101 Basic Concepts of Information Security


Huawei Certified ICT Associate

Security v3.0
Professional Training Program
www.huawei.com

Copyright © 2018 Huawei Technologies Co., Ltd. All rights reserved.


Huawei Certified ICT Associate

Security v3.0
Instructor: Ssendi Samuel
www.huawei.com



Basic Concepts of Information Security

www.huawei.com



Foreword
 Information security is the process of ensuring safe data communication and preventing issues such as information leakage, modification, and disruption.
 This document describes the basic concepts and protection measures of information security, as well as information security risks and associated assessment and avoidance methods.

Objectives
 Upon completion of this course, you will be able to:
 Describe the definition and characteristics of information security.
 Explain the characteristics and differences of security models.
 Differentiate between security risks.

Contents
1. Information and Information Security
2. Information Security Risks and Management

Information
What is information?

[Figure: examples of information: books/letters, state secrets, emails, radar signals, transaction data, test questions]

 Information created, received, and maintained as evidence and information by an organization or person, in pursuance of legal obligations or in the transaction of business.
--- ISO/IEC Guidelines for the Management of IT Security (GMITS)

Information Security
 Information security refers to the preservation of the confidentiality, integrity, and availability of data through security technologies.
 These technologies include computer software and hardware, network, and key technologies. Organizational management measures throughout the information lifecycle (generation, transmission, exchange, processing, and storage) are also essential.
 The following will be affected if information assets are damaged: national security; system operating and continuous development; personal privacy and property.
 The aim of information security is to protect data against threats through technical means and effective management.

Information Security Development

[Figure: development timeline]
Early 1900s: Communication secrecy stage. Limited communication technologies and dispersedly stored data.
Post-1960s: Information security stage. Internet development brings new challenges and threats to information security.
1980s: Information assurance stage. Information-based security replaces traditional security.

Photo or Information Leakage?
 After the Chinese government invited bids for oil production equipment, Japanese intelligence experts used this simple photo to uncover the following secrets of the Daqing Oilfield:
 Located between 46N and 48N, as indicated by the clothing of Wang Jinxi
 Diameter of the oil well, inferred from the handle rack

Communication Secrecy Stage
 In the early 1900s, communication technologies were underdeveloped, and data was stored in different locations.
 Information system security was limited to physical security of information and cipher-based security of communication (mainly stream cipher).
 As long as information was in a relatively secure place and unauthorized users were prohibited from accessing the information, data security could be generally guaranteed.

Information Security Stage
 Since the 1990s, Internet technologies have developed rapidly, and information leaks have increased.
 As a result, in addition to confidentiality, integrity, and availability, information security began to focus on more principles and objectives, such as controllability and non-repudiation.

[Figure: the five objectives: confidentiality, integrity, availability, controllability, non-repudiation]

Information Assurance Stage
 Business-oriented information security assurance
[Figure: three pillars]
Business: different service traffic with various risks and protection methods
Security system: cohesive security management and technical protection; proactive defense rather than passive protection
Management: talent development and system establishment for security management

Case - WannaCry

 In 2017, the WannaCry ransomware cryptoworm, propagated through EternalBlue, infected over 100,000 computers, causing a loss of US$8 billion.
[Figure: affected sectors: energy, transportation, government, education]

Case - OceanLotus
 Since April 2012, the OceanLotus group has carried out targeted penetration and attacks on important sectors of China, such as the government, scientific research institutes, maritime institutions, maritime construction, and shipping enterprises.
 The attacks are intended to obtain confidential information, intercept intelligence sent out by attacked computers, and enable the computers to automatically send related intelligence.

Discussion: What Are the Causes of Such Attacks?

Direct causes: virus, vulnerability, Trojan horse, backdoor program, DDoS attack, …
Indirect causes: information system complexity, human and environment factors

Significance of Building Information Security

Importance: increasing importance
• The information network has become the foundation of economic prosperity, social stability, and national development.
• Informatization profoundly influences global economic integration, national strategy adjustment, and security priorities.
• Information security has transformed from a technical issue into a matter of national security worldwide.
Applicability: applicable to many technical fields, for example:
• Command, Control, Communications, Computers and Intelligence (C4I) system
• E-commerce system
• Biomedical system
• Intelligent Transport System (ITS)

Contents
1. Information and Information Security
2. Information Security Risks and Management

Risks Involved in Information Security

[Figure: risk categories: physical risks, network risks, system risks, information risks, application risks, management risks, other risks]

Physical Risks
 Device theft and destruction
 Link aging, man-made damage, and bite from animals
 Network device fault
 Network device unavailability due to power failure
 Electromagnetic radiation in the equipment room

Information Risks
 Storage security
 Transmission security
 Access security

Information Transmission Security

[Figure: enterprise business information is sent from a branch to headquarters; an attacker on the path can cause information leakage or information tampering, so headquarters receives tampered information]
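The tampering case in the figure above, as an added example that is not part of the original slides: it shows why headquarters cannot rely on an unkeyed checksum to notice a record altered on the link, while a keyed tag (HMAC) computed by the branch does detect the change. The record contents, the account numbers and the shared key are constructed values for illustration.

```python
import hashlib
import hmac
import zlib

# Constructed sample record sent from a branch to headquarters.
BRANCH_MESSAGE = b"transfer;from=acct1001;amount=250.00;to=acct2002"
# Constructed shared secret, assumed known only to the branch and headquarters.
SHARED_KEY = b"example-shared-key-not-for-real-use"


def plain_checksum(msg: bytes) -> int:
    """Unkeyed integrity value (CRC32): catches accidental corruption only."""
    return zlib.crc32(msg)


def keyed_tag(key: bytes, msg: bytes) -> bytes:
    """Keyed integrity value (HMAC-SHA256): needs the shared key to compute."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def tampered(msg: bytes) -> bytes:
    """The 'information tampering' event of the figure: payee changed in transit."""
    return msg.replace(b"to=acct2002", b"to=acct9999")


def hq_accepts_checksum(msg: bytes, checksum: int) -> bool:
    """Headquarters check when only a CRC travels with the record."""
    return plain_checksum(msg) == checksum


def hq_accepts_tag(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Headquarters check when an HMAC tag travels with the record."""
    return hmac.compare_digest(keyed_tag(key, msg), tag)


def compare_protections() -> tuple:
    """Returns (checksum_detects_tampering, hmac_detects_tampering)."""
    modified = tampered(BRANCH_MESSAGE)
    # CRC32 is public and keyless, so whoever alters the record can also
    # attach a matching CRC; headquarters has no way to notice the change.
    checksum_detects = not hq_accepts_checksum(modified, plain_checksum(modified))
    # The HMAC tag was computed by the branch over the original record; without
    # SHARED_KEY no valid tag exists for the modified record, so verification fails.
    original_tag = keyed_tag(SHARED_KEY, BRANCH_MESSAGE)
    hmac_detects = not hq_accepts_tag(SHARED_KEY, modified, original_tag)
    return checksum_detects, hmac_detects


if __name__ == "__main__":
    print(compare_protections())  # (False, True)
```

The HMAC only addresses the tampering arrow of the figure; the leakage arrow needs encryption of the record in transit, which is a separate mechanism.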

Information Access Security

[Figure: an authorized user on the intranet logs in through the authentication server on the network, while an unauthorized user attempts an illegal login]

System Risks
 Database system configuration security
 Security database
 Security of services running in the system

Application Risks
 Network virus
 Operating system security
 Email application security
 Web service security
 FTP service security
 DNS service security
 Business application software security

Network Risks

[Figure: network security zones]

Management Risks
 Determine whether the information system has management risks from the following aspects:
National policy:
• Effective national information security regulations formulated
• Specialized agency to manage information security
Enterprise system:
• Security management rules and equipment room management system with clear responsibilities and rights
• Enterprises can establish their own security management organizations
Management system:
• Effective security policies and high-quality security management personnel
• Effective supervision and inspection system, and adherence to rules and regulations

Significance of Information Security Management
 According to statistics, 70% of enterprise information loss is caused by negligence or intentional leakage by internal staff.

[Figure: causes behind the 70%: weak security awareness among employees, non-standard operations, loose authorization system, malicious data theft. Technologies 30%, management 70%]

 Security technologies are only the means to control information security. They can only be effective with the appropriate support of management procedures.

Current Development of Information Security Management

Introducing information security development strategies and plans: each country has introduced its own information security development strategy and plan.
Strengthening legislation to achieve unified and standardized management: defining and standardizing information security work through laws is the strongest guarantee for effective implementation of security measures.
Entering the era of standardized and systematized management: the era of standardized and systematized information security management began in the 1990s. ISO/IEC 27000 is the best known system.

Quiz
1. Information security incidents frequently occur because of security attack methods, such as vulnerabilities, viruses, and backdoor programs.
A. True
B. False

Summary
 Information security development history
 Basic concepts of information security

Thank You
www.huawei.com
