Computer security introduction l.jpg
This presentation is the property of its rightful owner.
Sponsored Links
1 / 32

Computer Security Introduction PowerPoint PPT Presentation


Computer Security Introduction. Introduction. What is the goal of Computer Security? A first definition: To prevent or detect unauthorized actions by users of the system. Introduction. How do we achieve Computer Security:

Download Presentation

Computer Security Introduction

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Computer security introduction l.jpg

Computer SecurityIntroduction


Introduction l.jpg

Introduction

What is the goal of Computer Security?

A first definition:

To prevent or detect unauthorized actions by users

of the system.


Introduction3 l.jpg

Introduction

How do we achieve Computer Security:

  • Security principles/concepts: explore general principles/concepts that can be used as a guide to design secure information processing systems.

  • Security mechanisms: explore some of the security mechanisms that can be used to secure information processing systems.

  • Physical/Organizational security: consider physical & organizational security measures (policies)


Security l.jpg

Security

Security is about protecting assets.

This involves:

  • Prevention

  • Detection

  • Reaction (recover/restore assets)


Computer security l.jpg

Computer Security

  • Confidentiality: prevent unauthorized disclosure of information.

  • Integrity: prevent unauthorized modification of information.

  • Availability: prevent unauthorized withholding of information.

    Additionally:

    Authenticity, accountability, reliability, safety,

    dependability, survivability . . .


Computer security6 l.jpg

Computer Security

Even at this general level there is disagreement on

the precise definitions of some of the required security

aspects.

References:

  • TCSEC or Orange book – US Dept of Defense, Trusted Computer System Evaluation Criteria.

  • ITSEC– European Trusted Computer System Product Criteria.

  • CTCPEC – Canadian Trusted Computer System Product Criteria


Confidentiality l.jpg

Confidentiality

Historically, security is closely linked to secrecy.

Security involved a few organizations dealing mainly

with classified data.

However, nowadays security extends far beyond

confidentiality.

Confidentiality involves:

  • privacy: protection of private data,

  • secrecy: protection of organizational data.


Integrity l.jpg

Integrity

“Making sure that everything is as it is supposed to be.”

For Computer Security this means:

Preventing unauthorized writing or modifications.


Availability l.jpg

Availability

For Computer Systems this means that:

Services are accessible and useable (without undue

Delay) whenever needed by an authorized entity.

For this we need fault-tolerance.

Faults may be accidental or malicious (Byzantine).

Denial of Service attacks are an example of malicious

attacks.


Relationship between confidentiality integrity and availability l.jpg

Relationship between Confidentiality Integrity and Availability

Confidentiality

Integrity

Secure

Availability


Accountability l.jpg

Accountability

Actions affecting security must be traceable

to the responsible party.

For this,

  • Audit information must be kept and protected,

  • Access control is needed.


Other security requirements l.jpg

Other security requirements

  • Reliability – deals with accidental damage,

  • Safety – deals with the impact of the environment on system failure

  • Dependability – reliance can be justifiably placed on the system

  • Survivability – deals with the recovery of the system after massive failure.


Computer security13 l.jpg

Computer Security

If I must give a definition…. (again)

Computer Security deals with the prevention and

detection of unauthorized actions by users of the

System.


Fundamental dilemma of computer security l.jpg

Fundamental dilemma of Computer Security

Functionality or Assurance: which one?

  • Security mechanisms need additional computational resources.

  • Security policies interfere with working patterns, and can be very inconvenient.

  • Managing security requires additional effort and costs.

  • Ideally there should be a tradeoff.


Principles of computer security fundamental design parameters l.jpg

Principles of Computer Security-- fundamental design parameters

Application Software

|

|

User ---------------------------|--------------------Resource

(subject) | (object)

|

Hardware

The dimensions of Computer Security


Principles of computer security l.jpg

Principles of Computer Security

Integrity = compliance with a given set of rules.

Rules:

  • Internal consistency of data items

  • Authorized operations on data items

  • Access control


1 st design decision l.jpg

1st Design decision

Should protection focus on data, operations

or users?


Layers of an it system l.jpg

Layers of an IT system

  • Application – users run application programs tailored to meet specific requirements

  • Services – application programs make use of services provided by a software packages like a Database Management System (DBMS) or an Object Reference Broker (ORB).

  • OS – The software packages run on top of the OS which controls access to resources

  • OS kernel – the OS may have a kernel that mediates every access to the processor or memory

  • Hardware – (processor & memory) physically stores and manipulates data.


2 nd design decision l.jpg

2nd Design decision

In which layer should security be placed?


The onion model of protection mechanisms l.jpg

The onion model of protection mechanisms

Application

Services

OS

OS Kernel

Hardware


Complexity vs assurance l.jpg

Complexity vs Assurance

3rd Design decision

Should security focus on simplicity or security?


Centralized vs decentralized l.jpg

Centralized vs Decentralized

4th Design decision

Should security control tasks be given to a central entity of left to individual components?


The layer below l.jpg

The layer below

Physical and organizational security mechanisms

define a security perimeter or boundary.

Attackers may try to bypass this boundary.

Computer Security

Physical and organizational security measures protection boundary


The layer below24 l.jpg

The layer below

Access to the layer below is controlled through

physical and organizational security measures.

  • Parts of the system that can malfunction without compromising the protection mechanisms lie beyond the perimeter.

  • Parts that can be used to disable the protection mechanisms lie within the perimeter.


5th design decision l.jpg

5th Design decision

How to prevent the attacker from accessing the layer below the protection boundary?


Vulnerabilities l.jpg

Vulnerabilities

  • Hardware: Interruption (DOS), Modification, Interception (Theft), Fabrication (Substitution)

  • Software: Interruption (Deletion), Modification, Interception, Fabrication

  • Data: Interruption (Loss), Modification, Interception, Fabrication


Hardware l.jpg

Hardware

Hardware is more visible, so it is more easy to

add/remove/change devices, intercept traffic, flood

with traffic and generally control their functionality.

Attacks: physical damage


Software l.jpg

Software

  • Interruption (Deletion):surprisingly easy!

  • Modification:

    • Logic bombs –failure when certain conditions are met)

    • Trojan horses –a program that overtly does one thing while covertly does another

    • Viruses –a specific Trojan horse that can be used to spread its “infection”.

    • Trapdoors –a program that has a specific entry point

    • Information leaks in programs –code that makes information accessible to unauthorized users

  • Interception (Theft): unauthorized copying


Slide29 l.jpg

Data

Hardware security is usually the concern of a relatively

small number of staff. Software extends to programmers

and analysts who create an modify programs.

However data can be readily interpreted by the general

public.

Because of its visibility data attacks are much more

widespread.


Slide30 l.jpg

Data

  • Data Confidentiality: wiretapping, planting bugs, sifting though trash receptacles, monitoring electromagnetic radiation, bribing, inferring, requesting …

  • Data Integrity: a higher level of sophistication is needed.

    • Salami attacks –shave off a little from many accounts to form a valuable result

    • Replay attacks


Computer criminals l.jpg

Computer Criminals

  • Amateurs

    • Normal people who observe a weakness in a security system

    • Disgruntled over some negative work situation

    • Have committed most of computer crimes to date

  • Crackers

    • Often high school or university students: cracking is seen as the ultimate victimless crime

    • Attack for curiosity, self-satisfaction and personal gain

    • No common profile or motivation


Computer criminals32 l.jpg

Computer Criminals

  • Career criminals

    • Understand the targets of computer crime

    • Usually begin as computer professionals who later engage in computer crime finding the prospects and payoff good.

    • Electronic spies and information brokers who recognize

    • That trading in companies secrets can be lucrative.


  • Login