The document outlines key concepts in computer security, focusing on the CIA triad: confidentiality, integrity, and availability. It discusses various security challenges, threats, and types of attacks, including passive and active attacks, as well as the importance of security services and mechanisms. Additionally, it highlights the roles of standardizing agencies and the OSI security architecture in ensuring effective network and information security.

Computer Security Concepts

Chapter 1
Network and Information Security
• Information security (InfoSec) consists of defending
information from unauthorized access.

• Network security consists of defending computer
networks and network-accessible resources from
unauthorized access.

Dr. Benita Jaison, MCA Department, St. Francis College


Computer Security
• The protection provided to an automated
information system in order to attain the
applicable objectives of preserving the
confidentiality, integrity and availability of
information system resources (includes
hardware, software, firmware,
information/data, and telecommunications).



Key Security Concepts-CIA triad

• Confidentiality: Confidentiality prevents sensitive information
from reaching the wrong people, while making sure that the right
people can in fact get it.
Eg: Our bank account credentials should not be available to others.

• Integrity: Integrity involves maintaining the consistency,
accuracy, and trustworthiness of data over its entire life cycle.
Eg: Whatever amount is saved in the account should be visible and intact. A deposit of 10
lakhs should be correctly shown, and not as 3 lakhs.

• Availability: Assures that systems work promptly and service is
not denied to authorized users.
Eg: Our account should be accessible for our use with our credentials.

Three Key Objectives of Computer Security
• Confidentiality (restriction on information access and disclosure)
– Data confidentiality: Assures that confidential information is not made
available to unauthorized individuals.
– System Privacy: Assures that individuals control what information may be
collected by whom and to whom that information may be disclosed.
• Integrity (restriction on information modification and destruction)
– Data integrity: Assures that information and programs are changed only in a
specified and authorized manner.
– System integrity: Assures that a system performs its intended function free
from unauthorized manipulation of the system.
• Availability: (ensuring timely access to and use of information)
– Data Availability: Assures that systems work promptly and service is not
denied to authorized users.
– System Availability: Guarding against hardware failure, denial of service,


Definition of a loss of security
• Confidentiality: Loss of confidentiality is the
unauthorized disclosure of information.

• Integrity: Loss of integrity is the unauthorized
modification or destruction of information.

• Availability: Loss of availability is the disruption of
access or use of information.


Two additional concepts
• Authenticity: The property of being genuine and
being able to be verified and trusted; verifying that
users are who they say they are.

• Accountability: The security goal that generates the
requirement for actions of an entity to be traced
uniquely to that entity; must be able to trace a
security breach to a responsible party.


Security Requirements derived from
the C-I-A
• Identification – Who do you say you are?
eg: username in login page
• Authentication – How do I know it’s really
you? eg: Password field in login page
• Authorization – What are you allowed to do?
eg: administrator , less privileged user
• Accountability – Who should be responsible?


Threat and Vulnerability

Threat :
– Threat is a possible danger to the system.
Vulnerability:
– Vulnerability is a point where a system is
susceptible or prone to attack.



Threats and Attack
Threat
– A potential for violation of security, that could
cause harm.
– A possible danger that might exploit a
vulnerability.
Attack
– An intentional attempt on system security that
derives from an intelligent threat;
– A deliberate attempt to violate the security policy
of a system.

Levels of impact
• Three levels of impact on organizations or individuals

• The loss of confidentiality, integrity, or availability can be
– Low: a limited adverse effect
– Moderate: a significant adverse effect
– High: a severe or catastrophic adverse effect


Computer Security Challenges
Computer security is both fascinating and complex. Some of the reasons follow:
1. Computer security is not as simple as it might first appear to the novice. The
requirements seem to be straightforward, but the mechanisms used to meet those
requirements can be quite complex and subtle.
2. In developing a particular security mechanism or algorithm, one must always consider
potential attacks (often unexpected) on those security features.
3. Having designed various security mechanisms, it is necessary to decide where to
use them.
5. Security mechanisms involve an algorithm or protocol, and also require participants to
have secret information, leading to issues of creation, distribution, and protection of
that secret information.
6. Computer security is essentially a battle of wits between an intruder who tries to find
holes and the administrator who tries to close them.
7. There is a natural tendency on the part of users to perceive little benefit from security
investment until a security failure occurs.
8. Security requires regular monitoring, difficult in today's short-term environment.
9. Security is still too often an afterthought - incorporated after the design is complete.
10. Many users / security administrators view strong security as an obstruction to
efficient and user-friendly operation of an information system.

Network and Internet security

• Network and Internet security
– consists of measures to deter, prevent, detect and correct
security violations that involve the transmission of
information.
• Cryptographic algorithms and protocols
– Symmetric encryption
– Asymmetric encryption
– Data integrity algorithms
– Authentication protocols



Standardizing Agencies
• NIST is a U.S. federal agency that deals with
measurement science, standards, and technology
related to U.S.
• ISOC is a professional membership society that deals with
the future of the Internet.
• ITU is an international organization for the
production of standards covering all fields of
telecommunications.
• ISO is a nongovernmental organization whose work
results in international agreements that are
published as International Standards.

Standardizing Agencies
• NIST : National Institute of Standards and
Technology
• ISOC : Internet Society
• FIPS : Federal Information Processing Standards
• SP : Special Publications
• ITU-T: The International Telecommunication Union
(ITU)
• ISO: The International Organization for
Standardization
• OSI: The Open Systems Interconnection

OSI Security Architecture
• ITU recommends X.800 “Security Architecture for OSI”
which provides a systematic way of defining the
requirements for security and characterizing the
approaches to satisfying those requirements.

– OSI architecture focuses on security attacks, mechanisms,
and services
– OSI architecture was developed as an international
standard, which has to be followed by computer and
communications vendors.
– OSI security architecture is useful to managers as a way of
organizing the task of providing security.

Aspects of Security

• 3 aspects (features) of information security:
– security attack
– security mechanism
– security services


Aspects of Security
• Security attack: Any action that compromises the
security of information owned by an organization.
• Security service: A service that enhances the security
of the data processing systems and the information
transfers of an organization.
– The services are intended to counter security attacks
– The services make use of security mechanisms.
– Eg: confidentiality, authentication, access control, integrity, non-repudiation.
• Security mechanism: A process or feature designed to
detect, prevent or recover from a security attack.
– Eg: encryption, digital signature, access control etc.

Security Attacks
Any action that compromises the security of
information owned by an organization.

Attacks are of 2 types:
• Passive attack: A passive attack attempts to learn
or make use of information from the system but
does not affect system resources.
• Active attack: An active attack attempts to alter
system resources or affect their operation.


Passive Attack
• Passive attacks do not affect system resources
– Eg: Eavesdropping, monitoring
• Goal : to obtain information that is being transmitted
• Two types of passive attacks
1. Release of message contents
2. Traffic analysis
• Passive attacks are very difficult to detect.
– Message transmission apparently normal.
• Emphasis on prevention rather than detection.



Passive Attacks: Release of Message Contents
Reading the content of the message, but the
content is not changed.


Passive Attacks : Traffic Analysis
Traffic analysis: Even if the message is encrypted, the attacker can understand the pattern of the
messages, the location and identity of communicating hosts, and observe the frequency and
length of messages being exchanged to recognize the type of communication.


Active attack
• Active attacks try to alter system resources or affect
their operation
– Modification of data, or creation of false data
• Four categories
1. Replay
2. Modification of messages
3. Masquerade
4. Denial of service

• Difficult to prevent
– The goal is to detect and recover



Active Attacks : Replay
• Replay involves the intruder capturing the message, duplicating it to get the ideas
or patterns used, and sending back the original message without any
modification (creating an unauthorized effect).


Active Attacks
Modification of Messages
• Modify/alter (part of) messages, delay or reorder the message in
transit to produce an unauthorized effect.



Active Attacks - Masquerade
• An intruder acts as one of the entities and communicates with the
other entity.
• An entity having lesser privileges impersonates or acts as an entity
that has extra privileges.


Active Attacks: Denial of Service
• Prevents or inhibits the normal use or management of
communications facilities of a specific target or entire network.
• Suppresses all messages directed to a particular destination.
• Disruption of an entire network, either by disabling the network or by
overloading it with messages so as to degrade performance.


Security Service
– A service that enhances the security of data processing
systems and information transfers of an organization
– Security services (SS) are intended to counter (oppose) security attacks
– SS uses one or more security mechanisms
– SS often replicates functions normally associated with
physical documents
• have signatures, dates; need protection from disclosure,
tampering, or destruction; be notarized or witnessed; be
recorded or licensed.

Security Services
• Security service can be defined as
“a service provided by a protocol layer of
communicating open systems, which ensures
adequate security of the systems or of data
transfers”

“a processing or communication service provided by
a system to give a specific kind of protection to
system resources”


Security Services (X.800)
X.800 divides these services into five categories and fourteen specific services.
• Authentication
– Peer-Entity Authentication
– Data Origin Authentication
• Access Control
• Data Confidentiality
– Connection Confidentiality
– Connectionless Confidentiality
– Selective-Field Confidentiality
– Traffic-Flow Confidentiality
• Data Integrity
– Connection Integrity with Recovery
– Connection Integrity without Recovery
– Selective-Field Connection Integrity
– Selective-Field Connectionless Integrity
– Connectionless Integrity
• Non-Repudiation
– Nonrepudiation of Origin
– Nonrepudiation of Destination
• Availability

Security Services (X.800)
• Authentication - assurance that the communicating entity is
the one claimed, or that they are genuine.

• Data origin authentication: Provides validation of the source
of a data unit.
– In the case of message sending, the authentication service is to
assure the recipient that the message is sent from an authentic
source (eg: e-mail).

• Peer-entity authentication: Provides validation of the
identity of a peer entity in an association.
– In the case of a connection of a terminal to a host, two aspects are
involved (eg: telephonic talk, chatting).
• First, the service assures that the two entities are authentic.
• Second, the service assures that the connection is not interfered with
by an active attack (masquerade or an unauthorized replay).

Security Services (X.800)
• Access Control - prevention of the unauthorized use of
a resource
– Each entity (remote users) trying to access must be
identified, or authenticated through access rights.
• use of a communication resource,
• reading, writing or deletion of an information resource,
• execution of a processing resource.


Security Services (X.800)
• Data Confidentiality
• Protection from unauthorized user access and disclosure
(from passive attacks).

• 2 aspects: several levels of protection and protection of
traffic flow from analysis.
– Connection Confidentiality - The protection of all user data on a
connection. (One TCP connection over a period of time)
– Connectionless Confidentiality - The protection of all user data in a
single data block (datagram). (A single message over UDP)
– Selective-Field Confidentiality - The confidentiality of selected fields
within the user data on a connection or in a single data
block. (eg: password field alone)
– Traffic-Flow Confidentiality - The protection of the information that
might be derived from observation of traffic flows. (So that the attacker
is not able to observe the source, destination, frequency, length)

Security Services (X.800)
• Data Integrity - assurance that data received is as sent by an
authorized entity (trustworthiness of data)
• Connection-oriented, addresses both message stream modification and denial of
service (active attack).
• Connectionless, addresses only protection against message modification.
• Connection Integrity with Recovery
– Provides for the integrity of data on a connection (eg: TCP) by detection
(modification, insertion, deletion, or replay), and with recovery attempted.
• Connection Integrity without Recovery
– Provides only detection without recovery.
• Selective-Field Connection Integrity
– Provides integrity of selected fields on a connection (eg: TCP) and detection.
• Connectionless Integrity
– Provides integrity of a single connectionless data block (eg: UDP) and may
take the form of detection of data modification and replay detection.
• Selective-Field Connectionless Integrity
– Provides integrity of selected fields within a single connectionless data block,
with detection.
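An added example (not part of the original slides) of connection integrity without recovery: each message carries a sequence number and an HMAC-SHA256 tag computed with a shared secret key, so the receiver can detect modification, replay and deletion of messages. The frame layout, the class and function names and the sample payloads are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 32   # size of an HMAC-SHA256 tag in bytes
SEQ_LEN = 8    # 64-bit big-endian sequence number


def generate_key() -> bytes:
    """Secret information shared by the two principals (32 random bytes)."""
    return secrets.token_bytes(32)


class Sender:
    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0

    def protect(self, payload: bytes) -> bytes:
        """Frame = sequence number || payload || HMAC(key, seq || payload)."""
        header = struct.pack(">Q", self.seq)
        self.seq += 1
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        return header + payload + tag


class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.expected_seq = 0

    def accept(self, frame: bytes):
        """Return (status, payload); payload is None unless status is 'ok'."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return "malformed", None
        header = frame[:SEQ_LEN]
        payload = frame[SEQ_LEN:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison; a changed bit in header or payload fails here.
        if not hmac.compare_digest(tag, expected):
            return "modified", None
        (seq,) = struct.unpack(">Q", header)
        if seq < self.expected_seq:
            return "replay", None      # authentic frame that was already accepted
        if seq > self.expected_seq:
            return "gap", None         # an earlier frame was deleted or reordered
        self.expected_seq += 1
        return "ok", payload


def demo():
    """Run constructed sample frames through the receiver; return the statuses."""
    key = generate_key()
    sender, receiver = Sender(key), Receiver(key)
    f0 = sender.protect(b"deposit 10 lakhs")   # constructed sample payloads
    f1 = sender.protect(b"balance enquiry")
    sender.protect(b"withdraw 1 lakh")         # frame 2 never reaches the receiver
    f3 = sender.protect(b"logout")

    tampered = bytearray(f0)
    tampered[SEQ_LEN + 8] ^= 0x02              # flip one bit inside the payload

    return [
        receiver.accept(bytes(tampered))[0],   # modification of message
        receiver.accept(f0)[0],                # genuine frame
        receiver.accept(f0)[0],                # the same frame sent again
        receiver.accept(f1)[0],
        receiver.accept(f3)[0],                # arrives after frame 2 was suppressed
        receiver.accept(f0[:10])[0],           # truncated frame
    ]


if __name__ == "__main__":
    print(demo())
```

The receiver only detects and reports; a service with recovery would additionally request retransmission of the missing or rejected frame.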
Security Services (X.800)
• Non-Repudiation
• Non-repudiation prevents either sender or receiver from
denying a transmitted message (Accountability)
– Non-repudiation, Origin - Proof that the message was sent by
the specified sender.
– Non-repudiation, Destination - Proof that the message was
received by the specified receiver.
• Availability is the accessibility of a system or a system
resource upon demand by an authorized system entity.
– Protects a system to ensure its availability (denial-of-service attacks).
– By management and control of system resources (access control
service).

Security Mechanism
• Security mechanisms are features designed to
detect, prevent, or recover from a security attack.
• “Security mechanisms” are the specific means of
implementing one or more security services.
• Cryptographic techniques are one particular
element that underlies many of the security
mechanisms in use.
• Security mechanisms are of two types:
– Specific security mechanisms
– Pervasive security mechanisms

Security Mechanisms
• The mechanisms that are implemented in a
specific protocol layer, such as TCP or an
application-layer protocol, are specific security
mechanisms:
– encipherment, digital signatures, access controls, data
integrity, authentication exchange, traffic padding,
routing control, notarization
• The mechanisms that are not specific to any
particular protocol layer or security service are
pervasive security mechanisms:
– trusted functionality, security labels, event detection,
security audit trails, security recovery

Specific Security Mechanisms
Encipherment or Encryption

• The use of mathematical algorithms to transform data into a form
that is not readily intelligible.
• The encrypted text depends on the algorithm and encryption keys used.


Specific Security Mechanisms
Encipherment or Encryption

• "If one 'enciphers,' then one is using reversible cryptography. If
one 'encrypts,' then one might be using either reversible
cryptography or irreversible cryptography".
• Encryption is the conversion of data into a form, called a
ciphertext, that cannot be easily understood by unauthorized
people. Decryption is the process of converting encrypted data
back into its original form, so it can be understood. The two types are symmetric
encryption (also called secret key encryption) and asymmetric
encryption (also called public key encryption).


Specific Security Mechanisms
Digital Signature
Data appended to a data unit that allows a recipient of the data unit
to prove the source and integrity of the data unit and protect
against forgery (e.g., by the recipient).
Data created by a cryptographic transformation of data.



Specific Security Mechanisms
Access Control
A variety of mechanisms that enforce access rights to resources.



Specific Security Mechanisms
Data Integrity
A variety of mechanisms used to assure the integrity of a data unit or stream of
data units. Eg: checksum, HMAC, AES
Authentication Exchange
A mechanism intended to ensure the identity of an entity by means of
information exchange. Eg: RSA
Traffic Padding
The insertion of bits into gaps in a data stream to frustrate traffic analysis
attempts.
Routing Control
Enables selection of particular physically secure routes for certain data and
allows routing changes, especially when a breach of security is suspected.
Notarization
The use of a trusted third party to assure certain properties of a data exchange.

Pervasive Security Mechanisms
• Trusted Functionality
That which is perceived to be correct with respect to some criteria. Any
functionality providing or accessing security mechanisms should be trustworthy.
• Event Detection
Detection of security-relevant events. Login failures or changes to system
parameters.
• Security Label
The label that designates the security attributes of that resource. Labels may be
associated with users also.
• Security Audit Trail
Data collected and potentially used to facilitate a security audit. A log of past
security-related events permits detection and investigation of past security
breaches.
• Security Recovery
Deals with requests from mechanisms, such as event handling and management
functions, and takes recovery actions.

Model for Network Security
• A message is to be transferred between two
entities in the transaction, across some sort of
Internet service.

– The two entities must cooperate for the exchange to
take place.
– The two entities must establish a logical information
channel and make cooperative use of
communication protocols (e.g., TCP/IP).

Model for Network Security
• A model for network security should provide four basic
tasks in designing a particular security service:
1. design a suitable algorithm for the security
transformation
2. generate the secret information or keys used by
the algorithm
3. develop methods to distribute and share the
secret information (keys)
4. specify a protocol enabling the principals (entities)
to use the transformation and secret information
(key) for a security service

Model for Network Security
• All the techniques for providing security have
two components:
– A security-related transformation of the
information(algorithm) to be sent.
– Some secret information shared (key) by the two
principals (entities) and unknown to the opponent.
• A trusted third party may be needed to achieve
secure transmission.
– distributing the secret information
– sorting out disputes between the two principals
(entities).

Model for Internal Network Security


Hacker and Intruder
• The hacker can be someone who, with no
malign intent, simply gets satisfaction from
breaking and entering a computer system.

• The intruder can be a disgruntled employee
who wishes to do damage or a criminal who
seeks to exploit computer assets for financial
gain (e.g., obtaining credit card numbers or
performing illegal money transfers).

Model for Network Security

The security mechanisms needed to cope with unwanted
access fall into two broad categories: a gatekeeper function
(which includes password-based login procedures) and
internal controls that monitor activity and analyze stored
information.

Software Threats, Attacks, Mechanism
• Software attack - Logic placed in a computer system that exploits
vulnerabilities in the system and that can affect application programs
as well as utility programs, such as editors and compilers.
– Viruses and worms are two examples of software attacks.
• Programs can present two kinds of threats:
– Information access threats: Intercept or modify data on behalf of users who
should not have access to that data.
– Service threats: Exploit service flaws in computers to inhibit use by legitimate
users.
• Introduced into a system by means of a disk or through a network
