An Overview of Computer Security

1
An Overview ofComputer Security
2
Outline

• Components of computer security
• Threats
• Policies and mechanisms
• The role of trust
• Assurance
• Operational Issues
• Human Issues

3
Status of security in computing

• In terms of security, computing is very close to
  the wild west days.
• Some computing professionals managers do not
  even recognize the value of the resources they
  use or control.
• In the event of a computing crime, some companies
  do not investigate or prosecute.

4
Characteristics of Computer Intrusion

• A computing system a collection of hardware,
  software, data, and people that an organization
  uses to do computing tasks
• Any piece of the computing system can become the
  target of a computing crime.
• The weakest point is the most serious
  vulnerability.
• The principles of easiest penetration

5
Security Breaches- Terminology

• Exposure
• a form of possible loss or harm
• Vulnerability
• a weakness in the system
• Attack
• Threats
• Human attacks, natural disasters, errors
• Control a protective measure
• Assets h/w, s/w, data

6
Types of Security Breaches

• Disclosure unauthorized access to info
• Snooping
• Deception acceptance of false data
• Modification, spoofing, repudiation of origin,
  denial of receipt
• Disruption prevention of correct operation
• Modification, man-in-the-middle attack
• Usurpation unauthorized control of some part of
  the system (usurp take by force or without
  right)
• Modification, spoofing, delay, denial of service

7
Security Components

• Confidentiality The assets are accessible only
  by authorized parties.
• Keeping data and resources hidden
• Integrity The assets are modified only by
  authorized parties, and only in authorized ways.
• Data integrity (integrity)
• Origin integrity (authentication)
• Availability Assets are accessible to authorized
  parties.
• Enabling access to data and resources

8
Computing System Vulnerabilities

• Hardware vulnerabilities
• Software vulnerabilities
• Data vulnerabilities
• Human vulnerabilities ?

9
Software Vulnerabilities

• Destroyed (deleted) software
• Stolen (pirated) software
• Altered (but still run) software
• Logic bomb
• Trojan horse
• Virus
• Trapdoor
• Information leaks

10
Data Security

• The principle of adequate protection
• Storage of encryption keys
• Software versus hardware methods

11
Other Exposed Assets

• Storage media
• Networks
• Access
• Key people

12
People Involved in Computer Crimes

• Amateurs
• Crackers
• Career Criminals

13
Methods of Defense

• Encryption
• Software controls
• Hardware controls
• Policies
• Physical controls

14
Encryption

• at the heart of all security methods
• Confidentiality of data
• Some protocols rely on encryption to ensure
  availability of resources.
• Encryption does not solve all computer security
  problems.

15
Software controls

• Internal program controls
• OS controls
• Development controls
• Software controls are usually the 1st aspects of
  computer security that come to mind.

16
Policies and Mechanisms

• Policy says what is, and is not, allowed
• This defines security for the site/system/etc.
• Mechanisms enforce policies
• Mechanisms can be simple but effective
• Example frequent changes of passwords
• Composition of policies
• If policies conflict, discrepancies may create
  security vulnerabilities
• Legal and ethical controls
• Gradually evolving and maturing

17
Principle of Effectiveness

• Controls must be used to be effective.
• Efficient
• Time, memory space, human activity,
• Easy to use
• appropriate

18
Overlapping Controls

• Several different controls may apply to one
  potential exposure.
• H/w control S/w control Data control

19
Goals of Security

• Prevention
• Prevent attackers from violating security policy
• Detection
• Detect attackers violation of security policy
• Recovery
• Stop attack, assess and repair damage
• Continue to function correctly even if attack
  succeeds

20
Trust and Assumptions

• Underlie all aspects of security
• Policies
• Unambiguously partition system states
• Correctly capture security requirements
• Mechanisms
• Assumed to enforce policy
• Support mechanisms work correctly

21
Types of Mechanisms
secure
broad
precise
set of reachable states
set of secure states
22
Assurance

• Specification
• Requirements analysis
• Statement of desired functionality
• Design
• How system will meet specification
• Implementation
• Programs/systems that carry out design

23
Operational Issues

• Cost-Benefit Analysis
• Is it cheaper to prevent or to recover?
• Risk Analysis
• Should we protect something?
• How much should we protect this thing?
• Laws and Customs
• Are desired security measures illegal?
• Will people do them?

24
Human Issues

• Organizational Problems
• Power and responsibility
• Financial benefits
• People problems
• Outsiders and insiders
• Social engineering

25
Tying Together
Threats
Policy
Specification
Design
Implementation
Operation
26
Key Points

• Policy defines security, and mechanisms enforce
  security
• Confidentiality
• Integrity
• Availability
• Trust and knowing assumptions
• Importance of assurance
• The human factor