The document discusses general concepts of computer security. It defines basic components of security including confidentiality, integrity, and availability. It describes threats such as snooping, modification, masquerading, and denial of service attacks. The document outlines security policies and mechanisms to enforce policies, including prevention, detection, and recovery. It discusses issues related to trust, assurance, operations, and human factors in security.
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
Part01 general security concepts
1. 2/19/2012
General Security Concepts
IT Faculty – Dalat University
February - 2012
LOGO
Outline
Components of computer security
Threats and Vulnerabilities
Policies and mechanisms
The role of trust
Assurance
Operational Issues
Human Issues
2 Phan Thi Thanh Nga - IT Faculty
Basic Components
Confidentiality
Keeping data and resources hidden
A secure system ensures the confidentiality
of data. This means that it allows individuals
to see only the data that they are supposed to
see
3 Phan Thi Thanh Nga - IT Faculty
1
2. 2/19/2012
Basic Components
Confidentiality
Access control mechanisms support confidentiality.
One access control mechanism for preserving
confidentiality is cryptography
Other system-dependent mechanisms can prevent
processes from illicitly accessing information
Confidentiality also applies to the existence of data,
which is sometimes more revealing than the data
itself
Resource hiding is another important aspect of
confidentiality: configuration, equipment,…
4 Phan Thi Thanh Nga - IT Faculty
Basic Components
Integrity
Integrity refers to the trustworthiness of data
or resources, and it is usually phrased in
terms of preventing improper or unauthorized
change
Data integrity (integrity)
Origin integrity (authentication)
5 Phan Thi Thanh Nga - IT Faculty
Basic Components
Integrity
A secure system ensures that the data it
contains is valid.
Data integrity means that data is protected
from deletion and corruption, both while it
resides within the database, and while it is
being transmitted over the network
Integrity mechanisms fall into two classes:
prevention mechanisms and detection
mechanisms.
6 Phan Thi Thanh Nga - IT Faculty
2
3. 2/19/2012
Basic Components
Availability
Enabling access to data and resources
A secure system makes data available to
authorized users, without delay. Denial-of-
service attacks are attempts to block
authorized users’ ability to access and use the
system when needed
7 Phan Thi Thanh Nga - IT Faculty
Basic Components
Confidentiality
Integrity
Avaliability
8 Phan Thi Thanh Nga - IT Faculty
Basic Components
Authentication
assurance that the communicating entity is
the one claimed
Access Control
prevention of the unauthorized use of a
resource
9 Phan Thi Thanh Nga - IT Faculty
3
4. 2/19/2012
Basic Components
Vulnerability
An error or weakness in design,
implementation or operation
Threat
An adversary motivated and capable of
exploiting a vulnerability
Attack
The means (sequence of actions) of
exploiting a vulnerability
10 Phan Thi Thanh Nga - IT Faculty
Information security threats
Loss of integrity: -> must prevent the
improper modification of information
Loss of non-repudiation/ authentication ->
auditing & accountability
ƒLoss of availability: -> must avoid
denial of service
(objective: 24/7 availability)
11 Phan Thi Thanh Nga - IT Faculty
Information security threats
Threat:
any situation or event, whether intentional or
unintentional, that will adversely affect a
system and consequently an organization
Loss of confidentiality: -> must
maintain secrecy over data
Note: privacy refers to the need to protect
data about individuals
12 Phan Thi Thanh Nga - IT Faculty
4
5. 2/19/2012
Classes of Threats
Disclosure: unauthorized access to
information
Snooping
Deception: acceptance of false data
Modification, spoofing, repudiation of origin, denial of
receipt
Disruption: interruption or prevention of
correct operation
Modification
ƒ Usurpation: unauthorized control of some
part of a system
Modification, spoofing, delay, denial of service
13 Phan Thi Thanh Nga - IT Faculty
Basic Threats
Snooping:
the unauthorized interception of information.
Some entity is listening to (or reading)
communications or browsing through files or
system information
14 Phan Thi Thanh Nga - IT Faculty
Basic Threats
Modification or alteration
unauthorized change of information, covers
three classes of threats
some entity relies on the modified data to
determine which action to take
incorrect information is accepted as correct
and is released
An example is the man-in-the-middle attack
15 Phan Thi Thanh Nga - IT Faculty
5
6. 2/19/2012
Basic Threats
Masquerading or spoofing
an impersonation of one entity by another, is
a form of both deception and usurpation
It lures a victim into believing that the entity
with which it is communicating is a different
entity.
Some forms of masquerading may be
allowed: delegation
16 Phan Thi Thanh Nga - IT Faculty
Basic Threats
Repudiation of origin
a false denial that an entity sent (or created)
something, is a form of deception
For example, suppose a customer sends a letter to a
vendor agreeing to pay a large amount of money for a
product.
The vendor ships the product and then demands
payment.
The customer denies having ordered the product
The customer has repudiated the origin of the letter. If
the vendor cannot prove that the letter came from the
customer, the attack succeeds.
17 Phan Thi Thanh Nga - IT Faculty
Basic Threats
Denial of receipt
a false denial that an entity received some information
or message, is a form of deception
Suppose a customer orders an expensive product,
but the vendor demands payment before shipment.
The customer pays, and the vendor ships the product.
The customer then asks the vendor when he will
receive the product.
If the customer has already received the product, the
question constitutes a denial of receipt attack
18 Phan Thi Thanh Nga - IT Faculty
6
7. 2/19/2012
Basic Threats
Delay
a temporary inhibition of a service, is a form of
usurpation
delivery of a message or service requires
some time t; if an attacker can force the
delivery to take more than time t, the attacker
has successfully delayed delivery
19 Phan Thi Thanh Nga - IT Faculty
Basic Threats
Denial of service
a long-term inhibition of service, is a form of
usurpation
The attacker prevents a server from providing
a service
The denial may occur at the source, at the
destination, or along the intermediate path
20 Phan Thi Thanh Nga - IT Faculty
Information security threats
Identification: a user claims who s/he is
ƒ uthentication: a mechanism that
A
determines whether a user is who he or she
claims to be (establishing the validity of the
above claim )
something the user knows (e.g., a password,
PIN)
something the user possesses (e.g., an ATM
card)
something the user is (e.g., a voice pattern, a
fingerprint)
21 Phan Thi Thanh Nga - IT Faculty
7
8. 2/19/2012
Access control
Access control:
Closed systems
Open systems
22 Phan Thi Thanh Nga - IT Faculty
Close system
23 Phan Thi Thanh Nga - IT Faculty
Open system
24 Phan Thi Thanh Nga - IT Faculty
8
9. 2/19/2012
Information security threats
25 Phan Thi Thanh Nga - IT Faculty
Information security threats
Protecting Data
Access Control
Encryption
Protecting Data in a Network
Environment
Confidential
Cannot be modified, replayed
Lost packets can be detected
User Identification and Authentication
Auditing
26 Phan Thi Thanh Nga - IT Faculty
Policies and Mechanisms
Policy says what is, and is not,
allowed
This defines “security” for the site/system/etc.
Mechanisms enforce policies
Composition of policies
If policies conflict, discrepancies may create
security vulnerabilities
27 Phan Thi Thanh Nga - IT Faculty
9
10. 2/19/2012
Prevention
Prevent attackers from violating security
policy
Detection
Detect attackers’ violation of security policy
Recovery
Stop attack, assess and repair damage
Continue to function correctly even if attack
succeeds
28 Phan Thi Thanh Nga - IT Faculty
Trust and Assumptions
Underlie all aspects of security
Policies
Unambiguously partition system states
Correctly capture security requirements
Mechanisms
Assumed to enforce policy
Support mechanisms work correctly
29 Phan Thi Thanh Nga - IT Faculty
Types of Mechanisms
30 Phan Thi Thanh Nga - IT Faculty
10
11. 2/19/2012
Assurance
Specification
Requirements analysis
Statement of desired functionality
Design
How system will meet specification
Implementation
Programs/systems that carry out design
31 Phan Thi Thanh Nga - IT Faculty
Operational Issues
Cost-Benefit Analysis
Is it cheaper to prevent or recover?
Risk Analysis
Should we protect something?
How much should we protect this thing?
Laws and Customs
Are desired security measures illegal?
Will people do them?
32 Phan Thi Thanh Nga - IT Faculty
Human Issues
Organizational Problems
Power and responsibility
Financial benefits
People problems
Outsiders and insiders
Social engineering
33 Phan Thi Thanh Nga - IT Faculty
11
12. 2/19/2012
Tying Together
34 Phan Thi Thanh Nga - IT Faculty
Homework
Matt Bishop, Introduction to
Computer Security, Chapter 1
Read more about DAC, MAC, RBAC
35 Phan Thi Thanh Nga - IT Faculty
References
Matt Bishop, Introduction to
Computer Security, Prentice Hall PTR,
2004
36 Phan Thi Thanh Nga - IT Faculty
12