system security

System security, 2013 Slide 1

System security

System security, 2013 Slide 2

Security• The security of a system is a

system property that reflects the system’s ability to protect itself from accidental or deliberate external attack.

System security, 2013 Slide 3

Principal dependability properties

System security, 2013 Slide 4

• Security is essential as most systems are networked so that external access to the system through the Internet is possible.

• Security is a pre-condition for availability, reliability and safety.

System security, 2013 Slide 5

Damage from insecurity

• Denial of service– The system is forced into a state

where normal services are unavailable or where service provision is significantly degraded

System security, 2013 Slide 6

• Corruption of programs or data– The programs or data in the system

may be modified in an unauthorised way

System security, 2013 Slide 7

• Disclosure of confidential information– Information that is managed by the

system may be exposed to people who are not authorised to read or use that information

System security, 2013 Slide 8

• Asset– Something, such as a computer

system, that needs to be protected

– Example: The records of patients receiving treatment in a hospital

System security, 2013 Slide 9

• Exposure– Possible loss or harm that could result from a

security failure

– Potential financial loss from future patients who do not seek treatment because they do not trust the clinic to maintain their data. Financial loss from legal action by patients. Loss of reputation.

System security, 2013 Slide 10

• Vulnerability– A weakness in a system that may be

exploited to cause loss or harm

– A weak password system which makes it easy for users to set guessable passwords

System security, 2013 Slide 11

• Attack– An exploitation of a system’s vulnerability

that is a deliberate attempt to cause some damage

– An impersonation of an authorized user to gain access to records system

System security, 2013 Slide 12

• Threat– A system vulnerability that is

subjected to an attack.

– An unauthorized user will gain access to the system by guessing the credentials (login name and password) of an authorized user.

System security, 2013 Slide 13

• Control– A protective measure that reduces a

system’s vulnerability.

– A password checking system that disallows user passwords that are proper names or words that are normally included in a dictionary.

System security, 2013 Slide 14

Security assurance• Vulnerability avoidance

– The system is designed so that vulnerabilities do not occur. For example, if there is no external network connection then external attack is impossible

System security, 2013 Slide 15

• Attack detection and elimination– The system is designed so that

attacks on vulnerabilities are detected and neutralised before they result in an exposure. For example, virus checkers find and remove viruses before they infect a system

System security, 2013 Slide 16

• Exposure limitation and recovery– The system is designed so that the

adverse consequences of a successful attack are minimised. For example, a backup policy allows damaged information to be restored

System security, 2013 Slide 17

Summary• Security is a system property that reflects the

system’s ability to protect itself from malicious use

• A system has to be secure if we are to be confident in its dependability

• Damage includes– Denial of service

– Loss or corruption of data

– Disclosure of confidential information

System security, 2013 Slide 18

Summary• Security can be maintained through strategies

such as– Vulnerability avoidance

– Attack detection and elimination

– Exposure limitation and recovery