Computer Security
An Overview
Copyright © 2013 – Curt Hill

Introduction
• We want to consider just the basics of security
• There are several questions that need answers:
  – What assets need protection?
  – What threats exist for these assets?
  – What countermeasures exist for the threats?
• Security is a course of study all its own
  – All we do here is introduce the topic

NIST Definition
• The National Institute of Standards and Technology defines computer security:
• The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data and telecommunications).

Audience Participation
• What does this definition tell us?
• What is:
  – Integrity?
  – Availability?
  – Confidentiality?

The Heart
• Computer security centers around these three concepts:
  – Integrity
  – Availability
  – Confidentiality
• These are also known as the CIA triangle
  – Not Central Intelligence Agency
  – Failures in one often leak into others
• Let's unpack this a little further

Integrity
• Guarding against improper modification or destruction of information
• System integrity is about software
  – System performs the functions it was designed to accomplish
  – We counter threats to the software itself
• Data integrity
  – Data is changed only by those authorized to do so and only in specified manners
• Both data and software are stored in similar ways, so there is overlap

Availability
• System is available to do the work it was purchased to do
  – Timely and reliable access
• It services authorized users and denies service to those who are not
• One of the problems is that additional security is overhead that reduces the amount of work that can be done
  – Although not as extreme as the availability issues of attacks

Confidentiality
• Preserving authorized restrictions on information
• Data confidentiality
  – Private information is not disclosed to those who are not authorized to access it
• Privacy
  – The individuals to whom the data refers have some influence on how the data is used
  – Ability to correct errors in the data
  – Ability to limit who may use the data and for what reason

Triangle or Pentangle?
• Two more concepts that figure in frequently are Authenticity and Accountability
• Authenticity is about the verification process of users or systems
  – Are they actually who they say they are?
• Accountability is about being able to track actions in an uncompromised way, often after a security breach
  – We need to be able to connect each action with the one who originated the action

Levels of Impact
• A failure is categorized into three levels:
• Low – limited adverse effect
  – Organization is able to perform its primary function with only minor financial loss
• Moderate – serious adverse effect
  – Loss of capability or effectiveness
  – Damage to assets and finances
• High – severe or catastrophic effect
  – Major damage to assets
  – Could involve life-threatening injuries

Your turn
• With regard to VCSU, what would constitute failures of these magnitudes?
  – Low
  – Moderate
  – High

The problems
• Computer security is complex; what are some of the problems?
• The underlying software is complex
  – A small error can be exploited to create a large problem
• To succeed the developer has to plug all holes; failure comes from an attacker finding only one
  – A battle of wits
• Authentication requires the user to possess some secret fact
  – How can this be distributed?

More problems
• To most users this is an annoyance, thus they do not employ good practices
• Security is often an afterthought to system development
  – A porous surface is hard to plug
• Continual monitoring is required; this is a budget item that requires justification
• Thinking about threats requires an unusual mindset

Attack Classifications
• Active – an attempt to alter resources and operation
• Passive – an attempt to make use of information without altering any of it
• Inside – usually mounted by an employee or privileged person
  – They know about the system and have a starting point of some authorization
• Outside – not the above
  – Ranges from high school pranks to organized crime or even governments

Countermeasures
• Any attempt to thwart an attack
• Prevention – predict the attack and disable it in advance
• Detection – look for suspicious activity and unauthorized accesses
• Recovery – an attempt to undo the effect of an attack

Threat Consequences
Consequence: Action or attack
• Disclosure
  – Exposure – sensitive data is made available
  – Interception – access to data in transit
  – Inference – deduce information based on what was visible
  – Intrusion – active gaining of access
• Deception
  – Masquerade – using another's authorization
  – Falsification – false data to deceive authorization
  – Repudiation – denial of an unauthorized action
• Disruption
  – Incapacitation – disabling a component to damage the system
  – Corruption – modify a component to alter behavior
  – Obstruction – interrupt delivery of system services
• Usurpation
  – Misappropriation – entity gains unauthorized control
  – Misuse – modification to perform another function

Assets and Example Threats
• Hardware
  – Theft
• Software
  – Availability: Deletion of pgms
  – Confidentiality: Unauthorized copy of pgms
  – Integrity: Pgms modified to fail or provide unauthorized functions
• Data
  – Availability: Delete files
  – Confidentiality: Unauthorized access
  – Integrity: Modification of files
• Communication lines
  – Availability: Messages are destroyed or mangled
  – Confidentiality: Messages are intercepted
  – Integrity: Messages are falsified

Finally
• Security will continue to be an important topic for the foreseeable future
• We will continue to balance:
  – The danger of security threats versus the ease-of-use problems that security requires
  – Cost of security versus the cost of failure and recovery
• Security concerns are also business concerns