sppn.info Laws Internet Security Pdf


Friday, February 7, 2020

make your digital communication and data more secure and by . that manuals in general can't guarantee total security and that it is by no. With the ever-increasing usage of Internet, numerous activities take place in your In this tutorial, we will discuss how to use Internet in a safe and secure way. PDF | On Mar 1, , Kevin Naughton and others published Internet Security.

Internet Security Pdf

Language:English, Spanish, Japanese
Genre:Health & Fitness
Published (Last):
ePub File Size: MB
PDF File Size: MB
Distribution:Free* [*Regsitration Required]
Uploaded by: ELIJAH

Internet. We discuss their security requirements, potential security threats and different mech- building blocks to create secure, Internet enabled applications. Introduction to Internet. Infrastructure Security. □ Introduction to the main network security issues that infrastructure operators need to be aware. Internet security is a branch of computer security specifically related to not only the Internet, .. Print/export. Create a book · Download as PDF · Printable version .

I Management procedures and constraints to prevent unauthorized access to a system. See: "third law" under "Courtney's laws", manager, operational security, procedural security, security architecture.

Compare: technical security. Examples: Clear delineation and separation of duties; configuration control.

What Is Network Security?

Usage: Administrative security is usually understood to consist of methods and mechanisms that are implemented and executed primarily by people, rather than by automated systems. O "The management constraints, operational procedures, accountability procedures, and supplemental controls established to provide an acceptable level of protection for sensitive data. See: administrative security. Government standard [ FP ] the successor to DES that a specifies "the AES algorithm", which is a symmetric block cipher that is based on Rijndael and uses key sizes of , , or bits to operate on a bit block, and b states policy for using that algorithm to protect unclassified, sensitive data.

I An entity that attacks a system.

Compare: cracker, intruder, hacker. I An entity that is a threat to a system.

See: classification. See: sneaker net. Compare: gateway. Example: Computer A and computer B are on opposite sides of a room. To move data from A to B, a person carries a disk across the room. If A and B operate in different security domains, then moving data across the air gap may involve an upgrade or downgrade operation.

See: cryptographic algorithm. These and other dramatis personae are listed by Schneier [ Schn ]. Tutorial: ANSI has approximately 1, member organizations, including equipment users, manufacturers, and others.

These include commercial firms, governmental agencies, and other institutions and international entities. ANSI is the sole U. National Committee the International Electrotechnical Commission IEC , which are the two major, non-treaty, international standards organizations. Example: [ A ]. Forms the basis of the character set representations used in most computers and many Internet standards. Anderson for the U. Air Force [ Ande ]. Tutorial: Anderson collaborated with a panel of experts to study Air Force requirements for multilevel security.

The study recommended research and development that was urgently needed to provide secure information processing for command and control systems and support systems. The report introduced the reference monitor concept and provided development impetus for computer and network security technology. However, many of the security problems that the report called "current" still plague information systems today. See: IDS. Compare: misuse detection. See: alias, anonymizer, anonymous credential, anonymous login, identity, onion routing, persona certificate.

Compare: privacy. Tutorial: An application may require security services that maintain anonymity of users or other system entities, perhaps to preserve their privacy or hide them from attack. To hide an entity's real name, an alias may be used; for example, a financial institution may assign account numbers.

Parties to transactions can thus remain relatively anonymous, but can also accept the transactions as legitimate. Real names of the parties cannot be easily determined by observers of the transactions, but an authorized third party may be able to map an alias to a real name, such as by presenting the institution with a court order.

In other applications, anonymous entities may be completely untraceable. That is, the service enables a client to access servers a without allowing Shirey Informational [Page 18] RFC Internet Security Glossary, Version 2 August anyone to gather information about which servers the client accesses and b without allowing the accessed servers to gather information about the client, such as its IP address. For example, when the credential is an X. Instead, use "attribute certificate", "organizational certificate", or "persona certificate" depending on what is meant, and provide additional explanations as needed.

See: anonymity. Tutorial: This feature exposes a system to more threats than when all the users are known, pre-registered entities that are individually accountable for their actions. A user logs in using a special, publicly known user name e. To use the public login name, the user is not required to know a secret password and may not be required to input anything at all except the name.

In other cases, to complete the normal sequence of steps in a login protocol, the system may require the user to input a matching, publicly known password such as "anonymous" or may ask the user for an e-mail address or some other arbitrary character string. See: trust anchor, top CA.

Compare: backup, repository. Compare: back up. Tutorial: A digital signature may need to be verified many years after the signing occurs. The CA -- the one that issued the certificate containing the public key needed to verify that signature -- may not stay in operation that long. So every CA needs to provide for long-term storage of the information needed to verify the signatures of those to whom it issues certificates.

Government; b led to the development of today's Internet; and c was decommissioned in June See: security association.

Website Menu

Example: U. Government guidance [ M ] describes four assurance levels for identity authentication, where each level "describes the [U. Federal Government] agency's degree of certainty that the user has presented [a credential] that refers to [the user's] identity.

However, as noted there, an assurance level is "a degree of confidence, not a true measure of how secure the system actually is. This distinction is necessary because it is extremely difficult -- and in many cases, virtually impossible -- to know exactly how secure a system is. See: key pair, symmetric cryptography.

Tutorial: Asymmetric algorithms have key management advantages over equivalently strong symmetric ones. First, one key of the pair need not be known by anyone but its owner; so it can more easily be kept secret. Second, although the other key is shared by all entities that use the algorithm, that key need not be kept secret from other, non-using entities; thus, the key-distribution part of key management can be done more easily.

Asymmetric cryptography can be used to create algorithms for encryption, digital signature, and key agreement: - In an asymmetric encryption algorithm e. Only Bob has the matching private key that is needed to decrypt the data. Compare: seal. To verify the signature, Bob uses the matching public key that Alice has provided. Then each uses their own private key and the other's public key to compute the new key value.

See: asymmetric cryptography, private key, public key. I An intentional act by which an entity attempts to evade security services and violate the security policy of a system. That is, an actual assault on system security that derives from an intelligent threat. See: penetration, violation, vulnerability.

I A method or technique used in an assault e. See: blind attack, distributed attack. The object of a passive attack might be to obtain data that is needed for an off-line attack. Attacks can be characterized according to point of initiation: - An "inside attack" is one that is initiated by an entity inside the security perimeter an "insider" , i.

Internet security

In the Internet, potential outside attackers range from amateur pranksters to organized criminals, international terrorists, and hostile governments. Attacks can be characterized according to method of delivery: - In a "direct attack", the attacker addresses attacking packets to the intended victim s.

The third party responds by sending one or more attacking packets to the intended victims. The attacker can use third parties as attack amplifiers by providing a broadcast address as the victim address e. See: reflector attack. Compare: reflection attack, replay attack. Compare: threat, risk. See: indicator. The security incident that is the goal of the attack is represented as the root node of the tree, and the ways that an attacker could reach that goal are iteratively and incrementally represented as branches and subnodes of the tree.

Each subnode defines a subgoal, and each subgoal may have its own set of further subgoals, etc. The final nodes on the paths outward from the root, i. To achieve the goal represented by an AND-node, the subgoals represented by all of that node's subnodes must be achieved; and for an OR-node, at least one of the subgoals must be achieved. Branches can be labeled with values representing difficulty, cost, or other attack attributes, so that alternative attacks can be compared.

An "attribute type" is the component of an attribute that indicates the class of information given by the attribute; and an "attribute value" is a particular instance of the class of information indicated by an attribute type.

See: attribute certificate. N A CA that issues attribute certificates. O "An authority [that] assigns privileges by issuing attribute certificates. I A digital certificate that binds a set of descriptive data items, other than a public key, either directly to a subject name or to the identifier of another certificate that is a public-key certificate. See: capability token. O "A data structure, digitally signed by an [a]ttribute [a]uthority, that binds some attribute values with identification information about its holder.

Other attributes of a subject, such as a security clearance, may be certified in a separate kind of digital certificate, called an attribute certificate. A subject may have multiple attribute certificates associated with its name or with each of its public-key certificates.

An attribute certificate might be issued to a subject in the following situations: - Different lifetimes: When the lifetime of an attribute binding is shorter than that of the related public-key certificate, or when it is desirable not to need to revoke a subject's public key just to revoke an attribute.

There is no requirement that an attribute certificate be issued by the same CA that issued the associated public-key certificate.

See: security audit. See: authentication, validate vs. Deprecated Usage: In general English usage, this term is used with the meaning "to prove genuine" e. Instead, use "verify". Instead, use "validate". See: attribute, authenticate, authentication exchange, authentication information, credential, data origin authentication, peer entity authentication, "relationship between data integrity service and authentication services" under "data integrity service", simple authentication, strong authentication, verification, X.

Shirey Informational [Page 26] RFC Internet Security Glossary, Version 2 August Tutorial: Security services frequently depend on authentication of the identity of users, but authentication may involve any type of attribute that is recognized by a system. A claim may be made by a subject about itself e.

An authentication process consists of two basic steps: - Identification step: Presenting the claimed attribute value e. See: verification. Instead, use "checksum", "Data Authentication Code", "error detection code", "hash", "keyed hash", "Message Authentication Code", "protected checksum", or some other recommended term, depending on what is meant.

The term mixes concepts in a potentially misleading way. The word "authentication" is misleading because the checksum may be used to perform a data integrity function rather than a data origin authentication function. I A mechanism to verify the identity of an entity by means of information exchange. O "A mechanism intended to ensure the identity of an entity by means of information exchange. See: IPsec. Compare: ESP. However, some IP header fields may change in transit, and the value of these fields, when the packet arrives at the receiver, may not be predictable by the sender.

Thus, the values of such fields cannot be protected end-to-end by AH; protection of the IP header by AH is only partial when such fields are present. AH may be used alone, or in combination with the ESP, or in a nested fashion with tunneling.

Security services can be provided between a pair of communicating hosts, between a pair of communicating security gateways, or between a host and a gateway. See: authentication, credential, user. Compare: identification information. Tutorial: Authentication information may exist as, or be derived from, one of the following: a Something the entity knows see: password ; b something the entity possesses see: token ; c something the entity is see: biometric authentication.

See: authentication. Tutorial: In a network, there are two general forms of authentication service: data origin authentication service and peer entity authentication service. See: authenticate, authentication, validate vs. Instead, use the full term at the first instance of usage and then, if it is necessary to shorten text, use AA, CA, RA, and other abbreviations defined in this Glossary. Instead, use the full term "certification authority certificate", "attribute authority certificate", "registration authority certificate", etc.

Information and services may include on-line validation services and CA policy data. I An approval that is granted to a system entity to access a system resource.

Prof. Dr. Adrian Perrig

Compare: permission, privilege. Usage: Some synonyms are "permission" and "privilege". See: privileged process, privileged user. Tutorial: The semantics and granularity of authorizations depend on the application and implementation see: "first law" under "Courtney's laws".

An authorization may specify a particular access mode -- such as read, write, or execute -- for one or more system resources. I A process for granting approval to a system entity to access a system resource.

This process assesses transaction risk, confirms that a given transaction does not raise the account holder's debt above the account's credit limit, and reserves the specified amount of credit. When a merchant obtains authorization, payment for the authorized amount is guaranteed -- provided, of course, that the merchant followed the rules associated with the authorization process. Compare: insider, outsider, unauthorized user. I The property of a system or a system resource being accessible, or usable or operational upon demand, by an authorized system entity, according to performance specifications for the system; i.

See: critical, denial of service. Compare: precedence, reliability, survivability. O "The property of being accessible and usable upon demand by an authorized entity. D "Timely, reliable access to data and information services for authorized users.

See: reliability. Shirey Informational [Page 30] RFC Internet Security Glossary, Version 2 August Tutorial: Availability requirements can be specified by quantitative metrics, but sometimes are stated qualitatively, such as in the following: - "Flexible tolerance for delay" may mean that brief system outages do not endanger mission accomplishment, but extended outages may endanger the mission.

Tutorial: This service addresses the security concerns raised by denial-of-service attacks. It depends on proper management and control of system resources, and thus depends on access control service and other security services. See: maintenance hook.

Compare: Trojan Horse. Example: A way to access a computer other than through a normal login. Such an access path is not necessarily designed with malicious intent; operating systems sometimes are shipped by the manufacturer with hidden accounts intended for use by field service technicians or the vendor's maintenance programmers.

Example: A feature that makes it possible to decrypt cipher text much more quickly than by brute-force cryptanalysis, without having prior knowledge of the decryption key. See: contingency plan. Compare: archive. Example: A reserve copy of data, preferably one that is stored separately from the original, for use if the original becomes lost or damaged.

A person who has caused some trouble, inadvertently or otherwise, typically by failing to program the computer properly. Deprecated Term: It is likely that other cultures use different metaphors for these concepts. The best antimalware programs not only scan for malware upon entry, but also continuously track files afterward to find anomalies, remove malware, and fix damage.

Advanced Malware Protection Application security Any software you use to run your business needs to be protected, whether your IT staff builds it or whether you download it.

Unfortunately, any application may contain holes, or vulnerabilities, that attackers can use to infiltrate your network. Application security encompasses the hardware, software, and processes you use to close those holes. Behavioral analytics tools automatically discern activities that deviate from the norm.

Your security team can then better identify indicators of compromise that pose a potential problem and quickly remediate threats. Cognitive Threat Analytics Stealthwatch Network as a Sensor Data loss prevention Organizations must make sure that their staff does not send sensitive information outside the network. Data loss prevention, or DLP, technologies can stop people from uploading, forwarding, or even printing critical information in an unsafe manner.

Data Loss Prevention Email security Email gateways are the number one threat vector for a security breach. Attackers use personal information and social engineering tactics to build sophisticated phishing campaigns to deceive recipients and send them to sites serving up malware.

An email security application blocks incoming attacks and controls outbound messages to prevent the loss of sensitive data. Email Security Firewalls Firewalls put up a barrier between your trusted internal network and untrusted outside networks, such as the Internet.

They use a set of defined rules to allow or block traffic. A firewall can be hardware, software, or both. Cisco offers unified threat management UTM devices and threat-focused next-generation firewalls. More about firewalls Intrusion prevention systems An intrusion prevention system IPS scans network traffic to actively block attacks. Cisco Next-Generation IPS NGIPS appliances do this by correlating huge amounts of global threat intelligence to not only block malicious activity but also track the progression of suspect files and malware across the network to prevent the spread of outbreaks and reinfection.

Learn the fundamentals of IPS min Mobile device security Cybercriminals are increasingly targeting mobile devices and apps. Within the next 3 years, 90 percent of IT organizations may support corporate applications on personal mobile devices.

Of course, you need to control which devices can access your network. You will also need to configure their connections to keep network traffic private. Mobile Device Management Network segmentation Software-defined segmentation puts network traffic into different classifications and makes enforcing security policies easier.The report introduced the reference monitor concept and provided development impetus for computer and network security technology.

I An intentional act by which an entity attempts to evade security services and violate the security policy of a system. However, to allow legitimate internal and external users to access application resources through the firewall, higher-layer protocols and services need to be relayed and forwarded by the bastion host. Handbook of Information and Communication Security. Pronunciation: star property.

This method outputs a MAC value that can be decrypted by the receiver, using the same secret key used by the sender.

Other glossaries e. This process is network access control NAC. Compare: gateway. System entities are in one-to-one relationships with their billets, but may be in many-to-one and one-to-many relationships with their roles.