred to as InfoSec) covers the tools and processes that organizations use to protect
information.
• This includes policy settings that prevent unauthorized people from accessing business or personal information.
• InfoSec is a growing and evolving field that covers a wide range of areas, from network and infrastructure security to
testing and auditing.
• Information security protects sensitive information from unauthorized activities, including inspection, modification,
recording, and any disruption or destruction.
• The goal is to ensure the safety and privacy of critical data such as customer account details, financial data or intellectual
property.
PRINCIPLES OF INFORMATION SECURITY
The CIA Triad defines three key principles of data security

Confidentiality
Confidentiality measures are designed to prevent unauthorized
disclosure of information.

Integrity
The principle of integrity ensures that data is accurate and reliable and
is not modified incorrectly, whether accidentally or maliciously.

Availability
Availability is the protection of a system’s ability to make software
systems and data fully available when a user needs it (or at a specified
time).
TYPES OF HACKERS
Black Hat Hackers
• Unethical individuals
• These people hack the system illegally to steal money or to achieve their own illegal goals
• Black hat hacking is illegal.

White Hat Hackers


• Ethical hackers or penetration testers
• Use the same techniques as black hat hackers
• Hack legally, with permission, to strengthen information security
• Focus on protecting cyberspace

Grey Hat Hackers


• A hybrid between black hat hackers and white hat hackers
• They will hack any system, even without permission, to test the security of the system
• Grey hat hacking is illegal, as the hacker has not received permission from the organization to attempt to infiltrate its systems.
VULNERABILITY, THREAT, RISK

• Threat: Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an
asset.
• Vulnerability: Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access
to an asset.
• Risk: The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.

Asset + Threat + Vulnerability = RISK


THREAT VECTORS

❑ Unauthorized access—may be the result of malicious attackers, malware, and employee error.

❑ Misuse of information by authorized users—an insider threat may misuse information by altering, deleting, or using
data without authorization.

❑ Data leaks—threat actors or cloud misconfiguration may lead to leaks of personally identifiable information (PII) and
other types of sensitive data.

❑ Loss of data—poorly configured replication and backup processes may lead to data loss or accidental deletion.

❑ Service disruption—downtime may cause reputational damages and revenue losses. It may be accidental, or the
result of a denial of service (DoS) attack.

MOM: METHOD, OPPORTUNITY & MOTIVE


Method: The skill, knowledge, tools and other things with which to be able
to pull off the attack.

Opportunity: The time and access to accomplish attack.

Motive: A reason to want to perform this attack against a system.


• Deny any of those three things and the attack will not occur.
• Method: knowledge, specifications and source code are available on the internet.
• Opportunity: access to computer systems is available through purchase of the same types of systems, internet access,
weak physical security or an easy break-in.
• Motive: financial gain, revenge, power, or random.
THREATS
❑ Threats of any kind fall under one of the following categories.
❑ Interception (Unauthorized access to an asset)
❑ Interruption (State of an asset being lost, unavailable or unusable)
❑ Modification (Unauthorized changes, tampering with an asset)
❑ Fabrication (Creating false data to deceive or defraud)
CONTROLS
Physical controls stop or block an attack by using something tangible, such as:
❑ Walls and fences
❑ Locks
❑ Guards
❑ Sprinklers and other fire extinguishers
Procedural or administrative controls use a command or agreement that requires or advises people how to act; for example:
❑ Laws, regulations
❑ Policies, procedures, guidelines
❑ Copyrights, patents
❑ Contracts, agreements
Technical controls counter threats with technology (hardware or software), such as:
❑ Passwords
❑ Program or operating system access controls
❑ Network protocols
❑ Firewalls, intrusion detection systems
❑ Encryption
❑ Network traffic flow regulators
CRYPTOGRAPHY
Cryptography conceals data against unauthorized access. Well-disguised data cannot easily be read, modified,
or fabricated.
❑ Consider the steps involved in sending messages from a sender, S, to a recipient, R.
❑ If S entrusts the message to T, who then delivers it to R, T then becomes the transmission medium.
❑ If an outsider, O, wants to access the message (to read, change, or even destroy it), we call O an interceptor
or intruder.
❑ Any time after S transmits the message via T, it is vulnerable to exploitation, and O might try to access it in
any of the following ways:
• Block it, by preventing its reaching R, thereby affecting the availability of the message
• Intercept it, by reading or listening to the message, thereby affecting the confidentiality of the
message
• Modify it, by seizing the message and changing it in some way, affecting the message’s integrity
• Fabricate an authentic-looking message, arranging for it to be delivered as if it came from S, thereby
also affecting the integrity of the message
CRYPTOGRAPHY
A system for encryption and decryption is called a cryptosystem.
❑ Encryption is the process of encoding a message so that its meaning is not obvious; decryption is the reverse process.
• The terms encode and decode, or encipher and decipher, are sometimes used instead of encrypt and decrypt.
❑ The original form of a message is known as plaintext, and the encrypted form is called ciphertext.
❑ A cryptosystem involves a set of rules for how to encrypt the plaintext and decrypt the ciphertext. The encryption and
decryption rules are called algorithms.
CRYPTOGRAPHY
• Cryptography is used in a process to develop algorithms which can be used to conceal information from all
except the sender and the receiver
• Converts plaintext into ciphertext and vice versa
• Basic Cryptography terminologies:
• Encrypt: Scrambling data to make it unreadable
• Decrypt: Unscrambling data to its original format
• Cipher: Another word for algorithm
• Key: A complex sequence of alpha-numeric characters, produced by the algorithm that allows you to
scramble and unscramble data
• Plaintext: Unencrypted or decrypted text (It does not always have to be text)
• Ciphertext: Data that has been encrypted
CRYPTOGRAPHY

Diagram: Plaintext (readable text) → Encryption → Ciphertext (unreadable or encrypted data) → Decryption → Plaintext
SYMMETRIC ENCRYPTION SYSTEMS
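The following is an added example, not part of the slides: a toy symmetric cryptosystem in Python (standard library only) that plays through the sender S, medium T, recipient R and interceptor O scenario from the earlier CRYPTOGRAPHY slide. It assumes a shared key known only to S and R and uses HMAC-SHA256 as a stand-in cipher and authentication tag, to show which of O's four actions (block, intercept, modify, fabricate) the cryptosystem defeats and which it cannot.

```python
import hmac
import hashlib
import secrets

# Teaching construction only (assumed design, not from the slides): HMAC-SHA256
# derives a keystream for confidentiality and an authentication tag for
# integrity. A real system would use a vetted AEAD cipher such as AES-GCM.

def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keys for encryption and authentication, derived from the shared key
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """S encrypts: returns nonce || ciphertext || tag, the tag covering nonce and ciphertext."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, message: bytes):
    """R decrypts; returns None when the tag does not verify (modified or fabricated message)."""
    if len(message) < 16 + 32:
        return None
    nonce, ct, tag = message[:16], message[16:-32], message[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

def outcome_of(action: str, key: bytes, plaintext: bytes) -> str:
    """Simulate O acting on S's message while it is on T, and report what R observes."""
    msg = encrypt(key, plaintext)
    if action == "intercept":  # O reads the bytes on T but holds no key
        return "confidential" if plaintext not in msg else "leaked"
    if action == "modify":     # O flips one bit of the ciphertext
        tampered = bytearray(msg)
        tampered[16] ^= 0x01
        return "rejected" if decrypt(key, bytes(tampered)) is None else "accepted"
    if action == "fabricate":  # O forges a message under a key S and R never shared
        forged = encrypt(secrets.token_bytes(32), b"constructed forged message")
        return "rejected" if decrypt(key, forged) is None else "accepted"
    if action == "block":      # O drops the message: availability is not protected by cryptography
        return "unavailable"
    raise ValueError(action)
```

Interception, modification and fabrication are defeated by the key and the tag respectively, while blocking still succeeds, which is why availability needs the physical, procedural and technical controls listed earlier rather than encryption.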
POLICIES AND PROCEDURES
Policies
• Policy is a set of rules or guidelines for your organization and
employees to follow in order to achieve a specific goal
• An effective policy should outline what employees must do or not do,
directions, limits, principles, and guidance for decision making.
Procedures
• It is the instruction on how a policy is followed.
• Step-by-step instruction for how the policies outlined above are to be
achieved. A policy defines a rule, and the procedure defines who is
expected to do it and how they are expected to do it.
WEEK 09
END OF SLIDE