
WQD7010 Network Security L1

This document provides information about the WQD7010 Network & Security course taught by Dr. Saaidal Razalli Bin Azzuhri. Assessment will be based on a final exam (50%), mid-term (20%), and group/individual assignments (30%). Students are warned that copying work or allowing others to copy will result in a grade of zero and potential disciplinary action. The course will cover network security concepts, the OSI security architecture, defense methods, and internet standards.

Uploaded by

Low Wai Leong

WQD7010 Network & Security

Dr. Saaidal Razalli Bin Azzuhri


Dept. of Comp System & Technology
Fac. of Science Comp & IT.
WQD7010
 My contact details:
- email: [email protected]
- Phone (O): 0379677022 ext 2507
- Phone (M): 0133306515
- Room: B-2-14
Assessment is through…
 Final exam – 50%
 Mid-Term – 20%
 Group/Individual Assignment – 30%
 Do the lab assignments during lab hours or outside – not graded, but
exam or mid term can be from the lab assignments

 For group assignment, identified free riders will get 0!!!!


 Fraud (copying from your peers, others or internet, or allow your friend
to copy from you, or sharing your solutions publicly) will not be
tolerated, will get 0!!!
 If caught, will be handed straight to examination/disciplinary
committee!!!
L1: Introduction to Network Security (Outline)
 Security Concept
 OSI Security Architecture (Security Attacks,
Mechanisms and Services)
 Methods of Defense
 A model for Internetwork Security
 Internet standards and RFC
Background
 Traditionally, before the widespread use of computers, security was
provided by
– physical means – locked filing cabinets
– administrative mechanisms – rigid hiring process
 In recent times, especially in global networking environment, the
security requirements have changed
 Another major change that affected security is the introduction of
distributed systems and the use of networks and communications
facilities for carrying data between terminal user and computer and
between computer and computer
 Ensuring security is a far more complicated issue today
 Computer use requires automated tools to protect files and other stored
information
 Use of networks and communications links requires measures to protect
data during transmission
Case Study
The Australian Institute of Criminology survey in 2016 revealed
(https://aic.gov.au/publications/tandi/tandi526)
• The rapid growth of the internet is transforming how we engage and communicate. It also creates new opportunities for fraud and data theft.
• In a sample of more than 13 million emails identified as spam, more than 100,000 contained malicious attachments; nearly 1.4 million contained malicious web links that allow cybercriminals to remotely access them.
• The Australian economy relies on networked computer systems across all business sectors
• About 91,927 small businesses reported a response to a security breach in 2013; these organizations suffered financial loss
– $890m
– loss of productivity, customer confidence
News on Cyber Attack
Toyota Australia & Melbourne Hospital Under Cyber Attacks
(https://tendaily.com.au/news/crime/a190220gad/cyber-ransom-attacks-on-the-rise-as-toyota-and-melbourne-hospital-become-latest-victims-20190221/)
 A cyber crime syndicate accessed the medical files of 15,000 patients at Melbourne
Heart Group at Melbourne's Cabrini Hospital.
 The attack corrupted data in the system and completely crippled its servers.
 It is believed the records were hacked by malware originating from either North Korea or
Russia, but this is yet to be confirmed.
 Meanwhile, Toyota Australia has confirmed it has been subject to an attempted cyber
attack.
 These hacks come just days after Prime Minister Scott Morrison revealed Australia's
major political parties were hacked by a foreign government.
 The company has confirmed the attempted attack that took out its e-mail system,
forcing employees to turn to other forms of communication to continue working
News On Cyber Attack
Media Prima hit by ransomware, hackers demand RM26mil in bitcoins
(https://www.thestar.com.my/news/nation/2018/11/13/media-prima-hit-by-ransomware-hackers-demand-rm26mil-in-bitcoins-says-report/)
 Media Prima Berhad's computer systems have been locked out by cyber attackers who
are demanding millions of ringgit in ransom.
 The media company, which runs a stable of TV/radio channels, newspapers, advertising
and digital media companies was hit by a ransomware attack last Thursday (Nov 8),
The Edge Financial Daily reported.
 The report, quoting a source, said the attackers are demanding 1,000 bitcoins to
release access to the computer systems.
 The source reportedly added that Media Prima has decided not to pay the ransom.
Other Security News
• My short interview with TV3, regarding 5G security (24 Jan 2019)
https://www.youtube.com/watch?v=bDbQNrCkiN4&feature=youtu.be
Computer Security
The NIST Computer Security Handbook defines the term computer security as:
“The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications)”
CIA Triad
Computer Security Objectives
Confidentiality
• Data confidentiality
• Assures that private or confidential information is not made available or
disclosed to unauthorized individuals
• Privacy
• Assures that individuals control or influence what information related to them
may be collected and stored and by whom and to whom that information may
be disclosed
Integrity
• Data integrity
• Assures that information and programs are changed only in a specified and
authorized manner
• System integrity
• Assures that a system performs its intended function in an unimpaired manner,
free from deliberate or inadvertent unauthorized manipulation of the system

Availability
• Assures that systems work promptly and service is not denied to
authorized users
Possible additional concepts:
Authenticity
• Verifying that users are who they say they are and that each input arriving at the system came from a trusted source
Accountability
• The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity
Definitions
 Computer Security or Information Security
 generic name for the collection of tools designed to protect data
and to thwart hackers
 Network Security
 measures to protect data during their transmission (crucial in
distributed system, networks and communication facilities)
 Internet Security
 measures to protect data during their transmission over a
collection of interconnected networks (Internetwork security)
Security Focus
 Consists of measures to prevent, detect, and correct security
violations that involve the storage and transmission of
information
 Few Examples:
• A transmits a sensitive file to B that must be protected from
disclosure. C, not authorized to read the file, monitors the
transmission and captures the file during transmission
• D intercepts a message during transmission, changes the content
and transmits to F as if it originated from E.
• A message is sent from a customer to a stockbroker with
instructions of transactions. Subsequently, the investments lose
value and the customer denies sending the message
Breach of Security: Levels of Impact
• High: The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals
• Moderate: The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals
• Low: The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals
Examples of Security Requirements
Confidentiality
• Student grade information is an asset whose confidentiality is considered to be highly important by students
• Regulated by the Family Educational Rights and Privacy Act (FERPA)
Integrity
• Patient information stored in a database – inaccurate information could result in serious harm or death to a patient and expose the hospital to massive liability
• A Web site that offers a forum to registered users to discuss some specific topic would be assigned a moderate level of integrity
• An example of a low-integrity requirement is an anonymous online poll
Availability
• The more critical a component or service, the higher the level of availability required
• A moderate availability requirement is a public Web site for a university
• An online telephone directory lookup application would be classified as a low-availability requirement
Computer Security Challenges
• Security is not simple
• Potential attacks on the security features need to be considered
• Procedures used to provide particular services are often counter-intuitive
• It is necessary to decide where to use the various security mechanisms
• Requires constant monitoring
• Is too often an afterthought
• Security mechanisms typically involve more than a particular algorithm or protocol
• Security is essentially a battle of wits between a perpetrator and the designer
• Little benefit from security investment is perceived until a security failure occurs
• Strong security is often viewed as an impediment to efficient and user-friendly operation
OSI Layer
OSI Security Architecture
 ITU-T X.800 “Security Architecture for OSI” defines a systematic
way of defining and providing security requirements
 Provides a useful, if abstract, overview of concepts that we will
study
 A systematic approach is necessary to address the task(s)
 OSI security architecture provides a useful framework that
defines such a systematic way
− To define the security requirements and
− Adopt approaches to satisfy those requirements
OSI Security Architecture
 Focusing on three aspects of information
security
 Security Attacks
 Security Mechanism
 Security Services
Security Attacks
 Any action that compromises the security of
information owned by an organization
 Vulnerability: a weakness in a computer system that might be exploited
to cause loss or harm
 Threat: circumstances that have the potential to cause loss or harm
 Control: a protective measure
 Information security is about how to prevent attacks,
or failing that, to detect attacks on information-based
systems
 often threat & attack are used to mean the same thing
 Have a wide range of attacks
 Can focus on generic types of attacks
Threats and Attacks (RFC 4949)
Security Attacks - Taxonomy
 A security attack may attempt to do one or more of the
following:
– Interruption: an attack on availability
– Interception: an attack on confidentiality
– Modification: an attack on integrity
– Fabrication: an attack on authenticity
 Two types of security attacks:
– Passive Attacks
– Active Attacks
Interruption
• Also known as denial of service (DoS).
• Information resources (hardware, software and data) are deliberately made unavailable, lost or unusable, usually through malicious destruction.
• e.g.: cutting a communication line, disabling a file management system, etc.
Interception
• Also known as unauthorized access.
• Difficult to trace as no traces of intrusion might be left.
• e.g.: illegal eavesdropping or wiretapping or sniffing, illegal copying.
Modification
• Also known as tampering with a resource.
• Resources can be data, programs, hardware devices, etc.
Fabrication
• Also known as counterfeiting (of objects such as data, programs, devices, etc.).
• Allows authenticity checks to be bypassed.
• e.g.: insertion of spurious messages in a network, adding a record to a file, counterfeit bank notes, fake cheques
• impersonation/masquerading
– to gain access to data, services, etc.
Security Attacks - Taxonomy
Passive Attacks
• Nature: eavesdropping on, or monitoring of, transmission of information between the communicating parties
• Goal: to capture information during transmission
• Two types of passive attack:
– Release of message content
> capture and read the content
– Traffic analysis
> can’t read the information, but observe the pattern
> determine the location and identity of communicating parties
> observe frequency and length of communication
Passive Attacks
Active Attacks
• Modifies a data stream or creates a false data stream
• Four types of active attacks:
– Masquerade: one entity pretends to be a different entity
> authentication sequences are captured and replayed
> an entity can gain extra privileges
– Replay: passive capture of data and subsequent retransmission
– Modification of Message: messages can be altered, delayed or reordered to produce unauthorized effect
– Denial of Service: prevents normal use or management of communication facilities
> usually have a specific target
> disruption of services of an entire network or suppression of all messages directed to a particular destination
Active Attacks
Security Attacks in a Nutshell
Security Services
 Enhance the security of the data processing systems and the
information transfers of an organization
 Intended to counter security attacks
 Make use of one or more security mechanisms to provide the
service
 Replicate functions normally associated with physical
documents
– e.g have signatures, dates;
– need protection from disclosure, tampering, or destruction;
– be notarized or witnessed;
– be recorded or licensed
Security Services
• Defined by X.800 as:
– A service provided by a protocol layer of communicating open systems and that ensures adequate security of the systems or of data transfers
• Defined by RFC 4949 as:
– A processing or communication service provided by a system to give a specific kind of protection to system resources
X.800 Service Categories
 X.800 defines security services into 5 major
categories:
– Data Confidentiality
– Data Integrity
– Authentication
– Non-repudiation
– Access control
X.800 Service Categories
• Data Confidentiality: protection of data from unauthorized disclosure
• Data Integrity: assurance that data received has not been modified by an unauthorized entity
• Authentication: assures that the communication is authentic
– communicating entities are who they claim to be
– have both peer-entity & data origin authentication
• Access Control: prevention of the unauthorized use of a resource
• Non-Repudiation: protection against denial by one of the parties in a communication
– Receiver can prove that sender has sent the message
– Sender can prove that the receiver has received the message
X.800 Security Mechanism
Specific security mechanisms are protocol layer specific, whilst the pervasive security mechanisms are not!!
X.800 Security Mechanism
 Security services are implemented by
one or more security mechanism
 Security mechanisms are invoked at
appropriate layers and in appropriate
combinations
 See the Table 1.4 for relationship
between different security service and
mechanism
Fundamental security design principles
• The National Centers of Academic Excellence in Information Assurance/Cyber Defense, which is jointly sponsored by the U.S. Department of Homeland Security, list the following as fundamental security design principles:
– Economy of mechanism
– Fail-safe defaults
– Complete mediation
– Open design
– Separation of privilege
– Least privilege
– Least common mechanism
– Psychological acceptability
– Isolation
– Encapsulation
– Modularity
– Layering
– Least astonishment
Fundamental security design principles
• Economy of mechanism
– The design of security measures embodied in both hardware and software should be as simple and small as possible
• Fail-safe default
– Access decisions should be based on permission rather than exclusion: the default situation is lack of access, and the protection scheme identifies conditions under which access is permitted
• Complete mediation
– Every access must be checked against the access control mechanism
• Open design
– The design of a security mechanism should be open rather than secret
• Separation of privilege
– A practice in which multiple privilege attributes are required to achieve access to a restricted resource
• Least privilege
– Every process and every user of the system should operate using the least set of privileges necessary to perform the task
• Least common mechanism
– The design should minimize the functions shared by different users, providing mutual security
• Psychological acceptability
– Implies that the security mechanisms should not interfere unduly with the work of users, while at the same time meeting the needs of those who authorize access
Fundamental security design principles
• Isolation
– A principle that applies in three contexts: first, public access systems should be isolated from critical resources to prevent disclosure or tampering; second, the processes and files of individual users should be isolated from one another except where it is explicitly desired; third, security mechanisms should be isolated in the sense of preventing access to those mechanisms
• Encapsulation
– Viewed as a specific form of isolation based on object-oriented functionality
• Modularity
– Refers both to the development of security functions as separate, protected modules and to the use of a modular architecture for mechanism design and implementation
• Layering
– Refers to the use of multiple, overlapping protection approaches addressing the people, technology, and operational aspects of information systems
• Least privilege
– Every process and every user of the system should operate using the least set of privileges necessary to perform the task
• Least astonishment
– A program or user interface should always respond in the way that is least likely to astonish the user
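An added example, not part of the original slides: a small reference monitor that shows fail-safe defaults, complete mediation and least privilege together, using the student-grade asset from the security requirements slide. The class names, subjects and grades are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class ReferenceMonitor:
    """Single decision point: an access is allowed only if explicitly granted."""
    grants: set = field(default_factory=set)   # {(subject, object, right)}
    audit: list = field(default_factory=list)  # accountability: every decision is logged

    def grant(self, subject, obj, right):
        self.grants.add((subject, obj, right))

    def revoke(self, subject, obj, right):
        self.grants.discard((subject, obj, right))

    def check(self, subject, obj, right):
        # Fail-safe default: the absence of a grant means "deny".
        allowed = (subject, obj, right) in self.grants
        self.audit.append((subject, obj, right, "ALLOW" if allowed else "DENY"))
        return allowed


class GradeStore:
    """Constructed sample resource: student grades (a confidentiality asset)."""

    def __init__(self, monitor):
        self._monitor = monitor
        self._grades = {"alice": "A", "bob": "B+"}

    def _mediate(self, subject, student, right):
        # Complete mediation: evaluated on every access, no cached decisions.
        if not self._monitor.check(subject, f"grade:{student}", right):
            raise PermissionError(f"{subject} may not {right} grade:{student}")

    def read(self, subject, student):
        self._mediate(subject, student, "read")
        return self._grades[student]

    def write(self, subject, student, grade):
        self._mediate(subject, student, "write")
        self._grades[student] = grade


def attempt(action, *args):
    """Run an access and report a denial as the string "DENIED"."""
    try:
        return action(*args)
    except PermissionError:
        return "DENIED"


def build_demo():
    monitor = ReferenceMonitor()
    store = GradeStore(monitor)
    # Least privilege: each subject gets only the right its task needs.
    monitor.grant("alice", "grade:alice", "read")
    monitor.grant("lecturer", "grade:alice", "write")
    return monitor, store
```

Because the decision is re-evaluated on each call, revoking a grant takes effect on the very next access.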
Attack surface
• Consists of the reachable and exploitable vulnerabilities in a system
• Examples:
– Open ports on outward facing Web and other servers, and code listening on those ports
– Services available on the inside of a firewall
– Code that processes incoming data, e-mail, XML, office documents, and industry-specific custom data exchange formats
– Interfaces, SQL, and Web forms
– An employee with access to sensitive information vulnerable to a social engineering attack
• Can be categorized in the following way:
– Network attack surface
> This category refers to vulnerabilities over an enterprise network, wide-area network, or Internet
– Software attack surface
> Vulnerabilities in application, utility, or operating system code
– Human attack surface
> Refers to vulnerabilities created by personnel or outsiders, such as social engineering, human error, and trusted insiders
Attack trees
• A branching, hierarchical data structure that represents a set of potential techniques for exploiting security vulnerabilities
• The security incident that is the goal of the attack is represented as the root node of the tree
• The ways that an attacker could reach that goal are iteratively and incrementally represented as branches and subnodes of the tree
• The final nodes on the paths outward from the root, the leaf nodes, represent different ways to initiate an attack
• Branches can be labeled with values representing difficulty, cost, or other attack attributes, so that alternative attacks can be compared
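An added example, not part of the original slides: an attack tree as a data structure, built around the A-to-B file disclosure scenario from the Security Focus slide, and used the way a defender would use it, to see which path is cheapest for an attacker and how a control changes that. The AND/OR node types, the node labels and the cost values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field, replace
from typing import List, Tuple


@dataclass(frozen=True)
class Node:
    label: str
    kind: str = "LEAF"      # "LEAF", "OR" (any child suffices), "AND" (all children needed)
    cost: float = 0         # estimated attacker effort; only used on leaves
    children: Tuple["Node", ...] = field(default_factory=tuple)


def cheapest(node: Node) -> Tuple[float, List[str]]:
    """Return (minimum attacker cost, leaf labels that make up that path)."""
    if node.kind == "LEAF":
        return node.cost, [node.label]
    if not node.children:
        raise ValueError(f"{node.kind} node {node.label!r} has no children")
    results = [cheapest(child) for child in node.children]
    if node.kind == "OR":
        # The attacker picks the single cheapest alternative.
        return min(results, key=lambda r: r[0])
    if node.kind == "AND":
        # Every sub-goal is required, so costs add up.
        return sum(r[0] for r in results), [leaf for r in results for leaf in r[1]]
    raise ValueError(f"unknown node kind {node.kind!r}")


def harden(node: Node, leaf_label: str, new_cost: float) -> Node:
    """Return a copy of the tree in which a control has raised one leaf's cost."""
    if node.kind == "LEAF":
        return replace(node, cost=new_cost) if node.label == leaf_label else node
    return replace(
        node, children=tuple(harden(c, leaf_label, new_cost) for c in node.children)
    )


# Constructed sample tree; one leaf per attack-surface category plus an AND branch.
TREE = Node("Disclose sensitive file sent from A to B", "OR", children=(
    Node("Intercept transmission on the network", cost=2),            # network surface
    Node("Log in as B", "AND", children=(
        Node("Obtain B's password by social engineering", cost=3),    # human surface
        Node("Reach the internal file service", cost=4),              # network surface
    )),
    Node("Exploit a flaw in the file-server software", cost=8),       # software surface
))
```

Raising the cost of the cheapest leaf (for instance by encrypting the transmission) does not end the analysis; it moves the cheapest path to the next branch, which is where the next control is needed.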
Model for Network Security
Network Access Security Model
Model for Network Security
 This model requires us to :
– design a suitable algorithm for the security-related
transformation
– generate the secret information (keys) used by the algorithm
– develop methods to distribute and share the secret
information
– specify a protocol enabling the principals to use the
transformation and secret information for a security service
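An added example, not part of the original slides: the four tasks of the model carried out with HMAC-SHA256 as the security-related transformation, a random shared key as the secret information, and a sequence-numbered message format as the protocol, so that the receiver detects modification and replay. The message layout, the names and the sample messages are assumptions; key distribution is assumed to have happened out of band.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32   # HMAC-SHA256 output size in bytes
SEQ_LEN = 8    # sequence number field, big-endian


def generate_key() -> bytes:
    """Secret information shared by both principals."""
    return secrets.token_bytes(32)


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: apply the security-related transformation (append a MAC)."""
    header = seq.to_bytes(SEQ_LEN, "big")
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    def __init__(self, key: bytes):
        self._key = key
        self._last_seq = -1  # highest sequence number accepted so far

    def accept(self, message: bytes) -> bytes:
        if len(message) < SEQ_LEN + TAG_LEN:
            raise ValueError("truncated message")
        header = message[:SEQ_LEN]
        payload = message[SEQ_LEN:-TAG_LEN]
        tag = message[-TAG_LEN:]
        expected = hmac.new(self._key, header + payload, hashlib.sha256).digest()
        # Verify the MAC (constant-time compare) before trusting any field.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed")
        seq = int.from_bytes(header, "big")
        if seq <= self._last_seq:
            raise ValueError("replayed or reordered message")
        self._last_seq = seq
        return payload


def outcome(receiver: Receiver, message: bytes) -> str:
    try:
        return "accepted: " + receiver.accept(message).decode()
    except ValueError as err:
        return "rejected: " + str(err)


def demo() -> list:
    key = generate_key()
    receiver = Receiver(key)
    order = protect(key, 1, b"buy 100 shares")   # constructed sample message
    # Same length, different content, original tag kept: modification in transit.
    tampered = order[:SEQ_LEN] + b"buy 900 shares" + order[-TAG_LEN:]
    return [
        outcome(receiver, tampered),                              # modified message
        outcome(receiver, order),                                 # genuine message
        outcome(receiver, order),                                 # captured and replayed
        outcome(receiver, protect(key, 2, b"sell 50 shares")),    # next genuine message
    ]
```

A shared-key MAC provides data integrity and data-origin authentication only; it gives neither confidentiality nor non-repudiation, since either principal could have produced the tag.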
Unwanted Access
• Placement in a computer system of logic that exploits vulnerabilities in the system and that can affect application programs as well as utility programs
• Programs can present two kinds of threats:
– Information access threats: intercept or modify data on behalf of users who should not have access to that data
– Service threats: exploit service flaws in computers to inhibit use by legitimate users
Standards
NIST
• National Institute of Standards and Technology
• U.S. federal agency that deals with measurement science, standards, and technology related to U.S. government use and to the promotion of U.S. private-sector innovation
• NIST Federal Information Processing Standards (FIPS) and Special Publications (SP) have a worldwide impact
ISOC
• Internet Society
• Professional membership society with worldwide organizational and individual membership
• Provides leadership in addressing issues that confront the future of the Internet
• Is the organization home for the groups responsible for Internet infrastructure standards, including the Internet Engineering Task Force (IETF) and the Internet Architecture Board (IAB)
• Internet standards and related specifications are published as Requests for Comments (RFCs)
Summary
• Computer security concepts
– Definition
– Examples
– Challenges
• The OSI security architecture
• Security attacks
– Passive attacks
– Active attacks
• Security services
– Authentication
– Access control
– Data confidentiality
– Data integrity
– Nonrepudiation
– Availability service
• Security mechanisms
• Attack surfaces and attack trees
– Attack surfaces
– Attack trees
• Model for network security
• Standards
Further reading
• Chapter 1 of the textbook: “Network Security Essentials - Application & Standards” by William Stallings, 6th Edition, 2017
http://www.cybersafe.my/cyberyouths-posters.html
