Chapter 1 Basic Security Concepts.pdf
Welcome!
Security Principles and Practice—ITBP301
Fall 2024
Basic Security Concepts—Countermeasures
Ali Ismail Awad & Norziana Jamil
Associate Professor
College of Information Technology—UAEU

Outline
⚫ Introduction to security
⚫ Basic security concepts
⚫ Security vulnerabilities and threats

Learning Objectives
⚫ What assets do we need to protect?
⚫ How are those assets threatened?
⚫ What can we do to counter those threats?

Introduction to Security

Information Security vs. Cybersecurity
⚫ Cybersecurity is more comprehensive, and it includes:
  — Information or data security
  — Device security
  — Network security
  — People
⚫ Whatever is connected to the Internet -> Cyber Space

Information Security: The Big Picture
⚫ Combine Technical and Management information security
⚫ Technical implementation requires governance => decision-making
Source: Whitman and Mattord, Management of Information Security, 6th edition, 2018

Historical Overview
⚫ Control access
⚫ Privacy
Source: https://www.nextdaylocks.co.uk/

Historical Overview
⚫ Secret messages
⚫ No change

Digital World
Source: https://www.pcmag.com/news/in-an-internet-minute-way-too-much-is-happening-all-the-time

What is Security?
⚫ CIA security model
  — Confidentiality
    ⚫ Avoidance of any unauthorized disclosure of information
  — Integrity
    ⚫ Ensures that information is modified only in an authorized way
  — Availability
    ⚫ Ensures that information is available in time and in an authorized way
⚫ Physical security

CIA Security Concepts
⚫ Confidentiality
  — Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
⚫ Integrity
  — Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity
⚫ Availability
  — Ensuring timely and reliable access to and use of information

Computer Security Terminology

In-Class Exercise
⚫ Give an example of a situation where a compromise of confidentiality occurs
⚫ Give an example of a situation where a compromise of integrity occurs
⚫ Give an example of a situation where a compromise of availability occurs

Security Risks
⚫ To mitigate the risks to computing systems we need to
  — learn what the threats to security are
  — know how vulnerabilities arise when we develop the system
  — know what mechanisms are available to reduce or block these threats

Security Concepts and Relationships

Vulnerabilities, Threats and Attacks
⚫ Categories of vulnerabilities
  — corrupted (loss of integrity)
  — leaky (loss of confidentiality)
  — unavailable or very slow (loss of availability)
⚫ Threats
  — capable of exploiting vulnerabilities
  — represent potential security harm to an asset
⚫ Attacks (threats carried out)
  — passive – does not affect system resources
  — active – attempt to alter system resources or affect their operation
  — insider – initiated by an entity inside the security perimeter
  — outsider – initiated from outside the perimeter

Passive and Active Attacks
⚫ Passive attacks attempt to learn or make use of information from the system but do not affect system resources
  — eavesdropping/monitoring transmissions
  — difficult to detect
  — emphasis is on prevention rather than detection
  — two types:
    ⚫ release of message contents
    ⚫ traffic analysis
⚫ Active attacks involve modification of the data stream
  — The goal is to detect them and then recover
  — four categories:
    ⚫ masquerade
    ⚫ replay
    ⚫ modification of messages
    ⚫ denial of service

Threats Examples (Computer and Networks)

Scope of Computer Security

Computer Security Challenges
⚫ Computer security is not as simple as it might first appear to the novice
⚫ Potential attacks on the security features must be considered
⚫ Procedures used to provide particular services are often counterintuitive
⚫ Physical and logical placement needs to be determined
⚫ Additional algorithms or protocols may be involved

Computer Security Challenges
⚫ Attackers only need to find a single weakness; the developer needs to find all weaknesses
⚫ Users and system managers tend not to see the benefits of security until a failure occurs
⚫ Security requires regular and constant monitoring
⚫ Security is often an afterthought to be incorporated into a system after the design is complete
⚫ Security is thought of as an impediment to efficient and user-friendly operation

Security Trends (Types of Attacks)

Security Requirements
⚫ Access control
⚫ Awareness and training
⚫ Configuration management
⚫ Identification and authentication

Security Requirements
⚫ Media protection
⚫ Security planning
⚫ Risk assessment

Security Functional Requirements
⚫ Functional areas that primarily require computer security technical measures include:
  — access control; identification & authentication; system & communication protection; and system & information integrity
⚫ Functional areas that primarily require management controls and procedures include:
  — awareness & training; audit & accountability; certification, accreditation, & security assessments; contingency planning; maintenance; physical & environmental protection; planning; personnel security; risk assessment; and systems & services acquisition
⚫ Functional areas that overlap computer security technical measures and management controls include:
  — configuration management; incident response; and media protection

Security Architecture for OSI
⚫ ITU-T Recommendation X.800, Security Architecture for OSI
  — systematic way of defining the requirements for security and characterizing the approaches to satisfying them
  — was developed as an international standard
  — focuses on:
    ⚫ security attacks – action that compromises the security of information owned by an organization
    ⚫ security mechanism – designed to detect, prevent, or recover from a security attack
    ⚫ security service – intended to counter security attacks

Security Services
⚫ X.800
  — defines a security service as a service that is provided by a protocol layer of communicating open systems and ensures adequate security of the systems or of data transfers
⚫ RFC 2828
  — defines a security service as a processing or communication service that is provided by a system to give a specific kind of protection to system resources; security services implement security policies and are implemented by security mechanisms

Security Services

X.800 Security Mechanisms

Security Technologies Used

Q&A
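
An added example, not part of the original slides, of how a receiver can detect three of the active attack categories listed under Passive and Active Attacks: a message authentication code exposes modification and masquerade, and a per-sender sequence number exposes replay. The `Receiver` class, the key and the messages are constructed for illustration; denial of service is outside what this check covers.

```python
import hashlib
import hmac
import struct


class Receiver:
    """Accepts a message only if its MAC verifies and its sequence number is fresh."""

    def __init__(self, keys):
        self.keys = keys      # sender name -> shared secret key (bytes)
        self.last_seq = {}    # sender name -> highest sequence number accepted

    @staticmethod
    def tag(key, sender, seq, payload):
        # The MAC binds sender identity, sequence number and payload together.
        name = sender.encode()
        data = struct.pack(">H", len(name)) + name + struct.pack(">Q", seq) + payload
        return hmac.new(key, data, hashlib.sha256).digest()

    def receive(self, sender, seq, payload, mac):
        key = self.keys.get(sender)
        if key is None:
            return "reject: unknown sender"
        # Constant-time comparison; a mismatch means the message was altered
        # in transit or was produced by someone who does not hold the key.
        if not hmac.compare_digest(mac, self.tag(key, sender, seq, payload)):
            return "reject: bad MAC (modification or masquerade)"
        # A valid MAC on an old sequence number is a captured message sent again.
        if seq <= self.last_seq.get(sender, -1):
            return "reject: replay"
        self.last_seq[sender] = seq
        return "accept"


def demo():
    # Constructed sample key and messages (assumptions for this example).
    key = b"constructed-demo-key-alice"
    rx = Receiver({"alice": key})
    payload = b"transfer 100 to bob"
    good = Receiver.tag(key, "alice", 1, payload)
    stale = Receiver.tag(key, "alice", 2, payload)
    forged = Receiver.tag(b"not-the-shared-key", "alice", 3, payload)
    return [
        rx.receive("alice", 1, payload, good),                  # genuine message
        rx.receive("alice", 1, payload, good),                  # same message again
        rx.receive("alice", 2, b"transfer 900 to bob", stale),  # payload altered
        rx.receive("alice", 3, payload, forged),                # wrong key
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The MAC alone cannot tell modification from masquerade, which is why both map to the same rejection.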