Introduction to Computer

Security
ICT 325
 Computer Security
• Computer Security: The protection afforded to an automated
information system in order to attain the applicable objectives of
preserving the integrity, availability, and confidentiality of
information system resources. (NIST95 Handbook)
• CIA- Confidentiality Integrity Availability
Information System
• Information System is a combination of interrelated
components that work together with the aim of collecting
data, processing data and managing the dissemination of
information.
❖Data
❖Hardware
❖Software
❖Network/Telecommunication
❖People
Information Security Levels

Hardware Software
C

INFORMATION
I OR A
DATA

Communications
CIA
• Confidentiality: Preserving authorized restrictions on
information access and disclosure, including means for
protecting personal privacy and proprietary information
• Integrity: Guarding against improper information
modification or destruction, including ensuring information
nonrepudiation and authenticity.
• Availability: Ensuring timely and reliable access to and use of
information.
 Computer and Network Assets, with
Examples of Threats
Availability
Hardware Equipment is stolen or
disabled, thus denying
service.
Software Programs are deleted,
Denying access to users.
Data Files are deleted, denying
access to users.
Communication Messages are destroyed or
Lines and deleted. Communication lines
Networks or networks are rendered
unavailable
Confidentiality
An unencrypted
USB drive is stolen.
An unauthorized copy of
software is made.
An unauthorized read
of data is performed. An
analysis of statistical data
reveals underlying data.
Messages are read. The
traffic pattern of messages is
observed.
Integrity
A working program is
modified, either to cause it to
fail during execution or to
cause it to do some
unintended task.
Existing files are modified or
new files are fabricated.
Messages are modified,
delayed, reordered, or
duplicated. False messages are
fabricated.
Additional concepts on Security Goals
Authenticity & Accountability
• Authenticity: The property of being genuine and being able to
be verified and trusted; confidence in the validity of a
transmission, a message, or message originator.
• Accountability: The security goal that generates the
requirement for actions of an entity to be traced uniquely to
that entity.
The OSI security architecture
• The OSI security architecture is an international and
systematic standard of defining and providing security
requirement.
• The OSI security architecture focus on;
❖Security attacks
❖Security Mechanism
❖Security Service
 The OSI security architecture Cont.
• Security attack: Any action that compromises the security of
information owned by an organization.
• Security mechanism: A process (or a device incorporating such a
process) that is designed to detect, prevent, or recover from a security
attack
• Security service: A processing or communication service that
enhances the security of the data processing systems and the
information transfers of an organization. The services are intended to
counter security attacks, and they make use of one or more security
mechanisms to provide the service
Security attacks
• Use of a computer or any digital device to gain unauthorized
access to information system resource
• Security Attack can be;-
❖Passive Attack
❖Active Attack
Passive Attacks
• The goal of the opponent is to obtain information that is being
transmitted.
• Two types of passive attacks are the release of message
contents and traffic analysis.
Active Attack
• Active attacks involve some modification of the data stream
or the creation of a false stream
• Active Attack can be subdivided into four categories:
❖Masquerade
❖Replay
❖Modification of messages
❖Denial of service.
 Active Attack Cont.
• A masquerade takes place when one entity pretends to be a different
entity. A masquerade attack usually includes one of the other forms of
active attack.
• Replay involves the passive capture of a data unit and its subsequent
retransmission to produce an unauthorized effect
• Modification of messages simply means that some portion of a
legitimate message is altered, or that messages are delayed or reordered,
to produce an unauthorized effect
• The denial of service prevents or inhibits the normal use or
management of communications facilities
Masquerade
Replay
Modification of messages
The denial of service
Security Services
• Security Services are services that are provided by a protocol
layer of communicating open systems that ensure adequate
security of the system or data
• Security service is a processing or communication service
that is provided by the system to give a specific kind of
protection to system resources
• Security service implement security policy and are
implemented by security mechanism
Security Services
• Authentication
Ensuring that the communicating entity are the one that claims
they are
• Access Control
This focus on the prevention of unauthorized use of resource
• Data Confidentiality
Protection of data against unauthorized disclosure
Security Services Cont.
• Data Integrity
Ensuring that data received are exactly as sent by authorized
entity
• Non Repudiation
Provide protection against denial by one of the entity involved
in the process of communication
Security Mechanism
• Any process that is designed to detect, prevent or recover from
a security attacks.
• Security Mechanisms
❖Encipherment
❖Digital Signature
❖Access Control
❖Data Integrity
❖Authentication Exchange
❖Traffic Padding
❖Routing Control
❖Notarization
 Security Mechanisms Cont.
• Encipherment
The use of mathematical algorithms to transform data into a form that
is not readily intelligible. The transformation and subsequent recovery
of the data depend on an algorithm and zero or more encryption keys
• Digital Signature
Data appended to, or a cryptographic transformation of, a data unit
that allows a recipient of the data unit to prove the source and
integrity of the data unit and protect against forgery
 Security Mechanisms Cont.
• Authentication Exchange
A mechanism intended to ensure the identity of an entity by means of
information exchange.
• Traffic Padding
The insertion of bits into gaps in a data stream to frustrate traffic analysis
attempts.
• Routing Control
Enables selection of particular physically secure routes for certain data
and allows routing changes, especially when a breach of security is
suspected.
 Security Mechanisms Cont.
• Authentication Exchange
A mechanism intended to ensure the identity of an entity by means of
information exchange
• Traffic Padding
The insertion of bits into gaps in a data stream to frustrate traffic analysis
attempts
• Routing Control
Enables selection of particular physically secure routes for certain data and
allows routing changes, especially when a breach of security is suspected.
Relationship Between Security Services and
Mechanisms
Model for Network Security
Network Access Security Model
 Standards
• Various organizations have been involved in the development or promotion of these
standards.
• National Institute of Standards and Technology: NIST is a U.S. federal agency that
deals with measurement science, standards, and technology related to U.S.
government
• Internet Society: It provides leadership in addressing issues that confront the future of
the Internet
❖Internet Engineering Task Force (IETF)
❖Internet Architecture Board (IAB).
❖These organizations develop Internet standards and related specifications, all of
which are published as Requests for Comments (RFCs)
Standards Cont.
• ITU-T: The International Telecommunication Union (ITU) is
an international organization within the United Nations
System in which governments and the private sector
coordinate global telecom networks and services
❖ITU-T standards are referred to as Recommendations.
• ISO: The International Organization for Standardization is a
worldwide federation of national standards bodies from more
than 140 countries, one from each country