Network Security Introduction Lecture #1

NETWORK SECURITY
Lecturer: Mohammad Salim Ehsan
LECTURE #1
SECURITY

In one sense, information security dates back to when humans began keeping secrets; in
the early days, physical files and documents were kept under literal lock and key. Once
the business world began using computers, network security became essential to protect
the electronic network infrastructure of these vital systems. The advent of the internet
changed everything, adding once-unimagined technological capabilities but also creating
new vulnerabilities; and giving rise to a critical new industry — cybersecurity.
Some analyses regard information security as the umbrella term because it refers to
the processes and techniques designed to protect any kind of sensitive data and
information from unauthorized access, whether in print or electronic form.

Cybersecurity is a subset of information security that deals with protecting an
organization’s internet-connected systems from potential cyberattacks; and network
security is a subset of cybersecurity that is focused on protecting an organization’s IT
infrastructure from online threats. Though the terms are often used in conjunction with
one another, cybersecurity is considered to be the broader discipline, with network
security defined as one aspect of information and/or cybersecurity.
Security: “Security is the degree of protection against danger, damage, loss, and
crime. Security as a form of protection are structures and processes that provide
or improve security as a condition”

Information Security | Cybersecurity | Network Security
Information security: according to security training specialist the SANS Institute, refers to
“the processes and methodologies which are designed and implemented to protect print,
electronic, or any other form of confidential, private and sensitive information or data from
unauthorized access, use, misuse, disclosure, destruction, modification, or interference.”
The reference to “print” and information or data is significant, since cybersecurity pertains
solely to digital or electronic information or data.

Cybersecurity: is “the practice of protecting systems, networks and programs from
digital attacks,” according to high-tech giant Cisco. “These attacks are usually aimed
at accessing, changing, or destroying sensitive information; extracting money from
users; or interrupting normal business processes.” PCmag simplifies the definition to:
“the protection of data and systems in networks that are connected to the internet.”
Network security: the SANS Institute explains, is “the process of taking physical
and software preventative measures to protect the underlying networking
infrastructure from unauthorized access, misuse, malfunction, modification,
destruction, or improper disclosure, thereby creating a secure platform for
computers, users and programs to perform their permitted critical functions within a
secure environment.”

What Is the CIA Triangle in Security?
The three elements of the CIA triad are considered the three most crucial components of
information security.
CIA – Confidentiality, Integrity, Availability
Confidentiality: Ensuring that the information is inaccessible to unauthorized people,
commonly enforced through encryption, IDs and passwords, two-factor authentication
and additional defensive strategies.
Integrity: Safeguarding information and systems from being modified by unauthorized
people, thereby ensuring that the protected data is accurate and trustworthy.

Availability: Ensuring that authorized people have access to the information when
needed; this includes rigorously maintaining all systems, keeping them current with
upgrades, using backups to safeguard against disruptions or data loss, etc. Widely
observed throughout the security industry, the CIA triad, according to Techopedia, “was
created to provide a baseline standard for evaluating and implementing information
security regardless of the underlying system and/or organization.”

What Is the CIA Triangle in Security?
Along CIA triad there are three additional concepts that are needed for stronger security
breach, as explained below.
Authenticity: The property of being genuine and being able to be verified and
trusted; confidence in the validity of a transmission, a message, or message
originator. This means verifying that users are who they say they are and that
each input arriving at the system came from a trusted source.
Authenticity is important to ensure that information and communication come
from a trusted source. This includes protecting against impersonation,
spoofing and other types of identity fraud. Common techniques used to
establish authenticity include authentication, digital certificates, and biometric
identification

Network Security Introduction Lecture #1

Accountability: The security goal that generates the requirement for actions of
an entity to be traced uniquely to that entity. This supports nonrepudiation,
deterrence, fault isolation, intrusion detection and prevention, and after-action
recovery and legal action
Accountability ensures that users and actions can be traced, so responsibility
can be assigned if something goes wrong, such as a security breach.
In a well-rounded security system, Accountability supports the other
principles by tracking who accesses or modifies data, which helps maintain the
integrity and confidentiality of the information.

Non-repudiation is important to ensure that a party cannot deny
having sent or received a message or transaction. This includes
protecting against message tampering and replay attacks. Common
techniques used to establish non-repudiation include digital
signatures, message authentication codes and timestamps.

Message tampering and replay attacks

Level of Security Breach Impact
2014 Data Breaches by the Numbers (and the Impact)
A year ago, I was writing about the 575 million data records lost or stolen throughout 2013, a
sum based on the data collected by the Breach Level Index that seemed astonishing at the
time. The Target breach that happened at the end of that year stood out for me as the
epitome of a changing infosec landscape, in which a breach not only caught the attention of
industry experts, but also warranted weeks of mainstream media coverage.
Time changes everything. Unfortunately, in terms of breach occurrences, things didn’t
improve in 2014. The number of data records lost or stolen somehow increased by
approximately 78% year over year, with more than 1 billion records lost or stolen last year
according to the Breach Level Index. That breaks down to 32 records lost or stolen every
second of the year. There were 1,056 breach incidents in 2013. There were 1,541 in 2014, an
approximately 46% increase. But the figure that really stands out to me is 4%; that’s the
percentage of the all 2014 incidents that were “secure breaches” – those in which encryption
was used to protect the data and render it useless after it was compromised.

Additionally, breaches continued to make headlines last year, picking up where the
Target breach news left off. 2014 was the year hackers successfully attacked the payment
data systems of Home Depot, stealing 109 million data records and registering a 10.0 on
the Breach Level Index’s risk assessment scale. JP Morgan Chase likewise encountered a
10.0 breach, in which more than 80 million records were compromised. And then came
the Sony Pictures Entertainment breach.
While it was low by the numbers in comparison to some other 2014 breaches – 47,000
records compromised – Sony’s breach stands out most to me. Employees
were threatened, executives’ private emails were released, films still in theaters were
leaked, and the theatrical release of a film with A-list stars and a $44 million budget, The
Interview, was cancelled. The FBI was involved in an investigation that led to the
conclusion that the attack originated in North Korea, and the breach and what it
represented was so significant that President Obama personally addressed the nation in
regards to the situation.

We continue to see the impact of that breach in 2015. Last week, Amy Pascal, the co-chairman
of Sony at the time of the hack, stepped down following the above mentioned release of her
private emails. And on February 10, 2015, just days ago, the White House called the Sony
hack a “game changer” and announced the formation of a new agency, the Cyber Threat
Intelligence Integration Center, to gather and analyze information about cyberthreats.
Take a moment to consider just how far-reaching the impact of one breach was socially,
economically, and politically. Like Target, the Sony breach became the top story in the news,
but it seemed like the cyberattack ripple effect increased exponentially at the end of 2014. A
breach occurred, and the world changed.

Like many of us, I do my best to balance optimism with realistic expectations. I don’t
think we can expect that a new perimeter security measure is coming that will keep
determined cybercriminals from successfully breaching most organizations they target.
I don’t anticipate the Sony breach to be the last to have history-making implications that
may indirectly impact the lives of people around the globe.
As Tsion Gonen, chief strategy officer for Identity & Data Protection at Gemalto,
recently wrote for The Hill: “It’s time that executives and information security
professionals accept the fact that their companies will be breached and start thinking
outside the box when it comes to data security.”
My hope is that in another year, if I’m writing about the billions of data records stolen in
2015, I’ll at least be able to say that the silver lining is the percentage of secure breaches
increased and they stand as evidence that more companies followed Gonen’s advice.

Level of Security Breach Impact
Low Impact Level: The loss could be expected to have a limited effect on organizational
operations. (i) a ruin in small part of mission (ii) minor damage (iii) minor financial loss
Moderate Impact Level: The loss could be expected to have a serious adverse effect
on organizational operations. (i) significance ruin on mission capability (ii)
significant damage to organizational assets (iii) significant financial loss but no loss of
life or threatening injuries.
High Impact Level: The loss could be expected to have a severe or catastrophic
adverse effect on organizational operations. (i) cause a severe ruin in or loss of
mission capability that the organization may not continue to operation (ii) result in
major damage to organizational assets; (iii) result in major financial loss; or (iv) result
in severe or catastrophic harm to individuals such loss of life.
Data impact levels

Challenges of Computer Security
1. Not Sample
2. Must consider potential attacks
3. Procedures used counter intuitive
4. Involve algorithms and secret info
5. Must decide where to deploy mechanism
6. Battle of wits between attacker/admin
7. Not perceived on benefit until fail
8. Requires regular monitoring
9. Too often an after – through
10. Regarded as impediment to using system

Useful Terminologies
1. Adversary (threat agent)
Individual, group… that has the
intent to conduct damaging
activities.

2. Attack Any kind of malicious activity that attempts to collect, disrupt, deny, degrade,
or destroy information system resources or the information itself.

3. Countermeasure A device or techniques that has as its objective the damage of the
operational effectiveness of undesirable activity, or the prevention of sabotage, theft, or
unauthorized access to or use of sensitive information/systems.

4. Risk A measure of the extent to which an entity is threatened by a potential
circumstance or event, and typically a function of :
• The adverse impacts that would arise if the circumstance or event occurs;
• The likelihood of occurrence.

5. Security Policy A set of criteria for the provision of security services.

6. System Resource (Asset) A major application, general support system, high
impact program, physical plant, mission critical system, personnel, equipment, or a
logically related group of systems.

7. Threat Any circumstance or event with the potential to adversely impact
organizational operations (including mission, functions, image, or reputation),
organizational assets, individuals, other organizations, or the Nation through an
information system via unauthorized access, destruction, disclosure, modification of
information, and/or denial of service.

8. Vulnerability Weakness in an information system, system security procedures, internal
controls, or implementation that could be exploited or triggered by a threat source.

Security Requirements
1. Access Control
2. Certification, Accreditation, and Security
Assessments
3. Awareness and Training
4. Audit and Accountability
5. Configuration Management
6. Emergency Planning
7. Identification and Authentication
8. Incident Response
9. Maintenance
10. Media Protection
11. Physical and Environmental Protection
12. Planning
13. Personnel Security
14. Risk Assessment
15. Systems and Services Acquisition
16. System and Communications Protection
17. System and Information Integrity

Access control is a data security process that enables organizations to manage who is
authorized to access corporate data and resources.

Certification and accreditation is a two-step process that ensures security of information
systems.

Security awareness training is the process of educating people to understand, identify,
and avoid cyber threats.

Audit and Accountability tools work together to identify, document, and report on
auditable system transactions and provide audit records to meet system compliance.

Security configuration management is the process of adjusting and maintaining
configurations for information systems to minimize security risks.
Security configuration management

Emergency planning is the process of developing a comprehensive strategy to address and
mitigate disastrous situations.

Identification is the ability to identify uniquely a user of a system or an application that is
running in the system.
Authentication is the ability to prove that a user or application is genuinely who that
person or what that application claims to be.

Incident Response an organization's processes and technologies for detecting and
responding to cyberthreats, security breaches or cyberattacks

The maintenance of the security system involves periodic checks of all the elements
that make up the installation (cameras, detectors, computers, circuits, lighting systems,
etc.) to verify that they work well.

Media Protection Policies
These policies generally cover how to use, store, and transmit data in a way that maintains
confidentiality and integrity during authorized use.

Physical security controls protect assets from inappropriate physical access, theft, or
vandalism, while
Environmental security controls protect assets from accidental, intentional, and natural
events, including fire and water damage or power disruption.

A 'Security Planning Process' involves identifying assets needing protection, assessing
risks, determining countermeasures, and implementing security measures to safeguard
against potential threats.

Personnel security protects your people, information, and assets by enabling your
organization to: reduce the risk of harm to your people, customers and partners. reduce
the risk of your information or assets being lost, damaged, or compromised.

A security risk assessment identifies, assesses, and implements key security controls in
applications.
It also focuses on preventing application security defects and vulnerabilities. Carrying out
a risk assessment allows an organization to view the application portfolio holistically—
from an attacker's perspective.

Systems and Services Acquisition includes the development and implementation of
an assessment plan for ongoing security and privacy control assessments, performing
unit, integration, system,

System and Communications Protection (SC) focuses on how the organization must:
monitor, control, and protect organizational communications

System and information integrity provide assurance that the information being accessed
has not been tampered with or damaged by an error in the information system.

Attack Surface and Attack Trees
• Open ports
• Open ports on outward facing Web and other servers
• Services outside a firewall
• An employee with access to sensitive info.
1. Attack surface: the reachable and exploitable vulnerabilities in a system

Attack surfaces can be categorized in the following way:
1. Network attack surface: This category refers to vulnerabilities over an enterprise
network, wide-area network, or the Internet.
2. Software attack surface: This refers to vulnerabilities in application, utility, or
operating system code.
3. Human attack surface: This category refers to vulnerabilities created by
personnel or outsiders, such as social engineering, human error, and trusted
insider

2. Attack Tree: An attack tree is a branching, hierarchical data structure that represents
a set of potential techniques for exploiting security vulnerabilities.
The analysis used to generate this tree considered the three components involved in
authentication:
• User terminal and user (UT/U): These attacks target the user equipment, including the
tokens that may be involved, such as smartcards or other password generators, as well as
the actions of the user.
• Communications channel (CC): This type of attack focuses on communication links.
• Internet banking server (IBS): These types of attacks are offline attack against the
servers that host the Internet banking application. Five overall attack strategies can be
identified, each of which exploits one or more of the three components.
Attack Surface and Attack Trees

password generators
smartcards

Thank You
▪ End of Lecture #1

Network Security Introduction Lecture #1

More Related Content

Similar to Network Security Introduction Lecture #1 (20)

Recently uploaded (20)

Network Security Introduction Lecture #1