Summary Network Security Essentials: Applications and Standards


In this summary, you have access to all the fundamental and basic information you need to understand network security.

  • December 5, 2021
  • 81
  • 2021/2022
  • Summary
moloodmohammadi
Stallings, W. (2017). Network Security Essentials: Applications and Standards. 6th
Edition. Prentice Hall: Boston.

Chapter 1: Introduction (pages 17-44)

With the introduction of the computer, the need for automated tools for protecting files
and other information stored on the computer became evident. This is especially the
case for a shared system, such as a time-sharing system, and the need is even more
acute for systems that can be accessed over a public telephone network, data network,
or the Internet. The generic name for the collection of tools designed to protect data and
to thwart hackers is computer security. The second major change that affected
security is the introduction of distributed systems and the use of networks and
communications facilities for carrying data between terminal user and computer and
between computer and computer. Network security measures are needed to protect
data during their transmission. In fact, the term network security is somewhat
misleading, because virtually all business, government, and academic organizations
interconnect their data processing equipment with a collection of interconnected
networks. Such a collection is often referred to as an internet, and the term internet
security is used. (Stallings, 2017, p.18)

A Definition of Computer Security

Computer Security: The protection afforded to an automated information system in
order to attain the applicable objectives of preserving the integrity, availability, and
confidentiality of information system resources (includes hardware, software, firmware,
information/data, and telecommunications). (Stallings, 2017, p.20)
This definition introduces three key objectives that are at the heart of computer security.
• Confidentiality: This term covers two related concepts:
  • Data confidentiality: Assures that private or confidential information is not made
    available or disclosed to unauthorized individuals.
  • Privacy: Assures that individuals control or influence what information related to them
    may be collected and stored and by whom and to whom that information may be
    disclosed.
• Integrity: This term covers two related concepts:
  • Data integrity: Assures that data (both stored and in transmitted packets) and
    programs are changed only in a specified and authorized manner.
  • System integrity: Assures that a system performs its intended function in an
    unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of
    the system.
• Availability: Assures that systems work promptly and service is not denied to
  authorized users.

These three concepts form what is often referred to as the CIA triad. The three
concepts embody the fundamental security objectives for both data and for information
and computing services. (Stallings, 2017, p.20)
FIPS 199 defines three levels of impact for a loss of confidentiality, integrity, or availability:
• Low: The loss could be expected to have a limited adverse effect on organizational
  operations, organizational assets, or individuals. A limited adverse effect means that, for
  example, the loss of confidentiality, integrity, or availability might (i) cause a degradation
  in mission capability to an extent and duration that the organization is able to perform its
  primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result
  in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result
  in minor harm to individuals.
• Moderate: The loss could be expected to have a serious adverse effect on
  organizational operations, organizational assets, or individuals. A serious adverse effect
  means that, for example, the loss might (i) cause a significant degradation in mission
  capability to an extent and duration that the organization is able to perform its primary
  functions, but the effectiveness of the functions is significantly reduced; (ii) result in
  significant damage to organizational assets; (iii) result in significant financial loss; or (iv)
  result in significant harm to individuals that does not involve loss of life or serious,
  life-threatening injuries.
• High: The loss could be expected to have a severe or catastrophic adverse effect on
  organizational operations, organizational assets, or individuals. A severe or catastrophic
  adverse effect means that, for example, the loss might (i) cause a severe degradation in
  or loss of mission capability to an extent and duration that the organization is not able to
  perform one or more of its primary functions; (ii) result in major damage to
  organizational assets; (iii) result in major financial loss; or (iv) result in severe or
  catastrophic harm to individuals involving loss of life or serious, life-threatening injuries.
(Stallings, 2017, p.21-22)




The Challenges of Computer Security

Computer and network security is both fascinating and complex. Some of the reasons
include:
1. Security is not as simple as it might first appear to the novice. The requirements
seem to be straightforward; indeed, most of the major requirements for security services
can be given self-explanatory, one-word labels: confidentiality, authentication,
nonrepudiation, and integrity. But the mechanisms used to meet those requirements
can be quite complex, and understanding them may involve rather subtle reasoning.
2. In developing a particular security mechanism or algorithm, one must always
consider potential attacks on those security features. In many cases, successful attacks
are designed by looking at the problem in a completely different way, therefore
exploiting an unexpected weakness in the mechanism.
3. Because of point 2, the procedures used to provide particular services are often
counterintuitive. Typically, a security mechanism is complex, and it is not obvious from
the statement of a particular requirement that such elaborate measures are needed. It is
only when the various aspects of the threat are considered that elaborate security
mechanisms make sense.
4. Having designed various security mechanisms, it is necessary to decide where to use
them. This is true both in terms of physical placement (e.g., at what points in a network
are certain security mechanisms needed) and in a logical sense [e.g., at what layer or
layers of an architecture such as TCP/IP (Transmission Control Protocol/Internet
Protocol) should mechanisms be placed].
5. Security mechanisms typically involve more than a particular algorithm or protocol.
They also require that participants be in possession of some secret information (e.g., an
encryption key), which raises questions about the creation, distribution, and protection
of that secret information. There also may be a reliance on communications protocols
whose behavior may complicate the task of developing the security mechanism. For
example, if the proper functioning of the security mechanism requires setting time limits
on the transit time of a message from sender to receiver, then any protocol or network
that introduces variable, unpredictable delays may render such time limits meaningless.
6. Computer and network security is essentially a battle of wits between a perpetrator
who tries to find holes and the designer or administrator who tries to close them. The
great advantage that the attacker has is that he or she need only find a single
weakness, while the designer must find and eliminate all weaknesses to achieve perfect
security.
7. There is a natural tendency on the part of users and system managers to perceive
little benefit from security investment until a security failure occurs.
8. Security requires regular, even constant, monitoring, and this is difficult in today’s
short-term, overloaded environment.
9. Security is still too often an afterthought to be incorporated into a system after the
design is complete rather than being an integral part of the design process.
10. Many users (and even security administrators) view strong security as an
impediment to efficient and user-friendly operation of an information system or use of
information.
(Stallings, 2017, p.23-24)
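
The time-limit problem in point 5, as an added Python example (not from Stallings or from this summary). It assumes an HMAC-SHA256 tag over a timestamp, a constructed key and constructed delays, and shows that on a network with variable delay no single transit limit both accepts every legitimate message and rejects a stale copy.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed shared secret (assumption)

def _tag(payload: bytes, sent_at: float) -> bytes:
    # Fixed-width timestamp prefix keeps the MAC input unambiguous.
    data = struct.pack(">d", sent_at) + payload
    return hmac.new(KEY, data, hashlib.sha256).digest()

def seal(payload: bytes, sent_at: float):
    """Sender: bind the send time to the payload."""
    return payload, sent_at, _tag(payload, sent_at)

def accept(msg, received_at: float, max_transit: float) -> bool:
    """Receiver: message must be authentic AND inside the transit limit."""
    payload, sent_at, tag = msg
    if not hmac.compare_digest(tag, _tag(payload, sent_at)):
        return False  # payload or timestamp was altered in transit
    return 0.0 <= received_at - sent_at <= max_transit

# Constructed transit delays (seconds) on a network with variable delay.
LEGIT_DELAYS = [0.05, 0.08, 0.40, 2.5, 0.06]
STALE_DELAY = 2.0  # a stale copy of message 0 arrives 2 s after it was sent

def evaluate(max_transit: float):
    """Return (legitimate messages rejected, stale copy accepted)."""
    rejected = 0
    for i, delay in enumerate(LEGIT_DELAYS):
        sent_at = 1000.0 + 10 * i
        msg = seal(b"transfer #%d" % i, sent_at)
        if not accept(msg, sent_at + delay, max_transit):
            rejected += 1
    original = seal(b"transfer #0", 1000.0)
    stale_ok = accept(original, 1000.0 + STALE_DELAY, max_transit)
    return rejected, stale_ok

if __name__ == "__main__":
    for limit in (0.5, 3.0):
        print(limit, evaluate(limit))
```

With a 0.5 s limit the stale copy is rejected but so is the legitimate message delayed by 2.5 s; with a 3.0 s limit every legitimate message passes and so does the stale copy.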
Threat
A potential for violation of security, which exists when there is a circumstance,
capability, action, or event that could breach security and cause harm. That is, a threat
is a possible danger that might exploit a vulnerability.
Attack
An assault on system security that derives from an intelligent threat. That is, an
intelligent act that is a deliberate attempt (especially in the sense of a method or
technique) to evade security services and violate the security policy of a system.
(Stallings, 2017, p.25)
The OSI security architecture provides a useful, if abstract, overview of many of the
concepts that this book deals with. The OSI security architecture focuses on security
attacks, mechanisms, and services. These can be defined briefly as
• Security attack: Any action that compromises the security of information owned by
  an organization.
• Security mechanism: A process (or a device incorporating such a process) that is
  designed to detect, prevent, or recover from a security attack.
• Security service: A processing or communication service that enhances the
  security of the data processing systems and the information transfers of an
  organization. The services are intended to counter security attacks, and they make use
  of one or more security mechanisms to provide the service. (Stallings, 2017, p.25)
Security Attack: A useful means of classifying security attacks, used both in X.800 and
RFC 4949, is in terms of passive attacks and active attacks. A passive attack attempts
to learn or make use of information from the system but does not affect system
resources. An active attack attempts to alter system resources or affect their operation.

Passive Attacks
Passive attacks (Figure 1.2a) are in the nature of eavesdropping on, or monitoring of,
transmissions. The goal of the opponent is to obtain information that is being
transmitted. Two types of passive attacks are the release of message contents and
traffic analysis.
The release of message contents is easily understood. A telephone conversation, an
electronic mail message, and a transferred file may contain sensitive or confidential
information. We would like to prevent an opponent from learning the contents of these
transmissions. (Stallings, 2017, p.25)
