Unit 6 - Security
IT Infrastructure
Prof. Naeem Akhtar
Lecture Contents
6.1 Introduction
6.2 Risk management
6.3 Security Patterns
Introduction
Security is the combination of:
• Availability
• Confidentiality
• Integrity
Focused on the recognition and resistance of attacks
For IT infrastructures, availability is a non-functional attribute in its own right
Computer crimes
Reasons for committing crime against IT infrastructures:
• Personal exposure and prestige
• Creating damage
• Financial gain
• Terrorism
• Warfare
Computer crimes
• Personal exposure and prestige: In the past, the hacker community was very keen on getting personal or group exposure by hacking into a secured IT infrastructure. When hackers proved that they could enter a secured system and made it public, they gained respect from other hackers. While nowadays most hacking activity is done for other reasons, there are still large communities of hackers that enjoy the game.
• Creating damage: Damaging organizations to create bad publicity, for instance by defacing websites, bringing down systems or websites, or making internal documents public.
Computer crimes
• Financial gain: For instance, by holding data hostage and asking for ransom, stealing credit card data, changing account data in bank systems, or stealing passwords of customers and ordering goods on their behalf.
• Terrorism: The main purpose of terrorism is creating fear in a society. A well-planned attack targeted at certain computer systems, like the computer system that manages the water supply or a nuclear power plant, could result in chaos and fear amongst citizens.
Computer crimes
• Warfare: Certain governments use hacking practices as acts of war. Since economies and societies today largely depend on IT infrastructures, bringing important IT systems down in a certain country could cause the economy to collapse.
• Bringing down the internet access of a country, for example, means: no access to social media, no e-mails, no web shops, no stock trading, no search engines, etc.
6.2 Risk management
Risk management
Managing security is all about managing risks
The effort we put into securing the infrastructure should be directly related to the risk at hand
Risk management is the process of:
• Determining an acceptable level of risk
• Assessing the current level of risk
• Taking steps to reduce risk to the acceptable level
• Maintaining that level
Risk list
A risk list can be used to quantify risks
Risk is calculated based on:
• Asset name - the component that needs to be protected
• Vulnerability - a weakness, process or physical exposure that makes the asset susceptible to exploits
• Exploit - a way to use one or more vulnerabilities to attack an asset
• Probability - an estimation of the likelihood of the occurrence of an exploit
• Impact - the severity of the damage when the vulnerability is exploited
Risk list example (table not reproduced): P = Probability, I = Impact, R = Risk
Risk response
• There are four risk responses:
• Acceptance of the risk
• Avoidance of the risk - do not perform actions that impose risk
• Transfer of the risk - for instance, transfer the risk to an insurance company
• Mitigation of the risk and accepting the residual risk
Exploits
Information can be stolen in many ways
Examples:
• Key loggers can send sensitive information like passwords to third parties
• Network sniffers can show network packets that contain sensitive information or replay a logon sequence
• Data on backup tapes outside of the building can get into the wrong hands
• Disposed PCs or disks can get into the wrong hands
• Corrupt or dissatisfied staff can copy information
• End users are led to a malicious website that steals information (phishing)
CIA
Three core goals of security (CIA):
1. Confidentiality - prevents the intentional or unintentional unauthorized disclosure of data
2. Integrity - ensures that:
• No modifications to data are made by unauthorized staff or processes
• Unauthorized modifications to data are not made by authorized staff or processes
• Data is consistent
3. Availability - ensures the reliable and timely access to data or IT resources by the appropriate staff
CIA
Example of confidentiality levels
Confidentiality level  Description
1                      Public information
2                      Information for internal use only
3                      Information for internal use by a restricted group
4                      Secret: reputational damage if the information is made public
5                      Top secret: damage to the organization or society if the information is made public
CIA
Example of integrity levels
Integrity level  Description
1                Integrity of information is of no importance
2                Errors in information are allowed
3                Only incidental errors in information are allowed
4                No errors are allowed; errors lead to reputational damage
5                No errors are allowed; errors lead to damage to the organization or society
CIA
Example of availability levels
Availability level  Description
1                   No requirements on availability
2                   Some unavailability is allowed during office hours
3                   Some unavailability is allowed only outside of office hours
4                   No unavailability is allowed, 24/7/365 availability; risk of reputational damage
5                   No unavailability is allowed; risk of damage to the organization or society
Security controls
Controls mitigate risks
Security controls must address at least one of the CIA goals
Information can be classified based on CIA levels
Controls can be designed and implemented based on the identified risk level for CIA
Security controls
Example: controls mapped to the CIA levels they address (columns C1-C5, I1-I5 and A1-A5; an X marks a level the control applies to; the column positions of the marks were lost in extraction, so only the marks per control are preserved)
Control                                                Marks
Standard security policy                               X X X X X X X X X X X X X X X (all fifteen levels)
Central archiving of documents                         X X X X
User based password protection                         X X X X X X X X X X X X
Anti-virus measures                                    X X X X X X X X X X X X
Screensaver lock when leaving workplace                X X X X X X
Webmail not allowed                                    X X X
Logging of authentication and authorization requests   X X X X X X X X X
Secured datacenter and systems management room         X X X X X X
Encrypted laptops                                      X X
Security key management                                X X
Penetration hack-tests                                 X X X X X X
IDS systems                                            X X X X X X
Internet access limited to specific sites              X X X X X X
Encrypted e-mail                                       X X
Printing only allowed in specific closed rooms         X X
Attack vectors
Malicious code
• Applications that, when activated, can cause network and server overload, steal data and passwords, or erase data
Worms
• Self-replicating programs that spread from one computer to another, leaving infections as they travel
Virus
• Self-replicating program fragment that attaches itself to a program or file, enabling it to spread from one computer to another, leaving infections as it travels
Trojan Horse
• Appears to be useful software but will actually do damage once installed or run on your computer
Attack vectors
Denial of service attack
• An attempt to overload an infrastructure to cause disruption of a service
• Can lead to downtime of a system, preventing an organization from doing its business
• In a Distributed Denial of Service (DDoS) attack the attacker uses many computers to overload the server
• Groups of computers that are infected by malicious code, called botnets, perform the attack
Attack vectors
Preventive DDoS measures:
• Split business and public resources
• Move all public facing resources to an external cloud provider
• Set up automatic scalability (auto scaling, auto deployment) using virtualization and cloud technology
• Limit bandwidth for certain traffic
• Lower the Time to Live (TTL) of the DNS records to be able to reroute traffic to other servers when an attack occurs
• Set up monitoring for early detection
Attack vectors
DDoS countermeasures:
• Immediately inform your internet provider and ask for help
• Run a script to terminate all connections coming from the same source IP address if the number of connections is larger than ten
• Change to an alternative server (with another IP address)
• Scale out the public facing environment under attack
• Reroute or drop suspected traffic
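The per-source connection check from the countermeasure list, as an added Go example that is not part of the lecture: it counts ESTABLISHED connections per remote IP in netstat-style output and reports the sources over the limit of ten, which is the decision step before any connection is terminated. The sample table is constructed and uses documentation IP ranges; the column layout is an assumption.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// SampleConnections is constructed sample input in the "proto local foreign state"
// layout of netstat/ss output (not real traffic): 203.0.113.7 holds 12 connections,
// 198.51.100.2 holds 3, 192.0.2.9 holds 1 plus one in TIME_WAIT that must not count.
var SampleConnections = func() string {
	var b strings.Builder
	for i := 0; i < 12; i++ {
		fmt.Fprintf(&b, "tcp 10.0.0.5:443 203.0.113.7:%d ESTABLISHED\n", 51000+i)
	}
	for i := 0; i < 3; i++ {
		fmt.Fprintf(&b, "tcp 10.0.0.5:443 198.51.100.2:%d ESTABLISHED\n", 40000+i)
	}
	b.WriteString("tcp 10.0.0.5:443 192.0.2.9:33001 ESTABLISHED\n")
	b.WriteString("tcp 10.0.0.5:443 192.0.2.9:33002 TIME_WAIT\n")
	return b.String()
}()

// CountBySource counts ESTABLISHED connections per remote source IP
// (foreign addresses in IPv4 "ip:port" form are assumed).
func CountBySource(table string) map[string]int {
	counts := map[string]int{}
	for _, line := range strings.Split(table, "\n") {
		f := strings.Fields(line)
		if len(f) < 4 || f[3] != "ESTABLISHED" {
			continue
		}
		if i := strings.LastIndex(f[2], ":"); i > 0 {
			counts[f[2][:i]]++
		}
	}
	return counts
}

// Offenders returns, sorted, the sources with more than limit connections: the ones the
// lecture's script would disconnect (first confirm they are not a NAT gateway or proxy).
func Offenders(counts map[string]int, limit int) []string {
	var out []string
	for ip, n := range counts {
		if n > limit {
			out = append(out, ip)
		}
	}
	sort.Strings(out)
	return out
}
```

A single address with many connections can also be a corporate NAT or a proxy serving many legitimate users, so the list is a trigger for investigation and the per-address limit should be tuned to the service.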
Attack vectors
Social engineering
• Social skills are used to manipulate people to obtain information which can be used in an attack, such as passwords or other sensitive information
• By nature, people want to help other people
Attack vectors
Phishing
• A technique of obtaining sensitive information
• The phisher sends an e-mail that appears to come from a legitimate source, like a bank or credit card company, requesting "verification" of information
• The e-mail usually contains a link to a fraudulent web page
Attack vectors
Baiting
• Baiting uses physical media, like a USB flash drive, left to be found
• It relies on the curiosity of people to find out what is on it
• The attacker hopes some employee picks up the device and brings it inside the organization
• When the device is put into an organization-owned PC, malicious software is installed automatically
6.3 Security Patterns
Identity and Access Management (IAM)
• The process of managing the identity of people and systems, and their permissions
• The IAM process follows three steps:
i. Users or systems claim who they are: identification
ii. The claimed identity is checked: authentication
iii. Permissions are granted related to the identity and the groups it belongs to: authorization
Identity and Access Management (IAM)
• Single Sign-On (SSO):
• A user logs in once and is passed seamlessly, without an authentication prompt, to SSO-enabled applications
• Can be implemented using identity-providing systems:
• LDAP
• Kerberos
• Microsoft Active Directory
• Users authenticate to these identity providers
• Applications trust the identity provider, so they allow access when a user is authenticated
Identity and Access Management (IAM)
• Federated identity management:
• Extends SSO above the enterprise level
• Creates a trusted identity provider across organizations
• Participating organizations share identity attributes based on agreed-upon standards
Authentication
• Using one of three ways:
• Something you know, like a password or PIN
• Something you have, like a bank card, a token or a smartphone
• Something you are, like a fingerprint or an iris scan
• Multi-factor authentication:
• At least two types of authentication are required
Role Based Access Control (RBAC)
• In RBAC, instead of granting permissions to individual identities, groups are granted permissions
• Identities are members of one or more groups
• Groups are related to their roles in the organization
• Groups can be nested (a group is a member of another group)
• RBAC is used in almost all organizations
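The nested-group resolution RBAC depends on, as an added Go example that is not from the lecture: permissions are granted to groups only, an identity's effective permissions are collected by walking its direct and nested group memberships, and a visited set keeps the walk finite even if two groups are mistakenly nested in each other. The directory contents are constructed.

```go
package main

// Directory is a constructed RBAC model: identities are members of groups, groups
// can be members of other groups, and permissions are granted to groups only.
type Directory struct {
	UserGroups   map[string][]string // identity -> groups it directly belongs to
	GroupParents map[string][]string // group -> groups it is nested in
	GroupPerms   map[string][]string // group -> permissions granted to the group
}

// EffectiveGroups follows nested membership to return every group an identity is in;
// the visited set also ends the walk if two groups are (wrongly) nested in each other.
func (d Directory) EffectiveGroups(user string) map[string]bool {
	visited := map[string]bool{}
	var walk func(g string)
	walk = func(g string) {
		if visited[g] {
			return
		}
		visited[g] = true
		for _, parent := range d.GroupParents[g] {
			walk(parent)
		}
	}
	for _, g := range d.UserGroups[user] {
		walk(g)
	}
	return visited
}

// EffectivePermissions is the union of the permissions of all effective groups.
func (d Directory) EffectivePermissions(user string) map[string]bool {
	perms := map[string]bool{}
	for g := range d.EffectiveGroups(user) {
		for _, p := range d.GroupPerms[g] {
			perms[p] = true
		}
	}
	return perms
}

// SampleDirectory is constructed data: developers and helpdesk are nested in staff, staff in all-employees.
var SampleDirectory = Directory{
	UserGroups:   map[string][]string{"alice": {"developers"}, "bob": {"helpdesk"}},
	GroupParents: map[string][]string{"developers": {"staff"}, "helpdesk": {"staff"}, "staff": {"all-employees"}},
	GroupPerms: map[string][]string{
		"developers": {"git:push"}, "helpdesk": {"tickets:write"},
		"staff": {"wiki:read"}, "all-employees": {"intranet:read"},
	},
}
```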
Segregation of duties and least privilege
• Segregation of duties (also known as separation of duties):
• Assigns related sensitive tasks to different people or departments
• No single person has total control of the system’s security mechanisms
• Least privilege:
• Users of a system should have the lowest level of privileges necessary to perform their work
• Users should only have privileges for the shortest length of time
Segregation of duties and least privilege
• In secure systems, multiple distinct administrative roles should be configured:
• Security manager
• Systems manager
• Super user
• A two-man control policy can be applied:
• Two systems managers must review and approve each other’s work
• Two systems managers are needed to complete every security sensitive task
Layered security
• Layered security (also known as a Defense-In-Depth strategy) implements various security measures in various parts of the IT infrastructure
• Instead of having one big firewall and having all your security depend on it, it is better to implement several layers of security
• Preferably, the security layers make use of different technologies
• This makes it harder for hackers to break through all barriers, as they will need specific knowledge for each step
• Disadvantage: increases the complexity of the system
Cryptography
• The practice of hiding information using encryption and decryption techniques
• Encryption is the conversion of information from a readable state to apparently random data
• Only the receiver has the ability to decrypt this data, transforming it back to the original information
• A cipher is a pair of algorithms that implements the encryption and decryption process
• The operation of a cipher is controlled by a key
Cryptography
• Block ciphers
• Input:
• A block of plaintext
• A key
• Output:
• A block of cipher text
• Used across a wide range of applications, from ATM machine data encryption to e-mail privacy and secure remote access
• Standards:
• Data Encryption Standard (DES) - now obsolete because of its short 56-bit key
• Advanced Encryption Standard (AES)
Cryptography
• Stream ciphers
• Create an arbitrarily long stream of key material
• Combine the key stream with the plaintext bit-by-bit or character-by-character
• Used when data is in transit over the network
• RC4 is a widely-used stream cipher (now considered insecure and no longer permitted in TLS)
Symmetric key encryption
• Both the sender and receiver share the same key
Public key encryption
• Two different but mathematically related keys are used:
• a public key - may be freely distributed
• a private key - must be kept secret by the organization
• Diffie–Hellman and RSA are the most widely used algorithms
• Disadvantage: slow
• About 1000 to 10,000 times slower than symmetric key encryption
Public key encryption
• Mostly used to set up a channel between two parties, to safely exchange a new, temporary symmetric key:
• Pete creates a random secret key and encrypts it using the public key from John
• The encrypted secret key is sent to John using an open channel (like the internet)
• John is the only party that can decrypt the message, because he has the private key that is related to the public key. John decrypts the message and now knows the secret key
• Pete and John start communicating using symmetric key encryption, using the exchanged secret key
• When the communication is finished, the shared key is no longer valid and is deleted
Hash functions
• Hash functions take some piece of data, and output a short, fixed length text string (the hash)
• The hash is unique for that piece of data
• The input string "hello world" produces the following MD5 hash: 5eb63bbbe01eeed093cb22bb8f5acdc3
• The input string "hallo world" produces the following MD5 hash: 5fd591a948dc76dd731f8998e19c773a
• While only one letter was changed, the hash is completely different
Digital signatures
• To create a digital signature of some text (like an e-mail), a hash is created and encrypted with the private key of the sender
• The receiver decrypts the hash using the sender's public key
• The receiver also calculates the hash of the text and compares it with the decrypted hash to ensure the text wasn't tampered with
• Since the hash was encrypted using a private key, it is guaranteed that the hash was created by the owner of the private key – the only person that could have created the encrypted hash
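The hash example and the signature steps above, as one added Go example that is not part of the lecture: the MD5 value of "hello world" from the hash slide is reproduced, then an e-mail text is hashed with SHA-256 and signed with the sender's private key (RSA-PSS, the standard realisation of "encrypting the hash with the private key"), and the receiver's check fails as soon as the text is changed. The sample e-mail text and the function names are constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// MD5Hex reproduces the lecture's hash example. MD5 is kept for illustration only;
// it is no longer collision resistant, so the signature below uses SHA-256.
func MD5Hex(text string) string {
	sum := md5.Sum([]byte(text))
	return hex.EncodeToString(sum[:])
}

// NewSenderKey creates the sender's RSA key pair; the private half never leaves the sender.
func NewSenderKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Sign is the sender's step: hash the text with SHA-256 and sign the hash with the
// private key (RSA-PSS is the standard form of "encrypting the hash with the private key").
func Sign(priv *rsa.PrivateKey, text []byte) ([]byte, error) {
	digest := sha256.Sum256(text)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify is the receiver's step: recompute the hash of the received text and check it
// against the signature with the sender's public key; any change to the text fails.
func Verify(pub *rsa.PublicKey, text, sig []byte) bool {
	digest := sha256.Sum256(text)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	fmt.Println(MD5Hex("hello world")) // 5eb63bbbe01eeed093cb22bb8f5acdc3
	fmt.Println(MD5Hex("hallo world")) // completely different after one changed letter
	priv, err := NewSenderKey()
	if err != nil {
		panic(err)
	}
	mail := []byte("Transfer 100 EUR to account 12345") // constructed sample e-mail text
	sig, _ := Sign(priv, mail)
	fmt.Println("original verifies:", Verify(&priv.PublicKey, mail, sig))
	tampered := []byte("Transfer 1000 EUR to account 12345")
	fmt.Println("tampered verifies:", Verify(&priv.PublicKey, tampered, sig))
}
```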
Cryptographic attacks
Attacks can target: a) hash coding, b) private-key encryption, and c) public-key encryption
Cryptographic attacks
• Every encryption method can be broken using a brute force attack
• Except a one-time pad cipher with a key of equal or greater length than the message
• A brute force attack consists of systematically checking all possible keys until the correct key is found
• The amount of effort needed is exponentially dependent on the size of the key
• Effective security could be achieved if it is proven that no efficient method (as opposed to the time consuming brute force method) can be found to break the cipher
• Most successful attacks are based on flaws in the implementation of an encryption cipher
• To ensure a cipher is flawless, the source code is usually open
Unit 6 – Security
End of Lecture