
Data & Information Security

Security
• Freedom from risk, doubt or fear
– Something that assures safety

Security
– Computer Security
– Network Security
Computer Security
• Computer security protects the data stored on a single computer
– it ensures that the data or information stored on the computer cannot
be accessed, read, or otherwise compromised by anyone without
appropriate authorization.
• Data corruption / erroneous data
– Viruses (counter: anti-virus programs)
• Access control
– Unauthorized access (counter: password protection)
• Physical damage
– Earthquakes, fire, burnt-out components, theft, etc.
Network Security
• Covers any computer(s) connected to the
network and the flow of data between two or
more nodes inside or outside the network.
– Viruses and worms
– Spyware
– Denial-of-service attacks
– Hackers
Security Goals
– Confidentiality: information needs to be hidden
from unauthorized access
– Integrity: protected from unauthorized change
– Availability: available to an authorized entity
when it is needed
Attacks Threatening Confidentiality
1) Snooping: refers to unauthorized access to or
interception of data.
– For example, a file transferred through the Internet
may contain confidential information. An
unauthorized entity may intercept the
transmission and use the contents for his/her own
benefit.
 Countermeasure
– Encryption (the method by which information is converted into ciphertext,
a secret form that hides its true meaning from anyone who does not hold the key.)
Attacks Threatening Confidentiality (2)
2) Traffic Analysis:
Although encipherment of data may make it
unintelligible (impossible to understand) to the interceptor, he/she
can still obtain other types of information, e.g.:
– the electronic address (such as the e-mail address) of the sender
or the receiver;
– pairs of requests and responses, collected to help him/her guess
the nature of the transaction.
 Countermeasure
– Padding (the insertion of dummy bits into gaps in an information flow is known as traffic padding.
It hides the true size and timing of messages and so counters traffic analysis.)
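The two confidentiality countermeasures above (encryption against snooping, padding against traffic analysis) in one runnable form. This is an added example, not code from the original slides: it builds a stream cipher by running HMAC-SHA256 as a PRF in counter mode (an illustrative construction; in production use AES-GCM or ChaCha20-Poly1305 from a vetted library) and pads every message to a multiple of an assumed 256-byte bucket before encrypting, so the ciphertext length no longer reveals the plaintext length. It provides confidentiality only; it does not detect modification.

```python
import hashlib
import hmac
import secrets
import struct

BUCKET = 256  # assumption: every message is padded to a multiple of 256 bytes
NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF counter mode: block i = HMAC-SHA256(key, nonce || i), truncated to `length`."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def pad(plaintext: bytes, bucket: int = BUCKET) -> bytes:
    """Prefix the true length, then zero-pad to the next bucket boundary (traffic padding)."""
    body = struct.pack(">I", len(plaintext)) + plaintext
    padded_len = -(-len(body) // bucket) * bucket  # ceiling division
    return body + b"\x00" * (padded_len - len(body))


def unpad(padded: bytes) -> bytes:
    """Recover the original plaintext using the length prefix."""
    (n,) = struct.unpack(">I", padded[:4])
    return padded[4:4 + n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || (pad(plaintext) XOR keystream). A fresh nonce per message is mandatory."""
    nonce = secrets.token_bytes(NONCE_LEN)
    padded = pad(plaintext)
    ct = bytes(a ^ b for a, b in zip(padded, keystream(key, nonce, len(padded))))
    return nonce + ct


def decrypt(key: bytes, message: bytes) -> bytes:
    """Strip the nonce, regenerate the keystream, XOR, and remove padding."""
    nonce, ct = message[:NONCE_LEN], message[NONCE_LEN:]
    padded = bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))
    return unpad(padded)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed: the shared secret for this demo
    for msg in (b"transfer 100 to alice", b"x" * 200):
        ct = encrypt(key, msg)
        # both ciphertexts are the same length, so an interceptor cannot tell them apart by size
        print(len(msg), "plaintext bytes ->", len(ct), "bytes on the wire;",
              "round trip ok" if decrypt(key, ct) == msg else "FAILED")
```

Messages whose padded body already fills a bucket get no extra padding; a body one byte larger jumps to the next bucket, which is the intended behaviour: the interceptor learns only the bucket, not the exact length.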
Attacks Threatening Integrity
1) Modification:
Attacker modifies the information to make it
beneficial to himself/herself.
– For example, a customer sends a message to a
bank to do some transaction. The attacker
intercepts the message and changes the type of
transaction to benefit himself/herself.
Attacks Threatening Integrity (2)
2) Spoofing:
Occurs when the attacker impersonates somebody else.
– For example, an attacker might steal the bank card and PIN
of a bank customer and pretend that he/she is that
customer.
• Sometimes the attacker pretends to be the receiver
entity.
– For example, a user tries to contact a bank, but another site
pretends that it is the bank and obtains some information
from the user.
Attacks Threatening Integrity (3)
3) Replaying
The attacker obtains a copy of a message sent by
a user and later tries to replay it.
– For example, a person sends a request to bank to
ask for payment to the attacker, who has done a
job for him/her. The attacker intercepts the
message and sends it again to receive another
payment from the bank.
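The bank-request scenario used above for modification and for replaying, as an added example that is not part of the original slides. The customer attaches an HMAC-SHA256 tag over the request (so any change to the amount is detected), plus a random nonce and a timestamp; the bank keeps a short-lived table of nonces it has already honoured and rejects a second copy of the same request. The shared key, the 300-second acceptance window and the request fields are assumptions for the demo.

```python
import hashlib
import hmac
import json
import secrets
import time

SHARED_KEY = b"customer-and-bank-shared-key-32B"  # assumption: established out of band


def make_request(key: bytes, fields: dict, now: float) -> bytes:
    """Customer side: serialise fields + nonce + timestamp, then MAC the whole payload."""
    body = dict(fields, nonce=secrets.token_hex(16), ts=int(now))
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return json.dumps({"payload": payload.decode(), "tag": tag}).encode()


def tamper(wire: bytes, old: str, new: str) -> bytes:
    """Attacker side: rewrite part of the intercepted payload (the tag is left untouched)."""
    env = json.loads(wire)
    env["payload"] = env["payload"].replace(old, new)
    return json.dumps(env).encode()


class BankReceiver:
    def __init__(self, key: bytes, window: int = 300):
        self.key = key
        self.window = window   # seconds a request stays acceptable
        self.seen = {}         # nonce -> timestamp of requests already honoured

    def accept(self, wire: bytes, now: float):
        env = json.loads(wire)
        payload = env["payload"].encode()
        # 1. integrity / origin: recompute the MAC and compare in constant time
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, env["tag"]):
            return None, "rejected: MAC mismatch (modified or spoofed)"
        body = json.loads(payload)
        # 2. freshness: old requests are refused even if never seen before
        if abs(now - body["ts"]) > self.window:
            return None, "rejected: timestamp outside window"
        # 3. uniqueness: the same nonce is never honoured twice
        if body["nonce"] in self.seen:
            return None, "rejected: replay"
        # forget nonces that the timestamp check would reject anyway
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        self.seen[body["nonce"]] = body["ts"]
        return body, "accepted"


if __name__ == "__main__":
    now = time.time()
    bank = BankReceiver(SHARED_KEY)
    wire = make_request(SHARED_KEY, {"amount": 100, "to": "attacker"}, now)  # constructed request
    print(bank.accept(wire, now)[1])                                         # accepted
    print(bank.accept(wire, now + 1)[1])                                     # replay
    print(bank.accept(tamper(wire, '"amount": 100', '"amount": 900'), now)[1])  # MAC mismatch
```

Because the tag also proves possession of the shared key, the same check defeats the spoofing case where an attacker forges a request without it; what it cannot do is settle repudiation, since either party could have produced the tag. That needs a digital signature, which only the sender can create.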
Attacks Threatening Integrity (4)
4) Repudiation:
• Performed by one of the two parties in the
communication: the sender or the receiver.
– The sender of the message might later deny that
he/she has sent the message;
– The receiver of the message might later deny that
he/she has received the message.
Attacks Threatening Availability
1) Denial of Service (DoS)
Slows down or completely interrupts the service of a
system.
• The attacker can use several strategies to achieve
this.
– He/She might send so many bogus requests to a server
that the server crashes because of the heavy load.
– The attacker might intercept and delete a server’s
response to a client, making the client believe that the
server is not responding.
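One server-side defence against the "so many bogus requests" strategy, as an added example rather than material from the original slides: a sliding-window rate limiter that accepts at most an assumed 20 requests per client per second and drops the rest, so one flooding client cannot consume the capacity a normal client needs. The traffic below is constructed for the demo (a flood of 200 requests in two seconds from 10.0.0.9 alongside one request per second from 192.0.2.5); timestamps are integer milliseconds so the arithmetic is exact.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` accepted requests per client in any `window_ms` interval."""

    def __init__(self, limit: int, window_ms: int):
        self.limit = limit
        self.window_ms = window_ms
        self.accepted = defaultdict(deque)  # client -> timestamps (ms) of accepted requests

    def allow(self, client: str, now_ms: int) -> bool:
        log = self.accepted[client]
        # drop timestamps that have fallen out of the window
        while log and now_ms - log[0] >= self.window_ms:
            log.popleft()
        if len(log) >= self.limit:
            return False          # over budget: reject without doing the work
        log.append(now_ms)
        return True


def simulate(requests, limit: int = 20, window_ms: int = 1000):
    """Run a (timestamp_ms, client) sequence through the limiter; return served/dropped per client."""
    limiter = SlidingWindowLimiter(limit, window_ms)
    stats = defaultdict(lambda: {"served": 0, "dropped": 0})
    for ts, client in sorted(requests):
        outcome = "served" if limiter.allow(client, ts) else "dropped"
        stats[client][outcome] += 1
    return dict(stats)


# constructed traffic: attacker sends 200 requests 10 ms apart; a normal client sends 1 per second
FLOOD = [(i * 10, "10.0.0.9") for i in range(200)]
NORMAL = [(i * 1000, "192.0.2.5") for i in range(10)]
SAMPLE = FLOOD + NORMAL

if __name__ == "__main__":
    for client, counts in simulate(SAMPLE).items():
        print(client, counts)
```

The limiter only logs requests it accepted, so the flooder is held to the 20-per-second budget (40 served, 160 dropped over the two seconds) while the well-behaved client is never touched. Counting rejected attempts as well would be stricter, keeping a persistent flooder at zero once over budget.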
Security Service
• A processing or communication service that is
provided by a system to give a specific kind of
protection to system resources
– Specific mechanisms are required to implement
these services
What is X.800
• ITU-T Recommendation X.800 (the Security Architecture for Open
Systems Interconnection) defines the security services used to
secure network transmission:
• Authentication - assurance that the communicating
entity is the one that it claims to be
• Access Control - prevention of the unauthorized use
of a resource
• Data Confidentiality - protection of data from
unauthorized disclosure
• Data Integrity - assurance that data received is as sent
by an authorized entity, without any modification
• Non-Repudiation - protection against denial by one of
the parties in a communication that it took part in it
A Model for Network Security
• Two aspects
– A security-related transformation of the information, e.g. encryption
– Some secret information shared by the two parties
and, it is hoped, unknown to the opponent
Tasks to implement security service
• 1. Design an algorithm for performing the
security-related transformation (Encryption).
• 2. Generate the secret information to be used
with the algorithm.
• 3. Develop methods for the distribution and
sharing of the secret information.
• 4. Specify a protocol to be used by both
parties (sender and receiver) for applying the security
algorithm and the secret key.
Network Access Security Model
• Gatekeeper function
– includes password-based login procedures that
are designed to deny access to everyone except
authorized users
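A minimal gatekeeper as described above, added here as an example and not taken from the original slides. Passwords are never stored: each user gets a random salt and a PBKDF2-HMAC-SHA256 hash (100,000 iterations and a five-failure lockout are assumptions for the demo). Unknown usernames are checked against a dummy record so that the response takes the same time as a wrong password, and the comparison is constant-time, which denies the attacker the timing signals that would otherwise tell valid usernames from invalid ones.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000   # assumption: tune upwards for production hardware
MAX_FAILURES = 5       # assumption: consecutive failures before the account is locked


class Gatekeeper:
    def __init__(self):
        self._users = {}      # username -> (salt, pbkdf2 hash)
        self._failures = {}   # username -> consecutive failed logins
        # dummy record so a login for an unknown user costs the same as a wrong password
        self._dummy = (secrets.token_bytes(16), self._derive(secrets.token_bytes(16), b"placeholder"))

    @staticmethod
    def _derive(salt: bytes, password: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)                      # fresh salt per user
        self._users[username] = (salt, self._derive(salt, password.encode()))

    def login(self, username: str, password: str):
        """Return (granted, reason). Every path does one PBKDF2 derivation."""
        if self._failures.get(username, 0) >= MAX_FAILURES:
            return False, "locked"
        salt, stored = self._users.get(username, self._dummy)
        candidate = self._derive(salt, password.encode())
        if username in self._users and hmac.compare_digest(candidate, stored):
            self._failures[username] = 0
            return True, "ok"
        self._failures[username] = self._failures.get(username, 0) + 1
        return False, "denied"


if __name__ == "__main__":
    gate = Gatekeeper()
    gate.register("alice", "correct horse battery staple")   # constructed account
    print(gate.login("alice", "correct horse battery staple"))  # (True, 'ok')
    print(gate.login("alice", "letmein"))                       # (False, 'denied')
    print(gate.login("mallory", "letmein"))                     # (False, 'denied')
```

The lockout counter is keyed by username, so it also throttles guessing against names that do not exist; in a real deployment it would be backed by persistent storage and paired with the network-level rate limiting mentioned under denial of service.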
Lines of defence
• Encryption
• Software-based access controls
– Access limitations on resources
• Hardware-based access controls
– Smartcards
• Information security policies
– Frequent changes of passwords
• Physical defence
Security Principles to Follow
 Turn off file sharing
 Disable Wi-Fi and Bluetooth if not needed
 Turn off automatic and ad hoc connections
 Install an antivirus program on all your computers
 Think twice before posting your personal information online
 Never open an e-mail attachment unless you are expecting it and it is
from a trusted source
 Install a personal firewall program
 Disable file and printer sharing on the Internet connection
 Always use strong passwords
 Limit the amount of information you provide to websites; fill in only
the required information
 Clear your history file when you are finished browsing
