CHAPTER 3 Information Security Services 27 Copyright 2001 The McGraw-Hill Companies, Inc. Click Here for Terms of Use. I nformation security services are the base-level services that are used to combat the at - tacks defined in Chapter 2. Each of the four security services combats specific attacks (see Table 3-1). The services defined here should not be confused with security mecha - nisms, which are the actual implementations of these services. The specifics of how information security services are used within an organization de - pend upon proper risk assessment and security planning (see Chapters 6 and 7). However, to understand the basic requirements for security within an organization, it is important to understand how security services can be used to counter specific types of attacks. CONFIDENTIALITY The confidentiality service provides for the secrecy of information. When properly used, confidentiality only allows authorized users to have access to information. In order to perform this service properly, the confidentiality service must work with the accountability service to properly identify individuals. In performing this function, the confidentiality service protects against the access attack. The confidentiality ser- vice must take into account the fact that information may reside in physical form in paper files, in electronic form in electronic files, and in transit. Confidentiality of Files There are different ways to provide for the confidentiality of files depending upon the way in which the file exists. For paper files, the physical paper file must be protected. The physical file must exist at a particular location; therefore, access to this location must be controlled. The confidentiality service for paper files relies on physical access controls. This includes locks on file cabinets or desk drawers, restricted rooms within a site, or ac- cess restrictions on the site itself. If the files are electronic, they have different characteristics. First, the files may exist in several locations at the same time (backup tapes, various computer systems, floppy disks or 28 Network Security: A Beginner’s Guide Security Service Attack Confidentiality Integrity Availability Accountability Access X X Modification X X Denial of service X Repudiation X X Table 3-1. Information Security Services vs. Attacks CDs, and so on). Second, physical access to the file’s physical location may not be necessary. Handling the confidentiality of tapes and disks is similar to handling the physical security of paper files. Since an attacker must physically access the tape or disk, confidentiality requires physical access controls. Access to electronic files on computer systems relies on some type of computer access control (this may include the encryption of files). Computer access con - trol relies on proper identification and authentication (an accountability service) and proper system configuration so that an unauthorized user cannot become an authorized user by by - passing the identification and authentication function (such as via a system vulnerability). Table 3-2 shows the mechanisms and requirements for the confidentiality of files. Confidentiality of Information in Transmission Only protecting information stored in files is not sufficient to properly protect the infor - mation. Information can also be attacked while in transmission. Therefore, protecting the confidentiality of information in transmission may also be necessary (see Figure 3-1); this is done through the use of encryption. Information can be protected on a per-message basis or by encrypting all traffic on a link. Encryption by itself can prevent eavesdropping but it cannot completely prevent intercep- tion. In order to protect information from being intercepted, proper identification and au- thentication must be used to determine the identity of the remote end point (see Figure 3-2). Traffic Flow Confidentiality Unlike other confidentiality services, traffic flow confidentiality is not concerned with the actual information being stored or transmitted. Traffic flow confidentiality is concerned with the fact that some form of traffic is occurring between two end points (see Fig- ure 3-3). This type of information can be used (by a traffic analyst) to identify organiza- tions that are communicating. The amount of traffic flowing between the two end points may also indicate some information. For example, many news organizations watch deliv - eries of pizza to the White House and the Pentagon. The idea is that an increase in the number of pizzas may indicate a crisis is occurring. Chapter 3: Information Security Services 29 Confidentiality mechanisms Physical security controls Computer file access control Encryption of files File confidentiality requirements Identification and authentication Proper computer system configuration Proper key management if encryption is used Table 3-2. File Confidentiality Mechanisms and Requirements Traffic flow confidentiality can be provided by obscuring information flows between two end points within a much larger flow of traffic. In the military, two sites may set up communications and then send a constant flow of traffic regardless of the number of mes - sages that are actually sent (the remainder is filled up with garbage). In this way, the amount of traffic remains constant and any changes to the message rate will not be detected. Attacks That Can Be Prevented Confidentiality can prevent access attacks. However, confidentiality by itself cannot completely solve the problem. The confidentiality service must work with the account - ability service to establish the identity of the individual who is attempting to access infor - mation. Combined, the confidentiality and accountability services can reduce the risk of unauthorized access. INTEGRITY The integrity service provides for the correctness of information. When properly used, in - tegrity allows users to have confidence that the information is correct and has not been modified by an unauthorized individual. As with confidentiality, this service must work 30 Network Security: A Beginner’s Guide Figure 3-1. Encryption can protect information in transmission. TEAMFLY Team-Fly ® with the accountability service to properly identify individuals. The integrity service pro- tects against modification attacks. Information to be protected by the integrity service may exist in physical paper form, in electronic form, or in transit. Integrity of Files Information may exist in paper or electronic files. Paper files are generally easier to pro - tect for integrity than electronic files, and it is generally easier to identify when a paper file was modified. I say “generally” here as there is some amount of skill required to mod - ify a paper file in such a way that it will pass inspection while an electronic file can be modified by anyone with access to it. There are several ways to protect paper files from modification. These include using sig - nature pages, initialing every page, binding the information in a book, and distributing mul - tiple copies of the file in question. The integrity mechanisms are used to make it very difficult for a modification to go unnoticed. Certainly forgers can copy signatures but this is a difficult skill. Initialing every page makes a simple page replacement difficult. Binding documents into books makes the insertion or deletion of entries or pages difficult. Making multiple copies of the information and distributing the copies to interested parties makes it difficult to successfully change all of the documents at the same time. Chapter 3: Information Security Services 31 Figure 3-2. Encryption coupled with identification and authentication can protect against interception Of course, another way to prevent the modification of paper documents is to prevent unauthorized access completely. This can be accomplished through the same mecha - nisms used for confidentiality (that is, physical security measures). Electronic files are generally easier to modify. In many cases, all it takes is to bring the file up in a word processor and insert or delete the appropriate information. When the file is saved, the new information takes the place of the old. The primary method of protect - ing the integrity of electronic information files is the same as for protecting the confidenti - ality of the information, computer file access control. In this case, however, the access 32 Network Security: A Beginner’s Guide Figure 3-3. Traffic flows can identify which organizations are working together control mechanism is not configured to completely deny access but instead is configured to allow for the reading of the file but not for the writing of changes. Also, as with confi - dentiality, it is very important to correctly identify the individual seeking to make a change. This can only be performed through the use of identification and authentication. The use of computer file access controls works well if the files reside on a single com - puter system or a network within the control of the organization. What if the file is to be copied to other parties or organizations? In this case, it is clear that the access controls on a single computer system or network are insufficient to provide protection. Therefore, there must be a mechanism that can identify when an unauthorized change has been made to the file. That mechanism is a digital signature (see Chapter 12 for more detail on digital signatures). A digital signature on a file can identify if the file has been modified since the signature was created. In order to be worthwhile, the digital signature must be identified with a particular user; thus, the integrity service must work with the identifica - tion and authentication function. Integrity of Information Transmission Information can be modified during transmission. However, it is extremely difficult to modify traffic without performing an interception attack. Encryption can prevent most forms of modification attacks during transmission. When coupled with a strong identifi- cation and authentication function, even interception attacks can be thwarted (look back to Figure 3-2). Attacks That Can Be Prevented The integrity service can prevent successful modification and repudiation attacks. While any modification attack may change a file or information in transit, modification attacks cannot be successful if the integrity service is functioning properly as the unauthorized change will be detected. When coupled with a good identification and authentication ser - vice, even changes to files outside of the organization can be detected. Successful repudiation attacks cannot be prevented without both a good integrity ser - vice and good identification and authentication. In this case, the mechanism to detect the attack is a digital signature. AVAILABILITY The availability service provides for information to be useful. Availability allows users to access computer systems, the information on the systems, and the applications that per - form operations on the information. Availability also provides for the communications systems to transmit information between locations or computer systems. The informa - tion and capabilities most often thought of when we speak of availability are all elec - tronic. However, the availability of paper information files can also be protected. Chapter 3: Information Security Services 33 . exists. For paper files, the physical paper file must be protected. The physical file must exist at a particular location; therefore, access to this location must be controlled. The confidentiality. difficult. Making multiple copies of the information and distributing the copies to interested parties makes it difficult to successfully change all of the documents at the same time. Chapter. or a network within the control of the organization. What if the file is to be copied to other parties or organizations? In this case, it is clear that the access controls on a single computer