An Overview of Computer Security - PowerPoint PPT Presentation

1 / 26
About This Presentation
Title:

An Overview of Computer Security

Description:

An Overview of Computer Security – PowerPoint PPT presentation

Number of Views:44
Avg rating:3.0/5.0
Slides: 27
Provided by: T395
Category:

less

Transcript and Presenter's Notes

Title: An Overview of Computer Security


1
An Overview ofComputer Security
2
Outline
  • Components of computer security
  • Threats
  • Policies and mechanisms
  • The role of trust
  • Assurance
  • Operational Issues
  • Human Issues

3
Status of security in computing
  • In terms of security, computing is very close to
    the wild west days.
  • Some computing professionals managers do not
    even recognize the value of the resources they
    use or control.
  • In the event of a computing crime, some companies
    do not investigate or prosecute.

4
Characteristics of Computer Intrusion
  • A computing system a collection of hardware,
    software, data, and people that an organization
    uses to do computing tasks
  • Any piece of the computing system can become the
    target of a computing crime.
  • The weakest point is the most serious
    vulnerability.
  • The principles of easiest penetration

5
Security Breaches- Terminology
  • Exposure
  • a form of possible loss or harm
  • Vulnerability
  • a weakness in the system
  • Attack
  • Threats
  • Human attacks, natural disasters, errors
  • Control a protective measure
  • Assets h/w, s/w, data

6
Types of Security Breaches
  • Disclosure unauthorized access to info
  • Snooping
  • Deception acceptance of false data
  • Modification, spoofing, repudiation of origin,
    denial of receipt
  • Disruption prevention of correct operation
  • Modification, man-in-the-middle attack
  • Usurpation unauthorized control of some part of
    the system (usurp take by force or without
    right)
  • Modification, spoofing, delay, denial of service

7
Security Components
  • Confidentiality The assets are accessible only
    by authorized parties.
  • Keeping data and resources hidden
  • Integrity The assets are modified only by
    authorized parties, and only in authorized ways.
  • Data integrity (integrity)
  • Origin integrity (authentication)
  • Availability Assets are accessible to authorized
    parties.
  • Enabling access to data and resources

8
Computing System Vulnerabilities
  • Hardware vulnerabilities
  • Software vulnerabilities
  • Data vulnerabilities
  • Human vulnerabilities ?

9
Software Vulnerabilities
  • Destroyed (deleted) software
  • Stolen (pirated) software
  • Altered (but still run) software
  • Logic bomb
  • Trojan horse
  • Virus
  • Trapdoor
  • Information leaks

10
Data Security
  • The principle of adequate protection
  • Storage of encryption keys
  • Software versus hardware methods

11
Other Exposed Assets
  • Storage media
  • Networks
  • Access
  • Key people

12
People Involved in Computer Crimes
  • Amateurs
  • Crackers
  • Career Criminals

13
Methods of Defense
  • Encryption
  • Software controls
  • Hardware controls
  • Policies
  • Physical controls

14
Encryption
  • at the heart of all security methods
  • Confidentiality of data
  • Some protocols rely on encryption to ensure
    availability of resources.
  • Encryption does not solve all computer security
    problems.

15
Software controls
  • Internal program controls
  • OS controls
  • Development controls
  • Software controls are usually the 1st aspects of
    computer security that come to mind.

16
Policies and Mechanisms
  • Policy says what is, and is not, allowed
  • This defines security for the site/system/etc.
  • Mechanisms enforce policies
  • Mechanisms can be simple but effective
  • Example frequent changes of passwords
  • Composition of policies
  • If policies conflict, discrepancies may create
    security vulnerabilities
  • Legal and ethical controls
  • Gradually evolving and maturing

17
Principle of Effectiveness
  • Controls must be used to be effective.
  • Efficient
  • Time, memory space, human activity,
  • Easy to use
  • appropriate

18
Overlapping Controls
  • Several different controls may apply to one
    potential exposure.
  • H/w control S/w control Data control

19
Goals of Security
  • Prevention
  • Prevent attackers from violating security policy
  • Detection
  • Detect attackers violation of security policy
  • Recovery
  • Stop attack, assess and repair damage
  • Continue to function correctly even if attack
    succeeds

20
Trust and Assumptions
  • Underlie all aspects of security
  • Policies
  • Unambiguously partition system states
  • Correctly capture security requirements
  • Mechanisms
  • Assumed to enforce policy
  • Support mechanisms work correctly

21
Types of Mechanisms
secure
broad
precise
set of reachable states
set of secure states
22
Assurance
  • Specification
  • Requirements analysis
  • Statement of desired functionality
  • Design
  • How system will meet specification
  • Implementation
  • Programs/systems that carry out design

23
Operational Issues
  • Cost-Benefit Analysis
  • Is it cheaper to prevent or to recover?
  • Risk Analysis
  • Should we protect something?
  • How much should we protect this thing?
  • Laws and Customs
  • Are desired security measures illegal?
  • Will people do them?

24
Human Issues
  • Organizational Problems
  • Power and responsibility
  • Financial benefits
  • People problems
  • Outsiders and insiders
  • Social engineering

25
Tying Together
Threats
Policy
Specification
Design
Implementation
Operation
26
Key Points
  • Policy defines security, and mechanisms enforce
    security
  • Confidentiality
  • Integrity
  • Availability
  • Trust and knowing assumptions
  • Importance of assurance
  • The human factor
Write a Comment
User Comments (0)
About PowerShow.com