Introduction to IT Security - Virginia Alliance for Secure Computing
IT 221: Introduction to Information Security Principles
Lecture 1: Introduction to IT Security
For Educational Purposes Only
Revised: August 28, 2002

Chapter Outline
• Chapter 1:
  Working Definitions of Security
  IT Security Principles
  Three Aspects of Security
  Types of Security Services
  Types of Security Threats
  Goals of Security
  Types of Security Attacks
  Model for Network Security
  Model for Network Access Security

August 28, 2002   IT 221: Introduction to Information Security Principles   For Educational Purposes Only

Working Definitions of Security
• Information Security Defined: "The generic name for the collection of tools designed to protect data and to thwart [break-ins]." [4]

IT Security Principles
• Principle of Easiest Penetration: "An intruder must be expected to use any available means of penetration. This is not necessarily the most obvious means, nor is it necessarily the one against which the most solid defense has been installed." (Pfleeger [3])
• Principle of Adequate Protection: "Computer items must be protected only until they lose their value. They must be protected to a degree consistent with their value." (Pfleeger [3])

Three Aspects of Security
• Security is discussed in terms of three aspects [4]:
  Security Attack: Any action that compromises the security of information owned by an organization.
  Security Mechanism: A mechanism designed to detect, prevent, or recover from a security attack.
  Security Service: A service that enhances the security of information systems and the information transfers of an organization. The services are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service.
Types of Security Services
• Security services fall into one of the following categories [4]:
  Confidentiality: Ensures that the information in a computer system and transmitted information are accessible only for reading by authorized parties. (Data privacy)
  Integrity: Ensures that only authorized parties are able to modify computer system assets and transmitted information. (Data has not been altered)
  Authentication: Ensures that the origin of a message or electronic document is correctly identified, with an assurance that the identity is not false. (Who created or sent the data)

Types of Security Threats
• (a) Normal flow: information moves from its source to its intended destination.
• (b) Interruption: An asset of the system becomes unavailable or unusable. [3]
• (c) Interception: Some unauthorized party has gained access to an asset. [3]
• (d) Modification: Some unauthorized party not only gains access to, but also tampers with, an asset. [3]
• (e) Fabrication: Some unauthorized party fabricates counterfeit objects on a system. [3]

Goals of Security
• Confidentiality
• Integrity
• Availability

Types of Security Attacks
• Passive attacks:
  Release of message contents
  Traffic analysis
• Active attacks:
  Masquerade
  Replay
  Modification of message contents
  Denial of service

Model for Network Security
• (1) A message is transferred from one party (principal) to another.
• (2) A logical information channel is established between the two principals by the cooperative use of some protocol, e.g. TCP/IP.
• (3) The goal is to protect the information in transit from an opponent.
• (4) A trusted third party may be needed for secure transmission.

Model for Network Access Security
• (1) Gatekeeper functions, such as password-based login authentication, that admit only authorized users.
• (2) Various internal controls that monitor activity and analyze stored information in an attempt to detect the presence of unwanted intruders.

Resources
• [1] Denning, Dorothy E. Cryptography and Data Security. Addison-Wesley, 1983.
• [2] Ghosh, Anup. E-Commerce Security: Weak Links, Best Defenses. Wiley Computer Publishing, 1998.
• [3] Pfleeger, Charles. Security in Computing. Prentice Hall, 1997.
• [4] Stallings, William. Cryptography and Network Security. Prentice Hall, 1999.
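The threat categories on the Types of Security Threats slide (interruption, interception, modification, fabrication), the passive and active attacks on the Types of Security Attacks slide, and the two-principals-plus-opponent picture of the Model for Network Security slide can all be exercised in one short simulation. The following is an added example written for this page, not code from the lecture or from its references. The principal names alice, bob and mallory, the wire layout (8-byte sender name, 8-byte sequence number, ciphertext, 32-byte HMAC-SHA256 tag) and the HMAC-based keystream are illustrative assumptions; the shared secret is assumed to have been delivered to both principals by a trusted third party, and a production system would use an authenticated cipher such as AES-GCM with a real key exchange instead.

```python
"""Two principals, a shared secret and an opponent on the channel (added example, not from the lecture).

Assumptions: principal names alice/bob/mallory, the wire layout (8-byte name, 8-byte sequence
number, ciphertext, 32-byte HMAC-SHA256 tag) and the HMAC-based keystream are illustrative only.
"""
import hashlib
import hmac
import secrets
import struct

HDR_LEN = 16   # 8-byte sender name + 8-byte sequence number
TAG_LEN = 32   # HMAC-SHA256


def derive_keys(shared_secret):
    # One secret (assumed delivered to both principals by a trusted third party) yields
    # separate confidentiality and integrity keys, so neither use can weaken the other.
    enc_key = hmac.new(shared_secret, b"confidentiality", hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"integrity", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(key, nonce, length):
    # PRF in counter mode: block i = HMAC-SHA256(key, nonce || i). Security rests on the nonce
    # never repeating under a key; here the nonce is the header (sender name + sequence number).
    out = b""
    for counter in range(-(-length // 32)):
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
    return out[:length]


class Principal:
    def __init__(self, name, shared_secret):
        self.name = name.encode().ljust(8, b"\0")[:8]
        self.enc_key, self.mac_key = derive_keys(shared_secret)
        self.send_seq = 0     # next sequence number to emit
        self.last_seq = -1    # highest sequence number accepted from the peer

    def send(self, plaintext):
        header = self.name + struct.pack(">Q", self.send_seq)
        self.send_seq += 1
        ct = bytes(p ^ k for p, k in zip(plaintext, keystream(self.enc_key, header, len(plaintext))))
        tag = hmac.new(self.mac_key, header + ct, hashlib.sha256).digest()
        return header + ct + tag

    def receive(self, wire):
        if len(wire) < HDR_LEN + TAG_LEN:
            return "rejected: truncated", None
        header, ct, tag = wire[:HDR_LEN], wire[HDR_LEN:-TAG_LEN], wire[-TAG_LEN:]
        # Integrity and authentication first: without the MAC key neither a modified message
        # nor a masquerading sender can produce a valid tag.
        if not hmac.compare_digest(tag, hmac.new(self.mac_key, header + ct, hashlib.sha256).digest()):
            return "rejected: bad MAC (modification or masquerade)", None
        seq = struct.unpack(">Q", header[8:])[0]
        if seq <= self.last_seq:            # an old but genuine message presented again
            return "rejected: replay", None
        missing = seq - self.last_seq - 1   # a gap means something was interrupted or withheld
        self.last_seq = seq
        pt = bytes(c ^ k for c, k in zip(ct, keystream(self.enc_key, header, len(ct))))
        status = "accepted" if missing == 0 else f"accepted ({missing} message(s) lost or withheld)"
        return status, pt


def observe(wire):
    # Passive opponent: interception yields only metadata (traffic analysis), not the contents.
    return {"claimed_sender": wire[:8].rstrip(b"\0").decode(),
            "payload_bytes": len(wire) - HDR_LEN - TAG_LEN}


def run_scenarios():
    secret = secrets.token_bytes(32)
    alice, bob = Principal("alice", secret), Principal("bob", secret)
    results = {}
    wire = alice.send(b"transfer 100 to bob")                 # (a) normal flow
    results["normal"] = bob.receive(wire)
    results["interception"] = observe(wire)                   # (c) interception / traffic analysis
    tampered = bytearray(wire)
    tampered[HDR_LEN] ^= 0x01                                 # (d) modification: flip one ciphertext bit
    results["modification"] = bob.receive(bytes(tampered))[0]
    results["replay"] = bob.receive(wire)[0]                  # active attack: replay a genuine message
    mallory = Principal("alice", secrets.token_bytes(32))     # (e) fabrication / masquerade without the key
    results["masquerade"] = bob.receive(mallory.send(b"transfer 100 to mallory"))[0]
    alice.send(b"second message")                             # (b) interruption: the opponent drops it
    results["interruption"] = bob.receive(alice.send(b"third message"))[0]
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:13} -> {outcome}")
```

Running the block shows the split the slides describe: the MAC (an integrity and authentication mechanism) turns modification and masquerade into rejected messages, the sequence number turns replay into a rejected message, and encryption (a confidentiality mechanism) hides the contents. Two threats survive: interception still leaks who is talking and how much (traffic analysis), and interruption can only be noticed from the sequence gap, not prevented, which is why availability needs mechanisms beyond what this channel provides.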
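The Model for Network Access Security slide names two layers: a gatekeeper that admits users (password-based login) and internal controls that watch activity afterwards to spot intruders. The following added example, written for this page and not taken from the lecture or its references, implements a minimal version of both in Python: the gatekeeper stores salted PBKDF2 hashes and logs every attempt, and a detector walks that log looking for password guessing and for a success that follows it. The usernames, passwords, source addresses and the "five failures within sixty seconds" rule are constructed assumptions for illustration.

```python
"""Gatekeeper plus internal monitoring (added example, not from the lecture).

Usernames, passwords, source addresses and the 5-failures-in-60-seconds rule are constructed
assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict


class Gatekeeper:
    """Password-based login. Only salted PBKDF2 hashes are stored, and every attempt is
    recorded so that the internal controls below have something to analyze."""
    ITERATIONS = 100_000

    def __init__(self):
        self._users = {}      # username -> (salt, derived key)
        self.attempts = []    # (timestamp, source address, username, "success" | "failure")

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._derive(password, salt))

    def login(self, username, password, source, now=None):
        now = time.time() if now is None else now
        record = self._users.get(username)
        if record is None:
            # Unknown user: still do the expensive derivation so the response time does not
            # reveal which usernames exist.
            self._derive(password, secrets.token_bytes(16))
            ok = False
        else:
            salt, stored = record
            ok = hmac.compare_digest(stored, self._derive(password, salt))
        self.attempts.append((now, source, username, "success" if ok else "failure"))
        return ok


def detect_intruders(attempts, window=60.0, threshold=5):
    """Internal control: walk the attempt log in time order and flag (1) any source that fails
    `threshold` times within `window` seconds and (2) a later success from that same source."""
    alerts = []
    recent_failures = defaultdict(list)   # source -> failure timestamps still inside the window
    flagged = set()
    for ts, source, username, outcome in sorted(attempts):
        recent = [t for t in recent_failures[source] if ts - t <= window]
        if outcome == "failure":
            recent.append(ts)
            if len(recent) >= threshold and source not in flagged:
                flagged.add(source)
                alerts.append(f"{source}: {len(recent)} failed logins within {window:.0f}s (possible password guessing)")
        elif source in flagged:
            alerts.append(f"{source}: successful login as {username!r} after a guessing burst (possible compromise)")
        recent_failures[source] = recent
    return alerts


def demo():
    gk = Gatekeeper()
    gk.register("alice", "correct horse battery staple")
    t0 = 1_700_000_000.0
    # Constructed activity: one legitimate login, then a guessing run from a single address
    # that finally hits the right password.
    gk.login("alice", "correct horse battery staple", "10.0.0.5", t0)
    for i, guess in enumerate(["password", "123456", "alice", "letmein", "qwerty"]):
        gk.login("alice", guess, "203.0.113.9", t0 + 10 + i)
    gk.login("bob", "password", "203.0.113.9", t0 + 16)        # non-existent user, same failure path
    gk.login("alice", "correct horse battery staple", "203.0.113.9", t0 + 20)
    return gk, detect_intruders(gk.attempts)


if __name__ == "__main__":
    gatekeeper, alerts = demo()
    for entry in gatekeeper.attempts:
        print(entry)
    for alert in alerts:
        print("ALERT", alert)
```

The point of the split is the one the slide makes: the gatekeeper alone lets the final login through, because the password was correct, and only the internal control that analyzes the stored attempt log can tell that this "authorized" session followed a guessing run and deserves a second look.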