Download presentation
Presentation is loading. Please wait.
Published byVincent Phillips Modified over 9 years ago
1
1 An Overview of Computer Security computer security
2
2 Outline Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational Issues Human Issues computer security
3
3 Status of security in computing (in early 2000s) In terms of security, computing is very close to the wild west days. Some computing professionals & managers do not even recognize the value of the resources they use or control. In the event of a computing crime, some companies do not investigate or prosecute. computer security Has the status changed for the better?
4
4 Characteristics of Computer Intrusion A computing system: a collection of hardware, software, data, and people that an organization uses to do computing tasks Any piece of the computing system can become the target of a computing crime. The weakest point is the most serious vulnerability. The principles of easiest penetration computer security
5
5 Security Breaches - Terminology Exposure –a form of possible loss or harm Vulnerability –a weakness in the system Attack Threats –Human attacks, natural disasters, errors Control – a protective measure Assets – h/w, s/w, data computer security
6
6 Types of Security Breaches Disclosure: unauthorized access to info –Snooping Deception: acceptance of false data –Modification, spoofing, repudiation of origin, denial of receipt Disruption: prevention of correct operation –Modification, man-in-the-middle attack Usurpation: unauthorized control of some part of the system ( usurp: take by force or without right ) –Modification, spoofing, delay, denial of service computer security
7
7 Security Components Confidentiality: The assets are accessible only by authorized parties. –Keeping data and resources hidden Integrity: The assets are modified only by authorized parties, and only in authorized ways. –Data integrity (integrity) –Origin integrity (authentication) Availability: Assets are accessible to authorized parties. –Enabling access to data and resources computer security
8
8 Computing System Vulnerabilities Hardware vulnerabilities Software vulnerabilities Data vulnerabilities Human vulnerabilities ? computer security
9
9 Software Vulnerabilities Destroyed (deleted) software Stolen (pirated) software Altered (but still run) software –Logic bomb –Trojan horse –Virus –Trapdoor –Information leaks computer security
10
10 Data Security The principle of adequate protection Storage of encryption keys Software versus hardware methods computer security
11
11 Other Exposed Assets Storage media Networks Access Key people computer security
12
12 People Involved in Computer Crimes Amateurs Crackers Career Criminals computer security
13
13 Methods of Defense Encryption Software controls Hardware controls Policies Physical controls computer security
14
14 Encryption at the heart of all security methods Confidentiality of data Some protocols rely on encryption to ensure availability of resources. Encryption does not solve all computer security problems. computer security
15
15 Software controls Internal program controls OS controls Development controls Software controls are usually the 1 st aspects of computer security that come to mind. computer security
16
16 Policies and Mechanisms Policy says what is, and is not, allowed –This defines “security” for the site/system/etc. Mechanisms enforce policies Mechanisms can be simple but effective –Example: frequent changes of passwords Composition of policies –If policies conflict, discrepancies may create security vulnerabilities Legal and ethical controls –Gradually evolving and maturing computer security
17
17 Principle of Effectiveness Controls must be used to be effective. –Efficient Time, memory space, human activity, … –Easy to use –appropriate computer security
18
18 Overlapping Controls Several different controls may apply to one potential exposure. H/w control + S/w control + Data control computer security
19
19 Goals of Security Prevention –Prevent attackers from violating security policy Detection –Detect attackers’ violation of security policy Recovery –Stop attack, assess and repair damage –Continue to function correctly even if attack succeeds computer security
20
20 Trust and Assumptions Underlie all aspects of security Trust and verify vs Verify before trust? Policies –Unambiguously partition system states –Correctly capture security requirements Mechanisms –Assumed to enforce policy –Support mechanisms work correctly computer security
21
21 Types of Mechanisms secure precise broad set of reachable statesset of secure states computer security
22
22 Assurance Specification –Requirements analysis –Statement of desired functionality Design –How system will meet specification Implementation –Programs/systems that carry out design computer security
23
23 Operational Issues Cost-Benefit Analysis –Is it cheaper to prevent or to recover? Risk Analysis –Should we protect something? –How much should we protect this thing? Laws and Customs –Are desired security measures illegal? –Will people do them? computer security
24
24 Human Issues Organizational Problems –Power and responsibility –Financial benefits People problems –Outsiders and insiders –Social engineering computer security “The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education. Enacting policies and procedures simply won't suffice. Even with oversight the policies and procedures may not be effective: my access to Motorola, Nokia, ATT, Sun depended upon the willingness of people to bypass policies and procedures that were in place for years before I compromised them successfully.” — Kevin Mitnick
25
25 Tying Together Threats Policy Specification Design Implementation Operation computer security
26
26 Key Points Policy defines security, and mechanisms enforce security –Confidentiality –Integrity –Availability Trust and knowing assumptions Importance of assurance The human factor computer security
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.