Information Security Notes

The document discusses various security concepts including vulnerabilities, attacks, threats, and network security mechanisms. It defines vulnerabilities as weak points exploited by attackers to gain unauthorized access. Attacks are attempts to damage or access systems and come in passive and active forms. Threats are potential negative events caused by vulnerabilities. Network security mechanisms work to detect, prevent, and recover from attacks through methods like access control, encryption, routing control, and digital signatures.

Uploaded by

Sulaiman

Security Mechanisms: Vulnerability, Attack, Threat, Network Security Mechanisms.

Vulnerability: Vulnerabilities are weak points or loopholes in security that an attacker
exploits in order to gain access to the network or to resources on the network.
Attack: Attack is any attempt to destroy, expose, alter, disable, steal or gain unauthorized
access to or make unauthorized use of an asset.
Two types of attack are: Passive Attack, Active Attack.
Passive Attack: A passive attack is a network attack in which a system is monitored and
sometimes scanned for open ports and vulnerabilities.
Active Attack: An active attack is a network exploit in which a hacker attempts to make
changes to data on the target or data en route to the target.
Masquerade – A masquerade attack takes place when one entity pretends to be a different
entity. A masquerade attack usually includes one of the other forms of active attack.
Modification of messages – Some portion of a legitimate message is altered, or messages
are delayed or reordered, to produce an unauthorized effect. For example, a message
meaning “Allow JOHN to read confidential file X” is modified to “Allow Smith to read
confidential file X”.
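As an added illustration (not part of the original notes), the following Python script shows how a keyed integrity check lets the receiver detect the modification described above, using the standard hmac module; the shared key and the messages are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample key shared by sender and receiver (in practice it comes
# from a key-management system, never from source code).
SHARED_KEY = b"example-shared-secret-do-not-reuse"


def tag_message(key: bytes, message: bytes) -> bytes:
    """Return the HMAC-SHA256 tag the sender attaches to a message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare it in constant time.

    False means the message or the tag was altered in transit, or that the
    party who produced the tag did not hold the shared key.
    """
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Run the legitimate case and the two active-attack cases from the notes."""
    original = b"Allow JOHN to read confidential file X"
    tag = tag_message(SHARED_KEY, original)

    # Legitimate delivery: message and tag arrive unchanged.
    accepted = verify_message(SHARED_KEY, original, tag)

    # Modification of messages: the text is altered in transit, but whoever
    # altered it has no key and can only forward the tag of the original.
    altered = b"Allow Smith to read confidential file X"
    altered_rejected = not verify_message(SHARED_KEY, altered, tag)

    # Masquerade: an entity without the shared key fabricates its own tag.
    forged_tag = tag_message(b"guessed-key", altered)
    forged_rejected = not verify_message(SHARED_KEY, altered, forged_tag)

    return {
        "accepted": accepted,
        "altered_rejected": altered_rejected,
        "forged_rejected": forged_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

A MAC on its own does not detect the delayed or reordered messages mentioned above; that needs a sequence number or timestamp inside the authenticated message, which is what IPsec's anti-replay service adds.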
Threat: In computer security, a threat is a potential negative action or event facilitated by a
vulnerability that results in an unwanted impact to a computer system or application.
Network Security Mechanism: A mechanism that is designed to detect, prevent, or recover
from a security attack.
Different types of security Mechanisms are:
Routing control, Traffic padding, Encipherment, Access Control, Digital Signatures, Data
Integrity.
Routing Control: It enables the selection of particular, physically secure routes for certain
data and allows routing changes, especially when a breach of security is suspected.
Traffic Padding: Traffic padding may be used to hide the traffic pattern, which means to
insert dummy traffic into the network and present to the intruder a different traffic pattern.
Encipherment: Encipherment is the process of making data unreadable to unauthorized
entities by applying a cryptographic algorithm (an encryption algorithm). Cryptographic
techniques are used for enciphering.
Cryptography: Cryptography is the science of keeping information secure by transforming it
into a form that unintended recipients cannot understand.
Symmetric Key Cryptography
An encryption system in which the sender and receiver of a message share a single,
common key that is used to encrypt and decrypt the message. The most popular
symmetric–key system is the Data Encryption Standard (DES).
Asymmetric Key Encryption (or Public Key Cryptography)
The encryption process where different keys are used for encrypting and decrypting the
information. Keys are different but are mathematically related, such that retrieving the plain
text by decrypting cipher text is feasible.
Digital Signature: A digital signature is a mathematical technique used to validate the
authenticity and integrity of a message, software or digital document.
Access Control: It uses methods to prove that a user has access rights to the data or
resources owned by a system. E.g. Passwords and Pins.
Data Integrity: Data integrity refers to maintaining and assuring the accuracy and
consistency of data. A variety of mechanisms may be used to assure the integrity of a data
unit or of a stream of data units.
Methods of Data Integrity:
A check digit is an extra digit added to a number so that, if a number is changed, the error
will be detected.
Method:
 Starting from the right, multiply the first digit by 1, the second by 2, and so on.
 Add the results together.
 Use the last digit of the result and append it to the end of the number.
Example: 56037 becomes 560372
Example: 50637 becomes 506376
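The check-digit procedure above, implemented in Python as an added example (not code from the original notes); the last function goes beyond the notes and lists which single-digit changes the scheme fails to detect, which shows the limit of this method of data integrity.

```python
def check_digit(number: str) -> str:
    """Compute the check digit for a string of decimal digits.

    Starting from the right, multiply the first digit by 1, the second by 2,
    and so on; add the products; the check digit is the last digit of the sum.
    """
    if not number.isdigit():
        raise ValueError("number must contain decimal digits only")
    total = sum(int(d) * w for w, d in enumerate(reversed(number), start=1))
    return str(total % 10)


def append_check_digit(number: str) -> str:
    """Return the number with its check digit appended (56037 -> 560372)."""
    return number + check_digit(number)


def is_valid(number_with_check: str) -> bool:
    """Verify a number whose last digit is the check digit."""
    if len(number_with_check) < 2 or not number_with_check.isdigit():
        return False
    body, check = number_with_check[:-1], number_with_check[-1]
    return check_digit(body) == check


def undetected_single_digit_changes(number_with_check: str) -> list:
    """List every single-digit substitution in the body that still validates.

    A change of d in a position with weight w goes unnoticed whenever w * d is
    a multiple of 10, e.g. an even change in the weight-5 position or a change
    of 5 in an even-weight position, so the scheme is not a substitute for a MAC.
    """
    body, check = number_with_check[:-1], number_with_check[-1]
    misses = []
    for i, original in enumerate(body):
        for replacement in "0123456789":
            if replacement == original:
                continue
            candidate = body[:i] + replacement + body[i + 1:] + check
            if is_valid(candidate):
                misses.append(candidate)
    return misses


if __name__ == "__main__":
    for n in ("56037", "50637"):
        print(n, "becomes", append_check_digit(n))
    print("undetected changes to 560372:", undetected_single_digit_changes("560372"))
```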
Symmetric encryption:
In symmetric encryption, you use the same key for both encryption and decryption of your
data or message. Taking the example of sending a secure message to your granny, both of
you need to have the same key in order to encrypt and decrypt the messages that you may
exchange with each other.

Asymmetric encryption:
Asymmetric encryption is quite the opposite of symmetric encryption, as it uses not one
key but a pair of keys: a private one and a public one.
You use one of them, called the public key, to encrypt your data, and the other, called the
private key, to decrypt the encrypted message.
When you encrypt your message using, let’s say, your granny’s public key, that same
message can only be decrypted using her private key.

Voice over Internet Protocol (VoIP)

Voice over Internet Protocol (VoIP) is a technology that allows you to make voice calls
over a broadband Internet connection instead of an analog (regular) phone line. Some VoIP
services only allow you to call people using the same service, while others may allow you to
call anyone. They may or may not come with a telephone number, including local, long
distance, mobile, and international numbers. Some VoIP services only work over your
computer or a special VoIP phone, while other services allow you to use a traditional phone
connected to a VoIP adapter.

How VoIP / Internet Voice Works –

VoIP services convert your voice into a digital signal that travels over the Internet. If a
regular phone number is called, the signal is converted to a regular telephone signal, i.e. an
analog signal, before it reaches the destination. VoIP can allow you to make a call directly
from a computer, from a special VoIP phone, or from a traditional phone connected to a
special adapter. Wireless hot spots in locations such as airports, hospitals and cafes allow
you to connect to the Internet and can enable you to use a VoIP service wirelessly.
Advantages of VoIP –
 Some VoIP services offer features and services that are not available with a
traditional phone, or are available but only for an additional fee.
 Paying for both a broadband connection and a traditional telephone line can be
avoided.
 Smoother connection than an analog signal can be provided.
Disadvantages of VoIP –
 Some VoIP services don’t work during power outages and the service provider may
not offer backup power.
 Not all VoIP services connect directly to emergency services through emergency
service numbers.
 VoIP providers may or may not offer directory assistance.
System administration Security: A security systems administrator handles all aspects of
information security and protects the virtual data resources of a company. This function
provides for secure administration of the enterprise infrastructure and of the security
infrastructure.
Secure system administration is the foundation for enterprise security measures.
Reasons for targeting system administration:
Consolidation in IT:
Nowadays a system administrator controls thousands of computers, often from a single
console.
System administration security is poor:
Systems administration technology is relatively immature, with few built-in checks and
balances to detect malicious activity or to prevent it in the first place.
System administration Goals and Objectives:
Goal: To protect the enterprise's administrative channels from being used by an adversary.
Objectives:
 Preventive: make it harder for attackers to get system control.
 Detective: detect attacks on system administration channels, or malicious systems
administration activity, when it occurs.
 Forensic: create detailed audit logs of all privileged systems administration
activities.
SA: Threat Vectors (the aim is to keep attackers from conducting malicious systems
administration activities in the enterprise):
 Compromise the credentials of a system administrator
 Compromise the computer of a system administrator
 Compromise the computing infrastructure (virtualization, storage etc.) and use its
computing capabilities to take control of systems
 Compromise the systems administration infrastructure (computer management, patch
management or other systems) to take control of the enterprise
 Compromise monitoring systems that have administrative access
 Use local computer administrative accounts to move from one personal computer
to another with administrative rights
SA: Capabilities: SA capabilities help to
 Isolate command and control networks and protocols
 Provide cryptographic protection for systems administration
 Allow for auditing of systems administration activities to detect attacks
In this functional area, it is good to have redundancy in protection.
 For example, using network isolation along with strong authentication helps ensure
that the breach of one protection mechanism alone will not be disastrous.
SA capabilities:
 Bastion hosts
 Out-of-Band (OOB) management
 Network isolation
 Integrated Lights-Out (ILO), Keyboard Video Mouse (KVM), and power controls
 Virtualization and Storage Area Network (SAN) management
 Segregation of administration from services
 Multi-factor authentication for Systems Administrators (SAs)
 Administrator audit trail(s)
 Command logging and analytics
Network Security:
Purpose: To protect the enterprise network from unauthorized access.
It needs to be considered in terms of the following security controls:
 Preventive controls (firewalls, and separating sections of the network from each other)
 Detective controls (detecting attacker activity that cannot be blocked)
 Monitoring controls (capturing activity that is fed into correlation engines that
support forensics)
NS: Goals and Objectives:
Block malicious traffic, Monitor and analyze network traffic, Log information about network
traffic.
NS: Threat Vectors:
 Attackers enter the enterprise through outbound network connections from servers
or clients on the internal network.
 Attackers enter the enterprise through the network connections of Internet-facing
servers.
 Attackers use internal networks to move laterally between computers inside the
enterprise.
 Attackers use enterprise networks to extract data and remove it from the enterprise.
 Attackers take control of network infrastructure components and then leverage
them to gain entry to the enterprise or to bypass other security measures.
NS: Capabilities:
Switches and routers, Software Defined Networking (SDN), Domain Name System (DNS) and
Dynamic Host Configuration Protocol (DHCP), Network Time Protocol (NTP), Network
service management, Firewall and virtual machine firewall, Network Intrusion
Detection/Network Intrusion Prevention System (IDS/IPS), Wireless networking (Wi-Fi),
Packet intercept and capture, Secure Sockets Layer (SSL) intercept, Network Access Control
(NAC), Virtual Private Networking (VPN) and Internet Protocol Security (IPSec), Network
Traffic Analysis (NTA)
Application Security:
Application security involves security measures that are specific to certain applications or
protocols running over the network.
By this simple definition, application security technologies and capabilities include

 e-mail security
 application-aware firewall features
 database gateways
 forward web proxies.
Application security operates alongside network security.
AS: Goal and objectives:
Goal: to protect the enterprise applications from misuse or attack.
Objectives:
 The preventive objective is to block exploitation of applications and application
communications protocols for malicious use.
 The detective objective is to detect compromises of applications and attempts to
exploit them for malicious purposes.
 The forensic objective is to log data about application activity that can be used for
audits and investigations of incidents.
 The audit objective is for auditors to be able to collect evidence and artifacts that
suggest that applications are safe and not being used or manipulated by attackers.
AS: Threat Vectors:
 Initial entry by leveraging e-mail to send malicious messages to users, in order to gain
control of end-user computers, servers or mobile devices.
 Leveraging vulnerabilities in web browsers and web plug-ins to gain control.
 Exploiting vulnerabilities in enterprise server applications to gain control.
 Finding and then exploiting a software flaw introduced during the development of an
application, to gain control.
AS: Capabilities:
E-mail security, Web-shell detection, Application firewalls, Database firewalls, Forward
proxy and web filters, Reverse proxy, Data Leakage Protection (DLP), Secure application and
database software development, Software code vulnerability analysis (including source code
verification and bug tracking).
Cryptography & Network Security:
Foundations:
Internet Protocol: IP packets have no inherent security. There is no way to verify that:
 The claimed sender is the true sender
 The data has not been modified in transit
 The data has not been viewed by a third party
IPsec provides an automated solution for these three areas:
 Authentication
 Integrity
 Confidentiality
Internet Protocol Security:
IP security (IPsec) is an Internet Engineering Task Force (IETF) standard suite of protocols
between two communication points across an IP network that provides data authentication,
integrity, and confidentiality. It also defines how packets are encrypted, decrypted and
authenticated. The protocols needed for secure key exchange and key management are
defined in it.
IP security Overview:
In 1994, the IAB report “Security in the Internet Architecture” identified key areas for
security mechanisms:
 Secure the network infrastructure against unauthorized monitoring and unauthorized
control of network traffic
 Secure end-user-to-end-user traffic
Uses/Applications of IP Security:
 To encrypt application layer data.
 To provide security for routers sending routing data across the public Internet.
 To provide authentication without encryption, e.g. to authenticate that the data
originates from a known sender.
 To protect network data by setting up circuits using IPsec tunneling, in which all data
sent between the two endpoints is encrypted, as with a Virtual Private Network (VPN)
connection.
Examples of IPsec:
 Secure branch office connectivity over the Internet
 Secure remote access over the Internet
 Establishing extranet and intranet connectivity with partners
 Enhancing electronic commerce security
Benefits of IPSec:
 IPsec in a firewall/router provides strong security to all traffic crossing the perimeter
 IPsec in a firewall/router is resistant to bypass
 IPsec can be transparent to end users
 IPsec can provide security for individual users
 IPsec secures the routing architecture
IP Security Architecture:
• The specification is quite complex, with the following groups of documents:
• Architecture: RFC 4301, Security Architecture for the Internet Protocol
• Authentication Header (AH): RFC 4302, IP Authentication Header
• Encapsulating Security Payload (ESP): RFC 4303, IP Encapsulating Security Payload (ESP)
• Internet Key Exchange (IKE): RFC 4306, Internet Key Exchange (IKEv2) Protocol
• Cryptographic algorithms
• Other
IPSec Services:
 Access control
 Connectionless integrity
 Data origin authentication
 Rejection of replayed packets (a form of partial sequence integrity)
 Confidentiality (encryption)
 Limited traffic flow confidentiality
Transport and Tunnel Modes:
Transport Mode: encrypts and optionally authenticates the IP payload; an observer can still
do traffic analysis, but the mode is efficient; good for ESP host-to-host traffic.
Tunnel Mode: encrypts the entire IP packet and adds a new outer header for the next hop;
no router on the way can examine the inner IP header; good for VPNs and gateway-to-gateway
security.
Security Associations (IPsec):
• a one-way relationship between sender and receiver that affords security services to
the traffic carried on it
• uniquely identified by 3 parameters:
• Security Parameters Index (SPI)
• IP Destination Address
• Security Protocol Identifier (AH or ESP)
• has a number of other parameters: sequence number, AH and ESP information,
lifetime, etc.
• each party keeps a database of Security Associations
Encapsulating Security Payload (ESP):
 provides message content confidentiality, data origin authentication, connectionless
integrity, an anti-replay service, and limited traffic flow confidentiality
 the services provided depend on the options selected when the Security Association
(SA) is established and on the network location
 can use a variety of encryption and authentication algorithms
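An added example, not taken from the notes, of two things just described: an inbound Security Association database keyed by (SPI, destination address, protocol), and the ESP anti-replay service implemented as a sliding bitmap window over the sequence number in the order RFC 4303 prescribes (window check first, ICV verification, and only then the window update). The packets are constructed sample records, and the 64-packet window and the packet lifetime are assumed values.

```python
from dataclasses import dataclass

WINDOW_SIZE = 64                    # bits; RFC 4303 requires at least 32
WINDOW_MASK = (1 << WINDOW_SIZE) - 1


@dataclass
class SecurityAssociation:
    """Inbound SA state needed for the anti-replay check."""
    spi: int
    dst: str
    protocol: str                   # "ESP" or "AH"
    highest_seq: int = 0            # right edge of the window
    window: int = 0                 # bit i set => seq highest_seq - i was received
    lifetime_packets: int = 1_000_000  # assumed soft lifetime: rekey after this
    packets_seen: int = 0

    def _window_status(self, seq: int) -> str:
        """Classify seq against the window without changing any state."""
        if seq == 0:
            return "invalid"        # 0 is never a valid sequence number
        if seq > self.highest_seq:
            return "new"            # right of the window: always fresh
        diff = self.highest_seq - seq
        if diff >= WINDOW_SIZE:
            return "too-old"        # left of the window
        if self.window & (1 << diff):
            return "replay"         # already received
        return "in-window"

    def _mark_received(self, seq: int) -> None:
        """Advance or fill the window; only called once the ICV has verified."""
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            self.window = (self.window << shift) & WINDOW_MASK if shift < WINDOW_SIZE else 0
            self.window |= 1
            self.highest_seq = seq
        else:
            self.window |= 1 << (self.highest_seq - seq)
        self.packets_seen += 1

    def accept(self, seq: int, icv_ok: bool) -> str:
        """Inbound decision in RFC 4303 order: lifetime, window check, then ICV."""
        if self.packets_seen >= self.lifetime_packets:
            return "expired"        # SA must be rekeyed before more traffic
        status = self._window_status(seq)
        if status not in ("new", "in-window"):
            return status
        if not icv_ok:
            return "bad-icv"        # a forged packet must not move the window
        self._mark_received(seq)
        return "accepted"


def process_inbound(sad: dict, packets: list) -> list:
    """Return a verdict per packet; sad maps (SPI, dst, protocol) to the inbound SA."""
    verdicts = []
    for p in packets:
        sa = sad.get((p["spi"], p["dst"], p["proto"]))   # no SA: discard and audit
        verdicts.append("no-sa" if sa is None else sa.accept(p["seq"], p["icv_ok"]))
    return verdicts


def run_sample() -> list:
    """Constructed traffic: one SA (SPI 0x1001, ESP) plus a packet with no SA."""
    sa = SecurityAssociation(spi=0x1001, dst="198.51.100.7", protocol="ESP")
    sad = {(sa.spi, sa.dst, sa.protocol): sa}
    seqs = [(1, True), (2, True), (3, True), (5, True), (4, True), (3, True),
            (70, True), (5, True), (7, True), (8, False), (8, True)]
    packets = [{"spi": 0x1001, "dst": "198.51.100.7", "proto": "ESP", "seq": s,
                "icv_ok": ok} for s, ok in seqs]
    packets.append({"spi": 0x2002, "dst": "198.51.100.7", "proto": "ESP", "seq": 1,
                    "icv_ok": True})
    return process_inbound(sad, packets)
```

In the sample, seq 4 arriving after 5 is accepted (out of order is fine), the second seq 3 is a replay, seq 5 after seq 70 has fallen off the left of the window, and the packet with a bad ICV leaves the window untouched so the genuine seq 8 is still accepted.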
Encryption & Authentication Algorithms & Padding:
• ESP can encrypt the payload data, padding, pad length, and next header fields
• if needed, an IV is placed at the start of the payload data
• ESP can carry an optional ICV for integrity, which is computed after encryption is
performed
• ESP uses padding:
• to expand the plaintext to the required length
• to align the pad length and next header fields
• to provide partial traffic flow confidentiality
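As an added example (not from the notes), the Python below builds and strips the region of the ESP packet described above: it pads the plaintext so that payload, padding, pad length and next header together fill whole cipher blocks and end on a 4-byte boundary, optionally adds traffic-flow-confidentiality padding, and on receipt checks the padding pattern before trusting the next-header value. The payloads are constructed and the block sizes are parameters; the 1, 2, 3, ... padding content is the default RFC 4303 gives when the cipher does not dictate one.

```python
from math import lcm


def build_esp_plaintext(payload: bytes, next_header: int, block_size: int,
                        tfc_pad_len: int = 0) -> bytes:
    """Return the region ESP encrypts: payload | TFC pad | padding | pad len | next hdr.

    The length must be a multiple of the cipher block size, and the pad length
    and next header bytes must end on a 4-byte boundary.
    """
    if not 0 <= next_header <= 255:
        raise ValueError("next header is a one-byte IP protocol number")
    # Traffic flow confidentiality padding sits inside the payload; the receiver
    # discards it using the length field of the inner packet, not the pad length.
    payload = payload + b"\x00" * tfc_pad_len
    unit = lcm(block_size, 4)
    pad_len = (-(len(payload) + 2)) % unit
    if pad_len > 255:
        raise ValueError("padding cannot exceed 255 bytes")
    padding = bytes(range(1, pad_len + 1))      # default content: 1, 2, 3, ...
    return payload + padding + bytes([pad_len, next_header])


def strip_esp_plaintext(plaintext: bytes) -> tuple:
    """Undo build_esp_plaintext after decryption; return (payload, next_header).

    Rejects a trailer whose padding pattern or length is inconsistent, so a
    corrupted or mis-decrypted packet is dropped rather than parsed further.
    """
    if len(plaintext) < 2:
        raise ValueError("truncated ESP plaintext")
    pad_len, next_header = plaintext[-2], plaintext[-1]
    body = plaintext[:-2]
    if pad_len > len(body):
        raise ValueError("pad length exceeds payload")
    padding = body[len(body) - pad_len:]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("padding bytes do not match the expected pattern")
    return body[:len(body) - pad_len], next_header


def is_valid_esp_plaintext(plaintext: bytes) -> bool:
    """True when the trailer parses cleanly; False for any malformed trailer."""
    try:
        strip_esp_plaintext(plaintext)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: an 11-byte payload carrying TCP (protocol 6), AES-sized blocks.
    pt = build_esp_plaintext(b"hello world", 6, 16)
    print(len(pt), pt.hex(), strip_esp_plaintext(pt))
```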
Combining Security Associations:
• an SA can implement either AH or ESP
• to implement both, SAs need to be combined to form a security association bundle
• the SAs in a bundle may terminate at different or the same endpoints
• they are combined by transport adjacency or by iterated tunneling
• combining authentication and encryption: ESP with authentication, bundled inner ESP and
outer AH, or bundled inner transport and outer ESP
IPSec Key Management:
• handles key generation and distribution
• typically needs 2 pairs of keys: 2 per direction, for AH and ESP
• manual key management: the sysadmin manually configures every system
• automated key management: an automated system for on-demand creation of keys for SAs
in large systems; it has Oakley and ISAKMP elements
Internet Security Association and Key Management Protocol:
Internet Security Association and Key Management Protocol (ISAKMP) is used for
negotiating, establishing, modifying and deleting SAs and related parameters.
It defines the procedures and packet formats for peer authentication, creation and
management of SAs, and techniques for key generation. It also includes mechanisms that
mitigate certain threats, e.g. Denial of Service (DoS), and anti-replay protection.
In ISAKMP, SA and key management are separate from any key exchange protocol; so, in a
sense, ISAKMP is an "abstract" protocol: it provides a framework for authentication and key
management and supports many actual key exchange protocols (e.g., IKE). ISAKMP defines
header and payload formats, but needs an instantiation to a specific set of protocols.
Such an instantiation is denoted as the ISAKMP Domain Of Interpretation (DOI): an example
of this for IPsec/IKE is the IPsec DOI [RFC2407].
 provides a framework for key management
 defines procedures and packet formats to establish, negotiate, modify, and delete SAs
 independent of the key exchange protocol, encryption algorithm, and authentication method
 IKEv2 no longer uses the Oakley and ISAKMP terms, but the basic functionality is the same
INFORMATION SECURITY MANAGEMENT SYSTEM: (ISO/IEC 27001:2005)
ISO/IEC 27001 is an international standard on how to manage information security. The
standard was originally published jointly by the International Organization for
Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005 and
then revised in 2013.
It details requirements for establishing, implementing, maintaining and continually
improving an information security management system (ISMS), the aim of which is to help
organizations make the information assets they hold more secure.
History of ISO/IEC 27001 Standard:
1992: The Department of Trade and Industry (DTI), which is part of the UK Government,
publishes a 'Code of Practice for Information Security Management'.

1995: This document is amended and re-published by the British Standards Institute (BSI) in
1995 as BS7799.

2000: In December, BS7799 is again re-published, this time as a fast-tracked ISO standard. It
becomes ISO 17799 (or more formally, ISO/IEC 17799).

2005: A new version of ISO 17799 is published. This includes two new sections, and closer
alignment with BS7799-2 processes.

2005: The latest version of the ISMS standard is known as ISO/IEC 27001:2005

27000 Series of Standards:

Published standards

ISO/IEC 27001 - Certification standard against which organizations' ISMS may be certified
(published in 2005)

ISO/IEC 27002 - The re-naming of the existing standard ISO 17799 (last revised in 2005, and
renumbered ISO/IEC 27002:2005 in July 2007)

ISO/IEC 27006 - Guide to the certification/registration process (published in 2007)

In preparation

ISO/IEC 27000 - Vocabulary for the ISMS standards

ISO/IEC 27003 - ISMS implementation guide

ISO/IEC 27004 - Standard for information security management measurements

ISO/IEC 27005 - Standard for risk management

ISO/IEC 27007 - Guideline for auditing information security management systems

ISO/IEC 27011 - Guideline for telecommunications in information security management
systems

ISO/IEC 27799 - Guidance on implementing ISO/IEC 27002 in the healthcare industry.

What is Information?

Information comprises the meanings and interpretations that people place upon the facts
and Data. The value of the information springs from the ways it is interpreted and applied to
make products, to provide services, and so on.

Why Information Security Is Very Important?

 Reducing the risk of data breaches and attacks in IT systems.
 Applying security controls to prevent unauthorized access to sensitive information.
 Preventing disruption of services, e.g., denial-of-service attacks.
 Protecting IT systems and networks from exploitation by outsiders.
 Keeping downtime to a minimum so productivity stays high.
 Ensuring business continuity through data protection of information assets.
 Providing peace of mind by keeping confidential information safe from security
threats.

Elements of Information Security:

Confidentiality: Making sure that those who should not see information cannot see it.

Integrity: Making sure that the information has not been changed from its original form.

Availability: Making sure that the information is available for use when you need it.

Authenticity: Authenticity refers to the characteristic of a communication, document, or any
data that ensures the quality of being genuine and uncorrupted. The major role of
authentication is to confirm that a user is genuine, i.e. the one he/she claims to be.

What is Information Security Management System?

Information Security Management is a process by which the value of each item of an
organization's information is assessed and, if appropriate, protected on an ongoing basis.

Building an Information Security Management System is achieved through the “systematic
assessment of the systems, technologies and media containing information, appraisal of the
loss of information, cost of security breaches, and development & deployment of counter
measures to threats.”

Put simply, an ISMS provides a platform on which an organization recognizes its most
valuable spots and builds armor-plating to protect them.
Structure of ISO/IEC 27001:2005:

The information security Management Program should include:
 Define Scope and Boundaries of the ISMS
 Define the Security Policy
 Define a Risk Assessment Approach of the Organization
 Identify the Information Assets and their Risks
 Analyze and Evaluate the Risks
 Identify and Evaluate options for Treatment of Risk
 Select Control Objectives and Controls for treating Risks (Annexure A)
 Formulate Risk Treatment Plan and Implement the RTP
 Implement Controls to meet Control Objectives
 Define how to measure the effectiveness of the Controls

Benefits of ISO/IEC 27001:

 Identify critical assets via the Business Risk Assessment
 Improved understanding of business aspects
 Provide a structure for continuous improvement
 Be a confidence factor internally as well as externally
 Systematic approach
 Ensure that ”knowledge capital” will be ”stored” in a business management system
 Reductions in adverse publicity
 Reductions in security breaches and/or claims

Control Objectives:

Security policy: To provide management direction and support for information security in
accordance with business requirements and relevant laws and regulations: Information
security policy document, Review of the information security policy.
Organization of Information Security (Internal):
To manage information security within the organization:
 Management commitment to information security
 Information security co-ordination
 Allocation of information security responsibilities
 Authorization process for information processing facilities
 Confidentiality agreements
 Contact with authorities
 Independent review of information security
External Parties:
To maintain the security of organizational information and information processing facilities
that are accessed, processed, communicated to, or managed by external parties:
Identification of risks related to external parties, Addressing security when dealing with
customers, Addressing security in third party agreements.
Asset Management:
Responsibility of Assets
To achieve and maintain appropriate protection of organizational assets: Inventory of
assets, Ownership of assets, and Acceptable use of assets.
Information classification
To ensure that information receives an appropriate level of protection: Classification
guidelines, Information labeling and handling.
Human Resource Security:
Prior to employment
To ensure that employees, contractors and third party users understand their
responsibilities and are suitable for the roles they are considered for, and to reduce the risk
of theft, fraud or misuse of facilities.
During employment
To ensure that all employees, contractors and third party users are aware of information
security threats and concerns and of their responsibilities and liabilities, and are equipped to
support the organizational security policy in the course of their normal work, and to reduce
the risk of human error.

Termination or change of employment
To ensure that employees, contractors and third party users exit an organization or change
employment in an orderly manner: Termination responsibilities, Return of assets, Removal of
access rights.