Professional Documents
Culture Documents
Eman Hato
1. Security Definition
The Information is the set of data, software, networks, procedures and policies that
deal with processing and distribution of information in an organization. Each
component has its own strengths, weaknesses, and its own security requirements.
Information security is the ability of providing the security requirements in order to
protect and prevent unauthorized use of information resources.
2. Security Aspects
It is helpful to have a model that can be used as a foundation or a baseline. This
gives a consistent set of terminology and concepts for defining the security
requirements and characterizing the approaches to satisfying those requirements.
The security aspects focus on security mechanisms, attacks, and services. These can
be defined briefly as follows:
Security Mechanisms: A process (or a device incorporating such a process) that is
designed to detect, prevent, or recover from a security attack.
Security Attacks: Any action that compromises the security of information owned
by an organization
Security Services: A processing or communication service that enhances the
security of the data processing systems and the information transfers of an
organization. The services are intended to counter security attacks, and they make
use of one or more security mechanisms to provide the service.
3. Security Services
Security services (also called security goals) are processing services that are
provided by a system to give a specific kind of protection to system resources.
Security services are implemented by security mechanisms.
Security services are addressing three important aspects to define security
objectives of any computer system: Confidentiality, Integrity, and Availability
which form what is referred to as the CIA triad as shown in Figure (1).
Confidentiality
Unauthorized access is prevented
Integrity Availability
Data cannot be Data cannot be available
modified to unauthorized
Although the use of the CIA triad to define security objectives is well established,
additional concepts are needed to present a complete picture. Two of the most
commonly mentioned are as follows:
4. Security Attacks
Security attacks can be classified into three groups related to the security goals as
shown in Figure (2).
The security attacks can also be classified in to passive attacks and active attacks as
shown in the Figure (2). A passive attack attempts to learn or make use of
information from the system but does not affect system resources.
An active attack attempts to alter system resources or affect their operation.
Passive Attacks
Attacks
Types
Active Attacks
Table below shows the relationship between this and the previous categorization.
The Snooping
Snooping refers to unauthorized access to or interception of data. For example, a
file transferred through the Internet may contain confidential information. An
unauthorized entity may intercept the transmission and use the contents for her
own benefit. To prevent snooping, the data can be encrypted by encipherment
techniques.
Traffic analysis
Suppose that we had a way of masking of information, so that the attacker even
if captured the message could not extract any information from the message.
The opponent could determine the location and identity of communicating host
and could observe the frequency and length of messages being exchanged. This
information might be useful in guessing the nature of the communication that
was taking place.
Note: passive attacks are very difficult to detect, because they do not involve any
alteration of the data and neither the sender nor receiver is aware that a third party
has read the messages or observed the traffic pattern. However, it is feasible to
prevent the success of these attacks, usually by means of encryption. Thus, the
passive attacks are prevented rather than detected.
Modification of messages
It means that some portion of a message is altered or that message is delayed or
reordered to produce an unauthorized effect. For example, a message meaning
"Allow Alice to read confidential file X" is modified as "Allow John to read
confidential file X".
Replay
It involves the passive capture of a message and its subsequent the transmission
to produce unauthorized effect.
Denial of Service
It prevents normal use of communication facilities. This attack may have a
specific target. For example, an entity may crush all messages directed to a
particular destination. Another form of service denial is the disarrangement of
the network by disabling the network or by overloading it by messages so as to
degrade performance.
man on the right of the wall: The water could rise, overflowing onto the man, or it
could stay under the height of the wall. So the threat of harm is the potential for
the man to get wet or get hurt. However, the small crack in the wall is a
vulnerability that threatens the man's security. If the water rises to the level of the
crack, it will exploit the vulnerability and harm the man.
5. Security Mechanisms
Security mechanisms are used to provide some of the security services. Some of
examples of these mechanisms are: