Computer Security

advertisement
Computer Security
Computer Security is defined as:
The protection afforded to an automated
information system in order to:
attain the applicable objectives of preserving the integrity,
availability and confidentiality of
information system resources (includes hardware, software,
firmware, information/data, and
telecommunications).
Integrity
Integrity is defined as :
In daily usage, information has integrity when it is
timely, accurate, complete, and
consistent. However, computers are unable to provide
or protect all of these qualities.
Therefore, in the computer security field, integrity is
often discussed more narrowly as having
two facets: data integrity and system integrity.
Integrity
Data integrity is a requirement that
information and programs are changed only
in a specified and authorized manner.
System integrity is a requirement that a
system performs its intended function in an
effective manner, free from unauthorized
manipulation of the system."
Availability
Availability:
A requirement intended to assure that systems
work promptly and service is not denied to
authorized users.
Confidentiality
Confidentiality:
A requirement that private or confidential
information not be disclosed to
unauthorized individuals.
Network Security
Network security :uses the same basic set of
controls as mainframe security or
PC security.
Example, secure gateways are discussed as a
part of Access Control;
Transmitting authentication data over insecure
networks is discussed as the
Identification and Authentication and the
data communications contracts.
COMMON THREATS
Computer systems are vulnerable to many threats
that can inflict various types of damage resulting in
significant losses. This damage can range from
errors harming database integrity to
fires destroying entire computer centers. Losses can
be, for example, from the actions of
supposedly trusted employees defrauding a system,
from outside hackers, or from careless data entry
clerks.
PHYSICAL AND ENVIRONMENTAL
SECURITY




Physical Access Controls
Fire Safety Factors
Failure of Supporting Utilities
Mobile and Portable Systems
Physical Access Controls
(Theft of Systems or Storage Media)
It restrict the entry and exit of personnel (and
often equipment and media) from an area,
such as an office building, suite, data
center, or a room containing a LAN server.
.
Physical access controls
The controls to the system can include





the electric power service,
the air conditioning and heating
telephone and data lines,
backup media and source documents,
and any other elements required for system's
operation.
Physical access controls
There are many types of physical access controls: including badges,
 memory cards,
 guards,
 keys, fences,and locks.
 Intrusion detectors, such as closed-circuit
 television cameras, motion detectors, and other
devices.
Fire Safety Factors
Building fires are a security threat because
of the destruction of both hardware and data
and the risk to human life.
Fire Safety Factors
Typical Ignition sources are:
 Failures of electric devices and wiring,
 Carelessly discarded cigarettes,
 Improper storage of materials subject to
spontaneous combustion,
 Improper operation of heating devices ..etc.
Fire Safety Factors
Fire resistant buildings
 Put away Fuel Sources.
 Fire Detection devices.
 Fire Extinguishment devices

Failure of Supporting Utilities
This applies to electric power distribution,
Electromagnetic waves or magnetic fields,
water, sewage , humidity, dust, smoke
failures of heating and air-conditioning
systems.
Failure of Supporting Utilities
Operating and security personnel should have
rescue information immediately available for
use in an emergency.
In some cases, it may be possible to relocate
system hardware, particularly distributed LAN
hardware.
Mobile and Portable Systems
Portable and mobile systems share an
increased risk of theft and physical damage.
In addition, portable systems can be
"misplaced" or left unattended by careless
users.
Mobile and Portable Systems
Secure storage of Portable (laptop, backup
media .. etc) computers is often required
when they are not in use.
Depending on the sensitivity of the system and
its application, it may be appropriate to require
signed briefing acknowledgments of users.
Access Control
Access is the ability to do something with a
computer resource. This usually refers to a
technical ability (e.g., read, create, modify, or
delete a file, execute a program, or use an
external connection).

Access Control


Authorization is the permission to use a
computer resource. Permission is granted,
directly or indirectly, by the application or
system owner.
Authentication is proving (to some
reasonable degree) that users are who they
claim to be.
Access Control
Access control often requires that the
system be able to identify and differentiate
among users.
IDENTIFICATION AND AUTHENTICATION
 Identification and authentication (I&A) is the
first line of defense.
 I&A is a technical measure that prevents
unauthorized people (or unauthorized
processes) from entering a computer system.

Access Control
Identification is the means by which a user
provides a claimed identity to the system.


Authentication is the means of establishing
the validity of this claim.
Access Control

There are three means of authenticating a
user's identity which can be used alone or
in combination:
1. Something the individual knows (a secret
e.g., a password, Personal Identification
Number (PIN), or cryptographic key);
Access Control
2. Something the individual possesses (a
token e.g., an ATM card or a smart card);
3. Something the individual is (a biometric
e.g., such characteristics as a voice pattern,
handwriting dynamics, or a fingerprint).
Access Control
Passwords: Benefits of Passwords.
Passwords have been successfully providing
security for computer systems.
 They are integrated into many operating
systems, and users and system
administrators are familiar with them. When
properly managed in a controlled
environment, they can provide effective
security.

Access Control
Problems With Passwords.
1. Guessing or finding passwords.
2. Giving passwords away.
3. Electronic monitoring (When passwords
are transmitted to a computer system).
4. Accessing the password file.

Access Control


Cryptographic Keys
the authentication derived from the
knowledge of a cryptographic key may be
based entirely on something the user knows,
(or have access to) something that can
perform the cryptographic computations,
such as a PC or a smart card.
Access Control



Memory Tokens
Memory tokens store, but do not process,
information. Special reader/writer devices
control the writing and reading of data to and
from the tokens.
The most common type of memory token is a
magnetic striped card.
Access Control


Application of memory tokens for
authentication to computer systems is the
Automatic Teller Machine (ATM) card. This
uses a combination of the user (card) with
the user (PIN).
Memory tokens when used with PINs provide
more security than passwords.
Access Control



Smart Tokens
expands the functionality of a memory token
by incorporating one or more integrated
circuits into the token itself.
A smart token typically requires a user also
to provide something the user knows (i.e., a
PIN or password) in order to "unlock" the
smart token for use.
Access Control
Benefits of Smart Tokens
1.One-time passwords.
2.Reduced risk of forgery.
3.Multi-application.

Access Control

Biometric authentication use the unique
characteristics of an individual to
authenticate that person‘s identity.
These include physiological attributes (such
as fingerprints, hand geometry, or retina
patterns) or behavioral attributes (such as
voice patterns and hand-written signatures).
Access Control


Biometric systems provide an increased
level of security for computer systems.
Imperfections in biometric authentication
devices arise from technical difficulties in
measuring and profiling physical attributes as
well as from the variable nature of physical
attributes.
Access Control

Due to their relatively high cost, biometric
systems are typically used with other
authentication means in environments
requiring high security.
Download