Introduction To It Security

The document discusses social engineering and computer-based social engineering attacks such as phishing. It defines social engineering as manipulating people into revealing confidential information by exploiting human tendencies like trust and fear. Common social engineering techniques include pretexting where attackers pretend to be someone trustworthy, technical support, or important users. The document also discusses shoulder surfing, dumpster diving, and phishing scams which aim to steal sensitive data like passwords and financial information through fraudulent emails or websites. Protecting against social engineering requires security awareness training and strict policies as humans remain the weakest link against these psychological hacks.

Uploaded by

Eric Mboya

IA 124:

INTRODUCTION TO IT SECURITY

LECTURE 02
SECURITY CONCEPTS (b)

1 3/31/2023
OUTLINE
❖Review
❖Social engineering
❖Cybercrime
❖OSI security architecture
❖Security Policy

Vulnerabilities, Threats and Attacks
❖Vulnerability is a weakness in an information system
or its components that might be exploited to
compromise the security of the system.
❖Threat is any circumstance or event that can
potentially harm an information system by destroying
it, disclosing the information stored on the system,
adversely modifying data, or making the system
unavailable.
❖Attack is the deliberate act that exploits a vulnerability;
it is the actual attempt to violate security.

SOCIAL ENGINEERING

SOCIAL ENGINEERING
❖ Social Engineering is the art of convincing people to reveal
confidential information.
❖ Social Engineering is the tactic or trick of gaining sensitive
information by exploiting the basic human nature such as:
1. Trust
2. Fear
3. Desire
❖ Social engineers use psychological tricks on humans
❖ Social engineers depend on the fact that people are unaware of
how valuable their information is and are careless about protecting it.
❖ Social engineering is the art of manipulating people into doing
things, particularly security-related actions such as giving away
computer access or revealing confidential information.
Social Engineering
Cartoon (image): typical pretexts used by social engineers, shown as speech bubbles:
“I need a password reset. What is the passwd set to?”
“This is John, the System Admin. What is your password?”
“I have come to repair your machine and have some software patches…”
“What ethnicity are you? Your mother’s maiden name?”
Social Engineering
❖Gather information about
1. Confidential information
2. Access details
3. Authorization details
❖Social Engineering is the hack that requires no knowledge
of code.
❖Despite its relative simplicity, the risks associated with
social engineering are just as serious as those of other
hacks.
❖Social engineering is the hardest form of attack to defend
against because it cannot be defended against with hardware or
software alone.
Social Engineering
❖Factors that make companies vulnerable to attacks
1. Insufficient security training
2. Easy access to information
3. Lack of security policies
4. Several organizational units
❖Impact on the Organization
1. Economic loss
2. Damage to goodwill
3. Loss of privacy
4. Temporary or permanent closure
5. Dangers of terrorism
SOCIAL ENGINEERING
❖ Why is social engineering effective?
✓Security policies are only as strong as their weakest
link, and humans are the most susceptible factor.
✓There is no specific software or hardware for
defending against a social engineering attack
✓It is difficult to detect social engineering attempts
✓There is no method to ensure complete security
from social engineering attacks

Approach to Social Engineering Attacks
❖Online: Internet connectivity enables attackers to
approach employees from an anonymous Internet
source and persuade them to provide information
by posing as a believable user.
❖Telephone: Request information, usually through the
imitation of a legitimate user, either to access the
telephone system itself or to gain remote access to
computer systems
❖Personal approaches: In personal approaches, attackers
get information by directly asking for it.

Types of Social Engineering

❖Human-based
✓Gather sensitive information by interaction
✓Attacks of this category exploit trust, fear,
and helping nature of humans
❖Computer-based
✓Social engineering is carried out with the
help of a computer.

Human-based social engineering
❖Gather sensitive information by interaction
❖Attacks of this category exploit trust, fear, and helping
nature of humans
1. Posing as a legitimate end user
✓ Give an identity and ask for sensitive information
2. Posing as an important user
✓ Posing as a VIP of a target company, a valuable
customer, etc.
3. Posing as technical support
✓ Call as technical support staff and request IDs and
passwords to retrieve data.
Human-based social engineering

Human-based social engineering

EAVESDROPPING

Human-based social engineering
❖Eavesdropping
✓Eavesdropping is the unauthorized listening to
conversations or reading of messages.
✓Interception of any form, such as audio, video, or
written
✓It can also be done over communication channels such
as telephone lines, email, instant messaging, etc.

Human-based social engineering
❖ Eavesdropping

Human-based social engineering

SHOULDER SURFING

Human-based social engineering
❖Shoulder Surfing
✓Shoulder surfing is the name given to the procedure
that thieves use to find out passwords, personal
identification numbers, account numbers, etc.
✓Thieves look over your shoulder or even watch from a
distance using binoculars in order to get those pieces
of information.

Human-based social engineering
❖Shoulder surfing is a direct observation technique such as
looking over someone's shoulder to get their passwords,
PINs, and other sensitive personal information.
❖Someone may even listen in on your conversation while
you give out your credit card number over the phone.
❖So, you should never reveal your password in front of
others because there may be a chance of shoulder surfing.

Human-based social engineering
❖Do not type your usernames and passwords in front of
unauthorized persons or strangers; they may shoulder
surf and capture your information.

Human-based social engineering

DUMPSTER DIVING

Human-based social engineering
❖ Dumpster Diving
❖Search for sensitive information at the target company’s
✓Trash bin
✓Printer trash bin
✓User desk for sticky notes

Human-based social engineering
❖ Dumpster Diving

Computer-Based Social engineering

PHISHING
Computer-Based Social engineering
❖ Phishing
✓It is the criminal act of sending an illegitimate email, falsely
claiming to be from a legitimate site, in an attempt to acquire
the user’s personal or account information
✓Phishing emails redirect users to fake web pages imitating
trustworthy sites, which ask them to submit their personal
information.
✓Email spoofing is the forgery of an email header so that the
message appears to have originated from someone or
somewhere other than the actual source

Computer-Based Social engineering
❖ Phishing
✓It is the act of tricking someone into giving confidential
information (like passwords and credit card information) on
a fake web page or email form pretending to come from a
legitimate company (like their bank)
❖ Phishing emails or pop-ups redirect users to fake web pages
mimicking trustworthy sites that ask them to submit their
personal information.
❖ These scams attempt to gather
1. Personal information
2. Financial information
3. Sensitive information
Why Phishing Scams?
❖A phishing expedition, like the fishing expedition it’s
named for, is a speculative venture: the phisher puts out the
lure hoping to fool at least a few of the prey that
encounter the bait.
❖The thief is hoping to hook you with a very slick but
very fake website to fish for your personal information.

❖ Why do people fall for phishing scams?
✓Typically, the messages appear to come from well-
known and trustworthy web sites.
✓Web sites that are frequently spoofed by phishers
include PayPal, eBay, MSN, Yahoo, BestBuy, and
America Online.
“Phishing” Scams Occur When
❖ You get an email that looks like it comes from your bank, credit
card company, etc.
❖ It asks you to “update their records”
❖ Possibly citing potential fraud or other reasons
❖ It provides a hyperlink to a web page where you enter your personal
information
❖ The link takes you to a thief’s website that is disguised to look like
the company’s.

❖ EFFECTS OF PHISHING
✓ Internet fraud
✓ Identity theft
✓ Financial loss to the original institutions
✓ Difficulties in law enforcement investigations
✓ Erosion of public trust in the Internet

Phishing E-mails Examples (1)

Phishing E-mails Examples (2)

Phishing E-mails Examples (3)

HOW TO COMBAT PHISHING
❖ Educate application users
✓ Think before you open
✓ Never click on the links in an email, message boards or mailing
lists
✓ Never submit credentials on forms embedded in emails
✓ Inspect the address bar and SSL certificate
✓ Never open suspicious emails
✓ Ensure that the web browser has the latest security patch applied
✓ Install latest anti-virus packages
✓ Destroy any hard copy of sensitive information
✓ Verify the accounts and transactions regularly
✓ Report the scam via phone or email.
How to Protect Yourself
❖Never click on hyperlinks in emails, and never cut and paste
the link into your web browser. INSTEAD, type the
company’s URL into the browser yourself.
❖Call the company directly to confirm whether the
website is valid.
❖Don’t reply to email or pop-up messages that ask for
personal or financial information.
❖Don’t email personal information.
❖Be cautious opening attachments
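The two slides above tell users to inspect links, distrust forms embedded in mail and be wary of forged headers. The following Python example, added here and not part of the lecture, turns those checks into code a mail gateway or awareness tool could run: it parses a constructed sample message (the `*.example` domains are reserved placeholders, not real sites) and reports a Reply-To domain that differs from the From domain, a form inside the body, plain-http links, and anchors whose visible text names one domain while the href points to another. The `phishing_indicators` function name and the sample messages are this example's own.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real mail); *.example domains are reserved placeholders.
PHISHING_EMAIL = b"""\
From: "Example Bank" <alerts@examplebank.example>
Reply-To: support@mail-verify.example
To: customer@mailbox.example
Subject: Please update your records
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please visit <a href="http://examplebank.example.mail-verify.example/login">www.examplebank.example</a>
to update your records.</p>
<form action="http://mail-verify.example/collect"><input name="password"></form>
</body></html>
"""

CLEAN_EMAIL = b"""\
From: "Example Bank" <alerts@examplebank.example>
To: customer@mailbox.example
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Log in at <a href="https://www.examplebank.example/">Example Bank</a>
from your own bookmark to view the statement.</p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> and records whether a <form> is present."""

    def __init__(self):
        super().__init__()
        self.links, self.has_form = [], False
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href, self._text = attrs["href"], []
        elif tag == "form":
            self.has_form = True

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Anchor text that itself looks like a domain or URL (what the victim believes they are visiting).
DOMAIN_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


def _addr_domain(header_value):
    """Domain part of the first address in a header, lower-cased ('' if absent)."""
    addr = email.utils.parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def phishing_indicators(raw):
    """Return human-readable warnings for a raw RFC 5322 message (empty list = nothing found)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom = _addr_domain(msg["From"])
    reply_dom = _addr_domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    links = _LinkCollector()
    links.feed(body.get_content())
    if links.has_form:
        findings.append("form embedded in email body (credential harvesting)")
    for href, text in links.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if url.scheme == "http":
            findings.append(f"link uses plain http: {href}")
        if DOMAIN_LIKE.fullmatch(text):
            # The text shows one site; compare it with where the link really goes.
            shown = (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()
            if shown != host:
                findings.append(f"link text shows {shown} but points to {host}")
        elif from_dom and host and not _in_domain(host, from_dom):
            findings.append(f"link host {host} is outside sender domain {from_dom}")
    return findings


if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, phishing_indicators(sample))
```

The checks are heuristics: a legitimate mailing service may use a separate Reply-To domain, so treat the output as a reason for a user to type the company's address themselves rather than as proof of fraud.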

What if I was tricked and entered my
information on the web site?
❖Take immediate action to protect your identity and
all of your online accounts.
❖Treat the situation like you lost your wallet or purse.
❖Immediately contact all of your financial institutions,
preferably by phone, and inform them of the situation.
❖Choose a strong password that is significantly different
from your old passwords.
❖Go to every web site where you may have stored credit
card and/or bank numbers and change the password at
each web site.
IDENTITY THEFT

What is identity theft?
❖Identity theft:
✓Is used to refer to all types of crime in which
someone wrongfully obtains and uses another
person’s personal data in a way that involves fraud
or deception for economic gain or to engage in other
unlawful activities.

What is identity theft?
❖ Identity theft:
✓Someone steals your personal information
✓Uses it without permission
✓Can damage your finances, credit history
and reputation
Identity theft is a crime in which an imposter
obtains key pieces of information such as
Social Security and driver’s license numbers
and uses them for their own personal gain.
How does identity theft happen?
❖ Identity thieves will:
✓Steal information from trash or from a business
✓Trick you into revealing information
✓Take your wallet or purse
✓Pretend to offer a job, loan, or apartment to get
your information

Reduce Your Risk (1)
❖Identity protection means treating your personal
information with care.
❖Dumpster diving
✓It’s amazing what people throw in the trash
• Personal information
• Passwords
✓Many enterprises now shred all white paper trash
❖Inside jobs
✓Disgruntled employees
✓Terminated employees (about 50% of intrusions resulting
in significant loss)
Reduce Your Risk (2)
❖ Protect Your Personal Information
✓ Keep your important papers secure.
✓ Be careful with your mail.
✓ Shred sensitive documents.
✓ Don’t overshare on social networking sites.
✓ Order a copy of your credit report from each of the three major credit
bureaus
❖ Protect your computer
✓ Use anti-virus software, anti-spyware software, and a firewall.
✓ Create strong passwords.
✓ Keep your computer’s operating system, browser, and security software up to date.
✓ Encrypt your data.
✓ Lock up your laptop.
✓ Try not to store financial information on your laptop
✓ Do not download files sent to you by strangers
Cybercrime

Cyber Crime
❖ Computer crime: any act directed against computers or that uses
computers as an instrumentality of a crime.
✓ Cyber Theft
✓ Financial Crimes.
✓ Identity Theft.
✓ Hacking and Cyber Terrorism

❖ Cybercrime is…?
✓ Offenses ranging from criminal activity against data to content
and copyright infringement.
✓ United Nations refers to acts of fraud, forgery and unauthorized
access
✓ Unlawful acts wherein the computer is either a tool or a target or
both
Cybersecurity VS Cybercrime
❖Cybercrime encompasses any criminal act dealing with
computers and networks (called hacking). Additionally,
cyber crime also includes traditional crimes conducted
through the Internet.
❖Cybersecurity is the body of technologies, processes and
practices designed to protect networks, computers,
programs and data from attack, damage or unauthorized

Computer Crimes
❖ Financial Fraud
❖ Credit Card Theft
❖ Identity Theft
❖ Computer specific crimes
✓ Denial-of-service
✓ Denial of access to information
❖ Content related Offenses
✓ Hate crimes
✓ Harassment
✓ Cyber-stalking
❖ Child pornography
❖ Intellectual Property Offenses
✓ Information theft
✓ Trafficking in pirated information
✓ Storing pirated information
✓ Compromising information
✓ Destroying information

Hackers Terms
❖Hacking: Showing computer expertise
❖Cracking: Breaching security on software or systems
❖Phreaking: Cracking telecom networks
❖Spoofing: Faking the originating IP address in a
datagram
❖Denial of Service (DoS): Flooding a host with
sufficient network traffic so that it can’t respond
anymore

Who is a Hacker?
Intelligent individuals with excellent
computer skills, with the ability to create and
explore into the computer’s software and
hardware

How can one become a real hacker?
❖ Study C/C++/assembly language
❖ Study computer architecture
❖ Study operating systems
❖ Study computer networks
❖ Examine the hacking tools for a month
❖ Think about the problems of the computer
❖…
History of Hacking
1. Telephone hacking
✓ Use the telephone freely
✓ It’s called phreaking
✓ Phreaking: Cracking telecom networks
2. Computer virus
✓ Destroy many computers
3. Network hacking
✓ Hack the important server remotely
and destroy/modify/disclose the information
Why do hackers hack?
❖ Just for fun, as a hobby, or to gain knowledge.
❖ Show off
❖ Hack other systems secretly
❖ Make their views known to many people
❖ Steal important information: stealing business data, credit card
information, email passwords, etc.
❖ Destroy the enemy’s computer network during a war
Hacker Classes
❖Black hats: Individuals with extraordinary
computing skills, resorting to malicious or
destructive activities and are also known as
crackers.
❖White hats: Individuals professing hacker skills
and using them for defensive purposes and are
also known as security analysts.
❖Gray hats: Individuals who work both
offensively and defensively at various times.
HACKING PHASES
1. Reconnaissance: Reconnaissance refers to the preparatory phase
where an attacker seeks to gather information about a target prior to
launching an attack.
2. Scanning: Scanning refers to the pre-attack phase when the
attacker scans the network for specific information on the basis of
information gathered during reconnaissance.
3. Gaining Access: Gaining access refers to the point where the
attacker obtains access to the operating system or applications on
the computer or network.
4. Maintaining Access: Maintaining Access refers to the phase when
the attacker tries to retain his or her ownership of the system.
5. Covering Tracks: Covering Tracks refers to the activities carried
out by an attacker to hide malicious acts.
What do hackers do after hacking?
❖ Patch the security hole
✓So other hackers can’t intrude
❖ Clear logs and hide themselves
❖ Install a rootkit (backdoor)
✓So the hacker who hacked the system can use the
system later
❖ Install a scanner program
❖ Install an exploit program
❖ Install a denial of service program
❖ Use all of the installed programs silently
Why can’t we defend against hackers?
❖ There are many unknown security holes
❖ Hackers need to know only one security hole to hack the
system
❖ Admins need to know all security holes to defend the system

❖ How can the system be protected?


✓ Patch security hole often
✓ Encrypt important data
✓ Setup firewall: Example; ipchains
✓ Setup IDS: Example; snort
✓ Backup the system often
What should be done after being hacked?
❖Shut down the system
✓Or turn off the system
❖Disconnect the system from the network
❖Restore the system from the backup
✓Or reinstall all programs
❖Reconnect the system to the network

PENETRATION TESTING

Penetration Testing is a method of actively
evaluating the security of an information
system or network by simulating an attack
from a malicious source

❖ Identify the threats facing an organization’s
information assets
Penetration Testing
❖A pentest simulates the methods that intruders use to gain
unauthorized access to an organization’s networked
systems and then compromise them.
❖In the context of penetration testing, the tester is limited
by resources, namely time, skilled resources, and
access to equipment, as outlined in the penetration
testing agreement.
❖Two types of testing
1. External Testing
2. Internal Testing

PENETRATION TESTING
1. Black box testing: The tester has no prior
knowledge of the infrastructure to be tested.
2. White box testing: The tester has complete
knowledge of the infrastructure to be tested.
3. Grey box testing: The tester usually has only
limited knowledge of the infrastructure to be tested.

OSI
SECURITY ARCHITECTURE

SERVICES, MECHANISMS, ATTACKS
(OSI SECURITY ARCHITECTURE)
❖ The International Telecommunication Union (ITU) is a United
Nations sponsored agency that develops standards relating to
telecommunications and to Open Systems Interconnection (OSI)
❖ ITU-T X.800 “Security Architecture for OSI” defines a
systematic way of defining and providing security
requirements.
❖ The document defines security attacks, mechanisms, and
services, and the relationships among these categories.
❖ Therefore, the OSI security architecture focuses on
1. Security Attacks,
2. Security Mechanisms
3. Security Services
SERVICES, MECHANISMS, ATTACKS
(OSI SECURITY ARCHITECTURE)

Definition
❖The OSI Security Architecture is a framework
that provides a systematic way of defining the
requirements for security and characterizing the
approaches to satisfying those requirements.
❖The framework defines security attacks,
mechanisms, and services, and the relationships
among these categories.

SERVICES, MECHANISMS, ATTACKS
(OSI SECURITY ARCHITECTURE)
1. Security Attack: a deliberate act that exploits a
vulnerability; it is the actual attempt to violate security.
2. Security Mechanism: Any process that is designed to
detect, prevent or recover from a security attack. E.g.,
encryption algorithms, digital signatures, and
authentication protocols.
3. Security Services: The services are intended to counter
security attacks, and they make use of one or more
security mechanisms to provide the services. E.g.,
authentication, access control, data confidentiality, data
integrity, nonrepudiation, and availability
✓ A security service is a measure to address a security
threat.
(1) SECURITY ATTACKS (review)
1. Interruption: This is an attack on availability
2. Interception: This is an attack on confidentiality
3. Modification: This is an attack on integrity
4. Fabrication: This is an attack on authenticity

PASSIVE VS. ACTIVE ATTACKS

❖Security attacks are usually classified as:
1. Passive Attacks
2. Active Attacks

ATTACKS: PASSIVE ATTACKS
❖ Passive Attacks: Attempts to learn or make use of information
from the system, but does not affect system resources.
❖ Interception: Goal is to obtain information
✓ No modification of content or fabrication
❖ Two types of attacks
1. Traffic analysis
✓ Detects the source and destination.
✓ Frequency of transmission and length of messages.
2. Release of message content
✓ To gain personal advantages
✓ Blackmailing parties involved in communication
ATTACKS: ACTIVE ATTACKS
❖Active Attacks: Attempts to alter system resources or
affect their operation.
❖Interruption, modification and fabrication
✓ Modification of content and/or participation in communication.
❖Four categories
1. Masquerading
✓ Pretends to be someone else
2. Replay or retransmit
✓ Retransmission of passively captured data
3. Modification of content in transit.
4. Denial of Service (DoS) attack

Summary
Passive and Active Threats

(2) SECURITY MECHANISM
❖Feature designed to detect, prevent, or
recover from a security attack
❖No single mechanism that will support all
services required
❖However one particular element underlies
many of the security mechanisms in use:
✓Cryptographic techniques
✓E.g. encryption used for authentication

(3) SECURITY SERVICES
❖Enhance security of data processing systems and
information transfers of an organization.
❖Are intended to counter security attacks.
❖Use one or more security mechanisms.
❖6 categories:
1. Confidentiality 4. Authentication
2. Integrity 5. Access Control
3. Availability 6. Non-Repudiation

SECURITY SERVICES
❖ Confidentiality: Assurance that the information is accessible only to
those authorized to have access.
✓ The protection of data from unauthorized disclosure.
❖ Integrity: The trustworthiness of data or resources in terms of
preventing improper and unauthorized changes.
✓ The assurance that data received are exactly as sent by an
authorized entity (i.e., contain no modification, insertion, deletion,
or replay).
❖ Availability: Assurance that the systems are accessible when
required by the authorized users.
✓ The property of a system or a system resource being accessible and
usable upon demand by an authorized system entity, according to
performance specifications for the system (i.e., a system is available if it
provides services according to the system design whenever users request
them).
SECURITY SERVICES
❖Authentication: The assurance that the
communicating entity is the one that it claims to be.
❖Access control: The prevention of unauthorized use of
a resource (i.e., this service controls who can have
access to a resource, under what conditions access can
occur, and what those accessing the resource are
allowed to do).
❖Non-repudiation: Provides protection against denial
by one of the entities involved in a communication of
having participated in all or part of the communication.
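The active-attack categories listed earlier (masquerading, replay, modification of content in transit) and the integrity and authentication services just defined can be illustrated together with one cryptographic mechanism, a keyed message authentication code. The following Python example is added here as an illustration and is not from the lecture. It assumes a shared secret key already provisioned between sender and receiver (constructed in the code), tags each message with HMAC-SHA256 over a sequence number plus payload, and has the receiver reject any message whose tag fails (modification or masquerade by a party without the key) or whose sequence number has already been seen (replay). The `make_message`, `Receiver` and `demo` names are this example's own. The mechanism does not address denial of service and does not provide confidentiality, since the payload is not encrypted.

```python
import hashlib
import hmac
import secrets

# Constructed shared key for the example; in practice it is provisioned out of band.
KEY = secrets.token_bytes(32)


def _tag(key, seq, payload):
    # Bind the sequence number to the payload so neither can be altered independently.
    data = seq.to_bytes(8, "big") + payload
    return hmac.new(key, data, hashlib.sha256).digest()


def make_message(key, seq, payload):
    """Sender side: attach a sequence number and an HMAC-SHA256 tag to the payload."""
    return {"seq": seq, "payload": payload, "tag": _tag(key, seq, payload)}


class Receiver:
    """Receiver side: verifies origin and integrity (tag) and freshness (sequence number)."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1

    def accept(self, msg):
        expected = _tag(self.key, msg["seq"], msg["payload"])
        # Constant-time comparison so tag bytes are not leaked through timing.
        if not hmac.compare_digest(expected, msg["tag"]):
            return False, "integrity/authentication failure"
        if msg["seq"] <= self.last_seq:
            return False, "replay"
        self.last_seq = msg["seq"]
        return True, "ok"


def demo():
    """Run the four scenarios against one receiver and return each verdict."""
    rx = Receiver(KEY)
    results = {}
    genuine = make_message(KEY, 1, b"transfer 100 to account A")
    results["genuine"] = rx.accept(genuine)
    # Modification in transit: payload altered, tag left as captured.
    modified = dict(genuine, payload=b"transfer 100 to account B")
    results["modified"] = rx.accept(modified)
    # Replay: the captured genuine message is retransmitted unchanged.
    results["replay"] = rx.accept(genuine)
    # Masquerade: a party without the shared key forges a message and tag.
    forged = make_message(secrets.token_bytes(32), 2, b"transfer 100 to account B")
    results["masquerade"] = rx.accept(forged)
    # A fresh genuine message with the next sequence number is still accepted.
    results["next"] = rx.accept(make_message(KEY, 2, b"transfer 5 to account A"))
    return results


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:10s} -> {verdict}")
```

Because the same key is shared by both parties, this mechanism gives data-origin authentication but not non-repudiation: either party could have produced the tag, which is why the services slide lists digital signatures as the mechanism for that service.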
Security Policy

Information Security Policy
❖Policy is central to all information security efforts.

Information Security Policy
❖ Communities of interest must consider policies as basis for all
information security efforts.
❖ Policies direct how issues should be addressed and technologies
used.
❖ Security policies are least expensive controls to execute but
most difficult to implement.
❖ Policy: course of action used by organization to convey
instructions from management to those who perform duties.
❖ Policies are organizational laws.
✓ Standards: more detailed statements of what must be done to
comply with policy
✓ Practices, procedures and guidelines effectively explain how to
comply with policy
Information Security Policy, Standards and Practices

❖ For a policy to be effective, it must be properly disseminated, read,
understood and agreed to by all members of the organization
Information Security Policy, Standards
and Practices

Policy and Mechanism and Services
❖ Security policies provide more detailed guidance on how to put
security principles into practice.
✓ A security policy is a statement of what is and what is not
allowed.
❖ Security mechanism is a method, tool, or procedure for enforcing a
security policy.
✓ If policies conflict, discrepancies may create security
vulnerabilities
❖ A security mechanism is a means to provide a security service.
✓ E.g. encryption, cryptographic protocols
❖ A security service is a measure to address a security threat.
✓ E.g. authenticate individuals to prevent unauthorized access
❖ Security services implement security policies and are implemented
by security mechanisms.
Information Security Policy, Standards
and Practices (password)
❖ Passwords will be 8 characters long
❖ Access to network resources will be granted through a unique user ID and password
❖ Passwords should include one non-alpha character and not be found in a dictionary
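The password slide above is a standard (what must be done) sitting under a policy; the practice that enforces it is a check run at account creation. The following Python example is added here and is not the lecture's code: it encodes the three rules as a checker, reads "8 characters long" as a minimum of 8 (an assumption), uses a constructed mini word list in place of a real dictionary, and adds one extension beyond the slide, also rejecting a dictionary word padded with digits or symbols such as `password1`. The `password_violations` and `provision_account` names and the sample user IDs are this example's own.

```python
import re

# Constructed mini word list standing in for the dictionary the standard refers to
# (assumption: a real deployment would load a full word list).
DICTIONARY = {"password", "welcome", "letmein", "sunshine", "computer", "security"}

# The slide states passwords "will be 8 characters long"; read here as a minimum length.
MIN_LENGTH = 8


def password_violations(password, dictionary=DICTIONARY):
    """Return the rules the candidate password breaks (an empty list means compliant)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[^A-Za-z]", password):
        violations.append("contains no non-alphabetic character")
    lowered = password.lower()
    # Direct dictionary hit, and (extension beyond the slide) the alphabetic core of the
    # password, so that 'password1' or 'Welcome!' do not pass on a technicality.
    core = re.sub(r"[^a-z]", "", lowered)
    if lowered in dictionary or (core and core in dictionary):
        violations.append("based on a dictionary word")
    return violations


def provision_account(accounts, user_id, password):
    """Grant access only for a user ID not already in use, paired with a compliant password.

    `accounts` is the set of user IDs already issued; only the ID is recorded here,
    the password itself is never stored by this example.
    """
    if user_id in accounts:
        return False, ["user ID already in use"]
    problems = password_violations(password)
    if problems:
        return False, problems
    accounts.add(user_id)
    return True, []


if __name__ == "__main__":
    issued = set()
    for uid, pw in (("alice", "Tr0ub4dor&3"), ("bob", "password1"), ("alice", "Xy9#pqrs")):
        print(uid, pw, provision_account(issued, uid, pw))
```

Reporting every broken rule at once, rather than stopping at the first, is the behaviour a user-facing form wants; a logging variant for the help desk should record only that the attempt failed, never the candidate password.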

Security Education, Training, and
Awareness Program
❖Good policies and procedures are ineffective if they are not
taught to and reinforced with employees.
❖As soon as a general security policy exists, policies to
implement a security education, training and awareness
program should follow.
❖After receiving training, employees should sign a
statement acknowledging that they understand the policies.
❖Security education and training builds on the general
knowledge the employees must possess to do their jobs,
familiarizing them with the way to do their jobs securely
SECURITY CHALLENGES
❖Evolution of technology focused on ease of use
❖Increased number of network-based
applications
❖Increased complexity of computer
infrastructure administration and management
❖It is difficult to centralize security in a
distributed computing environment

QUOTES
Others refer to: the Ten Commandments of Computer Ethics

QUOTES
Bruce Schneier,
Security Technologist
and Author

“If you think technology can solve your
security problems, then you don’t
understand the problems and you don’t
understand the technology.”

END

IA 124 LECTURE 02