By computer security we mean the protection applied to an information system with the aim of achieving the CIA triad: confidentiality, integrity and availability of its resources (hardware, software, firmware, data and communications).
Confidentiality: the objective of preserving authorised restrictions on access to and disclosure of information. Confidential information is not made visible to unauthorised individuals; in its privacy sense, confidentiality also means that each individual controls what information about them is collected and to whom it is made available.
Data integrity: protects against improper modification or destruction of information, and includes ensuring authenticity and non-repudiation. Data integrity means that information and programs are changed only in a specified and authorised manner; system integrity means that a system performs its intended function unimpaired, free from deliberate or inadvertent unauthorised manipulation.
Availability: timely and reliable access to and use of information; service to authorised users is not interrupted or denied.
Authenticity: information must be genuine and verifiable, i.e. a message really comes from the source it claims to come from, and users are who they say they are.
Auditability (accountability): every action of an entity in a system can be traced uniquely to that entity; the audit trail that records the information needed for this must itself be kept reliable and tamper-proof.
Non-repudiation: provides protection against a user falsely denying an action they actually performed.
Let us now discuss the challenges of IT security:
Security requirements appear simple to state, but the mechanisms needed to meet them are often complex and subtle.
One must always consider the potential attacks on a mechanism, and successful attacks are often found by looking at the problem in an unexpected way, so the procedures for uncovering them are counterintuitive.
Security mechanisms often involve more than one algorithm or protocol, plus secret information (keys) that must be generated, distributed and protected.
The attacker only needs to find one flaw in the system, while the designer has the task of covering them all.
Security requires regular, even constant, monitoring; it is a process, not a one-off installation.
Users and system managers often fail to notice the benefits of security until a failure occurs, and see it as something irrelevant or as an obstacle to their work.
OSI security architecture (Open Systems Interconnection, ITU-T recommendation X.800).
A security attack is any action that compromises the security of information owned by an organisation. Passive attacks (eavesdropping, traffic analysis) only observe the data stream; active attacks involve some modification of the data stream or the creation of a false stream. The most common active attacks are:
- Spoofing (masquerade): attacks authenticity; one entity pretends to be another.
- Tampering (modification): attacks integrity; part of a legitimate message is altered, delayed or reordered.
- Replay/reflection: attacks authenticity; a captured message is retransmitted to produce an unauthorised effect.
- Denial of service (DoS): attacks availability; prevents or inhibits the normal use of a resource.
A security mechanism is a process (or a device incorporating such a process) designed to detect, prevent, or recover from a security attack, the most common of which are:
- Encryption
- Digital signature
- Access control
- Data integrity verification
- Authentication exchange
- Traffic padding
- Routing control
- Notarisation
A security service is a communication or processing service provided by a system (in X.800, by a protocol layer) to give a specific type of protection to system resources; services enforce a security policy and are implemented by one or more security mechanisms. Examples include:
- Peer entity authentication: provides confirmation of the identity of a peer entity at connection establishment or during data transfer.
- Authorisation (access control): verification that the requesting entity holds the permissions required for a resource or system, which presupposes that the entity has first been authenticated.
The design of a security system is done on the basis of the following principles:
- Economy of mechanism**: the design of security measures should be as simple as possible.
- Fail-safe defaults: base access decisions on explicit permission rather than exclusion; the default situation is lack of access, and the protection scheme identifies the conditions under which access is permitted.
- Complete mediation**: every access must be verified by access control.
- Open design: the design of a security mechanism should be open rather than secret; encryption keys must be secret, but the algorithms must be public and able to withstand expert review (Kerckhoffs's principle).
- Privilege separation: multiple privilege attributes are required to access a restricted resource.
- Least privilege: each process must operate with the lowest possible number of permissions.
- Least common mechanism: the design must minimise the functions used by multiple users.
- Psychological acceptability: mechanisms must not interfere with users' work.
- Isolation: applies to public access systems, which must be isolated from critical resources; to individual user processes and files, which must be isolated from each other; and to the security mechanisms themselves, which must be isolated so that they cannot be accessed or tampered with.
- Modularity: division of functions into modules.
- Layering: use of multiple protection approaches.
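As an added example (not code from the original notes), the following shows fail-safe defaults, complete mediation and separation of privilege in a minimal access-control check. The users, resources and required attributes are made up for illustration. The first decision function is exclusion-based and therefore lets through any user nobody thought to block; the second grants nothing unless explicitly permitted, and additionally requires a second privilege attribute for a restricted resource.

```python
# Added example, not from the original notes: contrasting an exclusion-based
# access decision (violates fail-safe defaults) with a permission-based one that
# also applies separation of privilege, wrapped in a guard that mediates every
# access. All user names, resources and attributes are hypothetical.

from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    action: str                          # e.g. "read", "write"
    resource: str
    attributes: frozenset = frozenset()  # e.g. {"mfa"}: privileges the caller presents


# --- Exclusion-based policy: block known-bad users, allow everyone else -------
BLOCKED_USERS = {"mallory"}


def decide_exclusion(req: Request) -> bool:
    """Violates fail-safe defaults: a user who was never added to the block
    list (a new account, a typo in the list) is silently allowed."""
    return req.user not in BLOCKED_USERS


# --- Permission-based policy: explicit grants, everything else denied ----------
GRANTS = {
    ("alice", "read", "payroll"),
    ("alice", "write", "payroll"),
    ("bob", "read", "payroll"),
}

# Separation of privilege: a restricted resource needs an extra privilege
# attribute in addition to the grant itself.
RESTRICTED = {"payroll": {"mfa"}}


def decide_permission(req: Request) -> bool:
    if (req.user, req.action, req.resource) not in GRANTS:
        return False                         # default is lack of access
    required = RESTRICTED.get(req.resource, set())
    return required <= req.attributes        # every required attribute present


class Guard:
    """Complete mediation: every access goes through access(), and every
    decision, granted or denied, is recorded for auditability."""

    def __init__(self, decide):
        self.decide = decide
        self.audit = []

    def access(self, req: Request) -> bool:
        ok = self.decide(req)
        self.audit.append((req.user, req.action, req.resource, ok))
        return ok
```

Run against the same requests, the exclusion-based policy allows the unknown user "eve" to write payroll data, while the permission-based one denies her, denies "bob" a write he was never granted, and denies "alice" a write she is granted but attempts without the required second attribute.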
We conclude this first part with the basic model for network security: two principals exchange messages over an information channel, and an opponent may read, insert or alter messages on that channel.
All the security techniques in this model have two components: a security-related transformation of the information to be sent (encryption, or an appended code that lets the receiver verify the sender), and some secret information shared by the two principals and unknown to the opponent. Designing such a service therefore means:
- Designing an algorithm for the security-related transformation, such that an opponent cannot defeat its purpose.
- Generating the secret information to be used with the algorithm.
- Developing methods for distributing and sharing the secret.
- Specifying a protocol that the two principals use, with the algorithm and the secret, to obtain the security service.
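The four tasks of the model, and the detection of the spoofing, tampering and replay attacks listed earlier, are demonstrated below in an added example that is not part of the original notes. It uses only the Python standard library: the transformation is an HMAC-SHA256 tag over a sequence number and the message, the secret is a random 256-bit key, distribution is assumed to happen out of band (both principals are simply handed the same key), and the protocol is the sequence-number check at the receiver. The principals' names and the sample messages are made up.

```python
# Added example, not from the original notes: the basic network security model
# with standard-library primitives. Provides integrity, authenticity and replay
# protection; it does NOT provide confidentiality (no encryption), which would
# be a separate transformation. Names and messages are hypothetical.

import hashlib
import hmac
import secrets
import struct


def generate_secret() -> bytes:
    """Task 2: generate the secret information (a 256-bit random key)."""
    return secrets.token_bytes(32)


def tag(key: bytes, seq: int, msg: bytes) -> bytes:
    """Task 1: the security-related transformation. The sequence number is
    bound into the tag, so neither it nor the message can be altered."""
    return hmac.new(key, struct.pack(">Q", seq) + msg, hashlib.sha256).digest()


class Sender:
    def __init__(self, key: bytes):
        self.key, self.seq = key, 0

    def send(self, msg: bytes) -> tuple:
        self.seq += 1
        return (self.seq, msg, tag(self.key, self.seq, msg))


class Receiver:
    def __init__(self, key: bytes):
        self.key, self.last_seq = key, 0

    def receive(self, packet: tuple) -> str:
        """Task 4: the protocol. Returns 'ok' or the reason for rejection."""
        seq, msg, t = packet
        # Verify the tag before touching any state, using a constant-time
        # comparison so timing differences cannot help an attacker forge tags.
        if not hmac.compare_digest(t, tag(self.key, seq, msg)):
            return "rejected: bad tag (spoofed or tampered)"
        # Strictly increasing sequence numbers: a resent packet is a replay.
        if seq <= self.last_seq:
            return "rejected: replay"
        self.last_seq = seq
        return "ok"


def demo() -> list:
    key = generate_secret()              # Task 3: distribution assumed out of band
    alice, bob = Sender(key), Receiver(key)
    results = []
    p1 = alice.send(b"transfer 100 to acct 42")
    results.append(bob.receive(p1))                                  # genuine
    # Tampering: the amount is changed but the tag cannot be recomputed.
    seq, msg, t = p1
    results.append(bob.receive((seq, b"transfer 900 to acct 42", t)))
    # Replay: the genuine packet is resent unchanged.
    results.append(bob.receive(p1))
    # Spoofing: a sender who does not hold the shared secret.
    results.append(bob.receive(Sender(generate_secret()).send(b"transfer 100 to acct 99")))
    results.append(bob.receive(alice.send(b"transfer 5 to acct 7")))  # genuine
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The order of the checks matters: the tag is verified first so that a forged packet can never advance the receiver's sequence counter, and the strictly increasing counter means a legitimate packet that arrives out of order is also rejected, which is the usual trade-off in the simplest anti-replay scheme (a sliding window relaxes it).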