Scribd
Upload
29 views4 pages

CCS Notes

The document provides an overview of computer security concepts, focusing on the CIA triad (Confidentiality, Integrity, Availability) and additional concepts like Authenticity and Accountability. It outlines the OSI Security Architecture, detailing security attacks, mechanisms, and services, as well as classifying attacks into passive and active types. The document emphasizes the importance of encryption in preventing passive attacks and discusses the nature of active attacks that modify data streams.

Uploaded by

revicse
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
29 views4 pages

CCS Notes

The document provides an overview of computer security concepts, focusing on the CIA triad (Confidentiality, Integrity, Availability) and additional concepts like Authenticity and Accountability. It outlines the OSI Security Architecture, detailing security attacks, mechanisms, and services, as well as classifying attacks into passive and active types. The document emphasizes the importance of encryption in preventing passive attacks and discusses the nature of active attacks that modify data streams.

Uploaded by

revicse
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 4

UNIT I INTRODUCTION TO SECURITY 9

Computer Security Concepts – The OSI Security Architecture – Security Attacks – Security
Services and Mechanisms – A Model for Network Security – Classical encryption techniques:
Substitution techniques, Transposition techniques, Steganography – Foundations of modern
cryptography: Perfect security – Information Theory – Product Cryptosystem – Cryptanalysis.

COMPUTER SECURITY CONCEPTS

Computer Security: The protection afforded to an automated information system in order to


attain the applicable objectives of preserving the integrity, availability, and confidentiality of
information system resources (includes hardware, software, firmware, information/data, and
telecommunications).
This definition introduces three key objectives that are at the heart of computer security:
Confidentiality: This term covers two related concepts:
Data confidentiality: Assures that private or confidential information is not made available or
disclosed to unauthorized individuals.
Privacy: Assures that individuals control or influence what information related to them may be
collected and stored and by whom and to whom that information may be disclosed.
Integrity: This term covers two related concepts:
Data integrity: Assures that information (both stored and in transmitted packets) and programs
are changed only in a specified and authorized manner.
System integrity: Assures that a system performs its intended function in an unimpaired
manner, free from deliberate or inadvertent unauthorized manipulation of the system.
Availability: Assures that systems work promptly and service is not denied to authorized users.
Although the use of the CIA triad to define security objectives is well established, some in the
security field feel that additional concepts are needed. Two of the most commonly mentioned are
as follows:
Authenticity: The property of being genuine and being able to be verified and trusted;
confidence in the validity of a transmission, a message, or message originator. This means
verifying that users are who they say they are and that each input arriving at the system came
from a trusted source.
Accountability: The security goal that generates the requirement for actions of an entity to be
traced uniquely to that entity. This supports non repudiation, deterrence, fault isolation, intrusion
detection and prevention, and after action recovery and legal action. Because truly secure
systems are not yet an achievable goal, we must be able to trace a security breach to a
responsible party. Systems must keep records of their activities to permit later forensic analysis
to trace security breaches or to aid in transaction disputes.

THE OSI SECURITY ARCHITECTURE


To assess effectively the security needs of an organization and to evaluate and choose various
security products and policies, the manager responsible for security needs some systematic way
of defining the requirements for security and characterizing the approaches to satisfying those
requirements. ITU-T3 Recommendation X.800, Security Architecture for OSI, defines such a
systematic approach.4 The OSI security architecture is useful to managers as a way of organizing
the task of providing security. The OSI security architecture focuses on security attacks,
mechanisms, and services.
These can be defined briefly as
Security attack: Any action that compromises the security of information owned by an
organization.
Security mechanism: A process (or a device incorporating such a process) that is designed to
detect, prevent, or recover from a security attack.
Security service: A processing or communication service that enhances the security of the data
processing systems and the information transfers of an organization. The services are intended to
counter security attacks, and they make use of one or more security mechanisms to provide the
service.
Threat
A potential for violation of security, which exists when there is a circumstance, capability,
action, or event that could breach security and cause harm. That is, a threat is a possible danger
that might exploit vulnerability.
Attack
An assault on system security that derives from an intelligent threat; that is, an intelligent act that
is a deliberate attempt (especially in the sense of a method or technique) to evade security
services and violate the security policy of a system.
SECURITY ATTACKS
A useful means of classifying security attacks, used both in X.800 and RFC 4949, is in terms of
passive attacks and active attacks (Figure 1.2). A passive attack attempts to learn or make use of
information from the system but does not affect system resources. An active attack attempts to
alter system resources or affect their operation.
Passive Attacks
Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal
of the opponent is to obtain information that is being transmitted. Two types of passive attacks
are the release of message contents and traffic analysis.

 The release of message contents is easily understood. A telephone conversation, an


electronic mail message, and a transferred file may contain sensitive or confidential
information. We would like to prevent an opponent from learning the contents of these
transmissions.
 A second type of passive attack, traffic analysis, is subtler. Suppose that we had a way
of masking the contents of messages or other information traffic so that opponents, even
if they captured the message, could not extract the information from the message. The
common technique for masking contents is encryption. If we had encryption protection in
place, an opponent might still be able to observe the pattern of these messages. The
opponent could determine the location and identity of communicating hosts and could
observe the frequency and length of messages being exchanged. This information might
be useful in guessing the nature of the communication that was taking place.
Passive attacks are very difficult to detect, because they do not involve any alteration of the data.
Typically, the message traffic is sent and received in an apparently normal fashion, and neither
the sender nor receiver is aware that a third party has read the messages or observed the traffic
pattern.
However, it is feasible to prevent the success of these attacks, usually by means of encryption.
Thus, the emphasis in dealing with passive attacks is on prevention rather than detection.
Active Attacks
Active attacks (Figure 1.2b) involve some modification of the data stream or the
creation of a false stream and can be subdivided into four categories: masquerade,
replay, modification of messages, and denial of service.

You might also like