
Design Principles

BY : PROF. PATRICK :P

CHAPTER TAKEN FROM:
PRINCIPLES OF INFORMATION SECURITY, WHITMAN
GOOGLE :P
Contents
1. Various Security Attacks *****
2. Method of Defense **
3. Design Principles **
4. Security Policies and Types *****
From Where I Should Study
Contents / Resource Material:
1. Various Security Attacks **** : Principles of Information Security, Whitman (Page no 63-72 – Chapter 2)
2. Method of Defense ** : Notes will be provided (Chapter 1 notes)
3. Design Principles ** : Principles of Information Security, Whitman (Chapter 2)
4. Security Policies and Types ***** : Notes will be provided


Pedagogy Used
1. PPT
2. Videos
3. Case Study
Various Security Attacks
Following types of attacks:
1. Malicious Codes
2. Hoaxes
3. Back Doors
4. Password Crack
5. Brute Force
6. Dictionary
7. DoS Denial of Service
8. Spoofing
9. Man in the Middle
10. Spam
11. Mail Bombing
12. Sniffers
13. Social Engineering
14. Phishing
15. Timing Attack
Method of Defense
Ethical Hacking as a Defense Mechanism:
Hacking can be used as a methodology to provide security solutions to computer systems in all
possible ways; when it is used this way it is called ethical hacking.
Methodology of hacking :
1. Footprinting:
This phase involves gathering information about the system to be attacked. This information can be collected
internally or externally.
Social engineering can be one method of collecting information from users.

2. Scanning:
The hacker uses tools and techniques to detect vulnerabilities in the user's system.
3. Gaining Access:
The hacker tries to gain access to the system either directly or by using a forged IP address of an authenticated client.
The hacker may use a technique like spoofing, in which a packet that triggers a bug is sent to the target machine to exploit a vulnerability.

4. Maintaining Access:
Once the hacker gains access to the target system, he can use that access either to secure the system (working as an ethical hacker)
or to damage the system (working as an attacker).

5. Covering Tracks:
In this stage the attacker tries to hide every trace of his identity on the target computer systems.
Method of Defense
Controls:
(Which we have already covered in Chapter 1)
Sleeping ?? Video ???
Security Policies and Types
Consider a computer system to be a finite-state automaton with a set of transition functions that change state. Then: A security policy is a statement that partitions the states of the system into a set of authorized, or secure, states and a set of unauthorized, or non-secure, states.

A security policy sets the context in which we can define a secure system. What is secure under one policy may not be secure under a different policy. More precisely: A secure system is a system that starts in an authorized state and cannot enter an unauthorized state.
Consider the finite-state machine in the figure. It consists of four states and five transitions. The security policy partitions the states into a set of authorized states A = { s1, s2 } and a set of unauthorized states UA = { s3, s4 }.

This system is not secure, because regardless of which authorized state it starts in, it can enter an unauthorized state. However, if the edge from s1 to s3 were not present, the system would be secure, because it could not enter an unauthorized state from an authorized state.
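The state-machine check above, written out as an added example (not part of the original slides): the slide does not list its five transitions, so the edge set below is a constructed assumption chosen to match the description, with s1 -> s3 as the only edge leaving A. The code applies the definition of a secure system directly, by asking whether any authorized start state can reach an unauthorized one, and then re-checks after that edge is removed.

```python
from collections import deque

# Constructed example (assumption, not the slide's own figure): four states,
# five transitions, authorized A = {s1, s2}, unauthorized UA = {s3, s4}.
TRANSITIONS = {("s1", "s2"), ("s2", "s1"), ("s1", "s3"), ("s3", "s4"), ("s4", "s3")}
AUTHORIZED = {"s1", "s2"}
UNAUTHORIZED = {"s3", "s4"}


def escape_path(transitions, start, unauthorized):
    """Breadth-first search from `start`; return the shortest sequence of states
    that leads into an unauthorized state, or None if none is reachable."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur in unauthorized:
            path = []
            while cur is not None:        # walk the parent links back to start
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for src, dst in sorted(transitions):
            if src == cur and dst not in parent:
                parent[dst] = cur
                queue.append(dst)
    return None


def is_secure(transitions, authorized, unauthorized):
    """The slide's definition: secure iff no authorized start state can ever
    enter an unauthorized state."""
    return all(escape_path(transitions, s, unauthorized) is None for s in authorized)


def policy_violations(transitions, authorized, unauthorized):
    """Map each authorized start state to the path by which it escapes A.
    Every such path crosses some edge A -> UA; those edges are what the
    policy enforcement must remove (or gate with a check)."""
    return {s: p for s in authorized
            if (p := escape_path(transitions, s, unauthorized)) is not None}


if __name__ == "__main__":
    print("secure:", is_secure(TRANSITIONS, AUTHORIZED, UNAUTHORIZED))
    print("violations:", policy_violations(TRANSITIONS, AUTHORIZED, UNAUTHORIZED))
    fixed = TRANSITIONS - {("s1", "s3")}   # drop the edge, as the slide suggests
    print("secure after removing s1 -> s3:", is_secure(fixed, AUTHORIZED, UNAUTHORIZED))
```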
Types of Security Policies
A military security policy – To provide confidentiality
Definition: A military security policy (also called a governmental security policy) is a security
policy developed primarily to provide confidentiality.
A commercial security policy – To Provide Integrity
Definition: A commercial security policy is a security policy developed primarily to provide integrity.
Example :
When a customer moves money from one account to another, the bank uses a well-formed transaction.
This transaction has two distinct parts: money is first debited from the original account and then credited to
the second account.
Unless both parts of the transaction are completed, the customer will lose the money.
With a well-formed transaction, if the transaction is interrupted, the state of the database is still
consistent: either as it was before the transaction began or as it would have been when the transaction
ended.
Hence, part of the bank's security policy is that all transactions must be well-formed.
