Computer and Network Security Introduction - PowerPoint PPT Presentation

Slides: 67
Provided by: atharm

1
Computer and Network Security - Introduction
Athar Mahboob
WWW: http://www.atharmahboob.com
Email: athar_at_atharmahboob.com
2
Preliminaries
  • Course Outline: what will we cover in this
    course?
  • Course Timings
  • Text Book: Cryptography and Network Security:
    Principles and Practice, 2nd Edition, William
    Stallings, Prentice Hall, 1999
  • Reference Book: Security in Computing, Second
    Edition (International Edition), Charles P.
    Pfleeger, Prentice Hall, 1997
  • Reference Material - http://www.atharmahboob.com/courses/security
  • How to contact the instructor?
  • Will we program in this course? You bet.

3
What will we cover in this course?
  • Introduction to Computer Security: IT
    Environment, Threats and Goals of Computer and
    Network Security
  • Encryption and Cryptography
  • Symmetric Encryption Algorithms: DES
  • Asymmetric Encryption Algorithms: RSA
  • Digital Signatures and Message Authentication
  • Pseudo-random Number Generation and its
    Computational Complexity: CSPRNG
  • Secure Sockets Layer
  • IP Security
  • Virtual Private Networks
  • Malicious Programs, Viruses and Virus Protection
    Strategies
  • Fault Tolerance and RAID and UPS Systems
  • Data Backups
  • Email Security
  • Firewalls
  • Windows NT Security
  • UNIX/Linux Security

4
What is Computer Security?
  • The protection afforded to an automated
    information system in order to attain the
    applicable objectives of preserving the
    integrity, availability and confidentiality of
    information system resources (includes hardware,
    software, firmware, information/data, and
    telecommunications) is called Computer Security.

5
What is Computer Security?
  • For some, computer security is controlling access
    to hardware, software and data of a computerized
    system.
  • A large measure of computer security is simply
    keeping the computer system's information secure.
  • In broader terms, computer security can be
    thought of as the protection of the computer and
    its resources against accidental or intentional
    disclosure of confidential data, unlawful
    modification of data or programs, the destruction
    of data, software or hardware.
  • Computer security also includes the denial of use
    of one's computer facilities for criminal
    activities including computer related fraud and
    blackmail.
  • Finally, computer security involves the
    elimination of weaknesses or vulnerabilities that
    might be exploited to cause loss or harm.

6
Let us start with a story
  • The Story of New Jersey Bankers is a famous one.
  • It shows how naive people are about security
    issues.

7
The Need for Computer Security
  • Why the need for Computer Security?
  • The value of computer assets and services
  • What is the new IT environment?
  • Networks and distributed applications/services
  • Electronic Commerce (E-commerce, E-business)

8
The Value of Computer Assets and Services
  • Most companies use electronic information
    extensively to support their daily business
    processes.
  • Data is stored on customers, products, contracts,
    financial results, accounting etc.
  • If this electronic information were to become
    available to competitors or to become corrupted,
    false or disappear, what would happen? What would
    the consequences be? Could the business still
    function?

9
Network Security Issues
  • The network is the computer
  • Proliferation of networks has increased security
    risks much more.
  • Sharing of resources increases complexity of
    system.
  • Unknown perimeter (linked networks), unknown
    path.
  • Many points of attack.
  • Computer security has to find answers to network
    security problems.
  • Hence today the field is called Computer and
    Network Security.

10
Is there a Security Problem in Computing?
  • Computer fraud in the U.S. alone exceeds $3
    billion each year.
  • Less than 1% of all computer fraud cases are
    detected; over 90% of all computer crime goes
    unreported.
  • Although no one is sure how much is lost to EFT
    crime annually, the consensus is that the losses
    run in the billions of dollars. Yet few in the
    financial community are paying any heed.
  • Average computer bank theft amounts to $1.5
    million.

11
Computer Crimes ...
  • Over 25% of all Fortune 500 corporations have
    been victimized by computer crime with an average
    loss of $2-10 million.
  • Total estimated losses due to computer crime
    range from $300 million to $500 billion per year.
  • Computer-related crime has been escalating at a
    dramatic rate.
  • Computer crimes continue to grow and plague
    companies.
  • Computer crime is almost inevitable in any
    organization unless adequate protections are put
    in place.

12
Data From Real World
  • The following figures are included (source:
    Datapro Research) as an example, to give an idea
    of what is going on in the real world.
  • Common causes of damage: Human Error 52%,
    Dishonest people 10%, Technical Sabotage 10%,
    Fire 15%, Water 10% and Terrorism 3%.
  • Who causes damage? Current employees 81%,
    Outsiders 13%, Former employees 6%.
  • Types of computer crime: Money theft 44%, Damage
    of software 16%, Theft of information 16%,
    Alteration of data 12%, Theft of services 10%,
    Trespass 2%.

13
Computer Viruses
  • 53% of BYTE readers have suffered losses of data
    that cost an average of $14,000 per occurrence.
  • There are over 3000 viruses with new ones
    developed daily.
  • A survey of over 600 companies and government
    agencies in the U.S. and Canada shows that 63%
    found at least one virus on their PCs last year.

14
Natural Disasters: Another Dimension
  • Millions of dollars of damage resulted from the
    1989 San Francisco earthquake.
  • The fire at Subang International Airport knocked
    out the computers controlling the flight display
    system. A post office near the Computer Room was
    also affected by the soot which decommissioned
    the post office counter terminals. According to
    the caretaker, the computers were not burnt but
    crashed because soot entered the hard disks.
  • Fire, Earthquakes, Floods, Electrical hazards,
    etc.
  • How to prevent?

15
Negligence - The Human Factor
  • Over 85% of the destruction of valuable computer
    data involves inadvertent acts.
  • How to prevent?
  • Proper user training
  • Idiot proofing

16
Computer Security Requirements
  • Secrecy
  • Integrity
  • Availability
  • Authenticity
  • Non-repudiation
  • Access control

17
Secrecy (Confidentiality)
  • Secrecy requires that the information in a
    computer system only be accessible for reading by
    authorized parties.
  • This type of access includes:
  • Printing
  • Displaying
  • Other forms of disclosure, including simply
    revealing the existence of an object

18
Integrity
  • Integrity requires that the computer system asset
    can be modified only by authorized parties.
  • Modification includes:
  • Writing
  • Changing
  • Changing status
  • Deleting, and
  • Creating

19
More About Integrity
  • Integrity: In lay usage, information has
    integrity when it is timely, accurate, complete,
    and consistent. However, computers are unable to
    provide or protect all of these qualities.
    Therefore, in the computer security field,
    integrity is often discussed more narrowly as
    having two facets: data integrity and system integrity.
  • Data integrity is a requirement that information
    and programs are changed only in a specified and
    authorized manner.
  • System integrity is a requirement that a system
    performs its intended function in an unimpaired
    manner, free from deliberate or inadvertent
    unauthorized manipulation of the system.
  • The definition of integrity has been, and
    continues to be, the subject of much debate among
    computer security experts.

20
Availability
  • Availability requires that computer system assets
    are available to authorized parties.
  • Availability is a requirement intended to assure
    that systems work promptly and service is not
    denied to authorized users.

21
Security of Data
22
Authenticity
  • Authenticity means that parties in an information
    service can ascertain the identity of parties
    trying to access information services.
  • Also means that the origin of the message is
    certain.
  • Therefore two types:
  • Principal Authentication
  • Message Authentication

23
Non-repudiation
  • Originator of communications can't deny it later.
  • Without non-repudiation you could place an order
    for 1 million dollars of equipment online and
    then simply deny it later.
  • Or you could send an email inviting a friend to
    the dinner and then disclaim it later.
  • Non-repudiation associates the identity of the
    originator with the transaction in a non-deniable
    way.

24
Access Control
  • Unauthorized users are kept out of the system.
  • Unauthorized users are kept out of places on the
    system/disk.
  • Typically makes use of Directories or Access
    Control Lists (ACLs) or Access Control Matrix
  • Objects: Resources that need to be protected
  • Subjects: Entities that need access to resources
  • Rights: Permissions
  • Each entry is a triple <subject, object, rights>

25
Access Control Matrix
26
Multiple Access Controls
27
Security Requirements are often Combined
  • For example:
  • User authentication used for access authorization
    control purposes in confidentiality.
  • Non-repudiation is combined with authentication.

[Figure labels: Confidentiality, Availability, Integrity]
28
Type of Attacks/Threats in Computer Systems
  • A threat is a danger which could affect the
    security (confidentiality, integrity,
    availability) of assets, leading to a potential
    loss or damage.
  • Interruption
  • Interception
  • Modification
  • Fabrication

29
Type of Attacks in Computer Systems
30
Normal Flow of Information
31
Interruption
  • An asset of the system is destroyed or becomes
    unavailable or unusable. This is an attack on
    the availability.
  • Examples include destruction of a piece of
    hardware, such as a hard disk, the cutting of a
    communication link, or the disabling of the file
    management system.
  • DOS - Denial of Service Attacks have become very
    well known.

32
Interruption
33
Interception
  • Information disclosure/information leakage
  • An unauthorized party gains access to an asset.
  • This is an attack on confidentiality.
  • The unauthorized party could be a person, a
    program, or a computer.
  • Examples include:
  • wiretapping to capture data in a network
  • the illicit copying of files or programs

34
Interception
35
Modification
  • Modification is integrity violation.
  • An unauthorized party not only gains access to
    but tampers with an asset.
  • This is an attack on the integrity.
  • Examples include changing values in a data file,
    altering a program so that it performs
    differently, and modifying the content of a
    message being transmitted in a network.

36
Modification
37
Fabrication
  • An unauthorized party inserts counterfeit objects
    into the system. This is an attack on the
    authenticity.
  • Examples include the insertion of spurious
    messages in a network or the addition of records
    to a file.

38
Fabrication
39
Classification of Attacks
  • Computer Security attacks can be classified into
    two broad categories:
  • Passive Attacks: can only observe communications
    or data.
  • Active Attacks: can actively modify communications
    or data. Often difficult to perform, but very
    powerful. Examples include:
  • Mail forgery/modification
  • TCP/IP spoofing/session hijacking

40
Passive Attacks and Active Attacks
41
Passive Attacks and Active Attacks
42
Passive Attacks
  • Eavesdropping on or monitoring of transmission.
  • The goal of the opponent is to obtain information
    that is being transmitted.
  • Two types:
  • Release-of-message contents
  • Traffic Analysis

43
Release-of-message Contents
  • Opponent finds out the contents or the actual
    messages being transmitted.
  • How to protect?
  • Encryption
  • Steganography

44
Traffic Analysis
  • More subtle than release-of-message contents.
  • Messages may be kept secret by masking or
    encryption, but the opponent figures out
    information being carried by the messages based
    on the frequency and timings of the messages.
  • How to protect?
  • Data/Message Padding
  • Filler Sequences

45
Passive Attacks: Problems
  • Difficult to detect because there is no
    modification of data.
  • Protection approach should be based on prevention
    rather than detection.

46
Active Attacks
  • Active attacks involve some sort of modification
    of the data stream or the creation of a false
    stream.
  • Four sub-categories:
  • Masquerade
  • Replay
  • Modification of Messages
  • Denial of service

47
Masquerade
  • An entity pretends to be another.
  • For the purpose of doing some other form of
    attack.
  • Example: a system claims its IP address to be what
    it is not (IP spoofing).
  • How to protect?
  • Principal/Entity Authentication

48
Replay
  • First passive capture of data and then its
    retransmission to produce an unauthorized effect.
  • Could be disastrous in case of critical messages
    such as authentication sequences, even if the
    password were encrypted.
  • How to protect?
  • Time stamps
  • Sequence Numbers

49
Modification of Messages
  • Some portion of a legitimate message is altered
    or messages are delayed or reordered to produce
    an unauthorized effect.
  • How to protect?
  • Message Authentication Codes
  • Chaining
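
The protections listed on the Replay and Modification of Messages slides, combined in one receiver, as an added example that is not part of the original presentation: an HMAC-SHA256 message authentication code covers a sequence number and a time stamp along with the payload. The key, the 30-second window, the message layout and the sample messages are constructed assumptions; chaining is not shown.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # constructed shared secret, for illustration only
MAX_AGE = 30                    # assumed policy: accept messages up to 30 s old
TAG_LEN = 32                    # HMAC-SHA256 output size
HDR = struct.Struct(">QQ")      # sequence number, time stamp (seconds)


def seal(key, seq, timestamp, payload):
    """Sender side: the MAC covers the header as well as the payload."""
    body = HDR.pack(seq, timestamp) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Receiver side: verify the MAC first, then sequence number, then time stamp."""

    def __init__(self, key):
        self.key = key
        self.next_seq = 1

    def accept(self, message, now):
        if len(message) < HDR.size + TAG_LEN:
            return "reject: malformed"
        body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "reject: modified"
        # Header fields are trusted only after the MAC has verified.
        seq, timestamp = HDR.unpack(body[:HDR.size])
        if seq < self.next_seq:
            return "reject: replayed"
        if seq > self.next_seq:
            return "reject: out of order"
        if abs(now - timestamp) > MAX_AGE:
            return "reject: stale"
        self.next_seq += 1
        return "accept: " + body[HDR.size:].decode()


def demo():
    """Run constructed traffic past a receiver and return its verdicts."""
    t0 = 1_000_000  # constructed clock value
    m1 = seal(KEY, 1, t0, b"PAY 100 TO BOB")
    m2 = seal(KEY, 2, t0 + 1, b"PAY 250 TO CAROL")
    m3 = seal(KEY, 3, t0 + 2, b"CLOSE SESSION")
    tampered = m2.replace(b"250", b"950")  # payload altered in transit
    rx = Receiver(KEY)
    return [
        rx.accept(m1, t0),            # fresh and in order
        rx.accept(m1, t0 + 5),        # captured copy sent again
        rx.accept(tampered, t0 + 5),  # tag no longer matches the body
        rx.accept(m3, t0 + 5),        # reordered ahead of m2
        rx.accept(m2, t0 + 600),      # genuine but delayed past MAX_AGE
        rx.accept(m2, t0 + 6),        # genuine and timely
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The replayed copy arrives only 5 seconds after the original, inside the time window, so it is the sequence number rather than the time stamp that rejects it.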

50
Denial of Service - DOS
  • Prevents the normal use or management of
    communication facilities.
  • Such attacks have become very common on the
    Internet especially against web servers.
  • On the Internet remotely located hackers can
    crash the TCP/IP software by exploiting known
    vulnerabilities in various implementations.
  • One has to constantly look out for software
    updates and security patches to protect against
    these attacks.

51
Problems with Active Attacks
  • Easy to detect but difficult to prevent.
  • Efforts are directed to quickly recover from
    disruption or delays.
  • Good thing is that detection will have a
    deterrent effect.

52
How Threats Affect Computer Systems
[Figure: threats by asset type]
HARDWARE: Interception (Theft), Interruption (Denial of Service)
SOFTWARE: Interception (Theft), Interruption (Deletion), Modification (Malicious Code)
DATA: Interception (Eavesdropping), Interruption (Loss), Fabrication, Modification
53
A Model for Network Security
54
Security Protocols
  • A protocol is a series of steps, involving two or
    more parties, designed to accomplish a task.
  • Everyone involved in a protocol must know the
    protocol and all of the steps to follow in
    advance.
  • Everyone involved in the protocol must agree to
    follow it.
  • The protocol must be unambiguous: each step must
    be well defined and there must be no chance of
    misunderstanding.
  • The protocol must be complete: there must be a
    specified action for every possible situation.
  • It should not be possible to do more or learn
    more than what is specified in the protocol.

55
The Actors in Security Protocols
  • Alice: First participant in all the protocols
  • Bob: Second participant in all the protocols
  • Carol: Participant in three- and four-party
    protocols
  • Dave: Participant in four-party protocols
  • Eve: Eavesdropper
  • Mallory: Malicious active intruder
  • Trent: Trusted arbitrator
  • Victor: Verifier
  • Peggy: Prover
  • Walter: Warden; he'll be guarding Alice and Bob in
    some protocols

56
Security Protocol Types
  • Arbitrated Protocols
  • Adjudicated Protocols
  • Self Enforcing Protocols
  • Example Protocols
  • Key Exchange Protocols
  • Authentication Protocols
  • Time stamping Service
  • Digital Cash

57
Security Protocol Layers
  • The further down you go, the more transparent it
    is
  • The further up you go, the easier it is to deploy

58
Security Services Provided by Security Protocols
  • Access control: Protects against unauthorized
    use.
  • Authentication: Provides assurance of someone's
    identity.
  • Confidentiality: Protects against disclosure to
    unauthorized identities.
  • Integrity: Protects from unauthorized data
    alteration.
  • Non-repudiation: Protects against originator of
    communications later denying it.

59
Security Mechanisms
  • Three basic building blocks are used:
  • Encryption is used to provide confidentiality,
    can provide authentication and integrity
    protection.
  • Digital signatures are used to provide
    authentication, integrity protection, and
    non-repudiation.
  • Checksums/hash algorithms are used to provide
    integrity protection, can provide authentication.
  • One or more security mechanisms are combined to
    provide a security service/protocol.

60
Services, Mechanisms, Algorithms
  • A typical security protocol provides one or more
    security services (authentication, secrecy,
    integrity, etc.)
  • Services are built from mechanisms.
  • Mechanisms are implemented using algorithms.

61
Services, Mechanisms, Algorithms
62
Encryption and Security
  • Encryption is a key enabling technology to
    implement computer security.
  • But Encryption is to security like bricks are to
    buildings.
  • In the next module we will study encryption in
    detail.

63
Network Access Security Model
Firewalls and Security Gateways are based on this
model
64
Computer security is based on eight major
elements
  • 1. Computer security should support the mission
    of the organization.
  • 2. Computer security is an integral element of
    sound management.
  • 3. Computer security should be cost-effective.
  • 4. Computer security responsibilities and
    accountability should be made explicit.
  • 5. System owners have computer security
    responsibilities outside their own organizations.
  • 6. Computer security requires a comprehensive and
    integrated approach.
  • 7. Computer security should be periodically
    reassessed.
  • 8. Computer security is constrained by societal
    factors.

65
Usability and Security
Determine where on this line your organization's
needs lie
66
Typical Security Solutions and Technologies
  • Physical security
  • Encryption
  • Access control
  • Automatic call back
  • Node authentication
  • Differentiated access rights
  • Antivirus software
  • Public Key Infrastructure
  • Firewalls
  • User authentication
  • Passwords and passphrases
  • Challenge-response systems
  • Token or smart cards
  • Exchange of secret protocol
  • Personal characteristics - Biometrics