CPSC 6126 Computer
Security
Information Assurance
Is there a Security Problem in
Computing?
Risks involved in computing
 Goals of secure computing:
confidentiality, integrity, availability
 Threats to security in computing:
interception, interruption,
modification, fabrication
 Controls: encryption, programming
controls, operating systems, network
controls, administrative controls, law,
ethics

What does “Secure” mean?
Protecting computer-related assets
 Information Systems

• H’ware
• S’ware
• Data
• People (& procedures)
Computer Security
 Information Assurance

What does “Secure” mean?

Control Risk of Computer Security
• Learn about threats to computer security
• Understand what causes these threats by
studying how vulnerabilities arise in the
development and use of computer systems.
• Survey controls that can reduce or block
these threats.
• Develop computing style that balances
security and risk.

Principle of Easiest Penetration
• “An intruder must be expected to use any
available means of penetration. The
penetration may not necessarily be by the
most obvious means, nor is it necessarily
the one against which the most solid
defense has been installed.”
1.2 Attacks (threats,
vulnerabilities and controls)
Vulnerability – weakness in the
security system that might be
exploited to cause loss or harm.
 Threat – set of circumstances that
has the potential to cause loss or
harm.
 Control – protective measure that
removes or reduces the vulnerability
 A threat is blocked by control of a
vulnerability

1.2 Attacks (threats,
vulnerabilities and controls)

Threats
• Interception : unauthorized party has
gained access to an asset
• Interruption : asset becomes lost,
unavailable, or unusable
• Modification : asset is tampered with
• Fabrication : counterfeit objects are
added to the asset
1.2 Attacks (method,
opportunity, and motive)
Method – the skills, knowledge,
tools, and other things with which to
be able to pull off the attack
 Opportunity – the time and access to
accomplish the attack
 Motive – a reason to want to perform
this attack against this system

1.3 The Meaning of Computer
Security

Security Goals
• Confidentiality (secrecy, privacy) :
ensure that assets are accessed only by
authorized parties.
• Integrity : assets can be modified only
by authorized parties in authorized
ways.
• Availability : assets are accessible to
authorized parties at appropriate times
(opposite of denial of service)
1.3 The Meaning of Computer Security

Vulnerabilities
• Hardware

Interruption (denial of service), modification,
interception (theft), fabrication (substitution)
• Software

Interruption (deletion), modification, interception
(theft), fabrication
• Data


Interruption (loss), modification, interception,
fabrication
Principle of Adequate Protection:
Computer items must be protected only
until they lose their value. They must
be protected to a degree consistent
with their value.
1.3 The Meaning of Computer Security

Other Exposed Assets
• Networks
• Access
• Key People
1.4 Computer Criminals
Computer Crime – any crime
involving a computer or aided by the
use of one
 Amateurs
 Crackers (NOT hackers)
 Career Criminals

1.5 Methods of Defense
Harm occurs when a threat is
realized against a vulnerability
 Need to neutralize the threat or
close the vulnerability

• Prevent it by blocking the attack or
closing the vulnerability
• Deter it by making the the attack
harder
• Deflect it by making this target less
attractive
• Detect it (as it happens or after the
fact)
• Recover from its effects
1.5 Methods of Defense







Controls
Multi-pronged approach
Encryption
Software controls (internal program
controls, independent control programs,
operating systems and network system
controls, development controls)
Hardware controls
Policies and Procedures
Physical controls
1.5 Methods of Defense

Effectiveness of Controls
• Awareness of problem
• Likelihood of Use

Principle of Effectiveness – Controls
must be used-and used properly- to be
effective. They must be efficient, easy to
use, and appropriate.
• Overlapping controls
• Periodic Review

Principle of Weakest Link – Security
can be no stronger than its weakest link.