Course Overview Lesson Objectives Read and understand the course syllabus Summarize the CIA security model Recall some basic security mechanisms Express the fundamental security principles Learn the importance of computer security
Read and Understand the Course Syllabus http://www.cs.tamu.edu/faculty/pooch/cours e/CPSC665/Spring2001/index.html
Computer Security – Definition What is computer security? –Protection of an organizations assets from accidental or intentional disclosure, modification, destruction, or use –Alternately, it is the combination of administrative procedures, physical security measures, and systems security measures that are intended to protect computer assets
CIA Model of Security Computer security consists of maintaining three primary characteristics: –Confidentiality –Integrity –Availability
CIA Model Definitions - Confidentiality Confidentiality means that the information in a computer system (or in transit between systems) is accessible only by authorized parties. Authorized access includes printing, displaying, reading, or knowledge that information even exists.
CIA Model Definitions - Integrity Integrity means that information can only be modified by authorized parties or in authorized ways. Modification includes writing, changing, deleting, creating, delaying, or replaying information.
CIA Model Definitions - Availability Availability means that information is accessible to authorized parties when needed. An authorized party should not be prevented from accessing information to which they have legitimate access. Denial of service is the opposite of availability.
CIA Model Illustrated The 3 goals of confidentiality, integrity, and availability often overlap and can also conflict with one another. For example, strong confidentiality can severely limit availability. ConfidentialityIntegrity Availability
CIA Illustration 1 Consider the following: –User A transmits a file containing sensitive information to User B. User C, who is not authorized to read this file, is able to monitor the transmission of the file and obtain a copy. This is called an interception and is an attack on confidentiality. User A User B User C
CIA Illustration 2 Consider the following: –User B has requested information that he is authorized to have from User A. User C has disabled some component of the network which prevents information flow. This is called an interruption and is an attack on availability. It is also called a denial of service attack. User A User B User C
CIA Illustration 3 Consider the following: –User A transmits a file containing sensitive information to User B. User C, who is not authorized to read this file, gains access to the file during transmission, captures it, modifies it, and sends it on the User B. This is called a modification and is an attack on integrity. User A User B User C
Controls Various controls and countermeasures have been developed to strengthen system security –Cryptography –Software controls –Hardware controls –Physical controls –Policies
Controls - Cryptography Cryptography is an important tool that can enhance system security by providing: –Confidentiality, in that it prevents unauthorized parties from reading protected information –Integrity, because information that cannot be read cannot be easily altered in a useful way Cryptography will be covered thoroughly in future lessons.
Controls – Software Controls Programs themselves must be robust and secure from outside attack. Some examples where program controls are especially important are: –Operating system software –Software development tools –Access control software
Controls - Hardware Hardware devices can help support system security. Some examples include: –Smart cards –Secure circuit boards –Removable media
Controls - Physical Physical controls used to bolster computer security include many of the same controls used to secure other facilities, such as banks and government buildings: –Door locks –Backups –Sentries –Alarms –Shredders
Controls - Policies Policies aim to describe how an organization will posture itself with regard to security: –User awareness & training –What to audit and when –Etc.
Basic Security Principles In order to design effective security mechanisms we will refer to some general security principles. For example: 1.Principle of least privilege : Give a user or process only those privileges needed to perform task at hand -- no more, no less. 2.Minimize the amount of trusted components : Identify what components of the system need to be trusted and aim to keep those small and simple. 3.Do not aim for perfection : Total security is basically impossible. Instead be prepared to detect problems, to design countermeasures and to recover from attacks.