Computer Security: Principles and Practice
First Edition
by William Stallings and Lawrie Brown
Lecture slides by Lawrie Brown
Chapter 1 – Overview
Overview
  Computer Security: protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).
Key Security Concepts
Computer Security Challenges
  1. not simple
  2. must consider potential attacks
  3. procedures used counter-intuitive
  4. involve algorithms and secret info
  5. must decide where to deploy mechanisms
  6. battle of wits between attacker / admin
  7. not perceived on benefit until fails
  8. requires regular monitoring
  9. too often an after-thought
  10. regarded as impediment to using system
Security Terminology
Vulnerabilities and Attacks
  system resource vulnerabilities may
    be corrupted (loss of integrity)
    become leaky (loss of confidentiality)
    become unavailable (loss of availability)
  attacks are threats carried out and may be
    passive
    active
    insider
    outsider
Countermeasures
  means used to deal with security attacks
    prevent
    detect
    recover
  may result in new vulnerabilities
  will have residual vulnerability
  goal is to minimize risk given constraints
Threat Consequences
  unauthorized disclosure
    exposure, interception, inference, intrusion
  deception
    masquerade, falsification, repudiation
  disruption
    incapacitation, corruption, obstruction
  usurpation
    misappropriation, misuse
Scope of Computer Security
Network Security Attacks
  classify as passive or active
  passive attacks are eavesdropping
    release of message contents
    traffic analysis
    are hard to detect so aim to prevent
  active attacks modify/fake data
    masquerade
    replay
    modification
    denial of service
    hard to prevent so aim to detect
Security Functional Requirements
  technical measures:
    access control; identification & authentication; system & communication protection; system & information integrity
  management controls and procedures
    awareness & training; audit & accountability; certification, accreditation, & security assessments; contingency planning; maintenance; physical & environmental protection; planning; personnel security; risk assessment; systems & services acquisition
  overlapping technical and management:
    configuration management; incident response; media protection
X.800 Security Architecture
  X.800, Security Architecture for OSI
  systematic way of defining requirements for security and characterizing approaches to satisfying them
  defines:
    security attacks - compromise security
    security mechanism - act to detect, prevent, recover from attack
    security service - counter security attacks
Security Taxonomy
Security Trends
Computer Security Losses
Security Technologies Used
Computer Security Strategy
  specification/policy
    what is the security scheme supposed to do?
    codify in policy and procedures
  implementation/mechanisms
    how does it do it?
    prevention, detection, response, recovery
  correctness/assurance
    does it really work?
    assurance, evaluation
Summary
  security concepts
  terminology
  functional requirements
  security architecture
  security trends
  security strategy