SlideShare a Scribd company logo

cyber security notes

•Download as PPTX, PDF•
•
S
SHIKHAJAIN163

AKTU University Notes

Engineering
1 of 115
CYBER Security Notes Shikha Jain Assistant Professor KIET Group Of Institutions
Cyber Security • Actions which are taken in order to prevent the computer systems or the Internet from unauthorized access or against attacks. • Reducing vulnerabilities. • Understand current trends in IT and develop effective solution. Tools used for cyber security: • Passwords, Anti-virus, Firewalls,, Two-factor authentication, Encryption. Reason of increasing Cyber Threats: • IOT • Data Proliferation • Lack of Awareness • Wide-open Internet access • Network traffic
Important Terminologies • Vulnerability: any weakness in the system, product or process that compromise the basic security principles. Thereby, the system becomes susceptible to attacks. • Threat: when there is a possibility for violation of security, due to circumstance or capability or action or event, it may cause harm. Threat is a possible danger to assets that might exploit vulnerability. • Attack: is a deliberate attempt to evade security services and violate the security policy of a system. • Risk: The possibility of suffering a loss. Risk is a fundamental part of operations. It is not something to fear, but something to manage.
Cyber Threat/Need of Information Security • There are a number of ways with the actor or adversary attempting to gain access to a system. Threats try to gain access to a network through malicious attempts to compromise or disrupt a computer network or system. The types of threats are increasing in its landscape by two technology trends. IOT (Internet of Things) and ii. Data Proliferation. • The very fundamental concept in security is CIA triad referring to Confidentiality, Integrity and Availability. One or more facets of the triad are protected by the security methods. The asset can be exploited by threats to compromise the triad. The threats which are either intentional or accidental fall under three categories based on the triad principles. • The speed with which the malwares spread, the multitude of organizations harmed, which include critical infrastructure, and the serious obstacles in restoring the corrupted data once again underline today’s priority of cyber security. The cyber-attacks on the information and data on the Internet can affect these three fundamental principles of cyber security. So, there is a great need to setup cyber security principles in terms of Confidentiality, integrity and availability. The elements of the triad are considered as the most crucial components of cyber security. These are also termed as security goals.
• There are three common categories of cyber threats based on the triad are: • Attack on confidentiality: Stealing, or rather copying, the target's personal information. For example, attacks like credit card fraud, identity theft, or stealing bitcoin wallets. Confidentiality attacks are the major portion of work of International spies to acquire confidential information for political, military, or economic gains. • Attack on integrity: The common name used is sabotage. Integrity attacks seek to corrupt, damage, or destroy information or systems, and the people who rely on them. Offenders can range from script kiddies to international or national attackers • Attack on availability: Preventing a target from accessing by the genuine users is the most frequent occurrence today. For example, ransomware and denial-of-service attacks. Ransomware encrypts the target's data and demands a ransom to decrypt it.A denial-of-service attack, also known as DoS attacks, typically in the form of a distributed denial-of-service (DDoS) attack, floods a network resource with requests, making it unavailable due to jam.
First Viruses and Anti-virus(“VIRUS: Vital Information Resource UnderSlege”) • Creeper (1971): In 1970's, Robert (Bob) Thomas who was a researcher for BBN Technologies in Cambridge, Massachusetts created the first computer worm (virus). He realized that it was possible for a computer program to move across a network, leaving a small trail (series of signs) wherever it went. He named the program Creeper, and designed it to travel between Tenex terminals on the early ARPANET, printing the message "I'M THE CREEPER: CATCH ME IF YOU CAN." • An American computer programmer named Ray Tomlinson, the inventor of email, was also working for BBN Technologies at the time. He saw this idea and liked it. He tinkered (an act of attempting to repair something) with the program and made it self-replicating "the first computer worm." He named the program Reaper, the first antivirus software which would found copies of The Creeper and delete it. First Cyber Attack • In 1988, an American computer scientist, Robert Morris, wanted to check the size of the internet. He wrote a program for testing the size of the internet. This program went through networks, invaded Unix terminals, and copied itself. The program became the first famous network virus and named as Moris worm or internet worm. The Morris worm could be infected a computer multiple times, and each additional process would slow the machine down, eventually to the point of being damaged. Robert Morris was charged under the Computer Fraud and Abuse Act. The act itself led to the founding of the Computer Emergency Response Team. This is a non-profit research centre for issues that could endanger the internet as a whole.
Information System
Fundamental Concepts of Information System “An information system (IS) is an organized system for collecting, organizing, storing and communicating with the information. Here the organizations that use Information system do data collection, filtration, processing, creation and distribution in complementary networks.”
(end user, IT specialist) (Machine, Media) (Programs, Procedure) (Database, Kbase) (Communication Support)
An information system is essentially made up of five components hardware, software, database, network and people. These five components integrate to perform input, process, output, feedback and control. • Hardware consists of input/output device, processor, operating system and media devices. • Software consists of various programs and procedures. • Database consists of data organized in the required structure. • Network consists of hubs, communication media and network devices. • People consist of device operators, network administrators and system specialist. Components of Information System
Information System Activities (Major Functions of IS)
• Transaction Processing System (TPS): • Basic business systems that serve the operational level. • A computerized system that performs and records the daily routine transactions necessary to the conduct of the business. • Major functions of systems: Budgeting, general ledger, billing, cost accounting. • Examples - super market grocery check out (billing systems) or bank transaction processes, Airline Reservation System, Payroll Processing System, Transport Ticket Reservation System, Purchase Order Entry Systems and Markets Tabulation System. Transaction Processing • Real-time/Online • Batch Data Entry Document and Report Generation Inquiry Processing Database Management
Transaction Processing Systems (TPS):
Management Information System: • Managers require precise information in a specific format to undertake an organizational decision. • A system which facilitates an efficient decision making process for managers is called management Information system. • An MIS provides managers with information and support for effective decision making, and provides feedback on daily operations. • MIS provides information to the users in the form of reports. • Output, or reports, are usually generated through accumulation of transaction processing data. • MIS is an integrated collection of subsystems, which are typically organized along functional lines within an organization. • Management level : 1. Inputs: High volume data 2. Processing: Simple models 3. Outputs: Summary reports 4. Users: Middle managers • Example: Annual budgeting, Structured and semi-structured decisions, Report control oriented applications.
Business Intelligence (BI): (TPS)+(MIS)
• Decision support system: • Management information system provides information to manager facilitating the routine decision-making process. • Decision support system provides information to manager facilitating specific issue related solution. • Applications of Decision support Systems are Medical Diagnosis, Agricultural Production, Forest Management, Business and Management , Anti-terrorism Systems • Management level 1. Inputs: Low volume data 2. Processing: Interactive 3. Outputs: Decision analysis 4. Users: Professionals, staff Example: Contract cost analysis • Advantages: Time savings, Enhance effectiveness, Improve interpersonal communication, Competitive advantage, Cost reduction, Increase decision maker satisfaction, Promote learning, Increase organizational control.
Decision Support Systems
• Executive support system/Executive Information System: • Strategic level 1. Inputs: Aggregate data 2. Processing: Interactive 3. Outputs: Projections 4. Users: Senior managers • Example: 5-year operating plan
Executive Information Systems
Distributed Information Systems “A set of information systems physically distributed over multiple sites, which are connected with some kind of communication network” Current Trends: • Cloud computing • Designing of Bigdata • Cloud of IOT Architectures of DIS: • Peer to Peer Architecture (P2P) • Client-Server Architecture • Three-tier Architecture
Distributed Information Systems Advantages: • Sharing Data • Autonomy • Availability Disadvantages: • Software development cost • Greater potential of bugs • Increased processing overhead Applications: • Military • Government • Commercial
Information Assurance “Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.”
Security Services: What types of problems can occur? • Confidentiality: the assurance that information is not disclosed to unauthorized persons, processes or devices. • Integrity: the assurance that data can not be created, changed, or deleted without proper authorization • Availability: Timely, reliable access to data and information services for authorized users. • Authentication: Security service designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual’s authorizations to receive specific categories of information. • Non Repudiation: The assurance the sender of the data is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the data. Information States: Where is the data? • Transmission: Time in which the data is in transit between processing/process steps. • Storage: Time during which data is on a persistent medium such as a hard drive or tape. • Processing: Time during which the data is actually in the control of a processing step.
Security Countermeasures: Who can enforce/check security? People: The heart and soul of secure systems. Awareness, literacy, training, education in sound practice. Must follow policy and practice or the systems will be compromised no matter how good the design! Both strength and vulnerability. Policy and Practice (operations): System users, System administrators, Software conventions, Trust validation. Also a countermeasure and a vulnerability. Technology: Evolves rapidly Crypto systems, Hardware, Software, Network(Firewalls, Routers, Intrusion detection, Other), Platform(Operating systems, Transaction monitoring), Especially vulnerable to misconfiguration and other “people” errors.
Security Services: What types of problems can occur? • Confidentiality: the assurance that information is not disclosed to unauthorized persons, processes or devices. • Integrity: the assurance that data can not be created, changed, or deleted without proper authorization • Availability: Timely, reliable access to data and information services for authorized users. • Authentication: Security service designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual’s authorizations to receive specific categories of information. • Non Repudiation: The assurance the sender of the data is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the data.
Cyber Security Risk Analysis Risk analysis refers to the review of risks associated with the particular action or event. The risk analysis is applied to information technology, projects, security issues and any other event where risks may be analysed based on a quantitative and qualitative basis. The analysis of risk should be occurred on a regular basis and be updated to identify new potential threats. The strategic risk analysis helps to minimize the future risk probability and damage. Steps in the risk analysis process: The basic steps followed by a risk analysis process are: 1. Conduct a risk assessment survey: Getting the input from management and department heads is critical to the risk assessment process. The risk assessment survey refers to begin documenting the specific risks or threats within each department. 2. Identify the risks: This step is used to evaluate an IT system or other aspects of an organization to identify the risk related to software, hardware, data, and IT employees. It identifies the possible adverse events that could occur in an organization such as human error, flooding, fire, or earthquakes.
Cyber Security Risk Analysis 3. Analyze the risks: Once the risks are evaluated and identified, the risk analysis process should analyse each risk that will occur, as well as determine the consequences linked with each risk. It also determines how they might affect the objectives of an IT project. 4. Develop a risk management plan: After analysis of the Risk that provides an idea about which assets are valuable and which threats will probably affect the IT assets negatively, we would develop a plan for risk management to produce control recommendations that can be used to mitigate, transfer, accept or avoid the risk. 5. Implement the risk management plan: The primary goal of this step is to implement the measures to remove or reduce the analyses risks. We can remove or reduce the risk from starting with the highest priority and resolve or at least mitigate each risk so that it is no longer a threat. 6. Monitor the risks: This step is responsible for monitoring the security risk on a regular basis for identifying, treating and managing risks that should be an essential part of any risk analysis process.
Risk Management Planning Risk Identification Risk response planning risk analyses Risk monitoring and control 1. Decide How 2. Find them 3. Measure 4. Decide Actions5. Act and Measure Risk Analyses and Management
Types of Risk Analysis Qualitative Risk Analysis: • The qualitative risk analysis process is a project management technique that prioritizes risk on the project by assigning the probability and impact number. Probability is something a risk event will occur whereas impact is the significance of the consequences of a risk event. • The objective of qualitative risk analysis is to assess and evaluate the characteristics of individually identified risk and then prioritize them based on the agreed-upon characteristics. • The assessing individual risk evaluates the probability that each risk will occur and effect on the project objectives. The categorizing risks will help in filtering them out. • Qualitative analysis is used to determine the risk exposure of the project by multiplying the probability and impact. Quantitative Risk Analysis: • The objectives of performing quantitative risk analysis process provide a numerical estimate of the overall effect of risk on the project objectives. • It is used to evaluate the likelihood of success in achieving the project objectives and to estimate contingency reserve, usually applicable for time and cost. • Quantitative analysis is not mandatory, especially for smaller projects. Quantitative risk analysis helps in calculating estimates of overall project risk which is the main focus.
Systems development life cycle (SDLC) – a structured step-by-step approach for developing information systems . -Waterfall Model -Prototyping Model -Evolutionary Model -Spiral Model -Incremental Model
• Phase 1: Planning/Investigation Develop the project plan including tasks, resources, and timeframes Project plan - defines the what, when, and who questions of system development Project manager - an individual who is an expert in project planning and management, defines and develops the project plan and tracks the plan to ensure all key project milestones are completed on time Project milestones - represent key dates for which you need a certain group of activities performed Phase 2: Analysis involves end users and IT specialists working together to gather, understand, and document the business requirements for the proposed system Two primary analysis activities: 1. Gather the business requirements Business requirements - the detailed set of knowledge worker requests that the system must meet in order to be successful Joint application development (JAD) - knowledge workers and IT specialists meet, sometimes for several days, to define or review the business requirements for the system 2. Prioritize the requirements Requirements definition document – prioritizes the business requirements and places them in a formal comprehensive document
Phase 3: Design • build a technical blueprint of how the proposed system will work • Two primary design activities: 1. Design the technical architecture • Technical architecture - defines the hardware, software, and telecommunications equipment required to run the system 2. Design system models • Modeling - the activity of drawing a graphical representation of a design • Graphical user interface (GUI) - the interface to an information system • GUI screen design - the ability to model the information system screens for an entire system Phase 4: Implementation • Implementation phase - distribute the system to all of the knowledge workers and they begin using the system to perform their everyday jobs • Two primary implementation activities 1. Write detailed user documentation • User documentation - highlights how to use the system 2. Provide training for the system users • Online training - runs over the Internet or off a CD-ROM • Workshop training - is held in a classroom environment and lead by an instructor
• Phase 5: Maintenance • Maintenance phase - monitor and support the new system to ensure it continues to meet the business goals • Two primary maintenance activities: 1. Build a help desk to support the system users • Help desk - a group of people who responds to knowledge workers’ questions 2. Provide an environment to support system changes
Waterfall Strengths • Easy to understand, easy to use • Provides structure to inexperienced staff • Milestones are well understood • Sets requirements stability • Good for management control (plan, staff, track) • Works well when quality is more important than cost or schedule
Waterfall Deficiencies • All requirements must be known upfront • Deliverables created for each phase are considered frozen – inhibits flexibility • Can give a false impression of progress • Does not reflect problem-solving nature of software development – iterations of phases • Integration is one big bang at the end • Little opportunity for customer to preview the system (until it may be too late)
When to use the Waterfall Model • Requirements are very well known • Product definition is stable • Technology is understood • New version of an existing product • Porting an existing product to a new platform.
Iterative Enhancement Model • Iterative process starts with a simple implementation of a subset of the software requirements and iteratively enhances the evolving versions until the full system is implemented. At each iteration, design modifications are made and new functional capabilities are added. The basic idea behind this method is to develop a system through repeated cycles (iterative) and in smaller portions at a time (incremental).
The advantages of the Iterative and Incremental SDLC Model are as follows − • Some working functionality can be developed quickly and early in the life cycle. • Results are obtained early and periodically. • Progress can be measured. • Less costly to change the scope/requirements. • Testing and debugging during smaller iteration is easy. • With every increment, operational product is delivered. • Issues, challenges and risks identified from each increment can be utilized/applied to the next increment. • It supports changing requirements. • Better suited for large and mission-critical projects. • During the life cycle, software is produced early which facilitates customer evaluation and feedback.
The disadvantages of the Iterative and Incremental SDLC Model are as follows − • More resources may be required. • Although cost of change is lesser, but it is not very suitable for changing requirements. • More management attention is required. • System architecture or design issues may arise because not all requirements are gathered in the beginning of the entire life cycle. • Defining increments may require definition of the complete system. • Not suitable for smaller projects. • Management complexity is more. • End of project may not be known which is a risk. • Highly skilled resources are required for risk analysis. • Projects progress is highly dependent upon the risk analysis phase.
Iterative VS Evolutionary Models Iterative Models Evolutionary Models 1. A usable product is delivered at the end of each cycle. 1. No usable product at the end of each cycle. 2. Requirement implemented priority- wise 2. Requirement implemented category-wise.
Evolutionary Model
Prototyping Model • The prototyping model suggest that before carrying out the development of the actual software, a working prototype of the system should be built. • It can help engineers to critically examine the technical issues associated with product development. • A prototype usually exhibits limited functional capabilities, low reliability, and insufficient performance compared to actual software.
The advantages of the Prototyping Model are as follows − • Increased user involvement in the product even before its implementation. • Since a working model of the system is displayed, the users get a better understanding of the system being developed. • Reduces time and cost as the defects can be detected much earlier. • Quicker user feedback is available leading to better solutions. • Missing functionality can be identified easily. • Confusing or difficult functions can be identified. The Disadvantages of the Prototyping Model are as follows − • Risk of insufficient requirement analysis owing to too much dependency on the prototype. • Users may get confused in the prototypes and actual systems. • Practically, this methodology may increase the complexity of the system as scope of the system may expand beyond original plans. • Developers may try to reuse the existing prototypes to build the actual system, even when it is not technically feasible. • The effort invested in building prototypes may be too much if it is not monitored properly.
Spiral Model • Spiral model is a combination of sequential and prototype model. This model is best used for large projects which involves continuous enhancements. There are specific activities which are done in one iteration (spiral) where the output is a small prototype of the large software. The same activities are then repeated for all the spirals till the entire software is build.
Why Spiral Model is called Meta Model ? The Spiral model is called as a Meta Model because it subsumes all the other SDLC models. For example, a single loop spiral actually represents the Iterative Waterfall Model. The spiral model incorporates the stepwise approach of the Classical Waterfall Model. The spiral model uses the approach of Prototyping Model by building a prototype at the start of each phase as a risk handling technique. Also, the spiral model can be considered as supporting the evolutionary model – the iterations along the spiral can be considered as evolutionary levels through which the complete system is built.
The advantages of the Spiral SDLC Model are as follows − • Changing requirements can be accommodated. • Allows extensive use of prototypes. • Requirements can be captured more accurately. • Users see the system early. • Development can be divided into smaller parts and the risky parts can be developed earlier which helps in better risk management. The disadvantages of the Spiral SDLC Model are as follows − • Management is more complex. • End of the project may not be known early. • Not suitable for small or low risk projects and could be expensive for small projects. • Process is complex • Spiral may go on indefinitely. • Large number of intermediate stages requires excessive documentation.
Cyber security Unit 2
Application Security • Attackers not only targets server or operating system but also target client application like browsers, multimedia program, document reader • Most common attack: phishing, malware Vendor challenges for Application Security • Available various operating system • Compatibility issue • Updates • Proper risk management • Need to take specific measure to secure client side application Guidelines • Provide incentives who find flaws , sharing knowledge with vendors, mitigation of attack, standardizing application, updating software to newer version
Database Security • A database are individual records or groups of records to satisfy various criteria. • It is essential to first implement security within the organization, to make sure the right people have access to right data. • Without these security measures in place, someone must destroy the valuable data or selling the company’s secrets to competitors, or someone invading the privacy of others. • Authentication: to verify a username and a password, a smartcard, retina scan, fingerprints and voice recognition. After a specified login name and password, SQL Server performs the authentication. • Authorization: the mechanism to determine the what level of access a particular authenticated user should have. Role-based security is a form of user-level security where a server doesn’t focus on the individual user’s identity but rather on a logical role he is in. There are 3 types of role in SQL: Fixed Server Roles, Fixed Database Role, Securable/Application Role. • SQL Injection: technique whereby an intruder enters data that cause the application to execute SQL statements not intended to be executed.
E-Mail Security • Email security is a collective measure used to secure the access and content of an email account or services. • An email service provider implements email security to secure subscriber email account and data from hackers. • From an individual/end user standpoint, proactive email security measures include : strong passwords, password rotation, spam filters, desktop-based antivirus/anti-spam applications. • A service provider also ensues email security by using strong password and access control mechanism on an email server; encrypting and digital signing email messages. • These must be view as a part of total security agenda. The security of mail flow is focused around the auditing and emailing of mails into and out of the organization. • There must be a plan for inevitable request to retouch data from backups and archives.
Internet Security • The Internet is a network of networks , connecting billions of computers located on every continent. • Internet Security encompasses browser security, the security of data entered through a web form, and overall authentication and protection of data sent via Internet Protocol. • The untrusted network data is passed through external router, firewall, and internal router. The network security perimeter is composed of outer security perimeter and internal security perimeter network. • Internet security relies on specific resources and standards for protecting data that gets sent through the Internet. • This includes encryption, firewalls, anti-malware, anti-spyware and anti-virus programs. • The Internet Protocol security(IPSec) protocol suite provides a techniques of setting up a secure channel for protected data exchange between 2 devices such as two servers, two routers, a workstation and a server, or 2 gateways between different networks. • IPSec use strong encryption and authentication methods, and although it can be used to enable tunneled communication between two computers(VPN).
Fig: Network Security System
Data security considerations • Related to data backup, archival and disposal • Goal: security against any kind of accident or loss of data due to malicious activities 1. Data backup security • In case of data loss you can restore the original data from backup • Reasons of data loss: failure of hardware, failure in software / media, hacking, virus, power failure, erroneous human activity 2. Data Archival • The process of separating active data from inactive data • Active data: frequently used, Inactive data: Less frequently used • Goal: reduce complexity, keep active parts of data fresh • Selection of archival solution depends on: a. Longevity of storage solution b. Manageability of storage solution (role-based) c. Intelligence of content (all data not equally worth) d. Optimization of total cost of ownership e. Type of available solution (scaling)
3. Data Disposal • Permanent delete or destroy the data • The national institute of standard and technology (NIST) describe 3 primary ways in which data can be disposed. I. Overwriting hard drives (at least thrice) II. Degaussing hard drivers and backup tapes (demagnetized HDD) III. Destroying storage media • Data disposal process: I. Building a plan for disposal II. Archiving important information III. Cleaning storage media IV. Proper disposal with security constraints V. Make sure no important data gets deleted
Intrusion Detection System • IDS monitors network traffic for suspicious activity • Functions of IDS: Anomaly detection and reporting • Problem with IDS: Prone to false alarms or false positives
Components of IDS
Components of IDS • An IDS comprises Management console and sensors • It has a database of attack signatures • Sensors detect any malicious activity • It also matches the malicious packet against the database • If found a match, the sensor reports the malicious activity to the management console Techniques applied for IDS
Network Intrusion Detection System (NIDS) NIDS examines the traffic on a whole subnet. It compares with the traffic passed by the attacks in existing database Network Node Intrusion Detection System (NNIDS) The traffic in NNIDS is only monitored on a single host unlike NIDS Host Intrusion Detection System (HIDS) HIDS takes an Image of entire system’s file set and compares it to the preceding picture
NIDS Vs. HIDS
Overall classification of IDS
Anomaly based IDS/ Behavior based IDS: Detects attack based on behavior Misuse Detection/ Signature based IDS: Detects known attacks Centralized IDS: IDS are present on the centralized part of the network and communicate with each other Distributed IDS: IDS present on the network operate in a distributed manner and communicate with each other Active IDS: detect and prevents intrusion active IDS is also known as IDPS Passive IDS: only detect intrusions IDS Tools
IDS Vs. IPS
Actions of IPS • Notifying the administrator • Filtering out the malicious data • Blocking further data transfers from the address • Reconnecting the network Types of IPS
NIPS (Network based IPS): NIPS detect suspicious traffic by monitoring the entire network WIPS (wireless IPS): WIPS checks for suspicious activity by reviewing wireless networking protocols NBA (Network Behavior Analysis): NBA is network monitoring programs It decreases the time exhausted by network administrators in identifying and resolving network issues HIPS (Host Based IPS): HIPS checks for suspicious activity in single host
Digital Signature • a digital signature is a technique for establishing the origin of a particular message in order to settle later disputes about what message (if any) was sent • We use the term signer for an entity who creates a digital signature, and the term verifier for an entity who receives a signed message and attempts to check whether the digital signature is “correct” or not. • Non-Repudiation: A digital signature can be stored by anyone who receives the signed message as evidence that the message was sent and of who sent it. This evidence could later be presented to a third party who could use the evidence to resolve any dispute that relates to the contents and/or origin of the message
Creating an RSA signature with appendix message hash function hash Signature algorithm signature signature key message signature 1 2 3
Verifying an RSA signature with appendix message signature Verification algorithm verification key hash function = ? 3 Decision 1 2
True digital signature requirements Public key encryption requirements Only the holder of some secret data can sign a message “Anyone” can encrypt a message “Anyone” can verify that a signature is valid Only the holder of some secret data can decrypt a message • Question: In the digital signature who use the private key and who use the public key? Private key: sender Public key: receiver • Generic attacks: Obtain someone else’s private signature key In a digital signature scheme “you are your private key”. This is one aspect of the problem of identity theft.
Cryptography To ensure secure transmission, data is sent in such a way that it looks completely different from the original data • Plain text: data that to be secured • Cipher text: data after encryption • Encryption: the process of converting a plain text to cipher text. • Decryption: the process of regenerating the plaintext from cipher text
Categories of Cryptography Key used in Cryptography Private Key Encryption/ Symmetric Key Cryptography: In symmetric-key cryptography, the same key is used by the sender (for encryption) and the receiver (for decryption).The key is shared. Public Key Encryption/ Asymmetric Key Cryptography: Two keys are used to encrypt and decrypt the data. Public key for encryption and private key for decryption.
Categories of Cryptography
Cryptanalysis: Study of different methods to decrypt some encrypted data without the knowledge of decryption key or algorithms. Cryptanalyst: the person that performs cryptanalysis. Code breaking methodologies: 1. Brute Force 2. Frequency analysis 3. Trickery Cryptanalysis Vs. Cryptography: Cryptography is the process to secure the data with encryption techniques while Cryptanalysis is the attack that are performed on data to uncover it.
E-commerce “E-commerce security is protection of the various ecommerce assets from unauthorized access, its use or modification.” Threats to e-commerce: Phishing, money theft, data misuse, hacking, credit card frauds, unprotected services. Reasons of security threat: Inaccurate management, price manipulation, snowshoe attack, malicious code threat, Wi-Fi eavesdropping, spoofing etc.
Electronic payment systems/ e-payment schemes • Secure Electronic Payment Protocol/ Secure electronic transaction (SEPP/SET): use of digital signature and user authentication. SEPP provides usage of internet keyed payment protocol (ikP) and SEPP messages transmitted using multipurpose internet mail extensions (MIME) • Secure Courier E-payment scheme: it encrypts data • Check free wallet: It is based on client server architecture and use RSA algorithm for encryption • Cyber Cash: it is a digital cash software system that encrypts credit card related information. • VeriSign: it verifies digital signature • Digicash: It is e-cash based software
E-cash: Electronic transfer of money in the form of a block of data Problem in e-cash: double spending money by customer
Access Control • It regulates who and what can view or use resources in a computing environment. • it provides security feature through which system permits or revokes the right to access any data and resource in a system • It includes file permissions, program permissions, data rights permissions. • Identification: Identify a user • Authentication: Verify whether a user is valid or not Types of authentication: 1. Single factor 2. Multifactor
Types of Access Control 1. Mandatory access control (MAC): A security model in which access rights are regulated by a central authority based on multiple levels of security. 2. Discretionary access control (DAC): An access control method in which owners or administrators of the protected system, data or resource set the policies defining who or what is authorized to access the resource. 3. Role-based access control (RBAC): A widely used access control mechanism that restricts access to computer resources based on individuals or groups with defined business functions . 4. Rule-based access control: A security model in which the system administrator defines the rules that to govern access to resource objects. 5. Attribute-based access control (ABAC): A methodology that manages access rights by evaluating a set of rules, policies and relationships using the attributes of users, systems and environmental conditions.
Firewall • Block unauthorized access • Permitting authorized communication • Based on certain rule and criteria • Prevents from hacker and viruses from internet • It is hardware, software or combination of both • E.g. broadband router, Norton Internet security , Kaspersky Internet security
Types of Firewall • Packet filter: inspects data packet based on user defined rules • Application level gateway: apply security measures to specific application such as FTP, TELNET • Circuit level gateway: apply security mechanism after TCP handshaking, works at session layer of OSI layer • Proxy server: check all incoming and outgoing messages but hides the true network address and interrupts all messages Identify a Firewall Prior to hacking a system or a network , a hacker tries to knows what kind of firewall is implemented in it • Port scanning: identify active port • Fire-walking :collect information from remote network to identify mapping • Banner grabbing : detecting services run by firewall
VPN • It is a private communication network • It creates virtual tunnel through which data travels from one computer to other over a public network such as internet • VPN data: data transferred through VPN is called payload. • VPN tunnel: a logical path for transmitting VPN data from one node to other. VPN tunnel can be established one of the following 2 layer of OSI reference model: data link layer (PPTP) and network layer (IPsec) Authentication Mechanism 1. User Level Authentication (use PPP (point to point protocol)P for mutual authentication) 2. Computer Level Authentication (use iKE (Ipsec/L2TP protocol) to exchange either their computer certificate or a predefined key) 3. Data origin authentication and data Integrity (cryptography checksum)
Types of VPN tunneling 1. Voluntary tunneling: the client directly sets up the connection with the server 2. Compulsory tunneling: a connection is established between 2 VPN servers and VPN access devices such as router
Types of VPN 1. PPTP VPN (point to point tunneling protocol): widely used protocol. Use VPN password to log on. No need of extra hardware or software. Do not use encryption. 2. Site-to-site VPN: no dedicated line for transmission. Routing , encryption and decryption is done by router. 3. L2TP VPN: similar to PPTP. Provides confidentiality and Integrity. 4. IPsec: designed for IP traffic. Very secure. Need to install certain programs. Expensive and time consuming. 5. SSL(secure socket layer): creates secure session between browser and application server. 6. MPLS (multi-purpose label switching): MPLS+ISP tuned VPN and very good site to site connectivity. 7. Hybrid: Combine feature of SSL, IPsec etc. highly flexible, very expensive.
Cyber security Unit 3
Application Development Security • An organization applies computer security measures to protect its information assets by selecting and applying a set of measures that will be appropriate for the security of information • Development of secure information requires specific training for what the meaning of security is for an organization and for its application, how secure code is written, and why it is needed to provide security to the application. • Although we have several security measures, such as antivirus, IDS protection, firewalls, VPNs, etc., to secure the assets, yet reliability of such measures to provide full protection is always in question.
Why applications are unsecure?????? Primary issues related to secure development of applications • Less trained/skilled developers • Less educational focus on secure development • Difficulty of finding the right information related to specific security measures for particular applications • Life cycle systems considering security mostly in the last phases only • Compilers, interpreters, and programming being unable to utilize the system recourses in the best way possible
What to do?????? Benefits of common framework • Developers can refer to the common standard provided in the framework to develop secure applications • Strict guidelines and design principles included in the framework are time tested and universal • Developers get a comprehensive view and understand security policy, programming language, and tools • Organization can improve its development strategy to apply best methods, development effort, standards and procedures, and security policy. • The view of the management becomes more objective towards consideration and mitigation of risks.
What a framework include?????? Factors include in framework • Foundation: Basic knowledge of the development procedure (programming language , compiler, etc) • Principles: basic rules to be followed (rules for security, authentication, logging-monitoring-auditing, etc) • Design guidelines: best code implementation methods (validating input, Handling exceptions, applying cryptography, using random number)
Information security governance and risk management • “Information has become one of the most crucial business drivers in recent years”, according to NIST. • Information systems are subject to serious threats that can have adverse effects on organizational operations (missions, functions, image, reputation) • We must protect all information assets from threats. This can be done only if managers at different levels in organization are ready to take the security responsibility. • Security governance and risk management should be a part of overall organizational goals rather that a single, highly overlooked discipline.
Risk Management: Activities involve in risk management process • Framing: analyze the possible risks associated with the security of information systems and the organizations • Assessing: analyze the level of the risks and the level of security provided with our organization and its information systems. • Monitoring: continuously checking the information system and keeping an eye on other threats and vulnerability that may be encountered by the organization. • Responding: take preventive and corrective measures
Fig: Risk Management Process
Security Architecture and Design Secure System Design • Layering: arrange hardware, drivers for kernel and devices, OS, and application in a sequential order. • Abstraction: conceal the irrelevant details from common user. • Security Domain: lower level domain cannot access higher level domain. Ex: kernel have two access level : user mode and kernel mode • The ring model: ring 0: kernel, ring 1: OS, ring 2: device and drivers, ring 3: user application • Open-closed systems: Open systems designed by employing open hardware and standard that may include hardware from a variety of vendors. Close system, only use proprietary hardware or software from specific vendor.
Secure Hardware System Architecture • Physical computer hardware security includes not only the mother board, CPU, and memory, but also system buses and memory protection. Secure Operating System and software Architecture • The secure hardware forms the base to provide security in the software and operating system. • Virtualization separates the software from hardware by including a layer between them. This platform can be used by a single host OS to run a number of guest OS at same time. • This complexity may cause conflict between different operating environments that will lead to security issues and flaws in the system.
Security Issues in hardware, data storage and downloadable devices • Securing computer systems means to protect all its components that include hardware, software, storage devices, operating system, and peripheral devices. Virtualization separates the software from hardware by including a layer between them. This platform can be used by a single host OS to run a number of guest OS at same time. • Each component has its own vulnerability. Security Issues with hardware • Stealing, destruction, gaining unauthorized access, breaking the security code Security Issues with storage device(DVD, CD) • Data loss and theft, disposal, stealing of data, denial of data, malware. Security Issues with downloadable (peripheral devices)(PDA, USB) • Vulnerable to theft and destruction
Physical security and IT assets • Primary threats: 1. Physical access exposure to human being 2. Physical access exposure to natural disaster • Physical security to IT assets 1. Physical access control 2. Electronic and visual surveillance systems: closed circuit television (CCTV) 3. IDS
CCTV working IDS
Backup Security Measures • Assigning responsibility, authority, and accountability • Assessing risk • Developing data protection process • Communicating the process to concern people • Executing and testing the process

Recommended

Pgp pretty good privacy
Pgp pretty good privacyPgp pretty good privacy
Pgp pretty good privacyPawan Arya
 
S/MIME
S/MIMES/MIME
S/MIMEmaria azam
 
Classical encryption techniques
Classical encryption techniquesClassical encryption techniques
Classical encryption techniquesDr.Florence Dayana
 
Network management and security
Network management and securityNetwork management and security
Network management and securityAnkit Bhandari
 
IP Security
IP SecurityIP Security
IP SecurityKeshab Nath
 
Cloud Computing Security Challenges
Cloud Computing Security ChallengesCloud Computing Security Challenges
Cloud Computing Security ChallengesYateesh Yadav
 
Cyber security and demonstration of security tools
Cyber security and demonstration of security toolsCyber security and demonstration of security tools
Cyber security and demonstration of security toolsVicky Fernandes
 
User authentication
User authenticationUser authentication
User authenticationCAS
 

Recommended

Pgp pretty good privacy
Pgp pretty good privacyPgp pretty good privacy
Pgp pretty good privacyPawan Arya
 
S/MIME
S/MIMES/MIME
S/MIMEmaria azam
 
Classical encryption techniques
Classical encryption techniquesClassical encryption techniques
Classical encryption techniquesDr.Florence Dayana
 
Network management and security
Network management and securityNetwork management and security
Network management and securityAnkit Bhandari
 
IP Security
IP SecurityIP Security
IP SecurityKeshab Nath
 
Cloud Computing Security Challenges
Cloud Computing Security ChallengesCloud Computing Security Challenges
Cloud Computing Security ChallengesYateesh Yadav
 
Cyber security and demonstration of security tools
Cyber security and demonstration of security toolsCyber security and demonstration of security tools
Cyber security and demonstration of security toolsVicky Fernandes
 
User authentication
User authenticationUser authentication
User authenticationCAS
 
CMACs and MACS based on block ciphers, Digital signature
CMACs and MACS based on block ciphers, Digital signatureCMACs and MACS based on block ciphers, Digital signature
CMACs and MACS based on block ciphers, Digital signatureAdarsh Patel
 
What is Cryptography and Types of attacks in it
What is Cryptography and Types of attacks in itWhat is Cryptography and Types of attacks in it
What is Cryptography and Types of attacks in itlavakumar Thatisetti
 
Digital signature
Digital signatureDigital signature
Digital signatureHossain Md Shakhawat
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hackingAltacit Global
 
Authentication techniques
Authentication techniquesAuthentication techniques
Authentication techniquesIGZ Software house
 
Steganography
Steganography Steganography
Steganography Uttam Jain
 
Cyber security presentation
Cyber security presentationCyber security presentation
Cyber security presentationParab Mishra
 
Network security - OSI Security Architecture
Network security - OSI Security ArchitectureNetwork security - OSI Security Architecture
Network security - OSI Security ArchitectureBharathiKrishna6
 
Security Mechanisms
Security MechanismsSecurity Mechanisms
Security Mechanismspriya_trehan
 
Digital signature schemes
Digital signature schemesDigital signature schemes
Digital signature schemesravik09783
 
Etical and professional issues of computer
Etical and professional issues of computerEtical and professional issues of computer
Etical and professional issues of computerAbdullah Khosa
 
Digital Signature
Digital SignatureDigital Signature
Digital SignatureMohamed Talaat
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security conceptsG Prachi
 
Key management and distribution
Key management and distributionKey management and distribution
Key management and distributionRiya Choudhary
 
Cryptography
CryptographyCryptography
CryptographyEmaSushan
 
Message Authentication Code & HMAC
Message Authentication Code & HMACMessage Authentication Code & HMAC
Message Authentication Code & HMACKrishna Gehlot
 
Network security
Network securityNetwork security
Network securityGichelle Amon
 
Network security cryptography ppt
Network security cryptography pptNetwork security cryptography ppt
Network security cryptography pptThushara92
 
Authentication Application in Network Security NS4
Authentication Application in Network Security NS4Authentication Application in Network Security NS4
Authentication Application in Network Security NS4koolkampus
 
Types of attacks
Types of attacksTypes of attacks
Types of attacksVivek Gandhi
 
Vulenerability Management.pptx
Vulenerability Management.pptxVulenerability Management.pptx
Vulenerability Management.pptxThavaselviMunusamy1
 
Cyber security
Cyber securityCyber security
Cyber securityAnkush Verma
 

More Related Content

What's hot

CMACs and MACS based on block ciphers, Digital signature
CMACs and MACS based on block ciphers, Digital signatureCMACs and MACS based on block ciphers, Digital signature
CMACs and MACS based on block ciphers, Digital signatureAdarsh Patel
 
What is Cryptography and Types of attacks in it
What is Cryptography and Types of attacks in itWhat is Cryptography and Types of attacks in it
What is Cryptography and Types of attacks in itlavakumar Thatisetti
 
Authentication techniques
Authentication techniquesAuthentication techniques
Authentication techniquesIGZ Software house
 
Steganography
Steganography Steganography
Steganography Uttam Jain
 
Cyber security presentation
Cyber security presentationCyber security presentation
Cyber security presentationParab Mishra
 
Network security - OSI Security Architecture
Network security - OSI Security ArchitectureNetwork security - OSI Security Architecture
Network security - OSI Security ArchitectureBharathiKrishna6
 
Security Mechanisms
Security MechanismsSecurity Mechanisms
Security Mechanismspriya_trehan
 
Digital signature schemes
Digital signature schemesDigital signature schemes
Digital signature schemesravik09783
 
Etical and professional issues of computer
Etical and professional issues of computerEtical and professional issues of computer
Etical and professional issues of computerAbdullah Khosa
 
Digital Signature
Digital SignatureDigital Signature
Digital SignatureMohamed Talaat
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security conceptsG Prachi
 
Key management and distribution
Key management and distributionKey management and distribution
Key management and distributionRiya Choudhary
 
Cryptography
CryptographyCryptography
CryptographyEmaSushan
 
Message Authentication Code & HMAC
Message Authentication Code & HMACMessage Authentication Code & HMAC
Message Authentication Code & HMACKrishna Gehlot
 
Network security
Network securityNetwork security
Network securityGichelle Amon
 
Network security cryptography ppt
Network security cryptography pptNetwork security cryptography ppt
Network security cryptography pptThushara92
 
Authentication Application in Network Security NS4
Authentication Application in Network Security NS4Authentication Application in Network Security NS4
Authentication Application in Network Security NS4koolkampus
 
Types of attacks
Types of attacksTypes of attacks
Types of attacksVivek Gandhi
 

What's hot (20)

CMACs and MACS based on block ciphers, Digital signature
CMACs and MACS based on block ciphers, Digital signatureCMACs and MACS based on block ciphers, Digital signature
CMACs and MACS based on block ciphers, Digital signature
 
What is Cryptography and Types of attacks in it
What is Cryptography and Types of attacks in itWhat is Cryptography and Types of attacks in it
What is Cryptography and Types of attacks in it
 
Digital signature
Digital signatureDigital signature
Digital signature
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Authentication techniques
Authentication techniquesAuthentication techniques
Authentication techniques
 
Steganography
Steganography Steganography
Steganography
 
Cyber security presentation
Cyber security presentationCyber security presentation
Cyber security presentation
 
Network security - OSI Security Architecture
Network security - OSI Security ArchitectureNetwork security - OSI Security Architecture
Network security - OSI Security Architecture
 
Security Mechanisms
Security MechanismsSecurity Mechanisms
Security Mechanisms
 
Digital signature schemes
Digital signature schemesDigital signature schemes
Digital signature schemes
 
Etical and professional issues of computer
Etical and professional issues of computerEtical and professional issues of computer
Etical and professional issues of computer
 
Digital Signature
Digital SignatureDigital Signature
Digital Signature
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security concepts
 
Key management and distribution
Key management and distributionKey management and distribution
Key management and distribution
 
Cryptography
CryptographyCryptography
Cryptography
 
Message Authentication Code & HMAC
Message Authentication Code & HMACMessage Authentication Code & HMAC
Message Authentication Code & HMAC
 
Network security
Network securityNetwork security
Network security
 
Network security cryptography ppt
Network security cryptography pptNetwork security cryptography ppt
Network security cryptography ppt
 
Authentication Application in Network Security NS4
Authentication Application in Network Security NS4Authentication Application in Network Security NS4
Authentication Application in Network Security NS4
 
Types of attacks
Types of attacksTypes of attacks
Types of attacks
 

Similar to cyber security notes

Vulenerability Management.pptx
Vulenerability Management.pptxVulenerability Management.pptx
Vulenerability Management.pptxThavaselviMunusamy1
 
Cyber security
Cyber securityCyber security
Cyber securityAnkush Verma
 
Security (IM).ppt
Security (IM).pptSecurity (IM).ppt
Security (IM).pptGooglePay16
 
Cyber security for business
Cyber security for businessCyber security for business
Cyber security for businessDaniel Thomas
 
Lec 1- Intro to cyber security and recommendations
Lec 1- Intro to cyber security and recommendationsLec 1- Intro to cyber security and recommendations
Lec 1- Intro to cyber security and recommendationsBilalMehmood44
 
MISO L007 managing system security
MISO L007 managing system securityMISO L007 managing system security
MISO L007 managing system securityJan Wong
 
ERP - Complete Syllabus - 4 June 2023.pptx
ERP - Complete Syllabus - 4 June 2023.pptxERP - Complete Syllabus - 4 June 2023.pptx
ERP - Complete Syllabus - 4 June 2023.pptxMuhammadZeeshan347767
 
Topic_14_IT_systems_in_organisations.pptx
Topic_14_IT_systems_in_organisations.pptxTopic_14_IT_systems_in_organisations.pptx
Topic_14_IT_systems_in_organisations.pptxNiraliSoni5
 
Cyber security with ai
Cyber security with aiCyber security with ai
Cyber security with aiBurhan Ahmed
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat IntelligenceMarlabs
 
Cyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat LandscapeCyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat LandscapeAaron White
 
INFORMATICS, INFORMATION SYSTEMS
INFORMATICS, INFORMATION SYSTEMSINFORMATICS, INFORMATION SYSTEMS
INFORMATICS, INFORMATION SYSTEMSJennifer De Julio
 
Securing information system (Management Information System)
Securing information system (Management Information System)Securing information system (Management Information System)
Securing information system (Management Information System)Masudur Rahman
 
First line of defense for cybersecurity : AI
First line of defense for cybersecurity : AIFirst line of defense for cybersecurity : AI
First line of defense for cybersecurity : AIAhmed Banafa
 
Information security
Information securityInformation security
Information securityLJ PROJECTS
 

Similar to cyber security notes (20)

Vulenerability Management.pptx
Vulenerability Management.pptxVulenerability Management.pptx
Vulenerability Management.pptx
 
Cyber security
Cyber securityCyber security
Cyber security
 
Security (IM).ppt
Security (IM).pptSecurity (IM).ppt
Security (IM).ppt
 
Unit 1.pptx
Unit 1.pptxUnit 1.pptx
Unit 1.pptx
 
Cyber security for business
Cyber security for businessCyber security for business
Cyber security for business
 
Lec 1- Intro to cyber security and recommendations
Lec 1- Intro to cyber security and recommendationsLec 1- Intro to cyber security and recommendations
Lec 1- Intro to cyber security and recommendations
 
Security.pdf
Security.pdfSecurity.pdf
Security.pdf
 
Unit-1.pptx
Unit-1.pptxUnit-1.pptx
Unit-1.pptx
 
MISO L007 managing system security
MISO L007 managing system securityMISO L007 managing system security
MISO L007 managing system security
 
ERP - Complete Syllabus - 4 June 2023.pptx
ERP - Complete Syllabus - 4 June 2023.pptxERP - Complete Syllabus - 4 June 2023.pptx
ERP - Complete Syllabus - 4 June 2023.pptx
 
Topic_14_IT_systems_in_organisations.pptx
Topic_14_IT_systems_in_organisations.pptxTopic_14_IT_systems_in_organisations.pptx
Topic_14_IT_systems_in_organisations.pptx
 
Cyber security with ai
Cyber security with aiCyber security with ai
Cyber security with ai
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
Cyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat LandscapeCyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat Landscape
 
INFORMATICS, INFORMATION SYSTEMS
INFORMATICS, INFORMATION SYSTEMSINFORMATICS, INFORMATION SYSTEMS
INFORMATICS, INFORMATION SYSTEMS
 
Securing information system (Management Information System)
Securing information system (Management Information System)Securing information system (Management Information System)
Securing information system (Management Information System)
 
U nit 4
U nit 4U nit 4
U nit 4
 
INT407.pptx
INT407.pptxINT407.pptx
INT407.pptx
 
First line of defense for cybersecurity : AI
First line of defense for cybersecurity : AIFirst line of defense for cybersecurity : AI
First line of defense for cybersecurity : AI
 
Information security
Information securityInformation security
Information security
 

Recently uploaded

Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girlsssuser7cb4ff
 
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfCCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfAsst.prof M.Gokilavani
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...VICTOR MAESTRE RAMIREZ
 
Introduction to Microprocesso programming and interfacing.pptx
Introduction to Microprocesso programming and interfacing.pptxIntroduction to Microprocesso programming and interfacing.pptx
Introduction to Microprocesso programming and interfacing.pptxvipinkmenon1
 
Current Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCLCurrent Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCLDeelipZope
 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024Mark Billinghurst
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxpurnimasatapathy1234
 
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidNikhilNagaraju
 
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
power system scada applications and uses
power system scada applications and usespower system scada applications and uses
power system scada applications and usesDevarapalliHaritha
 
complete construction, environmental and economics information of biomass com...
complete construction, environmental and economics information of biomass com...complete construction, environmental and economics information of biomass com...
complete construction, environmental and economics information of biomass com...asadnawaz62
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort servicejennyeacort
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130Suhani Kapoor
 
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfCCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfAsst.prof M.Gokilavani
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024hassan khalil
 

Recently uploaded (20)

Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girls
 
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfCCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...
 
Introduction to Microprocesso programming and interfacing.pptx
Introduction to Microprocesso programming and interfacing.pptxIntroduction to Microprocesso programming and interfacing.pptx
Introduction to Microprocesso programming and interfacing.pptx
 
Current Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCLCurrent Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCL
 
POWER SYSTEMS-1 Complete notes examples
POWER SYSTEMS-1 Complete notes examplesPOWER SYSTEMS-1 Complete notes examples
POWER SYSTEMS-1 Complete notes examples
 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptx
 
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfid
 
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCRCall Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
 
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
 
power system scada applications and uses
power system scada applications and usespower system scada applications and uses
power system scada applications and uses
 
complete construction, environmental and economics information of biomass com...
complete construction, environmental and economics information of biomass com...complete construction, environmental and economics information of biomass com...
complete construction, environmental and economics information of biomass com...
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
 
Design and analysis of solar grass cutter.pdf
Design and analysis of solar grass cutter.pdfDesign and analysis of solar grass cutter.pdf
Design and analysis of solar grass cutter.pdf
 
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfCCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024
 
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
 

cyber security notes

  • 1. CYBER Security Notes Shikha Jain Assistant Professor KIET Group Of Institutions
  • 2.
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
  • 8.
  • 9. Cyber Security • Actions which are taken in order to prevent the computer systems or the Internet from unauthorized access or against attacks. • Reducing vulnerabilities. • Understand current trends in IT and develop effective solution. Tools used for cyber security: • Passwords, Anti-virus, Firewalls,, Two-factor authentication, Encryption. Reason of increasing Cyber Threats: • IOT • Data Proliferation • Lack of Awareness • Wide-open Internet access • Network traffic
  • 10. Important Terminologies • Vulnerability: any weakness in the system, product or process that compromise the basic security principles. Thereby, the system becomes susceptible to attacks. • Threat: when there is a possibility for violation of security, due to circumstance or capability or action or event, it may cause harm. Threat is a possible danger to assets that might exploit vulnerability. • Attack: is a deliberate attempt to evade security services and violate the security policy of a system. • Risk: The possibility of suffering a loss. Risk is a fundamental part of operations. It is not something to fear, but something to manage.
  • 11. Cyber Threat/Need of Information Security • There are a number of ways with the actor or adversary attempting to gain access to a system. Threats try to gain access to a network through malicious attempts to compromise or disrupt a computer network or system. The types of threats are increasing in its landscape by two technology trends. IOT (Internet of Things) and ii. Data Proliferation. • The very fundamental concept in security is CIA triad referring to Confidentiality, Integrity and Availability. One or more facets of the triad are protected by the security methods. The asset can be exploited by threats to compromise the triad. The threats which are either intentional or accidental fall under three categories based on the triad principles. • The speed with which the malwares spread, the multitude of organizations harmed, which include critical infrastructure, and the serious obstacles in restoring the corrupted data once again underline today’s priority of cyber security. The cyber-attacks on the information and data on the Internet can affect these three fundamental principles of cyber security. So, there is a great need to setup cyber security principles in terms of Confidentiality, integrity and availability. The elements of the triad are considered as the most crucial components of cyber security. These are also termed as security goals.
  • 12. • There are three common categories of cyber threats based on the triad are: • Attack on confidentiality: Stealing, or rather copying, the target's personal information. For example, attacks like credit card fraud, identity theft, or stealing bitcoin wallets. Confidentiality attacks are the major portion of work of International spies to acquire confidential information for political, military, or economic gains. • Attack on integrity: The common name used is sabotage. Integrity attacks seek to corrupt, damage, or destroy information or systems, and the people who rely on them. Offenders can range from script kiddies to international or national attackers • Attack on availability: Preventing a target from accessing by the genuine users is the most frequent occurrence today. For example, ransomware and denial-of-service attacks. Ransomware encrypts the target's data and demands a ransom to decrypt it.A denial-of-service attack, also known as DoS attacks, typically in the form of a distributed denial-of-service (DDoS) attack, floods a network resource with requests, making it unavailable due to jam.
  • 13.
  • 14. First Viruses and Anti-virus(“VIRUS: Vital Information Resource UnderSlege”) • Creeper (1971): In 1970's, Robert (Bob) Thomas who was a researcher for BBN Technologies in Cambridge, Massachusetts created the first computer worm (virus). He realized that it was possible for a computer program to move across a network, leaving a small trail (series of signs) wherever it went. He named the program Creeper, and designed it to travel between Tenex terminals on the early ARPANET, printing the message "I'M THE CREEPER: CATCH ME IF YOU CAN." • An American computer programmer named Ray Tomlinson, the inventor of email, was also working for BBN Technologies at the time. He saw this idea and liked it. He tinkered (an act of attempting to repair something) with the program and made it self-replicating "the first computer worm." He named the program Reaper, the first antivirus software which would found copies of The Creeper and delete it. First Cyber Attack • In 1988, an American computer scientist, Robert Morris, wanted to check the size of the internet. He wrote a program for testing the size of the internet. This program went through networks, invaded Unix terminals, and copied itself. The program became the first famous network virus and named as Moris worm or internet worm. The Morris worm could be infected a computer multiple times, and each additional process would slow the machine down, eventually to the point of being damaged. Robert Morris was charged under the Computer Fraud and Abuse Act. The act itself led to the founding of the Computer Emergency Response Team. This is a non-profit research centre for issues that could endanger the internet as a whole.
  • 16. Fundamental Concepts of Information System “An information system (IS) is an organized system for collecting, organizing, storing and communicating with the information. Here the organizations that use Information system do data collection, filtration, processing, creation and distribution in complementary networks.”
  • 17.
  • 18. (end user, IT specialist) (Machine, Media) (Programs, Procedure) (Database, Kbase) (Communication Support)
  • 19. An information system is essentially made up of five components hardware, software, database, network and people. These five components integrate to perform input, process, output, feedback and control. • Hardware consists of input/output device, processor, operating system and media devices. • Software consists of various programs and procedures. • Database consists of data organized in the required structure. • Network consists of hubs, communication media and network devices. • People consist of device operators, network administrators and system specialist. Components of Information System
  • 21.
  • 22.
  • 23. • Transaction Processing System (TPS): • Basic business systems that serve the operational level. • A computerized system that performs and records the daily routine transactions necessary to the conduct of the business. • Major functions of systems: Budgeting, general ledger, billing, cost accounting. • Examples - super market grocery check out (billing systems) or bank transaction processes, Airline Reservation System, Payroll Processing System, Transport Ticket Reservation System, Purchase Order Entry Systems and Markets Tabulation System. Transaction Processing • Real-time/Online • Batch Data Entry Document and Report Generation Inquiry Processing Database Management
  • 25. Management Information System: • Managers require precise information in a specific format to undertake an organizational decision. • A system which facilitates an efficient decision making process for managers is called management Information system. • An MIS provides managers with information and support for effective decision making, and provides feedback on daily operations. • MIS provides information to the users in the form of reports. • Output, or reports, are usually generated through accumulation of transaction processing data. • MIS is an integrated collection of subsystems, which are typically organized along functional lines within an organization. • Management level : 1. Inputs: High volume data 2. Processing: Simple models 3. Outputs: Summary reports 4. Users: Middle managers • Example: Annual budgeting, Structured and semi-structured decisions, Report control oriented applications.
  • 27. • Decision support system: • Management information system provides information to manager facilitating the routine decision-making process. • Decision support system provides information to manager facilitating specific issue related solution. • Applications of Decision support Systems are Medical Diagnosis, Agricultural Production, Forest Management, Business and Management , Anti-terrorism Systems • Management level 1. Inputs: Low volume data 2. Processing: Interactive 3. Outputs: Decision analysis 4. Users: Professionals, staff Example: Contract cost analysis • Advantages: Time savings, Enhance effectiveness, Improve interpersonal communication, Competitive advantage, Cost reduction, Increase decision maker satisfaction, Promote learning, Increase organizational control.
  • 29. • Executive support system/Executive Information System: • Strategic level 1. Inputs: Aggregate data 2. Processing: Interactive 3. Outputs: Projections 4. Users: Senior managers • Example: 5-year operating plan
  • 31. Distributed Information Systems “A set of information systems physically distributed over multiple sites, which are connected with some kind of communication network” Current Trends: • Cloud computing • Designing of Bigdata • Cloud of IOT Architectures of DIS: • Peer to Peer Architecture (P2P) • Client-Server Architecture • Three-tier Architecture
  • 32.
  • 33.
  • 34. Distributed Information Systems Advantages: • Sharing Data • Autonomy • Availability Disadvantages: • Software development cost • Greater potential of bugs • Increased processing overhead Applications: • Military • Government • Commercial
  • 35. Information Assurance “Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.”
  • 36. Security Services: What types of problems can occur? • Confidentiality: the assurance that information is not disclosed to unauthorized persons, processes or devices. • Integrity: the assurance that data can not be created, changed, or deleted without proper authorization • Availability: Timely, reliable access to data and information services for authorized users. • Authentication: Security service designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual’s authorizations to receive specific categories of information. • Non Repudiation: The assurance the sender of the data is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the data. Information States: Where is the data? • Transmission: Time in which the data is in transit between processing/process steps. • Storage: Time during which data is on a persistent medium such as a hard drive or tape. • Processing: Time during which the data is actually in the control of a processing step.
  • 37. Security Countermeasures: Who can enforce/check security? People: The heart and soul of secure systems. Awareness, literacy, training, education in sound practice. Must follow policy and practice or the systems will be compromised no matter how good the design! Both strength and vulnerability. Policy and Practice (operations): System users, System administrators, Software conventions, Trust validation. Also a countermeasure and a vulnerability. Technology: Evolves rapidly Crypto systems, Hardware, Software, Network(Firewalls, Routers, Intrusion detection, Other), Platform(Operating systems, Transaction monitoring), Especially vulnerable to misconfiguration and other “people” errors.
  • 38. Security Services: What types of problems can occur? • Confidentiality: the assurance that information is not disclosed to unauthorized persons, processes or devices. • Integrity: the assurance that data can not be created, changed, or deleted without proper authorization • Availability: Timely, reliable access to data and information services for authorized users. • Authentication: Security service designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual’s authorizations to receive specific categories of information. • Non Repudiation: The assurance the sender of the data is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the data.
  • 39.
  • 40. Cyber Security Risk Analysis Risk analysis refers to the review of risks associated with the particular action or event. The risk analysis is applied to information technology, projects, security issues and any other event where risks may be analysed based on a quantitative and qualitative basis. The analysis of risk should be occurred on a regular basis and be updated to identify new potential threats. The strategic risk analysis helps to minimize the future risk probability and damage. Steps in the risk analysis process: The basic steps followed by a risk analysis process are: 1. Conduct a risk assessment survey: Getting the input from management and department heads is critical to the risk assessment process. The risk assessment survey refers to begin documenting the specific risks or threats within each department. 2. Identify the risks: This step is used to evaluate an IT system or other aspects of an organization to identify the risk related to software, hardware, data, and IT employees. It identifies the possible adverse events that could occur in an organization such as human error, flooding, fire, or earthquakes.
  • 41. Cyber Security Risk Analysis 3. Analyze the risks: Once the risks are evaluated and identified, the risk analysis process should analyse each risk that will occur, as well as determine the consequences linked with each risk. It also determines how they might affect the objectives of an IT project. 4. Develop a risk management plan: After analysis of the Risk that provides an idea about which assets are valuable and which threats will probably affect the IT assets negatively, we would develop a plan for risk management to produce control recommendations that can be used to mitigate, transfer, accept or avoid the risk. 5. Implement the risk management plan: The primary goal of this step is to implement the measures to remove or reduce the analyses risks. We can remove or reduce the risk from starting with the highest priority and resolve or at least mitigate each risk so that it is no longer a threat. 6. Monitor the risks: This step is responsible for monitoring the security risk on a regular basis for identifying, treating and managing risks that should be an essential part of any risk analysis process.
  • 42. Risk Management Planning Risk Identification Risk response planning risk analyses Risk monitoring and control 1. Decide How 2. Find them 3. Measure 4. Decide Actions5. Act and Measure Risk Analyses and Management
  • 43. Types of Risk Analysis Qualitative Risk Analysis: • The qualitative risk analysis process is a project management technique that prioritizes risk on the project by assigning the probability and impact number. Probability is something a risk event will occur whereas impact is the significance of the consequences of a risk event. • The objective of qualitative risk analysis is to assess and evaluate the characteristics of individually identified risk and then prioritize them based on the agreed-upon characteristics. • The assessing individual risk evaluates the probability that each risk will occur and effect on the project objectives. The categorizing risks will help in filtering them out. • Qualitative analysis is used to determine the risk exposure of the project by multiplying the probability and impact. Quantitative Risk Analysis: • The objectives of performing quantitative risk analysis process provide a numerical estimate of the overall effect of risk on the project objectives. • It is used to evaluate the likelihood of success in achieving the project objectives and to estimate contingency reserve, usually applicable for time and cost. • Quantitative analysis is not mandatory, especially for smaller projects. Quantitative risk analysis helps in calculating estimates of overall project risk which is the main focus.
  • 44. Systems development life cycle (SDLC) – a structured step-by-step approach for developing information systems . -Waterfall Model -Prototyping Model -Evolutionary Model -Spiral Model -Incremental Model
  • 45. • Phase 1: Planning/Investigation Develop the project plan including tasks, resources, and timeframes Project plan - defines the what, when, and who questions of system development Project manager - an individual who is an expert in project planning and management, defines and develops the project plan and tracks the plan to ensure all key project milestones are completed on time Project milestones - represent key dates for which you need a certain group of activities performed Phase 2: Analysis involves end users and IT specialists working together to gather, understand, and document the business requirements for the proposed system Two primary analysis activities: 1. Gather the business requirements Business requirements - the detailed set of knowledge worker requests that the system must meet in order to be successful Joint application development (JAD) - knowledge workers and IT specialists meet, sometimes for several days, to define or review the business requirements for the system 2. Prioritize the requirements Requirements definition document – prioritizes the business requirements and places them in a formal comprehensive document
  • 46. Phase 3: Design • build a technical blueprint of how the proposed system will work • Two primary design activities: 1. Design the technical architecture • Technical architecture - defines the hardware, software, and telecommunications equipment required to run the system 2. Design system models • Modeling - the activity of drawing a graphical representation of a design • Graphical user interface (GUI) - the interface to an information system • GUI screen design - the ability to model the information system screens for an entire system Phase 4: Implementation • Implementation phase - distribute the system to all of the knowledge workers and they begin using the system to perform their everyday jobs • Two primary implementation activities 1. Write detailed user documentation • User documentation - highlights how to use the system 2. Provide training for the system users • Online training - runs over the Internet or off a CD-ROM • Workshop training - is held in a classroom environment and lead by an instructor
  • 47. • Phase 5: Maintenance • Maintenance phase - monitor and support the new system to ensure it continues to meet the business goals • Two primary maintenance activities: 1. Build a help desk to support the system users • Help desk - a group of people who responds to knowledge workers’ questions 2. Provide an environment to support system changes
  • 48.
  • 49. Waterfall Strengths • Easy to understand, easy to use • Provides structure to inexperienced staff • Milestones are well understood • Sets requirements stability • Good for management control (plan, staff, track) • Works well when quality is more important than cost or schedule
  • 50. Waterfall Deficiencies • All requirements must be known upfront • Deliverables created for each phase are considered frozen – inhibits flexibility • Can give a false impression of progress • Does not reflect problem-solving nature of software development – iterations of phases • Integration is one big bang at the end • Little opportunity for customer to preview the system (until it may be too late)
  • 51. When to use the Waterfall Model • Requirements are very well known • Product definition is stable • Technology is understood • New version of an existing product • Porting an existing product to a new platform.
  • 52. Iterative Enhancement Model • Iterative process starts with a simple implementation of a subset of the software requirements and iteratively enhances the evolving versions until the full system is implemented. At each iteration, design modifications are made and new functional capabilities are added. The basic idea behind this method is to develop a system through repeated cycles (iterative) and in smaller portions at a time (incremental).
  • 53.
  • 54. The advantages of the Iterative and Incremental SDLC Model are as follows − • Some working functionality can be developed quickly and early in the life cycle. • Results are obtained early and periodically. • Progress can be measured. • Less costly to change the scope/requirements. • Testing and debugging during smaller iteration is easy. • With every increment, operational product is delivered. • Issues, challenges and risks identified from each increment can be utilized/applied to the next increment. • It supports changing requirements. • Better suited for large and mission-critical projects. • During the life cycle, software is produced early which facilitates customer evaluation and feedback.
  • 55. The disadvantages of the Iterative and Incremental SDLC Model are as follows − • More resources may be required. • Although cost of change is lesser, but it is not very suitable for changing requirements. • More management attention is required. • System architecture or design issues may arise because not all requirements are gathered in the beginning of the entire life cycle. • Defining increments may require definition of the complete system. • Not suitable for smaller projects. • Management complexity is more. • End of project may not be known which is a risk. • Highly skilled resources are required for risk analysis. • Projects progress is highly dependent upon the risk analysis phase.
  • 56. Iterative VS Evolutionary Models Iterative Models Evolutionary Models 1. A usable product is delivered at the end of each cycle. 1. No usable product at the end of each cycle. 2. Requirement implemented priority- wise 2. Requirement implemented category-wise.
  • 58. Prototyping Model • The prototyping model suggest that before carrying out the development of the actual software, a working prototype of the system should be built. • It can help engineers to critically examine the technical issues associated with product development. • A prototype usually exhibits limited functional capabilities, low reliability, and insufficient performance compared to actual software.
  • 59.
  • 60. The advantages of the Prototyping Model are as follows − • Increased user involvement in the product even before its implementation. • Since a working model of the system is displayed, the users get a better understanding of the system being developed. • Reduces time and cost as the defects can be detected much earlier. • Quicker user feedback is available leading to better solutions. • Missing functionality can be identified easily. • Confusing or difficult functions can be identified. The Disadvantages of the Prototyping Model are as follows − • Risk of insufficient requirement analysis owing to too much dependency on the prototype. • Users may get confused in the prototypes and actual systems. • Practically, this methodology may increase the complexity of the system as scope of the system may expand beyond original plans. • Developers may try to reuse the existing prototypes to build the actual system, even when it is not technically feasible. • The effort invested in building prototypes may be too much if it is not monitored properly.
  • 61. Spiral Model • Spiral model is a combination of sequential and prototype model. This model is best used for large projects which involves continuous enhancements. There are specific activities which are done in one iteration (spiral) where the output is a small prototype of the large software. The same activities are then repeated for all the spirals till the entire software is build.
  • 62.
  • 63.
  • 64. Why Spiral Model is called Meta Model ? The Spiral model is called as a Meta Model because it subsumes all the other SDLC models. For example, a single loop spiral actually represents the Iterative Waterfall Model. The spiral model incorporates the stepwise approach of the Classical Waterfall Model. The spiral model uses the approach of Prototyping Model by building a prototype at the start of each phase as a risk handling technique. Also, the spiral model can be considered as supporting the evolutionary model – the iterations along the spiral can be considered as evolutionary levels through which the complete system is built.
  • 65. The advantages of the Spiral SDLC Model are as follows − • Changing requirements can be accommodated. • Allows extensive use of prototypes. • Requirements can be captured more accurately. • Users see the system early. • Development can be divided into smaller parts and the risky parts can be developed earlier which helps in better risk management. The disadvantages of the Spiral SDLC Model are as follows − • Management is more complex. • End of the project may not be known early. • Not suitable for small or low risk projects and could be expensive for small projects. • Process is complex • Spiral may go on indefinitely. • Large number of intermediate stages requires excessive documentation.
  • 67. Application Security • Attackers not only targets server or operating system but also target client application like browsers, multimedia program, document reader • Most common attack: phishing, malware Vendor challenges for Application Security • Available various operating system • Compatibility issue • Updates • Proper risk management • Need to take specific measure to secure client side application Guidelines • Provide incentives who find flaws , sharing knowledge with vendors, mitigation of attack, standardizing application, updating software to newer version
  • 68. Database Security • A database are individual records or groups of records to satisfy various criteria. • It is essential to first implement security within the organization, to make sure the right people have access to right data. • Without these security measures in place, someone must destroy the valuable data or selling the company’s secrets to competitors, or someone invading the privacy of others. • Authentication: to verify a username and a password, a smartcard, retina scan, fingerprints and voice recognition. After a specified login name and password, SQL Server performs the authentication. • Authorization: the mechanism to determine the what level of access a particular authenticated user should have. Role-based security is a form of user-level security where a server doesn’t focus on the individual user’s identity but rather on a logical role he is in. There are 3 types of role in SQL: Fixed Server Roles, Fixed Database Role, Securable/Application Role. • SQL Injection: technique whereby an intruder enters data that cause the application to execute SQL statements not intended to be executed.
  • 69. E-Mail Security • Email security is a collective measure used to secure the access and content of an email account or services. • An email service provider implements email security to secure subscriber email account and data from hackers. • From an individual/end user standpoint, proactive email security measures include : strong passwords, password rotation, spam filters, desktop-based antivirus/anti-spam applications. • A service provider also ensues email security by using strong password and access control mechanism on an email server; encrypting and digital signing email messages. • These must be view as a part of total security agenda. The security of mail flow is focused around the auditing and emailing of mails into and out of the organization. • There must be a plan for inevitable request to retouch data from backups and archives.
  • 70. Internet Security • The Internet is a network of networks , connecting billions of computers located on every continent. • Internet Security encompasses browser security, the security of data entered through a web form, and overall authentication and protection of data sent via Internet Protocol. • The untrusted network data is passed through external router, firewall, and internal router. The network security perimeter is composed of outer security perimeter and internal security perimeter network. • Internet security relies on specific resources and standards for protecting data that gets sent through the Internet. • This includes encryption, firewalls, anti-malware, anti-spyware and anti-virus programs. • The Internet Protocol security(IPSec) protocol suite provides a techniques of setting up a secure channel for protected data exchange between 2 devices such as two servers, two routers, a workstation and a server, or 2 gateways between different networks. • IPSec use strong encryption and authentication methods, and although it can be used to enable tunneled communication between two computers(VPN).
  • 72. Data security considerations • Related to data backup, archival and disposal • Goal: security against any kind of accident or loss of data due to malicious activities 1. Data backup security • In case of data loss you can restore the original data from backup • Reasons of data loss: failure of hardware, failure in software / media, hacking, virus, power failure, erroneous human activity 2. Data Archival • The process of separating active data from inactive data • Active data: frequently used, Inactive data: Less frequently used • Goal: reduce complexity, keep active parts of data fresh • Selection of archival solution depends on: a. Longevity of storage solution b. Manageability of storage solution (role-based) c. Intelligence of content (all data not equally worth) d. Optimization of total cost of ownership e. Type of available solution (scaling)
  • 73. 3. Data Disposal • Permanent delete or destroy the data • The national institute of standard and technology (NIST) describe 3 primary ways in which data can be disposed. I. Overwriting hard drives (at least thrice) II. Degaussing hard drivers and backup tapes (demagnetized HDD) III. Destroying storage media • Data disposal process: I. Building a plan for disposal II. Archiving important information III. Cleaning storage media IV. Proper disposal with security constraints V. Make sure no important data gets deleted
  • 74. Intrusion Detection System • IDS monitors network traffic for suspicious activity • Functions of IDS: Anomaly detection and reporting • Problem with IDS: Prone to false alarms or false positives
  • 76. Components of IDS • An IDS comprises Management console and sensors • It has a database of attack signatures • Sensors detect any malicious activity • It also matches the malicious packet against the database • If found a match, the sensor reports the malicious activity to the management console Techniques applied for IDS
  • 77. Network Intrusion Detection System (NIDS) NIDS examines the traffic on a whole subnet. It compares with the traffic passed by the attacks in existing database Network Node Intrusion Detection System (NNIDS) The traffic in NNIDS is only monitored on a single host unlike NIDS Host Intrusion Detection System (HIDS) HIDS takes an Image of entire system’s file set and compares it to the preceding picture
  • 80. Anomaly based IDS/ Behavior based IDS: Detects attack based on behavior Misuse Detection/ Signature based IDS: Detects known attacks Centralized IDS: IDS are present on the centralized part of the network and communicate with each other Distributed IDS: IDS present on the network operate in a distributed manner and communicate with each other Active IDS: detect and prevents intrusion active IDS is also known as IDPS Passive IDS: only detect intrusions IDS Tools
  • 82. Actions of IPS • Notifying the administrator • Filtering out the malicious data • Blocking further data transfers from the address • Reconnecting the network Types of IPS
  • 83. NIPS (Network based IPS): NIPS detect suspicious traffic by monitoring the entire network WIPS (wireless IPS): WIPS checks for suspicious activity by reviewing wireless networking protocols NBA (Network Behavior Analysis): NBA is network monitoring programs It decreases the time exhausted by network administrators in identifying and resolving network issues HIPS (Host Based IPS): HIPS checks for suspicious activity in single host
  • 84. Digital Signature • a digital signature is a technique for establishing the origin of a particular message in order to settle later disputes about what message (if any) was sent • We use the term signer for an entity who creates a digital signature, and the term verifier for an entity who receives a signed message and attempts to check whether the digital signature is “correct” or not. • Non-Repudiation: A digital signature can be stored by anyone who receives the signed message as evidence that the message was sent and of who sent it. This evidence could later be presented to a third party who could use the evidence to resolve any dispute that relates to the contents and/or origin of the message
  • 85. Creating an RSA signature with appendix message hash function hash Signature algorithm signature signature key message signature 1 2 3
  • 86. Verifying an RSA signature with appendix message signature Verification algorithm verification key hash function = ? 3 Decision 1 2
  • 87. True digital signature requirements Public key encryption requirements Only the holder of some secret data can sign a message “Anyone” can encrypt a message “Anyone” can verify that a signature is valid Only the holder of some secret data can decrypt a message • Question: In the digital signature who use the private key and who use the public key? Private key: sender Public key: receiver • Generic attacks: Obtain someone else’s private signature key In a digital signature scheme “you are your private key”. This is one aspect of the problem of identity theft.
  • 88. Cryptography To ensure secure transmission, data is sent in such a way that it looks completely different from the original data • Plain text: data that to be secured • Cipher text: data after encryption • Encryption: the process of converting a plain text to cipher text. • Decryption: the process of regenerating the plaintext from cipher text
  • 89. Categories of Cryptography Key used in Cryptography Private Key Encryption/ Symmetric Key Cryptography: In symmetric-key cryptography, the same key is used by the sender (for encryption) and the receiver (for decryption).The key is shared. Public Key Encryption/ Asymmetric Key Cryptography: Two keys are used to encrypt and decrypt the data. Public key for encryption and private key for decryption.
  • 91. Cryptanalysis: Study of different methods to decrypt some encrypted data without the knowledge of decryption key or algorithms. Cryptanalyst: the person that performs cryptanalysis. Code breaking methodologies: 1. Brute Force 2. Frequency analysis 3. Trickery Cryptanalysis Vs. Cryptography: Cryptography is the process to secure the data with encryption techniques while Cryptanalysis is the attack that are performed on data to uncover it.
  • 92. E-commerce “E-commerce security is protection of the various ecommerce assets from unauthorized access, its use or modification.” Threats to e-commerce: Phishing, money theft, data misuse, hacking, credit card frauds, unprotected services. Reasons of security threat: Inaccurate management, price manipulation, snowshoe attack, malicious code threat, Wi-Fi eavesdropping, spoofing etc.
  • 93. Electronic payment systems/ e-payment schemes • Secure Electronic Payment Protocol/ Secure electronic transaction (SEPP/SET): use of digital signature and user authentication. SEPP provides usage of internet keyed payment protocol (ikP) and SEPP messages transmitted using multipurpose internet mail extensions (MIME) • Secure Courier E-payment scheme: it encrypts data • Check free wallet: It is based on client server architecture and use RSA algorithm for encryption • Cyber Cash: it is a digital cash software system that encrypts credit card related information. • VeriSign: it verifies digital signature • Digicash: It is e-cash based software
  • 94. E-cash: Electronic transfer of money in the form of a block of data Problem in e-cash: double spending money by customer
  • 95. Access Control • It regulates who and what can view or use resources in a computing environment. • it provides security feature through which system permits or revokes the right to access any data and resource in a system • It includes file permissions, program permissions, data rights permissions. • Identification: Identify a user • Authentication: Verify whether a user is valid or not Types of authentication: 1. Single factor 2. Multifactor
  • 96. Types of Access Control 1. Mandatory access control (MAC): A security model in which access rights are regulated by a central authority based on multiple levels of security. 2. Discretionary access control (DAC): An access control method in which owners or administrators of the protected system, data or resource set the policies defining who or what is authorized to access the resource. 3. Role-based access control (RBAC): A widely used access control mechanism that restricts access to computer resources based on individuals or groups with defined business functions . 4. Rule-based access control: A security model in which the system administrator defines the rules that to govern access to resource objects. 5. Attribute-based access control (ABAC): A methodology that manages access rights by evaluating a set of rules, policies and relationships using the attributes of users, systems and environmental conditions.
  • 97. Firewall • Block unauthorized access • Permitting authorized communication • Based on certain rule and criteria • Prevents from hacker and viruses from internet • It is hardware, software or combination of both • E.g. broadband router, Norton Internet security , Kaspersky Internet security
  • 98. Types of Firewall • Packet filter: inspects data packet based on user defined rules • Application level gateway: apply security measures to specific application such as FTP, TELNET • Circuit level gateway: apply security mechanism after TCP handshaking, works at session layer of OSI layer • Proxy server: check all incoming and outgoing messages but hides the true network address and interrupts all messages Identify a Firewall Prior to hacking a system or a network , a hacker tries to knows what kind of firewall is implemented in it • Port scanning: identify active port • Fire-walking :collect information from remote network to identify mapping • Banner grabbing : detecting services run by firewall
  • 99. VPN • It is a private communication network • It creates virtual tunnel through which data travels from one computer to other over a public network such as internet • VPN data: data transferred through VPN is called payload. • VPN tunnel: a logical path for transmitting VPN data from one node to other. VPN tunnel can be established one of the following 2 layer of OSI reference model: data link layer (PPTP) and network layer (IPsec) Authentication Mechanism 1. User Level Authentication (use PPP (point to point protocol)P for mutual authentication) 2. Computer Level Authentication (use iKE (Ipsec/L2TP protocol) to exchange either their computer certificate or a predefined key) 3. Data origin authentication and data Integrity (cryptography checksum)
  • 100. Types of VPN tunneling 1. Voluntary tunneling: the client directly sets up the connection with the server 2. Compulsory tunneling: a connection is established between 2 VPN servers and VPN access devices such as router
  • 101. Types of VPN 1. PPTP VPN (point to point tunneling protocol): widely used protocol. Use VPN password to log on. No need of extra hardware or software. Do not use encryption. 2. Site-to-site VPN: no dedicated line for transmission. Routing , encryption and decryption is done by router. 3. L2TP VPN: similar to PPTP. Provides confidentiality and Integrity. 4. IPsec: designed for IP traffic. Very secure. Need to install certain programs. Expensive and time consuming. 5. SSL(secure socket layer): creates secure session between browser and application server. 6. MPLS (multi-purpose label switching): MPLS+ISP tuned VPN and very good site to site connectivity. 7. Hybrid: Combine feature of SSL, IPsec etc. highly flexible, very expensive.
  • 103. Application Development Security • An organization applies computer security measures to protect its information assets by selecting and applying a set of measures that will be appropriate for the security of information • Development of secure information requires specific training for what the meaning of security is for an organization and for its application, how secure code is written, and why it is needed to provide security to the application. • Although we have several security measures, such as antivirus, IDS protection, firewalls, VPNs, etc., to secure the assets, yet reliability of such measures to provide full protection is always in question.
  • 104. Why applications are unsecure?????? Primary issues related to secure development of applications • Less trained/skilled developers • Less educational focus on secure development • Difficulty of finding the right information related to specific security measures for particular applications • Life cycle systems considering security mostly in the last phases only • Compilers, interpreters, and programming being unable to utilize the system recourses in the best way possible
  • 105. What to do?????? Benefits of common framework • Developers can refer to the common standard provided in the framework to develop secure applications • Strict guidelines and design principles included in the framework are time tested and universal • Developers get a comprehensive view and understand security policy, programming language, and tools • Organization can improve its development strategy to apply best methods, development effort, standards and procedures, and security policy. • The view of the management becomes more objective towards consideration and mitigation of risks.
  • 106. What a framework include?????? Factors include in framework • Foundation: Basic knowledge of the development procedure (programming language , compiler, etc) • Principles: basic rules to be followed (rules for security, authentication, logging-monitoring-auditing, etc) • Design guidelines: best code implementation methods (validating input, Handling exceptions, applying cryptography, using random number)
  • 107. Information security governance and risk management • “Information has become one of the most crucial business drivers in recent years”, according to NIST. • Information systems are subject to serious threats that can have adverse effects on organizational operations (missions, functions, image, reputation) • We must protect all information assets from threats. This can be done only if managers at different levels in organization are ready to take the security responsibility. • Security governance and risk management should be a part of overall organizational goals rather that a single, highly overlooked discipline.
  • 108. Risk Management: Activities involve in risk management process • Framing: analyze the possible risks associated with the security of information systems and the organizations • Assessing: analyze the level of the risks and the level of security provided with our organization and its information systems. • Monitoring: continuously checking the information system and keeping an eye on other threats and vulnerability that may be encountered by the organization. • Responding: take preventive and corrective measures
  • 110. Security Architecture and Design Secure System Design • Layering: arrange hardware, drivers for kernel and devices, OS, and application in a sequential order. • Abstraction: conceal the irrelevant details from common user. • Security Domain: lower level domain cannot access higher level domain. Ex: kernel have two access level : user mode and kernel mode • The ring model: ring 0: kernel, ring 1: OS, ring 2: device and drivers, ring 3: user application • Open-closed systems: Open systems designed by employing open hardware and standard that may include hardware from a variety of vendors. Close system, only use proprietary hardware or software from specific vendor.
  • 111. Secure Hardware System Architecture • Physical computer hardware security includes not only the mother board, CPU, and memory, but also system buses and memory protection. Secure Operating System and software Architecture • The secure hardware forms the base to provide security in the software and operating system. • Virtualization separates the software from hardware by including a layer between them. This platform can be used by a single host OS to run a number of guest OS at same time. • This complexity may cause conflict between different operating environments that will lead to security issues and flaws in the system.
  • 112. Security Issues in hardware, data storage and downloadable devices • Securing computer systems means to protect all its components that include hardware, software, storage devices, operating system, and peripheral devices. Virtualization separates the software from hardware by including a layer between them. This platform can be used by a single host OS to run a number of guest OS at same time. • Each component has its own vulnerability. Security Issues with hardware • Stealing, destruction, gaining unauthorized access, breaking the security code Security Issues with storage device(DVD, CD) • Data loss and theft, disposal, stealing of data, denial of data, malware. Security Issues with downloadable (peripheral devices)(PDA, USB) • Vulnerable to theft and destruction
  • 113. Physical security and IT assets • Primary threats: 1. Physical access exposure to human being 2. Physical access exposure to natural disaster • Physical security to IT assets 1. Physical access control 2. Electronic and visual surveillance systems: closed circuit television (CCTV) 3. IDS
  • 115. Backup Security Measures • Assigning responsibility, authority, and accountability • Assessing risk • Developing data protection process • Communicating the process to concern people • Executing and testing the process