Module:1

Introduction to Security
Security Service
– enhance security of data processing systems
and information transfers of an organization
– intended to counter security attacks
– using one or more security mechanisms
– often replicates functions normally associated
with physical documents
• which, for example, have signatures, dates; need
protection from disclosure, tampering, or
destruction; be notarized or witnessed; be
recorded or licensed
Security Services
• X.800:
“a service provided by a protocol layer of
communicating open systems, which ensures
adequate security of the systems or of data
transfers”

• RFC 2828:
“a processing or communication service
provided by a system to give a specific kind
of protection to system resources”
Security Properties
• Identification
• Authentication
• Authorization
• Confidentiality
• Integrity
• Availability
• Non-repudiation
[Figure: each security service, the attack it counters, and the question it answers]
• Confidentiality: Interception (Is Private?)
• Authentication: Forgery (Who am I dealing with?)
• Availability: Denial of Service (Wish to access!!)
• Integrity: Modification (Has been altered?)
• Non-Repudiation: Claim, "Not SENT !" (Who sent/received it?)
• Access Control: Unauthorized access (Have you privilege?)

VULNERABILITIES
• Vulnerability is a weakness in an information
system, system security procedures, internal
controls, or implementation that could be exploited
or triggered by a threat source.

• ‘Threat agent or actor’
– It refers to the intent and method targeted at the
intentional exploitation of the vulnerability or a situation
and method that may accidentally trigger the vulnerability.
• ‘Threat vector’
– is a path or a tool that a threat actor uses to attack the target.

• ‘Threat targets’
– are anything of value to the threat actor such as PC, laptop, PDA,
tablet, mobile phone, online bank account or identity.
THREAT AGENTS CLASSIFICATION

• Corporations:

– Partners and competitors come under this category.

• Unintentional human error:

– accidents, carelessness etc.

• Intentional human error:

– insider, outsider etc.

• Natural:

– Flood, fire, lightning, meteor, earthquakes etc.


Security Vulnerability Types
1. Network Vulnerabilities
2. Operating System Vulnerabilities
3. Human Vulnerabilities
4. Process Vulnerabilities
1. Network Vulnerabilities. 
– These are issues with a network’s hardware
or software that expose it to possible
intrusion by an outside party. Examples
include insecure Wi-Fi access points and
poorly-configured firewalls.
2. Operating System Vulnerabilities.
– These are vulnerabilities within a particular
operating system that hackers may exploit
to gain access to an asset the OS is installed
on—or to cause damage.
– Examples include default superuser
accounts that may exist in some OS installs
and hidden backdoor programs.
3. Human Vulnerabilities. 
– The weakest link in many cybersecurity
architectures is the human element.
– User errors can easily expose sensitive data,
create exploitable access points for attackers, or
disrupt systems.

4. Process Vulnerabilities
– Some vulnerabilities can be created by specific
process controls (or a lack thereof). One example
would be the use of weak passwords (which may
also fall under human vulnerabilities).
