Computer Security

CIS326 Dr Rachel Shipsey


This course will cover the following topics: • • • • • • •

passwords access controls symmetric and asymmetric encryption confidentiality authentication and certification security for electronic mail key management

A Very Short Introduction by Fred Piper and Sean Murphy • Practical Cryptography by Niels Ferguson and Bruce Schneier 3 .The following books are recommended as additional reading to the CIS326 study guide • • • • • Computer Security by Dieter Gollman Secrets and Lies by Bruce Schneier Security in Computing by Charles Pfleeger Network Security Essentials by William Stallings Cryptography .

the following website provides links to a large number of sites who have security and cryptography course on-line: http://avirubin.There are also many websites dealing with the subjects discussed in this 4 . For example.

The three main aspects are: • prevention • detection • re-action 5 .What is Security? Security is the protection of assets.

but you still have it • Confidential information may be copied and sold .Some differences between traditional security and information security • Information can be stolen .but the theft might not be detected • The criminals may be on the other side of the world 6 .

Computer Security deals with the prevention and detection of unauthorised actions by users of a computer system. 7 .

There is no single definition of security What features should a computer security system provide? 8 .

• Confidentiality might be important for military.Confidentiality • The prevention of unauthorised disclosure of information. • Confidentiality is keeping information secret or private. business or personal reasons. 9 .

• Integrity means that there is an external consistency in the system . 10 .Integrity • Integrity is the unauthorised writing or modification of information.everything is as it is expected to be. • Data integrity means that the data stored on a computer is the same as the source documents.

Availability • Information should be accessible and useable upon appropriate demand by an authorised user. • Denial of service attacks are a common form of attack. 11 . • Availability is the prevention of unauthorised withholding of information.

• Non-repudiation is often implemented by using digital signatures.Non-repudiation • Non-repudiation is the prevention of either the sender or the receiver denying a transmitted message. 12 . • A system must be able to prove that certain messages were sent and received.

• Authentication may be obtained by the provision of a password or a scan of your retina. 13 . where you say you are.Authentication • Proving that you are who you say you are. at the time you say it is.

Access Controls • The limitation and control of access through identification and authentication. 14 . • In a large system there may be a complex structure determining which users and applications have access to which objects. • A system needs to be able to indentify and authenticate users for access to data. applications and hardware.

• Audit trails must be selectively kept and protected so that actions affecting security can be traced back to the responsible party 15 .Accountability • The system managers are accountable to scrutiny from outside.

It also requires security conscious personnel who respect the procedures and their role in the system.Security systems • A security system is not just a computer package. • Conversely. a good security system should not rely on personnel having security expertise. 16 .

often clumsy.Risk Analysis • The disadvantages of a security system are that they are time-consuming. costly. 17 . • Risk analysis is the study of the cost of a particular system against the benefits of the system. and impede management and smooth running of the organisation.

Designing a Security System There are a number of design considerations: • Does the system focus on the data. operating system or applications package? • Should it be simple or sophisticated? • In a distributed system. operations or the users of the system? • What level should the security system operate from? Should it be at the level of hardware. should the security be centralised or spread? • How do you secure the levels below the level of the security system? 18 .

19 .Security Models A security model is a means for formally expressing the rules of the security policy in an abstract detached way. The model should be: • easy to comprehend • without ambiguities • possible to implement • a reflection of the policies of the organisation.

access control. nonrepudiation. authentication. detection and re-action) • What a computer security system does (confidentiality. availability. implement and evaluate security systems) 20 . integrity.Summary By now you should have some idea about • Why we need computer security (prevention. accountability) • What computer security exerts do (design.

Sign up to vote on this title
UsefulNot useful