Fundamentals of Computer Security (CoSc4151)
Outline
Overview
Security Goals
Vulnerabilities
Threats
Countermeasures
Computer Security Overview
Definitions
Dictionary.com says:
1. Freedom from risk or danger; safety.
2. Freedom from doubt, anxiety, or fear; confidence
Computer Security / History
Confidentiality:
Preserving authorized restrictions on information access and
disclosure
prevent/detect/deter improper disclosure of information
Two concepts:
Data confidentiality: Assures that private or confidential
information is not made available or disclosed to
unauthorized individuals.
Privacy: Assures that individuals control or influence
what information related to them may be collected and
stored and by whom and to whom that information may be
disclosed.
Confidentiality
Concerned with access to assets
“Need to know” basis for data access
How do we know who needs what data?
Approach: access control specifies who can access what
How do we know a user is the person s/he claims to be?
Need her identity and need to verify this identity
Approach: identification and authentication
Confidentiality is:
difficult to ensure
Why????
easiest to assess in terms of success
Computer Security Factors
Integrity:
Guarding against improper information modification or
destruction
Prevent/detect/deter improper modification of information
Two concepts:
Data integrity: Assures that information and programs are
changed only in a specified and authorized manner.
System integrity: Assures that a system performs its intended
function in an unimpaired manner, free from deliberate or
inadvertent unauthorized manipulation of the system.
Integrity
Concerned with unauthorized modification of assets
Integrity is more difficult to measure than
confidentiality
Not binary – degrees of integrity
Context-dependent - means different things in
different contexts
Could mean any subset of these asset properties:
{ precision / accuracy / currency / consistency /
meaningfulness / usefulness / ...}
Computer Security Factors
Availability:
Assures that systems work promptly and service is not
denied to authorized users.
prevent/detect/deter improper denial of access to services
Additional
Authenticity: The property of being genuine and being
able to be verified and trusted; confidence in the validity of a
transmission, a message, or message originator.
Accountability: The security goal that generates the
requirement for actions of an entity to be traced uniquely to
that entity.
Availability
Not understood very well yet
Full implementation of availability is security’s next challenge
Complex and Context-dependent
Could mean any subset of these asset (data or service)
properties: { usefulness / sufficient capacity / progressing at
a proper pace / completed in an acceptable period of time / ...}
We can say that an asset (resource) is available if:
Timely request response
Fair allocation of resources (no starvation!)
Fault tolerant (no total breakdown)
Easy to use in the intended way
Provides controlled concurrency (concurrency control, deadlock
control, ...)
Example
Military example
Confidentiality: target coordinates of a missile should not be
improperly disclosed
Integrity: target coordinates of missile should be correct/precise
Availability: missile should fire when proper command is issued
Commercial example
Confidentiality: patient’s medical information should not be
improperly disclosed
Integrity: patient’s medical information should be correct
Availability: patient’s medical information can be accessed when
needed for treatment
Education
Confidentiality: Student’s information should not be disclosed
Integrity: student’s information must be correct
Availability: Student’s information has to be accessed by those
allowed anytime
Need to Balance CIA
Example 1: C vs. I+A
Disconnect computer from Internet to increase confidentiality
Availability suffers, integrity suffers due to lost updates
Computer Security
Computer Security can be broken down into two distinct
areas:
Physical security refers to the issues related to the
physical security of the equipment that comprises or is
connected to the network.
Logical security is concerned with security of data held
on devices connected to the network.
involves controlling
• passwords and password policies
• Access to data on servers
• Access to backup tapes
• sources outside the network from gaining access to
the network
Computer Security/ Vulnerabilities
Corruption
It does the wrong thing or gives wrong answers
Leaky
For example, someone who should not have access to
information available through the network obtains such
Computer Security /Vulnerabilities
Can be
Physical - weather, natural disaster, bombs, power
failures, etc.
Human - stealing, trickery, bribery, spying,
sabotage, accidents.
Software - viruses, Trojan horses, logic bombs,
denial of service, worms, etc.
Computer security/Threats
A threat consequence can be:
Unauthorized Disclosure
Exposure
• Can be deliberate or accidental
Interception
• Unauthorized party gains access to a protected asset.
Inference
Intrusion
Deception
Masquerade
• Stealing username/password
Falsification
Repudiation/rejection
Disruption
Interruption
• An asset of a computing system becomes lost,
unavailable or unusable
Modification
• Unauthorized party gains access to and tampers with a
protected asset.
Forgery
• Unauthorized party fabricates counterfeit
objects on a computing system
Computer security/Threats
Digital threats are very similar to physical world threats BUT
Automation
Repeated attack on hardware/software weakness
is easy.
Action at distance
In a computing system, all computers are
equidistant.
Propagation
Computing systems facilitate reproduction of data
or software.
Electronic plan distributed on the Web
Exploit/Crack/Serial
Computer Security/ Attacks
Attack
A threat that is carried out
An intelligent act that is a deliberate attempt to
evade security services and violate the security
policy of a system
Active attack:
An attempt to alter system resources or affect their
operation.
Passive attack:
An attempt to learn or make use of information from the
system that does not affect system resources.
Types of Attacks
Passive attacks: attempt to learn or make use of information
from the system but do not affect system resources
Eavesdropping
Monitoring
Active attacks: involve some modification of the data stream
Masquerade – one entity pretends to be a different
entity
Replay – passive capture of information and its
retransmission
Modification– legitimate message is altered
Denial of service – prevents normal use of
resources
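A receiver-side check for three of the active attacks listed above (masquerade, replay, modification), as an added example that is not part of the original slides. The HMAC-plus-sequence-number scheme, the names and the key are assumptions constructed for illustration; denial of service is not covered by this check.

```python
import hashlib
import hmac
import struct

def make_tag(key, sender, seq, payload):
    """HMAC-SHA256 over sender id, sequence number and payload."""
    sid = sender.encode()
    msg = struct.pack(">H", len(sid)) + sid + struct.pack(">Q", seq) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()

class Receiver:
    def __init__(self, keys):
        self.keys = keys        # sender id -> shared secret key
        self.last_seq = {}      # sender id -> highest sequence number accepted

    def accept(self, sender, seq, payload, tag):
        key = self.keys.get(sender)
        if key is None:
            return "reject: unknown sender"
        # A wrong tag means the content was altered in transit, or the
        # sender does not hold the claimed identity's key.
        if not hmac.compare_digest(make_tag(key, sender, seq, payload), tag):
            return "reject: bad tag (modification or masquerade)"
        # A valid tag on an already-seen sequence number is a retransmitted capture.
        if seq <= self.last_seq.get(sender, -1):
            return "reject: replay"
        self.last_seq[sender] = seq
        return "accept"

def demo():
    key = b"constructed-demo-key-alice"   # constructed sample key
    rx = Receiver({"alice": key})
    original = b"pay 10 to bob"           # constructed sample message
    good = ("alice", 1, original, make_tag(key, "alice", 1, original))
    results = {"legitimate": rx.accept(*good)}
    # Modification: payload altered, tag still belongs to the original payload.
    results["modification"] = rx.accept(
        "alice", 2, b"pay 9999 to eve", make_tag(key, "alice", 2, original))
    # Masquerade: claims to be alice but does not know alice's key.
    results["masquerade"] = rx.accept(
        "alice", 3, b"hi", make_tag(b"guessed-key", "alice", 3, b"hi"))
    # Replay: the captured legitimate message is sent a second time, unchanged.
    results["replay"] = rx.accept(*good)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:13s} -> {outcome}")
```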
Computer Security/Attacks
[Figure: four categories of attack: interruption, interception, modification, fabrication]
Computer security/Attacks
Types of Threats/Attacks (Chuck Easttom)
Malware Attack
Hacking Attack
Denial of Service Attack
Physical Attack
Computer security/Attackers
Types of Attackers
Amateurs
Opportunistic attackers: (use a password they found)
Script kiddies
Hackers – non-malicious
In broad use beyond security community: also malicious
Crackers – malicious
Career criminals
Nation-supported spies and information warriors
Attackers need MOM
Method: Skill, knowledge, tools, etc. with which to pull
off an attack
Opportunity: Time and access to accomplish an attack
Motive: Reason to perform an attack
Computer security/Countermeasures
Can be:
Prevention: avoid attacks from being
carried out
Detection: identify when, how & by
whom an asset has been damaged
Recovery: restore assets after the damage
Countermeasures
Five basic approaches to defense of computing systems
Prevent attack
Block attack / Close vulnerability
Deter attack
Make attack harder (can’t make it impossible)
Deflect attack
Make another target more attractive than this target
Detect attack
During or after