Professional Documents
Culture Documents
Unit 4
Unit 4
UNIT IV
Virus and ransomware can corrupt all the documents stored on your servers. Be cautious
when dealing with spams and phishing emails policies.
Department of Computer Science & Engineering , BVCOE New Delhi
10 Subject: INFORMATION SECURITY, Instructor: MrVijay Kumar
2. Manage your documents
Document security works best when access rights to documents are granted
on a need-to-have basis. Having documents locked by passwords and
restricting access is an effective way to ensure a secure document
environment. Electronic document management systems can be extremely
useful. These systems will have audit trails that monitor documents and
record any modifications and general activity. It is vital that these trails must
be actively checked for suspicious activity which could pose a threat to
document security standards.
Sending documents as PDFs removes document format-dependent bottlenecks and turns digital
documents into password protected files with secure encryption and permission controls to manage
edits. This means that they cannot be edited by anyone but the document creator, reducing the risk of
counterfeiting. PDFs also prevent hackers from retrieving the metadata of the document creator when
using Word/PowerPoint formats.
What’s more, electronic signatures can not only help senders get a quick signature on outgoing
documents, but also enable recipients to ensure that the documents they receive do indeed come from
who they claim to be from, and that no alterations have occurred since it was authenticated.
Cryptographic keys are used for a number of different functions, such as those listed below. The
properties of the associated key (e.g. type, length, crypto-period) will depend on its intended
function.
We will see two aspects of the RSA cryptosystem, firstly generation of key pair and
secondly encryption-decryption algorithms.
ed = 1 mod (p − 1)(q − 1)
Select e = 5, which is a valid choice since there is no number that is common factor of 5 and (p − 1)(q − 1) = 6 × 12 = 72,
except for 1.
The pair of numbers (n, e) = (91, 5) forms the public key and can be made available to anyone whom we wish to be able to
send us encrypted messages.
Input p = 7, q = 13, and e = 5 to the Extended Euclidean Algorithm. The output will be d = 29.
Returning to our Key Generation example with plaintext P = 10, we get ciphertext C = 10^5 mod 91
RSA Decryption
The decryption process for RSA is also very straightforward. Suppose that the receiver of public-key pair (n, e)
has received a ciphertext C.
Receiver raises C to the power of his private key d. The result modulo n will be the plaintext P.
Digital signatures can provide evidence of origin, identity and status of electronic
documents, transactions or digital messages. Signers can also use them to
acknowledge informed consent.
▪ Digital signatures work through public key cryptography's two mutually authenticating
cryptographic keys. The individual who creates the digital signature uses a private key to encrypt
signature-related data, while the only way to decrypt that data is with the signer's public key.
▪ If the recipient can't open the document with the signer's public key, that's a sign there's a problem
with the document or the signature. This is how digital signatures are authenticated.
▪ Digital signature technology requires all parties trust that the individual creating the signature has
kept the private key secret. If someone else has access to the private signing key, that party could
create fraudulent digital signatures in the name of the private key holder.
A hash is a fixed-length string of letters and numbers generated by an algorithm. The digital signature creator's private key is then
used to encrypt the hash. The encrypted hash -- along with other information, such as the hashing algorithm -- is the digital
signature.
The reason for encrypting the hash instead of the entire message or document is a hash function can convert an arbitrary input into
a fixed-length value, which is usually much shorter. This saves time as hashing is much faster than signing.
The value of a hash is unique to the hashed data. Any change in the data, even a change in a single character, will result in a
different value. This attribute enables others to use the signer's public key to decrypt the hash to validate the integrity of the data.
If the decrypted hash matches a second computed hash of the same data, it proves that the data hasn't changed since it was signed.
If the two hashes don't match, the data has either been tampered with in some way and is compromised or the signature was
created with a private key that doesn't correspond to the public key presented by the signer -- an issue with authentication.
2) Digital signatures provide and enhance security using encryption technology. The
sensitive information such as the signature is encrypted. After verification, the
sensitive information is decrypted and made available.
Packet filtering firewalls are fast, cheap and effective. But the security they provide is very basic.
Since these firewalls cannot examine the content of the data packets, they are incapable of protecting
against malicious data packets coming from trusted source IPs. Being stateless, they are also
vulnerable to source routing attacks and tiny fragment attacks. But despite their minimal
functionality, packet filtering firewalls paved the way for modern firewalls that offer stronger and
deeper security.
Department of Computer Science & Engineering , BVCOE New Delhi
44 Subject: INFORMATION SECURITY, Instructor: MrVijay Kumar
2. Circuit-level gateways
Working at the session layer, circuit-level gateways verify established Transmission Control Protocol
(TCP) connections and keep track of the active sessions. They are quite similar to packet filtering
firewalls in that they perform a single check and utilize minimal resources. However, they function at
a higher layer of the Open Systems Interconnection (OSI) model. Primarily, they determine the
security of an established connection. When an internal device initiates a connection with a remote
host, circuit-level gateways establish a virtual connection on behalf of the internal device to keep the
identity and IP address of the internal user hidden.
Circuit-level gateways are cost-efficient, simplistic and have barely any impact on a network’s
performance. However, their inability to inspect the content of data packets makes them an
incomplete security solution on their own. A data packet containing malware can bypass a circuit-
level gateway easily if it has a legitimate TCP handshake. That is why another type of firewall is often
configured on top of circuit-level gateways for added protection.
Department of Computer Science & Engineering , BVCOE New Delhi
45 Subject: INFORMATION SECURITY, Instructor: MrVijay Kumar
3. Stateful inspection firewalls
A step ahead of circuit-level gateways, stateful inspection firewalls, in addition to verifying
and keeping track of established connections, also perform packet inspection to provide
better, more comprehensive security. They work by creating a state table with source IP,
destination IP, source port and destination port once a connection is established. They create
their own rules dynamically to allow expected incoming network traffic instead of relying on
a hardcoded set of rules based on this information. They conveniently drop data packets that
do not belong to a verified active connection.
Stateful inspection firewalls check for legitimate connections as well as source and
destination IPs to determine which data packets can pass through. Although these extra
checks provide advanced security, they consume a lot of system resources and can slow
down traffic considerably. Hence, they are prone to DDoS (distributed denial-of-service
attacks).
Department of Computer Science & Engineering , BVCOE New Delhi
46 Subject: INFORMATION SECURITY, Instructor: MrVijay Kumar
4. Application-level gateways (proxy firewalls)
Application-level gateways, also known as proxy firewalls, are implemented at the application layer via a proxy
device. Instead of an outsider accessing your internal network directly, the connection is established through
the proxy firewall. The external client sends a request to the proxy firewall. After verifying the authenticity of
the request, the proxy firewall forwards it to one of the internal devices or servers on the client’s behalf.
Alternatively, an internal device may request access to a webpage, and the proxy device will forward the
request while hiding the identity and location of the internal devices and network.
Unlike packet filtering firewalls, proxy firewalls perform stateful and deep packet inspection to analyze the
context and content of data packets against a set of user-defined rules. Based on the outcome, they either
permit or discard a packet. They protect the identity and location of your sensitive resources by preventing a
direct connection between internal systems and external networks. However, configuring them to achieve
optimal network protection can be a bit hard.You must also keep in mind the tradeoff—a proxy firewall is
essentially an extra barrier between the host and the client, causing considerable slowdowns.
Although intrusion detection systems monitor networks for potentially malicious activity,
they are also disposed to false alarms. Hence, organizations need to fine-tune their IDS
products when they first install them. It means properly setting up the intrusion detection
systems to recognize what normal traffic on the network looks like as compared to malicious
activity.
Department of Computer Science & Engineering , BVCOE New Delhi
48 Subject: INFORMATION SECURITY, Instructor: MrVijay Kumar
Virtual Private Network
A virtual private network, or VPN, is an encrypted connection over the Internet from a
device to a network. The encrypted connection helps ensure that sensitive data is safely
transmitted. It prevents unauthorized people from eavesdropping on the traffic and allows
the user to conduct work remotely. VPN technology is widely used in corporate
environments.
Intranet based VPN: When several offices of the same company are connected using Site-to-Site VPN type, it is
called as Intranet based VPN.
Extranet based VPN: When companies use Site-to-site VPN type to connect to the office of another company, it
is called as Extranet based VPN.
Basically, Site-to-site VPN create a imaginary bridge between the networks at geographically distant offices and
connect them through the Internet and sustain a secure and private communication between the networks. In
Site-to-site VPN one router acts as a VPN Client and another router as a VPN Server as it is based on Router-
to-Router communication. When the authentication is validated between the two routers only then the
communication starts.
engineering attacks. Two-factor authentication, which consists of something you know and something you have, is a
minimum requirement for providing secure remote access to the corporate network. In some cases, three-factor
authentication may be necessary; this form of authentication adds one more requirement—something you are (a
biometric such as fingerprint or iris scan, for example).
Spread of viruses, worms, and Trojans from remote computers to the internal network:
Remote access is a major threat vector to network security. Every remote computer that does
not meet corporate security requirements may potentially forward an “infection” from its local network environment
to an organization’s internal network. Up-to-date antivirus software on the remote computer is required to mitigate
this type of risk.
Department of Computer Science & Engineering , BVCOE New Delhi
54 Subject: INFORMATION SECURITY, Instructor: MrVijay Kumar
Split tunneling:
Split tunneling takes place when a computer on the remote end of a VPN tunnel simultaneously exchanges
network traffic with both the shared (public) network and the internal (private) network without first placing
all of the network traffic inside the VPN
tunnel. This provides an opportunity for attackers on the shared network to compromise the remote computer
and use it to gain network access to the internal network.