Technic Dynamic is a source of education focused on the following categories of technology: (Computer - Design - Gadgets - Networking - Security). Link: http://technicdynamic.com
The purpose of this document is to familiarize readers with the basics of computer security, as defined in ISO 7498-2, for example.
The objectives of computer security
Computer security has several objectives, which naturally depend on the types of threats, the types of resources, and so on. However, the main points are:
prevent the unauthorized disclosure of data
prevent the unauthorized modification of data
prevent the unauthorized use of network or computer resources in general
The scope of information security
These objectives apply in different areas or fields of application, each using different techniques to attain the same objectives. These fields are:
physical security programs (screens, power cables, power consumption curves ...)
the security of operating systems
communications security
Terminology of computer security
Computer security uses a well-defined vocabulary that we use in our articles. In order to understand these articles, it is necessary to define some terms:
Vulnerabilities: these are the security flaws in one or more systems. Any system, taken as a whole, has vulnerabilities, which may or may not be exploitable.
Attacks (exploits): these are the means of exploiting a vulnerability. There may be several attacks for the same vulnerability, but not all vulnerabilities are exploitable.
Countermeasures: these are the procedures or techniques used to address a vulnerability or to counter a specific attack (in which case other attacks on the same vulnerability may still exist).
Threats: these are determined adversaries capable of mounting an attack that exploits a vulnerability.
For other definitions, see ISO 7498-2, which defines no fewer than 59 terms; other definitions are also available in our lexicon.
Types of attacks
Attacks may at first be classified into two broad categories:
passive attacks: these consist of listening without changing the data or the operation of the network. They are generally undetectable, but prevention is possible.
active attacks: these consist of changing data or messages, breaking into network equipment or interfering with the proper operation of the network. Note that an active attack can be carried out without the ability to listen. In addition, it is generally not possible to prevent these attacks, although they are detectable (allowing an adequate response).
Profiles and capabilities of attackers
Attackers can be categorized not only by their knowledge (newbies, experts, etc.) but also by their attack capabilities in a well-defined situation. Thus, there are the following capabilities:
transmission of messages without the ability to listen (IP spoofing ...)
listening and transmission of messages
listening and disruption of communications (blocking packets, DoS and DDoS ...)
listening, disruption and transmission of messages
listening and relaying of messages (man-in-the-middle attacks)
Another characteristic of attackers is their hold over uni-directional or bi-directional communications, owing to the asymmetric nature of these communications. Indeed, most transmission channels over the Internet or any other heterogeneous network are uni-directional and take different paths depending on the routing rules. For example, many security protocols are unidirectional, and multiple channels must be established to allow a "duplex" exchange. These channels, at least two in number, are in most cases managed completely independently by the security protocol. This is the case for SSL/TLS, but also for IPsec, whose security associations (SA) are unidirectional and independent, each defining its own set of keys, algorithms, etc.
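The following added example (not part of the original article) models the two independent, one-way channels described above. It is a simplified sketch rather than real IPsec ESP: the `SA` class, the 8-byte header layout and the use of HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib, hmac, os, struct
from dataclasses import dataclass

@dataclass
class SA:
    """Simplified one-way security association (not real ESP)."""
    spi: int               # identifier carried in each packet
    key: bytes             # integrity key used in this direction only
    next_seq: int = 1      # sender-side sequence counter
    highest_seen: int = 0  # receiver-side anti-replay state

    def protect(self, payload: bytes) -> bytes:
        header = struct.pack("!II", self.spi, self.next_seq)
        self.next_seq += 1
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        return header + payload + tag

    def verify(self, packet: bytes) -> bytes:
        header, payload, tag = packet[:8], packet[8:-32], packet[-32:]
        spi, seq = struct.unpack("!II", header)
        if spi != self.spi:
            raise ValueError("unknown SPI for this SA")
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed")
        if seq <= self.highest_seen:
            raise ValueError("replayed packet")
        self.highest_seen = seq
        return payload

def new_sa(spi: int):
    # Returns the sender's and the receiver's copy of one SA (same SPI, same key).
    key = os.urandom(32)
    return SA(spi, key), SA(spi, key)

def demo() -> dict:
    a_out, b_in = new_sa(0x1001)  # direction A -> B
    b_out, a_in = new_sa(0x2002)  # direction B -> A, independent key
    first = a_out.protect(b"pay 10")
    second = a_out.protect(b"pay 20")
    tampered = second[:8] + b"pay 99" + second[14:]  # payload changed in transit
    results = {"delivered": b_in.verify(first), "reply": a_in.verify(b_out.protect(b"ack"))}
    cases = (("wrong_direction", a_in, first), ("replay", b_in, first), ("modified", b_in, tampered))
    for name, sa, pkt in cases:
        try:
            sa.verify(pkt)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    return results
```

Calling `demo()` shows that a packet protected for the A-to-B direction is rejected by the B-to-A association, and that replayed or modified packets are detected by the receiving side.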
Core services of information security
To remedy the flaws and to counter the attacks, computer security relies on a number of services that implement an appropriate response to each threat. At this level, no technique is yet considered; it is only a level of abstraction intended to obtain the minimum granularity needed to deploy a security policy optimally (practical aspects such as risk analysis, technological solutions and costs come later; see the "Site Security Handbook", RFC 1244, for details). Let us describe the main security services:
connectionless mode, at the packet level (request-response exchanges, such as UDP)
connection-oriented mode (over the whole exchange, such as TCP)
partial sequence integrity (VoIP, applications, etc.; helps avoid DoS, for example)
access control (= authorization, to be distinguished from authentication)
non-repudiation (proof of issue or proof of receipt)
Note that encryption, digital signatures and other techniques belong to the next, lower level of abstraction: the set of security mechanisms used to provide the services described above. Several mechanisms can, for example, provide the authentication service (authentication schemes, encryption, digital signatures ...). However, these security mechanisms are not yet the final solutions that will actually be implemented. That requires a final refinement: choosing symmetric algorithms, asymmetric algorithms, key sizes, etc.
Finally, there are other concepts that cannot be classified directly in these lists; trust is a good example. Indeed, although it is very expensive, trust is required for the security mechanisms in place to be effective. Take the example of an encrypted encapsulation (tunneling) protocol, implemented in software, used to exchange data while preserving confidentiality. If only the data is protected, it is easier for an attacker to break into one of the machines at the endpoints (PC or otherwise) and modify the corresponding library in order to subvert the security mechanism (random number forced to a constant value, predefined key values, NULL algorithms), and then access the transmitted data at leisure. Hence the need to establish a trust scheme to rule out this type of attack: the security equipment must be trusted, because otherwise the usefulness of the security mechanisms is called into question.
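As an added illustration (not from the original article), the sketch below audits tunnel session records for the three symptoms of a subverted endpoint library listed above: a constant random value, predefined keys and a NULL algorithm. The records and their field names are constructed for this example.

```python
from collections import defaultdict

# Constructed session records; field names and values are hypothetical.
SESSIONS = [
    {"id": "s1", "peer": "gw-a", "random": "9f3c1e7a52d04b68", "cipher": "AES-256-GCM", "key_fp": "a1b2c3d4"},
    {"id": "s2", "peer": "gw-a", "random": "04d7b8e911c35fa2", "cipher": "AES-256-GCM", "key_fp": "77e0f912"},
    {"id": "s3", "peer": "pc-7", "random": "0000000000000001", "cipher": "AES-128-CBC", "key_fp": "5c5c5c5c"},
    {"id": "s4", "peer": "pc-7", "random": "0000000000000001", "cipher": "AES-128-CBC", "key_fp": "5c5c5c5c"},
    {"id": "s5", "peer": "pc-9", "random": "c27a90b3e84d1f65", "cipher": "NULL", "key_fp": "3e8d0a41"},
]

def audit_sessions(sessions):
    """Return {session id: [findings]} for sessions that look tampered with."""
    by_random, by_key = defaultdict(list), defaultdict(list)
    for s in sessions:
        by_random[(s["peer"], s["random"])].append(s["id"])
        by_key[(s["peer"], s["key_fp"])].append(s["id"])

    findings = defaultdict(list)
    for s in sessions:
        # A NULL algorithm means the tunnel carries the data unprotected.
        if s["cipher"].upper() in {"NULL", "NONE"}:
            findings[s["id"]].append("NULL algorithm negotiated")
        # A healthy generator should never repeat a random value for one peer.
        if len(by_random[(s["peer"], s["random"])]) > 1:
            findings[s["id"]].append("random value repeated across sessions")
        # Identical key fingerprints across sessions suggest predefined keys.
        if len(by_key[(s["peer"], s["key_fp"])]) > 1:
            findings[s["id"]].append("session key repeated across sessions")
    return dict(findings)

if __name__ == "__main__":
    for session_id, issues in audit_sessions(SESSIONS).items():
        print(session_id, "->", "; ".join(issues))
```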