Data & Network Security

Chapter 1 - Foundational Concepts in Security
Outline
1.1 Introduction
1.2 CIA (Confidentiality, Integrity, Availability)
1.3 Concepts of risk, threats, vulnerabilities, and attack vectors
1.4 Authentication, Authorization, and Access control
1.5 Concept of Trust and Trustworthiness
1.6 Ethics
Learning Outcome
At the end of this chapter, students will be able to
● Define security concepts
● Explain the authentication and authorization concepts
● Define the concepts of trust and trustworthiness and analyse their influence on data and network security
● Understand the concept of ethics
Introduction
● Information Security - "The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources" (William 2015)
● Network security - "refers to any activity designed to protect the usability and integrity of your network and data. It includes both hardware and software technologies. Effective network security manages access to the network. It targets a variety of threats and stops them from entering or spreading on your network." (CISCO)
CIA triad
(Figure: the three vertices Confidentiality, Integrity and Availability surrounding "Data & Services".)
Confidentiality, Integrity, Availability (CIA)
● Confidentiality
○ Confidentiality is the protection of information from unauthorized access.
○ Data confidentiality and privacy.
○ Preserving authorized restrictions on information access and disclosure, including protecting personal privacy and proprietary information.
○ A loss of confidentiality is the unauthorized disclosure of information.
● Integrity
○ Integrity is the condition where information is kept accurate and consistent unless authorized changes are made.
○ Data and system integrity.
○ Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity.
○ A loss of integrity is the unauthorized modification or destruction of information.
● Availability
○ Availability is the situation where information is available when and where it is rightly needed.
○ Ensuring timely and reliable access to and use of information.
○ A loss of availability is the disruption of access to or use of information or an information system.
Concepts of risk, threats, vulnerabilities, and attack vectors
● Risk - someone or something that is a risk to safety. Any package left unattended will be deemed a security risk.
● Threats - the people eager, willing, and qualified to take advantage of each security weakness; they continually search for new exploits and weaknesses.
● Vulnerability - a weakness that is inherent in every network and device. This includes routers, switches, desktops, servers, and even security devices themselves.
● Attacks - the threats use a variety of tools, scripts, and programs to launch attacks against networks and network devices. Typically, the network devices under attack are the endpoints, such as servers and desktops.
Threat
● A threat refers to a new or newly discovered incident that
has the potential to harm a system or your company
overall. There are three main types of threats:
● Natural threats, such as floods, hurricanes, or tornadoes
● Unintentional threats, like an employee mistakenly
accessing the wrong information
● Intentional threats, such as spyware, malware, adware
companies, or the actions of a disgruntled employee
● Worms and viruses are categorized as threats because
they could cause harm to your organization
Vulnerability
● A vulnerability refers to a known weakness of an
asset (resource) that can be exploited by one or
more attackers. In other words, it is a known
issue that allows an attack to succeed.
● For example, when a team member resigns and
you forget to disable their access to external
accounts, change logins, or remove their names
from company credit cards, this leaves your
business open to both intentional and
unintentional threats.
Risk
● Risk is defined as the potential for loss or
damage when a threat exploits a vulnerability.
Examples of risk include financial losses, loss
of privacy, reputational damage, legal
implications, and even loss of life.
● Risk can also be defined as follows:
Risk = Threat X Vulnerability
Attack
● The main difference between a threat and an attack is that a threat can be either intentional or unintentional, whereas an attack is intentional.
● A threat is a circumstance that has the potential to cause loss or damage, whereas an attack is an attempt to cause damage.
● Attack vector: a method or way an attacker can gain unauthorized access to a network or computer system.
Concepts of risk, threats, vulnerabilities, and attack vectors
● Attack Vectors - (Ligier, 2016)
○ Network
○ User
○ Email
○ Web Application
○ Remote Access
○ Mobile
● Attacks (threats carried out)
○ Passive - does not affect system resources
○ Active - attempts to alter system resources or affect their operation
○ Insider - initiated by an entity inside the security perimeter
○ Outsider - initiated from outside the perimeter
Authentication, Authorization, and Access control
A framework for controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary
● Authentication
○ A process to identify a user.
○ Typically by having the user enter a valid user name and valid password before access is granted.
● Authorization
○ Levels of granting permission.
○ The process determines whether the user has the authority to issue such commands.
○ Authorization is the process of enforcing policies: determining what types or qualities of activities, resources, or services a user is permitted.
● Access Control
○ Access control is a security term used to refer to a set of policies for restricting access to information, tools, and physical locations.
○ Measures the resources a user consumes during access.
○ Authorization control, billing, trend analysis, resource utilization, and capacity planning activities.
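The three stages above in one request path (identify the user, check the policy, then record the usage), as an added Python example that is not part of the slides; the user store, roles and policy are constructed sample data.

```python
# Added illustration (not from the slides): one request passing through the
# three stages described above. Users, roles and policy are constructed data.
import hashlib
import hmac

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2: a leaked user store does not reveal plaintext passwords
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store: username -> (salt, password hash, role)
_SALT = b"constructed-demo-salt"
USERS = {
    "alice": (_SALT, hash_password("correct horse", _SALT), "admin"),
    "bob":   (_SALT, hash_password("battery staple", _SALT), "analyst"),
}

# Constructed policy: which actions each role may perform
POLICY = {
    "admin":   {"read", "write", "delete"},
    "analyst": {"read"},
}

AUDIT_LOG: list = []   # usage/audit record of every decision taken

def authenticate(username: str, password: str) -> bool:
    """Authentication: identify the user by a valid username and password."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored, _role = record
    # compare_digest keeps the comparison time independent of where bytes differ
    return hmac.compare_digest(stored, hash_password(password, salt))

def authorize(username: str, action: str) -> bool:
    """Authorization: check the policy for the user's role (call after authenticate)."""
    role = USERS[username][2]
    return action in POLICY.get(role, set())

def handle_request(username: str, password: str, action: str) -> str:
    """Authenticate, then authorize, and record the outcome for auditing."""
    if not authenticate(username, password):
        outcome = "denied: authentication failed"
    elif not authorize(username, action):
        outcome = "denied: not authorized"
    else:
        outcome = "allowed"
    AUDIT_LOG.append({"user": username, "action": action, "outcome": outcome})
    return outcome
```

Every request, allowed or denied, leaves an entry in `AUDIT_LOG`, which is the auditing-usage part of the framework.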
Ethics
● Ethics is about:
○ primarily enforcing the ethical implementation and use of computing resources;
○ the behaviour and approach of a human operator, workplace ethics and compliance.
● Core Issues
○ Scenarios arising from the use of the Internet
■ Internet privacy, the publication of copyrighted content and user interaction with websites, software and related services.
Responsible disclosure
● Responsible disclosure is the process of inviting security researchers to find and report security issues in the systems.
● Steps to create a responsible disclosure process:
○ Prepare your organization
○ Create a public disclosure policy
○ Publish your policy
○ Be responsive and communicate clearly
○ Be transparent
○ Don't panic
○ Acknowledge and credit
○ Fix fast
Concept of Trust and Trustworthiness
● Trustworthy is basically the quality of being reliable, dependable and honest; in other words, able to be relied on as honest or truthful. The traditional dictionary meaning of "worthy of trust" is in this sense of being reliable, etc.
○ E.g. uploading a confidential file to cloud storage.
● Trusted means held in a position of trust, in the sense of established as credible, dependable and favoured through previous experience or dealings (ideally) or by general reputation (less ideally). "Trusted" articulates with the traditional, literal dictionary meaning of trustworthy (worthy of trust).
○ E.g. a worker in a company.
Trust has been defined as a relationship between a trustor and a trustee.
Trustworthiness means that the (predicted) trustee will work on behalf of the trustor to fulfil their confident expectation without taking advantage of the vulnerability of the trustor by acting in an opportunistic manner.
Conclusion
● Security concepts
● CIA Triad
● Differences between risk, threat, vulnerabilities and attack
● Concept of ethics and responsible disclosure
● Concept of trust and trustworthiness
References
Stallings, W. and Brown, L. (2015). Computer Security: Principles and Practice. Pearson Education.
CISCO. What Is Network Security? [cited 22 August 2017]. Available from: https://www.cisco.com/c/en/us/products/security/what-is-network-security.html
Techopedia. Computer Ethics. [cited 22 August 2017]. Available from: https://www.techopedia.com/definition/5499/computer-ethics
Larson, S.F.S. (2017). The uncertain future of Internet privacy. [cited 22 August 2017]. Available from: http://money.cnn.com/2017/04/05/technology/internet-privacy-future/index.html
Ligier, S. (2016). Threat vectors – what are they and why do you need to know them? 17 Nov 2016 [cited 4 Sep 2017]. Available from: https://blog.barracuda.com/2016/11/17/threat-vectors-what-are-they-and-why-do-you-need-to-know-them/