CHAPTER 1 - INTRODUCTION

BASIC COMPONENTS
Confidentiality
: keep data and resource
hidden
Integrity
: prevent unauthorized modification
Availability : Enabling access to data and resources
THREAT
Definition:
A potential violation of security that can affect the
assets & resources associated with computer system.
E.g.: Virus
Classes of Threat:
Disclosure - unauthorized access to information
E.g.: snooping, wiretapping (Confidentiality)
Deception - acceptance of false data
E.g.: spoofing, denial of receipt (Integrity)
Disruption - interruption of correct operation
E.g.: modification (Integrity)
Usurpation- unauthorized control of some systems
part
E.g.: modification, denial of service
(Availability)
Areas of Threat:
Confidentiality threat - masquerade as recipient and
view message.
Integrity threat
hacker
accesses
the bank
computer system
compromising the integrity of the
record.
Availability threat - Spamming and causing server to
crashed.
ATTACK
Definition:
A threat executed by an attacker that exploits
vulnerabilities to cause threat to occur. E.g.: Hacking
into the network
SECURITY POLICY
A statement of what is or isnt allowed
Types:
Military - primarily protecting confidentiality
Commercial - primarily protecting integrity
Confidentiality - protecting only confidentiality
Integrity - protecting only integrity
SECURITY MECHANISMS
A method, tool, or procedure for enforcing a security
policy.

GOAL OF SECURITY
Prevention - stop attackers from violate security policy
Detection - discover attackers violation of security
policy
Recovery - prevent attack and repair damage

ASSUMPTION & TRUST - Underlie all aspect of

security
ASSURANCE
Definition
: A basis of how much one can trust
a system
Specification - requirement analysis
Design - How system meet specification
Implementation - System that carry out design
OPERATIONAL ISSUES
Cost-benefit Analysis
Risk Analysis
Laws and Customs
ORGANIZATIONAL PROBLEMS
- Power & responsibility
- NO Financial benefits
- Human limitation
- Lack of Resource
PEOPLE PROBLEM
- Outsider & Insider
- Social engineering
SECURE SYSTEM
A system that starts in an authorized state and cannot
enter an unauthorized state.
BREACH OF SECURITY
Occurs when a system enters an unauthorized state.
CONFIDENTIALITY POLICY
Bell-Lapadula Model (BLP)

O - Object, [_] - Subject

Information flow: No Read Up, No Write Down (NRU,
NWD)

INTEGRITY POLICY
Biba Integrity Model

CHAPTER 2 - AUTHENTICATION & IDENTIFICATION

Authorization - The granting of specific rights.
Identification - Establishing whether someones
identity.

Information flow: No Read Down, No Write Up (NRD,

NWU)
BIBA
Attach many integrity
levels to subjects and
objects.
No notion of certification
rules, trusted subjects
ensure actions obey rules.
Un-trusted data examined
before being made
trusted.

CLARK-WILSON
2 levels:
Object - CDI / UDI
Subjects - TP & others
Explicit requirements that
actions must meet
Trusted entity must certify
method to upgrade untrusted data

IDENTITY MANAGEMENT
A set of properties assigned to a given object.
- Creation & deletion of identity
- Management of properties assigned to identity
- Secure storage of identity
- Secure handling of queries regarding identity & their
property
LIGHTWIEGHT DIRECTORY ACCESS PROTOCOL
(LDAP)
A directory is a specialized database optimized for
searching and browsing.
LDAP entries are collections of attributes identified
by a unique distinguished name (dn).
Entries are characterized by types that determine
their format and syntax (e.g. ou = Organisational
Unit).
Entries are stored in a hierarchy. A relative
distinguished name defines a search path to an
entry.
Applications: User account management, Address
book (Outlook)
USER AUTHENTICATION
- Something you know: passwords
- Something you have: smart cards
- Something you are: biometrics, voice print
PASSWORDS
Maintenance:
- Generation & distribution
- Password synchronization
- Forgotten passwords; password reset
Threats:
- Brute force search
- Guessing
- Keylogging
- Shoulder surfing
- Identity spoofing / phishing

ACCESS CONTROL
Access control is the collection of mechanisms that
permits management to specify what users can do,
which resources they can access, and what operations
they can perform on a system.
ACCESS CONTROL MATRIX (ACM)
Advantage:
- Clarify of definition
- Easy to verify
Disadvantage:
- Poor scalability
- Poor handling of changes
ACCESS CONTROL LIST (ACL)
Advantage:
- Easy for administrator to see access rights for given
resource.
- Relative easiness of management using abstraction.
Disadvantage:
- Poor overview of access rights per subject
- Difficulty of renovation
- Difficulty of sharing
CAPABILITIES
- A piece of data possession which proves
authorization to access resource.
- Advantage: May be transferred offline between users.
Alice
: {edit.exe: execute}, {fun.com: execute,
read}
Bob : {bill.doc: read, write}, {edit.exe: execute},
{fun.com: execute, read, write}
Columns of Access Control Matrix
file1
file2
Andy
rx
r
Betty
rwxo
r
Charlie
rx
rwo

file3
rwo
w

Capabilities-Lists (CL) - Subject-centered

Andy : { (file1, rx) (file2, r) (file3, rwo) }
Betty : { (file1, rwxo) (file2, r) }
Charlie : { (file1, rx) (file2, rwo) (file3, w) }
Access Control List (ACL) - Object-centered
file1 : { (Andy, rx) (Betty, rwxo) (Charlie, rx) }
file2 : { (Andy, r) (Betty, r) (Charlie, rwo) }
file3 : { (Andy, rwo) (Charlie, w) }

Discretionary Access Control (DAC)

A system that uses discretionary

access control allows the owner of the resource to
specify which subjects can access which resources.

Access control is at the discretion of

the owner

Deployed in a majority of common

systems.

Advantages:
- Simple & efficient access rights management
- Scalability

Disadvantages:
- Intentional abuse of access rights
- No control over information flow
Mandatory Access Control (MAC)

Access control is based on a security

labeling system. Users have security clearances
and resources have security labels that contain
data classifications.

This model is used in environments

where information classification and confidentiality
is very important.

Advantages:
- Strict control over information flow
- Strong exploit containment

Disadvantages:
- Major usability problems
- Cumbersome administration
Role Based Access Control (RBAC)
RBAC uses a centrally administered set of controls
to determine how subjects & objects interact.
The best system for an organization that has high
turnover.
Attempts to handle complexity of access control by
extensive used of abstractions (Data types;
Procedures; Roles; Hierarchy).

CHAPTER 3 - DIGITAL CERTIFICATES

DEFINITION
A digital certificate (DC) is a digital file that certifies
the identity of an individual or institution, or
even a router seeking access to computer- based
information. It is issued by a Certification
Authority (CA) , and serves the same purpose as a
drivers license or a passport.
CERTIFICATION AUTHORITIES
Certification Authorities are the digital worlds
equivalent to passport offices. They issue digital
certificates and validate holders identity and
authority.
TYPES OF DIGITAL CERTIFICATE
SERVER CERTIFICATE

Allows
visitors
to
exchange
personal
information, free from the threat of interception or
tampering.

For building and designing e-commerce sites

as confidential information is shared between
clients, customers and vendors.
PERSONAL CERTIFICATE

Allow one to authenticate a visitors identity

and restrict access to specified content to particular
visitors.

For business to business communications such

as shipping dates and inventory management.
ORGANIZATION & DEVELOPER CERTIFICATE

Organization
Certificates
are
used
by
corporate entities to identify employees for secure
e-mail and web-based transaction.

Developer Certificates prove authorship and

retain integrity of distributed software programs.
DIGITAL CERTIFICATE COMPONENT
- Name
- Serial number
- Expiration date
- Copy of the certificate holders public key
- Digital signature of the certificate-issuing authority.
PURPOSE OF DIGITAL CERTIFICATE
1.
Proving the Identity of the sender of a
transaction
2.
Non Repudiation the owner of the certificate
cannot deny partaking in the transaction

3.

Encryption and checking the integrity of data provide the receiver with the means to encode a
reply.
4.
Single Sign-On - It can be used to validate a
user and log them into various computer systems
without having to use a different password for each
system
PUBLIC & PRIVATE KEY
Comprises of two related cryptographic keys,
mathematically related, and only the corresponding
private key can decrypt their corresponding public key.
Public Key - made assessable to anyone
Private Key
- confidential to its respective owner
USAGE OF DIGITAL CERTIFICATION
1. Secure Socket Layer (SSL) developed by Netscape
Communications Corporation.
2. Secure Multipurpose Internet Mail Extensions
(S/MIME) Standard for securing email and electronic
data interchange (EDI).
3. Secure Electronic Transactions (SET) protocol for
securing electronic payments
4. Internet Protocol Secure Standard (IPSec) for
authenticating networking devices
ADVANTAGES OF DIGITAL CERTIFICATION

Decrease the number of passwords a user has

to remember to gain access to different network
domains.

They create an electronic audit trail that allows

companies to track down who executed a
transaction or accessed an area.

CHAPTER 4
UNIX SECURITY
Security was not a primary design goal of UNIX;
dominant goals were modularity, portability and
efficiency.
UNIX provides sufficient security mechanisms that
have to be properly configured and administered.
The main security strength of UNIX systems comes
from open source implementation which helps
improve its code base.
The main security weakness of UNIX systems
comes from open source implementation resulting
in a less professional code base.
USER ACCOUNT INFORMATION: /etc/passwd
Username: used when user logs in, 132 characters
long
Password: x indicates that encrypted password is
stored in /etc/shadow
User ID (UID):
0 reserved for root, 1-99 for
other predefined accounts, 100-999 for system
accounts/groups
Group ID (GID): the primary group ID
User ID Info: a comment field
Home directory: The absolute path to the directory
the user will be in when they log in
Command/shell: The absolute path of a command
or shell (/bin/bash)
ROOT PRIVILAGES
Almost no security checks:
o all access control mechanisms turned off
o can become an arbitrary user
o can change system clock
Some restrictions remain but can be overcome:
o cannot write to read-only file system but can
remount them as writable
o cannot decrypt passwords but can reset them
Any user name can be root!
SUBJECTS
Subjects in UNIX processes identified by a process ID
(PID)
New process creation:
fork: spawns a new child process which is an
identical process to the parent except for a new PID
vfork: the same as fork except that memory is
shared between the two processes

exec family: replaces the current process with a

new process image
Processes are mapped to UID:
real UID is always inherited from the parent process
effective UID is either inherited from the parent
process or from the owner of the file to be executed
OBJECTS
Files, directories, memory devices, I/O devices etc.
are uniformly treated as resources subject to access
control.
All resources are organized in tree-structured
hierarchy
Each resource in a directory is a pointer to the
inode data structure that describes essential
resource properties.
WINDOW SECURITY
KERNEL MODE
Security Reference Monitor: ACL verification
USER MODE
Log-on process (winlogon): user logon
Local Security Authority (LSA): password
verification and change, access tokens, audit logs
(MS04-11 buffer overflow: Sasser worm!)
Security Accounts Manager (SAM): accounts
database, password encryption
User Account Control (UAC, Vista): enforcement of
limited user privileges
WINDOWS REGISTRY
A hierarchical database containing critical system
information
Key-value pairs, subkeys, 11 values types
A registry hive
is a group of keys, subkeys,
and values
WINDOWS DOMAIN
A domain is a collection of machines sharing user
accounts and security policies.
Domain authentication is carried out by a domain
controller (DC).
To avoid a single point of failure, a DC may be
replicated
ACCESS CONTROL IN WINDOWS
Access control is applied to objects: files, registry
keys and hives, Active Directory objects.
More than just access control on files!

Various means exist for expressing security policies

SUBJECTS
Subjects are active entities in OS primitives.
Windows subjects are processes and threads.
Security credentials for a subject are stored in a
token.
Tokens provide a principal/subject mapping and
may contain additional security attributes.
Tokens are inherited (possibly with restrictions)
during creation of new processes.

CHAPTER 5 - MALICIOUS CODE

CHAPTER 5 - WATERMARKING

MALWARE
A malware is a set of instructions that run on your
computer and make your system do something that an
attacker wants it to do.

WATERMARKING

A watermark is a secret message that is

embedded into a cover (original or host)
message.

Only the knowledge of a secret key allows us

to extract the watermark from the cover message.

Effectiveness of a watermarking algorithm is a

function of its

Resilience to attacks.

Capacity.

Stealth.

VIRUS
A program that can infect other programs by
modifying them to include a, possibly evolved, version
of itself
TYPES:
Polymorphic - uses a polymorphic engine to mutate
while keeping the original algorithm intact (packer)
Metamorphic - Change after each infection
TROJAN HORSE
A Trojan horse describes the class of malware that
appears to perform a desirable function but in fact
performs undisclosed malicious functions
ROOTKIT
A Rootkit is a component that uses stealth to maintain
a persistent and undetectable presence on the
machine
WORM
A computer worm is a self-replicating computer
program. It uses a network to send copies of itself to
other nodes and do so without any user intervention.
INFECTION METHODS
Overwritting, Prepending, Appending, Cavity, MultiCavity, and Document-based malware Micro virus - use
the built-in script engine
PROPAGATION VECTOR
Shared Folder, Email Propagation, Fake Antivirus,
Browser Hijacked, Fake Page!, P2P Files

MULTIMEDIA WATERMARKS

A digital watermark is a secret key

dependent
signal
inserted
into
digital
multimedia data.

Watermark can be later detected / extracted in

order to make an assertion about the data.

A digital watermark can be.

Visible (perceptible).

Invisible (imperceptible).
WATERMARKING APPLICATION

Proof of ownership.

Copy prevention or control.

Content protection (visible watermarks).

Authentication.

Media Bridging.

Broadcast Monitoring.

Fingerprinting.

Secret Communications.
REQUIREMENT

Perceptually transparent - must not

perceptually degrade original content.

Robust
survive
accidental
or
malicious attempts at removal.

Oblivious
or
Non-oblivious
Recoverable with or without access to original.

Capacity Number of watermark bits

embedded.

Efficient encoding and/or decoding.

WATERMARKING ATTACKS
Active Attacks:

Hacker attempts to remove or destroy

the watermark.

Watermark detector unable to detect

watermark.

Key issue in proof of ownership,

fingerprinting, copy control.

Not serious for authentication or covert

communication.
Passive Attacks:

Hacker tries to find if a watermark is

present.

Removal of watermark is not an aim.

Serious for covert communications.

Collusion Attacks:

Hacker uses several copies of

watermarked data to construct a copy with no
watermark.

Uses several copies to find the

watermark.

Serious for fingerprinting applications.

Forgery Attacks:
Hacker tries to embed a valid watermark.
Serious in authentication.
If hacker embeds a valid authentication watermark,
watermark detector can accept bogus or modified
media.
WATERMARKING RESEARCH

Information Theoretic Issues.

Decision Theoretic Issues.

Signal Processing Issues.

Watermarking protocols and system issues.

Steganalysis.

CHAPTER 6 - NETWORK SECURITY CONCEPTS

CIRCUIT SWITCHING
A methodology of implementing a network in which
two nodes establish a dedicated circuit through the
network before the nodes may communicate. The
circuit guarantees the full bandwidth of the channel
and remains connected for the duration of the
communication session.

b.

It also sends a FIN with the sequence

number of X.
c.
The originating computer sends a
packet with an ACK number of N+1. The connection
is closed.
Another way to close the connection is for one
computer to send a packet with the RST (reset) bit set
which will tell the other computer to immediately
terminate the connection.

PACKET SWITCHING
A methodology of implementing a network in which
divides
the
data
to
be
transmitted
into packets transmitted
through
the
network
independently. Packet switching shares available
network bandwidth between multiple communication
sessions.
TCP/IP ENCAPSULATION
When data moves from upper layer to lower level of
TCP/IP protocol stack (outgoing transmission) each
layer includes a bundle of relevant information called a
header along with the actual data. The data package
containing the header and the data from the upper
layer then becomes the data that is repackaged at the
next lower level with lower layer's header. This packing
of data at each layer is known as data encapsulation.
TCP CONNECTION SYNCHRONIZATION
To establish a connection, TCP uses a 3-way
handshake. Before a client attempts to connect with a
server, the server must first bind to a port to open it
up for connections: this is called a passive open. Once
the passive open is established, a client may initiate
an active open.
To establish a connection, the 3-way handshake
occurs:
a.
The active open is performed by
sending a SYN to the server.
b.
In response, the server replies with a
SYN-ACK.
c.
Finally the client sends an ACK back to
the server.
At this point, both the client and server have received
an acknowledgement of the connection.
TCP Connection Termination is implemented as follows:
One computer sends a FIN packet to the other
computer including an ACK for the last data received
(N).
a.
The other computer sends an ACK
number of N+1

PROBLEMS
Sniffing is "listening" to network traffic to collect
information. A common usage of sniffing is to listen to
network traffic to look for patterns of a worm
spreading itself.
Spoofing is sending network traffic that's pretending
to come from someone else. A common usage for
spoofing is sending an email message, but to reformat
the header.
Man-In-The-Middle is the type of attack where
attackers intrude into an existing connection to
intercept the exchanged data and inject false
information.
A denial-of-service (DoS attack) is an attempt to
make a computer resource unavailable to its intended
users.

TCP HIJACKING
TCP Hijacking is one of the Man-in-the-Middle attacks
in which an attacker can allow normal authentication
to proceed between the two hosts, and then seize
control of the connection.
There are two possible ways to do this: one is during
the TCP three-way handshake, and the other is in the
middle of an established connection.
SYN FLOOD
A form of denial-of-service attack in which an attacker
sends a succession of SYN requests to a target's
system.

IP LAYER SECURITY: IPSec

IPsec is a framework for a set of protocols for security
at the network or packet processing layer of network
communication.

A Security Association (SA) can be viewed as an

agreement between two devices about how to protect
information during transit.
The Security Association (SA) is one way (simplex).

IPsec provides two choices of security service:

Authentication Header (AH), which essentially allows
authentication
of
the
sender
of
data,
and
Encapsulating Security Payload (ESP), which supports
both authentication of the sender and encryption of
data as well.

One Security Association is used for processing outbound packets and other Security Association is used
for processing inbound packets.

Objective:
- Secure connectivity of branch offices
- Secure remote access
Advantages:
- Bypass resistence
- Transparency to endusers and applications
Disadvantages:
- Infrastructure support needed
- Performance degradation
AUTHENTICATION HEADER
AH provides data integrity, data origin authentication,
and optional anti-replay services to IP. AH does not
provide any data confidentiality (encryption), so there
is no need for an encryption algorithm.
ENCAPSULATED SECURITY PAYLOAD (ESP)
ESP protects the IP packet data from third party
interference, by encrypting the contents using
symmetric cryptography algorithms as Blowfish &
3DES.
IPSec MODES
Transport mode- The outer header determines the
IPsec policy that protects the inner IP packet.
Tunnel mode - The inner IP packet determines the
IPsec policy that protects its contents.
IPSec SECURITY ASSOCIATION (SA)
Security Association (SA) forms the basis of Internet
Protocol Security (IPSec).
A Security Association (SA) is a simplex (one-way
channel) and logical connection that provides
relationship between two or more systems to build a
unique secure connection.

A Security Association (SA) consists of three things.

1) A Security Parameter Index (SPI)
2) An IP destination address
3) A IPSec Protocol Identifier. IPSec protocols are
Authentication Header (AH) and Encapsulating
Security Payload (ESP).
TRANSPORT LAYER SECURITY: SSL/TLS
SSL/TLS is a cryptographic protocol that provides
communication security over the Internet.
SSL/TLS encrypt the segments of network connections
above
the transport
layer,
using asymmetric
cryptography for
key
exchange,
symmetric
encryption for privacy, and message authentication
code for message integrity.
Objectives:
o Secure information transmission in Internet
applications
o Mutual authentication in Internet applications
Advantages:
o Secure end-to-end communication over TCP
Disadvantages:
o PKI support needed,
o Potential use of weak cryptographic algorithms
SSL ARCHITECTURE

SSL connection corresponds to TCP connections

SSL sessions represent an association between a

cliend and a server. Sessions define parameters
that can be share between connections.
SSL RECORD PROTOCOL

Carries out information transfer

Provides confidentiality and message integrity

services.

APPLICATION LAYER SECURITY: SSH

Secure Shell (SSH) is a network protocol for secure
data communication, remote shell services or
command execution and other secure network services
between two networked computers that it connects via
a secure channel over an insecure network: a server
and
a
client
(running SSH
server and SSH
client programs, respectively).
The protocol specification distinguishes two major
versions that are referred to as SSH-1 and SSH-2.
Applications:
o Secure remote login
o Secure services (e.g.FTP, copy) over an insecure
network
o Secure port forwarding
Advantages:
o Various authentication methods
o A neat way to circumvent firewalls
Disadvantages:
o point-to-point only
o Some security vulnerabilities
SSH PREVENTABLE ATTACKS
o Eavesdropping
o TCP session hijacking
o Man-in-the-midle attacks
SSH NON-PREVENTABLE ATTACKS
o Password cracking
o TCP/IP attacks: SYN flood, desynchronization
o Traffic analysis
o Covert channels

CHAPTER 6 - IDPS
DEFINITION
Intrusions:
attempts
to
compromise
the
confidentiality, integrity, availability, or to bypass the
security mechanisms of a computer system or network
(illegal access).
Intrusion detection: is the process of monitoring the
events occurring in a computer system or network and
analyzing them for signs of possible intrusions
(incidents).
Intrusion Detection System (IDS): is software that
automates the intrusion detection process. The
primary responsibility of IDS is to detect unwanted and
malicious activities.
Intrusion Prevention System (IPS): is software that
has all the capabilities of an intrusion detection system
and can also attempt to stop possible incidents.
USAGE OF IDPS

Its a dire fact that while every enterprise has

a firewall, most still suffer from network security
problems.

Intrusion Prevention Systems have been

promoted as cost-effective ways to block
malicious traffic.
IDPS MAIN FUNCTIONS
Recording information related to observed
events:
Information is usually recorded locally, and might also
be sent to separate systems such as centralized
logging servers.
Notifying security administrators of important
observed events:
This notification, known as an alert, may take the form
of audible signals, e-mails, pager notifications, or log
entries.
Producing reports:
Reports summarize the monitored events or provide
details on particular events of interest.
PREVENTING ATTACK BY SEVERAL TECHNIQUES
The IDPS stops the attack itself:
Terminate the network connection or user session that
is being used for the attack such as block access to the
target.

The IDPS changes the security environment:

The IDPS could change the configuration of other
security controls to disrupt an attack such as
reconfiguring a network device (e.g. router or switch).

The IDPS changes the attacks content:

Some IDPS technologies can remove or replace
malicious portions of an attack to make it benign such
as removing an infected file attachment from an email.
METHODOLOGY OF DETECTION
Signature-Based Detection:
This method compares known threat signatures to
observed events to identify incidents.
This is very effective at detecting known threats but
largely ineffective at detecting unknown threats
and many variants on known threats.
Anomaly-Based Detection:
This method samples network activity to compare
to traffic that is known to be normal.
When measured activity is outside baseline
parameters or clipping level, IDPS will trigger an
alert.
Anomaly-based detection can detect new types of
attacks but it requires much more overhead and
processing capacity than signature-based.
Stateful Protocol Analysis:
A key development in IDPS technologies was the
use of protocol analyzers. It can decode applicationlayer network protocols, like HTTP or FTP. Once the
protocols are fully decoded, the IPS analysis engine
can evaluate different parts of the protocol for
anomalous behavior.
Problems with this type are it cannot detect attacks
that do not violate the characteristics of generally
acceptable protocol behavior.
FALSE POSITIVE

The normal activity is considered as an

intrusion.

IDPS technologies cannot provide completely

accurate detection.
FALSE NEGATIVE

The system fails to recognize an intrusion.

Altering the configuration of an IDPS to

improve its detection accuracy is known as
tuning.

TYPES OF IDPS
NETWORK-BASED
It performs packet sniffing and analyzes network
traffic to identify and stop suspicious activity.
It allows some attacks such as network service
worms and viruses with easily recognizable
characteristics, to be detected on networks before
they reach their intended targets.
Network-based products might be able to detect
and stop some unknown threats
through
application protocol analysis.
Although poorly written signature triggers false
positives, it can block a new malware threat hours
before antivirus signatures become available.
However, network-based products are generally not
capable of stopping malicious mobile code or Trojan
horses.
Placement of Network-based IDPS
Outside / inside firewall
Behind remote access server
Between business units
Between corporate network and partner networks
In all switched network segments
HOST-BASED
Similar to network-based, except that a host-based
product monitors the characteristics of a single host
and the events occurring within that host such as
monitoring network traffic.
They often use a combination of attack signatures
and knowledge of expected or typical behavior to
identify known and unknown attacks on systems.
Host-based IDPSs are most commonly deployed on
critical hosts such as publicly accessible servers
and servers containing sensitive information.
Placement of Host-based IDPS
Key servers that contain mission-critical and sensitive
information, Web servers, FTP and DNS servers, Ecommerce database servers,, and Other high value
assets.
NETWORK BEHAVIOR ANALYSIS (NBA)
It examines network traffic to identify threats that
generate unusual traffic flows, such as denial of
service (DoS) and distributed denial of service
(DDoS) attacks.
NBA systems are most often deployed to monitor
flows on an organizations internal networks, and
are also deployed where they can monitor flows

between an organizations networks and external

networks.

WIRELESS
This type monitors wireless network traffic and
analyzes its wireless networking protocols to
identify suspicious activity involving the protocols
themselves.
It cannot identify suspicious activity in the
application or higher-layer network protocols (e.g.,
TCP, UDP) that the wireless network traffic is
transferring.
EVALUATING IDPS
o Organizations should consider using multiple types
of
IDPS
technologies
to
achieve
more
comprehensive and accurate detection and
prevention of malicious activity.
o For most environments, a combination of networkbased and host-based IDPSs is needed for an
effective IDPS solution.
o NBA technologies can also be deployed if
organizations
desire
additional
detection
capabilities for DoS & DDoS attacks, worms, and
other threats that NBAs are particularly good at
detecting.
o Wireless IDPSs may also be needed if the
organization determines that its wireless networks
need additional monitoring.
o Organizations
need
to
understand
the
characteristics of their system or network
environment before a compatible IDPS can be
selected.
o Organizations should articulate the goals and
objectives they wish to attain by using an IDPS such
as stopping common attacks or identifying
misconfigured wireless network devices, etc.
o Organizations should also review their existing
security policies, which serve as a specification for
many of the features that the IDPS products need
to provide.
o Organizations also need to define specialized sets
of requirements for the following:
Security capabilities
It is including information gathering, logging,
detection, and prevention.
Performance
It is including maximum capacity and performance
features
Management
It is including design and implementation

CHAPTER 7 - TRUSTED COMPUTING

A technology developed and promoted by the

Trusted Computing Group (TCG)
In TC, the computer will consistently behave in
expected ways, and those behaviors will be
enforced by hardware and software.
Trusted Computing uses cryptography to help
enforce a selected behavior
TC is controversial because it is technically possible
not just to secure the hardware for its owner
TC was intended for Digital rights management
(DRM), a generic term for access control
technologies that can be used by hardware
manufacturers, publishers, copyright holders and
individuals to impose limitations on the usage of
digital content and devices.
Limits the abuse of file sharing over the network
Prevent making illegal copies without the
authorization from the vendor
Restrict users computing actions

TC FUNDAMENTAL CONCEPTS
Software runs and communicates securely over
applications and servers
Use locked-down architecture - Hardware level
cryptographic keys for encryption and
authentication
Seal secure data within curtained memory
I/O communication path are encrypted
TC should be expected the computing behave the
way we wanted and do what we wanted securely
Trusted Computing Platform (TCP) has the following
three fundamental features:

Protected Capabilities

Integrity Capabilities

Integrity Reporting
Trusted Computing encompasses six key technology
concepts as required for a fully trusted system:

Endorsement key

Secure input and output

Memory curtaining / protected

execution

Sealed storage

Remote attestation

Trusted Third Party (TTP)

LaGrande - Intel version of TC

Intels hardware implementation

Runs parallel to normal architecture
Uses hash values for modification detection
Operates in several different parts of chipset
Higher abstraction layers only as secure as
lower
Trusted CPU, chipset, and boot ROM
Each layer verifies hash of next layer before
execution
Built on top of secure bootstrap architecture
Instruction set extensions to create protected
processor partition
Extensions to create protected software stack
Trusted platform module (TPM) verifies
conditions
Changes to I/O controller, memory controller,
graphics controller, and CPU

NGSCB - Microsoft version of TC

Software side of TC

Domain Manager aka Nexus

Sealed Storage

Remote Attestation

Two primary system components in NGSCB

Nexus
o
Special kernel (core of the trusted
operating)
o
Goal: Isolate the process of normal
mode and trusted mode differently in memory
o
Functionality: Authenticate and protect
data (entered, stored, communicated, and
displayed) by data encryption
o
Nexus Computing Agent (NCA)

NSGCB operates two operating systems in ONE

system

Normal Mode:
o
Un-protected environment
o
Same as our current Windows series
o
Fully Controlled by the users

Trusted Mode:
o
Protected environment
o
Users have no authorities to modify,
delete, or copy ANY content.
o
Implemented
TC:
Hardware
and
Software implementation
o
Fully Controlled by the computers

Isolate protected and non-protected operating

environment that are stored in the same memory

Blocks the access of Direct Memory Access

(DMA) devices in term of writing and reading to
secured block of memory
Block access of malicious code
Claimed: no illegitimate access will occurring
in protected environment
Encrypts data on storage device
Key is not stored on storage device
Hash of creating program stored with file
TPM only decrypts for program that passes
modification detection
Decrypted only with same TPM / same program

USES OF TC

Remote banking, business-to-business ecommerce, and online auctioning

Digital rights management

Preventing cheating in online games

Securing data storage

Personal privacy protection, data

management, and record keeping
Shared computing and secure transactions
Secure home computing
Government agencies that require a high
level of security and trust
Software license enforcement