Information Security: Terminology - PowerPoint PPT Presentation
Provided by: joanneh5
Slides: 27

Transcript and Presenter's Notes

1
Information Security Terminology
2
  • This course is part of the SCU Information
    Assurance curriculum which was recently certified
    by the Committee on National Systems Security of
    the National Security Agency as meeting the
    standards of the National INFOSEC Education and
    Training Program.
  • http://www.nsa.gov/ia/academia/iace.cfm

3
Reading Assignment
  • Read section 3 of the FAQ at http://www.w3.org/Security/Faq/
  • CERT is a coordination center for Internet
    security operated by Carnegie Mellon. Read the CERT
    article on security at
    http://www.cert.org/encyc_article/tocencyc.html

4
Terminology Overview
  • Attacks, Services and Mechanisms
  • Security Services
  • Threats, Attacks and Vulnerabilities
  • Security Policies and Mechanisms for Defense
  • Readings, standards, etc.

5
Definitions
  • Security Attack: Any action that compromises the
    security of information.
  • Security Mechanism: A mechanism that is designed
    to detect, prevent, or recover from a security
    attack.
  • Security Service: A service that enhances the
    security of data processing systems and
    information transfers. A security service makes
    use of one or more security mechanisms.

6
Security Services (Goals)
  • Confidentiality: concealment of information or
    resources. Includes whether or not data exists.
    Implies authorization so that only authorized
    people can access confidential data.

7
Security Services (cont)
  • Integrity: the trustworthiness and the
    correctness of data or resources. Usually in
    terms of preventing improper or unauthorized
    change. Can have several types of integrity:
    data integrity and origin integrity (was the
    email spoofed?). Two types of integrity services:
    prevention and detection.
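
The two kinds of integrity on this slide can be demonstrated with the Python standard library. The following is an added example, not part of the original slides: data integrity is checked with an unkeyed SHA-256 digest, origin integrity with an HMAC under a key shared only by the legitimate sender and receiver. The message texts, the function names and the keys are constructed for the illustration. The example also shows the gap between the two: an attacker who changes a message can recompute its plain hash, so an unkeyed digest only detects modification if it reaches the receiver by a trusted path, whereas the keyed tag cannot be forged without the key.

```python
import hashlib
import hmac
import secrets


def data_digest(message: bytes) -> str:
    """Data integrity: an unkeyed hash. Any change to the bytes changes the
    digest, so a receiver holding a trusted copy of it detects modification."""
    return hashlib.sha256(message).hexdigest()


def verify_data(message: bytes, expected_digest: str) -> bool:
    # compare_digest avoids leaking where the comparison stopped matching
    return hmac.compare_digest(data_digest(message), expected_digest)


def origin_tag(key: bytes, message: bytes) -> str:
    """Origin integrity: a keyed MAC. Only a holder of the shared key can
    produce a valid tag, so a spoofed message fails even if its hash is right."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_origin(key: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(origin_tag(key, message), tag)


def demo() -> dict:
    """Runs the four checks a receiver would perform and returns the outcomes."""
    key = secrets.token_bytes(32)           # shared by sender and receiver (constructed)
    attacker_key = secrets.token_bytes(32)  # an impostor does not know `key`

    # Constructed sample message and a modified copy of it.
    original = b"From: cfo@example.test\nPay 10,000 to account 12345"
    tampered = b"From: cfo@example.test\nPay 10,000 to account 99999"

    digest = data_digest(original)      # what the receiver trusts
    tag = origin_tag(key, original)

    return {
        # Modification (attack on integrity): the trusted digest no longer matches.
        "original_data_ok": verify_data(original, digest),
        "tampered_data_ok": verify_data(tampered, digest),
        # ...but if the digest travels with the message, the attacker just recomputes it.
        "tampered_with_recomputed_hash_ok": verify_data(tampered, data_digest(tampered)),
        # Fabrication / spoofing (attack on origin integrity): no key, no valid tag.
        "original_origin_ok": verify_origin(key, original, tag),
        "spoofed_origin_ok": verify_origin(key, tampered, origin_tag(attacker_key, tampered)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `tampered_with_recomputed_hash_ok` case is the reason a checksum published next to a download proves nothing on its own: the digest has to come from somewhere the attacker cannot write to, or it has to be keyed (a MAC) or signed.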

8
Security Services (cont)
  • Availability: the ability of authorized entities
    to use the information or resource. Denial of
    service attacks inhibit this service.
  • Confidentiality, Integrity, Availability

9
Vulnerabilities, Threats and Attacks
  • A vulnerability is a weakness in the system that
    might be exploited to cause loss or harm (and a
    violation of security services).
  • A threat is a potential violation of security.
    Security services counter threats.
  • An attack is the actual attempt to violate
    security. It is the manifestation of the threat.

10
Classifying Threats/Attacks
11
Types of Threats/Attacks
  • Interruption: This is an attack on availability
  • Interception: This is an attack on
    confidentiality
  • Modification: This is an attack on integrity
  • Fabrication: This is an attack on integrity

12
Additional Threats/Attacks
  • Repudiation of origin: a false denial that an
    entity sent or created something ("I didn't send
    that order to buy Enron stock the day before it
    crashed"). Attack on integrity.
  • Denial of receipt: a false denial that an entity
    received some information or message ("I didn't
    receive the diamond shipment"). Attack on
    integrity and availability.
  • Denial of Service: long-term inhibition of
    information or service. Attack on availability.

13
Passive and Active Threats
14
Security Policy and Mechanisms
  • A security policy is a statement of what is and
    is not allowed.
  • A security mechanism is a method, tool, or
    procedure for enforcing security policy.
  • These should clearly be separate things.

15
Policy and Mechanism Example
  • Policy: only the systems administrator is
    allowed to access the password file, and then only
    in encrypted form.
  • Mechanism: the password file is not stored in
    clear text, but only in encrypted form with
    algorithm XYZ. The O.S. checks the access
    authorization of any process attempting to read
    the password file immediately before the access,
    and whenever access is denied, that attempt is
    recorded in a log of suspicious activity.
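
The separation this slide draws can be made concrete in code. The following Python is an added example written for this page, not the slide's own: the policy is a plain data structure (who may read the password file, and in what form), and the mechanism is the code that enforces it. The slide's "algorithm XYZ" is unspecified, so PBKDF2-HMAC-SHA256 stands in for it; the `Process` type, the role names and the in-memory `suspicious_log` are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Policy: a statement of what is and is not allowed. It is plain data, kept
# apart from the enforcing code so that either can change without the other.
POLICY = {
    "password_file": {
        "allowed_roles": {"sysadmin"},  # only the systems administrator...
        "stored_form": "hashed",        # ...and only in non-clear-text form
    }
}


@dataclass
class Process:
    pid: int
    user: str
    role: str


@dataclass
class PasswordFile:
    """Mechanism, part 1: passwords are never stored in clear text.
    PBKDF2-HMAC-SHA256 stands in for the slide's unspecified 'algorithm XYZ'."""
    entries: dict = field(default_factory=dict)  # user -> (salt, derived key)

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.entries[user] = (salt, dk)

    def check_password(self, user: str, candidate: str) -> bool:
        """Authentication works from the stored hash; clear text is never needed."""
        if user not in self.entries:
            return False
        salt, dk = self.entries[user]
        trial = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 100_000)
        return hmac.compare_digest(trial, dk)


# Mechanism, part 3: the log of suspicious activity (an in-memory list here).
suspicious_log: list = []


def read_password_file(proc: Process, pwfile: PasswordFile) -> dict:
    """Mechanism, part 2: authorization is checked immediately before the
    access, and every denied attempt is recorded before the caller is refused."""
    rule = POLICY["password_file"]
    if proc.role not in rule["allowed_roles"]:
        suspicious_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "pid": proc.pid, "user": proc.user, "role": proc.role,
            "object": "password_file", "action": "read", "result": "denied",
        })
        raise PermissionError(f"pid {proc.pid} ({proc.user}) may not read the password file")
    # Even the authorized reader sees only the hashed form, as the policy requires.
    return {user: (salt.hex(), dk.hex()) for user, (salt, dk) in pwfile.entries.items()}


if __name__ == "__main__":
    pw = PasswordFile()
    pw.set_password("alice", "correct horse battery")   # constructed sample user
    print(read_password_file(Process(1, "root", "sysadmin"), pw))
    try:
        read_password_file(Process(2, "mallory", "user"), pw)
    except PermissionError as e:
        print("denied:", e)
    print("suspicious activity:", suspicious_log)
```

Changing the policy (say, allowing a `backup` role to read the file) means editing `POLICY`, not `read_password_file`; changing the mechanism (a different hash, a log that goes to syslog) touches the code but leaves the policy statement untouched. That is the separation the slide's last bullet asks for.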

16
Security Mechanisms
  • Prevention, Detection, Recovery
  • Prevention:
      • Encryption
      • Software Controls (DB access limitations,
        operating system process protection)
      • Enforce policies (frequent password change)
      • Physical Controls
  • Detection: Intrusion detection systems (IDS)

17
Prevention Mechanisms
  • Adequate prevention means that an attack will
    fail. Prevention usually involves mechanisms
    that the user cannot override.
  • Prevention mechanisms are often cumbersome; they
    do not always work perfectly, or they fail because
    they are circumvented.
  • Passwords are a prevention mechanism to prevent
    unauthorized access. They fail when the password
    becomes known to a person other than the owner.

18
Detection Mechanisms
  • Detection is used when an attack cannot be
    prevented and it also indicates the effectiveness
    of prevention measures.
  • The goal is to determine that an attack is
    underway or has occurred and report it.
  • Audit logs are detection mechanisms. When you
    log into the design center's Unix servers, the
    system tells you the IP address of the last
    successful login.
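
The "last login" notice is a small detection mechanism: it puts evidence from the audit log in front of the one person who can judge whether it looks right. The Python below is an added example, not code from the slides or from any real login program. It parses a constructed audit log (the line format, user names and addresses are invented for the example) and builds the notice a server could show at login: where the previous successful login came from, how many attempts failed since then, and whether those failures came from addresses the user has never logged in from. Lines that are not login records are skipped rather than breaking the parse.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample audit log (not from any real server), one line per event.
LOG_LINES = """\
2024-03-01T08:00:00Z LOGIN user=alice ip=10.0.0.5 result=success
2024-03-01T20:15:00Z LOGIN user=alice ip=203.0.113.9 result=failure
2024-03-01T20:15:30Z LOGIN user=alice ip=203.0.113.9 result=failure
2024-03-02T09:02:00Z LOGIN user=alice ip=10.0.0.5 result=success
2024-03-02T09:05:00Z CRON job=nightly-backup status=ok
2024-03-02T09:10:00Z LOGIN user=bob ip=10.0.0.7 result=success
""".splitlines()

LINE_RE = re.compile(r"^(\S+) LOGIN user=(\S+) ip=(\S+) result=(success|failure)$")


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user: str
    ip: str
    ok: bool


def parse_line(line: str):
    """One audit line -> LoginEvent, or None for lines that are not login records."""
    m = LINE_RE.match(line)
    if not m:
        return None  # e.g. the CRON line above: skipped, not an error
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return LoginEvent(ts, m.group(2), m.group(3), m.group(4) == "success")


def parse_log(lines):
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    return sorted(events, key=lambda e: e.ts)


def login_report(events, user: str):
    """Treats the user's latest success as the login in progress and reports on
    the previous one; returns None when there is no previous login to show."""
    successes = [e for e in events if e.user == user and e.ok]
    if len(successes) < 2:
        return None
    current, previous = successes[-1], successes[-2]
    failures = [e for e in events
                if e.user == user and not e.ok and previous.ts < e.ts < current.ts]
    known_ips = {e.ip for e in successes[:-1]}   # addresses this user has used before
    failure_ips = sorted({e.ip for e in failures})
    return {
        "previous_login_ip": previous.ip,
        "previous_login_time": previous.ts.isoformat(),
        "failed_attempts": len(failures),
        "failure_ips": failure_ips,
        "unfamiliar_failure_ips": [ip for ip in failure_ips if ip not in known_ips],
    }


def banner(events, user: str) -> str:
    """The text a login program would print from the report."""
    r = login_report(events, user)
    if r is None:
        return f"No previous login recorded for {user}."
    msg = f"Last login: {r['previous_login_time']} from {r['previous_login_ip']}."
    if r["failed_attempts"]:
        msg += (f" {r['failed_attempts']} failed attempt(s) from "
                f"{', '.join(r['failure_ips'])} since then.")
    if r["unfamiliar_failure_ips"]:
        msg += " Those addresses have never logged in as you."
    return msg


if __name__ == "__main__":
    evs = parse_log(LOG_LINES)
    for u in ("alice", "bob"):
        print(f"{u}: {banner(evs, u)}")
```

Nothing here prevents anything; an attacker who guessed alice's password would still get in. What the notice does is make the failed attempts from 203.0.113.9 visible to alice, which is exactly the slide's point: detection tells you that an attack is underway or has occurred, and how well prevention held up.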

19
Recovery
  • Recovery has several aspects. The first is to
    stop an attack and repair the damage.
  • Another is to trace the evidence back to the
    attacker and discover the identity of the
    attacker (this could result in legal
    retaliation).
  • Yet another aspect is to determine the
    vulnerability that was exploited and fix it or
    devise a way of preventing a future attack.

20
Example Private Property
  • Prevention: locks on doors, window bars, walls
    around the property
  • Detection: stolen items are missing, burglar
    alarms, closed circuit TV
  • Recovery: call the police, replace stolen items,
    make an insurance claim

21
Example E-Commerce
  • Prevention: encrypt your orders, rely on the
    merchant to perform checks on the caller, don't
    use the Internet (?)
  • Detection: an unauthorized transaction appears on
    your credit card statement
  • Recovery: complain, ask for a new card number,
    etc.
  • Footnote: Your credit card number has not been
    "stolen". Your card can be stolen, but not the
    number: you still have it. Confidentiality is violated.

22
Problems with Security Mechanisms
  • Laws and Customs - is it legal? Might not be
    legal to retaliate against an attacker.
  • Is it acceptable practice? How many hoops do we
    have to jump through to authenticate?
  • Is it convenient? Users with security needs are
    often not aware of vulnerabilities and will not
    put up with excessive cost and inconvenience.

23
Other Terminology
  • CompuSec: computer security (protect computers
    and the information in them)
  • ComSec: communication security (protect
    information as it is transmitted)
  • OpSec: operations security (security policies and
    procedures)

24
Non-required but Worth a Glance
  • Common Vulnerabilities and Exposures
    http://www.cve.mitre.org/
  • SANS top 20 vulnerabilities http://www.sans.org/top20/
  • NIST Computer Security Resource Center
    http://csrc.nist.gov/

25
What the Government is Doing
  • National Strategy to Secure Cyberspace
    http://www.whitehouse.gov/pcipb/

26
What you can do
  • Scholarships for IA study at a designated CAE
  • http://www.c3i.osd.mil/iasp/studentsMain.htm
  • http://cisr.nps.navy.mil/scholarships.html
  • IA at SCU
  • AMTH 387 Cryptology
  • COEN 250 Info Security Management
  • COEN 252 Computer Forensics
  • COEN 253 Secure Systems Development
  • COEN 350 Secure Distributed Systems
  • COEN 351 Internet and E-Commerce Security