An Overview of
Computer Security
computer security
1
Outline
Components of computer security
 Threats
 Policies and mechanisms
 The role of trust
 Assurance
 Operational Issues
 Human Issues

computer security
2
Status of security in computing
(in early 2000s)



In terms of security, computing is very close to
the wild west days.
Some computing professionals & managers do
not even recognize the value of the resources
they use or control.
In the event of a computing crime, some
companies do not investigate or prosecute.
Has the status changed for the
better?
computer security
3
Characteristics of Computer
Intrusion

A computing system: a collection of
hardware, software, data, and people that an
organization uses to do computing tasks
 Any piece of the computing system can
become the target of a computing crime.
 The weakest point is the most serious
vulnerability.
 The principles of easiest penetration
computer security
4
Security Breaches
- Terminology

Exposure
– a form of possible loss or harm

Vulnerability
– a weakness in the system

Attack
 Threats
– Human attacks, natural disasters, errors
 Control – a protective measure

Assets – h/w, s/w, data
computer security
5
Types of Security Breaches

Disclosure: unauthorized access to info
– Snooping

Deception: acceptance of false data
– Modification, spoofing, repudiation of origin, denial
of receipt

Disruption: prevention of correct operation
– Modification, man-in-the-middle attack

Usurpation: unauthorized control of some part of
the system (usurp: take by force or without right)
– Modification, spoofing, delay, denial of service
computer security
6
Security Components

Confidentiality: The assets are accessible only
by authorized parties.
– Keeping data and resources hidden

Integrity: The assets are modified only by
authorized parties, and only in authorized ways.
– Data integrity (integrity)
– Origin integrity (authentication)

Availability: Assets are accessible to authorized
parties.
– Enabling access to data and resources
computer security
7
Computing System
Vulnerabilities
Hardware vulnerabilities
 Software vulnerabilities
 Data vulnerabilities
 Human vulnerabilities ?

computer security
8
Software Vulnerabilities
Destroyed (deleted) software
 Stolen (pirated) software
 Altered (but still run) software

– Logic bomb
– Trojan horse
– Virus
– Trapdoor
– Information leaks
computer security
9
Data Security
The principle of adequate protection
 Storage of encryption keys
 Software versus hardware methods

computer security
10
Other Exposed Assets
Storage media
 Networks
 Access
 Key people

computer security
11
People Involved in Computer
Crimes
Amateurs
 Crackers
 Career Criminals

computer security
12
Methods of Defense
Encryption
 Software controls
 Hardware controls
 Policies
 Physical controls

computer security
13
Encryption
at the heart of all security methods
 Confidentiality of data
 Some protocols rely on encryption to
ensure availability of resources.
 Encryption does not solve all computer
security problems.

computer security
14
Software controls
Internal program controls
 OS controls
 Development controls
 Software controls are usually the 1st
aspects of computer security that come
to mind.

computer security
15
Policies and Mechanisms

Policy says what is, and is not, allowed
– This defines “security” for the site/system/etc.

Mechanisms enforce policies
 Mechanisms can be simple but effective
– Example: frequent changes of passwords

Composition of policies
– If policies conflict, discrepancies may create
security vulnerabilities

Legal and ethical controls
– Gradually evolving and maturing
computer security
16
Principle of Effectiveness

Controls must be used to be effective.
– Efficient
• Time, memory space, human activity, …
– Easy to use
– appropriate
computer security
17
Overlapping Controls

Several different controls may apply to
one potential exposure.
H/w control + S/w control + Data control
computer security
18
Goals of Security

Prevention
– Prevent attackers from violating security
policy

Detection
– Detect attackers’ violation of security policy

Recovery
– Stop attack, assess and repair damage
– Continue to function correctly even if attack
succeeds
computer security
19
Trust and Assumptions
Underlie all aspects of security
 Trust and verify vs Verify before trust?
 Policies

– Unambiguously partition system states
– Correctly capture security requirements

Mechanisms
– Assumed to enforce policy
– Support mechanisms work correctly
computer security
20
Types of Mechanisms
secure
precise
set of reachable states
computer security
broad
set of secure states
21
Assurance

Specification
– Requirements analysis
– Statement of desired functionality

Design
– How system will meet specification

Implementation
– Programs/systems that carry out design
computer security
22
Operational Issues

Cost-Benefit Analysis
– Is it cheaper to prevent or to recover?

Risk Analysis
– Should we protect something?
– How much should we protect this thing?

Laws and Customs
– Are desired security measures illegal?
– Will people do them?
computer security
23
Human Issues

Organizational Problems
– Power and responsibility
– Financial benefits

People problems
– Outsiders and insiders
– Social engineering
“The methods that will most effectively minimize the ability of intruders to compromise
information security are comprehensive user training and education. Enacting policies and
procedures simply won't suffice. Even with oversight the policies and procedures may not be
effective: my access to Motorola, Nokia, ATT, Sun depended upon the willingness of
people to bypass policies and procedures that were in place for years before I
compromised them successfully.” — Kevin Mitnick
computer security
24
Tying Together
Threats
Policy
Specification
Design
Implementation
Operation
computer security
25
Key Points

Policy defines security, and
mechanisms enforce security
– Confidentiality
– Integrity
– Availability
Trust and knowing assumptions
 Importance of assurance
 The human factor

computer security
26