COMP 2057 Lecture Notes - Lecture 5: Transport Layer Security, Family Educational Rights And Privacy Act, Health Insurance Portability And Accountability Act

60-205 – INTRODUCTION TO THE INTERNET
WEEK #5 – INTERNET SECURITY & CSS
Dr. Stephanos Mavromoustakos
Learning Objectives
This week, students should be able to:
Explain the challenges and scope of information security
Explain such basic security concepts as confidentiality, integrity, and availability
Identify tools and mechanisms for internet security
Apply HTML and CSS for designing websites
THEORY – INTERNET SECURITY
Information Security
A succinct definition of information security might run as follows:
"Information security is the collection of technologies, standards, policies and management practices
that are applied to information to keep it secure." To learn more visit:
https://learn.saylor.org/mod/page/view.php?id=16037
Confidentiality, Integrity, Availability (CIA)
CIA (Confidentiality, Integrity, and Availability), not to be confused with CIA (Central Intelligence
Agency), is a widely used benchmark for evaluation of information systems security, focusing on the
three core goals of confidentiality, integrity and availability of information.
Data confidentiality
Confidentiality refers to limiting information access and disclosure to authorized users -- "the right
people" -- and preventing access by or disclosure to unauthorized ones -- "the wrong people."
Underpinning the goal of confidentiality are authentication methods such as user IDs and passwords,
which uniquely identify a data system's users, and the access control (authorization) methods that then
limit each identified user's access to the data system's resources. The two are distinct: authentication
establishes who a user is, authorization decides what that user may do.
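As an added example (not part of the lecture notes), the following Python shows the two halves of that mechanism side by side: password authentication that stores only a salted PBKDF2 hash, followed by a deny-by-default access control list that limits what an authenticated user may touch. The account names, passwords, role names and the grades resource are illustrative assumptions.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (assumed value; tune to your hardware).
PBKDF2_ITERATIONS = 200_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_user(db: dict, user_id: str, password: str, roles: set) -> None:
    """Store a per-user random salt and the password hash, never the password."""
    salt = os.urandom(16)
    db[user_id] = {"salt": salt, "hash": _hash_password(password, salt), "roles": set(roles)}


def authenticate(db: dict, user_id: str, password: str) -> bool:
    """Authentication: does this principal prove they are who they claim to be?"""
    record = db.get(user_id)
    if record is None:
        # Do the same amount of work for unknown IDs so response time does not
        # reveal which user IDs exist.
        _hash_password(password, b"\x00" * 16)
        return False
    candidate = _hash_password(password, record["salt"])
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


# Access control list (constructed): only listed (role, action, resource)
# triples are permitted; everything else is denied by default.
ACL = {
    ("student", "read", "grades/own"),
    ("instructor", "read", "grades/own"),
    ("instructor", "read", "grades/all"),
    ("instructor", "write", "grades/all"),
}


def authorize(db: dict, user_id: str, action: str, resource: str) -> bool:
    """Authorization: is an already-identified user allowed to do this?"""
    record = db.get(user_id)
    if record is None:
        return False
    return any((role, action, resource) in ACL for role in record["roles"])


def access(db: dict, user_id: str, password: str, action: str, resource: str) -> str:
    """Authenticate first, then authorize; return the decision as a string."""
    if not authenticate(db, user_id, password):
        return "denied: authentication failed"
    if not authorize(db, user_id, action, resource):
        return "denied: not authorized"
    return "allowed"


def build_demo_db() -> dict:
    """Constructed accounts for the demonstration."""
    db = {}
    create_user(db, "alice", "correct horse battery staple", {"student"})
    create_user(db, "prof", "a-long-instructor-passphrase", {"instructor"})
    return db


if __name__ == "__main__":
    db = build_demo_db()
    print(access(db, "alice", "correct horse battery staple", "read", "grades/own"))   # allowed
    print(access(db, "alice", "correct horse battery staple", "write", "grades/all"))  # denied: not authorized
    print(access(db, "alice", "wrong password", "read", "grades/own"))                 # denied: authentication failed
    print(access(db, "mallory", "anything", "read", "grades/own"))                     # denied: authentication failed
```

Note that a wrong password and an unknown user ID produce the same message and, because of the dummy hash, roughly the same response time; confidentiality is weakened if an attacker can cheaply learn which IDs are valid.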
Also critical to confidentiality -- and data integrity and availability as well -- are protections
against malicious software (malware), spyware, spam and phishing attacks.
Confidentiality is related to the broader concept of data privacy -- limiting access to individuals' personal
information. In the US, a range of state and federal laws, with abbreviations like FERPA (Family
Educational Rights and Privacy Act), FSMA, and HIPAA (Health Insurance Portability and Accountability
Act), set the legal terms of privacy.
Data integrity
Integrity refers to the trustworthiness of information resources.
It includes the concept of "data integrity" -- namely, that data have not been changed inappropriately,
whether by accident or deliberately malign activity. It also includes "origin" or "source integrity" -- that
is, that the data actually came from the person or entity you think it did, rather than an imposter.
Integrity can even include the notion that the person or entity in question entered the right information
-- that is, that the information reflected the actual circumstances (in statistics, this is the concept of
"validity") and that under the same circumstances would generate identical data (what statisticians call
"reliability").
On a more restrictive view, however, integrity of an information system includes only preservation
without corruption of whatever was transmitted or entered into the system, right or wrong.
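The distinction between data integrity and origin integrity is easiest to see in code. The added example below (mine, not from the lecture notes) protects a small record two ways: with a plain SHA-256 checksum, which detects accidental corruption but nothing more, and with an HMAC-SHA256 tag under a key shared by sender and receiver, which also tells the receiver the data came from the holder of that key rather than an impostor. The record, the shared key and the attacker's guessed key are constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed data: a grade record exchanged between two systems. The key is an
# illustrative assumption; a real deployment loads it from a key store that only
# the sender and receiver can read.
SHARED_KEY = b"registrar<->reporting shared secret (demo only)"
GRADE_RECORD = {"student": "alice", "course": "60-205", "grade": "B"}


def _canonical(record: dict) -> bytes:
    # Canonical encoding: the same record must always produce the same bytes,
    # otherwise key order or whitespace differences would break verification.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


# --- Unkeyed checksum: catches accidental corruption only --------------------
def checksum_protect(record: dict) -> dict:
    return {"record": record, "digest": hashlib.sha256(_canonical(record)).hexdigest()}


def checksum_verify(message: dict) -> bool:
    recomputed = hashlib.sha256(_canonical(message["record"])).hexdigest()
    return hmac.compare_digest(recomputed, message["digest"])


# --- Keyed MAC: covers data integrity and origin integrity -------------------
def mac_protect(record: dict, key: bytes) -> dict:
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def mac_verify(message: dict, key: bytes) -> bool:
    expected = hmac.new(key, _canonical(message["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, message["tag"])


def demo() -> dict:
    """Run the integrity scenarios from the notes and report each outcome."""
    genuine = mac_protect(GRADE_RECORD, SHARED_KEY)

    # 1. Data integrity: the grade is altered in transit, tag left untouched.
    corrupted = {"record": dict(GRADE_RECORD, grade="A+"), "tag": genuine["tag"]}

    # 2. Origin integrity: an impostor builds a well-formed message without the key.
    forged = mac_protect(dict(GRADE_RECORD, grade="A+"), b"attacker's guess at the key")

    # 3. Why a checksum alone is not enough: the attacker edits the record and
    #    simply recomputes the unkeyed digest, so the checksum still matches.
    resigned_checksum = checksum_protect(dict(GRADE_RECORD, grade="A+"))

    return {
        "genuine_mac_ok": mac_verify(genuine, SHARED_KEY),      # True
        "corrupted_mac_ok": mac_verify(corrupted, SHARED_KEY),  # False: data changed
        "forged_mac_ok": mac_verify(forged, SHARED_KEY),        # False: wrong origin
        "checksum_fooled": checksum_verify(resigned_checksum),  # True: tampering undetected
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The MAC gives no protection against replay of an old, genuine message; if that matters, the record itself must carry a sequence number or timestamp that the receiver checks.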
Data availability
Availability refers, unsurprisingly, to the availability of information resources. An information system
that is not available when you need it is at least as bad as none at all. It may be much worse, depending
on how reliant the organization has become on a functioning computer and communications
infrastructure.
Almost all modern organizations are highly dependent on functioning information systems. Many
literally could not operate without them.
Availability, like other aspects of security, may be affected by purely technical issues (e.g., a
malfunctioning part of a computer or communications device), natural phenomena (e.g., wind or water),
or human causes (accidental or deliberate).
While the relative risks associated with these categories depend on the particular context, the general
rule is that humans are the weakest link. (That's why each user's ability and willingness to use a data
system securely are critical.)
Prevention vs. detection
Security efforts to assure confidentiality, integrity and availability can be divided into those oriented to
prevention and those focused on detection. The latter aims to rapidly discover and correct for lapses
that could not be -- or at least were not -- prevented.
The balance between prevention and detection depends on the circumstances and the available
security technologies. For example, many homes have easily defeated door and window locks, but rely
on a burglar alarm to detect (and signal for help after) intrusions through a compromised window or
door.
Most information systems employ a range of intrusion prevention methods, of which user-IDs and
passwords are only one part. They also employ detection methods like audit trails to pick up suspicious
activity that may signal an intrusion.
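As an added example of the detection side (not from the lecture notes), here is a small detector run over a constructed audit trail. It flags any user/source pair with a burst of failed logins inside a short window, and records whether a successful login followed the burst, which is the pattern a password-guessing attack that eventually succeeds leaves behind. The log format, the sample lines, the five-failure threshold and the five-minute window are all assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (not from any real system). Assumed format:
# ISO timestamp, event, user ID, source address. One line is deliberately in a
# different format to show that the parser skips what it cannot read.
AUDIT_TRAIL = """\
2024-03-04T09:00:01 LOGIN_OK alice 10.0.0.5
2024-03-04T09:01:10 LOGIN_FAIL bob 203.0.113.7
2024-03-04T09:01:12 LOGIN_FAIL bob 203.0.113.7
2024-03-04T09:01:13 LOGIN_FAIL bob 203.0.113.7
2024-03-04T09:01:15 LOGIN_FAIL bob 203.0.113.7
2024-03-04T09:01:16 LOGIN_FAIL bob 203.0.113.7
2024-03-04T09:01:20 LOGIN_OK bob 203.0.113.7
2024-03-04T09:05:00 PASSWORD_CHANGE alice 10.0.0.5 by=alice
2024-03-04T10:30:00 LOGIN_FAIL carol 10.0.0.9
2024-03-04T11:45:00 LOGIN_FAIL carol 10.0.0.9
2024-03-04T11:46:00 LOGIN_OK carol 10.0.0.9
"""

LINE_RE = re.compile(r"^(\S+) (LOGIN_OK|LOGIN_FAIL) (\S+) (\S+)$")


def parse(trail: str) -> list:
    """Return (timestamp, event, user, source) tuples for every login line."""
    events = []
    for line in trail.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in another format instead of crashing the detector
        ts, event, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), event, user, src))
    return events


def detect_brute_force(trail: str, threshold: int = 5,
                       window: timedelta = timedelta(minutes=5)) -> dict:
    """Flag (user, source) pairs with >= threshold failures inside `window`.

    Each flagged entry records the largest burst seen and whether a LOGIN_OK
    followed it, which suggests the guessing attack eventually succeeded.
    """
    recent_failures = defaultdict(list)
    flagged = {}
    for ts, event, user, src in parse(trail):
        key = (user, src)
        # Keep only failures that are still inside the sliding window.
        in_window = [t for t in recent_failures[key] if ts - t <= window]
        if event == "LOGIN_FAIL":
            in_window.append(ts)
            if len(in_window) >= threshold:
                entry = flagged.setdefault(key, {"failures": 0, "success_after": False})
                entry["failures"] = max(entry["failures"], len(in_window))
        elif event == "LOGIN_OK" and key in flagged:
            flagged[key]["success_after"] = True
        recent_failures[key] = in_window
    return flagged


if __name__ == "__main__":
    for (user, src), info in detect_brute_force(AUDIT_TRAIL).items():
        verdict = "likely compromised" if info["success_after"] else "attempted"
        print(f"{user} from {src}: {info['failures']} failures, {verdict}")
```

With the defaults only bob's burst is flagged; carol's two failures are 75 minutes apart and fall outside the window, which is the kind of tuning decision (threshold and window) that decides how noisy a detector is. The detector also depends on the audit trail being complete and tamper-resistant, so the trail itself needs the integrity protections discussed above.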