To understand the need for security in a system it is
necessary to understand what threats or attacks the system is
subject to. A threat
is a potential violation of security. The security policy of a system
will identify the threats that are deemed to be important and will
dictate the measures that are to be taken to protect the system against
those threats. It is not possible to provide a detailed discussion
of threats in such a general text; however, the primary threats against
which most security is directed are:
- Disclosure.
Information kept within the system should be protected against disclosure
to unauthorized persons. Note that this can include who is talking to
whom, or even the fact that someone is talking at all. (Imagine
companies who normally compete discussing a merger by electronic mail;
share dealers would be tempted if they even knew of such
conversations. Imagine a list of people who subscribe to particular
sets of bulletin boards. Junk mailers and advertisers would also dearly like
such information to target their output.) So there is explicit
disclosure of information, but never forget the implicit information in
the act of communication itself. Under some circumstances, it may be
that someone wishes to prove that they originated some information,
but wishes to repudiate the contents. Thus a separation of
authentication and privacy can be seen to have requirements from both
secrecy and revelation.
- Corruption.
Information in the system must be protected against unauthorized change.
Obviously, we do not want the integrity of our work to be
compromised.
- Destruction or loss of information.
Where information is effectively unavailable for use within the system.
If information has value, then the cost of its loss is clear.
- Denial of Service.
The resources of the system must be protected so that they are available
for use by authorized persons. This means preventing unauthorized
use of the resources. In some systems, it may be reasonable to share
resources which are idle. In others, this may prevent timely reaction
(e.g. safety critical systems, or again, share dealing systems, where
time is of the essence).
- Covert Signaling.
This is not generally a direct threat to an organisation, but an
indirect one. The use of its communications channels to carry another
organization's messages surreptitiously may deny it revenue. The
usual urban myth cited here is the technique of telephoning football
scores long distance by ringing tones on a deliberately unanswered
phone at an agreed time.
Denial of service is a threat that is covered to some extent by the
security concepts used to protect against disclosure and corruption.
For example, if access to a system is controlled by access-controlled
quotas, then denying service to other users may be prevented.
Other measures fall into the area of physical security, which is outside
the scope of this text. Consequently the rest of this chapter will
concentrate on the first three threats. In general, since passive
attacks are very difficult to detect, the general defense is to try
to prevent them. Conversely, active attacks are easier to detect, but
perhaps harder to prevent. A combination of passive attack and replay
can lead to denial of service and is particularly pernicious.
An important threat that has to be tackled in any system which
is being used by humans is that someone may subvert the system to
their own gain; in other words, commit some form of fraud or damage
by using the legitimate operations of the system. The most common
technique that is used to overcome this is to ensure that no single
individual (not even the Security Administrator) can carry out all
of the actions necessary to commit a fraud. For instance, no one who
is allowed to enter invoices into a system will be allowed to authorize
payment of invoices. This would stop someone entering their own fictional
invoices to obtain payment. There are lots of examples in other areas:
for instance, two keys are necessary to open a bank vault, and these will
be held by different people, or two different keys will be necessary
to launch a nuclear missile. The concept behind these examples is
that of separation of duty. To ensure that this concept
may be used in a distributed system it is necessary to provide the
underlying mechanisms, particularly access control and authentication.
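The invoice scenario above, enforced as an added example (not code from the original text): the role names, user names and the small in-memory invoice store are assumed for illustration. Static separation of duty stops one user holding both roles; a dynamic check additionally refuses to let the person who entered an invoice authorize its payment, as defence in depth should the role table ever be misconfigured.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical role names for the two conflicting duties.
ENTER_INVOICE = "enter_invoice"
AUTHORIZE_PAYMENT = "authorize_payment"

# Static separation of duty: no principal may hold both roles of a conflicting pair.
CONFLICTING_ROLES = {frozenset({ENTER_INVOICE, AUTHORIZE_PAYMENT})}


class PolicyViolation(Exception):
    """Raised when an action would violate the separation-of-duty policy."""


@dataclass
class Invoice:
    number: str
    entered_by: str
    authorized_by: Optional[str] = None


@dataclass
class InvoiceSystem:
    roles: dict = field(default_factory=dict)      # user -> set of role names
    invoices: dict = field(default_factory=dict)   # invoice number -> Invoice

    def assign_role(self, user: str, role: str) -> None:
        held = self.roles.setdefault(user, set())
        for pair in CONFLICTING_ROLES:
            # Refuse the assignment if the user already holds the other role of the pair.
            if role in pair and held & (pair - {role}):
                raise PolicyViolation(f"{user} may not hold both of {sorted(pair)}")
        held.add(role)

    def enter_invoice(self, user: str, number: str) -> Invoice:
        if ENTER_INVOICE not in self.roles.get(user, set()):
            raise PolicyViolation(f"{user} is not permitted to enter invoices")
        inv = Invoice(number=number, entered_by=user)
        self.invoices[number] = inv
        return inv

    def authorize_payment(self, user: str, number: str) -> Invoice:
        if AUTHORIZE_PAYMENT not in self.roles.get(user, set()):
            raise PolicyViolation(f"{user} is not permitted to authorize payments")
        inv = self.invoices[number]
        # Dynamic separation of duty: the authorizer must be a different person
        # from the one who entered the invoice, whatever the role table says.
        if inv.entered_by == user:
            raise PolicyViolation(f"{user} cannot authorize an invoice they entered")
        inv.authorized_by = user
        return inv
```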
Threats can be further classified into intentional or accidental,
which is self-explanatory; and active or passive. An active threat
is one which will result in some unauthorized activity in the system
which can cause corruption, loss, or destruction of information. An
active threat can also cause a denial of service by monopolizing resources
within the system. A passive threat is one which does not intrude
on the system and utilizes no resources or activity within the system.
However, a passive threat can lead to disclosure of information, for
instance by passive wire tapping, or monitoring the radiation from
a VDU.
The security facility that is used to protect against disclosure is
that of confidentiality. This means the information in the system
is protected by appropriate confidentiality mechanisms (see section
4.7 below). The security facility that is used to protect against
corruption, or partial loss of information, is integrity. Unfortunately,
although integrity will tell you that your information has been corrupted,
it would be better if some form of prevention were available. Similarly
for confidentiality: this will provide some protection to data once
it has been obtained by a third party, but it would be better if the
data was only made available to those authorized to see it. The main
mechanism used to prevent unauthorized access is that of access control.
The disclosure of information is usually achieved by copying the information
from some part of the system, either when it is on some storage device,
when it is moving through the system (especially over communications
links), or when it is being manipulated by processes within a system.
It is impossible to tell if information has been copied, since there
is no evidence left with the original information. The strategy for
preventing disclosure relies on making the data representing the information
indecipherable if it is copied! We are using the concept of information
to represent what is stored in the system and data to represent the
idea that information is stored in some set of symbols (usually a
bit pattern) for manipulation. Information represents the semantics,
data represents the syntax. Confidentiality is provided by translating
the data in such a way that it can only be turned back into its original
format by entities authorized to have access to the information.
Any other entities would only be able to access the gibberish version.
The corruption of information is difficult to prevent, hence the
need for access control, but it can be detected since there is evidence
left with the information that a change has taken place. It is not
necessary to transform data to detect corruption, usually a checksum
is carried with the data. The checksum is calculated in such a way
that only entities authorized to change the data can compute a valid
checksum.
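A keyed checksum of the kind just described, as an added example (not code from the original text): a tag computed with HMAC-SHA256 over the data can only be produced by holders of the key, so an unauthorized change is detected when verification fails, whereas an unkeyed CRC detects accidental corruption but can be recomputed by anyone. The key and the record are constructed sample values.

```python
import hashlib
import hmac
import zlib

KEY = b"constructed-sample-key"        # in practice obtained from key management
RECORD = b"pay 100.00 to account 42"   # constructed sample record


def unkeyed_checksum(data: bytes) -> int:
    # CRC32 needs no secret: anyone can recompute it over altered data,
    # so it guards only against accidental corruption.
    return zlib.crc32(data)


def keyed_checksum(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA256: producing a valid tag requires the key, so only entities
    # authorized to change the data can carry a matching checksum with it.
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(key: bytes, data: bytes, tag: bytes) -> bool:
    # Constant-time comparison so the check does not leak the expected tag via timing.
    return hmac.compare_digest(keyed_checksum(key, data), tag)


def corrupt(data: bytes, offset: int) -> bytes:
    # Flip one bit to simulate corruption in storage or in transit.
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


def demo() -> dict:
    tag = keyed_checksum(KEY, RECORD)
    crc = unkeyed_checksum(RECORD)
    altered = corrupt(RECORD, 4)
    return {
        "keyed_intact": verify(KEY, RECORD, tag),            # True
        "keyed_altered": verify(KEY, altered, tag),          # False: change detected
        "keyed_wrong_key": verify(b"other-key", RECORD, tag),  # False: key required
        "unkeyed_altered_detected": unkeyed_checksum(altered) != crc,  # True
    }
```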
Eventually, an authorized entity will want to access or change the
information in the system. To distinguish authorized access from unauthorized
access is the concept behind access control.