Computer Security and the CIA Triad
Explore the fundamental principles of Computer Security, including the CIA Triad - Confidentiality, Integrity, and Availability. Learn how these concepts safeguard information systems to preserve data confidentiality, integrity, and availability. Discover key security concepts and levels of impact in securing organizational operations and assets.
Uploaded on | 0 Views
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.
E N D
Presentation Transcript
Computer SECURITY Computer SECURITY CONFIDENTIALITY AND DATA INTEGRITY, CONFIDENTIALITY AND DATA INTEGRITY, AVAILABILITY AVAILABILITY 1
Computer Security Overview The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources Includes hardware, information/data and telecommunications. The NIST Computer Security Handbook defines the term Computer Security as: software, firmware,
The CIA Triad This definition introduces three key objectives that are at the heart of computer security: Confidentiality: This term covers two related concepts: Data confidentiality : 1 Assures that private or confidential information is not made available or disclosed to unauthorized individuals. Privacy : Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed. Integrity: This term covers two related concepts: Data integrity : Assures that information and programs are changed only in a specified and authorized manner. System integrity : Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system. Availability: Assures that systems work promptly and service is not denied to authorized users. 4
Key Security Concepts Confidentiality Integrity Availability preserving authorized restrictions on information access and disclosure. including means for protecting personal privacy and proprietary information guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity ensuring timely and reliable access to and use of information
Levels of Impact Low Moderate High The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals
Computer Security Terminology Computer Security Terminology Adversary (threat agent) An entity that attacks, or is a threat to, a system. Attack An assault on system security that derives from an intelligent threat; a deliberate attempt to evade security services and violate security policy of a system. Countermeasure An action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.
Computer Security Terminology Computer Security Terminology Risk An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result. Security Policy A set of rules and practices that specify how a system or org provides security services to protect sensitive and critical system resources. System Resource (Asset) Data; a service provided by a system; a system capability; an item of system equipment; a facility that houses system operations and equipment. 8
Computer Security Terminology Computer Security Terminology Threat A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. Vulnerability Flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy. 9
Security Concepts and Relationships Security Concepts and Relationships 10
Assets of a Computer System Assets of a Computer System Hardware Hardware Software Software Data Data Communication facilities and networks Communication facilities and networks
Assets of a Computer System Assets of a Computer System The assets of a computer system can be categorized as follows: Hardware: Including computer systems and other data processing, data storage, and data communications devices Software: Including the operating system, system utilities, and applications. Data: Including files and databases, as well as security-related data, such as password files. Communication facilities and networks: Local and wide area network communication links, bridges, routers, and so on. 12
Computer and Network Assets Computer and Network Assets Availability Equipment is stolen or disabled, thus denying service. Confidentiality Integrity An unencrypted CD- ROM or DVD is stolen. Hardware A working program is modified, either to cause it to fail during execution or to cause it to do some unintended task. Jamming Programs are deleted, denying access to users. An unauthorized copy of software is made. Software An unauthorized read of data is performed. An analysis of statistical data reveals underlying data. Existing files are modified or new files are fabricated. Files are deleted, denying access to users. Data Messages are destroyed or deleted. Communication lines or networks are rendered unavailable. Messages are modified, delayed, reordered, or duplicated. False messages are fabricated. Messages are read. The traffic pattern of messages is observed. Communication Lines and Networks 13
connection confidentiality Data Confidentiality Service connectionless confidentiality selective-field confidentiality traffic-flow confidentiality protection of transmitted data from passive attacks protects user data transmitted over a period of time 14
connectionless integrity service provides protection against message modification only Data Integrity Service connection-oriented integrity service assures that messages are received as sent no duplication, insertion modification, reordering, or replays can apply to a stream of messages, a single message, or selected fields within a message with and without recovery 15
a variety of attacks can result in the loss of or reduction in availability some of these attacks are amenable to authentication and encryption some attacks require a physical action to prevent or recover from loss of availability Availability Service depends on proper management and control of system resources a service that protects a system to ensure its availability being accessible and usable upon demand by an authorized system entity 16
Security Implementation Security Implementation Detection Prevention Complementary courses of action Recovery Response 17
Security Mechanism Security Mechanism Feature designed to Prevent attackers from violating security policy Detect attackers violation of security policy Response to mitigate attack Recover continue to function correctly even if attack succeeds No single mechanism that will support all services Authentication, authorization, availability, confidentiality, integrity, non-repudiation 18
