• Security Objectives
  • Security objectives differ with the technology and the purpose for which a certain resource or service is used. They aim for smooth and proper usage or operation (Availability) of the ICT system
• Security Threats
  • Threats describe any possible circumstances, actions or events which actively or passively lead to a breach of one or more security objectives
• Security Attacks
  • Attacks describe the occurrence of such events or the respective malicious exploit
• Security Mechanism
  • A mechanism that is designed to detect, prevent or recover from a security attack
• Security Service
  • A service that enhances the security of ICT systems. A security service makes use of one or more security mechanisms
• Computer Security
  • Generic name for the collection of tools to protect data
• Network Security
  • Protect data during their transmission
Note: there are no clear boundaries between these two forms of security
• Confidentiality
  • Ensuring that information is accessible only to those authorized to have access (ISO-17799)
  • Cryptography is usually the technology to fulfil this objective
• Integrity
  • Message (or generally Data) Integrity ensures the unmodified transmission or storage of a message
  • Modification Detection Code (MDC) hash functions are usually the technology to fulfil this objective
• Access Control: see AAA (Triple A)
• Accountability / Non-repudiation
  • Tracking of security-relevant actions in order to identify the responsible entity
  • Log files, recording network probes, versioning databases and Message Authentication Codes (MAC) are usually the technology to fulfil this objective
• Privacy
  • As opposed to confidentiality, where information within a communication should not be accessible, privacy is concerned with related information / statistics that one might be able to deduce from possibly confidential communication events
  • Communication end point addresses, time and duration logging, geo information (access network used etc.), inter-packet delay (for typing speed analysis) etc. can be used to profile users and make “informed” guesses about locations, service usages and possibly typed words
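The Integrity and Accountability items above name MDC hash functions and MACs respectively. The following added example (not part of the original slides) shows the practical difference on the receiver side; the key, the message and all function names are constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed key, known only to sender and receiver

def mdc(message: bytes) -> bytes:
    """Modification Detection Code: an unkeyed hash that anyone can compute."""
    return hashlib.sha256(message).digest()

def mac(message: bytes, key: bytes) -> bytes:
    """Message Authentication Code: a keyed tag (HMAC-SHA-256 here)."""
    return hmac.new(key, message, hashlib.sha256).digest()

def receiver_accepts_mdc(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mdc(message), tag)

def receiver_accepts_mac(message: bytes, tag: bytes, key: bytes) -> bool:
    return hmac.compare_digest(mac(message, key), tag)

def manipulate(message: bytes) -> tuple[bytes, bytes]:
    """Model of message manipulation by a party without KEY: the payload is
    changed and the only tag that party can compute, an unkeyed hash, is attached."""
    changed = message.replace(b"100", b"900")
    return changed, mdc(changed)

def demo() -> dict[str, bool]:
    msg = b"transfer 100 EUR to account 42"  # constructed sample message
    changed, replaced_tag = manipulate(msg)
    return {
        # Unmodified message with its digest: accepted.
        "mdc_unmodified": receiver_accepts_mdc(msg, mdc(msg)),
        # Payload changed, original digest kept: detected.
        "mdc_payload_changed": receiver_accepts_mdc(changed, mdc(msg)),
        # Payload changed and digest replaced: NOT detected, because the
        # digest travelled over the same unprotected channel as the message.
        "mdc_payload_and_digest_replaced": receiver_accepts_mdc(changed, replaced_tag),
        "mac_unmodified": receiver_accepts_mac(msg, mac(msg, KEY), KEY),
        # Without KEY no valid tag can be produced for the changed payload.
        "mac_payload_and_tag_replaced": receiver_accepts_mac(changed, replaced_tag, KEY),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: accepted={accepted}")
```

An MDC therefore protects integrity only when the digest itself reaches the receiver over a protected path. Because both sides hold the same key, a MAC shows that the message came from a key holder but cannot by itself show a third party which one.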
Triple A – AAA:
• Authentication
  • Making sure that the entity's identity is actually the one it claims to be, using credentials (a password, certificate, location, way of access, biometric characteristics or even relayed authentication) as digital proof
• Authorization
  • Making sure (by means of some determining function, such as profile lookup, filtering, usage statistics, time restrictions) that the entity is entitled to use a certain service (access/modify data etc.)
• Accounting
  • Usage tracking of services (network and application resources) over time or volume for billing and management purposes (usage statistics, forecasts and service resource planning)
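The three AAA steps above, chained in the order a request passes through them, as an added example that is not part of the original slides. The `AAAServer` class, the user, the services and the time window are all constructed; PBKDF2 password verification stands in for whichever credential type is actually used.

```python
import hashlib
import hmac
import os
from datetime import time

def _derive(password: str, salt: bytes) -> bytes:
    # Salted, slow password hash so stored credentials are not plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AAAServer:
    """Hypothetical minimal AAA server (illustration only)."""

    def __init__(self):
        self.accounts = {}  # name -> (salt, password hash, allowed services, hours)
        self.records = []   # accounting records: (name, service, bytes used)

    def add_user(self, name, password, services, hours):
        salt = os.urandom(16)
        self.accounts[name] = (salt, _derive(password, salt), set(services), hours)

    def authenticate(self, name, password) -> bool:
        """Authentication: is the entity who it claims to be?"""
        entry = self.accounts.get(name)
        if entry is None:
            return False
        salt, stored, _, _ = entry
        return hmac.compare_digest(stored, _derive(password, salt))

    def authorize(self, name, service, at: time) -> bool:
        """Authorization: profile lookup plus a time restriction."""
        _, _, services, (start, end) = self.accounts[name]
        return service in services and start <= at <= end

    def handle(self, name, password, service, at: time, nbytes: int) -> str:
        if not self.authenticate(name, password):
            return "reject: authentication"
        if not self.authorize(name, service, at):
            return "reject: authorization"
        # Accounting: record usage by volume only for service actually granted.
        self.records.append((name, service, nbytes))
        return "accept"

    def billed_volume(self, name) -> int:
        return sum(n for user, _, n in self.records if user == name)

if __name__ == "__main__":
    srv = AAAServer()
    srv.add_user("alice", "constructed-password", {"vpn"}, (time(8), time(18)))
    print(srv.handle("alice", "constructed-password", "vpn", time(9), 1500))
    print(srv.handle("alice", "constructed-password", "vpn", time(23), 1500))
    print(srv.billed_volume("alice"))
```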
• Eavesdropping
  • Unauthorized copying / snatching of information during transit or elsewhere
  • Usually performed by wire tapping, route manipulation, glancing at screens or paper prints etc.
• Access Violation
  • Unauthorized usage of services/resources
  • Usually performed by stolen/faked access credentials or the malicious exploitation of overload situations
• Identity Theft (Identity Masquerading)
  • Misguidance of authorities or communication partners by hiding the original identity with a stolen one
  • Typically performed by means of faked sender email addresses, sender IP and MAC addresses, digital signatures and stolen encryption keys
• Message Manipulation (Integrity violation)
  • Delay, deletion, modification, replay or insertion of communication messages
  • Often used to perform access violations or identity thefts
• Denial of Service (DoS)
  • Sabotage of service or resource availability through excessive - supposedly proper - usage
  • Usually performed by synchronously submitted service requests overloading the installed resource base
• Distributed Denial of Service (DDoS)
  • Sabotage of service or resource availability through excessive - supposedly proper - usage through a widespread (distributed) load of requests to obfuscate detection and combat activities
Network Security SS19 Page 7
Threats - Classification
[Figure: layered reference model. Recoverable labels: layer 7 Application (Anwendung), layer 6 Presentation (Darstellung), layer 2 Data link (Sicherung), layer 1 Physical (Bitübertragung), transmission media (Übertragungsmedium); application protocol; application-oriented and network-dependent layers.]
Attacks - L1 (PHY Layer) Attacks
• Traffic analysis:
• Masquerade:
• Replay:
• Message modification:
• Denial of Service:
• Authentication
  • Ensuring that an entity has the identity it claims to have
• Integrity
  • Ensuring that data created by specific entities may not be modified without detection
• Confidentiality
  • Ensuring the secrecy of protected data
• Access Control
  • Controls that each identity accesses only those services / information it is entitled to
• Non-Repudiation
  • Protects against entities participating in a communication exchange later falsely denying that the exchange occurred
• General mechanisms:
  • Key management
    • All aspects of the lifecycle of cryptographic keys
  • Random number generation
    • Generation of cryptographically secure random numbers
  • Event detection / security audit trail
    • Detection and recording of events that might be used in order to detect attacks or conditions that might be exploited by attacks
  • Intrusion detection
    • Analysis of recorded security data in order to detect successful intrusions or attacks
• Communication specific mechanisms:
  • Traffic Padding
    • Creation of bogus traffic in order to prevent traffic flow analysis
  • Routing Control
    • Influencing the routing of packets in a network
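Traffic padding, as listed above, counters the profiling by message size and timing described under Privacy. The sketch below is an added example, not part of the original slides: it sends one fixed-size cell per time slot and fills idle slots with bogus cells. The cell size, the 2-byte length prefix and all names are assumptions; link encryption, which on a real link makes bogus cells indistinguishable from real ones, is assumed and omitted.

```python
from collections import deque

CELL = 64                # bytes per cell on the wire (assumed value)
BODY = CELL - 2          # payload bytes per cell after the 2-byte length prefix
DUMMY = bytes(CELL)      # length prefix 0 marks a bogus (padding-only) cell

def to_cells(message: bytes) -> list[bytes]:
    """Split a message into fixed-size cells: length prefix, payload, zero padding."""
    chunks = [message[i:i + BODY] for i in range(0, len(message), BODY)]
    return [len(c).to_bytes(2, "big") + c.ljust(BODY, b"\0") for c in chunks]

def padded_link(schedule: dict[int, bytes], ticks: int) -> list[bytes]:
    """Emit exactly one cell per tick: a queued real cell if there is one,
    otherwise a bogus cell. `schedule` maps tick -> message handed to the link."""
    queue, wire = deque(), []
    for t in range(ticks):
        if t in schedule:
            queue.extend(to_cells(schedule[t]))
        wire.append(queue.popleft() if queue else DUMMY)
    return wire

def receive(wire: list[bytes]) -> bytes:
    """Receiver strips padding and silently drops bogus cells (length 0)."""
    out = b""
    for cell in wire:
        n = int.from_bytes(cell[:2], "big")
        out += cell[2:2 + n]
    return out

def observer_view(wire: list[bytes]) -> list[tuple[int, int]]:
    """What a passive observer of the link learns: send time and size per cell."""
    return [(t, len(cell)) for t, cell in enumerate(wire)]

if __name__ == "__main__":
    busy = padded_link({0: b"hi", 5: b"x" * 100}, ticks=10)  # constructed traffic
    idle = padded_link({}, ticks=10)
    print(observer_view(busy) == observer_view(idle))  # same pattern either way
    print(receive(busy))
```

The cost is bandwidth spent on bogus cells and added latency whenever a message has to wait for free slots.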
[Figure: Security Layers (Infrastructure Security, Services Security, Applications Security). Vulnerabilities can exist in each layer and plane and are exposed to threats and attacks. Recoverable labels: Access Management / Control, Authentication, Non-repudiation, Data Confidentiality, Communication Security, Integrity, Availability, Privacy; threats: Destruction, Corruption, Removal, Disclosure, Interruption.]