What does “secure” mean? Protecting Valuables A computer based system has three separate valuable component: Hardware, Software and Data Attacks When you test your system, one of your job is to imagine how the system could malfunction.
Threats, Vulnerability, and Control - Only legitimate users have access to the data. - We want our security system to make sure that no data are to be disclosed to unauthorized parties. In this way we can identify weakness in the system. -A vulnerability is a weakness in the security system (Ex: Particular system is vulnerable to unauthorized data manipulation because it does not verify a users identity before allowing data access) - A threat to a computing system is a set of circumstances that has the potential to cause loss or harm.
A human who exploits (make use of) a vulnerability commits an attack on the system. -”A threat is blocked by the control of vulnerability” Threat is of four kind 1. Interception (Unauthorized access, Wiretapping) 2. Interruption ( asset is lost, unavailable) 3. Modification (changes/alteration in to database/program file) 4. Fabrication ( insert spurious transaction, add record in to database) Note: Systems vulnerabilities are useful to set security Goals
Method, Opportunity and Motive (MOM) A malicious attacker must have three things: 1. Method: the skill, knowledge, tools to pull-off the attack. 2. Opportunity: the time and access to accomplish the task. 3. Motive: a reason to want to perform attack against the system
Chapter-1 Introduction Computer Security -when we talk about “computer security” we mean that we are addressing three very important aspects of computer related system. “Confidentiality, Integrity and availability” Confidentiality: ensures that computer related assets are accessed only by authorized parties. Integrity: means that the assets can be modified only by authorized parties or in authorized ways. Availability: means that assets are accessible to authorized parties at appropriate times. That means for legitimate users access should not be prevented.
Graphically relationship between Confidentiality, Integrity and availability is shown by
Computer Criminals Most computer criminals are ordinary computer professionals. Types are: Amateurs: are normal people and not career criminals, they observe a weakness in a security system that allows them to access cash or other valuables. Crackers: - are often University Students, attempt to access unauthorized computing facilities . - trying to log-in, just to see it can be done or not. - attacks for curiosity, personal gain, or self-satisfaction Career Criminals: - The Career computer criminals begin as a computer professionals who engage in computer crime. - good prospects and pay-off
Methods of Defense. -Computer crime is going to continue Methods of Defense -Computer crime is going to continue. - For this reason we must look carefully at controls for preserving C-I-A. Controls: -Physical security in early ages (Castle, fort, strong gate, heavy walls, etc.) -Today we use strong locks on the doors and burglar alarm to secure our valuables. Different controls available are: 1. Encryption (Scrambling): data is unintelligible to the outside observer. 2. Software Controls: Program must be secure enough to prevent outside attack.
Program control includes:. -Internal program control (e. g Program control includes: -Internal program control (e.g. Access limitation) - Operating system and Network control: ( e.g. to protect one user from another ) - Independent program control: (e.g. application program such as password checker, IDS, virus scanner,etc.) - Development control: Quality standards under which a program is designed, coded and tested. 3. Hardware Controls - Smart cards with Encryption - Locks or cables limiting access - Devices to verify users identity. - Firewalls, IDS, etc.
Policies and procedures: -sometimes we can rely upon agreed upon policies and procedures among users. (e.g. such as frequent changes of password ) - Training and administration follow immediately after establishment of policies. Effectiveness of controls: use control properly and effectively . 1. Awareness of problem: People should aware of the need of security. 2. Likelihood of use: Controls must be used and used properly- to be effective. 3. Overlapping controls: Several different controls may apply to address a single vulnerability. (Sometimes overlapping control is called as layered defense)