IT Security Concepts

D. Chakravarty,
d_chakravarty@bsnl.co.in
Advanced Level Telecom Training Centre, Ghaziabad
In this session we shall cover
• Information Security Overview
• Information Security Services
• Types of Attacks
• Goals of Security
• E-commerce Security
• Computer Forensics
• Steganography
• Security Engineering

1/24/2014
Information Security Overview
• Need for Information Security:
– Protect intellectual property:
• Design, market strategy info, patients’ info, national security
& public safety info
– Convergence era: “Anywhere, anytime communication”
• Online education, banking, auction, e-governance, PO,
invoice
• Security Threats:
– Technology: human benefits, but also crimes & anti-social activities
– Spam, viruses, info wars, hacking of bank / credit card info
• Adverse effects: privacy & confidence loss of individuals
– Direct & indirect losses, frauds, espionage
Information Security Overview
• Motives of attack:
– Intelligence
– Financial Gain
– Gaining Access
– Thrill, Fun and Games
– Political Hacktivism
• People, Policy, Procedures and Products
– People: Awareness of security & ethical issues, policies, law
– Policy: Reflects management’s approach and commitment
– Procedure: Identification of critical info assets, vulnerabilities and
threats; preventive measures to avoid threats; mechanisms for
detection of frauds and recovery of systems after attacks
– Products: Anti-virus, firewall, surveillance, IDS

Information Security Overview
• Security system engineering:
Design, Develop and Deploy
• Standard approach models:
– SSE-CMM: System Security Engineering Capability
Maturity Model
– OCTAVE: Operationally Critical Threat, Asset and
Vulnerability Evaluation

Information Security Services
• A security system has to provide the following services:
– Confidentiality
Ensures secrecy of data. Its aim is to prevent access attacks.
– Integrity
Ensures correctness of information. Its aim is to prevent
modification attacks.
– Availability
Ensures that the information infrastructure is available to authorised
users. Its aim is to prevent denial-of-service attacks.
– Accountability
Ensures that only authorised users have access to the information
or services.
Types of Attacks
• Social Engineering Attack
– Use non-technical means to gain unauthorised access to info
• Access Attack
– gain unauthorised access to information through eavesdropping,
snooping or interception
• Modification Attack
– Making unauthorised changes to information
• Denial-of-Service Attack
– Make information resources (computer or communication links)
unavailable to authorised users
• Repudiation Attack
– Give false information or deny the occurrence of any event
How to Secure Information?
It involves
• Security at all levels, viz.
– Network
– OS
– Application
– Data

Hacking is not difficult
• Attack tools are available
• Ready-made exploits
• Attack Tools (e.g.)
– Port Scanners (Fport, Hping2 ..)
– Vulnerability Scanners (Retina…)
– Password Crackers (John the Ripper..)

Security Incidents - Reasons
• Malware (Malicious Codes)
• Known Vulnerabilities
• Configuration Errors

Various Malware
• Virus
• Worms
• Trojan Horses
• Bots
• Key Loggers

Vulnerable Configurations
• Default Accounts
• Default Passwords
• Unnecessary Services
• Remote Access
• Logging and Audit Disabled

Goals of Security
• Prevention
– To ensure that the possible attacks will fail
• Detection
– To monitor an attack and work out possible preventive
measures.
• Recovery
– To repair the damage done by an attack

E-commerce Security
• Protection of e-commerce assets from unauthorised
access, use, alteration or destruction.
• While security features do not guarantee a secure
system, they are necessary to build a secure system.

E-commerce Security
Security features categories:
• Authentication: Verifies you are who you say you are. It enforces that you are the only
one allowed to log on to your Internet banking account.
• Authorization: Allows only you to manipulate your resources in specific ways.
This prevents you from increasing the balance of your account or deleting a bill.
• Encryption: Deals with information hiding. It ensures others cannot spy on you
during Internet banking transactions.
• Auditing: Keeps a record of operations. Merchants use auditing to prove that
you bought specific merchandise.
• Integrity: Prevention against unauthorized data modification.
• Non-repudiation: Prevention against any one party reneging on an
agreement after the fact.
• Availability: Prevention against data delays or removal.

Computer Forensics
• Carry out investigation and collect evidence from the computers
• Criminal’s Tactics: email, whois, nslookup, password crack, DoS,
destroy evidence
• To catch a criminal, think like a criminal
• Digital Evidence: log files, email headers, address book, recycle bin
• Anonymizer: Service for accessing Internet services anonymously
• Forensic Tools
• Cyber laws, criminal’s psychology, eye for detail, computer
& networking knowledge

Steganography
• Art of covered writing
• Secret message can be text, voice, image or video
• Cover document - Watermark
• Watermark should not distort the cover doc
appreciably.
• Digital watermarking: ©, s/w sl. hidden in multimedia
• In this convergence era, steganography is a promising
security technology, but at the same time it poses a
serious threat to public safety and information
security, as cyber-criminals and cyber-terrorists use
it extensively
Steganography Communication
[Diagram: sender-side steganography software takes the Cover Document and the Watermark and embeds them (Encryption); the result travels over the Network; receiver-side steganography software separates the Document and the Watermark again (Decryption).]
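The embed / recover flow in the diagram above, as an added example that is not part of the original slides: a least-significant-bit (LSB) scheme over a constructed grayscale cover, written in Python. It shows why the cover is not distorted appreciably (each pixel changes by at most 1) and the kind of LSB statistic a detector looks at; the gradient cover, the length-prefix framing and all function names are assumptions of this example.

```python
from typing import Iterator, List

def _bits(data: bytes) -> Iterator[int]:
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1

def embed(cover: List[int], secret: bytes) -> List[int]:
    """Sender side: copy cover (8-bit pixels) with secret written into its LSBs.
    A 4-byte big-endian length prefix tells extract() where to stop."""
    payload = len(secret).to_bytes(4, "big") + secret
    if len(payload) * 8 > len(cover):
        raise ValueError("cover document too small for this watermark")
    stego = list(cover)
    for idx, bit in enumerate(_bits(payload)):
        stego[idx] = (stego[idx] & 0xFE) | bit  # overwrite only the LSB
    return stego

def _read_bytes(stego: List[int], start: int, count: int) -> bytes:
    """Reassemble count bytes from the LSBs of stego starting at pixel start."""
    out = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (stego[start + b * 8 + i] & 1)
        out.append(value)
    return bytes(out)

def extract(stego: List[int]) -> bytes:
    """Receiver side: read the length prefix, then that many payload bytes."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    return _read_bytes(stego, 32, length)

def max_distortion(cover: List[int], stego: List[int]) -> int:
    """Largest per-pixel change caused by embedding (1 for plain LSB)."""
    return max(abs(a - b) for a, b in zip(cover, stego))

def lsb_ones_ratio(pixels: List[int], n: int) -> float:
    """Share of 1-bits among the first n LSBs: a simple steganalysis statistic
    compared against the cover's natural LSB distribution."""
    return sum(p & 1 for p in pixels[:n]) / n

# Constructed cover "document": a smooth 8-bit gradient with every LSB clear.
COVER = [(i * 2) % 256 for i in range(512)]
SECRET = b"(c) constructed watermark"
STEGO = embed(COVER, SECRET)
```

On this constructed gradient every natural LSB is 0, which is exactly why the ones-ratio flags the embedded region; real images have noisier LSB planes, so practical detectors compare against the statistics of similar untouched images.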
Security Engineering
Systematic approach to develop secure information systems.
• To provide solutions to prevent attacks to the maximum
possible extent.
• Process oriented approach:
– Identify the critical assets and then security requirements
– Identify the security threats and vulnerabilities
– Design various components that make up the Security System
– Implement the design
– Continuously monitor the implementation and observe its
effectiveness
– Continuously improve the processes to meet the overall security
objectives of your organisation.
Security Engineering
System Security Engineering-Capability Maturity Model (SSE-CMM)
• Process Areas:
– Engineering Process Areas
– Project Process Areas
– Organisational Process Areas
• Capability Maturity Levels: 6 levels
– Level 0: No defined process
– Level 1: Processes are informally defined
– Level 2: Processes are well planned & implementation is tracked
– Level 3: Organisation-wide well-defined processes
– Level 4: Processes are quantitatively controlled
– Level 5: Processes are continuously improved.
THANK YOU!
