Chapter 1 of Computer Security

The document provides an overview of key concepts in computer security including confidentiality, integrity, availability, authenticity, and accountability. It discusses challenges in computer security such as the complexity in meeting security requirements, considering potential attacks, and monitoring systems regularly. The document also covers security terminology like threats, vulnerabilities, attacks, and countermeasures.

Uploaded by

Qasim Bhatia
Copyright © All Rights Reserved

Computer Security:

Principles and Practice


Chapter 1 – Overview

by William Stallings and Lawrie Brown


Overview
Computer Security: protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).
Key Security Concepts
• Confidentiality: Preserving authorized
restrictions on information access and disclosure,
including means for protecting personal privacy
and proprietary information. A loss of
confidentiality is the unauthorized disclosure of
information. (Data Confidentiality and Privacy)
• Integrity (Data and System): Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.
• Availability: Ensuring timely and reliable access to and
use of information. A loss of availability is the disruption of
access to or use of information or an information system.
Although the use of the CIA triad to define security objectives is well established, some in the security field feel that additional concepts are needed to present a complete picture. Two of the most commonly mentioned are:
• Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator.
• Accountability: Security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.
Computer Security Challenges
Computer security is both fascinating and complex.
Some of the reasons follow:
1. Computer security is not as simple as it might first
appear to the novice. The requirements seem to be
straightforward, but the mechanisms used to meet
those requirements can be quite complex.
2. In developing a particular security mechanism or
algorithm, one must always consider potential
attacks (often unexpected) on those security features.
3. Hence procedures used to provide particular
services are often counterintuitive.
4. Having designed various security mechanisms, it is
necessary to decide where to use them.
Computer Security Challenges
5. Security mechanisms typically involve more than a
particular algorithm or protocol, but also require
participants to have secret information, leading to
issues of creation, distribution, and protection of that
secret information. (must decide where to deploy mechanisms)
6. Computer security is essentially a battle of wits
(cleverness) between a perpetrator who tries to
find holes and the designer or administrator who
tries to close them.
7. There is a natural tendency on the part of users and
system managers to perceive little benefit from
security investment until a security failure occurs.
Computer Security Challenges
8. Security requires regular monitoring, difficult in
today's short-term environment. (requires regular
monitoring)
9. Security is still too often an afterthought -
incorporated after the design is complete. (too often
an after-thought)
10. Many users / security administrators view strong security as an impediment to efficient and user-friendly operation of an information system or use of information. (regarded as impediment to using system)
Recap of Computer Security
Challenges
1. not simple
2. must consider potential attacks
3. procedures used counter-intuitive
4. involve algorithms and secret info
5. must decide where to deploy mechanisms
6. battle of wits between attacker / admin
7. no benefit perceived until it fails
8. requires regular monitoring
9. too often an after-thought
10. regarded as impediment to using system
Computer Security Terminology
Adversary (threat agent) - An entity that attacks, or is
a threat to, a system.
Attack - An assault on system security that derives from
an intelligent threat; a deliberate attempt to evade
security services and violate security policy of a system.
Countermeasure - An action, device, procedure, or
technique that reduces a threat, a vulnerability, or an
attack by eliminating or preventing it, by minimizing the
harm it can cause, or by discovering and reporting it so
that corrective action can be taken.
Risk - An expectation of loss expressed as the
probability that a particular threat will exploit a particular
vulnerability with a particular harmful result.
Computer Security Terminology
Security Policy - A set of rules and practices that
specify how a system or organization provides security services
to protect sensitive and critical system resources.
System Resource (Asset) - Data; a service provided by
a system; a system capability; an item of system
equipment; a facility that houses system operations and
equipment.
Threat - A potential for violation of security, which exists
when there is a circumstance, capability, action, or event
that could breach security and cause harm.
Vulnerability - Flaw or weakness in a system's design,
implementation, or operation and management that
could be exploited to violate the system's security policy.
Security Concept and Relationship
Vulnerabilities and Attacks
• system resource vulnerabilities (weaknesses) may
  – be corrupted (loss of integrity)
  – become leaky (loss of confidentiality)
  – become unavailable (loss of availability)
• attacks are threats carried out and may be
  – passive
  – active
  – insider
  – outsider
Vulnerabilities and Attacks
In the context of security, our concern is with the
vulnerabilities of system resources which may be:
• Corrupted, so that it does the wrong thing or gives
wrong answers. e.g. data stored may be different from
what it should be because it has been improperly
modified.
• Become leaky. e.g. someone who should not have
access to some or all of the information available
through the network obtains such access.
• Become unavailable or very slow. e.g. using the system or network becomes impossible.
Vulnerabilities and Attacks
Corresponding to the various types of vulnerabilities to a system
resource are threats that are capable of exploiting those
vulnerabilities, which represent a potential security harm to an
asset. An attack is a threat that is carried out.
We can distinguish two types of attacks:
• Active attack: attempts to alter system resources or affect their
operation
• Passive attack: attempts to learn or make use of information
from the system but does not affect system resources
We can also classify attacks based on the origin of the attack:
• Inside attack: Initiated by an entity inside the security perimeter (an "insider")
• Outside attack: Initiated from outside the perimeter, by an
unauthorized or illegitimate user of the system (an "outsider").
Countermeasures
• A countermeasure is any means taken to deal with a security attack. It can be devised to
  – prevent a particular type of attack
  – detect the attack
  – recover from the effects of the attack
• It may result in new vulnerabilities
• There will be residual vulnerability after the imposition of countermeasures
• Goal is to minimize risk given other constraints
Threat Consequences
• Unauthorized disclosure
  – exposure, interception, inference, intrusion
• Deception
  – masquerade, falsification, repudiation
• Disruption
  – incapacitation, corruption, obstruction
• Usurpation
  – misappropriation, misuse
Types of Security Threats
RFC 2828 (Internet Security Glossary, which defines a security service as a processing or communication service provided by a system) describes four kinds of threat consequences and the kinds of attacks that result in each:
Unauthorized disclosure is a threat to confidentiality:
• Exposure: Sensitive data is directly released to an
unauthorized entity. (e.g. Credit Card number to an
outsider, universities posting students' confidential information on the web)
• Interception: An unauthorized entity directly accesses
sensitive data in transit (communication) (e.g. on
shared LAN, such as Wireless LAN or broadcast
Ethernet, any device attached to LAN can receive a
copy of packet intended for another device)
Threat Consequences
• Inference: an unauthorized entity indirectly
accesses sensitive data by reasoning from
characteristics or byproducts of communications.
(e.g. Traffic analysis, where adversary is able to
observe the pattern of traffic on a network,
Inference of detailed information from a database
by a user, who has only limited access)
• Intrusion: An unauthorized entity circumvents
system's security protections. (e.g. an adversary gains unauthorized access to sensitive data by overcoming the system access control.)
Threat Consequences
Deception is a threat to either system integrity or
data integrity:
• Masquerade: An unauthorized entity poses as
an authorized entity. (e.g. malicious logic, such as a Trojan horse that actually gains unauthorized access)
• Falsification: False data deceives an
authorized entity. (e.g. a student may alter his or her grades in the school database)
• Repudiation: An entity deceives another by
falsely denying responsibility for an act. (e.g.
User either denies sending data or receiving data or
possessing data)
Threat Consequences
Disruption is a threat to availability or system integrity:
• Incapacitation: Prevent/interrupt system operation
by disabling a system component (e.g. Malicious
software, such as Trojan horses, viruses or worms
operates in such a way)
• Corruption: adversely modifying system functions
or data or attack on system integrity (e.g. a user gets access to the system and modifies some of its functions)
• Obstruction: interrupts delivery of system services
by hindering system operation. (e.g. Overload the
system by placing excess burden on
communication traffic)
Threat Consequences
Usurpation is a threat to system integrity:
• Misappropriation: unauthorized logical or
physical control of a system resource (e.g. in a DDoS attack, when malicious software is installed on a number of hosts to be used as a platform to launch traffic at a target host, this malicious software makes unauthorized use of processor and OS resources).
• Misuse: Causes system to perform a function or
service detrimental to security. (e.g. it can occur either by means of malicious logic or a hacker that has gained unauthorized access to a system)
Scope of Computer Security
Assets of a computer system can be categorized as
hardware, software, data, and communication
lines and networks.
Hardware - The major threat is the threat to availability. Hardware is the most vulnerable to attack and the least susceptible to automated controls.
• Threats include accidental and deliberate
damage to equipment as well as theft.
• Theft of CDROMs and DVDs can lead to loss of
confidentiality.
• Physical and administrative security measures
are needed to deal with these threats.
Scope of Computer Security
Software - includes the OS, utilities, and
application programs. A key threat is an attack
on availability. Software is often easy to delete
and can also be altered or damaged to render it
useless. Careful software configuration
management can maintain high availability. A
more difficult problem is software modification
(e.g. from virus/worm) that results in a
program that still functions but that behaves
differently than before, which is a threat to
integrity/authenticity.
Scope of Computer Security
Data - involves files and other forms of data controlled
by individuals, groups, and business organizations.
Security concerns with respect to data are broad,
encompassing availability, secrecy, and integrity. In the
case of availability, the concern is with the destruction
of data files, which can occur either accidentally or
maliciously. The obvious concern with secrecy is the
unauthorized reading of data files or databases. A less
obvious secrecy threat involves the analysis of data
and manifests itself in the use of so-called statistical
databases, which provide summary or aggregate
information.
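The inference threat listed under Threat Consequences and the statistical-database concern just described, as an added example that is not part of the original slides or the book: a toy aggregate-only interface over constructed salary data, a pair of aggregate queries whose difference isolates one person's record, and a query-set-size control (an assumption added here, threshold k = 2) that refuses that pair.

```python
"""Added example (not from the Stallings & Brown slides): why a
'statistical database' that only answers aggregate queries can still
leak an individual's record (the inference threat), and one
query-set-size control.  Data, names and the threshold are constructed."""

# Constructed toy table: (name, department, salary)
EMPLOYEES = [
    ("alice", "engineering", 120_000),
    ("bob", "engineering", 110_000),
    ("carol", "engineering", 105_000),
    ("dave", "sales", 90_000),
    ("erin", "sales", 95_000),
    ("frank", "finance", 130_000),
]

MIN_SET_SIZE = 2  # assumed threshold k for the control


def sum_salary(predicate, guard=False):
    """Aggregate-only interface: return the salary total over the rows
    matching `predicate`.  With guard=True, refuse queries whose query
    set is smaller than k or larger than N - k, a classic query-set-size
    control (our assumption, not something the slides describe)."""
    matched = [row for row in EMPLOYEES if predicate(row)]
    n, total = len(EMPLOYEES), len(matched)
    if guard and (total < MIN_SET_SIZE or total > n - MIN_SET_SIZE):
        return None  # refused: too few or too many rows in the query set
    return sum(salary for _, _, salary in matched)


def infer_frank_unguarded():
    """Differencing: two legitimate-looking aggregates whose difference
    is exactly one person's salary, even though no query ever asked
    for a single row."""
    everyone = sum_salary(lambda r: True)
    all_but_finance = sum_salary(lambda r: r[1] != "finance")
    return everyone - all_but_finance  # 130000, Frank's salary


def infer_frank_guarded():
    """The same pair of queries against the guarded interface: both
    query sets are larger than N - k, so both are refused."""
    everyone = sum_salary(lambda r: True, guard=True)
    all_but_finance = sum_salary(lambda r: r[1] != "finance", guard=True)
    if everyone is None or all_but_finance is None:
        return None
    return everyone - all_but_finance
```

The control refuses this particular pair but not every combination of overlapping queries, so it lowers the risk of inference rather than removing it.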
Network Security Attacks
• Classify as passive or active
• A passive attack attempts to learn or make use of information, but does not affect system resources, whereas an active attack attempts to alter system resources or affect their operation
• Passive attacks are eavesdropping
  – release of message contents
  – traffic analysis
  – are hard to detect, so aim to prevent
• Active attacks modify/fake data
  – masquerade
  – replay
  – modification
  – denial of service
  – are hard to prevent, so aim to detect
Network Security Attacks
One classification of network security attacks is in terms of passive and active attacks. Passive attacks are eavesdropping on, or monitoring of, transmissions to obtain information that is being transmitted. Two types of passive attacks are:
• Release of message contents - opponent learns contents of
sensitive transmissions (e.g. A telephone conversation, email
message, and a transferred file)
• Traffic analysis - can occur even when contents of
messages are masked, e.g. using encryption, but an opponent
can still observe the pattern of messages and determine
location and identity of communicating hosts, frequency and
length of messages being exchanged, and hence guess
nature of communications.
• Passive attacks are very difficult to detect because they do not
involve any alteration of the data. However, it is feasible to
prevent the success of these attacks, usually by means of
Network Security Attacks
Active attacks involve modification of data stream or
creation of false data:
• Masquerade - when one entity pretends to be
another. (e.g. authentication sequences can be
captured and replayed after a valid authentication
sequence has taken place, thus enabling an
authorized entity with few privileges to obtain extra
privileges by impersonating an entity that has those
privileges.)
• Replay involves the passive capture of data and
subsequent retransmission to produce an
unauthorized effect.
Network Security Attacks
• Modification of messages - a legitimate message is altered, delayed or reordered. (e.g. a message stating, “Allow Ram to read confidential file accounts” is modified to say, “Allow Shyam to read confidential file accounts.”)
• Denial of service - prevents or inhibits the normal use or management of communications facilities, or the disruption of an entire network (e.g. an entity may suppress all messages directed to a particular destination (e.g., the security audit service))
• It is quite difficult to prevent active attacks
absolutely. Instead, the goal is to detect them
and to recover from any disruption or delays
caused by them.
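The masquerade, replay and message-modification attacks described above, as an added example that is not code from the slides or the book: a receiver that authenticates every message with an HMAC over a fresh nonce, so the altered message (Ram changed to Shyam) fails the tag check and a captured genuine message fails the nonce check when it is retransmitted. The shared key, messages and names are constructed.

```python
"""Added example (not from the slides): detecting the active attacks
described above, modification of messages and replay, with a MAC and a
one-time nonce.  Key, messages and names are constructed."""
import hashlib
import hmac
import os

SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def protect(message: str, key: bytes = SHARED_KEY, nonce: bytes = b"") -> dict:
    """Sender side: attach a fresh random nonce and an HMAC-SHA256 tag over
    nonce||message so the receiver can check both integrity and freshness."""
    nonce = nonce or os.urandom(16)
    tag = hmac.new(key, nonce + message.encode(), hashlib.sha256).digest()
    return {"nonce": nonce, "message": message, "tag": tag}


class Receiver:
    """Receiver side: verifies the tag, then remembers every accepted nonce."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.seen_nonces = set()

    def accept(self, packet: dict) -> str:
        """Return 'ok', 'modified' or 'replayed' for one received packet."""
        expected = hmac.new(self.key, packet["nonce"] + packet["message"].encode(),
                            hashlib.sha256).digest()
        # Constant-time compare: any change to nonce or message breaks the tag.
        if not hmac.compare_digest(expected, packet["tag"]):
            return "modified"
        # A valid tag with a nonce we already accepted is a retransmission.
        if packet["nonce"] in self.seen_nonces:
            return "replayed"
        self.seen_nonces.add(packet["nonce"])
        return "ok"


def demo() -> list:
    """Walk through the slide's scenarios: a genuine message, the same
    message altered in transit ('Ram' -> 'Shyam'), and a replay of the
    captured genuine message."""
    rx = Receiver()
    genuine = protect("Allow Ram to read confidential file accounts")
    results = [rx.accept(genuine)]  # 'ok'
    tampered = dict(genuine, message="Allow Shyam to read confidential file accounts")
    results.append(rx.accept(tampered))  # 'modified': tag no longer matches
    results.append(rx.accept(genuine))   # 'replayed': nonce already seen
    return results
```

The nonce set lives only in memory here; a receiver that restarts would need to persist it or add a timestamp window, otherwise an old captured message becomes replayable again.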
Security Functional Requirements
• A number of ways of classifying and characterizing the countermeasures
• Technical measures:
  – access control; identification & authentication; system & communication protection; system & information integrity
• Management controls and procedures:
  – awareness & training; audit & accountability; certification, accreditation, & security assessments; contingency planning; maintenance; physical & environmental protection; planning; personnel security; risk assessment; systems & services acquisition
• Overlapping technical and management:
  – configuration management; incident response; media protection
X.800 Security Architecture
• X.800, Security Architecture for OSI
  – systematic way of defining requirements for security and characterizing approaches to satisfying them
• defines:
  – security attacks - compromise security
  – security mechanism - act to detect, prevent, recover from attack
  – security service - counter security attacks
Security Taxonomy (Scope)
At a top level of detail, an attacker, or group of attackers, achieves their objectives by performing attacks. An incident may consist of a single attack or multiple attacks, as illustrated by the return loop. The key elements are:
• Action: A step taken by a user or process in order to
achieve a result
• Target: A computer or network logical entity or
physical entity
• Event: An action directed at a target that is intended
to result in a change of state, or status, of the target
• Tool: A means of exploiting a computer or network
vulnerability
Security Taxonomy (Scope)
• Vulnerability: A weakness in a system allowing
unauthorized action
• Unauthorized result: An unauthorized consequence
of an event
• Attack: A series of steps taken by an attacker to
achieve an unauthorized result
• Attacker: An individual who attempts one or more
attacks in order to achieve an objective
• Objectives: The purpose or end goal of an incident
• Incident: a group of attacks that can be distinguished
from other attacks because of the distinctiveness of
the attackers, attacks, objectives, sites, and timing
Security Trends
Computer Security Losses
Security Technologies Used
Computer Security Strategy
• specification/policy
  – what is the security scheme supposed to do?
  – codify in policy and procedures
• implementation/mechanisms
  – how does it do it?
  – prevention, detection, response, recovery
• correctness/assurance
  – does it really work?
  – assurance, evaluation
Summary
• security concepts
• terminology
• functional requirements
• security architecture
• security trends
• security strategy
Review Questions
1. Define computer security.
2. What is the OSI security architecture?
3. What is the difference between passive and
active security threats?
4. List and briefly define categories of passive
and active network security attacks.
5. List and briefly define categories of security
services.
6. List and briefly define categories of security
mechanisms.
Solution
2. The OSI Security Architecture is a framework that provides a
systematic way of defining the requirements for security and
characterizing the approaches to satisfying those requirements.
The document defines security attacks, mechanisms, and
services, and the relationships among these categories.
3. Passive attacks have to do with eavesdropping on, or
monitoring, transmissions. Electronic mail, file transfers, and
client/server exchanges are examples of transmissions that can
be monitored. Active attacks include the modification of
transmitted data and attempts to gain unauthorized access to
computer systems.
4. Passive attacks: release of message contents and traffic
analysis. Active attacks: masquerade, replay, modification of
messages, and denial of service.
Solution
5. Authentication: The assurance that the communicating entity is the one that
it claims to be.
• Access control: The prevention of unauthorized use of a resource
(i.e., this service controls who can have access to a resource, under what
conditions access can occur, and what those accessing the resource are
allowed to do).
• Data confidentiality: The protection of data from unauthorized
disclosure.
• Data integrity: The assurance that data received are exactly as sent
by an authorized entity (i.e., contain no modification, insertion, deletion, or
replay).
• Nonrepudiation: Provides protection against denial by one of the
entities involved in a communication of having participated in all or part of
the communication.
• Availability service: The property of a system or a system resource
being accessible and usable upon demand by an authorized system entity,
according to performance specifications for the system (i.e., a system is
available if it provides services according to the system design whenever
users request them).
Solution-Q-6
