Chapter 1 Security Problems in Computing

An Overview of
Computer Security
computer security
1
Outline
• Components of computer security
• Threats
• Policies and mechanisms
• The role of trust
• Assurance
• Operational Issues
• Human Issues

Status of security in computing (in early 2000s)

• In terms of security, computing is very close to the wild west days.
• Some computing professionals & managers do not even recognize the value of the resources they use or control.
• In the event of a computing crime, some companies do not investigate or prosecute.

Has the status changed for the better?

Characteristics of Computer Intrusion

• A computing system: a collection of hardware, software, data, and people that an organization uses to do computing tasks
• Any piece of the computing system can become the target of a computing crime.
• The weakest point is the most serious vulnerability.
• The principles of easiest penetration

Security Breaches - Terminology

• Exposure
– a form of possible loss or harm
• Vulnerability
– a weakness in the system
• Attack
• Threats
– Human attacks, natural disasters, errors
• Control – a protective measure
• Assets – h/w, s/w, data

Types of Security Breaches

• Disclosure: unauthorized access to info
– Snooping
• Deception: acceptance of false data
– Modification, spoofing, repudiation of origin, denial of receipt
• Disruption: prevention of correct operation
– Modification, man-in-the-middle attack
• Usurpation: unauthorized control of some part of the system (usurp: take by force or without right)
– Modification, spoofing, delay, denial of service

Security Components

• Confidentiality: The assets are accessible only by authorized parties.
– Keeping data and resources hidden
• Integrity: The assets are modified only by authorized parties, and only in authorized ways.
– Data integrity (integrity)
– Origin integrity (authentication)
• Availability: Assets are accessible to authorized parties.
– Enabling access to data and resources

Computing System Vulnerabilities

• Hardware vulnerabilities
• Software vulnerabilities
• Data vulnerabilities
• Human vulnerabilities ?

Software Vulnerabilities

• Destroyed (deleted) software
• Stolen (pirated) software
• Altered (but still run) software
– Logic bomb
– Trojan horse
– Virus
– Trapdoor
– Information leaks

Data Security

• The principle of adequate protection
• Storage of encryption keys
• Software versus hardware methods

Other Exposed Assets

• Storage media
• Networks
• Access
• Key people

People Involved in Computer Crimes

• Amateurs
• Crackers
• Career Criminals

Methods of Defense

• Encryption
• Software controls
• Hardware controls
• Policies
• Physical controls

Encryption

• at the heart of all security methods
• Confidentiality of data
• Some protocols rely on encryption to ensure availability of resources.
• Encryption does not solve all computer security problems.

Software controls

• Internal program controls
• OS controls
• Development controls
• Software controls are usually the 1st aspects of computer security that come to mind.

Policies and Mechanisms

• Policy says what is, and is not, allowed
– This defines “security” for the site/system/etc.
• Mechanisms enforce policies
• Mechanisms can be simple but effective
– Example: frequent changes of passwords
• Composition of policies
– If policies conflict, discrepancies may create security vulnerabilities
• Legal and ethical controls
– Gradually evolving and maturing

Principle of Effectiveness

Controls must be used to be effective.
– Efficient
• Time, memory space, human activity, …
– Easy to use
– Appropriate
Overlapping Controls

• Several different controls may apply to one potential exposure.
H/w control + S/w control + Data control

Goals of Security

• Prevention
– Prevent attackers from violating security policy
• Detection
– Detect attackers’ violation of security policy
• Recovery
– Stop attack, assess and repair damage
– Continue to function correctly even if attack succeeds

Trust and Assumptions

• Underlie all aspects of security
• Trust and verify vs Verify before trust?
• Policies
– Unambiguously partition system states
– Correctly capture security requirements
• Mechanisms
– Assumed to enforce policy
– Support mechanisms work correctly

Types of Mechanisms

[Figure: three diagrams labeled "secure", "precise" and "broad", each comparing the set of reachable states with the set of secure states]

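An added example, not part of the original slides: it computes the set of reachable states R under three candidate mechanisms and compares it with the policy's set of secure states Q, using the usual definitions (secure when R is a subset of Q, precise when R equals Q, broad when some reachable state lies outside Q). The state names, transitions and mechanism functions are constructed for illustration.

```python
from collections import deque

# Constructed toy system (all names are illustrative assumptions).
# Q is the policy: the set of states it declares secure.
Q = {"idle", "authenticated", "reading"}
# Every transition the system could make with no mechanism in place.
TRANSITIONS = {
    "idle": {"authenticated", "reading_unauth"},
    "authenticated": {"reading"},
    "reading": {"idle"},
    "reading_unauth": {"idle"},
}

def reachable(start, allow):
    """Return R: states reachable from start using only transitions
    that the mechanism allow(src, dst) permits (breadth-first search)."""
    seen, queue = {start}, deque([start])
    while queue:
        src = queue.popleft()
        for dst in TRANSITIONS.get(src, ()):
            if dst not in seen and allow(src, dst):
                seen.add(dst)
                queue.append(dst)
    return seen

def classify(R, Q):
    """precise: R == Q; secure: R is a proper subset of Q; broad: R leaves Q."""
    if R == Q:
        return "precise"   # also secure, and no allowed state is lost
    if R < Q:
        return "secure"    # safe, but some allowed states are unreachable
    return "broad"         # at least one reachable state violates policy

# Three candidate mechanisms for the same policy.
def no_control(src, dst):
    return True

def require_login(src, dst):
    return dst != "reading_unauth"

def lock_everything(src, dst):
    return dst == "authenticated"

def evaluate(mechanism):
    return classify(reachable("idle", mechanism), Q)

if __name__ == "__main__":
    for m in (no_control, require_login, lock_everything):
        print(f"{m.__name__:16} -> {evaluate(m)}")
```
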
Assurance

Specification
– Requirements analysis
– Statement of desired functionality

Design
– How system will meet specification

Implementation
– Programs/systems that carry out design
Operational Issues

Cost-Benefit Analysis
– Is it cheaper to prevent or to recover?

Risk Analysis
– Should we protect something?
– How much should we protect this thing?

Laws and Customs
– Are desired security measures illegal?
– Will people do them?
Human Issues

Organizational Problems
– Power and responsibility
– Financial benefits

People problems
– Outsiders and insiders
– Social engineering
“The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education. Enacting policies and procedures simply won't suffice. Even with oversight the policies and procedures may not be effective: my access to Motorola, Nokia, ATT, Sun depended upon the willingness of people to bypass policies and procedures that were in place for years before I compromised them successfully.” — Kevin Mitnick

Tying Together
Threats
Policy
Specification
Design
Implementation
Operation
Key Points

• Policy defines security, and mechanisms enforce security
– Confidentiality
– Integrity
– Availability
• Trust and knowing assumptions
• Importance of assurance
• The human factor