Information Security PDF
Document Details
Uploaded by GenuinePrime
Charles P. Pfleeger
Tags
Summary
This document is lecture notes on information security, covering topics such as course goals, topics, and an overview of information security concepts. It discusses the importance of information security in today's world and describes different security properties.
Full Transcript
Information Security 2nd Level/1st Semester: CYS Program 3nd Level/1st Semester: CS & IS Program Course Goals primary goals to this course, a student able to: Describe and classify security issues, tools and techniques, including: − Security goals, threats,...
Information Security 2nd Level/1st Semester: CYS Program 3nd Level/1st Semester: CS & IS Program Course Goals primary goals to this course, a student able to: Describe and classify security issues, tools and techniques, including: − Security goals, threats, − Attackers and attack types, and countermeasures, − identification & authentication, − access controls, and cryptography. Identify security and privacy issues in various aspects of computing, including: − Programs − Operating systems − Networks − Internet applications use this ability to design systems that are more protective of security and privacy. Course Topicss & Textbook Course Topics: Introduction; Security Policy Concept; Toolbox: Authentication, Access Control, and Cryptography; Programs and Programming; The Web—User Side (may be); Operating Systems; Networks; Textbook: Charles P. Pfleeger, etc., 2024, “Security in Computing”, 6th Ed., Pearson Education, Inc. Information Security Chapter 1: Introduction Charles P. Pfleeger Overview Early, the bank robberies are more; Kept large amount of cash, gold & silver, which could not be traced easily, Communication & transportation facilities it might be; ― hours before to were informed of a robbery, ― days before they could arrives at the scene of the crime. A single guard for the night was only marginally effective. Today; many factors work against the potential criminal; Very sophisticated alarm systems and camera systems silently protect secure places, Ex.; banks. The techniques of criminal investigation have become very effective; a person can be identified by; ― Composite sketch, ballistics evidence, ― Fingerprint, voice recognition, retinal patterns, and ― genetic material (DNA), for examples. Overview The security differences between computing systems and banks; Size and portability: ― the physical devices in computing are so small or large, Ability to avoid physical contact: ― Electronic funds transfer account for most transfer of money between banks, Value of assets: ― Variable; from very high to very low, ― an information stored in a computer is also high; Confidentiality information; About a person’s taxes, investments, medical history, or education, Very sensitive information; About new product lines, sales figures, marketing strategy, Military information; military targets, troop movements, weapons capabilities. Importance of Information Security The importance of information security: The rapid development of information and communication technology (ICT). Increased using of ICT in public and private sectors. Increases needing to create and use a safety of an electronically environment that serve the public and private sectors, for examples: Military, security, manufacturing and economic sectors which dependent on the accuracy and truly information. Need of companies and organizations to deal with other companies and organizations locally or globally. Individual needing to kept an information integrity, confidentiality and privacy. Increasing impacts of attacks and e-crimes within growth of using and development of an ICT. The needing to protect an infrastructure of information systems, network systems and web sites from e-crimes. Information Security & Cybersecurity; Computer security, Network security, Information security, Cybersecurity: All of these terms are used to describe the protection of information assets [ISAC 2015], In current discussions of security; both terms of “cybersecurity” and “information security”, are often used interchangeably, − but in reality cybersecurity is a part of information security. Marketing, vendors and analysts often use the term “cyber” too broadly; ‒ due to the increasingly complex nature of information in the digital age. Additionally, the interconnected nature of critical infrastructure systems has introduced a host of new vulnerabilities with far-reaching implications. All of these factors have influenced the shift from information security to cybersecurity. Definition of Information Security; Information Security defined as; protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability. is the protection of information and its critical elements, including the systems and HW that use, store, and transmit that information. − information security includes the broad areas of: information security management, computer and data security, and network security. Cybersecurity can be defined as: the protection of information assets by addressing threats to information processed, stored and transported by internetworked information systems. Information Security vs Cybersecurity; Information security: deals with information, regardless of its format-it encompasses paper documents, digital and intellectual property in people’s minds, and verbal or visual communications. Cybersecurity: is concerned with protecting digital assets-everything from networks to hardware and information that is processed, stored or transported by internetworked information systems. Additionally, concepts such as: − nation-state-sponsored attacks and − advanced persistent threats (APTs) belong almost exclusively to cybersecurity. Characteristics of Computer Intrusion Any part of a computing system can be the target of a crime; For instance, the most valuable property in a bank is the cash, gold, or silver in the vault; ―in fact the customer information in the bank's computer may be far more valuable; Stored on paper, recorded on a storage medium, resident in memory, or transmitted over telephone lines or satellite links. ―this information can be used in myriad ways to make money illicitly, How? Characteristics of Computer Intrusion Ex: A robber intent on stealing something from your house will not attempt to penetrate a two-inch-thick metal door if a window gives easier access. The weakest point is the most serious vulnerability; A Principle of Easiest Penetration: ‘An intruder must be expected to use any available means of penetration’ What Is Computer Security? Computer security is the protection of the items you value, called the assets of a computer or computer system; A computing system is a collection of HW, SW, storage media, data, and person that an organization uses to do computing tasks. A computer assets, involving; HW, SW, data, people, processes, or combinations of these. FIGURE 1-2: Computer Objects of Value What Is Computer Security? Values of Assets; To determine what to protect, we must; first identify what has value and to whom. After identifying the assets to protect, we next determine their value; The value of an asset depends on; the asset owner’s or user’s perspective, and it may be independent of monetary cost. Assets’ values are personal, time dependent, and often imprecise; FIGURE 1-3: Values of Assets. What Is Computer Security? The Vulnerability–Threat–Control Paradigm; The goal of computer security is protecting valuable assets; To study different ways of protection, we use a framework that describes; how assets may be harmed, and; how to counter or mitigate that harm. A vulnerability: are a weaknesses in the system, for example, in procedures, design, or implementation, that might be exploited to cause loss or harm; Or; are weaknesses in products, systems, protocols, algorithms, programs, interfaces, and designs. Examples; ─ The system may be vulnerable to unauthorized data manipulation, the system does not verify a user's identity before allowing data access. What Is Computer Security? The Vulnerability–Threat–Control Paradigm; Threats: a threats to computing systems; are circumstances that have the potential to cause loss or harm; Or; A threat is a condition that could exercise a vulnerability. Examples; ─ Human attacks, Natural disasters, ─ Inadvertent human errors; and ─ Internal HW or SW flaws. Figure 1-4 illustrates a difference between a threat and a vulnerability FIGURE 1-4: Threat and Vulnerability What Is Computer Security? The Vulnerability–Threat–Control Paradigm; A Control; is a protective measure- an action, a device, a procedure, or a technique- that removes or reduces a vulnerability; Attacker: is a human who exploits a vulnerability and perpetrates an attack on the system; An attack can also be launched by another system; − Unauthorized disclosure of data, − modification of data, or − one system sends an overwhelming set of messages to another system, virtually shutting down the second system's ability to function. denial of legitimate access to computing. How do we address these problems? We use a control or countermeasure as protection. What Is Computer Security? The Vulnerability–Threat–Control Paradigm; There are many threats to a computer system, including human-initiated and computer initiated ones; We have all experienced, for example; the results of inadvertent human errors, HW design flaws, and SW failures, natural disasters are threats, too; they can bring a system down when the computer room is flooded or the data center collapses from an earthquake. In general, we can describe the relationship among threats, controls, and vulnerabilities in this way: A threat is blocked by control of a vulnerability. What makes your computer valuable to you; Threats: CIA Triad We can consider potential harm to assets in two ways: we can look at; what bad things can happen to assets, and; who or what can cause or allow those bad things to happen. − These two perspectives enable us to determine how to protect assets; A Computer security mean that we are addressing three important properties (goals) of any computer-related system; Confidentiality, Integrity, and Availability. Threats: CIA Triad The security properties are; confidentiality: the ability of a system to ensure that an asset is viewed only by authorized parties, ─ means that the assets of computing system are accessible only by authorized parties, “read”-type access: reading, viewing, printing. integrity: the ability of a system to ensure that an asset is modified only by authorized parties, ─ means that assets can be modified by authorized parties, writing, changing status, deleting, and creating. availability: the ability of a system to ensure that an asset can be used by any authorized parties, ─ means that assets are accessible to authorized parties at appropriate times, (denial of service). These properties are called the C-I-A/security triad; The privacy is the fourth leg of the three legs of the CIA triad; Threats: reinforcement CIA Triad ISO 7498-2 adds to them two more properties that are desirable, particularly in communication networks: authentication: the ability of a system to confirm the identity of a sender, nonrepudiation or accountability: the ability of a system to confirm that a sender cannot convincingly deny having sent something. U.S. Department of Defense adds auditability: Auditability: the ability of a system to trace all actions related to a given asset. Authorization: Determining whether a user/subject is permitted certain services from an object; authorization makes sense only if the requesting subject has been authenticated. checking that the user/subject has the rights to access C the data or undertake the transaction requested. The following figure illustrates the relationship Asset between security C-I-A and how they apply to every asset we protect; I A Threats: CIA Triad The C-I-A triad can be viewed from a different perspectives: the nature of the harm caused to assets; Harm can also be characterized by four acts: ‒ interception, ‒ interruption, ‒ modification, and ‒ fabrication. From this point of view; confidentiality can suffer if someone intercepts data, integrity can fail if someone or something modifies data or fabricates false data, and availability is lost if someone or something interrupts a flow of data or access to a computer. Threats: Harm acts Interception; means that some unauthorized party has gained access to an asset; ─ The outside party can be a person, a program, or a computing system, ─ Example: illicit copying of program or data files; or ─ wiretapping to obtain data in network. a silent interceptor may leave no traces by which the interception can be readily detected, Effect on confidentiality. Interruption; an asset of the system becomes lost or unavailable or unusable, Examples; ─ malicious destruction of a HW device, ─ Erasure of a program or data file, or ─ Malfunction or failure of an OS file manager. Effect on availability. Threats Harm acts Modification; when an unauthorized party can be access and tampers with an asset; ─ modify the values in a data base, Alter program, or ─ Modify data being transmitted electrically, ─ It is possible to modify HW. Some cases of modification can be detected with simple measures, but other, ─ more subtle, changes may be almost impossible to detect. Effect on integrity. Fabrication; when an unauthorized party can be fabricates counterfeit objects for a computing system; ─ The intruder may wish to; add spurious transactions to a network communication system, add records to an existing data base. Effect on authenticity & integrity Threats Harm acts The fig. illustrates the four acts to cause a security harm; FIGURE 1-5: Four Acts to Cause Security Harm