Security: Er. Roshan Kandel Masters in Information & Communication Engineering
Objective of the Course
Detailed Syllabus
What is Security?
• Security is one of the most important challenges modern organisations
face.
• Security is about protecting organisational assets, including personnel
data, equipment and networks from attack through the use of
prevention techniques in the form of vulnerability testing/security
policies and detection techniques, exposing breaches in security and
implementing effective responses.
• The aim of this unit is to provide you with knowledge of security,
associated risks and how security breaches impact on business
continuity.
An unexpected success…
IT SECURITY RISKS
• Risks:
• 1. Unauthorised use of a system;
• 2. Unauthorised removal or copying of data or code from a system;
• 3. Damage to or destruction of physical system assets and
environment;
• 4. Damage to or destruction of data or code inside or outside the
system;
• 5. Naturally occurring risks.
Security Breach
• Think of a security breach as a break-in. If someone smashes a
window and climbs into your home, that’s a security breach.
• If the intruder snatches your documents and personal information and
climbs back out the window, that’s a data breach — but more on that
later.
• A security breach is any incident that results in unauthorized access to
computer data, applications, networks or devices.
• It results in information being accessed without authorization.
• Typically, it occurs when an intruder is able to bypass security
mechanisms.
Examples of a security breach
• When a major organization has a security breach, it always hits the
headlines. Security breach examples include the following:
• Equifax - in 2017, a website application vulnerability caused the
company to lose the personal details of 145 million Americans. This
included their names, SSNs, and drivers' license numbers. The attacks
were made over a three-month period from May to July, but the
security breach wasn't announced until September.
• Yahoo - 3 billion user accounts were compromised in 2013 after a
phishing attempt gave hackers access to the network.
Examples of a security breach contd…
• eBay saw a major breach in 2014. Though PayPal users' credit card
information was not at risk, many customers' passwords were
compromised. The company acted quickly to email its users and ask
them to change their passwords in order to remain secure.
• Facebook saw internal software flaws lead to the loss of 29 million
users' personal data in 2018. This was a particularly embarrassing
security breach since the compromised accounts included that of
company CEO Mark Zuckerberg.
Examples of a security breach contd…
• Marriott Hotels announced a security and data breach affecting up to
500 million customers' records in 2018. However, its guest
reservations system had been hacked in 2016 - the breach wasn't
discovered until two years later.
Why do we need security?
• Protect vital info while still allowing access to those who need it
• Provide authentication and access control for resources
• Guarantee privacy and correct access.
Is the Internet secure?
• The Internet was designed for open connectivity
• “Security” was always optional (and normally a low priority)
The real questions
• If you ask…
• – “Is the Internet secure?”
• – “Can the Internet be secured?”
• – “Can society ever be safe?”
• – The truthful answer is “No”
• But if you ask…
• – “Can my services/networks/transactions be secured?”
• – “Can the Internet be used securely?”
• – “Can I stay safe?”
• – The answer is probably “Yes” (but with care!)
Myths and Mysteries
• Fiction: The Internet can be secured
• Fiction: Hackers are magicians
• Fiction: Security experts are the magicians
• Fiction: Computer viruses are like actual viruses
Assets
Everything that has value for an organization or impacts its business continuity
This includes people, data, hardware, software, physical devices, and documents
Bank: Clients' accounts
Hospital: Medical records
Software: Patents and source code
University: Teaching materials and grades
Assets should be identified in order to create an information security system
An asset is what we are trying to protect
A security specialist must be fully aware of the assets he/she is protecting
Threat
A person, thing, event or idea which poses danger to an asset
A breach of one of the following:
Confidentiality
Integrity
Availability
Legitimate use
A possible means of breaching a security policy
Exploiting a vulnerability, intentionally or accidentally
To obtain, damage, or destroy an asset
A threat is what we are trying to protect against
Vulnerability AND Exploit
Vulnerability
Weakness or absence of safeguards
Holes or gaps in a security program
Can be exploited by threats to gain unauthorized access to an asset
A vulnerability is a backdoor in our protection efforts
Exploit
An exploit is a program, script, or code
Aims to perform unauthorized operations
An example is a backdoor Trojan used to grant unauthorized access to a machine
The way or tool by which an attacker uses a vulnerability to damage the target system
RISK
A measure of the cost of a realized vulnerability
The potential for loss, damage, or destruction of an asset
Result of a threat exploiting a vulnerability
Risk exists when our systems have a vulnerability that a given threat can attack
Security deals with managing risk to your critical assets
Security is basically an exercise in loss reduction
Impossible to eliminate risk totally
Risk is the probability of a threat crossing or touching a vulnerability
Impact
The result of an exploited vulnerability
Deleted files
Loss of information
Loss of company image
Loss of privacy
RISK Assessment
Vulnerability
Passwords are vulnerable to dictionary or exhaustive key search attacks
Threat
An intruder can exploit the password weakness to break into the system
Risk
Resources within the system are prone to illegal access, modification, or damage by the intruder.
Terms: Breaking it down
• Threat
• Any circumstance or factor with the potential to cause harm
• A motivated, capable adversary
• Vulnerability
• A weakness in a system; in procedures, design, or implementation that can be
exploited
• Software bugs, design flaws, operational mistakes
• The human factor – “Social engineering”
• Risk = likelihood x consequence
• The likelihood (probability) that a particular vulnerability will be exploited
• The severity (impact) of that occurrence
Authentication and Authorisation
• Access control
• The ability to permit or deny the use of a resource by a user, through three
essential services…
• Authentication
• To reliably identify individual users
• Users = people, processes, devices
• Authorisation
• To control which users are allowed to do what with a resource
• Representing trust, assuming reliable authentication
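The three services on this slide, worked through as an added example (not code from the course): authentication with salted PBKDF2 hashes (so a stolen password store resists the dictionary and exhaustive attacks named in the risk assessment), then authorisation against an access-control list that trusts the identity only because authentication succeeded. The user store, ACL, resources and passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed example: an in-memory user store and access-control list.
# PBKDF2 with a high iteration count makes dictionary and exhaustive-search
# attacks on a stolen password store far slower than a single fast hash would.
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). A fresh random salt per user defeats precomputed tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


# username -> (salt, digest); plaintext passwords are never stored.
USERS = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("hunter2"),
}

# resource -> {username: set of permitted actions}; anything not listed is denied.
ACL = {
    "/payroll/salaries.csv": {"alice": {"read", "write"}},
    "/public/handbook.pdf": {"alice": {"read"}, "bob": {"read"}},
}

DUMMY = (b"\x00" * 16, b"\x00" * 32)  # used so unknown users cost the same time


def authenticate(username: str, password: str) -> bool:
    """Authentication: reliably identify the user from something only they know.
    Unknown usernames still go through a full PBKDF2 computation and a
    constant-time comparison so response timing does not reveal valid accounts."""
    salt, stored = USERS.get(username, DUMMY)
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored) and username in USERS


def authorize(username: str, resource: str, action: str) -> bool:
    """Authorisation: decide what an already-authenticated user may do.
    The identity is trusted only because authenticate() succeeded first."""
    return action in ACL.get(resource, {}).get(username, set())


def access(username: str, password: str, resource: str, action: str) -> str:
    """Access control = authentication followed by authorisation; default deny."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, resource, action):
        return "denied: not authorised"
    return f"granted: {username} may {action} {resource}"
```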
Security Goals
Confidentiality, Integrity, and Availability
• Confidentiality: There are two types of data: data in motion as it
moves across the network; and data at rest, when data is sitting on
storage media (server, local workstation, in the cloud, and so forth).
• Confidentiality means that only the authorized individuals/systems can
view sensitive or classified information.
• This also implies that unauthorized individuals should not have any
type of access to the data.
• Regarding data in motion, the primary way to protect that data is to
encrypt it before sending it over the network.
• Another option you can use with encryption is to use separate
networks for the transmission of confidential data.
Confidentiality, Integrity, and Availability
• Integrity: Integrity for data means that changes made to data are done
only by authorized individuals/systems.
• Corruption of data is a failure to maintain data integrity.
Confidentiality, Integrity, and Availability
• Availability: This applies to systems and to data. If the network or its
data is not available to authorized users—perhaps because of a denial-
of-service (DoS) attack or maybe because of a general network failure
—the impact may be significant to companies and users who rely on
that network as a business tool.
• The failure of a network generally equates to loss of revenue.
• Perhaps thinking of these security concepts as the CIA might help you
remember them: confidentiality, integrity, and availability.
Security Goals: CIA
Confidentiality
Ensuring that information is not revealed to unauthorized persons
Data transmitted or stored should only be revealed to an intended audience
Integrity
Ensuring consistency of data
Possible to detect any modification of data
Availability
Ensuring that legitimate users are not denied access to information and resources
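The integrity goal above ("possible to detect any modification of data"), as an added example that is not part of the course material: a record at rest is stored with an HMAC-SHA256 tag under a key only authorised writers hold, so any edit to the data or the tag is detected on read. The key and the sample record are constructed for illustration; note the data itself stays readable, so this gives integrity, not confidentiality.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed example: a 32-byte key shared only by the systems allowed to write
# the record. Anyone can recompute a plain hash after editing a file; without the
# key an attacker cannot produce a valid tag, so edits are detectable.
KEY = secrets.token_bytes(32)
TAG_LEN = 32  # HMAC-SHA256 output length in bytes


def seal(data: bytes, key: bytes = KEY) -> bytes:
    """Store data followed by its HMAC-SHA256 tag. The data stays readable:
    this protects integrity, not confidentiality."""
    return data + hmac.new(key, data, hashlib.sha256).digest()


def open_sealed(sealed: bytes, key: bytes = KEY) -> Optional[bytes]:
    """Return the data if the tag verifies; None if any modification is detected."""
    if len(sealed) < TAG_LEN:
        return None  # too short to contain a tag at all
    data, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    # compare_digest runs in constant time so a forger learns nothing from timing.
    return data if hmac.compare_digest(tag, expected) else None


def flip_bit(blob: bytes, offset: int) -> bytes:
    """Simulate corruption or an unauthorised edit by flipping one bit."""
    b = bytearray(blob)
    b[offset] ^= 0x01
    return bytes(b)


# Constructed sample record (data at rest).
RECORD = b"patient=1234;diagnosis=benign;balance=100.00"


def demo() -> dict:
    """Seal the record, then check an intact copy, a copy with edited data,
    a copy with an edited tag, and a reader holding the wrong key."""
    sealed = seal(RECORD)
    return {
        "intact": open_sealed(sealed) == RECORD,
        "data_edited": open_sealed(flip_bit(sealed, 0)) is None,
        "tag_edited": open_sealed(flip_bit(sealed, len(sealed) - 1)) is None,
        "wrong_key": open_sealed(sealed, b"k" * 32) is None,
    }


if __name__ == "__main__":
    print(demo())
```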
Security as a Process
• A single product cannot provide complete security for an organization.
Usually more than one security mechanism is used, and they are integrated
within the organization:
• 1. Every computer system should be capable of restricting access to
files based on the ID of the user
• – Authorization
• 2. Anti-virus software
• – Helps detect and clean malicious software that tries to gain access to
the system
• 3. Firewalls are access control devices for a network.
• – Exist between the internal and external networks.
• – However, they will not prevent an attacker, using an allowed connection,
from attacking a system, for example an attacker from the inside.
• 4. Intrusion detection systems (IDS) could identify when someone is
doing something wrong and stop them.
• – However, they will not detect legitimate users who may have access to
inappropriate information.
• 5. Smartcards can be used for authentication
• – but cannot prevent misuse if lost or stolen.
• 6. Biometric systems can be used to reduce the risk of someone
guessing a password.
• – There are biometric scanners for verifying fingerprints, retina/iris, palm
vein, hand geometry, facial geometry, and voice.
• – There are issues with the precision of the devices
Examples of Biometric Technologies
• 7. With a policy management system, an organization can be made
aware of any system that does not conform to policy.
• – However, policy management may not consider vulnerabilities in systems or
misconfigurations of application software.
• 8. Vulnerability scanning can help identify potential entry points of
intruders.
• – However, it will not detect legitimate users with inappropriate access or
intruders already in the system.
• 9. Encryption will protect information in storage and in transit.
• – However, encryption systems will not differentiate between legitimate and
illegitimate users, if both present the same keys to the encryption algorithm.
• 10. Physical security will not protect the system from attacks by those
using legitimate access or attacks through the network
Who is an attacker?
• In computer and computer networks, an attacker is the individual or
organization who performs the malicious activities to destroy, expose,
alter, disable, steal or gain unauthorized access to or make
unauthorized use of an asset.
• As Internet access becomes more pervasive across the world, and each of
us spends more time on the web, the number of attackers grows as well.
Attackers use every tool and technique available to attack us and gain
unauthorized access.
What can the attackers do?
• Eavesdropping – Listen in on communications
• Masquerading – Impersonating someone else
• Forgery – Invent or duplicate/replay information
• Trespass – Obtain unauthorised access
• Subversion – Modify data and messages in transit
• Destruction – Vandalise or delete important data
• Disruption – Disable or prevent access to services
• Infiltration – Hide out inside our machines
• Hijacking – “Own” and use machines for nefarious purposes
And why do they do it?
Motivation and examples:
• Knowledge driven: Recreational; Research
• Issue-based: Hacktivism; Patriotism
• Antisocial: Revenge; Vandalism
• Competitive: Theft of IP; Damage to competitors
• Criminal: Theft of assets; Extortion
• Strategic: Espionage; State-driven or sponsored
And how do they do it?
• Human beings – the weakest links
• “Phishing”
• Password attacks
• DNS attacks
• Denial of Service
• And many more …
• Firstly, an Insider is an individual with privileged access to an IT
system in an organization.
• An Insider threat can be defined as ‘a current or former employee,
contractor or other business partner with access to the organization’s
network, system or data and intentionally misuses them or whose
access results in misuse’.
The Insider threat
• Perform port scans on outside systems and initiate attacks from inside
the Company
• Access unauthorized information (salaries, trade secrets).
• Spread SPAM, SCAM, and/or malicious code.
• Implement unauthorized changes to data or programs or steal data files
for personal gain.
• Visit illegal download sites.
• Install illegal software on their computer (copyright infringement).
• An Outsider threat occurs when an individual or a group seeks to gain
protected information by infiltrating and taking over the profile of a
trusted user from outside the organization.
• Outside intruders can be hackers/crackers, saboteurs and thieves. If the
network is compromised, intruders can attack or misuse the system.
• One common technique used by intruders to gain unauthorized access
to the system is password theft.
• Sniffing/wiretapping/eavesdropping on network traffic: place a device
or program to intercept or monitor packets sent over the network. As a
result, sensitive information such as passwords and trade secrets can
be captured.
• Exploiting security weaknesses: use vulnerability assessment tools to
probe network systems, then exploit the identified vulnerabilities to
gain access to or break into the system.
• Internet Protocol (IP) spoofing: a system is configured to impersonate
another system’s IP address in an attempt to gain access to the targeted
system.
• Social engineering: intruders trick legitimate users into disclosing
the information they want, which may be confidential or sensitive.
They prey on qualities of human nature such as a desire to be helpful,
a tendency to trust people, or fear of getting into trouble.