
Data and Network Security

1
What is Computer Security?
• The protection afforded to an automated information system in order to
attain the applicable objectives of preserving the integrity, availability and
confidentiality of information system resources (includes
hardware, software, firmware, information/data, and telecommunications)
is called Computer Security.

2
What is Computer Security?
• For some, computer security is controlling access to the
hardware, software and data of a computerized system.
• A large measure of computer security is simply keeping the
computer system's information secure.
• In broader terms, computer security can be thought of as the
protection of the computer and its resources against accidental or
intentional disclosure of confidential data, unlawful modification of
data or programs, the destruction of data, software or hardware.
• Computer security also includes the denial of use of one’s computer
facilities for criminal activities including computer related fraud and
blackmail.
• Finally, computer security involves the elimination of weaknesses or
vulnerabilities that might be exploited to cause loss or harm.

3
The Need for Computer Security
• Why the need for Computer Security?
– The value of computer assets and services
• What is the new IT environment?
– Networks and distributed applications/services
– Electronic Commerce (E-commerce, E-business)

4
The Value of Computer Assets and
Services
• Most companies use electronic information extensively to support their
daily business processes.
• Data is stored on customers, products, contracts, financial
results, accounting etc.
• If this electronic information were to become available to competitors
or to become corrupted, false or disappear, what would happen? What
would the consequences be? Could the business still function?

5
Network Security Issues
• “The network is the computer”
• Proliferation of networks has greatly increased security risks.
• Sharing of resources increases complexity of system.
• Unknown perimeter (linked networks), unknown path.
• Many points of attack.
• Computer security has to find answers to network security problems.
• Hence today the field is called Computer and Network Security.

6
Computer Security Requirements
• Secrecy
• Integrity
• Availability
• Authenticity
• Non-repudiation
• Access control

7
Secrecy (Confidentiality)
• Secrecy requires that the information in a computer system only be
accessible for reading by authorized parties.
• This type of access includes:
– Printing
– Displaying
– Other forms of disclosure, including simply revealing the existence
of an object

8
Integrity
• Integrity requires that the computer system asset can be modified
only by authorized parties.
• Modification includes:
– Writing
– Changing
– Changing status
– Deleting and
– Creating

9
More About Integrity
• Integrity: In lay usage, information has integrity when it is
timely, accurate, complete, and consistent. However, computers are
unable to provide or protect all of these qualities. Therefore, in the
computer security field, integrity is often discussed more narrowly as
having two facets: data integrity and system integrity.
• “Data integrity is a requirement that information and programs are
changed only in a specified and authorized manner.”
• System integrity is a requirement that a system “performs its intended
function in an unimpaired manner, free from deliberate or inadvertent
unauthorized manipulation of the system.”
• The definition of integrity has been, and continues to be, the subject of
much debate among computer security experts.

10
Availability
• Availability requires that computer system assets are available to
authorized parties.
• Availability is a requirement intended to assure that systems work
promptly and service is not denied to authorized users.

11
Authenticity
• Authenticity means that parties in an information service can
ascertain the identity of parties trying to access the information service.
• Also means that the origin of the message is certain.
• Therefore two types:
– Principal Authentication
– Message Authentication

12
Non-repudiation
• Originator of communications can’t deny it later.
• Without non-repudiation you could place an order for 1 million
dollars of equipment online and then simply deny it later.
• Or you could send an email inviting a friend to the dinner and then
disclaim it later.
• Non-repudiation associates the identity of the originator with the
transaction in a non-deniable way.

13
Access Control
• Unauthorized users are kept out of the system.
• Unauthorized users are kept out of places on the system/disk.
• Typically makes use of Directories or Access Control Lists (ACLs) or
Access Control Matrix
• Objects: Resources that need to be protected
• Subjects: Entities that need access to resources
• Rights: Permissions
• Each entry is a triple <subject, object, rights>
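
The slide names three representations (directories, ACLs, access control matrix) built from the same <subject, object, rights> triples. The sketch below is an added example, not part of the original slides; the subjects, objects, rights and function names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample entries, each a <subject, object, rights> triple.
TRIPLES = [
    ("alice", "payroll.db", {"read", "write"}),
    ("bob", "payroll.db", {"read"}),
    ("bob", "report.txt", {"read", "write"}),
    ("backup", "payroll.db", {"read"}),
]

def build_matrix(triples):
    """Access control matrix: one cell of rights per (subject, object) pair."""
    matrix = defaultdict(set)
    for subject, obj, rights in triples:
        matrix[(subject, obj)] |= set(rights)  # repeated triples merge
    return dict(matrix)

def is_allowed(matrix, subject, obj, right):
    """Default deny: a missing cell or a missing right grants nothing."""
    return right in matrix.get((subject, obj), set())

def acl_for(matrix, obj):
    """Column of the matrix: the ACL kept with one object."""
    return {s: sorted(r) for (s, o), r in matrix.items() if o == obj}

def directory_for(matrix, subject):
    """Row of the matrix: the directory of objects one subject may use."""
    return {o: sorted(r) for (s, o), r in matrix.items() if s == subject}

MATRIX = build_matrix(TRIPLES)
```
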

14
Type of Attacks/Threats in
Computer Systems
• A threat is a danger which could affect the security
(confidentiality, integrity, availability) of assets, leading to a potential
loss or damage.
• Interruption
• Interception
• Modification
• Fabrication

15
Type of Attacks in Computer
Systems

16
Normal Flow of Information

17
Interruption
• An asset of the system is destroyed or becomes unavailable or
unusable. This is an attack on the availability.
• Examples include destruction of a piece of hardware, such as a hard
disk, the cutting of a communication link, or the disabling of the file
management system.
• DOS - Denial of Service Attacks have become very well known.

18
Interruption

19
Interception
• Information disclosure/information leakage
• An unauthorized party gains access to an asset.
• This is an attack on confidentiality.
• The unauthorized party could be a person, a program, or a
computer.
• Examples include:
– wiretapping to capture data in a network
– the illicit copying of files or programs

20
Interception

21
Modification
• Modification is an integrity violation.
• An unauthorized party not only gains access to but tampers with an asset.
• This is an attack on the integrity.
• Examples include changing values in a data file, altering a program so that
it performs differently, and modifying the content of a message being
transmitted in a network.

22
Modification

23
Fabrication
• An unauthorized party inserts counterfeit objects into the system.
This is an attack on the authenticity.
• Examples include the insertion of spurious messages in a network or
the addition of records to a file.

24
Fabrication

25
Classification of Attacks
• Computer Security attacks can be classified into two broad
categories:
– Passive Attacks can only observe communications or data.
– Active Attacks can actively modify communications or data.
Often difficult to perform, but very powerful. Examples include:
• Mail forgery/modification
• TCP/IP spoofing/session hijacking

26
Passive Attacks and Active Attacks

27
Passive Attacks and
Active Attacks

28
Passive Attacks
• Eavesdropping on or monitoring of transmission.
• The goal of the opponent is to obtain information that is being
transmitted.
• Two types:
– Release-of-message contents
– Traffic Analysis

29
Release-of-message Contents
• Opponent finds out the contents or the actual messages being
transmitted.
• How to protect?
– Encryption
– Steganography

30
Traffic Analysis
• More subtle than release-of-message contents.
• Messages may be kept secret by masking or encryption but …
• The opponent figures out information being carried by the
messages based on the frequency and timings of the message.
• How to protect?
– Data/Message Padding
– Filler Sequences

31
Passive Attacks Problems
• Difficult to detect because there is no modification of data.
• Protection approach should be based on prevention rather than
detection.

32
Active Attacks
• Active attacks involve some sort of modification of the data stream
or the creation of a false stream.
• Four sub-categories:
– Masquerade
– Replay
– Modification of Messages
– Denial of service

33
Masquerade
• An entity pretends to be another.
• For the purpose of doing some other form of attack.
• Example: a system claims its IP address to be what it is not (IP
spoofing).
• How to protect?
– Principal/Entity Authentication

34
Replay
• First passive capture of data and then its retransmission to produce
an unauthorized effect.
• Could be disastrous in case of critical messages such as
authentication sequences, even if the password were encrypted.
• How to protect?
– Time stamps
– Sequence Numbers

35
Modification of Messages
• Some portion of a legitimate message is altered or messages are
delayed or reordered to produce an unauthorized effect.
• How to protect?
– Message Authentication Codes
– Chaining
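
The protections listed on the Replay and Modification of Messages slides (time stamps, sequence numbers, message authentication codes) can be combined in one receiver check. The following is an added example, not part of the original slides; the frame layout, HMAC-SHA256, the 30-second window, the key and all names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # constructed sample key, shared by both sides
MAX_SKEW = 30                   # assumed: seconds a time stamp may be off
HDR, TAG = 16, 32               # header (seq + time stamp) and MAC sizes

def seal(key, seq, ts, payload):
    """Sender: sequence number and time stamp, payload, then the MAC."""
    header = struct.pack(">QQ", seq, ts)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

class Receiver:
    def __init__(self, key):
        self.key = key
        self.last_seq = 0       # highest sequence number accepted so far

    def accept(self, frame, now):
        """Return (verdict, payload); payload is None unless verdict is 'ok'."""
        if len(frame) < HDR + TAG:
            return "malformed", None
        header, payload, tag = frame[:HDR], frame[HDR:-TAG], frame[-TAG:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad-mac", None   # altered in transit; header not trusted
        seq, ts = struct.unpack(">QQ", header)
        if abs(now - ts) > MAX_SKEW:
            return "stale", None     # captured earlier, replayed much later
        if seq <= self.last_seq:
            return "replay", None    # replayed inside the time window
        self.last_seq = seq          # advance only for authentic frames
        return "ok", payload

def demo():
    """Run constructed frames through one receiver and collect verdicts."""
    rx, now = Receiver(KEY), 1_700_000_000
    first = seal(KEY, 1, now, b"PAY 100 TO ALICE")
    out = [rx.accept(first, now)[0]]
    out.append(rx.accept(first, now + 5)[0])           # same frame again
    altered = bytearray(seal(KEY, 2, now, b"PAY 100 TO ALICE"))
    altered[20] ^= 0x01                                # flip one payload bit
    out.append(rx.accept(bytes(altered), now + 6)[0])
    out.append(rx.accept(seal(KEY, 2, now, b"PAY 5 TO BOB"), now + 600)[0])
    out.append(rx.accept(seal(KEY, 2, now + 7, b"PAY 5 TO BOB"), now + 7)[0])
    return out
```

The MAC is verified before the sequence number is read, so a forged frame can neither be accepted nor advance the receiver's counter.
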

36
Denial of Service - DOS
• Prevents the normal use or management of communication facilities.
• Such attacks have become very common on the Internet especially
against web servers.
• On the Internet remotely located hackers can crash the TCP/IP
software by exploiting known vulnerabilities in various
implementations.
• One has to constantly look out for software updates and security
patches to protect against these attacks.

37
Problems with Active Attacks
• Easy to detect but difficult to prevent.
• Efforts are directed to quickly recover from disruption or delays.
• The good thing is that detection will have a deterrent effect.

38
How Threats Affect Computer Systems
• Hardware
– Interruption (Denial of Service)
– Interception (Theft)
• Software
– Interruption (Deletion)
– Interception (Theft)
– Modification (Malicious Code)
• Data
– Interruption (Loss)
– Interception (Eavesdropping)
– Modification
– Fabrication

39
A Model for Network Security

40
Security Protocols
• A protocol is a series of steps, involving two or more
parties, designed to accomplish a task.
– Everyone involved in a protocol must know the protocol and all
of the steps to follow in advance.
– Everyone involved in the protocol must agree to follow it.
– The protocol must be unambiguous; each step must be well
defined and there must be no chance of misunderstanding.
– The protocol must be complete; there must be a specified action
for every possible situation.
– It should not be possible to do more or learn more than what is
specified in the protocol.

41
Security Protocol Layers
• Application: Email - S/MIME
• Presentation
• Session: SSL
• Transport
• Network: IPSec
• Datalink: PPP - ECP
• Physical
• Physical network: Encrypting NIC at each end
• The further down you go, the more transparent it is.
• The further up you go, the easier it is to deploy.

42
Security Services Provided by
Security Protocols
• Access control: Protects against unauthorized use.
• Authentication: Provides assurance of someone's identity.
• Confidentiality: Protects against disclosure to unauthorized
identities.
• Integrity: Protects from unauthorized data alteration.
• Non-repudiation: Protects against originator of communications
later denying it.

43
Security Mechanisms
• Three basic building blocks are used:
– Encryption is used to provide confidentiality, can provide
authentication and integrity protection.
– Digital signatures are used to provide authentication, integrity
protection, and non-repudiation.
– Checksums/hash algorithms are used to provide integrity
protection, can provide authentication.
• One or more security mechanisms are combined to provide a
security service/protocol.

44
Services, Mechanisms, Algorithms
• A typical security protocol provides one or more security services
(authentication, secrecy, integrity, etc.)
• Services are built from mechanisms.
• Mechanisms are implemented using algorithms.

• Services (Security Protocols): SSL
• Mechanisms: Signatures, Encryption, Hashing
• Algorithms:
– Signatures: DSA, RSA
– Encryption: RSA, DES
– Hashing: SHA1, MD5


45
Services, Mechanisms, Algorithms
• Security Protocols (Services)
– Standards-based Security Protocols: SSL, IPSec
– Proprietary Security Protocols: PrivateWire, Big Brother
• Mechanisms: Encryption, Signature, Hashing, Key Exchange
• Algorithms (symmetric and asymmetric): DES, AES, RSA, ECC, DSA, MD-5,
SHA-1, DESMAC, Diffie-Hellman

46
Encryption and Security
• Encryption is a key enabling technology to implement computer
security.
• But Encryption is to security like bricks are to buildings.
• In the next module we will study encryption in detail.

47
Computer security is based on eight
major elements:
1. Computer security should support the mission of the organization.
2. Computer security is an integral element of sound management.
3. Computer security should be cost-effective.
4. Computer security responsibilities and accountability should be made
explicit.
5. System owners have computer security responsibilities outside their
own organizations.
6. Computer security requires a comprehensive and integrated approach.
7. Computer security should be periodically reassessed.
8. Computer security is constrained by societal factors.

48
Typical Security Solutions and
Technologies
• Physical security
• Encryption
• Access control
• Automatic call back
• Node authentication
• Differentiated access rights
• Antivirus software
• Public Key Infrastructure
• Firewalls
• User authentication
• Passwords and passphrases
• Challenge-response systems
• Token or smart cards
• Exchange of secret protocol
• Personal characteristics - Biometrics

49
THANK YOU!

50
