CH#1 Is Security Updated 26-3

Faculty of Business

Department of Financial Technology


Information Systems Security & Protection

Chapter#1: Introduction to Information Security


Dr. Ali Ahmad Alawneh

2nd Term 2023/2024


Information systems

An information system (IS) is a collection of hardware, software, data, and people that work together to collect, process, store, and disseminate information. An IS can be used for a variety of purposes, such as supporting business operations, decision making, and communication.

Information systems are vulnerable to a variety of security threats, such as hackers, viruses, and natural disasters. As such, it is important for organizations to implement appropriate security measures to protect their information systems.
What is information systems security (INFOSEC)?

Information security refers to the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. It aims to protect the confidentiality, integrity, and availability of information and information systems.

The protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats.
What is information systems security (INFOSEC)?

INFOSEC refers to the processes and methodologies involved with keeping information confidential, available, and assuring its integrity.

It also refers to:

- Access controls, which prevent unauthorized personnel from entering or accessing a system.
- Protecting information no matter where that information is, i.e. in transit (such as in an email) or in a storage area.
- The detection and remediation of security breaches, as well as documenting those events.
What is information systems security (INFOSEC)?

Information security (infosec) is a set of policies, procedures and principles for safeguarding digital data and other kinds of information. Infosec responsibilities include establishing a set of business processes that protect information assets, regardless of how that information is formatted or whether it is in transit, being processed or at rest in storage.

Infosec ensures that the employees have access to the data they require, while preventing unauthorized access. It can also be associated with risk management and legal regulations.
Principles of Information Security

The pillars or principles of infosec are collectively known as the confidentiality-integrity-availability (CIA) triad. These are intended to serve as a guide for information security policies and processes within an organization. The overall goal of infosec is to let the good guys in, while keeping the bad guys out. The three primary tenets that support this are confidentiality, integrity and availability.
Principles of Information Security

- Confidentiality is the principle that information should only be available to those with the proper authorization to that data. Integrity is the principle that information is consistent, accurate and trustworthy. Availability is the principle that information is easily accessible by those with proper authorization and remains so in case of failure to minimize interruptions to users.
- These three principles do not exist in isolation, but inform and affect one another. Therefore, any infosec system involves a balance of these factors.
Principles of Information Security

While the CIA triad forms the basis of infosec policy and decision-making, other factors, including the following, should be added to a complete infosec plan:

- Risk management. Because infosec involves a balance of competing factors, it is associated with risk management. The goal here is to maximize positive outcomes, while minimizing negative ones. Organizations use risk management principles to determine the level of risk they are willing to take on when executing a system. They can also put into place guards and mitigations to reduce risk.
Principles of Information Security

- Data classification. Data classification should also be considered with infosec to give extra attention to information that needs to remain either highly confidential or data that needs to remain easily available.
- User training. Businesses should also employ user training to protect personal data, as well as both computer controls and organizational policy as risk mitigation factors. For example, to limit the risk of an accounting analyst changing financial data, an organization can put in place a technical control limiting change rights and logging changes. Alternatively, an organizational policy of having a second person to audit completed records can also mitigate this risk.
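The accounting example above combines two controls: a technical one (only certain roles may change a record, and every attempt is logged) and an organizational one (a second person reviews the change before it takes effect). The following Go program is an added illustration written for this chapter, not code from the slides or from any named product. The ledger, the user names, the two roles and the record values are all constructed for the example; a real system would back the audit log with tamper-evident storage rather than an in-memory slice.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Role is a job function. Constructed for this example: analysts may propose
// a change to a record, controllers may approve a change proposed by someone else.
type Role int

const (
	RoleAnalyst Role = iota
	RoleController
)

var (
	ErrNotAuthorized = errors.New("user lacks the role required for this action")
	ErrSelfApproval  = errors.New("requester may not approve their own change")
	ErrNoPending     = errors.New("no pending change for this record")
)

// ChangeRequest is a proposed modification that has not yet been applied.
type ChangeRequest struct {
	Record    string
	OldValue  float64
	NewValue  float64
	Requester string
}

// AuditEntry is one line of the change log; denied attempts are logged too,
// because repeated denials are themselves a detection signal.
type AuditEntry struct {
	When   time.Time
	Actor  string
	Action string
	Record string
	Detail string
}

// Ledger holds the financial records, the user-to-role mapping, pending
// requests awaiting a second person, and the audit log.
type Ledger struct {
	records map[string]float64
	roles   map[string][]Role
	pending map[string]ChangeRequest
	audit   []AuditEntry
}

func NewLedger(records map[string]float64, roles map[string][]Role) *Ledger {
	return &Ledger{records: records, roles: roles, pending: map[string]ChangeRequest{}}
}

func (l *Ledger) hasRole(user string, r Role) bool {
	for _, have := range l.roles[user] {
		if have == r {
			return true
		}
	}
	return false
}

func (l *Ledger) log(actor, action, record, detail string) {
	l.audit = append(l.audit, AuditEntry{time.Now(), actor, action, record, detail})
}

// Propose records a change request; it never touches the stored value itself.
func (l *Ledger) Propose(user, record string, newValue float64) error {
	if !l.hasRole(user, RoleAnalyst) {
		l.log(user, "denied propose", record, ErrNotAuthorized.Error())
		return ErrNotAuthorized
	}
	l.pending[record] = ChangeRequest{record, l.records[record], newValue, user}
	l.log(user, "propose", record, fmt.Sprintf("%.2f -> %.2f", l.records[record], newValue))
	return nil
}

// Approve applies a pending change only when a controller who is not the
// requester signs off: the "second person" control from the slide.
func (l *Ledger) Approve(user, record string) error {
	req, ok := l.pending[record]
	if !ok {
		l.log(user, "denied approve", record, ErrNoPending.Error())
		return ErrNoPending
	}
	if !l.hasRole(user, RoleController) {
		l.log(user, "denied approve", record, ErrNotAuthorized.Error())
		return ErrNotAuthorized
	}
	if req.Requester == user {
		l.log(user, "denied approve", record, ErrSelfApproval.Error())
		return ErrSelfApproval
	}
	l.records[record] = req.NewValue
	delete(l.pending, record)
	l.log(user, "approve", record, fmt.Sprintf("%.2f -> %.2f requested by %s", req.OldValue, req.NewValue, req.Requester))
	return nil
}

func (l *Ledger) Value(record string) float64 { return l.records[record] }
func (l *Ledger) Audit() []AuditEntry       { return l.audit }

func main() {
	l := NewLedger(
		map[string]float64{"Q1-revenue": 1000}, // constructed sample record
		map[string][]Role{"alice": {RoleAnalyst}, "bob": {RoleController}, "carol": {RoleAnalyst, RoleController}},
	)
	fmt.Println("propose:", l.Propose("carol", "Q1-revenue", 1250))
	fmt.Println("self-approve:", l.Approve("carol", "Q1-revenue")) // refused
	fmt.Println("approve by bob:", l.Approve("bob", "Q1-revenue"))
	for _, e := range l.Audit() {
		fmt.Printf("%s %-5s %-15s %s\n", e.When.Format(time.RFC3339), e.Actor, e.Action, e.Detail)
	}
}
```

The point to notice is that holding both roles does not let carol push a change through alone: the role check is the technical control and the requester-is-not-approver check is the organizational one, and both have to pass before the record changes.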
Principles of Information Security

- Nonrepudiation. Another important infosec factor is nonrepudiation, which is the ability to prove that information hasn't been tampered with. No one should tamper with data at rest or in transit, its source should be trustworthy and it shouldn't be accidentally or maliciously modified.
- Business continuity and disaster recovery (BCDR). BCDR is an additional consideration of infosec. Data should remain available and unchanged in the case of a software or hardware failure. Organizations can accomplish this through backups or redundant systems.
Principles of Information Security

- Change management. Consider change management with an infosec policy as well. Poorly managed changes may cause outages that affect the availability of a system. System changes may also affect the overall security of stored data.
Types of Information Security

- Although information security can take many different forms, the following are the most common types:

1. Application security. This infosec approach is designed for safeguarding applications and application programming interfaces. It prevents vulnerabilities and data breaches from affecting applications. Application security can be achieved through various techniques, such as employing web application firewalls and scanners that continuously find, monitor and mitigate vulnerabilities.
Types of Information Security

2. Infrastructure security. Infrastructure security focuses on safeguarding intranet and extranet networks, as well as labs, data centers, servers, desktop computers, cloud assets and mobile devices. It also protects against typical cybercrimes, as well as natural disasters and other mishaps. In short, infrastructure security plays a big part in reducing and mitigating damage from any type of malfunction.
Types of Information Security

3. Cloud security. This approach is geared toward securing, building and hosting apps in the cloud. To ensure cloud security, businesses must ensure secure application usage and isolation between separate processes because cloud applications are run in a shared environment.
Types of Information Security

4. Cryptography. Cryptography is the process of converting plaintext data into secure data by encrypting it. This infosec approach encrypts both the data at rest and in transit to ensure data integrity and defend against cyber attacks. To make messages and data harder to read, security teams frequently use digital signatures and sophisticated algorithms. For instance, symmetric key algorithms, such as Advanced Encryption Standard, are frequently employed to secure sensitive government data.
Types of Information Security

5. Vulnerability management. Every year, thousands of new vulnerabilities are discovered that require organizations to patch their operating systems and applications and reconfigure the security settings of their network. The vulnerability management process identifies and manages all the weak points in an environment to proactively address vulnerabilities before they turn into real threats.
Types of Information Security

6. Incident response plan. An incident response plan is a set of information security processes that are used to identify, contain and recover from security breaches. By having an incident response strategy in place, organizations can contain threats and recover easily from the aftermath of a security incident. Steps for preserving evidence for forensic examination and future prosecution should also be established as part of this plan. These details can be used to identify the perpetrator and prevent subsequent attacks.
Information Security Threats

1. Insecure systems: New technology is being released every day. However, if it's not designed with security in mind, it can have severe repercussions for the information security of an organization. Consequently, if a business is running obsolete or legacy systems, it runs a great risk of falling prey to security breaches. Organizations should identify weak systems and patch them up or decommission them as necessary.
Information Security Threats

2. Social media attacks: Attacks on information security through social media are on the rise. Cybercriminals use direct or indirect means to attack social media sites. Through messaging, attackers can often transfer malware to social media users who are the targets of direct attacks, whereas indirect techniques may involve gathering data from social media sites to identify organizational or user vulnerabilities and plan an attack.
Information Security Threats

3. Social engineering attacks: Social engineering is the practice of coercing individuals into disclosing their personal information, or of stealing it from them. This tactic relies on exploiting human nature, which is typically the weakest link in a system. Attackers typically send phishing emails and messages that have a tone of urgency or fear, tricking users into divulging their sensitive information.
Information Security Threats

4. Third-party breaches: Attackers occasionally use a flaw or vulnerability to gain access to and steal data held on the systems of third-party vendors. For instance, in 2021, hackers exploited the vulnerabilities in Microsoft Exchange Server to access the emails of 60,000 private companies and nine government entities.
Information Security Threats

5. Lack of encryption: Encryption is a great way to protect information assets within an organization. However, this important method is often overlooked by certain organizations due to its complex nature and lack of legal implications. For example, the healthcare industry is subject to HIPAA compliance, which requires every computer to be encrypted due to the sensitive nature of the data involved.
Information Security Threats

6. Distributed denial-of-service attacks

In a distributed denial-of-service (DDoS) attack, multiple compromised machines attack a target, such as a server, website or other network resource, making the target totally inoperable. The flood of connection requests, incoming messages or malformed packets forces the target system to slow down or to crash and shut down, denying service to legitimate users or systems.
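The flood the slide describes shows up in a server's access log as many requests from one source in a short time, which is the first thing a defender looks for. The Go program below is an added example for this chapter, not code from the slides; it parses constructed access-log lines (the timestamps, the RFC 5737 documentation addresses and the paths are all made up for the example) and applies a sliding-window count per source to flag any source that exceeds a request limit within a window. Real deployments would feed this from the web server's log format and act on the result with rate limiting or upstream filtering, which this example leaves out.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Request is one parsed access-log line: arrival time and source address.
type Request struct {
	At     time.Time
	Source string
}

// ParseLog reads lines of the form "<RFC3339 time> <source IP> <method> <path>".
// Malformed lines are skipped instead of aborting, so a flood of garbage
// cannot take the detector down along with the service it watches.
func ParseLog(log string) []Request {
	var out []Request
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 {
			continue
		}
		t, err := time.Parse(time.RFC3339Nano, f[0])
		if err != nil {
			continue
		}
		out = append(out, Request{t, f[1]})
	}
	return out
}

// FloodSources returns, sorted, every source that issued more than limit
// requests inside any window of the given length. Requests from one source
// are assumed to appear in time order, as they do in a log file.
func FloodSources(reqs []Request, window time.Duration, limit int) []string {
	bySource := map[string][]time.Time{}
	for _, r := range reqs {
		bySource[r.Source] = append(bySource[r.Source], r.At)
	}
	var flagged []string
	for src, ts := range bySource {
		start := 0
		for end := range ts {
			for ts[end].Sub(ts[start]) > window { // slide the window forward
				start++
			}
			if end-start+1 > limit {
				flagged = append(flagged, src)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

// SampleLog builds a constructed access log: two ordinary clients making one
// request per second, one source making 40 requests in two seconds, and a
// malformed line. None of it is real traffic.
func SampleLog() string {
	base := time.Date(2024, 3, 26, 10, 0, 0, 0, time.UTC)
	var b strings.Builder
	for i := 0; i < 10; i++ {
		t := base.Add(time.Duration(i) * time.Second)
		fmt.Fprintf(&b, "%s 198.51.100.5 GET /index.html\n", t.Format(time.RFC3339Nano))
		fmt.Fprintf(&b, "%s 192.0.2.44 GET /about\n", t.Add(500*time.Millisecond).Format(time.RFC3339Nano))
	}
	for i := 0; i < 40; i++ {
		t := base.Add(3*time.Second + time.Duration(i)*50*time.Millisecond)
		fmt.Fprintf(&b, "%s 203.0.113.7 GET /login\n", t.Format(time.RFC3339Nano))
	}
	b.WriteString("this line is malformed and is skipped by the parser\n")
	return b.String()
}

func main() {
	reqs := ParseLog(SampleLog())
	fmt.Printf("parsed %d requests\n", len(reqs))
	fmt.Println("sources over 10 requests in 2s:", FloodSources(reqs, 2*time.Second, 10))
}
```

A single-source threshold like this catches one noisy client; a distributed flood spreads the load over many addresses, so in practice the same window count is also kept per target path and for the server as a whole, and the limit is tuned against the normal traffic baseline rather than fixed.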
Information security vs. cybersecurity

Since most information exchange happens in cyberspace these days, the terms information security and cybersecurity are often used interchangeably. While their paths intersect, both terms have individual meanings.

Physical security, data encryption and network security are all examples of information security. It is also closely related to information assurance, which safeguards data against threats, such as natural disasters and server outages. In short, information security is concerned with protecting any type of data, not just data in cyberspace.
Information security vs. cybersecurity

Cybersecurity, on the other hand, is a subcategory of information security. It deals with technological threats and the practices and tools that can be used to mitigate cyber attacks, such as spyware or ransomware. Data security is another related category of cybersecurity that focuses on protecting an organization's data from accidental or malicious exposure to unauthorized parties.
Closing-Down

Any Questions?