Академический Документы
Профессиональный Документы
Культура Документы
Introduction
Course: System Security
Contents
• Basic Components of Computer security(CIA)
• Vulnerabilities and threats ,
• Attacks and controls ,
• Goals of security,
• Computer criminals,
• Internet Standards and RFC.
2
What does “SECURE” mean?
• How do we protect our most valuable assets?
3
Objectives of this unit
• What kind of vulnerabilities computing systems are prone to
• Why these vulnerabilities are exploited
• Different kinds of attacks that are possible
• Kinds of people who contribute to the security problem
• How to prevent possible attacks on systems
4
Basic components of Computer
Security
• A computer based system has 3 separate and valuable
components:
– Hardware
– Software
– Data
• Each of these assets offers value to different members.
5
Basic components of Computer
Security
• Computer Security rests on
– Confidentiality
– Integrity and
– Availability
6
Components of Security:
Confidentiality
• Only authorized people or systems can access data.
• Concealment of information or resources.
• Keeping information secret arise in the fields of government
and industry…
• Eg: military and civilian institutions in the government often
restrict access to information to unauthorized users.
• Access control mechanisms support confidentiality
– Eg: cryptography
– Passwords
– Two-factor authentication
7
Components of Security: Integrity
• Trustworthiness of data or resources
• Includes
– Data integrity
• The content of the information
– Origin integrity
• The source of the data ,called authentication
• Includes both correctness and trustworthiness of the data.
• Factors affecting the integrity of data
– The origin of the data
– How well the data was protected before it arrived at
the current machine.
– How well the data is protected on the current machine.
8
Components of Security: Availability
• Means the assets are accessible to authorized parties at
appropriate times.
• The ability to use the information or resource desired.
• An object/service is said to be available if:
– It is present in usable form
– It has capacity enough to meet the service’s needs
– It is making clear progress and if in wait mode, it has bounded waiting
time
– The service is completed in an acceptable period of time.
• Attempt to block availability, called denial of service attacks,
can be the most difficult to detect.
9
Security Goals
• Addresses three
security goals
– Confidentiality
– Integrity
– Availability
• Challenges in building a
secure system is finding
the right balance
among the goals, which
often conflict.
10
Vulnerability, Treats, Attacks and Control
Vulnerability is a weakness in the security system that might be
exploited to cause loss or harm
Eg., a system may be vulnerable to unauthorized data manipulation
because the system does not verify user’s identity before allowing
data access.
Threat is a set of circumstances that has potential to cause loss or
harm.
• It can be human-initiated and computer-initiated ones, natural
disasters
A human/system who exploits a vulnerability perpetrates an attack on
the system.
• To address these problems, we use a control as protective measure.
Control is an action/procedure that reduces or removes a vulnerability
A threat is blocked by control of a vulnerability.
11
Difference between threat and
vulnerability
12
TYPES OF THREATS
• They are of 4 kinds:
– Interception :- unauthorized party has gained access to an
asset. Ex: illicit copying of program or data files or
wiretapping to obtain data in a network.
– Interruption :- asset of the system becomes lost or
unavailable. Ex: destruction of h/w device, erasure of a
program or data file
– Modification:- unauthorized party not only accesses but
hampers with an asset. Ex: changing the values in a
database, alter a program so that it performs an additional
computation.
– Fabrication :- unauthorized party might create a fabrication
of counterfeit objects. Ex: add records to an existing
database
13
TYPES OF THREATS
Information Information
Source Destination
Normal
15
Vulnerabilities
• It is a weakness in the security system, in procedures, in
design or implementation
– H/W Vulnerabilities:-
• H/W is clearly visible as it is composed of physical
objects.
• H/W can be damaged by drenching water ,burned,
frozen ,gassed etc.
Interruption Interception
(denial of service) (theft)
Hardware
Modification Fabrication
(Substitution)
16
Vulnerabilities contd…
• S/W Vulnerabilities-
– The malicious modification in the S/W can be notified
whereas in most cases it goes undetected.
17
Vulnerabilities contd…
S/W modification:-
– modification can either fail the program or it will
perform an unintended task.
– Some categories of s/w modification are:
logic bomb, trojan horse, virus, trapdoor, information
leaks.
• Software theft:-
– Unauthorized copying of software
18
Vulnerabilities
Interruption Interception
(deletion)
Software
Modification Fabrication
Interruption Interception
(loss)
Data
Modification Fabrication
19
Vulnerabilities contd…
• Data Vulnerabilities:
– Data attacks are most dangerous because unlike S/W or
H/W, data can be readily interpreted by general public.
– Data incorrectly measured or changed can turn into major
economic loss or loss of life.
– S/W & H/W have really long life but data is time sensitive
therefore major aim of security is to keep the data secure
until the data value is lost.
20
Attacks
• An attack is any action that violates security
• Two types: passive and active
• Passive:– eavesdropping on, monitoring of, transmissions.
Goal is to:
– obtain message contents, or
– monitor traffic flows
• Active: modification of the data stream or creation of a false
stream , subdivided into – masquerade, replay, modification of
messages and denial of service.
21
Controls
• Is an action, procedure or technique that removes or reduces a
vulnerability.
• Types of controls:
– Encryption
– Software controls
– Hardware Controls
– Policies and procedures
– Physical controls
22
Encryption
• Scrambling process
• Data in normal and unscrambled state is called clear text.
• Transformed data that is unintelligible to outside observer is
called enciphered text or ciphertext.
• Addresses the need for confidentiality of data. it can also be
used to ensure Integrity.
23
Software controls
• Programs must be secure enough to prevent outside attack.
• Program Controls include
– Internal program controls
• enforces security restrictions such as access limitations in a
database management program
– Operating system and network system controls
• Limitations enforced by OS & N/W to protect each user from
all other users.
– Independent control programs:
• Application programs that protect against certain
vulnerabilities such as password checkers, virus scanners etc.
– Development controls
• Quality standards to prevent s/w faults from becoming
exploitable vulnerabilities.
24
Hardware controls
• H/W devices created to assist in providing computer security.
• devices such as
– Smart card implementations of encryption
– Locks or cables limiting access or deterring theft
– Devices to verify users identities
– Firewalls
– Intrusion detection systems (IDS)
25
Policies and Procedures
• Agreed- upon procedures or policies among users.
– Eg: frequent change of passwords..
• Training and administration follow immediately after
establishment of policies to reinforce the importance of
security policy and to ensure their proper use.
• Legal and ethical controls
26
Physical controls
• Easiest, most effective and least expensive controls
• Using of
– locks on doors,
– guard at entry points,
– Back up copies of important software and data
– Physical site planning that reduces the risk of natural
disasters.
27
Effectiveness of controls
• There is no use of controls unless they are used
properly.
– Aspects that can enhance the effectiveness of
controls
• Awareness of problem
• Likelihood of use
• Overlapping Controls
• Periodic review
28
Computer Criminals
– Amateurs
• Normal people, who observe the weakness in a security
system that allows them to access resources
– Crackers or malicious hackers
• Attack for curiosity, personal gain or self satisfaction
– Career Criminals
• Understand the targets of computer crime.
– Terrorists
• Targets of attack: denial-of-service
• Methods of attack
29
Conclusion
• Security goals
• CIA triad
• Vulnerability, threat, attack and control
• Types of threats
• Types of vulnerabilities
• Types of attacks
• Types of controls
• Types of computer criminals
30