Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Scribd Logo
Upload

Welcome to Scribd!

  • 72 views

    CH01 CompSec2e

    Uploaded by

    Dayton Good Kush Allen
    This document provides an overview of computer security concepts. It defines computer security as protecting the confidentiality, integrity and availability of information system resources. The key security concepts discussed include the CIA triad of confidentiality, integrity and availability. The document also examines security services like authentication, access control, data confidentiality, data integrity and availability. It explores security threats, attacks and countermeasures, and outlines strategies for developing an effective computer security policy and implementation.

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd

    CH01 CompSec2e

    Uploaded by

    Dayton Good Kush Allen
    72 views32 pages
    This document provides an overview of computer security concepts. It defines computer security as protecting the confidentiality, integrity and availability of information system resources. The key security concepts discussed include the CIA triad of confidentiality, integrity and availability. The document also examines security services like authentication, access control, data confidentiality, data integrity and availability. It explores security threats, attacks and countermeasures, and outlines strategies for developing an effective computer security policy and implementation.

    Original Description:

    Network security

    Original Title

    CH01-CompSec2e

    Copyright

    © © All Rights Reserved

    Available Formats

    PPTX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    This document provides an overview of computer security concepts. It defines computer security as protecting the confidentiality, integrity and availability of information system resources. The key security concepts discussed include the CIA triad of confidentiality, integrity and availability. The document also examines security services like authentication, access control, data confidentiality, data integrity and availability. It explores security threats, attacks and countermeasures, and outlines strategies for developing an effective computer security policy and implementation.

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd
    Download as pptx, pdf, or txt
    72 views32 pages

    CH01 CompSec2e

    Uploaded by

    Dayton Good Kush Allen
    This document provides an overview of computer security concepts. It defines computer security as protecting the confidentiality, integrity and availability of information system resources. The key security concepts discussed include the CIA triad of confidentiality, integrity and availability. The document also examines security services like authentication, access control, data confidentiality, data integrity and availability. It explores security threats, attacks and countermeasures, and outlines strategies for developing an effective computer security policy and implementation.

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd
    Download as pptx, pdf, or txt
    You are on page 1of 32

    Chapter 1

    Overview

    Computer Security
    Overview
    The NIST Computer Security
    Handbook defines the term Computer
    Security as:
    The protection afforded to an
    automated information system in
    order to attain the applicable
    objectives of preserving the integrity,
    availability and confidentiality of
    information system resources
    (includes hardware, software,
    firmware, information/data, and

    The CIA Triad


    Confidentiality
    data

    confidentiality
    privacy

    Integrity

    - data integrity
    - system integrity

    Availabilit
    y

    Key Security Concepts

    Computer Security Challenges


    computer security is not

    as simple as it might first


    appear to the novice
    potential attacks on the
    security features must be
    considered
    procedures used to
    provide particular
    services are often
    counterintuitive
    physical and logical
    placement needs to be
    determined
    additional algorithms or
    protocols may be involved

    attackers only need to find a

    single weakness, the


    developer needs to find all
    weaknesses
    users and system managers
    tend to not see the benefits
    of security until a failure
    occurs
    security requires regular
    and constant monitoring
    is often an afterthought to
    be incorporated into a
    system after the design is
    complete
    thought of as an
    impediment to efficient and
    user-friendly operation

    Table 1.1
    Computer
    Security
    Terminolo
    gy
    RFC 2828,
    Internet
    Security
    Glossary, May
    2000

    Figure 1.2
    Security Concepts and Relationships

    Vulnerabilities, Threats
    and Attacks
    categories of vulnerabilities
    corrupted (loss of integrity)
    leaky (loss of confidentiality)
    unavailable or very slow (loss of availability)

    threats
    capable of exploiting vulnerabilities
    represent potential security harm to an asset

    attacks (threats carried out)


    passive does not affect system resources
    active attempt to alter system resources or affect their

    operation
    insider initiated by an entity inside the security

    parameter
    outsider initiated from outside the perimeter

    Countermeasures

    Table 1.2
    Threat
    Consequen
    ces

    Figure 1.3
    Scope of Computer Security

    Table 1.3
    Computer and Network Assets
    Examples of Threats

    Table 1.3

    Computer and Network Assets, with Examples of Threats.

    Passive and Active


    Attacks
    Passive attacks attempt to learn or make use of
    information from the system but does not affect system
    resources
    eavesdropping/monitoring transmissions
    difficult to detect
    emphasis is on prevention rather than detection
    two types:
    release of message contents

    traffic analysis

    Active attacks involve modification of the data stream


    goal is to detect them and then recover
    four categories:
    masquerade
    replay
    modification of messages
    denial of service

    Table
    1.4
    (FIPS PUB
    200)

    Secu
    rity
    Requ
    irem
    ents

    Security Functional
    Requirements

    Security Architecture For


    Open Systems
    ITU-T Recommendation X.800, Security

    Architecture for OSI


    systematic way of defining the requirements

    for security and characterizing the


    approaches to satisfying them
    was developed as an international standard
    focuses on:
    security attacks action that compromises the

    security of information owned by an


    organization
    security mechanism designed to detect,
    prevent, or recover from a security attack
    security service intended to counter security

    Security Services
    X.800
    defines a security

    service as a service
    that is provided by
    a protocol layer of
    communicating
    open systems and
    ensures adequate
    security of the
    systems or of data
    transfers

    defines a security

    RFC 2828

    service as a
    processing or
    communication
    service that is
    provided by a
    system to give a
    specific kind of
    protection to
    system resources;
    security services
    implement security
    policies and are
    implemented by
    security
    mechanisms

    Table 1.5
    Security
    Services

    Source: From X.800, Security Architecture for OSI

    Data Origin Authentication


    provides for the

    Authentication
    Service

    concerned with assuring

    that a communication is
    from the source that it
    claims to be from
    must assure that the

    connection is not
    interfered with by a third
    party masquerading as
    one of the two legitimate
    parties

    corroboration of the
    source of a data unit
    does not provide
    protection against the
    duplication or
    modification of data units
    this type of service
    supports applications like
    Peer
    email
    where
    there are no
    Entity
    Authentication
    provides
    for the corroboration
    prior
    interactions
    of the identity
    between
    the of a peer entity
    in an association
    communicating
    entities
    provided for use at the
    establishment of, or at times
    during the data transfer phase
    of, a connection
    attempts to provide confidence
    that an entity is not performing
    either a masquerade or an
    unauthorized replay of a
    previous connection

    Access
    Control
    Service

    the ability to limit and

    control the access to host


    systems and applications
    via communications links
    each entity trying to gain

    access must first be


    identified, or
    authenticated, so that
    access rights can be
    tailored to the individual

    Nonrepudiation
    Service

    prevents either

    sender or receiver
    from denying a
    transmitted message
    receiver can prove

    that the alleged


    sender in fact sent
    the message
    the sender can prove

    protects the traffic flow from

    Data
    Confidentiality
    Service

    analysis
    this requires that an attacker

    not be able to observe the


    source and destination,
    frequency, length, or other
    characteristics of the traffic
    on a communications facility

    connectionless

    confidentiality
    the protection of transmitted

    data from passive attacks


    the broadest service protects

    all user data transmitted


    between two users over a
    period of time
    connection confidentiality
    the protection of all user data
    on a connection

    protection of all user data in

    a single data block


    selective-field confidentiality
    confidentiality of selected
    fields within the user data on
    a connection or a single data
    block
    traffic-flow confidentiality
    protection of the information

    a connection-oriented

    Data
    Integrity
    Service

    integrity service assures


    that messages are received
    as sent, with no duplication,
    insertion modification,
    reordering, or replays
    destruction of data is also

    can apply to a stream of

    messages, a single
    message, or selected
    fields within a message
    a connectionless integrity

    service generally provides


    protection against
    message modification only

    covered under this service


    addresses both message
    stream modification and
    denial of service
    need to make a distinction

    between the service with


    and without recovery
    concerned with detection

    rather than prevention


    the incorporation of
    automated recovery
    mechanisms is the more
    attractive alternative

    a variety of attacks can

    result in the loss of or


    reduction in availability

    Availability
    Service

    a service that protects a

    system to ensure its


    availability
    defined as the property

    of a system or a system
    resource being accessible
    and usable upon demand
    by an authorized system
    entity, according to
    performance
    specifications of the
    system

    some of these attacks

    are amenable to
    authentication and
    encryption
    some attacks require a
    physical action to
    prevent or recover from
    loss of availability

    X.800 treats availability as

    a property to be
    associated with various
    security services
    addresses the security

    concerns raised by denialof-service attacks


    depends on proper

    management and control

    Table
    1.6
    X.800
    Security
    Mechanisms

    Figur
    e 1.4
    Securi
    ty
    Trend
    s

    Figure 1.5
    Security Technologies
    Used

    Computer Security
    Strategy

    Security Policy
    formal statement of rules and practices

    that specify or regulate how a system or


    organization provides security services to
    protect sensitive and critical system
    resources
    factors to consider:
    trade-offs to
    value of the assets
    consider:
    being protected
    vulnerabilities of the

    ease of use versus

    system
    potential threats and
    the likelihood of
    attacks

    security
    cost of security versus
    cost of failure and
    recovery

    Security Implementation

    involves four
    complementary
    courses of
    action:

    Assurance and
    Evaluation
    assurance
    the degree of confidence one has that the security

    measures work as intended to protect the system


    and the information it processes
    encompasses both system design and system
    implementation
    evaluation
    process of examining a computer product or

    system with respect to certain criteria


    involves testing and formal analytic or
    mathematical techniques

    Summary
    security concepts
    CIA triad
    confidentiality preserving
    the disclosure of information
    integrity guarding against
    modification or destruction
    of information
    availability ensuring timely
    and reliable access to
    information
    terminology table 1.1

    security architecture
    security services enhances the

    security of systems and


    information transfers, table 1.5
    security mechanisms
    mechanisms designed to detect,
    prevent, or recover from a
    security attack, table 1.6
    security attack any action that
    compromises the security of
    information owned by an
    organization

    threats exploits

    vulnerabilities
    attack a threat carried out
    countermeasure means to
    deal with a security attack
    assets hardware, software,
    data, communication lines,
    networks

    security trends
    figure 1.4
    security strategy
    policy, implementation,

    assurance and evaluation

    You might also like