1
CIS/TCOM 551 Computer and Network Security
Slide Set 2
Carl A. Gunter, Spring 2004
2
Introduction to Security
- Goals
  - Availability
  - Integrity
  - Confidentiality
- Targets
  - Hardware
  - Software
  - Data
- Controls
  - Physical security
  - Limited interface
  - Identification and authorization
  - Encryption
- Analysis of costs and benefits
3
Progress and Risk
- Risk = (Probability of failure) * (Size of loss)
- Safety-critical considerations
  - Dutch port authority
  - RER train
  - Software in automobiles
  - Intelligent highways
4
Progress and Risk, cont.
- Security-critical considerations
  - Credit card purchases on the web
  - Voting on the web
  - Banking on the web
  - Mobile agents and active networks
- Safety and security considerations
  - Military systems, e.g. Star Wars
  - Actuators on public networks
5
Security Requirements
- Banking
- Government
- Public Telecommunications Carriers
- Corporate / Private Networks
- Electronic Commerce
Ref: Computer Communications Security, W. Ford, 94.
6
Banking
- Electronic Funds Transfer (EFT)
  - Prosecution of fraud problematic
  - Financial system overall at risk
- Automated Teller Machine (ATM)
7
Automatic Teller Machines
- Goals
  - Availability: provide automated teller operations 24x7 in convenient locations
  - Integrity: authorized users only, transactional guarantees
  - Confidentiality: private communication with branches or center
- Vulnerabilities and controls
- Risk analysis and liabilities
8
Government
- National security of course, but also
- “Unclassified but sensitive information” must not be disclosed
  - Example: social security web page
- Electronic signatures approved for government contractors
9
Public Telecom Carriers
- Operations, Administration, Maintenance, and Provisioning (OAM&P)
- Availability is a key concern
- Significant insider risks
10
Corporate Private Networks
- Completely private networks are becoming a thing of the past because of telecommuting.
- Protection of proprietary information of course, but also concerns like privacy in the health care industry.
- Foreign government threat?
11
Electronic Commerce
- Electronic Data Interchange (EDI)
- Electronic contracts need to be binding
- ABA Resolution: “recognize that information in electronic form, where appropriate, may be considered to satisfy legal requirements regarding a writing or signature to the same extent as information on paper or in other conventional forms, when appropriate security techniques, practices, and procedures have been adopted.”
12
Goals of Security
- Data integrity
- Data availability
- Data confidentiality
Ref: Pfleeger.
13
Safety and Security
- Many things in common and some major differences.
- Some similarities aid understanding of both.
- System vs. environment.
- Accident, breach.
- Hazard, vulnerability.
14
System vs. Environment (Safety)
[Diagram with labels: Environment, System]
15
System vs. Environment (Security)
[Diagram with labels: System, Environment]
16
Accident and Security Breach
- Accident
  - Loss of life
  - Injury
  - Damage to property
- Security breach
  - Secret is revealed
  - Service is disabled
  - Data is altered
  - Messages are fabricated
17
Accident Definition
- An accident is an undesired and unplanned (but not necessarily unexpected) event that results in (at least) a specified level of harm.
- Define breach similarly.
- A security threat is a possible form of breach.
18
Hazards and Vulnerabilities
- Hazard
  - No fire alarms
  - No fire extinguishers
  - Rags close to furnace
- Vulnerability
  - Password too short
  - Secret sent in plaintext over public network
  - Files not write protected
19
Hazard Definition
- A hazard is a state or set of conditions of a system that, together with other conditions in the environment of the system, will lead inevitably to an accident.
- Define security vulnerability similarly.
20
Other Terms
- Asset: object of value.
- Exposure: threat to an asset.
- Attack: effort by an agent to exploit a vulnerability and create a breach.
21
Major Threats
- Interruption
- Interception
- Modification
- Fabrication
22
Major Assets
- Hardware
- Software
- Data
23
Threats to Hardware
- Interruption: crash, performance degradation
- Interception: theft
- Modification: tapping
- Fabrication: spoofed devices
24
Threats to Software Code
- Interruption: deletion
- Interception: theft
- Modification
  - Trojan horse
  - Logic bomb
  - Virus
  - Back door
  - Information leak
- Fabrication: spoofing software distribution on the web
25
Threats to Software Processes
- Interruption: bad inputs
- Interception: attacks on agents
- Modification: of exploited data
- Fabrication: service spoofing (man-in-the-middle)
26
Threats to Data
- Interruption: deletion, perceived integrity violation
- Interception: eavesdropping, snooping memory
- Modification: alteration of important information
- Fabrication: spoofing web pages
27
Principles of Security
- Easiest Penetration: An intruder must be expected to use any available means of penetration.
- Adequate Protection: Computer items must be protected only until they lose their value. They must be protected to a degree consistent with their value.
- Effectiveness: Controls must be used to be effective. They must be efficient, easy to use, and appropriate.
28
Controls
- Physical security
- Limited interface
- Identification and authorization
- Encryption
29
Breakdown of S/W Controls
- Program controls, as exercised by the programmer as dictated by the programming language or programming environment
- Operating system controls
- Development process controls
30
Security Models
- Multi-layer security
- Graham-Denning model
Ref: Pfleeger.
31
Military Security
- Familiar hierarchy of sensitivities, partitioned into compartments.
33
Compartments
- Each piece of information is coded with its security level and one or more compartments.
34
Classification and Clearance
- Each piece of information, or object, o is classified by its rank and compartments. C(o) = classification of o.
- Each actor, or subject, s is given a clearance by rank and compartments. C(s) = clearance of s.
- Dominance: a label (r, c) is dominated by (r’, c’) iff r is at most r’ in the rank order and c is a subset of c’.
- Comparing C(o) with C(s): access requires that the classification of o be dominated by the clearance of s.
35
Guarantees
- A subject s is only able to access an object o if the rank of s is higher than that of o, and s is cleared for all of the compartments of o.
- The first is called a hierarchical requirement, the second a non-hierarchical requirement.
36
[Diagram: classification lattice with ranks Top Secret, Secret, Confidential, Restricted, Unclassified; compartments A, B, C, D; labelled nodes x, y, z, w, v]
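The dominance relation and the two access requirements from the preceding slides, as an added Python example (not code from the original deck). It assumes the five ranks of slide 36 are ordered Unclassified < Restricted < Confidential < Secret < Top Secret, which the deck names but does not state explicitly; the labels for the analyst and documents are constructed, and the `join` function goes slightly beyond the slides by computing the least upper bound of two labels.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Ranks from slide 36, lowest to highest (assumed ordering: the deck shows
# the names but not an explicit order).
RANKS = ["Unclassified", "Restricted", "Confidential", "Secret", "Top Secret"]


@dataclass(frozen=True)
class Label:
    """A label (r, c): a hierarchical rank plus a set of compartments."""
    rank: str
    compartments: FrozenSet[str] = frozenset()

    def __post_init__(self):
        if self.rank not in RANKS:
            raise ValueError(f"unknown rank: {self.rank!r}")


def dominates(upper: Label, lower: Label) -> bool:
    """(r', c') dominates (r, c) iff r <= r' in the rank order and c is a
    subset of c'. Equal labels dominate each other."""
    return (RANKS.index(upper.rank) >= RANKS.index(lower.rank)
            and lower.compartments <= upper.compartments)


def can_access(clearance: Label, classification: Label) -> bool:
    """Subject s may access object o iff C(o) is dominated by C(s): the
    hierarchical and the non-hierarchical requirement checked together."""
    return dominates(clearance, classification)


def join(a: Label, b: Label) -> Label:
    """Least upper bound of two labels: the lowest label dominating both.
    A lattice property beyond the slides; it labels data derived from both."""
    rank = max(a.rank, b.rank, key=RANKS.index)
    return Label(rank, a.compartments | b.compartments)


if __name__ == "__main__":
    # Constructed sample: an analyst cleared Secret for compartments A and B.
    analyst = Label("Secret", frozenset({"A", "B"}))
    docs = {
        "x": Label("Confidential", frozenset({"A"})),  # allowed
        "y": Label("Secret", frozenset({"C"})),        # denied: not cleared for C
        "z": Label("Top Secret", frozenset({"A"})),    # denied: rank too high
    }
    for name, label in docs.items():
        print(name, "->", "allow" if can_access(analyst, label) else "deny")
```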
37
Graham-Denning Model
- Subject executing command is x.
- Transferable rights are denoted r*.
- Non-transferable rights are denoted r.
- A[x,s]