Summary of Information and Data Security
2021-2022
Information and Data Security
Dr. Alaa Frahan
University of Technology, Baghdad
Information and Data Security 2021-2022
1. Information & Data security
An information system (IS) is an organized system for the collection,
organization, storage and communication of information.
Information Systems is the academic study of systems with a specific reference to
information, and of the complementary networks of hardware and software that people
and organizations use to collect, filter, process, create and distribute data. An
emphasis is placed on an information system having a definite boundary, users,
processors, storage, inputs, outputs and the communication component mentioned
above; the field is not purely concerned with ICT, focusing instead on the end use
of information technology. Information systems are also different from business
processes: information systems help to control the performance of business
processes.
Alter argues for the advantages of viewing an information system as a special type
of work system. A work system is a system in which humans or machines perform
processes and activities using resources to produce specific products or services
for customers. An information system is a work system whose activities are devoted
to capturing, transmitting, storing, retrieving, manipulating and displaying
information.
As such, information systems inter-relate with data systems on the one hand and
activity systems on the other. An information system is a form of communication
system in which data represent and are processed as a form of social memory. An
information system can also be considered a semi-formal language which supports
human decision making and action.
2. Threats and risks in information security
Learning objectives
Upon completion of this material, you should be able to:
§ Identify and understand the threats posed to information security
§ Identify and understand the more common attacks associated with those threats
Terminology
§ Vulnerability: a weakness or fault that can lead to an exposure
§ Threat: generic term for objects or people that pose a potential danger to an asset
(via attacks)
§ Threat agent: a specific object or person that poses such a danger (by carrying out
an attack)
§ DDoS attacks are a threat; if a hacker carries out a DDoS attack, he is a threat
agent
§ Risk: the probability that "something bad" happens times the expected damage to the
organization
§ Risk is distinct from vulnerabilities and exploits; e.g., a web service running on a
server may contain a vulnerability, but if the server is not connected to any network
the probability of exploitation, and therefore the risk, is 0.0. The vulnerability
still exists, and the risk returns the moment the server becomes reachable.
§ Exposure: a successful attack, i.e. a vulnerability that has actually been exploited
Terminology (2)
§ Malware: malicious code such as viruses, worms, Trojan horses, bots,
backdoors, spyware, adware, etc.
§ Disclosure: how a discovered vulnerability is made public: responsible
(coordinated), full, partial, none, delayed, etc.
§ Authentication: determining the identity of a person, computer, or service on a
computer
§ Authorization: determining whether an entity (person, program, computer) has
access to an object
§ Authorization can be implicit (whoever holds the credentials for an email account
may read its mail) or explicit (attributes specifying which users/groups can
read/write/execute a file)
3. Vulnerability
In computer security, a vulnerability is a weakness which allows an attacker to
reduce a system's information assurance. Vulnerabilities are the intersection of
three elements: a system susceptibility or flaw, attacker access to the flaw, and
attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must
therefore have both access to the flaw and the capability to exploit it.
A security risk is often classified as a vulnerability, but using "vulnerability" with
the same meaning as "risk" leads to confusion. Risk is tied to the potential of a
significant loss, so there are vulnerabilities without risk (for example, a flaw in an
asset that cannot be reached or whose compromise causes no loss). A vulnerability with
a known, working attack is an exploitable vulnerability: a vulnerability for which an
exploit exists. The window of vulnerability is the time from when the security hole
was introduced or manifested in deployed software to when access was removed, a
security fix was made available and deployed, or the attacker was disabled (see
zero-day attack).
A security bug (security defect) is a narrower concept: there are vulnerabilities that
are not related to software. Hardware, site and personnel vulnerabilities are examples
of vulnerabilities that are not software security bugs.
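The two ideas above, risk as probability times expected damage (gated by whether the attacker can reach the flaw at all) and the window of vulnerability, are easy to get wrong in a spreadsheet. The following is an added example, not code from the lecture notes: a small risk-register helper in Python. The asset names, probabilities, loss figures and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Finding:
    asset: str
    vulnerability: str
    reachable: bool            # can a threat agent actually get at the flaw?
    p_exploit_per_year: float  # estimated annual probability of a successful attack
    damage: float              # expected loss per successful attack (currency units)
    introduced: date           # date the flaw appeared in deployed software
    closed: Optional[date] = None  # fix deployed, access removed or attacker disabled


def risk(f: Finding) -> float:
    """Risk = probability that 'something bad' happens x expected damage.
    An unreachable flaw cannot be exploited, so its risk is 0.0 even though
    the vulnerability itself is still present (and still needs tracking)."""
    if not f.reachable:
        return 0.0
    return f.p_exploit_per_year * f.damage


def window_of_vulnerability(f: Finding, today: date) -> int:
    """Days during which the flaw has been exploitable in deployment.
    For a finding that is still open the window runs up to `today`."""
    end = f.closed if f.closed is not None else today
    return (end - f.introduced).days


def prioritise(findings: List[Finding]) -> List[str]:
    """Asset names ordered by risk, highest first. Reachability is what turns a
    vulnerability into a risk, so unreachable flaws sink to the bottom."""
    return [f.asset for f in sorted(findings, key=risk, reverse=True)]


def report(findings: List[Finding], today: date) -> dict:
    """Risk and window per asset: the numbers a review meeting would want."""
    return {f.asset: {"risk": risk(f), "window_days": window_of_vulnerability(f, today)}
            for f in findings}


# Constructed sample register (not real systems or figures).
TODAY = date(2022, 1, 1)
SAMPLE_FINDINGS = [
    Finding("public-web-01", "buffer overflow in HTTP parser", True, 0.30, 200_000.0,
            date(2021, 9, 1), closed=date(2021, 10, 16)),
    Finding("offline-build-box", "buffer overflow in HTTP parser", False, 0.30, 200_000.0,
            date(2021, 9, 1)),                      # same flaw, no network: risk 0.0
    Finding("lab-kiosk", "default admin password", True, 0.05, 10_000.0,
            date(2021, 6, 1)),
]


if __name__ == "__main__":
    for asset, row in report(SAMPLE_FINDINGS, TODAY).items():
        print(f"{asset:18} risk={row['risk']:>10.1f} window={row['window_days']} days")
    print("priority:", prioritise(SAMPLE_FINDINGS))
```

Note that the offline build box carries exactly the same flaw as the public web server but ranks last, while its window of vulnerability keeps growing: the moment that box is plugged into a network, its risk jumps to the web server's figure.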
Vulnerability and risk factor models
A resource (either physical or logical) may have one or more vulnerabilities that
can be exploited by a threat agent in a threat action. The result can potentially
compromise the confidentiality, integrity or availability of resources (not
necessarily the vulnerable one) belonging to an organization and/or other parties
involved (customers, suppliers). The so-called CIA triad is the basis of information
security.
An attack is active when it attempts to alter system resources or affect their
operation, compromising integrity or availability. A passive attack attempts to
learn or make use of information from the system but does not affect system
resources, compromising confidentiality.[5]
Vulnerability disclosure
Responsible disclosure (many now call it "coordinated disclosure", since
"responsible" is a loaded word) of vulnerabilities is a topic of great debate. As
reported by The Tech Herald in August 2010, "Google, Microsoft, TippingPoint, and
Rapid7 have recently issued guidelines and statements addressing how they will deal
with disclosure going forward."
A responsible disclosure first alerts the affected vendors confidentially, then alerts
CERT two weeks later, which grants the vendors another 45-day grace period before a
security advisory is published.
Full disclosure is done when all the details of a vulnerability are publicized,
perhaps with the intent of putting pressure on the software or procedure authors to
find a fix urgently.
Well-respected authors have published books on vulnerabilities and how to exploit
them; Hacking: The Art of Exploitation, Second Edition, is a good example.
Security researchers catering to the needs of the cyber warfare or cybercrime
industry have stated that this approach does not provide them with adequate income
for their efforts.[29] Instead, they offer their exploits privately to enable
zero-day attacks.
The never-ending effort to find new vulnerabilities and to fix them is called
computer insecurity.
In January 2014, when Google revealed a Microsoft vulnerability before Microsoft
released a patch to fix it, a Microsoft representative called for coordinated
practices among software companies in revealing disclosures.
Vulnerability inventory
The MITRE Corporation maintains a list of disclosed vulnerabilities in a system called
Common Vulnerabilities and Exposures (CVE). CVE itself only assigns identifiers; the
severity of each entry is scored separately using the Common Vulnerability Scoring
System (CVSS), for example in NIST's National Vulnerability Database. OWASP collects a
list of potential vulnerabilities with the aim of educating system designers and
programmers, thereby reducing the likelihood of vulnerabilities being written
unintentionally into software.
Vulnerability disclosure date
The time of disclosure of a vulnerability is defined differently in the security
community and industry. It is most commonly referred to as "a kind of public
disclosure of security information by a certain party". Usually, vulnerability
information is discussed on a mailing list or published on a security web site and
results in a security advisory afterward.
The time of disclosure is the first date a security vulnerability is described on a
channel where the disclosed information on the vulnerability fulfils the following
requirements:
• The information is freely available to the public
• The vulnerability information is published by a trusted and independent
channel/source
• The vulnerability has undergone analysis by experts, such that risk rating
information is included upon disclosure
Identifying and removing vulnerabilities
Many software tools exist that can aid in the discovery (and sometimes removal) of
vulnerabilities in a computer system. Though these tools can provide an auditor with
a good overview of the possible vulnerabilities present, they cannot replace human
judgment. Relying solely on scanners yields false positives and a limited-scope
view of the problems present in the system.
Vulnerabilities have been found in every major operating system, including Windows,
macOS, various forms of Unix and Linux, OpenVMS, and others. The only way to reduce
the chance of a vulnerability being used against a system is constant vigilance,
including careful system maintenance (e.g. applying software patches), best
practices in deployment (e.g. the use of firewalls and access controls) and auditing
(both during development and throughout the deployment lifecycle).
Examples of vulnerabilities
Vulnerabilities are related to:
• the physical environment of the system
• the personnel
• management
• administration procedures and security measures within the organization
• business operation and service delivery
• hardware
• software
• communication equipment and facilities
It is evident that a purely technical approach cannot even protect physical assets:
one needs administrative procedures that let maintenance personnel enter the
facilities, and people with adequate knowledge of those procedures who are motivated
to follow them with proper care. See Social engineering (security).
Four examples of vulnerability exploits:
• an attacker finds and uses an overflow weakness to install malware that exports
sensitive data;
• an attacker convinces a user to open an email message with attached malware;
• an insider copies a hardened, encrypted program onto a thumb drive and cracks it
at home;
• a flood damages computer systems installed on the ground floor.
Software vulnerabilities
Common types of software flaws that lead to vulnerabilities include:
• Memory safety violations, such as:
  o Buffer overflows and over-reads
  o Dangling pointers
• Input validation errors, such as:
  o Code injection
  o Cross-site scripting in web applications
  o Directory traversal
  o E-mail injection
  o Format string attacks
  o HTTP header injection
  o HTTP response splitting
  o SQL injection
• Privilege-confusion bugs, such as:
  o Clickjacking
  o Cross-site request forgery in web applications
  o FTP bounce attack
• Privilege escalation
• Race conditions, such as:
  o Symlink races
  o Time-of-check-to-time-of-use bugs
• Side-channel attacks, such as:
  o Timing attacks
• User interface failures, such as:
  o Blaming the victim: prompting a user to make a security decision without giving
    the user enough information to answer it[32]
  o Race conditions
  o Warning fatigue or user conditioning
Several sets of coding guidelines have been developed, and a large number of static
code analyzers are used to verify that code follows the guidelines.
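Two of the input validation errors in the list above, directory traversal and SQL injection, are shown below in their vulnerable form next to a hardened form. This is an added example in Python and not code from the lecture notes; the document root, the users table and the attacker inputs are constructed for the demonstration.

```python
import os
import sqlite3
import tempfile


# --- Directory traversal ---------------------------------------------------

def read_file_vulnerable(base_dir: str, requested: str) -> str:
    """Joins the user-supplied name onto the document root without checking
    where the result lands, so '../' sequences walk out of base_dir."""
    with open(os.path.join(base_dir, requested), "r") as fh:
        return fh.read()


def read_file_hardened(base_dir: str, requested: str) -> str:
    """Canonicalises the final path and refuses anything outside base_dir.
    realpath() resolves '..' and symlinks, so a link pointing outside the
    root is rejected too; an absolute `requested` replaces base_dir inside
    os.path.join and is likewise caught by the commonpath check."""
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"path escapes document root: {requested!r}")
    with open(target, "r") as fh:
        return fh.read()


# --- SQL injection ---------------------------------------------------------

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the statement by string concatenation, so the input is parsed
    as SQL: a quote closes the literal and '--' comments out the rest."""
    query = ("SELECT 1 FROM users WHERE name = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: values travel separately from the SQL text, so
    nothing in the input can change the statement's structure. (A real
    login would also store a password hash rather than the password.)"""
    row = conn.execute(
        "SELECT 1 FROM users WHERE name = ? AND password = ?", (username, password)
    ).fetchone()
    return row is not None


def demo() -> dict:
    """Runs both flaws against constructed data and returns the outcomes."""
    root = tempfile.mkdtemp()
    docs = os.path.join(root, "public")
    os.mkdir(docs)
    with open(os.path.join(docs, "readme.txt"), "w") as fh:
        fh.write("public file")
    with open(os.path.join(root, "secret.txt"), "w") as fh:   # outside the docroot
        fh.write("SECRET")

    out = {}
    out["traversal_vulnerable"] = read_file_vulnerable(docs, "../secret.txt")
    try:
        read_file_hardened(docs, "../secret.txt")
        out["traversal_hardened_blocked"] = False
    except PermissionError:
        out["traversal_hardened_blocked"] = True
    out["traversal_hardened_ok"] = read_file_hardened(docs, "readme.txt")

    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    attacker = "alice' --"   # closes the name literal, comments out the password check
    out["sqli_vulnerable"] = login_vulnerable(conn, attacker, "wrong")
    out["sqli_hardened"] = login_hardened(conn, attacker, "wrong")
    out["sqli_hardened_legit"] = login_hardened(conn, "alice", "correct horse")
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28} {value!r}")
```

The common thread is that the fix is structural, not a blacklist: the hardened file reader decides on the canonical path rather than on the string the client sent, and the hardened query never lets the input reach the SQL parser at all.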
4. Wireless networks
A wireless network is a computer network that uses wireless data connections
between network nodes.[1]
Wireless networking is a method by which homes, telecommunications networks and
business installations avoid the costly process of introducing cables into a
building, or provide a connection between various equipment locations.[2] Wireless
telecommunications networks are generally implemented and administered using radio
communication. This implementation takes place at the physical layer of the OSI
model.[3]
Examples of wireless networks include cell phone networks, wireless local area
networks (WLANs), wireless sensor networks, satellite communication networks, and
terrestrial microwave networks.[4]
Types of wireless networks
Wireless PAN
Wireless personal area networks (WPANs) interconnect devices within a relatively
small area, generally within a person's reach.[5] For example, both Bluetooth radio
and invisible infrared light provide a WPAN for interconnecting a headset to a
laptop. ZigBee also supports WPAN applications.[6] Wi-Fi PANs became commonplace
around 2010 as equipment designers started to integrate Wi-Fi into a variety of
consumer electronic devices. Intel "My WiFi" and Windows 7 "virtual Wi-Fi"
capabilities have made Wi-Fi PANs simpler and easier to set up and configure.[7]
Wireless LAN
Wireless LANs are often used for connecting to local resources and to the Internet.
A wireless local area network (WLAN) links two or more devices over a short
distance using a wireless distribution method, usually providing a connection
through an access point for Internet access. The use of spread-spectrum or OFDM
technologies may allow users to move around within a local coverage area and still
remain connected to the network.
Products using the IEEE 802.11 WLAN standards are marketed under the Wi-Fi brand
name. Fixed wireless technology implements point-to-point links between computers
or networks at two distant locations, often using dedicated microwave or modulated
laser light beams over line-of-sight paths. It is often used in cities to connect
networks in two or more buildings without installing a wired link.
Wireless ad hoc network
A wireless ad hoc network, also known as a wireless mesh network or mobile ad hoc
network (MANET), is a wireless network made up of radio nodes organized in a mesh
topology. Each node forwards messages on behalf of the other nodes and each node
performs routing. Ad hoc networks can "self-heal", automatically rerouting around a
node that has lost power. Various network layer protocols are needed to realize ad
hoc mobile networks, such as Destination-Sequenced Distance Vector routing,
Associativity-Based Routing, Ad hoc On-demand Distance Vector routing, and Dynamic
Source Routing.
Wireless MAN
Wireless metropolitan area networks are a type of wireless network that connects
several wireless LANs.
• WiMAX is a type of wireless MAN and is described by the IEEE 802.16 standard.[8]
Wireless WAN
Wireless wide area networks are wireless networks that typically cover large areas,
such as between neighboring towns and cities, or a city and its suburbs. These
networks can be used to connect branch offices of a business or as a public Internet
access system. The wireless connections between access points are usually
point-to-point microwave links using parabolic dishes on the 2.4 GHz band, rather
than the omnidirectional antennas used with smaller networks. A typical system
contains base station gateways, access points and wireless bridging relays. Other
configurations are mesh systems where each access point acts as a relay also. When
combined with renewable energy systems such as photovoltaic solar panels or wind
systems they can be stand-alone systems.
Cellular network
(Figure: example of a frequency reuse factor or pattern of 1/4.)
A cellular network or mobile network is a radio network distributed over land
areas called cells, each served by at least one fixed-location transceiver, known as
a cell site or base station. In a cellular network, each cell characteristically uses
a different set of radio frequencies from all its immediately neighbouring cells to
avoid interference.
When joined together these cells provide radio coverage over a wide geographic
area. This enables a large number of portable transceivers (e.g., mobile phones,
pagers, etc.) to communicate with each other and with fixed transceivers and
telephones anywhere in the network, via base stations, even if some of the
transceivers are moving through more than one cell during transmission.
Although originally intended for cell phones, with the development of smartphones,
cellular telephone networks routinely carry data in addition to telephone
conversations:
• Global System for Mobile Communications (GSM): the GSM network is divided into
three major systems: the switching system, the base station system, and the
operation and support system. The cell phone connects to the base station system,
which then connects to the operation and support system; it then connects to the
switching system where the call is transferred to where it needs to go. GSM is the
most common standard and is used for a majority of cell phones.[9]
• Personal Communications Service (PCS): PCS is a radio band that can be used by
mobile phones in North America and South Asia. Sprint happened to be the first
service to set up a PCS.
• D-AMPS: Digital Advanced Mobile Phone Service, an upgraded version of AMPS, is
being phased out due to advancement in technology. The newer GSM networks are
replacing the older system.
Global area network
A global area network (GAN) is a network used for supporting mobile communications
across an arbitrary number of wireless LANs, satellite coverage areas, etc. The key
challenge in mobile communications is handing off user communications from one
local coverage area to the next. In IEEE Project 802, this involves a succession of
terrestrial wireless LANs.[10]
Wireless security
Wireless security is the prevention of unauthorized access to, or damage to,
computers using wireless networks. The most common types of wireless security are
Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). WEP is a
notoriously weak security standard: the key it uses can often be recovered in a few
minutes with a basic laptop computer and widely available software tools. WEP is an
old IEEE 802.11 standard from 1999, which was superseded in 2003 by WPA, or Wi-Fi
Protected Access. WPA was a quick alternative to improve security over WEP.
The standard in general use is WPA2 (its successor, WPA3, was published in 2018 but
is not yet universally supported); some hardware cannot support WPA2 without a
firmware upgrade or replacement. WPA2 encrypts traffic with AES (CCMP), keyed from a
256-bit pairwise master key, in place of WEP's 40- or 104-bit RC4 keys; the longer
key and the stronger cipher improve security over WEP. Enterprises often enforce
security using a certificate-based system to authenticate the connecting device,
following the IEEE 802.1X standard.
Many laptop computers have wireless cards pre-installed. The ability to enter a
network while mobile has great benefits. However, wireless networking is prone to
some security issues. Hackers have found wireless networks relatively easy to break
into, and even use wireless technology to hack into wired networks.[1] As a result,
it is very important that enterprises define effective wireless security policies
that guard against unauthorized access to important resources.[2] Wireless Intrusion
Prevention Systems (WIPS) or Wireless Intrusion Detection Systems (WIDS) are
commonly used to enforce wireless security policies.
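Why WEP falls so quickly is worth seeing concretely. WEP encrypts each frame with RC4 under a per-frame key formed from a 24-bit initialisation vector (IV), sent in the clear, concatenated with the shared secret key. With only 2^24 IVs, a busy access point repeats one within a few thousand frames, and two frames under the same IV share the same keystream: one frame with guessable content (an ARP request, say) hands the attacker the keystream, which then decrypts every other frame carrying that IV, without ever recovering the key. The following is an added example in Python and not code from the lecture notes; the key, IV and frame contents are constructed, and the CRC-32 integrity value real WEP appends is omitted.

```python
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + generation); WEP uses it unmodified."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: 3-byte IV in the clear, then plaintext XOR RC4(IV || key)."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    return iv + xor(plaintext, rc4_keystream(iv + wep_key, len(plaintext)))


def wep_decrypt(wep_key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    return xor(body, rc4_keystream(iv + wep_key, len(body)))


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Attacker step 1: a frame whose content is guessable gives away the
    keystream for its IV, no key needed (ciphertext XOR plaintext)."""
    return xor(frame[3:], known_plaintext)


def decrypt_reused_iv(frame: bytes, keystream: bytes) -> bytes:
    """Attacker step 2: any other frame carrying the same IV uses the same
    keystream, so it decrypts directly (as far as the known keystream reaches)."""
    return xor(frame[3:], keystream)


def frames_until_iv_repeat(probability: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday-bound estimate of how many frames a sniffer needs before two
    share an IV with the given probability: n ~ sqrt(2 N ln(1/(1-p)))."""
    n_ivs = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * n_ivs * math.log(1 / (1 - probability))))


# Constructed demonstration values (not a real network or key).
WEP_KEY = bytes.fromhex("0102030405")          # a 40-bit WEP key
IV = bytes.fromhex("0a0b0c")
KNOWN = b"ARP request: who has 10.0.0.1?"     # traffic the attacker can predict
SECRET = b"login user=bob pass=hunter2"        # a later frame, same IV


def demo() -> dict:
    frame_known = wep_encrypt(WEP_KEY, IV, KNOWN)
    frame_secret = wep_encrypt(WEP_KEY, IV, SECRET)    # the access point reused the IV
    keystream = recover_keystream(frame_known, KNOWN)   # attacker never sees WEP_KEY
    return {
        "same_iv": frame_known[:3] == frame_secret[:3],
        "recovered": decrypt_reused_iv(frame_secret, keystream),
        "roundtrip": wep_decrypt(WEP_KEY, frame_known),
        "frames_for_50pct_collision": frames_until_iv_repeat(0.5),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28} {value!r}")
```

The keystream-reuse problem is independent of key length: a 104-bit WEP key has the same 24-bit IV and fails the same way, which is why WPA2's CCMP uses a 48-bit packet number that is never reused under one key and binds it into AES-CCM rather than simply prepending it to the key.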
(Figure: security settings panel for a DD-WRT router.)
The risks to users of wireless technology have increased as the service has become
more popular. There were relatively few dangers when wireless technology was first
introduced. Hackers had not yet had time to latch on to the new technology, and
wireless networks were not commonly found in the workplace. However, there are many
security risks associated with the current wireless protocols and encryption
methods, and in the carelessness and ignorance that exists at the user and corporate
IT level.[3] Hacking methods have become much more sophisticated and innovative with
wireless access. Hacking has also become much easier and more accessible, with
easy-to-use Windows- or Linux-based tools being made available on the web at no
charge.
Some organizations that have no wireless access points installed do not feel that
they need to address wireless security concerns. In-Stat MDR and META Group
estimated that 95% of all corporate laptop computers planned to be purchased in 2005
were equipped with wireless cards. Issues can arise in a supposedly non-wireless
organization when a wireless laptop is plugged into the corporate network. A hacker
could sit out in the parking lot and gather information from it through laptops
and/or other devices, or even break in through this wireless-card-equipped laptop
and gain access to the wired network.
5. Access control
In the fields of physical security and information security, access control (AC) is
the selective restriction of access to a place or other resource.[1] The act of
accessing may mean consuming, entering, or using. Permission to access a resource is
called authorization.
Locks and login credentials are two analogous mechanisms of access control.
Computer systems and networks rely on access policies. The access control process
can be divided into the following phases: a policy definition phase, where access is
authorized, and a policy enforcement phase, where access requests are approved or
disapproved. Authorization is the function of the policy definition phase, which
precedes the policy enforcement phase where access requests are approved or
disapproved based on the previously defined authorizations.
Most modern, multi-user operating systems include access control and thereby rely
on authorization. Access control also uses authentication to verify the identity of
consumers. When a consumer tries to access a resource, the access control process
checks that the consumer has been authorized to use that resource. Authorization is
the responsibility of an authority, such as a department manager, within the
application domain, but is often delegated to a custodian such as a system
administrator. Authorizations are expressed as access policies in some types of
Page
20
"policy definition application", e.g. in the form of an access control list or a
capability, on the basis of the "principle of least privilege": consumers should only
be authorized to access whatever they need to do their jobs. Older and single user
Information and Data Security 2021-2022
operating systems often had weak or non-existent authentication and access control
systems.
"Anonymous consumers" or "guests", are consumers that have not been required to
authenticate. They often have limited authorization. On a distributed system, it is
often desirable to grant access without requiring a unique identity. Familiar
examples of access tokens include keys and tickets: they grant access without
proving identity.
Trusted consumers are often authorized for unrestricted access to resources on a system, but must be authenticated so that the access control system can make the access approval decision. "Partially trusted" consumers and guests will often have restricted authorization in order to protect resources against improper access and usage. The access policy in some operating systems, by default, grants all consumers full access to all resources. Others do the opposite, insisting that the administrator explicitly authorizes a consumer to use each resource.
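The two phases described above (an authority defines the policy, the system enforces it on every request) can be shown in a few lines of code. The example below is added to these notes and is not taken from any operating system; it is a small access control list in Python in which every consumer, resource and operation name (hr_clerk, sysadmin, employee_records, notice_board) is constructed for the demonstration. It follows the "insist that the administrator explicitly authorizes each resource" model: anything not granted is rejected, and guests get only what the guest rules explicitly open.

```python
"""Added example, not from the lecture notes: the two access-control phases
(policy definition, then policy enforcement) as a small access control list.
Every consumer, resource and operation name below is constructed for the demo."""


class AccessControlList:
    """Authorizations live in a table: resource -> consumer -> {operations}."""

    def __init__(self):
        self.rules = {}          # authorizations for authenticated consumers
        self.guest_rules = {}    # what unauthenticated "guests" may do, if anything

    # ---- policy definition phase: done by an authority or its custodian ----
    def authorize(self, consumer, resource, *operations):
        """Grant the listed operations on a resource (least privilege: grant only
        what the consumer needs to do their job)."""
        self.rules.setdefault(resource, {}).setdefault(consumer, set()).update(operations)

    def allow_guests(self, resource, *operations):
        """Explicitly open a resource to anonymous consumers."""
        self.guest_rules.setdefault(resource, set()).update(operations)

    def revoke(self, consumer, resource, *operations):
        """Change or remove a consumer's authorization by editing its rule.
        With no operations given, the whole rule for that resource is deleted."""
        perms = self.rules.get(resource, {}).get(consumer)
        if perms is None:
            return
        if operations:
            perms.difference_update(operations)
        else:
            del self.rules[resource][consumer]

    # ---- policy enforcement phase: every request is checked here ----------
    def check(self, consumer, resource, operation, authenticated=True):
        """Return True only when a matching authorization exists.
        Anything not explicitly granted is rejected (default deny)."""
        if not authenticated:
            return operation in self.guest_rules.get(resource, set())
        return operation in self.rules.get(resource, {}).get(consumer, set())


def build_demo_policy():
    """Policy definition for a constructed example: an HR clerk, a sysadmin
    acting as custodian, and a public notice board that guests may read."""
    acl = AccessControlList()
    acl.authorize("hr_clerk", "employee_records", "read", "update")
    acl.authorize("sysadmin", "employee_records", "backup")   # not "read": least privilege
    acl.allow_guests("notice_board", "read")
    return acl


def demo_decisions():
    """Run a few access requests through the enforcement phase."""
    acl = build_demo_policy()
    before_revoke = acl.check("hr_clerk", "employee_records", "update")
    acl.revoke("hr_clerk", "employee_records", "update")      # job changed: drop a right
    return {
        "clerk_reads_records": acl.check("hr_clerk", "employee_records", "read"),
        "clerk_updates_before_revoke": before_revoke,
        "clerk_updates_after_revoke": acl.check("hr_clerk", "employee_records", "update"),
        "admin_reads_records": acl.check("sysadmin", "employee_records", "read"),
        "admin_backs_up_records": acl.check("sysadmin", "employee_records", "backup"),
        "guest_reads_board": acl.check("guest", "notice_board", "read", authenticated=False),
        "guest_reads_records": acl.check("guest", "employee_records", "read", authenticated=False),
        "unknown_resource": acl.check("hr_clerk", "payroll", "read"),
    }


if __name__ == "__main__":
    for request, decision in demo_decisions().items():
        print(f"{request:32s} -> {'granted' if decision else 'rejected'}")
```

Note that the sysadmin, as custodian, is given "backup" but not "read" on the records: the custodian maintains the rules and the data store, which is a different job from using the data. Revoking a right is an edit to the rule table, which is exactly the "maintaining the authorization data" burden discussed next.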
Even when access is controlled through a combination of authentication and access control lists, the problem of maintaining the authorization data is not trivial, and often represents as much administrative burden as managing authentication credentials. It is often necessary to change or remove a user's authorization: this is done by changing or deleting the corresponding access rules on the system. Using atomic authorization is an alternative to per-system authorization management, where a trusted third party securely distributes authorization information.
Access control system components
Various control system components
An access control point can be a door, turnstile, parking gate, elevator, or other
physical barrier, where granting access can be electronically controlled. Typically,
the access point is a door. An electronic access control door can contain several
elements. At its most basic, there is a stand-alone electric lock. The lock is
unlocked by an operator with a switch. To automate this, operator intervention is
replaced by a reader. The reader could be a keypad where a code is entered, it
could be a card reader, or it could be a biometric reader. Readers do not usually
make an access decision, but send a card number to an access control panel that
verifies the number against an access list. To monitor the door position a magnetic
door switch can be used. In concept, the door switch is not unlike those on
refrigerators or car doors. Generally only entry is controlled, and exit is uncontrolled.
Authorization is the function of specifying access rights/privileges to resources, related to information security and computer security in general and to access control in particular [1]. More formally, "to authorize" is to define an access policy. For example, human resources staff are normally authorized to access employee records, and this policy is usually formalized as access control rules in a computer system. During operation, the system uses the access control rules to decide whether access requests from (authenticated) consumers shall be approved (granted) or disapproved (rejected). Resources include individual files or an item's data, computer programs, computer devices and functionality provided by computer applications. Examples of consumers are computer users, computer software and other hardware on the computer.
Authentication (from Greek: αὐθεντικός authentikos, "real, genuine", from
αὐθέντης authentic, "author") is the act of confirming the truth of an attribute of a
single piece of data claimed true by an entity. In contrast with identification, which
refers to the act of stating or otherwise indicating a claim purportedly attesting to a
person or thing's identity, authentication is the process of actually confirming that
identity. It might involve confirming the identity of a person by validating their
identity documents, verifying the authenticity of a website with a digital
certificate,[1] determining the age of an artifact by carbon dating, or ensuring that a
product is what its packaging and labeling claim to be. In other words,
authentication often involves verifying the validity of at least one form of
identification.
Digital authentication
Authentication of information can cause special problems with electronic communication, such as vulnerability to man-in-the-middle attacks.
The authentication of information can pose special problems with electronic communication, such as vulnerability to man-in-the-middle attacks, whereby a third party taps into the communication stream and poses as each of the two other communicating parties, in order to intercept information from each. Extra identity factors can be required to authenticate each party's identity.
The term digital authentication refers to a group of processes where the confidence
for user identities is established and presented via electronic methods to an
information system. It is also referred to as e-authentication. The digital
authentication process creates technical challenges because of the need to
authenticate individuals or entities remotely over a network. The American
National Institute of Standards and Technology (NIST) has created a generic
model for digital authentication that describes the processes that are used to
accomplish secure authentication:
1. Enrollment – an individual applies to a credential service provider (CSP) to initiate the enrollment process. After successfully proving the applicant's identity, the CSP allows the applicant to become a subscriber.
2. Authentication – after becoming a subscriber, the user receives an authenticator, e.g. a token, and credentials, such as a user name. He or she is then permitted to perform online transactions within an authenticated session with a relying party, where he or she must provide proof of possessing one or more authenticators.
3. Life-cycle maintenance – the CSP is charged with the task of maintaining the user's credential over the course of its lifetime, while the subscriber is responsible for maintaining his or her authenticator(s).[1][10]
Factors and identity
The ways in which someone may be authenticated fall into three categories, based on what are known as the factors of authentication: something the user knows, something the user has, and something the user is. Each authentication factor covers a range of elements used to authenticate or verify a person's identity prior to being granted access, approving a transaction request, signing a document or other work product, granting authority to others, and establishing a chain of authority. Security research has determined that for a positive authentication, elements from at least two, and preferably all three, factors should be verified.[4] The three factors (classes) and some of the elements of each factor are:
[Figure: the front (top) and back (bottom) of an ID card.]
• the knowledge factors: something the user knows (e.g., a password, partial password, pass phrase, or personal identification number (PIN), challenge response (the user must answer a question, or pattern), security question)
• the ownership factors: something the user has (e.g., wrist band, ID card, security token, cell phone with built-in hardware token, software token, or cell phone holding a software token)
• the inherence factors: something the user is or does (e.g., fingerprint, retinal pattern, DNA sequence (there are assorted definitions of what is sufficient), signature, face, voice, unique bio-electric signals, or other biometric identifier).
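The NIST enrollment/authentication/life-cycle model and the "at least two factors" rule above can be put together in one small program. The following is an added example written for these notes, not NIST's or any vendor's code: a credential service provider enrolls a subscriber by storing a salted, iterated password hash (knowledge factor) and issuing a token secret, and authentication then requires both the password and a one-time code computed from that secret (ownership factor). The one-time code uses the HOTP construction of RFC 4226, which is a real standard; the user name, password and token secret are constructed values, and identity proofing at enrollment is assumed to have happened out of band.

```python
"""Added example, not from the lecture notes: NIST-style enrollment and a
two-factor authentication check using only the Python standard library.
Knowledge factor: a salted, iterated password hash. Ownership factor: an
HMAC-based one-time password (the RFC 4226 HOTP construction) from a secret
the subscriber holds in a token. Names and secrets are constructed."""
import hashlib
import hmac
import os
import struct
from typing import Optional

PBKDF2_ROUNDS = 200_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def enroll(username: str, password: str, token_secret: Optional[bytes] = None) -> dict:
    """Enrollment: after identity proofing (assumed done out of band) the CSP
    stores a verifier for the knowledge factor and issues an authenticator secret."""
    salt = os.urandom(16)
    return {
        "user": username,
        "salt": salt,
        "password_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "token_secret": token_secret if token_secret is not None else os.urandom(20),
        "counter": 0,   # moving factor of the HOTP token; keeping it in step is life-cycle upkeep
    }


def authenticate(subscriber: dict, password: str, code: str) -> dict:
    """Verify both factors and report each outcome. Both are always computed, so a
    wrong password does not shortcut the check; comparisons are constant-time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), subscriber["salt"], PBKDF2_ROUNDS)
    knowledge_ok = hmac.compare_digest(candidate, subscriber["password_hash"])
    expected = hotp(subscriber["token_secret"], subscriber["counter"])
    ownership_ok = hmac.compare_digest(expected, code)
    granted = knowledge_ok and ownership_ok
    if granted:
        subscriber["counter"] += 1     # a used one-time code must never be accepted again
    return {"knowledge": knowledge_ok, "ownership": ownership_ok, "granted": granted}


if __name__ == "__main__":
    sub = enroll("alice", "correct horse battery staple", token_secret=b"12345678901234567890")
    first_code = hotp(sub["token_secret"], sub["counter"])
    print(authenticate(sub, "correct horse battery staple", first_code))
    print(authenticate(sub, "correct horse battery staple", first_code))   # replay is refused
```

The token secret b"12345678901234567890" is the RFC 4226 test-vector secret, so the first code it produces is 755224 and the second 287082; that makes the example checkable against the standard. A session is granted only when both factors pass, and a code that has been accepted once is consumed by advancing the counter.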
Security Audit
A computer security audit is a manual or systematic measurable technical assessment of a system or application. Manual assessments include interviewing staff, performing security vulnerability scans, reviewing application and operating system access controls, and analyzing physical access to the systems. Automated assessments, or CAATs, include system-generated audit reports or using software to monitor and report changes to files and settings on a system. Systems can include personal computers, servers, mainframes, network routers, and switches.
Audit Event Reporting
During the last few decades systematic audit record generation (also called audit
event reporting) can only be described as ad hoc. Ironically, in the early days of
mainframe and mini-computing with large scale, single-vendor, custom software
systems from companies such as IBM and Hewlett Packard, auditing was
considered a mission-critical function. Over the last thirty years, commercial off-the-shelf (COTS) software applications and components, and micro computers have gradually replaced custom software and hardware as more cost-effective business management solutions.…
During this transition, the critical nature of audit event reporting gradually transformed into low priority customer requirements. Software consumers, having little else to fall back on, have simply accepted the lesser standards as normal. The consumer licenses of existing COTS software disclaim all liability for security, performance and data integrity issues.
Traditional Logging
Using traditional logging methods, applications and components submit free-form
text messages to system logging facilities such as the Unix Syslog process, or the
Microsoft Windows System, Security or Application event logs. Java applications
often fall back to the standard Java logging facility, log4j. These text messages
usually contain information only assumed to be security-relevant by the application
developer, who is often not a computer- or network-security expert.
Modern Auditing Services
Most contemporary enterprise operating systems, including Microsoft Windows,
Solaris, Mac OS X, and FreeBSD (via the TrustedBSD Project) support audit event
logging due to requirements in the Common Criteria (and more historically, the
Orange Book). Both FreeBSD and Mac OS X make use of the open source
OpenBSM library and command suite to generate and process audit records.
The importance of audit event logging has increased with recent new (post-2000)
US and worldwide legislation mandating corporate and enterprise auditing
requirements. Open source projects such as OpenXDAS, a Bandit project identity
component, have begun to be used in software security reviews. OpenXDAS is
based on the Open Group Distributed Auditing Service specification.
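The difference between the free-form text of traditional logging and a structured audit record is easiest to see in code. The example below is added to these notes (it is not from syslog, OpenBSM or OpenXDAS): it parses log lines written in the style of an OpenSSH daemon reporting to a Unix syslog into structured audit events with a subject, source, action and outcome, and then runs one detection over them. The seven log lines, the host name and the addresses are constructed for the example, and, because classic syslog lines carry no year, the year is an assumption set in LOG_YEAR.

```python
"""Added example, not from the lecture notes: turning free-form syslog text
into structured audit events and running one detection over them.
The log lines are constructed in the style of OpenSSH messages to a Unix
syslog; they are not real logs, and the host and addresses are made up."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed free-form lines as an application would hand them to syslog
FREEFORM_LINES = [
    "Jan 10 09:01:02 host1 sshd[311]: Failed password for alice from 203.0.113.5 port 5001 ssh2",
    "Jan 10 09:01:09 host1 sshd[311]: Failed password for invalid user admin from 203.0.113.5 port 5002 ssh2",
    "Jan 10 09:01:15 host1 sshd[312]: Failed password for alice from 203.0.113.5 port 5003 ssh2",
    "Jan 10 09:01:40 host1 sshd[313]: Accepted password for bob from 198.51.100.7 port 6001 ssh2",
    "Jan 10 09:02:01 host1 sshd[314]: Failed password for root from 203.0.113.5 port 5004 ssh2",
    "Jan 10 09:30:00 host1 sshd[320]: Failed password for carol from 198.51.100.7 port 6002 ssh2",
    "Jan 10 09:30:05 host1 cron[400]: (root) CMD (run-parts /etc/cron.hourly)",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<app>\w+)\[\d+\]: (?P<msg>.*)$")
AUTH_RE = re.compile(
    r"^(?P<outcome>Accepted|Failed) password for (?:invalid user )?(?P<subject>\S+) from (?P<source>\S+)")
LOG_YEAR = 2022   # classic syslog lines carry no year; assumed for the example


def to_audit_event(line: str):
    """Parse one free-form line into a structured audit event, or None when the
    line carries nothing a security reviewer needs (e.g. the cron line)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    a = AUTH_RE.match(m["msg"])
    if not a:
        return None
    return {
        "time": datetime.strptime(f"{m['ts']} {LOG_YEAR}", "%b %d %H:%M:%S %Y"),
        "host": m["host"],
        "subject": a["subject"],
        "source": a["source"],
        "action": "logon",
        "outcome": "success" if a["outcome"] == "Accepted" else "failure",
    }


def audit_events(lines):
    """Structured records only; everything else is dropped."""
    return [e for e in (to_audit_event(line) for line in lines) if e is not None]


def repeated_failures(events, threshold=3, window=timedelta(minutes=5)):
    """Sources with at least `threshold` failed logons inside any `window`.
    Returns {source: largest count seen in one window}."""
    by_source = defaultdict(list)
    for e in events:
        if e["action"] == "logon" and e["outcome"] == "failure":
            by_source[e["source"]].append(e["time"])
    flagged = {}
    for source, times in by_source.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                flagged[source] = max(flagged.get(source, 0), n)
    return flagged


if __name__ == "__main__":
    events = audit_events(FREEFORM_LINES)
    print(f"{len(events)} audit events from {len(FREEFORM_LINES)} log lines")
    print("repeated failures:", repeated_failures(events))
```

Once the record has fixed fields, the detection is a few lines; with free-form text every reviewer has to rediscover the regular expressions, which is the point the section makes about application developers deciding what is "security-relevant".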
Who Performs Audits
Generally, computer security audits are performed by:
1. Federal or State Regulators - Certified accountants, CISA. Federal OTS, OCC, DOJ, etc.
2. Corporate Internal Auditors - Certificated accountants, CISA, Certified Internet Audit Professional (CIAP).[1]
3. External Auditors - Specialized in the areas related to technology auditing.
4. Consultants - Outsourcing the technology auditing where the organization lacks the specialized skill set.
5. Cryptography
Basic Terminology
Suppose that someone wants to send a message to a receiver, and wants to be sure
that no-one else can read the message. However, there is the possibility that
someone else opens the letter or hears the electronic communication.
In cryptographic terminology, the message is called plaintext or cleartext.
Encoding the contents of the message in such a way that hides its contents from
outsiders is called encryption. The encrypted message is called the ciphertext.
The process of retrieving the plaintext from the ciphertext is called decryption.
Encryption and decryption usually make use of a key, and the coding method is
such that decryption can be performed only by knowing the proper key.
Cryptography is the art or science of keeping messages secret. Cryptanalysis is
the art of breaking ciphers, i.e. retrieving the plaintext without knowing the proper
key. People who do cryptography are cryptographers, and practitioners of
cryptanalysis are cryptanalysts.
Cryptography deals with all aspects of secure messaging, authentication, digital
signatures, electronic money, and other applications. Cryptology is the branch of
mathematics that studies the mathematical foundations of cryptographic methods.
1.4. Basic Cryptographic Algorithms
A method of encryption and decryption is called a cipher. Some cryptographic methods rely on the secrecy of the algorithms; such algorithms are only of historical interest and are not adequate for real-world needs. All modern algorithms use a key to control encryption and decryption; a message can be decrypted only if the key matches the encryption key. The key used for decryption can be different from the encryption key, but for most algorithms they are the same.
There are two classes of key-based algorithms, symmetric (or secret-key) and
asymmetric (or public-key) algorithms. The difference is that symmetric
algorithms use the same key for encryption and decryption (or the decryption key
is easily derived from the encryption key), whereas asymmetric algorithms use a
different key for encryption and decryption, and the decryption key cannot be derived from the encryption key.
Symmetric algorithms can be divided into stream ciphers and block ciphers.
Stream ciphers can encrypt a single bit of plaintext at a time, whereas block ciphers
take a number of bits (typically 64 bits in modern ciphers), and encrypt them as a
single unit.
Asymmetric ciphers (also called public-key algorithms or generally public-key
cryptography) permit the encryption key to be public (it can even be published in
a newspaper), allowing anyone to encrypt with the key, whereas only the proper
recipient (who knows the decryption key) can decrypt the message. The encryption
key is also called the public key and the decryption key the private key or secret
key.
Generally, symmetric algorithms are much faster to execute on a computer than asymmetric ones. In practice they are often used together, so that a public-key algorithm is used to encrypt a randomly generated encryption key, and the random key is used to encrypt the actual message using a symmetric algorithm.
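The hybrid construction just described (public key wraps a random symmetric key, symmetric key encrypts the message) is shown below as an added example for these notes; it is not code from any library. To keep it self-contained both primitives are teaching toys: textbook RSA over two fixed Mersenne primes (p = 2^89 - 1, q = 2^107 - 1, chosen so the numbers are real primes but far too small and unpadded for real use) and a stream cipher whose keystream is SHA-256 over key, nonce and counter, with an HMAC tag so tampering is detected. The primes, the 128-bit session key size and the message are the example's own choices; the structure, not the primitives, is what to take from it.

```python
"""Added example, not from the lecture notes: the hybrid scheme described above,
a public-key algorithm wrapping a random symmetric key that encrypts the
message. Both primitives are teaching toys built from the standard library:
textbook RSA over two fixed Mersenne primes (no padding, far too small for
real use) and a hash-based stream cipher with an HMAC tag. Do not reuse
either in production; the structure, not the primitives, is the point."""
import hashlib
import hmac
import os

# Constructed key pair: p = 2**89 - 1 and q = 2**107 - 1 are Mersenne primes,
# chosen so the example runs instantly, not for security.
P, Q = 2**89 - 1, 2**107 - 1
E = 65537


def rsa_keygen():
    """Return (public, private) as ((n, e), (n, d)) for the fixed toy primes."""
    n, phi = P * Q, (P - 1) * (Q - 1)
    return (n, E), (n, pow(E, -1, phi))


def rsa_apply(key, value: int) -> int:
    """Textbook RSA: c = m^e mod n, or m = c^d mod n; value must be < n."""
    n, exp = key
    if not 0 <= value < n:
        raise ValueError("value out of range for this modulus")
    return pow(value, exp, n)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher keystream: SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return bytes(out[:length])


def hybrid_encrypt(public_key, message: bytes) -> dict:
    """Sender side: fresh symmetric key per message, wrapped with the public key."""
    session_key = os.urandom(16)                   # random 128-bit symmetric key
    nonce = os.urandom(12)                         # never reuse key+nonce with a stream cipher
    ks = keystream(session_key, nonce, len(message))
    ciphertext = bytes(a ^ b for a, b in zip(message, ks))
    mac_key = hashlib.sha256(b"mac" + session_key).digest()
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    wrapped = rsa_apply(public_key, int.from_bytes(session_key, "big"))
    return {"wrapped_key": wrapped, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def hybrid_decrypt(private_key, bundle: dict) -> bytes:
    """Recipient side: unwrap the session key, check the tag, then decrypt."""
    session_key = rsa_apply(private_key, bundle["wrapped_key"]).to_bytes(16, "big")
    mac_key = hashlib.sha256(b"mac" + session_key).digest()
    expected = hmac.new(mac_key, bundle["nonce"] + bundle["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bundle["tag"]):
        raise ValueError("authentication tag mismatch: ciphertext altered or wrong key")
    ks = keystream(session_key, bundle["nonce"], len(bundle["ciphertext"]))
    return bytes(a ^ b for a, b in zip(bundle["ciphertext"], ks))


if __name__ == "__main__":
    public, private = rsa_keygen()
    bundle = hybrid_encrypt(public, b"meet at noon")          # constructed message
    print(hybrid_decrypt(private, bundle))
```

Only the short session key goes through the slow public-key operation; the message itself, however long, is handled by the fast symmetric cipher, which is why the notes say the two are used together in practice.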
Cryptographic Random Number Generators
Cryptographic random number generators generate random numbers for use in cryptographic applications, such as for keys. Conventional random number generators available in most programming languages or programming environments are not suitable for use in cryptographic applications (they are designed for statistical randomness, not to resist prediction by cryptanalysts).
▪ In the optimal case, random numbers are based on true physical sources of randomness that cannot be predicted. Such sources may include the noise from a semiconductor device, the least significant bits of an audio input, or the intervals between device interrupts or user keystrokes.
1. The noise obtained from a physical source is then "distilled" by a cryptographic hash function to make every bit depend on every other bit.
2. Quite often a large pool (several thousand bits) is used to contain randomness, and every bit of the pool is made to depend on every bit of input noise and every other bit of the pool in a cryptographically strong way.
▪ When true physical randomness is not available, pseudorandom numbers must be used. This situation is undesirable, but often arises on general purpose computers. It is always desirable to obtain some environmental noise - even from device latencies, resource utilization statistics, network statistics, keyboard interrupts, or whatever. The point is that the data must be unpredictable for any external observer; to achieve this, the random pool must contain at least 128 bits of true entropy.
▪ Cryptographic pseudorandom generators typically have a large pool ("seed value") containing randomness. Bits are returned from this pool by taking data from the pool, optionally running the data through a cryptographic hash function to avoid revealing the contents of the pool. When more bits are needed, the pool is stirred by encrypting its contents with a suitable cipher using a random key (which may be taken from an unreturned part of the pool) in a mode which makes every bit of the pool depend on every other bit of the pool. New environmental noise should be mixed into the pool before stirring to make predicting previous or future values even harder.
▪ Even though cryptographically strong random number generators are not very difficult to build if designed properly, they are often overlooked. The importance of the random number generator must thus be emphasized: if done badly, it will easily become the weakest point of the system.
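The pool design in the bullets above (distill noise with a hash, never hand out the pool itself, stir after each output, refuse to run before 128 bits of entropy are in) fits in a short class. The following is an added example for these notes, not the generator of any operating system: it keeps a 256-bit pool, uses SHA-256 for both mixing and stirring instead of a cipher, and tracks an entropy estimate that the caller supplies with each noise sample. The init string, the 128-bit floor (the figure the text gives) and the timing-jitter source in demo() are the example's own choices; real programs should use the secrets module or the operating system's generator.

```python
"""Added example, not from the lecture notes: a minimal entropy pool of the
kind the text describes. Environmental noise is 'distilled' into the pool
with a cryptographic hash, output is produced by hashing the pool rather
than revealing it, and the pool is stirred after every extraction. The
entropy accounting is the caller's estimate; the 128-bit floor is the
figure the text gives. Use the `secrets` module for real programs."""
import hashlib
import time

MIN_ENTROPY_BITS = 128


class EntropyPool:
    def __init__(self):
        self.pool = hashlib.sha256(b"entropy-pool-init").digest()   # 256-bit pool
        self.entropy_bits = 0.0        # conservative estimate of unpredictability
        self.extractions = 0

    def mix(self, noise: bytes, estimated_bits: float):
        """Fold noise in so every pool bit depends on it and on the old pool."""
        self.pool = hashlib.sha256(b"mix" + self.pool + noise).digest()
        self.entropy_bits = min(256.0, self.entropy_bits + estimated_bits)

    def _stir(self):
        """Rebuild the pool from itself so past outputs cannot be recomputed."""
        self.pool = hashlib.sha256(
            b"stir" + self.pool + self.extractions.to_bytes(8, "big")).digest()

    def random_bytes(self, n: int) -> bytes:
        """Refuse to produce output until the pool holds enough entropy; output
        is a hash of the pool, never the pool itself."""
        if self.entropy_bits < MIN_ENTROPY_BITS:
            raise RuntimeError(
                f"pool has ~{self.entropy_bits:.0f} bits, need {MIN_ENTROPY_BITS}")
        out = bytearray()
        while len(out) < n:
            self.extractions += 1
            out += hashlib.sha256(
                b"out" + self.pool + self.extractions.to_bytes(8, "big")).digest()
            self._stir()
        return bytes(out[:n])


def seeded_pool(samples, bits_per_sample):
    """Build a pool from a list of noise samples (used for the demo and tests)."""
    pool = EntropyPool()
    for s in samples:
        pool.mix(s, bits_per_sample)
    return pool


def demo() -> bytes:
    """Feed timing jitter between calls, a stand-in for device interrupts, and
    credit it with only 2 bits per sample because such samples are easy to guess."""
    pool = EntropyPool()
    for _ in range(80):
        pool.mix(time.perf_counter_ns().to_bytes(8, "big"), 2)
    return pool.random_bytes(32)


if __name__ == "__main__":
    print(demo().hex())
```

The test that matters is the negative one: two pools fed identical "noise" produce identical output. The hash makes the output look random, but nothing in the construction adds unpredictability; only the noise does, which is why the entropy estimate must be honest.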
Strength of Cryptographic Algorithms
Good cryptographic systems should always be designed so that they are as difficult to break as possible. It is possible to build systems that cannot be broken in practice (though this cannot usually be proved). This does not significantly increase system implementation effort; however, some care and expertise is required. There is no excuse for a system designer to leave the system breakable. Any mechanisms that can be used to circumvent security must be made explicit, documented, and brought to the attention of the end users.
In theory, any cryptographic method with a key can be broken by trying all
possible keys in sequence. If using brute force to try all keys is the only option,
the required computing power increases exponentially with the length of the key.
▪ A 32-bit key takes 2^32 (about 10^9) steps. This is something any amateur can do on his/her home computer.
▪ A system with 56-bit keys (such as DES) takes a substantial effort, but is quite easily breakable with special hardware.
▪ Keys with 64 bits are probably breakable now by major governments, and will be within reach of organized criminals, major companies, and lesser governments in a few years.
▪ Keys with 80 bits may become breakable in future.
▪ Keys with 128 bits will probably remain unbreakable by brute force for the foreseeable future. Even larger keys are possible; in the end we will encounter a limit where the energy consumed by the computation, using the minimum energy of a quantum mechanical operation for the energy of one step, will exceed the energy of the mass of the sun or even of the universe.
▪ The key lengths used in public-key cryptography are usually much longer than those used in symmetric ciphers. There the problem is not that of guessing the right key, but deriving the matching secret key from the public key. In the case of RSA, this is equivalent to factoring a large integer that has two large prime factors. In the case of some other cryptosystems it is equivalent to computing the discrete logarithm modulo a large integer (which is believed to be roughly comparable to factoring). Other cryptosystems are based on yet other problems.
However, key length is not the only relevant issue. Many ciphers can be broken
without trying all possible keys. In general, it is very difficult to design ciphers that
could not be broken more effectively using other methods. One should generally be
very wary of unpublished or secret algorithms. Quite often the designer is then not
sure of the security of the algorithm, or its security depends on the secrecy of the
algorithm.
Cryptanalysis and Attacks on Cryptosystems
Cryptanalysis is the art of deciphering encrypted communications without knowing
the proper keys. There are many cryptanalytic techniques. Some of the more
important ones for a system implementer are described below.
• Ciphertext-only attack (the attacker knows only the algorithm and the ciphertext; statistical analysis may identify the plaintext): This is the situation where the attacker does not know anything about the contents of the message, and must work from ciphertext only. In practice it is quite often possible to make guesses about the plaintext, as many types of messages have fixed format headers. Even ordinary letters and documents begin in a very predictable way. It may also be possible to guess that some ciphertext block contains a common word.
[Figure: Ciphertext-only attack]
• Known-plaintext attack (the attacker knows or suspects the plaintext for some ciphertext and uses both to attack the cipher): The attacker knows or can guess the plaintext for some parts of the ciphertext. The task is to decrypt the rest of the ciphertext blocks using this information. This may be done by determining the key used to encrypt the data, or via some shortcut.
[Figure: Known-plaintext attack]
• Chosen-plaintext attack (the attacker selects plaintexts and obtains their ciphertexts to attack the cipher): The attacker is able to have any text he likes encrypted with the unknown key. The task is to determine the key used for encryption. Some encryption methods, particularly RSA, are extremely vulnerable to chosen-plaintext attacks. When such algorithms are used, extreme care must be taken to design the entire system so that an attacker can never have chosen plaintext encrypted.
[Figure: Chosen-plaintext attack]
• Chosen-ciphertext attack (the attacker selects ciphertexts and obtains their plaintexts to attack the cipher): The attacker obtains the decryption of any ciphertext of its choice (under the key being attacked).
[Figure: Chosen-ciphertext attack]
6. Security policy
Security policy is a definition of what it means to be secure for a system, organization or other entity. For an organization, it addresses the constraints on behavior of its members as well as constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls. For systems, the security policy addresses constraints on functions and flow among them, constraints on access by external systems and adversaries including programs and access to data by people.
Significance
If it is important to be secure, then it is important to be sure all of the security
policy is enforced by mechanisms that are strong enough. There are many
organized methodologies and risk assessment strategies to assure completeness of
security policies and assure that they are completely enforced. In complex systems,
such as information systems, policies can be decomposed into sub-policies to
facilitate the allocation of security mechanisms to enforce sub-policies. However,
this practice has pitfalls. It is too easy to simply go directly to the sub-policies,
which are essentially the rules of operation and dispense with the top level policy.
That gives the false sense that the rules of operation address some overall
definition of security when they do not. Because it is so difficult to think clearly
with completeness about security, rules of operation stated as "sub-policies" with
no "super-policy" usually turn out to be rambling rules that fail to enforce anything
with completeness. Consequently, a top-level security policy is essential to any
serious security scheme and sub-policies and rules of operation are meaningless
without it.
Information protection policy is a document which provides guidelines to users on the processing, storage and transmission of sensitive information. Its main goal is to ensure information is appropriately protected from modification or disclosure. It may be appropriate to have new employees sign the policy as part of their initial orientation. It should define sensitivity levels of information.
Content
• Should define who can have access to sensitive information.
• Should define how sensitive information is to be stored and transmitted (encrypted, archive files, unencoded, etc.).
• Should define on which systems sensitive information can be stored.
• Should discuss what levels of sensitive information can be printed on physically insecure printers.
• Should define how sensitive information is removed from systems and storage devices.
• Should discuss any default file and directory permissions defined in system-wide configuration files.
National security refers to the security of a nation state, including its citizens,
economy, and institutions, and is regarded as a duty of government.
Originally conceived as protection against military attack, national security is now
widely understood to include non-military dimensions, including economic
security, energy security, environmental security, food security, cyber security etc.
Similarly, national security risks include, in addition to the actions of other nation
states, action by violent non-state actors, narcotic cartels, and multinational
corporations, and also the effects of natural disasters.
Governments rely on a range of measures, including political, economic, and
military power, as well as diplomacy. They may also act to build the conditions of security regionally and internationally by reducing transnational causes of insecurity, such as climate change, economic inequality, political exclusion, and militarization.