Review Questions

1. Consider an automated teller machine (ATM) in which users provide a personal identification
number (PIN) and a card for account access. Give examples of confidentiality, integrity, and
availability requirements associated with the system. In each case, indicate the degree of
importance of the requirement.

Confidentiality: The Personal Identification Number (PIN) is an asset whose confidentiality is
considered to be highly important by an individual. PIN information should only be available
to the individual. Degree of Importance: High.
Integrity: An individual should be able to trust that the card provided for account access is
correct and current. An individual should also be able to withdraw the amount s/he wishes
from his/her available account. Now suppose a bank staff member who is authorized to view and
update an individual's account deliberately falsifies the data in it: integrity is lost. The
database needs to be restored to a trusted basis quickly, and it should be possible to trace
the error back to the person responsible. Degree of Importance: High.
Availability: An Automated Teller Machine (ATM) provides a way for individuals to withdraw
money whenever and from wherever they want. Therefore, an individual should be able to
withdraw money from an ATM (i.e. the ATM should always be available for withdrawal) provided
s/he has the PIN and card for account access. However, this is a facility provided by banks to
give their customers easy access to their bank accounts. It is not a critical component of
the bank's information system, but unavailability of this service will cause some
embarrassment to the customer. Degree of Importance: Moderate.

Network Security - Introduction


1. What is the OSI security architecture?
The OSI Security Architecture is a framework that provides a systematic way of defining the
requirements for security and characterizing the approaches to satisfying those requirements.
The document defines security attacks, mechanisms, and services, and the relationships
among these categories.
2. What is the difference between passive and active security threats?
Passive attacks have to do with eavesdropping on, or monitoring, transmissions. Electronic
mail, file transfers, and client/server exchanges are examples of transmissions that can be
monitored. Active attacks include the modification of transmitted data and attempts to gain
unauthorized access to computer systems.

Problems
1. Draw a matrix that shows the relationship between Security Services and Security Attacks.

2. Draw a matrix that shows the relationship between Security Mechanisms and Attacks.

3. Draw a matrix that shows the relationship between Security Services and Security
Mechanisms.
