Copyright 2003 2013 by Curt Hill Transaction Management An Overview.
Copyright 2013 Curt Hill Computer Security An Overview.
-
Upload
annabella-harrison -
Category
Documents
-
view
224 -
download
0
description
Transcript of Copyright 2013 Curt Hill Computer Security An Overview.
Copyright © 2013 – Curt Hill
Computer Security
An Overview
Introduction• We want to consider just the basics of
security• There are several questions that need
answers:– What assets need protection?– What threats exist for these assets?– What counter measures exist for the
threats?• Security is a course of study all its own
– All we do here is introduce the topicCopyright © 2013 – Curt Hill
NIST Definition• National Institute of Standards and
Technology defines computer security:• The protection afforded to an
automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data and telecommunications).
Copyright © 2013 – Curt Hill
Audience Participation• What does this definition tell us?• What is:
– Integrity?– Availability?– Confidentiality?
Copyright © 2013 – Curt Hill
The Heart• Computer security centers around
these three concepts:– Integrity– Availability– Confidentiality
• These are also known as the CIA triangle– Not Central Intelligence Agency– Failures in one often leak into others
• Lets unpack this a little furtherCopyright © 2013 – Curt Hill
Integrity• Guarding against improper modification
or destruction of information• System integrity is about software
– System performs the functions it was designed to accomplish
– We counter threats to the software itself• Data integrity
– Data is changed only be those authorized to do so and only in specified manners
• Both data and software are stored in similar ways, so there is overlap
Copyright © 2013 – Curt Hill
Availability• System is available to do the work it
was purchased to do– Timely and reliable access
• It services authorized users and denies service to those who are not
• One of the problems is that additional security is overhead that reduces amount of work that can be done– Although not as extreme as the
availability issues of attacksCopyright © 2013 – Curt Hill
Confidentiality• Preserving authorized restrictions on
information• Data confidentiality
– Private information is not disclosed to those who are not authorized to access it
• Privacy– The individuals to whom the data refers
have some influence on how the data is used
– Ability to correct errors in the data– Ability to limit who may use the data and
for what reasonCopyright © 2013 – Curt Hill
Triangle or Pentangle?• Two more concepts that figure in
frequently are Authenticity and Accountability
• Authenticity is about the verification process of users or system– Are they actually who they say they are?
• Accountability is about being able to track actions in an uncompromised way – often after a security breach– We need to be able to connect each action
with the one who originated the action
Copyright © 2013 – Curt Hill
Levels of Impact• A failure is categorized into three levels:• Low – limited adverse affect
– Organization is able to perform its primary function with only minor financial loss
• Moderate – serious adverse affect– Loss of capability or effectiveness– Damage to assets and finances
• High – severe or catastrophic affect– Major damage to assets – Could involve life threatening injuries
Copyright © 2013 – Curt Hill
Your turn• In regards to VCSU, what would
constitute failures of these magnitudes?– Low– Moderate– High
Copyright © 2013 – Curt Hill
The problems• Computer security is complex, what are
some of the problems?• The underlying software is complex –
small error can be exploited in a large problem
• To succeed the developer has to plug all holes, failure comes from only finding one – a battle of wits
• Authentication requires the user to possess some secret fact – how can this be distributed?
Copyright © 2013 – Curt Hill
More problems• To most users this is an annoyance,
thus they do not employ good practices• Security is often an afterthought to
system development – a porous surface is hard to plug
• Continual monitoring is required, this is a budget item that requires justification
• Thinking about threats requires an unusual mind set
Copyright © 2013 – Curt Hill
Attack Classifications• Active attack – an attempt to alter
resources and operation• Passive – an attempt to make use of
information without altering any of it• Inside – usually mounted by an
employee or privileged person– They know about the system and have a
starting point of some authorization• Outside – not the above
– Ranges from high school pranks to organized crime or even governments
Copyright © 2013 – Curt Hill
Countermeasures• Any attempt to thwart an attack• Prevention – predict the attack and
disable in advance• Detection – look for suspicious
activity and unauthorized accesses• Recovery – an attempt to undo the
effect of an attack
Copyright © 2013 – Curt Hill
Threat Consequences
Copyright © 2013 – Curt Hill
Consequence
Action or attack
Disclosure Exposure – sensitive data is made availableInterception – access to data in transitInference – deduce information based on what was visibleIntrusion – active gaining of access
Deception Masquerade – Using other’s authorizationFalsification – false data to deceive authorizationRepudiation – denial of an unauthorized action
Disruption Incapacitation – disabling a component to damage systemCorruption – modify component to alter behaviorObstruction – interrupt delivery of system services
Usurpation
Misappropriation – entity gains unauthorized control Misuse – modification to perform another function
Assets and Example Threats
Copyright © 2013 – Curt Hill
Availability Confidentiality Integrity
Hardware Theft
Software Deletion of pgms
Unauthorized copy of pgms
Pgms modified to fail or provide unauthorized functions
Data Delete files Unauthorized access
Modification of files
Communication lines
Messages are destroyed or mangled
Messages are intercepted
Messages are falsified
Finally• Security will continue to be an
important topic for the foreseeable future
• We will continue to balance:– The danger of security threats versus the
ease of use problems that security requires
– Cost of security versus the cost of failure and recovery
• Security concerns are also business concerns
Copyright © 2013 – Curt Hill