SlideShare a Scribd company logo

Technical seminar on Security

Download as PPT, PDF
STS , profile picture
STS

The document discusses computer security, including its objectives of secrecy, availability, and integrity. It covers security policies, threats like intercepted emails and unauthorized access. The goals of security are outlined as data confidentiality, integrity, and availability. Security mechanisms are used to provide services like confidentiality, integrity, authentication, and access control. Both passive attacks like interception and active attacks like modification are described. The document also discusses security classification, attacks, and tools to achieve security like encryption, public key cryptography, secure communication channels, firewalls, and proxies. It notes the tension between security and other values like ease of use and public safety.

Education
1 of 43
Downloaded 24 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
Security
Security Objectives Secrecy Prevent/detect/deter improper Disclosure of information Availability Prevent/detect/deter improper Denial of access to services IntegrityPrevent/detect/deter Improper modification of information
Policy Organizational policyOrganizational policy Information systems policyInformation systems policy
Security Overview Many fears to overcome Intercepted e-mail messages Unauthorized access to digital intelligence Credit card information falling into the wrong hands Two types of computer security Physical - protection of tangible objects Logical - protection of non-physical objects
What is security? Dictionary Definition: protection or defense against attack, interference, espionage, etc System correctness Good input ⇒ Good output Security Bad input ⇒ Bad output
Goals of Security DATA Integrity DATA Availability DATA Confidentiality
Aspects of Security consider 3 aspects of information security: security attack security mechanism (control) security service note terms threat – a potential for violation of security vulnerability – a way by which loss can happen attack – an assault on system security, a deliberate attempt to evade security services
Computer Security Classification SECURITY SERVICESSECURITY SERVICES DATA CONFIDENTIALITY DATA CONFIDENTIALITY DATA INTEGRITY DATA INTEGRITY AUTHENTICATIONAUTHENTICATION NONREPUDIATIONNONREPUDIATION ACCESS CONTROL ACCESS CONTROL
Computer Security Classification 1. ENCIPHERMENT 2. DATA INTEGRITY 3. DIGITAL SIGNATURE 4. AUTHENTICATION EXCHANGE 5. TRAFFIC PADDING 6. ROUTING CONTROL 7. NOTARIZATION 8. ACCESS CONTROL 1. ENCIPHERMENT 2. DATA INTEGRITY 3. DIGITAL SIGNATURE 4. AUTHENTICATION EXCHANGE 5. TRAFFIC PADDING 6. ROUTING CONTROL 7. NOTARIZATION 8. ACCESS CONTROL SECURITY MECHANISM SECURITY MECHANISM -To provide the services. - A method, tools or procedure for enforcing a security policy. DATA CONFIDENTIALITY DATA INTEGRITY AUTHENTICATION NONREPUDIATION ACCESS CONTROL 1,3,4 2,3,7 1,2,3 8 1
SECURITY ATTACKS PASSIVE ATTACKS ACTIVE ATTACKS Interception Traffic Analysis Interruption Fabrication Replay Modification
Passive Attack - Interception
Passive Attack: Traffic Analysis Observe traffic pattern
Active Attack: Interruption Block delivery of message
Active Attack: Fabrication Fabricate message
Active Attack: Replay
Active Attack: Modification Modify message
Handling Attacks Passive attacks – focus on Prevention Easy to stop Hard to detect Active attacks – focus on Detection and Recovery Hard to stop Easy to detect
System AttackerAlice General picture Security is about Honest user (e.g., Alice, Bob, …) Dishonest Attacker How the Attacker Disrupts honest user’s use of the system (Integrity, Availability) Learns information intended for Alice only (Confidentiality)
Databases and data security It’s your data – are you sure it’s safe?
Network Attacker Intercepts and controls network communication Alice System Network security
Web Attacker Sets up malicious site visited by victim; no control of network Alice System Web security
OS Attacker Controls malicious files and applications Alice Operating system security
System AttackerAlice Confidentiality : Attacker does not learn Alice’s secrets Integrity : Attacker does not undetectably corrupt system’s function for Alice Availability : Attacker does not keep system from being useful to Alice
How Viruses and Worms Spread
25 Defending Against Viruses and Worms Keys to protecting PCs Don’t open e-mails or IM attachments unless they are expected and have been inspected by antivirus software Keep up with software patches for your system Use caution when exploring Web sites Avoid software from untrusted sources Stay away from file-sharing networks
WHY INTERNET IS DIFFERENT? Paper-Based Commerce Electronic Commerce Signed paper Documents Digital Signature Person-to-person Electronic via Website Physical Payment System Electronic Payment System Merchant-customer Face-to-face Face-to-face Absence Easy Detectability of modification Difficult Detectability Easy Negotiability Special Security Protocol
Specific Elements of a Security Policy Authentication Who is trying to access the site? Access Control Who is allowed to logon and access the site? Secrecy Who is permitted to view selected information Data integrity Who is allowed to change data? Audit What and who causes selected events to occur, and when?
Three components to security Three perspectives User’s point of view Server’s point of view Both parties Three parts Client-side security Server-side security Document confidentiality
Client-side security Measures to protect the user’s privacy and the integrity of his computer Example technological solutions Protection from computer viruses and other malicious software Limit the amount of personal information that browser’s can transmit without the user’s consent Any others?
Server-side security Measures to protect the server and the machine it runs from break-ins, site vandalism, and denial-of-service attacks. Solutions range installing firewall systems tightening operating systems security measures
Document confidentiality Measures to protect private information from being disclosed to third parties. Example risks: Solutions range Password to identify users Cryptography
Tools Available to Achieve Site Security
Encryption  Transforms plain text or data into cipher text that cannot be read by anyone outside of the sender and the receiver. Purpose:  to secure stored information  to secure information transmission.  Cipher text  text that has been encrypted and thus cannot be read by anyone besides the sender and the receiver  Symmetric Key Encryption  DES standard most widely used
Encryption  Public key cryptography uses two mathematically related digital keys: a public key and a private key.  The private key is kept secret by the owner, and the public key is widely disseminated.  Both keys can be used to encrypt and decrypt a message.  A key used to encrypt a message, cannot be used to unencrypt the message
Public Key Cryptography - A Simple Case
Public Key Cryptography with Digital Signatures
Public Key Cryptography: Creating a Digital Envelope
Securing Channels of Communications  Secure Sockets Layer (SSL) is the most common form of securing channels  Secure negotiated session client-server session where the requested document URL, contents, forms, and cookies are encrypted.  Session key is a unique symmetric encryption key chosen for a single secure session
Securing Channels of Communications  Secure Hypertext Transfer Protocol (S-HTTP) secure message-oriented communications protocol for use with HTTP.  Virtual Private Networks (VPN) remote users can securely access internal networks via Point-to-Point Tunneling Protocol (PPTP)
Secure Negotiated Sessions Using SSL
Protecting Networks  Firewalls software applications that act as a filter between a private network and the Internet  Proxy server server that handles all communications originating from or being sent to the Internet, acting as a spokesperson or bodyguard for the organization
Tension Between Security and Other Values Ease of use  Often security slows down processors and adds significantly to data storage demands. Too much security can harm profitability; not enough can mean going out of business.  Public Safety & Criminal Use  claims of individuals to act anonymously vs. needs of public officials to maintain public safety in light of criminals or terrorists.
Why Care?  Online banking, trading, purchasing may be insecure Credit card and identity theft  Personal files could be corrupted All school work, music, videos, etc. may be lost  Computer may become too slow to run If you aren't part of the solution you are part of the problem  Pwn2Own contest - 2008 Mac (Leopard) fell first via Safari, Vista took time but was hacked via Flash Player, Ubuntu stood ground.  Upon discovery, vulnerabilities can be used against many computers connected to the internet. 43

More Related Content

What's hot (20)

PPTX
Information risk management
Akash Saraswat
 
PPTX
System security
invertis university
 
PPT
Chapter2 the need to security
Dhani Ahmad
 
PPT
Computer security overview
CAS
 
PPT
Chapter 01
nathanurag
 
PDF
Ch14
Francis Alamina
 
PPT
Information security management
UMaine
 
PPT
Symmetric and Asymmetric Encryption.ppt
HassanAli980906
 
PPT
Introduction to Cyber Security
Stephen Lahanas
 
PPTX
Information Security Lecture #1 ppt
vasanthimuniasamy
 
PPTX
Principles of public key cryptography and its Uses
Mohsin Ali
 
PPT
Basics of Information System Security
chauhankapil
 
PPTX
Cyber kill chain
Ankita Ganguly
 
PDF
Awareness Security Session 2023 v1.0.pptx.pdf
AbdullahKanash
 
PPTX
Computer security concepts
Prachi Gulihar
 
PPT
Legal, Ethical and professional issues in Information Security
Gamentortc
 
PDF
An overview of access control
Elimity
 
PPTX
Email security
Baliram Yadav
 
PDF
Network security - OSI Security Architecture
BharathiKrishna6
 
PPTX
A Career in Cybersecurity
lfh663
 
Information risk management
Akash Saraswat
 
System security
invertis university
 
Chapter2 the need to security
Dhani Ahmad
 
Computer security overview
CAS
 
Chapter 01
nathanurag
 
Ch14
Francis Alamina
 
Information security management
UMaine
 
Symmetric and Asymmetric Encryption.ppt
HassanAli980906
 
Introduction to Cyber Security
Stephen Lahanas
 
Information Security Lecture #1 ppt
vasanthimuniasamy
 
Principles of public key cryptography and its Uses
Mohsin Ali
 
Basics of Information System Security
chauhankapil
 
Cyber kill chain
Ankita Ganguly
 
Awareness Security Session 2023 v1.0.pptx.pdf
AbdullahKanash
 
Computer security concepts
Prachi Gulihar
 
Legal, Ethical and professional issues in Information Security
Gamentortc
 
An overview of access control
Elimity
 
Email security
Baliram Yadav
 
Network security - OSI Security Architecture
BharathiKrishna6
 
A Career in Cybersecurity
lfh663
 

Viewers also liked (10)

PPTX
Plan your security
Accord Group
 
PPTX
Integrated Physical Security
John N. Motlagh
 
DOCX
SOLAR TREE technical seminar report doc
Mohsin Khan
 
PPTX
Direct to home(DTH) Technical seminar
ram mettu
 
PPTX
Technical seminar power humps
Maltesh4jn10me051
 
PPT
Module 10 Physical Security
leminhvuong
 
PPS
Physical security.ppt
Faheem Ul Hasan
 
PPT
Network Security 1st Lecture
babak danyal
 
PPSX
6 Physical Security
Alfred Ouyang
 
PDF
Physical Security Presentation
Wajahat Rajab
 
Plan your security
Accord Group
 
Integrated Physical Security
John N. Motlagh
 
SOLAR TREE technical seminar report doc
Mohsin Khan
 
Direct to home(DTH) Technical seminar
ram mettu
 
Technical seminar power humps
Maltesh4jn10me051
 
Module 10 Physical Security
leminhvuong
 
Physical security.ppt
Faheem Ul Hasan
 
Network Security 1st Lecture
babak danyal
 
6 Physical Security
Alfred Ouyang
 
Physical Security Presentation
Wajahat Rajab
 
Ad

Similar to Technical seminar on Security (20)

PPTX
COMPUTER AND NETWORK SECURITY.pptx
DebmalyaSingha
 
PPT
Dos and Dont to be followed to protect information and technology
ssuser3baba2
 
PPTX
Cyber Security
RahulKirtoniya
 
PPT
Security And Ethical Challenges Of Infornation Technology
paramalways
 
PPTX
Introduction to information security
jayashri kolekar
 
PPT
Essentials Of Security
xsy
 
PPT
Basics of IT security
Dr. Ramkumar Lakshminarayanan
 
PPTX
Cyber security
Bablu Shofi
 
PDF
Windows 10: Windows 10 de ITPros a ITPros
Juan Ignacio Oller Aznar
 
PDF
Top Cyber Security Interview Questions and Answers 2022.pdf
Careerera
 
PPT
Security communication
Say Shyong
 
PPTX
Data security
Soumen Mondal
 
PPTX
Lecture2-InforSec-Computer and Internet security.pptx
markhorid1
 
PPTX
E comm jatin
Jatin Mandhyan
 
PPT
Objective 5 legal consideration in NIS.ppt
ZariabJohn
 
PPTX
Security for e commerce
Mohsin Ahmad
 
PPTX
Website security
RIPPER95
 
PPTX
What-is-Cyber-Security (2).pptxfile cybe
mishrasaket1028
 
DOCX
CCS354-NETWORK SECURITY-network-security notes
Kirubaburi R
 
PPTX
information security awareness course
Abdul Manaf Vellakodath
 
COMPUTER AND NETWORK SECURITY.pptx
DebmalyaSingha
 
Dos and Dont to be followed to protect information and technology
ssuser3baba2
 
Cyber Security
RahulKirtoniya
 
Security And Ethical Challenges Of Infornation Technology
paramalways
 
Introduction to information security
jayashri kolekar
 
Essentials Of Security
xsy
 
Basics of IT security
Dr. Ramkumar Lakshminarayanan
 
Cyber security
Bablu Shofi
 
Windows 10: Windows 10 de ITPros a ITPros
Juan Ignacio Oller Aznar
 
Top Cyber Security Interview Questions and Answers 2022.pdf
Careerera
 
Security communication
Say Shyong
 
Data security
Soumen Mondal
 
Lecture2-InforSec-Computer and Internet security.pptx
markhorid1
 
E comm jatin
Jatin Mandhyan
 
Objective 5 legal consideration in NIS.ppt
ZariabJohn
 
Security for e commerce
Mohsin Ahmad
 
Website security
RIPPER95
 
What-is-Cyber-Security (2).pptxfile cybe
mishrasaket1028
 
CCS354-NETWORK SECURITY-network-security notes
Kirubaburi R
 
information security awareness course
Abdul Manaf Vellakodath
 
Ad

Recently uploaded (20)

PDF
Right to Information.pdf by Sapna Maurya XI D
Directorate of Education Delhi
 
PPTX
HEALTH CARE DELIVERY SYSTEM - UNIT 2 - GNM 3RD YEAR.pptx
Priyanshu Anand
 
PPTX
Command Palatte in Odoo 18.1 Spreadsheet - Odoo Slides
Celine George
 
PDF
TOP 10 AI TOOLS YOU MUST LEARN TO SURVIVE IN 2025 AND ABOVE
digilearnings.com
 
PPTX
DIARRHOEA & DEHYDRATION: NURSING MANAGEMENT.pptx
PRADEEP ABOTHU
 
PPTX
INTESTINAL OBSTRUCTION: NURSING MANAGEMENT.pptx
PRADEEP ABOTHU
 
PPTX
Top 10 AI Tools, Like ChatGPT. You Must Learn In 2025
Digilearnings
 
PPTX
FAMILY HEALTH NURSING CARE - UNIT 5 - CHN 1 - GNM 1ST YEAR.pptx
Priyanshu Anand
 
PDF
Stepwise procedure (Manually Submitted & Un Attended) Medical Devices Cases
MUHAMMAD SOHAIL
 
PPTX
Electrophysiology_of_Heart. Electrophysiology studies in Cardiovascular syste...
Rajshri Ghogare
 
PPTX
Digital Professionalism and Interpersonal Competence
rutvikgediya1
 
PPTX
Artificial Intelligence in Gastroentrology: Advancements and Future Presprec...
AyanHossain
 
PPTX
20250924 Navigating the Future: How to tell the difference between an emergen...
McGuinness Institute
 
PDF
FULL DOCUMENT: Read the full Deloitte and Touche audit report on the National...
Kweku Zurek
 
PPTX
Constitutional Design Civics Class 9.pptx
bikesh692
 
PPTX
Virus sequence retrieval from NCBI database
yamunaK13
 
PPTX
Introduction to pediatric nursing in 5th Sem..pptx
AneetaSharma15
 
PPTX
Continental Accounting in Odoo 18 - Odoo Slides
Celine George
 
PPTX
Various Psychological tests: challenges and contemporary trends in psychologi...
santoshmohalik1
 
PPTX
10CLA Term 3 Week 4 Study Techniques.pptx
mansk2
 
Right to Information.pdf by Sapna Maurya XI D
Directorate of Education Delhi
 
HEALTH CARE DELIVERY SYSTEM - UNIT 2 - GNM 3RD YEAR.pptx
Priyanshu Anand
 
Command Palatte in Odoo 18.1 Spreadsheet - Odoo Slides
Celine George
 
TOP 10 AI TOOLS YOU MUST LEARN TO SURVIVE IN 2025 AND ABOVE
digilearnings.com
 
DIARRHOEA & DEHYDRATION: NURSING MANAGEMENT.pptx
PRADEEP ABOTHU
 
INTESTINAL OBSTRUCTION: NURSING MANAGEMENT.pptx
PRADEEP ABOTHU
 
Top 10 AI Tools, Like ChatGPT. You Must Learn In 2025
Digilearnings
 
FAMILY HEALTH NURSING CARE - UNIT 5 - CHN 1 - GNM 1ST YEAR.pptx
Priyanshu Anand
 
Stepwise procedure (Manually Submitted & Un Attended) Medical Devices Cases
MUHAMMAD SOHAIL
 
Electrophysiology_of_Heart. Electrophysiology studies in Cardiovascular syste...
Rajshri Ghogare
 
Digital Professionalism and Interpersonal Competence
rutvikgediya1
 
Artificial Intelligence in Gastroentrology: Advancements and Future Presprec...
AyanHossain
 
20250924 Navigating the Future: How to tell the difference between an emergen...
McGuinness Institute
 
FULL DOCUMENT: Read the full Deloitte and Touche audit report on the National...
Kweku Zurek
 
Constitutional Design Civics Class 9.pptx
bikesh692
 
Virus sequence retrieval from NCBI database
yamunaK13
 
Introduction to pediatric nursing in 5th Sem..pptx
AneetaSharma15
 
Continental Accounting in Odoo 18 - Odoo Slides
Celine George
 
Various Psychological tests: challenges and contemporary trends in psychologi...
santoshmohalik1
 
10CLA Term 3 Week 4 Study Techniques.pptx
mansk2
 

Technical seminar on Security

  • 2. Security Objectives Secrecy Prevent/detect/deter improper Disclosure of information Availability Prevent/detect/deter improper Denial of access to services IntegrityPrevent/detect/deter Improper modification of information
  • 3. Policy Organizational policyOrganizational policy Information systems policyInformation systems policy
  • 4. Security Overview Many fears to overcome Intercepted e-mail messages Unauthorized access to digital intelligence Credit card information falling into the wrong hands Two types of computer security Physical - protection of tangible objects Logical - protection of non-physical objects
  • 5. What is security? Dictionary Definition: protection or defense against attack, interference, espionage, etc System correctness Good input ⇒ Good output Security Bad input ⇒ Bad output
  • 7. Aspects of Security consider 3 aspects of information security: security attack security mechanism (control) security service note terms threat – a potential for violation of security vulnerability – a way by which loss can happen attack – an assault on system security, a deliberate attempt to evade security services
  • 8. Computer Security Classification SECURITY SERVICESSECURITY SERVICES DATA CONFIDENTIALITY DATA CONFIDENTIALITY DATA INTEGRITY DATA INTEGRITY AUTHENTICATIONAUTHENTICATION NONREPUDIATIONNONREPUDIATION ACCESS CONTROL ACCESS CONTROL
  • 9. Computer Security Classification 1. ENCIPHERMENT 2. DATA INTEGRITY 3. DIGITAL SIGNATURE 4. AUTHENTICATION EXCHANGE 5. TRAFFIC PADDING 6. ROUTING CONTROL 7. NOTARIZATION 8. ACCESS CONTROL 1. ENCIPHERMENT 2. DATA INTEGRITY 3. DIGITAL SIGNATURE 4. AUTHENTICATION EXCHANGE 5. TRAFFIC PADDING 6. ROUTING CONTROL 7. NOTARIZATION 8. ACCESS CONTROL SECURITY MECHANISM SECURITY MECHANISM -To provide the services. - A method, tools or procedure for enforcing a security policy. DATA CONFIDENTIALITY DATA INTEGRITY AUTHENTICATION NONREPUDIATION ACCESS CONTROL 1,3,4 2,3,7 1,2,3 8 1
  • 11. Passive Attack - Interception
  • 12. Passive Attack: Traffic Analysis Observe traffic pattern
  • 13. Active Attack: Interruption Block delivery of message
  • 17. Handling Attacks Passive attacks – focus on Prevention Easy to stop Hard to detect Active attacks – focus on Detection and Recovery Hard to stop Easy to detect
  • 18. System AttackerAlice General picture Security is about Honest user (e.g., Alice, Bob, …) Dishonest Attacker How the Attacker Disrupts honest user’s use of the system (Integrity, Availability) Learns information intended for Alice only (Confidentiality)
  • 19. Databases and data security It’s your data – are you sure it’s safe?
  • 21. Web Attacker Sets up malicious site visited by victim; no control of network Alice System Web security
  • 23. System AttackerAlice Confidentiality : Attacker does not learn Alice’s secrets Integrity : Attacker does not undetectably corrupt system’s function for Alice Availability : Attacker does not keep system from being useful to Alice
  • 24. How Viruses and Worms Spread
  • 25. 25 Defending Against Viruses and Worms Keys to protecting PCs Don’t open e-mails or IM attachments unless they are expected and have been inspected by antivirus software Keep up with software patches for your system Use caution when exploring Web sites Avoid software from untrusted sources Stay away from file-sharing networks
  • 26. WHY INTERNET IS DIFFERENT? Paper-Based Commerce Electronic Commerce Signed paper Documents Digital Signature Person-to-person Electronic via Website Physical Payment System Electronic Payment System Merchant-customer Face-to-face Face-to-face Absence Easy Detectability of modification Difficult Detectability Easy Negotiability Special Security Protocol
  • 27. Specific Elements of a Security Policy Authentication Who is trying to access the site? Access Control Who is allowed to logon and access the site? Secrecy Who is permitted to view selected information Data integrity Who is allowed to change data? Audit What and who causes selected events to occur, and when?
  • 28. Three components to security Three perspectives User’s point of view Server’s point of view Both parties Three parts Client-side security Server-side security Document confidentiality
  • 29. Client-side security Measures to protect the user’s privacy and the integrity of his computer Example technological solutions Protection from computer viruses and other malicious software Limit the amount of personal information that browser’s can transmit without the user’s consent Any others?
  • 30. Server-side security Measures to protect the server and the machine it runs from break-ins, site vandalism, and denial-of-service attacks. Solutions range installing firewall systems tightening operating systems security measures
  • 31. Document confidentiality Measures to protect private information from being disclosed to third parties. Example risks: Solutions range Password to identify users Cryptography
  • 32. Tools Available to Achieve Site Security
  • 33. Encryption  Transforms plain text or data into cipher text that cannot be read by anyone outside of the sender and the receiver. Purpose:  to secure stored information  to secure information transmission.  Cipher text  text that has been encrypted and thus cannot be read by anyone besides the sender and the receiver  Symmetric Key Encryption  DES standard most widely used
  • 34. Encryption  Public key cryptography uses two mathematically related digital keys: a public key and a private key.  The private key is kept secret by the owner, and the public key is widely disseminated.  Both keys can be used to encrypt and decrypt a message.  A key used to encrypt a message, cannot be used to unencrypt the message
  • 35. Public Key Cryptography - A Simple Case
  • 36. Public Key Cryptography with Digital Signatures
  • 37. Public Key Cryptography: Creating a Digital Envelope
  • 38. Securing Channels of Communications  Secure Sockets Layer (SSL) is the most common form of securing channels  Secure negotiated session client-server session where the requested document URL, contents, forms, and cookies are encrypted.  Session key is a unique symmetric encryption key chosen for a single secure session
  • 39. Securing Channels of Communications  Secure Hypertext Transfer Protocol (S-HTTP) secure message-oriented communications protocol for use with HTTP.  Virtual Private Networks (VPN) remote users can securely access internal networks via Point-to-Point Tunneling Protocol (PPTP)
  • 41. Protecting Networks  Firewalls software applications that act as a filter between a private network and the Internet  Proxy server server that handles all communications originating from or being sent to the Internet, acting as a spokesperson or bodyguard for the organization
  • 42. Tension Between Security and Other Values Ease of use  Often security slows down processors and adds significantly to data storage demands. Too much security can harm profitability; not enough can mean going out of business.  Public Safety & Criminal Use  claims of individuals to act anonymously vs. needs of public officials to maintain public safety in light of criminals or terrorists.
  • 43. Why Care?  Online banking, trading, purchasing may be insecure Credit card and identity theft  Personal files could be corrupted All school work, music, videos, etc. may be lost  Computer may become too slow to run If you aren't part of the solution you are part of the problem  Pwn2Own contest - 2008 Mac (Leopard) fell first via Safari, Vista took time but was hacked via Flash Player, Ubuntu stood ground.  Upon discovery, vulnerabilities can be used against many computers connected to the internet. 43

Editor's Notes

  • #8: The OSI security architecture focuses on security attacks, mechanisms, and services. These can be defined briefly as follows: • Security attack: Any action that compromises the security of information owned by an organization. • Security mechanism: A process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack. • Security service: A processing or communication service that enhances the security of the data processing systems and the information transfers of an organization. The services are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service. In the literature, the terms threat and attack are commonly used to mean more or less the same thing. Table 1.1 provides definitions taken from RFC 2828, Internet Security Glossary. Threat - A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability. Attack - An assault on system security that derives from an intelligent threat; that is, an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system.
  • #12: A useful means of classifying security attacks, used both in X.800 and RFC 2828, is in terms of passive attacks and active attacks. A passive attack attempts to learn or make use of information from the system but does not affect system resources. Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted. Two types of passive attacks are: + release of message contents - as shown above in Stallings Figure 1.2a here + traffic analysis - monitor traffic flow to determine location and identity of communicating hosts and could observe the frequency and length of messages being exchanged These attacks are difficult to detect because they do not involve any alteration of the data.
  • #13: A useful means of classifying security attacks, used both in X.800 and RFC 2828, is in terms of passive attacks and active attacks. A passive attack attempts to learn or make use of information from the system but does not affect system resources. Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted. Two types of passive attacks are: + release of message contents - as shown above in Stallings Figure 1.2a here + traffic analysis - monitor traffic flow to determine location and identity of communicating hosts and could observe the frequency and length of messages being exchanged These attacks are difficult to detect because they do not involve any alteration of the data.
  • #14: A useful means of classifying security attacks, used both in X.800 and RFC 2828, is in terms of passive attacks and active attacks. A passive attack attempts to learn or make use of information from the system but does not affect system resources. Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted. Two types of passive attacks are: + release of message contents - as shown above in Stallings Figure 1.2a here + traffic analysis - monitor traffic flow to determine location and identity of communicating hosts and could observe the frequency and length of messages being exchanged These attacks are difficult to detect because they do not involve any alteration of the data.
  • #15: A useful means of classifying security attacks, used both in X.800 and RFC 2828, is in terms of passive attacks and active attacks. A passive attack attempts to learn or make use of information from the system but does not affect system resources. Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted. Two types of passive attacks are: + release of message contents - as shown above in Stallings Figure 1.2a here + traffic analysis - monitor traffic flow to determine location and identity of communicating hosts and could observe the frequency and length of messages being exchanged These attacks are difficult to detect because they do not involve any alteration of the data.
  • #16: Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories: masquerade, replay, modification of messages, and denial of service: masquerade of one entity as some other replay previous messages (as shown above in Stallings Figure 1.3b) modify/alter (part of) messages in transit to produce an unauthorized effect denial of service - prevents or inhibits the normal use or management of communications facilities Active attacks present the opposite characteristics of passive attacks. Whereas passive attacks are difficult to detect, measures are available to prevent their success. On the other hand, it is quite difficult to prevent active attacks absolutely, because of the wide variety of potential physical, software, and network vulnerabilities. Instead, the goal is to detect active attacks and to recover from any disruption or delays caused by them.
  • #17: Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories: masquerade, replay, modification of messages, and denial of service: masquerade of one entity as some other replay previous messages (as shown above in Stallings Figure 1.3b) modify/alter (part of) messages in transit to produce an unauthorized effect denial of service - prevents or inhibits the normal use or management of communications facilities Active attacks present the opposite characteristics of passive attacks. Whereas passive attacks are difficult to detect, measures are available to prevent their success. On the other hand, it is quite difficult to prevent active attacks absolutely, because of the wide variety of potential physical, software, and network vulnerabilities. Instead, the goal is to detect active attacks and to recover from any disruption or delays caused by them.
  • #18: Consider the role of a security service, and what may be required. Note both similarities and differences with traditional paper documents, which for example: have signatures & dates; need protection from disclosure, tampering, or destruction; may be notarized or witnessed; may be recorded or licensed