Ics Book 1

Uploaded by thomas emily

280 pages
Information and Cyber Security (Code : 410251)
Semester VIII - Computer Engineering (Savitribai Phule Pune University)

Pravin Goyal

TechKnowledge Publications (Book Code : PE6SA)
Price : Rs. 240/-
(Copyright No. - 3673/2019-CO/L & 8811/2019-CO/L)

Copyright © by Author. All rights reserved. No part of this publication may be reproduced, copied, or stored in a retrieval system, distributed or transmitted in any form or by any means, including photocopy, recording, or other electronic or mechanical methods, without the prior written permission of the publisher.

This book is sold subject to the condition that it shall not, by way of trade or otherwise, be lent, resold, hired out, or otherwise circulated without the publisher's prior written consent in any form of binding or cover other than that in which it is published, and without a similar condition including this condition being imposed on the subsequent purchaser, and without limiting the rights under copyright reserved above.

First Edition : December 2019 (TechKnowledge Publications)

This edition is for sale in India, Bangladesh, Bhutan, Maldives, Nepal, Pakistan, Sri Lanka and designated countries in South-East Asia. Sale and purchase of this book outside of these countries is unauthorized by the publisher.

Printed at : 37/2, Ashtvinayak Industrial Estate, Near Pari Company, Narhe, Pune 411041, Maharashtra State, India

ISBN : 978-93-89748-22-2
Copyright Application Number : 3673/2019-CO/L & 8811/2019-CO/L

Published by : TechKnowledge Publications
Head Office : B/5, First Floor, Maniratna Complex, Taware Colony, Aranyeshwar Corner, Pune - 411 009, Maharashtra State, India
Ph : 91-20-24221234, 91-20-24225678
Email : [email protected]
Website : www.techknowledgebooks.com
We dedicate this publication soulfully and wholeheartedly, in loving memory of our beloved founder director, Late Shri. Pradeepsheth Lalchandji Lunawat, who will always be an inspiration, a positive force and strong support behind us.

Lt. Shri. Pradeepji L. Lunawat
Soulful Tribute and Gratitude for all Your Sacrifices, Hardwork and 40 years of Strong Vision...

Dedicated to .... Krishna, the Greatest Almighty

My Dear Students,

I am extremely happy to come out with this book on "Information and Cyber Security" for you. The topics within the chapters have been arranged in a proper sequence to ensure smooth flow of the subject.

I present this book in the loving memory of Late Shri. Pradeepji Lunawat, our source of inspiration and a strong foundation of "TechKnowledge Publications". He will always be remembered in our hearts and motivate us to achieve our milestones.

I am thankful to Shri. J. S. Katre, Shri. Shital Bhandari, Shri. Arunoday Kumar and Shri. Chandroday Kumar for the encouragement and support that they have extended. I am also thankful to the staff members of TechKnowledge Publications and others for their efforts to make this book as good as it is.

I have jointly made every possible effort to eliminate all the errors in this book. However, if you find any, please let me know, because that will help me to improve further. I am also thankful to my family members and friends for their patience and encouragement.

Syllabus
Savitribai Phule Pune University
Fourth Year of Computer Engineering (2015 Course)
Course Code : 410251
Course Name : Information and Cyber Security
Teaching Scheme : TH : 03 Hours/Week, Credits : 03
Examination Scheme : In-Sem (Paper) : 30 Marks, End-Sem (Paper) : 70 Marks
Prerequisites : 310245 - Computer Networks
Course Objectives :
- To offer an understanding of principle concepts, central topics and basic approaches in information and cyber security.
- To know the basics of cryptography.
- To acquire knowledge of standard algorithms and protocols employed to provide confidentiality, integrity and authenticity.
- To enhance awareness about Personally Identifiable Information (PII), Information Management, cyber forensics.

Course Outcomes : On completion of the course, the student will be able to :
- Gauge the security protections and limitations provided by today's technology.
- Identify information security and cyber security threats.
- Analyze threats in order to protect or defend in cyberspace from cyber-attacks.
- Build appropriate security solutions against cyber-attacks.

Course Contents

Unit I : Security Basics
Introduction, Elements of Information Security, Security Policy, Techniques, Steps, Categories, Operational Model of Network Security, Basic Terminologies in Network Security, Threats and Vulnerability, Difference between Security and Privacy. (Refer Chapter 1)

Unit II : Data Encryption Techniques And Standards
Introduction, Encryption Methods: Symmetric, Asymmetric, Cryptography, Substitution Ciphers, Transposition Ciphers, Steganography applications and limitations, Block Ciphers and methods of operations, Feistel Cipher, Data Encryption Standard (DES), Triple DES, DES Design Criteria, Weak Keys in DES Algorithms, Advanced Encryption Standard (AES). (Refer Chapter 2)

Unit III : Public Key and Management
Public Key Cryptography, RSA Algorithm: Working, Key length, Security, Key Distribution, Diffie-Hellman Key Exchange, Elliptic Curve: Arithmetic, Cryptography, Security, Authentication methods, Message Digest, Kerberos, Digital Signatures: Implementation, Algorithms, Standards (DSS), Authentication Protocol.
(Refer Chapter 3)

Unit IV : Security Requirements
IP Security: Introduction, Architecture, IPv6, IPv4, IPSec protocols and Operations, AH Protocol, ESP Protocol, ISAKMP Protocol, Oakley Key Determination Protocol, VPN. Web Security: Introduction, Secure Socket Layer (SSL), SSL Session and Connection, SSL Record Protocol, Change Cipher Spec Protocol, Alert Protocol, Handshake Protocol. Electronic Mail Security: Introduction, Pretty Good Privacy, MIME, S/MIME, Comparison. Secure Electronic Transaction (SET). (Refer Chapter 4)

Unit V : Firewall and Intrusion
Introduction, Computer Intrusions. Firewall Introduction, Characteristics and types, Benefits and limitations. Firewall architecture, Trusted Systems, Access Control. Intrusion detection, IDS: Need, Methods, Types of IDS, Password Management, Limitations and Challenges. (Refer Chapter 5)

Unit VI : Confidentiality And Cyber Forensic
Introduction to Personally Identifiable Information (PII), Cyber Stalking, PII impact levels with examples, Cyber Stalking, Cybercrime, PII Confidentiality Safeguards, Information Protection Law: Indian Perspective. (Refer Chapter 6)

Table of Contents

UNIT I
Chapter 1 : Security Basics (1-1 to 1-30)
Syllabus : Introduction, Elements of Information Security, Security Policy, Techniques, Steps, Categories, Operational Model of Network Security, Basic Terminologies in Network Security, Threats and Vulnerability, Difference between Security and Privacy.
1.1 Concept Building - Security - What is it really?
1.2 Elements of Information Security
1.3 Basic Terminologies in Network Security (OSI Model)
1.3.1 The OSI Security Architecture
1.3.2 Categories of Security Services
1.4 Security Techniques / Steps / Mechanisms
1.4.1 Placement of Security Services and Mechanisms
1.5 Operational Model of Network Security (Network Security Model)
1.6 Security Threats and Vulnerabilities
1.6.1 Security Threats
1.6.1(A) Comparison between Security Threats
1.6.2 (title not legible)
1.6.3 STRIDE Model
1.7 Security Attacks
1.7.1 Active Attacks
1.7.2 Passive Attacks
1.7.3 Comparison between Active and Passive Attacks
1.8 Security Policy
1.8.1 Characteristics of Policies
1.8.2 Types of Policies
1.8.3 Policy Implementation

UNIT II
Chapter 2 : Data Encryption Techniques and Standards (2-1 to 2-46)
Syllabus : Introduction, Encryption Methods: Symmetric, Asymmetric, Cryptography, Substitution Ciphers, Transposition Ciphers, Steganography applications and limitations, Block Ciphers and methods of operations, Feistel Cipher, Data Encryption Standard (DES), Triple DES, DES Design Criteria, Weak Keys in DES Algorithms, Advanced Encryption Standard (AES).
2.1 Concept Building - Information Secrecy
2.2 Introduction to Cryptography
2.3 Classical Encryption Techniques
2.3.1 Substitution
2.3.1(A) Difference between Monoalphabetic and Polyalphabetic Ciphers
2.3.2 Transposition
2.4 Rotor Machines
2.5 Steganography
2.6 Methods of Encryption
2.6.1 Symmetric Key Encryption
2.6.2 Asymmetric Key Encryption
2.6.3 Comparison between Symmetric and Asymmetric Keys
2.7 Types of Symmetric Algorithms (Ciphers)
2.7.1 Block Ciphers
2.7.2 Stream Ciphers
2.7.3 Comparison between Block and Stream Cipher
2.8 Data Encryption Standard (DES)
2.8.1 Block Cipher Design Principles (DES Design Criteria)
2.8.2 Block Diagram and Internals of DES
2.8.3 Block Cipher - Modes of Operation (for DES and other Block Ciphers in General)
2.8.4 Comparison between Modes of Operation
2.8.5 Weakness in DES
2.8.6 Double DES
2.8.7 3DES or Triple DES
2.9 Advanced Encryption Standard (AES)
2.9.1 Block Diagram and Internals of AES
2.9.2 Comparison between DES and AES
2.10 Attacks on Cryptosystems
2.10.1 Comparison between Differential and Linear Cryptanalysis

UNIT III
Chapter 3 : Public Key and Management (3-1 to 3-56)
Syllabus : Public Key Cryptography, RSA Algorithm: Working, Key length, Security, Key Distribution, Diffie-Hellman Key Exchange, Elliptic Curve: Arithmetic, Cryptography, Security, Authentication methods, Message Digest, Kerberos, X.509 Authentication service, Digital Signatures: Implementation, Algorithms, Standards (DSS), Authentication Protocol.
3.1 Modular Arithmetic
3.1.1 Congruence Property
3.2 Arithmetic in Cryptography
3.2.1 Euclid's or Euclidean Algorithm
3.2.2 Extended Euclidean Algorithm
3.2.3 Multiplicative Inverse using Extended Euclidean Algorithm
3.2.4 Chinese Remainder Theorem
3.2.5 Fermat's Theorem
3.2.6 Euler's Theorem
3.3 Public Key Cryptography
3.3.1 Principles of Public Key Cryptosystems
3.4 RSA
3.4.1 Attacks on RSA
3.5 Diffie-Hellman Key Exchange Algorithm
3.6 Elliptic Curve Arithmetic and Cryptography
3.6.1 How does it work?
3.7 ElGamal Curve Arithmetic and Cryptography
3.8 Concept Building - Information Accuracy
3.9 Message Authentication Methods (Functions)
3.9.1 Cryptographic Hash Functions
3.10 MAC (Message Authentication Code)
3.11 Digital Signature
3.11.1 How does this work?
3.11.2 Properties of Digital Signature
3.11.3 X.509 Certificate
3.11.4 Digital Signature Schemes
3.11.5 Digital Signature Standard (DSS)
3.11.6 Digital Signature Algorithm (DSA)
3.12 Kerberos
3.13 Needham-Schroeder Authentication Protocol
3.13.1 The Needham-Schroeder Symmetric Key Based Authentication Protocol
3.13.2 The Needham-Schroeder Asymmetric Key Based Authentication Protocol

UNIT IV
Chapter 4 : Security Requirements (4-1 to 4-29)
Syllabus : IP Security: Introduction, Architecture, IPv6, IPv4, IPSec protocols and Operations, AH Protocol, ESP Protocol, ISAKMP Protocol, Oakley Key Determination Protocol, VPN. Web Security: Introduction, Secure Socket Layer (SSL), SSL Session and Connection, SSL Record Protocol, Change Cipher Spec Protocol, Alert Protocol, Handshake Protocol. Electronic Mail Security: Introduction, Pretty Good Privacy, MIME, S/MIME, Comparison. Secure Electronic Transaction (SET).
4.1 IP Security
4.1.1 IPv4
4.1.2 IPv6
4.1.3 Internet Protocol Security (IPSec)
4.1.4 Authentication Header (AH)
4.1.5 Encapsulating Security Payload (ESP)
4.1.6 Internet Security Association and Key Management Protocol (ISAKMP)
4.1.7 Internet Key Exchange (IKE)
4.1.8 OAKLEY Key Determination Protocol
4.2 VPN
4.2.1 Types of VPN
4.2.2 Challenges of using VPN
4.3 Web Security
4.4 (title not legible)
4.4.1 Overview of SSL Protocol
4.4.1(A) Session and Connection States
4.4.1(B) SSL Record Layer Protocol
4.4.1(C) SSL Change Cipher Spec Protocol
4.4.1(D) SSL Alert Protocol
4.4.1(E) (title not legible)
4.4.2 Transport Layer Security (TLS)
4.5 HTTPS
4.5.1 Comparison between HTTP and HTTPS
4.5.2 Motivation and Benefits of using HTTPS
4.5.3 Format, Port Number and Representation
4.6 Secure Electronic Transactions (SET)
4.7 Email Security
4.7.1 Pretty Good Privacy (PGP)
4.7.1(A) Web of Trust
4.7.1(B) PGP Services
4.7.1(C) PGP Algorithms
4.7.2 (title not legible)
4.7.3 S/MIME
4.7.3(A) S/MIME Services
4.7.3(B) S/MIME Algorithms
4.7.3(C) S/MIME Cryptographic Message Syntax (CMS)
4.7.3(D) Comparison between PGP and S/MIME

UNIT V
Chapter 5 : Firewall and Intrusion (5-1 to 5-59)
Syllabus : Introduction, Computer Intrusions. Firewall Introduction, Characteristics and types, Benefits and limitations. Firewall architecture, Trusted Systems, Access Control. Intrusion detection, IDS: Need, Methods, Types of IDS, Password Management, Limitations and Challenges.
5.1 Firewalls
5.1.1 Classification of Firewalls
5.1.2 Challenges in Managing and Deploying Firewalls
5.2 Computer Intrusion and Intrusion Detection Systems (IDS)
5.2.1 Introduction
5.2.2 Need for IDS
5.2.3 Types of IDS
5.2.4 Limitations and Challenges of IDS
5.3 Access Control
5.4 Trusted Systems
5.4.1 Bell-LaPadula (BLP) Model
5.4.2 Biba Model
5.5 Authentication Methods
5.5.1 Introductory Concepts
5.5.2 Types of Authentication Methods
5.5.3 Comparison between Authentication Types
5.5.4 Factors of Authentication
5.5.5 Password Based Authentication
5.5.6 Password Selection Criteria (Quality Guidelines)
5.5.7 Storing Passwords on System
5.5.8 Attacks, Limitations and Challenges on Password Based Authentication
5.5.9 Token Based Authentication
5.5.10 (title not legible)
5.5.10(A) Components of Biometric Systems
5.5.10(B) Operating Biometric Systems
5.5.10(C) Accuracy of Biometric Systems
5.5.10(D) Types of Biometric Systems

UNIT VI
Chapter 6 : Confidentiality and Cyber Forensic (6-1 to 6-48)
Syllabus : Introduction to Personally Identifiable Information (PII), Cyber Stalking, PII impact levels with examples, Cyber Stalking, Cybercrime, PII Confidentiality Safeguards, Information Protection Law: Indian Perspective.
6.1 (title not legible)
6.2 Introduction to Personally Identifiable Information (PII)
6.2.1 Privacy (rest of title not legible)
6.3 Concept Building - Privacy Risk on the Web
6.4 (title not legible)
6.5 PII Confidentiality Safeguards
6.5.1 Difference between Security and Privacy
6.6 Concept Building - Privacy Laws Around the World
6.7 Cybercrime
6.7.1 Introduction, Definition and Origin
6.7.2 Cybercrime and Information Security
6.7.3 Categories of Cybercrimes
6.7.4 Classification of Cybercrimes
6.7.5 The Legal Perspectives of Cybercrimes
6.7.5(A) The Indian Perspective
6.7.5(B) The Global Perspective
6.8 Cyberstalking
6.8.1 Cyberstalking Harassment
6.8.2 Types of Stalkers
6.8.3 How cyberstalking works?
6.8.4 How to safeguard yourself from stalking?
6.8.5 Provision in the Indian Jurisdiction for Stalking
6.9 Phases of Cyber Forensics

A Note to Readers From The Author

Dear Readers,

Thank you for choosing to read this book to learn about the fascinating world of Information and Cybersecurity. I welcome and appreciate your decision.

Cybersecurity involves several key concepts that are crucial for your understanding and appreciating the depth of the subject. To make it easy for you to grasp the subject, I have carefully added some related reading material that, at times, you may not find listed directly in the course syllabus. Do not panic! These topics would make you exam ready as well as ready for the real world. Not having a solid understanding of these topics would make it very difficult for you to understand the listed course syllabus topics. So, read on and read all.

Also, if you are looking to build your career in the computer security domain, I would suggest that you retain this book for your future reference. This book is not written only to give you a pointed and limited understanding of the syllabus topics aimed at only passing the exam. This can be a good reference aid when you are actually on the job.

Finally, I hope you enjoy reading this book and build a strong foundation and understanding of the subject that is required for your success!

Thanks and regards,
Pravin Goyal
Chapter 1 : Security Basics

Syllabus : At the end of this unit, you should be able to understand and comprehend the following syllabus topics
- Introduction
- Elements of Information Security
- Basic Terminologies in Network Security
- Categories of Security Services
- Security Techniques / Steps / Mechanisms
- Operational Model of Network Security (Network Security Model)
- Threats and Vulnerability
- Security Policy
- Difference between Security and Privacy

1.1 Concept Building - Security - What is it really?

- Before we begin with understanding information security and its related concepts, let's talk. Let me ask you a question :
  "How do you manage your Debit Card and its PIN? Do you leave your Debit Card unattended and with PIN information available to everyone?"
  Your Response : (Laughingly) "Of course, not. I keep my Debit Card with me all the time and never share my PIN with anyone."
  My Response : "Oh, that's nice. But, why do you need to do that?"
  Your Response : "Because, I need to ensure that my money is safe, and no one takes it out except me. I don't trust everyone with my money these days, you know."
  My Response : "Got it. You are a security champion."
- If you followed our conversation, you already know what security is. Our job is easy now. Let us define some terms around our conversation above.

1. Assets : You were trying to protect your money, isn't it? It is called an Asset. Money is your Asset in our conversation that you were trying to protect.
   Definition : Assets are something that has value and is worth protecting.
   Security is all about ensuring that the assets are kept protected all the time, as much as possible within your capabilities or means.

2. Controls (or Countermeasures) : So, how did you actually safeguard your money? You didn't leave the Debit Card around and you memorised your PIN, isn't it?
   Definition : Any countermeasures or actions that you take to safeguard an asset are called Controls.
   So, in our conversation, you have put two controls in place to safeguard your money : the first is to keep your Debit Card with you and the second is to memorise your PIN. You are a security champion!

3. Threat : Hey, you told me that you don't trust everyone with your money, isn't it? That unknown "everyone" who can do harm to you or your asset is called a Threat. You knew there are threats around your money, and you protected it so well. You are a security champion.

4. Vulnerability : What if you left your Debit Card and PIN on the table for anyone to get hold of them and use? I hear you scream, "Come on, why would I do that to myself?" Exactly, you would not want to create a situation in which your assets can be harmed. This is precisely called addressing (or avoiding) a Vulnerability.
   Definition : Vulnerability is the weakness or lack of controls around assets.
   I am happy that you have put two good controls (keeping your Debit Card safe and memorizing your PIN) and you avoided the vulnerability around your money (asset).

5. Risk : So far, you would agree that leaving the Debit Card and PIN unattended poses a likelihood that someone might just grab them and use them.
   Definition : That likelihood of a harm occurring to an asset is called Risk.
   It is this Risk that you want to reduce by applying controls around your assets. Remember one thing here, Risk can NEVER be 0 (zero). Someone can steal your Debit Card from your wallet and force you at gunpoint to tell your PIN. The core thing that you need to ensure when dealing with Risk is "to reduce it to an acceptable level". Never aim to make anything (or any asset, more precisely speaking) risk free, because that's not possible, really.

6. Exposure : Someday, suppose you do accidentally leave your Debit Card behind and your PIN was known to someone; you could actually lose some or all of your money.
   That particular day, or rather that particular situation of you forgetting your Debit Card behind, could lead to an exposure.
   Definition : Exposure is an instance of being harmed.
   So, if you got exposed anytime, immediately change your PIN and take a lesson in security to always apply controls around assets so that you do not have future exposures. I am sure you won't have exposures because you are a security champion already, aren't you?

- Let's summarise the above terms in a simple block diagram as shown in Fig. 1.1.1. If you are feeling good about what we talked about so far, believe me, you have started your security journey on a high note. The several chapters and topics that you read in this book (howsoever complex or dry they look at first) are all written to help you effectively do just ONE thing : Safeguard your Assets.

Fig. 1.1.1 : Block diagram relating the terms above (a Threat exploits a weakness and may damage the asset; Risk leads to Exposure; Controls are applied to safeguard the asset)

- If you know what you are
  o trying to protect,
  o and from whom,
  o and how,
  you understand security. There is nothing else to learn.

1.2 Elements of Information Security

Q. List and explain various elements of Information Security. (May 19, 5 Marks)

- Now that you have a general understanding of security, let's set some context about Information Security. When we say information security, what exactly are we protecting? What is the asset? The asset here is "Information" or, more precisely, "Digital Information". The information could be about your Facebook user account, online bank account, OS password, email or pretty much anything that touches a computer system.
- There are 3 tenets (or pillars) of security :
  1. Confidentiality
  2. Integrity
  3. Availability
- These tenets in short are also called the CIA triad, or any other combination of the first letters of these words. These are also sometimes called goals of security.
- Let's dive deeper into each one of them.

1. Confidentiality
- Confidentiality can be defined as,
  Definition : An act of protecting information from unauthorised disclosure to an entity.
- It ensures that the protected information is kept secret throughout its lifetime and is made available only to the authorised entities as and when needed. The information should be
  o Protected at Rest : when stored on the disk
  o Protected in Motion : when transmitted over the network
  o Protected during Use : when being processed
- Remember our conversation about the Debit Card and PIN? How did you protect your PIN and provide confidentiality to it?
  o Protected at Rest : You didn't write it down. You kept it in your mind. No one could know or use it except you.
  o Protected in Motion : You physically moved to an ATM (carrying your mind and the protected PIN there) instead of revealing it to anyone.
  o Protected during Use : You watch out if someone is looking at your fingers as you punch the PIN on the ATM keyboard.
- In terms of digital information, confidentiality is enforced using several mechanisms :
  1. Encryption
  2. Access control
  3. Data classification
- We would be studying them in depth in later chapters.

2. Integrity
- Integrity can be defined as,
  Definition : An act of protecting information from unauthorised modification by an entity.
- It ensures that the information remains intact and no unauthorised entity can modify it. Any modification to the information is allowed only if the entity is authorised to do so. The integrity of the information needs to be maintained throughout its lifetime.
- For example, during criminal investigations, any evidence that you collect is protected from touching or any modification to ensure that the evidence can be used during court proceedings. If evidence is tampered with, it is not admissible in the court and cannot be used.
- Another example is email. If I send you an email and someone changes it before you read it, you might get wrong information, or it could be severely damaging to our relations.
- In terms of digital information, integrity is enforced using several mechanisms :
  1. Hashing
  2. Access control
  3. Data classification
  4. Input and output sanitization
- We would be studying them in depth in later chapters.

3. Availability
- Availability can be defined as follows.
- It ensures that the information is adequately protected to remain available when it is needed. Any unauthorised entity should not be able to destroy it. Also, the availability principle extends to any equipment such as computers, network devices and printers. These should be available and be able to perform as expected.
- If someone can get access to them and then prevent you from using them, that impacts the availability of the system for your use.
- For example, your Windows or Linux systems track all activities done on the system via log files. If I do some mischief around your computer and then delete the log files, you would have no way to prove that I did something to your computer. The availability of log files is crucial to ensure that the system is adequately monitored and protected from any security mishaps.
- Availability is generally enforced using several mechanisms :
  1. Access control
  2. Isolation
  3. Back up
  4. Disaster recovery
  5. Business continuity processes
- We would be studying them in depth in later chapters.
- Let's summarise the above 3 security principles with the help of the diagram shown in Fig. 1.2.1.

Fig. 1.2.1 : Confidentiality, Integrity and Availability (the threat shown against Integrity is Alteration)

Confidentiality, Integrity and Availability are the 3 core principles of security. Ensuring that you understand the objectives behind these principles is crucial to your success in the information and cybersecurity domain.
4. Identification
- Identification (in short, ID) is defined as,
  Definition : A way to claim an entity's presence with respect to the process being carried out.
- This means that during a process, your presence (or your consent) is ascertained (or established).
- For example, when you try to login to your Facebook account, you provide your Email or Phone number to establish your presence during the login process.
- There are several other forms of identification that we use today, such as Aadhar Card, PAN Card, Voter ID, Debit Card, Admit Card, etc. All of these identification methods bring a sense of credibility that you are present, or that you give your consent to complete a particular process.

5. Authentication
- Authentication is defined as,
  Definition : A way to ensure that the entity is indeed what it claims to be.
- This means that proving just the ID is not enough. You must additionally prove that the ID belongs to you. For example, even if I know your Facebook email address or phone, I cannot login as you until I also know the password.
- Thus, knowing just the ID is not enough. We need to prove that the ID belongs to us, and that is precisely what is called authentication. It is for this reason that you need to additionally sign when you submit an Aadhar Card or PAN Card as an ID proof, to ensure that someone didn't just use a photocopy of those IDs without your permission (or consent). Some of the ways to authenticate an ID are passwords, biometrics (like your Aadhar fingerprints or phone sensor), PIN (like for a Debit Card), or OTP (the SMS that you get to confirm a transaction).

6. Authorisation
- Authorisation is defined as,
  Definition : A way to determine what resource an entity can access.
- Once you have provided your ID and have been successfully authenticated, the next step is authorisation, where the system determines if you have the permission to access the desired object.
- For example, even if you have a valid Voter ID card, if your name is not on the electoral list at a particular area booth, you won't be allowed to vote. Having an authenticated ID is one thing and getting access to the resource is another.
- Just because you have an authenticated ID does not mean that you automatically have access to the resources. So, an authenticated ID is a must for authorisation, but that does not always guarantee that you would be allowed.

7. Accountability
- Accountability is defined as,
  Definition : A way to record your actions.
- Suppose you used a system to take print outs. That system logs this action (pretty much like you record attendance in the lab or classroom) to build a trace (evidence or proof) that you used the printer.
- If you were not supposed to use the printer, the evidence can be used to hold you accountable for using it without permission and could result in particular consequences.
- Accountability is a key determinant of how securely a system is operating. The logs generated are continuously monitored and necessary alarms are raised if any entry is found to be suspicious.
- Let's summarise the 4 access control steps with the help of Fig. 1.2.2.

Fig. 1.2.2 : User -> Identification -> Authentication -> Authorization -> Record (Accountability)

8. Non-repudiation
- Non-repudiation is defined as,
  Definition : A way to prove your actions.
- It is used in conjunction with accountability and the CIA triad. Non-repudiation provides an assurance that someone cannot deny their actions later on. For example, if I sent you an email, I cannot later deny that I did not.
- To send an email, I must have used my email ID and password and then sent it over to you over a secure network where no one could change the email body.
- If you can establish all of these facts truthfully, you have proven that I sent that email and thus established non-repudiation.

1.3 Basic Terminologies in Network Security (OSI Model)

Note : Discussing the OSI Model in depth is beyond the scope of this book. It is assumed that you have covered it in detail in your subjects on networking. A general high-level overview is presented here as a refresher.

Definition : The Open Systems Interconnection model (OSI model) is a conceptual model that characterizes and standardizes the communication functions of networked communications without diving into the complexities of protocols, architecture and the underlying technologies.

- The OSI model consists of 7 layers. Each layer interacts with the layer above and below it and passes on the respective protocol data units encapsulated into their respective headers.

Table 1.3.1

| No. | Layer        | Protocol Data Unit | Function                                                  |
| 7   | Application  | Data               | Application interface - APIs, UIs                         |
| 6   | Presentation | Data               | Data translation between networking and application       |
| 5   | Session      | Data               | Manage communication sessions between sender and receiver |
| 4   | Transport    | Segment, Datagram  | Reliable data transmission                                |
| 3   | Network      | Packet             | Network packet addressing and routing                     |
| 2   | Data Link    | Frame              | Transmission of data between two nodes                    |
| 1   | Physical     | Binary             | Actual communication over physical media                  |

- Here each OSI layer protocol adds its own information to the data packet.
- Decapsulation happens bottom-up (from the Physical to the Application Layer).
- Table 1.3.2 shows a quick reference summary of various protocols at the respective OSI Layers.

Table 1.3.2

| Application  | HTTP, FTP, SMTP, etc.         |
| Presentation | JPEG, MPEG, TIFF, ASCII, etc. |
| Session      | NFS, RPC, etc.                |
| Transport    | TCP, UDP, SSL, etc.           |
| Network      | IP, ICMP, OSPF, etc.          |
| Data Link    | ARP, PPP, Ethernet, etc.      |
| Physical     | ISDN, DSL, 10Base-T, etc.     |
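Before moving on to the OSI security architecture, here is an added worked example (not code from the book) of the four access-control steps summarised in Fig. 1.2.2 of Section 1.2: a small Python service that runs identification, authentication, authorisation and accountability for every request, then monitors its own audit log for suspicious entries. All user names, passwords and permissions are constructed sample data, and the class and function names are my own.

```python
"""Added example (not from the book): the four access-control steps of
Fig. 1.2.2 -- identification, authentication, authorisation, accountability --
as one small Python service. All user names, passwords and permissions are
constructed sample data."""
import hashlib
import hmac
import os
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# PBKDF2 iteration count, kept low so the example runs quickly; use a much
# higher value for real password storage.
ITERATIONS = 20_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest) from salted PBKDF2-HMAC-SHA256: the clear-text
    password is never stored, which protects the secret at rest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


@dataclass
class Account:
    user_id: str      # the ID a caller may claim (Identification)
    salt: bytes
    digest: bytes     # proof that the ID belongs to the caller (Authentication)
    permissions: Set[str] = field(default_factory=set)  # what the ID may do (Authorisation)


@dataclass
class AccessControl:
    accounts: Dict[str, Account]
    audit_log: List[str] = field(default_factory=list)  # record of actions (Accountability)

    def identify(self, user_id: str) -> bool:
        """Step 1: is the claimed ID known to the system at all?"""
        return user_id in self.accounts

    def authenticate(self, user_id: str, password: str) -> bool:
        """Step 2: does the caller hold the secret bound to that ID? Knowing the
        ID alone is not enough, just as a Facebook e-mail without its password."""
        account = self.accounts.get(user_id)
        if account is None:
            return False
        _, digest = hash_password(password, account.salt)
        return hmac.compare_digest(digest, account.digest)  # constant-time compare

    def authorise(self, user_id: str, action: str) -> bool:
        """Step 3: an authenticated ID still needs permission for this resource
        (the valid Voter ID whose holder is not on the electoral list)."""
        return action in self.accounts[user_id].permissions

    def request(self, user_id: str, password: str, action: str) -> str:
        """Run the four steps for one request and return the outcome. Step 4:
        every attempt, successful or not, is appended to the audit log."""
        if not self.identify(user_id):
            outcome = "unknown-id"
        elif not self.authenticate(user_id, password):
            outcome = "auth-failed"
        elif not self.authorise(user_id, action):
            outcome = "denied"
        else:
            outcome = "allowed"
        self.audit_log.append(f"user={user_id} action={action} outcome={outcome}")
        return outcome

    def suspicious_users(self, threshold: int = 3) -> Set[str]:
        """Monitor the log: IDs with at least `threshold` failed authentications,
        the kind of entry the text says should raise an alarm."""
        failures = Counter(
            entry.split()[0].split("=", 1)[1]
            for entry in self.audit_log
            if entry.endswith("outcome=auth-failed")
        )
        return {user for user, count in failures.items() if count >= threshold}


def make_account(user_id: str, password: str, permissions: Set[str]) -> Account:
    salt, digest = hash_password(password)
    return Account(user_id, salt, digest, permissions)


def sample_system() -> AccessControl:
    """Constructed sample data: alice may print; bob is a valid user with no rights."""
    return AccessControl(accounts={
        "alice": make_account("alice", "correct horse", {"print"}),
        "bob": make_account("bob", "battery staple", set()),
    })


if __name__ == "__main__":
    ac = sample_system()
    print(ac.request("alice", "correct horse", "print"))  # allowed
    print(ac.request("alice", "wrong guess", "print"))    # auth-failed
    print(ac.request("bob", "battery staple", "print"))   # denied
    print(ac.request("mallory", "anything", "print"))     # unknown-id
    print("\n".join(ac.audit_log))
```

The four outcomes map onto the text's examples: an unknown ID fails identification, a known ID with the wrong password fails authentication, bob authenticates but is denied (the voter not on the electoral list), and every attempt leaves a log entry that `suspicious_users` can later flag.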
1.3.1 The OSI Security Architecture
- The objective of the OSI model is to permit the interconnection of heterogeneous computer systems so that useful communication between application processes may be achieved.
- At the various OSI layers, security controls must be established in order to protect the information exchanged between the application processes (or the connected computers or devices). Such controls make it difficult to obtain the information in any unauthorised way.
- OSI security functions are concerned only with the OSI layers involved in the communications path. They do not include other security controls such as securing the operating system or the application process itself.
- Let us learn about the various security services and mechanisms placed at the OSI layers. The categories below are the ones defined in ITU-T Recommendation X.800 (Security Architecture for OSI).

1.3.2 Categories of Security Services
Definition : Security services are safeguard controls recommended to be placed at the various OSI layers.
- The various security services are listed in Fig. 1.3.1.
Fig. 1.3.1 : Categories of security services
Authentication
 1. Peer entity authentication
 2. Data origin authentication
Access control
Data confidentiality
 1. Connection confidentiality
 2. Connectionless confidentiality
 3. Selective field confidentiality
 4. Traffic flow confidentiality
Data integrity
 1. Connection integrity with recovery
 2. Connection integrity without recovery
 3. Selective field connection integrity
 4. Connectionless integrity
 5. Selective field connectionless integrity
Non-repudiation
 1. Non-repudiation with proof of origin
 2. Non-repudiation with proof of delivery

1.4 Security Techniques / Steps / Mechanisms
Definition : Security mechanisms are the various techniques recommended to provide the security services at the OSI layers.
- The various security mechanisms that can be applied are as follows :
- Encipherment (Encryption)
 o Symmetric
 o Asymmetric
- Digital signature
 o Signing a data unit
 o Verifying a signed data unit
- Access control
 o Passwords
 o Time of access
 o Duration of access
 o Access route
- Data integrity
 o Quantity of data sent
 o Quantity of data received
 o Sequencing of data units
 o Time stamping
- Authentication exchange
 o Handshaking
 o Cryptographic techniques
- Traffic padding
- Routing control
- Notarization
- Pervasive security mechanisms
 o Security labels
 o Event detection
 o Security audit trail
 o Security recovery

1.4.1 Placement of Security Services and Mechanisms
- Now that you have a fair understanding of the various security services and the security mechanisms that can be used at the various OSI layers, let us see the recommended placement for them in the table below.

OSI Layer | Security Service | Security Mechanism
Physical Layer | Connection confidentiality; Traffic flow confidentiality | Encipherment
Data Link Layer | Connection confidentiality; Connectionless confidentiality | Encipherment
Network Layer | Peer entity authentication; Data origin authentication; Access control service; Connection confidentiality; Connectionless confidentiality; Traffic flow confidentiality; Connection integrity without recovery; Connectionless integrity | Authentication exchange; Encipherment; Digital signature; Access control; Routing control; Traffic padding; Data integrity
Transport Layer | Peer entity authentication; Data origin authentication; Access control service; Connection confidentiality; Connectionless confidentiality; Connection integrity with recovery; Connection integrity without recovery; Connectionless integrity | Authentication exchange; Encipherment; Digital signature; Access control; Data integrity
Session Layer | No security services are provided in the session layer | Not applicable
Presentation Layer | Connection confidentiality; Connectionless confidentiality; Selective field confidentiality; Traffic flow confidentiality; and, in conjunction with the application layer: Peer entity authentication; Data origin authentication; Connection integrity with recovery; Connection integrity without recovery; Selective field connection integrity; Connectionless integrity; Selective field connectionless integrity; Non-repudiation with proof of origin; Non-repudiation with proof of delivery | Encipherment; Digital signature; Data integrity; Notarization
Application Layer | Peer entity authentication; Data origin authentication; Access control service; Connection confidentiality; Connectionless confidentiality; Selective field confidentiality; Traffic flow confidentiality; Connection integrity with recovery; Connection integrity without recovery; Selective field connection integrity; Connectionless integrity; Selective field connectionless integrity; Non-repudiation with proof of origin; Non-repudiation with proof of delivery | Encipherment; Access control; Digital signature; Data integrity; Traffic padding; Notarization

1.5 Operational Model of Network Security (Network Security Model)
Q. Explain the Operational Security Model for Network Security. (March 19, 5 Marks)
Definition : The Network Security Model (NSM) is a seven-layer model that divides the task of securing a network infrastructure into seven manageable sections. It is similar to the seven OSI layers. The model is generic and can apply to all security implementations and devices.
- NSM provides a unified way of securing networks. It is easier to pinpoint issues at the respective NSM layers and address the gaps, if any.
- Table 1.5.1 lists the NSM layers and how they align with the OSI layers. It is important to understand that, like the OSI layers, each NSM layer builds on top of the previous layer.
- If any layer is compromised, the layers above it are disrupted as well.
For example, if there is an attack at NSM layer 2, it would disrupt the layers above it (3, 4, 5, 6 and 7). Let us learn about each of the NSM layers.

Table 1.5.1
Network Security Model (NSM) | OSI Model (inverted)
Physical | Physical
VLAN | Data Link
ACL | Network
Software | Transport
User | Session
Administrative | Presentation
IT Department | Application

1. NSM Layer 1 : Physical : It works at the physical layer. It safeguards the physical aspects of the network, for example physical access to the routers, switches or any other networking equipment. Physical security can take several forms, such as security alarms, security guards and CCTV.
2. NSM Layer 2 : VLAN : VLAN stands for Virtual Local Area Network. At this layer, the network is segmented (partitioned) into smaller network chunks so that they can be safeguarded individually and managed effectively. It ensures that only authorized devices connect to the provided networks. You could create VLANs department-wise, region-wise or by any other suitable grouping based on your site requirements. A VLAN is a logical boundary enforced by the switch, so the switch configuration itself (which ports belong to which VLAN, and which ports may carry tagged traffic for several VLANs) is a security-critical setting.
3. NSM Layer 3 : ACL : ACL stands for Access Control List. ACLs are created to allow or deny access based on the network layer of the OSI model. For example, certain IP ranges (say the finance department) might be restricted from access by other devices on the network. ACLs can be created on routers, firewalls and switches and can effectively control network access as designed and intended. On most devices ACL entries are evaluated in order, the first matching entry decides, and anything that matches no entry is dropped (implicit deny), so the order of the entries matters as much as their content.
4. NSM Layer 4 : Software : The software layer is focused on keeping the device software up to date with the latest upgrades and patches in order to mitigate any known software vulnerabilities. At this layer, patches are installed to ensure that the software running on the device cannot be exploited through known weaknesses. For example, you install security patches on your operating system or update applications on your phone to ensure that you are running a secure version of the software that has no known exploits.
5. NSM Layer 5 : User : This layer deals with user access and management. The user layer focuses on the user's training and knowledge about security on the network. The user should understand the basic concepts of network security and should be capable of applying security-related judgement. For example, users should be aware of which software to run on the system and which not to.
6. NSM Layer 6 : Administrative : The administrative layer focuses on the training of administrative users. It works very much like the user layer but focuses primarily on the administrative staff. It provides guidance to the layers below it to adequately protect the network. For example, it can dictate which software is allowed for user consumption.
7. NSM Layer 7 : IT Department : The IT department layer deals directly with the maintenance of all layers and makes sure that the entire network works correctly according to the NSM model. It has several professionals in the team who know how to architect and operate a secure network.

1.6 Security Threats and Vulnerabilities
- From our previous discussion on the debit card and PIN, you now understand what security threats and vulnerabilities mean. Threats are what can exploit your assets, and vulnerabilities are the weaknesses or situations that could allow such an exploit.
- Let us review some of the security threats and vulnerabilities commonly found in the context of information security.

1.6.1 Security Threats
- There are several security threats to an information system. Some of them are listed in Fig. 1.6.1.
Fig. 1.6.1 : Security Threats : 1. Innocent / untrained personnel, 2. Script kiddies, 3. Hackers / crackers, 4. Insiders / disgruntled personnel, 5. Nations, 6. Natural disasters, 7. Malicious software

1. Innocent / Untrained personnel
- These could be your employees, household members or any person who does not understand the intricate complexities of security. These people believe the information presented to them and are often soft targets of several frauds.
- They can be easily convinced and pushed into harming your organisation (say, by sharing critical details) or any other critical asset. As a countermeasure, provide security training from time to time and reinforce the idea that security is everyone's responsibility.

2. Script kiddies
- These are people who exploit systems just for fun. They have a lot of free time and go around the internet looking for systems with weak controls. Once a system is found, they may play games, watch movies, download other software or just leave random messages on the screen.
- They do not have the sophisticated skills to exploit weaknesses themselves and usually depend on ready-made attack tools or software. As a countermeasure, test your website and software against the common attack tools and ensure that any weak controls are sufficiently addressed.

3. Hackers / Crackers
- These are people who have sophisticated computer security skills. They have a deep understanding of how various protocols, services, operating systems, drivers, network equipment, etc. work and can thus launch sophisticated attacks on such information systems.
- They usually hide their presence and activities to ensure that they go unnoticed and can exploit the systems for a long time without being detected. As a countermeasure, invest in penetration testing of your website and software and ensure that all the security findings are adequately addressed.

4. Insiders / Disgruntled personnel
- These people are on your side, but they have malicious intent to impact your systems. They might hold a grudge against you or the organisation and typically exploit the systems to take revenge.
- Insider threats are extremely hard to detect, since you might believe that their actions are part of their job and may not suspect them or monitor them very closely.
- As a countermeasure, use access control to grant the least possible permissions required to carry out one's job. Evaluate the permissions from time to time and ensure that they are still relevant to the job done by the person.

5. Nations
- Many a time, nations spy on each other and want to steal information related to country defence, forces, arms, and other intellectual property and confidential information whose loss can severely damage the reputation of the country or its economy.
- These attacks are highly sophisticated and have a huge impact on nations. For example, you might have heard of Russian involvement in the US elections. As a countermeasure, nations typically protect sensitive information by limiting its sharing to high-ranking officials, deploy top-notch security solutions and processes, and continuously monitor their operations to detect any unauthorised act.

6. Natural disasters
- Natural disasters such as floods, earthquakes, lightning, etc. can severely damage information systems (remember availability as one of the tenets of security?) and could impact information availability.
- As a countermeasure, you invest in backups, business continuity processes and disaster recovery solutions that can quickly bring the systems and information back to avoid a large impact on your business.

7. Malicious software
- These are software programs written with malicious intent. The purpose of these programs is to harm the information systems or extract useful information in an unauthorised manner.
- As a countermeasure, you install tools that detect such software. These tools could be anti-virus, anti-malware, anti-spyware, intrusion detection systems, intrusion prevention systems, etc. We will explore this in depth in a subsequent section.
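Returning to NSM Layer 3 (ACL) from Section 1.5, the following Go program is an added example, not code from the book. It evaluates an ordered access control list with first-match semantics and an implicit deny at the end, and it flags rules that can never fire because an earlier, broader rule already covers them, which is the usual way a "restricted" subnet quietly stays reachable. The subnets (finance workstations 10.10.10.0/24, finance servers 10.10.20.0/24, the campus 10.0.0.0/8, a DNS resolver at 10.0.0.53), the rule names and the sample packets are all constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

type action bool

const (
	allow action = true
	deny  action = false
)

// rule is one ACL entry: source and destination prefixes, protocol and
// destination port, plus the action. proto "any" and port 0 are wildcards.
type rule struct {
	name  string
	act   action
	src   netip.Prefix
	dst   netip.Prefix
	proto string
	port  uint16
}

type packet struct {
	src, dst netip.Addr
	proto    string
	port     uint16
}

func pkt(src, dst, proto string, port uint16) packet {
	return packet{netip.MustParseAddr(src), netip.MustParseAddr(dst), proto, port}
}

func (r rule) matches(p packet) bool {
	return r.src.Contains(p.src) && r.dst.Contains(p.dst) &&
		(r.proto == "any" || r.proto == p.proto) &&
		(r.port == 0 || r.port == p.port)
}

// evaluate walks the ACL top to bottom: the first matching rule decides. If no
// rule matches, the packet is dropped, mirroring the implicit deny at the end
// of router and firewall ACLs.
func evaluate(acl []rule, p packet) (action, string) {
	for _, r := range acl {
		if r.matches(p) {
			return r.act, r.name
		}
	}
	return deny, "implicit-deny"
}

// covers reports whether every address in inner also lies in outer.
func covers(outer, inner netip.Prefix) bool {
	return outer.Bits() <= inner.Bits() && outer.Contains(inner.Masked().Addr())
}

// shadowed lists rules that can never fire because an earlier rule already
// matches every packet they would match. The ACL then looks stricter than it is.
func shadowed(acl []rule) []string {
	var out []string
	for j := 1; j < len(acl); j++ {
		for i := 0; i < j; i++ {
			a, b := acl[i], acl[j]
			if covers(a.src, b.src) && covers(a.dst, b.dst) &&
				(a.proto == "any" || a.proto == b.proto) &&
				(a.port == 0 || a.port == b.port) {
				out = append(out, b.name+" shadowed by "+a.name)
				break
			}
		}
	}
	return out
}

// Constructed addressing for the example.
var (
	financeUsers = netip.MustParsePrefix("10.10.10.0/24")
	financeNet   = netip.MustParsePrefix("10.10.20.0/24")
	campus       = netip.MustParsePrefix("10.0.0.0/8")
	dnsServer    = netip.MustParsePrefix("10.0.0.53/32")
	anyV4        = netip.MustParsePrefix("0.0.0.0/0")
)

// goodACL: specific permits and denies first, broad permits last.
var goodACL = []rule{
	{"finance-to-finance", allow, financeUsers, financeNet, "any", 0},
	{"block-finance", deny, anyV4, financeNet, "any", 0},
	{"campus-dns", allow, campus, dnsServer, "udp", 53},
	{"campus-web", allow, campus, anyV4, "tcp", 443},
}

// badACL: the same intent, but the broad permit comes first and swallows the deny.
var badACL = []rule{
	{"campus-any", allow, campus, anyV4, "any", 0},
	{"block-finance", deny, campus, financeNet, "any", 0},
}

func main() {
	for _, p := range []packet{
		pkt("10.10.10.5", "10.10.20.7", "tcp", 445), // finance user to finance server
		pkt("10.20.1.9", "10.10.20.7", "tcp", 443),  // another department to finance
		pkt("10.20.1.9", "10.0.0.53", "udp", 53),    // DNS lookup
		pkt("10.20.1.9", "10.0.0.53", "tcp", 53),    // DNS over TCP: no rule permits it
	} {
		act, name := evaluate(goodACL, p)
		fmt.Printf("%-12s -> %-12s %s/%-4d allow=%-5v (%s)\n", p.src, p.dst, p.proto, p.port, bool(act), name)
	}
	fmt.Println("goodACL shadowed rules:", shadowed(goodACL))
	fmt.Println("badACL shadowed rules: ", shadowed(badACL))
}
```

In goodACL the deny for the finance subnet sits above the campus-wide web permit, so a 443 connection from another department is stopped; in badACL the same deny is listed after a campus-wide permit and shadowed reports it as dead, which is the check worth running whenever an ACL is changed.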
