T1-Computer and Network Security Concepts

Uploaded by Sérgio Santos

Information Technology Security

MSI
2017/2018
T1 - Computer and Network Security Concepts
Cryptographic algorithms and protocols can be grouped into four main areas:

Symmetric encryption
• Used to conceal the contents of blocks or streams of data of any size, including messages, files, encryption keys, and passwords

Asymmetric encryption
• Used to conceal small blocks of data, such as encryption keys and hash function values, which are used in digital signatures

Data integrity algorithms
• Used to protect blocks of data, such as messages, from alteration

Authentication protocols
• Schemes based on the use of cryptographic algorithms designed to authenticate the identity of entities

© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.


The field of network and Internet security consists of measures to deter, prevent, detect, and correct security violations that involve the transmission of information.


Computer Security

The NIST Computer Security Handbook defines the term computer security as:

“the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources” (includes hardware, software, firmware, information/data, and telecommunications)


Computer Security Objectives

Confidentiality
• Data confidentiality
  • Assures that private or confidential information is not made available or disclosed to unauthorized individuals
• Privacy
  • Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed

Integrity
• Data integrity
  • Assures that information and programs are changed only in a specified and authorized manner
• System integrity
  • Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system

Availability
• Assures that systems work promptly and service is not denied to authorized users


Network and Computer Security Requirements



Breach of Security
Levels of Impact

• High: the loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals
• Moderate: the loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals
• Low: the loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals


Computer Security Challenges

• Security is not simple
• Potential attacks on the security features need to be considered
• Procedures used to provide particular services are often counter-intuitive
• It is necessary to decide where to use the various security mechanisms
• Requires constant monitoring
• Is too often an afterthought
• Security mechanisms typically involve more than a particular algorithm or protocol
• Security is essentially a battle of wits between a perpetrator and the designer
• Little benefit from security investment is perceived until a security failure occurs
• Strong security is often viewed as an impediment to efficient and user-friendly operation


OSI Security Architecture

• Security attack
  • Any action that compromises the security of information owned by an organization
• Security mechanism
  • A process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack
• Security service
  • A processing or communication service that enhances the security of the data processing systems and the information transfers of an organization
  • Intended to counter security attacks, and they make use of one or more security mechanisms to provide the service


Table 1.1
Threats and Attacks (RFC 4949)

RFC 4949: “Internet Security Glossary, Version 2”



Security Attacks

• A means of classifying security attacks, used both in X.800 and RFC 4949, is in terms of passive attacks and active attacks
• A passive attack attempts to learn or make use of information from the system but does not affect system resources
• An active attack attempts to alter system resources or affect their operation


Passive Attacks

• Are in the nature of eavesdropping on, or monitoring of, transmissions
• Goal of the opponent is to obtain information that is being transmitted
• Very difficult to detect, so the emphasis is on prevention rather than detection

Two types of passive attacks are:
• The release of message contents
• Traffic analysis


Active Attacks

• Involve some modification of the data stream or the creation of a false stream
• Difficult to prevent because of the wide variety of potential physical, software, and network vulnerabilities
• Goal is to detect attacks and to recover from any disruption or delays caused by them

Four categories of active attack:
• Masquerade
  • Takes place when one entity pretends to be a different entity
  • Usually includes one of the other forms of active attack
• Replay
  • Involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect
• Modification of messages
  • Some portion of a legitimate message is altered, or messages are delayed or reordered to produce an unauthorized effect
• Denial of service
  • Prevents or inhibits the normal use or management of communications facilities


Security Services

• Defined by X.800 as:
  • A service provided by a protocol layer of communicating open systems and that ensures adequate security of the systems or of data transfers
  • Divides security services in five categories and fourteen specific services (see Table in next slide)
• Defined by RFC 4949 as:
  • A processing or communication service provided by a system to give a specific kind of protection to system resources; security services implement security policies and are implemented by security mechanisms


Security Services (ITU-T X.800 Recommendation)

Authentication

Concerned with assuring that a communication is authentic

• In the case of a single message, assures the recipient that the message is from the source that it claims to be from
• In the case of ongoing interaction, assures the two entities are authentic and that the connection is not interfered with in such a way that a third party can masquerade as one of the two legitimate parties

Two specific authentication services are defined in X.800:
• Peer entity authentication
• Data origin authentication


Access Control

• The ability to limit and control the access to host systems and applications via communications links
• To achieve this, each entity trying to gain access must first be identified, or authenticated, so that access rights can be tailored to the individual


Data Confidentiality

The protection of transmitted data from passive attacks
• The broadest service protects all user data transmitted between two users over a period of time
• Narrower forms of the service include the protection of a single message or even specific fields within a message

The protection of traffic flow from analysis
• This requires that an attacker not be able to observe the source and destination, frequency, length, or other characteristics of the traffic on a communications facility


Data Integrity

• Can apply to a stream of messages, a single message, or selected fields within a message
• A connection-oriented integrity service, one that deals with a stream of messages, assures that messages are received as sent with no duplication, insertion, modification, reordering, or replays
• A connectionless integrity service, one that deals with individual messages without regard to any larger context, generally provides protection against message modification only
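As an added illustration (not from the slides), the Python sketch below contrasts the two integrity services: a connection-oriented receiver checks a per-unit MAC and a strictly increasing sequence number, so modification, replay/duplication and reordering are all rejected, while a connectionless check verifies the MAC alone and therefore accepts a replayed unit. The key, the messages and the verdict strings are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real connection would derive it from key establishment.
KEY = b"constructed-demo-key-not-for-real-use"


def tag(key, seq, payload):
    """MAC over sequence number || payload, binding the unit to its position in the stream."""
    return hmac.new(key, struct.pack(">Q", seq) + payload, hashlib.sha256).digest()


def protect(key, seq, payload):
    """Sender side: emit the data unit as (seq, payload, mac)."""
    return (seq, payload, tag(key, seq, payload))


class ConnectionIntegrityReceiver:
    """Connection-oriented integrity service: checks each unit's MAC (modification,
    forged insertion) and demands the next expected sequence number (duplication,
    replay, reordering, dropped units)."""

    def __init__(self, key):
        self.key = key
        self.expected = 0

    def receive(self, seq, payload, mac):
        if not hmac.compare_digest(mac, tag(self.key, seq, payload)):
            return "REJECT: modified or forged"
        if seq < self.expected:
            return "REJECT: replay or duplicate"
        if seq > self.expected:
            return "REJECT: reordered or missing unit"
        self.expected += 1
        return "ACCEPT"


def connectionless_check(key, seq, payload, mac):
    """Connectionless integrity service: MAC check only, no stream context."""
    return hmac.compare_digest(mac, tag(key, seq, payload))


def demo():
    """Constructed stream: two good units, a replayed unit, a tampered unit, a good unit."""
    rx = ConnectionIntegrityReceiver(KEY)
    m0 = protect(KEY, 0, b"transfer 10")
    m1 = protect(KEY, 1, b"transfer 20")
    m2 = protect(KEY, 2, b"transfer 30")
    tampered = (m2[0], b"transfer 99", m2[2])        # payload altered, MAC left as sent
    verdicts = [rx.receive(*m0), rx.receive(*m1), rx.receive(*m0),
                rx.receive(*tampered), rx.receive(*m2)]
    # The connectionless service sees the replayed m0 as a perfectly valid unit.
    verdicts.append("CONNECTIONLESS accepts replay: %s" % connectionless_check(KEY, *m0))
    return verdicts
```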


Nonrepudiation

• Prevents either sender or receiver from denying a transmitted message
• When a message is sent, the receiver can prove that the alleged sender in fact sent the message
• When a message is received, the sender can prove that the alleged receiver in fact received the message


Availability Service

• Protects a system to ensure its availability
• This service addresses the security concerns raised by denial-of-service attacks
• It depends on proper management and control of system resources and thus depends on the access control service and other security services


Security Mechanisms (X.800)

Specific Security Mechanisms
• Encipherment
• Digital signatures
• Access controls
• Data integrity
• Authentication exchange
• Traffic padding
• Routing control
• Notarization

Pervasive Security Mechanisms
• Trusted functionality
• Security labels
• Event detection
• Security audit trails
• Security recovery


Table 1.3 Security Mechanisms (ITU-T X.800 Recommendation)


Relationship between Security Services and Mechanisms


Fundamental Security Design Principles

• Economy of mechanism (design as simple and small as possible)
• Fail-safe defaults (lack of access by default)
• Complete mediation (all accesses checked for access control)
• Open design (design should be open rather than secret)
• Separation of privilege (e.g. multifactor user authentication, lower/higher privileges in processes)
• Least privilege (least set of permissions required to perform the task, e.g. in role-based access control)
• Least common mechanism (minimize functions shared by different users)
• Psychological acceptability (mechanisms should not interfere with the work of users)
• Isolation (isolate public access systems from critical resources, process and file isolation, separation of security functions)
• Encapsulation (encapsulate data and functions, isolate from unauthorized accesses)
• Modularity (security procedures as protected modules, modular architecture)
• Layering (defense in depth, multiple protection approaches)
• Least astonishment (security mechanisms should respond logically and intuitively)


Fundamental Security Design Principles

Economy of mechanism
• Means that the design of security measures embodied in both hardware and software should be as simple and small as possible
• A relatively simple, small design is easier to test and verify thoroughly
• With a complex design, there are many more opportunities for an adversary to discover subtle weaknesses to exploit that may be difficult to spot ahead of time

Fail-safe defaults
• Means that access decisions should be based on permission rather than exclusion
• The default situation is lack of access, and the protection scheme identifies conditions under which access is permitted
• Most file access systems and virtually all protected services on client/server use fail-safe defaults


Fundamental Security Design Principles

Complete mediation
• Means that every access must be checked against the access control mechanism
• Systems should not rely on access decisions retrieved from a cache
• To fully implement this, every time a user reads a field or record in a file, or a data item in a database, the system must exercise access control
• This resource-intensive approach is rarely used

Open design
• Means that the design of a security mechanism should be open rather than secret
• Although encryption keys must be secret, encryption algorithms should be open to public scrutiny
• Is the philosophy behind the NIST program of standardizing encryption and hash algorithms


Fundamental Security Design Principles

Separation of privilege
• Defined as a practice in which multiple privilege attributes are required to achieve access to a restricted resource
• Multifactor user authentication is an example which requires the use of multiple techniques, such as a password and a smart card, to authorize a user

Least privilege
• Means that every process and every user of the system should operate using the least set of privileges necessary to perform the task
• An example of the use of this principle is role-based access control; the system security policy can identify and define the various roles of users or processes and each role is assigned only those permissions needed to perform its functions
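The following Python sketch is an added example (not from the slides) that puts four of the principles from the last three slides into one small reference monitor: role-based least privilege, fail-safe defaults (anything not explicitly granted is denied), separation of privilege (sensitive actions also need a completed multifactor login), and complete mediation (every request is re-evaluated, nothing is cached, so a revoked role is denied on the very next access). The roles, resources and subjects are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed policy for a hypothetical banking back office; each role holds
# only the (resource, action) pairs its function needs (least privilege).
ROLE_PERMISSIONS = {
    "teller":  {("account", "read"), ("transaction", "create")},
    "auditor": {("account", "read"), ("transaction", "read"), ("audit_log", "read")},
    "admin":   {("account", "read"), ("account", "update"), ("user", "update")},
}

# Separation of privilege: sensitive actions need a second privilege attribute
# (a completed multifactor login) in addition to role membership.
REQUIRES_SECOND_FACTOR = {("account", "update"), ("user", "update")}


@dataclass
class Subject:
    name: str
    roles: List[str] = field(default_factory=list)
    mfa_verified: bool = False


def is_permitted(subject, resource, action):
    """Fail-safe default: only an explicit grant yields True; unknown roles,
    resources or actions all fall through to deny."""
    request = (resource, action)
    granted = any(request in ROLE_PERMISSIONS.get(role, set()) for role in subject.roles)
    if not granted:
        return False
    if request in REQUIRES_SECOND_FACTOR and not subject.mfa_verified:
        return False
    return True


class ReferenceMonitor:
    """Complete mediation: every access is re-evaluated against the current
    policy and subject state; no decision is cached, and each one is recorded."""

    def __init__(self):
        self.audit_trail = []

    def access(self, subject, resource, action):
        decision = is_permitted(subject, resource, action)
        self.audit_trail.append((subject.name, resource, action, decision))
        return decision


def demo():
    """Walk through the principles with constructed subjects; returns the decisions."""
    monitor = ReferenceMonitor()
    teller = Subject("alice", ["teller"])
    admin = Subject("bob", ["admin"])
    guest = Subject("eve", ["guest"])                # role that the policy never defined
    out = {
        "teller reads account": monitor.access(teller, "account", "read"),        # True
        "teller updates account": monitor.access(teller, "account", "update"),    # False: not granted
        "unknown role reads account": monitor.access(guest, "account", "read"),   # False: fail-safe
        "admin updates without MFA": monitor.access(admin, "account", "update"),  # False: 2nd factor
    }
    admin.mfa_verified = True
    out["admin updates with MFA"] = monitor.access(admin, "account", "update")    # True
    admin.roles.remove("admin")   # revocation takes effect immediately: no cached decision
    out["admin after revocation"] = monitor.access(admin, "account", "update")    # False
    return out
```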


Fundamental Security Design Principles

Least common mechanism
• Means that the design should minimize the functions shared by different users, providing mutual security
• This principle helps reduce the number of unintended communication paths and reduces the amount of hardware and software on which all users depend, thus making it easier to verify if there are any undesirable security implications

Psychological acceptability
• Implies that the security mechanisms should not interfere unduly with the work of users, while at the same time meeting the needs of those who authorize access
• Where possible, security mechanisms should be transparent to the users of the system or, at most, introduce minimal obstruction
• In addition to not being intrusive or burdensome, security procedures must reflect the user’s mental model of protection


Fundamental Security Design Principles

Isolation
• Applies in three contexts:
  • Public access systems should be isolated from critical resources to prevent disclosure or tampering
  • Processes and files of individual users should be isolated from one another except where it is explicitly desired
  • Security mechanisms should be isolated in the sense of preventing access to those mechanisms

Encapsulation
• Can be viewed as a specific form of isolation based on object-oriented functionality
• Protection is provided by encapsulating a collection of procedures and data objects in a domain of its own so that the internal structure of a data object is accessible only to the procedures of the protected subsystem, and the procedures may be called only at designated domain entry points


Fundamental Security Design Principles

Modularity
• Refers both to the development of security functions as separate, protected modules and to the use of a modular architecture for mechanism design and implementation

Layering
• Refers to the use of multiple, overlapping protection approaches addressing the people, technology, and operational aspects of information systems
• The failure or circumvention of any individual protection approach will not leave the system unprotected


Fundamental Security Design Principles

Least astonishment
• Means that a program or user interface should always respond in the way that is least likely to astonish the user
• The mechanism for authorization should be transparent enough to a user that the user has a good intuitive understanding of how the security goals map to the provided security mechanism


Attack Surfaces

• An attack surface consists of the reachable and exploitable vulnerabilities in a system
• Examples:
  • Open ports on outward facing Web and other servers, and code listening on those ports
  • Services available on the inside of a firewall
  • Code that processes incoming data, email, XML, office documents, and industry-specific custom data exchange formats
  • Interfaces, SQL, and Web forms
  • An employee with access to sensitive information vulnerable to a social engineering attack


Attack Surface Categories

• Network attack surface
  • Refers to vulnerabilities over an enterprise network, wide-area network, or the Internet (e.g. network protocol vulnerabilities, denial-of-service attacks, intrusions, etc.)
• Software attack surface
  • Refers to vulnerabilities in application, utility, or operating system code (e.g. in web server software)
• Human attack surface
  • Refers to vulnerabilities created by personnel or outsiders (e.g. social engineering, human error, trusted insiders)
Defense in Depth and Attack Surfaces

• An attack surface analysis is useful to assess the scale and severity of threats to a system
• It should be systematic, as it may reveal where security mechanisms are required
• Security designers should find ways of making this surface smaller
• It provides guidance on setting priorities for testing and implementing mechanisms
Attack Tree

• A branching, hierarchical data structure that represents a set of potential techniques for exploiting security vulnerabilities
• The security incident that is the goal of the attack is represented as the root node of the tree, and the ways that an attacker could reach that goal are represented as branches and subnodes of the tree
• The final nodes on the paths outward from the root (leaf nodes) represent different ways to initiate an attack
• The motivation for the use of attack trees is to effectively exploit the information available on attack patterns
• Branches can be labeled with values representing difficulty, cost, or other attack attributes


Attack Tree (example: Internet Banking Authentication)

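As an added example (not the Internet banking figure from the slides), the Python below models an attack tree as the data structure just described: OR nodes where any one child reaches the goal, AND nodes where every child is needed, and leaves carrying a cost attribute. It then does what the previous slide recommends for defense in depth: it finds the cheapest path to the root, hardens its leaves, and re-evaluates, so the tree yields a mitigation priority order. The tree, its labels and its cost values are constructed, abstract placeholders grouped by the three attack-surface categories above.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed, abstract tree; leaf costs are arbitrary relative attacker-effort
# scores for the demo, not measurements of any real system.


@dataclass
class Node:
    label: str
    kind: str = "LEAF"            # "OR", "AND" or "LEAF"
    cost: float = 0.0             # branch attribute (difficulty/cost); leaves only
    children: List["Node"] = field(default_factory=list)


def cheapest_path(node: Node) -> Tuple[float, List[str]]:
    """Least-cost way to reach the goal at `node`.
    OR node: any one child suffices, so take the cheapest child.
    AND node: every child is required, so costs add and leaves concatenate."""
    if node.kind == "LEAF":
        return node.cost, [node.label]
    sub = [cheapest_path(c) for c in node.children]
    if node.kind == "OR":
        return min(sub, key=lambda r: r[0])
    if node.kind == "AND":
        return sum(r[0] for r in sub), [leaf for r in sub for leaf in r[1]]
    raise ValueError("unknown node kind: " + node.kind)


def raise_leaf_cost(node: Node, label: str, new_cost: float) -> None:
    """Model a mitigation by raising the attacker cost of one leaf technique."""
    if node.kind == "LEAF" and node.label == label:
        node.cost = new_cost
    for c in node.children:
        raise_leaf_cost(c, label, new_cost)


def build_tree() -> Node:
    """Root = the security incident; leaves = ways to initiate the attack."""
    return Node("Unauthorized access to a customer account", "OR", children=[
        Node("Obtain valid credentials", "OR", children=[
            Node("Credential disclosed by user (human surface)", cost=3),
            Node("Credential captured in transit (network surface)", "AND", children=[
                Node("Observe the traffic path", cost=5),
                Node("Defeat transport protection", cost=9),
            ]),
        ]),
        Node("Bypass authentication logic (software surface)", cost=8),
    ])


def prioritise() -> List[Tuple[float, List[str]]]:
    """Defender's loop: find the cheapest path, harden its leaves, repeat.
    Each entry is the cheapest (cost, leaves) seen before the next mitigation."""
    tree = build_tree()
    history = [cheapest_path(tree)]                        # (3, human-surface leaf)
    raise_leaf_cost(tree, "Credential disclosed by user (human surface)", 12)
    history.append(cheapest_path(tree))                    # (8, software-surface leaf)
    raise_leaf_cost(tree, "Bypass authentication logic (software surface)", 20)
    history.append(cheapest_path(tree))                    # (12, human-surface leaf again)
    return history
```

The order in which leaves surface in the history is the order in which mitigations buy the most; the network-surface AND branch (cost 14) never becomes the cheapest path in this constructed tree.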


Model for Network Security


Model for Network Security

• There are four basic tasks in designing a particular security service:
  • Design an algorithm for performing security-related transformations
  • Generate the secret information to be used with the algorithm
  • Develop methods for the distribution and sharing of the secret information
  • Specify a protocol to be used by the two principals that makes use of the security algorithm and the secret information to achieve a particular security service
• In this model we deal with symmetric and asymmetric ciphers, data integrity and trust (key management and authentication)


Network Access Security Model


Network Access Security Model

• Protect an information system from unwanted access
• Here we need to deal with hackers, intruders, information access threats, service threats, etc.
• Network and Internet security mechanisms and approaches generally belong in this model (access control mechanisms, cloud security, transport-level security, wireless network security, IP security, electronic mail security, etc.)


Unwanted Access

• Placement in a computer system of logic that exploits vulnerabilities in the system and that can affect application programs as well as utility programs such as editors and compilers
• Programs can present two kinds of threats:
  • Information access threats
    • Intercept or modify data on behalf of users who should not have access to that data
  • Service threats
    • Exploit service flaws in computers to inhibit use by legitimate users


Standards

National Institute of Standards and Technology
• NIST is a U.S. federal agency that deals with measurement science, standards, and technology related to U.S. government use and to the promotion of U.S. private-sector innovation
• Despite its national scope, NIST Federal Information Processing Standards (FIPS) and Special Publications (SP) have a worldwide impact

Internet Society
• ISOC is a professional membership society with world-wide organizational and individual membership
• Provides leadership in addressing issues that confront the future of the Internet and is the organization home for the groups responsible for Internet infrastructure standards

ITU-T
• The International Telecommunication Union (ITU) is an international organization within the United Nations System in which governments and the private sector coordinate global telecom networks and services
• The ITU Telecommunication Standardization Sector (ITU-T) is one of the three sectors of the ITU and whose mission is the development of technical standards covering all fields of telecommunications

ISO
• The International Organization for Standardization is a world-wide federation of national standards bodies from more than 140 countries
• ISO is a nongovernmental organization that promotes the development of standardization and related activities with a view to facilitating the international exchange of goods and services and to developing cooperation in the spheres of intellectual, scientific, technological, and economic activity


Review Questions

Consider an automated cash deposit machine in which users provide a card or an account number to deposit cash. Give examples of confidentiality, integrity and availability requirements (and their degree of importance).

The system must keep personal identification numbers confidential, both in the system and during transmission for a transaction. It must protect the integrity of account records and of individual transactions. We may consider that the availability of individual teller machines is of less concern.

What differentiates the network security model and the network access security model?

The network security model refers to the design of the security mechanisms, based on cryptographic algorithms, for the establishment of security communications between two entities over an insecure communications medium. On the other hand, the network access security model is concerned with protecting an information system from unwanted access, e.g. using network and Internet security protocols.


Summary

• Computer security concepts
  • Definition
  • Examples
  • Challenges
• The OSI security architecture
• Security attacks
  • Passive attacks
  • Active attacks
• Security services
  • Authentication
  • Access control
  • Data confidentiality
  • Data integrity
  • Nonrepudiation
  • Availability service
• Security mechanisms
• Fundamental security design principles
• Attack surfaces and attack trees
• Network security model
• Network access security model
• Standards


Bibliography

Cryptography and network security, Stallings, Pearson, 2017, Chapter 1: Computer and Network Security Concepts

Segurança em Redes Informáticas, Chapter 1: Introduction

Segurança Prática em Sistemas e Redes com Linux, Chapter 1: Fundamental concepts