Threats and Protection

To understand the need for security in a system it is necessary to understand what threats or attacks the system is subject to. A threat is a potential violation of security. The security policy of a system will identify the threats that are deemed to be important and will dictate the measures that are to be taken to protect the system against those threats. It is not possible to provide a detailed discussion of threats in such a general text; however, the primary threats against which most security is directed are:
  1. Disclosure. Information kept within the system should be protected against disclosure to unauthorized persons. Note that this can include who is talking to whom, or even the fact that someone is talking at all. (Imagine companies who normally compete discussing a merger by electronic mail; share dealers would be tempted if they even knew of such conversations. Imagine a list of people who subscribe to particular sets of bulletin boards; junk mailers and advertisers would dearly like such information to target their output.) So there is explicit disclosure of information, but never forget the implicit information in the act of communication itself. Under some circumstances someone may wish to prove that they originated some information, yet be able to repudiate its contents. Authentication and privacy therefore need to be separable: there are requirements for both secrecy and revelation.
  2. Corruption. Information in the system must be protected against unauthorized change. Obviously, we do not want the integrity of our work to be compromised.
  3. Destruction or loss of information. Information is effectively unavailable for use within the system. If information has value, then the cost of its loss is clear.
  4. Denial of Service. The resources of the system must be protected so that they are available for use by authorized persons. This means preventing unauthorized use of the resources. In some systems, it may be reasonable to share resources which are idle. In others, this may prevent timely reaction (e.g. safety critical systems, or again, share dealing systems, where time is of the essence).
  5. Covert signalling. This is not generally a direct threat to an organization but an indirect one. The use of its communications channels to carry another organization's messages surreptitiously may deny it revenue. The usual urban myth cited here is the technique of telephoning football scores long distance by ringing tones on a deliberately unanswered phone at an agreed time.
Denial of service is a threat that is covered to some extent by the security concepts used to protect against disclosure and corruption. For example, if use of the system's resources is governed by access-controlled quotas, then one user can be prevented from denying service to the others. Other measures fall into the area of physical security, which is outside the scope of this text. Consequently the rest of this chapter will concentrate on the first three threats.

In general, since passive attacks are very difficult to detect, the usual defense is to try to prevent them. Conversely, active attacks are easier to detect but perhaps harder to prevent. A combination of passive attack and replay can lead to denial of service and is particularly pernicious.

An important threat that has to be tackled in any system used by humans is that someone may subvert the system to their own gain: in other words, commit some form of fraud or damage using the legitimate operations of the system. The most common technique used to counter this is to ensure that no single individual (not even the Security Administrator) can carry out all of the actions necessary to commit a fraud. For instance, no one who is allowed to enter invoices into a system will be allowed to authorize payment of invoices. This stops someone entering their own fictitious invoices to obtain payment. There are lots of examples in other areas: two keys are necessary to open a bank vault and these are held by different people, or two different keys are necessary to launch a nuclear missile. The concept behind these examples is that of separation of duty. To ensure that this concept may be used in a distributed system it is necessary to provide the underlying mechanisms, particularly access control and authentication.

Threats can be further classified into intentional or accidental, which is self explanatory, and active or passive.
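The invoice example above can be made concrete in code. What follows is an added illustration, not from the original text: a small access-control layer that enforces separation of duty in two ways. A static rule refuses to give one user a set of roles whose permissions combine entering and authorizing invoices, and a dynamic rule refuses to let whoever entered a particular invoice authorize its payment, which catches the case where a user's roles are changed between the two steps. The role names, permission names and users are constructed for the example.

```python
"""Separation of duty built on access control.

Added example, not from the text. Two rules are enforced:
  * static separation: no user may be given a set of roles whose permissions
    combine 'enter_invoice' and 'authorize_payment';
  * dynamic separation: whoever entered a particular invoice can never be the
    one who authorizes its payment, even if their roles were changed later.
Role names, permission names and users are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Role -> permissions. The security administrator manages users but holds no
# business permission, so they cannot complete a fraud on their own either.
ROLES: Dict[str, Set[str]] = {
    "clerk": {"enter_invoice"},
    "approver": {"authorize_payment"},
    "security_admin": {"manage_users"},
}

# Pairs of permissions that must never be held by the same person.
CONFLICTING = [("enter_invoice", "authorize_payment")]


class SeparationOfDutyError(PermissionError):
    """Raised when an action or role assignment would defeat separation of duty."""


def permissions_for(roles) -> Set[str]:
    perms: Set[str] = set()
    for role in roles:
        perms |= ROLES[role]
    return perms


def check_static_sod(user: str, roles) -> Set[str]:
    """Static rule: reject a role set that combines conflicting permissions."""
    perms = permissions_for(roles)
    for a, b in CONFLICTING:
        if a in perms and b in perms:
            raise SeparationOfDutyError(f"{user} would hold both {a} and {b}")
    return perms


@dataclass
class Invoice:
    invoice_id: str
    amount: int
    entered_by: str
    authorized_by: Optional[str] = None


class InvoiceSystem:
    def __init__(self) -> None:
        self.users: Dict[str, Set[str]] = {}
        self.invoices: Dict[str, Invoice] = {}

    def set_roles(self, user: str, roles) -> None:
        # Every (re)assignment goes through the static check.
        self.users[user] = check_static_sod(user, roles)

    def _require(self, user: str, perm: str) -> None:
        # Access control: the caller must hold the permission for the operation.
        if perm not in self.users.get(user, set()):
            raise PermissionError(f"{user} lacks {perm}")

    def enter_invoice(self, user: str, invoice_id: str, amount: int) -> Invoice:
        self._require(user, "enter_invoice")
        inv = Invoice(invoice_id, amount, entered_by=user)
        self.invoices[invoice_id] = inv
        return inv

    def authorize_payment(self, user: str, invoice_id: str) -> Invoice:
        self._require(user, "authorize_payment")
        inv = self.invoices[invoice_id]
        # Dynamic rule: the static check cannot catch a user whose roles were
        # changed between entering the invoice and approving it.
        if inv.entered_by == user:
            raise SeparationOfDutyError(
                f"{user} cannot authorize their own invoice {invoice_id}")
        inv.authorized_by = user
        return inv


if __name__ == "__main__":
    system = InvoiceSystem()
    system.set_roles("alice", ["clerk"])
    system.set_roles("bob", ["approver"])
    system.enter_invoice("alice", "INV-1", 500)
    print(system.authorize_payment("bob", "INV-1"))
    try:
        system.set_roles("mallory", ["clerk", "approver"])
    except SeparationOfDutyError as err:
        print("rejected:", err)
```

Both rules depend on the system knowing reliably who is acting, which is the authentication requirement the text mentions: separation of duty is only as strong as the mechanism that ties the names "alice" and "bob" to real principals.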
An active threat is one which will result in some unauthorized activity in the system which can cause corruption, loss, or destruction of information. An active threat can also cause a denial of service by monopolizing resources within the system. A passive threat is one which does not intrude on the system and utilizes no resources or activity within the system. However, a passive threat can lead to disclosure of information, for instance by passive wire tapping, or by monitoring the radiation from a VDU. The security facility that is used to protect against disclosure is that of confidentiality. This means the information in the system is protected by appropriate confidentiality mechanisms (see section 4.7 below). The security facility that is used to protect against corruption, or partial loss of information, is integrity. Unfortunately, although an integrity mechanism will tell you that your information has been corrupted, it would be better if some form of prevention were available. Similarly for confidentiality: this will provide some protection to data once it has been obtained by a third party, but it would be better if the data were only made available to those authorized to see it. The main mechanism used to prevent unauthorized access is that of access control. The disclosure of information is usually achieved by copying the information from some part of the system, either when it is on some storage device, when it is moving through the system (especially over communications links), or when it is being manipulated by processes within a system. It is impossible to tell if information has been copied, since there is no evidence left with the original information. The strategy for preventing disclosure therefore relies on making the data representing the information indecipherable if it is copied!
We are using the concept of information to represent what is stored in the system and data to represent the idea that information is stored in some set of symbols (usually a bit pattern) for manipulation. Information represents the semantics, data represents the syntax. Confidentiality is provided by translating the data in such a way that it can only be turned back into its original format by entities authorized to have access to the information. Any other entities would only be able to access the gibberish version. The corruption of information is difficult to prevent, hence the need for access control, but it can be detected since there is evidence left with the information that a change has taken place. To detect corruption it is not necessary to transform the data; usually a checksum is carried with it. The checksum is calculated in such a way that only entities authorized to change the data can compute a valid checksum. Eventually, an authorized entity will want to access or change the information in the system. Distinguishing authorized from unauthorized access is the concept behind access control.
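The requirement that only authorized entities can compute a valid checksum rules out an ordinary, unkeyed checksum: anyone who can alter the data can recompute it. The following is an added example, not from the original text, contrasting a plain SHA-256 checksum with a keyed one (HMAC-SHA256) over a constructed invoice record. An attacker who changes the amount can make the plain checksum verify again, but cannot produce a tag the keyed check accepts, whether by reusing the old tag or by guessing a key. The key and the sample record are constructed for the example.

```python
"""Keyed checksum for integrity.

Added example, not from the text. It contrasts a plain checksum, which any
party can recompute after altering the data, with a keyed checksum (HMAC),
which only holders of the key can compute. Only the second satisfies the
requirement that entities not authorized to change the data cannot produce
a valid checksum. Either form detects corruption; neither prevents it, which
is why access control is still needed.
The key and the sample record below are constructed for illustration.
"""
import hashlib
import hmac


def plain_checksum(data: bytes) -> bytes:
    """Unkeyed: detects accidental corruption only."""
    return hashlib.sha256(data).digest()


def verify_plain(data: bytes, checksum: bytes) -> bool:
    return hmac.compare_digest(plain_checksum(data), checksum)


def keyed_checksum(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256: cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_keyed(key: bytes, data: bytes, tag: bytes) -> bool:
    # compare_digest runs in time independent of where the first mismatch is,
    # so an attacker cannot learn a valid tag byte by byte from response timing.
    return hmac.compare_digest(keyed_checksum(key, data), tag)


def tamper(record: bytes) -> bytes:
    """What the attacker does: change the amount on the invoice record."""
    return record.replace(b"amount=500", b"amount=5000")


def plain_checksum_survives_tampering(record: bytes) -> bool:
    """Attacker alters the record and recomputes the unkeyed checksum.
    Returns True when verification still passes, i.e. the change goes unnoticed."""
    forged = tamper(record)
    return verify_plain(forged, plain_checksum(forged))


def keyed_checksum_survives_tampering(key: bytes, record: bytes, tag: bytes) -> bool:
    """Attacker alters the record and tries (a) reusing the original tag and
    (b) computing a tag with a guessed key. Returns True only if either passes."""
    forged = tamper(record)
    guessed_key = b"\x00" * 32          # the attacker does not know `key`
    reuse_old_tag = verify_keyed(key, forged, tag)
    forge_with_guess = verify_keyed(key, forged, keyed_checksum(guessed_key, forged))
    return reuse_old_tag or forge_with_guess


if __name__ == "__main__":
    import os
    key = os.urandom(32)                # shared only with authorized writers
    record = b"invoice=INV-1;payee=alice;amount=500"
    tag = keyed_checksum(key, record)
    print("untampered record verifies:", verify_keyed(key, record, tag))
    print("plain checksum misses tampering:", plain_checksum_survives_tampering(record))
    print("keyed checksum misses tampering:", keyed_checksum_survives_tampering(key, record, tag))
```

A keyed checksum shows that the data was produced by some holder of the key, but a third party cannot tell which one; it does not by itself give the "prove that they originated the information" property mentioned under disclosure, which requires a digital signature with a key held by one party only.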