Chapter1 Introduction

This document provides an introduction to cyber security and the focus of an introductory cyber security course. It outlines the organizational details of the course including lectures, exercises, and labs. It also defines key cyber security terms and concepts and discusses why cyber security is important.

Uploaded by

med kudo

Introduction to Cyber Security

Chapter 1: Introduction

WiSe 23/24

Chair of IT Security
https://www.b-tu.de/en/fg-it-sicherheit/
Welcome to BTU, all new students!

Learn German
Do (BTU) sports

Visit surroundings: at least Spree Forest and Saxon Switzerland ;)


2 IT-Security 1 - Chapter 1: Introduction
Organizational

§ V4/Ü2, 8 or 6 ECTS points


§ Compulsory course for Cyber Security program
§ Elective course for
□ Computer Science
□ Artificial Intelligence, AI Engineering (6 ECTS points!)
□ eBusiness, Information and Media Technology, …
§ Lectures (Prof. A. Panchenko)
§ Tue 3:30pm ZHG / HS C
§ Thu 3:30pm ZHG / HS C
§ Exercises (Simon Undt, MSc.)
§ Thu 1:45pm LG 1A / Room 304



Organizational (cont’d)

§ Consultation hours:
§ Lecture: Wed 10am-11am
§ Exercise: Thu 9am-11am
§ Register at the secretary (time slot and topic):
Katrin.Willhoeft@b-tu.de
§ Offices: VG1C, room 2.18, 2.14
§ Material will be made available in moodle
§ Please register for the course
§ Exercises will consist of two types
§ Regular exercises
§ Practical tasks / labs



Organizational (cont’d)

§ Practical tasks / labs
§ CrypTool – cryptography and cryptanalysis
§ WebGoat – web security
§ Buffer Overflow – software security
§ Man-in-the-middle – network security
§ …
§ Cyber Security, Computer Science: You need to successfully complete all the practical tasks to get admitted to the exam (8 ECTS credits)
§ AI, AI Engineering: you don’t have to do the labs to get admission to the exam, but you get only 6 ECTS credits


„Missing Semester“

§ (Optional) online course that covers crucial topics of computer science that you would need:
§ Command shell, scripting
§ Version control
§ Text editing
§ Remote machines
§ File operations, finding files
§ Data wrangling (modification, parsing, plotting directly from command line)
§ Virtual machines
§ ...
https://missing.csail.mit.edu/


Teaching Offer WiSe 23/24

§ Lecture: Introduction to Cyber Security (8 ECTS)
§ Seminar/Proseminar: (Advanced) Topics in Network and System Security (6 ECTS)
§ Wed 13:45
§ Study Project: Adversarial Machine Learning (8 ECTS)
§ Wed 15:30
§ Mathematics for Cyber Security: start Nov 17th at 9:15
§ Voluntary offer, please register in moodle to be up to date
§ Preview next semester:
§ Network and System Security (lecture)
§ Secure Cyber-Physical Systems (lecture)
§ Ethical Hacking Lab (practical)
§ Seminar

Focus of this Course

§ Cryptographic Basics
§ Symmetric Cryptography
§ Asymmetric Cryptography
§ Integrity Protection
§ Authentication and Key Agreement
§ Certificates and Public Key Infrastructures
§ Network Security
§ Security Protocols on different network layers (SSL/TLS, Kerberos, IPSec, DNSSec, PGP/SMIME, SMTP, BGP…)
§ Related topics
§ Spam, Botnets, Phishing
Based on IT Security course at RWTH Aachen University (Prof. Meyer)

Introduction - ITSec 1 – Network Security

[Figure: layered overview of the course topics]
Related: DNSsec, SSH, SMTP
Protocols: SSL/TLS, IPsec
Basics: Encryption Algorithms, Integrity Protection, Digital Signatures, Certificates and PKIs


Focus of this Course (cont’d)

§ Only cursory overview of cryptography
§ To dive deeper into cryptography attend
§ Cryptography of Prof. Meer (SoSe)
§ Compulsory course for Cyber Security students
§ Foundations for further specialization in more advanced topics
§ Secure Cyber-Physical Systems (SoSe)
§ Network and System Security (SoSe)
§ Continuation of this course
§ Elective course for Cyber Security Methods


Cyber Security

§ What is Cyber?
“Relating to or characteristic of the culture of computers, information technology, and virtual reality.” Oxford dictionary

“of, relating to, or involving computers or computer networks (such as the Internet)” Merriam-Webster

Origin: 1980s: abbreviation of cybernetics

§ What is Security?


Definitions

§ Computer Security
§ Generic name for the collection of tools
§ Designed to protect data and to thwart hackers
§ Network Security
§ Measures to protect data during their transmission
§ Internet Security
§ Measures to protect data during their transmission
§ Over a collection of interconnected networks
§ Protection measures include measures
§ To deter, prevent, detect, and correct security violations
§ That involve the transmission & storage of information



Definitions

§ What is privacy?
“Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how and to what extent information about them is communicated to others” [Westin 68]
Right to digital self-determination
§ Anonymity
“The state of being not identifiable within a set of subjects, the anonymity set” [Pfitzmann]
§ Steganography
§ Conceals the existence of the message


Who needs privacy?

§ Privacy-aware individuals
§ Journalists and political dissidents in oppressive regimes
§ Organizations and companies
§ Law enforcement
§ Government, intelligence agencies, and military
§ You?



Correctness versus Security

§ System correctness: system satisfies specification
§ For reasonable input, get reasonable output
§ System security: system properties preserved in face of attack
§ For unreasonable input, output not completely disastrous
§ Main difference: interference from adversary
§ Note: Security is a property of a system that can only be defined negatively
§ A system is secure as long as there are no attacks against it


Safety vs. Security

§ Safety addresses the trustworthiness of the IT system in the sense that it does not pose a threat to its environment (persons, material, infrastructure)
§ Security addresses the trustworthiness of the IT system to the effect that it does not pose any risk of misuse by the environment (information, services)
§ Security vulnerabilities can lead to safety incidents (e.g., security violation causes functional failure of the system)
§ Safety incidents can lead to security vulnerabilities that can be exploited in attacks (e.g., logical system error that grants access rights)


Why do we need Security?

Wirelessly controlled pacemaker / defibrillator


Why do we need Security? (cont’d)

WannaCry ransomware 12.5.2017

Infected more than 250,000 Windows PCs in 150 countries

Cash only payments in China at 20,000 gas stations because of WCRY

Img sources: Wikipedia


Why do we need Security (cont’d)
§ Internet is an open system
§ Increasing connection of systems to the Internet
§ Internet of Things (sensors, objects)
§ Information systems, proprietary systems
§ Smartphones, tablets, …
§ Growing threats to critical infrastructures (those with an essential importance for the society)
§ Energy supply networks
§ Telecommunication, transport and traffic system
§ Water supply, sewage
§ Healthcare, food supply
⇒ Steadily increasing threat potential
⇒ Protection of IT systems / infrastructures is an essential prerequisite for their use and acceptance

SCADA Security

§ Supervisory Control and Data Acquisition (SCADA)


§ Industrial control system
§ Hierarchical structure
§ Trend towards using standard Internet Protocol



Reasons for Security Issues

§ Design and implementation errors


§ Specification gaps
§ Feature orientation
§ Implementation errors
§ Configuration errors
§ Careless behavior of system users
§ Abuse by people
§ Internal (employees – curiosity, revenge, espionage)
□ Legal system access, inside the firewall
□ Familiar with policies and system architectures
§ External (hackers, spies, terrorists)
§ System interconnectivity via the Internet



Preventive vs. Reactive Security

Two complementary approaches


§ Preventive
§ Measures to prevent security violations (e.g., encryption, authentication, access control, firewalls, cryptographic hash functions)
§ Reactive
§ Measures to detect security violations and limit their effect (e.g., intrusion detection system, virus scanner, honeypots)


Network Defenses

Systems: Implementations (firewalls, intrusion detection…)
Blueprints: Protocols and policies (SSL, IPSec, access control…)
Building blocks: Cryptographic primitives (RSA, AES, HMAC, SHA-3…)

§ The defense mechanisms on all abstraction layers have to be “secure”
§ They have to interact properly → modular design difficult

Example Problems

§ OpenSSL bug: implementation problem on Debian-based systems
§ Not a vulnerability in the protocol design
§ “Just” a problem in the implementation of the pseudo-random function
§ Led to only 32,767 different keys
§ Wired Equivalent Privacy problem in Wireless LAN
§ Not a vulnerability of the RC4 cipher itself
§ Problem(s) in how RC4 is used → protocol design
§ Total break of the encryption algorithm A5/2 in GSM
§ Weakness in the cryptographic building block itself
§ Combined with the fact that encryption is done after error correction
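
Why an implementation flaw in the random source is fatal even when protocol and cipher are sound can be shown with a small model. This is an added example, not code from the lecture or from OpenSSL: `weak_keygen`, `build_blocklist` and `audit` are hypothetical names, the generator is a toy whose only entropy is the process ID (assumed to range over 1..32767), and the host inventory is constructed.

```python
import hashlib
import random
import secrets

# Assumption for this model: process IDs run from 1 to 32767, which matches
# the 32,767 figure on the slide.
MAX_PID = 32767


def weak_keygen(pid: int) -> bytes:
    """Toy 128-bit key generator whose only entropy source is the PID.

    A stand-in for the flawed generator, not OpenSSL code: the PRNG here is
    Python's Mersenne Twister, chosen only because it is deterministic.
    """
    rng = random.Random(pid)
    return rng.getrandbits(128).to_bytes(16, "big")


def fingerprint(key: bytes) -> str:
    """Short identifier for a key, compared the way key fingerprints are."""
    return hashlib.sha256(key).hexdigest()[:32]


def build_blocklist() -> frozenset:
    """Enumerate every key the weak generator can ever produce."""
    return frozenset(
        fingerprint(weak_keygen(pid)) for pid in range(1, MAX_PID + 1)
    )


def audit(keys: dict, blocklist: frozenset) -> list:
    """Return the names of deployed keys that lie inside the weak key space."""
    return sorted(
        name for name, key in keys.items() if fingerprint(key) in blocklist
    )


if __name__ == "__main__":
    blocklist = build_blocklist()
    # Constructed inventory: two hosts keyed by the weak generator,
    # one keyed from the operating system's CSPRNG.
    inventory = {
        "web01": weak_keygen(4242),
        "db01": weak_keygen(31337),
        "vpn01": secrets.token_bytes(16),
    }
    print(f"weak key space: {len(blocklist)} keys out of 2**128 possible")
    print("hosts that need new keys:", audit(inventory, blocklist))
```

The key length stays at 128 bits, yet the whole key space fits in a set that is built in well under a second, which is why affected keys had to be found and regenerated rather than patched in place.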

OpenSSL Bug

Dilbert ©2009, United Feature Syndicate, Inc.


Bad News

§ Security often not a primary consideration


§ Performance, usability, and cost take precedence
§ Feature-rich systems are often poorly understood
§ Higher-level protocols make wrong assumptions
§ Implementations are buggy
§ Buffer overflows are the “vulnerability of the decade”
§ Networks are more open and accessible than ever
§ Increased exposure, easier to cover tracks
§ Many attacks are not even technical in nature
§ Phishing, impersonation, etc.



Better News

§ There are a lot of defense mechanisms


§ We’ll study some, but by no means all, in this course
§ It’s important to understand their limitations
§ “If you think cryptography will solve your problem, then you don’t understand cryptography… and you don’t understand your problem” -- Bruce Schneier
§ Many security holes are based on misunderstanding
§ Security awareness and user “buy-in” help
§ Other important factors: usability and economics
§ For cyber security studies also ethics and legal aspects


Objectives of this Chapter

§ Define security goals
§ Define security attacks that threaten security goals
§ Define security services and their relation to the security goals
§ Define security mechanisms to provide security services
§ Define models for network and access security
§ Provide an overview on the rest of the course


Security Goals
Security Goals: Confidentiality, Integrity, Availability

§ Confidentiality
§ Ensure only authorized entities obtain information
§ Applies to storage and transmission of information
§ Integrity
§ Changes to data on storage or during transmission only by authorized persons or processes
§ Availability
§ Information stored by an organization needs to be available to authorized entities

An Attack is...

§ …any action that compromises the security of information owned by an organization
§ Information security is about how to
§ prevent attacks, or, failing that, to
§ detect attacks on information-based systems
§ Often threat & attack are used to mean the same thing
§ There is a wide range of attacks
§ We will - for now - focus on generic types of attacks
§ passive
§ active


Passive Attacks



Active Attacks



Taxonomy of Attacks
Security Attacks
Threat to confidentiality: Eavesdropping, Traffic Analysis
Threat to integrity: Modification, Masquerading, Replaying, Repudiation
Threat to availability: Denial of Service, Delay


Attacks Threatening Confidentiality

§ Eavesdropping
§ Unauthorized access to or interception of data
§ If content hidden: Traffic Analysis
§ Monitoring online traffic may reveal confidential information
§ E.g. email address of sender/receiver

§ Note: in this lecture we use eavesdropping, intercepting and recording in the following way
§ Eavesdropping = recovering the plaintext
§ Interception = cipher-text
§ Recording = cipher-text


Attacks Threatening Integrity

§ Modification
§ After intercepting or accessing information, the attacker modifies the information to make it beneficial to himself
§ Includes simple deletion or delay of messages
§ Masquerading
§ Also called spoofing
§ An attacker impersonates somebody else
§ Replaying
§ An attacker obtains a copy of a message sent by an entity and later on tries to replay it to the receiver


Attacks Threatening Integrity

§ Repudiation
§ The sender of a message later on denies that he has sent it
§ The receiver of a message later on denies that he has received it
§ As of today repudiation is often not technically guaranteed
§ E.g. phone bills: call detail records exchanged between cell phone providers can be legally repudiated by subscribers


Attacks Threatening Availability

§ Denial of Service
§ Slows down or totally interrupts the service of a system
§ Attacker may e.g.
§ send bogus requests to a server such that the server crashes because of the heavy load
§ intercept and delete a server’s response to a client, making the client believe that the server is not responding
§ block the requests from a client such that the client sends requests many times
§ …


Categorization in Active and Passive



Further Definitions

§ Threat: a potential event or sequence of events that could lead to an abuse or malfunction of the IT system
§ Attack: implementation of a threat that exploits a vulnerability
§ Exploit: program that executes the attack
§ Incident: executed attack

Objective of IT security is to compensate and minimize the risks and threats existing in the respective application environment


Security Mechanisms and Services

§ Security Mechanism
§ A mechanism that is designed to detect, prevent, or recover from a security attack.
§ Security Service
§ A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.


Security Services

§ Definitions of Security Services
§ ITU-T X.800:
“A service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers”
§ IETF RFC 2828:
“A processing or communication service provided by a system to give a specific kind of protection to system resources”


Security Services

Security Services: Data Confidentiality, Data Integrity, Authentication, Non-repudiation, Access Control

§ Data Confidentiality - protection of data from unauthorized disclosure
§ Data Integrity - assurance that data received is as sent by an authorized entity


Security Services

Security Services: Data Confidentiality, Data Integrity, Authentication, Non-repudiation, Access Control

§ Authentication - assurance that the communicating entity is the one claimed
§ Access Control - prevention of the unauthorized use of a resource
§ Non-Repudiation - protection against denial by one of the parties in a communication

Security Mechanisms: ITU-T X.800

§ Specific security mechanisms:
§ encryption, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization
§ Pervasive security mechanisms:
§ trusted functionality, security labels (indicate how sensitive or critical system resources are), event detection, security audit trails (chronological record of system activities), security recovery


Security Mechanisms

§ Encryption – hides or covers complete or partial data, may additionally bind data blocks together
§ Data integrity – appends check value to data
§ Digital Signatures – mechanism by which a sender can electronically sign data and the receiver can check the signature, includes integrity protection
§ Authentication exchange – proves the identity of an entity to another entity
§ Key agreement – allows two or more parties to agree upon secret keys, used to ensure continuous authenticity, typically required for all other mechanisms

Security Mechanisms

§ Traffic padding – inserting bogus data into traffic to thwart traffic analysis
§ Routing control – continuously changing available routes between sender and receiver to prevent opponent from eavesdropping on a particular route
§ Notarization – selecting a third party to control the communication between two entities e.g. to thwart repudiation
§ Access Control – method to prove that an entity has access right to the data or resource owned by a system and to guarantee that only authorized entities can access the data or resource
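
The data integrity mechanism above ("appends check value to data") and the attacks it has to withstand (modification, masquerading, replaying) fit into one short receiver-side check. This is an added example, not part of the lecture material: the frame layout, `protect`, `Receiver` and `classify` are hypothetical, HMAC-SHA-256 is one possible choice of check value, and the shared key is assumed to come from a prior key agreement.

```python
import hashlib
import hmac
import struct

TAG_LEN = hashlib.sha256().digest_size  # 32-byte check value
HDR_LEN = 8                             # 64-bit sequence number


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: frame = sequence number || payload || HMAC tag."""
    body = struct.pack(">Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Verifies the check value, then rejects sequence numbers already seen."""

    def __init__(self, key: bytes):
        self.key = key
        self.highest_seq = -1

    def accept(self, frame: bytes) -> bytes:
        if len(frame) < HDR_LEN + TAG_LEN:
            raise ValueError("frame too short")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison. A mismatch covers both modification and
        # masquerading (the sender does not hold the shared key).
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed")
        (seq,) = struct.unpack(">Q", body[:HDR_LEN])
        # Only authenticated sequence numbers reach this point, so a forged
        # frame cannot advance the counter. Reordered frames are also refused.
        if seq <= self.highest_seq:
            raise ValueError("replayed or out-of-order message")
        self.highest_seq = seq
        return body[HDR_LEN:]


def classify(receiver: Receiver, frame: bytes) -> str:
    """Run one frame through the receiver and report the outcome as text."""
    try:
        receiver.accept(frame)
        return "accepted"
    except ValueError as err:
        return f"rejected: {err}"


if __name__ == "__main__":
    key = bytes(range(32))  # constructed demo key, not a real secret
    rx = Receiver(key)
    original = protect(key, 1, b"pay 10 EUR to Bob")
    modified = bytearray(protect(key, 2, b"pay 10 EUR to Bob"))
    modified[HDR_LEN + 4] ^= 0x08  # flips "10" into "90" in transit
    frames = [
        ("original", original),
        ("replay", original),
        ("modified", bytes(modified)),
        ("wrong key", protect(b"\x00" * 32, 3, b"hello")),
    ]
    for label, frame in frames:
        print(f"{label:10s} {classify(rx, frame)}")
```

The tag alone does not stop replay, because a recorded frame still carries a valid check value; the sequence number inside the authenticated body is what lets the receiver refuse it.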
Model for Network Security



Model for Network Security

§ Using this model requires us to:
§ Design a suitable algorithm for the security transformation
§ Generate the secret information (keys) used by the algorithm
§ Develop methods to distribute and share the secret information
§ Specify a protocol enabling the principals to use the transformation and secret information for a security service


Model for Access Control



Model for Access Control

§ Using this model requires us to:
§ Select appropriate gatekeeper functions to identify users
§ Implement security controls to ensure only authorized users access designated information or resources
§ Trusted computer systems may be useful to help implement this model


A Note on Policies

§ A security policy is a statement of what is, and what is not allowed
§ A security policy is typically derived from analyzing and evaluating the potential threats to a system
§ A security mechanism is a method, tool or procedure for enforcing a security policy


Who are Attackers and What Drives them?

§ Criminals
§ Put up a fake financial website, collect users’ logins and passwords, empty out their accounts
§ Insert a hidden program into unsuspecting users’ computers, use them to spread spam
§ Subvert copy protection, gain access to music and video files
§ Stage denial of service attacks on websites, extort money
§ Crackers
§ Wreak havoc, achieve fame and glory in the blackhat community


Who are Attackers and What Drives them?

§ Insiders (criminal as well as harmless ones!!)
§ E.g. anyone authorized to access confidential data
§ E.g. administrators, regular personnel
§ Secret Services, Terrorists, Military Personnel


Offender Classes

§ Insiders vs. outsiders
§ Users of a system/software
§ Provider of a system/software
§ Maintenance service
§ Developers of a system
§ Producers of design and development tools
⇒ In IT Security, no one is excluded as a potential offender
White-Hat (idealists, hobby)
Grey-Hat (also accepts legal violations)
Black-Hat (destructive, espionage) hackers


Next Topics

§ Symmetric Encryption
§ Integrity Protection
§ Asymmetric Crypto
§ Authentication and Key Agreement
§ Certificates and PKI
§ E-Mail Security
§ Kerberos
§ SSH, IPSec, TLS, DNSSec


Some Notable Standardization Bodies
§ ANSI - American National Standards Institute
§ http://www.ansi.org
§ X9 - Standards for Financial Services Industry
§ http://www.x9.org
§ X.509 – Public Key Certificates
§ IEEE - Institute of Electrical and Electronics Engineers
§ http://www.ieee.org
§ P1363 - Specifications for Public-Key Cryptography
§ http://grouper.ieee.org/groups/1363
§ SC 27 - Information Technology – Security Techniques
§ http://www.jtc1sc27.din.de (joint work of ISO and IEC)
§ ISO - International Organization for Standardization
§ http://www.iso.ch
§ IEC - International Electronic Commission
§ http://www.iec.ch
More Notable Standardization Bodies

§ NIST — National Institute of Standards and Technology
§ http://www.nist.gov
§ FIPS — Federal Information Processing Standards
§ http://www.itl.nist.gov/fipspubs
§ IETF — Internet Engineering Task Force
§ http://www.ietf.org/
§ PKCS — Public-Key Cryptography Standards
§ http://rsa.com/rsalabs/


Recommended Reading

§ Book chapters for this chapter
§ Introductory chapter of Stallings: Cryptography and Network Security: Principles and Practices
§ Introductory chapter of Forouzan: Introduction to Cryptography and Network Security
§ Image sources:
§ Stallings: Cryptography and Network Security: Principles and Practices (active / passive attacks)
§ Forouzan: Introduction to Cryptography and Network Security (inspirational)