
Introduction to Security Concepts

The document provides an introduction to security concepts, focusing on computer security, network protocols, and various types of attacks and vulnerabilities. It outlines key definitions, historical context, and essential security principles such as confidentiality, integrity, and availability. Additionally, it discusses countermeasures and security services necessary to protect against threats and ensure data protection.

Chapter 1

Introduction to Security Concepts
Outline
Networking Vs. Security
Network protocols and TCP/IP
Different Attacks
Malicious Codes
Basic security terms
Authentication Mechanisms

2
Definitions
 Security: “the quality or state of being free from danger” or “measures taken to guard against espionage, sabotage, crime, attack, or escape.”
 Computer Security: “the prevention and protection of computers from unauthorized access, use, alteration, degradation, destruction, and other threats.”
3
Definitions
 Attack/threat: any activity that aims to gain access to computers for malicious purposes.
 Vulnerability/security hole: a state that can be exploited for such an attack.
 Privacy: the right of the individual to be protected against intrusion into his personal life or affairs, or those of his family, by direct physical means or by publication of information.
4
Definitions
Assets
◦ Things we might want to protect:
 Hardware
 Software
 Data

5
Network Protocol & Security
 Network protocols are a set of rules and conventions that govern how data is transmitted and received over a network.
 These protocols define:
◦ format of data packets,
◦ error handling,
◦ addressing, and other aspects of network communication.

6
TCP/IP Protocol Suite
 It is the foundation of modern networking.
 It consists of several layers, each with its own set of protocols.
1. Application Layer: includes protocols like HTTP, FTP, SMTP, and DNS. It deals with application-level data and user interactions.
2. Transport Layer: responsible for end-to-end communication. It includes TCP for reliable, connection-oriented communication and UDP for connectionless communication.
3. Internet Layer: primarily governed by IP. It is responsible for routing and addressing data packets to their destination across networks.
4. Link Layer: includes protocols for the physical and data link layers of network communication. Ethernet and Wi-Fi are examples of link layer technologies.
7
Cont.…
 TCP/IP communication involves data encapsulation, where data is wrapped in various headers and trailers as it moves down the protocol stack and is unwrapped as it moves up.
 Each layer adds its own header, addressing information, and control data.
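The encapsulation just described, as an added example (not code from the slides): an HTTP request is wrapped in a TCP header, then an IPv4 header, then an Ethernet header, and unwrapped again with every checksum verified. Addresses, ports and the payload are constructed sample values.

```python
import socket
import struct

# Constructed sample values for this example (not from the slides).
SRC_IP, DST_IP = "10.0.0.1", "10.0.0.2"
SRC_MAC, DST_MAC = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02"
PAYLOAD = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"   # application-layer data

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; returns 0 for a block that already
    carries a valid checksum, which is how the receiver verifies it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_tcp(src_port, dst_port, payload, seq=1, flags=0x18):
    """Transport layer: 20-byte TCP header (ports, sequence number, flags) in front of the payload.
    The TCP checksum also covers a pseudo-header with the IP addresses, tying the segment to its packet."""
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0, 5 << 4, flags, 65535, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(SRC_IP), socket.inet_aton(DST_IP),
                         0, socket.IPPROTO_TCP, len(hdr) + len(payload))
    csum = checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def build_ipv4(segment, ttl=64):
    """Internet layer: 20-byte IPv4 header (addresses, TTL, protocol) with its own header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000, ttl,
                      socket.IPPROTO_TCP, 0, socket.inet_aton(SRC_IP), socket.inet_aton(DST_IP))
    csum = checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + segment

def build_ethernet(packet):
    """Link layer: 14-byte Ethernet II header (destination MAC, source MAC, EtherType 0x0800 = IPv4)."""
    return DST_MAC + SRC_MAC + struct.pack("!H", 0x0800) + packet

def build_frame(payload=PAYLOAD):
    """Walk down the stack: application data -> TCP segment -> IPv4 packet -> Ethernet frame."""
    return build_ethernet(build_ipv4(build_tcp(40000, 80, payload)))

def decapsulate(frame):
    """Walk back up the stack: strip one header per layer, verifying each checksum on the way."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    segment = packet[ihl:total_len]
    pseudo = struct.pack("!4s4sBBH", packet[12:16], packet[16:20], 0, packet[9], len(segment))
    if checksum(pseudo + segment) != 0:
        raise ValueError("bad TCP checksum")
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    data_offset = (segment[12] >> 4) * 4
    return {"src_ip": socket.inet_ntoa(packet[12:16]), "dst_ip": socket.inet_ntoa(packet[16:20]),
            "src_port": src_port, "dst_port": dst_port, "payload": segment[data_offset:]}

if __name__ == "__main__":
    frame = build_frame()
    print(len(frame), "bytes on the wire;", decapsulate(frame))
```

Note that the checksums only detect accidental corruption; an on-path attacker who changes a byte simply recomputes them, which is why the countermeasures below rely on TLS rather than on the layer checksums.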

8
Cont.…
 Physical Layer Attack: wiretapping or eavesdropping on physical communication channels.
◦ Countermeasure: use secure physical cabling and encryption technologies, like VPNs or TLS/SSL, for higher-layer data protection.
 Data Link Layer Attack: MAC address spoofing, ARP poisoning, or VLAN hopping.
◦ Countermeasure: implement port security, use MAC address filtering, employ ARP inspection, and configure VLAN ACLs (Access Control Lists).

9
Cont.…
 Network Layer (IP Layer) Attack: IP spoofing, DDoS attacks, or routing attacks.
◦ Countermeasure: implement packet filtering, use Access Control Lists (ACLs), and deploy intrusion detection and prevention systems (IDPS) to mitigate DDoS attacks.
 Transport Layer Attack: Man-in-the-Middle (MitM) attacks, session hijacking, and SYN flooding.
◦ Countermeasure: use Transport Layer Security (TLS) for encryption, employ firewalls and intrusion detection systems, and implement SYN/ACK cookies to prevent SYN flooding.

10
Cont.…
 Application Layer Attack: SQL injection, Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF).
◦ Countermeasure: input validation, output encoding, and parameterized queries to mitigate SQL injection; implement security headers and input validation to prevent XSS and CSRF attacks.
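The three application-layer countermeasures named above (input validation, output encoding, parameterized queries), as an added example that is not from the slides: a login query built by string concatenation beside its parameterized form, an allowlist check for usernames, and HTML escaping for output. The user table is constructed in memory for the demonstration.

```python
import html
import re
import sqlite3

# Allowlist: what a username is permitted to look like (constructed policy for the example).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def make_db():
    """Constructed in-memory user table for the example (not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, name, password):
    """Vulnerable form: input is spliced into the SQL text, so quotes in the input
    change the grammar of the statement instead of staying data."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql)]

def login_parameterized(conn, name, password):
    """Hardened form: placeholders are bound by the driver, so the input can never
    become part of the statement, whatever characters it contains."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]

def validate_username(name):
    """Input validation: reject anything outside the allowlist before it reaches any query."""
    return bool(USERNAME_RE.fullmatch(name))

def render_greeting(name):
    """Output encoding: escape user-controlled text before placing it in HTML,
    so markup in the name is displayed as text rather than interpreted by the browser."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"

if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"   # the classic test string; quotes are the whole problem
    print("concatenated:", login_vulnerable(db, "alice", probe))
    print("parameterized:", login_parameterized(db, "alice", probe))
    print(render_greeting("<b>alice</b>"))
```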

11
History
 Until the 1960s computer security was limited to physical protection of computers.
 The late 1960s and 1970s
◦ Evolutions
 Computers became interactive
 Multiuser/multiprogramming & networking was invented
 More and more data started to be stored in computer databases
◦ Organizations and individuals started to worry about
 What the other persons using computers are doing to their data
 What is happening to their private data stored in large databases
◦ Remote access of data was possible, opening up new possibilities for abuse.
12
History
 Computer security was almost non-existent before the 1980s (besides physical protection).
 In the 1980s and 1990s
◦ Evolution
 Personal computers were popularized
 LANs and the Internet invaded the world
 Applications such as E-commerce, E-government and E-health started to develop
 Viruses became major threats
◦ Organizations/individuals started to worry about
 Who has access to their computers and data
 Whether they can trust a mail, a website, etc.
 Whether their privacy is protected in the connected world

13
History
 In the 2000s
◦ Computers became smaller
◦ Computers became part of our life
◦ Security became a global concern.
 In the past, computer security violations, such as viruses, were caused by hackers (young adults who did this for fun).
 Today, attacks on computers are planned and funded by organized criminals and may be devastating.
14
History: Famous security problems

• Morris worm – Internet Worm
• November 2, 1988 a worm attacked more than 60,000 computers around the USA
• Robert Morris became the first person to be charged under the Computer Fraud and Abuse Act of 1986
• He was sentenced to three years of probation, 400 hours of community service and a fine of some $10,000
• He is currently an associate professor at the Massachusetts Institute of Technology

15
History: Famous security
problems…
• NASA shutdown
• In 1990, an Australian computer science student was charged for shutting down NASA’s computer system for 24 hours
• Airline computers
• In 1998, a major travel agency discovered that someone had penetrated its ticketing system and printed airline tickets illegally
• Bank theft
• In 1984, a bank manager was able to steal $25 million through un-audited computer transactions
16
History: Famous security problems…

 In 2010, WikiLeaks
◦ began releasing classified cables that had been sent to the U.S. State Department by 274 of its consulates, embassies, and diplomatic missions around the world, dated between December 1966 and February 2010;
◦ the cables contain diplomatic analysis from world leaders, and the diplomats' assessment of host countries and their officials.
17
Activity
 Why does the problem of computer security exist?
 Why are computers so vulnerable to attacks and so easy to damage?

18
Limitations
 Lack of intelligence (computers can’t think).
 It is easier to break computer security than to build fully secured computers.
◦ only one weakness is enough to launch an attack
 Operating systems: many different levels between the hardware and the GUI (room for hidden malicious software).
◦ “Easy to use, easy to misuse!”
 The Internet and its protocols: important Internet protocols were developed in the 1970s and 1980s, before Internet security became a global concern.
19
Basic concepts

 Key objectives that are at the heart of computer security (C-I-A)
 Confidentiality: data is confidential if it stays obscure to all but those authorized to use it.
 Integrity: data has integrity as long as it remains identical to its state when the last authorized user finished with it.
 Availability: data is available when it is accessible by authorized users in a convenient format and within a reasonable time.
20
Basic concepts…
A computing system is said to be
secure if it has all three properties:
◦ Confidentiality
 Access to systems or data is limited to
authorized parties
◦ Integrity
 When you ask for data, you get the “right”
data
◦ Availability
 The system or data is there when you
want it
21
Basic concepts…
Supplements to CIA:
Authentication
◦ How do I know it's really you?
Authorization
◦ Now that you are here, what are you
allowed to do?
Accountability
◦ Who did what, and, perhaps, who pays
the bill?

22
Basic concepts…
Privacy
◦ “informational self-determination”
◦ This means that you get to control
information about you
◦ “Control” means many things:
 Who gets to see it
 Who gets to use it
 What they can use it for
 Who they can give it to

23
Basic concepts…
Vulnerabilities, threats & countermeasures
 A vulnerability is a point where a system is susceptible to attack.
 A threat is a possible danger to the system.
◦ It might be a person (a cracker or a spy),
◦ a thing (a faulty piece of equipment),
◦ or an event (a fire or a flood) that might exploit a vulnerability of the system.
 Countermeasures are techniques for protecting your system.
24
Vulnerabilities

 Physical vulnerabilities
◦ break into your server room, device theft, stealing backup media and printouts
◦ Countermeasures: locks, guards, surveillance cameras, burglar alarms
 Natural vulnerabilities
◦ vulnerable to natural disasters and to environmental threats, power loss
◦ Natural disasters: fire, flood, earthquakes, lightning
◦ Environmental threats: dust, humidity, and uneven temperature conditions
◦ Countermeasures: air conditioning and heating systems, UPS
25
Vulnerabilities…

 Hardware and software vulnerabilities
◦ protection feature failures lead to open security holes
◦ open some "locked" systems by introducing extra hardware
◦ software failures: antivirus, firewall failures
 Media vulnerabilities
◦ can be stolen, damaged by dust or electromagnetic fields
◦ keep backup tapes and removable disks clean and dry
26
Vulnerabilities…

 Communication vulnerabilities
◦ wires can be tapped, physically damaged, EMI
◦ fiber optics
 Human vulnerabilities
◦ the greatest vulnerability of all
◦ employees, contractors
◦ choose employees carefully
27
Consequences…
 Failure/end of service
 Reduction of QoS, down to Denial of Service (DoS)
 Internal problems in the enterprise
 Trust decrease from partners (clients, providers, share-holders)
 Technology leakage
 Human consequences (personal data, sensitive data - medical, insurance, …)

28
Threats
 Threats fall into three main categories based on the source: natural, unintentional, and intentional.
 Natural: fires, floods, power failures, and other disasters
◦ fire alarms, temperature gauges, and surge protectors
◦ backing up critical data off-site
 Unintentional threats: deleting a file, changing security passwords
◦ training, security procedures and policies

29
Threats…
 Intentional threats: outsiders and insiders
 Outsiders may penetrate systems in a variety of ways:
◦ simple break-ins of buildings and computer rooms;
◦ disguised entry as maintenance personnel;
◦ anonymous, electronic entry through modems and network connections;
◦ and bribery or coercion of inside personnel.
 Although most security mechanisms protect best against outside intruders, surveys indicate that most attacks are by insiders.

30
Threats…
 Estimates are that as many as 80 percent of system penetrations are by fully authorized users who abuse their access privileges to perform unauthorized functions.
◦ "The enemy is already in, we hired them.”
 Insiders are sometimes referred to as living Trojan horses.
 There are a number of different types of insiders.
◦ A fired or disgruntled employee might be trying to take revenge; an employee might have been blackmailed or bribed by foreign or corporate enemy agents.
31
Threats…

◦ A greedy employee might use her inside knowledge to divert corporate or customer funds for personal benefit.
◦ An insider might be an operator, a systems programmer, or even a casual user who is willing to share a password.
 Don't forget, one of the most dangerous insiders may simply be lazy or untrained.
◦ He doesn't bother changing passwords,
◦ doesn't learn how to encrypt email messages and other files,
◦ leaves sensitive printouts in piles on desks and floors, and ignores the paper shredder when disposing of documents.
32
Security Attacks
 Any action that compromises the security of information owned by an organization.
 Classification of security attacks
◦ passive attacks and active attacks.
 A passive attack attempts to learn or make use of information from the system but does not affect system resources.
 An active attack attempts to alter system resources or affect their operation.

33
Security attacks

The four attack categories, shown in the original as diagrams against the normal flow of information from source to destination:
◦ Normal flow of information
◦ Interruption
◦ Interception
◦ Modification
◦ Fabrication

34
Countermeasures

Authentication
Password, cards, biometrics
Encryption
Auditing
Administrative procedures
Standards
Physical security
Laws
Backups

35
Control
◦ Removing or reducing a vulnerability
◦ You control a vulnerability to prevent
an attack and block a threat.

36
Security services
AUTHENTICATION
◦ The assurance that the communicating
entity is the one that it claims to be
ACCESS CONTROL
◦ The prevention of unauthorized use of a
resource (i.e., this service controls who can
have access to a resource, under what
conditions access can occur, and what
those accessing the resource are allowed to
do).
DATA CONFIDENTIALITY
◦ The protection of data from unauthorized
disclosure.
37
Security services…
DATA INTEGRITY
◦ The assurance that data received are
exactly as sent by an authorized entity
(i.e., contain no modification, insertion,
deletion, or replay).
NONREPUDIATION
◦ Provides protection against denial by
one of the entities involved in a
communication of having participated
in all or part of the communication.

38
Goals of security
 Prevention: means that an attack will fail.
◦ E.g., passwords (prevent unauthorized users from accessing the system).
 Detection: is most useful when an attack cannot be prevented, but it can also indicate the effectiveness of preventative measures.
◦ Detection mechanisms accept that an attack will occur;
◦ they determine that an attack is underway, or has occurred, and report it.
◦ The attack may be monitored, however, to
39
Goals…
 Recovery: requires resumption of correct operation.
◦ It has two forms.
 The first is to stop an attack and to assess and repair any damage caused by that attack.
◦ E.g., if the attacker deletes a file, recovery restores the file from backup tapes.
◦ The attacker may return, so recovery involves identification and fixing of the vulnerabilities used by the attacker to enter the system.
40
Goals
 In a second form of recovery, the system continues to function correctly while an attack is underway.
◦ fault tolerance.
 It differs from the first form of recovery, because at no point does the system function incorrectly.
 However, the system may disable nonessential functionality.

41
Malicious Software

42
What is Malicious Software
 Software deliberately designed to harm computer systems.
 A malicious software program causes undesired actions in information systems.
 Spreads from one system to another through:
◦ E-mail (through attachments)
◦ Infected disks
◦ Downloading / exchanging of corrupted files
◦ Embedded into computer games

43
Malicious Software -
Categories

Malicious software (categories, shown as a tree in the original):
◦ Viruses
 Boot viruses
 File viruses
◦ Trojan Horse
 Time bomb
 Logic bomb
◦ Rabbit
◦ Hoaxes
◦ Spyware
◦ Trapdoor
◦ Worms

44
Types of Malicious Software
 Virus: a program that spreads to other software in the system, i.e., a program that incorporates copies of itself into other programs.
 Viruses are programs that spread malicious code to other programs by modifying them.
Two major categories of viruses:
1. Boot sector virus: infects the boot sector of systems; activates while booting the machine.
2. File virus: infects program files; activates when program is
45
 Rabbit: this malicious software replicates itself without limits.
 Depletes some or all of the system’s resources.
 Re-attacks the infected systems – difficult recovery.
 Exhausts all the system’s resources such as CPU time, memory, disk space.
 Depletion of resources thus denies users access to those resources.

46
 Hoaxes: false alerts of spreading viruses.
 e.g., sending chain letters.
 The message seems important to the recipient, who forwards it to other users – it becomes a chain.
 Exchanging a large number of messages (in the chain) floods the network resources – bandwidth wastage.
 Blocks the systems on the network – access denied due to heavy network traffic.

47
 Trojan Horse: a malicious program with unexpected additional functionality.
 It includes harmful features of which the user is not aware.
 Performs a different function than what it is advertised to do (some malicious action, e.g., stealing passwords).
 Neither self-replicating nor self-propagating.
 User assistance required for infection.
 Infects when the user installs and executes infected programs.
 Some types of Trojan horses include Remote Access Trojans (RAT), Key Loggers, Password-Stealers (PSW), and logic bombs.
48
 Transmitting medium:
1. spam or email
2. a downloaded file
3. a disk from an untrusted source
4. a legitimate program with the Trojan inside.
 The Trojan looks for your personal information and sends it to the Trojan writer (hacker).
 It can also allow the hacker to take full control of your system.

49
 Spyware : is unwanted software that
infiltrates your computing device, stealing your
internet usage data and sensitive information.
 Spyware programs explore the files in an
information system.
 Information forwarded to an address specified
in Spyware.
 Spyware can also be used for investigation of
software users or preparation of an attack.

50
 Trapdoor: a secret, undocumented entry point to the program.
 An example of such a feature is the so-called back door, which enables intrusion into the target by bypassing user authentication methods.
 A hole in the security of a system deliberately left in place by designers or maintainers.
 A trapdoor allows unauthorized access to the system.
 The only purpose of a trap door is to "bypass" internal controls.
 It is up to the attacker to determine how this circumvention of control can be utilized for his benefit.
51
 Worms: a worm is a program that spreads copies of itself through a network.
 Does irrecoverable damage to the computer system.
 Stand-alone program, spreads only through the network.
 Also performs various malicious activities other than spreading itself to different systems, e.g., deleting files.
 Attacks of worms:
1. Deleting files and other malicious actions on systems.
2. Communicating information back to the attacker, e.g., passwords, other proprietary information.
3. Disrupting normal operation of the system, thus a denial of service attack (DoS).
4. Worms may carry viruses with them.
52
Means of spreading infection by worms:
 Infects one system, gains access to trusted host lists on the infected system and spreads to other hosts.
 Another method of infection is penetrating a system by guessing passwords.
 By exploiting widely known security holes, in case password guessing and trusted host access fail.

53
VIRUSES – More Description

Desirable properties of viruses:
 The virus program should be hard to detect by anti-virus software.
 Viruses should be hard to destroy or deactivate.
 Spread infection widely.
 Should be easy to create.
 Be able to re-infect.
 Should be machine / platform independent, so that it can spread on different hosts.
54
Detecting virus infected files/programs:
 A virus-infected file changes – gets bigger.
 Modification detection by checksum
55
Places where viruses live :
 Boot sector
 Memory
 Disk – Applications and data stored on disk.
 Libraries – stored procedures and classes.
 Compiler
 Debugger
 Virus checking program infected by virus –
unable to detect that particular virus
signature.

56
Effect of Virus attack on computer
system
 Virus may affect user’s data in memory –
overwriting.
 Virus may affect user’s program –
overwriting.
 Virus may also overwrite system’s data or
programs – corrupting it – disrupts normal
operation of system.
 “Smashing the Stack” – Buffer overflow
due to execution of program directed to
virus code.
57
Preventing infection by malicious software:
 Use only trusted software, not pirated software.
 Test all new software on an isolated computer system.
 Regularly take backups of the programs.
 Use anti-virus software to detect and remove viruses.
 Update the virus database frequently to get new virus signatures.
 Install firewall software, which hampers or prevents the functionality of worms and Trojan horses.
 Make sure that e-mail attachments are secure.
58
Questions?

59
Assignment 1: Virus writing
Study malicious program (virus) writing tutorials and create a simple malicious (virus) program that doesn’t spread but infects a particular file of your choice.
Then write an antivirus program that detects your malicious (virus) program.
You can use either Java or Python programming.

60
Authentication

61
Who Goes There?
How to authenticate a human to a
machine?
Can be based on…
◦ Something you know
 For example, a password
◦ Something you have
 For example, a smartcard
◦ Something you are
 For example, your fingerprint

62
Something You Know
Passwords
Lots of things act as passwords!
◦ PIN
◦ Social security number
◦ Date of birth
◦ Name of your pet, etc.

63
Why Passwords?
 Why is “something you know” more popular than “something you have” and “something you are”?
 Cost: passwords are free
 Convenience: easier for the SA to reset a pwd than to issue the user a new thumb

64
Good and Bad Passwords
Bad passwords
◦ frank
◦ Fido
◦ password
◦ 4444
◦ Pikachu
◦ 102560
Good passwords?
◦ jfIej,43j-EmmL+y
◦ 09864376537263
◦ P0kem0N
◦ FSa7Yago
◦ 0nceuP0nAt1m8
◦ PokeGCTall150
◦ AustinStamp

65
Password Experiment
 Three groups of users  each group
advised to select passwords as follows
◦ Group A: At least 6 chars, 1 non-letter
◦ Group B: Password based on passphrase
◦ Group C: 8 random characters
 Results
◦ Group A: About 30% of pwds easy to crack
◦ Group B: About 10% cracked
 Passwords easy to remember
◦ Group C: About 10% cracked
 Passwords hard to remember

66
Password Experiment
 User compliance hard to achieve
 In each case, 1/3rd did not comply (and about 1/3rd of those easy to crack!)
 Assigned passwords sometimes best
 If passwords not assigned, best advice is
◦ Choose passwords based on passphrase
◦ Use pwd cracking tool to test for weak pwds
◦ Require periodic password changes?
67
Attacks on Passwords
Attacker could…
◦ Target one particular account
◦ Target any account on system
◦ Target any account on any system
◦ Attempt denial of service (DoS) attack
Common attack path
◦ Outsider  normal user  administrator
◦ May only require one weak password!

68
Password Retry
Suppose system locks after 3 bad
passwords. How long should it
lock?
◦ 5 seconds
◦ 5 minutes
◦ Until SA restores service
What are +’s and -’s of each?

69
Dictionary Attack
 Attacker pre-computes h(x) for all x in a dictionary of common passwords
 Suppose attacker gets access to password file containing hashed passwords
◦ Attacker only needs to compare hashes to his pre-computed dictionary
◦ Same attack will work each time
 Can we prevent this attack? Or at least make attacker’s job more difficult?
70
Other Password Issues
Too many passwords to remember
◦ Results in password reuse
◦ Why is this a problem?
Who suffers from bad password?
◦ Login password vs ATM PIN
Failure to change default passwords
Social engineering
Error logs may contain “almost”
passwords
Bugs, keystroke logging, spyware, etc.
71
Passwords
The bottom line
Password cracking is too easy!
◦ One weak password may break security
◦ Users choose bad passwords
◦ Social engineering attacks, etc.
The bad guy has all of the advantages
All of the math favors bad guys
Passwords are a big security problem

72
Password Cracking Tools
Popular password cracking tools
◦ Password Crackers
◦ Password Portal
◦ L0phtCrack and LC4 (Windows)
◦ John the Ripper (Unix)
Admins should use these tools to test for
weak passwords since attackers will!
Good article on password cracking
◦ Passwords - Cornerstone of Computer Security

73
Biometrics

74
Something You Are
Biometric
◦ “You are your key”  Schneier
 Examples
o Fingerprint
o Handwritten signature
o Facial recognition
o Speech recognition
o Gait (walking) recognition
o “Digital doggie” (odor recognition)
o Many more!

75
Why Biometrics?
Biometrics seen as desirable
replacement for passwords
Cheap and reliable biometrics needed
Today, a very active area of research
Biometrics are used in security today
◦ Thumbprint mouse
◦ Palm print for secure entry
◦ Fingerprint to unlock car door, etc.
But biometrics not too popular
◦ Has not lived up to its promise (yet)

76
Biometric Modes
Identification  Who goes there?
◦ Compare one to many
◦ Example: The FBI fingerprint database
Authentication  Is that really you?
◦ Compare one to one
◦ Example: Thumbprint mouse
Identification problem more difficult
◦ More “random” matches since more
comparisons
We are interested in authentication
77
Hand Geometry
 Popular form of biometric
 Measures shape of hand
o Width of hand, fingers
o Length of fingers, etc.
 Human hands not unique
 Hand geometry sufficient
for many situations
 Suitable for
authentication
 Not useful for ID problem

78
Hand Geometry
Advantages
◦ Quick
◦ 1 minute for enrollment
◦ 5 seconds for recognition
◦ Hands symmetric (use other hand
backwards)
Disadvantages
◦ Cannot use on very young or very old
◦ Relatively high equal error rate

79
Iris Patterns
 Iris pattern development is “chaotic”
 Little or no genetic influence
 Different even for identical twins
 Pattern is stable through lifetime

80
Attack on Iris Scan
 Good photo of eye can be scanned
◦ Attacker could use photo of eye
◦ Afghan woman was authenticated by iris scan of old photo
 To prevent photo attack, scanner could use light to be sure it is a “live” iris

81
Biometrics: The Bottom Line
 Biometrics are hard to forge
 But attacker could
◦ Steal Alice’s thumb
◦ Photocopy Bob’s fingerprint, eye, etc.
◦ Subvert software, database, “trusted path”, …
 Also, how to revoke a “broken” biometric?
 Biometrics are not foolproof!
 That should change in the future…

82
Something You Have
 Something in your possession
 Examples include
◦ Car key
◦ Laptop computer
 Or specific MAC address
◦ ATM card, smartcard, etc.

83
2-factor Authentication
 Requires 2 out of 3 of
1. Something you know
2. Something you have
3. Something you are
 Examples
◦ ATM: Card and PIN
◦ Credit card: Card and signature
◦ Smartcard with password/PIN

84
End of Chapter 1

Questions

85
