Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 1: Introduction

Published byΣαπφώ Ηλιόπουλος Modified over 5 years ago

Similar presentations

Presentation on theme: "Chapter 1: Introduction"— Presentation transcript:

1 Chapter 1: Introduction
Components of computer security Threats Policies and mechanisms Operational Issues Human Issues

2 Basic Components (CIA)
Confidentiality: a good example is cryptography, which traditionally is used to protect secret messages. But cryptography is traditionally used to protect data, not resources. Resources are protected by limiting information, for example by using firewalls or address translation mechanisms. Integrity: a good example here is that of an interrupted database transaction, leaving the database in an inconsistent state (this foreshadows the Clark-Wilson model). Trustworthiness of both data and origin affects integrity, as noted in the book’s example. That integrity is tied to trustworthiness makes it much harder to quantify than confidentiality. Cryptography provides mechanisms for detecting violations of integrity, but not preventing them (e.g., a digital signature can be used to determine if data has changed). Availability: this is usually defined in terms of “quality of service,” in which authorized users are expected to receive a specific level of service (stated in terms of a metric). Denial of service attacks are attempts to block availability.

3 Integrity Data integrity (integrity, correctness)
Origin integrity (authentication, trustworthiness) Confidentiality: a good example is cryptography, which traditionally is used to protect secret messages. But cryptography is traditionally used to protect data, not resources. Resources are protected by limiting information, for example by using firewalls or address translation mechanisms. Integrity: a good example here is that of an interrupted database transaction, leaving the database in an inconsistent state (this foreshadows the Clark-Wilson model). Trustworthiness of both data and origin affects integrity, as noted in the book’s example. That integrity is tied to trustworthiness makes it much harder to quantify than confidentiality. Cryptography provides mechanisms for detecting violations of integrity, but not preventing them (e.g., a digital signature can be used to determine if data has changed). Availability: this is usually defined in terms of “quality of service,” in which authorized users are expected to receive a specific level of service (stated in terms of a metric). Denial of service attacks are attempts to block availability.

4 Text Encryption & Image Encryption
WSU, OH, USA 10/16/2019 Text Encryption & Image Encryption Encrypt text information in music score, each note corresponds to a letter. --- Schott (1608 – 1666) Image Encryption with SCAN (Bourbakis) IDPT 2005

5 Information Hiding - Examples
APPARENTLY NEUTRAL’S PROTEST IS THOROUGHLY DISCOUNTED AND IGNORED. ISMAN HARD HIT. BLOCKADE ISSUE AFFECTS PRETEXT FOR EMBARGO ON BY-PRODUCTS, EJECTING SUETS AND VEGETABLE OILS. A message sent by a spy in World War II. PERSHING SAILS FROM NY JUNE 1. Extract the second letter from each word.

6 Information Hiding - Examples
(Maniccam & Bourbakis)

7 Classes of Threats Threat: potential violation of security;
Attack: the actual violation; Attacker: people who execute the violation; Snooping : an example is passive wiretapping, where the attacker monitors communications. Modification: an example is active wiretapping, where the attacker injects something into a communication or modifies parts of the communication. Modification is sometimes called alteration. Spoofing: delegation is basically authorized spoofing. The difference is that the ones to which authority is delegated does not impersonate the delegator; she simply asserts authority to act as an agent for the delegator. Delay: Denial of service: this may not be due to an attack, but due to limits of resources. However, the effect here is critical. If you define security in terms of what users need to access, the inability to access is a security problem regardless of whether the reason is intentional (an attack) or unintentional (not an attack).

8 Classes of Threats Disclosure: unauthorized access to information
Deception: acceptance of false data Disruption: interruption or prevention of correct operation Usurpation: unauthorized control of a part of a system Snooping : an example is passive wiretapping, where the attacker monitors communications. Modification: an example is active wiretapping, where the attacker injects something into a communication or modifies parts of the communication. Modification is sometimes called alteration. Spoofing: delegation is basically authorized spoofing. The difference is that the ones to which authority is delegated does not impersonate the delegator; she simply asserts authority to act as an agent for the delegator. Delay: Denial of service: this may not be due to an attack, but due to limits of resources. However, the effect here is critical. If you define security in terms of what users need to access, the inability to access is a security problem regardless of whether the reason is intentional (an attack) or unintentional (not an attack).

9 Policies and Mechanisms
Policy: may be expressed in natural language, which is usually imprecise but easy to understand; mathematics, which is usually precise but hard to understand; policy languages, which look like some form of programming language and try to balance precision with ease of understanding Mechanisms: may be technical, in which controls in the computer enforce the policy; for example, the requirement that a user supply a password to authenticate herself before using the computer procedural, in which controls outside the system enforce the policy; for example, firing someone for ringing in a disk containing a game program obtained from an untrusted source The composition problem requires checking for inconsistencies among policies. If, for example, one policy allows students and faculty access to all data, and the other allows only faculty access to all the data, then they must be resolved (e.g., partition the data so that students and faculty can access some data, and only faculty access the other data).

10 Goals of Security Prevention is ideal, because then there are no successful attacks. Detection occurs after someone violates the policy. The mechanism determines that a violation of the policy has occurred (or is underway), and reports it. The system (or system security officer) must then respond appropriately. Recovery means that the system continues to function correctly, possibly after a period during which it fails to function correctly. If the system functions correctly always, but possibly with degraded services, it is said to be intrusion tolerant. This is very difficult to do correctly; usually, recovery means that the attack is stopped, the system fixed (which may involve shutting down the system for some time, or making it unavailable to all users except the system security officers), and then the system resumes correct operations.

11 Types of Mechanisms A reachable state is one that the computer can enter. A secure state is a state defined as allowed by the security policy. The left figure shows a secure system: all reachable states are in the set of secure states. The system can never enter (reach) a non-secure state, but there are secure states that the system cannot reach. The middle figure shows a precise system: all reachable states are secure, and all secure states are reachable. Only the non-secure states are unreachable. The right figure shows a broad system. Some non-secure states are reachable. This system is also not secure.

Download ppt "Chapter 1: Introduction"

Similar presentations

Network Security Chapter 1 - Introduction.

Network Security Chapter 1 - Introduction.
Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
September 10, 2012Introduction to Computer Security ©2004 Matt Bishop Slide #1-1 Chapter 1: Introduction Components of computer security Threats Policies.

September 10, 2012Introduction to Computer Security ©2004 Matt Bishop Slide #1-1 Chapter 1: Introduction Components of computer security Threats Policies.
Chap 1: Overview Concepts of CIA: confidentiality, integrity, and availability Confidentiality: concealment of information –The need arises from sensitive.

Chap 1: Overview Concepts of CIA: confidentiality, integrity, and availability Confidentiality: concealment of information –The need arises from sensitive.
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
1 cs691 chow C. Edward Chow Overview of Computer Security CS691 – Chapter 1 of Matt Bishop.

1 cs691 chow C. Edward Chow Overview of Computer Security CS691 – Chapter 1 of Matt Bishop.
EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
1 Overview CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 8, 2004.

1 Overview CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 8, 2004.
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational Issues Human Issues Computer.

Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational Issues Human Issues Computer.
Security 3 Distributed Systems Lecture # 16. Overview Steganography Digital Watermarking.

Security 3 Distributed Systems Lecture # 16. Overview Steganography Digital Watermarking.
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.
July 1, 2004Computer Security: Art and Science ©2002-2004 Matt Bishop Slide #1-1 Chapter 1: Introduction Components of computer security Threats Policies.

July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #1-1 Chapter 1: Introduction Components of computer security Threats Policies.
Stephen S. Yau CSE465 & CSE591, Fall 2006 1 Information Assurance (IA) & Security Overview Concepts Security principles & strategies Techniques Guidelines,

Stephen S. Yau CSE465 & CSE591, Fall Information Assurance (IA) & Security Overview Concepts Security principles & strategies Techniques Guidelines,
April 1, 2004ECS 235Slide #1 Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational.

April 1, 2004ECS 235Slide #1 Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational.
Steganography Rayan Ghamri.

Steganography Rayan Ghamri.
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
1 CSE 651: Introduction to Network Security Steve Lai Spring 2010.

1 CSE 651: Introduction to Network Security Steve Lai Spring 2010.

Similar presentations

Ads by Google