IT 602 Week 4- Slides

The document outlines a course on Information Technology Infrastructure focusing on security concepts, including computer crimes, risk management, and security controls. It emphasizes the importance of confidentiality, integrity, and availability (CIA) in managing IT security risks and discusses various attack vectors and preventive measures. Additionally, it covers identity and access management, layered security, and cryptography, highlighting the significance of effective security practices in protecting IT infrastructures.

Uploaded by Mahiraa Shahzadi

Information Technology Infrastructure

• Credit Hours: 3
• Lecturer: Shafaq Nisar

• Lecturing Style: Video Lectures of short duration (5-7 minutes)


Security Concepts

1. Introduction
2. Computer Crimes
3. Risk Management
• Risk Response
• Exploits
4. Security Controls
• Attack vectors
5. Security Patterns
• Identity and Access management and Layered security
• Cryptography and Cryptographic Attacks
Introduction

• Security is the combination of:
  • Availability
  • Confidentiality
  • Integrity

• Focused on the recognition and resistance of attacks

• For IT infrastructures availability is a non-functional attribute in its own right
Computer Crimes

• Reasons for committing crime against IT infrastructures:


• Personal exposure and prestige
• Creating damage
• Financial gain
• Terrorism
• Warfare
Personal Exposure and Prestige

• In the past, the hacker community was very keen on getting personal
or group exposure by hacking into a secured IT infrastructure. When
hackers proved that they could enter a secured system and made it
public, they gained respect from other hackers.

• While nowadays most hacking activity is done for other reasons, there
are still large communities of hackers that enjoy the game.
Creating Damage

• Creating damage to organizations to create bad publicity

• For instance, by defacing websites, bringing down systems or websites, or making internal documents public


Financial Gain

• For instance, by holding data hostage and asking for ransom money, stealing credit card data, changing account data in bank systems, or

• Stealing passwords of customers and ordering goods on their behalf


Terrorism

• The main purpose of terrorism is creating fear in a society

• A well-planned attack targeted at certain computer systems, like the computer system that manages the water supply or a nuclear power plant, could result in chaos and fear amongst citizens
Warfare

• Certain governments use hacking practices as acts of war

• Since economies and societies today largely depend on IT infrastructures, bringing important IT systems down in a certain country could cause the economy to collapse.

• Bringing down the internet access of a country for example means: no access to social media, no e-mails, no web shops, no stock trading, no search engines, etc.
Risk management

❖ Managing security is all about managing risks

❖ The effort we put in securing the infrastructure should be directly related to the risk at hand

❖ Risk management is the process of:
  ❑ Determining an acceptable level of risk
  ❑ Assessing the current level of risk
  ❑ Taking steps to reduce risk to the acceptable level
  ❑ Maintaining that level


Risk list

A risk list can be used to quantify risks

Risk is calculated based on:
Asset name - component that needs to be protected
Vulnerability - weakness, process or physical exposure that makes the asset susceptible to exploits
Exploit - a way to use one or more vulnerabilities to attack an asset
Probability - an estimation of the likelihood of the occurrence of an exploit
Impact - the severity of the damage when the vulnerability is exploited
Example of part of a risk list: traditional IT infrastructure (figure not reproduced)
Risk Response

• Controls can be designed and implemented based on the identified severity of the risk in the risk list.

• There are four risk responses:
  • Acceptance of the risk
  • Avoidance of the risk - do not perform actions that impose risk
  • Transfer of the risk - for instance transfer the risk to an insurance company
  • Mitigation of the risk and accepting the residual risk
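
The risk list and the four risk responses above, worked through in code. This is an added example, not part of the slides: it scores each risk as probability times impact (the slides name both factors but give no formula, so the product and the thresholds below are assumptions) and picks a response from the score.

```python
# Added example (not from the slides): a small risk list scored as
# probability x impact, then mapped to one of the four risk responses.
from dataclasses import dataclass

# Thresholds are an assumption for illustration; the slides give no scale.
ACCEPT_BELOW = 4       # score below this: accept the risk
MITIGATE_BELOW = 12    # below this: mitigate and accept the residual risk
                       # at or above: transfer (e.g. insure) or avoid


@dataclass
class Risk:
    asset: str          # component that needs to be protected
    vulnerability: str  # weakness that makes the asset susceptible
    exploit: str        # way to use the vulnerability against the asset
    probability: int    # likelihood of the exploit, 1 (rare) .. 5 (likely)
    impact: int         # severity of the damage, 1 (minor) .. 5 (severe)

    def score(self) -> int:
        return self.probability * self.impact


def risk_response(risk: Risk, can_transfer: bool = True) -> str:
    """Choose acceptance, mitigation, transfer or avoidance from the score."""
    s = risk.score()
    if s < ACCEPT_BELOW:
        return "accept"
    if s < MITIGATE_BELOW:
        return "mitigate"
    return "transfer" if can_transfer else "avoid"


def rank_risks(risks):
    """Return (asset, score, response) tuples, highest score first."""
    ordered = sorted(risks, key=lambda r: r.score(), reverse=True)
    return [(r.asset, r.score(), risk_response(r)) for r in ordered]


# Constructed sample risk list, using exploits named on the slides
SAMPLE_RISKS = [
    Risk("Backup tapes", "tapes leave the building unencrypted",
         "lost tape is read by a third party", 2, 5),
    Risk("User workstations", "no screensaver lock",
         "walk-up access to an open session", 4, 2),
    Risk("Public website", "single web server, no auto scaling",
         "DDoS by a botnet", 3, 4),
    Risk("Printer room", "printouts left on the printer",
         "internal document read by a visitor", 1, 2),
]
```

Run `rank_risks(SAMPLE_RISKS)` to get the list ordered by score with a response per entry.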
Exploits
• Information can be stolen in many ways

• Examples:
• Key loggers can send sensitive information like passwords to third
parties
• Network sniffers can show network packets that contain sensitive
information or replay a logon sequence
• Data on backup tapes outside of the building can get into wrong hands
• Disposed PCs or disks can get into the wrong hands
• Corrupt or dissatisfied staff can copy information
• End users are led to a malicious website that steals information (phishing)
Security Controls
CIA

• Three core goals of security (CIA):

❑Confidentiality

❑Integrity

❑Availability
CIA
• Confidentiality - prevents the intentional or unintentional unauthorized disclosure of data

• Integrity - ensures that:
  • No modifications to data are made by unauthorized staff or processes
  • Unauthorized modifications to data are not made by authorized staff or processes
  • Data is consistent

• Availability - ensures the reliable and timely access to data or IT resources
CIA

• Example of confidentiality levels

Confidentiality level - Description
1 - Public information
2 - Information for internal use only
3 - Information for internal use by restricted group
4 - Secret: reputational damage if information is made public
5 - Top secret: damage to organization or society if information is made public
CIA

• Example of integrity levels

Integrity level - Description
1 - Integrity of information is of no importance
2 - Errors in information are allowed
3 - Only incidental errors in information are allowed
4 - No errors are allowed, errors lead to reputational damage
5 - No errors are allowed, errors lead to damage to organization or society
CIA
Calculation examples

• Example of availability levels

Availability level - Description
1 - No requirements on availability
2 - Some unavailability is allowed during office hours
3 - Some unavailability is allowed only outside of office hours
4 - No unavailability is allowed, 24/7/365 availability, risk for reputational damage
5 - No unavailability is allowed, risk for damage to organization or society
Security Controls

• Controls mitigate risks

• Security controls must address at least one of the CIA goals

• Information can be classified based on CIA levels

• Controls can be designed and implemented based on the identified risk level for CIA
Security controls - Example

Control / Levels: C1 C2 C3 C4 C5 I1 I2 I3 I4 I5 A1 A2 A3 A4 A5
Standard security policy X X X X X X X X X X X X X X X
Central archiving of documents X X X X
User based password protection X X X X X X X X X X X X
Anti-virus measures X X X X X X X X X X X X
Screensaver lock when leaving workplace X X X X X X
Webmail not allowed X X X
Logging of authentication and authorization requests X X X X X X X X X
Secured datacenter and systems management room X X X X X X
Encrypted laptops X X
Security key management X X
Penetration hack-tests X X X X X X
IDS systems X X X X X X
Internet access limited to specific sites X X X X X X
Encrypted e-mail X X
Printing only allowed in specific closed rooms X X
Attack Vectors

• Malicious code
• Applications that, when activated, can cause network and server
overload, steal data and passwords, or erase data

• Worms
• Self-replicating programs that spread from one computer to
another, leaving infections as they travel
Attack Vectors

• Virus
• Self-replicating program fragment that attaches itself to a program
or file enabling it to spread from one computer to another, leaving
infections as it travels

• Trojan Horse
• Appears to be useful software but will actually do damage once
installed or run on your computer
Attack Vectors

• Denial of service attack

• An attempt to overload an infrastructure to cause disruption of a service

• Can lead to downtime of a system, preventing an organization from doing its business

• In a Distributed Denial of Service (DDoS) attack the attacker uses many computers to overload the server

• Groups of computers that are infected by malicious code, called botnets, perform the attack
Attack Vectors

• Preventive DDoS measures:
  • Split business and public resources
  • Move all public facing resources to an external cloud provider
  • Set up automatic scalability (auto scaling, auto deployment) using virtualization and cloud technology
  • Limit bandwidth for certain traffic
  • Lower the Time to Live (TTL) of the DNS records to be able to reroute traffic to other servers when an attack occurs
  • Set up monitoring for early detection

Attack Vectors

• Phishing
• A technique of obtaining sensitive information
• The phisher sends an e-mail that appears to come from a legitimate
source, like a bank or credit card company, requesting
"verification" of information
• The e-mail usually contains a link to a fraudulent web page
Security Patterns
Identity and Access Management (IAM)

• The process of managing the identity of people and systems, and their permissions

• The IAM process follows three steps:
  • Users or systems claim who they are: identification
  • The claimed identity is checked: authentication
  • Permissions are granted related to the identity and the groups it belongs to: authorization
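
The three IAM steps as separate functions over an in-memory user store. This is an added example, not code from the slides; the user names, passwords, groups and permission strings are constructed for illustration, and password hashing with PBKDF2 plus a constant-time comparison is the example's own choice, not something the slides prescribe.

```python
# Added example (not from the slides): identification, authentication
# and authorization kept as three distinct steps.
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, groups):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt),
            "groups": set(groups)}


# Constructed user store and group permissions (assumptions for the example)
USERS = {
    "alice": make_user("correct horse", ["finance", "staff"]),
    "bob": make_user("hunter2", ["staff"]),
}
GROUP_PERMISSIONS = {
    "staff": {"read:intranet"},
    "finance": {"read:ledger", "write:ledger"},
}


def identify(claimed_name: str):
    """Step 1: the caller claims an identity; nothing is verified yet."""
    return USERS.get(claimed_name)


def authenticate(claimed_name: str, password: str) -> bool:
    """Step 2: check the claim. Hash even for unknown names and compare in
    constant time so timing does not reveal which names exist."""
    user = identify(claimed_name)
    salt = user["salt"] if user else bytes(16)
    candidate = _hash_password(password, salt)
    expected = user["hash"] if user else bytes(len(candidate))
    return hmac.compare_digest(candidate, expected) and user is not None


def authorize(name: str, permission: str) -> bool:
    """Step 3: permissions derive from the groups the identity belongs to."""
    groups = USERS[name]["groups"]
    granted = set().union(*(GROUP_PERMISSIONS.get(g, set()) for g in groups))
    return permission in granted


def access(name: str, password: str, permission: str) -> str:
    """Run the three steps in order; unknown name and bad password look alike."""
    if not authenticate(name, password):
        return "authentication failed"
    return "granted" if authorize(name, permission) else "not authorized"
```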
Layered Security
• Layered security (also known as a Defense-In-Depth strategy) implements various security measures in various parts of the IT infrastructure

• Instead of having one big firewall and having all your security depend on it, it is better to implement several layers of security

• Preferably security layers make use of different technologies

• This makes it harder for hackers to break through all barriers, as they will need specific knowledge for each step

• Disadvantage: increases the complexity of the system


Cryptography

• The practice of hiding information using encryption and decryption techniques

• Encryption is the conversion of information from a readable state to apparently random data

• Only the receiver has the ability to decrypt this data, transforming it back to the original information

• A cipher is a pair of algorithms that implements the encryption and decryption process. The operation of a cipher is controlled by a key
Cryptography
• Block ciphers
• Input:
• A block of plaintext
• A key
• Output:
• A block of cipher text
• Used across a wide range of applications, from ATM data encryption to
e-mail privacy and secure remote access
• Standards:
• Data Encryption Standard (DES)
• Advanced Encryption Standard (AES)
Cryptography

• Stream ciphers
  • Create an arbitrarily long stream of key material
  • Combine the key stream with the plaintext bit-by-bit or character-by-character
  • Used when data is in transit over the network
  • RC4 is a widely used stream cipher
Cryptographic Attacks

• Every encryption method can be broken using a brute force attack
  • Except a one-time pad cipher with a key of equal or greater length than the message

• A brute force attack consists of systematically checking all possible keys until the correct key is found

• The amount of effort needed is exponentially dependent on the size of the key
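
The two claims above (effort grows exponentially with key size; a one-time pad with a key as long as the message is the exception) demonstrated on a toy cipher. This is an added example, not from the slides: the repeating-key XOR cipher, the sample message and the key are constructed for illustration, and the cipher is a teaching toy, not a real algorithm.

```python
# Added example (not from the slides): brute force against a toy cipher,
# and why the same search gives no answer for a one-time pad.
import itertools


def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Toy cipher for illustration only: XOR with a repeating key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def brute_force(ciphertext: bytes, known_plaintext: bytes, key_len: int):
    """Systematically try every key of key_len bytes until decryption
    matches the known plaintext. Returns (key, attempts made)."""
    attempts = 0
    for key in itertools.product(range(256), repeat=key_len):
        attempts += 1
        if xor_cipher(ciphertext, bytes(key)) == known_plaintext:
            return bytes(key), attempts
    return None, attempts


def key_space(key_bits: int) -> int:
    """Number of keys to check in the worst case: one extra bit doubles it."""
    return 2 ** key_bits


def otp_candidates(ciphertext: bytes) -> int:
    """One-time pad case: the key is as long as the message. Trying every
    key yields every possible plaintext of that length, so the attacker
    cannot tell which candidate is the real message."""
    seen = set()
    for key in itertools.product(range(256), repeat=len(ciphertext)):
        seen.add(xor_cipher(ciphertext, bytes(key)))
    return len(seen)


# Constructed sample: a 7-byte message under a 2-byte (16-bit) key
MESSAGE = b"PAY 100"
KEY = b"\x2a\x07"
CIPHERTEXT = xor_cipher(MESSAGE, KEY)
```

`brute_force(CIPHERTEXT, MESSAGE, 2)` recovers the key after 10760 of the 65536 possible keys, while `otp_candidates(b"\x13\x37")` shows that for a 2-byte one-time pad all 65536 plaintexts are equally reachable.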
Cryptographic Attacks

• Effective security could be achieved if it is proven that no efficient method (as opposed to the time consuming brute force method) can be found to break the cipher

• Most successful attacks are based on flaws in the implementation of an encryption cipher

• To ensure a cipher is flawless, the source code is usually open source and thus open to inspection by everyone
