Chapter 1 Introduction: Computer and Network Security
//Modified by Prof. M. Singhal// Henric Johnson Blekinge Institute of Technology, Sweden www.its.bth.se/staff/hjo/ [email protected]
+46 708 250375
Henric Johnson 1
�Outline
Information security Attacks, services and mechanisms Security attacks Security services Methods of Defense A model for Internetwork Security Internet standards and RFCs
Henric Johnson 2
�Information Security
Protection of data. Has gone two major changes: 1. Computer Security: oTimesharing systems: multiple users share the H/W and S/W resources on a computer. o Remote login is allowed over phone lines. Measures and tools to protect data and thwart hackers is called Computer Security.
Henric Johnson 3
�Information Security
2. Network Security: Computer networks are widely used to connect computers at distant locations. Raises additional security problems: o Data in transmission must be protected. o Network connectivity exposes each computer to more vulnerabilities.
Henric Johnson 4
�Attacks, Services and Mechanisms
Three aspects of Information Security: Security Attack: Any action that
compromises the security of information. Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack. Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.
Henric Johnson 5
�Security Attacks
Henric Johnson
�Security Attacks
Interruption: An asset of the system is destroyed or becomes unavailable or unusable. This is an attack on availability. Examples: Destroying some H/W (disk or wire). Disabling file system. Swamping a computer with jobs or communication link with packets.
Henric Johnson 7
�Security Attacks
Interception: An unauthorized party gains access to an asset. O This is an attack on confidentiality. Examples: >Wiretapping to capture data in a network. >Illicitly copying data or programs.
Henric Johnson 8
�Security Attacks
Modification: An unauthorized party gains access and tampers an asset. oThis is an attack on integrity. Examples: Changing data files. Altering a program. Altering the contents of a message.
Henric Johnson 9
�Security Attacks
Fabrication: An unauthorized party inserts a counterfeit object into the system. O This is an attack on authenticity. Examples: > Insertion of records in data files. > Insertion of spurious messages in a network. (message replay).
Henric Johnson 10
�Passive vs. Active Attacks
1. Passive Attacks: o Eavesdropping on information without modifying it. (difficult to detect ). 2. Active Attacks: o Involve modification or creation of info.
Henric Johnson 11
�Henric Johnson
12
�Passive Threats
Release of a message contents: Contents of a message are read. > A message may be carrying sensitive or confidential data. Traffic analysis: An intruder makes inferences by observing message patterns. > Can be done even if messages are encrypted. > Inferences: location and identity of hosts.
Henric Johnson 13
�Active Threats
Masquerade: An entity pretends to be some other entity. Example: An entity captures an authentication sequence and replays it later to impersonate the original entity. Replay: Involves capture of a data unit and its retransmission to produce an unauthorized effect.
Henric Johnson 14
�Active Threats
Modification of messages: A portion of a legitimate message has been altered to produce an undesirable effect. Denial of service: Inhibits normal use of computer and communications resources. > Flooding of computer network. >Swamping of CPU or a server.
Henric Johnson 15
�Security Services
A classification of security services:
Confidentiality (privacy)
Authentication (who created or sent the data) Integrity (has not been altered)
Non-repudiation (the order is final)
Access control (prevent misuse of resources) Availability (permanence, non-erasure) Denial of Service Attacks Virus that deletes files
Henric Johnson 16
�Security Goals
Confidentiality
Integrity
Avalaibility
Henric Johnson
17
�Henric Johnson
18
�Henric Johnson
19
�Methods of Defence
Encryption Software Controls (access limitations in a data base, in operating system protect each user from other users) Hardware Controls (smartcard) Policies (frequent changes of passwords) Physical Controls
Henric Johnson 20
�Internet standards and RFCs
The Internet society
Internet Architecture Board (IAB) Internet Engineering Task Force (IETF) Internet Engineering Steering Group (IESG)
Henric Johnson
21
�Internet RFC Publication Process
Henric Johnson
22
�Recommended Reading
Pfleeger, C. Security in Computing. Prentice Hall, 1997.
Mel, H.X. Baker, D. Cryptography Decrypted. Addison Wesley, 2001.
Henric Johnson
23
