IWAM Module 1

Uploaded by

dadug402
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
6 views60 pages

IWAM Module 1

Uploaded by

dadug402
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
You are on page 1/ 60

Information & Web App Management
Chapter 1: Basics of Information Security
Arti Sawant
Course Objectives
 To focus on cybercrime and the need to protect information
 Understand the types of attacks, how to manage the amount of risk involved, and access control techniques
 Discuss the role of industry standards and legal requirements with respect to compliance
 The terms, concepts and countermeasures of application security, threats, and attacks
 Understand secure application design and architecture
 Interpret different threat modeling approaches
Course Outcomes
 Understand the scope of policies and measures of information security.
 Apply risk assessment methodology and the role of access control in identity management
 Interpret various standards available for information security.
 Enumerate the terms of application security, threats and attacks, and describe the countermeasures for the threats discussed.
 Explain secure application design and architecture
 Review the different security scanning and testing techniques and threat modeling approaches
Curriculum
Information Security
 The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction to ensure confidentiality, integrity, and availability
Aspects of Security
 Consider three aspects of information security:
- Security attack
- Security mechanism
- Security service
Security Attack
 Any action that compromises the security of information owned by an organization
 Information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems
 The terms threat and attack are often used to mean the same thing
 There is a wide range of attacks, so we can focus on two generic types:
- Passive
- Active
Passive Attacks
Active Attacks
Security Service
 Enhances the security of data processing systems and information transfers of an organization
 Intended to counter security attacks, using one or more security mechanisms
 Often replicates functions normally associated with physical documents, which, for example, carry signatures and dates; need protection from disclosure, tampering, or destruction; may be notarized or witnessed; and may be recorded or licensed
Model for Network Security
Model for Network Access Security
CIA Triad: Confidentiality, Integrity & Availability
 Confidentiality: Only authorized parties can access information
 Integrity: Ensures data is complete and accurate
 Availability: Ensures information and systems are accessible to authorized users when needed
Confidentiality
 Goals:
- Prevent sensitive information from being seen by unauthorized parties.
- Maintain privacy of data in storage, transmission, and processing.
- Enforce proper data classification (e.g., public, internal, confidential, restricted).
Attacks on confidentiality
Attack | Description
Sniffing | Intercepting network traffic (e.g., packet sniffing)
Shoulder surfing | Observing someone typing a password or PIN
Phishing | Tricking users into submitting passwords or other confidential information
Data breach | Unauthorized access to databases or storage (e.g., via stolen credentials or weak access controls)
Malware/Spyware | Software that captures screen contents, keystrokes, or data from user systems
Improper disposal | Recovering sensitive information from discarded devices/media that were not properly sanitized
Integrity
 Goals:
- Data should remain the same across systems and over time unless changed deliberately.
- Users must be able to trust that the data hasn't been tampered with.
- Only authorized personnel/systems can alter data.
- Any unauthorized or accidental modification should be detectable.
Attacks on integrity
Attack | Description
Modification attacks | The attacker intercepts or accesses data and changes it for personal gain
Masquerading (Spoofing) | The attacker impersonates a legitimate user or entity to gain unauthorized access
Replay attacks | The attacker captures a valid message and re-sends it later to replicate its effect
Repudiation | One party denies having sent or received a message, despite having done so
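As an added illustration that is not part of the original slides, the following Python code shows how a message authentication code combined with a per-sender sequence number lets a receiver detect the modification, masquerading and replay attacks listed above; the key, sender names and messages are constructed for the example.

```python
import hashlib
import hmac
import json

# Shared secret, constructed for this example only; a real system would
# load it from a key store rather than hard-code it.
KEY = b"constructed-example-key-not-for-real-use"


def _canonical(body: dict) -> bytes:
    """Serialize the message deterministically so sender and receiver
    compute the MAC over exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_message(key: bytes, sender: str, seq: int, payload: str) -> dict:
    """Build a message and attach an HMAC-SHA256 tag over sender, sequence
    number and payload. Changing any field invalidates the tag."""
    msg = {"sender": sender, "seq": seq, "payload": payload}
    msg["tag"] = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return msg


class Receiver:
    """Verifies integrity (tag) and freshness (monotonic sequence number)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = {}  # highest sequence number accepted, per sender

    def verify(self, msg: dict) -> tuple:
        """Return (accepted, reason). Rejects modified, forged and replayed
        messages. Note: a shared-key MAC gives no non-repudiation; the
        repudiation attack in the table needs digital signatures instead."""
        body = {k: v for k, v in msg.items() if k != "tag"}
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking the tag through timing.
        if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
            return False, "bad tag: message modified or sender forged"
        if msg["seq"] <= self.last_seq.get(msg["sender"], -1):
            return False, "replay: sequence number already seen"
        self.last_seq[msg["sender"]] = msg["seq"]
        return True, "accepted"


def demo() -> dict:
    """Run each attack from the integrity table against the receiver."""
    rx = Receiver(KEY)
    results = {}
    genuine = sign_message(KEY, "alice", 1, "transfer 100 to bob")
    results["genuine"] = rx.verify(genuine)[0]
    # Modification attack: payload altered in transit, tag left untouched.
    tampered = dict(genuine)
    tampered["payload"] = "transfer 100 to mallory"
    results["modified"] = rx.verify(tampered)[0]
    # Replay attack: the earlier valid message is re-sent unchanged.
    results["replayed"] = rx.verify(genuine)[0]
    # Masquerading: attacker claims to be alice but lacks the key.
    forged = {"sender": "alice", "seq": 2, "payload": "x", "tag": "00" * 32}
    results["forged"] = rx.verify(forged)[0]
    # A fresh, correctly tagged message from alice is still accepted.
    later = sign_message(KEY, "alice", 2, "transfer 5 to carol")
    results["next"] = rx.verify(later)[0]
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:9s} -> {'accepted' if ok else 'rejected'}")
```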
Availability
 Goals:
- Ensure information and services are accessible when needed.
- Systems and services should operate consistently and predictably.
- Use backup systems or components to maintain service.
- Ability to recover quickly from failures (e.g., fire, flood, cyberattack).
Attacks on availability
Attack | Description
Denial of Service (DoS) | Overloads a system with excessive requests, causing it to crash or slow down
Distributed DoS (DDoS) | Similar to DoS but from multiple sources (botnets) for greater impact
Ransomware | Encrypts files/systems, making data unavailable until a ransom is paid
Hardware failure attacks | Physically damaging servers, storage, or networking hardware
Administrative vs Technical Measures
Administrative Measures | Technical Measures
Management-level policies and procedures put in place to define roles, responsibilities, behavior, and guidelines to secure the organization | Hardware- or software-based mechanisms that enforce security policies and protect CIA
Define rules for acceptable use, access, mobile devices, data handling | Protect data in transit and at rest
Educating employees on phishing, password hygiene, incident response | Using passwords, biometrics, tokens, MFA for authentication
Define procedures to handle breaches and incidents | Role-based access control (RBAC), ACLs
Determine who gets access, how, and when | Control network traffic between zones
Identify, evaluate, and prioritize security risks | Detect and remove malicious software
Ensure adherence to standards (e.g., ISO 27001, GDPR, HIPAA) | SIEM (Security Information and Event Management) correlates logs to detect threats
Policies
 An information security policy is a formal, high-level statement that outlines an organization's rules and commitment to protecting its information assets.
 Sets the overall direction and intent.
 Provides management support for security.
 E.g. Acceptable Use Policy, Password Policy, Data Protection Policy, etc.
Procedures
 Procedures are step-by-step instructions that explain how to implement a policy.
 Translate policies into concrete actions.
 Ensure tasks are performed consistently and securely.
 Detailed, task-specific, and operational.
 Focused on "how" rather than "why".
 May vary between departments based on context.
Guidelines
 Guidelines are recommendations or best practices that help users make informed decisions, but they are not mandatory.
 Offer flexibility while promoting secure behavior.
 Suggest improvements beyond minimum compliance.
 Optional but encouraged.
 Can be tailored to specific needs.
 Not enforceable, but highly valuable.
Standards
 Standards are formal rules or criteria that define uniform specifications, methods, or requirements for consistent implementation.
 Ensure uniformity and quality across systems and processes.
 Enforce technical consistency with policies and procedures.
 Precise and measurable.
 Often based on industry frameworks (e.g., ISO, NIST).
 Mandatory when adopted by the organization.
Information Security: People, Process, and Technology (PPT)
 The People, Process, Technology model is a widely accepted triad framework used in cybersecurity and information security to build a balanced and effective security strategy.
 It emphasizes that true security is achieved not just by implementing technology, but also by aligning it with the right people and processes.
 "People" refers to employees, users, administrators, security professionals, and leadership within an organization who interact with or manage information systems.
 People are the first line of defense, and often the weakest link.
 Human errors such as clicking phishing links, using weak passwords, or mishandling data can lead to security breaches.
Key Considerations
 Security Awareness Training: Regular education on cyber threats, phishing, social engineering, etc.
 Roles and Responsibilities: Defining clear accountability for security.
 Insider Threat Management: Detecting and mitigating threats from within the organization.
 User Access Management: Assigning only the privileges required by job roles.
 E.g. A well-trained employee may recognize a phishing email and report it, preventing a potential data breach.
 "Processes" refers to the policies, procedures, and workflows that define how security is managed, enforced, and monitored across the organization.
 Processes ensure that security tasks are repeatable, consistent, and compliant with standards.
 They define "how" and "when" security is applied, reducing the dependency on individual decision-making.
Key processes
 Incident Response Plan: Steps to detect, respond to, and recover from security incidents.
 Risk Management: Identifying and mitigating security risks.
 Change Management: Secure implementation of changes to systems.
 Compliance Monitoring: Ensuring alignment with laws and standards like GDPR, HIPAA, ISO 27001.
 E.g. A documented and tested incident response process allows a company to quickly isolate a malware-infected system and avoid further damage.
 "Technology" refers to the tools, platforms, software, and hardware used to protect against, monitor, and respond to security threats.
 Technology automates and enforces security controls.
 Provides real-time detection of and protection from cyberattacks.
Key technologies
 Firewalls & IDS/IPS: Network protection and monitoring.
 Antivirus/Anti-malware: Endpoint defense.
 Encryption: Protects data at rest and in transit.
 Authentication Systems (MFA, biometrics): Control access.
 Security Information and Event Management (SIEM): Centralized threat analysis and logging.
 E.g. An organization installs an endpoint detection tool that automatically quarantines systems infected with ransomware.
IT Act, 2000
 Enacted by the Indian Parliament in May 2000, the IT Act provides the legal foundation for e-governance and e-commerce, granting official recognition to electronic records and digital signatures.
 It amended several laws, including the Indian Penal Code and the Evidence Act, to streamline legal recognition of digital documents and authentication.
Features of the Act
 Legal Recognition of Electronic Transactions: Section 4 declares electronic records legally valid and Section 5 validates digital signatures as legally binding.
 Regulatory Framework: Establishes a Controller of Certifying Authorities (CCA) to oversee digital signature issuance and compliance.
 Cybercrime Offences & Penalties: Covers hacking, data theft, identity theft, misrepresentation, cyber-terrorism, publishing obscene content, etc. Penalties range from fines to imprisonment.
 E.g. Civil liability for damage caused by unauthorized access is covered under Section 43, which allows compensation up to ₹1 crore.
 The Act applies to actions involving Indian computer systems, even if committed abroad.
Case study
 Shreya Singhal v. Union of India (2015)
IT Act 2008
 The Information Technology (Amendment) Act, 2008 is a major update to the Information Technology Act, 2000. It was passed by the Indian Parliament in December 2008 and came into effect on 27 October 2009.
 Its aim was to modernize India's cyber laws in response to:
- Rapid advancements in digital technology.
- Emergence of new cybercrimes.
- The need for better data protection and cyber law enforcement.
Amendments in IT Act, 2008
 Several new cybercrimes were formally defined:
Section | Offence | Description
66A | Offensive messages | Sending offensive/false content electronically (struck down in 2015)
66B | Dishonest receipt of stolen computer resources | Penalty for knowingly receiving stolen digital assets
66C | Identity theft | Using someone else's digital signature, password, or other unique ID
66D | Cheating by personation | Fraud using computer resources (e.g., phishing)
66E | Privacy violation | Capturing/publishing private images without consent
66F | Cyber terrorism | Acts intended to threaten the sovereignty or integrity of India using computer systems; punishable with life imprisonment
 Data Protection: Section 43A
- Companies that collect, store, or process sensitive personal data must implement "reasonable security practices".
 Privacy Safeguard: Section 72A
- Punishment for disclosure of personal information without consent.
- Penalty: Up to 3 years imprisonment or ₹5 lakh fine, or both.
 Intermediary Liability: Section 79
- Defines the responsibilities of intermediaries (e.g., ISPs, web hosting services, social media platforms).
- Updated in 2021 through the IT Rules to impose stricter content regulation and accountability.
 Cybersecurity Institutions Established
- Section 70A: Created the National Critical Information Infrastructure Protection Centre (NCIIPC) under NTRO to protect key sectors like energy, finance, and transport.
- Section 70B: Officially designated CERT-In as the national nodal agency for cybersecurity incident response.
 Government Surveillance Powers: Section 69
- Enables government agencies to intercept, monitor, or decrypt information for reasons such as the sovereignty and integrity of India and national security.
 Legal Recognition of Electronic Evidence
- The amendment made electronic records and digital signatures admissible as evidence in court.
- Strengthened provisions of the Indian Evidence Act and Indian Penal Code.
IT Act 2000 vs IT Act 2008
Feature | IT Act 2000 | IT Act 2008 (Amended)
Scope | E-commerce, legal validity of e-records | Cybercrime, data protection, privacy
New crimes defined | Few (e.g., hacking) | Identity theft, cyber terrorism, phishing
Data privacy | Not addressed | Sections 43A and 72A added
Intermediaries | Not well-defined | Defined with legal protection (Sec 79)
Institutions | Controller of Certifying Authorities | Added CERT-In, NCIIPC
Surveillance | Not addressed | Govt powers under Sec 69 introduced
Standards available for InfoSec
 COBIT
 ISO 27001
 OWASP
 OSSTMM
COBIT: Control Objectives for Information and Related Technologies
 COBIT is a framework developed by ISACA (Information Systems Audit and Control Association)
 It provides a comprehensive governance and management model for enterprise IT
 It bridges the gap between technical issues, business risks, and control requirements.
Objectives of COBIT
 Align IT goals with business objectives
 Provide a structured approach to IT governance and management.
 Minimize IT risks and enhance control over information systems
 Ensure regulatory compliance, security, and risk management.
 Improve decision-making using metrics and maturity models
Key principles of COBIT
Principle | Description
Provide stakeholder value | IT should deliver benefits aligned with business needs.
Holistic approach | Integrates various enablers (processes, structures, people).
Dynamic governance system | Governance must adapt to changing needs.
Governance distinct from management | Clear distinction between setting direction (governance) and executing (management).
Tailored to enterprise needs | Framework can be customized for different business contexts.
End-to-end governance system | Covers all enterprise IT, not just the IT department.
ISO 27001
 ISO 27001 is a global standard for establishing, implementing, maintaining, and continuously improving an Information Security Management System (ISMS)
 Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)
 First introduced in 2005, revised in 2013, and most recently updated in 2022
 ISO 27001 helps protect data confidentiality, integrity, and availability (CIA) through a systematic approach to managing sensitive company information
Objectives
 Establish a risk-based approach to information security.
 Ensure continuous protection of assets like data, networks, and applications.
 Provide confidence to stakeholders, clients, and regulators regarding information security.
 Ensure compliance with legal, regulatory, and contractual requirements.
 Enable business continuity through effective risk management and incident response.
ISO 27001: 2013 version
 Components:
1. Information Security Management System (ISMS): A structured set of policies, procedures, and processes that manage information security risks.
2. Annex A Controls (114 controls, grouped into 14 domains): These controls are recommendations to reduce risks and address security requirements.
2013 Version – 14 Control Domains
Domain | Example Controls
A.5: Information security policies | Management direction for security
A.6: Organization of information security | Roles, responsibilities, segregation of duties
A.7: Human resource security | Security in hiring, training, and termination
A.8: Asset management | Inventory, ownership, classification
A.9: Access control | User access policies, authentication
A.10: Cryptography | Use of encryption and key management
A.11: Physical and environmental security | Protection of physical assets and facilities
A.12: Operations security | Logging, malware protection, backup
A.13: Communications security | Network security and transmission controls
A.14: System acquisition, development | Security in development and testing
A.15: Supplier relationships | Third-party risk management
A.16: Incident management | Reporting and handling information security events
A.17: Business continuity | Disaster recovery, availability planning
A.18: Compliance | Legal, regulatory, and contractual compliance
ISO 27001: 2022 Update
 The standard now has a total of 93 controls, down from the 114 controls of the 2013 version
 Key changes include updated controls for cloud services, threat intelligence, and data leakage prevention
 The controls are now organized into four categories: Organizational, People, Physical, and Technological
 It provides updated guidance on implementing controls, particularly for emerging technologies and evolving threats.
New controls in ISO 27001:2022
 5.7 Threat intelligence: Gathering and analysing information about potential threats.
 5.23 Information security for use of cloud services: Implementing security measures when using cloud services.
 5.30 ICT readiness for business continuity: Ensuring ICT systems are ready for business continuity events.
 7.4 Physical security monitoring: Implementing physical security monitoring to detect intrusions.
 8.9 Configuration management: Managing the configuration of IT systems.
 8.10 Information deletion: Implementing procedures for deleting information.
 8.11 Data masking: Using data masking techniques to protect sensitive data.
 8.12 Data leakage prevention: Implementing measures to prevent data leakage.
 8.16 Monitoring activities: Monitoring activities to detect security breaches.
 8.23 Web filtering: Implementing web filtering to control access to websites.
 8.28 Secure coding: Following secure coding practices to prevent vulnerabilities.
OSSTMM – Open Source Security Testing Methodology Manual
 OSSTMM is a practical and scientific methodology for performing security testing
 Developed by ISECOM (Institute for Security and Open Methodologies)
 Focuses on objective, measurable, and repeatable security analysis
 Emphasizes trust analysis, risk measurement, and operational security controls
 Widely used in penetration testing, audit, and security assessments of networks, systems, and processes
Goals
 Ensure accurate and repeatable security assessments.
 Evaluate security posture based on trust levels, not just technical flaws.
 Provide legal, operational, and technical context for security testing.
 Promote standardization and transparency in testing processes.
 OSSTMM divides a system or organization into five channels of interaction:
1. Human security: Social engineering, physical security related to people
2. Physical security: Doors, locks, surveillance systems, facility access
3. Wireless security: Radio frequencies, Bluetooth, Wi-Fi, NFC
4. Telecommunication security: Phones, VoIP, telecom networks
5. Data networks security: Internet, LAN/WAN, network protocols and services
OSSTMM Testing Process
 Define Scope – Select channel(s) to be tested.
 Gather Intelligence – Collect information using passive/active techniques.
 Perform Tests – Use manual and automated tools (e.g., Nmap, Metasploit).
 Measure and Record – Quantify metrics like visibility, access, trust.
 Report Findings – Detailed report with test metrics, trust levels, and security posture.
COBIT vs ISO 27001 vs OSSTMM
Aspect | COBIT | ISO/IEC 27001 | OSSTMM
Full form | Control Objectives for Information and Related Technologies | International Standard for Information Security Management System | Open Source Security Testing Methodology Manual
Developed by | ISACA | ISO/IEC (International Org. for Standardization) | ISECOM (Institute for Security and Open Methodologies)
Primary purpose | IT governance and management | Establishing and managing a risk-based ISMS | Scientific and repeatable methodology for security testing
Approach | Governance and process control | Risk-based management system | Empirical, measurement-driven security testing
Scope | Enterprise-wide IT processes, including information security | Information security risk management and controls | Technical, human, and physical penetration testing
Main components | Governance & Management Objectives, Enablers | Clauses (4–10), Annex A Controls | 5 Channels: Human, Physical, Wireless, Telecom, Data Networks
Security focus | High-level governance and process control for IT risks | Confidentiality, Integrity, Availability (CIA) via policies and controls | Visibility, trust, access control, and risk via scientific testing
Treatment of human security | Limited – via policy, training, and roles/responsibilities | Moderate – in HR Security domain (A.7), awareness and training | Deep coverage – social engineering, physical access, behavioural testing
Treatment of physical security | Covered under organizational processes | Yes – in Annex A.11 (Physical and Environmental Security) | Direct and detailed – includes intrusion tests, camera audits, physical barriers
Risk management | At process and governance level | Core component – risk identification, assessment, and treatment | Risk quantified using the RAV (Risk Assessment Value) model
Output | Governance maturity level, strategic IT alignment | Statement of Applicability (SoA), ISMS, compliance report | Quantitative metrics, attack surface, trust metrics
