Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 2013-2016 – Curt Hill Computer Security An Introduction.

Published byMarsha O’Neal’ Modified over 8 years ago

Similar presentations

Presentation on theme: "Copyright © 2013-2016 – Curt Hill Computer Security An Introduction."— Presentation transcript:

1 Copyright © 2013-2016 – Curt Hill Computer Security An Introduction

2 Introduction There are several questions that need answers: –What assets need protection? –What threats exist for these assets? –What counter measures exist for the threats? Security is a course of study all its own –All we do here is introduce the topic An insecure networked system cannot be classified as reliable Copyright © 2013-2016 – Curt Hill

3 NIST Definition National Institute of Standards and Technology defines computer security: The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data and telecommunications). Copyright © 2013-2016 – Curt Hill

4 Audience Participation What does this definition tell us? What is: –Integrity? –Availability? –Confidentiality? Copyright © 2013-2016 – Curt Hill

5 The Heart Computer security centers around these three concepts: –Integrity –Availability –Confidentiality These are also known as the CIA triangle –Failures in one often leak into others Lets unpack this a little further Copyright © 2013-2016 – Curt Hill

6 Integrity Guarding against improper modification or destruction of information System integrity is about software –System performs the functions it was designed to accomplish –We counter threats to the software itself Data integrity –Data is changed only be those authorized to do so and only in specified manners Both data and software are stored in similar ways, so there is overlap Copyright © 2013-2016 – Curt Hill

7 Availability System is available to do the work it was purchased to do –Timely and reliable access It services authorized users and denies service to those who are not One of the problems is that additional security is overhead that reduces amount of work that can be done –Although not as extreme as the availability issues of attacks Copyright © 2013-2016 – Curt Hill

8 Confidentiality Preserving authorized restrictions on information Data confidentiality –Private information is not disclosed to those who are not authorized to access it Privacy –The individuals to whom the data refers have some influence on how the data is used –Ability to correct errors in the data –Ability to limit who may use the data and for what reason Copyright © 2013-2016 – Curt Hill

9 Triangle or Pentangle? Two more concepts that figure in frequently are Authenticity and Accountability Authenticity is about the verification process of users or system –Are they actually who they say they are? Accountability is about being able to track actions in an uncompromised way – often after a security breach –We need to be able to connect each action with the one who originated the action Copyright © 2013-2016 – Curt Hill

10 Definitions Asset – something of value needing protection –Hardware or software Attack – attempt to exploit vulnerability Control – mechanism that reduces vulnerability Exposure – opportunity for loss or harm Threat – potential for an attack Vulnerability – any weakness that might allow an attack Copyright © 2013-2016 – Curt Hill

11 Levels of Impact A failure is categorized into three levels: Low – limited adverse affect –Organization is able to perform its primary function with only minor financial loss Moderate – serious adverse affect –Loss of capability or effectiveness –Damage to assets and finances High – severe or catastrophic affect –Major damage to assets –Could involve life threatening injuries Copyright © 2013-2016 – Curt Hill

12 Examples Asset – student records Attack – stolen account/password attempting to access records Control – program that checks for weak passwords vulnerability Exposure – damaged reputation Threat – guessing a password Vulnerability – weak password requirements Copyright © 2013-2016 – Curt Hill

13 Your turn In regards to VCSU, what would constitute failures of these magnitudes? –Low –Moderate –High Copyright © 2013-2016 – Curt Hill

14 The problems Computer security is complex, what are some of the problems? The underlying software is complex – small error can be exploited to a large problem To succeed the developer has to plug all holes, failure comes from only missing one that is detected Authentication requires the user to possess some secret fact – how can this be distributed? Copyright © 2013-2016 – Curt Hill

15 More problems To most users this is an annoyance, thus they do not employ good practices Security is often an afterthought to system development – a porous surface is hard to plug Continual monitoring is required, this is a budget item that requires justification Thinking about threats requires an unusual mind set Copyright © 2013-2016 – Curt Hill

16 Audience Participation You are familiar with many of these threats –What do they do? What is the danger? Infection by malware Phishing Denial of service Packet sniffers Theft of mobile devices Copyright © 2013-2016 – Curt Hill

17 Survey A survey in 2015 of 1200 businesses and institutions considered system attacks and their sources –This was a broad cross section of different industries What is shown on the next screen is the type of attack and percent of organizations that endured one or more such attacks Copyright © 2013-2016 – Curt Hill

18 Results Phishing – 68% Malware – 66% Hacking – 50% Social engineering – 46% Loss of mobile device – 44% Insider theft – 25% SQL injection – 22% Among others Copyright © 2013-2016 – Curt Hill

19 Attack Classifications Active attack – an attempt to alter resources and operation Passive – an attempt to make use of information without altering any of it Inside – usually mounted by an employee or privileged person –They know about the system and have a starting point of some authorization Outside – not the above –Ranges from high school pranks to organized crime or even governments Copyright © 2013-2016 – Curt Hill

20 Attack Types I Another way to classify attacks is in the type of access they gain Interception – gain access to the asset –While it is on the network –Using falsified authorization –Does not imply modification Interruption – disallow legitimate users from accessing the system –Denial of service attack –Ransomware encryption of data Copyright © 2013-2016 – Curt Hill

21 Attack Types II Modification – change software or data –Reduce a customer balance or change their contact information –Ransomware could be here as well Fabrication – insert false information –Bogus payments –False transfers to the bad guy’s account Copyright © 2013-2016 – Curt Hill

22 Countermeasures Any attempt to thwart an attack Prevention – predict the attack and disable in advance Detection – look for suspicious activity and unauthorized accesses Recovery – an attempt to undo the effect of an attack Copyright © 2013-2016 – Curt Hill

23 Threat Consequences Copyright © 2013-2016 – Curt Hill ConsequenceAction or attack Disclosure Exposure – sensitive data is made available Interception – access to data in transit Inference – deduce information based on what was visible Intrusion – active gaining of access Deception Masquerade – Using other’s authorization Falsification – false data to deceive authorization Repudiation – denial of an unauthorized action Disruption Incapacitation – disabling a component to damage system Corruption – modify component to alter behavior Obstruction – interrupt delivery of system services Usurpation Misappropriation – entity gains unauthorized control Misuse – modification to perform another function

24 Assets What are the things that need protection? Assets fall into several categories: –Hardware –Software –Data –Communication lines Copyright © 2013-2016 – Curt Hill

25 Assets and Example Threats Copyright © 2013-2016 – Curt Hill AvailabilityConfidentialityIntegrity HardwareTheft SoftwareDeletion of pgms Unauthorized copy of pgms Pgms modified to fail or provide unauthorized functions DataDelete filesUnauthorized access Modification of files Communication lines Messages are destroyed or mangled Messages are intercepted Messages are falsified

26 Where to start? Historically, security is an afterthought –After we get burned, we make sure we do not get burned again Enterprises now live in a world of forest fires –It is not a question of if a problem will occur, but when Therefore security should be considered in every project –Security requirements should be treated with the same level of concern as functional or usability requirements Copyright © 2013-2016 – Curt Hill

27 Risk Assessment I Identify the assets –What hardware, software and data provide support for the enterprise? Value the assets –What is the value of each asset? Assess the asset exposure –What losses would occur if asset were damaged? Identify the threats –Where are the likely dangers against this asset? Copyright © 2013-2016 – Curt Hill

28 Risk Assessment II Assess the attack –What are the ways that an attack on the asset could occur? Consider the defense –How may the asset be protected against the proposed attacks? Feasibility study –How does the cost of the defense compare with the cost of damage and likelihood of attack? Define security requirements Copyright © 2013-2016 – Curt Hill

29 Audience Participation What assets does VCSU have? What value do these assets have? What is their exposure? What are the threats? What type of attacks? What defense can be formed? Compare cost of defense and expense of damage times likelihood Copyright © 2013-2016 – Curt Hill

30 Requirements A normal component of requirements are use cases In the security domain there are misuse cases These involve ways that an attacker could misuse the system These include all the classes of threats –Interception, interruption, modification and fabrication Copyright © 2013-2016 – Curt Hill

31 Project Security Design –It is difficult to add security after the design or implementation Assurance –The quality of data must be protected from unauthorized or accidental change Authentication –Data changes must be verified to prevent incorrect access Access –Ability to control who views and uses Copyright © 2013-2016 – Curt Hill

32 Compromises Security is a necessary burden to any system It will usually slow performance and reduce usability These are usually minor issues compared to an attacker misusing the system –The stakeholders must be aware of this from the beginning Copyright © 2013-2016 – Curt Hill

33 Security Assurance Avoid vulnerabilities –A function of design Detect and eliminate attacks –The application is self-checking looking for intrusion evidence Limit and recover –Backup and recovery functions prevent data modification Copyright © 2013-2016 – Curt Hill

34 Security Policies These are enterprise-wide and layout the general goals –Should be short and readable so that all will use –Everyone should be informed This should indicate those assets that require protection and the level of protection Should make clear the responsibilities or individuals at various levels Copyright © 2013-2016 – Curt Hill

35 Some Design Guidelines Design should reflect security policy A single point of failures should be avoided Fail gracefully without exposing assets Balance usability with security Log actions of users and applications Reduce risks with redundancy and diversity Specify and check input validity Partition assets into separate areas to minimize exposure Design for backup and recovery Copyright © 2013-2016 – Curt Hill

36 Validation of Security Is hard – need to think like a hacker Use tools that may be helpful –Such as password strength testers Formal verification is good but hard to apply Form teams for the purpose of attacking the system and testing its vulnerabilities Copyright © 2013-2016 – Curt Hill

37 Finally Security will continue to be an important topic for the foreseeable future We will continue to balance: –The danger of security threats versus the ease of use problems that security requires –Cost of security versus the cost of failure and recovery Security concerns are also business concerns –Failures can be expensive Copyright © 2013-2016 – Curt Hill

Download ppt "Copyright © 2013-2016 – Curt Hill Computer Security An Introduction."

Similar presentations

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
Chapter 18: Computer and Network Security Threats

Chapter 18: Computer and Network Security Threats
Chap 1: Overview Concepts of CIA: confidentiality, integrity, and availability Confidentiality: concealment of information –The need arises from sensitive.

Chap 1: Overview Concepts of CIA: confidentiality, integrity, and availability Confidentiality: concealment of information –The need arises from sensitive.
Cryptography and Network Security Chapter 1

Cryptography and Network Security Chapter 1
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 1: Overview.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 1: Overview.
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
CSA 223 network and web security Chapter one

CSA 223 network and web security Chapter one
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
Stephen S. Yau CSE465 & CSE591, Fall 2006 1 Information Assurance (IA) & Security Overview Concepts Security principles & strategies Techniques Guidelines,

Stephen S. Yau CSE465 & CSE591, Fall Information Assurance (IA) & Security Overview Concepts Security principles & strategies Techniques Guidelines,
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
Cryptography and Network Security Overview & Chapter 1 Fifth Edition by William Stallings Lecture slides by Lawrie Brown Editied by R. Newman.

Cryptography and Network Security Overview & Chapter 1 Fifth Edition by William Stallings Lecture slides by Lawrie Brown Editied by R. Newman.
Introduction (Pendahuluan)  Information Security.

Introduction (Pendahuluan)  Information Security.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Topics in Information Security Prof. JoAnne Holliday Santa Clara University.

Topics in Information Security Prof. JoAnne Holliday Santa Clara University.
An Introduction to Information Assurance COEN 150 Spring 2007.

An Introduction to Information Assurance COEN 150 Spring 2007.
C OMPUTER S ECURITY C ONCEPTS By: Qubilah D’souza 411109 TE computer.

C OMPUTER S ECURITY C ONCEPTS By: Qubilah D’souza TE computer.
Software Dependability CIS 376 Bruce R. Maxim UM-Dearborn.

Software Dependability CIS 376 Bruce R. Maxim UM-Dearborn.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 1 “Overview”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 1 “Overview”.
Cryptography and Network Security Overview & Chapter 1 Fifth Edition by William Stallings.

Cryptography and Network Security Overview & Chapter 1 Fifth Edition by William Stallings.

Similar presentations

Ads by Google