Computer Security Concepts

Uploaded by MohanaPriya P

Computer Security Concepts

• Definition of Computer Security by NIST:
• Protection afforded to an automated information system in order to preserve the integrity, availability and confidentiality of information system resources.

• Three key objectives considered as the heart of computer security are as follows:
• Confidentiality (data confidentiality, privacy)
• Integrity (data and system integrity) and
• Availability (together referred to as the CIA triad)

• NIST Standard FIPS 199 (Standards for Security Categorization of Federal Information and Information Systems).

• Additional concepts: Authenticity and Accountability.


[Figure: the security triad, a triangle with Confidentiality, Integrity and Availability at its corners]
• Levels of impact on organizations and individuals:
• Low
• Moderate and
• High

Low:
1. Cause a degradation in mission capability to an extent.
2. Result in minor damage to organizational assets.
3. Result in minor financial loss.
4. Result in minor harm to individuals.

Moderate:
1. Cause a significant degradation in mission capability to an extent.
2. Result in significant damage to organizational assets.
3. Result in significant financial loss.
4. Result in significant harm to individuals that does not involve loss of life (or) serious life-threatening injuries.

High:
1. Cause a severe degradation in (or) loss of mission capability.
2. Result in major damage to organizational assets.
3. Result in major financial loss.
4. Result in severe (or) catastrophic harm to individuals involving loss of life.
• Confidentiality (student grade information)
• US Family Educational Rights and Privacy Act (FERPA)
• Low confidentiality, moderate confidentiality and high confidentiality

• Integrity
• Hospital (patient's allergy information stored in a database)
• Anonymous online poll.

• Availability
• Online telephone directory lookup application (low availability requirement)
• Two alternative ways to access the same information exist:
• Hard copy
• Operator
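As an added example (not part of these slides), the following Python applies the FIPS 199 impact levels above to a whole system: FIPS 199 combines the per-objective impact of each information type with a high-water mark rule, which the slides do not spell out. The information types and their ratings are constructed illustrative values, not assignments taken from FIPS 199 or SP 800-60.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# FIPS 199 impact levels in increasing order. "NA" (not applicable) is allowed
# only for the confidentiality of an information type (e.g. public data); an
# information system is always rated at least LOW for every objective.
LEVELS = ["NA", "LOW", "MODERATE", "HIGH"]
OBJECTIVES = ("confidentiality", "integrity", "availability")

@dataclass
class InfoType:
    name: str
    impact: Dict[str, str]  # objective -> impact level

def validate(info: InfoType) -> None:
    """Reject unknown levels and NA on anything but confidentiality."""
    for obj in OBJECTIVES:
        level = info.impact.get(obj)
        if level not in LEVELS:
            raise ValueError(f"{info.name}: bad level {level!r} for {obj}")
        if level == "NA" and obj != "confidentiality":
            raise ValueError(f"{info.name}: NA is only allowed for confidentiality")

def categorize_system(types: List[InfoType]) -> Dict[str, str]:
    """High-water mark: the system's impact for each objective is the highest
    impact that any of its information types carries for that objective."""
    for t in types:
        validate(t)
    sc = {}
    for obj in OBJECTIVES:
        top = max((t.impact[obj] for t in types), key=LEVELS.index, default="LOW")
        sc[obj] = "LOW" if top == "NA" else top  # a system is never NA
    return sc

def overall_impact(sc: Dict[str, str]) -> str:
    """Overall system impact level is the highest of the three objectives."""
    return max(sc.values(), key=LEVELS.index)

def fips199_expression(sc: Dict[str, str]) -> str:
    """Render the category in the notation FIPS 199 uses."""
    return "SC = {" + ", ".join(f"({o}, {sc[o]})" for o in OBJECTIVES) + "}"

def registrar_example() -> Tuple[Dict[str, str], str]:
    """Constructed ratings for a hypothetical university registrar system."""
    grades = InfoType("student grades", {"confidentiality": "MODERATE",
                                         "integrity": "MODERATE", "availability": "LOW"})
    directory = InfoType("public directory", {"confidentiality": "NA",
                                              "integrity": "LOW", "availability": "LOW"})
    sc = categorize_system([grades, directory])
    return sc, overall_impact(sc)
```

Because the registrar system also holds the moderate-impact grade records, the public directory's NA confidentiality does not lower the system's category; the high-water mark makes it a MODERATE system overall.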
RFC 4949 Internet Security Glossary
• Threat
• A threat is a possible danger that might exploit a vulnerability.

• Attack
• An assault on system security that derives from an intelligent threat.

• Security Attacks
• Passive Attacks
• Active Attacks

• Passive Attacks
• Attempt to learn or make use of information from the system but do not affect system resources.

• Active Attacks
• Attempt to alter system resources (or) affect their operation.

• Passive Attacks
• A kind of eavesdropping on, or monitoring of, transmissions.

• Types of Passive Attacks
• Release of message contents.
• Traffic analysis.

• Active Attacks
• Involve some modification of the data stream or the creation of a false stream.

• Active Attacks are subdivided into four categories:
• Masquerade attack,
• Replay attack,
• Modification of messages,
• Denial of service.
Security Services
• X.800 defines a security service as a service that is provided by a protocol layer of communicating open systems.

• RFC 4949 defines a security service as:
• A processing (or) communication service that is provided by the system to give a specific kind of protection to system resources.

• X.800 divides security services into five categories and 14 specific services, listed in Table 1.2.
