Fundamentals of Security - Introduction PDF

Summary

This document provides an introduction to information and system security. It covers fundamental security concepts, including security attacks, security mechanisms, and security services. The document also touches on various security challenges and objectives.

Full Transcript

Information and System Security 1 Cyber Security 2 About This Course SWE3002 – Information and System Security Text Book - William Stallings, Cryptography & Network Security- Principles and Practices, Sixth Edition, Pearson...

Information and System Security 1 Cyber Security 2 About This Course SWE3002 – Information and System Security Text Book - William Stallings, Cryptography & Network Security- Principles and Practices, Sixth Edition, Pearson Publishers, 2014. Latest publication - William Stallings, Cryptography & Network Security- Principles and Practices, Seventh Edition, Pearson Publishers, 2017. Reference Books - William Stallings, Lawrie Brown, Computer Security: Principles and Practice, 3rd edition, 2014. - Christof Paar & Jan Pelzl, Understanding Cryptography, Springer, 2014. - Charles P. Pfleeger, Security in Computing, 4th Edition, Pearson, 2009. 3 Security Computer Security – Generic name for the collection of tools designed to protect data and to thwart hackers Network Security – Measures to protect data during their transmission Internet Security – Measures to protect data during their transmission over a collection of interconnected networks 4 Security Trends ……….. 5 Security Trends… - Impact on telecommunications cybersecurity Sample CERT report Report – as on 16th July 2024 Sample CERT report… Report – as on 16th July 2024 3 Aspects of Info Security Security Attack – Any action that compromises the security of information. Security Mechanism – A mechanism that is designed to detect, prevent, or recover from a security attack. Security Service – A service that enhances the security of data processing systems and information transfers. Makes use of one or more security mechanisms. OSI Security Architecture ITU-T X.800 “Security Architecture for OSI” – A systematic way of defining and providing security requirements – Provides a useful, if abstract, overview of concepts we will study ITU-T: International Telecommunication Union Telecommunication Standardization Sector OSI: Open Systems Interconnection Security Attacks Threat & attack – Often used equivalently There are a wide range of attacks – Two generic types of attacks Passive Active Security Attacks… A means of classifying security attacks, used both in X.800 and RFC 4949, is in terms of passive attacks and active attacks A passive attack attempts to learn or make use of information from the system but does not affect system resources An active attack attempts to alter system resources or affect their operation Passive Attacks Are in the nature of eavesdropping on, or monitoring of, transmissions Two types of passive Goal of the opponent is attacks are: to obtain information that – The release of message is being transmitted contents – Traffic analysis Active Attacks Takes place when one entity pretends to be a different entity Masquerade Involve some Usually includes one of the other forms of active attack modification of the data stream or the creation of a false stream Involves the passive capture of a data unit and its subsequent Replay retransmission to produce an Difficult to prevent unauthorized effect because of the wide variety of potential Some portion of a legitimate physical, software, and Modification message is altered, or messages of messages are delayed or reordered to network vulnerabilities produce an unauthorized effect Goal is to detect attacks and to recover from any Denial of Prevents or inhibits the normal disruption or delays use or management of service communications facilities caused by them Security Attack Classification Security Threats Security Attacks Interruption: This is an attack on availability Interception: This is an attack on confidentiality Modification: This is an attack on integrity Fabrication: This is an attack on authenticity 3 Primary Security Goals Fundamental security objectives for both data and information / computing services Computer Security Challenges Security is not simple Security mechanisms Potential attacks on the typically involve more than security features need to a particular algorithm or be considered protocol Procedures used to provide Security is essentially a particular services are battle of wits between a often counter-intuitive perpetrator and the designer It is necessary to decide Little benefit from security where to use the various investment is perceived security mechanisms until a security failure Requires constant occurs monitoring Strong security is often Is too often an viewed as an impediment to afterthought efficient and user-friendly operation Security Services X.800 – A service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers Confidentiality (privacy) Authentication (who created or sent the data) Integrity (has not been altered) Non-repudiation (the order is final) Access control (prevent misuse of resources) Availability (permanence, non-erasure) – Denial of Service Attacks – Virus that deletes files Security Mechanism Designed to detect, prevent, or recover from a security attack One particular element underlies many of the security mechanisms in use: – Cryptographic techniques Security Mechanisms (X.800) Specific security mechanisms: – Encipherment, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization Pervasive security mechanisms: – Trusted functionality, security labels, event detection, security audit trails, security recovery Security – Services Vs Mechanisms Sources : William Stallings, Cryptography & Network Security- Principles and Practices Model for Network Security Model for Network Security… Using this model requires us to: 1. design a suitable algorithm for the security transformation (message encryption/decryption) 2. generate the secret information (keys) used by the algorithm 3. develop methods to distribute and share the secret information (keys) 4. specify a protocol enabling the principals to use the transformation and secret information for a security service (ex. Secure Shell (SSH) - cryptographic network protocol) Model for Network Access Security Model for Network Access Security Using this model requires us to implement: 1. Authentication select appropriate gatekeeper functions to identify users 2. Authorization implement security controls to ensure only authorized users access designated information or resources Trusted computer systems may be useful to help implement this model Methods of Defense Encryption Software Controls – Limit access in a database or in operating systems – Protect each user from other users Hardware Controls – Smartcard (ICC, used for digital signature and secure identification) Policies – Frequent changes of passwords – Recent study shows controversial arguments Physical Controls Sample: on Net-banking authentication application - Attempts on compromising accounts The field of network and Internet security consists of: measures to deter, prevent, detect, and correct security violations that involve the transmission of information Cryptographic algorithms and protocols can be grouped into following areas: Symmetric encryption Used to conceal the contents of blocks or streams of data of any size, including messages, files, encryption keys, and passwords → using Single Key Asymmetric encryption Used to conceal small blocks of data, such as encryption keys and hash function values, which are used in digital signatures. → using Two different Keys Data integrity algorithms Used to protect blocks of data (ie. messages), from alteration Authentication protocols Schemes based on the use of cryptographic algorithms designed to authenticate the identity of entities Computer Security Objectives Confidentiality Data confidentiality Assures that private or confidential information is not made available or disclosed to unauthorized individuals Privacy Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed Integrity Data integrity Assures that information and programs are not changed ( Can change only in a specified and authorized manner ) System integrity Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system Availability Assures that systems work promptly and service is not denied to authorized users

Use Quizgecko on...
Browser
Browser