1

What does “secure” mean? Protecting Valuables

A computer based system has three separate valuable component:Hardware, Software and Data

AttacksWhen you test your system, one of

your job is to imagine how the system could malfunction.

2

Threats, Vulnerability, and Control

- Only legitimate users have access to the data.- We want our security system to make sure that no data are to be disclosed to unauthorized parties.

In this way we can identify weakness in the system.-A vulnerability is a weakness in the security system (Ex: Particular system is vulnerable to unauthorized data manipulation because it does not verify a users identity before allowing data access) - A threat to a computing system is a set of circumstances that has the potential to cause loss or harm.

3

-A human who exploits (make use of) a vulnerability commits an attack on the system.-”A threat is blocked by the control of vulnerability”

Threat is of four kind1. Interception (Unauthorized access, Wiretapping)2. Interruption ( asset is lost, unavailable)3. Modification (changes/alteration in to database/program file) 4. Fabrication ( insert spurious transaction, add record in

to database)Note: Systems vulnerabilities are useful to set security Goals

4

Method, Opportunity and Motive (MOM) A malicious attacker must have three things:

1. Method: the skill, knowledge, tools to pull-off the attack. 2. Opportunity: the time and access to accomplish the task. 3. Motive: a reason to want to perform attack against the system

5

Computer Security-when we talk about “computer security” we mean that we are addressing three very important aspects of computer related system.

“Confidentiality, Integrity and availability” Confidentiality: ensures that computer related assets are accessed only by authorized parties.

Integrity: means that the assets can be modified only by authorized parties or in authorized ways.

Availability: means that assets are accessible to authorized parties at appropriate times. That means for legitimate users access should not be prevented.

6

Graphically relationship between Confidentiality, Integrity and availability is

shown by

Integrity

Availability

Confidentiality

7

Computer Criminals Most computer criminals are ordinary computer professionals.

Types are: Amateurs: are normal people and not career criminals, they observe a weakness in a security system that allows them to access cash or other valuables.

Crackers: - are often University Students, attempt to access unauthorized computing facilities . - trying to log-in, just to see it can be done or not. - attacks for curiosity, personal gain, or self-satisfaction Career Criminals: - The Career computer criminals begin as a computer professionals who engage in computer crime. - good prospects and pay-off

8

Methods of Defense-Computer crime is going to continue.- For this reason we must look carefully at controls for

preserving C-I-A.Controls: -Physical security in early ages (Castle, fort, strong gate, heavy walls, etc.)

-Today we use strong locks on the doors and burglar alarm to secure our valuables.

Different controls available are:1. Encryption (Scrambling):

data is unintelligible to the outside observer. 2. Software Controls:

Program must be secure enough to prevent outside attack.

9

Program control includes:-Internal program control

(e.g. Access limitation)

- Operating system and Network control: ( e.g. to protect one user from another )

- Independent program control: (e.g. application program such as password checker, IDS, virus scanner,etc.)

- Development control: Quality standards under which a program is designed, coded and tested.

3. Hardware Controls - Smart cards with Encryption

- Locks or cables limiting access- Devices to verify users identity. - Firewalls, IDS, etc.

10

Policies and procedures:-sometimes we can rely upon agreed upon policies and procedures among users. (e.g. such as frequent changes of password )- Training and administration follow immediately after establishment of policies. Effectiveness of controls: use control properly and effectively .1. Awareness of problem: People should aware of the need of security.2. Likelihood of use: Controls must be used and used properly- to be effective.3. Overlapping controls: Several different controls may apply to address a single vulnerability. (Sometimes overlapping control is called as layered defense)