
Week 1

The document outlines the foundations of information security, emphasizing the CIA triad of confidentiality, integrity, and availability. It discusses various challenges in computer security, types of attacks, and essential terminologies, as well as security mechanisms and design principles to create secure systems. Key principles include economy of mechanism, fail-safe defaults, and least privilege, among others, aimed at enhancing security measures effectively.

Uploaded by

royallaadla03

Introduction

Week 1
OUTLINE
1. Information Security Foundations
2. Security Design Principles
3. Security Mechanisms
CONTENTS

1 Information Security Foundations

Computer Security

The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of the information system, including hardware, software, firmware, information and telecommunications.
The definition includes three objectives (the CIA triad):

1. Confidentiality: Private or confidential information is not made available or disclosed to unauthorized individuals.
2. Integrity: Information and programs are changed only in a specified and authorized manner.
3. Availability: Systems work promptly and service is not denied to authorized users (timely and reliable access).
Computer Security - Challenges

1. Complex Requirements: Security needs like confidentiality, authentication, non-repudiation, and integrity sound simple, but the methods to achieve them are complex.
2. Unpredictable Attacks: Attackers often find weaknesses in unexpected ways, so security solutions must consider all possible attack methods.
3. Counter-intuitive Measures: Security measures can seem overly complicated and unnecessary until the full range of threats is understood.
4. Placement Matters: Security needs to be placed strategically, both physically (e.g., firewalls on networks) and logically (e.g., encryption at different levels).
5. Secret Information Management: Security often depends on secret keys or passwords, which need to be created, shared, and protected securely.
6. Security's ROI Problem: Investing in security might not seem beneficial until a breach happens, just like buying insurance before an accident.
7. Attackers vs. Defenders: Attackers only need to find one weakness, while defenders need to find and fix them all for perfect security.
8. Constant Monitoring: Security requires continuous monitoring, which is hard to maintain in busy environments.
9. Afterthought Security: Security is often added after a system is designed, rather than being integrated from the start.
10. Usability vs. Security: Strong security measures can make systems less user-friendly, leading to resistance from users.
Types of Attacks

Active Attacks: aim to directly modify, disrupt or destroy a system or data. Examples: Denial of Service (DoS): flooding a website with traffic to crash it. Malware attacks: viruses, worms and Trojan horses can modify, delete or encrypt data, or even take control of the system.
Passive Attacks: aim to steal information from a computer system without being detected. Examples: Eavesdropping: interception of data transmission over a network (unencrypted traffic). Sniffing: capturing data packets traveling on a network.
Classification of Attacks Based on Origin

Inside Attacks: An attack initiated by an entity within the security perimeter, e.g. an employee misusing data for personal gain.
Outside Attacks: An attack initiated by an entity outside the security perimeter, e.g. a hacker from outside the company trying to break into the company’s network to steal data, whether for fun, profit or malicious intent.
Computer Security - Terminologies

Adversary (Threat Agent): An entity that attacks or poses a threat to a system, e.g. a hacker trying to steal data from a company’s server.
Attack: An attempt to breach security, e.g. using phishing to trick employees into revealing their passwords.
Countermeasure: An action, device or technique that reduces or prevents threats and vulnerabilities, e.g. installing antivirus software to detect and remove malware, or using encryption for sensitive data.
Risk: The likelihood that a threat will exploit a vulnerability, causing harm, e.g. the risk of data loss if the company’s database isn’t backed up.
Security Policy: A set of rules on how to protect sensitive resources, e.g. a policy to set strong passwords and change them regularly.
System Resource (Asset): Valuable data, services or equipment within a system, e.g. customer information stored in a database.
Threat: A potential cause of a security breach that could cause harm, e.g. a new virus spreading on the internet that could infect computers.
Vulnerability: A weakness in a system that can be exploited, e.g. an outdated software version that has security flaws, or a weak password.
CONTENTS

2 Security Mechanism

Security Mechanism

Security mechanisms are technical tools and techniques that are used to implement security services. A mechanism might operate by itself, or with others, to provide a particular service.
Encipherment

This security mechanism deals with hiding and covering data, which helps the data to become confidential.
It is achieved by applying mathematical calculations or algorithms which transform information into an unreadable form.
It is achieved by two famous techniques named Cryptography and Encipherment.
Example: Sending a confidential email with encryption ensures that only the recipient can read it, even if someone intercepts it.
Access Control

This mechanism is used to stop unauthorized access to the data you are sending. It can be achieved by various techniques such as applying passwords, using a firewall, or just by adding a PIN to the data.
Example: A website that requires a username and password to log in.
Notarization

Notarization involves a trusted third party to mediate between the sender and receiver, reducing conflicts by keeping records of the transactions.
Example: When buying a house, an escrow company holds the buyer’s payment until all conditions of the sale are met. This ensures that both the buyer and seller are protected.
Data Integrity

Data integrity ensures that data remains unchanged during transmission by adding a value to it that can be checked before and after sending.
Example: Checksum: When downloading software, a checksum is provided. After the download, the checksum of the file is compared to ensure it has not been corrupted or tampered with.
Authentication Exchange

Authentication exchange confirms the identity of the parties involved in communication, often using a two-way handshake process at the TCP/IP layer.
Example: Login Process: When logging into an online banking account, the server verifies your identity using your username and password, and may also send a verification code to your phone for additional security.
Bit Stuffing

This security mechanism is used to add some extra bits to the data being transmitted.
It helps the data to be checked at the receiving end and is achieved by even parity or odd parity.
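The Data Integrity and Bit Stuffing slides both describe a check value sent with the data. The following added example (not part of the original slides) compares an even parity bit, a SHA-256 checksum and, going one step beyond the slides, a keyed checksum (HMAC); all function names, the sample data and the key are constructed for illustration.

```python
import hashlib
import hmac

def even_parity_bit(data: bytes) -> int:
    """Extra bit that makes the total count of 1 bits even."""
    return sum(bin(b).count("1") for b in data) % 2

def parity_ok(data: bytes, parity: int) -> bool:
    return even_parity_bit(data) == parity

def flip_bits(data: bytes, positions) -> bytes:
    """Copy of data with the given bit positions inverted (simulated line noise)."""
    buf = bytearray(data)
    for p in positions:
        buf[p // 8] ^= 1 << (p % 8)
    return bytes(buf)

def checksum(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def checksum_ok(data: bytes, expected: str) -> bool:
    return hmac.compare_digest(checksum(data), expected)

def tag(key: bytes, data: bytes) -> str:
    """Keyed checksum (HMAC-SHA256): cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def tag_ok(key: bytes, data: bytes, expected: str) -> bool:
    return hmac.compare_digest(tag(key, data), expected)

def demo() -> dict:
    original = b"installer-1.0 contents"      # constructed sample data
    modified = b"installer-1.0 c0ntents"      # constructed altered copy
    key = b"constructed-demo-key"             # assumption: shared out of band
    parity = even_parity_bit(original)
    published = checksum(original)
    return {
        "parity_catches_1_flip": not parity_ok(flip_bits(original, [3]), parity),
        "parity_catches_2_flips": not parity_ok(flip_bits(original, [3, 12]), parity),
        "checksum_catches_2_flips": not checksum_ok(flip_bits(original, [3, 12]), published),
        # Whoever can swap the file can usually swap an unkeyed checksum beside it.
        "swapped_checksum_accepted": checksum_ok(modified, checksum(modified)),
        "hmac_catches_modified": not tag_ok(key, modified, tag(key, original)),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Parity only detects an odd number of flipped bits, and an unkeyed checksum only protects against tampering when it is obtained over a channel the attacker cannot modify.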
Digital Signature

This security mechanism is achieved by adding digital data that is not visible to the eye.
It is a form of electronic signature which is added by the sender and checked electronically by the receiver.
Example: When a company sends an official document via email, it may include a digital signature to verify that the document indeed came from the company and has not been altered.
CONTENTS

3 Security Design Principles

Fundamental Security Design Principles

Fundamental Security Design Principles are guidelines that help in creating secure systems and ensure that security measures are effectively implemented and maintained.

1. Economy of Mechanism
2. Fail-Safe Default
3. Complete Mediation
4. Open Design
5. Separation of Privilege
6. Least Common Mechanism
8. Isolation
9. Encapsulation
10. Modularity
11. Layering
12. Least Privilege
13. Least Astonishment
1. Economy of Mechanism

This fundamental security principle states that the security measures implemented in the software and the hardware must be simple and small. This makes it easier for testers to test the security measures thoroughly.
e.g. Implementing a simple firewall rule that blocks all incoming traffic except for a few services.
or Instead of a ten-step login process, use a strong password and two-factor authentication (like a code sent to your phone).
2. Fail-Safe Defaults

Access to any system or resource should be denied by default and only granted if the user has proper authorization. This ensures that no one gets access by mistake.
e.g. A network firewall that blocks all incoming traffic unless specific rules allow certain types of traffic.
or A file system where all new files are accessible only by their creator unless permissions are explicitly changed.
3. Complete Mediation

Every access to a resource should be checked for authorization, not only the first one.
e.g. A database system that verifies user credentials for each query request.
An ATM asks for your PIN every time you use it, not just the first time.
4. Open Design

Security mechanisms should be open for scrutiny by experts, but the secret keys (like encryption keys) should be kept private.
Example: The way a lock works can be known, but the key itself is what grants access.
or Open-source security software where the code is available for public review.
5. Separation of Privilege

This security principle states that whenever a user tries to gain access to a system, the access should not be granted based on a single attribute or condition. This can be thought of as multi-factor user authentication, since the principle says that multiple techniques must be implemented to authenticate a user.
e.g. Accessing a secure server that requires a security token and a PIN code.
6. Least Privilege

Users should only have access to the specific information and functions they need to do their job.
Example: A customer service representative might only be able to access customer contact information, not financial data.
Example 2: An employee who can view but not edit certain sensitive documents.
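Fail-safe defaults, complete mediation and least privilege are usually implemented together. The following added example (not part of the original slides) models the customer-service case above with a deny-by-default allow-list that is consulted on every operation; the class names, roles and records are constructed for illustration.

```python
class AccessDenied(Exception):
    pass

class Guard:
    """Allow-list of (role, action, field); anything not listed is denied."""
    def __init__(self, grants):
        self._grants = set(grants)

    def revoke(self, role, action, field):
        self._grants.discard((role, action, field))

    def check(self, role, action, field):
        # Fail-safe default: unknown roles, actions and fields fall through to deny.
        if (role, action, field) not in self._grants:
            raise AccessDenied(f"{role} may not {action} {field}")

class CustomerRecords:
    def __init__(self, guard, rows):
        self._guard, self._rows = guard, rows

    def read(self, role, customer, field):
        self._guard.check(role, "read", field)    # complete mediation: every call
        return self._rows[customer][field]

    def write(self, role, customer, field, value):
        self._guard.check(role, "write", field)
        self._rows[customer][field] = value

def allowed(operation, *args) -> bool:
    try:
        operation(*args)
        return True
    except AccessDenied:
        return False

def demo() -> dict:
    # Constructed policy: support staff may only view contact details.
    guard = Guard({("support", "read", "contact"), ("finance", "read", "balance")})
    db = CustomerRecords(guard, {"c1": {"contact": "a@example.test", "balance": 100}})
    results = {
        "support_reads_contact": allowed(db.read, "support", "c1", "contact"),
        "support_reads_balance": allowed(db.read, "support", "c1", "balance"),
        "support_edits_contact": allowed(db.write, "support", "c1", "contact", "x"),
        "unlisted_role_reads_contact": allowed(db.read, "intern", "c1", "contact"),
    }
    guard.revoke("support", "read", "contact")
    results["support_reads_after_revoke"] = allowed(db.read, "support", "c1", "contact")
    return results
```

Because the check runs on each call rather than once at login, the revocation takes effect on the very next read.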
7. Least Common Mechanism

Minimize the functions shared by different users to reduce the risk of unintended access.
Example 1: Separate network segments for different departments to limit shared resources.
Example 2: Different login servers for different groups within an organization.
8. Psychological Acceptability

Security measures shouldn't make it difficult or frustrating for authorized users to access what they need.
Example: A fingerprint scanner for your phone is more user-friendly than a complex password every time you unlock it.
9. Isolation

Isolation is a security design principle that involves separating critical data, processes, or resources from public access to protect them from unauthorized access and threats. This principle is applied in three main circumstances:
1. Isolation of Critical System
2. Isolation of User Data
3. Isolation of Security Mechanism
Isolation of Critical System

Systems with super important data, processes, or resources need extra protection from public access. There are two main approaches:
Physical Isolation: a separate server room with restricted access, keeping critical systems physically apart from publicly accessible ones.
Logical Isolation: implementing a firewall or using virtual machines.
Isolation of User Data

Ensuring that the files or data of one user are kept separate from the files or data of another user.
e.g. Modern operating systems provide user-specific directories and permissions to ensure each user's data is isolated.
Isolation of Security Mechanism

Security mechanisms themselves should be isolated to prevent unauthorized access.
e.g. Storing encryption keys in a hardware security module (HSM) separate from the main application servers.
10. Encapsulation

Protect data and processes by restricting access to certain parts of the system.
e.g. Object-oriented programming that restricts direct access to data objects.
11. Modularity

This security design principle says that security mechanisms must be developed as separate, protected modules, and that they must be built using a modular architecture.
e.g. A modular antivirus system where each module handles different types of threats.
12. Layering

Use multiple security measures to create a layered defense. If one layer is breached, others can still provide protection.
Example: A website might use strong passwords, firewalls, and encryption to protect user data.
13. Least Astonishment

The user interface should not surprise users; security mechanisms should be understandable.
e.g. Clear and simple error messages that explain security-related actions.
THANK YOU
The Reader Group of Colleges
