security in computing (c2021) week-1. module syllabus summary the main topics of study will include:...
TRANSCRIPT
Security in Computing (C2021)
Week-1
Module Syllabus SummaryThe main topics of study will include:
General Security Problems:
attacks; computer criminals; computer security; methods of defense.
Program Security:
secure programs; viruses and malicious code; controls against program
threats.
Security in Operating Systems:
user authentication; memory and address protection; file protections;
control of access to general objects; trusted operating systems.
Module Syllabus Summary contd.Database Security:
security requirements; integrity and reliability; inference; multilevel
security.
Security in Networks:
threats in networks; firewalls intrusion detection; secure email; security
control.
Legal, Privacy, and Ethical Issues:
protecting programs and data; information and the law; rights of
employees and employers; privacy; ethical issues.Cryptography: traditional ciphers; symmetric encryption; public key encryption; digital signatures and authentication; quantum cryptography.
Module Assessments
For more about Assessments:
http://learning.londonmet.ac.uk/computing/IC_Link/CompNetITSec/mo
dules/cc2021/cc2021_spec.html
Recommended Book List• Pfleeger, C.P & Pfleeger, S.L., 2007. Security in Computing. 4th ed.
Prentice Hall.
• Stallings, W., 2006. Cryptography and Network Security Principles and
Practices. 4th ed. Prentice Hall.
• Stallings, W & Brown, L., 2008. Computer Security: Principles and
Practice. Prentice Hall.
Introduction to Security in Computing
Chapter-1
Introduction – Security in Computing• Security in computing is about protecting computer-related assets, i.e.
valuable information
• The focus is security for computing systems
• How banks protect physical currency cf. people protecting information
(Pfleeger, p.2)
• Can we learn from our analysis of banks, i.e. how they have protected
e.g. money, gold etc.
Terms and DefinitionsSecure, protected
• Immune to attack
• Covered by certain controls
Threat
• A potential to do harm or cause loss
Vulnerability
• Weaknesses in defenses that could allow harm to occur
Terms and Definitions
Figure 1-1 Threats Controls and Vulnerabilities
The water is a THREAT to the man
The crack is a VULNERABILTIY that threatens the man’s security
The man placing his finger in the whole is controlling the threat.
Terms and DefinitionsAttack
• Threat + Vulnerability
Control, countermeasure
Risk, residual [remaining] risk
Penetration[making way through], weakest point
Attacks and AttackersAttacks
• Malicious; non-malicious; natural causes
•Accidental, intentional
Attackers
MOM – Method + Opportunity + Motive
• Method: tools, knowledge, capability
• Opportunity: time, physical access, availability
• Motivation: reason for attack
Work factor: difficult in pulling off attack; measured in time, skill,
resources
The Security Triad – C I A
Figure 1-2 Relationship Between Confidentiality, Integrity, and Availability
(Pfleeger, p.11)
The Security Triad – C I A
Figure 1-3 Security of Data (Pfleeger, p.18)
The Security Triad – C I AConfidentiality: protection from unauthorised disclosure
• Privacy; personal private information
• Sensitive information, e.g. student grades, company inventions,
juvenile arrest records
• Protection of classified information
The Security Triad – C I AIntegrity: protection from inappropriate modification
• Precision, accuracy
• Possible ways to limit modification
• Not modified ( for example, read-only)
• Only in acceptable ways, e.g. ?
• Only by acceptable people, e.g. ?
• Only using appropriate processes, e.g.?
The Security Triad – C I AIntegrity: protection from inappropriate modification
• Internally consistent
• The disk contents match what was originally recorded
• Update to once instance causes change to be propagated to all
instances
• Meaningful and usable
• Readable
• Not protected against legitimate access (see also availability)
The Security Triad – C I AAvailability
• Usable (readable, accessible)
• Sufficient capacity (bandwidth, sharable, or copied as needed)
• Is making progress (not hung in a loop or never attended to)
• Completes in an acceptable amount of time
These goals can conflict
• High confidentiality may limit availability
• Strong integrity controls may impose a slowdown that affect
availability
VulnerabilitiesKinds of Vulnerabilities
• Interruption (breaking a pathway of use, deleting, destroying)
• Interception (taking or obtaining without permission; either taking an
object itself or making an unauthorised copy)
• Modifications (changing without permission)
• Fabrication (creating a new – illicit – version)
VulnerabilitiesKinds of Vulnerabilities
Figure 1-4 System Security Threats
VulnerabilitiesKinds of Vulnerabilities
Figure 1-5 Vulnerabilities of Computer System
VulnerabilitiesTargets of vulnerabilities
• Hardware (including firmware)
• Software
• Data and Information
• Access, time, bandwidth, network resources(cable, switches and
routers, addressing and routing information, wireless services)
• People
• Supplies
Computer AttackersMost computers attacks are committed by insiders as unintentional,
non- malicious errors
• Security awareness is the most effective and least expensive control
Amateurs
• Often insiders with privileges (necessary to do their jobs)
• Outside probers or tinkerers
Computer Attackers contdCrackers
• Advanced form of probing or tinkering.
• Intention to undermine or circumvent security controls
• Various motivations: challenge, ego, curiosity, adventure,
experimentation
• Non-malicious attacks or attacks with non-malicious intent are still
attacks
Computer Attackers contdCriminals
• Motivation: payoff, revenge, competition
• Rapidly growing attack segment
• Financial reward potential is attractive
• Some evidence that organised crime is becoming involved in computer
crime – it’s where the money is
• Definition of “computer crime” not precise
Defence ObjectivesPrevent harm
• Block attack, close [plug] vulnerability
• Although obviously most effective, sometimes prevention is not
possible
o Insiders need elevated privileges to do work
o Vulnerabilities may be unknown
o Even a fortes can be breached with the right attack
Defence Objectives contd.Deter harm
• Make the attacker work harder or longer
• Hope the attacker will choose another easier target
• Example: protect bank tellers with bulletproof glass: not
impenetrable, but requires a long time and a lot of force
Deflect harm
• Push the attacker to another target
• Example: a “honeypot” [trap] - website to attract and occupy the
attacker
Defence Objectives contd.Detect harm
• Determine that attack is under way (realtime) or has occurred
sometime in the past (non-realtime)
Goals:
• to be able to increase defences (to block an attack in realtime)
• To determine the kind and extend of attack (after the fact) and
strengthen defences for the future (close vulnerability) or know what
has been lost
Defence Objectives contd.Recover from harm
• Resume normal operation
• Increase or strengthen so future attacks do not succeed
• Deal with loss or exposure of date
Note:
• More cost effective to allow unlikely harm to occur and spend money
on recovery than to spend much more money trying in vain to prevent
the harm
ControlsPhysical• Gates, guns, guards
• Access control devices, e.g., badge readers, motion detectors
• Fire suppression, extinguishers
Administrative
• Security awareness training
• Security policies, procedures, guidelines, practices
• Rules of acceptable use, code of ethics
• Hiring and termination practices
• Software development practices
• Human oversight, management, review
Controls contd.Technical
• Firewall
• Intrusion detection system
• Virus scanner
• Encryption
• Identification and authentication technologies (e.g. smart cards,
biometrics, password)
• Logical access controls (program-based controls limiting access based
on identity, proposed use, date, time etc); implemented by network
infrastructure, operating systems, database management, application
program, utility
Controls contd.Technical
• Honeypot
• Protocol
• Networking infrastructure, operating systems, database management
systems, applications
Controls contd.Technical
Figure 1-6 Multiple Controls