IT Security

!"#" $%&#'
‫ت‬#&)*%+‫ ا‬#-').)/01 $-*2
Lecture 1 ‫ت‬#&)*%+‫ت ا‬#034 567
Introduction to security
$8.#8.‫ ا‬$*9:+‫ا‬

‫<س‬/=+‫?)ر ا‬2<.‫ا‬
@‫<ا‬3A 5B:0.‫<ا‬3A ‫رث‬#D.‫ا‬
What Is Security?

l Computer Security
The protection afforded to an automated information
system in order to attain the applicable objectives of
preserving the integrity, availability, and confidentiality
of information system resources.
Key Security Objectives

l Confidentiality
Ø Data confidentiality: assure confidential information not made
available to unauthorized individuals
Ø Privacy: assure individuals can control what information related to
them is collected, stored, distributed
l Integrity
Ø Data integrity: assure information and programs are changed only in
a authorized manner
Ø System integrity: assure system performs intended function
l Availability
Ø Assure that systems work promptly and service is not denied to
authorized users
Other Security Objectives

l Authenticity
Ø Users and system inputs are genuine and can be verified and
trusted
- Data authentication
- Source authentication
l Accountability
Ø Actions of an entity can be traced uniquely to that entity
Ø Supports: non-repudiation, deterrence, fault isolation, intrusion
detection and prevention, after-action recovery and legal action
Computer Security Challenges

l computer security is not as simple as it might first appear

to the novice
l potential attacks on the security features must be
considered
l procedures used to provide particular services are often
counter-intuitive
l physical and logical placement needs to be determined
l additional algorithms or protocols may be involved
l attackers only need to find a single weakness, the
developer needs to find all weaknesses
Computer Security Challenges

l users and system managers tend to not see the

benefits of security until a failure occurs
l security requires regular and constant monitoring
l is often an afterthought to be incorporated into a
system after the design is complete
l thought of as an impediment to efficient and user-
friendly operation
Computer Security Concepts

l Assets
Ø System resources that the users/owners wish to protect
Ø Hardware, software, data, communication lines
l Vulnerabilities
Ø Weakness in system implementation or operation
Ø Can make asset: corrupted, leaky, unavailable
l Security Policy
Ø Set of rules and practices that specifies how a system provides
security services to protect assets
l Threats
Ø Potential violation of security policy by exploiting a vulnerability
Computer Security Concepts

l Attack
Ø A threat that is carried out; a successful attack leads to violation of
security policy

- Active attack: attempt to alter system resources or operation

- Passive attack: attempt to learn information that does not
affect system resources
- Inside attack: initiated by entity with authorized access to system
- Outside attack: initiated by unauthorized user of system
Computer Security Concepts

l Countermeasure
Ø Means to deal with an attack
- Prevent, detect, respond, recover
Ø Even with countermeasures, vulnerabilities may exist, leading
to risk to the assets
Ø Aim to minimize the risks
Computer Security Concepts
Threat Consequences and Attacks

l Threat Action An attack

l Threat Agent Entity that attacks, or is threat to
system (adversary, attacker, malicious user)
l Threat Consequence A security violation that results
from a threat action
Ø Unauthorized Disclosure: exposure, interception, inference,
intrusion
Ø Deception: masquerade, falsification, repudiation
Ø Disruption: incapacitation, corruption, obstruction
Ø Usurpation: misappropriation, misuse
Scope of Computer Security
Assets and Examples of Threats
Architecture for Communications
Security

l Systematic approach to define requirements for security

and approaches to satisfying those requirements
l ITU-T Recommendation X.800, Security Architecture for
OSI
l Provides abstract view of main issues of security
l Security aspects: Attacks, mechanisms and services
l Focuses on security of networks and communications
systems
l Concepts also apply to computer security
Aspects of Security

l Security Attack
Any action that attempts to compromise the security of
information or facilities
l Security Mechanism
A method for preventing, detecting or recovering from an
attack
l Security Service
Uses security mechanisms to enhance the security of
information or facilities in order to stop attacks
Defining a Security Service

l ITU-T X.800: service that is provided by a protocol

layer of communicating systems and that ensures
adequate security of the systems or of data transfers
l IETF RFC 2828: a processing or communication
service that is provided by a system to give a specific
kind of protection to system resources
l Security services implement security policies and are
implemented by security mechanisms
Security Services

l Authentication Assure that the communicating entity is the one

that it claims to be. (Peer entity and data origin authentication)
l Access Control Prevent unauthorized use of a resource
l Data Confidentiality Protect data from unauthorized disclosure
l Data Integrity Assure data received are exactly as sent by
authorized entity
l Non-repudiation Protect against denial of one entity involved in
communications of having participated in communications
l Availability System is accessible and usable on demand by
authorized users according to intended goal
Attacks on Communication Lines
l Passive Attack
Make use of information, but not affect system resources, e.g.
1. Release message contents
2. Traffic analysis
Relatively hard to detect, but easier to prevent
l Active Attack
Alter system resources or operation, e.g.
1. Masquerade
2. Replay
3. Modification
4. Denial of service
Relatively hard to prevent, but easier to detect
Release Message Contents
Traffic Analysis
Masquerade Attack
Replay Attack
Modification Attack
Denial of Service Attack
Security Mechanisms

l Techniques designed to prevent, detect or recover from

attacks
l No single mechanism can provide all services
l Common in most mechanisms: cryptographic techniques
l Specific security mechanisms from ITU-T X.800:
Encipherment, digital signature, access control, data
integrity, authentication exchange, traffic padding,
routing control, notarization
l Pervasive security mechanisms from ITU-T X.800:
Trusted functionality, security label, event detection,
security audit trail, security recovery
Security Services and
Mechanisms
 Computer Security Strategy and
Principles
l Policy What is the security scheme supposed to do?
Ø Informal description or formal set of rules of desired system behavior
Ø Consider: assets value; vulnerabilities; potential threats and
probability of attacks
Ø Trade-offs: Ease of use vs security; cost of security vs cost of failure
and recovery
l Implementation How does it do it?
Ø Prevention, detection, response, recovery
l Assurance Does it really work?
Ø Assurance: degree of confidence that security measures work as
intended
Ø Evaluation: process of evaluating system with respect to certain criteria
Information Security Principles

NIST Guide to General Server Security

Ø Simplicity
Ø Fail-safe
Ø Complete Mediation
Ø Open Design
Ø Separation of Privilege
Ø Least Privilege
Ø Psychological Acceptability
Ø Least Common Mechanism
Ø Defense-in-Depth
Ø Work Factor
Ø Compromise Recording
Key Points

l Objectives: confidentiality, integrity, availability

l Protect assets: hardware, software, data, comms
l Attacks:
Ø Passive: release message, traffic analysis
Ø Active: masquerade, replay, modification, DoS
Ø Inside or outside
l Countermeasures, Security mechanisms: techniques
to prevent, detect, recover from attacks; often use
cryptographic techniques
Areas To Explore

l Standards and procedures for computer security

Ø ISO/ITU,NISTFIPS,IETF,IEEE,...
l Monitoring and trends in threats and attacks
Ø CERT, CVE, NVD ...
l Certification and professional associations
Ø SANS, CISSP, CCSP, GIAC, CompTIA,...