
Lecture 2 - Introduction To Security



Topics
 What is security?
 Security Architecture
 Security Principles
 Security Policy
 Security Attacks / Threats
 Methods of Defense
 Security Services
 Security Mechanisms
What is Security?
 Definition:
   Security is the quality or state of being secure, that is, to be free from danger and to be protected from adversaries – from those who would do harm, intentionally or otherwise
 Information Security:
   Information Security is the protection of information and the systems and hardware that use, store, and transmit that information (by NSTISSC)
Security Area
 Detection - Tools: scanner such as virus scanner, internet scanner and Web server scanner
 Prevention - Tools: proxy, firewall
 Recovery - Tools: forensic, backup techniques, proper planning
Security Architecture

 Defined by ITU-T Recommendation X.800, which is called the OSI Security Architecture.
 Useful to managers as a way of organizing the task of providing security
 The architecture was developed as an international standard; computer and communications vendors have developed security features for their products and services that relate to the structured definition of services and mechanisms.
 Focuses on security attacks, security mechanisms and security services.
Security Principles

 Confidentiality: Prevention of unauthorized disclosure of information
 Integrity: Prevention of unauthorized modification of information
 Availability: Prevention of unauthorized withholding of information or resources
Security Policy

 Set of rules to apply to security-relevant activities in a security domain
 Levels of security policy: objectives, organizational and system.
 Key aspects of security policy: authorization, access control policy, accountability
Security Attacks / Threats
Classified by X.800 and RFC 2828 into 2:

 Passive attacks: eavesdropping or monitoring the transmissions
   Goal: to obtain information that is being transmitted
   Types: release of message contents & traffic analysis

 Active attacks: involve some modification of the data stream or the creation of a false stream
   Goal: to obtain authorization
   Categories: masquerade, replay, modification of messages & denial of service
Passive Attacks: Release of Message Contents

Read contents of message from Halim to Anita
[Figure: Internet or other communications facility]
Passive Attacks: Traffic Analysis

Observe pattern of messages from Halim to Anita
[Figure: Internet or other communications facility]
Active Attacks: Masquerade

Message from Alex that appears to be from Halim
[Figure: Internet or other communications facility]
Active Attacks: Replay

Capture message from Halim to Anita; later replay message to Anita
[Figure: Internet or other communications facility]
Active Attacks: Modification of Messages

Alex modifies message from Halim to Anita
[Figure: Internet or other communications facility]
Active Attacks: Denial of Service

Alex disrupts service provided by server
[Figure: Internet or other communications facility]
Passive Attack vs. Active Attack
 Passive Attack
   Very difficult to detect. Why?
   Feasible to prevent the success of these attacks. How?
   Emphasis in dealing with passive attacks is on prevention rather than detection. Why?

 Active Attack
   Quite difficult to prevent active attacks. Why?
   Instead, the goal is to detect active attacks and to recover from any disruption or delays caused by them.
   If the detection has a deterrent effect, it may also contribute to prevention.
Methods of Defense
 We can deal with harm that occurs when a threat is realized against a vulnerability in several ways:
   Prevent it, by blocking the attack or closing the vulnerability.
   Deter it, by making the attack harder, but not impossible.
   Deflect it, by making another target more attractive.
   Detect it, either as it happens or some time after the fact.
   Recover from its effects.
Methods of Defense: Controls
 Encryption
 Software Controls - access limitations in a database; in an operating system, protection of each user from other users
 Hardware Controls - smartcard
 Policies - frequent changes of passwords
 Physical Controls
Methods of Defense: Software Controls
 Program controls include:
   Internal program controls: parts of the program that enforce security restrictions, such as access limitations in a database management program.
   Operating system and network system controls: limitations enforced by the operating system or network to protect each user from all other users.
   Independent control programs: application programs, such as password checkers, intrusion detection utilities or virus scanners, that protect against certain types of vulnerabilities.
   Development controls: quality standards under which a program is designed, coded, tested and maintained, to prevent software faults from becoming exploitable vulnerabilities.
Methods of Defense: Hardware Controls
 Numerous hardware devices have been created to assist in providing computer security. These devices include a variety of means, such as:
   Hardware or smart card implementations of encryption
   Locks or cables limiting access or deterring theft
   Devices to verify users' identities
   Firewalls
   Intrusion detection systems
   Circuit boards that control access to storage media
Methods of Defense: Policies & Procedure Controls

 Controls can also be in place based on agreed-upon procedures or policies among users, rather than enforcing security through hardware or software means.

 Training and administration follow immediately after establishment of policies, to reinforce the importance of security policy and to ensure their proper use.
Methods of Defense: Encryption Controls

 Encryption is the formal name for scrambling data so that interpretation is meaningless without the intruder’s knowing how the scrambling was done.
 Encryption can virtually nullify the value of an interception and the possibility of effective modification or fabrication.
 It clearly addresses the need for confidentiality of data.
 It also can be used to ensure integrity.
 Encryption is the basis of protocols that enable us to provide security while accomplishing an important system or network task.
Methods of Defense: Effectiveness of Controls
 Principle of effectiveness: Controls must be used and used properly to be effective.

 There are several aspects that can enhance the effectiveness of controls:
   Awareness of problem
   Likelihood of use
   Overlapping controls
   Periodic review
Security Services
 Defined by X.800:
   A security service is a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers.

 Defined by RFC 2828:
   A processing or communication service that is provided by a system to give a specific kind of protection to system resources, where security services implement security policies and are implemented by security mechanisms.
Security Services: 5 Categories & 14 Specific Services

Data Integrity
1. Connection Integrity with Recovery
2. Connection Integrity without Recovery
3. Selective-field Connection Integrity
4. Connectionless Integrity
5. Selective-field Connectionless Integrity

Data Confidentiality
1. Connection Confidentiality
2. Connectionless Confidentiality
3. Selective-field Confidentiality
4. Traffic Flow Confidentiality

Access Control
1. Prevention of unauthorized use of a resource

Nonrepudiation
1. Nonrepudiation, Origin
2. Nonrepudiation, Destination

Authentication
1. Peer Entity Authentication
2. Data Origin Authentication
Security Services: Data Integrity
1. Connection Integrity with Recovery: Provides for the integrity of all user data on a connection and detects any modification, insertion, or replay of any data within an entire data sequence, with recovery attempted
2. Connection Integrity without Recovery: As Connection Integrity with Recovery but provides detection without recovery
3. Selective-field Connection Integrity: Provides for the integrity of selected fields within the user data of a data block transferred over a connection and takes the form of determination of whether the selected fields have been modified, inserted, deleted or replayed
4. Connectionless Integrity: Provides for the integrity of a single connectionless data block and may take the form of detection of data modification
5. Selective-field Connectionless Integrity: Provides for the integrity of selected fields within a single connectionless data block; takes the form of determination of whether the selected fields have been modified
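An added example, not part of the original slides: one way a receiver can provide the "Connection Integrity without Recovery" service, detecting the modification, insertion and replay of data units shown in the earlier active-attack slides. HMAC-SHA256, the 8-byte sequence number and the names `protect`, `Receiver` and `demo` are assumptions of this example; the key and messages are constructed.

```python
import hashlib
import hmac
import secrets
import struct

class IntegrityError(Exception):
    """Raised when a data unit fails the integrity check."""

def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender: 8-byte sequence number + payload + HMAC-SHA256 tag over both."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

class Receiver:
    """Receiver: detects modification, insertion and replay; attempts no recovery."""
    TAG_LEN = hashlib.sha256().digest_size

    def __init__(self, key: bytes):
        self.key = key
        self.next_seq = 0  # sequence number expected on this connection

    def accept(self, unit: bytes) -> bytes:
        if len(unit) < 8 + self.TAG_LEN:
            raise IntegrityError("truncated data unit")
        header, payload, tag = unit[:8], unit[8:-self.TAG_LEN], unit[-self.TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            raise IntegrityError("modified or inserted data unit (bad tag)")
        (seq,) = struct.unpack(">Q", header)
        if seq != self.next_seq:  # authentic unit, but not the one expected now
            raise IntegrityError(f"replayed or out-of-sequence data unit (seq {seq})")
        self.next_seq += 1
        return payload

def demo() -> list:
    key = secrets.token_bytes(32)  # constructed key shared by Halim and Anita
    anita = Receiver(key)
    m0 = protect(key, 0, b"pay 100 to Anita")   # constructed messages from Halim
    m1 = protect(key, 1, b"meeting at 10:00")
    results = [anita.accept(m0).decode()]
    tampered = m1[:8] + b"meeting at 11:00" + m1[24:]          # payload changed in transit
    forged = protect(b"not-the-shared-key", 1, b"pay 900 to Alex")  # made without the key
    cases = [("modified", tampered), ("inserted", forged), ("replayed", m0), ("genuine", m1)]
    for label, unit in cases:
        try:
            results.append(f"{label}: accepted {anita.accept(unit).decode()!r}")
        except IntegrityError as err:
            results.append(f"{label}: rejected, {err}")
    return results

if __name__ == "__main__":
    print("\n".join(demo()))
```

The tag alone catches modified and inserted units; the replayed unit carries a valid tag and is caught only by the sequence check, which is why the service is defined over the whole data sequence.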
Security Services: Data Confidentiality

1. Connection Confidentiality
2. Connectionless Confidentiality
3. Selective-field Confidentiality
4. Traffic Flow Confidentiality
Security Services: Authentication
1. Peer Entity Authentication: Used in association with a logical connection to provide confidence in the identity of the entities connected
2. Data Origin Authentication: In a connectionless transfer, provides assurance that the source of received data is as claimed
Security Services: Nonrepudiation

1. Non-repudiation, Origin: Proof that the message was sent by the specified party
2. Non-repudiation, Destination: Proof that the message was received by specified party
Security Mechanisms
 A security mechanism is any process (or a device incorporating such a process) that is designed to detect, prevent or recover from a security attack.

 Security mechanisms exist to provide and support security services and were defined by X.800

 Divided into two classes: those that are implemented in a specific protocol layer and those that are not specific to any particular protocol layer or security service
   Specific Security Mechanisms
   Pervasive Security Mechanisms

Security Mechanisms: Specific Security Mechanisms
 Data Integrity
 Digital Signature
 Access Control
 Routing Control

Security Mechanisms: Pervasive Security Mechanisms
 Security Audit Trail
 Security Label
 Event Detection
Lecture Summary
 In today's technology era, information security has become more important and is implemented in most organizations.

 Studying information security is also important because of the career demand in this area.

 Most of the major requirements for security services can be given self-explanatory one-word labels:
   Confidentiality, authentication, non-repudiation, integrity
Roadmap/Mind Map
