Unit- I

INTRODUCTION

Computer data often travels from one computer to another, leaving the safety of its protected
physical surroundings. Once the data is out of hand, people with bad intention could modify or forge
your data, either for amusement or for their own benefit.

Cryptography can reformat and transform our data, making it safer on its trip between
computers. The technology is based on the essentials of secret codes, augmented by modern
mathematics that protects our data in powerful ways.

• Computer Security - generic name for the collection of tools designed to protect data and to
thwart hackers

• Network Security - measures to protect data during their transmission

• Internet Security - measures to protect data during their transmission over a collection of
interconnected networks

Security Attacks, Services and Mechanisms

To assess the security needs of an organization effectively, the manager responsible for
security needs some systematic way of defining the requirements for security and characterization of
approaches to satisfy those requirements. One approach is to consider three aspects of information
security:

Security attack – Any action that compromises the security of information owned by an
organization. Security mechanism – A mechanism that is designed to detect, prevent or recover from
a security attack.

Security service – A service that enhances the security of the data processing systems and the
information transfers of an organization. The services are intended to counter security attacks and
they make use of one or more security mechanisms to provide the service.

SECURITY SERVICES

The classification of security services are as follows:

Confidentiality: Ensures that the information in a computer system a n d transmitted information are
accessible only for reading by authorized parties.

E.g. Printing, displaying and other forms of disclosure.

Authentication: Ensures that the origin of a message or electronic document is correctly identified,
with an assurance that the identity is not false.

Catherine COS Page 1

 Integrity: Ensures that only authorized parties are able to modify computer system assets and
transmitted information. Modification includes writing, changing status, deleting, creating and
delaying or replaying of transmitted messages.

Non repudiation: Requires that neither the sender nor the receiver of a message be able to deny the
transmission.

Access control: Requires that access to information resources may be controlled by or the target
system.

Availability: Requires that computer system assets be available to authorized parties when needed.

SECURITY MECHANISMS

One of the most specific security mechanisms in use is cryptographic techniques. Encryption or
encryption-like transformations of information are the most common means of providing security.
Some of the mechanisms are

1. Encipherment 2 .Digital Signature 3. Access Control

SECURITY ATTACKS

There are four general categories of attack which are listed below.

Interruption

An asset of the system is destroyed or becomes unavailable or unusable. This is an attack on

availability e.g., destruction of piece of hardware, cutting of a communication line or Disabling of
file management system.

Interception

An unauthorized party gains access to an asset. This is an attack on confidentiality.

Unauthorized party could be a person, a program or a computer. e.g., wire tapping to capture data in
the network, illicit copying of files

Catherine COS Page 2

Modification An unauthorized party not only gains access to but tampers with an asset. This is an
attack on integrity. e.g., changing values in data file, altering a program, modifying the contents of
messages being transmitted in a network.

Fabrication

An unauthorized party inserts counterfeit objects into the system. This is an attack on
authenticity.

e.g., insertion of spurious message in a network or addition of records to a file.

Network Security Policy

A network security policy is a formal document that outlines the principles, procedures and
guidelines to enforce, manage, monitor and maintain security on a computer network. It is designed
to ensure that the computer network is protected from any act or process that can breach its security.

1. Confidentiality

Confidentiality is roughly equivalent to privacy and avoids the unauthorized disclosure of

information. It involves the protection of data, providing access for those who are allowed to
see it while disallowing others from learning anything about its content. It prevents essential
information from reaching the wrong people while making sure that the right people can get
it. Data encryption is a good example to ensure confidentiality.

Catherine COS Page 3

 Tools for Confidentiality

Encryption

Encryption is a method of transforming information to make it unreadable for unauthorized

users by using an algorithm. The transformation of data uses a secret key (an encryption key)
so that the transformed data can only be read by using another secret key (decryption key). It
protects sensitive data such as credit card numbers by encoding and transforming data into
unreadable cipher text. This encrypted data can only be read by decrypting it. Asymmetric-
key and symmetric-key are the two primary types of encryption.

Access control

Access control defines rules and policies for limiting access to a system or to physical or
virtual resources. It is a process by which users are granted access and certain privileges to
systems, resources or information. In access control systems, users need to present credentials
before they can be granted access such as a person's name or a computer's serial number. In
physical systems, these credentials may come in many forms, but credentials that can't be
transferred provide the most security.

Authentication

An authentication is a process that ensures and confirms a user's identity or role that someone
has. It can be done in a number of different ways, but it is usually based on a combination of-

o something the person has (like a smart card or a radio key for storing secret keys),
o something the person knows (like a password),
o something the person is (like a human with a fingerprint).

Authentication is the necessity of every organizations because it enables organizations to keep

their networks secure by permitting only authenticated users to access its protected resources.
These resources may include computer systems, networks, databases, websites and other
network-based applications or services.

Authorization

Authorization is a security mechanism which gives permission to do or have something. It is

used to determine a person or system is allowed access to resources, based on an access
control policy, including computer programs, files, services, data and application features. It is
normally preceded by authentication for user identity verification. System administrators are
typically assigned permission levels covering all system and user resources. During
authorization, a system verifies an authenticated user's access rules and either grants or refuses
resource access.

Catherine COS Page 4

 Physical Security

Physical security describes measures designed to deny the unauthorized access of IT assets
like facilities, equipment, personnel, resources and other properties from damage. It protects
these assets from physical threats including theft, vandalism, fire and natural disasters.

2. Integrity

Integrity refers to the methods for ensuring that data is real, accurate and safeguarded from
unauthorized user modification. It is the property that information has not be altered in an
unauthorized way, and that source of the information is genuine.

Tools for Integrity

Backups

Backup is the periodic archiving of data. It is a process of making copies of data or data files
to use in the event when the original data or data files are lost or destroyed. It is also used to
make copies for historical purposes, such as for longitudinal studies, statistics or for historical
records or to meet the requirements of a data retention policy. Many applications especially in
a Windows environment, produce backup files using the .BAK file extension.

Checksums

A checksum is a numerical value used to verify the integrity of a file or a data transfer. In
other words, it is the computation of a function that maps the contents of a file to a numerical
value. They are typically used to compare two sets of data to make sure that they are the same.
A checksum function depends on the entire contents of a file. It is designed in a way that even
a small change to the input file (such as flipping a single bit) likely to results in different
output value.

Data Correcting Codes

It is a method for storing data in such a way that small changes can be easily detected and
automatically corrected.

3. Availability

Availability is the property in which information is accessible and modifiable in a timely

fashion by those authorized to do so. It is the guarantee of reliable and constant access to our
sensitive data by authorized people.

Catherine COS Page 5

 Tools for Availability
o Physical Protections
o Computational Redundancies

Physical Protections

Physical safeguard means to keep information available even in the event of physical
challenges. It ensure sensitive information and critical information technology are housed in
secure areas.

Computational redundancies

It is applied as fault tolerant against accidental faults. It protects computers and storage
devices that serve as fallbacks in the case of failures.

Overview of goals of security: Confidentiality, Integrity, and Availability

The CIA (Confidentiality, Integrity and Availability) is a security model that is designed to act as a
guide for information security policies within the premises of an organization or company. The CIA
criteria is one that most of the organizations and companies use in instances where they have installed
a new application, creates a database or when guaranteeing access to some data. For data to be
completely secure, all of these security goals must come to effect. These are security policies that all
work together and therefore it can be wrong to overlook one policy.

Confidentiality
The confidentiality aspect refers to limiting the disclosure and access of information to only the
people who are authorized and preventing those not authorized from accessing it. Through this
method, a company or organization is able to prevent highly sensitive and vital information from
getting into the hand of the wrong people while still making it accessible to the right people.

Encryption: To begin with, encryption of data involves converting the data into a form that can only
be understood by the people authorized. In this case, the information is converted in to the cipher text
format that can be very difficult to understand. Once all security threats have been dealt with, the
information can then be decrypted which means that the data can be converted back to its original
form so that it can be understood. The encryption process can involve the use of highly sophisticated
and complex computer algorithms. In this case, the algorithms cause a rearrangement of the data bits
into digitized signals. If such an encryption process is used, then decryption of the same information
requires one to have the appropriate decryption key. The encryption process should be carried out on
data at rest; that is data stored on a hard drive or USB flash. Data in motion should also be encrypted.
In this case, data in motion refers to all kind of data that is traveling across a network.

Access controls: Access controls is also another way of ensuring confidentiality. This means that one
set various policies and standards when accessing information and other organization resources. One
can choose to use passwords where an individual with the motive of accessing some information must
provide a password so as to gain access. In most cases, one will have to set access controls to work on

Catherine COS Page 6

the basis of identification and authentication. One can use unique user identification cards for the
identification process. The verification process means that one can use items such as biometric
readers and passwords so as to allow access.

One can also implement physical access policies where all employees in an organization have work
badges permitting them to access and use and facility or resource in the organization.

There are some major access control models that an organization can choose to implement. There is
mandatory access control, discretionary access control and role-based access control.

Steganography:

Steganography is also another aspect that can be used to enforce confidentiality. Basically, this is
hiding information. This means that the goal of this criterion is to hide information and data from
third party individuals. Steganography can involve the use of microdots and invisible ink to hide data
and information.

Integrity
Integrity is another security concept that entails maintaining data in a consistent, accurate and
trustworthy manner over the period in which it will be existent. In this case, one has to ensure that
data is not changed in the course of a certain period. In addition, the right procedures have to be taken
to ensure that unauthorized people do not alter the data.

Hashing: Hashing is a kind of cryptographic science that involves the conversion of data in a manner
that it is very impossible to invert it. This is mainly done when one is storing data in some storage
device so that an individual who gains access to it cannot change it or cause some alterations.

Digital signatures: Digital signatures are special types of data safety maintenance where a special
kind of signature is required to access some particular information. The signature can be in the form
of QR code that must be properly read so as to access data.

Certificates: These are special types of user credentials that are required so as to gain access to some
particular information. In this case, an individual without such certificates cannot access that piece of
information. These certificates tend to guarantee some permission and rights.

Non-repudiation: Based on information security, non-repudiation is a cryptographic property that

provides for the digital signing of a message by an individual who holds a private key to a particular
digital signature.

Availability
The concept of availability refers to the up time maintenance of all resources and hardware. This
means that all the hardware and resources one have are functional all the time. It can also involve
carrying out of regular hardware repairs.

Catherine COS Page 7

Redundancy: Redundancy is a concept that is mainly based on keeping things up and running in
one's organization even with the absence of one important component. One idea behind redundancy is
to keep things running and maintaining an uptime. With redundancy, one need to be sure that all one's
network components and resources are working properly and that we are able to use all the resources
available to us. This means that one's organization continues to function normally and as usual.

In this case therefore, one need to ensure that one has no hardware failure. In this case, one can have
redundant servers or power supplies. With this, in case of a power outage, all one's systems will
continue running efficiently because of there is another power supply available at one's disposal. With
such redundancies, one is sure that if one component fails, there is another one that is there available
and ready to take its place.

10 steps to a successful security policy

There are two parts to any security policy. One deals with preventing external threats to maintain the
integrity of the network. The second deals with reducing internal risks by defining appropriate use of
network resources.

Addressing external threats is technology-oriented. While there are plenty of technologies available to
reduce external network threats -- firewalls, antivirus software, intrusion-detection systems, e-mail
filters and others -- these resources are mostly implemented by IT staff and are undetected by the
user.

However, appropriate use of the network inside a company is a management issue. Implementing an
acceptable use policy (AUP), which by definition regulates employee behavior, requires tact and
diplomacy.

At the very least, having such a policy can protect you and your company from liability if you can
show that any inappropriate activities were undertaken in violation of that policy. More likely,
however, a logical and well-defined policy will reduce bandwidth consumption, maximize staff
productivity and reduce the prospect of any legal issues in the future.

These 10 points, while certainly not comprehensive, provide a common-sense approach to developing
and implementing an AUP that will be fair, clear and enforceable.

1. Identify your risks

What are your risks from inappropriate use? Do you have information that should be restricted? Do
you send or receive a lot of large attachments and files? Are potentially offensive attachments making
the rounds? It might be a nonissue. Or it could be costing you thousands of dollars per month in lost
employee productivity or computer downtime.

A good way to identify your risks can be through the use of monitoring or reporting tools. Many
vendors of firewalls and Internet security products allow evaluation periods for their products. If
those products provide reporting information, it can be helpful to use these evaluation periods to
assess your risks. However, it's important to ensure that your employees are aware that you will be
recording their activity for the purposes of risk assessment, if this is something you choose to try.

Catherine COS Page 8

Many employees may view this as an invasion of their privacy if it's attempted without their
knowledge.

2. Learn from others

There are many types of security policies, so it's important to see what other organizations like yours
are doing.

3. Make sure the policy conforms to legal requirements

Depending on your data holdings, jurisdiction and location, you may be required to conform to
certain minimum standards to ensure the privacy and integrity of your data, especially if your
company holds personal information. Having a viable security policy documented and in place is one
way of mitigating any liabilities you might incur in the event of a security breach.

4. Level of security = level of risk

Don't be overzealous. Too much security can be as bad as too little. You might find that, apart from
keeping the bad guys out, you don't have any problems with appropriate use because you have a
mature, dedicated staff. In such cases, a written code of conduct is the most important thing.
Excessive security can be a hindrance to smooth business operations, so make sure you don't
overprotect yourself.

5. Include staff in policy development

No one wants a policy dictated from above. Involve staff in the process of defining appropriate use.
Keep staff informed as the rules are developed and tools are implemented. If people understand the
need for a responsible security policy, they will be much more inclined to comply.

6. Train your employees

Staff training is commonly overlooked or underappreciated as part of the AUP implementation

process. But, in practice, it's probably one of the most useful phases. It not only helps you to inform
employees and help them understand the policies, but it also allows you to discuss the practical, real-
world implications of the policy. End users will often ask questions or offer examples in a training
forum, and this can be very rewarding. These questions can help you define the policy in more detail
and adjust it to be more useful.

7. Get it in writing

Make sure every member of your staff has read, signed and understood the policy. All new hires
should sign the policy when they are brought on board and should be required to reread and reconfirm
their understanding of the policy at least annually. For large organizations, use automated tools to

Catherine COS Page 9

help electronically deliver and track signatures of the documents. Some tools even provide quizzing
mechanisms to test user's knowledge of the policy.

8. Set clear penalties and enforce them

Network security is no joke. Your security policy isn't a set of voluntary guidelines but a condition of
employment. Have a clear set of procedures in place that spell out the penalties for breaches in the
security policy. Then enforce them. A security policy with haphazard compliance is almost as bad as
no policy at all.

9. Update your staff

A security policy is a dynamic document because the network itself is always evolving. People come
and go. Databases are created and destroyed. New security threats pop up. Keeping the security
policy updated is hard enough, but keeping staffers aware of any changes that might affect their day-
to-day operations is even more difficult. Open communication is the key to success.

10. Install the tools you need

Having a policy is one thing, enforcing it is another. Internet and e-mail content security products
with customizable rule sets can ensure that your policy, no matter how complex, is adhered to. The
investment in tools to enforce your security policy is probably one of the most cost-effective
purchases you will ever make.

Catherine COS Page 10