INFORMATION SECURITY
Module I: introduction to information security
Lecture 3
1. CIA Triad (Confidentiality, Integrity, Availability)
TO PROTECT THE OPERATION OF ANY
ORGANIZATION
1. Physical Security: access control to physical devices,
e.g. pen drives, hard drives, CDs/DVDs, computers.
2. Private Security: individuals or groups of people.
3. Project Security: design, code and operation security.
SECURITY APPROACHES
• Reactive Approach – Responds to incidents after they
occur.
• Proactive Approach – Prevents threats before they
occur.
• Layered Security (Defense in Depth) – Multiple layers
of protection.
• Risk-Based Approach – Focuses on assessing and
minimizing risks.
• Zero Trust Model – Never trust, always verify.
SECURITY APPROACHES
Information security is implemented through two
approaches: bottom-up and top-down.
• Bottom-up: started by system administrators and technical staff, who
secure the systems they know best; it often lacks management backing and
organization-wide coordination.
• Top-down: initiated and funded by upper management, who set policy,
assign responsibility and allocate resources; this is generally the more
successful approach.
Either way, the goal is to protect data from theft or loss, from unauthorized
modification (integrity) and from unauthorized access (confidentiality),
for example by encrypting sensitive information.
STEPS FOR AN INFORMATION SECURITY
PROGRAM
• The security team builds a framework that fits the organization's
current situation.
• Understand the sources of the threats.
• Perform a risk assessment.
• Manage and remediate the threats found.
• Develop an action plan, including how any damage will be evaluated.
• Involve and acknowledge third parties (vendors, partners).
• Select security controls to mitigate the risks.
• Provide security awareness and training.
• Audit and monitor to assess the remaining vulnerabilities.
LAYERS IN INFORMATION SECURITY
APPROACH
• Protection is implemented in layers: cybersecurity, web security,
application, device, network, physical and software security, plus
backup and data recovery for disaster situations.
• Splitting the problem into smaller parts lets each layer be protected
and managed on its own. Let us discuss each layer's approach.
EVOLUTION OF INFORMATION
SECURITY
• Pre-Computer Era: physical security and lock-and-key systems; protection
focused on physical documents (safes, locks, guards).
• Mainframe Era: emphasis on access control and password protection.
• Networking Era: rise of firewalls, antivirus and intrusion detection
systems.
• Modern Era (Cloud, IoT, AI): emphasis on encryption and advanced
cryptography, zero trust architecture, identity management, and advanced
threat detection.
VULNERABILITY IN INFORMATION
SYSTEMS
Definition:
A weakness in system design, implementation, or configuration that a
threat can exploit.
• Types: Software Bugs, Weak Passwords, Misconfigured
Systems, Susceptibility to Social Engineering (untrained users).
• Example: Phishing attacks using fake login pages. The attack is the
phishing e-mail; the vulnerability it exploits is the user who trusts
the page and the fact that a password alone protects the account.
SECURITY SERVICES
• Authentication – Proving user identity
• Access Control – Defining and enforcing policies
• Data Confidentiality – Encryption, secure protocols
• Data Integrity – Checksums, hash functions
• Non-repudiation – Digital signatures
• Availability – Redundancy, failover systems
SECURITY MECHANISMS
• Technical Mechanisms: Encryption (AES, RSA), Firewalls &
IDS, Anti-malware Tools
• Administrative Mechanisms: Policies & Procedures, Security
Awareness Training
• Physical Mechanisms: Biometric locks, CCTV, restricted
access
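The Authentication service above and the "Weak Passwords" vulnerability listed earlier come together in how a system stores and checks passwords. The following is an added example written for this lecture, not code from the lecture or from any product: it uses only the Python standard library (hashlib, hmac, os). The iteration count, the minimum length and the tiny deny-list are assumptions standing in for a real policy and a real breached-password list.

```python
"""Password-based authentication with the standard library only:
per-user random salt, iterated PBKDF2-HMAC-SHA256, constant-time comparison,
and a minimal weak-password check."""
import hashlib
import hmac
import os
from typing import Dict, Optional

ITERATIONS = 600_000          # assumption: a 2023-era work factor for PBKDF2-HMAC-SHA256
MIN_LENGTH = 12               # assumption: local password policy
# Constructed deny-list standing in for a real breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def is_weak_password(password: str) -> bool:
    """Reject very short passwords and anything on the deny-list (case-insensitive)."""
    return len(password) < MIN_LENGTH or password.lower() in COMMON_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    A fresh 16-byte salt per user means two users with the same password get
    different records, so one precomputed table cannot crack them all."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and work factor and compare it
    in constant time, so response timing does not leak how many bytes matched."""
    try:
        algorithm, iterations_text, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations_text)
    except ValueError:
        return False                      # malformed record: fail closed
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def register(users: Dict[str, str], username: str, password: str,
             iterations: int = ITERATIONS) -> bool:
    """Add a user only if the password passes policy; the password itself is never stored."""
    if is_weak_password(password):
        return False
    users[username] = hash_password(password, iterations=iterations)
    return True


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Unknown users and wrong passwords fail identically, so the response does not
    reveal which usernames exist; the dummy record keeps the timing comparable too."""
    record = users.get(username, DUMMY_RECORD)
    return verify_password(password, record) and username in users


# Precomputed once so a login attempt for an unknown user still costs one PBKDF2 run.
DUMMY_RECORD = hash_password("dummy-not-a-real-password")


if __name__ == "__main__":
    store: Dict[str, str] = {}
    print("weak password accepted:", register(store, "carol", "password"))
    print("strong password accepted:", register(store, "carol", "correct horse battery staple"))
    print("login ok:", login(store, "carol", "correct horse battery staple"))
    print("wrong password ok:", login(store, "carol", "hunter2hunter2"))
```

The stored record carries its own algorithm and work factor, so the iteration count can be raised later and old records re-hashed on the user's next successful login without a flag day.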
Emerging Trends in Information Security
● Zero Trust Security Model
● Cloud Security
● AI and Machine Learning in Cybersecurity
● Security for IoT Devices
● Data Privacy and Compliance (e.g., GDPR, HIPAA)
REAL-LIFE EXAMPLE
• Case Study: Ransomware Attack
• Violation: Affects Availability & Confidentiality
• Mitigation: Regular Backups, Strong Access Controls
• Recent events show that commercial, personal and sensitive
information is very hard to keep secure.
• As breaches in information security continue to make headline
news, it is becoming increasingly clear that technological solutions are
not the only answer.
• Research conducted in 2007 suggests that at least 80% of data
leakages are caused by staff rather than IT systems (source:
Financial Times/Forrester Research, Nov-07).
• It is clear therefore that Information Security should be viewed as a
management function rather than one of IT alone.
CIA TRIAD IN DETAIL
• Confidentiality: Tools - Encryption, Access Control
• Integrity: Tools - Hashing, Checksums
• Availability: Tools - Backups, Redundancy, Load
Balancing
The CIA Triad
If you are an information security specialist, your primary concern is the
confidentiality, integrity, and availability of your data (often referred to as
the CIA triad).
These crucial concepts are at the heart of successful information protection.
Confidentiality - The act of protecting data from being observed by any unauthorized
persons.
Confidentiality is the process of preventing disclosure of information to
unauthorized individuals or systems.
An example of protecting confidentiality would be preventing
passwords from being stolen, or preventing the theft of an employee's
computer.
Example: credit card numbers.
This term covers two related concepts:
◦ Data confidentiality
◦ Privacy
Confidentiality is necessary, but not sufficient to maintain privacy.
Integrity - The act of maintaining and assuring the accuracy and completeness of data over its entire
lifecycle. Essentially, this means that data cannot and should not be modified by any unauthorized persons.
A breach of integrity would include something like malware hidden inside another program; the
SolarWinds supply-chain compromise is an example of a breach of integrity.
Integrity means that data cannot be modified or changed without
authorization.
This term covers two related concepts:
◦ Data integrity: Assures that information and programs are changed
only in a specified and authorized manner.
◦ System integrity: Assures that a system performs its intended
function in an unimpaired manner, free from deliberate or
inadvertent unauthorized manipulation of the system.
Examples: Manual deletion or alteration or creation of important data
files, Virus infection, Employee altering their own salary etc.
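The "Checksums, hash functions" listed under Data Integrity and the "employee altering their own salary" example above differ in one important way: a plain checksum catches accidental change, but an insider who can rewrite the file can also rewrite the checksum. The following is an added example written for this lecture, not code from the lecture, using only the Python standard library; the payroll record and the key are constructed for the demonstration. It shows a plain SHA-256 checksum catching a bit flip but not a forgery, and a keyed HMAC catching both. Note that an HMAC still does not give non-repudiation, because the verifier holds the same key the writer used; that is what the digital signatures listed under Non-repudiation add.

```python
"""Integrity checking with the standard library: an unkeyed hash catches
accidental corruption, while a keyed HMAC also catches deliberate tampering
by someone who can rewrite the data and its checksum together."""
import hashlib
import hmac
from typing import Dict, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def checksum_ok(data: bytes, expected_hex: str) -> bool:
    """Unkeyed check: anyone can compute it, including the attacker."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def mac_tag(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def mac_ok(key: bytes, data: bytes, tag_hex: str) -> bool:
    """Keyed check: only holders of the key can produce a valid tag."""
    return hmac.compare_digest(mac_tag(key, data), tag_hex)


# Constructed sample data: a payroll record as stored on disk, its published
# SHA-256 checksum, and its HMAC tag made with a key the attacker does not have.
RECORD = b"employee=1042;name=Jane Doe;salary=52000"
MAC_KEY = b"constructed-demo-key-32-bytes-long!!"   # assumption: kept out of the attacker's reach
CHECKSUM = sha256_hex(RECORD)
TAG = mac_tag(MAC_KEY, RECORD)


def bit_flip(data: bytes) -> bytes:
    """Simulate accidental corruption: one bit flipped in the last byte."""
    return data[:-1] + bytes([data[-1] ^ 0x01])


def insider_edits_salary(data: bytes) -> Tuple[bytes, str]:
    """Simulate the 'employee altering their own salary' case: the attacker can
    write the file, so they change the value and recompute the public checksum."""
    forged = data.replace(b"salary=52000", b"salary=95000")
    return forged, sha256_hex(forged)


def run_checks() -> Dict[str, bool]:
    corrupted = bit_flip(RECORD)
    forged, forged_checksum = insider_edits_salary(RECORD)
    return {
        "checksum_catches_bit_flip": not checksum_ok(corrupted, CHECKSUM),
        # False: the attacker recomputed the checksum, so the unkeyed check passes.
        "checksum_catches_forgery": not checksum_ok(forged, forged_checksum),
        # True: the attacker cannot recompute TAG without MAC_KEY.
        "mac_catches_forgery": not mac_ok(MAC_KEY, forged, TAG),
        "mac_accepts_original": mac_ok(MAC_KEY, RECORD, TAG),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```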
For any information or system to serve its purpose,
the information must be accessible and usable when it is
needed.
Availability - The act of maintaining the ability to access and use
data when needed. If an attack brings down your network, whether
temporarily or by locking users out, that is a failure of
availability.
The 2021 Colonial Pipeline ransomware attack is a good example.
A note on roles: an Information Security Analyst (or "Info Sec
Analyst"), as distinct from a Cybersecurity Analyst, manages large and
small computer systems with the goal of securing data in any form
against computer-related crime. Their duties cover a broad spectrum,
from monitoring network activity to analyzing potential security risks
and vulnerabilities.
Computing systems used to store and process the
information, the security controls used to protect it, and
the communication channels used to access it must be
functioning correctly.
Examples: Power outages, Hardware failures,
System upgrades and Preventing denial-of-service
attacks
These three concepts form what is often referred to as the
CIA triad. Two further properties are usually listed alongside them:
Authenticity - In computing, e-business and information security it is
necessary to ensure that data, documents, transactions and
communications (electronic or physical) are genuine, i.e. they have
not been forged or fabricated.
Examples: Passports, credit card accounts, academic
transcripts.
Non-repudiation - The term describes the lack of deniability of
ownership of a message, piece of data, or transaction.
Examples: Proof of an ATM transaction, a stock trade, or
an email.
Role Management -> User Side -> Which user can do
what.
Rule Management -> Resource Side -> Which
resources are accessible and under what
circumstances.
An Access Control List is one column of the Access Control Matrix: the
matrix has a row per subject and a column per object; the ACL of an
object is its column (which subjects may do what to it), and a
capability list is a subject's row.
Role Management → User Side (Who can
do what?)
Definition: Role management is about defining what actions a
particular user (or group of users) is allowed to perform in a system.
Focus: It’s user-centric.
Mechanism: Roles are created (e.g., Admin, Manager, Employee,
Guest), and each role is assigned certain permissions. Users are then
mapped to these roles.
Example:
Admin: Can add/remove users, modify data, access all reports.
Manager: Can view and edit team data, generate reports.
Employee: Can only view and update their own data.
Guest: Can only view public information.
This model is known as Role-Based Access Control (RBAC).
It answers: "Which user can do what?"
Rule Management → Resource Side (Which
resources are accessible and under what
circumstances?)
Definition: Rule management defines the conditions under which a user can
access a particular resource (file, API, database, service, etc.).
Focus: It’s resource-centric.
Mechanism: Instead of static roles, rules are defined based on attributes,
policies, and contexts (time, location, device, etc.).
Example:
Resource: Salary Database
Rule: Only HR role can view salary details of all employees.
Rule: Employees can view only their own salary data.
Resource: System Dashboard
Rule: Accessible only during office hours (9 AM – 6 PM).
Rule: Deny access if login attempt is from outside the company network.
This approach resembles Rule-Based Access Control (also called Policy-Based
or Attribute-Based Access Control - ABAC).
It answers: "Which resources are accessible, and under what conditions?"
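The two sides described above can be implemented in one authorization function: role management gives each user a permission set, and per-resource rules refine that set with context. The following is an added example written for this lecture, not code from the lecture or from any product; the roles, users, the office-hours window and the company network range 10.0.0.0/8 are all constructed assumptions, and it generalizes the salary and dashboard examples above by keeping the rules in a table so new resources can be added without touching the roles.

```python
"""Role management (user side, RBAC) combined with rule management (resource
side, attribute/context conditions on time and network)."""
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, Optional, Set

# ---- Role management: which user can do what ----
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "admin":    {"users:add", "users:remove", "data:modify", "reports:all", "dashboard:view"},
    "manager":  {"team:view", "team:edit", "reports:generate", "dashboard:view"},
    "employee": {"self:view", "self:update", "salary:view_own"},
    "hr":       {"salary:view_all"},
    "guest":    {"public:view"},
}
# Constructed users; a user may hold several roles at once.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"admin"}, "bob": {"manager"}, "carol": {"employee"},
    "dave": {"hr", "employee"}, "eve": {"guest"},
}


def permissions_of(user: str) -> Set[str]:
    """Union of the permissions of every role the user holds (empty for unknown users)."""
    perms: Set[str] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


# ---- Rule management: which resources are accessible, under what conditions ----
COMPANY_NET = ip_network("10.0.0.0/8")   # assumption: the office address range
OFFICE_START, OFFICE_END = 9, 18         # 9 AM - 6 PM, as in the dashboard rule

Rule = Callable[[str, Set[str], dict], bool]


def salary_rule(user: str, perms: Set[str], ctx: dict) -> bool:
    """HR sees everyone's salary; others see only their own."""
    if "salary:view_all" in perms:
        return True
    return "salary:view_own" in perms and ctx.get("target") == user


def dashboard_rule(user: str, perms: Set[str], ctx: dict) -> bool:
    """Needs the permission AND office hours AND a source inside the company network."""
    when: Optional[datetime] = ctx.get("when")
    source_ip = ctx.get("source_ip")
    if when is None or source_ip is None:
        return False                       # missing context: fail closed
    in_hours = OFFICE_START <= when.hour < OFFICE_END
    inside = ip_address(source_ip) in COMPANY_NET
    return "dashboard:view" in perms and in_hours and inside


RULES: Dict[str, Rule] = {
    "salary:view": salary_rule,
    "dashboard:view": dashboard_rule,
}


def authorize(user: str, action: str, ctx: Optional[dict] = None) -> bool:
    """Deny by default. A resource rule, if one exists, refines the role
    permissions; otherwise plain RBAC decides."""
    perms = permissions_of(user)
    rule = RULES.get(action)
    if rule is not None:
        return rule(user, perms, ctx or {})
    return action in perms


def at(hour: int) -> datetime:
    """Constructed timestamp on a fixed date, used for the examples."""
    return datetime(2024, 3, 4, hour, 0)


if __name__ == "__main__":
    print(authorize("dave", "salary:view", {"target": "carol"}))                     # True (HR)
    print(authorize("carol", "salary:view", {"target": "dave"}))                     # False
    print(authorize("bob", "dashboard:view", {"when": at(10), "source_ip": "10.1.2.3"}))    # True
    print(authorize("bob", "dashboard:view", {"when": at(20), "source_ip": "10.1.2.3"}))    # False
```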
SECURITY POLICY
Risk → Secure → Action
Security aims to control threats by identifying risks, applying
protective techniques, and taking corrective actions.
Techniques & Measures: Methods like audits, monitoring, and
encryption help detect and reduce vulnerabilities.
Secure Computing Platform: Systems are designed so users can
perform only permitted actions, minimizing misuse of
privileges.
SECURITY POLICY
External Approach: against external attackers.
Focuses on protecting against outside attackers (e.g., firewalls,
intrusion detection, strong authentication).
Internal Approach: against insider threats.
Deals with threats from within the organization (e.g., access
control, user behavior monitoring, role-based policies).
Overall, security is about managing risks through proactive
measures, restricting misuse, and defending against both
external and internal threats.
SECURITY TECHNIQUES
(security measures)
❖Cryptographic Techniques:
Ensure confidentiality (only intended users read data) and integrity
(data is not altered).
❖Authentication Techniques:
Verify that communication happens only between valid, trusted
users.
❖Chain of Trust Techniques:
Ensure that only authentic and verified software runs in the system.
❖Access Control:
Defines user privileges and restricts unauthorized actions.
❖Vulnerability Management:
Ability to detect and patch known flaws before exploitation.
SECURITY TECHNIQUES
(security measures)
❖Data Backup:
Protects against data loss due to system failure, attack, or
disaster.
❖Anti-virus Software:
Defends against malware and malicious programs.
❖Firewall:
Acts as a barrier between trusted and untrusted networks.
❖IDS/IPS (Intrusion Detection/Prevention Systems):
Detect and prevent unauthorized access or misuse.
❖Information Security Awareness:
Training users to identify and resist social engineering
(phishing, scams, manipulation).
Together, these measures build a multi-layered defense against both external attacks and
internal misuse.
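Vulnerability Management above is "detect and patch known flaws before exploitation"; in practice the detection step is matching an inventory of installed software against advisories, and the usual mistake is getting the version boundaries wrong. The following is an added example written for this lecture, not code from the lecture or from any scanner, using only the Python standard library. The package names, versions and advisory identifiers (DEMO-...) are constructed placeholders and do not refer to real software or real vulnerabilities.

```python
"""Vulnerability management: match an installed-software inventory against
advisories and report what is exploitable, handling the version boundaries
correctly (affected if introduced <= version < fixed)."""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'3.0.7' -> (3, 0, 7). Tuple comparison then orders versions numerically,
    so 3.0.10 > 3.0.7, which a plain string comparison gets wrong."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """Half-open range: the fixed version itself is not affected."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


# Constructed inventory and advisories; names and identifiers are placeholders.
INSTALLED: Dict[str, str] = {
    "libfoo": "3.0.6", "webserverd": "1.24.0", "imglib": "2.14.1", "netutil": "8.4.0",
}
ADVISORIES: List[dict] = [
    {"id": "DEMO-0001", "package": "libfoo",     "introduced": "3.0.0",  "fixed": "3.0.7",  "severity": "high"},
    {"id": "DEMO-0002", "package": "imglib",     "introduced": "2.0",    "fixed": "2.17.1", "severity": "critical"},
    {"id": "DEMO-0003", "package": "netutil",    "introduced": "7.69.0", "fixed": "8.4.0",  "severity": "high"},
    {"id": "DEMO-0004", "package": "webserverd", "introduced": "1.25.0", "fixed": "1.25.3", "severity": "medium"},
    {"id": "DEMO-0005", "package": "notinstalled", "introduced": "1.0", "fixed": "1.1",    "severity": "low"},
]
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def find_vulnerable(installed: Dict[str, str], advisories: List[dict]) -> List[dict]:
    """One finding per matching advisory, most severe first, with the upgrade target."""
    findings: List[dict] = []
    for adv in advisories:
        version = installed.get(adv["package"])
        if version is None:
            continue                                   # package not present: nothing to patch
        if is_affected(version, adv["introduced"], adv["fixed"]):
            findings.append({
                "id": adv["id"], "package": adv["package"], "installed": version,
                "upgrade_to": adv["fixed"], "severity": adv["severity"],
            })
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable(INSTALLED, ADVISORIES):
        print(f"{finding['severity']:8} {finding['id']}: {finding['package']} "
              f"{finding['installed']} -> upgrade to {finding['upgrade_to']}")
```

Two of the constructed packages sit exactly on a boundary: netutil is at the fixed version (not affected) and webserverd is below the introduced version (not affected); a scanner that compares versions as strings or uses a closed range would report both.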
Security is the most important aspect of the computing world.
The following are the steps one should follow:
1. Assets: decide, identify and protect them.
2. Risks: identify threats, attacks, vulnerabilities,
exploits and theft.
3. Protection: find the solutions.
4. Tools & Techniques: select them.
5. Priorities: decide the order in which the tools and techniques of step 4 are applied.
1. Cryptography: mathematical "scrambling" of data.
2. Data Security: protective measures that keep data safe from
unauthorized access, preserve privacy, prevent breaches, etc.
3. Computer Security Model:-
It Depends on computer architecture, specification, security
issues, protection mechanism.
Act as a framework for information system security policy.
4. Network Security:-
Protection during transmission,
Policies & provision by Admin,
Authorization & Access Control,
5. Computer Security Procedure:-
strategies, guideline, policies,
standards, specification, regulations & laws.
6. Security Exploits:
Vulnerabilities, unintended and unpatched
flaws in software, viruses, worms and Trojan horses,
malware, different types of attacks.
7. Authentication:- person, computer, program
8. Identity management:- user, device, services
9. Internet policy: WhatsApp, Facebook, etc.
10. Security Software:
Examples are IDS (Intrusion Detection Systems) and IPS
(Intrusion Prevention Systems).
CONCLUSION
• Information Security is fundamental in safeguarding digital
assets.
• Understanding vulnerabilities and applying appropriate
services/mechanisms is critical.
• The CIA triad remains the foundation for all security models.
REFERENCES
• ISO/IEC 27001
• NIST Cybersecurity Framework
• Stallings, W. “Cryptography and Network Security”