Computer and Data Security - Introduction
What is Computer Security?
The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (including hardware, software, firmware, information/data, and telecommunications) is called Computer Security.
What is Computer Security?
For some, computer security is controlling access to the hardware, software and data of a computerized system.
A large measure of computer security is simply keeping the computer system's information secure.
In broader terms, computer security can be thought of as the protection of the computer and its resources against accidental or intentional disclosure of confidential data, unlawful modification of data or programs, and the destruction of data, software or hardware.
Computer security also includes denying the use of one's computer facilities for criminal activities, including computer-related fraud and blackmail.
Finally, computer security involves the elimination of weaknesses or vulnerabilities that might be exploited to cause loss or harm.
The Need for Computer Security
Why the need for computer security? The value of computer assets and services.
What is the new IT environment? Networks and distributed applications/services; electronic commerce (E-commerce, E-business).
The Value of Computer Assets and Services
Most companies use electronic information extensively to support their daily business processes.
Data is stored on customers, products, contracts, financial results, accounting etc.
If this electronic information were to become available to competitors or to become corrupted, false or disappear, what would happen? What would the consequences be? Could the business still function?
Network Security Issues
"The network is the computer." The proliferation of networks has increased security risks much more.
Sharing of resources increases the complexity of the system. Unknown perimeter (linked networks), unknown path. Many points of attack.
Computer security has to find answers to network security problems. Hence today the field is called Computer and Network Security.
Is there a Security Problem in Computing?
Computer fraud in the U.S. alone exceeds $3 billion each year.
Less than 1% of all computer fraud cases are detected; over 90% of all computer crime goes unreported.
“Although no one is sure how much is lost to EFT crime annually, the consensus is that the losses run in the billions of dollars. Yet few in the financial community are paying any heed.”
Average computer bank theft amounts to $1.5 million.
Computer Crimes ...
Over 25% of all Fortune 500 corporations have been victimized by computer crime, with an average loss of $2-10 million.
Total estimated losses due to computer crime range from $300 million to $500 billion per year.
Computer-related crime has been escalating at a dramatic rate.
Computer crimes continue to grow and plague companies.
Computer crime is almost inevitable in any organization unless adequate protections are put in place.
Data From the Real World
The following figures are included (source: Datapro Research) as examples, to give an idea of what is going on in the real world.
Common causes of damage: Human error 52%, Dishonest people 10%, Technical sabotage 10%, Fire 15%, Water 10% and Terrorism 3%.
Who causes damage? Current employees 81%, Outsiders 13%, Former employees 6%.
Types of computer crime: Money theft 44%, Damage of software 16%, Theft of information 16%, Alteration of data 12%, Theft of services 10%, Trespass 2%.
Computer Viruses
53% of BYTE readers have suffered losses of data that cost an average of $14,000 per occurrence.
There are over 3000 viruses, with new ones developed daily.
A survey of over 600 companies and government agencies in the U.S. and Canada shows that 63% found at least one virus on their PCs last year.
Natural Disasters – Another Dimension
Millions of dollars of damage resulted from the 1989 San Francisco earthquake.
The fire at Subang International Airport knocked out the computers controlling the flight display system. A post office near the Computer Room was also affected by the soot which decommissioned the post office counter terminals. According to the caretaker, the computers were not burnt but crashed because soot entered the hard disks.
Fire, Earthquakes, Floods, Electrical hazards, etc. How to prevent?
Negligence - The Human Factor
Over 85% of the destruction of valuable computer data involves inadvertent acts.
How to prevent? Proper user training; idiot proofing.
Computer Security Requirements
Secrecy Integrity Availability Authenticity Non-repudiation Access control
Secrecy (Confidentiality)
Secrecy requires that the information in a computer system only be accessible for reading by authorized parties.
This type of access includes: printing, displaying, and other forms of disclosure, including simply revealing the existence of an object.
Integrity
Integrity requires that computer system assets can be modified only by authorized parties.
Modification includes: writing, changing, changing status, deleting and creating.
More About Integrity
Integrity: In lay usage, information has integrity when it is timely, accurate, complete, and consistent. However, computers are unable to provide or protect all of these qualities. Therefore, in the computer security field, integrity is often discussed more narrowly as having two facets: data integrity and system integrity.
“Data integrity is a requirement that information and programs are changed only in a specified and authorized manner.”
System integrity is a requirement that a system “performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.”
The definition of integrity has been, and continues to be, the subject of much debate among computer security experts.
Availability
Availability requires that computer system assets are available to authorized parties. Availability is a requirement intended to assure that systems work promptly and service is not denied to authorized users.
Security of Data
(Diagram: secure data rests on three pillars, data confidentiality, data integrity and data availability.)
Authenticity
Authenticity means that parties in an information service can ascertain the identity of parties trying to access information services.
It also means that the origin of a message is certain.
Therefore there are two types: principal authentication and message authentication.
Non-repudiation
The originator of a communication can't deny it later. Without non-repudiation you could place an order for 1 million dollars of equipment online and then simply deny it later.
Or you could send an email inviting a friend to dinner and then disclaim it later.
Non-repudiation associates the identity of the originator with the transaction in a non-deniable way.
Access Control
Unauthorized users are kept out of the system. Unauthorized users are kept out of places on the system/disk.
Typically makes use of directories, Access Control Lists (ACLs) or an Access Control Matrix.
Objects: resources that need to be protected.
Subjects: entities that need access to resources.
Rights: permissions.
Each entry is a triple <subject, object, rights>.
Access Control Matrix

|           | OBJECT 1 | OBJECT 2 | OBJECT 3 | OBJECT 4 |
|-----------|----------|----------|----------|----------|
| SUBJECT 1 | ORW      | ORW      | R        | X        |
| SUBJECT 2 | R        | RW       | R        | R        |
| SUBJECT 3 | X        | X        | ORW      | ORW      |
| SUBJECT 4 | R        | R        | R        | RW       |
| SUBJECT N | X        | R        | R        | X        |
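As an added worked example (not part of the slides), here is the matrix above loaded as <subject, object, rights> triples in Python, together with the two views that real systems actually store: the per-object column (an ACL) and the per-subject row (a capability list). The slide does not define its letters, so the example assumes the usual textbook reading O = own, R = read, W = write, X = execute; the check function denies by default, which is the behaviour a reference monitor needs.

```python
# Added example, not part of the original slides: an access control matrix
# kept as <subject, object, rights> triples, loaded with the table above.
# Assumption (the slide does not define the letters): O = own, R = read,
# W = write, X = execute, the usual textbook convention.

class AccessControlMatrix:
    def __init__(self):
        self._entries = {}  # (subject, object) -> frozenset of right letters

    def grant(self, subject, obj, rights):
        """Store one <subject, object, rights> triple."""
        self._entries[(subject, obj)] = frozenset(rights)

    def rights(self, subject, obj):
        """Rights the subject holds on the object; empty if there is no entry."""
        return self._entries.get((subject, obj), frozenset())

    def check(self, subject, obj, op):
        """Reference-monitor decision: may 'subject' perform 'op' on 'obj'?
        Default deny: an unknown pair or an unlisted letter is refused."""
        return op in self.rights(subject, obj)

    def acl(self, obj):
        """Column view: the Access Control List of one object."""
        return {s: "".join(sorted(r)) for (s, o), r in self._entries.items() if o == obj}

    def capabilities(self, subject):
        """Row view: the capability list of one subject."""
        return {o: "".join(sorted(r)) for (s, o), r in self._entries.items() if s == subject}

# The slide's table, transcribed row by row.
SLIDE_TABLE = {
    "SUBJECT 1": ("ORW", "ORW", "R", "X"),
    "SUBJECT 2": ("R", "RW", "R", "R"),
    "SUBJECT 3": ("X", "X", "ORW", "ORW"),
    "SUBJECT 4": ("R", "R", "R", "RW"),
    "SUBJECT N": ("X", "R", "R", "X"),
}
OBJECTS = ("OBJECT 1", "OBJECT 2", "OBJECT 3", "OBJECT 4")

def build_slide_matrix():
    acm = AccessControlMatrix()
    for subject, row in SLIDE_TABLE.items():
        for obj, rights in zip(OBJECTS, row):
            acm.grant(subject, obj, rights)
    return acm

def audit_writers(acm):
    """Who can change each object? The question to ask when reviewing integrity exposure."""
    return {obj: sorted(s for s in SLIDE_TABLE if acm.check(s, obj, "W")) for obj in OBJECTS}

if __name__ == "__main__":
    acm = build_slide_matrix()
    print(acm.check("SUBJECT 2", "OBJECT 2", "W"))   # True
    print(acm.check("SUBJECT 2", "OBJECT 1", "W"))   # False
    print(acm.acl("OBJECT 3"))
    print(audit_writers(acm))
```

The same triples answer both administrative questions the slide hints at: an ACL is the matrix read by column, a capability list is the matrix read by row, and `audit_writers` is the kind of query a reviewer runs to see which subjects can violate integrity on each object.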
Multiple Access Controls
Security Requirements are often Combined
For example, user authentication is used for access authorization control purposes in support of confidentiality.
Non-repudiation is combined with authentication.
(Diagram: overlapping circles labelled Confidentiality, Integrity and Availability.)
Type of Attacks/Threats in Computer Systems
A threat is a danger which could affect the security (confidentiality, integrity, availability) of assets, leading to a potential loss or damage.
Interruption Interception Modification Fabrication
Type of Attacks in Computer Systems
Normal Flow of Information
Interruption
An asset of the system is destroyed or becomes unavailable or unusable. This is an attack on availability.
Examples include destruction of a piece of hardware, such as a hard disk, the cutting of a communication link, or the disabling of the file management system.
DOS - Denial of Service attacks have become very well known.
Interception
Information disclosure/information leakage. An unauthorized party gains access to an asset. This is an attack on confidentiality. The unauthorized party could be a person, a program, or a computer. Examples include:
wiretapping to capture data in a network
the illicit copying of files or programs
Modification
Modification is an integrity violation. An unauthorized party not only gains access to but tampers with an asset. This is an attack on integrity. Examples include changing values in a data file, altering a program so that it performs differently, and modifying the content of a message being transmitted in a network.
Fabrication
An unauthorized party inserts counterfeit objects into the system. This is an attack on authenticity.
Examples include the insertion of spurious messages in a network or the addition of records to a file.
Classification of Attacks
Computer security attacks can be classified into two broad categories:
Passive attacks can only observe communications or data.
Active attacks can actively modify communications or data. Often difficult to perform, but very powerful. Examples include mail forgery/modification and TCP/IP spoofing/session hijacking.
Passive Attacks and Active Attacks
Passive Attacks
Eavesdropping on or monitoring of transmissions. The goal of the opponent is to obtain information that is being transmitted. Two types:
Release of message contents
Traffic analysis
Release-of-message Contents
Opponent finds out the contents or the actual messages being transmitted.
How to protect? Encryption; steganography.
Traffic Analysis
More subtle than release of message contents. Messages may be kept secret by masking or encryption, but the opponent figures out information being carried by the messages based on the frequency and timing of the messages.
How to protect? Data/message padding; filler sequences.
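An added example (not from the slides) of the data/message padding the slide names, in Python: every frame is rounded up to a fixed bucket so that its length on the wire no longer tracks the real payload, and a filler frame carries an empty payload so that cover traffic is indistinguishable from real traffic by size. The bucket size and the sample messages are constructed for the example.

```python
# Added example, not part of the original slides: data/message padding as a
# defence against traffic analysis. Every frame is rounded up to a fixed bucket
# (assumed 256 bytes), so the length seen on the wire no longer tracks the real
# payload, and a filler frame carries an empty payload so cover traffic looks
# exactly like real traffic. Sample messages are constructed.
import os
import struct

BUCKET = 256                    # assumed frame size; frames are multiples of it
LENGTH = struct.Struct("!H")    # 2-byte big-endian prefix holding the real length

def pad_message(payload, bucket=BUCKET):
    """Frame = real length + payload + random filler, rounded up to a bucket."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too long for a 16-bit length prefix")
    body = LENGTH.pack(len(payload)) + payload
    frame_len = -(-len(body) // bucket) * bucket        # ceiling division
    return body + os.urandom(frame_len - len(body))

def unpad_message(frame):
    """Recover the payload; malformed frames raise instead of being guessed at."""
    if len(frame) < LENGTH.size:
        raise ValueError("frame shorter than its length prefix")
    (n,) = LENGTH.unpack_from(frame)
    if LENGTH.size + n > len(frame):
        raise ValueError("length prefix exceeds frame")
    return frame[LENGTH.size:LENGTH.size + n]

def filler_frame(bucket=BUCKET):
    """Cover traffic (a 'filler sequence'): same size on the wire, no content."""
    return pad_message(b"", bucket)

def observed_sizes(messages, bucket=BUCKET):
    """What an eavesdropper learns from lengths alone, before and after padding."""
    raw = [len(m) for m in messages]
    padded = [len(pad_message(m, bucket)) for m in messages]
    return raw, padded

if __name__ == "__main__":
    # Constructed sample: two one-word replies next to a long report.
    sample = [b"yes", b"no", b"quarterly report: " + b"x" * 150]
    print(observed_sizes(sample))   # ([3, 2, 168], [256, 256, 256])
```

Padding is applied before encryption, so the filler bytes are never visible; what the observer sees is a stream of equal-sized frames. Note the limits: a message larger than one bucket still reveals roughly how big it is, and padding alone does nothing about frequency and timing, which is why the slide also lists filler sequences: `filler_frame()` sent on a fixed schedule keeps the observed rate constant whether or not anything is being said.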
Passive Attacks: Problems
Difficult to detect because there is no modification of data. The protection approach should be based on prevention rather than detection.
Active Attacks
Active attacks involve some sort of modification of the data stream or the creation of a false stream.
Four sub-categories: masquerade, replay, modification of messages, denial of service.
Masquerade
An entity pretends to be another, for the purpose of carrying out some other form of attack. Example: a system claims its IP address to be what it is not (IP spoofing).
How to protect? Principal/entity authentication.
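An added example (not from the slides) of the principal/entity authentication the slide names as the defence against masquerade, in Python: the verifier issues a fresh random challenge, and only a party holding the shared key can compute the answer. Because every challenge is different, an answer captured on the wire by Eve is useless against the next one, so the same mechanism also covers the replay of authentication sequences discussed on the next slide. The party names and keys are constructed.

```python
# Added example, not part of the original slides: principal (entity)
# authentication by challenge-response, the defence named against masquerade.
# The verifier issues a fresh random nonce; only a party holding the shared key
# can compute the answer, and an answer captured by Eve is useless against the
# next challenge. Party names and keys are constructed.
import hashlib
import hmac
import secrets

def _answer(key, identity, nonce):
    """Keyed response that binds the claimed identity to this particular nonce."""
    return hmac.new(key, b"auth|" + identity.encode() + b"|" + nonce, hashlib.sha256).digest()

class Verifier:
    """Server side: holds one shared key per registered principal."""
    def __init__(self, keys):
        self._keys = dict(keys)      # principal -> secret key bytes
        self._pending = {}           # principal -> outstanding nonce (single use)

    def challenge(self, claimed_identity):
        """Fresh nonce for this attempt. Unknown names get one too, so the
        challenge itself does not reveal which accounts exist."""
        nonce = secrets.token_bytes(16)
        self._pending[claimed_identity] = nonce
        return nonce

    def verify(self, claimed_identity, response):
        nonce = self._pending.pop(claimed_identity, None)   # consumed whether or not it matches
        key = self._keys.get(claimed_identity)
        if nonce is None or key is None:
            return False
        return hmac.compare_digest(_answer(key, claimed_identity, nonce), response)

def respond(key, identity, nonce):
    """Client side: prove possession of the key without ever sending it."""
    return _answer(key, identity, nonce)

def run_scenarios():
    alice_key = b"constructed-key-shared-by-alice-and-the-verifier"
    v = Verifier({"alice": alice_key})
    # 1. Alice authenticates normally.
    n1 = v.challenge("alice")
    r1 = respond(alice_key, "alice", n1)
    genuine = v.verify("alice", r1)
    # 2. Mallory claims to be Alice but has to guess the key.
    n2 = v.challenge("alice")
    masquerade = v.verify("alice", respond(b"mallory-guess", "alice", n2))
    # 3. Eve captured r1 on the wire and replays it against a new challenge.
    v.challenge("alice")
    replayed = v.verify("alice", r1)
    # 4. No challenge is outstanding any more; a bare verify must fail.
    no_challenge = v.verify("alice", r1)
    return {"genuine": genuine, "masquerade": masquerade,
            "replayed": replayed, "no_challenge": no_challenge}

if __name__ == "__main__":
    print(run_scenarios())  # {'genuine': True, 'masquerade': False, 'replayed': False, 'no_challenge': False}
```

Two design points matter here: the nonce is removed from the pending table before the comparison so that it can never be answered twice, and the claimed identity is included in the keyed input so that a response computed for one name cannot be presented under another.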
Replay
First passive capture of data and then its retransmission to produce an unauthorized effect.
Could be disastrous in the case of critical messages such as authentication sequences, even if the password were encrypted.
How to protect? Time stamps; sequence numbers.
Modification of Messages
Some portion of a legitimate message is altered, or messages are delayed or reordered, to produce an unauthorized effect.
How to protect? Message authentication codes; chaining.
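An added example (not from the slides) that puts the defences of the last two slides together in Python: a receiver that checks a sequence number and a timestamp against replay and delay, a message authentication code against alteration, and chaining (each MAC also covers the previous message's MAC) so that a dropped or reordered message breaks the chain. The key, the freshness window and the traffic are constructed.

```python
# Added example, not part of the original slides: a receiver applying the
# defences the slides name against replay and modification of messages.
# Every message carries a sequence number, a timestamp and a MAC; the MAC is
# chained (it also covers the previous message's MAC), so dropped or reordered
# messages break the chain. Key, freshness window and traffic are constructed.
import hashlib
import hmac
import json

KEY = b"constructed-session-key"   # shared by sender and receiver; constructed
MAX_SKEW = 30                      # assumed freshness window in seconds
GENESIS = b"\x00" * 32             # chain value before the first message

def compute_mac(key, seq, ts, prev_mac, payload):
    """MAC over (seq, timestamp, previous MAC, payload); JSON gives a fixed encoding."""
    data = json.dumps([seq, ts, prev_mac.hex(), payload], separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).digest()

class Sender:
    def __init__(self, key):
        self.key, self.seq, self.prev = key, 0, GENESIS

    def send(self, payload, now):
        self.seq += 1
        mac = compute_mac(self.key, self.seq, now, self.prev, payload)
        self.prev = mac
        return {"seq": self.seq, "ts": now, "payload": payload, "mac": mac.hex()}

class Receiver:
    def __init__(self, key):
        self.key, self.last_seq, self.prev = key, 0, GENESIS
        self.accepted = []

    def receive(self, msg, now):
        """Return None when the message is accepted, else a short rejection code.
        Cheap integer checks run first; state is updated only after the MAC passes."""
        if msg["seq"] <= self.last_seq:
            return "replay"        # already seen (or older) sequence number
        if abs(now - msg["ts"]) > MAX_SKEW:
            return "stale"         # outside the freshness window
        expected = compute_mac(self.key, msg["seq"], msg["ts"], self.prev, msg["payload"])
        if not hmac.compare_digest(bytes.fromhex(msg["mac"]), expected):
            return "bad-mac"       # modified, reordered, or a message was dropped
        self.last_seq, self.prev = msg["seq"], expected
        self.accepted.append(msg["payload"])
        return None

def run_scenarios():
    """Constructed traffic: five legitimate transfers plus the attacks from the slides."""
    sender, receiver = Sender(KEY), Receiver(KEY)
    m1 = sender.send("transfer 100", now=1000)
    m2 = sender.send("transfer 200", now=1001)
    m3 = sender.send("transfer 300", now=1002)
    m4 = sender.send("transfer 400", now=1003)
    m5 = sender.send("transfer 500", now=1004)
    results = {}
    results["m1"] = receiver.receive(m1, now=1000)
    results["m2"] = receiver.receive(m2, now=1001)
    results["replay m1"] = receiver.receive(m1, now=1002)            # Eve resends m1
    results["tampered m3"] = receiver.receive(dict(m3, payload="transfer 3000"), now=1002)
    results["m4 before m3"] = receiver.receive(m4, now=1003)         # reordered / m3 dropped
    results["m3"] = receiver.receive(m3, now=1002)
    results["m4"] = receiver.receive(m4, now=1003)
    results["m5 delayed"] = receiver.receive(m5, now=2000)           # held back ~16 minutes
    return results, receiver.accepted

if __name__ == "__main__":
    for name, verdict in run_scenarios()[0].items():
        print(f"{name:14s} -> {'accepted' if verdict is None else verdict}")
```

The order of checks follows common practice: the integer comparisons reject obvious replays and stale messages cheaply, the MAC is verified before any state changes, and the chain value advances only on acceptance, so a rejected message can never desynchronise the honest stream (m3 and m4 are still accepted after the tampered and out-of-order copies are refused).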
Denial of Service - DOS
Prevents the normal use or management of communication facilities. Such attacks have become very common on the Internet, especially against web servers.
On the Internet, remotely located hackers can crash the TCP/IP software by exploiting known vulnerabilities in various implementations.
One has to constantly look out for software updates and security patches to protect against these attacks.
Problems with Active Attacks
Easy to detect but difficult to prevent. Efforts are directed to quickly recovering from disruption or delays. The good thing is that detection will have a deterrent effect.
How Threats Affect Computer Systems

| Asset    | Interception  | Interruption      | Modification   | Fabrication |
|----------|---------------|-------------------|----------------|-------------|
| Hardware | Theft         | Denial of service |                |             |
| Software | Theft         | Deletion          | Malicious code |             |
| Data     | Eavesdropping | Loss              | Modification   | Fabrication |
A Model for Network Security
Security Protocols
A protocol is a series of steps, involving two or more parties, designed to accomplish a task.
Everyone involved in a protocol must know the protocol and all of the steps to follow in advance.
Everyone involved in the protocol must agree to follow it.
The protocol must be unambiguous; each step must be well defined and there must be no chance of misunderstanding.
The protocol must be complete; there must be a specified action for every possible situation.
It should not be possible to do more or learn more than what is specified in the protocol.
The Actors in Security Protocols
Alice: first participant in all the protocols
Bob: second participant in all the protocols
Carol: participant in three- and four-party protocols
Dave: participant in four-party protocols
Eve: eavesdropper
Mallory: malicious active intruder
Trent: trusted arbitrator
Victor: verifier
Peggy: prover
Walter: warden; he'll be guarding Alice and Bob in some protocols
Security Protocol Types
Arbitrated protocols, adjudicated protocols, self-enforcing protocols.
Example protocols: key exchange protocols, authentication protocols, time stamping service, digital cash.
(Diagram: (a) Arbitrated protocol: Alice and Bob exchange messages through Trent. (b) Adjudicated protocol: Alice and Bob exchange messages directly and present evidence to Trent after the fact. (c) Self-enforcing protocol: Alice and Bob alone.)
Security Protocol Layers
The further down you go, the more transparent it is. The further up you go, the easier it is to deploy.
(Diagram: two OSI stacks, Application, Presentation, Session, Transport, Network, Datalink and Physical, with the security protocols placed at the layer they operate in: Email - S/MIME at the application layer, SSL at the transport layer, IPSec at the network layer, PPP - ECP at the datalink layer, and encrypting NICs on the physical network.)
Security Services Provided by Security Protocols
Access control: Protects against unauthorized use.
Authentication: Provides assurance of someone's identity.
Confidentiality: Protects against disclosure to unauthorized identities.
Integrity: Protects from unauthorized data alteration.
Non-repudiation: Protects against originator of communications later denying it.
Security Mechanisms
Three basic building blocks are used:
Encryption is used to provide confidentiality, and can provide authentication and integrity protection.
Digital signatures are used to provide authentication, integrity protection, and non-repudiation.
Checksums/hash algorithms are used to provide integrity protection, and can provide authentication.
One or more security mechanisms are combined to provide a security service/protocol.
Services, Mechanisms, Algorithms
A typical security protocol provides one or more security services (authentication, secrecy, integrity, etc.).
Services are built from mechanisms. Mechanisms are implemented using algorithms.
(Diagram: SSL as the service (security protocol); signatures, encryption and hashing as its mechanisms; DSA and RSA for signatures, RSA and DES for encryption, and SHA1 and MD5 for hashing as the algorithms.)
Services, Mechanisms, Algorithms
Services (security protocols): standards-based security protocols (SSL, IPSec); proprietary security protocols (PrivateWire, Big Brother).
Mechanisms: encryption, signature, hashing, key exchange.
Algorithms: symmetric (DES, AES) and asymmetric (RSA, ECC) encryption; asymmetric signatures (DSA, RSA); hashing (MD-5, SHA-1); key exchange (Diffie-Hellman); symmetric DES MAC.
Encryption and Security
Encryption is a key enabling technology to implement computer security. But encryption is to security like bricks are to buildings. In the next module we will study encryption in detail.
Network Access Security Model
Firewalls and Security Gateways are based on this model
Computer security is based on eight major elements:
1. Computer security should support the mission of the organization.
2. Computer security is an integral element of sound management.
3. Computer security should be cost-effective.
4. Computer security responsibilities and accountability should be made explicit.
5. System owners have computer security responsibilities outside their own organizations.
6. Computer security requires a comprehensive and integrated approach.
7. Computer security should be periodically reassessed.
8. Computer security is constrained by societal factors.
Usability and Security
(Diagram: a line running from Security at one end to Convenience / Usability at the other.)
Determine where on this line your organization's needs lie.
Typical Security Solutions and Technologies
Physical security
Encryption
Access control
Automatic call back
Node authentication
Differentiated access rights
Antivirus software
Public Key Infrastructure
Firewalls
User authentication: passwords and passphrases; challenge-response systems; token or smart cards; exchange-of-secret protocol; personal characteristics - biometrics