control mechanism is not configured to completely deny access but instead is configured
to allow for the reading of the file but not for the writing of changes. Also, as with
confidentiality, it is very important to correctly identify the individual seeking to make a
change. This can only be performed through the use of identification and authentication.
The use of computer file access controls works well if the files reside on a single
computer system or a network within the control of the organization. What if the file is to be
copied to other parties or organizations? In this case, it is clear that the access controls on a
single computer system or network are insufficient to provide protection. Therefore,
there must be a mechanism that can identify when an unauthorized change has been
made to the file. That mechanism is a digital signature (see Chapter 12 for more detail on
digital signatures). A digital signature on a file can identify if the file has been modified
since the signature was created. In order to be worthwhile, the digital signature must be
identified with a particular user; thus, the integrity service must work with the
identification and authentication function.
Integrity of Information Transmission
Information can be modified during transmission. However, it is extremely difficult to
modify traffic without performing an interception attack. Encryption can prevent most
forms of modification attacks during transmission. When coupled with a strong
identification and authentication function, even interception attacks can be thwarted (look back
to Figure 3-2).
Attacks That Can Be Prevented
The integrity service can prevent successful modification and repudiation attacks. While
any modification attack may change a file or information in transit, modification attacks
cannot be successful if the integrity service is functioning properly as the unauthorized
change will be detected. When coupled with a good identification and authentication
service, even changes to files outside of the organization can be detected.
Successful repudiation attacks cannot be prevented without both a good integrity
service and good identification and authentication. In this case, the mechanism to detect the
attack is a digital signature.
AVAILABILITY
The availability service provides for information to be useful. Availability allows users to
access computer systems, the information on the systems, and the applications that
perform operations on the information. Availability also provides for the communications
systems to transmit information between locations or computer systems. The
information and capabilities most often thought of when we speak of availability are all
electronic. However, the availability of paper information files can also be protected.
Backups are the simplest form of availability. The concept is to have a second copy of important information in storage at a safe location. The backups can be paper files (copies of important documents) or they can be electronic (computer backup tapes). Backups prevent the complete loss of information in the event of accidental or malicious destruction of the files. Safe locations for backups may be on-site in a fireproof enclosure or at a remote site with physical security measures.
While backups do provide for information availability, they do not necessarily provide for timely availability. This means that the backups may have to be retrieved from a remote location, transported to the organization’s facility, and loaded on the appropriate system.
Fail-Over
Fail-over provides for the reconstitution of information or a capability. Unlike backups, systems configured with fail-over can detect failures and re-establish a capability (processing, access to information, or communications) by an automatic process through the use of redundant hardware.
Fail-over is often thought of as an immediate reconstitution but it does not need to be configured in that manner. A redundant system could be located on-site to be readied for use if a failure occurs on the primary system. This is a much less expensive alternative to most immediate fail-over systems.
Disaster Recovery
Disaster recovery protects systems, information, and capabilities from extensive disasters. Disaster recovery is an involved process that reconstitutes an organization when entire facilities or important rooms within a facility become unavailable.
Attacks That Can Be Prevented
Availability is used to recover from denial-of-service attacks. There is no way to prevent a DoS attack, but the availability service can be used to reduce the effects of the attack and
to recover from it by bringing systems and capabilities back online.
ACCOUNTABILITY
The accountability service is often forgotten when we speak of security. The primary reason is that the accountability service does not protect against attacks by itself. It must be used in conjunction with other services to make them more effective. Accountability by itself is the worst part of security; it adds complications without adding value. Accountability adds cost and it reduces the usability of a system. However, without the accountability service, both integrity and confidentiality mechanisms would fail.
Identification and Authentication
Identification and authentication (I&A) serves two purposes. First, the I&A function
identifies the individual who is attempting to perform a function. Second, the I&A
function proves that the individual is who he or she claims to be. Authentication can be
accomplished by using any combination of three things:
▼ Something you know (like a password or PIN)
■ Something you have (like a smart card or a badge)
▲ Something you are (like fingerprints or a retina scan)
While any single item can be used, it is better to use combinations of factors such as a
password and a smart card. This is usually referred to as two-factor authentication. The
reason that two-factor authentication is deemed to be better than a single-factor
authentication is that each factor has inherent weaknesses. For example, passwords can be guessed
and smart cards can be stolen. Biometric authentication is much harder to fake but
individuals can be compelled to place their hand on a handprint scanner.
In the physical world, authentication may be accomplished by a picture ID that is
shown to a guard. This may provide sufficient authentication to allow an employee to
enter a facility. Handprint scanners are also often used to authenticate individuals who
wish to enter certain parts of facilities. The authentication mechanism is directly tied to
the physical presence and identity of the individual.
In the electronic world, physical authentication mechanisms do not work as well.
Traditionally, the authentication mechanism that has been used for computers is the
password. The identity of the individual is linked via a user ID that was established by a
system administrator. It is assumed that the administrator had some proof that the
individual receiving the user ID was in fact the individual being identified. Passwords alone
are a single factor of authentication and thus inherently weak. Unlike in the physical
world, there is no guarantee of the physical presence of the individual. That is why
two-factor authentication is advocated for use with computer systems. It provides a
stronger authentication mechanism.
I&A obviously provides assistance to the computer file access controls that provide
confidentiality and integrity of electronic files on computer systems. I&A is also
important with regard to encryption and digital signatures. However, the I&A in this case must
be transmitted to a remote user. The remote user proves his identity to the local
mechanism and provides proof to the far end of the connection. For example, Figure 3-4 shows
how a digital signature is used for I&A when sending a message. The user first must
authenticate to the mechanism that protects the signature on his local machine. The local
machine then allows the use of the signature mechanism and sends the authenticated
message. The user who receives the message then uses the digital signature as proof that
the sender was the author of the message.
In many ways the I&A mechanism becomes the key to the other security services
within an organization. If the I&A mechanism fails, integrity and confidentiality cannot
be guaranteed.
Audits provide a record of past events. Audit records link an individual to actions taken
on a system or in the physical world. Without proper I&A, the audit record is useless as
no one can guarantee that the recorded events were actually performed by the individual
in question.
Audits in the physical world may take the form of entrance logs, sign-out sheets, or even video recordings. The purpose of these physical records is to provide a record of actions performed. It should also be noted that the integrity service must guarantee that the audit records were not modified. Otherwise, the information in the audit log becomes suspect as well.
Figure 3-4. I&A mechanisms for remote communication
In the electronic world, the computer systems provide the logs that record actions by user IDs. If the I&A function is working properly, these events can be traced back to
individuals. As with paper records, the audit logs on a computer system must be protected
from unauthorized modification. In fact, audit logs must be protected from any
modification whatsoever.
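One way to make modification of electronic audit records detectable, shown here as an added example that is not taken from the book: each record carries a keyed hash (HMAC) that also covers the previous record, so an edited, removed or truncated record no longer verifies. The function names, the key and the sample events are assumptions constructed for the illustration.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor used before the first record


def _mac(key: bytes, prev_mac: str, entry: dict) -> str:
    # Canonical JSON so an entry always serialises to the same bytes.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_mac + body).encode(), hashlib.sha256).hexdigest()


def append(log: list, key: bytes, user_id: str, action: str) -> None:
    """Add a record whose MAC also covers the previous record's MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    entry = {"seq": len(log), "user": user_id, "action": action}
    log.append({"entry": entry, "mac": _mac(key, prev, entry)})


def verify(log: list, key: bytes, head=None):
    """Return None if the log is intact, else the index of the first failing record."""
    # `head` is the newest record's MAC, stored away from the log itself;
    # without it, removal of records from the end cannot be noticed.
    prev = GENESIS
    for i, rec in enumerate(log):
        expected = _mac(key, prev, rec["entry"])
        if rec["entry"].get("seq") != i or not hmac.compare_digest(rec["mac"], expected):
            return i  # edited, reordered, or a record before it was removed
        prev = rec["mac"]
    if head is not None and not hmac.compare_digest(prev, head):
        return len(log)  # records are missing from the end
    return None


def demo():
    key = b"constructed-demo-key"  # assumption: the real key is kept off the logged host
    log = []
    for user, action in [("alice", "login"), ("alice", "read payroll.xls"),
                         ("bob", "delete payroll.xls")]:  # constructed sample events
        append(log, key, user, action)
    head = log[-1]["mac"]
    edited = copy.deepcopy(log)
    edited[2]["entry"]["user"] = "alice"  # an unauthorized change to one record
    return verify(log, key, head), verify(edited, key, head), verify(log[:2], key, head)


if __name__ == "__main__":
    print(demo())
```

The chain detects changes rather than preventing them, and anyone who holds the key can recompute it, so the key and the latest MAC belong on a separate system from the one being logged.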
Attacks That Can Be Prevented
The accountability service prevents no attacks. It works with the other services,
specifically confidentiality and integrity, to properly identify and authenticate the
individual who is attempting to perform an operation. The accountability service also
provides a record of what actions were taken by the authenticated user so that the
events can be reconstructed.
PART II
Ground Work
Copyright 2001 The McGraw-Hill Companies, Inc.