UNIT-II

• Information Security Model

• Component of an Information security
• Aspect of information security
• Security attacks (Active and Passive Attacks)
• Security mechanism and Security Services (X.800)
 What is Information Security

Information security covers the tools and processes that organizations use to protect information. This
includes policy settings that prevent unauthorized people from accessing business or personal information.
Information Security is a growing and evolving field that covers a wide range of fields, from network and
infrastructure security to testing and auditing.

Information security protects sensitive information from unauthorized activities, including inspection,
modification, recording, and any disruption or destruction. The goal is to ensure the safety and privacy of
critical data such as customer account details, financial data or intellectual property.
Information Security Model
• A model describes the system
• e.g., a high level specification or an abstract machine
description of what the system does
• A security policy
• defines the security requirements for a given system
• Verification techniques that can be used to show that
a policy is satisfied by a system
• System Model + Security Policy = Security Model
A security model is a computer model which can be used to identify and impose security policies. It does not need some
prior formation it can be founded on the access right model or analyzing computing model or computation model.

A security model is a structure in which a security policy is developed. The development of this security policy is geared
to a specific setting or instance of a policy. A security policy is based upon authentication, but built inside the confines of a
security model. For example, designing a security model based upon authentication and authorization, one consider the 4-
factor model of security, such as authentication, authorization, availability, and authenticity.

A security policy determines how data is accessed, what level of security is needed, and what procedure should be taken
when these requirements are not met. The policy framework the expectations of a computer system or device.
If a security policy states that no one from a lower security level should be able to view or change data at a higher
security level, the supporting security model will define the essential logic and rules that require to be implemented to
provide that under no situations can a lower-level subject access a higher-level object in an unauthorized manner. A
security model supports a higher description of how a computer operating system should be created to properly provide a
definite security policy.

Information Security Models overpass the gap between security policy declarations (define which users should have
access to data) and the operating system execution (which allows a management to organize access control). The models
provide map theoretical objective onto mathematical associations that strengthen whichever execution is finally selected.
Component of an Information security

The protection of computer systems and networks from information disclosure, theft of, or damage to
their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they
provide.[
 INFORMATION SECURITY MANAGEMENT

Information security management describes the set of policies and procedural controls that IT and
business organizations implement to secure their informational assets against threats and vulnerabilities.
Many organizations develop a formal, documented process for managing Info Sec ,called an Information
Security Management System
Network security is any activity designed to protect the
usability and integrity of your network and data.
•It includes both hardware and software technologies
•It targets a variety of threats
•It stops them from entering or spreading on your network
•Effective network security manages access to the network
Aspect of Information Security

•Security Attack: An attempt to gain unauthorized access to information resource or services,

or to cause harm or damage to information systems.
•Security Mechanism
•Security Service
Security Mechanisms
1.Encipherment: Encipherment is hiding or covering data and can provide confidentiality. It makes use of mathematical algorithms to transform
data into a form that is not readily intelligible. The transformation and subsequent recovery of the data depend on an algorithm and zero or more encryption keys.
Cryptography and Steganography techniques are used for enciphering.

2.Data integrity: The data integrity mechanism appends a short check value to the data which is created by a specific process from the data itself.
The receiver receives the data and the check value. The receiver then creates a new check value from the received data and compares the newly
created check value with the one received. If the two check values match, the integrity of data is being preserved.

3.Digital Signature: A digital signature is a way by which the sender can electronically sign the data and the receiver can electronically verify it.
The sender uses a process in which the sender owns a private key related to the public key that he or she has announced publicly.
The receiver uses the sender's public key to prove the message is indeed signed by the sender who claims to have sent the message.

4.Authentication exchange: A mechanism intended to ensure the identity of an entity by means of information exchange.
The two entities exchange some messages to prove their identity to each other. For example the three-way handshake in TCP.
5.Traffic padding: The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.

6.Routing control: Enables selection of particular physically secure routes for certain data and allows routing changes which means selecting and
continuously changing different available routes between the sender and the receiver to prevent the attacker from traffic analysis on a particular route.

7.Notarization: The use of a trusted third party to control the communication between the two parties. It prevents repudiation. The receiver involves a
trusted third party to store the request to prevent the sender from later denying that he or she has made such a request.

8.Access Control: A variety of mechanisms are used to enforce access rights to resources/data owned by a system, for example, PINS, and passwords.
Security Attack
 SECURITY SERVICES

X.800 defines a security service as a service that is provided by a protocol

layer of communicating open systems and that ensures adequate security
of the systems or of data transfers
X.800 divides these services into five categories and fourteen specific
services (Table 1.2).