Lec 1 - Unit 4 - Lecture 1 IWT

Uploaded by aashima.it
Unit 4.

Privacy and security topics


Why We Need Information Security?
• Our focus is on Internet security, which
consists of measures to deter, prevent, detect,
and correct security violations that involve the
transmission and storage of information.
1.1 SECURITY
• Challenges in Security
1. Use of computers with the Internet
2. Software tools are available freely
3. Importance of information
4. Lack of awareness, ignorance or hesitation

• PROTECTION
1. Unauthorized access, whether intentional or
unintentional.
To protect the operation of any
organization:
1. Physical security: access control to physical
devices, e.g. pen drives, hard drives, CD/DVD,
computers.
2. Private security: individuals or groups.
3. Project security: design, code and operation
security.
Introduction
• Information: computers, networks, the Internet,
mobile devices.
• Security: trying to understand how to protect them.
• The various dangers and pitfalls when we use
technology.
• The consequences of not setting up the right
security policies, security framework and
security technology.
Why is Security Required?
• Business and many different types of transactions are
now conducted to a large extent over the Internet.
• An inadequate or improper security mechanism can bring
a whole business down or play havoc with people's lives!
• Electronic documents and messages are now
becoming equivalent to conventional documents in terms of
their legal validity and binding force.
Why Study Information Security
• Businesses collect massive amounts of data about their
customers, employees, and competitors.
• Most of this data is stored on computers and transmitted
across networks.
• If this information should fall into the hands of a competitor,
the result could be loss of business, lawsuits and bankruptcy.
• Protecting corporate data is no longer an option, it is a
requirement.
Information Security
• Protecting information and information systems
from unauthorized access, use, disclosure,
disruption, modification, or destruction.

• Background
• Throughout history, confidentiality of information
has always played a key role in military conflict.
• In the past there was little or no security.
The Need for Security (Current Scenario)
• Nowadays the importance of data has been truly
realized: financial and personal data.
• Therefore various areas in security began to
gain prominence.
• Typical examples of basic security mechanisms:
Authenticate a user -> id, password
Encode data in the DB -> not visible to users who do not
have the right permission.
• Each organization employed its own mechanism.
The Need for Security In Modern Life
• The Internet took the world by storm.
• Technology improved.
• Communication infrastructure became
extremely mature.
• Newer and newer applications began to be
developed for various user demands and needs.
• Soon people realized that basic security
measures were not quite enough.
Information traveling from a client to a
server over the internet.
Some real-life attacks
• A Russian attacker, Maxim, actually managed to intrude
into a merchant's Internet site and obtained 300,000
credit card numbers from its DB.
• He then attempted extortion by demanding
protection money ($100,000) from the merchant.
• The merchant refused to oblige.
• Following this, the attacker published about 25,000
of the credit card numbers on the Internet!
• Some banks reissued all the credit cards at a cost of
$20 per card, and others forewarned their customers
about unusual entries in their statements.
Consequences of Attack
• Great losses, both in terms of finance and goodwill.
• Cost of attack: $20 * 300,000 = $6M
• Another example:
• In 1999 a Swedish hacker broke into Microsoft's
Hotmail website and created a mirror site.
• This allowed anyone to enter any Hotmail user's
email id and read their emails.
• A 2005 survey about the losses that occur due to
successful attacks on security put them at $455,848,000.
• The next year this figure reduced to $201,757,340!
Modern Nature Of Attack
1. Automating attacks:
 - Traditional attack: produce counterfeit coins using machinery and bring
them into circulation.
 - Modern attack: steal half a dollar from a million accounts in
a few minutes, digitally.
2. Privacy concern: every company is collecting and
processing lots of information about us, without our
realizing when and how it is going to be used.
3. Distance does not matter: an attack can be launched from
a distance.
E.g.: In 1995, a Russian hacker broke into Citibank's computers
remotely, stealing $12M.
Although the attacker was traced, it was very difficult to
get him extradited for the court case.
1.2 ELEMENTS OF INFORMATION
SECURITY
• This will help us understand the attacks better
and also help us in thinking about possible
solutions to tackle them.
• Information security provides services to users.
Principles/Goals Of Security
• These are the 4 chief principles of security.
1. Confidentiality: Is the message seen by someone else?
2. Authentication: Do you trust the sender of the message?
3. Integrity: Is the message changed during transmission?
4. Non-repudiation: Can the sender refute the message?
• The above principles are related to a particular message.
• There are 2 more linked to the overall system as a whole.
5. Access Control: Who can access what? [ACL]
6. Availability: Information should be available
in a timely manner.
Confidentiality
• Confidentiality is the process of preventing disclosure
of information to unauthorized individuals or
systems.
Examples: credit card numbers
• Confidentiality is necessary, but not sufficient, to
maintain privacy.
Interception causes loss of message
confidentiality.
Authenticity
• In computing, e-business and information security it is
necessary to ensure that the data, transactions,
communications or documents (electronic or physical)
are genuine (i.e. they have not been forged or fabricated).
Examples: passports, credit card accounts, academic
transcripts
Fabrication is possible in the absence of proper
authentication.
Integrity
• Integrity means that data cannot be modified or changed
without authorization.
Examples: manual deletion, alteration or creation of
important data files, virus infection, an employee
altering their own salary, website vandalism, polling
fraud.
Modification causes loss of message
integrity.
Non-Repudiation
• It is a complex term used to describe the lack of deniability of
ownership of a message, piece of data, or transaction.
Examples: proof of an ATM transaction, a stock trade, or an
email
It does not allow the sender of a
message to later deny having
sent that message.
Access Control
• Role management -> user side -> which user
can do what.
• Rule management -> resource side -> which
resources are accessible and under what
circumstances.
• An Access Control List is a subset of the Access Control
Matrix.
Availability
• For any information or system to serve its purpose,
the information must be accessible and usable when it
is needed.
• The computing systems used to store and process the
information, the security controls used to protect it,
and the communication channels used to access it
must be functioning correctly.
Examples: power outages, hardware failures,
system upgrades and preventing denial-of-service
attacks
Interruption puts the availability of
resources in danger.
ASPECTS OF SECURITY
• We consider 3 aspects of
information security:
• Security Attack
• Security Mechanism
• Security Service
SECURITY ATTACK
• Any action that compromises the security of
information owned by an organization.
• Information security is about how to prevent
attacks, or failing that, to detect attacks on
information-based systems.
• Often "threat" and "attack" are used to mean the same thing.
• There is a wide range of attacks.
• We can focus on generic types of attacks: passive and
active.
TYPES OF SECURITY ATTACKS
• Passive Attack
• Active Attack
INTERRUPTION
• An asset of the system is destroyed or
becomes unavailable or unusable. It is an
attack on availability. Examples:
• Destruction of some hardware
• Jamming wireless signals
• Disabling file management systems
INTERCEPTION
• An unauthorized party gains access to an
asset. Attack on confidentiality.
Examples:
• Wiretapping to capture data in a network.
• Illicitly copying data or programs
• Eavesdropping
MODIFICATION
• When an unauthorized party gains access and
tampers with an asset. The attack is on integrity.
• Examples:
• Changing a data file
• Altering a program or the contents of a
message
FABRICATION
• An unauthorized party inserts a counterfeit
object into the system. Attack on authenticity.
Also called impersonation.
Examples:
• Hackers gaining access to a personal email account
and sending messages
• Insertion of records in data files
• Insertion of spurious messages in a network
SECURITY SERVICES
• A security service is a processing or communication service
that is provided by a system to give a specific
kind of protection to system resources.
• Security services implement security policies
and are implemented by security mechanisms.
Confidentiality
• Confidentiality is the protection of transmitted
data from passive attacks.
• It is used to prevent the disclosure of information
to unauthorized individuals or systems.
• It has been defined as “ensuring that information
is accessible only to those authorized to have
access”.
• The other aspect of confidentiality is the
protection of traffic flow from analysis.
• Ex: A credit card number has to be secured during an
online transaction.
Authentication
• This service assures that a communication
is authentic.
• For a single message transmission, its function is to assure
the recipient that the message is from the intended source.
• For an ongoing interaction two aspects are involved.
• First, during connection initiation the service assures the
authenticity of both parties.
• Second, it assures that the connection between the two hosts is not
interfered with in a way that allows a third party to masquerade as one of
the two parties.
• Two specific authentication services defined in X.800 are:
Authentication
• Peer entity authentication: verifies the identities of the
peer entities involved in communication. Provided for use at the
time of connection establishment and during data
transmission. Provides confidence against a masquerade
or a replay attack.
• Data origin authentication: assures the authenticity of the
source of a data unit, but does not provide protection
against duplication or modification of data units. Supports
applications like electronic mail, where no prior
interactions take place between the communicating entities.
Integrity
• Integrity means that data cannot be modified without
authorization. Like confidentiality, it can be applied to a stream of
messages, a single message or selected fields within a message.
• Two types of integrity services are available. They are:
• Connection-Oriented Integrity Service: this service deals with a
stream of messages and assures that messages are received as sent,
with no duplication, insertion, modification, reordering or
replays.
• Destruction of data is also covered here. Hence, it addresses
both message stream modification and denial of service.
• Connectionless Integrity Service: it deals with individual
messages regardless of any larger context, providing protection
against message modification only.
Integrity
• An integrity service can be applied with or
without recovery.
• Because it is related to active attacks, major
concern will be detection rather than
prevention.
• If a violation is detected and the service
reports it, either human intervention or
automated recovery mechanisms are required to
recover.
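As an added illustration (not part of the original slides), the Python below contrasts the two services described above: a data origin authentication tag, which proves the source and detects modification but still accepts a replayed copy, and a connection-oriented integrity check that binds a sequence number into the tag and keeps receiver state, so replays, reordering and missing messages are also detected. The shared key and messages are constructed for the demo, and HMAC-SHA256 is a common choice of tag construction, not one the slides specify.

```python
"""Data origin authentication vs connection-oriented integrity (added example)."""
import hashlib
import hmac

KEY = b"constructed-demo-shared-key"  # constructed: assumed pre-shared by both parties


def origin_tag(key: bytes, msg: bytes) -> bytes:
    """Tag over the message only: enough for data origin authentication."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_origin(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Proves the source and detects modification, but a captured (msg, tag)
    pair verifies again if it is replayed: no protection against duplication."""
    return hmac.compare_digest(tag, origin_tag(key, msg))


def stream_tag(key: bytes, seq: int, msg: bytes) -> bytes:
    """Tag over sequence number and message: valid at one stream position only."""
    return hmac.new(key, seq.to_bytes(4, "big") + msg, hashlib.sha256).digest()


class StreamReceiver:
    """Connection-oriented integrity: the receiver tracks the next expected
    sequence number, so replay, reordering and gaps are detected as well as
    modification. Detection only; recovery is left to the caller, as the slide notes."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.expected = 0

    def receive(self, seq: int, msg: bytes, tag: bytes) -> str:
        if not hmac.compare_digest(tag, stream_tag(self.key, seq, msg)):
            return "reject: modified or fabricated"
        if seq < self.expected:
            return "reject: replay"
        if seq > self.expected:
            return "reject: reordered or missing message"
        self.expected += 1
        return "accept"


if __name__ == "__main__":
    m = b"transfer 100 to bob"  # constructed sample message
    t = origin_tag(KEY, m)
    print(verify_origin(KEY, m, t), verify_origin(KEY, m, t))  # True True: replay passes
    r = StreamReceiver(KEY)
    print(r.receive(0, m, stream_tag(KEY, 0, m)), r.receive(0, m, stream_tag(KEY, 0, m)))
```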
Non-repudiation
• Non-repudiation prevents either sender or
receiver from denying a transmitted message.
This capability is crucial to e-commerce.
Without it an individual or entity can deny
that he, she or it is responsible for a
transaction, and is therefore not financially liable.
Access Control
• This refers to the ability to control the level of
access that individuals or entities have to a network
or system and how much information they can
receive.
• It is the ability to limit and control the access to
host systems and applications via communication
links.
• For this, each entity trying to gain access must first
be identified or authenticated, so that access rights
can be tailored to the individuals.
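The two Access Control slides above describe role management (which user can do what), rule management (which resource is accessible and under what circumstances), the statement that an ACL is a subset of the access control matrix, and the requirement that a subject be identified before rights are tailored to it. The added Python example below (not from the original slides; subjects, objects and rights are constructed) builds a small matrix, projects one column out as an ACL and one row out as a capability list, and answers access requests deny-by-default.

```python
"""Access control matrix, ACLs and capability lists (added example, constructed data)."""
from typing import Dict, Set

Rights = Set[str]
Matrix = Dict[str, Dict[str, Rights]]  # subject -> object -> rights

# Constructed matrix. Rows are the user side ("which user can do what"),
# columns are the resource side ("which resource is accessible, and how").
MATRIX: Matrix = {
    "alice": {"payroll.db": {"read", "write"}, "report.pdf": {"read"}},
    "bob": {"report.pdf": {"read", "write"}},
    "carol": {},  # identified, but granted nothing yet
}


def acl(matrix: Matrix, obj: str) -> Dict[str, Rights]:
    """Access Control List: one column of the matrix, kept with the object."""
    return {s: set(r[obj]) for s, r in matrix.items() if obj in r}


def capability_list(matrix: Matrix, subject: str) -> Dict[str, Rights]:
    """Capability list: one row of the matrix, carried by the subject."""
    return {o: set(r) for o, r in matrix.get(subject, {}).items()}


def is_allowed(matrix: Matrix, subject: str, obj: str, right: str) -> bool:
    """Reference-monitor check: deny unless an explicit entry grants the right.
    A subject with no row (never identified) falls through to deny."""
    return right in matrix.get(subject, {}).get(obj, set())


def grant(matrix: Matrix, subject: str, obj: str, right: str) -> None:
    """Tailor rights to an identified subject by adding a matrix entry."""
    matrix.setdefault(subject, {}).setdefault(obj, set()).add(right)


def revoke(matrix: Matrix, subject: str, obj: str, right: str) -> None:
    """Remove a right; dropping empty cells keeps ACLs and capability lists in step."""
    cell = matrix.get(subject, {}).get(obj)
    if cell is not None:
        cell.discard(right)
        if not cell:
            del matrix[subject][obj]
```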
Availability
• It is defined to be the property of a system or a
system resource being accessible and usable
upon demand by an authorized system entity.
• Availability can be significantly affected by a
variety of attacks, some amenable to automated
countermeasures, i.e. authentication and
encryption, and others needing some sort of physical
action to prevent or recover from loss of
availability of elements of a distributed system.
