Computer Security Introduction

cheng

Presentation Transcript


  1. Computer Security Introduction

  2. Basic Components
     • Confidentiality: Concealment of information (prevent unauthorized disclosure of information).
     • Integrity: Trustworthiness of data/resources (prevent unauthorized modifications).
       • Data integrity
       • Origin integrity (authentication)
     • Availability: Ability to use information/resources (prevent unauthorized withholding of information/resources).

  3. Basic Components
     Additionally: authenticity, accountability, reliability, safety, dependability, survivability ...

  4. Confidentiality
     Historically, security is closely linked to secrecy. Security involved a few organizations dealing mainly with classified data. However, nowadays security extends far beyond confidentiality.
     Confidentiality involves:
     • privacy: protection of private data,
     • secrecy: protection of organizational data.

  5. Integrity
     “Making sure that everything is as it is supposed to be.”
     For Computer Security this means: preventing unauthorized writing or modifications.

  6. Availability
     For Computer Systems this means that services are accessible and usable (without undue delay) whenever needed by an authorized entity.
     For this we need fault-tolerance. Faults may be accidental or malicious (Byzantine). Denial of Service attacks are an example of malicious attacks.

  7. Relationship between Confidentiality, Integrity and Availability
     [Figure: diagram labelled Confidentiality, Integrity, Availability and Secure]

  8. Other security requirements
     • Reliability – deals with accidental damage,
     • Safety – deals with the impact of system failure on the environment,
     • Dependability – reliance can be justifiably placed on the system,
     • Survivability – deals with the recovery of the system after massive failure.
     • Accountability – actions affecting security must be traceable to the responsible party. For this,
       • Audit information must be kept and protected,
       • Access control is needed.

  9. Basic Components
     • Threats – potential violations of security
     • Attacks – violations
     • Attackers – those who execute the violations

  10. Threats
     • Disclosure or unauthorized access
     • Deception or acceptance of falsified data
     • Disruption or interruption or prevention
     • Usurpation or unauthorized control

  11. More threats
     • Snooping (unauthorized interception)
     • Modification or alteration
     • Active wiretapping
     • Man-in-the-middle attacks
     • Masquerading or spoofing
     • Repudiation of origin
     • Denial of receipt
     • Delay
     • Denial of Service

  12. Policy and Mechanisms
     • A security policy is a statement of what is / is not allowed.
     • A security mechanism is a method or tool that enforces a security policy.

  13. Assumptions of trust
     Let
     • P be the set of all possible states of a system
     • Q be the set of secure states
     A mechanism is secure if P ⊆ Q
     A mechanism is precise if P = Q
     A mechanism is broad if there are states in P which are not in Q

  14. Assurance
     Trust cannot be quantified precisely. System specifications, design and implementation can provide a basis for how much one can trust a system. This is called assurance.

  15. Goals of Computer Security
     Security is about protecting assets. This involves:
     • Prevention
     • Detection
     • Reaction (recover/restore assets)

  16. Computer Security
     How to achieve Computer Security:
     • Security principles/concepts: explore general principles/concepts that can be used as a guide to design secure information processing systems.
     • Security mechanisms: explore some of the security mechanisms that can be used to secure information processing systems.
     • Physical/Organizational security: consider physical & organizational security measures (policies).

  17. Computer Security
     Even at this general level there is disagreement on the precise definitions of some of the required security aspects.
     References:
     • Orange book – US Dept of Defense, Trusted Computer System Evaluation Criteria.
     • ITSEC – European Trusted Computer System Product Criteria.
     • CTCPEC – Canadian Trusted Computer System Product Criteria.

  18. Fundamental Dilemma: Functionality or Assurance
     • Security mechanisms need additional computational
     • Security policies interfere with working patterns, and can be very inconvenient.
     • Managing security requires additional effort and costs.
     • Ideally there should be a tradeoff.

  19. Operational issues
     • Cost-benefit analysis
       • Example: a database with salary info, which is used by a second system to print pay checks
     • Risk analysis
     • Environmental dependence
     • Time dependence
     • Remote risk

  20. Laws and Customs
     • Export controls
     • Laws of multiple jurisdiction
     • Human issues
     • Organizational problems (who is responsible for what)
     • People problems (outsiders/insiders)

  21. Tying it all together: how ????
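
Slide 13's secure / precise / broad definitions applied to a small constructed system, as an added example that is not part of the original slides. It assumes P is read as the set of states the mechanism lets the system enter; the file, the users, the policy and the three mechanisms are hypothetical.

```python
from itertools import product

# Constructed toy system: a state is (alice_read, bob_read, bob_write) on one file.
ALL_STATES = set(product([False, True], repeat=3))

def states_where(predicate):
    """Return the subset of ALL_STATES for which the predicate holds."""
    return {s for s in ALL_STATES if predicate(s)}

def classify(P, Q):
    """Apply slide 13's definitions to mechanism states P and secure states Q."""
    if P == Q:
        return "precise"
    if P <= Q:              # set subset test: every state in P is in Q
        return "secure"
    return "broad"          # some state in P is not in Q

def violations(P, Q):
    """States the mechanism permits although the policy forbids them."""
    return sorted(P - Q)

def overblocked(P, Q):
    """Secure states the mechanism refuses anyway (lost functionality, slide 18)."""
    return sorted(Q - P)

# Hypothetical policy: Bob must never be able to write the file.
def policy(state):
    _alice_read, _bob_read, bob_write = state
    return not bob_write

# Three hypothetical mechanisms of different strictness.
def deny_bob_everything(state):
    _alice_read, bob_read, bob_write = state
    return not bob_read and not bob_write

def deny_bob_write(state):
    return not state[2]

def no_enforcement(state):
    return True

Q = states_where(policy)   # Q: the secure states

if __name__ == "__main__":
    for mech in (deny_bob_everything, deny_bob_write, no_enforcement):
        P = states_where(mech)
        print(f"{mech.__name__:20} {classify(P, Q):8} "
              f"violations={len(violations(P, Q))} overblocked={len(overblocked(P, Q))}")
```

The secure-but-not-precise mechanism shows the cost named on slide 18: it admits no insecure state, but it also blocks states the policy would have allowed.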
