Part 1, INTRODUCTION - FSU Computer Science

Computer Security
Introduction
3/15/2016
1
Basic Components
1. Confidentiality: Concealment of information
(prevent unauthorized disclosure of information).
2. Integrity: Trustworthiness of data/resources
(prevent unauthorized modifications).
• Data integrity
• Origin integrity (authentication)
3. Availability: Ability to use information/resources.
(prevent unauthorized withholding of
information/resources).
Basic Components
Additionally:
Authenticity, accountability, reliability, safety,
dependability, survivability . . .
Confidentiality
Historically, security is closely linked to secrecy.
Security involved a few organizations dealing mainly
with classified data.
However, nowadays security extends far beyond
confidentiality.
Confidentiality involves:
• privacy: protection of private data,
• secrecy: protection of organizational data.
Integrity
“Making sure that everything is as it is supposed to be.”
For Computer Security this means:
Preventing unauthorized writing or modifications.
Availability
For Computer Systems this means that:
Services are accessible and usable (without undue
delay) whenever needed by an authorized entity.
For this we need fault-tolerance.
Faults may be accidental or malicious (Byzantine).
Denial of Service attacks are an example of malicious
attacks.
Relationship between Confidentiality, Integrity and Availability
[Figure: diagram with regions labelled Confidentiality, Integrity and Availability, and a region labelled Secure]
Other security requirements
• Reliability – deals with accidental damage,
• Safety – deals with the impact of system failure caused by the
environment,
• Dependability – reliance can be justifiably placed on the system,
• Survivability – deals with the recovery of the system after
massive failure.
• Accountability – actions affecting security must be traceable
to the responsible party. For this,
– Audit information must be kept and protected,
– Access control is needed.
Basic Components
Threats – potential violations of security
Attacks – violations
Attackers – those who execute the violations
Threats
• Disclosure or unauthorized access
• Deception or acceptance of falsified data
• Disruption or interruption or prevention
• Usurpation or unauthorized control
More threats
• Snooping (unauthorized interception)
• Modification or alteration
– Active wiretapping
– Man-in-the-middle attacks
• Masquerading or spoofing
• Repudiation of origin
• Denial of receipt
• Delay
• Denial of Service
Policy and Mechanisms
1. A security policy is a statement of what is / is not
allowed.
2. A security mechanism is a method or tool that
enforces a security policy.
Assumptions of trust
Let
• P be the set of all possible states of a system
• Q be the set of secure states
A mechanism is secure if P ⊆ Q
A mechanism is precise if P = Q
A mechanism is broad if there are states in P which
are not in Q
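An added example, not part of the original slides, that applies the secure / precise / broad definitions above to a small model. It assumes P is read as the set of states the system can reach with the mechanism in place; the salary-database rights model, the policy and the three mechanisms (all names hypothetical) are constructed for illustration.

```python
from itertools import product

USERS, RIGHTS = ("alice", "bob"), ("read", "write")
PAIRS = tuple(product(USERS, RIGHTS))  # constructed model: rights on one salary database

def policy(state):
    """Constructed policy: bob must never hold write access."""
    return ("bob", "write") not in state

def secure_states():
    """Q: every conceivable state (any subset of PAIRS) that satisfies the policy."""
    states = (frozenset(p for i, p in enumerate(PAIRS) if mask >> i & 1)
              for mask in range(2 ** len(PAIRS)))
    return {s for s in states if policy(s)}

def reachable(mechanism, start=frozenset()):
    """P (assumed reading): states reachable from `start` when a grant/revoke
    request is applied only if mechanism(state, op, pair) permits it."""
    seen, todo = {start}, [start]
    while todo:
        s = todo.pop()
        for pair in PAIRS:
            for op, nxt in (("grant", s | {pair}), ("revoke", s - {pair})):
                if nxt not in seen and mechanism(s, op, pair):
                    seen.add(nxt)
                    todo.append(nxt)
    return seen

def classify(mechanism):
    """Apply the slide's definitions to one mechanism."""
    P, Q = reachable(mechanism), secure_states()
    if P == Q:
        return "precise"
    if P <= Q:            # Python's subset test on sets
        return "secure"
    return "broad"        # some reachable state violates the policy

# Three constructed mechanisms (hypothetical names), from laxest to strictest.
def no_checks(state, op, pair):
    return True

def block_bob_write(state, op, pair):
    return not (op == "grant" and pair == ("bob", "write"))

def block_bob_entirely(state, op, pair):
    return not (op == "grant" and pair[0] == "bob")

if __name__ == "__main__":
    for m in (no_checks, block_bob_write, block_bob_entirely):
        print(f"{m.__name__:20} -> {classify(m)}")
```

block_bob_entirely is secure but not precise: it also rules out states the policy would allow, such as bob reading the database.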
Assurance
Trust cannot be quantified precisely.
System specifications, design and implementation can
provide a basis for how much one can trust a system.
This is called assurance.
Goals of Computer Security
Security is about protecting assets.
This involves:
• Prevention
• Detection
• Reaction (recover/restore assets)
Computer Security
How to achieve Computer Security:
1. Security principles/concepts: explore general
principles/concepts that can be used as a guide to design
secure information processing systems.
2. Security mechanisms: explore some of the security
mechanisms that can be used to secure information
processing systems.
3. Physical/Organizational security: consider physical &
organizational security measures (policies)
Computer Security
Even at this general level there is disagreement on
the precise definitions of some of the required security
aspects.
References:
• Orange book – US Dept of Defense, Trusted Computer
System Evaluation Criteria.
• ITSEC – European Trusted Computer System Product Criteria.
• CTCPEC – Canadian Trusted Computer System Product
Criteria
Fundamental Dilemma: Functionality or Assurance
• Security mechanisms need additional computational
• Security policies interfere with working patterns, and
can be very inconvenient.
• Managing security requires additional effort and
costs.
• Ideally there should be a tradeoff.
Operational issues
– Cost-benefit analysis
• Example: a database with salary info, which is used by a
second system to print pay checks
– Risk analysis
• Environmental dependence
• Time dependence
• Remote risk
Laws and Customs
• Export controls
• Laws of multiple jurisdictions
• Human issues
– Organizational problems (who is responsible for what)
– People problems (outsiders/insiders)
Tying it all together: how ????