The combination of space, time, and strength, which must be considered as the basic elements of this theory of defense, makes this a fairly complicated matter. Consequently, it is not easy to find a fixed point of departure. —On War, Carl Von Clausewitz
The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable. —The Art of War, Sun Tzu
The requirements of information security within an organization have undergone two major changes in the last several decades. Before the widespread use of data processing equipment, the security of information deemed valuable to an organization was provided primarily by physical and administrative means. An example of the former is the use of sturdy filing cabinets with combination locks for storing sensitive documents, while an example of the latter is personnel screening procedures used during the hiring process.
With the introduction of computers, the need for automated tools to protect files and other information stored on computers became evident. This need is particularly crucial for shared systems, such as a time-sharing system, and even more critical for systems accessible over a public telephone network, data network, or the Internet. The collection of tools designed to protect data and thwart hackers is generally known as computer security.
The second significant change that affected security is the introduction of distributed systems and the use of networks and communication facilities for data transmission between user terminals and computers, as well as between computers themselves. Network security measures are necessary to protect data during transmission. However, the term "network security" is somewhat misleading because virtually all business, government, and academic organizations interconnect their data processing equipment with a collection of interconnected networks. Such a collection is often referred to as an internet, and the term "internet security" is used correspondingly.
There are no clear boundaries between these two forms of security. For example, one of the most publicized types of attacks on information systems is the computer virus. A virus may be introduced into a system physically when it arrives on an optical disk and is subsequently loaded onto a computer, or it may arrive over an internet. In either case, once the virus resides on a computer system, internal computer security tools are necessary to detect and recover from the virus.
This book focuses on internet security, which consists of measures to deter, prevent, detect, and correct security violations involving the transmission of information. That is a broad statement covering numerous possibilities. To give you a sense of the areas covered in this book, consider the following examples of security violations:
1. User A transmits a file to user B that contains sensitive information (e.g., payroll records) intended to be protected from disclosure. User C, who is unauthorized to read the file, monitors the transmission and captures a copy during its journey.
2. A network manager, D, sends a message to computer E under its management, instructing it to update an authorization file to include new users who are to be granted access. User F intercepts the message, alters its contents by adding or deleting entries, and forwards the altered message to E. E accepts the message as legitimate and updates its authorization file accordingly.
3. Instead of intercepting a message, user F crafts its own message with the desired entries and transmits it to E, impersonating manager D. Computer E accepts the message as genuine and updates its authorization file.
4. An employee is terminated without warning. The personnel manager sends a message to a server system to invalidate the employee’s account. The server is to post confirmation in the employee’s file once the invalidation is accomplished. The employee intercepts the message, delays it long enough to retrieve sensitive information, then forwards the message. The action is taken and the confirmation posted, but the employee's actions may go unnoticed for some time.
5. A customer sends a message to a stockbroker with transaction instructions. When the investments lose value, the customer denies sending the message.
Although this list is not exhaustive, it illustrates the range of concerns in network security.
This chapter provides a general overview of the subject areas structuring the remainder of the book. We begin with a general discussion of network security services and mechanisms and the types of attacks they are designed to counter. Then, we develop a comprehensive model within which security services and mechanisms can be understood.
0 Comments