
Federal TVET Institute

MSc ICT Management

Information Security

Learning Guide 1: General Concept of Security

Dr. Patrick D. Cerna


Learning Objectives
Upon completion of this lecture, you should be able to:
– Understand the need for information security.
– Understand that a successful information security program is
the responsibility of an organization's general
management and IT management.
– Understand the information security CIA triad.
– Understand the threats posed to information security
and the more common attacks associated with those
threats.
– Understand social engineering in information security.

Business Needs First, Technology Needs Last
Information security performs four important
functions for an organization:
– Protects the organization's ability to function
– Enables the safe operation of applications
implemented on the organization's IT systems
– Protects the data the organization collects and
uses
– Safeguards the technology assets in use at the
organization

Protecting the Ability to Function
• Management is responsible
• Information security is
– a management issue
– a people issue
• Communities of interest must argue for
information security in terms of impact
and cost

Enabling Safe Operation
• Organizations must create integrated,
efficient, and capable applications
• Organizations need environments that
safeguard applications
• Management must not abdicate to the IT
department its responsibility to make choices
and enforce decisions

What is security about in general?
• Security is about protection of assets
– D. Gollmann, Computer Security, Wiley
• Prevention
– take measures that prevent your assets from being
damaged (or stolen)
• Detection
– take measures so that you can detect when, how, and
by whom an asset has been damaged
• Reaction
– take measures so that you can recover your assets

Real-world example
• Prevention
– locks on doors, window bars, secure the walls
around the property, hire a guard
• Detection
– missing items, burglar alarms, closed-circuit TV
• Reaction
– call the police, file an insurance claim, or attack the
burglar (not recommended)

Internet shopping example
• Prevention
– encrypt your order and card number, require merchants
to do extra checks, use a PIN even for Internet
transactions, don't send the card number over the Internet
• Detection
– an unauthorized transaction appears on your credit card
statement
• Reaction
– complain, dispute, ask for a new card number, sue (if
you can find the culprit, of course)
– or pay and forget (have a glass of cold water)

Information security in past & present
• Traditional Information Security
– keep the cabinets locked
– put them in a secure room
– human guards
– electronic surveillance systems
– in general: physical and administrative
mechanisms
• Modern World
– Data are in computers
– Computers are interconnected

Terminology
• Computer Security
– two main focuses: the information and the computer itself
– tools and mechanisms to protect data in a computer
(actually an automated information system), even if
the computers/systems are connected to a network
– tools and mechanisms to protect the information
system itself (hardware, software, firmware)
• Against what?
– hackers (intrusion)
– viruses
– denial-of-service attacks
– etc. (all types of malicious behavior)

Terminology
• Network and Internet Security
– measures to prevent, detect, and correct
security violations that involve the transmission of
information in a network or interconnected networks

Security Objectives: CIA Triad and Beyond
Computer Security Objectives
Confidentiality
 Data confidentiality
  Assures that private or confidential information is not made available or
disclosed to unauthorized individuals
 Privacy
  Assures that individuals control or influence what information related to them
may be collected and stored and by whom and to whom that information may
be disclosed

Integrity
 Data integrity
  Assures that information is changed only in a specified and authorized manner
 System integrity
  Assures that a system performs its intended function in an unimpaired manner,
free from deliberate or inadvertent unauthorized manipulation of the system

Availability
 Assures that systems work promptly and service is not denied to
authorized users

Additional concepts:
Authenticity
 Verifying that users are who they say they are and that each input arriving at
the system came from a trusted source
Accountability
 Being able to trace the responsible party/process/entity in case of a security
incident or action
Services, Mechanisms, Attacks
• 3 aspects of information security:
– security attacks (and threats)
• actions that (may) compromise security
– security services
• services that counter attacks
– security mechanisms
• used by services
• e.g. secrecy is a service, encryption (a.k.a.
encipherment) is a mechanism

Attacks
• Attacks on computer systems
– break-in to destroy information
– break-in to steal information
– blocking systems from operating properly
– malicious software
• a wide spectrum of problems

• Sources of attacks
– Insiders
– Outsiders

Attacks
• Network security distinguishes
– Active attacks
– Passive attacks
• Passive attacks
– interception of messages (eavesdropping)
– What can the attacker do?
• use the information internally
– hard to notice from the outside
• release the content
– the message can be understood by others
• traffic analysis
– hard to avoid
– Passive attacks are hard to detect, so the emphasis is on
prevention (e.g. encryption)

Attacks
• Active attacks
– Attacker actively manipulates
the communication
– Masquerade
• pretend to be someone else
• possibly to get more
privileges
– Replay
• passively capture data
and send it again later
– Denial-of-service
• prevents the normal use of
servers, end users, or the network
itself
Attacks
• Active attacks (cont'd)
– Repudiation
• deny having sent/received a message later
– Modification
• change the content of a message

Security Services
• to prevent or detect attacks
• to enhance the security
• replicate functions of physical
documents
– e.g. physical documents
• have signatures and dates
• need protection from disclosure, tampering, or
destruction
• can be notarized
• can be recorded

Basic Security Services
 Authentication
– assurance that the communicating entity is the one it claims to be
– peer entity authentication
• mutual confidence in the identities of the parties involved in a connection
– Data-origin authentication
• assurance about the source of the received data
 Access Control
– prevention of the unauthorized use of a resource
– to achieve this, each entity trying to gain access must first be
identified and authenticated, so that access rights can be tailored
to the individual

Basic Security Services
• Data Confidentiality
– protection of data from unauthorized disclosure
(against eavesdropping)
– traffic-flow confidentiality goes one step further
• it requires that an attacker not be able to observe the
source and destination, frequency, length, or other
characteristics of the traffic on a communications facility
• Data Integrity
– assurance that data received are exactly as sent
by an authorized sender
– i.e. no modification, insertion, deletion, or replay
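The following is an added example, written for this guide and not part of the lecture or its sources. It shows how data-origin authentication and data integrity (this slide) counter three of the active attacks listed earlier: modification, masquerade and replay. A keyed MAC (HMAC-SHA256) is computed over a random nonce, a timestamp and the payload; the receiver rejects bad tags, stale timestamps and reused nonces. The shared key, the JSON message layout and the 30-second freshness window are assumptions chosen for the demonstration.

```python
"""Added example (editor's code, not from the lecture): data-origin
authentication plus replay detection with an HMAC over a nonce, a
timestamp and the payload. The shared key, the JSON message layout and
the 30 s freshness window are assumptions chosen for the demonstration."""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
import time


def canonical(msg: dict) -> bytes:
    # Sender and receiver must MAC exactly the same bytes, so the
    # authenticated fields are serialised in a fixed, compact order.
    fields = {k: msg[k] for k in ("nonce", "ts", "payload")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def tag_for(key: bytes, msg: dict) -> str:
    return hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()


class Sender:
    def __init__(self, key: bytes):
        self.key = key

    def send(self, payload: str, now: float | None = None) -> dict:
        # A fresh random nonce makes every message unique, even when the
        # payload repeats, which is what lets the receiver spot replays.
        msg = {"nonce": secrets.token_hex(8),
               "ts": int(now if now is not None else time.time()),
               "payload": payload}
        msg["tag"] = tag_for(self.key, msg)
        return msg


class Receiver:
    def __init__(self, key: bytes, window_s: int = 30):
        self.key = key
        self.window_s = window_s
        self.seen: dict[str, int] = {}  # nonce -> timestamp, for replay detection

    def accept(self, msg: dict, now: float | None = None) -> tuple[bool, str]:
        now = int(now if now is not None else time.time())
        # 1. Integrity + data-origin authentication: only a holder of the
        #    key can produce a valid tag; any change to the fields breaks it.
        if not hmac.compare_digest(tag_for(self.key, msg), msg.get("tag", "")):
            return False, "bad tag (modified or forged)"
        # 2. Freshness: stale messages are rejected, which also bounds how
        #    long nonces must be remembered.
        if abs(now - msg["ts"]) > self.window_s:
            return False, "stale timestamp"
        # 3. Replay: a nonce already seen inside the window is a resent message.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window_s}
        if msg["nonce"] in self.seen:
            return False, "replay"
        self.seen[msg["nonce"]] = msg["ts"]
        return True, "ok"


def demo() -> dict[str, str]:
    """Run the attacks from the slides against the receiver and collect verdicts."""
    key = secrets.token_bytes(32)
    alice, bob = Sender(key), Receiver(key)
    t0 = 1_700_000_000  # fixed clock so the run is reproducible
    m = alice.send("transfer 100 to acct 42", now=t0)
    out = {"first": bob.accept(m, now=t0 + 1)[1]}
    out["replay"] = bob.accept(m, now=t0 + 2)[1]                  # resent unchanged
    out["modified"] = bob.accept(dict(m, payload="transfer 900 to acct 42"),
                                 now=t0 + 3)[1]                   # content altered
    mallory = Sender(secrets.token_bytes(32))                     # no shared key
    out["masquerade"] = bob.accept(mallory.send("hi", now=t0), now=t0 + 4)[1]
    out["stale"] = bob.accept(alice.send("late", now=t0 - 3600), now=t0)[1]
    return out


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:10s} -> {verdict}")
```

Note what the MAC alone does not give you: confidentiality (the payload is sent in the clear) and non-repudiation (both parties hold the same key, so either could have produced the tag). Those need encryption and digital signatures respectively, which the later slides cover as separate services.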

Basic Security Services
• Non-Repudiation
– protection against denial by one of the
parties in a communication
– Origin non-repudiation
• proof that the message was sent by the
specified party
– Destination non-repudiation
• proof that the message was received by the
specified party

Attack Surface Categories
 Network attack surface
– Refers to vulnerabilities over an enterprise network,
wide-area network, or the Internet
• E.g. DoS, intruders exploiting network protocol vulnerabilities
 Software attack surface
– Refers to vulnerabilities in application, utility, or
operating system code
 Human attack surface
– Refers to vulnerabilities created by personnel or
outsiders
– E.g. social engineering, insider traitors
Attacks
• An attack is a deliberate act that exploits a
vulnerability
• It is carried out by a threat agent to damage or
steal an organization's information or physical assets
– An exploit is a technique to compromise a system
– A vulnerability is an identified weakness of a controlled
system whose controls are not present or are no longer
effective
– An attack is then the use of an exploit to achieve the
compromise of a controlled system

Malicious Code
• This kind of attack includes the
execution of viruses, worms, Trojan
horses, and active web scripts with
the intent to destroy or steal
information
• The state of the art in attacking
systems in 2002 was the multivector
worm, using up to six attack vectors
to exploit a variety of vulnerabilities
in commonly found information
system devices

Attack Descriptions
• IP Scan and Attack – A compromised system scans a
random or local range of IP addresses and targets any
of several vulnerabilities known to hackers or left
over from previous exploits
• Web Browsing – If the infected system has write
access to any Web pages, it makes all Web content
files infectious, so that users who browse to those
pages become infected
• Virus – Each infected machine infects certain
common executable or script files on all computers
to which it can write with virus code that can cause
infection

Attack Descriptions
• Unprotected Shares – using file shares to copy the viral
component to all reachable locations
• Mass Mail – sending e-mail infections to addresses found
in the address book
• Simple Network Management Protocol – SNMP
vulnerabilities used to compromise and infect
• Hoaxes – A more devious approach to attacking
computer systems is the transmission of a virus hoax
with a real virus attached

Attack Descriptions
• Back Doors – Using a known or previously unknown and
newly discovered access mechanism, an attacker can gain
access to a system or network resource
• Password Crack – Attempting to recover a password,
typically by hashing candidate guesses and comparing them
against the stored hash
• Brute Force – The application of computing and network
resources to try every possible combination of options for a
password
• Dictionary – The dictionary password attack narrows the field
by selecting specific accounts to attack and uses a list of
commonly used passwords (the dictionary) to guide guesses
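The following is an added example, written for this guide and not taken from the lecture or its sources. It runs the dictionary and brute-force attacks just described against a small constructed credential store, and shows why the way passwords are stored matters: unsalted SHA-256 hashes let one precomputed table crack every account at once, while a per-user salt and a deliberately slow hash (PBKDF2) force the attacker to pay the full cost for each guess on each account. The user names, passwords, wordlist and PBKDF2 iteration count are assumptions made for the demonstration.

```python
"""Added example (editor's code, not from the lecture): dictionary and
brute-force guessing against a small, constructed credential store, and
why per-user salts and a slow hash blunt them. The user names, passwords,
wordlist and the PBKDF2 iteration count are assumptions for the demo."""
import hashlib
import hmac
import itertools
import os
import string
import time

WORDLIST = ["123456", "password", "letmein", "qwerty", "welcome1", "Summer2023"]
PBKDF2_ITERS = 20_000  # kept low so the demo runs quickly; production uses far more


def sha256_unsalted(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


def pbkdf2_salted(pw: str, salt: bytes, iters: int = PBKDF2_ITERS) -> str:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iters).hex()


def make_store() -> dict:
    """A constructed 'stolen' password database using two storage schemes."""
    salt = os.urandom(16)
    return {
        "weak":   {"scheme": "sha256", "hash": sha256_unsalted("letmein")},
        "weak2":  {"scheme": "sha256", "hash": sha256_unsalted("letmein")},  # same hash: no salt
        "pin":    {"scheme": "sha256", "hash": sha256_unsalted("4271")},
        "strong": {"scheme": "pbkdf2", "salt": salt,
                   "hash": pbkdf2_salted("letmein", salt)},
    }


def verify(record: dict, guess: str) -> bool:
    if record["scheme"] == "sha256":
        h = sha256_unsalted(guess)
    else:
        h = pbkdf2_salted(guess, record["salt"])
    return hmac.compare_digest(h, record["hash"])


def dictionary_attack(record: dict, wordlist=WORDLIST):
    """Try a list of common passwords. Returns (password or None, guesses made)."""
    for n, word in enumerate(wordlist, 1):
        if verify(record, word):
            return word, n
    return None, len(wordlist)


def brute_force(record: dict, alphabet: str = string.digits, max_len: int = 4):
    """Try every string over `alphabet` up to `max_len`. Returns (password, guesses)."""
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guesses += 1
            if verify(record, "".join(combo)):
                return "".join(combo), guesses
    return None, guesses


def precomputed_lookup(store: dict, wordlist=WORDLIST) -> dict:
    """With unsalted hashes one table, computed once, cracks every account.
    The salted entry is skipped: its hash depends on a per-user salt, so no
    shared table can contain it."""
    table = {sha256_unsalted(w): w for w in wordlist}
    return {user: table.get(rec["hash"])
            for user, rec in store.items() if rec["scheme"] == "sha256"}


def cost_ratio(salt: bytes = b"\x00" * 16, guesses: int = 20) -> float:
    """How many times slower one PBKDF2 guess is than one plain SHA-256 guess."""
    t = time.perf_counter()
    for _ in range(guesses):
        sha256_unsalted("guess")
    fast = time.perf_counter() - t
    t = time.perf_counter()
    for _ in range(guesses):
        pbkdf2_salted("guess", salt)
    slow = time.perf_counter() - t
    return slow / max(fast, 1e-9)


def demo() -> dict:
    store = make_store()
    return {
        "dict_unsalted": dictionary_attack(store["weak"]),
        "dict_salted": dictionary_attack(store["strong"]),
        "brute_pin": brute_force(store["pin"]),
        "table": precomputed_lookup(store),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
    print("one PBKDF2 guess costs ~%.0fx a SHA-256 guess" % cost_ratio())
```

The dictionary finds "letmein" in three guesses against both stores; the defence is not that the salted hash resists the guess, but that each guess costs thousands of times more and the work cannot be shared across accounts. The four-digit PIN falls to exhaustive search in a few thousand guesses, which is why short numeric secrets are only acceptable with rate limiting or lockout in front of them.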

Attack Descriptions
• Denial-of-service (DoS) –
– attacker sends a large number of connection or information
requests to a target
– so many requests are made that the target system cannot
handle them successfully along with other, legitimate requests
for service
– may result in a system crash, or merely an inability to perform
ordinary functions
• Distributed Denial-of-service (DDoS) – an attack in which
a coordinated stream of requests is launched against a
target from many locations at the same time

Attack Descriptions
• Spoofing – technique used to gain unauthorized
access whereby the intruder sends messages to a
computer with an IP address indicating that the
message is coming from a trusted host
• Man-in-the-Middle – an attacker positions itself between two
communicating parties, sniffs packets from the network, modifies
them, and inserts them back into the network, so that each party
believes it is talking directly to the other
• Spam – unsolicited commercial e-mail; while many
consider spam a nuisance rather than an attack, it is
emerging as a vector for some attacks

Attack Descriptions
• Mail-bombing – another form of e-mail attack that is
also a DoS, in which an attacker routes large quantities
of e-mail to the target
• Sniffers – a program and/or device that can monitor data
traveling over a network. Sniffers can be used both for
legitimate network management functions and for
stealing information from a network
• Social Engineering – within the context of information
security, the process of using social skills to convince
people to reveal access credentials or other valuable
information to the attacker

Attack Descriptions
• Buffer Overflow –
– an application error that occurs when more data is written to a buffer
than it can hold
– when the buffer overflows, the attacker can make the target
system execute instructions, or the attacker can take advantage
of some other unintended consequence of the failure
– Usually the attacker fills the overflowing buffer with executable
program code to elevate the attacker's permission to that of an
administrator

Attack Descriptions
• Ping of Death Attacks –
– A type of DoS attack
– The attacker sends an ICMP echo request whose reassembled size
is larger than the maximum IP packet size of 65,535 bytes.
– The large packet is fragmented into smaller
packets and reassembled at its destination.
– The destination host cannot handle the
reassembled oversized packet, thereby
causing the system to crash or freeze.
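The following is an added example, written for this guide and not part of the lecture or its sources. It sketches the receiving side of the attack above: a fragment reassembler that refuses to build a datagram longer than the 65,535-byte IPv4 maximum, which is the condition a Ping of Death exploits in a host that simply trusts the fragment offsets. Fragments are represented as (offset in 8-byte units, more-fragments flag, payload); no real IP headers are parsed, a 20-byte header without options is assumed, and the sample fragments are constructed.

```python
"""Added example (editor's code, not from the lecture): a fragment
reassembler that refuses to build a datagram longer than the 65,535-byte
IP maximum, the condition a Ping of Death relies on. Fragments are
(offset in 8-byte units, more-fragments flag, payload); no real IP
headers are parsed and the sample values are constructed."""
MAX_IP_DATAGRAM = 65_535   # largest total length an IPv4 header can express
IP_HEADER_LEN = 20         # assumption: no IP options


class Reassembler:
    def __init__(self):
        # (source, identification) -> {"frags": {start_byte: payload}, "total": end or None}
        self.buffers = {}

    def add(self, src, ident, offset_units, more_fragments, payload):
        key = (src, ident)
        start = offset_units * 8
        end = start + len(payload)
        # Ping of Death check: the reassembled datagram would exceed what a
        # 16-bit total-length field can describe. Drop the whole datagram
        # instead of letting a fixed-size reassembly buffer overflow.
        if IP_HEADER_LEN + end > MAX_IP_DATAGRAM:
            self.buffers.pop(key, None)
            return "dropped: reassembled length %d exceeds %d" % (
                IP_HEADER_LEN + end, MAX_IP_DATAGRAM)
        buf = self.buffers.setdefault(key, {"frags": {}, "total": None})
        # Overlapping fragments are another classic reassembly abuse; refuse them.
        for s, p in buf["frags"].items():
            if start < s + len(p) and s < end:
                self.buffers.pop(key)
                return "dropped: overlapping fragment"
        buf["frags"][start] = payload
        if not more_fragments:
            buf["total"] = end          # the last fragment fixes the total size
        if buf["total"] is not None and self._contiguous(buf):
            data = b"".join(buf["frags"][s] for s in sorted(buf["frags"]))
            self.buffers.pop(key)
            return "reassembled %d bytes" % len(data)
        return "waiting"

    @staticmethod
    def _contiguous(buf):
        pos = 0
        for s in sorted(buf["frags"]):
            if s != pos:
                return False
            pos += len(buf["frags"][s])
        return pos == buf["total"]


def demo():
    r = Reassembler()
    return {
        # a normal 2960-byte echo request split into two MTU-sized pieces
        "normal_1": r.add("10.0.0.1", 1, 0, True, b"a" * 1480),
        "normal_2": r.add("10.0.0.1", 1, 185, False, b"b" * 1480),
        # last fragment placed near the end of the 64 KiB space, carrying extra data
        "ping_of_death": r.add("198.51.100.7", 2, 8189, False, b"x" * 100),
        # second fragment overlapping the first
        "overlap_1": r.add("10.0.0.3", 3, 0, True, b"c" * 16),
        "overlap_2": r.add("10.0.0.3", 3, 1, True, b"d" * 16),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:14s} -> {verdict}")
```

The check is deliberately done per fragment, before anything is copied: a receiver that waits for the last fragment and then sums the sizes has already written past the end of its buffer. Real stacks also cap how many incomplete datagrams they hold and how long they wait for missing pieces, since a flood of never-completed fragments is itself a DoS.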

Attack Descriptions
• "People are the weakest link. You can have
the best technology; firewalls, intrusion-detection
systems, biometric devices ... and
somebody can call an unsuspecting employee.
That's all she wrote, baby. They got
everything."
• "brick attack" – the best-configured firewall in
the world can't stand up to a well-placed brick

Attack Descriptions
• Timing Attack –
– relatively new (at the time of the source text)
– works by examining the contents of a web browser's cache
– can allow collection of information on access to password-protected
sites
– another attack by the same name measures how long cryptographic
operations take and uses the variations to infer secret keys

Department of Information Technology

Understanding Social Engineering

Social engineering is a process in which an attacker
attempts to acquire information about your network
and systems by social means, such as talking to people
in the organization. A social engineering attack may
occur over the phone, by e-mail, or in person. The
intent is to acquire access information, such as user IDs
and passwords.
Phishing

Phishing is a form of social engineering in which you
simply ask someone for a piece of information that you
are missing by making it look as if it is a legitimate
request. An e-mail might look as if it is from a bank
and contain some basic information, such as the user's
name. In the e-mail, it will often state that there is a
problem with the person's account or access privileges.
They will be told to click a link to correct the problem.
Phishing

The primary preventive measure in dealing with social
engineering attacks is to educate your users and staff
to never give out passwords and user IDs over the
phone or via e-mail, or to anyone who isn't positively
verified as being who they say they are.
Auditing Processes and Files

Most systems generate security logs and audit files of
activity. These files do absolutely no good if they aren't
periodically reviewed for unusual events.

Many web servers provide message auditing, as do
logon, system, and application servers.
Auditing Processes and Files

In an access attack, these files can be deleted,
modified, and scrambled to prevent system
administrators from knowing what happened in the
system.

A logic bomb could, for example, delete these files
when it completes.

Administrators might know that something happened,
but they would get no clues or assistance from the log
and audit files.
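The following is an added example, written for this guide and not part of the lecture or its sources. It covers both sides of the last two slides: the review step (scanning a logon log for a burst of failures followed by a success, the pattern of a password-guessing attack that worked) and the tampering problem (chaining each log record to the hash of the previous one, so that deleting or editing a line breaks every link after it). The log lines and their "timestamp user source result" format are constructed for the demonstration, not real system output, and the detection threshold is an assumption.

```python
"""Added example (editor's code, not from the lecture): reviewing a logon
log for unusual events and making the log tamper-evident with a hash
chain, so the deletion or editing described on this slide is detectable.
The log lines and their "timestamp user source result" format are
constructed for the demo, not real system output."""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a guessing burst from 203.0.113.9 that ends in a success.
SAMPLE_LOG = """\
2024-03-01T08:00:01 alice 10.0.0.5 SUCCESS
2024-03-01T08:00:14 bob 10.0.0.7 SUCCESS
2024-03-01T08:01:02 admin 203.0.113.9 FAILURE
2024-03-01T08:01:03 admin 203.0.113.9 FAILURE
2024-03-01T08:01:04 root 203.0.113.9 FAILURE
2024-03-01T08:01:05 admin 203.0.113.9 FAILURE
2024-03-01T08:01:06 admin 203.0.113.9 FAILURE
2024-03-01T08:01:09 admin 203.0.113.9 SUCCESS
2024-03-01T09:30:00 carol 10.0.0.9 FAILURE
"""


def parse(log_text: str):
    events = []
    for line in log_text.splitlines():
        ts, user, src, result = line.split()
        events.append((datetime.fromisoformat(ts), user, src, result))
    return events


def find_bruteforce(events, threshold: int = 4, window=timedelta(seconds=60)) -> dict:
    """Sources with at least `threshold` failures inside one `window`, and whether
    a success from the same source followed (guessing that worked, not just noise)."""
    by_src = defaultdict(list)
    for ts, _user, src, result in events:
        by_src[src].append((ts, result))
    findings = {}
    for src, evs in by_src.items():
        fails = [ts for ts, r in evs if r == "FAILURE"]
        for i, start in enumerate(fails):
            burst = [t for t in fails[i:] if t - start <= window]
            if len(burst) >= threshold:
                success_after = any(r == "SUCCESS" and t > burst[-1] for t, r in evs)
                findings[src] = {"failures": len(burst), "success_after": success_after}
                break
    return findings


GENESIS = b"\x00" * 32  # fixed starting digest for the chain


def chain(lines, prev: bytes = GENESIS):
    """Store with each line the SHA-256 of (previous digest || line). Deleting or
    editing any line changes every digest that follows it."""
    records = []
    for line in lines:
        prev = hashlib.sha256(prev + line.encode()).digest()
        records.append((line, prev.hex()))
    return records


def verify_chain(records, prev: bytes = GENESIS):
    """Index of the first record whose digest does not match, or None if intact."""
    for i, (line, digest) in enumerate(records):
        prev = hashlib.sha256(prev + line.encode()).digest()
        if prev.hex() != digest:
            return i
    return None


def demo() -> dict:
    events = parse(SAMPLE_LOG)
    records = chain(SAMPLE_LOG.splitlines())
    deleted = records[:3] + records[4:]                       # one failure removed
    edited = list(records)
    edited[5] = (edited[5][0].replace("FAILURE", "SUCCESS"), edited[5][1])  # one line altered
    return {
        "bruteforce": find_bruteforce(events),
        "intact": verify_chain(records),
        "deleted_breaks_at": verify_chain(deleted),
        "edited_breaks_at": verify_chain(edited),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two caveats a practitioner would add. The chain only proves tampering if the latest digest lives somewhere the attacker cannot reach (a remote log server, append-only or WORM storage); an attacker with write access to the host can otherwise rebuild the whole chain after editing. And against a logic bomb that deletes the file outright, the absence of the file is the only signal left on the host, which is the practical argument for forwarding logs off the machine as they are written rather than reviewing them in place.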
Thank You!!!
References:
1. Goodrich, M.T. and Tamassia, R. (2010). Introduction to Computer Security. Addison Wesley.

2. Dulaney, E. (2008). CompTIA Security+ Deluxe Study Guide: SY0-201. 4th Ed. Sybex Press.

3. Conklin, A. and White, G. (2010). Principles of Computer Security: CompTIA Security+ and Beyond. 3rd Ed. McGraw-Hill Company.
