Unit 1

This document provides information about an information security course, including its objectives, outcomes, prerequisites, and chapter overview. The course aims to teach fundamental security concepts like attacks, services, and mechanisms. It will cover conventional and public key cryptography, IP security architecture, and designing firewalls and intrusion detection systems. A basic understanding of computer networks, databases, and operating systems is required. The first chapter introduces the importance of security for online transactions and data privacy. It defines computer, network, and internet security.


Information Security

Unit 1

Text Books :
⮚ Network Security Essentials by William Stallings
⮚ Cryptography and Network Security by William Stallings
UNIT - 1
▪ Security Attacks (Interruption, Interception, Modification and Fabrication)
▪ Security Services (Confidentiality, Authentication, Integrity, Non-Repudiation, Access Control, Availability)
▪ Security Mechanisms
▪ A model for Internetwork Security
▪ Internet Standards and RFCs


Course Objectives: Why? What?
⮚ To learn the fundamental concepts of security attacks,
security services and Mechanisms.
⮚ To apply conventional cryptographic techniques and
Public key cryptography techniques in order to do
encryption.
⮚ To learn IP security Architecture and its role in security
framework.
⮚ To apply SSL and TLS for Web Security.
⮚ To design and develop Intrusion Detection Systems and
Firewall.
Course Outcomes : Result
⮚ Get familiarized with the fundamental concepts of security attacks, security services.
⮚ Implement the conventional cryptographic techniques.
⮚ Simulate the Public key cryptography techniques.
⮚ Comprehend IP security Architecture and its role in security framework.
⮚ Implement SSL and TLS for Web Security.
⮚ Design Intrusion Detection Systems and Firewall.
Prerequisites
⮚ What are Computer Networks?
⮚ What is a Database?
⮚ What is an Operating System?
Chapter 1 – Introduction
⮚ The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.
⮚ —The Art of War, Sun Tzu
INTRODUCTION
⮚ Security is the key concept in this information age.
⮚ When firms use private networks they do not think much about security; only a few do.
⮚ But the Internet has changed the scenario in the world. Especially people running a business over the Internet require “SECURITY” for their transactions.
IMPORTANCE :
⮚ Security provides privacy for your data, meaning no other party can view your data.
⮚ People who depend a lot on data security:
● Daily routine transactions on the network
● E-Mail, a common routine
● E-commerce, Banking
● Super Markets to Jet Flight
● Multimedia Message Services (MMS)
While transmitting data, what people think about security:
a) Is my data secure?
b) If sensitive data is sent over an internetwork, can anybody else watch it?
c) Can anybody alter my web site display?
d) How can customers do business on the Internet?
e) Can anybody misuse the credit card details that are sent by the customers?
Aim of Course
⮚ Our focus is on Internet Security
⮚ which consists of measures to deter,
prevent, detect, and correct security
violations that involve the transmission &
storage of information
Background
⮚ Information Security requirements have changed in recent times
⮚ traditionally provided by physical and administrative mechanisms
⮚ computer use requires automated tools to protect files and other stored information
⮚ use of networks and communications links requires measures to protect data during transmission
Definitions
⮚ Computer Security - generic name for the collection of tools designed to protect data and to thwart hackers
⮚ Network Security - measures to protect data during their transmission
⮚ Internet Security - measures to protect data during their transmission over a collection of interconnected networks
THE NEED FOR NETWORK SECURITY
PRESENTATION OBJECTIVES
▪ Understand information security services
▪ Be aware of vulnerabilities and threats
▪ Realize why network security is necessary
▪ What are the elements of a comprehensive security program

The Need for Web Security 14


What Is The Internet?
▪ Collection of networks that communicate with a common set of protocols (TCP/IP)
▪ Collection of networks with
  ▪ no central control
  ▪ no central authority
  ▪ no common legal oversight or regulations
  ▪ no standard acceptable use policy
▪ “wild west” atmosphere



Why Is Internet Security a Problem?
▪ Security not a design consideration
▪ Implementing change is difficult
▪ Openness makes machines easy targets
▪ Increasing complexity



Common Network Security
Problems

▪ Network eavesdropping
▪ Malicious Data Modification
▪ Address spoofing (impersonation)
▪ ‘Man in the Middle’ (interception)
▪ Denial of Service attacks
▪ Application layer attacks



WHO ARE THE OPPONENTS?
▪ 49% are inside employees on the internal network
▪ 17% come from dial-up (still inside people)
▪ 34% are from the Internet or an external connection to another company of some sort

HACKERS



HACKER MOTIVATIONS
▪ Money, profit
▪ Access to additional resources
▪ Experimentation and desire to learn
▪ “Gang” mentality
▪ Psychological needs
▪ Self-gratification
▪ Personal vengeance
▪ Emotional issues
▪ Desire to embarrass the target
Internet Security?
[Word-cloud figure: Malicious Code, Session Hijacking, Worms, Viruses, Trojans, Replay Attacks, Buffer Overflow, Port Scanning, Denial of Service, Spoofing, Man-in-the-Middle]
What Do People Do When They Hear All These?
▪ Take the risks!
▪ But there are solutions
▪ Ignoring the situation is not one of them


THE MOST COMMON EXCUSES
▪ No one could possibly be interested in my information
▪ Anti-virus software slows down my processor speed too much.
▪ I don't use anti-virus software because I never open viruses or e-mail attachments from people I don't know.
▪ So many people are on the Internet, I'm just a face in the crowd. No one would pick me out.
▪ I'm busy. I can't become a security expert; I don't have time, and it's not important enough
THE OSI SECURITY ARCHITECTURE
⮚ To assess effectively the security needs of an organization and to evaluate and choose various security products and policies, the manager responsible for security needs some systematic way of defining the requirements for security and characterizing the approaches to satisfying those requirements.
⮚ The OSI security architecture was developed in the context of the OSI protocol architecture. The OSI security architecture mainly focuses on security attacks, mechanisms, and services.
Aspects of Security
Consider 3 aspects of information security:
1. Security Attack
2. Security Mechanisms
3. Security Services
Security Attack : Any action that compromises the security of information owned by an organization.
Security Mechanism : A mechanism that is designed to detect, prevent, or recover from a security attack.
Security Services : A service that enhances the security of the data processing systems and the information transfers of an organization. The services are intended to counter the security attacks, and they make use of one or more security mechanisms.
Security Attack
⮚ any action that compromises the security of information owned by an organization
⮚ information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems
⮚ often threat & attack are used to mean the same thing
⮚ there is a wide range of attacks
⮚ can focus on generic types of attacks
● passive
● active
Security Threats
Passive Attacks
Passive Attacks are in the nature of eavesdropping on, or monitoring of, transmissions but do not affect system resources. The goal of the opponent is to obtain information that is being transmitted.
There are two types of Passive Attacks:
1) Release of Message Contents is easily understood, e.g. a telephone conversation or an e-mail message. We should prevent the opponent from learning the contents.
2) Traffic Analysis : More subtle (difficult to detect). Suppose we had a way of masking the contents of messages, so that even if opponents captured a message they could not extract the information; the common technique for masking is “ENCRYPTION”. The opponent could still observe the pattern of these messages.
Passive Attacks
Active Attacks
Active Attacks involve modification of the data stream or the creation of a false stream, in an attempt to alter system resources or affect their operation. There are four types:
1) Masquerade
2) Replay
3) Modification of message contents
4) Denial of Service
⮚ Active attacks present the opposite characteristics of passive attacks. Whereas passive attacks are difficult to detect, measures are available to prevent their success. On the other hand, it is quite difficult to prevent active attacks absolutely, because of the wide variety of potential physical, software, and network vulnerabilities. Instead, the goal is to detect active attacks and to recover from any disruption or delays caused by them.
A Masquerade takes place when one entity pretends to be a different entity. The masquerader then misuses the services granted to that entity.
Example : Authentication sequences can be captured & replayed after a valid authentication. It’s like an authorized entity with a few privileges trying to obtain extra privileges.
Replay : Involves the passive capture of a data unit & its subsequent retransmission to produce an unauthorized effect.
Modification of Message : Simply means that some portion of a legitimate (legal) message is altered, or messages are delayed or reordered, to produce an unauthorized effect.
Example : “Allow John Smith to read confidential file accounts” is modified to “Allow Fred Brown to read confidential file accounts”
Denial of Service : Prevents or inhibits the normal use or management of communication facilities. This attack may have a specific target.
Example: an entity may suppress all messages directed to a particular destination (e.g. the Security Audit Service)
Ex2 : Another form of DoS is disruption of an entire network, either by disabling the network or by overloading it with messages to degrade performance
Active Attacks
Security Attacks / Threats
⮚ Threat : A potential for violation of security, which exists
when there is a circumstance, capability, action, or event
that could breach security and cause harm. That is, a
threat is a possible danger that might exploit a
vulnerability.
⮚ Attack : An assault on system security that derives from
an intelligent threat; that is, an intelligent act that is a
deliberate attempt (especially in the sense of a method
or technique) to evade security services and violate the
security policy of a system.
The Normal Flow
The remaining parts of the figure show the following four general categories:
INTERRUPTION
An asset of the system is destroyed or becomes unavailable
or unusable. This is an attack on availability.
Examples include destruction of a piece of hardware, such as
hard disk, the cutting of communication line or disabling of the
file management system
INTERCEPTION
An unauthorized party gains access to an asset. This is an
attack on confidentiality. The unauthorized party could be a
person, a program or a computer.
Examples include wire tapping to capture data in a network,
and the unauthorized copying of files or programs
MODIFICATION
An unauthorized party not only gains access to but tampers
with an asset. This is an attack on integrity.
Examples include changing values in a data file, altering a
program so that it performs differently, and modifying the
content of messages being transmitted in a network
FABRICATION
An unauthorized party inserts counterfeit i.e. not genuine (A
Copy that is represented as the original) objects into the
system. This is an attack on authenticity.
Examples include the insertion of spurious (plausible but
false) messages in a network or the addition of records to a
file
Security Goals: Confidentiality, Integrity, Availability
Security Services
⮚ We can think of information security services as replicating the types of functions normally associated with physical documents.
⮚ Documents typically have signatures and dates; they need to be protected from disclosure, tampering etc. Similarly, several aspects of electronic documents make the provision of such functions or services challenging:
1. It is usually possible to discriminate between an original paper document and a Xerox copy. However, an electronic document is merely a sequence of bits; there is no difference whatsoever between the “original” and any number of copies.
2. An alteration to a paper document may leave some sort of physical evidence of the alteration. For example, an erasure can result in a thin spot or a roughness on a surface. However, altering bits in a computer memory or in a signal leaves no physical traces.
3. Any “proof” with a physical document typically depends on the physical characteristics of the document (e.g. shape of handwriting, signatures etc). Any such proof of authenticity of electronic documents must be based on internal evidence present in the information itself.
Therefore computer & network security research and development have focused on a few general security services that encompass the Information Security Facility.
Security Service
● Enhance security of data processing systems
and information transfers of an organization
● intended to counter security attacks
● using one or more security mechanisms
● often replicates functions normally associated
with physical documents
• which, for example, have signatures, dates; need
protection from disclosure, tampering, or
destruction; be notarized or witnessed; be
recorded or licensed
Security Services
⮚ X.800:
“a service provided by a protocol layer of
communicating open systems, which ensures
adequate security of the systems or of data
transfers”

⮚ RFC 2828:
“a processing or communication service
provided by a system to give a specific kind of
protection to system resources”
CIA TRIAD
Confidentiality
⮚ Confidentiality refers to an organization’s efforts to keep
their data private or secret and mainly involves ensuring
that only those who are authorized have access to
specific assets and that those who are unauthorized are
actively prevented from obtaining access.
Example
⮚ 1. only authorized Payroll employees should have
access to the employee payroll database.
⮚ 2. it’s reasonable for ecommerce customers to expect
that the personal information they provide to an
organization (such as credit card, contact, shipping, or
other personal information) will be protected
Violations
⮚ Confidentiality can be violated intentionally or unintentionally.
⮚ Intentionally, by direct attacks, eavesdropping etc
⮚ unintentionally through human error, carelessness, or
inadequate security controls
Countermeasures
⮚ to protect confidentiality include
⮚ Data classification and labeling;
⮚ Strong access controls and authentication mechanisms;
⮚ encryption of data in process, in transit, and in storage;
⮚ adequate education and training for all individuals with
access to data
Integrity
⮚ Integrity refers to the quality of something being whole or
complete.
⮚ Integrity is about ensuring that data has not been
tampered with and, therefore, can be trusted. It is
correct, authentic, and reliable.
Example : Ecommerce customers expect product and pricing information to be accurate, and that quantity, pricing, availability
Violations : integrity can be compromised directly via an
attack vector (tampering with intrusion detection
systems, modifying configuration files, or changing
system logs to evade detection) or unintentionally,
through human error, lack of care, coding errors, or
inadequate policies, procedures, and protection
mechanisms.
⮚ Countermeasures that protect data integrity include
encryption, hashing, digital signatures, intrusion
detection systems, auditing, version control, and strong
authentication mechanisms and access controls.
⮚ Note that integrity goes hand in hand with the concept
of non-repudiation: the inability to deny something. By
using digital signatures in email, for example, a sender
cannot deny having sent a message, and the recipient
cannot claim the message received was different from
the one sent. Non-repudiation assists in ensuring
integrity.
Availability
⮚ Availability means that networks, systems, and applications
are up and running. It ensures that authorized users have
timely, reliable access to resources when they are needed.
⮚ Example : Many things can jeopardize availability, including hardware
or software failure, power failure, natural disasters, and human error .
⮚ Violations : Well-known attack that threatens availability is
the denial-of-service, in which the performance of a system,
website, web-based application, or web-based service is
intentionally and maliciously degraded, or the system
becomes completely unreachable.
⮚ Countermeasures to help ensure availability include
redundancy (in servers, networks, applications, and
services), hardware fault tolerance (for servers and storage),
regular software patching and system upgrades, backups,
comprehensive disaster recovery plans, and denial-of-
service protection solutions.
Security Services (X.800)
⮚ Authentication - assurance that the
communicating entity is the one claimed
⮚ Access Control - prevention of the
unauthorized use of a resource
⮚ Data Confidentiality –protection of data from
unauthorized disclosure
⮚ Data Integrity - assurance that data received is
as sent by an authorized entity
⮚ Non-Repudiation - protection against denial by
one of the parties in a communication
Security Mechanism
⮚ feature designed to detect, prevent, or
recover from a security attack
⮚ no single mechanism that will support all
services required
⮚ however one particular element underlies
many of the security mechanisms in use:
● cryptographic techniques
⮚ hence our focus on this topic
Security Mechanisms (X.800)
⮚ specific security mechanisms:
● encipherment, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization
⮚ pervasive security mechanisms:
● trusted functionality, security labels, event detection, security audit trails, security recovery
Types of Security Mechanism
⮚ Network Security is a field in computer technology that deals with ensuring the security of computer network infrastructure. Therefore a security mechanism can also be termed as a set of processes that deal with recovery from a security attack. Various mechanisms are designed to recover from these specific attacks at various protocol layers.
Types of Security Mechanism are :
1. Encipherment :
This security mechanism deals with hiding and covering data, which helps the data to become confidential. It is achieved by applying mathematical calculations or algorithms which reconstruct information into a non-readable form. It is achieved by two famous techniques named Cryptography and Encipherment. The level of data encryption is dependent on the algorithm used for encipherment.
2. Access Control :
This mechanism is used to stop unattended access to the data which you are sending. It can be achieved by various techniques such as applying passwords, using a firewall, or just by adding a PIN to the data.
3. Notarization :
This security mechanism involves the use of a trusted third party in communication. It acts as a mediator between sender and receiver so that the chance of any conflict is reduced. This mediator keeps a record of requests made by the sender to the receiver, so that a later denial can be resolved.
⮚ 4. Data Integrity :
This security mechanism works by appending to the data a value which is created from the data itself. It is similar to sending a packet of information known to both sending and receiving parties and checked before and after the data is received. When this appended packet or data is checked and is the same while sending and receiving, data integrity is maintained.
⮚ 5. Authentication exchange :
This security mechanism deals with the identity to be known in communication. This is achieved at the TCP/IP layer, where a two-way handshaking mechanism is used to ensure whether data is sent or not.
⮚ 6. Bit stuffing :
This security mechanism is used to add some extra bits into the data which is being transmitted. It helps the data to be checked at the receiving end and is achieved by even parity or odd parity.
⮚ 7. Digital Signature :
This security mechanism is achieved by adding digital data that is not visible to the eyes. It is a form of electronic signature which is added by the sender and checked by the receiver electronically. This mechanism is used to preserve data which is not very confidential but where the sender’s identity is to be notified.
A Model for Network Security
1) A message is to be transferred from one party to another across some sort of internet.
2) The two parties, who are the principals in this transaction, must cooperate for the exchange to take place.
3) A logical information channel is established by defining a route through the internet from source to destination and by the use of communication protocols (e.g. TCP/IP) by the two principals.
Now security aspects come into play when it is necessary to protect the information.
Techniques for providing security have two components :
1. A security-related transformation on the information to be sent. Examples include encryption of the message, which scrambles the message so that it is unreadable to the opponent, and the addition of a code based on the contents of the message, which can be used to verify the identity of the sender.
2. Some secret information shared by the two principals and, it is hoped, unknown to the opponent. Example: the encryption key used to scramble the message.
A trusted third party may be needed to achieve secure transmission.
Ex :- A third party may be responsible for distributing the secret key information to the two principals while keeping it away from the opponent.
Or a third party may be needed to arbitrate disputes between the two principals concerning the authenticity of a message transmission.
The General Model shows that there are four basic tasks.
⮚ using this model requires us to:
1. design a suitable algorithm for the security transformation
2. generate the secret information (keys) used by the algorithm
3. develop methods to distribute and share the secret information
4. specify a protocol enabling the principals to use the transformation and secret information for a security service
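The two components of the model (a security-related transformation and a secret shared by the principals), together with detection of the modification and replay attacks described earlier and the "append a value created from the data itself" integrity mechanism, as an added example that is not part of the original slides. It uses HMAC-SHA256 from the Python standard library for the message code; the HMAC-based keystream cipher is a teaching stand-in for a real cipher such as AES-GCM, and the key, message and wire format are constructed here.

```python
import hashlib
import hmac
import os
import struct

HEADER_LEN = 24   # 8-byte sequence number + 16-byte nonce
TAG_LEN = 32      # HMAC-SHA256 output appended to every message


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream: HMAC(key, nonce || counter) blocks concatenated.
    # Teaching stand-in for a real cipher such as AES-GCM; not for production.
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + struct.pack(">Q", counter)
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Sender: apply the security-related transformation using the shared secret.

    Wire format (constructed): seq(8) || nonce(16) || ciphertext || tag(32).
    Encryption hides the contents from an interceptor; the tag is a code based
    on the message contents, so modification is detected and only a holder of
    the key could have produced it (verifying the sender's identity).
    """
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    header = struct.pack(">Q", seq) + nonce
    tag = hmac.new(key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


class Receiver:
    """Receiver: verify the tag first, then reject replayed sequence numbers."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq = -1

    def open(self, wire: bytes) -> tuple:
        if len(wire) < HEADER_LEN + TAG_LEN:
            return None, "truncated"
        header = wire[:HEADER_LEN]
        body = wire[HEADER_LEN:-TAG_LEN]
        tag = wire[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return None, "modification detected"
        seq = struct.unpack(">Q", header[:8])[0]
        if seq <= self.last_seq:
            return None, "replay detected"
        self.last_seq = seq
        ks = _keystream(self.key, header[8:], len(body))
        return bytes(c ^ k for c, k in zip(body, ks)), "ok"


def demo() -> dict:
    # Constructed scenario using the file-access message from the unit.
    key = os.urandom(32)       # component 2: secret shared by the principals
    msg = b"Allow John Smith to read confidential file accounts"
    receiver = Receiver(key)
    wire = protect(key, 1, msg)
    results = {"legit": receiver.open(wire)}
    # Opponent alters a ciphertext byte (modification of message contents).
    tampered = bytearray(wire)
    tampered[HEADER_LEN + 6] ^= 0x01
    results["tampered"] = receiver.open(bytes(tampered))
    # Opponent re-sends the captured, unmodified message (replay).
    results["replay"] = receiver.open(wire)
    # Opponent without the key sees only ciphertext (interception).
    results["plaintext_visible"] = msg in wire
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```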
Model for Network Security
Model for Network Access Security
⮚ using this model requires us to:
1. select appropriate gatekeeper functions to identify
users
2. implement security controls to ensure only
authorised users access designated information or
resources
⮚ trusted computer systems may be useful to help
implement this model
⮚ Gate Keeper Function :- It includes password-based login procedures that are designed to detect and reject all but authorized users, and screening logic that is designed to detect and reject worms, viruses and similar attacks.
Model for Network Access
Security
INTERNET STANDARDS AND RFC’S
Many of the network security protocols and applications used in our subject have been specified as Internet standards and Internet RFCs (Request for Comments).
The Internet Society :
By universal agreement, an organization known as the Internet Society is responsible for the development and publication of the standards.
Three organizations under the Internet Society are responsible for the actual work of standard development and publication:
Internet Architecture Board (IAB) :-
Responsible for defining the overall architecture of the internet, providing guidance and broad direction to the IETF
Internet Engineering Task Force (IETF) :-
The protocol engineering and development arm of the internet
Internet Engineering Steering Group (IESG) :-
Responsible for technical management of IETF activities and the Internet Standards Process
RFC Publications :-
⮚ RFCs are the working notes of the internet R & D community.
⮚ The actual development of new standards and protocols for the internet is carried out by working groups of the IETF.
⮚ During development of a specification, the group makes a draft copy available on the internet, known as an “internet draft”, placed in the IETF’s online directory.
⮚ This document remains online for six months. Any interested party can review and comment on it. If it has not progressed within six months, it is withdrawn.
⮚ Finally the IETF publishes the RFCs with the approval of the IESG.
The Standardization Process
⮚ The left-hand side of the figure above shows the series of steps, called the standards track, that a specification goes through to become a standard; this process is defined in RFC 2026. The steps involve increasing amounts of scrutiny and testing. At each step, the IETF must make a recommendation for advancement of the protocol, and the IESG must ratify it. The process begins when the IESG approves the publication of an Internet Draft document as an RFC with the status of Proposed Standard.
⮚ The white boxes represent temporary states. However, a document must remain in Proposed Standard for at least six months and in Draft Standard for at least four months to allow time for review and comment.
⮚ The red boxes represent long-term states that may be occupied for years. For a specification to be advanced to Draft Standard status, some operational experience is to be obtained.
⮚ After this it is elevated to Internet Standard. Now it is assigned an RFC number, and finally, when the protocol becomes obsolete, it is assigned the Historic state.
Buffer Overflow
⮚ A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold.
⮚ Since buffers are created to contain a finite amount of data, the extra information – which has to go somewhere – can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.
⮚ Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity.
⮚ In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user’s files, change data or disclose confidential information.
⮚ Buffer overflow attacks are said to have arisen because the C programming language supplied the framework and poor programming practices supplied the vulnerability.
⮚ In July 2000, a programming flaw made it possible for an attacker to compromise the integrity of the target computer by simply sending it an e-mail message.
⮚ Unlike the typical e-mail virus, users could not protect themselves by not opening attached files; in fact the user did not even have to open the message to enable the attack.
⮚ The program’s message header mechanisms had a defect that made it possible for senders to overflow the area with extraneous data.
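Adjacent-field corruption by an unbounded copy, and the length check that prevents it, as an added example that is not from the original slides. It uses Python's ctypes to lay out a real 8-byte name buffer directly in front of an integer flag, so the overflow is visible in actual memory rather than simulated; the record layout and the oversized input are constructed for the demonstration.

```python
import ctypes

NAME_LEN = 8  # size of the fixed name buffer, in bytes


class UserRecord(ctypes.Structure):
    # Two fields laid out back to back in memory: an 8-byte name buffer
    # followed immediately by a 4-byte privilege flag (constructed layout).
    _fields_ = [("name", ctypes.c_char * NAME_LEN),
                ("is_admin", ctypes.c_int32)]


def unchecked_set_name(rec: UserRecord, data: bytes) -> None:
    # Mirrors an unbounded strcpy/memcpy: copies as many bytes as the caller
    # supplies, so bytes 9 onward land in the adjacent is_admin field.
    # The copy is clamped to the record size so this teaching version never
    # writes outside memory that ctypes owns.
    count = min(len(data), ctypes.sizeof(rec))
    ctypes.memmove(ctypes.addressof(rec), data, count)


def checked_set_name(rec: UserRecord, data: bytes) -> bool:
    # Hardened form: compare the input against the buffer size (keeping one
    # byte for the terminating NUL) before copying, and refuse oversized input
    # instead of truncating it silently.
    if len(data) >= NAME_LEN:
        return False
    rec.name = data
    return True


def demo() -> dict:
    results = {}
    # Constructed input: fills the 8-byte name and carries 4 more bytes equal
    # to the native in-memory encoding of the int32 value 1.
    oversized = b"A" * NAME_LEN + bytes(ctypes.c_int32(1))

    rec = UserRecord(b"guest", 0)
    unchecked_set_name(rec, oversized)
    results["unchecked_is_admin"] = rec.is_admin   # flag corrupted to 1
    results["unchecked_name"] = rec.name           # b"AAAAAAAA", no terminator

    rec2 = UserRecord(b"guest", 0)
    results["checked_accepted"] = checked_set_name(rec2, oversized)  # False
    results["checked_is_admin"] = rec2.is_admin    # still 0
    results["checked_name"] = rec2.name            # still b"guest"
    results["checked_fits"] = checked_set_name(rec2, b"alice")       # True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```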
Summary
⮚ have considered:
● definitions for:
• computer, network, internet security
⮚ X.800 standard
⮚ security attacks, services, mechanisms
⮚ models for network (access) security
