Lecture 2 - Philadelphia University

Module 2
Security Methodology
Modified by: Ahmad Al Ghoul
Philadelphia University
Faculty of Administrative & Financial Sciences
Business Networking & System Management Department
Room Number 32406
E-mail Address: ahmad4_2_69@hotmail.com
Network Security
Philadelphia University
Ahmad Al-Ghoul 2010-2011
Some standards bodies
• IETF (the Internet Engineering Task Force)
• AES (the Advanced Encryption Standard)
• ETSI (the European Telecommunications Standards Institute)
• IEEE (the Institute of Electrical and Electronics Engineers)
• ISO (the International Organization for Standardization)
The 10 Major Headings
• Security Policy
• Security Organisation
• Asset Classification and Control
• Personnel Security
• Physical and Environmental Security
• Operational Management
• Access Control
• Systems Development and Maintenance
• Business Continuity Management
• Compliance
International Standards
• International Standards in Information Security are developed by the Security Techniques Committee, ISO/IEC JTC 1 SC 27
• Three Areas
– WG 1 - Security Management
– WG 2 - Security Algorithms/Techniques
– WG 3 - Security Assessment/Evaluation
Participating Members
• SAI Australia
• IBN Belgium
• ABNT Brazil
• SCC Canada
• CSBTS/CESI China
• CSNI Czech Rep
• DS Denmark
• SFS Finland
• AFNOR France
• DIN Germany
• MSZT Hungary
• BIS India
• UNINFO Italy
• JISC Japan
• KATS Korea, Rep of
• DSM Malaysia
• NEN Netherlands
• NTS/IT Norway
• PKN Poland
• GOST R Russian Fed
• SABS South Africa
• AENOR Spain
• SIS Sweden
• SNV Switzerland
• BSI UK
• DSTU Ukraine
• ANSI USA
WG 1 Security Management
• Two key standards:
– Guidelines for Information Security Management (GMITS) (TR 13335)
– Code of Practice for Information Security Management (IS 17799)
• Other standards:
– Guidelines on the use and management of trusted third parties (TR 14516)
– Guidelines for implementation, operation and management of Intrusion Detection Systems (WD 18043)
– Guidelines for security incident management (WD 18044)
WG 2 Security Techniques
• There are International Standards for:
– Encryption (WD 18033)
– Modes of Operation (IS 8372)
– Message Authentication Codes (IS 9797)
– Entity Authentication (IS 9798)
– Non-repudiation Techniques (IS 13888)
– Digital Signatures (IS 9796, IS 14888)
– Hash Functions (IS 10118)
– Key Management (IS 11770)
– Elliptic Curve Cryptography (WD 15946)
– Time Stamping Services (WD 18014)
WG 3 Security Evaluation
• Third Party Evaluation
– Criteria for an independent body to form an impartial and repeatable assessment of the presence, correctness and effectiveness of security functionality
• “Common Criteria” (CC) (IS 15408)
Common Criteria
• Produced by a consortium of Government bodies in North America / European Union
– Mainly National Security Agencies
• Influenced by International Standardisation committee
– Adopted as International Standard 15408
• Adopted and recognised by other major Governments
– All EU, Australia, Japan, Russia
• Security Architecture
– For end-to-end communications
Security Architecture
for End-to-End Communications
• Authentication is the process of confirming a user's identity.
• Authentication is one of the basic building blocks of computer security. It is achieved through the execution of an authentication protocol between two or more parties. One such protocol, the Secure Socket Layer (SSL) protocol
• Authorization determines what services and access a user is authorized for.
Authentication
3 types of authentication:
• Something you know - Password, PIN, mother’s maiden name, passcode
• Something you have - ATM card, smart card, token, key, ID badge, driver's license, passport
• Something you are - Fingerprint, voice scan, DNA
• Authentication is a process in which a system identifies a user. Access control determines what is permitted after authentication. Authentication is often closely tied to the concept of accounts, which are, generically, a set of information tied to a unique identifier. This information usually comprises the data needed to let someone use system resources. For example, it provides the location of the user's personal files or the user's real name.
Models: Access Control
• What is access control?
– Limiting who is allowed to do what
• What is an access control model?
– Specifying who is allowed to do what
What is access control?
• Access control is the heart of security
• Definitions:
– The ability to allow only authorized users, programs or processes system or resource access
– The granting or denying, according to a particular security model, of certain permissions to access a resource
– An entire set of procedures performed by hardware, software and administrators, to monitor access, identify users requesting access, record access attempts, and grant or deny access based on pre-established rules.
How can AC be implemented?
– Hardware
– Software
• Application
• Protocol (Kerberos, IPSec)
– Physical
– Logical (policies)
What does AC hope to protect?
• Data - Unauthorized viewing, modification or copying
• System - Unauthorized use, modification or denial of service
• It should be noted that nearly every network operating system (NT, Unix, Vines, NetWare) is based on a secure physical infrastructure
Access control lists (ACL)
• A file used by the access control system to determine who may access what programs and files, in what method and at what time
• Different operating systems have different ACL terms
• Types of access:
– Read/Write/Create/Execute/Modify/Delete/Rename
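The ACL definition above (who, what, in what method, at what time), together with the earlier point about recording access attempts, can be shown as a small default-deny evaluator. This is an added example, not part of the original slides; the users, the file path and the function names are hypothetical.

```python
from dataclasses import dataclass
from datetime import time

# Access types named on the slide.
ACCESS_TYPES = {"read", "write", "create", "execute", "modify", "delete", "rename"}

@dataclass(frozen=True)
class AclEntry:
    who: str            # user, program or process
    what: str           # program or file being protected
    methods: frozenset  # permitted access types
    start: time         # window start (inclusive)
    end: time           # window end (exclusive); may wrap past midnight

# Constructed sample ACL: the users and the path are hypothetical.
DB = "/payroll/salaries.db"
ACL = [
    AclEntry("alice", DB, frozenset({"read", "modify"}), time(8), time(18)),
    AclEntry("bob", DB, frozenset({"read"}), time(8), time(18)),
    AclEntry("backup", DB, frozenset({"read"}), time(22), time(2)),
]
AUDIT = []  # every attempt is recorded, whether allowed or denied

def in_window(now: time, start: time, end: time) -> bool:
    if start <= end:
        return start <= now < end
    return now >= start or now < end  # window wraps past midnight

def check_access(who: str, what: str, method: str, now: time, acl=ACL) -> bool:
    """Allow only if one entry matches who, what, method and time."""
    if method not in ACCESS_TYPES:
        raise ValueError(f"unknown access type: {method}")
    allowed = any(
        e.who == who and e.what == what and method in e.methods
        and in_window(now, e.start, e.end)
        for e in acl
    )
    AUDIT.append((now, who, what, method, "ALLOW" if allowed else "DENY"))
    return allowed  # no matching entry means the request is denied

if __name__ == "__main__":
    print(check_access("alice", DB, "modify", time(9, 30)))   # inside her window
    print(check_access("bob", DB, "modify", time(9, 30)))     # method not granted
    print(check_access("backup", DB, "read", time(1, 0)))     # window wraps midnight
    print(check_access("mallory", DB, "read", time(9, 30)))   # no entry at all
    print(AUDIT)
```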
Defending Against Threats
• When talking about information security, a vulnerability is a weakness in your information system (network, systems, processes, and so on) that has the greatest potential of being compromised. There might be a single vulnerability, but typically there are a number of them. For instance, if you have five servers that have the latest security updates for the operating system and applications running, but have a sixth system that is not current, the sixth system would be considered a vulnerability. Although this would be a vulnerability, it would most likely not be the only one. To defend against threats, you must identify the threats to your C-I-A triad, determine what your vulnerabilities are, and minimize them.
Building a Defense
• When building a defense, you should use a layered approach that includes securing the network infrastructure, the communications protocols, servers, applications that run on the server, and the file system, and you should require some form of user authentication.
• When you configure a strong, layered defense, an intruder has to break through several layers to reach his or her objective. For instance, to compromise a file on a server that is part of your internal network, a hacker would have to breach your network security, break the server's security, break an application's security, and break the local file system's security. The hacker has a better chance of breaking one defense than of breaking four layers of defense.
Methods of Defense
• Having controls does no good unless they are used properly. The following are some factors that affect the effectiveness of controls.
• Effectiveness of Controls
– Awareness of Problem
– Likelihood of Use: the suitable and effective use
– Overlapping Controls: combinations of controls could be provided to one exposure.
– Periodic Review: few controls are permanently effective. When we find a way to secure assets, the opposition doubles its efforts in an effort to defeat the security mechanism. Thus, judging the effectiveness of a control is an ongoing task.
– Principle of Effectiveness: Controls must be used to be effective. They must be efficient, easy to use, and appropriate.
Methods of Defense
• Controls
• In this section we will study some security control tools that attempt to prevent exploitation of the vulnerabilities of computing systems.
• Encryption
• Software Controls
– internal program controls (database): parts of the program that enforce security restrictions, such as access limitations in a database management program.
– operating system controls: limitations enforced by the system to protect each user from all other users.
– development controls: quality standards under which a program is designed, coded, tested, and maintained.
Methods of Defense
• Hardware Controls
– use the devices which have been invented to assist in computer security (e.g. smart card)
• Hardware security modules (HSM) perform cryptographic operations, protected by hardware (PCI boards, SCSI boxes, smart cards, etc.)
• These operations include:
– Random number generation
– Key generation (asymmetric and symmetric)
– Private key hiding (security) from attack (no unencrypted private keys in software or memory)
  • Private keys used for signing and decryption
  • Private keys used in PKI for storing Root Keys
Methods of Defense
• Policies
– operation policy: some of the simplest controls, such as changing the password frequently, can be achieved at essentially no cost but with tremendous effect.
– legal and ethical control: the law is slow to evolve, and the technology involving computers has emerged suddenly. Although legal protection is necessary and desirable.
– The area of computer ethics is unclear. It is not that computer people are unethical, but rather that society in general and the computing community in particular have not adopted formal standards of ethical behavior. Some organizations are attempting to devise codes of ethics for computer professionals.
• Physical Controls
– Some of the easiest, most effective, and least expensive controls are physical controls: locks on doors, guards at entry points, backups, etc.
Basic Encryption and Decryption
• Encryption and Decryption
– encryption: a process of encoding a message so that its meaning is not obvious
– decryption: the reverse process
• encode (encipher) vs. decode (decipher)
– encoding: the process of translating entire words or phrases to other words or phrases
– enciphering: translating letters or symbols individually
– encryption: the group term that covers both encoding and enciphering
What is Encryption?
[Figure: the message "This is confidential." and the label "CJIN Network"]
Plaintext vs. Ciphertext
• Plaintext vs. Ciphertext
– P (plaintext): the original form of a message
– C (ciphertext): the encrypted form
• Basic operations
– plaintext to ciphertext: encryption: C = E(P)
– ciphertext to plaintext: decryption: P = D(C)
– requirement: P = D(E(P))
Encryption Strategy
• Provide confidentiality of communications
• Ensure integrity of information
• Enhance Authentication
• Provide for non-repudiation of sender or receiver
Encryption with key
– encryption key: KE
– decryption key: KD
– C = E(KE, P)
– P = D(KD, E(KE, P))
Encryption with key
• Symmetric Cryptosystem: KE = KD
• Asymmetric Cryptosystem: KE ≠ KD
Secret Key Encryption
[Figure: Bob sends "This is a secret message" to Jane over a line that is not secure]
Bob (sender):
1. Bob types message to Jane and encrypts the message with secret key and sends it.
3. Somehow he lets her know what his secret key is.
Jane (receiver):
1. Jane receives Bob's secret message and is later told by Bob the secret key to unlock the message.
2. She decrypts and reads the message.
Public Key Encryption
[Figure: Bob sends the message "Jane, This is a secret message - Bob" to Jane over a line that is not secure; labels: Jane’s public key, Jane’s private key]
Bob (sender):
1. Bob writes the message and encrypts it using Jane’s public key, which is known to everyone.
2. Bob sends the message over the internet to Jane.
Jane (receiver):
1. Jane receives the message and decodes it with her private key, which only she knows.
2. The secrecy of the private key is crucial.
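The requirement P = D(KD, E(KE, P)) from the "Encryption with key" slides, and the Bob-to-Jane exchanges in the secret key and public key slides, can be run end to end for both cases. This is an added example, not part of the original slides: the symmetric cipher is a SHA-256 keystream XOR standing in for a real cipher such as AES, the asymmetric one is textbook RSA on small well-known primes, and all names are hypothetical. Both are sized for teaching only.

```python
import hashlib

def keystream(key: bytes, n: int) -> bytes:
    """Expand key into n bytes by hashing key || counter (teaching stand-in)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]

def sym_encrypt(k: bytes, p: bytes) -> bytes:
    """C = E(K, P). No nonce is used, so a key must not be reused."""
    return bytes(a ^ b for a, b in zip(p, keystream(k, len(p))))

def sym_decrypt(k: bytes, c: bytes) -> bytes:
    """P = D(K, C): the same key reverses the XOR, so KE = KD."""
    return sym_encrypt(k, c)

# Asymmetric case: Jane's key pair from two Mersenne primes (far too small
# for real use). KE is published, KD never leaves Jane.
P_PRIME, Q_PRIME = 2**31 - 1, 2**61 - 1
N = P_PRIME * Q_PRIME
PHI = (P_PRIME - 1) * (Q_PRIME - 1)
E_PUB = 65537
D_PRIV = pow(E_PUB, -1, PHI)      # modular inverse (Python 3.8+)
JANE_PUBLIC = (E_PUB, N)          # KE
JANE_PRIVATE = (D_PRIV, N)        # KD, with KE != KD

def rsa_encrypt(ke, p: bytes) -> int:
    """C = E(KE, P) for a short message (at most 11 bytes here)."""
    e, n = ke
    m = int.from_bytes(p, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)

def rsa_decrypt(kd, c: int) -> bytes:
    """P = D(KD, C). Leading zero bytes of P are not preserved."""
    d, n = kd
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

if __name__ == "__main__":
    shared = b"key Bob must somehow tell Jane"
    c1 = sym_encrypt(shared, b"This is a secret message")
    print(sym_decrypt(shared, c1))
    c2 = rsa_encrypt(JANE_PUBLIC, b"secret msg")
    print(rsa_decrypt(JANE_PRIVATE, c2))
```

In the symmetric case the shared key itself has to reach Jane by some other route, which is step 3 on the secret key slide; in the asymmetric case Bob needs only `JANE_PUBLIC`.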
Uses of Encryption
• Digital Certificates use Public Key
• Web Access with SSL
• Virtual Private Networks (VPNs)
• Desktop Encryption
Digital signature
• A digital signature is a sort of protocol that provides authenticity and identification of the user.
• It is similar to the signature of a person on a paper or check.
• It is used for many purposes in the provision of network security.
Physical security
• Network security should begin by first emphasizing the necessity for physical security. Most organizations limit physical access to hosts and servers, but they must also take into consideration networking devices, such as routers, switches, and the like, and even such simple elements as cabling and wiring.