2/19/2012   General Security Concepts              IT Faculty – Dalat University                    February - 2012       ...
2/19/2012                  Basic ComponentsConfidentiality   Access control mechanisms support confidentiality.   One a...
2/19/2012                  Basic Components Availability   Enabling access to data and resources   A secure system make...
2/19/2012                Basic Components Vulnerability   An error or weakness in design,    implementation or operation...
2/19/2012                 Classes of Threats Disclosure: unauthorized access to  information    Snooping Deception: acc...
2/19/2012                    Basic Threats Masquerading or spoofing   an impersonation of one entity by another, is    a...
2/19/2012                 Basic ThreatsDelay  a temporary inhibition of a service, is a form of   usurpation  delivery ...
2/19/2012             Access control Access control:   Closed systems   Open systems                     22       Phan ...
2/19/2012        Information security threats                          25          Phan Thi Thanh Nga - IT Faculty        ...
2/19/2012Prevention   Prevent attackers from violating security    policyDetection   Detect attackers’ violation of se...
2/19/2012                  Assurance Specification   Requirements analysis   Statement of desired functionalityDesign ...
2/19/2012            Tying Together                   34        Phan Thi Thanh Nga - IT Faculty              Homework Mat...
Upcoming SlideShare
Loading in …5
×

Part01 general security concepts

593 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
593
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
9
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Part01 general security concepts

  1. 1. 2/19/2012 General Security Concepts IT Faculty – Dalat University February - 2012 LOGO OutlineComponents of computer securityThreats and VulnerabilitiesPolicies and mechanismsThe role of trustAssuranceOperational IssuesHuman Issues 2 Phan Thi Thanh Nga - IT Faculty Basic ComponentsConfidentiality  Keeping data and resources hidden  A secure system ensures the confidentiality of data. This means that it allows individuals to see only the data that they are supposed to see 3 Phan Thi Thanh Nga - IT Faculty 1
  2. 2. 2/19/2012 Basic ComponentsConfidentiality  Access control mechanisms support confidentiality.  One access control mechanism for preserving confidentiality is cryptography  Other system-dependent mechanisms can prevent processes from illicitly accessing information  Confidentiality also applies to the existence of data, which is sometimes more revealing than the data itself  Resource hiding is another important aspect of confidentiality: configuration, equipment,… 4 Phan Thi Thanh Nga - IT Faculty Basic ComponentsIntegrity  Integrity refers to the trustworthiness of data or resources, and it is usually phrased in terms of preventing improper or unauthorized change  Data integrity (integrity)  Origin integrity (authentication) 5 Phan Thi Thanh Nga - IT Faculty Basic ComponentsIntegrity  A secure system ensures that the data it contains is valid.  Data integrity means that data is protected from deletion and corruption, both while it resides within the database, and while it is being transmitted over the network  Integrity mechanisms fall into two classes: prevention mechanisms and detection mechanisms. 6 Phan Thi Thanh Nga - IT Faculty 2
  3. 3. 2/19/2012 Basic Components Availability  Enabling access to data and resources  A secure system makes data available to authorized users, without delay. Denial-of- service attacks are attempts to block authorized users’ ability to access and use the system when needed 7 Phan Thi Thanh Nga - IT Faculty Basic Components Confidentiality Integrity Avaliability 8 Phan Thi Thanh Nga - IT Faculty Basic ComponentsAuthentication  assurance that the communicating entity is the one claimedAccess Control  prevention of the unauthorized use of a resource 9 Phan Thi Thanh Nga - IT Faculty 3
  4. 4. 2/19/2012 Basic Components Vulnerability  An error or weakness in design, implementation or operationThreat  An adversary motivated and capable of exploiting a vulnerabilityAttack  The means (sequence of actions) of exploiting a vulnerability 10 Phan Thi Thanh Nga - IT Faculty Information security threats Loss of integrity: -> must prevent the improper modification of information  Loss of non-repudiation/ authentication -> auditing & accountabilityƒLoss of availability: -> must avoid denial of service  (objective: 24/7 availability) 11 Phan Thi Thanh Nga - IT Faculty Information security threatsThreat:  any situation or event, whether intentional or unintentional, that will adversely affect a system and consequently an organizationLoss of confidentiality: -> must maintain secrecy over data  Note: privacy refers to the need to protect data about individuals 12 Phan Thi Thanh Nga - IT Faculty 4
  5. 5. 2/19/2012 Classes of Threats Disclosure: unauthorized access to information  Snooping Deception: acceptance of false data  Modification, spoofing, repudiation of origin, denial of receipt Disruption: interruption or prevention of correct operation  Modificationƒ Usurpation: unauthorized control of some part of a system  Modification, spoofing, delay, denial of service 13 Phan Thi Thanh Nga - IT Faculty Basic ThreatsSnooping: the unauthorized interception of information. Some entity is listening to (or reading) communications or browsing through files or system information 14 Phan Thi Thanh Nga - IT Faculty Basic ThreatsModification or alteration  unauthorized change of information, covers three classes of threats  some entity relies on the modified data to determine which action to take  incorrect information is accepted as correct and is released  An example is the man-in-the-middle attack 15 Phan Thi Thanh Nga - IT Faculty 5
  6. 6. 2/19/2012 Basic Threats Masquerading or spoofing  an impersonation of one entity by another, is a form of both deception and usurpation  It lures a victim into believing that the entity with which it is communicating is a different entity.  Some forms of masquerading may be allowed: delegation 16 Phan Thi Thanh Nga - IT Faculty Basic Threats Repudiation of origin  a false denial that an entity sent (or created) something, is a form of deception  For example, suppose a customer sends a letter to a vendor agreeing to pay a large amount of money for a product.  The vendor ships the product and then demands payment.  The customer denies having ordered the product  The customer has repudiated the origin of the letter. If the vendor cannot prove that the letter came from the customer, the attack succeeds. 17 Phan Thi Thanh Nga - IT Faculty Basic ThreatsDenial of receipt  a false denial that an entity received some information or message, is a form of deception  Suppose a customer orders an expensive product, but the vendor demands payment before shipment.  The customer pays, and the vendor ships the product. The customer then asks the vendor when he will receive the product.  If the customer has already received the product, the question constitutes a denial of receipt attack 18 Phan Thi Thanh Nga - IT Faculty 6
  7. 7. 2/19/2012 Basic ThreatsDelay  a temporary inhibition of a service, is a form of usurpation  delivery of a message or service requires some time t; if an attacker can force the delivery to take more than time t, the attacker has successfully delayed delivery 19 Phan Thi Thanh Nga - IT Faculty Basic ThreatsDenial of service  a long-term inhibition of service, is a form of usurpation  The attacker prevents a server from providing a service  The denial may occur at the source, at the destination, or along the intermediate path 20 Phan Thi Thanh Nga - IT Faculty Information security threats Identification: a user claims who s/he is ƒ uthentication: a mechanism that A determines whether a user is who he or she claims to be (establishing the validity of the above claim )  something the user knows (e.g., a password, PIN)  something the user possesses (e.g., an ATM card)  something the user is (e.g., a voice pattern, a fingerprint) 21 Phan Thi Thanh Nga - IT Faculty 7
  8. 8. 2/19/2012 Access control Access control:  Closed systems  Open systems 22 Phan Thi Thanh Nga - IT Faculty Close system 23 Phan Thi Thanh Nga - IT Faculty Open system 24 Phan Thi Thanh Nga - IT Faculty 8
  9. 9. 2/19/2012 Information security threats 25 Phan Thi Thanh Nga - IT Faculty Information security threats Protecting Data  Access Control  EncryptionProtecting Data in a Network Environment  Confidential  Cannot be modified, replayed  Lost packets can be detectedUser Identification and AuthenticationAuditing 26 Phan Thi Thanh Nga - IT Faculty Policies and Mechanisms Policy says what is, and is not, allowed  This defines “security” for the site/system/etc.Mechanisms enforce policiesComposition of policies  If policies conflict, discrepancies may create security vulnerabilities 27 Phan Thi Thanh Nga - IT Faculty 9
  10. 10. 2/19/2012Prevention  Prevent attackers from violating security policyDetection  Detect attackers’ violation of security policyRecovery  Stop attack, assess and repair damage  Continue to function correctly even if attack succeeds 28 Phan Thi Thanh Nga - IT Faculty Trust and Assumptions Underlie all aspects of securityPolicies  Unambiguously partition system states  Correctly capture security requirementsMechanisms  Assumed to enforce policy  Support mechanisms work correctly 29 Phan Thi Thanh Nga - IT Faculty Types of Mechanisms 30 Phan Thi Thanh Nga - IT Faculty 10
  11. 11. 2/19/2012 Assurance Specification  Requirements analysis  Statement of desired functionalityDesign  How system will meet specificationImplementation  Programs/systems that carry out design 31 Phan Thi Thanh Nga - IT Faculty Operational Issues Cost-Benefit Analysis  Is it cheaper to prevent or recover?Risk Analysis  Should we protect something?  How much should we protect this thing?Laws and Customs  Are desired security measures illegal?  Will people do them? 32 Phan Thi Thanh Nga - IT Faculty Human Issues Organizational Problems  Power and responsibility  Financial benefitsPeople problems  Outsiders and insiders  Social engineering 33 Phan Thi Thanh Nga - IT Faculty 11
  12. 12. 2/19/2012 Tying Together 34 Phan Thi Thanh Nga - IT Faculty Homework Matt Bishop, Introduction to Computer Security, Chapter 1Read more about DAC, MAC, RBAC 35 Phan Thi Thanh Nga - IT Faculty References Matt Bishop, Introduction to Computer Security, Prentice Hall PTR, 2004 36 Phan Thi Thanh Nga - IT Faculty 12

×