Domain 3

This document discusses security engineering concepts related to cryptography and symmetric key algorithms. It covers symmetric and asymmetric cryptosystems, cryptographic goals of confidentiality, authentication, integrity, and non-repudiation. It also describes symmetric block ciphers like DES, 3DES, and AES as well as stream ciphers. Specific algorithms covered include the Caesar cipher, transposition ciphers, substitution ciphers, the one-time pad, and running key ciphers.

Uploaded by trojanbaya

Domain 3

(Chapters 6, 7, 8, 9, 10)
Cryptography and Symmetric Key Algorithm
PKI and Cryptographic applications
Principles of Security model, design and capabilities
Security vulnerabilities
Physical security requirements

1
Security Engineering (Domain-3)
• This domain contains the concepts, principles, structures and standards used to design, implement, monitor and secure operating systems, equipment, networks and applications, and the controls used to enforce various levels of confidentiality, integrity, and availability

2
Chapter-6
Cryptography and Symmetric Key Algorithms

3
CAESAR Cipher
• Understanding CAESAR cipher
• Also called ROT3 or rotate3 cipher

4
What is Cryptography
• Method of storing and transmitting data in a particular form so that only those for whom it is intended can read and process it.
• In other words, it is the study and practice of hiding information.

Cryptography Goals
• Confidentiality
• Authentication
• Integrity
• Non-Repudiation
5
Confidentiality
• It ensures that data remains private while at rest or in transit
• Symmetric key cryptosystems and asymmetric cryptosystems

Authentication
• It verifies that the claimed identity is true

Integrity
• It ensures that stored data was not altered between the time it was created and the time it was accessed

Non-Repudiation
• It prevents a subject from claiming at a later stage not to have sent a message

6
Types of Data
Data at Rest
• Data residing at a permanent location
• Ex. Data stored on hard drives, backup tapes, USB drives
• Theft of physical devices is the biggest disadvantage of data at rest

Data in Motion
• Data being transferred across a network between two systems
• Ex. Wireless network, public internet
• Eavesdropping attack is a disadvantage of data in motion

7
Symmetric Key Algorithms
• Also called Secret Key Cryptography and Private Key Cryptography

• The secret key used in this process is distributed to all members involved in the communication
• A single key is used by all parties to both encrypt and decrypt messages

8
Asymmetric Key Algorithms
• Also called Public Key cryptography

• Each user has two keys: a public key, which is shared with all users, and a private key, which is kept secret
and known only to the user

9
What is Modulo Function
• Modulo function is the remainder value left over after a division operation is performed

Ex.
• 8 mod 6 = 2
• 32 mod 8 = 0

10
ZERO-KNOWLEDGE Proof

• It is a communication concept

• A special type of information is shared but no real data is disclosed such as Digital Signatures and Digital Certificates

11
Split Knowledge Concept
• When the information or privilege required to perform an operation is divided among multiple users, no
single person has sufficient privileges to compromise the security of an environment.

• This separation of duties and two-person control contained in a single solution is called Split Knowledge

• Ex. Key Escrow

12
Codes and Ciphers
Codes
• Codes are not necessarily meant to provide confidentiality
• Codes work on words and phrases

Ciphers
• Ciphers are always meant to hide the true meaning of a message
• Ciphers work on individual characters and bits

13
Cipher types
• Stream Cipher
• Block Cipher
• Transposition Ciphers
• Substitution Ciphers
• One Time Pad Cipher
• Running Key Ciphers

14
Transposition Cipher
• It is a method of encryption by which the positions held by units of plaintext are shifted according to a regular system, so that the ciphertext constitutes a permutation of the plaintext

15
Substitution Cipher
• It is a method of encrypting by which units of plaintext are replaced with ciphertext

16
One-Time Pad Cipher
• Treated as an unbreakable cipher

• Also called Vernam cipher

• In this technique, a plaintext is paired with a random secret key

• The secret key can be as long as the message or even longer than that.

17
Running-Key Cipher
• It is a type of polyalphabetic substitution cipher in which a text, typically from a book, is used to provide a very long keystream

18
Comparison between Stream & Block Ciphers
Stream Ciphers
• Encrypts and decrypts one bit of data at a time
• Padding is not required
• Insertion and deletion of bits is not possible
• Hardware required is less
• More suitable for hardware implementation
• Parallel encryption process can be done
• Faster in process
• Requires less code
• Ex. One time pad, Caesar cipher

Block Ciphers
• Encrypts a block of data at a time
• Padding is required
• Insertion and deletion of bits is possible
• Hardware requirement is high
• Easy to implement in software
• Parallel encryption process cannot be done
• Slow in process
• Requires more code
• Ex. Transposition cipher, DES, AES, RC6

(Diagram: a stream cipher combines plaintext bits with keystream bits to produce ciphertext bits; a block cipher encrypts a plaintext block, ex. 64 bits, into a ciphertext block, ex. 64 bits)

19
What is DES
• Data Encryption Standard
• Published by NIST (National Institute of Standards and Technology) in 1977
• DES is a 64 bit block cipher [56 bits contain actual key information, the remaining 8 bits contain parity information to ensure that the other 56 bits are accurate]

DES has 5 modes of operation, each operating on 64 bits:
• ECB – Electronic Codebook
• CBC – Cipher Block Chaining
• CFB – Cipher Feedback
• OFB – Output Feedback
• CTR – Counter mode

20
DES, 3DES and AES
DES
• Data Encryption Standard
• Developed in 1977
• Block size is 64 bits
• Security level is low
• It is a symmetric block cipher
• Key length is 56 bits

3DES
• Triple Data Encryption Standard
• Developed in 1978
• Block size is 64 bits
• Security level is medium
• It is a symmetric block cipher
• Key length is 168 or 112 bits

AES
• Advanced Encryption Standard
• Developed in 2000
• Block size is 128 bits
• Security level is high
• It is a symmetric block cipher
• Key length is 128, 192 or 256 bits

21
Symmetric Block Ciphers
Name Block size Key size Cipher type
DES 64 bits 56 bits Block Cipher
3DES 64 bits 112 or 168 bits Block Cipher
AES 128 bits 128, 192, 256 bits Block Cipher
RC2 64 bits 128 bits Block Cipher
RC4 Streaming 128 bits Block Cipher
RC5 32, 64, 128 bits 0 – 2040 bits Block Cipher
Skipjack 64 bits 80 bits Block Cipher
Twofish 128 bits 1 – 256 bits Block Cipher
IDEA 64 bits 128 bits Block Cipher
Rijndael Variable 128, 192, 256 bits Block Cipher
Blowfish Variable 1 – 448 bits Block Cipher

22
Asymmetric Block Ciphers
Name Cipher type
Diffie-Hellman Block Cipher
RSA Block Cipher
ElGamal Block Cipher
Elliptic Curve Cryptography Block Cipher

23
Storing and Destroying of Symmetric Keys
Storage of Encryption keys
• Never store an encryption key on the same system where encrypted data resides

• Sensitive keys should be provided to two individuals, each holding half of the key. Only by collaborating can they re-create the key. This is also called Split Knowledge

24
What is Key Escrow
• It is also called Fair Cryptosystems

• In this approach, the secret keys used in a communication are divided into two or more pieces, each of which
is given to an independent third party. Each of these pieces is useless on its own but may be recombined to
obtain the secret key

25
Practice Questions
1. John recently received an email message from Bill. What cryptographic goal would need to be met to convince John that Bill was
actually the sender of the message?
A. Nonrepudiation
B. Confidentiality
C. Availability
D. Integrity

2. What is the length of the cryptographic key used in the Data Encryption Standard (DES) cryptosystem?
A. 56 bits
B. 128 bits
C. 192 bits
D. 256 bits

3. What type of cipher relies on changing the location of characters within a message to achieve confidentiality?
A. Stream cipher
B. Transposition cipher
C. Block cipher
D. Substitution cipher

4. Which one of the following cannot be achieved by a secret key cryptosystem?
A. Nonrepudiation
B. Confidentiality
C. Availability
D. Key distribution
26
5. When correctly implemented, what is the only cryptosystem known to be unbreakable?
A. Transposition cipher
B. Substitution cipher
C. Advanced Encryption Standard
D. One-time pad

6. What is the output value of the mathematical function 16 mod 3?
A. 0
B. 1
C. 3
D. 5

7. What is the minimum number of cryptographic keys required for secure two-way communications in symmetric key cryptography?
A. One
B. Two
C. Three
D. Four

8. Which one of the following cipher types operates on large pieces of a message rather than individual characters or bits of a
message?
A. Stream cipher
B. Caesar cipher
C. Block cipher
D. ROT3 cipher
27
9. What block size is used by the Advanced Encryption Standard?
A. 32 bits
B. 64 bits
C. 128 bits
D. Variable

10. How many encryption keys are required to fully implement an asymmetric algorithm with 10 participants?
A. 10
B. 20
C. 45
D. 100

28
Chapter-7
PKI and Cryptographic Applications

29
Hash function

• Transformation of a string of characters into a usually shorter fixed-length value or key that represents the original string

• It is a one-way function (only encryption is done)

• Similar to a fingerprint

30
Message Digest
• It is the result of the hashing process

• Input data can vary in length whereas the hash length is fixed

• Encrypted password data is called a hash of the password

31
Message Digest is also called
Hash Value, Hash Total, CRC (Cyclic Redundancy Check), Fingerprint, Checksum, Digital ID

32
Hash function requirements

• The input can be of any length
• The output has a fixed length
• The hash function is relatively easy to compute for any input
• The hash function is one-way
• The hash function is collision free

33
Different Hash algorithms
Secure Hash Algorithm (SHA) was developed by NIST
• SHA-1 – Processes a message in 512 bit blocks; produces a 160 bit MD
• SHA-256 – Processes a message in 512 bit blocks; produces a 256 bit MD
• SHA-224 – Processes a message in 512 bit blocks; produces a 224 bit MD
• SHA-384 – Processes a message in 1024 bit blocks; produces a 384 bit MD
• SHA-512 – Processes a message in 1024 bit blocks; produces a 512 bit MD

The Message Digest series of algorithms was developed by Ronald Rivest
• MD2 – Message Digest 2; produces a 128 bit MD
• MD4 – Processes a message in 512 bit blocks; produces a 128 bit MD
• MD5 – Processes a message in 512 bit blocks; produces a 128 bit MD
• HMAC – Hash Message Authentication Code; variable length
• HAVAL – Hash of Variable Length; 128, 160, 192, 224 or 256 bits

34
Password Salting
• A salt is a randomly generated value that is combined with the password and stored alongside the resulting hash value
• Salting makes it much harder to crack passwords
• A salt makes dictionary attacks and brute force attacks much more difficult when many passwords have to be cracked

35
Digital Signature
• Mathematical scheme for demonstrating the authenticity of documents
• Uses a public key algorithm together with a hashing algorithm
• It is a message digest encrypted again with the user’s private key
• The encrypted hash is attached to the message
• Goals are Integrity, Authentication and Non-Repudiation
• Used for S/W distribution, financial transactions, contract management
• Used to detect forgery and tampering with data

36
37
Digital Signature process

Creation of Digital Signature
• Rose creates a MD of the original plaintext using the MD5 hash algorithm.
• Then she encrypts only the MD with her private key. This encrypted MD is the Digital Signature.
• Rose appends the signed MD to the plaintext.
• Then she sends this message to Kevin.

Verification of Digital Signature
• Kevin decrypts the digital signature using Rose’s public key.
• Then he uses the same hash algorithm to create a MD of the plaintext received.
• He compares the two MDs (the one he received from Rose and the one he created at his end).
• If both match, he can be assured that the message was sent by Rose. If not, either someone modified the message in the middle or it was not sent by Rose.

38
NIST approved standard Encryption algorithms

• The Digital Signature Algorithm (DSA) as specified in FIPS 186-4

• The Rivest, Shamir, Adleman (RSA) algorithm as specified in ANSI X9.31

• The Elliptic Curve DSA (ECDSA) as specified in ANSI X9.62

39
What is Steganography
• Steganography is the art of using cryptographic techniques to embed secret messages within another
message via Images, audio files, video files, office documents

• It requires two items: a container and the data to be hidden

• Goal is confidentiality

40
IPsec
• Internet Protocol Security is a suite of protocols that allows secure, encrypted communication between two computers over an insecure network

• Uses public key cryptography

• Provides encryption, non-repudiation, message authentication and access control

Goals:
Protect IP packets
Provide defense against network attacks

IPsec uses two protocols:
Authentication Header (AH) – Enforces message integrity and non-repudiation
Encapsulating Security Payload (ESP) – Enforces confidentiality and integrity

41
• Peer-to-Peer communication
• Only message portion is encrypted

• Gateway-to-Gateway communication
• Entire packet is encrypted

42
Digital Certificates

• It provides communicating parties with the assurance that the people they are communicating with
truly are whom they claim to be

• Digital Certificates are essentially endorsed copies of an individual’s public key

• DC uses X.509 standard

• DCs are normally provided by Certificate Authorities such as GoDaddy, DigiCert, Symantec, Comodo etc.

43
1. If Richard wants to send an encrypted message to Sue using a public key cryptosystem, which key does he use to encrypt the
message?
A. Richard’s public key
B. Richard’s private key
C. Sue’s public key
D. Sue’s private key

2. John wants to produce a message digest of a 2,048-byte message he plans to send to Mary. If he uses the SHA-1 hashing
algorithm, what size will the message digest for this particular message be?
A. 160 bits
B. 512 bits
C. 1,024 bits
D. 2,048 bits

3. Richard received an encrypted message sent to him from Sue. Which key should he use to decrypt the message?
A. Richard’s public key
B. Richard’s private key
C. Sue’s public key
D. Sue’s private key

4. Richard wants to digitally sign a message he’s sending to Sue so that Sue can be sure the message came from him without
modification while in transit. Which key should he use to encrypt the message digest?
A. Richard’s public key
B. Richard’s private key
C. Sue’s public key
D. Sue’s private key
44
5. Which International Telecommunications Union (ITU) standard governs the creation and endorsement of digital certificates for
secure electronic communication?
A. X.500
B. X.509
C. X.900
D. X.905

45
Chapter-8
Principles of Security Models, Design and Capabilities

46
Objects and Subjects
• The object is the resource a user or process wants to access.

• The subject is the user or process that makes a request to access a resource.

Note:
The subject and object refer to some specific access request, so the same resource can serve as a subject and
an object in different access requests.

47
What is a Control
• A control uses access rules to limit the access of a subject to an object.
• Access rules state which objects are valid for each subject.
• An object might be valid for one type of access and be invalid for another type of access

Ex. File access


• A file can be protected from modification by making it read-only for most users but read-write for a small set
of users who have the authority to modify it.

48
Types of Controls

MAC
• Mandatory access control
• Static in nature
• Limits the access to objects by subjects
• Disallows unauthorized access by authorized or unauthorized subjects
• Focusses on confidentiality and integrity of data
• Each subject possesses attributes that define its clearance, or authority, to access resources.
• Each object possesses attributes that define its classification.

DAC
• Discretionary access control
• Dynamic in nature
• Limits the access to objects by subjects
• Disallows unauthorized access by authorized or unauthorized subjects
• Focusses on confidentiality and integrity of data
• Discretionary access controls allow the subject to define a list of objects to access as needed
• Based on the identity, the subject may be allowed to add or modify the rules that define access to objects

49
Trust and Assurance

Trust
• A trusted system is one in which all protection mechanisms work together to process sensitive data for many types of users while maintaining a stable and secure computing environment

Assurance
• Assurance is simply defined as the degree of confidence in satisfaction of security needs.
• Assurance must be continually maintained, updated, and re-verified.

50
What is a security model
• A security model offers a way to deepen our understanding of how a computer operating system should be designed and developed to support a specific security policy.

• In other words, a security model provides a way to formalize security policies.

• A security model gives software designers something against which to measure their design and implementation.

51
Security Model - Types
• Bell-LaPadula model (1973)
• Biba model (1977)
• Clark-Wilson model (1987)
• Brewer and Nash model (also known as Chinese Wall)
• Graham-Denning model

Security Requirements
• Confidentiality
• Integrity
• Availability

52
Security Models

Bell-LaPadula
• Enforces confidentiality
• No Read Up and No Write Down
• No stealing of secrets and no divulging of secrets
• Mainly used in military and government oriented systems

Biba
• Enforces integrity
• No Read Down and No Write Up
• Prevents authorized & unauthorized users from making improper modifications
• Mainly used in commercial sectors

Clark-Wilson
• Enforces integrity. Supports SOD
• Uses authentication and authorization in relation to ACL
• Works on the concept of RBAC (Rule based access control)
• Mainly used in commercial sectors

Brewer & Nash
• Also called Chinese Wall model
• Avoids conflict of interest. Supports SOD
• A subject having access to Client-A data cannot access Client-B data

Graham-Denning
• Creates objects and subjects
• Deletes objects and subjects
• Read, Grant, Delete, Transfer access rights

53
54
Bell-LaPadula example

Security level – Subject – Object
• Top Secret – Tex – Personal files
• Secret – Sam – E-mail files
• Confidential – Claire – Activity logs
• Unclassified – Umaga – Telephone lists

• Tex can READ all files
• Sam can WRITE to E-mail or Personal files
• Claire cannot READ Personal or E-mail files
• Umaga can WRITE to Activity logs
• Umaga can only READ Telephone lists
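An added example (not from the slides) that encodes the two Bell-LaPadula rules from the Security Models table, checks them against the Tex/Sam/Claire/Umaga table above, and places the mirrored Biba rules beside them. The subject and object tables are constructed from the slide; the function names are this example's own.

```python
from enum import IntEnum


class Level(IntEnum):
    """Classification lattice from the slide; a higher value is more sensitive."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


# Constructed from the slide's example table.
SUBJECT_CLEARANCE = {
    "Tex": Level.TOP_SECRET,
    "Sam": Level.SECRET,
    "Claire": Level.CONFIDENTIAL,
    "Umaga": Level.UNCLASSIFIED,
}
OBJECT_CLASSIFICATION = {
    "Personal files": Level.TOP_SECRET,
    "E-mail files": Level.SECRET,
    "Activity logs": Level.CONFIDENTIAL,
    "Telephone lists": Level.UNCLASSIFIED,
}


def blp_allows(subject: str, obj: str, action: str) -> bool:
    """Bell-LaPadula (confidentiality): the simple security property forbids reading up,
    the *-property forbids writing down. Writing up is permitted."""
    clearance = SUBJECT_CLEARANCE[subject]
    classification = OBJECT_CLASSIFICATION[obj]
    if action == "read":
        return clearance >= classification   # no read up
    if action == "write":
        return clearance <= classification   # no write down
    raise ValueError(f"unknown action {action!r}")


def biba_allows(subject: str, obj: str, action: str) -> bool:
    """Biba (integrity) is the dual: no read down, no write up. The same table is reused
    with its levels read as integrity levels, purely to show the mirrored rules."""
    level = SUBJECT_CLEARANCE[subject]
    obj_level = OBJECT_CLASSIFICATION[obj]
    if action == "read":
        return level <= obj_level            # no read down
    if action == "write":
        return level >= obj_level            # no write up
    raise ValueError(f"unknown action {action!r}")


def permitted(subject: str, action: str, policy=blp_allows) -> list:
    """Every object on which the subject may perform `action` under the given policy."""
    return [o for o in OBJECT_CLASSIFICATION if policy(subject, o, action)]


def check_slide_claims() -> bool:
    """Reproduce the slide's five bullets under Bell-LaPadula."""
    return (
        permitted("Tex", "read") == list(OBJECT_CLASSIFICATION)
        and all(blp_allows("Sam", o, "write") for o in ("E-mail files", "Personal files"))
        and not any(blp_allows("Claire", o, "read") for o in ("Personal files", "E-mail files"))
        and blp_allows("Umaga", "Activity logs", "write")
        and permitted("Umaga", "read") == ["Telephone lists"]
    )


if __name__ == "__main__":
    print(check_slide_claims())                  # True
    print(permitted("Sam", "write"))             # ['Personal files', 'E-mail files']
    print(permitted("Sam", "write", biba_allows))  # ['E-mail files', 'Activity logs', 'Telephone lists']
```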

55
56
57
What is Trusted Operating System

• A trusted operating system implements sufficient controls to support multilevel security

• It must be tested to demonstrate evidence of correctness to meet specific standards

• A trusted operating system should undergo testing and validation process to meet standards

58
Information Security Standards

ITSEC
• Information Technology Security Evaluation Criteria
• Developed in 1980 to meet the needs of the European market
• Focusses on integrity, availability and confidentiality
• It evaluates two main attributes of a system’s protection mechanism – functionality and assurance
• Class F1 to F10 rate functionality
• Class E0 to E6 rate assurance
• ITSEC addresses networked systems

TCSEC
• Trusted Computer System Evaluation Criteria
• Introduced in 1985 and retired in 2000
• Also called Orange book
• Focusses exclusively on confidentiality
• It was the first methodical and logical set of standards developed to secure computer systems
• Predecessor to Common Criteria
• TCSEC deals with stand-alone systems

59
Common Criteria (ISO 15408)
• Developed by ISO
• Treated as a global standard built on TCSEC and ITSEC
• Under this model, an evaluation is carried out on a product and it is assigned an Evaluation Assurance Level
(EAL)
• EAL1 Functionally tested
• EAL2 Structurally tested
• EAL3 Methodically tested and checked
• EAL4 Methodically designed, tested, and reviewed
• EAL5 Semi-formally designed and tested
• EAL6 Semi-formally verified design and tested
• EAL7 Formally verified design and tested

60
Information Security Standards (contd.)

PCI-DSS
• Payment Card Industry–Data Security Standard
• It is a collection of requirements for improving the security of electronic payment transactions
• PCI-DSS defines requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures
• These standards were defined by the PCI Security Standards Council members, who are primarily credit card banks and financial institutions

ISO
• International Organization for Standardization
• It defines standards for industrial and commercial equipment, software, protocols, and management
• It is a worldwide standards-setting group of representatives from various national standards organizations
• It issues 6 main products: International Standards, Technical Reports, Technical Specifications, Publicly Available Specifications, Technical Corrigenda, and Guides

61
Certification and Accreditation

Certification
• It is the comprehensive technical evaluation of the security components and their compliance for the purpose of accreditation
• It uses safeguard evaluation, risk analysis, verification, testing and auditing techniques to assess the appropriateness of a specific system

Accreditation
• It is the formal acceptance of the adequacy of a system’s overall security and functionality by management
• Accreditation is often performed by a third-party testing service
• We cannot request changes to the configuration or additional controls to address security concerns very often during accreditation

62
Virtualization
• It is a technology used to host one or more OS within the memory of a single host computer

• Saves money on management, hardware cost and maintenance

Virtual Machine
• It is software that can virtualize computer H/W, OS, applications and other computing environments.
• Multiple VMs can run on a single host

63
Virtualization Platforms
Some examples of hardware virtualization platforms are:
• Hyper-V
• VMware ESX
• Oracle VM Server
Some examples of Operating system-level virtualization platforms are:
• Solaris Containers
• Docker
• LXC
Some examples of Application virtualization platforms are:
• App-V
• VMware ThinApp
• Citrix XenApp

64
Hypervisor
• It is a layer of software that separates the virtual software from the physical hardware it runs on.

65
Types of Hypervisors

Type I (layers from bottom to top)
• Hardware
• Hypervisor
• Guest 1 OS, Guest 2 OS

Type II (layers from bottom to top)
• Hardware
• Host OS
• Hypervisor
• Guest 1 OS, Guest 2 OS

66
Type I Hypervisor
• Runs on bare metal
• Runs directly on the host’s H/W
• Hypervisor is integrated into the host’s OS
• Relatively fast as compared to Type II
• More secure as compared to Type II

Type II Hypervisor
• Runs as an application on top of the host machine’s OS
• Adds another level between the hypervisor and the bare metal
• Primarily useful for personal devices
• Slower in process
• Less secure, as the host OS can be compromised

67
Chapter 9+10
Security Vulnerabilities, Threats and Countermeasures
Physical Security Requirements

68
What is a Processor
• Another name for Central Processing Unit

• Treated as computer’s nerve center that governs all major operations

69
Execution types

Multitasking
• In computing, MULTITASKING means handling two or more tasks simultaneously
• Multitasking takes place on PC operating systems
• Ex. Windows and Linux

Multiprocessing
• In a MULTIPROCESSING environment, a multiprocessor computing system uses more than one CPU
• Ex. a database server might run on a system that contains four, six, or more processors

70
Execution types (contd.)

Multiprogramming
• Multiprogramming usually takes place on large-scale systems
• Ex. Mainframes
• Multiprogramming requires specially written software that coordinates its own activities and execution through the operating system

Multithreading
• Multiple concurrent tasks are performed within a single process
• Multithreading permits multiple tasks to operate within a single process
• Ex. multiple documents are opened at the same time in a word processing program

71
ROM types
Read-Only Memory (ROM)
• The contents of a standard ROM chip are burned in at the factory, and the end user simply cannot alter it

Programmable Read-Only Memory (PROM)
• During the manufacturing process, a PROM chip’s contents aren’t “burned in” at the factory as with standard ROM chips. Instead, a PROM incorporates special functionality that allows an end user to burn in the chip’s contents later

72
ROM types (contd.)
Erasable Programmable Read-Only Memory (EPROM)
• Data can be erased and re-used

Electronically Erasable Programmable Read-Only Memory (EEPROM)
• A non-volatile form of memory that can be erased and re-programmed

73
What is a flash memory
• It is a nonvolatile form of storage media that can be electronically erased and rewritten.

• Flash memory can be erased and written in blocks or pages.

• The most common type of flash memory is NAND flash. It is widely used in memory cards, mobile devices

74
Random Access Memory (RAM)
• It is readable and writable memory that contains information a computer uses during processing.
• RAM retains its contents only when power is continuously supplied to it.
• RAM is useful only for temporary storage

Dynamic RAM
• Dynamic RAM is cheaper
• Slower in speed
• To store data, dynamic RAM uses a series of capacitors, tiny electrical devices that hold a charge

Static RAM
• Static RAM is costly
• Static RAM runs much faster
• Static memory maintains its contents unaltered as long as power is supplied and imposes no CPU overhead for periodic refresh operations

75
Input and Output devices

Input Devices
• Keyboards
• Mouse
• Modems

Output Devices
• Monitor
• Printer

76
Storage

Primary Storage
• Another name for primary memory
• Also called volatile storage
• Ex. RAM
• Information is readily available to the CPU while the computer is running

Secondary Storage
• Another name for secondary memory
• Also called non-volatile storage
• Ex. Hard drive, solid state drives (SSDs), floppy disk, magnetic tapes, compact discs (CDs), digital video disks (DVDs), flash memory cards

77
What is BIOS
• Stands for Basic Input Output System

• It contains the OS independent primitive instructions that a computer needs to start up and load the OS
from the disk.

• BIOS is contained in a firmware device that is accessed immediately by the computer at boot time.

• In most computers, the BIOS is stored on an EEPROM chip to facilitate version updates.

• The process of updating the BIOS is known as “flashing the BIOS.”

78
What is BYOD
• Bring your own device (BYOD) is a policy that allows employees to bring their own personal mobile devices
to work and then use those devices to connect to (or through) the company network to business resources
and/or the Internet.

• It helps in improving employee morale and job satisfaction

• It increases security risks to the organization

79
What is Cloud Computing
• It is where software applications, data storage and processing capacities are accessed over the internet.

• In other words, it is an on demand delivery of IT capabilities where IT infrastructure and applications are
provided to subscribers as a metered service over a network.

• It is the storing of data and applications on remote servers, and accessing them via the internet rather than saving or installing them on your personal or office computer

80
Evolution of Cloud Computing
• ARPANET (Advanced Research Projects Agency Network) project started in 1969 in USA
• Set up by US Department of Defense
• Email service introduced in 1972
• www (World Wide Web) was born and made public in 1991

81
Cloud Service Models

• Select, customize and migrate
• Develop, deploy and migrate
• Configure, deploy and migrate

All 3 service models below allow users to run applications and store data online; however, each offers a different level of user flexibility and control
82
SaaS
• Software as a service
• It is an on-demand service
• It is platform independent
• Available for multiple end users
• Cheapest
• Ex. Microsoft Office 365, Google Apps
• This service is accessible via a web browser or a lightweight client app.

PaaS
• Platform as a service
• It is made up of a programming language, OS, webserver and database
• It allows users to create their own cloud app using supplier-specific tools and languages
• Moderately cheap
• Ex. Microsoft Azure

IaaS
• Infrastructure as a service
• Offers computing architecture and infrastructure
• It allows users to run any application they want on cloud hardware of their own choice
• Very costly
• Ex. AWS

83
IaaS
YOU manage the software:
• Data
• Applications
• Operating System
• Runtime
• Middleware
3rd Party manages the hardware:
• Servers
• Networking
• Storage
• Virtualization

84
PaaS
YOU manage:
• Applications
• Data
3rd Party manages:
• Servers
• Networking
• Runtime
• Operating System
• Storage
• Virtualization
• Middleware

85
SaaS
3rd Party manages everything:
• Data
• Applications
• Servers
• Networking
• Runtime
• Operating System
• Storage
• Virtualization
• Middleware
86
Deployment Models in Cloud
1. Private Cloud

2. Community Cloud

3. Public Cloud

4. Hybrid Cloud

87
Private Cloud
• It is meant for a single organization

• It can be managed internally or by a third party

• Can be hosted internally within premises or externally

• Security level is high

• Ex. Toyota, Citibank, Wal-mart

88
Community Cloud
• It is used by distinct groups

• Shared by several organizations

• Supports a specific community

• Ex. Same domain industries

89
Public Cloud
• Can be accessed by anyone

• It has multiple clients

• Hosted at providers location

• Cost is low

• Ex. AWS, Microsoft Azure, Google

90
Hybrid Cloud
• It is combination of two or more clouds

91
Database security
Data Mining
• Data mining techniques allow analysts to comb through data warehouses and look for potential correlated information. Ex.
an analyst might discover that the demand for light bulbs always increases in the winter months and then use this
information when planning pricing and promotion strategies.
• Data mining techniques result in the development of data models that can be used to predict future activity
Data Warehouses
• Data warehouse is used to store large amounts of information from a variety of databases for use with specialized analysis
techniques. They often contain detailed historical information.

Data Dictionary
• A data dictionary is commonly used for storing critical information about data, including usage, type, sources,
relationships, and formats

92
What is OWASP
• It is Open Web Application Security Project

• OWASP is a nonprofit security project focusing on improving security for online or web-based applications

• It is a large community that works together to freely share information, methodology, tools, and techniques
related to better coding practices and more secure deployment architectures

93
Mobile systems

Android
• Android is a mobile device OS based on Linux
• Mostly used on phones and tablets

iOS
• iOS is the mobile device OS from Apple
• It is available on the iPhone, iPad, iPod, and Apple TV

94
Device security
• Remote Wiping - A remote wipe lets you delete all data and possibly even configuration settings from a
device remotely

• Lockout - Lockout on a mobile device is similar to account lockout on a company workstation. When a user
fails to provide their credentials after repeated attempts, the account or device is disabled (locked out) for a
period of time or until an administrator clears the lockout flag

• Screen Locks - A screen lock is designed to prevent someone from casually picking up and being able to use
your phone or mobile device. However, most screen locks can be unlocked by swiping a pattern or typing a
number on a keypad display.
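The lockout behaviour described above, as an added example that is not part of the slides: a device (or account) is locked for a period after repeated failed attempts, and an administrator can clear the flag early. The policy values (5 failures, 15 minutes, escalation to an admin hold after the third lock in a row) are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class DeviceState:
    failures: int = 0                     # consecutive failed unlock attempts
    lockouts: int = 0                     # timed lockouts triggered in a row
    locked_until: Optional[float] = None  # epoch seconds; None when no timed lock
    admin_hold: bool = False              # locked until an administrator clears it

class LockoutPolicy:
    """Assumed policy values (not from the slides): 5 consecutive failures start
    a 15-minute timed lock; the third lock in a row escalates to an admin hold."""

    def __init__(self, threshold=5, lockout_seconds=900, max_lockouts=3):
        self.threshold, self.lockout_seconds, self.max_lockouts = threshold, lockout_seconds, max_lockouts

    def is_locked(self, state, now):
        if state.admin_hold:
            return True
        if state.locked_until is None:
            return False
        if now < state.locked_until:
            return True
        state.locked_until = None   # timed lock expired: start a fresh failure count
        state.failures = 0
        return False

    def attempt(self, state, credential_ok, now):
        """Record one unlock attempt at time `now`; returns 'ok', 'failed' or 'locked'."""
        if self.is_locked(state, now):
            return "locked"          # the credential is not even evaluated while locked
        if credential_ok:
            state.failures = state.lockouts = 0
            return "ok"
        state.failures += 1
        if state.failures < self.threshold:
            return "failed"
        state.lockouts += 1
        if state.lockouts >= self.max_lockouts:
            state.admin_hold = True  # only admin_clear() releases this
        else:
            state.locked_until = now + self.lockout_seconds
        return "locked"

    def admin_clear(self, state):
        """Administrator clears the lockout flag, ending any timed or held lock."""
        state.locked_until, state.admin_hold = None, False
        state.failures = state.lockouts = 0
```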

95
Security Principles for Site Selection
• Visibility

• Natural Disasters

• Facility Design

96
Design and Implement Physical Security

The security controls implemented to manage physical security can be divided into three groups

• Administrative
• Technical
• Physical

97
Design and Implement Physical Security
When designing and building a facility, the following major items need to be addressed from a physical
security point of view:
• Walls - Combustibility of material (wood, steel, concrete)
• Doors - Resistance to forcible entry, Locked or controlled entrances
• Ceilings - Combustibility of material (wood, steel, concrete), Fire rating
• Windows - Shatterproof, Placement, Accessibility to intruders
• Flooring - Combustibility of material (wood, steel, concrete), Raised flooring
• HVAC - Positive air pressure, Protected intake vents, Dedicated power lines
• Electric Power supply - Backup and alternate power supplies, Clean and steady power source
• Water and Gas lines - Placement: properly located and labeled
• Fire detection and suppression - Placement of sensors and detectors, Type of detectors and suppression
agents

98
The problems with power are numerous
• Fault - A momentary loss of power
• Blackout - A complete loss of power
• Sag - Momentary low voltage
• Brownout - Prolonged low voltage
• Spike - Momentary high voltage
• Surge - Prolonged high voltage
• Noise - A steady interfering power disturbance or fluctuation
• Transient - A short duration of line noise disturbance
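An added example (not from the slides) that applies the definitions above to a constructed voltage trace: each reading is classed as low, high or outage, and the duration of the deviation decides between the momentary and prolonged terms. The thresholds (120 V nominal, 10% tolerance, 5 V outage level, 1 s as "prolonged") are assumptions; noise and transients need frequency analysis and are not classified here.

```python
# Constructed example, not from the slides: classify voltage deviations into the
# categories defined above. Thresholds are assumptions: +/-10% of a 120 V nominal
# line counts as low/high, <5 V as an outage, and >=1 s as "prolonged".
NOMINAL_V, TOL, OUTAGE_V, PROLONGED_S = 120.0, 0.10, 5.0, 1.0

def sample_kind(volts):
    """Classify one reading as outage, low, high or normal."""
    if volts < OUTAGE_V:
        return "outage"
    if volts < NOMINAL_V * (1 - TOL):
        return "low"
    if volts > NOMINAL_V * (1 + TOL):
        return "high"
    return "normal"

def label(kind, duration):
    """Map a deviation kind plus its duration onto the slide's terminology."""
    prolonged = duration >= PROLONGED_S
    return {"low": "brownout" if prolonged else "sag",
            "high": "surge" if prolonged else "spike",
            "outage": "blackout" if prolonged else "fault"}[kind]

def find_events(trace):
    """trace: time-ordered (seconds, volts) pairs. Returns (start, duration, label)
    per deviation; a deviation ends when readings return to normal or change kind."""
    events, current = [], None           # current = (kind, start_time)
    for t, v in trace:
        kind = sample_kind(v)
        if current and kind != current[0]:
            start = current[1]
            events.append((start, t - start, label(current[0], t - start)))
            current = None
        if kind != "normal" and current is None:
            current = (kind, t)
    if current:                          # trace ends while still deviating
        start, end = current[1], trace[-1][0]
        events.append((start, end - start, label(current[0], end - start)))
    return events

def constructed_trace():
    """Synthetic 10 ms samples covering each category once."""
    trace = []
    def seg(start, n, volts):
        trace.extend((round(start + i * 0.01, 2), volts) for i in range(n))
    seg(0.00, 5, 120.0); seg(0.05, 3, 100.0)     # 30 ms low  -> sag
    seg(0.08, 5, 120.0); seg(0.13, 150, 100.0)   # 1.5 s low  -> brownout
    seg(1.63, 5, 120.0); seg(1.68, 2, 140.0)     # 20 ms high -> spike
    seg(1.70, 5, 120.0); seg(1.75, 120, 140.0)   # 1.2 s high -> surge
    seg(2.95, 5, 120.0); seg(3.00, 4, 0.0)       # 40 ms dead -> fault
    seg(3.04, 5, 120.0); seg(3.09, 200, 0.0)     # 2 s dead   -> blackout
    seg(5.09, 5, 120.0)
    return trace
```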

99
Design and Implement Physical Security (contd.)
When designing physical security for an environment, focus on the functional order in which controls should
be used
• 1. Deterrence
• 2. Denial
• 3. Detection
• 4. Delay

Security controls should be deployed so that initial attempts to access physical assets are deterred (boundary restrictions
accomplish this). If deterrence fails, then direct access to physical assets should be denied (for example, locked vault doors). If
denial fails, your system needs to detect intrusion (for example, using motion sensors), and the intruder should be delayed
sufficiently in their access attempts to enable authorities to respond (for example, a cable lock on the asset). It’s important to
remember this order when deploying physical security controls: first deterrence, then denial, then detection, then delay

100
Temperature, Humidity, and Static

• In addition to power considerations, maintaining the environment involves control over the HVAC mechanisms.

• Rooms intended primarily to house computers should generally be kept at 60 to 75 degrees Fahrenheit (15 to 23 degrees Celsius).

• Humidity in a computer room should be maintained between 40 and 60 percent.

101
The four primary stages of fire
• Stage 1: The Incipient Stage - At this stage, there is only air ionization but no smoke

• Stage 2: The Smoke Stage - In Stage 2, smoke is visible from the point of ignition

• Stage 3: The Flame Stage - This is when a flame can be seen with the naked eye

• Stage 4: The Heat Stage - At this stage, the fire is considerably further down the timescale, to the point where
there is an intense heat buildup

102
Fire Extinguishers

103
Server Room security

• Server rooms should be located at the core of the building.

• Try to avoid locating these rooms on the ground floor or the top floor.

• The server room should be located away from water, gas, and sewage lines.

104
Datacenter Security

• Smartcards
• Proximity Readers
• Intrusion Detection Systems
• Access Abuses

105
Implement and Manage Physical Security
• Perimeter
• Fences, Gates, Turnstiles, and Mantraps
• Lighting
• Security Guards and Dogs
• Keys and Combination Locks
• Badges
• Motion Detectors

106
Intrusion Alarms
• Whenever a motion detector registers a significant or meaningful change in the environment, it
triggers an alarm.

• An alarm is a separate mechanism that triggers a deterrent, a repellent, and/or a notification.


• Deterrent Alarms
• Repellant Alarms
• Notification Alarms

107
1. What type of memory device is usually used to contain a computer’s motherboard BIOS?
A. PROM
B. EEPROM
C. ROM
D. EPROM

2. What type of memory is directly available to the CPU and is often part of the CPU?
A. RAM
B. ROM
C. Register memory
D. Virtual memory

3. Which one of the following storage devices is most likely to require encryption technology in order to maintain data security in a
networked environment?
A. Hard disk
B. Backup tape
C. Removable drives
D. RAM
4. What type of memory chip allows the end user to write information to the memory only one time and then preserves that
information indefinitely without the possibility of erasure?
A. ROM
B. PROM
C. EPROM
D. EEPROM
108
5. What is the most common form of perimeter security devices or mechanisms?
A. Security guards
B. Fences
C. CCTV
D. Lighting

6. What is the most important goal of all security solutions?
A. Prevention of disclosure
B. Maintaining integrity
C. Human safety
D. Sustaining availability

7. Which of the following is not a typical type of alarm that can be triggered for physical security?
A. Preventive
B. Deterrent
C. Repellant
D. Notification

8. What is the most common and inexpensive form of physical access control device?
A. Lighting
B. Security guard
C. Key locks
D. Fences

109