CH01
CH01
Principles and
Practice
Fourth Edition, Global Edition
5. Security mechanisms typically involve more than a particular algorithm or protocol and also
require that participants be in possession of some secret information which raises questions about
the creation, distribution, and protection of that secret information
6. Attackers only need to find a single weakness, while the designer must find and eliminate
all weaknesses to achieve perfect security
7. Security is still too often an afterthought to be incorporated into a system after the design
is complete, rather than being an integral part of the design process
9. There is a natural tendency on the part of users and system managers to perceive little
benefit from security investment until a security failure occurs
10. Many users and even security administrators view strong security as an impediment to
efficient and user-friendly operation of an information system or use of information
Table 1.1
Computer Security Terminology, from RFC 2828, Internet Security Glossary, May 2000
Attack
Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.
Countermeasure
A device or techniques that has as its objective the impairment of the operational effectiveness of undesirable or adversarial activity, or the
prevention of espionage, sabotage, theft, or unauthorized access to or use of sensitive information or information systems.
Risk
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of 1) the adverse impacts
that would arise if the circumstance or event occurs; and 2) the likelihood of occurrence.
Security Policy
A set of criteria for the provision of security services. It defines and constrains the activities of a data processing facility in order to maintain a
condition of security for systems and data.
Threat
Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation),
organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure,
modification of information, and/or denial of service.
Vulnerability
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a
threat source.
Software
Data
• Threats
• Capable of exploiting vulnerabilities
• Represent potential security harm to an asset
Residual
vulnerabilitie
s may remain
Threat
Consequences,
and the
Types of
Threat Actions
That Cause
Each
Consequence
Based on
RFC 4949
• Two types:
o Release of message contents
o Traffic analysis
Standards
• Standards have been developed to cover
management practices and the overall architecture of
security mechanisms and services
• The most important of these organizations are:
o National Institute of Standards and Technology (NIST)
• NIST is a U.S. federal agency that deals with measurement
science, standards, and technology related to U.S. government
use and to the promotion of U.S. private sector innovation
o Internet Society (ISOC)
• ISOC is a professional membership society that provides
leadership in addressing issues that confront the future of the
Internet, and is the organization home for the groups
responsible for Internet infrastructure standards
o International Telecommunication Union (ITU-T)
• ITU is a United Nations agency in which governments and the
private sector coordinate global telecom networks and services
o International Organization for Standardization (ISO)
• ISO is a nongovernmental organization whose work results in
international agreements that are published as International