0% found this document useful (0 votes)
3 views

COMP416 Information Security Introduction 164851

The document outlines the foundations of information security, emphasizing key concepts such as confidentiality, integrity, and availability (CIA triad). It discusses the definitions of computer security, threats, vulnerabilities, and countermeasures, along with the importance of managing risks. Additionally, it highlights the challenges of computer security and the need for constant monitoring and effective security policies.

Uploaded by

nusman955
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
3 views

COMP416 Information Security Introduction 164851

The document outlines the foundations of information security, emphasizing key concepts such as confidentiality, integrity, and availability (CIA triad). It discusses the definitions of computer security, threats, vulnerabilities, and countermeasures, along with the importance of managing risks. Additionally, it highlights the challenges of computer security and the need for constant monitoring and effective security policies.

Uploaded by

nusman955
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 32

Information Security

LECTURE#01
Muhammad Yousif
Department of Computer Science (CS)
Minhaj Univeristy
[email protected]
Information Security Foundations

 Outline

Computer Security Concepts


Threats, Attacks, and Assets
Security Functional Requirements
Basic Definitions

What is security?
 According to a dictionary, security is the “freedom
from risk or danger”
 In practice, 100% security is unachievable
 Not about completely preventing loss, but about managing it
A definition of computer security

 Computer security: The protection afforded to an


automated information system in order to attain the
applicable objectives of preserving the integrity,
availability and confidentiality of information system
resources (includes hardware, software, firmware,
information/data, and telecommunications)
NIST 1995
How ?
How ?
Three key objectives (the CIA triad)
 Confidentiality
 Data confidentiality: Assures that confidential information is not disclosed to
unauthorized individuals
 Privacy: Assures that individual control or influence what information may be
collected and stored
 Integrity
 Data integrity: assures that information and programs are changed only in a specified
and authorized manner
 System integrity: Assures that a system performs its operations in unimpaired manner
 Availability: assure that systems works promptly and service is not denied to authorized
users
Key Security Concepts
Other concepts to a complete security picture

 Authenticity: the property of being genuine and being


able to be verified and trusted; confident in the
validity of a transmission, or a message, or its
originator
 Accountability: generates the requirement for actions
of an entity to be traced uniquely to that individual to
support nonrepudiation, deference, fault isolation, etc
Levels of security breach impact

 Low:the loss will have a limited impact, e.g., a degradation in mission


or minor damage or minor financial loss or minor harm
 Moderate: theloss has a serious effect, e.g., significance degradation on
mission or significant harm to individuals but no loss of life or
threatening injuries
 High:
the loss has severe or catastrophic adverse effect on operations,
organizational assets or on individuals (e.g., loss of life)
Examples of security requirements: Confidentiality

 Student grade information is an asset whose confidentiality is


considered to be very high
 The US FERPA Act: grades should only be available to students,
their parents, and their employers (when required for the job)
 Student enrollment information: may have moderate
confidentiality rating; less damage if enclosed
 Directory information: low confidentiality rating; often available
publicly
Examples of security requirements: Integrity

 A hospital patient’s allergy information (high integrity data): a


doctor should be able to trust that the info is correct and current
 If a nurse deliberately falsifies the data, the database should be
restored to a trusted basis and the falsified information traced
back to the person who did it
 An online newsgroup registration data: moderate level of integrity
 An example of low integrity requirement: anonymous online poll
(inaccuracy is well understood)
Examples of security requirements:
Availability

 A system that provides authentication: high availability requirement


 If customers cannot access resources, the loss of services could
result in financial loss
 A public website for a university: a moderate availably requirement;
not critical but causes embarrassment
 An online telephone directory lookup: a low availability requirement
because unavailability is mostly annoyance (there are alternative
sources)
Challenges of computer security

1. Computer security is not simple


2. One must consider potential (unexpected) attacks
3. Procedures used are often counter-intuitive
4. Must decide where to deploy mechanisms
5. Involve algorithms and secret info (keys)
6. A battle of wits between attacker / admin
7. It is not perceived on benefit until fails
8. Requires constant monitoring
9. Too often an after-thought (not integral)
10. Regarded as impediment to using system
Computer security terminology

 Adversary (threat agent) An entity that attacks, or is a threat to, a system


 Attack An assault on system security that derives from an intelligent threat; that
is, an intelligent act that is a deliberate attempt (especially in the sense of a
method or technique) to evade security services and violate the security policy of
a system. .
 Countermeasure An action, device, procedure, or technique that reduces a
threat, a vulnerability, or an attack by eliminating or preventing it, by
minimizing the harm it can cause, or by discovering and reporting it so that
corrective action can be taken.
Computer Security Terminology

 Risk An expectation of loss expressed as the probability that a particular threat will
exploit a particular vulnerability with a particular harmful result.
 Security Policy A set of rules and practices that specify or regulate how a system or
organization provides security services to protect sensitive and critical system
resources.
 System Resource (Asset) Data contained in an information system; or a service
provided by a system; or a system capability, such as processing power or
communication bandwidth; or an item of system equipment (i.e., a system
component— hardware, firmware, software, or documentation); or a facility that
houses system operations and equipment.
Threats

 A threat is a person or an entity that can harm you A threat can be


malicious or malignant
 Malicious: intending to hurt you
 Malignant: harmful, but no intent to hurt you
Vulnerabilities

 A vulnerability is a weakness that allows a threat to exploit you


Countermeasures

 A countermeasure is a precaution taken by you


Reduces your vulnerability
 Different types: physical, technical, operational,
personnel
Value

 Value measures the loss you can experience


 Easy to measure for hardware or other objects Much more
difficult to do so for information and reputation
Risk

 Risk measures your exposure to danger


 Basically, it is the potential or expected loss
 Combines the concepts mentioned before:

. .
Threat × Vulnerability
Risk = × Value
Countermeasures
Threat consequences

 Unauthorized disclosure: threat to confidentiality


 Exposure (release data), interception, inference, intrusion
 Deception: threat to integrity
 Masquerade, falsification (alter data), repudiation

 Disruption: threat to integrity and availability


 Incapacitation (destruction), corruption (backdoor logic), obstruction (infer
with communication, overload a line)
 Usurpation: threat to integrity
 Misappropriation (theft of service), misuse (hacker gaining unauthorized
access)
Threats & Consequences
Conti’:
Examples of threats

You might also like