Security
Introduction to Security
ITS335: IT Security
Contents
Computer Security Concepts
Threats, Attacks and Assets
Summary
What Is Security?
Key Security Objectives
Confidentiality
- Data confidentiality: assure confidential information is not made available to unauthorized individuals
- Privacy: assure individuals can control what information related to them is collected, stored, distributed
Integrity
- Data integrity: assure information and programs are changed only in an authorized manner
- System integrity: assure system performs intended function
Availability
- Assure that systems work promptly and service is not denied to authorized users
Other Security Objectives
Authenticity
- Users and system inputs are genuine and can be verified and trusted
- Data authentication
- Source authentication
Accountability
- Actions of an entity can be traced uniquely to that entity
- Supports: non-repudiation, deterrence, fault isolation, intrusion detection and prevention, after-action recovery and legal action
Computer Security Challenges
- computer security is not as simple as it might first appear to the novice
- potential attacks on the security features must be considered
- procedures used to provide particular services are often counter-intuitive
- physical and logical placement needs to be determined
- additional algorithms or protocols may be involved
- attackers only need to find a single weakness, the developer needs to find all weaknesses
- users and system managers tend to not see the benefits of security until a failure occurs
- security requires regular and constant monitoring
- is often an afterthought to be incorporated into a system after the design is complete
- thought of as an impediment to efficient and user-friendly operation
Computer Security Concepts
Assets
- System resources that the users/owners wish to protect
- Hardware, software, data, communication lines
Vulnerabilities
- Weakness in system implementation or operation
- Can make asset: corrupted, leaky, unavailable
Security Policy
- Set of rules and practices that specifies how a system provides security services to protect assets
Threats
- Potential violation of security policy by exploiting a vulnerability
Computer Security Concepts
Attack
- A threat that is carried out; a successful attack leads to violation of security policy
- Active attack: attempt to alter system resources or operation
- Passive attack: attempt to learn information that does not affect system resources
- Inside attack: initiated by entity with authorized access to system
- Outside attack: initiated by unauthorized user of system
Countermeasure
- Means to deal with an attack
- Prevent, detect, respond, recover
- Even with countermeasures, vulnerabilities may exist, leading to risk to the assets
- Aim to minimize the risks
Computer Security Concepts
Credit: Figure 1.2 in Stallings and Brown, Computer Security, 2nd Ed., Pearson 2012
Threat Consequences and Attacks
Threat Action: An attack
Threat Agent: Entity that attacks, or is threat to system (adversary, attacker, malicious user)
Threat Consequence: A security violation that results from a threat action
Scope of Computer Security
Credit: Figure 1.3 in Stallings and Brown, Computer Security, 2nd Ed., Pearson 2012
Assets and Examples of Threats
Credit: Table 1.3 in Stallings and Brown, Computer Security, 2nd Ed., Pearson 2012
Architecture for Communications Security
- Systematic approach to define requirements for security and approaches to satisfying those requirements
- ITU-T Recommendation X.800, Security Architecture for OSI
- Provides abstract view of main issues of security
- Security aspects: Attacks, mechanisms and services
- Focuses on security of networks and communications systems
- Concepts also apply to computer security
Aspects of Security
Security Mechanism
A method for preventing, detecting or recovering from an attack
Security Service
Uses security mechanisms to enhance the security of information or facilities in order to stop attacks
Defining a Security Service
- ITU-T X.800: service that is provided by a protocol layer of communicating systems and that ensures adequate security of the systems or of data transfers
- IETF RFC 2828: a processing or communication service that is provided by a system to give a specific kind of protection to system resources
- Security services implement security policies and are implemented by security mechanisms
Security Services
1. Authentication: Assure that the communicating entity is the one that it claims to be. (Peer entity and data origin authentication)
2. Access Control: Prevent unauthorised use of a resource
Attacks on Communication Lines
Active Attack
- Alter system resources or operation, e.g.
  1. Masquerade
  2. Replay
  3. Modification
  4. Denial of service
- Relatively hard to prevent, but easier to detect
Release Message Contents
Credit: Figure 1.2(a) in Stallings, Cryptography and Network Security, 5th Ed., Pearson 2011
Traffic Analysis
Credit: Figure 1.2(b) in Stallings, Cryptography and Network Security, 5th Ed., Pearson 2011
Masquerade Attack
Credit: Figure 1.3(a) in Stallings, Cryptography and Network Security, 5th Ed., Pearson 2011
“On the Internet, nobody knows you’re a dog”
Replay Attack
Credit: Figure 1.3(b) in Stallings, Cryptography and Network Security, 5th Ed., Pearson 2011
Modification Attack
Credit: Figure 1.3(c) in Stallings, Cryptography and Network Security, 5th Ed., Pearson 2011
Denial of Service Attack
Credit: Figure 1.3(d) in Stallings, Cryptography and Network Security, 5th Ed., Pearson 2011
Security Mechanisms
- Techniques designed to prevent, detect or recover from attacks
- No single mechanism can provide all services
- Common in most mechanisms: cryptographic techniques
- Specific security mechanisms from ITU-T X.800: Encipherment, digital signature, access control, data integrity, authentication exchange, traffic padding, routing control, notarization
- Pervasive security mechanisms from ITU-T X.800: Trusted functionality, security label, event detection, security audit trail, security recovery
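Added example (not from the original slides): a data integrity mechanism (HMAC-SHA256) combined with a sequence number, showing which of the active attacks listed earlier each check detects. The key, the frame layout and the names protect, Receiver and demo are assumptions made for this illustration; the receiver assumes in-order delivery.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed sample key, shared by sender and receiver
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

def protect(key, seq, payload):
    """Sender side: frame = 8-byte sequence number || payload || HMAC-SHA256 tag."""
    body = struct.pack(">Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    def __init__(self, key):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, frame):
        """Return (verdict, payload) with verdict 'ok', 'bad-tag' or 'replay'."""
        if len(frame) < 8 + TAG_LEN:
            return ("bad-tag", None)
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Data integrity / data origin authentication: a modified frame, or one
        # built without the shared key (masquerade), fails this comparison.
        if not hmac.compare_digest(tag, expected):
            return ("bad-tag", None)
        # The tag alone cannot reveal a replay: a captured frame is still valid.
        # Assumes in-order delivery, so any non-increasing number is rejected.
        seq = struct.unpack(">Q", body[:8])[0]
        if seq <= self.last_seq:
            return ("replay", None)
        self.last_seq = seq
        return ("ok", body[8:])

def demo():
    """Run constructed frames through one receiver and return the verdicts."""
    rx = Receiver(KEY)
    f0 = protect(KEY, 0, b"transfer 10 to Bob")
    f1 = protect(KEY, 1, b"transfer 25 to Carol")
    tampered = bytearray(f1)
    tampered[9] ^= 0x01  # one payload bit changed in transit
    no_key = protect(b"not-the-shared-key", 2, b"transfer 99 to Eve")
    frames = [f0, f0, bytes(tampered), no_key, f1]
    return [rx.accept(f)[0] for f in frames]

if __name__ == "__main__":
    print(demo())
```

Neither check addresses denial of service or keeps the payload confidential, which matches the point above that no single mechanism can provide all services.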
Security Services and Mechanisms
Credit: Table 1.4 in Stallings, Cryptography and Network Security, 5th Ed., Pearson 2011
Computer Security Strategy and Principles
Policy: What is the security scheme supposed to do?
- Informal description or formal set of rules of desired system behaviour
- Consider: assets value; vulnerabilities; potential threats and probability of attacks
- Trade-offs: Ease of use vs security; cost of security vs cost of failure and recovery
Implementation: How does it do it?
- Prevention, detection, response, recovery
Information Security Principles
NIST Guide to General Server Security
- Simplicity
- Fail-safe
- Complete Mediation
- Open Design
- Separation of Privilege
- Least Privilege
- Psychological Acceptability
- Least Common Mechanism
- Defense-in-Depth
- Work Factor
- Compromise Recording
Key Points
- Objectives: confidentiality, integrity, availability
- Protect assets: hardware, software, data, comms
- Attacks:
  - Passive: release message, traffic analysis
  - Active: masquerade, replay, modification, DoS
  - Inside or outside
- Countermeasures, Security mechanisms: techniques to prevent, detect, recover from attacks; often use cryptographic techniques
Areas To Explore
Monitoring and trends in threats and attacks
- CERT, CVE, NVD . . .