
Introduction To Information Security: Week 1 (8 Sept 2014)

This document provides an introduction to information security. It discusses key topics such as security definitions, principles, policies, attacks, threats, defense methods, services, and mechanisms. Security is defined as being free from danger and protected from adversaries. Information security protects information systems, hardware, and the data they contain and transmit. The document outlines common security trends, why attacks occur, and examples of passive and active cyber attacks. It also summarizes security architecture, principles, policies, and defense methods like controls, encryption, and policies/procedures. Finally, it defines security services and lists examples like authentication, access control, data confidentiality, integrity, and non-repudiation.

Introduction to Information Security

Lecture 1
Week 1 (8 Sept 2014)

Topics
• What is security?
• Security Architecture
• Security Principles
• Security Policy
• Security Attacks / Threats
• Methods of Defense
• Security Services
• Security Mechanisms

What is Security?
• Definition:
  ◦ Security is the quality or state of being secure, that is, to be free from danger and to be protected from adversaries – from those who would do harm, intentionally or otherwise.
• Information Security:
  ◦ Information Security is the protection of information and the systems and hardware that use, store, and transmit that information.
  By NSTISSC

Security Trends
[Figures: Why Spam?; Why Malware?; Cyber Attack Trend; May 2013 Cyber Attacks Statistics]


Security Area
• Detection – Tools: scanner such as virus scanner, internet scanner and Web server scanner
• Prevention – Tools: proxy, firewall
• Recovery – Tools: cryptography techniques, proper planning

Security Architecture
• Defined by ITU-T Recommendation X.800, which is called the OSI Security Architecture.
• Useful to managers as a way of organizing the task of providing security.
• The architecture was developed as an international standard; computer and communications vendors have developed security features for their products and services that relate to this structured definition of services and mechanisms.
• Focuses on security attacks, security mechanisms and security services.

Security Principles
• Confidentiality: prevention of unauthorized disclosure of information
• Integrity: prevention of unauthorized modification of information
• Availability: prevention of unauthorized withholding of information or resources

Security Policy
• Set of rules to apply to security-relevant activities in a security domain.
• Levels of security policy: objectives, organizational and system.
• Key aspects of security policy: authorization, access control policy, accountability.

Security Attacks / Threats
Classified by X.800 and RFC 2828 into 2:
• Passive attacks: eavesdropping or monitoring the transmissions
  ◦ Goal: to obtain information that is being transmitted
  ◦ Types: release of message contents & traffic analysis
• Active attacks: involve some modification of the data stream or the creation of a false stream
  ◦ Goal: to obtain authorization
  ◦ Categories: masquerade, replay, modification of messages & denial of service

Passive Attacks: Release of Message Contents
• Read contents of message from Halim to Anita (over the Internet or other communications facility)

Passive Attacks: Traffic Analysis
• Observe pattern of messages from Halim to Anita (over the Internet or other communications facility)

Active Attacks: Masquerade
• Message from Alex that appears to be from Halim (over the Internet or other communications facility)

Active Attacks: Replay
• Capture message from Halim to Anita; later replay message to Anita (over the Internet or other communications facility)

Active Attacks: Modification of Messages
• Alex modifies message from Halim to Anita (over the Internet or other communications facility)

Active Attacks: Denial of Service
• Alex disrupts service provided by server (over the Internet or other communications facility)

Passive Attack vs. Active Attack
• Passive Attack
  ◦ Very difficult to detect. Why?
  ◦ Feasible to prevent the success of these attacks. How?
  ◦ Emphasis in dealing with passive attacks is on prevention rather than detection. Why?
• Active Attack
  ◦ Quite difficult to prevent active attacks. Why?
  ◦ Instead, the goal is to detect active attacks and to recover from any disruption or delays caused by them.
  ◦ If the detection has a deterrent effect, it may also contribute to prevention.

Edited by: Siti Rahayu Selamat


Methods of Defense
• We can deal with harm that occurs when a threat is realized against a vulnerability in several ways:
  ◦ Prevent it, by blocking the attack or closing the vulnerability.
  ◦ Deter it, by making the attack harder, but not impossible.
  ◦ Deflect it, by making another target more attractive.
  ◦ Detect it, either as it happens or some time after the fact.
  ◦ Recover from its effects.

Methods of Defense: Controls
• Encryption
• Software Controls – access limitations in a database; in an operating system, protecting each user from other users
• Hardware Controls – smartcard
• Policies – frequent changes of passwords
• Physical Controls

Methods of Defense: Encryption Controls
• Encryption is the formal name for scrambling data so that interpretation is meaningless without the intruder’s knowing how the scrambling was done.
• Encryption can virtually nullify the value of an interception and the possibility of effective modification or fabrication.
• It clearly addresses the need for confidentiality of data.
• It also can be used to ensure integrity.
• Encryption is the basis of protocols that enable us to provide security while accomplishing an important system or network task.

Methods of Defense: Software Controls
• Program controls include:
  ◦ Internal program controls: parts of the program that enforce security restrictions, such as access limitations in a database management program.
  ◦ Operating system and network system controls: limitations enforced by the operating system or network to protect each user from all other users.
  ◦ Independent control programs: application programs, such as password checkers, intrusion detection utilities or virus scanners, that protect against certain types of vulnerabilities.
  ◦ Development controls: quality standards under which a program is designed, coded, tested and maintained, to prevent software faults from becoming exploitable vulnerabilities.

Methods of Defense: Hardware Controls
• Numerous hardware devices have been created to assist in providing computer security. These devices include a variety of means, such as:
  ◦ Hardware or smart card implementations of encryption
  ◦ Locks or cables limiting access or deterring theft
  ◦ Devices to verify users’ identities
  ◦ Firewalls
  ◦ Intrusion detection systems
  ◦ Circuit boards that control access to storage media

Methods of Defense: Policies & Procedure Controls
• Controls can also be in place based on agreed-upon procedures or policies among users, rather than enforcing security through hardware or software means.
• Training and administration follow immediately after establishment of policies, to reinforce the importance of security policy and to ensure their proper use.

Methods of Defense: Effectiveness of Controls
• Principle of effectiveness: Controls must be used and used properly to be effective.
• There are several aspects that can enhance the effectiveness of controls:
  ◦ Awareness of problem
  ◦ Likelihood of use
  ◦ Overlapping controls
  ◦ Periodic review

Security Services
• Defined by X.800:
  ◦ A security service is a service provided by a protocol layer of communicating open systems which ensures adequate security of the systems or of data transfers.
• Defined by RFC 2828:
  ◦ A processing or communication service that is provided by a system to give a specific kind of protection to system resources, where security services implement security policies and are implemented by security mechanisms.

• Authentication – assurance that the communicating entity is the one claimed
• Access Control – prevention of the unauthorized use of a resource
• Data Confidentiality – protection of data from unauthorized disclosure
• Data Integrity – assurance that data received is as sent by an authorized entity
• Non-Repudiation – protection against denial by one of the parties in a communication

Security Services: 5 Categories & 14 Specific Services
• Data Integrity
  1. Connection Integrity with Recovery
  2. Connection Integrity without Recovery
  3. Selective-field Connection Integrity
  4. Connectionless Integrity
  5. Selective-field Connectionless Integrity
• Access Control
  1. Prevention of unauthorized use of a resource
• Data Confidentiality
  1. Connection Confidentiality
  2. Connectionless Confidentiality
  3. Selective-field Confidentiality
  4. Traffic Flow Confidentiality
• Authentication
  1. Peer Entity Authentication
  2. Data Origin Authentication
• Non-repudiation
  1. Non-repudiation, Origin
  2. Non-repudiation, Destination

Security Services: Data Integrity
1. Connection Integrity with Recovery: Provides for the integrity of all user data on a connection and detects any modification, insertion, or replay of any data within an entire data sequence, with recovery attempted.
2. Connection Integrity without Recovery: As Connection Integrity with Recovery but provides detection without recovery.
3. Selective-field Connection Integrity: Provides for the integrity of selected fields within the user data of a data block transferred over a connection and takes the form of determination of whether the selected fields have been modified, inserted, deleted or replayed.
4. Connectionless Integrity: Provides for the integrity of a single connectionless data block and may take the form of detection of data modification.
5. Selective-field Connectionless Integrity: Provides for the integrity of selected fields within a single connectionless data block; takes the form of determination of whether the selected fields have been modified.

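Added example (not part of the original lecture): a minimal Python sketch of Connection Integrity without Recovery, showing how a receiver detects the replay, modification and insertion cases described above. It assumes Halim and Anita share a secret key and uses HMAC-SHA256 with a per-connection sequence number; the key, messages and the names protect, Receiver and demo are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import struct

# Assumption: Halim and Anita already share this key (constructed sample value).
KEY = b"constructed-demo-key"

def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender: frame = 8-byte sequence number | payload | 32-byte HMAC-SHA256 tag."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

class Receiver:
    """Receiver: detects modification, insertion and replay; attempts no recovery."""
    def __init__(self, key: bytes):
        self.key = key
        self.expected_seq = 0

    def accept(self, frame: bytes) -> bytes:
        if len(frame) < 8 + 32:
            raise ValueError("truncated frame")
        header, payload, tag = frame[:8], frame[8:-32], frame[-32:]
        good = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison; a wrong tag means modified or inserted data.
        if not hmac.compare_digest(tag, good):
            raise ValueError("integrity check failed")
        (seq,) = struct.unpack(">Q", header)
        # Valid tag but unexpected sequence number: replayed, deleted or reordered data.
        if seq != self.expected_seq:
            raise ValueError("sequence violation")
        self.expected_seq += 1
        return payload

def demo() -> list:
    rx = Receiver(KEY)
    f0, f1 = protect(KEY, 0, b"pay 100 to Anita"), protect(KEY, 1, b"pay 250 to Anita")
    results = [rx.accept(f0).decode(), rx.accept(f1).decode()]
    tampered = f1[:8] + b"pay 950 to Anita" + f1[-32:]  # Alex modifies the message
    forged = protect(b"not-the-shared-key", 2, b"pay 1 to Alex")  # Alex lacks the key
    for label, frame in (("replay", f0), ("modified", tampered), ("forged", forged)):
        try:
            rx.accept(frame)
            results.append(label + ": accepted")
        except ValueError as err:
            results.append(f"{label}: {err}")
    return results

if __name__ == "__main__":
    print("\n".join(demo()))
```

The tag alone catches modification and insertion; only the sequence number catches a replayed frame, because a replayed frame still carries a valid tag.
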
Security Services: Data Confidentiality
1. Connection Confidentiality
2. Connectionless Confidentiality
3. Selective-field Confidentiality
4. Traffic Flow Confidentiality

Security Services: Authentication
1. Peer Entity Authentication: Used in association with a logical connection to provide confidence in the identity of the entities connected.
2. Data Origin Authentication: In a connectionless transfer, provides assurance that the source of received data is as claimed.

Security Services: Non-repudiation
1. Non-repudiation, Origin: Proof that the message was sent by the specified party.
2. Non-repudiation, Destination: Proof that the message was received by specified party.

Security Mechanisms
• A security mechanism is any process (or a device incorporating such a process) that is designed to detect, prevent or recover from a security attack.
• Security mechanisms exist to provide and support security services and were defined by X.800.
• Divided into two classes: those that are implemented in a specific protocol layer and those that are not specific to any particular protocol layer or security services:
  ◦ Specific Security Mechanisms
  ◦ Pervasive Security Mechanisms

SECURITY MECHANISMS
• Data Integrity
• Digital Signature
• Access Control
• Routing Control

SECURITY MECHANISMS
• Security Label
• Security Audit Trail
• Event Detection

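Relationship between Security Services and Mechanisms
Mechanisms: Encipherment, Digital Signature, Access Control, Data Integrity, Authentication Exchange, Traffic Padding, Routing Control, Notarization
Service and the mechanisms marked Y for it:
• Peer Entity Authentication: Encipherment, Digital Signature, Authentication Exchange
• Data Origin Authentication: Encipherment, Digital Signature
• Access Control: Access Control
• Confidentiality: Encipherment, Routing Control
• Traffic Flow Confidentiality: Encipherment, Traffic Padding, Routing Control
• Data Integrity: Encipherment, Digital Signature, Data Integrity
• Non-repudiation: Digital Signature, Data Integrity, Notarization
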
Lecture Summary
• Due to the technology era and sophisticated cyber threats/attacks/crime today, information security has become more important and is implemented in most organizations.
• Studying information security is also important due to the career demand in this area.
• Most of the major requirements for security services can be given self-explanatory one-word labels:
  ◦ Confidentiality, Authentication, Non-repudiation, Integrity
