Chapter 1 Basic Security Concepts.pdf
Document Details
Uploaded by Deleted User
2024
Tags
Full Transcript
Welcome! Security Principles and Practice—ITBP301 Fall 2024 Basic Security Concepts—Countermeasures Ali Ismail Awad & Norziana Jamil Associate Professor College of Information Technology—UAEU...
Welcome! Security Principles and Practice—ITBP301 Fall 2024 Basic Security Concepts—Countermeasures Ali Ismail Awad & Norziana Jamil Associate Professor College of Information Technology—UAEU [email protected] 1 Outline ⚫ Introduction to security ⚫ Basic security concepts ⚫ Security vulnerabilities and threats 22 Learning Objectives ⚫ What assets do we need to protect? ⚫ How are those assets threatened? ⚫ What can we do to counter those threats? 3 Introduction to Security 44 Information Security vs. Cybersecurity ⚫ Cybersecurity is more comprehensive, and it includes: — Information or data security — Device security — Network security — People ⚫ Whatever is connected to the Internet -> Cyber Space 55 Information Security: The Big Picture ⚫ Combine Technical and Management information security ⚫ Technical implementation requires governance => decision-making Source: Whitman and Mattord, Management of Information Security, 6th edition, 2018 66 Historical Overview ⚫ Control access ⚫ Privacy Source: https://www.nextdaylocks.co.uk/ 7 Historical Overview ⚫ Secret messages ⚫ No change 8 Digital World Source: https://www.pcmag.com/news/in-an-internet-minute-way-too-much-is-happening-all-the-time 9 What is Security? ⚫ CIA security model — Confidentiality ⚫ Avoidance of any unauthorized disclosure of information — Integrity ⚫ Ensures that information is modified by authorized way — Availability ⚫ Ensures that information is available in time in an authorized way ⚫ Physical security 10 CIA Security Concepts ⚫ Confidentiality — Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information ⚫ Integrity — Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity ⚫ Availability — Ensuring timely and reliable access to and use of information 11 Computer Security Terminology 12 In-Class Exercise ⚫ Give an example of a situation where a compromise of confidentiality occurs ⚫ Give an example of a situation where a compromise of integrity occurs ⚫ Give an example of a situation where a compromise of availability occurs 13 Security Risks ⚫ To mitigate the risks to computing systems we need to —learn what the threats are to the security —know how vulnerabilities arise when we develop the system —know what mechanisms are available to reduce or block these threats 14 Security Concepts and Relationships 15 Vulnerabilities, Threats and Attacks ⚫ Categories of vulnerabilities — corrupted (loss of integrity) — leaky (loss of confidentiality) — unavailable or very slow (loss of availability) ⚫ Threats — capable of exploiting vulnerabilities — represent potential security harm to an asset ⚫ Attacks (threats carried out) — passive – does not affect system resources — active – attempt to alter system resources or affect their operation — insider – initiated by an entity inside the security perimeter — outsider – initiated from outside the perimeter 16 Passive and Active Attacks ⚫ Passive attacks attempt to learn or make use of information from the system but do not affect system resources — eavesdropping/monitoring transmissions — difficult to detect — emphasis is on prevention rather than detection — two types: ⚫ release of message contents ⚫ traffic analysis ⚫ Active attacks involve modification of the data stream — The goal is to detect them and then recover — four categories ⚫ Masquerade ⚫ Replay ⚫ modification of messages ⚫ denial of services 17 Threats Examples (Computer and Networks) 18 Scope of Computer Security 19 Computer Security Challenges ⚫ Computer security is not as simple as it might first appear to the novice ⚫ Potential attacks on the security features must be considered ⚫ Procedures used to provide particular services are often counterintuitive ⚫ Physical and logical placement needs to be determined ⚫ Additional algorithms or protocols may be involved 20 Computer Security Challenges ⚫ Attackers only need to find a single weakness, the developer needs to find all weaknesses ⚫ Users and system managers tend to not see the benefits of security until a failure occurs ⚫ Security requires regular and constant monitoring ⚫ Is often an afterthought to be incorporated into a system after the design is complete ⚫ Thought of as an impediment to efficient and user-friendly operation 21 Security Trends (Types of Attacks) 22 Security Requirements ⚫ Access control ⚫ Awareness and training ⚫ Configuration management ⚫ Identification and authentication 23 Security Requirements ⚫ Media protection ⚫ Security planning ⚫ Risk assessment 24 Security Functional Requirements functional areas that functional areas that functional areas that overlap primarily require computer primarily require computer security technical security technical measures management controls and measures and management include: procedures include: controls include: access control; awareness & training; audit configuration management; identification & & accountability; incident response; and authentication; system & certification, accreditation, media protection communication protection; & security assessments; and system & information contingency planning; integrity maintenance; physical & environmental protection; planning; personnel security; risk assessment; and systems & services acquisition 25 Security Architecture for OSI ⚫ ITU-T Recommendation X.800, Security Architecture for OSI — systematic way of defining the requirements for security and characterizing the approaches to satisfying them — was developed as an international standard — focuses on: ⚫ security attacks – action that compromises the security of information owned by an organization ⚫ security mechanism – designed to detect, prevent, or recover from a security attack ⚫ security service – intended to counter security attacks 26 Security Services ⚫ X.800 — defines a security service as a service that is provided by a protocol layer of communicating open systems and ensures adequate security of the systems or of data transfers ⚫ RFC 2828 — defines a security service as a processing or communication service that is provided by a system to give a specific kind of protection to system resources; security services implement security policies and are implemented by security mechanisms 27 Security Services 28 X.800 Security Mechanisms 29 Security Technologies Used 30 Q&A 31