
Information Security

Vijay Atluri
atluri@rutgers.edu
http://sites.rutgers.edu/vijay-atluri

Text Book
• William Stallings and Lawrie Brown, Computer
Security: Principles and Practice, 4th edition


Objectives

• List and discuss recent trends in computer security


• Describe simple steps to take to minimize the
possibility of an attack on a system
• Describe various types of threats that exist for
computers and networks
• Discuss recent computer crimes that have been
committed


A quick note!
• This course is about security defense, not how to
attack
– Defense is too complex to focus mostly on specific attacks
– Nevertheless, we will learn the modus operandi of a few
• Unless you understand the threats you face, you cannot prepare
for defense


The Security Problem


• Sixty years ago, computers and data were uncommon.
• Computer hardware was a high-value item and security
was mainly a physical issue.
• Entire system was dedicated to a single user
• protection simply means users picking up their tapes and
cards, clearing up the memory after the job is finished
• growing demand for better efficiency
– led to multiplexing, multiprogramming, resource-sharing operating
systems, time-sharing
– security means isolation of independent software structures and
simultaneously executing processes from each other (primarily to
prevent accidents and errors)


The Security Problem (continued)

• users' demand for computing power closer to their work areas
– led to networking enabling neighbor processors and applications to
communicate
– realized the need for communication security
• Increased demand for connectivity compounded the
security problems
– due to more sophisticated users who need to exchange data,
send/receive messages via e-mail, access common databases,
share programs and applications to speed up and reduce
application development efforts, share expensive storage and
output devices ..


The Security Problem (continued)


• computers have become more sophisticated and more
powerful
• Now, personal computers are ubiquitous and portable,
making them much more difficult to secure physically.
• Computers are often connected to the Internet.
• The value of the data on computers often exceeds the
value of the equipment.
• Typical computer user today is not as technically
sophisticated as the typical computer user 50 years ago.
• No longer are computers reserved for use by scientists
and engineers
• Almost all businesses have online presence
• Explosion of social online connectivity

The Security Problem (continued)


• Electronic crime can take a number of different
forms, but the ones we will examine here fall into
two basic categories:
1. Crimes in which the computer was the target
2. Incidents in which a computer was used to
perpetrate the act
• Virus activity also existed prior to 1988, having
started in the early 1980s.


What is Security?
• “The quality or state of being secure—to be
free from danger”
• A successful organization should have
multiple layers of security in place:
– Physical security
– Personal security
– Operations security
– Communications security
– Network security
– Information security

Why do we care?
• 2001 AD - The Wild Wild West!!
• Out-of-the-box Linux PC hooked to Internet, not
announced:
– [30 seconds] First service probes/scans detected
– [1 hour] First compromise attempts detected
– [12 hours] PC fully compromised:
• Administrative access obtained
• Event logging selectively disabled
• System software modified to suit intruder
• Attack software installed
• PC actively probing for new hosts to intrude
Source – CERT Report
• Example sites that report incidents
– Computer Emergency Response Team (CERT)
– The Cyber Security Hub
– The New Jersey Cybersecurity and Communications Integration
Cell (NJCCIC)

The Situation we have today


So why are we so vulnerable?


• Poor Software and Systems Design
– Buffer Overflow is the cause of almost half the known
vulnerabilities
– Shrinking time to market leads to improperly tested software
– Security not considered during design time but only added later
on
• Lack of Education
– Secure programming techniques not taught in typical curriculum
– Lack of awareness about security issues
• No Security Policies/Procedures in place
– Even when present, not followed
• Lack of Deterrence Mechanisms
– Most criminal acts go unpunished


Many weak links


• many weak links
– vulnerabilities in client software, server software, back-end databases
– web clients and servers
– the whole system is as secure as its weakest link

[Figure: diagram labeled SERVER, CLIENT, Database]


Many Weak Links (continued)


[Figure: weak links in a system. Components: Users, Terminals, Application Programs, DBMS, Computer Hardware and Software, Database. Threat labels: Fraudulent identification, Intercept, Tap, Crosstalk, Malicious code, Unauthorized access, Failure of protection mechanisms]

Contributing Factors
• Lack of awareness of Internet threats and risks
– Security measures are often not considered until an Enterprise has
been penetrated by malicious users
• Wide-open network policies
– Many Internet sites allow wide-open Internet access
• Vast majority of Internet traffic is unencrypted
– Network traffic can be monitored and captured
• Security is still too often an afterthought
– rather than being an integral part of the design process
• the inherent nature of internet
– targeted towards flexibility, interoperability, connectivity rather than
security
– Lack of security in TCP/IP protocol suite
• Most TCP/IP protocols not built with security in mind
– New generation of protocols address this to a certain extent (Internet
Engineering Task Force (IETF))

Contributing Factors
• Complexity of security management and administration
• In developing a particular security mechanism or algorithm, one
must always consider potential attacks on those security features
• Procedures used to provide particular services are often
counterintuitive
• Exploitation of software (e.g., protocol implementation) bugs
• Cracker skills keep improving
• easy to commit crime due to
– lack of forensic evidence
– anonymity
– sensitive data repositories being vulnerable targets
– regular auditing of computer usage being rare
– nonexistent regulatory policies and laws
• Cookies and privacy concerns
• executable contents (Java applets, ActiveX controls)
• push technology
• CGI scripts

Contributing Factors
• Security algorithms rely on some secret information (e.g., keys), which in turn
requires creation, distribution, and protection of that secret information
• Attackers only need to find a single weakness, while
the designer must find and eliminate all weaknesses
• Security requires regular and constant monitoring
• Perceived as no return on investment by many
– Most organizations are more reactive than proactive
• Often need to sacrifice efficiency/user-friendliness


Key Security Objectives

• Confidentiality – concerned with unauthorized disclosure of information
• Integrity – concerned with unauthorized modification of information
• Availability – concerned with improper denial of access to information

Vulnerabilities, Threats and Attacks
• Categories of vulnerabilities
• Corrupted (loss of integrity)
• Leaky (loss of confidentiality)
• Unavailable or very slow (loss of availability)

• Threats
• Capable of exploiting vulnerabilities
• Represent potential security harm to an asset

• Attacks (threats carried out)


• Passive – attempt to learn or make use of information from the system that does
not affect system resources
• Active – attempt to alter system resources or affect their operation
• Insider – initiated by an entity inside the security perimeter
• Outsider – initiated from outside the perimeter

Passive and Active Attacks

Passive Attack
• Attempts to learn or make use of information from the system but does not affect system resources
• Eavesdropping on, or monitoring of, transmissions
• Goal of attacker is to obtain information that is being transmitted
• Two types:
o Release of message contents
o Traffic analysis

Active Attack
• Attempts to alter system resources or affect their operation
• Involve some modification of the data stream or the creation of a false stream
• Four categories:
o Replay
o Masquerade
o Modification of messages
o Denial of service

Table 1.3: Computer and Network Assets, with Examples of Threats
Table 1.2: Threat Consequences, and the Types of Threat Actions That Cause Each Consequence (based on RFC 4949)
**Table is on page 10 in the textbook.



Achieving Security

Policy
– what?
– specifies the requirements to be implemented
– includes software, hardware, physical, personnel, procedural
– specifies goals but does not specify how to achieve them

Mechanism
– how?
– specifies how the policy can be implemented

Assurance
– how well?
– ensures how well the mechanism meets the policy requirements
– low assurance mechanisms are easy to implement whereas high
assurance mechanisms are very difficult to implement
• Evaluation
– Process of measuring assurance

Computer Security Strategy

Security Policy
• Formal statement of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources

Security Implementation
• Involves four complementary courses of action:
o Prevention
o Detection
o Response
o Recovery

Assurance
• Encompassing both system design and system implementation, assurance is an attribute of an information system that provides grounds for having confidence that the system operates such that the system’s security policy is enforced

Evaluation
• Process of examining a computer product or system with respect to certain criteria
• Involves testing and may also involve formal analytic or mathematical techniques

Fundamental Security Design Principles
• Economy of mechanism
• Fail-safe defaults
• Complete mediation
• Open design
• Separation of privilege
• Least privilege
• Least common mechanism
• Psychological acceptability
• Isolation
• Encapsulation
• Modularity
• Layering
• Least astonishment

Attack Surfaces
Consist of the reachable and exploitable vulnerabilities in a system

Examples:
• Open ports on outward facing Web and other servers, and code listening on those ports
• Services available on the inside of a firewall
• Code that processes incoming data, email, XML, office documents, and industry-specific custom data exchange formats
• Interfaces, SQL, and Web forms
• An employee with access to sensitive information vulnerable to a social engineering attack

Attack Surface Categories

Network Attack Surface
• Vulnerabilities over an enterprise network, wide-area network, or the Internet
• Included in this category are network protocol vulnerabilities, such as those used for a denial-of-service attack, disruption of communications links, and various forms of intruder attacks

Software Attack Surface
• Vulnerabilities in application, utility, or operating system code
• Particular focus is Web server software

Human Attack Surface
• Vulnerabilities created by personnel or outsiders, such as social engineering, human error, and trusted insiders


Security Techniques

• 1) Prevention
– Prevent attackers from violating security policy
– Involves implementing mechanisms that users cannot override
and are trusted to be implemented in correct and unalterable
ways.
– E.g., access control
• 2) Detection
– Detect attackers’ violation of security policy
• Goal is to determine that an attack is underway, or has occurred
and report it.
– auditing/intrusion detection
– incident handling
– Sometimes detection is the only option, e.g.,
• Accountability in proper use of authorized privileges
• Modification of messages in a network


Security Techniques (continued)

• 3) Recovery
– Stop attack, assess and repair damage
– Continue to function correctly even if attack succeeds
– i.e., Resuming correct operation either after an attack or
even while an attack is underway.

• 4) Tolerance
– practicality


Security Techniques (continued)


• Security by Obscurity
– Security by obscurity says that if we hide the inner
workings of a system it will be secure
– It is a bad idea
– Less and less applicable in the emerging world of
vendor-independent open standards
– Less and less applicable in a world of widespread
computer knowledge and expertise


Security Techniques (continued)


• Security by legislation
– Security by legislation says that if we instruct our users
on how to behave we can secure our systems
– It is a bad idea
– For example
• Users should not share passwords
• Users should not write down passwords
• Users should not type in their password when someone is
looking over their shoulder
• Users should not open attachments from unknown parties
– User awareness and cooperation is important, but
cannot be the principal focus for achieving security


Securing Components
• Computer can be subject of an attack and/or
the object of an attack
– When the subject of an attack, computer is used as an
active tool to conduct attack
– When the object of an attack, computer is the entity being
attacked


Balancing Information Security and Access


• Impossible to obtain perfect security
– It is a process NOT a turn-key product
– absolute security does not exist
– security in most systems can be improved
• Security should be considered a balance between protection and availability
• To achieve balance, level of security must allow reasonable access, yet protect against threats

Security Trade-offs

• confidentiality
• integrity
• availability
versus
• cost
• functionality
• ease of use


Risk Assessment
• Threats
– possible attacks
• Vulnerabilities
– weaknesses
• Assets
– information and resources
• Risk
– combination of threats, vulnerabilities and assets
• R=V*P*S
– where R= risk, V= value of an asset, P = probability of occurrence of threat, S =
vulnerability of the asset to the threat (i.e., severity of effect of the threat)
• more sophisticated models can be developed
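
A worked instance of the R=V*P*S formula above, added here as an illustration and not part of the original slides: it scores a small constructed risk register, ranks the entries, and totals risk per asset. The asset names, dollar values, the scaling of P and S to the range 0 to 1, and the per-asset summation are all assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One (asset, threat) pair scored with the slide's R = V * P * S."""
    asset: str
    threat: str
    value: float        # V: value of the asset (assumed: dollars)
    probability: float  # P: probability the threat occurs (assumed: 0..1 per year)
    severity: float     # S: vulnerability of the asset to the threat (assumed: 0..1)

    def risk(self) -> float:
        # Reject inputs outside the assumed scales so a typo such as
        # P = 30 (meant as 30%) cannot silently dominate the ranking.
        if self.value < 0:
            raise ValueError(f"{self.asset}: asset value must be non-negative")
        for name, x in (("probability", self.probability),
                        ("severity", self.severity)):
            if not 0.0 <= x <= 1.0:
                raise ValueError(f"{self.asset}/{self.threat}: {name} must be in [0, 1]")
        return self.value * self.probability * self.severity


# Constructed sample register; every number here is illustrative only.
REGISTER = [
    Exposure("customer database", "SQL injection",     500_000, 0.30, 0.9),
    Exposure("customer database", "insider misuse",    500_000, 0.05, 0.6),
    Exposure("public web server", "denial of service",  80_000, 0.50, 0.4),
    Exposure("staff laptops",     "theft",              40_000, 0.20, 0.5),
]


def ranked(register):
    """Return exposures ordered from highest to lowest risk."""
    return sorted(register, key=lambda e: e.risk(), reverse=True)


def risk_by_asset(register):
    """Sum risk over all threats to each asset (a simple extension of the formula)."""
    totals = {}
    for e in register:
        totals[e.asset] = totals.get(e.asset, 0.0) + e.risk()
    return totals


if __name__ == "__main__":
    for e in ranked(REGISTER):
        print(f"{e.risk():>10,.0f}  {e.asset:<18} {e.threat}")
    print(risk_by_asset(REGISTER))
```

Note that the likely but low-severity denial of service on a cheaper asset outranks the unlikely insider threat to the most valuable one: all three factors matter, not asset value alone.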


Risks
• Electronic systems are susceptible to abuse, misuse and
failure
• direct financial loss resulting from fraud
• theft of valuable confidential information
• loss of business opportunity due to disruption of service
• unauthorized use of resources
• loss of customer confidence
• costs resulting from uncertainties
• false and malicious web sites posing as selling agents
• theft of customer data from selling agents
• privacy and the use of cookies
• customer impersonation


Operational Issues
• Cost-Benefit Analysis
– Is it cheaper to prevent or recover?
• Risk Analysis
– Should we protect something?
– How much should we protect this thing?
• Laws and Customs
– Are desired security measures illegal?
– Will people do them?


Human Issues
• Organizational Problems
– Power and responsibility
– Financial benefits
• People problems
– Outsiders and insiders
– Social engineering


Tying Together

Threats
Policy
Specification

Design

Implementation

Operation

Standards
• Standards have been developed to cover management practices and the
overall architecture of security mechanisms and services
• The most important of these organizations are:
o National Institute of Standards and Technology (NIST)
• NIST is a U.S. federal agency that deals with measurement science, standards, and technology
related to U.S. government use and to the promotion of U.S. private sector innovation
o Internet Society (ISOC)
• ISOC is a professional membership society that provides leadership in addressing issues that
confront the future of the Internet, and is the organization home for the groups responsible
for Internet infrastructure standards, including the Internet Engineering Task Force (IETF)
and the Internet Architecture Board (IAB). These organizations develop Internet standards
and related specifications, all of which are published as Requests for Comments (RFCs).

o International Telecommunication Union (ITU-T)


• ITU is a United Nations agency in which governments and the private sector coordinate global
telecom networks and services
o International Organization for Standardization (ISO)
• ISO is a nongovernmental organization whose work results in international agreements that
are published as International Standards

NSTISSC Security Model

NSTISSC – National Security Telecommunications and Information Systems Security Committee
established by President Bush under National Security Directive 42

What is your pay-off?


• security competence is a rare, valuable skill
• U.S. News' Best Jobs rankings
– No. 1 in the top 100: Information Security Analyst
https://money.usnews.com/careers/best-jobs/rankings/the-100-best-jobs
The U.S. government, health care organizations, financial systems and
other companies are growing more reliant on information security
analysts to protect their information systems against hackers and
cyberattacks. The Bureau of Labor Statistics projects 31.2 percent
employment growth for information security analysts between 2019 and
2029. In that period, an estimated 40,900 jobs should open up.
• Cybersecurity Ventures
– predicts there will be 3.5 million unfilled cybersecurity jobs by 2021, up
from 1 million openings in 2014. (this prediction has come true)
https://cybersecurityventures.com/jobs/
– Global spending on security awareness training for employees is
predicted to reach $10 billion by 2027, up from around $1 billion in
2014. Training employees how to recognize and defend against cyber
attacks is the most under spent sector of the cybersecurity industry.


What is your pay-off? (continued)


• Google and Microsoft promise billions to help bolster
US cybersecurity
– Tech companies like Apple, Google, and Microsoft promised to
help bolster US cybersecurity after a meeting with President
Joe Biden at the White House on Wednesday (8/25/2021). The
pledges vary by company but range from spending billions on
cyber infrastructure to offering supply-chain aid and education.
– Google said it would spend more than $10 billion over the next
five years to strengthen US cybersecurity and the software
supply chain. Microsoft said that it would invest $20 billion in
five years, making similar promises as Google.


Jobs in Cyber Security


• Plenty available
• Example - IT Intern-Security at Godiva (PA)
• Principal responsibilities
– Assist with the development of new Security Event Logging Policies and
Standards (10%)
– Assist with the development and automation of new security reports for
IT staff and managers (20%)
– Research common security events and associated forensic approaches
(10%)
– Assist with the inspection of security configuration of IT systems (20%)
– Assist with creation of Computer Security Incident First Responder
instructional documentation and tool evaluation (20%)
– Learn security related regulations and obligations including PCI DSS 1.2
and SOX Section 404 (10%)
– Learn security guidelines from authoritative sources (e.g., NIST, CERT,
CIS, etc.) and assist with process improvement (10%)


Example Jobs - Information Security Engineer Professional
• Essential Job Functions
– Performs basic vulnerability scans using vendor utility tools. Monitors security
audit and intrusion detection system logs for system and network anomalies.
Investigates and/or escalates security violations, attempts to gain unauthorized
access, virus infections that may affect the network or other event affecting
security. Documents and reports event(s).
– Assists in providing engineering analysis, design and support for firewalls,
routers, networks and operating systems.
– Assists in performing product evaluations and recommends products/services
for network security. Validates and tests basic security architecture and design
solutions to produce detailed engineering specifications with recommended
vendor technologies.
– Develops, tests and operates firewalls, intrusion detection systems, enterprise
anti-virus systems and software deployment tools.
– Assists in the review and recommends the installation, modification or
replacement of hardware or software components and any configuration
change(s) that affects security.
– Assists in providing oversight and enforcement of security directives, orders,
standards, plans and procedures at server sites.


Outline of the course


• Cryptographic Solutions
– Secret Key and Public Key
– Digital Signatures and Key Management
– Authentication
• Attacks and Defenses
• Internet Security
• Access Control and Security Models
• Database Security
• Cloud Security
• Crypto Currency (if time permits)
• Privacy (will not cover)
