04
/18
/20
23 Vam
see K
rishna K
iran, S
yste
m S
ecu
irty C
ourse
, CSE
, Am
rita
2Objectives
1. To understand the basic definition of system security
2. Principle of easiest penetration
3. Goals of system security
4. Terminology based on RFC 2828
5. Security threats
6. Types of vulnerabilities
04
/18
/20
23 Vam
see K
rishna K
iran, S
yste
m S
ecu
irty C
ourse
, CSE
, Am
rita
3Definition of system security
The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications) -- NIST 1995
04
/18
/20
23 Vam
see K
rishna K
iran, S
yste
m S
ecu
irty C
ourse
, CSE
, Am
rita
4Principle of easiest penetration
An intruder must be expected to use any available means of penetration. The penetration may not necessarily be by the most obvious, nor is it necessarily the one against which the most solid defense has been installed.
04
/18
/20
23 Vam
see K
rishna K
iran, S
yste
m S
ecu
irty C
ourse
, CSE
, Am
rita
5Three pillars of security (CIA Triad)
04
/18
/20
23 Vam
see K
rishna K
iran, S
yste
m S
ecu
irty C
ourse
, CSE
, Am
rita
6 Confidentiality
Data confidentiality: Assures that confidential information is not disclosed to unauthorized individuals
Privacy: Assures that individual control or influence what information may be collected and stored
Integrity Data integrity: assures that information and programs are changed
only in a specified and authorized manner
System integrity: Assures that a system performs its operations in unimpaired manner
Availability: assure that systems works promptly and service is not denied to authorized users
04
/18
/20
23 Vam
see K
rishna K
iran, S
yste
m S
ecu
irty C
ourse
, CSE
, Am
rita
7CIA + A + A = Complete Security
Authenticity: the property of being genuine and being able to be verified and trusted; confident in the validity of a transmission, or a message, or its originator
Accountability: generates the requirement for actions of an entity to be traced uniquely to that individual to support nonrepudiation, deference, fault isolation, etc.
04
/18
/20
23 Vam
see K
rishna K
iran, S
yste
m S
ecu
irty C
ourse
, CSE
, Am
rita
8Computer security terminology1. Adversary: An entity that attacks the system.
2. Attack: An assault on system security that derives from an intelligent threat; it is an intelligent act that is a deliberate attempt to evade security services and violate the security policies.
3. Countermeasure: An action, device, method, procedure or technique that reduces a threat, a vulnerability or an attack by eliminating or preventing it by reducing the harm it can cause.
4. Risk: An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability.
5. Security Policy: A set of rules and practices that specify how a system provides security services to protect the sensitive data and critical system resources.
04
/18
/20
23 Vam
see K
rishna K
iran, S
yste
m S
ecu
irty C
ourse
, CSE
, Am
rita
9Terminology contd…
1. System resource(asset): information system, system capability, services of system, hardware component, communication lines etc.
2. Threat: A potential for violation of security. A possible danger that might exploit a vulnerability.
3. Vulnerability: A flaw of weakness in a system’s design or implementation that could be exploited to violate the system’s security policy.
04
/18
/20
23 Vam
see K
rishna K
iran, S
yste
m S
ecu
irty C
ourse
, CSE
, Am
rita
10Security concepts and relationships
04
/18
/20
23 Vam
see K
rishna K
iran, S
yste
m S
ecu
irty C
ourse
, CSE
, Am
rita
11System Security threats
1. Interception: Unauthorized party has gained access to an asset.
2. Interruption: An asset of a system becomes lost, unavailable or unusable.
3. Modification: Not only gaining unauthorized access but also tampering the asset.
4. Fabrication: Unauthorized party may create a fabrication of counterfeit objects on a computing system.
04
/18
/20
23 Vam
see K
rishna K
iran, S
yste
m S
ecu
irty C
ourse
, CSE
, Am
rita
12Vulnerabilities
1. Hardware vulnerabilities
2. Software vulnerabilities
3. Data vulnerabilities
04
/18
/20
23 Vam
see K
rishna K
iran, S
yste
m S
ecu
irty C
ourse
, CSE
, Am
rita
13Hardware vulnerabilities Any physical damage that is intentional or unintentional.
Damaging the systems, system resources or any system related equipment.
Causes major threat to Availability.
04
/18
/20
23 Vam
see K
rishna K
iran, S
yste
m S
ecu
irty C
ourse
, CSE
, Am
rita
14Software vulnerabilities
Hard to detect compared to hardware vulnerabilities.
Software can be replaced, changed, deleted or destroyed maliciously or modified.
Malicious s/w will work as intended, doing some extra operations in the background.
1. Software deletion
2. Software modification Logic bomb
Trojan horse
Virus
Trapdoor
3. Software theft
04
/18
/20
23 Vam
see K
rishna K
iran, S
yste
m S
ecu
irty C
ourse
, CSE
, Am
rita
15Data vulnerabilities Principle of adequate protection: Computer items must be
protected only until they lose their value.
Applying security goals to data:
1. Data confidentiality – prevents unauthorized disclosure of data
2. Data integrity – prevents unauthorized modification
3. Data availability – prevents denial of authorized access