Introduction to Information Security: The OSI Security Architecture

April 28, 2026

The OSI (Open Systems Interconnection) Security Architecture is a systematic framework that defines security attacks, security mechanisms, and security services, so that confidentiality, integrity, and availability can be achieved across all seven layers of network communication (the OSI model). The OSI model itself is extensive enough to deserve its own post, so this one focuses on the security architecture and how it applies to the model.

What is a Security Attack?

Even though it may seem obvious, a security attack is any action that gains unauthorised access to systems or compromises their confidentiality, integrity, or availability (NIST, 2023, p. 160). For example, a man-in-the-middle attack attempts to intercept communication between two parties; because this compromises the information of the two parties involved, it is classed as a security attack.

What is a Security Mechanism?

A security mechanism is anything designed to prevent, detect, or recover from a security attack. For example, encryption is a security mechanism that prevents unauthorised access to information.

What is a Security Service?

A security service is a specification of how one or more security mechanisms are used together to achieve a particular security goal. For example, data confidentiality is a security service that draws on mechanisms such as encryption, zero-knowledge proofs, multi-factor authentication, and IP whitelisting to achieve confidentiality. Think of a service as a way of grouping security mechanisms around a specific security goal.

Two Types of Security Attacks

Security attacks can be either passive or active.

Passive Attacks

Passive attacks aim to learn information from a system without affecting system resources. Because they leave so little trace, they are difficult to detect without producing thousands of false positives; the countermeasure is therefore prevention rather than detection. Some examples include:

  • Keystroke logging
  • Eavesdropping
  • Wiretapping
  • Packet sniffing
  • Traffic analysis
  • Shoulder surfing

Active Attacks

Active attacks attempt to alter system resources. Because their effects are visible, they are comparatively easy to detect, so the countermeasure for an active attack is detection rather than prevention. Some examples include:

  • Denial of Service (DoS) attack
  • Man-in-the-middle attack
  • Phishing attack
  • Ransomware attack
  • SQL injection attack
  • Cross-site scripting (XSS) attack
  • Brute-force attack
  • Password spraying attack
  • Credential stuffing attack

Types of Security Attacks

  • Interruption: An attack that disrupts the normal functioning of a system (affects availability)
  • Interception: An attack that involves intercepting communication between two parties (affects confidentiality)
  • Modification: An attack that involves altering data during transmission or storage (affects integrity)
  • Fabrication: An attack that involves creating false information or messages without a legitimate source (affects authenticity)

What is Authenticity?

Authenticity refers to the assurance that data is from a genuine source without any tampering. Unlike integrity, which focuses on ensuring data has not been altered, authenticity ensures that the source of the data is legitimate. A fabrication attack compromises authenticity since it creates false information posing as a legitimate source. In the information security community, many have argued for authenticity to be included in the CIA triad, but some have argued that it is too closely related to integrity to be considered a separate concept.

Security Services

X.800 Recommendation divides security services into six categories:

  • Authentication
  • Access Control
  • Data Confidentiality
  • Data Integrity
  • Non-repudiation
  • Availability

Authentication

The authentication service assures that communication is authentic between two parties. It ensures that the recipient can trust the source of the message and who they are communicating with.

It also ensures that all communicating parties can trust that their communication is not intercepted by a third party.

Access Control

The access control service establishes four things:

  • Who can have access to the resource
  • Under what conditions can they have access to the resource
  • What type of access they have to the resource
  • What they can do with their access to the resource

To understand this concept better, let’s assume Bob has a bank account with Evil Corp. The access control service would establish the following:

  • Who can have access to the resource: Bob and Evil Corp employees
  • Under what conditions can they have access to the resource: Bob and Evil Corp can only access Bob’s account with valid authentication
  • What type of access they have to the resource: Bob has read and write access, Evil Corp employees have read, write, modify, and delete access
  • What they can do with their access to the resource: Bob can view his account balance, make transactions, transfer money, change his account details, request statements, categorise transactions, view his spending habits, etc. Evil Corp employees can do all of the above, plus modify and delete Bob’s account details, but they cannot modify or delete Bob’s transactions
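The four questions above map naturally onto a policy check. The following is an added example, not code from the original post, that encodes the Bob / Evil Corp scenario as a deny-by-default policy: the role answers "who", the authentication and ownership checks answer "under what conditions", and the permitted-action sets answer "what type of access" and "what they can do". The role names, resource kinds and account ids are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed policy: role -> resource kind -> permitted actions.
# Employees may modify and delete account details but not transactions,
# matching the scenario described in the post.
POLICY = {
    "customer": {
        "account_details": {"read", "write"},
        "transactions": {"read", "write"},
    },
    "employee": {
        "account_details": {"read", "write", "modify", "delete"},
        "transactions": {"read", "write"},
    },
}


@dataclass(frozen=True)
class Subject:
    name: str
    role: str
    authenticated: bool
    owner_of: frozenset  # account ids this subject owns (customers only)


@dataclass(frozen=True)
class Resource:
    account_id: str
    kind: str  # "account_details" or "transactions"


def is_allowed(subject: Subject, action: str, resource: Resource) -> bool:
    """Deny-by-default access decision for the four access control questions."""
    # Under what conditions: every subject must present valid authentication.
    if not subject.authenticated:
        return False
    # Who: customers only reach accounts they own; employees reach any account.
    if subject.role == "customer" and resource.account_id not in subject.owner_of:
        return False
    # What type of access / what they can do: the role's permitted actions
    # on this kind of resource. Unknown roles or kinds fall through to deny.
    return action in POLICY.get(subject.role, {}).get(resource.kind, set())


if __name__ == "__main__":
    bob = Subject("Bob", "customer", True, frozenset({"acct-001"}))
    clerk = Subject("Evil Corp clerk", "employee", True, frozenset())
    details = Resource("acct-001", "account_details")
    print(is_allowed(bob, "read", details))       # True
    print(is_allowed(bob, "delete", details))     # False
    print(is_allowed(clerk, "delete", details))   # True
```

Keeping the decision in one function with a single deny-by-default return makes the policy auditable: every "allow" path corresponds to a line in the list above, and anything not listed is refused.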

Data Confidentiality

The data confidentiality service protects data from unauthorised access. It ensures this by implementing four other services:

  • Connection confidentiality: Data is protected during transmission (e.g. transport layer security (TLS))
  • Connectionless confidentiality: Data is protected when it is not being transmitted (e.g. asymmetric encryption)
  • Selective field confidentiality: Only specific fields of data are protected (e.g. passwords, credit card details, etc.)
  • Traffic flow confidentiality: Protects the patterns of communication between parties (e.g. who is communicating with who, how often, etc.)

Data Integrity

The data integrity service ensures that data was received exactly as it was sent from an authorised party, containing:

  • No modification
  • No insertion
  • No deletion
  • No replay

Replaying information means resending the same information more than once; for example, a single bank transfer being executed twice because the same request was sent again. By definition, a replay is a form of insertion.
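To show how a receiver can check for all four conditions at once, here is an added example (not code from the original post) in which each message carries a sequence number and an HMAC-SHA256 tag. The tag catches modification and insertion of messages that were never produced by the key holder; the sequence number catches replay (a message that is genuine but already seen) and deletion (a gap before the next message). The key and the messages are constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed shared secret for the demo; a real deployment would provision
# a key of appropriate strength through a key-management process.
KEY = b"constructed-demo-key-not-for-real-use"


def protect(key: bytes, seq: int, payload: dict) -> dict:
    """Sender side: bind a sequence number to the payload and tag the result."""
    body = json.dumps({"seq": seq, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Receiver side: accept a message only if it is untampered and in order."""

    def __init__(self, key: bytes):
        self.key = key
        self.expected_seq = 0  # next sequence number we are willing to accept

    def accept(self, msg: dict) -> tuple:
        expected_tag = hmac.new(self.key, msg["body"].encode(),
                                hashlib.sha256).hexdigest()
        # Constant-time comparison; a mismatch means the body was modified or
        # the message was inserted by someone without the key.
        if not hmac.compare_digest(expected_tag, msg["tag"]):
            return (False, "mac_failed")
        seq = json.loads(msg["body"])["seq"]
        if seq < self.expected_seq:
            # Genuine message, valid tag, but already processed: a replay.
            return (False, "replay")
        if seq > self.expected_seq:
            # An earlier message never arrived: deletion (or loss) in transit.
            return (False, "gap")
        self.expected_seq = seq + 1
        return (True, "ok")


def run_scenario() -> list:
    """Drive one receiver through a replay, a tampered message and a gap."""
    rx = Receiver(KEY)
    m0 = protect(KEY, 0, {"transfer": 100, "to": "acct-002"})
    m1 = protect(KEY, 1, {"transfer": 25, "to": "acct-003"})
    m2 = protect(KEY, 2, {"transfer": 5, "to": "acct-004"})
    m3 = protect(KEY, 3, {"transfer": 1, "to": "acct-005"})
    tampered = {"body": m1["body"].replace('"transfer":25', '"transfer":900'),
                "tag": m1["tag"]}
    return [
        rx.accept(m0)[1],        # ok
        rx.accept(m0)[1],        # replay: same genuine message resent
        rx.accept(tampered)[1],  # mac_failed: amount altered in transit
        rx.accept(m1)[1],        # ok
        rx.accept(m3)[1],        # gap: m2 was deleted or lost
        rx.accept(m2)[1],        # ok
        rx.accept(m3)[1],        # ok, now in order
    ]


if __name__ == "__main__":
    print(run_scenario())
```

The replayed transfer passes the MAC check because it really was produced by the key holder; only the sequence counter exposes it, which is exactly why the post lists replay separately even though it is an insertion by definition.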

Non-repudiation

The non-repudiation service ensures that a party cannot deny their involvement in a communication. At a minimum, non-repudiation requires two proofs:

  • Proof of origin: Proof that the message was sent by an authorised party
  • Proof of delivery: Proof that a message was received by the intended recipient

It is especially important in legal contexts, for example if Bob buys flowers from the corner shop and later denies to his bank that he made the transaction.

Availability

The availability service ensures all authorised parties receive the resources they request on demand. For example, availability ensures Bob can view his bank account balance whenever he authenticates himself.

Availability is most often pitted against denial of service (DoS) attacks, because DoS attacks attempt to make resources unavailable to authorised parties.

The availability service depends on access control and authentication services to function properly. Without access control, the availability service would not know who can view or share confidential data. Without authentication, the availability service would not know who to deliver the confidential data to.

Test Your Knowledge

  1. Alice downloaded a file from the internet, but the file only monitored her keystrokes and sent them back to an attacker. What type of attack is this?

Answer: Passive attack. The malware is monitoring Alice’s keystrokes without affecting system resources.

  2. Bob is trying to access his bank account, but the bank’s website is down due to a DoS attack. What principle of the CIA triad is being compromised?

Answer: Availability. Bob cannot access his bank account, which compromises the availability of the service.

  3. Which security service ensures that a party cannot deny their involvement in a communication?

Answer: Non-repudiation.

  4. Which security service controls who can have access to a resource, under what conditions, what type of access they have, and what they can do with their access?

Answer: Access control.

  5. What is the difference between integrity and authenticity?

Answer: Integrity ensures that data has not been altered, while authenticity ensures that the source of the data is legitimate.

  6. What principle of the CIA triad is being compromised when an interception attack is performed?

Answer: Confidentiality. An interception attack compromises the confidentiality of the communication between two parties.

  7. What type of attack involves creating false information posing as a legitimate source?

Answer: Fabrication attack. It involves creating false information posing as a legitimate source, which compromises authenticity.

  8. What is the difference between an insertion attack and a replay attack?

Answer: They are two sides of the same coin. An insertion attack involves inserting false information into a communication, while a replay attack involves resending the same information more than once. Since replaying information is essentially inserting the same information more than once, it is considered an insertion attack by definition.

Conclusion

This post may have felt pedantic, but that is the whole point of #information-security: to cover all edges of a room and ensure no stone is left unturned. #information-security is the core philosophy behind protecting information and systems, and protecting your privacy.

In the next post, we will cover the OSI Model, the 7-layer model of network communication.

References

  • National Institute of Standards and Technology (NIST) (2023) Guide to Operational Technology (OT) Security. Gaithersburg, MD: National Institute of Standards and Technology. NIST Special Publication 800-82 Rev 3. https://doi.org/10.6028/NIST.SP.800-82r3