Information Security

Components / Functions of Security

Confidentiality

Integrity Availability

Confidentiality
Concealment of information or resource
Access Control Existence of data more revealing than data itself

Resource hiding

Mechanism - Cryptography

Integrity
Prevention of improper or unauthorized change of data
Data integrity (access control) Origin integrity (authentication)

Classes of Integrity

preventive blocking unauthorized change of data

change data in unauthorized way

detective report data integrity not trustworthy

Availability
Ability to use the information or resource

Denial of service or data

Threats
A potential violation of security
Actions that can cause a violation are called Attacks

Classes
Disclosure Unauthorized access of information
Deception Acceptance of false data

Disruption Interruption or prevention of correct operation

Usurpation Unauthorized control of a part of the system

Snooping
Unauthorized interception of information
Passive some entity is listening to communication

browsing through files or system information

? Disclosure . ? Deception ? Disruption ? Usurpation Passive Wiretapping Network is monitored Confidentiality

Modification / Alteration
Unauthorized change of information
Active ? Disclosure . ? Deception . ? Disruption ? Usurpation . Active Wiretapping data moving across the net is altered Integrity

Spoofing
Impersonation of one entity by another
Passive Data only accessed without authentication

Active user mislead about the source of the information

? Disclosure ? Deception . ? Disruption ? Usurpation . Unauthorized Delegation

Integrity

Denial of Receipt
A false denial that an entity received an information or message
? Disclosure ? Deception . ? Disruption ? Usurpation

Integrity & Availability

Delay
A temporary inhabitation of service
? Disclosure ? Deception .

? Disruption
? Usurpation .

Availability

Denial of Service
A server is prevented to provide a service
? Disclosure ? Deception

? Disruption
? Usurpation .

Availability

Security Policy

A security policy is a statement of what is, and what is not, allowed

Specification of secure state and non secure state

Security Mechanism
A security mechanism is a method, tool or procedure for enforcing a security policy Goals of Security Prevention An attack will fail (password)

Detection Accepts that an attack has occurred

Provides actions and information indicating an attack (Wrong password entry 3 times) Recovery Stop an attack assesses and repairs any damage caused by an attack

Assumption & Trust

Security rests on assumption specific to the type of security required and the environment in which it is to be employed Assumption Security correctly partitions the set of system states into two secure and non secure Security mechanism prevents the system from entering the non secure state secure precise broad R<Q R=Q r < R r <> Q

Specification
A statement of desired functioning of the system

A system is said to specify a specification if the specification correctly states how the system will function

Design

Design translates the specification into components that will implement them

Implementation
A program is correct if its implementation performs as specified
Testing is performed to check for the correctness of the code

Operational Issues
Any useful Policy or Mechanism must balance the benefits of protecting against cost of Design, Implementation & using the mechanism

Cost Benefit Analysis

Risk Analysis Laws

Security Life Cycle

Threat Policy Specification

Design
Implementation Operation & Maintenance

Classify each of the following as a violation of Confidentiality, of Integrity, of Availability or some combination 1. J copies Ms homework

2. P crashes Ws system 3. H changes the check amount of D from 100 to 1000 4. G forges Ls signature on a Deed 5. X registers a domain name and refuses to let the publishing house buy or use the domain name 6. J obtains Qs credit card and has the credit card company cancel the card and issue a new card 7. L spoofs Es IP address to gain access to her computer

Identify the mechanism for implementing the following Prevention, Protection or Recovery 1. A password changing program will reject passwords that are less than 5 character long or that are found in the dictionary.

2. Only students in the computer science class will be given accounts on the departments computer

3. The login program will disallow logins of any student who enters their password incorrectly 3 times
4. The permission of file containing as homework will prevent b from cheating & coping 5. When WW traffic climbs to more than 80% of the network capacity, system will disallow any further communication to or from the Web serve

Policy restricts the use of E-Mail on a particular system to faculty and staff. Students cannot send or receive mail on the host. Classify each of the following as Secure, Precise or Broad

1. The electronic mail sending and receiving programs are disabled

2. As each letter is send or received, the system looks up the sender or recipient in a database. If the party is listed as faculty or staff, the mail is processed otherwise it is rejected 3. The electronic mail sending program if he or she is a student. If so the Mail is refused . The electronic mailing programs are disabled

Classify each of the following as Secure, Precise or Broad

1. Download updates for me automatically 2. Notify me but dont automatically download or install them, let me choose when and what to install

3. Turn off automatic updates