Dr Hans Georg Schaathun – What is Computer Security? Autumn 2010 – Week 1
The session
The problem
The problem: Three faces of security
Availability
Can we maintain availability and confidentiality at the same time?
Denial of Service (DoS) attacks violate availability.
E.g. a horde of computers send dummy requests to a web server, causing congestion which prevents legitimate users from using the web services in a timely fashion.
No confidentiality at stake – server data are public, but not available to the public.
Potentially costly damage.

Integrity
If integrity is not ensured:
I could change your bank account to send money to my Swiss bank account.
We could forge a file to incriminate the PM.
Integrity problems lead to loss of other assets (money and goodwill).
You cannot trust your computer.
Confidentiality

Security incidents happen for a reason
Threat: potential events and actions which could harm the assets.
Threats are potential. They exist and must be addressed before they are realised.
Threat Source: an entity with a will and potential to cause harm.
A threat source will have a motive:
hackers – do it for the challenge
thieves – do it for gain
competitors – want to gain a competitive advantage
blackmailers
Without a motive, there is no threat.

[Figure: basic ontology diagram relating Organisation, Asset, Threat, Threat Source, Vulnerability, Impact and Control. An Organisation owns one or more Assets; a Threat has an adverse effect on an Asset, is caused by a Threat Source, may result in an Impact and may be realised through a Vulnerability; an Asset may be associated with a Vulnerability; a Threat Source may exploit a Vulnerability; a Vulnerability may be reduced by a Control.]
Basic ontology
Three main classes of threat sources
Adversaries – sentient beings with an intention to cause harm
Honest but fallible users – accidentally causing harm
Random events – accidents like flood and fire
Common distinction:
Security – against intentional attacks, i.e. adversaries
Usability – user interface design to avoid human error
Reliability – against random events
Fuzzy boundaries between the three:
Similar protection mechanisms, e.g. arson and accidental fire
An incident in one area leads to vulnerabilities in others, e.g. usability problems ⇒ misconfigured security mechanisms

Attacks are an important group of incidents (impact)
[Figure: four classes of attack – Interception, Interruption, Modification, Fabrication.]
Risk analysis
Accountability:
Every user is responsible for his actions.
Audit trails are used to hold users accountable.
Nonrepudiation:
A user cannot deny previous actions.
A payment issued cannot be revoked.
An authorisation signed cannot be revoked.
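The two properties above rest on different mechanisms, so here is an added example (not from the lecture) contrasting them: a hash-chained audit trail, which makes edits to earlier records detectable and so supports accountability, and an Ed25519-signed authorisation, which only the key holder could have produced and so supports nonrepudiation. The record format, the user names and the actions are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// AuditEntry: one audit-trail record (constructed example); Prev chains it to the previous record's hash.
type AuditEntry struct{ User, Action, Prev string }
func (e AuditEntry) Hash() string {
	sum := sha256.Sum256([]byte(e.Prev + "|" + e.User + "|" + e.Action))
	return hex.EncodeToString(sum[:])
}
// Append links a new record to the current head of the trail (Prev is "" for the first).
func Append(trail []AuditEntry, user, action string) []AuditEntry {
	prev := ""
	if n := len(trail); n > 0 {
		prev = trail[n-1].Hash()
	}
	return append(trail, AuditEntry{User: user, Action: action, Prev: prev})
}
// VerifyChain reports whether every record still links to the one before it; records
// cut from the tail are only caught if the last hash is also kept somewhere safe.
func VerifyChain(trail []AuditEntry) bool {
	prev := ""
	for _, e := range trail {
		if e.Prev != prev {
			return false
		}
		prev = e.Hash()
	}
	return true
}
// The chain exposes tampering, not authorship: anyone able to write the log could add a record.
// Nonrepudiation needs a key only the user holds; an Ed25519 signature verifies with the public key alone.
func SignAuthorisation(priv ed25519.PrivateKey, msg string) []byte {
	return ed25519.Sign(priv, []byte(msg))
}
func VerifyAuthorisation(pub ed25519.PublicKey, msg string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(msg), sig)
}
func main() {
	trail := Append(Append(nil, "alice", "pay 100 to account 42"), "bob", "approve")
	trail[0].Action = "pay 100 to account 99" // tamper with the first record
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println(VerifyChain(trail), VerifyAuthorisation(pub, "approve", SignAuthorisation(priv, "approve"))) // false true
}
```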
Defining Computer Security
Definition (Gollmann)
Computer Security deals with the prevention and detection of unauthorised actions by users of a computer system.
Definition (Gollmann, explaining causes)
Computer Security concerns the measures we can take to deal with intentional actions by parties behaving in some unwelcome fashion.

Definitions vary.
When you write, define it.
When you read, read the definition.
Don't use your intuition.
Exercise