Defining Computer Security - PowerPoint PPT Presentation

1 / 36
About This Presentation
Title:

Defining Computer Security

Description:

Defining Computer Security cybertechnology security can be thought of in terms of various counter measures: (i) unauthorized access to systems – PowerPoint PPT presentation

Number of Views:109
Avg rating:3.0/5.0
Slides: 37
Provided by: danie505
Category:

less

Transcript and Presenter's Notes

Title: Defining Computer Security


1
Defining Computer Security
  • cybertechnology security can be thought of in
    terms of various counter measures
  • (i) unauthorized access to systems
  • (ii) alteration of data that resides in and is
    transmitted between computer systems
  • (iii) disruption, vandalism, and sabotage of
    computers systems and networks.

2
Defining Computer Security (continued)
  • Confidentiality protecting against un-
    authorized disclosure of information to third
    parties.
  • Integrity preventing unauthorized modification
    of files.
  • Availability preventing unauthorized
    withholding of information from those who need it
    when they need it. DOS

3
Figure 6-1
Computer Security
System Security Data
Security
vulnerability to access of data.
vulnerability to "malicious programs" (viruses
and worms).

Resident Data
Transmitted Data
4
Dont Hack. Hacking is bad.
  • And what is good?

5
Hackers and Ethics
  • The original Hacker Ethic
  • 50s and 60s Informal ethical code by hackers of
    MIT and Stanford (SAIL).
  • The first generation of programmers
    time-sharing terminal access to 'dumb'
    mainframes,
  • Confronted bureaucratic interference in exploring
    technological systems (computers, model trains,
    steam tunnels, phone systems, etc.).
  • The ethic reflects their resistance to these
    obstacles, and their ideology of the liberating
    power of technology.

6
Hacker Ethic Steven Levy 1984 Hackers
Heroes of the Computer Revolution
  • describes the following beliefs
  • (i)  Access to computers should be unlimited and
    total.
  • Rather than limited to big business and elite
  • (ii)  All information should be free.
  • freedom of movement no censorship
  • without control (freedom of change/evolution no
    ownership or authorship, no intellectual property
  • without monetary value (no cost.)

7
Hacker Ethic
  • (iii)  Mistrust Authority - Promote
    Decentralization
  • Distrust large institutions (The State,
    corporations, the IBM 'priesthood)
  • (iv)  Hackers should be judged by their hacking,
    not bogus criteria such as degrees, age, race, or
    position.
  • (v)  You can create art and beauty on a computer.
  • (vi)  Computers can change life for the better.

8
New Hacker Ethics
  • "Above all else, do no harm" Do not damage
    computers or data if at all possible.
  • based on intent.
  • what constitutes "harm" is left open. pranks and
    practical jokes harmless?
  • Protect Privacy control over personal
    information.
  • Still no codified right to privacy for U.S.
    citizens,
  • Supreme Court -- implicit in judgments
    (legalizing distribution of birth control and the
    right to abortion).
  • Means a certain kind of information should not be
    free --contradiction to the original hacker
    ethic.

9
New Hacker Ethic
  • "Waste not, want not."
  • Computers should not lie idle and wasted.
  • "joy riders' ethic"
  • If you borrow someone's car, and return it with
    no damage, a full tank of gas, improvements?
  • Is it an ethical to make a set of keys for
    yourself so you can borrow it whenever you feel
    like? (sysadmin privileges).

10
New Hacker Ethic
  • Exceed Limitations
  • "Extropians" universal force of expansion and
    growth, inverse to entropy, which they call
    "extropy."
  • Falsificationism Should seek its own demise
    flaws, weaknesses
  • The Communicational Imperative
  • Right to communicate with their peers freely.
  • 1st amendment rights to communication and
    assembly -- for the free flow of information.
  • Phreakers people (poor), right to communicate
    cheaply .

11
New Hacker Ethic
  • Leave No Traces
  • Keep quiet, so everyone can enjoy what you have
  • to protect other hackers from being caught or
    losing access.
  • Share!
  • Information increases in value by sharing
  • Don't hoard, don't hide
  • Just because it wants to be free, does not mean
    you must give it to as many people as possible.
    Pirates are NOT freeloaders

12
New Hacker Ethic
  • Self Defense be vigilant against cyber-tyranny
    and
  • Cyberpunk Future Hacking
  • to overcome more powerful forces that can control
    their lives.
  • If governments and corporations know they can be
    hacked, then they will not overstep their power
    to afflict the citizenry.
  • Hacking Helps Security
  • "Tiger team ethic" it is useful and courteous to
    find security holes, and then tell people how to
    fix them.
  • Trust, but Test! security and system integrity
  • lest it fail when it is most needed (like the AT
    T phone switches did in 1990.)

13
3 Principles in Hacker Ethic
  • (1) Information should be free
  • (2) Hackers provide society with a useful and
    important service
  • (3) Activities in cyberspace are virtual in
    nature and thus do not harm real people in the
    real (physical) world. 

14
Information Wants to Be Free
  • Eugene H. Spafford "Spaf (1992) CS Purdue,
    leading computer security expert.
  • Idealistic, romantic, naïve
  • If information were free, privacy would not be
    possible
  • It would not be possible to ensure integrity and
    accuracy of the information
  • Would we permit someone to start a fire in a
    shopping mall in order to test the sprinkler
    system?
  • Would you thank a burglar who shows that your
    home security system was inadequate?

15
Can Computer Break-ins Ever Be Ethically
Justified?
  • Spafford (1992) believes that in certain extreme
    cases, breaking into a com- puter could be the
    "right thing to do."
  • e.g., breaking into a computer to get medical
    records to save ones life.
  • He also argues that computer break-ins always
    cause harm and from this point, he infers that
    hacker break-ins are never ethically justifiable.

16
Hacktivism
  • Manion and Goodrum (2000) questioned whether some
    cyber-attacks might not be better understood as
    acts of hacktivism.
  • They consider the growing outrage on the part of
    some hackers and political activists over an
    increasingly "commodified Internet.
  • They also question whether this behavior suggests
    a new form of civil disobedience, which they
    describe as hacktivism.

17
Hacktivism (continued)
  • Hacktivism integrates the talent of traditional
    computer hackers with the interests and social
    consciousness of political activists.
  • Manion and Godrum note that while hackers
    continue to be portrayed as vandals, terrorists,
    and saboteurs, hardly anyone has considered the
    possibility that at least some of these
    individuals might be "electronic political
    activists" or hacktivists.

18
Activism, Hacktivism, and Cyberterrorism
  • Activism includes the normal, non-disruptive use
    of the Internet to support a cause.
  • e.g, an activist could use the Internet to
    discuss issues, form coalitions, and plan and
    coordinate activities.
  • Activists could engage in a range of activities
    from browsing the Web to sending e-mail, posting
    material to a Web site, constructing a Web site
    dedicated to their political cause or causes, and
    so forth.

19
Activism, Hacktivism, and Cyberterrorism
(continued)
  • Hacktivism activism and hacking
  • target sites with intent to disrupt normal
    operations
  • but without intending to cause serious damage.
  • "e-mail bombs" and "low grade" viruses
  • cause only minimal disruption and would not
    result in severe economic damage or loss of life.

20
Activism, Hacktivism, and Cyberterrorism
(continued)
  • Cyberterorism consists of operations that are
    intended to cause
  • great harm such as loss of life
  • or severe economic damage, or both.
  • e.g., attempt to bring down stock market
  • or take control of a transportation unit in order
    to cause trains to crash.

21
Table 6-1 Hacktivism, Cyberterrorism, and
Information Warfare
Hacktivism The convergence of political activism and computer hacking techniques to engage in a new form of civil disobedience.
Cyberterrorism The convergence of cyber-technology and terrorism for carrying acts of terror in (or via) cyberspace.
Information Warfare Using information to deceive the enemy and using conventional warfare tactics to take out an enemy's computer and information systems.
22
Four Types of Security Countermeasures
  • Firewalls
  • Anti-Virus Software
  • Encryption Tools
  • Anonymity Tools
  • Others??
  • Security through obscurity

23
New Security Problems ?
  • Collaboration
  • Multi-User Applications
  • Ubiquitous / Wireless Net
  • Limiting access (e.g. in schools)
  • Others ???

24

25
Encryption Tools (Continued)
  • An encrypted communication will be only as secure
    and private as its key.
  • In private-key encryption, both parties use the
    same encryption algorithm and the same private
    key.
  • Public cryptography uses two keys one public and
    the other private.

26
Encryption (Continued) public Cryptography
  • If A wishes to communicate with B, A uses B's
    public key to encode the message.
  • That message can then only be decoded with B's
    private key, which is secret.
  • Similarly when B responds to A, B uses A's public
    key to encrypt the message.
  • That message can be decrypted only by using A's
    private key. Although information about an
    individual's public key is accessible to others,
    that individual's ability to communicate
    encrypted information is not compromised.

27
Anonymity Tools
  • Users want to secure the integrity and confi-
    dentiality of their electronic communications.
  • They also wish to protect their identity while
    engaging in on-line activities.
  • Anonymity tools such as the Anonymizer, and
    pseudonymity agents such as Lucent's Personalized
    Web Assistant, enable users to roam the Web
    either anonymously or pseudonymously.

28
Anonymity Tools (Continued)
  • able to navigate the Internet without personal
    identity being revealed.
  • e.g., the user cannot be identified beyond
    certain technical information such as
  • the user's IP (Internet protocol) address,
  • ISP, and so forth.

29
Code of Network Ethics for Security (continued)
  • Would you would be willing to purchase an
    automobile that could not be locked (secured) and
    thus protected against theft?
  • Steele points out that there are no adequate
    "locks" for computers.
  • He blames Microsoft and other large computer
    corporations for not ensuring and guaranteeing
    that the computer software products are more
    secure.

30
Code of Network Ethics for Security (Continued)
  • Steele also believes that corporations that
    produce computer software should assume full
    responsibility, legal and moral, for any insecure
    software products they sell.
  • He concludes that we need a "Code of Network
    Ethics" with a "due diligence" clause, which
    would spell out specific requirements for
    businesses engaged in the production of software.

31
Criticism of Steeles Argument for a Network Code
of Ethics
  • We can agree with Steele's assumptions that
    consumers desire reliable products and that they
    expect dependable computer systems.
  • We can also question whether the analogy that
    Steele draws between computer systems and
    automobiles is a useful one, or whether it breaks
    down in certain crucial respects.
  • It is not yet possible to test computer systems
    for reliability in the same way that we can test
    automobile systems.

32
Total Security in Cyberspace
  • Can total security in cyberspace be achieved?
  • If so, would it be a desirable goal?
  • When asked if we would prefer a secure
    cyberspace, we would likely answer "yes."
  • But we might not be willing to accept the
    consequences of such a level of security.
  • e.g., more secure systems might require certain
    additional features in cyber-technology that
    would result in computer systems being less
    friendly and thus more difficult for ordinary
    users to operate.

33
Viewing Security as a Process Rather Than as a
Product
  • Scheier (2000) claims that anyone who promises a
    totally secure or "hacker proof" system is
    selling "snake oil.
  • Many security experts assume we simply need to
    find the right technology or the foolproof
    encryption device or the right security
    countermeasures.

34
Security as a Process (continued)
  • For Schneier, security is a process, not a
    product.
  • Schneier believes that an important element in
    that process is risk assessment.
  • Seeking perfect security would make a system
    useless, because "anything worth doing requires
    some risk."

35
Computer Security and Risk Analysis
  • Risk analysis is a methodology used to come to an
    informed decision about the most cost-effective
    controls to limit the risks to your assets
    vis-à-vis the spectrum of threats.
  • Banks and credit card companies can tolerate a
    considerable amount of credit risk and fraud
    because they know how to anticipate loses and
    price their services accordingly.
  • What is the acceptable level of risk in computer
    systems? How can we assess it?

36
Risk Assessment (Continued)
  • Many of the ethical issues surrounding computer
    security are not trivial.
  • They have implications for public safety that can
    result in the deaths of significant numbers of
    persons.
  • So it is not clear that all computer security
    issues can be understood simply in terms of the
    risk analysis model advocated by Schneier.
Write a Comment
User Comments (0)
About PowerShow.com