Introduction To IT Security.
Table of Contents
Introduction
Learning Outcomes
Learning Outcomes and Assessment Criteria
Introduction to IT Security
What does Security really mean?
Attacks on Security
Passive Attacks
Active Attacks
Security Services – What do we expect?
Authentication
Access Control
Confidentiality
Data Integrity
Nonrepudiation
Availability
Achieving Security
Encryption
Digital Signatures
Access Control
Recommended Resources
Introduction
Security is one of the most important challenges modern organizations face. It is about protecting
organizational assets, including personnel, data, equipment and networks, from attack through
the use of prevention techniques in the form of vulnerability testing/security policies and
detection techniques, exposing breaches in security and implementing effective responses.
The aim of this unit is to give students knowledge of security, the associated risks and how it has
an impact on business continuity. Students will examine security measures involving access
authorization and regulation of use. They will implement contingency plans and devise security
policies and procedures. The unit also introduces students to detection of threats and
vulnerabilities in physical and IT security, and how to manage risks relating to organizational
security.
This unit includes network security design and operational topics, including address translation,
DMZ, VPN, firewalls, AV and intrusion detection systems. Remote access will be covered, as will
the need for frequent vulnerability testing as part of organizational and security audit
compliance. As a result, students will develop skills such as communication literacy, critical
thinking, analysis, reasoning and interpretation, which are crucial for gaining employment and
developing academic competence.
Learning Outcomes
By the end of this unit students will be able to:
LO1 Assess risks to IT security
LO2 Describe IT security solutions
LO3 Review mechanisms to control organizational IT security
LO4 Manage organizational security.
Unit 5: Security
Introduction to IT Security
What does Security really mean?
Security is defined as the state of being free from danger or threat. Information security is
defined as the practice of preventing unauthorized access, use, disclosure, disruption,
modification, inspection, recording, or the destruction of information. As you can see from that
definition, there are several threats that we have to face. It’s not just about prevented someone
from stealing something –it’s much more than that.
Attacks on Security
An attack is any action that compromises the security of information owned by an
organization. At the highest level, these attacks can be broadly categorized as Passive attacks
and Active attacks.
Passive Attacks
A passive attack is one where the attacker does not attempt to modify or affect the resources on
the target system. Instead, the attacker is trying to learn information from that system.
Examples of passive attacks include eavesdropping on, or monitoring of, networks and
communications. Eavesdropping means listening in on communications and transmissions.
For example, we could use a network monitoring tool to look at the information that is
transmitted via a Wi-Fi router. If we were to listen in on and record a telephone conversation (and
possibly also release it to the public), that would be an example of a passive attack.
Active Attacks
An active attack is where the attacker attempts to alter the system (i.e. by changing data or
settings) or to affect the operation of the system. Examples of active attacks include
masquerading, replaying, modification, and denial of service.
Masquerading is where we pretend to be someone or something else, so that we can fool the
system into thinking that we are someone else. This could be useful when trying to fool the
system into granting us access to it, or if we wish to leave a false trail of evidence that points to
someone else.
1.3. Security Services – What do we expect?
1.3.1. Authentication
Authentication comes from the word ‘Authentic’, which means ‘real’. In other words, when we
communicate with someone, or receive a file from someone, we would like to know whether the
person that we are communicating with, or the file that we are receiving really did come from
who we think we are communicating with. Remember from earlier that we learnt about
masquerading, where someone pretends to be someone else. In authentication, we need to be
given an assurance that this communication or information really is authentic. One of the
simplest ways of achieving this would be to use a challenge-response system such as asking for a
password or a key-phrase and then validating that.
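The challenge-response idea described above, worked through as an added Python example (this is not code from the original unit material). The server issues a random challenge, the client answers with an HMAC of that challenge under the shared secret, and the server recomputes the answer, compares it in constant time and accepts each challenge only once, so a recorded answer cannot simply be replayed. The username, the shared secret and the 16-byte nonce length are constructed values for the example.

```python
import hashlib
import hmac
import secrets

# Constructed credential table for the example. A real server would keep one
# secret per account in protected storage rather than in source code.
SHARED_SECRETS = {"alice": b"example-shared-secret-for-alice"}
_DUMMY_SECRET = b"\x00" * 32  # keeps the work done for unknown usernames the same


def issue_challenge() -> bytes:
    """Server: a fresh, unpredictable nonce for exactly one login attempt."""
    return secrets.token_bytes(16)


def client_response(secret: bytes, challenge: bytes) -> bytes:
    """Client: prove knowledge of the secret without ever transmitting it."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def server_verify(user: str, challenge: bytes, response: bytes, used: set) -> bool:
    """Server: recompute the expected response and compare in constant time.
    Each challenge is accepted once only, so a captured response is useless
    to anyone who later replays it."""
    secret = SHARED_SECRETS.get(user, _DUMMY_SECRET)
    expected = hmac.new(secret, challenge, hashlib.sha256).digest()
    ok = (
        hmac.compare_digest(expected, response)
        and user in SHARED_SECRETS
        and challenge not in used
    )
    if ok:
        used.add(challenge)
    return ok


def demo() -> dict:
    """One honest login, one replay of the recorded answer, one wrong secret."""
    used = set()
    challenge = issue_challenge()
    answer = client_response(SHARED_SECRETS["alice"], challenge)
    second = issue_challenge()
    return {
        "honest_login": server_verify("alice", challenge, answer, used),
        "replayed_login": server_verify("alice", challenge, answer, used),
        "wrong_secret": server_verify("alice", second, client_response(b"guess", second), used),
    }


if __name__ == "__main__":
    print(demo())  # {'honest_login': True, 'replayed_login': False, 'wrong_secret': False}
```

The secret itself never crosses the wire, only a keyed digest of a value the server chose, which is what makes this stronger than sending a password in the clear; the `used` set is what turns a one-off check into protection against replay.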
1.3.3. Confidentiality
Confidential information is secret information that we do not wish for someone else to see.
Confidentiality can therefore be achieved either by hiding the information in plain sight using
steganography techniques, or by using cryptographic techniques to change the information into a format
that the normal person cannot open without the proper password or key.
1.3.4. Data Integrity
Integrity refers to the unchanging nature of something. When we refer to integrity of data, what we mean
is that it should not have changed from the point of transmitting it, to the point of receiving it. Data
integrity can be lost due to accidental situations such as power spikes in a network, and also due to attacks
such as man-in-the-middle attacks. We should therefore use mechanisms such as hashing, digital
signatures, and encryption as ways to prevent or detect this.
1.3.5. Nonrepudiation
Repudiation means the action of denying something. Nonrepudiation therefore means non-deniability.
Someone should not be able to send a message and later deny having sent it. The easiest way to enforce
nonrepudiation would be to make the digital signature compulsory when sending a transmission.
1.3.6. Availability
Availability means that a specific service should be available for use when you need it. This is the
one thing that we cannot specifically guarantee 100%, as a network service may become
unavailable due to a technical issue even when it is not under attack. This is why even web
hosting companies give you a 99.99% guarantee of uptime without ever saying 100%.
1.4. Achieving Security
There are a number of approaches that we can take in order to achieve security. These include:
1.4.1. Encryption
Also known as Enciphering and Ciphering, encryption is the process of converting a plaintext
message into a crypto text or cipher text by using an encryption algorithm together with a
password or key. Most encryption systems are two-way encryptions which means that we can
decrypt the message back into the plaintext if we have the required password or key. Popular
examples of encryption algorithms include the RSA public-key algorithm and Elliptic Curve
Cryptography (ECC).
1.4.2. Digital Signatures
Similar to a physical signature that we place on a physical document such as a letter, we can
digitally sign electronic documents and communications too. This lets us verify who really sent
us the message, and also prevents someone from fraudulently changing a message.
1.4.3. Access Control
Access control mechanisms help us to control who has access to a specific resource. The simplest
access control method is to use a username and a password, so that only authorized people can
gain entry to a system. More advanced systems can then allocate different levels of permissions
to different logins or types of logins so that we may have better control.
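The two layers described above, a username/password check followed by permission levels per type of login, as an added Python example (not code from the original unit material). Passwords are stored only as salted PBKDF2 hashes, authorization is role-based with deny-by-default, and every denial is written to an audit list so that repeated attempts are visible to monitoring. The role names, permission strings, account names and passphrases are all constructed for the example.

```python
import hashlib
import hmac
import os

# Role -> permission table. A user's effective permissions are the union of the
# permissions of their roles; any action not listed here is denied by default.
ROLE_PERMISSIONS = {
    "viewer": {"report:read"},
    "analyst": {"report:read", "report:write"},
    "admin": {"report:read", "report:write", "user:manage"},
}


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 with a per-user salt; the plaintext password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(store: dict, username: str, password: str, roles) -> None:
    salt = os.urandom(16)
    store[username] = {
        "salt": salt,
        "hash": _hash_password(password, salt),
        "roles": set(roles),
    }


def authenticate(store: dict, username: str, password: str) -> bool:
    """Layer 1: does the caller know the password for this username?"""
    record = store.get(username)
    if record is None:
        _hash_password(password, b"\x00" * 16)  # same cost whether or not the user exists
        return False
    return hmac.compare_digest(_hash_password(password, record["salt"]), record["hash"])


def permissions_for(store: dict, username: str) -> set:
    perms = set()
    for role in store.get(username, {}).get("roles", ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(store: dict, username: str, action: str, audit: list) -> bool:
    """Layer 2: is this authenticated user permitted to perform the action?
    Denials are recorded so that repeated attempts show up in monitoring."""
    allowed = action in permissions_for(store, username)
    if not allowed:
        audit.append(f"DENY user={username} action={action}")
    return allowed


def build_demo_store() -> dict:
    """Constructed accounts for the example (not real credentials)."""
    store = {}
    create_user(store, "alice", "alice-demo-passphrase", ["viewer"])
    create_user(store, "bob", "bob-demo-passphrase", ["analyst"])
    create_user(store, "carol", "carol-demo-passphrase", ["admin"])
    return store


if __name__ == "__main__":
    users = build_demo_store()
    log = []
    if authenticate(users, "alice", "alice-demo-passphrase"):
        print(is_allowed(users, "alice", "report:read", log))   # True
        print(is_allowed(users, "alice", "report:write", log))  # False
    print(log)
```

Keeping authentication and authorization as separate functions mirrors the distinction the text draws: proving who you are is one check, and what that identity may do is a second, independent one, so adding a new permission level is a table change rather than a change to the login code.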
Recommended Resources
Textbooks
Alexander, D. et al. (2020) Information Security Management Principles. BCS.
Collins, R. (2017) Network Security Monitoring: Basics for Beginners. A Practical Guide. CreateSpace Independent Publishing Platform.
Sanders, C. and Smith, J. (2013) Applied Network Security Monitoring: Collection, Detection, and Analysis. Syngress.
Steinberg, R. (2011) Governance, Risk Management, and Compliance: It Can't Happen to Us – Avoiding Corporate Disaster While Driving Success. Wiley.
Tipton, H. (2010) Information Security Management Handbook. 4th Ed. Auerbach Publications.
Web