Module 7: Information and
Cyber Security Concepts
What is this course about?
What is security about in general?
• Security is about protection of assets
• Prevention
– take measures that prevent your assets from being
damaged (or stolen)
• Detection
– take measures so that you can detect when, how, and by
whom an asset has been damaged
• Reaction
– take measures so that you can recover your assets
Real world example
• Prevention
– locks at doors, window bars, secure the walls around
the property, hire a guard
• Detection
– missing items, burglar alarms, closed circuit TV
• Reaction
– attack on burglar (not recommended), call the
police, replace stolen items, make an insurance claim
Internet shopping example
• Prevention
– encrypt your order and card number, require merchants
to do some extra checks, using PIN even for Internet
transactions, don’t send card number via Internet
• Detection
– an unauthorized transaction appears on your credit card
statement
• Reaction
– complain, dispute, ask for a new card number, sue (if you
can find them, of course)
– Or, pay and forget (a glass of cold water)
Information security in past & present
• Traditional Information Security
– keep the cabinets locked
– put them in a secure room
– human guards
– electronic surveillance systems
– in general: physical and administrative mechanisms
• Modern World
– Data are in computers
– Computers are interconnected
Terminology
• Network and Internet Security
– measures to prevent, detect, and correct security
violations that involve the transmission of information in
a network or interconnected networks
A note on security terminology
• No single and consistent terminology in the
literature!
• Be careful not to get confused while reading papers and
books
Computer Security Terminology
• RFC 4949, Internet Security Glossary, May 2000
The global average cost of cyber crime/attacks
• Source: 2017 Cost of Cyber Crime Study by Accenture*
• Steeper increasing trend in recent years
* https://www.accenture.com/t20170926T072837Z__w__/us-en/_acnmedia/PDF-61/Accenture-2017-CostCyberCrimeStudy.pdf
Breakdown by Sector
• Source: 2017 Cost of Cyber Crime Study by Accenture*
• Financial Services Sector has the highest cost due to cyber crime
* https://www.accenture.com/t20170926T072837Z__w__/us-en/_acnmedia/PDF-61/Accenture-2017-CostCyberCrimeStudy.pdf
Annual Return of Investment (RoI)
• Source: 2017 Cost of Cyber Crime Study by Accenture*
• More or less in parallel with deployment rate
• But AI, Data Mining based novel techniques have higher RoI
• Bad performance for encryption and DLP, but they are needed
* https://www.accenture.com/t20170926T072837Z__w__/us-en/_acnmedia/PDF-61/Accenture-2017-CostCyberCrimeStudy.pdf
Security Objectives: CIA Triad and Beyond
Computer Security Objectives
Confidentiality
• Data confidentiality
• Assures that private or confidential information is not made available or
disclosed to unauthorized individuals
• Privacy
• Assures that individuals control or influence what information related to them
may be collected and stored and by whom and to whom that information may
be disclosed
Integrity
• Data integrity
• Assures that information is changed only in a specified and authorized manner
• System integrity
• Assures that a system performs its intended function in an unimpaired manner,
free from deliberate or inadvertent unauthorized manipulation of the system
Availability
• Assures that systems work promptly and service is not denied to
authorized users
Additional concepts:
Authenticity
• Verifying that users are who they say they are and that each input
arriving at the system came from a trusted source
Accountability
• Being able to trace the responsible party/process/entity in case of a
security incident or action.
Services, Mechanisms, Attacks
• 3 aspects of information security:
– security attacks (and threats)
• actions that (may) compromise security
– security services
• services counter to attacks
– security mechanisms
• used by services
• e.g. secrecy is a service, encryption (a.k.a.
encipherment) is a mechanism
Attacks
• Attacks on computer systems
– break-in to destroy information
– break-in to steal information
– blocking systems from operating properly
– malicious software
• wide spectrum of problems
• Source of attacks
– Insiders
– Outsiders
Attacks
• Network Security
– Active attacks
– Passive attacks
• Passive attacks
– interception of the messages
– What can the attacker do?
• use information internally
– hard to understand
• release the content
– can be understood
• traffic analysis
– hard to avoid
– Hard to detect, try to prevent
Attacks
• Active attacks
– Attacker actively manipulates
the communication
– Masquerade
• pretend to be someone else
• possibly to get more privileges
– Replay
• passively capture data
and send later
– Denial-of-service
• preventing the normal use of
servers, end users, or the network
itself
Attacks
• Active attacks (cont’d)
– deny
• repudiate sending/receiving a message later
– modification
• change the content of a message
Security Services
• to prevent or detect attacks
• to enhance the security
• replicate functions of physical documents
– e.g.
• have signatures, dates
• need protection from disclosure, tampering, or
destruction
• notarize
• record
Basic Security Services
• Authentication
– assurance that the communicating entity is the one it claims to be
– peer entity authentication
• mutual confidence in the identities of the parties involved in a connection
– Data-origin authentication
• assurance about the source of the received data
• Access Control
– prevention of the unauthorized use of a resource
– to achieve this, each entity trying to gain access must first be
identified and authenticated, so that access rights can be tailored
to the individual
Basic Security Services
• Data Confidentiality
– protection of data from unauthorized disclosure
(against eavesdropping)
– traffic flow confidentiality is one step ahead
• this requires that an attacker not be able to observe the
source and destination, frequency, length, or other
characteristics of the traffic on a communications facility
• Data Integrity
– assurance that data received are exactly as sent by an
authorized sender
– i.e. no modification, insertion, deletion, or replay
Basic Security Services
• Non-Repudiation
– protection against denial by one of the parties
in a communication
– Origin non-repudiation
• proof that the message was sent by the specified
party
– Destination non-repudiation
• proof that the message was received by the
specified party
Relationships
• among integrity, data-origin authentication
and non-repudiation
[Diagram relating Non-repudiation, Authentication and Integrity]
Security Mechanisms
• Cryptographic Techniques
– will see next
• Software and hardware for access limitations
– Firewalls
• Intrusion Detection and Prevention Systems
• Traffic Padding
– against traffic analysis
• Hardware for authentication
– Smartcards, security tokens
• Security Policies / Access Control
– define who has access to which resources.
• Physical security
– Keep it in a safe place with limited and authorized physical access
Cryptographic Security Mechanisms
• Message Digest
– similar to encryption, but one-way (recovery not possible)
– generally no keys are used
• Digital Signatures and Message Authentication Codes
– Data appended to, or a cryptographic transformation of, a
data unit to prove the source and the integrity of the data
• Authentication Exchange
– ensure the identity of an entity by exchanging some
information
Security Mechanisms
• Notarization
– use of a trusted third party to assure certain properties
of a data exchange
• Timestamping
– inclusion of correct date and time within messages
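The message digest, message authentication code and timestamping mechanisms listed above, combined in an added example that is not part of the original slides: an unkeyed digest next to a keyed MAC whose receiver also checks freshness. The key, the nonce field, the `MAX_AGE` window and the sample messages are constructed assumptions.

```python
import hashlib
import hmac
import json

MAX_AGE = 30  # seconds a timestamp stays acceptable (assumed policy value)

def digest_matches(message: bytes, digest: str) -> bool:
    """Unkeyed message digest check: detects accidental change only,
    because anyone who alters the message can recompute the digest."""
    return hashlib.sha256(message).hexdigest() == digest

def protect(key: bytes, body: str, nonce: str, ts: int) -> dict:
    """Sender: MAC over body, nonce and timestamp with the shared key."""
    payload = json.dumps({"body": body, "nonce": nonce, "ts": ts},
                         sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}

class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.seen_nonces = set()  # may be pruned once older than MAX_AGE

    def accept(self, msg: dict, now: int) -> str:
        expected = hmac.new(self.key, msg["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: modified or not from key holder"
        fields = json.loads(msg["payload"])
        if abs(now - fields["ts"]) > MAX_AGE:
            return "rejected: stale timestamp"
        if fields["nonce"] in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(fields["nonce"])
        return "accepted"

def demo() -> list:
    key = b"constructed-demo-key"  # constructed sample key
    rx = Receiver(key)
    msg = protect(key, "pay 10 to Bob", "n-001", ts=1000)
    altered = {"payload": msg["payload"].replace(b"pay 10", b"pay 99"),
               "tag": msg["tag"]}
    late = protect(key, "pay 10 to Bob", "n-002", ts=1000)
    return [rx.accept(msg, now=1005),      # fresh, first use
            rx.accept(msg, now=1010),      # same message sent again
            rx.accept(altered, now=1010),  # content changed in transit
            rx.accept(late, now=2000)]     # captured and sent much later
```

Because sender and receiver hold the same key, the MAC gives integrity and data-origin authentication but not non-repudiation; that needs a digital signature.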
And the Oscar goes to …
• On top of everything, the most fundamental
problem in security is
– SECURE KEY EXCHANGE
• mostly over an insecure channel
A General Model for Network Security
Model for Network Security
• using this model requires us to:
– design a suitable algorithm for the security
transformation
– generate the secret information (keys) used by the
algorithm
– develop methods to distribute and share the secret
information
– specify a protocol enabling the principals to use the
transformation and secret information for a security
service
Model for Network Access Security
• using this model requires us to:
– select appropriate gatekeeper functions to identify
users and processes and ensure only authorized
users and processes access designated
information or resources
– Internal control to monitor the activity and
analyze information to detect unwanted intruders
More on Computer System Security
Aspects of Computer Security
• Mostly related to Operating Systems
• Similar to those discussed for Network Security
– Confidentiality
– Integrity
– Availability
– Authenticity
– Accountability
– Dependability
Aspects of Computer Security
• Confidentiality
– Prevent unauthorised disclosure of information
– Synonyms: Privacy and Secrecy
• any differences? Let’s discuss
• Integrity
– two types: data integrity and system integrity
– In general, “make sure that everything is as it is supposed
to be”
– More specifically, “no unauthorized modification, deletion”
on data (data integrity)
– System performs as intended without any unauthorized
manipulations (system integrity)
Aspects of Computer Security
• Availability
– services should be accessible when needed and
without extra delay
• Accountability
– audit information must be selectively kept and
protected so that actions affecting security can be
traced to the responsible party
– How can we do that?
• Users have to be identified and authenticated to have a basis
for access control decisions and to find out the responsible party
in case of a violation.
• The security system keeps an audit log (audit trail) of security
relevant events to detect and investigate intrusions.
• Dependability
– Can we trust the system as a whole?
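One way to keep an audit trail "protected" as the accountability bullet above asks, shown as an added example that is not part of the original slides: each entry's hash covers the previous entry, so edits and deletions become detectable. The record fields, the sample events and the externally stored `trusted_head` are assumptions of this sketch.

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed starting value for the chain

def entry_hash(prev_hash: str, record: dict) -> str:
    """Hash of this record bound to the hash of the entry before it."""
    data = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + data).hexdigest()

def append_event(log: list, ts: int, user: str, action: str, resource: str) -> str:
    """Append an event for an authenticated user; return the new head hash."""
    prev = log[-1]["hash"] if log else GENESIS
    record = {"ts": ts, "user": user, "action": action, "resource": resource}
    log.append({"record": record, "hash": entry_hash(prev, record)})
    return log[-1]["hash"]

def verify(log: list, trusted_head: str) -> str:
    """Recompute the chain; trusted_head is a copy of the last hash kept
    outside the log (assumed: write-once storage or a separate host)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["hash"] != entry_hash(prev, entry["record"]):
            return f"tampered at entry {i}"
        prev = entry["hash"]
    return "intact" if prev == trusted_head else "entries missing or chain rewritten"

def responsible_for(log: list, resource: str) -> list:
    """Trace which users acted on a resource, in order."""
    return [(e["record"]["user"], e["record"]["action"])
            for e in log if e["record"]["resource"] == resource]

def build_sample_log():
    """Constructed sample events, not real data."""
    log = []
    append_event(log, 1000, "alice", "read", "payroll.db")
    append_event(log, 1010, "mallory", "modify", "payroll.db")
    head = append_event(log, 1020, "bob", "login", "hr-portal")
    return log, head
```

Without the separately stored head hash, someone with write access to the log could drop trailing entries or recompute the whole chain unnoticed.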
Attack Surfaces
• An attack surface consists of the reachable and
exploitable vulnerabilities in a system
• Examples:
– Open ports on outward facing Web and other servers, and
code listening on those ports
– Services available in a firewall
– Code that processes incoming data, email, XML, office
documents, etc.
– Interfaces and Web forms
– An employee with access to sensitive information vulnerable
to a social engineering attack
Attack Surface Categories
• Network attack surface
– Refers to vulnerabilities over an enterprise network,
wide-area network, or the Internet
• E.g. DoS, intruders exploiting network protocol
vulnerabilities
• Software attack surface
– Refers to vulnerabilities in application, utility, or
operating system code
• Human attack surface
– Refers to vulnerabilities created by personnel or
outsiders
– E.g. social engineering, insider traitors
Some Other Security Facts
• Not as simple as it might first appear to the novice
• Must consider all potential attacks when designing a system
• Generally yields complex and counterintuitive systems
• Battle of intelligent strategies between attacker and admin
• Requires regular monitoring
• Not considered as a beneficial investment until a security
failure occurs
– Actually security investments must be considered as insurance against
attacks
• Too often an afterthought
– Not only from investment point of view, but also from design point of
view