
Chapter 1-1

Uploaded by

kakoloper

Ministry of Higher Education

Paktia University
Faculty of Computer Science

Chapter 1

SUB: NETWORK SECURITY


Outline
• Network security introduction
• How does network security work
• CIA
• Vulnerability
• Threats
• Data classification
• Data security controls
• Response to a security breach
• Laws & ethics
• Conclusion

Network Security
• Network security protects networking infrastructure from data theft, unauthorized access and manipulation.
• Network security is the protection of a computer network's accessible assets through intrusion detection, preventive resources and oversight by management technologies.
• Network security mitigates or prevents unauthorized parties from accessing the network.
• Network security is the act of protecting digital resources, applications and data from malicious intrusion.

Network Security…
• Network security is closely related to cybersecurity and information security.
• Cybersecurity guards against digital threats.
• InfoSec focuses on data protection.
• Both feed into protecting network infrastructure against outside threats.
• In simple words, network security is defined as "protecting information from unintended access."

How Does Network Security Work
• A computer network provides communication and enables the sharing of information among multiple users.
• Network security technologies work within several layers to protect your network as a whole against any potential threats.
• Network security is enabled through the implementation of protective software and hardware within your network.

Network Security Objectives
• When considering networks, you can view them from different perspectives.
• Not all users appreciate their role in keeping data safe.
• If a user is compromised or an unauthorized individual gains access, the security of the network may still fail as a result.
• An important point to remember is that the users themselves represent a security risk and that training users is a key part of a comprehensive security policy.

CIA (Confidentiality, Integrity, Availability)

Confidentiality
• There are two types of data: data in motion and data at rest.
• Confidentiality means that only the authorized individuals/systems can view sensitive or classified information.
• Confidentiality is the concealment of information or resources.
• The need for keeping information secret arises from the use of computers in institutions with sensitive information, such as government and industry.
• The principles of confidentiality assert that information and functions can be accessed only by authorized parties.
• Ex: military secrets

Integrity
• Integrity for data means that changes made to data are done only by authorized individuals/systems.
• Integrity refers to the trustworthiness of data or resources.
• Integrity includes data integrity (the content of the information) and origin integrity (the source of the data, often called authentication).
• The principles of integrity assert that information and functions can be added and removed only by authorized people.
• Ex: incorrect data entered by a user in the database

Availability
• This applies to systems and to data. If the network or its data is not available to authorized users
• Availability refers to the ability to use information or resources.
• Availability means information should be consistently and readily accessible for authorized parties.
• Availability is an important aspect of reliability as well as of system design because an unavailable system is at least as bad as no system at all.

Vulnerability
• A vulnerability is a weakness. It can be a weakness in the hardware, the software, the configuration, or even the user operating the system.

Risk
• Risk is the potential for unauthorized access to, compromise, destruction, or damage to an asset.
• If a threat exists, but proper countermeasures and protections are in place (it is your goal to provide this protection), the potential for the threat to be successful is reduced (thus reducing the overall risk).

Countermeasure
• A countermeasure is a device or process (a safeguard) that is implemented to counteract a potential threat, which thus reduces risk.

Threat
• A threat is any circumstance or event that has the potential to compromise CIA.
• Threats can come from inside or outside an organization.
• Threats can be natural.
• Internal threats
• External threats

Data Classification (1/2)
• To optimally allocate resources and secure assets, it is essential that some form of data classification exists.
• By identifying which data has the most worth, administrators can make the greatest effort to secure that data.
• Sometimes information classification is a regulatory requirement, and there can be liability issues that relate to the proper care of data that are factors.
• When an organization takes classification seriously, it illustrates to everyone that the company is taking information security seriously.

Data Classification (1/2)…
• The methods and labels applied to data differ all around the world, but some patterns do emerge.
• Unclassified: Data that has little or no confidentiality, integrity, or availability requirements and therefore little effort is made to secure it.
• Sensitive But Unclassified (SBU): Data that could prove embarrassing if revealed, but no great security breach will occur.
• Confidential: Data that must comply with confidentiality requirements. This is the lowest level of classified data in this scheme.

Data Classification (1/2)…
• Secret: Data for which you take significant effort to keep secure. The number of individuals who have access to this data is usually considerably fewer than the number of people who are authorized to access confidential data.
• Top secret: Data for which you make great effort and sometimes incur considerable cost to guarantee its secrecy. Usually a small number of individuals have access to top-secret data, on condition that there is a need to know.

Data Classification (2/2)
• Value: Value is the number one criterion. Not all data has the same value.
• Age: For many types of data, its importance changes with time.
• Useful life: Often data is valuable for only a set window of time, and after that window has expired there is no need to keep it classified.
• Personal association: Data of this type usually involves something of a personal nature.

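An added example, not part of the original slides: a read-access check built on the five labels above, combining clearance level, need to know, and the useful-life criterion. The read rule (clearance at or above the label), the compartment field, the need-to-know threshold and automatic declassification on expiry are assumptions of this example, and the sample documents and users are constructed.

```python
from dataclasses import dataclass
from datetime import date
from enum import IntEnum
from typing import Optional

class Level(IntEnum):
    # Labels from the slides, ordered lowest to highest.
    UNCLASSIFIED = 0
    SBU = 1              # Sensitive But Unclassified
    CONFIDENTIAL = 2     # lowest level of classified data in this scheme
    SECRET = 3
    TOP_SECRET = 4

@dataclass(frozen=True)
class Document:
    name: str
    level: Level
    compartment: str                          # hypothetical need-to-know group
    classified_until: Optional[date] = None   # end of useful life, if any

@dataclass(frozen=True)
class User:
    name: str
    clearance: Level
    need_to_know: frozenset                   # compartments the user works in

def effective_level(doc: Document, today: date) -> Level:
    """Label that applies today; expired useful life means UNCLASSIFIED (assumption)."""
    if doc.classified_until is not None and today > doc.classified_until:
        return Level.UNCLASSIFIED
    return doc.level

def can_read(user: User, doc: Document, today: date) -> bool:
    level = effective_level(doc, today)
    if user.clearance < level:
        return False                          # clearance too low for the label
    # Assumption: need to know is enforced for CONFIDENTIAL and above.
    if level >= Level.CONFIDENTIAL and doc.compartment not in user.need_to_know:
        return False                          # cleared, but no need to know
    return True

# Constructed sample data.
PLAN = Document("merger-plan", Level.TOP_SECRET, "finance", date(2025, 6, 30))
ALICE = User("alice", Level.TOP_SECRET, frozenset({"finance"}))
BOB = User("bob", Level.TOP_SECRET, frozenset({"hr"}))
CAROL = User("carol", Level.SBU, frozenset())

if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL):
        print(user.name, can_read(user, PLAN, date(2025, 1, 1)))
```

Bob holds the same clearance as Alice but is refused because the document is outside his need-to-know set; Carol can read it only after the useful-life window has passed.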
Data Classification Procedure
• Generally, the information classification procedure is as follows:
    • Step 1. Identify the administrator or custodian of the data.
    • Step 2. Define how information is classified and labeled (the number of required classification levels).
    • Step 3. Classify the data by its owner.
    • Step 4. Specify exceptions to the classification policy.
    • Step 5. Define controls to be applied to each classification policy.
    • Step 6. Specify termination procedures for declassifying data or transferring the custody of the data.
    • Step 7. Create an enterprise-awareness program.
    • Step 8. (Optional) Audit compliance to classification policy.

Data Classification Roles
• For a classification system to work, there must be different roles that are fulfilled.
    • Owner: The owner is the person who is ultimately responsible for the information, usually senior-level management who is in charge of a business unit.
    • Custodian: The custodian is usually a member of the IT staff who has the day-to-day responsibility for data maintenance.
    • User: Users bear no responsibility for the classification of data or even the maintenance of the classified data.

Security Controls (1/2)
• Once the owner classifies the data, the custodian is responsible for securing the data.
• These controls fall into one of three categories:
    • Administrative: Controls that are largely policies and procedures.
    • Technical: Controls that involve electronics, hardware, software, and so on.
    • Physical: Controls that are mostly mechanical.

Administrative Controls
• Administrative controls are largely policy and procedure driven.
• You will find many of the administrative controls that help with information security in the enterprise in the human resources department.
• Some of these controls are as follows:
    • Security-awareness training
    • Security policies and standards
    • Change controls and configuration controls
    • Security audits and tests
    • Good hiring practices
    • Background checks of contractors and employees

Technical Controls
• Members of IT staffs tend to think of information security solely in terms of technical controls.
    • Firewalls
    • IPSs
    • Virtual private network (VPN) concentrators and clients
    • TACACS+ and RADIUS servers
    • One-time password (OTP) solutions
    • Smart cards
    • Biometric authentication devices
    • Network Admission Control (NAC) systems
    • Routers with ACLs

Physical Controls
• While trying to secure an environment with good technical and administrative controls, it is also necessary that you lock the doors in the data center.
    • Intruder detection systems
    • Security guards
    • Locks
    • Safes
    • Racks
    • Uninterruptible power supplies (UPS)
    • Fire-suppression systems
    • Positive air-flow systems

Security Controls (2/2)
• Controls are also categorized by the type of control they are:
    • Preventive: The control prevents access. Example: lock on door.
    • Deterrent: The control deters access. Example: video surveillance.
    • Detective: The control detects access. Example: motion sensor.

Response to a Security Breach
• Motive: Motive is concerned with why an individual performed the illegal act.
• Opportunity: Having identified a list of suspects, the next thing to consider is whether they had the opportunity to commit the crime.
• Means: The means is an important thing to prove as well. Do not accuse someone who does not have the technical knowledge to accomplish the deed.

Laws and Ethics
• For many businesses today, one of the biggest considerations for setting security policies is compliance with the law.
    • Criminal: Concerned with crimes, and its penalties usually involve the risk of fines or imprisonment, or both.
    • Civil (also called tort): Focuses on correcting wrongs that are not crimes. An example of a civil law case is if one company sues another company for infringing on a patent. The penalty in civil law is usually monetary, although there can also be performance requirements such as ceasing to infringe on the patent.
    • Administrative: Involves government agencies enforcing regulations. For example, a company may owe its employees vacation pay.

Conclusion
• Network security is defined as protecting information from unintended access.
• Confidentiality means that only the authorized individuals/systems can view sensitive or classified information.
• Integrity refers to the trustworthiness of data or resources.
• Availability refers to the ability to use information or resources.
• A threat is any circumstance or event that has the potential to compromise CIA.
• Control levels: physical, technical and administrative.
