2. Computer Security Defined by NIST (National Institute of Standards and Technology)
http://csrc.nist.gov/
“The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).”
17. This all happened because the hackers were able to get hold of Honan’s email address, his billing address and the last four digits of a credit card he had on file. Once the hacker had this information, he or she called Apple, asked for a reset of the iCloud account in Honan’s name, and was given a temporary password.
18. Availability – the threat is disruption of access to, or use of, information or an information system.
Confidentiality and integrity do not matter if the system is not available!
19. Availability
Threats:
● Attacks against availability = DoS (denial of service)
● Natural disasters
● Man-made disasters
Protective mechanisms:
● Business continuity
● Disaster recovery planning
● Regular, reliable backups to minimize loss
21. Identification – scope, locality and uniqueness of IDs
Authentication – prove that you are the person you claim to be!
Identify – authenticate – authorize
login – password – permissions
22. Methods of Authentication
● What you know (low strength)
  ● Passwords, passphrases, secret codes, PINs (low cost)
● What you have (low strength)
  ● Keys, smart cards, tokens (must be in your possession = higher cost)
● What you are (potentially high strength)
  ● Biometrics
23. Authorization
● Roles carry privileges, rights and permissions:
  ● Guest
  ● Participant
  ● Admin
● Permissions: view, insert, delete, modify, admin
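The identify – authenticate – authorize pipeline of slides 21–23, as an added example in Python; this is not code from the slides or their author. It assumes (my assumptions, not the deck's) an in-memory user table keyed by a unique login name, passwords stored as salted PBKDF2-HMAC-SHA256 digests, and the role and permission names from the Authorization slide.

```python
# Added example (not from the slides): the identify - authenticate - authorize
# pipeline from slides 21-23. Assumptions (mine, not the deck's): users live in
# an in-memory table keyed by a unique login name, passwords are stored as
# salted PBKDF2-HMAC-SHA256 digests, and roles map to the permission names
# the Authorization slide lists.
import hashlib
import hmac
import os
from typing import Dict, Optional, Set

# Role -> permissions, using the role and permission names from the slides.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "guest": {"view"},
    "participant": {"view", "insert", "modify"},
    "admin": {"view", "insert", "delete", "modify", "admin"},
}

PBKDF2_ROUNDS = 200_000  # work factor; tune to your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, bytes]:
    """Salted PBKDF2-HMAC-SHA256 of the password; the plaintext is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


# Constructed user table: login -> {"role", "salt", "digest"}. The login is the
# identity, so it must be unique (the "uniqueness of IDs" point on slide 21).
USERS: Dict[str, dict] = {}

# Dummy record so that an unknown login costs the same as a wrong password;
# otherwise response time would reveal which logins exist.
_DUMMY = hash_password("not-a-real-password")


def register(login: str, password: str, role: str) -> None:
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    if login in USERS:
        raise ValueError(f"login already taken: {login}")
    USERS[login] = {"role": role, **hash_password(password)}


def identify(login: str) -> Optional[dict]:
    """Step 1, identification: map the claimed ID to an account (None if absent)."""
    return USERS.get(login)


def authenticate(login: str, password: str) -> bool:
    """Step 2, authentication: prove the claim with something you know."""
    record = identify(login) or _DUMMY
    candidate = hash_password(password, record["salt"])["digest"]
    # Constant-time comparison, and still False when the login does not exist.
    return hmac.compare_digest(candidate, record["digest"]) and login in USERS


def authorize(login: str, action: str) -> bool:
    """Step 3, authorization: does the identity's role grant this permission?"""
    record = identify(login)
    return record is not None and action in ROLE_PERMISSIONS[record["role"]]


def login_and_act(login: str, password: str, action: str) -> str:
    """Full pipeline: login - password - permissions. The failure message does
    not say whether the login or the password was wrong."""
    if not authenticate(login, password):
        return "authentication failed"
    if not authorize(login, action):
        return f"forbidden: {action}"
    return f"ok: {action}"


if __name__ == "__main__":
    register("alice", "correct horse battery staple", "admin")
    register("bob", "hunter2", "guest")
    print(login_and_act("alice", "correct horse battery staple", "delete"))  # ok: delete
    print(login_and_act("bob", "hunter2", "delete"))                         # forbidden: delete
    print(login_and_act("bob", "wrong", "view"))                             # authentication failed
    print(login_and_act("mallory", "x", "view"))                             # authentication failed
```

Two design points worth noticing: the password check runs against a dummy record when the login is unknown, and the failure message is the same in both cases, so neither timing nor wording tells a caller which logins exist; and authorization is a separate step from authentication, so a valid login with a guest role still cannot delete.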
24. How does anybody do this?
http://live.wsj.com/video/news-hub-google-gmail-hit-with-china-based-scam/D
25. Accountability – who sent what, where?
The ability to trace actions back to a person, place and time, back to a system and the processes that were performed on it!
Provided by logs and audit trails.
26. Accountability
System/application logs:
● Ordered list of events and actions
● Must have integrity
● Time-stamped consistently across the entire system
● High-level actions (email sent, web page served)
Audit trail:
● Ordered list of events and actions, such as:
  ● Opening files
  ● Writing to files
  ● Sending packets across the network
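An audit trail with the properties slides 25 and 26 ask for (ordered, time-stamped, tamper-evident, traceable back to a person, system and time), as an added example in Python; it is not code from the slides or their author. It assumes (my assumptions) that entries are JSON-serializable dicts, that timestamps come from one UTC clock shared across the system, and that each entry's hash covers the previous entry's hash so that editing or removing an earlier entry breaks every hash after it.

```python
# Added example (not from the slides): an append-only, hash-chained audit trail
# that gives the accountability properties of slides 25-26: every entry says
# who did what, where and when; entries are ordered; and each entry's hash
# covers the previous entry's hash, so changing or removing an earlier entry
# breaks every hash after it. Assumptions (mine): entries are JSON-serializable
# dicts and timestamps come from one UTC clock shared across the system.
import hashlib
import json
from datetime import datetime, timezone
from typing import Callable, List, Optional

GENESIS = "0" * 64  # "previous hash" of the very first entry


def entry_hash(prev_hash: str, body: dict) -> str:
    """SHA-256 over the previous hash and the canonical JSON of the entry body."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(prev_hash.encode("ascii") + payload).hexdigest()


def utc_now() -> str:
    return datetime.now(timezone.utc).isoformat()


class AuditTrail:
    def __init__(self, clock: Callable[[], str] = utc_now) -> None:
        self.entries: List[dict] = []
        self._clock = clock

    def record(self, who: str, action: str, where: str, obj: str) -> dict:
        """Append one event: person, action, system, object, time."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "time": self._clock(),
            "who": who,
            "action": action,
            "where": where,
            "object": obj,
            "prev": prev,
        }
        entry = dict(body, hash=entry_hash(prev, body))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the latest entry; keep a copy somewhere the log writer cannot reach."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Optional[int]:
        """Return the index of the first entry that fails the chain check, the
        number of entries if the tail has been cut off (only detectable when the
        caller supplies the head hash it recorded earlier), or None if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e.get("seq") != i or e.get("prev") != prev or entry_hash(prev, body) != e.get("hash"):
                return i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return len(self.entries)
        return None

    def trace(self, obj: str) -> List[dict]:
        """The accountability question: who touched this object, where and when?"""
        return [e for e in self.entries if e["object"] == obj]


if __name__ == "__main__":
    trail = AuditTrail()
    # Constructed events of the kind the Audit Trail slide lists.
    trail.record("alice", "open_file", "host-a", "/srv/reports/q1.xlsx")
    trail.record("alice", "write_file", "host-a", "/srv/reports/q1.xlsx")
    trail.record("bob", "send_packet", "host-b", "10.0.0.5:443")
    saved_head = trail.head()
    print("intact:", trail.verify(saved_head))  # None
    for e in trail.trace("/srv/reports/q1.xlsx"):
        print(e["time"], e["who"], e["action"], "on", e["where"])
    trail.entries[1]["who"] = "nobody"          # tamper with an earlier entry
    print("first bad entry:", trail.verify())    # 1
```

The chain alone detects edits and deletions in the middle of the log, but not removal of the most recent entries: the caveat is that the latest head hash has to be stored out of reach of whoever writes the log (a separate host, a write-once medium) and passed to `verify` for truncation to be caught. Timestamps must come from one synchronized clock, otherwise the "ordered" property across systems is lost even though each chain still verifies.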
28. Privacy = do you really have any?
Organizations should take the necessary precautions to protect the confidentiality and integrity of the personal information they collect, store and process.
30. Some Things to Ponder:
What are the types of threats?
Who is conducting these?
Why?