Overview of Computer Security

City University of Hong Kong

Division of Computer Studies

Y K Choi

What is security? (a general definition)

  • Defined by Ron Kurtus, http://www.school-for-champions.com/security/whatis.htm:

    Security is the protection of a person, property or organization from an attack.

  • There are people who have distorted motivations to perform such attacks. The types of protection include prevention, response and pre-emptive attacks. There are three questions you may ask:

    • What are the types of possible attacks?

    • What reasons do people have to attack others?

    • What type of defenses can you have?

What is security?

  • A simple and less academic definition is: to make access inconvenient for unauthorized persons. Some examples are given below:

    • Place a security guard on the ground floor to keep track of each visitor and write down his/her particulars (this imposes an extra inconvenience on the intruder, i.e. the illegal visitor)

    • Install a door lock (so that you need to use a key to open it)

    • Add an iron gate in front of the door (so that you have to open two doors, the iron gate and the wooden door)

What is Computer Security?

Three items: integrity, availability and confidentiality

Computer security is the protection afforded to an information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources. The information resources include hardware, software, information and data.

Explanation of confidentiality, integrity and authentication

  • Assume that you wrote a cheque for HKD 1000 to your friend John and sent it by mail. You should ensure that only John can get it. Even if others get it, they should not know the details. (This is confidentiality.)

  • Both you and John should ensure that no one can tamper with (modify) the contents, such as the amount and signature. (This is integrity.)

  • John will ensure that the cheque is from you, not from others. (This is authentication.)

Example of Confidentiality

[Figure: John sends mail to Alice; Bob is blocked (X).]

John is sending a mail to Alice. Confidentiality means only Alice can access the mail. Bob is not supposed to receive and view the content.

Example of Authentication

[Figure: John sends mail to Alice; Bob is blocked (X).]

John is sending a mail to Alice. Authentication means Alice proves that the mail is from John not from Bob.

Example of Integrity

[Figure: John sends “I love you” to Alice; Bob's altered version, “I hate you”, is blocked (X).]

John is sending a mail to Alice saying “I love you”. Integrity means that the message cannot be captured by Bob and modified to “I hate you” while still appearing to come from John to Alice.
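
The integrity and authentication examples above can be checked in code. This is an added example, not part of the original slides: it assumes John and Alice share a secret key and uses HMAC-SHA256, a technique the slides do not name. The function names, keys and messages are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values: both keys are random and exist only for this example.
SHARED_KEY = secrets.token_bytes(32)   # assumed to be known only to John and Alice
BOB_KEY = secrets.token_bytes(32)      # Bob does not know SHARED_KEY


def send(key: bytes, message: bytes) -> tuple[bytes, bytes]:
    """Sender side: return the message together with its HMAC-SHA256 tag."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message, tag


def receive(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare it in constant time."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo() -> dict[str, bool]:
    # 1. John -> Alice, untouched in transit: Alice accepts the mail.
    msg, tag = send(SHARED_KEY, b"I love you")
    untouched = receive(SHARED_KEY, msg, tag)

    # 2. Integrity: Bob alters the text but can only reuse John's old tag.
    tampered = receive(SHARED_KEY, b"I hate you", tag)

    # 3. Authentication: Bob writes his own mail and tags it with his own key.
    forged_msg, forged_tag = send(BOB_KEY, b"I hate you")
    forged = receive(SHARED_KEY, forged_msg, forged_tag)

    # 4. The tag does not hide the text: confidentiality needs encryption as well.
    readable_in_transit = b"love" in msg

    return {"untouched": untouched, "tampered": tampered,
            "forged": forged, "readable_in_transit": readable_in_transit}


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Alice accepts only the first mail; the altered and forged ones fail verification, while the plain text stays readable to anyone who captures it.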

Example to consider - affordable

  • We could build an extremely secure computer room to protect a computer system that costs thirty thousand. The computer room might cost a million dollars, which we could not afford.

  • It is better to use a traditional key/lock system with password protection. (Although it is easily broken, it is cheaper and affordable.)

Agenda

  • Although all the assets of an organization are subject to loss, damage, etc., information systems (computer networks and applications) tend to be particularly susceptible to these dangers.

  • IT components are comparatively fragile (easily broken)

  • Computer hardware can be damaged more easily (last for a couple of years)

  • Computer systems and networks are likely to be the target of disgruntled workers and criminals.

  • Security issues:

    • Areas of vulnerability

    • People in computer crime

    • Methods of trespassing (hacking)

    • Ways to counteract intrusion (protect the system)

Areas of Vulnerability (means easily attacked)

There are four basic items. The most difficult part is people, as it is difficult to control them.

  • Hardware: physical devices such as CPU, keyboard

  • Software: this includes Operating system, applications and network

  • Data: without the data, this is useless (the essence of computer systems)

  • People: can cause a great deal of damage

    • From Computer security management by Karen A. Forcht, Chapter 1

Hardware

  • It means all physical devices.

  • The most visible parts, such as the monitor, mouse, keyboard, router, disk, etc. (be careful with the keyboard)

  • Subject to common mishaps such as coffee spills, crumbs getting into keyboards, dust and theft

  • Prevention: by placing locks on computer rooms, cabinets, motherboard, monitor etc.

Software

  • Software piracy: illegal copying and distribution of software (even free of charge using BT) is a serious offense

  • Deletion of software: accidental deletion of software, configuration etc.

  • Software alteration: changing a few lines of code is hard to find out, which can change the behaviour of software

Data

  • It is crucial to the organization (it means it is important)

  • Re-construction of lost data is expensive and time consuming (that is why it is better to protect it.)

  • Another threat is damage of personal data and leakage of data (privacy law)

  • Sensitive data should be revealed only with authorized access (imposes security level)

  • To safeguard the data: keep it in a safe place and shred (destroy) the sensitive data

People

  • Intruders: disgruntled (unhappy) employees might seek revenge by planting a logic bomb (software bomb)

  • Hackers: break into the computer system. Hackers have the following profile:

    • Relatively young

    • Highly motivated

    • Intelligent and personable

    • Happy with job

    • Proficiency in computer systems and programming

No need to memorise the profile

Hacker – the definition

  • The definition is quite interesting (based on MIT and Stanford’s definition)

  • A person who enjoys learning the details of programming systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary (means who wants to learn more)

  • One who programs enthusiastically, or who enjoys programming rather than just theorizing about programming

People – Computer Criminals

There are four areas of computer crime:

  • Theft of computer time: a common practice is to remotely log into the system (not common on the Internet). This includes the time it takes to repair the computer system after it is infected by a virus, bomb, etc.

  • Theft of data: physically removing data from files

  • Manipulation of computer programs: change or insert/delete program

  • Software piracy: illegal copying of software

Threats to security

  • Natural disasters: such as fire, floods, windstorms, earthquakes etc. We can do little to prevent natural disasters. (In Hong Kong, fire is the most serious.)

  • Malfunctions: They cause much less damage, but occur frequently such as power surges (sudden change of power), stray electrical forces, dust, operation error etc.

    • Hardware reliability: routine and preventive maintenance

    • Software reliability: testing and debugging

Threats to security (cont.)

  • Criminal acts – crimes against computers and defenses against computer crime. These include the use of passwords to keep out intruders, and data diddling (the alteration of data).

  • Operating integrity – system managers still need to take precautions to safeguard data. A common term is “Garbage in and garbage out”, as the process of changing, adding and deleting data may introduce errors.

Security Measures (means how to protect)

  • Passwords: the most common means of user authentication. Generally used. Rules of choosing password:

    • Don’t leave your password open

    • Don’t write it down

    • Choose a password with at least six characters: there are 26^6 (308915776) combinations

    • Don’t choose a password that is obvious such as John or “Chan Tai Man” if your name is John or “Chan Tai Man”

Security Measures (2)

  • Encryption: Encrypt the data. There are many standards such as Data Encryption Standard (DES) by IBM

  • Dial-back devices: The system will disconnect the telephone line and verify the caller, then call the caller. (It is getting outdated as we are using the Internet; I list this method so that you have an idea.)

  • Control: from planning to final implementation. This involves the progress review and acceptance test, post-installation review and periodic audits

Security Measure (3)

  • Progress review: it is unusual for a project to proceed on schedule. The purpose of a progress review is to bring changes to light to revise the master plan.

  • Acceptance test: It is the final activity before conversion to the new system. (It is very important in the commercial world when accepting the modified version of software.)

  • Contingency planning: It is the backup plan in case an event may or may not occur. For example, if the application cannot operate, what should we do? (Example: if the system is down, go back to a manual system, such as using the log book to keep the transactions.)

Management’s role (3 steps)

As stated by Jay BloomBecker, the approach to security is:

  • Technology (try to prevent illegal users from hacking the system, for example by using a firewall, password, private line, virtual path network, etc.)

  • Management techniques: proper handling of the flow of data, procedures for accessing data, etc. (in order to achieve this, impose policy)

  • Laws and legal actions: for those who cannot be stopped (or avoided) by technology, use the law as a deterrent, such as suing hackers

Computer Security Information (no need to memorise)

http://www.alw.nih.gov/Security/security.html

  • Advisories  (advisories)

    • A number of groups from around the world provide information about security vulnerabilities and methods to remove or reduce the danger of particular vulnerabilities for different computer operating systems. 

  • Documents  (documents)

    • Many articles have been written about various topics in computer and network security that have been published on the Internet. 

  • Electronic Magazines, Newsletters and News Sites  (electronic magazines)

    • There are some magazines, newsletters and news sites available online that provide timely information about computer security. 

Web information about security (no need to memorise)

  • Frequently Asked Questions (FAQ)  (FAQ)

    • A FAQ is a summary document written by knowledgeable individuals for a particular topic and it contains commonly requested information about the topic.

  • Groups and Organizations  (organisations)

    • A number of computer security organizations exist that provide information to the public or to their members.

  • Mailing Lists  (mailing lists)

    • Mailing Lists provide a dialog on areas of interest to the members of the list.

  • http://www.itsd.gov.hk/itsd/secure/g3_r1_disclose.pdf (this is the web site of ITSD, Hong Kong Government)

Web information

  • Newsgroups  (Newsgroups)

    • USENET newsgroups are a series of discussion groups that can be useful to obtain current information on a specific topic. Some newsgroups are a better source of information than others.

  • Request for Comments (RFC) on computer and network security topics  (RFC)

  • Software

    • A large amount of software is available to improve the security of a system.

  • World Wide Web (WWW) Sites  (WWW)

    • Many WWW sites provide a large amount of information about various topics in computer security. Some of these sites are simply large indexes but others contain a collection of information on a specific topic.

Summary

  • Security is the protection of a person, property or organization from an attack.

  • Computer systems and data are susceptible to loss, damage etc.

  • Areas of vulnerability (easily damaged) are: hardware, software, data and people

  • Principles of Security: confidentiality, integrity and authentication

  • Methods of protecting the system: the use of checksum, data encryption, password, logs, firewall

  • Information System (IS) plan: To go through all the necessary steps such as progress review, acceptance testing, post installation etc. to ensure the software quality is secure.

Next Week

  • Identify the natural disasters

  • Determine the damage assessment and reconstruction techniques

  • Design and select the physical location of a computer server

  • Describe the various access control mechanisms to prevent unauthorised entries
