Is - Self Study

The document outlines key concepts in information security, distinguishing between threats and attacks, and detailing security goals such as confidentiality, integrity, availability, authentication, access control, non-repudiation, accountability, and security assurance. It also categorizes types of security, including IT, physical, and network security, while discussing various security attacks and the importance of implementing multiple layers of security controls. Additionally, it highlights typical cases of security lapses and emphasizes the necessity of policies, standards, and guidelines in maintaining effective security measures.


Information Security INTRODUCTION

Security Concepts

Attack Vs Threat
• A threat is a “potential” violation of security
  ◼ The violation need not actually occur
  ◼ The fact that the violation might occur makes it a threat
  ◼ It is important to guard against threats and be prepared for the actual violation
• The actual violation of security is called an attack


Security Goals

• Confidentiality (privacy): the principle of restricting access to information
  ➢ Only people who are authorized should be able to access information
  ➢ Protection of data from unauthorized disclosure
  ➢ Keeping data and resources secret or hidden
• Example of loss of confidentiality:
  ➢ Losing disks with sensitive data

• Integrity (has not been altered): preventing improper or unauthorized change of data
  ➢ Assurance that data received is as sent by an authorized entity
  ➢ Ensuring that modifications are authorized
  ➢ Includes correctness and trustworthiness
  ➢ May refer to:
    • Data integrity
    • Origin integrity
  ➢ Only trustworthy data is of value
• Example of loss of integrity:
  ➢ Student hacking into a university computer and changing grades

• Availability: making sure that information is accessible when needed (by authorized persons)
  ➢ Usually this implies keeping the systems that store the information (and restrict access to it) operational
• Example of loss of availability:
  ➢ System taken out by a disaster

• Authentication (who created or sent the data):
  ➢ Confirming the identity of an entity
  ➢ Assurance that the communicating entity is the one claimed
• Access control (prevent misuse of resources):
  ➢ Prevention of the unauthorized use of a resource; comprises
    • Authentication
    • Authorization
    • Auditing
• Non-repudiation (the order is final):
  ➢ Protection against denial by one of the parties in a communication
  ➢ An entity is not able to refute an earlier action
• Accountability:
  ➢ Ensuring that an entity’s action is traceable uniquely to that entity
• Security assurance:
  ➢ Assurance that all of the above objectives are met
Security Attacks

[Figure: threats shown as attacks on availability, confidentiality, integrity and authenticity (masquerading / spoofing)]

• Interruption: attack on availability
• Interception: attack on confidentiality
• Modification: attack on integrity
• Fabrication: attack on authenticity

• Interruption, delay, denial of receipt or denial of service
  ◼ System assets or information become unavailable or are rendered unavailable
• Interception or snooping
  ◼ An unauthorized party gains access to information by browsing through files or reading communications
• Modification or alteration
  ◼ An unauthorized party changes information in transit or information stored for subsequent access
• Fabrication, masquerade, or spoofing
  ◼ Spurious information is inserted into the system or network by making it appear as if it came from a legitimate entity
• Repudiation of origin
  ◼ False denial that an entity created something
Passive attacks:
Eavesdropping on, or monitoring of, transmissions in order to
  ◼ obtain message contents, or
  ◼ monitor traffic flows (traffic analysis)
Examples:
  ❖ Wiretapping
  ❖ Port scanning
  ❖ Traffic analysis
  ❖ Eavesdropping

Active attacks:
Modification of the data stream in order to
  ◼ masquerade as some other entity (fabrication)
  ◼ replay previous messages
  ◼ modify messages in transit
  ◼ deny service
Examples:
  ❑ Social engineering
  ❑ Spoofing
  ❑ ARP poisoning
  ❑ Man in the middle
  ❑ Overflows
  ❑ Exploits
  ❑ DoS
  ❑ DDoS
  ❑ Flooding
  ❑ Smurf
  ❑ PoD
  ❑ Mail bombs
  ❑ And a lot more

Requirements
& Policies

Information
Security
Features Assets
or
Services

Attackers
Security
Mechanisms

Security Architecture
Information Security INTRODUCTION

Types of Security

IT PHYSICAL POLITICAL MONITORY


Security Security Security Security

Application Home Homeland Financial


Security Security Security Security

Data Food Human


Security Security Security

Information Infrastructure National


Security Security Security

Network Place International


Security Security Security

Public
Security
Information Security INTRODUCTION

• Computer security:
  ◼ Measures to protect data stored on a computer
• Network security:
  ◼ Measures to protect data during its transmission
• Internet security:
  ◼ Measures to protect data during its transmission over a collection of interconnected networks

[Figure: Computer Security, Network Security, Internet Security]

Network Security

• Network security consists of:
  ◼ the provisions made in the underlying computer network infrastructure,
  ◼ the policies adopted by the network administrator to protect the network and the network-accessible resources from unauthorized access, and
  ◼ consistent and continuous monitoring and measurement of their effectiveness.
• Network security starts with authenticating every user, most commonly with a username and a password.
• Once a user is authenticated, a firewall enforces access policies such as which services the network users are allowed to access.
Network Security Model

[Figure: Network Security Model (Yahoo etc.)]

Using this model requires us to:
  • design a suitable algorithm for the security transformation
  • generate the secret information (keys) used by the algorithm
  • develop methods to distribute and share the secret information
  • specify a protocol enabling the principals to use the transformation and secret information for a security service
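The security transformation the model calls for, as an added example (constructed here, not from the slides): a shared-key message authentication scheme that lets the receiver detect the modification, fabrication and replay attacks listed under active attacks above. Key generation and distribution are assumed to have happened already (the key is simply created inside `demo()`); because nothing is encrypted, it does nothing against interception, since an eavesdropper still reads the message contents.

```python
import hmac
import hashlib
import os
import struct

# Constructed example, not from the slides: a minimal security transformation
# for the network security model. Both principals share a secret key; the sender
# tags each message with a sequence number and HMAC-SHA256 over (seq || message);
# the receiver checks the tag in constant time and rejects repeated sequence numbers.
TAG_LEN = 32               # SHA-256 digest size in bytes
HDR = struct.Struct(">Q")  # 8-byte big-endian sequence number

class Sender:
    def __init__(self, key: bytes):
        self.key, self.seq = key, 0

    def protect(self, msg: bytes) -> bytes:
        hdr = HDR.pack(self.seq)
        self.seq += 1
        tag = hmac.new(self.key, hdr + msg, hashlib.sha256).digest()
        return hdr + msg + tag

class Receiver:
    def __init__(self, key: bytes):
        self.key, self.seen = key, set()

    def unprotect(self, pkt: bytes):
        # Returns (status, message); status is "ok", "forged" or "replay".
        if len(pkt) < HDR.size + TAG_LEN:
            return "forged", None
        hdr, body, tag = pkt[:HDR.size], pkt[HDR.size:-TAG_LEN], pkt[-TAG_LEN:]
        expected = hmac.new(self.key, hdr + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "forged", None    # modified in transit or fabricated
        (seq,) = HDR.unpack(hdr)
        if seq in self.seen:
            return "replay", None    # valid tag, but already delivered once
        self.seen.add(seq)
        return "ok", body

def demo():
    key = os.urandom(32)                      # shared secret, freshly generated
    sender, receiver = Sender(key), Receiver(key)
    pkt = sender.protect(b"transfer 100 to Bob")
    results = [receiver.unprotect(pkt)[0], receiver.unprotect(pkt)[0]]
    tampered = pkt[:HDR.size] + b"transfer 900 to Eve" + pkt[-TAG_LEN:]
    results.append(receiver.unprotect(tampered)[0])
    forged = HDR.pack(5) + b"hello" + bytes(TAG_LEN)   # no key, so a zero tag
    results.append(receiver.unprotect(forged)[0])
    return results  # ["ok", "replay", "forged", "forged"]
```

A real protocol would also bound the set of seen sequence numbers (a sliding window) and rotate the key; both are left out here to keep the transformation itself visible.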
Network Access Security Model

[Figure: Network Access Security Model]

Using this model requires us to:
  ◼ select appropriate gatekeeper functions to identify users
  ◼ implement security controls to ensure only authorized users access designated information or resources

Methods of Defense
  • Encryption
  • Software controls (access limitations in a database; in an operating system, protecting each user from other users)
  • Hardware controls (smart cards)
  • Policies (frequent changes of passwords)
  • Physical controls
• Information security requirements have changed in recent times
  ◼ Traditionally provided by physical and administrative mechanisms
• Computer use requires automated tools to protect files and other stored information
• Use of networks and communication links requires measures to protect data during transmission
Security

• Protecting information against malicious or accidental access plays an important role in information-based economies/societies
• A few application areas:
  ◼ Banking: online banking, PIN protocols, digital cash
  ◼ Economy: mobile phones, DVD players, pay-per-view TV, computer games
  ◼ Military: IFF (identification, friend or foe), secure communication channels, weapon system codes
• It’s surprising how much still goes wrong in these areas.
Security Levels

• System level  • Network level  • Data level

Level           Threat             Solution
Data level      Confidentiality    Encryption
                Integrity          Hash / compression
                Non-repudiation    Trusted third parties
System level    Access control     Access control protocol
                Authentication     Passwords
                Authorization      Access control lists
                Auditing           Auditing logs
                Malware            Antivirus
Network level   Availability       Firewalls
                Access control     Proxies
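The three system-level rows (passwords, access control lists, auditing logs) as one small working example, added here and not taken from the slides; the `System` class, its resource name `grades.db` and the users are constructed for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed example, not from the slides: the system-level rows of the table in
# code. Passwords are stored as salted PBKDF2 hashes (authentication), an ACL maps
# (user, resource) to allowed actions (authorization), every decision is logged.
ITERATIONS = 100_000   # PBKDF2 work factor; raise it for real deployments

def make_record(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}

_DUMMY = make_record("")   # checked for unknown users so lookups take equal time

class System:
    def __init__(self):
        self.users = {}      # username -> password record from make_record()
        self.acl = {}        # (username, resource) -> set of allowed actions
        self.audit_log = []  # one entry per access decision (auditing)

    def grant(self, name: str, resource: str, *actions: str):
        self.acl.setdefault((name, resource), set()).update(actions)

    def authenticate(self, name: str, password: str) -> bool:
        rec = self.users.get(name, _DUMMY)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
        return name in self.users and hmac.compare_digest(digest, rec["hash"])

    def request(self, name: str, password: str, resource: str, action: str) -> bool:
        if not self.authenticate(name, password):
            outcome = "DENY: authentication failed"
        elif action in self.acl.get((name, resource), set()):
            outcome = "ALLOW"
        else:
            outcome = "DENY: action not in ACL"
        self.audit_log.append({"time": datetime.now(timezone.utc).isoformat(), "user": name,
                               "resource": resource, "action": action, "outcome": outcome})
        return outcome == "ALLOW"

def demo():
    s, pw = System(), "correct horse battery staple"
    s.users["alice"] = make_record(pw)
    s.grant("alice", "grades.db", "read")
    return [s.request("alice", pw, "grades.db", "read"),
            s.request("alice", pw, "grades.db", "write"),
            s.request("alice", "wrong password", "grades.db", "read"),
            s.request("mallory", "anything", "grades.db", "read")]
```

Denied requests are logged with the same detail as allowed ones; that is what makes the grade-changing incidents in the next slides traceable to an account.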
Typical Cases of Security Lapses

• Loss of confidential data:
  ◼ 2007: HMRC loses (unencrypted) disks containing personal details of 25 million people
  ◼ 2008: HSBC loses disks containing details of 180,000 policy holders (fined a total of £3.2 million)
  ◼ 2007: hard disk containing records of 3 million candidates for driver’s licenses goes missing
  ◼ Not just happening in the UK: Sunrise (Swiss ISP) exposes account names and passwords of users in 2000

• Credit card fraud is a recurring theme, ranging from:
  ◼ spying out PINs at ATMs to
  ◼ organized stealing and trading of credit card numbers
• Recent high-profile case:
  ◼ In the U.S., Albert Gonzalez and other hackers infiltrated Heartland and Hannaford (two firms processing payments)
  ◼ They stole millions of credit card numbers between 2006 and 2008
  ◼ This has cost Heartland $12.6 million so far.

• Hacking into other systems:
  ◼ 2008: in the U.S., an 18-year-old student hacks into a high school computer and changes grades
  ◼ 2005: a UCSB (University of California Santa Barbara) student hacks into the eGrades system and changes grades
• Web site defacement also seems to happen quite regularly (with targets including the U.N., Microsoft, and Google)

• Denial-of-service attacks:
  ◼ 2009: Twitter is hit by a denial-of-service attack and brought to a standstill
• Natural disasters (the cause need not be malicious):
  ◼ Data loss through fire, storm, flooding
  ◼ 2005: Hurricane Katrina takes out two data centers of an aerospace company in the U.S.; unfortunately, they backed each other up
Security Controls

• Security controls are mechanisms to protect information (or a system) against:
  ◼ unauthorized access (ensuring confidentiality)
  ◼ unauthorized modification (ensuring integrity)
  ◼ destruction / denial of service (ensuring availability)
• Controls are also called countermeasures or safeguards
• General types of controls:
  ◼ Physical
  ◼ Technical
  ◼ Administrative

• Physical controls include:
  ◼ Locks
  ◼ Security guards
  ◼ Badges / swipe cards / scanners
  ◼ Alarms
  ◼ Fire extinguishers
  ◼ Backup power
  ◼ ...
• Administrative controls include:
  ◼ Staff training
  ◼ Clear responsibilities
  ◼ Policies and procedures
  ◼ Contingency plans
  ◼ ...
• Technical controls include:
  ◼ Access control software / passwords
  ◼ Antivirus software
  ◼ Encryption
  ◼ Backup software / systems
  ◼ ...
Security Controls: Administrative Controls

• Policy
  ◼ A policy is a general statement produced by senior management that dictates what role security will play in the organization, or what is generally acceptable and not acceptable.
  ◼ Policies are usually broad documents that require procedures to implement them.
• Standards
  ◼ A standard refers to mandatory activities, actions or rules, e.g. ISO 9001, ISO 27001 etc.
• Baselines
  ◼ Baselines are also used to define the minimum level of protection required.
  ◼ In security, specific baselines can be defined per system type, indicating the necessary settings and the level of protection being provided.
• Guidelines
  ◼ Recommended actions and operational guides.
Security Controls

• Controls to be covered in this course: technical controls
• Although physical and administrative controls should be kept in mind, we don’t have enough time to cover everything
• Technical controls are more interesting from the point of view of computer science and management

Defense in Depth
• Implementation of multiple controls so that a successful breach is difficult for an attacker to achieve
• Controls are implemented in layers to ensure defense in depth.