Chapter 1

The document outlines a course on Information Security, covering topics such as cryptography, network security, and security in e-commerce, along with assessment methodologies. It discusses the evolution of information security from physical security to the complexities of modern cyber threats and emphasizes the importance of multiple layers of security. The document also categorizes various types of security threats and attacks, detailing both passive and active attacks on information systems.

COURSE OUTLINE
- Introduction to Information Security
- Cryptography
- Network security
- Security in e-commerce
- Application-specific security mechanisms
- Application security
- Assessment methodology
  - Test (15%)
  - Lab test (10%)
  - Practical and written assignments (15%)
  - Project (20%)
  - Final exam (40%) (includes all contents covered)
  - N.B.: weights may vary accordingly.
Chapter One
Introduction to Information Security

Introduction
- Information is the lifeblood of every organization.
- If this information is compromised there can be a wide range of consequences, ranging from damage to the company's reputation through financial penalties such as regulatory fines and the cost of remediation.
- The purpose of information protection is to protect an organization's valuable resources, such as information, hardware, and software.
Brief History of Computer/Information Security

- Until the 1960s, information security was a straightforward process composed predominantly of physical security and simple document classification schemes.
- The primary threats to security were physical theft of equipment, espionage against the products of the systems, and sabotage.
History of Information Security …

- In the 60s and 70s
  - Evolutions
    - Computers became interactive
    - Multiuser/multiprogramming was invented
    - More and more data started to be stored in computer databases
  - Organizations and individuals started to worry about
    - What the other persons using computers are doing to their data
    - What is happening to their private data stored in large databases
History of Information Security …

- In the 80s and 90s
  - Evolutions
    - Personal computers were popularized
    - LANs and the Internet invaded the world
    - Applications such as e-commerce, e-government and e-health started to be developed
    - Viruses became major threats
  - Organizations and individuals started to worry about
    - Who has access to their computers and data
    - Whether they can trust a mail, a website, etc.
    - Whether their privacy is protected in the connected world
  - Individual remote sites did not have sufficient controls and safeguards to protect data from unauthorized remote users.
  - The movement toward security went beyond protecting physical locations.
PRESENT SCENARIO

- Today, the Internet brings millions of unsecured computer networks into continuous communication with each other.
- The security of each computer’s stored information is now contingent on the level of security of every other computer to which it is connected.
- Cyber attacks have made governments and companies more aware of the need to defend the computer-controlled systems of utilities and other critical infrastructure.
Famous Security Problems
Famous Security Problems …
Early Efforts

With all of the above, information security has become the soul of an organization's life.
Early Efforts…

- Standardization
  - 1985: Orange Book for security evaluation (or TCSEC, Trusted Computer System Evaluation Criteria)
    - Describes the evaluation criteria used to assess the level of trust that can be placed in a particular computer system
  - 1978: DES selected as encryption standard by the US
Early Efforts…
Human factor as motivation
What is Security?
- In general, security is “the quality or state of being secure—to be free from danger.”
- In other words, protection against adversaries—from those who would do harm, intentionally or otherwise—is the objective.
Where to Have Security?

- A successful organization should have the following multiple layers of security in place to protect its operations:
  - Physical security, to protect physical items, objects, or areas from unauthorized access and misuse
  - Personnel security, to protect the individual or group of individuals who are authorized to access the organization and its operations
  - Operations security, to protect the details of a particular operation or series of activities
  - Communications security, to protect communications media, technology, and content
  - Network security, to protect networking components, connections, and contents
  - Information security, to protect the confidentiality, integrity and availability of information assets, whether in storage, processing, or transmission. It is achieved via the application of policy, education, training and awareness, and technology.
Where to Have Security? …
*Intrusion detection system or intrusion prevention system
THE MYTH: “OUR SITE IS SAFE”

- “We use network vulnerability assessments”.
  - This approach neglects the security of the software on the network or Web server.
- “We have firewalls in place”.
  - Ports 80 & 443 are open for the right reasons.
- “We encrypt our data with SSL”.
  - This only protects data between site and user, not the Web application itself.
Cont…

- Computer Security: the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).
Security …
CIA
CIA…
CIA…
Goal of Security
Security Threats and Attacks

Threats and Attacks

- A computer security threat is a potential violation of security; it is any person, act, or object that poses a danger to computer security/privacy.
  - The violation need not actually occur for there to be a threat.
  - The fact that the violation might occur means that those actions that could cause it to occur must be guarded against (or prepared for).
  - Those actions are called attacks.
  - Those who execute such actions, or cause them to be executed, are called attackers.
- The computer world is full of threats: viruses, worms, crackers, etc.
  - And so is the real world: thieves, pick-pockets, burglars, murderers, drunk drivers, …
- Note: the terms threat and attack are commonly used to mean more or less the same thing.
Threats and Attacks …

- Types of threats
  - Disclosure: unauthorized access to information (also called snooping or interception), e.g., snooping: unauthorized interception of information
  - Deception: acceptance of false data (modification, spoofing, repudiation of origin, denial of receipt), e.g., modification: unauthorized change of information; denial of receipt
  - Disruption: interruption or prevention of correct operation, e.g., modification: unauthorized change of information
  - Usurpation: unauthorized control of some part of a system, e.g., identity theft; denial of service
Threats and Attacks …

- What do you do in real life?
  - You learn about the threats
    - What are the threats
    - How can these threats affect you
    - What is the risk for you to be attacked by these threats
    - How you can protect yourself from these risks
    - How much does the protection cost
    - What can you do to limit the damage in case you are attacked
    - How can you recover in case you are attacked
  - Then, you protect yourself in order to limit the risk but to continue to live your life
- You need to do exactly the same thing with computers!
Attacks

- Security Attack: any action that compromises the security of information owned by an organization.
- Classification of attacks (used both in X.800 and RFC 2828)
  - Passive attacks: attempts to learn or make use of information from the system but do not affect system resources.
  - Active attacks: attempts to alter system resources or affect their operation.
Passive Attack

- The goal of the opponent is to obtain information that is being transmitted.
- Two types of passive attacks are the release of message contents (or sniffing) and traffic analysis.
- Release of message contents: a telephone conversation, an electronic mail message, and a transferred file may contain sensitive or confidential information; we would like to prevent an opponent from learning the contents of these transmissions.
- It is also called interception: an attack on confidentiality.
Release of Message Content
Cont…

- Friends and Enemies: Alice, Bob, Trudy
  - Well-known in the network security world
  - Alice and Bob (lovers!) want to communicate “securely”
  - Trudy (the intruder) may intercept, delete, or add messages
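The following is an added teaching example, not course material from this chapter, that puts the Alice/Bob/Trudy model and the passive/active classification above into runnable form. It models a channel on which Trudy can either only observe (release of message contents and traffic analysis) or modify a message in transit, and shows what confidentiality protection (encryption) and integrity protection (a MAC) each achieve: encryption hides the contents but not the sender, recipient or length, so traffic analysis still works, and only the MAC turns an undetected modification into a detected one. The keys, the sample message and the SHA-256-based XOR stream cipher are constructed for illustration only; a real system would use an authenticated cipher such as AES-GCM rather than this toy construction.

```python
"""Alice, Bob and Trudy: passive versus active attacks on a message channel."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed demo keys (in practice both come from a key-exchange protocol).
ENC_KEY = b"constructed-demo-encryption-key"
MAC_KEY = b"constructed-demo-integrity-key"


@dataclass
class Message:
    sender: str
    recipient: str
    nonce: bytes
    payload: bytes                # plaintext, or ciphertext when encrypted
    tag: Optional[bytes] = None   # HMAC over nonce||payload when authenticated


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream from SHA-256(key || nonce || counter); illustration only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def send(sender: str, recipient: str, plaintext: bytes,
         encrypt: bool = False, authenticate: bool = False) -> Message:
    """Alice builds a message; encryption and authentication are optional."""
    nonce = os.urandom(16)
    payload = _xor(plaintext, _keystream(ENC_KEY, nonce, len(plaintext))) if encrypt else plaintext
    tag = hmac.new(MAC_KEY, nonce + payload, hashlib.sha256).digest() if authenticate else None
    return Message(sender, recipient, nonce, payload, tag)


def passive_attack(msg: Message) -> dict:
    """Trudy only listens: message contents plus traffic-analysis metadata."""
    return {
        "from": msg.sender,          # traffic analysis: who talks to whom ...
        "to": msg.recipient,
        "length": len(msg.payload),  # ... and how much, even when encrypted
        "contents": msg.payload,     # meaningful only if the payload is plaintext
    }


def active_attack(msg: Message, new_payload: bytes) -> Message:
    """Trudy alters the payload in transit; without MAC_KEY she cannot fix the tag."""
    return Message(msg.sender, msg.recipient, msg.nonce, new_payload, msg.tag)


def receive(msg: Message, encrypted: bool = False,
            authenticated: bool = False) -> Optional[bytes]:
    """Bob's side: returns the plaintext, or None when the integrity check fails."""
    if authenticated:
        expected = hmac.new(MAC_KEY, msg.nonce + msg.payload, hashlib.sha256).digest()
        if msg.tag is None or not hmac.compare_digest(expected, msg.tag):
            return None   # modification detected; the message is dropped
    if encrypted:
        return _xor(msg.payload, _keystream(ENC_KEY, msg.nonce, len(msg.payload)))
    return msg.payload


def demo() -> dict:
    """Run the scenarios and report what Trudy achieves in each."""
    secret = b"meet at noon"           # constructed sample message
    plain = send("Alice", "Bob", secret)
    protected = send("Alice", "Bob", secret, encrypt=True, authenticate=True)
    return {
        "plain_contents_leaked": passive_attack(plain)["contents"] == secret,
        "plain_tamper_undetected": receive(active_attack(plain, b"meet at dusk")) == b"meet at dusk",
        "protected_contents_leaked": passive_attack(protected)["contents"] == secret,
        "protected_length_leaked": passive_attack(protected)["length"] == len(secret),
        "protected_tamper_detected": receive(active_attack(protected, b"meet at dusk"),
                                             encrypted=True, authenticated=True) is None,
        "protected_delivered": receive(protected, encrypted=True, authenticated=True) == secret,
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

Running the file prints one line per scenario. The two results worth dwelling on are that the length, sender and recipient leak even on the protected channel (the traffic-analysis attack named above), and that encryption alone does nothing against the active attack: only the authenticated variant returns None for the altered message. This is also why the chapter's “we encrypt our data with SSL” myth holds only for data in transit.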
Sniffing …
Traffic Analysis
SNOOPING
Passive Attacks …
Active Attacks …
Active Attacks …
Active Attacks …
Masquerading…
Active Attacks …
Active Attacks …
Active Attacks …
Active Attacks …
DOS…
DOS…
DOS…
DOS…
ACTIVE ATTACKS …
Cont…
Cont…
Hacking (Intrusion) Attack
- Hacking is any attempt to intrude on or gain unauthorized access to your system, either via some operating system flaw or other means. The purpose may or may not be malicious.
Hackers…
Malware Attack
Malware Attack…
Malware Attack …
Malware Attack …
Malware Attack …
Malware Attack …
Malware Attack …
Malware Attack …
Malware Attack …
Internet Fraud
Internet Fraud …
Internet Fraud …
Thank you!