Computer%20Security%20Introduction - PowerPoint PPT Presentation

About This Presentation
Title:

Computer%20Security%20Introduction

Description:

Computer Security Introduction * * – PowerPoint PPT presentation

Number of Views:116
Avg rating:3.0/5.0
Slides: 26
Provided by: MikeB261
Learn more at: http://www.cs.fsu.edu
Category:

less

Transcript and Presenter's Notes

Title: Computer%20Security%20Introduction


1
Computer SecurityIntroduction
2
Basic Components
  • Confidentiality Concealment of information
  • (prevent unauthorized disclosure of
    information).
  • Integrity Trustworthiness of data/resources
  • (prevent unauthorized modifications).
  • Data integrity
  • Origin integrity (authentication)
  • Availability Ability to use information/resources
    .
  • (prevent unauthorized withholding of
  • information/resources).

3
Basic Components
  • Additionally
  • Authenticity, accountability, reliability,
    safety,
  • dependability, survivability . . .

4
Confidentiality
  • Historically, security is closely linked to
    secrecy.
  • Security involved a few organizations dealing
    mainly
  • with classified data.
  • However, nowadays security extends far beyond
  • confidentiality.
  • Confidentiality involves
  • privacy protection of private data,
  • secrecy protection of organizational data.

5
Integrity
  • Making sure that everything is as it is supposed
    to be.
  • For Computer Security this means
  • Preventing unauthorized writing or modifications.

6
Availability
  • For Computer Systems this means that
  • Services are accessible and useable (without
    undue
  • Delay) whenever needed by an authorized entity.
  • For this we need fault-tolerance.
  • Faults may be accidental or malicious
    (Byzantine).
  • Denial of Service attacks are an example of
    malicious
  • attacks.

7
Relationship between Confidentiality Integrity
and Availability
  • Confidentiality

Integrity
Secure
Availability
8
Other security requirements
  • Reliability deals with accidental damage,
  • Safety deals with the impact of system failure
    caused by the environment,
  • Dependability reliance can be justifiably
    placed on the system
  • Survivability deals with the recovery of the
    system after massive failure.
  • Accountability -- actions affecting security must
    be traceable
  • to the responsible party. For this,
  • Audit information must be kept and protected,
  • Access control is needed.

9
Basic Components
  • Threats potential violations of security
  • Attacks violations
  • Attackers those who execute the violations

10
Threats
  • Disclosure or unauthorized access
  • Deception or acceptance of falsified data
  • Disruption or interruption or prevention
  • Usurpation or unauthorized control

11
More threats
  • Snooping (unauthorized interception)
  • Modification or alteration
  • Active wiretapping
  • Man-in-the-middle attacks
  • Masquerading or spoofing
  • Repudiation of origin
  • Denial of receipt
  • Delay
  • Denial of Service

12
Policy and Mechanisms
  • A security policy is a statement of what is / is
    not allowed.
  • A security mechanism is a method or tool that
    enforces a security policy.

13
Goals of Computer Security
  • Security is about protecting assets.
  • This involves
  • Prevention
  • Detection
  • Recovery (reaction / restore assets)

14
Assumptions of trust
  • Let
  • P be the set of all possible states of a system
  • Q be the set of secure states
  • A mechanism is secure if P Q
  • A mechanism is precise if P Q
  • A mechanism is broad if there are states in P
    which
  • are not in Q

15
Assurance
  • Trust cannot be quantified precisely.
  • System specifications design and implementation
    can
  • provide a basis for how much one can trust a
    system.
  • This is called assurance.
  • A system is said to satisfy a specification if
    the specification correctly states how the system
    will function.

16
Assurance - Specifications
  • A specification is a statement of the desired
    functioning of a system.
  • It can be highly mathematical using any of
    several languages for that purpose.

17
Assurance Design/Implementation
  • A design of a system translates the
    specifications into components that will
    implement them.
  • Given a design the implementation creates a
    system that satisfies the design.
  • A program is correct if its implementation
    performs as specified.

18
Assurance Testing
  • Proofs of correctness require that each line of
    source code be checked for mathematical
    correctness.
  • Because formal proofs of correctness are time
    consuming, a posteriori verification techniques
    known as testing have become widespread.
  • Testing techniques are considerably simpler than
    formal methods, but do not provide the same
    degree of assurance their value is in
    eliminating common sources of error and forcing
    designers to define precisely what the system is
    supposed to do.

19
Operational issues
  • Operational issues
  • Cost-benefit analysis
  • Example a database with salary info, which is
    used by a second system to print pay checks
  • Risk analysis
  • Environmental dependence
  • Time dependence
  • Remote risk
  • Laws and customs

20
Fundamental DilemmaFunctionality or Assurance
  • Security mechanisms need additional computational
  • Security policies interfere with working
    patterns, and can be very inconvenient.
  • Managing security requires additional effort and
    costs.
  • Ideally there should be a tradeoff.

21
Laws and Customs
  • Export controls
  • Laws of multiple jurisdiction
  • Human issues

22
Human issues
  • Organizational problems (who is responsible for
    what)
  • People problems (outsiders/insiders)

23
Tying it all together how ????
Threats Policy Specification Design
Implementation Operation Maintenance The
security life cycle
24
Computer Security -- Summary
  • How to achieve Computer Security
  • Security principles/concepts explore general
    principles/concepts that can be used as a guide
    to design secure information processing systems.
  • Security mechanisms explore some of the security
    mechanisms that can be used to secure information
    processing systems.
  • Physical/Organizational security consider
    physical organizational security measures

25
Computer Security
  • Even at this general level there is disagreement
    on the precise definitions of some of the
    required security aspects.
  • References
  • Orange book US Dept of Defense, Trusted
    Computer System Evaluation Criteria.
  • ITSEC European Trusted Computer System Product
    Criteria.
  • CTCPEC Canadian Trusted Computer System Product
    Criteria
Write a Comment
User Comments (0)
About PowerShow.com