01-CH01-CompSec2e-ver02 Overview PDF
Basics of Information Security and Cryptography
Professor dr.sc.ing. Viktor Gopejenko
Department of Computer Technologies and Natural Sciences
ISMA University of Applied Science, Riga, Latvia
Lecture 1
Overview
Learning Objectives
The types of security threats and attacks that must be dealt with
and examples of the security threats and attacks that apply to
different categories of computer and network assets
Integrity
- data integrity
- system integrity
Availability
Key Security Concepts
Authenticity
Accountability
Computer Security Terminology
RFC 2828, Internet Security Glossary, May 2000
Security Concepts and Relationships
Figure 1.2
Vulnerabilities, Threats and Attacks
categories of vulnerabilities
corrupted (loss of integrity)
leaky (loss of confidentiality)
unavailable or very slow (loss of availability)
threats
capable of exploiting vulnerabilities
represent potential security harm to an asset
means used to deal with security attacks
• prevent
• detect
• recover
residual vulnerabilities may remain
Threat Consequences
Scope of Computer Security
Figure 1.3
Computer and Network Assets
Examples of Threats
Table 1.3 Computer and Network Assets, with Examples of Threats.
Passive and Active Attacks
Passive attacks attempt to learn or make use of information
from the system but do not affect system resources
eavesdropping/monitoring transmissions
difficult to detect
emphasis is on prevention rather than detection
two types:
release of message contents
traffic analysis
functional areas that primarily require computer security technical measures include:
functional areas that primarily require management controls and procedures include:
functional areas that overlap computer security technical measures and management controls include:
Security Services
Security Trends
Security Technologies Used
Computer Security Strategy
what is the security scheme supposed to do?
how does it do it?
does it really work?
Security Policy
formal statement of rules and practices that specify or
regulate how a system or organization provides security
services to protect sensitive and critical system resources
involves four complementary courses of action:
prevention
• secure encryption algorithms
• prevent unauthorized access to encryption keys
detection
• intrusion detection systems
• detection of denial of service attacks
response
• upon detection, being able to halt an attack and prevent further damage
recovery
• use of backup systems
Assurance and Evaluation
assurance
the degree of confidence one has that the security measures
work as intended to protect the system and the information
it processes
encompasses both system design and system
implementation
evaluation
process of examining a computer product or system with
respect to certain criteria
involves testing and formal analytic or mathematical
techniques
Summary
security concepts
• CIA triad
• confidentiality – preserving the disclosure of information
• integrity – guarding against modification or destruction of information
• availability – ensuring timely and reliable access to information
• terminology – table 1.1
• threats – exploits vulnerabilities
• attack – a threat carried out
• countermeasure – means to deal with a security attack
• assets – hardware, software, data, communication lines, networks
security architecture
• security services – enhances the security of systems and information transfers, table 1.5
• security mechanisms – mechanisms designed to detect, prevent, or recover from a security attack, table 1.6
• security attack – any action that compromises the security of information owned by an organization
security trends
• figure 1.4
security strategy
• policy, implementation, assurance and evaluation
functional requirements
• table 1.4