Information Security: Terminology

1
Information Security Terminology
2

• This course is part of the SCU Information
  Assurance curriculum which was recently certified
  by the Committee on National Systems Security of
  the National Security Agency as meeting the
  standards of the National INFOSEC Education and
  Training Program.
• http//www.nsa.gov/ia/academia/iace.cfm

3
Reading Assignment

• Read section 3 of faq http//www.w3.org/Security/
  Faq/
• CERT is a coordination center for Internet
  security operated by Carnegie Mellon. Read CERT
  article on security http//www.cert.org/encyc_art
  icle/tocencyc.html

4
Terminology Overview

• Attacks, Services and Mechanisms
• Security Services
• Threats, Attacks and Vulnerabilities
• Security Policies and Mechanisms for Defense
• Readings, standards, etc.

5
Definitions

• Security Attack Any action that compromises the
  security of information.
• Security Mechanism A mechanism that is designed
  to detect, prevent, or recover from a security
  attack.
• Security Service A service that enhances the
  security of data processing systems and
  information transfers. A security service makes
  use of one or more security mechanisms.

6
Security Services (Goals)

• Confidentiality concealment of information or
  resources. Includes whether or not data exists.
  Implies authorization so that only authorized
  people can access confidential data.

7
Security Services (cont)

• Integrity the trustworthiness and the
  correctness of data or resources. Usually in
  terms of preventing improper or unauthorized
  change. Can have several types of integrity
  data integrity and origin integrity (was the
  email spoofed?). Two types of integrity services
  prevention and detection.

8
Security Services (cont)

• Availability the ability of authorized entities
  to use the information or resource. Denial of
  service attacks inhibit this service
• Confidentiality, Integrity, Availability

9
Vulnerabilities, Threats and Attacks

• A vulnerability is a weakness in the system that
  might be exploited to cause loss or harm (and a
  violation of security services).
• A threat is a potential violation of security.
  Security services counter threats.
• An attack is the actual attempt to violate
  security. It is the manifestation of the threat.

10
Classifying Threats/Attacks
11
Types of Threats/Attacks

• Interruption This is an attack on availability
• Interception This is an attack on
  confidentiality
• Modification This is an attack on integrity
• Fabrication This is an attack on integrity

12
Additional Threats/Attacks

• Repudiation of origin a false denial that an
  entity sent or created something (I didnt send
  that order to but Enron stock the day before it
  crashed). Attack on integrity
• Denial of receipt a false denial that an entity
  received some information or message. (I didnt
  receive the diamond shipment). Attack on
  integrity and availability.
• Denial of Service long term inhibition of
  information or service. Attack on availability.

13
Passive and Active Threats
14
Security Policy and Mechanisms

• A security policy is a statement of what is and
  is not allowed.
• A security mechanism is a method, tool, or
  procedure for enforcing security policy.
• These should clearly be separate things.

15
Policy and Mechanism Example

• Policy only the systems administrator is
  allowed to access the password file and then only
  in encrypted form
• Mechanism the password file is not stored in
  clear text, but only in encrypted form with
  algorithm XYZ. The O.S. checks the access
  authorization of any process attempting to read
  the password file immediately before the access
  and whenever access is denied, that attempt is
  recorded in a log of suspicious activity.

16
Security Mechanisms

• Prevention, Detection, Recovery
• Prevention
• Encryption
• Software Controls (DB access limitations,
  operating system process protection)
• Enforce policies (frequent password change)
• Physical Controls
• Detection Intrusion detection systems (IDS)

17
Prevention Mechanisms

• Adequate prevention means that an attack will
  fail. Prevention usually involves mechanisms
  that the user cannot override.
• Prevention mechanisms are often cumbersome and do
  not always work perfectly or fail because they
  are circumvented.
• Passwords are a prevention mechanism to prevent
  unauthorized access. They fail when the password
  becomes known to a person other than the owner.

18
Detection Mechanisms

• Detection is used when an attack cannot be
  prevented and it also indicates the effectiveness
  of prevention measures.
• The goal is to determine that an attack is
  underway or has occurred and report it.
• Audit logs are detection mechanisms. When you
  log into the design centers unix servers, it
  gives you the IP address of the last successful
  login.

19
Recovery

• Recovery has several aspects. The first is to
  stop an attack and repair the damage.
• Another is to trace the evidence back to the
  attacker and discover the identity of the
  attacker (this could result in legal
  retaliation).
• Yet another aspect is to determine the
  vulnerability that was exploited and fix it or
  devise a way of preventing a future attack.

20
Example Private Property

• Prevention locks at doors, window bars, walls
  round the property
• Detection stolen items are missing, burglar
  alarms, closed circuit TV
• Recovery call the police, replace stolen items,
  make an insurance claim

21
Example E-Commerce

• Prevention encrypt your orders, rely on the
  merchant to perform checks on the caller, dont
  use the Internet (?)
• Detection an unauthorized transaction appears on
  your credit card statement
• Recovery complain, ask for a new card number,
  etc.
• Footnote Your credit card number has not been
  stolen. Your card can be stolen, but not the
  number. Confidentiality is violated.

22
Problems with Security Mechanisms

• Laws and Customs - is it legal? Might not be
  legal to retaliate against an attacker.
• Is it acceptable practice? How many hoops do we
  have to jump through to authenticate?
• Is it convenient? Users with security needs are
  often not aware of vulnerabilities and will not
  put up with excessive cost and inconvenience.

23
Other Terminology

• CompuSec computer security (protect computers
  and the information in them)
• ComSec communication security (protect
  information as it is transmitted)
• OpSec operations security (security policies and
  procedures)

24
Non-required but Worth a Glance

• Common vulnerabilities and Exposures
  http//www.cve.mitre.org/
• SANS top 20 vulnerabilities http//www.sans.org/t
  op20/
• NIST Computer Security Resource Center
  http//csrc.nist.gov/

25
What the Government is Doing

• National Strategy to Secure Cyberspace
  http//www.whitehouse.gov/pcipb/

26
What you can do

• Scholarships for IA study designated CAE
• http//www.c3i.osd.mil/iasp/studentsMain.htm
• http//cisr.nps.navy.mil/scholarships.html
• IA at SCU
• AMTH 387 Cryptology
• COEN 250 Info Security Management
• COEN 252 Computer Forensics
• COEN 253 Secure Systems Development
• COEN 350 Secure Distributed Systems
• COEN 351 Internet and E-Commerce Security