Add to collection(s) Add to saved
  1. No category
Uploaded by mohamed.ali.issr

Part1 Introduction

advertisement 
Networks
& Information
Security
Prof. Shawkat K. Guirguis
Professor of Computer Science & Informatics
Information Technology Department
Institute of Graduate Studies & Research
Alexandria University
Security




Why do you lock your house before you
leave?
How do you choose the kind of lock for
your house?
Any added devices (such as alarms, Locks,
etc…)
What you do when you observe that
things in the house are scattered around?
Network & Information
Security
Prof. Shawkat K. Guirguis
2
What are you protecting?




Brick and walls
Money and jewellery
Music CDs and tapes
Etc ….
Network & Information
Security
Prof. Shawkat K. Guirguis
3
There are Problems





Theft - of equipment
Theft – e.g. Copying of confidential material
Modification - for gain – e.g. Adding false names
to payroll
Modification - malicious – e.g. Virus infections
Access - easy for ‘us’ and difficult for ‘them’
….
Network & Information
Security
Prof. Shawkat K. Guirguis
4
Fact sheet





Bank robbery through computers
Industrial espionage on corporate
information
Loss of individual privacy (email, mobile
phone/computer, fax, ...)
Information vandalism
Computer viruses
Network & Information
Security
Prof. Shawkat K. Guirguis
5
What we mean by Security?

Protection of assets - can take several
forms:



Prevention
Detection
Reaction
Network & Information
Security
Prof. Shawkat K. Guirguis
6
Reactions
active research in security & privacy
(numerous conferences each year)
 new laws
 education
 collaborations between governments,
industries & academia
 employment of computer security
specialists
Network & Information

Security
Prof. Shawkat K. Guirguis
7
What that means for computer
assets?

What are the assets (for system
security)?
(Give examples)
Network & Information
Security
Prof. Shawkat K. Guirguis
8
Information Security

Shift from the physical security to the
protection of data (on systems) and to
thwart hackers (by means of automated
software tools) – called
System and information security
Network & Information
Security
Prof. Shawkat K. Guirguis
9
Network Security

With the widespread use of distributed
systems and the use of networks and
communications the protection of data
during transmission is called
network security
Network & Information
Security
Prof. Shawkat K. Guirguis
10
Internetwork security

The term Network Security may be
misleading, because virtually all
businesses, govt., and academic
organizations interconnect their data
processing equipment with a collection of
interconnected networks – probably we
should call it as
(inter)network security
Network & Information
Security
Prof. Shawkat K. Guirguis
11
Aspects of System and
(information) security




Security attack: any action that compromises the
security of system and information.
Security mechanism: to detect, prevent, or recover
from a security attack.
Security service: service that enhances and counters
security attacks.
Vulnerability: a weakness in a computer system that might be
exploited to cause loss or harm

Threat: circumstances that have the potential to cause loss or
harm

Control: protective measure
Network & Information
Security
Prof. Shawkat K. Guirguis
12
Security mechanisms



No single mechanism that can provide the
services mentioned in the previous slide.
However one particular aspect that
underlines most (if not all) of the security
mechanism is the cryptographic
techniques.
Encryption or encryption-like
transformation of information are the most
common means of providing security.
Network & Information
Security
Prof. Shawkat K. Guirguis
13
Security cost!





Security is not simple as it might first appear.
In developing a particular security measure one
has to consider potential counter measures.
Because of the counter measures, the problem
itself becomes complex.
Once you have designed the security measure, it
is necessary to decide where to use them.
Security mechanisms usually involve more than
a particular algorithm or protocol.
Network & Information
Security
Prof. Shawkat K. Guirguis
14
Security and Cost Analysis
cost
100%
Network & Information
Security
Security level
Prof. Shawkat K. Guirguis
15
Security Attacks - Taxonomy




Interruption – attack on availability
Interception – attack on confidentiality
Modification – attack on integrity
Fabrication – attack on authenticity
Network & Information
Security
Prof. Shawkat K. Guirguis
16
Interruption



Also known as denial of services.
Information resources (hardware,
software and data) are deliberately made
unavailable, lost or unusable, usually
through malicious destruction.
e.g: cutting a communication line,
disabling a file management system, etc.
Network & Information
Security
Prof. Shawkat K. Guirguis
17
Interception



Also known as un-authorized access.
Difficult to trace as no traces of intrusion
might be left.
e.g: illegal eavesdropping or wiretapping
or sniffing, illegal copying.
Network & Information
Security
Prof. Shawkat K. Guirguis
18
Modification


Also known as tampering a resource.
Resources can be data, programs,
hardware devices, etc.
Network & Information
Security
Prof. Shawkat K. Guirguis
19
Fabrication




Also known as counterfeiting (of objects
such as data, programs, devices, etc).
Allows to bypass the authenticity checks.
e.g: insertion of spurious messages in a
network, adding a record to a file,
counterfeit bank notes, fake cheques,…
impersonation/masquerading

to gain access to data, services etc.
Network & Information
Security
Prof. Shawkat K. Guirguis
20
Security Attacks - Taxonomy
Source and Destination - can be
what is supposed to be and
what you get
Information
Source
Information
Destination
Normal
Information
Source
Information
Destination
Information
Source
Interruption
Information
Source
Interception
Information
Destination
Network & Information
Modification
Security
Information
Destination
Prof. Shawkat K. Guirguis
Information
Source
Information
Destination
Fabrication
21
Attacks – Passive types



Passive (interception) – eavesdropping
on, monitoring of, transmissions.
The goal is to obtain information that is
being transmitted.
Types here are: release of message
contents and traffic analysis.
Network & Information
Security
Prof. Shawkat K. Guirguis
22
Attacks – Active types

1.
2.
3.
4.
Involve modification of the data stream
or creation of a false stream and can be
subdivided into:
masquerade,
replay,
modification of messages and
denial of service.
Network & Information
Security
Prof. Shawkat K. Guirguis
23
Attacks
Active
Passive
Interception
(confidentiality)
Release of
Message
contents
Network & Information
Security
Interruption
(availability)
Modification Fabrication
(authenticity)
(integrity)
Traffic
analysis
Prof. Shawkat K. Guirguis
24
Remember we need to
maintain:
Confidentiality
 Integrity
 Availability



to give us secure data (and
information)
Authenticity
Network & Information
Security
Prof. Shawkat K. Guirguis
25
Confidentiality
Only accessible by authorised parties
 Not revealed
 More than just not reading
 Confidentiality is distinct from secrecy
and privacy (?)

Network & Information
Security
Prof. Shawkat K. Guirguis
26
Integrity
Associated with loss and corruption
 Data Integrity as

Computerised data same as external,
source data
 Data not exposed to alteration or
destruction


No inappropriate modification
Network & Information
Security
Prof. Shawkat K. Guirguis
27
Availability
The property of being accessible and
usable (without delay) upon demand
by an authorized entity
 We want here to have:
no denial of service

Network & Information
Security
Prof. Shawkat K. Guirguis
28
Other issues:
 Accountability
 Reliability
 Safety
 Dependability
Network & Information
Security
Prof. Shawkat K. Guirguis
29
Security is defined as

Computer security deals with the
prevention and detection of
unauthorized actions by users of a
computer system
Network & Information
Security
Prof. Shawkat K. Guirguis
30
The security dilemma


security deals with the ready availability of
valuable assets by authorized agents, and
the denial of that access to all others.
Security-unaware users have specific
security requirements but (usually) no
security expertise.
But
Network & Information
Security
Prof. Shawkat K. Guirguis
31
The security dilemma (cont.)




The costs of additional resources to
implement security mechanisms need to
be quantified
Security mechanisms interfere with users,
and can lead to loss of productivity.
Managing security also costs.
Need to perform risk analysis
Network & Information
Security
Prof. Shawkat K. Guirguis
32
More principles of Security

Principle of easiest penetration


Principles of timeliness


an intruder will use any but simple means of
penetration first
items only need to be protected until they
lose their value
Principles of effectiveness

controls must work, and they should be
efficient, easy to use, and appropriate.
Network & Information
Security
Prof. Shawkat K. Guirguis
33
Layers of technology
(Onion Model)

Operating System
Kernel
Hardware

Services
Applications
Network & Information
Security
Prof. Shawkat K. Guirguis
In which layer
should security
mechanisms be
placed ?
Should controls
be placed in
more than one
layer ?
34
Concept of Layers





The presence of layers is a feature of
technology
Separate layers often perform very different
functions
Similar functions are combined in one layer
The boundary between two layers is usually
easily defined
Layers can often be independently
implemented
Network & Information
Security
Prof. Shawkat K. Guirguis
35
Vulnerabilities to hardware,
software and data

The three broad computing system
resources are

hardware


software


interruption (denial of service), interception (theft)
interruption (deletion), interception, modification
data

interruption (loss), interception, modification and
fabrication
Network & Information
Security
Prof. Shawkat K. Guirguis
36
A method of defense

By controls

What should be the focus of the controls?


For example: should protection mechanisms focus
on data or operations on that data or on the users
who use the data?
Since there are layers of technology, where
controls should apply?

Applications, services, operating systems, kernel,
hardware.
Network & Information
Security
Prof. Shawkat K. Guirguis
37
Which type of control?




Can be applied at hardware, software,
physical or polices?
Simple mechanisms or lots of features?
Should defining and enforcing security
mechanism be a centralized function?
How to prevent access to the layer below
the security mechanism?
Network & Information
Security
Prof. Shawkat K. Guirguis
38
Examples of Controls

Modern cryptology


Encryption, authentication code, digital
signature,etc.
Software controls




Standard development tools (design, code,
test, maintain, etc)
Operating systems controls
Internal program controls (e.g: access
controls to data in a database)
Firewalls
Network & Information
Security
Prof. Shawkat K. Guirguis
39
Examples of Controls (cont.)

Hardware controls
Security

devices, smart cards, …
Physical controls
Lock,
guards, backup of data and software,
thick walls, ….
Security polices and procedures
 User education
 Law

Network & Information
Security
Prof. Shawkat K. Guirguis
40
Related documents
Department Faculty DUGS Centre for Applied Linguistics
Department Faculty DUGS Centre for Applied Linguistics
XVI. MECHANICAL TRANSLATION R. B. Lees
XVI. MECHANICAL TRANSLATION R. B. Lees
QUEENSBOROUGH COMMUNITY COLLEGE
QUEENSBOROUGH COMMUNITY COLLEGE
the presentation - St. Mary Coptic Orthodox Church
the presentation - St. Mary Coptic Orthodox Church
Download
advertisement