Replay Attack : An attack on an authentication system by recording and
replaying previously sent valid messages (or parts of messages). Any constant authentication information, such as a password or electronically transmitted biometric data, can be recorded and used later to forge messages that appear to be authentic. Security services : services that are provided by a system to give a specific kind of protection to system resources are called security services. Passive Attack A passive attack monitors unencrypted traffic and looks for clear-text passwords and sensitive information that can be used in other types of attacks. Passive attacks include traffic analysis, monitoring of unprotected communications, decrypting weakly encrypted traffic, and capturing authentication information such as passwords. Passive interception of network operations enables adversaries to see upcoming actions. Passive attacks result in the disclosure of information or data files to an attacker without the consent or knowledge of the user. Active Attack In an active attack, the attacker tries to bypass or break into secured systems. This can be done through stealth, viruses, worms, or Troan horses. Active attacks include attempts to circumvent or break protection features, to introduce malicious code, and to steal or modify information. These attacks are mounted against a network backbone, exploit information in transit, electronically penetrate an enclave, or attack an authori!ed remote user during an attempt to connect to an enclave. Active attacks result in the disclosure or dissemination of data files, "o#, or modification of data. 5. (is given in the book) 6. Access $ontrol is a set of controls to restrict access to certain resources. If we think about it, access controls are everywhere around us. A door to your room, the guards allowing you to enter the office building on seeing your access card, swiping your card etc. all are examples of various types of access control. A security policy may use two types of access controls, alone or in combination. In one, access control is left to the discretion of the owner. In the other, the operating system controls access, and the owner cannot override the controls. DAC- If an individual user can set an access control mechanism to allow or deny access to an object, that mechanism is a discretionary access control (A!). iscretionary access controls base access rights on the identity of the subject and the identity of the object involved. Identity is the key" the owner of the object constrains who can access it by allowing only particular subjects to have access. #he owner states the constraint in terms of the identity of the subject, or the owner of the subject. $%A&'($) *uppose a child keeps a diary. #he child controls access to the diary, because she can allow someone to read it (grant read access) or not allow someone to read it (deny read access). #he child allows her mother to read it, but no one else. #his is a discretionary access control because access to the diary is based on the identity of the subject (mom) re+uesting read access to the object (the diary). Mandatory Access Control (MAC) ,hen a system mechanism controls access to an object and an individual user cannot alter that access, the control is a mandatory access control (&A!), occasionally called a rule- based access control. #he operating system enforces mandatory access controls. -either the subject nor the owner of the object can determine whether access is granted. #ypically, the system mechanism will check information associated with both the subject and the object to determine whether the subject should access the object. .ules describe the conditions under which access is allowed. This is a stricter and rather static Access $ontrol model as compared to "A$ and is mostly suited for military organi!ations where data classification and confidentiality is of prime importance. #pecial types of the %nix operating systems are based on &A$ model. $%A&'($) #he law allows a court to access driving records without the owners/ permission. #his is a mandatory control, because the owner of the record has no control over the court/s accessing the information. originator controlled access control (0.!0- or 0.1!0-) - originator controlled access control (0.!0- or 0.1!0-bases access on the creator of an object (or the information it contains). #he goal of this control is to allow the originator of the file (or of the information it contains) to control the dissemination of the information. #he owner of the file has no control over who may access the file. *ection 2.3 discusses this type of control in detail. 7. 8.