Pfleeger 9780134093093 Ch01

Security in Computing, Fifth Edition
Chapter 1: Introduction

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

Objectives for Chapter 1
• Define computer security as well as basic computer security terms
• Introduce the C-I-A Triad
• Introduce basic access control terminology
• Explain basic threats, vulnerabilities, and attacks
• Show how controls map to threats


Introduction
• Computer security is the branch of technology known as information security as applied to computers.
• The objective of computer security is
• the protection of information from theft and corruption, and
• the preservation of availability.


Introduction
• Computer security imposes requirements on computers: it specifies what computers are not supposed to do.
• This is particularly challenging because computer security is often more technical and mathematical than some other computer science fields.


What Is Computer Security?
• The protection of the assets of a computer system
• Hardware
• Software
• Data


Assets


Values of Assets


Basic Terms
• Vulnerability
• Threat
• Attack
• Countermeasure or control


Threat and Vulnerability


C-I-A Triad
• Confidentiality
• Integrity
• Availability
• Sometimes two other desirable characteristics:
• Authentication
• Nonrepudiation


Information Security Components


Confidentiality
• Confidentiality is the property of preventing disclosure (discovery) of information to unauthorized individuals or systems.
• Example: a confidentiality violation scenario
• A credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network.
• The system attempts to enforce confidentiality by
• encrypting the card number during transmission,
• limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and
• restricting access to the places where it is stored.
• If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred.
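The second control above, limiting where the card number appears, is usually enforced at the logging boundary. The following is an added example written for this page, not code from the book or the slides: it masks Luhn-valid card numbers in log lines before they are written, keeping only the last four digits, and leaves other long digit strings (such as order references) untouched. The log lines and card numbers are constructed test values.

```python
import re

# Constructed sample log lines (not from the slides). The two card numbers are
# well-known test values that pass the Luhn check; the 13-digit ref does not.
SAMPLE_LOG = [
    "2015-03-01 10:02:11 INFO  checkout ok order=1881 pan=4111111111111111",
    "2015-03-01 10:02:12 DEBUG gateway req card 5500 0000 0000 0004 amount=19.99",
    "2015-03-01 10:02:13 INFO  order=1882 ref=1234567890123 status=ok",
]

# A candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit (ISO/IEC 7812); used to reject false positives such as order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(line: str) -> str:
    """Mask every Luhn-valid card number in a line, keeping only the last four digits."""
    def _mask(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw          # not a card number (e.g. a reference id): leave as-is
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_CANDIDATE.sub(_mask, line)


def redact_log(lines: list[str]) -> list[str]:
    """Apply redaction to a whole batch of log lines before they reach disk or a SIEM."""
    return [redact_pans(line) for line in lines]


if __name__ == "__main__":
    for out in redact_log(SAMPLE_LOG):
        print(out)
```

Redaction at the logging layer complements, rather than replaces, encryption in transit and access restriction on the stores where the number legitimately lives.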


Confidentiality
• Forms of confidentiality violation
• Permitting someone to look over your shoulder at your computer screen while you have confidential data displayed on it.
• A laptop computer containing sensitive information about a company's employees is stolen or sold.
• Giving out confidential information over the telephone when the caller is not authorized to have the information.
• Confidentiality is necessary for maintaining the privacy of the people whose personal information a system holds.


Integrity
• Integrity means that data cannot be modified without authorization.
• Note: this is not the same thing as referential integrity in databases.
• Integrity violations, with malicious intent
• an employee accidentally or with malicious intent deletes important data files,
• a computer virus infects a computer,
• an employee is able to modify his own salary in a payroll database,
• an unauthorized user vandalizes a web site,
• someone is able to cast a very large number of votes in an online poll,
• and so on.


Integrity
• Integrity violated without malicious intent
• Simple: a user on a system could mistype someone's address.
• Larger: if an automated process is not written and tested correctly, bulk updates to a database could alter data in an incorrect way, leaving the integrity of the data compromised.
• Information security professionals are tasked with finding ways to implement controls that prevent errors of integrity.
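One control that catches both kinds of integrity failure described on these two slides (a deliberate edit of a salary, a deletion, or a buggy bulk update) is a tamper-evident tag per record, checked independently of the application that writes the data. This is an added example for this page, not code from the book: the payroll records and the key are constructed, and the assumption is that the verifying component holds the key while the updating application does not.

```python
import hashlib
import hmac
import json

# Constructed payroll records (sample data, not from the slides).
PAYROLL = {
    101: {"name": "A. Lovelace", "salary": 5200},
    102: {"name": "G. Hopper", "salary": 6100},
    103: {"name": "C. Shannon", "salary": 5800},
}

# Assumed deployment: this key belongs to the integrity checker, not to the
# payroll application, so an edit made through the application cannot re-tag itself.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"


def canonical(record: dict) -> bytes:
    """Serialize deterministically so equal records always produce equal tags."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(records: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """HMAC-SHA256 tag per record id; the tags are stored apart from the data."""
    return {rid: hmac.new(key, canonical(rec), hashlib.sha256).hexdigest()
            for rid, rec in records.items()}


def verify(records: dict, tags: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Return {record_id: reason} for every record whose integrity cannot be confirmed."""
    problems = {}
    for rid in set(records) | set(tags):
        if rid not in tags:
            problems[rid] = "added without a tag"
        elif rid not in records:
            problems[rid] = "deleted"
        else:
            actual = hmac.new(key, canonical(records[rid]), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(tags[rid], actual):   # constant-time compare
                problems[rid] = "modified"
    return problems


def demo() -> dict:
    """Seal the table, then replay the slides' scenarios against a working copy."""
    tags = seal(PAYROLL)
    data = {rid: dict(rec) for rid, rec in PAYROLL.items()}
    data[102]["salary"] = 9100                 # employee edits their own salary
    del data[103]                              # an important record is deleted
    data[104] = {"name": "Ghost", "salary": 1}  # record inserted behind the checker's back
    return verify(data, tags)


if __name__ == "__main__":
    print(demo())
```

Authorized changes go through a path that re-seals the affected records; anything that reaches `verify` without a matching tag is reported, whether the cause was malice or an untested batch job.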


Availability
• The information must be available when it is needed.
• This means that
• the computing systems used to store and process the information,
• the security controls used to protect it, and
• the communication channels used to access it
• must all be functioning correctly.


Availability
• High availability systems aim to
• remain available at all times,
• preventing service disruptions (interruptions) due to power outages, hardware failures, and system upgrades.
• Ensuring availability also involves preventing Denial-of-Service (DoS) attacks.


Alternative Model
• In 2002, Donn Parker proposed an alternative to the CIA triad: six atomic elements of information.
• The elements are
• confidentiality,
• possession,
• integrity,
• authenticity,
• availability,
• utility.
• The merits of the Parkerian hexad are a subject of debate amongst security professionals.


• Assignment: draw a table to distinguish between the Parkerian hexad and the CIA triad. Due next lecture.


Access Control


Types of Threats


Advanced Persistent Threat (APT)
• Organized
• Directed
• Well financed
• Patient
• Silent


Types of Attackers


Types of Harm


Method, Opportunity, Motive
• Method (How): skills, knowledge, tools
• Opportunity (When): the time and access to execute an attack
• Motive (Why)
• Alternative terms, example tool: script kiddie


• Method, opportunity, and motive are all necessary for an attack to succeed; deny any of these and the attack will fail.
• Vulnerabilities are weaknesses that can allow harm to occur. If the defender removes vulnerabilities, the attacker cannot attack.
• To protect against harm, then, we can neutralize the threat, close the vulnerability, or both.


Controls/Countermeasures
• We can deal with harm in several ways:
• prevent it, by blocking the attack or closing the vulnerability
• deter it, by making the attack harder but not impossible
• deflect it, by making another target more attractive (or this one less so)
• mitigate it, by making its impact less severe
• detect it, either as it happens or some time after the fact
• recover from its effects

• Security professionals balance the cost and effectiveness of controls against the likelihood and severity of harm.


• Should have in place:
• incident-response procedures (IRP)
• an incident-response team (IRT)


Controls/Countermeasures


Different Types of Controls


Summary
• Vulnerabilities are weaknesses in a system; threats exploit those weaknesses; controls protect those weaknesses from exploitation
• Confidentiality, integrity, and availability are the three basic security primitives
• Different attackers pose different kinds of threats based on their capabilities and motivations
• Different controls address different threats; controls come in many flavors and can exist at various points in the system
