
Information Security

Prepared By: Hetal Bhaidasna

Introduction

■ Information is the most critical resource for many organizations, so it must be protected.

■ Due to the growth of networked data, security attacks have become a dominant problem in practically all information infrastructures.

■ Computer Security: generic name for the collection of tools designed to protect data and to thwart hackers

■ Network Security: measures to protect data during their transmission

■ Internet Security: measures to protect data during their transmission over a collection of interconnected networks

OSI (X.800) Security Architecture

■ The OSI architecture is useful to managers as a way of organizing the task of providing security.

1. Security Attack: Any action that compromises the security of information owned by an organization.
2. Security Mechanism: A process that is designed to detect, prevent or recover from a security attack.
3. Security Services: A processing or communication service that enhances the security of the data processing system and the information transfer of an organization.

Security Attacks

■ Any action that compromises the security of information owned by an organization

■ Information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems

■ There are two types of attacks:

➢ Passive attack
➢ Active attack

Security Attacks (Cont…)

■ Passive attack:
A passive attack attempts to learn or make use of information from the system but does not affect system resources.

There are two types of Passive Attack:

1. Release of a message content
2. Traffic analysis

Security Attacks (Cont…)
■ Release of a message content
A telephone conversation, an e-mail message and a transferred file may contain sensitive or confidential information.

Security Attacks (Cont…)
■ Traffic analysis
▪ It is a kind of attack done on encrypted messages.
▪ The opponent might be able to observe the pattern of such encrypted messages.
▪ The opponent could determine the location and identity of communicating hosts and could observe the frequency and length of messages being exchanged.

Security Attacks (Cont…)

■ Passive attacks are very difficult to detect because they do not involve any alteration of the data

■ Typically, the message traffic is sent and received in an apparently normal fashion and neither the sender nor receiver is aware that a third party has read the messages or observed the traffic pattern

■ However, it is feasible to prevent the success of these attacks, usually by means of encryption

■ Thus, the emphasis in dealing with passive attacks is on prevention rather than detection

Security Attacks (Cont…)

■ Active attacks

■ Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories:

■ Masquerade
■ Replay
■ Modification of messages
■ Denial of service

Security Attacks (Cont…)

■ A masquerade takes place when one entity pretends to be a different entity

■ For example, authentication sequences can be captured and replayed after a valid authentication sequence has taken place, thus enabling an authorized entity with few privileges to obtain extra privileges by impersonating an entity that has those privileges.

Security Attacks (Cont…)

■ Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect

Security Attacks (Cont…)

■ Modification of messages simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect

Security Attacks (Cont…)
▪ The denial of service prevents or inhibits the normal use or management of communications facilities.
▪ This attack may have a specific target; for example, an entity may suppress all messages directed to a particular destination.
▪ Another form of service denial is the disruption of an entire network, either by disabling the network or by overloading it with messages so as to degrade performance.

Security Attacks (Cont…)

■ Active attacks present the opposite characteristic of passive attacks.

■ Whereas passive attacks are difficult to detect, measures are available to prevent their success.

■ On the other hand, it is quite difficult to prevent active attacks absolutely, because of the wide variety of potential physical, software, and network vulnerabilities.

■ Instead, the goal is to detect active attacks and to recover from any disruption or delay caused by them.

■ If the detection has a deterrent effect, it may also contribute to prevention.

Model for Network Security


■ Using this model requires us to:

1. Design a suitable algorithm for the security transformation
2. Generate the secret information (keys) used by the algorithm
3. Develop methods to distribute and share the secret information
4. Specify a protocol enabling the principals to use the transformation and secret information for a security service
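
The four tasks above, worked through for one security service: detecting the modification, replay and masquerade attacks described earlier. This is an added example, not part of the original slides; it assumes HMAC-SHA256 as the security transformation, a counter-based frame format, and a key already shared out of band, and the names `generate_key`, `protect`, `Receiver` and `demo` are illustrative.

```python
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 32  # HMAC-SHA256 tag size in bytes

def generate_key() -> bytes:
    """Task 2: generate the secret information used by the algorithm."""
    return secrets.token_bytes(32)

def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Task 1 (sender): frame = 8-byte sequence number || payload || HMAC tag."""
    body = struct.pack(">Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    """Task 4: the receiving side of the (assumed) protocol."""
    def __init__(self, key: bytes):
        self.key = key        # task 3 (distribution) is assumed done out of band
        self.last_seq = -1    # highest sequence number accepted so far

    def accept(self, frame: bytes):
        """Return (verdict, payload); payload is None unless the frame is accepted."""
        if len(frame) < 8 + TAG_LEN:
            return "rejected: malformed", None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return "rejected: modified or forged", None
        (seq,) = struct.unpack(">Q", body[:8])
        if seq <= self.last_seq:
            return "rejected: replayed or reordered", None
        self.last_seq = seq
        return "accepted", body[8:]

def demo() -> list:
    """Run constructed frames through one receiver and collect the verdicts."""
    key = generate_key()
    rx = Receiver(key)
    f0 = protect(key, 0, b"pay 100 to A")  # constructed sample messages
    f1 = protect(key, 1, b"pay 250 to B")
    flipped = f1[:10] + bytes([f1[10] ^ 0x01]) + f1[11:]  # one bit changed in transit
    forged = protect(generate_key(), 2, b"pay 999 to C")  # sender lacks the shared key
    frames = [f0, f0, flipped, f1, forged]
    return [rx.accept(f)[0] for f in frames]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A strictly increasing counter also rejects frames that merely arrive out of order; protocols that must tolerate reordering typically track a window of recently seen sequence numbers instead.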

Information Security Objectives

■ Confidentiality or privacy
▪ Keeping information secret from all but those who are authorized to see it
▪ Privacy involves protecting data from unauthorized individuals while in transit or in storage
▪ When data travels across a network, especially the internet, it may travel through many intermediate organizations and their devices, such as routers
▪ During this process, data packets may be intercepted intentionally or accidentally, or misdirected, and privacy can be lost.

■ Data integrity
▪ Ensuring that information has not been altered by unauthorized or unknown means.
▪ Data integrity provides protection against alteration in an unauthorized manner since the time it was created, transmitted, or stored by an authorized source.

Information Security Objectives (Conti…)

▪ Ensuring the integrity of information requires being able to detect corruption or change to even a single bit of transferred or stored data

■ Entity authentication or identification
▪ Confirmation of the identity of an entity.
▪ Authentication deals with the confirmation of the identity of a user or device, such as an employee, customer, partner, or a smart card, before allowing access to a system or permitting the completion of a transaction.

■ Non-repudiation
▪ Preventing the denial of previous commitments or actions.
▪ Non-repudiation requires mechanisms similar to a personal signature on a cheque or contract to prevent the denial of previous commitments or actions.

Information Security Objectives (Conti…)

■ Additional information security objectives are:

■ Message authentication: validation of the source of information; also known as data origin authentication

■ Authorization: Transference to another entity of official sanction, to do or be something.

■ Validation: A means to provide timeliness of authorization to use or manipulate information or resources.

■ Access Control: restricting access to resources to privileged entities.

Information Security Objectives (Conti…)

■ Certification: Endorsement of information by a trusted entity.

■ Time-stamping: Recording the time of creation or existence of information.

■ Witnessing: Verifying the creation or existence of information by an entity other than the creator.

■ Receipt: Acknowledgement that information has been received.

■ Confirmation: Acknowledgement that services have been provided.

■ Ownership: A means to provide an entity with the legal right to use or transfer a resource to others.

Information Security Objectives (Conti…)
■ Anonymity: Concealing the identity of an entity involved in some process.

■ Revocation: Retraction of certification or authorization.

■ Availability: Assuring the data and system resources are available to authorized parties when needed.

■ Message Privacy: E-mail messages or files can be encrypted as a complete unit before transmission, using a utility or built-in browser functions.

■ Channel Privacy: Channel privacy usually requires that data sent and received through the communications channel is encrypted and decrypted at the packet level, regardless of the content.
