
Security Incident Response


Incident Response
● an organized approach to addressing and managing the aftermath of a
security breach or cyberattack (the event itself is also called an IT
incident, computer incident or security incident)
● the goal is to handle the situation in a way that limits damage and reduces
recovery time and costs
● is about making and having a flight plan before it is necessary
● it is an overall business function that helps ensure an organization can make
quick decisions with reliable information (rather than an IT-centric
process)

Computer Security Incident Response Team (CSIRT)


● conducts incident response activities
● a group that has been previously selected to include information security
and general IT staff
● may also include representatives from the legal, human resources and
public relations departments
● follows the organization's incident response plan (IRP)
○ Set of written instructions that outline the organization's response to
network events, security incidents and confirmed breaches.

Any incident not properly contained can escalate into a bigger problem that leads to
a damaging data breach, large expense or system collapse.
Responding to an incident quickly helps an organization minimize losses,
mitigate exploited vulnerabilities, restore services/processes and reduce the risk that
future incidents pose.

Incident Response Plan


● set of instructions an incident response team follows when an event occurs
● it should include procedures to detect, respond to and limit the effects of a
security incident

6-step Incident Response Plan


According to the SANS Institute
1. Preparation. Preparing users and IT staff to handle potential incidents,
should they arise (plan, tooling, contact lists, training).
2. Identification. Determining whether an event qualifies as a security
incident, and establishing its scope and severity.
3. Containment. Limiting the damage of the incident and isolating affected
systems to prevent further damage.
4. Eradication. Finding the root cause of the incident and removing it (malware,
attacker-created accounts, the exploited weakness); affected systems stay out
of the production environment until they are known to be clean.
5. Recovery. Ensuring no threat remains and permitting affected systems back
into the production environment, with monitoring for recurrence.
6. Lessons learned. Completing incident documentation, performing analysis
to learn from the incident and potentially improving future response
efforts.

Security Management Model


Access Control Models
● The value of information comes from the characteristics it possesses
○ Confidentiality
○ Integrity
○ Availability
Expanded to Include
● Identification
○ An information system possesses this characteristic when it is able to
recognize individual users
○ Identification and authentication are essential to establishing the
level of access/authorization that an individual is granted
● Authentication
○ Occurs when a control proves that a user possesses the identity that
he/she claims
● Authorization
○ Assures that the user has been specifically and explicitly authorized
by the proper authority to access, update, or delete the contents of an
information asset
● Privacy
● Accountability

Categories of Access Control


1. Preventative
○ Stop an incident before it occurs (e.g., firewall rules, file permissions)
2. Deterrent
○ Discourage an attacker from attempting an incident (e.g., warning banners, visible monitoring)
3. Detective
○ Detect and identify an incident, during or after the fact (e.g., log review, intrusion detection)
4. Corrective
○ Mitigate damage done and fix the failed control (e.g., patching, malware removal)
5. Recovery
○ Restore operations (e.g., backups, failover)
6. Compensating
○ Resolve shortcomings: an alternative control used where the primary control cannot be implemented

Types of Controls (another approach)


● Technical
● Operational (Physical)
● Management (Administrative)
How Information Systems Authenticate Users
● Request user ID and password
○ Hash password
○ Retrieve stored user ID and hashed password
○ Compare
● Make a function call to a network based authentication service

How a System Stores User IDs and Passwords


● Stored in a database table
○ Application database or authentication database
○ User ID stored in plaintext
○ Password stored as a salted hash computed with a deliberately slow function,
not encrypted: reversible encryption means anyone who obtains the key recovers
every password, whereas a hash forces the attacker to guess each one
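The three verification steps above (hash the presented password, retrieve the stored record, compare) as an added example; this is not code from the notes. It assumes PBKDF2-HMAC-SHA256 with a per-user random salt as the slow hash, a constant-time comparison so the check does not leak how many bytes matched, and an in-memory dictionary standing in for the authentication database. The user "alice" and her password are constructed for the demo.

```python
from __future__ import annotations
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumption: iteration count chosen to make each guess cost real CPU time
# (OWASP's published figure for PBKDF2-HMAC-SHA256 at time of writing).
PBKDF2_ITERATIONS = 600_000

@dataclass
class StoredCredential:
    user_id: str       # stored in plaintext, as the notes say
    salt: bytes        # random, per user; defeats precomputed hash tables
    pw_hash: bytes     # the only thing stored about the password
    iterations: int    # stored so the cost can be raised later without breaking old records

def hash_password(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)

def enroll(db: dict[str, StoredCredential], user_id: str, password: str) -> None:
    salt = os.urandom(16)
    db[user_id] = StoredCredential(user_id, salt, hash_password(password, salt), PBKDF2_ITERATIONS)

def authenticate(db: dict[str, StoredCredential], user_id: str, password: str) -> bool:
    """Hash the presented password, retrieve the stored record, compare."""
    record = db.get(user_id)
    if record is None:
        # Do the same amount of work for an unknown user so that response time
        # does not reveal which user IDs exist.
        hash_password(password, b"\x00" * 16)
        return False
    candidate = hash_password(password, record.salt, record.iterations)
    # Constant-time comparison: a plain == returns early on the first differing byte.
    return hmac.compare_digest(candidate, record.pw_hash)

def build_demo_db() -> dict[str, StoredCredential]:
    """Constructed authentication database with one enrolled user."""
    db: dict[str, StoredCredential] = {}
    enroll(db, "alice", "correct horse battery staple")
    return db

if __name__ == "__main__":
    db = build_demo_db()
    print("alice / right password:", authenticate(db, "alice", "correct horse battery staple"))
    print("alice / wrong password:", authenticate(db, "alice", "Correct horse battery staple"))
    print("unknown user:", authenticate(db, "bob", "anything"))
```

The stored hash for the same password differs between two enrolments because the salt differs, which is the property that stops an attacker from cracking the whole table with one dictionary pass.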

● Strong Authentication
○ Traditional user ID + password authentication has known weaknesses
○ Stronger types of authentication are available (strong authentication)

1. Two Factor Authentication


○ First factor - what the user knows (password, PIN)
○ Second factor - what the user has (hardware token, smart card, phone)
2. Biometric Authentication
○ What the user is (fingerprint, iris, voice)
○ Stronger than user ID + password alone
○ Not automatically stronger than two-factor: a biometric on its own is still
a single factor, and unlike a password it cannot be changed once it has been
copied, so it is best used as one factor of two

● Authentication Issues
○ Password quality
○ Consistency of user credentials across multiple environments
○ Too many user IDs and passwords
○ Handling password resets
○ Dealing with compromised passwords
○ Staff terminations

● Degree of Authority
○ Mandatory Access Controls (MAC) Security Model
■ Data classification scheme/model
■ Data owners classify information assets
■ Classifications are reviewed periodically
■ Collections of information and users are rated with sensitivity levels
■ Users and data owners have limited control over access: the system enforces the policy
■ Security clearance structure
■ Each user is assigned an authorization level (clearance)
■ Roles and corresponding security clearances
○ Discretionary Access Controls (DAC) Security Model
■ The owner of an object controls who and what may access it
■ Access is at the owner's discretion
■ Most personal computer operating systems are designed
based on the DAC model (file permissions and ACLs)
○ Role Based Access Controls (RBAC) Security Model
■ Non-discretionary control: users cannot hand out rights themselves
■ An improvement over the MAC security model in manageability: rights are
granted to roles rather than to individual users
■ Role-based controls: permissions attach to roles, users are assigned roles
■ Task-based controls: permissions follow the task being performed
■ Simplifies management in a complex system with many users
and objects
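The DAC and RBAC models side by side, as an added example rather than code from the notes. The document store, users, roles and the small role hierarchy (a payroll clerk inherits everything an employee may do) are constructed for the demo; the point is that in DAC the object's owner grants rights, while in RBAC only the administrator who edits the role tables can, and users inherit rights through roles.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class DacObject:
    """DAC: the object's owner alone decides who may access it."""
    name: str
    owner: str
    acl: dict[str, set[str]] = field(default_factory=dict)   # subject -> permissions

    def grant(self, granter: str, subject: str, perm: str) -> None:
        if granter != self.owner:
            raise PermissionError(f"{granter} is not the owner of {self.name}")
        self.acl.setdefault(subject, set()).add(perm)

    def allows(self, subject: str, perm: str) -> bool:
        return subject == self.owner or perm in self.acl.get(subject, set())


class Rbac:
    """RBAC: permissions attach to roles, users get roles, and senior roles
    inherit the permissions of the junior roles beneath them."""
    def __init__(self) -> None:
        self.role_perms: dict[str, set[tuple[str, str]]] = {}   # role -> {(perm, object)}
        self.inherits: dict[str, set[str]] = {}                  # senior role -> junior roles
        self.user_roles: dict[str, set[str]] = {}

    def add_permission(self, role: str, perm: str, obj: str) -> None:
        self.role_perms.setdefault(role, set()).add((perm, obj))

    def add_inheritance(self, senior: str, junior: str) -> None:
        self.inherits.setdefault(senior, set()).add(junior)

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def effective_roles(self, user: str) -> set[str]:
        # Walk the hierarchy transitively; `seen` also guards against a cycle.
        todo, seen = list(self.user_roles.get(user, ())), set()
        while todo:
            role = todo.pop()
            if role in seen:
                continue
            seen.add(role)
            todo.extend(self.inherits.get(role, ()))
        return seen

    def allows(self, user: str, perm: str, obj: str) -> bool:
        # Non-discretionary: a user has no method here to widen their own access.
        return any((perm, obj) in self.role_perms.get(r, set())
                   for r in self.effective_roles(user))


def build_demo() -> tuple[DacObject, Rbac]:
    """Constructed scenario: one DAC-protected document and one RBAC policy."""
    report = DacObject("q3-report", owner="alice")
    report.grant("alice", "bob", "read")                # owner's discretion

    rbac = Rbac()
    rbac.add_permission("employee", "read", "handbook")
    rbac.add_permission("payroll-clerk", "update", "salary-table")
    rbac.add_inheritance("payroll-clerk", "employee")   # a clerk is also an employee
    rbac.assign("carol", "payroll-clerk")
    rbac.assign("dave", "employee")
    return report, rbac

if __name__ == "__main__":
    report, rbac = build_demo()
    print("bob reads report:", report.allows("bob", "read"))
    print("carol updates salary-table:", rbac.allows("carol", "update", "salary-table"))
    print("dave updates salary-table:", rbac.allows("dave", "update", "salary-table"))
```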

● Testing Access Controls


- access controls are the primary defense that protects assets
1. Penetration Tests
■ Begin with automated scans to discover vulnerabilities, followed by manual
attempts to exploit what the scans found
■ E.g. Nessus, Nikto, SAINT, SuperScan, Retina, ISS, Microsoft
Baseline Security Analyzer
2. Application Vulnerability Test
■ Discover vulnerabilities in an application
■ Automated tools and manual testing
■ E.g. of vulnerabilities
■ Cross-site scripting
■ Injection flaws
■ Malicious file execution
■ Broken authentication
■ Broken session management
■ Information leakage
■ Insecure use of encryption
3. Code Reviews
4. Audit Log Analysis
■ Regular examination of audit and event logs
■ Detect unwanted events (repeated failed log-ins, privilege changes, access at unusual times)
■ Audit log protection: logs must be tamper-resistant (forwarded to a separate
log server, append-only, access restricted), or an intruder simply deletes the evidence
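Audit log analysis in practice, as an added example that is not part of the notes: two detection rules run over a constructed sample of sshd-style authentication log lines (the hosts, users and addresses are made up). The first rule flags a source address with too many failed log-ins inside a sliding time window (credential guessing); the second flags a successful log-in that follows a run of failures from the same address, which is the case a plain failure count misses. The log format and the thresholds are assumptions for the demo.

```python
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from a real host).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z sshd[411]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
2024-03-01T10:00:03Z sshd[412]: Failed password for root from 203.0.113.7 port 50123 ssh2
2024-03-01T10:00:05Z sshd[413]: Failed password for root from 203.0.113.7 port 50124 ssh2
2024-03-01T10:00:09Z sshd[414]: Failed password for alice from 203.0.113.7 port 50125 ssh2
2024-03-01T10:00:12Z sshd[415]: Failed password for alice from 203.0.113.7 port 50126 ssh2
2024-03-01T10:00:20Z sshd[416]: Accepted password for alice from 203.0.113.7 port 50127 ssh2
2024-03-01T10:01:00Z sshd[417]: Failed password for bob from 198.51.100.9 port 41000 ssh2
2024-03-01T10:05:00Z sshd[418]: Accepted publickey for carol from 192.0.2.5 port 42000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(log_text: str) -> list[dict]:
    """Turn raw lines into events sorted by time; unparsed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # real tooling should count these: a parser gap hides events
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "ip": m["ip"],
        })
    return sorted(events, key=lambda e: e["ts"])

def find_brute_force(events: list[dict], threshold: int = 5,
                     window: timedelta = timedelta(minutes=2)) -> list[dict]:
    """Source addresses with >= threshold failures inside any `window`-long span."""
    failures: dict[str, list[datetime]] = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["ip"]].append(e["ts"])
    alerts = []
    for ip, times in failures.items():
        j, best = 0, 0
        for i in range(len(times)):            # two-pointer sliding window
            while times[i] - times[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            alerts.append({"ip": ip, "failures": best, "first": times[0], "last": times[-1]})
    return alerts

def find_success_after_failures(events: list[dict], min_failures: int = 3) -> list[dict]:
    """A success preceded by a run of failures from the same address: likely a guessed password."""
    run: dict[str, int] = defaultdict(int)
    alerts = []
    for e in events:
        if e["ok"]:
            if run[e["ip"]] >= min_failures:
                alerts.append({"ip": e["ip"], "user": e["user"],
                               "prior_failures": run[e["ip"]], "ts": e["ts"]})
            run[e["ip"]] = 0
        else:
            run[e["ip"]] += 1
    return alerts

def analyze(log_text: str, threshold: int = 5,
            window: timedelta = timedelta(minutes=2)) -> dict:
    events = parse(log_text)
    return {"brute_force": find_brute_force(events, threshold, window),
            "success_after_failures": find_success_after_failures(events)}

if __name__ == "__main__":
    for kind, alerts in analyze(SAMPLE_LOG).items():
        for a in alerts:
            print(kind, a)
```

In the sample, 203.0.113.7 trips both rules: five failures in eleven seconds, then an accepted password for alice. The single failure from 198.51.100.9 trips neither, which is the false-positive case a threshold exists to suppress.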

● Access Control Attacks


- intruders will try to defeat, bypass, or trick access controls in order to
reach their target
- attack objectives:
○ Guess credentials
○ Malfunction of access controls
○ Bypass access controls
○ Replay known good log-ins
○ Trick people into giving up credentials

1. Buffer Overflow
○ Causes a malfunction in a way that permits illicit access
○ Sends more data than the application was designed to handle properly
○ Countermeasures:
■ Safe coding that checks the length of input data against the buffer that receives it
■ Filtering input data to remove unsafe characters
■ Platform protections (stack canaries, non-executable memory, address space
layout randomization) that make a remaining overflow harder to exploit
2. Script Injection
○ Insertion of scripting-language characters into application input fields
○ Executes script on the server side (e.g., SQL or command injection)
○ Executes script on the client side (cross-site scripting) -- tricks the user or browser
○ Countermeasures:
■ Stripping "unsafe" characters from input is the weakest option (a blacklist
is bypassed); encode output for the context it lands in and use
parameterized queries/APIs so data is never parsed as code
3. Data Remanence
○ Data that remains after it has been "deleted"
○ Deleted hard drive files, erased files, discarded/lost media: USB keys,
backup tapes, CDs
○ Countermeasures:
■ Improve physical controls over media (post-WikiLeaks controls)
■ Overwrite, degauss or physically destroy media before disposal; encrypt
media so that any remanent data is unreadable
4. Denial of Service (DoS)
○ Actions that cause the target system to fail, thereby denying service to
legitimate users
○ Distributed Denial of Service (DDoS): the same, launched from many sources at once
○ Countermeasures:
■ Input filters
■ Patches
■ High capacity and upstream traffic scrubbing
5. Eavesdropping
○ Interception of data transmissions
○ Countermeasures:
■ Encryption of data in transit
■ Stronger encryption where the existing scheme is weak
6. Spoofing and Masquerading
○ Specially crafted network packets that contain a forged address of
origin
○ Countermeasures:
■ Router/firewall configuration to drop forged packets (ingress/egress filtering)
■ Judicious use of e-mail for signalling or data transfer
7. Social Engineering
○ Tricking people into giving out sensitive information by making them
think they are helping someone
○ Countermeasures:
■ Security awareness training
8. Phishing
○ Incoming, fraudulent e-mail messages designed to give the
appearance of originating from a legitimate institution
○ Tricks the user into providing sensitive data via a forged web site or return
e-mail
○ Countermeasures:
■ Security awareness training
9. Pharming
○ Redirection of traffic to a forged website (typically by corrupting DNS
answers or the local hosts file)
○ Countermeasures:
■ User awareness training
■ Patches
■ DNS and certificate-validation controls (DNSSEC, HTTPS with certificate checks)
10. Malicious Code
○ Viruses, worms, trojan horses, spyware, key loggers
○ Harvest data or cause system malfunction
○ Countermeasures:
■ Anti-virus
■ Anti-spyware
■ Security awareness training
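Why the script-injection countermeasure "strip unsafe characters" is not enough, shown as an added example (not code from the notes) on a generic client-side injection: a page that echoes a user-supplied name into HTML. Three renderers are compared: unprotected, a blacklist that strips literal `<script>` tags, and output encoding with the standard library's `html.escape`. The two bypass inputs are the textbook nested-tag trick and an event-handler attribute that contains no script tag at all; both are constructed for the demo, and the `has_active_content` check is a deliberately rough detector used only to make the result assertable.

```python
from __future__ import annotations
import html
import re

# The countermeasure as literally stated in the notes: remove the "unsafe" token.
SCRIPT_TAG = re.compile(r"<script>", re.IGNORECASE)

def strip_unsafe(value: str) -> str:
    return SCRIPT_TAG.sub("", value)

def render_unprotected(name: str) -> str:
    """Vulnerable: input is placed straight into HTML text."""
    return f"<p>Hello, {name}</p>"

def render_stripped(name: str) -> str:
    """Blacklist: removes literal <script> tags once, nothing else."""
    return render_unprotected(strip_unsafe(name))

def render_escaped(name: str) -> str:
    """Hardened: encode for the HTML text context, so markup cannot be introduced."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"

def has_active_content(rendered: str) -> bool:
    """Rough detector for the demo: a real <script> tag, or a tag carrying an on* handler."""
    return bool(re.search(r"<script\b|<\w+[^>]*\son\w+\s*=", rendered, re.IGNORECASE))

def run_demo() -> dict[str, bool]:
    # Stripping the inner <script> re-assembles the outer one.
    nested = "<scr<script>ipt>alert(1)</script>"
    # No <script> tag at all, so the blacklist never fires.
    handler = '<img src=x onerror="alert(1)">'
    return {
        "unprotected_nested": has_active_content(render_unprotected(nested)),
        "stripped_nested": has_active_content(render_stripped(nested)),
        "stripped_handler": has_active_content(render_stripped(handler)),
        "escaped_nested": has_active_content(render_escaped(nested)),
        "escaped_handler": has_active_content(render_escaped(handler)),
    }

if __name__ == "__main__":
    for case, active in run_demo().items():
        print(f"{case:20s} script survives: {active}")
```

Encoding is context-specific: `html.escape` is right for HTML text and attribute values, but data placed inside a JavaScript string, a URL or a SQL statement needs that context's encoding or, better, an API that never treats it as code.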

● Security Architecture Models


- help organizations quickly make improvements through adaptation
- can focus on:
○ Computer hardware or software
○ Policies and practices
○ The confidentiality of information
○ The integrity of the information

1. Bell-LaPadula Confidentiality Model


○ A state machine model that helps ensure the confidentiality of an
information system
○ Uses mandatory access controls (MACs), data classification and
security clearances
○ Simple security property: no read up (a subject cannot read an object at a
higher classification); *-property: no write down (a subject cannot write to
an object at a lower classification, which would leak what it has read)
2. Biba Integrity Model
○ Provides access controls to ensure that objects or subjects cannot
lose integrity as a result of read/write operations
○ Ensures no information from a subject can be passed on to an object
at a higher integrity level (no write up), and that a subject cannot read an
object at a lower integrity level (no read down)
○ This prevents contaminating data of higher integrity with data of
lower integrity
3. Clark-Wilson Integrity Model
○ Built upon principles of change control rather than integrity levels
○ Its change control principles
■ No changes by unauthorized subjects
■ No unauthorized changes by authorized subjects
■ The maintenance of internal and external consistency
4. Graham-Denning Access Control Model
○ Composed of three parts:
■ Set of objects
■ Set of subjects
■ Set of rights
○ Primitive protection rights
■ Create or delete object, create or delete subject
■ Read, grant, transfer and delete access rights
5. Harrison-Ruzzo-Ullman Model
○ Defines a method to allow changes to access rights and the addition
and removal of subjects and objects (since systems change over time,
their protection states need to change)
○ Built on an access control matrix
○ Includes a set of generic rights and a specific set of commands
6. Brewer-Nash Model
○ Designed to prevent a conflict of interest between two parties (the "Chinese wall")
○ Once a user accesses one of two conflicting sets of data, they can no
longer access the conflicting data
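The Bell-LaPadula, Biba and Brewer-Nash rules carried through in code, as an added example that is not from the notes. Labels are a level from a constructed linear ordering plus a set of compartments, and "dominates" is the lattice comparison both models rely on; Biba reuses the same label type with the levels read as integrity levels. The Brewer-Nash class keeps per-subject history, which is what makes it a state machine rather than a static rule. The analyst, documents and conflict classes are made up for the demo.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

# Constructed ordering of sensitivity (or integrity) levels.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: Label) -> bool:
        """self >= other in the lattice: higher-or-equal level and a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


class BellLaPadula:
    """Confidentiality. Simple security property: no read up. *-property: no write down."""
    @staticmethod
    def can_read(subject: Label, obj: Label) -> bool:
        return subject.dominates(obj)

    @staticmethod
    def can_write(subject: Label, obj: Label) -> bool:
        return obj.dominates(subject)


class Biba:
    """Integrity, the dual of Bell-LaPadula. Simple integrity: no read down. *-integrity: no write up."""
    @staticmethod
    def can_read(subject: Label, obj: Label) -> bool:
        return obj.dominates(subject)

    @staticmethod
    def can_write(subject: Label, obj: Label) -> bool:
        return subject.dominates(obj)


class BrewerNash:
    """Chinese wall: datasets belong to conflict-of-interest classes; once a subject
    has touched one dataset in a class, the other datasets in that class are closed."""
    def __init__(self, conflict_class: dict[str, str]) -> None:
        self.conflict_class = conflict_class                  # dataset -> class
        self.history: dict[str, set[str]] = defaultdict(set)  # subject -> datasets used

    def can_access(self, subject: str, dataset: str) -> bool:
        cls = self.conflict_class[dataset]
        return all(d == dataset or self.conflict_class[d] != cls
                   for d in self.history[subject])

    def access(self, subject: str, dataset: str) -> bool:
        if not self.can_access(subject, dataset):
            return False
        self.history[subject].add(dataset)                    # the state transition
        return True


def run_demo() -> dict[str, bool]:
    analyst = Label("SECRET", frozenset({"NUCLEAR"}))
    memo = Label("CONFIDENTIAL")
    war_plan = Label("TOP_SECRET", frozenset({"NUCLEAR"}))
    r = {
        "blp_read_memo": BellLaPadula.can_read(analyst, memo),        # read down: allowed
        "blp_write_memo": BellLaPadula.can_write(analyst, memo),      # write down: denied
        "blp_read_plan": BellLaPadula.can_read(analyst, war_plan),    # read up: denied
        "blp_write_plan": BellLaPadula.can_write(analyst, war_plan),  # write up: allowed
    }
    trusted_proc = Label("SECRET")         # levels read as integrity here
    web_input = Label("UNCLASSIFIED")
    r["biba_read_low"] = Biba.can_read(trusted_proc, web_input)       # no read down: denied
    r["biba_write_low"] = Biba.can_write(trusted_proc, web_input)     # write down: allowed
    wall = BrewerNash({"BankA": "banks", "BankB": "banks", "OilCo": "oil"})
    r["wall_first"] = wall.access("consultant", "BankA")
    r["wall_conflict"] = wall.access("consultant", "BankB")           # same class: denied
    r["wall_other_class"] = wall.access("consultant", "OilCo")
    r["wall_repeat"] = wall.access("consultant", "BankA")             # same dataset again: allowed
    return r

if __name__ == "__main__":
    for name, allowed in run_demo().items():
        print(f"{name:18s} {'allowed' if allowed else 'denied'}")
```

Note that Bell-LaPadula lets the analyst write into the TOP_SECRET plan she cannot read: the model protects confidentiality only, which is exactly the gap Biba and Clark-Wilson address.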

Network
● Consist of two or more devices that are linked in order to share resources
or allow communications
e.g.
1. Computer Networks
2. Phone Networks
3. Satellite Network

Security
● Act of protecting a person, property or organization from an attack

Cryptography
● The science of secret or hidden writing
● The process of converting a message into a secret code (cipher text) and
changing the encoded message back to regular text (plain text)
● Two main components:
○ Encryption
- practice of hiding messages so that they cannot be read by anyone
other than the intended recipient
- conversion of the original message (plain text) into a secret code or cipher text
using a key
○ Decryption
- conversion of the cipher text back to the original
message using the corresponding key (the same key in a symmetric system)
● Authentication & Integrity - ensuring that users of data/resources are the
persons they claim to be and that a message has not been surreptitiously
altered

Cipher
● Method for encrypting messages
● Encryption algorithms are standardized and published; the security must rest
in the key, not in the secrecy of the algorithm (Kerckhoffs's principle)
● The key, which is an input to the algorithm, is the secret
○ Key - string of bits, often written as numbers or characters
○ Symmetric - the same key is used for encryption and decryption
○ Asymmetric - different keys are used for encryption and decryption

Symmetric Algorithms
● Types
1. Block Ciphers - encrypt data one block at a time (64 or 128 bits)
- used for a single message or for stored data
2. Stream Ciphers - encrypt data one bit/byte at a time
- used if data is a constant stream of information
● Key Strengths
1. Strength against brute force is determined by the size of the key
(assuming the algorithm itself has no shortcut attacks)
■ The longer the key, the more difficult it is to crack
2. Key length is expressed in bits
■ Older designs accepted key sizes from roughly 40 up to 448 bits
(Blowfish); current ciphers such as AES use 128, 192 or 256 bits
3. Key space - set of possible keys for a cipher
■ 40-bit key (2^40, about 1.1 trillion keys: exhaustible on commodity hardware)
■ 128-bit key (2^128, about 3.4 x 10^38 keys: infeasible to brute-force)
■ Each additional bit added to the key length doubles the key space,
and so doubles the brute-force work
4. To crack the key the attacker has to use brute force
■ Try all the possible keys until a key that works is found (on average,
half the key space)

Substitution Ciphers
1. Caesar Cipher
○ Method in which each letter in the alphabet is rotated by three
letters (the shift is the key; any shift from 1 to 25 works the same way)
2. Monoalphabetic Cipher
○ Any letter can be substituted for any other letter
○ Each letter has to have a unique substitute
○ Brute force approach would be time consuming (26! possible alphabets)
○ Statistical analysis of letter frequencies makes it feasible to crack the key
3. Polyalphabetic Cipher
○ Developed by Blaise de Vigenère, a.k.a. the "Vigenère Cipher"
○ Uses a sequence of monoalphabetic ciphers in tandem, selected by the
letters of a keyword
4. Using a key to shift the alphabet
○ Obtain a key for the algorithm and then build the cipher alphabet from it
e.g.
Key - word (4 letters)
*shift all the letters by four and remove the letters w, o, r, d from the
encryption alphabet
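The substitution ciphers above, plus the statistical attack the monoalphabetic section mentions, as an added example rather than code from the notes: a Caesar shift, a keyed monoalphabetic cipher, the Vigenère cipher, and a frequency-analysis break of the Caesar cipher using a chi-squared distance to English letter frequencies. The keyed alphabet is built the common way (the keyword's letters first, then the rest of the alphabet); that this is what the notes' "word" example intends is an assumption. The plaintexts used are constructed.

```python
from __future__ import annotations
import string

ALPHABET = string.ascii_uppercase

# Approximate English letter frequencies in percent (standard published table).
ENGLISH_FREQ = {
    "A": 8.17, "B": 1.49, "C": 2.78, "D": 4.25, "E": 12.70, "F": 2.23, "G": 2.02,
    "H": 6.09, "I": 6.97, "J": 0.15, "K": 0.77, "L": 4.03, "M": 2.41, "N": 6.75,
    "O": 7.51, "P": 1.93, "Q": 0.10, "R": 5.99, "S": 6.33, "T": 9.06, "U": 2.76,
    "V": 0.98, "W": 2.36, "X": 0.15, "Y": 1.97, "Z": 0.07,
}

def _shift_char(c: str, k: int) -> str:
    return ALPHABET[(ALPHABET.index(c) + k) % 26]

def caesar(text: str, shift: int, decrypt: bool = False) -> str:
    """Rotate every letter by `shift` (3 for the classic Caesar); non-letters pass through."""
    k = -shift if decrypt else shift
    return "".join(_shift_char(c, k) if c in ALPHABET else c for c in text.upper())

def keyword_alphabet(key: str) -> str:
    """Cipher alphabet: the key's letters first (duplicates dropped), then the remaining letters."""
    seen: list[str] = []
    for c in key.upper() + ALPHABET:
        if c in ALPHABET and c not in seen:
            seen.append(c)
    return "".join(seen)

def monoalphabetic(text: str, key: str, decrypt: bool = False) -> str:
    """Keyed monoalphabetic substitution: one fixed mapping for the whole message."""
    cipher_alpha = keyword_alphabet(key)
    src, dst = (cipher_alpha, ALPHABET) if decrypt else (ALPHABET, cipher_alpha)
    return text.upper().translate(str.maketrans(src, dst))

def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Polyalphabetic: the i-th letter is Caesar-shifted by key[i mod len(key)]."""
    shifts = [ALPHABET.index(c) for c in key.upper()]
    out, i = [], 0
    for c in text.upper():
        if c in ALPHABET:
            k = shifts[i % len(shifts)]
            out.append(_shift_char(c, -k if decrypt else k))
            i += 1
        else:
            out.append(c)
    return "".join(out)

def chi_squared(text: str) -> float:
    """Distance between the text's letter counts and English; lower is more English-like."""
    letters = [c for c in text.upper() if c in ALPHABET]
    n = len(letters)
    total = 0.0
    for c in ALPHABET:
        expected = ENGLISH_FREQ[c] * n / 100
        total += (letters.count(c) - expected) ** 2 / expected
    return total

def break_caesar(ciphertext: str) -> int:
    """Statistical attack: return the shift whose decryption looks most like English."""
    return min(range(26), key=lambda s: chi_squared(caesar(ciphertext, s, decrypt=True)))

if __name__ == "__main__":
    msg = "IT WAS THE BEST OF TIMES IT WAS THE WORST OF TIMES"
    ct = caesar(msg, 7)
    print(ct)
    print("recovered shift:", break_caesar(ct))
    print(vigenere("ATTACK AT DAWN", "LEMON"))
```

The same frequency attack does not work directly on Vigenère, because each keyword letter selects a different Caesar alphabet; the classic approach is to find the key length first and then run this attack on each column separately.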

Shannon's Characteristics of Good ciphers


● the amount of secrecy needed should determine the amount of labor
appropriate for encryption and decryption
● the set of keys and the enciphering algorithm should be free from complexity
● implementations should be as simple as possible
● errors in ciphering should not propagate and cause corruption in the rest of the
message
● the size of the enciphered text should be no larger than the text of the
original message

Encryption Systems
● Properties of Trustworthy Systems
1. It is based on sound mathematics - good cryptographic algorithms
are derived from solid principles
2. It has been analyzed by competent experts and found to be sound - it is
hard for the designers themselves to envisage all possible attacks
3. It has stood the "test of time" - review covers both the mathematical
foundations of an algorithm and the way it builds upon those
foundations

Authentication: Basics
● Authentication - process of validating the identity of a user or the integrity
of a piece of data
● Three (3) technologies that provide authentication
○ Message Digests / Message Authentication Codes
○ Digital Signatures
○ Public Key Infrastructure
● Two (2) types of user authentication
○ Identity presented by a remote user or application participating in a
session
○ Sender's identity presented along with a message

Authentication: Message Digest


Message Digest
● a fingerprint for a document
● purpose is to provide proof that data has not been altered
Hashing
● Process of generating a message digest from data
● Hash functions are one-way functions with the following properties
○ Infeasible to reverse the function (preimage resistance)
○ Infeasible to construct two messages which hash to the same digest (collision resistance)
● Commonly used hash algorithms
○ MD5 - 128-bit hashing algorithm by Ron Rivest of RSA
○ SHA & SHA-1 - 160-bit hashing algorithms developed by NIST
○ MD5 and SHA-1 both have practical collision attacks today; new designs
should use SHA-2 (e.g., SHA-256) or SHA-3

Message Authentication Codes: Basics


● Message digest created with a key
● Provides security by requiring a secret key, possessed by both parties, in
order to generate or verify the code; without the key, an attacker who alters
the message cannot produce a matching MAC

Password Authentication: Basics


● Password - secret character string known only to the user and the server
● Message Digest - commonly used for password authentication
● Storing a hash of the password is a lesser risk than storing the password itself
● Problems with password based authentication
○ Attacker learns the password by social engineering
○ Attacker cracks the password by brute force or guesswork
○ Attacker eavesdrops on the password (unprotected communication over the network)
○ Attacker replays a captured hashed or encrypted password back to the authentication server
Authentication Protocols
● Set of rules that governs the communication of data related to
authentication between the server and the user
● Techniques used to build a protocol are:
○ Transformed password
■ Password transformed using a one-way function before
transmission
■ Prevents eavesdropping on the password itself but not replay of the transformed value
○ Challenge-response
■ Server sends a random value (challenge) along with the
authentication request; the client returns a value computed from the
challenge and the shared secret
■ Protects against replay, because every challenge is fresh
○ Time stamp
■ Authentication message must have a time-stamp embedded
■ Server checks if the time is reasonable
■ Protects against replay outside the accepted window
■ Depends on the synchronization of clocks on the computers
○ One-time password
■ The server stores the user's password passed through a one-way
function n times; each log-in presents the value one step earlier in
the chain, and the remaining count decrements
■ Protects against replay and eavesdropping, since a used value is never
accepted again and the next value cannot be derived from it
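The three of these techniques that can be shown end to end (transformed password, challenge-response, one-time password), as an added example with both sides of each exchange; this is not code from the notes. Assumptions: SHA-256 as the one-way function, HMAC-SHA256 for the challenge response, 16-byte random challenges, and a Lamport/S-KEY style hash chain of length 100 for the one-time passwords. The demo replays each captured value so the difference in outcome is visible.

```python
from __future__ import annotations
import hashlib
import hmac
import os

def H(data: bytes) -> bytes:
    """The one-way function used throughout (assumption: SHA-256)."""
    return hashlib.sha256(data).digest()


class PasswordServer:
    """Server side of the transformed-password and challenge-response schemes."""
    def __init__(self, password: str) -> None:
        self.verifier = H(password.encode())   # never the plaintext password
        self.outstanding: set[bytes] = set()   # challenges issued, not yet answered

    def verify_transformed(self, token: bytes) -> bool:
        # Client sends H(password). An eavesdropper cannot learn the password,
        # but can replay the token unchanged.
        return hmac.compare_digest(token, self.verifier)

    def issue_challenge(self) -> bytes:
        c = os.urandom(16)                     # fresh random nonce per attempt
        self.outstanding.add(c)
        return c

    def verify_response(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self.outstanding:
            return False                       # stale, reused or forged challenge
        self.outstanding.discard(challenge)    # single use: a replayed pair is rejected
        expected = hmac.new(self.verifier, challenge, "sha256").digest()
        return hmac.compare_digest(expected, response)


class PasswordClient:
    def __init__(self, password: str) -> None:
        self.secret = H(password.encode())

    def transformed(self) -> bytes:
        return self.secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.secret, challenge, "sha256").digest()


def hash_chain(seed: bytes, n: int) -> bytes:
    """H applied n times to seed."""
    h = seed
    for _ in range(n):
        h = H(h)
    return h


class OtpServer:
    """Stores only H^n(seed); accepts x exactly when H(x) equals the stored value."""
    def __init__(self, anchor: bytes, n: int) -> None:
        self.current, self.remaining = anchor, n

    def verify(self, otp: bytes) -> bool:
        if self.remaining == 0 or not hmac.compare_digest(H(otp), self.current):
            return False
        self.current, self.remaining = otp, self.remaining - 1   # count decrements
        return True


class OtpClient:
    def __init__(self, seed: bytes, n: int) -> None:
        self.seed, self.next_index = seed, n - 1   # first value sent is H^(n-1)(seed)

    def next_otp(self) -> bytes:
        otp = hash_chain(self.seed, self.next_index)
        self.next_index -= 1
        return otp


def run_demo() -> dict[str, bool]:
    r: dict[str, bool] = {}
    server, client = PasswordServer("hunter2"), PasswordClient("hunter2")
    captured = client.transformed()                       # what an eavesdropper sees
    r["transformed_first"] = server.verify_transformed(captured)
    r["transformed_replay"] = server.verify_transformed(captured)   # still accepted
    c = server.issue_challenge()
    resp = client.respond(c)
    r["challenge_first"] = server.verify_response(c, resp)
    r["challenge_replay"] = server.verify_response(c, resp)          # rejected
    r["challenge_old_response"] = server.verify_response(server.issue_challenge(), resp)
    seed, n = os.urandom(16), 100
    otp_server, otp_client = OtpServer(hash_chain(seed, n), n), OtpClient(seed, n)
    first = otp_client.next_otp()
    r["otp_first"] = otp_server.verify(first)
    r["otp_replay"] = otp_server.verify(first)                        # rejected
    r["otp_second"] = otp_server.verify(otp_client.next_otp())
    return r

if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:24s} {'accepted' if ok else 'rejected'}")
```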
Kerberos
● Authentication service that uses symmetric key encryption and a key
distribution center (KDC).
● The KDC holds the symmetric keys of all users and services and also holds
information on which user has access privileges to which service on the
network; it issues tickets so that a user's long-term key is never sent
across the network

AUTHENTICATION
● Personal Tokens
○ Hardware devices that generate unique strings that are usually used
in conjunction with passwords for authentication
○ Different physical forms of tokens: hand-held devices, smart cards, PCMCIA
cards, USB tokens
○ Different types
■ Storage Token
■ Secret value that is stored on a token and is available
after the token has been unlocked using a PIN
■ Synchronous one-time password generator
■ Generate new password periodically based on time and
a secret code stored in the token
■ Challenge-response
■ Token computes a number based on a challenge value
sent by the server
■ Digital Signature Token
■ Contains the digital signature private key and computes
a digital signature on a supplied data value
● Biometrics
○ Uses certain biological characteristics for authentication
○ Biometric reader measures physiological indicia and compares them
to specified values
○ Not capable of securing information over the network
○ Different techniques
■ Fingerprint recognition
■ Voice recognition
■ Handwriting recognition
■ Retinal scan
■ Hand geometry recognition
● Iris Recognition
○ Takes advantage of the natural pattern in people's irises
○ Facts
■ Probability of two irises producing exactly the same code: 1 in
10 to the 78th power
■ Independent variable (degrees of freedom) extracted: 266
■ Iris code record size: 512 bytes
■ Operating system compatibility: DOS and windows
● Digital Signatures
○ A data item which accompanies or is logically associated with a digitally
encoded message
○ Has two goals
■ A guarantee of the source of the data
■ Proof that the data has not been tampered with
● Digital Certificates
○ A signed statement by a trusted party that another party's public key
belongs to them
○ Allows one certificate authority to be authorized by a different
authority
○ The top-level (root) certificate must be self-signed, so trust in it comes
from how it was distributed (an operating system or browser trust store),
not from its signature
● Certificate Chaining
○ The practice of signing a certificate with another private key that has
a certificate for its public key
○ A person's public key and some identifying information, signed by an
authority's private key, verifying the person's identity
○ The authority's public key is used to verify the signature on the
certificate (it does not "decipher" the certificate, whose contents are not secret)
○ Certificate authority (trusted party)
