
Published by: Anamiya Bhattacharya on Jan 01, 2013
Copyright: Attribution Non-commercial


09/12/2014


An Overview of Computer Security

computer security

1

Outline
• Components of computer security
• Threats
• Policies and mechanisms
• The role of trust
• Assurance
• Operational Issues
• Human Issues

Status of security in computing (in early 2000s)
• In terms of security, computing is very close to the wild west days.
• Some computing professionals & managers do not even recognize the value of the resources they use or control.
• In the event of a computing crime, some companies do not investigate or prosecute.
Has the status changed for the better?

Characteristics of Computer Intrusion
• A computing system: a collection of hardware, software, data, and people that an organization uses to do computing tasks
• Any piece of the computing system can become the target of a computing crime.
• The weakest point is the most serious vulnerability.
• The principles of easiest penetration

Security Breaches - Terminology
• Exposure – a form of possible loss or harm
• Vulnerability – a weakness in the system
• Attack
• Threats – Human attacks, natural disasters, errors
• Control – a protective measure
• Assets – h/w, s/w, data

Types of Security Breaches
• Disclosure: unauthorized access to info
  – Snooping
• Deception: acceptance of false data
  – Modification, spoofing, repudiation of origin, denial of receipt
• Disruption: prevention of correct operation
  – Modification, man-in-the-middle attack
• Usurpation: unauthorized control of some part of the system (usurp: take by force or without right)
  – Modification, spoofing, delay, denial of service

Security Components
• Confidentiality: The assets are accessible only by authorized parties.
  – Keeping data and resources hidden
• Integrity: The assets are modified only by authorized parties, and only in authorized ways.
  – Data integrity (integrity)
  – Origin integrity (authentication)
• Availability: Assets are accessible to authorized parties.
  – Enabling access to data and resources

Computing System Vulnerabilities
• Hardware vulnerabilities
• Software vulnerabilities
• Data vulnerabilities
• Human vulnerabilities ?

Software Vulnerabilities
• Destroyed (deleted) software
• Stolen (pirated) software
• Altered (but still run) software
  – Logic bomb
  – Trojan horse
  – Virus
  – Trapdoor
  – Information leaks

Data Security
• The principle of adequate protection
• Storage of encryption keys
• Software versus hardware methods

Other Exposed Assets
• Storage media
• Networks
• Access
• Key people

People Involved in Computer Crimes
• Amateurs
• Crackers
• Career Criminals

Methods of Defense
• Encryption
• Software controls
• Hardware controls
• Policies
• Physical controls

Encryption
• at the heart of all security methods
• Confidentiality of data
• Some protocols rely on encryption to ensure availability of resources.
• Encryption does not solve all computer security problems.

Software controls
• Internal program controls
• OS controls
• Development controls
• Software controls are usually the 1st aspects of computer security that come to mind.

Policies and Mechanisms
• Policy says what is, and is not, allowed
  – This defines “security” for the site/system/etc.
• Mechanisms enforce policies
• Mechanisms can be simple but effective
  – Example: frequent changes of passwords
• Composition of policies
  – If policies conflict, discrepancies may create security vulnerabilities
• Legal and ethical controls
  – Gradually evolving and maturing

Principle of Effectiveness
• Controls must be used to be effective.
  – Efficient
    • Time, memory space, human activity, …
  – Easy to use
  – Appropriate

Overlapping Controls
• Several different controls may apply to one potential exposure.
• H/w control + S/w control + Data control

Goals of Security
• Prevention
  – Prevent attackers from violating security policy
• Detection
  – Detect attackers’ violation of security policy
• Recovery
  – Stop attack, assess and repair damage
  – Continue to function correctly even if attack succeeds

Trust and Assumptions
• Underlie all aspects of security
• Trust and verify vs Verify before trust?
• Policies
  – Unambiguously partition system states
  – Correctly capture security requirements
• Mechanisms
  – Assumed to enforce policy
  – Support mechanisms work correctly

Types of Mechanisms
[Figure: three panels labelled secure, precise and broad, each comparing the set of reachable states with the set of secure states]

Assurance
• Specification
  – Requirements analysis
  – Statement of desired functionality
• Design
  – How system will meet specification
• Implementation
  – Programs/systems that carry out design

Operational Issues
• Cost-Benefit Analysis
  – Is it cheaper to prevent or to recover?
• Risk Analysis
  – Should we protect something?
  – How much should we protect this thing?
• Laws and Customs
  – Are desired security measures illegal?
  – Will people do them?

Human Issues
• Organizational Problems
  – Power and responsibility
  – Financial benefits
• People problems
  – Outsiders and insiders
  – Social engineering

“The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education. Enacting policies and procedures simply won't suffice. Even with oversight the policies and procedures may not be effective: my access to Motorola, Nokia, ATT, Sun depended upon the willingness of people to bypass policies and procedures that were in place for years before I compromised them successfully.” — Kevin Mitnick

Tying Together
[Figure: diagram relating Threats, Policy, Specification, Design, Implementation and Operation]

Key Points
• Policy defines security, and mechanisms enforce security
  – Confidentiality
  – Integrity
  – Availability
• Trust and knowing assumptions
• Importance of assurance
• The human factor
