Introduction of Information Security 1

Information Security 2017. 9. 12. 13:05

Introduction

Computer Security Concepts

  • Before the widespread use of data processing equipment, the security of information valuable to an organization was provided primarily by physical and administrative means
  • With the introduction of the computer, the need for automated tools for protecting files and other information stored on the computer became evident
  • Another major change that affected security is the introduction of distributed systems and the use of networks and communications facilities for carrying data between terminal user and computer and between computer and computer
  • Computer security
    • The generic name for the collection of tools designed to protect data and to thwart hackers
  • Internet security (lower case "I" refers to any interconnected collection of network)
    • Consist of measures to deter, prevent, detect, and correct security violations that involve the transmission of information

Computer Security

  • The NIST Computer Security Handbook defines the term computer security as:

"The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications)"

Computer Security Objectives

  • Confidentiality
    • Data confidentiality
      • Assure that private of confidential information is not made available or disclosed to unauthorized individuals
    • Privacy
      • Assure that individuals control of influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed
  • Integrity
    • Data integrity
      • Assure that information and programs are changed only in a specified and authorized manner
    • System integrity
      • Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system
    • Availability
      • Assures that  systems work promptly and service is not denied to authorized users

CIA Triad

Possible additional concepts:

Authenticity

Verifying that users are who they say they are and that each input arriving at the system came from a trusted source

Accountability

The security goal that generates the requirement for actions of an entity to be trace uniquely to that entity

Breach of Security Levels of Impact

  • High: the loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals
  • Moderate: the loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals
  • Low: the loss could be expected to have a limited adverse effect on organizations, organizational assets, or individuals

Examples of Security Requirements

Confidentiality

  • Students grade information is an asset whose confidentiality is considered to be highly important by students
  • Regulated by the Family Educational Right and Privacy Act (FERPA)

Integrity

  • Patient information stored in a database - inaccurate information could result in serious harm or death to a patient and expose the hospital to massive liability
  • A web site that offers a forum to registered users to discuss some specific topic would be assigned a moderate level of integrity
  • An example of a low-integrity requirement is an anonymous online poll

Availability

  • The more critical a component or service, the higher the level of availability required
  • A moderate availability requirement is a public Web site for a university
  • An online telephone directory lookup application would be classified as a low-availability requirement

Computer Security Challenges

  • Security is not simple
  • Potential attacks in the security features need to be considered
  • Procedures user to provide particular services are often counter-intuitive
  • It is necessary to decide where to user the various security mechanisms
  • Is too often an afterthought
  • Security mechanisms typically involve more than a particular algorithm or protocol
  • Security is essentially a battle of wits between a perpetrator and the designer
  • Little benefit from security investment is perceived until a security failure occurs
  • Strong security is often viewed as an impediment to efficient and user-friendly operation

OSI Model

OSI Security Architecture

  • Security attack
    • Any action that compromises the security of information owned by an organization
  • Security mechanism
    • A process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack
  • Security service
    • A processing or communication service that enhances the security of data processing systems and the information transfers of an organization
    • Intended to counter security attacks, and they make use of one or more security mechanisms to provide the service

Threats and Attacks (RFC 4949)

Threat

A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability

Attack

An assault in system security that derives from an intelligent threat; that is, an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system


Reference

Network Security Essentials: Applications and Standards (6th Edition)

저작자표시 비영리 변경금지
WRITTEN BY
ykiy
,