Computer Security

1
Computer Security
2
Chapter 1 Introduction

• The art of war teaches us to rely not on the
  likelihood of the enemy's not coming, but on our
  own readiness to receive him not on the chance
  of his not attacking, but rather on the fact that
  we have made our position unassailable (secure).
• The Art of War, Sun Tzu

3
Background

• Information Security requirements have changed in
  recent times
• traditionally provided by physical and
  administrative mechanisms
• computer use requires automated tools to protect
  files and other stored information
• use of networks and communications links requires
  measures to protect data during transmission

4
Definitions

• Computer Security - generic name for the
  collection of tools designed to protect data and
  to thwart hackers
• Network Security - measures to protect data
  during their transmission
• Internet Security - measures to protect data
  during their transmission over a collection of
  interconnected networks

5
Aim of Course

• our focus is on Internet Security
• consists of measures to deter, prevent, detect,
  and correct security violations that involve the
  transmission of information

6
Services, Mechanisms, Attacks

• need systematic way to define requirements
• consider three aspects of information security
• security attack
• security mechanism
• security service
• consider in reverse order

7
Security Service

• is something that enhances the security of the
  data processing systems and the information
  transfers of an organization
• intended to counter security attacks
• make use of one or more security mechanisms to
  provide the service
• replicate functions normally associated with
  physical documents
• eg. have signatures, dates need protection from
  disclosure, tampering, or destruction be
  notarized or witnessed be recorded or licensed

8
Security Mechanism

• a mechanism that is designed to detect, prevent,
  or recover from a security attack
• no single mechanism that will support all
  functions required
• however one particular element underlies many of
  the security mechanisms in use cryptographic
  techniques
• hence our focus on this area

9
Security Attack

• any action that compromises the security of
  information owned by an organization
• information security is about how to prevent
  attacks, or failing that, to detect attacks on
  information-based systems
• have a wide range of attacks
• can focus of generic types of attacks
• note often threat attack mean same

10
OSI Security Architecture

• ITU-T X.800 Security Architecture for OSI
• defines a systematic way of defining and
  providing security requirements
• for us it provides a useful, if abstract,
  overview of concepts we will study

11
Security Services

• X.800 defines it as a service provided by a
  protocol layer of communicating open systems,
  which ensures adequate security of the systems or
  of data transfers
• RFC 2828 defines it as a processing or
  communication service provided by a system to
  give a specific kind of protection to system
  resources
• X.800 defines it in 5 major categories

12
Security Services (X.800)

• Authentication - assurance that the communicating
  entity is the one claimed
• Access Control - prevention of the unauthorized
  use of a resource
• Data Confidentiality protection of data from
  unauthorized disclosure
• Data Integrity - assurance that data received is
  as sent by an authorized entity
• Non-Repudiation - protection against denial by
  one of the parties in a communication

13
Security Mechanisms (X.800)

• specific security mechanisms
• encipherment, digital signatures, access
  controls, data integrity, authentication
  exchange, traffic padding, routing control,
  notarization
• pervasive security mechanisms
• trusted functionality, security labels, event
  detection, security audit trails, security
  recovery

14
Classify Security Attacks as

• passive attacks - eavesdropping on, or monitoring
  of, transmissions to
• obtain message contents, or
• monitor traffic flows
• active attacks modification of data stream to
• masquerade of one entity as some other
• replay previous messages
• modify messages in transit
• denial of service

15
Security Fundamentals

• Security properties worth guarding
• Confidentiality
• Integrity
• Authentication
• Availability
• Access Control
• Nonrepudiation

16
Confidentiality

• Ensures that the information in a computer system
  and transmitted information are accessible only
  for reading by authorized parties.

17
Integrity

• Integrity requires that the computer system asset
  can be modified only by authorized parties.

18
Authentication

• Authenticity means that parties in a information
  services can ascertain the identity of parties
  trying to access information services.

19
Availability

• Availability means requirement intended to assure
  that systems work promptly and service is not
  denied to authorized users.

20
Access Control

• Unauthorized users are kept out of the system.

21
Non Repudiation

• Originator of communications cant deny it later

22
Security Attacks/Threats

• A threat is a danger which could affect the
  security.
• Interruption
• Interception
• Modification
• Fabrication

23
Interruption

• An asset of the system is destroyed or becomes
  unavailable or unusable.
• This is an attack on the Availability.

24
Interception

• Information disclosure/information leakage.
• This is an attack on Confidentiality.

25
Modification

• An unauthorized party not only gains access to
  but tampers with an asset
• This is an attack on the Integrity

26
Fabrication

• An unauthorized part inserts counterfeit objects
  into the system.
• This is an attack on the Authenticity.

27
Classification of Attacks

• Computer Security attacks can be classified into
  two broad categories
• Passive Attacks can only observe communications
  or data
• Active Attacks can actively modify communications
  or data.
• Mail forgery/modification
• TCP/IP spoofing/session hijacking

28
(No Transcript)
29
Model for Network Security
30
Model for Network Security

• using this model requires us to
• design a suitable algorithm for the security
  transformation
• generate the secret information (keys) used by
  the algorithm
• develop methods to distribute and share the
  secret information
• specify a protocol enabling the principals to use
  the transformation and secret information for a
  security service

31
Model for Network Access Security
32
Model for Network Access Security

• using this model requires us to
• select appropriate gatekeeper functions to
  identify users
• implement security controls to ensure only
  authorised users access designated information or
  resources
• trusted computer systems can be used to implement
  this model

33
Summary

• have considered
• computer, network, internet security defs
• security services, mechanisms, attacks
• X.800 standard
• models for network (access) security