Introduction

Outline

- Introduction
- Security Attacks
- Services and Mechanisms

Introduction

Computer Security: The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (hardware, software, firmware, information/data, and telecommunications).
- NIST Computer Security Handbook

- Confidentiality is concealment of information or resources from unauthorized people
- Integrity refers to the trustworthiness of data or resources
- Availability refers to the ability to use the information or resource desired

Vulnerability: a flaw or weakness in a system’s design or implementation
Risk: an expectation of loss expressed as the probability
Threat: a potential for violation of security
Attack: an assault on system security that derives from an intelligent threat
Adversary: an entity that attacks a system
Countermeasure: an action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack

Security Attacks

Security attacks are unauthorized actions against IT assets in order to destroy them, modify them or steal sensitive data.

Security Attacks: Threat to Confidentiality

Snooping: snooping refers to unauthorized access to data
Traffic Analysis: the attacker can obtain other types of information by monitoring online traffic

Security Attacks: Threat to Integrity

Modification: after accessing information, the attacker modifies the information to make it beneficial to herself/himself
Masquerading: masquerading happens when the attacker impersonates somebody else
Replaying: the attacker obtains a copy of a message sent by a user and later tries to replay it
Repudiation: the sender of the message might later deny that she/he has sent the message

Security Attacks: Threat to Availability

Denial of Service: it may slow down or totally interrupt the services of the system

Passive Versus Active Attacks

Table Categorization of passive and active attacks

Currently Popular Security Attacks

- Malware
- Phishing
- Man-in-the-middle attack
- Denial-of-service
- SQL injection
- Zero-day exploit

Malware

Malware is a term used to describe malicious software, including spyware, ransomware, viruses, and worms. Malware breaches a network through a vulnerability, typically when a user clicks a dangerous link or email attachment that then installs risky software.

Phishing

Phishing is the practice of sending fraudulent communications that appear to come from a reputable source, usually through email. The goal is to steal sensitive data like credit card and login information or to install malware on the victim's machine.

Man-in-the-middle attack

Man-in-the-middle (MitM) attacks, also known as eavesdropping attacks, occur when attackers insert themselves into a two-party transaction. Once the attackers interrupt the traffic, they can filter and steal data.

Denial-of-service

A denial-of-service attack floods systems, servers, or networks with traffic to exhaust resources and bandwidth. As a result, the system is unable to fulfill legitimate requests. Attackers can also use multiple compromised devices to launch this attack. This is known as a distributed-denial-of-service (DDoS) attack.

SQL injection

A Structured Query Language (SQL) injection occurs when an attacker inserts malicious code into a server that uses SQL and forces the server to reveal information it normally would not. An attacker could carry out a SQL injection simply by submitting malicious code into a vulnerable website search box.
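
The search-box case described above, as an added example that is not part of the original slides: the same search written once by pasting the term into the SQL text and once with a bound parameter. The table, its rows, the function names and the probe string are constructed for illustration, and SQLite stands in for whatever database a site would use.

```python
import sqlite3

# Constructed probe: a quote ends the string literal, the rest becomes SQL.
PROBE = "' OR 1=1 --"

def make_db():
    # Constructed sample data: two public rows and one that must stay hidden.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, hidden INTEGER)")
    db.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [("red kettle", 0), ("blue kettle", 0), ("unreleased kettle", 1)],
    )
    return db

def search_vulnerable(db, term):
    # Weak: the term is concatenated into the statement, so quote characters
    # in the input change the structure of the query itself.
    sql = ("SELECT name FROM products WHERE hidden = 0 "
           "AND name LIKE '%" + term + "%'")
    return sorted(row[0] for row in db.execute(sql))

def search_parameterized(db, term):
    # Hardened: the statement text is fixed and the term is bound as a value,
    # so it is only ever compared as a string (LIKE wildcards still apply).
    sql = "SELECT name FROM products WHERE hidden = 0 AND name LIKE ?"
    return sorted(row[0] for row in db.execute(sql, ("%" + term + "%",)))

def demo():
    db = make_db()
    return {
        "vulnerable, normal term": search_vulnerable(db, "kettle"),
        "vulnerable, probe": search_vulnerable(db, PROBE),
        "parameterized, probe": search_parameterized(db, PROBE),
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, "->", rows)
```

With the concatenated query the probe returns the hidden row as well; with the bound parameter the same input is an ordinary search string that matches nothing.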

Zero-day exploit

A zero-day exploit hits after a network vulnerability is announced but before a patch or solution is implemented. Attackers target the disclosed vulnerability during this window of time.

Services and Mechanisms

Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.
Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack.

Security Services

Security Mechanisms

Encipherment provides confidentiality
Data Integrity mechanism appends to the data a short checkvalue that has been created by a specific process from the data itself
Digital Signature is a means by which the sender can electronically sign the data and the receiver can electronically verify the signature

Authentication Exchange: two entities exchange some messages to prove their identity to each other
Traffic Padding means inserting some bogus data into the data traffic to thwart the adversary’s attempt to use traffic analysis
Routing Control means selecting and continuously changing different available routes between the sender and the receiver to prevent the opponent from eavesdropping on a particular route

Notarization means selecting a trusted third party to control the communication between two entities
Access Control uses methods to prove that a user has access rights to the data or resources owned by a system
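
The Data Integrity mechanism above, set against the Modification and Replaying attacks from the earlier slides, as an added example that is not part of the original deck. The slides do not name the process that creates the checkvalue; HMAC-SHA-256, the 8-byte sequence number, the key and the messages are assumptions chosen here for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed sample secret shared by both ends

def unkeyed_protect(data):
    # Check value = plain SHA-256 of the data; anyone can recompute it.
    return data + hashlib.sha256(data).digest()

def unkeyed_verify(packet):
    return hashlib.sha256(packet[:-32]).digest() == packet[-32:]

def protect(key, seq, data):
    # Keyed check value over sequence number + data, appended to the message.
    header = seq.to_bytes(8, "big")
    return header + data + hmac.new(key, header + data, hashlib.sha256).digest()

class Receiver:
    def __init__(self, key):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, packet):
        if len(packet) < 40:  # 8-byte header + 32-byte check value
            return "rejected: too short"
        header, data, tag = packet[:8], packet[8:-32], packet[-32:]
        expected = hmac.new(self.key, header + data, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return "rejected: modified"
        seq = int.from_bytes(header, "big")
        if seq <= self.last_seq:
            return "rejected: replayed"
        self.last_seq = seq
        return "accepted: " + data.decode(errors="replace")

def demo():
    # An altered message with a recomputed plain hash still verifies.
    forged_ok = unkeyed_verify(unkeyed_protect(b"pay 90 to bob"))
    rx = Receiver(KEY)
    genuine = protect(KEY, 1, b"pay 10 to bob")
    altered = genuine[:8] + b"pay 90 to bob" + genuine[-32:]
    return forged_ok, [rx.accept(altered), rx.accept(genuine), rx.accept(genuine)]

if __name__ == "__main__":
    print(demo())
```

A checkvalue computed without a key only catches accidental changes; the keyed value catches the altered message, and the sequence number catches the second delivery of a genuine one.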

Relationship between Security Services and Security Mechanisms

TECHNIQUES

Mechanisms discussed in the previous sections are only theoretical recipes to implement security. The actual implementation of security goals needs some techniques. Two techniques are prevalent today: cryptography and steganography.

Cryptography
Steganography

Cryptography

Cryptography, a word with Greek origins, means “secret writing.” However, we use the term to refer to the science and art of transforming messages to make them secure and immune to attacks.

Steganography

The word steganography, with origin in Greek, means “covered writing,” in contrast with cryptography, which means “secret writing.”

Example: covering data with text
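
One way data can be covered with text, as an added example that is not part of the original slides: the scheme (one space between words for bit 0, two spaces for bit 1), the cover sentence and all function names are assumptions made here. The last two functions show the defender's side: counting double gaps to spot the channel and collapsing whitespace to erase it.

```python
import re

# Constructed cover sentence: 12 words give 11 gaps, enough for one byte.
COVER = "this is a constructed cover sentence with enough gaps for one byte"

def hide(cover_text, secret):
    words = cover_text.split()
    bits = "".join(f"{byte:08b}" for byte in secret)
    if len(bits) > len(words) - 1:
        raise ValueError("cover text has too few word gaps for the secret")
    out = words[0]
    for i, word in enumerate(words[1:]):
        # Gap i carries bit i; gaps past the end of the secret stay single.
        gap = "  " if i < len(bits) and bits[i] == "1" else " "
        out += gap + word
    return out

def reveal(stego_text, n_bytes):
    # Read the first n_bytes * 8 gaps back as bits.
    gaps = re.findall(r" +", stego_text.strip())[: n_bytes * 8]
    bits = "".join("1" if len(g) == 2 else "0" for g in gaps)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))

def double_gaps(text):
    # Detection: count gaps of exactly two spaces between words.
    return sum(1 for g in re.findall(r" +", text.strip()) if len(g) == 2)

def sanitize(text):
    # Mitigation: collapsing whitespace runs erases the hidden channel.
    return " ".join(text.split())

if __name__ == "__main__":
    stego = hide(COVER, b"A")
    print(repr(stego))
    print(reveal(stego, 1), double_gaps(stego), reveal(sanitize(stego), 1))
```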
