Lecture 1 - Network Security Basics
SCHOOL OF SCIENCE
Course Content
Lecture 1: Key concepts in Information Security; threats and vulnerabilities in computer networks; authentication applications
Lecture 2: Electronic mail security; IP security
Lecture 3: Web security and other web security issues: intruders and viruses, firewalls, digital cash, secret sharing schemes
Lecture 4: CAT 1
Lecture 5: Conventional encryption: classical systems, DES, 3DES, AES, symmetric ciphers (RC4, RC5)
Lecture 6: Zero-knowledge techniques, folklore
Lecture 7: Public key cryptography: introduction to number theory, key management, message authentication and hash functions
Lecture 8: Hash and MAC algorithms, digital signatures, passwords and password management
Lecture 9: Penetration testing
Lecture 10: Trends in network security
Lecture 11: Presentations
Lecture 12: CAT II
Assessment
Continuous Assessment Tests (CATs): 30%
End of Semester Written Examinations: 70%
Learning Materials
LECTURE 1
Key concepts in Information Security
Information security is the practice of defending information from unauthorized access, use, disclosure,
disruption, modification, perusal, inspection, recording or destruction.
It is also defined as preservation of confidentiality, integrity and availability of information. Other
properties, such as authenticity, accountability, non-repudiation and reliability can also be involved.
Security attack – Any action that compromises the security of information owned by an organization.
Security mechanism – A means used to detect, prevent or recover from a security attack.
Security service – A processing or communication service that enhances the security of data processing systems and information transfers. Security services are intended to counter security attacks and make use of one or more security mechanisms to do so.
Confidentiality - limiting information access and disclosure to authorized users -- "the right people" --
and preventing access by or disclosure to unauthorized ones -- "the wrong people."
Integrity - Maintaining and assuring the accuracy and consistency of data over its entire life-cycle.
Availability - This means that the computing systems used to store and process the information, the
security controls used to protect it, and the communication channels used to access it must be functioning
correctly.
Non-repudiation - Assurance that the sender of a message or transaction cannot later deny having sent it, and that the recipient cannot deny having received it.
Risk is the likelihood that something bad will happen that causes harm to an informational asset (or the
loss of the asset).
Vulnerability is a weakness that could be used to endanger or cause harm to an informational asset.
A threat is anything (man-made or an act of nature) that has the potential to cause harm. The likelihood that a threat will exploit a vulnerability to cause harm creates a risk. When a threat does exploit a vulnerability to inflict harm, it has an impact.
Cryptography - The art or science encompassing the principles and methods of transforming an
intelligible message into one that is unintelligible, and then retransforming that message back to its
original form.
Information Infrastructure comprises communications networks, computers, databases, management,
applications, and consumer electronics and can exist at the global, national, or local level.
The network and infrastructure equipment that provides connectivity between enclaves can be logically grouped into three areas:
Public/commercial networks and network technologies
Dedicated network services
Government-owned and government-operated networks and services
Organizational and government information systems and their corresponding networks offer attractive
targets to hackers. They must be able to withstand the ever-growing quantity of threats from hackers of all
types in order to limit damage and recover rapidly when such attacks do occur.
Network Vulnerabilities
Passive: Passive attacks include traffic analysis, monitoring of unprotected communications, decrypting
weakly encrypted traffic, and capturing authentication information (e.g., passwords). Passive intercept of
network operations can give adversaries indications and warnings of impending actions. Passive attacks
can result in the disclosure of information or data files to an attacker without the consent or knowledge of
the user. Examples include the disclosure of personal information such as credit card numbers and
medical files.
Active: Active attacks include attempts to circumvent or break protection features, introduce malicious
code, or steal or modify information. These include attacks mounted against a network backbone,
exploitation of information in transit, electronic penetrations into an enclave, or attacks on an authorized
remote user when attempting to connect to an enclave. Active attacks can result in the disclosure or
dissemination of data files, denial of service, or modification of data.
Close-in: Close-in attacks are where an unauthorized individual is in physical close proximity to
networks, systems, or facilities for the purpose of modifying, gathering, or denying access to information.
Close proximity is achieved through surreptitious entry, open access, or both.
Insider: Insider attacks can be malicious or non-malicious. Malicious insiders have the intent to
eavesdrop, steal or damage information, use information in a fraudulent manner, or deny access to other
authorized users. Non-malicious attacks typically result from carelessness, lack of knowledge, or
intentionally circumventing security for non-malicious reasons, such as to "get the job done."
Distribution: Distribution attacks focus on the malicious modification of hardware or software at the factory or during distribution. These attacks can introduce malicious code into a product, such as a back door, to gain unauthorized access to information or a system function at a later date.
Network vulnerabilities come in many forms, but the most common types are:
1. Malware, short for malicious software, such as Trojans, viruses and worms that are installed on a user's machine or a host server.
2. Social engineering attacks that fool users into giving up credentials such as a username or password.
3. Outdated or unpatched software that exposes the systems running the application and potentially the entire network.
4. Misconfigured firewalls or operating systems, for example ones left with permissive default policies enabled.
5. Gaps in application security: when applications are not kept up to date, tested and patched, the door is open to code injection, cross-site scripting, insecure direct object references and much more.
Man-in-the-middle attacks involve a third party intercepting and exploiting communications between two entities that should remain private. Not only does eavesdropping occur; the intruder can also change or misrepresent information in transit, causing inaccuracy and outright security breaches.
This is a vulnerability that allows attackers to spy on or alter the communication between devices in your network. A man-in-the-middle attack can lead to the installation of viruses, worms or ransomware. Cybercriminals can carry out man-in-the-middle attacks through:
IP spoofing (forging the source address of packets)
DNS spoofing (returning a false address for a legitimate name)
HTTPS spoofing (presenting a look-alike site or certificate to the victim)
SSL hijacking (interposing on the session setup so that the attacker terminates the encrypted connection)
Wi-Fi hacking (a rogue or compromised access point)
Rootkits are tool sets installed after an initial compromise to hide the attacker's presence (processes, files, network connections) and to keep privileged, often remote, access to the system without permission. They can lead to the installation of further malware and the stealing of passwords and other data.
Superuser accounts
Superuser accounts can themselves become network vulnerabilities. These accounts have unrestricted privileges over data and devices and are typically used for administration by IT team leaders.
The holder can create, modify and delete files, install software, or copy information. If a cybercriminal gets hold of such an account, the damage to your network and your business could be catastrophic, so such accounts should be used only when needed and protected with strong authentication.
Causes of Vulnerabilities
Design and development errors: Flaws in the design or implementation of hardware and software. Such bugs can expose business-critical data.
Poor system configuration: A poorly configured system introduces loopholes through which attackers can enter and steal information.
Human errors: Improper disposal of documents, leaving documents unattended, coding errors, insider threats, entering passwords into phishing sites and similar mistakes can lead to security breaches.
Connectivity: A system connected to an unsecured network (open connections) is within reach of attackers.
Complexity: Vulnerability grows with the complexity of a system. The more features a system has, the larger its attack surface.
Passwords: Passwords are used to prevent unauthorized access. They should be strong enough that no one can guess them, should never be shared, and should be changed periodically or, at minimum, whenever compromise is suspected. In spite of such instructions, people reveal their passwords to others, write them down in insecure places and choose easy passwords that can be guessed.
User input: Untrusted input that is not validated is a classic cause of vulnerability. SQL injection, buffer overflows and similar attacks all deliver crafted data to the receiving system, which then mishandles or executes it.
Management: Security is hard and expensive to manage. Organizations that lag behind in proper risk management leave vulnerabilities in their systems.
Lack of staff training: This leads to human errors and other vulnerabilities.
Communication: Every channel (mobile networks, the Internet, the telephone) is a path an attacker can use to intercept or steal information.
Note
The threats are too numerous, too fast and too powerful to ignore, and the day you are compromised will arrive sooner rather than later. Basic security is NOT ENOUGH.
Throw out any notion that you will be able to completely eliminate risk. Shift your security goals towards minimizing and managing risk: keeping the impact of incidents low and the effort needed to resolve them as small as possible.
The controls you implement are what make those goals achievable, including:
Complete managed security covering all your endpoints
Encrypt EVERYTHING – in transit and at rest
Secure EVERYTHING – with two-factor authentication
Trust no one and no account (zero trust)
Patch, patch, and keep patching
Leverage third-party specialists for audits and monitoring
Stay on top of patch management, and revisit and validate the alerting infrastructure at every point of egress/ingress
Use defense in depth (layered security measures), and
Teach users to protect their accounts and report suspicious events.
INTRUDERS
One of the most publicized threats to security is the intruder, generally referred to as a hacker or cracker.
Three classes of intruders are as follows:
Masquerader – an individual who is not authorized to use the computer and who penetrates a
system’s access controls to exploit a legitimate user’s account.
Misfeasor – a legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.
Clandestine user – an individual who seizes supervisory control of the system and uses this control to
evade auditing and access controls or to suppress audit collection.
The masquerader is likely to be an outsider; the misfeasor generally is an insider; and the clandestine user
can be either an outsider or an insider.
Intruder attacks range from the benign to the serious. At the benign end of the scale, there are many people who simply wish to explore the Internet and see what is out there. At the serious end are individuals
who are attempting to read privileged data, perform unauthorized modifications to data, or disrupt the
system. Benign intruders might be tolerable, although they do consume resources and may slow
performance for legitimate users.
Intrusion techniques
The objective of the intruders is to gain access to a system or to increase the range of privileges
accessible on a system. Generally, this requires the intruders to acquire information that should be
protected. In most cases, the information is in the form of a user password.
Typically, a system must maintain a file that associates a password with each authorized user. If such a file is stored with no protection, then it is an easy matter to gain access to it. The password file can be protected in one of two ways:
One-way function (often loosely called one-way encryption) – the system stores only a transformed form of the user's password, never the password itself. In practice the transformation is not reversible: the password is used as the key or input to a fixed-length hashing or encryption function, and only the output is stored. At login the system repeats the transformation on the supplied password and compares the result with the stored value. A per-user salt should be mixed in so that identical passwords do not produce identical stored values, and the function should be deliberately slow so that guessing is expensive.
Access control – access to the password file is limited to one or a very few accounts.
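As an added example (not from the lecture), here is the one-way transformation and the access-control protection together in Python: passwords are stored as salted PBKDF2-HMAC-SHA256 output, verified by recomputing and comparing, and written to a file created with owner-only permissions. The iteration count, the record format, the file layout and the demo user names are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
import tempfile

ITERATIONS = 600_000  # assumed work factor; tune it to your hardware


def make_record(password: str) -> str:
    """Return the stored form 'iterations$salt$digest' (hex). Only the one-way
    PBKDF2 output is kept, so the password cannot be recovered from the file."""
    salt = secrets.token_bytes(16)  # fresh per-user salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(record: str, candidate: str) -> bool:
    """Repeat the transformation on the candidate and compare with the stored value."""
    iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest does not stop at the first differing byte (timing safety)
    return hmac.compare_digest(digest.hex(), digest_hex)


def write_password_file(path: str, records: dict) -> None:
    """Access-control half: create the file readable and writable by the owner only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        for user, rec in records.items():
            f.write(f"{user}:{rec}\n")


def read_password_file(path: str) -> dict:
    records = {}
    with open(path) as f:
        for line in f:
            user, rec = line.rstrip("\n").split(":", 1)
            records[user] = rec
    return records


def demo() -> dict:
    """Round trip through a temporary file (constructed scenario) and report results."""
    path = os.path.join(tempfile.mkdtemp(), "shadow")
    write_password_file(path, {"alice": make_record("correct horse")})
    stored = read_password_file(path)
    return {
        "alice_ok": verify(stored["alice"], "correct horse"),
        "alice_bad": verify(stored["alice"], "Correct horse"),
        "mode": os.stat(path).st_mode & 0o777,
    }


if __name__ == "__main__":
    print(demo())
```

Two records for the same password differ because each gets its own salt, so an attacker who steals the file cannot spot shared passwords or use one precomputed table against all users.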
Techniques used to learn or guess passwords include the following:
Collect information about users such as their full names, the names of their spouse and children, pictures in their office and books in their office that are related to hobbies.
Try users' phone numbers, social security numbers and room numbers.
Try all legitimate license plate numbers.
Use a Trojan horse to bypass restrictions on access.
Tap the line between a remote user and the host system.
Two principal countermeasures:
Detection – concerned with learning of an attack, either before or after its success.
Prevention – a challenging security goal and an uphill battle at all times.
INTRUSION DETECTION:
Inevitably, the best intrusion prevention system will fail. A system's second line of defense is intrusion
detection, and this has been the focus of much research in recent years.
This interest is motivated by a number of considerations, including the following:
1. If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system
before any damage is done or any data are compromised.
2. An effective intrusion detection system can serve as a deterrent, so acting to prevent intrusions.
3. Intrusion detection enables the collection of information about intrusion techniques that can be used
to strengthen the intrusion prevention facility.
4. Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a
legitimate user in ways that can be quantified.
Boundary protection for an enclave should:
Provide boundary defenses for systems within the enclave that cannot defend themselves due to technical or configuration problems.
Provide a risk-managed means of selectively allowing information to flow across the enclave boundary.
Provide protection against the undermining of systems and data within the protected enclave by external entities.
Provide strong authentication, and thereby authenticated access control, of users sending or receiving information from outside their enclave.
Detection tools
It is important to supplement system and network logs with additional tools that watch for signs that an
incident has occurred or has been attempted.
These include tools that monitor and inspect system resource use, network traffic, network connections,
user accounts, file access, virus scanners, tools that verify file and data integrity, vulnerability scanners,
and tools to process log files.
Examples of detection tools include tools that:
• Report system events, such as password cracking, or the execution of unauthorized programs
• Report network events, such as access during nonbusiness hours, or the use of Internet Relay Chat
(IRC), a common means of communication used by intruders
• Report user-related events, such as repeated login attempts, or unauthorized attempts to access
restricted information
• Verify data, file, and software integrity, including unexpected changes to the protections of files or
improperly set access control lists on system tools
• Examine systems in detail on a periodic basis to check log file consistency or known vulnerabilities
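The "repeated login attempts" and "access during nonbusiness hours" items above are simple enough to implement directly. The following added example (not part of the original notes) parses constructed OpenSSH-style log lines and raises two kinds of alerts: a burst of failed logins from one source address within a sliding time window, and successful logins outside an assumed business-hours window. The log lines, addresses, thresholds, year and hours are all invented for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH/syslog style (not real log data).
SAMPLE_LOG = """\
Mar 10 02:14:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Mar 10 02:14:03 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50123 ssh2
Mar 10 02:14:05 host sshd[1201]: Failed password for root from 203.0.113.5 port 50124 ssh2
Mar 10 02:14:07 host sshd[1201]: Failed password for root from 203.0.113.5 port 50125 ssh2
Mar 10 02:14:09 host sshd[1201]: Failed password for root from 203.0.113.5 port 50126 ssh2
Mar 10 09:30:12 host sshd[1300]: Accepted password for alice from 198.51.100.7 port 41000 ssh2
Mar 10 11:02:40 host sshd[1310]: Failed password for alice from 198.51.100.7 port 41010 ssh2
Mar 10 11:02:55 host sshd[1310]: Accepted password for alice from 198.51.100.7 port 41011 ssh2
Mar 10 23:45:09 host sshd[1400]: Accepted publickey for bob from 203.0.113.9 port 42000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+)"
)


def parse(log_text: str, year: int = 2024) -> list:
    """Turn matching sshd lines into event dicts. syslog omits the year, so one
    is assumed; lines that are not login results are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def repeated_failures(events: list, threshold: int = 5, window_seconds: int = 60) -> list:
    """Alert when one source IP produces >= threshold failures inside a sliding window.
    Returns (ip, time of the failure that crossed the threshold) tuples."""
    alerts = []
    recent = defaultdict(list)  # ip -> timestamps of failures still inside the window
    for e in events:  # events are assumed to be in log order
        if e["result"] != "Failed":
            continue
        times = recent[e["ip"]]
        times.append(e["ts"])
        while (e["ts"] - times[0]).total_seconds() > window_seconds:
            times.pop(0)  # expire failures that fell out of the window
        if len(times) >= threshold:
            alerts.append((e["ip"], e["ts"]))
            times.clear()  # one alert per burst
    return alerts


def off_hours_logins(events: list, start_hour: int = 8, end_hour: int = 18) -> list:
    """Successful logins outside the assumed business window [start_hour, end_hour)."""
    return [
        (e["user"], e["ip"], e["ts"])
        for e in events
        if e["result"] == "Accepted" and not (start_hour <= e["ts"].hour < end_hour)
    ]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for ip, ts in repeated_failures(evs):
        print(f"ALERT brute force: {ip} at {ts}")
    for user, ip, ts in off_hours_logins(evs):
        print(f"ALERT off-hours login: {user} from {ip} at {ts}")
```

Alice's single failure followed by a success is the normal typo pattern and stays below the threshold; the five rapid failures from 203.0.113.5 trip the burst rule, and Bob's 23:45 login is reported because it falls outside the assumed hours even though it succeeded.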
Detection techniques
Incident detection is based on three simple steps:
1. Observe and monitor information systems for signs of unusual activity.
2. Investigate anything that appears to be unusual.
3. If something is found that cannot be explained by authorized activity, immediately initiate
predetermined incident response procedures.
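Step 1, observing systems for signs of unusual activity, includes the integrity checks listed under detection tools (unexpected changes to files or to their protections). As an added example (not from the notes), the following Python code takes a baseline snapshot of a directory tree, recording each file's SHA-256 digest and permission bits, and compares a later snapshot against it. The demo() function builds a constructed tree in a temporary directory, tampers with it, and returns the report; the file names and contents are invented.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map each file (path relative to root) to (digest, permission bits)."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            snap[rel] = (sha256_file(full), os.stat(full).st_mode & 0o777)
    return snap


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed, changed in content, or changed in mode."""
    report = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            if baseline[rel][0] != current[rel][0]:
                report["modified"].append(rel)
            if baseline[rel][1] != current[rel][1]:
                report["mode_changed"].append(rel)
    return report


def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then tamper with it."""
    root = tempfile.mkdtemp()
    try:
        ls = os.path.join(root, "bin", "ls")
        passwd = os.path.join(root, "passwd")
        notes = os.path.join(root, "notes.txt")
        _write(ls, b"original ls binary")
        _write(passwd, b"root:x:0:0:root:/root:/bin/sh\n")
        _write(notes, b"to be deleted")
        os.chmod(ls, 0o755)
        os.chmod(passwd, 0o644)
        baseline = snapshot(root)

        # Simulated intrusion: trojaned binary, loosened permissions,
        # a new tool dropped, and a file removed.
        _write(ls, b"trojaned ls binary")
        os.chmod(passwd, 0o666)
        _write(os.path.join(root, "bin", "ps"), b"attacker tool")
        os.remove(notes)

        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline must be stored where the intruder cannot rewrite it (read-only media or a separate host), and it is refreshed only after an authorised change; otherwise a rootkit can simply re-baseline its own modifications.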
Eradication
Removal of the root cause of a security incident often requires a great deal of analysis, followed by
specific corrective actions, such as the improvement of detection mechanisms, changes in reporting
procedures, installation of enhanced protection mechanisms (such as firewalls), implementation of more
sophisticated physical access controls, development of methods that improve user community awareness
and provide training on what to do when an incident occurs, or making specific changes to security policy
and procedures to prevent reoccurrence of an incident.
Recovery
Restoring a compromised information system to normal operation should be accomplished when the root
cause of the incident has been corrected. This prevents the same or a similar type of incident from
occurring and helps to ensure that a recurring incident will be detected in a more timely fashion.
The determination to return a system to normal operation prior to fully resolving the root problem should
require the involvement of senior management.
System restoration steps may include the following:
• Using the latest trusted backup to restore user data: Users should review all restored data files to
ensure that they have not been affected by the incident.
• Enabling system and application services: Only those services actually required by the users of the
system should be enabled initially.
• Reconnecting the restored system to its LAN: Validate the system by executing a known series of
tests, where prior test results are available for comparison.
• Being alert for problem recurrence: A recurrence of a virus infection or an intrusion is a real possibility. Once a system has been compromised, especially by an intruder, it is likely to become a target for future attacks.
COMP 425 : INFORMATION SYSTEMS SECURITY
CAT 1
a) Explain the following: IP spoofing, DNS spoofing, HTTPS spoofing, SSL hijacking, Wi-Fi hacking. [6 MKS]
b) Explain three hacking tools, which are useful in securing networks. [6 MKS]
c) Explain how SQL injection works in a network. [6 MKS]
d) Name six penetration testing tools and one disadvantage of each. [6 MKS]
e) Which options do you have in executing a Denial of Service Attack? [6 Mks]