chap1: is there a security problem in computing?

SE571Security in Computing

Chap1: Is there a Security Problem in Computing?

SE571 Security in Computing Dr. Ogara2

Objectives

• The risks involved in computing • The goals of secure computing:

confidentiality, integrity, availability • The threats to security in computing:

interception, interruption, modification, fabrication


Objectives

• Controls available to address these threats: encryption, programming controls, operating systems, network controls, administrative controls, law, and ethics


2010/2011 CSI Computer Crime and Security Survey

351 Security practitioners responded More attacks on Web applications Virtualization and cloud computing

make security more complex Software is main culprit in breaches Outsourcing security fell IT budget trimmed NOT security


Computing System

Computing System • collection of hardware, software, storage

media, data, and people that an organization uses to perform computing tasks.

• components: hardware, software, and data.


Vulnerabilities, Threats, Attacks, and Controls

Vulnerability • weakness in the security system• Example, weaknesses in procedures,

design, or implementation, that might be exploited to cause loss or harm.

• Figure 1.1 – Crack on the wall is a vulnerability



A threat • A set of circumstances that has the

potential to cause loss or harm.• Human initiated e.g. human errors, attacks,

denial of service• Computer initiated e.g. natural disaster

such as Katrina• Figure1.1 – getting hurt or drowning



Control• Protective measure against vulnerabilities

and threats• Action, device, procedure, or technique that

removes or reduces a vulnerability• A threat is blocked by control of a

vulnerability.


Figure 1-1 Threats, Controls, and Vulnerabilities.


Four Classes of Security Threats

Interception • Unauthorized party gains access to an

asset• The outside party can be a person, a

program, or a computing system. • Examples, illicit copying of program or

data files, or wiretapping to obtain data in a network


Types of Threats

Interruption• An asset of the system becomes lost,

unavailable, or unusable. • Examples, malicious destruction of a

hardware device, erasure/deletion of a program or data file, and denial of service attack


Types of Threats

Modification• Unauthorized party not only accesses but

tampers with an asset.• Example, change the values in a

database, alter a program so that it performs an additional computation, or modify data being transmitted electronically (email).


Types of Threats

Fabrication • intruder may insert bogus transactions to

a network communication system or add records to an existing database, create user accounts


Figure 1-2 System Security Threats.


Meaning of Computer Security

Computer security addresses three important aspects/goals of any computer-related system (CIA): • Confidentiality - Ensures that computer-

related assets are accessed only by authorized parties

• Integrity - assets can be modified only by authorized parties or only in authorized ways

• Availability - assets are accessible to authorized parties at appropriate times


Computer Security

Confidentiality • Also called secrecy or privacy• Ensures that computer-related assets are

accessed only by authorized parties (people or systems)

• Control encryption, access control lists, physical

security


Computer Security

Integrity • Means that assets can be modified only

by authorized parties or only in authorized ways.

• Examples; writing, changing and deleting• Control

digital signatures, hashing, code review to detect covert channels


Computer Security

Availability • Means that assets are accessible to

authorized parties at appropriate times• Applies both to data and to services

(information and to information processing)

• Opposite of denial of service


Computer Security

Availability • Meaning of availability

It is present in a usable form. • It has enough capacity to meet the service’s

needs• Control

RAID, redundant components (power supply, fan), server clusters


Figure 1-3 Relationship Between Confidentiality, Integrity, and Availability.


Vulnerabilities

Apply to all three broad categories of system resources (Figure 1-4)• Hardware

Theft Destruction Flooding


Vulnerabilities

• Software (operating system, controllers, utility programs, and application programs) Deletion Alteration Modification

Example, Trojan horse, virus, trapdoor, and information leaks in a program

Theft


Vulnerabilities

• Data Data attack is a more widespread and serious

problem than either a hardware or software attack

Data items have greater public value than hardware and software because more people know how to use or interpret data


Figure 1-4 Vulnerabilities of Computing Systems.


Vulnerabilities

Other Exposed Assets Networks Access

Intruder steals computer time but no attack Destroy software or data Deny service to legitimate users

Key People Disgruntled employee may cause damage


Computer Criminals

Amateurs Crackers or Malicious Hackers Career Criminals

• organized crime and international groups engaged in computer crime

Terrorists • denial-of-service attacks and web site

defacements are popular


Methods of Defense - Controls

Used to preserve Confidentiality Integrity Availability

May prevent or mitigate attacks May inform us that security is

compromised May detect a breach as it

happens/after it occurs


Available Controls

Encryption • Scrambles data so that interpretation is

meaningless• Unscrambled state, called cleartext• Transformed data are called enciphered

text or ciphertext• May nullify modification or fabrication • Important for integrity and confidentiality

of data


Figure 1-6 Multiple Controls.


Available Controls

Hardware control• hardware or smart card implementations of

encryption • locks or cables limiting access or deterring

theft • devices to verify users’ identities • firewalls • intrusion detection systems • circuit boards that control access to storage

media


Available Controls

Policies and Procedures among users• Frequent changes of passwords• Training and administration • Ethical and legal issues


Available Controls

Physical Controls• locks on doors• guards at entry points• backup copies of important software and

data• physical site planning that reduces the

risk of natural disasters


Enhancing Controls

Awareness of Problem• Understand importance of security

Likelihood of Use • Controls must be used

Overlapping Controls • Use combination of controls /layered

defense Periodic Review

chap1: is there a security problem in computing?

Documents