This document provides an overview of a computer and network security course. It discusses what topics will and won't be covered, including security threats, protocols, cryptography, and practical security issues but not advanced cryptography or computer networks. It also defines key security concepts like the CIA triad of confidentiality, integrity and availability. Additional topics covered include security attacks, services, and mechanisms like encryption, authentication, access control and intrusion detection.
This document provides an overview of a computer and network security course. It discusses topics like security needs, threats, and protocols. It will cover security threats, practical security issues, common security protocols, and introductory cryptography. It will not cover advanced cryptography, computer networks, operating systems, or hacking techniques. The document also defines key security concepts like prevention, detection, and reaction. It provides examples of how security is implemented for real world scenarios and online shopping.
This document summarizes key concepts in cryptography and network security. It defines computer, network, and internet security and outlines security services, mechanisms, and common attacks. The document discusses the OSI security architecture and how it defines five major security services: authentication, access control, data confidentiality, data integrity, and non-repudiation. It also summarizes security mechanisms and how to classify security attacks as either passive or active. The document introduces models for network security and network access security and discusses requirements for implementing these models, such as designing encryption algorithms and distributing secret keys.
The document provides an overview of cryptography and network security concepts. It describes the key objectives of studying this topic as understanding security requirements like confidentiality, integrity, and availability. It also discusses types of security threats and attacks. The document summarizes the main cryptographic algorithms and security architecture. It defines security services like authentication, access control, data confidentiality, and data integrity. It also discusses security mechanisms, threats, and attacks in network security.
The document discusses computer security, including its objectives of secrecy, availability, and integrity. It covers security policies, threats like intercepted emails and unauthorized access. The goals of security are outlined as data confidentiality, integrity, and availability. Security mechanisms are used to provide services like confidentiality, integrity, authentication, and access control. Both passive attacks like interception and active attacks like modification are described. The document also discusses security classification, attacks, and tools to achieve security like encryption, public key cryptography, secure communication channels, firewalls, and proxies. It notes the tension between security and other values like ease of use and public safety.
This document discusses information security and the importance of protecting the confidentiality, integrity, and availability of information systems and data. It defines these three aspects of information security and explains how human error, technical issues, fraud, and other threats can compromise systems. The document recommends having response plans, backing up critical data, keeping systems updated, training employees, and other measures to help secure information systems and realize business benefits like increased efficiency, customer confidence, and risk reduction.
Information system security deals with securing systems, information in transit, and establishing security services, mechanisms, and policies. It aims to provide confidentiality, integrity, authentication, and controlled access. Cryptography is the study of mathematical techniques used for these security objectives and includes symmetric and asymmetric encryption methods. Cryptanalysis involves attempting to defeat cryptographic techniques.
This document provides an overview of cryptography and network security concepts from the textbook "Cryptography & Network Security" by William Stallings. It covers topics like confidentiality, integrity, availability, security threats/attacks, security services, security mechanisms, and the OSI security architecture. The document includes chapter objectives, definitions of key terms, descriptions of security concepts, examples, and review questions. The overall purpose is to introduce fundamental cryptography and network security principles.
This document provides information about a network security course, including the instructor's contact details, course schedule, grading policy, reference materials, expectations, and course contents. The course will cover topics such as cryptography, network security applications, system security, and intrusion detection. Students will learn about network security principles, cryptography, authentication and encryption techniques, and security practices and applications.
This document provides an overview of a computer and network security course. It discusses topics like security needs, threats, and protocols. It will cover security threats, practical security issues, common security protocols, and introductory cryptography. It will not cover advanced cryptography, computer networks, operating systems, or hacking techniques. The document also defines key security concepts like prevention, detection, and reaction. It provides examples of how security is implemented for real world scenarios and online shopping.
This document summarizes key concepts in cryptography and network security. It defines computer, network, and internet security and outlines security services, mechanisms, and common attacks. The document discusses the OSI security architecture and how it defines five major security services: authentication, access control, data confidentiality, data integrity, and non-repudiation. It also summarizes security mechanisms and how to classify security attacks as either passive or active. The document introduces models for network security and network access security and discusses requirements for implementing these models, such as designing encryption algorithms and distributing secret keys.
The document provides an overview of cryptography and network security concepts. It describes the key objectives of studying this topic as understanding security requirements like confidentiality, integrity, and availability. It also discusses types of security threats and attacks. The document summarizes the main cryptographic algorithms and security architecture. It defines security services like authentication, access control, data confidentiality, and data integrity. It also discusses security mechanisms, threats, and attacks in network security.
The document discusses computer security, including its objectives of secrecy, availability, and integrity. It covers security policies, threats like intercepted emails and unauthorized access. The goals of security are outlined as data confidentiality, integrity, and availability. Security mechanisms are used to provide services like confidentiality, integrity, authentication, and access control. Both passive attacks like interception and active attacks like modification are described. The document also discusses security classification, attacks, and tools to achieve security like encryption, public key cryptography, secure communication channels, firewalls, and proxies. It notes the tension between security and other values like ease of use and public safety.
This document discusses information security and the importance of protecting the confidentiality, integrity, and availability of information systems and data. It defines these three aspects of information security and explains how human error, technical issues, fraud, and other threats can compromise systems. The document recommends having response plans, backing up critical data, keeping systems updated, training employees, and other measures to help secure information systems and realize business benefits like increased efficiency, customer confidence, and risk reduction.
Information system security deals with securing systems, information in transit, and establishing security services, mechanisms, and policies. It aims to provide confidentiality, integrity, authentication, and controlled access. Cryptography is the study of mathematical techniques used for these security objectives and includes symmetric and asymmetric encryption methods. Cryptanalysis involves attempting to defeat cryptographic techniques.
This document provides an overview of cryptography and network security concepts from the textbook "Cryptography & Network Security" by William Stallings. It covers topics like confidentiality, integrity, availability, security threats/attacks, security services, security mechanisms, and the OSI security architecture. The document includes chapter objectives, definitions of key terms, descriptions of security concepts, examples, and review questions. The overall purpose is to introduce fundamental cryptography and network security principles.
This document provides information about a network security course, including the instructor's contact details, course schedule, grading policy, reference materials, expectations, and course contents. The course will cover topics such as cryptography, network security applications, system security, and intrusion detection. Students will learn about network security principles, cryptography, authentication and encryption techniques, and security practices and applications.
Information security aims to balance information risks and controls. It began with early computer security focused on physical threats. A successful security approach uses multiple layers including physical, personal, operations, communications, network, and information security. Managing information security requires a structured methodology similar to implementing a major system, such as the Security Systems Development Life Cycle.
Chapter 1 Introduction of Cryptography and Network security Dr. Kapil Gupta
(1) Cryptography and network security are important topics that involve terminology like plaintext, ciphertext, encryption, decryption, and cryptanalysis. (2) The document discusses principles of security like confidentiality, integrity, authentication, non-repudiation, and availability and how attacks can compromise them. (3) It also covers security services, mechanisms, and models in the OSI standard to enhance security and counter different types of security attacks.
Ics & computer security for nuclear facilitiesomriyad
The document discusses computer security guidance for nuclear facilities' instrumentation and control (I&C) systems. It reviews Nuclear Security Series No. 17 (NSS-17) and a new publication NST036. NST036 aims to provide more robust guidance on applying computer security throughout the lifecycle of I&C systems, including addressing both safety and security considerations. It outlines key principles like prioritizing safety over security if there is a conflict. The document also discusses potential security controls and measures that could be applied to I&C systems, such as system hardening, application whitelisting, data diodes, and intrusion detection systems. It emphasizes the importance of considering computer security for vendors and during maintenance/testing activities involving
This document discusses security and ethical challenges of information technology. It covers topics like the impacts of IT on society including issues around crime, privacy, employment, health and working conditions. It then discusses the need for security measures like encryption, firewalls, denial of service defenses, email and virus monitoring to minimize errors, fraud and losses. The goal of security management is to balance high quality products with maintaining privacy, security and ethics in society. Some challenges discussed are cyber terrorism and the need for companies and government to work together on security defenses and education.
The document discusses the OSI security architecture and common network security threats and defenses. It begins with an introduction to the OSI security architecture proposed by ITU-T as a standard for defining and providing security across network layers. It then discusses (1) specific security mechanisms like encryption and digital signatures and pervasive mechanisms like security audits; (2) common passive and active security threats like eavesdropping and denial of service attacks; and (3) that passive attacks focus on prevention while active attacks require detection and recovery. It concludes with exercises asking about these topics.
The document discusses the OSI security architecture, including security attacks, services, and mechanisms. It defines passive and active security attacks and lists examples. It also defines security services like authentication, access control, data confidentiality, data integrity, and nonrepudiation. Finally, it discusses security mechanisms like encipherment and the use of secret information shared between principals.
This document provides an introduction to information security concepts. It defines information security as protecting information and systems from unauthorized access, use, disclosure, disruption or destruction. The key aspects of information security are confidentiality, integrity and availability. Basic security terminology like identification, authentication, access control and confidentiality are explained. Common network vulnerabilities like weak passwords, protocol design flaws, and unauthorized access through modems are also discussed. The importance of network security is to protect company assets, gain competitive advantage and ensure regulatory compliance.
Information is processed data obtained from raw facts. Information security aims to safeguard data by ensuring confidentiality, integrity and availability (CIA) through technical, administrative and physical protections. While technology plays an important role, people are the key factor as over 90% of security issues are caused by human error. When online, one should use strong and private passwords, lock computers when unattended, avoid risky sites, beware of email attachments that could contain Trojans, and use tools like SiteAdvisor to surf more safely.
The document discusses implementing a real-time security monitoring and management system using open-source tools. It describes how intrusion detection systems (IDS) can detect attacks by closely monitoring network and system activities. The document then discusses how open-source tools like Snort can be used to build an IDS, providing real-time monitoring to detect intrusions and security violations. It analyzes some advantages and limitations of Snort compared to other open-source IDS tools. Specifically, Snort provides tested signatures and is portable but may face information overload from large rule databases.
Cryptography and Network Security introduces key concepts in information security. It discusses (1) definitions of computer, network, and internet security, (2) the relationship between security services, mechanisms, and attacks, and (3) models for providing network and access security. The goal is to provide a systematic framework for defining security requirements and considering how cryptographic techniques can be used to detect, prevent, and recover from security attacks during data transmission.
The document discusses various security challenges and controls related to information technology and e-commerce. It covers privacy, authenticity, integrity, and reliability as key security requirements. It then describes different types of controls including input controls, processing controls, output controls, storage controls, facility controls like encryption and firewalls, procedural controls, and auditing. Key points around spoofing, outsourcing, information protection goals of confidentiality, integrity and availability are also summarized.
S.Karthika,II-M.sc(Computer Science),Bon Secours college for women,thanjavurvkarthi314
The document discusses network security. It defines computer security, network security, and internet security. The key aspects of network security are confidentiality, integrity, and availability. It describes different types of security attacks like passive attacks involving interception and traffic analysis, and active attacks like masquerade, replay, message modification, and denial of service. It also discusses different impact levels of security breaches and challenges in computer security. Finally, it presents models for network security and network access security.
Vulnerabilities are weaknesses that attackers can exploit to gain unauthorized access to a network or its resources. Attacks are attempts to damage, access, or misuse assets without permission. Network security mechanisms detect, prevent, and recover from attacks using methods like routing control, traffic padding, encryption, access control, digital signatures, and ensuring data integrity.
This document provides an introduction and overview of key concepts in computer and network security. It defines three main security goals of confidentiality, integrity and availability. It also discusses common security attacks that threaten these goals and security services and mechanisms to protect against attacks. Finally, it introduces cryptography and steganography as two main techniques used to implement security mechanisms.
This chapter introduces key concepts in cryptography and network security. It defines computer, network, and internet security and discusses security attacks, services, and mechanisms. The chapter presents models for providing network security and controlling network access security using cryptographic techniques and trusted systems. The overall aim is to understand measures for protecting data transmission and storage.
This document discusses modern network security issues and challenges. It covers topics such as security methods, technology options, wide area network (WAN) security, and a case study on securing a software development company's network. The document also looks at future work needed to help organizations better protect against intensifying malicious attacks and damage.
IT Security and Management - Prelim Lessons by Mark John LadoMark John Lado, MIT
Learning topics:
1. ACCESS CONTROL
2. ASSET MANAGEMENT
3. BUSINESS CONTINUITY
--------------------------------------------------
By the end of this chapter, learners will be able to;
Know about access control.
Differentiate the physical and logical access control.
Engage with different examples of access control.
Apply the role of access control in their future projects.
Recognize about asset management.
Distinguish the three goals of an asset management program.
Engage with different types of IT asset Management.
Elaborate about business continuity.
Engage with the types of business continuity.
Know about the steps for building and executing of business continuity.
Familiarize the business continuity strategy.
This document provides an overview of network security concepts including:
- Types of network security such as access control, application security, email security, and wireless security.
- Security attacks are classified as either passive (eavesdropping) or active (modifying data).
- Security mechanisms are designed to detect, prevent, or recover from security attacks using techniques like cryptography.
- Security services enhance system protection by using mechanisms to counter attacks and replicate functions of physical documents.
- Defense methods include encryption, software/hardware controls, policies, and physical controls.
This document summarizes the key topics covered in a class on network security. It introduces common security concepts like authentication, access control, data confidentiality and integrity. It also discusses common security threats like passive attacks, active attacks, and security services defined by the ITU-T standard X.800. The document provides examples of security mechanisms and an outline of the topics to be covered, including a whirlwind tour of computer networks and an anatomy of an attack in five phases.
This document provides an introduction to basic security concepts, including definitions of security, principles of penetration, and classifications of protection. It discusses goals of security including integrity, confidentiality, and availability. Common security threats are also outlined such as interruption, interception, modification, and fabrication. The document then covers methods of defense for computer security including access controls, encryption, policies, physical controls, and system design approaches. Identification and authentication methods are described for system access control. Data access control and access rights models are also summarized.
UNIT- I & II_ 3R-Cryptography-Lectures_2021-22_VSM.pdfVishwanathMahalle
This document outlines the syllabus for a course on cryptography. It includes 6 units that cover topics such as attacks on computers and computer security, symmetric and asymmetric key algorithms, digital signatures, public key infrastructure, internet security protocols, and user authentication. The objectives of the course are to teach security concepts and the need for security. Key topics covered include types of attacks, symmetric and asymmetric cryptography, encryption and decryption, digital certificates, and authentication methods. References for textbooks and additional reading materials are also provided.
Information security aims to balance information risks and controls. It began with early computer security focused on physical threats. A successful security approach uses multiple layers including physical, personal, operations, communications, network, and information security. Managing information security requires a structured methodology similar to implementing a major system, such as the Security Systems Development Life Cycle.
Chapter 1 Introduction of Cryptography and Network security Dr. Kapil Gupta
(1) Cryptography and network security are important topics that involve terminology like plaintext, ciphertext, encryption, decryption, and cryptanalysis. (2) The document discusses principles of security like confidentiality, integrity, authentication, non-repudiation, and availability and how attacks can compromise them. (3) It also covers security services, mechanisms, and models in the OSI standard to enhance security and counter different types of security attacks.
Ics & computer security for nuclear facilitiesomriyad
The document discusses computer security guidance for nuclear facilities' instrumentation and control (I&C) systems. It reviews Nuclear Security Series No. 17 (NSS-17) and a new publication NST036. NST036 aims to provide more robust guidance on applying computer security throughout the lifecycle of I&C systems, including addressing both safety and security considerations. It outlines key principles like prioritizing safety over security if there is a conflict. The document also discusses potential security controls and measures that could be applied to I&C systems, such as system hardening, application whitelisting, data diodes, and intrusion detection systems. It emphasizes the importance of considering computer security for vendors and during maintenance/testing activities involving
This document discusses security and ethical challenges of information technology. It covers topics like the impacts of IT on society including issues around crime, privacy, employment, health and working conditions. It then discusses the need for security measures like encryption, firewalls, denial of service defenses, email and virus monitoring to minimize errors, fraud and losses. The goal of security management is to balance high quality products with maintaining privacy, security and ethics in society. Some challenges discussed are cyber terrorism and the need for companies and government to work together on security defenses and education.
The document discusses the OSI security architecture and common network security threats and defenses. It begins with an introduction to the OSI security architecture proposed by ITU-T as a standard for defining and providing security across network layers. It then discusses (1) specific security mechanisms like encryption and digital signatures and pervasive mechanisms like security audits; (2) common passive and active security threats like eavesdropping and denial of service attacks; and (3) that passive attacks focus on prevention while active attacks require detection and recovery. It concludes with exercises asking about these topics.
The document discusses the OSI security architecture, including security attacks, services, and mechanisms. It defines passive and active security attacks and lists examples. It also defines security services like authentication, access control, data confidentiality, data integrity, and nonrepudiation. Finally, it discusses security mechanisms like encipherment and the use of secret information shared between principals.
This document provides an introduction to information security concepts. It defines information security as protecting information and systems from unauthorized access, use, disclosure, disruption or destruction. The key aspects of information security are confidentiality, integrity and availability. Basic security terminology like identification, authentication, access control and confidentiality are explained. Common network vulnerabilities like weak passwords, protocol design flaws, and unauthorized access through modems are also discussed. The importance of network security is to protect company assets, gain competitive advantage and ensure regulatory compliance.
Information is processed data obtained from raw facts. Information security aims to safeguard data by ensuring confidentiality, integrity and availability (CIA) through technical, administrative and physical protections. While technology plays an important role, people are the key factor as over 90% of security issues are caused by human error. When online, one should use strong and private passwords, lock computers when unattended, avoid risky sites, beware of email attachments that could contain Trojans, and use tools like SiteAdvisor to surf more safely.
The document discusses implementing a real-time security monitoring and management system using open-source tools. It describes how intrusion detection systems (IDS) can detect attacks by closely monitoring network and system activities. The document then discusses how open-source tools like Snort can be used to build an IDS, providing real-time monitoring to detect intrusions and security violations. It analyzes some advantages and limitations of Snort compared to other open-source IDS tools. Specifically, Snort provides tested signatures and is portable but may face information overload from large rule databases.
Cryptography and Network Security introduces key concepts in information security. It discusses (1) definitions of computer, network, and internet security, (2) the relationship between security services, mechanisms, and attacks, and (3) models for providing network and access security. The goal is to provide a systematic framework for defining security requirements and considering how cryptographic techniques can be used to detect, prevent, and recover from security attacks during data transmission.
The document discusses various security challenges and controls related to information technology and e-commerce. It covers privacy, authenticity, integrity, and reliability as key security requirements. It then describes different types of controls including input controls, processing controls, output controls, storage controls, facility controls like encryption and firewalls, procedural controls, and auditing. Key points around spoofing, outsourcing, information protection goals of confidentiality, integrity and availability are also summarized.
S.Karthika,II-M.sc(Computer Science),Bon Secours college for women,thanjavurvkarthi314
The document discusses network security. It defines computer security, network security, and internet security. The key aspects of network security are confidentiality, integrity, and availability. It describes different types of security attacks like passive attacks involving interception and traffic analysis, and active attacks like masquerade, replay, message modification, and denial of service. It also discusses different impact levels of security breaches and challenges in computer security. Finally, it presents models for network security and network access security.
Vulnerabilities are weaknesses that attackers can exploit to gain unauthorized access to a network or its resources. Attacks are attempts to damage, access, or misuse assets without permission. Network security mechanisms detect, prevent, and recover from attacks using methods like routing control, traffic padding, encryption, access control, digital signatures, and ensuring data integrity.
This document provides an introduction and overview of key concepts in computer and network security. It defines three main security goals of confidentiality, integrity and availability. It also discusses common security attacks that threaten these goals and security services and mechanisms to protect against attacks. Finally, it introduces cryptography and steganography as two main techniques used to implement security mechanisms.
This chapter introduces key concepts in cryptography and network security. It defines computer, network, and internet security and discusses security attacks, services, and mechanisms. The chapter presents models for providing network security and controlling network access security using cryptographic techniques and trusted systems. The overall aim is to understand measures for protecting data transmission and storage.
This document discusses modern network security issues and challenges. It covers topics such as security methods, technology options, wide area network (WAN) security, and a case study on securing a software development company's network. The document also looks at future work needed to help organizations better protect against intensifying malicious attacks and damage.
IT Security and Management - Prelim Lessons by Mark John LadoMark John Lado, MIT
Learning topics:
1. ACCESS CONTROL
2. ASSET MANAGEMENT
3. BUSINESS CONTINUITY
--------------------------------------------------
By the end of this chapter, learners will be able to;
Know about access control.
Differentiate the physical and logical access control.
Engage with different examples of access control.
Apply the role of access control in their future projects.
Recognize about asset management.
Distinguish the three goals of an asset management program.
Engage with different types of IT asset Management.
Elaborate about business continuity.
Engage with the types of business continuity.
Know about the steps for building and executing of business continuity.
Familiarize the business continuity strategy.
This document provides an overview of network security concepts including:
- Types of network security such as access control, application security, email security, and wireless security.
- Security attacks are classified as either passive (eavesdropping) or active (modifying data).
- Security mechanisms are designed to detect, prevent, or recover from security attacks using techniques like cryptography.
- Security services enhance system protection by using mechanisms to counter attacks and replicate functions of physical documents.
- Defense methods include encryption, software/hardware controls, policies, and physical controls.
This document summarizes the key topics covered in a class on network security. It introduces common security concepts like authentication, access control, data confidentiality and integrity. It also discusses common security threats like passive attacks, active attacks, and security services defined by the ITU-T standard X.800. The document provides examples of security mechanisms and an outline of the topics to be covered, including a whirlwind tour of computer networks and an anatomy of an attack in five phases.
This document provides an introduction to basic security concepts, including definitions of security, principles of penetration, and classifications of protection. It discusses goals of security including integrity, confidentiality, and availability. Common security threats are also outlined such as interruption, interception, modification, and fabrication. The document then covers methods of defense for computer security including access controls, encryption, policies, physical controls, and system design approaches. Identification and authentication methods are described for system access control. Data access control and access rights models are also summarized.
UNIT- I & II_ 3R-Cryptography-Lectures_2021-22_VSM.pdfVishwanathMahalle
This document outlines the syllabus for a course on cryptography. It includes 6 units that cover topics such as attacks on computers and computer security, symmetric and asymmetric key algorithms, digital signatures, public key infrastructure, internet security protocols, and user authentication. The objectives of the course are to teach security concepts and the need for security. Key topics covered include types of attacks, symmetric and asymmetric cryptography, encryption and decryption, digital certificates, and authentication methods. References for textbooks and additional reading materials are also provided.
Network security is important for protecting companies and users from various threats. There are many types of network security attacks, including malware, social engineering, and insider threats. These attacks can have major impacts on companies like reduced transactions and stock prices following breaches. Strategies to improve security include using VPNs, cryptography, firewalls, intrusion detection systems, and penetration testing. With greater awareness and education, network security benefits companies through enhanced reputation and protection of valuable information.
CS8792 - Cryptography and Network Securityvishnukp34
this is an engineering subject.this consist of
pgno: 5 - Information security in past & present
pgno: 7 - Aim of Course
pgno: 8 - OSI Security Architecture
pgno: 9 - Security Goals – CIA Triad
pgno: 13 - Aspects of Security
pgno: 17 - ATTACKS
pgno: 22 - Passive Versus Active Attacks
pgno: 23 - SERVICES AND MECHANISMS
This document provides an overview of cryptography and network security. It defines key terms like computer security, network security, and internet security. It describes common security attacks like eavesdropping, tampering, fabrication, and denial of service. It also outlines security services, security mechanisms, and the OSI security architecture. The document models network security and network access security.
This document provides an overview of network security for a course, including discussing cryptography algorithms and protocols, network security applications and tools, system security issues, and standards for internet security. The course will cover topics such as encryption, digital signatures, key exchange, and network security protocols and applications. Students will complete homework assignments, projects implementing cryptography and a secure messaging system, and exams.
This document provides an overview of network security for a course, including discussing cryptography algorithms and protocols, network security applications and tools, system security issues, and standards for internet security. The course will cover topics such as encryption, digital signatures, key exchange, and network security protocols and applications. Students will complete homework assignments, projects implementing cryptography and a secure messaging system, and exams.
This document provides an overview of network security for a course, including discussing cryptography algorithms and protocols, network security applications and tools, system security issues, and standards for internet security. The course will cover topics such as encryption, digital signatures, key exchange, and network security protocols and applications. Students will complete homework assignments, projects implementing cryptography and a secure messaging system, and exams.
This document provides an overview of a university course on Cryptography and Network Security. It begins with the course syllabus, which outlines topics like security concepts, cryptography concepts and techniques, and types of security attacks. It then discusses key security concepts such as security services, security mechanisms, security attacks, and models for network and access security. It provides examples of security services like authentication, access control, and data confidentiality. It also describes security mechanisms and different classes of security attacks. The document concludes by listing reference books, online videos, related courses, tutorials, and sample multiple choice and problems related to cryptography and network security.
Cyber security involves protecting computer systems, networks, and data from malicious attacks and damage. It works to defend against threats through practices like authentication, access control, encryption, and integrity checks. Common security services include authentication to verify identities, access control to restrict unauthorized use of resources, encryption to protect confidential data, and integrity checks to ensure data hasn't been altered. Security mechanisms implement these services using techniques like encryption, digital signatures, access controls, and auditing. Attacks can be passive like eavesdropping or active like masquerading, replaying messages, or denial of service.
This document outlines the key objectives and concepts covered in the Connecting with Computer Science course. The objectives include learning about computer hacking, system intruders, malicious code, social engineering, types of attacks, security measures, passwords, encryption, firewalls, and computer crime laws. The document also discusses ethics and privacy in computing.
Module-1.ppt cryptography and network securityAparnaSunil24
The document provides an overview of cryptography and network security. It begins by defining key terms like computer security, network security, and internet security. It then discusses the OSI security architecture and how it defines security services, mechanisms, and attacks in a systematic way. The document also covers traditional cryptosystems including symmetric key cryptosystems, classical encryption techniques like substitution and transposition ciphers, and examples of monoalphabetic and polyalphabetic ciphers.
Cryptography and Network Security introduces key concepts in information security. It discusses security services like authentication and confidentiality, mechanisms like encryption, and attacks like interception of data. The course will focus on internet security and cryptographic techniques. It presents models for providing security during data transmission and for controlling network access. The goal is a systematic approach to defining security requirements and countering different types of threats.
information security (network security methods)Zara Nawaz
This document provides an overview of information security concepts. It discusses basic security principles like how no system is completely secure but security measures can reduce risks. It then summarizes key aspects of network security such as protecting systems through configuration, detection of issues, and rapid response. Common network security methods are outlined like access control, anti-malware tools, and firewalls. Goals of security like confidentiality, integrity and availability are defined in relation to the CIA triad model. Threats to these goals are also summarized.
This document discusses legal, ethical, and professional issues in information security. It begins by outlining the objectives and outcomes of the lesson, which are to understand these issues. It then provides an overview of security needs like ensuring business continuity, threats like human error and cyber attacks, and how businesses rely on information security to protect functionality, applications, data, and technology assets. Examples of common attacks are also described like malware, backdoors, password cracking, and spoofing. The document emphasizes understanding security needs and threats to make informed decisions about protecting an organization's information.
System security involves protecting assets from unauthorized access both internally and externally. It is a process that reduces risks through various security procedures. Key aspects of security include awareness, access control, identification, authentication, authorization, integrity, confidentiality, and accountability. Common security procedures are firewalls to filter network access, intrusion detection systems to monitor traffic, and cryptography techniques like encryption and digital signatures to authenticate users and ensure message integrity.
This document discusses basic security concepts, including definitions of security, assets, and the principle of easiest penetration. It describes three classifications of protection: prevention, detection, and reaction. Examples are given for physical and cyber security. The goals of security are defined as integrity, confidentiality, and availability. Common security threats are interruption, interception, modification, and fabrication. Vulnerabilities in computing systems can occur in data, software, hardware, and exposed assets. Methods of defense include encryption, software/hardware controls, policies, and physical controls. System access control and data access control are important methods for making systems secure using identification, authentication, and access authorization.
This document discusses basic security concepts. It defines security as protecting computing assets like hardware, software, data and people. There are three types of protection: prevention, detection, and reaction. Prevention methods like locks and firewalls stop damage from occurring. Detection methods like alarms and monitoring find problems. Reaction allows recovering from damage through measures like replacing stolen items or recovering fraudulent charges. The document also discusses security threats, vulnerabilities, and different methods of defense like access controls, encryption, policies and procedures.
The document discusses a technology and security class. It provides an agenda that covers IT news, an exam follow-up, and a focus on security. Under security news, it lists several recent computer virus and hacking incidents. It then discusses common security myths and holds a quick security assessment activity. The rest of the document outlines various security topics like definitions of security concepts, security risks, protection methods, and ways to assess security risks. It emphasizes the importance of backups, strong passwords, and keeping systems updated with patches.
"Choosing proper type of scaling", Olena SyrotaFwdays
Imagine an IoT processing system that is already quite mature and production-ready and for which client coverage is growing and scaling and performance aspects are life and death questions. The system has Redis, MongoDB, and stream processing based on ksqldb. In this talk, firstly, we will analyze scaling approaches and then select the proper ones for our system.
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Keywords: AI, Containeres, Kubernetes, Cloud Native
Event Link: https://meine.doag.org/events/cloudland/2024/agenda/#agendaId.4211
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...DanBrown980551
This LF Energy webinar took place June 20, 2024. It featured:
-Alex Thornton, LF Energy
-Hallie Cramer, Google
-Daniel Roesler, UtilityAPI
-Henry Richardson, WattTime
In response to the urgency and scale required to effectively address climate change, open source solutions offer significant potential for driving innovation and progress. Currently, there is a growing demand for standardization and interoperability in energy data and modeling. Open source standards and specifications within the energy sector can also alleviate challenges associated with data fragmentation, transparency, and accessibility. At the same time, it is crucial to consider privacy and security concerns throughout the development of open source platforms.
This webinar will delve into the motivations behind establishing LF Energy’s Carbon Data Specification Consortium. It will provide an overview of the draft specifications and the ongoing progress made by the respective working groups.
Three primary specifications will be discussed:
-Discovery and client registration, emphasizing transparent processes and secure and private access
-Customer data, centering around customer tariffs, bills, energy usage, and full consumption disclosure
-Power systems data, focusing on grid data, inclusive of transmission and distribution networks, generation, intergrid power flows, and market settlement data
Essentials of Automations: Exploring Attributes & Automation ParametersSafe Software
Building automations in FME Flow can save time, money, and help businesses scale by eliminating data silos and providing data to stakeholders in real-time. One essential component to orchestrating complex automations is the use of attributes & automation parameters (both formerly known as “keys”). In fact, it’s unlikely you’ll ever build an Automation without using these components, but what exactly are they?
Attributes & automation parameters enable the automation author to pass data values from one automation component to the next. During this webinar, our FME Flow Specialists will cover leveraging the three types of these output attributes & parameters in FME Flow: Event, Custom, and Automation. As a bonus, they’ll also be making use of the Split-Merge Block functionality.
You’ll leave this webinar with a better understanding of how to maximize the potential of automations by making use of attributes & automation parameters, with the ultimate goal of setting your enterprise integration workflows up on autopilot.
Getting the Most Out of ScyllaDB Monitoring: ShareChat's TipsScyllaDB
ScyllaDB monitoring provides a lot of useful information. But sometimes it’s not easy to find the root of the problem if something is wrong or even estimate the remaining capacity by the load on the cluster. This talk shares our team's practical tips on: 1) How to find the root of the problem by metrics if ScyllaDB is slow 2) How to interpret the load and plan capacity for the future 3) Compaction strategies and how to choose the right one 4) Important metrics which aren’t available in the default monitoring setup.
In the realm of cybersecurity, offensive security practices act as a critical shield. By simulating real-world attacks in a controlled environment, these techniques expose vulnerabilities before malicious actors can exploit them. This proactive approach allows manufacturers to identify and fix weaknesses, significantly enhancing system security.
This presentation delves into the development of a system designed to mimic Galileo's Open Service signal using software-defined radio (SDR) technology. We'll begin with a foundational overview of both Global Navigation Satellite Systems (GNSS) and the intricacies of digital signal processing.
The presentation culminates in a live demonstration. We'll showcase the manipulation of Galileo's Open Service pilot signal, simulating an attack on various software and hardware systems. This practical demonstration serves to highlight the potential consequences of unaddressed vulnerabilities, emphasizing the importance of offensive security practices in safeguarding critical infrastructure.
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillLizaNolte
HERE IS YOUR WEBINAR CONTENT! 'Mastering Customer Journey Management with Dr. Graham Hill'. We hope you find the webinar recording both insightful and enjoyable.
In this webinar, we explored essential aspects of Customer Journey Management and personalization. Here’s a summary of the key insights and topics discussed:
Key Takeaways:
Understanding the Customer Journey: Dr. Hill emphasized the importance of mapping and understanding the complete customer journey to identify touchpoints and opportunities for improvement.
Personalization Strategies: We discussed how to leverage data and insights to create personalized experiences that resonate with customers.
Technology Integration: Insights were shared on how inQuba’s advanced technology can streamline customer interactions and drive operational efficiency.
From Natural Language to Structured Solr Queries using LLMsSease
This talk draws on experimentation to enable AI applications with Solr. One important use case is to use AI for better accessibility and discoverability of the data: while User eXperience techniques, lexical search improvements, and data harmonization can take organizations to a good level of accessibility, a structural (or “cognitive” gap) remains between the data user needs and the data producer constraints.
That is where AI – and most importantly, Natural Language Processing and Large Language Model techniques – could make a difference. This natural language, conversational engine could facilitate access and usage of the data leveraging the semantics of any data source.
The objective of the presentation is to propose a technical approach and a way forward to achieve this goal.
The key concept is to enable users to express their search queries in natural language, which the LLM then enriches, interprets, and translates into structured queries based on the Solr index’s metadata.
This approach leverages the LLM’s ability to understand the nuances of natural language and the structure of documents within Apache Solr.
The LLM acts as an intermediary agent, offering a transparent experience to users automatically and potentially uncovering relevant documents that conventional search methods might overlook. The presentation will include the results of this experimental work, lessons learned, best practices, and the scope of future work that should improve the approach and make it production-ready.
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...GlobalLogic Ukraine
Під час доповіді відповімо на питання, навіщо потрібно підвищувати продуктивність аплікації і які є найефективніші способи для цього. А також поговоримо про те, що таке кеш, які його види бувають та, основне — як знайти performance bottleneck?
Відео та деталі заходу: https://bit.ly/45tILxj
What is an RPA CoE? Session 1 – CoE VisionDianaGray10
In the first session, we will review the organization's vision and how this has an impact on the COE Structure.
Topics covered:
• The role of a steering committee
• How do the organization’s priorities determine CoE Structure?
Speaker:
Chris Bolin, Senior Intelligent Automation Architect Anika Systems
ScyllaDB is making a major architecture shift. We’re moving from vNode replication to tablets – fragments of tables that are distributed independently, enabling dynamic data distribution and extreme elasticity. In this keynote, ScyllaDB co-founder and CTO Avi Kivity explains the reason for this shift, provides a look at the implementation and roadmap, and shares how this shift benefits ScyllaDB users.
What is an RPA CoE? Session 2 – CoE RolesDianaGray10
In this session, we will review the players involved in the CoE and how each role impacts opportunities.
Topics covered:
• What roles are essential?
• What place in the automation journey does each role play?
Speaker:
Chris Bolin, Senior Intelligent Automation Architect Anika Systems
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...AlexanderRichford
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation Functions to Prevent Interaction with Malicious QR Codes.
Aim of the Study: The goal of this research was to develop a robust hybrid approach for identifying malicious and insecure URLs derived from QR codes, ensuring safe interactions.
This is achieved through:
Machine Learning Model: Predicts the likelihood of a URL being malicious.
Security Validation Functions: Ensures the derived URL has a valid certificate and proper URL format.
This innovative blend of technology aims to enhance cybersecurity measures and protect users from potential threats hidden within QR codes 🖥 🔒
This study was my first introduction to using ML which has shown me the immense potential of ML in creating more secure digital environments!
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving
What began over 115 years ago as a supplier of precision gauges to the automotive industry has evolved into being an industry leader in the manufacture of product branding, automotive cockpit trim and decorative appliance trim. Value-added services include in-house Design, Engineering, Program Management, Test Lab and Tool Shops.
Dandelion Hashtable: beyond billion requests per second on a commodity serverAntonios Katsarakis
This slide deck presents DLHT, a concurrent in-memory hashtable. Despite efforts to optimize hashtables, that go as far as sacrificing core functionality, state-of-the-art designs still incur multiple memory accesses per request and block request processing in three cases. First, most hashtables block while waiting for data to be retrieved from memory. Second, open-addressing designs, which represent the current state-of-the-art, either cannot free index slots on deletes or must block all requests to do so. Third, index resizes block every request until all objects are copied to the new index. Defying folklore wisdom, DLHT forgoes open-addressing and adopts a fully-featured and memory-aware closed-addressing design based on bounded cache-line-chaining. This design offers lock-free index operations and deletes that free slots instantly, (2) completes most requests with a single memory access, (3) utilizes software prefetching to hide memory latencies, and (4) employs a novel non-blocking and parallel resizing. In a commodity server and a memory-resident workload, DLHT surpasses 1.6B requests per second and provides 3.5x (12x) the throughput of the state-of-the-art closed-addressing (open-addressing) resizable hashtable on Gets (Deletes).
AI in the Workplace Reskilling, Upskilling, and Future Work.pptxSunil Jagani
Discover how AI is transforming the workplace and learn strategies for reskilling and upskilling employees to stay ahead. This comprehensive guide covers the impact of AI on jobs, essential skills for the future, and successful case studies from industry leaders. Embrace AI-driven changes, foster continuous learning, and build a future-ready workforce.
Read More - https://bit.ly/3VKly70
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
Network Security
1. 1
CS 432/532
Computer and Network Security
Spring 2019
Albert Levi
levi@sabanciuniv.edu
FENS 1091, ext.9563
2. 2
What is this course about?
This course is to discuss
– security needs
– security services
– security mechanisms and protocols
for data stored in computers and transmitted
across computer networks
3. 3
What we will/won’t cover?
We will cover
– security threats
– practical security issues (practice in labs)
– security protocols in use
– security protocols not in use
– securing computer systems
– introductory cryptography
We will not cover
– advanced cryptography
– computer networks
– operating systems
– computers in general
– how to hack
4. 4
What security is about in
general?
Security is about protection of assets
– D. Gollmann, Computer Security, Wiley
Prevention
– take measures that prevent your assets from
being damaged (or stolen)
Detection
– take measures so that you can detect when, how,
and by whom an asset has been damaged
Reaction
– take measures so that you can recover your
assets
5. 5
Real world example
Prevention
– locks at doors, window bars, secure the walls
around the property, hire a guard
Detection
– missing items, burglar alarms, closed circuit TV
Reaction
– attack on burglar (not recommended ), call the
police, replace stolen items, make an insurance
claim
6. 6
Internet shopping example
Prevention
– encrypt your order and card number, enforce
merchants to do some extra checks, using PIN
even for Internet transactions, don’t send card
number via Internet
Detection
– an unauthorized transaction appears on your
credit card statement
Reaction
– complain, dispute, ask for a new card number, sue
(if you can find of course )
– Or, pay and forget (a glass of cold water)
7. 7
Information security in past & present
Traditional Information Security
– keep the cabinets locked
– put them in a secure room
– human guards
– electronic surveillance systems
– in general: physical and administrative
mechanisms
Modern World
– Data are in computers
– Computers are interconnected
Computer and Network Security
8. 8
Terminology
Computer Security
– 2 main focuses: Information and Computer itself
– tools and mechanisms to protect data in a computer
(actually an automated information system), even if
the computers/system are connected to a network
– tools and mechanisms to protect the information
system itself (hardware, software, firmware, *ware )
Against?
– against hackers (intrusion)
– against viruses
– against denial of service attacks
– etc. (all types of malicious behavior)
9. 9
Terminology
Network and Internet Security
– measures to prevent, detect, and correct security
violations that involve the transmission of
information in a network or interconnected networks
10. 10
A note on security terminology
No single and consistent terminology in the
literature!
Be careful not to confuse while reading
papers and books
See the next slide for some terminology taken
from Stallings and Brown, Computer Security
who took from RFC4949, Internet Security
Glossary
14. The global average cost of cyber
crime/attacks
14
2017 Cost
of Cyber
Crime
Study by
Accenture*
* https://www.accenture.com/t20170926T072837Z__w__/us-en/_acnmedia/PDF-61/Accenture-2017-CostCyberCrimeStudy.pdf
Steeper
increasing
trend in the
recent
years
15. Average cost of cyber crime for
seven countries
15
2017 Cost
of Cyber
Crime
Study by
Accenture*
* https://www.accenture.com/t20170926T072837Z__w__/us-en/_acnmedia/PDF-61/Accenture-2017-CostCyberCrimeStudy.pdf
- Germany
has highest
percentage
increase;
- UK, US
are around
the mean in
percentage
increase
254 institutions
responded
16. A Scattergram of Respondents
16
2017 Cost
of Cyber
Crime
Study by
Accenture*
* https://www.accenture.com/t20170926T072837Z__w__/us-en/_acnmedia/PDF-61/Accenture-2017-CostCyberCrimeStudy.pdf
- Mean is
US$11.7 M
- High
variance
- 163
institutions
are below
mean (out
of 254)
17. Breakdown by Sector
17
2017 Cost
of Cyber
Crime
Study by
Accenture*
* https://www.accenture.com/t20170926T072837Z__w__/us-en/_acnmedia/PDF-61/Accenture-2017-CostCyberCrimeStudy.pdf
- Financial
Services
Sector has
the Highest
Cost due to
Cyber
Crime
18. Types of cyber attacks experienced
18
2017 Cost
of Cyber
Crime
Study by
Accenture*
* https://www.accenture.com/t20170926T072837Z__w__/us-en/_acnmedia/PDF-61/Accenture-2017-CostCyberCrimeStudy.pdf
- Percentage
of the
respondents
experienced
- Ransomware
doubled
19. Deployment Rate of Security
Technologies
19
2017 Cost
of Cyber
Crime
Study by
Accenture*
* https://www.accenture.com/t20170926T072837Z__w__/us-en/_acnmedia/PDF-61/Accenture-2017-CostCyberCrimeStudy.pdf
- Percentage
of the
respondents
experienced
- Ransomware
doubled
20. Annual Return of Investment (RoI)
20
2017 Cost of Cyber Crime
Study by Accenture*
* https://www.accenture.com/t20170926T072837Z__w__/us-en/_acnmedia/PDF-61/Accenture-2017-CostCyberCrimeStudy.pdf
- More or less in
parallel with
deployment rate
- But AI, Data
Mining based
novel techniques
have higher RoI
- Bad performance
for encryption and
DLP, but they are
needed
22. Computer Security Objectives
• Data confidentiality
• Assures that private or confidential information is not made available or
disclosed to unauthorized individuals
• Privacy
• Assures that individuals control or influence what information related to
them may be collected and stored and by whom and to whom that
information may be disclosed
Confidentiality
• Data integrity
• Assures that information changed only in a specified and authorized
manner
• System integrity
• Assures that a system performs its intended function in an unimpaired
manner, free from deliberate or inadvertent unauthorized manipulation of
the system
Integrity
• Assures that systems work promptly and service is not denied to
authorized users
Availability
23. Additional concepts:
Authenticity
• Verifying that users
are who they say
they are and that
each input arriving at
the system came
from a trusted source
Accountability
• Being able to trace
the responsible
party/process/entity
in case of a security
incident or action.
24. 24
Services, Mechanisms, Attacks
3 aspects of information security:
– security attacks (and threats)
• actions that (may) compromise security
– security services
• services counter to attacks
– security mechanisms
• used by services
• e.g. secrecy is a service, encryption (a.k.a.
encipherment) is a mechanism
25. 25
Attacks
Attacks on computer systems
– break-in to destroy information
– break-in to steal information
– blocking to operate properly
– malicious software
• wide spectrum of problems
Source of attacks
– Insiders
– Outsiders
26. 26
Attacks
Network Security
– Active attacks
– Passive attacks
Passive attacks
– interception of the messages
– What can the attacker do?
• use information internally
– hard to understand
• release the content
– can be understood
• traffic analysis
– hard to avoid
– Hard to detect, try to prevent
27. 27
Attacks
Active attacks
– Attacker actively
manipulates
the communication
– Masquerade
• pretend as someone else
• possibly to get more privileges
– Replay
• passively capture data
and send later
– Denial-of-service
• prevention the normal use of
servers, end users, or network
itself
28. 28
Attacks
Active attacks (cont’d)
– deny
• repudiate sending/receiving a message later
– modification
• change the content of a message
29. 29
Security Services
to prevent or detect attacks
to enhance the security
replicate functions of physical
documents
– e.g.
• have signatures, dates
• need protection from disclosure, tampering, or
destruction
• notarize
• record
30. 30
Basic Security Services
Authentication
– assurance that the communicating entity is the
one it claims to be
– peer entity authentication
• mutual confidence in the identities of the parties involved
in a connection
– Data-origin authentication
• assurance about the source of the received data
Access Control
– prevention of the unauthorized use of a resource
– to achieve this, each entity trying to gain access
must first be identified and authenticated, so that
access rights can be tailored to the individual
31. 31
Basic Security Services
Data Confidentiality
– protection of data from unauthorized disclosure
(against eavesdropping)
– traffic flow confidentiality is one step ahead
• this requires that an attacker not be able to observe the
source and destination, frequency, length, or other
characteristics of the traffic on a communications facility
Data Integrity
– assurance that data received are exactly as sent
by an authorized sender
– i.e. no modification, insertion, deletion, or replay
32. 32
Basic Security Services
Non-Repudiation
– protection against denial by one of the
parties in a communication
– Origin non-repudiation
• proof that the message was sent by the
specified party
– Destination non-repudiation
• proof that the message was received by the
specified party
34. Security Mechanisms
Cryptographic Techniques
– will see next
Software and hardware for access limitations
– Firewalls
Intrusion Detection and Prevention Systems
Traffic Padding
– against traffic analysis
Hardware for authentication
– Smartcards, security tokens
Security Policies / Access Control
– define who has access to which resources.
Physical security
– Keep it in a safe place with limited and authorized
physical access 34
35. 35
Cryptographic Security Mechanisms
Encryption (a.k.a. Encipherment)
– use of mathematical algorithms to
transform data into a form that is not
readily intelligible
• keys are involved
36. 36
Cryptographic Security Mechanisms
Message Digest
– similar to encryption, but one-way (recovery not
possible)
– generally no keys are used
Digital Signatures and Message
Authentication Codes
– Data appended to, or a cryptographic
transformation of, a data unit to prove the source
and the integrity of the data
Authentication Exchange
– ensure the identity of an entity by exchanging
some information
37. 37
Security Mechanisms
Notarization
– use of a trusted third party to assure certain
properties of a data exchange
Timestamping
– inclusion of correct date and time within messages
38. 38
And the Oscar goes to …
On top of everything, the most
fundamental problem in security is
–SECURE KEY EXCHANGE
• mostly over an insecure channel
40. 40
Model for Network Security
using this model requires us to:
– design a suitable algorithm for the security
transformation
– generate the secret information (keys) used by the
algorithm
– develop methods to distribute and share the
secret information
– specify a protocol enabling the principals to use
the transformation and secret information for a
security service
42. 42
Model for Network Access Security
using this model requires us to:
– select appropriate gatekeeper functions to
identify users and processes and ensure
only authorized users and processes
access designated information or
resources
– Internal control to monitor the activity and
analyze information to detect unwanted
intruders
43. 43
More on Computer System Security
Based on “Security Policies”
– Set of rules that specify
• How resources are managed to satisfy the security
requirements
• Which actions are permitted, which are not
– Ultimate aim
• Prevent security violations such as unauthorized access,
data loss, service interruptions, etc.
– Scope
• Organizational or Individual
– Implementation
• Partially automated, but mostly humans are involved
– Assurance and Evaluation
• Assurance: degree of confidence to a system
• Security products and systems must be evaluated using
certain criteria in order to decide whether they assure
security or not
44. 44
Aspects of Computer Security
Mostly related to Operating Systems
Similar to those discussed for Network
Security
– Confidentiality
– Integrity
– Availability
– Authenticity
– Accountability
– Dependability
45. 45
Aspects of Computer Security
Confidentiality
– Prevent unauthorised disclosure of information
– Synonyms: Privacy and Secrecy
• any differences? Let’s discuss
Integrity
– two types: data integrity and system integrity
– In general, “make sure that everything is as it is
supposed to be”
– More specifically, “no unauthorized modification,
deletion” on data (data integrity)
– System performs as intended without any
unauthorized manipulations (system integrity)
46. 46
Aspects of Computer Security
Availability
– services should be accessible when needed and
without extra delay
Accountability
– audit information must be selectively kept and
protected so that actions affecting security can be
traced to the responsible party
– How can we do that?
• Users have to be identified and authenticated to have a
basis for access control decisions and to find out
responsible party in case of a violation.
• The security system keeps an audit log (audit trail) of
security relevant events to detect and investigate
intrusions.
Dependability
– Can we trust the system as a whole?
47. Attack Surfaces
An attack surface consists of the reachable and
exploitable vulnerabilities in a system
Examples:
– Open ports on outward facing Web and other
servers, and code listening on those ports
– Services available in a firewall
– Code that processes incoming data, email, XML,
office documents, etc.
– Interfaces and Web forms
– An employee with access to sensitive information
vulnerable to a social engineering attack
48. Attack Surface Categories
Network attack surface
– Refers to vulnerabilities over an enterprise
network, wide-area network, or the Internet
• E.g. DoS, intruders exploiting network protocol
vulnerabilities
Software attack surface
– Refers to vulnerabilities in application, utility,
or operating system code
Human attack surface
– Refers to vulnerabilities created by personnel
or outsiders
– E.g. social engineering, insider traitors
49. 49
Fundamental Dilemma of
Security
“Security unaware users have specific
security requirements but no security
expertise.”
– from D. Gollmann
– Solution: level of security is given in predefined
classes specified in some common criteria
• Orange book (Trusted Computer System Evaluation
Criteria) is such a criteria
50. 50
Fundamental Tradeoff
Between security and ease-of-use
Security may require clumsy and
inconvenient restrictions on users and
processes
“If security is an add-on that people have to do
something special to get, then most of the time they
will not get it”
Martin Hellman,
co-inventor of Public Key Cryptography
51. 51
Good Enough Security
“Everything should be as secure as
necessary, but not securer”
Ravi Sandhu, “Good Enough Security”, IEEE Internet
Computing, January/February 2003, pp. 66- 68.
Read the full article at
http://dx.doi.org/10.1109/MIC.2003.1167341
52. 52
Some Other Security Facts
Not as simple as it might first appear to the novice
Must consider all potential attacks when designing a
system
Generally yields complex and counterintuitive systems
Battle of intelligent strategies between attacker and
admin
Requires regular monitoring
Not considered as a beneficial investment until a security
failure occurs
Actually security investments must be considered as insurance
against attacks
too often an afterthought
Not only from investment point of view, but also from design
point of view