Introduction to Computer Security. Dr. Shahriar Bijani Shahed University. Slide References. Matt Bishop, Computer Security: Art and Science, the author homepage, 2004.
Introduction to Computer Security Dr. Shahriar Bijani Shahed University
Slide References • Matt Bishop, Computer Security: Art and Science, the author homepage, 2004. • Michael E. Whitman, Principles of Information Security: Chapter 1: Introduction to Information Security, 4/e, 2011. • Chris Clifton, CS 526: Information Security course, Purdue University, 2010. • Patrick Traynor, CS 8803 - Cellular and Mobile Network Security, Georgia Tech, 2012.
What is Security? Security /sɪˈkjʊərɪti/ noun • the state of being free from danger or threat. • synonyms: certainty, safe future, assured future, safety, reliability, dependability, solidness, soundness
What is Security? • A successful organization should have multiple layers of security in place: • Physical security: to protect the physical items, objects, or areas of an organization from unauthorized access and misuse. • Personal security: to protect the authorized individual (or group of individuals). • Operations security: to protect the details of a particular operation or series of activities. • Communications security: to protect an organization’s communications media, technology, and content. • Network security: to protect networking components, connections, and contents. • Information security
Basic Components • An Information System is secure if it supports CIA: • Confidentiality • Keeping data and resources hidden • Integrity • Data integrity (integrity) • Origin integrity (authentication) • Availability • Enabling access to data and resources The CIA triangle
The History of Information Security • Began immediately following the development of the first mainframes • Developed for code-breaking computations • During World War II • Multiple levels of security were implemented • Physical controls • Elementary • Mainly composed of simple document classification • Defending against physical theft, espionage, and sabotage
The 1960s • Original communication by mailing tapes • Advanced Research Projects Agency (ARPA) • Examined feasibility of networked communications • Larry Roberts developed ARPANET • Plan • Link computers • Resource sharing • Link 17 Computer Research Centers • Cost $3.4M • ARPANET is the predecessor to the Internet
The 1970s and 80s • ARPANET grew in popularity • Potential for misuse grew • Fundamental problems with ARPANET security • Individual remote sites were not secure from unauthorized users • Vulnerability of password structure and formats • No safety procedures for dial-up connections to ARPANET • Non-existent user identification and authorization to system
The 1970s and 80s … • Rand Report R-609 • Paper that started the study of computer security • Information Security as we know it began • Scope of computer security grew from physical security to include: • Safety of data • Limiting unauthorized access to data • Involvement of personnel from multiple levels of an organization
The 1990s • Networks of computers became more common • Need to interconnect networks grew • Internet became first demonstration of a global network of networks • Initially based on de-facto standards • In early Internet deployments, security was treated as a low priority
2000 to Present • Millions of computer networks communicate • Much of the communication is unsecured • Ability to secure a computer’s data is influenced by the security of every computer to which it is connected • Growing threat of cyber attacks has increased the need for improved security
Challenges of computer security • Computer security is not simple • One must consider potential (unexpected) attacks • Must decide where to deploy mechanisms • Involves algorithms and secret info (keys) • A battle between attacker / admin • Its benefit is not perceived until it fails • Requires constant monitoring • Too often incorporated after the design is complete (not integral) • Regarded as a barrier to using the system
Key Information Security Concepts • Access • Adversary • Asset • Attack • Control, Safeguard, or Countermeasure • Exploit • Exposure • Hack • Loss • Nonrepudiation • Subjects / Objects • Risk • Threat • Vulnerability
Key Information Security Concepts • Computer can be subject or object of an attack • When the subject of an attack • An active tool to conduct attack • When the object of an attack • An entity being attacked Source: Principles of Information Security, 4th Edition
Information Security vs. Access • Perfect security is impossible • Security is a process • Security should be considered a balance between protection and availability • Must allow reasonable access, yet protect against threats
Information Security vs. Access Source: Principles of Information Security, 4th Edition
Vulnerabilities Principles of Information Security, 4/e
Threats • A threat is a potential violation of security.
Classes of Threats • Interruption (Disruption) • Interruption or prevention of correct operation • DoS attack: Denial of Service • Interception / Disclosure • Unauthorized access to information • Snooping: the unauthorized interception of information • Modification • An unauthorized party not only gains access to but also modifies an asset. • Masquerading or spoofing: an impersonation of one entity by another. • Fabrication • An unauthorized party inserts fake objects into the system.
Adversary • An adversary is anyone attempting to bypass the security infrastructure. • The curious and generally inexperienced (e.g., script-kiddies) • Unintended attackers seeking to understand systems • Malicious and terrorist groups • Competitors (industrial espionage) • Governments
Attack • An attack occurs when someone attempts to exploit a vulnerability • Types of attacks • Passive (e.g., eavesdropping) • Active (e.g., password guessing, DoS) • A compromise occurs when an attack is successful
Trust • Trust • The degree to which an entity is expected to behave. • Trust is a particular level of the subjective probability with which an agent assesses that another agent will perform a particular action in a context that affects his actions [Gambetta, 1990] • Reputation • Expectation about an entity’s behavior based on past behavior [Abdul-Rahman, 2000] • May be used to determine trust
Trust Management • Trust Management as a countermeasure: • Trust relationships between peers help establish confidence • Two types of trust management systems • Credential and Policy-based • Reputation-based
Security Model • A security model is the combination of a trust model and a threat model that addresses the set of perceived risks • The “security requirements” used to develop some cogent and comprehensive design • Every design must have a security model • LAN network or global information system? Java applet or operating system? • The single biggest mistake seen in the use of security is the lack of a coherent security model • It is very hard to retrofit security (design time) • This class is going to talk a lot about security models • What are the security concerns (risks)? Threats? • Who are our adversaries? • Who do we trust and to do what? • Systems must be explicit about these things to be secure
Policies and Mechanisms • Policy says what is, and is not, allowed • This defines “security” for the site/system/etc. • Mechanisms enforce policies • Composition of policies • If policies conflict, inconsistencies may create security vulnerabilities
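The composition problem on this slide, as an added example (not part of the original slides): two policies are merged, the requests they disagree on are listed, and two enforcement mechanisms are shown resolving the same conflict differently. The policy names, subjects, and objects are constructed for illustration.

```python
"""Added example: composing two access policies and finding where they disagree."""

ALLOW, DENY = "allow", "deny"

# Constructed sample policies (hypothetical departments, not from the slides).
# Each rule maps (subject, object, action) -> decision; unlisted requests are undecided.
HR_POLICY = {
    ("hr_staff", "payroll.db", "read"): ALLOW,
    ("hr_staff", "payroll.db", "write"): ALLOW,
    ("contractor", "payroll.db", "read"): DENY,
}
IT_POLICY = {
    ("hr_staff", "payroll.db", "write"): DENY,  # IT: only the payroll app may write
    ("contractor", "payroll.db", "read"): DENY,
    ("it_admin", "payroll.db", "read"): ALLOW,
}

def compose(*policies):
    """Classify every request mentioned by any policy as agreed or conflicting."""
    report = {"agreed": {}, "conflict": []}
    for request in sorted(set().union(*policies)):
        decisions = {p[request] for p in policies if request in p}
        if len(decisions) > 1:
            report["conflict"].append(request)  # one policy allows, another denies
        else:
            report["agreed"][request] = decisions.pop()
    return report

def first_match(request, *policies):
    """Mechanism 1: the first policy that mentions the request wins; default deny."""
    for p in policies:
        if request in p:
            return p[request]
    return DENY

def deny_overrides(request, *policies):
    """Mechanism 2: any deny wins; an allow needs at least one allow and no deny."""
    decisions = [p[request] for p in policies if request in p]
    return ALLOW if decisions and DENY not in decisions else DENY

if __name__ == "__main__":
    for req in compose(HR_POLICY, IT_POLICY)["conflict"]:
        print("conflict:", req,
              "| first_match(HR, IT) =", first_match(req, HR_POLICY, IT_POLICY),
              "| first_match(IT, HR) =", first_match(req, IT_POLICY, HR_POLICY),
              "| deny_overrides =", deny_overrides(req, HR_POLICY, IT_POLICY))
```

With first-match evaluation, the outcome of the conflicting request depends only on the order in which the policies are loaded, which is the kind of inconsistency the slide describes.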
Trust and Assumptions • Underlie all aspects of security • Policies • Unambiguously partition system states • Correctly capture security requirements • Mechanisms • Assumed to enforce policy • Support mechanisms work correctly
Goals of Security • Prevention • Prevent attackers from violating security policy • Detection • Detect attackers’ violation of security policy • Recovery • Stop attack, assess and repair damage • Continue to function correctly even if attack succeeds