An overview of computer security
This presentation is the property of its rightful owner.
Sponsored Links
1 / 26

An Overview of Computer Security PowerPoint PPT Presentation


  • 82 Views
  • Uploaded on
  • Presentation posted in: General

An Overview of Computer Security. Outline. Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational Issues Human Issues. Status of security in computing (in early 2000s). In terms of security, computing is very close to the wild west days.

Download Presentation

An Overview of Computer Security

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


An overview of computer security

An Overview ofComputer Security

computer security


Outline

Outline

  • Components of computer security

  • Threats

  • Policies and mechanisms

  • The role of trust

  • Assurance

  • Operational Issues

  • Human Issues

computer security


Status of security in computing in early 2000s

Status of security in computing (in early 2000s)

  • In terms of security, computing is very close to the wild west days.

  • Some computing professionals & managers do not even recognize the value of the resources they use or control.

  • In the event of a computing crime, some companies do not investigate or prosecute.

Has the status changed for the better?

computer security


Characteristics of computer intrusion

Characteristics of Computer Intrusion

  • A computing system: a collection of hardware, software, data, and people that an organization uses to do computing tasks

  • Any piece of the computing system can become the target of a computing crime.

  • The weakest point is the most serious vulnerability.

  • The principles of easiest penetration

computer security


Security breaches terminology

Security Breaches- Terminology

  • Exposure

    • a form of possible loss or harm

  • Vulnerability

    • a weakness in the system

  • Attack

  • Threats

    • Human attacks, natural disasters, errors

  • Control – a protective measure

  • Assets – h/w, s/w, data

computer security


Types of security breaches

Types of Security Breaches

  • Disclosure: unauthorized access to info

    • Snooping

  • Deception: acceptance of false data

    • Modification, spoofing, repudiation of origin, denial of receipt

  • Disruption: prevention of correct operation

    • Modification, man-in-the-middle attack

  • Usurpation: unauthorized control of some part of the system (usurp: take by force or without right)

    • Modification, spoofing, delay, denial of service

computer security


Security components

Security Components

  • Confidentiality: The assets are accessible only by authorized parties.

    • Keeping data and resources hidden

  • Integrity: The assets are modified only by authorized parties, and only in authorized ways.

    • Data integrity (integrity)

    • Origin integrity (authentication)

  • Availability: Assets are accessible to authorized parties.

    • Enabling access to data and resources

computer security


Computing system vulnerabilities

Computing System Vulnerabilities

  • Hardware vulnerabilities

  • Software vulnerabilities

  • Data vulnerabilities

  • Human vulnerabilities ?

computer security


Software vulnerabilities

Software Vulnerabilities

  • Destroyed (deleted) software

  • Stolen (pirated) software

  • Altered (but still run) software

    • Logic bomb

    • Trojan horse

    • Virus

    • Trapdoor

    • Information leaks

computer security


Data security

Data Security

  • The principle of adequate protection

  • Storage of encryption keys

  • Software versus hardware methods

computer security


Other exposed assets

Other Exposed Assets

  • Storage media

  • Networks

  • Access

  • Key people

computer security


People involved in computer crimes

People Involved in Computer Crimes

  • Amateurs

  • Crackers

  • Career Criminals

computer security


Methods of defense

Methods of Defense

  • Encryption

  • Software controls

  • Hardware controls

  • Policies

  • Physical controls

computer security


Encryption

Encryption

  • at the heart of all security methods

  • Confidentiality of data

  • Some protocols rely on encryption to ensure availability of resources.

  • Encryption does not solve all computer security problems.

computer security


Software controls

Software controls

  • Internal program controls

  • OS controls

  • Development controls

  • Software controls are usually the 1st aspects of computer security that come to mind.

computer security


Policies and mechanisms

Policies and Mechanisms

  • Policy says what is, and is not, allowed

    • This defines “security” for the site/system/etc.

  • Mechanisms enforce policies

  • Mechanisms can be simple but effective

    • Example: frequent changes of passwords

  • Composition of policies

    • If policies conflict, discrepancies may create security vulnerabilities

  • Legal and ethical controls

    • Gradually evolving and maturing

computer security


Principle of effectiveness

Principle of Effectiveness

  • Controls must be used to be effective.

    • Efficient

      • Time, memory space, human activity, …

    • Easy to use

    • appropriate

computer security


Overlapping controls

Overlapping Controls

  • Several different controls may apply to one potential exposure.

    H/w control + S/w control + Data control

computer security


Goals of security

Goals of Security

  • Prevention

    • Prevent attackers from violating security policy

  • Detection

    • Detect attackers’ violation of security policy

  • Recovery

    • Stop attack, assess and repair damage

    • Continue to function correctly even if attack succeeds

computer security


Trust and assumptions

Trust and Assumptions

  • Underlie all aspects of security

  • Trust and verify vs Verify before trust?

  • Policies

    • Unambiguously partition system states

    • Correctly capture security requirements

  • Mechanisms

    • Assumed to enforce policy

    • Support mechanisms work correctly

computer security


Types of mechanisms

Types of Mechanisms

secure

broad

precise

set of reachable states

set of secure states

computer security


Assurance

Assurance

  • Specification

    • Requirements analysis

    • Statement of desired functionality

  • Design

    • How system will meet specification

  • Implementation

    • Programs/systems that carry out design

computer security


Operational issues

Operational Issues

  • Cost-Benefit Analysis

    • Is it cheaper to prevent or to recover?

  • Risk Analysis

    • Should we protect something?

    • How much should we protect this thing?

  • Laws and Customs

    • Are desired security measures illegal?

    • Will people do them?

computer security


Human issues

Human Issues

  • Organizational Problems

    • Power and responsibility

    • Financial benefits

  • People problems

    • Outsiders and insiders

    • Social engineering

“The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education. Enacting policies and procedures simply won't suffice. Even with oversight the policies and procedures may not be effective: my access to Motorola, Nokia, ATT, Sun depended upon the willingness of people to bypass policies and procedures that were in place for years before I compromised them successfully.” — Kevin Mitnick

computer security


Tying together

Tying Together

Threats

Policy

Specification

Design

Implementation

Operation

computer security


Key points

Key Points

  • Policy defines security, and mechanisms enforce security

    • Confidentiality

    • Integrity

    • Availability

  • Trust and knowing assumptions

  • Importance of assurance

  • The human factor

computer security


  • Login