Lecture 03
Uploaded by shaistaimtiaz077

Information Security

Lecture 3
Delivered By: Dr. Ahthasham Sajid
Dated: 9th September 2024
Agenda
• Types of Security
• Security Goals
• Security Terminologies
• Security Attack, Services and Mechanisms
• Security Attacks
• Active vs. Passive Attacks
• OSI Security Architecture X.800
• Model of Network Access Security
• Methods of Defense
• Risk
Types of Security
Security Goals
• Confidentiality
• Integrity
• Availability
Terminologies
Security Service
• Something that enhances the security of the data processing systems and the information transfers of an organization
• Intended to counter security attacks
• Makes use of one or more security mechanisms to provide the service
• Replicates functions normally associated with physical documents, e.g. documents that:
  • have signatures or dates
  • need protection from disclosure, tampering, or destruction
Security Mechanism
Security Attack
Note: the terms threat and attack are often used to mean the same thing.

Security Attacks
• Interruption: this is an attack on availability
• Interception: this is an attack on confidentiality
• Modification: this is an attack on integrity
• Fabrication: this is an attack on authenticity
Classify Security Attacks as
• Passive attacks - eavesdropping on, or monitoring of, transmissions to:
  • obtain message contents, or
  • monitor traffic flows
• Active attacks - modification of the data stream to:
  • masquerade of one entity as another
  • replay previous messages
  • modify messages in transit
  • cause denial of service
Passive Attacks: Release of Message Contents
Passive Attacks: Traffic Analysis
Active Attacks: Masquerade
Active Attacks: Replay
Active Attacks: Modification of Messages
Active Attacks: Denial of Service
OSI Security Architecture
• ITU-T X.800 Security Architecture for OSI
• Defines a systematic way of defining and providing security requirements
Security Services
• X.800 defines a security service as: a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers
• RFC 2828 defines it as: a processing or communication service provided by a system to give a specific kind of protection to system resources
Security Services (X.800)
• X.800 defines security services in 5 major categories:
  • Authentication - assurance that the communicating entity is the one claimed
  • Access Control - prevention of the unauthorized use of a resource
  • Data Confidentiality - protection of data from unauthorized disclosure
  • Data Integrity - assurance that data received is as sent by an authorized entity
  • Non-Repudiation - protection against denial by one of the parties in a communication
Security Services
• Confidentiality (privacy)
• Authentication (who created or sent the data)
• Integrity (has not been altered)
• Non-repudiation (the order is final)
• Access control (prevent misuse of resources)
• Availability (permanence, non-erasure); threatened by, for example:
  • Denial of Service attacks
  • a virus that deletes files
Security Mechanisms (X.800)
• Specific security mechanisms:
  • Encipherment: converting data into a form that is not readable
  • Digital signatures: to check authenticity and integrity of data
  • Access controls: enforcing access rights to resources
  • Data integrity
  • Authentication exchange
  • Traffic padding: insertion of bits to frustrate traffic analysis
  • Routing control: selection of secure routes
  • Notarization: use of a trusted third party for data exchange
Model for Network Security
• Using this model requires us to:
  1. design a suitable algorithm for the security transformation
  2. generate the secret information (keys) used by the algorithm
  3. develop methods to distribute and share the secret information
  4. specify a protocol enabling the principals to use the transformation and secret information for a security service
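As an added example (not part of the lecture slides), the Python code below walks through the four steps of the network security model with HMAC-SHA256 as the security transformation: an algorithm, a generated key, the key shared with the peer, and a protocol in which every message carries a sequence number and a tag. It also shows how the receiver detects the active attacks listed earlier (modification of messages, masquerade/fabrication, replay). The names SecureSender, SecureReceiver and make_tag, the wire format and the sample messages are all constructed for this illustration. The channel provides integrity and authentication only; confidentiality against interception would need encryption as a second transformation.

```python
"""Authenticated message channel illustrating the four steps of the
network security model (added example, not from the lecture):
  1. transformation: HMAC-SHA256 over (sequence number || payload)
  2. secret information: a random 256-bit key
  3. distribution: both principals are given the same key (simulated here;
     a real system would use a key-agreement protocol or an out-of-band channel)
  4. protocol: frame = 8-byte sequence || 32-byte tag || payload
"""
import hashlib
import hmac
import secrets
import struct

SEQ_LEN, TAG_LEN = 8, 32


def generate_key():
    # Step 2: the secret used by the transformation.
    return secrets.token_bytes(32)


def make_tag(key, seq, payload):
    # Step 1: the sequence number is bound into the tag, so a replayed or
    # reordered frame cannot simply reuse a tag computed for another position.
    return hmac.new(key, struct.pack(">Q", seq) + payload, hashlib.sha256).digest()


class SecureSender:
    def __init__(self, key):
        self.key, self.seq = key, 0

    def send(self, payload):
        # Step 4: build the frame and advance the sequence counter.
        frame = struct.pack(">Q", self.seq) + make_tag(self.key, self.seq, payload) + payload
        self.seq += 1
        return frame


class SecureReceiver:
    def __init__(self, key):
        self.key, self.expected_seq = key, 0

    def receive(self, frame):
        """Return (accepted, reason, payload); strict in-order delivery."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return False, "truncated frame", None
        seq = struct.unpack(">Q", frame[:SEQ_LEN])[0]
        tag, payload = frame[SEQ_LEN:SEQ_LEN + TAG_LEN], frame[SEQ_LEN + TAG_LEN:]
        # Check the tag first, with a constant-time comparison: a modified or
        # fabricated frame fails here regardless of its sequence number.
        if not hmac.compare_digest(tag, make_tag(self.key, seq, payload)):
            return False, "bad tag (modified or fabricated)", None
        if seq < self.expected_seq:
            return False, "replay (old sequence number)", None
        if seq > self.expected_seq:
            return False, "gap (message lost or reordered)", None
        self.expected_seq = seq + 1
        return True, "ok", payload


def demo():
    """Genuine delivery plus the three active attacks; returns accept/reject per case."""
    key = generate_key()                 # step 2
    sender = SecureSender(key)           # step 3: both principals hold the key
    receiver = SecureReceiver(key)
    results = {}
    frame = sender.send(b"transfer 100 to alice")        # constructed message
    results["genuine"] = receiver.receive(frame)[0]
    results["replay"] = receiver.receive(frame)[0]        # same frame sent again
    frame2 = sender.send(b"transfer 100 to alice")
    tampered = frame2[:SEQ_LEN + TAG_LEN] + b"transfer 900 to alice"  # payload altered in transit
    results["modified"] = receiver.receive(tampered)[0]
    forged = SecureSender(generate_key()).send(b"hello")  # sender without the shared key
    results["forged"] = receiver.receive(forged)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

Only the genuine frame is accepted; the replay, the altered payload and the frame from a party without the key are all rejected, each with a reason the receiver can log. The strict "gap" rule also rejects out-of-order frames, which is appropriate for a single ordered channel but would need a replay window for protocols that tolerate reordering.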
Model for Network Access Security
• Using this model requires us to:
  1. select appropriate gatekeeper functions to identify users
  2. implement security controls to ensure only authorised users access designated information or resources
• Trusted computer systems can be used to implement this model
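The two steps of the network access security model, as an added example that is not part of the lecture: a gatekeeper function that identifies users (password login against salted PBKDF2 hashes, using only the Python standard library) followed by a deny-by-default access control list that decides which authenticated user may perform which action on which resource. The names Gatekeeper, AccessControl and request, the users, resource and policy are constructed for this illustration; the iteration count is an assumption, chosen to be in the range of current guidance for PBKDF2-HMAC-SHA256.

```python
"""Gatekeeper (identify users) then access control (authorise use of a resource).
Added example, not from the lecture; all names and policy entries are constructed."""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000   # assumption: in the range of current PBKDF2-HMAC-SHA256 guidance


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is generated on enrolment."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class Gatekeeper:
    """Step 1: identify users. Stores salt + hash only, never the password."""

    def __init__(self):
        self._users = {}

    def enrol(self, username, password):
        self._users[username] = hash_password(password)

    def login(self, username, password):
        """Return the username as an authenticated principal, or None."""
        record = self._users.get(username)
        if record is None:
            hash_password(password)   # same cost for unknown users, so timing does not reveal them
            return None
        salt, stored = record
        _, candidate = hash_password(password, salt)
        return username if hmac.compare_digest(candidate, stored) else None


class AccessControl:
    """Step 2: security control; anything not explicitly granted is denied."""

    def __init__(self):
        self._acl = {}   # resource -> {principal: set of permitted actions}

    def grant(self, resource, principal, *actions):
        self._acl.setdefault(resource, {}).setdefault(principal, set()).update(actions)

    def is_allowed(self, principal, action, resource):
        if principal is None:   # an unauthenticated request never passes the control
            return False
        return action in self._acl.get(resource, {}).get(principal, set())


def request(gate, acl, username, password, action, resource):
    """Complete flow: the gatekeeper runs first, then the access control check."""
    principal = gate.login(username, password)
    if principal is None:
        return "denied: authentication failed"
    if not acl.is_allowed(principal, action, resource):
        return "denied: not authorised"
    return "ok: %s may %s %s" % (principal, action, resource)


def build_demo():
    """Constructed users and policy: alice may read and write, bob may only read."""
    gate = Gatekeeper()
    gate.enrol("alice", "correct horse battery staple")
    gate.enrol("bob", "hunter2")
    acl = AccessControl()
    acl.grant("payroll.db", "alice", "read", "write")
    acl.grant("payroll.db", "bob", "read")
    return gate, acl


if __name__ == "__main__":
    gate, acl = build_demo()
    for args in (("alice", "correct horse battery staple", "write", "payroll.db"),
                 ("bob", "hunter2", "write", "payroll.db"),
                 ("bob", "wrong password", "read", "payroll.db")):
        print(request(gate, acl, *args))
```

Separating the two steps matters: the gatekeeper answers only "who is this?", and the access control answers only "may this principal do that?". A failed login and a failed authorisation are reported differently so that an operator can tell credential attacks from privilege problems in the logs.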
Methods of Defense
• Encryption
• Software Controls (e.g. access limitations in a database; an operating system protecting each user from other users)
• Hardware Controls (e.g. smartcards)
• Policies (e.g. frequent changes of passwords)
• Physical Controls