Introduction to IT Security - Virginia Alliance for Secure Computing

Download Report

Transcript Introduction to IT Security - Virginia Alliance for Secure Computing 

IT 221:
Introduction to Information Security Principles
Lecture 1: Introduction to IT Security
For Educational Purposes Only
Revised: August 28, 2002
Chapter Outline
• Chapter 1:
Working Definitions of Security
IT Security Principles
Three Aspects of Security
Types of Security Services
Types of Security Threats
Goals of Security
Types of Security Attacks
Model for Network Security
Model for Network Access Security
1
August 28, 2002
IT 221: Introduction to Information Security Priciples
For Educational Purposes Only
Working Definitions of Security
•
Information Security Defined:
“The generic name for the collection of tools designed to
protect data and to thwart [break-ins]”. [4]
2
August 28, 2002
IT 221: Introduction to Information Security Priciples
For Educational Purposes Only
IT Security Principles
•
Principle of Easiest Penetration:
“An intruder must be expected to use any available means of penetration.
This is not the most obvious means, nor is it the one against which the most
solid defense has been installed.” (Pflegger)
•
Principle of Adequate Protection:
“Computer Items must be protected only until they lose their value. They
must be protected to a degree consistent with their value.” (Pflegger)
3
August 28, 2002
IT 221: Introduction to Information Security Priciples
For Educational Purposes Only
Three Aspects of Security
• Security Services fall into one of the following categories:
Security Attack: Any Attack that compromises the security of information owned
by an organization.
Security Mechanism: A mechanism that is designed to detect, prevent or recover
from a security attack.
Security Service: A service that enhances the security of [information] systems and
the information transfers of an organization. The services are intended to counter
security attacks, and they make use of one or more security mechanisms to provide
the service.
4
August 28, 2002
IT 221: Introduction to Information Security Priciples
For Educational Purposes Only
Types of Security Services
•
Security Services fall into one of the following categories:
Confidentiality: Ensures that the info in a system and transmitted info are accessible
only for reading by authorized parties. (Data Privacy)
Integrity: Ensures that only authorized parties are able to modify computer systems
assets and transmitted information. (Data has not been altered)
Authentication: Ensures that the origin of a message or electronic doc is correctly
identified, with an assurance that the identity is not false. (Who created or sent the data)
5
August 28, 2002
IT 221: Introduction to Information Security Priciples
For Educational Purposes Only
Types of Security Threats
•(a) Normal Flow
•(b) Interruption: An asset of a system
becomes unavailable or unusable. [3]
•(c) Interception: Some unauthorized
party which has gained access to an
asset. [3]
•(d) Modification: Some unauthorized
party not only gains access to, but also
tampers with, an asset. [3]
•(e) Fabrication: Some unauthorized
party fabricates objects on a system. [3]
6
August 28, 2002
IT 221: Introduction to Information Security Priciples
For Educational Purposes Only
Goals of Security
Confidentiality
Integrity
Availability
7
August 28, 2002
IT 221: Introduction to Information Security Priciples
For Educational Purposes Only
Types of Security Attacks
•Passive Threats:
 Release of Message Contents
Traffic Analysis
•Active Threats:
 Masquerade
Replay
Modification of Mess. Contents
Denial of Service
8
August 28, 2002
IT 221: Introduction to Information Security Priciples
For Educational Purposes Only
Model for Network Security
•(1) A message is transferred
from one party (Principal) to
another.
•(2) A logical information
channel is established between
the two Principals by the
cooperative use of some
protocol, e.g. TCP/IP.
•(3) Goal is to provide the secure
transmission of information
from Opponents.
•(4) A trusted third-party may
be needed for secure
transmissions.
9
August 28, 2002
IT 221: Introduction to Information Security Priciples
For Educational Purposes Only
Model for Network Access Security
•(1) Gatekeeper functions
include Password-based login
authentications.
•(2) Various internal controls
that monitor activity and
analyze stored information in
an attempt to detect the
presence of unwanted
intruders.
10
August 28, 2002
IT 221: Introduction to Information Security Priciples
For Educational Purposes Only
Resources
•[1] Denning, Dorothy E. Cryptography and Data Security, Addison-Wesley,
1983.
•[2] Ghosh, Anup. E-Commerce Security, Weak Links, Best Defenses, Wiley
Computer Publishing, 1998.
•[3]
Pfleeger, Charles. Security In Computing, Prentice Hall, 1997.
•[4]
Stallings, William. Cryptography and Network Security, Prentice Hall, 1999.
11
August 28, 2002
IT 221: Introduction to Information Security Priciples
For Educational Purposes Only