Wednesday, April 4, 2012

POST4: Online Social Network Security

Social networks do facilitate our daily life, but there is also a problem that can't be ignored: security! Not long ago, some social network websites in mainland China reported that some usernames and passwords had been stolen by hackers, which is really terrible. The incident also reminds us that we should pay attention to the security issues of social networks.
Conventional Security Objectives
  • Availability: The ongoing availability of systems addresses the processes, policies, and controls used to ensure authorized users have prompt access to information. This objective protects against intentional or accidental attempts to deny legitimate users access to information or systems.
  • Integrity of Data or Systems: System and data integrity relate to the processes, policies, and controls used to ensure information has not been altered in an unauthorized manner and that systems are free from unauthorized manipulation that would compromise accuracy, completeness, and reliability.
  • Confidentiality of Data or Systems: Confidentiality covers the processes, policies, and controls employed to protect information of customers and the institution against unauthorized access or use.
  • Accountability: Clear accountability involves the processes, policies, and controls necessary to trace actions to their source. Accountability directly supports non-repudiation, deterrence, intrusion prevention, security monitoring, recovery, and legal admissibility of records.
  • Assurance: Assurance addresses the processes, policies, and controls used to develop confidence that technical and operational security measures work as intended. Assurance levels are part of the system design and include availability, integrity, confidentiality, and accountability. Assurance highlights the notion that secure systems provide the intended functionality while preventing undesired actions.
Integrity and accountability combine to produce what is known as non-repudiation. Non-repudiation can reduce fraud and promote the legal enforceability of electronic agreements and transactions.  While non-repudiation is a goal and is conceptually clear, the manner in which non-repudiation can be achieved for electronic systems in a practical, legal sense may have to wait for further judicial clarification. 

OSI Security Services
The following are considered to be the security services which can be provided optionally within the framework of the OSI Reference Model. 
Authentication: Provides for the authentication of a communicating peer entity and of the source of data, including peer entity authentication and data origin authentication.
Access Control: This service provides protection against unauthorized use of resources accessible via OSI. These may be OSI or non-OSI resources accessed via OSI protocols. This protection service may be applied to various types of access to a resource or to all accesses to a resource.
Data Confidentiality: Includes Connection Confidentiality, Connectionless Confidentiality, Selective Field Confidentiality and Traffic Flow Confidentiality. These services provide for the protection of data from unauthorized disclosure.
Data Integrity: These services counter active threats and may take one of the following forms: Connection integrity with recovery, Connection integrity without recovery, Selective field connection integrity, Connectionless integrity, Selective field connectionless integrity.
Non-repudiation: This service may take one or both of two forms: non-repudiation with proof of origin and non-repudiation with proof of delivery.

Social Network Security Objectives
In lecture week 10, I learned about security objectives on OSNs (Online Social Networks). There are three main security objectives identified in the context of OSNs: Privacy, Integrity and Availability.
Privacy: Privacy in OSNs encompasses user profile privacy, communication privacy, message confidentiality and information disclosure. In principle, privacy calls for the possibility to hide any information about any user, even to the extent of hiding their participation in the OSN in the first place. Moreover, privacy has to be met by default. Requiring explicit disclosure leads to the need for access control.
Integrity: As part of integrity, the user's identity and data must be protected against unauthorized modification and tampering.
Availability: Availability of user profiles is consequently required as a basic feature, even when only recreational use is considered. In OSNs, this availability specifically has to include robustness against censorship, and against the seizure or hijacking of names and other key words.

Social Network Security Objectives vs. Conventional Online Network Security Objectives
As mentioned above, there are some differences between OSN security objectives and conventional network security objectives.
Privacy in OSN security includes many aspects of conventional network security objectives, such as authentication, access control and data confidentiality. In principle, privacy calls for the possibility to hide any information about any user, even to the extent of hiding their participation in the OSN in the first place. In an OSN, it requires more: all information on all users and their actions has to be hidden from any other party internal or external to the system, unless explicitly disclosed by the users themselves. Access to information on any user may only be granted by the user directly, the access control has to be as fine-grained as the profile, and each attribute has to be separately manageable. For example, on Facebook we can set privacy settings to prevent strangers from getting our information or sending messages to us.
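The three privacy requirements in the paragraph above (nothing is visible unless the owner discloses it, participation itself can be hidden, and each profile attribute is managed separately) can be written as a small deny-by-default policy check. This is an added illustration, not code from the original post; the audience labels, attribute names and sample users are constructed for the example.

```python
"""Per-attribute, deny-by-default profile disclosure for an OSN (added example)."""
from dataclasses import dataclass, field
from typing import Optional

# Audience levels a profile owner may grant for a single attribute (constructed labels).
ONLY_ME, FRIENDS, EVERYONE = "only_me", "friends", "everyone"


@dataclass
class Profile:
    owner: str
    attributes: dict                     # attribute name -> value
    # Per-attribute audience. An attribute absent from this map is treated as
    # ONLY_ME: that is what "privacy has to be met by default" means in practice.
    policy: dict = field(default_factory=dict)
    discoverable: bool = False           # may others even learn this user exists?

    def disclose(self, actor: str, attribute: str, audience: str) -> None:
        """Only the owner may widen the audience of one of their own attributes."""
        if actor != self.owner:
            raise PermissionError("only the profile owner can change disclosure")
        if attribute not in self.attributes:
            raise KeyError(attribute)
        if audience not in (ONLY_ME, FRIENDS, EVERYONE):
            raise ValueError(audience)
        self.policy[attribute] = audience


def visible_profile(profile: Profile, viewer: str, friends: set) -> Optional[dict]:
    """Return the subset of `profile` that `viewer` may see.

    Returns None when the viewer may not even learn that the user participates.
    `friends` is the set of user ids the owner has accepted as friends.
    """
    if viewer == profile.owner:
        return dict(profile.attributes)          # owners always see themselves
    if not profile.discoverable:
        return None                              # participation itself is hidden
    is_friend = viewer in friends
    shown = {}
    for name, value in profile.attributes.items():
        audience = profile.policy.get(name, ONLY_ME)   # default: deny
        if audience == EVERYONE or (audience == FRIENDS and is_friend):
            shown[name] = value
    return shown
```

Every attribute is decided on its own, so disclosing a display name does not implicitly disclose an e-mail address, and a viewer who is not a friend receives only what was explicitly published to everyone.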
When it comes to integrity, the user's identity and data must be protected against unauthorized modification and tampering. In addition to conventional modification detection and message authentication, integrity in the context of OSNs has to be extended, and authentication has to ensure the existence of real persons behind registered OSN members. Recently, some movie stars' Weibo accounts were stolen, and the hackers took advantage of these accounts to post false news on Weibo, causing a lot of negative effects, which is really terrible. This example tells us it is important to ensure that the identity behind an account is real.
OSNs also have more requirements on availability. Since some social network services are used as professional tools to aid their members' business or careers, data published by users has to be continuously available. In OSNs, this availability specifically has to include robustness against censorship, and against the seizure or hijacking of names and other key words. Apart from availability of data access, availability has to be ensured for message exchange among members. For example, nowadays many companies advertise or do marketing promotion on Facebook, so it is very important to ensure that the service on these social networks is available.

5 comments:

  1. I could not agree with you more about the conventional security and social network security issues. I like your pictures, which help you to describe your ideas.

    1. Thank you... Security is a very important issue in our daily life, and there's no exception when it comes to the network-related field. To protect our information and improve the experience on the net, we should pay more attention to security issues. I think this course really teaches us something useful.

  2. I strongly agree that the security of social networks should not be underestimated. Nowadays security risks in SNS are sharply increasing. One of the reasons is that lots of people have provided their personal and sensitive information on SNS platforms. If the OSN security objective of privacy can be ensured more effectively, there will not be so many security accidents.

  3. Your blog compares conventional security objectives with social network security objectives, which I ignored before. In OSNs, more security and privacy are required. However, some social network websites do not have enough security measures to prevent hackers. Therefore, a considerable number of people do not want to update their real information on the websites. One of the most important things for these social network sites is to improve their security measures as soon as possible, which will do good to their websites' development.

    1. I am disappointed to discover other people updating fake information on the website. This is one of the critical factors that eventually discourages the development of social networking on social network sites. If everyone keeps ignoring the security of social networking sites and just posts fake information on the internet, what is the remaining value of the social networking sites?
