
CHAPTER 1

Is there a Security Problem in Computing?

(c) by Syed Ardi Syed Yahya Kamal, UTM 2004

SECURE means
Protecting valuables.
Computer-related assets, not gold and money.
Protecting money vs. protecting information.


SECURE means (cont)


Characteristic: Size and portability
  Bank Protecting Money: Sites storing money are large, not portable. Buildings need guards, etc.
  People Protecting Information: Sites storing info are very small and portable. Physical devices fit in a briefcase.

Characteristic: Ability to avoid physical contact
  Bank Protecting Money: Difficult. A criminal can carry it away from the bank's premises.
  People Protecting Information: Simple. Information is handled electronically.

Characteristic: Value of assets
  Bank Protecting Money: Very high.
  People Protecting Information: Variable, from very high to very low.

Characteristics of Computer Intrusion


Targets of crime: hardware, software, storage media, data and people.
Do not assume that some parts of a computing system are not valuable to an outsider (money or information?).
Any system is most vulnerable at its weakest point.


Characteristics of Computer Intrusion (cont)

Principle of Easiest Penetration


An intruder must be expected to use any available means of penetration. The penetration may not necessarily be by the most obvious means, nor is it necessarily the one against which the most solid defense has been installed.

ATTACKS
When we test any computer system, we need to imagine how the system could malfunction. Then we improve the system's design so that the system can withstand any of the problems that we have identified.


Threats, Vulnerabilities and Control


Three valuable components: hardware, software and data.
Vulnerability: a weakness in the security system, for example in procedures, design or implementation, that might be exploited to cause loss or harm.
Data manipulation user identity.


Threats, Vulnerabilities and Control (cont)


Threat: a set of circumstances that has the potential to cause loss or harm. Human-initiated, computer-initiated and also natural disasters, for example a flood.
Control: an action, device, procedure or technique that removes or reduces the vulnerability.


Threats, Vulnerabilities and Control (cont)

A threat is blocked by control of a vulnerability.


Threats, Vulnerabilities and Control (cont)


4 kinds of threat:
Interception: some unauthorized party has gained access to an asset. Example: illicit copying of a program or a computing system.
Interruption: an asset of the system becomes lost, unavailable or unusable. Example: erasure of a data file or malfunction of an operating system.

Threats, Vulnerabilities and Control (cont)


Modification: an unauthorized party not only accesses but tampers with an asset. Example: changing the values in a database.
Fabrication: an intruder inserts spurious transactions into an existing computing system. Example: forgeries.
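
A detection control for three of the four threat kinds, as an added example that is not part of the original slides: each record in a log carries a sequence number and an HMAC tag, and an audit labels what it finds as modification, fabrication or interruption. The key, the record format and the record count known to the auditor are assumptions; interception leaves the log unchanged, so this check cannot see it.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: secret shared by writer and auditor

def tag(seq, payload):
    """HMAC-SHA256 over the sequence number and the payload."""
    return hmac.new(KEY, f"{seq}|{payload}".encode(), hashlib.sha256).hexdigest()

def seal(payloads):
    """Writer side: number records from 1 and attach a tag to each."""
    return [(i, p, tag(i, p)) for i, p in enumerate(payloads, start=1)]

def audit(records, expected_count):
    """Label damage to a sealed log with the threat kinds from the slides."""
    present, rest, findings = set(), [], []
    # Pass 1: accept records whose tag verifies and whose slot is still free.
    for seq, payload, t in records:
        ok = hmac.compare_digest(t, tag(seq, payload))
        if ok and 1 <= seq <= expected_count and seq not in present:
            present.add(seq)
        else:
            rest.append(seq)
    # Pass 2: everything else is an altered record or a spurious one.
    for seq in rest:
        if 1 <= seq <= expected_count and seq not in present:
            findings.append(("modification", seq))  # slot exists, content changed
            present.add(seq)
        else:
            findings.append(("fabrication", seq))   # duplicate or out-of-range record
    # Pass 3: slots that never showed up were lost or erased.
    for seq in range(1, expected_count + 1):
        if seq not in present:
            findings.append(("interruption", seq))
    return findings

def demo():
    """Constructed sample: alter record 2, erase record 3, forge record 5."""
    log = seal(["pay A 10", "pay B 20", "pay C 30", "pay D 40"])
    log[1] = (2, "pay B 9000", log[1][2])    # value changed, old tag kept
    del log[2]                               # record 3 removed
    log.append((5, "pay X 999", "00" * 32))  # spurious record with a made-up tag
    return audit(log, expected_count=4)

if __name__ == "__main__":
    print(demo())
```
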


Attacker syndrome
MOM syndrome
Method: the skills, knowledge, tools and other things with which to be able to pull off the attack.
Opportunity: the time and access to accomplish the attack.
Motive: a reason to want to perform this attack against this system.

The Meaning of Computer Security


Confidentiality: ensures that computer-related assets are accessed only by authorized parties. It is sometimes called secrecy or privacy.
Integrity: assets can be modified only by authorized parties or only in authorized ways.
Availability: assets are accessible to authorized parties at appropriate times. Also known by its opposite, denial of service.

Computer Criminals
Amateurs: have committed most of the computer crimes reported to date.
Ordinary computer professionals or users.
When they become disgruntled, they vow to get even with management by wreaking havoc on a computing installation.


Computer Criminals (cont)


Crackers: often high school or university students who attempt to access computing facilities for which they have not been authorized.
It is seen as the ultimate victimless crime.
They enjoy the simple challenge of trying to log in, just to see whether it can be done.
There is no common profile or motivation for these attackers.

Computer Criminals (cont)


Career criminals: understand the target of computer crime.
There is some evidence that organized crime and international groups are engaging in computer crime.
Some companies are reticent to prosecute computer criminals.


Methods of Defense : Concepts


Prevent it, by blocking the attack or closing the vulnerability.
Deter it, by making the attack harder, but not impossible.
Deflect it, by making another target more attractive.
Detect it, either as it happens or some time after the fact.
Recover from its effects.

Methods of Defense : The Methods


Controls: strong gate or door.
Encryption: scrambling process.
Software Controls: OS and development controls.
Hardware Controls: firewalls, intrusion detection systems.
Policies and Procedures: codes of ethics.
Physical Controls: door locks, backups.

Methods of Defense : Effectiveness

Awareness of Problem
Likelihood of Use
Overlapping Controls
Periodic Review
