Introduction to System Security Flashcards

1
Q

Classification of protective measures

A
  • Prevention: Proactive steps to avert damage
  • Detection: Early identification of threats and intrusions
  • Reaction: Measures to restore assets after damage, taking into account unintended consequences such as restoring from a backup that was itself manipulated
2
Q

Computer security

A

Computer security deals with the prevention and detection of unauthorized actions by users of a computer system
-> Protection of information assets (how can they be jeopardized?)

3
Q

Data vs. information

A
  • Data: Physical phenomena chosen by convention to represent certain aspects of our conceptual and real world; the raw material
    -> Functions: Transmit and store information, derive new information by processing data according to formal rules
  • Information: Data that has been organized, structured, or interpreted to have meaning
    -> Characteristics: Information is the subjective interpretation of data
4
Q

Reliability

A

Concerned with (accidental) failures within the system itself, as opposed to deliberate attacks

5
Q

Safety

A

Concerned with the impact of system failures on the system's environment; also covers situations where the system has to perform properly under adverse conditions

6
Q

Dependability

A
  • Trustworthiness of a computing system allowing justifiable reliance on its service
  • Encompasses availability, reliability, performance, maintainability, and maintenance support performance
7
Q

Classical Security Targets

A
  • Confidentiality (Vertraulichkeit):
    -> Prevention of unauthorized disclosure of information
    -> Requires defining who is authorized and what they may learn
    -> Enforced by regulating access to resources according to permissions
  • Integrity (Integrität):
    -> Prevention of unauthorized modification of information
    -> Information stays accurate, consistent and precise; it changes only through authorized operations
    -> Enforced by regulating which subjects may alter a resource
  • Availability (Verfügbarkeit):
    -> Prevention of unauthorized withholding of information or resources
    -> Authorized users must be able to use information and services when they need them
    -> Guaranteeing reliable resource availability
8
Q

Continued security targets

A
  • Authenticity (Authentizität): Integrity of a message's content combined with verification of its origin
  • Accountability (Zurechenbarkeit):
    -> Availability and integrity of the identity of the subject that performed an operation
    -> Data origin authentication: verifies the source of transmitted data
    -> Entity authentication: confirms the identity of an entity
  • Non-repudiation (Verbindlichkeit):
    -> Availability and integrity of the sender's identity (non-repudiation of origin) or the receiver's identity (non-repudiation of receipt)
    -> Capability: the fact can be proven to (honest) third parties, not merely established between the communicating parties
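The boundary between authenticity/accountability and non-repudiation is easiest to see in code. The following is an added example, not part of the flashcards: a shared-key MAC (HMAC-SHA256 from the Python standard library) gives the two key holders integrity and origin authentication, but an honest third party shown the same evidence cannot decide which holder produced the tag. All party names, keys and messages are constructed for illustration.

```python
"""Added example, not part of the flashcards: a shared-key MAC provides
authenticity (integrity plus origin) between the key holders, but not
non-repudiation, because every holder of the key can produce the same tag.
All party names, keys and messages below are constructed for illustration."""
import hashlib
import hmac
import secrets


def tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 over the message under a shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag_value: bytes) -> bool:
    """Recompute the tag and compare in constant time, so the check itself
    leaks no timing information about how many bytes matched."""
    return hmac.compare_digest(tag(key, message), tag_value)


def authenticity_demo() -> dict:
    """Alice and Bob share a key. Bob accepts Alice's genuine message,
    rejects a modified copy (integrity) and rejects a message tagged by an
    outsider who holds a different key (origin)."""
    shared_key = secrets.token_bytes(32)
    genuine = b"transfer 100 EUR to account 42"   # constructed message
    tampered = b"transfer 900 EUR to account 42"  # altered content, old tag
    genuine_tag = tag(shared_key, genuine)
    outsider_tag = tag(secrets.token_bytes(32), genuine)  # wrong key
    return {
        "genuine_accepted": verify(shared_key, genuine, genuine_tag),
        "tampered_rejected": not verify(shared_key, tampered, genuine_tag),
        "outsider_rejected": not verify(shared_key, genuine, outsider_tag),
    }


def possible_authors(keyring: dict, message: bytes, tag_value: bytes) -> set:
    """What an honest third party (a judge) can conclude from the evidence.
    keyring maps a key label to (set of parties holding that key, key bytes).
    Every holder of a key under which the tag verifies could have authored it."""
    authors = set()
    for holders, key in keyring.values():
        if verify(key, message, tag_value):
            authors |= holders
    return authors


def non_repudiation_demo() -> dict:
    """Bob holds one key with Alice and another with Carol. Bob himself can
    attribute a message to Alice (accountability towards Bob, since he knows
    he did not send it). A judge seeing the same evidence cannot rule Bob
    out: the shared key gives no non-repudiation of origin."""
    keyring = {
        "alice-bob": ({"Alice", "Bob"}, secrets.token_bytes(32)),
        "bob-carol": ({"Bob", "Carol"}, secrets.token_bytes(32)),
    }
    contract = b"I accept the offer dated 2024-01-01"   # constructed message
    alice_tag = tag(keyring["alice-bob"][1], contract)  # Alice really sent it
    judge_view = possible_authors(keyring, contract, alice_tag)
    bob_view = judge_view - {"Bob"}  # Bob can exclude himself; a judge cannot
    return {"judge": judge_view, "bob": bob_view}


if __name__ == "__main__":
    print(authenticity_demo())
    print(non_repudiation_demo())
```

Achieving non-repudiation requires a primitive only the sender can compute, i.e. a digital signature under a private key; that is why signatures, not MACs, are used where a third party must be convinced.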
9
Q

Privacy Targets

A
  • Privacy: Confidentiality with respect to personal data, which can be either "information" or "meta-information"
  • Anonymity: Confidentiality of a person's identity: the state of not being identifiable within a set of subjects (the anonymity set)
  • Untraceability: Related to anonymity; actions or identities cannot be traced back to a source
  • Unlinkability: Different transactions cannot be linked to one another
  • Unobservability: An item of interest (IOI) is indistinguishable from any IOI of the same type (e.g. whether a message was sent at all)
    -> Unobservability protects information about the very existence of the item of interest against uninvolved parties
10
Q

Dimensions of Computer Security

A
  • Software
  • Hardware
  • Resource (object)
    -> Generally refers to a passive entity (a file or a record in a database)
    -> However, an object may also be an active device from the system's resource pool (a network printer, or a programmable service that is managed as a resource)
  • User (subject)
    -> Generally refers to an active entity
    -> Used to identify a running process
    -> Each subject assumes the identity and the privileges of a single principal
    -> A principal may launch several processes within a single login session and thus be associated with multiple subjects, each of which inherits the identity of the login session
  • Horizontal axis between User and Resource represents the focus of the security policy
  • Vertical axis between Software and Hardware represents the layers of the computer system where a protection mechanism is implemented
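The subject/object/principal vocabulary above is what a reference monitor works with. The following is an added example, not part of the flashcards: a minimal Python model in which a login session spawns several subjects (processes) that all inherit one principal, objects carry an access control list, and the access decision is taken on the principal's privileges rather than on the process. All names, groups and rights are constructed for illustration.

```python
"""Added example, not part of the flashcards: a minimal reference monitor
modelling the vocabulary of the card. Principals own privileges, subjects
(processes) act on behalf of the principal of their login session, objects
are passive resources with an access control list. Names and rights are
constructed for illustration."""
from dataclasses import dataclass
from itertools import count

_next_pid = count(1000)  # process ids are just sequence numbers here


@dataclass(frozen=True)
class Principal:
    """An entity that can be granted privileges: a user account plus its groups."""
    name: str
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class Subject:
    """An active entity: a running process bound to exactly one principal."""
    pid: int
    session: str
    principal: Principal


@dataclass
class Object:
    """A passive entity, e.g. a file. acl maps a principal or group name to rights."""
    name: str
    acl: dict


class LoginSession:
    """One authenticated principal; every process it spawns is a new subject
    that inherits the session's identity and privileges."""

    def __init__(self, principal: Principal, session_id: str):
        self.principal = principal
        self.session_id = session_id

    def spawn(self) -> Subject:
        return Subject(next(_next_pid), self.session_id, self.principal)


def permitted(subject: Subject, obj: Object, right: str) -> bool:
    """Reference monitor decision: a subject's access to an object is granted
    by the privileges of its principal (directly or via a group), never by pid."""
    identities = {subject.principal.name} | set(subject.principal.groups)
    return any(right in obj.acl.get(identity, set()) for identity in identities)


def demo() -> dict:
    """Two subjects of one session get identical rights; a group member gets
    only the group's rights; an unrelated principal gets nothing."""
    alice = Principal("alice", frozenset({"staff"}))
    bob = Principal("bob", frozenset({"staff"}))
    mallory = Principal("mallory", frozenset({"guests"}))
    payroll = Object("payroll.db", {"alice": {"read", "write"}, "staff": {"read"}})

    alice_login = LoginSession(alice, "tty1")
    shell, editor = alice_login.spawn(), alice_login.spawn()  # two subjects, one principal
    bob_shell = LoginSession(bob, "tty2").spawn()
    mallory_shell = LoginSession(mallory, "tty3").spawn()

    return {
        "distinct_subjects": shell.pid != editor.pid,
        "same_principal": shell.principal == editor.principal,
        "shell_writes": permitted(shell, payroll, "write"),
        "editor_writes": permitted(editor, payroll, "write"),
        "bob_reads_via_group": permitted(bob_shell, payroll, "read"),
        "bob_cannot_write": not permitted(bob_shell, payroll, "write"),
        "mallory_denied": not permitted(mallory_shell, payroll, "read"),
    }


if __name__ == "__main__":
    print(demo())
```

The horizontal axis of the card is the `acl` and the `permitted` rule (which principals may do what to which object); the vertical axis is the question of where `permitted` is enforced, in the application, the operating system kernel or the hardware.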
11
Q

Security Measures

A
  • Technical Measures
    -> Cryptography, System Security
  • Organizational
    -> Password Guidelines
    -> Security Training
  • Physical
    -> Building Protection: Implementing physical security to safeguard premises and assets
12
Q

Physical Security Approaches

A
  • Tamper resistant systems:
    -> Bank vault approach
    -> Robust materials slow down the attack
    -> Usually the easiest to apply
  • Tamper responding systems:
    -> Burglar alarm approach (the defence is detecting the intrusion)
    -> Good for portable systems or other systems where size and bulk are a disadvantage
    -> Sometimes secret data is destroyed on detection to prevent its theft, in particular for isolated systems that cannot depend on an outside response
  • Tamper evident systems:
    -> If a break-in occurs, evidence of it is left behind
    -> Not designed to prevent an attack or to respond while one is in progress
    -> An audit policy must be in place, otherwise the evidence is never examined