Copyright 2013 Curt Hill Computer Security An Overview.


Page 1: Computer Security

An Overview

Copyright © 2013 – Curt Hill

Page 2: Introduction

• We want to consider just the basics of security
• There are several questions that need answers:
  – What assets need protection?
  – What threats exist for these assets?
  – What countermeasures exist for the threats?
• Security is a course of study all its own
  – All we do here is introduce the topic

Page 3: NIST Definition

• National Institute of Standards and Technology defines computer security:
• The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data and telecommunications).

Page 4: Audience Participation

• What does this definition tell us?
• What is:
  – Integrity?
  – Availability?
  – Confidentiality?

Page 5: The Heart

• Computer security centers around these three concepts:
  – Integrity
  – Availability
  – Confidentiality
• These are also known as the CIA triangle
  – Not Central Intelligence Agency
  – Failures in one often leak into others
• Let's unpack this a little further

Page 6: Integrity

• Guarding against improper modification or destruction of information
• System integrity is about software
  – System performs the functions it was designed to accomplish
  – We counter threats to the software itself
• Data integrity
  – Data is changed only by those authorized to do so and only in specified manners
• Both data and software are stored in similar ways, so there is overlap

Page 7: Availability

• System is available to do the work it was purchased to do
  – Timely and reliable access
• It services authorized users and denies service to those who are not
• One of the problems is that additional security is overhead that reduces the amount of work that can be done
  – Although not as extreme as the availability issues of attacks

Page 8: Confidentiality

• Preserving authorized restrictions on information
• Data confidentiality
  – Private information is not disclosed to those who are not authorized to access it
• Privacy
  – The individuals to whom the data refers have some influence on how the data is used
  – Ability to correct errors in the data
  – Ability to limit who may use the data and for what reason

Page 9: Triangle or Pentangle?

• Two more concepts that figure in frequently are Authenticity and Accountability
• Authenticity is about the verification of users or systems
  – Are they actually who they say they are?
• Accountability is about being able to track actions in an uncompromised way – often after a security breach
  – We need to be able to connect each action with the one who originated the action

Page 10: Levels of Impact

• A failure is categorized into three levels:
• Low – limited adverse effect
  – Organization is able to perform its primary function with only minor financial loss
• Moderate – serious adverse effect
  – Loss of capability or effectiveness
  – Damage to assets and finances
• High – severe or catastrophic effect
  – Major damage to assets
  – Could involve life-threatening injuries

Page 11: Your turn

• With regard to VCSU, what would constitute failures of these magnitudes?
  – Low
  – Moderate
  – High

Page 12: The problems

• Computer security is complex; what are some of the problems?
• The underlying software is complex – a small error can be exploited into a large problem
• To succeed, the developer has to plug all holes; failure comes from an attacker finding only one – a battle of wits
• Authentication requires the user to possess some secret fact – how can this be distributed?

Page 13: More problems

• To most users security is an annoyance, thus they do not employ good practices
• Security is often an afterthought to system development – a porous surface is hard to plug
• Continual monitoring is required; this is a budget item that requires justification
• Thinking about threats requires an unusual mindset

Page 14: Attack Classifications

• Active attack – an attempt to alter resources and operation
• Passive – an attempt to make use of information without altering any of it
• Inside – usually mounted by an employee or privileged person
  – They know about the system and have a starting point of some authorization
• Outside – not the above
  – Ranges from high school pranks to organized crime or even governments

Page 15: Countermeasures

• Any attempt to thwart an attack
• Prevention – predict the attack and disable it in advance
• Detection – look for suspicious activity and unauthorized accesses
• Recovery – an attempt to undo the effect of an attack

Page 16: Threat Consequences

Each consequence is listed with the actions or attacks that cause it.

• Disclosure
  – Exposure – sensitive data is made available
  – Interception – access to data in transit
  – Inference – deduce information based on what was visible
  – Intrusion – active gaining of access
• Deception
  – Masquerade – using another's authorization
  – Falsification – false data to deceive authorization
  – Repudiation – denial of an unauthorized action
• Disruption
  – Incapacitation – disabling a component to damage system
  – Corruption – modify component to alter behavior
  – Obstruction – interrupt delivery of system services
• Usurpation
  – Misappropriation – entity gains unauthorized control
  – Misuse – modification to perform another function

Page 17: Assets and Example Threats

• Hardware
  – Theft
• Software
  – Availability: Deletion of programs
  – Confidentiality: Unauthorized copy of programs
  – Integrity: Programs modified to fail or provide unauthorized functions
• Data
  – Availability: Delete files
  – Confidentiality: Unauthorized access
  – Integrity: Modification of files
• Communication lines
  – Availability: Messages are destroyed or mangled
  – Confidentiality: Messages are intercepted
  – Integrity: Messages are falsified

Page 18: Finally

• Security will continue to be an important topic for the foreseeable future
• We will continue to balance:
  – The danger of security threats versus the ease-of-use problems that security imposes
  – Cost of security versus the cost of failure and recovery
• Security concerns are also business concerns