
Security Notes

Return on security investment: if we have an attack, how much are we going to lose?

Investing in security is cheaper than the losses resulting from an attack.

Chapter 1:
What am I protecting? (We are talking about security perimeters) / Goals.

- All states (stored, transmitted) of my information are part of my perimeter.

What am I protecting against?

- What is an attack? An attack occurs when a threat exploits a vulnerability.
- Vulnerability: a feature that can be exploited by a threat in order to alter its normal state.
(Vulnerabilities can be on many levels: application-level, human-related, etc.)
- Zero-day vulnerabilities: they run from the moment we have found the solution for the vulnerability until the software is updated on the last device.
- Attacks can be passive (will not modify anything) or active (will modify something).
- Active: interruption, fabrication (make traffic in someone else's name), modification, etc.
- Passive: interception.
- Before the attack (we talk about threat):
  - Identify the vulnerabilities that can be exploited (systems: cyber security audit/pentest).
  - Identify the possible threats (motivation, how much the attacker will invest).
  - Compute the probability that a threat exploits a vulnerability (probability of the attack) and how much I will lose (estimated loss).
  - Using the probability of attack and the estimated loss, we can compute the security risk.
    Cyber Security Risk = probability of occurrence x estimated loss.
  - We talk about Preventive Security Mechanisms, e.g. a firewall.
- During the attack (we talk about intrusion):
  - Detect the intrusion.
  - Check whether the intrusions are accurate or not.
  - Intrusion coordination.
  - What are the vulnerabilities that have been exploited?
  - We talk about Detective Security Mechanisms: IDS (Intrusion Detection Systems).
- After the attack (we talk about alert):
  - Are the alerts correct?
  - What are the scenarios of the attack?
  Slide (39) Alert: Difference between Q2 and Q3: we have the survivability system and the recovery system.

                       Yes (attack)           No (attack)
  There is an alert    True Positive (TP)     False Positive (FP)
  No alert             False Negative (FN)    True Negative (TN)

  - We choose between systems based on our preferences regarding the percentages of FPs and FNs.
  - We talk about Recovery/Corrective Systems.

What are we guaranteeing? (We are talking about security properties: confidentiality / integrity / availability.)

- Confidentiality: protecting the "read" property: WHO can read? → Only authorized people.
Related attacks: phishing/sniffing.
- Integrity: protecting the "write" property: WHO can modify? And if a modification has occurred, you can detect it.
Related attacks: data fabrication or modification.
- Non-repudiation: related to integrity. You cannot deny that you have changed or modified the data.
- Availability: data is available to the customer for all the conceived time.
Related attacks: DoS attacks.
- Authentication: who is accessing.
- Authorization/Access Control: once authenticated, what you can do. Requires authentication!
- Accountability: trace all actions back to their responsible user.

What is the difference between privacy and confidentiality?

- Confidentiality: you can read the information.
- Privacy: whether you can use the information that you can read.

What is the difference between anonymity and confidentiality?

- Anonymity is a type of confidentiality (like voting). You need to know who voted and the type of vote, but cannot relate them to each other.

What is the difference between authentication and identification?

- Identification: knowing who the person is.
- Authentication: verifying that that person is actually legitimate. Proving who you are.

What would be the mechanisms that I should use?

Information security is a continuous process following the evolution of activities.

Malware: malicious software.

Difference between a virus and a worm:

- A worm can duplicate/replicate itself between different equipment.
- A virus attacks only the device when initiated. It can be programmed to wait for a specific condition of the device.

Phishing: it is a passive attack (this means that the attacker will collect your information without altering it → I am just observing/seeing my target without them being aware that they are being followed).

Botnets:

- DDoS (Distributed Denial of Service): its main goal is to make a service unavailable. E.g.: make all customers unable to access a website by shutting it down, or take the zombies/bots, which are normal computers, and send a virus to them in order to hide behind them; the zombies then send their responses to the website, so the website is overloaded and all legitimate users find that it is busy. DDoS is a huge family and can take many forms.

DNS Attacks: Domain Name Service: the mapping between IP addresses and URLs (or domain names) is done through DNS. So, the attacker will ask the DNS to give them the link.

- If there is a problem with the root DNS, all other DNSes will be affected.

Difference between http and https: with https, anyone who is trying to phish our activity will not understand what he or she is seeing.

NIST: National Institute of Standardization and Technologies. Any topic related to IT in the US is developed by NIST.

Chapter 2:
Encryption: we encrypt a plain text (which we can see and understand), transforming it into a message that another person can see but cannot understand (= confidentiality).

Decryption: transform it back into a plain text that we can read and understand.
With encryption and decryption, we are talking about Cryptography. There are other techniques which do not allow an external party to even see that there is traffic: we are talking about Steganography (hide the whole message).

Cryptanalysis: cracking the cryptography.

Cryptology is the whole science that includes cryptography and cryptanalysis.

Key: a parameter used in order to encrypt and decrypt a message. This key will define the difference between symmetric and asymmetric systems.

Cryptography ensures confidentiality.

There are two main families of cryptographic functions: Encryption and Hash-functions.

E(M,K): the Encryption function E of message M using key K.

D(C,K): the Decryption function D of cipher text C using key K.

E = D^(-1).

If the same key K is used in both encryption and decryption, we talk about Symmetric Systems. If they are different, we talk about asymmetric (a private and public one for Encryption, a private and public one for Decryption).

For each input M1 (plain text) we have only one image C1 (cipher text). And for each image C1 we have only one input M1.

Caesar Cipher: example 1: each letter is substituted by the third letter that comes after it.

The algorithm is public and only the key should be kept secret.

Shannon: he asked "is there a perfect secrecy?". The answer was "Yes, BUT..":
The One-time Pad: the conditions for perfect secrecy are:

1. The size of the key must be the same as the message.
2. The key should be random. (All the systems we are working with today are pseudorandom).
3. The key is used only once.
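
To make the three conditions concrete, here is an added example (not part of the original notes) that implements the one-time pad as a byte-wise XOR and shows what leaks when condition 3 is broken. The sample messages and function names are constructed for illustration, and `secrets` is an OS pseudorandom generator standing in for true randomness.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; refuses unequal sizes (condition 1)."""
    if len(a) != len(b):
        raise ValueError("key and message must have the same size")
    return bytes(x ^ y for x, y in zip(a, b))

def otp_encrypt(message: bytes):
    """Encrypt with a fresh key of the message's size; returns (key, ciphertext)."""
    # secrets uses the OS CSPRNG, standing in for the true randomness of condition 2
    key = secrets.token_bytes(len(message))
    return key, xor_bytes(message, key)

def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """Decryption is the same XOR with the same key."""
    return xor_bytes(ciphertext, key)

def differing_positions(c1: bytes, c2: bytes):
    """With a reused key, c1 XOR c2 == m1 XOR m2: the key cancels out,
    so non-zero bytes mark where the two plaintexts differ."""
    return [i for i, b in enumerate(xor_bytes(c1, c2)) if b != 0]

# Constructed sample messages of equal length
M1 = b"TRANSFER 100 EUR"
M2 = b"TRANSFER 900 EUR"

def reuse_demo():
    key, c1 = otp_encrypt(M1)
    c2 = xor_bytes(M2, key)      # condition 3 violated: same key used twice
    return differing_positions(c1, c2)

def fresh_key_demo():
    key1, c1 = otp_encrypt(M1)
    key2, c2 = otp_encrypt(M2)   # condition 3 respected: one key per message
    return otp_decrypt(c1, key1), otp_decrypt(c2, key2)

if __name__ == "__main__":
    print("positions leaked by key reuse:", reuse_demo())
```

With a reused key, an observer who holds only the two ciphertexts learns exactly which byte of the message changed, without ever seeing the key.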

We do not talk about total security anymore, but about security in time. Thus, we are talking about modern cryptography.

In modern cryptography, we talk about:

Probability of crack:

- In symmetric systems: XOR function (n=c+k): if a and b are the same the result is 0, else it is 1.
The attack in this case is to try many keys of that same size until the cipher code is cracked. This attack is called brute force. In order to minimize the probability of this attack, we increase the size of the key.

A good cipher ensures:

Confusion: each letter has many replacements.

Diffusion: if I change one line, the whole document changes (if I change the first letter of my message and only the first letter of the cipher changes, we have achieved nothing. That is why we want diffusion).

Substitution to ensure confusion, permutation to ensure diffusion.

Stream Cipher: in real-time encryption.

Block Cipher: encrypting a saved document.

DES/AES: algorithms for Block Cipher.

A3/A5: algorithms for Stream Cipher.

In Data Encryption Standard (DES):

Encryption is done block by block, then we assemble the whole thing.

Example: we take the plain text and divide it into blocks; we permute each of them once for diffusion. Then, we cipher it for 16 rounds. Then, we permute it once again. Finally, we assemble the whole thing (this process is complicated and is done by machines; just understand the concept and move on).

The strength of the cryptography algorithm is measured on a scale of 2^(112).

Counter Mode: in addition to blocks, we will add a counter. Thus, the result of encryption of each block is different (honestly, I do not know what this one is about; basically they added a counter and that's it).
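
What the counter changes, as an added example (not part of the original notes): the same three identical plaintext blocks are enciphered block by block and then in counter mode. The block cipher here is a constructed 4-round toy Feistel network built from SHA-256, not DES or AES; the key, nonce and function names are assumptions, and the plaintext length is assumed to be a multiple of the block size.

```python
import hashlib

BLOCK = 8  # toy block size in bytes

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """4-round Feistel network on one 8-byte block. A toy stand-in for
    DES/AES, used only so this runs with the standard library."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def split_blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def encrypt_block_by_block(key: bytes, plaintext: bytes):
    """Each block is enciphered independently with the same key."""
    return [toy_block_encrypt(key, b) for b in split_blocks(plaintext)]

def encrypt_counter_mode(key: bytes, nonce: bytes, plaintext: bytes):
    """Encipher nonce||counter, then XOR the result into the plaintext block.
    Running it again on the ciphertext with the same nonce decrypts."""
    out = []
    for counter, block in enumerate(split_blocks(plaintext)):
        keystream = toy_block_encrypt(key, nonce + counter.to_bytes(4, "big"))
        out.append(bytes(a ^ b for a, b in zip(block, keystream)))
    return out

KEY = b"constructed-key"          # constructed sample values
NONCE = b"\x00\x00\x00\x01"       # 4 bytes; must never repeat under the same key
PLAINTEXT = b"SAMEDATA" * 3       # three identical 8-byte blocks

def distinct_blocks(blocks) -> int:
    """How many different ciphertext blocks an observer sees."""
    return len(set(blocks))

if __name__ == "__main__":
    print("block by block:", distinct_blocks(encrypt_block_by_block(KEY, PLAINTEXT)))
    print("counter mode  :", distinct_blocks(encrypt_counter_mode(KEY, NONCE, PLAINTEXT)))
```

Block-by-block encryption yields one repeated ciphertext block, which reveals that the plaintext repeats; counter mode yields three different blocks.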

Hash-functions: Hash is the fingerprint of each function.

Properties of Hash-functions:

- Public.
- Easy to calculate: quick and does not consume resources.
- No matter the size of the message, the Hash will always have the same size.
- Cannot deduce the message from it.
- Two different messages do not have the same Hash.

Hash is not cryptography.

Hash functions are used for integrity. (I do not care if someone reads it, but I do not want anyone to change it).

Difference between weak and strong collision: the difference is in the data we have available. With weak collision, we have x and hash(x) and we are looking for x' with the same Hash. However, with strong collision, we have x and x' and we want to deduce a hash that is the same for both of them (which should not be possible).

HMAC: used so the attacker cannot alter the message and its H without the receiver knowing about it. For this purpose, HMACs add a key that only the sender and receiver know to encrypt the Hash.
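
The receiver-side check described above, as an added example (not part of the original notes) using Python's standard `hmac` module, which mixes the key into the hash computation. The key and messages are constructed sample values and the function names are assumptions.

```python
import hashlib
import hmac

SHARED_KEY = b"constructed-demo-key"   # constructed; known only to sender and receiver
ORIGINAL = b"pay 100 to account A"     # constructed sample message
FORGED = b"pay 9000 to account B"      # the message after modification in transit

def plain_hash(msg: bytes) -> str:
    """Unkeyed fingerprint: anyone can compute it (hash functions are public)."""
    return hashlib.sha256(msg).hexdigest()

def keyed_tag(msg: bytes, key: bytes) -> str:
    """HMAC-SHA256: only holders of the key can produce a valid tag."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def receiver_accepts_hash(msg: bytes, digest: str) -> bool:
    return hmac.compare_digest(plain_hash(msg), digest)

def receiver_accepts_hmac(msg: bytes, tag: str, key: bytes) -> bool:
    # compare_digest is constant-time, so the comparison leaks no timing information
    return hmac.compare_digest(keyed_tag(msg, key), tag)

def modified_in_transit():
    """Whoever alters the message has no key and can only recompute the unkeyed hash."""
    return FORGED, plain_hash(FORGED)

def demo():
    forged_msg, forged_check = modified_in_transit()
    return {
        "hash_only_accepts_modified": receiver_accepts_hash(forged_msg, forged_check),
        "hmac_accepts_modified": receiver_accepts_hmac(forged_msg, forged_check, SHARED_KEY),
        "hmac_accepts_original": receiver_accepts_hmac(
            ORIGINAL, keyed_tag(ORIGINAL, SHARED_KEY), SHARED_KEY),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(check, result)
```

A plain hash sent alongside the message detects accidental corruption only; the keyed tag is what lets the receiver reject a modified message.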

Asymmetrical cryptography:
1st Scenario: the sender will use the public key of the receiver in order to encrypt the message. The receiver will decrypt it using the receiver's private key. → Confidentiality.

2nd Scenario: the sender encrypts the code using the sender's private key. Thus, anyone (the receiver) can decrypt it using the sender's public key. → Authentication (we know that the specific sender sent it because we decrypted it using their public key), Integrity (whoever modifies the message cannot encrypt it again since they need the private key of the sender), Non-repudiation (you cannot deny having encrypted that message since you must have used your private key).

The digital signature: I encrypt the hash of my message using my private key and send it with my message. The system will compute the hash of the message, decrypt the received hash using the public key of the sender, and compare them to check for modifications. This applies the two scenarios above.

RSA Algorithm:
1. Generate the keys (public & private since we are in the asymmetrical case).
   Choose p & q (that are prime numbers).
   Compute n = p*q.
   Compute Q(n) = (p-1)*(q-1).
   Choose 1 < e < Q(n) (e can be any number but should NOT be divisible by Q(n)).
   Find d such that d*e = 1 mod Q(n).
   → Public key is (e,n) | Private key is d.
   → To cipher the message M, we raise it to the power of e mod n (C = M^(e) mod n).
   → To decipher: M = C^(d) mod n.
In this case, this process is applied twice by both the sender and receiver.

To generate the keys for the RSA cryptosystem, we need to follow these steps:

1. Choose two distinct prime numbers, p and q.
2. Compute n = p * q.
3. Compute the totient of n, φ(n) = (p-1) * (q-1).
4. Choose an integer e, 1 < e < φ(n), such that gcd(e, φ(n)) = 1.
5. Compute the integer d, 1 < d < φ(n), such that e * d ≡ 1 (mod φ(n)).
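
The five steps carried through with small numbers, followed by the digital signature described earlier (hash the message, apply the private key, verify with the public key). This is an added example, not part of the original notes: the primes 61 and 53, the exponent 17 and the function names are constructed, and this textbook form without padding is for understanding only.

```python
import hashlib
from math import gcd

def generate_keys(p: int, q: int, e: int):
    """Steps 2-5 for chosen primes p, q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("need 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)              # modular inverse (Python 3.8+)
    return (e, n), d

def encrypt(m: int, public) -> int:
    e, n = public
    return pow(m, e, n)              # C = M^e mod n

def decrypt(c: int, d: int, n: int) -> int:
    return pow(c, d, n)              # M = C^d mod n

def digest_mod_n(message: bytes, n: int) -> int:
    """SHA-256 of the message, reduced mod n so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, d: int, n: int) -> int:
    """Apply the private key to the hash of the message."""
    return pow(digest_mod_n(message, n), d, n)

def verify(message: bytes, signature: int, public) -> bool:
    """Recover the hash with the public key and compare with a fresh hash."""
    e, n = public
    return pow(signature, e, n) == digest_mod_n(message, n)

# Toy primes (constructed); real RSA uses primes of 1024 bits or more plus padding (OAEP/PSS)
PUBLIC, D = generate_keys(61, 53, 17)

if __name__ == "__main__":
    c = encrypt(65, PUBLIC)
    print("public:", PUBLIC, "private d:", D)
    print("cipher:", c, "deciphered:", decrypt(c, D, PUBLIC[1]))
    sig = sign(b"constructed message", D, PUBLIC[1])
    print("signature valid:", verify(b"constructed message", sig, PUBLIC))
```

The `gcd` check is the condition from step 4: an exponent such as 15 is smaller than φ(n) = 3120 yet shares a factor with it, so no d exists and key generation must refuse it.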

Helpful YouTube videos:

https://www.youtube.com/watch?v=J4_R_bysWAI

https://www.youtube.com/watch?v=KOKmY0TtYww

Symmetrical                                   Asymmetrical
(-) Huge number of keys due to having to      (-) Takes more computation resources
    create a key for each of the receivers.
(-) Key distribution is difficult.            (-) Takes more time.
(+) Fast                                      (+) 1 public key for all
(+) Easy to compute                           (+) No problem of key distribution.

→ Hybrid encryption will merge the benefits of the two methods.

Hybrid Encryption:

There are two scenarios:

- Online (RSA):
  - Asymmetric: the client connects to the web server, the web server will send a public key, which will create a session key (symmetric key) which will be sent to the server for decryption.
  - Symmetric: the key will be used in further operations in web pages.
- Offline (RSA):
  - We have a public and private key for each of the sender and receiver.
  - We will get the public key of the receiver, then the sender will generate a session key (symmetric), then will encrypt the session key using the public key of the receiver, then will encrypt the mail using the session key, then will send it. The receiver will then retrieve the symmetric key using the public key, then will use it to decrypt the mail.

Diffie-Hellman: asymmetric, used to distribute a symmetric key.

Chapter 3:
