02-Basis Terminology and Concepts

Page 1: Introduction to Information Security

  • Security Technologies in CIT 3620 Lecture 2.

  • Focus on basic terminologies and concepts in information security.

  • Objective: Explain fundamental concepts of information security.

Page 2: Importance of Information Security

  • Quote by Gene Spafford: Security systems are impervious only when powered off and secured.

  • Emphasizes skepticism regarding absolute security.

Page 3: Information Security Management

  • Overview of information security components:

    • Information Security Attacks

    • Security Mechanisms

    • Security Services

    • Attackers

    • Security Policies

Page 4: Core Terminology

  • Security Attacks: Assaults on system security violating security objectives.

  • Security Mechanisms: Tools to prevent, detect, or recover from attacks.

  • Security Services: Functions required for security, including identification and authorization.

  • Security Objectives: Defined by the security policy.

Page 5: Vulnerability, Threat, and Attack Terminology

  • Vulnerability: Weakness in the system that can be exploited.

  • Threat: Potential danger exploiting the vulnerability; can be accidental (e.g., natural disasters) or malicious (e.g., hackers).

  • Attack: Deliberate attempts to circumvent security and compromise the policy.

Page 6: Information Security Roles

  • Prevention: Measures to safeguard assets.

  • Detection: Measures to identify damage.

  • Response: Actions to recover from asset damage; includes investigation of incidents.

Page 7: Overview of Information Security Services

  • Definition and functions of necessary security services.

Page 8: Information Security Services

  • Privacy/Confidentiality: Keeping info secret from unauthorized entities.

  • Data Integrity: Ensuring information is unaltered by unauthorized means.

  • Identification: Validating entity identities.

  • Message Authentication: Validating information source.

  • Authorization: Granting permission for actions.

Page 9: Additional Information Security Services

  • Access Control: Restricting resource access.

  • Certification: Endorsement by a trusted entity.

  • Timestamping: Recording info creation time.

  • Witnessing: Verification by another entity.

  • Ownership: Legal rights to resources.

Page 10: Continued Information Security Services

  • Anonymity: Concealing entity identities.

  • Non-repudiation: Preventing denial of past actions.

  • Revocation: Retracting authorization or certification.

Page 11: Security Threats Overview

  • Introduction to the types of security threats in information systems.

Page 12: Security Threat Flow

  • Illustration of information flow vulnerabilities (source, destination).

Page 13: Security Threats - Interruption

  • Interruption Threat: Assets become unavailable (e.g., hardware destruction, DoS attacks).

Page 14: Security Threats - Interception

  • Interception Threat: Unauthorized access to information (e.g., spying, file copying).

Page 15: Security Threats - Modification

  • Modification Threat: Unauthorized changes to assets (e.g., database alterations).

Page 16: Security Threats - Fabrication

  • Fabrication Threat: Unauthorized insertion into systems (e.g., fake messages).

Page 17: Passive Attacks

  • Passive Attacks: Efforts to learn information without affecting system resources (e.g., eavesdropping).

  • Types: Traffic analysis, interception.

Page 18: Active Attacks

  • Active Attacks: Attempts to alter system resources (e.g., interruption, modification).

  • Characteristics: Involve attacking system functions directly.

Page 19: Types of Active Attacks

  • Masquerade: Pretending to be someone else to gain privileges.

  • Replay: Capturing and resending data later.

  • Denial-of-Service: Disabling system functionalities.

Page 20: Summary of Security Threats

  • Clear link between attacks and successful exploitation of vulnerabilities.

  • Security mechanisms aim to counteract these threats to maintain services.

Page 21: Information Security Mechanisms

  • Cryptography: Encrypting data for confidentiality.

  • Other mechanisms include IDS, IPS, hashing, digital signatures.

Page 22: Conclusion

  • Final thoughts and discussion invitation for information security topics.

Page 23: References

  • Key texts: Stallings' Cryptography and Network Security, Handbook of Applied Cryptography.

  • Lecture notes by G. Chaddoud, Damascus University.