Lec-2: Cryptography & Network Security
Mr. Islahuddin Jalal
MS (Cyber Security) – UKM Malaysia
Research Title – 3C-CSIRT Model for Afghanistan
BAKHTAR UNIVERSITY ‫باخترپوهنتون‬ ‫د‬
Bakhtar University 1
Outline to be discussed today
• Case studies
• Security Needs and Objectives
• Exploiters
• Why Security is difficult to achieve?
• How Security became an issue?
• Threat Modeling
• Risk assessment
• How to get Secure?
• 3 Aspects of Security
• Points to remember
Case Study 1
• Read the following incident and try to find which security breach/breaches occurred, and
what can go wrong.
• "The U.S. Department of Energy (DOE) has confirmed a recent cyber incident that occurred at the end of July 2013 and resulted in the unauthorized disclosure of federal employee Personally Identifiable Information (PII). It is believed about 14,000 past and current DOE employees' PII may have been affected.
• The incident included the compromise of 14 servers and 20 workstations. The data that was exposed includes names, dates of birth, blood types, Social Security Numbers, other government-issued identification numbers, and contact information.
• At the time, officials blamed Chinese hackers, but two weeks later a group calling itself Parastoo (a common girl's name in Farsi) claimed they were behind the breach, posting data that was hacked from a DOE webserver."
• [http://www.csoonline.com/article/738230/u.s.-dept.-of-energy-reports-second-security-breach]
Case Study 2
• Read the following incident and try to find which security breach/breaches
occurred, and what can go wrong.
• "In early February, a hotel franchise management company that manages 168 hotels in 21 states suffered a data breach that exposed hundreds of guests’ debit and credit card information in 2013.
• White Lodging Services Corporation maintains hotel franchises for some of the top names in lodging such as Hilton, Marriott, Westin and Sheraton. Sources reported that the data breach centered mainly around the gift shops and restaurants within these hotels managed by White Lodging, not necessarily the front desk computers where guests pay for their rooms."
• [http://www.forbes.com/sites/moneybuilder/2015/01/13/the-big-data-breaches-of-2014/]
Findings from the case studies
• Hundreds of security breaches are occurring around us
• All companies, organizations and individuals need to be vigilant
• Security must be deployed at multiple levels
Security Needs and Objectives
• Authentication (who is the person, server, software etc.)
• Authorization (what is that person allowed to do)
• Privacy (controlling one’s personal information)
• Anonymity (remaining unidentified to others)
• Non-repudiation (user can’t deny having taken an action)
• Audit (having traces of actions in separate systems/places)
Safety vs. Security
• Safety is about protecting from accidental risks (road safety, air travel safety)
• Security is about mitigating risks of dangers caused by intentional, malicious actions (homeland security, airport and aircraft security, information and computer security)
• It is easier to protect against accidental than malicious misuse
One of the most time-consuming things is to have an enemy
(E.B. White)
Exploiters
• Hacker
• Cracker
• Intruder
• Attacker
The intention is destruction
The intention is not destruction
- Not ordinary people
- Evil genius
- Expert-level programmers
- Know the working and functionality of the system
- Don’t create risks or vulnerabilities, just exploit them
Threat
• Threat
• A possible danger that may exploit a vulnerability
• Vulnerability
• A weakness in the system which allows an attacker to reduce its usage.
• Attack
• Any action that compromises the security of information owned by an organization.
• An intelligent act
• Deliberate attempt (especially in the sense of a method or technique) to evade
security services and violate the security policy of a system.
• When something really happens and the computer system has been compromised
Why security is difficult to achieve?
• Attacker chooses
• Time
• Place
• Method
• Possible attacks
• Currently known attacks
• Yet to be discovered attacks
• Software/system security is difficult to measure
• Clients don’t demand security
• Clients can’t sue a vendor
• Physical access
How Security Became an Issue
• People and businesses depend greatly on computer technology and
automation in many different aspects of their lives.
• Examples:
• public utilities,
• military defense systems,
• financial institutions,
• medical equipment,
How Security Became an Issue
• With the increasing exposure to computing and processing, the
individuals who used computers learned more about using the
technology and getting the most out of it.
• However, the good things in life often have a darker side. Taking
technology down from the pedestal of the mainframe and putting it
into so many individuals’ hands led to a lot of issues that never had to
be dealt with in the mainframe days.
How Security Became an Issue
• Now there were thousands of people not versed and experienced in
computing who had much more access to important data and
processes.
• Barriers and protection mechanisms were not in place to protect
employees and systems from mistakes, so important data got
corrupted accidentally, and individual mistakes affected many other
systems instead of just one.
Threat Modeling
• A procedure for optimizing network security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system.
• What threats will the system face?
• What could go wrong?
• How could the system be attacked and by whom?
Risk Assessment
• How much to worry about them?
• Calculate or estimate potential loss and its likelihood
• Risk management
• Reduce both probability and consequences of a security breach
Threat Modeling and Risk Assessment
• Secure against what and from whom?
• Who will be using the application?
• What does the user (and the admin) care about?
• Where will the application run? (On a local system as Administrator/root? As an intranet application? As a web service available to the public? On a mobile phone?)
• What are you trying to protect and against whom?
What steps to take for Threat Modeling and Risk Assessment?
Steps to Take
• Evaluate
• Threats
• Risks
• Consequences
• Address the threats and mitigate the risks
100% security is not possible
Assignment #01
Write a Risk Assessment and Analysis Report on your organization.
Trade-off
• More Security = Higher Cost, Less convenience in functionality and
productivity
• Security measures should be as invisible as possible
• This means that it should not irritate users or slow down the software (too
much).
• Example: Forcing a password change every day.
• Users will find a workaround, or just stop using it.
• Note:
• It is better to choose a security level relevant to your needs
Testing Security
• Called Penetration Testing
• Proactive and authorized attempt to evaluate the security of an IT
infrastructure
• By safely attempting to exploit system vulnerabilities including
• OS
• Service
• Application flaws
• Improper configurations
• Risky end-user behaviour
How to get Secure?
• Three Aspects of Security
• Security Attack (any action that compromises security)
• Security Mechanism (a mechanism that is designed to detect, prevent, or recover from a security attack)
• Security Service (a service that enhances the security of data processing systems and information transfers; a security service makes use of one or more security mechanisms)
• Know your Enemy
• Types of attacks
• Typical tricks
• Commonly exploited vulnerabilities
Security Attacks
• Passive attacks: attacks on the network in the nature of eavesdropping on or monitoring of data transmission
– Aim to learn or make use of information from the system but do not affect system resources.
– Difficult to detect; measures are available to prevent their success.
• Active attacks: involve modification of the data in transmission or the creation of a false stream
– Attempt to alter system resources or affect their operation.
– Difficult to prevent; measures are available to detect them and recover from destruction.
9/24/2017 Bakhtar University 25
Security Threats
• Passive threats: release of message content, traffic analysis
• Active threats: masquerade, replay, modification of message content, DoS
[Figure: Active and passive security threats]
Passive attacks
• Release of message content:
• Contents of a message are read.
• A message may be carrying sensitive or confidential data.
• For example: A telephone conversation, email messages, or confidential
information
Passive attacks
• Traffic analysis:
• An intruder makes inferences by observing message patterns
• Can be done even if messages are encrypted
• Inferences: Location and identity of hosts
Active Attacks
• Masquerade: An entity pretends to be some other entity.
• Example: An entity captures an authentication sequence and replays it later
to impersonate the original entity
• Replay: Involves the passive capture of a data unit and its subsequent
retransmission to produce an unauthorized effect
• Modification: A portion of a legitimate message is altered to produce an undesirable effect
• Denial of service: Inhibits normal use of computer and
communications resources and facilities
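
An added example, not part of the original slides: one common way a receiver counters the masquerade, replay and modification attacks listed above is to require an HMAC over each message's payload, a random nonce and a timestamp. The shared key, field names and 30-second freshness window are assumptions chosen for illustration.

```python
import hashlib
import hmac
import json
import os
import time

MAX_SKEW_SECONDS = 30  # assumed freshness window for this example


def _tag(key, body):
    """HMAC-SHA256 over the fields an attacker must not be able to change."""
    covered = {k: body[k] for k in ("payload", "nonce", "ts")}
    data = json.dumps(covered, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def seal(key, payload, now=None):
    """Sender side: attach a random nonce, a timestamp and the HMAC tag."""
    body = {
        "payload": payload,
        "nonce": os.urandom(16).hex(),
        "ts": time.time() if now is None else now,
    }
    body["tag"] = _tag(key, body)
    return body


class Receiver:
    """Receiver side: verify integrity/origin, then freshness, then uniqueness."""

    def __init__(self, key):
        self.key = key
        self.seen = {}  # nonce -> timestamp of messages already accepted

    def accept(self, msg, now=None):
        now = time.time() if now is None else now
        try:
            expected = _tag(self.key, msg)
            tag = msg["tag"]
        except (KeyError, TypeError):
            return "rejected: malformed"
        # Constant-time comparison; fails for modified or forged messages.
        if not isinstance(tag, str) or not hmac.compare_digest(
            expected.encode(), tag.encode()
        ):
            return "rejected: bad tag (modified or forged)"
        # Freshness bounds how long a captured message stays usable.
        if abs(now - msg["ts"]) > MAX_SKEW_SECONDS:
            return "rejected: stale (outside freshness window)"
        # Nonces older than the window can be dropped: such messages are stale anyway.
        self.seen = {n: t for n, t in self.seen.items()
                     if now - t <= MAX_SKEW_SECONDS}
        if msg["nonce"] in self.seen:
            return "rejected: replay"
        self.seen[msg["nonce"]] = msg["ts"]
        return "accepted"


def demo():
    """Run constructed messages through the receiver and collect the verdicts."""
    key = b"constructed-demo-key-not-a-real-secret"
    rx = Receiver(key)
    t0 = 1_000_000.0  # constructed clock value
    msg = seal(key, {"action": "transfer", "amount": 100}, now=t0)

    results = {}
    results["original"] = rx.accept(msg, now=t0 + 1)
    # Replay: the same captured message is delivered a second time.
    results["replayed"] = rx.accept(dict(msg), now=t0 + 5)
    # Modification: payload altered in transit, tag left unchanged.
    tampered = dict(msg, payload={"action": "transfer", "amount": 9000},
                    nonce=os.urandom(16).hex())
    results["modified"] = rx.accept(tampered, now=t0 + 6)
    # Masquerade: a sender without the shared key cannot produce a valid tag.
    forged = seal(b"wrong-key", {"action": "transfer", "amount": 1}, now=t0 + 7)
    results["forged"] = rx.accept(forged, now=t0 + 7)
    # Late replay against a receiver with an empty nonce cache: the timestamp catches it.
    results["late replay"] = Receiver(key).accept(msg, now=t0 + 3600)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} -> {verdict}")
```

The tag gives integrity and origin authentication only; it does nothing against the passive attacks (release of message content, traffic analysis), which need encryption and traffic-shaping measures instead.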
Security Mechanisms
• In order to detect, prevent, or recover from these security attacks, we
use security mechanisms
• There is no single mechanism which will provide all the services or
perform all the functions mentioned
• A variety of mechanisms are used to detect and prevent certain
attacks, and to provide certain functions and services
Security Mechanisms
• Encryption
• Software Controls (access limitations in a database; in an operating system, protecting each user from other users)
• Hardware Controls (smart card)
• Policies (frequent changes of passwords)
• Physical Controls
• Information flowing over a secure communications channel, for example: Virtual Private Network (VPN)
Security Services
• Enhance security of data processing systems and
information transfers of an organization
• Intended to counter security attacks
• Using one or more security mechanisms
• Often replicates functions normally associated with
physical documents, for example:
• signatures, dates, protection from disclosure, tampering,
destruction; be notarized or witnessed; be recorded or
licensed
Security Services
• A classification of security services:
- Confidentiality (privacy)
- Authentication (who created or sent the data)
- Integrity (has not been altered)
- Non-repudiation (the order is final)
- Access control (prevent misuse of resources)
- Availability (permanence, non-erasure)
• Denial of Service Attacks, Virus that deletes files
Protection, Detection, Reaction
• An ounce of prevention is worth a pound of cure
Protection, Detection, Reaction
• Better to protect than to recover.
• Detection is necessary because total prevention is impossible to achieve.
• Without some kind of reaction, detection is useless.
• Like a burglar alarm that no one listens or responds to.
• Protection, detection, reaction: each of the three elements is very important.
• Security solutions focus too often on protection only.
Is a particular security measure good?
• What problem does it solve?
• Whether it really solves the problem you have.
• How well does it solve the problem?
• Will it work as expected?
• What new problems does it add?
• What are the economic and social costs?
• Cost of implementation, lost functionality or productivity.
• Given the above, is it worth the costs?
Points to Remember
• There is never a free lunch
• Don’t go for free software
• Free wallpapers
• Etc
• No one is going to give you anything free
Thank You
For Your Patience
Bakhtar University 39

Más contenido relacionado

La actualidad más candente

Introduction to Network Security
Introduction to Network SecurityIntroduction to Network Security
Introduction to Network Security
John Ely Masculino
 
2 Security And Internet Security
2 Security And Internet Security2 Security And Internet Security
2 Security And Internet Security
Ana Meskovska
 

La actualidad más candente (20)

Information cyber security
Information cyber securityInformation cyber security
Information cyber security
 
Security & control in management information system
Security & control in management information systemSecurity & control in management information system
Security & control in management information system
 
Data security
Data securityData security
Data security
 
Career Guidance on Cybersecurity by Mohammed Adam
Career Guidance on Cybersecurity by Mohammed AdamCareer Guidance on Cybersecurity by Mohammed Adam
Career Guidance on Cybersecurity by Mohammed Adam
 
06. security concept
06. security concept06. security concept
06. security concept
 
Introduction to Network Security
Introduction to Network SecurityIntroduction to Network Security
Introduction to Network Security
 
Securing information system
Securing information systemSecuring information system
Securing information system
 
Security tools
Security toolsSecurity tools
Security tools
 
Chapter 2 konsep dasar keamanan
Chapter 2 konsep dasar keamananChapter 2 konsep dasar keamanan
Chapter 2 konsep dasar keamanan
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security concepts
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 
Information security ist lecture
Information security ist lectureInformation security ist lecture
Information security ist lecture
 
2 Security And Internet Security
2 Security And Internet Security2 Security And Internet Security
2 Security And Internet Security
 
11 Computer Privacy
11 Computer Privacy11 Computer Privacy
11 Computer Privacy
 
Cybersecurity Training
Cybersecurity TrainingCybersecurity Training
Cybersecurity Training
 
Iss lecture 1
Iss lecture 1Iss lecture 1
Iss lecture 1
 
System Security Threats and Risks)
System Security Threats and Risks)System Security Threats and Risks)
System Security Threats and Risks)
 
Security Basics
Security BasicsSecurity Basics
Security Basics
 
Security Attacks in Stand-Alone Computer and Cloud Computing: An Analysis
Security Attacks in Stand-Alone Computer and Cloud Computing: An AnalysisSecurity Attacks in Stand-Alone Computer and Cloud Computing: An Analysis
Security Attacks in Stand-Alone Computer and Cloud Computing: An Analysis
 
Introduction To Computer Security
Introduction To Computer SecurityIntroduction To Computer Security
Introduction To Computer Security
 

Similar a Cryptography and Network Security # Lecture 2

Ch15 power point
Ch15 power pointCh15 power point
Ch15 power point
bodo-con
 
2. IntroductionYou are employed with Government Security Consu.docx
2. IntroductionYou are employed with Government Security Consu.docx2. IntroductionYou are employed with Government Security Consu.docx
2. IntroductionYou are employed with Government Security Consu.docx
standfordabbot
 
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptxColorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
AkramAlqadasi1
 

Similar a Cryptography and Network Security # Lecture 2 (20)

Cloud Security.pptx
Cloud Security.pptxCloud Security.pptx
Cloud Security.pptx
 
Information Technology Security Basics
Information Technology Security BasicsInformation Technology Security Basics
Information Technology Security Basics
 
SECURITY AND CONTROL
SECURITY AND CONTROLSECURITY AND CONTROL
SECURITY AND CONTROL
 
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
 
Vulenerability Management.pptx
Vulenerability Management.pptxVulenerability Management.pptx
Vulenerability Management.pptx
 
Unit 1.pptx
Unit 1.pptxUnit 1.pptx
Unit 1.pptx
 
Cyber-Security-Unit-1.pptx
Cyber-Security-Unit-1.pptxCyber-Security-Unit-1.pptx
Cyber-Security-Unit-1.pptx
 
First line of defense for cybersecurity : AI
First line of defense for cybersecurity : AIFirst line of defense for cybersecurity : AI
First line of defense for cybersecurity : AI
 
Webinar - Reducing the Risk of a Cyber Attack on Utilities
Webinar - Reducing the Risk of a Cyber Attack on UtilitiesWebinar - Reducing the Risk of a Cyber Attack on Utilities
Webinar - Reducing the Risk of a Cyber Attack on Utilities
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
CCNA_Security_01.ppt
CCNA_Security_01.pptCCNA_Security_01.ppt
CCNA_Security_01.ppt
 
Assessing System Risk the Smart Way
Assessing System Risk the Smart WayAssessing System Risk the Smart Way
Assessing System Risk the Smart Way
 
CCNA Security 02- fundamentals of network security
CCNA Security 02-  fundamentals of network securityCCNA Security 02-  fundamentals of network security
CCNA Security 02- fundamentals of network security
 
Symantec and ForeScout Delivering a Unified Cyber Security Solution
Symantec and ForeScout Delivering a Unified Cyber Security SolutionSymantec and ForeScout Delivering a Unified Cyber Security Solution
Symantec and ForeScout Delivering a Unified Cyber Security Solution
 
U nit 4
U nit 4U nit 4
U nit 4
 
Cyber Security vs.pdf
Cyber Security vs.pdfCyber Security vs.pdf
Cyber Security vs.pdf
 
Cyber security for business
Cyber security for businessCyber security for business
Cyber security for business
 
Ch15 power point
Ch15 power pointCh15 power point
Ch15 power point
 
2. IntroductionYou are employed with Government Security Consu.docx
2. IntroductionYou are employed with Government Security Consu.docx2. IntroductionYou are employed with Government Security Consu.docx
2. IntroductionYou are employed with Government Security Consu.docx
 
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptxColorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
 

Más de Kabul Education University

Más de Kabul Education University (20)

Cryptography and Network security # Lecture 8
Cryptography and Network security # Lecture 8Cryptography and Network security # Lecture 8
Cryptography and Network security # Lecture 8
 
ITIL # Lecture 9
ITIL # Lecture 9ITIL # Lecture 9
ITIL # Lecture 9
 
Cryptography and Network security # Lecture 7
Cryptography and Network security # Lecture 7Cryptography and Network security # Lecture 7
Cryptography and Network security # Lecture 7
 
ITIL # Lecture 8
ITIL # Lecture 8ITIL # Lecture 8
ITIL # Lecture 8
 
Cryptography and Network security # Lecture 6
Cryptography and Network security # Lecture 6Cryptography and Network security # Lecture 6
Cryptography and Network security # Lecture 6
 
ITIL # Lecture 7
ITIL # Lecture 7ITIL # Lecture 7
ITIL # Lecture 7
 
Cryptography and Network security # Lecture 5
Cryptography and Network security # Lecture 5Cryptography and Network security # Lecture 5
Cryptography and Network security # Lecture 5
 
Cyber Security # Lec 5
Cyber Security # Lec 5Cyber Security # Lec 5
Cyber Security # Lec 5
 
ITIL # Lecture 6
ITIL # Lecture 6ITIL # Lecture 6
ITIL # Lecture 6
 
Cyber Security # Lec 4
Cyber Security # Lec 4 Cyber Security # Lec 4
Cyber Security # Lec 4
 
ITIL # Lecture 5
ITIL # Lecture 5ITIL # Lecture 5
ITIL # Lecture 5
 
ITIL # Lecture 4
ITIL # Lecture 4ITIL # Lecture 4
ITIL # Lecture 4
 
Cryptography and Network security # Lecture 4
Cryptography and Network security # Lecture 4Cryptography and Network security # Lecture 4
Cryptography and Network security # Lecture 4
 
ITIL # Lecture 3
ITIL # Lecture 3ITIL # Lecture 3
ITIL # Lecture 3
 
ITIL # Lecture 2
ITIL # Lecture 2ITIL # Lecture 2
ITIL # Lecture 2
 
ITIL # Lecture 1
ITIL # Lecture 1ITIL # Lecture 1
ITIL # Lecture 1
 
Cyber security # Lec 1
Cyber security # Lec 1Cyber security # Lec 1
Cyber security # Lec 1
 
Searching and seizing Computer according to Afghanistan law
Searching and seizing Computer according to Afghanistan lawSearching and seizing Computer according to Afghanistan law
Searching and seizing Computer according to Afghanistan law
 
Lect 6 computer forensics
Lect 6 computer forensicsLect 6 computer forensics
Lect 6 computer forensics
 
Csc342 lec 7 network security des
Csc342  lec 7 network security desCsc342  lec 7 network security des
Csc342 lec 7 network security des
 

Último

Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
negromaestrong
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
QucHHunhnh
 

Último (20)

Third Battle of Panipat detailed notes.pptx
Third Battle of Panipat detailed notes.pptxThird Battle of Panipat detailed notes.pptx
Third Battle of Panipat detailed notes.pptx
 
psychiatric nursing HISTORY COLLECTION .docx
psychiatric  nursing HISTORY  COLLECTION  .docxpsychiatric  nursing HISTORY  COLLECTION  .docx
psychiatric nursing HISTORY COLLECTION .docx
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
Asian American Pacific Islander Month DDSD 2024.pptx
Asian American Pacific Islander Month DDSD 2024.pptxAsian American Pacific Islander Month DDSD 2024.pptx
Asian American Pacific Islander Month DDSD 2024.pptx
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Spatium Project Simulation student brief
Spatium Project Simulation student briefSpatium Project Simulation student brief
Spatium Project Simulation student brief
 
Magic bus Group work1and 2 (Team 3).pptx
Magic bus Group work1and 2 (Team 3).pptxMagic bus Group work1and 2 (Team 3).pptx
Magic bus Group work1and 2 (Team 3).pptx
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxSKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
 

Cryptography and Network Security # Lecture 2

  • 1. Lec-2: Cryptography &Network Security Mr. Islahuddin Jalal MS (Cyber Security) – UKM Malaysia Research Title – 3C-CSIRT Model for Afghanistan BAKHTAR UNIVERSITY ‫باخترپوهنتون‬ ‫د‬ Bakhtar University 1
  • 2. Outlines to be discussed…. Today • Case studies • Security Needs and Objectives • Exploiters • Why Security is difficult to achieve ? • How Security become an issue? • Threat Modeling • Risk assessment • How to get Secure? • 3 Aspects of Security • Points to remember Bakhtar University 2
  • 3. Case Study---1 • Read the following incident and try to find which security breach/breaches occurred, and what can go wrong. • "The U.S The Department of Energy (DOE) has confirmed a recent cyber incident that occurred at the end of July 2013 and resulted in the unauthorized disclosure of federal employee Personally Identifiable Information (PII). It is believed about 14,000 past and current DOE employees PII may have been affected, • The incident included the compromise of 14 servers and 20 workstations. The data that was exposed includes names, date of births, blood types, Social Security Numbers, other government-issued identification numbers, and contact information. • At the time, officials blamed Chinese hackers, but two weeks later a group calling itself Parastoo (a common girls name in Farsi) claimed they were behind the breach, posting data that was hacked from a DOE webserver. • [http://www.csoonline.com/article/738230/u.s.-dept.-of-energy-reports-second- security-breach] Bakhtar University 3
  • 4. Case Study --- 2 • Read the following incident and try to find which security breach/breaches occurred, and what can go wrong. • "In early February, a hotel franchise management company that manages 168 hotels in 21 states suffered a data breach that exposed hundreds of guests’ debit and credit cards information in 2013. • White Lodging Services Corporation maintains hotel franchises for some of the top names in lodging such as Hilton, Marriott, Westin and Sheraton. Sources reported that the data breach centered mainly around the gift shops and restaurants within these hotels managed by White Lodging, not necessarily the front desk computers where guests pay for their rooms”. • [http://www.forbes.com/sites/moneybuilder/2015/01/13/the-big-data- breaches-of-2014/] Bakhtar University 4
  • 5. Finding about the case studies • Hundreds of security breaches occurring around us • All • Companies • Organizations • Individuals needs • Security Must be deployed at multiple levels To be vigilant Bakhtar University 5
  • 6. Security Needs and Objectives • Authentication (who is the person, server, software etc.) • Authorization (what is that person allowed to do) • Privacy (controlling one’s personal information) • Anonymity (remaining unidentified to others) • Non-repudiation (user can’t deny having taken an action) • Audit (having traces of actions in separate systems/places) Bakhtar University 6
  • 7. Safety VS Security • Safety: is about protecting from • accidental risks, • road safety, • air travel safety • Security: is about mitigating risks of • dangers, • caused by intentional, • malicious actions, • homeland security, • airport and aircraft security, • information and computer security, • Easier to protect against accidental than malicious misuse Bakhtar University 7
  • 8. One of the most time consuming thing is to have an enemy (E.B. White) Bakhtar University 8
  • 9. Exploiters • Hacker • Cracker • Intruder • Attacker The Intention is destruction The intention is not destruction -Not Ordinary people -Evil-genius -Expert level programmers -Know working and functionality of the system -Don’t create risks or vulnerability, just exploiting it Bakhtar University 9
  • 10. Threat • Threat • A possible danger that may exploit a vulnerability • Vulnerability • A weakness in the system which allows an attacker to reduce it usage. • Attack • Any action that compromises the security of information owned by an organization. • An intelligent act • Deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system. • When something really happen and the computer system has been compromised Bakhtar University 10
  • 11. Why Security is difficult to achieve? Bakhtar University 11
  • 12. Why security is difficult to achieve? • Attacker chooses • Time • Place • Method • Possible attacks • Currently known attacks • Yet to be discovered attacks • Software /system security is difficult to measure • Client’s don’t demand security • Client’s can’t sue a vendor • Physical access Bakhtar University 12
  • 13. How Security Became an Issue • People and businesses depend greatly on computer technology and automation in many different aspects of their lives. • Examples: • public utilities, • military defense systems, • financial institutions, • medical equipment
  • 14. How Security Became an Issue • With the increasing exposure to computing and processing, the individuals who used computers learned more about using the technology and getting the most out of it. • However, the good things in life often have a darker side. Taking technology down from the pedestal of the mainframe and putting it into so many individuals’ hands led to a lot of issues that never had to be dealt with in the mainframe days.
  • 15. How Security Became an Issue • Now there were thousands of people not versed and experienced in computing who had much more access to important data and processes. • Barriers and protection mechanisms were not in place to protect employees and systems from mistakes, so important data got corrupted accidentally, and individual mistakes affected many other systems instead of just one.
  • 16. Threat Modeling • A procedure for optimizing network security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system. • What threats will the system face? • What could go wrong? • How could the system be attacked and by whom?
  • 17. Risk Assessment • How much to worry about them? • Calculate or estimate potential loss and its likelihood • Risk management • Reduce both probability and consequences of a security breach
  • 18. Threat Modeling and Risk Assessment • Secure against what and from whom? • Who will be using the application? • What does the user (and the admin) care about? • Where will the application run? (On a local system as Administrator/root? An intranet application? As a web service available to the public? On a mobile phone?) • What are you trying to protect and against whom?
  • 19. What steps to take for Threat Modeling and Risk Assessment?
  • 20. Steps to Take • Evaluate • Threat • Risks • Consequences • Address the threats and mitigate the risks • 100% security is not possible
  • 21. Assignment#01 • Write a Risk Assessment and Analysis Report on your organization.
  • 22. Trade-off • More Security = Higher Cost, Less convenience in functionality and productivity • Security measures should be as invisible as possible • This means that they should not irritate users or slow down the software (too much). • Example: Forcing a password change every day. • Users will find a workaround, or just stop using it. • Note: • It is better to choose a security level relevant to your needs
  • 23. Testing Security • Called Penetration Testing • Proactive and authorized attempt to evaluate the security of an IT infrastructure • By safely attempting to exploit system vulnerabilities including • OS • Service • Application flaws • Improper configurations • Risky end-user behaviour
  • 24. How to get Secure? • Three Aspects of Security • Security Attack (any action that compromises the security) • Security Mechanism (a mechanism that is designed to detect, prevent, or recover from a security attack) • Security Service (a service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms) • Know your Enemy • Types of attacks • Typical tricks • Commonly exploited vulnerabilities
  • 25. Security Attacks • Passive attacks: An attack on the network in the nature of eavesdropping on or monitoring of the transmission of data – Aims to learn or make use of information from the system but does not affect system resources. – Difficult to detect, but measures are available to prevent their success. • Active attacks: These involve modification of the data in transmission or the creation of a false stream. – Attempt to alter system resources or affect their operation – Difficult to prevent, but measures are available to detect them and recover from the destruction
  • 26. Security Threats • Passive threats: Release of message content, Traffic analysis • Active threats: Masquerade, Replay, Modification of message content, DoS • Figure: Active and passive security threats
  • 27. Passive attacks • Release of message content: • The contents of a message are read. • A message may be carrying sensitive or confidential data. • For example: A telephone conversation, email messages, or confidential information
  • 28. Passive attacks • Traffic analysis: • An intruder makes inferences by observing message patterns • Can be done even if messages are encrypted • Inferences: Location and identity of hosts
  • 29. Active Attacks • Masquerade: An entity pretends to be some other entity. • Example: An entity captures an authentication sequence and replays it later to impersonate the original entity • Replay: Involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect • Modification: A portion of a legitimate message is altered to produce an undesirable effect • Denial of service: Inhibits normal use of computer and communications resources and facilities
  • 30. Security Mechanisms • In order to detect, prevent, or recover from these security attacks, we use security mechanisms • There is no single mechanism which will provide all the services or perform all the functions mentioned • A variety of mechanisms are used to detect and prevent certain attacks, and to provide certain functions and services
  • 31. Security Mechanisms • Encryption • Software Controls (access limitations in a database; in an operating system, protecting each user from other users) • Hardware Controls (smart card) • Policies (frequent changes of passwords) • Physical Controls • Information flowing over a secure communications channel, for example: Virtual Private Network (VPN)
  • 33. Security Services • Enhance security of data processing systems and information transfers of an organization • Intended to counter security attacks • Using one or more security mechanisms • Often replicate functions normally associated with physical documents, for example: • signatures, dates, protection from disclosure, tampering, destruction; be notarized or witnessed; be recorded or licensed
  • 34. Security Services • A classification of security services: - Confidentiality (privacy) - Authentication (who created or sent the data) - Integrity (has not been altered) - Non-repudiation (the order is final) - Access control (prevent misuse of resources) - Availability (permanence, non-erasure) • Denial of Service Attacks, Virus that deletes files
  • 35. Protection, Detection, Reaction • An ounce of Prevention is worth a pound of Cure
  • 36. Protection, Detection, Reaction • Better to protect than to recover. • Detection is necessary because total prevention is impossible to achieve. • Without some kind of reaction, detection is useless. • Like a burglar alarm that no one listens to or responds to. • Protection, detection, reaction: each of the three elements is very important. • Security solutions focus too often on protection only.
  • 37. Is a particular security measure good? • What problem does it solve? • Whether it really solves the problem you have. • How well does it solve the problem? • Will it work as expected? • What new problems does it add? • What are the economic and social costs? • Cost of implementation, lost functionality or productivity. • Given the above, is it worth the costs?
  • 38. Points to Remember • There is never a free lunch • Don’t go for free software • Free wallpapers • Etc. • No one is going to give you anything free
  • 39. Thank You For Your Patience
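
The active attacks on slide 29 (masquerade, replay, modification) and the authentication and integrity services on slide 34 can be shown in one receiver-side check. The Python code below is an added example, not part of the original slides; the message layout, the 30-second freshness window and the names `seal`, `Receiver` and `demo` are assumptions made for illustration.

```python
import hashlib, hmac, json, os

MAX_SKEW = 30  # seconds a message stays acceptable (assumed policy value)

def _tag(key: bytes, msg: dict) -> str:
    # The MAC covers sender, body, timestamp and nonce, so none can be altered.
    fields = {k: msg[k] for k in ("sender", "body", "ts", "nonce")}
    data = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def seal(key: bytes, sender: str, body: str, now: float) -> dict:
    """Sender side: add a fresh nonce and timestamp, then an HMAC-SHA256 tag."""
    msg = {"sender": sender, "body": body, "ts": now, "nonce": os.urandom(16).hex()}
    msg["tag"] = _tag(key, msg)
    return msg

class Receiver:
    def __init__(self, keys: dict):
        self.keys = keys   # sender name -> shared secret key
        self.seen = {}     # nonce -> timestamp of messages already accepted

    def accept(self, msg: dict, now: float) -> str:
        key = self.keys.get(msg.get("sender"))
        if key is None or not all(k in msg for k in ("body", "ts", "nonce", "tag")):
            return "reject: malformed or unknown sender"
        # Authentication + integrity: only a key holder can produce the tag.
        if not hmac.compare_digest(_tag(key, msg).encode(), str(msg["tag"]).encode()):
            return "reject: bad tag"
        # Freshness: an old capture is refused even after its nonce is forgotten.
        if abs(now - msg["ts"]) > MAX_SKEW:
            return "reject: stale"
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        if msg["nonce"] in self.seen:
            return "reject: replay"
        self.seen[msg["nonce"]] = msg["ts"]
        return "accept"

def demo() -> dict:
    key = os.urandom(32)  # constructed shared key for the example
    rx = Receiver({"alice": key})
    m = seal(key, "alice", "pay bob 100", now=1000.0)  # constructed message
    forged = seal(os.urandom(32), "alice", "pay eve 900", now=1002.0)
    return {
        "original": rx.accept(m, now=1001.0),
        "replay": rx.accept(m, now=1002.0),
        "modified": rx.accept(dict(m, body="pay eve 900"), now=1002.0),
        "masquerade": rx.accept(forged, now=1002.0),
        "late replay": rx.accept(m, now=2000.0),
    }
```

Because sender and receiver share the same key, this mechanism provides authentication and integrity but not non-repudiation, which needs a digital signature.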

Editor's notes

  1. http://www.coresecurity.com/penetration-testing-overview#sthash.B23EFh9Z.dpuf
  2. Proposed by: Bruce Schneier