Lecture 1 (1) - 1-3

The document discusses key concepts in computer security including confidentiality, integrity, availability, and the CIA triad. It also discusses levels of impact from security breaches, examples of security requirements, and challenges of computer security.

Uploaded by vaibhav shivhare

COMPUTER SECURITY CONCEPTS

Computer security is the protection afforded to an automated information system in order to attain
the applicable objectives of preserving the integrity, availability, and confidentiality of information
system resources (including hardware, software, firmware, information/data, and telecommunications).
This definition introduces three key objectives:
➢ Confidentiality: This term covers two related concepts:
⚫ Data confidentiality: Assures that private or confidential information is not made available or
disclosed to unauthorized individuals.
⚫ Privacy: Assures that individuals control or influence what information related to them may be
collected and stored and by whom and to whom that information may be disclosed.
➢ Integrity: This term covers two related concepts:
⚫ Data integrity: Assures that information (both stored and in transmitted packets) and programs
are changed only in a specified and authorized manner.
⚫ System integrity: Assures that a system performs its intended function in an unimpaired
manner, free from deliberate or inadvertent unauthorized manipulation of the system.
➢ Availability: Assures that systems work promptly and service is not denied to authorized
users.

Figure: CIA Triad


These three concepts form what is often referred to as the CIA triad. The three concepts embody
the fundamental security objectives for both data and information and computing services.
Although the CIA triad is well established, some in the security field feel that additional concepts
are needed to present a complete picture:

Figure: Essential Network and Computer Security Requirements


Authenticity: The property of being genuine and being able to be verified and trusted;
confidence in the validity of a transmission, a message, or message originator. This means
verifying that users are who they say they are and that each input arriving at the system came
from a trusted source.
Accountability: The security goal that generates the requirement for actions of an entity to be
traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation,
intrusion detection and prevention, and after-action recovery and legal action. Because truly
secure systems are not yet an achievable goal, we must be able to trace a security breach to a
responsible party. Systems must keep records of their activities to permit later forensic analysis
to trace security breaches or to aid in transaction disputes.
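The accountability paragraph says that systems must keep records of their activities so that a breach can later be traced to a responsible party. The following example, added here and not part of the lecture notes, shows one way to build such a record: an append-only audit log in which every entry names the acting entity and chains to the SHA-256 digest of the entry before it, so that editing, reordering or deleting a record is detectable afterwards (data integrity of the log itself), and every recorded action can be traced back to one actor. The actors, actions and timestamps are constructed sample data; the all-zero genesis digest and the `expected_head` convention are assumptions of this example.

```python
import copy
import hashlib
import json
import time
from typing import Dict, List, Optional

# Constructed convention: the first record chains to a fixed all-zero digest.
GENESIS = "0" * 64


def _entry_hash(entry: Dict) -> str:
    """SHA-256 over every field except the record's own 'hash', in canonical JSON."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class AuditLog:
    """Append-only record of who did what; each record chains to the one before it."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def record(self, actor: str, action: str, target: str, outcome: str,
               ts: Optional[float] = None) -> Dict:
        # The actor field is what lets an action be traced to one entity later.
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "ts": ts if ts is not None else time.time(),
            "actor": actor,
            "action": action,
            "target": target,
            "outcome": outcome,
            "prev": prev,
        }
        entry["hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Digest of the newest record; keep a copy off the system so truncation is detectable."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(entries: List[Dict], expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the log is intact, else the index of the first record that fails.

    Catches edited, reordered, inserted or deleted records. Records cut off the
    end can only be caught when expected_head (the last digest seen by a trusted
    party) is supplied; in that case the returned index is len(entries).
    """
    expected_prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("seq") != i or e.get("prev") != expected_prev or _entry_hash(e) != e.get("hash"):
            return i
        expected_prev = e["hash"]
    if expected_head is not None and expected_prev != expected_head:
        return len(entries)
    return None


def actions_by(entries: List[Dict], actor: str) -> List[str]:
    """Trace every recorded action back to one entity (the accountability question)."""
    return [f"{e['action']} {e['target']} -> {e['outcome']}"
            for e in entries if e["actor"] == actor]


def tampered_copy(entries: List[Dict], seq: int, **changes) -> List[Dict]:
    """Return a copy with one record edited after the fact (what an attacker might try)."""
    out = copy.deepcopy(entries)
    out[seq].update(changes)
    return out


def build_sample_log() -> AuditLog:
    """Constructed sample activity with fixed timestamps so the digests are reproducible."""
    log = AuditLog()
    log.record("alice", "login", "portal", "success", ts=1.0)
    log.record("alice", "read", "grades/cs101", "success", ts=2.0)
    log.record("bob", "update", "grades/cs101", "denied", ts=3.0)
    log.record("bob", "update", "grades/cs101", "success", ts=4.0)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log.entries, log.head()))
    print("bob did:", actions_by(log.entries, "bob"))
    edited = tampered_copy(log.entries, 3, actor="alice")
    print("first bad record after edit:", verify_chain(edited, log.head()))
    print("first bad record after truncation:", verify_chain(log.entries[:-1], log.head()))
```

The chain alone cannot tell a log that was honestly short from one whose newest records were removed, which is why `head()` exists: forwarding the latest digest to a separate system (a remote log collector, for instance) gives the verifier the `expected_head` it needs. Hash chaining also does not stop someone with write access from rebuilding the whole chain; that is why the integrity of the log depends on the writer being the only party able to append, and on copies being kept where the writer cannot reach them.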
Levels of Impact
➢ Three levels of impact from a security breach can be defined:
⚫ Low
⚫ Moderate
⚫ High
Low Impact
➢ The loss could be expected to have a limited adverse effect on organizational
operations, organizational assets, or individuals.
➢ A limited adverse effect means that, for example, the loss of confidentiality, integrity,
or availability might
⚫ (i) cause a degradation in mission capability to an extent and duration that the
organization is able to perform its primary functions, but the effectiveness of
the functions is noticeably reduced;
⚫ (ii) result in minor damage to organizational assets;
⚫ (iii) result in minor financial loss; or
⚫ (iv) result in minor harm to individuals.
Moderate Impact
➢ The loss could be expected to have a serious adverse effect on organizational
operations, assets, or individuals.
➢ A serious adverse effect means that, e.g., the loss might
⚫ (i) cause a significant degradation in mission capability to an extent and duration
that the organization is able to perform its primary functions, but the
effectiveness of the functions is significantly reduced;
⚫ (ii) result in significant damage to organizational assets;
⚫ (iii) result in significant financial loss; or
⚫ (iv) result in significant harm to individuals that does not involve loss of life or
serious, life-threatening injuries.
High Impact
➢ The loss could be expected to have a severe or catastrophic adverse effect on
organizational operations, organizational assets, or individuals.
➢ A severe or catastrophic adverse effect means that, for example, the loss might
⚫ (i) cause a severe degradation in or loss of mission capability to an extent and
duration that the organization is not able to perform one or more of its primary
functions;
⚫ (ii) result in major damage to organizational assets;
⚫ (iii) result in major financial loss; or
⚫ (iv) result in severe or catastrophic harm to individuals involving loss of life or
serious, life-threatening injuries.
Examples of Security Requirements
➢ confidentiality – student grades
➢ integrity – patient information
➢ availability – authentication service
➢ authenticity – admission ticket
➢ non-repudiation – stock sell order
Computer Security Challenges
1. Security is not simple; it is easy to get it wrong.
2. Potential attacks on the security features must be considered.
3. The procedures used to provide particular services are often counter-intuitive.
4. Mechanisms typically involve algorithms and secret information (such as keys).
5. It must be decided where to deploy the security mechanisms.
6. Security is a battle of wits between the attacker and the administrator.
7. Security is not perceived to be of benefit until it fails.
8. Security requires regular, constant monitoring.