Chapter 5. Security at Different Layers



Objectives

o Physical Security
o Software Security
o Network Security
o Web Security

Physical Security
Physical security is the use of physical controls to protect the premises, site, facility, building or other physical assets of an organization.

Physical security protects your physical computer facility (your building, your computer room, your computers, your disks and other media).
Physical Security Cont’d…
In the early days of computing, physical security was simple because computers were big, standalone, expensive machines:
 They were almost impossible to move (not portable)
 There were very few of them, so spending on physical security for each one was affordable
 Management was willing to spend money
 Everybody understood and accepted that access was restricted
Physical Security Cont’d…
Today
 Computers are more and more portable (PC, laptop, PDA, smartphone)
 Each of them needs its own physical security, which is hard to provide
 Individually they are not "too expensive", so spending more on physical security is hard to justify until a major crisis occurs
 Users don't accept restrictions easily
 Accessories (e.g. network components) are not considered important for security until there is a problem
 Access to a single computer may endanger many more computers connected to it through the network
Physical threats/Vulnerabilities
Natural Disasters
 Fire and smoke
  Fire can occur anywhere
  Solution: minimize the risk
   Good policies: NO SMOKING, etc.
   Fire extinguishers, good procedures and training
   Fireproof cases (and other techniques) for backup tapes
   Fireproof doors
 Climate
  Heat
  Direct sun
  Humidity
Threats/vulnerabilities cont’d…
Natural Disasters …
 Hurricanes, storms
 Earthquakes
 Water
  Flooding can occur even when a water tap is not properly closed
  Waterproof cases for storage media
 Electric supply
  Voltage fluctuation: use a voltage regulator (and a UPS for servers)
  Lightning
Solution
 Avoid placing servers in areas often hit by natural disasters!
 A disaster recovery site needs to be arranged.
Threats/vulnerabilities
People
 Intruders
 Thieves
 Insiders: employees, contractors, etc. who have legitimate access to the facilities, and people who have been given access unintentionally
 External thieves
  Portable computing devices can be stolen outside the organization's premises
 Loss of a computing device
  Mainly laptops
Safe Area
A safe area is usually a locked place that only authorized personnel can enter.
Organizations usually have a safe area for keeping computers and related devices.
Data centers …
Safe Area Challenges
Is the area inaccessible through other openings (windows, roof/ceilings, ventilation holes, etc.)?
 Design the building with security in mind
 Know the architecture of your building
During opening hours, is it always possible to detect when an unauthorized person tries to get into the safe area?
 Surveillance: guards, video surveillance, automatic doors with security code locks, alarms, etc.
Safe Area Locks
Are the locks reliable?
 The effectiveness of a lock depends on the design, manufacture, installation and maintenance of the lock and its keys!
 Among the attacks on locks are:
  Illicit keys
   Duplicate keys
    Avoid giving unauthorized persons access to a key, even for a few seconds
    Change locks/keys frequently
    Key management procedure
   Lost keys
    Notify the responsible person when a key is lost
    There should be no label on keys (a labelled key tells whoever finds it which door it opens)
  Circumventing the internal barriers of the lock
   Directly operating the bolt, completely bypassing the locking mechanism, which remains locked
  Forceful attacks:
   Punching, drilling, hammering, etc.
Safe Area Surveillance
Surveillance with guards
 The most common in Ethiopia
 Not always the most reliable, since it depends heavily on the human factor
 Not always practical for users (employees don't like to be questioned by guards wherever they go)
Surveillance Cont’d…
Surveillance with video
 Uses Closed Circuit Television (CCTV)
 Started in the 1960s
 Has become more and more popular with the worldwide increase in theft and terrorism
 Advantages
  A single person can monitor more than one location
  The intruder doesn't see the security personnel
  It is cheaper after the initial investment
  It can be recorded and used for investigation
  Since it is recorded, the security personnel are more careful
  Today's digital video surveillance can use advanced techniques such as face recognition to detect wanted people
 Drawbacks
  Privacy concerns
  The recordings are themselves sensitive and must be protected (access control, retention limits)
Physical Access Controls
 Walls, fencing, and gates
 Guards
 Dogs
 ID cards and badges
 Locks and keys
 Mantraps
 Electronic monitoring
 Alarms and alarm systems
 Computer rooms and wiring closets
 Interior walls and doors
Internal Human Factor-personnel
Choose employees carefully
Personal integrity should be as important a
factor in the hiring process as technical skills
Create an atmosphere in which the levels of
employee loyalty, morale, and job
satisfaction are high
Remind employees, on a regular basis, of
their continuous responsibilities to protect
the organization’s information

Internal Human Factor-personnel
Establish procedures for the proper destruction and disposal of obsolete programs, reports, and data
Act defensively when an employee must be discharged, either for cause or as part of a cost-reduction program
 Such an employee should no longer be allowed access to the system and should be escorted until he or she leaves the premises
 All credentials used by the former employee (passwords, keys, badges, remote access accounts) should be disabled immediately
Software Security

Software Security
The majority of security incidents result from defects in software design or code
Attackers exploit the security holes left behind by software developers
Post-deployment security (patching, firewalls, hardening) is more popular than pre-deployment security (building it in) because:
 It is easily understood by administrators
 It is difficult to get security "assurance" from the vendor
 Vendors are obsessed with "time-to-market"
 It is difficult to know the security requirements of general-purpose software
Risk Management Approaches
In Software Development
Methods of risk treatment:
 Defend: attempt to prevent abuse of the vulnerability
 Mitigate or suppress: reduce the risk by planning and management
 Accept: accept the consequences of the risk/threat and operate
 Transfer: transfer the risk to another entity (insurance)
 Terminate/Avoid: do not take the risk at all
 Ignore (poor, but often used): do nothing, which is acceptance without a decision
Types of countermeasures (by function)
 Preventive
 Detective
 Corrective
 Deterrent
 Recovery
 Compensating
Software Security cont’d…
Software security as risk management!
Risk: "The possibility of suffering harm or loss", i.e. the possibility of being attacked
Management: "The act or art of treating, directing, carrying on, or using for a purpose"
Risk management is the process concerned with the identification, measurement, control and minimization of security risks in information systems, to a level proportionate to the value of the assets protected
Risk Management Cont’d…
Use a high quality software engineering
methodology
Risk analysis should be performed at every stage
of the development
 Requirement analysis
 Design
 Coding
 Testing, etc
Can use a Risk Management Framework (RMF).

Risk management Cont’d…
Risk management involves three major
undertakings:
Risk identification
Risk assessment, and
Risk control

22 Security at Different Layers 12/4/2022


Risk management Cont’d…
 Risk identification is the examination and documentation of the security posture of an organization's information technology and the risks it faces.
 Risk assessment is the determination of the extent to which the organization's information assets are exposed or at risk.
 Risk control is the application of controls to reduce the risks to an organization's data and information systems.
Selecting Technologies
Languages
 The choice of programming language has an impact on how secure the software will be
 Some security problems are typical of particular languages
  C, C++ => buffer overflows (no bounds checking on arrays and pointers)
  Java => exception handling, etc.
 High-level languages hide what they are doing (e.g. a secret held in memory may be swapped to disk)
  The programmer doesn't know that
  Attackers may use this
Selecting Technologies
Operating systems
 Typical operating systems (Windows, Linux, etc.) provide
  Authentication of users
  Resource access control (authorization and limitation) for memory, files, etc.
  Integrity of shared resources
 Operating systems have different levels of security
Selecting Technologies
Authentication technologies
 Password
 Host-based (e.g. by IP address; weak on its own, since IP source addresses can be spoofed)
 Physical token (e.g. smartcard)
 Biometrics
Open/Closed Source of a Software
Free Software
 The freedoms to use, copy, study, modify and redistribute both modified and unmodified copies of a program, without needing anyone's permission
Open Source: similar in idea to "free software" but slightly less rigid; the emphasis is on public availability of the source code and community development rather than on the user's freedoms.
FOSS (Free and open-source software) is software that can be classified as both free software and open-source software.
Open/closed source…
 That is, anyone is freely licensed to use, copy, study and change the software in any way, and the source code is openly shared so that people are encouraged to voluntarily improve the design of the software.
FOSS can benefit security, because security by obscurity does not work: anyone can audit the code, and fixes do not depend on a single vendor.
Attackers do not need the source code to find vulnerabilities (they can disassemble, fuzz or probe the running program), so keeping code closed is not a defense; conversely, open code is only as secure as the review it actually receives.
Network Security

Network security services
Network Security Provides the following
services
Confidentiality
Authentication
Integrity
Non- Repudiation
Access Control
Availability
Network Security
In today’s highly networked world, we can’t
talk of Information Systems security without
talking about network security
Focus is on:
 Internet and Intranet security (TCP/IP based
networks)
 Attacks that use security holes of the network
protocol and their defenses
 Passive attack
 Active attack
Network Security/ Types of Attacks
Passive attacks
Listen to the network and make use of the information without altering it: the attacker gains information about the target and no data is changed on the target.
 Passive wiretapping attack
 Traffic analysis/interception
Many networks use (or used) a shared broadcast medium, so it is easy to read other machines' packets
 Utilities such as etherfind and tcpdump
 Network management utilities such as SnifferPro
Defense
 Using switches rather than mere repeating hubs limits this possibility (but a switch can still be defeated by ARP spoofing, covered below, or by MAC-address flooding)
 Using cryptography, which hides the content but does not protect against traffic analysis: addresses, ports, timing and packet sizes remain visible.
Network Security/ Types of Attacks
Active attacks
An active attack threatens the integrity and availability of the data being transmitted
 The transmitted data is fully controlled by the intruder
 The attacker can modify, extend, delete or replay any data
This is quite possible in TCP/IP since frames and packets are not protected in terms of authenticity and integrity (a checksum only detects accidental damage, and an attacker simply recomputes it)
Denial of service or degradation of service attack
 Prevention of authorized access to resources
 Example: e-mail bombing, flooding someone's mail store
Network Security/ Types of Attacks
Active attacks
Spoofing attack: a situation in which one person or program successfully imitates another by falsifying data and thereby gains an illegitimate advantage.
 IP spoofing
  Putting a false address in the source IP address field of an IP packet
 DNS spoofing
  Changing DNS information so that a name directs to the wrong machine
 URL spoofing/web page phishing
  A legitimate web page such as a bank's site is reproduced in "look and feel" on another server under the attacker's control
 E-mail address spoofing
  SMTP lets the sender put any address in the From header
Protocols and vulnerabilities
Attacks on TCP/IP Networks
TCP/IP was designed to be used by a trusted group of users
The protocols were not designed to resist attacks
The Internet is now used by all sorts of people
Attackers exploit vulnerabilities of every protocol to achieve their goals
ARP Spoofing
Generally, the aim is to associate the attacker's MAC address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead.
Helps to start a Man-in-the-Middle (MITM) or DoS attack by modifying the entries in the ARP table of each machine (poisoning).
ARP spoofing can enable malicious parties to intercept, modify or even stop data in transit.
It works because ARP has no authentication: any host can send a reply (even an unsolicited one) claiming any IP address. Defenses include static ARP entries for critical hosts, dynamic ARP inspection on managed switches, and monitoring tools such as arpwatch that alert when an IP address changes MAC.
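An arpwatch-style detector, added here as an example and not part of the slides: it learns the first MAC address seen for each IP and alerts when a later ARP packet claims the same IP from a different MAC, which is exactly the change ARP poisoning causes. The frames, addresses and the gateway/attacker roles below are constructed for the example, not captured.

```python
"""Added example (not from the slides): a small arpwatch-style detector that flags ARP
cache poisoning. Frames are constructed here, not captured; addresses are made up."""
import struct

ETHERTYPE_ARP = b"\x08\x06"
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def _ip(text: str) -> bytes:
    return bytes(int(o) for o in text.split("."))


def make_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst=None) -> bytes:
    """Ethernet + ARP (hardware type 1, protocol 0x0800): 42 bytes before padding."""
    eth = _mac(eth_dst or target_mac) + _mac(sender_mac) + ETHERTYPE_ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)


def parse_arp(frame: bytes):
    """Return (op, sender_mac, sender_ip, target_ip) for an IPv4-over-Ethernet ARP
    frame, or None for anything else."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = frame[22:28].hex(":")
    sender_ip = ".".join(map(str, frame[28:32]))
    target_ip = ".".join(map(str, frame[38:42]))
    return op, sender_mac, sender_ip, target_ip


class ArpWatch:
    """IP -> MAC table learned from traffic; any change of binding is reported."""

    def __init__(self, critical_ips=()):
        self.table = {}                      # ip -> mac first seen
        self.critical = set(critical_ips)    # e.g. the default gateway
        self.alerts = []

    def feed(self, frame: bytes):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        op, mac, ip, _target = parsed
        # Both requests and replies carry a sender binding, and many stacks update
        # their cache from either, so an attacker can poison with either opcode.
        known = self.table.setdefault(ip, mac)
        if known == mac:
            return None
        kind = "reply" if op == ARP_REPLY else "request"
        alert = f"{ip} moved from {known} to {mac} (via ARP {kind})"
        if ip in self.critical:
            alert = "CRITICAL gateway " + alert
        self.alerts.append(alert)
        return alert


# Constructed traffic: the real gateway answers, then an attacker claims its address.
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "00:11:22:33:44:01"
VICTIM_MAC, ATTACKER_MAC = "00:11:22:33:44:05", "aa:bb:cc:dd:ee:ff"
SAMPLE_FRAMES = [
    make_arp(ARP_REQUEST, VICTIM_MAC, "10.0.0.5", "00:00:00:00:00:00", GATEWAY_IP,
             eth_dst="ff:ff:ff:ff:ff:ff"),
    make_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, "10.0.0.5"),
    make_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, "10.0.0.5"),   # poison
]


def run_sample():
    """Feed the constructed frames through the watcher and return its alerts."""
    watch = ArpWatch(critical_ips=[GATEWAY_IP])
    for frame in SAMPLE_FRAMES:
        watch.feed(frame)
    return watch.alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

A real deployment would read frames from a raw socket or pcap instead of SAMPLE_FRAMES; the detection logic is the same. Note that this only detects the poisoning after the first binding has been learned, so the table should be seeded with the known gateway MAC where possible.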
Protocols and vulnerabilities
Network Layer: IP Vulnerabilities
IP packets can be intercepted
 In the LAN broadcast, in a router, in a switch
Since packets are not encrypted, they can be easily read
Since IP packets are not authenticated, they can be easily modified (the header checksum is not a security control: it is recomputed by every router, and by any attacker)
Even if the user encrypts his/her data, it is still vulnerable to traffic analysis
Information exchanged between routers to maintain their routing tables is not authenticated unless the routing protocol's authentication option (e.g. OSPF or BGP MD5 authentication) is configured
 All sorts of problems can happen if a router is compromised
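The passive-attack slide above says a listener on a shared medium can read other machines' packets, and this slide says unauthenticated IP headers can be modified. The following Python example, added here and not part of the slides, shows both on one constructed frame: a tcpdump-style dissector reports addresses, ports and payload size whether or not the payload is encrypted, and rewrite_source() forges the source address and recomputes the checksum so the packet still looks valid. The frame, addresses, ports and payload are all made up for the example.

```python
"""Added example (not from the slides): what a passive wiretap learns from a frame,
and why an unauthenticated IP header can be rewritten by an active attacker.
The frame is built in code, not captured; addresses, ports and payload are made up."""
import struct


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                          # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _addr(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6) -> bytes:
    """20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      64, proto, 0, _addr(src), _addr(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def build_sample_frame(payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame from client 10.0.0.5 to a server on port 443."""
    eth = bytes.fromhex("00aabbccddee") + bytes.fromhex("001122334455") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 51234, 443, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ipv4_header("10.0.0.5", "93.184.216.34", len(tcp) + len(payload)) + tcp + payload


def dissect(frame: bytes) -> dict:
    """What tcpdump shows a passive listener: addresses, ports and sizes, plus whether
    the application payload is readable."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("only IPv4 frames are handled here")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    info = {
        "src_ip": ".".join(map(str, ip[12:16])),
        "dst_ip": ".".join(map(str, ip[16:20])),
        "proto": ip[9],
        "checksum_ok": ip_checksum(ip[:ihl]) == 0,  # a valid header sums to zero
    }
    if ip[9] == 6:                                  # TCP
        seg = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", seg[:4])
        payload = seg[(seg[12] >> 4) * 4:]
        info.update(sport=sport, dport=dport, payload_len=len(payload),
                    payload_is_text=all(32 <= b < 127 or b in b"\r\n\t" for b in payload))
    return info


def rewrite_source(frame: bytes, new_src: str) -> bytes:
    """Active attack: forge the source address and recompute the checksum. Nothing in
    IPv4 itself detects this; the checksum only catches accidental corruption."""
    ip = bytearray(frame[14:])
    ihl = (ip[0] & 0x0F) * 4
    ip[12:16] = _addr(new_src)
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip[:ihl])))
    return frame[:14] + bytes(ip)


# Constructed payloads: a plaintext request and bytes standing in for TLS ciphertext.
PLAINTEXT = b"GET /account HTTP/1.1\r\nHost: bank.example\r\n\r\n"
CIPHERTEXT = bytes.fromhex("17030300208f1ea0037cd491ee5b02c6f90a6d3e4b1182f5")

if __name__ == "__main__":
    for name, payload in (("plaintext", PLAINTEXT), ("encrypted", CIPHERTEXT)):
        print(name, dissect(build_sample_frame(payload)))
    print("spoofed", dissect(rewrite_source(build_sample_frame(CIPHERTEXT), "192.0.2.9")))
```

Both dissections report the same client, server and port 443; only payload_is_text differs, which is the traffic-analysis point. The spoofed frame passes the checksum test just like the original, which is why host-based (IP) authentication cannot be trusted on its own.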
Protocols and vulnerabilities

Network Layer: IP security (IPSec) overview
IPSec is a standard suite of protocols between two communication points across an IP network that provides data authentication, integrity and confidentiality.
It defines how packets are authenticated (AH), encrypted and authenticated (ESP), and how keys are negotiated (IKE).
It is used in virtual private networks (VPNs).
Protocols and vulnerabilities
Network Layer: IP security (IPSec) overview
Applications of IPSec
 Secure branch office connectivity over the Internet
 Secure remote access over the Internet
 Establishing extranet and intranet connectivity with partners
 Enhancing electronic commerce security
IPsec can protect data flows between:
 A pair of hosts (host-to-host),
 A pair of security gateways (network-to-network), or
 A security gateway and a host (network-to-host).
Protocols and vulnerabilities

Network Layer: IP security (IPSec) services
 Access control
 Connectionless integrity (each packet is checked on its own, without session state)
 Data origin authentication
 Rejection of replayed packets (anti-replay, using per-packet sequence numbers and a sliding window)
 Confidentiality (encryption)
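The anti-replay service, as an added example (not IPsec implementation code and not from the slides): ESP and AH carry a per-packet sequence number, and the receiver keeps a sliding window, 64 wide in RFC 4303, so that a captured packet re-sent later is rejected while moderate reordering is still tolerated. The class assumes plain 32-bit sequence numbers (no extended sequence numbers) and that the ICV is verified between check() and update(); the arrival order in replay_demo() is made up.

```python
"""Added example (not from the slides, not IPsec implementation code): the anti-replay
check ESP/AH receivers apply to the sequence number, with a 64-packet sliding window as
in RFC 4303. Assumes 32-bit sequence numbers and that the ICV is verified between
check() and update()."""


class ReplayWindow:
    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0            # highest sequence number accepted so far
        self.bitmap = 0         # bit i set  <=>  sequence number (top - i) was received

    def check(self, seq: int) -> bool:
        """Should this sequence number be processed further? (Does not record it.)"""
        if seq == 0:
            return False        # ESP/AH sequence numbers start at 1; 0 is never valid
        if seq > self.top:
            return True         # to the right of the window: new
        distance = self.top - seq
        if distance >= self.size:
            return False        # fell off the left edge: too old, cannot be checked
        return not (self.bitmap >> distance) & 1   # inside window: reject duplicates

    def update(self, seq: int) -> None:
        """Record seq after its ICV verified. Call only when check(seq) returned True."""
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                       # whole old window is now stale
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq: int, icv_ok: bool = True) -> bool:
        """Convenience: check, (pretend to) verify the ICV, then update."""
        if not self.check(seq) or not icv_ok:
            return False
        self.update(seq)
        return True


def replay_demo(sequence):
    """Feed sequence numbers in arrival order; return the ones that were accepted."""
    window = ReplayWindow()
    return [seq for seq in sequence if window.receive(seq)]


if __name__ == "__main__":
    # Constructed arrival order: in order, one reordered, one replay, one too old.
    print(replay_demo([1, 2, 3, 5, 4, 3, 100, 36, 37, 37, 101]))
```

In the demo, 4 arriving after 5 is accepted (reordering inside the window), the second 3 is a replay and is dropped, and 36 is dropped because the jump to 100 moved the window past it: the receiver cannot tell a late packet from a replayed one once it is older than the window.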
Protocols and vulnerabilities
Application layer: DNS spoofing
If the attacker has access to a domain name server, it can be modified so that it gives false information
 Ex: redirecting www.ebay.com to map to the attacker's own IP address
The cache of a DNS name server can also be poisoned with false information using some simple techniques: a forged response that matches the outstanding query (same 16-bit transaction ID and UDP port, same question) is accepted and cached. Randomizing the source port and validating every response, or deploying DNSSEC, raises the bar.
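What "simple techniques" means in practice, as an added example that is not from the slides: a resolver that only checks the 16-bit transaction ID accepts a forged reply with probability 1/65536 per guess, so the attacker floods guesses before the real answer arrives. The Python below builds DNS messages in wire format and applies the checks a resolver needs: transaction ID and port must match an outstanding query, the question section must match what was asked, and records for names outside the queried domain are dropped (a simplified bailiwick rule). www.ebay.com is the slide's example name; the transaction IDs, ports and addresses are constructed (the addresses are from the documentation ranges).

```python
"""Added example (not from the slides): the checks a resolver must apply before caching
an answer, shown against a forged reply of the kind a cache poisoner sends. Messages
are built and parsed in wire format; IDs, ports and addresses are made up."""
import struct

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def build_response(txid: int, qname: str, answers, additional=()) -> bytes:
    """answers/additional: lists of (name, dotted IPv4). The additional section is
    where a poisoner tries to smuggle records for names nobody asked about."""
    msg = struct.pack("!6H", txid, 0x8180, 1, len(answers), 0, len(additional))
    msg += encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    for name, ip in list(answers) + list(additional):
        rdata = bytes(int(o) for o in ip.split("."))
        msg += encode_name(name) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, len(rdata)) + rdata
    return msg


def parse_rrs(msg: bytes, off: int, count: int):
    rrs = []
    for _ in range(count):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        rrs.append((name.lower(), rtype, ".".join(map(str, rdata)) if rtype == QTYPE_A else rdata))
    return rrs, off


def validate_response(pending: dict, response: bytes, arrived_on_port: int):
    """pending maps (txid, our source port) -> qname for queries still in flight.
    Returns the records safe to cache, or None if the reply must be dropped."""
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", response[:12])
    qname = pending.get((txid, arrived_on_port))
    if qname is None or not flags & 0x8000 or qd != 1:
        return None                                    # not a reply to anything we asked
    rname, off = decode_name(response, 12)
    rtype, rclass = struct.unpack("!HH", response[off:off + 4])
    off += 4
    if (rname.lower(), rtype, rclass) != (qname.lower(), QTYPE_A, QCLASS_IN):
        return None                                    # question section does not match
    answers, off = parse_rrs(response, off, an)
    _authority, off = parse_rrs(response, off, ns)
    additional, _ = parse_rrs(response, off, ar)
    # Bailiwick rule, simplified to "the queried name's parent domain": records are
    # kept only for names under the domain the query was about.
    parts = qname.lower().split(".", 1)
    zone = parts[1] if len(parts) > 1 else parts[0]

    def in_zone(rr):
        return rr[0] == zone or rr[0].endswith("." + zone)

    return [rr for rr in answers + additional if in_zone(rr)]


# Constructed scenario: our resolver asked for www.ebay.com from a random port with a
# random transaction ID; an attacker floods guessed replies before the real one arrives.
PENDING = {(0x9ABC, 40001): "www.ebay.com"}
FORGED = build_response(0x1234, "www.ebay.com", [("www.ebay.com", "203.0.113.66")])
GENUINE = build_response(0x9ABC, "www.ebay.com", [("www.ebay.com", "198.51.100.10")],
                         additional=[("ns1.ebay.com", "198.51.100.1"),
                                     ("www.bank.example", "203.0.113.66")])  # poison attempt


def run_scenario():
    return (validate_response(PENDING, FORGED, 53),        # wrong txid and port: dropped
            validate_response(PENDING, GENUINE, 40001))    # accepted, off-zone record dropped
```

With the port fixed at 53, the attacker only has to guess the transaction ID; with a random source port per query the two 16-bit values must both match, which is why source-port randomization was the emergency fix for cache poisoning before DNSSEC deployment. The bailiwick filter is what stops a legitimate-looking reply from planting a record for an unrelated bank's name.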
Protocols and vulnerabilities

Application layer: Web browser
We obtain most of our browsers online
 How do we make sure that a Trojan horse has not been inserted? (verify the vendor's signature or hash of the download)
Potential problems that can come from malicious code within the browser
 Informing the attacker of the activities of the user
 Informing the attacker of passwords typed in by the user
 Downgrading browser security
Helper applications are used by browsers
 Examples: MS Word, Ghostview, etc.
 The helpers can contain Trojan horse code
 Downloaded data can exploit vulnerabilities of the helpers
Protocols and vulnerabilities

Application layer: Web browser
Cookies
 Cookies are set by web servers and stored by web browsers
 A cookie set by a server is sent back to that server when the browser visits it again (the scope is decided by the cookie's Domain and Path attributes)
 Cookies can be used to track which sites the user visits (can lead to serious privacy violations!): a third party whose content is embedded in many sites receives its cookie from all of them
Others
 JavaScript (and historically Java applets): executed by the browser itself and may be used to initiate attacks
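The cookie scoping that makes cross-site tracking possible, as an added example not from the slides: a minimal cookie jar applying the host, Domain, Path and Secure rules of RFC 6265. The login cookie stays with shop.example, but the tracker's cookie is returned whenever any page embeds a resource from tracker.example, so the tracker sees the same uid from every site. All URLs, hosts and cookie values below are made up.

```python
"""Added example (not from the slides): a minimal cookie jar that applies browser
scoping rules (host, Domain, Path, Secure) per RFC 6265 to decide which stored
cookies go back to a server. URLs, cookie names and the tracker host are made up."""
from urllib.parse import urlsplit


class CookieJar:
    def __init__(self):
        self.cookies = []      # each: name, value, domain, host_only, path, secure

    def set_cookie(self, response_url: str, set_cookie_header: str) -> dict:
        """Store a cookie as a browser would after seeing this Set-Cookie header."""
        host = urlsplit(response_url).hostname
        parts = [p.strip() for p in set_cookie_header.split(";")]
        name, _, value = parts[0].partition("=")
        cookie = {"name": name.strip(), "value": value.strip(), "domain": host,
                  "host_only": True, "path": "/", "secure": False}
        for attribute in parts[1:]:
            key, _, val = attribute.partition("=")
            key, val = key.strip().lower(), val.strip()
            if key == "domain" and val:
                domain = val.lstrip(".").lower()
                # A server may only widen the scope to a domain it belongs to.
                if host == domain or host.endswith("." + domain):
                    cookie["domain"], cookie["host_only"] = domain, False
            elif key == "path" and val.startswith("/"):
                cookie["path"] = val
            elif key == "secure":
                cookie["secure"] = True
        # Same name + domain + path replaces the earlier cookie.
        key_of = lambda c: (c["name"], c["domain"], c["path"])
        self.cookies = [c for c in self.cookies if key_of(c) != key_of(cookie)]
        self.cookies.append(cookie)
        return cookie

    def cookies_for(self, request_url: str) -> list:
        """Cookie header values the browser would attach to a request for this URL."""
        url = urlsplit(request_url)
        host, path = url.hostname, url.path or "/"
        sent = []
        for c in self.cookies:
            if c["host_only"]:
                domain_ok = host == c["domain"]
            else:
                domain_ok = host == c["domain"] or host.endswith("." + c["domain"])
            path_ok = path == c["path"] or (
                path.startswith(c["path"])
                and (c["path"].endswith("/") or path[len(c["path"])] == "/"))
            scheme_ok = url.scheme == "https" or not c["secure"]
            if domain_ok and path_ok and scheme_ok:
                sent.append(f'{c["name"]}={c["value"]}')
        return sent


def tracking_demo() -> dict:
    """Constructed browsing session: a login cookie, a tracking pixel embedded on two
    unrelated sites, and a server trying to set a cookie for a domain it does not own."""
    jar = CookieJar()
    jar.set_cookie("https://shop.example/login", "session=abc123; Secure; Path=/")
    jar.set_cookie("https://ads.tracker.example/pixel.gif", "uid=42; Domain=tracker.example; Path=/")
    jar.set_cookie("https://evil.example/", "stolen=1; Domain=shop.example")   # rejected scope
    return {
        "shop_https": jar.cookies_for("https://shop.example/cart"),
        "shop_http": jar.cookies_for("http://shop.example/cart"),        # Secure cookie withheld
        "news": jar.cookies_for("https://news.example/article"),          # nothing leaks here
        "pixel_from_news": jar.cookies_for("https://cdn.tracker.example/pixel.gif?ref=news"),
        "pixel_from_shop": jar.cookies_for("https://cdn.tracker.example/pixel.gif?ref=shop"),
    }


if __name__ == "__main__":
    for label, cookies in tracking_demo().items():
        print(f"{label:16} {cookies}")
```

The two pixel requests both carry uid=42 even though they were triggered from different sites; that is the tracking mechanism the slide warns about, and it is why browsers now offer blocking of third-party cookies. Note also that the Secure cookie is withheld over plain http, which is what keeps a session cookie off a passive wiretap.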
Protocols and vulnerabilities

Application layer: Web browser
Interactive web sites are based on forms and scripts
 By sending malicious input to server-side scripts, the client can
  Crash the server (e.g. buffer overflow)
  Gain control over the server (e.g. command or SQL injection through unvalidated input)
Protocols and vulnerabilities

Application layer: E-mail Security
E-mails transit through various servers before reaching their destination
By default, they are visible to anybody who has access to those servers
SMTP itself has security holes: it does not authenticate the sender, so addresses can be forged
E-mail security can be improved using some tools and protocols
 Examples: PGP, S/MIME
  PGP: Pretty Good Privacy
  S/MIME: Secure/Multipurpose Internet Mail Extensions
Protocols and vulnerabilities
Application layer: Security-enhanced
application protocols
The solution to most application-layer security problems has been to develop security-enhanced application protocols
Examples
 For telnet and rlogin => SSLTelnet, and in practice SSH
 For FTP => FTPS
 For HTTP => HTTPS
 For SMTP => SMTPS / STARTTLS
 For DNS => DNSSEC (which gives authenticity and integrity of answers, not confidentiality)
WEB Security

WEB Security
The Web (WWW) is a client/server application running over the Internet
The Web presents new challenges not well appreciated in the context of mainstream computer/network security
 It is a very visible opening for corporate and business transactions that may lead to damage and losses
 Web servers are easy to configure and web content is easy to develop and manage, but the underlying software is getting extraordinarily complex and may hide many potential security flaws
 A web server can be exploited to attack corporate data systems, as users are usually not aware of the risks
WEB Security
Types of threats faced in using the Web are:
 Integrity
  Data, memory and/or message modification
  Trojan horse browser
 Confidentiality
  Theft of data/information from client or server
  Access to information about network configuration
 Denial of Service
  Killing of user threads
  Filling up disk/memory
  Isolating a machine by DNS attacks
 Authentication
  Data forgery (impersonation of users or servers)