Transcript of 12/18/2015 Computer Security Introduction
04/21/23 1
Computer Security
Introduction
Basic Components
1. Confidentiality: concealment of information (prevent unauthorized disclosure of information).
2. Integrity: trustworthiness of data/resources (prevent unauthorized modifications).
   • Data integrity
   • Origin integrity (authentication)
3. Availability: ability to use information/resources (prevent unauthorized withholding of information/resources).
Basic Components
Additionally: authenticity, accountability, reliability, safety, dependability, survivability, ...
Confidentiality
Historically, security is closely linked to secrecy. Security involved a few organizations dealing mainly with classified data. However, nowadays security extends far beyond confidentiality.
Confidentiality involves:
• privacy: protection of private data,
• secrecy: protection of organizational data.
Integrity
“Making sure that everything is as it is supposed to be.”
For Computer Security this means: preventing unauthorized writing or modifications.
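The distinction between data integrity and origin integrity (authentication) from the Basic Components slide is easy to see in code. The following is an added example, not part of the original slides: an unkeyed SHA-256 digest detects accidental corruption but gives no origin integrity, because whoever modifies the record can simply recompute the digest; a keyed HMAC tag binds the record to a holder of the shared key. The payroll record and the keys are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample record in transit between two systems (not from the slides).
MESSAGE = b"employee=1042;salary=5400;currency=EUR"

# Constructed demo keys. A real deployment provisions the shared key from a key store;
# the "other" key stands for anyone who does not hold the shared key.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
OTHER_KEY = b"constructed-other-key"


def digest_only(message: bytes) -> bytes:
    """Data integrity only: anyone can compute this digest."""
    return hashlib.sha256(message).digest()


def verify_digest(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(digest_only(message), tag)


def authenticate(message: bytes, key: bytes) -> bytes:
    """Data and origin integrity: only a holder of `key` can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_authentic(message: bytes, tag: bytes, key: bytes) -> bool:
    # compare_digest keeps the comparison itself constant-time.
    return hmac.compare_digest(authenticate(message, key), tag)


def demo() -> dict:
    """Report which checks accept a record altered by someone without the shared key."""
    tampered = MESSAGE.replace(b"5400", b"9400")
    # Unkeyed digest: the modifier recomputes it and the check passes.
    digest_accepts_forgery = verify_digest(tampered, digest_only(tampered))
    # Keyed tag computed with a different key: the verifier, using SHARED_KEY, rejects it.
    hmac_accepts_forgery = verify_authentic(
        tampered, authenticate(tampered, OTHER_KEY), SHARED_KEY
    )
    # A genuine tag verifies the genuine record, and fails on the altered one.
    genuine_tag = authenticate(MESSAGE, SHARED_KEY)
    return {
        "digest_accepts_forgery": digest_accepts_forgery,
        "hmac_accepts_forgery": hmac_accepts_forgery,
        "hmac_accepts_genuine": verify_authentic(MESSAGE, genuine_tag, SHARED_KEY),
        "hmac_accepts_modified": verify_authentic(tampered, genuine_tag, SHARED_KEY),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The digest still has a place (detecting transmission errors), but a verifier that wants to know who produced the record needs a secret the producer has and others do not, which is what the HMAC tag supplies.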
Availability
For Computer Systems this means that services are accessible and usable (without undue delay) whenever needed by an authorized entity.
For this we need fault tolerance. Faults may be accidental or malicious (Byzantine). Denial of Service attacks are an example of malicious attacks.
Relationship between Confidentiality, Integrity and Availability
[Figure: Venn diagram of Integrity, Confidentiality and Availability; the region where all three overlap is labelled “Secure”.]
Other security requirements
• Reliability – deals with accidental damage,
• Safety – deals with the impact of system failure caused by the environment,
• Dependability – reliance can be justifiably placed on the system,
• Survivability – deals with the recovery of the system after massive failure,
• Accountability – actions affecting security must be traceable to the responsible party. For this,
  – audit information must be kept and protected,
  – access control is needed.
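Accountability requires audit information that is not only kept but protected: an audit trail that the responsible party can quietly edit traces nothing. The following added example (not from the slides) shows one common way to make a log tamper-evident: each entry's hash covers the previous entry's hash, so editing or reordering an entry breaks every link after it. It also shows the limit of the chain on its own: truncating the tail is invisible unless the verifier knows the latest hash from somewhere outside the log. The events are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample audit events, in the order they occurred (not from the slides).
EVENTS = [
    {"actor": "alice", "action": "read", "object": "salary.db"},
    {"actor": "bob", "action": "write", "object": "salary.db"},
    {"actor": "bob", "action": "delete", "object": "audit.cfg"},
]

GENESIS = "0" * 64  # value chained into the very first entry


@dataclass(frozen=True)
class Entry:
    seq: int
    event: dict
    prev_hash: str
    entry_hash: str


def _hash_entry(seq: int, event: dict, prev_hash: str) -> str:
    # Canonical JSON so the same event always hashes identically.
    payload = json.dumps({"seq": seq, "event": event, "prev": prev_hash}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def build_log(events: List[dict]) -> List[Entry]:
    """Append each event with a hash that also covers the previous entry's hash."""
    log: List[Entry] = []
    prev = GENESIS
    for seq, event in enumerate(events):
        h = _hash_entry(seq, event, prev)
        log.append(Entry(seq, event, prev, h))
        prev = h
    return log


def verify_log(log: List[Entry], expected_tail: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Recompute every hash and chain link; return (ok, first bad sequence number).

    `expected_tail` is the latest hash obtained from an external anchor (for example a
    copy written to a separate, append-only store); with it, truncation is detected too.
    """
    prev = GENESIS
    for entry in log:
        if entry.prev_hash != prev or entry.entry_hash != _hash_entry(entry.seq, entry.event, entry.prev_hash):
            return False, entry.seq
        prev = entry.entry_hash
    if expected_tail is not None and prev != expected_tail:
        return False, len(log)
    return True, None


def demo() -> dict:
    log = build_log(EVENTS)
    anchor = log[-1].entry_hash  # what an external anchor would have recorded
    # Edit entry 1 to blame someone else: detected at entry 1; recomputing its hash
    # would only move the detection to entry 2, whose prev_hash then no longer matches.
    edited = list(log)
    e = edited[1]
    edited[1] = Entry(e.seq, {**e.event, "actor": "alice"}, e.prev_hash, e.entry_hash)
    edited_ok, first_bad = verify_log(edited)
    # Drop the last entry: the chain alone is still consistent, the anchor catches it.
    truncated = log[:-1]
    return {
        "original_ok": verify_log(log)[0],
        "edited_ok": edited_ok,
        "first_bad": first_bad,
        "truncation_ok_without_anchor": verify_log(truncated)[0],
        "truncation_ok_with_anchor": verify_log(truncated, anchor)[0],
    }
```

The access-control half of the slide is what keeps the anchor honest: the party whose actions are being audited must not be the party who can write the anchor.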
Basic Components
Threats – potential violations of security
Attacks – violations
Attackers – those who execute the violations
Threats
• Disclosure, or unauthorized access
• Deception, or acceptance of falsified data
• Disruption, or interruption or prevention
• Usurpation, or unauthorized control
More threats
• Snooping (unauthorized interception)
• Modification or alteration
  – Active wiretapping
  – Man-in-the-middle attacks
• Masquerading or spoofing
• Repudiation of origin
• Denial of receipt
• Delay
• Denial of Service
Policy and Mechanisms
1. A security policy is a statement of what is / is not allowed.
2. A security mechanism is a method or tool that enforces a security policy.
Assumptions of trust
Let
• P be the set of all possible states of a system,
• Q be the set of secure states.
A mechanism is secure if P ⊆ Q.
A mechanism is precise if P = Q.
A mechanism is broad if there are states in P which are not in Q.
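The policy/mechanism split and the secure/precise/broad classification can be computed for a small enough system. The following is an added example, not from the slides: a constructed toy system in which a state is the set of (subject, object) read accesses currently granted, the policy is the statement “no subject reads an object above its clearance”, Q is the set of states satisfying it, and a mechanism is the function that approves or refuses each access request. P is taken here as the states the system can actually reach under that mechanism, starting from no accesses, which is the set the slide compares with Q. Subjects, clearances and the three mechanisms are all assumptions for the illustration.

```python
from itertools import combinations
from typing import Callable, Dict, FrozenSet, Set, Tuple

# Constructed toy system (not from the slides).
CLEARANCE = {"alice": 2, "bob": 0}
CLASSIFICATION = {"memo": 0, "payroll": 1}

Access = Tuple[str, str]            # (subject, object) read access
State = FrozenSet[Access]           # the accesses granted at some moment
Mechanism = Callable[[Access], bool]

ALL_ACCESSES = [(s, o) for s in CLEARANCE for o in CLASSIFICATION]


def all_states() -> Set[State]:
    """Every subset of the possible accesses: all conceivable states."""
    return {frozenset(c) for r in range(len(ALL_ACCESSES) + 1)
            for c in combinations(ALL_ACCESSES, r)}


def policy_allows(access: Access) -> bool:
    """The security policy: a statement of what is allowed (here, 'no read up')."""
    subject, obj = access
    return CLEARANCE[subject] >= CLASSIFICATION[obj]


def secure_states() -> Set[State]:
    """Q: states in which every granted access is allowed by the policy."""
    return {s for s in all_states() if all(policy_allows(a) for a in s)}


def reachable_states(mechanism: Mechanism) -> Set[State]:
    """P under a mechanism: states reachable from the empty state by granting
    only the requests the mechanism approves (a plain graph search)."""
    start: State = frozenset()
    seen = {start}
    frontier = [start]
    while frontier:
        state = frontier.pop()
        for access in ALL_ACCESSES:
            if access not in state and mechanism(access):
                nxt = state | {access}
                if nxt not in seen:
                    seen.add(nxt)
                    frontier.append(nxt)
    return seen


def classify(mechanism: Mechanism) -> str:
    """Apply the slide's definitions: precise if P = Q, secure if P ⊆ Q, else broad."""
    p, q = reachable_states(mechanism), secure_states()
    if p == q:
        return "precise"
    if p <= q:  # subset test
        return "secure"
    return "broad"


# Three assumed mechanisms that might be deployed to enforce the same policy.
MECHANISMS: Dict[str, Mechanism] = {
    "deny_all": lambda access: False,                       # refuses everything
    "policy_check": policy_allows,                          # enforces exactly the policy
    "off_by_one": lambda access: CLEARANCE[access[0]] + 1   # a buggy comparison
                                >= CLASSIFICATION[access[1]],
}


def classify_all() -> Dict[str, str]:
    return {name: classify(m) for name, m in MECHANISMS.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name}: {verdict}")
```

The deny-everything mechanism is secure but not precise: it never reaches an insecure state, at the price of also ruling out secure states the policy would allow. The off-by-one mechanism lets bob read payroll, so it reaches states outside Q and is broad. Only the mechanism that checks the policy itself reaches exactly Q.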
Assurance
Trust cannot be quantified precisely. System specifications, design and implementation can provide a basis for how much one can trust a system. This is called assurance.
Goals of Computer Security
Security is about protecting assets. This involves:
• Prevention
• Detection
• Reaction (recover/restore assets)
Computer Security
How to achieve Computer Security:
1. Security principles/concepts: explore general principles/concepts that can be used as a guide to design secure information processing systems.
2. Security mechanisms: explore some of the security mechanisms that can be used to secure information processing systems.
3. Physical/Organizational security: consider physical and organizational security measures (policies).
Computer Security
Even at this general level there is disagreement on the precise definitions of some of the required security aspects.
References:
• Orange Book – US Dept of Defense, Trusted Computer System Evaluation Criteria.
• ITSEC – European Trusted Computer System Product Criteria.
• CTCPEC – Canadian Trusted Computer System Product Criteria.
Fundamental Dilemma: Functionality or Assurance
• Security mechanisms need additional computational
• Security policies interfere with working patterns, and can be very inconvenient.
• Managing security requires additional effort and costs.
• Ideally there should be a tradeoff.
Operational issues
– Cost-benefit analysis
  • Example: a database with salary info, which is used by a second system to print pay checks
– Risk analysis
  • Environmental dependence
  • Time dependence
  • Remote risk
Laws and Customs
• Export controls
• Laws of multiple jurisdictions
• Human issues
  – Organizational problems (who is responsible for what)
  – People problems (outsiders/insiders)
Tying it all together: how ????