This chapter introduces fundamental concepts of computer and network security. It defines computer security and discusses security objectives of confidentiality, integrity, and availability. It also outlines common security attacks like passive eavesdropping and active modifications. The chapter then explains security services like authentication, access control, data confidentiality and integrity, non-repudiation, and availability. It provides models for network security and discusses standards organizations like NIST and IETC.
The document provides an overview of key concepts in internet security. It discusses computer security objectives like confidentiality, integrity and availability. It describes common security services defined by OSI like authentication, access control, data confidentiality, data integrity and non-repudiation. It also summarizes common security threats like passive attacks involving eavesdropping and active attacks aiming to modify systems. Standards bodies that define internet security standards like NIST and IETC are also mentioned.
This document provides information about the 60-467 Network Security course taught by Dr. Robert D. Kent at the University of Windsor. The 3-sentence summary is:
The course introduces advanced topics in network security including encryption, authentication, intrusion detection, and security of email and web access. Students must complete a midterm exam, individual research essay, presentation, and two projects (individual and group). The course website provides basic information, requirements are outlined, and the textbook for the course is Cryptography and Network Security by William Stallings which covers topics such as cryptography algorithms, network security services, and security attacks.
This document provides an overview of cryptography and network security concepts from the textbook "Cryptography & Network Security" by William Stallings. It covers topics like confidentiality, integrity, availability, security threats/attacks, security services, security mechanisms, and the OSI security architecture. The document includes chapter objectives, definitions of key terms, descriptions of security concepts, examples, and review questions. The overall purpose is to introduce fundamental cryptography and network security principles.
Module-1.ppt cryptography and network securityAparnaSunil24
The document provides an overview of cryptography and network security. It begins by defining key terms like computer security, network security, and internet security. It then discusses the OSI security architecture and how it defines security services, mechanisms, and attacks in a systematic way. The document also covers traditional cryptosystems including symmetric key cryptosystems, classical encryption techniques like substitution and transposition ciphers, and examples of monoalphabetic and polyalphabetic ciphers.
information security (network security methods)Zara Nawaz
This document provides an overview of information security concepts. It discusses basic security principles like how no system is completely secure but security measures can reduce risks. It then summarizes key aspects of network security such as protecting systems through configuration, detection of issues, and rapid response. Common network security methods are outlined like access control, anti-malware tools, and firewalls. Goals of security like confidentiality, integrity and availability are defined in relation to the CIA triad model. Threats to these goals are also summarized.
Cryptography is the study and practice of techniques for secure communication in the presence of third parties. It deals with developing and analysing protocols which prevents malicious third parties from retrieving information being shared between two entities. Some key principles of cryptography include confidentiality, data integrity, authentication, and non-repudiation. Cryptography is widely applied in computer security, network security, and internet security. Common techniques include symmetric encryption algorithms, cryptanalysis methods, and the use of substitution and transposition ciphers.
Cryptography and Network Security introduces key concepts in information security. It discusses (1) definitions of computer, network, and internet security, (2) the relationship between security services, mechanisms, and attacks, and (3) models for providing network and access security. The goal is to provide a systematic framework for defining security requirements and considering how cryptographic techniques can be used to detect, prevent, and recover from security attacks during data transmission.
The document provides an overview of key concepts in internet security. It discusses computer security objectives like confidentiality, integrity and availability. It describes common security services defined by OSI like authentication, access control, data confidentiality, data integrity and non-repudiation. It also summarizes common security threats like passive attacks involving eavesdropping and active attacks aiming to modify systems. Standards bodies that define internet security standards like NIST and IETC are also mentioned.
This document provides information about the 60-467 Network Security course taught by Dr. Robert D. Kent at the University of Windsor. The 3-sentence summary is:
The course introduces advanced topics in network security including encryption, authentication, intrusion detection, and security of email and web access. Students must complete a midterm exam, individual research essay, presentation, and two projects (individual and group). The course website provides basic information, requirements are outlined, and the textbook for the course is Cryptography and Network Security by William Stallings which covers topics such as cryptography algorithms, network security services, and security attacks.
This document provides an overview of cryptography and network security concepts from the textbook "Cryptography & Network Security" by William Stallings. It covers topics like confidentiality, integrity, availability, security threats/attacks, security services, security mechanisms, and the OSI security architecture. The document includes chapter objectives, definitions of key terms, descriptions of security concepts, examples, and review questions. The overall purpose is to introduce fundamental cryptography and network security principles.
Module-1.ppt cryptography and network securityAparnaSunil24
The document provides an overview of cryptography and network security. It begins by defining key terms like computer security, network security, and internet security. It then discusses the OSI security architecture and how it defines security services, mechanisms, and attacks in a systematic way. The document also covers traditional cryptosystems including symmetric key cryptosystems, classical encryption techniques like substitution and transposition ciphers, and examples of monoalphabetic and polyalphabetic ciphers.
information security (network security methods)Zara Nawaz
This document provides an overview of information security concepts. It discusses basic security principles like how no system is completely secure but security measures can reduce risks. It then summarizes key aspects of network security such as protecting systems through configuration, detection of issues, and rapid response. Common network security methods are outlined like access control, anti-malware tools, and firewalls. Goals of security like confidentiality, integrity and availability are defined in relation to the CIA triad model. Threats to these goals are also summarized.
Cryptography is the study and practice of techniques for secure communication in the presence of third parties. It deals with developing and analysing protocols which prevents malicious third parties from retrieving information being shared between two entities. Some key principles of cryptography include confidentiality, data integrity, authentication, and non-repudiation. Cryptography is widely applied in computer security, network security, and internet security. Common techniques include symmetric encryption algorithms, cryptanalysis methods, and the use of substitution and transposition ciphers.
Cryptography and Network Security introduces key concepts in information security. It discusses (1) definitions of computer, network, and internet security, (2) the relationship between security services, mechanisms, and attacks, and (3) models for providing network and access security. The goal is to provide a systematic framework for defining security requirements and considering how cryptographic techniques can be used to detect, prevent, and recover from security attacks during data transmission.
The document discusses cloud security concepts, threats, and challenges. It defines key terms like threat, vulnerability, risk, and asset. It describes common cloud security threats such as traffic eavesdropping, malicious intermediary, denial of service attacks, and overlapping trust boundaries. It also discusses virtual machine (VM) security challenges, including VM escape, external modification of VMs or hypervisors, and mixed trust level VMs. Finally, it outlines security risks in areas like policy, technology, legal issues, and others.
The document discusses various types of attacks on computer security including passive attacks like eavesdropping and traffic analysis, and active attacks like masquerade, replay, message modification, and denial of service. It defines security fundamentals such as confidentiality, integrity, availability, authentication, access control, and non-repudiation. It also outlines security services like authentication, access control, data confidentiality, data integrity, and non-repudiation. Specific security mechanisms described include encipherment and digital signatures.
This document provides an overview of key concepts in computer and information security. It discusses cyber security, data security, network security, and authentication, authorization and accounting (AAA). It also covers the NIST FIPS 199 standard for categorizing information systems based on potential impact, and different methodologies for modeling assets and threats such as STRIDE, PASTA, Trike and VAST. The key topics are introduced at a high level with definitions and examples to provide the essential information about common computer security concepts and frameworks.
Chapter 1 Introduction of Cryptography and Network security Dr. Kapil Gupta
(1) Cryptography and network security are important topics that involve terminology like plaintext, ciphertext, encryption, decryption, and cryptanalysis. (2) The document discusses principles of security like confidentiality, integrity, authentication, non-repudiation, and availability and how attacks can compromise them. (3) It also covers security services, mechanisms, and models in the OSI standard to enhance security and counter different types of security attacks.
This document discusses key concepts in security and risk management, including the CIA triad of confidentiality, integrity, and availability. It introduces principles of least privilege and need to know. Organizational roles in security governance and compliance are defined. Laws and frameworks related to information security are also summarized.
This document discusses key concepts in security and risk management, including the CIA triad of confidentiality, integrity, and availability. It explains various security principles such as least privilege and need to know. Organizational roles in security governance and compliance are defined. Common techniques for threat modeling like STRIDE and frameworks for risk analysis are also introduced.
Cryptography and Network Security introduces key concepts in information security. It discusses security services like authentication and confidentiality, mechanisms like encryption, and attacks like interception of data. The course will focus on internet security and cryptographic techniques. It presents models for providing security during data transmission and for controlling network access. The goal is a systematic approach to defining security requirements and countering different types of threats.
The document provides an introduction to cryptography, outlining key security objectives like confidentiality, integrity, and availability. It discusses security attacks, services, and mechanisms, explaining techniques like encryption, digital signatures, and access control. The document also covers cryptanalysis methods like known plaintext attacks that try to derive the encryption key from samples of plaintext and ciphertext.
This document provides an introduction to information security. It discusses the key concepts of security including the layers of security (physical, personal, operations, etc.) and defines information security as protecting information systems and data. The document outlines the critical characteristics of information security - confidentiality, integrity, availability, authorization, authentication, identification, and accountability. It then provides more detail on each of these concepts. The document also discusses emerging security technologies, education in cybersecurity, and the components that make up an information system including software, hardware, data, people, procedures, and networks. It covers types of attacks, securing system components, and the systems development life cycle as a methodology for implementing security.
This document discusses various types of security attacks and mechanisms. It describes passive attacks like eavesdropping and traffic analysis, as well as active attacks like masquerading, replaying, modifying messages, and denial of service. It also covers security services like authentication, access control, data confidentiality, integrity, non-repudiation, and availability. Finally, it discusses standards for internet security including RFCs, the standardization process, and standard categories.
This document provides an overview of network security. It discusses security attacks like passive attacks (eavesdropping) and active attacks (modifying data). It outlines security services like confidentiality, authentication, integrity, non-repudiation, and access control. It also discusses methods of defense against attacks, including encryption, software/hardware controls, security policies, and physical controls. The document defines key security terms and concepts.
Big data analytics document discusses security attacks and services in computer networks. It describes passive attacks like traffic analysis that involve monitoring communications, and active attacks like masquerading and message modification that disrupt communications. It also outlines five security services: availability, access control, authentication, data confidentiality, and data integrity. Specific security mechanisms are also listed that can be implemented at different network layers, like encryption and digital signatures, to provide these security services and defend against attacks.
This document provides an overview of information security and network security. It discusses security attacks like passive attacks (release of message contents, traffic analysis) and active attacks (masquerade, replay, modification, denial of service). It also covers security mechanisms, services (authentication, access control, data confidentiality, data integrity, nonrepudiation), and basic encryption terminology (plaintext, ciphertext, cipher, encryption, secret key, decryption, cryptanalysis). The document is a lecture on security that outlines these key concepts and issues.
Information and network security 2 nist security definitionVaibhav Khanna
Protection against intentional subversion or forced failure. A composite of four attributes – confidentiality, integrity, availability, and accountability – plus aspects of a fifth, usability, all of which have the related issue of their assurance
This document discusses types of attacks on computer and network security. It defines passive and active attacks. Passive attacks monitor systems for information without interaction and include interception and traffic analysis attacks. Interception involves unauthorized access to messages. Traffic analysis examines communication patterns. Active attacks make unauthorized changes and include masquerade, interruption, fabrication, session replay, modification, and denial of service attacks. Masquerade involves assuming another user's identity. Interruption obstructs communication. Fabrication inserts fake messages. Session replay steals login information. Modification alters packet addresses or data. Denial of service deprives access by overwhelming the target.
This document discusses types of attacks on computer and network security. It defines passive and active attacks. Passive attacks monitor systems without interaction and include interception and traffic analysis attacks. Interception involves unauthorized access to messages. Traffic analysis examines communication patterns. Active attacks make unauthorized changes and include masquerade, interruption, fabrication, session replay, modification, and denial of service attacks. Masquerade involves assuming another user's identity. Interruption obstructs communication. Fabrication inserts fake messages. Session replay steals login information. Modification alters packet addresses or data. Denial of service deprives access by overwhelming the target.
The document provides an overview of cryptography and network security concepts. It describes the key objectives of studying this topic as understanding security requirements like confidentiality, integrity, and availability. It also discusses types of security threats and attacks. The document summarizes the main cryptographic algorithms and security architecture. It defines security services like authentication, access control, data confidentiality, and data integrity. It also discusses security mechanisms, threats, and attacks in network security.
E content,S.Abirami,II-M.sc(computer Science),Bon Secours college for womenAbiramis19
E-content network security introduction discusses network security and different security attacks and services. It details ways networks can be made secure using various security mechanisms at different OSI layers. Security attacks are divided into passive and active categories. Passive attacks involve monitoring communications while active attacks modify communications. Security services include availability, access control, authentication, data confidentiality, and data integrity. Specific security mechanisms include encryption, digital signatures, and traffic padding while pervasive mechanisms involve trusted functionality and security auditing. The document provides an overview of key network security concepts and terminology.
The document discusses cloud security concepts, threats, and challenges. It defines key terms like threat, vulnerability, risk, and asset. It describes common cloud security threats such as traffic eavesdropping, malicious intermediary, denial of service attacks, and overlapping trust boundaries. It also discusses virtual machine (VM) security challenges, including VM escape, external modification of VMs or hypervisors, and mixed trust level VMs. Finally, it outlines security risks in areas like policy, technology, legal issues, and others.
The document discusses various types of attacks on computer security including passive attacks like eavesdropping and traffic analysis, and active attacks like masquerade, replay, message modification, and denial of service. It defines security fundamentals such as confidentiality, integrity, availability, authentication, access control, and non-repudiation. It also outlines security services like authentication, access control, data confidentiality, data integrity, and non-repudiation. Specific security mechanisms described include encipherment and digital signatures.
This document provides an overview of key concepts in computer and information security. It discusses cyber security, data security, network security, and authentication, authorization and accounting (AAA). It also covers the NIST FIPS 199 standard for categorizing information systems based on potential impact, and different methodologies for modeling assets and threats such as STRIDE, PASTA, Trike and VAST. The key topics are introduced at a high level with definitions and examples to provide the essential information about common computer security concepts and frameworks.
Chapter 1 Introduction of Cryptography and Network security Dr. Kapil Gupta
(1) Cryptography and network security are important topics that involve terminology like plaintext, ciphertext, encryption, decryption, and cryptanalysis. (2) The document discusses principles of security like confidentiality, integrity, authentication, non-repudiation, and availability and how attacks can compromise them. (3) It also covers security services, mechanisms, and models in the OSI standard to enhance security and counter different types of security attacks.
This document discusses key concepts in security and risk management, including the CIA triad of confidentiality, integrity, and availability. It introduces principles of least privilege and need to know. Organizational roles in security governance and compliance are defined. Laws and frameworks related to information security are also summarized.
This document discusses key concepts in security and risk management, including the CIA triad of confidentiality, integrity, and availability. It explains various security principles such as least privilege and need to know. Organizational roles in security governance and compliance are defined. Common techniques for threat modeling like STRIDE and frameworks for risk analysis are also introduced.
Cryptography and Network Security introduces key concepts in information security. It discusses security services like authentication and confidentiality, mechanisms like encryption, and attacks like interception of data. The course will focus on internet security and cryptographic techniques. It presents models for providing security during data transmission and for controlling network access. The goal is a systematic approach to defining security requirements and countering different types of threats.
The document provides an introduction to cryptography, outlining key security objectives like confidentiality, integrity, and availability. It discusses security attacks, services, and mechanisms, explaining techniques like encryption, digital signatures, and access control. The document also covers cryptanalysis methods like known plaintext attacks that try to derive the encryption key from samples of plaintext and ciphertext.
This document provides an introduction to information security. It discusses the key concepts of security including the layers of security (physical, personal, operations, etc.) and defines information security as protecting information systems and data. The document outlines the critical characteristics of information security - confidentiality, integrity, availability, authorization, authentication, identification, and accountability. It then provides more detail on each of these concepts. The document also discusses emerging security technologies, education in cybersecurity, and the components that make up an information system including software, hardware, data, people, procedures, and networks. It covers types of attacks, securing system components, and the systems development life cycle as a methodology for implementing security.
This document discusses various types of security attacks and mechanisms. It describes passive attacks like eavesdropping and traffic analysis, as well as active attacks like masquerading, replaying, modifying messages, and denial of service. It also covers security services like authentication, access control, data confidentiality, integrity, non-repudiation, and availability. Finally, it discusses standards for internet security including RFCs, the standardization process, and standard categories.
This document provides an overview of network security. It discusses security attacks like passive attacks (eavesdropping) and active attacks (modifying data). It outlines security services like confidentiality, authentication, integrity, non-repudiation, and access control. It also discusses methods of defense against attacks, including encryption, software/hardware controls, security policies, and physical controls. The document defines key security terms and concepts.
Big data analytics document discusses security attacks and services in computer networks. It describes passive attacks like traffic analysis that involve monitoring communications, and active attacks like masquerading and message modification that disrupt communications. It also outlines five security services: availability, access control, authentication, data confidentiality, and data integrity. Specific security mechanisms are also listed that can be implemented at different network layers, like encryption and digital signatures, to provide these security services and defend against attacks.
This document provides an overview of information security and network security. It discusses security attacks like passive attacks (release of message contents, traffic analysis) and active attacks (masquerade, replay, modification, denial of service). It also covers security mechanisms, services (authentication, access control, data confidentiality, data integrity, nonrepudiation), and basic encryption terminology (plaintext, ciphertext, cipher, encryption, secret key, decryption, cryptanalysis). The document is a lecture on security that outlines these key concepts and issues.
Information and network security 2 nist security definitionVaibhav Khanna
Protection against intentional subversion or forced failure. A composite of four attributes – confidentiality, integrity, availability, and accountability – plus aspects of a fifth, usability, all of which have the related issue of their assurance
This document discusses types of attacks on computer and network security. It defines passive and active attacks. Passive attacks monitor systems for information without interaction and include interception and traffic analysis attacks. Interception involves unauthorized access to messages. Traffic analysis examines communication patterns. Active attacks make unauthorized changes and include masquerade, interruption, fabrication, session replay, modification, and denial of service attacks. Masquerade involves assuming another user's identity. Interruption obstructs communication. Fabrication inserts fake messages. Session replay steals login information. Modification alters packet addresses or data. Denial of service deprives access by overwhelming the target.
This document discusses types of attacks on computer and network security. It defines passive and active attacks. Passive attacks monitor systems without interaction and include interception and traffic analysis attacks. Interception involves unauthorized access to messages. Traffic analysis examines communication patterns. Active attacks make unauthorized changes and include masquerade, interruption, fabrication, session replay, modification, and denial of service attacks. Masquerade involves assuming another user's identity. Interruption obstructs communication. Fabrication inserts fake messages. Session replay steals login information. Modification alters packet addresses or data. Denial of service deprives access by overwhelming the target.
The document provides an overview of cryptography and network security concepts. It describes the key objectives of studying this topic as understanding security requirements like confidentiality, integrity, and availability. It also discusses types of security threats and attacks. The document summarizes the main cryptographic algorithms and security architecture. It defines security services like authentication, access control, data confidentiality, and data integrity. It also discusses security mechanisms, threats, and attacks in network security.
E content,S.Abirami,II-M.sc(computer Science),Bon Secours college for womenAbiramis19
E-content network security introduction discusses network security and different security attacks and services. It details ways networks can be made secure using various security mechanisms at different OSI layers. Security attacks are divided into passive and active categories. Passive attacks involve monitoring communications while active attacks modify communications. Security services include availability, access control, authentication, data confidentiality, and data integrity. Specific security mechanisms include encryption, digital signatures, and traffic padding while pervasive mechanisms involve trusted functionality and security auditing. The document provides an overview of key network security concepts and terminology.
Discover the benefits of outsourcing SEO to Indiadavidjhones387
"Discover the benefits of outsourcing SEO to India! From cost-effective services and expert professionals to round-the-clock work advantages, learn how your business can achieve digital success with Indian SEO solutions.
Instagram has become one of the most popular social media platforms, allowing people to share photos, videos, and stories with their followers. Sometimes, though, you might want to view someone's story without them knowing.
Ready to Unlock the Power of Blockchain!Toptal Tech
Imagine a world where data flows freely, yet remains secure. A world where trust is built into the fabric of every transaction. This is the promise of blockchain, a revolutionary technology poised to reshape our digital landscape.
Toptal Tech is at the forefront of this innovation, connecting you with the brightest minds in blockchain development. Together, we can unlock the potential of this transformative technology, building a future of transparency, security, and endless possibilities.
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfFlorence Consulting
Quattordicesimo Meetup di Milano, tenutosi a Milano il 23 Maggio 2024 dalle ore 17:00 alle ore 18:30 in presenza e da remoto.
Abbiamo parlato di come Axpo Italia S.p.A. ha ridotto il technical debt migrando le proprie APIs da Mule 3.9 a Mule 4.4 passando anche da on-premises a CloudHub 1.0.
Gen Z and the marketplaces - let's translate their needsLaura Szabó
The product workshop focused on exploring the requirements of Generation Z in relation to marketplace dynamics. We delved into their specific needs, examined the specifics in their shopping preferences, and analyzed their preferred methods for accessing information and making purchases within a marketplace. Through the study of real-life cases , we tried to gain valuable insights into enhancing the marketplace experience for Generation Z.
The workshop was held on the DMA Conference in Vienna June 2024.
Understanding User Behavior with Google Analytics.pdfSEO Article Boost
Unlocking the full potential of Google Analytics is crucial for understanding and optimizing your website’s performance. This guide dives deep into the essential aspects of Google Analytics, from analyzing traffic sources to understanding user demographics and tracking user engagement.
Traffic Sources Analysis:
Discover where your website traffic originates. By examining the Acquisition section, you can identify whether visitors come from organic search, paid campaigns, direct visits, social media, or referral links. This knowledge helps in refining marketing strategies and optimizing resource allocation.
User Demographics Insights:
Gain a comprehensive view of your audience by exploring demographic data in the Audience section. Understand age, gender, and interests to tailor your marketing strategies effectively. Leverage this information to create personalized content and improve user engagement and conversion rates.
Tracking User Engagement:
Learn how to measure user interaction with your site through key metrics like bounce rate, average session duration, and pages per session. Enhance user experience by analyzing engagement metrics and implementing strategies to keep visitors engaged.
Conversion Rate Optimization:
Understand the importance of conversion rates and how to track them using Google Analytics. Set up Goals, analyze conversion funnels, segment your audience, and employ A/B testing to optimize your website for higher conversions. Utilize ecommerce tracking and multi-channel funnels for a detailed view of your sales performance and marketing channel contributions.
Custom Reports and Dashboards:
Create custom reports and dashboards to visualize and interpret data relevant to your business goals. Use advanced filters, segments, and visualization options to gain deeper insights. Incorporate custom dimensions and metrics for tailored data analysis. Integrate external data sources to enrich your analytics and make well-informed decisions.
This guide is designed to help you harness the power of Google Analytics for making data-driven decisions that enhance website performance and achieve your digital marketing objectives. Whether you are looking to improve SEO, refine your social media strategy, or boost conversion rates, understanding and utilizing Google Analytics is essential for your success.
3. The combination of space, time, and strength that must be
considered as the basic elements of this theory of
defense makes this a fairly complicated matter.
Consequently, it is not easy to find a fixed point of
departure.
— On War, Carl Von Clausewitz
The art of war teaches us to rely not on the likelihood of the
enemy's not coming, but on our own readiness to receive
him; not on the chance of his not attacking, but rather on
the fact that we have made our position unassailable.
—The Art of War, Sun Tzu
4. Computer Security Concepts
• Before the widespread use of data processing equipment, the
security of information valuable to an organization was provided
primarily by physical and administrative means
• With the introduction of the computer, the need for automated tools
for protecting files and other information stored on the computer
became evident
• Another major change that affected security is the introduction of
distributed systems and the use of networks and communications
facilities for carrying data between terminal user and computer and
between computer and computer
• Computer security
• The generic name for the collection of tools designed to protect data and
to thwart hackers
• internet security (lower case “i” refers to any interconnected
collection of network)
• Consists of measures to deter, prevent, detect, and correct security
violations that involve the transmission of information
5. Computer
Security
“The protection afforded
to an automated
information system in
order to attain the
applicable objectives of
preserving the integrity,
availability, and
confidentiality of
information system
resources (includes
hardware, software,
firmware,
information/data, and
telecommunications)”
The NIST Computer
Security Handbook defines
the term computer security
as:
6. Computer Security
Objectives
• Data confidentiality
• Assures that private or confidential information is not made available or
disclosed to unauthorized individuals
• Privacy
• Assures that individuals control or influence what information related to them
may be collected and stored and by whom and to whom that information may
be disclosed
Confidentiality
• Data integrity
• Assures that information and programs are changed only in a specified and
authorized manner
• System integrity
• Assures that a system performs its intended function in an unimpaired manner,
free from deliberate or inadvertent unauthorized manipulation of the system
Integrity
• Assures that systems work promptly and service is not denied to
authorized users
Availability
8. Possible additional concepts:
Authenticity
• Verifying that users
are who they say
they are and that
each input arriving at
the system came
from a trusted source
Accountability
• The security goal
that generates the
requirement for
actions of an entity to
be traced uniquely to
that entity
9. Breach of Security
Levels of Impact
• The loss could be expected to have a severe or
catastrophic adverse effect on organizational
operations, organizational assets, or individuals
High
• The loss could be expected to have a
serious adverse effect on
organizational operations,
organizational assets, or individuals
Moderate
• The loss could be
expected to have a limited
adverse effect on
organizational operations,
organizational assets, or
individuals
Low
10. Examples of Security
Requirements
Confidentiality
Student grade
information is an asset
whose confidentiality is
considered to be highly
important by students
Regulated by the Family
Educational Rights and
Privacy Act (FERPA)
Integrity
Patient information
stored in a database –
inaccurate information
could result in serious
harm or death to a
patient and expose the
hospital to massive
liability
A Web site that offers a
forum to registered users
to discuss some specific
topic would be assigned
a moderate level of
integrity
An example of a low-
integrity requirement is an
anonymous online poll
Availability
The more critical a
component or service,
the higher the level of
availability required
A moderate availability
requirement is a public
Web site for a university
An online telephone
directory lookup
application would be
classified as a low-
availability requirement
11. Computer Security
Challenges
• Security is not simple
• Potential attacks on the
security features need to be
considered
• Procedures used to provide
particular services are often
counter-intuitive
• It is necessary to decide
where to use the various
security mechanisms
• Requires constant
monitoring
• Is too often an afterthought
• Security mechanisms
typically involve more than a
particular algorithm or
protocol
• Security is essentially a
battle of wits between a
perpetrator and the designer
• Little benefit from security
investment is perceived until
a security failure occurs
• Strong security is often
viewed as an impediment to
efficient and user-friendly
operation
12. OSI Security Architecture
• Security attack
• Any action that compromises the security of information
owned by an organization
• Security mechanism
• A process (or a device incorporating such a process) that is
designed to detect, prevent, or recover from a security attack
• Security service
• A processing or communication service that enhances the
security of the data processing systems and the information
transfers of an organization
• Intended to counter security attacks, and they make use of
one or more security mechanisms to provide the service
14. Security Attacks
•A means of classifying security
attacks, used both in X.800 and RFC
4949, is in terms of passive attacks
and active attacks
•A passive attack attempts to learn
or make use of information from the
system but does not affect system
resources
•An active attack attempts to alter
system resources or affect their
operation
15. Passive Attacks
• Two types of passive
attacks are:
• The release of message
contents
• Traffic analysis
• Are in the nature of
eavesdropping on, or
monitoring of,
transmissions
• Goal of the opponent is to
obtain information that is
being transmitted
16. Active Attacks
• Involve some modification of the
data stream or the creation of a
false stream
• Difficult to prevent because of
the wide variety of potential
physical, software, and network
vulnerabilities
• Goal is to detect attacks and to
recover from any disruption or
delays caused by them
• Takes place when one entity
pretends to be a different entity
• Usually includes one of the other
forms of active attack
Masquerade
• Involves the passive capture of a
data unit and its subsequent
retransmission to produce an
unauthorized effect
Replay
• Some portion of a legitimate
message is altered, or messages
are delayed or reordered to
produce an unauthorized effect
Modification
of messages
• Prevents or inhibits the normal use
or management of
communications facilities
Denial of
service
17. Security Services
• Defined by X.800 as:
• A service provided by a protocol layer of communicating
open systems and that ensures adequate security of the
systems or of data transfers
•Defined by RFC 4949 as:
• A processing or communication service provided by a
system to give a specific kind of protection to system
resources
18. X.800 Service Categories
• Authentication
• Access control
• Data confidentiality
• Data integrity
• Nonrepudiation
20. Authentication
• Concerned with assuring that a communication is
authentic
• In the case of a single message, assures the recipient
that the message is from the source that it claims to be
from
• In the case of ongoing interaction, assures the two
entities are authentic and that the connection is not
interfered with in such a way that a third party can
masquerade as one of the two legitimate parties
Two specific authentication services are defined in X.800:
• Peer entity authentication
• Data origin authentication
21. Access Control
• The ability to limit and control the access to host
systems and applications via communications links
• To achieve this, each entity trying to gain access
must first be indentified, or authenticated, so that
access rights can be tailored to the individual
22. Data Confidentiality
• The protection of transmitted data from passive attacks
• Broadest service protects all user data transmitted between
two users over a period of time
• Narrower forms of service include the protection of a single
message or even specific fields within a message
• The protection of traffic flow from analysis
• This requires that an attacker not be able to observe the
source and destination, frequency, length, or other
characteristics of the traffic on a communications facility
23. Data Integrity
Can apply to a stream of messages, a single
message, or selected fields within a message
Connection-oriented integrity service deals with a
stream of messages and assures that messages
are received as sent with no duplication,
insertion, modification, reordering, or replays
A connectionless integrity service deals with
individual messages without regard to any larger
context and generally provides protection against
message modification only
24. Nonrepudiation
• Prevents either sender or receiver from denying a
transmitted message
• When a message is sent, the receiver can prove that
the alleged sender in fact sent the message
• When a message is received, the sender can prove
that the alleged receiver in fact received the
message
25. Availability service
• Availability
• The property of a system or a system resource being
accessible and usable upon demand by an authorized
system entity, according to performance specifications
for the system
• Availability service
• One that protects a system to ensure its availability
• Addresses the security concerns raised by denial-of-
service attacks
• Depends on proper management and control of
system resources
29. Unwanted Access
• Placement in a computer
system of logic that exploits
vulnerabilities in the system
and that can affect
application programs as
well as utility programs
Programs can
present two kinds of
threats:
Information access
threats
Intercept or modify
data on behalf of
users who should
not have access to
that data
Service threats
Exploit service
flaws in computers
to inhibit use by
legitimate users
30. standards
NIST
• National Institute of Standards
and Technology
• U.S. federal agency that deals
with measurement science,
standards, and technology related
to U.S. government use and to the
promotion of U.S. private-sector
innovation
• NIST Federal Information
Processing Standards (FIPS) and
Special Publications (SP) have a
worldwide impact
ISOC
• Internet Society
• Professional membership society
with worldwide organizational and
individual membership
• Provides leadership in addressing
issues that confront the future of
the Internet
• Is the organization home for the
groups responsible for Internet
infrastructure standards, including
the Internet Engineering Task
Force (IETF) and the Internet
Architecture Board (IAB)
• Internet standards and related
specifications are published as
Requests for Comments (RFCs)
31. Summary
• Computer security
concepts
• Definition
• Examples
• Challenges
• The OSI security
architecture
• Security attacks
• Passive attacks
• Active attacks
• Security services
• Authentication
• Access control
• Data confidentiality
• Data integrity
• Nonrepudiation
• Availability service
• Security mechanisms
• Model for network security
• Standards