Introduction

CYB 215: Fundamentals of Information Assurance By: Saleh Almowuena

The field of network and
Internet security consists of:

measures to prevent,
detect, and correct
security violations that
involve the
transmission of
information
Motivation Examples
n A transmits file contains sensitive information to B
¨ C, unauthorized, monitor transmission and get a copy of the file
during its transmission
n Network manager, D, sends file to computer E to update
accounts file with new users
¨ F intercept message, add/delete, transmit
n F constructs his own message and send it to E as if it
had come from D
n Fired employee delays a message to deactivate his
account until he retrieves sensitive information
n Customer sends instructions to stockbroker
¨ investments lose value; customer denies sending

3
Computer Security
The NIST Computer Security Handbook defines
the term computer security as:
“the protection afforded to an automated
information system in order to attain the
applicable objectives of preserving the
integrity, availability and confidentiality of
information system resources” (includes
hardware, software, firmware, information/
data, and telecommunications)
Computer Security Objectives
Confidentiality
• Data confidentiality
• Assures that private or confidential information is not made available or
disclosed to unauthorized individuals
• Privacy
• Assures that individuals control or influence what information related to them
may be collected and stored and by whom and to whom that information may
be disclosed

Integrity
• Data integrity
• Assures that information and programs are changed only in a specified and
authorized manner
• System integrity
• Assures that a system performs its intended function in an unimpaired manner,
free from deliberate or inadvertent unauthorized manipulation of the system

Availability
• Assures that systems work promptly and service is not denied to
authorized users
Possible additional concepts:

Authenticity Accountability
• Verifying that users • The security goal
are who they say that generates the
they are and that requirement for
each input arriving at actions of an entity to
the system came be traced uniquely to
from a trusted source that entity
Breach of Security - Levels of Impact

• The loss could be expected to have a severe or

High catastrophic adverse effect on organizational
operations, organizational assets, or individuals

• The loss could be expected to have a

Moderate serious adverse effect on organizational

operations, organizational assets, or
individuals

• The loss could be expected

to have a limited adverse

Low effect on organizational

operations, organizational
assets, or individuals
Examples
Confidentiality Integrity Availability
High Student grade Patient’s allergy Authentication of
information critical system
Moderate Student’s Online forum Public university
enrollment info website
Low Student’s contact Anonymous Public telephone
information online poll directory

9
OSI* Security Architecture
n Security attack
¨ Any action that compromises the security of information
owned by an organization
n Security mechanism
¨ A process (or a device incorporating such a process)
that is designed to detect, prevent, or recover from a
security attack
n Security service
¨ A processing or communication service that enhances
the security of the data processing systems and the
information transfers of an organization
¨ Intended to counter security attacks, and they make use
of one or more security mechanisms to provide the
service
*(OSI) Open Systems Interconnection model
Security Attacks
We can classify the security
attacks in terms of passive
attacks and active attacks
• A passive attack attempts to
learn or make use of
information from the system
but does not affect system
resources
• An active attack attempts to
alter system resources or
affect their operation
Passive Attacks
• Are in the nature of
eavesdropping on, or
monitoring of,
transmissions
• Goal of the opponent is to
obtain information that is
being transmitted

n Two types of passive attacks are:

¨ The release of message contents
n tap on phone line to hear conversation
n get unauthorized copy of email message
¨ Traffic analysis
n determine location and identity of parties
n observe the pattern of these messages.
Active Attacks
n Involve some modification of • Takes place when one
the data stream or the creation entity pretends to be a
of a false stream Masquerade different entity
• Usually includes one of the
n Difficult to prevent because of other forms of active attack
the wide variety of potential
physical, software, and network • Involves the passive
capture of a data unit and
vulnerabilities Replay its subsequent
n Goal is to detect attacks and to retransmission to produce
an unauthorized effect
recover from any disruption or
delays caused by them • Some portion of a
legitimate message is
Modification altered, or messages are
of messages delayed or reordered to
produce an unauthorized
effect

• Prevents or inhibits the

Denial of normal use or
service management of
communications facilities
Security Services
n X.800:
“a service provided by a protocol layer of
communicating open systems, which ensures
adequate security of the systems or of data
transfers”

n RFC 4949:
“a processing or communication service
provided by a system to give a specific kind of
protection to system resources”
14
Security Services (X.800)
n Authentication - assurance that communicating
entity is the one claimed
n Access Control - prevention of the
unauthorized use of a resource
n Data Confidentiality –protection of data from
unauthorized disclosure
n Data Integrity - assurance that data received is
as sent by an authorized entity
n Non-Repudiation - protection against denial by
one of the parties in a communication
n Availability – resource accessible/usable
15
Slides of W. Stallings 5/E by L. Brawn.
 Goals of Security

• Prevention:
- Prevent attackers from violating security
policy;
• Detection:
- Detect attackers’ violation of security policy;
• Recovery:
- Stop attack, assess and repair damage;
- Continue to function correctly even if attack
succeeds;

CYB 215: Fundamentals of Information Assurance

 Policies and Mechanisms

• Policy says what is, and is not, allowed

- This defines “security” for the site / system /
... / etc.
• Mechanisms enforce policies;
• Composition of policies;
- If policies conflict, discrepancies may create
security vulnerabilities;

CYB 215: Fundamentals of Information Assurance

 Trust and Assumptions

Underlie all aspects of security:

• Policies:
- Unambiguously partition system states;
- Correctly capture security requirements;
• Mechanisms:
- Assumed to enforce policy;
- Support mechanisms work correctly;

CYB 215: Fundamentals of Information Assurance

 Assurance

• Specification:
- Requirements analysis;
- Statement of desired functionality;
• Design:
- How system will meet specification;
• Implementation:
- Programs/systems that carry out design;

CYB 215: Fundamentals of Information Assurance

 Operational Issues

• Cost-Benefit Analysis:
- Is it cheaper to prevent or recover?
• Risk Analysis:
- Should we protect something?
- How much should we protect this thing?
• Laws and Customs:
- Are desired security measures illegal?
- Will people do them?

CYB 215: Fundamentals of Information Assurance

 Human Issues

• Organizational Problems:
- Power and responsibility;
- Financial benefits;
• People problems:
- Outsiders and insiders;
- Social engineering;

CYB 215: Fundamentals of Information Assurance

 Tying Together

Threats
Policy
Specification
Design

Implementation

Operation

CYB 215: Fundamentals of Information Assurance

 Key Points

• Policy defines security, and mechanisms enforce

security:
- Confidentiality;
- Integrity;
- Availability;
• Trust and knowing assumptions;
• Importance of assurance;
• The human factor;

CYB 215: Fundamentals of Information Assurance

 Introduction

CYB 215: Fundamentals of Information Assurance By: Saleh Almowuena