Confidentiality, Integrity, Availability
Confidentiality
Concealment of information or resources
Access control
Existence of data more revealing than data itself
Resource hiding
Mechanism: cryptography
Integrity
Prevention of improper or unauthorized change of data
Data integrity (access control)
Origin integrity (authentication)
Classes of Integrity
Availability
Ability to use the information or resource
Threats
A potential violation of security
Actions that can cause a violation are called Attacks
Classes
Disclosure: unauthorized access to information
Deception: acceptance of false data
Snooping
Unauthorized interception of information
Passive: some entity is listening to communication
Modification / Alteration
Unauthorized change of information
[x] Disclosure [x] Deception [ ] Disruption [x] Usurpation
Active (active wiretapping): data moving across the net is altered
Integrity
Spoofing
Impersonation of one entity by another
Passive: data only accessed without authentication
Integrity
Denial of Receipt
A false denial that an entity received an information or message
[ ] Disclosure [x] Deception [ ] Disruption [ ] Usurpation
Delay
A temporary inhibition of service
[ ] Disclosure [x] Deception [ ] Disruption [x] Usurpation
Availability
Denial of Service
A server is prevented from providing a service
[ ] Disclosure [ ] Deception [ ] Disruption [x] Usurpation
Availability
Security Policy
Security Mechanism
A security mechanism is a method, tool or procedure for enforcing a security policy
Goals of Security
Prevention: an attack will fail (password)
Specification
A statement of desired functioning of the system
A system is said to satisfy a specification if the specification correctly states how the system will function
Design
Design translates the specification into components that will implement it
Implementation
A program is correct if its implementation performs as specified
Testing is performed to check for the correctness of the code
Operational Issues
Any useful policy or mechanism must balance the benefits of protection against the cost of designing, implementing and using the mechanism
Design
Implementation
Operation & Maintenance
Classify each of the following as a violation of Confidentiality, of Integrity, of Availability or some combination
1. J copies M's homework
2. P crashes W's system
3. H changes the check amount of D from 100 to 1000
4. G forges L's signature on a deed
5. X registers a domain name and refuses to let the publishing house buy or use the domain name
6. J obtains Q's credit card and has the credit card company cancel the card and issue a new card
7. L spoofs E's IP address to gain access to her computer
Identify the mechanism for implementing the following (Prevention, Protection or Recovery)
1. A password changing program will reject passwords that are fewer than 5 characters long or that are found in the dictionary
2. Only students in the computer science class will be given accounts on the department's computer
3. The login program will disallow logins of any student who enters their password incorrectly 3 times
4. The permissions of the file containing a's homework will prevent b from cheating and copying
5. When WWW traffic climbs to more than 80% of the network capacity, the system will disallow any further communication to or from the Web server
Policy restricts the use of e-mail on a particular system to faculty and staff. Students cannot send or receive mail on the host. Classify each of the following as Secure, Precise or Broad
1. Download updates for me automatically
2. Notify me but don't automatically download or install them, let me choose when and what to install