CS 432/532

Computer and Network Security

Spring 2025

Atıl Utku Ay
[email protected]
FENS L026

1
Lecture Notes

◼ Prepared by Albert Levi

– His name is removed from the cover page.
– Some students may not be aware of who is
the instructor (or TA of the course.)
– Do not send e-mail to him to ask your
questions☺

2
 Grading, Exams, Others (Tentative)
◼ Midterm Exam (25%)
– Lab hour, so no objections! In-class exam
– TBD after add/drop period. We may not be able to announce the grades
before the withdraw deadline
◼ Final Exam (40%) will be scheduled by ÖK/SR
◼ Project, Labs, HWs, CtF(432)/Takehome(532)
– Total 35% (Project is 15-20% of it)
– Project
• Application level secure protocol design and implementation (with network
connectivity via TCP sockets)
• Proper use of cryptographic functions
• 2 or 3 stages with different deadlines and evaluation
• Groups of 2 people (not less, not more) for CS 432. Individual for CS 532
• CS52 students will do the project alone (they may also propose their own
projects)
– CtF contest (only for CS432)
– Couple of Homework and Lab work
◼ Attendance is a must. (Collected for YÖK, not used as a grading item.)
◼ See other details at the syllabus (Bannerweb and SUCourse+) 3
 Announcements
◼ The labs will start in 4th week (see the related announcement)
– TA info and office hours are in SUCourse.
◼ There will be 4-5 labs but some may last 2+ weeks
– About practical issues of security
– Graded in-lab or via homework or attendance
◼ Labs DO NOT support lectures and they are kind of independent
– But, some lab sessions can be used for lecture.
◼ Labs are NOT recitations; DO NOT expect any exam help in the
labs

4
 Announcements
◼ SUCourse+ is active
– We will use it homework/lab submissions and grade posting.
– Lecture materials will also be posted there.
• PPT files will be posted before the lecture (but can be modified after
all of the material in it has been covered)
◼ E-mail list and Announcements
– We will use an email list and/or SUCourse+ Announcement
• check your sabanciuniv.edu emails frequently.
◼ Any type of recording is not allowed.
– You may take notes.

5
 What is this course about?

This course is to discuss

– security needs
– security services
– security mechanisms and protocols
for data stored in computers and
transmitted across computer networks

6
What we will/won’t cover?
◼ We will cover
– security threats
– practical security issues (practice in labs)
– security protocols in use
– security protocols not in use
– securing computer systems
– introductory cryptography
◼ We will not cover
– advanced cryptography
– computer networks
– operating systems
– computers in general
– how to hack ☺ 7
What security is about in
general?
◼ Security is about protection of assets
– D. Gollmann, Computer Security, Wiley
◼ Prevention
– take measures that prevent your assets from
being damaged (or stolen)
◼ Detection
– take measures so that you can detect when, how,
and by whom an asset has been damaged/stolen
◼ Reaction
– take measures so that you can recover your
assets 8
Real world example
◼ Prevention
– locks at doors, window bars, secure the walls
around the property, hire a guard
◼ Detection
– missing items, burglar alarms, closed circuit TV
◼ Reaction
– attack on burglar (not recommended ☺), call the
police, replace stolen items, make an insurance
claim

9
Internet shopping example
◼ Prevention
– encrypt your order and card number, enforce
merchants to do some extra checks, using PIN
even for Internet transactions, don’t send card
number via Internet
◼ Detection
– an unauthorized transaction appears on your
credit card statement
◼ Reaction
– complain, dispute, ask for a new card number, sue
(if you can find of course ☺)
– Or, pay and forget (a glass of cold water) ☺
10
Information security in past & present
◼ Traditional Information Security
– keep the cabinets locked
– put them in a secure room
– human guards
– electronic surveillance systems
– in general: physical and administrative
mechanisms
◼ Modern World
– Data are in computers
– Computers are interconnected

Computer and Network Security

11
Terminology
◼ Computer Security
– 2 main focuses: Information and Computer itself
– tools and mechanisms to protect data in a computer
(actually an automated information system), even if
the computers/system are connected to a network
– tools and mechanisms to protect the information
system itself (hardware, software, firmware, *ware ☺)
◼ Against?
– against hackers (intrusion)
– against viruses (malwares)
– against denial of service attacks
– etc. (all types of malicious behavior)

12
Terminology
◼ Network and Internet Security
– measures to prevent, detect, and correct security
violations that involve the transmission of
information in a network or interconnected networks

13
A note on security terminology
◼ No single and consistent terminology in the
literature!
◼ Be careful not to confuse while reading
papers and books

◼ See the next slide for some terminology taken

from Stallings and Brown, Computer Security
who took from RFC4949, Internet Security
Glossary

14
Computer
Security
Terminology
RFC 4949, Internet

Security Glossary,

May 2000
Computer
Security
Terminology
RFC 4949, Internet

Security Glossary,

May 2000
Relationships among the security Concepts

17
Skill and knowledge required to
Security Trends
mount an attack

18
 Types of cyber attacks experienced

2019 Cost of Cyber Crime - High proportional increase of

Study by Accenture* ransomware
- But amount-wise, not a malware
https://www.accenture.com/_acnmedia/PDF-96/Accenture-2019-Cost-of-Cybercrime-Study-Final.pdf#zoom=50 19
 Deployment Rate of Security 2019 Cost of
Cyber Crime
Technologies and Net Savings Study by
Accenture*

- AI, ML and data analytics based intelligent methods pay back, but not
widely deployed
- Classical technologies are not so beneficial but needed
https://www.accenture.com/_acnmedia/PDF-96/Accenture-2019-Cost-of-Cybercrime-Study-Final.pdf#zoom=50 20
 https://us.norton.com/internetsecurity-
Some Data Gathered by Norton emerging-threats-cyberthreat-trends-
cybersecurity-threat-review.html

21
Security Objectives: CIA Triad
and Beyond
Computer Security Objectives
Confidentiality
• Data confidentiality
• Assures that private or confidential information is not made available or
disclosed to unauthorized individuals
• Privacy
• Assures that individuals control or influence what information related to
them may be collected and stored and by whom and to whom that
information may be disclosed

Integrity
• Data integrity
• Assures that information changed only in a specified and authorized
manner
• System integrity
• Assures that a system performs its intended function in an unimpaired
manner, free from deliberate or inadvertent unauthorized manipulation of
the system

Availability
• Assures that systems work promptly and service is not denied to
authorized users
 Additional concepts:

Authenticity Accountability
• Verifying that users • Being able to trace
are who they say the responsible
they are and that party/process/entity
each input arriving at in case of a security
the system came incident or action.
from a trusted source
Attacks, Services, Mechanisms
◼ 3 aspects of information security:
– security attacks (and threats)
• actions that (may) compromise security
– security services
• services counter to attacks
– security mechanisms
• used by services
• e.g. secrecy is a service, encryption (a.k.a.
encipherment) is a mechanism

25
 Attacks
◼ Attacks on computer systems
– break-in to destroy information
– break-in to steal information
– blocking to operate properly
– malicious software
• wide spectrum of problems

◼ Source of attacks
– Insiders
– Outsiders
26
Attacks
◼ Network Security
– Active attacks
– Passive attacks
◼ Passive attacks
– interception of the messages
– What can the attacker do?
• use information internally
– hard to understand
• release the content
– can be understood
• traffic analysis
– hard to avoid
– Hard to detect, try to prevent
27
Attacks
◼ Active attacks
– Attacker actively
manipulates
the communication
– Masquerade
• pretend as someone else
• possibly to get more privileges
– Replay
• passively capture data
and send later
– Denial-of-service
• prevention the normal use of
servers, end users, or network
itself 28
 Attacks
◼ Active attacks (cont’d)
– denial
• repudiate sending/receiving a message later
– modification
• change the content of a message

29
 Security Services
◼ to prevent or detect attacks
◼ to enhance the security
◼ replicate functions of physical
documents
– e.g.
• have signatures, dates
• need protection from disclosure, tampering, or
destruction
• notarize
• record
30
Basic Security Services
◼ Authentication
– assurance that the communicating entity is the
one it claims to be
– peer entity authentication
• mutual confidence in the identities of the parties involved
in a connection
– Data-origin authentication
• assurance about the source of the received data
◼ Access Control
– prevention of the unauthorized use of a resource
– to achieve this, each entity trying to gain access
must first be identified and authenticated, so that
access rights can be tailored to the individual 31
Basic Security Services
◼ Data Confidentiality
– protection of data from unauthorized disclosure
(against eavesdropping)
– traffic flow confidentiality is one step ahead
• this requires that an attacker not be able to observe the
source and destination, frequency, length, or other
characteristics of the traffic on a communications facility
◼ Data Integrity
– assurance that data received are exactly as sent
by an authorized sender
– i.e. no modification, insertion, deletion, or replay

32
 Basic Security Services
◼ Non-Repudiation
– protection against denial by one of the
parties in a communication
– Origin non-repudiation
• proof that the message was sent by the
specified party
– Destination non-repudiation
• proof that the message was received by the
specified party

33
 Relationships
◼ among integrity, data-origin
authentication and non-repudiation
Non-repudiation

Authentication

Integrity

34
 Security Mechanisms
◼ Cryptographic Techniques
– will see next
◼ Software and hardware for access limitations
– Firewalls
◼ Intrusion Detection and Prevention Systems
◼ Traffic Padding
– against traffic analysis
◼ Hardware for authentication
– Smartcards, security tokens
◼ Security Policies / Access Control
– define who has access to which resources.
◼ Physical security
– Keep it in a safe place with limited and authorized
physical access 35
Cryptographic Security Mechanisms

◼ Encryption (a.k.a. Encipherment)

– use of mathematical algorithms to
transform data into a form that is not
readily intelligible
• keys are involved

36
Cryptographic Security Mechanisms
◼ Message Digest
– similar to encryption, but one-way (recovery not
possible)
– generally no keys are used
◼ Digital Signatures and Message
Authentication Codes
– Info appended to, mostly as a cryptographic
transformation of, a data unit to prove the source
and the integrity of the data
◼ Authentication Exchange
– ensure the identity of an entity by exchanging
some information
37
 Security Mechanisms
◼ Notarization
– use of a trusted third party to assure certain
properties of a data exchange
◼ Timestamping
– inclusion of correct date and time within messages

◼ Both are mostly accompanied by

cryptographic protocols

38
And the Oscar goes to …

◼ On top of everything, the most

fundamental problem in security is
–SECURE KEY EXCHANGE
• mostly over an insecure channel

39
A General Model for Network
Security

40
 Model for Network Security
◼ using this model requires us to:
– design a suitable algorithm for the security
transformation
– generate the secret information (keys) used by the
algorithm
– develop methods to distribute and share the
secret information
– specify a protocol enabling the principals to use
the transformation and secret information for a
security service

41
Model for Network Access Security

42
Model for Network Access Security

◼ using this model requires us to:

– select appropriate gatekeeper functions to
identify users and processes and ensure
only authorized users and processes
access designated information or
resources
– Internal control to monitor the activity and
analyze information to detect unwanted
intruders

43
More on Computer System Security
◼ Based on “Security Policies”
– Set of rules that specify
• How resources are managed to satisfy the security
requirements
• Which actions are permitted, which are not
– Ultimate aim
• Prevent security violations such as unauthorized access,
data loss, service interruptions, etc.
– Scope
• Organizational or Individual
– Implementation
• Partially automated, but mostly humans are involved
◼ Assurance and Evaluation
– Assurance: degree of confidence to a system
– Security products and systems must be evaluated
using certain criteria in order to decide whether they
assure security or not 44
Aspects of Computer Security
◼ Mostly related to Operating Systems
◼ Similar to those discussed for Network
Security but now for still data and computer
systems
– Confidentiality
– Integrity
– Availability
– Authenticity
– Accountability
– Dependability
45
Aspects of Computer Security
◼ Confidentiality
– Prevent unauthorised disclosure of information
– Privacy and Secrecy
• Are they synonyms? Any differences?
◼ Integrity
– two types: data integrity and system integrity
– In general, “make sure that everything is as it is
supposed to be”
– More specifically, “no unauthorized modification,
deletion” on data (data integrity)
– System performs as intended without any
unauthorized manipulations (system integrity)
46
 Aspects of Computer Security
◼ Availability
– services should be accessible when needed and
without extra delay
◼ Accountability
– audit information must be selectively kept and
protected so that actions affecting security can be
traced to the responsible party
– How can we do that?
• Users have to be identified and authenticated to have a
basis for access control decisions and to find out
responsible party in case of a violation.
• The security system keeps an audit log (audit trail) of
security relevant events to detect and investigate
intrusions.
◼ Dependability
– Can we trust the system as a whole?
47
 Attack Surfaces
◼ An attack surface consists of the reachable and
exploitable vulnerabilities in a system
◼ Examples:
– Open ports on outward facing Web and other
servers, and code listening on those ports
– Services available in a firewall
– Code that processes incoming data, email, XML,
office documents, etc.
– Interfaces and Web forms
– An employee with access to sensitive information
vulnerable to a social engineering attack
Attack Surface Categories
◼ Network attack surface
– Refers to vulnerabilities to an enterprise
network from the Internet
• E.g. DoS, intruders exploiting network protocol
vulnerabilities
◼ Software attack surface
– Refers to vulnerabilities in application, or
operating system code
◼ Human attack surface
– Refers to vulnerabilities created by personnel
or outsiders
– E.g. social engineering, insider traitors
Fundamental Dilemma of
Security
◼ “Security unaware users have specific
security requirements but no security
expertise.”
– from D. Gollmann
– Solution: level of security is given in predefined
classes specified in some common criteria
• Orange book (Trusted Computer System Evaluation
Criteria) is such a criteria

50
 Fundamental Tradeoff
◼ Between security and ease-of-use
◼ Security may require clumsy and
inconvenient restrictions on users and
processes
“If security is an add-on that people have to do
something special to get, then most of the time they
will not get it”

Martin Hellman,
co-inventor of Public Key Cryptography
51
 Good Enough Security

“Everything should be as secure as

necessary, but not securer”

Ravi Sandhu, “Good Enough Security”, IEEE Internet

Computing, January/February 2003, pp. 66- 68.

◼ Read the full article at

http://dx.doi.org/10.1109/MIC.2003.1167341

52
 Some Other Security Facts
▪ Not as simple as it might first appear to the novice
▪ Must consider all potential attacks when designing a
system
▪ Generally yields complex and counterintuitive systems
▪ Battle of intelligent strategies between attacker and
admin
▪ Requires regular monitoring
▪ Not considered as a beneficial investment until a security
failure occurs
▪ Actually security investments must be considered as insurance
against attacks
▪ too often an afterthought
▪ Not only from investment point of view, but also from design
point of view
53