IT 221: Introduction to Information Security Principles
Lecture 1: Introduction to IT Security
For Educational Purposes Only
Revised: August 28, 2002

Chapter Outline
• Chapter 1:
  • Working Definitions of Security
  • IT Security Principles
  • Three Aspects of Security
  • Types of Security Services
  • Types of Security Threats
  • Goals of Security
  • Types of Security Attacks
  • Model for Network Security
  • Model for Network Access Security

Working Definitions of Security
• Information Security Defined:
  • “The generic name for the collection of tools designed to protect data and to thwart [break-ins]”. [4]

IT Security Principles
• Principle of Easiest Penetration:
  • “An intruder must be expected to use any available means of penetration. This is not the most obvious means, nor is it the one against which the most solid defense has been installed.” (Pfleeger)
• Principle of Adequate Protection:
  • “Computer items must be protected only until they lose their value. They must be protected to a degree consistent with their value.” (Pfleeger)

Three Aspects of Security
• Information security can be considered under three aspects:
  • Security Attack: Any attack that compromises the security of information owned by an organization.
  • Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack.
  • Security Service: A service that enhances the security of [information] systems and the information transfers of an organization. The services are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service.

Types of Security Services
• Security Services fall into one of the following categories:
  • Confidentiality: Ensures that the information in a system and transmitted information are accessible only for reading by authorized parties. (Data privacy)
  • Integrity: Ensures that only authorized parties are able to modify computer system assets and transmitted information. (Data has not been altered)
  • Authentication: Ensures that the origin of a message or electronic document is correctly identified, with an assurance that the identity is not false. (Who created or sent the data)

Types of Security Threats
• (a) Normal Flow
• (b) Interruption: An asset of a system becomes unavailable or unusable. [3]
• (c) Interception: Some unauthorized party has gained access to an asset. [3]
• (d) Modification: Some unauthorized party not only gains access to, but also tampers with, an asset. [3]
• (e) Fabrication: Some unauthorized party fabricates objects on a system. [3]

Goals of Security
• Confidentiality
• Integrity
• Availability

Types of Security Attacks
• Passive Threats:
  • Release of Message Contents
  • Traffic Analysis
• Active Threats:
  • Masquerade
  • Replay
  • Modification of Message Contents
  • Denial of Service

Model for Network Security
• (1) A message is transferred from one party (Principal) to another.
• (2) A logical information channel is established between the two Principals by the cooperative use of some protocol, e.g. TCP/IP.
• (3) The goal is to provide secure transmission of information, protected from Opponents.
• (4) A trusted third party may be needed for secure transmissions.

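An added illustration, not part of the original lecture: a Python sketch of the receiving Principal in the model above, using a shared-secret HMAC and a sequence number to detect three of the active threats listed under Types of Security Attacks (modification, masquerade, replay). The key, message text, and frame layout are constructed assumptions; the sketch does not address the passive threats or denial of service.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 tag size in bytes


def protect(key, seq, payload):
    """Sending principal: frame = 8-byte sequence number || payload || tag."""
    body = struct.pack(">Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Receiving principal: checks origin and integrity, then freshness."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, frame):
        if len(frame) < 8 + TAG_LEN:
            return ("rejected", "malformed frame")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # A mismatch covers modification (altered body) and masquerade
        # (a sender that does not hold the shared key).
        if not hmac.compare_digest(tag, expected):
            return ("rejected", "modification or masquerade")
        seq = struct.unpack(">Q", body[:8])[0]
        if seq <= self.last_seq:  # authentic frame seen before
            return ("rejected", "replay")
        self.last_seq = seq
        return ("accepted", body[8:])


def demo():
    key = os.urandom(32)  # constructed shared secret
    rx = Receiver(key)
    msg = b"transfer 100 to account 42"  # constructed sample message
    frame = protect(key, 1, msg)
    results = {"normal": rx.accept(frame), "replay": rx.accept(frame)}
    tampered = bytearray(protect(key, 2, msg))
    tampered[9] ^= 0x01  # flip one payload bit in transit
    results["modification"] = rx.accept(bytes(tampered))
    # Opponent without the key builds its own frame.
    results["masquerade"] = rx.accept(protect(os.urandom(32), 3, msg))
    return results
```

Calling demo() returns the receiver's verdict for each case. The tag gives integrity and authentication only; the payload still travels in the clear, so confidentiality would need encryption on top.
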
Model for Network Access Security
• (1) Gatekeeper functions include password-based login authentication.
• (2) Various internal controls monitor activity and analyze stored information in an attempt to detect the presence of unwanted intruders.

Resources
• [1] Denning, Dorothy E. Cryptography and Data Security, Addison-Wesley, 1983.
• [2] Ghosh, Anup. E-Commerce Security, Weak Links, Best Defenses, Wiley Computer Publishing, 1998.
• [3] Pfleeger, Charles. Security In Computing, Prentice Hall, 1997.
• [4] Stallings, William. Cryptography and Network Security, Prentice Hall, 1999.