We have already seen in part zero of this series of articles on the basics of information security why knowledge of information security is a necessity for everyone working in IT.
Confidentiality, integrity (accuracy) and availability (accessibility) of information are the basic concepts we address in this continuation of the series on the basics of information security. In these articles we look at ways of making sure these conditions are met. But first we need a clear understanding of what these words mean, so that we know exactly which goals we are trying to achieve.
Welcome to Jafar Bank
Meet the characters that are going to accompany us in these articles.
This is Jafar. Jafar has recently set up a bank called Jafar Bank.
This is Morteza. Morteza is one of the people who has an account at Jafar Bank. He uses Jafar Bank's online system to perform transactions and receive financial reports. He is a law-abiding, ordinary user who never does anything that damages the system.
Unlike Morteza, Javad, whom you see in the picture above, is always looking to damage the system. He intends to harm Jafar in any way he can. Your job is to find solutions that can stop Javad.
Confidentiality means preventing information from being read without permission. For example, the balance of Morteza's account at Jafar Bank is confidential information; if Javad can read it, confidentiality has been violated.
To maintain the confidentiality of your information, you must ensure that every piece of information can be read only by authorized persons.
You should always be able to trust that the information in your system is correct. For that, it must not be possible to write information without permission, or at least unauthorized writes must be detectable, so that you can identify which information in the system is incorrect.
Information integrity, then, means preventing unauthorized writing, or at least detecting it.
Note that integrity (accuracy) and confidentiality should not be confused. Javad may be unable to read the balance of Morteza's account, in which case confidentiality is preserved; but if he can replace the value stored as Morteza's balance with a new one, then integrity is compromised.
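One concrete way to get the "at least detect unauthorized writing" half of integrity is to store a keyed tag next to each record. The following is an added example, not code from the original article: it attaches an HMAC-SHA256 tag to Morteza's balance record using a server-side key (`INTEGRITY_KEY`, a constructed placeholder) and shows that a write made without that key, such as Javad changing the balance directly in storage, no longer matches its tag.

```python
import hashlib
import hmac
import json

# Hypothetical key held only by Jafar Bank's server (constructed for this example).
INTEGRITY_KEY = b"jafar-bank-demo-key-do-not-reuse"


def canonical(record: dict) -> bytes:
    """Serialize the record deterministically so the tag covers every field."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Attach an HMAC-SHA256 tag computed over the record's contents.

    Only code that holds the key can produce a valid tag, so every
    legitimate write goes through here and recomputes the tag.
    """
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Return True only if the stored record still matches its tag."""
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking information through comparison timing.
    return hmac.compare_digest(expected, sealed["tag"])


def tamper_detected(sealed: dict, field: str, new_value) -> bool:
    """Simulate a write that bypasses seal(): one field is overwritten in
    storage without the key. Returns True if verify() catches it."""
    forged = {"record": dict(sealed["record"]), "tag": sealed["tag"]}
    forged["record"][field] = new_value
    return not verify(forged)


if __name__ == "__main__":
    morteza = seal({"owner": "Morteza", "balance": 1500})  # constructed sample record
    print(verify(morteza))                                   # True
    print(tamper_detected(morteza, "balance", 1_000_000))    # True
```

The tag does not stop Javad from writing; it makes the unauthorized write visible the next time the record is read, which is exactly the weaker of the two integrity goals described above. It also does not by itself detect Javad replacing the whole record with an older, correctly tagged copy; that needs a version number or counter inside the sealed record.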
DoS (denial-of-service) attacks are relatively new attacks. In these attacks, access to the system is made impossible without disclosing confidential information or altering existing information. Javad, who cannot learn the confidential information in the system and cannot damage its integrity, may instead try to block access to Jafar Bank's online system.
In that case Morteza loses his trust in Jafar Bank, withdraws his money and opens an account at another bank.
You need to make sure that systems and information are always accessible, while also maintaining their confidentiality and integrity.
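A common first line of defence for availability is to limit how many requests any single client may make, so that one abusive client cannot consume the capacity that everyone else needs. The following added example (not from the original article) implements a per-client token bucket; the client names, the clock and the request timings are all constructed for the demonstration.

```python
import time
from collections import defaultdict


class TokenBucketLimiter:
    """Per-client token bucket.

    Each client starts with `capacity` tokens, spends one per request and
    earns `refill_per_sec` tokens per second back, never above `capacity`.
    A request with no token available is rejected instead of served.
    """

    def __init__(self, capacity: int, refill_per_sec: float, clock=time.monotonic):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.clock = clock                      # injectable for deterministic tests
        self.tokens = defaultdict(lambda: float(capacity))
        self.last_seen = {}

    def allow(self, client: str) -> bool:
        now = self.clock()
        elapsed = now - self.last_seen.get(client, now)
        self.last_seen[client] = now
        self.tokens[client] = min(self.capacity, self.tokens[client] + elapsed * self.refill)
        if self.tokens[client] >= 1:
            self.tokens[client] -= 1
            return True
        return False


class FakeClock:
    """Hypothetical clock whose time is set by the simulation, not the wall."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def simulate(limiter: TokenBucketLimiter, clock: FakeClock, events) -> dict:
    """Replay (time, client) events through the limiter.

    Returns {client: (allowed, rejected)} so the effect on each client is visible.
    """
    counts = defaultdict(lambda: [0, 0])
    for t, client in events:
        clock.t = t
        counts[client][0 if limiter.allow(client) else 1] += 1
    return {c: tuple(v) for c, v in counts.items()}


if __name__ == "__main__":
    clock = FakeClock()
    limiter = TokenBucketLimiter(capacity=5, refill_per_sec=1.0, clock=clock)
    # Constructed traffic: Javad floods 100 requests at t=0, Morteza makes one at t=0.5.
    events = [(0.0, "javad")] * 100 + [(0.5, "morteza")]
    print(simulate(limiter, clock, events))   # {'javad': (5, 95), 'morteza': (1, 0)}
```

Because buckets are kept per client, Javad's flood exhausts only his own tokens and Morteza's single request is still served. A real deployment would key the bucket on something Javad cannot change freely (for example an authenticated session rather than a self-reported name) and would also protect the lookup table itself from growing without bound.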
Consider Morteza turning on his laptop and using it to make a transaction in Jafar Bank's online system. First of all, how should Morteza's laptop know that the person using it is Morteza?
On a single computer this is usually done by assigning each user a password, and cryptographic methods are used to make this process secure.
We will look at cryptography in the next article.
The process by which we verify a user's identity is called authentication. Morteza's laptop has a password that only Morteza knows, so when he enters the password correctly it becomes clear that the person using the laptop really is Morteza.
But authentication over a network faces more threats. For example, Javad may be able to eavesdrop on messages exchanged on the network, and he may also be able to manipulate them. Suppose he can resend one of the messages Morteza previously sent to Jafar Bank.
In that case he may be able to pass himself off as Morteza. This type of attack is called a man-in-the-middle attack, which we will cover in later articles.
To prevent this, messages must be exchanged exactly according to certain protocols. This means that the composition and order of the exchanged messages matter a great deal and must follow a fixed pattern. Cryptographic methods also have wide application in network-based authentication.
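The two authentication settings above, the laptop checking a local password and the bank checking a user over the network, can be shown side by side. This is an added example and not code from the original article; the `BankServer` class, the shared secret and the user names are constructed for the demonstration. The local part stores only a salted PBKDF2 hash of the password, and the network part is a challenge-response exchange in which the server issues a fresh single-use nonce, so that a message captured by Javad and sent again is rejected because its nonce has already been consumed.

```python
import hashlib
import hmac
import os
import secrets

# --- Local authentication: the laptop stores a salted hash, never the password itself ---

def make_password_record(password: str, iterations: int = 200_000) -> dict:
    """Create what the laptop stores for a user."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def check_password(record: dict, attempt: str) -> bool:
    """Recompute the hash of the attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


# --- Network authentication: challenge-response with a single-use nonce ---

class BankServer:
    """Jafar Bank's side of the login protocol (constructed example)."""

    def __init__(self, shared_secrets: dict):
        self.shared_secrets = shared_secrets   # user -> secret agreed on earlier
        self.outstanding = {}                  # user -> nonce issued and not yet used

    def challenge(self, user: str) -> bytes:
        """Message 1 (server -> client): a fresh, unpredictable nonce."""
        nonce = secrets.token_bytes(16)
        self.outstanding[user] = nonce
        return nonce

    def login(self, user: str, nonce: bytes, response: bytes) -> bool:
        """Message 2 (client -> server): the user's response to the nonce.

        The nonce is removed from `outstanding` on first use, so the same
        (nonce, response) pair cannot be accepted twice.
        """
        expected_nonce = self.outstanding.pop(user, None)
        if expected_nonce is None or not hmac.compare_digest(expected_nonce, nonce):
            return False                       # unknown, stale or already-used nonce
        expected = hmac.new(self.shared_secrets[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(secret: bytes, nonce: bytes) -> bytes:
    """Morteza proves he knows the secret without ever sending the secret itself."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def replay_rejected(server: BankServer, user: str, secret: bytes) -> bool:
    """Run one genuine login, then submit the identical bytes a second time.

    Returns True when the genuine login succeeds and the repeated copy fails.
    """
    nonce = server.challenge(user)
    message = (user, nonce, client_response(secret, nonce))
    first = server.login(*message)    # Morteza's own login
    second = server.login(*message)   # the same message submitted again
    return first and not second


if __name__ == "__main__":
    record = make_password_record("correct horse battery staple")  # constructed password
    print(check_password(record, "correct horse battery staple"))  # True
    server = BankServer({"morteza": b"morteza-shared-secret"})     # constructed secret
    print(replay_rejected(server, "morteza", b"morteza-shared-secret"))  # True
```

This is what "the composition and order of the messages must follow a fixed pattern" looks like in practice: the server will not accept a response before it has issued a challenge, and it accepts each challenge's response at most once. The secret itself never crosses the network, which is why eavesdropping alone is not enough for Javad to log in as Morteza.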
Once Morteza has been authenticated by Jafar Bank's online system, that is, once it has been verified that the person claiming to be Morteza really is Morteza, what information should be made available to him?
After authentication, permissions and permissible actions should be restricted: for example, Morteza should not be able to access other customers' account balances, such as Ali's, whereas Jafar, as the bank manager, can access the balances of both Morteza and Ali.
The mechanism that imposes these restrictions on authenticated users is called authorization.
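The authorization rule just described, customers see only their own balance while the manager sees every balance, can be written as an explicit check that runs at the point of access. The following is an added example, not code from the original article; the roles, the sample accounts and their balances are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """An already-authenticated user. Roles are constructed for this example."""
    name: str
    role: str  # "customer" or "manager"


# Constructed sample accounts: owner -> balance
ACCOUNTS = {"Morteza": 1500, "Ali": 4200}


def may_read_balance(actor: Principal, owner: str) -> bool:
    """Authorization rule: a customer may read only their own balance,
    the manager may read any balance, anyone else is denied."""
    if actor.role == "manager":
        return True
    if actor.role == "customer":
        return actor.name == owner
    return False


def read_balance(actor: Principal, owner: str) -> int:
    """Enforce the rule where the data is actually returned, so there is
    no code path that hands out a balance without passing the check."""
    if not may_read_balance(actor, owner):
        raise PermissionError(f"{actor.name} may not read {owner}'s balance")
    return ACCOUNTS[owner]


def access_denied(actor: Principal, owner: str) -> bool:
    """Helper for demonstrations: True if read_balance refuses the request."""
    try:
        read_balance(actor, owner)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    morteza = Principal("Morteza", "customer")
    jafar = Principal("Jafar", "manager")
    print(read_balance(morteza, "Morteza"))   # 1500
    print(access_denied(morteza, "Ali"))      # True
    print(read_balance(jafar, "Ali"))         # 4200
```

The point to notice is that authentication has already happened by the time `read_balance` runs: the function trusts `actor.name` because the login step established it, and its only job is to decide what that verified identity is allowed to do.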
Now that you are familiar with the key definitions of information security, it is time to see how each of these goals is met. What are the mechanisms for achieving them?
In the next few articles we will get acquainted with one of the most important security mechanisms by entering the world of cryptography.