
1 - Introduction - Week 1 - NS

This document provides an introduction to a 16-week course on network security. The course objectives are to learn basic network security definitions and concepts, types of network attacks, and measures to prevent common attacks. The course will cover topics such as encryption techniques, data integrity, authentication schemes, the transport layer, wireless LAN security, and firewalls. It will not teach how to hack but rather how to prevent attacks. The document outlines the weekly topics to be covered in the course.

Uploaded by

nasir jaan

Introduction to Network Security
Week – 1

Dr Faisal Bashir

Objective of this course

• Learn
  • Basic definitions and concepts of network security
  • network attacks
  • measures taken to prevent common network related attacks.
• This is not a cryptography course.

The course is not aimed to teach HOW TO HACK; it is more about HOW TO PREVENT.

What’s this course about?

• Basic concepts and terminologies (Week 1)
• Network attacks (Week 2)
  • Port scanning, DoS, TCP session hijacking, etc.
• Encryption Techniques (Week 3-7)
  • Symmetric: primitive and standard techniques
  • Block cipher operations
  • Stream ciphers
  • Asymmetric: Public key cryptography and RSA
• Data Integrity (Week 8-10)
  • Simple and secure hash functions, MAC, Digital Signatures
• Authentication Schemes (Week 11)
• Transport Layer (Week 12)
  • SSL and TLS
• Secure Email (Week 13)
• Network Layer (Week 14)
• Wireless LAN Security (Week 15)
• Firewalls and IDS (Week 16)

General course info

• Course Code: CTN-541
• Prerequisite: Computer Networks
• Textbook:
  • Cryptography and Network Security, William Stallings, 5th Edition, Pearson Education, 2011
  • Security in Computing, Charles P. Pfleeger, Fourth Edition, Pearson Education, 2011.
• Online readings

Agenda
• Basic definitions
• Need for secure systems
• Properties of secure system
• Attacks, services and mechanisms
• Secure network model

What is “Security”
• Dictionary.com says:
  • Freedom from risk or danger; safety.
  • Freedom from doubt, anxiety, or fear; confidence.
  • Something that gives or assures safety, as:
    • Measures adopted by a government to prevent mutiny, sabotage, or attack.
    • Measures adopted, as by a business or homeowner, to prevent a crime such as burglary or assault:
  • …etc.

What is “Security”
• System correctness
  • If user supplies expected input, system generates desired output.
  • Good input → Good output
• Security
  • If attacker supplies unexpected input, system does not fail in certain ways
  • Bad input ↛ Bad output

We are concerned with …

• Computer Security - generic name for the collection of tools designed to protect data and to prevent hackers
• Network Security - measures to protect data during their transmission
• Internet Security - measures to protect data during their transmission over a collection of interconnected networks

Why do we need security?

Let's go through some real-world examples.

New York Times and Twitter struggle after Syrian hack … (2013)
• The newspaper and social network were hit after their domain name details were maliciously edited by hackers.
• The Syrian Electronic Army (SEA), a group supporting Syrian president Bashar al-Assad, says it carried out the attack.
• In recent months, these hackers have targeted major media companies including the Financial Times, Washington Post, CNN and BBC.
• The SEA was able to gain access to Melbourne IT's system, where Twitter and the New York Times registered their respective domains.
http://www.bbc.co.uk/news/technology-23862105

Major banks hit with biggest cyber attacks in history… (2012)
• The websites of Bank of America, JPMorgan, U.S. Bank and PNC Bank all suffered day-long slowdowns and were sporadically unreachable for many customers ….
• A denial of service attack
• The attackers got hold of thousands of high-powered application servers and pointed them all at the targeted banks.
• The volume of traffic sent to these sites was 10 to 20 times the volume that was normally recorded.
http://money.cnn.com/2012/09/27/technology/bank-cyberattacks/index.html

By David Goldman, CNN, September 28, 2012


iPhone attack … (2007)
• iPhone Safari downloads malicious web page
  • Arbitrary code is run with administrative privileges
  • Can read SMS log, address book, call history, other data
  • could dial phone numbers, send text messages, or record audio
  • Transmit collected data over network to attacker
http://www.securityevaluators.com/iphone/

Top 7 Network Attacks of 2015 … so far June 2015

http://www.calyptix.com/top-threats/top-7-network-attack-types-in-2015-so-far/

Top 10 network attack techniques of 2014

Mobile threats 2014

Top 5 out of 20 Mobile threats of 2014

1  Trojan-SMS.AndroidOS.Stealer.a   18.0%
2  RiskTool.AndroidOS.MimobSMS.a     7.1%
3  DangerousObject.Multi.Generic     6.9%
4  RiskTool.AndroidOS.SMSreg.gc      6.7%
5  Trojan-SMS.AndroidOS.OpFake.bo    6.4%

Mass-scale Organizational Targeted Attacks (MOTAs)
Bagle mass-mailer worm campaign between January 1, 2014, and April 29, 2014

Source: Symantec April 2015

Recent Trends
• Malware, worms, and Trojan horses
  • spread by email, instant messaging, malicious or infected websites
• Botnets and zombies
  • improving their encryption capabilities, more difficult to detect
• Scareware – fake/rogue security software
• Attacks on client-side software
  • browsers, media players, PDF readers, etc.
• Ransom attacks
  • malware encrypts hard drives, or DDoS attack
• Social network attacks
  • Users’ trust in online friends makes these networks a prime target.

Texas CISO, Feb 2010

Trends

Operating system vulnerabilities

Reported Web Vulnerabilities "In the Wild"

Cross-site scripting (XSS)

Data from aggregator and validator of NVD-reported vulnerabilities



Web vs System vulnerabilities

http://www.gfi.com/blog/report-the-most-vulnerable-operating-systems-and-applications-in-2012/

Why are there security vulnerabilities?

• Lots of buggy software...
• Why do programmers write insecure code?
• Awareness is the main issue
• Some contributing factors
  • Few security audits
  • C is an unsafe language
  • Programming text books do not emphasize security
  • Programmers have other things to worry about
  • Legacy software
  • Consumers do not care about security
  • Security is expensive and takes time

A vulnerability that is “too complicated for anyone to ever find” will be found!

So … Who is vulnerable?
• Financial institutions and banks
• Internet service providers
• Pharmaceutical companies
• Government and defense agencies
• Multinational corporations
• …

ANYONE and EVERYONE ON THE NETWORK

Security properties … CIA triad

• Confidentiality
  • Information about system or its users cannot be learned by an attacker
• Integrity
  • The system continues to operate properly, only reaching states that would occur if there were no attacker
• Availability
  • Actions by an attacker do not prevent users from having access to use of the system

Aspects of Security

• consider 3 aspects of information security:
  • security attacks
  • security mechanisms
  • security services

Security Attack
• any action that compromises the security of information owned by an organization
• often threat & attack used to mean same thing
• Threat: A person, thing, event, or idea which poses some danger to an asset in terms of that asset's confidentiality, integrity, availability, or legitimate use.
• Attack: A realization of a threat; any action that attempts to compromise the security of the information owned by an organization/person

Attacks
• Nature of attacks
  • Active attacks
  • Passive attacks
• Categorization of attacks
  • Interruption
  • Interception
  • Modification
  • Fabrication

Passive Attacks

Active Attacks

Security Service
• enhance security of data processing systems and information transfers of an organization
• intended to counter security attacks
• using one or more security mechanisms

Security Services (X.800)

• Authentication - assurance that the communicating entity is the one claimed
• Access Control - prevention of the unauthorized use of a resource
• Data Confidentiality - protection of data from unauthorized disclosure
• Data Integrity - assurance that data received is as sent by an authorized entity
• Non-Repudiation - protection against denial by one of the parties in a communication

Security Mechanisms
• feature designed to detect, prevent, or recover from a security attack
• no single mechanism that will support all services required
• however one particular element underlies many of the security mechanisms in use:
  • cryptographic techniques
• hence our focus on this topic

Security Mechanisms
specific security mechanisms:
• encipherment
• digital signatures
• access controls
• Message authentication code
• traffic padding
• routing control

Data Privacy in communication … Services & Mechanisms
• Confidentiality: Unauthorized parties cannot access information (->Secret Key Encryption)
• Authenticity: Ensuring that the actual sender is the claimed sender. (->Public Key Encryption)
• Integrity: Ensuring that the message was not modified in transmission. (->Hashing)
• Nonrepudiation: Ensuring that sender cannot deny sending a message at a later time. (->Digital Signature)

[Diagram: Joe, Bill and Ann illustrating Confidentiality, Authenticity (Joe, actually Bill), Integrity and Non-Repudiation]

Model for Network Security

• using this model requires us to:
  1. design a suitable algorithm for the security transformation
  2. generate the secret information (keys) used by the algorithm
  3. develop methods to distribute and share the secret information
  4. specify a protocol enabling the principals to use the transformation and secret information for a security service
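The four tasks of the network security model, worked through for one security service (message integrity and origin authentication, using the message authentication code mechanism listed earlier). This is an added example, not part of the original slides: the function names, the wire format and the choice of HMAC-SHA256 are assumptions made for illustration, and task 3 (key distribution) is assumed to have happened out of band.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 output size in bytes

def generate_key() -> bytes:
    """Task 2: generate the secret information (a random 256-bit key)."""
    return secrets.token_bytes(32)

def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Task 1: security transformation applied by the sender.

    Assumed wire format: 8-byte sequence number || payload || tag.
    The tag also covers the sequence number, so a replayed message
    fails the receiver's check.
    """
    header = seq.to_bytes(8, "big")
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

def verify(key: bytes, expected_seq: int, wire: bytes):
    """Task 4: receiver's side of the protocol.

    Returns the payload, or None when the message was modified,
    fabricated or replayed on the channel.
    """
    if len(wire) < 8 + TAG_LEN:
        return None
    body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    good = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):  # constant-time comparison
        return None
    if int.from_bytes(body[:8], "big") != expected_seq:
        return None
    return body[8:]

def demo() -> dict:
    key = generate_key()  # task 3 assumed: both principals already hold key
    wire = protect(key, 1, b"transfer 100 to Ann")  # constructed sample message
    tampered = wire.replace(b"100", b"900")          # modification in transit
    forged = protect(generate_key(), 1, b"transfer 100 to Bill")  # wrong key
    return {
        "genuine": verify(key, 1, wire),
        "modified": verify(key, 1, tampered),
        "fabricated": verify(key, 1, forged),
        "replayed": verify(key, 2, wire),  # receiver already expects seq 2
    }

if __name__ == "__main__":
    print(demo())
```

A shared-key MAC gives integrity and authenticity between the two principals but not non-repudiation, since either holder of the key could have produced the tag; that service needs a digital signature.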

Model for Network Access Security

• using this model requires us to:
  1. select appropriate gatekeeper functions to identify users
  2. implement security controls to ensure only authorised users access designated information or resources
• trusted computer systems may be useful to help implement this model

Summary
• have considered:
  • Basic definitions
  • computer, network, internet security
  • security attacks, services, mechanisms
  • models for network (access) security
