Computer Security: CIA Triad Explained

Uploaded by VEENA

1.1 COMPUTER SECURITY CONCEPTS


Computer Security: The protection afforded to an automated information system in order to attain
the applicable objectives of preserving the integrity, availability, and confidentiality of information
system resources (includes hardware, software, firmware, information/data, and
telecommunications).

This definition introduces three key objectives that are at the heart of computer security:
■ Confidentiality: This term covers two related concepts:
  – Data confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorized individuals.
  – Privacy: Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.
■ Integrity: This term covers two related concepts:
  – Data integrity: Assures that information (both stored and in transmitted packets) and programs are changed only in a specified and authorized manner.
  – System integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
■ Availability: Assures that systems work promptly and service is not denied to authorized users.

These three concepts form what is often referred to as the CIA triad. The three concepts embody the fundamental security objectives for both data and for information and computing services.
For example, the NIST standard FIPS 199 (Standards for Security Categorization of Federal Information and Information Systems) lists confidentiality, integrity, and availability as the three security objectives for information and for information systems. FIPS 199 provides a useful characterization of these three objectives in terms of requirements and the definition of a loss of security in each category:

■ Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.
■ Integrity: Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.
■ Availability: Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.

Although the use of the CIA triad to define security objectives is well established, some in the security field feel that additional concepts are needed to present a complete picture (Figure 1.1). Two of the most commonly mentioned are as follows:

Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. This means verifying that users are who they say they are and that each input arriving at the system came from a trusted source.

Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.

Figure 1.1 Essential Network and Computer Security Requirements

Examples
We now provide some examples of applications that illustrate the requirements. For these examples, we use three levels of impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability). These levels are defined in FIPS PUB 199:
■ Low: The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might
  (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced;
  (ii) result in minor damage to organizational assets;
  (iii) result in minor financial loss; or
  (iv) result in minor harm to individuals.
■ Moderate: The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. A serious adverse effect means that, for example, the loss might
  (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced;
  (ii) result in significant damage to organizational assets;
  (iii) result in significant financial loss; or
  (iv) result in significant harm to individuals that does not involve loss of life or serious, life-threatening injuries.
■ High: The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. A severe or catastrophic adverse effect means that, for example, the loss might
  (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions;
  (ii) result in major damage to organizational assets;
  (iii) result in major financial loss; or
  (iv) result in severe or catastrophic harm to individuals involving loss of life or serious, life-threatening injuries.

CONFIDENTIALITY Student grade information is an asset whose confidentiality is considered to be highly important by students. In the United States, the release of such information is regulated by the

Student enrollment information may have a moderate confidentiality rating. While still covered by FERPA, this information is seen by more people on a daily basis, is less likely to be targeted than grade information, and results in less damage if disclosed.

Directory information, such as lists of students or faculty or departmental lists, may be assigned a low confidentiality rating or indeed no rating. This information is typically freely available to the public and published on a school’s Web site.
INTEGRITY Several aspects of integrity are illustrated by the example of a hospital
patient’s allergy information stored in a database. The doctor should be able to trust
that the information is correct and current. Now suppose that an employee (e.g., a
nurse) who is authorized to view and update this information deliberately falsifies
the data to cause harm to the hospital. The database needs to be restored to a trusted
basis quickly, and it should be possible to trace the error back to the person
responsible. Patient allergy information is an example of an asset with a high requirement
for integrity. Inaccurate information could result in serious harm or death to a
patient and expose the hospital to massive liability.
An example of an asset that may be assigned a moderate level of integrity requirement is
a Web site that offers a forum to registered users to discuss some specific topic.
Either a registered user or a hacker could falsify some entries or deface the Web
site. If the forum exists only for the enjoyment of the users, brings in little or no
advertising revenue, and is not used for something important such as research, then
potential damage is not severe. The Web master may experience some data,
financial, and time loss.
An example of a low integrity requirement is an anonymous online poll. Many
Web sites, such as news organizations, offer these polls to their users with very few
safeguards. However, the inaccuracy and unscientific nature of such polls is well
understood.
AVAILABILITY The more critical a component or service, the higher is the level of
availability required. Consider a system that provides authentication services for
critical systems, applications, and devices. An interruption of service results in the
inability for customers to access computing resources and staff to access the
resources they need to perform critical tasks. The loss of the service translates into a
large financial loss in lost employee productivity and potential customer loss.
An example of an asset that would typically be rated as having a moderate
availability requirement is a public Web site for a university; the Web site provides
information for current and prospective students and donors. Such a site is not a
critical component of the university’s information system, but its unavailability will cause
some embarrassment.
An online telephone directory lookup application would be classified as a low
availability requirement. Although the temporary loss of the application may be an
annoyance, there are other ways to access the information, such as a hardcopy
directory or the operator.

The Challenges of Computer Security


Computer and network security is both fascinating and complex. Some of the
reasons follow:

1. Security is not as simple as it might first appear to the novice. The requirements seem to be straightforward; indeed, most of the major requirements for security services can be given self-explanatory, one-word labels: confidentiality, authentication, nonrepudiation, or integrity.

2. In developing a particular security mechanism or algorithm, one must always consider potential attacks on those security features.

3. Typically, a security mechanism is complex, and it is not obvious from the statement of a particular requirement that such elaborate measures are needed.

4. Having designed various security mechanisms, it is necessary to decide where to use them. This is true both in terms of physical placement and in a logical sense.

5. Security mechanisms typically involve more than a particular algorithm or protocol.

6. Computer and network security is essentially a battle of wits between a perpetrator who tries
to find holes and the designer or administrator who tries to close them. The great advantage that
the attacker has is that he or she need only find a single weakness, while the designer must find
and eliminate all weaknesses to achieve perfect security.

7. There is a natural tendency on the part of users and system managers to perceive little
benefit from security investment until a security failure occurs.

8. Security requires regular, even constant, monitoring, and this is difficult in today's short-term,
overloaded environment.

9. Security is still too often an afterthought to be incorporated into a system after the design is
complete rather than being an integral part of the design process.

10. Many users and even security administrators view strong security as an impediment to
efficient and user-friendly operation of an information system or use of information.

THE OSI SECURITY ARCHITECTURE

ITU-T Recommendation X.800, Security Architecture for OSI, defines such a systematic
approach. The OSI security architecture is useful to managers as a way of organizing the task of
providing security. Because this architecture was developed as an international standard, computer and
communications vendors have developed security features for their products and services that
relate to this structured definition of services and mechanisms.
The OSI security architecture focuses on security attacks, mechanisms, and services.
These can be defined briefly as

• Security attack: Any action that compromises the security of information owned by an
organization.

• Security mechanism: A process (or a device incorporating such a process) that is designed to
detect, prevent, or recover from a security attack.

• Security service: A processing or communication service that enhances the security of the data
processing systems and the information transfers of an organization. The services are intended to
counter security attacks, and they make use of one or more security mechanisms to provide the
service. In the literature, the terms threat and attack are commonly used to mean more or less the
same thing.

Table 1.1 provides definitions taken from RFC 2828, Internet Security Glossary.
Threat
A potential for violation of security, which exists when there is a circumstance, capability,
action, or event that could breach security and cause harm. That is, a threat is a possible danger
that might exploit a vulnerability.
Attack
An assault on system security that derives from an intelligent threat; that is, an intelligent act
that is a deliberate attempt (especially in the sense of a method or technique) to evade security
services and violate the security policy of a system.

ATTACKS
Security attacks can be classified into two types: passive attacks and active attacks. A
passive attack attempts to learn or make use of information from the system but does not affect
system resources. An active attack attempts to alter system resources or affect their operation.
Passive Attacks
Two types of passive attacks are the release of message contents and traffic analysis.

The release of message contents is easily understood (Figure 1.5a). A telephone
conversation, an electronic mail message, and a transferred file may contain sensitive or
confidential information. We would like to prevent an opponent from learning the contents of
these transmissions.

A second type of passive attack, traffic analysis, is subtler (Figure 1.5b). Suppose that
we had a way of masking the contents of messages or other information traffic so that opponents,
even if they captured the message, could not extract the information from the message. The
common technique for masking contents is encryption. If we had encryption protection in place,
an opponent might still be able to observe the pattern of these messages.

Passive attacks are very difficult to detect, because they do not involve any alteration of the data.
Typically, the message traffic is sent and received in an apparently normal fashion, and neither the
sender nor the receiver is aware that a third party has read the messages or observed the traffic
pattern.

Figure 1.5 Passive Attacks

Active Attacks
Active attacks involve some modification of the data stream or the creation of a false stream and
can be subdivided into four categories: masquerade, replay, modification of messages, and denial
of service.

A masquerade takes place when one entity pretends to be a different entity (Figure 1.6a). A
masquerade attack usually includes one of the other forms of active attack. For example,
authentication sequences can be captured and replayed after a valid authentication sequence has
taken place, thus enabling an authorized entity with few privileges to obtain extra privileges by
impersonating an entity that has those privileges.

Replay involves the passive capture of a data unit and its subsequent retransmission to produce
an unauthorized effect (Figure 1.6b).

Modification of messages simply means that some portion of a legitimate message is altered, or
that messages are delayed or reordered, to produce an unauthorized effect (Figure 1.6c). For
example, a message meaning “Allow John Smith to read confidential file accounts” is modified
to mean “Allow Fred Brown to read confidential file accounts.”

The denial of service prevents or inhibits the normal use or management of communications
facilities (Figure 1.6d). This attack may have a specific target.

Active attacks present the opposite characteristics of passive attacks. Whereas passive attacks
are difficult to detect, measures are available to prevent their success.

Figure 1.6 Active Attack


SECURITY SERVICES

X.800 defines a security service as a service that is provided by a protocol layer of
communicating open systems and that ensures adequate security of the systems or of data
transfers. Perhaps a clearer definition is found in RFC 2828, which provides the following
definition: a processing or communication service that is provided by a system to give a specific
kind of protection to system resources; security services implement security policies and are
implemented by security mechanisms.
X.800 divides these services into five categories and fourteen specific services (Table 1.2).

Table 1.2 Security Services (X.800)


SECURITY MECHANISMS

Table 1.3 lists the security mechanisms defined in X.800. The mechanisms are
divided into those that are implemented in a specific protocol layer, such as
TCP or an application-layer protocol, and those that are not specific to any
particular protocol layer or security service.

Table 1.3 Security Mechanisms (X.800)

A MODEL OF NETWORK SECURITY

A model for much of what we will be discussing is captured, in very general terms, in Figure 1.5. A message is to be transferred from one party to another across some sort of Internet service. The two parties, who are the principals in this transaction, must cooperate for the exchange to take place. A logical information channel is established by defining a route through the Internet from source to destination.

All the techniques for providing security have two components:
■ A security-related transformation on the information to be sent. Examples include the encryption of the message, which scrambles the message so that it is unreadable by the opponent, and the addition of a code based on the contents of the message, which can be used to verify the identity of the sender.
■ Some secret information shared by the two principals and, it is hoped, unknown to the opponent. An example is an encryption key used in conjunction with the transformation to scramble the message before transmission and unscramble it on reception.

A trusted third party may be needed to achieve secure transmission. For example, a third party may be responsible for distributing the secret information to the two principals while keeping it from any opponent. Or a third party may be needed to arbitrate disputes between the two principals concerning the authenticity of a message transmission.

Figure 1.5 Model for Network Security (sender and recipient, each applying a security-related transformation with secret information; an information channel carrying the secure message; a trusted third party, e.g., arbiter, distributer of secret information; and an opponent)

This general model shows that there are four basic tasks in designing a particular
security service:
1. Design an algorithm for performing the security-related transformation. The
algorithm should be such that an opponent cannot defeat its purpose.
2. Generate the secret information to be used with the algorithm.
3. Develop methods for the distribution and sharing of the secret information.
4. Specify a protocol to be used by the two principals that makes use of the
security algorithm and the secret information to achieve a particular security
service.
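
An added example, not part of the original notes: a minimal Python sketch of the model above, using HMAC-SHA-256 as the "code based on the contents of the message" and a sequence number so the recipient can reject the modification, replay and masquerade cases described under Active Attacks. The class names, the packet layout and the sequence-number scheme are assumptions made for illustration, and encryption for confidentiality is left out.

```python
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 32  # HMAC-SHA-256 output size in bytes
SEQ_LEN = 8   # assumed packet layout: 8-byte sequence number | message | tag


def generate_secret() -> bytes:
    """Task 2: generate the secret information (a random 256-bit key)."""
    return secrets.token_bytes(32)


def _tag(key: bytes, data: bytes) -> bytes:
    """Task 1: the transformation, a keyed code over header and message."""
    return hmac.new(key, data, hashlib.sha256).digest()


class Sender:
    def __init__(self, key: bytes):
        self._key = key
        self._seq = 0

    def protect(self, message: bytes) -> bytes:
        self._seq += 1
        body = struct.pack(">Q", self._seq) + message
        return body + _tag(self._key, body)


class Recipient:
    def __init__(self, key: bytes):
        self._key = key
        self._last_seq = 0

    def accept(self, packet: bytes) -> bytes:
        if len(packet) < SEQ_LEN + TAG_LEN:
            raise ValueError("packet too short")
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        # Constant-time comparison; verify the tag before trusting any field.
        if not hmac.compare_digest(tag, _tag(self._key, body)):
            raise ValueError("authentication failed")
        (seq,) = struct.unpack(">Q", body[:SEQ_LEN])
        if seq <= self._last_seq:
            raise ValueError("replay detected")
        self._last_seq = seq
        return body[SEQ_LEN:]


def attempt(recipient: Recipient, packet: bytes) -> str:
    try:
        recipient.accept(packet)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


def demo() -> dict:
    # Task 3 (distribution) is assumed done out of band: both sides hold key.
    key = generate_secret()
    sender, recipient = Sender(key), Recipient(key)
    # Constructed sample message, taken from the modification example above.
    packet = sender.protect(b"Allow John Smith to read confidential file accounts")
    modified = packet.replace(b"John Smith", b"Fred Brown")
    # An opponent without the shared key cannot produce a valid tag.
    forged = Sender(generate_secret()).protect(b"Allow Fred Brown to read accounts")
    return {
        "modified": attempt(recipient, modified),
        "legitimate": attempt(recipient, packet),
        "replayed": attempt(recipient, packet),
        "masquerade": attempt(recipient, forged),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:11s} {outcome}")
```

The tag gives integrity and authenticity only; the message itself still travels in the clear, so the release-of-contents and traffic-analysis cases are not addressed by this sketch.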

MODEL FOR NETWORK ACCESS SECURITY

Using this model requires us to:

– select appropriate gatekeeper functions to identify users
– implement security controls to ensure only authorized users access
designated information or resources
• Trusted computer systems can be used to implement this model
