information security unit 1 notes ppt contents
Krishna681298
38 views
69 slides
Sep 19, 2024
Slide 1 of 69
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
About This Presentation
IS
Slide Content
INFORMATION SECURITY (21PC0IT23 ) UNIT-1 INTRODUCTION
Course objectives The aim of the course is to provide an understanding of various cryptographic algorithms and the basic categories of threats to computers and networks.
Course outcomes CO1: Understand the fundamentals of security attacks and identify the potential security issues. CO2: Apply various algorithms to evaluate the encryption and message authentication. CO3: Understand the various security applications. CO4: Identify the security issues in email and internet protocol. CO5: Acquire the knowledge of intruders, virus and firewalls to detect attacks.
What is Information security? Information security is a crucial concept in Computer Science that deals with protecting information and data from unauthorized access, use, disclosure, disruption, modification, or destruction. It encompasses various measures, policies, technologies, and practices aimed at ensuring the confidentiality, integrity, and availability of information and information systems.
The main objectives of information security Confidentiality Integrity Availability Authentication Authorization Risk Management
Information security encompasses a wide range of practices and technologies Cryptography Firewalls Access Controls Intrusion Detection and Prevention Systems (IDPS) Security Policies and Procedures. Security Auditing and Monitoring. Security Awareness and Training.
Security attacks A useful means of classifying security attacks, used both in X.800 and RFC 2828, is in terms of passive attacks and active attacks. A passive attack attempts to learn or make use of information from the system but does not affect system resources. An active attack attempts to alter system resources or affect their operation.
Passive ATTACK Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted. Two types of passive attacks are release of a) message contents and b) traffic analysis.
Message CONTENTS The release of message contents is easily understood using below example. A telephone conversation, an electronic mail message, and a transferred file may contain sensitive or confidential information. We would like to prevent an opponent from learning the contents of these transmissions
Message CONTENTS
T raffic analysis Suppose that we had a way of masking the contents of messages or other information traffic so that opponents, even if they captured the message, could not extract the information from the message. The common technique for masking contents is encryption. If we had encryption protection in place, an opponent might still be able to observe the pattern of these messages. The opponent could determine the location and identity of communicating hosts and could observe the frequency and length of messages being exchanged. This information might be useful in guessing the nature of the communication that was taking place.
T raffic analysis
Conclusion of passive attacks Passive attacks are very difficult to detect because they do not involve any alteration of the data. Typically, the message traffic is sent and received in an apparently normal fashion and neither the sender nor receiver is aware that a third party has read the messages or observed the traffic pattern. However, it is feasible to prevent the success of these attacks, usually by means of encryption. Security Attacks the emphasis in dealing with passive attacks is on prevention rather than detection.
ACTIVE ATTACKS Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories: a) masquerade, b) replay c) modification of messages, and d) denial of service.
masquerade A masquerade takes place when one entity pretends to be a different entity. A masquerade attack usually includes one of the other forms of active attack. For example, authentication sequences can be captured and replayed after a valid authentication sequence has taken place, thus enabling an authorized entity with few privileges to obtain extra privileges by impersonating an entity that has those privileges.
masquerade
b) replay Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect
c) Modification of messages Modification of messages simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect.
d) denial of service The denial of service prevents or inhibits the normal use or management of communications facilities. This attack may have a specific target; for example, an entity may suppress all messages directed to a particular destination (e.g., the security audit service). Another form of service denial is the disruption of an entire network, either by disabling the network or by overloading it with messages so as to degrade performance.
Security Services X.800 defines a security service as a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers. RFC 2828, which provides the following definition: a processing or communication service that is provided by a system to give a specific kind of protection to system resources; security services implement security policies and are implemented by security mechanisms. X.800 divides these services into five categories and fourteen specific services
SECURITY SERVICES X.800 1. AUTHENTICATION The assurance that the communicating entity is the one that it claims to be. a). PEER ENTITY AUTHENTICATION Used in association with a logical connection to provide confidence in the identity of the entities connected. b). DATA ORIGIN AUTHENTICATION In a connectionless transfer, provides assurance that the source of received data is as claimed. 2. ACCESS CONTROL The prevention of unauthorized use of a resource (i.e., this service controls who can have access to a resource, under what conditions access can occur, and what those accessing the resource are allowed to do).
SECURITY ISSUES 3. DATA CONFIDENTIALITY The protection of data from unauthorized disclosure. Connection Confidentiality The protection of all user data on a connection. Connectionless Confidentiality The protection of all user data in a single data block Selective-Field Confidentiality The confidentiality of selected fields within the user data on a connection or in a single data block. Traffic Flow Confidentiality The protection of the information that might be derived from observation of traffic flows.
4. DATA INTEGRITY The assurance that data received are exactly as sent by an authorized entity (i.e., contain no modification, insertion, deletion, or replay) Connection Integrity with Recovery Provides for the integrity of all user data on a connection and detects any modification, insertion, deletion, or replay of any data within an entire data sequence, with recovery attempted. Connection Integrity without Recovery As above, but provides only detection without recovery. Selective-Field Connection Integrity Provides for the integrity of selected fields within the user data of a data block transferred over a connection and takes the form of determination of whether the selected fields have been modified, inserted, deleted, or replayed. Connectionless Integrity Provides for the integrity of a single connectionless data block and may take the form of detection of data modification. Additionally, a limited form of replay detection may be provided. Selective-Field Connectionless Integrity Provides for the integrity of selected fields within a single connectionless data block; takes the form of determination of whether the selected fields have been modified.
5. NONREPUDIATION Provides protection against denial by one of the entities involved in a communication of having participated in all or part of the communication. Nonrepudiation, Origin Proof that the message was sent by the specified party. Nonrepudiation, Destination Proof that the message was received by the specified party
Security Mechanisms Service mechanisms are divided into those that are implemented in a specific protocol layer and those that are not specific to any particular protocol layer or security service. X.800 Security Services distinguishes between reversible encipherment mechanisms and irreversible encipherment mechanisms. A reversible encipherment mechanism is simply an encryption algorithm that allows data to be encrypted and subsequently decrypted. Irreversible encipherment mechanisms include hash algorithms and message authentication codes, which are used in digital signature and message authentication applications.
Encipherment : This security mechanism deals with hiding and covering of data which helps data to become confidential. It is achieved by applying mathematical calculations or algorithms which reconstruct information into not readable form. It is achieved by two famous techniques named Cryptography and Encipherment. Level of data encryption is dependent on the algorithm used for encipherment. Access Control : This mechanism is used to stop unattended access to data which you are sending. It can be achieved by various techniques such as applying passwords, using firewall, or just by adding PIN to data. Notarization : This security mechanism involves use of trusted third party in communication. It acts as mediator between sender and receiver so that if any chance of conflict is reduced. This mediator keeps record of requests made by sender to receiver for later denied. Data Integrity : This security mechanism is used by appending value to data to which is created by data itself. It is similar to sending packet of information known to both sending and receiving parties and checked before and after data is received. When this packet or data which is appended is checked and is the same while sending and receiving data integrity is maintained. Authentication Exchange : This security mechanism deals with identity to be known in communication. This is achieved at the TCP/IP layer where two-way handshaking mechanism is used to ensure data is sent or not Bit Stuffing : This security mechanism is used to add some extra bits into data which is being transmitted. It helps data to be checked at the receiving end and is achieved by Even parity or Odd Parity . Digital Signature : This security mechanism is achieved by adding digital data that is not visible to eyes. It is form of electronic signature which is added by sender which is checked by receiver electronically. This mechanism is used to preserve data which is not more confidential but sender’s identity is to be notified.
Security Mechanisms (X.800) SPECIFIC SECURITY MECHANISMS May be incorporated into the appropriate protocol layer in order to provide some of the OSI security services. Encipherment The use of mathematical algorithms to transform data into a form that is not readily intelligible. The transformation and subsequent recovery of the data depend on an algorithm and zero or more encryption keys. Digital Signature Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery (e.g., by the recipient). Access Control A variety of mechanisms that enforce access rights to resources. Authentication Exchange A mechanism intended to ensure the identity of an entity by means of information exchange.
Security Mechanisms (X.800) SPECIFIC SECURITY MECHANISMS Traffic Padding The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts. Routing Control Enables selection of particular physically secure routes for certain data and allows routing changes, especially when a breach of security is suspected. Notarization The use of a trusted third party to assure certain properties of a data exchange.
Security Mechanisms (X.800) PERVASIVE SECURITY MECHANISMS Mechanisms that are not specific to any particular OSI security service or protocol layer. Trusted Functionality That which is perceived to be correct with respect to some criteria (e.g., as established by a security policy). Security Label The marking bound to a resource (which may be a data unit) that names or designates the security attributes of that resource. Event Detection Detection of security-relevant events Security Audit Trail Data collected and potentially used to facilitate a security audit, which is an independent review and examination of system records and activities. Security Recovery Deals with requests from mechanisms, such as event handling and management functions, and takes recovery actions.
Relationship between Security Services and Mechanisms
A model for Internetwork security A message is to be transferred from one party to another across some sort of internet. The two parties, who are the principals in this transaction, must cooperate for the exchange to take place. A logical information channel is established by defining a route through the internet from source to destination and by the cooperative use of communication protocols (e.g., TCP/IP) by the two principals.
A model for Internetwork security Security aspects come into play when it is necessary or desirable to protect the information transmission from an opponent who may present a threat to confidentiality, authenticity, and so on. All the techniques for providing security have two components: A security-related transformation on the information to be sent. Examples include the encryption of the message, which scrambles the message so that it is unreadable by the opponent, and the addition of a code based on the contents of the message, which can be used to verify the identity of the sender Some secret information shared by the two principals and, it is hoped, unknown to the opponent. An example is an encryption key used in conjunction with the transformation to scramble the message before transmission and unscramble it on reception.
A Model for Network Security A trusted third party may be needed to achieve secure transmission. This general model shows that there are four basic tasks in designing a particular security service: 1. Design an algorithm for performing the security-related transformation. The algorithm should be such that an opponent cannot defeat its purpose. 2. Generate the secret information to be used with the algorithm. 3. Develop methods for the distribution and sharing of the secret information. 4. Specify a protocol to be used by the two principals that makes use of the security algorithm and the secret information to achieve a particular security service.
Other situations Above figure which reflects a concern for protecting an information system from unwanted access. Hackers , who attempt to penetrate systems that can be accessed over a network. The hacker can be someone who, with no malign intent, simply gets satisfaction from breaking and entering a computer system. Or, the intruder can be a disgruntled employee who wishes to do damage, or a criminal who seeks to exploit computer assets for financial gain (e.g., obtaining credit card numbers or performing illegal money transfers).
Other Situations Another type of unwanted access is the placement in a computer system of logic that exploits vulnerabilities in the system and that can affect application programs as well as utility programs, such as editors and compilers. Programs can present two kinds of threats: ● Information access threats intercept or modify data on behalf of users who should not have access to that data. ● Service threats exploit service flaws in computers to inhibit use by legitimate users
Viruses and worms are two examples of software attacks. Such attacks can be introduced into a system by means of a disk that contains the unwanted logic concealed in otherwise useful software. They can also be inserted into a system across a network; this latter mechanism is of more concern in network security. The security mechanisms needed to cope with unwanted access fall into two broad categories. The first category might be termed a gatekeeper function. It includes password-based login procedures that are designed to deny access to all but authorized users and screening logic that is designed to detect and reject worms, viruses, and other similar attacks. Once either an unwanted user or unwanted software gains access, the second line of defense consists of a variety of internal controls that monitor activity and analyze stored information in an attempt to detect the presence of unwanted intruders.
Internet Standards and RFCs Most of the protocols related to TCP/IP protocol suite are already standardized or under the process of standardization. An organization known as internet society is responsible for development and publication of these standards.
Three organizations under the internet society are responsible for actual work of standards development & publication 1. INTERNET ARICHITECTURE BOARD (IAB): 2. INETRNET ENGINEERING TASK FORCE (IETF): 3. INTERNET ENGINEERING STEERING GROUP (IESG):
The entire activities of the IETF are categorized into eight areas each having a categorized into eight areas each having it & numerous working groups
The Standardization Process: IESG decides which RFC’s become internet standard based on IETF recommendations. To become a standard, a specification must meet the following criteria. BE stable and easily understandable Be technically competent Have multiple, independent and interoperable implementations with substantial operations experience. Enjoy significant public support. Be recognizably useful in some or all parts of internet
The RFC publication process is shown below, in which a specification passes through a sequence of steps called standards track, in order to qualify as a standard. It involves excessive scrutinizing and testing. The actual process starts after the approval of internet draft documentation as an RFC by IESG.
Internet Standard Categories All the internet standards fall into two categories TECHINICAL SPECIFICATION (TS): APPLICABILITY STATEMENT (AS):
Buffer Overflow & Format String Vulnerabilities Vulnerability: Vulnerability is an inherent weakness in design, configuration, implementation or management of a network or system that renders it susceptible to a threat. Buffer Overflow: A buffer overflow occurs when a program or process tries to store more data in a buffer than it was intended to hold.
Exploiting(Attack) the overflowable buffer involves the following tasks Finding a way of injecting into the buffer Specify a return address where malicious code resides for the program to execute the code Determining the payload/code to be executed.
Buffer Injection Techniques For creating an exploit, it is important to determine a way of getting a large buffer into the overflowable buffer. A simple process of filling a buffer over the network Injection vector: It refers to the customized operational code needed to monitor and control an instruction pointer on the remote system. It depends on host and targeted machine and is used to execute the payload. Payload: Something like a virus that can run at anytime, anywhere irrespective of its injection into a remote machine.
Determining the location of payload Some common places to store payloads include Files on disk, which are then loaded into memory Environment variables controlled by a local user Environment variables passed within a web request User-controlled fields within a network protocol
Methods to execute payload There are several techniques that are used to execute payload. These are the ways to decide what to put into the saved EIP on the stack to make it finally point to our code. Direct Jump (Guessing offsets) Blind Return Pop Return Call Register Push Return
Stack Frame: The term ‘stack frame’ refers to the collection of the entire information related to a stack of any function. It can be effectively explained by the ‘call’ and ‘ret’ instructions. Call Instruction Ret Instruction
Session Hijacking : Session Hijacking is a common-cum valiant security threat to which most systems are prone to. It refers to the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system. Sensitive user information is constantly transported between sessions after authentication and hackers put their best efforts to steal them.
Session hijack is a process whereby the attacker inserts themselves into an existing communication session between two computers. The three main protocols that manage the data flow on which session hijacking occurs are TCP, UDP, and HTTP. Session hijacking can be done at two levels: Network Level and Application Level. Network level hijacking involves TCP and UDP sessions, whereas Application level session hijack occurs with HTTP sessions.
TCP Session Hijacking
The connection between the client and the server begins with a three-way handshake Client sends a synchronization (SYN) packet to the server with initial sequence number X. Server responds by sending a SYN/ACK packet that contains the server's own sequence number p and an ACK number for the client's original SYN packet. This ACK number indicates the next sequence number the server expects from the client Client acknowledges receipt of the SYN/ACK packet by sending back to the server an ACK packet with the next sequence number it expects from the server, which in this case is P+1. After the handshake, it’s just a matter of sending packets and incrementing the sequence number to verify that the packets are getting sent and received.
To hijack the session in the TCP network the hijacker should employ following techniques: IP Spoofing: IP spoofing is “a technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host.” Once the hijacker has successfully spoofed an IP address, he determines the next sequence number that the server expects and uses it to inject the forged packet into the TCP session before the client can respond. By doing so, he creates the “desynchronized state.”
Blind Hijacking: If source routing is disabled, the session hijacker can also employ blind hijacking where he injects his malicious data into intercepted communications in the TCP session. It is called “blind” because the hijacker can send the data or commands, but cannot see the response. The hijacker is basically guessing the responses of the client and server.
Blind HIJACKING
Blind hijacking Here the attacker is looking for these hosts that risk of predictable sequence numbers. once identified, the attacker wants to desynchronize the connection between machines. they could send null data to the server, which means the synac numbers will increment on that server end, but not on the client side. Another approach would be to send a reset flag. TCP header there is an RST attribute. Once the attacker has successfully desynchronized the connection, they can then insert themselves back into the communication by taking advantage of the predictable sequence numbers and begin communicating directly with the host.
Man in the Middle attack (packet sniffing): This technique involves using a packet sniffer that intercepts the communication between the client and server. With all the data between the hosts flowing through the hijacker’s sniffer, he is free to modify the content of the packets. The trick to this technique is to get the packets to be routed through the hijacker’s host.
Here attacker comes into the picture and re-routes the packets. First option would be to forge ICMP packets so the internet control message protocol which would give them the ability to redirect traffic between the client and the host. such that it passes through the attacker's machine
Another option is app spoofing so exploiting the address resolution protocol such that the ARP tables are modified via a forged ARP reply and the victim's traffic is sent via the host
ARP Attacks: An ARP table controls the Media Access Control (MAC)-address-to-IP-address mapping on each machine. ARP is designed to be a dynamic protocol, so as new machines are added to a network or existing machines get new MAC addresses for whatever reason, the rest update automatically in a relatively short period of time. There is absolutely no authentication in this protocol.
ARP Example
EXAMPLE: Device A (attacker), Device B (victim), and the Router (default gateway). Initial Network Setup: Device A wants to intercept or manipulate traffic between Device B and the Router. The ARP cache of Device B contains the legitimate MAC address of the Router. Device A's ARP cache contains the legitimate MAC address of the Router. ARP Spoofing Attack Steps: Device A initiates an ARP spoofing attack against Device B to redirect its traffic. Device A sends an ARP reply to Device B, claiming that it (Device A) is the Router and providing its own MAC address. ARP Cache Update: Device B receives the ARP reply from Device A and updates its ARP cache, associating the Router's IP address with Device A's MAC address.
EXAMPLE: Device A (attacker), Device B (victim), and the Router (default gateway). Traffic Redirected: Now, whenever Device B wants to communicate with the Router, it sends traffic to Device A's MAC address, believing it to be the Router. Attacker's Actions: Device A can intercept, monitor, or manipulate the traffic between Device B and the Router. Device A can selectively forward or modify the intercepted traffic before sending it to the Router. Router's Responses: The Router responds to Device A's IP with packets meant for Device B. Device A intercepts these responses and can choose to forward or manipulate them.
UDP Session Hijacking UDP which stands for User Datagram Protocol is defined as “a connectionless protocol runs on top of IP networks. Unlike TCP/IP, UDP/IP provides very few error recovery services, offering instead a direct way to send and receive datagram’s over an IP network.”
Route Table Modification: An attacker would be able to put himself in such a position to block packets by modifying routing tables, so that packets flow through a system he has control of (Layer 3 redirection) , by changing bridge tables by playing games with spanning-tree frames (Layer 2 redirection), or by rerouting physical cables so that the frames must flow through the attacker’s system (Layer 1 redirection). Most of the time, an attacker will try to change route tables remotely. A more locally workable attack might be to spoof Internet Control Message Protocol (ICMP) and redirect packets to fool some hosts into thinking that there is a better route via the attacker’s IP address. Many OS’s accept ICMP redirects in their default configuration. Unless, the connection is to be broken entirely (or proxy it in some way), the packets have to be forwarded back to the real router, so they can reach their ultimate destination. When that happens, the real router is likely to send ICMP redirect packets to the original host, too, informing it that there is a better route. To attempt that sort of attack, it is necessary to keep up the flow of ICMP redirect messages.
Tags
Download
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 38
- Slides 69
- Age 439 days
Related Slideshows
11
8-top-ai-courses-for-customer-support-representatives-in-2025.pptx
JeroenErne2
46 views
10
7-essential-ai-courses-for-call-center-supervisors-in-2025.pptx
JeroenErne2
46 views
13
25-essential-ai-courses-for-user-support-specialists-in-2025.pptx
JeroenErne2
37 views
11
8-essential-ai-courses-for-insurance-customer-service-representatives-in-2025.pptx
JeroenErne2
34 views
21
Know for Certain
DaveSinNM
21 views
17
PPT OPD LES 3ertt4t4tqqqe23e3e3rq2qq232.pptx
novasedanayoga46
26 views