According to ITSEC (Department of Trade and Industry (United Kingdom), 1991), the disciplines of Computer Security and IT Security rest on three fundamental concerns:
• Confidentiality
• Integrity
• Availability
As Gollmann (1999) states, this list is subject to discussion depending on the individual viewpoint towards security and is therefore not necessarily complete. Other criteria such as accountability, reliability, and safety also contribute to the goal of IT Security.
Confidentiality
We use the definition of confidentiality from the Department of Trade and Industry (United Kingdom).
Definition 6 (Confidentiality): Prevention of the unauthorized disclosure of information (Department of Trade and Industry (United Kingdom), 1991)
The goal of confidentiality is concerned with keeping private information classified. Protection of classified information is a frequent requirement for military environments or application settings where trade secrets are present. This involves a default protection scheme to forbid access to classified data and resources without the proper classification level of the reading entity. The Bell-LaPadula security model formalizes confidentiality in systems.

Concern and description

Prevention: Prevention helps to anticipate damage towards assets. This includes precautions by technical and design mechanisms. Technical mechanisms are ideally implemented by invariants. Objects that cannot be changed by attackers, such as read-only file systems, read-only memory, read-only environments, and non-executable stack areas of current microprocessors, like the non-executable stack (Ananthaswamy, 2004), reduce the attack surface. The contained execution model of the J2SE is also a technical precaution. It is known as the sandbox. Typical architectural mechanisms for prevention enforce access control checks, such as prompting for the user identification and password to force an authentication prior to the usage of a program.

Detection: Detection aims to monitor attacks and the damage they cause. Specialized tools, such as intrusion detection systems like the open source product Snort (Snort Project, 2004), provide mechanisms to alert on attacks or suspicious behavior of entities. This is for example the case when repeated access to a protected resource such as a password file, a privileged user account or a system port has occurred. Detection tools may work on several layers of the ISO/OSI communication reference model. Rule definitions triggered by events specify suspicious IP packets on the network layer or signatures of HTTP-based attacks on the transport layer. Attacks that subvert the integrity of the application level, such as viruses and trojans, allow detection by comparing attack signatures to the content of an untrusted executable file. To document attacks it is important to collect forensic material, such as network traces, to prepare legal actions against the originator of the attack.

Recovery and Reaction: Recovery and Reaction is primarily responsible for re-establishing integrity after an attack has occurred. To repair the damage caused by an attack, the integrity breaches to the data of the system have to be removed before re-launching the system. The second goal of recovery is to re-establish availability after the attack. In order not to be a target for a repeated attack, the recovery step also includes the detection and analysis of the vulnerabilities that caused the success of the attack. Fixing the identified leaks is done either by recoding the vulnerable parts of the application or by applying a security patch in the case of vulnerable third-party components, for example installing an update for the J2RE or a security update for the underlying operating system. Recovery should take place after the collection of forensic material. Active countermeasures against the attackers may also belong to the recovery process, depending on the legal settings in the country where the attack target is located.

Computer Security 31
Integrity
Integrity of information systems is especially important for businesses, as their transactional decisions and the resulting monetary success depend on the correctness and trustworthiness of data and the validity of the used algorithms.
The Department of Trade and Industry (United Kingdom) introduced this definition of integrity:
Definition 7 (Integrity): Prevention of the unauthorized modification of information (Department of Trade and Industry (United Kingdom), 1991)
Content integrity aims to prevent attacks on both by intruders. Authentication supports the goal of origin integrity to ensure that the origin is known and not anonymous.
Additional authorization checks guarantee that only authenticated entities pass the access control checks according to their role or their individual credentials. After passing the check, a client has the permission to perform a privileged action. Credentials such as a user ID and password or cryptographic keys are typical proofs for the identity of a user in a specific access context. The standardized Subject class of the javax.security.auth package contains this information in the JAVA context.
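The following added example (not code from the thesis or from the JAVA platform documentation) shows how a Subject produced by an authentication step carries the user identity and roles, and how an authorization check consults those principals before a privileged action runs. The UserPrincipal and RolePrincipal classes, the role name "auditor" and the simulated authenticate method are assumptions made for the example.

```java
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;

public class SubjectAuthorization {

    // Principal naming an authenticated user (assumed helper type for this example).
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Principal naming a role the user holds (assumed helper type). Value
    // equality is needed so that Set.contains() works in the check below.
    public static final class RolePrincipal implements Principal {
        private final String role;
        public RolePrincipal(String role) { this.role = role; }
        @Override public String getName() { return role; }
        @Override public boolean equals(Object o) {
            return o instanceof RolePrincipal && role.equals(((RolePrincipal) o).role);
        }
        @Override public int hashCode() { return role.hashCode(); }
    }

    // Simulated authentication result: the Subject collects the verified user
    // identity and the roles looked up for it, then is frozen so that no
    // further principals or credentials can be added to it.
    public static Subject authenticate(String user, Set<String> roles) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new UserPrincipal(user));
        for (String role : roles) {
            subject.getPrincipals().add(new RolePrincipal(role));
        }
        subject.setReadOnly();
        return subject;
    }

    // Access control check consulted before a privileged action:
    // Subject.getPrincipals(Class) returns only the principals of that type.
    public static boolean isAuthorized(Subject subject, String requiredRole) {
        Set<RolePrincipal> roles = subject.getPrincipals(RolePrincipal.class);
        return roles.contains(new RolePrincipal(requiredRole));
    }

    // Privileged action guarded by the check.
    public static String readAuditLog(Subject caller) {
        if (!isAuthorized(caller, "auditor")) {
            throw new SecurityException("role 'auditor' required");
        }
        return "...audit records...";
    }

    public static void main(String[] args) {
        Subject alice = authenticate("alice", Set.of("user", "auditor"));
        Subject bob = authenticate("bob", Set.of("user"));
        System.out.println("alice -> " + readAuditLog(alice));
        try {
            readAuditLog(bob);
        } catch (SecurityException e) {
            System.out.println("bob -> denied: " + e.getMessage());
        }
    }
}
```

The Subject is made read-only as soon as authentication completes, so code running later cannot grant itself additional roles; the authorization decision therefore depends only on what the authentication step established.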
The goal of content integrity is to protect data against unnoticed manipulation on the transport layer. To prevent violations of origin and content integrity of stored data such as JAVA archive files, cryptographic checksums provide a means to verify the archive files (Sun Microsystems, 2003a). Using digesting functionality such as the CheckedInputStream class of the java.util.zip package helps to verify the correct transmission of data.
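As an added example (not code from the thesis or from Sun Microsystems), the block below verifies a received byte stream in two ways: a CheckedInputStream with a CRC32 detects corruption during transmission, and a SHA-256 digest compared with MessageDigest.isEqual detects modification of the content. The sample "archive" content, the sender-supplied checksum values and the method names are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.zip.CRC32;
import java.util.zip.CheckedInputStream;

public class IntegrityCheck {

    // Transmission check: read the whole stream through a CheckedInputStream,
    // which accumulates a CRC32 over every byte read, then compare the result
    // with the checksum the sender supplied alongside the data.
    public static boolean crcMatches(InputStream in, long expectedCrc) throws IOException {
        try (CheckedInputStream cin = new CheckedInputStream(in, new CRC32())) {
            byte[] buf = new byte[4096];
            while (cin.read(buf) != -1) {
                // consume the stream; the checksum is updated as a side effect
            }
            return cin.getChecksum().getValue() == expectedCrc;
        }
    }

    // Tamper check: a cryptographic digest of the content, compared in
    // constant time so that the comparison itself leaks nothing.
    public static boolean digestMatches(byte[] data, byte[] expectedSha256)
            throws NoSuchAlgorithmException {
        byte[] actual = MessageDigest.getInstance("SHA-256").digest(data);
        return MessageDigest.isEqual(actual, expectedSha256);
    }

    // Sender side: the values that travel with the data.
    public static long crc32Of(byte[] data) {
        CRC32 crc = new CRC32();
        crc.update(data);
        return crc.getValue();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample content standing in for an archive file.
        byte[] original = "manifest: app.jar v1.0".getBytes(StandardCharsets.UTF_8);
        long sentCrc = crc32Of(original);
        byte[] sentDigest = MessageDigest.getInstance("SHA-256").digest(original);

        // The same bytes arrive intact: both checks pass.
        System.out.println("intact, CRC32 ok:  " + crcMatches(new ByteArrayInputStream(original), sentCrc));
        System.out.println("intact, SHA-256 ok: " + digestMatches(original, sentDigest));

        // One flipped byte, whether by a transmission error or by manipulation: both checks fail.
        byte[] altered = original.clone();
        altered[0] ^= 0x01;
        System.out.println("altered, CRC32 ok:  " + crcMatches(new ByteArrayInputStream(altered), sentCrc));
        System.out.println("altered, SHA-256 ok: " + digestMatches(altered, sentDigest));
    }
}
```

The two checks answer different questions. A CRC32 is a linear error-detecting code and is appropriate for the transmission check; it is not a cryptographic checksum, because an adversary who can change the content can also adjust the checksum that accompanies it. Origin integrity of an archive therefore needs the digest to be bound to a key, which is what signed JAVA archive files provide on top of the per-entry digests.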
Availability
According to ISO 17944, the term availability has the following definition:
Definition 8 (Availability): The property of being accessible and usable upon demand by an authorized entity. (ISO, 2002)
Availability of information systems is the foundation for Internet-centric companies to have success in their business and receive revenue. Traditional approaches to availability are based on statistical models that incorporate average response times and the estimated number of normal users. Periods of outage that are due to the behavior of malicious users are an often-neglected risk, although they break the resulting estimations of availability models. Direct compromises of availability are denial-of-service attacks. These may either attack the implementation (Schönefeld, 2004f) to crash systems or limit the available bandwidth for systems (flooding) (Harrison, 2000).
Non-security-related approaches to provide availability and disaster recovery are based on middleware transparency concepts. Middleware systems typically provide redundancy mechanisms such as backup and failover mechanisms for computing facilities and locations as well as backup connection bandwidth for peak demand.
Accountability
The goal of accountability is to audit actions, which is different from preventing them. The Department of Defense (United States) (1985) provides the following definition:
Definition 9 (Accountability): Audit information must be selectively kept and protected so that actions affecting security can be traced to the responsible subject. (Department of Defense (United States), 1985)
On the technical level, accountability means tracking the actions of users. Privileged users have the permission to access logs in an append-only mode. Audit trails allow archiving of security-relevant actions and provide important forensic material in the case of misuse.
On the business level, accountability, or the alias term non-repudiation of business transactions, is important to establish trust between the business partners in business-to-business scenarios.
Implementations of proof mechanisms typically apply a digital signature (Cooper et al., 2008) to electronic documents, for example to prove the confirmation of receipt. The events during mutual remote agreement require a digital proof.
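The following added example (not code from the thesis) shows the digital proof described above with the JAVA Signature API: the receiving party signs a confirmation of receipt with its private key, and the other party verifies the signature with the corresponding public key; a later change to the document no longer verifies. The key pair is generated in place, and the receipt text and order number are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;

public class ReceiptSignature {

    // Receiving party: sign the document with the private key that only
    // this party controls. SHA256withRSA hashes the document and signs the hash.
    public static byte[] sign(PrivateKey key, byte[] document) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(document);
        return s.sign();
    }

    // Other party (or a later arbiter): anyone holding the public key can check
    // the signature, which is what makes the confirmation non-repudiable.
    public static boolean verify(PublicKey key, byte[] document, byte[] signature) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(document);
        return s.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        // Key pair of the receiving party, generated here for the example; in
        // practice the public key is bound to the partner's identity by a certificate.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(3072);
        KeyPair receiver = gen.generateKeyPair();

        // Constructed sample confirmation of receipt.
        byte[] receipt = "Confirmation: order 4711 received".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(receiver.getPrivate(), receipt);
        System.out.println("genuine receipt verifies: " + verify(receiver.getPublic(), receipt, sig));

        // The same signature presented with a changed document fails verification.
        byte[] altered = "Confirmation: order 4712 received".getBytes(StandardCharsets.UTF_8);
        System.out.println("altered receipt verifies: " + verify(receiver.getPublic(), altered, sig));
    }
}
```

The signature binds the document to the private key. For the proof to hold up as evidence, two further conditions have to be met outside this code: the public key must be bound to the partner's identity, typically by a certificate as specified by Cooper et al. (2008), and the private key must remain confidential to its holder, since a disclosed signing key would let either party dispute who produced the signature.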