2015/6/15 Y K Choi, Overview of Computer Security, City University of Hong Kong, Division of Computer Studies (transcript of a slide deck, posted 20-Dec-2015)
112/04/18 Y K Choi 1
Overview of Computer Security
City University of Hong Kong
Division of Computer Studies
Y K Choi
What is security? (a general definition)
Defined by Ron Kurtus, http://www.school-for-champions.com/security/whatis.htm :
Security is the protection of a person, property or organization from an attack. There are people who have distorted motivations to perform such attacks. The types of protection include prevention, response and pre-emptive attacks. There are three questions you may ask:
What are the types of possible attacks? What reasons do people have to attack others? What type of defenses can you have?
What is security?
A simpler and less academic definition is: make things inconvenient for unauthorized persons. Some examples:
Place a security guard on the ground floor to keep track of each visitor and write down his/her particulars (this imposes extra inconvenience on an intruder, i.e. an illegitimate visitor).
Install a door lock (so that a key is needed to open it).
Install an iron gate in front of the wooden door (so that an intruder has to get through two doors).
What is Computer Security?
Computer security is the protection afforded to an information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources. The information resources include hardware, software, information and data.
Three items: integrity, availability and confidentiality.
Explanation of confidentiality, integrity and authentication
Assume that you wrote a cheque for HKD 1000 to your friend John and sent it by post. You should ensure that only John can get it; even if others get hold of it, they should not learn its details. (This is confidentiality.)
Both you and John should ensure that no one can tamper with (modify) the contents, such as the amount and the signature. (This is integrity.)
John should be able to ensure that the cheque is from you, not from someone else. (This is authentication.)
Example of Confidentiality
John is sending a mail to Alice. Confidentiality means only Alice can access the mail. Bob is not supposed to receive and view the content.
Example of Authentication
John is sending a mail to Alice. Authentication means Alice can verify that the mail is from John and not from Bob.
Example of Integrity
John is sending a mail to Alice saying "I love you". Integrity means that the message cannot be captured by Bob and changed to "I hate you" while still appearing to come from John.
(Diagram: John sends "I love you" to Alice; Bob intercepts it and forwards "I hate you".)
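The mail example above, worked through in code. This is an added example, not part of the original slides: it shows why an unkeyed checksum does not give Alice integrity (Bob can recompute it after changing the text) and how a keyed MAC (HMAC-SHA256 from the Python standard library) gives her both integrity and assurance that the message came from the holder of John's key. The parties, the key and the messages are constructed for the illustration; the key would in practice be agreed out of band. Note that a MAC does nothing for confidentiality: Bob can still read the text.

```python
"""Added example, not part of the original slides: John sends "I love you"
to Alice, Bob sits in the middle.  Shows why a plain (unkeyed) checksum does
not protect integrity and how HMAC-SHA256 with a key shared by John and Alice
does, while also letting Alice tell the message came from John's key.
Parties, key and messages are constructed; the key is assumed to have been
agreed out of band."""
import hashlib
import hmac
import os


def unkeyed_tag(message: bytes) -> str:
    """Plain SHA-256 over the message. Anyone, Bob included, can recompute it."""
    return hashlib.sha256(message).hexdigest()


def keyed_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256: computing a valid tag requires the shared key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def alice_accepts_unkeyed(message: bytes, tag: str) -> bool:
    return hmac.compare_digest(unkeyed_tag(message), tag)


def alice_accepts_keyed(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest avoids leaking the tag through timing differences
    return hmac.compare_digest(keyed_tag(key, message), tag)


def bob_alters(message: bytes) -> bytes:
    """Bob's tampering: flip the sentiment of the message."""
    return message.replace(b"love", b"hate")


def demo(key: bytes = None) -> dict:
    """Run the three scenarios; returns whether Alice accepts each message."""
    key = key or os.urandom(32)
    msg = b"I love you"

    # Scenario 1: unkeyed checksum. Bob changes the text and recomputes the
    # checksum, so Alice's check passes and the forgery is NOT detected.
    forged = bob_alters(msg)
    unkeyed_forgery_accepted = alice_accepts_unkeyed(forged, unkeyed_tag(forged))

    # Scenario 2: keyed MAC. Bob has no key; the best he can do is attach
    # John's original tag to the altered text, which Alice rejects.
    john_tag = keyed_tag(key, msg)
    keyed_forgery_accepted = alice_accepts_keyed(key, forged, john_tag)

    # Scenario 3: the genuine message and tag still verify.
    genuine_accepted = alice_accepts_keyed(key, msg, john_tag)

    return {
        "unkeyed_forgery_accepted": unkeyed_forgery_accepted,  # True: bad
        "keyed_forgery_accepted": keyed_forgery_accepted,      # False: good
        "genuine_accepted": genuine_accepted,                  # True: good
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The keyed check also gives Alice the "authentication" property of the previous slide in a limited sense: only someone holding the shared key could have produced the tag. Because Alice holds the same key she could forge a tag herself, so it does not prove John's authorship to a third party; that needs a digital signature.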
Example to consider - affordability
We could build an extremely secure computer room to protect a computer system that costs thirty thousand dollars. The computer room might cost a million dollars, which we could not afford.
It is better to use a traditional key/lock system together with password protection. (Although it is more easily broken, it is cheaper and affordable: the cost of the protection should be proportionate to the value of what it protects.)
Agenda
Although all the assets of an organization are subject to loss, damage etc., information systems (computer networks and applications) tend to be particularly susceptible to these dangers.
• IT components are comparatively fragile (easily broken)
• Computer hardware can be damaged more easily (and lasts only a couple of years)
• Computer systems and networks are likely to be the target of disgruntled workers and criminals
Security issues:
• Areas of vulnerability
• People in computer crime
• Methods of trespassing (hacking)
• Ways to counteract intrusion (protect the system)
Areas of Vulnerability (means easily attacked)
There are four basic items; the most difficult part is people, as they are difficult to control.
Hardware: physical devices such as the CPU and keyboard
Software: this includes the operating system, applications and network software
Data: without the data, the rest is useless (data is the essence of computer systems)
People: can cause a great deal of damage
From Computer Security Management by Karen A. Forcht, Chapter 1
Hardware
This means all physical devices: the most visible parts such as the monitor, mouse, keyboard, router, disk etc. (keyboards in particular).
Subject to common mishaps such as coffee spills, crumbs getting into keyboards, dust and theft.
Prevention: by placing locks on computer rooms, cabinets, motherboards, monitors etc.
Software
Software piracy: illegal copying and distribution of software (even free of charge, e.g. using BitTorrent) is a serious offence.
Deletion of software: accidental deletion of software, configuration etc.
Software alteration: changing a few lines of code is hard to detect, yet it can change the behaviour of the software.
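For the "software alteration" threat, an added example (not from the slides) of the standard countermeasure: record a baseline of cryptographic digests for the installed files at acceptance time and compare against it later. The directory layout, the file contents and the attacker's one-line change are constructed inside a temporary directory for the demonstration; the approach is the one used by host integrity tools such as Tripwire.

```python
"""Added example, not part of the original slides: a baseline manifest of
SHA-256 digests taken at install/acceptance time, compared against the
current state of the software directory to detect altered, added or deleted
files.  The directory, its files and the attacker's one-line change are
constructed inside a temporary directory for the demonstration."""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(64 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (POSIX-style relative path) to its digest."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Files whose digest changed, files not in the baseline, files missing."""
    return {
        "modified": sorted(f for f in baseline
                           if f in current and current[f] != baseline[f]),
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: one altered line, one deleted and one added file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        payroll = root / "bin" / "payroll.py"
        payroll.write_text("def pay(amount):\n    return amount\n")
        (root / "config.ini").write_text("[db]\nhost=localhost\n")

        baseline = build_manifest(root)  # would be stored off-host at acceptance

        # A single changed line: pay() now skims 1 unit from every payment.
        payroll.write_text("def pay(amount):\n    return amount - 1\n")
        (root / "config.ini").unlink()                     # accidental deletion
        (root / "bin" / "extra.py").write_text("x = 1\n")  # unexpected new file

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

The baseline must be kept where an intruder who can alter the software cannot also rewrite it (offline media, or protected by a signature or keyed MAC); otherwise the attacker simply updates the manifest along with the code.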
Data
It is crucial to the organization (it means it is important).
Re-construction of lost data is expensive and time consuming (that is why it is better to protect it).
Another threat is damage to personal data and leakage of data (privacy law).
Sensitive data should be revealed only to authorized users (this imposes security levels).
To safeguard the data: keep it in a safe place, and shred (destroy) sensitive data when it is no longer needed.
People
Intruders: disgruntled (unhappy) employees might seek revenge by planting a logic bomb (software bomb).
Hackers: break into computer systems. Hackers have the following profile:
Relatively young; highly motivated; intelligent and personable; happy with their job; proficient in computer systems and programming.
(No need to memorise the profile.)
Hacker - the definition
The definition is quite interesting (based on MIT's and Stanford's definition):
1. A person who enjoys learning the details of programming systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary (i.e. someone who wants to learn more).
2. One who programs enthusiastically, or who enjoys programming rather than just theorizing about programming.
People - Computer Criminals
There are four areas of computer crime:
Theft of computer time: e.g. logging in remotely to use the system without permission (less of an issue now that Internet access is commonplace). This also includes the time it takes to repair the computer system after it is infected by a virus, bomb etc.
Theft of data: physically removing data from files
Manipulation of computer programs: changing a program, or inserting/deleting code
Software piracy: illegal copying of software
Threats to security
Natural disasters: such as fire, floods, windstorms, earthquakes etc. We can do little to prevent natural disasters. (In Hong Kong, fire is the most serious.)
Malfunctions: they cause much less damage, but occur frequently, such as power surges (sudden changes of power), stray electrical forces, dust, operation error etc.
Hardware reliability: routine and preventive maintenance.
Software reliability: testing and debugging.
Threats to security (cont.)
Criminal acts: crimes against computers, and defences against computer crime. These include the use of passwords to keep intruders out. Data diddling means the unauthorized alteration of data (typically before or while it is entered into the system).
Operating integrity: system managers still need to take precautions to safeguard data. A common term is "garbage in, garbage out": processing (changing, adding and deleting data) may introduce errors.
Security Measures (means how to protect)
Passwords: the most common means of user authentication. Rules for choosing a password:
1. Don't leave your password in the open
2. Don't write it down
3. Choose a password with at least six characters: there are 26^6 (308915776) combinations of six lowercase letters. (Caveat: that count assumes lowercase letters only, and an attacker guessing offline at billions of attempts per second exhausts it in well under a second; today much longer passwords or passphrases drawn from a larger character set are needed.)
4. Don't choose a password that is obvious, such as "John" or "Chan Tai Man" if that is your name
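Rule 3 in numbers, as an added example that is not part of the original slides: the size of the password space for several alphabets and lengths, the worst-case time a brute-force attacker needs at an assumed rate of 10^10 guesses per second (a figure chosen for illustration; real rates depend on the password hash and the hardware), and a check for rule 4 against the user's name. The names and passwords in the code are constructed.

```python
"""Added example (not from the lecture slides): how big a password space is,
how long an offline brute-force attack needs to exhaust it, and a check for
'obvious' passwords built from the user's name.  The guess rate and the
names/passwords used below are assumptions for illustration."""
import math
from typing import Iterable

# Alphabet sizes commonly assumed for keyspace estimates.
ALPHABETS = {
    "lowercase": 26,              # the slide's 26^6 assumes this
    "alphanumeric": 26 + 26 + 10,
    "printable_ascii": 95,        # 0x20..0x7E, space included
}

ASSUMED_GUESSES_PER_SECOND = 1e10   # assumption: a fast offline cracking rig


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace: the usual 'bits of strength' figure."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst case for the attacker (whole space tried) at the given rate."""
    return keyspace(alphabet_size, length) / rate


def is_obvious(password: str, user_names: Iterable[str]) -> bool:
    """Rule 4: reject a password that contains the user's name or a part of it
    (case-insensitive, spaces ignored).  Name parts shorter than three letters
    are skipped so that e.g. 'Li' does not match inside unrelated words."""
    pw = password.lower().replace(" ", "")
    for name in user_names:
        whole = name.lower().replace(" ", "")
        candidates = [whole] + name.lower().split()
        if any(len(c) >= 3 and c in pw for c in candidates):
            return True
    return False


def strength_table() -> list:
    """(label, length, bits, seconds_to_exhaust) for representative choices."""
    rows = []
    for label, size in ALPHABETS.items():
        for length in (6, 8, 12, 16):
            rows.append((label, length,
                         round(entropy_bits(size, length), 1),
                         seconds_to_exhaust(size, length)))
    return rows


if __name__ == "__main__":
    for row in strength_table():
        print("%-16s len=%2d  %5.1f bits  %.3g s" % row)
    print("ChanTaiMan1 obvious for Chan Tai Man:",
          is_obvious("ChanTaiMan1", ["Chan Tai Man"]))
```

Brute force is the attacker's last resort; dictionary and leaked-password lists are tried first, which is why rule 4 matters more than the raw count suggests.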
Security Measures (2)
Encryption: encrypt the data. There are many standards, such as the Data Encryption Standard (DES), originally developed by IBM. (DES has only a 56-bit key and has been brute-forced in practice since the late 1990s; it has been superseded by AES.)
Dial-back devices: the system disconnects the telephone line, verifies the caller, then calls the caller back at a pre-registered number. (It is outdated now that we use the Internet; it is listed so that you have an idea of the approach.)
Control: from planning to final implementation. This involves the progress review and acceptance test, post-installation review and periodic audits.
Security Measures (3)
Progress review: it is unusual for a project to proceed on schedule. The purpose of a progress review is to bring changes to light so that the master plan can be revised.
Acceptance test: the final activity before conversion to the new system (very important in the commercial world for accepting a modified version of software).
Contingency planning: the backup plan for an event that may or may not occur. For example, if the application cannot operate, what should we do? (Example: if the system is down, fall back to a manual system, such as a log book to record transactions.)
Management's role (3 steps)
As stated by Jay BloomBecker, the approach to security is:
Technology: try to prevent illegal users from hacking the system, for example by the use of firewalls, passwords, private lines, virtual private networks etc.
Management techniques: proper handling of the flow of data, procedures for accessing data etc. (to achieve this, impose policy).
Laws and legal actions: for those who cannot be stopped (or deterred) by technology, rely on the law, e.g. prosecute hackers.
Computer Security Information (no need to memorise)
http://www.alw.nih.gov/Security/security.html
Advisories
• A number of groups from around the world provide information about security vulnerabilities and methods to remove or reduce the danger of particular vulnerabilities for different computer operating systems.
Documents
• Many articles have been written about various topics in computer and network security and have been published on the Internet.
Electronic Magazines, Newsletters and News Sites
• There are some magazines, newsletters and news sites available online that provide timely information about computer security.
Web information about security (no need to memorise)
Frequently Asked Questions (FAQ)
• A FAQ is a summary document written by knowledgeable individuals on a particular topic; it contains commonly requested information about the topic.
Groups and Organizations
• A number of computer security organizations exist that provide information to the public or to their members.
Mailing Lists
• Mailing lists provide a dialogue on areas of interest to the members of the list.
http://www.itsd.gov.hk/itsd/secure/g3_r1_disclose.pdf This is the web site of ITSD, the Information Technology Services Department of the Hong Kong Government.
Web information
Newsgroups
• USENET newsgroups are a series of discussion groups that can be useful for obtaining current information on a specific topic. Some newsgroups are a better source of information than others.
Request for Comments (RFC)
• RFCs on computer and network security topics.
Software
• A large amount of software is available to improve the security of a system.
World Wide Web (WWW) Sites
• Many WWW sites provide a large amount of information about various topics in computer security. Some of these sites are simply large indexes, but others contain a collection of information on a specific topic.
Summary
Security is the protection of a person, property or organization from an attack. Computer systems and data are susceptible to loss, damage etc.
Areas of vulnerability (easily damaged) are: hardware, software, data and people.
Principles of security: confidentiality, integrity and authentication (together with availability, as in the definition of computer security above).
Methods of protecting the system: the use of checksums, data encryption, passwords, logs and firewalls.
Information System (IS) plan: go through all the necessary steps, such as progress review, acceptance testing, post-installation review etc., to ensure the software is of acceptable quality and secure.