UNIT-4 Computer Security Classification 2 Online Security Issues Overview Computer security – The protection of assets from unauthorized access, use,


2 UNIT-4 Computer Security Classification

3 Online Security Issues Overview
Computer security – The protection of assets from unauthorized access, use, alteration, or destruction
Physical security – Includes tangible protection devices
Logical security – Protection of assets using nonphysical means
Threat – Any act or object that poses a danger to computer assets

4 Three Scenarios (12/15/00, EMTM 553)
Alice buys a book from Bob’s book store.
Inter-corporate trading for Charlie’s Plastic Company.
Daisy electronic market.

5 Additional Issues to Focus On
Accountability -- Security-relevant activities on a system can be traced to individuals who may be held responsible for their actions
Availability -- System resources are safeguarded from tampering and are available for authorized users at the time and in the format needed
Access Control -- Access to the system resources is limited to authorized individuals, entities, or processes
Confidentiality -- Information is not accessed by or disclosed to unauthorized individuals, entities, or processes
Identification and Authentication -- Verification that the originator of a transaction is the originator
Integrity -- Information is not undetectably altered or destroyed by an unauthorized person or process
Non-repudiation -- Undeniable proof of participation by the sender and/or receiver in a transaction
Privacy -- Individual rights to nondisclosure

6 Managing Risk
Countermeasure – General name for a procedure that recognizes, reduces, or eliminates a threat
Eavesdropper – Person or device that can listen in on and copy Internet transmissions
Crackers or hackers – Write programs or manipulate technologies to obtain unauthorized access to computers and networks

7 Risk Management Models

8 What are the issues?
Accountability -- Security-relevant activities on a system can be traced to individuals who may be held responsible for their actions
Availability -- System resources are safeguarded from tampering and are available for authorized users at the time and in the format needed
Access Control -- Access to the system resources is limited to authorized individuals, entities, or processes
Confidentiality -- Information is not accessed by or disclosed to unauthorized individuals, entities, or processes
Identification and Authentication -- Verification that the originator of a transaction is the originator
Integrity -- Information is not undetectably altered or destroyed by an unauthorized person or process
Non-repudiation -- Undeniable proof of participation by the sender and/or receiver in a transaction
Privacy -- Individual rights to nondisclosure

9 What is Security?
Dictionary Definition: protection or defense against attack, interference, espionage, etc.
Computer Security Classification:
– Confidentiality (or Secrecy): Protecting against unauthorized data disclosure and ensuring the authenticity of the data’s source
– Integrity: Preventing unauthorized data modification
– Availability (or Necessity): Preventing data delays or denials (removal)

10 Goals of Security
[Figure: data integrity, data availability, data confidentiality. Source: GUNTER]

11 Computer Security Classification
Secrecy/Confidentiality – Protecting against unauthorized data disclosure and ensuring the authenticity of the data’s source
Privacy – The ability to ensure the use of information about oneself
Integrity – Preventing unauthorized data modification by an unauthorized party
Necessity – Preventing data delays or denials (removal)

12 Computer Security Classification
Nonrepudiation – Ensure that e-commerce participants do not deny (i.e., repudiate) their online actions
Authenticity – The ability to identify the identity of a person or entity with whom you are dealing on the Internet

