INFORMATION SECURITY LECTURE
NOTES
(Subject Code: BIT 301)
for
Bachelor of Technology
in
Information Technology
Department of Computer Science and Engineering & Information
Technology
Veer Surendra Sai University of Technology (Formerly UCE,
Burla)
Burla, Sambalpur, Odisha
Lecture Note Prepared by:
Asst.Prof. Sumitra Kisan
Asst.Prof. D. Chandrasekhar Rao
SYLLABUS
BIT-301 INFORMATION SECURITY (3-1-0) Credit-04
Module I (10 LECTURES)
The Security Problem in Computing: The meaning of computer Security, Computer
Criminals, Methods of Defense, Elementary Cryptography: Substitution Ciphers,
Transpositions, Making “Good” Encryption algorithms, The Data Encryption Standard, The
AES Encryption Algorithms, Public Key Encryptions, Uses of Encryption.
Module II (10 LECTURES)
Program Security: Secure Programs, Nonmalicious Program Errors, Viruses and Other
Malicious Code, Targeted Malicious Code, Controls Against Program Threats. Protection in
General-Purpose Operating Systems: Protected Objects and Methods of Protection, Memory and
Address Protection, File Protection Mechanisms, User Authentication. Designing Trusted
O.S.: Security Policies, Models of Security, Trusted O.S. Design, Assurance in Trusted O.S.,
Implementation Examples.
Module III (10 LECTURES)
Data base Security: Security requirements, Reliability and integrity, Sensitive data, Inference,
multilevel database, proposals for multilevel security.
Security in Network: Threats in Network, Network Security Controls, Firewalls, Intrusion
Detection Systems, Secure E-Mail.
Module IV (10 LECTURES)
Administering Security: Security Planning, Risk Analysis, Organizational Security Policies,
Physical Security. Legal, Privacy and Ethical Issues in Computer Security: Protecting
Programs and Data, Information and the Law, Rights of Employees and Employers, Software
Failures, Computer Crime, Privacy, Ethical Issues in Computer Security, Case Studies of Ethics.
MODULE 1
The security problem in computing
1.1 The meaning of computer security
The meaning of the term computer security has evolved in recent years. Before the problem
of data security became widely publicized in the media, most people’s idea of computer
security focused on the physical machine. Traditionally, computer facilities have been
physically protected for three reasons:
• To prevent theft of or damage to the hardware
• To prevent theft of or damage to the information
• To prevent disruption of service
Computer security is security applied to computing devices such as computers and
smartphones, and to computer networks such as private and public networks, including the
whole Internet. The field covers all the processes and mechanisms by which digital
equipment, information and services are protected from unintended or unauthorized access,
change or destruction, and it is of growing importance as most societies worldwide rely
increasingly on computer systems. It includes physical security, to prevent theft of
equipment, and information security, to protect the data on that equipment. It is sometimes
referred to as "cyber security" or "IT security", though these terms generally do not cover
physical security (locks and such).
Some important terms used in computer security are:
Vulnerability
A vulnerability is a weakness that allows an attacker to reduce a system's information
assurance. A vulnerability is the intersection of three elements: a system susceptibility or
flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a
vulnerability, an attacker must have at least one applicable tool or technique that can reach
the weakness. The set of points at which an attacker can reach and attempt to exploit such
weaknesses is called the attack surface; shrinking it (fewer exposed services, interfaces and
privileges) is a defense that does not depend on finding and fixing each individual flaw.
Vulnerability management is the cyclical practice of identifying, classifying, remediating
and mitigating vulnerabilities. In practice it mostly concerns software vulnerabilities in
computing systems.
Backdoors
A backdoor in a computer system is a method of bypassing normal authentication, securing
remote access to a computer, obtaining access to plaintext, and so on, while attempting to
remain undetected.
The backdoor may take the form of an installed program (e.g., Back Orifice), or it may be a
modification to an existing program or hardware device. To hide its presence it may also
report false information about disk and memory usage.
Denial-of-service attack
Unlike other exploits, denial-of-service attacks are not used to gain unauthorized access to
or control of a system. They are instead designed to render it unusable. Attackers can deny
service to individual victims, for example by deliberately entering a wrong password enough
consecutive times to cause the victim's account to be locked, or they can overload the
capacity of a machine or network and block all users at once. These attacks are, in practice,
very hard to prevent, because the behaviour of whole networks has to be analyzed, not only
the behaviour of small pieces of code. Distributed denial-of-service (DDoS) attacks are
common: a large number of compromised hosts (commonly called "zombie computers",
controlled as part of a botnet through, for example, a worm, a trojan horse or a backdoor)
are used to flood a target system with network requests, attempting to render it unusable
through resource exhaustion.
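The account-lockout form of denial of service mentioned above is worth seeing in code, because it is caused by a security control rather than by a missing one. The following is an added example, not code from the lecture notes: a naive policy that locks an account permanently after a fixed number of failures lets anyone who knows a username lock its owner out, while a policy whose lock expires and is keyed per (source address, account) keeps the legitimate user in. The credential store, usernames, addresses and thresholds are all constructed for illustration.

```python
"""Account-lockout denial of service: constructed example, not from the notes.

NaiveAuth locks an account forever after LOCK_THRESHOLD bad passwords, so an
attacker who only knows the victim's username can deny the victim service.
HardenedAuth (a policy chosen here for illustration) lets the lock expire and
keys it on (source, user), so failures from the attacker's address do not
block the real user logging in from elsewhere.
"""
import hmac
import time

LOCK_THRESHOLD = 5   # consecutive failures before the lock engages
LOCK_SECONDS = 60    # hardened policy: lock expires after this long

# Constructed credential store (real systems store salted password hashes)
USERS = {"alice": "correct horse battery staple"}


def password_ok(user, password):
    # Constant-time comparison so the check itself does not leak via timing
    return hmac.compare_digest(USERS.get(user, ""), password)


class NaiveAuth:
    """Permanent lock after LOCK_THRESHOLD consecutive failures, per account."""

    def __init__(self):
        self.failures = {}   # user -> consecutive failure count
        self.locked = set()

    def login(self, user, password, source):
        if user in self.locked:
            return "locked"
        if password_ok(user, password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= LOCK_THRESHOLD:
            self.locked.add(user)
        return "denied"


class HardenedAuth:
    """Time-limited lock keyed on (source, user)."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock           # injectable so expiry can be tested
        self.failures = {}           # (source, user) -> count
        self.locked_until = {}       # (source, user) -> expiry timestamp

    def login(self, user, password, source):
        key = (source, user)
        now = self.clock()
        if self.locked_until.get(key, 0) > now:
            return "locked"
        if password_ok(user, password):
            self.failures[key] = 0
            return "ok"
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.failures[key] >= LOCK_THRESHOLD:
            self.locked_until[key] = now + LOCK_SECONDS
            self.failures[key] = 0
        return "denied"


def simulate(auth_cls, **kw):
    """Attacker at 198.51.100.7 (constructed) guesses alice's password until the
    lock engages; alice then logs in correctly from 192.0.2.10. Returns alice's
    result: "locked" under NaiveAuth, "ok" under HardenedAuth."""
    auth = auth_cls(**kw)
    for _ in range(LOCK_THRESHOLD):
        auth.login("alice", "wrong-guess", source="198.51.100.7")
    return auth.login("alice", USERS["alice"], source="192.0.2.10")


if __name__ == "__main__":
    print("naive   :", simulate(NaiveAuth))
    print("hardened:", simulate(HardenedAuth))
```

Keying the lock on the source address stops the single-source lockout attack but is not a complete answer on its own: a distributed guessing attack from many addresses is still only slowed by per-source counters, so production systems combine a short per-source lock with a global per-account rate limit and a second factor rather than relying on any one of them.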
Direct-access attacks
An unauthorized user who gains physical access to a computer (or part of it) can do a great
deal: modify the operating system, install software such as worms or key loggers, or attach
hardware such as covert listening devices. The attacker can also copy large quantities of data
onto backup media (CD-R/DVD-R, tape) or portable devices such as USB key drives, digital
cameras or digital audio players. Another common technique is to boot an operating system
from a CD-ROM or other bootable medium and read the data straight from the hard drive(s),
bypassing the installed operating system's access controls entirely. The principal defense is
to encrypt the storage media and keep the key separate from the system (for example, derived
from a passphrase or held in a hardware token), so that the raw disk is useless to whoever
boots it; firmware passwords and boot-order locks raise the bar but fall to an attacker who
simply removes the drive. For standalone computers that never connect to the Internet,
direct-access attacks are in most cases the main threat, though removable media carried in
by users can still introduce malicious code.
Eavesdropping
Eavesdropping is the act of surreptitiously listening to a private conversation, typically
between hosts on a network. For instance, programs such as Carnivore and NarusInsight have
been used by the FBI and NSA to eavesdrop on the systems of internet service providers.
Spoofing
Spoofing of user identity describes a situation in which one person or program successfully
masquerades as another by falsifying data and thereby gaining an illegitimate advantage.
Tampering
Tampering describes an intentional, unauthorized modification of data, code or a product. In
computing this covers altering data in transit or at rest and modifying a program or device,
as well as altering physical products in a way that makes them harmful to the consumer.
Repudiation
Repudiation describes a situation in which a party denies having performed an action, such as
sending a message or authorizing a transaction, and the system cannot prove otherwise; the
classic case is a challenge to the authenticity of a signature. Controls that counter it
(non-repudiation) include digital signatures and tamper-evident audit logs.
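Spoofing, tampering and repudiation are easiest to tell apart on a single message. The block below is an added example, not code from the lecture notes: it protects a message with an HMAC under a key shared by Alice and Bob, shows that a modified message (tampering) and a message forged without the key (spoofing) are both rejected, and then shows why the same construction gives no protection against repudiation, since Bob holds the same key and can produce a tag identical to Alice's. The key, names and message format are constructed for illustration.

```python
"""Spoofing, tampering and repudiation on one message.

Constructed example (not from the lecture notes). The message is protected by
HMAC-SHA256 under a key shared between Alice and Bob; the key value, the
party names and the JSON message format are assumptions made here.
"""
import hashlib
import hmac
import json

# Constructed shared secret; in practice a random key from a KDF or key exchange
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def protect(message: dict, key: bytes) -> dict:
    """Return an envelope {body, tag} for the message under the given key."""
    # Canonical encoding so sender and receiver MAC exactly the same bytes
    body = json.dumps(message, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def verify(envelope: dict, key: bytes):
    """Return the parsed message if its tag is valid under key, else None."""
    body = envelope["body"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the tag via timing
    if not hmac.compare_digest(expected, envelope["tag"]):
        return None
    return json.loads(body)


def scenario() -> dict:
    """Run the three threats against one message and report what the MAC catches."""
    results = {}
    genuine = protect({"from": "alice", "to": "bob", "transfer": 100}, SHARED_KEY)
    results["genuine_accepted"] = verify(genuine, SHARED_KEY) is not None

    # Tampering: an attacker in the path changes the amount but cannot fix the tag
    tampered = dict(genuine, body=genuine["body"].replace("100", "9000"))
    results["tampering_detected"] = verify(tampered, SHARED_KEY) is None

    # Spoofing: an attacker without the key forges a message "from alice"
    forged = protect({"from": "alice", "to": "bob", "transfer": 9000}, b"attacker-guess")
    results["spoofing_detected"] = verify(forged, SHARED_KEY) is None

    # Repudiation: Bob, holding the same key, can produce Alice's exact tag, so a
    # MAC cannot prove to a third party that Alice (rather than Bob) sent it.
    bobs_copy = protect({"from": "alice", "to": "bob", "transfer": 100}, SHARED_KEY)
    results["mac_gives_non_repudiation"] = bobs_copy["tag"] != genuine["tag"]
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name:26s} {value}")
```

The last result is the point a practitioner should take away: a shared-key MAC authenticates the message to the two parties who hold the key, but because either of them can produce a valid tag it says nothing to an outside arbiter about which one did. Non-repudiation needs a signature under a private key that only the signer holds, plus a record (an audit log, a timestamp) that the signer cannot later alter.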