Chapter 2 Overview of Commercial Issues


Information Assurance and Security
Chapter 2
Overview of Commercial Issues


2.1. Basics of Cryptography
• Cryptography is the science of using mathematics to encrypt and decrypt
data.
• Cryptography enables you to store sensitive information or transmit it across
insecure networks (like the Internet) so that it cannot be read by anyone except
the intended recipient.
• While cryptography is the science of securing data, cryptanalysis is the
science of analyzing and breaking secure communication.
• Classical cryptanalysis involves an interesting combination of analytical
reasoning, application of mathematical tools, pattern finding, patience,
determination, and luck.
• Cryptanalysts are also called attackers.
• When Julius Caesar sent messages to his generals, he didn't trust his
messengers. So he replaced every A in his messages with a D, every B with an E,
and so on through the alphabet. Only someone who knew the “shift by 3” rule could
decipher his messages. And so we begin.
Cryptography (Encryption Techniques)
• Cryptography: Schemes for encryption and decryption.
• Encryption: The process by which plaintext is converted into
cipher-text.
• Decryption: Recovering plaintext from the cipher-text.
• Secret key: Used to set some or all of the various parameters used
by the encryption algorithm.
• Cryptanalysis: The study of “breaking the code”.
• Cryptology: Cryptography and cryptanalysis together constitute
the area of cryptology.
Cryptography has five ingredients
1. Plaintext
2. Encryption algorithm
3. Secret Key
4. Ciphertext
5. Decryption algorithm
Security depends on the secrecy of the key, not the secrecy of the
algorithm.
2.2. What is Web Security?

• The web poses some additional security troubles because:
• so very many different computers are involved in any networked
environment;
• the fundamental protocols of the Internet were not designed with
security in mind;
• the physical infrastructure of the Internet is not owned or controlled by
any one organization, and no guarantees can be made concerning the
integrity and security of any part of the Internet.
• Unfortunately, a web-based system is often advertised as "secure"
merely because the web server uses SSL encryption to protect portions
of the site.
• As we'll soon see, there is a great deal more to the story than that.
Layers Involved in Web Security
• Many "layers" must work in concert to produce a
functioning web-based system.
• Each layer has its own security vulnerabilities, and its
own procedures and techniques for coping with these
vulnerabilities.
• We'll examine each such layer in turn, proceeding from the
hardware (furthest from the end user) to the web browser
(closest to the end user).
• Keep in mind that many attacks take advantage of
weaknesses in multiple layers.
• Even if one such weakness does not expose the service to
attack, that weakness in concert with others can be used
a. Hardware
• Physical access to computer hardware gives even a slightly-skilled person total
control of that hardware.
• Without physical security to protect hardware (i.e. doors that lock) nothing else about
a computer system can be called secure.
b. Operating System
• Because the operating system is the software charged with controlling access to the
hardware, the file system, and the network, weaknesses in it are the most valued
amongst crackers.
• Most OS authentication is handled through user names and passwords.
• Biometric (e.g. voice, face, retina, iris, fingerprint) and physical token-based
(swipe cards, pin-generating cards) authentication are sometimes used to augment
simple passwords, but the costs and accuracy of the technology limit their adoption.
• Once authenticated, the OS is responsible for enforcing authorization rules for a
user’s account.
• The guiding thought here is the Principle of Least Privilege: disallow every
permission that isn't explicitly required.
c. Service
• For our purposes, a "service" is any class of software that
typically runs unattended on a server-style computer and
performs some task in response to a network-originated
request.
• Web servers (e.g. Apache, IIS, including server-side scripting
platforms), FTP servers, email servers (e.g. Sendmail, Qmail,
Exim), Telnet and SSH servers, file and print servers (e.g.
SMB/Samba), database servers (e.g. Oracle, SQL Server,
MySQL, DB/2, PostgreSQL) and so on are all examples of
these services.
d. Data
• Data is an organization's most valuable IT asset, so the nonchalant treatment of its
security is often surprising.
• What is not surprising is that crackers know this and most of their efforts are
ultimately focused on displaying, corrupting, or stealing an organization's
data.
• Finally, backups should be encrypted in some way to prevent any of the many
people that come into contact with the media from reading all of the
organization's data.
• In practice, this encryption is rarely performed.
e. Application
• The main vulnerability of web applications is Cross-Site Scripting (XSS).
• Cross-Site Scripting (a.k.a. XSS, script embedding, or script injection) is more an
attack on the users of a web application, than on the web system itself.
• It usually involves injecting some client-side browser scripting code (i.e.
JavaScript) into one of the application's forms that, once displayed on the site,
results in that code being run (on the end user's browser).
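To make the XSS mechanism concrete, here is an added example (not from the original slides) of the vulnerable pattern beside its hardened form. It assumes a server that stores a user's comment and later renders it into HTML for other visitors; the comment text is constructed for the demonstration. The defence is output encoding with Python's standard `html.escape`, applied for the context the text lands in.

```python
import html

# Constructed sample: a comment stored by one user and later shown to others.
STORED_COMMENT = "Great product! <script>alert('xss')</script>"


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: user-supplied text is concatenated straight into the page,
    so any markup it contains is parsed by the browser and any script in it
    runs in every visitor's browser (stored XSS)."""
    return f"<div class='comment'>{comment}</div>"


def render_comment_safe(comment: str) -> str:
    """Hardened: HTML-encode the text for the element-body context, so '<',
    '>', '&' and quotes are displayed literally instead of being parsed."""
    return f"<div class='comment'>{html.escape(comment, quote=True)}</div>"


def render_attribute_safe(comment: str) -> str:
    """Attribute context: quote=True matters here, because an unescaped quote
    could otherwise terminate the attribute early."""
    safe = html.escape(comment, quote=True)
    return f"<a href='/comments' title='{safe}'>view</a>"


def contains_script_element(rendered: str) -> bool:
    """Coarse check used only to illustrate the difference between the two
    renderings: does the output still contain a live <script> tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_comment_unsafe(STORED_COMMENT))
    print(render_comment_safe(STORED_COMMENT))
```

Note that the hardened rendering does not reject the comment; it simply makes sure the browser shows it as text. Input filtering alone is fragile because the same string may be safe in one context and dangerous in another, so encoding on output, per context, is the primary control, with a Content-Security-Policy header as defence in depth.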
f. Network Protocol
• It is at the network protocol layer that most of the web system security is addressed by
product marketing departments.
• While important, as we've seen this is only one piece of a very large pie.
• The primary technology that protects the web application protocol in question, HTTP, is the
Secure Sockets Layer (SSL), now renamed Transport Layer Security (TLS).
• TLS provides both authentication and encryption services to communicating
computers using digital certificates issued by Certificate Authorities (CAs) also
known as Trust Authorities.
g. Browser
• Unfortunately, given the design of the HTTP protocol (even when secured through
SSL/TLS), there is very little that can be done to protect the web system at the
browser layer.
• Hence, web applications may never trust any data originating from a client browser.
• TLS-based client digital certificates can be used to more positively identify
clients to servers, but they are as yet rarely used, partially because of expense, but also
because they are difficult to move from one client computer to another, thereby
diminishing one of the benefits of web systems: client location transparency.
2.3. Public-Key Infrastructure (PKI)
• A public key infrastructure (PKI) is a set of rules, policies, and procedures needed to create,
manage, distribute, use, store, and revoke digital certificates and manage public-key
encryption.
• The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of
network activities such as e-commerce, internet banking and confidential email.
• It is required for activities where simple passwords are inadequate authentication methods and
more rigorous proof is required to confirm the identity of the parties involved in the communication
and to validate the information being transferred.
• The PKI role that assures valid and correct registration is called a registration authority
(RA).
• An RA is responsible for accepting requests for digital certificates and authenticating the
entity making the request.
• In a Microsoft PKI, a registration authority is usually called a subordinate CA.
• A public key infrastructure (PKI) is a system for the creation, storage, and distribution of
digital certificates which are used to verify that a particular public key belongs to a certain
entity.
• The PKI creates digital certificates which map public keys to entities, securely stores these
certificates in a central repository and revokes them if needed.
Public-Key Infrastructure (cont…)
A PKI consists of:
• A certificate authority (CA): that stores, issues and signs the digital certificates
• A registration authority (RA): which verifies the identity of entities requesting their digital
certificates to be stored at the CA
• A central directory (Certificate Repository): a secure location in which to store and index
keys.
• It is a location where all certificates are stored as well as their public keys, validity
details, revocation lists, and root certificates.
• These locations are accessible through LDAP, FTP or web servers.
• A certificate management system: managing things like the access to stored certificates or
the delivery of the certificates to be issued.
• A certificate policy: stating the PKI's requirements concerning its procedures. Its purpose is
to allow outsiders to analyze the PKI's trustworthiness.
• A Validation Authority (VA) provides validation of PKI certificates. Certificate validation
services can include access to Certificate Revocation Lists (CRL), Online Certificate Status
Protocol (OCSP) and CA chain certificate downloads.
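The roles listed above (RA, CA, repository, CRL, VA) interact in a fixed way, and that interaction is easier to see in code. The following is an added example, not part of the original slides and not any real PKI product's code: a miniature PKI in which an RA approves registrations, a CA signs certificates, a repository holds them and the revocation list, and a VA validates a certificate by checking the issuer's signature and the CRL. It assumes a deliberately toy textbook RSA (tiny key, no padding, never usable for real security) so that it runs with the standard library alone; the names, subjects and primes are constructed for the demonstration.

```python
import hashlib
from dataclasses import dataclass


# --- Toy textbook RSA: assumed for illustration only, NOT secure (tiny key, no padding).
def toy_keypair(p=1000003, q=1000033, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))          # modular inverse, Python 3.8+
    return (e, n), (d, n)                      # (public, private)


def _digest_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def toy_sign(private_key, data: bytes) -> int:
    d, n = private_key
    return pow(_digest_int(data, n), d, n)


def toy_verify(public_key, data: bytes, signature: int) -> bool:
    e, n = public_key
    return pow(signature, e, n) == _digest_int(data, n)


@dataclass(frozen=True)
class Certificate:
    """Binds a subject name to a public key, signed by the issuer."""
    serial: int
    subject: str
    issuer: str
    public_key: tuple
    signature: int

    def tbs(self) -> bytes:
        """The 'to be signed' portion: everything except the signature."""
        e, n = self.public_key
        return f"{self.serial}|{self.subject}|{self.issuer}|{e}|{n}".encode()


class RegistrationAuthority:
    """RA: vouches that a requester really controls the claimed identity."""
    def __init__(self, verified_identities):
        self.verified = set(verified_identities)

    def approve(self, subject: str) -> bool:
        return subject in self.verified


class CertificateRepository:
    """Central directory: issued certificates plus the revocation list (CRL)."""
    def __init__(self):
        self.certs = {}
        self.crl = set()

    def store(self, cert: Certificate):
        self.certs[cert.serial] = cert

    def revoke(self, serial: int):
        self.crl.add(serial)


class CertificateAuthority:
    """CA: issues and signs certificates, but only for RA-approved subjects."""
    def __init__(self, name, ra, repo):
        self.name, self.ra, self.repo = name, ra, repo
        self.public_key, self._private_key = toy_keypair()
        self._next_serial = 1

    def issue(self, subject: str, subject_public_key) -> Certificate:
        if not self.ra.approve(subject):
            raise PermissionError(f"RA rejected registration for {subject}")
        draft = Certificate(self._next_serial, subject, self.name, subject_public_key, 0)
        cert = Certificate(draft.serial, subject, self.name, subject_public_key,
                           toy_sign(self._private_key, draft.tbs()))
        self._next_serial += 1
        self.repo.store(cert)
        return cert


class ValidationAuthority:
    """VA: checks issuer trust, signature integrity and revocation status."""
    def __init__(self, trusted_ca_keys, repo):
        self.trusted = dict(trusted_ca_keys)   # issuer name -> CA public key
        self.repo = repo

    def validate(self, cert: Certificate):
        ca_key = self.trusted.get(cert.issuer)
        if ca_key is None:
            return False, "untrusted issuer"
        if not toy_verify(ca_key, cert.tbs(), cert.signature):
            return False, "bad signature"
        if cert.serial in self.repo.crl:
            return False, "revoked"
        return True, "valid"


def demo():
    """Walk one certificate through its life cycle; returns the VA verdicts."""
    ra = RegistrationAuthority(["shop.example"])          # constructed identity
    repo = CertificateRepository()
    ca = CertificateAuthority("Example Root CA", ra, repo)
    va = ValidationAuthority({ca.name: ca.public_key}, repo)
    server_pub, _server_priv = toy_keypair(p=999983, q=999979)
    cert = ca.issue("shop.example", server_pub)
    verdicts = {"fresh": va.validate(cert)[1]}
    # Altering any signed field invalidates the signature.
    forged = Certificate(cert.serial, "evil.example", cert.issuer, cert.public_key, cert.signature)
    verdicts["tampered"] = va.validate(forged)[1]
    repo.revoke(cert.serial)                               # e.g. key compromise reported
    verdicts["revoked"] = va.validate(cert)[1]
    try:
        ca.issue("evil.example", server_pub)
        verdicts["unregistered"] = "issued"
    except PermissionError:
        verdicts["unregistered"] = "rejected by RA"
    return verdicts


if __name__ == "__main__":
    print(demo())
```

Real PKIs encode the certificate as X.509 rather than a pipe-separated string, use full-size keys with proper signature padding, and publish revocation through CRLs or OCSP as the slide says; the control flow, however, is the one shown: no certificate without RA approval, no trust without a verifiable CA signature, and no trust after revocation.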
Public-Key Infrastructure (cont…)
Uses of PKI
1. Encryption and/or sender authentication of e-mail messages
2. Encryption and/or authentication of documents (e.g., the XML Signature or XML Encryption
standards if documents are encoded as XML)
standards if documents are encoded as XML)
3. Authentication of users to applications (e.g., smart card logon, client authentication
with SSL).
4. Bootstrapping secure communication protocols, such as Internet key exchange (IKE)
and SSL.
5. Mobile signatures are electronic signatures that are created using a mobile device
and rely on signature or certification services in a location independent
telecommunication environment.
6. Internet of things requires secure communication between mutually trusted devices. A
public key infrastructure enables devices to obtain and renew X.509 certificates
which are used to establish trust between devices and encrypt communications using
TLS.
2.4. Enterprise Security Architecture (ESA)
• Enterprise security architecture (ESA) is a framework for
understanding, designing, and implementing security controls to protect
an organization's information assets.
• It can help organizations to improve their security, reduce their costs,
increase their efficiency, and improve their compliance.
• It provides a holistic view of an organization's security risks and helps to
ensure that security controls are aligned with the organization's business
objectives.
• ESA is an important part of information security governance (ISG), which is
the process of setting and enforcing policies and procedures for managing an
organization's information security risks.
• ISG helps to ensure that an organization's security controls are effective and
that they are implemented in a consistent and cost-effective manner.
Benefits of ESA
• There are many benefits to implementing ESA, including:
• Improved security: ESA can help to improve an organization's
security by identifying and addressing its security risks.
• Reduced costs: ESA can help to reduce an organization's
security costs by optimizing its security controls.
• Increased efficiency: ESA can help to increase an
organization's security efficiency by streamlining its security
processes.
• Improved compliance: ESA can help an organization to
improve its compliance with security regulations.
ESA Methodology
• The ESA methodology typically involves the following steps:
1. Define the business goals and objectives. The first step is to define the
organization's business goals and objectives. This will help to ensure that the ESA is
aligned with the organization's overall strategy.
2. Understand the business risk and threats. The next step is to understand the
business risks and threats that the organization faces. This can be done by conducting a
risk assessment.
3. Understand compliance, regulation and legal requirements. The organization
must also understand the compliance, regulation and legal requirements that it must
meet.
4. Identify the appropriate framework and architecture vision. Once the
organization has a good understanding of its business goals, risks, and threats, it can
identify the appropriate ESA framework and architecture vision.
5. Identify the appropriate security controls. The next step is to identify the
appropriate security controls to mitigate the organization's risks. This can be done by
conducting a gap analysis.
6. Implement and monitor security controls. Finally, the organization must implement
ESA Components
• ESA typically consists of the following components:
1. Security policy: The security policy is a high-level
statement of the organization's security goals and
objectives.
2. Security architecture: The security architecture is a
diagram that shows how the organization's security controls
are implemented.
3. Security procedures: Security procedures are detailed
instructions on how to implement and use security controls.
4. Security tools: Security tools are software programs that
help to implement and manage security controls.
ESA Tools
• There are a number of ESA tools available, including:
1. Risk assessment tools: These tools help to identify and
assess an organization's security risks.
2. Gap analysis tools: These tools help to identify the gaps
between an organization's current security controls and its
desired security posture.
3. Compliance management tools: These tools help to track an
organization's compliance with security regulations.
4. Configuration management tools: These tools help to
manage the configuration of an organization's security controls.
ESA Implementation
• Implementing ESA can be a complex and time-consuming process.
However, the benefits of ESA can be significant, and it is an important
investment for any organization that wants to protect its information
assets.
• ESA for IT professionals
• IT professionals can play a key role in implementing ESA.
• They can help to identify and assess security risks, develop and implement
security controls, and monitor the effectiveness of security controls.
• ESA for business leaders
• Business leaders can also play a key role in implementing ESA.
• They can provide the necessary resources and support for ESA projects, and they
can help to ensure that ESA is aligned with the organization's overall strategy.
• ESA for government agencies
• Government agencies can also benefit from implementing ESA.
• ESA can help agencies to protect their sensitive information and to comply with
2.5. Overview of Intrusion Detection Systems:
• An intrusion detection system (IDS) is a system that monitors
a network or system for malicious activity and reports
that activity to an administrator.
• It can also take action to stop the activity, such as blocking
traffic or resetting connections.
What are intrusions?
• Any set of actions that threatens the integrity, availability, or
confidentiality of a network resource.
• E.g. Denial of service (DoS): attempts to starve a host of resources
needed to function correctly.
What is intrusion detection?
• Intrusion detection is the process of monitoring the events occurring in
a computer system or network and analyzing them for signs of
intrusions.
• Intrusions are caused by attackers accessing the systems from the
Internet, authorized users of the systems who attempt to gain
additional privileges for which they are not authorized, and authorized
users who misuse the privileges given to them.
• Intrusion Detection Systems (IDSs) are software or hardware
products that automate this monitoring and analysis process.
IDS can use different methods for detection:

• Signature-based Detection: Involves comparing observed events against a database of known attack signatures
or patterns. If a match is found, the IDS raises an alert.

• Anomaly-based Detection: Establishes a baseline of normal behavior and alerts on any deviations from this
baseline. This method is effective at detecting previously unknown threats but may generate false positives.

• Heuristic-based Detection: Involves the use of rule sets or algorithms to identify suspicious behavior that may
indicate an attack. This method is more flexible than signature-based detection but may also produce false
positives.

• Behavioral Analysis: Focuses on understanding the normal behavior of systems or users and identifies
deviations from this behavior. This can be particularly useful for detecting advanced persistent threats (APTs)
that may operate stealthily over an extended period.

• Once an IDS detects a potential security incident, it can respond in various ways, such as generating alerts,
logging the event, or triggering automated responses.
• In some cases, an IDS may work in conjunction with other security measures, such as firewalls or intrusion
prevention systems (IPS), to provide a comprehensive security posture for a network or system.
IDS Taxonomy
• Intrusion Detection Systems (IDS) can be classified into different categories based on various criteria,
resulting in a taxonomy that helps categorize and understand the diverse approaches and functionalities of
IDS. Here is a common taxonomy for IDS:
1. Based on Deployment Location:
1. Network-Based IDS (NIDS): Monitors network traffic for suspicious patterns and behaviors. It is typically deployed at
strategic points within the network.
2. Host-Based IDS (HIDS): Monitors activities on individual devices or hosts, looking for signs of malicious behavior or
unauthorized access.
2. Based on Detection Methodology:
1. Signature-Based IDS (Knowledge-Based or Misuse Detection): Relies on predefined patterns or signatures of known
attacks. It identifies threats by comparing observed data to a database of signatures.
2. Anomaly-Based IDS (Behavioral or Heuristic Detection): Establishes a baseline of normal behavior and raises alerts
when deviations from this baseline are detected. It looks for abnormal activities that might indicate a security threat.
3. Based on Detection Timing:
1. Real-Time IDS: Analyzes events and generates alerts in real-time as suspicious activities occur.
2. Batch IDS: Collects and analyzes data periodically, often after the fact. It may not provide real-time alerts but can assist
in forensic analysis.
4. Based on Response Mechanism:
1. IDS with Passive Response: Generates alerts but does not take direct action to prevent or stop the detected activity.
2. IDS with Active Response: Can take automated actions to respond to detected threats, such as blocking malicious
traffic or reconfiguring firewall rules.
5. Based on Implementation Architecture:
1. Traditional IDS (Signature-Based): Uses pattern matching to identify known threats based on signatures.
2. Machine Learning-Based IDS: Utilizes machine learning algorithms to detect anomalies or patterns indicative of
malicious behavior.
IDS Taxonomy (cont…)
6. Based on Scope:
1. Single-Point IDS: Monitors a specific segment or point within the network or on a host.
2. Distributed IDS: Involves multiple sensors or agents distributed across various points in the network
or on multiple hosts.
7. Based on Openness:
1. Closed IDS: Relies on proprietary algorithms and databases.
2. Open-Source IDS: Uses open-source technologies, allowing users to modify and extend the system.
8. Based on Purpose:
1. Signature-Based IDS for Specific Threats: Focuses on detecting specific types of threats with
known signatures.
2. Generic Signature-Based IDS: Covers a broader range of threats but may have a higher false
positive rate.
3. Behavioral IDS: Focuses on identifying unusual behaviors and deviations from normal patterns.

Understanding these different classifications helps organizations choose or design an IDS that best fits
their security needs and the characteristics of their network environment.
Often, a combination of different IDS types is used in a layered security strategy to provide
comprehensive coverage against a wide range of threats.
• A distributed intrusion detection system is one where data is collected and
analyzed in multiple hosts, as opposed to a centralized intrusion detection
system.
• Both distributed and centralized intrusion detection systems may use host-
or network-based data collection methods, or most likely a combination of
the two.
• IDS can react to intrusion in two ways:
• Active - takes some action as a reaction to intrusion (such as shutting down
services or connections, logging the user out, ...)
• Passive - generates alarms or notifications.
• Audit information analysis can be done generally in two modes.
• Intrusion detection process can run continuously, also called in real-
time.
• The term "real-time" indicates no more than the fact that the IDS reacts to
an intrusion "quickly enough".
• Intrusion detection process also can be run periodically.
IDS Analysis:
There are two primary approaches to analyzing events to detect attacks:
1. misuse detection
2. anomaly detection.
• Misuse detection, in which the analysis targets something known to be “bad”, is the
technique used by most commercial systems.
• Anomaly detection, in which the analysis looks for abnormal patterns of
activity, has been, and continues to be, the subject of a great deal of
research.
Anomaly detection is used in limited form by a number of IDSs.
1. Misuse Detection:
• Misuse detectors analyze system activity, looking for events or sets of events that match a predefined
pattern of events that describe a known attack (abnormal behavior).
• As the patterns corresponding to known attacks are called signatures, misuse detection is also
called “signature-based detection.”
• Abnormal system behavior is defined first and then all other behavior is defined as normal behavior.
2. Anomaly Detection:
• Anomaly detectors identify abnormal, unusual behavior (anomalies) on a host or network.
• They function on the assumption that attacks are different from predefined “normal” (legitimate) activity
and can therefore be detected by systems that identify these differences.
• Anomaly detectors construct profiles representing normal behavior of users, hosts, or
network connections.
• These profiles are constructed from historical data collected over a period of normal operation.
• The detectors then collect event data and use a variety of measures to determine when monitored
activity deviates from the norm.
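The two analysis approaches just described (and the signature-based and anomaly-based methods listed under "IDS can use different methods for detection" above) are shown side by side in the following added example, which is not part of the original slides and not any real IDS product's code. It assumes a simplified web-server log format and uses constructed log lines: a misuse detector matches request paths against known-bad patterns after URL-decoding them, and an anomaly detector learns a per-client requests-per-minute baseline from a period of normal traffic and flags minutes that deviate from it. The two detectors catch different things, which is the reason the slides say both are used.

```python
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Constructed sample log lines (assumed format: ip [HH:MM] "METHOD path" status).
TRAINING_LOG = [  # a window of normal traffic used to build the baseline
    '10.0.0.5 [09:00] "GET /index.html" 200',
    '10.0.0.5 [09:00] "GET /style.css" 200',
    '10.0.0.5 [09:01] "GET /about.html" 200',
    '10.0.0.5 [09:02] "GET /contact.html" 200',
    '10.0.0.5 [09:02] "GET /logo.png" 200',
    '10.0.0.7 [09:00] "GET /index.html" 200',
    '10.0.0.7 [09:01] "GET /products" 200',
    '10.0.0.7 [09:01] "GET /products?id=7" 200',
    '10.0.0.7 [09:01] "GET /cart" 200',
    '10.0.0.7 [09:02] "POST /cart" 302',
    '10.0.0.7 [09:02] "GET /checkout" 200',
]
OBSERVED_LOG = [  # later traffic to be analysed
    '10.0.0.5 [10:00] "GET /index.html" 200',
    '10.0.0.5 [10:00] "GET /about.html" 200',
    '198.51.100.4 [10:00] "GET /products?id=7%20UNION%20SELECT%201,2,3" 500',
    '203.0.113.8 [10:01] "GET /files?name=..%2F..%2Fconfig.ini" 404',
] + [f'192.0.2.9 [10:01] "GET /{p}" 200' for p in (
    "index.html", "about.html", "products", "cart",
    "contact.html", "logo.png", "style.css", "checkout")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<minute>\d\d:\d\d)\] "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)


def parse(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


# Misuse detection: signatures describing known-bad request shapes.
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("sql-injection", re.compile(r"\bunion\s+select\b", re.IGNORECASE)),
]


def misuse_detect(lines):
    """Return (ip, signature_name) for every request matching a known pattern.
    The path is URL-decoded first: matching the raw, encoded form would miss
    the same attack written with %20 or %2F."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        path = unquote(rec["path"])
        for name, pattern in SIGNATURES:
            if pattern.search(path):
                alerts.append((rec["ip"], name))
    return alerts


# Anomaly detection: profile of normal behaviour, then deviation from it.
def requests_per_minute(lines) -> Counter:
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec is not None:
            counts[(rec["ip"], rec["minute"])] += 1
    return counts


def build_baseline(training_lines):
    """Profile built from historical normal data: mean and standard deviation
    of requests per client per minute."""
    rates = list(requests_per_minute(training_lines).values())
    return statistics.mean(rates), statistics.pstdev(rates)


def anomaly_detect(lines, baseline, k=3.0):
    """Flag (ip, minute, count) whenever a client's rate exceeds mean + k*sd."""
    mean, sd = baseline
    threshold = mean + k * sd
    return sorted((ip, minute, n)
                  for (ip, minute), n in requests_per_minute(lines).items()
                  if n > threshold)


if __name__ == "__main__":
    base = build_baseline(TRAINING_LOG)
    print("misuse:", misuse_detect(OBSERVED_LOG))
    print("anomaly:", anomaly_detect(OBSERVED_LOG, base))
```

In the sample data the single injection and traversal requests are caught only by the signatures (one request per minute is perfectly normal), while the burst from `192.0.2.9` contains nothing a signature would match and is caught only by the anomaly detector. The `k` multiplier is the tuning knob: lowering it catches smaller deviations at the cost of more false positives, which is the trade-off the IPS terminology later in the chapter describes.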
Five Major Types of Intrusion Detection System (IDS)
1. Host Based IDS
2. Network Based IDS
3. Stack Based IDS
4. Signature Based IDS
5. Anomaly Based IDS
3. Stack Based IDS:
• A stack-based IDS is a technology that is integrated with the TCP/IP stack.
• A Stack-Based Intrusion Detection System (IDS) is a type of intrusion
detection system that utilizes a stack to monitor and analyze
network or system activities. This type of IDS is often associated with
the inspection of the network protocol stack or the system call stack.
Let's explore the concept:
Stack-Based IDS:
1. Description: In a network context, a stack-based IDS examines the various
layers of the network protocol stack, such as the OSI model or the TCP/IP
protocol suite. It analyzes packets at different layers, looking for anomalies or
patterns indicative of known attacks.
2. Functionality: Each layer of the protocol stack represents a level of
abstraction (e.g., application layer, transport layer, network layer). The IDS
monitors the interactions between these layers to identify suspicious
behavior or deviations from normal communication patterns.
5. Anomaly Based IDS
• Anomaly detection technique is a centralized process that works
on the concept of a baseline for network behavior.
• This baseline is a description of accepted network behavior,
which is learned or specified by the network administrators, or both.
• It’s like a guard dog personally interviewing everyone at the gate
before they are let down the drive.
Intrusion Prevention System and types of Network Threats
• What is an Intrusion Prevention System (IPS)?
• An Intrusion Prevention System is a network device/software that goes
deeper than a firewall to identify and block network threats by assessing
each packet based on the network protocols in the application layer, the
context of the communication and tracking of each session.
• Intrusion prevention systems are network security devices that monitor
network and/or system activities for malicious activity (intrusion)
Main functions of an Intrusion Prevention System (IPS) are:
– Identify intrusion
– Log information about intrusion
– Attempt to block/stop intrusion and
– Report intrusion
An Intrusion Detection System (IDS) only detects intrusions.
Intrusion Prevention System
What are the ways in which Intrusion Prevention Systems work?
1. Signature based threat detection: Intrusion detection/prevention systems
contain a large repository of signatures that help identify attacks by matching
attempts to known vulnerability patterns.
2. Anomaly threat detection: Anomaly detection techniques protect against first
strike or unknown threats. This is done by comparing the network traffic to a baseline
to identify abnormal and potentially harmful behavior.
3. Passive Network Monitoring: IPS can also be set to passively monitor network
traffic at certain points and identify abnormal behavior/ deviation of certain security
threshold parameters and report the same by generating reports/alerts (like email
alerts) about the device communications to the security administrator.
Terminology
False positive – Incorrectly identifying benign activity as being malicious
False negative – Failing to identify malicious activity that has occurred
Many organizations choose to decrease false negatives at the cost of increasing false
positives.
Altering the configuration of an IPS to improve its detection accuracy is known as
tuning.
What are the important IPS performance metrics?
IPS performance metrics are measured in terms of:
• Dynamic alerting capability
• Lower false positives
• Threat blocking capability
• High availability/ redundancy/ speed of working
• Ability to correctly identify attacks and drop packets accurately
Some IPS solutions offer the flexibility to implement different protection
options (rules) for different segments of the network, which is especially
useful for large networks. Some of them are capable of isolating the attack
traffic to a network segment and limiting the bandwidth to reduce the effect
of network threats. IPS help identify and mitigate the following types of
network threats.
Difference between IDS (Intrusion Detection System) and IPS (Intrusion
Prevention System)
1. Both increase the security level of networks, monitoring traffic and inspecting and
scanning packets for suspicious data.
2. Detection in both systems is mainly based on signatures already detected and
recognized.
3. The main difference between one system and the other is the action they take when
an attack is detected in its initial phases (network scanning and port scanning).
4. The Intrusion Detection System (IDS) provides the network with a level of preventive
security against any suspicious activity. The IDS achieves this objective through early
warnings aimed at systems administrators.
However, an IDS is not designed to block attacks.
5. An Intrusion Prevention System (IPS) is a device that controls access to IT networks in
order to protect systems from attack and abuse.
It is designed to inspect attack data and take the corresponding action, blocking it as it is
developing and before it succeeds, creating a series of rules in the corporate firewall.
In summary, an Intrusion Prevention System provides an additional layer of
defense beyond intrusion detection, actively working to prevent security
incidents and protect networks and systems from a wide range of threats.
Difference between Firewall and Intrusion Detection System
• A firewall is a hardware and/or software which functions in a networked
environment to block unauthorized access while permitting authorized
communications.
• Firewall is a device and/or a software that stands between a local network
and the Internet, and filters traffic that might be harmful.
• An Intrusion Detection System (IDS) is a software or hardware device
installed on the network (NIDS) or host (HIDS) to detect and report
intrusion attempts to the network.
• We can think of a firewall as security personnel at the gate and an
IDS as a security camera behind the gate.
• A firewall can block a connection, while an Intrusion Detection System (IDS)
cannot block a connection.
• An Intrusion Detection System (IDS) alerts the security administrator to any
intrusion attempts.
• However, an Intrusion Detection and Prevention System (IDPS) can block
connections if it finds the connection is an intrusion attempt.
