Download presentation
Presentation is loading. Please wait.
Published byBennett Phelps Modified over 9 years ago
1
Chap1: Is there a Security Problem in Computing?
2
The risks involved in computing The goals of secure computing: confidentiality, integrity, availability The threats to security in computing: interception, interruption, modification, fabrication SE571 Security in Computing Dr. Ogara 2
3
Controls available to address these threats: encryption, programming controls, operating systems, network controls, administrative controls, law, and ethics SE571 Security in Computing Dr. Ogara 3
4
351 Security practitioners responded More attacks on Web applications Virtualization and cloud computing make security more complex Software is main culprit in breaches Outsourcing security fell IT budget trimmed NOT security SE571 Security in Computing Dr. Ogara 4
5
5
6
6
7
Computing System collection of hardware, software, storage media, data, and people that an organization uses to perform computing tasks. components: hardware, software, and data. SE571 Security in Computing Dr. Ogara 7
8
Vulnerability weakness in the security system Example, weaknesses in procedures, design, or implementation, that might be exploited to cause loss or harm. Figure 1.1 – Crack on the wall is a vulnerability SE571 Security in Computing Dr. Ogara 8
9
A threat A set of circumstances that has the potential to cause loss or harm. Human initiated e.g. human errors, attacks, denial of service Computer initiated e.g. natural disaster such as Katrina Figure1.1 – getting hurt or drowning SE571 Security in Computing Dr. Ogara 9
10
Control Protective measure against vulnerabilities and threats Action, device, procedure, or technique that removes or reduces a vulnerability A threat is blocked by control of a vulnerability. SE571 Security in Computing Dr. Ogara 10
11
Figure 1-1 Threats, Controls, and Vulnerabilities. SE571 Security in Computing Dr. Ogara 11
12
Interception Unauthorized party gains access to an asset The outside party can be a person, a program, or a computing system. Examples, illicit copying of program or data files, or wiretapping to obtain data in a network SE571 Security in Computing Dr. Ogara 12
13
Interruption An asset of the system becomes lost, unavailable, or unusable. Examples, malicious destruction of a hardware device, erasure/deletion of a program or data file, and denial of service attack SE571 Security in Computing Dr. Ogara 13
14
Modification Unauthorized party not only accesses but tampers with an asset. Example, change the values in a database, alter a program so that it performs an additional computation, or modify data being transmitted electronically (email). SE571 Security in Computing Dr. Ogara 14
15
Fabrication intruder may insert bogus transactions to a network communication system or add records to an existing database, create user accounts SE571 Security in Computing Dr. Ogara 15
16
Figure 1-2 System Security Threats. SE571 Security in Computing Dr. Ogara 16
17
Computer security addresses three important aspects/goals of any computer-related system (CIA): Confidentiality - Ensures that computer- related assets are accessed only by authorized parties Integrity - assets can be modified only by authorized parties or only in authorized ways Availability - assets are accessible to authorized parties at appropriate times SE571 Security in Computing Dr. Ogara 17
18
Confidentiality Also called secrecy or privacy Ensures that computer-related assets are accessed only by authorized parties (people or systems) Control encryption, access control lists, physical security SE571 Security in Computing Dr. Ogara 18
19
Integrity Means that assets can be modified only by authorized parties or only in authorized ways. Examples; writing, changing and deleting Control digital signatures, hashing, code review to detect covert channels SE571 Security in Computing Dr. Ogara 19
20
Availability Means that assets are accessible to authorized parties at appropriate times Applies both to data and to services (information and to information processing) Opposite of denial of service SE571 Security in Computing Dr. Ogara 20
21
Availability Meaning of availability It is present in a usable form. It has enough capacity to meet the service’s needs Control RAID, redundant components (power supply, fan), server clusters SE571 Security in Computing Dr. Ogara 21
22
Figure 1-3 Relationship Between Confidentiality, Integrity, and Availability. SE571 Security in Computing Dr. Ogara 22
23
Apply to all three broad categories of system resources (Figure 1-4) Hardware Theft Destruction Flooding SE571 Security in Computing Dr. Ogara 23
24
Software (operating system, controllers, utility programs, and application programs) Deletion Alteration Modification Example, Trojan horse, virus, trapdoor, and information leaks in a program Theft SE571 Security in Computing Dr. Ogara 24
25
Data Data attack is a more widespread and serious problem than either a hardware or software attack Data items have greater public value than hardware and software because more people know how to use or interpret data SE571 Security in Computing Dr. Ogara 25
26
Figure 1-4 Vulnerabilities of Computing Systems. SE571 Security in Computing Dr. Ogara 26
27
Other Exposed Assets Networks Access Intruder steals computer time but no attack Destroy software or data Deny service to legitimate users Key People Disgruntled employee may cause damage SE571 Security in Computing Dr. Ogara 27
28
Amateurs Crackers or Malicious Hackers Career Criminals organized crime and international groups engaged in computer crime Terrorists denial-of-service attacks and web site defacements are popular SE571 Security in Computing Dr. Ogara 28
29
Used to preserve Confidentiality Integrity Availability May prevent or mitigate attacks May inform us that security is compromised May detect a breach as it happens/after it occurs SE571 Security in Computing Dr. Ogara 29
30
Encryption Scrambles data so that interpretation is meaningless Unscrambled state, called cleartext Transformed data are called enciphered text or ciphertext May nullify modification or fabrication Important for integrity and confidentiality of data SE571 Security in Computing Dr. Ogara 30
31
Figure 1-6 Multiple Controls. SE571 Security in Computing Dr. Ogara 31
32
Hardware control hardware or smart card implementations of encryption locks or cables limiting access or deterring theft devices to verify users’ identities firewalls intrusion detection systems circuit boards that control access to storage media SE571 Security in Computing Dr. Ogara 32
33
Policies and Procedures among users Frequent changes of passwords Training and administration Ethical and legal issues SE571 Security in Computing Dr. Ogara 33
34
Physical Controls locks on doors guards at entry points backup copies of important software and data physical site planning that reduces the risk of natural disasters SE571 Security in Computing Dr. Ogara 34
35
Awareness of Problem Understand importance of security Likelihood of Use Controls must be used Overlapping Controls Use combination of controls /layered defense Periodic Review SE571 Security in Computing Dr. Ogara 35
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.