
BAHAGIAN TEKNIK DAN VOKASIONAL

KEMENTERIAN PENDIDIKAN MALAYSIA


ARAS 5 & 6, BLOK E14, KOMPLEKS E,
PUSAT PENTADBIRAN KERAJAAN PERSEKUTUAN
62604 PUTRAJAYA

KOLEJ VOKASIONAL SEBERANG PERAI


LECTURE NOTE 1

SEMESTER: SEMESTER 3 DVM, SESSION 2018/2019

DEPARTMENT: DEPARTMENT OF INFORMATION TECHNOLOGY

PROGRAM: DIPLOMA IN INFORMATION TECHNOLOGY (COMPUTER NETWORKING)

CODE/COURSE: KSK7023 COMPUTER NETWORK SECURITY DEPLOYMENT

COMPETENCY: 1.0 COMPUTER NETWORK SECURITY DEPLOYMENT REQUIREMENTS

COMPETENCY UNITS:
1.1 Computer System Security and Network Security Standard
1.2 Computer network security tools
1.3 Computer system security threats and network security threats
1.4 Risk and business impact related to computer network security
1.5 Computer system security parameters and network security zone

LEARNING COMPETENCY:
Trainee must be able to:
1. Analyze computer network security requirements to plan for network security environment deployment (C4, PLO1)
2. Perform the network security deployment in a group to ensure the security in network environment (P2, PLO2)
3. Write a report of network security deployment based on user requirements (A2, PLO3)

CODE NO: KSK 7023/K 1.0/NK 1/2
EDITION: 1/JAN 2018
PAGE: 01 OF 06
JPK CODE NO: IT-030-3:2013, IT-030-3:2013-C03
CODE NO: KSK 7023    Page: 2 of 6

1. Computer Security Categories


Security measures fall basically into two categories:

Computer security: Computer security is the protection of information within a computer. It
embraces such sub-categories as operating system security and database security.

Communication security: Computer security and communication security measures need to
inter-work with security measures in other categories, such as physical security and personnel
security. The term security service is used in the context of technology-based security functions
provided in network systems and network products.

2. Basic component of Security Services


Computer and network security is considered in terms of the following security services:
2.1 Confidentiality - Ensures that information is not disclosed or revealed to unauthorized
persons.
2.2 Authentication - Ensures that the origin of a message or electronic document is correctly
identified, with an assurance that the identity is not false.
2.3 Integrity - Ensures that only authorized parties are able to modify computer system
assets and transmitted information. It ensures consistency of data; in particular,
preventing unauthorized creation, alteration, or destruction of data.
2.4 Non-repudiation - Requires that neither the sender nor the receiver of a message be able
to deny the transmission.
2.5 Access Control - Requires that access to information resources may be controlled by or
for the target system.
2.6 Availability - Ensures that legitimate users are not unduly denied access to information
and resources when needed.

3. Security goals and vulnerabilities


Computer security consists of maintaining three characteristics:

3.1 Confidentiality: the assets of a computing system are accessible only by authorized
parties. The type of access is read-type access: reading, viewing, printing or even just
knowing the existence of an object. Confidentiality is also called secrecy or privacy.

3.2 Integrity: assets can be modified only by authorized parties or only in
authorized ways. Modification includes writing, changing, changing status, deleting and
creating. Some meanings of integrity are:
• precise
• accurate
• unmodified
• modified only in acceptable ways
• modified only by authorized people
• modified only by authorized processes
• consistent
• internally consistent
• meaningful and correct results

In summary, there are three aspects of integrity: authorized actions, separation and protection
of resources, and error detection and correction.

3.3 Availability: assets are accessible to authorized parties. Goals of availability are:
• timely response
• fair allocation
• fault tolerance
• utility or usability
• controlled concurrency: support for simultaneous access, deadlock management,
and exclusive access

These three qualities can overlap and can be mutually exclusive.

4. Aspects of Computer Security


To assess the security needs of an organization effectively and to evaluate and choose various
security products and policies, a simpler approach is to consider three aspects of computer
security:

4.1. Security Attack: Any action that compromises the security of information owned by an
organization.
4.2. Security Mechanism: A mechanism that is designed to detect, prevent, or recover from
a security attack.
4.3. Security Services: A service that enhances the security of the data processing systems
and the information transfers of an organization. The services are intended to counter
security attacks, and

5. Threat
A threat is a person, thing, event, or idea which poses some danger to an asset, in terms of
that asset's confidentiality, integrity, availability, or legitimate use. Threats can be classified as
being deliberate (e.g., hacker penetration) or accidental (e.g., message sent in error to the
wrong address). Deliberate threats may be further classified as being passive or active.

5.1. Passive threats involve monitoring or interception but not alteration of information (e.g.
wiretapping). These include release of message contents and traffic analysis.
5.2. Active threats involve deliberate alteration of information (e.g., changing the amount
of a financial transaction). These include interruption (availability), modification
(integrity) and fabrication (authenticity).
In general, passive attacks are easier and less costly to engineer than active attacks.

Note: An attack is an actual realization of a threat.

5.3 There are four fundamental threats, directly reflecting the four security objectives
identified earlier:

i. Information leakage: Information is disclosed or revealed to an unauthorized
person or entity. This might involve direct attacks, such as eavesdropping or
wiretapping, or more subtle types of information observation.

ii. Integrity violation: The consistency of data is compromised through unauthorized
creation, alteration, or destruction of data.

iii. Denial of service: Legitimate access to information or other resources is
deliberately impeded. This might involve, for example, making a resource
unavailable to legitimate users through a heavy load of illegitimate.

iv. Illegitimate use: A resource is used by an unauthorized person or in an
unauthorized way. Examples are an intruder penetrating a computer system and
using that system either as the basis of theft of telecommunications services or as
a staging point for penetrating another system.

5.4 Four kinds of threats to the security of a computing system: interruption, interception,
modification and fabrication:

i. Interruption - an asset of the system becomes lost, unavailable or unusable, e.g. a
malicious destruction of a hardware device, erasure of a program or data file, or
malfunction of an operating system file manager so that it cannot find a particular disk
file.
ii. Interception - some unauthorized party has gained access to an asset. The outside
party may be a person, a program or a computing system. Examples: illicit copying of
program or data files, wiretapping to obtain data in a network.
iii. Modification - an unauthorized party not only accesses but tampers with an asset, e.g.
someone might change the values in a database, alter a program so that it performs
an additional computation, or modify data being transmitted electronically.
iv. Fabrication - an unauthorized party might fabricate counterfeit objects on a computing
system. The intruder may insert spurious transactions to a network communication
system or add records to an existing database.

5.5 These threats enable the fundamental threats. Such threats are significant because a
realization of any of these threats can lead directly to a realization of any of the fundamental
threats. The primary enabling threats comprise penetration threats and planting threats.

The main penetration threats are:

i. Masquerade: An entity (person or system) pretends to be a different entity. This is the
most common way of penetrating a security perimeter, e.g., a computer's log-in
perimeter. An unauthorized entity convinces a perimeter guard that he is an authorized
entity and therefore assumes the rights and privileges of the authorized entity. Hackers
succeed largely through the use of masquerade.
ii. Bypassing controls: An attacker exploits system flaws or security weaknesses (e.g.,
system features whose existence was intended to be kept secret), in order to acquire
unauthorized rights and privileges.
iii. Authorization violation: A person authorized to use a system or resource for one
purpose uses it for another, unauthorized purpose. This is known as an insider threat.
iv. Replay: Replay involves the passive capture of a data unit and its subsequent
retransmission to produce an unauthorized effect.
v. Modification of Message: Modification of Message simply means that some portion of
a legitimate message is altered.
vi. Denial of Service: The denial of service prevents or inhibits the normal use or
management of communications facilities. Another form of service denial is the
disruption of an entire network, either by disabling the network or by overloading it with
messages so as to degrade performance.

5.6 The main planting threats are:

i. Trojan horse: Software contains an invisible or apparently innocuous part which, when
executed, compromises the security of its user. An example of a Trojan horse is a
software application which has an outwardly legitimate purpose, e.g., text editing, but
which also has a surreptitious purpose, e.g., copying user documents into a hidden
private file which is read later by the attacker who planted the Trojan horse.

ii. Trapdoor: A feature is built into a system or system component such that the provision
of specific input data allows security policy to be violated. An example is a log-in
processing subsystem which allows processing of a particular user-identifier to bypass
the usual password checks.

iii. Planting threats are usually realized by the planting party only after the planted
capability has been left dormant for a period of time.

iv. Safeguards: Safeguards are physical controls, mechanisms, policies, and procedures
that protect assets from threats.

Note:

• Vulnerabilities: Vulnerabilities are weaknesses in a safeguard, or the absence of a
safeguard.

• Risk: Risk is a measure of the cost of a realized vulnerability that incorporates the
probability of a successful attack. Risk is high if the value of a vulnerable asset is high,
and the probability of a successful attack is high. Conversely, risk is low if the value of
the vulnerable asset is low and the probability of a successful attack is low. Risk
analysis can provide a quantitative means of determining whether the expenditure on
safeguards is warranted.

6. Methods of defense
6.1 Controls
i. Encryption
Encryption is the most powerful tool: coding, that is, transforming data so that it is
unintelligible to the outside observer, provides confidentiality for data. Encryption can be used
to achieve integrity, since data that cannot be read generally also cannot be changed in a
meaningful manner. Encryption is the basis of some protocols, which are agreed-upon sequences
of actions to accomplish some task. Some protocols ensure availability of resources. Therefore,
encryption is at the heart of methods for ensuring all three goals of computer security.

ii. Software controls
• Internal program controls: parts of the program that enforce security restrictions, e.g.
access limitations in a database management program
• Operating system controls: limitations enforced by the operating system to protect each
user from all other users
• Development controls: quality standards under which a program is designed, coded,
tested and maintained.

iii. Hardware controls

iv. Policies

v. Physical Controls

vi. System access controls

Ensure that unauthorized users don't get into the system, and encourage authorized
users to be security-conscious, e.g. by changing their passwords on a regular basis.
The system protects password data and keeps track of who's doing what in the system,
especially if what they're doing is security-related, e.g. logging in, trying to open a file, using
special privileges.
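
The Encryption control in 6.1 and the modification and replay threats in 5.5, shown as an added example that is not part of the original notes: encryption on its own hides the amount in a message but does not stop it being changed, and the integrity goal is met once a keyed tag and a sequence number are checked. The toy HMAC-based keystream, the keys, the message and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample keys and message, for illustration only.
ENC_KEY, MAC_KEY = b"E" * 32, b"M" * 32
MESSAGE = b"PAY 0100 TO ALICE"

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce || counter) blocks."""
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(d ^ s for d, s in zip(data, stream))

def flip(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Modification threat: turn known plaintext 'old' into 'new' without the key."""
    patched = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        patched[offset + i] ^= o ^ n
    return bytes(patched)

def seal(seq: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC packet: sequence number || ciphertext || HMAC tag."""
    nonce = seq.to_bytes(8, "big")
    body = nonce + keystream_xor(ENC_KEY, nonce, plaintext)
    return body + hmac.new(MAC_KEY, body, hashlib.sha256).digest()

class Receiver:
    """Rejects modified packets (bad tag) and replayed packets (old sequence number)."""
    def __init__(self) -> None:
        self.last_seq = -1

    def open(self, packet: bytes) -> bytes:
        body, tag = packet[:-32], packet[-32:]
        expected = hmac.new(MAC_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed")
        seq = int.from_bytes(body[:8], "big")
        if seq <= self.last_seq:
            raise ValueError("replay detected")
        self.last_seq = seq
        return keystream_xor(ENC_KEY, body[:8], body[8:])

if __name__ == "__main__":
    nonce = (1).to_bytes(8, "big")
    forged = flip(keystream_xor(ENC_KEY, nonce, MESSAGE), 4, b"0100", b"9100")
    print(keystream_xor(ENC_KEY, nonce, forged))  # encryption alone did not stop the change
```
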

6.2 Data access controls

Monitoring who can access what data and for what purpose:
i. Discretionary access controls - where the system supports them, you determine whether
others can read or change your data
ii. Mandatory access controls - the system determines access rules based on the security
levels of the people, the files and the other objects in the system.
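
The two kinds of data access control in 6.2 side by side, as an added example that is not part of the original notes: the owner's grant is the discretionary part, the label comparison is the mandatory part, and a request must pass both. The level names, the read/write rule set and all identifiers are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Assumed ordering of security levels (not from the notes).
LEVELS = {"public": 0, "confidential": 1, "secret": 2}

@dataclass
class File:
    name: str
    owner: str
    level: str                                # label assigned by the system (mandatory)
    acl: dict = field(default_factory=dict)   # user -> rights granted by the owner (discretionary)

    def grant(self, granter: str, user: str, right: str) -> None:
        """DAC: the owner alone decides who else may read or write."""
        if granter != self.owner:
            raise PermissionError(f"{granter} does not own {self.name}")
        self.acl.setdefault(user, set()).add(right)

def dac_allows(user: str, f: File, right: str) -> bool:
    return user == f.owner or right in f.acl.get(user, set())

def mac_allows(clearance: str, f: File, right: str) -> bool:
    """Assumed rule set: read only at or below your level, write only at or above it."""
    if right == "read":
        return LEVELS[clearance] >= LEVELS[f.level]
    if right == "write":
        return LEVELS[clearance] <= LEVELS[f.level]
    return False

def decide(user: str, clearance: str, f: File, right: str) -> str:
    """Both checks must pass; report which control denied the request."""
    if not mac_allows(clearance, f, right):
        return "denied by MAC"
    if not dac_allows(user, f, right):
        return "denied by DAC"
    return "allowed"

if __name__ == "__main__":
    plan = File("merger-plan.txt", owner="alice", level="secret")  # constructed sample
    plan.grant("alice", "bob", "read")
    print(decide("bob", "confidential", plan, "read"))  # owner's grant cannot override the label
    print(decide("carol", "secret", plan, "read"))      # cleared, but the owner never granted access
```
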

6.3 System and security administration

Performing offline procedures that make or break a secure system: clearly delineating system
administrator responsibilities, training users appropriately, monitoring users to
make sure that security policies are observed, and figuring out the security threats your system
faces and what it will cost to protect against them.

6.4 System design

Take advantage of basic hardware and software security characteristics, e.g. a system
architecture that is able to segment memory, thus isolating privileged processes from
non-privileged processes.
