Assignment#01
Information security
Submitted By:
Submit to:
Sir
Ans) The OSI security architecture is a systematic approach that is useful to managers as a way of organizing
the task of providing security. Because this architecture was developed as an international standard, computer and
communications vendors (suppliers) have developed security features for their products and services that
relate to this structured definition of services and mechanisms. The OSI security architecture focuses on
security attacks, mechanisms, and services.
Security attack: Any action or activity that compromises the security of information
owned by an organization.
Security mechanism: A process (or a device incorporating such a process) that is designed to detect, prevent, or recover
from a security attack, e.g. anti-virus software.
Security service: A processing or communication service that enhances the security of the data
processing systems and the information transfers of an organization. The services are intended to counter
security attacks, and they make use of one or more security mechanisms to provide the service.
Q#02) What is the difference between passive and active security threats?
Passive Attacks
Passive attacks are those in which the attacker observes all the messages and copies the content of the
messages or information. They focus on monitoring all transmissions and gaining the data. Unlike
active attacks, they are difficult to detect, since they do not involve any alteration of the data or information.
Active attacks
Active attacks are attacks in which the attacker attempts to change or transform the content of messages or
information. These attacks are a threat to the integrity and availability of the system. Due to these attacks,
systems get damaged and information can be altered. The prevention of these attacks is difficult due to
the wide range of physical and software vulnerabilities they exploit. The damage done by these attacks can
be very harmful to the system and its resources.
Q#03) List and briefly define categories of passive and active security attacks.
Masquerade
A masquerade takes place when one entity pretends to be a different entity. A masquerade
attack usually includes one of the other forms of active attack. For example, authentication
sequences can be captured and replayed after a valid authentication sequence has taken place,
thus enabling an authorized entity with few privileges to obtain extra privileges by impersonating
an entity that has those privileges.
Replay
Replay involves the passive capture of a data unit and its subsequent retransmission to
produce an unauthorized effect (paths 1, 2, and 3 active).
Modification of messages
Ans) A security service is a service that is provided by a protocol layer of communicating open
systems and that ensures adequate security of the systems or of data transfers. It is a processing or
communication service that is provided by a system to give a specific kind of protection to system
resources; security services implement security policies and are implemented by security
mechanisms.
Authentication
Peer entity authentication is provided for use at the establishment of, or at times during the data
transfer phase of, a connection. It attempts to provide confidence that an entity is not performing
either a masquerade or an unauthorized replay of a previous connection.
Data authentication is the process of confirming the origin and integrity of data. The term is
typically related to communication, messaging and integration. Data authentication has two
elements: authenticating that you're getting data from the correct entity and validating the integrity
of that data.
Access control
Access control is a security technique that regulates who or what can view or use resources in a
computing environment. It is a fundamental concept in security that minimizes risk to the business or
organization. Logical access control limits connections to computer networks, system files and
data.
Data confidentiality
Data integrity
Data integrity refers to the accuracy and consistency (validity) of data over its lifecycle.
Compromised data, after all, is of little use to enterprises, not to mention the dangers presented by
the loss of sensitive data.
Repudiation
A repudiation attack happens when an application or system does not adopt controls to properly track
and log users' actions, thus permitting malicious manipulation or forging of the identification of new
actions. If this attack takes place, the data stored in log files can be considered invalid or
misleading.
Availability service
Ans) Security mechanisms are a field in computer technology that deals with ensuring the security of the
computer network infrastructure. The network is necessary for sharing information,
whether at the hardware level (such as printers and scanners) or at the software level. A security
mechanism can therefore also be described as a set of processes that deal with recovery from a security attack.
Various mechanisms are designed to recover from specific attacks at various protocol layers.
3. Notarization:
This security mechanism involves the use of a trusted third party in the communication. It acts as a mediator
between sender and receiver so that the chance of a conflict is reduced. This mediator keeps a record
of the requests made by the sender to the receiver, so that they cannot later be denied.
4. Data Integrity:
This security mechanism works by appending to the data a value that is computed from the data itself. It is
similar to sending a packet of information known to both the sending and receiving parties, which is checked
before sending and after the data is received. When this appended value is checked and is the
same at the sending and receiving ends, data integrity is maintained.
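The following is an added example, not part of the original assignment, that illustrates both the data integrity mechanism described here (a value computed from the data, appended by the sender and recomputed by the receiver) and the replay attack from Q#03 (a captured message retransmitted to produce an unauthorized effect). The integrity value is an HMAC-SHA256 tag over a random nonce plus the payload; the receiver recomputes the tag, then rejects any nonce it has already accepted. The shared key, the message format (16-byte nonce, payload, 32-byte tag) and the sample payload are constructed for this example.

```python
import hmac
import hashlib
import os
from typing import Optional, Tuple

# Constructed example key shared by sender and receiver (assumption: it was
# distributed out of band; a real system would obtain it from key management).
SHARED_KEY = b"example-shared-key-not-for-production"

NONCE_LEN = 16
TAG_LEN = 32  # SHA-256 digest size


def make_message(key: bytes, payload: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Sender side: prepend a random nonce and append an HMAC-SHA256 tag computed
    over nonce || payload. The tag is the 'value created from the data itself'."""
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    tag = hmac.new(key, nonce + payload, hashlib.sha256).digest()
    return nonce + payload + tag


class Receiver:
    """Receiver side: verifies the integrity tag first, then rejects any nonce
    already accepted, so a captured-and-retransmitted message fails even though
    its tag is still valid."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen_nonces = set()

    def accept(self, message: bytes) -> Tuple[bool, str, bytes]:
        if len(message) < NONCE_LEN + TAG_LEN:
            return False, "malformed", b""
        nonce = message[:NONCE_LEN]
        payload = message[NONCE_LEN:-TAG_LEN]
        tag = message[-TAG_LEN:]
        expected = hmac.new(self.key, nonce + payload, hashlib.sha256).digest()
        # compare_digest avoids leaking the tag through timing differences
        if not hmac.compare_digest(expected, tag):
            return False, "integrity check failed", b""
        if nonce in self.seen_nonces:
            return False, "replay detected", b""
        self.seen_nonces.add(nonce)
        return True, "ok", payload


def demo():
    """Run one genuine delivery, one replay, and one modified message."""
    rx = Receiver(SHARED_KEY)
    msg = make_message(SHARED_KEY, b"transfer 100 to account 42")  # constructed payload
    first = rx.accept(msg)        # fresh message: accepted
    replayed = rx.accept(msg)     # identical bytes again: replay detected
    # Modification of a message in transit: change "100" to "900"; the tag no longer matches
    tampered = bytearray(msg)
    tampered[NONCE_LEN + 9] = ord("9")
    modified = rx.accept(bytes(tampered))
    return first, replayed, modified


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The receiver checks the tag before the nonce so that an attacker cannot learn which nonces have been seen by sending unauthenticated probes. In a long-running system the set of seen nonces would be bounded by adding a timestamp or sequence number to the authenticated data and discarding entries outside the accepted window.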
5. Authentication exchange:
This security mechanism deals with making identities known in a communication. This is achieved at the
TCP/IP layer, where a two-way handshaking mechanism is used to confirm whether or not the data has been sent.
6. Bit stuffing:
This security mechanism adds some extra bits to the data being transmitted. It
allows the data to be checked at the receiving end and is achieved by even parity or odd parity.
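As an added example (not from the original assignment), the parity check described here, written out end to end: the sender appends one parity bit, the receiver recomputes it over the received data and compares. The demo also shows the failure mode a practitioner should know: a single flipped bit is caught, but two flipped bits cancel out and pass, which is why parity is an error-detection aid and not protection against deliberate modification. The frame layout (parity carried in one trailing byte) and the sample payload are constructed for the example.

```python
def parity_bit(data: bytes, even: bool = True) -> int:
    """Compute one parity bit over all bits of `data`.
    Even parity: the bit makes the total count of 1-bits even.
    Odd parity: the bit makes the total count of 1-bits odd."""
    ones = sum(bin(b).count("1") for b in data)
    bit = ones % 2           # 1 when the count is currently odd
    return bit if even else bit ^ 1


def add_parity(data: bytes, even: bool = True) -> bytes:
    """Sender: append the parity bit as one extra trailing byte (0 or 1)."""
    return data + bytes([parity_bit(data, even)])


def check_parity(frame: bytes, even: bool = True) -> bool:
    """Receiver: recompute parity over the payload and compare with the received bit."""
    data, received = frame[:-1], frame[-1]
    return parity_bit(data, even) == received


def flip_bit(frame: bytes, bit_index: int) -> bytes:
    """Constructed fault: invert one bit of the payload (a transmission error)."""
    out = bytearray(frame)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def demo():
    """Clean frame passes, one-bit error is detected, two-bit error slips through."""
    frame = add_parity(b"PIN=1234")                                 # constructed payload
    clean = check_parity(frame)                                     # True
    one_flip = check_parity(flip_bit(frame, 3))                     # False: detected
    two_flips = check_parity(flip_bit(flip_bit(frame, 3), 10))      # True: missed
    return clean, one_flip, two_flips


if __name__ == "__main__":
    print(demo())
```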
7. Digital Signature:
This security mechanism is achieved by adding digital data that is not visible to the eye. It is a form of
electronic signature which is added by the sender and checked electronically by the receiver. This
mechanism is used to protect data that is not highly confidential but where the sender's identity must be
established.
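To make the sender/receiver roles concrete, here is an added example (not part of the original assignment) of the signing and checking steps using textbook RSA with the small classic parameters p = 61, q = 53, e = 17, d = 2753. The sender holds the private exponent d and signs; the receiver needs only the public values (e, n) to check, which is what ties the sender's identity to the message. The key size and the direct signing of a small integer are constructed for illustration; a real signature uses keys of thousands of bits and signs a padded hash of the message rather than the message itself.

```python
# Toy RSA key pair (constructed example with textbook parameters; not secure).
P, Q = 61, 53
N = P * Q                 # 3233, the public modulus
PHI = (P - 1) * (Q - 1)   # 3120
E = 17                    # public exponent, known to everyone
D = 2753                  # private exponent, known only to the sender: (E * D) % PHI == 1


def sign(message: int, d: int = D, n: int = N) -> int:
    """Sender: the signature is message^d mod n. Only the holder of d can
    produce a value that will pass verify() for this message."""
    if not 0 <= message < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(message, d, n)


def verify(message: int, signature: int, e: int = E, n: int = N) -> bool:
    """Receiver: raise the signature to the public exponent and compare the
    result with the message that was actually received."""
    if not 0 <= message < n:
        return False
    return pow(signature, e, n) == message


def demo():
    """Genuine signature verifies; an altered message or a value produced
    without the private exponent does not."""
    amount = 100                          # constructed: a withdrawal amount
    sig = sign(amount)
    genuine = verify(amount, sig)         # True
    altered = verify(900, sig)            # False: amount changed after signing
    # A value computed with only the public exponent is not a signature for 900
    forged = verify(900, pow(900, E, N))  # False
    return genuine, altered, forged


if __name__ == "__main__":
    print(demo())
```

Contrast this with the HMAC integrity tag: there, both ends share one key, so either party could have produced the tag and the receiver cannot prove to a third party who sent the message. With a signature the checking key is public and the signing key is private, which is what lets a signature support non-repudiation.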
Problems
Q#01) Consider an automated teller machine (ATM) in which users provide a personal identification
number (PIN) and a card for account access. Give examples of confidentiality, integrity, and
availability requirements associated with the system and, in each case, indicate the degree of
importance of the requirement.
Ans)
1. The system must keep personal identification numbers confidential, both in the host system
and during transmission for a transaction. It must protect the integrity of account records and
of individual transactions.
2. Availability of the host system is important to the economic well-being of the bank, but not to
its fiduciary responsibility. The availability of individual teller machines is of less concern.
3. The system does not have high requirements for integrity on individual transactions, as
lasting damage will not be incurred by occasionally losing.
4. The communication should be encrypted.
5. The PIN should also be encrypted.
6. The actions accomplished through the bank should be linked with the bank link.