Foundations - Part 01 - Prof. Saji K Mathew

00:17

Hello and welcome to the second session of cybersecurity and privacy course.

00:23

So, in the last class we had a brief introduction about cybersecurity and privacy, actually

00:30

we were trying to understand what the title means.

00:33

So, it is like laying the foundation for foundation and today is the foundation for cybersecurity.

00:40

So, we will dwell on certain fundamental aspects of cybersecurity, predominantly cybersecurity

00:48

and privacy as a topic, we will do after a few sessions on cybersecurity gets over and

00:55

you will get to appreciate what is, what are the connections between data privacy and cybersecurity

01:01

through, of course, through several sessions that follow.

01:06

So, essentially cybersecurity as an administrative issue, is what this course is focusing on.

01:15

So, in administration you need to administrate, you need to manage several resources.

01:21

So,you have to as managers , you manage human resources, you manage technological resources

01:29

you manage tangible and intangible resources of a organization.

01:34

So essentially, we do not look at cyber security as a technological issue alone but we also

01:43

look at it as a broad or much bigger issue concerning governance and management of organizations.

01:50

So what are the frameworks that are available what are the standards that are available

01:54

for cyber security management in practice is a part of this course as I outlined in

02:01

the previous session.

02:03

And we would also be looking at technology in a three dimensional perspective, as I explained

02:13

in the last class, as technology as a source of threat, technology as an asset to be protected

02:19

and technology also as a tool or as a firewall for protecting your cyber assets.

02:29

So there are three aspects to technology in this course.

02:34

And the cyber security challenges are emerging, we have seen that in the last class.

02:40

So, I am going to bring certain diagrams that actually help you understand the concept of

02:46

cyber security or information security in a holistic way, understanding what are the

02:54

different dimensions of it.

02:57

So one such diagram is this and of course the title is information security, As I explained

03:03

to you in the last class, cyber security and information security are closely related.

03:08

Information security is a part of cyber security and it is a most important part of cyber security

03:15

I would say and therefore you can understand it from multiple dimensions.

03:21

You can see, there are three major dimensions - information security as the main concept

03:29

or the main central concept, the main concept and then you can see there are three concentric

03:35

circles, which constitute three dimensions or three constituents of information security

03:41

which are network security,computer and data security and management of information security.

03:50

And in the intersection, you see the intersection, a shaded intersection which actually emerges

03:59

from the management perspective in terms of color, you can see that but which is central,

04:04

you know, which is common to all the three.

04:07

So, in other words, you can see that policy guides, policy is the reference for security

04:16

related practice, security related decisions, for example, how much should an organization

04:24

invest in cyber security?

04:26

We are going to discuss a case today where there is an organization which is invested

04:31

as much as Pentagon, invests in security.

04:34

So huge focus on cybersecurity, that may not be the case with all organizations.

04:41

So the policies would differ from organization to organization, depending on the criticality

04:49

of the cyber assets and other considerations, that organization choose, chooses.

04:55

So, they make choices on cybersecurity investments.

05:00

So the policy is the intersection and policy guides decisions as I said, then you see network

05:05

security and computer and data security.

05:09

Other way to think about it is, well, this is about in data and information.

05:16

So in data and information, there are three aspects, one is data storage, other is data

05:21

transmission and the third is data processing.

05:25

So these are the computing elements- data storage devices, data transmission and data

05:31

processing.

05:32

So, security pertains to these three aspects of computing.

05:36

You can see computer and data security involves data, databases and computer means processing.

05:44

So the applications that process the data.

05:47

So that is one aspect, storage and processing and the third aspect is data transmission.

05:53

You can see network security when data or information is transmitted from node A to

06:00

node B, there is a chance of data breach or you know unauthorized access to the data and

06:11

therefore that is another aspect or another aspect of computer security or information

06:16

security.

06:17

So data storage, data transmission and data processing - three aspects of computing needs

06:24

protection and should be secured and that is what is represented in this diagram.

06:31

And, well, in order to do that, you need management practices and management policies . There

06:39

should be human resources, there should be technology for protecting these assets and

06:46

there should be decisions on ,how much to protect and how much to leave, how much to

06:52

leave - that is also a decision management actually, may not over invest in security,

06:57

we will see that.

06:58

So all these are pertaining to the administrative dimension of cyber security.

07:04

So you can see cyber security is not one - cyber security involves all the three and there

07:10

is a need for understanding and also practicing it, as an integrated effort to protect cyber

07:20

assets.

07:22

Now, this is a very important aspect of cyber security as a course, any course in cyber

07:30

security you do, be it a technology course, be it a management course, you will have these

07:37

three concepts which will be a common fundamental set of three concepts - Confidentiality, Integrity

07:47

and Availability.

07:49

So, this is often called the CIA triangle, CIA triangle.

07:55

So, what is CIA triangle means one way to understand it is, CIA is the purpose of cyber

08:09

security,what does cyber security do?

08:13

Cyber security ensures that confidentiality, integrity and availability of information

08:23

is secured.

08:24

So it is like the purpose, what is cyber security’s aim to achieve, it aims to achieve confidentiality,

08:31

integrity and availability of information,information in the cyber world.

08:39

Well, that is the most dominant or most important concept, the concept, set of concepts that

08:46

pertain to cyber security.

08:48

Of course,the cyber world goes beyond information today , so those aspects we will slowly integrate

08:54

into the lessons that are coming up but at a fundamental level, if you look at the purpose

09:00

of information security,it is to ensure these three aspects which are important for computing

09:10

for it which are important for secured storage processing and transmission of information.

09:18

So there may be other aspects, other concepts also related to cyber security, for example

09:24

accountability.

09:26

So those are related concepts, we will discuss them one by one.

09:29

So let us try to understand what each of these concepts are,in some more detail as we go.

09:39

So I will get into each of these concepts in the coming slides but let us have a holistic

09:44

understanding of cyber security or information security, I am using it, these two terms synonymously

09:52

now.

09:53

So, here is an NSTI SSC security model, also known as McCumber cube or John McCumber is

10:04

the person, who proposed this cube which makes understanding about cyber security holistic,

10:13

very holistic and if you look at it closely and if you are in the practice of cyber security,

10:19

this cube ensures that you do not miss anything.

10:22

do not miss anything, you do not miss any aspect of cyber security.

10:25

There are three dimensions that McCumber cube actually represents in a cubical form, the

10:33

first dimension is the computing dimension which we discussed, storage processing transmission

10:42

these are the three roles of computer systems and that is where your information and data

10:48

reside.

10:49

So those are the assets and those are the devices which actually are involved in the

10:59

storage processing and transmission of data.

11:02

The second dimension is the objective or the purpose of cyber security which is availability

11:08

integrity and, sorry, confidentiality, integrity and availability.

11:12

So when computer systems store, process and transmit data,they should be secure, what

11:19

does security means - security means confidentiality, integrity and availability.

11:24

So these three dimensions of computing should be protected with respect to confidentiality

11:30

integrity and availability.

11:31

Now how do you do that?

11:34

How do you actually protect?

11:35

There are three methods to ensure cyber security, they are number one, policy, number two, education

11:44

and number three, technology.

11:47

These are methods to ensure cyber security in terms of confidentiality, integrity and

11:55

availability for data and information storage, processing and transmission.

12:01

So it is very intuitive, the important lesson here is, suppose you look at one cell of this

12:09

cube, it does not miss,it looks at all the three dimensions for example, there is an

12:15

application so that is for data processing, look at the center dimension.

12:22

So this is for this particular cell, you will look at it from three dimensions.

12:28

So for example, this is for data processing and integrity of data processing has to be

12:35

ensured and this integrity has to be ensured with respect to policy, education and technology.

12:43

So this, the number of cells of course, you can, you know say, so three into three into

12:49

three, so each cell is holistic and when as my practicing managers, you can actually ask

12:55

these questions, you know, are all these cells considered in cyber security?

13:03

Due attention has been paid to all the three dimensions across all the cells.

13:08

So that is the, that is another fundamental concept or a fundamental framework to understand

13:14

cyber security - the McCumber cube.

13:17

Now, let me also take you through the CIA triangle which we discussed, which I propose

13:29

as the three objectives or the purpose of cyber security.

13:35

The first concept is confidentiality.

13:42

What is confidentiality?

13:43

Confidential information.

13:48

So I have heard in administrative circles, if you want to make something public and make

14:00

a gossip out of something, put some document is so called, you know you want to actually

14:05

leak it out, put it into an envelope, close this and put a heading - confidential and

14:12

give it to a clerk, that will be the talk of the town the next day.

14:17

So the moment you say confidential, you become curious.

14:21

So people are curious to listen to conversations or tap data which is not theirs.

14:29

There is a human tendency, sometimes it is out of many reasons.

14:35

So I can't tell you all the reasons why people want to access others information.

14:41

There can be malice, there can be evil intentions, there can be fun, there can be, it could be

14:48

by mistake also.

14:50

So there could be human errors but it can happen due to several reasons.

14:55

The purpose of cyber security is to ensure that if person A sends an information to person

15:02

B and person A wants this to be read only by person B and not by any C, system has to

15:12

ensure that, this transmission of data from A to B is confidential, that is it is read,

15:19

only by B and not by C.

15:24

And three scholars, of course, they are not scholars, they are also entrepreneurs, you

15:28

must have heard about this name Rivest, Shamir and Adleman, they actually, we will refer

15:35

to them later on in encryption techniques, when we discuss in a later class.

15:42

So they published a paper in 1978 in IBM systems journal where they actually represented confidentiality

15:50

using the diagram that is given here.

15:52

Alice is sending a confidential letter or a message to Bob and then there is the evil

15:59

Eve, actually wanting to intersect or wanting to know what is going on.

16:04

So that is where, the aspect of confidentiality comes.

16:08

A data which is confidential should be read by only the intended recipient not by anybody

16:16

else and that is what confidentiality is.

16:20

And you can think of the application of this concept in so many situations or so many contexts

16:31

in business and in society.

16:34

For example, who accesses your private information, who has access to your credits or your academic

16:46

performance.

16:47

So, the institute can give access to those who can access it and those who should not

16:55

access it, as those who are not supposed to access it, should not do it.

16:59

So the data has to be protected against unauthorized access unauthorized access.

17:07

And see for example, best example is our Aadhaar database.

17:12

Aadhaar database is biometric and it is your personal identity.

17:23

And it is the responsibility of the country to ensure that this is not accessed by people

17:30

or anyone.

17:31

It is my data.

17:32

So, that is where the privacy aspect comes in.

17:35

And when I shared it with someone, it should be used by that entity or the data processor

17:44

only with those for whom I have given permission, I have given consent to share the data.

17:51

There is always a consent between the data collector or the data processor and the data

17:56

subject.

17:57

And therefore that contract should be maintained and that is what confidentiality is.

18:03

Confidentiality is the responsibility of the data collector to ensure that data is shared

18:11

only with the intended recipients and not with unintended recipients.

18:17

So how do we actually ensure this?

18:20

So, in order to ensure confidentiality, there is need for information classification.

18:28

For example, in an organization there is personal data and there is data about your salaries

18:38

for example, in a company when you work, And the HR department has to ensure that your

18:45

salary data is known, can be accessed by maybe certain superiors but not by your peers or

18:54

your subordinates.

18:55

There is a policy.

18:57

So the policy has to be implemented in the database access.

19:01

Essentially you are ensuring confidentiality as to who can access and who cannot access.

19:07

So therefore information need to be classified.

19:10

We will discuss information classification later, as to what is confidential and what

19:15

is not confidential or what is top secret as in the US military.

19:19

And then documents have to be secured in terms of storage and the security policies has to

19:26

be applied and people need to be trained and so on.

19:30

That is the confidentiality aspect of information.

19:36

So you will see in systems that ensure confidentiality, when an information passes from Alice to Bob,

19:44

the jealous Eve may be able to access that data.

19:48

You may be able to intersect and even if you intersect you cannot actually make out what

19:54

it is.

19:55

Caesar cipher, you know, Caesar used to communicate with his commanders through someone.

20:01

But if someone on the way reads that you do not understand anything.

20:04

So that is encryption.

20:06

We will come to that.

20:07

The second aspect of cyber security is integrity.

20:13

What do you mean by integrity when you hear this word what comes to your mind?

20:25

Completeness.

20:27

Yeah, integrity means purity, completeness.

20:32

Okay.

20:33

No compromise on the quality.

20:36

Yeah it talks about quality.

20:38

It talks about completeness.

20:40

It talks about purity.

20:42

Is that the word you use?

20:43

Okay.

20:44

Alright.

20:45

Okay.

20:46

So we refer to people, you know, the so and so person does not have integrity and so and

20:53

so person high integrity.

20:56

So integration, integrity means whole, the full.

21:01

So if part is missing, somebody is really good in doing job but somebody gets into malpractices.

21:12

So we say, integrity is questionable.

21:16

Some aspect is fine but some aspect is missing.

21:19

Integrity is that.

21:20

There is an information that is transmitted from A to B. That is the whole information.

21:26

At A, it is the whole information but when it reaches B, part of it is missing.

21:31

For example, you are giving your CV.

21:32

You are sharing your CV with placement and you have your complete CV.

21:38

But somebody is jealous about your CV and removes your work experience.

21:44

Then, I hope it does not happen, but then information is passed.

21:50

CV is passed but integrity is the problem.

21:54

Part of the data is stolen or missing or somebody actually changes your work experience.

22:00

Say, you said, 10 years and somebody makes it 2 years.

22:05

You alter the data.

22:07

So you also manipulate it.

22:09

All that is about the integrity of the data.

22:13

So when data passes from A to B, the data should reach B intact.

22:19

We call it intact, without any damage, without any manipulation, without any change and it

22:26

should be as it is.

22:28

That is the integrity aspect of data.

22:32

And in practical scenarios, for example if you share your data in with your employer

22:44

and employer does not give you access to your personal data or your professional or your

22:54

bio data.

22:55

And suppose you did a certificate program or you updated your, you want to update your

23:00

CV.

23:01

But as an employee, they do not give you access to your data.

23:05

Then again, it is a matter of integrity.

23:07

You are not able to update your data.

23:11

And today, by regulation it is required that when a data, a subject shares the data with

23:21

a data controller or a data collector, the subject should have access to that data wherever

23:29

it is stored.

23:30

I should be able to make changes to that data.

23:32

It is my data and I should have access to it.

23:36

It is one of the privacy rights.

23:38

It is also about the integrity of the data.

23:40

The data is incomplete.

23:42

And suppose, it can also happen when somebody entered that data into a database, your date

23:47

of birth is entered wrong.

23:50

And date of birth matters in employment.

23:53

Suppose you are born in year 2000, suppose it is entered as 2010, there is a big problem

24:01

out there.

24:02

Even one year change can actually affect your promotions and so many things.

24:06

So it affects you and you are the affected party, others may not mind.

24:10

So it is somebody else's problem but user must have access.

24:13

So it is a problem of data integrity, essentially.

24:16

So it reflects in so many aspects in organizations, in government and in so many other settings.

24:22

So integrity is therefore a very fundamental aspect of information security.

24:30

Confidentiality and then integrity.

24:33

Who has access to your data and protecting your data without damage.

24:38

That is the second aspect.

24:39

And the third dimension of cyber security is availability.

24:49

Well, availability is the other side of confidentiality.

25:00

Data should not be available to unintended audience.

25:04

But data should be available, when it is required by the intended party.

25:11

When you are in need of information, it should be accessible and available.

25:17

So it is the other side.

25:18

It should not be accessed by someone who does not have access rights but it should be accessible

25:24

and always accessible as per contract, based on the contract.

25:29

And therefore availability is very critical in certain business context.

25:40

Availability of databases.

25:43

Suppose you are trying to book a ticket, an airline ticket or train ticket in IRCTC.

25:51

And you try to log in, you log in and you are about to reserve but the database is not

25:58

available, it is down.

26:00

And maybe you want to browse and see your past reservations some information you want

26:04

but the database is not accessible.

26:06

You have signed in and therefore you have the privilege to access your data.

26:11

It’s your data, you are not accessing somebody else's.

26:14

You are within confidentiality but the system should allow you to access your information

26:21

when you are in need of it.

26:24

And this is the time for you to make a reservation and the data is not available.

26:27

It is a problem of availability.

26:30

So, in order for computing systems to ensure availability, they need to make provisions

26:39

for that.

26:40

Cyber security management requires to ensure data is available to those who are intended

26:47

recipients of the data.

26:50

And availability is related to reliability.

26:58

If systems are reliable, they will be available.

27:02

So therefore, reliability engineering, especially in computer systems, ensures the availability

27:11

of data or databases or access to computing resources using a method known as redundancy.

27:24

Redundancy is the word.

27:27

So,how much of redundancy, if one system is down, the processing or access should not

27:34

stop, should be available from other systems.

27:36

So availability by redundancy.

27:39

So I am just giving a clue as to how technologically you will ensure availability and availability

27:45

is also a function of how much.

27:49

There is a 99.9999 so the number of nines after the decimal point.

27:57

So, that is a sort of contract also when it comes to B2B in terms of IT contracts, in

28:03

terms of availability.

28:04

So when critical systems run on IT, availability is critical and therefore by contract, by

28:10

service level agreements, there will be contractual arrangement between parties to ensure availability

28:16

of systems.

28:18

And therefore if a client is asking for more availability, you can imagine the service

28:23

provider has to invest more in redundancy.

28:26

And therefore, the cost will be higher.

28:28

So therefore, you can always ask for 100 percent availability but 100 percent comes at a, sometimes

28:34

an infinite cost.

28:36

So, these are concepts that are related to cyber security - confidentiality, integrity

28:45

and availability and these three terms, even if you forget everything else, should be by

28:51

heart to you, as students of cyber security.

28:54

Even if you have woken up in the middle of the night, what is cyber security doing? confidentiality,

28:59

integrity and availability.

29:00

So there should be straight recall of these three concepts.

29:06

Let me illustrate it with an example.

29:09

So there is an image of course, what does it take you to, this image, biometric, the

29:19

yeah, the retinal.

29:22

So somebody is taking a biometric scan of the eye.

29:27

It can be different aspects of the eye, we will see that later.