SE571 Security in Computing
Chap1: Is there a Security Problem in Computing?
SE571 Security in Computing Dr. Ogara
Objectives
• The risks involved in computing
• The goals of secure computing: confidentiality, integrity, availability
• The threats to security in computing: interception, interruption, modification, fabrication
Objectives
• Controls available to address these threats: encryption, programming controls, operating systems, network controls, administrative controls, law, and ethics
2010/2011 CSI Computer Crime and Security Survey
• 351 security practitioners responded
• More attacks on Web applications
• Virtualization and cloud computing make security more complex
• Software is main culprit in breaches
• Outsourcing security fell
• IT budget trimmed, NOT security
Computing System
• collection of hardware, software, storage media, data, and people that an organization uses to perform computing tasks.
• components: hardware, software, and data.
Vulnerabilities, Threats, Attacks, and Controls
Vulnerability
• weakness in the security system
• Example: weaknesses in procedures, design, or implementation that might be exploited to cause loss or harm.
• Figure 1.1 – Crack on the wall is a vulnerability
Vulnerabilities, Threats, Attacks, and Controls
A threat
• A set of circumstances that has the potential to cause loss or harm.
• Human initiated, e.g. human errors, attacks, denial of service
• Computer initiated, e.g. natural disaster such as Katrina
• Figure 1.1 – getting hurt or drowning
Vulnerabilities, Threats, Attacks, and Controls
Control
• Protective measure against vulnerabilities and threats
• Action, device, procedure, or technique that removes or reduces a vulnerability
• A threat is blocked by control of a vulnerability.
Figure 1-1 Threats, Controls, and Vulnerabilities.
Four Classes of Security Threats
Interception
• Unauthorized party gains access to an asset
• The outside party can be a person, a program, or a computing system.
• Examples: illicit copying of program or data files, or wiretapping to obtain data in a network
Types of Threats
Interruption
• An asset of the system becomes lost, unavailable, or unusable.
• Examples: malicious destruction of a hardware device, erasure/deletion of a program or data file, and denial of service attack
Types of Threats
Modification
• Unauthorized party not only accesses but tampers with an asset.
• Examples: change the values in a database, alter a program so that it performs an additional computation, or modify data being transmitted electronically (email).
Types of Threats
Fabrication
• intruder may insert bogus transactions to a network communication system, add records to an existing database, or create user accounts
Figure 1-2 System Security Threats.
Meaning of Computer Security
Computer security addresses three important aspects/goals of any computer-related system (CIA):
• Confidentiality - ensures that computer-related assets are accessed only by authorized parties
• Integrity - assets can be modified only by authorized parties or only in authorized ways
• Availability - assets are accessible to authorized parties at appropriate times
Computer Security
Confidentiality
• Also called secrecy or privacy
• Ensures that computer-related assets are accessed only by authorized parties (people or systems)
• Control: encryption, access control lists, physical security
Computer Security
Integrity
• Means that assets can be modified only by authorized parties or only in authorized ways.
• Examples: writing, changing and deleting
• Control: digital signatures, hashing, code review to detect covert channels
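Added example (not part of the original slides): the hashing control from the Integrity slide applied to a small database table, reporting which of the threat classes above each discrepancy belongs to. The record layout, account ids and function names are constructed for illustration, and the baseline manifest is assumed to be stored where an attacker cannot rewrite it.

```python
import hashlib
import json

def digest(record):
    """SHA-256 over a canonical JSON encoding, so field order cannot change the hash."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def build_manifest(table):
    """Baseline of record id -> digest, taken while the data is known good.
    Assumption: the manifest is kept where an attacker cannot rewrite it."""
    return {rid: digest(rec) for rid, rec in table.items()}

def audit(manifest, table):
    """Compare current data with the baseline and name the threat class."""
    findings = {"interruption": [], "modification": [], "fabrication": []}
    for rid, expected in manifest.items():
        if rid not in table:
            findings["interruption"].append(rid)   # asset lost or deleted
        elif digest(table[rid]) != expected:
            findings["modification"].append(rid)   # values tampered with
    for rid in table:
        if rid not in manifest:
            findings["fabrication"].append(rid)    # bogus record inserted
    return findings

# Constructed sample data (hypothetical account table).
BASELINE = {
    "acct-1001": {"owner": "alice", "balance": 250},
    "acct-1002": {"owner": "bob", "balance": 90},
    "acct-1003": {"owner": "carol", "balance": 1200},
}
TAMPERED = {
    "acct-1001": {"owner": "alice", "balance": 250},    # untouched
    "acct-1002": {"owner": "bob", "balance": 9000},     # value changed
    "acct-1004": {"owner": "mallory", "balance": 500},  # record added
    # acct-1003 has been deleted
}

if __name__ == "__main__":
    for threat, ids in audit(build_manifest(BASELINE), TAMPERED).items():
        print(f"{threat:13s} {ids}")
```

Interception does not appear in the findings because copying data leaves it unchanged; that class is addressed by the confidentiality controls (encryption, access control lists) rather than by hashing.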
Computer Security
Availability
• Means that assets are accessible to authorized parties at appropriate times
• Applies both to data and to services (information and to information processing)
• Opposite of denial of service
Computer Security
Availability
• Meaning of availability
  • It is present in a usable form.
  • It has enough capacity to meet the service’s needs
• Control: RAID, redundant components (power supply, fan), server clusters
Figure 1-3 Relationship Between Confidentiality, Integrity, and Availability.
Vulnerabilities
Apply to all three broad categories of system resources (Figure 1-4)
• Hardware: theft, destruction, flooding
Vulnerabilities
• Software (operating system, controllers, utility programs, and application programs)
  • Deletion
  • Alteration
  • Modification
  • Example: Trojan horse, virus, trapdoor, and information leaks in a program
  • Theft
Vulnerabilities
• Data
  • Data attack is a more widespread and serious problem than either a hardware or software attack
  • Data items have greater public value than hardware and software because more people know how to use or interpret data
Figure 1-4 Vulnerabilities of Computing Systems.
Vulnerabilities
Other Exposed Assets
• Networks
• Access
  • Intruder steals computer time but no attack
  • Destroy software or data
  • Deny service to legitimate users
• Key People
  • Disgruntled employee may cause damage
Computer Criminals
• Amateurs
• Crackers or Malicious Hackers
• Career Criminals
  • organized crime and international groups engaged in computer crime
• Terrorists
  • denial-of-service attacks and web site defacements are popular
Methods of Defense - Controls
• Used to preserve confidentiality, integrity, availability
• May prevent or mitigate attacks
• May inform us that security is compromised
• May detect a breach as it happens/after it occurs
Available Controls
Encryption
• Scrambles data so that interpretation is meaningless
• Unscrambled state is called cleartext
• Transformed data are called enciphered text or ciphertext
• May nullify modification or fabrication
• Important for integrity and confidentiality of data
Figure 1-6 Multiple Controls.
Available Controls
Hardware control
• hardware or smart card implementations of encryption
• locks or cables limiting access or deterring theft
• devices to verify users’ identities
• firewalls
• intrusion detection systems
• circuit boards that control access to storage media
Available Controls
Policies and Procedures among users
• Frequent changes of passwords
• Training and administration
• Ethical and legal issues
Available Controls
Physical Controls
• locks on doors
• guards at entry points
• backup copies of important software and data
• physical site planning that reduces the risk of natural disasters
Enhancing Controls
Awareness of Problem
• Understand importance of security
Likelihood of Use
• Controls must be used
Overlapping Controls
• Use combination of controls / layered defense
Periodic Review