Chapter 2 - Information Security Mechanisms

Uploaded by

Vako Veii
Information Security Management Assurance (ISM811S)
Chapter 2 – Information Security Mechanisms
Dr Mercy Chitauro
Outline
1. Information Security Terminology
2. Attack types
3. Security controls
4. Access Controls
5. System logs
6. Firewalls
7. IDS/IPS
8. Cryptographic Controls
9. Other important, emerging security controls
   1. Remote access
   2. Wireless Network Security
   3. Scanning and Analysis tools
   4. Bring your device security
10. Homework
Learning outcomes
▪ Outline basic security terminology and attack types;
▪ Differentiate types of attacks;
▪ Explain the difference between vulnerabilities and threats;
▪ Explain the difference between technical and administrative controls;
▪ Discuss the various access control approaches;
▪ Identify common approaches to firewall implementation;
▪ Describe the types of IDS and the strategies on which they are based;
▪ Explain cryptography, the encryption process, and cryptographic controls;
▪ Outline other emerging security mechanisms;
▪ Outline management of emerging security mechanisms.
Information Security (infosec)
• Information security is the protection of information and its critical characteristics:
– Confidentiality
– Integrity
– Availability
• Including the systems and hardware that store and transmit that information.
• Data
– Documents
– Photos
– Music
– Videos
– Email
• Hardware
– Computers
– Devices
– Network gear
• Software
– OS
– Utilities (antivirus)
– Apps – commercial and individual
Image source: http://www.rightstreamit.co.uk/services.htm
Terminology
• A Vulnerability is a weakness in an IT system
that might be exploited to cause loss or harm
• Types
– Technological: Weaknesses inherent in computers
and network technologies such as operating
systems, network protocols like TCP/IP, ICMP, OSPF,
etc.
– Configuration: This results from improper
computer and network configurations
– Security Policy: This is a result of users not
following security policies or poor policy
enforcement procedures.
Terminology
• A threat to an IT system is a set of circumstances that has the potential to cause harm/loss/danger/damage
– Non-human threats
• Natural disasters, loss of electrical power, failure of components
– Human threats
• Non-malicious
• Malicious
Malicious Threats
• Random
– Harm any computer or user
– Virus
– Denial of Service (DoS)
• Directed
– Harm specific computers
– DoS
– Advanced persistent threat
– Impersonation
Terminology
• Attack: An assault on system security that
derives from an intelligent threat. That is, an
intelligent act that is a deliberate attempt to
evade security services and violate the
security policy of a system.
• Exploit: Software or commands that take
advantage of a vulnerability in order to carry
out an attack
Attackers
• Individual
• Hacker
• Organised crime
Attack Types
• Reconnaissance
• Access Attacks
• Denial of Service
• Malware Attacks
Reconnaissance
• Reconnaissance, also known as information gathering, is the unauthorized discovery and mapping of systems, services, or vulnerabilities. In most cases, it precedes an access or DoS attack.
• Reconnaissance attacks can consist of the following:
– Internet information queries
– Ping sweeps
– Port scans
– Packet sniffers
– Social engineering
Access Attacks
• Password Attacks
• Port redirection
• Man-in-the-middle attack
• Buffer Overflow
DoS and DDoS Attacks
• A DDoS attack, and its simpler version, the DoS attack on a server, sends extremely large numbers of requests over a network or the Internet.
– These many requests cause the target server to run well
below optimum speeds.
– Consequently, the attacked server becomes unavailable
for legitimate access and use.
– By overloading system resources, DoS and DDoS attacks
crash applications and processes by executing exploits or
a combination of exploits.
– DoS and DDoS attacks are the most publicized form of
attack and are among the most difficult to completely
eliminate.
Distributed Denial of Service Attack (DDoS)
• DDoS attacks are designed to saturate network
links with spurious data which can overwhelm a
link causing legitimate traffic to be dropped.
– DDoS uses attack methods similar to standard DoS
attacks but operates on a much larger scale.
– Typically hundreds or thousands of attack points
attempt to overwhelm a target.
Malware
• “Malicious software” is software designed to
infiltrate a computer without the owner's informed
consent.
• Malware includes:
– Computer viruses
– Worms
– Trojan horses
– Rootkits
– Backdoors (Method of bypassing normal authentication
procedures and usually installed using Trojan horses or
worms.)
– For profit (Spyware, botnets, keystroke loggers, and
dialers)
Threat or
Vulnerability?
1. Computer with no passwords
2. Misconfigured firewall
3. A hacker
4. Computer virus
Controls
• A control is a means to counter harm
Types of Control

• Physical
• Procedural/administrative
• Technical
Technical Control
• Enable policy enforcement where human behaviour is difficult to regulate
• For example, a password policy that specifies strength, how often to change the password and prohibits reuse would be impossible to enforce by asking personnel
Access Controls
• Access controls regulate the admission of users into trusted areas of an organization
– Logical and physical
• Access control is maintained by means of a collection of policies, programs to carry out those policies and technologies that enforce policies
The four processes of access control
• Identification
• Authentication
• Authorisation
• Accountability
A successful access control approach always incorporates all four of these elements
Identification
• Identification is a mechanism that provides information about an unverified entity – called a supplicant – that wants to be granted access to a known entity.
• The label is known as an ID
Authentication
• Authentication is the act of proving or validating an identity (the supplicant’s purported identity)
• Authentication – verifying that users are who they say they are and that each input arriving at the system came from a trusted source
Authentication Mechanisms
Biometrics
Image source: https://www.slideshare.net/adoitya/biometric-technologythe-most-reliable-security-system
Problems with Biometrics
• Intrusive
• Expensive
• Single point of failure
• Sampling error
• False readings
• Speed
• Forgery
• False positive: incorrectly confirming an identity
• False negative: incorrectly denying an identity
• Biometric matches are not exact; the issue is whether the rate of false positives and false negatives is acceptable
Authorisation
• Begins with an authenticated user
– User authorization – grants access to resources to only that entity
– Group authorization – matches authenticated entities to a list of group memberships and then grants access to resources based on the group’s access rights
– Multiple systems authorization – single sign-on – user gets an authorization ticket honored by all systems within the authentication domain
Accountability
• Accountability – ensures that all actions on a system can be attributed to an authenticated identity
– Accomplished by implementing system logs and database journals and by auditing these records
• System logs – records maintained by a particular system that has been configured to record specific information such as failed access attempts and system modifications.
Items logs can track
• Network performance
• Other network data
• System performance
• Other system data
• Process performance
• Other process data
• Files and directories
• Applications and services
• Users
System logs
• Some systems are configured to record a common set of data by default. Others must be configured to be activated
• To protect the log data you must ensure that the servers that create and store the logs are secure
• According to NIST, log management infrastructure involves 2 tiers:
– Log generation
– Log analysis and storage
Log Generation
• Configuring systems to create logs
• Configuration changes needed to consolidate logs – if desired
• Activities include
– Activating logging on servers
– Defining where to store logging data
• On the system
• Centralised log analysis system
Issues in log generation
• Multiple log sources
• Inconsistent log content
• Inconsistent timestamps
• Inconsistent log format
Log generation functions
• To interpret data from log generation, the following functions must be addressed:
– Log parsing – dividing data within logs into specific values, as some data may consist of a solid data stream.
– Event filtering – the separation of items of interest from the rest of the data that the log collects.
– Event aggregation – the consolidation of similar entries or related events within a log.
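The three functions above (parsing, filtering, aggregation) applied to failed access attempts from two sources whose formats and timestamps are inconsistent. This is an added example, not part of the original slides; the log lines, host names and field layouts are constructed, and the year and UTC zone given to the syslog-style timestamps are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines from two hypothetical sources whose formats and
# timestamp styles differ; the last line matches neither format.
SAMPLE_LOGS = [
    "2024-03-01T08:15:02Z host=web01 event=login_failed user=admin src=203.0.113.7",
    "2024-03-01T08:15:04Z host=web01 event=login_failed user=admin src=203.0.113.7",
    "Mar  1 08:15:09 db01 sshd[2211]: Failed password for root from 203.0.113.7 port 50122 ssh2",
    "Mar  1 08:16:30 db01 sshd[2214]: Accepted password for alice from 198.51.100.20 port 40110 ssh2",
    "2024-03-01T08:17:00Z host=web01 event=config_change user=bob src=198.51.100.20",
    "Mar  1 08:18:45 db01 sshd[2290]: Failed password for invalid user test from 192.0.2.55 port 33010 ssh2",
    "garbage line that matches no known format",
]

KV_RE = re.compile(
    r"^(?P<ts>\S+Z) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<verb>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2024):
    """Log parsing: split one raw line into named values, or return None."""
    m = KV_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        event = m["event"]
    else:
        m = SSHD_RE.match(line)
        if not m:
            return None
        # Syslog timestamps carry no year or zone; both are assumed here.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        event = "login_failed" if m["verb"] == "Failed" else "login_ok"
    # Normalise both sources to one record layout and one time zone.
    return {"time": ts.replace(tzinfo=timezone.utc), "host": m["host"],
            "event": event, "user": m["user"], "src": m["src"]}


def filter_events(events, wanted="login_failed"):
    """Event filtering: keep only the entries of interest."""
    return [e for e in events if e["event"] == wanted]


def aggregate(events):
    """Event aggregation: consolidate related entries per source address."""
    summary = {}
    for e in events:
        s = summary.setdefault(e["src"], {"count": 0, "first": e["time"],
                                          "last": e["time"], "users": set(),
                                          "hosts": set()})
        s["count"] += 1
        s["first"] = min(s["first"], e["time"])
        s["last"] = max(s["last"], e["time"])
        s["users"].add(e["user"])
        s["hosts"].add(e["host"])
    return summary


def summarise(lines):
    """Run the pipeline; unparsed lines are returned, not silently dropped."""
    parsed, unparsed = [], []
    for line in lines:
        event = parse_line(line)
        (parsed if event else unparsed).append(event or line)
    return aggregate(filter_events(parsed)), unparsed


if __name__ == "__main__":
    report, rejected = summarise(SAMPLE_LOGS)
    for src, s in sorted(report.items(), key=lambda kv: -kv[1]["count"]):
        print(src, s["count"], sorted(s["users"]), sorted(s["hosts"]),
              s["first"].isoformat(), s["last"].isoformat())
    print("unparsed:", rejected)
```

Aggregating by source address shows that one address failed logins on both hosts, something neither host's log shows on its own.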
Log Analysis and Storage
• Transferring log data to an analysis system.
• Analysis systems are called Security event information management systems.
– They take log data from a number of servers or other network devices for the purposes of interpreting, filtering, correlating, analysing, storing and reporting the data
Important functions within log storage
• Log rotation
• Log archival
• Log compression
• Log reduction
• Log normalization
• Log conversion
• Log file integrity
Management functions in log analysis
• Event correlation – The association of multiple log file entries according to a predefined event
• Log viewing – The display of data in a form that is easily understandable by humans
• Log reporting – The display of the results of log analysis
Managing logs
1. Make sure the data store can handle the amount of data generated by the configured logging activities
2. Rotate logs when unlimited data storage is not possible
3. Archive logs. Log systems can copy logs periodically to remote storage locations
4. Secure logs by encrypting to prevent unwanted disclosure
5. Destroy logs once data has outlived its usefulness
Firewalls
• Any device that prevents a specific type of information from moving between an untrusted network (internet) and trusted network.
– Separate computer
– Service running on an existing router or server
– Separate network
Firewall Types
• Packet filtering firewall,
• Stateful inspection firewalls,
• Application-level gateways or proxies,
• Circuit level gateways,
• Next generation firewalls or unified threat management.
Packet filtering
firewalls
• Are simple networking devices that filter packets by
examining every incoming and outgoing packet
header
• Can selectively filter packets based on values in the
packet header, accepting or rejecting packets as
needed
• Can be configured to filter based on IP address,
type of packet, port request, and/or other
elements present in the packet
Packet Filtering Example Rules

Rule  Direction  Src Address  Dest Address  Protocol  Dest Port  Action
A     In         External     Internal      TCP       25         Permit
B     Out        Internal     External      TCP       >1023      Permit
C     Out        Internal     External      TCP       25         Permit
D     In         External     Internal      TCP       >1023      Permit
E     Either     Any          Any           Any       Any        Deny

Stateful inspection
firewalls
• Stateful inspection firewalls build on packet
filtering firewalls by keeping a state table of
outbound TCP connections and sequence numbers.
• A stateful inspection firewall records state and
context of each outbound packet which enables it
to restrict incoming packets that are not responses
to requests from internal hosts.
• Therefore, stateful inspection firewalls can prevent
attacks that depend on TCP session numbers
Example Rules: stateful inspection

Source address  Source port  Destination address  Destination port  Connection state
192.168.1.100   1030         210.22.88.29         80                Established
192.168.1.102   1031         216.32.42.123        80                Established
192.168.1.101   1033         173.66.32.122        25                Established
192.168.1.106   1035         177.231.32.12        79                Established
223.43.21.231   1990         192.168.1.6          80                Established
212.22.123.32   2112         192.168.1.6          80                Established
210.22.212.18   3321         192.168.1.6          80                Established
24.102.32.23    1025         192.168.1.6          80                Established
223.21.22.12    1046         192.168.1.6          80                Established
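The packet filtering rules A to E and the state table above, evaluated side by side to show what the state table adds: rule D on its own permits any inbound packet to a high port, while the stateful check permits it only as a reply to a recorded outbound connection. This is an added example, not part of the original slides; the 192.168.1.0/24 trusted range, the 203.0.113.9 address and the packets are assumptions, and the state tracking is simplified.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: the trusted network is 192.168.1.0/24, the internal range that
# appears in the slide's state table. Everything else is "external".
INTERNAL = ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "TCP"


def direction(pkt):
    src_in = ip_address(pkt.src) in INTERNAL
    dst_in = ip_address(pkt.dst) in INTERNAL
    if dst_in and not src_in:
        return "in"       # External -> Internal
    if src_in and not dst_in:
        return "out"      # Internal -> External
    return "other"


# Rules A-E from the table, checked top to bottom; the first match decides.
# "In"/"Out" already imply the source and destination address columns.
RULES = [
    ("A", "in", "TCP", lambda port: port == 25, "permit"),
    ("B", "out", "TCP", lambda port: port > 1023, "permit"),
    ("C", "out", "TCP", lambda port: port == 25, "permit"),
    ("D", "in", "TCP", lambda port: port > 1023, "permit"),
    ("E", "either", "any", lambda port: True, "deny"),
]


def packet_filter(pkt):
    """Stateless decision based on header fields only."""
    for name, rule_dir, proto, port_ok, action in RULES:
        if (rule_dir in ("either", direction(pkt))
                and proto in ("any", pkt.proto) and port_ok(pkt.dport)):
            return name, action
    return "E", "deny"


class StatefulFirewall:
    """Same rules plus a table of outbound connections (simplified: no TCP
    flags, sequence numbers or timeouts are tracked)."""

    def __init__(self):
        self.state = set()

    def check(self, pkt):
        name, action = packet_filter(pkt)
        if action == "permit" and direction(pkt) == "out":
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        elif name == "D":
            # Rule D is meant for replies: require a matching outbound entry.
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) not in self.state:
                return "no-state", "deny"
        return name, action


# Constructed packets. The first pair reuses the 192.168.1.101:1033 ->
# 173.66.32.122:25 connection from the slide's state table.
OUTBOUND_SMTP = Packet("192.168.1.101", 1033, "173.66.32.122", 25)
SMTP_REPLY = Packet("173.66.32.122", 25, "192.168.1.101", 1033)
UNSOLICITED = Packet("203.0.113.9", 50000, "192.168.1.6", 8080)
INBOUND_MAIL = Packet("203.0.113.9", 40000, "192.168.1.6", 25)
INBOUND_TELNET = Packet("203.0.113.9", 40001, "192.168.1.6", 23)

if __name__ == "__main__":
    fw = StatefulFirewall()
    for p in (OUTBOUND_SMTP, SMTP_REPLY, UNSOLICITED, INBOUND_MAIL, INBOUND_TELNET):
        print(p, "stateless:", packet_filter(p), "stateful:", fw.check(p))
```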
Application-level firewalls
• Often consists of dedicated computers kept separate from the
first filtering router (edge router)
• Commonly used in conjunction with a second or internal filtering
router - or proxy server
• Proxy server, rather than the Web server, is exposed to outside
world from within a network segment called the demilitarized
zone (DMZ), an intermediate area between a trusted network
and an untrusted network
• Application-level firewalls are implemented for specific protocols
How application-level firewall works
1. Packet is received on a firewall.
2. Packet is processed at network layer.
3. Data from packet is passed on to kernel space.
4. Data is then passed on to application level.
5. Data is passed on to the proxy server listening on the TCP or UDP port.
6. Proxy service processes the data it has received.
7. The data is compared to the acceptable command set rules, as well as to host and user permission rules set in the firewall.
8. The proxy decides on whether to forward or discard the packet.
9. Additionally, the firewall may perform other functions such as URL filtering, data modification, authentication logging, and HTTP object caching.
• From the inside host, it seems as if the application-level gateway is 200.20.5.123.
• From the outside host, it seems as if the application-level gateway is 123.25.67.99.
Circuit-level firewalls
• A circuit-level firewall acts much like an application-level gateway, but it does not do packet inspection; rather, it acts as a TCP relay between the inside host and the outside host. It does not permit an end-to-end connection, so it sets up two connections: one between itself and the inside host and one between itself and the outside host. Depending on the rules, it makes decisions on whether the TCP connections are allowed.
Next Generation Firewalls
• NGFW capabilities are like those of Unified Threat Management (UTM).
• These types of firewalls combine firewall capabilities with those of other security devices such as intrusion detection systems, deep packet inspectors and decryptors of encrypted packets, content filters, spam filters and malware scanners and filters.
• NGFW and UTM take advantage of the increased memory that is now available to reduce the number of security devices to be deployed.
• Although NGFWs reduce the number of network security devices deployed, they introduce a single point of failure.
Firewall Deployment
• Each of the firewall generations can be implemented in a number of architectural configurations
• Four architectural implementations of firewalls are especially common:
– Packet filtering routers
– Screened-host firewalls
– Dual-homed host firewalls
– Screened-subnet firewalls
Bastion host or the screening router
The firewall is dual homed, which means it has a connection to the trusted network and another connection to the untrusted network. This is ideal in cases where only addresses need to be checked. In addition, if the firewall is compromised then traffic on the trusted side becomes exposed.
Application Proxying
In cases where proxying is required
Common applications that are proxied are email and web services.
DMZ
Firewalls are also placed in demilitarised zone (DMZ) architectures. In a DMZ architecture, publicly accessible services are put in their own subnet. A firewall is placed between the publicly accessible services and the outside network. In addition, a firewall is placed between the publicly accessible services and the trusted network.
Selecting the Right Firewall
When evaluating a firewall, ask the following questions:
1. What type of firewall technology offers the right balance between protection and cost for the needs of the organization?
2. What features are included in the base price? What features are available at extra cost? Are all cost factors known?
3. How easy is it to set up and configure the firewall? How accessible are the staff technicians who can competently configure the firewall?
4. Can the candidate firewall adapt to the growing network in the target organization?
Managing Firewalls
• All traffic from trusted network is allowed out.
• Firewall device is never accessible directly from public
network.
• Simple Mail Transport Protocol (SMTP) data is allowed
to pass through the firewall but should be routed to an
SMTP gateway.
• All Internet Control Message Protocol (ICMP) data
should be denied.
• Telnet (terminal emulation) access to all internal
servers from the public networks should be blocked.
• When Web services are offered outside the firewall,
HTTP traffic should be handled by some form of proxy
access or DMZ architecture.
IDS and IPS systems
• Work like burglar alarms
• Alarm raised when a system violation is detected
• If IPS
– Stop the attack
– Reconfigure devices to block access
– Change attack content and make it benign
• Two approaches are used to implement IDSs: signature-based intrusion detection and anomaly detection.
Signature-Based IDS
• Work like antivirus software.
• Predetermined attack patterns known as signatures are preconfigured in the IDS.
• When a similar attack pattern is detected, an alarm is raised.
• Cannot detect new attacks that have not been loaded in the signature database.
• Will not detect attacks in their signature database that have been modified to not match a stored signature.
Anomaly Based IDS
• Anomaly IDS depend on behaviour within the system.
• They will capture an average behaviour over a specific time.
• This average behaviour is known as a baseline.
• Once the baseline has been established the IDS periodically
captures activity and compares it to baseline.
• If the activity captured is not within baseline ranges an alert
is raised.
• Anomaly IDS tend to produce more false positives because
normal behaviour does not always compare with baselines.
• Unlike signature-based IDS anomaly IDS can capture new
attacks.
• IDS can be either host-based or network-based. Host-based IDS monitor host traffic and network-based IDS monitor network traffic.
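The two detection strategies run over the same observation windows, showing the trade-off the slides describe: the signature check misses activity it has no pattern for, and the baseline check catches it but also flags a legitimate peak. This is an added example, not part of the original slides; the signature, the request lines, the requests-per-minute figures and the three-standard-deviation threshold are all constructed assumptions.

```python
import re
from statistics import mean, stdev

# Constructed signature set; a real IDS ships with a far larger database.
SIGNATURES = {"path-traversal": re.compile(r"\.\./")}

# Constructed baseline: requests per minute captured during normal operation.
BASELINE_RPM = [40, 42, 38, 45, 41, 39, 43, 44, 40, 38]

# Constructed windows: (label, requests per minute, sample request lines).
WINDOWS = [
    ("normal traffic", 42, ["GET /index.html", "GET /login"]),
    ("known attack pattern", 41, ["GET /download?file=../../etc/passwd"]),
    ("unknown flood", 400, ["GET /login", "GET /login"]),
    ("legitimate month-end peak", 60, ["GET /reports/monthly"]),
]


def signature_hits(requests):
    """Signature-based detection: report every preconfigured pattern seen."""
    return sorted({name for r in requests
                   for name, rx in SIGNATURES.items() if rx.search(r)})


class Baseline:
    """Anomaly detection: alert when activity falls outside the range
    mean +/- k standard deviations learned from the baseline samples."""

    def __init__(self, samples, k=3.0):
        self.mu = mean(samples)
        self.sigma = stdev(samples)
        self.k = k

    def is_anomalous(self, value):
        return abs(value - self.mu) > self.k * self.sigma


def evaluate(windows, baseline):
    """Return, per window, what each detection approach would report."""
    results = {}
    for label, rpm, requests in windows:
        results[label] = {"signature": signature_hits(requests),
                          "anomaly": baseline.is_anomalous(rpm)}
    return results


if __name__ == "__main__":
    detector = Baseline(BASELINE_RPM)
    print(f"baseline mean={detector.mu} stdev={detector.sigma:.3f}")
    for label, verdict in evaluate(WINDOWS, detector).items():
        print(f"{label:28} signature={verdict['signature']} "
              f"anomaly={verdict['anomaly']}")
```

The month-end peak is the false positive: normal behaviour that does not fit the baseline. Widening `k` suppresses it at the cost of missing smaller deviations.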

Managing Intrusion
Detection Systems
• Consolidated enterprise manager
– Valuable tool in managing an IDS
– Software that allows security professional to
collect data from multiple host- and network-
based IDSs and look for patterns across systems
and subnetworks
– Collects responses from all IDSs used to identify
cross-system probes and intrusions
Cryptography
• Encryption algorithms hide original data from an unauthorised user.
• They do this by scrambling the data into a format that is unreadable to someone who does not have the encryption key.
• Encryption is known as secret writing. It is a process of encoding a message so that its meaning is not obvious.
• Encryption transforms data that was readable and understandable into unreadable and incomprehensible data.
Cryptography
• Encryption uses mathematical algorithms to transform data into a form that is not readily intelligible.
• The transformation and subsequent recovery of the data depend on an algorithm and zero or more encryption keys.
• You find that in most instances cryptographic controls are used to implement other security controls such as authentication, authorisation, and accountability.
• There are two types of encryption algorithms: symmetric encryption algorithms and asymmetric encryption algorithms.
Terminology
• Plaintext - original message
• Ciphertext - coded message
• Cipher - algorithm for transforming plaintext to ciphertext
• Key - info used in cipher known only to sender/receiver
• Encipher (encrypt) - converting plaintext to ciphertext
• Decipher (decrypt) - recovering plaintext from ciphertext
• Cryptography - study of encryption principles/methods
• Cryptanalysis (code breaking) - study of principles/methods
of deciphering ciphertext without knowing key
• Cryptology - field of both cryptography and cryptanalysis
Two Classes of Encryption Algorithms

Symmetric encryption algorithms are commonly known as shared secret key algorithms. The sender and the receiver must share a secret key before communication takes place. Examples include Advanced Encryption Standard (AES), Data Encryption Standard (DES), 3DES, Blowfish, Twofish, International Data Encryption Algorithm (IDEA).

Asymmetric encryption algorithms use two different keys. One key is used for decryption and a different key is used for encryption. These keys are known as the private key and the public key. The private key is kept secret and the public key is publicly distributed. The private key and public key must be related through a mathematical algorithm, and it should not be possible to derive the private key from the public key. Asymmetric encryption algorithms are commonly known as public key encryption algorithms. Public key encryption algorithms are slower than symmetric encryption algorithms because they are more difficult to compute. Examples include RSA, Diffie-Hellman, Elgamal and Elliptic curve.
Encryption confidentiality
• Encryption algorithms are used to provide confidentiality. How?
• An encryption scheme transforms data into a form that is not understandable.
• Take, for example, information in a database: if an encryption scheme is used on that data, it is transformed to unintelligible data.
• If that data is kept in that unintelligible form and an attacker gets access to it, they will not be able to understand it even though they have access to it.
• This means that data is kept confidential because the unauthorised user does not understand it.
• Authorised users will use the encryption key to decrypt the data when they need to access it.
Encryption
authentication
1. An authentication tag which is derived from a
mathematical algorithm that uses the information
as the parameter is calculated.
2. The authentication tag is encrypted and
ciphertext Y is obtained
3. The value Y for the cipher is kept with the data
4. The information is later retrieved and steps 1 and
2 are repeated and ciphertext Z is obtained
5. If the value kept at Y is not equal to Z, then the information has been compromised
6. If Y = Z, then the data has not been compromised and has been authenticated because the ciphertext is the same.
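The six steps above as working code, with a contrast case showing why the tag has to depend on a secret. This is an added example, not part of the original slides: it uses HMAC-SHA-256 from Python's standard library as the keyed tag, standing in for the compute-a-tag-then-encrypt-it construction of steps 1 and 2, and the record contents and function names are constructed.

```python
import hashlib
import hmac
import secrets


def make_tag(key, data):
    """Steps 1-2: derive a tag from the information under a secret key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def protect(key, data):
    """Step 3: keep the value Y with the data."""
    return {"data": data, "tag": make_tag(key, data)}


def verify(key, record):
    """Steps 4-6: recompute Z and compare it with the stored Y."""
    z = make_tag(key, record["data"])
    return hmac.compare_digest(z, record["tag"])  # constant-time comparison


def unkeyed_protect(data):
    """Weak variant for contrast: a plain hash with no secret involved."""
    return {"data": data, "tag": hashlib.sha256(data).hexdigest()}


def unkeyed_verify(record):
    return hashlib.sha256(record["data"]).hexdigest() == record["tag"]


def demo():
    key = secrets.token_bytes(32)              # known only to authorised users
    original = b"account=1042;balance=250.00"  # constructed record
    altered = b"account=1042;balance=950.00"

    intact = protect(key, original)
    # The data is changed but the stored tag is left as it was.
    data_changed = dict(intact, data=altered)
    # Someone without the key changes the data and recomputes a tag anyway.
    retagged = protect(secrets.token_bytes(32), altered)
    # With an unkeyed hash the same move goes unnoticed.
    rehashed = unkeyed_protect(altered)

    return {
        "intact": verify(key, intact),
        "data_changed": verify(key, data_changed),
        "retagged_without_key": verify(key, retagged),
        "unkeyed_rehashed": unkeyed_verify(rehashed),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:22} accepted={accepted}")
```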
Digital Signatures
• Users are authenticated using digital signatures.
• Digital signatures are obtained using asymmetric encryption algorithms.
• Using an asymmetric encryption algorithm, a user Nakasole uses their private key to generate a cipher Y from plaintext X.
• If Nakasole’s public key that Narene has is able to decrypt cipher Y to plaintext X, Narene verifies that it was indeed Nakasole who generated the cipher Y, because Narene assumes only Nakasole knows his private key and is the only one who can generate a cipher with his private key that can be decrypted with his public key.
• In this way Narene will have authenticated Nakasole, a user in a system.
Public key infrastructure (PKI)
• Set of hardware, software, cryptosystems necessary to implement public key encryption
• Systems that issue digital certificates to users and servers
• Systems with computer key values to be included in digital certificates
• Tools for managing user enrollment, key generation and certificate issuance
• Other services associated with PKI
• Verification and return of certificates
• Key revocation services
Cryptographic controls
Encryption Applications
• Transport Layer Security (TLS), and its predecessor Secure Sockets Layer (SSL), protocols that encrypt communication sessions on the Internet. Can secure web browsing, e-commerce transactions such as online shopping, banking, etc., and instant messaging or Internet chat;
• Secure Electronic Transaction (SET) is a set of standard protocols for securing credit card transactions over insecure networks using digital certificates and public key cryptography;
• IPSec is a set of protocols to secure Internet communications. Authentication and encryption are the key functions. Used in the implementation of Virtual Private Networks (VPN);
• Pretty Good Privacy (PGP), developed by Zimmermann, is a software package that supports secure email communications. Security services provided include message encryption, digital signatures, data compression, and email compatibility. Uses IDEA for encrypting the messages and RSA for key exchanges and digital signatures;
Encryption Applications
• Secure Multi-Purpose Internet Mail Extensions (S/MIME) – an encryption protocol that provides digital signature capabilities to email messages. Uses public key cryptography to provide authentication for email messages through digital signatures. Uses encryption for confidentiality of the email message;
• Secure Shell (SSH) establishes a secure channel between communicating computers;
• Kerberos – encryption and authentication service, to authenticate network resources without third-party verification. A centralized server is responsible for key distribution and session authentication between two network resources;
• Steganography – art of concealing information within computer files such as documents, images, or any multimedia content;
Encryption Applications
• Digital Watermarking – method for embedding copyright information in digital content such as documents, images, and multimedia files, etc.;
• SecurID – two-factor authentication system in which a randomly generated number is used along with a PIN or password for authentication purposes. This is used in local, as well as remote, access to computers;
• Wireless Application Protocol (WAP) – set of standards for wireless communications by using devices such as mobile phones, used in Wireless Transmission Layer Security (WTLS);
• IEEE 802.11 is a set of standards for wireless local area networks (WLAN). Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) are used for encryption.
Exercise Using Julius Caesar
• One of the earliest forms of symmetric key encryption techniques is the Caesar cipher. The Caesar cipher is a substitution encryption technique in which each element in the plaintext is mapped into another element. It is a type of substitution cipher in which each letter in the plaintext is replaced by a letter some fixed number of positions down the alphabet.
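The Caesar cipher described above as code, with the shared key being the shift. This is an added example, not part of the original slides, and it goes one step beyond them by trying every possible key, which shows why a cipher with only 25 usable keys gives no real confidentiality; the sample messages and the short word list used for scoring are constructed.

```python
import string

ALPHABET_SIZE = len(string.ascii_uppercase)  # 26 letters, so 25 usable shifts

# Constructed list of short common English words used to score candidates.
COMMON_WORDS = {"THE", "AND", "AT", "TO", "OF", "IN", "IS", "ME", "WE"}


def shift_text(text, shift):
    """Replace each ASCII letter by the one `shift` positions further on,
    wrapping around the alphabet; other characters pass through unchanged."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % ALPHABET_SIZE + base))
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext, key):
    """Encipher: plaintext to ciphertext with the shared key (the shift)."""
    return shift_text(plaintext, key % ALPHABET_SIZE)


def decrypt(ciphertext, key):
    """Decipher: ciphertext back to plaintext with the same key."""
    return shift_text(ciphertext, -key % ALPHABET_SIZE)


def exhaustive_search(ciphertext):
    """Cryptanalysis: decrypt under every key; the key space is tiny."""
    return {key: decrypt(ciphertext, key) for key in range(ALPHABET_SIZE)}


def recover_key(ciphertext):
    """Pick the key whose candidate plaintext has the most common words."""
    def score(candidate):
        return sum(word in COMMON_WORDS for word in candidate.upper().split())

    candidates = exhaustive_search(ciphertext)
    return max(candidates, key=lambda k: score(candidates[k]))


if __name__ == "__main__":
    secret = encrypt("MEET ME AT THE GATE AT DAWN", 11)
    print("ciphertext:", secret)
    key = recover_key(secret)
    print("recovered key:", key, "->", decrypt(secret, key))
```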
Remote Access Protection
• Sometimes users need to connect remotely to business IT systems. For example, we have cases of teleworkers and salesmen wanting to connect to an organisation’s IT system from a customer site. Remote users have grown exponentially due to the Covid-19 pandemic. In instances like this, remote access protocols like RADIUS and TACACS are used for access control. This means these protocols are responsible for authentication, authorisation and accountability of remote users. RADIUS and TACACS are client-server protocols whereby authentication is managed by a central server.
RADIUS operation
Scanning and
Analysis Tools
• Scanning and analysis tools can find vulnerabilities
in systems, holes in security components, and other
unsecured aspects of the network
• Conscientious administrators
– Will have several informational web sites bookmarked
– Frequently browse for new vulnerabilities, recent
conquests, and favorite assault techniques
– Nothing wrong with using tools used by attackers to
examine own defenses and search out areas of
vulnerability
Scanning and
Analysis Tools
• Scanning tools collect the information that an
attacker needs to succeed
• Footprinting
– Organized research of the Internet addresses owned or
controlled by a target organization
• Fingerprinting
– Entails the systematic examination of all of the
organization’s network addresses
– Yields a detailed network analysis that reveals useful
information about the targets of the planned attack
Bring your device security
• COVID-19 has forced organisations to accept devices that employees have at home to connect to organisational resources from outside the business network.
• This means organisations must accept digital devices that are at the employee’s disposal.
• These devices are usually not secured to the same standard as those devices configured by the organisation’s security administrator.
• But even before COVID-19, organisations were forced to accept digital devices such as smart phones that employees were using to access organisational resources.
• To manage these connections, organisations are now using Network Access Control (NAC) technologies. A NAC will enable administrators to define and control how devices and users access resources from the organisation's network. An effective NAC must (Whitman & Mattord, 2019):
– offer scalable capacity;
– be vendor-neutral;
– support wired and wireless-enabled delivery;
– offer multiple deployment options, including physical and virtual appliances as well as cloud services;
– communicate and exchange information with all network devices.
Summary
• Identification
• Authentication
• Authorisation
• Accountability
• 2-3 factor authentication
• Biometric technologies
• Firewalls
• IDPS
• Encryption
• Remote access
• BYOD
• Wireless network security
References
• Whitman, M. E., & Mattord, H. J. (2019). Management of Information Security (6th ed.). Cengage. ISBN: 978-1-337-40571-3
• Pfleeger, C. P., & Pfleeger, L. S. (2015). Security in computing (5th ed.). New Jersey, USA: Pearson Education Inc.
Homework
• Read chapters 10 and 2 of Whitman, M. E., & Mattord, H. J. (2019). Management of Information Security (6th ed.). Cengage. ISBN: 978-1-337-40571-3
13 Storch Street T: +264 61 207 2258
Private Bag 13388 F: +264 61 207 9258
Windhoek E: [email protected]
NAMIBIA W: www.nust.na

Thank You.
