Unit 6 Security

 Introduction, Security services, Need of Security

On a computer network with different interconnected systems security is not only important, but
also hard to achieve. Not only do we need to consider threats on our own (local) system but also on
all systems connected to it, as well as the connections themselves.

Where we may have some trust in our own system, we likely will not trust all systems on the
network and their users. The interests of the other parties on the network may be completely
different than ours. As we have seen in our security analysis, connecting interests lead to (security)
risks.

To secure the network we need to consider attacks at different layers Consider the network layer
model for TCP/IP in below figure.

An application process will use the transport

layer's connection service

To manage a connection with a remote process

it wants to communicate with. But to do this
(human understandable) addresses used by the
application, such as www.tue.ni, need to be translated to IP addresses understood by the network
layer using DNS

An attacker may try to get the trace redirected to their IP address by disturbing this step (e.g.,
through DNS spoofing). Alternatively, the attacker could influence lower layers to achieve the same
result. For example, an attacker could eavesdrop messages if she has access to the physical layer

 Why(need) is security important

Below are the reasons why cyber security is so important

in what's become a predominant digital world: Cyber-
attacks can be extremely expensive for businesses to
endure.

In addition to financial damage suffered by the business,

a data breach can also inflict untold reputational damage.
Cyber attacks these days are becoming progressively
destructive. Cybercriminals are using more sophisticated
ways to initiate cyber attacks.

Regulations such as GDPR are forcing organizations into

taking better care of the personal data they hold. Because of the above reasons, cyber security has
become an important part of the business and the focus now is on developing appropriate response
plans that minimize the damage in the event of a cyber attack. But an organization or an individual
can develop a proper response plan only when he has a good grip on cyber security fundamentals.
  Services fundamentals

Cyber security Fundamentals - Confidentiality: Confidentiality is about preventing the disclosure of

data to unauthorized parties. It also means trying to keep the identity of authorized parties involved
in sharing and holding data private and anonymous. Often confidentiality is compromised by
cracking poorly encrypted data, Man-in-the-middle (MITM) attacks, disclosing sensitive data.
Standard measures to establish confidentiality include:

Data encryption

• Two-factor authentication

• Biometric verification

• Security tokens

• Integrity

Integrity refers to protecting information from being modified by unauthorized parties.

Standard measures to guarantee integrity include: Cryptographic checksums

• Using file permissions

• Uninterrupted power supplies

• Data backups

• Availability is making sure that authorized parties are able to access the information when needed.
Standard measures to guarantee availability include: Backing up data to external drives

• Implementing firewalls

• Having backup power supplies

• Data redundancy

 Types of Cyber Attacks

A cyber-attack is an exploitation of computer systems and networks. It uses malicious code to alter
computer code, logic or data and lead to cybercrimes, such as information and identity theft.

Cyber-attacks can be classified into the following categories

1) Web-based attacks

2) System-based attacks

 Key Principles of Security, Threats and Vulnerabilities

Security Vulnerabilities, Threats and Attacks

Categories of vulnerabilities

Corrupted (Loss of integrity)

• Leaky (Loss of confidentiality)

• Unavailable or very slow (Loss of availability)

• Threats represent potential security harm to an asset when vulnerabilities are exploited.

Attacks are threats that have been carried out Passive Make use of information from the

system without affecting system resources.

• Active Alter system resources or affect operation

• Insider Initiated by an entity inside the organization

• Outsider Initiated from outside the perimeter

• Computer criminals Computer criminals have access to enormous amounts of hardware, software,
and data they have the potential to cripple much of effective business and government throughout
the world.

In a sense, the purpose of computer security is to prevent these criminals from doing damage. We
say computer crime is any crime involving a computer or aided by the use of one.

Although this definition is admittedly broad, it allows us to consider ways to protect ourselves, our
businesses, and our communities against those who use computers

maliciously.

One approach to prevention or moderation is to understand who commits these crimes and why.
Many studies have attempted to determine the characteristics of computer criminals.

By studying those who have already used computers to commit crimes, we may be able in the future
to spot likely criminals and prevent the crimes from occurring.

CIA Triad The CIA Triad is actually a security model that has been developed to help people think
about various parts of IT security.

Protecting confidentiality is dependent on being able to define and enforce certain access levels for
information. In some cases, doing this involves separating informant

In some cases, doing this involves separating information into various collections that are organized
by who needs access to the information and how sensitive that information actually is the amount of
damage suffered if the confidentiality was breached.

Some of the most common means used to manage confidentiality include access control lists,
volume and file encryption, and Unix file permissions.

Integrity Data integrity is what the "I' in CIA Triad stands for. This is an essential component of the
CIA Triad and designed to protect data from deletion or modification from any unauthorized party,
and it ensures that when an authorized person makes a change that should not have been made the
damage can be reversed.

Availability This is the final component of the CIA Triad and refers to the actual availability of your
data. Authentication mechanisms, access channels and systems all have to work properly for the
information they protect and ensure it's available when it is needed.

Understanding the CIA triad The CIA Triad is all about information. While this is considered the core
factor of the majority of IT security, it promotes a limited view of the security that ignores other
important factors.
For example, even though availability may serve to make sure you don't lose access to resources
needed to provide information when it is needed, thinking about information security in itself
doesn't guarantee that someone else hasn't used your hardware resources without authorization.

Its important to understand what the CIA Triad is. how it is used to plan and also to

implement a quality security policy while understanding the various principles behind it.

It's also important to understand the limitations it presents.

When you are informed, you can utilize the CIA Triad for what it has to offer and avoid the

consequences that may come along by not understanding it.

Assets and Threat What is an Asset: An asset is any data, device or other component of an

organization's systems that is valuable often because it contains sensitive data or can be

used to access such information.

For example: An employee's desktop computer, laptop or company phone would be considered an
asset, as would applications on those devices. Likewise, critical infrastructure, such as servers and
support systems, are assets.

An organization's most common assets are information assets. These are things

such

as

databases and physical files the sensitive data that you store.

What is a threat:

A threat is any incident that could negatively affect an asset for example, if it's lost, knocked offline
or accessed by an unauthorized party.

Threats can be categorized as circumstances that compromise the confidentiality, integrity or

availability of an asset, and can either be intentional or accidental.

Intentional threats include things such as criminal hacking or a malicious insider stealing

information, whereas accidental threats generally involve employee error, a technical malfunction or
an event that causes physical damage, such as a fire or natural disaster

 Types of Attacks, ITU-T X.800 Security Architecture for OSI

Types of Active attacks:

Masquerade: in this attack, the intruder pretends to be a particular user of a system to gain access or
to gain greater privileges than they are authorized for.

A masquerade may be attempted through the use of stolen login IDs and passwords, through finding
security gaps in programs or through bypassing the authentication mechanism

Session replay: In this type of attack, a hacker steals an authorized user's log in information by
stealing the session ID. The intruder gains access and the ability to do anything the authorized user
can do on the website.
Message modification: In this attack, an intruder alters packet header addresses to direct a message
to a different destination or modify the data on a target machine. In a denial of service (DoS) attack,
users are deprived of access to a network or web resource. This is generally accomplished by
overwhelming the target with more traffic than it can handle.

In a distributed denial-of-service (DDoS) exploit, large numbers of compromised systems (sometimes

called a botnet or zombie army) attack a single target.

Passive Attacks: Passive attacks are relatively scarce from a classification perspective, but can be

carried out with relative ease, particularly if the traffic is not encrypted.

Types of Passive attacks: Eavesdropping (tapping): the attacker simply listens to messages exchanged
by two entities. For the attack to be useful, the traffic must not be encrypted. Any unencrypted
information, such as a password sent in response to an HTTP request, may be retrieved by the
attacker.

Traffic analysis: the attacker looks at the metadata transmitted in traffic in order to deduce
information relating to the exchange and the participating entities, e g, the form of the exchanged
traffic (rate, duration, etc.).

In the cases where encrypted data are used, traffic analysis can also lead to attacks by cryptanalysis
whereby the attacker may obtain information or succeed in un encrypting the traffic.

Software Attacks: Malicious code (sometimes called malware) is a type of software designed to take
over or damage a computer user's operating system, without the user's knowledge or approval. It
can

be very difficult to remove and very damaging. Common malware examples are listed in the
following

table:
Hardware Attacks:

Common hardware attacks include: Manufacturing backdoors, for malware or other penetrative
purposes backdoors aren't limited to software and hardware, but they also affect embedded
radiofrequency identification (RFID) chips and memory.

Eavesdropping by gaining access to protected memory without opening other hardware

Inducing faults, causing the interruption of normal behavior

• Hardware modification tampering with invasive operations.

• Backdoor creation the presence of hidden methods for bypassing normal computer

• Authentication systems Counterfeiting product assets that can produce extrordinary operations
and those made to gain malicious access to systems

Osi Security Architecture ITU-T X800 "Security architecture for osi" Defines a systematic way of
defining and providing security requirements for us it provides a useful, if abstract, overview of
concepts we will study.

Aspects of security Consider 3 aspects of information security

Security attack

Security mechanism

Security service

Security attack Any action that compromises the security of information owned by an organization
Information security is about how to prevent attacks, or failing that, to detect attacks on information
based systems Often threat & attack used to mean same thing Have a wide range of attacks Can
focus of generic types of attacks Passive and Active.
 Releaseof mcssagc

Security Service

Enhance security of data processing systems and information transfers of an organization Intended
to counter security attacks Using one or more security mechanisms Often replicates functions
normally associated with physical documents

Which, for example, have signatures, dates, need protection from disclosure, tampering, or
destruction; be notarized or witnessed be recorded or licensed X.800: "a service provided by a
protocol layer of communicating open systems, which ensures adequate security of the systems or
of data transfers"

Rfc 2828: "a processing or communication service provided by a system to give a specific kind of
protection to system resources"
Authentication assurance that the communicating entity is the one claimed.

Access control prevention of the unauthorized use of a resource Data. Confidentiality protection of
data from unauthorized disclosure Data integrity assurance that data received is as sent by an
authorized entity.

Non-repudiation protection against denial by one of the parties in a communication.

Security Policy and mechanisms, Operational Model of Network Security

MODEL FOR NETWORK SECURITY

MODEL FOR NETWORK SECURITY

• Using this model requires us to:

1. Design a suitable algorithm for the security transformation

2.Generate the secret information (keys) used by the algorithm Develop methods to distribute and
share the secret information

3. Specify a protocol enabling the principals to use the transformation and secret information for a
security service

SYMMETRIC ENCRYPTION

Sender and recipient share a common key

All classical encryption algorithms are private-key

Was only type prior to invention of public-key in 1970's And by far most widely used

SOME BASIC TERMINOLOGY

• Plaintext - original message

• Ciphertext - coded message

Cipher - algorithm for transforming plaintext to ciphertext Key - info used in cipher known only to
sender/receiver

Encipher

(encrypt) - converting plaintext to ciphertext

Decipher (decrypt) - recovering ciphertext from plaintext Cryptography - study of encryption

principles/methods

Cryptanalysis (codebreaking) - study of principles/ methods of deciphering ciphertext without

knowing key

Cryptology - field of both cryptography and cryptanalysis

Symmetric cipher model

Requirements

Two requirements for secure use of symmetric encryption

A strong encryption algorithm

A secret key known only to sender / receiver

Mathematically have:

у = ек(х)

Cryptography

Characterize cryptographic system by

Type of encryption operations used

• Substitution / transposition / product

Number of keys used

• Single key or private / two-key or public

Way in which plaintext is processed

• Block / stream

Cryptanalysis

Objective to recover key not just message

General approaches:

Cryptanalytic attack

Brute-force attack

Cryptanalytic Attacks

Cipher text only

Only know algorithm & cipher text, is statistical, know or can identify plaintext.

Highlighted

Type here to search

 Symmetric and Asymmetric Key Cryptography

Cryptography is a phenomenon in which a plain text is sent in

Network converting it into cipher text to prevent miss use of data while transmission in a network

Cryptography

Symmetric

Private key Traditional private/secret/single key cryptography uses one key Shared by both sender
and receiver

• If this key is disclosed communications are compromised

• Also is symmetric, parties are equal

• Hence does not protect sender from receiver forging a message & claiming is sent by sender

• Uses two keys

A public & a private key.

• Asymmetric since parties are not equal

• Uses clever application of number theoretic concepts to function

• Complements rather than replaces private key crypto • Developed to address two key issues

Key distribution

How to have secure communications in general without having to trust a with your key

Digital signatures

How to verify a message comes intact from the claimed sender

Asymmetric cryptography involves the use of two keys:

A public-key, which may be known by anybody, and can be used to encrypt messages, and verify
signatures

A private key, known only to the recipient, used to decrypt messages, and sign (create) signatures

• Is asymmetric because Those who encrypt messages or verify signatures cannot decrypt messages
or create signature

 Security in Network, Transport and Application:

TIS (transport layer security)

Ietf standard rfc 2246 similar to sslv3 with minor differences

In record format version number Uses hmac for mac

A pseudo-random function expands secrets Has additional alert codes Some changes in supported
ciphers Changes in certificate types & negotiations Changesin crypto computations & padding

Application security

There are two components of security in mobile computing

Security of devices and security in networks.

A secure network access involves authentication between the device and the base stations or Web
servers. This is to ensure that only authenticated devices can be connected to the network for
obtaining the requested services.

No Malicious Code can impersonate the service provider to trick the device into doing something it
does not mean to. Thus, the networks also play a crucial role in security of mobile devices.

Some eminent kinds of attacks to which mobile devices are subjected to are: push attacks, pull
attacks

Some eminent kinds of attacks to which mobile devices are subjected to are: push attacks, pull
attacks and crash attacks.

Authentication services security is important given the typical attacks on mobile devices through
wireless networks: Dos attacks, traffic analysis, eavesdropping, man-in-the middle attacks and
session hijacking.

Security measures in this scenario come from Wireless Application Protocols (WAPs), use of VPNs,
media access control (MAC) address filtering and development in 802 xx standards.

 Introduction of IPSec, SSL, HTTPS, S/MIME

S/MIME (SECURE/MULTIPURPOSE INTERNET MAIL EXTENSIONS)

Security enhancement to mime email original internet rc822 email was text only Mime provided
support for varying content types and multi part messages

With encoding of binary data to textual form S/mime added security enhancements Have s/mime
support in many mail agents

Eg ms outlook, mozilla, mac mail etc.

S/MIME: functions

Enveloped data

Encrypted content and associated keys

Signed data

Encoded message + signed digest

Clear-signed data

Clear text message + encoded signed digest

Signed & enveloped data

Nesting of signed & encrypted entities

S/MIME cryptographic algorithms

Digital signatures: dss & Isa Hash functions: sha-1 & md5

Session key encryption: elgamal & isa Message encryption: aes, triple des, re2/40 and others Mac:
hmac with sha-l Have process to decide which algorithms to use

S/MIME messages

S/mime secures a mime entity with a signature, encryption, or both Forming a mime wrapped
packets object Have a range of content types Enveloped data, Signed data, Clear-signed data,

Registration request, Certificate only message

Notes

Highlighted

IP SECURITY

Have a range of application specific security mechanisms

Eg. S/mime, pgp, kerberos, ssl/https.

However, there are security concerns that cut across protocol layers Would like security
implemented by the network for all applications

General ip security mechanisms Provides

Authentication

Confidentiality

Key management

Applicable to use over lans, across public & private wans, & for the internet.

Benefits of IPSEC

In a firewall/router provides strong security to all traffic crossing the perimeter

In a firewall/router is resistant to bypass

Is below transport layer, hence transparent to applications

Can be transparent to end users

Can provide security for individual users

Secures routing architecture

SSL (SECURE SOCKET LAYER)

Transport layer security service

Originally developed by Netscape

Version 3 designed with public input

Subsequently became internet standard known as tis (transport layer security)

Uses tcp to provide a reliable end-to-end service

SSL Connection

A transient, peer-to-peer, communications link

Associated with 1 ssl session

SSl session

An association between client & server

Created by the handshake protocol

Define a set of cryptographic parameters

May be shared by multiple ssl connections

HTTPS stands for Hypertext Transfer Protocol Secure. It is the protocol where encrypted HITP data is
transferred over a secure connection. By using secure connection such as Transport Layer Security or
Secure Sockets Layer, the privacy and integrity of data are maintained and authentication of
websites is also validated.

Index
Notes

Highlighted

Underlined

 Overview of IDS and Firewalls

What is a firewall

It is a choke point of control and monitoring Interconnects networks with differing trust Imposes
restrictions on network services. Only authorized traffic is allowed Auditing and controlling access
Can implement alarms for abnormal behavior Provide nat & usage monitoring Implement vpns using
ipsec Must be immune to penetration.

Firewall limitations

Cannot protect from attacks bypassing it

Cannot protect against internal threats

Cannot protect against transfer of all virus infected programs or files

Because of huge range of o/s & file types

Firewalls packet filters

Simplest, fastest firewall component. Foundation of any firewall system

Examine each ip packet (no context) and permit or deny according to rules. Hence restrict access to
services (ports) Possible default policies.

 That not expressly permitted is prohibited

 That not expressly prohibited is permitted

Almost every medium and large-scale organization has a presence on the Internet and has an
organizational network connected to it. Network partitioning at the boundary between the
outside Internet and the internal network is essential for network security. Sometimes the
inside network (intranet) is referred to as the "trusted" side and the external Internet as the "un-
trusted" side.

Types of Firewall
Firewall is a network device that isolates organization's intemal network from larger
outside network/lnternet. It can be a hardware, software, or combined system that prevents
unauthorized access to or from internal network.
 All data packets entering or leaving the internal network pass through the firewall,
which examines each packet and blocks those that do not meet the specified security criteria.

administered
network public
trusted "good guys"
Intemet
untrusted "bad
firewall guys"
Deploying firewall at network boundary is like aggregating the security at a single point. It is
analogous to locking an apartment at the entrance and not necessarily at each door.

Firewall is considered as an essential element to achieve network security for the following
reasons —

Internal network and hosts are unlikely to be properly secured.

Internet is a dangerous place with criminals, users from competing companies,

disgruntled ex-employees, spies from unfriendly countries, vandals, etc.

To prevent an attacker from launching denial of service attacks on network resource.

To prevent illegal modification/access to internal data by an outsider attacker.

Firewall is categorized into three basic types —

Packet filter (Stateless & Stateful)

Application-level gateway
Circuit-level gateway
These three categories, however, are not mutually exclusive. Modern firewalls have a mix of
abilities that may place them in more than one of the three categories.
 Stateless & Stateful Packet Filtering Firewall
In this type of firewall deployment, the internal network is connected to the external
network,/lnternet via a router firewall. The firewall inspects and filters data packet-by-packet.

Packet-filtering firewalls allow or block the packets mostly based on criteria such as source
and/or destination IP addresses, protocol, source and/or destination port numbers, and various
other parameters within the IP header.

The decision can be based on factors other than IP header fields such as ICMP message type,
TCP SYN and ACK bits, etc.

Packet filter rule has two parts —

Selection criteria — It is a used as a condition and pattern matching for decision making.

• Action field — This part specifies action to be taken if an IP packet meets the selection
criteria. The action could be either block (deny) or permit (allow) the packet across
the firewall.

Packet filtering is generally accomplished by configuring Access Control Lists (ACL) on

routers or switches. ACL is a table ofpacket filter rules.

As traffic enters or exits an interface, firewall applies ACLs from top to bottom to each
incoming packet, finds matching criteria and either permits or denies the individual packets.
Stateless firewall is a kind of a rigid tool. It looks at packet and allows it if its meets the
criteria even if it is not part of any established ongoing communication.

Hence, such firewalls are replaced by stateful firewalls in modem networks. This type
of firewalls offer a more in-depth inspection method over the only ACL based packet
inspection methods of stateless firewalls.

Stateful firewall monitors the connection setup and teardown process to keep a check
on connections at the TCP/IP level. This allows them to keep track of connections state and
determine which hosts have open, authorized connections at any given point in time.
They reference the rule base only when a new connection is requested. Packets
belonging to existing connections are compared to the firewall's state table of open
connections, and decision to allow or block is taken. This process saves time and provides
added security as well.
No packet is allowed to trespass the firewall unless it belongs to already established
connection. It can timeout inactive connections at firewall after which it no longer admit
packets for that connection.

Firewall provides network boundary protection by separating an internal network from

the public Internet. Firewall can function at different layers of network protocol. IDS/IPS
allows to monitor the anomalies in the network traffic to detect the attack and take preventive
action against the same.