 very light introduction to some concepts and some terminology of what do we mean by security, in particular computer security and computer network security. Let's look at some concepts, what can we see, some notation and terminology about attacks on computer systems and then some different models for communications and computer security. Here's just a definition from one organisation, computer security, the protection afforded to an automated information system, a computer system, in order to attain the applicable objectives of preserving integrity, availability and confidentiality of information resources. So here's one definition of what some people think of computer security, who wrote this? There's an organisation called NIST, the National Institute of Standards and Technology in the US, they create many standards for the US, but they are quite prominent and especially in computer security, they create many standards for computer security and there's their definition of computer security. So for some information system or some general computer system, we have some objectives of preserving integrity, availability and confidentiality of information system resources. So our computer system, we have a set of resources and we talk about what type of resources, we want to protect those resources and the protection should preserve integrity, availability and confidentiality, so we need to talk about what those three are to make some sense of that. Confidentiality, integrity and availability, what do they mean? And often people group them together, these three things or objectives, CIA, confidentiality, integrity, availability, confidentiality, there are different interpretations of it, but we can think of data confidentiality of we have some information, some data. We want to make sure that only authorized people can access that information. So we can say we keep that data confidential. If I have the exam for this course, it should be confidential in terms of I should be able to read it, the data, the information, but you, the student should not be able to read the exam, at least before the exam. If that's the information stored on my computer, then we want this objective of confidentiality of that data, of that information. And that's the most common thing we think about, many people think about when we talk about security and later encryption, keeping things confidential. Sometimes we say keeping it secret or keeping it private. No one else can see the information unless they're authorized to do so. Another aspect is sometimes term privacy is letting people control what information about them is collected, stored and distributed to others. So this is slightly different in that privacy we often talk about, I have a lot of information about me, my birth date, my passport number, personal identifying information, things that are specific to me, and for different reasons I may not want other people to know those things. So or I may want to limit the amount of distribution of that information to other people. So privacy is often we talk about, well, how can we control how much information about individuals is collected and stored and distributed to others? There is a lot of overlap between the terms confidentiality, privacy, secrecy, okay? Sometimes people use them to mean the same thing, but we'll try and distinguish and talk about confidentiality of keeping something secret, no one else can see the value, whereas privacy is more general about letting people control what information others can collect about them. So if you think of an organization, a company, an organization like SIT, we have an amount of, we have information which we want to keep confidential. We want to keep confidential from the students, exams, okay? We want to keep confidential across students, so one student cannot see the grades of all other students, and we have financial information. We want to keep confidential from outside people for the running of the organization. Another objective, integrity, data integrity, assure the information and programs, the software, are changed only in an authorized manner. So we have some data, we want to make sure that if that data is changed, it's the person changing it and the way that they change it has been authorized in the past. For example, my exam stored on my computer. If I transmit that exam from my computer to the secretary's computer across some network, so the secretary's print exam, then what I would like is that the exam that I have on my computer and send from my computer and that is received by the secretary's computer to be the same. I wouldn't like my computer to send an exam and there's something modified along the way such that the received copy is different from what was sent. Then we've lost the integrity of the data in that case. So that's one example of sending data across a network. We want to make sure that the data is not modified in any way or any unauthorized way. We're going to see more examples of these as we go through this topic. System integrity. Data integrity is about the information, the files, the databases, the messages. Systemed integrity, make sure the system performs as intended. What system? Think of a computer system. A computer system may be a single computer, but in more complex systems a set of computers, servers, printers, we think of one large system. We want to make sure that it provides the intended functions. One simple example with my computer, I want to make sure that it provides the function of, what's in a simple example, not availability. I want to make sure a financial server, so there's some server from some organization that collects financial data, some accounting system. It provides some service to the users. It provides the ability to track financial accounts, to track transactions. We want to make sure that those operations, those functions that are provided by that server, always provide it and work correctly. It's important that they work correctly. If we assume that this accounting server adds up the numbers correctly, when we count the total of how much was spent, it just adds up the values. If someone modifies the code such that when it adds the values that actually doesn't add them correctly, then that would not be working correctly and we've lost the system integrity. So it's more about the operations that the system, the software and hardware performs must be maintained and must not be modified. Confidentiality, integrity, availability. We make sure the system works properly and promptly and is not denied to authorize users. Again, I have a server, a web server. Many users go to that web server to get information. Let's say I sell some product via that web server. So all the customers go to my web server and purchase the product and like online and then it's delivered to them. If that web server is for some reason not working or is very slow to respond to the customers or the website is down, then those customers aren't going to spend the money with my company and go somewhere else. So we need to make sure that that computer system, the web server in this case, is available to the intended users. If it's not, then we have consequences. We'll see some types of attacks on these objectives shortly. So that are the three main objectives that people talk about with computer security. But there are others. Some people are classifier, also authenticity and accountability. Authenticity makes sure the users are genuine and makes sure the data that is input to a computer system is genuine. So authenticate the data. A simple example, a website. Someone gets to, there's a form on a website and a user goes to that website and types in some information on that web page and then it's stored in a database. So there may be a role of authenticating the data that's entered in that case. Make sure that data is appropriate, is not going to cause problems. And another part of that may be authenticating the user. Make sure the user of the website is who they say they are. So use login mechanisms, passwords and so on to provide some form of source authentication, authenticate who is creating this information. So check that things are genuine, that we can trust the users, we can trust the information. Another key part of security or objective is accountability. We often wanna make sure that all actions on a computer system can be traced in case something goes wrong from the security perspective. We'll see that nothing's perfect, so when things go wrong, it's important to be able to trace and trace back, well, who performed that action, what software went wrong, such that there was a security breach. So it'd be able to accountability to verify after the fact what went wrong and what happened is important. If we can verify, let's say we have a, on my laptop, the exam for this course is stored, I don't want students to access it. But for some reason something goes wrong and a student gets access to the exam, not good. Well, if I can, if I know that someone has access to the exam, what happens, well, I have to write a new exam. Otherwise, everyone will have the answers. I would like to be able to detect that someone has accessed the exam. And even better, I would like to be able to detect and trace who accessed my computer. Maybe I can trace back and trace back to the IP address of the computer that accessed my computer and go through some other mechanisms to trace who accessed my computer. Not only do I have to write a new exam, now I can take some other action against that student for accessing my computer. So if we can trace what happens, we can help with solving after security breaches. And it helps with deterring attackers, we'll see. If you know that if you access the exam on my computer, if you know that I will be able to detect that you did it, then it's unlikely that you'll try and access that exam. It deters you from accessing the exam. Because you know that there'll be some other consequence if I find out you access it. So we'll see accountability is another important part of what we require for computer security. Computer security is hard, okay? It's not something that we just download some software, apply some procedures, and it works. Especially for large organizations, maintaining the security of a computer system is a challenge. What are some of the challenges? What's hard about computer security? Why is it hard? Some examples are listed here. It may look easy on first appearance, okay? We need to make sure that a user can log into my website, all right? Provide a username and password, easy. Most people can think of that. But how do you store the password? How does a user send the username and password from their computer to my computer? What happens if someone accesses the database where the password is stored? Then they've obtained the passwords of many users. So there are many things that may look easy in the first instance, but further investigation means that they're not so easy. What that may result in is that they look easy, so someone tries to implement that, but they don't consider all situations, and they still lead to an insecure system. To secure a computer system, we implement security features. Malicious people, attackers, may try and attack those security features. So we need to design the security technologies to withstand some attack. And we'll talk about many examples of that through this course. Let's just select some of them so we can keep going. All right, an attacker only needs to find a single weakness. The developer needs to find all weaknesses. That is, you have the responsibility for securing SIT's network. You need to implement mechanisms to make sure any weaknesses in the SIT network overcome. Whereas an attacker only needs to find one hole in the network. Because if they can find that weakness, they can get access to the SIT network and then do bad things. So from the attacker's perspective, it's easier than from the person who's trying to implement that security, who must stop all the holes. The attacker only needs to find one hole to get in. Often users, managers, CEOs, may not see the benefits of security until a failure occurs. Okay, to secure the SIT network, there's some cost involved. Buying software, hardware, some man hours, some personnel to implement the mechanisms. So we spend all that money to secure the network and it's secure. What does the manager see as a benefit there? If it works well, they don't really see any benefits. They only see the benefits of securing that network once it fails. Because when it fails, there are many drawbacks. Okay, we have large costs if the security fails. So therefore, people think, well, why implement security? Because it's hard to see what the benefits are. What else? It's often thought that having some security mechanism makes things less efficient and less user-friendly. Think of password controls on your favorite websites. You set up an account. You need to choose a password. Often websites now will have some controls and say, your password must be of a particular strength. It cannot be too short. You cannot use a two-letter password. It must contain characters from these. It can't just be letters. It must be letters, numbers, punctuation marks, uppercase, lowercase. So those mechanisms are there to add security. But it starts to become less user-friendly. You now need to remember a password which is not easy to remember and maybe not so easy to type in. It takes you, you have to look it up, and it takes you a minute to type the password every time you want to log in. So often security mechanisms can be implemented in such a way that they become harder to use and lead to performance problems in software and computer systems. Many challenges to overcome. Really today we're just going through a mix of concepts, some definitions, terminology, and in the subsequent topics we're going to look at the techniques that are relevant for all of these. Some concepts. In computer security we can talk about assets, vulnerabilities, policies, threats, attacks and countermeasures. This slide tries to relate all of them together, but you can look at the picture. Let's talk about each of those concepts. A computer system we can talk about assets. The things that we want to protect. Now a computer system may be a single computer, we can think of it as a collection of computers. Very simple to very complex. But we have some resources that we want to protect that are the assets. What are they? We can classify them as four different types. Hardware, software, data, and communications network or communication lines. So four different types of assets. We want to protect them. So hardware, think of a hospital. They have hardware that does monitoring of patients, of involved in operations. We wouldn't want someone to be able to get unauthorized access to someone else's heart monitor or to a different machinery inside the hospital that performs or is involved in operations or testing blood and testing things. Because if someone can get access to this hardware and make the hardware do things it's not supposed to do, then we can have unintended consequences. It can be considered a security breach. So often we want to protect hardware. Another example where hardware is an important asset, you may have heard of Stuxnet. Stuxnet was a worm, a very successful worm that infected originally via USB keys and people think infected the nuclear power plants in Iran with the intention of disabling some of the hardware there. The way that people think it worked is that it made the hardware, the centrifuges there, operate in a manner such that they'd break down, make them work, say, too fast so that eventually they'd break down so they can't do bad things. So that was an attack on hardware. It used software to do it, but attacks specifically on hardware. So in that case, the hardware is an asset that we'd like to protect. Software we want to protect. We want to make sure that people can't modify software to do the wrong thing. Of course, we often want to protect data, the information. And we want to protect communication lines, the links between computers. Usually we have a network, our computer system, and our data passes the communication lines. So to protect the data as it passes the communication lines, we want to protect those communication lines. So things we want to protect, we call assets. Vulnerabilities are weaknesses in some system implementation or operation, some flaw in some software, some hardware, a communication network. Something that will see an attacker can potentially take advantage of. So maybe there's some bugs in software. You download Adobe Acrobat Reader. It has some bugs in it. There are vulnerabilities, and potentially we'll see that threats, a threat from a security perspective may take advantage of that vulnerability and do something bad. So vulnerabilities are weaknesses in the system with respect to our assets. They can make them corrupted, leaky, or unavailable. For example, corrupted data. That is, if we have a vulnerability such that our data becomes corrupted, we store some files. And if there's a vulnerability such that those files get modified, then that can be a problem. Leaky means information gets out. We can think of leaky communication lines. We have a wireless network. That's part of our communication network. We can, a vulnerability, maybe we don't use encryption or the encryption across that wireless network is not strong, then we can, the information sent across those communication lines may be made available to unauthorized users. The information leaks out to others. Or hardware, for example, may become unavailable. There's some vulnerability in the hardware such that if a malicious user takes advantage of that vulnerability, then that hardware will not be available for the intended purposes. So we have assets we want to protect, but those systems, computer systems, may have weaknesses or vulnerabilities. And it's hard to avoid them. We cannot avoid all bugs in software and complex software. We talk about security policies. The rules or practices that specify how a system provides security services to protect our assets. So we can think of an organization has a security policy. We have a set of assets we want to protect. Well, what steps are we going to take to protect those assets? That's our security policy. How do we want to protect those assets? Which are the important ones? Which ones, if we lose those assets, what is the consequence going to be? So we have some procedures that we apply to try and protect assets. We classify them as our security policy. So for SIT, for example, the most important asset may be the data, the student grade information. We want to protect that. But there may be some vulnerabilities in software, the database software that we use to store the data. Well, we may define a policy that talks about the software we use, the procedures we use, as a who can access the database, who can access the student grades, which students can access other students' grades, none. Which faculty members can access other students' grades? Well, you can access the grades of the students in your class. I can access the grades of my advisees. But I cannot access the grades of all students in SIT. So there's some policy there of, how do we protect that asset of the data? And threats. A potential violation of that policy by exploiting one of the vulnerabilities. So a potential. It's not something that's carried out, but we may have threats. So coming back to student grades, let's say the system is that I am not allowed to access the grades of students I don't teach or who are not my advisees. Then if there's some vulnerability in the database or the website that provides access to grades, then there may be a threat that I do get access to those grades of those that I'm not supposed to. So a potential of violating the policy by taking advantage of a vulnerability. An attack is a threat carried out. A threat is a potential violation. An attack is a threat carried out, an actual violation. A successful attack is an actual violation. We may have unsuccessful attacks that don't violate the policy. So we will see over this topic and others there are different types of attacks or we can classify attacks in different ways. Active and passive attacks. We'll come back to that later. I've got another slide that describes in a bit more detail later. Inside-outside attacks, depending on who's attacking. Inside is by an entity that has authorized access. So if I, a faculty member, try and get access to a student's grades that I'm not allowed to, then that would be considered an inside attack because I'm an entity that normally considered trusted inside the system. But if someone out on the internet is trying to get access to some student's grades, we'll think of that as an outside attack depending upon where the attacker is coming from. And we have to deal with them in different ways. So, SIT should protect information from outside attacks, definitely, but it may be much harder to prevent inside attacks because there may be many more vulnerabilities in that case. Countermeasures are ways to deal with attacks. We want to prevent attacks. Make sure they don't occur. Detect them if they do occur. We cannot prevent everything. If we cannot prevent it, the next best option is to detect, find out an attack is taking place or it took place and respond, take some action. And if necessary, recover. Let's say an attack is such that someone's trying to change the grades in the student's transcript. Reduce a student's grades from A's down to F's. Then, if we cannot prevent that attack, then we'd like to be able to at least detect that it happened. And if we detect it, then maybe we can trace back and find out who did the attack and take some response, either some legal response or some other response. And recover, revert back to the original grades. So, we may not be able to prevent all attacks. So, we have other approaches. Unfortunately, in most complex systems, even with countermeasures, which try to stop attacks, there are still vulnerabilities that exist. Still things we, potential flaws, which lead to risks for assets. So, there's still some risk that someone may modify our data or stop our hardware from working. This is very annoying. Work that out later. The aim is to minimise the risks, okay? So, look at what assets are most important. Try to identify vulnerabilities, potential threats and attacks. Implement countermeasures with the intention of trying to minimise the risks. Reduce them to zero if possible, but in practice, it may not be possible. So, minimise the risks. That tries to, a picture from the textbook tries to relate those different concepts together. Have a follow that through and you'll see that it makes some sense. A little bit more detail about threats, attacks and assets. A little bit different terminology here. We said threats is a potential violation of security and attack is a threat carried out. Here we look at it from a different perspective and this notation comes from some standard or some document by the Internet Engineering Task Force. It's a glossary of internet security. And in fact, I think I've given you, I intended to give you a hard copy of this. Go to the end of this set of lecture notes, or not at the entire document. See if I can, something called threat consequences. Do you have this document? Maybe one I forgot. It should be after the security lecture notes. Yes, just after the lecture notes on introduction to security, you have this document, which is just a cut and paste from this original document. It's just some definitions. You can read through them. We will not go through all of them. We'll just mention the overview. So it's three or four pages talking about threat consequences. A threat action is an attack. Back to our lecture notes. A threat action is an attack. A threat agent is an entity that attacks. Another name, an attacker, a malicious user, an adversary. So we have different terms to talk about who is doing the attack. Sometimes you'll hear of a hacker. We'll try and avoid the word hacker or to hack because it has different meanings in some cases. I'll say an attacker or a malicious user is a threat agent. And we have a consequence. So some security violation that results from some attack. This document, the one you have printed, splits the consequences into four types. Unauthorized disclosure, deception, disruption and usurption. And within them breaks them into subcategories listed there. Just go back to the document itself. Just pull out a few examples. Unauthorized disclosure. An event where an entity gains access to data for which they're not authorized. So we disclose information that we shouldn't have. That's a consequence of some attacks. Someone performs an attack and the information becomes available to people who shouldn't have it. We ask, and what are the actions? The course is consequence. Exposure, data is released to some unauthorized entity. It may be deliberate. That is, I get access to all of your grades as you're my students. If I give all of that information to someone who's not supposed to have access, then I've exposed that information. And the consequence is unauthorized disclosure in this case. And there are different ways that this exposure can occur. So they're listed here. It can be deliberate. If I deliberately give that to someone, that's one case. It could be human error. Maybe I make a mistake with sending an email. Here are the grades of this person. I try to send it to one person by sending it to the wrong person. So some error on my part may still expose the information leading to the consequence of unauthorized disclosure of that information. Some hardware or software error may lead to the disclosure. What other types of actions or attacks lead to the consequence of unauthorized disclosure? They're listed here, interception. I send some confidential information from my computer to someone else's computer. Someone intercepts that information along the way and reads that information. So we have this consequence as a result of an interception attack. And this document talks about the different types of interception. Inference is using some usually publicly available information to work out some information that should not be disclosed. Intrusion, someone gains access to a system that they should not have access to. They intrude, maybe get access to a database that they shouldn't have access to. All leads to potentially unauthorized disclosure. I think this one, these are best examples of unauthorized disclosure. I think this one, these are best to read through to understand all the different types of threat actions in there. Another consequence, deception. Pretending to be someone else, for example. You're deceived. You receive some data coming from, and it says it's coming from this person, but it actually came from someone else. You're deceived into thinking that data is correct when it's incorrect. That's a consequence of some attacks. Attacks that lead to deception. A masquerade attack. A threat action is an attack, remember? Masquerade, someone pretending to be someone else. A masquerade is someone else. Falsification. False data is sent to someone. So wrong or incorrect data is sent to someone. What's repudiation? Repudiation is denying something happened. We'll see that come out in other slides. Repudiation is I denied that I either sent a message or I denied I received a message. I repudiate that I received that message. That can lead to a consequence. And the best example of repudiation is say with contracts or some commercial exchange. You buy something. You get a receipt when you buy that. What's the purpose of a receipt? One purpose of a receipt is to provide evidence that you've paid the money for that product. So that receipt acts as some evidence. So that maybe you can go back to the shop later and say, here, I bought this product. The shop can't say no, you didn't because you have the receipt. They say no, you didn't because you have the receipt of evidence to say that you did buy that product. So the receipt acts as evidence in that case. The shop cannot repudiate and say no, you didn't buy it and therefore I will not give you a refund or I'll not fix it. The receipt acts as evidence. We need the same type of service in computer systems sometimes where someone sends a message. You receive a message to deny that you received it. Or the sender later denies that they sent that message. That can have consequences and therefore we'll consider that as an attack to deny something's happened. Disruption. We have a computer system if we disrupt that computer system. So it doesn't perform its correct operation. We can destruct hardware, for example, physical destruction. It may be an attack. We can have attacks which corrupt data. So we change data again. We tamper with computer software, hardware and data to attacks that lead to disruption of a computer service. And the last consequence, usurption, what is that? A circumstance that results in control of services by an unauthorized entity. Someone takes over. Someone takes control of some services that they're not supposed to have control of. So someone gets access to a system that they shouldn't have access to is the best example then. Misappropriation. Or theft of service. For example, you get free access to the Wi-Fi offered by some commercial provider. You're supposed to pay for it, free access. That is a case of theft of service. That's an attack. I will not go through others there. Just a classification of attacks, threat actions and the consequences of those attacks. The things that go wrong. The violations of the security policy. We'll come back to the previous picture. This gives some examples of relating threats. Our assets here. Hardware, software, data, communication lines. And those objectives that we started with in one of the first slides. The CIA of confidentiality, integrity and availability. So some examples of threats of those assets with respect to those objectives. For example, the availability of hardware. If the equipment is stolen or disabled, somehow it's broken through some attack, then that hardware is no longer available. Or there's some data stored in our database if there may be a threat such that that data is deleted. That makes the data unavailable. Or there may be a threat, a potential action that can take place where someone unauthorized can read the data. That's against our objective of confidentiality. Or that someone modifies the data in the database. And that's against our objective of integrity. Integrity, remember, is keeping the data the same. Maintaining its integrity. Not allowing someone So just some examples of threats and with respect to the objectives and the different assets that we want to protect. I think we will not go through this diagram, just presents different concepts together that we have users of some computer system. Computer system may be made up of multiple computers that communicate through some communication network. There's a link or a line here to computers. Users access those computers. We have data on those computers. Files, for example. Data in databases. And we have software processes running on those computers that represent the users. And it highlights some of the things that we need to control. For example, control access from users to the computer. Control access from software processes to data. Secure the data and secure the communication lines. So computer security is not just about the security of an individual computer. We think about a computer system. Multiple computers. The way that users interact with those computers and the way that those computers communicate with each other. So computer security includes network security. The computer itself and interaction from users to computers. In the last 10 minutes let's look at a different view of security from the perspective of communications. The concepts we're about to present come from some standard or some document by ITU, the International Telecommunications Union and the documents called X800 Security Architecture for OSI. That's not so important. The concepts that they talk about are important because they used when we talk about different technologies. And the important thing is that they talk about security aspects. Three aspects of communication security. Especially the part of communicating between different computers, across networks, across links. How do we secure the communications? Well the aspects are attacks, mechanisms and services. What are they? Again, different terminology from a different perspective from what we've seen in other slides. In another perspective was the threat action threat consequences, threat agent is from a perspective of the network part. We talk about security attacks some attempt to compromise the security of information or facilities of data or hardware or software, the facilities. A security mechanism is a method for preventing attacks and a security service uses mechanisms to enhance the security in order to stop attacks. So we've got potential attacks on a communication network. There are a range of mechanisms available to stop attacks and we combine those mechanisms together to implement some service so that the attacks are not possible. Let's look at those three. Attacks, mechanisms and services. What do we mean by security service? Two definitions here. The second one will take a processing or communication service provided by a system by some computer system or network system to give some specific kind of protection. That's quite a very general definition. We use security services and we'll list them in a moment, implement policies. So we can think an organization or a user has some objective of securing their system. They specify a policy and the policy for SIT is that no student can access any other student's grades. A faculty member can only access the grades of the students they teach and they advise. So there's part of a policy. And then we think, okay, to implement that policy we'll use different security services and then we'll see to implement those security services, there are a range of mechanisms available with the intention that they stop attacks such an attack would violate that policy. These are the main six security services people talk about. And again, remember this is from a communications perspective. So it's focusing about sending data across some network or link. What are the services that we'd like to provide to a user of a network? Authentication. The service of authentication is making sure that the entity we're communicating with is who they say they are and the data that we're receiving the entity that we're communicating with is who they claim to be. So, for example, I receive a message and the message an email says this is from Tanarak at SIT. Dr. Tanarak, the head of school, I receive the email. I would like to make sure that that email actually comes from Dr. Tanarak not from some student pretending to be Dr. Tanarak. So an authentication service would provide that. The ability for me to be sure that it's come from the entity who I think it should be. Access control is intended to prevent unauthorized use of some resource. Think of a resource like a computing facility do some processing on a computer or to access some data. We want to control who can access the resources. The best example is a firewall. A firewall sits at the edge of a network normally, say the connection from SIT's network to the outside world. A firewall sits there and controls what outside people can do in terms of accessing computers inside SIT. So it controls access to resources inside SIT. So this is a service that we often want to provide. Control access to resources. Data confidentiality, this one's almost obvious, we want to often protect our data. Make sure no one can read data that should be confidential. I send again an exam to the secretary. I don't want to and I send it using Wi-Fi from my laptop via an access point to the secretary's computer. I don't want you to sit there on your mobile phone and laptop and intercept and receive the exam as my laptop is sending it wirelessly to the access point. Because that means you'll get access to confidential data. So we need some mechanisms to provide this service. This is what we require for this service. Data integrity. Make sure that the data that we receive has not been modified. Again, I send the exam. The secretary wants to make sure that the exam that she received hasn't been intercepted by some student and modified along the way. And they change the questions to easier questions. So we want to make sure that what is received is the same there's no modification. Non-repudiation. We introduced repudiation before. We'd like to be able to make sure that no one can deny something taking place. In particular in terms of communications no one can deny that they sent a message or deny that they received a message that they actually did. That's the service of non-repudiation. And the final service is availability. We want to make sure that our computer system is available. Our computer network is available for the intended users. SIT provides a Wi-Fi service to the users, to the students. If there was an attack such that you couldn't use the Wi-Fi then you would not be happy. And it degrades the service provided to the students. So that would be considered an attack. So the requirement there is to make sure the communications network is available for the intended users. What we'll go through next lecture is some attacks that try and violate the security and will relate them to these security services. So different types of attacks especially in a communication network will classify them. And then we'll finish by looking at what mechanisms are available to try and stop those attacks to implement these services. Think of these as requirements. Attacks may take place. We still want to meet these requirements. What mechanisms do we have to meet those requirements? That's enough for today. So all we're doing so far is introducing terminology. Introducing concepts. Once we finish this topic we'll start to look at techniques. So different security techniques. What's your homework? Read the website. Make sure you have your hard copies of your notes. Browse the website and make some notes of questions that you want to ask me in the next lecture on Thursday. So this week's the time to ask questions about the structure of the course. So I will assume from now on that you know everything that's on the website. I will not give further explanations. Deadlines, how to submit and those things. If it's on their website you must know it. Let's continue Thursday.