1. Copyright © 2013 – Curt Hill Computer Security An Overview

2. Introduction We want to consider just the basics of security There are several questions that need answers: –What assets need protection? –What threats exist for these assets? –What counter measures exist for the threats? Security is a course of study all its own –All we do here is introduce the topic Copyright © 2013 – Curt Hill

3. NIST Definition National Institute of Standards and Technology defines computer security: The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data and telecommunications). Copyright © 2013 – Curt Hill

4. Audience Participation What does this definition tell us? What is: –Integrity? –Availability? –Confidentiality? Copyright © 2013 – Curt Hill

5. The Heart Computer security centers around these three concepts: –Integrity –Availability –Confidentiality These are also known as the CIA triangle –Not Central Intelligence Agency –Failures in one often leak into others Lets unpack this a little further Copyright © 2013 – Curt Hill

6. Integrity Guarding against improper modification or destruction of information System integrity is about software –System performs the functions it was designed to accomplish –We counter threats to the software itself Data integrity –Data is changed only be those authorized to do so and only in specified manners Both data and software are stored in similar ways, so there is overlap Copyright © 2013 – Curt Hill

7. Availability System is available to do the work it was purchased to do –Timely and reliable access It services authorized users and denies service to those who are not One of the problems is that additional security is overhead that reduces amount of work that can be done –Although not as extreme as the availability issues of attacks Copyright © 2013 – Curt Hill

8. Confidentiality Preserving authorized restrictions on information Data confidentiality –Private information is not disclosed to those who are not authorized to access it Privacy –The individuals to whom the data refers have some influence on how the data is used –Ability to correct errors in the data –Ability to limit who may use the data and for what reason Copyright © 2013 – Curt Hill

9. Triangle or Pentangle? Two more concepts that figure in frequently are Authenticity and Accountability Authenticity is about the verification process of users or system –Are they actually who they say they are? Accountability is about being able to track actions in an uncompromised way – often after a security breach –We need to be able to connect each action with the one who originated the action Copyright © 2013 – Curt Hill

10. Levels of Impact A failure is categorized into three levels: Low – limited adverse affect –Organization is able to perform its primary function with only minor financial loss Moderate – serious adverse affect –Loss of capability or effectiveness –Damage to assets and finances High – severe or catastrophic affect –Major damage to assets –Could involve life threatening injuries Copyright © 2013 – Curt Hill

11. Your turn In regards to VCSU, what would constitute failures of these magnitudes? –Low –Moderate –High Copyright © 2013 – Curt Hill

12. The problems Computer security is complex, what are some of the problems? The underlying software is complex – small error can be exploited in a large problem To succeed the developer has to plug all holes, failure comes from only finding one – a battle of wits Authentication requires the user to possess some secret fact – how can this be distributed? Copyright © 2013 – Curt Hill

13. More problems To most users this is an annoyance, thus they do not employ good practices Security is often an afterthought to system development – a porous surface is hard to plug Continual monitoring is required, this is a budget item that requires justification Thinking about threats requires an unusual mind set Copyright © 2013 – Curt Hill

14. Attack Classifications Active attack – an attempt to alter resources and operation Passive – an attempt to make use of information without altering any of it Inside – usually mounted by an employee or privileged person –They know about the system and have a starting point of some authorization Outside – not the above –Ranges from high school pranks to organized crime or even governments Copyright © 2013 – Curt Hill

15. Countermeasures Any attempt to thwart an attack Prevention – predict the attack and disable in advance Detection – look for suspicious activity and unauthorized accesses Recovery – an attempt to undo the effect of an attack Copyright © 2013 – Curt Hill

16. Threat Consequences Copyright © 2013 – Curt Hill ConsequenceAction or attack Disclosure Exposure – sensitive data is made available Interception – access to data in transit Inference – deduce information based on what was visible Intrusion – active gaining of access Deception Masquerade – Using other’s authorization Falsification – false data to deceive authorization Repudiation – denial of an unauthorized action Disruption Incapacitation – disabling a component to damage system Corruption – modify component to alter behavior Obstruction – interrupt delivery of system services Usurpation Misappropriation – entity gains unauthorized control Misuse – modification to perform another function

17. Assets and Example Threats Copyright © 2013 – Curt Hill AvailabilityConfidentialityIntegrity HardwareTheft SoftwareDeletion of pgms Unauthorized copy of pgms Pgms modified to fail or provide unauthorized functions DataDelete filesUnauthorized access Modification of files Communication lines Messages are destroyed or mangled Messages are intercepted Messages are falsified

18. Finally Security will continue to be an important topic for the foreseeable future We will continue to balance: –The danger of security threats versus the ease of use problems that security requires –Cost of security versus the cost of failure and recovery Security concerns are also business concerns Copyright © 2013 – Curt Hill