Module 4: Introduction to Cyber Security
• Security Architecture and Models.
• System Security
• OS Security
• Wireless network and Security.
Chapter 1: Security Architecture and
• Designing Secure OS
• CPU (Central Processing Unit): a microprocessor that contains a
control unit and an arithmetic logic unit (ALU).
• Memory: the OS instructions, applications and data are held in the
Basic Input Output System (BIOS).
• There are basically two types of memories :
• Primary Memory: RAM (random access memory) is a type of
temporary storage facility where data can be held and altered.
• It is a type of volatile memory.
• Secondary Memory: ROM (read-only memory) is a type of
permanent storage facility where data can be held and altered.
• It is a type of non-volatile memory.
Malicious Software Attacks
– Wide variety of damaging or annoying
– Enters a computer system without the
owner’s knowledge or consent
• Primary objectives of malware
– Infect a computer system with
– Conceal a malicious action
• Types of hardware that is
– USB devices
– Cell phones
– Physical theft of laptop
computers and information
• Basic Input/Output System (BIOS)
– Coded program embedded on the
– Recognizes and controls different
devices on the computer system
• Read Only Memory (ROM) chip
– Older systems
• PROM (Programmable Read Only
– Newer computers
– Flashing the BIOS
Why E-mail Security
The Internet is an expansive network of
computers, much of which is unprotected
against malicious attacks. From the time an
email is composed to the time it is read, an email
travels through this unprotected Internet,
exposed to various electronic dangers.
What is E-mail Privacy
The protection of email from unauthorized
access and inspection is known as electronic
privacy. In countries with a constitutional
guarantee of the secrecy of correspondence,
email is equated with letters and thus legally
protected from all forms of eavesdropping.
• PGP (Pretty Good Privacy)
• General-purpose application to protect files.
• Can be used to protect e-mail messages.
• Can be used by corporations and individuals.
• PGP is now on an Internet standards track.
• S/MIME (Secure/Multipurpose Internet Mail Extensions)
• A security enhancement to MIME.
• Provides similar services to PGP.
• Defines a format for text messages to be sent using email.
• Web Authentication
• SSL and SET
• SSL (Secure Sockets Layer)
• It is not a payment protocol; it can be used for any secure
communication, such as sending credit card numbers.
• SSL is a secure data exchange protocol providing:
• Privacy between two Internet communications.
• Authentication of servers.
What Is Database Security?
It is a collection of information stored in a computer.
It is being free from danger.
It is the mechanisms that protect the database against
intentional or accidental threats.
Protection from malicious attempts to steal (view) or
• It is protecting the database from
• Ensures that users are allowed to do the things
they are trying to do.
• For example:
– The employees should not see the salaries of their
• Protecting the database from authorized users.
• Ensures that what users are trying to do is
• For example:
• An employee should be able to modify his or her
• Authorized users should be able to access data
for Legal purposes as necessary.
• For example:
– Payment orders regarding taxes should be
made on time by the tax law.
Importance of Data
• Bank/Demat accounts
• Credit card, Salary, Income tax data
• University admissions, marks/grades
• Land records, licenses
• Data = crown jewels for organizations
Importance of Data (contd…)
• Recent headlines:
– Personal information of millions of credit card
• Laws on privacy in the US
• Theft of US data in India
– Criminal gangs get into identity theft
– Earlier this year in Mumbai
• Hackers steal credit card data using card reader
and make fraudulent purchases
• Hacker creates fake Web site to phish for credit
– Auto-rickshaw license fraud in New Delhi
Levels of Data Security
• Human level: Corrupt/careless User.
• Network/User Interface.
• Database application program.
• Database system.
• Operating System.
• Physical level.
• Physical level
– Traditional lock-and-key security.
– Protection from floods, fire, etc.
• E.g. WTC (9/11), fires in IITM, WWW conf website, etc.
– Protection from administrator error
• E.g. delete critical files.
• Remote backup for disaster recovery.
• Plus archival backup (e.g. DVDs/tapes).
• Operating system level
– Protection from virus/worm attacks critical.
Security at the Database/Application
• Authentication and
mechanisms to allow
specific users access
only to required data
• Authentication: who are
you? Prove it!
• Authorization: what
are you allowed to do?
Database vs. Application
• Application authenticates/authorizes users
• Application itself authenticates itself to
– Database password
– Most users abuse passwords. For example:
• Easy to guess password
• Share passwords with others
– Need smartcard
– + a PIN or password
• Central authentication systems allow users to
be authenticated centrally
– LDAP or MS Active Directory often used for central
authentication and user management in
• Single sign-on: authenticate once, and access
multiple applications without fresh
– Microsoft Passport, Pubcookie, etc.
– Avoids plethora of passwords
– Password only given to central site, not to
• Applications are often the biggest source
–Poor coding of application may allow
–Application code may be very big, easy to
make mistakes and leave security holes.
–Very large surface area.
• Used in fewer places
– Some security by obfuscation.
– Lots of holes due to poor/hasty programming.
• Data security is critical.
• Requires security at different levels.
• Several technical solutions.
• But human training is essential.
OS Security (Operating System)
• OS security vulnerabilities, Updates and Patches
• OS Integrity Checks.
• Antivirus S/W:
• A computer program that can copy itself and
infect a computer without permission of the
• Viruses, Worms, Trojan Horses = MALWARE
– Software security update intended to cover
vulnerabilities that have been discovered after
the program was released
• Automatic update configuration options for
most operating systems
– Install updates automatically
– Download updates but let me choose when to
– Check for updates but let me choose whether to
download and install them
– Never check for updates
• How viruses spread:
– Internet downloads
– Removable media
– Across the network
– Email attachments
• Protecting your system
– Antivirus software
– Be smart about email attachments
• Unknown senders
• Known senders
• Recovering from a virus attack
– Run a full system scan (in Safe Mode if necessary)
– Run an “autofix” tool
– Replace infected files
– Reformat hard drive
• 6 to 8 characters long using lower/upper case letters,
numbers, and symbols (Microsoft recommends 14…)
– 4 characters – 14 million possible passwords – 2 seconds
– 8 characters – 200 trillion possible passwords – 1 year
– 9 characters – 13 quadrillion possible passwords – 70 years
– 10 characters – 840 quadrillion possible passwords – 4000 years
• Avoid words in the dictionary (easier to guess)
• Use a sentence that means something to you
– Every Sunday I go to church at 9
• Change passwords regularly
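
An added example (not part of the original slides) that reproduces the password table above and applies the listed rules to a candidate password. Assumptions: the slide's counts match a 62-symbol alphabet (upper/lower case letters and digits), the guess rate is inferred from its "4 characters, 2 seconds" row, and the word list, the `min_length` default and the sample passwords are constructed for illustration.

```python
import string

# Assumption: guess rate inferred from the slide's "4 characters, 2 seconds" row.
GUESSES_PER_SECOND = 62**4 / 2
SECONDS_PER_YEAR = 365 * 24 * 3600
# Constructed sample word list; a real check would load a full dictionary.
SAMPLE_DICTIONARY = {"password", "church", "sunday", "welcome"}
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def keyspace(length, alphabet_size=62):
    """Number of possible passwords of exactly `length` symbols."""
    return alphabet_size ** length


def years_to_exhaust(length, alphabet_size=62, rate=GUESSES_PER_SECOND):
    """Worst-case exhaustive-search time in years at `rate` guesses/second."""
    return keyspace(length, alphabet_size) / rate / SECONDS_PER_YEAR


def alphabet_size_of(password):
    """Combined size of the ASCII character classes the password draws on."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def review(password, min_length=8, dictionary=SAMPLE_DICTIONARY):
    """Return the slide rules the password fails (empty list = passes)."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if alphabet_size_of(password) < 94:  # 26 + 26 + 10 + 32 symbols
        problems.append("missing a character class")
    lowered = password.lower()
    if any(word in lowered for word in dictionary):
        problems.append("contains a dictionary word")
    return problems


if __name__ == "__main__":
    for n in (4, 8, 9, 10):
        print(n, keyspace(n), round(years_to_exhaust(n), 2))
    # "ESIgtc@9" is a constructed password built from the slide's sentence.
    print(review("Sunday9"), review("ESIgtc@9"))
```

At the inferred rate the 9- and 10-character rows come out near 58 and 3,600 years, the same order of magnitude as the slide's rounded figures; drawing on all 94 printable ASCII symbols instead of 62 enlarges every row further.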