
Ch1. Information Security - Introduction


Cryptography

Jumana Khwaileh-LTUC
Topics…

• Information security
• What is information security?
• The information security triad.
• Security risks.
• Security mechanisms.
• Security concepts.
Learning Objectives

• Upon successful completion of this chapter, you will be able to:
  • Identify the information security triad.
  • Understand the concepts of information security tools.
  • Identify main security concepts.
Information Security
• The protection of information and its critical elements, including systems and
hardware that use, store, and transmit that information.

• It’s the application of measures to ensure the safety and privacy of data by managing its
storage and distribution. Information security has both technical and social implications.

• Necessary tools for information security: policy, awareness, training, education,
technology.

• Information security is the process of protecting data from unauthorized
access, disclosure, destruction or disruption.
Personal Information Security
• Simple steps that individuals can take to be more secure:
  • Keep your software up to date
  • Install antivirus software
  • Use public networks carefully
  • Backup your data
  • Secure your accounts with two-factor authentication
  • Make your passwords long, unique, and strong
  • Be suspicious of strange links and attachments
Risk

• IT security is defined by three components:
  • Threats
  • Vulnerabilities
  • Consequences
Security risks
• Risks to information can be assessed by identifying different types of possible
attack that can be attempted.

• These attacks are often classified by the type of action that an attacker is able to
perform.
  • Passive Attacks
  • Active Attacks
Security risks
• Passive attacks

• The main type of passive attack is unauthorized access to data. This is a passive
process in the sense that the data and the processes being conducted on that data
remain unaffected by the attack.

• Note that a passive attack is often likened to ‘stealing’ information. However, unlike
stealing physical goods, in most cases theft of data still leaves the owner in possession
of that data.

• As a result, information theft may go unnoticed by the owner. Indeed, it may even be
undetectable.
Security risks
• Active attacks
• An active attack involves either data being changed in some way, or a process
being conducted on the data.
• Examples of active attacks include:
• Unauthorized alteration of data
• Unauthorized deletion of data
• Unauthorized transmission of data
• Unauthorized tampering with the origin of data
• Unauthorized prevention of access to data (denial of service).
Passive Attacks and Active Attacks
Information Security & Cryptography
• Information security involves the use of many
different types of security technologies, as well as
management processes and controls.

• Cryptography provides the techniques that
underpin most information security technologies.
Information Security
• The rise in significance of information security has brought with it an increase in the
importance and widespread use of cryptography.

• As we shall see, cryptography lies at the heart of most technical information security
mechanisms.

• As a result, cryptography has become something most people use in everyday
applications.

• Once largely the domain of government and the military, cryptography is now deployed
on devices that can be found in the pockets of almost every consumer of technology.
Security Goals

• CIA helps to define what you are trying
to protect using 3 elements:
  • Confidentiality
  • Integrity
  • Availability
CIA Triad
Taxonomy of security goals
Confidentiality
• Confidentiality is probably the most common aspect of information security. We need to
protect our confidential information (Information’s Safeguard).

• An organization needs to guard against those malicious actions that endanger the
confidentiality of its information.

• Keeping sensitive information private.

• Encryption services can protect your data at rest or in transit and prevent unauthorized
access to protected data.
Integrity

• Integrity means that changes need to be done only by authorized entities and
through authorized mechanisms.

• Results from protection against unauthorized modification or destruction of
information.

• Information needs to be changed constantly.


Availability

• Availability: Information services are accessible when they are needed.

• The information created and stored by an organization needs to be available to
authorized entities.

• Information needs to be constantly changed, which means it must be accessible
to authorized entities.
The CIA triad

• Confidentiality: Who is authorized to use data?
• Integrity: Is data "good"?
• Availability: Can data be accessed whenever it is needed?

ATTACKS
• The three goals of security (confidentiality, integrity, and availability) can be
threatened by security attacks.

• Topics discussed in this section:

1. Attacks Threatening Confidentiality
2. Attacks Threatening Integrity
3. Attacks Threatening Availability
4. Passive versus Active Attacks
ATTACKS
Taxonomy of attacks with relation to security goals
Attacks Threatening Confidentiality

• Snooping refers to unauthorized access to or interception of data.

• Traffic analysis refers to obtaining some other type of information by
monitoring online traffic.
Attacks Threatening Integrity

• Modification means that the attacker intercepts the message and changes it.

• Masquerading or spoofing happens when the attacker impersonates somebody
else.

• Replaying means the attacker obtains a copy of a message sent by a user and later
tries to replay it.
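
How a receiver can detect the three integrity attacks listed above, shown as an added example that is not part of the original slides. It assumes a pre-shared key, HMAC-SHA256 as the message authentication code and a per-message counter; the key, the messages and the names `protect`, `Receiver` and `demo` are constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: shared by sender and receiver in advance
TAG_LEN = 32                   # size of an HMAC-SHA256 tag in bytes


def protect(counter, payload, key=KEY):
    """Sender side: 8-byte counter + payload + HMAC tag over both."""
    header = counter.to_bytes(8, "big")
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Accepts each authentic message once, in increasing counter order."""

    def __init__(self, key=KEY):
        self.key = key
        self.last_counter = -1

    def accept(self, wire):
        if len(wire) < 8 + TAG_LEN:
            return "rejected: malformed"
        body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison; fails for modification and masquerading.
        if not hmac.compare_digest(tag, expected):
            return "rejected: modified or forged"
        counter = int.from_bytes(body[:8], "big")
        # An authentic message seen before (or older) is a replay.
        if counter <= self.last_counter:
            return "rejected: replay"
        self.last_counter = counter
        return "accepted: " + body[8:].decode(errors="replace")


def demo():
    """Run constructed messages through one receiver and collect verdicts."""
    rx = Receiver()
    original = protect(1, b"pay 100 to alice")
    tampered = original.replace(b"100", b"900")           # modification
    forged = protect(2, b"pay 100 to eve", key=b"other")  # masquerading
    return [
        rx.accept(original),
        rx.accept(tampered),
        rx.accept(forged),
        rx.accept(original),                              # replaying
        rx.accept(protect(2, b"pay 5 to bob")),
    ]
```

The tag alone stops modification and masquerading; the replayed copy carries a valid tag and is caught only by the counter check.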


Attacks Threatening Availability
• Repudiation means that the sender of the message might later deny that he/she has
sent the message; the receiver of the message might later deny that he/she has
received the message.

• Denial of service (DoS) is a very common attack.

• It may slow down or totally interrupt the service of a system.
Passive Versus Active Attacks

Categorization of passive and active attacks


Tools for Information Security
• Authentication
• Access Control
• Encryption
• Passwords
• Backup
• Firewalls
• Virtual Private Networks (VPN)
• Physical Security
• Security Policies
Authentication
• Ensures that persons accessing the information are who they say they are
• Factors of identification:
  • Something you know – user ID and password
    • User ID identifies you while the password authenticates you
    • Easy to compromise if the password is weak
  • Something you have – key or card
    • Can be lost or stolen
  • Something you are – physical characteristics (i.e., biometrics)
    • Much harder to compromise
• A combination of at least 2 factors is recommended
Access Control
• Once users are authenticated, give them access only to the information necessary to perform
their job duties (to read, modify, add, and/or delete information) by:
  • Access control list (ACL) created for each resource (information)
    • List of users that can read, write, delete or add information
    • Difficult to maintain all the lists
  • Role-based access control (RBAC)
    • Rather than individual lists
    • Users are assigned to roles
    • Roles define what they can access
    • Simplifies administration
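
The ACL and RBAC models side by side, as an added example that is not part of the original slides. All resource, role and user names are constructed; the onboarding helpers count how many places must be edited, which is the maintenance difference the slide describes.

```python
# Constructed sample data: resource, role and user names are hypothetical.
ACL = {  # per-resource lists: resource -> user -> allowed actions
    "payroll.xlsx": {"dana": {"read", "write"}},
    "hr-records.db": {"dana": {"read", "write", "delete"}},
    "wiki": {"dana": {"read"}, "omar": {"read", "write"}},
    "source-repo": {"omar": {"read", "write"}},
}

ROLES = {  # role -> resource -> allowed actions
    "hr_manager": {"payroll.xlsx": {"read", "write"},
                   "hr-records.db": {"read", "write", "delete"},
                   "wiki": {"read"}},
    "engineer": {"wiki": {"read", "write"},
                 "source-repo": {"read", "write"}},
}
USER_ROLES = {"dana": {"hr_manager"}, "omar": {"engineer"}}


def acl_allows(user, action, resource):
    """ACL check: the user must appear on that resource's own list."""
    return action in ACL.get(resource, {}).get(user, set())


def rbac_allows(user, action, resource):
    """RBAC check, default deny: some assigned role must grant the action."""
    return any(action in ROLES.get(role, {}).get(resource, set())
               for role in USER_ROLES.get(user, set()))


def onboard_acl(user, same_as):
    """Give `user` the access `same_as` has; returns the number of lists edited."""
    edits = 0
    for entries in ACL.values():
        if same_as in entries:
            entries[user] = set(entries[same_as])
            edits += 1
    return edits


def onboard_rbac(user, role):
    """One role assignment, however many resources the role covers."""
    USER_ROLES.setdefault(user, set()).add(role)
    return 1
```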
Encryption
• An algorithm (program) encodes or scrambles information during transmission or
storage
• Only authorized individuals can decode/unscramble it to read it
• How is this done?
• Both parties agree on the encryption method (there are many) using keys
  • Symmetric key – sender and receiver both have the key, which can be risky
  • Public key – uses a public and a private key: the public key is used to send an
    encrypted message, and the receiver uses the private key to decode the message
Passwords
• Single-factor authentication (user ID/password) is the easiest to break
• Password policies ensure that this risk is minimized by requiring:
  • A certain length to make it harder to guess
  • Certain characters – such as upper and lower case, one number, and a
    special character
  • Changing passwords regularly and not allowing a password to be reused
  • Employees not to share their password
  • Notifying the security department if they
    feel their password has been compromised
  • Yearly confirmation from employees that
    they understand their responsibilities
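
The technical rules of the policy above (length, character classes, no reuse) as a checker, given as an added example that is not part of the original slides. The minimum length of 12 and the PBKDF2 parameters are assumptions, since the slide gives no values, and the sample passwords are constructed; the history stores salted hashes rather than the old passwords themselves.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 12  # assumption: the slide only says "a certain length"


def _digest(password, salt):
    # Assumed parameters: PBKDF2-HMAC-SHA256, 100,000 iterations.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def remember(password, history):
    """Record a salted hash of a password in the user's history list."""
    salt = os.urandom(16)
    history.append((salt, _digest(password, salt)))


def violations(password, history):
    """Return the policy rules that the candidate password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # Re-hash the candidate under each stored salt to detect reuse.
    if any(hmac.compare_digest(_digest(password, salt), old)
           for salt, old in history):
        problems.append("reused password")
    return problems
```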
Backup
• Important information should be backed up and stored in a separate location
• Very useful in the event that the primary computer systems become unavailable

• A good backup plan requires:


• Understanding of the organizational information resources
• Regular backups of all data
• Offsite storage of backups
• Test of the data restoration

• Complementary practices:
• UPS systems
• Backup processing sites
Firewalls
• Can be a piece of hardware and/or software
• Hardware firewalls are connected to the network.
• Software firewalls run on the operating system and intercept packets as they arrive at a
computer.
• Can implement multiple firewalls to allow segments of the network to be partially secured
to conduct business.
• Intrusion Detection Systems (IDS) watch for specific types of activities to alert security
personnel of a potential network attack.
Virtual Private Networks (VPN)
• Some systems can be made private using an internal network to limit access to them
• Can’t be accessed remotely and are more secure
• Requires specific connections such as being onsite

• VPN allows users to remotely access these systems over a public network like the Internet
• Bypasses the firewall
• Encrypts the communication or the data exchanged

• CPP students have this ability for:
  • Exchange services from your Outlook client
  • Mapping a drive or mounting a file share
• Instructions to establish a VPN connection can be found at
https://ehelp.wiki.cpp.edu/VPN_(Virtual_Private_Network):_Requirements
Physical Security
• Protection of the actual equipment
• Hardware
• Networking components

• Organizations need to identify assets that need to be physically secured:


• Locked doors
• Physical intrusion detection - e.g., using security cameras
• Secured equipment
• Environmental monitoring – temperature, humidity, and airflow for computer
equipment
• Employee training
Security Policies
• Starting point in developing an overall security plan

• Formal, brief, and high-level statement issued by senior management


• Guidelines for employee use of the information resources

• Embraces general beliefs, goals, objectives, and acceptable procedures

• Includes company recourse if employees violate the policy

• Security policies focus on confidentiality, integrity, and availability

• Includes applicable government or industry regulations


Security Policies

• Bring Your Own Device (BYOD) policies for mobile devices


• Use when accessing/storing company information
• Intellectual property implications

• Difficult to balance the need for security and users’ needs


Summary

• Identified the information security triad

• Identified and understood the high-level concepts surrounding
information security tools

• Identified and understood types of attack.

• Identified and understood policies.


Lab Work
• CIA: find 3 websites
  • For the first one, C (confidentiality) is the highest
  • For the second one, I (integrity) is the highest
  • For the last one, A (availability) is the highest
• Write down all the functions each website performs, and which one is
the most secure website
• Note: you can use Nmap to find out which ports are open
