03_Handout_1.pdf

Full Transcript

IT2028

Security Attacks deliberate or inadvertent unauthorized manipulation of
Security Objectives (Torra, 2018) the system.
The identification of security objectives is the first step you can Availability ensures that systems work promptly and the service
take to help ensure the security of your application. is not denied to authorized users. A loss of availability is the
Security objectives are goals and constraints that affect the disruption of access to or use of information or an information
confidentiality, integrity, and availability of your data and system.
application. Authenticity: The property of being genuine and being able to
Although the use of the CIA triad to define security objectives is be verified and trusted; confidence in the validity of a
well established, many in the security field feel that additional transmission, a message, or a message originator. This means
concepts are needed to present a complete picture, as illustrated verifying that users are who they say they are and that each input
in Figure 1. arriving at the system came from a trusted source.
Accountability: The security goal that generates the
requirement for actions of an entity to be traced uniquely to that
entity. This supports nonrepudiation, deterrence, fault isolation,
intrusion detection and prevention, and after-action recovery and
legal action. Because truly secure systems are not yet an
achievable goal, it must be possible to trace a security breach to
a responsible party. Systems must keep records of their activities
to permit later forensic analysis to trace security breaches or to
aid in transaction disputes.

OSI Security Architecture (Torra, 2018)
The security architecture for Open Systems Interconnection
(OSI) defines a general security architecture that is useful to
managers as a way of organizing the task of providing security
This standardized architecture defines security requirements.
Figure 1. Security Objectives The key concepts that are covered in these sections are
summarized in Figures 2-3.
Confidentiality: Also known as data confidentiality, this property o Security attacks are any action that compromises the
means that information is not made available or disclosed to security of information owned by an organization.
unauthorized individuals, entities, or processes. A loss of o Security attacks attempt to gain unauthorized access to
confidentiality is the unauthorized disclosure of information. information resources or services, or cause harm or
Integrity: This term covers two (2) related concepts: damage to information systems.
o Data integrity ensures that data (both stored and is
transmitted packets) and programs are changed only in
a specified and authorized manner. A loss of data
integrity is the unauthorized modification or destruction
of information.
o System integrity ensures that a system performs its
intended function in an unimpaired manner, free from
03 Handout 1 *Property of STI
 [email protected] Page 1 of 3
 IT2028

unencrypted email or telephone call and intercept it for
sensitive information.
o Traffic analysis: In this type, an attacker monitors
communication channels to collect a range of
information, including human and machine identities,
locations of these identities, and types of encryption
used, if applicable.
Passive attacks are very difficult to detect because they do not
involve any alteration of the data.
Figure 2. Attacks The message traffic is sent and received in a normal fashion,
o Security mechanisms are technical tools and and neither the sender nor the receiver is aware that a third party
techniques that are used to implement security services has read the messages or observed the traffic pattern.
o A process that is designed to detect, prevent, or recover The best way to prevent a passive attack is by using strong
from a security attack. network encryption methods. This means that the original
o Security service is a processing or communication message should be well encrypted into an unintelligible
service that enhances the security of the data language at the sender’s end and should be decoded into an
processing systems, and the information transfers of an understandable language at the receiver’s end.
organization. Security services are intended to counter Active Attack (Torra, 2018)
security attacks, and they make use of security Active attacks involve some modification of stored or
mechanisms to provide the services. transmitted data or the creation of false data. There are four
categories of active attacks: replay, masquerade,
modification of messages, and denial of service.
o A masquerade takes place when one entity
pretends to be a different entity. A masquerade
attack usually includes one of the other forms of
active attack. For example, authentication
sequences can be captured and replayed after a
valid authentication sequence has taken place, thus
enabling an authorized entity with few privileges to
obtain extra privileges by impersonating an entity
that has those privileges.
Figure 3. Services o Replay involves the passive capture of a data unit
Passive Attack (Torra, 2018) and its subsequent retransmission to produce an
Passive attacks are like eavesdropping or monitoring unauthorized effect.
transmissions. The goal of the attacker is to obtain information o Data modification simply means that some portion
that is being transmitted. Two types of passive attacks are the of a legitimate message is altered or that messages
release of message contents and traffic analysis: are delayed or reordered to produce an
o Release of message contents: In this type, an attacker unauthorized effect. For example, a message
will monitor an unprotected communication medium like stating “Allow Kit Estrada to read confidential file,

03 Handout 1 *Property of STI
 [email protected] Page 2 of 3
 IT2028

Accounts” might be modified to say, “Allow Fred authentication service is to ensure the recipient that the
Brown to read confidential file, Accounts.” message is from the source that it claims to be from.
o A denial-of-service attack prevents or inhibits the Access control is the ability to limit and control access to
normal use or management of communication host systems and applications via communications links. To
facilities. Such an attack may have a specific target; achieve this, each entity trying to gain access must first be
for example, an entity may suppress all messages identified or authenticated so that access rights can be
directed to a particular destination (e.g., the security tailored to the individual.
audit service). Another form of service denial is the Data confidentiality is the protection of transmitted data
disruption of an entire network, either by disabling from passive attacks. Concerning the content of data
the network or by overloading it with messages to transmission, several levels of protection can be identified.
degrade performance. The broadest service protects all user data transmitted
between two users over a period. For example, when a
logical network connection is set up between two systems,
this broad protection prevents the release of any user data
transmitted over the connection.
Data integrity ensures that messages are received as sent,
with no duplication, insertion, modification, reordering, or
replays
Data integrity ensures that information is modified only in
appropriate ways by persons authorized to change it.
Nonrepudiation prevents either a sender or a receiver from
denying a transmitted message. Thus, when a message is
sent, the receiver can prove that the alleged sender sent the
message. Similarly, when a message is received, the sender
can prove that the alleged receiver received the message.
Availability service means that a system or a system
resource is accessible and usable upon demand by an
authorized system entity, according to performance
specifications for the system; that is, a system is available if
it provides services according to the system design
whenever users request them.

References:

Figure 4. Types of attacks in the context of a client/server Kumar, G., Saini, DK., Huy Cuong, NH. (2020). Cyber defense mechanisms: Security,
privacy, and challenges. CRC Press.
interaction. Stallings, W. (2019). Information privacy engineering and privacy by design:
Security Services (Torra, 2018) Understanding privacy threats, technologies, and regulations. Assison-Wesley
Authentication service is concerned with ensuring that Professional. Torra, V. (2018). Data privacy: foundations, new developments, and the
big data challenge. Springer International Publishing.
communication is authentic. In the case of a single message,
such as a warning or an alarm signal, the function of the
03 Handout 1 *Property of STI
 [email protected] Page 3 of 3