
Assignment#01

Information security

Submitted By:

Waseem Ahmad id: 29598

Zrar Haider id:

Submitted to:

Sir

Q#01) What is the OSI security architecture?

Ans) The OSI security architecture is a systematic approach that is useful to managers as a way of
organizing the task of providing security. Because this architecture was developed as an international
standard, computer and communications vendors (suppliers) have developed security features for their
products and services that relate to its structured definition of services and mechanisms. The OSI
security architecture focuses on security attacks, mechanisms, and services.

These can be defined briefly as follows:

Security attack: Any action or activity that compromises or disturbs the security of information
owned by an organization.

Security mechanism: A process (or a device incorporating such a process) that is designed to detect,
prevent, or recover from a security attack, e.g. antivirus software.

Security service: A processing or communication service that enhances the security of the data
processing systems and the information transfers of an organization. The services are intended to counter
security attacks, and they make use of one or more security mechanisms to provide the service.

Q#02) What is the difference between passive and active security threats?

Passive Attacks

Passive attacks are those in which the attacker observes the messages and copies their content. They
focus on monitoring all transmissions and gathering the data. Unlike active attacks, they are difficult
to detect because they do not involve any alteration of the data or information.

Active attacks

Active attacks are attacks in which the attacker attempts to change or transform the content of messages
or information. These attacks are a threat to the integrity and availability of the system. Due to these
attacks, systems get damaged and information can be altered. Preventing these attacks is difficult
because of the wide range of physical and software vulnerabilities they can exploit. The damage done by
these attacks can be very harmful to the system and its resources.

Q#03) List and briefly define categories of passive and active security attacks.

Passive attack types

- Release of message content: a telephone conversation, an e-mail message or a transferred file may
contain confidential data. A passive attack monitors the contents of the transmitted data. When the
messages are exchanged, neither the sender nor the receiver is aware that a third party may capture
the messages.

- Traffic analysis: these attacks are based on what the attacker hears on the network. The attacker
simply listens to the network communication and performs traffic analysis to determine the location
of key nodes, the routing structure, and even application behaviour patterns.

Active attack types

- Masquerade

A masquerade takes place when one entity pretends to be a different entity. A masquerade
attack usually includes one of the other forms of active attack. For example, authentication
sequences can be captured and replayed after a valid authentication sequence has taken place,
thus enabling an authorized entity with few privileges to obtain extra privileges by impersonating
an entity that has those privileges.

- Replay

Replay involves the passive capture of a data unit and its subsequent retransmission to
produce an unauthorized effect (paths 1, 2, and 3 active).

- Modification of messages

Modification of messages simply means that some portion of a legitimate message is
altered, or that messages are delayed or reordered, to produce an unauthorized effect (paths 1 and 2
active). For example, a message meaning “Allow John Smith to read confidential file accounts” is
modified to mean “Allow Fred Brown to read confidential file accounts.”

- Denial of service

The denial of service prevents or inhibits the normal use or management of
communications facilities (path 3 active). This attack may have a specific target; for example, an
entity may suppress all messages directed to a particular destination (e.g., the security audit service).
Another form of service denial is the disruption of an entire network, either by disabling the network
or by overloading it with messages so as to degrade performance.

Q#04) List and briefly define categories of security services.

Ans) A security service is a service that is provided by a protocol layer of communicating open
systems and that ensures adequate security of the systems or of data transfers. It is a processing or
communication service that is provided by a system to give a specific kind of protection to system
resources; security services implement security policies and are implemented by security
mechanisms.

Security services are divided into five categories and fourteen specific services:

Authentication

Authentication is the process or action of verifying the identity of a user or process. The
authentication service is concerned with assuring that a communication is authentic.

Two specific authentication services are the following:

Peer entity authentication is provided for use at the establishment of, or at times during the data
transfer phase of, a connection. It attempts to provide confidence that an entity is not performing
either a masquerade or an unauthorized replay of a previous connection.

Data authentication is the process of confirming the origin and integrity of data. The term is
typically related to communication, messaging and integration. Data authentication has two
elements: authenticating that you're getting data from the correct entity and validating the integrity
of that data.

Access control

Access control is a security technique that regulates who or what can view or use resources in a
computing environment. It is a fundamental concept in security that minimizes risk to the business or
organization. Logical access control limits connections to computer networks, system files and
data.

Data confidentiality

Data confidentiality is about protecting data against unintentional, unlawful, or unauthorized access,
disclosure, or theft. Confidentiality has to do with the privacy of information, including authorizations
to view, share, and use it. An example is passwords, which must remain confidential to protect systems
and accounts.

Data integrity 

Data integrity refers to the accuracy and consistency (validity) of data over its lifecycle.
Compromised data, after all, is of little use to enterprises, not to mention the dangers presented by
sensitive data loss.

Repudiation

A repudiation attack happens when an application or system does not adopt controls to properly track
and log users' actions, thus permitting malicious manipulation or forging of the identification of new
actions. If this attack takes place, the data stored in log files can be considered invalid or
misleading.
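The two services described above (access control and protection against repudiation) are easiest to see together: every access decision is made against a deny-by-default policy, and every decision is written to a tamper-evident log so that a user cannot later deny the action and an administrator can tell if the log itself was edited. The following is an added example written for this assignment, not code from the original page; the roles, users, resources and the hash-chained log format are all constructed assumptions for illustration.

```python
"""Access control decision with a tamper-evident audit trail (added example)."""
import hashlib
import json
from dataclasses import dataclass, field

# Constructed policy: role -> resource -> permitted operations.
# Anything not listed here is denied (deny by default).
POLICY = {
    "teller": {"accounts": {"read"}},
    "manager": {"accounts": {"read", "write"}, "audit-log": {"read"}},
}

GENESIS = "0" * 64  # "previous digest" for the first log entry


def _digest(body: dict) -> str:
    """Canonical SHA-256 of an entry body (keys sorted so the encoding is stable)."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class AuditLog:
    """Hash-chained audit log: each entry commits to the digest of the previous
    one, so deleting, inserting or editing an earlier entry is detectable."""
    entries: list = field(default_factory=list)

    def record(self, user: str, resource: str, action: str, allowed: bool) -> dict:
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        body = {"user": user, "resource": resource, "action": action,
                "allowed": allowed, "prev": prev}
        body["digest"] = _digest(body)
        self.entries.append(body)
        return body

    def verify_chain(self) -> bool:
        """Recompute every digest and link; False if any entry was altered."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "digest"}
            if _digest(body) != entry["digest"]:
                return False
            prev = entry["digest"]
        return True


def check_access(user: str, role: str, resource: str, action: str, log: AuditLog) -> bool:
    """Return True only if the role explicitly permits the action on the resource.
    Every decision, allowed or denied, is logged so actions cannot be repudiated."""
    allowed = action in POLICY.get(role, {}).get(resource, set())
    log.record(user, resource, action, allowed)
    return allowed


if __name__ == "__main__":
    log = AuditLog()
    check_access("alice", "teller", "accounts", "read", log)    # allowed
    check_access("alice", "teller", "accounts", "write", log)   # denied
    check_access("bob", "intern", "accounts", "read", log)      # unknown role: denied
    print("chain intact:", log.verify_chain())
    log.entries[1]["allowed"] = True                             # attempt to rewrite history
    print("chain intact after edit:", log.verify_chain())
```

The unknown role "intern" is denied without any special case because the policy lookup falls through to an empty set; that is what deny-by-default means in practice. Rewriting a single logged decision breaks the digest of that entry, and dropping an entry breaks the `prev` link of the one after it, so the log can be trusted as evidence only while `verify_chain()` returns True.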

Availability service 

The Availability service improves information workers' calendaring and meeting scheduling
experience by providing secure, consistent, and up-to-date free/busy information.

Q#05) List and briefly define categories of security mechanisms.

Ans) Security mechanisms are a field in computer technology that deals with ensuring the security of
computer network infrastructure. The network is very necessary for sharing information, whether at
the hardware level (such as printers and scanners) or at the software level. Therefore a security
mechanism can also be termed a set of processes that deal with recovery from a security attack.
Various mechanisms are designed to recover from specific attacks at various protocol layers.

The types of security mechanism are:

1. Encipherment:
This security mechanism deals with hiding and covering data, which helps the data to become
confidential. It is achieved by applying mathematical calculations or algorithms which transform the
information into an unreadable form. It is achieved by two well-known techniques, named cryptography
and encipherment. The level of data encryption depends on the algorithm used for encipherment.

2. Access Control:
This mechanism is used to stop unattended access to the data you are sending. It can be achieved
by various techniques such as applying passwords, using a firewall, or simply adding a PIN to the data.

3. Notarization:
This security mechanism involves the use of a trusted third party in communication. It acts as a
mediator between sender and receiver so that the chance of any conflict is reduced. This mediator
keeps a record of the requests made by the sender to the receiver, in case they are later denied.

4. Data Integrity:
This security mechanism works by appending to the data a value which is created from the data itself.
It is similar to sending a packet of information known to both sending and receiving parties, which is
checked before and after the data is received. When this appended packet or data is checked and is the
same on sending and receiving, data integrity is maintained.

5. Authentication exchange:
This security mechanism deals with making identities known in communication. This is achieved at the
TCP/IP layer, where a two-way handshaking mechanism is used to ensure whether data is sent or not.

6. Bit stuffing:
This security mechanism adds some extra bits to the data being transmitted. It helps the data to be
checked at the receiving end and is achieved by even parity or odd parity.

7. Digital Signature:
This security mechanism is achieved by adding digital data that is not visible to the eye. It is a form
of electronic signature which is added by the sender and checked electronically by the receiver. This
mechanism is used to protect data which is not highly confidential but where the sender's identity is
to be made known.
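Items 4, 5 and 6 above, together with the replay and modification-of-messages attacks from Q#03, can be put into one small message exchange. The sender appends a value derived from the data (an HMAC) plus a fresh nonce and a timestamp; the receiver recomputes the HMAC to detect modification, rejects stale timestamps, and remembers nonces to detect replay. A parity bit is included only to contrast error detection with tamper detection. This is an added example written for this assignment, not code from the original page; the shared key, the 30-second freshness window, the message bodies (taken from the Q#03 example) and the clock values passed in as `now` are constructed assumptions.

```python
"""Integrity check and replay protection for a message exchange (added example)."""
import hashlib
import hmac
import json
import secrets

# Constructed shared key; in a real system it comes from a key-management step.
SHARED_KEY = b"example-shared-key-not-for-production"
MAX_AGE_SECONDS = 30          # assumed freshness window for the timestamp check
AUTHENTICATED_FIELDS = ("nonce", "ts", "body")


def parity_bit(data: bytes) -> int:
    """Even parity over all bits: 1 if the number of set bits is odd.
    Detects a single flipped bit but not two, and an attacker can adjust it,
    so parity is error detection, not an integrity mechanism."""
    return sum(bin(b).count("1") for b in data) % 2


def _mac(key: bytes, msg: dict) -> str:
    """HMAC-SHA256 over the canonical encoding of the authenticated fields."""
    canonical = json.dumps({k: msg[k] for k in AUTHENTICATED_FIELDS}, sort_keys=True)
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def build_message(key: bytes, body: str, now: int) -> dict:
    """Sender side: attach a random nonce, the current time and the MAC."""
    msg = {"nonce": secrets.token_hex(16), "ts": now, "body": body}
    msg["mac"] = _mac(key, msg)
    return msg


class Receiver:
    """Receiver side: verify the MAC, then the timestamp, then the nonce."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen_nonces: set = set()   # in practice pruned once older than the window

    def accept(self, msg: dict, now: int) -> str:
        # Constant-time compare: a modified body, nonce or timestamp fails here.
        if not hmac.compare_digest(_mac(self.key, msg), msg["mac"]):
            return "rejected: integrity check failed"
        if abs(now - msg["ts"]) > MAX_AGE_SECONDS:
            return "rejected: stale timestamp"
        if msg["nonce"] in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(msg["nonce"])
        return "accepted"


if __name__ == "__main__":
    rx = Receiver(SHARED_KEY)
    original = build_message(SHARED_KEY, "Allow John Smith to read confidential file accounts", now=1000)
    print(rx.accept(original, now=1005))                 # accepted
    print(rx.accept(original, now=1006))                 # rejected: replay
    tampered = dict(original, body="Allow Fred Brown to read confidential file accounts")
    print(rx.accept(tampered, now=1005))                 # rejected: integrity check failed
    print(rx.accept(build_message(SHARED_KEY, "late", now=1000), now=2000))  # rejected: stale timestamp
    print(parity_bit(b"\x01"), parity_bit(b"\x03"))      # 1 0: two flipped bits go unnoticed
```

The order of the checks matters: the MAC is verified first so that the timestamp and nonce being tested are the ones the sender actually committed to, otherwise an attacker could refresh the timestamp on a captured message. The parity bit illustrates why item 6 is not a substitute for item 4: flipping two bits (0x01 to 0x03 in the demo) leaves even parity unchanged, whereas any change to the HMAC-protected fields is rejected.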

Problems

Q#01) Consider an automated teller machine (ATM) in which users provide a personal identification
number (PIN) and a card for account access. Give examples of confidentiality, integrity, and
availability requirements associated with the system and, in each case, indicate the degree of
importance of the requirement.

Ans)

1. The system must keep personal identification numbers confidential, both in the host system
and during transmission for a transaction. It must protect the integrity of account records and
of individual transactions.
2. Availability of the host system is important to the economic well-being of the bank, but not to
its fiduciary responsibility. The availability of individual teller machines is of less concern.
3. The system does not have high requirements for integrity on individual transactions, as
lasting damage will not be incurred by occasionally losing.
4. The communication should be encrypted.
5. The PIN should also be encrypted.
6. The actions accomplished through the bank should be linked with the bank link.
