2

Data: raw facts {Alphanumeric, image, audio, and video}

Information: result of processing, manipulating and organizing data in a way
that adds to the knowledge of the receiver. {Processed Data}
Knowledge: Knowledge is normally processed by means of structuring,
grouping, filtering, organizing or pattern recognition. {Highly structured
information}
An Information System is a set of interrelated components that collect or retrieve,
process, store and distribute information to support decision making and control in
an organization.
'Information is an asset which, like other important business assets, has value to
an organization and consequently needs to be suitably protected
BS ISO 27002:2005
Mukesh Chinta, Asst Prof, CSE,VRSEC

Security is one of the oldest problem that governments, commercial

organizations and almost every person has to face. The need of security exists
since information became a valuable resource.
Introduction of computer systems to business has escalated the security problem
even more.
The advances in networking and specially in distributed systems made the need
for security even greater.

Any breach with the Information System will lead to Loss of productivity, loss
of revenue, legal liabilities, loss of reputation and other losses.
Cyber crime is defined as criminal activity involving the IT infrastructure,
including illegal access, illegal interception, data interference, misuse of devices,
ID theft and electronic fraud
Mukesh Chinta, Asst Prof, CSE,VRSEC

The e-commerce sector in India is facing a major hurdle due to ineffectiveness of

cyber laws.

Mukesh Chinta, Asst Prof, CSE,VRSEC

So now we know that we need security.

BUT what is security anyway ?
Many people fail to understand the meaning of the word.
Many corporations install an antivirus software, and/or a firewall and believe they are protected.
Are they ?

In the real world, security involves processes. It involves preventive technologies, but also detection and
reaction processes, and an entire forensics system to hunt down and prosecute the guilty. Security is not
a product; it itself is a process. .
Bruce Schneier

The U.S. Governments National Information Assurance Glossary defines

INFOSEC as:

Protection of information systems against

unauthorized access to or modification of
information, whether in storage, processing or
transit, and against the denial of service to
authorized users or the provision of service to
unauthorized users, including those measures
necessary to detect, document, and counter
such threats.
Mukesh Chinta, Asst Prof, CSE,VRSEC

ARPANET, the precursor to the modern internet allowed easy synchronization of information
between data centers but has unsecure points between the data centers and the public. This
vulnerability was addressed by securing physical locations and hardware. A task force formed by
ARPA (Advanced Research Projects Agency) to study internet security in 1967 found this
method to be inadequate, and released the Rand Report R-609 which determined additional
steps must be taken to improve security. This report marked an important stage in the
development of today's information security.

1960s: Organizations start to protect their computers

1970s: The first hacker attacks begin

1980s: Governments become proactive in the fight against cybercrime
1990s: Organized crime gets involved in hacking
2000s: Cybercrime becomes treated like a crime

2010s: Information security becomes serious

Mukesh Chinta, Asst Prof, CSE,VRSEC

The NIST (National Institute of Standards & Technology} Computer Security Handbook [NIST95]
(Available from: http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf) defines the term
computer security as
The protection afforded to an automated information system in order to attain the
applicable objectives of preserving the integrity, availability, and confidentiality of
information system resources (includes hardware, software, firmware, information/data,
and telecommunications).
The definition introduces three key objectives that are at the heart of the computer security:

Confidentiality
Data Confidentiality
Privacy

Integrity
Data Integrity
System Integrity

Availability
Mukesh Chinta, Asst Prof, CSE,VRSEC

 Confidentiality
10

Data Confidentiality - Assures that private or confidential information is

not made available or disclosed to unauthorized individuals.
Privacy - Assures that individuals control or influence what information
related to them may be collected and stored and by whom and to whom
that information may be disclosed.

Integrity
Data Integrity - Assures that information and programs are changed only
in a specified and authorized manner
System Integrity - Assures that a system performs its intended function in
an unimpaired manner, free from deliberate or inadvertent unauthorized

manipulation of the system.

Availability - Assures that systems work promptly and service is not denied
to authorized users.
Mukesh Chinta, Asst Prof, CSE,VRSEC

Federal Information Processing Standards Publications (FIPS PUB 199)

11
provides
a useful characterization of these three objectives in terms of
requirements and the definition of a loss of security in each category:
Confidentiality : Preserving authorized restrictions on information access and disclosure,
including means for protecting personal privacy and proprietary information. A loss of
confidentiality is the unauthorized disclosure of information.
Integrity: Guarding against improper information modification or destruction, and
includes ensuring information non-repudiation and authenticity. A loss of integrity is the
unauthorized modification or destruction of information.

Availability: Ensuring timely and reliable access to and use of information. A loss of
availability is the disruption of access to or use of information or an information system.
Authenticity: The property of being genuine and being able to be verified and trusted;
confidence in the validity of a transmission, a message, or message originator.
Accountability: The security goal that generates the requirement for actions of an entity
to be traced uniquely to that entity.

12

FIPS PUB 199 define three levels of impact on organizations or individuals

should there be a breach of security : Low, Moderate and High
LOW

MODERATE

HIGH

Effect on organizational operations,

assets or individuals

Limited

Primary functions of the organization

and their effectiveness
Damage to organizational assets

Minor
Significant
Severe degradation
degradation degradation
Minor
Significant
Major

Financial Loss

Minor

Significant

Major

Harm to individual

Minor

Significant

Severe (loss of life

or life-threatening
injuries)

Serious

Severe or even
catastrophic

13

1. Not simple seems to be straight forward but very complex

2. Must consider potential attacks on security features

3. Procedures used are often counter-intuitive

4. Involves multiple algorithms and secret information
5. Must decide where to deploy security mechanisms
6. Battle of wits between attacker / admin
7. Not perceived on benefit until a security failure happens
8. Requires regular/constant monitoring which is difficult
9. Often an after-thought rather than an integral part of the process
10. Strong security is regarded as impediment to free usage of a system
Mukesh Chinta, Asst Prof, CSE,VRSEC

14

ITU-T X.800 Security Architecture for OSI defines a systematic way of defining and
providing security requirements. Three important aspects of OSI security architecture are:
: Any action that compromises the security of information owned by an
organization.

: A process (or a device incorporating such a process) that is

designed to detect, prevent, or recover from a security attack.
: A processing or communication service that enhances the security of
the data processing systems and the information transfers of an organization.

Mukesh Chinta, Asst Prof, CSE,VRSEC

 a potential for violation

of security

Threats

Vulnerabilities

Something that
can potentially cause damage to
the organization, IT Systems or
network
an assault on system
security, a deliberate attempt to
evade security services
: A possibility that a threat
exploits a vulnerability in an asset
and causes damage or loss to the
asset.

Controls *
reduce

Protection
Requirements

Risk

Information
assets

Asset values

Relationship between Risk, Threats, and Vulnerabilities

Mukesh Chinta, Asst Prof, CSE,VRSEC

16

The security attacks are classified into

and
A passive attack attempts to learn or make use of information from the system but does
not affect system resources. These are difficult to detect and focus will be on
prevention.
Active attacks involve some modification of the data stream or the creation of a false
stream. These are difficult to prevent and focus is on detection and recovery.

Mukesh Chinta, Asst Prof, CSE,VRSEC

Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent
is to obtain information that is being transmitted. Two types of passive attacks are:
Release of message contents Any transferred message could be intercepted or listened to
Traffic analysis - monitor traffic flow to determine location and identity of communicating hosts and could
observe the frequency and length of messages being exchanged.

Release of Message Contents

Traffic Analysis

17

18

An active attack is one in which an unauthorized change of the system is attempted. This
could include, for example, the modification of transmitted or stored data, or the creation of
new data streams

relate to an entity (usually a computer or a person) taking on a false identity in

order to acquire or modify information, and in effect achieve an unwarranted privilege status.
involves the re-use of captured data at a later time than originally intended in order
to repeat some action of benefit to the attacker.

Mukesh Chinta, Asst Prof, CSE,VRSEC

19

could involve modifying a packet header address for the

purpose of directing it to an unintended destination or modifying the user data.
prevent the normal use or management of
communication services, and may take the form of either a targeted attack on a
particular service or a broad, incapacitating attack.

Mukesh Chinta, Asst Prof, CSE,VRSEC

RFC 2828 defines Security Service as a processing or communication service that is

provided by a system to give a specific kind of protection to system resources.
Authentication

Peer Entity Authentication

Data-Origin Authentication

Access Control
Connection Confidentiality

Security Services

Data
Confidentiality

Connectionless Confidentiality

Selective-Field Confidentiality
Traffic-Flow Confidentiality

Data Integrity

Non Repudiation

Connection Integrity with Recovery

Connection Integrity without Recovery
Selective-Field Connection Integrity
Connectionless Integrity
Selective-Field Connectionless Integrity
Nonrepudiation, Origin
Nonrepudiation, Destination

X.800 divides security services into five categories and fourteen specific services. Security Services intend to counter security
attacks and make use of one or more security mechanisms to provide the service

22

Authentication service is concerned with assurance that

communicating entity is the one claimed. It helps in establishing proof of identification.
Two specific authentication services are defined:
- provides corroboration of the identity of a peer entity in an
association. This service provides confidence, at the time of usage only, that an entity is not
attempting a masquerade or an unauthorized replay of a previous connection.
- provides corroboration of the source of a data unit. In a
connectionless transfer, provides assurance that the source of received data is as claimed
It is the protection of transmitted data from passive attacks,

and the protection of traffic flow from analysis.

: The protection of all user data on a connection
: The protection of all user data in a single data block
The confidentiality of selected fields within the user data on
a connection or in a single data block
The protection of the information that might be derived from
observation of traffic flows
Mukesh Chinta, Asst Prof, CSE,VRSEC

23

It assures that messages are received as sent by an authorized entity,

with no duplication, insertion, modification, reordering, replay, or loss.
Provides for the integrity of all user data on a
connection and detects any modification, insertion, deletion, or replay of any data within an
entire data sequence, with recovery attempted
As above, but provides only detection without
recovery.
Provides for the integrity of selected fields within the
user data of a data block transferred over a connection and takes the form of determination of
whether the selected fields have been modified, inserted, deleted, or replayed.
Provides for the integrity of a single connectionless data block
and may take the form of detection of data modification.
Provides for the integrity of selected fields within
a single connectionless data block
It is the ability to limit and control the access to host systems and
applications via communications links. The prevention of unauthorized use of a resource
(i.e., this service controls who can have access to a resource, under what conditions
access can occur, and what those accessing the resource are allowed to do).
Mukesh Chinta, Asst Prof, CSE,VRSEC

24

: This service does not allow the sender or receiver of a message to

refuse the claim of not sending or receiving that message.
: Proof that the message was sent by the specified party.
: Proof that the message was received by the specified part.

- It is the property of a system / resource being accessible and usable

upon demand by an authorized system entity, according to performance specifications
for the system. A variety of attacks can result in the loss of or reduction in availability.

25

Interception

Forgery

Denial of Service

Is Private?

Who am I dealing with?

Wish to access!!

Security Needs for Network Communications

Not

SENT !

Modification

Claim

Unauthorized access

Has been altered?

Who sent/received it?

Have you privilege?

Mukesh Chinta, Asst Prof, CSE,VRSEC

26

Security Mechanism: A mechanism that is designed to detect, prevent, or recover

from a security attack. No single mechanism that will support all functions required.
The security mechanisms are divided into those that are implemented in a
specific protocol layer called
and those that are not
specific to any particular protocol layer or security service called
.

Security
Mechanism

Description

Encipherment

The use of mathematical algorithms to transform data into a form that is not readily
intelligible. The transformation and subsequent recovery of the data depend on an
algorithm and zero or more encryption keys.

Digital Signature

Data appended to, or a cryptographic transformation of, a data unit that allows a
recipient of the data unit to prove the source and integrity of the data unit and
protect against forgery.

Access Control

A variety of mechanisms that enforce access rights to resources.

Data Integrity

A variety of mechanisms used to assure the integrity of a data unit or stream of

data units.

Authentication
Exchange

A mechanism intended to ensure the identity of an entity by means of information

exchange

Traffic Padding

The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.

Routing Control

Enables selection of particular physically secure routes for certain data and allows
routing changes, especially when a breach of security is suspected.

Notarization

The use of a trusted third party to assure certain properties of a data exchange.
Mukesh Chinta, Asst Prof, CSE,VRSEC

28
Security
Mechanism

Description

Trusted
Functionality

That which is perceived to be correct with respect to some criteria (e.g., as

established by a security policy).

Security Label

The marking bound to a resource (which may be a data unit) that names or
designates the security attributes of that resource.

Event Detection

Detection of security-relevant events

Security Audit
Trail

Data collected and potentially used to facilitate a security audit, which is an

independent review and examination of system records and activities.

Security
Recovery

Deals with requests from mechanisms, such as event handling and management
functions, and takes recovery actions.

29

Mukesh Chinta, Asst Prof, CSE,VRSEC

Data is transmitted over network between two communicating parties, who must cooperate for the
exchange to take place. A logical information channel is established by defining a route through the
internet from source to destination by use of communication protocols by the two parties.

Two components are present in almost all the security providing techniques.
A security-related transformation on the information to be sent making it unreadable by the opponent, and
the addition of a code based on the contents of the message, used to verify the identity of sender.
Some secret information shared by the two principals and, it, unknown to the opponent. A trusted third
party may be needed to distribute the secret information or to arbitrate disputes between the principals.

31

The general model shows that there are four basic tasks in designing a particular security
service:

1. Design an algorithm for performing the security-related transformation. The algorithm should be
such that an opponent cannot defeat its purpose
2. Generate the secret information to be used with the algorithm
3. Develop methods for the distribution and sharing of the secret information
4. Specify a protocol to be used by the two principals that makes use of the security algorithm and
the secret information to achieve a particular security service
Various other threats to information system like unwanted access still exist. The existence of hackers
attempting to penetrate systems accessible over a network remains a concern. Another threat is
placement of some logic in computer system affecting various applications and utility programs.
This inserted code presents two kinds of threats.
Information access threats intercept or modify data on behalf of users who should not have
access to that data
Service threats exploit service flaws in computers to inhibit use by legitimate users
Mukesh Chinta, Asst Prof, CSE,VRSEC

32

Viruses and worms are two examples of software attacks inserted into the system by means of a
disk or also across the network.

Placing a gatekeeper function, which includes a password-based login methods that

provide access to only authorized users and screening logic to detect and reject worms,
viruses etc.
An internal control, monitoring the internal system activities analyzes the stored
information and detects the presence of unauthorized users or intruders.
Mukesh Chinta, Asst Prof, CSE,VRSEC

Security Controls are categorized based on their functionality and plane of application.
Based on functionality, the types of controls are given as:
- These try to prevent security violations and enforce access control. Like other controls, preventive
controls may be physical, administrative, or technical: doors, security procedures, and authentication requirements

- Detective controls are in place to detect security violations and alert the defenders. They come into
play when preventive controls have failed or have been circumvented and are no less crucial than detective controls.
Detective controls include cryptographic checksums, file integrity checkers, audit trails and logs, and similar mechanisms.

- Corrective controls try to correct the situation after a security violation has occurred. Corrective
controls vary widely, depending on the area being targeted, and they may be technical or administrative in nature.

- Deterrent controls are intended to discourage potential attackers. Examples of deterrent controls include
notices of monitoring and logging as well as the visible practice of sound information security management.

similar to corrective controls applied in more serious situations to recover from security violations and
restore information and information processing resources. These include disaster recovery and business continuity mechanisms,
backup systems and data, emergency key management arrangements, and similar controls.

- are intended to be alternative arrangements for other controls when the original controls have
failed or cannot be used. When a second set of controls addresses the same threats that are addressed by another set of controls,
the second set of controls are compensating controls.
Mukesh Chinta, Asst Prof, CSE,VRSEC

33

Based on plane of application, the types of controls are given as:

Physical Controls include doors, secure facilities, fire extinguishers, flood protection, and air
conditioning.
Administrative Controls are the organizations policies, procedures, and guidelines intended to
facilitate information security.
Technical controls are the various technical measures, such as firewalls, authentication systems,
intrusion detection systems, and file encryption, among others.

Logical access control models are the abstract foundations upon which actual access
control mechanisms and systems are built.
Access control models define how computers enforce access of subjects (such as users,
other computers, applications, and so on) to objects (such as computers, files, directories,
applications, servers, and devices).
Three main access control models exist:

34

Discretionary Access Control (DAC)

In the DAC model, the owner (creator) of information (file or directory) has the discretion to decide about
and set access control restrictions on the object in question.
The advantage of DAC is its flexibility: users may decide who can access information and what they can do
with itread, write, delete, rename, execute, and so on.
At the same time, this flexibility is also a disadvantage of DAC because users may make wrong decisions
regarding access control restrictions or maliciously set insecure or inappropriate permissions.

Mandatory Access Control (MAC)

In systems utilizing MAC, users have little or no discretion as to what access permissions they can set on
their information.
MAC-based systems use data classification levels (such as public, confidential, secret, and top secret) and
security clearance labels corresponding to data classification levels to decide, in accordance with the security
policy set by the system administrator, what access control restrictions to enforce.
Additionally, per-group and/or per-domain access control restrictions may be imposedthat is, in
addition to having the required security clearance level, subjects(users or applications) must also belong to
the appropriate group or domain. This concept is called Compartamentalization or need to know.
Though MAC systems are thought to be more secure than DAC systems, they are more difficult to use and
administer because of the additional restrictions imposed by the OS.
Typically MAC systems are used in government, military and financial environments, where higher level of
security is required and costs are tolerated.
35
Mukesh Chinta, Asst Prof, CSE,VRSEC

Role-Based Access Control (RBAC)

In the role-based access control model, rights and permissions are assigned to roles instead
of individual users. This added layer of abstraction permits easier and more flexible
administration and enforcement of access controls.

Centralized vs. Decentralized Access Control

In environments with centralized access control, a single, central entity makes access
control decisions and manages the access control system; whereas in distributed access
control environments, these decisions are made and enforced in a decentralized manner.
The selection of a particular access control approach should be made only after careful
consideration of an organizations requirements and associated risks.
36

Mukesh Chinta, Asst Prof, CSE,VRSEC

 A vulnerability can occur anywhere in the IT environment, and can be the result of
many different root causes.
solutions gather comprehensive endpoint and
network intelligence and apply advanced analytics to identify and prioritize the
vulnerabilities that pose the most risk to critical systems.
includes assessment of the environment for known
vulnerabilities, and to assess IT components using the security configuration
policies(by device role) that have been defined for the environment.
is a dictionary of common names
(i.e., CVE Identifiers) for publicly known information security vulnerabilities.
provides an open framework for
communicating the characteristics and impacts of IT vulnerabilities.
provides a common
language of discourse for discussing, finding and dealing with the causes of
software security vulnerabilities as they are found in code, design, or system
architecture.
37