
L1 (Intro)

The document provides an introduction to principles of information security including defining what is meant by 'secure', discussing security goals of confidentiality, integrity and availability, and describing different types of attacks, threats, and security concerns related to both single systems and international networks.

Principles of Information Security

MIS 1201
(Introduction)

Kasun De Zoysa

Department of Communication and Media Technologies


University of Colombo School of Computing
University of Colombo
Sri Lanka
MIS1201: Principles of Information Security
Having completed this course the student will be able to:

communicate knowledge of the concepts, models and terms commonly used
in the area of ICT security.

understand the basic concepts and scientific thinking in information security.

identify the current ICT security issues.

evaluate factors that influence the security of systems.

Syllabus:
Introduction to information security, Introduction to cryptography, Digital
signatures, Public-Key Infrastructure (PKI), e-mail security, Security Models
and Policies, Program Security, Malicious Software, Operating system
security, Privacy and Privacy Enhancement Tools, Social Engineering,
Security threats on Social networks

Literature:

Matt Bishop, Introduction to Computer Security, Addison Wesley, 2005.

Charles P. Pfleeger, Shari Lawrence Pfleeger, Security in Computing, Prentice Hall, 2007.
What do we mean by “secure”?

• At one time bank robbery was common. Now it's very rare. What has changed or been implemented to provide this security?
– Sophisticated alarms
– Criminal investigation techniques (DNA testing)
– Change in “assets” (cash was/is inherently
insecure)
– Improvements in communication and
transportation
• Risk becomes so high that it is no longer
beneficial.
Security is all about protecting valuables

• In our case the “valuables” are computer-related assets instead of money
– Though these days money is so electronic that
one can argue that the protection of money is a
subset of computer asset security
• Information seems to be the currency of the
21st century.
Trends in Usage of Information
Systems

Business (international) transactions

Storage of business documents

Financial flows

Industrial cooperation

Functionality and Dependability


Money vs. Information
• Size and portability
– Banks are large and unportable.
– Storage of information can be very small and extremely portable. (So small that an entire corporation's intellectual property can be stored on something the size of a postage stamp.)
• Ability to avoid physical contact
– Banks: physical interaction with the bank and the loot is unavoidable or impossible to circumvent
– Computers: require no physical contact to either gain access to, copy or remove data.
• Value of assets:
– Bank: generally very high (or why would somebody bother
to put it in a bank?)
– Computers: Variable, from very low (useless) to very high.
Required Properties of Information
Systems

Availability

Reliability (accountability)

New functionalities

Resistance to attacks

Computer Security

Past Situation (Single Systems)
Physical security and control of access to computers

Current Situation (Int’l networks and open systems)
Authentication, message protection, authorization


Method, Opportunity and Motive
• Method: The skills, knowledge and tools that enable the attack
• Opportunity: The time, access and
circumstances that allow for the attack
• Motive: The reason why the perpetrator
wants to commit the attack
Motives for Computer Security

Development of computer and information technologies

Global connectivity

Distributed systems

New (advanced) functionalities


The People Involved

• Amateurs: Accidental access to unauthorized resources and execution of unauthorized operations (no harm to regular users)
• Crackers: Active attempts to access sensitive resources and to discover system vulnerabilities (minor inconveniences to regular users)
• Criminals: Active attempts to utilize weaknesses in protection system in order to steal or destroy resources (serious problems to regular users)
• Regular users: Special requirements: authentication in open networks, authorization, message integrity, non-repudiation, special transactions
Attack, Vulnerability, Control, Problems, Threats, and Risks
• Attack: A human exploitation of a vulnerability.
• Vulnerability: A weakness in the security system.
• Control: A protective measure. An action, device or measure taken that removes, reduces or neutralizes a vulnerability.
• Problems: Consequences of unintentional accidental errors
• Threat: A set of circumstances that has the potential to cause loss or harm.
• Risks: Probabilities that some threat or problem will occur due to system vulnerabilities
Types of Concerns

Attacks on hardware or software (Active threats)

Problems with data and software transfer and manipulation (Accidental errors)

Requirements for reliable, trusted and authorized transactions
Categories of Attacks

Attacks on hardware : destruction

Attacks on software :
- Software deletion
- Software modification
- Software theft

Attacks on data :
- Data secrecy
- Data integrity
Categories of Threats

Interruption: A resource is lost, unavailable or unusable

Interception: Unauthorized access to some computer resource

Modification: Illegal or accidental change (tampering) with a resource

Fabrication: Creation of illegal or incorrect resources
Threats with a single system

– Illegal access to a system
– Authentication of users
Threats with international networks

– Communications security
– Authentication of unknown users
– Access authorizations
– Verification of transactions
Security is not always about locks, firewalls, virus scanners and hardware
• Public image often gets in the way of, or defeats, security.
– Would you deposit your money in a bank that just
revealed that it lost fifteen million dollars due to a
computer security oversight?
– Things like this probably happen a lot more often
than we care to have nightmares about.
So what does computer security
concern itself with?
• The entire system:
– Hardware
– Software
– Storage media
– Data
– Memory
– People
– Organizations
– Communications
The Dimensions of Computer Security
Security Goals (Requirements)
• What makes a “secure” system?
– Financial “Security” requirements
– Home “security”
– Homeland “security”
– Physical “security”
– Computer “security”
• All these concepts of security have different requirements. We are, of course, interested mostly in computer security, which requires three items:
Presence of all three
• The presence of all three things yields a
secure system:

[Figure: Confidentiality, Integrity and Availability, with “Secure” where all three are present]
Thing one:
• Confidentiality:
Computer related assets are only available to authorized
parties. Only those that should have access to
something will actually get that access.
• “Access” isn't limited to reading, but also covers viewing, printing or...
• Even simply knowing that the particular asset exists (steganography)
– Straightforward concept but very hard to implement.
Thing two:
• Integrity
Can mean many things: Something has integrity if it is:
• Precise
• Accurate
• Unmodified
• Consistent
• Meaningful and usable
Integrity
• Three important aspects of providing computer-related integrity:
– Authorized actions
– Separation and protection of resources
– Error detection and correction.
• Again, rather hard to implement; usually done through rigorous control of who or what can have access to data and in what ways.
Thing three:

• Availability
– There is a timely response to our requests
– There is a fair allocation of resources (no
starvation)
– Reliability (software and hardware failures lead to
graceful cessation of services and not an abrupt
crash)
– Service can be used easily and in the manner it
was intended to be used.
– Controlled concurrency, support for simultaneous
access with proper deadlock and access
management.
Principles of Computer Security

• Confidentiality: Threats to data and programs: illegal read, illegal access, data (files) deletion, illegal users, criminal acts, sabotage, etc.
• Integrity: Threats to software and data: technical errors, software errors, processing errors, transmission correctness, etc.
• Availability: Requirements for: timely response, fair allocation, fault tolerance, usability, controlled concurrency
• Functionality: New functions needed for electronic data transactions: authentication, digital signature, confidentiality, and others
“Definition” of Computer Security

Computer security comprises methods and technologies for protection, integrity, availability, authenticity and extended functionality of computer programs and data.
Goals and Principles

Simplicity . . . to understand, develop and use
Consistency . . . policies and existing schemes
Scalability . . . in a single WS, LAN, WAN, Internet
Independence . . . of technologies
Hierarchy Model of Protection
Mechanisms
Protection Methods

• Encryption: Effective for confidentiality, users and messages authentication, access control
• SW & HW Controls: Available methods: software and hardware controls (internal SW, OS controls, development controls, special HW devices)
• Policies: Precise specifications: special procedures, security methods, security parameters, organizational issues
• Physical controls: Measures for isolation of equipment, access to equipment, authorization for personnel, backup and archiving
Groups of Security Services

• Confidentiality
• Integrity
• Availability
• Functionality

Security Mechanisms
. . . in Single Systems: Confidentiality, Integrity, Availability, Functionality
. . . in Global Networks: Confidentiality, Integrity, Availability, Functionality
Security Reference Model

The security reference model comprises the components of a security system and their relationships (security protocols), linked into a security infrastructure, supporting various secure applications.

[Figure: Security Reference Model, built up across slides: Components, Security Protocols, User, Security Infrastructure, Secure Applications]
Course Coordinator: Dr. Kasun De Zoysa
e-mail: [email protected]