Introduction to security

1. Security Threat: A security threat is a possible danger that might exploit vulnerabilities in a computer system to breach security and thus cause harm. A threat is the interaction of an actor, a motivation and a vulnerability.

A threat can be either intentional or accidental. Intentional threats are normally due to intelligent persons such as crackers, hackers or criminal organizations. Accidental threats are due to malfunctioning computers, natural disasters or mistakes made by computer users.

A threat may cause damage through unauthorized access, destruction, disclosure, modification of data or denial of service. There are four types of security threats:

- Interception: An unauthorized party has gained access to a service or data.
- Interruption: Services or data become unavailable, unusable, destroyed and so on.
- Modification: Unauthorized changing of data or tampering with a service so that it no longer adheres to its original specification. Example: intercepting and subsequently changing transmitted data.
- Fabrication: Additional data or activities are generated that would normally not exist. Example: an intruder may attempt to add an entry to a password file or database.
2. Security Attacks: An attack is any attempt to destroy, expose, alter, disable, steal or gain unauthorized access to, or make unauthorized use of, an asset. Intruders first analyze our environment and collect information in order to exploit vulnerabilities, and then perform the desired type of attack on our computer system.

An intruder can install harmful malicious software on our computer without our knowledge. Such malicious software includes viruses, spyware and Trojan horses. This software often deletes vital files on our computer, making the computer function abnormally.

- Passive Attacks: An attack that attempts to learn or make use of information from the system but does not affect system resources is called a passive attack.
- Active Attacks: An attack that attempts to alter system resources or affect their operation is called an active attack.
- Insider Attacks: An attack initiated by an entity that is authorized to access system resources but uses them in a way not approved by those who granted the authorization.
- Outsider Attacks: An attack initiated by an unauthorized user of the system is called an outsider attack. On the internet, potential outside attackers range from amateur pranksters to organized criminals, international terrorists and hostile governments.
3. Security Policy and Mechanism: A security policy is a statement about what is and is not allowed in a system, while a security mechanism is a procedure for implementing the security policy. Mechanisms are designed to detect, prevent or recover from security attacks.

Example: consider an office with several employees. The office may have a policy like "all employees need to be authenticated before they enter the office". This policy can be enforced by one or more of the mechanisms given below:

- Each employee needs to swipe his/her identity card on an RFID reader. The door will be unlocked only when a valid identity card is swiped.
- Using a retina/fingerprint scanner, a biosensor authenticates every employee entering the office.
4. Formulating Security Policy: The formulation of a security policy depends upon the needs of the particular organization. The main purpose of a security policy is to secure organizational resources. The following steps are needed to formulate a security policy:

- Analysis of the existing security policy: Before formulating new policies, the security administrator must analyze the current security policy and identify vulnerabilities in it.
- Identification of resources that need to be secured: The main goal of a security policy is to secure the IT assets of the organization. Therefore the security administrator must identify the hardware, software or data resources that need security before designing a new policy.
- Identification of possible security threats and attacks: Once the resources to be secured are identified, the security administrator must list the security threats and attacks that are possible in the organization. Such threats and attacks may be viruses, unauthorized access, natural disasters etc.
- Formulation of possible security policies: While defining a new security policy, we must keep a broad view and think about it in different ways. It is good to design more than one security policy.
- Evaluation of alternatives: Once the security policies are designed, we must evaluate each of them. We need to identify the strengths, weaknesses, cost and ease of use of each with respect to our IT assets.
- Selecting the best among the alternatives: We select the best of the security policies evaluated previously. The selection may depend upon our security needs and the organization's budget.
5. Security Services: A security service is a service provided by a layer of communicating open systems which ensures adequate security of the system or of data transfer. Security services fall into 5 categories:

- Authentication: A user needs to be authenticated before being given access to the system. Example: whether RC can use the system or not is decided by authentication.
- Authorization: Authorization controls access to objects. Example: once Bishnu is authenticated, whether he can write the file abc.txt or not is decided by authorization.
- Data Confidentiality: The property that ensures that information is not made available or disclosed to unauthorized individuals, entities or processes.
- Data Integrity: In information security, data integrity is the property that ensures that data cannot be modified in an unauthorized way, or that if it is modified in an unauthorized way, the modification is detected. Example: the message "hello" can be converted into "jgnnq" before transmitting or storing it. Here, "hello" is the plain text and "jgnnq" is the scrambled message.
- Non-repudiation: Non-repudiation implies that one party to a transaction cannot deny having received the transaction, nor can the other party deny having sent it.
Security Awareness: Security awareness is about educating employees about corporate security policies and procedures for working with information technology. Employees should receive information about who to contact if they discover a security threat, and be taught to treat data as a valuable corporate asset.

By educating employees, suppliers, partners and customers, we can reduce the chance that our organization will become a victim of today's data security threats, and ensure that all staff can properly handle an incident if it occurs.
Malicious Software (Malware): Malware is software that brings harm to a computer system. It can be used to disrupt computer operation, gather sensitive information or gain access to private computer systems. Malware can be in the form of worms, viruses, Trojans etc. which steal protected data, delete documents or add software not approved by the user. Some forms of attack include attachments in emails, or browsing a malicious website that installs software after the user clicks OK on a pop-up.

Worms: This type of malware uses network resources for spreading. The class was called worms because of its peculiar feature of creeping from computer to computer using the network, mail and other information channels. Worms intrude into our computer, calculate the network addresses of other computers and send copies of themselves to those addresses.

The biggest danger with a worm is its capability to replicate itself on your system, so it could send out hundreds or thousands of copies of itself, creating a devastating effect. One example would be a worm that sends a copy of itself to everyone listed in your e-mail address book.

Virus: A computer virus is a program that inserts itself into one or more files and then performs some action. A computer virus works in two phases. The first phase, in which the virus inserts itself into a file, is called the insertion phase. The second phase, in which it performs some action, is called the execution phase.

The Brain virus written for IBM PCs is an example of this category. It is thought to have been created in early 1986 but was first reported in the United States in October 1987. It alters the boot sectors of floppy disks, possibly corrupting files in the process. It also spreads to any uninfected floppy disks inserted into the system.

Trojan horse: A Trojan horse, or Trojan, in computing is any malicious computer program which misrepresents itself to appear useful, routine or interesting in order to persuade a victim to install it. Trojans are generally spread by some form of social engineering, for example where a user is duped into executing an e-mail attachment disguised to look unsuspicious (e.g. a routine form to be filled in), or by drive-by download. Although their payload can be anything, many modern forms act as a backdoor, contacting a controller which can then have unauthorized access to the affected computer. While Trojans and backdoors are not easily detectable by themselves, computers may appear to run slower due to heavy processor or network usage.
Malware Vulnerability Factors: Factors that make a system vulnerable to malware are:

- Use of the same operating system: One cause of vulnerability of networks is the consistent use of the same operating system, such as MS Windows or Apple OS. In such a case, if someone can hack that OS, he/she can break into any computer in the system. Diversity in operating systems could increase short-term costs for training and maintenance, but it may prevent total shutdown of the network and allows the remaining nodes to help with recovery of the infected nodes.
- Software bugs: Most systems contain bugs or loopholes which may be exploited by malware. A typical example is the buffer over-run weakness, in which an application may allow the user to supply more data than will fit in its buffer.
- Over-privileged users and code: In some operating systems, users are over-privileged in the default configuration; they have been inappropriately granted administrator or equivalent status. Malware running as over-privileged code can use this privilege to threaten the system. When a user executes code, almost all operating systems give that code all the rights of that user. This makes users vulnerable to malware in the form of email attachments, which may or may not be disguised.
- Unconfirmed code: Code from a floppy disk, CD-ROM, USB device or the internet may be executed without the user's agreement. Such code may sometimes be malware and hence may cause harm to our company systems or steal information from computers.
Hacking: Hacking means gaining unauthorized access to individual computers or computer networks. A hacker is a person who secretly invades the computers of others, inspecting or tampering with the programs or data stored on them. A hacker may also be defined as a person who uses a computer to gain unauthorized access.

Crackers: A cracker is a computer user who attempts to break into copyrighted software or an information system; this is done with the intent of releasing software so it can be used without paying royalties. Crackers steal confidential data and acquire free access to perform malicious destruction of files.

Categories of Hackers: Hackers are categorized into three categories: black hats, white hats and gray hats.

- Black Hats: Black-hat hackers, or black hats, are the type of hackers that violate computer security for personal gain, such as stealing credit card numbers or harvesting personal data for sale to identity thieves.
- White Hats: White-hat hackers, or white hats, are the opposite of black-hat hackers. They are ethical hackers, experts in compromising computer security systems, who use their abilities for good, ethical and legal purposes rather than bad, unethical and criminal ones. Example: many white-hat hackers are employed to test organizations' computer security systems.
- Gray Hats: A gray-hat hacker, or gray hat, falls somewhere between a black hat and a white hat. A gray hat does not work for their own personal gain, but they may technically commit crimes and do arguably unethical things.
Hacking Approaches: Some of the widely used hacking approaches are:

- Packet Sniffing: Capturing, decoding, inspecting and interpreting the information inside a network packet on a TCP/IP network. The purpose is to steal information, usually user IDs, passwords, network details, credit card numbers etc. Sniffing is a passive type of attack, in which the attacker can remain silent/invisible on the network.
- Password Cracking: The process of recovering passwords from data that has been stored in or transmitted by a computer system. The purpose of password cracking might be to help a user recover a forgotten password, to gain unauthorized access to a system, or as a preventive measure by a system administrator to check for easily crackable passwords.
- Email Hacking: Email being hacked means our password has been compromised and the hacker has actually signed on to our account, read any emails coming in, and looked through our inbox and saved folders.
Cryptography: Cryptography is the science of providing security for information. It is a means of providing secure communication between individuals, government agencies and military forces. Cryptography is a cornerstone of the modern security technologies used to protect information and resources on both open and closed networks.

The terms encode and decode, or encipher and decipher, are used instead of encrypt and decrypt. That is, we say that we encode, encrypt or encipher the original message to hide its meaning. Then we decode, decrypt or decipher it to reveal the original message.

Types of Cryptosystem: There are two broad classes of cryptosystem:

1. Secret-key Cryptosystem: In a secret-key cryptosystem, the same key is used for both encryption and decryption. Since the keys are the same, two users wishing to communicate confidentially must agree on and maintain a common secret key. It is also called a symmetric key cryptosystem or private key cryptosystem.

2. Public-key Cryptosystem: In a public key cryptosystem, different keys are used for encryption and decryption. The key used for encryption is the public key and is made available to everyone, whereas the key used for decryption is called the private key and is known only to the receiver. It is also called an asymmetric key cryptosystem.
Difference between private key cryptography and public key cryptography:

| Private key cryptography | Public key cryptography |
|---|---|
| The same key is used for encryption and decryption. The key must be kept secret. | Different keys are used for encryption and decryption. The key used for encryption is called the public key and the key used for decryption is called the private key. |
| Encryption and decryption are faster than in public key cryptosystems. | Encryption and decryption are slower than in private key cryptosystems. |
| The secrecy of the system depends entirely upon the shared secret key. If the key is lost or stolen then the entire system will fail. | Private keys do not need to be shared, therefore it is relatively more secure than private key cryptosystems. |
| It cannot be used for anything other than achieving confidentiality. | It can also be used in digital signatures and authentication systems. |
| It is useful in systems where it is possible to share the secret key by meeting. | It is useful when the communicating parties are at distant locations and it is difficult to share a secret key. |
| It is feasible when the number of users involved in communication is few. | It is also feasible when the number of users involved in communication is large. |
| Examples are the Caesar cipher, transposition cipher etc. | Examples are the RSA algorithm, ElGamal etc. |
Digital Signatures: In many countries, including the United States, digital signatures have the same legal significance as the more traditional forms of signed documents. The United States Government Printing Office publishes electronic versions of the budget, public and private laws, and congressional bills with digital signatures.

A digital signature consists of three algorithms:

- A key generation algorithm: This algorithm randomly produces a pair of a public key and a private key, where the private key is used for generating signatures and the public key is used to verify signatures.
- A signing algorithm: This algorithm takes a message and the private key as input and produces a signature that can be attached to documents.
- A signature verifying algorithm: This algorithm takes the message and the public key as input and verifies the validity of the attached signature. It either accepts or rejects the signature.
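The three algorithms above, worked through as an added example (not code from the original notes) using textbook hash-then-sign RSA; the primes, public exponent and sample document are constructed toy values chosen only so that the arithmetic is visible:

```python
import hashlib

# Constructed toy parameters for textbook RSA (not the notes' own code).
# Two Mersenne primes give a modulus of about 92 bits: far too small for
# real use, but enough to see the three algorithms work end to end.
P = 2**31 - 1
Q = 2**61 - 1
E = 65537


def generate_keypair(p=P, q=Q, e=E):
    """Key generation: returns ((n, e) public key, (n, d) private key)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e; requires Python 3.8+
    return (n, e), (n, d)


def message_digest(message, n):
    """Hash the message with SHA-256 and reduce it into the RSA group."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message):
    """Signing: the digest is 'encrypted' with the private exponent, so the
    slow public-key operation runs on a short digest, not the whole message."""
    n, d = private_key
    return pow(message_digest(message, n), d, n)


def verify(public_key, message, signature):
    """Verification: undo the signing with the public exponent and compare
    against a freshly computed digest of the received message. Accept only
    if they match; a tampered message or a tampered signature is rejected."""
    n, e = public_key
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == message_digest(message, n)


if __name__ == "__main__":
    public_key, private_key = generate_keypair()
    document = b"Pay 100 to Bishnu"  # constructed sample document
    sig = sign(private_key, document)
    print("valid signature accepted:", verify(public_key, document, sig))
    print("tampered document rejected:",
          not verify(public_key, b"Pay 900 to Bishnu", sig))
    print("altered signature rejected:",
          not verify(public_key, document, (sig + 1) % public_key[0]))
```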
Hash Functions: A cryptographic hash function is a one-way transformation that takes an input and returns a fixed-size string, which is called the hash value. Hash functions are an important type of cryptographic algorithm and are widely used in cryptography, such as in digital signatures, data authentication, e-cash etc. A cryptographic hash function is considered insecure if either of the following is computationally feasible:

- Finding a message that matches a given digest.
- Finding collisions, where two different messages have the same message digest.

Well known functions are HMAC, MD4, MD5, SHA1, SHA256 etc.

Some of the areas where hash functions are applied are:

Message Integrity Verification: Determining whether any changes have been made to a message (or a file). It can be accomplished by comparing message digests calculated before and after transmission. If they are not equal, it implies that the message was modified by some impostor.

Password Verification: Passwords are usually not stored in clear text, for obvious reasons, but instead in digest form. To authenticate a user, the password presented by the user is hashed and compared with the stored hash. This is sometimes referred to as one-way encryption.

Digital Signatures: While generating digital signatures, the message digest is created and it is encrypted with the private key, so that the signing process becomes faster.
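The first two applications above, integrity verification and password verification, as an added example (not from the original notes). It goes a little beyond the plain digest the notes describe: the password record carries a random salt and uses an iterated hash (PBKDF2-HMAC-SHA256), and comparisons are constant-time. The messages and passwords are constructed samples.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the original notes).
ORIGINAL = b"Transfer 100 to account 12345"
TAMPERED = b"Transfer 900 to account 12345"


def digest(data):
    """Message digest used for integrity checks (SHA-256, hex encoded)."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(received, digest_sent_separately):
    """Integrity verification: recompute the digest of what arrived and
    compare it with the digest computed before transmission. The digest
    must travel over a channel the sender trusts more than the message
    itself (or be signed), otherwise an impostor just replaces both."""
    return hmac.compare_digest(digest(received), digest_sent_separately)


def make_password_record(password, salt=None, iterations=100_000):
    """Store a password in digest form only. The random salt and the slow,
    iterated hash are additions to the notes' plain digest: they make
    precomputed digest tables and brute force more expensive. The
    iteration count is an example value, not a recommendation."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": key.hex()}


def verify_password(record, candidate):
    """Hash the presented password with the stored salt and compare digests
    in constant time; the clear-text password is never stored or compared."""
    key = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                              bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(key.hex(), record["hash"])


if __name__ == "__main__":
    sent_digest = digest(ORIGINAL)
    print("original intact:", integrity_ok(ORIGINAL, sent_digest))
    print("tampered detected:", not integrity_ok(TAMPERED, sent_digest))
    record = make_password_record("correct horse battery")
    print("stored record (no clear text):", record)
    print("right password:", verify_password(record, "correct horse battery"))
    print("wrong password:", verify_password(record, "correct horse batter"))
```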
Firewalls: A firewall is a network security system that controls incoming and outgoing network traffic based on an applied rule set. It establishes a barrier between a trusted, secure internal network and another network, such as the internet or any other network that is assumed not to be secure and trusted. It implements a network access policy by forcing connections to pass through the firewall, where they can be examined and evaluated. A firewall examines all traffic routed between the two networks to see if it meets certain criteria. If it does, it is routed between the networks; otherwise it is stopped.

A firewall can be either hardware or software. Hardware firewalls can be purchased as stand-alone products but are also typically found in broadband routers, and should be considered an important part of your system and network set-up.

Software firewalls are installed on our computer and we can customize them, allowing us some control over their functions and protection features. A software firewall protects our computer from outside attempts to control or gain access to our computer.

Types of Firewalls:

1. Packet Filter Firewalls: A packet filter firewall inspects the packets that are transferred between computers on the Internet. When a packet passes through a packet filter firewall, its source and destination address, protocol and destination port number are checked against the firewall's rule set. Any packets that aren't specifically allowed onto the network are dropped. Example: if a firewall is configured with a rule to block Telnet access, then the firewall will drop packets destined for port 23.

2. Circuit Filter Firewalls: A circuit-level gateway is a type of firewall that operates on the session layer of the OSI model. Instead of inspecting packets by header, it maintains a connection between two hosts that is approved to be safe. It uses three-way handshaking to see whether a requested connection is legitimate or not.

3. Application-level Gateways: These firewalls work on the application layer of the OSI model and provide protection for specific application layer protocols. A proxy server is the best example of an application level gateway firewall. An application level gateway works only for the protocols for which it is configured. Example: if we install a web proxy based firewall then it will only allow HTTP protocol data. We can set up various proxies on a single firewall for different applications. Both the client and the server connect to these proxies instead of connecting directly to each other, so any suspicious data or connections are dropped by the proxies.

SMTP application proxies can be configured to allow only certain commands, like helo, mail from and rcpt to, to pass through the firewall, and to block other commands like expn and vrfy, which try to expand a list or verify whether an account exists and are used by attackers and spammers for their own ends.
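The packet filter rule set (drop Telnet on port 23, drop anything not specifically allowed) and the SMTP proxy command allow-list described above, as one added example that is not part of the original notes. The addresses are from documentation ranges and the rule set is constructed; HELO, MAIL and RCPT are the verbs the notes name, and EHLO, DATA, RSET and QUIT are added on the assumption that a mail session needs them to complete.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str       # source address
    dst: str       # destination address
    proto: str     # "tcp" or "udp"
    dport: int     # destination port


@dataclass(frozen=True)
class Rule:
    """One packet-filter rule; 'any' / None fields match every packet."""
    action: str                 # "allow" or "drop"
    proto: str = "any"
    dst: str = "any"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "any" or self.proto == pkt.proto)
                and (self.dst == "any" or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


def packet_filter(pkt: Packet, rules: List[Rule], default: str = "drop") -> str:
    """First matching rule decides; anything not specifically allowed is
    dropped by the default, as the notes describe."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed rule set: block Telnet (port 23) as in the notes' example,
# allow web traffic anywhere, allow SMTP only to the mail server
# 192.0.2.25 (a documentation address), drop everything else by default.
RULES = [
    Rule("drop", proto="tcp", dport=23),
    Rule("allow", proto="tcp", dport=80),
    Rule("allow", proto="tcp", dport=443),
    Rule("allow", proto="tcp", dst="192.0.2.25", dport=25),
]

# SMTP application proxy: allow-list of command verbs. EXPN and VRFY are
# simply absent from the list, so the proxy refuses to forward them.
SMTP_ALLOWED_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "QUIT"}


def smtp_proxy_allows(command_line: str) -> bool:
    """True if the command verb (first word, case-insensitive) is allowed."""
    stripped = command_line.strip()
    verb = stripped.split(None, 1)[0].upper() if stripped else ""
    return verb in SMTP_ALLOWED_VERBS


if __name__ == "__main__":
    # Constructed sample traffic from an outside host (198.51.100.7).
    for pkt in [Packet("198.51.100.7", "192.0.2.10", "tcp", 23),
                Packet("198.51.100.7", "192.0.2.10", "tcp", 443),
                Packet("198.51.100.7", "192.0.2.25", "tcp", 25),
                Packet("198.51.100.7", "192.0.2.10", "tcp", 25)]:
        print(pkt, "->", packet_filter(pkt, RULES))
    for line in ["HELO client.example", "MAIL FROM:<alice@example.com>",
                 "RCPT TO:<bob@example.com>", "VRFY bob", "EXPN staff"]:
        print(repr(line), "->", "forward" if smtp_proxy_allows(line) else "block")
```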
User Identification and Authentication: Authentication is the process of determining and validating a user's identity. The computer system uses an abstract object called a user account that contains a set of attributes for each user. The object has a name (user ID or logon ID) that is used to represent the abstract object. Additional attributes of the object may include the full name of the actual user, the department for which he/she works, a password or any other features of the user.

The process of authentication is often considered to consist of two distinct phases: identification and authentication. Identification occurs when a user claims an identity. This can be accomplished with a username, a smart card, or anything else that can uniquely identify a subject. Authentication is the process of proving an identity, and it occurs when subjects provide appropriate credentials or evidence to prove their identity. Example: when a user provides the correct password with a username, the password proves that the user is the owner of the username. Authentication provides proof of a claimed identity.

Three components are involved in the process of user authentication:

- Supplicant: The party in the authentication process that provides its identity and evidence for it, and as a result is authenticated.
- Authenticator: The server that is responsible for verifying the authenticity of users based on the evidence provided by them.
- Authentication Database: The database that stores the identity and other attributes that a user possesses. Users need to provide these attributes to prove their identity. The authentication database can be maintained by the authenticator itself or by some other computer in the system.
There are several methods of authentication:

1. Password based authentication: Passwords are an example of an authentication mechanism based on what people know: the user supplies a password and the computer validates it. If the password is associated with the user, that user's identity is authenticated. If not, the password is rejected and the authentication fails. A password is information associated with an entity that confirms the entity's identity. It can be a sequence of characters and digits, or a sequence of words such as a phrase.

Passwords can be stored in many ways: in plain text form, in encrypted form or in the form of a hash value of the password. The hash value of the password is considered the most secure and is the widely used approach. A password containing at least one digit, one letter, one punctuation symbol and one control character is usually quite strong.

2. Smartcard based authentication: A smart card is a small plastic card containing an embedded microchip that can be programmed to store specific user authentication information. The chip on a smart card can store multiple identification factors of a specific user. When the user swipes his or her card in a smart card reader, the card may implement multiple factors of authentication.

Advantages:

- It eliminates the threat of hackers stealing stored or transmitted information from a computer.
- The information is processed on the smart card, so the authentication information is never transmitted to another machine.

Disadvantages:

- Smart card encryption options are limited.
- Smaller or shorter encryption keys may be necessary, which heightens the chance of data compromise.
- It also needs extra hardware infrastructure for implementation.

3. Biometric based authentication: Biometric authentication is a type of system that relies on the unique physiological or behavioral characteristics of individuals to verify identity for secure access to electronic systems. Some of the widely used physiological or behavioral characteristics are the face, fingerprints, retinal information, voice, DNA structure etc.

Biometric authentication systems compare the current biometric data captured to stored, confirmed authentic data in a database. If both samples of the biometric data match, authentication is confirmed and access is granted.

A smartphone user might log on with his personal identification number (PIN) and then provide an iris scan to complete the authentication process.
Other Security Measures:

Authorization: Authorization is the process of giving someone permission to do or have something. Assuming that someone has logged in to a computer operating system or application, the system or application may want to identify what resources the user can be given during this session. Thus authorization is sometimes seen as the setting up of permissions by a system administrator and the actual checking of the permission values that have been set up when a user is getting access. Two widely used authorization schemes are Access Control Lists (ACL) and capability lists.

Access Control List: An access control list is a list of permissions attached to an object. It stores privileges in the form of <subject, privilege> pairs. Here the object is a file or any other hardware or software resource, the subject is a user or process, and the privileges are allowed operations such as read, write and execute.

Example: File1-RC:RW; Bishnu:RWX; Santosh:R

The above ACL gives permission to read and write File1 to RC, to read, write and execute it to Bishnu, and read only to Santosh.

Capability List: A capability list is a list of permissions attached to a subject. It stores privileges in the form of <object, privilege> pairs. Here, the object is a file or any other hardware or software resource, the subject is a user or process, and the privileges are allowed operations such as read, write and execute.

Example: RC-File1:RW; File2:R

The above capability list gives permission to RC such that he can read and write File1 and can only read File2.
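The two examples above, in the notes' own notation, worked through as an added example (not code from the original notes). It parses both list forms, answers "may subject S do operation O on object X" with default deny, and shows that a set of ACLs and a set of capability lists are two slicings of the same access matrix. The second ACL, for File2, is constructed so that RC's derived capability list matches the notes' example.

```python
# ACLs from the notes, plus one constructed ACL for File2 (an assumption).
ACL_FILE1 = "File1-RC:RW; Bishnu:RWX; Santosh:R"
ACL_FILE2 = "File2-RC:R; Bishnu:RW"
# Capability list from the notes.
CAP_RC = "RC-File1:RW; File2:R"


def parse_rights_list(text):
    """Parse 'Owner-Name:RW; Name:R' into (owner, {name: set of rights}).
    For an ACL the owner is the object; for a capability list it is the subject."""
    owner, _, body = text.partition("-")
    entries = {}
    for item in body.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _, rights = item.partition(":")
        entries[name.strip()] = set(rights.strip().upper())
    return owner.strip(), entries


def acl_allows(acl_text, subject, operation):
    """ACL check: look the subject up in the list attached to the object.
    A subject that is not listed gets nothing (default deny)."""
    _object, entries = parse_rights_list(acl_text)
    return operation.upper() in entries.get(subject, set())


def capability_allows(cap_text, obj, operation):
    """Capability check: look the object up in the list attached to the subject."""
    _subject, entries = parse_rights_list(cap_text)
    return operation.upper() in entries.get(obj, set())


def acls_to_capabilities(acl_texts):
    """Turn a set of ACLs (<object, {subject: rights}>) into capability lists
    (<subject, {object: rights}>): the same access matrix, sliced by subject."""
    caps = {}
    for acl_text in acl_texts:
        obj, entries = parse_rights_list(acl_text)
        for subject, rights in entries.items():
            caps.setdefault(subject, {})[obj] = rights
    return caps


def format_capability(subject, caps):
    """Render one subject's capability list in the notes' notation."""
    parts = ["%s:%s" % (obj, "".join(sorted(rights)))
             for obj, rights in sorted(caps[subject].items())]
    return "%s-%s" % (subject, "; ".join(parts))


if __name__ == "__main__":
    print("RC may write File1 (ACL):", acl_allows(ACL_FILE1, "RC", "W"))
    print("Santosh may write File1 (ACL):", acl_allows(ACL_FILE1, "Santosh", "W"))
    print("RC may read File2 (capability):", capability_allows(CAP_RC, "File2", "R"))
    caps = acls_to_capabilities([ACL_FILE1, ACL_FILE2])
    for subject in sorted(caps):
        print(format_capability(subject, caps))
```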
Antimalware Application: Antimalware (or anti-malware) is a type of software program designed to prevent, detect and remediate malware infection on individual computing devices and IT systems. Antimalware software protects against infection caused by many types of malware, including viruses, worms, Trojan horses etc. Antimalware software can be installed on an individual computing device, a gateway server or a dedicated network appliance. Example antimalware software tools are Avast Antivirus, Avira Antivirus, AVG Anti-Virus, Norton Antivirus and Kaspersky Antivirus.

Virus Dictionary Approach: In the virus dictionary approach, when the anti-virus software examines a file, it refers to a dictionary of known viruses that have been identified by the author of the anti-virus software. If a piece of code in the file matches any virus identified in the dictionary, then the antivirus software can either delete the file, quarantine it so that the file is inaccessible to other programs and its virus is unable to spread, or attempt to repair the file by removing the virus itself from the file.

Suspicious Behavior Approach: The suspicious behavior approach doesn't attempt to identify known viruses but instead monitors the behavior of all programs. If one program tries to write data to an executable program, for example, this is flagged as suspicious behavior and the user is alerted to this and asked what to do. The suspicious behavior approach therefore provides protection against brand new viruses that do not yet exist in any virus dictionary.
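The two approaches side by side, as an added example that is not part of the original notes. The signature dictionary, the file contents and the event log are all constructed placeholders (not real malware patterns); the point is that the "brand new" sample passes the dictionary scan but is still caught by the behaviour monitor.

```python
# Virus dictionary approach: byte patterns that identify known samples.
# Constructed placeholder signatures, not patterns from any real malware.
SIGNATURE_DICTIONARY = {
    "Demo.Dropper": b"\x90\x90DROP-DEMO",
    "Demo.Macro": b"AutoOpen(){demo}",
}

# Suspicious behaviour approach: file types that ordinary programs do not
# write into. Events are (program, operation, target) triples.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".com")


def dictionary_scan(file_bytes, dictionary=SIGNATURE_DICTIONARY):
    """Return the names of every dictionary entry whose pattern occurs in the file."""
    return sorted(name for name, pattern in dictionary.items() if pattern in file_bytes)


def dictionary_verdict(file_bytes, dictionary=SIGNATURE_DICTIONARY):
    """Of the three actions the notes list, quarantine on any match (it stops
    the spread without destroying the sample); otherwise report clean."""
    hits = dictionary_scan(file_bytes, dictionary)
    return ("quarantine", hits) if hits else ("clean", [])


def suspicious_events(events):
    """Flag writes into executables. Nothing here knows any particular
    virus, so a sample absent from every dictionary is still noticed; the
    flagged events are what the user would be alerted to and asked about."""
    return [ev for ev in events
            if ev[1] == "write" and ev[2].lower().endswith(EXECUTABLE_SUFFIXES)]


# Constructed samples: one file carrying a known pattern, one "brand new"
# sample with no signature yet, and a constructed event log.
KNOWN_SAMPLE = b"MZ...\x90\x90DROP-DEMO...padding"
UNKNOWN_SAMPLE = b"MZ...nothing the dictionary knows..."
EVENT_LOG = [
    ("editor.exe", "write", "C:\\Users\\rc\\notes.txt"),
    ("unknown.exe", "write", "C:\\Windows\\System32\\calc.exe"),
    ("unknown.exe", "read", "C:\\Windows\\System32\\kernel32.dll"),
]


if __name__ == "__main__":
    print("known sample:", dictionary_verdict(KNOWN_SAMPLE))
    print("unknown sample:", dictionary_verdict(UNKNOWN_SAMPLE))
    for event in suspicious_events(EVENT_LOG):
        print("suspicious behaviour, ask the user:", event)
```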