3-Module2 Information and Network Security-05-08-2022

The document outlines key concepts in computer and information security, emphasizing the objectives of confidentiality, integrity, availability, authenticity, and accountability. It discusses security threats, vulnerabilities, and the OSI security architecture, which categorizes security attacks into passive and active types. Additionally, it details specific and pervasive security mechanisms designed to protect information systems from various security threats.

Uploaded by

gss_1987
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
3 views37 pages

3-Module2 Information and Network Security-05-08-2022

The document outlines key concepts in computer and information security, emphasizing the objectives of confidentiality, integrity, availability, authenticity, and accountability. It discusses security threats, vulnerabilities, and the OSI security architecture, which categorizes security attacks into passive and active types. Additionally, it details specific and pervasive security mechanisms designed to protect information systems from various security threats.

Uploaded by

gss_1987
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 37

Module 2

Information and Network Security

Dr. S.Thamizharasan, Assistant Professor/SCOPE CSI3022-Cyber Security and Application Security 1 / 26


Introduction

Ancient Cryptography Images



Computer and Information Security


Computer and Information Security: The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, authenticity, accountability and confidentiality of information system resources (including hardware, software, firmware, information/data, and telecommunications).

The key objectives that are at the heart of computer and information security are:
(1) Confidentiality
(2) Integrity
(3) Availability
(4) Authenticity
(5) Accountability


Confidentiality: Preserving authorized restrictions on information access and disclosure, i.e., protecting personal privacy and proprietary information.
A loss of confidentiality is the unauthorized disclosure of information.
This term covers two related concepts:
(a) Data confidentiality: Assures that confidential information is not made available or disclosed to unauthorized individuals.
(b) Privacy: Assures that individuals control what information related to them may be collected and stored, and by whom and to whom that information may be disclosed.


Integrity: Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity.
A loss of integrity is the unauthorized modification or destruction of information.
This term covers two related concepts:
(a) Data Integrity: Assures that information (both stored and in transmitted packets) and programs are changed only in a specified and authorized manner.
(b) System Integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate unauthorized manipulation of the system.


Availability: Ensuring timely and reliable access to and use of information.
A loss of availability is the disruption of access to, or use of, the information system.
Assures that systems work promptly and that service is not denied to authorized users.


Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or the message originator.
This means verifying that users are the trusted parties they claim to be and that each input arriving at the system came from a trusted source.


Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.
Because truly secure systems are not yet an achievable goal, we must be able to trace a security breach to a responsible party.
Systems must keep records of their activities to permit later forensic analysis to trace security breaches or to aid in transaction disputes.


Figure 1 : Essential Computer and Information security requirements


Security Threats and Vulnerabilities


OSI Security Architecture

The Open Systems Interconnection (OSI) security architecture was designed by the ITU-T (International Telecommunication Union - Telecommunication Standardization Sector).
This OSI standard defines a systematic approach to evaluating various security products and policies.
This architecture is useful to managers as a way of organizing the task of providing security.
Furthermore, because this architecture was developed as an international standard, computer and communication vendors have developed security features for their products and services that relate to this structured definition of services and mechanisms.
The OSI security architecture focuses on
(i) Security Attacks
(ii) Security Mechanisms
(iii) Security Services


Security Attack: Any action that compromises the security of information owned by an organization.
Security Mechanism: A process that is designed to detect, prevent or recover from a security attack.
Security Service: A processing or communication service that enhances the security of the data processing systems and the information transfers of an organization.
The services are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service.


Threats, Attacks and Vulnerabilities

Threat: A potential for violation of security, which exists when there is a circumstance, capability, action or event that could breach security and cause harm.
That is, a threat is a possible danger that might exploit a vulnerability.
Attack: An assault on a system that derives from an intelligent threat.
That is, an intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system.



Security Attacks


Security attacks are broadly classified into passive attacks and active attacks.
A passive attack attempts to learn or make use of information from the system but does not affect system resources.
An active attack attempts to alter system resources or affect their operation.

Figure 2 : (a) Passive attack; (b) Active attack


Passive Attacks

Passive attacks are in the nature of eavesdropping. The goal of the opponent is to obtain information that is being transmitted.
Two types of passive attacks are
(i) Release of message contents: A telephone conversation, an email message and a transferred file may contain sensitive or confidential information. We would like to prevent an opponent from learning the contents of these transmissions.
(ii) Traffic analysis: Suppose the contents of messages or other information are masked, so that even if the opponent captured a message, he could not extract the information from it; the common technique for masking contents is encryption. Even then, the opponent can still observe the pattern of the traffic (which parties communicate, how often, and with messages of what length), and that observation is traffic analysis.
Passive attacks are very difficult to detect, because they do not involve any alteration of data.


Active Attacks
Active attacks involve some modification of the data stream or the creation of a false stream.
They can be subdivided into four categories:
(i) masquerade
(ii) replay
(iii) modification of messages
(iv) denial of service


Masquerade takes place when one entity pretends to be a different entity (refer to the figure: path 2 is active).
Here authentication sequences can be captured and replayed after a valid authentication sequence has taken place, thus enabling an authorized entity with few privileges to obtain extra privileges by impersonating an entity that has those privileges.


Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect (paths 1, 2 and 3 active).
Modification of messages simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect (paths 1 and 2 active).


Denial of Service prevents the normal use of communication facilities (path 3 is active).
Another form of denial of service is the disruption of an entire network, either by disabling the network or by overloading it with messages so as to degrade performance.
Although passive attacks are difficult to detect, measures are available to prevent their success.
Active attacks are quite difficult to prevent because of the wide variety of physical, software and network vulnerabilities. The goal is to detect active attacks and to recover from any disruption or delays caused by them.
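As an added example (not code from the original slides), the following Python exchange shows how a receiver detects the first three active attacks above: an HMAC tag over each data unit exposes modification and masquerade, and a sequence number exposes replay. The shared key, the impostor's key and the message format are assumptions constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed shared key between the two legitimate parties (assumption for this demo).
SHARED_KEY = b"example-shared-key-do-not-reuse"
# A key a masquerading entity might hold; it is NOT the key the receiver trusts.
IMPOSTOR_KEY = b"some-other-key"


def make_message(key: bytes, seq: int, payload: str) -> dict:
    """Sender side: bind a monotonically increasing sequence number to the payload
    under an HMAC-SHA256 tag so that modification, replay and forgery are detectable."""
    body = json.dumps({"seq": seq, "payload": payload}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Receiver side: checks origin and integrity (tag) and freshness (sequence number)."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq = 0  # highest sequence number accepted so far

    def accept(self, msg: dict) -> str:
        body = msg["body"].encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        # compare_digest avoids timing leaks; a wrong tag means the body was altered
        # (modification) or was tagged with a key the receiver does not share (masquerade).
        if not hmac.compare_digest(expected, msg["tag"]):
            return "reject: bad tag (modification or masquerade)"
        seq = json.loads(body)["seq"]
        # A sequence number that does not advance means a captured data unit was
        # retransmitted (replay): its tag is valid, so only the freshness check catches it.
        if seq <= self.last_seq:
            return "reject: stale sequence number (replay)"
        self.last_seq = seq
        return "accept: seq %d" % seq


def run_demo() -> list:
    """Walk through the outcomes and return the receiver's verdict for each attempt."""
    bob = Receiver(SHARED_KEY)
    genuine = make_message(SHARED_KEY, 1, "transfer 100 to account A")
    results = [bob.accept(genuine)]              # genuine message from the sender
    results.append(bob.accept(genuine))          # the same data unit replayed
    tampered = dict(genuine)
    tampered["body"] = genuine["body"].replace("account A", "account M")
    results.append(bob.accept(tampered))         # modification of the message, tag unchanged
    forged = make_message(IMPOSTOR_KEY, 2, "transfer 100 to account M")
    results.append(bob.accept(forged))           # masquerade: right format, wrong key
    results.append(bob.accept(make_message(SHARED_KEY, 2, "next order")))  # fresh and genuine
    return results
```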


Security Mechanisms

The security mechanisms are divided into those that are implemented in a specific protocol layer, such as TCP or an application-layer protocol, and those that are not specific to any particular protocol layer or security service.
(i) Specific Security Mechanisms
(ii) Pervasive Security Mechanisms


Specific Security Mechanisms

Specific Security Mechanisms: Incorporated into the appropriate protocol layer in order to provide some of the OSI security services.
(a) Encipherment
(b) Digital Signature
(c) Access Control
(d) Data Integrity
(e) Authentication Exchange
(f) Traffic Padding
(g) Routing Control
(h) Notarization

Encipherment: The use of mathematical algorithms to transform data into a form that is not readily intelligible.
The transformation and subsequent recovery of the data depend on an algorithm and zero or more encryption keys.

Digital Signature: Cryptographic transformation of a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery.
Access Control: A variety of mechanisms that enforce access rights to resources.
Data Integrity: A variety of mechanisms used to assure the integrity of a data unit or stream of data units.
Authentication Exchange: A mechanism intended to ensure the identity of an entity by means of information exchange.
Traffic Padding: The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.
Routing Control: Enables selection of particular physically secure routes for certain data and allows routing changes, especially when a breach of security is suspected.
Notarization: The use of a trusted third party to assure certain properties of a data exchange.
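As an added example (not from the slides), here is a Python traffic-padding scheme that serves both the traffic-analysis passage in the Passive Attacks section and mechanism (f) above: every message, and every idle gap, goes on the wire as equal-length frames filled with random bits. It assumes each frame, header included, is encrypted afterwards so the observer sees only the frame lengths; the frame size and sample messages are constructed for the demo.

```python
import os
import struct

FRAME_SIZE = 64   # constructed fixed frame length seen on the wire (assumption)
HEADER = 2        # big-endian count of real payload bytes at the front of each frame


def pad_frames(message: bytes, frame_size: int = FRAME_SIZE) -> list:
    """Split a message into fixed-size frames: length header + payload + random filler.
    An empty message yields one all-filler frame, i.e. cover traffic for an idle gap."""
    capacity = frame_size - HEADER
    chunks = [message[i:i + capacity] for i in range(0, len(message), capacity)] or [b""]
    frames = []
    for chunk in chunks:
        filler = os.urandom(capacity - len(chunk))  # random, so filler is not a fixed pattern
        frames.append(struct.pack(">H", len(chunk)) + chunk + filler)
    return frames


def unpad_frames(frames: list, frame_size: int = FRAME_SIZE) -> bytes:
    """Receiver side: strip the filler using the length header, rejecting malformed frames."""
    out = bytearray()
    for frame in frames:
        if len(frame) != frame_size:
            raise ValueError("frame has wrong length")
        (n,) = struct.unpack(">H", frame[:HEADER])
        if n > frame_size - HEADER:
            raise ValueError("payload length exceeds frame capacity")
        out += frame[HEADER:HEADER + n]
    return bytes(out)


def wire_lengths(messages: list) -> dict:
    """What an eavesdropper could observe: the per-message byte counts without padding
    versus the set of distinct frame lengths once every message has been framed."""
    unpadded = [len(m) for m in messages]
    padded = sorted({len(f) for m in messages for f in pad_frames(m)})
    return {"unpadded": unpadded, "padded": padded}


# Constructed sample traffic: a short answer, a longer reply, and a silent gap.
SAMPLE = [b"yes", b"Meeting moved to Thursday, bring the signed contract.", b""]
```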

Pervasive Security Mechanisms

Pervasive Security Mechanisms: Mechanisms that are not specific to any particular OSI security service or protocol layer.
(a) Trusted Functionality
(b) Security Label
(c) Event Detection
(d) Security Audit Trail
(e) Security Recovery

Trusted Functionality: That which is perceived to be correct with respect to some criteria (e.g., as established by a security policy).
Security Label: The marking bound to a resource that names or designates the security attributes of that resource.
Event Detection: Detection of security-relevant events.
Security Audit Trail: Data collected and potentially used to facilitate a security audit, which is an independent review and examination of system records and activities.
Security Recovery: Deals with requests from mechanisms, such as event handling and management functions, and takes recovery actions.
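As an added example (not from the slides), the Python below ties together four of the mechanisms on this page: a security label bound to each resource and subject, access control that compares those labels (no read up, no write down), an audit trail that records every decision, and event detection that pulls out the denied accesses. The level ordering, compartment names, file names and subjects are all constructed for the demo.

```python
from dataclasses import dataclass, field

# Constructed ordering of sensitivity levels (assumption for this example).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Security label: the marking bound to a subject or resource naming its level and compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A dominates B when A's level is at least B's and A holds every compartment of B.
        return LEVELS[self.level] >= LEVELS[other.level] and other.compartments <= self.compartments


@dataclass
class AuditTrail:
    """Security audit trail: every access decision is recorded for later independent review."""
    records: list = field(default_factory=list)

    def record(self, subject: str, op: str, resource: str, allowed: bool) -> None:
        self.records.append({"subject": subject, "op": op, "resource": resource, "allowed": allowed})

    def denials(self) -> list:
        # Event detection: denied accesses are the security-relevant events to alert on.
        return [r for r in self.records if not r["allowed"]]


class ReferenceMonitor:
    """Access control by label comparison: no read up, no write down; every decision is audited."""

    def __init__(self, audit: AuditTrail) -> None:
        self.audit = audit
        self.resources = {}  # resource name -> Label

    def label_resource(self, name: str, label: Label) -> None:
        self.resources[name] = label

    def access(self, subject: str, clearance: Label, op: str, resource: str) -> bool:
        target = self.resources[resource]
        if op == "read":
            allowed = clearance.dominates(target)   # subject must dominate the resource
        elif op == "write":
            allowed = target.dominates(clearance)   # resource must dominate the subject
        else:
            allowed = False                         # unknown operations are denied
        self.audit.record(subject, op, resource, allowed)
        return allowed


def run_demo() -> AuditTrail:
    """Constructed scenario: two subjects, two labelled files, four access attempts."""
    audit = AuditTrail()
    rm = ReferenceMonitor(audit)
    rm.label_resource("payroll.csv", Label("CONFIDENTIAL", frozenset({"HR"})))
    rm.label_resource("merger-plan.doc", Label("SECRET", frozenset({"FINANCE"})))
    hr_clerk = Label("CONFIDENTIAL", frozenset({"HR"}))
    analyst = Label("SECRET", frozenset({"FINANCE"}))
    rm.access("hr_clerk", hr_clerk, "read", "payroll.csv")       # allowed: labels are equal
    rm.access("hr_clerk", hr_clerk, "read", "merger-plan.doc")   # denied: read up
    rm.access("analyst", analyst, "read", "merger-plan.doc")     # allowed: same level and compartment
    rm.access("analyst", analyst, "write", "payroll.csv")        # denied: write down
    return audit
```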
