1 / 66

Computer Security

Computer Security. The expression computer security often conjures up notions that are related to: reliability availability safety integrity confidentiality privacy. . Defining Computer Security.

havyn
Download Presentation

Computer Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Computer Security • The expression computer security often conjures up notions that are related to: • reliability • availability • safety • integrity • confidentiality • privacy.

  2. Defining Computer Security • As applied to cybertechnology, security can be thought of in terms of various measures designed to protect against: • (i) unauthorized access to computer systems • (ii) alteration of data that resides in and is transmitted between computer systems • (iii) disruption, vandalism, and sabotage of computers systems and networks.

  3. Defining Computer Security (continued) • Garfinkel and Spafford (1996) suggest that a computer is secure • "if you can depend on it and its software behaves as you expect."   • According to this definition, at least two conditions must be satisfied: • (a) you can depend on your computer (i.e., it is reliable and available) • (b) your computer system's software does what it is supposed to do.

  4. Defining Computer Security (continued) • Kizza (1998) argues that computer security involves three elements: • Confidentiality; • Integrity; • Availability. • Confidentiality focuses on protecting against un- authorized disclosure of information to third parties. • Integrity can be understood aspreventing unauthorized modification of files. • Availability means preventing unauthorized withholding of information from those who need it when they need it.

  5. Computer Security and Computer Crime • Computer security issues often overlap with issues analyzed under the topic of computer crime. • Virtually every violation of security involving cybertechnology is also criminal in nature. • But not every instance of crime in cyberspace necessarily involves a breach or violation of security.

  6. Computer Security Issues as Distinct from Computer Crime • Some computer-related crimes have no direct implications for computer security. • An individual can use a personal computer to: • Make unauthorized copies of software programs; • Stalk a victim in cyberspace; • Elicit sex with young children; • Distribute child pornography; • Engage in illegal gambling activities. • None of these kinds of crimes are a direct result of insecure computer systems.

  7. Security as Related to Privacy • Cyber-related issues involving privacy and security often overlap. • Some important distinctions can be drawn. • Privacy concerns often arise because on-line users are concerned about losing control over ways in which personal information about them can be accessed by organizations (especially by businesses and government agencies). • Many of these organizations claim to have some legitimate need for that personal information in order to make important decisions.

  8. Security as Related to Privacy (continued) • Cyber-related security concerns (unlike those of privacy) typically arise because of either: • Fears that many individuals and organizations have that their data could be accessed by those who have no legitimate need for, or right to, such information. • Worries that personal data or proprietary information, or both, could be retrieved and possibly altered by individuals and organizations who are not authorized to access that data.

  9. Security as Related to Privacy (continued) • Privacy and security concerns can be thought of as two sides of a single coin, where each side complements and completes the other. • Many people wish to control who has information about them, and how that information is accessed by others. • Securing personal information stored in computer databases is an important element in helping individuals to achieve and maintain their privacy. • The objectives of privacy would seem compatible with, and even complementary to, security.

  10. Security as Related to Privacy (continued) • Sometimes the objectives of privacy and security seem to be at odds with each other. • i.e., a tension exists between these two notions. • When cyberethics issues are examined from the perspective of security, the goal of protecting personal autonomy is not given the same importance as it is when those issues are analyzed from the vantage-point of privacy.

  11. Security as Related to Privacy (continued) • When examined from the perspective of security rather than privacy: • (a) the protection of system resources and proprietary data are generally considered more critical; • (b) those issues will receive a higher priority than protecting the privacy and anonymity of individual users of a computer system.

  12. How Do Security Issues Raise Ethical Concerns? • To realize autonomy, individuals need to be able to have some control over how information about them is gathered and used. • Computer security can help users realize this goal. • Personal privacy also requires that certain kinds of information stored in electronic databases be kept confidential. • Secure computers are needed to ensure this.

  13. Two Distinct Aspects of Computer Security • The expression “computer security" is sometimes used ambiguously. • In one sense, "computer security" refers to concerns related to a computer system's vulnerability to attacks involving system hardware and software resources from "malicious programs" (viruses and worms). • This aspect of computer security can be referred to as system security.

  14. Two Senses of “Security” • Another sense of "computer security" is concerned with vulnerability to unauthorized access of data. • The data can be either: • (a)resident in one or more disk drives or databases in a computer system; • (b)transmitted between two or more computer systems. •  We call this “data security.”

  15. Figure 6-1 Computer Security System Security Data Security Resident Data Transmitted Data

  16. System Security • Examples of malicious programs that disrupted system security: • Internet Worm (1988) • ILOVEYOU Virus (2001) • Code Red Worm (2002) • Blaster virus (2004)

  17. System Security (Continued) • Richard Power (2000) differentiates between a virus and a worm in the following way. • A virus is a "program that can 'infect' other programs by modifying them to include a possibly evolved copy of itself." • A worm is an "independent program that replicates from machine to machine across network connections often clogging networks and information systems as it spreads."

  18. Data Security: Protecting Information Integrity • Spinello (2000) notes that information integrity requires that: …proprietary or sensitive information under one's custodial care is kept confidential and secure, that information being transmitted is not altered in form or content and cannot be read by unauthorized parties, and that all information being disseminated or otherwise made accessible through Web sites and on-line data repositories is as accessible and reliable as possible. [Italics Added]

  19. Computer Security and Computer Hackers • Levy (1984) describes the “Hacker Ethic” as a system comprising the following beliefs: • (i)Access to computers should be unlimited and total. • (ii)All information should be free. • (iii)Mistrust Authority - Promote Decentralization. • (iv)Hackers should be judged by their hacking, not bogus criteria such as degrees, age, race, or position. • (v)You can create art and beauty on a computer. • (vi)Computers can change life for the better.

  20. Hacking Activities • Hacking activities in cyberspace embrace three principles: • (1) Information should be free; • (2) Hackers provide society with a useful and important service; • (3) Activities in cyberspace are virtual in nature and thus do not harm real people in the real (physical) world. 

  21. “Information Wants to Be Free” • This view is regarded by critics as idealistic or romantic. • According to Spafford (1992), it is also naïve. • Spafford points out that if information were free, privacy would not be possible because we would not be able to control how infor- mation about them was collected and used. • Also, it would not be possible to ensure integrity and accuracy of that information since information that was freely available.

  22. Do Hackers Really Provide an Important Service? • Spafford (1992) provides counterexamples to this version of the hacker argument • Spafford asks whether we would permit someone to start a fire in a crowded shopping mall in order to expose the fact that the mall's sprinkler system was not adequate. • Would you be willing to thank a burglar who successfully broke into your house? • e.g., would you thank a burglar who shows that your home security system was inadequate?

  23. Does Hacking Causes Only Virtual Harm, Not Real Harm? • Some argue that break-ins and vandalism in cyberspace cause no real harm to persons because they are activities that occur only in the virtual realm. • This argument commits a logical fallacy by confusing the connection between the real and the virtual regarding harm by reasoning: • The virtual world in not the real (physical) world; so any harms that occur in the virtual world are not real harms. (James Moor calls this the Virtuality Fallacy.)

  24. Can Computer Break-ins Ever Be Ethically Justified? • Spafford (1992) believes that in certain extreme cases, breaking into a com- puter could be the "right thing to do." • e.g., breaking into a computer to get medical records to save one’s life. • He also argues that computer break-ins always cause harm; and from this point, he infers that hacker break-ins are never ethically justifiable.

  25. Cyberterrorism • Denning (2000) defines cyberterrorism as the "convergence of cyberspace and terrorism." • Cyberterrorism covers a range of politically motivated hacking operations intended to cause grave harm that can result in either loss of life or severe economic loss, or both. • In some cases, it is difficult to separate acts of hacking and cybervandalism from cyberterrorism.

  26. Cyberterrorismvs. Hacktivism • In February 2000, "denial-of-service" attacks prevented tens of thousands of persons from accessing e-commerce Web sites. • These attacks resulted in severe economic loss for major corporations. • Should these particular cyber-attacks be classified as instances of cyberterrorism? • Or are they better understood as another form of malicious hacking by individuals with no particular political agenda or ideology?

  27. Hacktivism • Manion and Goodrum (2000) questioned whether some cyber-attacks might not be better understood as acts of hacktivism. • They consider the growing outrage on the part of some hackers and political activists over an increasingly "commodified Internet.“ • They also question whether this behavior suggests a new form of civil disobedience, which they describe as hacktivism.

  28. Hacktivism (continued) • Hacktivism integrates the talent of traditional computer hackers with the interests and social consciousness of political activists. • Manion and Godrum note that while hackers continue to be portrayed as vandals, terrorists, and saboteurs, hardly anyone has considered the possibility that at least some of these individuals might be "electronic political activists" or hacktivists.

  29. Hacktivism vs. Cyberterrorism • Can a meaningful distinction be drawn between hacktivism and cyberterrorism? • Denning (1999) attempts to draw some critical distinctions among three related notions: • activism • hacktivism • Cyberterrorism.

  30. Activism, Hacktivism, and Cyberterrorism • Activism includes the normal, non-disruptive use of the Internet to support a cause. • e.g, an activist could use the Internet to discuss issues, form coalitions, and plan and coordinate activities. • Activists could engage in a range of activities from browsing the Web to sending e-mail, posting material to a Web site, constructing a Web site dedicated to their political cause or causes, and so forth.

  31. Activism, Hacktivism, and Cyberterrorism (continued) • Hacktivism is the convergence of activism and computer hacking, which uses hacking techniques against a target Internet site with intent to disrupt normal operations but without intending to cause serious damage. • These disruptions could be caused by "e-mail bombs" and "low grade" viruses that cause only minimal disruption, and would not result in severe economic damage or loss of life.

  32. Activism, Hacktivism, and Cyberterrorism (continued) • Cyberterorism consists of operations that are intended to cause great harm such as loss of life or severe economic damage, or both. • e.g., a cyberterrorist might attempt to bring down the US stock market or take control of a trans- portation unit in order to cause trains to crash. • Denning believes that conceptual distinctions can be used to differentiate various activities included under the headings of activism, hacktivism, and cyberterrorism.

  33. Denning’s Analysis • Denning admits that as we progress from activism to cyberterrorism the boundaries become "fuzzy." • e.g., should an "e-mail bomb" sent by a hacker who is also a political activist be classified as a form of hacktivism or as an act of cyberterrorism? • Many in law-enforcement argue that more effort should be devoted to finding ways to deter and catch these individuals rather than trying to understand their ideological beliefs, goals, and objectives.

  34. Cybertechnology and Terrorist Organizations • Some members of al Quaeda have fairly sophisticated computer devices, despite the fact that some operate out of caves in Afghanistan. • It is not clear that terrorists have used cyber-technology to enhance their acts of terrorism in ways that technology could have been. • Why have terrorists not made more direct use of cyber-technology so far I carrying out specific acts of terror?

  35. Cybertechnology and Terrorism (continued) • One explanation is that they have not yet gained the expertise with cybertechnology. • This may change as the next generation of terrorists, who will likely be more skilled in the use of computers and cyber-technology, replace those currently in leadership roles. • When terrorists targeted the the Twin Towers, many gave up their lives. • Imagine if terrorists are someday be able to gain control of onboard computer systems on airplanes and override the airplane’s computerized controls.

  36. Information Warfare • Denning (1999) defines information warfare (or IW) as "operations that target or exploit information media in order to win some objective over an adversary." • Certain aspects of cyberterrorism also seem to conform to Denning's definition of IW. • Information warfare is a slightly broader concept than cyberterrorism; e.g., it need not involve loss of life or severe economic loss, even though such results can occur.

  37. Information Warfare (continued) • IW, unlike conventional or physical warfare, tends to be more disruptive than destructive. • The instruments of war in IW typically strike at a nation's infrastructure. • The "weapons" used, which are deployable from cyberspace, consist of "logic bombs" and viruses. • The disruption caused by viruses and worms can be more damaging, in certain respects, than physical damage caused to a nation by conventional weapons.

  38. Table 6-1: Hacktivism, Cyberterrorism, and Information Warfare

  39. Security Countermeasures • Power (2000) defines a countermeasure as an action, device, procedure, technique or other measure that reduces the vulnerability of a threat to a computer system. • We have come to rely increasingly on countermeasures. • Many security analysts believe that countermeasures would not be as necessary as they currently are if better security features were built into computer systems.

  40. Security Countermeasures (continued) • Spafford (2002) argues that successful security cannot be thought of as an "add-on" to computer systems. • Security should be embedded in the systems themselves (not added on). • Until that is accomplished, however, it is prudent to use existing tools and technologies to combat security threats involving computer systems.

  41. Four Types of Security Counterreasures • Firewalls • Anti-Virus Software • Encryption Tools • Anonymity Tools

  42. Firewall Technology • Power (2000) defines a firewall as a system or combination of systems that enforces a boundary between two or more networks. • Firewalls help to secure systems not only from unauthorized access to information in databases, but also help prevent unwanted and unauthorized communication into or out of a privately owned network. • A firewall is a "blockade" between an internal privately owned network and an external network, which is not assumed to be secure (Oplinger, 1997).

  43. Anti-Virus Software • Anti-virus software is designed to "inoculate" computer systems against viruses, worms, and other malicious or rogue programs. • Anti-virus software, now considered a standard security countermeasure, has been installed on most networked computer systems, including desktop computers. • Typically used in conjunction with firewall technology to protect individual computer systems as well as network domains in universities, and governmental and commercial organizations.

  44. Encryption Tools • Encryption is the technique used to convert the information in a message composed in ordinary text ("plain text"), into "ciphertext." • The use of dataencryption or cryptography techniques in communicating sensitive information is not new. • Dates back as least as far as the Roman era, where Julius Caesar encrypted messages sent to his generals.

  45. Encryption Tools (Continued) • The party receiving the encrypted message uses a "key" to decrypt the ciphertext back into plain text. • So long as both parties have the appropriate key, they can decode a message back into its original form (i.e., plain text). • One challenge in ensuring the integrity of encrypted communications has been to make sure that the key, which must remain private, can be successfully communicated.

  46. Encryption Tools (Continued) • An encrypted communication will be only as secure and private as its key. • In private-key encryption, both parties use the same encryption algorithm and the same private key. • Public cryptography uses two keys: one public and the other private.

  47. Encryption (Continued) – public Cryptography • If A wishes to communicate with B, A uses B's public key to encode the message. • That message can then only be decoded with B's private key, which is secret. • Similarly when B responds to A, B uses A's public key to encrypt the message. • That message can be decrypted only by using A's private key. Although information about an individual's public key is accessible to others, that individual's ability to communicate encrypted information is not compromised.

  48. Anonymity Tools • Users want to secure the integrity and confi- dentiality of their electronic communications. • They also wish to protect their identity while engaging in on-line activities. • Anonymity tools such as the Anonymizer, and pseudonymity agents such as Lucent's Personalized Web Assistant, enable users to roam the Web either anonymously or pseudonymously.

  49. Anonymity Tools (Continued) • Wallace (1999) describes a person as being anonymous when that person has no traits that can be coordinated in way that would make that person uniquely identifiable. • An individual is anonymous in cyberspace when that person is able to navigate the Internet is a way that his or her personal identity is not revealed. • e.g., the user cannot be identified beyond certain technical information such as the user's IP (Internet protocol) address, ISP, and so forth.

  50. Security and a Code of Networks Ethics • Is a Code of Network Ethics Needed to Address Security Concerns in Cyberspace? • Are currently available countermeasures sufficient to safeguard our contemporary infrastructure, which increasingly depends on secure and reliable networked computer systems? • Some believe a code of ethics is needed to require to require computer companies to produce more secure computer systems than those that are currently being sold to consumers and to organizations.

More Related