SlideShare une entreprise Scribd logo

Introduction to security

Mukesh Chinta
Mukesh Chinta

This ppt contains information about definition of computer & information security, types of attacks, services, mechanisms, controls and model for network security

Sciences
1  sur  37
Télécharger pour lire hors ligne
2  Data: raw facts {Alphanumeric, image, audio, and video}  Information: result of processing, manipulating and organizing data in a way that adds to the knowledge of the receiver. {Processed Data}  Knowledge: Knowledge is normally processed by means of structuring, grouping, filtering, organizing or pattern recognition. {Highly structured information} An Information System is a set of interrelated components that collect or retrieve, process, store and distribute information to support decision making and control in an organization. Mukesh Chinta, Asst Prof, CSE,VRSEC 'Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected’ BS ISO 27002:2005
3  Security is one of the oldest problem that governments, commercial organizations and almost every person has to face. The need of security exists since information became a valuable resource.  Introduction of computer systems to business has escalated the security problem even more.  The advances in networking and specially in distributed systems made the need for security even greater.  Any breach with the Information System will lead to Loss of productivity, loss of revenue, legal liabilities, loss of reputation and other losses.  Cyber crime is defined as criminal activity involving the IT infrastructure, including illegal access, illegal interception, data interference, misuse of devices, ID theft and electronic fraud Mukesh Chinta, Asst Prof, CSE,VRSEC
4 Mukesh Chinta, Asst Prof, CSE,VRSEC The e-commerce sector in India is facing a major hurdle due to ineffectiveness of cyber laws.
5
6  So now we know that we need security. BUT what is security anyway ?  Many people fail to understand the meaning of the word.  Many corporations install an antivirus software, and/or a firewall and believe they are protected. Are they ? “In the real world, security involves processes. It involves preventive technologies, but also detection and reaction processes, and an entire forensics system to hunt down and prosecute the guilty. Security is not a product; it itself is a process. …. ” Bruce Schneier
Mukesh Chinta, Asst Prof, CSE,VRSEC 7 The U.S. Government’s National Information Assurance Glossary defines INFOSEC as: “Protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.”
8 ARPANET, the precursor to the modern internet allowed easy synchronization of information between data centers but has unsecure points between the data centers and the public. This vulnerability was addressed by securing physical locations and hardware. A task force formed by ARPA (Advanced Research Projects Agency) to study internet security in 1967 found this method to be inadequate, and released the Rand Report R-609 which determined additional steps must be taken to improve security. This report marked an important stage in the development of today's information security.  1960s: Organizations start to protect their computers  1970s: The first hacker attacks begin  1980s: Governments become proactive in the fight against cybercrime  1990s: Organized crime gets involved in hacking  2000s: Cybercrime becomes treated like a crime  2010s: Information security becomes serious Mukesh Chinta, Asst Prof, CSE,VRSEC
9 Mukesh Chinta, Asst Prof, CSE,VRSEC The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications). The NIST (National Institute of Standards & Technology} Computer Security Handbook [NIST95] (Available from: http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf) defines the term computer security as The definition introduces three key objectives that are at the heart of the computer security:  Confidentiality • Data Confidentiality • Privacy  Integrity • Data Integrity • System Integrity  Availability
10  Confidentiality • Data Confidentiality - Assures that private or confidential information is not made available or disclosed to unauthorized individuals. • Privacy - Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.  Integrity • Data Integrity - Assures that information and programs are changed only in a specified and authorized manner • System Integrity - Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.  Availability - Assures that systems work promptly and service is not denied to authorized users. Mukesh Chinta, Asst Prof, CSE,VRSEC
11 Federal Information Processing Standards Publications (FIPS PUB 199) provides a useful characterization of these three objectives in terms of requirements and the definition of a loss of security in each category: • Confidentiality : Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information. • Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information. • Availability: Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system. • Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. • Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.
12 LOW MODERATE HIGH Effect on organizational operations, assets or individuals Limited Serious Severe or even catastrophic Primary functions of the organization and their effectiveness Minor degradation Significant degradation Severe degradation Damage to organizational assets Minor Significant Major Financial Loss Minor Significant Major Harm to individual Minor Significant Severe (loss of life or life-threatening injuries) FIPS PUB 199 define three levels of impact on organizations or individuals should there be a breach of security : Low, Moderate and High
13 1. Not simple – seems to be straight forward but very complex 2. Must consider potential attacks on security features 3. Procedures used are often counter-intuitive 4. Involves multiple algorithms and secret information 5. Must decide where to deploy security mechanisms 6. Battle of wits between attacker / admin 7. Not perceived on benefit until a security failure happens 8. Requires regular/constant monitoring which is difficult 9. Often an after-thought rather than an integral part of the process 10. Strong security is regarded as impediment to free usage of a system Mukesh Chinta, Asst Prof, CSE,VRSEC
14 Mukesh Chinta, Asst Prof, CSE,VRSEC ITU-T X.800 “Security Architecture for OSI” defines a systematic way of defining and providing security requirements. Three important aspects of OSI security architecture are: : Any action that compromises the security of information owned by an organization. : A process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack. : A processing or communication service that enhances the security of the data processing systems and the information transfers of an organization.
Threats Vulnerabilities Risk Asset valuesProtection Requirements Information assets Controls * reduce – a potential for violation of security – Something that can potentially cause damage to the organization, IT Systems or network – an assault on system security, a deliberate attempt to evade security services : A possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset. Relationship between Risk, Threats, and Vulnerabilities Mukesh Chinta, Asst Prof, CSE,VRSEC
16 Mukesh Chinta, Asst Prof, CSE,VRSEC The security attacks are classified into and  A passive attack attempts to learn or make use of information from the system but does not affect system resources. These are difficult to detect and focus will be on prevention.  Active attacks involve some modification of the data stream or the creation of a false stream. These are difficult to prevent and focus is on detection and recovery.
17 Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted. Two types of passive attacks are:  Release of message contents – Any transferred message could be intercepted or listened to  Traffic analysis - monitor traffic flow to determine location and identity of communicating hosts and could observe the frequency and length of messages being exchanged. Release of Message Contents Traffic Analysis
18 An active attack is one in which an unauthorized change of the system is attempted. This could include, for example, the modification of transmitted or stored data, or the creation of new data streams relate to an entity (usually a computer or a person) taking on a false identity in order to acquire or modify information, and in effect achieve an unwarranted privilege status. involves the re-use of captured data at a later time than originally intended in order to repeat some action of benefit to the attacker. Mukesh Chinta, Asst Prof, CSE,VRSEC
19 could involve modifying a packet header address for the purpose of directing it to an unintended destination or modifying the user data. prevent the normal use or management of communication services, and may take the form of either a targeted attack on a particular service or a broad, incapacitating attack. Mukesh Chinta, Asst Prof, CSE,VRSEC
Security Services Authentication Access Control Data Confidentiality Data Integrity Non Repudiation Peer Entity Authentication Data-Origin Authentication Connection Confidentiality Connectionless Confidentiality Selective-Field Confidentiality Traffic-Flow Confidentiality Connection Integrity with Recovery Connection Integrity without Recovery Selective-Field Connection Integrity Connectionless Integrity Selective-Field Connectionless Integrity Nonrepudiation, Origin Nonrepudiation, Destination RFC 2828 defines Security Service as a processing or communication service that is provided by a system to give a specific kind of protection to system resources. X.800 divides security services into five categories and fourteen specific services. Security Services intend to counter security attacks and make use of one or more security mechanisms to provide the service
22 – Authentication service is concerned with assurance that communicating entity is the one claimed. It helps in establishing proof of identification. Two specific authentication services are defined: - provides corroboration of the identity of a peer entity in an association. This service provides confidence, at the time of usage only, that an entity is not attempting a masquerade or an unauthorized replay of a previous connection. - provides corroboration of the source of a data unit. In a connectionless transfer, provides assurance that the source of received data is as claimed – It is the protection of transmitted data from passive attacks, and the protection of traffic flow from analysis. : The protection of all user data on a connection : The protection of all user data in a single data block The confidentiality of selected fields within the user data on a connection or in a single data block The protection of the information that might be derived from observation of traffic flows Mukesh Chinta, Asst Prof, CSE,VRSEC
23 – It assures that messages are received as sent by an authorized entity, with no duplication, insertion, modification, reordering, replay, or loss. Provides for the integrity of all user data on a connection and detects any modification, insertion, deletion, or replay of any data within an entire data sequence, with recovery attempted As above, but provides only detection without recovery. Provides for the integrity of selected fields within the user data of a data block transferred over a connection and takes the form of determination of whether the selected fields have been modified, inserted, deleted, or replayed. Provides for the integrity of a single connectionless data block and may take the form of detection of data modification. Provides for the integrity of selected fields within a single connectionless data block – It is the ability to limit and control the access to host systems and applications via communications links. The prevention of unauthorized use of a resource (i.e., this service controls who can have access to a resource, under what conditions access can occur, and what those accessing the resource are allowed to do). Mukesh Chinta, Asst Prof, CSE,VRSEC
24 : This service does not allow the sender or receiver of a message to refuse the claim of not sending or receiving that message. : Proof that the message was sent by the specified party. : Proof that the message was received by the specified part. - It is the property of a system / resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system. A variety of attacks can result in the loss of or reduction in availability.
25 Interception Is Private? Modification Has been altered? Forgery Who am I dealing with? Claim Who sent/received it? Not SENT ! Denial of Service Wish to access!! Have you privilege? Unauthorized access Security Needs for Network Communications Mukesh Chinta, Asst Prof, CSE,VRSEC
26 Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack. No single mechanism that will support all functions required.  The security mechanisms are divided into those that are implemented in a specific protocol layer called and those that are not specific to any particular protocol layer or security service called .
Security Mechanism Description Encipherment The use of mathematical algorithms to transform data into a form that is not readily intelligible. The transformation and subsequent recovery of the data depend on an algorithm and zero or more encryption keys. Digital Signature Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery. Access Control A variety of mechanisms that enforce access rights to resources. Data Integrity A variety of mechanisms used to assure the integrity of a data unit or stream of data units. Authentication Exchange A mechanism intended to ensure the identity of an entity by means of information exchange Traffic Padding The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts. Routing Control Enables selection of particular physically secure routes for certain data and allows routing changes, especially when a breach of security is suspected. Notarization The use of a trusted third party to assure certain properties of a data exchange. Mukesh Chinta, Asst Prof, CSE,VRSEC
28 Security Mechanism Description Trusted Functionality That which is perceived to be correct with respect to some criteria (e.g., as established by a security policy). Security Label The marking bound to a resource (which may be a data unit) that names or designates the security attributes of that resource. Event Detection Detection of security-relevant events Security Audit Trail Data collected and potentially used to facilitate a security audit, which is an independent review and examination of system records and activities. Security Recovery Deals with requests from mechanisms, such as event handling and management functions, and takes recovery actions.
29 Mukesh Chinta, Asst Prof, CSE,VRSEC
Data is transmitted over network between two communicating parties, who must cooperate for the exchange to take place. A logical information channel is established by defining a route through the internet from source to destination by use of communication protocols by the two parties. Two components are present in almost all the security providing techniques.  A security-related transformation on the information to be sent making it unreadable by the opponent, and the addition of a code based on the contents of the message, used to verify the identity of sender.  Some secret information shared by the two principals and, it, unknown to the opponent. A trusted third party may be needed to distribute the secret information or to arbitrate disputes between the principals.
31 The general model shows that there are four basic tasks in designing a particular security service: 1. Design an algorithm for performing the security-related transformation. The algorithm should be such that an opponent cannot defeat its purpose 2. Generate the secret information to be used with the algorithm 3. Develop methods for the distribution and sharing of the secret information 4. Specify a protocol to be used by the two principals that makes use of the security algorithm and the secret information to achieve a particular security service Various other threats to information system like unwanted access still exist. The existence of hackers attempting to penetrate systems accessible over a network remains a concern. Another threat is placement of some logic in computer system affecting various applications and utility programs. This inserted code presents two kinds of threats.  Information access threats intercept or modify data on behalf of users who should not have access to that data  Service threats exploit service flaws in computers to inhibit use by legitimate users Mukesh Chinta, Asst Prof, CSE,VRSEC
32 Viruses and worms are two examples of software attacks inserted into the system by means of a disk or also across the network. Placing a gatekeeper function, which includes a password-based login methods that provide access to only authorized users and screening logic to detect and reject worms, viruses etc. An internal control, monitoring the internal system activities analyzes the stored information and detects the presence of unauthorized users or intruders. Mukesh Chinta, Asst Prof, CSE,VRSEC
33 Security Controls are categorized based on their functionality and plane of application. Based on functionality, the types of controls are given as: - These try to prevent security violations and enforce access control. Like other controls, preventive controls may be physical, administrative, or technical: doors, security procedures, and authentication requirements - Detective controls are in place to detect security violations and alert the defenders. They come into play when preventive controls have failed or have been circumvented and are no less crucial than detective controls. Detective controls include cryptographic checksums, file integrity checkers, audit trails and logs, and similar mechanisms. - Corrective controls try to correct the situation after a security violation has occurred. Corrective controls vary widely, depending on the area being targeted, and they may be technical or administrative in nature. - Deterrent controls are intended to discourage potential attackers. Examples of deterrent controls include notices of monitoring and logging as well as the visible practice of sound information security management. – similar to corrective controls applied in more serious situations to recover from security violations and restore information and information processing resources. These include disaster recovery and business continuity mechanisms, backup systems and data, emergency key management arrangements, and similar controls. - are intended to be alternative arrangements for other controls when the original controls have failed or cannot be used. When a second set of controls addresses the same threats that are addressed by another set of controls, the second set of controls are compensating controls. Mukesh Chinta, Asst Prof, CSE,VRSEC
34 Based on plane of application, the types of controls are given as:  Physical Controls include doors, secure facilities, fire extinguishers, flood protection, and air conditioning.  Administrative Controls are the organization’s policies, procedures, and guidelines intended to facilitate information security.  Technical controls are the various technical measures, such as firewalls, authentication systems, intrusion detection systems, and file encryption, among others.  Logical access control models are the abstract foundations upon which actual access control mechanisms and systems are built.  Access control models define how computers enforce access of subjects (such as users, other computers, applications, and so on) to objects (such as computers, files, directories, applications, servers, and devices).  Three main access control models exist:
Discretionary Access Control (DAC) 35 • In the DAC model, the owner (creator) of information (file or directory) has the discretion to decide about and set access control restrictions on the object in question. • The advantage of DAC is its flexibility: users may decide who can access information and what they can do with it—read, write, delete, rename, execute, and so on. • At the same time, this flexibility is also a disadvantage of DAC because users may make wrong decisions regarding access control restrictions or maliciously set insecure or inappropriate permissions. Mandatory Access Control (MAC) • In systems utilizing MAC, users have little or no discretion as to what access permissions they can set on their information. • MAC-based systems use data classification levels (such as public, confidential, secret, and top secret) and security clearance labels corresponding to data classification levels to decide, in accordance with the security policy set by the system administrator, what access control restrictions to enforce. • Additionally, per-group and/or per-domain access control restrictions may be imposed—that is, in addition to having the required security clearance level, subjects(users or applications) must also belong to the appropriate group or domain. This concept is called Compartamentalization or need to know. • Though MAC systems are thought to be more secure than DAC systems, they are more difficult to use and administer because of the additional restrictions imposed by the OS. • Typically MAC systems are used in government, military and financial environments, where higher level of security is required and costs are tolerated. Mukesh Chinta, Asst Prof, CSE,VRSEC
36 Role-Based Access Control (RBAC) In the role-based access control model, rights and permissions are assigned to roles instead of individual users. This added layer of abstraction permits easier and more flexible administration and enforcement of access controls. Centralized vs. Decentralized Access Control In environments with centralized access control, a single, central entity makes access control decisions and manages the access control system; whereas in distributed access control environments, these decisions are made and enforced in a decentralized manner. The selection of a particular access control approach should be made only after careful consideration of an organization’s requirements and associated risks. Mukesh Chinta, Asst Prof, CSE,VRSEC
37 A vulnerability can occur anywhere in the IT environment, and can be the result of many different root causes. solutions gather comprehensive endpoint and network intelligence and apply advanced analytics to identify and prioritize the vulnerabilities that pose the most risk to critical systems. includes assessment of the environment for known vulnerabilities, and to assess IT components using the security configuration policies(by device role) that have been defined for the environment. is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities. provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. provides a common language of discourse for discussing, finding and dealing with the causes of software security vulnerabilities as they are found in code, design, or system architecture.

Recommandé

Information security
Information securityInformation security
Information securityavinashbalakrishnan2
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationTriCorps Technologies
 
Cyber Security Update: How to Train Your Employees to Prevent Data Breaches
Cyber Security Update: How to Train Your Employees to Prevent Data BreachesCyber Security Update: How to Train Your Employees to Prevent Data Breaches
Cyber Security Update: How to Train Your Employees to Prevent Data BreachesParsons Behle & Latimer
 
National cyber security policy final
National cyber security policy finalNational cyber security policy final
National cyber security policy finalIndian Air Force
 
Cybersecurity - Introduction and Preventive Measures
Cybersecurity - Introduction and Preventive MeasuresCybersecurity - Introduction and Preventive Measures
Cybersecurity - Introduction and Preventive MeasuresAditya Ratnaparkhi
 
Security Awareness & Training
Security Awareness & TrainingSecurity Awareness & Training
Security Awareness & Trainingnovemberchild
 
information security technology
information security technologyinformation security technology
information security technologygarimasagar
 
Cyber security & Importance of Cyber Security
Cyber security & Importance of Cyber SecurityCyber security & Importance of Cyber Security
Cyber security & Importance of Cyber SecurityMohammed Adam
 

Recommandé

Information security
Information securityInformation security
Information securityavinashbalakrishnan2
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationTriCorps Technologies
 
Cyber Security Update: How to Train Your Employees to Prevent Data Breaches
Cyber Security Update: How to Train Your Employees to Prevent Data BreachesCyber Security Update: How to Train Your Employees to Prevent Data Breaches
Cyber Security Update: How to Train Your Employees to Prevent Data BreachesParsons Behle & Latimer
 
National cyber security policy final
National cyber security policy finalNational cyber security policy final
National cyber security policy finalIndian Air Force
 
Cybersecurity - Introduction and Preventive Measures
Cybersecurity - Introduction and Preventive MeasuresCybersecurity - Introduction and Preventive Measures
Cybersecurity - Introduction and Preventive MeasuresAditya Ratnaparkhi
 
Security Awareness & Training
Security Awareness & TrainingSecurity Awareness & Training
Security Awareness & Trainingnovemberchild
 
information security technology
information security technologyinformation security technology
information security technologygarimasagar
 
Cyber security & Importance of Cyber Security
Cyber security & Importance of Cyber SecurityCyber security & Importance of Cyber Security
Cyber security & Importance of Cyber SecurityMohammed Adam
 
Cyber Crime
Cyber CrimeCyber Crime
Cyber CrimeMuhammad Irfan
 
Types of attacks in cyber security
Types of attacks in cyber securityTypes of attacks in cyber security
Types of attacks in cyber securityBansari Shah
 
3 Most Common Threats Of Information Security
3 Most Common Threats Of Information Security3 Most Common Threats Of Information Security
3 Most Common Threats Of Information SecurityAna Meskovska
 
Cyber Security Presentation "It Will Never Happen To Me"
Cyber Security Presentation "It Will Never Happen To Me" Cyber Security Presentation "It Will Never Happen To Me"
Cyber Security Presentation "It Will Never Happen To Me" Simon Salter
 
Incident response
Incident responseIncident response
Incident responseAnshul Gupta
 
Cyber Security Vulnerabilities
Cyber Security VulnerabilitiesCyber Security Vulnerabilities
Cyber Security VulnerabilitiesSiemplify
 
Networking Fundamental Course by Haris Chughtai
Networking Fundamental Course by Haris ChughtaiNetworking Fundamental Course by Haris Chughtai
Networking Fundamental Course by Haris ChughtaiHaris Chughtai
 
Security threats
Security threatsSecurity threats
Security threatsQamar Farooq
 
Security patterns and model driven architecture
Security patterns and model driven architectureSecurity patterns and model driven architecture
Security patterns and model driven architecturebdemchak
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing Netpluz Asia Pte Ltd
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to CybersecurityAdri Jovin
 
InformationSecurity
InformationSecurityInformationSecurity
InformationSecuritylearnt
 
Ppt
PptPpt
PptGeetu Khanna
 
Computer Worms
Computer WormsComputer Worms
Computer Wormssadique_ghitm
 
Cyber security
Cyber securityCyber security
Cyber securityBhavin Shah
 
Information Security Awareness
Information Security Awareness Information Security Awareness
Information Security Awareness Net at Work
 
Cyber Security Emerging Threats
Cyber Security Emerging ThreatsCyber Security Emerging Threats
Cyber Security Emerging Threatsisc2dfw
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023PECB
 
Cyber Crime and Security
Cyber Crime and SecurityCyber Crime and Security
Cyber Crime and SecurityDipesh Waghela
 
Cyber warfare Threat to Cyber Security by Prashant Mali
Cyber warfare Threat to Cyber Security by Prashant MaliCyber warfare Threat to Cyber Security by Prashant Mali
Cyber warfare Threat to Cyber Security by Prashant MaliAdv Prashant Mali
 
Data link layer
Data link layer Data link layer
Data link layer Mukesh Chinta
 
Cyberprzestępczość 2.0 (TAPT 2014)
Cyberprzestępczość 2.0 (TAPT 2014)Cyberprzestępczość 2.0 (TAPT 2014)
Cyberprzestępczość 2.0 (TAPT 2014)Adam Ziaja
 

Contenu connexe

Tendances

Types of attacks in cyber security
Types of attacks in cyber securityTypes of attacks in cyber security
Types of attacks in cyber securityBansari Shah
 
3 Most Common Threats Of Information Security
3 Most Common Threats Of Information Security3 Most Common Threats Of Information Security
3 Most Common Threats Of Information SecurityAna Meskovska
 
Cyber Security Presentation "It Will Never Happen To Me"
Cyber Security Presentation "It Will Never Happen To Me" Cyber Security Presentation "It Will Never Happen To Me"
Cyber Security Presentation "It Will Never Happen To Me" Simon Salter
 
Cyber Security Vulnerabilities
Cyber Security VulnerabilitiesCyber Security Vulnerabilities
Cyber Security VulnerabilitiesSiemplify
 
Networking Fundamental Course by Haris Chughtai
Networking Fundamental Course by Haris ChughtaiNetworking Fundamental Course by Haris Chughtai
Networking Fundamental Course by Haris ChughtaiHaris Chughtai
 
Security patterns and model driven architecture
Security patterns and model driven architectureSecurity patterns and model driven architecture
Security patterns and model driven architecturebdemchak
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing Netpluz Asia Pte Ltd
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to CybersecurityAdri Jovin
 
InformationSecurity
InformationSecurityInformationSecurity
InformationSecuritylearnt
 
Information Security Awareness
Information Security Awareness Information Security Awareness
Information Security Awareness Net at Work
 
Cyber Security Emerging Threats
Cyber Security Emerging ThreatsCyber Security Emerging Threats
Cyber Security Emerging Threatsisc2dfw
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023PECB
 
Cyber Crime and Security
Cyber Crime and SecurityCyber Crime and Security
Cyber Crime and SecurityDipesh Waghela
 
Cyber warfare Threat to Cyber Security by Prashant Mali
Cyber warfare Threat to Cyber Security by Prashant MaliCyber warfare Threat to Cyber Security by Prashant Mali
Cyber warfare Threat to Cyber Security by Prashant MaliAdv Prashant Mali
 

Tendances (20)

Cyber Crime
Cyber CrimeCyber Crime
Cyber Crime
 
Types of attacks in cyber security
Types of attacks in cyber securityTypes of attacks in cyber security
Types of attacks in cyber security
 
3 Most Common Threats Of Information Security
3 Most Common Threats Of Information Security3 Most Common Threats Of Information Security
3 Most Common Threats Of Information Security
 
Cyber Security Presentation "It Will Never Happen To Me"
Cyber Security Presentation "It Will Never Happen To Me" Cyber Security Presentation "It Will Never Happen To Me"
Cyber Security Presentation "It Will Never Happen To Me"
 
Incident response
Incident responseIncident response
Incident response
 
Cyber Security Vulnerabilities
Cyber Security VulnerabilitiesCyber Security Vulnerabilities
Cyber Security Vulnerabilities
 
Networking Fundamental Course by Haris Chughtai
Networking Fundamental Course by Haris ChughtaiNetworking Fundamental Course by Haris Chughtai
Networking Fundamental Course by Haris Chughtai
 
Security threats
Security threatsSecurity threats
Security threats
 
Security patterns and model driven architecture
Security patterns and model driven architectureSecurity patterns and model driven architecture
Security patterns and model driven architecture
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to Cybersecurity
 
InformationSecurity
InformationSecurityInformationSecurity
InformationSecurity
 
Ppt
PptPpt
Ppt
 
Computer Worms
Computer WormsComputer Worms
Computer Worms
 
Cyber security
Cyber securityCyber security
Cyber security
 
Information Security Awareness
Information Security Awareness Information Security Awareness
Information Security Awareness
 
Cyber Security Emerging Threats
Cyber Security Emerging ThreatsCyber Security Emerging Threats
Cyber Security Emerging Threats
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
 
Cyber Crime and Security
Cyber Crime and SecurityCyber Crime and Security
Cyber Crime and Security
 
Cyber warfare Threat to Cyber Security by Prashant Mali
Cyber warfare Threat to Cyber Security by Prashant MaliCyber warfare Threat to Cyber Security by Prashant Mali
Cyber warfare Threat to Cyber Security by Prashant Mali
 

En vedette

Cyberprzestępczość 2.0 (TAPT 2014)
Cyberprzestępczość 2.0 (TAPT 2014)Cyberprzestępczość 2.0 (TAPT 2014)
Cyberprzestępczość 2.0 (TAPT 2014)Adam Ziaja
 
Dlaczego polskie firmy są tak łatwym celem dla cyberprzestępców?
Dlaczego polskie firmy są tak łatwym celem dla cyberprzestępców?Dlaczego polskie firmy są tak łatwym celem dla cyberprzestępców?
Dlaczego polskie firmy są tak łatwym celem dla cyberprzestępców?PwC Polska
 
Reference models in Networks: OSI & TCP/IP
Reference models in Networks: OSI & TCP/IPReference models in Networks: OSI & TCP/IP
Reference models in Networks: OSI & TCP/IPMukesh Chinta
 
Praktyczne ataki na aplikacje webowe (TAPT 2015)
Praktyczne ataki na aplikacje webowe (TAPT 2015)Praktyczne ataki na aplikacje webowe (TAPT 2015)
Praktyczne ataki na aplikacje webowe (TAPT 2015)Adam Ziaja
 
ERAU webinar november 2016 cyber security
ERAU webinar november 2016 cyber security ERAU webinar november 2016 cyber security
ERAU webinar november 2016 cyber security Bill Gibbs
 
ITU Security in Telecommunications & Information Technology
ITU Security in Telecommunications & Information TechnologyITU Security in Telecommunications & Information Technology
ITU Security in Telecommunications & Information TechnologyITU
 
Computer Networks And Topology
Computer Networks And Topology Computer Networks And Topology
Computer Networks And Topology Fatih Bingül
 
Tackling today's cyber security challenges - WISER Services & Solutions
Tackling today's cyber security challenges - WISER Services & SolutionsTackling today's cyber security challenges - WISER Services & Solutions
Tackling today's cyber security challenges - WISER Services & SolutionsCYBERWISER .eu
 
Security First: What it is and What it Means for Your Business
Security First: What it is and What it Means for Your BusinessSecurity First: What it is and What it Means for Your Business
Security First: What it is and What it Means for Your BusinessGeorgian
 
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYCRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYKathirvel Ayyaswamy
 
IP adress and routing(networking)
IP adress and routing(networking)IP adress and routing(networking)
IP adress and routing(networking)welcometofacebook
 
5. message authentication and hash function
5. message authentication and hash function5. message authentication and hash function
5. message authentication and hash functionChirag Patel
 
Firewall, Trusted Systems,IP Security ,ESP Encryption and Authentication
Firewall, Trusted Systems,IP Security ,ESP Encryption and AuthenticationFirewall, Trusted Systems,IP Security ,ESP Encryption and Authentication
Firewall, Trusted Systems,IP Security ,ESP Encryption and AuthenticationGopal Sakarkar
 

En vedette (20)

Data link layer
Data link layer Data link layer
Data link layer
 
Cyberprzestępczość 2.0 (TAPT 2014)
Cyberprzestępczość 2.0 (TAPT 2014)Cyberprzestępczość 2.0 (TAPT 2014)
Cyberprzestępczość 2.0 (TAPT 2014)
 
Dlaczego polskie firmy są tak łatwym celem dla cyberprzestępców?
Dlaczego polskie firmy są tak łatwym celem dla cyberprzestępców?Dlaczego polskie firmy są tak łatwym celem dla cyberprzestępców?
Dlaczego polskie firmy są tak łatwym celem dla cyberprzestępców?
 
Reference models in Networks: OSI & TCP/IP
Reference models in Networks: OSI & TCP/IPReference models in Networks: OSI & TCP/IP
Reference models in Networks: OSI & TCP/IP
 
Ch01
Ch01Ch01
Ch01
 
Praktyczne ataki na aplikacje webowe (TAPT 2015)
Praktyczne ataki na aplikacje webowe (TAPT 2015)Praktyczne ataki na aplikacje webowe (TAPT 2015)
Praktyczne ataki na aplikacje webowe (TAPT 2015)
 
ERAU webinar november 2016 cyber security
ERAU webinar november 2016 cyber security ERAU webinar november 2016 cyber security
ERAU webinar november 2016 cyber security
 
Subnetting
SubnettingSubnetting
Subnetting
 
ITU Security in Telecommunications & Information Technology
ITU Security in Telecommunications & Information TechnologyITU Security in Telecommunications & Information Technology
ITU Security in Telecommunications & Information Technology
 
Computer Networks And Topology
Computer Networks And Topology Computer Networks And Topology
Computer Networks And Topology
 
Path of Cyber Security
Path of Cyber SecurityPath of Cyber Security
Path of Cyber Security
 
Error control
Error controlError control
Error control
 
Triggering transmission
Triggering transmissionTriggering transmission
Triggering transmission
 
Tackling today's cyber security challenges - WISER Services & Solutions
Tackling today's cyber security challenges - WISER Services & SolutionsTackling today's cyber security challenges - WISER Services & Solutions
Tackling today's cyber security challenges - WISER Services & Solutions
 
Token ring
Token ringToken ring
Token ring
 
Security First: What it is and What it Means for Your Business
Security First: What it is and What it Means for Your BusinessSecurity First: What it is and What it Means for Your Business
Security First: What it is and What it Means for Your Business
 
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYCRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITY
 
IP adress and routing(networking)
IP adress and routing(networking)IP adress and routing(networking)
IP adress and routing(networking)
 
5. message authentication and hash function
5. message authentication and hash function5. message authentication and hash function
5. message authentication and hash function
 
Firewall, Trusted Systems,IP Security ,ESP Encryption and Authentication
Firewall, Trusted Systems,IP Security ,ESP Encryption and AuthenticationFirewall, Trusted Systems,IP Security ,ESP Encryption and Authentication
Firewall, Trusted Systems,IP Security ,ESP Encryption and Authentication
 

Similaire à Introduction to security

Computer Security Chapter 1
Computer Security Chapter 1Computer Security Chapter 1
Computer Security Chapter 1Temesgen Berhanu
 
S.Karthika,II-M.sc(Computer Science),Bon Secours college for women,thanjavur
S.Karthika,II-M.sc(Computer Science),Bon Secours college for women,thanjavurS.Karthika,II-M.sc(Computer Science),Bon Secours college for women,thanjavur
S.Karthika,II-M.sc(Computer Science),Bon Secours college for women,thanjavurvkarthi314
 
Network security-S.Karthika II-M.Sc computer science,Bon Securous college for...
Network security-S.Karthika II-M.Sc computer science,Bon Securous college for...Network security-S.Karthika II-M.Sc computer science,Bon Securous college for...
Network security-S.Karthika II-M.Sc computer science,Bon Securous college for...karthikasivakumar3
 
International Journal of Engineering Research and Development
International Journal of Engineering Research and DevelopmentInternational Journal of Engineering Research and Development
International Journal of Engineering Research and DevelopmentIJERD Editor
 
Fundamentals of-information-security
Fundamentals of-information-security Fundamentals of-information-security
Fundamentals of-information-security madunix
 
Information System Security Policy Studies as a Form of Company Privacy Prote...
Information System Security Policy Studies as a Form of Company Privacy Prote...Information System Security Policy Studies as a Form of Company Privacy Prote...
Information System Security Policy Studies as a Form of Company Privacy Prote...Editor IJCATR
 
Network security chapter 1
Network security chapter 1Network security chapter 1
Network security chapter 1osama elfar
 
Cybersecurity Interview Questions and Answers.pdf
Cybersecurity Interview Questions and Answers.pdfCybersecurity Interview Questions and Answers.pdf
Cybersecurity Interview Questions and Answers.pdfJazmine Brown
 
Information security
Information securityInformation security
Information securitySanjay Tiwari
 
Ia 124 1621324143 ia_124_lecture_01
Ia 124 1621324143 ia_124_lecture_01Ia 124 1621324143 ia_124_lecture_01
Ia 124 1621324143 ia_124_lecture_01ITNet
 
PPT0-Computer Security Concepts.pptx
PPT0-Computer Security Concepts.pptxPPT0-Computer Security Concepts.pptx
PPT0-Computer Security Concepts.pptxPiBits
 
Unit 1 Information Security.docx
Unit 1 Information Security.docxUnit 1 Information Security.docx
Unit 1 Information Security.docxPrernaThakwani
 
information security (network security methods)
information security (network security methods)information security (network security methods)
information security (network security methods)Zara Nawaz
 
Information security ist lecture
Information security ist lectureInformation security ist lecture
Information security ist lectureZara Nawaz
 

Similaire à Introduction to security (20)

Security Ch-1.pptx
Security Ch-1.pptxSecurity Ch-1.pptx
Security Ch-1.pptx
 
Computer Security Chapter 1
Computer Security Chapter 1Computer Security Chapter 1
Computer Security Chapter 1
 
S.Karthika,II-M.sc(Computer Science),Bon Secours college for women,thanjavur
S.Karthika,II-M.sc(Computer Science),Bon Secours college for women,thanjavurS.Karthika,II-M.sc(Computer Science),Bon Secours college for women,thanjavur
S.Karthika,II-M.sc(Computer Science),Bon Secours college for women,thanjavur
 
Network security-S.Karthika II-M.Sc computer science,Bon Securous college for...
Network security-S.Karthika II-M.Sc computer science,Bon Securous college for...Network security-S.Karthika II-M.Sc computer science,Bon Securous college for...
Network security-S.Karthika II-M.Sc computer science,Bon Securous college for...
 
International Journal of Engineering Research and Development
International Journal of Engineering Research and DevelopmentInternational Journal of Engineering Research and Development
International Journal of Engineering Research and Development
 
Data Security
Data SecurityData Security
Data Security
 
Fundamentals of-information-security
Fundamentals of-information-security Fundamentals of-information-security
Fundamentals of-information-security
 
Information System Security Policy Studies as a Form of Company Privacy Prote...
Information System Security Policy Studies as a Form of Company Privacy Prote...Information System Security Policy Studies as a Form of Company Privacy Prote...
Information System Security Policy Studies as a Form of Company Privacy Prote...
 
Network security chapter 1
Network security chapter 1Network security chapter 1
Network security chapter 1
 
Cybersecurity Interview Questions and Answers.pdf
Cybersecurity Interview Questions and Answers.pdfCybersecurity Interview Questions and Answers.pdf
Cybersecurity Interview Questions and Answers.pdf
 
Information security
Information securityInformation security
Information security
 
Ia 124 1621324143 ia_124_lecture_01
Ia 124 1621324143 ia_124_lecture_01Ia 124 1621324143 ia_124_lecture_01
Ia 124 1621324143 ia_124_lecture_01
 
PPT0-Computer Security Concepts.pptx
PPT0-Computer Security Concepts.pptxPPT0-Computer Security Concepts.pptx
PPT0-Computer Security Concepts.pptx
 
Unit 1 Information Security.docx
Unit 1 Information Security.docxUnit 1 Information Security.docx
Unit 1 Information Security.docx
 
security IDS
security IDSsecurity IDS
security IDS
 
information security (network security methods)
information security (network security methods)information security (network security methods)
information security (network security methods)
 
Information security ist lecture
Information security ist lectureInformation security ist lecture
Information security ist lecture
 
I0516064
I0516064I0516064
I0516064
 
internet security and cyber lawUnit1
internet security and cyber lawUnit1internet security and cyber lawUnit1
internet security and cyber lawUnit1
 
COMPUTER SECURITY
COMPUTER SECURITYCOMPUTER SECURITY
COMPUTER SECURITY
 

Plus de Mukesh Chinta

CCNA-2 SRWE Mod-10 LAN Security Concepts
CCNA-2 SRWE Mod-10 LAN Security ConceptsCCNA-2 SRWE Mod-10 LAN Security Concepts
CCNA-2 SRWE Mod-10 LAN Security ConceptsMukesh Chinta
 
CCNA-2 SRWE Mod-11 Switch Security Configuration
CCNA-2 SRWE Mod-11 Switch Security ConfigurationCCNA-2 SRWE Mod-11 Switch Security Configuration
CCNA-2 SRWE Mod-11 Switch Security ConfigurationMukesh Chinta
 
CCNA-2 SRWE Mod-12 WLAN Concepts
CCNA-2 SRWE Mod-12 WLAN ConceptsCCNA-2 SRWE Mod-12 WLAN Concepts
CCNA-2 SRWE Mod-12 WLAN ConceptsMukesh Chinta
 
CCNA-2 SRWE Mod-13 WLAN Configuration
CCNA-2 SRWE Mod-13 WLAN ConfigurationCCNA-2 SRWE Mod-13 WLAN Configuration
CCNA-2 SRWE Mod-13 WLAN ConfigurationMukesh Chinta
 
CCNA-2 SRWE Mod-15 Static IP Routing
CCNA-2 SRWE Mod-15 Static IP RoutingCCNA-2 SRWE Mod-15 Static IP Routing
CCNA-2 SRWE Mod-15 Static IP RoutingMukesh Chinta
 
CCNA-2 SRWE Mod-14 Routing Concepts
CCNA-2 SRWE Mod-14 Routing ConceptsCCNA-2 SRWE Mod-14 Routing Concepts
CCNA-2 SRWE Mod-14 Routing ConceptsMukesh Chinta
 
Protecting the Organization - Cisco: Intro to Cybersecurity Chap-4
Protecting the Organization - Cisco: Intro to Cybersecurity Chap-4Protecting the Organization - Cisco: Intro to Cybersecurity Chap-4
Protecting the Organization - Cisco: Intro to Cybersecurity Chap-4Mukesh Chinta
 
Protecting Your Data and Privacy- Cisco: Intro to Cybersecurity chap-3
Protecting Your Data and Privacy- Cisco: Intro to Cybersecurity chap-3Protecting Your Data and Privacy- Cisco: Intro to Cybersecurity chap-3
Protecting Your Data and Privacy- Cisco: Intro to Cybersecurity chap-3Mukesh Chinta
 
Attacks, Concepts and Techniques - Cisco: Intro to Cybersecurity Chap-2
Attacks, Concepts and Techniques - Cisco: Intro to Cybersecurity Chap-2Attacks, Concepts and Techniques - Cisco: Intro to Cybersecurity Chap-2
Attacks, Concepts and Techniques - Cisco: Intro to Cybersecurity Chap-2Mukesh Chinta
 
The need for Cybersecurity - Cisco Intro to Cybersec Chap-1
The need for Cybersecurity - Cisco Intro to Cybersec Chap-1The need for Cybersecurity - Cisco Intro to Cybersec Chap-1
The need for Cybersecurity - Cisco Intro to Cybersec Chap-1Mukesh Chinta
 
Cisco Cybersecurity Essentials Chapter- 7
Cisco Cybersecurity Essentials Chapter- 7Cisco Cybersecurity Essentials Chapter- 7
Cisco Cybersecurity Essentials Chapter- 7Mukesh Chinta
 
Protocols and Reference models CCNAv7-1
Protocols and Reference models CCNAv7-1Protocols and Reference models CCNAv7-1
Protocols and Reference models CCNAv7-1Mukesh Chinta
 
Basic Switch and End Device configuration CCNA7 Module 2
Basic Switch and End Device configuration CCNA7 Module 2Basic Switch and End Device configuration CCNA7 Module 2
Basic Switch and End Device configuration CCNA7 Module 2Mukesh Chinta
 
Introduction to networks CCNAv7 Module-1
Introduction to networks CCNAv7 Module-1Introduction to networks CCNAv7 Module-1
Introduction to networks CCNAv7 Module-1Mukesh Chinta
 
Process scheduling (CPU Scheduling)
Process scheduling (CPU Scheduling)Process scheduling (CPU Scheduling)
Process scheduling (CPU Scheduling)Mukesh Chinta
 
OS - Process Concepts
OS - Process ConceptsOS - Process Concepts
OS - Process ConceptsMukesh Chinta
 
Operating systems system structures
Operating systems system structuresOperating systems system structures
Operating systems system structuresMukesh Chinta
 
Introduction to Operating Systems
Introduction to Operating SystemsIntroduction to Operating Systems
Introduction to Operating SystemsMukesh Chinta
 
Cisco cybersecurity essentials chapter 8
Cisco cybersecurity essentials chapter 8Cisco cybersecurity essentials chapter 8
Cisco cybersecurity essentials chapter 8Mukesh Chinta
 
Cisco cybersecurity essentials chapter - 6
Cisco cybersecurity essentials chapter - 6Cisco cybersecurity essentials chapter - 6
Cisco cybersecurity essentials chapter - 6Mukesh Chinta
 

Plus de Mukesh Chinta (20)

CCNA-2 SRWE Mod-10 LAN Security Concepts
CCNA-2 SRWE Mod-10 LAN Security ConceptsCCNA-2 SRWE Mod-10 LAN Security Concepts
CCNA-2 SRWE Mod-10 LAN Security Concepts
 
CCNA-2 SRWE Mod-11 Switch Security Configuration
CCNA-2 SRWE Mod-11 Switch Security ConfigurationCCNA-2 SRWE Mod-11 Switch Security Configuration
CCNA-2 SRWE Mod-11 Switch Security Configuration
 
CCNA-2 SRWE Mod-12 WLAN Concepts
CCNA-2 SRWE Mod-12 WLAN ConceptsCCNA-2 SRWE Mod-12 WLAN Concepts
CCNA-2 SRWE Mod-12 WLAN Concepts
 
CCNA-2 SRWE Mod-13 WLAN Configuration
CCNA-2 SRWE Mod-13 WLAN ConfigurationCCNA-2 SRWE Mod-13 WLAN Configuration
CCNA-2 SRWE Mod-13 WLAN Configuration
 
CCNA-2 SRWE Mod-15 Static IP Routing
CCNA-2 SRWE Mod-15 Static IP RoutingCCNA-2 SRWE Mod-15 Static IP Routing
CCNA-2 SRWE Mod-15 Static IP Routing
 
CCNA-2 SRWE Mod-14 Routing Concepts
CCNA-2 SRWE Mod-14 Routing ConceptsCCNA-2 SRWE Mod-14 Routing Concepts
CCNA-2 SRWE Mod-14 Routing Concepts
 
Protecting the Organization - Cisco: Intro to Cybersecurity Chap-4
Protecting the Organization - Cisco: Intro to Cybersecurity Chap-4Protecting the Organization - Cisco: Intro to Cybersecurity Chap-4
Protecting the Organization - Cisco: Intro to Cybersecurity Chap-4
 
Protecting Your Data and Privacy- Cisco: Intro to Cybersecurity chap-3
Protecting Your Data and Privacy- Cisco: Intro to Cybersecurity chap-3Protecting Your Data and Privacy- Cisco: Intro to Cybersecurity chap-3
Protecting Your Data and Privacy- Cisco: Intro to Cybersecurity chap-3
 
Attacks, Concepts and Techniques - Cisco: Intro to Cybersecurity Chap-2
Attacks, Concepts and Techniques - Cisco: Intro to Cybersecurity Chap-2Attacks, Concepts and Techniques - Cisco: Intro to Cybersecurity Chap-2
Attacks, Concepts and Techniques - Cisco: Intro to Cybersecurity Chap-2
 
The need for Cybersecurity - Cisco Intro to Cybersec Chap-1
The need for Cybersecurity - Cisco Intro to Cybersec Chap-1The need for Cybersecurity - Cisco Intro to Cybersec Chap-1
The need for Cybersecurity - Cisco Intro to Cybersec Chap-1
 
Cisco Cybersecurity Essentials Chapter- 7
Cisco Cybersecurity Essentials Chapter- 7Cisco Cybersecurity Essentials Chapter- 7
Cisco Cybersecurity Essentials Chapter- 7
 
Protocols and Reference models CCNAv7-1
Protocols and Reference models CCNAv7-1Protocols and Reference models CCNAv7-1
Protocols and Reference models CCNAv7-1
 
Basic Switch and End Device configuration CCNA7 Module 2
Basic Switch and End Device configuration CCNA7 Module 2Basic Switch and End Device configuration CCNA7 Module 2
Basic Switch and End Device configuration CCNA7 Module 2
 
Introduction to networks CCNAv7 Module-1
Introduction to networks CCNAv7 Module-1Introduction to networks CCNAv7 Module-1
Introduction to networks CCNAv7 Module-1
 
Process scheduling (CPU Scheduling)
Process scheduling (CPU Scheduling)Process scheduling (CPU Scheduling)
Process scheduling (CPU Scheduling)
 
OS - Process Concepts
OS - Process ConceptsOS - Process Concepts
OS - Process Concepts
 
Operating systems system structures
Operating systems system structuresOperating systems system structures
Operating systems system structures
 
Introduction to Operating Systems
Introduction to Operating SystemsIntroduction to Operating Systems
Introduction to Operating Systems
 
Cisco cybersecurity essentials chapter 8
Cisco cybersecurity essentials chapter 8Cisco cybersecurity essentials chapter 8
Cisco cybersecurity essentials chapter 8
 
Cisco cybersecurity essentials chapter - 6
Cisco cybersecurity essentials chapter - 6Cisco cybersecurity essentials chapter - 6
Cisco cybersecurity essentials chapter - 6
 

Dernier

Thyroid Physiology_Dr.E. Muralinath_ Associate Professor
Thyroid Physiology_Dr.E. Muralinath_ Associate ProfessorThyroid Physiology_Dr.E. Muralinath_ Associate Professor
Thyroid Physiology_Dr.E. Muralinath_ Associate Professormuralinath2
 
chemical bonding Essentials of Physical Chemistry2.pdf
chemical bonding Essentials of Physical Chemistry2.pdfchemical bonding Essentials of Physical Chemistry2.pdf
chemical bonding Essentials of Physical Chemistry2.pdfTukamushabaBismark
 
Pests of mustard_Identification_Management_Dr.UPR.pdf
Pests of mustard_Identification_Management_Dr.UPR.pdfPests of mustard_Identification_Management_Dr.UPR.pdf
Pests of mustard_Identification_Management_Dr.UPR.pdfPirithiRaju
 
Digital Dentistry.Digital Dentistryvv.pptx
Digital Dentistry.Digital Dentistryvv.pptxDigital Dentistry.Digital Dentistryvv.pptx
Digital Dentistry.Digital Dentistryvv.pptxMohamedFarag457087
 
FAIRSpectra - Enabling the FAIRification of Analytical Science
FAIRSpectra - Enabling the FAIRification of Analytical ScienceFAIRSpectra - Enabling the FAIRification of Analytical Science
FAIRSpectra - Enabling the FAIRification of Analytical ScienceAlex Henderson
 
9654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 6000
9654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 60009654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 6000
9654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 6000Sapana Sha
 
Locating and isolating a gene, FISH, GISH, Chromosome walking and jumping, te...
Locating and isolating a gene, FISH, GISH, Chromosome walking and jumping, te...Locating and isolating a gene, FISH, GISH, Chromosome walking and jumping, te...
Locating and isolating a gene, FISH, GISH, Chromosome walking and jumping, te...Silpa
 
GBSN - Microbiology (Unit 1)
GBSN - Microbiology (Unit 1)GBSN - Microbiology (Unit 1)
GBSN - Microbiology (Unit 1)Areesha Ahmad
 
COST ESTIMATION FOR A RESEARCH PROJECT.pptx
COST ESTIMATION FOR A RESEARCH PROJECT.pptxCOST ESTIMATION FOR A RESEARCH PROJECT.pptx
COST ESTIMATION FOR A RESEARCH PROJECT.pptxFarihaAbdulRasheed
 
development of diagnostic enzyme assay to detect leuser virus
development of diagnostic enzyme assay to detect leuser virusdevelopment of diagnostic enzyme assay to detect leuser virus
development of diagnostic enzyme assay to detect leuser virusNazaninKarimi6
 
Vip profile Call Girls In Lonavala 9748763073 For Genuine Sex Service At Just...
Vip profile Call Girls In Lonavala 9748763073 For Genuine Sex Service At Just...Vip profile Call Girls In Lonavala 9748763073 For Genuine Sex Service At Just...
Vip profile Call Girls In Lonavala 9748763073 For Genuine Sex Service At Just...Monika Rani
 
Pests of cotton_Borer_Pests_Binomics_Dr.UPR.pdf
Pests of cotton_Borer_Pests_Binomics_Dr.UPR.pdfPests of cotton_Borer_Pests_Binomics_Dr.UPR.pdf
Pests of cotton_Borer_Pests_Binomics_Dr.UPR.pdfPirithiRaju
 
High Profile 🔝 8250077686 📞 Call Girls Service in GTB Nagar🍑
High Profile 🔝 8250077686 📞 Call Girls Service in GTB Nagar🍑High Profile 🔝 8250077686 📞 Call Girls Service in GTB Nagar🍑
High Profile 🔝 8250077686 📞 Call Girls Service in GTB Nagar🍑Damini Dixit
 
Pulmonary drug delivery system M.pharm -2nd sem P'ceutics
Pulmonary drug delivery system M.pharm -2nd sem P'ceuticsPulmonary drug delivery system M.pharm -2nd sem P'ceutics
Pulmonary drug delivery system M.pharm -2nd sem P'ceuticssakshisoni2385
 
Call Girls Ahmedabad +917728919243 call me Independent Escort Service
Call Girls Ahmedabad +917728919243 call me Independent Escort ServiceCall Girls Ahmedabad +917728919243 call me Independent Escort Service
Call Girls Ahmedabad +917728919243 call me Independent Escort Serviceshivanisharma5244
 
GBSN - Microbiology (Unit 2)
GBSN - Microbiology (Unit 2)GBSN - Microbiology (Unit 2)
GBSN - Microbiology (Unit 2)Areesha Ahmad
 
300003-World Science Day For Peace And Development.pptx
300003-World Science Day For Peace And Development.pptx300003-World Science Day For Peace And Development.pptx
300003-World Science Day For Peace And Development.pptxryanrooker
 

Dernier (20)

Thyroid Physiology_Dr.E. Muralinath_ Associate Professor
Thyroid Physiology_Dr.E. Muralinath_ Associate ProfessorThyroid Physiology_Dr.E. Muralinath_ Associate Professor
Thyroid Physiology_Dr.E. Muralinath_ Associate Professor
 
chemical bonding Essentials of Physical Chemistry2.pdf
chemical bonding Essentials of Physical Chemistry2.pdfchemical bonding Essentials of Physical Chemistry2.pdf
chemical bonding Essentials of Physical Chemistry2.pdf
 
Site Acceptance Test .
Site Acceptance Test .Site Acceptance Test .
Site Acceptance Test .
 
Pests of mustard_Identification_Management_Dr.UPR.pdf
Pests of mustard_Identification_Management_Dr.UPR.pdfPests of mustard_Identification_Management_Dr.UPR.pdf
Pests of mustard_Identification_Management_Dr.UPR.pdf
 
Clean In Place(CIP).pptx .
Clean In Place(CIP).pptx .Clean In Place(CIP).pptx .
Clean In Place(CIP).pptx .
 
Digital Dentistry.Digital Dentistryvv.pptx
Digital Dentistry.Digital Dentistryvv.pptxDigital Dentistry.Digital Dentistryvv.pptx
Digital Dentistry.Digital Dentistryvv.pptx
 
FAIRSpectra - Enabling the FAIRification of Analytical Science
FAIRSpectra - Enabling the FAIRification of Analytical ScienceFAIRSpectra - Enabling the FAIRification of Analytical Science
FAIRSpectra - Enabling the FAIRification of Analytical Science
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
9654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 6000
9654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 60009654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 6000
9654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 6000
 
Locating and isolating a gene, FISH, GISH, Chromosome walking and jumping, te...
Locating and isolating a gene, FISH, GISH, Chromosome walking and jumping, te...Locating and isolating a gene, FISH, GISH, Chromosome walking and jumping, te...
Locating and isolating a gene, FISH, GISH, Chromosome walking and jumping, te...
 
GBSN - Microbiology (Unit 1)
GBSN - Microbiology (Unit 1)GBSN - Microbiology (Unit 1)
GBSN - Microbiology (Unit 1)
 
COST ESTIMATION FOR A RESEARCH PROJECT.pptx
COST ESTIMATION FOR A RESEARCH PROJECT.pptxCOST ESTIMATION FOR A RESEARCH PROJECT.pptx
COST ESTIMATION FOR A RESEARCH PROJECT.pptx
 
development of diagnostic enzyme assay to detect leuser virus
development of diagnostic enzyme assay to detect leuser virusdevelopment of diagnostic enzyme assay to detect leuser virus
development of diagnostic enzyme assay to detect leuser virus
 
Vip profile Call Girls In Lonavala 9748763073 For Genuine Sex Service At Just...
Vip profile Call Girls In Lonavala 9748763073 For Genuine Sex Service At Just...Vip profile Call Girls In Lonavala 9748763073 For Genuine Sex Service At Just...
Vip profile Call Girls In Lonavala 9748763073 For Genuine Sex Service At Just...
 
Pests of cotton_Borer_Pests_Binomics_Dr.UPR.pdf
Pests of cotton_Borer_Pests_Binomics_Dr.UPR.pdfPests of cotton_Borer_Pests_Binomics_Dr.UPR.pdf
Pests of cotton_Borer_Pests_Binomics_Dr.UPR.pdf
 
High Profile 🔝 8250077686 📞 Call Girls Service in GTB Nagar🍑
High Profile 🔝 8250077686 📞 Call Girls Service in GTB Nagar🍑High Profile 🔝 8250077686 📞 Call Girls Service in GTB Nagar🍑
High Profile 🔝 8250077686 📞 Call Girls Service in GTB Nagar🍑
 
Pulmonary drug delivery system M.pharm -2nd sem P'ceutics
Pulmonary drug delivery system M.pharm -2nd sem P'ceuticsPulmonary drug delivery system M.pharm -2nd sem P'ceutics
Pulmonary drug delivery system M.pharm -2nd sem P'ceutics
 
Call Girls Ahmedabad +917728919243 call me Independent Escort Service
Call Girls Ahmedabad +917728919243 call me Independent Escort ServiceCall Girls Ahmedabad +917728919243 call me Independent Escort Service
Call Girls Ahmedabad +917728919243 call me Independent Escort Service
 
GBSN - Microbiology (Unit 2)
GBSN - Microbiology (Unit 2)GBSN - Microbiology (Unit 2)
GBSN - Microbiology (Unit 2)
 
300003-World Science Day For Peace And Development.pptx
300003-World Science Day For Peace And Development.pptx300003-World Science Day For Peace And Development.pptx
300003-World Science Day For Peace And Development.pptx
 

Introduction to security

  • 1.
  • 2. 2  Data: raw facts {Alphanumeric, image, audio, and video}  Information: result of processing, manipulating and organizing data in a way that adds to the knowledge of the receiver. {Processed Data}  Knowledge: Knowledge is normally processed by means of structuring, grouping, filtering, organizing or pattern recognition. {Highly structured information} An Information System is a set of interrelated components that collect or retrieve, process, store and distribute information to support decision making and control in an organization. Mukesh Chinta, Asst Prof, CSE,VRSEC 'Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected’ BS ISO 27002:2005
  • 3. 3  Security is one of the oldest problem that governments, commercial organizations and almost every person has to face. The need of security exists since information became a valuable resource.  Introduction of computer systems to business has escalated the security problem even more.  The advances in networking and specially in distributed systems made the need for security even greater.  Any breach with the Information System will lead to Loss of productivity, loss of revenue, legal liabilities, loss of reputation and other losses.  Cyber crime is defined as criminal activity involving the IT infrastructure, including illegal access, illegal interception, data interference, misuse of devices, ID theft and electronic fraud Mukesh Chinta, Asst Prof, CSE,VRSEC
  • 4. 4 Mukesh Chinta, Asst Prof, CSE,VRSEC The e-commerce sector in India is facing a major hurdle due to ineffectiveness of cyber laws.
  • 5. 5
  • 6. 6  So now we know that we need security. BUT what is security anyway ?  Many people fail to understand the meaning of the word.  Many corporations install an antivirus software, and/or a firewall and believe they are protected. Are they ? “In the real world, security involves processes. It involves preventive technologies, but also detection and reaction processes, and an entire forensics system to hunt down and prosecute the guilty. Security is not a product; it itself is a process. …. ” Bruce Schneier
  • 7. Mukesh Chinta, Asst Prof, CSE,VRSEC 7 The U.S. Government’s National Information Assurance Glossary defines INFOSEC as: “Protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.”
  • 8. 8 ARPANET, the precursor to the modern internet allowed easy synchronization of information between data centers but has unsecure points between the data centers and the public. This vulnerability was addressed by securing physical locations and hardware. A task force formed by ARPA (Advanced Research Projects Agency) to study internet security in 1967 found this method to be inadequate, and released the Rand Report R-609 which determined additional steps must be taken to improve security. This report marked an important stage in the development of today's information security.  1960s: Organizations start to protect their computers  1970s: The first hacker attacks begin  1980s: Governments become proactive in the fight against cybercrime  1990s: Organized crime gets involved in hacking  2000s: Cybercrime becomes treated like a crime  2010s: Information security becomes serious Mukesh Chinta, Asst Prof, CSE,VRSEC
  • 9. 9 Mukesh Chinta, Asst Prof, CSE,VRSEC The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications). The NIST (National Institute of Standards & Technology} Computer Security Handbook [NIST95] (Available from: http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf) defines the term computer security as The definition introduces three key objectives that are at the heart of the computer security:  Confidentiality • Data Confidentiality • Privacy  Integrity • Data Integrity • System Integrity  Availability
  • 10. 10  Confidentiality • Data Confidentiality - Assures that private or confidential information is not made available or disclosed to unauthorized individuals. • Privacy - Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.  Integrity • Data Integrity - Assures that information and programs are changed only in a specified and authorized manner • System Integrity - Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.  Availability - Assures that systems work promptly and service is not denied to authorized users. Mukesh Chinta, Asst Prof, CSE,VRSEC
  • 11. 11 Federal Information Processing Standards Publications (FIPS PUB 199) provides a useful characterization of these three objectives in terms of requirements and the definition of a loss of security in each category: • Confidentiality : Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information. • Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information. • Availability: Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system. • Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. • Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.
  • 12. 12 LOW MODERATE HIGH Effect on organizational operations, assets or individuals Limited Serious Severe or even catastrophic Primary functions of the organization and their effectiveness Minor degradation Significant degradation Severe degradation Damage to organizational assets Minor Significant Major Financial Loss Minor Significant Major Harm to individual Minor Significant Severe (loss of life or life-threatening injuries) FIPS PUB 199 define three levels of impact on organizations or individuals should there be a breach of security : Low, Moderate and High
  • 13. 13 1. Not simple – seems to be straight forward but very complex 2. Must consider potential attacks on security features 3. Procedures used are often counter-intuitive 4. Involves multiple algorithms and secret information 5. Must decide where to deploy security mechanisms 6. Battle of wits between attacker / admin 7. Not perceived on benefit until a security failure happens 8. Requires regular/constant monitoring which is difficult 9. Often an after-thought rather than an integral part of the process 10. Strong security is regarded as impediment to free usage of a system Mukesh Chinta, Asst Prof, CSE,VRSEC
  • 14. 14 Mukesh Chinta, Asst Prof, CSE,VRSEC ITU-T X.800 “Security Architecture for OSI” defines a systematic way of defining and providing security requirements. Three important aspects of OSI security architecture are: : Any action that compromises the security of information owned by an organization. : A process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack. : A processing or communication service that enhances the security of the data processing systems and the information transfers of an organization.
  • 15. Threats Vulnerabilities Risk Asset valuesProtection Requirements Information assets Controls * reduce – a potential for violation of security – Something that can potentially cause damage to the organization, IT Systems or network – an assault on system security, a deliberate attempt to evade security services : A possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset. Relationship between Risk, Threats, and Vulnerabilities Mukesh Chinta, Asst Prof, CSE,VRSEC
  • 16. 16 Mukesh Chinta, Asst Prof, CSE,VRSEC The security attacks are classified into and  A passive attack attempts to learn or make use of information from the system but does not affect system resources. These are difficult to detect and focus will be on prevention.  Active attacks involve some modification of the data stream or the creation of a false stream. These are difficult to prevent and focus is on detection and recovery.
  • 17. 17 Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted. Two types of passive attacks are:  Release of message contents – Any transferred message could be intercepted or listened to  Traffic analysis - monitor traffic flow to determine location and identity of communicating hosts and could observe the frequency and length of messages being exchanged. Release of Message Contents Traffic Analysis
  • 18. 18 An active attack is one in which an unauthorized change of the system is attempted. This could include, for example, the modification of transmitted or stored data, or the creation of new data streams relate to an entity (usually a computer or a person) taking on a false identity in order to acquire or modify information, and in effect achieve an unwarranted privilege status. involves the re-use of captured data at a later time than originally intended in order to repeat some action of benefit to the attacker. Mukesh Chinta, Asst Prof, CSE,VRSEC
  • 19. 19 could involve modifying a packet header address for the purpose of directing it to an unintended destination or modifying the user data. prevent the normal use or management of communication services, and may take the form of either a targeted attack on a particular service or a broad, incapacitating attack. Mukesh Chinta, Asst Prof, CSE,VRSEC
  • 20.
  • 21. Security Services Authentication Access Control Data Confidentiality Data Integrity Non Repudiation Peer Entity Authentication Data-Origin Authentication Connection Confidentiality Connectionless Confidentiality Selective-Field Confidentiality Traffic-Flow Confidentiality Connection Integrity with Recovery Connection Integrity without Recovery Selective-Field Connection Integrity Connectionless Integrity Selective-Field Connectionless Integrity Nonrepudiation, Origin Nonrepudiation, Destination RFC 2828 defines Security Service as a processing or communication service that is provided by a system to give a specific kind of protection to system resources. X.800 divides security services into five categories and fourteen specific services. Security Services intend to counter security attacks and make use of one or more security mechanisms to provide the service
  • 22. 22 – Authentication service is concerned with assurance that communicating entity is the one claimed. It helps in establishing proof of identification. Two specific authentication services are defined: - provides corroboration of the identity of a peer entity in an association. This service provides confidence, at the time of usage only, that an entity is not attempting a masquerade or an unauthorized replay of a previous connection. - provides corroboration of the source of a data unit. In a connectionless transfer, provides assurance that the source of received data is as claimed – It is the protection of transmitted data from passive attacks, and the protection of traffic flow from analysis. : The protection of all user data on a connection : The protection of all user data in a single data block The confidentiality of selected fields within the user data on a connection or in a single data block The protection of the information that might be derived from observation of traffic flows Mukesh Chinta, Asst Prof, CSE,VRSEC
  • 23. 23 – It assures that messages are received as sent by an authorized entity, with no duplication, insertion, modification, reordering, replay, or loss. Provides for the integrity of all user data on a connection and detects any modification, insertion, deletion, or replay of any data within an entire data sequence, with recovery attempted As above, but provides only detection without recovery. Provides for the integrity of selected fields within the user data of a data block transferred over a connection and takes the form of determination of whether the selected fields have been modified, inserted, deleted, or replayed. Provides for the integrity of a single connectionless data block and may take the form of detection of data modification. Provides for the integrity of selected fields within a single connectionless data block – It is the ability to limit and control the access to host systems and applications via communications links. The prevention of unauthorized use of a resource (i.e., this service controls who can have access to a resource, under what conditions access can occur, and what those accessing the resource are allowed to do). Mukesh Chinta, Asst Prof, CSE,VRSEC
  • 24. 24 : This service does not allow the sender or receiver of a message to refuse the claim of not sending or receiving that message. : Proof that the message was sent by the specified party. : Proof that the message was received by the specified part. - It is the property of a system / resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system. A variety of attacks can result in the loss of or reduction in availability.
  • 25. 25 Interception Is Private? Modification Has been altered? Forgery Who am I dealing with? Claim Who sent/received it? Not SENT ! Denial of Service Wish to access!! Have you privilege? Unauthorized access Security Needs for Network Communications Mukesh Chinta, Asst Prof, CSE,VRSEC
  • 26. 26 Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack. No single mechanism that will support all functions required.  The security mechanisms are divided into those that are implemented in a specific protocol layer called and those that are not specific to any particular protocol layer or security service called .
  • 27. Security Mechanism Description Encipherment The use of mathematical algorithms to transform data into a form that is not readily intelligible. The transformation and subsequent recovery of the data depend on an algorithm and zero or more encryption keys. Digital Signature Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery. Access Control A variety of mechanisms that enforce access rights to resources. Data Integrity A variety of mechanisms used to assure the integrity of a data unit or stream of data units. Authentication Exchange A mechanism intended to ensure the identity of an entity by means of information exchange Traffic Padding The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts. Routing Control Enables selection of particular physically secure routes for certain data and allows routing changes, especially when a breach of security is suspected. Notarization The use of a trusted third party to assure certain properties of a data exchange. Mukesh Chinta, Asst Prof, CSE,VRSEC
  • 28. 28 Security Mechanism Description Trusted Functionality That which is perceived to be correct with respect to some criteria (e.g., as established by a security policy). Security Label The marking bound to a resource (which may be a data unit) that names or designates the security attributes of that resource. Event Detection Detection of security-relevant events Security Audit Trail Data collected and potentially used to facilitate a security audit, which is an independent review and examination of system records and activities. Security Recovery Deals with requests from mechanisms, such as event handling and management functions, and takes recovery actions.
  • 29. 29 Mukesh Chinta, Asst Prof, CSE,VRSEC
  • 30. Data is transmitted over network between two communicating parties, who must cooperate for the exchange to take place. A logical information channel is established by defining a route through the internet from source to destination by use of communication protocols by the two parties. Two components are present in almost all the security providing techniques.  A security-related transformation on the information to be sent making it unreadable by the opponent, and the addition of a code based on the contents of the message, used to verify the identity of sender.  Some secret information shared by the two principals and, it, unknown to the opponent. A trusted third party may be needed to distribute the secret information or to arbitrate disputes between the principals.
  • 31. 31 The general model shows that there are four basic tasks in designing a particular security service: 1. Design an algorithm for performing the security-related transformation. The algorithm should be such that an opponent cannot defeat its purpose 2. Generate the secret information to be used with the algorithm 3. Develop methods for the distribution and sharing of the secret information 4. Specify a protocol to be used by the two principals that makes use of the security algorithm and the secret information to achieve a particular security service Various other threats to information system like unwanted access still exist. The existence of hackers attempting to penetrate systems accessible over a network remains a concern. Another threat is placement of some logic in computer system affecting various applications and utility programs. This inserted code presents two kinds of threats.  Information access threats intercept or modify data on behalf of users who should not have access to that data  Service threats exploit service flaws in computers to inhibit use by legitimate users Mukesh Chinta, Asst Prof, CSE,VRSEC
  • 32. 32 Viruses and worms are two examples of software attacks inserted into the system by means of a disk or also across the network. Placing a gatekeeper function, which includes a password-based login methods that provide access to only authorized users and screening logic to detect and reject worms, viruses etc. An internal control, monitoring the internal system activities analyzes the stored information and detects the presence of unauthorized users or intruders. Mukesh Chinta, Asst Prof, CSE,VRSEC
  • 33. 33 Security Controls are categorized based on their functionality and plane of application. Based on functionality, the types of controls are given as: - These try to prevent security violations and enforce access control. Like other controls, preventive controls may be physical, administrative, or technical: doors, security procedures, and authentication requirements - Detective controls are in place to detect security violations and alert the defenders. They come into play when preventive controls have failed or have been circumvented and are no less crucial than detective controls. Detective controls include cryptographic checksums, file integrity checkers, audit trails and logs, and similar mechanisms. - Corrective controls try to correct the situation after a security violation has occurred. Corrective controls vary widely, depending on the area being targeted, and they may be technical or administrative in nature. - Deterrent controls are intended to discourage potential attackers. Examples of deterrent controls include notices of monitoring and logging as well as the visible practice of sound information security management. – similar to corrective controls applied in more serious situations to recover from security violations and restore information and information processing resources. These include disaster recovery and business continuity mechanisms, backup systems and data, emergency key management arrangements, and similar controls. - are intended to be alternative arrangements for other controls when the original controls have failed or cannot be used. When a second set of controls addresses the same threats that are addressed by another set of controls, the second set of controls are compensating controls. Mukesh Chinta, Asst Prof, CSE,VRSEC
  • 34. 34 Based on plane of application, the types of controls are given as:  Physical Controls include doors, secure facilities, fire extinguishers, flood protection, and air conditioning.  Administrative Controls are the organization’s policies, procedures, and guidelines intended to facilitate information security.  Technical controls are the various technical measures, such as firewalls, authentication systems, intrusion detection systems, and file encryption, among others.  Logical access control models are the abstract foundations upon which actual access control mechanisms and systems are built.  Access control models define how computers enforce access of subjects (such as users, other computers, applications, and so on) to objects (such as computers, files, directories, applications, servers, and devices).  Three main access control models exist:
  • 35. Discretionary Access Control (DAC) 35 • In the DAC model, the owner (creator) of information (file or directory) has the discretion to decide about and set access control restrictions on the object in question. • The advantage of DAC is its flexibility: users may decide who can access information and what they can do with it—read, write, delete, rename, execute, and so on. • At the same time, this flexibility is also a disadvantage of DAC because users may make wrong decisions regarding access control restrictions or maliciously set insecure or inappropriate permissions. Mandatory Access Control (MAC) • In systems utilizing MAC, users have little or no discretion as to what access permissions they can set on their information. • MAC-based systems use data classification levels (such as public, confidential, secret, and top secret) and security clearance labels corresponding to data classification levels to decide, in accordance with the security policy set by the system administrator, what access control restrictions to enforce. • Additionally, per-group and/or per-domain access control restrictions may be imposed—that is, in addition to having the required security clearance level, subjects(users or applications) must also belong to the appropriate group or domain. This concept is called Compartamentalization or need to know. • Though MAC systems are thought to be more secure than DAC systems, they are more difficult to use and administer because of the additional restrictions imposed by the OS. • Typically MAC systems are used in government, military and financial environments, where higher level of security is required and costs are tolerated. Mukesh Chinta, Asst Prof, CSE,VRSEC
  • 36. 36 Role-Based Access Control (RBAC) In the role-based access control model, rights and permissions are assigned to roles instead of individual users. This added layer of abstraction permits easier and more flexible administration and enforcement of access controls. Centralized vs. Decentralized Access Control In environments with centralized access control, a single, central entity makes access control decisions and manages the access control system; whereas in distributed access control environments, these decisions are made and enforced in a decentralized manner. The selection of a particular access control approach should be made only after careful consideration of an organization’s requirements and associated risks. Mukesh Chinta, Asst Prof, CSE,VRSEC
  • 37. 37 A vulnerability can occur anywhere in the IT environment, and can be the result of many different root causes. solutions gather comprehensive endpoint and network intelligence and apply advanced analytics to identify and prioritize the vulnerabilities that pose the most risk to critical systems. includes assessment of the environment for known vulnerabilities, and to assess IT components using the security configuration policies(by device role) that have been defined for the environment. is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities. provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. provides a common language of discourse for discussing, finding and dealing with the causes of software security vulnerabilities as they are found in code, design, or system architecture.