
Page 1: Overview of Key Security Concepts and Vocabulary

This Document was Funded by the National Science Foundation Federal Cyber Service Scholarship For Service Program: Grant No. 0113627

Distributed October 2002

Embry-Riddle Aeronautical University • Prescott, Arizona • USA

Overview of Key Concepts & Vocabulary. ©2002, Matt Jaffe, Jan G. Hogle, Susan Gerhart. http://nsfsecurity.pr.erau.edu

Page 2: Some Underlying Vocabulary and Integrating Concepts

To have access is to be able to do something

Authorization means that you’re supposed to have access

A security policy describes who is authorized which type(s) of access to what

Mechanisms are the physical, electronic, and procedural means of enforcing a security policy

A system’s security architecture consists of all the mechanisms involved in enforcing its security policy

An attack is a deliberate attempt to circumvent some mechanism and violate a security policy
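The vocabulary above maps directly onto code, and the following added example (not part of the ERAU slides) shows the mapping: the security policy is plain data stating who is authorized which type of access to what; the mechanism is a reference monitor that enforces it and denies everything the policy does not explicitly authorize; and an attack shows up in the monitor's audit log as repeated requests that the policy forbids. The subjects (alice, bob, mallory), the object payroll.db and the policy text are constructed sample values.

```python
"""Policy versus mechanism, with an attack attempt caught by the mechanism.

Added example for the vocabulary above; it is not code from the ERAU slides.
The security policy is plain data saying who is authorized which type of
access to what.  The mechanism is the code that enforces it (a reference
monitor that denies anything the policy does not explicitly authorize).
Every request is recorded, so repeated denied requests, which is what an
attempt to circumvent the mechanism looks like from the inside, can be
detected.  All subjects, objects and policy lines are constructed samples.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    subject: str   # who
    action: str    # which type of access, e.g. "read" or "write"
    obj: str       # to what


@dataclass(frozen=True)
class Policy:
    rules: frozenset[Rule]

    def authorizes(self, subject: str, action: str, obj: str) -> bool:
        # Authorization is a property of the policy, not of the requester's
        # ability: the question is "is this subject supposed to have this access?"
        return Rule(subject, action, obj) in self.rules


def parse_policy(text: str) -> Policy:
    """Parse one 'subject action object' rule per line; '#' starts a comment."""
    rules: set[Rule] = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"policy line {lineno}: expected 'subject action object', got {raw!r}")
        rules.add(Rule(*parts))
    return Policy(frozenset(rules))


@dataclass
class ReferenceMonitor:
    """The mechanism: every access request goes through here and is logged."""
    policy: Policy
    audit_log: list[str] = field(default_factory=list)

    def request(self, subject: str, action: str, obj: str) -> bool:
        allowed = self.policy.authorizes(subject, action, obj)   # deny by default
        verdict = "ALLOW" if allowed else "DENY"
        self.audit_log.append(f"{verdict} {subject} {action} {obj}")
        return allowed

    def denied_counts(self) -> Counter[str]:
        """Denied requests per subject, derived from the audit log."""
        return Counter(entry.split()[1] for entry in self.audit_log if entry.startswith("DENY"))

    def repeat_offenders(self, threshold: int) -> list[str]:
        """Subjects denied at least `threshold` times: repeated attempts to do
        something the policy forbids are what an attack looks like in the log."""
        return sorted(s for s, n in self.denied_counts().items() if n >= threshold)


SAMPLE_POLICY = """
# constructed sample policy: subject action object
alice read  payroll.db
alice write payroll.db
bob   read  payroll.db
"""


def run_scenario() -> ReferenceMonitor:
    """Constructed sequence of requests: normal use by alice and bob, one
    mistake by bob, and three attempts by mallory, who is not in the policy."""
    monitor = ReferenceMonitor(parse_policy(SAMPLE_POLICY))
    monitor.request("alice", "read", "payroll.db")
    monitor.request("bob", "read", "payroll.db")
    monitor.request("bob", "write", "payroll.db")   # bob has read but not write
    for _ in range(3):
        monitor.request("mallory", "read", "payroll.db")
    return monitor


if __name__ == "__main__":
    m = run_scenario()
    print("\n".join(m.audit_log))
    print("repeat offenders:", m.repeat_offenders(threshold=3))
```

Two design points worth noticing: the policy never says what is forbidden, only what is authorized, so the mechanism is deny-by-default and a new subject such as mallory gets nothing until a rule is added; and the audit log is the mechanism's own record, which is why detecting the attack needs no extra data source.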

Page 3: The Mechanisms of Information Security

[Diagram of the mechanisms of information security; labels on the slide: Information Assurance, Information Security, INFOSEC, COMPUSEC, COMSEC, Crypto, Emissions Security, Physical Security, OPSEC, Personnel Security]

Page 4: INFOSEC: Information Systems Security

Informally: Security of information in electronic form

Formally:

“The protection of Information Systems (IS) against unauthorized access to or modification of information, whether in storage, processing or transit, and against denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.”

Page 5: COMPUSEC: Computer Security

Informally: Security of information in computers

Formally:

“Measures and controls that ensure confidentiality, integrity, and availability of the information processed and stored by a computer.”

Page 6: COMSEC: Communication Security

Informally: Protection of information as it is being transmitted from one place to another

Formally:

“Measures and controls taken to deny unauthorized persons information derived from telecommunications and to ensure the authenticity of such telecommunications. Communications security includes cryptosecurity, transmission security, emissions security, and physical security of COMSEC material.”

Page 7: Cryptography

Informally: Concealing information (in a reversible manner)

Formally:

“The principles, means, and methods for rendering plain information unintelligible and for restoring encrypted information to intelligible form.”

Page 8: Emissions Security

Informally: Protection against electronic eavesdropping (which can come in some surprisingly nasty forms)

Formally:

“Protection resulting from all measures taken to deny unauthorized persons information of value which might be derived from intercept and analysis of compromising emanations from crypto-equipment, AIS, and telecommunications systems.”

Page 9: OPSEC: Operations Security

Informally:

“We can tell something is up at the White House by keeping track of the number of pizzas delivered after midnight”

Formally:

“[The] process denying to potential adversaries information about capabilities and/or intentions by identifying, controlling and protecting generally unclassified evidence of the planning and execution of sensitive activities.”

Page 10: Physical Security

Informally: Keeping the bad guys out of places they’re not supposed to be

Formally:

“The physical measures necessary to safeguard equipment, material, and documents from access thereto or observation thereof by unauthorized persons.”

Page 11: Personnel Security

Informally: Not hiring bad guys and keeping good guys from becoming bad guys

Formally: The ongoing screening, selection, management, and evaluation of people with security clearances, sensitive positions, and/or special access

Page 12: Why So Much Overlap in the Jargon?

As is often the case, what we now realize is basically one subject with several key aspects evolved from originally disparate disciplines, each with its own vocabulary

Many of the key concepts appear in slightly different guises in the separate disciplines; they each had their own, separate terms for essentially the same concepts but the overlap isn’t perfect so use of the older terms still persists

Many of the fields are young enough that the basic insights are still being developed --- a potentially major new vulnerability to computers with CRT displays was just published this year (2002) for the first time; young fields are often characterized by an excess of inconsistent and overlapping jargon

Page 13: Another Note on the Jargon (and Further References)

Except where otherwise noted, the acronyms and formal definitions used here come from American National Standard T1.523-2001 Telecom Glossary 2000

As of October 2002, the Telecom Glossary 2000 was available online at http://www.atis.org/tg2k/; it provides a comprehensive set of references for further information

Page 14: About this Project

This presentation is part of a larger package of materials on security issues. For more information, go to: http://nsfsecurity.pr.erau.edu

Other materials available on this topic are:

Introduction to Information Security

The Key Mechanisms of Information Security: Their strengths, weaknesses and interdependencies

Exercises (html): Decision Maze, Crossword Puzzle, Security Scene

Quizzes (html): Multiple choice, Fill-in-the-blank

Please complete a feedback form at http://nsfsecurity.pr.erau.edu/feedback.html to tell us how you used this material and to offer suggestions for improvements.