OEC 3: Information Security

Teaching and Exam Scheme

• 3 credit course
• 3 hours/per week
• No lab or Programming Knowledge required
• IE1 – 10 Marks
• IE2 – 10 Marks
• MTE – 50 Marks converted to 30
• ETE - 80 Marks converted to 50
Background
• Data is the new oil!
• Some recent Data Breaches
• Twitter confirms data from 5.4 million accounts was stolen.
• Uber announced on December 12th, 2022 that a hacker under the
pseudonym “UberLeaks” gained access to 70,000+ Uber employees’
data and was posting stolen corporate data
• Medibank – Australian health insurer confirmed data breaches.
• AIIMS under Ransomware attack – November 2022
Why Information Security is important?
• To protect the data
• Confidentiality, Integrity, Availability
• To safeguard the reputation /goodwill of the organization
• To protect Critical Information Infrastructure
• To safeguard the health and well-being of the customers
Course Objectives
• To offer an understanding of principle concepts, central topics and basic
approaches in information and cyber security.
• To make students aware of the basics and different algorithms of Cryptography.
• To acquire knowledge of standard algorithms and protocols employed to provide
confidentiality, integrity and authenticity.
Course Outcomes
• After learning the course, the students should be able to:

1. Identify computer and network security threats, classify the threats and develop a security
model to prevent, detect and recover from the attacks.

2. Propose the security Services and Mechanisms for preventing the different security attacks.

3. Use Symmetric key Cryptographic Techniques to encrypt and decrypt the messages.

4. Use Asymmetric key Cryptographic Techniques to encrypt and decrypt the messages.

5. Use different Hash Techniques to provide Authentication and to check the Integrity of
messages in transit.

6. Use Message Authentication Code to provide Authentication.

Syllabus
• Unit 1:
• Security Basics
• Computer Security Concepts - Need, Security Vs Privacy, Confidentiality,
Integrity & Availability (CIA), additional Security considerations,
• The challenges of Security, Threats, Attacks and Assets, Operational Model of
Security;
• Case Study: Study of Campus Network and identification of possible Threats,
Attacks and Assets
Syllabus
• Unit 2:
• Encryption Techniques Basics:
• Symmetric & Asymmetric Cipher Model;
• Cryptography; Cryptanalysis and BruteForce Attack
• Classical Encryption Techniques
• Substitution Techniques: Caesar Cipher, Monoalphabetic Ciphers,
Poly-alphabetic Ciphers, Playfair Cipher;
• Transposition Techniques: Rail Fense Technique
Syllabus
• Unit 3: Symmetric Cipher
• Traditional Cipher Structure: Stream ciphers and Block Ciphers; Feistel
Cipher Structure
• Data Encryption Standard (DES): DES Encryption; DES Decryption; DES
Example; Strength of DES;
• Block Cipher Modes of Operations: Electronic Code Book (ECB), Cipher
Block Chaining Mode(CBC), Cipher Feedback Mode (CFB), Output
Feedback Mode (OFB), Counter Mode (CTR)
Syllabus
• Unit 4:
• Asymmetric Cipher Public-Key Cryptosystems:
• Secrecy, authentication, secrecy & authentication; applications,
requirements;
• The RSA Algorithm: Algorithm, Example, The security of RSA;
• Diffie-Hellman Key Exchange: The Algorithm, Key Exchange
Protocol, Man-in-the-middle attack;
Syllabus
• Unit 5:

• Key Management and Distribution

• Symmetric Key Distribution using Symmetric key Encryption,
• Symmetric Key Distribution using Asymmetric key Encryption,
• Distribution of Public Keys.
• Case Study: Introduction to X.509
Syllabus
• Unit 6:
• Cryptographic Hash Functions & Message Authentication Codes
• Cryptographic Hash Functions: Applications,
• Secure Hash Algorithm (SHA)-512,
• MD5
• Message Authentication Codes (MAC):
• Requirements,
• Functions,
• Security of MACs
Textbooks
• William Stallings, ―Cryptography and network security principles and
practices‖, Pearson, 6th Edition, ISBN: 978-93-325-1877-3 (Soft copy
uploaded)

• Atul Kahate, ―Cryptography and Network Security‖, Mc Graw Hill

Publication, 2nd Edition, 2008, ISBN: 978- 0-07-064823-4
About Myself
• Dr. Asmita Manna

• [email protected]
• 8600218534
• 9003LA
Unit 1- Security Basics
What is Security?
• Security means “safety”

• Degree of resistance to or protection from

harm

• It applies to any vulnerable and valuable

assets:

• Person, Data, Community, Item, Nation,

Organization
 Computer Security - generic name for the collection
of tools designed to protect data and to thwart
hackers

Different Network Security - measures to protect data during

their transmission

types of Internet Security - measures to protect data during

Security their transmission over a collection of
interconnected networks

IT security is the protection of computer systems and

networks from information disclosure, theft of or damage to
their hardware, software, or electronic data, as well as from
the disruption or misdirection of the services they provide.
Security means …

Providing Security
• Protecting Assets ISO 27001-ISMS (Anything that has some value – financial, logical,
intangible) from threats
• Primary Assets – Business Process and Data
• Secondary Assets – Hardware, Software, Network, Personnel, Site,
Organizational Structure
Elements of Information
Security
• Triad
• Confidentiality
• Integrity
• Availability
• In addition to that
• Authenticity
• Accountability
• Non-repudiation
Confidentiality
• Assurance that information is shared only among authorized persons
or organizations.
Example: Alice and Bob want their communications to be secret from
Eve
Integrity
• Assurance that the information is authentic and complete.
• Maintaining and assuring the accuracy and consistency of data over
its entire life-cycle.
• Changes need to be done only by authorized entities and through
authorized mechanisms
Availability
• Assurance that the systems responsible for delivering, storing, and
processing information are accessible when needed, by those who
need them.
• Authenticity

• The property of being genuine and being able to be verified and trusted

• Accountability

• an individual is entrusted to safeguard and control equipment, keying material, and

information and is answerable to proper authority for the loss or misuse of that
equipment or information

• Non-repudiation

• Assurance that the sender of information is provided with proof of delivery and the
recipient is provided with proof of the sender's identity, so neither can later deny having
processed the information.
Security, Functionality and Usability
• Security goes up
• Functionality and Usability?
Key Terminologies
• Security attack
• Any action that compromises the security (CIA) of any assets
• Vulnerability
• Inherent weakness in the security system
• Default password, open ports, untrained employees
• Threat
• A probable action having potential to cause loss or harm
• Malicious program
• Control
• Countermeasure / protective measure to maintain the security
Types of malware
• Viruses
A Virus is a malicious executable code attached to another executable file.

• How do they spread

• Through phishing scam

• Downloaded from suspicious websites

• Worms
Worms replicate themselves on the system, attaching themselves to different files and
looking for pathways between computers, such as computer network that shares common
file storage areas.

• Carry a payload – the malicious part

• Spyware
Its purpose is to steal private information from a computer system for a third party.
Spyware collects information and sends it to the hacker.
• Trojan horse
A Trojan horse is malware that carries out malicious operations under the appearance of
a desired operation such as playing an online game.

• Mostly created backdoor

• Logic Bombs
A logic bomb is a malicious program that uses a trigger to activate the malicious code.
The logic bomb remains non-functioning until that trigger event happens.

• Ransomware

Ransomware grasps a computer system or the data it contains until the victim makes a
payment.
• Backdoors
A backdoor bypasses the usual authentication used to access a system.

• Rootkits
A rootkit modifies the OS to make a backdoor.

• Keyloggers
Keylogger records everything the user types on his/her computer system to
obtain passwords and other sensitive information and send them to the
source of the keylogging program.
Different Attacks
• Social engineering is the act of manipulating others to divulge
confidential information.
• Elaborate lying—a type of con game that influences a person to
take an action that may not be in his or her best interest
• Social engineering
• An attack that relies on human communication and often involves tricking people into breaking their
normal security procedures
• The ultimate risk is to an individual’s or a business’s information security.
Phishing attacks can take many forms:

Common Spear
Phishing Phishing Smishing Vishing Whaling
Fraudulent Fraudulent Fraudulent Telephone Phishing
emails with a emails that text messages. calls where emails that
general appear to be the caller is target high
message. from someone attempting to profile victims
you know. steal your (celebrities,
personal politicians or
information. executives.)
• Website forgery is phishing that sends victims to a website that looks exactly like

an official website: a bank, PayPal, etc.

• Then, they are tricked into providing their personal information.

• Pretexting is creating a strong yet fabricated story that seems real to the victim,

tricking the person into giving information to a false figure of authority.

• Impersonating someone to obtain access to an individual, to a business, or to

computer system information

Types of Attacks
Security Attack
• Action that compromises security of
assets of an enterprise

• A passive attack attempts to learn or

make use of information from the system
but does not affect system resources.

• An active attack attempts to alter system

resources or affect their operation
Security Attack - Passive Attack
• The goal of the opponent is to obtain
information that is being transmitted
• Neither the sender nor receiver is aware that a
third party has observed the traffic pattern.
• Two types of Passive Attack
• Release of message content
• A telephone conversation, an e-mail
message, and a transferred file may
contain confidential info.
• Encryption is the solution.
• Traffic Analysis
• Even if contents of messages are
encrypted, an opponent might still be
able to observe the pattern of these
messages.
Security Attack – Active Attack

• Active attacks involve some modification of

the data stream or the creation of a false
stream.
• Active Attacks are difficult to prevent because
of the wide variety of potential physical,
software, and network vulnerabilities.
• Active attacks can be subdivided into four
categories:
• masquerade,
• replay,
• modification of messages, and
• denial of service.
Security Attack – Active Attack (Contd…)
• Masquerading
• It takes place when one entity pretends to be a different entity.
• It usually includes one of the other forms of active attack.
• Replay
• It involves the passive capture of a data unit and its subsequent retransmission to produce an
unauthorized effect.
• Modification of messages:
• It simply means that some portion of a legitimate message is altered, or that messages are delayed
or reordered, to produce an unauthorized effect.
• Denial of Service
• It prevents or inhibits the normal use or management of communications facilities.
• E.g. an entity may suppress all messages directed to a particular destination
Active attack vs Passive attack
Types of Attack by Security Goals
• Compromising Confidentiality
• Snooping
• Traffic Analysis
• Compromising Integrity
• Modification of Message
• Masquerading/ spoofing
• Replaying
• Compromising Availability
• Denial of Service
• Distributed DoS
Security Services and
Mechanisms
Security Services and Mechanisms
• The International Telecommunication Union-Telecommunication
Standardization
Sector (ITU-T) provides some security services and some mechanisms
to implement those services.

• Security services and mechanisms are closely related because a

mechanism or combination of mechanisms are used to provide a service.

• Also, a mechanism can be used in one or more services.

Security Services
Security Mechanisms
Encipherment
• Encipherment, hiding or covering data, can provide confidentiality. It can
also be used to complement other mechanisms to provide other services.
Today two techniques cryptography and steganography are used for
enciphering.
Data Integrity
• The data integrity mechanism appends to the data a short checkvalue that has
been
created by a specific process from the data itself. The receiver receives the data
and the
checkvalue. He creates a new checkvalue from the received data and compares
the
newly created checkvalue with the one received. If the two checkvalues are the
same,
the integrity of data has been preserved
Digital Signature
• A digital signature is a means by which the sender can electronically sign
the data and the receiver can electronically verify the signature.

• The sender uses a process that involves showing that she owns a private
key related to the public key that she has announced publicly.

• The receiver uses the sender’s public key to prove that the message
is indeed signed by the sender who claims to have sent the message.
Authentication Exchange
• In authentication exchange, two entities exchange some
messages to prove their identity to each other. For example,
one entity can prove that she knows a secret that only she is

supposed to know.
Traffic Padding
• Traffic padding means inserting some bogus data into the data
traffic to thwart the adversary’s attempt to use the traffic

analysis.
Routing Control
• Routing control means selecting and continuously changing different
available routes between the sender and the receiver to prevent the

opponent from eavesdropping on a particular route.

Notarization
• Notarization means selecting a third trusted party to control the communication
between two entities. This can be done, for example, to prevent repudiation. The
receiver can involve a trusted party to store the sender request in order to
prevent the

sender from later denying that she has made such a request.
Access Control
• Access control uses methods to prove that a user has access right to the
data or
resources owned by a system. Examples of proofs are passwords and

PINs

•DAC
•MAC
•RBAC
Models of Network Security
Model for Network Security
• using this model requires us to:
• design a suitable algorithm for the security transformation
• generate the secret information (keys) used by the algorithm
• develop methods to distribute and share the secret information
• specify a protocol enabling the principals to use the transformation
and secret information for a security service