ABSTRACTThe both a great experience and convenience

ABSTRACTThe continuous development of computer network systembrings both a great experience and convenience but newsecurity threats for users. Computer security problem generallyincludes network system security and data security. Specifically, it refers to the reliability of network system, confidentiality, integrity and availability of data information inthe system. Network security problem exists through all thelayers of the computer network, and the network securityobjective is to maintain the confidentiality, authenticity, integrity, dependability, availability and audit-ability of the network. This paper mainly aims to discuss about the basicconcepts,implementations of security mechanisms, Policies and latest threats of various systems that are upcoming today. KeywordsGoals, Cryptography, Cryptanalysis, Access Control Lists, Mechanisms, Bell-LaPadula, Biba. 1. INTRODUCTIONComputer security should be seen as a basic management task. It is an extension of the duty to protect the organization’s assets against misuse or loss. Also, the information stored and processed by computers is the most significant asset of most organizations. (Some prefer tothe use the term information security to describe the process ofprotecting computing. It plays a major role in ensuring anorganization’s ability to survive as what the law calls a goingconcern. Increasingly, maintaining this process will involveensuring that the organization is complying with relevant statutory and regulatory agency requirements.)Information is inevitable in all kinds of entrepreneurial activities, and must be therefore protected as assets. Information security may be assured in various ways, including related policies, processes, procedures, organizational structures, software programs and hardwareequipment able to eliminate many sources of safetyjeopardizing such as espionage, computer fraud and deceit, sabotage, vandalism, fire or water. Computer Security is the protection of computing systems andthe data that they store or access. How many attacks to computers on campus do you think take place everyday?? Thousands of attacks per minute bombard our campus network. ? An unprotected computer can become infected or compromised within a few seconds after it is connectedto the network. ? A compromised computer is a hazard to everyone else, too – not just to you. 12. BASIC CONCEPTS2.1 Goals of Security: Computer security rests on Confidentiality, Integrity and Availability that is CIA. Theinterpretation of these aspects vary, as do the contexts in which they arise. The interpretation of aspect in a givenenvironment is dictated by the needs of the individuals, customs and laws of particular organizations. But we candefine it in a general way as follows- 1. ConfidentialityConfidentiality is the concealment of information or resources. The need of keeping information secret arises from the use of computer in sensitive fields such as government. Ex- Military,banks. 2. IntegrityIntegrity refers to the trustworthiness of data or resources andit usually phrased in terms of preventing improper or unauthorized change. Integrity includes data integrity(Contentinformation) and origin integrity(the source of data oftencalled authentication). 3. AvailabilityAvailability refers to the ability to use the information orresource desired. Computer security professionals usually address threecommon challenges to availability: Denial of service (DoS)due to intentional attacks or because of undiscovered flaws inimplementation (for example, a program written by a programmer who is unaware of a flaw that could crash the program if a certain unexpected input is encountered).Loss ofinformation system capabilities because of natural disasters(fires, floods, storms, or earthquakes) or human actions(bombs or strikes). And Equipment failures during normal use.22.2 Threats: A threat, in the context of computer security, refers to anything that has the potential to cause serious harmto a computer system. A threat is something that may or maynot happen, but has the potential to cause serious damage. Threats can lead to attacks on computer systems, networks and more. 2.3 Cryptography: Cryptography means secret writing. Basically writing text in secret form such that it’s not understandable to attackers. Cryptanalysis is the breaking of codes. The basic component of cryptography is Cryptosystem. 2.4 Policies: A. Security Policies- A security model is a model that represents a particular policyor set of policies. A model abstracts details relevant for analysis. Analyses rarely discuss particular policies; theyusually focus on specific characteristics of policies, because many policies exhibit these characteristics; and the more policies with those characteristics, the more useful the analysis. By the HRU result, no single nontrivial analysis can cover allpolicies, but restricting the class of security policiessufficiently allows meaningful analysis of that class ofpolicies.3B.Confidentiality Policies- Confidentiality is one of the factors of privacy, an issuerecognized in the laws of many government entities (such asthe Privacy Act of the United States and similar legislation in Sweden). Aside from constraining what information a government entity can legally obtain from individuals, suchacts place constraints on the disclosure and use of thatinformation. Unauthorized disclosure can result in penaltiesthat include jail or fines; also, such disclosure undermines theauthority and respect that individuals have for the government and inhibits them from disclosing that type of information tothe agencies so compromised. I. The Bell – LaPadula Model- The simplest type of confidentiality classification is a set of security clearances arranged in a linear (total) ordering . Theseclearances represent sensitivity levels. The higher the securityclearance, the more sensitive the information (and the greaterthe need to keep it confidential). A subject has a securityclearance. In the figure, Claire’s security clearance is C (for CONFIDENTIAL), and Thomas’ is TS (for TOP SECRET). Anobject has a security classification; the security classification ofthe electronic mail files is S (for SECRET), and that of thetelephone list files is UC (for UNCLASSIFIED). (When werefer to both subject clearances and object classifications, we use the term “classification.”) The goal of the Bell-LaPadulasecurity model is to prevent read access to objects at a securityclassification higher than the subject’s clearance. The Bell- LaPadula security model combines mandatory anddiscretionary access controls. In what follows, “S has discretionary read (write) access to O” means that the access control matrix entry for S and O corresponding to the discretionary access control component contains a read (write)right. In other words, were the mandatory controls not present, S would be able to read (write) O. 3Figure 1: Classification of Bell – LaPadula Model3C. Integrity Policies 1. Biba Integrity Model-In 1977, Biba studied the nature of the integrity of systems. Inhis model, a system consists of a set S of subjects, a set O of objects, and a set I of integrity levels.1 The levels are ordered. The relation ? ? I × I holds when the second integrity level either dominates or is the same as the first. The function i:S? O?I returns the integrity level of an object or a subject.32. Clark Wilsoon Integrity ModelsIn 1987, David Clark and David Wilson developed anintegrity model radically different from previous models. This model uses transactions as the basic operation, which models many commercial systems more realistically than previous models. One main concern of a commercial environment, as discussed above, is the integrity of the data in the system andof the actions performed on that data. The data is said to be ina consistent state (or consistent) if it satisfies given properties. For example, let D be the amount of money deposited so fartoday, W the amount of money withdrawn so far today, YBthe amount of money in all accounts at the end of yesterday, and TB the amount of money in all accounts so far today. Then the consistency property is D + YB – W = TB Beforeand after each action, the consistency conditions must hold. Awell-formed transaction is a series of operations that transitionthe system from one consistent state to another consistent state. For example, if a depositor transfers money from one accountto another, the transaction is the transfer; two operations, the deduction from the first account and the addition to the secondaccount, make up this transaction. Each operation may leavethe data in an inconsistent state, but the well-formedtransaction must preserve consistency. 33. IMPLEMENTATION – IImplementing Computer security techniques fall underfollowing types: 3.1 Cryptography- The art or science encompassing the principles and methods oftransforming an intelligible message into one that is unintelligible, and then re-transforming that message back toits original form.4The classical Cryptosystem consists of following types- 1. Transposition Cipher- A transposition cipher is a methodof encryption by which the positions held by units of plain text(which are commonly characters or groups of characters) areshifted according to a regular system, so that the cipher text constitutes a permutation of the plain text. 2. Substitution cipher- A substitution cipher is a method of encrypting by which units of plain text are replaced withcipher text, according to a fixed system; the “units” may besingle letters (the most common), pairs of letters, triplets ofletters, mixtures of the above, and so forth. 3. Vigenère cipher- The Vigenère cipher is a method of encrypting alphabetic text by using a series of interwoven Caesar ciphers based on the letters of a keyword. 4. One time pad- In this technique, a plain text is paired with arandom secret key (also referred to as a one-time pad). Then, each bit or character of the plain text is encrypted bycombining it with the corresponding bit or character from the pad using modular addition. If the key is truly random, is atleast as long as the plain text, is never reused in whole or inpart, and is kept completely secret, then theresulting ciphertext will be impossible to decrypt or break. 5. Public key Cryptosystem- PKC works in way illustrated in following figure.Figure 2: Working of Public key Cryptosystem5There are 2 types of PKCs as follows: a Diffie-HellmanIt was the first PKC proposed. It is based on Discrete Logarithm Problem. b. RSAIt is an exponential cipher. This type of cipher is evenused today. (Note: Algorithms to be followed in section)4. IMPLEMENTATION – IIProtecting cryptographic keys may sound simple: just put the key into file and use operating system access control mechanisms to protect it. But as we know in a number of ways these mechanisms can be compromised leading to keys getting invaded. In this section we discuss some mechanismsto prevent keys. Following are some key managementtechniques. 1. Kerberos Kerberos provides a centralized authentication server whosefunction is to authenticate users to servers and servers to users. Unlike most other authentication schemes described in this book, Kerberos relies exclusively on symmetric encryption, making no use of public-key encryption.Figure 3: Working of Kerberos62. Key escrow (also known as a “fair” Cryptosystem) is anarrangement in which the keys needed to decrypt encrypteddata are held in escrow so that, under certain circumstances, an authorized third party may gain access to those keys. Keyescrow is a data security measure in which a cryptographic key is entrusted to a third party (i.e., kept in escrow). Under normal circumstances, the key is not released to someone other than the sender or receiver without proper authorization. For the above key management techniques, various authentication techniques are used for verifying the user authenticity. Techniques include following: 1. Passwords 2. Challenge-Response (OTP)3. Biometrica. Fingerprintb. Face recognitionc. Retina Scand. Face scane. Voice recognition A combination of above three techniques is used for authenticity of users. Access Control is a set of controls to restrict access to certainresources. If we think about it, access controls are everywherearound us. A door to your room, the guards allowing you toenter the office building on seeing your access card, swipingyour card and scanning your fingers on the biometric system, a queue for food at the canteen or entering your credentials toaccess FB, all are examples of various types of access control. Here we focus only on the logical Access Control mechanisms. 1. Discretionary Access Control (DAC)Discretionary access controls base access rights on the identityof the subject and the identity of the object involved. Identityis the key; the owner of the object constrains who can access itby allowing only particular subjects to have access. The owner states the constraint in terms of the identity of the subject, orthe owner of the subject.EXAMPLE: Suppose a child keeps a diary. The child controls access to the diary, because she can allow someone to read it(grant read access) or not allow someone to read it (deny readaccess). The child allows her mother to read it, but no one else. This is a discretionary access control because access to the diary is based on the identity of the subject (mom) requestingread access to the object (the diary). 2. Mandatory Access Control (MAC)When a system mechanism controls access to an object and anindividual user cannot alter that access, the control is a mandatory access control (MAC), occasionally called a rule- based access control. The operating system enforces mandatory access controls. Neither the subject nor the owner of the object can determine whether access is granted. Typically, the system mechanism will check informationassociated with both the subject and the object to determine whether the subject should access the object. Rules describethe conditions under which access is allowed. EXAMPLE: The law allows a court to access driving records without the owners’ permission. This is a mandatory control, because the owner of the record has no control over thecourt’s accessing the information. 3. Role Based Access Control (RBAC)RBAC is the buzzword across enterprises today. In this modelthe access to a resource is governed based on the role that thesubject holds within an organization. RBAC is also known as non-discretionary Access Control because the user inherits privileges that are tied to his role. The user does not have acontrol over the role that he will be assigned. Each of theabove Access Models has its own advantages anddisadvantages. The selection of the appropriate Access Modelby an organization should be done by considering variousfactors such as type of business, no of users, organization’ssecurity policy etc. 4. Access Control lists(ACLs)An obvious variant of the access control matrix is to storeeach column with the object it represents. Thus, each objecthas associated with it a set of pairs, with each pair containinga subject and a set of rights. The named subject can access theassociated object using any of those rights. More formally: Let S be the set of subjects, and R the set of rights, of asystem. An access control list (ACL) l is a set of pairs l = { (s, r) : s ? S, r ? R }. Let acl be a function that determines theaccess control list l associated with a particular object o. Theinterpretation of the access control list acl(o) = { (si , ri ) : 1 ?i ? n } is that subject si may access o using any right in ri . 5. STEPWISE EXPLANATION OFALGORITHMS1. Diffie-HellmanFigure 4: Deffie – Hellman Steps7. RSA* Generating Public key: Select two prime no’s. Suppose P = 53 and Q = 59. Now First part of the Public key : n = P*Q = 3127. We also need a small exponent say e : But e Must be An integer. Not be a factor of n. 1 < e < ?(n) ?(n) is discussedbelow, Let us now consider it tobe equal to 3. * Generating Private Key : We need to calculate ?(n) : Such that ?(n) = (P-1)(Q-1) so, ?(n) = 3016Now calculate Private Key, d : d = (k*?(n) + 1) / e for someinteger kFor k = 2, value of d is 2011. Now we are ready with our – Public Key ( n = 3127 and e = 3) and Private Key(d = 2011) *Encryption: Now we will encrypt "HI" : Convert letters to numbers : H = 8 and I = 9Thus Encrypted Data c = 89e mod n. Thus our Encrypted Data comes out to be 1394Now we will decrypt 1349 : Decrypted Data = cd mod n. Thus our Encrypted Data comes out to be 898 = H and I = 9 i.e. "HI". 76. ALGORITHM COMPARISONNo. Parameters RSA Diffie-Hellman1. Encryption Cheaper Expensive CostPublic keyPublic key is Public key is 2. smaller toencoding bigger to encode. encode. Less More Robust(10243. Strength robust(1024bits). bits). Depends on Depends on4. Securitydifficulty of difficulty ofInteger Discrete Factorization. Logarithm. Authenticati Performs to Performs for both5. Sender andon only sender. Receiver. 6. Key Extremely Easier. generation difficult. Type of Common Man in the middle 7. attacks modulus andattack. possible cycle attack. Table 1: Comparison of RSA and Diffie-Hellman87. LATEST RISKY THREATSA popular technique used by website operators to observe the keystrokes, mouse movements and scrolling behavior of visitors on Web pages is fraught with risk, according toresearchers at Princeton's Center for Information TechnologyPolicy. The technique offered by a number of service providers usesscripts to capture the activity of a visitor on a Web page, storeit on the provider's servers, and play it back on demand for a website's operators. The idea behind the practice is to give operators insights intohow users are interacting with their websites and to identifybroken and confusing pages.Let us see a few threats that are upcoming since the past fewyears: 1. Peeping Scripts However, the extent of data collected by the scripts far exceeds user expectations, according to researchers Steven Englehardt, Gunes Acar and Arvind Narayanan. Text typed into forms is collected before a user submits theform, and precise mouse movements are saved -- all without any visual indication to the user, they noted in an online post. What's more, the data can't be reasonably expected to be kept anonymous. "In fact, some companies allow publishers to explicitly linkrecordings to a user's real identity," wrote the team. "Unliketypical analytics services that provide aggregate statistics, thesescripts are intended for the recording and playback ofindividual browsing sessions, as if someone is looking over your shoulder." That means that whether a visitor completes a form andsubmits it to the website or not, any information keyed in at the website can be seen by the operator.92. chaiOSSoftware developer Abraham Masri claimed to have found the bug, called "chaiOS,"The so-called "text bomb" typicallycauses an iPhone to crash and, in some cases, restart. Sending a message which contains the link to Masri's code would be all it takes to activate the bug — even if the recipientdid not click on the link. Meanwhile, on a Mac computer, thesecurity flaw was found to crash the Safari browser, as well as causing other slowdowns.103. Ransomware Holding organizations data for ransom has surged up in recenttimes at a phenomenal rate. And SonicWall reports that ransomware attempts have swelled up from 2.8 million in 2015to 638 million last year. The company's report also confirmsthat as much as $209 million was paid in 1Q of 2016 alone. Thus the amount paid says a lot about malware.114. Internet of things BotnetsIn late 2016, when an enormous DDoS attack was launched on DNS Service provider called DYN, the attack proved that many service providers were ill-equipped to deal with thescope of the latest cyber attacks. Mirai Botnet was found to bethe culprit and this instance shocked the entire business community which otherwise thought that security in IoTdevices was just secondary. So, IoT botnets are now standingsecond on the threats list. And Gartner expects that around 8.4billion of things will get connected to the Internet in this year- perhaps a lot of trouble will be in store in future.115. Phishing and whaling attacks'Phishing' is a concept where hackers send fraudulent emailsfrom trusted accounts to target businesses through individual staff members. When an innocent staff member clicks on theemail, then attachment which is tagged to the email startsfunctioning releasing a malware capable of stealing data. 'Whaling' takes the above said cyber attack strategy to nextlevel by targeting high worth individuals, often CIOs or CEOs of a firm. FBI has warned all corporates operating in and out of United States about this scam and confirmed that hackers have succeeded in making $3 million from such fraudulenttransactions last year.16. Business Process Compromise Attacks Trend Micro has described this concept of cyber attack as arelatively new phenomenon where hackers are usingtechniques to manipulate the day to day operations of a business in their favor. For instance, in the year 2013 drugtraffickers from South America managed to intercept the network of an Antwerp to track the movement and location containers. This helped the traffickers to retrieve the cargo at asecluded place before the naval police tried to arbitrate their operations. So, in this case, hackers were utilized tocompromise the business process of a government firm toevade law enforcement forces and for financial gains. 7. Machine Learning enabled attacksIt looks like the technology of Artificial Intelligence seems tobe serving both the good and bad people. According to arecent Intel Security report, machine learning is being used tolaunch social engineering attacks. Like, if hackers gain accessto publicly available data, they can use complex analysis toolsto pick targets more precisely and with a greater level of success. For example, in the UK, hackers are gaining access todatabases related to tax filing to launch ransomware relatedattacks on individuals who have filed for the highest ITreturns. This proves that the data available on public platforms can be used to launch attacks on individuals for minting money. 7. CONCLUSIONStatistics and a lot of research study shoes that data theft andabuse are becoming a profitable business worldwide. Perfect computer systems pose a significant barrier to illegal activities, yet there is always a chance to hack and misuse a system. Organizations such as ISO, IEC, OECD and IEE have therefore prepared a wide range of standards, guidelines and instructions on how to implement information security management, e.g.: a) ISO/IEC Guide 73: 2002 Risk management. Vocabulary. Guidelines for use in standards. b) ISO/IEC 13335-1: 2004 Information technology securitytechniques. c) ISO/IEC 27002: 2007 Information technology. Securitytechniques. Code of practice for information security management. d) Management of information and communicationstechnology security. Part 1: Concepts and models forinformation and communications technology security management. e) ISO/IEC 15408-1: 1999 Information technology. Security techniques. Evaluation criteria for IT security. Part 1: Introduction and general model.ISO/IEC 15489-1: 2001 Information and documentation. Records management. Part 1: General. g) OECD Guidelines for the Security of Information Systems and Networks. Towards a Culture of Security. 2002 ISO/IEC TR 18044 Information Technology. h) Security Techniques. Information security incident management. 12