
1 Security in Computing (C2021) Week-1

2 Module Syllabus Summary
The main topics of study will include:
- General Security Problems: attacks; computer criminals; computer security; methods of defense.
- Program Security: secure programs; viruses and malicious code; controls against program threats.
- Security in Operating Systems: user authentication; memory and address protection; file protections; control of access to general objects; trusted operating systems.

3 Module Syllabus Summary contd.
- Database Security: security requirements; integrity and reliability; inference; multilevel security.
- Security in Networks: threats in networks; firewalls; intrusion detection; secure email; security control.
- Legal, Privacy, and Ethical Issues: protecting programs and data; information and the law; rights of employees and employers; privacy; ethical issues.
- Cryptography: traditional ciphers; symmetric encryption; public key encryption; digital signatures and authentication; quantum cryptography.

4 Module Assessments
For more about Assessments: http://learning.londonmet.ac.uk/computing/IC_Link/CompNetITSec/modules/cc2021/cc2021_spec.html

5 Recommended Book List
- Pfleeger, C.P. & Pfleeger, S.L., 2007. Security in Computing. 4th ed. Prentice Hall.
- Stallings, W., 2006. Cryptography and Network Security Principles and Practices. 4th ed. Prentice Hall.
- Stallings, W. & Brown, L., 2008. Computer Security: Principles and Practice. Prentice Hall.

6 Introduction to Security in Computing Chapter-1

7 Introduction – Security in Computing
- Security in computing is about protecting computer-related assets, i.e. valuable information
- The focus is security for computing systems
- How banks protect physical currency cf. people protecting information (Pfleeger, p.2)
- Can we learn from our analysis of banks, i.e. how they have protected e.g. money, gold etc.?

8 Terms and Definitions
- Secure, protected
  - Immune to attack
  - Covered by certain controls
- Threat
  - A potential to do harm or cause loss
- Vulnerability
  - Weaknesses in defenses that could allow harm to occur

9 Terms and Definitions
Figure 1-1 Threats, Controls, and Vulnerabilities
- The water is a THREAT to the man
- The crack is a VULNERABILITY that threatens the man’s security
- The man placing his finger in the hole is controlling the threat.

10 Terms and Definitions
- Attack
  - Threat + Vulnerability
- Control, countermeasure
- Risk, residual [remaining] risk
- Penetration [making way through], weakest point

11 Attacks and Attackers
- Attacks
  - Malicious; non-malicious; natural causes
  - Accidental, intentional
- Attackers
  - MOM – Method + Opportunity + Motive
    - Method: tools, knowledge, capability
    - Opportunity: time, physical access, availability
    - Motivation: reason for attack
  - Work factor: difficulty in pulling off attack; measured in time, skill, resources

12 The Security Triad – C I A Figure 1-2 Relationship Between Confidentiality, Integrity, and Availability (Pfleeger, p.11)

13 The Security Triad – C I A Figure 1-3 Security of Data (Pfleeger, p.18)

14 The Security Triad – C I A
Confidentiality: protection from unauthorised disclosure
- Privacy; personal private information
- Sensitive information, e.g. student grades, company inventions, juvenile arrest records
- Protection of classified information

15 The Security Triad – C I A
Integrity: protection from inappropriate modification
- Precision, accuracy
- Possible ways to limit modification
  - Not modified (for example, read-only)
  - Only in acceptable ways, e.g. ?
  - Only by acceptable people, e.g. ?
  - Only using appropriate processes, e.g. ?

16 The Security Triad – C I A
Integrity: protection from inappropriate modification
- Internally consistent
  - The disk contents match what was originally recorded
  - Update to one instance causes change to be propagated to all instances
- Meaningful and usable
  - Readable
  - Not protected against legitimate access (see also availability)

17 The Security Triad – C I A
Availability
- Usable (readable, accessible)
- Sufficient capacity (bandwidth, sharable, or copied as needed)
- Is making progress (not hung in a loop or never attended to)
- Completes in an acceptable amount of time
These goals can conflict
- High confidentiality may limit availability
- Strong integrity controls may impose a slowdown that affects availability

18 Vulnerabilities
Kinds of Vulnerabilities
- Interruption (breaking a pathway of use, deleting, destroying)
- Interception (taking or obtaining without permission; either taking an object itself or making an unauthorised copy)
- Modifications (changing without permission)
- Fabrication (creating a new – illicit – version)

19 Vulnerabilities Kinds of Vulnerabilities Figure 1-4 System Security Threats

20 Vulnerabilities Kinds of Vulnerabilities Figure 1-5 Vulnerabilities of Computer System

21 Vulnerabilities
Targets of vulnerabilities
- Hardware (including firmware)
- Software
- Data and Information
- Access, time, bandwidth, network resources (cable, switches and routers, addressing and routing information, wireless services)
- People
- Supplies

22 Computer Attackers
- Most computer attacks are committed by insiders as unintentional, non-malicious errors
- Security awareness is the most effective and least expensive control
- Amateurs
  - Often insiders with privileges (necessary to do their jobs)
  - Outside probers or tinkerers

23 Computer Attackers contd.
- Crackers
  - Advanced form of probing or tinkering
  - Intention to undermine or circumvent security controls
  - Various motivations: challenge, ego, curiosity, adventure, experimentation
  - Non-malicious attacks or attacks with non-malicious intent are still attacks

24 Computer Attackers contd.
- Criminals
  - Motivation: payoff, revenge, competition
  - Rapidly growing attack segment
  - Financial reward potential is attractive
  - Some evidence that organised crime is becoming involved in computer crime – it’s where the money is
  - Definition of “computer crime” not precise

25 Defence Objectives
- Prevent harm
  - Block attack, close [plug] vulnerability
  - Although obviously most effective, sometimes prevention is not possible
    - Insiders need elevated privileges to do work
    - Vulnerabilities may be unknown
    - Even a fortress can be breached with the right attack

26 Defence Objectives contd.
- Deter harm
  - Make the attacker work harder or longer
  - Hope the attacker will choose another easier target
  - Example: protect bank tellers with bulletproof glass: not impenetrable, but requires a long time and a lot of force
- Deflect harm
  - Push the attacker to another target
  - Example: a “honeypot” [trap] - website to attract and occupy the attacker

27 Defence Objectives contd.
- Detect harm
  - Determine that attack is under way (realtime) or has occurred sometime in the past (non-realtime)
  - Goals:
    - To be able to increase defences (to block an attack in realtime)
    - To determine the kind and extent of attack (after the fact) and strengthen defences for the future (close vulnerability) or know what has been lost

28 Defence Objectives contd.
- Recover from harm
  - Resume normal operation
  - Increase or strengthen so future attacks do not succeed
  - Deal with loss or exposure of data
- Note: More cost effective to allow unlikely harm to occur and spend money on recovery than to spend much more money trying in vain to prevent the harm

29 Controls
- Physical
  - Gates, guns, guards
  - Access control devices, e.g., badge readers, motion detectors
  - Fire suppression, extinguishers
- Administrative
  - Security awareness training
  - Security policies, procedures, guidelines, practices
  - Rules of acceptable use, code of ethics
  - Hiring and termination practices
  - Software development practices
  - Human oversight, management, review

30 Controls contd.
- Technical
  - Firewall
  - Intrusion detection system
  - Virus scanner
  - Encryption
  - Identification and authentication technologies (e.g. smart cards, biometrics, password)
  - Logical access controls (program-based controls limiting access based on identity, proposed use, date, time etc); implemented by network infrastructure, operating systems, database management, application program, utility
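A logical access control of the kind listed on this slide, decided on identity, proposed use, date and time, can be sketched as a default-deny rule check. This is an added example, not part of the original slides; the `Rule` fields, the `grades.db` resource, the role names and the policy are all constructed for illustration.

```python
# Added example: default-deny logical access control. Rule fields follow the
# slide (identity, proposed use, date, time); all names and data are constructed.
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class Rule:
    identity: str        # user or role the rule applies to
    resource: str        # object being protected
    uses: frozenset      # permitted proposed uses, e.g. {"read"}
    weekdays: frozenset  # permitted days, Monday=0 .. Sunday=6
    start: time          # start of permitted window (inclusive)
    end: time            # end of permitted window (inclusive)

# Constructed policy for illustration.
POLICY = [
    Rule("registrar", "grades.db", frozenset({"read", "update"}),
         frozenset(range(0, 5)), time(8, 0), time(18, 0)),
    Rule("student", "grades.db", frozenset({"read"}),
         frozenset(range(0, 7)), time.min, time.max),
]

def is_allowed(identity, resource, use, when, policy=POLICY):
    """Return True only if some rule matches every attribute (default deny)."""
    t = when.time()
    for rule in policy:
        if (rule.identity == identity
                and rule.resource == resource
                and use in rule.uses
                and when.weekday() in rule.weekdays
                and rule.start <= t <= rule.end):
            return True
    return False  # no matching rule: deny

def audit(requests, policy=POLICY):
    """Evaluate requests and return (request, decision) pairs for review."""
    return [(r, "ALLOW" if is_allowed(*r, policy=policy) else "DENY")
            for r in requests]

if __name__ == "__main__":
    monday_10 = datetime(2024, 1, 8, 10, 0)     # a Monday
    saturday_10 = datetime(2024, 1, 13, 10, 0)  # a Saturday
    for req, decision in audit([
        ("registrar", "grades.db", "update", monday_10),
        ("registrar", "grades.db", "update", saturday_10),
        ("student", "grades.db", "update", monday_10),
        ("visitor", "grades.db", "read", monday_10),
    ]):
        print(decision, req[0], req[2], req[3].isoformat())
```

An unknown identity, a use outside the rule, or a request outside the permitted days and hours all fall through to the final deny, so access exists only where a rule grants it.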

31 Controls contd.
- Technical
  - Honeypot
  - Protocol
  - Networking infrastructure, operating systems, database management systems, applications

32 Controls contd. Technical Figure 1-6 Multiple Controls

