The document outlines an introductory lecture on Information Security by Dr. Marwa Zamzam, covering course logistics, grading, and key concepts such as the CIA and AAA models. It discusses the importance of information security, types of attacks, and the weakest link principle in cybersecurity. The lecture also emphasizes the need for a comprehensive approach to security that includes technology, procedures, and human factors.

Information Security

Lecture 1
Introduction

Dr. Marwa Zamzam


German International University in Cairo
[email protected]
Credit
Based on
• Lecture notes of Dr. Amr ElMougy, Dr. Aliaa elbolock and Dr. Hanan Hindy
• IT Security Course of Swansea University
The IT Security Major

Information Security:
• Cryptography
• Application and Mobile Devices Security
• Digital Forensics
• Network Security
• Ethical Hacking and Penetration Testing
• Business Continuity and Risk Management
Course Logistics

Course Organization
❑Lectures:
• One lecture/week
• Course content and applied problems

❑Tutorials:
• One Tut/week
• You work under our supervision

❑Attendance in the Tutorials is mandatory for passing. Missing more than 25% of all tutorials earns you an ‘F’.
Grading Scheme

• Practical: 20%
• Final: 40%
• Quizzes: 20%
• Midterm: 20%
Support System

❑Ask for help when needed
• Email
• Office hours
❑Marwa Zamzam:
• Office: A214
• Email: [email protected]
❏ TAs:
1) Salma
2) Thomas
3) Peter
4) Mohamed Wael
Course Resources
Course Outline
Week Lectures
1 Introduction
2 Classical Crypto
3 Symmetric Encryption
4 Modes of Operation
5 Stream Ciphers
6 RSA
7 Diffie Hellman and MAC
8 Hash Functions
9 Key Management
10 User Authentication
11 Blockchains
12 Internet Security
Why Information Security?
Everyday Life
Growth of Cybercrime Costs

https://www.embroker.com/blog/cyber-attack-statistics/
Frequency of Ransomware Attacks

https://blackcell.io/frequency-of-ransomware-attacks-infographic/
Cyber Incidents by Industry
WannaCry Attack May 2017

The attackers demanded $300 worth of bitcoins and then later increased the ransom demand to $600 worth of bitcoins. If victims did not pay the ransom within three days, victims of the WannaCry ransomware attack were told that their files would be permanently deleted.

200,000 computers were infected across 150 countries.

It was estimated to cost the NHS a whopping £92 million after 19,000 appointments were canceled as a result of the attack.
Learning Objectives

By the end of this lecture, you should be able to

o Define IT Security
o Explain the CIA model
o Explain the AAA model
o Identify the general types of attacks
o Formulate the weakest link concept
What is Information Security?
What is Information Security
❑ Security is the protection of physical assets from enemies (traditional definition).

❑ Information Security is the protection of information from unauthorized access, usage, disclosure, modification, or any misuse.
Data vs. Information
❑ When talking about the value of a company’s information assets, this distinction becomes more important.
From Computer Security…
The US-based National Institute for Standards and Technology (NIST) defines Computer Security as follows:

Measures and controls that ensure confidentiality, integrity, and availability (CIA) of the information processed and stored by a computer.
… to Information Security…
The US-based National Institute for Standards and Technology (NIST) defines Information Security as follows:

The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
… to Cybersecurity
The US-based National Institute for Standards and Technology (NIST) defines Cybersecurity as follows:

Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.
Defining Cybersecurity

● Broad field that is mainly concerned with protecting the Confidentiality, Integrity, and Availability (CIA) of computing devices, networks, hardware, software, data, and information.

● Cannot be achieved through technology alone; it also involves the use of procedures, products and people.

● The CIA model and AAA model help explain the activities or key concepts of cybersecurity.
CIA Model
Confidentiality, Integrity, and Availability
Confidentiality
❑ Data confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorized individuals.

❑ Privacy: Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.
Integrity
❑ Guarantee the accuracy and reliability of data by protecting it from unauthorized modification or tampering.

❑ Measures like data integrity checks, digital signatures, and access controls contribute to maintaining data integrity.
Availability
❑ Ensure that network resources and services are consistently available to authorized users.

❑ This involves implementing measures such as redundancy, load balancing, and Distributed Denial-of-Service (DDoS) protection to mitigate disruptions and downtime.
AAA Model
Authentication, Authorization, and Accounting
AAA Model
❑ Authentication is the process of proving you are who you say you are. Identification is when you claim to be someone and authentication is when you prove it. Ensure it’s the right person!

❑ Authorization means providing the correct level of access that a user should have based on their credentials. This means that users, devices, programs and processes should be granted enough permission to do their required functions and not a single drop more. Ensure that access is to the right information!

❑ Accounting is keeping track of what users do while they are logged into a system. This helps trace back the events leading up to a cybersecurity incident.
Non-repudiation
❑ It is an extra pillar.

❑ It is the assurance that someone cannot deny the validity of something, especially their own actions.

❑ A statement's author cannot successfully dispute its authorship or the validity of an associated contract.
Types of Attacks
Types of Network Attacks
❑ Passive Attack:

The primary goal is to obtain information without the knowledge of the victim or altering the integrity of the data.

Passive attacks are often associated with confidentiality breaches.

❑ Active Attack:

Active attacks aim to compromise the integrity, availability, or authenticity of the information or the information system.

They may involve actions such as modifying data, disrupting network services, or gaining unauthorized access.
Passive attacks
❑ Release of message contents

The release of message contents is another threat that can compromise the security of a network. This occurs when sensitive or confidential information is transmitted through a telephone conversation, electronic mail, or a file transfer.
Passive attacks
❑ Traffic Analysis

Traffic analysis is a form of attack that involves monitoring the communication between two parties to gain insight into the nature of the communication. Even if the information being transmitted is encrypted, an attacker can still determine the location and identity of the communicating hosts, as well as the frequency and length of messages being exchanged.
Active attacks
❑ Masquerade

A masquerade attack is when an entity pretends to be a different entity to gain access to sensitive information. This attack is particularly dangerous if the authorization procedure is only partially secure. Masquerade attacks can be carried out in various ways, including stealing passwords and logins, finding program gaps, or bypassing the authentication process.
Active attacks
❑ Replay

A replay attack captures a message and later retransmits it to produce an authorized effect. The attacker aims to save a copy of the original data on the network and then use it for personal gain.
Active attacks
❑ Modification of Message

Modification of messages is an attack on the integrity of the original data. This attack occurs when an unauthorized party gains access to data and then alters or delays it to produce an unauthorized effect. This can include altering transmitted data packets or flooding the network with fake data.
Active attacks
❑ Denial of Service

It is when an attacker disrupts the routine use of communication facilities. This type of attack can be targeted towards a specific entity, or it can be used to disrupt an entire network by overloading it with messages.
Weakest Link Principle

“A security system is only as strong as its weakest link”
Weakest Link Principle
Cryptography is different due to the Weakest Link Property

Are Humans the Weakest Link in Cybersecurity?

Network, System, Communication
Example: Building Security

Think about your building, what security measures are in place?

Possibly a secured door:

But what about the ceiling tiles and windows? These link rooms to corridors!
... The weakest link.
Security Analysis of the Building

The locks on building doors increase the security of that particular link (the door) but not of the whole system.

Of course the locks make it slightly harder for a burglar, and also for everyone else.

But does a lock actually increase security?

To improve security, we should always try to improve the weakest link.
Attack Vectors - The Building Example
Attack vectors provide a method for Threat Modelling:

Consider getting into a vault:

Enter Vault
• Through walls
• Through floor
• Through door
  • Break hinge
  • Defeat lock
  • Break door
• Through ceiling

When designing a security solution, one should look at each level into the system, in more detail.
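The vault tree above as a small attack-tree evaluator, added here as an example and not part of the original lecture: every branch is an OR, so the cheapest attack is the minimum over the leaves, which is the weakest link. The effort numbers are constructed for illustration.

```python
import math


def leaf(name, cost):
    return {"name": name, "cost": cost}


def any_of(name, *children):
    # OR node: the attacker needs only one child to succeed.
    return {"name": name, "children": list(children)}


# Effort per leaf is constructed (arbitrary units), not measured data.
VAULT = any_of(
    "enter vault",
    leaf("through walls", 80),
    leaf("through floor", 70),
    any_of("through door",
           leaf("break hinge", 25), leaf("defeat lock", 40), leaf("break door", 30)),
    leaf("through ceiling", 15),
)


def cheapest(node, closed=frozenset()):
    """Return (cost, path) of the cheapest attack; leaves in `closed` are infeasible."""
    if "children" not in node:
        cost = math.inf if node["name"] in closed else node["cost"]
        return cost, [node["name"]]
    cost, path = min((cheapest(c, closed) for c in node["children"]), key=lambda r: r[0])
    return cost, [node["name"]] + path


def leaves(node):
    if "children" not in node:
        return [node["name"]]
    return [name for child in node["children"] for name in leaves(child)]


def hardening_gain(tree):
    """How much the cheapest attack cost rises if one leaf alone is fully closed."""
    base = cheapest(tree)[0]
    return {name: cheapest(tree, frozenset([name]))[0] - base for name in leaves(tree)}


if __name__ == "__main__":
    print(cheapest(VAULT))
    print(hardening_gain(VAULT))
```

Only the ceiling has a non-zero gain: making the lock unbreakable leaves the cheapest attack unchanged, which is the point of the building example.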
Designing for Security
Designing for security is fundamentally different to other forms of engineering.

Consider designing a bridge:

https://www.youtube.com/watch?v=j-zczJXSxnw

Physical effects such as strength and wind need to be considered.

But they are somewhat controlled.
But what needs to be considered when we put this in the context of security?
Designing for Security
When designing for security we need to consider that a malicious attacker is always present, intelligent, and clever.

Consider designing a bridge, what if:

• The adversary could make the wind blow up and down?
• Change the direction of wind at high frequency?

Of course, these ideas are dismissed as “silly” in classical engineering.

BUT note that such eventualities should always be considered by security engineers!
Professional Paranoid

❑ To work within security you need to become devious yourself!

❑ Think about how you can cheat everything and everyone around you.

Warning! It is important to separate these thoughts from your personal life… Hence you need to be “professionally paranoid”.
Is Security an Absolute Solution?

Cryptography (the art and science of secure communication) is often considered a solution to security.

It is not absolute!
It can often form part of the solution, but in itself it is not a full solution to a problem.

It can make security of systems stronger but also weaker if weak crypto solutions are being implemented.
Cryptography is Hard!

Never trust a cryptographic system that has not been analysed by experts (and even then there are likely to be flaws!)

⇒ Cryptography Protocols and Services
Thank you
