Computer Systems Security - PowerPoint PPT Presentation

About This Presentation
Title:

Computer Systems Security

Description:

Martin Slade (module leader), room: K356, phone: 353554, e-mail: M.Slade_at_staffs.ac.uk ... 2 lectures 1 tutorial/practical per week - tutorial/practicals start ... – PowerPoint PPT presentation

Slides: 30
Provided by: martin159

Transcript and Presenter's Notes

1
Computer Systems Security
  • Teaching team
  • Martin Slade (module leader), room K356, phone
    353554, e-mail M.Slade_at_staffs.ac.uk
  • Pirooz Saeidi, room K244, phone 353270, e-mail
    P.Saeidi_at_staffs.ac.uk

2
Classes
  • Classes
  • 2 lectures + 1 tutorial/practical per week -
    tutorial/practicals start next week - NONE this
    week!
  • 3 Tutorial/practical classes timetabled - Monday
    1pm K006, Wednesday 9am K006, Thursday 11am K006
  • choose an appropriate class, turn up and sign up
    for it

3
Slides and module information
  • For now
  • PowerPoint versions of lecture slides, the
    tutorial/practical questions and example answers
    will be made available on my web site at
  • www.soc.staffs.ac.uk/mss1/css/css-index.htm
  • lecture slides will be put on the web page the
    day before the lecture
  • Also information about assessments (at an
    appropriate time), announcements, and other
    information about the module will appear on the
    web page from time to time

4
  • Later
  • module will appear on Blackboard
  • Blackboard.staffs.ac.uk/
  • Information that appears on Web site will appear
    on Blackboard

5
Learning outcomes
  • 1. To be able to explain the fundamental
    principles and concepts involved in the securing
    of computer systems, both stand-alone and network
    based.
  • 2. To be able to specify, design and implement an
    exemplar component of a security system.
  • 3. To be able to critically evaluate various
    techniques used in exemplar security systems.

6
Assessment
  • Assignment (50%) - researching and writing
    a security component - learning outcomes 2 and 3
  • Exam (50%) - 2 hours long - learning outcomes 1
    and 3

7
Study time guide
  • Module has a total of 150 hours allocated to it,
    as follows
  • 36 hours for lectures/tutorials + 2 hours for
    exam
  • Giving 112 hours left over to be organised by
    you; example breakdown
  • 26 hours revision for exam
  • 50 hours work on assignment
  • 36 hours for tutorial preparation and weekly
    reading, i.e. 3 hours of reading and advance review
    of tutorial material per week - less on this will
    require more on the others

8
  • Textbook
  • Pfleeger, C. P. and Pfleeger, S. L., Security in
    Computing, Prentice Hall, 3rd edition, 2002
  • Alternative book
  • Gollmann, D., Computer Security, Wiley, 2nd
    edition, 2006
  • Reference will be made to other books/articles as
    relevant, particularly Stallings' book on network
    security

9
Lecture 1
  • In this lecture we will be looking at
  • 1. What is computer system security.
  • 2. How things are insecure.
  • Reading to accompany this lecture
  • Pfleeger, chapter 1.

10
Definition of Computer System
  • System - a set of components/elements (hardware,
    software, people, organisations) that interact to
    produce specific input/output behaviour across
    some boundary
  • elements of a system may be systems themselves
    (sub-systems)
  • Computer - a machine that can (in principle)
    execute any algorithm that is specified for it -
    an algorithmic mechanism
  • may be stand-alone, embedded or distributed

11
  • Computer System - any system in which a computer
    executing an algorithm produces the outputs for
    the system
  • includes hardware (computer and I/O peripherals),
    software (algorithms) and data (inputs to and
    outputs from algorithms)
  • A network of computers that communicate with each
    other would count as a computer system because
    final outputs are determined by end nodes of
    the network

12
Security - informal exposition
  • Security - notion we are familiar with as
    security of physical objects
  • useful analogy - informally something is secure
    if it is safe/protected from loss or harm
  • loss - we can no longer use object
  • harm - we can no longer use object in ways that
    we want to (because it no longer functions
    properly or as it should)
  • THUS - security is really about ensuring that
    something we have is available to us to use in
    the ways that we want to use it

13
  • 3 fundamental concepts that underpin this
    common-sense notion of security are
  • Ownership
  • Authority
  • Possession

14
Ownership
  • Ownership - relationship that is recognised as
    legal between an owner (person or organisation,
    etc) and something owned i.e. property (object,
    resource, information, software, etc.)
  • owner can determine (subject to legal
    constraints) who does what with the owner's property
    - can also determine when, where and how
    something is used - although such things are
    often left as assumptions about reasonable use.
  • In other words - the owner determines the nature
    of the usage of the property/object

15
  • We can see this as a set of usage permissions (in
    literature on security these are often called
    Access Permissions)
  • Owner - has legal right to determine the usage
    permissions of their property, subject to
    constraints on usage specified by the legal
    authorities.

16
Authority
  • The legal right means that interference with an
    owner's determination of usage permissions is
    subject to legal remedies (remedy = action taken
    by legal authorities to punish wrongdoer or
    obtain appropriate restitution to wronged party)
  • Having legal right to do something means having
    the authority to do something
  • owner is authorised to determine the usage
    permissions of their property subject to legal
    constraints

17
  • someone is authorised to use some property in a
    given way (possibly, if specified, only at a
    given time or for a given length of time, at a
    certain location, etc) if owner of the property
    has given them usage permissions on the property
    to use property in a given way, etc.

18
Possession
  • Possession - possession gives possessor the
    capacity to determine/control the usage of the
    thing possessed, independently of whether or not
    they are legally entitled to determine usage of
    the thing
  • normally owner of property also possesses it, but
    owner can also not have possession e.g. if object
    is rented (owner has granted for a fee certain
    usage permissions on the property) or it is
    stolen (thief can determine how property is used
    i.e. determine usage, but does not have any legal
    right to determine such usage)

19
Security - definition
  • Property is secure if and only if the owner's
    authority to determine usage permissions is not
    interfered with and if the property is used, by
    all who use it, only according to the usage
    permissions of the owner.
  • Security is the process of attempting to ensure
    that property is secure by
  • mechanisms that seek to prevent breaches in
    security from happening
  • mechanisms that seek to detect attempts
    (successful and unsuccessful) to breach security
  • mechanisms that seek to recover from breaches in
    security (to minimise loss or harm)

20
Computer Systems Security
  • Computer system is secure if and only if
  • 1. owners of the various components of the system
    (hardware, software or data items) can
    determine how those items are used without
    illegal interference
  • and
  • 2. users of those items only use them if they have
    been granted permission to use them and only use
    them in the ways specified by the owner of the
    item.

21
  • Computer systems security is the process of
    attempting to ensure that computer system
    components (hardware, software, data) are secure
    by using mechanisms that prevent, detect and
    recover from breaches in security

22
Modes of loss or harm
  • Items in an insecure system can suffer loss or
    harm
  • Loss - of 2 types
  • 1. unauthorised change in possession of an item
  • unauthorised loss of possession of an item is a
    special case of this
  • 2. unauthorised destruction of an item (this may
    be classified as harm - it does not really
    matter)
  • Harm - unauthorised change to an item

23
Loss 1. - unauthorised change in possession of an
item
  • not easy to see that information or software is
    property that may be stolen
  • theft of physical objects is something we
    understand, but different from theft of
    information
  • theft of physical objects leaves legal right
    unchanged but removes owner's possession of the
    object stolen
  • theft of information involves copying information
    normally without deleting or damaging the
    original (thieves want to be covert)

24
  • theft of software and data leaves legal right
    unchanged but also usually leaves owner still in
    possession of software/data - possession
    (capacity to control how an item is used) however
    is now shared between owner and thief
  • hardware, software or information theft all
    involve unauthorised change in possession of an
    item (for hardware, owner has nil possession; for
    software/data, owner now has shared possession)

25
  • Where a software or data item is copied but the
    owner's copy is deleted or destroyed, then the
    change in possession is similar to hardware theft
    - loss of possession of item rather than sharing
    possession - however such loss of possession may
    be temporary (item may be re-acquired)

26
Loss 2. - unauthorised destruction (deletion) of
item
  • physical item or software or data no longer
    exists - the item cannot be identified and even
    if components of item can be identified they are
    so damaged that the item itself cannot even be
    partially re-constructed from those components

27
Harm - unauthorised change (modification) to item
  • item is modified in some way (data changed,
    software modified so that it behaves differently,
    hardware damaged so that it malfunctions, etc)
  • change is not authorised by owner or by user who
    has permission of owner to modify item in a given
    way
  • As a result the integrity of the item is
    compromised i.e. it may not hold the information
    that you expect it to (data corruption), or
    behave as specified (with software or hardware)

28
  • the modified data item may be accepted as valid,
    thus leading to the possibility of using modified
    data to present a false reality (deception and
    forgery)
  • Unauthorised change (modification) = damage -
    original does not exist (in original
    form/matching its specification) - but unlike
    destruction can be partially (or even fully)
    re-constructed from its components
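
A small model of the definition on slides 19-20 and the loss/harm modes on slides 22-28, added here as an example (it is not part of the original lecture). It replays a constructed usage log against owner-granted usage permissions and labels each breach; the item name, user names, action names and event format are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Slides 22-28: unauthorised action -> mode of loss or harm (action names assumed).
MODES = {
    "copy": "loss 1: unauthorised change in possession (shared with owner)",
    "take": "loss 1: unauthorised change in possession (owner has none)",
    "delete": "loss 2: unauthorised destruction",
    "modify": "harm: unauthorised change",
}
INTERFERENCE = "interference with owner's authority"

@dataclass
class Item:
    owner: str
    perms: dict = field(default_factory=dict)  # user -> set of permitted actions

def audit(items, events):
    """Replay events in order; return [(event index, breach label), ...]."""
    breaches = []
    for i, (actor, action, name, *args) in enumerate(events):
        item = items[name]
        if action == "grant":
            user, allowed = args
            if actor != item.owner:            # only the owner sets usage permissions
                breaches.append((i, INTERFERENCE))
                continue                       # the illegitimate grant has no effect
            item.perms.setdefault(user, set()).add(allowed)
        elif actor != item.owner and action not in item.perms.get(actor, set()):
            breaches.append((i, MODES.get(action, "unauthorised use")))
    return breaches

def is_secure(items, events):
    """Slide 19: secure iff no interference and every use follows the permissions."""
    return not audit(items, events)

def sample_items():
    return {"payroll.db": Item(owner="alice")}  # constructed sample item

# Constructed sample log: (actor, action, item[, user, permitted action])
EVENTS = [
    ("alice", "grant", "payroll.db", "bob", "read"),        # owner grants usage
    ("bob", "read", "payroll.db"),                          # authorised use
    ("bob", "modify", "payroll.db"),                        # beyond bob's permission
    ("mallory", "grant", "payroll.db", "mallory", "copy"),  # non-owner grant
    ("mallory", "copy", "payroll.db"),                      # covert copy
    ("mallory", "delete", "payroll.db"),                    # destruction
]

if __name__ == "__main__":
    for index, label in audit(sample_items(), EVENTS):
        print(index, EVENTS[index][:3], "->", label)
```

The audit corresponds to the "detect" mechanism of slide 19; refusing the action at the point of use instead of logging it would be the "prevent" mechanism.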

29
Person, Owner, User, Usage permissions, Resource
relationship