
Information Security Services

Information security services are the base-level services used to combat attacks. Security services are the basic building-block concepts of security, and the services discussed here should not be confused with security mechanisms. The specifics of how information security is applied depend on a proper risk assessment. To understand the basic requirements for security, you must understand how security services can be used to counter specific types of attacks.

Confidentiality
The Confidentiality service handles the secrecy of information: it allows only authorized users to have access to information. Proper performance of the Confidentiality service relies on the Accountability service. The Confidentiality service takes into account that information may reside in physical form in paper files or in electronic files.

Confidentiality of Files I
There are different ways to provide for confidentiality of files; which one applies depends on the form in which the file exists.

For paper files, the physical paper itself must be protected: kept in a particular location or a restricted room, in a safe or under lock and key, covered by patrols and security guards, and so on.

Paper-based confidentiality services rely on physical access controls.

Confidentiality of Files II
Electronic files have different characteristics: a file may exist in several locations at the same time, for example on hard disks, floppy disks, Zip disks, CD-ROM, tapes, etc.

Physical access may not be necessary, unless access to a hard copy is required, in which case confidentiality requires physical access controls.

Confidentiality of Files III


Access to electronic files relies on some type of computer access control: encryption, password-enabled files, etc.

Computer access control relies on proper identification and authentication (accountability); it also relies on proper system configuration.

Security Services Vs Attacks

Attack              Confidentiality   Integrity   Availability   Accountability
Access                     X                                            X
Modification                               X                            X
Denial of Service                                        X
Repudiation                                X                            X

Confidentiality of Information in Transmission


Protecting only the information stored in files is not sufficient: data can also be attacked while in transmission. Information in transit can be protected on a need basis or for all traffic on a network. Encryption alone can prevent eavesdropping; encryption alone cannot completely prevent interception.

Information in Transmission
To protect information from being intercepted, proper identification and authentication must be used, so that the remote end point can be identified.

Traffic Flow Confidentiality I

Traffic flow confidentiality is concerned with the fact that some form of traffic is occurring between two end points, not with the actual information being stored or transmitted. The amount of traffic flowing between two end points may itself reveal specific information. An example: many news organizations watch pizza deliveries to the White House and the Pentagon, on the idea that an increase in the number of pizzas may indicate that a crisis is occurring. The term used for this type of work is traffic and pattern analysis.

Traffic Flow Confidentiality II

Traffic flow can also be used for obscuring the information flow between two end points. The military may set up two communication sites and then send a constant flow of traffic regardless of the number of messages that are actually sent; the rest is garbage.
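As an added illustration of the constant-flow technique just described (example code written for this page, not taken from the slides): a sender that emits one fixed-size frame per tick whether or not it has anything to say, filling idle slots with random garbage, so that a watcher of the link counts the same frames and bytes either way. Schedule, Observe and Receive are hypothetical names; the frame size and the sample message are constructed.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"strings"
)

const FrameSize = 64 // every frame on the link is exactly this many bytes

// Frame is one link transmission; Len would live inside the encrypted payload on a real link.
type Frame struct {
	Payload [FrameSize]byte
	Len     int // message bytes in Payload; 0 means the frame is garbage
}

// Schedule emits exactly one frame per tick: queued message bytes are chunked
// into frames and every remaining slot is filled with random garbage, so the
// link looks the same whether or not anything is being said.
func Schedule(messages []string, ticks int) []Frame {
	queue := []byte(strings.Join(messages, ""))
	frames := make([]Frame, ticks)
	for i := range frames {
		if len(queue) == 0 {
			rand.Read(frames[i].Payload[:]) // filler, indistinguishable from ciphertext
			continue
		}
		frames[i].Len = copy(frames[i].Payload[:], queue)
		queue = queue[frames[i].Len:]
	}
	return frames
}

// Observe is all a passive watcher can count; it never depends on the messages.
func Observe(frames []Frame) (count, bytes int) { return len(frames), len(frames) * FrameSize }

// Receive is the far end: it drops the garbage and reassembles the text.
func Receive(frames []Frame) string {
	var out []byte
	for _, f := range frames {
		out = append(out, f.Payload[:f.Len]...)
	}
	return string(out)
}

func main() {
	busy := Schedule([]string{"situation report: all quiet"}, 8) // constructed sample
	fmt.Println(Observe(busy))
	fmt.Printf("receiver reads %q\n", Receive(busy))
}
```

A message longer than ticks*FrameSize is cut off here; a real sender would carry the remainder into later ticks rather than ever sending a larger or extra frame.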

Attacks that Can be Prevented


Confidentiality can prevent access attacks. However, confidentiality alone cannot completely solve the problem: it must work with the accountability service to establish the identity of the individual who is attempting to access the information. When the two are combined, the confidentiality and accountability services reduce the risk of unauthorized access.

Integrity

The integrity service provides for the correctness of information. When properly used, integrity allows users to have confidence that the information is correct and has not been modified by an unauthorized individual. The integrity service protects against modification attacks. Information protected by the integrity service may exist in both physical and electronic form.

Integrity of Files
Paper files are generally easier to protect for integrity than electronic files, since paper-based files are much harder to modify, delete, copy or replace. Electronic files require stringent access control mechanisms for proper protection. Access controls work well if the files reside on a single computer or on a network.

Integrity of Information During Transmission


It is important to understand that information can be modified during transmission, although it is extremely difficult to modify traffic without performing an intercept attack. Encryption technologies can prevent most forms of modification attacks, and strong identification and authentication aid in preventing intercept attacks.

Attacks that Can be Prevented I


Integrity services can prevent successful modification and repudiation attacks. Modification attacks cannot succeed if the integrity service is functioning properly, since unauthorized changes will be detected immediately. When coupled with a good identification and authentication service, even changes to files outside of the organization can be detected.

Attacks that Can be Prevented II


Repudiation attacks cannot be prevented without both a good integrity service and good identification and authentication services. One mechanism for detecting repudiation attacks is the digital signature: a method of using encryption to authenticate electronic information.
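The digital signature mechanism, as an added example that is not part of the original slides: Ed25519 signatures from Go's standard library, with a hypothetical Directory standing in for the I&A binding between an authenticated name and its public key. It shows why both services are needed: a modified record, a signature made with some other key, and a signature from an identity nobody has enrolled are all rejected, and the sample record is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Directory is the I&A binding: which authenticated name owns which public key.
type Directory map[string]ed25519.PublicKey

// Signer holds the private half of a key pair; nobody else can produce its signatures.
type Signer struct {
	Name string
	priv ed25519.PrivateKey
}

// NewSigner generates a key pair and registers its public half under name (hypothetical enrolment helper).
func NewSigner(name string, dir Directory) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	dir[name] = pub
	return &Signer{Name: name, priv: priv}, nil
}

// Sign produces the digital signature over data.
func (s *Signer) Sign(data []byte) []byte { return ed25519.Sign(s.priv, data) }

// Verify fails if data was modified (integrity), if sig was not made with the key bound
// to signer (accountability), or if signer was never authenticated: such a signature proves nothing.
func Verify(dir Directory, signer string, data, sig []byte) error {
	pub, ok := dir[signer]
	if !ok {
		return fmt.Errorf("unknown signer %q", signer)
	}
	if !ed25519.Verify(pub, data, sig) {
		return fmt.Errorf("record from %q was modified or not signed with their key", signer)
	}
	return nil
}

func main() {
	dir := Directory{}
	alice, _ := NewSigner("alice", dir)
	data := []byte("transfer 100 to account 42") // constructed sample
	sig := alice.Sign(data)
	fmt.Println("modified:", Verify(dir, "alice", []byte("transfer 900 to account 42"), sig))
}
```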

Availability Service
The availability service is the mechanism used to make information accessible. It aids the communications system in transmitting information between locations or computer systems, and serves primarily as a parallel supporting or monitoring function.

Availability Service - Backups


Backups are the simplest form of availability. The concept of this service is to have a second copy of important information in storage at a safe location. Backups prevent the complete loss of information in the event of accidental or malicious destruction of files. The important issues are the frequency of backups, the location of the backups, the protection of the backups, and the synchronization of the backups.

Availability Service - Fail-Over


Fail-over provides for the reconstitution of information or capability. Fail-over systems have the capability to detect failures and re-establish availability of information through an automatic process using redundant hardware. A redundant system could be located on site, ready for use in the event of a failure of the primary system. Availability mechanisms can be the most expensive security mechanisms in an organization.

Availability Service - Disaster Recovery

Disaster recovery protects systems, information and capabilities from extensive disasters such as fires and floods. Disaster recovery is a complicated process that reconstitutes an organization when the entire facility becomes unavailable. Availability is used to recover from Denial-of-Service attacks; availability services can be used to reduce the effects of such an attack.

Accountability Service

The accountability service is normally forgotten. The accountability service alone does not protect against attacks; on its own, accountability is the worst part of security, since it adds cost and complication without adding value. However, without the accountability service, both the integrity and confidentiality mechanisms would fail.

Identification & Authentication (I&A)

I&A serves two primary purposes: the first I&A function identifies the individual who is attempting to perform a function; the second proves that the individual is who he or she claims to be.

Authentication can be accomplished by using any combination of three things: something only you know (a password or PIN); something only you have (a smartcard or ID card); something only you are (fingerprints or a retina scan).

Identification & Authentication (I&A)


While any single item can be used, it is better to use a combination of authentication elements; this is usually referred to as two-factor authentication. Single-factor authentication has inherent weaknesses: passwords can be guessed, and smartcards can be stolen.

If the I&A mechanism fails, integrity and confidentiality cannot be guaranteed.

Audit Service

Audit provides a record of past events. Audit records link an individual to actions taken on a system. Without proper I&A, the audit record is useless. Audit records also rely on the integrity service, to make sure that the records themselves have not been modified. If I&A is functioning correctly, audit records or logs can be traced back to individuals. The accountability service thus provides a record of what actions were taken by authenticated users, for the purpose of event reconstruction.
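An added example (not from the slides) of an audit record that depends on both I&A and integrity: each entry names the authenticated user and is hash-chained to the previous entry, so an entry with no identity behind it is refused and any later modification, deletion or reordering of the log is detected against a head hash kept out of the writer's reach. AuditLog, Append and Verify are hypothetical names; the sample entries are constructed.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Entry is one audit record: the authenticated principal, what they did, and
// the hash of the previous entry, which chains the records together.
type Entry struct{ User, Action string; Prev [32]byte }

func hashEntry(e Entry) [32]byte {
	return sha256.Sum256(append([]byte(e.User+"\x00"+e.Action+"\x00"), e.Prev[:]...))
}

// AuditLog is append-only. Head is the hash of the newest entry; a copy kept out
// of the log writer's reach (another host, a printout) is Verify's trusted anchor.
type AuditLog struct{ Entries []Entry; Head [32]byte }

// Append refuses an action with no authenticated user: it could not be traced to anyone.
func (l *AuditLog) Append(user, action string) error {
	if user == "" {
		return fmt.Errorf("refusing to log %q: no authenticated user", action)
	}
	e := Entry{User: user, Action: action, Prev: l.Head}
	l.Entries, l.Head = append(l.Entries, e), hashEntry(e)
	return nil
}

// Verify recomputes the chain against a trusted head. It returns -1 if the log is intact,
// the index of the first entry whose link is broken, or len(entries) if the tail was altered.
func Verify(entries []Entry, trustedHead [32]byte) int {
	var prev [32]byte
	for i, e := range entries {
		if e.Prev != prev {
			return i
		}
		prev = hashEntry(e)
	}
	if prev != trustedHead {
		return len(entries)
	}
	return -1
}

func main() {
	var l AuditLog
	l.Append("alice", "read payroll.xls") // constructed sample
	fmt.Println("intact:", Verify(l.Entries, l.Head) == -1)
}
```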
