
CSC 409 Computer and Information Security by Mogaji

The document provides an overview of information security, emphasizing its importance in protecting sensitive data from unauthorized access and attacks. It introduces key concepts such as the CIA Triad (Confidentiality, Integrity, Availability) and outlines various forms of security attacks, including active and passive attacks. Additionally, it discusses the AAA framework (Authentication, Authorization, Accounting) as a method for controlling access to resources and ensuring security compliance within organizations.

Uploaded by

binuyodamilare3

Computer and Information security

Lecture Note

CSC 409

2 Units

Prepared by
Dr. Mogaji S.A

Lecture 1:
1.0 What is Information Security?
Information security (sometimes referred to as InfoSec) covers the tools and processes that organizations
use to protect information. This includes policy settings that prevent unauthorized people from accessing
business or personal information. InfoSec is a growing and evolving field that covers a wide range of
areas, from network and infrastructure security to testing and auditing.
Information security protects sensitive information from unauthorized activities, including inspection,
modification, recording, and any disruption or destruction. The goal is to ensure the safety and privacy of
critical data such as customer account details, financial data or intellectual property.
The consequences of security incidents include theft of private information, data tampering, and data
deletion. Attacks can disrupt work processes and damage a company’s reputation, and also have a tangible
cost.
Organizations must allocate funds for security and ensure that they are ready to detect, respond to, and
proactively prevent, attacks such as phishing, malware, viruses, malicious insiders, and ransomware.

1.1.1 Tenets/Principles of Information Security


The basic tenets of information security are confidentiality, integrity and availability. Every element of the
information security program must be designed to implement one or more of these principles. Together
they are called the CIA Triad.
Confidentiality
Confidentiality measures are designed to prevent unauthorized disclosure of information. The purpose of
the confidentiality principle is to keep personal information private and to ensure that it is visible and
accessible only to those individuals who own it or need it to perform their organizational functions.
Integrity
Consistency includes protection against unauthorized changes (additions, deletions, alterations, etc.) to
data. The principle of integrity ensures that data is accurate and reliable and is not modified incorrectly,
whether accidentally or maliciously.
Availability
Availability is the protection of a system’s ability to make software systems and data fully available when a
user needs it (or at a specified time). The purpose of availability is to make the technology infrastructure,
the applications and the data available when they are needed for an organizational process or for an
organization’s customers.

The CIA Triad defines three key principles of data security

1.1.2 Information Security Policy
An Information Security Policy (ISP) is a set of rules that guide individuals when using IT assets.
Companies can create information security policies to ensure that employees and other users follow
security protocols and procedures. Security policies are intended to ensure that only authorized users can
access sensitive systems and information.
Creating an effective security policy and taking steps to ensure compliance is an important step towards
preventing and mitigating security threats. To make your policy truly effective, update it frequently based
on company changes, new threats, conclusions drawn from previous breaches, and changes to security
systems and tools.
Make your information security strategy practical and reasonable. To meet the needs and urgency of
different departments within the organization, it is necessary to deploy a system of exceptions, with an
approval process, enabling departments or individuals to deviate from the rules in specific circumstances.

1.2 Forms of security Attacks


Security attacks: Any action that compromises the security of information owned by an organization.
These attacks are classified as:
1. Passive Attacks
2. Active Attacks

1.2.1 Active attacks: An active attack attempts to alter system resources or affect their operation.
An active attack involves some modification of the data stream or the creation of a false statement. The types of
active attacks are as follows:
1. Masquerade –
A masquerade attack takes place when one entity pretends to be a different entity. A masquerade attack
involves one of the other forms of active attacks.

2. Modification of messages –
It means that some portion of a message is altered or that message is delayed or reordered to
produce an unauthorised effect. For example, a message meaning “Allow JOHN to read
confidential file X” is modified as “Allow Smith to read confidential file X”.

3. Repudiation –
This attack is carried out by either the sender or the receiver. The sender or receiver can later deny that
he/she has sent or received a message. For example, a customer asks his bank “to transfer an amount to
someone” and later on the sender (customer) denies that he made such a request. This is
repudiation.
4. Replay –
It involves the passive capture of a message and its subsequent retransmission to produce an
unauthorized effect.

5. Denial of Service –
It prevents normal use of communication facilities. This attack may have a specific target. For
example, an entity may suppress all messages directed to a particular destination. Another form of
service denial is the disruption of an entire network, either by disabling the network or by
overloading it with messages so as to degrade performance.

1.2.2 Passive attacks: A passive attack attempts to learn or make use of information from the system
but does not affect system resources. Passive attacks are in the nature of eavesdropping on, or monitoring
of, transmissions. The goal of the opponent is to obtain information that is being transmitted. The types of
passive attacks are as follows:
1. The release of message content –
Telephonic conversation, an electronic mail message or a transferred file may contain sensitive or
confidential information. We would like to prevent an opponent from learning the contents of these
transmissions.

2. Traffic analysis –
Suppose that we had a way of masking (encrypting) information, so that an attacker, even after
capturing the message, could not extract any information from it.
Even so, the opponent could determine the location and identity of the communicating hosts and could observe
the frequency and length of messages being exchanged. This information might be useful in
guessing the nature of the communication that was taking place.

1.2.3 How to Prevent Security Attacks


Although we had a look at several ways to prevent the different types of cyber-attacks we discussed, let's
summarize and look at a few personal tips which you can adopt to avoid a cyber-attack on the whole.

1. Change your passwords regularly and use strong alphanumeric passwords which are difficult to
crack. Refrain from using too complicated passwords that you would tend to forget. Do not use the
same password twice.
2. Update both your operating system and applications regularly. This is a primary prevention method
for any cyber-attack. This will remove vulnerabilities that hackers tend to exploit. Use trusted and
legitimate Anti-virus protection software.
3. Use a firewall and other network security tools such as Intrusion prevention systems, Access
control, Application security, etc.
4. Avoid opening emails from unknown senders. Scrutinize the emails you receive for loopholes and
significant errors.
5. Make use of a VPN. A VPN encrypts the traffic between the VPN server and your
device.
6. Regularly back up your data. According to many security professionals, it is ideal to have three
copies of your data on two different media types and another copy in an off-site location (cloud
storage). Hence, even in the course of a cyber-attack, you can erase your system’s data and restore
it with a recently performed backup.
7. Employees should be aware of cybersecurity principles. They must know the various types of
cyberattacks and ways to tackle them.
8. Use Two-Factor or Multi-Factor Authentication. Two-factor authentication requires users to
provide two different authentication factors to verify themselves. When you are asked for more than two
additional authentication methods apart from your username and password, we term it multi-factor
authentication. This proves to be a vital step in securing your account.
9. Secure your Wi-Fi networks and avoid using public Wi-Fi without using a VPN.
10. Safeguard your mobile, as mobiles are also a cyberattack target. Install apps from only legitimate
and trusted sources, make sure to keep your device updated.

Top Information Security Threats


There are hundreds of categories of information security threats and millions of known threat vectors.
Below we cover some of the key threats that are a priority for security teams at modern enterprises.

Unsecure or Poorly Secured Systems


The speed of technological development often leads to compromises in security measures. In other cases,
systems are developed without security in mind, and remain in operation at an organization as legacy
systems. Organizations must identify these poorly secured systems, and mitigate the threat by securing or
patching them, decommissioning them, or isolating them.
Social Media Attacks
Many people have social media accounts, where they often unintentionally share a lot of information about
themselves. Attackers can launch attacks directly via social media, for example by spreading malware via
social media messages, or indirectly, by using information obtained from these sites to analyze user and
organizational vulnerabilities, and use them to design an attack.
Social Engineering
Social engineering involves attackers sending emails and messages that trick users into performing actions
that may compromise their security or divulge private information. Attackers manipulate users using
psychological triggers like curiosity, urgency or fear.

Because the source of a social engineering message appears to be trusted, people are more likely to
comply, for example by clicking a link that installs malware on their device, or by providing personal
information, credentials, or financial details.
Organizations can mitigate social engineering by making users aware of its dangers and training them to
identify and avoid suspected social engineering messages. In addition, technological systems can be used
to block social engineering at its source, or prevent users from performing dangerous actions such as
clicking on unknown links or downloading unknown attachments.

Malware on Endpoints
Organizational users work with a large variety of endpoint devices, including desktop computers, laptops,
tablets, and mobile phones, many of which are privately owned and not under the organization’s control,
and all of which connect regularly to the Internet.
A primary threat on all these endpoints is malware, which can be transmitted by a variety of means, can
result in compromise of the endpoint itself, and can also lead to privilege escalation to other organizational
systems.
Traditional antivirus software is insufficient to block all modern forms of malware, and more advanced
approaches to securing endpoints are being developed, such as endpoint detection and response (EDR).

Lack of Encryption
Encryption processes encode data so that it can only be decoded by users with secret keys. It is very
effective in preventing data loss or corruption in case of equipment loss or theft, or in case organizational
systems are compromised by attackers.
Unfortunately, this measure is often overlooked due to its complexity and lack of legal obligations
associated with proper implementation. Organizations are increasingly adopting encryption, by purchasing
storage devices or using cloud services that support encryption, or using dedicated security tools.

Security Misconfiguration
Modern organizations use a huge number of technological platforms and tools, in particular web
applications, databases, and Software as a Service (SaaS) applications, or Infrastructure as a Service (IaaS)
from providers like Amazon Web Services.
Enterprise grade platforms and cloud services have security features, but these must be configured by the
organization. Security misconfiguration due to negligence or human error can result in a security breach.
Another problem is “configuration drift”, where correct security configuration can quickly become out of
date and make a system vulnerable, unbeknownst to IT or security staff.
Organizations can mitigate security misconfiguration using technological platforms that continuously
monitor systems, identify configuration gaps, and alert or even automatically remediate configuration
issues that make systems vulnerable.

2.0 Lecture 2:
2.1 The Concept of Authentication, Authorisation and Accounting (AAA)

2.1.1 What is AAA security?


Authentication, authorisation and accounting (AAA) refers to a common security framework for mediating
network and application access. AAA intelligently controls access to computer resources by enforcing
strict access and auditing policies. This process ensures that access to network and software application
resources can be restricted to specific, legitimate users.
AAA security has a part to play in almost all the ways we access networks today. Historically AAA
security has set the benchmark.
Although the AAA moniker is commonly used in reference to either RADIUS or Diameter (network
protocols), the concept is widely used for software application security as well. This is especially true of
SaaS products and in microservice architectures.

i. Authentication: Who are you?


Authentication is the first step in the AAA security process and describes the network or application’s way
of identifying a user and ensuring the user is whom they claim to be. The user enters a valid username and
password before they are granted access; each user must have a unique set of identification information.
Identification can be established via passwords, single sign-on (SSO) systems, biometrics, digital
certificates, and public key infrastructure.
User authentication ensures proper authorisation to access a system is granted; as data theft and
information security threats become more advanced, this is increasingly important. While authentication
cannot completely prevent identity theft, it can ensure network resources are protected through several
authentication methods.
Upon receiving a request for access, the AAA security server compares a user’s authentication credentials
with other user credentials stored in the database, and if the credentials match, the user is granted access to
the network or software. If the credentials are at variance, authentication fails and user access is denied.
Network and system administrators are responsible for monitoring, adding, and deleting authorised users
from a system.
Once a user has been successfully authenticated, they must gain authorisation for completing certain tasks
and issuing commands. Furthermore, all activity completed by that user (legitimate or otherwise), can now
be logged in association with that user’s authorisation credentials.

ii. Authorisation: What resources are you permitted to use?
Authorisation refers to the process of enforcing policies, such as determining the qualities of activities,
resources, or services a user is permitted to use. Authorisation usually occurs within the context of
authentication; once you have been authenticated, AAA security authorisation assembles the set of
attributes that describe what you are authorised to perform.

Users are assigned authorisation levels that define their access to a network and associated resources. For
example, a user might be able to type commands, but only be permitted to execute certain
commands. This may be based on geographical location restrictions, date or time-of-day restrictions,
frequency of logins, or multiple logins by a single user. Other types of authorisation include route
assignments, IP address filtering, bandwidth traffic management, and encryption. An administrator may
have privileged access, but even they may be restricted from certain actions.

For example, in more secure application architectures passwords are stored salted with no process for
decrypting. These secure applications enable passwords to be changed (with existing passwords being
overridden), but never retrieved. AAA security authorisation allows you to enforce this restriction.

iii. Accounting: What resources were accessed, at what time, by whom, and what commands were
issued?
Accounting measures the resources users consume during access to a network or application, logging
session statistics and user information including session duration, and data sent and received. Usage
information is used for authorisation control, billing, trend analysis, resource utilisation, and capacity
planning activities.

Accounting ensures that an audit will enable administrators to log in and view actions performed, by whom,
and at what time. One restriction of the accounting component of AAA security is that it requires an
external AAA security server to store actual accounting records.

Proper accounting enables network and system administrators to review who has been attempting to access
what and if access was granted.

AAA security in action


Now that you have an idea of what AAA is, let’s look at the actual process.
A client attempts to connect to a network, and is challenged by a prompt for identity information. Identity
information is sent to the Policy Enforcement Point (PEP, the authenticator), and the PEP sends the
collected identity information to the Policy Decision Point (PDP, the brains), which then queries relevant
information at the Policy Information Point (PIP, the information repository) to make the final access
decision. The PEP cannot see the specific identity information provided; it simply relays information
directly to the PDP.
The PIP returns a success or failure measure from the credential validation assessment and sends additional
information about the client to the PDP for evaluation. This may include a user’s role and location.

The PDP evaluates learned information (and any contextual information against configured policies) then
makes an authorisation decision. The PDP sends the PEP the authentication result, and any authorisations
specific to that user, which trigger specific PEP actions that apply to the user. All information is sent to the
accounting system.

The PEP applies the authorisation profile learned from the PDP and sends an authentication successful
message to the user.
The user has system access.
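
The PEP/PDP/PIP flow above, together with the salted, change-only password store mentioned under authorisation, as an added Python example that is not part of the original lecture note. All class names, users, passwords, roles and locations are constructed for illustration, and PBKDF2 is an assumed choice of one-way function.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

ACCOUNTING = []  # accounting records: who did what, when, with what result


def account(user, event, result):
    ACCOUNTING.append({"time": datetime.now(timezone.utc).isoformat(),
                       "user": user, "event": event, "result": result})


class PIP:
    """Policy Information Point: credential store plus user attributes."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _hash(password, salt):
        # One-way, salted derivation: there is no decrypt counterpart.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def set_password(self, user, password, role="operator", location="hq"):
        # Overwrites any existing entry; the old password is never readable.
        salt = os.urandom(16)
        self._users[user] = {"salt": salt, "hash": self._hash(password, salt),
                             "role": role, "location": location}

    def validate(self, user, password):
        rec = self._users.get(user)
        if rec is None:
            self._hash(password, b"\x00" * 16)  # similar cost for unknown users
            return False, {}
        ok = hmac.compare_digest(rec["hash"], self._hash(password, rec["salt"]))
        attrs = {"role": rec["role"], "location": rec["location"]} if ok else {}
        return ok, attrs


class PDP:
    """Policy Decision Point: evaluates PIP answers against configured policy."""
    COMMANDS_BY_ROLE = {"admin": {"show", "configure"}, "operator": {"show"}}
    ALLOWED_LOCATIONS = {"hq", "branch"}

    def __init__(self, pip):
        self.pip = pip

    def decide(self, user, password):
        ok, attrs = self.pip.validate(user, password)
        if not ok:
            account(user, "login", "denied: credentials")
            return None
        if attrs["location"] not in self.ALLOWED_LOCATIONS:
            account(user, "login", "denied: location")
            return None
        account(user, "login", "granted")
        return {"commands": self.COMMANDS_BY_ROLE.get(attrs["role"], set())}


class PEP:
    """Policy Enforcement Point: relays credentials, enforces the profile."""

    def __init__(self, pdp):
        self.pdp = pdp
        self.sessions = {}

    def login(self, user, password):
        profile = self.pdp.decide(user, password)  # relayed, not inspected
        if profile is None:
            return False
        self.sessions[user] = profile
        return True

    def run(self, user, command):
        words = command.split()
        profile = self.sessions.get(user)
        allowed = (bool(words) and profile is not None
                   and words[0] in profile["commands"])
        account(user, "command: " + command, "permitted" if allowed else "refused")
        return allowed


def build_demo():
    """Constructed users and passwords, for illustration only."""
    pip = PIP()
    pip.set_password("ada", "correct horse", role="admin")
    pip.set_password("bola", "battery staple", role="operator")
    pip.set_password("chi", "tr0ub4dor", role="admin", location="unknown-cafe")
    return PEP(PDP(pip)), pip


if __name__ == "__main__":
    pep, _ = build_demo()
    print(pep.login("bola", "battery staple"), pep.run("bola", "show interfaces"),
          pep.run("bola", "configure terminal"), pep.login("bola", "wrong"))
    for record in ACCOUNTING:
        print(record)
```

Every decision, granted or denied, lands in the accounting list, which is what lets an administrator later review who attempted what and whether access was given.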

2.1.2 Benefits of using AAA security


AAA security enables mobile and dynamic security. Without AAA security, a network must be statically
configured in order to control access. IP addresses must be fixed, systems cannot move, and connectivity
options must be well defined. The proliferation of mobile devices and the diverse network of consumers
with their varied network access methods generate a great demand for AAA security.
AAA security is designed to enable you to dynamically configure the type of authorisation and
authentication you want by creating a method list for specific services and interfaces. AAA security means
increased flexibility and control over access configuration and scalability, access to standardized
authentication methods such as RADIUS, TACACS+, and Kerberos, and use of multiple backup systems.
The increase in security breaches such as identity theft indicates that it is crucial to have sound practices in
place for authenticating authorised users in order to mitigate network and software

3.0 Lecture 3:
3.1 Overview of Cryptography
Introduction
The science of cryptology is not as enigmatic as you might think. A variety of cryptographic techniques are
used regularly in everyday life. For example, open your newspaper to the entertainment section and you’ll
find the daily cryptogram, a word puzzle that involves unscrambling letters to find a hidden message. Also,
although it is a dying art, many secretaries still use shorthand, or stenography, an abbreviated, symbolic
writing method, to take rapid dictation.
These examples illustrate one important application of cryptography—the efficient and rapid transmittal of
information—but cryptography also protects and verifies data transmitted via information systems.
The science of encryption, known as cryptology, encompasses cryptography and cryptanalysis.
Cryptography comes from the Greek words kryptos, meaning “hidden,” and graphein, meaning “to write,”
and involves making and using codes to secure messages. Cryptanalysis involves cracking or breaking
encrypted messages back into their unencrypted origins. Cryptography uses mathematical algorithms that
are usually known to all. After all, it’s not the knowledge of the algorithm that protects the encrypted
message, it’s the knowledge of the key—a series of characters or bits injected into the algorithm along with
the original message to create the encrypted message. An individual or system usually encrypts a plaintext
message into ciphertext, making it unreadable to unauthorized people—those without the key needed to
decrypt the message back into plaintext, where it can be read and understood.
The field of cryptology is so vast that it can fill many volumes. This textbook provides only a general
overview of cryptology and some specific information about a few cryptographic tools. In the early
sections of this chapter, you will learn the background of cryptology as well as key concepts in
cryptography and common cryptographic tools. In later sections, you will learn about common
cryptographic protocols and some of the attack methods used against cryptosystems.

3.1.1 Key Terms


Cryptanalysis: The process of obtaining the plaintext message from a ciphertext message without
knowing the keys used to perform the encryption.
Cryptography: The process of making and using codes to secure information.
Cryptology: The field of science that encompasses cryptography and cryptanalysis.
Cryptography Terminology
To understand the fundamentals of cryptography, you must know the meanings of the following terms:
• Algorithm: The mathematical formula or method used to convert an unencrypted message into an
encrypted message. This sometimes refers to the programs that enable the cryptographic processes.

• Bit stream cipher: An encryption method that involves converting plaintext to ciphertext one bit at a
time.
• Block cipher: An encryption method that involves dividing the plaintext into blocks or sets of bits and
then converting the plaintext to ciphertext one block at a time.
• Cipher: When used as a verb, the transformation of the individual components (characters, bytes, or bits)
of an unencrypted message into encrypted components or vice versa (see decipher and encipher); when
used as a noun, the process of encryption or the algorithm used in encryption, and a term synonymous with
cryptosystem.
• Ciphertext or cryptogram: The unintelligible encrypted or encoded message resulting from an
encryption.
• Code: The process of converting components (words or phrases) of an unencrypted message into
encrypted components.
• Decipher: See Decryption.
• Decryption: The process of converting an encoded or enciphered message (ciphertext) back to its original
readable form (plaintext). Also referred to as deciphering.
• Encipher: See Encryption.
• Encryption: The process of converting an original message (plaintext) into a form that cannot be used by
unauthorized individuals (ciphertext). Also referred to as enciphering.
• Key or cryptovariable: The information used in conjunction with the algorithm to create the ciphertext
from the plaintext; it can be a series of bits used in a mathematical algorithm or the knowledge of how to
manipulate the plaintext. Sometimes called a cryptovariable.
• Keyspace: The entire range of values that can be used to construct an individual key.
• Link encryption: A series of encryptions and decryptions between a number of systems, wherein each
system in a network decrypts the message sent to it and then reencrypts the message using different keys
and sends it to the next neighbor. This process continues until the message reaches the final destination.
• Plaintext or cleartext: The original unencrypted message that is encrypted and is the result of successful
decryption.
• Steganography: The process of hiding messages; for example, hiding a message within the digital
encoding of a picture or graphic so that it is almost impossible to detect that the hidden message even
exists.
• Work factor: The amount of effort (usually expressed in units of time) required to perform cryptanalysis
on an encoded message.

3.2 Principles of cryptography
The core principles of modern-day cryptography include:
• Confidentiality
• Integrity
• Non-repudiation
• Authentication
i. Confidentiality
Data Confidentiality ensures that the data is limited to those who are authorized to view it. The data should
only be visible to those who possess some critical information, like the decryption key, for example.
ii. Integrity
Data integrity refers to the accuracy, legitimacy, and consistency of information in a system. When a
message is sent, particularly using an untrusted medium like the internet, data integrity ensures us that a
message wasn’t tampered with or accidentally altered.
Let’s use the example of military orders. We’re at war and an army general needs to send an order of
retreat to his troops across the sea. Without a guarantee of data integrity, a hacker could intercept the
message, change the order, and send it on its way. The army might receive an order to advance and walk
right into a trap the general knew about.
iii. Non-repudiation
Non-Repudiation assures that no one can deny the validity of the data in question, and is actually a legal
term used in cyber security. Non-Repudiation is typically accomplished by the use of a service that
provides proof of the origin and integrity of the information. It makes it nearly impossible to successfully
deny who or where a message came from.
Non-repudiation is similar to data integrity, but it has more to do with knowing who sent the information,
and less with whether or not it was changed along the way. In the military example from above, even if we
could guarantee that the retreat order was never tampered with, non-repudiation would be a way to ensure
it was the general who gave the order in the first place, and not some enemy spy.
iv. Authentication
There are two kinds of authentication typically used in cryptography.
1. Integrity authentication, like a MAC or HMAC, ensures that data hasn’t been tampered with.
A hash-based message authentication code (or HMAC) is a cryptographic authentication technique that uses
a hash function and a secret key.
2. Source authentication, like an SSL certificate, can be used to verify the identity of who created the
information. Every time you connect to a website over HTTPS, your browser ensures that you’re
connected to the site you think you are by checking the SSL certificate.
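
Integrity authentication with HMAC, shown against the modification, masquerade and replay attacks from section 1.2.1, as an added Python example that is not part of the original lecture note. The packet layout (8-byte counter, message, 32-byte tag), the counter-based replay check and all names are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def seal(key, counter, message):
    """Return counter || message || HMAC-SHA256(key, counter || message)."""
    header = struct.pack(">Q", counter)
    tag = hmac.new(key, header + message, hashlib.sha256).digest()
    return header + message + tag


class Receiver:
    def __init__(self, key):
        self.key = key
        self.last_counter = 0  # highest counter accepted so far

    def open(self, packet):
        """Return (status, message); message is None unless accepted."""
        if len(packet) < 8 + TAG_LEN:
            return "rejected: malformed", None
        header, message, tag = packet[:8], packet[8:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, header + message, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return "rejected: bad tag", None
        (counter,) = struct.unpack(">Q", header)
        if counter <= self.last_counter:
            return "rejected: replay", None
        self.last_counter = counter
        return "accepted", message


def demo():
    # Constructed demo key; a real key comes from secrets.token_bytes(32).
    key = bytes(range(32))
    rx = Receiver(key)
    original = seal(key, 1, b"Allow JOHN to read confidential file X")
    modified = original.replace(b"JOHN", b"Smith")       # modification of message
    masquerade = seal(b"\x00" * 32, 2, b"Allow Smith to read confidential file X")
    return [
        rx.open(modified)[0],      # altered in transit: tag no longer matches
        rx.open(original)[0],      # genuine message
        rx.open(original)[0],      # same packet captured and sent again
        rx.open(masquerade)[0],    # sender without the shared key
        rx.open(seal(key, 2, b"Allow JOHN to read file Y"))[0],  # next genuine one
    ]


if __name__ == "__main__":
    for status in demo():
        print(status)
```

Because both parties hold the same key, the tag proves integrity and shared-key origin only; it does not give non-repudiation, since either side could have produced it.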

3.2.1 Practical Principle of Cryptography
Let’s say there is a smart guy called Eaves who has secretly got access to your communication channel. Since
this guy has access to your communication, he can do much more than just eavesdrop; for example, he
can try to change the message. Now, this is just a small example. What if Eaves gets access to your private
information? The result could be catastrophic.
So how can Andy be sure that nobody in the middle could access the message sent to Sam? That’s
where encryption, or cryptography, comes in. Let me tell you what cryptography is.
Cryptography is the practice and study of techniques for securing communication and data in the presence
of adversaries.

Alright, now that you know what cryptography is, let’s see how cryptography can help secure the
connection between Andy and Sam.
So, to protect his message, Andy first converts his readable message to an unreadable form. Here, he converts
the message to some random numbers. After that, he uses a key to encrypt his message; in cryptography,
we call this ciphertext.
Andy sends this ciphertext, or encrypted message, over the communication channel, so he won’t have to worry
about somebody in the middle discovering his private messages. Suppose Eaves discovers the
message and somehow manages to alter it before it reaches Sam.

Now, Sam would need a key to decrypt the message to recover the original plaintext. In order to convert
the ciphertext into plain text, Sam would need to use the decryption key. Using the key he would convert
the ciphertext or the numerical value to the corresponding plain text.
After using the key for decryption, what comes out is not the original plaintext message but an error. Now,
this error is very important. It is the way Sam knows that the message sent by Andy is not the same as the
message that he received. Thus, we can say that encryption is important to communicate or share
information over the network.

3.3 Types of cryptography


Cryptography is broadly classified into two categories, symmetric key cryptography and asymmetric key
cryptography (popularly known as public key cryptography), along with hash functions.

3.3.1 Symmetric key cryptography
Symmetric encryption uses the same key for encryption and decryption. The sender and receiver of the
message use a single shared key to encrypt and decrypt messages. Symmetric key systems are faster and
simpler, but sharing keys is difficult. If you need to communicate over an insecure medium, how would you
get the key to the recipient in the first place?
The answer is that for communication to another party, you’ll probably want to use asymmetric encryption,
which we’ll cover shortly. Symmetric encryption excels when you’re encrypting information at rest. For
example, your password manager encrypts your passwords, but they aren’t being sent to anyone. You only
need one key, because you’re the only one using it.
Common symmetric encryption algorithms include AES and DES.

3.3.2 Asymmetric Key Encryption (or Public Key Cryptography)


Asymmetric encryption uses different keys for encryption and decryption. A pair of keys that are
cryptographically related are used to encrypt and decrypt information. A public key is used for encryption
while its private key is used for decryption.
If I want to receive a message from my wife, I would send her my public key. The public key is just that,
public. If someone intercepts the key, it’s not a problem, they won’t be able to use it to decrypt anything.
My wife would then use my public key to encrypt a message for me. Now, since I’m the only one that owns
the corresponding private key, I’ll be able to decrypt that message once I receive it.
Common asymmetric encryption algorithms include ECC and RSA.

Asymmetric encryption is the encryption process in which different keys are used for encrypting and
decrypting the information. The keys are different but mathematically related, such that retrieving the
plaintext by decrypting the ciphertext is feasible.

RSA is the most widely used form of public key encryption.


RSA Algorithm
RSA stands for Rivest, Shamir, and Adleman, the inventors of this technique
Both public and private key are interchangeable
Variable Key Size (512, 1024, or 2048 bits)

Here’s how keys are generated in RSA algorithm

To safeguard your information and data shared over the internet, it is important to use strong encryption
algorithms to avoid any catastrophic situations.

3.3.3 Difference between Symmetric and Asymmetric cryptography


Properties | Symmetric | Asymmetric
Keys | A single key | A private and public key
Speed | Faster, simple | Slower, more complex
Use cases | Bulk encryption of data at rest | Encryption of data in transit between two parties
Principles provided | Confidentiality | Confidentiality, authentication, non-repudiation

3.3.4 Hash Functions


The third most common type of cryptography involves hash functions. No key is used in this algorithm. A
fixed-length value is calculated from the plaintext, which makes it impossible for the contents of the
plaintext to be recovered.
However, because the same plaintext will always hash to the same output, it can be used to, for example,
compare passwords without ever storing them.

What is hashing?
Hashing converts input data into random-looking output data of a fixed size (the digest). This is a one-way
function; hence the original input data cannot be derived from the output. One use of hashing is that,
instead of storing a password in clear text, we store the hashed password. Even if the hashed passwords
were to be compromised, the nature of hashing makes it difficult to retrieve the clear password.
Some of the commonly used hashing algorithms include MD5, SHA-1, bcrypt, Whirlpool, SHA-2 and
SHA-3.

3.3.5 Encryption and Decryption Processes
• Encryption is a process of converting normal data into an unreadable form, whereas decryption is a
method of converting the unreadable/coded data into its original form.
• Encryption is done by the person who is sending the data to the destination, but the decryption is
done by the person who is receiving the data.
• The same algorithm with the same key can be used for both the encryption and decryption processes.

Why use Encryption and Decryption? (The importance of Encryption and Decryption)
Here are important reasons for using encryption:
• Helps you to protect your confidential data, such as passwords and login IDs
• Provides confidentiality of private information
• Helps you to ensure that the document or file has not been altered
• Encryption process also prevents plagiarism and protects IP
• Helpful for network communication (like the internet) and wherever a hacker can easily access
unencrypted data
• It is an essential method, as it helps you to securely protect data that you don’t want anyone else to
have access to.

i. Encryption Process
Encryption is a process which transforms the original information into an unrecognizable form. This new
form of the message is entirely different from the original message. That’s why a hacker is not able to read
the data when senders use an encryption algorithm. Encryption is usually done using key algorithms.
Data is encrypted to keep it safe from theft. However, many well-known companies also encrypt data to keep
their trade secrets from their competitors.

[Figure: Encryption Process]

ii. Decryption process


Decryption is a process of converting encoded/encrypted data into a form that is readable and understood by a
human or a computer. This method is performed by un-encrypting the text manually or by using the keys used
to encrypt the original data.

[Figure: Decryption process]

3.3.6 Types of Keys
Symmetric Key:
Symmetric-key encryption algorithms use the same cryptographic keys for both encryption of
plaintext and decryption of ciphertext.
Asymmetric Key:
Asymmetric encryption uses 2 pairs of keys for encryption. The public key is available to anyone, while the
secret key is only made available to the receiver of the message. This boosts security.
Public Key:
Public key cryptography is an encryption system which is based on two pairs of keys. Public keys are used
to encrypt messages for a receiver.
Private Key:
A private key may be part of a public/private asymmetric key pair. It can be used in asymmetric encryption as
you can use the same key to encrypt and decrypt data.
Pre-Shared Key:
In cryptography, a pre-shared key (PSK) is a shared secret which was earlier shared between the two parties
using a secure channel before it is used.

3.3.7 Difference between Encryption and Decryption
Parameter | Encryption | Decryption
What is | It is a process of converting normal data into an unreadable form. It helps you to avoid any unauthorized access to data. | It is a method of converting the unreadable/coded data into its original form.
Process | Whenever the data is sent between two separate machines, it is encrypted automatically using a secret key. | The receiver of the data automatically allows you to convert the data from the codes into its original form.
Location of Conversion | The person who is sending the data to the destination. | The receiver receives the data and converts it.
Example | An employee is sending essential documents to his/her manager. | The manager is receiving the essential documents from his/her employee.
Use of Algorithm | The same algorithm with the same key is used for the encryption-decryption process. | A single algorithm is used for encryption and decryption with a pair of keys, where each is used for encryption and decryption.
Major function | Transforming humanly understandable messages into an incomprehensible and obscure form that cannot be interpreted. | It is a conversion of an obscure message into an understandable form which is easy to understand by a human.

3.4 Cipher Methods


There are two methods of encrypting plaintext: the Bit Stream method or the Block Cipher method, as
defined in the previous section. In the bit stream method, each bit in the plaintext is transformed into a
cipher bit one bit at a time. In the block cipher method, the message is divided into blocks—for example,
sets of 8-, 16-, 32-, or 64-bit blocks—and then each block of plaintext bits is transformed into an encrypted
block of cipher bits using an algorithm and a key. Bit stream methods commonly use algorithm functions
like the exclusive OR operation (XOR), whereas block methods can use substitution, transposition, XOR,
or some combination of these operations, as described in the following sections. Note that most
computer-based encryption methods operate on data at the level of its binary digits (bits), while others
operate at the byte or character level.

You may wonder if you need to know all of the technical details about cipher methods that follow in this
section. Although most security professionals will not get involved in designing cryptographic algorithms
(or cipher methods) or even wind up using them directly, you have probably used many of them indirectly
when you browse the Web, and it is certainly helpful to understand how the tools work. At some point you
may need to know these fundamental building blocks of cryptography so you can understand your options
when evaluating commercial or open-source cipher methods.

3.4.1 Substitution Cipher


A substitution cipher is a method of encryption by which units of plaintext are replaced with ciphertext,
according to a fixed system; the “units” may be single letters (the most common), pairs of letters, triplets
of letters, mixtures of the above, and so forth.

Example:
Consider this example shown on the slide: Using the system just discussed, the keyword “zebras” gives us
the following alphabets:

Key Terms
i. Monoalphabetic Substitution: A substitution cipher that only incorporates a single alphabet in the
encryption process.
ii. Polyalphabetic Substitution: A substitution cipher that incorporates two or more alphabets in the
encryption process.
iii. Substitution Cipher: An encryption method in which one value is substituted for another.
iv. Vigenère Cipher: An advanced type of substitution cipher that uses a simple polyalphabetic code.

i. Monoalphabetic substitution
A substitution cipher exchanges one value for another—for example, it might exchange a letter in the
alphabet with the letter three values to the right, or it might substitute one bit for another bit four places to
its left. A three-character substitution to the right results in the following transformation of the standard
English alphabet.
Initial alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ yields
Encryption alphabet: DEFGHIJKLMNOPQRSTUVWXYZABC
Within this substitution scheme, the plaintext MOM would be encrypted into the ciphertext PRP.
This is a simple enough method by itself, but it becomes very powerful if combined with other operations.
The previous example of substitution is based on a single alphabet and thus is known as a monoalphabetic
substitution.
ii. Polyalphabetic substitutions.
More advanced substitution ciphers use two or more alphabets, and are referred to as polyalphabetic
substitutions.
To extend the previous example, consider the following block of text:
Plaintext: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Substitution cipher 1: DEFGHIJKLMNOPQRSTUVWXYZABC
Substitution cipher 2: GHIJKLMNOPQRSTUVWXYZABCDEF
Substitution cipher 3: JKLMNOPQRSTUVWXYZABCDEFGHI
Substitution cipher 4: MNOPQRSTUVWXYZABCDEFGHIJKL
The first row here is the plaintext, and the next four rows are four sets of substitution ciphers, which taken
together constitute a single polyalphabetic substitution cipher. To encode the word TEXT with this cipher,
you substitute a letter from the second row for the first letter in TEXT, a letter from the third row for the
second letter, and so on—a process that yields the ciphertext WKGF. Note how the plaintext letter T is
transformed into a W or an F, depending on its order of appearance in the plaintext. Complexities like these
make this type of encryption substantially more difficult to decipher when one doesn’t have the algorithm
(in this case, the rows of ciphers) and the key, which is the substitution method. A logical extension to this
process is to randomize the cipher rows completely in order to create a more complex operation.
iii. Vigenère cipher.
An advanced type of substitution cipher that uses a simple polyalphabetic code is the Vigenère cipher. The
cipher is implemented using the Vigenère square (or table), also known as a tabula recta—a term invented
by Johannes Trithemius in the 1500s.

The table below illustrates the setup of the Vigenère square, which is made up of 26 distinct cipher
alphabets. In the header row and column, the alphabet is written in its normal order. In each subsequent
row, the alphabet is shifted one letter to the right until a 26 × 26 block of letters is formed.
You can use the Vigenère square in several ways. For example, you could perform an encryption by simply
starting in the first row, finding a substitute for the first letter of plaintext, and then moving down the rows
for each subsequent letter of plaintext. With this method, the word SECURITY in plaintext becomes
TGFYWOAG in ciphertext.
A much more sophisticated way to use the Vigenère square is to use a keyword to represent the shift. To
accomplish this, you begin by writing a keyword above the plaintext message.
For example, suppose the plaintext message is “SACK GAUL SPARE NO ONE” and the keyword is
ITALY. We thus end up with the following:
ITALYITALYITALYITA
SACKGAULSPARENOONE

A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Vigenère square Table

Now you use the keyword letter and the message (plaintext) letter below it in combination.
Returning to the Vigenère square, notice how the first column of text, like the first row, forms the normal
alphabet. To perform the substitution, start with the first combination of keyword and message letters, IS.
Use the keyword letter to locate the column and the message letter to find the row, and then look for the
letter at their intersection. Thus, for column “I” and row “S,” you will find the ciphertext letter “A.” After
you follow this procedure for each letter in the message, you will produce the encrypted ciphertext
ATCVEINLDNIKEYMWGE. One weakness of this method is that any keyword-message letter
combination containing an “A” row or column reproduces the plaintext message letter.
For example, the third letter in the plaintext message, the C (of SACK), has a combination of AC, and thus
is unchanged in the ciphertext. To minimize the effects of this weakness, you should avoid choosing a
keyword that contains the letter “A.”
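
The substitution examples in this section can be checked with a short program. The following Python is an added example, not part of the original lecture note; the function names are assumptions chosen for illustration. It reproduces MOM, TEXT, SECURITY and the ITALY keyword example, and lists where a keyword letter “A” leaves the plaintext unchanged.

```python
import string

ALPHABET = string.ascii_uppercase


def substitute(text, shifts, decrypt=False):
    """Shift each letter right by the next value in `shifts`, cycling through them.

    One shift is a monoalphabetic substitution; several shifts used in turn
    are a polyalphabetic substitution. Spaces and other non-letters are
    dropped, matching the SACKGAULSPARENOONE layout used in the notes.
    """
    if not shifts:
        raise ValueError("at least one shift is required")
    sign = -1 if decrypt else 1
    letters = [c for c in text.upper() if c in ALPHABET]
    return "".join(
        ALPHABET[(ALPHABET.index(c) + sign * shifts[i % len(shifts)]) % 26]
        for i, c in enumerate(letters)
    )


def vigenere(text, keyword, decrypt=False):
    """Keyword use of the Vigenère square: key letter A shifts by 0, B by 1, ..."""
    shifts = [ALPHABET.index(k) for k in keyword.upper()]
    return substitute(text, shifts, decrypt)


def unchanged_positions(text, keyword):
    """0-based positions where the ciphertext letter equals the plaintext letter."""
    plain = substitute(text, [0])  # shift 0 only normalises to upper-case letters
    cipher = vigenere(text, keyword)
    return [i for i, (p, c) in enumerate(zip(plain, cipher)) if p == c]


if __name__ == "__main__":
    message = "SACK GAUL SPARE NO ONE"
    print(substitute("MOM", [3]))                      # monoalphabetic, shift 3
    print(substitute("TEXT", [3, 6, 9, 12]))           # the four cipher rows
    print(substitute("SECURITY", list(range(1, 27))))  # one row further per letter
    print(vigenere(message, "ITALY"))                  # keyword method
    print(unchanged_positions(message, "ITALY"))       # letters under keyword "A"
```
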

3.4.2 Transposition Cipher


Key Terms
Permutation cipher: See transposition cipher.
i. Transposition cipher: A cryptographic operation that involves simply rearranging the values
within a block based on an established pattern. Also known as a permutation cipher.
Like the substitution operation, the transposition cipher is simple to understand, but if properly used, it can
produce ciphertext that is difficult to decipher. In contrast to the substitution cipher, however, the
transposition cipher or permutation cipher simply rearranges the bits or bytes (characters) within a block to
create the ciphertext. For an example, consider the following transposition key pattern.
Key pattern: 8 → 3, 7 → 6, 6 → 2, 5 → 7, 4 → 5, 3 → 1, 2 → 8, 1 → 4
In this key, the bit or byte (character) in position 1 moves to position 4. When operating on
binary data, position 1 is at the far right of the data string, and counting proceeds from right
to left. Next, the bit or byte in position 2 moves to position 8, and so on.
The following rows show the numbering of bit locations for this key; the plaintext message
00100101011010111001010101010100, which is broken into 8-bit blocks for clarity; and
the ciphertext that is produced when the transposition key depicted above is applied to the
plaintext.
Bit locations: 87654321 87654321 87654321 87654321
Plaintext 8-bit blocks: 00100101|01101011|10010101|01010100
Ciphertext: 00001011|10111010|01001101|01100001
Reading from right to left in this example, the first bit of plaintext (position 1 of the first byte) becomes the
fourth bit (in position 4) of the first byte of the ciphertext. Similarly, the second bit of the plaintext
(position 2) becomes the eighth bit (position 8) of the ciphertext, and so on.
To examine further how this transposition key works, look at its effects on a plaintext message comprised
of letters instead of bits. Replacing the 8-bit block of plaintext with the example plaintext message
presented earlier, “SACK GAUL SPARE NO ONE,” yields the following.
Letter locations: 87654321|87654321|87654321
Plaintext: __ENO_ON|_ERAPS_L|UAG_KCAS
Key: Same key as above, but characters transposed, not bits.
Ciphertext: ON_ON_E_|_AEPL_RS|A_AKSUGC
Here, you read from right to left to match the order in which characters would be transmitted from a sender
on the left to a receiver on the right. The letter in position 1 of the first block of plaintext, “S,” moves to
position 4 in the ciphertext. The process is continued until the letter “U,” the eighth letter of the first block
of plaintext, moves to the third position of the ciphertext. This process continues with subsequent blocks
using the same specified pattern. Obviously, the use of different-sized blocks or multiple transposition
patterns would enhance the strength of the cipher.
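
The key pattern above can be applied mechanically to both the bit blocks and the letter blocks. The following Python is an added example, not part of the original lecture note; the function names and the `layout` helper (which writes the message right to left and pads with “_”) are assumptions made for illustration. It also inverts the pattern to recover the plaintext.

```python
# Key pattern from the notes: source position -> destination position,
# with position 1 at the far right of each block.
KEY_PATTERN = {8: 3, 7: 6, 6: 2, 5: 7, 4: 5, 3: 1, 2: 8, 1: 4}


def check_pattern(pattern):
    """A usable key must send every position to exactly one other position."""
    positions = list(range(1, len(pattern) + 1))
    if sorted(pattern) != positions or sorted(pattern.values()) != positions:
        raise ValueError("key pattern is not a permutation of 1..n")


def transpose_block(block, pattern):
    """Rearrange one block of bits or characters according to the pattern."""
    check_pattern(pattern)
    size = len(pattern)
    if len(block) != size:
        raise ValueError(f"block must hold exactly {size} units")
    out = [None] * size
    for src, dst in pattern.items():
        # Position p counted from the right is index size - p from the left.
        out[size - dst] = block[size - src]
    return "".join(out)


def transpose(message, pattern, sep="|"):
    """Apply the pattern to every block of a 'block|block|...' string."""
    return sep.join(transpose_block(b, pattern) for b in message.split(sep))


def invert(pattern):
    """The decryption key simply reverses each move."""
    return {dst: src for src, dst in pattern.items()}


def layout(text, size=8, pad="_", sep="|"):
    """Write text right to left in blocks, with spaces and padding shown as '_'."""
    units = text.replace(" ", pad)
    units += pad * (-len(units) % size)   # pad up to a whole number of blocks
    rtl = units[::-1]                      # first character ends up at far right
    return sep.join(rtl[i:i + size] for i in range(0, len(rtl), size))


if __name__ == "__main__":
    bits = "00100101|01101011|10010101|01010100"
    print(transpose(bits, KEY_PATTERN))
    letters = layout("SACK GAUL SPARE NO ONE")
    cipher = transpose(letters, KEY_PATTERN)
    print(letters, "->", cipher)
    print(transpose(cipher, invert(KEY_PATTERN)))  # back to the plaintext layout
```
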

ii. Exclusive OR
Exclusive OR operation (XOR): A function within Boolean algebra used as an encryption function in which
two bits are compared. If the two bits are identical, the result is a binary 0; otherwise, the result is a binary
1.
The exclusive OR operation (XOR) is a function of Boolean algebra in which two bits are compared and a
binary result is generated. XOR encryption is a very simple symmetric cipher that is used in many
applications where security is not a defined requirement.
The table below shows an XOR table with the results of all possible combinations of two bits.
To see how XOR works, consider an example in which the plaintext is the word “CAT.”
The ASCII binary representation of the plaintext is 01000011 01000001 01010100.
In order to encrypt the plaintext, a key value should be selected. In this case, the bit pattern
for the letter “V” (01010110) is used, and is repeated for each character to be encrypted, written from left
to right. Performing the XOR operation on the two bit streams (the plaintext and the key) produces the
result shown in Table 8-4.
The bottom row of Table 8-4, “Cipher,” is read from left to right and contains the bit stream
that will be transmitted. When this cipher is received, it can be decrypted using the key value
“V.” Note that the XOR encryption method is very simple to implement and equally simple to break. The
XOR encryption method should not be used by itself when an organization is transmitting or storing
sensitive data. Actual encryption algorithms used to protect data typically use the XOR operator as part of
a more complex encryption process.

[Table: XOR Table]

[Table 8-4: Example XOR Encryption]
You can combine XOR with a block cipher to produce a simple but powerful operation. In the example that
follows (again read from left to right), the first row shows a character message “5E5+•” requiring
encryption. The second row shows this message in binary notation.
In order to apply an 8-bit block cipher method, the binary message is broken into 8-bit blocks in the row
labeled “Message blocks.” The fourth row shows the 8-bit key (01010101) chosen for the encryption. To
encrypt the message, you must perform the XOR operation on each 8-bit block by using the XOR function
on the message bit and the key bit to determine the bits of the ciphertext. The result is shown in the row
labeled “Ciphertext.”
This ciphertext can now be sent to a receiver, who will be able to decipher the message simply by knowing
the algorithm (XOR) and the key (01010101).

Message (text): “5E5+•”
Message (binary): 00110101 01000101 00110101 00101011 10010101
Message blocks: 00110101 01000101 00110101 00101011 10010101
Key: 01010101 01010101 01010101 01010101 01010101
Ciphertext: 01100000 00010000 01100000 01111110 11000000
If the receiver cannot apply the key to the ciphertext and derive the original message, either the cipher was
applied with an incorrect key or the cryptosystem was not used correctly.
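
The two XOR examples above (“CAT” with the key “V”, and the 8-bit block message with the key 01010101) can be reproduced in a few lines. The following Python is an added example, not part of the original lecture note; the function names are assumptions. The last function shows why the notes call XOR alone “equally simple to break”: XORing a known plaintext with its ciphertext gives back the key.

```python
def xor_truth_table():
    """All combinations of two bits and their XOR: identical bits give 0."""
    return [(a, b, a ^ b) for a in (0, 1) for b in (0, 1)]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the key, repeating the key as needed.

    The same call encrypts and decrypts, because (p ^ k) ^ k == p.
    """
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def to_bits(data: bytes) -> str:
    """Render bytes as space-separated 8-bit groups, as in the notes."""
    return " ".join(f"{b:08b}" for b in data)


def from_bits(bits: str) -> bytes:
    """Parse space-separated 8-bit groups back into bytes."""
    return bytes(int(group, 2) for group in bits.split())


def key_stream_from_known_plaintext(plaintext: bytes, ciphertext: bytes) -> bytes:
    """plaintext XOR ciphertext equals the key stream that was applied."""
    return bytes(p ^ c for p, c in zip(plaintext, ciphertext))


if __name__ == "__main__":
    for a, b, result in xor_truth_table():
        print(a, b, "->", result)

    cipher = xor_bytes(b"CAT", b"V")
    print(to_bits(b"CAT"), "XOR V ->", to_bits(cipher))
    print(xor_bytes(cipher, b"V"))  # decrypts back to b'CAT'

    blocks = from_bits("00110101 01000101 00110101 00101011 10010101")
    print(to_bits(xor_bytes(blocks, from_bits("01010101"))))

    # Anyone who knows one plaintext/ciphertext pair learns the key.
    print(key_stream_from_known_plaintext(b"CAT", cipher))
```
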

3.5 HASH FUNCTIONS


Hash algorithms: Public functions that create a hash value, also known as a message digest, by
converting variable-length messages into a single fixed-length value.
Hash functions: Mathematical algorithms that generate a message summary or digest (sometimes called a
fingerprint) to confirm message identity and integrity.
Hash value: See message digest.
Message Authentication Code (MAC): A key-dependent, one-way hash function that allows only specific
recipients (symmetric key holders) to access the message digest.
Message digest: A value representing the application of a hash algorithm on a message that is transmitted
with the message so it can be compared with the recipient’s locally calculated hash of the same message. If
both hashes are identical after transmission, the message has arrived without modification. Also known as a
hash value.
Secure Hash Standard (SHS): A standard issued by the National Institute of Standards and
Technology (NIST) that specifies secure algorithms, such as SHA-1, for computing a condensed
representation of a message or data file.

In addition to ciphers, another important encryption technique that is often incorporated into cryptosystems
is the hash function. Hash functions are mathematical algorithms used to confirm the identity of a specific
message and confirm that the content has not been changed.
While they do not create ciphertext, hash functions confirm message identity and integrity, both of which
are critical functions in e-commerce.
Hash algorithms are used to create a hash value, also known as a message digest, by converting variable-
length messages into a single fixed-length value. The message digest is a fingerprint of the author’s
message that is compared with the recipient’s locally calculated hash of the same message. If both hashes
are identical after transmission, the message has arrived without modification. Hash functions are
considered one-way operations in that the same message always provides the same hash value, but the hash
value itself cannot be used to determine the contents of the message.
Hashing functions do not require the use of keys, but it is possible to attach a Message Authentication
Code (MAC) to allow only specific recipients to access the message digest. Because hash functions are
one-way, they are used in password verification systems to confirm the identity of the user. In such
systems, the hash value, or message digest, is calculated based on the originally issued password, and this
message digest is stored for later comparison. When the user logs on for the next session, the system
calculates a hash value based on the user’s password input, and this value is compared against the stored
value to confirm identity.
The Secure Hash Standard (SHS) is issued by the National Institute of Standards and Technology
(NIST). Standard document FIPS 180-4 specifies SHA-1 (Secure Hash Algorithm 1) as a secure algorithm
for computing a condensed representation of a message or data file.
SHA-1 produces a 160-bit message digest, which can be used as an input to a digital signature algorithm.
SHA-1 is based on principles modeled after MD4, which is part of the MDx family of hash algorithms
created by Ronald Rivest. New hash algorithms, SHA-256, SHA-384, and SHA-512, have been proposed
by NIST as standards for 128, 192, and 256 bits, respectively. The number of bits used in the hash
algorithm is a measurement of the algorithm’s strength against collision attacks. SHA-256 is essentially a
256-bit block cipher algorithm that creates a key by encrypting the intermediate hash value, with the
message block functioning as the key. The compression function operates on each 512-bit message block
and a 256-bit intermediate message digest.

An attack method called rainbow cracking has generated concern about the strength of the processes used
for password hashing. In general, if attackers gain access to a file of hashed passwords, they can use the
application Rainbow Crack and its combination of brute force and dictionary attacks to reveal user
passwords. Passwords that are dictionary words or poorly constructed can be easily cracked. Well-
constructed passwords that are of sufficient length can take a long time to crack even using the fastest
computers, but by using a rainbow table—a database of precomputed hashes from sequentially calculated
passwords—the rainbow cracker simply looks up the hashed password and reads out the text version. No
brute force is required. This type of attack is more properly classified as a time-memory trade-off attack.
To defend against such an attack, you must first protect the file of hashed passwords and implement strict
limits on the number of attempts allowed per login session. You can also use an approach called password
hash salting. Salting is the process of providing a random piece of data to the hashing function when the
hash is first calculated. The use of the salt value creates a different hash; when a large set of salt values are
used, rainbow cracking fails because the time-memory trade-off is no longer in the attacker’s favor. The
salt value is not kept a secret: It is stored along with the account identifier so that the hash value can be
re-created during authentication. Additional techniques include key stretching and key strengthening. Key
stretching involves repeating the hashing algorithm up to several thousand times to continuously inject the
password, salt value, and interim hash results back into the process. Key strengthening extends the key with
the salt value, but then deletes the salt value.
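
The password verification, salting and key stretching steps described above fit together as follows. This Python is an added example, not part of the original lecture note; it assumes PBKDF2-HMAC-SHA256 from the standard library as the key-stretching function, and the function names, record layout and iteration count are illustrative choices.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # illustrative value; real systems tune this to their hardware


def unsalted_digest(password: str) -> str:
    """Plain hash: the same password always gives the same digest, so one
    precomputed table of digests works against every account."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def create_record(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> dict:
    """Hash a newly issued password with a random salt and key stretching.

    The salt and iteration count are not secret; they are stored with the
    account so the digest can be re-created at login.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify(password: str, record: dict) -> bool:
    """Recompute the digest from the login input and compare with the stored one."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, record["digest"])


def share_a_digest(records) -> bool:
    """True if any two stored records hold the same digest."""
    digests = [r["digest"] for r in records]
    return len(set(digests)) < len(digests)


if __name__ == "__main__":
    # Constructed sample data: two accounts that happen to use the same password.
    password = "correct horse battery"
    print(unsalted_digest(password) == unsalted_digest(password))  # identical
    alice, bob = create_record(password), create_record(password)
    print(share_a_digest([alice, bob]))           # salts make the digests differ
    print(verify(password, alice), verify("wrong guess", alice))
```
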

3.6 Cryptographic Algorithms


Introduction
In general, cryptographic algorithms are often grouped into two broad categories—symmetric
and asymmetric—but in practice, today’s popular cryptosystems use a combination of both
algorithms. Symmetric and asymmetric algorithms are distinguished by the types of keys they
use for encryption and decryption operations.
3.6.1 Symmetric Encryption
Key Terms
Advanced Encryption Standard (AES): The current federal standard for the encryption of data, as
specified by NIST. AES is based on the Rijndael algorithm, which was developed by Vincent Rijmen and
Joan Daemen.
Private-Key Encryption: See symmetric encryption.
Secret Key: A key that can be used in symmetric encryption both to encipher and decipher the message.
Symmetric Encryption: A cryptographic method in which the same algorithm and secret key are used
both to encipher and decipher the message.

Encryption methodologies that require the same secret key to encipher and decipher the message are
performing private-key encryption or symmetric encryption. Symmetric encryption methods use
mathematical operations that can be programmed into extremely fast computing algorithms so that
encryption and decryption are executed quickly, even by small computers.
As you can see in the figure below, one of the challenges is that both the sender and the recipient must have
the secret key. Also, if either copy of the key falls into the wrong hands, messages can be decrypted by
others and the sender and intended receiver may not know a message was intercepted. The primary
challenge of symmetric key encryption is getting the key to the receiver, a process that must be conducted
out of band to avoid interception. In other words, the process must use a channel or band other than the one
carrying the ciphertext.
There are a number of popular symmetric encryption cryptosystems. One of the most widely known is the
Data Encryption Standard (DES); it was developed by IBM and is based on the company’s Lucifer
algorithm, which uses a key length of 128 bits. As implemented, DES uses a 64-bit block size and a 56-bit
key. DES was adopted by NIST in 1976 as a federal standard for encryption of nonclassified information,
after which it became widely employed in commercial applications. DES enjoyed increasing popularity for
almost 20 years until 1997, when users realized that a 56-bit key size did not provide acceptable levels of
security. In 1998, a group called the Electronic Frontier Foundation (www.eff.org) used a specially
designed computer to break a DES key in just over 56 hours. Since then, it has been theorized that a
dedicated attack supported by the proper hardware (not necessarily a specialized computer) could break a
DES key in less than a day.

[Figure: Example of Symmetric Encryption]
Triple DES (3DES)
Triple DES (3DES) was created to provide a level of security far beyond that of DES. 3DES was an
advanced application of DES, and while it did deliver on its promise of encryption strength beyond DES, it
soon proved too weak to survive indefinitely—especially as computing power continued to double every
18 months. Within just a few years, 3DES needed to be replaced.
The successor to 3DES is the Advanced Encryption Standard (AES). AES is a federal information
processing standard (FIPS) that specifies a cryptographic algorithm used within the U.S. government to
protect information in federal agencies that are not part of the national defense infrastructure. (Agencies
that are considered a part of national defense use more secure methods of encryption, which are provided
by the National Security Agency.) The requirements for AES stipulate that the algorithm should be
unclassified, publicly disclosed, and available royalty-free worldwide. AES was developed to replace both
DES and 3DES.

While 3DES remains an approved algorithm for some uses, its expected useful life is limited.
Historically, cryptographic standards approved by FIPS have been adopted on a voluntary basis by
organizations outside government entities. The AES selection process involved cooperation between the
U.S. government, private industry, and academia from around the world.
AES was approved by the Secretary of Commerce as the official federal governmental standard on May 26,
2002.
AES implements a block cipher called the Rijndael Block Cipher with a variable block length and a key
length of 128, 192, or 256 bits. Experts estimate that the special computer used by the Electronic Frontier
Foundation to crack DES within a couple of days would require approximately 4,698,864 quintillion years
(4,698,864,000,000,000,000,000) to crack AES.

3.6.2 Asymmetric Encryption
Key Terms
Asymmetric Encryption: A cryptographic method that incorporates mathematical operations involving
both a public key and a private key to encipher or decipher a message. Either key can be used to encrypt a
message, but then the other key is required to decrypt it.
Public-Key Encryption: See asymmetric encryption.

While symmetric encryption systems use a single key both to encrypt and decrypt a message, asymmetric
encryption uses two different but related keys. Either key can be used to encrypt or decrypt the message.
However, if key A is used to encrypt the message, only key B can decrypt it; if key B is used to encrypt a
message, only key A can decrypt it. Asymmetric encryption can be used to provide elegant solutions to
problems of secrecy and verification.
This technique has its greatest value when one key is used as a private key, which means it is kept secret
(much like the key in symmetric encryption) and is known only to the owner of the key pair. The other key
serves as a public key, which means it is stored in a public location where anyone can use it. For this
reason, the more common name for asymmetric encryption is public-key encryption.
Consider the following example, as illustrated in the figure below: Alex at XYZ Corporation wants to send an
encrypted message to Rachel at ABC Corporation. Alex goes to a public-key registry and obtains Rachel’s
public key. Remember that the foundation of asymmetric encryption is that the same key cannot be used
both to encrypt and decrypt the same message. So, when Rachel’s public key is used to encrypt the
message, only her private key can be used to decrypt the message; that private key is held by Rachel alone.
Similarly, if Rachel wants to respond to Alex’s message, she goes to the registry where Alex’s public key
is held and uses it to encrypt her message, which of course can only be read by Alex’s private key. This
approach, which keeps private keys secret and encourages the sharing of public keys in reliable directories,
is an elegant solution to the key management problems of symmetric key applications.

Asymmetric algorithms are one-way functions, meaning they are simple to compute in one direction, but
complex to compute in the opposite direction. This is the foundation of public-key encryption. It is based
on a hash value, which is calculated from an input number using a hashing algorithm, as you learned earlier
in this chapter. This hash value is essentially a summary of the original input values. It is virtually
impossible to derive the original values without knowing how they were used to create the hash value. For
example, if you multiply 45 by 235, you get 10,575. This is simple enough. But if you are simply given the
number 10,575, can you determine which two numbers were multiplied to produce it?
Now assume that each multiplier is 200 digits long and prime. The resulting multiplicative product could
be up to 400 digits long. Imagine the time you’d need to factor out those numbers. There is a shortcut,
however. In mathematics, it is known as a trapdoor (which is different from the software trapdoor). A
mathematical trapdoor is a “secret mechanism that enables you to easily accomplish the reverse function in
a one-way function.”5 With a trapdoor, you can use a key to encrypt or decrypt the ciphertext, but not both,
thus requiring two keys. The public key becomes the true key, and the private key is derived from the
public key using the trapdoor.
One of the most popular public-key cryptosystems is RSA, whose name is derived from Rivest-Shamir-
Adleman, the algorithm’s developers. The RSA algorithm was the first public-key encryption algorithm
developed (in 1977) and published for commercial use. It is very popular and has been embedded in
essentially all widely available Web browsers to provide security for e-commerce applications. The
patented RSA algorithm has become the de facto standard for public-use encryption applications.

The problem with asymmetric encryption, as shown earlier in Figure 8-6, is that holding a single
conversation between two parties requires four keys. Moreover, if four organizations want to exchange
communications, each party must manage its private key and four public keys. In such scenarios,
determining which public key is needed to encrypt a particular message can become a rather confusing
problem, and with more organizations in the loop, the problem expands. This is why asymmetric
encryption is sometimes regarded by experts as inefficient. Compared with symmetric encryption,
asymmetric encryption is also not as efficient in terms of CPU computations. Consequently, hybrid
systems, such as those described later in this chapter in the “public key infrastructure (PKI)” section, are
more commonly used than pure asymmetric systems.

Encryption Key Size


When deploying ciphers, it is important for users to decide on the size of the cryptovariable or key, because
the strength of many encryption applications and cryptosystems is measured by key size. How exactly does
key size affect the strength of an algorithm? Typically, the length of the key increases the number of
random guesses that have to be made in order to break the code. Creating a larger universe of possibilities
increases the time required to make guesses, and thus a longer key directly influences the strength of the
encryption.
It may surprise you to learn that when it comes to cryptosystems, the security of encrypted data is not
dependent on keeping the encrypting algorithm secret. In fact, algorithms should be published and often
are, to enable research to uncover their weaknesses. The security of any cryptosystem depends on keeping
some or all elements of the cryptovariable(s) or key(s) secret, and effective security is maintained by
manipulating the size (bit length) of the keys and following proper procedures and policies for key
management.
For a simple example of how key size is related to encryption strength, suppose you have an algorithm that
uses a three-bit key. You may recall from earlier in the chapter that keyspace is the range from which the
key can be drawn. Also, you may recall that in binary notation, three bits can be used to represent values
from 000 to 111, which correspond to the numbers 0 to 7 in decimal notation and thus provide a keyspace
of eight keys. This means an algorithm that uses a three-bit key has eight possible keys; the numbers 0 to 7
in binary are 000, 001, 010, 011, 100, 101, 110, and 111. If you know how many keys you have to choose
from, you can program a computer to try all the keys in an attempt to crack the encrypted message.
The preceding statement makes a few assumptions: (1) you know the algorithm, (2) you have the encrypted
message, and (3) you have time on your hands. It is easy to satisfy the first criterion. The encryption tools
that use DES can be purchased over the counter. Many of these tools are based on encryption algorithms
that are standards, as is DES itself, and therefore it is relatively easy to get a cryptosystem based on DES
that enables you to decrypt an encrypted message if you possess the key. The second criterion requires the
interception of an encrypted message, which is illegal but not impossible. As for the third criterion, the task
required is a brute force attack, in which a computer randomly or sequentially selects possible keys of the
known size and applies them to the encrypted text or a piece of the encrypted text. If the result is
plaintext—bingo! But, as indicated earlier in this chapter, it can take quite a long time to exert brute force
on more advanced cryptosystems. In fact, the strength of an algorithm is determined by how long it takes to
guess the key.
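
The three-bit example and the brute force procedure described above, as an added Python example that is not part of the original lecture note. The toy XOR cipher, the `KNOWN_HEADER` marker, the sample message and the rate of one billion guesses per second are assumptions constructed for illustration.

```python
import hashlib

# Constructed marker: text the analyst expects every plaintext to begin with.
KNOWN_HEADER = b"INVOICE:"


def keyspace(bits: int) -> int:
    """Number of distinct keys that a key of this bit length can take."""
    return 2 ** bits


def _keystream(key: int, length: int) -> bytes:
    # Toy keystream: SHA-256 of the key, repeated until it covers the data.
    block = hashlib.sha256(key.to_bytes(8, "big")).digest()
    return (block * (length // len(block) + 1))[:length]


def toy_cipher(key: int, data: bytes) -> bytes:
    """XOR the data with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def exhaustive_search(ciphertext: bytes, bits: int):
    """Try every key in order and return (key, trials) for the first key
    whose output starts with the expected header."""
    head = ciphertext[:len(KNOWN_HEADER)]
    for trials, key in enumerate(range(keyspace(bits)), start=1):
        if toy_cipher(key, head) == KNOWN_HEADER:
            return key, trials
    return None, keyspace(bits)


def years_to_exhaust(bits: int, guesses_per_second: float) -> float:
    """Time to try the whole keyspace at a fixed guessing rate, in years."""
    seconds = keyspace(bits) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def work_table(rate: float = 1e9) -> dict:
    """Years needed per key length at the assumed rate."""
    return {bits: years_to_exhaust(bits, rate) for bits in (3, 16, 56, 128, 192, 256)}


if __name__ == "__main__":
    message = b"INVOICE: pay 100 units"           # constructed sample plaintext
    for bits, secret in ((3, 5), (16, 40000)):
        found, trials = exhaustive_search(toy_cipher(secret, message), bits)
        print(f"{bits}-bit key: found {found} after {trials} of {keyspace(bits)} trials")
    for bits, years in work_table().items():
        print(f"{bits:>3}-bit keyspace: {years:.3e} years at 1e9 guesses/s")
```

Each extra key bit doubles the number of trials, which is why the three-bit key falls at once while the same loop is hopeless against a 128-bit key.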

3.7 Cryptographic Tools
The ability to conceal the contents of sensitive messages and verify the contents of messages and the
identities of their senders can be important in all areas of business. To be useful, these cryptographic
capabilities must be embodied in tools that allow IT and information security practitioners to apply the
elements of cryptography in the everyday world of computing. This section covers some of the widely used
tools that bring the functions of cryptography to the world of information systems.
3.7.1 Public Key Infrastructure (PKI)
Key Terms
i. Certificate Authority (CA): In PKI, a third party that manages users’ digital certificates.
ii. Certificate Revocation List (CRL): In PKI, a published list of revoked or terminated digital
certificates.
iii. Digital Certificates: Public-key container files that allow PKI system components and end users
to validate a public key and identify its owner.
iv. Public Key Infrastructure (PKI): An integrated system of software, encryption methodologies,
protocols, legal agreements, and third-party services that enables users to communicate securely
through the use of digital certificates.
v. Registration Authority (RA): In PKI, a third party that operates under the trusted collaboration
of the certificate authority and handles day-to-day certification functions.

Public key infrastructure (PKI) systems are based on public-key cryptosystems and include digital
certificates and certificate authorities (CAs). Digital certificates allow the PKI components and their users
to validate keys and identify key owners. (Digital certificates are explained in more detail later in this
chapter.) PKI systems and their digital certificate registries enable the protection of information assets by
making verifiable digital certificates readily available to business applications. This, in turn, allows the
applications to implement several key characteristics of information security and integrate these
characteristics into the following business processes across an organization:
• Authentication: Individuals, organizations, and Web servers can validate the identity of each party in an
Internet transaction.
• Integrity: Content signed by the certificate is known not to have been altered while in transit from host to
host or server to client.
• Privacy: Information is protected from being intercepted during transmission.
• Authorization: The validated identity of users and programs can enable authorization rules that remain in
place for the duration of a transaction; this reduces overhead and allows for more control of access
privileges for specific transactions.
• Nonrepudiation: Customers or partners can be held accountable for transactions, such as online
purchases, which they cannot later dispute.
A typical PKI solution protects the transmission and reception of secure information by integrating the
following components:
• A Certificate Authority (CA), which issues, manages, authenticates, signs, and revokes users’ digital
certificates. These certificates typically contain the user name, public key, and other identifying
information.
• A Registration Authority (RA), which handles certification functions such as verifying registration
information, generating end-user keys, revoking certificates, and validating user certificates, in
collaboration with the CA.

• Certificate directories, which are central locations for certificate storage that provide a single access
point for administration and distribution.
• Management protocols, which organize and manage communications among CAs, RAs, and end users.
This includes the functions and procedures for setting up new users, issuing keys, recovering keys,
updating keys, revoking keys, and enabling the transfer of certificates and status information among the
parties involved in the PKI’s area of authority.
• Policies and procedures, which assist an organization in the application and management of certificates,
in the formalization of legal liabilities and limitations, and in actual business use.

Common implementations of PKI include systems that issue digital certificates to users and servers,
directory enrollment, key issuing systems, tools for managing key issuance, and verification and return of
certificates. These systems enable organizations to apply an enterprise-wide solution that allows users
within the PKI’s area of authority to engage in authenticated and secure communications and transactions.
The CA performs many housekeeping activities regarding the use of keys and certificates that are issued
and used in its zone of authority. Each user authenticates himself or herself with the CA. The CA can issue
new or replacement keys, track issued keys, provide a directory of public-key values for all known users,
and perform other management activities. When a private key is compromised or the user loses the
privilege of using keys in the area of authority, the CA can revoke the user’s keys. The CA periodically
distributes a certificate revocation list (CRL) to all users. When important events occur, specific
applications can make a real-time request to the CA to verify any user against the current CRL.
The issuance of certificates and their keys by the CA enables secure, encrypted, nonrepudiable e-business
transactions. Some applications allow users to generate their own certificates and keys, but a key pair
generated by the end user can only provide nonrepudiation, not reliable encryption. A central system
operated by a CA or RA can generate cryptographically strong keys that are considered independently
trustworthy by all users, and can provide services for users such as private-key backup, key recovery, and
key revocation.
The strength of a cryptosystem relies on both the raw strength of its key’s complexity and the overall
quality of its key management security. PKI solutions can provide several mechanisms for limiting access
and possible exposure of the private keys. These mechanisms include password protection, smart cards,
hardware tokens, and other hardware-based key storage devices that are memory-capable, like flash
memory or PC memory cards. PKI users should select the key security mechanisms that provide an
appropriate level of key protection for their needs. Managing the security and integrity of the private keys
used for nonrepudiation or the encryption of data files is critical to successfully using the encryption and
nonrepudiation services within the PKI’s area of trust.

Lecture 4
4.1 Digital Signature and Authentication protocol
A digital signature is an electronic, encrypted stamp of authentication on digital information such as
messages. The digital signature confirms the integrity of the message.
This signature ensures that the information originated from the signer and was not altered, which proves the
identity of the organization that created the digital signature. Any change made to the signed data invalidates
the whole signature.
The use of digital signatures is important because they can ensure end-to-end message integrity, and can
also provide authentication information about the originator of a message. To be the most effective, the
digital signature must be part of the application data so that it is generated at the time the message is created.
Then, the signature is verified at the time the message is received and processed. You can choose to sign the
entire message, or sign parts of the message (even overlapping parts of a message can be signed). You can
choose to sign only parts of a message if a part of the message must be modified before it reaches the
consumer. In this scenario, if the entire message was signed, the whole signature is invalidated if even one
part of the message is modified. You can specify partial signatures for a message by specifying an ID
attribute for every element that you want to sign and adding a reference.
Note that signed messages with a valid time stamp are considered to have valid signatures, regardless of the
age or revocation status of the signing certificate.

4.1.1 The steps of the digital signature process are as follows:


1. The sender computes a message digest (with an algorithm such as RSA or SHA1) and then encrypts
the digest with their private key, which forms the digital signature. Multiple signatures and signature
formats can be attached to a message, each referencing different (or even overlapping) parts of the
message.
2. The sender transmits the digital signature with the message.
3. The receiver decrypts the digital signature with the public key of the sender, thus regenerating the
message digest.
4. The receiver computes a message digest from the message data that was received, and verifies that
the two digests are the same. If these digests match, the message is both intact and authentic.
When a content creator digitally signs a message, the signature must meet the following criteria to be valid:
• The certificate that is associated with the digital signature is current (not expired).
• The certificate that is associated with the digital signature is issued to the signing publisher by a
reputable certificate authority (CA). The CA signs certificates that it issues. The signature consists of
a data string that is encrypted with the private key of the CA. Any user can then verify the signature
on the certificate by using the CA public key to decrypt the signature.
• The publisher (the signing organization) is trusted.
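
The four signing steps and the three validity criteria above, together with the property from section 3.6.2 that what one key of a pair does only the other key undoes, as an added Python example that is not part of the original lecture note. It assumes unpadded textbook RSA over fixed Mersenne primes with SHA-256 as the digest, so it runs on the standard library alone and is for study only; all names, day-number dates, keys and the message are constructed.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # widely used RSA public exponent


def make_keypair(p: int, q: int):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # knowing p and q is the trapdoor that yields d
    return (E, n), (d, n)


def apply_key(value: int, key) -> int:
    """The single RSA operation, used with either key of a pair."""
    exponent, modulus = key
    return pow(value, exponent, modulus)


def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, private_key) -> int:
    """Steps 1-2: compute the digest, then transform it with the private key."""
    return apply_key(digest(data), private_key)


def verify(data: bytes, signature: int, public_key) -> bool:
    """Steps 3-4: recover the digest with the public key, compare with a fresh one."""
    return apply_key(signature, public_key) == digest(data)


@dataclass(frozen=True)
class Certificate:
    subject: str
    public_key: tuple
    not_after: int            # expiry as a day number (constructed time scale)
    issuer: str
    ca_signature: int = 0

    def to_be_signed(self) -> bytes:
        e, n = self.public_key
        return f"{self.subject}|{e}|{n}|{self.not_after}|{self.issuer}".encode()


def issue(subject, public_key, not_after, ca_name, ca_private) -> Certificate:
    """The CA signs the certificate fields with its own private key."""
    body = Certificate(subject, public_key, not_after, ca_name)
    return Certificate(subject, public_key, not_after, ca_name,
                       sign(body.to_be_signed(), ca_private))


def check_signed_message(message, signature, cert, today, trusted_cas, trusted_publishers):
    """Return the list of failed checks; an empty list means the signature is valid."""
    failures = []
    if today > cert.not_after:
        failures.append("certificate expired")
    ca_public = trusted_cas.get(cert.issuer)
    if ca_public is None or not verify(cert.to_be_signed(), cert.ca_signature, ca_public):
        failures.append("certificate not issued by a trusted CA")
    if cert.subject not in trusted_publishers:
        failures.append("publisher not trusted")
    if not verify(message, signature, cert.public_key):
        failures.append("message digest mismatch")
    return failures


# Constructed sample data: toy keys built from Mersenne primes, never use such keys in practice.
CA_PUBLIC, CA_PRIVATE = make_keypair(2**521 - 1, 2**607 - 1)
PUB_PUBLIC, PUB_PRIVATE = make_keypair(2**1279 - 1, 2**2203 - 1)
TRUSTED_CAS = {"Example Root CA": CA_PUBLIC}
TRUSTED_PUBLISHERS = {"XYZ Corporation"}
CERT = issue("XYZ Corporation", PUB_PUBLIC, 200, "Example Root CA", CA_PRIVATE)
MESSAGE = b"Transfer 100 units to ABC Corporation"
SIGNATURE = sign(MESSAGE, PUB_PRIVATE)

if __name__ == "__main__":
    args = (CERT, 100, TRUSTED_CAS, TRUSTED_PUBLISHERS)
    print("intact  :", check_signed_message(MESSAGE, SIGNATURE, *args))
    print("altered :", check_signed_message(MESSAGE + b"0", SIGNATURE, *args))
```

Production systems use a vetted library with a padded signature scheme rather than raw modular exponentiation.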

4.2 Authentication protocol


An authentication protocol is a type of computer communications protocol or cryptographic protocol
specifically designed for transfer of authentication data between two entities. It allows the receiving entity
to authenticate the connecting entity (e.g. Client connecting to a Server) as well as authenticate itself to the
connecting entity (Server to a client) by declaring the type of information needed for authentication as well
as syntax. It is the most important layer of protection needed for secure communication within computer
networks.

User authentication is the first priority when responding to a request made by a user to a software
application. Several mechanisms exist to authenticate access before access to the data is provided.
In this section, we will explore the most common authentication protocols and their merits and
demerits.
4.2.1. Kerberos :
Kerberos is a protocol that aids in network authentication. It is used for validating clients and servers
on a network by means of a cryptographic key. It is designed to provide strong authentication for
applications. An implementation of the Kerberos protocol is openly available from MIT
and is used in many mass-produced products.

Some advantages of Kerberos :


• It supports various operating systems.
• The authentication key is shared much more efficiently than with public sharing.
Some disadvantages of Kerberos :
• It is used only to authenticate clients and the services used by them.
• It is vulnerable to soft or weak passwords.
4.2.2. Lightweight Directory Access Protocol (LDAP) :
LDAP refers to Lightweight Directory Access Protocol. It is a protocol used for locating
individuals, organizations, and other devices on a network, whether on the public or a corporate
internet. It is used as Directories-as-a-Service and is the basis on which Microsoft built Active
Directory.

Some advantages of LDAP :
• It is an automated protocol, which makes it easier to modernize.
• It supports existing technologies and allows multiple directories.
Some disadvantages of LDAP :
• It requires deployment experience.
• The directory servers are required to be LDAP compliant for deployment.
4.2.3. Open Authorization (OAuth2)
Open Authorization (OAuth), as the name suggests, is an authorization framework that promotes granting
limited access to a user's account through an HTTP service. When a user requests access to
resources, an API call is made and the authentication token is then passed.

Some advantages of OAuth2 :


• It is a simple protocol and is easy to implement.
• It provides server-side authorization of code.
Some disadvantages of OAuth2 :
• It is vulnerable when managing different sets of code.
• It shows serious effects on sites connected to another affected system.

4.2.4. Security Assertion Markup Language (SAML)


SAML stands for Security Assertion Markup Language, an XML-based authentication
data format that provides authorization between an identity provider and a service provider. It is
a product of the OASIS Security Services Technical Committee.

Some advantages of SAML :
• It reduces the administrative costs for the end-users.
• It provides a single sign-in for authenticating across service providers.
Some disadvantages of SAML :
• It is dependent on the identity provider.
• All the data is managed in a single XML format.
4.2.5. RADIUS :
RADIUS stands for Remote Authentication Dial-In User Service. It is a network protocol that provides
centralized Authentication, Accounting, and Authorization for users who connect to and use network
services. The protocol comes into play when a user requests access to network resources: the
RADIUS server encrypts the credentials entered by the user. The credentials are then
mapped against the local database, and access is provided.

Some advantages of RADIUS :


• It is a great mechanism for providing multiple access for Admins.
• It provides a unique identity to each user in a session.
Some disadvantages of RADIUS :
• Initial implementation of this mechanism is hard on hardware.
• It has a variety of models that may require a special team, which is costly.
Differentiating between the protocols will not do them justice, because the choice depends on the use
of the application and the purpose for which it is being used.

Lecture 5
5.1 Network Security

Network security is about protecting an organization’s computer networks from intrusion using data and
access controls. Examples include Data Loss Prevention (DLP), IAM (Identity Access Management), NAC
(Network Access Control), and NGFW (Next-Generation Firewall) application controls to enforce safe web use
policies.

Network security is also the protection of the underlying networking infrastructure from unauthorized access,
misuse, or theft. It involves creating a secure infrastructure for devices, users, and applications to
work in a secure manner.

5.1.1 How does network security work?


Network security combines multiple layers of defenses at the edge and in the network. Each network security
layer implements policies and controls. Authorized users gain access to network resources, but malicious actors
are blocked from carrying out exploits and threats.
How do I benefit from network security?
Digitization has transformed our world. How we live, work, play, and learn have all changed. Every
organization that wants to deliver the services that customers and employees demand must protect its network.
Network security also helps you protect proprietary information from attack. Ultimately it protects your
reputation.

5.2 Types of network security


i. Firewalls
A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether
to allow or block specific traffic based on a defined set of security rules. Cisco offers both threat-focused
firewalls and Unified Threat Management (UTM) devices.

ii. Intrusion prevention systems
An intrusion prevention system (IPS) scans network traffic to actively block attacks. Secure IPS appliances do
this by correlating huge amounts of global threat intelligence to not only block malicious activity but also track
the progression of suspect files and malware across the network to prevent the spread of outbreaks and
reinfection.
iii. Workload security
Workload security protects workloads moving across different cloud and hybrid environments. These distributed
workloads have larger attack surfaces, which must be secured without affecting the agility of the business.

iv. NetWORK security


NetWORK security is Cisco's vision for simplifying network, workload, and multicloud security by delivering
unified security controls to dynamic environments.

v. SecureX
SecureX is a cloud-native, built-in platform that connects the Cisco Secure portfolio and your infrastructure. It
allows you to radically reduce dwell time and human-powered tasks.

vi. Network segmentation


Software-defined segmentation puts network traffic into different classifications and makes enforcing security
policies easier. Ideally, the classifications are based on endpoint identity, not mere IP addresses. You can assign
access rights based on role, location, and more so that the right level of access is given to the right people and
suspicious devices are contained and remediated.

vii. VPN
A virtual private network encrypts the connection from an endpoint to a network, often over the internet.
Typically, a remote-access VPN uses IPsec or Secure Sockets Layer to authenticate the communication between
device and network.

viii. Access control


Not every user should have access to your network. To keep out potential attackers, you need to recognize each
user and each device. Then you can enforce your security policies. You can block noncompliant endpoint devices
or give them only limited access. This process is network access control (NAC).

ix. Anti-virus and anti-malware software


"Malware," short for "malicious software," includes viruses, worms, Trojans, ransomware, and spyware.
Sometimes malware will infect a network but lie dormant for days or even weeks. The best antimalware
programs not only scan for malware upon entry, but also continuously track files afterward to find anomalies,
remove malware, and fix damage.
x. Application security
Any software you use to run your business needs to be protected, whether your IT staff builds it or whether you
buy it. Unfortunately, any application may contain holes, or vulnerabilities, that attackers can use to infiltrate
your network. Application security encompasses the hardware, software, and processes you use to close those
holes.

Application security offers protection for web applications to prevent data or code from being stolen or manipulated.
These safeguards are implemented during the software development process but involve patches, upgrades, and
other approaches to protect apps after deployment.
xi. Behavioral analytics
To detect abnormal network behavior, you must know what normal behavior looks like. Behavioral analytics tools
automatically discern activities that deviate from the norm. Your security team can then better identify indicators of
compromise that pose a potential problem and quickly remediate threats.
xii. Cloud security
Cloud security is a broad set of technologies, policies, and applications applied to defend online IP, services,
applications, and other imperative data. It helps you better manage your security by shielding users against threats
anywhere they access the internet and securing your data and applications in the cloud.

It is also the process of protecting data stored in the cloud from unauthorized access. While cloud computing providers
manage the infrastructure, organizations that use their services must take extra precautions to secure their data.

xiii. Data loss prevention
Organizations must make sure that their staff does not send sensitive information outside the network. Data loss
prevention, or DLP, technologies can stop people from uploading, forwarding, or even printing critical information
in an unsafe manner.

xiv. Email security


Email gateways are the number one threat vector for a security breach. Attackers use personal information and social
engineering tactics to build sophisticated phishing campaigns to deceive recipients and send them to sites serving up
malware. An email security application blocks incoming attacks and controls outbound messages to prevent the loss
of sensitive data.

xv. Industrial network security


As you are digitizing your industrial operations, the deeper integration between IT, cloud, and industrial networks is
exposing your Industrial Control Systems (ICS) to cyber threats. You need full visibility into your OT security
posture to segment the industrial network, and feed IT security tools with rich details on OT devices and behaviors.

xvi. Mobile device security


Cybercriminals are increasingly targeting mobile devices and apps. Within the next three years, 90 percent of IT
organizations may support corporate applications on personal mobile devices. Of course, you need to control which
devices can access your network. You will also need to configure their connections to keep network traffic private.

This is the process of employing user authentication and authorization across mobile devices, which is especially
important as companies increasingly allow remote workers to use home Wi-Fi networks.

xvii. Security information and event management


SIEM products pull together the information that your security staff needs to identify and respond to threats. These
products come in various forms, including physical and virtual appliances and server software.

xviii. Web security


A web security solution will control your staff's web use, block web-based threats, and deny access to malicious
websites. It will protect your web gateway on site or in the cloud. "Web security" also refers to the steps you take to
protect your own website.

xix. Wireless security
Wireless networks are not as secure as wired ones. Without stringent security measures, installing a wireless LAN
can be like putting Ethernet ports everywhere, including the parking lot. To prevent an exploit from taking hold, you
need products specifically designed to protect a wireless network.

xx. Infrastructure Security

Infrastructure security is the process of safeguarding critical systems and assets from cyber threats. This
typically includes hardware and software assets such as end-user devices, data center resources, networking
systems, and cloud services. Organizations must also protect their assets from physical threats such as natural
disasters, utility outages, theft, or vandalism.

xxi. Internet of Things (IoT) Security

IoT-enabled devices, such as smart speakers, can be hacked and used to spy on people, as allowing devices to
connect to the internet creates an additional attack surface for cybercriminals to exploit. IoT security seeks to
end this.

6.0 Lecture 6 Concept of Cybersecurity
6.1 What is Cyber Security?
According to the ITU, Cyber security refers to the collection of tools, policies, security concepts, security
safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and
technologies that can be used to protect the cyber environment and organization and user’s assets.
Organization and user’s assets include connected computing devices, personnel, infrastructure,
applications, services, telecommunications systems, and the totality of transmitted and/or stored
information in the cyber environment. Cyber security strives to ensure the attainment and maintenance of
the security properties of the organization and user’s assets against relevant security risks in the cyber
environment - the internet. Cyber Security can also be described as the body of technologies, processes and
practices designed to protect networks, computers, programs and data from attack, damage or unauthorized
access. ITU also notes that the general objectives of Cyber Security are: Availability; Integrity, (which may
include authenticity and non-repudiation) and Confidentiality.

6.1.1 Three Pillars of Cybersecurity: The Foundation of Effective Cybersecurity

Cybersecurity is a framework that requires the marshaling of resources in a coordinated manner. Let’s
break down what that looks like:
i. People
Organizations hire trained cybersecurity professionals to design and implement cybersecurity frameworks.
They must also train their employees to recognize phishing scams and social engineering. People tend to be
the weakest link in an organization’s cyber resiliency.
ii. Processes
Processes and policies provide the frameworks for cybersecurity governance. These processes range from
preventative strategies to avoid cyberattacks to real-time interventions in the event of cybercrime to
identify and eliminate an intruder.
iii. Technology
Technology refers to the IT infrastructure (hardware and software) organizations use to achieve
cybersecurity. Examples include antivirus software and defensive AI that scans computer networks for
anomalous behaviors and learns from prior cyberattacks. Cloud encryption technology secures data stored
in the cloud by turning the information into unreadable code before it is stored.

6.1.2 The Three Primary Objectives of Cybersecurity

The CIA triad is a common model that explains the main objectives of any cybersecurity framework. This
model helps security teams ensure all bases are covered using security best practices.
i. Confidentiality
Organizations must protect proprietary information and their consumers’ personal data. Access must be
restricted to authorized users, and robust authentication protocols and user permission controls are needed
to keep intruders out. For example, employees in unrelated departments should not have access to certain
data because it could be liable to exploitation.
ii. Integrity
Data must be accurate, trustworthy, and free from tampering. Data integrity can be maintained with access
control and encryption. In some cases, data may be protected physically from outside sources that might
corrupt it (particularly for businesses that use on-premise servers rather than cloud storage).
iii. Availability
Systems, applications, and networks must function normally and must not have been shut down by
attackers. Data should be available to authorized users whenever they require it.

6.2 The Cybersecurity Process (NIST Cybersecurity Framework)

The NIST framework consists of standards, guidelines, and best practices to mitigate cybersecurity risk.
The framework comes from the National Institute of Standards and Technology, a government agency
formed by the U.S. Department of Commerce that develops cybersecurity standards for businesses, federal
agencies, and the broader public. Here’s what that looks like in practice:

i. Identify
Determine the nature of the threat and identify the assets that need protection.
ii. Protect
Implement appropriate security controls to protect the compromised asset and restore system function.
iii. Detect
Determine the nature and impact of the threat. Implement continuous monitoring capabilities to track
security events and see if protective measures are working.

iv. Respond
Develop techniques to oust the intruder and limit the impact of the threat (threat containment).
v. Recover
This is the process of restoring any systems and services that were impaired during the attack and
implementing improvements based on lessons learned.

Cybersecurity Types

Cybersecurity can be categorized into five distinct strategies. Organizations often need a combination of
approaches to secure themselves.

6.3 Cyber-Attack
A cyber-attack can be defined as an attack initiated from a computer against a website, computer system or
individual computer (collectively, a single computer) that compromises the confidentiality, integrity or availability
of the computer or information stored on it. They further noted that cyber-attacks may take the following forms:
i. Gaining, or attempting to gain, unauthorized access to a computer system or its data.
ii. Unwanted disruption or denial of service attacks, including the take down of entire web sites;
iii. Installation of viruses or malicious code (malware) on a computer system;
iv. Unauthorized use of a computer system for processing or storing data;
v. Changes to the characteristics of a computer system’s hardware, firmware or software without the owner’s
knowledge, instruction or consent;
vi. Inappropriate use of computer systems by employees or former employees.

Cyber-attacks can be categorized by state and origin as follows:


6.3.1 Active and Passive Attacks.
An "active" attack aims to alter system resources or affect their operation. Conversely, a "passive" attack seeks
to use information from a system but does not affect that system’s resources. Instead, passive attacks aim to
obtain data for an off-line attack. For example, hackers typically use packet inspection and analysis to facilitate
offline review of security protocols and thus fine-tune exploits.

6.3.2 Inside and Outside Attacks


We may also characterize attacks according to their initiation point. The Internet Security Glossary describes
an “Inside Attack” as one that is initiated by an entity inside the security perimeter (an "insider"). Insider
attacks are difficult to defend against because the culprits misuse the access privileges obtained for legitimate
business functions.

In contrast, unauthorized or illegitimate users initiate "outside attacks” outside the security perimeter. Outsider
attackers include hackers, organized criminal groups and States. The attack types are not mutually exclusive as
outsiders often rely on insiders.

6.4 Main Cyber Threats


Cybercriminals are continuously changing their strategies and uncovering new attack vectors.
The term cyber threats refers to persons who attempt unauthorized access to a control system device and/or
network using a data communications pathway.
This access can be directed from within an organization by trusted users or from remote locations by
unknown persons using the Internet. Threats to control systems can come from numerous sources, including
hostile governments, terrorist groups, disgruntled employees, and malicious intruders (ICS-CERT). Cyber
threats could be further differentiated by character, impact, origin and actor as follows:

6.4.1 Accidental or Intentional Threats


Accidental threats occur without premeditated intent. For example, system or software malfunctions and
physical failures. However, intentional threats result from deliberate acts against the security of an asset.
Intentional threats range from casual examination of a computer network using easily available monitoring
tools, to sophisticated attacks using special system knowledge. Intentional threats that materialize become
attacks.

6.4.2 Active or Passive Threats


Active threats are the ones that result in some change to the state or operation of a system, such as the
modification of data and the destruction of physical equipment. Conversely, passive threats do not involve a
change of state to the equipment.
Passive threats aim to glean information from a system without affecting the resources of the system.
Common passive threat techniques include eavesdropping, wiretapping and deep packet analysis or
inspections. Successful passive threats become passive attacks.

6.5 Security Risk


Cyber security risk is the probability of exposure or loss resulting from a cyber-attack or data breach on your
organization. A better, more encompassing definition is the potential loss or harm related to technical
infrastructure, use of technology or reputation of an organization.

Security Risk refers to the probability that a threat will exploit a vulnerability to breach the security of an asset.
It is important for States to manage cyber risks. However, as most readers know, functional IT systems operate
with a degree of exposure to threats because full elimination of risk is either too expensive or undesirable. As
such, a national cyber security strategy is the first step in ensuring that all stakeholders assume responsibility for
and take steps to reduce risk.

Here are some of the most common cyber security risks:
i. Malware

Malware is any malicious software designed to infiltrate computer networks to steal data or cause damage.
Some examples include viruses, worms, spyware, adware, and ransomware.

ii. Phishing

Phishing is the process of sending fraudulent communications that purport to come from a trusted source but
are in fact embedded with malware. Phishing emails typically contain links to a spoofed website (a fake
website made to look like the original) to persuade the victim to divulge their personal information.

iii. Denial-of-Service (DoS) Attack

A DoS attack occurs when hackers flood a server with internet traffic to prevent legitimate users from
accessing a website or application. DDoS uses a network of “zombie” computers coordinated by multiple
botnet machines that instruct infected computers to flood a website with fake requests.

iv. Data Breaches
Hackers often attempt to gain access to a company’s servers or cloud storage to steal sensitive or confidential
information. This is called a data breach.
SQL Injection

A code injection technique that can destroy a database. It allows an attacker to interfere with the queries an
application makes to its database by inserting malicious SQL statements into an entry field for execution (i.e.
instructing the database to dump the database contents to the attacker).

v. Ransomware

Ransomware is any type of malware that restricts access to a computer system, locks authorized users out of
the system, or severely hampers system performance. Attackers will demand a ransom in exchange for the
restoration of access.
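
The SQL Injection item above, shown as an added example (not part of the original lecture note): the same lookup written with string concatenation and with a bound parameter, run against an in-memory SQLite database. The table, rows, function names and test inputs are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", [
        ("alice", "alice@example.test"),
        ("bob", "bob@example.test"),
        ("o'brien", "obrien@example.test"),
    ])
    return conn

def lookup_concatenated(conn, name):
    """Weak form: the entry-field text becomes part of the SQL statement."""
    query = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn, name):
    """Hardened form: the text is bound as data and never parsed as SQL."""
    return conn.execute(
        "SELECT name, email FROM customers WHERE name = ?", (name,)).fetchall()

def compare(conn, name):
    """Return (row count from weak form, row count from hardened form).

    A count is replaced by the string 'error' when the statement fails to parse.
    """
    results = []
    for lookup in (lookup_concatenated, lookup_parameterized):
        try:
            results.append(len(lookup(conn, name)))
        except sqlite3.Error:
            results.append("error")
    return tuple(results)

if __name__ == "__main__":
    db = make_db()
    # An ordinary name, a legitimate name containing a quote, and an
    # entry-field value that changes the meaning of the WHERE clause.
    for text in ("alice", "o'brien", "x' OR '1'='1"):
        print(repr(text), compare(db, text))
```

With the concatenated query, a quote in the entry field either breaks the statement or rewrites its condition so that every row is returned; the parameterized query treats all three inputs as plain names.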

6.5.1 Threat Source
A threat source could be regarded as an entity that desires to breach information or physical assets’ security
controls. The threat source ultimately aims to benefit from the breach, for example financially.

6.5.2 Threat Actor


A Cyber threat actor is an entity that actually performs the attack or, in the case of accidents, will exploit the
accident. For example, if an organized crime group corrupts an employee, then the group is the Threat Source
and the employee is the Threat Actor.

6.5.3 Vulnerability
The intentions of threat sources and threat actors often materialize into attacks largely because they exploit
weaknesses in the security controls. The weakness may include lack of software patching and poor
configuration. Even sound technical controls may fail if social engineering attacks dupe staff with weak
knowledge into breaching security.

6.6 Cyber security Response Teams

1. Computer Emergency Response Team [CERT]


A Computer Emergency Response Team [CERT] is basically an expert group which handles computer
security incidents. They are human counterparts to anti-virus software in the sense that when new viruses or
computer security threats are discovered, these teams document these problems and work to fix them. Because
these teams are made up of people who can react to new situations, they are much more capable of
dealing with new virus threats than anti-virus programs would be by themselves.

According to Cert.org the primary goals of CERT include:

i. Establishing a capacity to quickly and effectively coordinate communication among experts during security
emergencies in order to prevent future incidents;
ii. Building awareness of security issues across the internet community.

Other functions include:


i. Developing the cyber incident response plan;
ii. Identifying and classifying cyber-attack scenarios;
iii. Determining the tools and technology used to detect and prevent attacks;
iv. Promoting cyber-security awareness;
v. Determining scope for investigations and conducting investigations within the scope once attack occurs.

2. Cyber Incident Response Team [CIRT]


A Cyber Response Team is responsible for developing the written cyber incident response plan, investigating
and responding to cyber-attacks in accordance with that plan.
More specifically, some of the roles of CIRT are outlined below:

i. Developing the cyber incident response plan;
ii. Identifying and classifying cyber-attack scenarios;
iii. Determining the tools and technology used to detect and prevent attacks;
iv. Promoting cyber-security awareness;
v. Determining scope for investigations and conducting investigations within the scope once attack
occurs.

3. ITU- IMPACT Alliance


ITU and the International Multilateral Partnership against Cyber Threats (IMPACT) signed an agreement on
September 3rd 2008, which made IMPACT the Global Cyber Security Agenda (GCA) operational home and
had tasked IMPACT with the responsibility to operationalize the various initiatives under the GCA. The
GCA is an international Cyber Security framework that was formulated following deliberations by more than
100 leading experts worldwide. The GCA contains many recommendations, which when adopted and
appropriately implemented, would result in improved Cyber Security for the global community of nations.

Furthermore on September 8th 2011, IMPACT formally became the Cyber Security executing arm of ITU in
a landmark agreement that was signed during the World Summit for Information Society 2011 (WSIS) Forum
in Geneva, May 2011. IMPACT is tasked by ITU with the responsibility of providing Cyber Security
assistance and support to ITU’s 193 Member States and also to other organizations within the UN system.

Lecture 7
7.0 Authentication Applications
Two authentication applications are discussed here:
1. Kerberos – a private-key authentication service
2. X.509 – a public-key directory authentication service
7.1 A Kerberos is a system or router that provides a gateway between users and the internet.
Therefore, it helps prevent cyber attackers from entering a private network. It is a server, referred to as an
“intermediary” because it goes between end-users and the web pages they visit online.
What Is Kerberos?
In mythology, Kerberos (also known as Cerberus) is a large, three-headed dog that guards the gates to the
underworld to keep souls from escaping. In our world, Kerberos is the computer network authentication
protocol initially developed in the 1980s by Massachusetts Institute of Technology (MIT) computer
scientists. The idea behind Kerberos is to authenticate users while preventing passwords from being sent
over the internet.

Kerberos provides a centralized authentication server whose function is to authenticate users to servers and
servers to users. Kerberos relies exclusively on conventional encryption, making no use of public-key
encryption.

7.1.1 The requirements for Kerberos


The following are the requirements for Kerberos:
i. Secure: A network eavesdropper should not be able to obtain the necessary information to impersonate a
user. More generally, Kerberos should be strong enough that a potential opponent does not find it to be the
weak link.
ii. Reliable: For all services that rely on Kerberos for access control, lack of availability of the Kerberos
service means lack of availability of the supported services. Hence, Kerberos should be highly reliable and
should employ a distributed server architecture, with one system able to back up another.
iii. Transparent: Ideally, the user should not be aware that authentication is taking place,
beyond the requirement to enter a password.
iv. Scalable: The system should be capable of supporting large numbers of clients and servers. This
suggests a modular, distributed architecture.

7.1.2 Versions of Kerberos


Two versions of Kerberos are in common use. Version 4 implementations still exist. Version 5 corrects
some of the security deficiencies of version 4 and has been issued as a proposed Internet Standard.

i. Kerberos: Version 4
Kerberos Version 4 makes use of Data Encryption Standard (DES), in a rather elaborate protocol, to provide
the authentication service. Viewing the protocol as a whole, it is difficult to see the need for the many
elements contained therein. Therefore, we adopt a strategy used by Bill Bryant of Project Athena and build up
to the full protocol by looking first at several hypothetical dialogues. Each successive dialogue adds
additional complexity to counter security vulnerabilities revealed in the preceding dialogue. After examining
the protocol, we look at some other aspects of version 4.

7.1.3 A Simple Authentication Dialogue
In an unprotected network environment, any client can apply to any server for service. The obvious security risk
is that of impersonation. An opponent can pretend to be another client and obtain unauthorized privileges on
server machines. To counter this threat, servers must be able to confirm the identities of clients who request
service. Each server can be required to undertake this task for each client/server interaction, but in an open
environment, this places a substantial burden on each server.
An alternative is to use an authentication server (AS) that knows the passwords of all users and stores these in a
centralized database. In addition, the AS shares a unique secret key with each server. These keys have been
distributed physically or in some other secure manner. Consider the following hypothetical dialogue.

The portion to the left of the colon indicates the sender and receiver; the portion to the right indicates the
contents of the message, the symbol || indicates concatenation.
(1) C→AS: IDC||PC||IDV
(2) AS→C: Ticket
(3) C→V: IDC||Ticket
Ticket = E(Kv, [IDC||ADC||IDV])
where
C = client
AS = authentication server
V = server
IDC = identifier of user on C
IDV = identifier of V
PC = password of user on C
ADC = network address of C
Kv = secret encryption key shared by AS and V

• Authentication Server (AS): knows the passwords of all users and stores these in a centralized database.
• The AS shares a unique secret key with each server.
• Step 1: The client module C in the user’s workstation requests the user’s password and then sends a message
to the AS that includes the user’s ID, the server’s ID, and the user’s password.
• Step 2: The AS checks its database to see if the user has supplied the proper password for this user ID and
whether this user is permitted access to server V.
• Step 3: If both tests are passed, the AS accepts the user as authentic and must now convince the server that this
user is authentic. To do so, the AS creates a ticket that contains the user’s ID and network address and the
server’s ID.
• Step 4: This ticket is encrypted using the secret key shared by the AS and this server.
• Step 5: This ticket is then sent back to C.
• Step 6: With this ticket, C can now apply to V for service. C sends a message to V containing C’s ID and the
ticket.
• Step 7: V decrypts the ticket and verifies that the user ID in the ticket is the same as the unencrypted user ID
in the message.
• Step 8: If these two match, the server considers the user authenticated and grants the requested service.

In this scenario, the user logs on to a workstation and requests access to server V. The client module C in the
user's workstation requests the user's password and then sends a message to the AS that includes the user's
ID, the server's ID, and the user's password. The AS checks its database to see if the user has supplied the
proper password for this user ID and whether this user is permitted access to server V. If both tests are
passed, the AS accepts the user as authentic and must now convince the server that this user is authentic. To
do so, the AS creates a ticket that contains the user's ID and network address and the server's ID. This ticket
is encrypted using the secret key shared by the AS and this server. This ticket is then sent back to C. Because
the ticket is encrypted, it cannot be altered by C or by an opponent. With this ticket, C can now apply to V for
service. C sends a message to V containing C's ID and the ticket. V decrypts the ticket and verifies that the
user ID in the ticket is the same as the unencrypted user ID in the message. If these two match, the server
considers the user authenticated and grants the requested service. Each of the ingredients of message (3) is
significant. The ticket is encrypted to prevent alteration or forgery. The server's ID (IDV) is included in the
ticket so that the server can verify that it has decrypted the ticket properly. IDC is included in the ticket to
indicate that this ticket has been issued on behalf of C. Finally, ADC serves to counter the following threat.
An opponent could capture the ticket transmitted in message (2), then use the name IDC and transmit a
message of form (3) from another workstation. The server would receive a valid ticket that matches the user
ID and grant access to the user on that other workstation. To prevent this attack, the AS includes in the ticket
the network address from which the original request came. Now the ticket is valid only if it is transmitted
from the same workstation that initially requested the ticket.
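
The simple dialogue above, messages (1) to (3), written out as an added example that is not part of the original lecture note. The class and function names are hypothetical, the users, keys and addresses are constructed, and E(Kv, ·) is replaced by a toy HMAC-SHA256 keystream with an integrity tag (a stand-in for DES, not a production cipher) so that the block runs with the standard library alone.

```python
import hashlib
import hmac
import json
import os

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    """Toy stand-in for E(K, m): XOR with a keystream, then append an HMAC tag."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unseal(key, blob):
    """Return the plaintext, or None if the blob was altered or made under another key."""
    if len(blob) < 48:
        return None
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))

class AuthenticationServer:
    def __init__(self, passwords, server_keys, permitted):
        self.passwords = passwords      # IDC -> PC (the AS knows every password)
        self.server_keys = server_keys  # IDV -> Kv (one secret key per server)
        self.permitted = permitted      # set of (IDC, IDV) pairs allowed access

    def request_ticket(self, idc, pc, idv, source_addr):
        """Messages (1) and (2): check password and permission, return Ticket or None."""
        known = self.passwords.get(idc)
        if known is None or not hmac.compare_digest(known.encode(), pc.encode()):
            return None
        if (idc, idv) not in self.permitted or idv not in self.server_keys:
            return None
        # Ticket = E(Kv, [IDC || ADC || IDV]); JSON keeps the three fields unambiguous.
        # ADC is the address the request was observed to come from.
        fields = json.dumps([idc, source_addr, idv]).encode()
        return seal(self.server_keys[idv], fields)

class Server:
    def __init__(self, idv, kv):
        self.idv, self.kv = idv, kv

    def accept(self, idc, ticket, source_addr):
        """Message (3): grant service only if ticket, claimed ID and address agree."""
        plain = unseal(self.kv, ticket)
        if plain is None:
            return False
        t_idc, t_adc, t_idv = json.loads(plain)
        return t_idc == idc and t_idv == self.idv and t_adc == source_addr

def run_dialogue():
    """Run the dialogue with constructed users, keys and addresses."""
    kv, kw = os.urandom(32), os.urandom(32)
    auth = AuthenticationServer({"alice": "correct horse"}, {"V": kv, "W": kw},
                                {("alice", "V"), ("alice", "W")})
    v = Server("V", kv)
    ticket = auth.request_ticket("alice", "correct horse", "V", "10.0.0.5")
    ticket_w = auth.request_ticket("alice", "correct horse", "W", "10.0.0.5")
    tampered = ticket[:20] + bytes([ticket[20] ^ 1]) + ticket[21:]
    return {
        "wrong_password": auth.request_ticket("alice", "guess", "V", "10.0.0.5"),
        "legitimate": v.accept("alice", ticket, "10.0.0.5"),
        "replayed_elsewhere": v.accept("alice", ticket, "10.0.0.99"),
        "other_user_id": v.accept("bob", ticket, "10.0.0.5"),
        "ticket_for_w": v.accept("alice", ticket_w, "10.0.0.5"),
        "tampered": v.accept("alice", tampered, "10.0.0.5"),
    }

if __name__ == "__main__":
    for case, outcome in run_dialogue().items():
        print(f"{case:20} {outcome}")
```

Only the legitimate request is granted: the captured ticket presented from another workstation fails the ADC check, and a ticket altered in transit or issued for a different server does not unseal under Kv.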

Users subsequently request access to other services from the TGS on the basis of the user’s TGT.

7.2 Kerberos Version 5
Kerberos Version 5 is a protocol for improving the security in the authentication and authenticating a single
dispersed service over a network. It is commonly used in Windows 2000 and Windows XP.
Version 5 operates by allowing users on all business computing platforms to access all services in a
heterogeneous environment using a single user account database.
7.3 Difference between Kerberos Version 4 and Version 5
The following table highlights the major differences between Kerberos Version 4 and Version 5.
| Kerberos Version 4 | Kerberos Version 5 |
|---|---|
| DES encryption techniques. | Any type of encryption can be employed because the encrypted text is tagged with an encryption type identifier. |
| “Receiver-makes-right” encoding system. | ASN.1 coding system. |
| The ticket lifetime must be provided in units of 5 minutes. | The ticket lifetime is defined as an arbitrary amount of time. |
| Ticket support is satisfactory. | Ticket support is excellent and facilitates forwarding, renewing and postdating tickets. |
| Only a few IP addresses and other addresses for other sorts of network protocols are included. | Multiple IP addresses and other addresses for various network protocols are included. |
Lecture 8
8.0 Web Security
Web security refers to the protective measures and protocols that organizations adopt to protect the
organization from cyber criminals and threats that use the web channel. Web security is critical to business
continuity and to protecting data, users and companies from risk.

Web security is a broad category of security solutions that protect users, devices, and wider network
against internet-based cyberattacks—malware, phishing, and more—that can lead to breaches and data
loss.
It reduces the security risk to your organization when your users accidentally access malicious files and
websites through some combination of firewall inspection, intrusion prevention system (IPS) scanning,
sandboxing, URL filtering, and various other security and access controls.

8.1 Web security threats


Web security threats are vulnerabilities within websites and applications, or attacks launched by malicious
actors. Web security threats are designed to breach an organization’s security defenses, enabling hackers
and cyber criminals to control systems, access data and steal valuable resources. Common web security
threats include malware, ransomware, cross-site scripting (XSS), SQL injection, phishing, denial of
service and many others.

Web security is enforced by a security appliance that acts as a web proxy, sitting between users and the
Internet. This appliance can either be an on-premises or cloud-based appliance or software deployed within
the user’s web browser. Yet all that matters is that an employee’s computer is configured to send all
Internet-bound traffic through the web security system.

The web security solution’s location between a web user and the Internet provides it with a deep level of
visibility and control over web traffic. All traffic flowing through it can be inspected at the application
layer for malicious content or for actions that violate corporate policy. Approved traffic can continue on to
its intended destination, while anything else can be dropped.

8.2 What Does Web Security Include?


A web security solution should provide comprehensive protection to users against web-related cyber
threats. Some of the essential features of a web security solution include:

• URL Filtering: Cybercriminals use a variety of known-bad URLs as part of phishing campaigns or to
deliver malware. URL filtering makes it possible to block users from visiting these known-bad and other
inappropriate sites and to enforce bandwidth limitations on certain types of sites (such as video streaming).
• Application Control: Web security solutions perform traffic inspection at the application layer, which
means that they have insight into the application generating the traffic and the data that it contains. This
granular visibility makes it possible for web administrators to define application-specific rules to ensure
that access to applications and sensitive data is properly controlled both inside and outside of the
organization.

• Data Loss Prevention: Exfiltration of sensitive and proprietary data can occur in a variety of ways and
carries significant costs to an organization. Data loss prevention (DLP) solutions monitor data flows to
block potential leakages of sensitive and valuable information.
• Antivirus: Malicious websites are a major delivery vector for malware such as ransomware, trojans, and
information stealers. The antivirus built into a web security solution will inspect all traffic flowing through
it to determine if it contains known malware samples identified by unique signatures.
• SSL Introspection: A growing percentage of web traffic uses HTTPS, which encrypts the traffic to protect
it against eavesdropping. SSL introspection allows an organization’s security solutions to inspect this
encrypted web traffic, enabling them to detect and block malicious content and data exfiltration.

The web can be a dangerous place, and it poses significant risks to an organization and its employees. A
web security solution needs a wide range of features to provide effective protection against these threats.

8.3 Benefits of Web Security


A web security solution has deep visibility and granular control over Internet-bound traffic. It inspects
traffic at the application layer, providing a better understanding of its function and the data that it contains.
These capabilities provide a number of benefits to an organization and its employees, such as:

• Malicious Content Protection: Web security blocks known-bad phishing sites and drive-by downloads,
and inspects web traffic for malicious content. This helps to protect employees against malware and other
threats.
• Data Security: DLP solutions monitor movement of an organization’s sensitive data. This helps to ensure
that sensitive and valuable data is not exposed to unauthorized users.
Data Loss Prevention (DLP) solutions are security tools that help organizations to ensure that sensitive
data such as Personally Identifiable Information (PII) or Intellectual Property (IP) does not get outside the
corporate network or to a user without access.
• Regulatory Compliance: Companies need to comply with an ever-increasing number of data protection
regulations. Web security solutions help with this by providing increased visibility and control for sensitive
and protected data within an organization’s possession.
• Improved Network Performance: Application control enables network administrators to apply
application-specific policies. This allows throttling and blocking of certain sites and traffic, improving the
network performance for legitimate business traffic.
• Secure Remote Work: Web security solutions enable remote employees to work securely from anywhere.
Companies can apply and enforce corporate security policies on employee devices regardless of their
location.

8.4 Secure Socket Layer and Transport Layer Security

SSL stands for Secure Socket Layer while TLS stands for Transport Layer Security. Both Secure Socket
Layer and Transport Layer Security are the protocols used to provide security between web browsers and
web servers. The main difference between Secure Socket Layer and Transport Layer Security is that, in SSL
(Secure Socket Layer), the Message digest is used to create a master secret, and it provides the basic security
services, which are authentication and confidentiality, while in TLS (Transport Layer Security), a
pseudo-random function is used to create a master secret.

There are some differences between SSL and TLS which are given below:
| SSL | TLS |
|---|---|
| SSL stands for Secure Socket Layer. | TLS stands for Transport Layer Security. |
| SSL (Secure Socket Layer) supports the Fortezza algorithm. | TLS (Transport Layer Security) does not support the Fortezza algorithm. |
| SSL (Secure Socket Layer) is the 3.0 version. | TLS (Transport Layer Security) is the 1.0 version. |
| In SSL (Secure Socket Layer), the Message digest is used to create a master secret. | In TLS (Transport Layer Security), a Pseudo-random function is used to create a master secret. |
| In SSL (Secure Socket Layer), the Message Authentication Code protocol is used. | In TLS (Transport Layer Security), Hashed Message Authentication Code protocol is used. |
| SSL (Secure Socket Layer) is more complex than TLS (Transport Layer Security). | TLS (Transport Layer Security) is simple. |
| SSL (Secure Socket Layer) is less secured as compared to TLS (Transport Layer Security). | TLS (Transport Layer Security) provides high security. |
| SSL is less reliable and slower. | TLS is highly reliable and upgraded. It provides less latency. |
| SSL has been deprecated. | TLS is still widely used. |
| SSL uses port to set up explicit connection. | TLS uses protocol to set up implicit connection. |

8.5 IP security (IPSec)


The IP security (IPSec) is an Internet Engineering Task Force (IETF) standard suite of protocols
between 2 communication points across the IP network that provide data authentication, integrity, and
confidentiality. It also defines the encrypted, decrypted and authenticated packets. The protocols
needed for secure key exchange and key management are defined in it.
8.5.1 Uses of IP Security –
IPsec can be used to do the following things:
• To encrypt application layer data.
• To provide security for routers sending routing data across the public internet.
• To provide authentication without encryption, like to authenticate that the data originates from a
known sender.
• To protect network data by setting up circuits using IPsec tunneling in which all data sent
between the two endpoints is encrypted, as with a Virtual Private Network (VPN) connection.

IPSec provides
i. Access control: User authentication
ii. Data integrity
iii. Data origin authentication
iv. Rejection of replayed packets
v. Confidentiality (encryption)
vi. Limited traffic flow confidentiality

Benefits:
i. Security at Layer 3 ⇒ Applies to all transports/applications
ii. Can be implemented in Firewall/router ⇒ Security to all traffic crossing the perimeter
iii. Transparent to applications and can be transparent to end users
iv. Can provide security for individual users

IP Security Scenario

8.5.2 Components of IP Security –


It has the following components:
1. Encapsulating Security Payload (ESP) –
It provides data integrity, encryption, authentication and anti replay. It also provides authentication for
payload.
2. Authentication Header (AH) –
It also provides data integrity, authentication and anti replay, but it does not provide encryption. The
anti replay protection protects against unauthorized transmission of packets. It does not protect data’s
confidentiality.

3. Internet Key Exchange (IKE) –
It is a network security protocol designed to dynamically exchange encryption keys and establish a
Security Association (SA) between 2 devices. The Security Association (SA) establishes shared
security attributes between 2 network entities to support secure communication. The Internet Security
Association and Key Management Protocol (ISAKMP) provides a framework for authentication
and key exchange. ISAKMP defines how Security Associations (SAs) are set up and how direct
connections are made between two hosts that are using IPsec.

[Figure: IP Security Architecture, showing Internet Key Exchange (IKE), IPSec, the Security Association Database and the Security Policy Database]

Security Associations are used by IPSec to enforce a security policy. A higher-level Security Policy Database (SPD) specifies what security services are to be applied to IP packets and how. An SPD discriminates between traffic that is to be IPSec-protected and traffic that is allowed to bypass IPSec. If the traffic is to be IPSec-protected, the SPD also determines which specific SA the traffic should use. Each SPD entry is defined by a set of IP and upper-layer protocol field values, called selectors. In effect, these selectors are used to filter outgoing traffic in order to map it onto a particular SA.
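The selector lookup described above can be sketched as follows. This is an added example, not code from the lecture note: the addresses, SA names and SPI value are constructed, and the DISCARD action and the "NEGOTIATE" result (the point where IKE would be asked to set up a missing SA) are assumptions that follow RFC 4301's processing model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Selector:
    src: str                      # source prefix
    dst: str                      # destination prefix
    proto: Optional[str] = None   # upper-layer protocol, None = any
    dport: Optional[int] = None   # destination port, None = any

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt.get("dport")))

@dataclass(frozen=True)
class SPDEntry:
    selector: Selector
    action: str                   # "PROTECT", "BYPASS" or "DISCARD"
    sa_id: Optional[str] = None   # key into the SAD when action is PROTECT

# Constructed Security Association Database: one established SA.
SAD = {"sa-hq-branch": {"protocol": "ESP", "mode": "tunnel", "spi": 0x1001}}

# Constructed Security Policy Database, evaluated in order (first match wins).
SPD = [
    SPDEntry(Selector("10.1.0.0/16", "10.2.0.0/16"), "PROTECT", "sa-hq-branch"),
    SPDEntry(Selector("10.1.0.0/16", "172.16.0.0/12"), "PROTECT", "sa-partner"),
    SPDEntry(Selector("10.1.0.0/16", "0.0.0.0/0", "udp", 53), "BYPASS"),
    SPDEntry(Selector("0.0.0.0/0", "0.0.0.0/0"), "DISCARD"),
]

def process_outbound(pkt):
    """Map an outgoing packet to (action, SA) using the SPD selectors."""
    for entry in SPD:
        if entry.selector.matches(pkt):
            if entry.action != "PROTECT":
                return (entry.action, None)
            sa = SAD.get(entry.sa_id)
            if sa is None:
                # Policy demands protection but no SA exists yet:
                # this is where IKE would negotiate one.
                return ("NEGOTIATE", entry.sa_id)
            return ("PROTECT", sa)
    return ("DISCARD", None)      # no policy matched: drop by default

if __name__ == "__main__":
    for pkt in [
        {"src": "10.1.0.5", "dst": "10.2.3.4", "proto": "tcp", "dport": 443},
        {"src": "10.1.0.5", "dst": "198.51.100.53", "proto": "udp", "dport": 53},
        {"src": "10.1.0.5", "dst": "172.16.9.9", "proto": "tcp", "dport": 22},
        {"src": "192.0.2.7", "dst": "10.2.0.1", "proto": "tcp", "dport": 80},
    ]:
        print(pkt["src"], "->", pkt["dst"], process_outbound(pkt))
```

Entry order matters: placing the catch-all DISCARD entry first would drop every packet before the PROTECT and BYPASS policies were ever consulted.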

Lecture 9
9.0 Design of a trusted system
9.1 What is a trusted system?
A system on which we rely to enforce security policies and strategies is referred to as a trusted system. In computing, “trust” is the basis on which a user transfers information through a communication channel.
Once a trusted system is breached, the security policies governing the whole system setup are compromised.
Thus, a trusted system is the central figure in implementing an organization’s security policies, and it provides assurance, trust and security. To achieve system security, the system has to implement a layered architecture that renders eavesdropping ineffective.
When defining a trusted system, it is essential to know the difference between a trusted system and a trustworthy system. A trusted system is one whose failure breaks the entire security architecture; it is the central figure, designated “trusted” because of its role. A trustworthy system is one that can be trusted, provided it is implemented correctly. Thus, a trustworthy system can become trusted if it is implemented properly and satisfies all the security policies.

Trusted systems are based on different levels of security, as described below:
• Multilevel Security: This type of trusted system ensures that security is maintained at different levels of the computer system and that information is not put at risk. The security levels of computer systems are:
   ◦ Top Secret Level
   ◦ Secret Level
   ◦ Confidential Level
   ◦ Unclassified Level
  The levels are ordered by priority: Top Secret has the highest priority, followed by Secret, then Confidential, and Unclassified has the lowest. If security is not cleared at a particular level, the flow of information is restricted. An important point to keep in mind is that ‘Read Up’ and ‘Write Down’ are not permitted in multilevel security.
• Data Access Control: This type of trusted system provides additional security to the verified log-in process. It helps in setting permissions for different users, giving them limited access and restricting any additional access. There are three basic models of Data Access Control:
   ◦ Access Matrix: composed of three parts:
      ▪ Subject
      ▪ Object
      ▪ Access right
   ◦ Access Control List: composed of entries for objects, each showing which users have access and the level of access granted (public or private). An access control list is a column-wise split of the access matrix.
   ◦ Capability List: composed of authorised users and the operations granted to them. Users can have multiple capability tickets. A capability list is a row-wise split of the access matrix.
• Reference Monitor: This type of trusted system provides hardware-level security by limiting access to objects. The reference monitor maintains the security rules, ensuring that ‘Read Up’ and ‘Write Down’ operations are not performed. It also ensures that the entire security process that is carried out is verified and safe.
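The three ideas above (multilevel rules, the access matrix with its column-wise and row-wise splits, and the reference monitor) fit together as in the following sketch. It is an added example, not part of the lecture note, and the subjects, objects and rights are constructed sample data.

```python
from enum import IntEnum

class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

# Constructed sample data: subjects, objects and rights are hypothetical.
CLEARANCE = {"alice": Level.TOP_SECRET, "bob": Level.CONFIDENTIAL}
CLASSIFICATION = {"war_plan": Level.SECRET, "memo": Level.UNCLASSIFIED}

# Access matrix: one cell per (subject, object) holding the access rights.
MATRIX = {
    ("alice", "war_plan"): {"read", "write"},
    ("alice", "memo"): {"read"},
    ("bob", "war_plan"): {"read"},
    ("bob", "memo"): {"read", "write"},
}

def access_control_list(obj):
    """Column-wise split of the matrix: every subject's rights on one object."""
    return {s: rights for (s, o), rights in MATRIX.items() if o == obj}

def capability_list(subject):
    """Row-wise split of the matrix: one subject's rights on every object."""
    return {o: rights for (s, o), rights in MATRIX.items() if s == subject}

AUDIT_LOG = []  # every decision is recorded, allowed or not

def reference_monitor(subject, obj, op):
    """Mediate one access request and return (allowed, reason)."""
    clearance, label = CLEARANCE[subject], CLASSIFICATION[obj]
    if op == "read" and clearance < label:
        verdict = (False, "read up")          # low subject, high object
    elif op == "write" and clearance > label:
        verdict = (False, "write down")       # high subject, low object
    elif op not in MATRIX.get((subject, obj), set()):
        verdict = (False, "no access right")  # matrix cell lacks the right
    else:
        verdict = (True, "ok")
    AUDIT_LOG.append((subject, obj, op) + verdict)
    return verdict

if __name__ == "__main__":
    print("ACL for war_plan:", access_control_list("war_plan"))
    print("Capabilities of bob:", capability_list("bob"))
    for request in [("alice", "war_plan", "read"), ("alice", "war_plan", "write"),
                    ("bob", "war_plan", "read"), ("bob", "memo", "write")]:
        print(request, reference_monitor(*request))
```

Note that the multilevel rules override the matrix: bob's cell for war_plan contains "read", yet the request is refused as a read up.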

9.2 Importance of Trusted System:


• Identity Verification: Trusted systems ensure that only verified users are given access. The verification process ensures that each user is uniquely identified.
• Safety Maintained: A trusted system maintains safety by preventing direct access to confidential information.
• Limiting Access: Only the permissions and access that are absolutely necessary are granted to users. Unwanted rules and permissions are avoided.

9.3 Worms, Viruses and Intruder

9.3.1 Worms:
A worm is similar to a virus, but it does not modify programs. It replicates itself repeatedly, slowing down the computer system. Worms can be controlled remotely. The main objective of worms is to eat up system resources. The WannaCry ransomware worm in 2000 exploits the Windows Server Message Block (SMBv1), which is a resource-sharing protocol.
• A worm is a program that can replicate itself and send copies from computer to computer across network connections. Upon arrival, the worm may be activated to replicate and propagate again.
• In addition to propagation, the worm usually performs some unwanted function. An e-mail virus has some of the characteristics of a worm, because it propagates itself from system to system. A worm actively seeks out more machines to infect, and each infected machine serves as a launching pad for attacks on other machines.
• Network worm programs use network connections to spread from system to system. Once active within a system, a network worm can behave as a computer virus or bacteria, or it could implant Trojan horse programs or perform any number of disruptive or destructive actions.
9.3.2 State of worm technology
• Multiplatform: Worms are not limited to Windows machines but can attack a variety of platforms, especially the popular varieties of UNIX.
• Multiexploit: New worms penetrate systems in a variety of ways, using exploits against web servers, browsers, e-mail, file sharing and other network-based applications.
• Ultrafast Spreading: One technique to accelerate the spread of a worm is to conduct a prior internet scan to accumulate internet addresses of vulnerable machines.
• Polymorphic: To evade detection, skip past filters and foil real-time analysis, worms adopt the virus polymorphic technique. Each copy of the worm has new code generated on the fly using functionally equivalent instructions and encryption techniques.
• Metamorphic: In addition to changing their appearance, metamorphic worms have a repertoire of behaviour patterns that are unleashed at different stages of propagation.
• Transport Vehicles: Because worms can rapidly compromise a large number of systems, they are ideal for spreading other distributed attack tools, such as distributed denial of service zombies.
• Zero-Day exploit: To achieve maximum surprise and distribution, a worm should exploit an unknown vulnerability that is only discovered by the general network community when the worm is launched.

9.4 Virus:
A virus is malicious executable code attached to another executable file; it can be harmless or can modify or delete data. When a computer program with a virus attached runs, the virus performs some action, such as deleting a file from the computer system. Viruses cannot be controlled remotely. The ILOVEYOU virus spreads through email attachments.
9.4.1 Nature of a Virus
i. A virus can do anything that other programs do. The only difference is that it attaches itself to another program and executes secretly when the host program is run.
ii. Once a virus is executing, it can perform any function, such as erasing files and programs.
iii. Most viruses carry out their work in a manner that is specific to a particular operating system and, in some cases, specific to a particular hardware platform. Thus they are designed to take advantage of the details and weaknesses of particular systems.
iv. A virus can be prepended or postpended to an executable program, or it can be embedded in some other fashion. The key to its operation is that the infected program, when invoked, will first execute the virus code and then execute the original code of the program.
v. During its lifetime a typical virus goes through the following four phases:
   ◦ Dormant Phase: The virus is idle. The virus will eventually be activated by some event, such as a date, the presence of another program or file, or the capacity of the disk exceeding some limit.
   ◦ Propagation Phase: The virus places an identical copy of itself into other programs or into certain system areas on the disk.
   ◦ Triggering Phase: The virus is activated to perform the function for which it was intended.
   ◦ Execution Phase: The function is performed. The function may be harmless or damaging.
9.4.2 Types of viruses:
i. Parasitic Virus: The traditional and still most common form of virus. A parasitic virus attaches itself to executable files and replicates when the infected program is executed.
ii. Memory-Resident Virus: Lodges in main memory as part of a resident system program. From that point on, the virus infects every program that executes.
iii. Boot-Sector Virus: Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus.
iv. Stealth Virus: A form of virus explicitly designed to hide itself from detection by antivirus software.
v. Polymorphic Virus: A virus that mutates with every infection, making detection by the “signature” of the virus impossible.
vi. Metamorphic Virus: Like a polymorphic virus, a metamorphic virus mutates with every infection. The difference is that a metamorphic virus rewrites itself completely at each iteration, increasing the difficulty of detection. Metamorphic viruses may change their behaviour as well as their appearance.

9.4.3 Examples of recent viruses:
i. Macro viruses:
   ◦ A macro virus is platform independent. Virtually all macro viruses infect Microsoft Word documents. Any hardware platform and operating system that supports Word can be infected.
   ◦ Macro viruses infect documents, not executable portions of code. Most of the information introduced onto a computer system is in the form of a document rather than a program.
   ◦ Macro viruses are easily spread. A very common method is by e-mail.
ii. E-Mail viruses:
A more recent development in malicious software is the e-mail virus. The first rapidly spreading e-mail viruses, such as Melissa, made use of a Microsoft Word macro embedded in an attachment. If the recipient opens the e-mail attachment, the Word macro is activated. Then:
   ◦ The e-mail virus sends itself to everyone on the mailing list in the user’s email package.
   ◦ The virus does local damage.

9.5 Difference between Worms and Viruses:

| No. | Basis of Comparison | Worms | Viruses |
|---|---|---|---|
| 1 | Definition | A worm is a form of malware that replicates itself and can spread to different computers via a network. | A virus is malicious executable code attached to another executable file, which can be harmless or can modify or delete data. |
| 2 | Objective | The main objective of worms is to eat up system resources. A worm consumes system resources such as memory and bandwidth and slows the system down to such an extent that it stops responding. | The main objective of viruses is to modify information. |
| 3 | Host | It doesn’t need a host to replicate from one computer to another. | It requires a host for spreading. |
| 4 | Harmful | It is less harmful by comparison. | It is more harmful. |
| 5 | Detection and Protection | Worms can be detected and removed by antivirus software and a firewall. | Antivirus software is used for protection against viruses. |
| 6 | Controlled by | Worms can be controlled remotely. | Viruses can’t be controlled remotely. |
| 7 | Execution | Worms are executed via weaknesses in the system. | Viruses are executed via executable files. |
| 8 | Comes from | Worms generally come from downloaded files or through a network connection. | Viruses generally come from shared or downloaded files. |
| 9 | Symptoms | Hampering computer performance by slowing it down; automatic opening and running of programs; sending of emails without your knowledge; affected web browser performance; error messages concerning the system and operating system. | Pop-up windows linking to malicious websites; hampering computer performance by slowing it down; after booting, starting of unknown programs; passwords get changed without your knowledge. |
| 10 | Prevention | Keep your operating system and system in an updated state; avoid clicking on links from untrusted or unknown websites; avoid opening emails from unknown sources; use antivirus software and a firewall. | Installation of antivirus software; never open email attachments; avoid usage of pirated software; keep your operating system updated; keep your browser updated, as old versions are vulnerable to linking to malicious websites. |
| 11 | Types | Internet worms, instant messaging worms, email worms, file sharing worms and Internet relay chat (IRC) worms are different types of worms. | Boot sector virus, direct action virus, polymorphic virus, macro virus, overwrite virus and file infector virus are different types of viruses. |
| 12 | Examples | Examples of worms include Morris worm, storm worm, etc. | Examples of viruses include Creeper, Blaster, Slammer, etc. |
| 13 | Interface | It does not need human action to replicate. | It needs human action to replicate. |
| 14 | Speed | Its spreading speed is faster. | Its spreading speed is slower as compared to worms. |

9.6 Intruders:
A computer intruder is anyone or anything that tries to get access to any part of your computer system without permission.

• The objective of the intruder is to gain access to a system or to increase the range of privileges accessible on a system. Most initial attacks use system or software vulnerabilities that allow a user to execute code that opens a back door into the system.
• The intruder attempts to acquire information that should have been protected. In some cases, this information is in the form of a user password. With knowledge of some other user’s password, an intruder can log in to a system and access all the information available on it.
There are three classes of intruders:
   ◦ Masquerader: An individual who is not authorized to use the computer and who penetrates a system’s access controls to exploit a legitimate user’s account. The masquerader is likely to be an outsider.
   ◦ Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges. The misfeasor generally is an insider.
   ◦ Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection. The clandestine user can be either an outsider or an insider.
• Intruder attacks range from the benign to the serious. At the benign end of the scale, there are many people who simply wish to explore internets and see what is out there. At the serious end are individuals who are attempting to read privileged data, perform unauthorized modifications to data, or disrupt the system.
9.6.1 Types of Intrusion
The following are some examples of intrusion:
i. Performing a remote root compromise of an e-mail server
ii. Defacing a Web server
iii. Guessing and cracking passwords
iv. Copying a database containing credit card numbers
v. Viewing sensitive data, including payroll records and medical information, without authorization

9.7 Logic Bombs


• Logic bombs are programmed threats that lie dormant in commonly used software for an extended period of time until they are triggered; at this point, they perform a function that is not the intended function of the program in which they are contained.
• Logic bombs usually are embedded in programs by software developers who have legitimate access to the system.
• Conditions required to trigger a logic bomb include the presence or absence of certain files, a particular day of the week, or a particular user running the application.
• The logic bomb might check first to see which users are logged in, or which programs are currently in use on the system. Once triggered, a logic bomb can destroy or alter data, cause machine halts, or otherwise damage the system.
• Time-outs are a special kind of logic bomb that are occasionally used to enforce payment or other contract provisions. Time-outs make a program stop running after a certain amount of time unless some special action is taken.
• Protection against malicious logic bombs can be achieved by not installing software without thoroughly testing it and reading it. By keeping regular backups, we can restore data.
9.8 Trojan Horses
• Trojan horses resemble a program that the user wishes to run - a game, a spreadsheet, or an editor. While the program appears to be doing what the user wants, it actually is doing something else unrelated to its advertised purpose, and without the user's knowledge.
• For example, the user may think that the program is a game. While it is printing messages about initializing databases and asking questions like "What do you want to name your player?" and "What level of difficulty do you want to play?" the program may actually be deleting files, reformatting a disk, or otherwise altering information.
• All the user sees, until it's too late, is the interface of a program that the user is trying to run.
• Trojan horses are, unfortunately, as common as jokes within some programming environments. They are often planted as cruel tricks on bulletin boards and circulated among individuals as shared software.
• An attacker can embed commands in places other than compiled programs. Shell files (especially shar files), awk, Perl, and sed scripts, TeX files, PostScript files, MIME-encoded mail, WWW pages, and even editor buffers can all contain commands that can cause you unexpected problems.
• Another form of a Trojan horse makes use of block-send commands or answerback modes in some terminals.
• The best way to avoid Trojan horses is to never execute anything, as a program or as input to an interpreter, until you have carefully read through the entire file. When you read the file, use a program or editor that displays control codes in a visible manner. If you do not understand what the file does, do not run it until you do. And never, ever run anything as root unless you absolutely must.
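The advice to read a file with control codes made visible can be put into practice with a small checker like the one below. It is an added example, not part of the lecture note; the sample script bytes are constructed and harmless, and the caret notation follows the convention used by tools such as `cat -v`.

```python
# Control bytes that change what a terminal displays, or that make it reply.
NAMES = {0x1B: "ESC", 0x0D: "CR", 0x08: "BS", 0x05: "ENQ"}

def visible(data: bytes) -> str:
    """Render a file so that no byte can act on the terminal while you read it."""
    out = []
    for b in data:
        if b == 0x0A:
            out.append("\n")                  # keep line structure
        elif b < 0x20:
            out.append("^" + chr(b + 0x40))   # ESC -> ^[, CR -> ^M, TAB -> ^I
        elif b == 0x7F:
            out.append("^?")
        elif b >= 0x80:
            out.append(f"\\x{b:02x}")         # non-ASCII shown as hex
        else:
            out.append(chr(b))
    return "".join(out)

def findings(data: bytes):
    """List (line number, control code) pairs to review before running a file."""
    hits = []
    for n, line in enumerate(data.split(b"\n"), start=1):
        body = line[:-1] if line.endswith(b"\r") else line  # tolerate CRLF
        for b in sorted(set(body)):
            if (b < 0x20 and b != 0x09) or b == 0x7F:
                hits.append((n, NAMES.get(b, f"0x{b:02x}")))
    return hits

# Constructed sample: line 3 contains a carriage return in mid-line, so a
# terminal shows only the text after it; line 4 contains an escape sequence.
SAMPLE = (b"#!/bin/sh\n"
          b"echo 'setting up'\n"
          b"echo one\recho two\n"
          b"printf 'done\x1b[2K'\n")

if __name__ == "__main__":
    print(visible(SAMPLE))
    for line_no, code in findings(SAMPLE):
        print(f"line {line_no}: contains {code}")
```

A file with findings is not necessarily malicious, but each reported line should be read in its `visible()` form rather than on a raw terminal.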
