CH5-6 CS Lecture


Chapter 5

Security Mechanism
Security mechanisms deal with prevention, detection, and recovery from a security attack.
Prevention involves mechanisms that stop an attack from damaging the computer system in the first
place. Detection requires mechanisms that reveal when, how, and by whom an attack occurred.
Recovery involves mechanisms to stop the attack, assess the damage done, and then repair the damage.

Security mechanisms are built using personnel and technology.

• Personnel frame the security policy and procedures, and provide training and awareness.

• Technology provides the countermeasures against security attacks: cryptography, digital
signatures, firewalls, user identification and authentication, intrusion detection, virus
protection, and data and information backup.
Cryptography

Cryptography is the science of writing information in a “hidden” or “secret” form and is an ancient
art. Cryptography is necessary when communicating data over any network, particularly the
Internet. It protects the data in transit and also the data stored on the disk. Some terms commonly
used in cryptography are:

• Plaintext: readable text with no information hidden.


• Ciphertext: text with information hidden (the encrypted data).
• Encryption: the process of converting plaintext to ciphertext.
• Decryption: the process of reverting ciphertext to plaintext.
• Cipher: algorithm used for encryption and decryption.
• Key: a secret piece of information which is used for encryption & decryption.

• Symmetric cryptography (private/secret key cryptography):

- These techniques use a single key for both encryption and decryption.

- The sender and receiver must have a shared key set up in advance and kept secret from all
other parties; the sender uses this key for encryption and the receiver uses the same key for
decryption. Distributing that key securely is the main practical difficulty.

• Asymmetric cryptography (public key cryptography):

- These techniques use two mathematically related keys, a private key and a public key. What
one key encrypts, only the other can decrypt: anyone can encrypt a message to the owner with the
public key, and only the owner can decrypt it with the private key.

- The public key is publicly available while the private key is kept secret. The private key is
also what the owner uses to sign, and the public key is what everyone else uses to verify the
signature.

Hash Function

A hash function maps a message of any length to a fixed-length hash value (the digest). A
cryptographic hash function is additionally one-way and collision-resistant, so the digest serves
as a compact fingerprint of the message: it is what gets signed in a digital signature and, combined
with a secret key, what a message authentication code (MAC) is built from. A bare hash on its own
does not authenticate anything, because anyone can recompute it.
Digital Signature

Digital signature is an electronic signature that can be used to authenticate the identity of the sender
of a message and to ensure that the original content of the message or document that has been sent
is unchanged.

A digital signature scheme normally consists of a key-generation algorithm, a signing algorithm
that uses the signer's secret (private) key, and a verifying algorithm that uses the signer's public
key.

In a digital signature process, the sender uses the signing algorithm to sign the message (in
practice, the hash of the message). The message and the signature are sent to the receiver. The
receiver applies the verifying algorithm to the message, the signature and the sender's public key.
If the result is true, the message is accepted; otherwise it is rejected, because either the message
was altered in transit or it was not signed by the holder of the private key.

Firewall

A firewall is a security mechanism to protect a local network from the threats it may face while
interacting with other networks (Internet). A firewall can be a hardware component, a software
component, or a combination of both. It prevents computers in one network domain from
communicating directly with other network domains. All communication takes place through the
firewall, which examines all incoming data before allowing it to enter the local network.

Functions of Firewall:
The main purpose of firewall is to protect computers of an organization (local network) from
unauthorized access. Some of the basic functions of firewall are:

1. Firewalls provide security by examining incoming (and, when so configured, outgoing) packets
and allowing them through only if the conditions in the rule set are met.

2. Some firewalls, in particular application-level gateways, can also authenticate users, for
example by verifying a username and password before a connection is allowed, so that only
authorized users reach the local network. A plain packet filter does not do this; it only sees
addresses, ports and protocols.

3. Firewalls can be used for hiding the structure and contents of a local network from external
users. Network Address Translation (NAT) conceals the internal network addresses and replaces
all the IP addresses of the local network with one or more public IP addresses.

Types of Firewalls:

1. Packet Filtering Firewall:

Packet filtering firewalls work at the network layer (OSI model), or the IP layer (TCP/IP), and
look only at the headers of each packet. Each packet is compared to a set of criteria before it is
forwarded. Depending on the packet and the criteria, the firewall can drop the packet, forward it,
or send an error message to the originator. Rules can be based on source and destination IP
address, source and destination port number and the protocol used. The advantages of packet
filtering firewalls are their low cost and low impact on network performance. Their weakness is
that they are stateless: each packet is judged on its own, so the firewall cannot tell a genuine
reply to an internal request from an unsolicited packet that merely carries the right addresses
and ports, and those header fields can be spoofed.

2. Circuit Level Gateway Firewall:

Circuit level gateways work at the session layer (OSI model), or the TCP layer (TCP/IP). They
monitor the TCP handshake between the endpoints to determine whether a requested session is
legitimate, and then relay the packets of that session. Information passed to a remote computer
through a circuit level gateway appears to have originated from the gateway. This is useful for
hiding information about protected networks. Circuit level gateways are relatively inexpensive and
have the advantage of hiding information about the private network they protect. On the other
hand, they do not inspect the contents of individual packets once the session is established.
3. Application Level Gateway Firewall:

Application level gateways, also called proxies, are similar to circuit-level gateways except that
they are application specific. They can filter packets at the application layer of the OSI model.
Incoming or outgoing packets cannot access services for which there is no proxy. In plain terms,
an application level gateway that is configured to be a web proxy acts as the server to the internal
network and client to the external network. Because they examine packets at application layer,
they can filter application specific commands such as http: post and get, etc. Application level
gateways can also be used to log user activity and logins. They offer a high level of security, but
have a significant impact on network performance.

4. Stateful Multilayer Inspection Firewall:

They combine the aspects of the other three types of firewalls. They filter packets at the network
layer, determine whether session packets are legitimate and evaluate contents of packets at the
application layer. They rely on algorithms to recognize and process application layer data instead
of running application specific proxies. Stateful multilayer inspection firewalls offer a high level
of security, good performance and transparency to end users. They are expensive however, and
due to their complexity are potentially less secure than simpler types of firewalls if not
administered by highly competent personnel.
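To make the difference between a stateless packet filter and stateful inspection concrete, here is
an added example (not part of the lecture notes) that simulates both over constructed packets. The
rule format, the `Packet` fields, the addresses (10.0.0.0/24 stands for the protected LAN) and the
connection table are all assumptions of the example, not any product's syntax. The stateless filter
evaluates each packet against the rules in order with default deny; the stateful firewall records
connections opened from inside and admits inbound packets only when they are replies to such a
connection or when an explicit rule allows the service.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example: simplified packet filter and stateful inspection.
# Network, rules and packets are constructed for the example.

INTERNAL = ipaddress.ip_network("10.0.0.0/24")   # the protected local network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    flags: str = ""       # TCP flags, e.g. "S" (SYN), "SA" (SYN-ACK), "A" (ACK)


@dataclass
class Rule:
    action: str                       # "allow" or "drop"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None       # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("any", pkt.proto)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


def packet_filter(rules, pkt: Packet) -> str:
    """Stateless filtering: first matching rule wins, default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "drop"


class StatefulFirewall:
    """Stateful inspection: inbound packets are accepted only if they belong to a
    connection an internal host opened, or if an explicit rule allows them."""

    def __init__(self, rules):
        self.rules = rules
        self.connections = set()      # (client, cport, server, sport, proto)

    @staticmethod
    def _key(pkt: Packet):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)

    @staticmethod
    def _reverse_key(pkt: Packet):
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)

    def process(self, pkt: Packet) -> str:
        if ipaddress.ip_address(pkt.src) in INTERNAL:            # outbound
            key = self._key(pkt)
            new_flow = pkt.proto != "tcp" or ("S" in pkt.flags and "A" not in pkt.flags)
            if new_flow:
                self.connections.add(key)                        # remember the flow
            return "allow" if key in self.connections else "drop"
        if self._reverse_key(pkt) in self.connections:           # reply to a tracked flow
            return "allow"
        return packet_filter(self.rules, pkt)                    # unsolicited inbound


if __name__ == "__main__":
    rules = [Rule("allow", proto="tcp", dst="10.0.0.25/32", dport=25)]   # inbound mail only
    fw = StatefulFirewall(rules)
    print(fw.process(Packet("10.0.0.7", "198.51.100.5", "tcp", 51000, 443, "S")))   # allow
    print(fw.process(Packet("198.51.100.5", "10.0.0.7", "tcp", 443, 51000, "SA")))  # allow
    print(fw.process(Packet("198.51.100.5", "10.0.0.7", "tcp", 443, 51001, "SA")))  # drop
```

With the same rule set, the stateless `packet_filter` drops the legitimate SYN-ACK reply as well;
to let replies through it would need a rule such as "allow any packet with source port 443", which an
attacker can satisfy simply by sending from port 443. That is the weakness the stateful connection
table removes.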

A proxy server is an intermediary server that acts as a gateway between a client and
another server. When a client makes a request to access a resource, instead of directly
connecting to the server that hosts the resource, the client connects to the proxy
server. The proxy server then forwards the request to the appropriate server and relays
the response back to the client.
Proxy servers can serve multiple purposes, including:
1. Caching: Proxy servers can cache frequently accessed resources. When a client
requests a resource, the proxy server first checks if it has a cached copy. If it
does, the proxy server returns the cached copy, reducing the response time and
bandwidth usage.
2. Anonymity: Proxy servers can provide anonymity by acting as an intermediary
between the client and the server. The client's IP address is hidden from the
server, which can help protect privacy and bypass certain restrictions or filters.
3. Filtering: Proxy servers can be configured to filter content based on specific
rules or policies. This can be used to block access to certain websites or restrict
specific types of content.
4. Load balancing: Proxy servers can distribute client requests across multiple
servers, balancing the load and improving performance and scalability.
5. Security: Proxy servers can act as a security layer by inspecting and filtering
incoming and outgoing traffic. They can block malicious requests or filter out
potentially harmful content.
There are different types of proxy servers, including:
1. Forward proxy: A forward proxy is typically used by clients to access resources
on the internet. It sits between the client and the internet and forwards client
requests to external servers.
2. Reverse proxy: A reverse proxy is placed in front of web servers and acts as a
gateway for incoming client requests. It can handle tasks such as load
balancing, SSL termination, and caching.
3. Transparent proxy: A transparent proxy intercepts client traffic without requiring any
client-side configuration. Clients are unaware that their requests are being processed by a
proxy server.
4. Anonymous proxy: An anonymous proxy hides the client's IP address from the
server, providing a level of anonymity.
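The request-handling core of a forward proxy, as an added example rather than code from the lecture,
showing how the relaying step above combines with caching, filtering and anonymity. The upstream
fetch is injected as a function so the example runs offline; the host names, the block list and the
fake upstream server are constructed for the example.

```python
import time
from typing import Callable, Dict, Tuple
from urllib.parse import urlsplit

# Added example: forward-proxy request handling with caching, a host block
# list, and optional hiding of the client's address from the upstream server.

Response = Tuple[int, Dict[str, str], bytes]     # status, headers, body


class ForwardProxy:
    def __init__(self, fetch: Callable[[str, Dict[str, str]], Response],
                 blocked_hosts=(), cache_ttl: int = 60, anonymous: bool = True):
        self.fetch = fetch                  # performs the real upstream request
        self.blocked = set(blocked_hosts)   # filtering policy
        self.cache = {}                     # url -> (expires_at, response)
        self.cache_ttl = cache_ttl
        self.anonymous = anonymous          # hide the client from the upstream server?
        self.log = []                       # (client_ip, url, outcome)

    def handle(self, client_ip: str, url: str, headers: Dict[str, str], now=None) -> Response:
        now = time.time() if now is None else now
        host = urlsplit(url).hostname

        if host in self.blocked:                                   # filtering
            self.log.append((client_ip, url, "blocked"))
            return 403, {}, b"blocked by proxy policy"

        cached = self.cache.get(url)
        if cached and cached[0] > now:                             # caching
            self.log.append((client_ip, url, "cache-hit"))
            return cached[1]

        upstream_headers = dict(headers)
        if not self.anonymous:
            # A non-anonymous proxy tells the server who the real client is.
            upstream_headers["X-Forwarded-For"] = client_ip
        # Otherwise the server only ever sees the proxy's own connection.

        response = self.fetch(url, upstream_headers)               # relaying
        if response[0] == 200:
            self.cache[url] = (now + self.cache_ttl, response)
        self.log.append((client_ip, url, "forwarded"))
        return response


def fake_upstream_factory():
    """Constructed stand-in for the internet: records calls, answers 200."""
    calls = []

    def fetch(url: str, headers: Dict[str, str]) -> Response:
        calls.append((url, headers))
        return 200, {"Content-Type": "text/plain"}, b"hello from " + url.encode()

    return fetch, calls


if __name__ == "__main__":
    fetch, calls = fake_upstream_factory()
    proxy = ForwardProxy(fetch, blocked_hosts={"ads.example"}, cache_ttl=60)
    proxy.handle("10.0.0.7", "http://www.example/index.html", {}, now=1000)
    proxy.handle("10.0.0.8", "http://www.example/index.html", {}, now=1030)
    proxy.handle("10.0.0.7", "http://ads.example/banner", {}, now=1031)
    print(proxy.log)          # forwarded, cache-hit, blocked
    print(len(calls))         # 1: the second request never reached upstream
```

The log entries are what the "Filtering" and "Security" purposes above rely on: every request passes
a single choke point that can record who asked for what, which a direct client-to-server connection
never gives the administrator.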

Virtual Private Network (VPN)


A virtual private network (VPN) is a secure, encrypted connection (a tunnel) between a device
and a network, or between two networks, carried over an untrusted network such as the
Internet. VPNs help ensure that sensitive data is transmitted safely and prevent unauthorized
people on the path, such as someone on the same Wi-Fi network or the ISP, from eavesdropping
on or tampering with the traffic.
VPNs can also help users:

• Increase privacy: the sites a user visits see the VPN server's IP address rather than the
user's own, and the local network and ISP see only encrypted traffic to the VPN server.
• Avoid content-based ISP throttling: because the ISP cannot see which site or application
the encrypted traffic belongs to, it cannot single that traffic out for slowdown.
• Bypass website blocks and firewalls: the point-to-point tunnel carries the traffic past
filters that act on destination addresses, and lets the user appear to come from the VPN
server's location rather than from the masked IP address.
Here's how a VPN works:
• The user's device authenticates to a remote VPN server (the organization's gateway or a
server owned by a VPN provider) and the two sides negotiate encryption keys.
• The device encrypts all traffic destined for the protected network (or the Internet) and
"tunnels" it to the VPN server; the user's public IP address is hidden from the destination.
• The VPN server decrypts the traffic and forwards it to the website or internal service
using its own address.
• The website sends its response back to the VPN server, which encrypts it and sends it
through the tunnel to the user's device.
• Once the data arrives at the device, it is decrypted so the user can read it.
Note that the tunnel ends at the VPN server: its operator can see the traffic in plaintext
unless it is separately protected (for example by TLS), so a VPN moves trust from the local
network and ISP to the VPN provider rather than removing it.

Users identification and authentication

1. User name and password,

2. Smart card

3. Biometrics

Identification is the process whereby a user claims an identity to the system, for example by
entering a username. Authentication is the process of verifying that claimed identity. For
example, the user enters a username for identification and a password as proof; the system
authenticates the user by checking that the password matches the one stored for that username,
and only then treats the user as a valid user. Before granting access to a system, the user's
identity needs to be authenticated. If users are not properly authenticated then the system is
potentially vulnerable to access by unauthorized users. If strong identification and
authentication mechanisms are used, then the risk that unauthorized users will gain access to a
system is significantly decreased. Authentication is done using one or more of these factors -
what you have (like smartcards), what you know (passwords), and what you are (biometrics like
fingerprints or retina scans); combining factors from different categories is multifactor
authentication.

Once the user is authenticated, the access controls for that user are applied. Access control
determines what the user can access once he or she has been authenticated; this authorization
decision is separate from authentication.
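As an added example (not lecture code) that ties the three steps together, here is a login path
that identifies the user by name, verifies two factors (a salted PBKDF2 password hash for "what you
know", and a TOTP code as generated by a phone app for "what you have"), and then applies an access
control list. The user records, the ACL and the shared TOTP secrets are constructed for the example;
the TOTP computation follows RFC 6238, and the first secret below is the one used for the RFC's own
test vectors.

```python
import hashlib
import hmac
import os
import struct

# Added example: identification, two-factor authentication and access control.
# Accounts, secrets and the ACL are constructed; TOTP is per RFC 6238.


def hash_password(password: str, salt: bytes = None, iterations: int = 200_000):
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt        # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def make_user(password: str, totp_secret: bytes, roles):
    salt, iters, digest = hash_password(password)
    return {"salt": salt, "iters": iters, "hash": digest,
            "totp_secret": totp_secret, "roles": set(roles)}


USERS = {   # constructed sample accounts
    "alice": make_user("correct horse battery staple", b"12345678901234567890", ["staff"]),
    "bob":   make_user("hunter2", b"ABCDEFGHIJKLMNOPQRST", ["staff", "payroll"]),
}

ACL = {     # resource -> roles allowed to use it (applied after authentication)
    "/wiki": {"staff", "payroll"},
    "/payroll": {"payroll"},
}

_DUMMY = make_user("x", b"0" * 20, [])   # makes unknown-user checks cost the same time


def authenticate(username: str, password: str, code: str, now: int) -> bool:
    """Identify the user, then verify both factors. Every failure returns the same
    result, so a caller cannot tell a wrong password from an unknown user name."""
    user = USERS.get(username, _DUMMY)                      # identification
    _, _, digest = hash_password(password, user["salt"], user["iters"])
    password_ok = hmac.compare_digest(digest, user["hash"])             # what you know
    code_ok = any(hmac.compare_digest(code, totp(user["totp_secret"], now + drift))
                  for drift in (-30, 0, 30))                            # what you have
    return username in USERS and password_ok and code_ok


def authorize(username: str, resource: str) -> bool:
    """Access control: does any of the user's roles grant the resource?"""
    roles = USERS.get(username, {}).get("roles", set())
    return bool(roles & ACL.get(resource, set()))


if __name__ == "__main__":
    now = 59
    code = totp(b"12345678901234567890", now)       # what alice's phone would show
    print("alice login:", authenticate("alice", "correct horse battery staple", code, now))
    print("alice payroll:", authorize("alice", "/payroll"))   # authenticated, not authorized
```

The constant-time comparisons and the dummy record are the two details a practitioner adds so that
timing or error messages do not leak which usernames exist; the drift window of one step either side
is the usual allowance for an unsynchronized phone clock.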

Intrusion Detection System (IDS)

- Intrusion detection is the process of identifying and responding to malicious activity targeted
at computing and network resources.

- An IDS is a system designed to analyze network traffic or system events against a given set of
rules or parameters and to raise an alert (and capture the relevant data) when those patterns or
thresholds are matched.

- An IDS uses the collected information and a pre-defined knowledge base (signatures of known
attacks, or a baseline of normal behaviour for anomaly detection) to reason about the possibility
of an intrusion.

- An IDS also provides services to cope with an intrusion, such as raising alarms, logging, and
activating programs or devices that try to deal with the intrusion (a system that actively blocks
the traffic is called an intrusion prevention system, IPS).
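The following added example (not from the lecture) is a small IDS of the kind described above,
run over constructed log lines: a signature knowledge base of known-bad patterns and a threshold rule
that fires when one source produces too many failed logins within a time window. The log format, the
two patterns and the threshold values are illustrative choices of the example, not a vendor rule set.

```python
import re
from collections import defaultdict, deque

# Added example: signature- and threshold-based intrusion detection over
# constructed log lines "<unix_time> <source_ip> <event> <detail>".

SIGNATURES = {   # knowledge base: patterns of known attacks
    "sqli": re.compile(r"(?i)(union\s+select|'\s*or\s+1=1)"),
    "traversal": re.compile(r"\.\./\.\./"),
}
FAIL_THRESHOLD = 5     # this many failed logins ...
FAIL_WINDOW = 60       # ... within this many seconds from one source

LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<src>[\d.]+) (?P<event>\S+) (?P<detail>.*)$")


class IntrusionDetector:
    def __init__(self):
        self.failures = defaultdict(deque)   # src -> timestamps of recent failed logins
        self.alerts = []                     # (timestamp, source, reason)

    def observe(self, line: str) -> None:
        m = LOG_RE.match(line)
        if not m:
            return                            # unparseable line: ignored here
        ts, src, event, detail = int(m["ts"]), m["src"], m["event"], m["detail"]

        for name, pattern in SIGNATURES.items():          # signature matching
            if pattern.search(detail):
                self.alerts.append((ts, src, "signature:" + name))

        if event == "auth-fail":                           # threshold rule
            window = self.failures[src]
            window.append(ts)
            while window and window[0] < ts - FAIL_WINDOW:
                window.popleft()                           # forget old failures
            if len(window) == FAIL_THRESHOLD:              # alert once on crossing
                self.alerts.append((ts, src, "threshold:brute-force"))


def analyze(lines):
    """Run the detector over a sequence of log lines and return its alerts."""
    ids = IntrusionDetector()
    for line in lines:
        ids.observe(line)
    return ids.alerts


SAMPLE_LOG = """\
1000 198.51.100.7 auth-fail user=root
1010 198.51.100.7 auth-fail user=admin
1020 198.51.100.7 auth-fail user=oracle
1025 203.0.113.4 http GET /index.html
1030 198.51.100.7 auth-fail user=test
1040 198.51.100.7 auth-fail user=guest
1050 203.0.113.4 http GET /search?q=' OR 1=1 --
1200 198.51.100.7 auth-fail user=pi
1300 203.0.113.9 http GET /../../etc/passwd
""".splitlines()   # constructed sample log

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The sixth failure at time 1200 does not alert again, because the earlier failures have aged out of
the 60-second window; tuning that window and threshold against real traffic is where most of the
false positives and false negatives of a threshold rule come from.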
Chapter 6
Authentication and access control
Terms related to authentication and access control, including definitions about passwords and about
proving identity:

• acceptable use policy (AUP) - An acceptable use policy (AUP) is a document stipulating
constraints and practices that a user must agree to for access to a corporate network, the
internet or other resources.

• access control - Access control is a security technique that regulates who or what can
view or use resources in a computing environment.

• access control list (ACL) - An access control list (ACL) is a list of rules that specifies
which users or systems are granted or denied access to a particular object or system
resource.

• active attack - An active attack is a network exploit in which an attacker attempts to make
changes to data on the target or data en route to the target.

• Active Directory Domain Services (AD DS) - Active Directory Domain Services (AD DS) is a
Windows Server role that stores and manages information about network resources, as well as
application data, in a distributed database (the directory).

• Active Directory Federation Services (AD FS) - Active Directory Federation Services
(AD FS) is a feature of the Windows Server operating system (OS) that extends end users'
single sign-on (SSO) access to applications and systems outside the corporate firewall.

• adaptive multifactor authentication (adaptive MFA) - Adaptive multifactor authentication
(MFA) is a security mechanism intended to authenticate and authorize users through a variety
of contextual authentication factors, such as location, device and time of access.

• Amazon Cognito - Amazon Cognito is an Amazon Web Services product that controls user
authentication and access for web and mobile applications.

• authentication - Authentication is the process of determining whether someone or something
is who or what they say they are.

• authentication factor - An authentication factor is a category of credential that is intended
to verify, sometimes in combination with other factors, that an entity involved in some kind
of communication or requesting access to some system is who, or what, they are declared to be.

• authentication server - An authentication server is an application that facilitates the
authentication of an entity that attempts to access a network.

• authentication, authorization and accounting (AAA) - Authentication, authorization and
accounting (AAA) is a security framework for controlling and tracking user access within a
computer network.

• Automatic Identification and Data Capture (AIDC) - Automatic Identification and Data Capture
(AIDC) is a broad set of technologies used to collect information from an object, image or
sound without manual data entry.

• biometric authentication - Biometric authentication is a security process that relies on the
unique biological characteristics of individuals to verify they are who they say they are.

• biometric verification - Biometric verification is any means by which a person can be
uniquely identified by evaluating one or more distinguishing biological traits.

• biometrics - Biometrics is the measurement and statistical analysis of people's unique
physical and behavioral characteristics.

• bitcoin mining - Bitcoin mining is a type of cryptomining in which new bitcoin are entered
into circulation and bitcoin transactions are verified and added to the blockchain.

• brute-force attack - A brute-force attack is a trial-and-error method in which an attacker's
program systematically tries candidate passwords or encryption keys until one works, in order
to gain unauthorized access to systems.

• BYOI (bring your own identity) - BYOI (bring your own identity) is an approach to digital
authentication in which an end user's username and password are managed by a third party.

• channel partner portal - A channel partner portal is a web-based application that provides a
vendor's established partners (usually distributors, resellers, service providers or other
strategic partners) with access to deal registration, marketing resources, pricing and sales
information for products and services, as well as technical details and support that are
unavailable to other end users.

• CHAP (Challenge-Handshake Authentication Protocol) - CHAP (Challenge-Handshake Authentication
Protocol) is a challenge and response authentication method that Point-to-Point Protocol (PPP)
servers use to verify the identity of a remote user without sending the password over the link.

• claims-based identity - Claims-based identity is a means of authenticating an end user,
application or device to another system in a way that abstracts the entity's specific
information while providing data that authorizes it for appropriate and relevant interactions.

• cloud security - Cloud security, also known as cloud computing security, is the practice of
protecting cloud-based data, applications and infrastructure from cyberthreats and cyber
attacks.

• cloud workload protection - Cloud workload protection is the safeguarding of workloads spread
out across multiple cloud environments.

• Common Access Card (CAC) - A Common Access Card (CAC) is a smart card issued by the United
States Department of Defense for accessing DOD systems and facilities.

• Consensus Algorithm - A consensus algorithm is a process in computer science used to achieve
agreement on a single data value among distributed processes or systems.

• continuous authentication - Continuous authentication is a method of verification aimed at
providing identity confirmation and cybersecurity protection on an ongoing basis, rather than
only at login.

• Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) - Counter
Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) is an encryption
protocol based on the U.

• credential stuffing - Credential stuffing is the practice of using stolen login information
from one account to gain access to accounts on a number of sites through automated login.

• credential theft - Credential theft is a type of cybercrime that involves stealing a victim's
proof of identity.

• cryptogram - A cryptogram is a word puzzle featuring encrypted text that the user decrypts to
reveal a message of some sort.

• CSR (Certificate Signing Request) - A Certificate Signing Request (CSR) is a specially
formatted message sent from a digital certificate applicant to a certificate authority (CA). It
contains the applicant's public key and identifying information and is signed with the
applicant's private key; it is not encrypted.

• data masking - Data masking is a method of creating a structurally similar but inauthentic
version of an organization's data that can be used for purposes such as software testing and
user training.

• decentralized identity - Decentralized identity is an approach to identifying and
authenticating users and entities without a centralized authority.

• default password - A default password is a standard preconfigured password for a device or
software, which should be changed before the device is put into service.

• deprovisioning - Deprovisioning is the part of the employee lifecycle in which access rights
to software and network services are taken away.

• digital identity - A digital identity is the body of information about an individual,
organization or electronic device that exists online.

• Digital Signature Standard (DSS) - The Digital Signature Standard (DSS) is a digital
signature algorithm (DSA) developed by the U.

• Directory Services Restore Mode (DSRM) - Directory Services Restore Mode (DSRM) is a Safe
Mode boot option for Windows Server domain controllers.

• disposable email - Disposable email is a service that allows a registered user to receive
email at a temporary address that expires after a certain time period elapses.

• Duo Security - Duo Security is a vendor of cloud-based two-factor authentication products.

• dynamic multipoint VPN (DMVPN) - A dynamic multipoint virtual private network (DMVPN) is a
secure network that exchanges data between sites/routers without passing traffic through an
organization's virtual private network (VPN) server or router located at its headquarters.

• e-signature (electronic signature) - An e-signature (electronic signature) is a digital
version of a traditional pen and ink signature.

• e-ticket (electronic ticket) - An e-ticket (electronic ticket) is a paperless electronic
document used for ticketing purposes, such as airfare or concert admission.

• encryption key management - Encryption key management is the practice of generating,
organizing, protecting, storing, backing up and distributing encryption keys.

• enhanced driver's license (EDL) - An enhanced driver's license (EDL) is a government-issued
permit that, in addition to the standard features of a driver's license, includes an RFID tag
that allows officials to pull up the owner's biographical and biometric data.

• Extensible Authentication Protocol (EAP) - The Extensible Authentication Protocol (EAP) is an
authentication framework, originally defined for the Point-to-Point Protocol (PPP) and now
used by IEEE 802.1X on wired and wireless networks, that carries a negotiable authentication
method (such as a certificate exchange or a one-time password) rather than fixing one.

• facial recognition - Facial recognition is a category of biometric software that maps an
individual's facial features mathematically and stores the data as a faceprint.

• federated identity management (FIM) - Federated identity management (FIM) is an arrangement
between multiple enterprises or domains that enables their users to use the same identification
data (digital identity) to access all their networks.

• FIDO (Fast Identity Online) - FIDO (Fast Identity Online) is a set of technology-agnostic
security specifications for strong authentication.

• four-factor authentication (4FA) - Four-factor authentication (4FA) is the use of four types
of identity-confirming credentials, typically categorized as knowledge, possession, inherence
and location factors.

• fraud detection - Fraud detection is a set of activities undertaken to prevent money or
property from being obtained through false pretenses.

• full-disk encryption (FDE) - Full-disk encryption (FDE) is a security method for protecting
sensitive data at rest by encrypting all data on a disk drive, either in software or in the
drive's own hardware.

• Google Authenticator - Google Authenticator is a mobile security application that provides a
second type of confirmation (a time-based one-time code) for websites and online services that
use two-factor authentication (2FA) to verify a user's identity before granting access to
secure resources.

• hardware security module (HSM) - A hardware security module (HSM) is a physical device that
generates, stores and uses cryptographic keys inside tamper-resistant hardware, so that the
keys never leave the device in plaintext.

• Hash-based Message Authentication Code (HMAC) - Hash-based Message Authentication Code (HMAC)
is a message authentication method that uses a cryptographic key in conjunction with a hash
function; it provides integrity and authenticity, not confidentiality.

• identity management (ID management) - Identity management (ID management) is the
organizational process for ensuring that individuals have the appropriate access to technology
resources.

• identity provider - An identity provider (IdP) is a system component that provides an end
user or internet-connected device with a single set of login credentials that ensures the
entity is who or what it says it is across multiple platforms, applications and networks.

• identity theft - Identity theft, also known as identity fraud, is a crime in which an
imposter obtains key pieces of personally identifiable information (PII), such as Social
Security or driver's license numbers, to impersonate someone else.

• initialization vector - An initialization vector (IV) is a value, usually required to be
unique or random for each message, that is combined with the secret key when encrypting so that
encrypting the same plaintext twice does not produce the same ciphertext.

• Java Authentication and Authorization Service (JAAS) - The Java Authentication and
Authorization Service (JAAS) is a set of application program interfaces (APIs) that can
determine the identity of a user or computer attempting to run Java code, and ensure that the
entity has the privilege or permission to execute the functions requested.

• key fob - A key fob is a small, programmable device that provides access to a physical
object.

• key-value pair (KVP) - A key-value pair (KVP) is a set of two linked data items: a key, which
is a unique identifier for some item of data, and the value, which is either the data that is
identified or a pointer to the location of that data.

• knowledge-based authentication - Knowledge-based authentication (KBA) is an authentication
method in which users are asked to answer at least one secret question.

• LDAP injection - LDAP (Lightweight Directory Access Protocol) injection is a type of security
exploit that is used to compromise the authentication process used by some websites: user
input containing filter metacharacters is placed unescaped into an LDAP search filter, changing
the meaning of the query.

• LEAP (Lightweight Extensible Authentication Protocol) - LEAP (Lightweight Extensible
Authentication Protocol) is a Cisco-proprietary version of EAP, the authentication protocol used
in wireless networks and Point-to-Point connections.

• logon (or login) - In computing, a logon is a procedure that enables an entity to access a
secure system such as an operating system, application, service, website or other resource.

• machine authentication - Machine authentication is the authentication of an automated
human-to-machine or machine-to-machine (M2M) communication through verification of a digital
certificate or digital credentials.

• man-in-the-middle attack (MitM) - A man-in-the-middle (MitM) attack is a type of cyber attack
in which the attacker secretly intercepts and relays messages between two parties who believe
they are communicating directly with each other.

• mandatory access control (MAC) - Mandatory access control (MAC) is a security strategy that
restricts the ability individual resource owners have to grant or deny access to resource
objects in a file system; access is decided by system-wide policy and labels instead.

• Massachusetts data protection law - The Massachusetts data protection law is legislation that
stipulates security requirements for organizations that handle the private data of residents.

• message authentication code (MAC) - A message authentication code (MAC) is a cryptographic
checksum, computed with a secret key, applied to a message in network communication to
guarantee its integrity and authenticity.

• Microsoft Azure Key Vault - Microsoft Azure Key Vault is a cloud-based security service
offered by Microsoft as part of its Azure platform for storing and managing keys, secrets and
certificates.

• Microsoft Network Device Enrollment Service (NDES) - Microsoft Network Device Enrollment
Service (NDES) is a security feature in Windows Server 2008 R2 and later Windows Server
operating versions.

• Microsoft Windows Azure Active Directory (Windows Azure AD) - Microsoft Windows Azure Active
Directory (Windows Azure AD or Azure AD, since renamed Microsoft Entra ID) is a cloud service
that provides administrators with the ability to manage end-user identities and access
privileges.

• Microsoft Windows Hello - Microsoft Windows Hello is a biometric identity and access control
feature that supports fingerprint scanners, iris scanners and facial recognition technology on
compatible devices running Windows.

• mimikatz - Mimikatz is an open source post-exploitation tool, commonly classified as malware
by security products, used by attackers and penetration testers to gather credentials from
memory on Windows computers.

• mobile authentication - Mobile authentication is the verification of a user's identity via a
mobile device using one or more authentication methods for secure access.

• multifactor authentication - Multifactor authentication (MFA) is an account login process
that requires multiple methods of authentication from independent categories of credentials to
verify a user's identity for a login or other transaction.

• mutual authentication - Mutual authentication, also called two-way authentication, is a
process or technology in which both entities in a communications link authenticate each other.

• national identity card - A national identity card is a portable document, typically a
plasticized card with digitally embedded information, that is used to verify aspects of a
person's identity.

• nonrepudiation - Nonrepudiation is the assurance, typically provided by digital signatures,
that a party cannot later deny having sent a message or approved some information, because the
signature could only have been produced with that party's private key.

• OAuth - OAuth (Open Authorization) is an open standard authorization framework for
token-based authorization on the internet.

• one-time password - A one-time password (OTP) is an automatically generated numeric or
alphanumeric string of characters that authenticates a user for a single transaction or login
session and cannot be reused.

• Open System Authentication (OSA) - Open System Authentication (OSA) is a process by which a
computer could gain access to a wireless network that uses the Wired Equivalent Privacy (WEP)
protocol.

• OpenID (OpenID Connect) - OpenID is an open specification for authentication and single
sign-on; OpenID Connect (OIDC) is its current form, an identity layer built on top of OAuth 2.0.

• orphan account - An orphan account, also referred to as an orphaned account, is a user
account that can provide access to corporate systems, services and applications but does not
have a valid owner.

• out-of-band authentication - Out-of-band authentication is a type of two-factor
authentication that requires a secondary verification method through a separate communication
channel along with the typical ID and password.

• pass the hash attack - A pass the hash attack is an exploit in which an attacker steals a
hashed user credential and -- without cracking it -- reuses it to trick an authentication
system into creating a new authenticated session on the same network.

• passphrase - A passphrase is a sentencelike string of words used for authentication that is
longer than a traditional password, easy to remember and difficult to crack.

• password - A password is a string of characters used to verify the identity of a user during
the authentication process.

• password cracking - Password cracking is the process of using an application program to
identify an unknown or forgotten password to a computer or network resource, typically by
guessing candidates and comparing their hashes against a stolen password hash.

• password entropy - Password entropy is a measurement of a password's strength based on how
difficult it would be to crack the password through guessing or a brute-force attack.

• password manager - A password manager is a technology tool that helps internet users create,
save, manage and use passwords across different online services.

• password salting - Password salting is a technique to protect passwords stored in databases
by adding a random value (the salt, unique per password) to the password before hashing it, so
that identical passwords produce different hashes and precomputed tables cannot be reused.

• passwordless authentication - Passwordless authentication is signing into a service without
using a password.

• perfect forward secrecy (PFS) - Perfect Forward Secrecy (PFS), also known as Forward Secrecy,
is a property of key-agreement protocols in which each session uses fresh, temporary
(ephemeral) keys, so that compromise of a server's long-term private key does not allow
previously recorded sessions to be decrypted.

• personal identity verification (PIV) card - A personal identity verification (PIV) card is a
United States Federal smart card that contains the necessary data for the cardholder to be
granted access to Federal facilities and information systems and assure appropriate levels of
security for all applicable Federal applications.

• physiognomy - Physiognomy is a pseudoscience based on associating personal characteristics
and traits with physical differences, and especially with elements of people's faces.
