Networking 8

Lecture 8

Data Protection Methods

11/05/24 1
Even when digital communication is secured, attackers will
test the security method and attempt to breach the system.
To stay one step ahead of the hackers and protect your
organization's data, you will need to understand the
fundamentals of data protection and the choices you have
for implementing them on your network.

There are many ways to protect data on a network. In this
section, we will explore different data protection methods.
Authentication
Authentication is a network security measure in which a user
or a network component proves its identity in order to gain
access to network resources. There are many possible
authentication methods, the most common being a
combination of user name and password.

Figure: A type of authentication.


Authentication Methods
There are several methods for authentication.

User ID authentication
•This is one of the most basic authentication methods. It involves comparing a
user name and password against those stored in a database. If the credentials
match, the user is authenticated. If not, the user is denied access. However, this
method may not be very secure because credentials are often transferred in
plaintext.
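The slide points out that this basic method is weak when credentials are handled in plaintext. The following is an added example, not code from the lecture, showing how a user name and password can be checked against a stored record that never contains the password itself: the database holds only a random salt and a PBKDF2-HMAC hash, and comparison is done in constant time. The account names, passwords, fixed salts and the iteration count are constructed for the demonstration.

```python
# Added example (not from the lecture): verifying a user name and password
# against a stored record without keeping the password itself in the database.
# The database holds only a random salt and a PBKDF2-HMAC hash of the password.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # assumed work factor; tune for the target hardware


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the database entry for a new user: salt + derived key, no plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def verify(db: dict, username: str, password: str) -> bool:
    """Return True only if the user exists and the password matches the stored hash."""
    record = db.get(username)
    # Hash against a dummy salt even for unknown users so that 'no such user'
    # and 'wrong password' take the same time to answer.
    salt = record["salt"] if record else b"\x00" * 16
    iterations = record["iterations"] if record else ITERATIONS
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    if record is None:
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


# Constructed sample database with two accounts (fixed salts so the output is repeatable).
USERS = {
    "alice": make_record("correct horse battery staple", salt=b"A" * 16),
    "bob": make_record("hunter2", salt=b"B" * 16),
}

if __name__ == "__main__":
    print(verify(USERS, "alice", "correct horse battery staple"))  # True
    print(verify(USERS, "alice", "wrong"))                          # False
    print(verify(USERS, "mallory", "anything"))                     # False
```

The hashing step protects the stored copy of the credentials; it does not by itself protect them in transit, which is the separate problem the encryption slides address.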

Multifactor authentication
•This requires validation of at least two possible authentication factors. Thus, it
can be any combination of what you know, what you have, and who you are. A
common example is that of word verification, involving a graphical character
string displayed along with the user name and password fields. So, apart from
providing the user name and password, you need to enter the string verbatim.

Authentication Methods
Mutual authentication
•This requires each communicating party to verify its identity.
First, a service or resource verifies the credentials of the client,
and then the client verifies the credentials of the former. This
prevents the client from inadvertently submitting confidential
information to a server that is not secure.
Biometric authentication
•Biometrics is the science of measuring biological information.
Thus, biometric authentication involves validating information
based on the physical characteristics of an individual. This
includes using a fingerprint scanner, a retinal scanner, or voice-recognition
and face-recognition software. However, biometric authentication is very
expensive to implement, and so is not as widely adopted as other
authentication methods.
Encryption
Encryption is a security technique that converts data from plain form to coded
form. The data in plain form is known as cleartext or plaintext, and the data in
encrypted form is known as ciphertext. Only authorized parties with the
necessary decoding information can interpret and read the encrypted data. This
process is known as decryption. Encryption can be one-way or two-way.
One-way encryption is designed only to hide cleartext that is never decrypted.
In two-way encryption, ciphertext is decoded back into cleartext.

Figure : Encryption converts plaintext into ciphertext.

Key-Based Encryption Systems

Data encryption depends on the use of a key to control how information is
encoded and decoded. There are two main categories of key-based encryption.
• In shared-key or symmetric encryption systems, the same key is used to
encode and decode data. The secret key must somehow be communicated
securely between the two parties.
• In key-pair or asymmetric encryption systems, each party has two keys: a
public key, which anyone can obtain, and a private key, known only to a
specific individual. Anyone can use the public key to encrypt data and only
the holder of the associated private key can decrypt it.
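The following added example, which is not code from the lecture, demonstrates the three behaviours described on this slide and the previous one: a one-way hash that cannot be reversed, a two-way shared-key cipher where one secret both encrypts and decrypts, and a two-way key-pair cipher where the public key encrypts and only the private key decrypts. The hash is real SHA-256; the symmetric cipher (an HMAC-derived XOR keystream) and the asymmetric cipher (textbook RSA with the tiny primes 61 and 53) are deliberately small teaching versions, constructed here to show the key handling, and are not suitable for protecting real data.

```python
# Added example (not from the lecture): one-way hashing, shared-key (symmetric)
# encryption and key-pair (asymmetric) encryption using only the standard library.
# The symmetric and asymmetric parts are toy constructions for illustration only.
import hashlib
import hmac


# --- One-way: a hash cannot be turned back into the cleartext ---------------
def one_way(cleartext: bytes) -> str:
    return hashlib.sha256(cleartext).hexdigest()


# --- Two-way, shared key: the same secret both encrypts and decrypts ---------
def keystream(key: bytes, length: int) -> bytes:
    """Expand the shared key into `length` pseudo-random bytes (toy construction)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def symmetric(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; applying it twice with the same key restores the data."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


# --- Two-way, key pair: public key encrypts, only the private key decrypts ----
def make_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA from two primes. Returns (public, private) with public = (n, e)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def asymmetric_encrypt(public, m: int) -> int:
    n, e = public
    return pow(m, e, n)


def asymmetric_decrypt(private, c: int) -> int:
    n, d = private
    return pow(c, d, n)


if __name__ == "__main__":
    msg = b"transfer 100"
    print(one_way(msg))                            # digest; there is no decrypt step
    k = b"shared-secret-agreed-out-of-band"        # must reach both parties securely
    ct = symmetric(k, msg)
    print(ct != msg, symmetric(k, ct) == msg)      # True True
    pub, priv = make_keypair(61, 53)               # constructed tiny primes
    c = asymmetric_encrypt(pub, 65)                # anyone may do this with pub
    print(c, asymmetric_decrypt(priv, c))          # 2790 65
```

Note how the shared key `k` has to be delivered to both sides before the symmetric step can work, whereas in the key-pair step only `pub` is ever sent; that difference is the whole reason the two categories exist.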

Encryption and Security Goals
Encryption is used to promote various security goals, as described in the
following table.

Digital Certificates

A digital certificate is an electronic document that associates credentials with a
public key. Both users and devices can hold certificates. The certificate
validates the certificate holder's identity and is also a way to distribute the
holder's public key. A server called a Certificate Authority (CA) issues
certificates and the associated public or private key pairs.

Figure: The constituents of a digital certificate.

Public Key Infrastructure

Public Key Infrastructure (PKI) is a hierarchical system used for the purpose of
authenticating and validating data and entities to secure transactions over the
Internet. A PKI consists of digital certificates, CAs, a registration authority, and
a certificate management system, and issues and maintains public or private key
pairs and certificates.

Figure : The components of a PKI.

Antivirus Software
Antivirus software is an application that scans files for executable code that
matches patterns, known as signatures or definitions, that are common among
viruses. The antivirus software also monitors systems for activity associated
with viruses such as accessing the boot sector. Additionally, it deletes viruses
that may have already infected the computer. Antivirus software is typically
deployed on gateway computers at the perimeter of the network and on
individual desktop systems.

Figure : Antivirus software installed on a network and its components.

Guidelines for Protecting Data

By balancing a potential security threat with the cost of
implementing and maintaining a secure network, a
security professional ensures a proper level of data
protection and guards against loss of network
functionality.

Guidelines
• To protect data on your network, follow these guidelines:
– Deploy intruder-detection and virus-protection software to
monitor unauthorized activity, such as the presence of
viruses, password-cracking software, or Trojan horses.
– Limit access to the network to prevent the introduction of
hardware-based sniffers or unauthorized hosts.
– Use strong and complex passwords. Change passwords on a
regular basis.
– Employ strong authentication and encryption measures on
data stored on network servers.

Guidelines (Contd)

– To guard against IP spoofing, use more than one form of
authentication among devices.
– Encrypt data during network transmission so that it cannot
be read by sniffers.
– Conceal network address information with various
technologies, such as firewalls, Internet proxies, and address
translation, to protect against spoofing and hijacking.
– Train users to recognize and deter social engineering attacks.

Part 2

Local and Internet Security

Local Security

An organization's goal is to ensure security
for its users, systems, and data. To achieve
this, it will need to implement security
measures at different levels and on various
components of its network. Configuring
appropriate security on local network
components is an important part of an overall
security plan.
In this section, we will identify the
components of local network security.
Share-Level and User-Level Security
Rights
A right is a security setting that controls whether or not a user
can perform a system-wide function such as shutting down a
computer or logging on to a server. Rights are assigned to
users or group accounts, not to a particular object or resource.

Figure: A user assigned with various rights.


Permissions
A permission is a security setting that determines the level of access a user or a
group account has to a particular resource. Permissions can be associated with a
variety of resources such as files, printers, shared folders, and network directory
databases. Permissions can be configured to allow different levels of privileges
or to deny privileges to users who should not access a resource.

Figure : Various permissions to different users on a network.


Users and Groups
Rights and permissions can be assigned to individual user accounts. However,
this is an inefficient security practice because many permission assignments
must be duplicated for users with similar roles and individual users' roles and
needs can change frequently. It is more efficient to create groups of users with
common needs and assign the rights and permissions to the user groups. As
individual users' needs change, users can be placed in groups with the
appropriate security configuration.
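The following added example, not code from the lecture, models the practice this slide recommends: permissions are attached to groups rather than to individual accounts, a user's effective access to a resource is resolved through group membership, and a change of role is a single membership edit with no per-resource changes. The resource names, groups, users and permission sets are constructed; the rule that an explicit deny overrides any allow is an assumption that matches the previous slide's note about denying privileges.

```python
# Added example (not from the lecture): resolving effective permissions through
# group membership. Permissions are never attached to a user directly.
from typing import Dict, Set

# Resource -> group -> set of granted actions. A "deny" entry overrides any
# allow that the user might receive through another group (assumed policy).
PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "finance-share": {"finance": {"read", "write"}, "auditors": {"read"}, "contractors": {"deny"}},
    "public-share": {"everyone": {"read"}, "it": {"read", "write"}},
    "printer-3f": {"everyone": {"print"}, "it": {"print", "manage"}},
}

# Group -> members. Constructed sample accounts.
GROUPS: Dict[str, Set[str]] = {
    "everyone": {"alice", "bob", "carol"},
    "finance": {"alice"},
    "auditors": {"bob"},
    "it": {"carol"},
    "contractors": set(),
}


def groups_of(user: str) -> Set[str]:
    return {g for g, members in GROUPS.items() if user in members}


def effective(user: str, resource: str) -> Set[str]:
    """Union of the permissions of the user's groups; an explicit deny removes all access."""
    allowed: Set[str] = set()
    for g in groups_of(user):
        grants = PERMISSIONS.get(resource, {}).get(g, set())
        if "deny" in grants:
            return set()
        allowed |= grants
    return allowed


def move(user: str, src: str, dst: str) -> None:
    """A role change: one membership edit, no resource settings touched."""
    GROUPS[src].discard(user)
    GROUPS[dst].add(user)


if __name__ == "__main__":
    print(effective("bob", "finance-share"))   # {'read'}  (via auditors)
    move("bob", "auditors", "contractors")     # bob changes role
    print(effective("bob", "finance-share"))   # set()     (contractors are denied)
    print(effective("bob", "public-share"))    # {'read'}  (still via everyone)
```

Compare the `move` call with what the slide calls the inefficient practice: with per-user assignments, the same role change would require editing every resource that mentions `bob`.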

Figure: Users and groups on a network.
Internet Security

Every organization today wants to connect to
the Internet. At the same time, every
organization has a valid concern about the
risks involved in connecting to this huge,
open, public network. You need to be aware
of the specific tools and techniques that
companies use to protect themselves from
outside attacks and from Internet misuse
internally.
We will look at the primary techniques that
are used to secure Internet connections.
Network Address Translation
Network Address Translation (NAT) is a simple form of Internet security that
conceals internal addressing schemes from the Internet. A router is configured
with a single public IP address on its external interface and a nonroutable address
on its internal interface. A NAT service running on the router or on another
system translates between the two addressing schemes. Packets sent to the Internet
from internal hosts appear as if they came from a single IP address, preventing
external hosts from identifying and connecting directly to internal systems.
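The following added example, not code from the lecture, implements the translation table a NAT device keeps. Outbound packets from private hosts are rewritten to the router's single public address and a fresh port; an inbound packet is delivered only if it matches an existing mapping and comes from the peer that mapping was created for, which is why external hosts cannot reach internal systems directly. The addresses and ports are constructed sample values from documentation ranges.

```python
# Added example (not from the lecture): the translation table behind NAT.
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


class NAT:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (internal ip, internal port, remote ip, remote port) -> public port
        self.out_table: Dict[Tuple[str, int, str, int], int] = {}
        # public port -> (internal ip, internal port, remote ip, remote port)
        self.in_table: Dict[int, Tuple[str, int, str, int]] = {}

    def outbound(self, src: Endpoint, dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """Rewrite an internal host's packet so it appears to come from the router."""
        key = (*src, *dst)
        if key not in self.out_table:
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[port] = key
        return (self.public_ip, self.out_table[key]), dst

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Deliver a packet from the Internet only if it answers an existing mapping."""
        if dst[0] != self.public_ip or dst[1] not in self.in_table:
            return None  # unsolicited: no internal host is addressable
        iip, iport, rip, rport = self.in_table[dst[1]]
        if src != (rip, rport):
            return None  # mapping exists, but this is not the peer it was made for
        return src, (iip, iport)


if __name__ == "__main__":
    nat = NAT("203.0.113.7")  # constructed public address
    print(nat.outbound(("192.168.1.20", 51000), ("198.51.100.5", 443)))
    # (('203.0.113.7', 40000), ('198.51.100.5', 443))
    print(nat.inbound(("198.51.100.5", 443), ("203.0.113.7", 40000)))
    # (('198.51.100.5', 443), ('192.168.1.20', 51000))
    print(nat.inbound(("198.51.100.9", 22), ("203.0.113.7", 40001)))  # None
```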

Figure : A server translates network addresses.


Firewalls
A firewall is a software program or a hardware device that protects networks
from unauthorized data by blocking unsolicited traffic. Firewalls allow
incoming or outgoing traffic that has specifically been permitted by a system
administrator and also incoming traffic that is sent in response to requests from
internal hosts. Firewalls use complex-filtering algorithms that analyze incoming
packets based on destination and source addresses, port numbers, and data type.
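The following added example, not code from the lecture, is a small stateful packet filter of the kind this slide describes. Rules match on source and destination address, destination port and protocol; the first matching rule decides; anything not explicitly permitted is dropped, except traffic that answers a connection an internal host opened. The networks, rules and packets are constructed sample values.

```python
# Added example (not from the lecture): a stateful packet filter with a
# default-deny policy and a connection table for return traffic.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    direction: str  # "in" or "out"
    src_net: str
    dst_net: str
    dport: int      # 0 means any port
    proto: str
    action: str     # "allow" or "deny"


INTERNAL = ip_network("192.168.1.0/24")  # constructed internal network

RULES: List[Rule] = [
    Rule("out", "192.168.1.0/24", "0.0.0.0/0", 443, "tcp", "allow"),        # web from inside
    Rule("out", "192.168.1.0/24", "0.0.0.0/0", 53, "udp", "allow"),         # DNS from inside
    Rule("in", "0.0.0.0/0", "192.168.1.10/32", 22, "tcp", "deny"),          # never expose SSH
    Rule("in", "203.0.113.0/24", "192.168.1.10/32", 443, "tcp", "allow"),   # partner -> web
]


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        # Connections opened from inside: (src, sport, dst, dport, proto)
        self.connections: Set[Tuple[str, int, str, int, str]] = set()

    def _matches(self, r: Rule, p: Packet, direction: str) -> bool:
        return (r.direction == direction
                and r.proto == p.proto
                and ip_address(p.src) in ip_network(r.src_net)
                and ip_address(p.dst) in ip_network(r.dst_net)
                and r.dport in (0, p.dport))

    def filter(self, p: Packet) -> str:
        direction = "out" if ip_address(p.src) in INTERNAL else "in"
        # Replies to a connection an internal host opened need no explicit rule.
        if direction == "in" and (p.dst, p.dport, p.src, p.sport, p.proto) in self.connections:
            return "allow"
        for r in self.rules:  # first match wins
            if self._matches(r, p, direction):
                if r.action == "allow" and direction == "out":
                    self.connections.add((p.src, p.sport, p.dst, p.dport, p.proto))
                return r.action
        return "deny"  # nothing matched: unsolicited traffic is dropped


if __name__ == "__main__":
    fw = Firewall(RULES)
    print(fw.filter(Packet("192.168.1.20", 51000, "198.51.100.5", 443, "tcp")))  # allow
    print(fw.filter(Packet("198.51.100.5", 443, "192.168.1.20", 51000, "tcp")))  # allow (reply)
    print(fw.filter(Packet("198.51.100.5", 443, "192.168.1.20", 51001, "tcp")))  # deny (unsolicited)
    print(fw.filter(Packet("203.0.113.4", 40000, "192.168.1.10", 22, "tcp")))    # deny
```

The order of the two `in` rules matters: because the first match wins, the SSH deny is placed before the partner allow, so no later rule can accidentally open port 22.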

Figure : A firewall protects networks from unauthorized data.

Demilitarized Zones
A demilitarized zone (DMZ) is a small section of a private network that is
located between two firewalls and made available for public access. A DMZ
enables external clients to access data on private systems, such as web servers,
without compromising the security of the internal network. The external
firewall enables public clients to access the service and the internal firewall
prevents them from connecting to protected internal hosts.

Figure : A DMZ on a network.


Internet Proxies
An Internet proxy is a system that isolates internal networks from the Internet
by downloading and storing Internet files on behalf of internal clients. The
Internet proxy intercepts requests for web-based or other external resources that
come from internal clients, and if it does not have the data in its cache,
generates a completely new request packet using itself as the source. In addition
to providing security, the data cache can also improve client response time and
reduce Internet traffic by providing frequently used pages to clients from a local
source.

Figure : An Internet proxy working on behalf of clients on a network.
THE END

