Security Page
Knowledge is Security!
What is then Security?
-
Security is the totality of mechanisms and techniques that protect system
assets [ISO 85]
- Security is used in a sense of minimizing the risk of exposure of assets
and resources to various vulnerabilities [ISO 86]
- Security is the protection of system elements from accidental or malicious access, use, modification, destruction, or disclosure [ISO7.30].
-
Security refers to a complex of procedural, logical and physical measures
aimed at prevention, detection and correction of certain kinds of accidents,
failures and misuse [ECMA 86]
-
Security refers to fault tolerance against deliberate interaction faults (intrusion) from internal or external sources [IEC65A 94:International Engineering Consortium].
- Security is the ability of the system to protect from unauthorised
attempts to access information or interfere with its operations [IEC65A WG8 - International Engineering Consortium]. It is concerned with Confidentiality, Integrity, Availability, and Accountability
- Security is a combination of methods, procedures, hardware, firmware and software used by a system to minimize the vulnerabilities of assets and resources [IISP - International Infrastructure Standards Panel]
- Security - Computer Security Definition
- Security - a Whatis definition: [Word list for Security]
- Security is also Privacy: the rights and responsibilities that govern the acquisition, disclosure, and use of personal information [HA].
- Privacy - a whatis definition
Basic Security Objectives
-
Availability: ensuring access to information
-
Confidentiality: keeping information secret only to those who are
authorised to see it.
-
Anonymity: concealing the identity of an entity involved in a process.
- Privacy: the rights and responsibilities that govern the acquisition, disclosure, and use of personal information.
-
Data Integrity: ensuring information has not been altered by unauthorised
means.
-
Time Integrity: ensuring that the indicated time of creation of
a peace of information is correct
-
Identification and Authentication: corroborating the identity of an entity(person, computer, process, etc.)
-
Message authentication: corroborating the source of information, includes integrity as subgoals.
-
Authorization:corroborating the process of establishing the scope/domain
of legal activities for active entities, once they have been identified
and authenticated.
-
Access control: restricting access to resources to authorised entities
-
Non-repudiation: preventing the denial of previous commitments or
actions.
-
Accountability: ensuring that entities can be accounted for their
actions.
-
Auditability: ensuring that the previous system states can later
be reconstructed.
Threats, risks and attacks
[Maurer 98]:
-
Accidental threats and risks:Catastrophes, power failure, noise
on communication channels, software and hardware bugs, user errors, etc.
-
Origin of malicious threats:
-
an intelligent attacker attacks the weakest point
-
hackers, crackers
-
criminals, criminal organizations (fraud, extortion)
-
disgruntled employees
-
industrial espionage
-
secre services, national intelligence services
-
Some types of attacks
- steal storage media and devices
- penetrate user account or obtain illegitimate privileges (false user authentication or circumvent OS protection)
- illegitimate access to data channel /e.g. network sniffing)
- insertion of false data (e.g. network spoofing)
- deletion of information
- denial of generation, transmission or receipt of information
- denial of service
- traffic analysis
- repaly attacks
- malicious software: viruses, Trojan horses, logic bombs
- "social engineering"
- ......
- The 4 Phases of managing IT risks
- Security policy: what need to be protected?
- Risk analysis: threats, damage potential, probabilities
- Risk reduction: avoid risks, security measures, damage limitation, recovery stategies, insurances
- Accept remaining risks (no system is absolutely secure).
Security measures and mechanisms
[Maurer 98]:
- technical
- Cryptography (transformation of information)
- operating system security
- physical at macro-level: buildings, secure areas, shielding against electromagnetic radiation
- physical at micro-level: tamper-resistant devices
- processor technology
- biometric technology
- organizational: e.g. security policy, classification of information
- people-related: screening, motivation, education, responsibilities
- legal: e.g. liability regulations, insurances
References
(also to come Security Literature List)
[ECMA 86] European Computer Manufacturers Association. Framework
for
Distributed Office Applications, ECMA TC32-TG5, Dec. 1986
[ISO 85] International Standards
Organization. Addendum to ISO 7498 on
Security Architecture, ISO/TC 97/SC 21/WG 16.1 (Ad Hoc group
on Security)
[ISO 86] International Standards
Organization. Use of Encipherment Techniques
in Communication Architectures. ISO/TC 97/SC 20/WG 3, N66,
September 1986
[ISO 87] International Standards
Organization. Information Processing Systems-
OSI RM. Part 2: Security Architecture. ISO/TC 97 DIS 7498-2,
June 1987
[Maurer 98] Ueli Maurer, Cryptography, Fundamentals and Applications,
Advanced
technology seminars, 1998
Useful Web Sites on Security
-
COAST:
Comprehensive set of links to sites related to cryptography and network
security.
-
IETF
Security Area
-
Computer
and Network Security Reference Index: Index to vendor and commercial
products.
-
The
Cryptography FAQ: FAQ covering all aspects of cryptography.
-
Tom
Dunigan's Security Page: Pointers to cryptography and network security
web sites.
-
IEEE
Technical Committee on Security and Privacy: Cryptography and network
security web sites.
E-Mail Security
-
PGP
Home Page: PGP Web site by Network Associates.
-
MIT
Distribution Site for PGP: Leading distributer of freeware PGP.
-
S/MIME
Charter: Latest RFCs and internet drafts for S/MIME.
-
S/MIME
Central: Latest RFCs and internet drafts for S/MIME.
IP Security
-
IPSEC
Charter: Latest RFCs and internet drafts for IPsec.
-
IPSEC
Working Group News: Working group documents.
-
IPSEC
Resources: List of companies implementing IPSec
Web Security
-
Netscape's
SSL Page: Contains the SSL specification.
-
TLS
Charter: Latest RFCs and internet drafts for TLS.
-
MasterCard
SET Site: Latest SET documents
-
Visa
Electronic Commerce Site: Similar information to that at the MasterCard
Site.
Intruders and Alerts
-
CERT Coordination
Center: Internet security threats, vulnerabilities, and attack statistics.
-
Anti-Virus
On Line: IBM's site on virus information.
General Security Pointers
-
Computer
Associates: Site Search Results
-
An
LDAP Roadmap & FAQ
-
MIT
distribution site for PGP
-
Pretty Good
Privacy, Inc. Home Page
-
Secured
Commercial Hosting Services
-
ECMA information
centre
-
ENTIRE
SECURITY SAF GATEWAY
-
Best
Practices in Packaged-Applications Security
-
rootshell.com
- official mirror site
-
Internet
Security for the Enterprise
-
Welcome
to Computer Associates
-
Microsoft
Security Advisor Program
-
Raptor
Systems, Inc - Corporate Pages
-
ISM
AccessMaster
-
SESAME
V3
-
Absolute
security, from your Internet access to the core of your Intranet
-
Entrust
-
Security,
Transactions,...and More.
-
Safeword
-
L0pht
Heavy Industries Security Advisories
-
Cryptography
Research Home PageCryptography Research
-
Security
and Hackerscene