1. Lecturer: Sayed Zia Ashna
Department of Computer Science, Jahan University
Email: zia.ashna@hotmail.com
Network Security Concept
2. Course Objectives
After successfully completing this course, you will be able to:
› Mastering Security Goals
› Exploring Control Types and Methods
› Securing your Networks
› Securing Hosts and Data
› Understanding Malware and Social Engineering
› Identifying Advanced Attacks
› Managing Risk
› Preparing for Business Continuity
› Understanding Cryptography
› Exploring Operational Security
NETWORK SECURITY (JAHAN UNIVERSITY, BCS), SAYED ZIA
ASHNA
3. Course Outline
› Mastering Security Goals
› Exploring Control Types and Methods
› Securing your Networks
› Securing Hosts and Data
› Understanding Malware and Social Engineering
› Identifying Advanced Attacks
› Managing Risk
› Preparing for Business Continuity
› Understanding Cryptography
› Exploring Operational Security
4. Text Books to Follow
› CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide by Darril Gibson
5. Introduction to Mastering Security Goals
CHAPTER ONE
7. Understanding Security Goals
› Security starts with several principles that organizations include as core security goals. These principles drive many security-related decisions at multiple levels. Understanding these basic concepts helps give us a solid foundation in security.
› Confidentiality, integrity, and availability together form the security triad. Each element is important to address in any security program.
8. Confidentiality
› Confidentiality prevents the unauthorized disclosure of data. Authorized users can access the data, but unauthorized users cannot.
› Confidentiality is implemented by the following methods:
1. Encryption
2. Access Control
A. Identification
B. Authentication
C. Authorization
3. Steganography
9. Confidentiality – Encryption
› Encryption scrambles data to make it unreadable by unauthorized users. Authorized users can decrypt data to access it, but the encryption techniques make it extremely hard for unauthorized personnel to access encrypted data.
10. Confidentiality – Access Control
› Identification, authentication, and authorization combined provide access controls and help ensure that only authorized personnel can access data.
› The following are the key elements of access control:
– Identification
– Authentication
– Authorization
11. Confidentiality – Access Control
– Identification: Users claim an identity with a unique username to gain access to the service.
– Authentication: Users prove their identity with authentication, such as with a password.
– Authorization: We can grant or restrict access to the resources using an authorization method, such as permissions.
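The three access-control steps above, run in order against a small in-memory account store. This is an added example, not part of the original slides; the usernames, passwords, permission names and the PBKDF2 iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value for this example)

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so the stored credential is never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user(password: str, permissions: set) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt),
            "permissions": permissions}

# Constructed sample accounts and permission names (hypothetical).
USERS = {
    "alice": make_user("correct horse battery", {"payroll:read", "payroll:write"}),
    "bob": make_user("tr0ub4dor&3", {"payroll:read"}),
}

def access(username: str, password: str, permission: str) -> str:
    """Run identification, authentication and authorization in order."""
    # 1. Identification: the user claims an identity with a unique username.
    user = USERS.get(username)
    if user is None:
        return "denied: unknown identity"
    # 2. Authentication: the user proves the claim with a password.
    candidate = hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["hash"]):
        return "denied: authentication failed"
    # 3. Authorization: permissions decide what the proven identity may do.
    if permission not in user["permissions"]:
        return "denied: not authorized"
    return "granted"

# The distinct reasons are for the audit log; a login prompt should show one
# generic failure message so it does not reveal which usernames exist.
if __name__ == "__main__":
    for attempt in [("bob", "tr0ub4dor&3", "payroll:read"),
                    ("bob", "tr0ub4dor&3", "payroll:write"),
                    ("bob", "guess", "payroll:read"),
                    ("mallory", "guess", "payroll:read")]:
        print(attempt[0], attempt[2], "->", access(*attempt))
```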
12. Confidentiality – Steganography
› The third method that we can use for confidentiality is steganography.
› Steganography is the practice of hiding data within data. Many people refer to it as hiding data in plain sight.
13. Integrity
› Integrity provides assurances that data has not changed. This includes ensuring that no one has modified, tampered with, or corrupted the data. Ideally, only authorized users modify data.
› However, there are times when unauthorized or unintended changes occur. This can be from unauthorized users, from malicious software (malware), and through system and human errors. When this occurs, the data has lost integrity.
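One common way to detect a loss of integrity is to record a cryptographic hash of each file while it is known to be good and compare later. This is an added example, not part of the original slides; the slides do not name hashing, and the file names and contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def baseline(root: Path) -> dict:
    """Map each file under root (relative path) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(known_good: dict, current: dict) -> dict:
    """Report every way the current state differs from the baseline."""
    both = known_good.keys() & current.keys()
    return {
        "modified": sorted(k for k in both if known_good[k] != current[k]),
        "missing": sorted(known_good.keys() - current.keys()),
        "added": sorted(current.keys() - known_good.keys()),
    }

def demo() -> dict:
    """Constructed scenario: one file edited, one deleted, one added."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "app.conf").write_text("debug=false\n")
        (root / "motd").write_text("welcome\n")
        known_good = baseline(root)
        # Unauthorized or unintended changes made after the baseline.
        (root / "app.conf").write_text("debug=true\n")
        (root / "motd").unlink()
        (root / "unexpected.sh").write_text("#!/bin/sh\n")
        return compare(known_good, baseline(root))

if __name__ == "__main__":
    print(demo())
```

The baseline itself must be stored where the monitored system cannot alter it, otherwise whoever changes the files can also rewrite the recorded hashes.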
14. Availability
› Availability indicates that data and services are available when needed.
› For some organizations, this simply means that data and services must be
available between 8:00 am and 5:00 pm, Saturday through Thursday. For other
organizations, this means they must be available 24 hours a day, 7 days a week,
and 365 days a year.
› Organizations commonly implement redundancy and fault-tolerant methods to
ensure high levels of availability for key systems.
15. Availability – Redundancy and Fault Tolerance
› Redundancy adds duplication to critical systems and provides fault tolerance. If a critical component has a fault, the duplication provided by the redundancy allows the service to continue without interruption. In other words, a system with fault tolerance can suffer a fault, but tolerate it and continue to operate.
16. Availability – Patching
› Another method of ensuring systems stay available is patching.
› Software bugs cause a wide range of problems, including security issues and even random crashes.
› When software vendors discover the bugs, they develop and release code that patches or resolves these problems.
› Organizations commonly implement patch management programs to ensure that systems stay up to date with current patches.
17. Safety
› Another common goal of security is safety.
› It refers to the safety of both individuals and an organization’s assets. You can always replace things, but you cannot replace people, so safety of people should always be a top priority.
› Consider safety for both people and assets:
– Safety of people
– Safety of assets
18. Layered Security/Defense in Depth
› Layered security/defense in depth refers to the security practice of implementing several layers of protection.
› You can’t simply take a single action, such as implementing a firewall or installing antivirus software, and consider yourself protected.
› You must implement security at several different layers. This way, if one layer fails, you still have additional layers to protect you.
19. Risk Concepts
› A threat is any circumstance or event that has the potential to compromise
confidentiality, integrity, or availability.
› A vulnerability is a weakness. It can be a weakness in the hardware, the
software, the configuration, or even the users operating the system.
› Threats can come from inside an organization, such as from a disgruntled employee, or from outside the organization, such as from an attacker who could be located anywhere on the internet.
› Threats can be natural, such as hurricanes, tsunamis, or tornadoes, or man-made, such as malware written by a criminal.
› Reducing risk is also known as risk mitigation. Risk mitigation reduces the chances that a threat will exploit a vulnerability.
20. Authentication Factors
› As an introduction, the authentication factors are:
– Something you know
– Something you have
– Something you are
21. Authentication Factors – Something you know
› This authentication factor typically refers to a shared secret, such as a password or even a PIN. This factor is the least secure form of authentication. However, security can be increased by following some simple guidelines:
– Use strong passwords
– Change passwords regularly
– Verify a user’s identity before resetting a password
– Change default passwords
– Do not write passwords down
– Do not share passwords
22. Authentication Factors – Something you have
› It refers to something you can physically hold.
› Common items in this factor are as follows:
– Smart Cards
– Tokens or Key Fobs
23. Authentication Factors – Something you are
› This factor uses biometrics for authentication.
› Biometric methods are the strongest form of authentication because they are the most difficult for an attacker to falsify.
› Biometrics use physical characteristics, such as:
– Fingerprint and Thumbprint
– Handprint
– Palm
– Retina
– Iris
24. Dual-Factor and Multifactor Authentication
› Dual-factor authentication uses two different factors of authentication, such as something you have and something you know.
› Dual-factor authentication often uses a smart card and a PIN, a USB token and a PIN, or a smart card or hardware token combined with a password.
› Multifactor authentication uses two or more factors of authentication.
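A token-and-PIN check in which access requires both factors at once. This is an added example, not part of the original slides; it assumes the token generates time-based one-time passwords (RFC 6238), which the slides do not specify, and the secret, salt and PIN are constructed sample values.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 one-time password (HMAC-SHA-1 variant) for a given time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# Constructed enrolment record for one user (sample values only).
TOKEN_SECRET = b"12345678901234567890"   # secret shared with the token
PIN_SALT = b"constructed-salt"
PIN_ITERATIONS = 100_000                 # assumed work factor
PIN_HASH = hashlib.pbkdf2_hmac("sha256", b"4921", PIN_SALT, PIN_ITERATIONS)

def verify_dual_factor(pin: str, code: str, now: int) -> bool:
    """Grant access only when BOTH factors verify."""
    # Something you know: the PIN, compared against its stored salted hash.
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), PIN_SALT, PIN_ITERATIONS)
    knows = hmac.compare_digest(candidate, PIN_HASH)
    # Something you have: the code shown by the token. The previous time
    # step is also accepted to tolerate small clock drift.
    has = any(hmac.compare_digest(code.encode(), totp(TOKEN_SECRET, now - drift).encode())
              for drift in (0, 30))
    # Both checks always run, so a failure does not reveal which factor was wrong.
    return knows and has

if __name__ == "__main__":
    now = 59  # constructed timestamp
    print(verify_dual_factor("4921", totp(TOKEN_SECRET, now), now))  # both factors
    print(verify_dual_factor("4921", "000000", now))                 # PIN only
    print(verify_dual_factor("0000", totp(TOKEN_SECRET, now), now))  # token only
```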