
Uploaded by: caren-whitehead

Posted on 12-Jan-2016


Page 1

Computer Security

“Measures and controls that ensure confidentiality, integrity, and availability of IS assets including hardware, software, firmware, and information being processed, stored, and communicated.” -- National Information System Security Glossary (NSTISSC)

Confidentiality: What access is possible?
• privacy
• secrecy
• confidentiality of content or existence

Availability: Is the resource ...
• present?
• accessible in a timely fashion?
• usable?

Integrity: Is the resource correct?
• accurate
• unmodified
• consistent
• meaningful

Authenticity: Is it owned/created/transmitted by a trusted source? (integrity of the origin)

Page 2

Terminology

Computer System - computer hardware and software, including storage media and its associated data, network connectivity, operating system and application software

Vulnerability - a weakness in the security of a computer system

Threat - a potential harm to computer security

Attack - an attempt to exploit a security vulnerability

Security aspect and the threat against it:
• confidentiality - interception (snooping)
• availability - interruption (denial of service)
• integrity - modification
• authenticity - fabrication (spoofing)

Page 3

Vulnerabilities

For each scenario below: what type of vulnerability is involved? (authenticity, availability, confidentiality, or integrity)

• An email server crashes as the result of excessive spam.

• A loan company’s program rounds fees up to the nearest cent and adds all remaining fractions to the programmer’s weekly salary.

• A CS101 student “borrows” a copy of a preliminary version of the final exam from a university dumpster.

• Using a stolen password, a student alters prior course grades in the university record.

• The download of a compiler requires four hours because the campus Internet connection is swamped with mp3 downloads.

• A computer programmer modifies the company payroll program so that it crashes when that programmer no longer appears in the employee database.

• The transmission line from an ATM to its associated bank is wiretapped and an intercepted message is retransmitted.

• A flood destroys the disk drive containing all of a company’s accounting records.

Page 4

Hardware Vulnerabilities

Page 5

Security Defenses

• PREVENT
• DETER
• DEFLECT
• DETECT
• RECOVER

Is it worth the cost?

The “lightning rod” solution.

Why back up data?

Page 6

Defense - Controls

Hardware Controls (examine vulnerabilities)

Page 7

Trust

• We trust that our security policies are sufficient.

• We trust in our security procedures:
⇒ trust that each procedure contributes to policy
⇒ trust that, collectively, our procedures accomplish our policies
⇒ trust that our procedures are correctly implemented
⇒ trust that our procedures are properly installed and implemented

• We have X% trust in the integrity of our data.

• We trust the authenticity of the source of some software/data download.

• We trust that confidentiality has been maintained for important email.

• We trust that key computing resources will be available when needed.

Page 8

Risk Management

Risk - “Possibility that a particular threat will adversely impact an IS by exploiting a particular vulnerability.” -- National Information System Security Glossary (NSTISSC)

Risk Management - “The total process to identify, control, and manage the impact of uncertain harmful events, commensurate with the value of the protected assets.” -- National Information System Security Glossary (NSTISSC)