INFORMATION SECURITY INTRODUCTION

By:
Mitul Patel
COURSE PLAN
Course Teachers:
Dr. D R Patel(DRP)-Course Coordinator
Mr. Mitul H Patel
Miss. Mukti Padhya
SYLLABUS
BOOKS RECOMMENDED
INFORMATION SECURITY
C.I.A
 Confidentiality-information needs to be hidden from
unauthorized access
 Integrity-protected from unauthorized change

and
 Availability-Available to an authorized entity when it is
needed
 Information Systems are decomposed into three main
portions hardware, software and Communications
 Physical, Personal and Organizational Security
VARIOUS SECURITIES
 Data Security
 Data security is the means of ensuring that data is kept safe
from corruption and that access to it is suitably controlled.
 Computer Security
 protection of information and property from theft, corruption,
or natural disaster,
 Malware: malicious software

 Network Security
 protectthe network and the network-accessible resources
from unauthorized access, consistent and continuous
monitoring and measurement of its effectiveness
SECURITY BASICS
X.800 focuses on three aspects of information security
1. Security service
 properties which any security solution should satisfy e.g.
……
2. Security mechanism
 tools and techniques by which, the security services can
be achieved e.g.
3. Security attack
 actions that are attempts at violating the security rules.
SECURITY SERVICES
 X.800:
“a service provided by a protocol layer of communicating
open systems, which ensures adequate security of the
systems or of data transfers”

 RFC 2828:
“a processing or communication service provided by a
system to give a specific kind of protection to system
resources”
SECURITY SERVICES
SECURITY SERVICES - X.800
OBJECTIVES
 Data Confidentiality : protection of data from unauthorized
disclosure

 Data Integrity : assurance that data received are exactly as sent by

an authorized entity

 Authentication : assurance that the communicating entity is the

one claimed

 Access Control : prevention of the unauthorized use of a resource

 Non-Repudiation : protection against denial by one of the parties

in a communication
SECURITY ATTACKS
 An attack is any action that compromises the security of
information owned by an organization
 Information security is about how to prevent attacks, or
failing that, to detect attacks on information-based
systems
 Often threat & attack used to mean same thing

 Have a wide range of attacks

 Can focus of generic types of attacks

• Passive
• Active
SECURITY THREAT
SECURITY ATTACKS
1. Passive attacks
• Attacker’s goal is to just obtain the information
• Does not modify the data or harm the system
• The system continues with its normal operation
• Difficult to detect
PASSIVE ATTACKS
PASSIVE ATTACKS
 Two types of Passive attacks
Attacks threatening confidentiality
1. Release of message contents
 Unauthorized access or interception of data

2. Traffic Analysis
 Online traffic monitoring by attacker

 Help attacker to guess nature of transmission

 Solution:

 Masking the contents of messages or other information traffic

• so that opponents, even if they captured the message, could not

extract the information from the message.
• The common technique for masking contents is encryption.
ACTIVE ATTACKS
1. Active attacks
 May change the data or harm the system

 Easier to detect than to prevent

ACTIVE ATTACKS
ACTIVE ATTACKS
 Attacks threatening integrity
1. Modification
 means that some portion of a legitimate message is altered, or
that messages are delayed or reordered, to produce an
unauthorized effect
2. Masquerading(Spoofing)
 when one entity pretends to be a different entity
3. Replaying
 involves the passive capture of a data unit and its subsequent
retransmission to produce an unauthorized effect
ACTIVE ATTACKS
 Attacks threatening availability
 Denial of Service Attack
 prevents or inhibits the normal use or management of
communications facilities
 May slow down or totally disrupt the service
 By overloading server
SECURITY MECHANISM
 Feature designed to detect, prevent, or recover from a
security attack
 No single mechanism that will support all services
required
 However one particular element underlies many of the
security mechanisms in use:
• cryptographic techniques
 Specific security mechanisms:
 encipherment, digital signatures, access controls, data
integrity, authentication exchange, traffic padding, routing
control, notarization
SECURITY MECHANISM
 Encipherment: Hiding or covering data
 Data Integrity: Appending a short check value

 Digital Signature: Electronically sender can sign the data

and receiver can verify the signature.
 Authentication Exchange: exchange some messages to
prove identity
 Traffic Padding: inserting some bogus data into the data
traffic
 Routing Control: Selecting and Continously changing
different available routes
 Notarization: Selecting a trusted third party

 Access Control: passwords and PINS

RELATION BETWEEN SERVICES AND
MECHANISM
Security Services Security Mechanisms
Data Confidentiality Encipherment and routing control
Data Integrity Encipherment,digital signature,data integrity
Authentication Encipherment,digital signature,authentication
exchanges
Nonrepudiation Digital signature,data integrity and notarization
Access control Access Control mechanism
MODEL FOR NETWORK SECURITY
MODEL FOR NETWORK SECURITY
 Using this model requires us to:
• design a suitable algorithm for the security transformation
• generate the secret information (keys) used by the
algorithm
• develop methods to distribute and share the secret
information
• specify a protocol enabling the principals to use the
transformation and secret information for a security
service
ASSIGNMENTS????