Lecture 8 - Security


SECURITY

LECTURE 8
Objectives
• Describe the challenges of securing information
• Define information security and explain why it is
important
• Identify the types of attackers that are common
today
• List the basic steps of an attack
• Describe the five basic principles of defense

Computer Security is the ability of a system to protect
information and system resources with respect to
confidentiality and integrity.

Aspects of Security:
• Prevention: Take measures that prevent your assets from being damaged

• Detection: Take measures so that you can detect when, how, and by whom an
asset has been damaged

• Reaction: Take measures so that you can recover your assets or to recover from a
damage to your assets
Where to focus security controls?

• Data: Format and content of data

• Operations: Operations allowed on data

• Users: Access control of data based on user


SECURITY ATTACKS

• Interruption: This is an attack on availability


• Disrupting traffic

• Physically breaking communication line

• Interception: This is an attack on confidentiality


• Overhearing, eavesdropping over a communication line
SECURITY ATTACKS (CONTINUED)

• Modification: This is an attack on integrity


• Corrupting transmitted data or tampering with it before it reaches its destination

• Fabrication: This is an attack on authenticity


• Faking data as if it were created by a legitimate and authentic party
Today’s Security Attacks (cont’d.)
• Examples of recent attacks
– Bogus antivirus software
• Marketed by credit card thieves
– Online banking attacks
– Hacking contest
– Nigerian 419 advanced fee fraud
• Number one type of Internet fraud
– Identity theft using Firesheep
– Malware
– Infected USB flash drive devices
Difficulties in Defending Against Attacks
• Universally connected devices
• Increased speed of attacks
• Greater sophistication of attacks
• Availability and simplicity of attack tools
• Faster detection of vulnerabilities
• Delays in patching
– Weak distribution of patches
• Distributed attacks
What Is Information Security?
• Before defense is possible, one must understand:
– What information security is
– Why it is important
– Who the attackers are

Defining Information Security
• Security
– Steps to protect person or property from harm
• Harm may be intentional or nonintentional
– Sacrifices convenience for safety
• Information security
– Guarding digitally-formatted information:
• That provides value to people and organizations

Defining Information Security (cont’d.)
• Three types of information protection: often called
CIA
– Confidentiality
• Only approved individuals may access information
– Integrity
• Information is correct and unaltered
– Availability
• Information is accessible to authorized users

Defining Information Security (cont’d.)
• Protections implemented to secure information
– Identification
• Proof of who you are
– Authentication
• Individual is who they claim to be
– Authorization
• Grant ability to access information
– Accounting
• Provides tracking of events

CSC100 Computer Literacy - Comp Sec

INFORMATION SECURITY TERMINOLOGY

• Security - protection of information and property
from theft, corruption, or natural disaster, while
allowing the information and property to remain
accessible and productive to its intended users

• Threat - a possible danger that might exploit a
vulnerability to breach security and thus cause
possible harm

INFORMATION SECURITY TERMINOLOGY (CONT’D.)
• Risk - Event or action that causes loss of or damage to
computer system

• Ethics - Moral principles concerning computer use

• Vulnerability
– Flaw or weakness

• Threat agent can bypass security

• Attacks - A vulnerability that has been compromised and
exploited to cause harm to a computer system
Figure 1-4 Information security components analogy

Information Security Terminology
(cont’d.)
Options to deal with risk
– Accept
• Realize there is a chance of loss
– Diminish
• Take precautions
• Most information security risks should be
diminished
– Transfer risk to someone else
• Example: purchasing insurance

Figure 1-3 Information security components
THERE ARE THREE PRIMARY REASONS
FOR NETWORK SECURITY THREATS:

• Technology weaknesses
• Computer and network technologies have intrinsic security
weaknesses.
• Configuration weaknesses
• Network administrators or network engineers need to learn what
the configuration weaknesses are and correctly configure their
computing and network devices to compensate.
• Security policy weaknesses
• Security policy weaknesses can create unforeseen security
threats. The network may pose security risks if
users do not follow the security policy.
• Human error
GOALS OF NETWORK SECURITY

• Achieve the state where any action that is not
expressly permitted is prohibited
• Eliminate theft

• Determine authentication

• Identify assumptions

• Control secrets
CREATING A SECURE NETWORK
STRATEGY

• Address both internal and external threats

• Define policies and procedures

• Reduce risk across perimeter security, the
Internet, intranets, and LANs
CREATING A SECURE NETWORK
STRATEGY
• Human factors

• Know your weaknesses

• Limit access

• Achieve security through persistence


• Develop change management process

• Remember physical security

• Perimeter security
• Control access to critical network applications, data, and services

continued…
CREATING A SECURE NETWORK
STRATEGY
• Firewalls

• Prevent unauthorized access to or from private network


• Create protective layer between network and outside
world
• Replicate network at point of entry in order to receive and
transmit authorized data
• Have built-in filters
• Log attempted intrusions and create reports

continued…
CREATING A SECURE NETWORK
STRATEGY

• Access control
• Ensures that only legitimate traffic is allowed
into or out of the network
• Passwords

• PINs

• Smartcards

continued…
CREATING A SECURE NETWORK
STRATEGY CONT…
• Change management

• Document changes to all areas of IT
infrastructure

• Encryption

• Ensures messages cannot be intercepted or
read by anyone other than the intended
person(s)

continued…
CREATING A SECURE NETWORK
STRATEGY

• Intrusion detection system (IDS)

• Provides 24/7 network surveillance

• Analyzes packet data streams within
the network
• Searches for unauthorized activity
THE FOUR PRIMARY CLASSES OF
THREATS TO NETWORK SECURITY

Unstructured threats
These consist of mostly inexperienced
individuals using easily available hacking
tools such as shell scripts and password
crackers
Structured threats
These come from hackers that are more
highly motivated and technically competent
THE FOUR PRIMARY CLASSES OF THREATS
TO NETWORK SECURITY CONT ….

External threats
These arise from individuals or organizations working
outside of a company. i.e. they do not have authorized
access to the computer systems or network.
Internal threats
These occur when someone has authorized access to
the network with either an account on a server or
physical access to the network.
Understanding the Importance of
Information Security
• Preventing data theft
– Security often associated with theft prevention
– Business data theft
• Proprietary information
– Individual data theft
• Credit card numbers

Understanding the Importance of
Information Security (cont’d.)
• Thwarting identity theft
– Using another’s personal information in unauthorized
manner
• Usually for financial gain
– Example:
• Steal person’s SSN
• Create new credit card account
• Charge purchases
• Leave unpaid

Understanding the Importance of
Information Security (cont’d.)
• Avoiding legal consequences
– Laws protecting electronic data privacy
• The Health Insurance Portability and Accountability
Act of 1996 (HIPAA)
• The Sarbanes-Oxley Act of 2002 (Sarbox)
• The Gramm-Leach-Bliley Act (GLBA)
• California’s Database Security Breach Notification Act
(2003)

Understanding the Importance of
Information Security (cont’d.)
• Foiling (preventing) cyberterrorism
– Premeditated, politically motivated attacks
– Target: information, computer systems, data
– Designed to:
• Cause panic
• Provoke violence
• Result in financial catastrophe

Understanding the Importance of
Information Security (cont’d.)
• Potential cyberterrorism targets
– Banking
– Military
– Energy (power plants)
– Transportation (air traffic control centers)
– Water systems

Who Are the Attackers?
• Categories of attackers
– Hackers
– Script kiddies
– Spies
– Insiders
– Cybercriminals
– Cyberterrorists

Hackers
• Hacker
– Person who uses computer skills to attack
computers
– Term not common in security community
• White hat hackers
– Goal to expose security flaws
– Not to steal or corrupt data
• Black hat hackers
– Goal is malicious and destructive

Script Kiddies
• Script kiddies
– Goal: break into computers to create damage
– Unskilled users
– Download automated hacking software (scripts)
• Use them to perform malicious acts
– Attack software today has menu systems
• Attacks are even easier for unskilled users
– 40 percent of attacks performed by script kiddies

Spies
• Computer spy
– Person hired to break into a computer:
• To steal information
• Hired to attack a specific computer or system:
– Containing sensitive information
• Goal: steal information without drawing attention to
their actions
• Possess excellent computer skills:
– To attack and cover their tracks

Insiders
• Employees, contractors, and business partners
• 48 percent of breaches attributed to insiders
• Examples of insider attacks
– Health care worker publicized celebrities’ health
records
• Disgruntled over upcoming job termination
– Government employee planted malicious coding
script
– Stock trader concealed losses through fake
transactions
– U.S. Army private accessed sensitive documents
Cybercriminals
• Network of attackers, identity thieves, spammers,
financial fraudsters
• Difference from ordinary attackers
– More highly motivated
– Willing to take more risk
– Better funded
– More tenacious
– Goal: financial gain

Cybercriminals (cont’d.)
• Cybercrime
– Targeted attacks against financial networks
– Unauthorized access to information
– Theft of personal information
• Financial cybercrime
– Trafficking in stolen credit cards and financial
information
– Using spam to commit fraud

Cyberterrorists
• Cyberterrorists
– Ideological motivation
• Attacking because of their principles and beliefs
• Goals of a cyberattack:
– Deface electronic information
• Spread misinformation and propaganda
– Deny service to legitimate computer users
– Commit unauthorized intrusions
• Results: critical infrastructure outages; corruption of
vital data

Attacks and Defenses
• Wide variety of attacks
– Same basic steps used in attack
• To protect computers against attacks:
– Follow five fundamental security principles

Steps of an Attack
• Probe for information
– Such as type of hardware or software used
• Penetrate any defenses
– Launch the attack
• Modify security settings
– Allows attacker to reenter compromised system
easily
• Circulate to other systems
– Same tools directed toward other systems
• Paralyze networks and devices
Figure 1-6 Steps of an attack

Defenses Against Attacks
• Fundamental security principles for defenses
– Layering
– Limiting
– Diversity
– Obscurity
– Simplicity

Layering
• Information security must be created in layers
– Single defense mechanism may be easy to
circumvent
– Unlikely that attacker can break through all defense
layers
• Layered security approach
– Can be useful in resisting a variety of attacks
– Provides the most comprehensive protection

Limiting
• Limiting access to information:
– Reduces the threat against it
• Only those who must use data granted access
– Amount of access limited to what that person needs
to know
• Methods of limiting access
– Technology
• File permissions
– Procedural
• Prohibiting document removal from premises

Diversity
• Closely related to layering
– Layers must be different (diverse)
• If attackers penetrate one layer:
– Same techniques unsuccessful in breaking through
other layers
• Breaching one security layer does not compromise
the whole system
• Example of diversity
– Using security products from different manufacturers

Obscurity
• Obscuring inside details to outsiders
• Example: not revealing details
– Type of computer
– Operating system version
– Brand of software used
• Difficult for attacker to devise attack if system
details are unknown

Simplicity
• Nature of information security is complex
• Complex security systems
– Difficult to understand and troubleshoot
– Often compromised for ease of use by trusted users
• Secure system should be simple:
– For insiders to understand and use
• Simple from the inside
– Complex from the outside

PART B
AUTHENTICATION
SECURITY OF SYSTEM
RESOURCES
• Three-step process (AAA)
• Authentication
• Positive identification of person/system seeking access to
secured information/services
• Authorization
• Predetermined level of access to resources
• Accounting
• Logging use of each asset
AUTHENTICATION TECHNIQUES

• Usernames and passwords


• Kerberos
• Challenge Handshake Authentication Protocol (CHAP)
• Mutual authentication
• Digital certificates
• Tokens
• Biometrics
• Multifactor authentication
USERNAMES AND PASSWORDS

• Username
• Unique alphanumeric identifier used to identify an individual when
logging onto a computer/network

• Password
• Secret combination of keystrokes that, when combined with a
username, authenticates a user to a computer/network
BASIC RULES FOR PASSWORD
PROTECTION
1. Memorize passwords; do not write them down
2. Use different passwords for different functions
3. Use at least 6 characters
4. Use mixture of uppercase and lowercase letters,
numbers, and other characters
5. Change periodically
STRONG PASSWORD CREATION
TECHNIQUES
• Easy to remember; difficult to recognize
• Examples:
• First letters of each word of a simple phrase; add a number and
punctuation
• Asb4M?
• Combine two dissimilar words and place a number between them
• SleigH9ShoE
• Substitute numbers for letters (not obviously)
TECHNIQUES TO USE MULTIPLE
PASSWORDS
• Group Web sites or applications by appropriate level of
security
• Use a different password for each group
• Cycle more complex passwords down the groups, from most sensitive
to least
STORING PASSWORDS

• Written
• Keep in a place you are not likely to lose it
• Use small type
• Develop a personal code to apply to the list

• Electronic
• Use a specifically designed application (encrypts data)
DIGITAL CERTIFICATES

• Electronic means of verifying identity of an
individual/organization
• Digital signature
• Piece of data that claims that a specific, named individual wrote or
agreed to the contents of an electronic document to which the
signature is attached
ELECTRONIC ENCRYPTION AND
DECRYPTION CONCEPTS
• Encryption
• Converts plain text message into secret message

• Decryption
• Converts secret message into plain text message

• Symmetric cipher
• Uses only one key

• Asymmetric cipher
• Uses a key pair (private key and public key)
ELECTRONIC ENCRYPTION AND
DECRYPTION CONCEPTS
• Certificate authority (CA)
• Trusted, third-party entity that verifies the actual identity of an
organization/individual before providing a digital certificate

• Nonrepudiation
• Practice of using a trusted, third-party entity to verify the authenticity
of a party who sends a message
HOW MUCH TRUST
SHOULD ONE PLACE IN A CA?
• Reputable CAs have several levels of authentication that
they issue based on the amount of data collected from
applicants
• Example: VeriSign
SECURITY TOKENS

• Authentication devices assigned to specific user


• Small, credit card-sized physical devices
• Incorporate two-factor authentication methods
• Utilize base keys that are much stronger than short, simple
passwords a person can remember
TYPES OF SECURITY TOKENS

• Passive
• Act as a storage device for the base key
• Do not emit, or otherwise share, base tokens
• Active
• Actively create another form of a base key or encrypted form of a
base key that is not subject to attack by sniffing and replay
• Can provide variable outputs in various circumstances
ONE-TIME PASSWORDS

• Used only once for limited period of time; then is
no longer valid
• Uses shared keys and challenge-and-response
systems, which do not require that the secret be
transmitted or revealed
• Strategies for generating one-time passwords
• Counter-based tokens
• Clock-based tokens
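
The two generation strategies above, shown as an added example that is not part of the original lecture: a counter-based code (HOTP, RFC 4226), a clock-based code (TOTP, RFC 6238), and a server-side check that accepts each code only once. The key is the RFC 4226 test key; the class name `CounterTokenVerifier` and its `look_ahead` parameter are illustrative assumptions.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based one-time password (HOTP, RFC 4226)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Clock-based one-time password (TOTP, RFC 6238): HOTP over the time step."""
    return hotp(key, unix_time // step, digits)


class CounterTokenVerifier:
    """Server side for a counter-based token (hypothetical helper class)."""

    def __init__(self, key: bytes, look_ahead: int = 3):
        self.key = key
        self.next_counter = 0         # first counter value not yet consumed
        self.look_ahead = look_ahead  # tolerate codes generated but never submitted

    def verify(self, submitted: str) -> bool:
        last = self.next_counter + self.look_ahead
        for c in range(self.next_counter, last + 1):
            # Constant-time comparison; the shared key itself is never sent.
            if hmac.compare_digest(hotp(self.key, c), submitted):
                self.next_counter = c + 1  # this code and all earlier ones are spent
                return True
        return False


SHARED_KEY = b"12345678901234567890"  # RFC 4226 test key, not a real secret


def demo() -> dict:
    server = CounterTokenVerifier(SHARED_KEY)
    first = hotp(SHARED_KEY, 0)
    return {
        "first_code": first,
        "accepted": server.verify(first),
        "replay_accepted": server.verify(first),  # same code a second time
        "skipped_ahead": server.verify(hotp(SHARED_KEY, 3)),
        "old_code_after_skip": server.verify(hotp(SHARED_KEY, 2)),
        "totp_at_59s": totp(SHARED_KEY, 59),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A sniffed code is useless once the server has advanced its counter, which is the replay resistance the slide attributes to active tokens.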
BIOMETRICS

• Biometric authentication
• Uses measurements of physical or behavioral characteristics of an
individual
• Generally considered most accurate of all authentication methods
• Traditionally used in highly secure areas
• Expensive
HOW BIOMETRIC
AUTHENTICATION WORKS
1. Biometric is scanned after identity is verified
2. Biometric information is analyzed and put into an
electronic template
3. Template is stored in a repository
4. To gain access, biometric is scanned again
5. Computer analyzes biometric data and compares it to
data in template
6. If data from scan matches data in template, person is
allowed access
7. Keep a record, following AAA model
FALSE POSITIVES AND FALSE
NEGATIVES
• False positive
• Occurrence of an unauthorized person being authenticated by a
biometric authentication process

• False negative
• Occurrence of an authorized person not being authenticated by a
biometric authentication process when they are who they claim to be
DIFFERENT KINDS OF
BIOMETRICS

• Physical characteristics
• Fingerprints
• Hand geometry
• Retinal scanning
• Iris scanning
• Facial scanning

• Behavioral characteristics
• Handwritten signatures
• Voice
FINGERPRINT BIOMETRICS
HAND GEOMETRY AUTHENTICATION
RETINAL SCANNING
IRIS SCANNING
SIGNATURE VERIFICATION
GENERAL TRENDS IN
BIOMETRICS
• Authenticating large numbers of people over a short period
of time (e.g., smart cards)
• Gaining remote access to controlled areas
MULTIFACTOR
AUTHENTICATION
• Identity of individual is verified using at least two of the
three factors of authentication
• Something you know (e.g., password)
• Something you have (e.g., smart card)
• Something about you (e.g., biometrics)
ADDITIONAL READINGS
(NOT COMPULSORY)

• Smith, R. 2002, Authentication: From Passwords to
Public Keys, Addison Wesley, New Jersey. ISBN 0-201-61599-1
• The RFC for Security policies:
http://www.faqs.org/rfcs/rfc2196.html
Books
1. Security+ Guide to Network Security Fundamentals,
(2009) Third Edition by Mark Ciampa
2. Network security a beginners guide (2001) by Eric Maiwald
Summary
• Information security attacks growing exponentially
in recent years
• Several reasons for difficulty defending against
today’s attacks
• Information security protects information’s integrity,
confidentiality, and availability:
– On devices that store, manipulate, and transmit
information
– Using products, people, and procedures

Summary (cont’d.)
• Goals of information security
– Prevent data theft
– Thwart identity theft
– Avoid legal consequences of not securing
information
– Maintain productivity
– Foil cyberterrorism
• Different types of people with different motivations
conduct computer attacks
• An attack has five general steps