We will cover: - PowerPoint PPT Presentation

Provided by: martin159
Slides: 28

Transcript and Presenter's Notes
1
Lecture 2
  • We will cover
  • 1. What are the critical issues and tasks for a
    security system.
  • 2. The MOST IMPORTANT information about computer
    systems security.
  • Reading to accompany this lecture
  • Pfleeger, chapter 1.

2
Classes of threat (Pfleeger)
  • Pfleeger identifies 4 classes/types of threat -
    actually they are really modes of loss or harm -
    I do not particularly like his categorisation as
    these categories are not given a justification
    and group together elements that need to be
    distinguished
  • 4 types of threat - interception, interruption,
    modification, fabrication

3
  • interception - some unauthorised agent (person,
    program, etc.) has gained access to an asset -
    but this does not distinguish between different
    types of access e.g. copying the asset
    (disclosure of information), modification of the
    asset, or destruction of the asset, etc.
  • interruption - assets are unavailable or unusable
    - but this does not distinguish how it is
    unavailable -because destroyed or because of loss
    of possession
  • modification - asset is changed by agent - OK
  • fabrication - counterfeit objects are created -
    but this is a sub-type of modification or of
    copying and is differentiated only on the basis
    of an attacker's intention

4
Security violation = unauthorised usage of an item
  • The various modes of loss or harm are all by
    definition the consequence of the usage of an
    item without the appropriate usage permission
    (unauthorised usage of an item) - this may be by
  • 1. Use of an item by someone or something not
    authorised by the owner to use the item at all
  • 2. Use of an item by someone or something not
    authorised by the owner to use the item in a given
    way - if reading (copying) the item, this is theft;
    if modifying the item, this is damage

5
Interference with usage permissions of owner
  • Any of the possible modes of loss or harm may
    occur as a result of direct action on the item
    (e.g. if you want a file of data, steal the hard
    disk the file resides on), but most commonly they
    result from action on the owner's control over the
    determination of usage permissions
  • For example
  • 1. If the owner's usage permissions for some item
    can be modified without the owner's agreement,
    then actions on the item that result in loss or
    harm may appear to be valid (at least at the time
    they occur)

6
  • 2. If the system can be fooled into thinking an
    intruder is the owner of some item, then actions
    on that item appear valid to the system although
    they stem from an unauthorised individual
  • Almost all security breaches in computer systems
    occur as a result of fooling the system into
    thinking the action is authorised when it is not
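The second case above (the system is fooled into thinking an intruder is the owner), as an added example in Python that is not part of the lecture. A server that takes the owner's identity from a field the client supplies is fooled by anyone who claims the right name; the hardened version accepts only a session token the server itself signed with an HMAC key, compared in constant time and checked for expiry. The key, the token layout and the expiry figures are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed server-side secret for the example; a real service loads it from a
# key store and never hard-codes it.
SERVER_KEY = b"example-only-key-not-for-production"


def vulnerable_owner_of(request: dict) -> str:
    """Vulnerable: believes whatever identity the client claims.

    Any request carrying {"user": "alice"} is treated as coming from alice,
    so the system is fooled into thinking an intruder is the owner.
    """
    return request["user"]


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def _canonical(claims: dict) -> bytes:
    # Fixed key order and separators so the same claims always sign the same way
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_token(user: str, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    """Server side: token = base64(claims) + "." + base64(HMAC-SHA256(key, claims))."""
    now = time.time() if now is None else now
    payload = _canonical({"user": user, "exp": int(now) + ttl_seconds})
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def hardened_owner_of(request: dict, now: Optional[float] = None) -> Optional[str]:
    """Hardened: the identity comes only from a token this server signed.

    Returns the user name, or None if the token is missing, malformed,
    forged or expired.
    """
    now = time.time() if now is None else now
    token = request.get("token", "")
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, TypeError, AttributeError):
        # unpacking failure, bad base64 (binascii.Error is a ValueError), non-string token
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    # Constant-time comparison: a plain == stops at the first differing byte
    # and so leaks how much of a guessed tag was right.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims.get("user")


def tamper_with_user(token: str, new_user: str) -> str:
    """What an attacker without the key can do: rewrite the claims, reuse the old tag."""
    payload_b64, tag_b64 = token.split(".", 1)
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    claims["user"] = new_user
    return _b64(_canonical(claims)) + "." + tag_b64
```

The tampered token is rejected because the tag no longer matches the claims, and a token that has passed its expiry is rejected even though its tag is valid; the vulnerable function has no way to tell either case from a genuine owner.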

7
Critical issues - Access Control and
Authentication
  • Thus 2 issues are critical to computer system
    security
  • 1. How to organise usage permissions for items of
    data or software (even hardware) - usually called
    Access Control
  • 2. How to establish reliably who a subject is -
    the owner of an item, or someone the owner has
    granted usage permissions to - usually called
    Authentication
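The access-control issue above, as an added example in Python that is not part of the lecture: a small reference monitor through which every use of an item must pass. It keeps the distinction from slide 4 between using an item at all and using it in a given way (separate read and write permissions), and it lets only the owner change permissions, the point of slide 5. The item, subject and permission names are constructed for the example, and the monitor assumes the subject names it receives have already been authenticated (the separate problem of point 2).

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Set

# Usage modes the owner grants separately: being allowed to use an item
# "at all" is not the same as being allowed to use it "in a given way"
# (reading it is theft, modifying it is damage).
READ = "read"
WRITE = "write"


class AccessDenied(Exception):
    """Raised by the monitor whenever a subject lacks the permission it needs."""


@dataclass
class Item:
    owner: str
    content: str = ""
    # subject -> set of usage modes the owner has granted; the owner is implicit
    acl: Dict[str, Set[str]] = field(default_factory=dict)


class ReferenceMonitor:
    """Every use of an item goes through check(); nothing reaches an Item directly."""

    def __init__(self) -> None:
        self._items: Dict[str, Item] = {}

    def create(self, owner: str, name: str, content: str = "") -> None:
        if name in self._items:
            raise ValueError(f"{name!r} already exists")
        self._items[name] = Item(owner=owner, content=content)

    def grant(self, actor: str, name: str, subject: str, mode: str) -> None:
        # Only the owner may change usage permissions. If anyone else could,
        # later unauthorised actions would look perfectly valid (slide 5, point 1).
        item = self._items[name]
        if actor != item.owner:
            raise AccessDenied(f"{actor} is not the owner of {name}")
        item.acl.setdefault(subject, set()).add(mode)

    def check(self, subject: str, name: str, mode: str) -> bool:
        item = self._items.get(name)
        if item is None:
            # Deny by default; the answer also does not reveal whether the item exists
            return False
        if subject == item.owner:
            return True
        return mode in item.acl.get(subject, set())

    def read(self, subject: str, name: str) -> str:
        if not self.check(subject, name, READ):
            raise AccessDenied(f"{subject} may not read {name}")
        return self._items[name].content

    def write(self, subject: str, name: str, content: str) -> None:
        if not self.check(subject, name, WRITE):
            raise AccessDenied(f"{subject} may not write {name}")
        self._items[name].content = content


def attempt(action: Callable[..., object], *args: object) -> bool:
    """Run an action through the monitor and report whether it was permitted."""
    try:
        action(*args)
        return True
    except AccessDenied:
        return False
```

With this structure a reader granted READ can copy the item but cannot damage it, and a subject who is not the owner cannot quietly grant itself WRITE first: the grant itself is an access-controlled operation.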

8
Security goals - Confidentiality, Integrity,
Availability
  • The different modes of harm or loss lead to 3
    different standard security goals
  • A security system seeks to ensure
  • 1. Confidentiality of items = prevention of
    unauthorised disclosure of information - thus
    confidentiality ensures protection against
    unauthorised change in possession (copying or
    theft of data/software)
  • confidentiality also refers to knowledge of the
    existence of data or resource not just content

9
  • 2. Integrity of items = prevention of
    unauthorised modification of items - thus
    integrity ensures protection against unauthorised
    change (modification) to item
  • 3. Availability of items = prevention of
    unauthorised withholding of information or
    resources - thus availability ensures protection
    against unauthorised destruction of an item and
    against unauthorised loss of possession

10
  • The security mechanisms must attempt to ensure
    confidentiality, integrity and availability.
  • Issue - security mechanisms rely on the computer
    system to carry out their functions - thus they may
    be subject to attack themselves and must themselves
    be protected (i.e. the mechanism must protect itself)
  • Issue - goals can conflict e.g. mechanisms that
    ensure confidentiality may make a given item
    (data/software) less readily available for
    legitimate users

11
Threat, Vulnerability, Control
  • 3 concepts that describe the task of the security
    system
  • Threat = anything that has the ability to cause
    loss or harm to the components of the computer
    system - threat can be human (criminal), but
    other examples include natural disasters or
    errors(bugs) in software
  • attack = deliberate attempt by a human to realise
    a threat

12
  • Vulnerability = weakness in the computer system
    that might allow a threat to cause loss or harm -
    something that might allow an attack to be
    successful (weakness in defences)
  • Control = action, device, procedure or technique
    that removes or reduces a vulnerability
  • The design of a security system must attempt to
    identify possible/probable threats, identify
    vulnerabilities in the computer system and
    attempt to establish effective controls to
    eliminate or reduce those vulnerabilities.

13
Accountability
  • computer security must embed the principle of
    accountability - agents within the computer
    system are responsible for their actions, and any
    action that affects the security of the system
    should be traceable back to the responsible party
  • this implicitly accepts that no system is
    ultimately secure, so we must be able to prosecute
    and punish breaches, and deter attempts through
    the threat of detection

14
  • but to do this we need to maintain an audit trail
    of any actions carried out on the system, which in
    turn requires the system to authenticate and
    identify users and their actions reliably, and to
    protect the audit trail itself from the agents it
    records - not that easy
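The audit requirement of the two slides above, as an added example in Python that is not part of the lecture: a hash-chained audit log in which every entry commits to the hash of the entry before it, so an auditor who has recorded the latest hash somewhere the logged agents cannot reach (another host, a write-once device) can detect edited, deleted and truncated entries. The record fields and the use of SHA-256 are assumptions; the chain does not by itself stop an attacker who can rewrite the entire log, which is exactly why the head hash has to be kept elsewhere.

```python
import hashlib
import json
from typing import List, Optional, Tuple

# Hash "before" the first entry, so entry 0 is chained like every other one
GENESIS = "0" * 64


def _entry_hash(prev_hash: str, body: dict) -> str:
    # Canonical encoding so the same record always hashes the same way
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + canonical).encode()).hexdigest()


class AuditLog:
    """Append-only log where each entry commits to the previous entry's hash."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, subject: str, action: str, item: str, allowed: bool) -> dict:
        prev_hash = self.head()
        body = {
            "seq": len(self.entries),   # position; a deleted entry leaves a gap
            "subject": subject,         # who (as authenticated by the system)
            "action": action,           # what they attempted
            "item": item,               # on which item
            "allowed": allowed,         # whether the monitor permitted it
            "prev": prev_hash,          # link to the entry before
        }
        record = dict(body)
        record["hash"] = _entry_hash(prev_hash, body)
        self.entries.append(record)
        return record

    def head(self) -> str:
        """The latest hash: this is the value an auditor records out of band."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify(entries: List[dict], expected_head: Optional[str] = None) -> Tuple[bool, str]:
    """Recompute the chain. Returns (ok, reason).

    expected_head is the head the auditor stored elsewhere; without it, a log
    that has been cut short after the last honest entry still looks consistent.
    """
    prev = GENESIS
    for i, entry in enumerate(entries):
        if entry.get("seq") != i or entry.get("prev") != prev:
            return False, f"chain broken at entry {i}"
        body = {k: v for k, v in entry.items() if k != "hash"}
        if _entry_hash(prev, body) != entry.get("hash"):
            return False, f"entry {i} was modified"
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, "log was truncated or replaced"
    return True, "ok"
```

Changing the `allowed` flag on a denied attempt (the kind of edit an intruder would make to hide a failed break-in) breaks that entry's hash; deleting an entry breaks the `seq`/`prev` links of the one after it; cutting the log short only shows up against the out-of-band head.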

15
Some fundamental dilemmas of computer security
  • 1. Ease of use (productivity) v. specific
    security requirements.
  • The spread of computers to people who have no
    expertise in computing results in a dilemma -
    security-unaware users have specific security
    requirements but usually no security expertise -
    how do you make security transparent to the user,
    yet adaptive to users' security needs?
  • There is often a trade-off between security and
    ease of use
  • Security mechanisms may hinder (reduce)
    productivity by increasing time required to
    complete various tasks

16
  • 2. Cost of security v. Cost of loss/harm to given
    resource.
  • security mechanisms have to be bought and
    maintained - this costs. Plus security mechanisms
    use resources - and this costs money and time
  • risk analysis is a process that tries to
    determine whether the cost is worth it
  • This leads to the principle of adequate protection
    - items must be protected in a way consistent with
    their value and only for as long as they retain
    that value

17
Design issues in computer security
  • 1. focus of control - integrity has to do with
    identifying authorised users, authorised actions,
    authorised values/states of asset - thus issue -
    should protection mechanism focus on users,
    operations or data?
  • 2. In which layer of the system to place security
    controls - lower down (closer to hardware) easier
    to implement and more generic, more concerned
    with access to resources, more computer focused,
    but not specific or fine grained or flexible for
    users needs

18
  • 3. complexity v. assurance - should you prefer
    simplicity and higher assurance that the security
    works or more complexity/flexibility but with
    less assurance
  • 4. centralise v. decentralised controls - easier
    to control and better assurance if centralised,
    but centralised security controls can produce
    efficiency bottlenecks, the centralised system
    becomes critical (less redundancy) and less
    flexible

19
5 problems
  • The computer system's operation (what it does to
    the data) depends upon hardware, software and
    users. This leads to 5 problems (among others).
  • 1. Results from computability theory (Rice's
    theorem) tell us that there is no general procedure
    that decides whether an arbitrary program is
    correct (works according to its specification).
    Individual programs can be proven correct, but only
    at great cost and against a specification that may
    itself be wrong - so in practice we can never be
    sure that a (complex) program has no bugs in it.

20
  • 2. Likewise there is no general way to prove that
    a given hardware component meets its specification,
    i.e. is fault free - and even a verified design can
    fail physically.
  • 3. Owners and authorised users of components of
    the computer system are human beings, thus the
    proper running of the computer system has to make
    reference to entities that are external to itself
    (and whose behaviour is not controllable by the
    computer security system or even predictable by
    the computer security system).

21
  • 4. Any security system is only as strong as its
    weakest link - i.e. one part of the system may be
    perfect, but if any one part is flawed (by having
    a bug in it for instance), then the whole system
    is compromised - a leaky bucket is only flawed
    where the hole is and holds water perfectly
    everywhere else, but who cares that the bucket is
    perfect apart from the hole - it still leaks!!
  • 5. Humans will attack any system for any reason
    (any system will be subject to attack by some
    humans for a wide variety of reasons, many of
    which are unpredictable).

22
IMPORTANT
  • The next 4 slides contain the
  • MOST IMPORTANT
  • information about computer systems security.

23
The 3 Security Laws
  • 3 Laws for computer security (acknowledging
    Murphy's inspiration) - actually they are Laws
    that are true for any system.
  • 1. Over a long enough period of time everything
    that can go wrong, will go wrong.
  • 2. It is impossible to predict what things will
    go wrong and how they will go wrong.
  • 3. It is impossible to predict when something
    will go wrong next.

24
Critical Systems corollary
  • Critical Systems corollary to above Laws
  • All the above laws apply to resources/processes
    that are critical (which have disastrous effects
    when they go wrong) as well as those that are
    not. The consequence of this is that sometimes
    when things go wrong, things will go wrong in
    critical systems at the precise moment when it
    will cause maximum damage.

25
Consequences from the Laws
  • We need to design computer systems and computer
    systems security mechanisms assuming that ANY
    security feature may go wrong, and may itself be
    the component exploited to by-pass the security of
    the system.
  • Make security systems redundant (defence in depth)
    - combinations of mechanisms, each of which would
    provide complete protection on its own if it worked
    perfectly, but that work in different ways (and so,
    we hope, fail in different ways at different times).
  • Build redundancy (duplication and spare capacity)
    and fault tolerance into the computer systems
    wherever possible.

26
Not secure, but less insecure
  • We cannot make computer systems secure - EVER!
  • (unless they are very simple systems and even
    then....given enough time)
  • We CAN make computer systems comparatively secure
    (secure against an ever wider range of attacks
    and threatening events) by a continuous process
    of improvement - identify vulnerabilities, attempt
    to eliminate them, evaluate and review, try to
    identify new vulnerabilities, and repeat.
