BASIC SECURITY CONCEPTS

•What is security?

•What are we protecting?

•System security

•Network security

•Security awareness

•The security process

•Security procedures

•Security in TCP/IP layers

What is System Security?• Protection of assets from unauthorized access

– protection from unauthorized access both from within and external

• Security is a process of reducing risk or the likelihood of harm– Security is a weak link problem- total security is no

better than the weakest link.– It must, therefore, be evaluated across the entire

enterprise– Security is a series of trade-offs: the greater the level of

security the worse the ease of use.

• There are 10 fundamental aspects of security ( system security): – Awareness – make every one understand the critical role security plays

in their well-being– Access – ability to connect to the system resources– Identification – to be able to know the user– Authentication – preventing unauthorized interception of information

during transmission– Authorization – allowing identifiable users access to the resources– Availability – preventing unauthorized withholding of information

and resources– Integrity – preventing unauthorized modification of information– Accuracy – an assurance of the integrity of the resources– Confidentiality – disclosure of information– Accountability – ensuring that if there is unauthorized access to

information, the source can be easily found through an audit

• To safeguard the value of resources ( security of resources) the following are fundamental:– Confidentially- make the resources sharable among only

authorized users. Also to make the sender and receiver of the message authenticate each other and make sure that the content of the message is not altered either by accident or maliciously. In addition, proprietary resources like information need confidentiality

– Accuracy/Message integrity and non-repudiation – the state of information about the resource must be reliable and verifiable – as correct as possible

– Availability/Access Control – resource must be available at all times when needed by a legitimate user.

– Authentication – both sender and receiver should be able to confirm identity of each other – to confirm that the other party is who or what they claim to be.

• Security phases:– Inspection – identifying key security functions needed

and the capabilities available to achieve the desired security level

– Protection – proactive risk reduction – mechanism in place to prevent reduction in desired security level

– Detection ( in action)– to take measures to detect whether an asset has been damaged, how, and who has caused the damage.

– Response ( post-action)– to take measures that allow recovery of assets or recovery from damage, and minimize losses (unwanted publicity).

– Reflection – plans/processes that focus on security improvements.

What are we protecting?• We are protecting system resources:

– Business information– Equipment– Systems– Data (information)

• Data and Information - the most important resource:– Data is a physical phenomena that represents certain aspects of our

conceptualization of the world– When we process data we give it meaning and we call it information.– Data and information are:

• Stored• Moved over communication channels

• We focus on security of data and information:– At source ( source: server/client)– At destination (destination: server/client)– In the communication channel

• The security of computer networks means the security of information on that network.

Ensure security in a network by:• Access – legal channels of getting resources

• Identification – to uniquely distinguish a user of a resource

• Authentication – to prove positively that the user is what he/she claims to be.

• Authorization – being able to determine and allow the user only those resources the user has ability to utilize.

Enhance security by:

• Accountability – ability to associate activities with the actors.

• Awareness – create/cultivate a level of understanding of security issues

• Administration – ability to manage the security system.

Security awareness• Security is a continuous process of making

valuable resources secure.• First act in securing system resources is awareness

– Process of making people understand the implications of security in their lives

– All people in the enterprise must understand the importance of security

– All people must understand the following:• Appropriate use of resources – all people must know why

security of resources matter.• Relevancy of security• Individual’s role • Responsibility• Repercussions

• Awareness programs must be:– Continuous because of new people and program updates.– Comprehensive to cover all aspects of the enterprise that

involve security– Coherent to be well understood – no mistakes must be made– Cost-effect - to encourage people to be responsive/responsible

– this pays handsomely in the long run.

• Awareness plans must be designed to include:– Most effective delivery method– Effective message content

• Awareness implementation– Awards/rewards– Broad-based– Focused– individual

Causes of system security lapses- Hardware – many security problems originate from

hardware failures and poor designs – Software – lots of security problems originate from

poor software designs and testing – Human/user – humans are very unpredictable and

malicious– * Resources ( data and information)– because the

resources within the computer system themselves may contain loopholes through which, if found, intruders enter the systems.

• Having established the security framework and need for network security (more next week) let us look at the current security procedures

• Security procedures: – Good and effective security is a result of a good

security policy– A policy may have one or more of the following

procedures:• For servers and Clients:

– Intrusion Detection Systems (IDS)

– Firewalls

• For the communication channel:– Encryption

– Authentication

Firewalls• To limit access to the local network through

the filtering of signatures:– Filtering policy

• Deny everything (deny-everything-not-specifically allowed)- deny everything then later add those things that are allowed by exception (recommended)

• Allow everything (allow-everything-not-specifically- denied) – allows everything then denies services considered unacceptable.

– Signatures are frequently updated

Network-based IDS• Network-based IDS is a real-time monitoring system of

the network based on external traffic signatures (mostly signatures of known exploits) as they enter a secure private network

• Unlike firewalls, IDS sensors capture, store, and report on signatures without altering them.

• It also monitors internal traffic as it tries to move outside the private network.

• Parameters used to monitor traffic signatures in and out of the private network are base on either TCP or UDP structures.

• IDS sensors are either based on software or hardware.

Host-based IDS

• Statistics show that 80% of all intrusions in a network originate from inside the network.

• Host-based IDS is both an off-line and real-time monitoring system to collect data inside the local network.

• Host-based IDS is based on system logs:• Operating systems logs

• Login logs

• Performance logs

• Application logs

• Access logs

Cryptography (Greek- secret writing)

• Cryptography enables confidential information to be transmitted across insecure communication channels without the risk of interception, eavesdropping or tempering.

• It allows the communicating parties to verify each other’s identities without ever meeting.

• It makes Internet commerce and a lot of confidential communication possible.

• Two types encryption:– Symmetric encryption – in which only one secret key

is used by the two parties.– This has a a key management problem

• The key must be sent from the sender to the receiver, together with the encrypted data.

• The key is susceptible to interception by an intruder

– Asymmetric encryption – in which two keys, a secret and a public key are used in a transaction.

• The public key is used by the sender to encrypt the message before sending it to the recipient.

• Upon receipt, the recipient uses his/her private key to decrypt the message.

• To authenticate the sender to the recipient and make sure that there is no repudiation on the part of the sender, the following procedures are used:– Digital Signature - a digital signature is used in

the process.– Message Digest – Given the overhead of

generating digital signatures, another efficient method that does not use full message encryption is used:

• It is like a checksum/a cyclic redundancy check. The original message is used to compute a fixed “fingerprint” H(m), for a unique message m.

• Known algorithms for this are: MD5, SHA-1.

Security in TCP/IP Layers

• Application later – Email – PGP and IMAP

• Transport layer– SSL and TLS, DES, and IDEA.