2. INTRODUCTIONINTRODUCTION
What is security?What is security?
Security is about the protection of assets.Security is about the protection of assets.
- Computer-related assets.- Computer-related assets.
Computing system :- hardware, software,Computing system :- hardware, software,
storage media, data and people.storage media, data and people.
Principle of Easiest PenetrationPrinciple of Easiest Penetration
Intruder must be expected to use allIntruder must be expected to use all
available means of penetration. Use theavailable means of penetration. Use the
‘weakest point’.‘weakest point’.
3. INTRODUCTIONINTRODUCTION
There are 3 classification of protection:There are 3 classification of protection:
– PreventionPrevention: take measures that prevent your: take measures that prevent your
assets from being damaged.assets from being damaged.
– DetectionDetection: take measures that allow you to: take measures that allow you to
detect when an asset has been damageddetect when an asset has been damaged
– ReactionReaction: take measures that allow you to: take measures that allow you to
recover your assets or to recover from damagerecover your assets or to recover from damage
to your assets.to your assets.
4. Example from physical world:Example from physical world:
– PreventionPrevention: locks at the door or window bars,: locks at the door or window bars,
wall around the propertywall around the property
– DetectionDetection: you detect when something has been: you detect when something has been
stolen if it is no longer there, a burglar alarmstolen if it is no longer there, a burglar alarm
goes on when break-in occurs, cctv providegoes on when break-in occurs, cctv provide
information that allows you to identify intrudersinformation that allows you to identify intruders
– ReactionReaction: you can call the police or you may: you can call the police or you may
decide to replace the stolen itemdecide to replace the stolen item
INTRODUCTIONINTRODUCTION
5. INTRODUCTIONINTRODUCTION
Example from cyber world: consider credit card fraudExample from cyber world: consider credit card fraud
cases.cases.
– PreventionPrevention: use encryption when placing an order,: use encryption when placing an order,
rely on the merchant to perform some checks on therely on the merchant to perform some checks on the
caller before accepting a credit card order or don’tcaller before accepting a credit card order or don’t
use credit card number on the Internet.use credit card number on the Internet.
– DetectionDetection: a transaction that you had not authorized: a transaction that you had not authorized
appears on your credit card statements.appears on your credit card statements.
– ReactionReaction: you can ask for new credit card number,: you can ask for new credit card number,
the cost of the fraudulent may be recovered by thethe cost of the fraudulent may be recovered by the
card holder or the merchant where the fraudster hadcard holder or the merchant where the fraudster had
made the purchase or the credit card issuer.made the purchase or the credit card issuer.
6. SECURITY
GOALS
SECURITY
GOALS
INTEGRITY: An assets can be
modified only by authorized or
only in authorized ways.
CONFIDENTIALITY: an assets of
computing systems are available
only by authorized parties (also
known as secrecy).
AVAILABILITY : An assets are
accessible to authorized parties
when needed without any
delay.
7. SECURITY
THREATS
INTERRUPTION: An asset of the
system is destroyed or become
unavailable or unusable – attack
on AVAILABILTY
INTERCEPTION: An
unauthorized party (program,
person, computer) gains access
to an asset – attack on
CONFIDENTIALITY
MODIFICATION: An
unauthorized party not only gain
access to but tampers with an
assets – attack on INTEGRITY
FABRICATION: An unauthorized
party insert counterfeit objects
into the system – an attack on
AUTHENTICITY
9. Examples of security threats/attacks:Examples of security threats/attacks:
Interruption
~ destruction of piece of hardware (hard disk)
~ cutting of communication line or
~ disabling of the file management system
Interception
~ wiretapping
~ illicit copy of files or programs
Modification
~ changing values in data file,
~ altering a program so that
it performs differently,
~ modifying the content of messages being transmitted in a network.
Fabrication
~ addition of records to a file,
~ insertion of spurious messages in a network
12. VulnerabilitiesVulnerabilities
Threats to Hardware
• involuntary machine-slaughter: accidental acts not intended
to do serious damage.
• voluntary machine-slaughter: intended to do harm
Threats to Software
• deletion
• modification – trojan horse, virus, trapdoor, logic bomb
• theft - piracy
13. VulnerabilitiesVulnerabilities
Threats to Data
• loss of data
•interception
• modification
• fabrication
Threats to other exposed assets
• storage media – consider backups
• networks – very expose medium, access from distant
• access – steal computer time, denial of service
• key people – disgruntled employees
14. Methods of DefenseMethods of Defense
Encryption provides
~ confidentiality for data
~ integrity
~ basis for protocol
SOFTWARE/HARDWARE
CONTROLSENCRYPTION
POLICIES
Software controls:
~ Internal program controls
~ Operating system controls
~ Development controls
Hardware controls:
~ hardware devices :
- smartcard (encryption)
- circuit board ctrl disk
drives in PCs~ frequent changes
of password
~ training
Legal and ethical controls
~ codes of ethics ~ locks of doors
~ backup copies of important s/w and data
~ physical site planning (reduce natural disasters)
PHYSICAL CONTROLS
METHODS OF
DEFENSE
METHODS OF
DEFENSE
15. Who are the people?Who are the people?
AmateursAmateurs:: not career criminal but normal people
who observe a flaw in a security system – have
access to something valuable.
Crackers: may be university or high school
students who attempt to access computing facilities
for which they have not been authorized.
Career criminal: understands the targets of
computer crime, international groups, electronic
spies, information brokers.
Hackers: someone with deep knowledge and
interest in operating systems or multiple OS. Do not
attempt to intentionally break any system (non-
malicious).
16. How to makes a systemHow to makes a system
secure?secure?
There are four methods how computer security provideThere are four methods how computer security provide
protection:protection:
(1)(1) System Access ControlSystem Access Control : ensuring that unauthorized: ensuring that unauthorized
users don’t get into the system.users don’t get into the system.
(2)(2) Data Access ControlData Access Control : monitoring who can access: monitoring who can access
what data and for what purposes.what data and for what purposes.
(3)(3) System and Security AdministrationSystem and Security Administration : performing: performing
certain procedures (system administrator’s responsibilities orcertain procedures (system administrator’s responsibilities or
training users appropriately)training users appropriately)
(4)(4) System DesignSystem Design: Taking advantage of basic hardware: Taking advantage of basic hardware
and software security characteristics.and software security characteristics.
17. System Access ControlSystem Access Control
The first way in which system provides computerThe first way in which system provides computer
security is by controlling access to that system:security is by controlling access to that system:
– Who’s allowed to log in?Who’s allowed to log in?
– How does the system decide whether a user is legitimate?How does the system decide whether a user is legitimate?
Identification and authentication provides theIdentification and authentication provides the
above.above.
18. Identification & AutheticationIdentification & Authetication
IdentificationIdentification tells the system who you aretells the system who you are
AuthenticationAuthentication proves to the system that you areproves to the system that you are
who you are.who you are.
There are 3 ways to prove ourselves:There are 3 ways to prove ourselves:
– Something you knowSomething you know
– Something you haveSomething you have
– Something you areSomething you are
System Access ControlSystem Access Control
19. e.g.: password
~ you know the
password,
you the owner
IDENTIFICATION
&
AUTHENTICATION
IDENTIFICATION
&
AUTHENTICATION
SOMETHING YOU
HAVE
SOMETHING YOU
KNOW
SOMETHING YOU
ARE
e.g.: tokens, keys &
smart cards
~ you have the key,
you must be the owner
of it
e.g: fingerprints, retina pattern, handprint etc.
20. Username and PasswordUsername and Password
Typical first line of defenseTypical first line of defense
User name (Login ID) – identificationUser name (Login ID) – identification
Password – authenticationPassword – authentication
Login will succeed if you entered a valid user nameLogin will succeed if you entered a valid user name
and corresponding password.and corresponding password.
System Access ControlSystem Access Control
21. User plays an important role inUser plays an important role in
password protection – authenticationpassword protection – authentication
is compromised when you gave awayis compromised when you gave away
your own password by telling others.your own password by telling others.
Common threats on password:Common threats on password:
– Password guessing: exhaustive searchPassword guessing: exhaustive search
and intelligent searchand intelligent search
– Password spoofingPassword spoofing
– Compromise of the password fileCompromise of the password file
System Access ControlSystem Access Control
22. How we can defend password security:How we can defend password security:
– Compulsory to set a passwordCompulsory to set a password
– Change default passwordChange default password
– Password lengthPassword length
– Password formatPassword format
– Avoid obvious passwordsAvoid obvious passwords
How system help to improve password security:How system help to improve password security:
– Password checkersPassword checkers
– Password generationPassword generation
– Password ageingPassword ageing
– Limit login attemptsLimit login attempts
– Inform usersInform users
System Access ControlSystem Access Control
23. Data Access ControlData Access Control
On the most elementary level, a subjectOn the most elementary level, a subject
may observe an object or alter an object,may observe an object or alter an object,
therefore the common access modes aretherefore the common access modes are
defined as below:defined as below:
– Observe: look at the contents of an objectObserve: look at the contents of an object
– Change: change the contents of an objectChange: change the contents of an object
24. Data Access ControlData Access Control
Observe
Change
execute append read write
√
√ √
√
Access rights in the Bell-LaPadula model
{execute, read, write}
Alice
Bill
bill.doc edit.exe fun.com
{read, write}
{execute}
{execute}
{execute, read}
-
An access control matrix
25. Effectiveness of ControlsEffectiveness of Controls
Awareness of ProblemsAwareness of Problems : people will cooperate: people will cooperate
with security requirements only if they understandwith security requirements only if they understand
why security is appropriate in each specificwhy security is appropriate in each specific
situation.situation.
Likelihood of useLikelihood of use : controls must be used to be: controls must be used to be
effective – therefore it must be easy to use andeffective – therefore it must be easy to use and
appropriate.appropriate.
Overlapping controlsOverlapping controls : combinations of control: combinations of control
on one exposure.on one exposure.
Periodic reviewPeriodic review: ongoing task in judging the: ongoing task in judging the
effectiveness of a control.effectiveness of a control.