1 / 29

Chapter 1

Chapter 1. Is There a Security Problem in Computing? . In This Chapter . The risks involved in computing The goal of secure computing: confidentiality, integrity, availability The threats to security in computing: interception, interruption, modifications, fabrication

thuong
Download Presentation

Chapter 1

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 1 Is There a Security Problem in Computing? Information security / MahmoudObeidat

  2. In This Chapter • The risks involved in computing • The goal of secure computing: confidentiality, integrity, availability • The threats to security in computing: interception, interruption, modifications, fabrication • Controls available to address these threats: encryption, programming controls, operating systems, network controls, administrative controls, laws and ethics Information security / Mahmoud Obeidat

  3. What Does “Secure” Mean? • Are you Secure? • What makes you feel secure? • Example: Banks • Yesterday – learning from the past • Today • Protecting Valuables • Protecting Money Vs. Protecting Information • Size and Portability (large vs. small) • Ability to Avoid Physical Contact (lots vs. little) • Value of Asset (very high vs. variable) Information security / Mahmoud Obeidat

  4. Developing an Understanding • Examine the risk of security in computing • Consider available countermeasures or controls • Stimulate thought about uncovered vulnerabilities • Identify areas where more work is needed Information security / Mahmoud Obeidat

  5. Characteristics of Computer Intrusion • Any computer system can be a target: • Hardware, Software, Storage, Data, People/User • Any system is most vulnerable at its weakest point. • Principle of Easiest Penetration - An intruder must be expected to use any available means of penetration. Penetration may not necessarily be by the most obvious means, nor via the one we have the most defense against. • Consider all the means of penetration • Checked repeated times • Don’t underestimate the attacker/think like an attacker • Strengthening one thin might weaken another Information security / Mahmoud Obeidat

  6. Attacks • The components to attack: • Hardware • Software • Data • Vulnerability – a weakness in the security system that could be exploited to cause harm or loss. For instance, a particular system may be vulnerable to unauthorized data manipulation because the system does not verify a user's identity before allowing data access. • Threat – a set of circumstances that has the potential to cause loss or harm. • Wall holding back water • Threat to get wet • Vulnerability is a crack in the wall Information security / Mahmoud Obeidat

  7. in Figure 1-1. Here, a wall is holding water back. The water to the left of the wall is a threat to the man on the right of the wall: The water could rise, overflowing onto the man, or it could stay beneath the height of the wall, causing the wall to collapse. So the threat of harm is the potential for the man to get wet, get hurt, or be drowned. For now, the wall is intact, so the threat to the man is unrealized. • However, we can see a small crack in the walla vulnerability that threatens the man's security. If the water rises to or beyond the level of the crack, it will exploit the vulnerability and harm the man. Information security / Mahmoud Obeidat

  8. Attack – human who exploits a vulnerability • Control – a protective measure against an attack a control is an action, device, procedure, or technique that removes or reduces a vulnerability • A threat is blocked by control of vulnerability • Type of System Security Threats in computing • Interception • Interruption • Modification • Fabrication Information security / Mahmoud Obeidat

  9. interception : some unauthorized party has gained access to an asset. The outside party can be a person, a program, or a computing system. Examples of this type of failure are illicit copying of program or data files, or wiretapping to obtain data in a network. • Interruption : an asset of the system becomes lost, unavailable, or unusable. An example is malicious destruction of a hardware device, erasure of a program or data file. • Modification: unauthorized party tampers with an asset. For example, someone might change the values in a database, alter a program so that it performs an additional computation, or modify data being transmitted electronically. • fabrication : The intruder may insert spurious transactions to a network communication system or add records to an existing database. Information security / MahmoudObeidat

  10. Figure 1-2. System Security Threats. Information security / MahmoudObeidat

  11. Method, Opportunity & Motive • Attacker must have three things: • Method – the skill, knowledge and tool • Opportunity – the time and access • Motive – a reason to want to perform an attack Information security / Mahmoud Obeidat

  12. Security Goals • Secure is: • Confidentiality (Secrecy or Privacy)- assets accessed only by authorized parties • Not only reading but viewing, printing or knowing about the asset • Integrity – assets modified only by authorized parties • Includes writing, changing, changing the status, deleting or creating • Availability – assets are accessible to authorized parties at appropriate times. • Denial of Service Information security / Mahmoud Obeidat

  13. Figure 1-3. Relationship Between Confidentiality, Integrity, and Availability. Information security / MahmoudObeidat

  14. Availability • Availability applies both to data and to services • A data item, service, or system is available if • There is a timely response to our request. • Resources are allocated fairly so that some requesters are not favored over others. • The service or system involved follows a philosophy of fault tolerance. • The service or system can be used easily and in the way it was intended to be used. • Concurrency is controlled. Information security / Mahmoud Obeidat

  15. Vulnerabilities • Hardware • It is very visible • Easy to attack • adding devices, changing them, removing them, intercepting the traffic to them • Water, burned, frozen, gassed and electrocuted, dust, time, environment • Voluntary Machine Slaughter or Machinicide Machines have been shot with guns, stabbed with knives, and smashed with all kinds of things. Bombs, fires, and collisions have destroyed computer rooms Information security / Mahmoud Obeidat

  16. Software • Software Deletion • Software Modification (cause it to fail or cause it to perform an unintended task) • Software Theft • Software replaced • Software destroyed the attacks are obvious, as when the software no longer runs. More subtle are attacks in which the software has been altered but seems to run normally. Information security / Mahmoud Obeidat

  17. Figure 1-4. Vulnerabilities of Computing Systems. Information security / Mahmoud Obeidat

  18. Malicious Modification of Software • Logic Bomb:  a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. • Trojan Horse: a program that overtly does one thing while covertly doing another • Virus • Trapdoor : a program that has a secret entry point • Information leaks : code that makes information accessible to unauthorized people or programs Information security / Mahmoud Obeidat

  19. Data Vulnerabilities • Effects everyone • Data is more than just an electronic file • Principle of Adequate Protection – Computer items must be protected only until they lose their value. • Data Confidentiality Data can be gathered by many means, such as tapping wires, planting bugs in output devices, sifting through trash receptacles, monitoring electromagnetic radiation, bribing key employees, inferring one data point from other values, or simply requesting the data. • Data Integrity Printed data, however, can be readily interpreted by the general public. Because of its visible nature, a data attack is a more widespread and serious problem than either a hardware or software attack. Thus, data items have greater public value than hardware and software because more people know how to use or interpret data. Information security / Mahmoud Obeidat

  20. Other Exposed Assets • Networks very exposed storage medium or access from distant and potentially untrustworthy computing systems. • Access steal computer time to do general-purpose computing, destroys software or data and deny service to a legitimate user • Key People People can be crucial weak points in security. If only one person knows how to use or maintain a particular program, trouble can arise if that person is ill, suffers an accident, or leaves the organization . In particular, a disgruntled employee can cause serious damage by using inside knowledge of the system and the data that are manipulated. Information security / Mahmoud Obeidat

  21. Information security / MahmoudObeidat Figure 1-5. Security of Data.

  22. Computer Criminals • Amateurs • Crackers or Hackers • Career Criminal • Terrorists Information security / Mahmoud Obeidat

  23. The security community distinguishes between a "hacker," someone who programs, manages, or uses computing systems, and a "cracker," someone who attempts to access computing systems for malicious purposes. Crackers are the "evildoers." Now, hacker has come to be used outside security to mean both benign and malicious users. Information security / Mahmoud Obeidat

  24. Terrorists terrorists using computers in three ways: • targets of attack: denial-of-service attacks and web site defacements are popular for any political organization because they attract attention to the cause and bring undesired negative attention to the target of the attack. • propaganda vehicles: web sites, web logs, and e-mail lists are effective, fast, and inexpensive ways to get a message to many people. • methods of attack: to launch offensive attacks requires use of computers Information security / Mahmoud Obeidat

  25. Methods of Defense • Harm occurs when a threat is realized against a vulnerability • Risk – the possibility of harm • Dealing with Harm • prevent it, by blocking the attack or closing the vulnerability • deter it, by making the attack harder but not impossible • deflect it, by making another target more attractive (or this one less so) • detect it, either as it happens or some time after the fact • recover from its effects Information security / Mahmoud Obeidat

  26. Controls • Control – attempt to prevent the exploitation of a vulnerability • Computer Security has lots of controls • Simple or Difficulty • Inexpensive or Expensive • Type of Control • Encryption – formal name for the scrambling process • deals with confidentially and integrity • Does not solve computer security problems. • Cleartext • Ciphertext • Protocols Information security / Mahmoud Obeidat

  27. Software Controls • Programs must be secure to prevent attacks • Program Controls: • Internal Program Controls • Operating System and Network System Controls • Independent Control Programs (virus checker) • Development Controls (quality standards in construction) • Software controls effect the user • Hardware Controls • Smart cards, locks, devices to ID users, firewalls, intrusion detection systems, circuitry control • Policies and Procedures • Policies – an agreement of way things are done • Must be written and training provided • Physical Controls – locks/security officer/backups Information security / Mahmoud Obeidat

  28. Effectiveness of Controls • Controls must be properly used! • Awareness of Problem • Likelihood of Use • Principles of Effectiveness - Control must be used-and used properly- to be effective. They must be efficient, easy to use, and appropriate. • Overlapping Controls (good) • Periodic Review – controls are not permanent • Principle of Weakest Link – Security can be no stronger than its weakest link. Information security / Mahmoud Obeidat

  29. Conclusion • The risks involved in computing • The goal of secure computing: confidentiality, integrity, availability • The threats to security in computing: interception, interruption, modifications, fabrication • Controls available to address these threats: encryption, programming controls, operating systems, network controls, administrative controls, laws and ethics Information security / Mahmoud Obeidat

More Related