Computer Security

Computer Security is defined as: the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).

Integrity

Integrity is defined as: In daily usage, information has integrity when it is timely, accurate, complete, and consistent. However, computers are unable to provide or protect all of these qualities. Therefore, in the computer security field, integrity is often discussed more narrowly as having two facets: data integrity and system integrity.

Data integrity is a requirement that information and programs are changed only in a specified and authorized manner.

System integrity is a requirement that a system performs its intended function in an effective manner, free from unauthorized manipulation of the system.

Availability

Availability: A requirement intended to assure that systems work promptly and service is not denied to authorized users.

Confidentiality

Confidentiality: A requirement that private or confidential information not be disclosed to unauthorized individuals.

Network Security

Network security uses the same basic set of controls as mainframe security or PC security. For example, secure gateways are discussed as a part of Access Control; transmitting authentication data over insecure networks is discussed under Identification and Authentication and the data communications contracts.

COMMON THREATS

Computer systems are vulnerable to many threats that can inflict various types of damage resulting in significant losses. This damage can range from errors harming database integrity to fires destroying entire computer centers. Losses can be, for example, from the actions of supposedly trusted employees defrauding a system, from outside hackers, or from careless data entry clerks.

PHYSICAL AND ENVIRONMENTAL SECURITY

- Physical Access Controls
- Fire Safety Factors
- Failure of Supporting Utilities
- Mobile and Portable Systems

Physical Access Controls (Theft of Systems or Storage Media)

Physical access controls restrict the entry and exit of personnel (and often equipment and media) from an area, such as an office building, suite, data center, or a room containing a LAN server.

The controls to the system can include the electric power service, the air conditioning and heating, telephone and data lines, backup media and source documents, and any other elements required for the system's operation.

There are many types of physical access controls, including badges, memory cards, guards, keys, fences, and locks, as well as intrusion detectors, such as closed-circuit television cameras, motion detectors, and other devices.

Fire Safety Factors

Building fires are a security threat because of the destruction of both hardware and data and the risk to human life.

Typical ignition sources are:
- Failures of electric devices and wiring
- Carelessly discarded cigarettes
- Improper storage of materials subject to spontaneous combustion
- Improper operation of heating devices, etc.

Fire safety measures:
- Fire resistant buildings
- Put away fuel sources
- Fire detection devices
- Fire extinguishment devices

Failure of Supporting Utilities

This applies to electric power distribution, electromagnetic waves or magnetic fields, water, sewage, humidity, dust, smoke, and failures of heating and air-conditioning systems.

Operating and security personnel should have rescue information immediately available for use in an emergency. In some cases, it may be possible to relocate system hardware, particularly distributed LAN hardware.

Mobile and Portable Systems

Portable and mobile systems share an increased risk of theft and physical damage. In addition, portable systems can be "misplaced" or left unattended by careless users.
Secure storage of portable computers (laptop, backup media, etc.) is often required when they are not in use. Depending on the sensitivity of the system and its application, it may be appropriate to require signed briefing acknowledgments of users.

Access Control

Access is the ability to do something with a computer resource. This usually refers to a technical ability (e.g., read, create, modify, or delete a file, execute a program, or use an external connection).

Authorization is the permission to use a computer resource. Permission is granted, directly or indirectly, by the application or system owner.

Authentication is proving (to some reasonable degree) that users are who they claim to be.

Access control often requires that the system be able to identify and differentiate among users.

IDENTIFICATION AND AUTHENTICATION

Identification and authentication (I&A) is the first line of defense. I&A is a technical measure that prevents unauthorized people (or unauthorized processes) from entering a computer system.

Identification is the means by which a user provides a claimed identity to the system. Authentication is the means of establishing the validity of this claim.

There are three means of authenticating a user's identity, which can be used alone or in combination:
1. Something the individual knows (a secret, e.g., a password, Personal Identification Number (PIN), or cryptographic key);
2. Something the individual possesses (a token, e.g., an ATM card or a smart card);
3. Something the individual is (a biometric, e.g., such characteristics as a voice pattern, handwriting dynamics, or a fingerprint).

Passwords

Benefits of Passwords. Passwords have been successfully providing security for computer systems. They are integrated into many operating systems, and users and system administrators are familiar with them.
When properly managed in a controlled environment, they can provide effective security.

Problems With Passwords.
1. Guessing or finding passwords.
2. Giving passwords away.
3. Electronic monitoring (when passwords are transmitted to a computer system).
4. Accessing the password file.

Cryptographic Keys

The authentication derived from the knowledge of a cryptographic key may be based entirely on something the user knows, but the user also needs (or needs access to) something that can perform the cryptographic computations, such as a PC or a smart card.

Memory Tokens

Memory tokens store, but do not process, information. Special reader/writer devices control the writing and reading of data to and from the tokens. The most common type of memory token is a magnetic striped card.

A common application of memory tokens for authentication to computer systems is the Automatic Teller Machine (ATM) card. This uses a combination of something the user possesses (the card) with something the user knows (the PIN). Memory tokens when used with PINs provide more security than passwords.

Smart Tokens

A smart token expands the functionality of a memory token by incorporating one or more integrated circuits into the token itself. A smart token typically requires a user also to provide something the user knows (i.e., a PIN or password) in order to "unlock" the smart token for use.

Benefits of Smart Tokens
1. One-time passwords.
2. Reduced risk of forgery.
3. Multi-application.

Biometric Authentication

Biometric authentication uses the unique characteristics of an individual to authenticate that person's identity. These include physiological attributes (such as fingerprints, hand geometry, or retina patterns) or behavioral attributes (such as voice patterns and hand-written signatures).

Biometric systems provide an increased level of security for computer systems.
Imperfections in biometric authentication devices arise from technical difficulties in measuring and profiling physical attributes as well as from the variable nature of physical attributes.

Due to their relatively high cost, biometric systems are typically used with other authentication means in environments requiring high security.
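
The smart-token slides (PIN "unlock", one-time passwords) and the "electronic monitoring" password problem can be tied together in a short sketch. This is an added example, not part of the original slides: it assumes the token generates HOTP codes (RFC 4226), and the SmartToken and Verifier classes, the PIN and the sample key are hypothetical, constructed for illustration.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time password: HMAC-SHA1 over an 8-byte counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class SmartToken:
    """Hypothetical token: something the user possesses, unlocked by a PIN."""
    def __init__(self, key: bytes, pin: str, max_tries: int = 3):
        self._key, self._pin = key, pin.encode()
        self._max_tries = self._tries_left = max_tries
        self._counter = 0

    def one_time_password(self, pin: str) -> str:
        if self._tries_left == 0:
            raise PermissionError("token locked")  # limits PIN guessing
        if not hmac.compare_digest(pin.encode(), self._pin):
            self._tries_left -= 1
            raise PermissionError("wrong PIN")
        self._tries_left = self._max_tries
        otp = hotp(self._key, self._counter)  # the key never leaves the token
        self._counter += 1
        return otp


class Verifier:
    """Hypothetical host side: shares the key, tracks the next counter."""
    def __init__(self, key: bytes, window: int = 3):
        self._key, self._window, self._counter = key, window, 0

    def authenticate(self, otp: str) -> bool:
        for c in range(self._counter, self._counter + self._window):
            if hmac.compare_digest(otp.encode(), hotp(self._key, c).encode()):
                self._counter = c + 1  # consumed: a monitored OTP cannot be replayed
                return True
        return False


if __name__ == "__main__":
    key = b"12345678901234567890"  # constructed sample key (RFC 4226 test key)
    token, host = SmartToken(key, "4921"), Verifier(key)
    otp = token.one_time_password("4921")
    print(otp, host.authenticate(otp), host.authenticate(otp))
```

The second `authenticate` call with the same code fails, which is the property that defeats electronic monitoring of a transmitted password; the look-ahead window only tolerates codes generated on the token but never submitted.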