PPTX Slide 1

(1)

C S 4 8 3 – S D S E C T I O N

BY D R . D A N I YA L A L G H A Z Z AW I ( 1 )

Information Security

(2)

Syllabus

Textbook:

 “Information Security-Principles and Practice” by Mark Stamp

Grading:

 Projects:

1. Classic Cipher: 10%

2. Symmetric Cipher: 15%

3. Asymmetric Cipher: 15%

4. New Cipher: 10%

 Exams (Open book):

 OS Services: 5%

 Midterm: 15%

 Final: 30%

(3)

Definition

Information Security is the process of

protecting data from unauthorized access, use, disclosure, destruction, modification, or disruption.

Other names:

 Computer security

 Information assurance

 Data security

 IT security

 Computer security

(4)

Basic Principles of Information Security

Confidentiality

 No one can see it

Integrity

 Remove / Insert some pages

Availability

 see it anytime

(5)

Where to Start? Risk Management

We need to start the Risk Management’s process:

 To identify the vulnerabilities

 To identify the threat

Why do we need Risk Management?

 a threat may use a vulnerability to cause harm to valuable information

The objective of the Risk Management’s :

 To reduce risk to an acceptable level

(6)

1. D E F I N I T I O N

2. P R O C E S S

3. E X E C U T I V E

Risk Management

(7)

Definition

“Risk management is the process of

identifying vulnerabilities and threats to the information resources used by an

organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information

resource to the organization.” CISA Review Manual 2006

(8)

Process

1. Identification of assets and estimating their value.

2. Conduct a threat assessment.

3. Conduct a vulnerability assessment.

4. Calculate the impact that each threat would have on each asset.

5. Identify, select and implement appropriate controls.

6. Evaluate the effectiveness of the control measures.

(9)

Executive Management

Executive Management can choose to:

 accept the risk

 mitigate the risk

 deny the risk

(10)

Executive Management

1. “Accept the risk”?

 do nothing !

2. “Mitigate the risk”?

 Administrative Control

 Logical Control

 Physical Control

3. “Deny the risk”?

 Confidentiality

 Integrity

 Authenticity

(11)

1. T E R M I N O L O G Y

2. C R Y P T O G R A P H Y

3. C I P H E R S

1. Substitution Ciphers

2. Transposition Ciphers

3. Symmetric Ciphers

4. Asymmetric Ciphers

Cryptology

(12)

Basic Terminology of Crypto

Cryptology: is the art and science of making and breaking “secret codes.”

Cryptography: is the making of “secret codes.”

Cryptanalysis: is the breaking of “secret codes.”

Crypto: is a synonym for any or all of the above (and more).

(13)

Cryptography

Cipher (رفص) is an algorithm for performing encryption and decryption — a series of well- defined steps that can be followed as a

procedure.

Plaintext Ciphertext

Encrypt

Decrypt

(14)

Cryptography

The operation of a cipher usually depends on a piece of auxiliary information, called a key.

Key Authentication Problem

Plaintext Ciphertext

Encrypt

Decrypt

(15)

Cryptography

Ciphers

1. Classic

Substituti on e.g., Caesar

Cipher

Transpos ition e.g., Route Cipher

Hybrid

2. Modern

Symmetri c (Private

Key) Str

ea m Ci ph er e.g

., R C4

, A5

/1

Bl oc k Ci ph er e.g

., DE

S, AE S

Asymmet ric (Public

Key) e.g., RSA

Hybrid