NETE0519 & ITEC4614Computer Network Security

Asst.Prof.Supakorn Kungpisdan, Ph.D.supakorn@mut.ac.th

NETE0519-ITEC4614 2

Supakorn Kungpisdan, Ph.D.

Assistant Professor of Information Technology Education

PhD (Computer Science and Software Engineering), Monash University, Australia

M.Eng. (Computer Engineering), KMUTT Specializations

Information and Network Security, Electronic Commerce, Formal Methods, Computer Networking

NETE0519-ITEC4614 3

Course Descriptions Textbook

W. Stallings: Cryptography and Network Security, 4th Edition, Pearson Prentice Hall, ISBN 0-13-202322-9 or later

Supplementary materials M. E. Whitman and H. J. Mattord, Principles of Information

Security, 3rd Edition, Thomson, ISBN 1-4239-0177-0 G. De Laet and G. Schauwers: Network Security Fundamentals,

Cisco Press, ISBN 1-58705-167-2

http://www.msit.mut.ac.th/media

NETE0519-ITEC4614 4

Evaluation Criteria

Quizzes 10% Lab 30% Midterm exam 20% Final exam 40%

Course Outlines

Network Security Overview Information Security

Symmetric Cryptography, Public-key Cryptography, Hash Functions and MAC

Network Security IP Security, Web Security, Email Security, Firewalls, Intrusion Detection

Systems

Security Management Security Standards and Policy

NETE0519-ITEC4614 5

Lecture 01 Network Security Overview

Supakorn Kungpisdan, Ph.D.supakorn@mut.ac.th

NETE0519-ITEC4614 7

What is Security?

“The quality or state of being secure—to be free from danger”

A successful organization should have multiple layers of security in place: Information Security Systems Security Network Security Security Management Physical security

NETE0519-ITEC4614 8

Source: http://www.technewsworld.com/story/76109.html

NETE0519-ITEC4614 9

Source:http://www.networkworld.com/research/2012/100812-security-manager39s-journal-i-hired-263130.html?source=nww_rss

NETE0519-ITEC4614 10

Security Trends

NETE0519-ITEC4614 11

C.I.A Triangle

Confidentiality Integrity Availability

NETE0519-ITEC4614 12

Vulnerabilities, Threats, and Attacks

Vulnerability Threat Attack

NETE0519-ITEC4614 13

NETE0519-ITEC4614 14

NETE0519-ITEC4614 15

How Hackers Exploit Weaknesses

NETE0519-ITEC4614 16

Types of Attacks

Interruption Attack on Availability

Interception Attack on Confidentiality

NETE0519-ITEC4614 17

Types of Attacks (cont.)

Modification Attack on Integrity Tampering a resource

Fabrication Attack on Authenticity Impersonation,

masquerading

Passive VS Active Attacks

Passive Attacks To obtain information that is

being transmitted. E.g. Release of confidential

information and Traffic analysis Difficult to detect Initiative to launch an active

attack Interception Relieved by using encryption

Active Attacks Involve modification of the data

stream or creation of a false stream

E.g. Masquerade, replay, message modification, denial of services

Potentially detected by security mechanisms

Interruption, Modification, Fabrication

NETE0519-ITEC4614 18

NETE0519-ITEC4614 19

Hackers White Hat Hackers Grey Hat Hackers Script Kiddies Hacktivists Crackers or Black Hat Hackers

Malicious Codes

Viruses A destructive program code

that attaches itself to a host and copies itself and spreads to other hosts

Viruses replicates and remains undetected until being activated.

Worms Unlike viruses, worms is

independent of other programs or files. No trigger is needed.

Trojans Externally harmless program

but contains malicious code

Spyware Software installed on a target

machine sending information back to an owning server

NETE0519-ITEC4614 20

NETE0519-ITEC4614 21

Security at Each Layer

NETE0519-ITEC4614 22

A Model for Network Security

NETE0519-ITEC4614 23

A Model for Network Access Security

NETE0519-ITEC4614 24

Security Controls

NETE0519-ITEC4614 25

NETE0519-ITEC4614 26

NSTISSC Security Model

The National Security Telecommunications and Information Systems Security Committee

NETE0519-ITEC4614 27

Balancing Information Security and Access

NETE0519-ITEC4614 28

Approaches to Information Security Implementation

NETE0519-ITEC4614 29

Approaches to Information Security Implementation: Bottom-Up Approach

Grassroots effort: systems administrators attempt to improve security of their systems

Key advantage: technical expertise of individual administrators

Seldom works, as it lacks a number of critical features:

Participant support

Organizational staying power

NETE0519-ITEC4614 30

Approaches to Information Security Implementation: Top-Down Approach

Initiated by upper management

Issue policy, procedures, and processes

Dictate goals and expected outcomes of project

Determine accountability for each required action

The most successful also involve formal development strategy referred to as systems development life cycle

NETE0519-ITEC4614 31

Security as a Social Science

Social science examines the behavior of individuals interacting with systems

Security begins and ends with the people that interact with the system

Security administrators can greatly reduce levels of risk caused by end users, and create more acceptable and supportable security profiles

Questions?

Next weekSymmetric Cryptography and

Applications