The document is a student's submission for an operating systems course that discusses key security concepts. It covers authentication, which verifies identity; authorization, which determines access permissions; confidentiality, which protects private information; integrity, which ensures data is not altered; accountability, which tracks actions to individuals; and availability, which ensures systems and data can be accessed when needed. It also briefly defines steganography as hiding secret messages within ordinary files.

Shanto Mariam University of Creative Technology

Department of Computer Science and Engineering

Course Name: Operating System
Course Code: CSE 3167
Submitted to: Pelob Chakraborti

Submitted by: Rakibul Hasan Rakib

Department: CSE
ID: 181071019
Batch: 17th
Semester: 7th
Date of Submission: 11 June 2020.
1. Security Threat: Make a short discussion on the following:
i. Authentication
ii. Authorization
iii. Confidentiality
iv. Data / Message Integrity
v. Accountability
vi. Availability

a. Authentication

Authentication is the act of verifying a claim of identity. When John Doe
goes into a bank to make a withdrawal, he tells the bank teller he is John
Doe, a claim of identity. The bank teller asks to see a photo ID, so he
hands the teller his driver's license. The bank teller checks the license to
make sure it has John Doe printed on it and compares the photograph on
the license against the person claiming to be John Doe. If the photo and
name match the person, then the teller has authenticated that John Doe is
who he claimed to be. Similarly, by entering the correct password, the user
provides evidence that he or she is the person the username belongs to.
There are three different types of information (factors) that can be used
for authentication:

 Something you know: a PIN, a password or a passphrase (a "secret" such as
a mother's maiden name is a weak example, because it is often discoverable)
 Something you have: a driver's license, a magnetic swipe card, or a hardware
token or phone app that generates one-time codes
 Something you are: biometrics, including palm prints, fingerprints, voice
prints and retina (eye) scans

Strong authentication requires providing information of more than one of
these types (two-factor or multi-factor authentication); two passwords are
still a single factor. The username is the most common form of identification
on computer systems today and the password is the most common form of
authentication. Usernames and passwords have served their purpose, but they
are increasingly inadequate on their own. They are slowly being replaced or
supplemented with more sophisticated authentication mechanisms such as
Time-based One-time Password (TOTP, RFC 6238) algorithms.

b. Authorization

After a person, program or computer has successfully been identified and
authenticated, it must be determined what informational resources they
are permitted to access and what actions they will be allowed to perform
(run, view, create, delete, or change). This is called authorization.
Authorization to access information and other computing services begins
with administrative policies and procedures. The policies prescribe what
information and computing services can be accessed, by whom, and under
what conditions. The access control mechanisms are then configured to
enforce these policies. Different computing systems are equipped with
different kinds of access control mechanisms, and some offer a choice of
several. The access control mechanism a system offers will be based upon
one of three approaches to access control, or it may be derived from a
combination of the three:

 The non-discretionary approach consolidates all access control under a
centralized administration. Access to information and other resources is
usually based on the individual's function (role) in the organization or
the tasks the individual must perform; role-based access control (RBAC)
is the common form.
 The discretionary approach (DAC) gives the creator or owner of the
information resource the ability to control access to that resource, for
example by granting rights to other users.
 In the mandatory access control (MAC) approach, access is granted or
denied based on the security classification (label) assigned to the
information resource, compared with the clearance of the person requesting
it; neither the owner nor the user can override the label.

Examples of common access control mechanisms in use today
include role-based access control, available in many advanced database
management systems; simple file permissions provided in the UNIX and
Windows operating systems; Group Policy Objects provided in Windows
network systems; Kerberos, RADIUS and TACACS, which carry authorization
data alongside authentication; and the simple access lists used in many
firewalls and routers.
To be effective, policies and other security controls must be enforceable
and upheld. Effective policies ensure that people are held accountable for
their actions. The U.S. Treasury's guidelines for systems processing
sensitive or proprietary information, for example, state that all failed and
successful authentication and access attempts must be logged, and all
access to information must leave some type of audit trail.
Also, the need-to-know principle needs to be in effect when talking about
access control. This principle gives a person only the access rights needed
to perform their job functions. It is used in government when dealing with
different clearances: even though two employees in different departments
both hold a top-secret clearance, each must have a need-to-know before
information is exchanged between them. Alongside need-to-know,
administrators grant the employee the least amount of privilege (the
principle of least privilege) to prevent employees from accessing more than
what they are supposed to. Need-to-know helps to enforce the
confidentiality-integrity-availability (CIA) triad, and bears most directly
on confidentiality.
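The three approaches and the need-to-know rule, as an added example that is not part of the assignment: each approach is written as a separate policy check and the three are combined with default deny, as a system derived from "a combination of the three" would do. The users, roles, clearance levels, compartments and resource are constructed; modelling need-to-know as compartments and checking only the read rule (clearance must dominate classification) are simplifying assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

# Ordered classification levels (constructed for the example).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}

# Non-discretionary (role-based): permissions hang off roles, never off individuals.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "analyst": {"view"},
    "editor": {"view", "create", "change"},
    "admin": {"view", "create", "change", "delete"},
}


@dataclass
class Subject:
    name: str
    roles: Set[str] = field(default_factory=set)
    clearance: str = "unclassified"
    need_to_know: Set[str] = field(default_factory=set)  # compartments this person is read into


@dataclass
class Resource:
    name: str
    owner: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # DAC: user -> actions granted by owner
    classification: str = "unclassified"
    compartments: Set[str] = field(default_factory=set)


def dac_allows(subject: Subject, resource: Resource, action: str) -> bool:
    """Discretionary: the owner has every right and decides what others get via the ACL."""
    if subject.name == resource.owner:
        return True
    return action in resource.acl.get(subject.name, set())


def rbac_allows(subject: Subject, action: str) -> bool:
    """Non-discretionary: allowed only if one of the subject's roles carries the action."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in subject.roles)


def mac_allows(subject: Subject, resource: Resource) -> bool:
    """Mandatory: compare labels. The subject's clearance must dominate the resource's
    classification, and need-to-know requires every compartment on the resource to be
    one the subject is read into. A top-secret clearance alone is not enough."""
    if LEVELS[subject.clearance] < LEVELS[resource.classification]:
        return False
    return resource.compartments <= subject.need_to_know


def authorize(subject: Subject, resource: Resource, action: str) -> bool:
    """Combined policy, default deny: every mechanism must agree before access is granted."""
    return (
        dac_allows(subject, resource, action)
        and rbac_allows(subject, action)
        and mac_allows(subject, resource)
    )


# Constructed sample data: alice owns a secret report in compartment project-x and has
# shared "view" with bob and carol; bob outranks the report but lacks need-to-know,
# carol has need-to-know but an insufficient clearance.
alice = Subject("alice", {"analyst"}, "secret", {"project-x"})
bob = Subject("bob", {"editor"}, "top-secret", {"project-y"})
carol = Subject("carol", {"analyst"}, "confidential", {"project-x"})
report = Resource(
    "q3-report", owner="alice",
    acl={"bob": {"view"}, "carol": {"view"}},
    classification="secret", compartments={"project-x"},
)

if __name__ == "__main__":
    for who, action in ((alice, "view"), (alice, "delete"), (bob, "view"), (carol, "view")):
        print(f"{who.name:6} {action:7} -> {'allow' if authorize(who, report, action) else 'deny'}")
```

Note how alice, the owner, is still denied "delete": DAC would allow it, but her analyst role does not carry that permission, which is least privilege enforced by the non-discretionary layer.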

c. Confidentiality

In information security, confidentiality "is the property that
information is not made available or disclosed to unauthorized
individuals, entities, or processes." While similar to "privacy," the
two words aren't interchangeable. Rather, confidentiality is a
component of privacy that is implemented to protect our data from
unauthorized viewers. Examples of confidentiality of electronic
data being compromised include laptop theft, password theft, or
sensitive emails being sent to the incorrect individuals.

d. Data / Message Integrity

In the world of secured communications, message integrity describes the
concept of ensuring that data has not been modified in transit. A hashing
algorithm is the usual building block: the sender computes a digest of the
message, and the receiver recomputes it and compares. A plain hash on its
own only catches accidental corruption, though, because an attacker who
can alter the message can recompute the hash as well; to detect deliberate
tampering the hash must be combined with a secret key (a message
authentication code such as HMAC) or with the sender's private key (a
digital signature). Hashing algorithms were covered earlier in the course.
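An added example (not from the assignment) contrasting the two: the receiver checks a bare SHA-256 digest in one case and an HMAC-SHA256 tag in the other, while a constructed man-in-the-middle alters the amount in transit. The message format and the pre-shared key are assumptions of the example.

```python
import hashlib
import hmac

# Assumption: sender and receiver share this key out of band; the attacker does not have it.
KEY = b"shared-secret-known-only-to-sender-and-receiver"


def sha256_tag(message: bytes) -> str:
    """Unkeyed integrity check: anyone, including the attacker, can compute this."""
    return hashlib.sha256(message).hexdigest()


def hmac_tag(key: bytes, message: bytes) -> str:
    """Keyed integrity check (HMAC-SHA256): only holders of the key can compute this."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def receiver_checks_hash(message: bytes, tag: str) -> bool:
    return hmac.compare_digest(sha256_tag(message), tag)


def receiver_checks_hmac(key: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, message), tag)


def man_in_the_middle(message: bytes, tag_function):
    """Constructed attacker: rewrites the amount and attaches the best tag it can
    produce, which is an unkeyed hash of the altered message."""
    altered = message.replace(b"amount=100", b"amount=900")
    return altered, tag_function(altered)


def demo():
    """Returns (tampering caught with a plain hash, tampering caught with HMAC)."""
    original = b"transfer;to=acct-42;amount=100"

    # Case 1: plain hash travels with the message. Attacker recomputes it; receiver is fooled.
    altered, forged = man_in_the_middle(original, sha256_tag)
    hash_caught_it = not receiver_checks_hash(altered, forged)

    # Case 2: HMAC travels with the message. Attacker cannot recompute without KEY.
    altered, forged = man_in_the_middle(original, sha256_tag)
    hmac_caught_it = not receiver_checks_hmac(KEY, altered, forged)

    return hash_caught_it, hmac_caught_it


if __name__ == "__main__":
    print(demo())  # (False, True)
```

HMAC gives integrity only between parties who share the key; when the receiver must also prove to a third party who sent the message, a digital signature is needed instead.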
e. Accountability

Accountability means making sure every action can be traced back to a single
person, not just a group or a shared ID. Achieving it requires culture change as
much as technology, and needs to be handled with a light touch.

To implement accountability, you can begin by eliminating areas where accountability
is not clear. I see that every day: shared IDs with no password vault; use of default
administrator accounts on firewalls, routers, servers, etc. Shared IDs are
sometimes required, I understand that. But put accountability in wherever you can. If
there is no opportunity to add a new ID in cases where IDs must be shared, such as
IDs on appliances, use some form of password vault that checks passwords out and
requires a new one to be checked back in. And get a vault that will alert if the
password is out too long (visibility again).
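The check-out/check-in vault described above, as an added example that is not from the assignment or from any vault product: one named person holds a shared appliance account at a time, the password is rotated on check-in so the one they saw stops working, every checkout lands in an audit log that answers "who was using this account at time T", and overdue checkouts are reported for alerting. The account name, people and the four-hour limit are constructed; time is an integer number of seconds supplied by the caller so the example runs deterministically.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_CHECKOUT_SECONDS = 4 * 3600  # assumption: alert when a password is out longer than this


@dataclass
class Checkout:
    account: str
    person: str
    checked_out_at: int
    checked_in_at: Optional[int] = None  # None while the checkout is still open


class SharedAccountVault:
    def __init__(self) -> None:
        self._passwords: Dict[str, str] = {}   # account -> current password
        self._open: Dict[str, Checkout] = {}   # account -> open checkout, at most one
        self.audit_log: List[Checkout] = []    # every checkout ever made, attributed to a person

    def register(self, account: str, initial_password: str) -> None:
        self._passwords[account] = initial_password

    def checkout(self, account: str, person: str, now: int) -> str:
        """Hand the current password to exactly one named person and record it."""
        if account in self._open:
            raise RuntimeError(f"{account} is already checked out by {self._open[account].person}")
        record = Checkout(account, person, now)
        self._open[account] = record
        self.audit_log.append(record)
        return self._passwords[account]

    def checkin(self, account: str, now: int) -> None:
        """Close the checkout and rotate the password, so the value that was handed
        out cannot be reused later by that person or by anyone they shared it with."""
        record = self._open.pop(account)
        record.checked_in_at = now
        self._passwords[account] = secrets.token_urlsafe(24)

    def overdue(self, now: int) -> List[Checkout]:
        """Open checkouts past the limit: the list the vault should alert on."""
        return [r for r in self._open.values() if now - r.checked_out_at > MAX_CHECKOUT_SECONDS]

    def who_held(self, account: str, at: int) -> Optional[str]:
        """Attribute an action taken with the shared account at time `at` to one person,
        e.g. when correlating an appliance syslog entry with the vault's audit log."""
        for record in self.audit_log:
            if record.account != account or record.checked_out_at > at:
                continue
            if record.checked_in_at is None or at < record.checked_in_at:
                return record.person
        return None


if __name__ == "__main__":
    vault = SharedAccountVault()
    vault.register("fw-admin", "initial-pw")
    vault.checkout("fw-admin", "alice", now=1000)
    print(vault.who_held("fw-admin", at=2000))   # alice
    vault.checkin("fw-admin", now=3000)
    print(vault.who_held("fw-admin", at=3500))   # None: nobody had it checked out
```

In practice the appliance's own logs only say "admin did X at T"; it is the vault's audit log, joined on the timestamp, that turns that into a person.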

Additional thoughts:

f. Availability

For any information system to serve its purpose, the information must be available when
it is needed. This means the computing systems used to store and process the
information, the security controls used to protect it, and the communication channels
used to access it must be functioning correctly. High availability systems aim to remain
available at all times, preventing service disruptions due to power outages, hardware
failures, and system upgrades. Ensuring availability also involves preventing denial-of-
service attacks, such as a flood of incoming messages that exhausts the target system's
capacity (connections, memory, CPU or bandwidth) so that legitimate requests go
unanswered.
In the realm of information security, availability can often be viewed as one of the most
important parts of a successful information security program. Ultimately end-users need
to be able to perform job functions; by ensuring availability an organization is able to
perform to the standards that an organization's stakeholders expect. This can involve
topics such as proxy configurations, outside web access, the ability to access shared
drives and the ability to send emails. Executives often do not understand the
technical side of information security and look at availability as an easy fix, but it
requires collaboration from many different organizational teams, such as network
operations, development operations, incident response and policy/change
management. A successful information security team involves many different key roles
that must mesh and align for the CIA triad to be provided effectively.
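An added example, not part of the assignment, of one control against the message flood described above: a per-source token-bucket rate limiter. Each source may burst up to the bucket capacity and is then held to a sustained rate, so one flooding address runs out of tokens while an unrelated legitimate client is unaffected. The capacity, refill rate, addresses and request stream are constructed; times are whole seconds.

```python
from typing import Dict, List, Tuple

CAPACITY = 10          # assumption: largest burst a single source may send at once
REFILL_PER_SECOND = 5  # assumption: sustained rate allowed per source


class PerSourceLimiter:
    """Token bucket keyed by source address: independent buckets mean one source
    exhausting its allowance cannot consume another source's."""

    def __init__(self, capacity: int = CAPACITY, refill: int = REFILL_PER_SECOND) -> None:
        self.capacity = capacity
        self.refill = refill
        self._buckets: Dict[str, Tuple[float, int]] = {}  # source -> (tokens, last_seen)

    def allow(self, source: str, now: int) -> bool:
        tokens, last = self._buckets.get(source, (float(self.capacity), now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)  # refill since last seen
        if tokens >= 1:
            self._buckets[source] = (tokens - 1, now)
            return True
        self._buckets[source] = (tokens, now)  # empty: drop without doing any work for it
        return False


def serve(requests: List[Tuple[int, str]], limiter: PerSourceLimiter) -> Dict[str, Dict[str, int]]:
    """Run a (time, source) stream through the limiter; count served and dropped per source."""
    stats: Dict[str, Dict[str, int]] = {}
    for now, source in sorted(requests, key=lambda r: r[0]):
        counters = stats.setdefault(source, {"served": 0, "dropped": 0})
        counters["served" if limiter.allow(source, now) else "dropped"] += 1
    return stats


def flood_scenario() -> Dict[str, Dict[str, int]]:
    # Constructed stream: one legitimate client, one request per second for ten seconds...
    requests = [(t, "10.0.0.7") for t in range(10)]
    # ...and one flooder sending 100 messages at t=0 and another 100 at t=1.
    requests += [(0, "203.0.113.9")] * 100 + [(1, "203.0.113.9")] * 100
    return serve(requests, PerSourceLimiter())


if __name__ == "__main__":
    for source, counters in flood_scenario().items():
        print(source, counters)
    # 10.0.0.7     {'served': 10, 'dropped': 0}
    # 203.0.113.9  {'served': 15, 'dropped': 185}
```

The flooder gets its initial burst of 10 plus 5 refilled tokens at t=1 and nothing more, while the legitimate client is never dropped. Keying on source address is the weak point: a distributed flood spreads itself across many addresses, which is why this control is paired with global limits and upstream filtering.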
2. Steganography

Steganography is the technique of hiding secret data within an ordinary, non-secret file
or message in order to avoid detection; the secret data is then extracted at its
destination. Steganography hides the existence of a message, whereas encryption hides
only its content, so the two are often combined as an extra step for protecting data:
the payload is encrypted first and then hidden, so that discovery of the hidden data
does not reveal it.
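As an added example that is not part of the assignment, the simplest form of the technique: least-significant-bit (LSB) embedding into an 8-bit grayscale pixel buffer. Each pixel's lowest bit is replaced by one bit of a length-prefixed payload, which changes any pixel value by at most 1, and the extractor reads the length back before the data. COVER is a constructed 64x64 "image"; a real cover would be the pixel bytes of an uncompressed image, and the payload would be encrypted before embedding.

```python
import random
import struct
from typing import Iterator

# Constructed cover: 4096 pseudo-random 8-bit pixels (fixed seed so the example is repeatable).
COVER = bytes(random.Random(7).randrange(256) for _ in range(64 * 64))


def _bits(data: bytes) -> Iterator[int]:
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover: bytes, payload: bytes) -> bytes:
    """Overwrite one LSB per pixel with a 4-byte length prefix followed by the payload."""
    frame = struct.pack(">I", len(payload)) + payload
    if len(frame) * 8 > len(cover):
        raise ValueError(f"cover holds at most {len(cover) // 8 - 4} payload bytes")
    stego = bytearray(cover)
    for index, bit in enumerate(_bits(frame)):
        stego[index] = (stego[index] & 0xFE) | bit  # clear the LSB, then set it to the payload bit
    return bytes(stego)


def _read_bytes(stego: bytes, first_pixel: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs of consecutive pixels starting at `first_pixel`."""
    out = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (stego[first_pixel + b * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Read the length prefix from the first 32 pixels, then exactly that many payload bytes."""
    (length,) = struct.unpack(">I", _read_bytes(stego, 0, 4))
    return _read_bytes(stego, 32, length)


def max_pixel_change(cover: bytes, stego: bytes) -> int:
    """How far any pixel moved: LSB embedding never changes a value by more than 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    hidden = embed(COVER, b"meet at dawn")
    print(extract(hidden))                    # b'meet at dawn'
    print(max_pixel_change(COVER, hidden))    # 1
```

Plain LSB embedding is easy to detect statistically and gives no confidentiality on its own: anyone who knows the scheme can run `extract`. That is why the text's point about combining it with encryption matters in practice.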
