Computer Security
Computer Security: “Measures and controls that ensure confidentiality, integrity, and availability of IS assets including hardware, software, firmware, and information being processed, stored, and communicated.” -- National Information System Security Glossary (NSTISSC)
Confidentiality - What access is possible?
• privacy
• secrecy
• confidentiality of content or existence
Availability - Is the resource ... present? ... accessible in a timely fashion? ... usable?
Integrity - Is the resource correct?
• accurate
• unmodified
• consistent
• meaningful
Authenticity - Is it owned/created/transmitted by a trusted source? (integrity of the origin)
Terminology
Computer System - computer hardware and software, including storage media and its associated data, network connectivity, operating system and application software
Vulnerability - a weakness in the security of a computer system
Threat - a potential harm to computer security
Attack - an attempt to exploit a security vulnerability
Security Aspect    Threat
confidentiality    interception (snooping)
availability       interruption (denial of service)
integrity          modification
authenticity       fabrication (spoofing)
Vulnerabilities
Type of vulnerability? (authenticity, availability, confidentiality, or integrity)
• An email server crashes as the result of excessive spam.
• A loan company’s program rounds fees up to the nearest cent and adds all remaining fractions to the programmer’s weekly salary.
• A CS101 student “borrows” a copy of a preliminary version of the final exam from a university dumpster.
• Using a stolen password, a student alters prior course grades in the university record.
• The download of a compiler requires four hours because the campus Internet connection is swamped with mp3 downloads.
• A computer programmer modifies the company payroll program so that it crashes when that programmer no longer appears in the employee database.
• The transmission line from an ATM to its associated bank is wiretapped and an intercepted message is retransmitted.
• A flood destroys the disk drive containing all of a company’s accounting records.
Hardware Vulnerabilities
Security Defenses
PREVENT
DETER
DEFLECT
DETECT
RECOVER
Is it worth the cost?
The “lightning rod” solution.
Why back up data?
Hardware Controls (examine vulnerabilities)
Defense - Controls
Trust
• We trust that our security policies are sufficient.
• We trust in our security procedures:
  ⇒ trust that each procedure contributes to policy
  ⇒ trust that, collectively, our procedures accomplish our policies
  ⇒ trust that our procedures are correctly implemented
  ⇒ trust that our procedures are properly installed and implemented
• We have X% trust in the integrity of our data.
• We trust the authenticity of the source of some software/data download.
• We trust that confidentiality has been maintained for important email.
• We trust that key computing resources will be available when needed.
Risk Management
Risk: “Possibility that a particular threat will adversely impact an IS by exploiting a particular vulnerability.” -- National Information System Security Glossary (NSTISSC)
Risk Management: “The total process to identify, control, and manage the impact of uncertain harmful events, commensurate with the value of the protected assets.” -- National Information System Security Glossary (NSTISSC)