Академический Документы
Профессиональный Документы
Культура Документы
Security
Chapter 1
Introduction
Overview
Security Goals
The need for security
OSI Security Architecture
Attacks, services and mechanisms
Security attacks
Security services
Methods of Defense
A model for Internetwork Security
Internet standards and RFCs
V.THILEEBAN B.Sc(Hons)
Computer Security
Is defined as the protection afforded
to an automated information system in
order to attain the applicable objectives
of preserving the integrity, availability
and confidentiality of information
system resources (includes hardware,
software, firmware, information/data,
and telecommunications)
V.THILEEBAN B.Sc(Hons)
CIA Triad
V.THILEEBAN B.Sc(Hons)
Key Objectives
Confidentiality
Data Confidentiality-information not disclosed to
unauthorized individuals
Privacy individuals control how their information is
collected, stored, shared
Integrity
Data Integrity
System Integrity
Security Goals
Confidentiality
Integrity
Avalaibility
V.THILEEBAN B.Sc(Hons)
Security Goals
Confidentiality
Concealment of information or resources
Integrity
Trustworthiness of data or resources
Availability
Ability to use information or resources
V.THILEEBAN B.Sc(Hons)
Confidentiality
Need for keeping information secret arises
from use of computers in sensitive fields such
as government and industry
Access mechanisms, such as cryptography,
support confidentiality
Example: encrypting income tax return
Lost through unauthorized disclosure of
information
V.THILEEBAN B.Sc(Hons)
Integrity
Often requires preventing unauthorized
changes
Includes data integrity (content) and origin
integrity (source of data also called
authentication)
Include prevention mechanisms and detection
mechanisms
Availability
Is an aspect of reliability and system design
Attempts to block availability, called denial of
service attacks (DoS) are difficult to detect
Example: bank with two servers one is blocked, the
other provides false information
11
Authenticity and
Accountability
Two additional objectives:
Authenticity- being genuine and able to be
verified or trust; verifying that users are who
they say they are
Accountability-actions of an entity can be
traced uniquely to that entity; supports
nonrepudiation, deterrence, fault isolation,
intrusion, detection and prevention.
V.THILEEBAN B.Sc(Hons)
12
Levels of Impact
We can define 3 levels of impact from
a security breach:
Low
Moderate
High
V.THILEEBAN B.Sc(Hons)
13
Security Breach
Low Impact
Loss has limited adverse effect
For example:
Effectiveness of the functions of an
organization are noticeably reduced
Results in minor damage to organizational
assets
Results in minor financial loss
Results in minor harm to individuals
V.THILEEBAN B.Sc(Hons)
14
Security Breach
Moderate Impact
Loss may have serious adverse effect on
organizational operations, assets or individuals.
For example:
Effectiveness of the functions of an
organization are significantly reduced
Results in significant damage to organizational
assets
Results in significant financial loss
Results in significant harm to individuals
V.THILEEBAN B.Sc(Hons)
15
Security Breach
High Impact
Loss is expected to have severe or catastrophic adverse
effect on organizational operations, assets or individuals.
For example:
Effectiveness of the functions of an organization are
reduced so that the organization cannot perform its
primary function(s).
Results in major damage to organizational assets
Results in major financial loss
Results in severe or catastrophic harm to individuals,
involving loss of life or serious life-threatening
injuries
V.THILEEBAN B.Sc(Hons)
16
Examples of Security
Requirements
Confidentiality student grades
High confidentiality - grades
Regulated by FERPA
Only available to students, parents and employees
(who need it to do their job)
17
Examples of Security
Requirements
Integrity- patient information
High requirement for integrity
Medical database, if falslified or inaccurate, could
cause harm ( allergies, etc.)
18
Examples of Security
Requirements
Availability - The more critical a component or
service is, the higher the level of availability
required:
High availability- authentication service
19
20
Security
Motivation: Why do we need security?
Increased reliance on Information technology with or
with out the use of networks
The use of IT has changed our lives drastically.
We depend on E-mail, Internet banking, and several
other governmental activities that use IT
Increased use of E-Commerce and the World wide web
on the Internet as a vast repository of various kinds of
information (immigration databases, flight tickets,
stock markets etc.)
21
Security Concerns
Damage to any IT-based system or activity can result
in severe disruption of services and losses
Systems connected by networks are more prone to
attacks and also suffer more as a result of the
attacks than stand-alone systems (Reasons?)
Concerns such as the following are common
22
Concerns continued
Is the web site I am downloading information
from a legitimate one, or a fake?
23
That is why
..we need security
To safeguard the confidentiality, integrity,
authenticity and availability of data transmitted
over insecure networks
Internet is not the only insecure network in this
world
Many internal networks in organizations are prone
to insider attacks
In fact, insider attacks are greater both in terms
of likelihood of happening and damage caused
V.THILEEBAN B.Sc(Hons)
24
https://
V.THILEEBAN B.Sc(Hons)
25
However, in reality
Security is often over looked (not one of the top criteria)
Availability, efficiency and performance tend to be the
ones
Buggy implementations
Systems too complex in nature and rich in features can
be filled with security holes
Incorporation of security into networks, not growing with
the rapidly growing number and size of networks
Attacking is becoming so common and easy there are
books clearly explaining how to launch them
Security and attacks are a perpetual cat-and-mouse play.
The only way to avoid attacks is to keep up-to-date with
latest trends and stay ahead of malicious netizens
V.THILEEBAN B.Sc(Hons)
26
V.THILEEBAN B.Sc(Hons)
27
Computer Security
Challenges
Computer Security is both fascinating and
complex:
1. not simple
2. must consider potential attacks
3. procedures used counter-intuitive
4. involve algorithms and secret info
5. must decide where to deploy
mechanisms
V.THILEEBAN B.Sc(Hons)
28
Computer Security
Challenges
battle of wits between attacker/administrator
7. not perceived to be a benefit until fails
8. requires regular monitoring
9. too often an after-thought
10. regarded as impediment to efficient and user
friendly use of system
These difficulties will be explored
throughout the course.
6.
V.THILEEBAN B.Sc(Hons)
29
30
OSI Model
(Details in Appendix D)
7 Layer Model
Describes the protocols and details of
transmitting data at each layer
Please do not throw sausage pizza away.
V.THILEEBAN B.Sc(Hons)
31
Functions
7 Application
6 Presentation
5 Session
4 Transport
3 Network
2 Data Link
1 Physical
32
email,Web,NFS
presentation
session
transport
network
data link
RPC
TCP
IP
802.11
physical
33
34
Aspects of Security
consider 3 aspects of information security:
security attack
security mechanism
security service
note terms:
35
36
37
Security Threats/Attacks
38
Security Attacks
Interruption: This is an attack on
availability
Disrupting traffic
Physically breaking communication line
39
40
Threats
Disclosure unauthorized access to
information
Deception acceptance of false data
Disruption- interruption or prevention
of correct operation
Usurpation- unauthorized control of
some part of a system
V.THILEEBAN B.Sc(Hons)
41
Examples of Threats
Snooping intercepting information
(passive wiretapping)
Modification or alteration of
information by active wiretapping
Masquerading or spoofing
Repudiation of origin
Delay or denial of service
V.THILEEBAN B.Sc(Hons)
42
Safeguards and
Vulnerabilities
A Safeguard is a countermeasure to protect
against a threat
V.THILEEBAN B.Sc(Hons)
43
44
45
Passive Attacks
V.THILEEBAN B.Sc(Hons)
46
Passive Attacks
V.THILEEBAN B.Sc(Hons)
47
Active Attacks
V.THILEEBAN B.Sc(Hons)
48
Active Attacks
V.THILEEBAN B.Sc(Hons)
49
V.THILEEBAN B.Sc(Hons)
50
51
Security Services
enhance security of data processing systems
and information transfers of an organization
are intended to counter security attacks
use one or more security mechanisms
often replicate functions normally associated
with physical documents
which, for example, have signatures, dates; need
protection from disclosure, tampering, or
destruction; are notarized or witnessed; are
recorded or licensed
V.THILEEBAN B.Sc(Hons)
52
Security Services
(X.800) defines a security service as a service
provided by the protocol layer of a
communicating system, that ensures adequate
security of the systems or data transfers
5 Categories
Authentication
Access Control
Data confidentiality
Data Integrity
Nonrepudiation (and Availability)
V.THILEEBAN B.Sc(Hons)
53
Security services
RFC 2828 defines a security service
as a processing or communication
service provided by a system to give a
specific kind of protection to system
resources
Security services implement security
policies and are implemented by
security mechanisms.
V.THILEEBAN B.Sc(Hons)
54
Security Services
Authentication (who created or sent the data)
Access control (prevent misuse of resources)
Confidentiality (privacy)
Integrity (has not been altered)
Non-repudiation (the order is final)
55
Security Services
Examples
Authentication
Ensuring the proper identification of entities and origins of
data before communication
have both peer-entity & data origin authentication
Access control
Preventing unauthorized access to system resources
Data confidentiality
Data integrity
Non-repudiation
Availability
56
Security Mechanism
feature designed to detect, prevent, or
recover from a security attack
no single mechanism that will support all
services required
however one particular element underlies
many of the security mechanisms in use:
cryptographic techniques
57
Security Mechanisms
Examples
Two types
Specific mechanisms existing to provide certain
security services
E.g. encryption used for authentication
Other examples: encipherment, digital signatures, access
controls, data integrity, authentication exchange, traffic
padding, routing control, notarization
58
59
V.THILEEBAN B.Sc(Hons)
60
Security Models
Part 1 and 2 of this book concentrate on the
model for Network Security
There are other security related situations that
do not fit into this model and are covered in
Part 3.
A Network Access Security Model reflects the
concern for protecting an information system
from unwanted access, for example by hackers
or malware (malicious programs).
V.THILEEBAN B.Sc(Hons)
61
Service threats
Exploit service flaws in computers to inhibit use by
legitimate uses.
62
General Security
Access Model
V.THILEEBAN B.Sc(Hons)
63
1.
64
Integrity violation
Denial of service
Unavailability of system/service/network
Yahoo!, 2000, 1Gbps
Illegitimate use
65
Methods of Defense
Encryption
Software Controls
Hardware Controls
(smartcard)
Policies
Physical Controls
V.THILEEBAN B.Sc(Hons)
66
67
V.THILEEBAN B.Sc(Hons)
68
Outline of Course
Part One - Introduction
Part TwoUse of Cryptographic algorithms and
security protocols to provide security over the
Internet. Topics include: key management,
authentication, as well as transport-level,
wireless, email and IP security
Part Three-Deals with security facilities to
protect against threats, including intruders,
viruses and worms.
V.THILEEBAN B.Sc(Hons)
69
Summary
topic roadmap & standards organizations
security concepts:
confidentiality, integrity, availability
70