Chapter 1 Introduction


• Information Assurance and Security

1
OUTLINE

• What is Security?
• Security trend
• Sources and consequences of risks
• Types of Vulnerabilities
• Security criteria
• Security attack types
• Security services and mechanisms
• Security model (X.800 and X.805)

2
DEFINITION OF IAS
Assume you visit an e-commerce website such as your online bank, or use an ATM.
Before you type in highly sensitive information, you would like to have some assurance that your information will be protected.
Ask yourself: what security-relevant things do you want to happen, or not happen, when you use such a website?
So, information assurance and security is a profession focused on the management and protection of knowledge, information, and data.
Assurance is a measure of confidence that the security features, practices, procedures, and architecture of a system accurately mediate and enforce the security policy.

3
INFORMATION ASSURANCE
(IA)
IA is the process of getting the right information to the right people at the right time.

It relates to measures taken that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation.

It is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes.

4
IA PROCESS
The information assurance process typically begins with the enumeration and classification of the information assets to be protected.

Next, the IA practitioner will perform a risk assessment for those assets.

Vulnerabilities in the information assets are determined in order to enumerate the threats capable of exploiting the assets.

The sum of the products of the threats' impact and the probability of their occurring is the total risk to the information asset.

5
IA PROCESS
With the risk assessment complete, the IA practitioner then develops a risk management plan. This plan proposes countermeasures that involve mitigating, eliminating, accepting, or transferring the risks, and considers prevention, detection, and response to threats.

Countermeasures may include technical tools such as firewalls and anti-virus software, policies and procedures requiring such controls as regular backups and configuration hardening, employee training in security awareness, or organizing personnel into a dedicated computer emergency response team (CERT) or computer security incident response team (CSIRT).
6
IA PROCESS (CONT'D)
The cost and benefit of each countermeasure is carefully considered. Thus, the IA practitioner does not seek to eliminate all risks, were that possible, but to manage them in the most cost-effective way.

After the risk management plan is implemented, it is tested and evaluated, often by means of formal audits.

The IA process is an iterative one, in that the risk assessment and risk management plan are meant to be periodically revised and improved based on data gathered about their completeness and effectiveness.

7
IA VS INFOSEC
See the following diagram

IA
• More strategy focused
• Broader spectrum of information and protection
• Concerned with the organization's overall risk and mitigation

InfoSec
• More tools and tactics focused
• Stresses technology and operations
• Concerned with security applications and infrastructure
• E.g. anti-virus, firewall, vulnerability analysis

8
COMPUTER AND NETWORK SECURITY

What is Security?
Security is about
• Threats (bad things that may happen, e.g. your money getting stolen)
• Vulnerabilities (weaknesses in your defenses, e.g. your front door being made of thin wood and glass)
• Attacks (ways in which the threats may be actualized, e.g. a thief breaking through your weak front door while you and the neighbors are on holiday)

9
COMPUTER AND NETWORK
SECURITY…
“The most secure computers are those not connected to the Internet and shielded from any interference”

10
COMPUTER AND NETWORK
SECURITY…
Computer security is about provisions and policies adopted to protect information and property from theft, corruption, or natural disaster, while allowing the information and property to remain accessible and productive to its intended users.
It covers the security of computers against intruders (e.g., hackers) and malicious software (e.g., viruses).

11
COMPUTER AND NETWORK
SECURITY…
Network security on the other hand deals with
provisions and policies adopted to prevent and monitor
unauthorized access, misuse, modification, or denial of
the computer network and network-accessible
resources.

12
WHO ARE THE ATTACKERS?
• Vandals (hackers, crackers) driven by intellectual challenge.
• Insiders: employees or customers seeking revenge or informal benefits.
• Natural disasters: flooding, fire, storms, earthquake…
• Criminals seeking financial gain.
• Organized crime seeking gain or hiding criminal activities.
• Organized terrorist groups or nation states trying to influence national policy.
• Foreign agents seeking information (spying) for economic, political, or military purposes.
• Tactical countermeasures intended to disrupt military capability.
• Large organized terrorist groups


13
Cyber attacks
WHAT ARE THE VULNERABILITIES?
• Physical vulnerabilities (e.g. computers can be stolen)
• Natural vulnerabilities (e.g. earthquake)
• Hardware and software vulnerabilities (e.g. failures)
• Media vulnerabilities (e.g. hard disks can be stolen)
• Communication vulnerabilities (e.g. wires can be tapped)
• Human vulnerabilities (e.g. insiders)
• Poorly chosen passwords
• Software bugs (unreliability of software)
  - buffer overflow attacks

14
CONSEQUENCES…

• Failure/end of service
• Reduction of QoS, down to Denial of Service (DoS)
• Internal problems in the enterprise
• Decrease in trust from partners (clients, providers, shareholders)
• Technology leakage
• Human consequences (personal data, sensitive data - medical, insurance, …)

15
SECURITY CRITERIA (IN DETAIL)
• To understand the types of threats to security that exist, first we need to have a definition of security requirements.
• In this section, different security requirements are presented.

Availability
• It requires that computer and network assets are only available to authorized parties.
• Computer and network should provide all the designated services in the presence of all kinds of security attack.

16
SECURITY CRITERIA...
Integrity
• It requires that messages should be modified or altered only by authorized parties.
  - Modification includes writing, changing, deleting, and creating the message that is supposed to be transmitted across the network.
• Integrity guarantees that no modification, addition, or deletion is done to the message.
• The altering of a message can be malicious or accidental.

17
SECURITY CRITERIA...
Confidentiality
• It requires that the message can only be accessible for reading by authorized parties.
• It also requires that the system should verify the identity of a user.

Authentication
• It means that the correct identity is known to the communicating parties.
• This property ensures that the parties are genuine, not impersonators.

Authorization
• This property gives access rights to different types of users.
  - For example, network management can be performed by the network administrator only.

18
COMPUTER AND NETWORK
SECURITY
ATTACKS
Categories of Attacks
• Interruption: An attack on availability
• Interception: An attack on confidentiality
• Modification: An attack on integrity
• Fabrication: An attack on authenticity

19
COMPUTER AND NETWORK SECURITY
ATTACKS…
Categories of Attacks/Threats
[Figure: normal flow of information from source to destination, compared with the four attack categories: interruption, interception, modification, fabrication]

20
EXAMPLES OF THREATS

21
SECURITY ATTACK TYPES
The attacks can also be classified by the following criteria:
• Passive or active,
• Internal or external,
• At different protocol layers.

Passive vs. active attacks
• A passive attack attempts to learn or make use of the information without changing the content of the message or disrupting the operation of the communication.
• Examples of passive attacks are:
  - Eavesdropping, traffic analysis, and traffic monitoring.

22
SECURITY ATTACK TYPES…

• An active attack attempts to interrupt, modify, delete, or fabricate messages or information, thereby disrupting normal operation of the network.
• Some examples of active attacks include:
  - Jamming, impersonating, modification, denial of service (DoS), and message replay.

23
PASSIVE ATTACKS
• Passive attacks do not affect system resources
  - Eavesdropping, monitoring
  - The goal of the opponent is to obtain information that is being transmitted
• Two types of passive attacks
  - Release of message contents
  - Traffic analysis
• Passive attacks are very difficult to detect
  - Message transmission apparently normal
  - No alteration of the data
  - Emphasis on prevention rather than detection
    - By means of encryption

24
PASSIVE ATTACKS (1)
RELEASE OF MESSAGE CONTENTS

25
PASSIVE ATTACKS (2)
TRAFFIC ANALYSIS

26
ACTIVE ATTACKS
• Active attacks try to alter system resources or affect their operation
  - Modification of data, or creation of false data
• Four categories
  - Masquerade of one entity as some other
  - Replay of a previous message
  - Modification of messages
  - Denial of service (DoS): preventing normal use
    - A specific target or entire network
• Difficult to prevent
  - The goal is to detect and recover
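
The "detect" side of three of the four active-attack categories above can be shown with a receiver-side check. This is an added example, not part of the original slides: it assumes a pre-shared key and uses HMAC-SHA256 over a sequence number and payload (the names `Receiver`, `protect` and `demo`, the key and the messages are constructed for illustration). Denial of service is outside what a per-message check can address.

```python
import hashlib
import hmac
import struct


class Receiver:
    """Accepts frames of the form: 8-byte sequence number || payload || 32-byte HMAC tag."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0  # highest sequence number accepted so far

    def accept(self, frame: bytes) -> str:
        if len(frame) < 8 + 32:
            return "rejected: malformed"
        header, payload, tag = frame[:8], frame[8:-32], frame[-32:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison; fails for modified data or a sender without the key.
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"
        (seq,) = struct.unpack(">Q", header)
        # The tag is valid, so the frame is genuine, but it may be an old one re-sent.
        if seq <= self.last_seq:
            return "rejected: replay"
        self.last_seq = seq
        return "accepted"


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: bind the sequence number and payload together under the key."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def demo() -> dict:
    key = b"constructed-demo-key-0123456789ab"  # constructed sample key
    rx = Receiver(key)
    genuine = protect(key, 1, b"pay 100 to alice")
    tampered = bytearray(protect(key, 2, b"pay 100 to alice"))
    tampered[8 + 4] ^= 0x01  # one payload bit changed in transit
    forged = protect(b"not-the-shared-key", 3, b"pay 900 to mallory")
    return {
        "genuine": rx.accept(genuine),
        "replay": rx.accept(genuine),               # same frame delivered twice
        "modification": rx.accept(bytes(tampered)),
        "masquerade": rx.accept(forged),            # sender lacks the shared key
        "next genuine": rx.accept(protect(key, 2, b"pay 5 to bob")),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13s} {verdict}")
```
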

27
ACTIVE ATTACKS (1)
MASQUERADE

28
ACTIVE ATTACKS (2)
REPLAY

29
ACTIVE ATTACKS (3)
MODIFICATION OF MESSAGES

30
ACTIVE ATTACKS (4)
DENIAL OF SERVICE

31
SECURITY ATTACK TYPES…
Internal vs. External attacks
• External attacks are carried out by hosts that don’t belong to the network domain; they are sometimes called outsiders.
  - E.g. an outsider can cause congestion by sending false routing information, thereby causing unavailability of services.
• In the case of an internal attack, a malicious node from the network gains unauthorized access, acts as a genuine node, and disrupts the normal operation of nodes.
• Internal attackers are also known as insiders.

32
COMMON SECURITY ATTACKS AND THEIR
COUNTERMEASURES
• Finding a way into the network
  - Firewalls
• Exploiting software bugs, buffer overflows
  - Intrusion Detection Systems
• Denial of Service
  - Access filtering, IDS
• TCP hijacking
  - IPSec
• Packet sniffing
  - Encryption (SSL, HTTPS)
• Social problems
  - Education

33
SECURITY SERVICES (X.800)
• Authentication - assures that the communicating entity is the one claimed
  - have both peer-entity & data origin authentication
• Access Control - prevention of the unauthorized use of a resource
• Data Confidentiality - protection of data from unauthorized disclosure
• Data Integrity - assurance that data received is as sent by an authorized entity
• Non-Repudiation - protection against denial by one of the parties in a communication
• Availability - resource accessible/usable
34
SECURITY MECHANISM
• A feature designed to detect, prevent, or recover from a security attack
• There is no single mechanism that will support all services required
• However, one particular element underlies many of the security mechanisms in use:
  - Cryptographic techniques
• Hence our focus on this in the course

35
End of Chapter One

36
