KKKT4173: NETWORK &

SECURITY
INTRO
DR. NOR FADZILAH ABDULLAH
JKEES, FKAB
 COURSE SYNOPSIS

• The course gives a broad understanding for implementing security services

based on cryptography in today's communication networks. Topics covered
include conventional and modern cryptography techniques and their
application to network services, such as confidentiality, integrity,
authentication, and non-repudiation. The strength of today's ciphers and
their implementations on the communication system will be analysed. It will
also cover its usage in the implementation and configuration of firewalls in
depth; design, implementation and configuration of intrusion detection
systems; prevention systems; advanced network security architectures;
advanced wireless security: principle and practice; security in trusted-based
computing environments.

2
 BOOKS
• STALLINGS, W., CRYPTOGRAPHY AND • TANENBAUM & WETHERALL, COMPUTER
NETWORK SECURITY, 6TH EDITION, NEW NETWORKS, 5TH EDITION. MASSACHUSETTS:
JERSEY, PRENTICE HALL, 2013. PRENTICE HALL, 2010.

3
 COURSE STRUCTURE

No. Topic
1 Introduction to Network & Security
2 Classical Encryption Techniques
3 Block Ciphers: DES and AES
4 Public-Key Cryptography and RSA
5 Message Authentication, Hash Functions and MAC.
6 Digital Signatures
7 Key Management & Distribution, User Authentication

4
 THE DANGER:
WHY NETWORKS AND DATA ARE
ATTACKED
 WAR
STORIES
HIJACKED PEOPLE
 A hacker set up an open “rogue” wireless hotspot posing as a legitimate wireless
network.

 A customer logged onto her bank’s website.

 The hacker hijacked her session.

 The hacker gained access to her bankaccounts.

https://www.youtube.com/watch?v=zcmmFQGxMNU
 WAR STORIES
RANSOMED COMPANIES
 An employee receive an email from his CEO,containing an attached
PDF.

 Ransomware is installed on the employee’s computer.

 Ransomware gathers and

encrypts corporate data.
 The attackers hold the company’s
data for ransom until they are paid.

https://www.youtube.com/watch?v=4gR562GW7TI
 WAR
STORIES
TARGETED
NATIONS
 Stuxnet Worm

• Infiltrated Windows operating systems.

• Targeted Step 7 software that controls programmable logic controllers (PLCs) to damage
the centrifuges in nuclear facilities.
• Transmitted from the infected USB drives into the PLCs eventually damaging many
cetrifuges.
• Zero Days, a film released in 2016, attempts to document the development and
deployment of the Stuxnet targeted malware attack
EXAMPLE : FAKE EMAIL

9
EXAMPLE : FAKE WEBSITE

10
 RECENT ATTACKS (E.G.)

http://www.ibtimes.com/google-malaysia-website-apparently-hacked-company-
says-dns-attack-1880764
 RECENT ATTACKS (E.G.)

http://www.theguardian.com/technology/2013/oct/03/adobe-hacking-data-
breach-cyber-attack
 13
https://www.theguardian.com/technology/2016/aug/31/dropbox-hack-
passwords-68m-data-breach
 14

https://techcrunch.com/2016/06/08/twitter-hack/
 15

http://fortune.com/2016/09/22/yahoo-hack-qa
 JUST WAITING FOR TROUBLE?

http://www.prweb.com/releases/2015/01/prweb12456779.htm
SAFEGUARDS

17
• The NIST computer security handbook defines the term computer
security as:
“The protection afforded to an automated information system in order to
attain the applicable objectives of preserving the integrity, availability
and confidentiality of information system resources” (includes hardware,
software, firmware, information/data, and telecommunications)
 SECURITY OBJECTIVES
Confidentiality
• Data confidentiality
• Assures that private or confidential information is not made available or
disclosed to unauthorized individuals
• Privacy
• Assures that individuals control or influence what information related to them
may be collected and stored and by whom and to whom that information may
be disclosed

Integrity
• Data integrity
• Assures that information and programs are changed only in a specified and
authorized manner
• System integrity
• Assures that a system performs its intended function in an unimpaired manner,
free from deliberate or inadvertent unauthorized manipulation of the system

Availability
• Assures that systems work promptly and service is not denied to
authorized users
 CONFIDENTIALITY

• For storage of information

• E.G. An organization needs to guard against malicious actions that
endanger the confidentiality of sensitive information such as income
tax return, salary slips

• For transmission of information.

• When we send a piece of information to be stored in a remote
computer or when we retrieve a piece of information from a remote
computer, we need to conceal it during transmission.
 INTEGRITY

• Information needs to be changed constantly. Integrity implies

changes need to be done only by authorized entities and through
authorized mechanisms  data integrity (content) and origin
integrity (authenticated source)
• In a bank, when a customer deposits or withdraws money, the balance
of her account needs to be changed.
• Integrity violation is not necessarily the result of a malicious act;
an interruption in the system, such as a power surge, may also
create unwanted changes in some information.
 AVAILABILITY

• The information created and stored by an organization needs to be

available to authorized entities. Information is useless if it is not
available.
• Information needs to be constantly changed, which means it must be
accessible to authorized entities.

• The unavailability of information is just as harmful for an organization

as the lack of confidentiality or integrity.
• Imagine what would happen to a bank if the customers could not access
their accounts for transactions.
 HOW TO REACH THE GOALS?

• Privacy can be achieved by either encryption or steganography or a

combination of both.
• Authentication is realized by username and password according to
logging on to a system and by a digital signature according to
messages.
• Integrity is shown by a valid hash value that might be integrated into a
digital signature.

23
 POSSIBLE ADDITIONAL CONCEPTS:

Authenticity Accountability
• Verifying that users are • The security goal that
who they say they are generates the
and that each input requirement for actions
arriving at the system of an entity to be traced
came from a trusted uniquely to that entity
source
BREACH OF SECURITY LEVELS OF IMPACT

• The loss could be expected to have a severe or

High catastrophic adverse effect on organizational
operations, organizational assets, or individuals

• The loss could be expected to have a

Moderate serious adverse effect on
organizational operations,
organizational assets, or individuals

• The loss could be expected

to have a limited adverse
Low effect on organizational
operations, organizational
assets, or individuals
 EXAMPLE 1: SECURITY REQUIREMENTS

ATM system:
• Confidentiality: high impact (the system must keep personal
identification numbers, both in the host system and during transmission
for a transaction).

• Integrity: high impact (must protect the integrity of account records and
of individual transactions).
• Availability:
• host system: medium impact (important to the economic well being
of the bank, but not to its trustee/fiduciary responsibility).
• individual teller machines: low impact.
26
 EXAMPLE 2: SECURITY REQUIREMENTS

Telephone switching system:

• Confidentiality: high impact (must preserve the confidentiality of
individual calls, preventing one caller from overhearing another)

• Integrity:
• individual transactions: low impact (lasting damage will not be
incurred by occasionally losing a call or billing record).
• control programs and configuration records: high impact (switching
function would be defeated without it).
• Availability: high impact (to ensure switching function would not be
compromised)

27
 EXAMPLE 3: SECURITY REQUIREMENTS

A power plant contains a SCADA (supervisory control and data

acquisition) system controlling the distribution of electric power for a
large military installation. The SCADA system contains:
• real-time sensor data acquired by the SCADA system:
• Confidentiality: low/no potential impact.
• Integrity: high impact.
• Availability: high impact.

• routine administrative information processed by the system:

• Confidentiality: low impact.
• Integrity: low impact.
• Availability: low impact.

28
 EXAMPLE 4: SECURITY REQUIREMENTS

Desktop publishing system used to produce documents for various

organizations
• Confidentiality: important requirement if it is being used to publish
corporate proprietary material.

• Integrity: important requirement if it is being used to publish laws or

regulations documents.
• Availability: important requirement if it is being used to publish a daily
paper.

29
COMPUTER SECURITY CHALLENGES
• Security is not simple • Security mechanisms typically involve
• Potential attacks on the more than a particular algorithm or
security features need to be protocol
considered • Security is essentially a battle of wits
• Procedures used to provide between a perpetrator and the
particular services are often designer
counter-intuitive • Little benefit from security investment
is perceived until a security failure
• It is necessary to decide where
occurs
to use the various security
mechanisms • Strong security is often viewed as an
impediment to efficient and user-
• Requires constant monitoring
friendly operation
• Is too often an afterthought
 OSI SECURITY ARCHITECTURE: FOCUS
AREAS
• Security attack
• Any action that compromises the security of information owned by an
organization

• Security mechanism
• A process (or a device incorporating such a process) that is designed to detect,
prevent, or recover from a security attack

• Security service
• A processing or communication service that enhances the security of the data
processing systems and the information transfers of an organization
• Intended to counter security attacks, and they make use of one or more security
mechanisms to provide the service
THREATS AND ATTACKS (RFC 4949)
 THREAT ACTORS
AMATEURS
 Known as script kiddies.

 Have little or noskill.

 Use existing tools or instructions found
onthe Internet to launch attacks.
 THREAT ACTORS
HACKTIVISTS
 Protest against organizations or governments
• Post articlesand videos.
• Leak information.
• Disrupt web services with DDoS attacks.
 THREAT ACTORS
FINANCIAL GAIN
 Much hacking activity is motivated by financial
gain.
 Cybercriminals want to generate cash flow
• Bank accounts
• Personal data
• Anything else they can leverage
 THREAT ACTORS
TRADE SECRETS AND GLOBAL POLITICS

 Nation states are also interested in using

cyberspace
• Hacking othercountries
• Interfering with internal politics
• Industrial espionage
• Gain significant advantage in
international trade
 Threat Actors
HOW SECURE IS THE INTERNET OF
THINGS
 The Internet of Things (IoT)
• Connected things to improve quality of life.
• Example: fitness trackers
 How secure are these devices?
• Firmware
• Security flaws
• Updatable withpatch
 DDoS attack against domain name provider,
Dyn
• Took downmany websites.
• Compromised webcams, DVRs, routers, and
other IoT devices formed abotnet.
• The hacker controlled botnet created the
DDoS attack that disabled essential
Internet services.

https://www.youtube.com/watch?v=BHHCvcCUOWU
 Threat Impact
PII AND PHI

 Personally identifiable information (PII) is any

information that can be used to positively identify
an individual.
• Examples of PII include: Name, Social security
number, Birthdate, Credit card numbers, Bank
account numbers, Government-issued ID, Address
information (street, email, phone numbers)
• This information is sold on the dark web.
• Create fake accounts, such as credit cards and
short-term loans.
 Protected Health Information (PHI) – A subset of PII:
• Creates and maintains electronic medical records
(EMRs)
• Regulated by Health Insurance Portability and
Accountability Act (HIPAA)
 The economic impact of cyberattacks is difficult to ascertain with
precision; however, according to an article in Forbes, it is
estimated that businesses lose $400 billion annually to
cyberattacks.

https://www.forbes.com/sites/stevemorgan/2015/11/24/ibms-ceo-on-hackers-
cyber-crime-is-the-greatest-threat-to-every-company-in-the- 39

world/#7f4eaff73f07
 THREAT IMPACT
LOST COMPETITIVE
ADVANTAGE
 Could result in lost competitive
advantage.
• Corporate espionage in cyberspace.
• Loss of trust that comes when a
company is unable to protect its
customers’personal data.
 Threat Impact
POLITICAL AND NATIONAL
SECURITY

 In 2016, a hacker published PII of

20,000 U.S. FBI employees and 9,000
U.S. DHS employees.
 Stuxnet worm was designed to
impede Iran’s progress in
enriching uranium
• Example of network attack
motivated by national security
concerns
 Cyberwarfare is a serious possibility.
 The Internet has become essential as a
medium for commercial and financial
activities.
• Disruption can devastate a nation’s
economy and the safety of its citizens.
 BECOMING A DEFENDER
CERTIFICATIONS

 A variety of cybersecurity certifications are available:

• CCNA Cyber Ops
• CompTIA Cybersecurity Analyst Certification (CSA+)
• (ISC)² Information Security Certifications (including CISSP)
• Global Information Assurance Certification (GIAC)
 OSI NETWORK STACK AND
ATTACKS
em ail,W eb,N FS Sendm ail, FTP , NFS bugs
application
presentation
RP C R P C w orm s, portm apper ex ploits
session
TCP SYN flooding, RI P attack s,
transport sequence num ber prediction
IP I P sm urfing and other
netw ork
802.11 address spoofing attack s
data link W EP attack s
physical

Only as secure as the single w eak est layer…

NFS: network file system, RPC: remote procedure call
 SECURITY ATTACKS
•A means of classifying security
attacks, used both in X.800 and RFC
4949:
•A passive attack attempts to learn
or make use of information from the
system but does not affect system
resources
•An active attack attempts to alter
system resources or affect their
operation
 PASSIVE ATTACKS
• Are in the nature of
eavesdropping/snooping on,
or monitoring of, transmissions
• Goal of the opponent is to Release of • prevent an opponent from
obtain information that is learning the contents of
message sensitive/confidential
being transmitted contents transmissions
• Very difficult to detect
because do not alter data
Traffic • Analyse traffic to predict
• Requires encipherment analysis nature of communication
techniques
 EXAMPLE: PASSIVE ATTACK

• Release of message contents

• A file transferred through the internet may contain
confidential information. An unauthorized entity may
intercept the transmission and use the contents for her own
benefit.

• Traffic analysis
• Find the electronic address (such as the e-mail address) of
the sender or the receiver, collect pairs of requests and
responses to guess the nature of the transaction.
 ACTIVE ATTACKS
• Involve some modification of the • Takes place when one entity
Masquerade pretends to be a different entity
data stream or the creation of a / Spoofing • Usually includes one of the other
forms of active attack
false stream
• Difficult to prevent because of the • Involves the passive capture of a
wide variety of potential physical, data unit and its subsequent
Replay retransmission to produce an
software, and network unauthorized effect
vulnerabilities
• Some portion of a legitimate
• Goal is to detect attacks and to Modification message is altered, or messages
recover from any disruption or of messages are delayed or reordered to
produce an unauthorized effect
delays caused by them

Denial of • Prevents or inhibits the normal

use or management of
service communications facilities
 SECURITY THREATS

S D

normal transmission

S D S D S D S D

A
A A A

interruption interception modification forgery

48
 ACTIVE AND PASSIVE THREATS

passive threats active threats

interception interruption modification forgery

(secrecy / privacy) (availability) (integrity) (authenticity)

release of traffic
message analysis
contents

49
 EXAMPLES: ACTIVE ATTACKS

• Masquerading /spoofing
• An attacker might steal the bank card and PIN of a bank
customer and pretend that she is that customer (sender).
• A user tries to contact a bank, but another site pretends
that it is the bank (receiver) and obtains some information
from the user.
• Replaying
• A person sends a request to her bank to ask for payment
to the attacker, who has done a job for her. The attacker
intercepts the message and sends it again to receive
another payment from the bank.
 EXAMPLES: ACTIVE ATTACKS
• Modification
• A customer sends a message to a bank to initiate some
transaction. The attacker intercepts the message and changes the
type of transaction to benefit herself.
• Denial of service (dos)
• Client send many bogus requests to a server until the server
crashes due to heavy load.
• Intercept and delete a server’s response to a client, making the
client believe that the server is not responding.
• Bank with two servers – one server is blocked, the other provides
false information
• Intercept requests from the clients, causing the clients to send
requests many times and overload the system.
 STANDARDS
National Institute of Standards and Technology

• NIST is a U.S. federal agency that deals with measurement science, standards, and technology related to
U.S. government use and to the promotion of U.S. private-sector innovation
• Despite its national scope, NIST Federal Information Processing Standards (FIPS) and Special Publications
(SP) have a worldwide impact

Internet Society

• ISOC is a professional membership society with world-wide organizational and individual membership
• Provides leadership in addressing issues that confront the future of the Internet and is the organization home
for the groups responsible for Internet infrastructure standards

ITU-T

• The International Telecommunication Union (ITU) is an international organization within the United Nations
System in which governments and the private sector coordinate global telecom networks and services
• The ITU Telecommunication Standardization Sector (ITU-T) is one of the three sectors of the ITU and whose
mission is the development of technical standards covering all fields of telecommunications

ISO

• The International Organization for Standardization is a world-wide federation of national standards bodies
from more than 140 countries
• ISO is a nongovernmental organization that promotes the development of standardization and related
activities with a view to facilitating the international exchange of goods and services and to developing
cooperation in the spheres of intellectual, scientific, technological, and economic activity

© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.

 SECURITY SERVICES

• Defined by X.800 as:

• A service provided by a protocol layer of communicating open systems and
that ensures adequate security of the systems or of data transfers

• Defined by RFC 4949 as:

• A processing or communication service provided by a system to give a
specific kind of protection to system resources
 X.800 SERVICE CATEGORIES

• AUTHENTICATION
• ACCESS CONTROL
• DATA CONFIDENTIALITY
• DATA INTEGRITY
• NONREPUDIATION

… relates back to security objectives

 1. AUTHENTICATION

• Concerned with assuring that a communication is authentic

• In the case of a single message, assures the recipient that the message is
from the source that it claims to be from
• In the case of ongoing interaction, assures the two entities are authentic and
that the connection is not interfered with in such a way that a third party can
masquerade as one of the two legitimate parties

Two specific authentication services are defined in X.800:

• Peer entity authentication

• Data origin authentication
 2. ACCESS CONTROL
• The ability to limit and control the access to host systems and
applications via communications links
• To achieve this, each entity trying to gain access must first be
identified, or authenticated, so that access rights can be tailored to the
individual
 3. DATA CONFIDENTIALITY
• The protection of transmitted data from passive attacks
• Broadest service protects all user data transmitted between two users over a
period of time
• Narrower forms of service includes the protection of a single message or even
specific fields within a message

• The protection of traffic flow from analysis

• This requires that an attacker not be able to observe the source and destination,
frequency, length, or other characteristics of the traffic on a communications
facility
4. DATA INTEGRITY

Can apply to a stream of messages, a single

message, or selected fields within a message

Connection-oriented integrity service, one that

deals with a stream of messages, assures that
messages are received as sent with no duplication,
insertion, modification, reordering, or replays

A connectionless integrity service, one that deals

with individual messages without regard to any
larger context, generally provides protection against
message modification only
 5. NONREPUDIATION

• Prevents either sender or receiver from denying a transmitted message

(origin)
• When a message is sent, the receiver can prove that the alleged sender
in fact sent the message
• When a message is received, the sender can prove that the alleged
receiver in fact received the message
 EXAMPLE: REPUDIATION

• Denial by the sender: a bank customer asking her bank

to send some money to a third party but later denying
that she has made such a request.
• Denial by the receiver: a person buys a product from a
manufacturer and pays for it electronically, but the
manufacturer later denies having received the payment
and asks to be paid.
 Security
Services
(X.800)
 SECURITY MECHANISMS (X.800)

Specific Security Mechanisms

• Encipherment
• Digital signatures
• Access controls
• Data integrity
Pervasive Security Mechanisms
• Authentication exchange
• Traffic padding • Trusted functionality
• Routing control • Security labels
• Notarization • Event detection
• Security audit trails
• Security recovery
 Security
Mechanisms
(X.800)
MODEL 1: NETWORK SECURITY
3 Distribute/Sharing

1 Design

2 Generate 4 Agreed protocol

… 4 tasks relates to security mechanisms & services
MODEL 2: NETWORK ACCESS SECURITY

… protecting an information system from unwanted access

 UNWANTED ACCESS
• Placement in a computer system of logic (software) that exploits
vulnerabilities in the system and that can affect application programs
as well as utility programs such as editors and compilers
• Programs can present two kinds of threats:
• Information access threats
• Intercept or modify data on behalf of users who should not have access to that
data
• Service threats
• Exploit service flaws in computers to inhibit use by legitimate users
• Categories of security mechanisms for unwanted access:
• Gatekeeper function e.G. Password
• Internal controls that monitor activity and analyse stored information in an
attempt to detect the presence of unwanted intruders