Chap' 1 Introduction

1
Chap. 1 Introduction
2
Information Security Why?
Information Security

• Information is a strategic resource
• Information security requirements have changed in
  recent decades
• Traditionally provided by physical
  administrative mechanisms
• Use of Computer requires automated tools to
  protect files and other stored information
• Use of networks and communication links requires
  measures to protect data during transmission
• Definitions
• Computer Security generic name for the
  collection of tools designed to protect data and
  to thwart hackers
• Network Security measures to protect data
  during their transmission
• Internet Security measures to protect data
  during their transmission over a collection of
  interconnected networks

3
Aim of Course
Aim of Course

• Focuses on Internet Security
• Consists of measures to deter, prevent, detect,
  and correct security violations that involve the
  transmission storage of information

4
Security Trends
Security Trends
5
OSI Security Architecture
Security Architecture

• ITU-T X.800 Security Architecture for OSI
• defines a systematic way of defining and
  providing security requirements
• for us it provides a useful, if abstract,
  overview of concepts we will study
• Consider 3 aspects of information security

• Security Attacks
• Security Services
• Security Mechanisms

6
Security Attacks
Security Attacks

• Any action that compromises the security of
  information owned by an organization
• Often threat attack used to mean same thing
• Classification of security attacks

• Threat A potential for violation of security
• Attack An assault on system security that
  derives from an intelligent threat

• Used both in X.800 and RFC 2828
• Passive Attacks attempt to learn or make use of
  information from the system but does not affect
  system resources
• Active Attacks attempt to alter system resource
  or affect their operation

7
Security Threats
Security Threats

• Threats can come from a range of sources
• Various surveys, with results of order
• 55 human error
• 10 disgruntled employees
• 10 dishonest employees
• 10 outsider access
• also have "acts of god" (fire, flood etc)
• Note that in the end, it always comes back to
  PEOPLE. Technology can only assist so much,
  always need to be concerned about the role of
  people in the threat equation - who and why.

8
Passive Attacks
Security Attacks

• Passive Attacks
• Only involve monitoring (interception) of the
  information, leading to loss of confidentiality
  or traffic analysis (monitoring exchange of
  information without knowing precise contents),
  and are hard to detect
• Release of message contents attacks
  confidentiality
• Eavesdropping
• Learn the content of transmitted messages
• Traffic Analysis attacks confidentiality, or
  anonymity
• Monitoring the pattern of transmitted messages
• Include the source destination, frequency, and
  length of messages
• Determine the location and identity of
  communicating hosts

9
Passive Attacks
Security Attacks
10
Active Attacks
Security Attacks

• Active Attacks
• Active attacks involve some modification of the
  data stream or the creation of a false stream,
  and are hard to prevent.
• Masquerade
• pretends to be a different entity
• Replay
• passive capture of a data unit and its subsequent
  retransmission to produce an unauthorized effect
• Modification of messages
• alters some portion of a legitimate message
• Denial of service
• prevents or inhibits the normal use or management
  of communications facilities

11
Active Attacks
Security Attacks
12
Security Attack Examples
Security Attack Examples
13
Security Services
Security Services

• X.800
• a service provided by a protocol layer of
  communicating open systems, which ensures
  adequate security of the systems or of data
  transfers
• RFC 2828
• a processing or communication service provided
  by a system to give a specific kind of protection
  to system resources

14
Security Services
Security Services

• Enhance security of data processing systems and
  information transfers of an organization
• Intended to counter security attacks using one or
  more security mechanisms
• Security services implement security policies
• Often replicate functions normally associated
  with physical documents
• have signatures, dates
• need protection from disclosure, tampering, or
  destruction
• be notarized or witnessed
• be recorded or licensed

15
Security Services (X.800)
Security Services
One Useful Classification of Security Services

• Authentication - protect info origin (sender)
• Access control - control access to info/resources
  
• Data Confidentiality - protect info
  content/access
• Data Integrity - protect info accuracy
• Non-repudiation - protect from deniability
• Availability - ensure a system (info) is
  available to authorized entities when needed.

16
Definitions - 1
Security Services

• Authentication
• Assurance that the communicating entity is the
  one claimed
• Peer Entity Authentication
• Data Origin Authentication
• e.g., your drivers license and photo
  authenticates your image to a name, address, and
  birth date.
• Access Control
• Prevention of the unauthorized use of a resource
• Ensures that specific entities may perform
  specific operations on a secure object.
• Data Confidentiality
• Protection of data from unauthorized disclosure
• Protection of traffic analysis

17
Definitions - 2
Security Services

• Data Integrity
• Assurance that data received is as sent by an
  authorized entity
• It allows the recipient of a message to verify it
  has not been modified in transit.
• Non-repudiation
• Protection against denial by one of the parties
  in a communication
• Makes it difficult for the originator of a
  message to falsely deny later that they were the
  party that sent the message.
• Availability
• Ensures that a service or information is
  available to an (authorized) user upon demand and
  without delay.
• Denial of Service (DoS) attacks seek to interrupt
  a service or make some information unavailable to
  legitimate users.

18
Security Mechanisms
Security Mechanisms

• Features designed to detect, prevent, or recover
  from a security attack
• Personnel Access Tokens, Biometrics
• Physical Integrated Access Control
• Managerial Security Education
• Data Networking Encryption, Config Control
• S/W O/S Testing, Evaluation, Trusted O/S,
• H/W (Various Techniques)
• No single mechanism can provide all the security
  services wanted. Usually have a range to choose
  from. But encryption or encryption-like
  information transformation (and hence the
  cryptography) is a key enabling technology.

19
Security Mechanisms (X.800)
Security Mechanisms

• Specific security mechanisms
• Encipherment, Digital signatures, Access
  controls, Data integrity, Authentication
  exchange, Traffic padding, Routing control,
  Notarization
• Pervasive security mechanisms
• Trusted functionality, Security labels, Event
  detection, Security audit trails, Security
  recovery

20
Service Mechanisms (X.800)
Security Mechanisms
Relationship between Security Services and
Mechanisms
21
Model for Network Security
Network Security Model
22
Model for Network Security
Network Security Model

• Using this model requires us to
• Design a suitable algorithm for the security
  transformation
• Generate the secret information (keys) used by
  the algorithm
• Develop methods to distribute and share the
  secret information
• Specify a protocol enabling the principals to
  use the transformation and secret information for
  a security service

23
Model for Network Access Security
Network Security Model

• Using this model requires us to
• Select appropriate gatekeeper functions to
  identify users
• Implement security controls to ensure only
  authorised users access designated information or
  resources
• Trusted computer systems may be useful to help
  implement this model