Professional Documents
Culture Documents
computer security
Outline
Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational Issues Human Issues
computer security 2
In terms of security, computing is very close to the wild west days. Some computing professionals & managers do not even recognize the value of the resources they use or control. In the event of a computing crime, some companies do not investigate or prosecute.
A computing system: a collection of hardware, software, data, and people that an organization uses to do computing tasks Any piece of the computing system can become the target of a computing crime. The weakest point is the most serious vulnerability. The principles of easiest penetration
computer security 4
Exposure
a form of possible loss or harm
Vulnerability
a weakness in the system
Attack Threats
Human attacks, natural disasters, errors
computer security 5
Usurpation: unauthorized control of some part of the system (usurp: take by force or without right)
Modification, spoofing, delay, denial of service
computer security
Security Components
computer security
Software Vulnerabilities
Destroyed (deleted) software Stolen (pirated) software Altered (but still run) software
Data Security
The principle of adequate protection Storage of encryption keys Software versus hardware methods
computer security
10
computer security
11
computer security
12
Methods of Defense
Encryption Software controls Hardware controls Policies Physical controls
computer security
13
Encryption
at the heart of all security methods Confidentiality of data Some protocols rely on encryption to ensure availability of resources. Encryption does not solve all computer security problems.
computer security
14
Software controls
Internal program controls OS controls Development controls Software controls are usually the 1st aspects of computer security that come to mind.
computer security
15
Composition of policies
If policies conflict, discrepancies may create security vulnerabilities
Principle of Effectiveness
Easy to use
appropriate
computer security
17
Overlapping Controls
computer security
18
Goals of Security
Prevention
Prevent attackers from violating security policy
Detection
Detect attackers violation of security policy
Recovery
Stop attack, assess and repair damage Continue to function correctly even if attack succeeds
computer security 19
Mechanisms
Assumed to enforce policy Support mechanisms work correctly
computer security 20
Types of Mechanisms
secure
precise
broad
Assurance
Specification
Requirements analysis Statement of desired functionality
Design
How system will meet specification
Implementation
Programs/systems that carry out design
computer security 22
Operational Issues
Cost-Benefit Analysis
Is it cheaper to prevent or to recover?
Risk Analysis
Should we protect something? How much should we protect this thing?
Human Issues
Organizational Problems
Power and responsibility Financial benefits
People problems
Outsiders and insiders Social engineering
The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education. Enacting policies and procedures simply won't suffice. Even with oversight the policies and procedures may not be effective: my access to Motorola, Nokia, ATT, Sun depended upon the willingness of people to bypass policies and procedures that were in place for years before I compromised them successfully. Kevin Mitnick
computer security
24
Tying Together
Threats Policy Specification Design Implementation Operation
computer security 25
Key Points
computer security 26