
6 CS1FC16 Information Security

The document discusses information security concepts including confidentiality, integrity, and availability. It covers security threats like viruses, worms, and phishing. The document also discusses security measures for operating systems, networks, encryption, and cloud computing.

Uploaded by

Anna Abcxyz
Copyright
© All Rights Reserved

CS1FC16 INFORMATION SECURITY

Introduction
Information security is concerned with "protecting information and information systems from
unauthorized access, use, disclosure, modification, disruption or destruction".
From the computer security point of view it mainly covers:
• Data security
• Computer security
• Network security
Information security is also concerned with:
• Application security – good practice in programming
• Security operations – day-to-day management of security functions in a computer system
• Physical security – IT infrastructure security, good practice in using computer systems

Key objectives of computer security


The 3 main objectives of computer security are:
• Confidentiality
  o Data confidentiality – protection from unauthorized access
  o Privacy – assuring that individuals can control the collection and storing of information related to themselves
• Integrity
  o Data integrity – protection from unauthorized modifications
  o System integrity – protection from unauthorized manipulation
• Availability – assuring that the system works properly and service is not denied to authorized users
These 3 concepts form the fundamental security objectives.

FIPS199 characterization
• Confidentiality – preserving authorized restrictions on information access and disclosure, including means of protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.
• Integrity – guarding against improper information modification or destruction. A loss of integrity is the unauthorized modification or destruction of information.
• Availability – ensuring timely and reliable access to and use of the information. A loss of availability is the disruption of access to or use of the information.

Additional security concepts


• Authenticity – being able to verify that users are who they say they are
• Accountability – being able to trace actions to the responsible parties

Security concepts and relations


Terminology:
• Threat agent – an entity that attacks or is a threat to the system
• Attack – an assault on system security that derives from an intelligent threat
• Threat – possible danger for violation of security
• Countermeasure – an action taken to deal with a security attack
  o Prevent them if possible
  o Detect and recover if preventing is impossible
• Asset – a resource that owners want to protect. It can be:
  o Software
  o Hardware
  o Data
  o Communication facility

General vulnerabilities of assets:


• Can become corrupted – using them gives incorrect results
• Can become leaky – someone obtains unauthorized access to them
• Can become unavailable – using them becomes impossible

Attacks to computer systems


Attacks can be classified as:
• Active – an attempt to alter resources or their operation
• Passive – an attempt to learn information from the system (doesn't affect resources)

Attacks can also be classified as:


• Inside – initiated by an authorized user
• Outside – initiated from outside of the security perimeter

Types of threats
• Virus – infects a computer by inserting itself into a program. When the program is launched, the virus is executed too.
• Worm – an autonomous program that transfers itself through a network, takes up residence in a computer and forwards copies of itself to other computers
• Trojan horse – a program disguised as a desirable application that, once executed, performs malicious activities in the background
• Spyware – software that collects information about activities on a computer
• Phishing – obtaining information by posing as an institution and asking for it
• Spam – unwanted junk mail, often a medium for phishing and spreading viruses
A computer in a network can also be attacked by software being executed on other computers in the system, e.g. denial of service (DoS): overloading a computer with messages, usually done by planting software on numerous machines that generate messages when a signal is given.

Prevention
Computer security strategy should involve 3 aspects:
• Policy – what is the security scheme supposed to do?
  Developing a security policy is the first step in devising security services. A security policy is a description of the desired system behavior.
  o Factors to consider:
    - Value of the assets
    - System vulnerabilities
    - Potential threats, likelihood of attacks
  o Trade-offs
    - Ease of use vs security
    - Cost of security vs cost of failure and recovery
  Security policy is a business decision, possibly influenced by legal requirements.
• Implementation – how does it do it?
  o Prevention – an ideal scheme is one in which no attack is successful
  o Detection – in a number of cases, absolute protection is not feasible, but it is practical to detect security attacks
  o Response – if an attack is detected, the system may be able to stop it and prevent further damage
  o Recovery after an attack
• Assurance and evaluation – does it really work?
  o Assurance – degree of confidence that the security measures work as intended
  o Evaluation – process of examining a system with respect to certain criteria

Security of an operating system


Security of a computer requires a well-designed, dependable operating system to protect against:
• Attacks from the outside
  The operating system must protect computer resources from unauthorized access – this is done by creating accounts (name, password, privileges) and user authentication. Accounts are established by administrators – highly privileged users who can alter settings and perform other activities denied to normal users. Administrators can also monitor activity to detect destructive behavior – possibly using auditing software for assistance.
• Attacks from within
  Privileged/non-privileged mode – only a limited set of machine instructions is available in unprivileged mode
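
The account model described above (name, password, privileges, with an audit trail for administrators), as an added Python example that is not part of the original notes. The class `AccountStore`, its method names, the `firewall` setting and the sample accounts are constructed for illustration.

```python
import hashlib, hmac, os

class AccountStore:
    """Constructed model of OS accounts: name, password verifier, privileges."""

    def __init__(self):
        self.accounts = {}   # name -> (salt, password_hash, is_admin)
        self.audit_log = []  # (user, action, outcome), reviewed by the administrator

    @staticmethod
    def _hash(password, salt):
        # Slow, salted hash so a stolen account table does not reveal passwords.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def create_account(self, name, password, is_admin=False):
        salt = os.urandom(16)
        self.accounts[name] = (salt, self._hash(password, salt), is_admin)

    def authenticate(self, name, password):
        salt, stored, _ = self.accounts.get(name, (b"\0" * 16, b"", False))
        # Hash even for unknown names and compare in constant time.
        ok = hmac.compare_digest(self._hash(password, salt), stored)
        self.audit_log.append((name, "login", "ok" if ok else "denied"))
        return ok

    def change_setting(self, name, password, setting):
        # Privileged action: needs a valid login AND the administrator privilege.
        allowed = self.authenticate(name, password) and self.accounts[name][2]
        self.audit_log.append((name, "change:" + setting, "ok" if allowed else "denied"))
        return allowed

    def failed_logins(self, name):
        # Auditing aid: repeated denials for one account suggest password guessing.
        return sum(1 for user, action, outcome in self.audit_log
                   if user == name and action == "login" and outcome == "denied")

def demo():
    store = AccountStore()
    store.create_account("root", "constructed-admin-pw", is_admin=True)
    store.create_account("alice", "constructed-user-pw")
    results = [
        store.change_setting("root", "constructed-admin-pw", "firewall"),
        store.change_setting("alice", "constructed-user-pw", "firewall"),
        store.authenticate("alice", "guess1"),
        store.authenticate("alice", "guess2"),
    ]
    return results, store.failed_logins("alice")

if __name__ == "__main__":
    print(demo())
```

The audit log ties each attempt to an account name, which is what makes the accountability concept from earlier in the notes enforceable in practice.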

Network security
• Primary prevention technique is to filter traffic passing through a certain point – usually with a firewall
• Proxy server – software unit that acts as an intermediary between a client and a server – shielding the client from possible adverse actions of the server
• Network auditing software – administrator's tools for identifying problems before they get out of control
• Antivirus software – detects and removes known viruses

Data is often encrypted to protect its confidentiality. Many traditional Internet applications have secure versions, e.g. HTTPS is a secure version of HTTP. It works on the Secure Sockets Layer (SSL) protocol system and uses public key encryption.

Security in cloud computing


Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources.
Characteristics:
• Broad network access
• Rapid elasticity
• Measured service
• On-demand self-service
• Resource pooling
Cloud-specific security threats:
• Abuse of cloud computing – it's easy to get inside the cloud and conduct attacks
• Insecure interfaces and APIs
• Malicious insiders
• Shared technology issue
• Data loss or leakage
• Account or service hijacking
• Unknown risk profile
