Definitions & challenges of

security
 Module 1
• Definitions & challenges of security
• Attacks & services
• Security policies
• Security Controls
• Access control structures
• Cryptography
• Deception
• Ethical Hacking
• Firewalls
• Identify and Access Management (IdAM).
 Security- Definitions
• Computer Security
- collection of tools designed to protect data and
from the hackers.

• Network Security
- measures to protect data during their transmission.

• Internet Security
- measures to protect data during their transmission
over a collection of interconnected networks.
 INFORMATION SECURITY
 Data
recording of “something” measured
Raw material, just measured

 Information
Information is the result of processing, manipulating and organizing
data in a way that adds to the knowledge of the receiver.
Processed data

 Knowledge
Knowledge is normally processed by means of structuring,
grouping, filtering, organizing or pattern recognition.
Highly structured information
 Attacks - Definition
 An attack is the deliberate act that exploits
vulnerability.
 It is accomplished by a threat agent that damages
or steals an organization’s information or physical
asset.
 An exploit is a technique to compromise a system.
 Vulnerability is an identified weakness of a
controlled system with controls that are not
present or are no longer effective.
 An attack is the use of an exploit to achieve the
compromise of a controlled system.
Security Challenges
Information Assets and Threats: Malware
Threats
• Malware is abbreviated term of Malicious
Software
• Malware defines wide variety of potential
harmful software.
• Malicious software is a umbrella term and it is
designed for
– gaining access to target machines.
– Stealing information and harm the target system
Information Assets and Threats: Examples
of Malware
• Trojan Horse • Virus
• Backdoor • Worms
• Rootkit • Spyware
• Ransomware • Botnet
• Adware • Crypter
 Information Assets and Threats:
Different Ways a Malware can Get into a System

• Instant Messenger applications

• IRC (Internet Relay Chat)
• Removable devices
• Attachments
• Legitimate "shrink-wrapped" software packaged by a disgruntled
employee
• Browser and email software bugs
• NetBIOS (FileSharing)
• Fake programs
• Untrusted sites and freeware software
• Downloading files, games, and screensavers from Internet sites
Information Assets and Threats: Trojan

• Trojan Horses and Trojans are the malicious

programs which mislead from its actual intentions.
• This term delivered from Greek Story of a great
wooden horse. This horse had soldiers hiding
inside waiting to enter into the city. As this
wooden horse reached in the city, soldiers came
out and attacked the city.
• With this philosopy, Trojan Software misleads
from its true intentions and wait for best time.
Information Assets and Threats: Trojan

Trojan
• A Malicious program misleading the user about
its actual intention is classified as Trojan. Trojan
are typically spread by Social Engineering.
• These Trojan may provide access to personal
information as well as unauthorized access to the
attacker.
• The Trojan can also leads to infection of other
connected devices across a network.
Information Assets and Threats: Trojan

The purpose spreading Trojan Programs are

• Creating backdoor
• Gaining unauthorized access
• Steal Information
• Infect Connected devices
• Ransomware attack
• Using Victim for spamming and victim as Botnet
• Downloading other malicious software
• Disabling Firewalls
Information Assets and Threats: Common Ports used by Trojans
 Information Assets and Threats: Types of
Trojan
1. Command Shell Trojans
2. Defacement Trojans
3. HTTP/HTTPS Trojans
4. Botnet Trojans
5. Proxy Server Trojans
6. Remote Access Trojans (RAT)
7. FTP Trojans
8. VNC Trojans
9. Destructive Trojans
10. ICMP Trojans or ICMP Tunneling
11. Notification Trojans
 Information Assets and Threats: Trojan
Counter measures
• Avoid to click on suspected Email attachment
• Block unused ports
• Monitor Network Traffic
• Avoid Downloaded from untrusted source
• Install updated security software and antivirus
• Scam removable media before use
• Enable Auditing
• Configured host based Firewall
• Intrusion Detection Software
Information Assets and Threats: Virus and
Worm Concepts
•Introduction to Viruses
•A virus is a self-replicating program that produces its own copy by
attaching itself to another program, computer boot sector or document.
•Viruses are generally transmitted through file downloads, infected
disk/flash drives and as email attachments.
•Virus Characteristics:
–Infects other program
–Transforms itself
–Encrypts itself
–Alters data
–Corrupts files and programs
–Self-replication
 Information Assets and Threats: Stages
of Virus Life
• Design: Developing virus code using programming languages or
construction kits.
• Replication: Virus replicates for a period of time within the target
system and then spreads itself.
• Launch: It gets activated with the user performing certain actions
such as running an infected program.
• Detection: A virus is identified as threat infecting target systems.
• Incorporation: Antivirus software developers assimilate defenses
against the virus.
• Elimination: Users install antivirus updates and eliminate the
virus threats.
 Information Assets and Threats: Types of
Virus
1. System or Boot Sector Viruses
• Boot Sector Virus is designed to move actual Master
Boot Record (MBR) from its actual location
• When system boots, virus code is executed first and
then control is passed to original MBR.
 Information Assets and Threats: Types of
Virus
2. File and Multipartite Viruses
• File Viruses: File viruses infect the files which
are executed like executable file or BAT File.
• Multipartite Virus: Multipartite viruses infect
the system boot sector and the executable
files at the same time.
 Information Assets and Threats: Types of
Virus
Q1) A virus that can cause multiple infections is
know as what type of virus?
• Multipartite
• Stealth
• Camouflage
• Multi-infection
A1) A multipartite virus can cause multiple
infections.
 Information Assets and Threats: Types of
Virus
3. Macro Viruses
• Macro Virus is specially designed for
Microsoft Word, Excel and other application
using Visual Basic for Application (VBA)
• Macro viruses infect templates or convert
infected documents into template files, while
maintaining their appearance of ordinary
document files.
 Information Assets and Threats: Types of
Virus
4. Cluster Virus
• It is designed to attack and modify the file
location table or directory table.
• Since it modifies the directory table entries so
that it points users or system processes to the
virus code instead of the actual program.
• It will launch itself first when any program on the
computer system is started and then the control is
passed to actual program.
 Information Assets and Threats: Types of
Virus
5. Stealth/Tunneling Viruses
• In order to evade detection, it employs tunnel technique
to launch under anti-virus via a tunnel and intercepting
request from operating system interruption handler.
• (i.e) A virus can hide itself by intercepting the anti-
virus software's request to read the file and passing the
request to the virus, instead of the OS.
• The virus can then return an uninfected version of the
file to the anti-virus software, so that it appears as if the
file is "clean".
 Information Assets and Threats: Types of
Virus
6. File Extension Viruses
• File extension viruses change the extensions of files.
• .TXT is safe as it indicates a pure text file.
• With extensions turned off, if someone sends you a file
named BAD.TXT.VBS, you will only see BAD.TXT.
• If you have forgotten that extensions are turned off, you might
think this is a text file and open it.
• This is an executable Visual Basic Script virus file and could
do serious damage.
• Countermeasure is to turn off "Hide file extensions" in
Windows.
 Information Assets and Threats: Types of
Virus
7. Encryption Virus
8. Polymorphic code
9. Metamorphic viruses
10. Files overwriting or cavity viruses
11. Shell Virus
12. Add on and intrusive viruses
13. Companion/Camouflage Viruses
14. Sparse Infector Viruses
 Information Assets and Threats: Worms

Worms:
• Computer worms are malicious programs
that replicate, execute, and spread across the network
connections independently without human interaction.
• Most of the worms are created only to
– replicate and spread across a network,
– consuming available computing resources;
– however, some worms carry a payload to damage the host system.
• Attackers use worm payload to install backdoors in infected
computers, which turns them into zombies and creates botnet;
these botnets can be used to carry further cyber attacks.
 Information Assets and Threats:
How is a Worm Different from a Virus?
• Replicates on its own: A worm is a special type
of malware that can replicate itself and use
memory, but cannot attach itself to other
programs.
• Spreads through the Infected Network: A
worm takes advantages
of file or information transport features on
computer systems and spread through the infected
network automatically but a virus does not.
 Information Assets and Threats:
Virus vs Worm
Virus Worm
Worm infects a system by exploiting a
Virus infects a system by inserting itselft into a
vulnerability in an OS or application
file or executable program
by replicating itself
Typically, a worm does not modify any stored
It might delete or alter content in files, or
programs. It only exploits the CPU and
change the location of files in the system
memory
It consumes network bandwidth, system
It alters the way a computer system operates,
memory, etc., excessively overloading servers
without the knowledge or consent of a user
and computer systems

A virus cannot be spread to other computers A worm, after being installed in a system, can

unless an infected file is replicated and replicate it selft and spread by using IRC,
actually sent to the other computer Outlook, or other applicable mailing programs
A virus is spread at a uniform speed, as
A worm spreads more rapidly than a virus
programmed
Viruses are hard to remove from infected As compared with a virus, a worm can
machines be easily removed from a system
 Security Attacks
1. Passive Attack: Make use of information from
the system but doesn’t affect the system resource.
 Passive attacks are in the nature of
eavesdropping on / monitoring of the
transmissions.
 The goal of the opponent is to obtain
information that is being transmitted.
 Two types of passive attacks are
1.The release of message contents .

2.Traffic analysis
29
 Security Attacks

• 2. Active
attack:
Attempts to
alter the
system
resources.
30
 Passive Attacks TYPES
1.Release of Message Contents

31
 Passive Attacks TYPES
1.Release of Message Contents

Release of message contents contains

Telephonic conversion, an electronic mail
message & transferred file may contain
sensitive or confidential information.
[ These information are monitored by
the opponent]

32
Passive Attacks TYPES
2.Traffic Analysis

Observe the Traffic

33
 Passive Attacks TYPES
2.Traffic Analysis

2. Traffic Analysis : capture the message

but couldn't extract the information from
the message.

In passive Attacks, it is difficult to detect

because they don’t involve any alteration
of the data.
34
 Security Attacks
Active Attacks: involves some modification of
data stream
Or
Create of a false stream.
 4 categories
1.Masquerate
2. Replay
3. Modification
4. Denial of service
35
 Security Attacks
1.Masquerate : When one entity pretends to be a
different entity
2.Replay : involves passive capture of a data unit.
3.Modification : Message is altered/
delayed/reordered
4. Denial of service : prevents communication
facilities( disruption of an entire network either
by disabling the network or overloading it with
message to degrade performance)

36
Active Attacks (1)
Masquerade

37
Active Attacks (2)
Replay

38
 Active Attacks (3)
Modification of Messages

39
Active Attacks (4)
Denial of Service

40
 Handling Attacks

 Passive attacks – focus on Prevention

 Easy to stop
 Hard to detect

 Active attacks – focus on Detection and

Recovery
 Hard to stop
 Easy to detect
Definitions

42
 Social engineering

• actions that potentially lead to leak of confidential

information.
• It use various strategies for disclosing confidential
information.
• Technique used by social engineers is to pretend to
be someone else like IT professional, member of the
management team, co-worker, insurance
investigator or even member of governmental
authorities.
• Unauthorized access gain to confidential
information, data theft, industrial espionage or
environment/ service disruption.
43
 Phishing attack
• This type of attack is used in social engineering
techniques to steal confidential information.
• Example of such attack targets victim's banking
account details and credentials.
• Phishing attacks tend to use schemes involving
spoofed emails sent to users that lead them to
malware infected websites designed to appear as real
online banking websites.
• Phishing is a type of deception designed to steal your
valuable personal data, such as credit card numbers,
passwords, account data, or other information.

44
 Current Phishing Techniques

• Employ visual elements from target site

• DNS Tricks:
– www.ebay.com.kr
– [email protected]
– www.gooogle.com

• JavaScript Attacks

• Certificates
– Phishers can acquire certificates for domains
they own
– Certificate authorities make mistakes
 Spear-Phishing: Improved Target Selection

• Socially aware attacks

Urge victims to update or validate their account
 Threaten to terminate the account if the victims not
reply
 Use gift or bonus as a bait
Context-aware attacks
“Your bid on eBay has won!”
“The books on your Amazon wish list are on sale!”
Another Example:
 But wait…

WHOIS 210.104.211.21:

Location: Korea, Republic Of

 SECURITY SERVICES: Assets

• Information security is a state of well-being of

information and infrastructure in which the
possibility of theft, tampering, and disruption
of information and services is kept low or
tolerable. The classification of security services
are as follows:
• Confidentiality: Assurance that the
information is accessible only to
those authorized to have access
 SECURITY SERVICES: Assets

• Integrity: The trustworthiness of data or

resources in terms of preventing improper and
unauthorized changes
• Availability: Assurance that the systems
responsible for delivering, storing, and
processing information are accessible
when required by the authorized users
 SECURITY SERVICES: Assets

• Authenticity: Authenticity refers to the

characteristic of a communication, document
or any data that ensures the quality of being
genuine
• Non-Repudiation: Guarantee that the sender
of a message cannot later deny having sent the
message and that the recipient cannot deny
having received the message
 Security policies
• An information security policy (ISP) is a set of
rules, policies and procedures designed to
ensure all end users and networks within an
organization meet minimum IT security and
data protection security requirements.
 Security policies
• What is the purpose of an information security
policy?
– An information security policy aims to enact
protections and limit the distribution of data to only
those with authorized access. Organizations create ISPs
to:
• Establish a general approach to information security
• Document security measures and user access
control policies
• Detect and minimize the impact of compromised
information assets such as misuse of data, networks, mobile
devices, computers and applications
• Protect the reputation of the organization
 Security policies
• What is the purpose of an information security
policy?
– An information security policy aims to enact protections
and limit the distribution of data to only those with
authorized access. Organizations create ISPs to:
• Comply with legal and regulatory requirements like NIST,
GDPR, HIPAA and FERPA
• Protect their customer's data, such as credit card numbers
• Provide effective mechanisms to respond to complaints and
queries related to real or perceived cyber security risks such
as phishing, malware and ransomware
• Limit access to key information technology assets to those
who have an acceptable use
 Security policies
• Why is an information security policy is
important?
– Creating an effective information security policy and
that meets all compliance requirements is a critical
step in preventing security incidents like data
leaks and data breaches.
– ISPs are important for new and established
organizations. Increasing digitalization means every
employee is generating data and a portion of that
data must be protected from unauthorized access.
Depending on your industry, it may even be
protected by laws and regulations.
 Security policies
• Why is an information security policy is important?
– Sensitive data, personally identifiable information (PII),
and intellectual property must be protected to a higher
standard than other data.
– Whether you like it or not, information
security (InfoSec) is important at every level of your
organization. And outside of your organization.
– Increased outsourcing means third-party vendors have
access to data too. This is why third-party risk
management and vendor risk management is part of
any good information security policy. Third-party
risk, fourth-party risk and vendor risk are no joke.
 Security policies
• What are the key elements of an information
security policy?
– 1. Purpose
– 2. Audience
– 3. Information security objectives
– 4. Authority and access control policy
– 5. Data classification
– 6. Data support and operations
– 7. Security awareness training
– 8. Responsibilities and duties of employees
 Security policies
• What are the key elements of an information
security policy?
– 1. Purpose
• Preserve your organization's information security.
• Detect and preempt information security breaches
caused by third-party vendors, misuse of networks, data,
applications, computer systems and mobile devices.
• Protect the organization's reputation
• Uphold ethical, legal and regulatory requirements
• Protect customer data and respond to inquiries and
complaints about non-compliance of security
requirements and data protection
 Security policies
• What are the key elements of an information
security policy?
– 2. Audience
• Define who the information security policy applies to
and who it does not apply to. You may be tempted to
say that third-party vendors are not included as part of
your information security policy.
 Security policies
• What are the key elements of an information
security policy?
– 3. Information security objectives
• Confidentiality: data and information are protected
from unauthorized access
• Integrity: Data is intact, complete and accurate
• Availability: IT systems are available when needed
 Security policies
• What are the key elements of an information
security policy?
– 4. Authority and access control policy
• This part is about deciding who has the authority to
decide what data can be shared and what can't.
• Remember, this may not be always up to your
organization.
• For example, if you are the CSO at a hospital. You likely
need to comply with HIPAA and its data protection
requirements. If you store medical records, they can't
be shared with an unauthorized party whether in
person or online.
 Security policies
• What are the key elements of an information
security policy?
– 5. Data classification
• An information security policy must classify data into
categories. A good way to classify the data is into five levels
that dictate an increasing need for protection:
– Level 1: Public information
– Level 2: Information your organization has chosen to keep
confidential but disclosure would not cause material harm
– Level 3: Information has a risk of material harm to individuals or your
organization if disclosed
– Level 4: Information has a high risk of causing serious harm to
individuals or your organization if disclosed
– Level 5: Information will cause severe harm to individuals or your
organization if disclosed
 Security policies
• What are the key elements of an information security
policy?
– 6. Data support and operations
• Once data has been classified, you need to outline how data is each level
will be handled. There are generally three components to this part of your
information security policy:
– Data protection regulations: 
» Organizations that store personally identifiable information (PII) or sensitive
data must be protected according to organizational standards, best practices,
industry compliance standards and regulation
– Data backup requirements: 
» Outlines how data is backed up, what level of encryption is used and what third-
party service providers are used
– Movement of data: 
» Outlines how data is communicated. Data that is deemed classified in the above
data classification should be securely communicated with encryption and not
transmitted across public networks to avoid man-in-the-middle attacks
 Security policies
• What are the key elements of an information
security policy?
– 7. Security awareness training
• Security training should include:
– Social engineering: 
» Teach your employees about phishing, spearphishing and
other common social engineering cyber attacks
– Clean desk policy: 
» Laptops should be taken home and documents shouldn't
be left on desks at the end of the work day
– Acceptable usage: 
» What can employees use their work devices and Internet
for and what is restricted?
 Security policies
• What are the key elements of an information security
policy?
– 8. Responsibilities and duties of employees
• This is where you operationalize your information security policy. This
part of your information security policy needs to outline the owners of:
– Security programs
– Acceptable use policies
– Network security
– Physical security
– Business continuity
– Access management
– Security awareness
– Risk assessments
– Incident response
– Data security
– Disaster recovery
– Incident management
Security Controls in Information Security

• Once an organization defines control

objectives, it can assess the risk to individual
assets and then choose the most appropriate
security controls to put in place.
 Security Control Types
• Physical controls
• Technical controls
• Administrative controls
 Security Control Types
• Physical controls
 Security Control Types
• Physical controls
– It describe anything tangible that’s used to
prevent or detect unauthorized access to physical
areas, systems, or assets. This includes things like
fences, gates, guards, security badges and access
cards, biometric access controls, security lighting,
CCTVs, surveillance cameras, motion sensors, fire
suppression, as well as environmental controls like
HVAC and humidity controls.
 Security Control Types
• Technical controls
 Security Control Types
• Technical controls
– (also known as logical controls) include hardware
or software mechanisms used to protect assets.
Some common examples are authentication
solutions, firewalls, antivirus software, intrusion
detection systems (IDSs), intrusion protection
systems (IPSs), constrained interfaces, as well as
access control lists (ACLs) and encryption
measures.
 Security Control Types
• Administrative controls
 Security Control Types
• Administrative controls
– It refer to policies, procedures, or guidelines that
define personnel or business practices in
accordance with the organization's security goals.
These can apply to employee hiring and
termination, equipment and Internet usage,
physical access to facilities, separation of duties,
data classification, and auditing. Security
awareness training for employees also falls under
the umbrella of administrative controls.
 Security Control Functions
• Preventative controls
• Detective controls
• Corrective controls
 Security Control Functions
• Preventative controls
– It describe any security measure that’s designed to
stop unwanted or unauthorized activity from
occurring.
– Examples include physical controls such as fences,
locks, and alarm systems;
– technical controls such as antivirus software,
firewalls, and IPSs; and
– administrative controls like separation of duties, data
classification, and auditing.
 Security Control Functions
• Detective controls
– It describe any security measure taken or solution
that’s implemented to detect and alert to
unwanted or unauthorized activity in progress or
after it has occurred.
– Physical examples include alarms or notifications
from physical sensor (door alarms, fire alarms)
that alert guards, police, or system administrators.
– Honeypots and IDSs are examples of technical
detective controls.
 Security Control Functions
• Corrective controls
– It include any measures taken to repair damage or
restore resources and capabilities to their prior
state following an unauthorized or unwanted
activity.
– Examples of technical corrective controls include
patching a system, quarantining a virus,
terminating a process, or rebooting a system.
– Putting an incident response plan into action is an
example of an administrative corrective control.
 Security Control Functions
• Recovery controls
– Recovery controls are somewhat like corrective controls,
but they are applied in more serious situations to recover
from security violations and restore information and
information processing resources.
– Recovery controls may include,

– disaster recovery and business continuity mechanisms

– backup systems and data
– emergency key management arrangements and
similar controls.
 Security Control Functions
• Compensation controls
– Compensating controls are intended to be alternative
arrangements for other controls when the original
controls have failed or cannot be used.  
• When a second set of controls addresses the same
threats that are addressed by another set of
controls, it acts as a compensating control.
 Access Control Models
• The term ‘access control’ refers to “the control
of access to system resources after a user’s
account credentials and identity have been
authenticated and access to the system has
been granted”.
 Access Control Models
• Access control is used to identify a subject
(user/human) and to authorize the subject to
access an object (data/resource) based on the
required task.
• These controls are used to protect resources from
unauthorized access and are put into place to
ensure that subjects can only access objects using
secure and pre-approved methods.
 Access Control Models
• Logical access control models are the abstract
foundations upon which actual access control
mechanisms and systems are built. Access control
is among the most important concepts in
computer security. Access control models define
how computers enforce access of subjects (such
as users, other Computers, applications and so on)
to objects (such as computers, files, directories,
applications, servers and devices).
 Access Control Models
• Discretionary Access Control Model
• Mandatory Access Control Model
• Role based Access Control Model
 Access Control Models

• Discretionary Access Control Model(DAC)

 Access Control Models
• Discretionary Access Control(DAC)
– DAC is a type of access control system that assigns
access rights based on rules specified by users.
The principle behind DAC is that subjects can
determine who has access to their objects.
 Access Control Models
• Mandatory Access Control Model(MAC)
– The design and implementation of MAC is
commonly used by the government. It uses a
hierarchical approach to control access to
files/resources. Under a MAC environment, access
to resource objects is controlled by the settings
defined by a system administrator.
 Access Control Models
• Mandatory Access Control Model(MAC)
– This means access to resource objects is
controlled by the operating system based on what
the system administrator configured in the
settings. It is not possible for users to change
access control of a resource.
 Access Control Models
• Mandatory Access Control Model(MAC)
– Each user account is also assigned classification
and category properties.
– This system provides users access to an object if
both properties match. If a user has high
classification but is not part of the category of the
object, then the user cannot access the object.
 Access Control Models
• Mandatory Access Control Model(MAC)
 Access Control Models
• Role-Based Access Control (RBAC)
– RBAC, also known as a non-discretionary access
control, is used when system administrators need
to assign rights based on organizational roles
instead of individual user accounts within an
organization.
– It presents an opportunity for the organization to
address the principle of ‘least privilege’. This gives
an individual only the access needed to do their
job, since access is connected to their job.
 Access Control Models
• Role-Based Access Control (RBAC)
 Basic Terminologies in
Cryptography
• Plaintext
• Ciphertext
• Encryption
• Decryption
• Keys
• Hash
• Salt
• Symmetric and Asymmetric Algorithms
• Public and Private Keys
• HTTPS
• End-to-End Encryption
 Basic Terminologies in
Cryptography
• Plaintext
– which is simple but just as important as the
others: plaintext is an unencrypted, readable,
plain message that anyone can read.
 Basic Terminologies in
Cryptography
• Ciphertext
– Ciphertext is the result of the encryption process.
– The encrypted plaintext appears as apparently
random strings of characters, rendering them
useless.
– A cipher is another way of referring to the
encryption algorithm that transforms the
plaintext, hence the term ciphertext.
 Basic Terminologies in
Cryptography
• Encryption
– Encryption is the process of applying a mathematical
function to a file that renders its contents unreadable
and inaccessible---unless you have the decryption key.
– For instance, let's say you have a Microsoft Word
document.
– You apply a password using Microsoft Office's inbuilt
encryption function.
– The file is now unreadable and inaccessible to anyone
without the password. You can even encrypt your
entire hard drive for security.
 Basic Terminologies in
Cryptography
• Decryption
– If encryption locks the file, then decryption
reverses the process, turning ciphertext back to
plaintext. 
– Decryption requires two elements: the correct
password and the corresponding decryption
algorithm.
 Basic Terminologies in
Cryptography
• Keys
– The encryption process requires a cryptographic
key that tells the algorithm how to transform the
plaintext into ciphertext. 
– Kerckhoffs's principle states that "only secrecy of
the key provides security," while Shannon's maxim
continues "the enemy knows the system.”
 Basic Terminologies in
Cryptography
• Keys
– These two statements influence the role of
encryption, and keys within that.
– Keeping the details of an entire encryption
algorithm secret is extremely difficult; keeping a
much smaller key secret is easier.
– The key locks and unlocks the algorithm, allowing
the encryption or decryption process to function.
 Basic Terminologies in
Cryptography
• Keys
– Is a Key a Password?
• No. Well, at least not entirely. Key creation is a result of
using an algorithm, whereas a password is usually a
user choice.
• The confusion arises as we rarely specifically interact
with a cryptographic key, whereas passwords are part
of daily life.
• Passwords are at times part of the key creation process.
A user enters their super-strong password using all
manner of characters and symbols, and the algorithm
generates a key using their input.
 Basic Terminologies in
Cryptography
• Hash
– When a website encrypts your password, it uses an
encryption algorithm to convert your plaintext
password to a hash.
– A hash is different from encryption in that once the
data is hashed, it cannot be unhashed. Or rather, it is
extremely difficult.
– Hashing is really useful when you need to verify
something's authenticity, but not have it read back. In
this, password hashing offers some protection
against brute-force attacks (where the attacker tries
every possible password combination).
 Basic Terminologies in
Cryptography
• Hash
– You might have even heard of some of the
common hashing algorithms, such as MD5, SHA,
SHA-1, and SHA-2. Some are stronger than others,
while some, such as MD5, are outright vulnerable.
– For instance, if you head to the site MD5 Online,
you'll note they have 123,255,542,234 words in
their MD5 hash database.
 Basic Terminologies in
Cryptography
• Salt
– When passwords are part of key creation, the
encryption process requires additional security
steps.
– One of those steps is salting the passwords.
– At a basic level, a salt adds random data to a one-
way hash function.
 Basic Terminologies in
Cryptography
• Salt
– There are two users with the exact same
password: hunter2.
– We run hunter2 through an SHA256 hash
generator and receive
f52fbd32b2b3b86ff88ef6c490628285f482af15ddc
b29541f94bcf526a3f6c7.
– Someone hacks the password database and they
check this hash; each account with the
corresponding hash is immediately vulnerable.
 Basic Terminologies in
Cryptography
• Symmetric and Asymmetric Algorithms
– In modern computing, there are two primary
encryption algorithm types: symmetric and
asymmetric. They both encrypt data, but function in
a slightly different manner.
• Symmetric algorithm: 
– Uses the same key for both encryption and decryption. Both
parties must agree on the algorithm key before commencing
communication.
• Asymmetric algorithm: 
– Uses two different keys: a public key and a private key. This
enables secure encryption while communicating without
previously establishing a mutual algorithm. This is also known
as public key cryptology
 Basic Terminologies in
Cryptography
• Public and Private Keys
– An asymmetric algorithm uses two keys: a public
key and a private key.
– The public key can be sent to other people, while
the private key is only known by the owner.
– What's the purpose of this?
• Well, anyone with the intended recipient's public key
can encrypt a private message for them, while the
recipient can only read the contents of that message
provided they have access to the paired private key.
Check out the below image for more clarity.
 Basic Terminologies in
Cryptography
• Public and Private Keys
 Basic Terminologies in
Cryptography
• Public and Private Keys
– Public and private keys also play an essential role
in digital signatures, whereby a sender can sign
their message with their private encryption key.
– Those with the public key can then verify the
message, safe in the knowledge that the original
message came from the sender's private key.
– A key pair is the mathematically linked public and
private key generated by an encryption algorithm.
 Basic Terminologies in
Cryptography
• HTTPS
– HTTPS (HTTP Secure) is a now widely
implemented security upgrade for the HTTP
application protocol that is a foundation of the
internet as we know it.
– When using a HTTPS connection, your data is
encrypted using Transport Layer Security (TLS),
protecting your data while in transit.
– HTTPS generates long-term private and public keys
that in turn are used to create a short-term
session key.
 Basic Terminologies in
Cryptography
• HTTPS
– The session key is a single-use symmetric key that the
connection destroys once you leave the HTTPS site
(closing the connection and ending its encryption).
– However, when you revisit the site, you will receive
another single-use session key to secure your
communication.
– A site must completely adhere to HTTPS to offer
users complete security.
– Since 2018 the majority of sites online began offering
HTTPS connections over standard HTTP.
 Basic Terminologies in
Cryptography
• End-to-End Encryption
– One of the biggest encryption buzzwords is that
of end-to-end encryption.
– Social messaging platform service WhatsApp began
offering its users end-to-end encryption (E2EE) in
2016, making sure their messages are private at all
times.
– WhatsApp isn't the first, or even the only messaging
service to offer end to end encryption. It did,
however, move the idea of mobile message
encryption further into the mainstream---much to the
ire of myriad government agencies around the world.
 Encryption
(Cryptography)
- “hidden writing” (hiding the meaning of the
message)
 Encryption
(Cryptography)
 Encryption
(Cryptography)
• Basic security goals:
- privacy (secrecy, confidentiality)
• only the intended recipient can see the
communication
- authenticity (integrity)
• the communication is generated by the
alleged sender
Types of Encryption Algorithms
Identify and Access Management (IdAM)

• Identity and access management (IAM or

IdAM for short) is a way to tell who a user is
and what they are allowed to do.
• IAM is like the bouncer at the door of a
nightclub with a list of who is allowed in, who
isn't allowed in, and who is able to access the
VIP area.
• IAM is also called identity management (IdM).
Identify and Access Management (IdAM)

• In more technical terms, IAM is a means of

managing a given set of users' digital
identities, and the privileges associated with
each identity.
• Within an organization, IAM may be a single
product, or it may be a combination of
processes, software products, cloud services,
and hardware that give administrators
visibility and control over the organizational
data that individual users can access.
Identify and Access Management (IdAM)
• Identity in the context of computing
– A person's entire identity cannot be uploaded and
stored in a computer, so "identity" in a computing
context means a certain set of properties that can
be conveniently measured and recorded digitally.
– Think of an ID card or a passport: not every fact
about a person is recorded in an ID card, but it
contains enough personal characteristics that a
person's identity can quickly be matched to the ID
card.
Identify and Access Management (IdAM)
• Identity in the context of computing
– To verify identity, a computer system will assess a
user for characteristics that are specific to them.
– If they match, the user's identity is confirmed.
These characteristics are also known as
"authentication factors,“.
– The three most widely used authentication factors
are:
• Something the user knows
• Something the user has
• Something the user is
Identify and Access Management (IdAM)
• Identity in the context of computing
– Something the user has: 
• This factor refers to possession of a physical token that
is issued to authorized users. 
• The most basic example of this authentication factor is
the use of a physical house key to enter one's home.
The assumption is that only someone who owns, rents,
or otherwise is allowed into the house will have a key.
Identify and Access Management (IdAM)
• Identity in the context of computing
– Something the user is: 
• This refers to a physical property of one's body.
• A common example of this authentication factor in
action is Face ID, the feature offered by many modern
smartphones. Fingerprint scanning is another example.
• Less common methods used by some high-security
organizations include retina scans and blood tests.
Identify and Access Management (IdAM)
• Access management
– "Access" refers to what data a user can see and what
actions they can perform once they log in.
– Once John logs into his email, he can see all the emails he
has sent and received.
– However, he should not be able to see the emails sent and
received by Tracy, his coworker.