
SECURITY in IT

~Shikhar Agarwal
DEFINITION
• Computer security is a branch of computer
science that addresses enforcement of 'secure'
behavior on the operation of computers.

• The definition of 'secure' varies by application,
and is typically defined implicitly or explicitly by a
security policy that addresses confidentiality,
integrity and availability of electronic information
that is processed by or stored on computer
systems.
Security in IT context

• Physical Security
– Prevent users from accessing facility, resource or information stored on physical media
• Computing Security
– Secure computer and networks from malicious use.
• Information Security
– Prevent unauthorized and unwarranted access of data or information in any form
Information Security
What Information Security means

• Confidentiality
• Availability
• Non-repudiation
• Integrity
• Digital Credentials
• Authentication
• Auditing
• Risk assessment
• Compliance/Regulations
• Administration
• Governance
Common Fraudulent Practices
Online Fraud

Common types of fraud

Phishing

Identity theft

Man-In-the-Middle Attacks

Denial of Service (DoS)

Password Attack

Data Theft
Securing Systems
To Secure Systems we need

– Physical Security

– Technological Security

– Policies and Procedures


Securing Systems (cont’d)
• Technological security is just one part of the security problem

• Physical security of systems is important
– Only right people (authorized users) have access to the systems
– First priority is to make systems physically secure

• Technological Security
– Network security:
• To secure systems over network
• Only valid packets delivered to web server
– Application security: Web servers, Apps are secure
– Operating system security

• Policies and Procedures
– Ensure systems are secure overall
– Every employee should be asked not to give out passwords
• To anybody within or outside organization
– For example n-strikes policies for passwords
– Document Shredding
• Sensitive papers to be shredded
Key Security Concepts
Key Security Concepts
• Authentication
• Authorization
• Confidentiality
• Data/Message Integrity
• Accountability
• Availability
• Non-Repudiation
Key Concepts

1. Authentication
Authentication
• Authentication
– Verifies identity
– is a process by which an entity proves that it is
who it claims to be
• Three general ways of authentication:
– Something we know (e.g., Passwords)
– Something we have (e.g., Tokens)
– Something we are (e.g., Biometrics)
Something we KNOW
• Something we know
– Example:
• Passwords, Pass phrase, PIN

• Pros
– Simple to implement
– Simple for us to understand
• Cons
– Easy to crack (unless we choose strong ones)
• A hacker can try common login names, concatenations of
words, etc.
• We need to be forced to choose strong passwords, for
example by setting password policies
– Passwords are reused many times
• Each time we enter a password to access the system,
the attacker can listen in
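
The password policy and the n-strikes policy mentioned in these slides, as an added Python example that is not part of the original deck. The 12-character minimum, the three-strike limit, the 15-minute lockout and the short common-password list are assumptions chosen for illustration.

```python
import time

MAX_STRIKES = 3          # assumed value of "n" in the n-strikes policy
LOCKOUT_SECONDS = 900    # assumed lockout duration (15 minutes)
COMMON = {"password", "123456", "qwerty", "letmein"}  # constructed sample list

def policy_violations(password, login_name):
    """Return the list of policy rules the candidate password breaks."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if password.lower() in COMMON:
        problems.append("on the common-password list")
    if login_name and login_name.lower() in password.lower():
        problems.append("contains the login name")
    return problems

class StrikeCounter:
    """Locks an account after MAX_STRIKES consecutive failed logins."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = {}      # login name -> consecutive failures
        self.locked_until = {}  # login name -> time the lock expires

    def is_locked(self, name):
        return self.clock() < self.locked_until.get(name, 0.0)

    def record(self, name, success):
        """Record one attempt; return True if the login is accepted."""
        if self.is_locked(name):
            return False  # even a correct password is refused while locked
        if success:
            self.failures.pop(name, None)
            return True
        self.failures[name] = self.failures.get(name, 0) + 1
        if self.failures[name] >= MAX_STRIKES:
            self.locked_until[name] = self.clock() + LOCKOUT_SECONDS
            self.failures.pop(name, None)
        return False
```

The lock expires on its own because a permanent lock would let anyone who knows a login name deny service to its owner, which trades guessing resistance against availability.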
Something we HAVE – A Token

• Smart Cards
• ATM Cards

• SecurID

• USB Tokens
Something we ARE
• Biometrics
– Techniques used:
• Palm scan
• Retinal scan
• Iris scan
• Fingerprint
• Voice Id
• Facial Recognition
• Signature Dynamics
– Pros
• Provides a strong authentication solution
– Raise the bar for authentication
– Cons
• Difficulty in terms of deployment and management
• Social acceptance
• Key management
– If a bad guy is able to copy a fingerprint – then how are the secret pieces of info
actually managed?
Two Factor Authentication
• Two Factor Authentication (T-FA) requires two independent
ways to establish identity and privileges
• Combination of “what we know” and “what we have” factors
– Example: ATM Cards
– What we have + What we know
Types of Authentication
• Person to computer

• Computer to Computer

• There are three types of authentication
– Server Authentication – who is the client
– Client Authentication – who is the server
– Mutual Authentication (Client and Server)

• Authenticated user is the “Principal”


Server Authentication
• Server authentication is the process in which the
server authenticates to the client, thus helping the
client to verify the server

• Server authentication is very important in Financial
Institutions and Home Banking systems
– Example: Personal Assurance Message (PAM),
which identifies the server to the user, and helps
prevent phishing attacks
Client Authentication
• Client authentication involves proving the identity of
the client to a server on the web

• Client generally communicates with the server
using Hypertext Transfer Protocol (HTTP)

• HTTP being a stateless, sessionless protocol, the
client must provide an authentication token
Mutual Authentication
• Mutual authentication refers to a client/user
authenticating themselves to the server and that
server authenticating itself to the user in such a
way that both parties are assured of the other’s
identity

• This is done for a client process and a server
process without user interaction
Key Concepts
2. Authorization
Authorization

• Authorization is the process of granting or
denying a user's access to a resource

• Authorization is the step after authentication,
in which the users' access to various systems
is based on the permissions granted to them
Key Concepts
3. Confidentiality
Confidentiality
• Protecting the communication/data from the unintended recipients
• Keep the contents of the communication secret by using a shared secret
between the communicating parties

• Confidentiality can be achieved through
– Cryptography
– Access Controls
– Database views
[Figure: a shared key held by each of the communicating parties]
Key Concepts
4. Message/Data Integrity
Message/Data Integrity
• Data integrity is the process of ensuring
non-alteration of data during transit

• Techniques used to check the data integrity are
– Hashing algorithms
– Checksums
– Message Authentication Codes (MAC)
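
How the three techniques listed above differ, as an added Python example that is not part of the original deck. The key, the messages and the function names are constructed for illustration. A checksum and an unkeyed hash both catch accidental corruption, but only the MAC still fails when someone rewrites the message and recomputes the tags without knowing the key.

```python
import hashlib
import hmac
import zlib

KEY = b"constructed-demo-key"  # assumed shared secret, known to sender and receiver only

def protect(message):
    """Sender side: compute the three kinds of integrity tag for a message."""
    return {
        "crc32": zlib.crc32(message),                                 # checksum
        "sha256": hashlib.sha256(message).hexdigest(),                # unkeyed hash
        "hmac": hmac.new(KEY, message, hashlib.sha256).hexdigest(),   # MAC
    }

def verify(message, tags):
    """Receiver side: report which tags still match the received message."""
    fresh = protect(message)
    return {
        "crc32": fresh["crc32"] == tags["crc32"],
        "sha256": hmac.compare_digest(fresh["sha256"], tags["sha256"]),
        "hmac": hmac.compare_digest(fresh["hmac"], tags["hmac"]),
    }

def modify_in_transit(new_message, tags):
    """Model a party on the path who lacks KEY: the unkeyed tags can be
    recomputed for the replacement message, the MAC cannot."""
    forged = dict(tags)
    forged["crc32"] = zlib.crc32(new_message)
    forged["sha256"] = hashlib.sha256(new_message).hexdigest()
    return new_message, forged
```

When the checksum or hash travels with the data over the same channel, it protects only against accidental change; a MAC (or a digital signature) is what detects deliberate alteration.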
Key Concepts
5. Accountability
Accountability
• Logging & Audit Trails
– Logging all the activities carried out by the system user
– Auditing is a surveillance mechanism that watches over
access to all sensitive information contained within the
database
• Requirements to implement Logging and Audit Trails
– Secure Time stamping (OS vs. Network)
– Data integrity in logs / audit trails
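
One way to meet the "data integrity in logs" requirement, as an added Python example that is not part of the original deck: each audit entry carries a keyed tag that also covers the previous entry's tag, so an edited or removed entry breaks the chain. The key, field names and sample entries are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

LOG_KEY = b"constructed-audit-key"  # assumed: stored away from the logged host
GENESIS = "0" * 64                  # "previous tag" value for the first entry
FIELDS = ("ts", "user", "action", "prev")

def _tag(body):
    """Keyed tag over the entry's fields in a canonical JSON encoding."""
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(LOG_KEY, data, hashlib.sha256).hexdigest()

def append(log, timestamp, user, action):
    """Append an entry whose tag covers its fields and the previous entry's tag."""
    prev = log[-1]["tag"] if log else GENESIS
    body = {"ts": timestamp, "user": user, "action": action, "prev": prev}
    log.append({**body, "tag": _tag(body)})

def first_bad_entry(log):
    """Return the index of the first entry that fails verification, or None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: entry[k] for k in FIELDS}
        if entry["prev"] != prev or not hmac.compare_digest(_tag(body), entry["tag"]):
            return i
        prev = entry["tag"]
    return None
```

Removing entries from the end of the log is not detected by the chain alone; that needs the latest tag (or an entry count) recorded somewhere the log writer cannot modify.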
Key Concepts

6. Availability
Availability
• The period for which the system / network is
available to the user
– Example
• Dial tone availability, System Downtime limit,
Web server response time
• Solutions
– Add redundancy to eliminate single point of
failure
– Impose limits on what legitimate users can use
Key Concepts

7. Non-Repudiation
Non-Repudiation
• Non-repudiation provides evidence of the message
source, so that the sender cannot refuse its origin.

• Generate evidence / receipts (digitally signed
documents)
Privileges
Privileges
• A privilege in a computer system is a permission to perform an
action.
• Privileges can be
– Automatic
– Granted
– Applied for
• Examples of various privileges include
– the ability to create a file in a directory
– to read or delete a file
– access a device
– have read or write permission to a socket for communicating
over the Internet
Principle of least privilege

• A user/computer program is given the least
amount of privileges necessary to accomplish
his/its task.
• Example:
– Use of Valet keys in the car
• Allows the valet only to start the car and drive down to the
parking lot, these keys do not allow the valet to access the
store part in the car where the valuables are kept.
• The idea of the valet key is to provide access only to the
required resources
Secure Defaults
• Only enable the 20% of the product's features
that will be used by 80% of the users

• Harden systems – switch off all
unnecessary services by default
Cryptography
What is Cryptography?
• The conversion of data into a secret code for protection
of privacy using a specific algorithm and a secret key
• The original text, or “plaintext”, is converted into a
coded equivalent called “ciphertext” via an encryption
algorithm
• Cryptography is used in many software security
systems to achieve a high level of security
• The ciphertext can only be decoded (decrypted) using
a predefined secret key
