csci5233 computer security & integrity 1 an overview of computer security

26
csci5233 computer securit y & integrity 1 of Computer Security

Upload: claud-booker

Post on 18-Jan-2016

230 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Csci5233 computer security & integrity 1 An Overview of Computer Security

csci5233 computer security & integrity

1

An Overview ofComputer Security

Page 2: Csci5233 computer security & integrity 1 An Overview of Computer Security

csci5233 computer security & integrity

2

Outline Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational Issues Human Issues

Page 3: Csci5233 computer security & integrity 1 An Overview of Computer Security

csci5233 computer security & integrity

3

Status of security in computing

In terms of security, computing is very close to the wild west days.

Some computing professionals & managers do not even recognize the value of the resources they use or control.

In the event of a computing crime, some companies do not investigate or prosecute.

Page 4: Csci5233 computer security & integrity 1 An Overview of Computer Security

csci5233 computer security & integrity

4

Characteristics of Computer Intrusion A computing system: a collection of

hardware, software, data, and people that an organization uses to do computing tasks

Any piece of the computing system can become the target of a computing crime.

The weakest point is the most serious vulnerability.

The principles of easiest penetration

Page 5: Csci5233 computer security & integrity 1 An Overview of Computer Security

csci5233 computer security & integrity

5

Security Breaches- Terminology Exposure

– a form of possible loss or harm Vulnerability

– a weakness in the system Attack Threats

– Human attacks, natural disasters, errors Control – a protective measure Assets – h/w, s/w, data

Page 6: Csci5233 computer security & integrity 1 An Overview of Computer Security

csci5233 computer security & integrity

6

Types of Security Breaches Disclosure: unauthorized access to info

– Snooping Deception: acceptance of false data

– Modification, spoofing, repudiation of origin, denial of receipt

Disruption: prevention of correct operation

– Modification, man-in-the-middle attack

Usurpation: unauthorized control of some part of

the system (usurp: take by force or without right)– Modification, spoofing, delay, denial of service

Page 7: Csci5233 computer security & integrity 1 An Overview of Computer Security

csci5233 computer security & integrity

7

Security Components Confidentiality: The assets are accessible only by

authorized parties.– Keeping data and resources hidden

Integrity: The assets are modified only by authorized parties, and only in authorized ways.– Data integrity (integrity)– Origin integrity (authentication)

Availability: Assets are accessible to authorized parties.– Enabling access to data and resources

Page 8: Csci5233 computer security & integrity 1 An Overview of Computer Security

csci5233 computer security & integrity

8

Computing System Vulnerabilities Hardware vulnerabilities Software vulnerabilities Data vulnerabilities Human vulnerabilities ?

Page 9: Csci5233 computer security & integrity 1 An Overview of Computer Security

csci5233 computer security & integrity

9

Software Vulnerabilities Destroyed (deleted) software Stolen (pirated) software Altered (but still run) software

– Logic bomb– Trojan horse– Virus– Trapdoor– Information leaks

Page 10: Csci5233 computer security & integrity 1 An Overview of Computer Security

csci5233 computer security & integrity

10

Data Security

The principle of adequate protection Storage of encryption keys Software versus hardware methods

Page 11: Csci5233 computer security & integrity 1 An Overview of Computer Security

csci5233 computer security & integrity

11

Other Exposed Assets

Storage media Networks Access Key people

Page 12: Csci5233 computer security & integrity 1 An Overview of Computer Security

csci5233 computer security & integrity

12

People Involved in Computer Crimes

Amateurs Crackers Career Criminals

Page 13: Csci5233 computer security & integrity 1 An Overview of Computer Security

csci5233 computer security & integrity

13

Methods of Defense

Encryption Software controls Hardware controls Policies Physical controls

Page 14: Csci5233 computer security & integrity 1 An Overview of Computer Security

csci5233 computer security & integrity

14

Encryption

at the heart of all security methods Confidentiality of data Some protocols rely on encryption to

ensure availability of resources. Encryption does not solve all computer

security problems.

Page 15: Csci5233 computer security & integrity 1 An Overview of Computer Security

csci5233 computer security & integrity

15

Software controls

Internal program controls OS controls Development controls Software controls are usually the 1st

aspects of computer security that come to mind.

Page 16: Csci5233 computer security & integrity 1 An Overview of Computer Security

csci5233 computer security & integrity

16

Policies and Mechanisms Policy says what is, and is not, allowed

– This defines “security” for the site/system/etc.

Mechanisms enforce policies Mechanisms can be simple but effective

– Example: frequent changes of passwords

Composition of policies– If policies conflict, discrepancies may create

security vulnerabilities

Legal and ethical controls– Gradually evolving and maturing

Page 17: Csci5233 computer security & integrity 1 An Overview of Computer Security

csci5233 computer security & integrity

17

Principle of Effectiveness

Controls must be used to be effective.– Efficient

• Time, memory space, human activity, …

– Easy to use

– appropriate

Page 18: Csci5233 computer security & integrity 1 An Overview of Computer Security

csci5233 computer security & integrity

18

Overlapping Controls

Several different controls may apply to one potential exposure.

H/w control + S/w control + Data control

Page 19: Csci5233 computer security & integrity 1 An Overview of Computer Security

csci5233 computer security & integrity

19

Goals of Security Prevention

– Prevent attackers from violating security policy

Detection– Detect attackers’ violation of security policy

Recovery– Stop attack, assess and repair damage– Continue to function correctly even if attack

succeeds

Page 20: Csci5233 computer security & integrity 1 An Overview of Computer Security

csci5233 computer security & integrity

20

Trust and Assumptions

Underlie all aspects of security Policies

– Unambiguously partition system states– Correctly capture security requirements

Mechanisms– Assumed to enforce policy– Support mechanisms work correctly

Page 21: Csci5233 computer security & integrity 1 An Overview of Computer Security

csci5233 computer security & integrity

21

Types of Mechanisms

secure precise broad

set of reachable states set of secure states

Page 22: Csci5233 computer security & integrity 1 An Overview of Computer Security

csci5233 computer security & integrity

22

Assurance

Specification– Requirements analysis– Statement of desired functionality

Design– How system will meet specification

Implementation– Programs/systems that carry out design

Page 23: Csci5233 computer security & integrity 1 An Overview of Computer Security

csci5233 computer security & integrity

23

Operational Issues

Cost-Benefit Analysis– Is it cheaper to prevent or to recover?

Risk Analysis– Should we protect something?– How much should we protect this thing?

Laws and Customs– Are desired security measures illegal?– Will people do them?

Page 24: Csci5233 computer security & integrity 1 An Overview of Computer Security

csci5233 computer security & integrity

24

Human Issues

Organizational Problems– Power and responsibility– Financial benefits

People problems– Outsiders and insiders– Social engineering

Page 25: Csci5233 computer security & integrity 1 An Overview of Computer Security

csci5233 computer security & integrity

25

Tying Together

Threats

Policy

Specification

Design

Implementation

Operation

Page 26: Csci5233 computer security & integrity 1 An Overview of Computer Security

csci5233 computer security & integrity

26

Key Points Policy defines security, and

mechanisms enforce security– Confidentiality– Integrity– Availability

Trust and knowing assumptions Importance of assurance The human factor