Network System Security part 5 - Pdf 16

CHAPTER 3
Information Security Services
Copyright 2001 The McGraw-Hill Companies, Inc.
Information security services are the base-level services that are used to combat the attacks defined in Chapter 2. Each of the four security services combats specific attacks (see Table 3-1). The services defined here should not be confused with security mechanisms, which are the actual implementations of these services.

The specifics of how information security services are used within an organization depend upon proper risk assessment and security planning (see Chapters 6 and 7). However, to understand the basic requirements for security within an organization, it is important to understand how security services can be used to counter specific types of attacks.
CONFIDENTIALITY
The confidentiality service provides for the secrecy of information. When properly used, confidentiality only allows authorized users to have access to information. In order to perform this service properly, the confidentiality service must work with the accountability service to properly identify individuals. In performing this function, the confidentiality service protects against the access attack. The confidentiality service must take into account the fact that information may reside in physical form in paper files, in electronic form in electronic files, and in transit.
Confidentiality of Files
There are different ways to provide for the confidentiality of files depending upon the way in which the file exists. For paper files, the physical paper file must be protected. The physical file must exist at a particular location; therefore, access to this location must be controlled. The confidentiality service for paper files relies on physical access controls.

is done through the use of encryption. Information can be protected on a per-message basis or by encrypting all traffic on a link. Encryption by itself can prevent eavesdropping but it cannot completely prevent interception. In order to protect information from being intercepted, proper identification and authentication must be used to determine the identity of the remote end point (see Figure 3-2).
Traffic Flow Confidentiality
Unlike other confidentiality services, traffic flow confidentiality is not concerned with the actual information being stored or transmitted. Traffic flow confidentiality is concerned with the fact that some form of traffic is occurring between two end points (see Figure 3-3). This type of information can be used (by a traffic analyst) to identify organizations that are communicating. The amount of traffic flowing between the two end points may also indicate some information. For example, many news organizations watch deliveries of pizza to the White House and the Pentagon. The idea is that an increase in the number of pizzas may indicate a crisis is occurring.
Table 3-2. File Confidentiality Mechanisms and Requirements

Confidentiality mechanisms:
  Physical security controls
  Computer file access control
  Encryption of files

File confidentiality requirements:
  Identification and authentication
  Proper computer system configuration
  Proper key management if encryption is used
Traffic flow confidentiality can be provided by obscuring information flows between two end points within a much larger flow of traffic. In the military, two sites may set up communications and then send a constant flow of traffic regardless of the number of messages that are actually sent (the remainder is filled up with garbage). In this way, the amount
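The constant-rate link padding described above, as an added example that is not part of the book: a simulated sender emits a fixed number of fixed-size frames per period and fills idle slots with dummy frames, so an observer counting frames and bytes on the link measures the same volume whether several messages or none were sent. The frame size, period length and frame tags are assumed values; on a real link the whole frame would be encrypted so the tag is not visible to the observer either.

```python
import struct

FRAME_SIZE = 64              # assumed: every frame on the wire is exactly this long
TICKS_PER_PERIOD = 16        # assumed: the link always emits this many frames per period
TAG_DATA, TAG_PAD = 0x01, 0x00
HEADER = struct.Struct(">BH")  # 1-byte tag, 2-byte payload length
MAX_PAYLOAD = FRAME_SIZE - HEADER.size


def make_frame(payload: bytes) -> bytes:
    """Wrap a real message in a fixed-size frame: tag | length | payload | zero fill."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload does not fit in one frame")
    return HEADER.pack(TAG_DATA, len(payload)) + payload.ljust(MAX_PAYLOAD, b"\x00")


def dummy_frame() -> bytes:
    """Cover-traffic frame carrying nothing; indistinguishable in size from a real one."""
    return HEADER.pack(TAG_PAD, 0) + b"\x00" * MAX_PAYLOAD


def sender(messages):
    """One period of link output: exactly TICKS_PER_PERIOD frames, message or not.

    Messages beyond the link rate wait for the next period; they are returned as the
    leftover queue so the caller can see that the rate never adapts to demand."""
    queue = list(messages)
    wire = []
    for _ in range(TICKS_PER_PERIOD):
        wire.append(make_frame(queue.pop(0)) if queue else dummy_frame())
    return wire, queue


def receiver(wire):
    """Strip the cover traffic and return the real messages in order."""
    out = []
    for frame in wire:
        tag, length = HEADER.unpack_from(frame)
        if tag == TAG_DATA:
            out.append(frame[HEADER.size:HEADER.size + length])
    return out


def observer_view(wire):
    """All a traffic analyst on the link can measure: frame count and total bytes."""
    return len(wire), sum(len(f) for f in wire)
```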


tiple copies of the file in question. The integrity mechanisms are used to make it very difficult for a modification to go unnoticed. Certainly forgers can copy signatures but this is a difficult skill. Initialing every page makes a simple page replacement difficult. Binding documents into books makes the insertion or deletion of entries or pages difficult. Making multiple copies of the information and distributing the copies to interested parties makes it difficult to successfully change all of the documents at the same time.
Figure 3-2. Encryption coupled with identification and authentication can protect against interception
Of course, another way to prevent the modification of paper documents is to prevent unauthorized access completely. This can be accomplished through the same mechanisms used for confidentiality (that is, physical security measures).
Electronic files are generally easier to modify. In many cases, all it takes is to bring the file up in a word processor and insert or delete the appropriate information. When the file is saved, the new information takes the place of the old. The primary method of protecting the integrity of electronic information files is the same as for protecting the confidentiality of the information, computer file access control. In this case, however, the access control mechanism is not configured to completely deny access but instead is configured to allow for the reading of the file but not for the writing of changes. Also, as with confidentiality, it is very important to correctly identify the individual seeking to make a

Network Security: A Beginner’s Guide
Figure 3-3. Traffic flows can identify which organizations are working together

AVAILABILITY
The availability service provides for information to be useful. Availability allows users to access computer systems, the information on the systems, and the applications that perform operations on the information. Availability also provides for the communications systems to transmit information between locations or computer systems. The information and capabilities most often thought of when we speak of availability are all electronic. However, the availability of paper information files can also be protected.