Introduction (Pendahuluan) Information Security
Information Security – Why?
• Information is a strategic resource
• Information security requirements have changed in recent decades
• Traditionally provided by physical & administrative mechanisms
• Use of computers requires automated tools to protect files and other stored information
• Use of networks and communication links requires measures to protect data during transmission
Definition
• Computer Security: generic name for the collection of tools designed to protect data and to thwart hackers
• Network Security: measures to protect data during their transmission
• Internet Security: measures to protect data during their transmission over a collection of interconnected networks
3 aspects of information security:
• Security Attacks
• Security Services
• Security Mechanisms
Security Attacks
• Definition: any action that compromises the security of information owned by an organization
• Threat and attack are often used to mean the same thing
• Threat: a potential for violation of security
• Attack: an assault on system security that derives from an intelligent threat
Classification of security attacks
• Passive Attacks: attempt to learn or make use of information from the system but do not affect system resources
• Active Attacks: attempt to alter system resources or affect their operation
Security Threats
• Threats can come from a range of sources
• Various surveys give results of roughly this order:
• 55% human error
• 10% disgruntled employees
• 10% dishonest employees
• 10% outsider access
• Also "acts of god" (fire, flood, etc.)
• Note that in the end, it always comes back to PEOPLE
• Technology can only assist so much; always be concerned about the role of people in the threat equation: who, and why
Passive Attacks
• Involve only monitoring (interception) of information, leading to loss of confidentiality
• Or traffic analysis (monitoring the exchange of information without knowing its precise contents)
• Hard to detect
Release of message contents: attacks confidentiality
• Eavesdropping
• Learn the content of transmitted messages
Traffic Analysis: attacks confidentiality, or anonymity
• Monitoring the pattern of transmitted messages
• Includes: the source & destination, frequency, and length of messages
• Determine the location and identity of communicating hosts
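To make the traffic-analysis slide concrete, here is an added example (not part of the original lecture material) that takes a constructed set of observations an eavesdropper could collect from an encrypted link, with no payload contents at all, and shows what the pattern alone reveals per flow: packet count, mean ciphertext length and send rate. It also shows one common mitigation for the length signal, padding ciphertexts to a fixed block size, and makes clear that padding leaves count and timing untouched. The addresses, timestamps and sizes are constructed sample values.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample of what a passive observer sees on an encrypted link:
# endpoints, timestamps and ciphertext sizes only. No payload is included.
OBSERVED = [
    {"t": 0.0, "src": "10.0.0.5", "dst": "10.0.0.9", "len": 48},
    {"t": 0.2, "src": "10.0.0.7", "dst": "10.0.0.9", "len": 300},
    {"t": 0.5, "src": "10.0.0.9", "dst": "10.0.0.5", "len": 1200},
    {"t": 1.0, "src": "10.0.0.5", "dst": "10.0.0.9", "len": 48},
    {"t": 2.0, "src": "10.0.0.5", "dst": "10.0.0.9", "len": 48},
    {"t": 2.5, "src": "10.0.0.9", "dst": "10.0.0.5", "len": 1180},
    {"t": 3.0, "src": "10.0.0.5", "dst": "10.0.0.9", "len": 48},
]


def flow_summary(records):
    """Group packets by (src, dst) and report what pattern analysis alone yields:
    packet count, mean ciphertext length and average send rate per flow."""
    flows = defaultdict(list)
    for r in records:
        flows[(r["src"], r["dst"])].append(r)
    summary = {}
    for key, pkts in flows.items():
        times = [p["t"] for p in pkts]
        span = max(times) - min(times)
        summary[key] = {
            "count": len(pkts),
            "mean_len": mean([p["len"] for p in pkts]),
            # A single packet has no time span; report its count as the rate.
            "rate_per_s": len(pkts) / span if span > 0 else float(len(pkts)),
        }
    return summary


def pad_to_block(records, block=256):
    """Mitigation for the length signal: round every ciphertext size up to a
    multiple of `block` bytes. Counts and timing are deliberately left alone,
    because padding does not hide them."""
    return [dict(r, len=-(-r["len"] // block) * block) for r in records]


if __name__ == "__main__":
    for flow, stats in flow_summary(OBSERVED).items():
        print(flow, stats)
    for flow, stats in flow_summary(pad_to_block(OBSERVED)).items():
        print("padded", flow, stats)
```

Running it shows the regular 48-byte packets every second from 10.0.0.5 standing out as a distinct pattern even though nothing about their content is visible; after padding, all of that flow's packets are 256 bytes, but its count and one-per-second rate are unchanged, which is why traffic analysis is listed as hard to fully prevent by encryption alone.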
Active Attacks
• Involve some modification of the data stream or the creation of a false stream
• Hard to prevent
Types of active attacks:
• Masquerade: pretends to be a different entity
• Replay: passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect
• Modification of messages: alters some portion of a legitimate message
• Denial of service: prevents or inhibits the normal use or management of communications facilities
Security Services
• Enhance security of data processing systems and information transfers of an organization
• Intended to counter security attacks using one or more security mechanisms
• Security services implement security policies
• Often replicate functions normally associated with physical documents, which:
• have signatures, dates
• need protection from disclosure, tampering, or destruction
• may be notarized or witnessed
• may be recorded or licensed
One useful classification of security services:
• Authentication: protect info origin (sender)
• Access control: control access to info/resources
• Data Confidentiality: protect info content/access
• Data Integrity: protect info accuracy
• Non-repudiation: protect from deniability
• Availability: ensure a system (info) is available to authorized entities when needed
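The following is an added example (not from the lecture) tying the active-attack types above to the authentication and data-integrity services that counter them. A sender attaches an HMAC tag over the sender name, a per-sender sequence number and the body; the receiver recomputes the tag and tracks the highest sequence number accepted from each sender. A modified body or a message forged without the key fails the tag check (integrity and origin authentication), and a captured genuine message sent again is rejected by the sequence check (replay). The shared key, sender names and message bodies are constructed demo values; real systems provision keys out of band and persist the sequence state.

```python
import hashlib
import hmac
import json

# Constructed shared secret for the demo; a real deployment provisions keys out of band.
SHARED_KEY = b"demo-shared-key-constructed-for-this-example"


def _tag(key: bytes, sender: str, seq: int, body: str) -> str:
    # The MAC covers sender, sequence number and body together, so altering any
    # field without the key invalidates the tag.
    material = json.dumps({"sender": sender, "seq": seq, "body": body},
                          sort_keys=True).encode()
    return hmac.new(key, material, hashlib.sha256).hexdigest()


def protect(key: bytes, sender: str, seq: int, body: str) -> dict:
    """Sender side: attach a per-sender sequence number and an HMAC tag."""
    return {"sender": sender, "seq": seq, "body": body,
            "tag": _tag(key, sender, seq, body)}


def verify(key: bytes, msg: dict, last_seq: dict) -> str:
    """Receiver side. last_seq maps sender -> highest sequence number accepted.
    Returns 'accepted' or a rejection reason."""
    expected = _tag(key, msg["sender"], msg["seq"], msg["body"])
    # compare_digest avoids leaking tag bytes through timing differences.
    if not hmac.compare_digest(expected, msg["tag"]):
        # Covers both a modified body and a masquerade (sender field asserted
        # by someone who does not hold the key).
        return "rejected: bad tag"
    if msg["seq"] <= last_seq.get(msg["sender"], -1):
        return "rejected: replay"
    last_seq[msg["sender"]] = msg["seq"]
    return "accepted"


def run_scenarios() -> list:
    """Play the slide's cases against one receiver state: a genuine message,
    the same message replayed, a modified copy, and a forged message."""
    state = {}
    results = []
    genuine = protect(SHARED_KEY, "alice", 1, "transfer 10 to bob")
    results.append(verify(SHARED_KEY, genuine, state))       # accepted
    results.append(verify(SHARED_KEY, genuine, state))       # replay
    modified = dict(genuine, body="transfer 1000 to bob")
    results.append(verify(SHARED_KEY, modified, state))      # bad tag (modification)
    forged = protect(b"wrong-key", "alice", 2, "transfer 5 to eve")
    results.append(verify(SHARED_KEY, forged, state))        # bad tag (masquerade)
    return results


if __name__ == "__main__":
    for r in run_scenarios():
        print(r)
```

Note what this does not give: the body is sent in the clear, so confidentiality needs encryption on top, and because both parties hold the same key, a symmetric MAC cannot provide non-repudiation (either party could have produced the tag); that service needs a digital signature, which is why the slides list it separately.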
Security Mechanisms
• Features designed to detect, prevent, or recover from a security attack
• Personnel: Access Tokens, Biometrics
• Physical: Integrated Access Control
• Managerial: Security Education
• Data Networking: Encryption, Config. Control
• S/W & O/S: Testing, Evaluation, Trusted O/S
Facts: security mechanisms
• No single mechanism can provide all the security services wanted
• But encryption or encryption-like information transformation (and hence cryptography) is a key enabling technology