Upload
cory-heath
View
213
Download
0
Embed Size (px)
Citation preview
1
What does “secure” mean? Protecting Valuables
A computer based system has three separate valuable component:Hardware, Software and Data
AttacksWhen you test your system, one of
your job is to imagine how the system could malfunction.
2
Threats, Vulnerability, and Control
- Only legitimate users have access to the data.- We want our security system to make sure that no data are to be disclosed to unauthorized parties.
In this way we can identify weakness in the system.-A vulnerability is a weakness in the security system (Ex: Particular system is vulnerable to unauthorized data manipulation because it does not verify a users identity before allowing data access) - A threat to a computing system is a set of circumstances that has the potential to cause loss or harm.
3
-A human who exploits (make use of) a vulnerability commits an attack on the system.-”A threat is blocked by the control of vulnerability”
Threat is of four kind1. Interception (Unauthorized access, Wiretapping)2. Interruption ( asset is lost, unavailable)3. Modification (changes/alteration in to database/program file) 4. Fabrication ( insert spurious transaction, add record in
to database)Note: Systems vulnerabilities are useful to set security Goals
4
Method, Opportunity and Motive (MOM) A malicious attacker must have three things:
1. Method: the skill, knowledge, tools to pull-off the attack. 2. Opportunity: the time and access to accomplish the task. 3. Motive: a reason to want to perform attack against the system
5
Computer Security-when we talk about “computer security” we mean that we are addressing three very important aspects of computer related system.
“Confidentiality, Integrity and availability” Confidentiality: ensures that computer related assets are accessed only by authorized parties.
Integrity: means that the assets can be modified only by authorized parties or in authorized ways.
Availability: means that assets are accessible to authorized parties at appropriate times. That means for legitimate users access should not be prevented.
6
Graphically relationship between Confidentiality, Integrity and availability is
shown by
Integrity
Availability
Confidentiality
7
Computer Criminals Most computer criminals are ordinary computer professionals.
Types are: Amateurs: are normal people and not career criminals, they observe a weakness in a security system that allows them to access cash or other valuables.
Crackers: - are often University Students, attempt to access unauthorized computing facilities . - trying to log-in, just to see it can be done or not. - attacks for curiosity, personal gain, or self-satisfaction Career Criminals: - The Career computer criminals begin as a computer professionals who engage in computer crime. - good prospects and pay-off
8
Methods of Defense-Computer crime is going to continue.- For this reason we must look carefully at controls for
preserving C-I-A.Controls: -Physical security in early ages (Castle, fort, strong gate, heavy walls, etc.)
-Today we use strong locks on the doors and burglar alarm to secure our valuables.
Different controls available are:1. Encryption (Scrambling):
data is unintelligible to the outside observer. 2. Software Controls:
Program must be secure enough to prevent outside attack.
9
Program control includes:-Internal program control
(e.g. Access limitation)
- Operating system and Network control: ( e.g. to protect one user from another )
- Independent program control: (e.g. application program such as password checker, IDS, virus scanner,etc.)
- Development control: Quality standards under which a program is designed, coded and tested.
3. Hardware Controls - Smart cards with Encryption
- Locks or cables limiting access- Devices to verify users identity. - Firewalls, IDS, etc.
10
Policies and procedures:-sometimes we can rely upon agreed upon policies and procedures among users. (e.g. such as frequent changes of password )- Training and administration follow immediately after establishment of policies. Effectiveness of controls: use control properly and effectively .1. Awareness of problem: People should aware of the need of security.2. Likelihood of use: Controls must be used and used properly- to be effective.3. Overlapping controls: Several different controls may apply to address a single vulnerability. (Sometimes overlapping control is called as layered defense)