Document Details

Uploaded by IndebtedOwl

Dr. Sayed El-Sayed

Tags

computer security, basic security concepts, IT security, information security

Summary

This presentation introduces the fundamental concepts of computer security. It covers the CIA triad (confidentiality, integrity, and availability), along with examples of security threats and vulnerabilities in both physical and cyber contexts. The presentation also explains different ways to protect computer assets from cyber threats using prevention, detection, and reaction approaches.

Full Transcript

CHAPTER 1
Basic Security Concepts
Dr. Sayed El-Sayed
Public

INTRODUCTION

What is computer security?
– Computer security is the protection of the assets of a computer or computer system (an asset is an item that has value).
– Types of assets: hardware, software, data, processes, storage media, and people.

Principle of Easiest Penetration
– An intruder must be expected to use any available means.

Computer systems (hardware, software, and data) have value and deserve security protection.

There are 3 classifications of protection:
– Prevention: take measures that prevent your assets from being damaged.
– Detection: take measures so that you can detect when, how, and by whom an asset has been damaged.
– Reaction: take measures that allow you to recover your assets or to recover from damage to your assets.

Example from the physical world:
– Prevention: locks at the door or window bars, a wall around the property.
– Detection: you detect when something has been stolen if it is no longer there, a burglar alarm goes off when a break-in occurs, CCTV cameras provide information that allows you to identify intruders.
– Reaction: you can call the police, or you may decide to replace the stolen item.

Example from the cyber world: consider credit card fraud cases.
– Prevention: use encryption when placing an order, rely on the merchant to perform some checks on the caller before accepting a credit card order, or don’t use the credit card number on the Internet.
– Detection: a transaction that you had not authorized appears on your credit card statements.
– Reaction: you can ask for a new credit card number; the cost of the fraudulent transaction may be recovered by the card holder, or the merchant where the fraudster had made the purchase, or the credit card issuer.

Security Goals – CIA Triad

CONFIDENTIALITY: Assets of computing systems are available only to authorized parties (also known as secrecy or privacy).
INTEGRITY: Assets can be modified only by authorized parties or only in authorized ways.
AVAILABILITY: Assets are accessible to authorized parties when needed without any delay.

Security is achieved through a combination of the three characteristics.
CIA is from assets point of view; not the user’s point of view.

Confidentiality

Ensures that computer-related assets are accessed only by authorized parties.
Access given only to those who should have access to something.
– “access”: not only reading, but also viewing, printing, and knowing that the asset exists.

Notice the general pattern of the following statement: A person, process, or program is (or is not) authorized to access a data item in a particular way.
We call the person, process, or program a subject, the data item an object, the kind of access (such as read, write, or execute) an access mode, and the authorization a policy.

Integrity

Assets can be modified only by authorized parties in authorized ways.
Modification includes writing, changing, changing status, deleting, and creating.
Integrity means different things in different contexts. For example, if we say that we have preserved the integrity of an item, we may mean that the item is:
– Precise
– Accurate
– Unmodified
– Modified only in acceptable ways
– Modified only by authorized people
– Modified only by authorized processes
– Consistent
– Internally consistent
– Meaningful and usable

Integrity (cont.)

Integrity can also mean two or more of these properties.
[Welke & Mayfield] recognize three particular aspects:
1. Authorized actions
2. Separation and protection of resources
3. Error detection and correction

Some forms of integrity are well represented in the real world, and those precise representations can be implemented in computerized environment.
– But not all interpretations of integrity are well

Availability

Assets are accessible to authorized parties at appropriate times.
A person/system who has legitimate access should not be prevented from accessing particular sets of objects.
– For this reason, availability is sometimes known by its opposite – denial of service (DoS).
Availability applies to both data (info.) and services (info. processing).
The definition of availability depends on the following:
– is present in a usable form
– has capacity enough to meet service’s needs
– it is making clear progress, and, if it

Other Protection Requirements (AAA)

Remember: CIA is from “assets” point of view.
The AAA system is from the user point of view. It is a three-process framework used to manage user access, enforce user policies and privileges, and measure the consumption of network resources.
– Authentication: Who is the user? (genuine user)
– Authorization: What can the user do? (permission to access resources)
– Accounting: Tracking user activities and events

Vulnerabilities and Threats

A vulnerability is a weakness in the system (procedures, design, or implementation) that might be exploited to cause loss or harm.
– For example, a system may be vulnerable to unauthorized data manipulation because the system does not verify the user’s identity before allowing data access.

A threat to a computing system is a set of circumstances that has the potential to cause loss or harm.
– To see the difference between a threat and a vulnerability, consider the following illustration:

Here, a wall is holding water back. The water is a threat to the man. The threat of harm is the potential for the man to get wet, get hurt, or be drowned.
The small crack is a vulnerability that threatens the man’s security. If the water rises to or above the level of the crack, it will exploit the vulnerability and harm the man.
Temporary solution: the man placing his finger in the hole – controlling the threat of water leaks.
“A threat is blocked by control of a vulnerability”

Computer Network Vulnerabilities

[Figure: computer network vulnerabilities]

SECURITY THREATS

The CIA triad can be viewed from a different perspective: the nature of the harm caused to assets.
Harm can also be characterized by four acts, called Security Threats: interception, interruption, modification, and fabrication.
– INTERRUPTION: An asset of the system is destroyed or becomes unavailable or unusable – attack on AVAILABILITY
– INTERCEPTION: An unauthorized party (program, person, computer) gains access to an asset – attack on CONFIDENTIALITY
– MODIFICATION: An unauthorized party not only gains access to but tampers with an asset – attack on INTEGRITY
– FABRICATION: An unauthorized party inserts counterfeit objects into the system – an attack on INTEGRITY

[Figure: SECURITY THREATS, four panels showing the flow from information source to information destination under INTERRUPTION, INTERCEPTION, MODIFICATION and FABRICATION]

Examples of security threats/attacks:

Interruption
~ destruction of a piece of hardware (hard disk)
~ cutting of a communication line, or
~ disabling of the file management system

Interception
~ wiretapping
~ illicit copy of files or programs

Modification
~ changing values in a data file,
~ altering a program so that it performs differently,
~ modifying the content of messages being transmitted in a network.

Fabrication
~ addition of records into a file,
~ insertion of spurious messages in a network
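The four threat classes above, as an added example that is not part of the original slides: an audit that compares what the information source sent with what the destination received and names the harm. The message format, the shared HMAC key and the `tapped` set are assumptions made for illustration, and all sample data is constructed.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: known to source and destination only


def tag(seq, body):
    """MAC over sequence number and body, as the source would compute it."""
    return hmac.new(KEY, f"{seq}:{body}".encode(), hashlib.sha256).hexdigest()


def classify(sent, received, tapped=()):
    """Name the threat behind each difference between the two views.

    sent:     {seq: body} logged by the information source
    received: [(seq, body, mac)] logged by the information destination
    tapped:   seqs known from another signal to have been copied by a
              third party; interception changes nothing in transit, so
              comparing the two logs alone can never reveal it
    """
    findings, seen = {}, set()
    for seq, body, mac in received:
        seen.add(seq)
        if seq not in sent:
            # Counterfeit object inserted into the system
            findings[seq] = "FABRICATION (integrity)"
        elif body != sent[seq] or not hmac.compare_digest(mac, tag(seq, body)):
            # Genuine message tampered with on the way
            findings[seq] = "MODIFICATION (integrity)"
    for seq in sent:
        if seq not in seen:
            # Asset never reached the destination
            findings[seq] = "INTERRUPTION (availability)"
        elif seq in tapped and seq not in findings:
            findings[seq] = "INTERCEPTION (confidentiality)"
    return findings


# Constructed sample data
SENT = {1: "pay 100 to alice", 2: "pay 20 to bob",
        3: "pay 5 to carol", 4: "pay 7 to dave"}
RECEIVED = [
    (1, "pay 100 to alice", tag(1, "pay 100 to alice")),  # intact but copied
    (2, "pay 900 to bob", tag(2, "pay 20 to bob")),       # altered in transit
    (4, "pay 7 to dave", tag(4, "pay 7 to dave")),        # intact
    (9, "pay 500 to mallory", "0" * 64),                  # never sent
]
TAPPED = {1}

if __name__ == "__main__":
    for seq, threat in sorted(classify(SENT, RECEIVED, TAPPED).items()):
        print(seq, threat)
```

Message 3 is missing at the destination and message 4 arrives clean; message 1 is only flagged because `tapped` supplies a signal the two logs do not contain.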
