Week 1 - Information Security

This document provides an overview of information security concepts. It defines security and discusses types of security such as physical security and network security. It outlines possible security violations such as unauthorized access and data interception. It describes the consequences of security threats, such as exposure, deception and disruption. It explains the key objectives of computer security, including confidentiality, integrity and availability. It also discusses authenticity, accountability and the CIA triad. The document outlines the OSI security architecture and defines security attacks and services.

Uploaded by

Tahir Bashir

Information Security
Week 1

Roadmap
• Security?
• Security types
• Possible security violations
• Threat consequences
• Key objectives of computer security
• OSI security architecture
• Security policy
• Security terminology

What is Security?
• “The quality or state of being secure—to be free from danger”
• A successful organization should have multiple layers of security in place:
  • Physical security
  • Personal security
  • Operations security
  • Communications security
  • Network security
  • Information security

What is security?
• The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information
• Necessary tools: policy, awareness, training, education, technology

Definitions
• Computer Security - generic name for the collection of tools designed to protect data and to thwart hackers
• Network Security - measures to protect data during their transmission over a network
• Internet Security - measures to protect data during their transmission over a collection of interconnected networks

Information security:
• a “well-informed sense of assurance that the information risks and controls are in balance.” — Jim Anderson, (2002)

Network and Internet security
• The field of network and Internet security consists of measures to deter, prevent, detect, and correct security violations that involve the transmission of information.

Possible security violations:
• User A transmits a file to user B. The file contains sensitive information (e.g., payroll records) that is to be protected from disclosure. User C, who is not authorized to read the file, is able to monitor the transmission and capture a copy of the file during its transmission.
• D transmits a message to computer E, instructing E to update an authorization file. User F intercepts the message, alters its contents to add or delete entries, and forwards it to E, which accepts the message as being from D.
• User F constructs its own message and transmits it to E as if it came from D.
• A party denies having sent a message.

Threat Consequences
Unauthorized disclosure is a threat to confidentiality.
• Exposure: This can be deliberate or be the result of a human, hardware, or software error
• Interception: unauthorized access to data
• Inference: e.g., traffic analysis, use of limited access to get detailed information
• Intrusion: unauthorized access to sensitive data

Threat Consequences
Deception is a threat to either system or data integrity.
• Masquerade: e.g., an attempt by an unauthorized user to gain access to a system by posing as an authorized user; Trojan horse.
• Falsification: altering or replacing of valid data or the introduction of false data
• Repudiation: denial of sending, receiving or possessing the data.

Threat Consequences
Disruption is a threat to availability or system integrity.
• Incapacitation: a result of physical destruction of or damage to system hardware
• Corruption: system resources or services function in an unintended manner; unauthorized modification
• Obstruction: e.g., overload the system or interfere with communications

Threat Consequences
Usurpation is a threat to system integrity.
• Misappropriation: e.g., theft of service, distributed denial of service attack
• Misuse: security functions can be disabled or thwarted

Key Objectives of Computer Security:
Three key objectives of computer security are:
• Confidentiality
• Integrity
• Availability
Two additional, commonly mentioned security concepts are:
• Authenticity
• Accountability

Confidentiality:
This term covers two related concepts:
• Data confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorized individuals.
• Privacy: Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.

Integrity
This term covers two related concepts:
• Data integrity: Assures that information and programs are changed only in a specified and authorized manner.
• System integrity: Assures that a system performs its intended function in an unimpaired manner, free from inadvertent unauthorized manipulation of the system.

Availability
• Assures that systems work promptly and service is not denied to authorized users.

CIA Triad

Authenticity:
• The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator.
• This means verifying that users are who they say they are and that each input arriving at the system came from a trusted source.

Accountability
• The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.

OSI Security architecture
• ITU-T X.800, Security Architecture for OSI, defines a systematic way of defining and providing security requirements
• It provides a useful, although abstract, overview of network security concepts
• The OSI security architecture focuses on
  • security attack
  • security mechanism
  • security service

Security Attack
• any action that compromises the security of information owned by an organization
• information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems
• there is a wide range of attacks

Threat vs. Attack
• Threat: a circumstance or scenario with the potential to exploit a vulnerability and cause harm to a system.
• Attack: a deliberate attempt to breach system security.
• Note: threat and attack are often used to mean the same thing

Classify Security Attacks
• PASSIVE ATTACKS - eavesdropping on, or monitoring of, transmissions to:
  • obtain message contents, or
  • monitor traffic flows
• ACTIVE ATTACKS - modification of data stream to:
  • masquerade of one entity as some other
  • replay previous messages
  • modify messages in transit
  • denial of service
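
An added example, not part of the original slides: how receiver E in the authorization-file scenario can detect three of the active attacks listed above (modification, masquerade, replay) using a keyed message authentication code and a sequence number. The names `protect`, `Receiver` and `SHARED_KEY`, and the message contents, are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample key shared by D and E (assumption: a real key comes from a key store).
SHARED_KEY = b"constructed-demo-key-D-and-E"


def protect(key: bytes, seq: int, body: str) -> dict:
    """Sender D: bind a sequence number and body together under an HMAC tag."""
    payload = json.dumps({"seq": seq, "body": body}, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "tag": tag}


class Receiver:
    """Receiver E: accepts a message only if it is authentic, intact and fresh."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0  # highest sequence number accepted so far

    def accept(self, msg: dict) -> str:
        expected = hmac.new(self.key, msg["payload"].encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison; a mismatch means modification or masquerade.
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: bad tag"
        seq = json.loads(msg["payload"])["seq"]
        if seq <= self.last_seq:
            return "rejected: replay"
        self.last_seq = seq
        return "accepted"


def demo() -> list:
    e = Receiver(SHARED_KEY)
    genuine = protect(SHARED_KEY, 1, "add user alice to authorization file")
    modified = dict(genuine, payload=genuine["payload"].replace("alice", "mallory"))
    forged = protect(b"key-guessed-by-F", 2, "add user mallory to authorization file")
    return [
        e.accept(modified),  # modification in transit
        e.accept(forged),    # masquerade: F does not hold the shared key
        e.accept(genuine),   # the real message from D
        e.accept(genuine),   # replay of a previously accepted message
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Because D and E hold the same key, this check does not counter repudiation (either party could have produced the tag), and it does nothing against passive eavesdropping; those call for digital signatures and encipherment respectively.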

Passive attack

Active attack

Security Service
• is something that enhances the security of the data processing systems and the information transfers of an organization
• intended to counter security attacks
• makes use of one or more security mechanisms to provide the service
• replicates functions normally associated with physical documents
  • e.g., documents have signatures and dates; need protection from disclosure, tampering, or destruction; are notarized or witnessed; are recorded or licensed

Security Services
X.800 defines it as:
A service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers
RFC 2828 defines it as:
A processing or communication service provided by a system to give a specific kind of protection to system resources
X.800 defines security services in 5 major categories

Security Services (X.800)
• Authentication - assurance that the communicating entity is the one claimed
• Access Control - prevention of the unauthorized use of a resource
• Data Confidentiality - protection of data from unauthorized disclosure
• Data Integrity - assurance that data received is as sent by an authorized entity
• Non-Repudiation - protection against denial by one of the parties in a communication

Security Mechanism
• A mechanism that is designed to detect, prevent, or recover from a security attack.
• Examples of mechanisms are encryption algorithms, digital signatures, and authentication protocols.

Security Mechanisms (X.800)
• specific security mechanisms:
  • encipherment, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization
• pervasive security mechanisms:
  • trusted functionality, security labels, event detection, security audit trails, security recovery

Security Policy
• At the least, a security policy is an informal description of desired systems behaviors.
• More usefully, a security policy is a formal statement of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources.

Factors to consider while developing a Security Policy
• The value of the asset being protected
• The vulnerabilities of the system
• Potential threats

Computer Security Terminology
• Adversary (threat agent) - An entity that attacks, or is a threat to, a system.
• Attack - An assault on system security that derives from an intelligent threat; a deliberate attempt to evade security services and violate security policy of a system.
• Countermeasure - An action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.
• Risk - An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result.
• Security Policy - A set of rules and practices that specify how a system or organization provides security services to protect sensitive and critical system resources.
• System Resource (Asset) - Data; a service provided by a system; a system capability; an item of system equipment; a facility that houses system operations and equipment.
• Threat - A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.
• Vulnerability - Flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy.

Security Concepts and Relationships

Further Readings
• Computer Security by William Stallings and Lawrie Brown
• Cryptography and Network Security by William Stallings, 6th Edition, 2012

Questions
