Introduction to security

2
 Data: raw facts {Alphanumeric, image, audio, and video}
 Information: result of processing, manipulating and organizing data in a way
that adds to the knowledge of the receiver. {Processed Data}
 Knowledge: Knowledge is normally processed by means of structuring,
grouping, filtering, organizing or pattern recognition. {Highly structured
information}
An Information System is a set of interrelated components that collect or retrieve,
process, store and distribute information to support decision making and control in
an organization.
Mukesh Chinta, Asst Prof, CSE,VRSEC
'Information is an asset which, like other important business assets, has value to
an organization and consequently needs to be suitably protected’
BS ISO 27002:2005

3  Security is one of the oldest problem that governments, commercial
organizations and almost every person has to face. The need of security exists
since information became a valuable resource.
 Introduction of computer systems to business has escalated the security problem
even more.
 The advances in networking and specially in distributed systems made the need
for security even greater.
 Any breach with the Information System will lead to Loss of productivity, loss
of revenue, legal liabilities, loss of reputation and other losses.
 Cyber crime is defined as criminal activity involving the IT infrastructure,
including illegal access, illegal interception, data interference, misuse of devices,
ID theft and electronic fraud

4
The e-commerce sector in India is facing a major hurdle due to ineffectiveness of
cyber laws.

6  So now we know that we need security.
BUT what is security anyway ?
 Many people fail to understand the meaning of the word.
 Many corporations install an antivirus software, and/or a firewall and believe they are protected.
Are they ?
“In the real world, security involves processes. It involves preventive technologies, but also detection and
reaction processes, and an entire forensics system to hunt down and prosecute the guilty. Security is not
a product; it itself is a process. …. ”
Bruce Schneier

7
The U.S. Government’s National Information Assurance Glossary defines
INFOSEC as:
“Protection of information systems against
unauthorized access to or modification of
information, whether in storage, processing or
transit, and against the denial of service to
authorized users or the provision of service to
unauthorized users, including those measures
necessary to detect, document, and counter
such threats.”

8
ARPANET, the precursor to the modern internet allowed easy synchronization of information
between data centers but has unsecure points between the data centers and the public. This
vulnerability was addressed by securing physical locations and hardware. A task force formed by
ARPA (Advanced Research Projects Agency) to study internet security in 1967 found this
method to be inadequate, and released the Rand Report R-609 which determined additional
steps must be taken to improve security. This report marked an important stage in the
development of today's information security.
 1960s: Organizations start to protect their computers
 1970s: The first hacker attacks begin
 1980s: Governments become proactive in the fight against cybercrime
 1990s: Organized crime gets involved in hacking
 2000s: Cybercrime becomes treated like a crime
 2010s: Information security becomes serious

9
The protection afforded to an automated information system in order to attain the
applicable objectives of preserving the integrity, availability, and confidentiality of
information system resources (includes hardware, software, firmware, information/data,
and telecommunications).
The NIST (National Institute of Standards & Technology} Computer Security Handbook [NIST95]
(Available from: http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf) defines the term
computer security as
The definition introduces three key objectives that are at the heart of the computer security:
 Confidentiality
• Data Confidentiality
• Privacy
 Integrity
• Data Integrity
• System Integrity
 Availability

10
 Confidentiality
• Data Confidentiality - Assures that private or confidential information is
not made available or disclosed to unauthorized individuals.
• Privacy - Assures that individuals control or influence what information
related to them may be collected and stored and by whom and to whom
that information may be disclosed.
 Integrity
• Data Integrity - Assures that information and programs are changed only
in a specified and authorized manner
• System Integrity - Assures that a system performs its intended function in
an unimpaired manner, free from deliberate or inadvertent unauthorized
manipulation of the system.
 Availability - Assures that systems work promptly and service is not denied
to authorized users.

11
Federal Information Processing Standards Publications (FIPS PUB 199)
provides a useful characterization of these three objectives in terms of
requirements and the definition of a loss of security in each category:
• Confidentiality : Preserving authorized restrictions on information access and disclosure,
including means for protecting personal privacy and proprietary information. A loss of
confidentiality is the unauthorized disclosure of information.
• Integrity: Guarding against improper information modification or destruction, and
includes ensuring information non-repudiation and authenticity. A loss of integrity is the
unauthorized modification or destruction of information.
• Availability: Ensuring timely and reliable access to and use of information. A loss of
availability is the disruption of access to or use of information or an information system.
• Authenticity: The property of being genuine and being able to be verified and trusted;
confidence in the validity of a transmission, a message, or message originator.
• Accountability: The security goal that generates the requirement for actions of an entity
to be traced uniquely to that entity.

12
LOW MODERATE HIGH
Effect on organizational operations,
assets or individuals
Limited Serious Severe or even
catastrophic
Primary functions of the organization
and their effectiveness
Minor
degradation
Significant
degradation
Severe degradation
Damage to organizational assets Minor Significant Major
Financial Loss Minor Significant Major
Harm to individual Minor Significant Severe (loss of life
or life-threatening
injuries)
FIPS PUB 199 define three levels of impact on organizations or individuals
should there be a breach of security : Low, Moderate and High

13
1. Not simple – seems to be straight forward but very complex
2. Must consider potential attacks on security features
3. Procedures used are often counter-intuitive
4. Involves multiple algorithms and secret information
5. Must decide where to deploy security mechanisms
6. Battle of wits between attacker / admin
7. Not perceived on benefit until a security failure happens
8. Requires regular/constant monitoring which is difficult
9. Often an after-thought rather than an integral part of the process
10. Strong security is regarded as impediment to free usage of a system

14
ITU-T X.800 “Security Architecture for OSI” defines a systematic way of defining and
providing security requirements. Three important aspects of OSI security architecture are:
: Any action that compromises the security of information owned by an
organization.
: A process (or a device incorporating such a process) that is
designed to detect, prevent, or recover from a security attack.
: A processing or communication service that enhances the security of
the data processing systems and the information transfers of an organization.

Threats Vulnerabilities
Risk
Asset valuesProtection
Requirements
Information
assets
Controls *
reduce
– a potential for violation
of security
– Something that
can potentially cause damage to
the organization, IT Systems or
network
– an assault on system
security, a deliberate attempt to
evade security services
: A possibility that a threat
exploits a vulnerability in an asset
and causes damage or loss to the
asset.
Relationship between Risk, Threats, and Vulnerabilities

16
The security attacks are classified into and
 A passive attack attempts to learn or make use of information from the system but does
not affect system resources. These are difficult to detect and focus will be on
prevention.
 Active attacks involve some modification of the data stream or the creation of a false
stream. These are difficult to prevent and focus is on detection and recovery.

17
Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent
is to obtain information that is being transmitted. Two types of passive attacks are:
 Release of message contents – Any transferred message could be intercepted or listened to
 Traffic analysis - monitor traffic flow to determine location and identity of communicating hosts and could
observe the frequency and length of messages being exchanged.
Release of Message Contents Traffic Analysis

18
An active attack is one in which an unauthorized change of the system is attempted. This
could include, for example, the modification of transmitted or stored data, or the creation of
new data streams
relate to an entity (usually a computer or a person) taking on a false identity in
order to acquire or modify information, and in effect achieve an unwarranted privilege status.
involves the re-use of captured data at a later time than originally intended in order
to repeat some action of benefit to the attacker.

19 could involve modifying a packet header address for the
purpose of directing it to an unintended destination or modifying the user data.
prevent the normal use or management of
communication services, and may take the form of either a targeted attack on a
particular service or a broad, incapacitating attack.

Security Services
Authentication
Access Control
Data
Confidentiality
Data Integrity
Non Repudiation
Peer Entity Authentication
Data-Origin Authentication
Connection Confidentiality
Connectionless Confidentiality
Selective-Field Confidentiality
Traffic-Flow Confidentiality
Connection Integrity with Recovery
Connection Integrity without Recovery
Selective-Field Connection Integrity
Connectionless Integrity
Selective-Field Connectionless Integrity
Nonrepudiation, Origin
Nonrepudiation, Destination
RFC 2828 defines Security Service as a processing or communication service that is
provided by a system to give a specific kind of protection to system resources.
X.800 divides security services into five categories and fourteen specific services. Security Services intend to counter security
attacks and make use of one or more security mechanisms to provide the service

22 – Authentication service is concerned with assurance that
communicating entity is the one claimed. It helps in establishing proof of identification.
Two specific authentication services are defined:
- provides corroboration of the identity of a peer entity in an
association. This service provides confidence, at the time of usage only, that an entity is not
attempting a masquerade or an unauthorized replay of a previous connection.
- provides corroboration of the source of a data unit. In a
connectionless transfer, provides assurance that the source of received data is as claimed
– It is the protection of transmitted data from passive attacks,
and the protection of traffic flow from analysis.
: The protection of all user data on a connection
: The protection of all user data in a single data block
The confidentiality of selected fields within the user data on
a connection or in a single data block
The protection of the information that might be derived from
observation of traffic flows

23
– It assures that messages are received as sent by an authorized entity,
with no duplication, insertion, modification, reordering, replay, or loss.
Provides for the integrity of all user data on a
connection and detects any modification, insertion, deletion, or replay of any data within an
entire data sequence, with recovery attempted
As above, but provides only detection without
recovery.
Provides for the integrity of selected fields within the
user data of a data block transferred over a connection and takes the form of determination of
whether the selected fields have been modified, inserted, deleted, or replayed.
Provides for the integrity of a single connectionless data block
and may take the form of detection of data modification.
Provides for the integrity of selected fields within
a single connectionless data block
– It is the ability to limit and control the access to host systems and
applications via communications links. The prevention of unauthorized use of a resource
(i.e., this service controls who can have access to a resource, under what conditions
access can occur, and what those accessing the resource are allowed to do).

24
: This service does not allow the sender or receiver of a message to
refuse the claim of not sending or receiving that message.
: Proof that the message was sent by the specified party.
: Proof that the message was received by the specified part.
- It is the property of a system / resource being accessible and usable
upon demand by an authorized system entity, according to performance specifications
for the system. A variety of attacks can result in the loss of or reduction in availability.

25
Interception
Is Private?
Modification
Has been altered?
Forgery
Who am I dealing with?
Claim
Who sent/received it?
Not
SENT !
Denial of Service
Wish to access!!
Have you privilege?
Unauthorized access
Security Needs for Network Communications

26
Security Mechanism: A mechanism that is designed to detect, prevent, or recover
from a security attack. No single mechanism that will support all functions required.
 The security mechanisms are divided into those that are implemented in a
specific protocol layer called and those that are not
specific to any particular protocol layer or security service called
.

Security
Mechanism
Description
Encipherment The use of mathematical algorithms to transform data into a form that is not readily
intelligible. The transformation and subsequent recovery of the data depend on an
algorithm and zero or more encryption keys.
Digital Signature Data appended to, or a cryptographic transformation of, a data unit that allows a
recipient of the data unit to prove the source and integrity of the data unit and
protect against forgery.
Access Control A variety of mechanisms that enforce access rights to resources.
Data Integrity A variety of mechanisms used to assure the integrity of a data unit or stream of
data units.
Authentication
Exchange
A mechanism intended to ensure the identity of an entity by means of information
exchange
Traffic Padding The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.
Routing Control Enables selection of particular physically secure routes for certain data and allows
routing changes, especially when a breach of security is suspected.
Notarization The use of a trusted third party to assure certain properties of a data exchange.

28
Security
Mechanism
Description
Trusted
Functionality
That which is perceived to be correct with respect to some criteria (e.g., as
established by a security policy).
Security Label The marking bound to a resource (which may be a data unit) that names or
designates the security attributes of that resource.
Event Detection Detection of security-relevant events
Security Audit
Trail
Data collected and potentially used to facilitate a security audit, which is an
independent review and examination of system records and activities.
Security
Recovery
Deals with requests from mechanisms, such as event handling and management
functions, and takes recovery actions.

29

Data is transmitted over network between two communicating parties, who must cooperate for the
exchange to take place. A logical information channel is established by defining a route through the
internet from source to destination by use of communication protocols by the two parties.
Two components are present in almost all the security providing techniques.
 A security-related transformation on the information to be sent making it unreadable by the opponent, and
the addition of a code based on the contents of the message, used to verify the identity of sender.
 Some secret information shared by the two principals and, it, unknown to the opponent. A trusted third
party may be needed to distribute the secret information or to arbitrate disputes between the principals.

31
The general model shows that there are four basic tasks in designing a particular security
service:
1. Design an algorithm for performing the security-related transformation. The algorithm should be
such that an opponent cannot defeat its purpose
2. Generate the secret information to be used with the algorithm
3. Develop methods for the distribution and sharing of the secret information
4. Specify a protocol to be used by the two principals that makes use of the security algorithm and
the secret information to achieve a particular security service
Various other threats to information system like unwanted access still exist. The existence of hackers
attempting to penetrate systems accessible over a network remains a concern. Another threat is
placement of some logic in computer system affecting various applications and utility programs.
This inserted code presents two kinds of threats.
 Information access threats intercept or modify data on behalf of users who should not have
access to that data
 Service threats exploit service flaws in computers to inhibit use by legitimate users

32
Viruses and worms are two examples of software attacks inserted into the system by means of a
disk or also across the network.
Placing a gatekeeper function, which includes a password-based login methods that
provide access to only authorized users and screening logic to detect and reject worms,
viruses etc.
An internal control, monitoring the internal system activities analyzes the stored
information and detects the presence of unauthorized users or intruders.

33
Security Controls are categorized based on their functionality and plane of application.
Based on functionality, the types of controls are given as:
- These try to prevent security violations and enforce access control. Like other controls, preventive
controls may be physical, administrative, or technical: doors, security procedures, and authentication requirements
- Detective controls are in place to detect security violations and alert the defenders. They come into
play when preventive controls have failed or have been circumvented and are no less crucial than detective controls.
Detective controls include cryptographic checksums, file integrity checkers, audit trails and logs, and similar mechanisms.
- Corrective controls try to correct the situation after a security violation has occurred. Corrective
controls vary widely, depending on the area being targeted, and they may be technical or administrative in nature.
- Deterrent controls are intended to discourage potential attackers. Examples of deterrent controls include
notices of monitoring and logging as well as the visible practice of sound information security management.
– similar to corrective controls applied in more serious situations to recover from security violations and
restore information and information processing resources. These include disaster recovery and business continuity mechanisms,
backup systems and data, emergency key management arrangements, and similar controls.
- are intended to be alternative arrangements for other controls when the original controls have
failed or cannot be used. When a second set of controls addresses the same threats that are addressed by another set of controls,
the second set of controls are compensating controls.

34
Based on plane of application, the types of controls are given as:
 Physical Controls include doors, secure facilities, fire extinguishers, flood protection, and air
conditioning.
 Administrative Controls are the organization’s policies, procedures, and guidelines intended to
facilitate information security.
 Technical controls are the various technical measures, such as firewalls, authentication systems,
intrusion detection systems, and file encryption, among others.
 Logical access control models are the abstract foundations upon which actual access
control mechanisms and systems are built.
 Access control models define how computers enforce access of subjects (such as users,
other computers, applications, and so on) to objects (such as computers, files, directories,
applications, servers, and devices).
 Three main access control models exist:

Discretionary Access Control (DAC)
35
• In the DAC model, the owner (creator) of information (file or directory) has the discretion to decide about
and set access control restrictions on the object in question.
• The advantage of DAC is its flexibility: users may decide who can access information and what they can do
with it—read, write, delete, rename, execute, and so on.
• At the same time, this flexibility is also a disadvantage of DAC because users may make wrong decisions
regarding access control restrictions or maliciously set insecure or inappropriate permissions.
Mandatory Access Control (MAC)
• In systems utilizing MAC, users have little or no discretion as to what access permissions they can set on
their information.
• MAC-based systems use data classification levels (such as public, confidential, secret, and top secret) and
security clearance labels corresponding to data classification levels to decide, in accordance with the security
policy set by the system administrator, what access control restrictions to enforce.
• Additionally, per-group and/or per-domain access control restrictions may be imposed—that is, in
addition to having the required security clearance level, subjects(users or applications) must also belong to
the appropriate group or domain. This concept is called Compartamentalization or need to know.
• Though MAC systems are thought to be more secure than DAC systems, they are more difficult to use and
administer because of the additional restrictions imposed by the OS.
• Typically MAC systems are used in government, military and financial environments, where higher level of
security is required and costs are tolerated.

36
Role-Based Access Control (RBAC)
In the role-based access control model, rights and permissions are assigned to roles instead
of individual users. This added layer of abstraction permits easier and more flexible
administration and enforcement of access controls.
Centralized vs. Decentralized Access Control
In environments with centralized access control, a single, central entity makes access
control decisions and manages the access control system; whereas in distributed access
control environments, these decisions are made and enforced in a decentralized manner.
The selection of a particular access control approach should be made only after careful
consideration of an organization’s requirements and associated risks.

37
A vulnerability can occur anywhere in the IT environment, and can be the result of
many different root causes.
solutions gather comprehensive endpoint and
network intelligence and apply advanced analytics to identify and prioritize the
vulnerabilities that pose the most risk to critical systems.
includes assessment of the environment for known
vulnerabilities, and to assess IT components using the security configuration
policies(by device role) that have been defined for the environment.
is a dictionary of common names
(i.e., CVE Identifiers) for publicly known information security vulnerabilities.
provides an open framework for
communicating the characteristics and impacts of IT vulnerabilities.
provides a common
language of discourse for discussing, finding and dealing with the causes of
software security vulnerabilities as they are found in code, design, or system
architecture.

Introduction to security

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Introduction to security (20)

More from Mukesh Chinta (20)

Recently uploaded (20)

Introduction to security