Scribd
Upload
3 views

Introduction To Information Security

Uploaded by

raman7913523
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
3 views

Introduction To Information Security

Uploaded by

raman7913523
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 16

Introduction to

Information
Security
Computer Security Concepts
Computer Security -- Definition
The protection afforded to an automated information system in order
to attain the applicable objectives of preserving the integrity,
availability, and confidentiality of information system resources
(includes hardware, software, firmware, information/data, and
telecommunications).
-
NIST
Threat
A potential for violation of security, which exists when there is a
circumstance, capability, action, or event that could breach security and
cause harm. That is, a threat is a possible danger that might exploit a
vulnerability. Eg : Viruses, Malwares, Worms,etc.

Attack
An assault on security that derives from an intelligent threat; that is, an
intelligent act that is a deliberate attempt (especially in the sense of a
method or technique) to evade security services and violate the
security policy of a system.
Types of attack
• Passive Attacks
• Release of message contents
• Traffic analysis(location, length of message, identity of communicating-host,
frequency of message transmission)
• Active Attacks
• Masquerade
• Replay
• Modification of message
• Denial of service
Security Functional Requirements
Security functional requirements are the capabilities that a system or
product must posses to prevent unauthorized access, protect data
from unauthorized disclosures, and ensure the reliability of the
system.
Elements of security functional requirements
• Access Control
• Encryption
• Authentication
• Logging Monitoring
• Incident Response
Security Design Principles
Despite years of research and development, it has not been possible
to develop security design and implementation techniques that
systematically exclude security flaws and prevent all unauthorized
actions. In the absence of such foolproof techniques, it is useful to
have a set of widely agreed design principles that can guide the
development of protection mechanisms.
The National Centers of Academic Excellence in Information
Assurance/Cyber Defense list the following as fundamental security
design principles:
■ Economy of mechanism
■ Fail-safe defaults
■ Complete mediation
■ Open design
■ Separation of privilege
■ Least privilege
■ Least common mechanism
■ Psychological acceptability
■ Isolation
■ Encapsulation
■ Modularity
■ Layering
■ Least astonishment
Model for Network Security
Attack Surfaces

An attack surface consists of the reachable and exploitable


vulnerabilities in a system.
Examples :
■ Open ports on outward facing Web and other servers, and code listening on
those ports
■ Services available on the inside of a firewall
■ Code that processes incoming data, email, XML, office documents, and
industry-specific custom data exchange formats
■ Interfaces, SQL, and Web forms
■ An employee with access to sensitive information vulnerable to a social
engineering attack
Attack Surface Categories
• Network attack surface
• Software attack surface
• Human attack surface
Attack Trees
• An attack tree is a branching, hierarchical data structure that represents a set of potential
techniques for exploiting security vulnerabilities
• The security incident that is the goal of the attack is represented as the root node of the tree, and
the ways that an attacker could reach that goal are iteratively and incrementally represented as
branches and sub nodes of the tree.
• Each sub node defines a subgoal, and each subgoal may have its own set of further subgoals, and
so on.
• The final nodes on the paths outward from the root, that is, the leaf nodes, represent different
ways to initiate an attack.
• Each node other than a leaf is either an AND-node or an OR-node.
• To achieve the goal represented by an AND-node, the subgoals represented by all of that node’s
sub nodes must be achieved; and for an OR-node, at least one of the subgoals must be achieved.
• Branches can be labeled with values representing difficulty, cost, or other attack attributes, so that
alternative attacks can be compared.
Computer Security Strategies
• Encipherment
• Digital Signature
• Access Control
• Data Integrity
• Trusted Functionality
• Security Label
• Traffic Padding
• Authentication Exchange
• Event Detection ,etc

You might also like