Unit 1
Introduction to computer security
Syllabus:
• Basic components of security (Confidentiality, Integrity and Availability)
• Security threats (Snooping, Modification, Masquerading, Repudiation of origin, Denial of receipt, Delay, Denial of service)
• Issues with security (Operational issues, human issues)
• Security Policies, Type of security policy
• Access control, Type of access control (Introduction to MAC, DAC, Originator Controlled Access Control, Role Based Access Control)
• Overview of the Bell-LaPadula Model and Biba integrity model
2
Network Security: Analogy..!!
“The art of war teaches us to rely not on the likelihood
of the enemy's not coming, but on our own readiness to
receive him; not on the chance of his not attacking, but
rather on the fact that we have made our position
unassailable.”
- The Art of War, Sun Tzu
3
Computer Security: ?
• The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications)
- NIST 1995
4
Basic components of security
Figure: CIA Triad
5
Basic components of security
• Confidentiality
  - Data confidentiality: assures that confidential information is not disclosed to unauthorized individuals
  - Privacy: assures that individuals control or influence what information may be collected and stored
• Integrity
  - Data integrity: assures that information and programs are changed only in a specified and authorized manner
  - System integrity: assures that a system performs its operations in an unimpaired manner
• Availability: assures that systems work promptly and service is not denied to authorized users
6
Basic components of security
• Although the use of the CIA triad to define security objectives is well established, some in the security field feel that additional concepts are needed to present a complete picture.
• Two of the most commonly mentioned are:
  - Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator.
  - Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.
7
Levels of security breach impact
• Low: the loss will have a limited impact
  - e.g., a degradation in mission or minor damage or minor financial loss or minor harm
• Moderate: the loss has a serious effect
  - e.g., significant degradation in mission or significant harm to individuals but no loss of life or threatening injuries
• High: the loss has severe or catastrophic adverse effect on operations, organizational assets or on individuals
  - e.g., loss of life
8
Examples of security requirements: Confidentiality
• Student grade information is an asset whose confidentiality is considered to be very high
  - The US FERPA Act: grades should only be available to students, their parents, and their employers (when required for the job)
• Student enrollment information: may have a moderate confidentiality rating; less damage if disclosed
• Directory information: low confidentiality rating; often available publicly
9
Examples of security requirements: Integrity
• A hospital patient’s allergy information (high integrity data): a doctor should be able to trust that the info is correct and current
  - If a nurse deliberately falsifies the data, the database should be restored to a trusted basis and the falsified information traced back to the person who did it
• Online newsgroup registration data: moderate level of integrity
• An example of a low integrity requirement: anonymous online poll (inaccuracy is well understood)
10
Examples of security requirements: Availability
• A system that provides authentication: high availability requirement
  - If customers cannot access resources, the loss of services could result in financial loss
• A public website for a university: a moderate availability requirement; not critical but causes embarrassment
• An online telephone directory lookup: a low availability requirement because unavailability is mostly an annoyance (there are alternative sources)
11
Security Life Cycle
Assessment
Policy Development
Implementation
Training
Auditing
12
Security Wheels: Re-engineering
13
Who Attacks ??
Figure: sources of attack on information: insiders, ex-employees, competitors, customers, disasters, hackers/crackers, cyber terrorists
14
Hacker vs. Cracker: Assignment
“All Crackers are Hackers, But Not all Hackers
are Crackers”
Is This Statement True ???
Justify this Statement with a Suitable Example.
15
Threat Vs. Attack
• A threat is a “potential” violation of security
  - The violation need not actually occur
  - The fact that the violation might occur makes it a threat
• It is important to guard against threats and be prepared for the actual violation
• The actual violation of security is called an attack
16
Challenges of computer security
• Computer security is not simple
• One must consider potential (unexpected) attacks
• Procedures used are often counter-intuitive
• Must decide where to deploy mechanisms
• Involves algorithms and secret info (keys)
• A battle of wits between attacker and admin
• Not perceived as a benefit until it fails
• Requires constant monitoring
• Too often an afterthought (not integral)
• Regarded as an impediment to using the system
17
Security: Categories ??
Information Security
• Protecting information from intruders who could possibly harm the state of the information.
• Information in encrypted form is the most widely used form of security.
Network Security
• Protecting information from intruders during its transmission.
• Protecting network services from intruders.
• Very critical and difficult to maintain
18
Security: Categories ??
Computer Security
• Protecting the system from malicious software and network attacks.
• Generic name for the collection of tools designed to protect data and to prevent hackers.
• Keeps a system up and running.
Internet Security
• Measures to protect data during their transmission over a collection of interconnected networks.
19
Security: Attacks..!!
• Security attacks: exploitation of a vulnerability.
Types of Security Attacks
• Passive Attacks
  - A passive attack attempts to learn or make use of information from the system but does not affect system resources.
• Active Attacks
  - An active attack attempts to alter system resources or affect their operation.
20
Security Attacks: Passive Attacks
21
Security Attacks: Passive Attacks
22
Security Attacks: Active Attacks
23
Security Attacks: Active Attacks
24
Security Attacks: Active Attacks
25
Security Attacks: Active Attacks
26
Common security attacks
• Interruption, delay, or denial of service
  - System assets or information become unavailable or are rendered unavailable
• Interception or snooping
  - Unauthorized party gains access to information by browsing through files or reading communications
• Modification or alteration
  - Unauthorized party changes information in transit or information stored for subsequent access
• Fabrication, masquerade, or spoofing
  - Spurious information is inserted into the system or network by making it appear as if it is from a legitimate entity
• Repudiation of origin
  - False denial that an entity created/sent something
• Denial of receipt
  - False denial that an entity received something
27
Classes of Threats
• Disclosure: unauthorized access to information
  - Snooping
• Deception: acceptance of false data
  - Modification, masquerading/spoofing, repudiation of origin, denial of receipt
• Disruption: interruption/prevention of correct operation
  - Modification
• Usurpation: unauthorized control of a system component
  - Modification, masquerading/spoofing, delay, denial of service
28
Threat consequences (tabular form)
29
Policy and Mechanism
• Security Policy:
  - A statement of what is, and what is not, allowed.
• Security Mechanism:
  - A method, tool, or procedure for enforcing a security policy.
30
Types of Security Policies
• A military security policy (also called a governmental security policy) is a security policy developed primarily to provide confidentiality.
• A commercial security policy is a security policy developed primarily to provide integrity.
• A confidentiality policy is a security policy dealing only with confidentiality.
• An integrity policy is a security policy dealing only with integrity.
31
Types of Security Policies: Some common security policies
• Acceptable use policy
  - Defines what actions users of a system may perform while using computing and networking equipment
• Human resource policy
  - Policies of the organization that address human resources
• Password management policy
  - A password management policy should clearly address how passwords are managed
• Privacy policy
  - Organizations should have a privacy policy that outlines how the organization uses information it collects
• Disposal and destruction policy
  - A disposal and destruction policy that addresses the disposing of resources is considered essential
• Service-level agreement
  - Contract between a vendor and an organization for services
32
Types of Security Policies
Figure: Security Policies Cycle along with Types of Security Policies
33
Types of Security Policies: Examples
34
Types of Security Policies
35
Goals of Security
• Prevention: Guarantee that an attack will fail
• Detection: Determine that a system is under attack, or has been attacked, and report it
• Recovery:
  - Off-line recovery: stop an attack, assess and repair damage
  - On-line recovery: respond to an attack reactively to maintain essential services
36
Issues with Security: Operational Issues
• Cost-Benefit Analysis
  - Benefits vs. total cost
  - Is it cheaper to prevent or recover?
• Risk Analysis
  - Should we protect something?
  - How much should we protect this thing?
  - Risk depends on the environment and changes with time
• Laws and Customs
  - Are desired security measures illegal?
  - Will people do them?
  - Affects availability and use of technology
37
Issues with Security: Human Issues
• Organizational Problems
  - Power and responsibility
  - Financial benefits
• People problems
  - Outsiders and insiders
    - Which do you think is the real threat?
  - Social engineering
38
Access Control
• Security technique for the prevention of unauthorized use of a resource in a computing environment
  - (i.e., this service controls who can have access to a resource, under what conditions access can occur, and what those accessing the resource are allowed to do).
• In the context of network security, access control is the ability to limit and control the access to host systems and applications via communications links. To achieve this, each entity trying to gain access must first be identified, or authenticated, so that access rights can be tailored to the individual.
39
Access Control Principles
40
Access Control
• Access control systems perform authorization, identification, authentication, access approval, and accountability of entities through login credentials including passwords, personal identification numbers (PINs), biometric scans, and physical or electronic keys.
• There are two main types of access control: physical and logical.
  - Physical access control limits access to campuses, buildings, rooms and physical IT assets.
  - Logical access control limits connections to computer networks, system files and data.
41
Access Control: Categories
• Categories of access control are sometimes also called types of access control
• The four main categories of access control are:
  - Mandatory Access Control (MAC) or Rule-based Access Control
  - Discretionary Access Control (DAC)
  - Role-based Access Control (RBAC)
  - Originator Controlled Access Control (ORCON or ORG-CON)
42
Access Control: MAC
• When a system mechanism controls access to an object and an individual user cannot alter that access, the control is a mandatory access control (MAC), occasionally called a rule-based access control.
• The operating system enforces MAC. Neither the subject nor the owner of the object can determine whether access is granted.
• Typically, the system mechanism will check information associated with both the subject and the object to determine whether the subject should access the object.
• Rules describe the conditions under which access is allowed.
43
Access Control: DAC
• If an individual user can set an access control mechanism to allow or deny access to an object, that mechanism is a discretionary access control (DAC), also called an identity-based access control (IBAC).
• DAC bases access rights on the identity of the subject and the identity of the object involved.
• Identity is the key; the owner of the object constrains who can access it by allowing only particular subjects to have access.
• The owner states the constraint in terms of the identity of the subject, or the owner of the subject.
44
Access Control: RBAC
• Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within an enterprise.
• In this context, access is the ability of an individual user to perform a specific task, such as view, create, or modify a file.
• Roles are defined according to job competency, authority, and responsibility within the enterprise.
45
Access Control: ORCON or ORG-CON
• An originator controlled access control (ORCON or ORGCON) bases access on the creator of an object (or the information it contains).
• The goal of this control is to allow the originator of the file (or of the information it contains) to control the dissemination of the information.
• The owner of the file has no control over who may access the file.
46
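An added example (not from the original slides) contrasting how DAC, RBAC and ORCON, as defined on the preceding slides, decide who may access a file. All user names, roles and function names are hypothetical.

```python
from dataclasses import dataclass, field, replace


@dataclass
class DacFile:
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of rights, edited by the owner


def dac_grant(f, actor, user, right):
    """DAC: the owner of the object decides who gets which right."""
    if actor != f.owner:
        raise PermissionError(f"{actor} does not own this file")
    f.acl.setdefault(user, set()).add(right)


def dac_allows(f, user, right):
    return user == f.owner or right in f.acl.get(user, set())


# RBAC: rights hang off roles, and users only acquire them through a role.
ROLE_TASKS = {"doctor": {"view", "create", "modify"}, "nurse": {"view"}}
USER_ROLES = {"dana": {"doctor"}, "nick": {"nurse"}}   # constructed assignments


def rbac_allows(user, task):
    return any(task in ROLE_TASKS[role] for role in USER_ROLES.get(user, ()))


@dataclass(frozen=True)
class OrconFile:
    owner: str                       # whoever holds this copy
    originator: str                  # creator of the information
    readers: frozenset = frozenset() # set only by the originator


def orcon_grant(f, actor, user):
    """ORCON: only the originator may widen dissemination, never the owner."""
    if actor != f.originator:
        raise PermissionError(f"{actor} is not the originator")
    return replace(f, readers=f.readers | {user})


def orcon_copy(f, new_owner):
    """A copy changes owner but keeps the originator and reader list."""
    return replace(f, owner=new_owner)


def orcon_allows(f, user):
    return user == f.originator or user in f.readers


def denied(action, *args):
    """True if the action is refused with PermissionError."""
    try:
        action(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    report = DacFile(owner="olga")
    dac_grant(report, "olga", "raj", "view")
    print("DAC  raj view:", dac_allows(report, "raj", "view"))
    print("RBAC nick modify:", rbac_allows("nick", "modify"))
    memo = orcon_grant(OrconFile(owner="olga", originator="olga"), "olga", "raj")
    rajs_copy = orcon_copy(memo, "raj")
    print("ORCON raj may re-share his copy:", not denied(orcon_grant, rajs_copy, "raj", "eve"))
```
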
Security Models
• Bell-LaPadula Model (1973)
• Biba Model (1977)
• Clark-Wilson Model (1987)
• Access Control Matrix
• Information Flow Model
• Noninterference Model
• Chinese Wall Model
• Lattice Model
Figure: Security Requirements (Confidentiality, Integrity, Availability) and Security Models
47
Overview of the Bell-LaPadula Model
• Funded by the U.S. government, the Bell-LaPadula model is the first mathematical model of a multilevel security policy. It was developed because users with different clearances use the system, and the system processes data with different classifications.
• It is a state machine model that enforces the confidentiality aspects of access control, but not integrity or availability.
• It is an information flow security model, as it ensures information does not flow in an insecure manner.
• All mandatory access control (MAC) models are based on the Bell-LaPadula model.
48
Overview of the Bell-LaPadula Model
• The Simple Security Property (ss Property) states that a subject at a given security level cannot read data that resides at a higher security level (No Read Up).
• The * (star) Security Property states that a subject in a given security level cannot write information to a lower security level (No Write Down).
• The Strong Star Property states that a subject that has read and write capabilities can only perform those functions at the same security level, nothing higher and nothing lower. For a subject to be able to read and write to an object, the clearance and classification must be equal.
49
Overview of the Bell-LaPadula Model
Figure: Bell-LaPadula properties between a layer of lower secrecy and a layer of higher secrecy. Panels: Simple Security Property (Read), Star (*) Property (Write), Strong Star (*) Property (Read/Write). Χ marks the prohibited accesses, labelled "Reading Secrets" and "Divulging Secrets".
50
Bell-LaPadula Model: Example
Security level   Subject   Object
Top Secret       Tamara    Personnel Files
Secret           Samuel    E-Mail Files
Confidential     Claire    Activity Logs
Unclassified     James     Telephone Lists
• Tamara can read all files
• Claire cannot read Personnel or E-Mail Files
• James can only read Telephone Lists
51
Overview of the Biba Integrity Model
• Developed in 1977, the Biba integrity model mathematically describes read and write restrictions based on integrity access classes of subjects and objects. It is the first model to address integrity.
• It is an information flow model, as it is concerned with data flowing from one level to another.
• The model looks similar to the Bell-LaPadula Model; however, the read-write conditions are reversed.
52
Overview of the Biba Integrity Model
• The Simple Integrity Axiom states that a subject at one level of integrity is not permitted to observe (read) an object of a lower integrity. No Read Down.
• The * (Star) Integrity Axiom states that a subject at one level of integrity is not permitted to modify (write to) an object of a higher level of integrity. No Write Up.
• The Invocation Property states that a subject at one level of integrity cannot invoke (call up) a subject at a higher level of integrity.
53
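Overview of the Biba Integrity Model
Figure: Biba integrity properties. Panels: Simple Integrity Property (Read), Integrity Star (*) Property (Write). Χ marks the prohibited accesses, labelled "Get Contaminated" and "Contamination"; layer label: "Layer of Lower Secrecy".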
54
Overview of the Biba Integrity Model
• The Biba model can be extended to include an access operation called invoke. A subject can invoke another subject, such as a software utility, to access an object.
• The subject cannot send messages (logical requests for service) to subjects of higher integrity. Subjects are only allowed to invoke utilities or tools at the same or lower integrity level (otherwise, a dirty subject could use a clean tool to access or contaminate a clean object).
55
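The Bell-LaPadula and Biba rules from the slides above, written as executable checks over the subjects and objects of the slide's own example table (an added example, not part of the original deck). The Integrity labels, the function names and the sample request list are constructed for illustration.

```python
from enum import IntEnum


class Secrecy(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class Integrity(IntEnum):          # constructed labels; the slides name no levels
    LOW = 0
    MEDIUM = 1
    HIGH = 2


# Subjects and objects from the Bell-LaPadula example slide.
CLEARANCE = {
    "Tamara": Secrecy.TOP_SECRET,
    "Samuel": Secrecy.SECRET,
    "Claire": Secrecy.CONFIDENTIAL,
    "James": Secrecy.UNCLASSIFIED,
}
CLASSIFICATION = {
    "Personnel Files": Secrecy.TOP_SECRET,
    "E-Mail Files": Secrecy.SECRET,
    "Activity Logs": Secrecy.CONFIDENTIAL,
    "Telephone Lists": Secrecy.UNCLASSIFIED,
}


def blp_allows(subject, obj, op):
    """Bell-LaPadula (confidentiality) decision on secrecy levels."""
    if op == "read":            # Simple Security Property: no read up
        return subject >= obj
    if op == "write":           # * Property: no write down
        return subject <= obj
    if op == "read_write":      # Strong Star: both rules at once, so levels must match
        return blp_allows(subject, obj, "read") and blp_allows(subject, obj, "write")
    raise ValueError(f"unknown operation: {op}")


def biba_allows(subject, target, op):
    """Biba (integrity) decision: the read/write conditions are reversed."""
    if op == "read":            # Simple Integrity Axiom: no read down
        return subject <= target
    if op == "write":           # * Integrity Axiom: no write up
        return subject >= target
    if op == "invoke":          # Invocation: only same or lower integrity subjects
        return subject >= target
    raise ValueError(f"unknown operation: {op}")


def readable_objects(name):
    """Objects the named subject may read under the Simple Security Property."""
    level = CLEARANCE[name]
    return sorted(o for o, c in CLASSIFICATION.items() if blp_allows(level, c, "read"))


def denied_requests(requests):
    """Filter (subject, op, object) requests down to those Bell-LaPadula refuses."""
    return [
        (s, op, o) for s, op, o in requests
        if not blp_allows(CLEARANCE[s], CLASSIFICATION[o], op)
    ]


# Constructed request log for the demonstration.
SAMPLE_REQUESTS = [
    ("Claire", "read", "Personnel Files"),    # read up
    ("Tamara", "read", "Telephone Lists"),    # read down: allowed
    ("Samuel", "write", "Activity Logs"),     # write down
    ("James", "write", "E-Mail Files"),       # write up: allowed by BLP
]

if __name__ == "__main__":
    for name in CLEARANCE:
        print(f"{name:7} may read: {readable_objects(name)}")
    for request in denied_requests(SAMPLE_REQUESTS):
        print("BLP denies:", request)
    # A low-integrity ("dirty") subject may not call a high-integrity tool.
    print("Biba LOW invokes HIGH:", biba_allows(Integrity.LOW, Integrity.HIGH, "invoke"))
```

The last sample request shows why the two models are used for different goals: Bell-LaPadula lets James write up into E-Mail Files, which protects secrecy but not the integrity of the higher-level object.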
Thank You
56

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Dealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber ResilienceDealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber Resilience
 
Information Security Intelligence
Information Security IntelligenceInformation Security Intelligence
Information Security Intelligence
 
Cyber Security Awareness Month 2017-Nugget 6
Cyber Security Awareness Month 2017-Nugget 6Cyber Security Awareness Month 2017-Nugget 6
Cyber Security Awareness Month 2017-Nugget 6
 
The red book
The red book  The red book
The red book
 
Week 1&2 intro_ v2-upload
Week 1&2 intro_ v2-uploadWeek 1&2 intro_ v2-upload
Week 1&2 intro_ v2-upload
 
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat IntelligenceOrchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
 
Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30
 
Architecting for Security Resilience
Architecting for Security ResilienceArchitecting for Security Resilience
Architecting for Security Resilience
 
Cybersecurity a short business guide
Cybersecurity   a short business guideCybersecurity   a short business guide
Cybersecurity a short business guide
 
Your cyber security webinar
Your cyber security webinarYour cyber security webinar
Your cyber security webinar
 
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to SuccessAddressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
 
Chapter 15 incident handling
Chapter 15 incident handlingChapter 15 incident handling
Chapter 15 incident handling
 
Introduction to information security - by Ivan Nganda
Introduction to information security - by Ivan NgandaIntroduction to information security - by Ivan Nganda
Introduction to information security - by Ivan Nganda
 
Task Incident Readiness with Veris, Judy Nowak at TASK Toronto, April 27, 2...
Task   Incident Readiness with Veris, Judy Nowak at TASK Toronto, April 27, 2...Task   Incident Readiness with Veris, Judy Nowak at TASK Toronto, April 27, 2...
Task Incident Readiness with Veris, Judy Nowak at TASK Toronto, April 27, 2...
 
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk Summit
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk SummitThe Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk Summit
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk Summit
 
Gainful Information Security 2012 services
Gainful Information Security 2012 servicesGainful Information Security 2012 services
Gainful Information Security 2012 services
 
Network security Topic 2 overview continued
Network security Topic 2 overview continuedNetwork security Topic 2 overview continued
Network security Topic 2 overview continued
 
Management Information Systems
Management Information SystemsManagement Information Systems
Management Information Systems
 
Computer Security Incident Handling Guide
Computer Security Incident Handling GuideComputer Security Incident Handling Guide
Computer Security Incident Handling Guide
 
001.itsecurity bcp v1
001.itsecurity bcp v1001.itsecurity bcp v1
001.itsecurity bcp v1
 

Ähnlich wie Introduction to Computer Security

Lecture 01- What is Information Security.ppt
Lecture 01- What is Information Security.pptLecture 01- What is Information Security.ppt
Lecture 01- What is Information Security.ppt
shahadd2021
 
About the PresentationsThe presentations cover the objectives .docx
About the PresentationsThe presentations cover the objectives .docxAbout the PresentationsThe presentations cover the objectives .docx
About the PresentationsThe presentations cover the objectives .docx
aryan532920
 
About the PresentationsThe presentations cover the objectives .docx
About the PresentationsThe presentations cover the objectives .docxAbout the PresentationsThe presentations cover the objectives .docx
About the PresentationsThe presentations cover the objectives .docx
bartholomeocoombs
 
Ia 124 1621324143 ia_124_lecture_01
Ia 124 1621324143 ia_124_lecture_01Ia 124 1621324143 ia_124_lecture_01
Ia 124 1621324143 ia_124_lecture_01
ITNet
 

Ähnlich wie Introduction to Computer Security (20)

PPT0-Computer Security Concepts.pptx
PPT0-Computer Security Concepts.pptxPPT0-Computer Security Concepts.pptx
PPT0-Computer Security Concepts.pptx
 
Lecture 01- What is Information Security.ppt
Lecture 01- What is Information Security.pptLecture 01- What is Information Security.ppt
Lecture 01- What is Information Security.ppt
 
Cloud Security.pptx
Cloud Security.pptxCloud Security.pptx
Cloud Security.pptx
 
introduction of ethical hacking. (ppt)
introduction of ethical hacking. (ppt)introduction of ethical hacking. (ppt)
introduction of ethical hacking. (ppt)
 
introduction of ethical hacking. ppt
introduction of ethical hacking. pptintroduction of ethical hacking. ppt
introduction of ethical hacking. ppt
 
About the PresentationsThe presentations cover the objectives .docx
About the PresentationsThe presentations cover the objectives .docxAbout the PresentationsThe presentations cover the objectives .docx
About the PresentationsThe presentations cover the objectives .docx
 
About the PresentationsThe presentations cover the objectives .docx
About the PresentationsThe presentations cover the objectives .docxAbout the PresentationsThe presentations cover the objectives .docx
About the PresentationsThe presentations cover the objectives .docx
 
Security in network computing
Security in network computingSecurity in network computing
Security in network computing
 
Ia 124 1621324143 ia_124_lecture_01
Ia 124 1621324143 ia_124_lecture_01Ia 124 1621324143 ia_124_lecture_01
Ia 124 1621324143 ia_124_lecture_01
 
S.Karthika,II-M.sc(Computer Science),Bon Secours college for women,thanjavur
S.Karthika,II-M.sc(Computer Science),Bon Secours college for women,thanjavurS.Karthika,II-M.sc(Computer Science),Bon Secours college for women,thanjavur
S.Karthika,II-M.sc(Computer Science),Bon Secours college for women,thanjavur
 
Information Technology Security Basics
Information Technology Security BasicsInformation Technology Security Basics
Information Technology Security Basics
 
Ch1 cse
Ch1 cseCh1 cse
Ch1 cse
 
Information security
Information securityInformation security
Information security
 
01-introductiontosecurity-111122004432-phpapp02.pdf
01-introductiontosecurity-111122004432-phpapp02.pdf01-introductiontosecurity-111122004432-phpapp02.pdf
01-introductiontosecurity-111122004432-phpapp02.pdf
 
Cybersecurity Interview Questions and Answers.pdf
Cybersecurity Interview Questions and Answers.pdfCybersecurity Interview Questions and Answers.pdf
Cybersecurity Interview Questions and Answers.pdf
 
IT Security & Risk
IT Security & Risk IT Security & Risk
IT Security & Risk
 
Cyber Crime and Security Ch 1 .ppt
Cyber Crime and Security Ch 1 .pptCyber Crime and Security Ch 1 .ppt
Cyber Crime and Security Ch 1 .ppt
 
Strategic Leadership for Managing Evolving Cybersecurity Risks
Strategic Leadership for Managing Evolving Cybersecurity RisksStrategic Leadership for Managing Evolving Cybersecurity Risks
Strategic Leadership for Managing Evolving Cybersecurity Risks
 
Computer Security Chapter 1
Computer Security Chapter 1Computer Security Chapter 1
Computer Security Chapter 1
 
ch01_overview_nemo.ppt
ch01_overview_nemo.pptch01_overview_nemo.ppt
ch01_overview_nemo.ppt
 

Mehr von Kamal Acharya

Mehr von Kamal Acharya (20)

Programming the basic computer
Programming the basic computerProgramming the basic computer
Programming the basic computer
 
Computer Arithmetic
Computer ArithmeticComputer Arithmetic
Computer Arithmetic
 
Session and Cookies
Session and CookiesSession and Cookies
Session and Cookies
 
Functions in php
Functions in phpFunctions in php
Functions in php
 
Web forms in php
Web forms in phpWeb forms in php
Web forms in php
 
Making decision and repeating in PHP
Making decision and repeating  in PHPMaking decision and repeating  in PHP
Making decision and repeating in PHP
 
Working with arrays in php
Working with arrays in phpWorking with arrays in php
Working with arrays in php
 
Text and Numbers (Data Types)in PHP
Text and Numbers (Data Types)in PHPText and Numbers (Data Types)in PHP
Text and Numbers (Data Types)in PHP
 
Introduction to PHP
Introduction to PHPIntroduction to PHP
Introduction to PHP
 
Capacity Planning of Data Warehousing
Capacity Planning of Data WarehousingCapacity Planning of Data Warehousing
Capacity Planning of Data Warehousing
 
Data Warehousing
Data WarehousingData Warehousing
Data Warehousing
 
Search Engines
Search EnginesSearch Engines
Search Engines
 
Web Mining
Web MiningWeb Mining
Web Mining
 
Information Privacy and Data Mining
Information Privacy and Data MiningInformation Privacy and Data Mining
Information Privacy and Data Mining
 
Cluster Analysis
Cluster AnalysisCluster Analysis
Cluster Analysis
 
Association Analysis in Data Mining
Association Analysis in Data MiningAssociation Analysis in Data Mining
Association Analysis in Data Mining
 
Classification techniques in data mining
Classification techniques in data miningClassification techniques in data mining
Classification techniques in data mining
 
Data Preprocessing
Data PreprocessingData Preprocessing
Data Preprocessing
 
Introduction to Data Mining and Data Warehousing
Introduction to Data Mining and Data WarehousingIntroduction to Data Mining and Data Warehousing
Introduction to Data Mining and Data Warehousing
 
Functions in Python
Functions in PythonFunctions in Python
Functions in Python
 

Kürzlich hochgeladen

Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
ciinovamais
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
QucHHunhnh
 
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
Vishram Singh - Textbook of Anatomy  Upper Limb and Thorax.. Volume 1 (1).pdfVishram Singh - Textbook of Anatomy  Upper Limb and Thorax.. Volume 1 (1).pdf
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
ssuserdda66b
 

Kürzlich hochgeladen (20)

Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxSKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds  in the ClassroomFostering Friendships - Enhancing Social Bonds  in the Classroom
Fostering Friendships - Enhancing Social Bonds in the Classroom
 
Spatium Project Simulation student brief
Spatium Project Simulation student briefSpatium Project Simulation student brief
Spatium Project Simulation student brief
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 

Introduction to Computer Security

  • 1. Unit 1 Introduction to computer security
  • 2. Syllabus:
      • Basic components of security (Confidentiality, Integrity and Availability)
      • Security threats (Snooping, Modification, Masquerading, repudiation of origin, denial of receipt, Delay, Denial of service)
      • Issues with security (Operational issues, human issues)
      • Security Policies, Type of security policy
      • Access control, Type of access control (Introduction to MAC, DAC, Originator Controlled Access Control, Role Based Access Control)
      • Overview of the Bell-LaPadula Model and Biba integrity model
  • 3. Network Security: Analogy..!! “The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.” - The Art of War, Sun Tzu
  • 4. Computer Security: ?
      • The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications) - NIST 1995
  • 5. Basic components of security (Figure: CIA Triad)
  • 6. Basic components of security
      • Confidentiality
          • Data confidentiality: assures that confidential information is not disclosed to unauthorized individuals
          • Privacy: assures that individuals control or influence what information may be collected and stored
      • Integrity
          • Data integrity: assures that information and programs are changed only in a specified and authorized manner
          • System integrity: assures that a system performs its operations in an unimpaired manner
      • Availability: assures that systems work promptly and service is not denied to authorized users
  • 7. Basic components of security
      • Although the use of the CIA triad to define security objectives is well established, some in the security field feel that additional concepts are needed to present a complete picture.
      • Two of the most commonly mentioned are:
          • Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator.
          • Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.
  • 8. Levels of security breach impact
      • Low: the loss will have a limited impact, e.g., a degradation in mission or minor damage or minor financial loss or minor harm
      • Moderate: the loss has a serious effect, e.g., significant degradation in mission or significant harm to individuals but no loss of life or life-threatening injuries
      • High: the loss has a severe or catastrophic adverse effect on operations, organizational assets or on individuals, e.g., loss of life
  • 9. Examples of security requirements: Confidentiality
      • Student grade information is an asset whose confidentiality is considered to be very high
          • The US FERPA Act: grades should only be available to students, their parents, and their employers (when required for the job)
      • Student enrollment information: may have a moderate confidentiality rating; less damage if disclosed
      • Directory information: low confidentiality rating; often available publicly
  • 10. Examples of security requirements: Integrity
      • A hospital patient’s allergy information (high integrity data): a doctor should be able to trust that the info is correct and current
          • If a nurse deliberately falsifies the data, the database should be restored to a trusted basis and the falsified information traced back to the person who did it
      • Online newsgroup registration data: moderate level of integrity
      • An example of a low integrity requirement: anonymous online poll (inaccuracy is well understood)
  • 11. Examples of security requirements: Availability
      • A system that provides authentication: high availability requirement
          • If customers cannot access resources, the loss of services could result in financial loss
      • A public website for a university: a moderate availability requirement; not critical but causes embarrassment
      • An online telephone directory lookup: a low availability requirement because unavailability is mostly an annoyance (there are alternative sources)
  • 12. Security Life Cycle (Figure: Assessment, Policy Development, Implementation, Training, Auditing)
  • 15. Hacker vs. Cracker: Assignment
      • “All Crackers are Hackers, But Not all Hackers are Crackers”
      • Is this statement true? Justify this statement with a suitable example.
  • 16. Threat vs. Attack
      • A threat is a “potential” violation of security
          • The violation need not actually occur
          • The fact that the violation might occur makes it a threat
          • It is important to guard against threats and be prepared for the actual violation
      • The actual violation of security is called an attack
  • 17. Challenges of computer security
      • Computer security is not simple
      • One must consider potential (unexpected) attacks
      • Procedures used are often counter-intuitive
      • Must decide where to deploy mechanisms
      • Involves algorithms and secret info (keys)
      • A battle of wits between attacker and admin
      • Not perceived as a benefit until it fails
      • Requires constant monitoring
      • Too often an after-thought (not integral)
      • Regarded as an impediment to using the system
  • 18. Security: Categories ??
      • Information Security
          • Protecting information from intruders who could possibly harm the state of the information.
          • Information in encrypted form is the most widely used form of security.
      • Network Security
          • Protecting information from intruders during its transmission.
          • Protecting network services from intruders.
          • Very critical and difficult to maintain
  • 19. Security: Categories ??
      • Computer Security
          • Protecting the system from malicious software and network attacks.
          • Generic name for the collection of tools designed to protect data and to prevent hackers.
          • Keeping a system up and running.
      • Internet Security
          • Measures to protect data during their transmission over a collection of interconnected networks.
  • 20. Security: Attacks..!!
      • Security attacks: exploitation of a vulnerability.
      • Types of security attacks:
          • Passive attacks: a passive attack attempts to learn or make use of information from the system but does not affect system resources.
          • Active attacks: an active attack attempts to alter system resources or affect their operation.
  • 27. Common security attacks
      • Interruption, delay, or denial of service: system assets or information become unavailable or are rendered unavailable
      • Interception or snooping: an unauthorized party gains access to information by browsing through files or reading communications
      • Modification or alteration: an unauthorized party changes information in transit or information stored for subsequent access
      • Fabrication, masquerade, or spoofing: spurious information is inserted into the system or network by making it appear as if it is from a legitimate entity
      • Repudiation of origin: false denial that an entity created/sent something
      • Denial of receipt: false denial that an entity received something
  • 28. Classes of Threats
      • Disclosure: unauthorized access to information
          • Snooping
      • Deception: acceptance of false data
          • Modification, masquerading/spoofing, repudiation of origin, denial of receipt
      • Disruption: interruption/prevention of correct operation
          • Modification
      • Usurpation: unauthorized control of a system component
          • Modification, masquerading/spoofing, delay, denial of service
  • 30. Policy and Mechanism
      • Security Policy: a statement of what is, and what is not, allowed.
      • Security Mechanism: a method, tool, or procedure for enforcing a security policy.
  • 31. Types of Security Policies
      • A military security policy (also called a governmental security policy) is a security policy developed primarily to provide confidentiality.
      • A commercial security policy is a security policy developed primarily to provide integrity.
      • A confidentiality policy is a security policy dealing only with confidentiality.
      • An integrity policy is a security policy dealing only with integrity.
  • 32. Types of Security Policies: Some common security policies
      • Acceptable use policy: defines what actions users of a system may perform while using computing and networking equipment
      • Human resource policy: policies of the organization that address human resources
      • Password management policy: should clearly address how passwords are managed
      • Privacy policy: organizations should have a privacy policy that outlines how the organization uses information it collects
      • Disposal and destruction policy: a policy that addresses the disposing of resources is considered essential
      • Service-level agreement: contract between a vendor and an organization for services
  • 33. Types of Security Policies (Figure: Security Policies Cycle along with Types of Security Policies)
  • 34. Types of Security Policies: Examples
  • 35. Types of Security Policies
  • 36. Goals of Security
      • Prevention: guarantee that an attack will fail
      • Detection: determine that a system is under attack, or has been attacked, and report it
      • Recovery:
          • Off-line recovery: stop an attack, assess and repair damage
          • On-line recovery: respond to an attack reactively to maintain essential services
  • 37. Issues with Security: Operational Issues
      • Cost-Benefit Analysis
          • Benefits vs. total cost
          • Is it cheaper to prevent or recover?
      • Risk Analysis
          • Should we protect something?
          • How much should we protect this thing?
          • Risk depends on environment and changes with time
      • Laws and Customs
          • Are desired security measures illegal?
          • Will people do them?
          • Affects availability and use of technology
  • 38. Issues with Security: Human Issues
      • Organizational problems
          • Power and responsibility
          • Financial benefits
      • People problems
          • Outsiders and insiders: which do you think is the real threat?
          • Social engineering
  • 39. Access Control
      • Security technique for the prevention of unauthorized use of a resource in a computing environment (i.e., this service controls who can have access to a resource, under what conditions access can occur, and what those accessing the resource are allowed to do).
      • In the context of network security, access control is the ability to limit and control the access to host systems and applications via communications links. To achieve this, each entity trying to gain access must first be identified, or authenticated, so that access rights can be tailored to the individual.
  • 41. Access Control
      • Access control systems perform authorization, identification, authentication, access approval, and accountability of entities through login credentials including passwords, personal identification numbers (PINs), biometric scans, and physical or electronic keys.
      • There are two main types of access control: physical and logical.
          • Physical access control limits access to campuses, buildings, rooms and physical IT assets.
          • Logical access control limits connections to computer networks, system files and data.
  • 42. Access Control: Categories
      • Sometimes the categories of access control are also called types of access control
      • The four main categories of access control are:
          • Mandatory Access Control (MAC) or Rule-based Access Control
          • Discretionary Access Control (DAC)
          • Role-based Access Control (RBAC)
          • Originator Controlled Access Control (ORCON or ORG-CON)
  • 43. Access Control: MAC
      • When a system mechanism controls access to an object and an individual user cannot alter that access, the control is a mandatory access control (MAC), occasionally called a rule-based access control.
      • The operating system enforces MAC. Neither the subject nor the owner of the object can determine whether access is granted.
      • Typically, the system mechanism will check information associated with both the subject and the object to determine whether the subject should access the object.
      • Rules describe the conditions under which access is allowed.
  • 44. Access Control: DAC
      • If an individual user can set an access control mechanism to allow or deny access to an object, that mechanism is a discretionary access control (DAC), also called an identity-based access control (IBAC).
      • DAC bases access rights on the identity of the subject and the identity of the object involved.
      • Identity is the key; the owner of the object constrains who can access it by allowing only particular subjects to have access.
      • The owner states the constraint in terms of the identity of the subject, or the owner of the subject.
  • 45. Access Control: RBAC
      • Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within an enterprise.
      • In this context, access is the ability of an individual user to perform a specific task, such as view, create, or modify a file.
      • Roles are defined according to job competency, authority, and responsibility within the enterprise.
  • 46. Access Control: ORCON or ORG-CON
      • An originator controlled access control (ORCON or ORGCON) bases access on the creator of an object (or the information it contains).
      • The goal of this control is to allow the originator of the file (or of the information it contains) to control the dissemination of the information.
      • The owner of the file has no control over who may access the file.
  • 47. Security Models
      • Bell-LaPadula Model (1973)
      • Biba Model (1977)
      • Clark-Wilson Model (1987)
      • Access Control Matrix
      • Information Flow Model
      • Noninterference Model
      • Chinese Wall Model
      • Lattice Model
      • (Figure labels: Security Requirements: Confidentiality, Integrity, Availability; Security Models)
  • 48. Overview of the Bell-LaPadula Model
      • Funded by the U.S. government, the Bell-LaPadula model is the first mathematical model of a multilevel security policy: users with different clearances use the system, and the system processes data with different classifications.
      • It is a state machine model that enforces the confidentiality aspects of access control, but does not deal with integrity or availability.
      • It is an information flow security model, as it ensures information does not flow in an insecure manner.
      • All mandatory access control (MAC) models are based on the Bell-LaPadula model.
  • 49. Overview of the Bell-LaPadula Model
      • The Simple Security Property (ss Property) states that a subject at a given security level cannot read data that resides at a higher security level (No Read Up).
      • The * (star) Security Property states that a subject at a given security level cannot write information to a lower security level (No Write Down).
      • The Strong Star Property states that a subject that has read and write capabilities can only perform those functions at the same security level, nothing higher and nothing lower. For a subject to be able to read and write to an object, the clearance and classification must be equal.
  • 50. Overview of the Bell-LaPadula Model (Figure: Simple Security Property (Read), Star (*) Property (Write) and Strong Star (*) Property (Read/Write), drawn between a Layer of Lower Secrecy and a Layer of Higher Secrecy; arrow labels: Reading Secrets, Divulging Secrets)
  • 51. Bell-LaPadula Model: Example
      security level | subject | object
      Top Secret     | Tamara  | Personnel Files
      Secret         | Samuel  | E-Mail Files
      Confidential   | Claire  | Activity Logs
      Unclassified   | James   | Telephone Lists
      • Tamara can read all files
      • Claire cannot read Personnel or E-Mail Files
      • James can only read Telephone Lists
  • 52. Overview of the Biba Integrity Model
      • Developed in 1977, the Biba integrity model mathematically describes read and write restrictions based on integrity access classes of subjects and objects. It is the first model to address integrity.
      • It is an information flow model, as it is concerned with data flowing from one level to another.
      • The model looks similar to the Bell-LaPadula Model; however, the read-write conditions are reversed.
  • 53. Overview of the Biba Integrity Model
      • The Simple Integrity Axiom states that a subject at one level of integrity is not permitted to observe (read) an object of a lower integrity. No Read Down.
      • The * (Star) Integrity Axiom states that a subject at one level of integrity is not permitted to modify (write to) an object of a higher level of integrity. No Write Up.
      • The Invocation Property states that a subject at one level of integrity cannot invoke (call up) a subject at a higher level of integrity.
  • 54. Overview of the Biba Integrity Model (Figure: Simple Integrity Property (Read) and Integrity Star (*) Property (Write); labels: Layer of Lower Secrecy, Contamination, Get Contaminated)
  • 55. Overview of the Biba Integrity Model
      • The Biba model can be extended to include an access operation called invoke. A subject can invoke another subject, such as a software utility, to access an object.
      • The subject cannot send messages (logical requests for service) to subjects of higher integrity. Subjects are only allowed to invoke utilities or tools at the same or lower integrity level (otherwise, a dirty subject could use a clean tool to access or contaminate a clean object).
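
Added example (not part of the original slides): a small Python reference monitor that applies the Bell-LaPadula properties from slide 49 to the subjects and objects in the slide 51 table, and the Biba axioms from slides 53 and 55. The integrity levels LOW/MEDIUM/HIGH and all function names are assumptions made for this illustration.

```python
from enum import IntEnum

class Level(IntEnum):        # security levels from the slide 51 table, lowest first
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

class Integrity(IntEnum):    # assumed integrity levels (not named on the slides)
    LOW = 0
    MEDIUM = 1
    HIGH = 2

# Clearances and classifications exactly as listed on slide 51.
CLEARANCE = {"Tamara": Level.TOP_SECRET, "Samuel": Level.SECRET,
             "Claire": Level.CONFIDENTIAL, "James": Level.UNCLASSIFIED}
CLASSIFICATION = {"Personnel Files": Level.TOP_SECRET, "E-Mail Files": Level.SECRET,
                  "Activity Logs": Level.CONFIDENTIAL, "Telephone Lists": Level.UNCLASSIFIED}

def blp_allows(subject, obj, op):
    """Bell-LaPadula decision (confidentiality) for one access request."""
    can_read = subject >= obj     # Simple Security Property: no read up
    can_write = subject <= obj    # * Property: no write down
    if op == "read":
        return can_read
    if op == "write":
        return can_write
    if op == "read_write":        # Strong Star Property: levels must be equal
        return can_read and can_write
    raise ValueError(f"unknown operation: {op}")

def biba_allows(subject, target, op):
    """Biba decision (integrity): the read/write conditions are reversed."""
    if op == "read":
        return subject <= target  # Simple Integrity Axiom: no read down
    if op in ("write", "invoke"):
        return subject >= target  # * Integrity Axiom (no write up) and invocation property
    raise ValueError(f"unknown operation: {op}")

def readable_objects(name):
    """Objects the named subject may read under Bell-LaPadula."""
    level = CLEARANCE[name]
    return sorted(o for o, c in CLASSIFICATION.items() if blp_allows(level, c, "read"))

def writable_objects(name):
    """Objects the named subject may write under Bell-LaPadula."""
    level = CLEARANCE[name]
    return sorted(o for o, c in CLASSIFICATION.items() if blp_allows(level, c, "write"))

if __name__ == "__main__":
    for name in CLEARANCE:
        print(f"{name:7} read:  {readable_objects(name)}")
        print(f"{name:7} write: {writable_objects(name)}")
    # A low-integrity subject may not modify or invoke a high-integrity target.
    print(biba_allows(Integrity.LOW, Integrity.HIGH, "write"))
```

The write results show the side of Bell-LaPadula the slide's table leaves implicit: James may write to every object (writing up is allowed), while Tamara may write only to Personnel Files.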