Day1.6 InfoCyberSecurityConcepts
What is this course about?
What security is about in general?
• Security is about protection of assets
• Prevention
– take measures that prevent your assets from being
damaged (or stolen)
• Detection
– take measures so that you can detect when, how, and by
whom an asset has been damaged
• Reaction
– take measures so that you can recover your assets
Real world example
• Prevention
– locks at doors, window bars, secure the walls around
the property, hire a guard
• Detection
– missing items, burglar alarms, closed circuit TV
• Reaction
– attack on burglar (not recommended ☺), call the
police, replace stolen items, make an insurance claim
Internet shopping example
• Prevention
– encrypt your order and card number, require merchants to
do some extra checks, use a PIN even for Internet
transactions, don’t send the card number via the Internet
• Detection
– an unauthorized transaction appears on your credit card
statement
• Reaction
– complain, dispute, ask for a new card number, sue (if you
can find them, of course ☺)
– Or, pay and forget (a glass of cold water) ☺
Information security in past & present
• Traditional Information Security
– keep the cabinets locked
– put them in a secure room
– human guards
– electronic surveillance systems
– in general: physical and administrative mechanisms
• Modern World
– Data are in computers
– Computers are interconnected
Terminology
• Network and Internet Security
– measures to prevent, detect, and correct security
violations that involve the transmission of information in
a network or interconnected networks
A note on security terminology
• No single and consistent terminology in the
literature!
• Be careful not to get confused while reading papers and
books
Computer Security Terminology
• RFC 4949, Internet Security Glossary, May 2000
The global average cost of cyber crime/attacks
• 2017 Cost of Cyber Crime Study by Accenture*
– Steeper increasing trend in the recent years
* https://www.accenture.com/t20170926T072837Z__w__/us-en/_acnmedia/PDF-61/Accenture-2017-CostCyberCrimeStudy.pdf
Breakdown by Sector
• 2017 Cost of Cyber Crime Study by Accenture*
– Financial Services Sector has the Highest Cost due to Cyber Crime
* https://www.accenture.com/t20170926T072837Z__w__/us-en/_acnmedia/PDF-61/Accenture-2017-CostCyberCrimeStudy.pdf
Annual Return of Investment (RoI)
• 2017 Cost of Cyber Crime Study by Accenture*
– More or less in parallel with deployment rate
– But AI, Data Mining based novel techniques have higher RoI
– Bad performance for encryption and DLP, but they are needed
* https://www.accenture.com/t20170926T072837Z__w__/us-en/_acnmedia/PDF-61/Accenture-2017-CostCyberCrimeStudy.pdf
Security Objectives: CIA Triad and Beyond
Computer Security Objectives
Confidentiality
• Data confidentiality
• Assures that private or confidential information is not made available or
disclosed to unauthorized individuals
• Privacy
• Assures that individuals control or influence what information related to them
may be collected and stored and by whom and to whom that information may
be disclosed
Integrity
• Data integrity
• Assures that information is changed only in a specified and authorized manner
• System integrity
• Assures that a system performs its intended function in an unimpaired manner,
free from deliberate or inadvertent unauthorized manipulation of the system
Availability
• Assures that systems work promptly and service is not denied to
authorized users
Additional concepts:
Authenticity
• Verifying that users are who they say they are and that each input
arriving at the system came from a trusted source
Accountability
• Being able to trace the responsible party/process/entity in case of a
security incident or action.
Services, Mechanisms, Attacks
Attacks
• Attacks on computer systems
– break-in to destroy information
– break-in to steal information
– blocking systems from operating properly
– malicious software
• wide spectrum of problems
• Source of attacks
– Insiders
– Outsiders
Attacks
• Network Security
– Active attacks
– Passive attacks
• Passive attacks
– interception of the messages
– What can the attacker do?
• use information internally
– hard to understand
• release the content
– can be understood
• traffic analysis
– hard to avoid
– Hard to detect, try to prevent
Attacks
• Active attacks
– Attacker actively manipulates the communication
– Masquerade
• pretend to be someone else
• possibly to get more privileges
– Replay
• passively capture data and send it later
– Denial-of-service
• preventing the normal use of servers, end users, or the network
itself
Attacks
• Active attacks (cont’d)
– deny
• repudiate sending/receiving a message later
– modification
• change the content of a message
Security Services
• to prevent or detect attacks
• to enhance the security
• replicate functions of physical documents
– e.g.
• have signatures, dates
• need protection from disclosure, tampering, or
destruction
• notarize
• record
Basic Security Services
• Authentication
– assurance that the communicating entity is the one it claims
to be
– peer entity authentication
• mutual confidence in the identities of the parties involved in a
connection
– Data-origin authentication
• assurance about the source of the received data
• Access Control
– prevention of the unauthorized use of a resource
– to achieve this, each entity trying to gain access must first
be identified and authenticated, so that access rights can be
tailored to the individual
Basic Security Services
• Data Confidentiality
– protection of data from unauthorized disclosure
(against eavesdropping)
– traffic flow confidentiality is one step ahead
• this requires that an attacker not be able to observe the
source and destination, frequency, length, or other
characteristics of the traffic on a communications facility
• Data Integrity
– assurance that data received are exactly as sent by an
authorized sender
– i.e. no modification, insertion, deletion, or replay
Basic Security Services
• Non-Repudiation
– protection against denial by one of the parties
in a communication
– Origin non-repudiation
• proof that the message was sent by the specified
party
– Destination non-repudiation
• proof that the message was received by the
specified party
Relationships
• among integrity, data-origin authentication
and non-repudiation
Non-repudiation
Authentication
Integrity
Security Mechanisms
• Cryptographic Techniques
– will see next
• Software and hardware for access limitations
– Firewalls
• Intrusion Detection and Prevention Systems
• Traffic Padding
– against traffic analysis
• Hardware for authentication
– Smartcards, security tokens
• Security Policies / Access Control
– define who has access to which resources.
• Physical security
– Keep it in a safe place with limited and authorized physical access
Cryptographic Security Mechanisms
• Message Digest
– similar to encryption, but one-way (recovery not possible)
– generally no keys are used
• Digital Signatures and Message Authentication Codes
– Data appended to, or a cryptographic transformation of, a
data unit to prove the source and the integrity of the data
• Authentication Exchange
– ensure the identity of an entity by exchanging some
information
Security Mechanisms
• Notarization
– use of a trusted third party to assure certain properties
of a data exchange
• Timestamping
– inclusion of correct date and time within messages
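The message authentication code and timestamping mechanisms above, combined to provide the data integrity service (no modification, no replay), as an added example that is not part of the original slides. The pre-shared key, the 30-second window and the names `protect` and `Receiver` are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os

KEY = b"constructed-demo-key-shared-by-both-parties"  # assumption: pre-shared
MAX_SKEW = 30  # seconds a timestamp may differ from the receiver's clock


def protect(payload: dict, now: float, key: bytes = KEY) -> dict:
    """Sender: add a timestamp and a nonce, then append a MAC over all of it."""
    body = dict(payload, ts=now, nonce=os.urandom(8).hex())
    raw = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, raw, hashlib.sha256).hexdigest()}


class Receiver:
    def __init__(self, key: bytes = KEY):
        self.key = key
        self.seen = {}  # nonce -> timestamp, kept only inside the skew window

    def accept(self, msg: dict, now: float) -> str:
        raw = json.dumps(msg["body"], sort_keys=True).encode()
        expected = hmac.new(self.key, raw, hashlib.sha256).hexdigest()
        # Constant-time comparison: integrity and data-origin check.
        if not hmac.compare_digest(expected, msg["mac"]):
            return "rejected: modified or wrong origin"
        ts, nonce = msg["body"]["ts"], msg["body"]["nonce"]
        # Timestamping bounds how long a captured message stays usable.
        if abs(now - ts) > MAX_SKEW:
            return "rejected: stale timestamp"
        # Inside the window, the nonce cache catches a resent copy.
        if nonce in self.seen:
            return "rejected: replay"
        # Forget nonces older than the window; the timestamp check covers them.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        self.seen[nonce] = ts
        return "accepted"
```

The MAC alone stops modification and masquerade but not replay, because a captured message still verifies; the timestamp and nonce are what make the second copy fail.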
And the Oscar goes to …
• On top of everything, the most fundamental
problem in security is
–SECURE KEY EXCHANGE
• mostly over an insecure channel
A General Model for Network Security
Model for Network Security
Model for Network Access Security
• using this model requires us to:
– select appropriate gatekeeper functions to
identify users and processes and ensure only
authorized users and processes access designated
information or resources
– use internal controls to monitor the activity and
analyze information to detect unwanted intruders
More on Computer System Security
• Based on “Security Policies”
– Set of rules that specify
• How resources are managed to satisfy the security
requirements
• Which actions are permitted, which are not
– Ultimate aim
• Prevent security violations such as unauthorized access, data
loss, service interruptions, etc.
– Scope
• Organizational or Individual
– Implementation
• Partially automated, but mostly humans are involved
– Assurance and Evaluation
• Assurance: degree of confidence in a system
• Security products and systems must be evaluated using certain
criteria in order to decide whether they assure security or not
Aspects of Computer Security
• Mostly related to Operating Systems
• Similar to those discussed for Network Security
– Confidentiality
– Integrity
– Availability
– Authenticity
– Accountability
– Dependability
Aspects of Computer Security
• Confidentiality
– Prevent unauthorised disclosure of information
– Synonyms: Privacy and Secrecy
• any differences? Let’s discuss
• Integrity
– two types: data integrity and system integrity
– In general, “make sure that everything is as it is supposed to
be”
– More specifically, “no unauthorized modification, deletion”
on data (data integrity)
– System performs as intended without any unauthorized
manipulations (system integrity)
Aspects of Computer Security
• Availability
– services should be accessible when needed and
without extra delay
• Accountability
– audit information must be selectively kept and
protected so that actions affecting security can be
traced to the responsible party
– How can we do that?
• Users have to be identified and authenticated to have a basis
for access control decisions and to find out responsible party
in case of a violation.
• The security system keeps an audit log (audit trail) of security
relevant events to detect and investigate intrusions.
• Dependability
– Can we trust the system as a whole?
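One way to keep an audit trail "protected" as the accountability bullets require, shown as an added example that is not part of the original slides: each record commits to the previous one with a message digest, so edits, truncation and wholesale rewrites are detectable. The class and function names are hypothetical, and the scheme assumes the latest chain head is stored somewhere the log writer cannot alter.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain value before the first record


def _link(prev: str, entry: dict) -> str:
    """Digest of the previous chain value together with this entry."""
    raw = prev + json.dumps(entry, sort_keys=True)
    return hashlib.sha256(raw.encode()).hexdigest()


class AuditLog:
    """Append-only log; each record commits to the one before it."""

    def __init__(self):
        self.records = []  # list of (entry, chain_hash)

    def append(self, user: str, action: str, resource: str, allowed: bool) -> str:
        prev = self.records[-1][1] if self.records else GENESIS
        entry = {"seq": len(self.records), "user": user, "action": action,
                 "resource": resource, "allowed": allowed}
        head = _link(prev, entry)
        self.records.append((entry, head))
        return head  # assumption: the caller stores this head out of reach


def first_bad_record(records, trusted_head: str):
    """None if the log is intact; otherwise the index of the first broken
    record, or len(records) if the tail does not end at the trusted head
    (truncated log, or a rewrite with recomputed hashes)."""
    prev = GENESIS
    for i, (entry, stored) in enumerate(records):
        if entry.get("seq") != i or _link(prev, entry) != stored:
            return i
        prev = stored
    return None if prev == trusted_head else len(records)


def actions_by(records, user: str):
    """Trace security-relevant actions back to the responsible party."""
    return [(e["action"], e["resource"]) for e, _ in records if e["user"] == user]
```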
Attack Surfaces
• An attack surface consists of the reachable and
exploitable vulnerabilities in a system
• Examples:
– Open ports on outward facing Web and other servers,
and code listening on those ports
– Services available in a firewall
– Code that processes incoming data, email, XML, office
documents, etc.
– Interfaces and Web forms
– An employee with access to sensitive information
vulnerable to a social engineering attack
Attack Surface Categories
• Network attack surface
– Refers to vulnerabilities over an enterprise
network, wide-area network, or the Internet
• E.g. DoS, intruders exploiting network protocol
vulnerabilities
• Software attack surface
– Refers to vulnerabilities in application, utility, or
operating system code
• Human attack surface
– Refers to vulnerabilities created by personnel or
outsiders
– E.g. social engineering, insider traitors
Some Other Security Facts
▪ Not as simple as it might first appear to the novice
▪ Must consider all potential attacks when designing a system
▪ Generally yields complex and counterintuitive systems
▪ Battle of intelligent strategies between attacker and admin
▪ Requires regular monitoring
▪ Not considered as a beneficial investment until a security
failure occurs
▪ Actually security investments must be considered as insurance against
attacks
▪ too often an afterthought
▪ Not only from investment point of view, but also from design point of
view