What is computer security?
The protection offered to an automated information system to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources
What are the 3 key objectives of computer security?
Confidentiality
Integrity
Availability
What is confidentiality?
Prevent sensitive information from reaching the wrong people while making sure the right people get it
What are the two concepts covered by confidentiality?
Data confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorized individuals
Privacy: Assures that individuals control or influence what information related to them may be collected and shared and by whom and to whom that information may be disclosed
What is integrity?
Maintaining data and systems consistency, accuracy, and trustworthiness over their entire lifecycle
What do integrity measurements guarantee?
That data/system cannot be changed by unauthorized people, and if the data/system is changed by unauthorized people, we can detect that
What are the two types of integrity?
Data integrity: Assures that information and programs are changed only in a specified and unauthorized manner
System integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system
What is availability?
Assures that systems work promptly and service is not denied to authorized users
Ensuring a timely and reliable access to and use of information
What is authenticity?
The property of being genuine and able to be verified
Confidence in the validity of a transmission, verifiability of a message originator, inputs arriving from trusted sources
Verifiability of a user's identity
What is accountability?
Actions can be uniquely traced to their origination
Essential for non-repudiation, deterrence, fault isolation, intrusion detection, after-action recovery, legal action
Truly secure systems are not achievable, so security breaches must be traceable
What is authorization?
The process of specifying access rights to resources
What are attacks on communication networks?
Any action with the intention to compromise the security of data and systems owned by an organization
What are the 2 types of attacks?
Passive attacks: Attempts to learn or make use of information from the system that do not affect the system resources
Active attacks: Attempts to alter system resources or affect their operation
What are the 2 types of passive attacks?
Snooping: Release of message contents
Spoofing: Traffic analysis
What are the 4 types of active attacks?
Masquerade
Delay attacks
Modification attack
Denial of service
What is the masquerade active attack?
One entity pretends to be a different entity
What are delay attacks in active attacks?
Passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect
What are modification attacks in active attacks?
Some portion of a legitimate message is altered or messages are reproduced to produce an unauthorized effect
What are denial of service attacks in active attacks?
Prevents or inhibits the normal use or management of communication facilities
What is a security threat?
A potential for security violation, which exists when a circumstance, capability, action, or event could breach security and cause harm
What is a security vulnerability?
A flaw in the system that can leave it open to attacks
What is a security mechanism?
A process designed to prevent, detect, or recover from a security attack
What is the security mechanism used for?
To achieve security objectives and requirements
What is a security service?
A processing or communication service that enhances the security of the data processing systems and the information transfers of an organization
What are security services intended to do?
Counter security attacks and use one or more security mechanisms to provide the service
What is a security policy?
A statement that clearly states what it means to be secure for a system, organization or other entity
What does the security policy state?
How a company plans to protect its physical and information technology (IT) assets