computer security introduction l.
Download
Skip this Video
Download Presentation
Computer Security Introduction

Loading in 2 Seconds...

play fullscreen
1 / 21

Computer Security Introduction - PowerPoint PPT Presentation


  • 108 Views
  • Uploaded on

Computer Security Introduction. Basic Components. Confidentiality: Concealment of information (prevent unauthorized disclosure of information). Integrity: Trustworthiness of data/resources (prevent unauthorized modifications). Data integrity

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Computer Security Introduction' - cheng


Download Now An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
basic components
Basic Components
  • Confidentiality: Concealment of information

(prevent unauthorized disclosure of information).

  • Integrity: Trustworthiness of data/resources

(prevent unauthorized modifications).

      • Data integrity
      • Origin integrity (authentication)
  • Availability: Ability to use information/resources.

(prevent unauthorized withholding of

information/resources).

basic components3
Basic Components

Additionally:

Authenticity, accountability, reliability, safety,

dependability, survivability . . .

confidentiality
Confidentiality

Historically, security is closely linked to secrecy.

Security involved a few organizations dealing mainly

with classified data.

However, nowadays security extends far beyond

confidentiality.

Confidentiality involves:

  • privacy: protection of private data,
  • secrecy: protection of organizational data.
integrity
Integrity

“Making sure that everything is as it is supposed to be.”

For Computer Security this means:

Preventing unauthorized writing or modifications.

availability
Availability

For Computer Systems this means that:

Services are accessible and useable (without undue

Delay) whenever needed by an authorized entity.

For this we need fault-tolerance.

Faults may be accidental or malicious (Byzantine).

Denial of Service attacks are an example of malicious

attacks.

relationship between confidentiality integrity and availability
Relationship between Confidentiality Integrity and Availability

Confidentiality

Integrity

Secure

Availability

other security requirements
Other security requirements
  • Reliability – deals with accidental damage,
  • Safety – deals with the impact of system failure on the environment,
  • Dependability – reliance can be justifiably placed on the system
  • Survivability – deals with the recovery of the system after massive failure.
  • Accountability -- actions affecting security must be traceable

to the responsible party. For this,

    • Audit information must be kept and protected,
    • Access control is needed.
basic components9
Basic Components

Threats – potential violations of security

Attacks – violations

Attackers – those who execute the violations

threats
Threats
  • Disclosure or unauthorized access
  • Deception or acceptance of falsified data
  • Disruption or interruption or prevention
  • Usurpation or unauthorized control
more threats
More threats
  • Snooping (unauthorized interception)
  • Modification or alteration
    • Active wiretapping
    • Man-in-the-middle attacks
  • Masquerading or spoofing
  • Repudiation of origin
  • Denial of receipt
  • Delay
  • Denial of Service
policy and mechanisms
Policy and Mechanisms
  • A security policy is a statement of what is / is not allowed.
  • A security mechanism is a method or tool that enforces a security policy.
assumptions of trust
Assumptions of trust

Let

  • P be the set of all possible states of a system
  • Q be the set of secure states

A mechanism is secure if P ≤ Q

A mechanism is precise if P = Q

A mechanism is broad if there are states in P which

are not in Q

assurance
Assurance

Trust cannot be quantified precisely.

System specifications design and implementation can

provide a basis for how much one can trust a system.

This is called assurance.

goals of computer security
Goals of Computer Security

Security is about protecting assets.

This involves:

  • Prevention
  • Detection
  • Reaction (recover/restore assets)
computer security
Computer Security

How to achieve Computer Security:

  • Security principles/concepts: explore general principles/concepts that can be used as a guide to design secure information processing systems.
  • Security mechanisms: explore some of the security mechanisms that can be used to secure information processing systems.
  • Physical/Organizational security: consider physical & organizational security measures (policies)
computer security17
Computer Security

Even at this general level there is disagreement on

the precise definitions of some of the required security

aspects.

References:

  • Orange book – US Dept of Defense, Trusted Computer System Evaluation Criteria.
  • ITSEC– European Trusted Computer System Product Criteria.
  • CTCPEC – Canadian Trusted Computer System Product Criteria
fundamental dilemma functionality or assurance
Fundamental Dilemma: Functionality or Assurance
  • Security mechanisms need additional computational
  • Security policies interfere with working patterns, and can be very inconvenient.
  • Managing security requires additional effort and costs.
  • Ideally there should be a tradeoff.
operational issues
Operational issues

Operational issues

  • Cost-benefit analysis
    • Example: a database with salary info, which is used by a second system to print pay checks
  • Risk analysis
    • Environmental dependence
    • Time dependence
    • Remote risk
laws and customs
Laws and Customs
  • Export controls
  • Laws of multiple jurisdiction
  • Human issues
    • Organizational problems (who is responsible for what)
    • People problems (outsiders/insiders)