INFORMATION SECURITY

PRESENTED BY:
RAJA ZAKA ULLAH
SENIOR LECTURER
LAHORE GARRISON UNIVERSITY
INFORMATION SECURITY
• Credit Hours: 3+0
• Prerequisites: None
• Attendance Required: 85%
 Marks Distribution
I. Sessional 25
II. Mid Term 25
III. Final Exam 50
COURSE
LEARNING OUTCOMES (CLOS):
• Explain key concepts of information security such as design principles, cryptography, risk management, and ethics.
• Discuss legal, ethical, and professional issues in information security.
• Apply various security and risk management tools for achieving information security and privacy.
• Identify appropriate techniques to tackle and solve problems in the discipline of information security.
COURSE CONTENT
WEEKS CONTENTS
1 Information Security Foundations
2 Security Design Principles
3 Cryptography Basic and Terminologies
4 Symmetric Cryptography
5 Asymmetric Cryptography
6 Encryption, Hash Functions, Digital Signatures
7 Key Management
8 Authentication and Access Control
9 Software Security
10 Malware, Vulnerabilities and Protections
11 Database Security
12 Network Security, Firewalls
13 Intrusion Detection
14 Security policies, Policy Formation and Enforcement
15 Risk Assessment, Cybercrime
16 Law and Ethics in Information Security, Privacy and Anonymity of Data
INFORMATION
SECURITY FOUNDATIONS
Information Security Concepts
Threats, Attacks, and Assets
Security Functional Requirements
SECURITY
DESIGN PRINCIPLES
Fundamental Security Design Principles
Attack Surfaces and Attack Trees
Vulnerabilities, Risk, Countermeasures
Information Security Strategy
CRYPTOGRAPHY
BASICS AND TERMINOLOGY
• Cryptography: the science of protecting messages by transforming them under a secret
• Cryptanalysis: the science of recovering plaintext or keys without being given the key
• Plaintext: the original message
• Ciphertext: the transformed message
• Key: the secret used in the transformation
• Encryption: turning plaintext into ciphertext under a key
• Decryption: turning ciphertext back into plaintext under a key
• Cipher: the algorithm for encryption/decryption
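The terms on this slide made concrete, as an added example that is not part of the course material: a deliberately weak cipher (single-byte XOR) is used to encrypt a constructed message, and the cryptanalysis step recovers the key from the ciphertext alone. The message, key value and frequency table are assumptions for the demonstration; the cipher is a teaching toy with a key space of only 256 values and must not be used to protect anything.

```python
"""Single-byte XOR: plaintext, key, ciphertext, encryption, decryption and
cryptanalysis in one file. Teaching toy only; the key space is 256 values."""
from __future__ import annotations
import string


def xor_cipher(data: bytes, key: int) -> bytes:
    """The cipher: XOR every byte with the one-byte key. XOR is its own
    inverse, so one function serves for both encryption and decryption."""
    return bytes(b ^ key for b in data)


def encrypt(plaintext: bytes, key: int) -> bytes:
    """Plaintext + key -> ciphertext."""
    return xor_cipher(plaintext, key)


def decrypt(ciphertext: bytes, key: int) -> bytes:
    """Ciphertext + key -> plaintext."""
    return xor_cipher(ciphertext, key)


# Approximate English letter frequencies (percent) for the commonest letters
# (assumed values); a candidate decryption rich in them is probably right.
_FREQ = dict(zip("etaoinshrdlu",
                 [12.7, 9.1, 8.2, 7.5, 7.0, 6.7, 6.3, 6.1, 6.0, 4.3, 4.0, 2.8]))


def english_score(candidate: bytes) -> float:
    """Higher means 'looks more like English text'."""
    score = 0.0
    for b in candidate:
        ch = chr(b)
        if ch.lower() in _FREQ:
            score += _FREQ[ch.lower()]
        elif ch == " ":
            score += 13.0
        elif ch not in string.printable:
            score -= 20.0   # unprintable bytes are a strong sign of a wrong key
    return score


def break_single_byte_xor(ciphertext: bytes) -> tuple[int, bytes]:
    """Cryptanalysis: recover the key from ciphertext alone. With only 256
    possible keys, exhaustive search plus a plausibility score is enough."""
    best_key, best_text, best_score = 0, b"", float("-inf")
    for key in range(256):
        candidate = decrypt(ciphertext, key)
        s = english_score(candidate)
        if s > best_score:
            best_key, best_text, best_score = key, candidate, s
    return best_key, best_text


if __name__ == "__main__":
    plaintext = b"attack at dawn on the eastern bridge"   # constructed message
    key = 0x5A                                            # the shared secret
    ciphertext = encrypt(plaintext, key)
    print("ciphertext:", ciphertext.hex())
    recovered_key, recovered = break_single_byte_xor(ciphertext)
    print(f"recovered key 0x{recovered_key:02x}, plaintext {recovered!r}")
```

The point of the last function is the one the slide's "cryptanalysis" entry makes: a cipher whose key space an attacker can enumerate is broken regardless of how the algorithm is written, which is why the symmetric ciphers in the following weeks use keys of 128 bits or more.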
SYMMETRIC
CRYPTOGRAPHY
Data Encryption Standard (DES)
Triple-DES (3DES)
Blowfish
IDEA (International Data Encryption Algorithm)
RC4, RC5, and RC6
Advanced Encryption Standard (AES)
ASYMMETRIC
CRYPTOGRAPHY
o Diffie-Hellman
o RSA (Rivest-Shamir-Adleman)
o El Gamal
o Elliptic curve cryptosystem (ECC)
o Digital Signature Algorithm (DSA)
o Merkle-Hellman Knapsack
ENCRYPTION,
HASH FUNCTIONS,
DIGITAL SIGNATURES
AUTHENTICATION
AND ACCESS CONTROL
User Authentication
• Electronic user authentication principles
• Password-based authentication
• Token-based authentication
• Biometric authentication
• Remote user authentication
• Security issues for user authentication
• Practical application: an iris biometric system
• Case study: security problems for ATM systems
Access Control
• "The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner"
• Central element of information security
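Password-based authentication with the safeguards the "security issues for user authentication" topic calls for, as an added example that is not part of the course material: the server stores a salted, slow password hash instead of the password, compares in constant time, and keeps a per-account failure counter against online guessing. It uses only the Python standard library; the usernames, passwords and the iteration count are assumptions for the demonstration.

```python
"""Salted PBKDF2 password storage with constant-time verification and lockout."""
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 work factor (assumed here; raise it until one check
# costs a noticeable fraction of a second on the login server).
ITERATIONS = 600_000
MAX_FAILURES = 5


def make_record(password: str) -> dict:
    """Build what the server stores: a fresh random salt and the derived key.
    Equal passwords yield different records, so a leaked table cannot be
    attacked with one precomputed dictionary for all users."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "digest": digest}


def verify(record: dict, password: str) -> bool:
    """Re-derive under the stored salt and compare in constant time, so the
    time taken does not reveal how many leading bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


class UserStore:
    """Minimal user database with lockout after MAX_FAILURES wrong guesses."""

    def __init__(self) -> None:
        self._users: dict = {}
        self._failures: dict = {}

    def register(self, username: str, password: str) -> None:
        self._users[username] = make_record(password)
        self._failures[username] = 0

    def login(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            # Do the same amount of work for an unknown user so response time
            # does not reveal which usernames exist.
            hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\0" * 16, ITERATIONS)
            return False
        if self._failures[username] >= MAX_FAILURES:
            return False     # locked: refuse even a correct password until reset
        ok = verify(record, password)
        self._failures[username] = 0 if ok else self._failures[username] + 1
        return ok

    def unlock(self, username: str) -> None:
        """Administrative reset of the failure counter."""
        self._failures[username] = 0


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")   # constructed user
    print(store.login("alice", "correct horse battery staple"))   # True
    print(store.login("alice", "password123"))                    # False
    print(store.login("mallory", "anything"))                     # False, same cost
```

Two trade-offs worth noticing: the lockout protects against online guessing but lets anyone who knows a username lock that account, so production systems usually combine it with rate limiting per source and a time-based unlock; and the stored iteration count is kept in the record so the work factor can be raised for new passwords without invalidating old ones.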
SOFTWARE SECURITY
• Discussed software security issues
• Handling program input safely
Size, interpretation, injection, XSS, fuzzing
• Writing safe program code
Algorithm, machine language, data, memory
• Interacting with O/S and other programs
ENV, least privilege, syscalls / std libs, file lock, temp files, other
programs
• Handling program output
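Two of the input-handling problems named on this slide, injection and XSS, each shown as the vulnerable form beside the hardened form, as an added example that is not part of the course material. The SQLite table, the accounts and the attacker strings are constructed for the demonstration.

```python
"""SQL injection and XSS: vulnerable and safe versions side by side."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", 1), ("bob", "hunter2", 0)])
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    """String formatting puts attacker-controlled text into the SQL grammar,
    so a quote and a comment marker in the name rewrite the query."""
    query = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in conn.execute(query)]


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Placeholders keep the data out of the grammar: the quote characters
    in the attacker's input are just characters inside a bound value."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


def greeting_vulnerable(display_name: str) -> str:
    """Interpolating untrusted text into HTML lets it become markup."""
    return f"<p>Welcome, {display_name}!</p>"


def greeting_safe(display_name: str) -> str:
    """Escape at the point of output (the 'handling program output' bullet)
    so that the text stays text whatever it contains."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}!</p>"


if __name__ == "__main__":
    conn = make_db()
    attacker_name = "alice' --"     # the comment marker removes the password check
    print(login_vulnerable(conn, attacker_name, "anything"))   # ['alice']
    print(login_safe(conn, attacker_name, "anything"))         # []
    payload = "<script>alert(document.cookie)</script>"
    print(greeting_vulnerable(payload))
    print(greeting_safe(payload))
```

The same interpretation problem underlies both bugs: bytes the program treats as data are handed to another interpreter (the SQL engine, the browser) that reads them as code. Parameter binding and output escaping fix it at the boundary rather than by trying to blacklist characters in the input.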
DATABASE SECURITY
• Introduced Databases and DBMS
• Relational Databases
• Database Access Control Issues
SQL, role-based
• Inference
• Statistical Database Security Issues
• Database Encryption
 Cloud Security
MALWARE,
VULNERABILITIES
AND PROTECTIONS
• Introduced types of malicious software,
including backdoor, logic bomb, Trojan horse, mobile code
• Virus types and countermeasures
• Worm types and countermeasures
• Bots
• Rootkits
NETWORK SECURITY
• Secure Sockets Layer (SSL) / Transport Layer Security (TLS)
• IPv4 and IPv6 Security
• S/MIME (Secure/Multipurpose Internet Mail Extensions)
INTRUSION DETECTION
• Introduced intruders & intrusion detection
Hackers, criminals, insiders
• Intrusion detection approaches
Host-based (single and distributed)
Network
Distributed adaptive
• Honeypots
• Snort example
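A small host-based intrusion detector run over constructed sshd log lines, in the spirit of the Snort example on this slide and added here as an example that is not part of the course material. It combines the two approaches the slide lists: a signature rule (a pattern that is always worth an alert) and a threshold rule (too many failed logins from one source inside a time window), plus a follow-up rule that flags a successful login from a source that had just been brute-forcing. The log lines, process ids and addresses are invented and the thresholds are assumed.

```python
"""Signature and threshold detection over sshd authentication log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log excerpt: a password-guessing run from one address that ends
# in a successful root login, then unrelated activity from a second address.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[4412]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
2024-03-01T10:00:03 sshd[4412]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2
2024-03-01T10:00:04 sshd[4412]: Failed password for root from 198.51.100.7 port 51024 ssh2
2024-03-01T10:00:06 sshd[4412]: Failed password for root from 198.51.100.7 port 51025 ssh2
2024-03-01T10:00:07 sshd[4412]: Failed password for root from 198.51.100.7 port 51026 ssh2
2024-03-01T10:00:09 sshd[4412]: Accepted password for root from 198.51.100.7 port 51027 ssh2
2024-03-01T10:05:00 sshd[4413]: Failed password for alice from 192.0.2.10 port 40001 ssh2
2024-03-01T10:30:00 sshd[4413]: Accepted publickey for alice from 192.0.2.10 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<event>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)

# Signature rule: any authentication attempt against root is reported.
SIGNATURES = {"ROOT_LOGIN_ATTEMPT": re.compile(r" for root from ")}

THRESHOLD = 5          # this many failed logins from one source ...
WINDOW_SECONDS = 60    # ... within this many seconds trips the threshold rule


def parse(line: str):
    """Return the fields of one sshd auth line, or None if it is not one."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(log_text: str) -> list:
    """Scan the log once; return (rule, source, detail) tuples in log order."""
    alerts = []
    failures = defaultdict(deque)   # src -> timestamps of failures inside the window
    flagged = set()                 # sources that already tripped the threshold rule
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                alerts.append((name, src, line.split(": ", 1)[1]))
        if ev["event"] == "Failed":
            window = failures[src]
            window.append(ts)
            while (ts - window[0]).total_seconds() > WINDOW_SECONDS:
                window.popleft()          # drop failures older than the window
            if len(window) >= THRESHOLD and src not in flagged:
                flagged.add(src)
                alerts.append(("BRUTE_FORCE", src,
                               f"{len(window)} failed logins within {WINDOW_SECONDS}s"))
        elif src in flagged:              # an Accepted event from a flagged source
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", src, f"logged in as {ev['user']}"))
    return alerts


if __name__ == "__main__":
    for rule, src, detail in detect(SAMPLE_LOG):
        print(f"{rule:<26} {src:<14} {detail}")
```

The sliding window is what separates this from a simple counter: a source that fails once an hour never trips the rule, while five failures in six seconds do, and the correlation rule turns a noisy "brute force in progress" alert into the far more urgent "the brute force worked".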
FIREWALLS
• Introduced need for & purpose of firewalls
• Types of firewalls
Packet filter, Stateful inspection, application and circuit
gateways
• Firewall hosting, locations, topologies
• Intrusion prevention systems
IT SECURITY
MANAGEMENT
AND RISK ASSESSMENT
• Detailed need to perform risk assessment as part of IT
security management process
• Relevant security standards
• Presented risk assessment alternatives
• Detailed risk assessment process involves
Context including asset identification
Identify threats, vulnerabilities, risks
Analyse and evaluate risks
IT
SECURITY CONTROLS,
PLANS, AND PROCEDURES
• Security controls or safeguards
Management, operational, technical
Supportive, preventative, detection / recovery
• IT security plan
• Implementation of controls
Implement plan, training and awareness
• Implementation followup
Maintenance, compliance, change / config management,
incident handling
PHYSICAL AND
INFRASTRUCTURE SECURITY
• Introduced physical security issues
• Threats: nature, environmental, technical, human
• Mitigation measures and recovery
• Assessment, planning, implementation
• Physical/logical security integration
HUMAN
RESOURCES SECURITY
• Introduced some important topics relating to
human factors
• Security awareness, training & education
• Organizational security policy
• Personnel security
• E-mail and Internet Use Policies
SECURITY AUDITING
• Introduced need for security auditing
• Audit model, functions, requirements
• Security audit trails
• Implementing logging
• Audit trail analysis
• Integrated SIEM products
LEGAL
AND ETHICAL ASPECTS
Reviewed a Range of Topics:
• Cybercrime and computer crime
• Intellectual property issues
• Privacy
• Ethical issues
TEACHING
METHODOLOGY
• Lectures,
• Written Assignments,
• Semester Project,
• Presentations
COURSE
ASSESSMENT
• Sessional Exam,
• Weekly Practical Assignments,
• Quizzes,
• Project,
• Presentations,
• Final Exam
TEXT BOOKS
• Computer Security: Principles and Practice, 3rd edition by William Stallings
• Cryptography and Network Security Principles and
Practices, Fourth Edition By William Stallings
• Official (ISC)2 Guide to the CISSP CBK, 3rd edition
REFERENCE MATERIALS
• Principles of Information Security, 6th edition by M.
Whitman and H. Mattord
• Computer Security, 3rd edition by Dieter Gollmann
• Computer Security Fundamentals, 3rd edition by
William Easttom