Assignment -2 (Information Security)

Name: Gulsher Arid Number:17-ARID-1710

Session: Morning Section: A

Answer the following questions:

1. Explain computer security with examples.

Answer: Computer security, the protection of computer systems and information from
harm, theft, and unauthorized use. Computer hardware is typically protected by the same
means used to protect other valuable or sensitive equipment, namely, serial numbers,
doors and locks, and alarms. The protection of information and system access, on the
other hand, is achieved through other tactics, some of them quite complex.

The security precautions related to computer information and access address four major
threats:
 Theft of data, such as that of military secrets from government computers.
 Vandalism, including the destruction of data by a computer virus.
 Fraud, such as employees at a bank channeling funds into their own accounts.
 Invasion of privacy, such as the illegal accessing of protected personal financial or
medical data from a large database.
2. What is the OSI security architecture? Explain each point with help of valid
diagram.
Answer: ITU-T Recommendation X.800, Security
Architecture for OSI defines systematic way to
• Defining the requirements for security
• Characterizing the approaches to satisfying those
requirements
ITU-T – international Telecommunication Union
Telecommunication Standardization Sector
OSI – Open Systems Interconnections
The following concepts are used:
• Security attack: Any actions that compromises the
security of information owned by an organization (or a
person)
• Security mechanism: a mechanism that is designed to
detect, prevent, or recover from a security attack
• Security service: a service that enhances the security of
the data processing systems and the information transfers
of an organization. The services make use of one or more
security mechanisms to provide the service.

3. For our purposes, the OSI security architecture provides a useful, if abstract, overview of
many of the concepts that this book deals with. The OSI security architecture focuses on
security attacks, mechanisms, and services.
4. What is the difference between passive and active security threats? Give
any two example of each with the help of diagrams.
Answer: Active attacks: An Active attack attempts to alter system resources or effect their
operations. Active attack involve some modification of the data stream or creation of false
statement. Types of active attacks are as following:

1. Masquerade:
Masquerade attack takes place when one entity pretends to be different entity. A
Masquerade attack involves one of the other form of active attacks.
 2. Modification of messages :
It means that some portion of a message is altered or that message is delayed or
reordered to produce an unauthorised effect. For example, a message meaning “Allow
JOHN to read confidential file X” is modified as “Allow Smith to read confidential file X”.

Passive attacks: A Passive attack attempts to learn or make use of information from the
system but does not affect system resources. Passive Attacks are in the nature of
eavesdropping on or monitoring of transmission. The goal of the opponent is to obtain
information is being transmitted. Types of Passive attacks are as following:

1. The release of message content:

Telephonic conversation, an electronic mail message or a transferred file may contain
sensitive or confidential information. We would like to prevent an opponent from
learning the contents of these transmissions.

2. Traffic analysis :
Suppose that we had a way of masking (encryption) of information, so that the attacker
even if captured the message could not extract any information from the message.
The opponent could determine the location and identity of communicating host and
could observe the frequency and length of messages being exchanged. This information
might be useful in guessing the nature of the communication that was taking place.
5. List and briefly define categories of passive and active network security
attacks.
Answer: The two types of passive attacks are: Release of message, this is where the
attacker listens to the data stream and then share the confidential information. Traffic
analysis, this involves analysis of the traffic and observe the time taken and the size of the
message being sent and received. The types of active security attacks are as follows:
Masquerade, this involves the attacker to impersonate the sender of the message. Replay,
this is where the data are captured and then retransmit in view of creating an unauthorised
effect. Modification of messages – in this case the message is are modified or delayed or the
sequence of the message is reordered in view of creating an unauthorised effect. Denial of
service, this is where the attacker prevents the authorised person to use the infrastructure
in an authorised manner by disabling the network.

6. List and briefly define categories of security services.

Answer: The assurance that the communicating entity is the one that it claims to be.
Access control: The prevention of unauthorized use of a resource (i.e., this service controls
who can have access to a resource, under what conditions access can occur, and what those
accessing the resource are allowed to do).
Data confidentiality: The protection of data from unauthorized disclosure.
Data integrity: The assurance that data received are exactly as sent by an authorized entity
(i.e., contain no modification, insertion, deletion, or replay).
Nonrepudiation: Provides protection against denial by one of the entities involved in a
communication of having participated in all or part of the communication.
Availability service: The property of a system or a system resource being accessible and
usable upon demand by an authorized system entity, according to performance specifications
for the system (i.e., a system is available if it provides services according to the system design
whenever users request them).

7. List and briefly define categories of security mechanisms.

Answer: May be incorporated into the appropriate protocol layer in order to provide some
of the OSI security services.
Encipherment :
The use of mathematical algorithms to transform data into a form that is not readily
intelligible.
The transformation and subsequent recovery of the data depend on an algorithm and zero or
more encryption keys.
Digital Signature:
Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of
the data unit to prove the source and integrity of the data unit and protect against forgery
(e.g., by the recipient).
Access Control:
A variety of mechanisms that enforce access rights to resources.
Data Integrity:
A variety of mechanisms used to assure the integrity of a data unit or stream of data units.
Authentication Exchange:
A mechanism intended to ensure the identity of an entity by means of information exchange.
Traffic Padding:
The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.
Routing Control:
Enables selection of particular physically secure routes for certain data and allows routing
changes, especially when a breach of security is suspected.
Notarization :
The use of a trusted third party to assure certain properties of a data exchange.
PERVASIVE SECURITY MECHANISMS:
Mechanisms that are not specific to any particular OSI security service or protocol layer.
Trusted Functionality:
That which is perceived to be correct with respect to some criteria (e.g., as established by a
security policy).
Security Label:
The marking bound to a resource (which may be a data unit) that names or designates the
security attributes of that resource.
Event Detection:
Detection of security-relevant events.
Security Audit Trail:
Data collected and potentially used to facilitate a security audit, which is an independent
review
and examination of system records and activities.
Security Recovery:
Deals with requests from mechanisms, such as event handling and management functions,
and takes recovery actions.

8. Consider an automated teller machine (ATM) in which users provide a

personal identification number (PIN) and a card for account access. Give
 examples of confidentiality, integrity, and availability requirements
associated with the system and, in each case, indicate the degree of
importance of the requirement.
Answer: Confidentiality:To access debit or credit cards one must enter a security
password which is available only to authorized users and aimed at further enhancing the level
of security. While securing the PIN of a respective card it is the responsibility of end user to
ensure they use a strong pin. Banks also need to ensure privacy whenever a communication is
happening in between ATM and bank server to prevent hacking. The entire transaction needs
to be properly secured so to avoid any kind of harm or hackers cracking the card pins and
accessing.Proper encryption of PIN ensures that high level of confidentiality is maintained
while lack of attention towards the same could lead to breach of data or customers
information. Moreover, the policy related to changing PIN after regular intervals will help
boost the customers and keep data and information secure.

Integrity:Use of advanced, efficient technology and proper optimization & Collaboration of

ATMs is necessary to ensure their integrity is maintained and customers information is
secure. Both in case of withdraw and deposit, systems must be updated chronologically with
authentic data and does not affect the customer account in any manner. Withdrawals of
money should reflect as debits on the account, deposit of funds would result in credit of
account.Moreover, a section or committee should be incorporated to handle queries of
customers which are related with mismatch of account due to use of ATM.

Availability:The frequency of ATM should enhance depending upon the demand of the
customers and further should be frequently updated with cash to provide accurate services.
While ATM which is out of service could lead to customer dissatisfaction, that of ATM with
accuracy in services could attract more and more customers.

9. Consider a desktop publishing system used to produce documents for

various organizations.
  Give an example of a type of publication for which confidentiality
of the stored data is the most important requirement.
Answer: In this type of publication is a corporate proprietary material then
the confidential of provided data is most important. Since the proprietary material
contains confi denti al informati on,confidential should be assured for the stored the
data related to work.

 Give an example of a type of publication in which data integrity is

the most important requirement.
Answer: In this type of publication it’s related to law and regulates the
integrity of the provided data is most important. Here we have law and
regulati ons have marginally diff erence of each organization the exact law and
regulation provided by the organization is stored. Integrity documents are essential.

 Give an example in which system availability is the most

important requirement.
Answer: In this type of publicati on is associated with daily
updated view for example daily news magazines. The availability of this data is
very essential Such as daily news magazines are update and released to market with most
necessary.

10. Explain three aspects that involves comprehensive security strategy in

any organization.

Answer: By following these three key pillars to achieve the confidentiality, integrity,
and availability of data in your network, you will be protecting your data, your
customers, and your business.

Pillar 1: Confidentiality

The central driving vision for any data security approach is to ensure customer data
remains confidential at all times. This requires an end-to-end security solution protecting
network traffic from the end point to the data centre.

Data confidentiality in the network begins at the physical layer, where fibre tapping
devices can be used to steal sensitive data. To combat this, all your in-flight data should
be bulk encrypted from end-to-end, making it undecipherable and, ultimately, useless to
hackers.

Another key strategy for enhancing data confidentiality –that also reduces legacy
infrastructure costs – is to selectively add service layer encryption at the edge by
deploying next-generation, virtualized security solutions in your network. This requires a
flexible, open infrastructure that allows you to deliver and provision virtual network
functions (VNFs) in real time. Deploying virtual security appliances, including firewalls,
intrusion detection systems, and identity/access management systems, while enabling
routing of traffic to virtual-honeypots to deceive and detect adversaries, are all part of a
multi-layered security solution. In the virtualized security environment, advanced
analytics and orchestration tools ensure all VNFs work together effectively.

Pillar 2: Integrity

Data integrity combats cyberattacks by ensuring that information and flows are not
altered through unauthorized methods. To achieve true data integrity in the network,
you need to trust that the core network elements operate in a trusted state.  Network
providers and partners should have secure, well-documented life cycle management
processes and procedures covering component sourcing and manufacturing, network
design, deployment, and operations. Your network partners should also have security
accreditations from independent third parties, as well as comply with all the latest
security and quality standards.  These steps ensure the devices and network elements
that pass your critical data have been designed, manufactured, and delivered in a trusted
state.

Pillar 3: Availability
Today, data protection legislation requires companies to take technical and
organizational measures to ensure the security of data processing. This includes ongoing
availability and resilience of processing systems and services, even in the event of a
cyberattack or natural disaster. This means your network should incorporate fully
redundant infrastructure components including power supplies, processors, and
switching fabrics ensuring that traffic is rerouted to an alternative infrastructure if
required, and that primary paths are automatically restored as soon as possible.

Availability can be maximized using advanced network analytics.  Analytics and reporting
identify anomalous network behaviour and empower your operations teams to respond
to cyberattacks faster. This approach helps minimize the impact of cyberattacks and gives
organizations actionable insights that maximize uptime and improve capacity planning
and preventive maintenance.

A well-trained operations team is a key component to maintaining a network. Disaster

recovery and incident response training helps the team prepare for cyberattacks quickly
and in an appropriate and coordinated manner, minimising the potential impact for your
business and your customers. Expect your business partners and vendors to be willing
and able to provide training which prepares your operations team for the attacks that are
inevitable.