IT 221: Introduction to Information Security Principles Lecture 1: Introduction to IT Security For Educational Purposes Only Revised: August 28, 2002

1 August 28, 2002 IT 221: Introduction to Information Security Priciples For Educational Purposes Only Chapter 1: Working Definitions of Security IT Security Principles Three Aspects of Security Types of Security Services Types of Security Threats Goals of Security Types of Security Attacks Model for Network Security Model for Network Access Security Chapter Outline

2 August 28, 2002 IT 221: Introduction to Information Security Priciples For Educational Purposes Only Information Security Defined: “The generic name for the collection of tools designed to protect data and to thwart [break-ins]”. [4] Working Definitions of Security

3 August 28, 2002 IT 221: Introduction to Information Security Priciples For Educational Purposes Only IT Security Principles Principle of Easiest Penetration: “An intruder must be expected to use any available means of penetration. This is not the most obvious means, nor is it the one against which the most solid defense has been installed.” (Pflegger) Principle of Adequate Protection: “Computer Items must be protected only until they lose their value. They must be protected to a degree consistent with their value.” (Pflegger)

4 August 28, 2002 IT 221: Introduction to Information Security Priciples For Educational Purposes Only Security Services fall into one of the following categories: Security Attack: Any Attack that compromises the security of information owned by an organization. Security Mechanism: A mechanism that is designed to detect, prevent or recover from a security attack. Security Service: A service that enhances the security of [information] systems and the information transfers of an organization. The services are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service. Three Aspects of Security

5 August 28, 2002 IT 221: Introduction to Information Security Priciples For Educational Purposes Only Security Services fall into one of the following categories: Confidentiality: Ensures that the info in a system and transmitted info are accessible only for reading by authorized parties. (Data Privacy) Integrity: Ensures that only authorized parties are able to modify computer systems assets and transmitted information. (Data has not been altered) Authentication: Ensures that the origin of a message or electronic doc is correctly identified, with an assurance that the identity is not false. (Who created or sent the data) Types of Security Services

6 August 28, 2002 IT 221: Introduction to Information Security Priciples For Educational Purposes Only (a) Normal Flow (b) Interruption: An asset of a system becomes unavailable or unusable. [3] (c) Interception: Some unauthorized party which has gained access to an asset. [3] (d) Modification: Some unauthorized party not only gains access to, but also tampers with, an asset. [3] (e) Fabrication: Some unauthorized party fabricates objects on a system. [3] Types of Security Threats

7 August 28, 2002 IT 221: Introduction to Information Security Priciples For Educational Purposes Only Goals of Security Integrity Confidentiality Availability

8 August 28, 2002 IT 221: Introduction to Information Security Priciples For Educational Purposes Only Passive Threats: Release of Message Contents Traffic Analysis Active Threats: Masquerade Replay Modification of Mess. Contents Denial of Service Types of Security Attacks

9 August 28, 2002 IT 221: Introduction to Information Security Priciples For Educational Purposes Only Model for Network Security (1) A message is transferred from one party (Principal) to another. (2) A logical information channel is established between the two Principals by the cooperative use of some protocol, e.g. TCP/IP. (3) Goal is to provide the secure transmission of information from Opponents. (4) A trusted third-party may be needed for secure transmissions.

10 August 28, 2002 IT 221: Introduction to Information Security Priciples For Educational Purposes Only Model for Network Access Security (1) Gatekeeper functions include Password-based login authentications. (2) Various internal controls that monitor activity and analyze stored information in an attempt to detect the presence of unwanted intruders.

11 August 28, 2002 IT 221: Introduction to Information Security Priciples For Educational Purposes Only [1] Denning, Dorothy E. Cryptography and Data Security, Addison-Wesley, [2] Ghosh, Anup. E-Commerce Security, Weak Links, Best Defenses, Wiley Computer Publishing, [3] Pfleeger, Charles. Security In Computing, Prentice Hall, [4] Stallings, William. Cryptography and Network Security, Prentice Hall, Resources