COMPUTER AND NETWORK SECURITY
INTRODUCTION TO SECURITY
(An Overview of Concepts and Applications)
[Link] Kumar, Dept. of CSE Computer and Network Security
Motivation
The art of war teaches us not to rely on the likelihood of the
enemy’s not coming, but on our own readiness to receive
him; not on the chance of his not attacking, but rather on the
fact that we have made our position unassailable. –The art of
War, Sun Tzu.
Definition: Security
• At present we may define security as “the scientific study of techniques for
securing digital information, transactions, and distributed
computations.”
• “Security” relates to transactions, computations, communication, etc.
being performed in the presence of adversaries.
• Security Policies (i.e., confidentiality, integrity, etc.) and
Security Mechanisms (i.e., prevention and detection).
Attack Examples: IoT
* Pohrmen, Fabiola & Das, Rohit & Saha, Goutam. (2019). Blockchain‐based security aspects in heterogeneous
Internet‐of‐Things networks: A survey. Transactions on Emerging Telecommunications Technologies. 30.
10.1002/ett.3741.
Attack Examples
Policies and Mechanisms
Policy says what is, and is not, allowed
• This defines “security” for the site/system/etc.
Mechanisms enforce policies.
Composition of policies:
• If policies conflict, discrepancies may create security
vulnerabilities.
Goals of Security
Prevention
• Prevent attackers from violating security policy.
Detection
• Detect attackers’ violation of security policy.
Recovery
• Stop attack, assess and repair damage.
• Continue to function correctly even if attack succeeds.
Trust and Assumptions
Underlie all aspects of security
Policies
• Unambiguously partition system states
• Correctly capture security requirements
Mechanisms
• Assumed to enforce policy
• Supported mechanisms work correctly
Types of Mechanisms
[Figure: secure, precise, and broad mechanisms, drawn as the relationship between the set of reachable states and the set of secure states.]
Assurance
Specification
• Requirement analysis
• Statement of desired functionality
Design
• How system will meet specification
Implementation
• Program/systems that carry out design.
Operational Issues
Cost-benefit analysis
• Is it cheaper to prevent or recover?
Risk analysis
• Should we protect something?
• How much should we protect this thing?
Laws and Customs
• Are desired security measures illegal?
• Will people do them?
Human Issues
Organizational problems
• Power and responsibility
• Financial benefits
People problems
• Outsiders and insiders
• Social engineering
Security Aspects
Measures to deter, prevent, detect, and correct security
violations in information transmission.
1. Data Security
• Data security is the means of ensuring that data is kept
safe from corruption and that access to it is suitably
controlled.
2. Network Security
• Protect the network and the network-accessible resources
from unauthorized access, with consistent and continuous
monitoring and measurement of its effectiveness.
Security Aspects (cont.)
3. Computer Security
• The objective of computer security includes the
protection of individual computing devices (like desktops,
laptops, or servers) from unauthorized access, theft, or
damage, while allowing them to remain accessible and
productive to their intended users.
• Malware: MALicious softWARE includes computer
viruses, worms, Trojan horses, most rootkits, spyware,
dishonest adware,
Examples of Security Violations
Unauthorized Disclosure
• User C captures a sensitive file transmitted between Users
A and B.
Message Alteration
• User F intercepts and modifies a message from Manager D
to Computer E.
Message Fabrication
• User F creates a fake message, impersonating Manager D
to Computer E.
Examples of Security Violations (cont.)
Delayed Invalidation
• A fired employee intercepts a message and accesses
sensitive data before invalidation.
Denial of Responsibility
• A customer denies sending instructions for stock
transactions after a loss.
And may include other scenarios.
Basic Terms Related to Security/
Cryptography
Plain text: Original message
Cipher text: Coded message
Enciphering/Encryption: The process of converting from
plain text to cipher text.
Deciphering/Decryption: The process of converting from
cipher text to plain text.
Cryptography: The many schemes used for encryption
constitute the area of study.
Cryptographic System: Encryption scheme.
Basic Terms Related to Security/
Cryptography
Cryptanalysis: Techniques used for deciphering a message
without any knowledge of the enciphering details.
Cryptology: Cryptography and cryptanalysis.
Overview of Cryptographic Algorithms and
Protocols
Symmetric Encryption
• Utilizes the same key for both encryption and decryption
processes.
• Used to conceal the contents of blocks or streams of data
of any size, including messages, files, encryption keys, and
passwords.
Overview of Cryptographic Algorithms and
Protocols (cont.)
Asymmetric Encryption
• Employs a unique pair of keys – a public key for
encryption and a private key for decryption.
• Used to conceal small blocks of data, such as encryption
keys and hash function values, which are used in digital
signatures.
Overview of Cryptographic Algorithms and
Protocols (cont.)
• Data Integrity
• Used to protect blocks of data.
• Ensure that blocks of data remain unchanged and are not
tampered with during transmission.
• Authentication Protocols
• Verify the identity of entities involved in a
communication
Computer Security Concepts
NIST Definition: Protection for an automated information
system to ensure the integrity, availability, and
confidentiality of its resources, including hardware, software,
firmware, data, and telecommunications.
Key Objectives (CIA Triad):
• Confidentiality
• Integrity
• Availability
Computer Security Concepts (cont.)
Confidentiality
• Data Confidentiality: Protects private data from
unauthorized access.
• Privacy: Ensures control over the collection and
distribution of personal data.
Integrity
• Data Integrity: Prevents unauthorized data modification.
• System Integrity: Ensures systems operate as intended
without unauthorized changes.
Computer Security Concepts (cont.)
Availability
• Ensures reliable and timely access to data and services.
• Examples: Authentication systems (high), university
websites (moderate), online polls (low).
CIA Triad in Action
Use case examples:
• Student grades: High confidentiality.
• Patient allergy information: High integrity.
• Authentication services: High availability.
Impact Levels Defined by FIPS PUB 199∗
Low Impact:
• Limited adverse effects on organizational operations,
assets, or individuals.
• Examples: Minor disruptions or damage to non-critical
systems or data.
Moderate Impact:
• Significant adverse effects, potentially causing:
• Noticeable financial loss.
∗Standards for Security Categorization of Federal Information and Information Systems
Impact Levels Defined by FIPS PUB 199∗ (cont.)
Moderate Impact:
• Degradation in mission capability or efficiency.
• Damage to assets, requiring corrective actions.
High Impact:
• Severe or catastrophic effects, leading to:
• Loss of life or significant harm.
• Critical mission failure.
• Major financial loss or reputational damage.
∗Standards for Security Categorization of Federal Information and Information Systems
Beyond CIA Triad
Parkerian Hexad∗
∗Whitman, M. E., & Mattord, H. J. (2021). Principles of information security. Cengage Learning.
OSI Security Architecture (Defined in X.800)
Provides a systematic approach to security requirements.
Key Elements:
• Security Attacks
• Security Mechanisms
• Security Services
Usefulness:
• Helps managers organize security tasks.
• Basis for international standards.
Security Attacks
Actions that compromise the
security of information
Categories:
• Interception (Confidentiality)
• Interruption (Availability)
• Modification (Integrity)
• Fabrication (Authentication)
Security Attacks (cont.)
Passive Attacks (Interception)
Types:
• Release of Message Contents: Unauthorized access to
sensitive data.
• Traffic Analysis: Observing communication patterns to
infer details.
Characteristics:
• Difficult to detect.
• Focus is on prevention using methods like encryption.
Security Attacks (cont.)
Active Attacks (Interruption, Modification, and Fabrication)
Types:
• Masquerade: Impersonating another entity.
• Replay: Capturing and retransmitting data.
• Modification of Messages: Altering legitimate messages.
• Denial of Service (DoS): Disrupting normal communication.
Characteristics:
• Focus is on detection and recovery.
• Difficult to prevent due to diverse vulnerabilities.
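Detection of three of the active attacks listed above (modification, fabrication/masquerade, and replay) can be shown with a message authentication code plus a sequence counter. This is an added example, not part of the original slides; the frame layout, class names, and the "Manager D to Computer E" message are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import struct


class Sender:
    """Tags each message with HMAC-SHA256 over (sequence number || payload)."""

    def __init__(self, key: bytes):
        self._key = key
        self._seq = 0

    def send(self, payload: bytes) -> bytes:
        self._seq += 1
        header = struct.pack(">Q", self._seq)  # 8-byte big-endian counter
        tag = hmac.new(self._key, header + payload, hashlib.sha256).digest()
        return header + tag + payload  # assumed layout: seq | tag | payload


class Receiver:
    """Accepts a frame only if the tag verifies and the counter moves forward."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_seq = 0

    def receive(self, frame: bytes):
        if len(frame) < 8 + 32:
            return "rejected: truncated", b""
        header, tag, payload = frame[:8], frame[8:40], frame[40:]
        expected = hmac.new(self._key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison; a wrong key or altered byte fails here.
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag", b""
        (seq,) = struct.unpack(">Q", header)
        # A valid tag on an old counter means a captured frame was resent.
        if seq <= self._last_seq:
            return "rejected: replay", b""
        self._last_seq = seq
        return "accepted", payload


def demo():
    key = secrets.token_bytes(32)  # shared secret of Manager D and Computer E
    manager_d, computer_e = Sender(key), Receiver(key)
    results = {}

    frame = manager_d.send(b"update authorization file")  # constructed message
    results["genuine"] = computer_e.receive(frame)[0]
    results["replayed"] = computer_e.receive(frame)[0]

    frame2 = manager_d.send(b"update authorization file")
    tampered = frame2[:-4] + b"XXXX"  # payload altered in transit
    results["modified"] = computer_e.receive(tampered)[0]
    results["unmodified_retry"] = computer_e.receive(frame2)[0]

    # User F has no access to the shared key and signs with a different one.
    forged = Sender(secrets.token_bytes(32)).send(b"update authorization file")
    results["fabricated"] = computer_e.receive(forged)[0]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18s} {outcome}")
```

The MAC gives detection only: it does not hide the payload from interception and does nothing against denial of service.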
Security Services
• Processing or communication services that ensure adequate
protection of systems and data.
• Counter security attacks using mechanisms.
Categories:
1. Authentication: Ensure communication is authentic.
• Types:
Peer Entity Authentication: Verifies identity during
communication.
Data Origin Authentication: Confirms the source of a
data unit.
Security Services (cont.)
Categories:
2. Access Control: Limit and control access to systems and
applications.
• Process:
Authenticate users.
Assign tailored access rights.
3. Confidentiality: Protect data from passive attacks.
• Levels of Protection:
Broad (e.g., all user data during a session).
Narrow (e.g., specific fields within a message).
Security Services (cont.)
Categories:
4. Data Integrity: Ensure data is not altered or tampered with.
• Scope:
Stream of messages.
Single messages.
Fields within messages.
5. Nonrepudiation: Prevents either sender or receiver from
denying a transmitted message.
Security Services (cont.)
Categories:
6. Availability: The property of a system or system resource
being accessible and usable upon demand by an authorized
system entity.
• Key Points:
Depends on proper management and control of system
resources.
Relies on other security services like access control.
Combines automated countermeasures (e.g.,
authentication, encryption) and physical actions.
Security Mechanisms
A process that is designed to detect, prevent, or recover from a
security attack.
Encipherment:
• Reversible: Encryption algorithms for encrypting and
decrypting data.
• Irreversible: Hash algorithms and Message Authentication
Codes (MACs) for digital signatures and message
authentication.
Digital Signature:
• Ensures data integrity and non-repudiation.
Security Mechanisms (cont.)
Access Control:
• Restricts access to system resources based on permissions.
Data Integrity:
• Guarantees that data has not been altered during
transmission.
Authentication Exchange:
• Verifies the identity of entities using secure information
exchange protocols.
Traffic Padding:
• Inserts extra bits into data streams to prevent traffic analysis.
Security Mechanisms (cont.)
Routing Control:
• Allows selection of secure routes for data transmission and
changes routing if security breaches are detected.
Notarization:
• Employs a trusted third party to verify and ensure specific
properties of data exchanges.
Relationship Between Security Services and
Mechanisms
Fundamental Security Design Principles
The National Centers of Academic Excellence in Information
Assurance/Cyber Defense (NCAE-C) identify the following
fundamental security design principles [NCAE13]:
1. Economy of Mechanism: Keep security designs simple and
small.
2. Fail-Safe Defaults: Deny access by default; allow access only
with explicit permission.
3. Complete Mediation: Validate every access request through
the access control mechanism.
Fundamental Security Design Principles
(cont.)
4. Open Design: Security mechanisms should be open for public
review, except for secret keys.
5. Separation of Privilege: Require multiple attributes or
methods to access sensitive resources.
6. Least Privilege: Grant only the minimum permissions
necessary for a task.
7. Least Common Mechanism: Minimize shared functions
among users to reduce vulnerabilities.
8. Psychological Acceptability: Ensure security measures are
user-friendly and non-intrusive.
Fundamental Security Design Principles
(cont.)
9. Isolation: Separate public, user, and security mechanisms to
prevent unauthorized access.
10. Encapsulation: Use object-oriented techniques to restrict
access to internal structures.
11. Modularity: Build security functions as independent modules
for easier updates and reuse.
12. Layering: Employ multiple overlapping protections.
13. Least Astonishment: Ensure system behavior aligns with user
expectations to reduce errors.
Attack Surfaces
• An attack surface consists of the reachable and exploitable
vulnerabilities in a system.
• Examples:
Open ports on outward facing Web and other servers, and
code listening on those ports
Services available on the inside of a firewall
Code that processes incoming data, email, XML, office
documents, etc.
Interfaces, SQL, and Web forms
An employee with access to sensitive information vulnerable
to a social engineering attack
Attack Surfaces
Categories:
Network attack surface:
This category refers to vulnerabilities over an enterprise
network, wide-area network, or the Internet.
Included in this category are network protocol
vulnerabilities, such as those used for a denial-of-service
attack, disruption of communications links, and various
forms of intruder attacks.
Attack Surfaces
Categories:
Software attack surface:
This refers to vulnerabilities in application, utility, or
operating system code.
A particular focus in this category is Web server software.
Human attack surface:
This category refers to vulnerabilities created by personnel
or outsiders, such as social engineering, human error, and
trusted insiders.
Attack Surfaces Analysis
Identifies potential vulnerabilities in the system.
Highlights where security mechanisms are needed.
Process:
1. Identify all points of interaction and vulnerability (e.g.,
inputs, APIs, network interfaces).
2. Assess the risk level of each point.
Benefits:
• Reduce points of exposure to adversaries.
• Focus testing and strengthening measures on critical
vulnerabilities.
Types of Attack
• Social engineering/phishing
• Physical break-ins, theft
• Password attacks
• Buffer overflows
• Command injection
• DoS
• Exploitation of faulty application logic
• Snooping
• Packet manipulation or fabrication
• Backdoors
• Malware
Attack Tree
An attack tree is a hierarchical structure that represents
potential techniques for exploiting security vulnerabilities.
Structure:
• Root Node: Represents the goal of the attack (e.g.,
compromising a system).
• Branches/Subnodes: Represent different ways the attacker
can achieve that goal.
• Leaf Nodes: Represent the final methods to initiate the
attack.
Attack Tree (cont.)
Attack Tree Node Types:
• AND-node:
• Requires all subgoals to be achieved.
• Example: Access to the system + User credentials must
both be compromised.
• OR-node:
• Requires any one of the subgoals to be achieved.
• Example: Gain admin privileges OR bypass authentication.
Attack Tree (cont.)
Purpose:
• Security analysts use attack trees to structure and analyze
attack patterns, helping to uncover vulnerabilities.
• Helps in designing secure systems and applications, guiding
the choice of countermeasures.
Attack Tree: Example
Internet Banking Authentication.
User terminal and user (UT/U):
These attacks target the user equipment, including the tokens that may be
involved, such as smartcards or other password generators, as well as the
actions of the user.
Attack Tree: Example (cont.)
Communications channel (CC):
This type of attack focuses on communication links.
Internet banking server (IBS):
These types of attacks are offline attacks against the servers that host the
Internet banking application.
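The AND/OR semantics described earlier can be evaluated mechanically, which lets an analyst check whether a set of countermeasures still leaves the root goal reachable. The sketch below is an added example, not part of the original slides: the tree is constructed, it reuses the slides' UT/U, CC and IBS categories and their AND/OR examples as leaf labels, and the function names are assumptions.

```python
from dataclasses import dataclass, field
from itertools import product


@dataclass
class Node:
    name: str
    kind: str = "LEAF"  # "AND", "OR" or "LEAF"
    children: list = field(default_factory=list)


def leaves(node):
    """Names of all leaf nodes under this node."""
    if node.kind == "LEAF":
        return {node.name}
    return set().union(*(leaves(c) for c in node.children))


def achievable(node, open_leaves):
    """True if the node's goal can be reached using only the open leaves."""
    if node.kind == "LEAF":
        return node.name in open_leaves
    results = [achievable(c, open_leaves) for c in node.children]
    return all(results) if node.kind == "AND" else any(results)


def attack_sets(node):
    """Minimal sets of leaves that together reach the node's goal."""
    if node.kind == "LEAF":
        return [frozenset([node.name])]
    child_sets = [attack_sets(c) for c in node.children]
    if node.kind == "OR":  # any one child's set is enough
        combined = {s for sets in child_sets for s in sets}
    else:  # AND: one set from every child, merged
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    minimal = [s for s in combined if not any(o < s for o in combined)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def still_reachable(root, mitigated):
    """Is the root goal reachable once the given leaves are countered?"""
    return achievable(root, leaves(root) - set(mitigated))


# Constructed leaf labels, taken from the categories and examples on the slides.
UT_ACCESS = "UT/U: access to the system"
UT_CREDS = "UT/U: user credentials"
CC_LINK = "CC: communication link"
IBS_ADMIN = "IBS: gain admin privileges"
IBS_BYPASS = "IBS: bypass authentication"

ROOT = Node("Compromise Internet banking authentication", "OR", [
    Node("User terminal and user", "AND", [Node(UT_ACCESS), Node(UT_CREDS)]),
    Node(CC_LINK),
    Node("Internet banking server", "OR", [Node(IBS_ADMIN), Node(IBS_BYPASS)]),
])

if __name__ == "__main__":
    for s in attack_sets(ROOT):
        print(sorted(s))
    print(still_reachable(ROOT, {CC_LINK, IBS_ADMIN, IBS_BYPASS}))
```

Each minimal set must have at least one leaf countered before the root goal is closed off, so the output doubles as a countermeasure checklist.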
A Model for Network Security
A Model for Network Security (cont.)
Four Basic Tasks in Designing a Security Service
1. Design the Security Algorithm: The algorithm must be
secure against adversaries.
2. Generate Secret Information: This secret is crucial for
encryption and transformation.
3. Distribute and Share Secret Information: Methods to
securely share keys or secrets.
4. Specify a Protocol: The protocol used by the two principals
should implement the security measures.
Additional Security-Related Situations
Unwanted Access:
• Hackers and intruders attempting to breach a system.
• Threats from malicious users or programs.
Types of Threats:
1. Information Access Threats: Intercept or modify data
inappropriately.
2. Service Threats: Exploit service flaws, e.g., viruses, worms.
Security Mechanisms for Unwanted Access
Gatekeeper Function:
• Password-based login to prevent unauthorized access.
• Screening Logic (e.g., anti-virus) to detect malicious
programs.
Internal Controls: Once an intruder gains access, internal
controls monitor activity and data to detect and prevent further
damage.
Challenges of Computer and Network Security
Balancing Complexity, Usability, and Threat Mitigation.
Complexity of Security Requirements
• Security requirements are seemingly simple:
confidentiality, authentication, nonrepudiation, integrity.
• Mechanisms are complex and involve subtle reasoning.
Thinking Like an Attacker
• Successful attacks often exploit unexpected weaknesses.
• Attackers view problems differently to uncover
vulnerabilities.
Challenges of Computer and Network Security
(cont.)
Counterintuitive Security Mechanisms
• Security solutions often appear unnecessarily complex.
• Complexity makes sense only after considering potential
threats.
Placement of Security Mechanisms
• Physical placement: Where in the network should
mechanisms go?
• Logical placement: Which layer of the architecture (e.g.,
TCP/IP)?
Challenges of Computer and Network Security
(cont.)
Managing Secrets and Protocols
• Security mechanisms rely on secret information (e.g.,
encryption keys).
• Challenges with creation, distribution, and protection of
secrets.
• Unpredictable delays in protocols can complicate security.
Battle of Wits
• Designers must eliminate all weaknesses; attackers need
only one.
• Security is an ongoing challenge.
Challenges of Computer and Network Security
(cont.)
Perceived Value of Security
• Users and managers often undervalue security until breaches occur.
• Security failures highlight its importance.
• Security is an ongoing challenge.
Challenges of Computer and Network Security
(cont.)
Continuous Monitoring
• Security requires constant vigilance.
• Overloaded environments make monitoring difficult.
Challenges of Computer and Network Security
(cont.)
Security as an Afterthought
• Often integrated post-design, causing inefficiencies.
• Viewed as a barrier to user-friendliness and efficiency.
Standards
• Many security techniques and applications are defined as
standards.
• Various organizations contribute to the development and
promotion of these standards.
The most popular standards are:
1. National Institute of Standards and Technology (NIST)
• U.S. federal agency dealing with measurement science,
standards, and technology.
• Develops standards for U.S. government and promotes
innovation in the private sector.
Standards (cont.)
The most popular standards are:
1. National Institute of Standards and Technology (NIST)
Key Standards:
• Federal Information Processing Standards (FIPS)
• Special Publications (SP)
2. Internet Society (ISOC)
• Professional membership society for the future of the
Internet.
• Provides leadership in Internet infrastructure and
standards.
Standards (cont.)
The most popular standards are:
2. Internet Society (ISOC)
Home to groups responsible for Internet standards:
• Internet Engineering Task Force (IETF)
• Internet Architecture Board (IAB)
Key Standards:
• Develops standards and specifications for Internet
infrastructure.
• Published as Requests for Comments (RFCs).
Standards (cont.)
The most popular standards are:
3. International Telecommunication Union (ITU-T)
• International organization within the United Nations
coordinating global telecom networks and services.
• ITU-T develops technical standards for
telecommunications.
Key Standards:
• ITU-T standards are referred to as Recommendations.
• Global influence on telecom and network security
standards.
Standards (cont.)
The most popular standards are:
4. International Organization for Standardization (ISO)
• A worldwide federation of national standards bodies.
• Promotes standardization in various fields including
technology, science, and trade.
Key Standards:
• ISO develops International Standards for the exchange
of goods and services.
• Standards help facilitate global cooperation in
intellectual, scientific, technological, and economic
activities.
Contents of the slides are taken from the following resources:
1. Cryptography and Network Security: Principles and Practice, eBook, Global Edition, 7th
edition By William Stallings
2. Pender-Bey, G., 2019. The parkerian hexad. Information Security Program at Lewis
University.