What security is about in general? Security is about protection of assets –D. Gollmann, Computer Security, Wiley Prevention –take measures that prevent.


Presentation transcript:

1 What security is about in general?
Security is about protection of assets. – D. Gollmann, Computer Security, Wiley
Prevention – take measures that prevent your assets from being damaged (or stolen)
Detection – take measures so that you can detect when, how, and by whom an asset has been damaged
Reaction – take measures so that you can recover your assets

2 Real world example
Prevention – locks on doors, window bars, secure the walls around the property, hire a guard
Detection – missing items, burglar alarms, closed-circuit TV
Reaction – attack on burglar, call the police, replace stolen items, make an insurance claim

3

4 4 components of security objectives:
Confidentiality
Integrity
Availability
Authenticity

5 Confidentiality – prevent unauthorized disclosure of information (unauthorized reading).
Integrity – prevent unauthorized modification of information (unauthorized writing).
Availability – prevent unauthorized deprivation of access to an asset.
Authenticity – be able to authenticate authorized users, so that an action affecting security can be traced to the responsible party.

6 Attacks, Services and Mechanisms
Security Attack: any action that compromises the security of information.
Security Mechanism: a mechanism designed to detect, prevent, or recover from a security attack.
Security Service: a service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.

7 Security Attacks
Interruption: an attack on availability
Interception: an attack on confidentiality
Modification: an attack on integrity
Fabrication: an attack on authenticity

8 Security Attacks

9 Security Services
– to prevent or detect attacks, and so enhance security
– often replicate functions of physical documents, which e.g. carry signatures and dates, need protection from disclosure, tampering, or destruction, and may be notarized or recorded

10 Basic Security Services
Authentication – assurance that the communicating entity is the one it claims to be
– peer entity authentication: mutual confidence in the identities of the parties involved in a connection
– data-origin authentication: assurance about the source of the received data
Access Control – prevention of the unauthorized use of a resource

11 Basic Security Services
Data Confidentiality – protection of data from unauthorized disclosure (against eavesdropping)
– traffic-flow confidentiality goes one step further: it also hides who is communicating with whom, how much, and when
Data Integrity – assurance that data received are exactly as sent by an authorized sender
– i.e. no modification, insertion, deletion, or replay

12 Basic Security Services
Non-Repudiation – protection against denial by one of the parties in a communication
– origin non-repudiation: proof that the message was sent by the specified party
– destination non-repudiation: proof that the message was received by the specified party
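The data-origin authentication, data integrity and anti-replay services on slides 10 to 12 can be seen working together in one small receiver. The following is an added example, not code from the lecture: it uses an HMAC-SHA256 tag over a sequence number and the payload, with the pre-shared key, the wire format (8-byte sequence number, 32-byte tag, payload) and the "strictly increasing sequence number" policy all being assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Assumption for the example: a pre-shared key known only to the two endpoints.
KEY = b"shared-secret-known-only-to-alice-and-bob"

SEQ_LEN = 8           # 64-bit big-endian sequence number
TAG_LEN = 32          # HMAC-SHA256 output
HDR_LEN = SEQ_LEN + TAG_LEN


def mac(key: bytes, seq: int, payload: bytes) -> bytes:
    """Tag covers seq || payload: the payload cannot be changed without
    recomputing the tag, and an old (seq, payload) pair cannot pass as new."""
    return hmac.new(key, struct.pack(">Q", seq) + payload, hashlib.sha256).digest()


def send(key: bytes, seq: int, payload: bytes) -> bytes:
    """Assumed wire format: seq (8 bytes) | tag (32 bytes) | payload."""
    return struct.pack(">Q", seq) + mac(key, seq, payload) + payload


@dataclass
class Receiver:
    key: bytes
    highest_seq: int = -1  # highest sequence number accepted so far

    def receive(self, frame: bytes) -> tuple:
        """Return (payload, verdict); payload is None unless verdict is 'ok'."""
        if len(frame) < HDR_LEN:
            return None, "malformed"
        seq = struct.unpack(">Q", frame[:SEQ_LEN])[0]
        tag = frame[SEQ_LEN:HDR_LEN]
        payload = frame[HDR_LEN:]
        # Data-origin authentication and integrity: recompute and compare the tag.
        # compare_digest is constant-time; a plain == would leak timing information.
        if not hmac.compare_digest(tag, mac(self.key, seq, payload)):
            return None, "bad tag (modified or forged)"
        # Replay detection: accept only strictly increasing sequence numbers.
        # highest_seq is advanced only after the tag verified, so an attacker cannot
        # lock out genuine traffic by sending an unauthenticated frame with a huge seq.
        if seq <= self.highest_seq:
            return None, "replayed or out of order"
        self.highest_seq = seq
        return payload, "ok"


def demo() -> list:
    """Constructed traffic: two genuine frames, then a replay, a tamper and a forgery."""
    rx = Receiver(KEY)
    f1 = send(KEY, 1, b"transfer 10 to carol")
    f2 = send(KEY, 2, b"transfer 20 to carol")
    verdicts = [rx.receive(f1)[1], rx.receive(f2)[1]]
    verdicts.append(rx.receive(f1)[1])                              # replay of frame 1
    tampered = f2[:HDR_LEN] + b"transfer 99 to carol"                # payload edited, tag kept
    verdicts.append(rx.receive(tampered)[1])
    forged = send(b"attacker-guess", 3, b"transfer 1 to mallory")    # wrong key
    verdicts.append(rx.receive(forged)[1])
    return verdicts


if __name__ == "__main__":
    for v in demo():
        print(v)
```

Two caveats a practitioner should note. First, this gives data-origin authentication but not non-repudiation: both endpoints hold KEY, so the receiver could have produced any tag itself and cannot prove to a third party who sent the message; origin non-repudiation needs a digital signature, where only the sender holds the signing key. Second, the strictly increasing sequence rule also rejects legitimate frames that merely arrive out of order; protocols such as IPsec ESP use a sliding anti-replay window instead, which tolerates reordering while still rejecting duplicates.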

13 Computer and Network Security – Lecture 1, Richard Newman
Assets – valuables, liability, ability to function / compete
Exposures – forms of losses
Vulnerability – weakness that could lead to a loss
Attack – attempt to exploit a vulnerability
Threat – source of attack / circumstance by which loss may occur
Control – means of reducing vulnerability (physical, procedural, logical)
Cost – up-front and ongoing overhead to implement controls, in terms of $, time, space, convenience

14 Goals
Confidentiality (who can read it?) – right accessibility (read, view, print, know of existence) only by authorized parties
Integrity (who can write it? consistency / accuracy) – assets modified only in authorized ways, and only by authorized parties
Availability (how readily the asset may be accessed – how / when / where ...) – assets accessible to authorized parties without disruption
Secondary goals: reliability, safety, non-repudiation

15 Threats
Theft
– with interruption: removal of H/W, deletion of software, loss of data
– without interruption: S/W piracy; interception of H/W, S/W, data
Modification
– H/W
– S/W (can be subtle and hard to detect; easy and effective), e.g. logic bomb, Trojan horse, virus, trapdoor, information leaks
– Data
Destruction
– H/W (drench, burn, gas, electrocute, spill food/drinks, hit, dust, bomb, fire ...)
– S/W (delete, virus)
– Data
Fabrication – Data
Leaks – Data

16 Principle of Adequate Protection
Assets must be protected only as long as they have value, and to a degree consistent with their value.
Principle of Effectiveness
Controls must be effective, efficient, easy to use, and appropriate.
Controls
– H/W
– Internal S/W
– Operating system
– Encryption and cryptography
– Timing
– Other measures, e.g. video cameras, alarms

17 H/W control
– lock and key
– fault-tolerant computing
– RAID devices
– dongles (in-line encryption, authentication)
– firewalls
– parity check
– mode bits

18 Internal S/W control (controls, continued)
– license check
– custom compile (CPU ID, ...)
– password
– roles / access levels
– syntactic / semantic checks

19 Operating system control (controls, continued)
– umask
– file access
– chroot
– confinement, protection
– stack access, RAM access, CPU access
– protection modes
– run levels
– passwords, groups
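The first two operating-system controls on slide 19, umask and file access permissions, are easy to misjudge: umask is a creation-time mask that can only remove permission bits, never grant them, and it has no effect on a file once it exists. The following is an added example, not from the lecture, that creates files in a scratch directory under different masks and reports the bits the kernel actually granted. It assumes a POSIX system (Linux or macOS); the file names and mode values are chosen for illustration.

```python
import os
import stat
import tempfile


def create_with_umask(directory: str, name: str, requested_mode: int, mask: int) -> int:
    """Create `name` asking for `requested_mode` while the process umask is `mask`,
    and return the permission bits the kernel actually granted.
    The result is always requested_mode & ~mask: umask can clear bits, not add them."""
    old = os.umask(mask)          # umask is process-wide state, so save and restore it
    try:
        path = os.path.join(directory, name)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, requested_mode)
        os.close(fd)
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode)


def is_world_readable(mode: int) -> bool:
    """The usual failure mode for secrets on disk: the 'others' read bit is set."""
    return bool(mode & stat.S_IROTH)


def demo() -> dict:
    results = {}
    with tempfile.TemporaryDirectory() as d:
        # The common default mask: group and others lose the write bit, 0o666 -> 0o644.
        results["umask_022"] = create_with_umask(d, "a", 0o666, 0o022)
        # A hardened mask for processes handling secrets: owner only, 0o666 -> 0o600.
        results["umask_077"] = create_with_umask(d, "b", 0o666, 0o077)
        # A permissive mask does not widen a restrictive request: 0o600 stays 0o600.
        results["mask_cannot_add"] = create_with_umask(d, "c", 0o600, 0o000)
        # An explicit chmod after creation overrides whatever umask produced;
        # the mask is a default, not an enforced ceiling.
        path = os.path.join(d, "b")
        os.chmod(path, 0o644)
        results["after_chmod"] = stat.S_IMODE(os.stat(path).st_mode)
        results["world_readable_after_chmod"] = is_world_readable(results["after_chmod"])
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, oct(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```

Because the mask is only a default, a hardened umask in a service's startup script protects files the service creates with default modes, but it does nothing against code that later calls chmod, nor against files created before the mask was set; auditing the resulting modes (as is_world_readable does) is the check that actually confirms the control held.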

20 Development control (controls, continued)
– good software engineering practice
– structured development (documentation)
– code walk-through / inspection

