Foundation of Information

Security
Lecture-3
Topics Covered…
• Definition of Information Security
• CIA Triad
• Security Terminology
• Types of Attacks/Attackers
• Security Terminology and Relationship
• Countermeasure
• Threat Consequences
Today’s Content…

• Quick Recap
• Defense in Depth
• Confidentiality
• Cryptographic Solution
• Symmetric Approach
• Asymmetric Approach
Course Grading Structure
• These weights are indicative, and may change as semester progresses
Mode-I Mode-II

Evaluation Weightage Evaluation Weightage

Instrument Instrument
Mid Term 30% Mid Term 30%
Quiz 15% Quiz 15%
Assignment 10% Mini-project 25%
Programming 15% (Group of max 2)
Assignment End Term 30%
End Term 30%
Information Security
The term ‘information security’ means protecting
information and information systems from
unauthorized access, use, disclosure, disruption,
modification, or destruction in order to provide
confidentiality, integrity and availability

— Federal Information Security Modernization Act of 2014.

Security Model
CIA triad
Computer Security Terminologies…
• Assets: system resources that need to be protected. For example: Data, Software,
hardware, communication links etc.
• Vulnerability: a weakness in a system that may be exploited to degrade or bypass
standard security mechanisms. It can make the assets
- corrupted (loss of integrity)
- become leaky (loss of confidentiality)
- become unavailable (loss of availability)

• Threat: a set of external circumstances that may allow a vulnerability to be

exploited.
• Risk: When a threat and a corresponding vulnerability both exist.

Example: A threat of a particular virus combined with the vulnerability of a system

without antivirus software constitute a risk to that system
Computer Security Terminologies…
• Attack: a threat that is carried out and can be
• Active attack: An attempt to alter system resources or affect their operation.
• Passive attack: An attempt to learn or make use of information from the
system that does not affect system resources.
Based on the origin of the attack:
• Insider attack: Initiated by an entity inside the security perimeter, authorized
to access system resources but uses them in a way not approved.
• Outsider attack: Initiated from outside the perimeter, by an unauthorized or
illegitimate user of the system
Computer Security Terminologies…
• Countermeasure: means to deal with a security attack
• Prevent
• Detect May introduce new vulnerabilities
• Recover

• Goal: to minimize risk

Security Tradeoff
• Tradeoff between risks and benefits.
• The choice to implement a specific security mechanism is influenced
by the cost of the mechanism and the amount of damage it may
prevent
Computer Security Terminologies…

• Security Policy: A set of rules and practices that specify or regulate

how a system or organization provides security services to protect
sensitive and critical system resources.

• CIA principle helps to design security policy

Security Terminology and Relationship
Threat Consequences
A security violation that results from an attack
• Unauthorized Disclosure: Unauthorized access to information
- exposure, interception, inference, intrusion
• Deception: Acceptance of false data
- masquerade, falsification, repudiation
• Disruption: Interruption or prevention of correct operation
- incapacitation, corruption, obstruction
• Usurpation: Unauthorized control of some part of a system
- misappropriation, misuse
Scope of Computer Security

System Assets: Hardware,

Software, Data,
communication lines and
networks
This image explains the **Scope of Computer Security**, which
includes different aspects of protecting a computer system.

### **Key Points:**

1. **Data Protection** – Only authorized users should be able to
access data. Unauthorized access must be blocked.
2. **User Authentication** – Only verified users should be allowed to
access the computer system. This is done using passwords,
biometrics, or security tokens.
3. **Network Security** – Data should be safely transmitted over
networks without being intercepted or altered by hackers.
4. **File Security** – Sensitive files must be kept secure so that only
authorized people can access or modify them.

### **System Assets to Protect:**

- **Hardware** (computers, servers)
- **Software** (applications, operating systems)
- **Data** (important files, personal information)
- **Communication lines and networks** (internet, cables, wireless
connections)

In simple terms, computer security ensures that only the right people
can access the right information while keeping hackers and
unauthorized users out.
Security Functional Requirements: Countermeasures

1. Countermeasures that require computer security technical

measures, either hardware or software, or both; and
2. Countermeasures that are fundamentally management issues

Need to combine technical and managerial approaches to achieve

effective computer security!
Strategy to Provide Computer Security
A comprehensive security strategy involves three aspects:
• Specification/policy
- what is the security scheme supposed to do?
- codify in policy and procedures
• Implementation/mechanisms
- how does it do it?
- prevention, detection, response, recovery
• Correctness/assurance
- does it really work?
- assurance, evaluation
Computer
and
Network
Attacks

- A Common Language for Computer Security Incidents, John D. Howard, Thomas A. Longstaff, 1998
Computer An attacker uses a tool to exploit a vulnerability to perform an
and action on a target in order to achieve an unauthorized Result
Network
Attacks

- A Common Language for Computer Security Incidents, John D. Howard, Thomas A. Longstaff, 1998
 Defense in Depth
• Strategy toward preventing security attacks

- Foundation of Information Security A Straightforward Introduction, Jason Andress.

Defense in Depth
• Strategy toward preventing security attacks

-Firewall
-VPN
-Penetration Testing
- Proxy
Defense in Depth
• Strategy toward preventing security attacks

-IDS/IPS
-Penetration Testing
-Logging
-Firewall
-VPN
-Penetration Testing
- Proxy
Defense in Depth
• Strategy toward preventing security attacks

- Antivirus
- IDS/IPS
- Penetration Testing
- Authentication
-IDS/IPS
-Penetration Testing
-Logging
-Firewall
-VPN
-Penetration Testing
- Proxy
Defense in Depth
• Strategy toward preventing security attacks

- Content Filtering
- Penetration Testing
- SSO
- Antivirus
- IDS/IPS
- Penetration Testing
- Authentication
-IDS, IPS
-Penetration Testing
-Logging
-Firewall
-VPN
-Penetration Testing
- Proxy
Defense in Depth
• Strategy toward preventing security attacks

- Access Control
- Encryption
- Backup - Content Filtering
- Penetration Testing
- Antivirus - SSO
- IDS/IPS
- Penetration Testing
- Authentication
-IDS, IPS
-Penetration Testing
-Logging
-Firewall
-VPN
-Penetration Testing
- Proxy
Confidentiality

• Cryptographic Solution
• Symmetric Approach
• Asymmetric Approach
Basic Setup:
• Communication over an insecure channel
• Types of insecure channel
• Internet (unprotected network of computers)
• Wifi (not password protected)
• Air Waves (GSM connection) etc.
 Meet Alice and Bob

Insecure network channel

ALICE BOB at Bank

 Meet Alice and Bob
Message
Username: sweetalice
Password: alice123
TRANSFER Rs. 100 TO
ACCOUNT NO. XYZ

Insecure network channel

ALICE BOB at Bank

 Meet Alice and Bob
Message
Username: sweetalice
Password: alice123
TRANSFER Rs. 100 TO
ACCOUNT NO. XYZ

Insecure network channel

ALICE BOB at Bank

NOT
ENCRYPTED
 Meet Charlie – the eavesdropper
Message
Username: sweetalice
Password: alice123
TRANSFER Rs. 100 TO
ACCOUNT NO. XYZ

ALICE BOB

CHARLIE
 Meet Charlie – the eavesdropper
Message
Username: sweetalice
Password: alice123
TRANSFER Rs. 100 TO
ACCOUNT NO. XYZ

Listen

ALICE BOB

CHARLIE
 Username, Password sent in clear!!!
Message
Username: sweetalice
Password: alice123
TRANSFER Rs. 100 TO
ACCOUNT NO. XYZ

ALICE BOB

CHARLIE
 Username, Password sent in clear!!!
Message
Username: sweetalice
Password: alice123
TRANSFER Rs. 100 TO
ACCOUNT NO. XYZ

LISTENS AND GETS LOGIN DETAILS OF

ALICE

ALICE BOB

CHARLIE
 Username, Password sent in clear!!!

Modify

Message
Username: sweetalice
Password: alice123
TRANSFER Rs. 100 TO
ACCOUNT NO. XYZ
Message
Username: sweetalice
Password: alice123
TRANSFER Rs. 1000000 TO
ACCOUNT NO. 5678
 Confidentiality can be achieved using
encryption/decryption

Encryption Decryption
Secure Network

E ^d@#*^

D
&!h^*hi ^d@#*^
&!h^*hi

Message
(I love you) Message
(I love you)

E: Encryption- Charlie cannot see what is being sent over the channel
D: Decryption- Bob can successfully decrypt the message
Basic Definitions:
• Plaintext (P) – The original message
• Ciphertext (C) – The scrambled message
• E() – Encryption Function
• D() – Decryption Function
Basic Definitions:
• Plaintext (P) – The original message
• Ciphertext (C) – The scrambled message
• E() – Encryption Function
• D() – Decryption Function

Q. To ensure safety of our data, should the enc./dec. algorithm be

known to all or kept secret ??
Why secrecy of algorithms is not a good idea ?
1. Maintaining secrecy of algorithms is very cumbersome
• Industrial espionage
• Insider Threat
• Reverse Engineering of the code
Why secrecy of algorithms is not a good idea ?
1. Maintaining secrecy of algorithms is very cumbersome
• Industrial espionage
• Insider Threat
• Reverse Engineering of the code

2. Public design enables establishment of standards

• Designs which withstand years of public scrutiny – likely to gain more
confidence on its robustness
• Better that flaws are revealed by ethical hackers than malicious attackers
 Thought to be secure

Enigma Machine
 Thought to be secure

Enigma Machine

Alan Turing and his team

broke the enigma
encryption method
 Thought to be secure

Enigma Machine

Alan Turing and his team

broke the enigma
encryption method
But …
• We can’t make everything public
• Eve can easily decrypt then
But …
• We can’t make everything public
• Eve can easily decrypt then

• Incorporate a second parameter

• The “KEY”
• Short secret data shared by both communicating parties
But …
• We can’t make everything public
• Eve can easily decrypt then

• Incorporate a second parameter

• The “KEY”
• Short secret data shared by both communicating parties

Kerckhoff’s Principle [1883]:

A cryptosystem should be secure even if the attacker knows all the details of
the system, with the exception of the secret key.
Depending upon the key, cryptosystems can be
divided into:

• Symmetric Cryptosystems
• Asymmetric Cryptosystems
 Symmetric Encryption
• Both the parties use the same key to encrypt and decrypt

Hi, Meet you at xydA@tyhskykb Hi, Meet you at

Starbucks on mc88888*!$6jgj Starbucks on
Friday at 3:00 gb768$gh^kkdv Friday at 3:00
PM. Encryption mmmvmvbb Decryption PM.

Plaintext Ciphertext Plaintext

48
 Asymmetric Encryption
• Communicating parties use two keys – public key (known to all) and private key
(known only to owner) to encrypt and decrypt
 Asymmetric Encryption
• Communicating parties use two keys – public key (known to all) and private key
(known only to owner) to encrypt and decrypt

1. Bob gives Alice his

public key
 Asymmetric Encryption
• Communicating parties use two keys – public key (known to all) and private key
(known only to owner) to encrypt and decrypt

Hi, Meet you at xydA@tyhskykb

Starbucks on mc88888*!$6jgj
Friday at 3:00 gb768$gh^kkdv
PM. Encryption mmmvmvbb

Plaintext Ciphertext

1. Bob gives Alice his 2. Alice uses the public key of Bob
public key to encrypt her message
 Asymmetric Encryption
• Communicating parties use two keys – public key (known to all) and private
key (known only to owner) to encrypt and decrypt

3. Bob receives Alice’s

encrypted message
 Asymmetric Encryption
• Communicating parties use two keys – public key (known to all) and private
key (known only to owner) to encrypt and decrypt

xydA@tyhskykb Hi, Meet you at

mc88888*!$6jgj Starbucks on
gb768$gh^kkdv Friday at 3:00
mmmvmvbb Decryption PM.

Ciphertext Plaintext

3. Bob receives Alice’s 4. Bob uses his private key to

encrypted message decrypt her message
Asymmetric Encryption

• Can the reverse be used, i.e., private key is used for encryption and
public key is used for decryption ?
• Why or why not ?