Presentation on theme: "Computer Security Computer Security is defined as:"— Presentation transcript:
1 Computer Security. Computer Security is defined as: the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).
2 Integrity. Integrity is defined as: In daily usage, information has integrity when it is timely, accurate, complete, and consistent. However, computers are unable to provide or protect all of these qualities. Therefore, in the computer security field, integrity is often discussed more narrowly as having two facets: data integrity and system integrity.
3 Integrity. Data integrity is a requirement that information and programs are changed only in a specified and authorized manner. System integrity is a requirement that a system performs its intended function in an effective manner, free from unauthorized manipulation of the system.
4 Availability. Availability: A requirement intended to assure that systems work promptly and service is not denied to authorized users.
5 Confidentiality. Confidentiality: A requirement that private or confidential information not be disclosed to unauthorized individuals.
6 Network Security. Network security uses the same basic set of controls as mainframe security or PC security. For example, secure gateways are discussed as a part of Access Control; transmitting authentication data over insecure networks is discussed as the Identification and Authentication and the data communications contracts.
7 COMMON THREATS. Computer systems are vulnerable to many threats that can inflict various types of damage resulting in significant losses. This damage can range from errors harming database integrity to fires destroying entire computer centers. Losses can be, for example, from the actions of supposedly trusted employees defrauding a system, from outside hackers, or from careless data entry clerks.
8 PHYSICAL AND ENVIRONMENTAL SECURITY. Physical Access Controls; Fire Safety Factors; Failure of Supporting Utilities; Mobile and Portable Systems.
9 Physical Access Controls (Theft of Systems or Storage Media). They restrict the entry and exit of personnel (and often equipment and media) from an area, such as an office building, suite, data center, or a room containing a LAN server.
10 Physical access controls. The controls to the system can include the electric power service, the air conditioning and heating, telephone and data lines, backup media and source documents, and any other elements required for the system's operation. This means that all the areas in the building(s) that contain system elements must be identified.
11 Physical access controls. There are many types of physical access controls, including badges, memory cards, guards, keys, fences, and locks, as well as intrusion detectors, such as closed-circuit television cameras, motion detectors, and other devices.
12 Fire Safety Factors. Building fires are a security threat because of the destruction of both hardware and data and the risk to human life.
13 Fire Safety Factors. Typical ignition sources are: failures of electric devices and wiring, carelessly discarded cigarettes, improper storage of materials subject to spontaneous combustion, improper operation of heating devices, etc.
14 Fire Safety Factors. Fire-resistant buildings. Put away fuel sources. Fire detection devices. Fire extinguishment devices.
15 Failure of Supporting Utilities. This applies to electric power distribution, electromagnetic waves or magnetic fields, water, sewage, humidity, dust, smoke, and failures of heating and air-conditioning systems.
16 Failure of Supporting Utilities. Operating and security personnel should have rescue information immediately available for use in an emergency. In some cases, it may be possible to relocate system hardware, particularly distributed LAN hardware.
17 Mobile and Portable Systems. Portable and mobile systems share an increased risk of theft and physical damage. In addition, portable systems can be "misplaced" or left unattended by careless users.
18 Mobile and Portable Systems. Secure storage of portable computers (laptops, backup media, etc.) is often required when they are not in use. Depending on the sensitivity of the system and its application, it may be appropriate to require signed briefing acknowledgments of users.
19 Access Control. Access is the ability to do something with a computer resource. This usually refers to a technical ability (e.g., read, create, modify, or delete a file, execute a program, or use an external connection).
20 Access Control. Authorization is the permission to use a computer resource. Permission is granted, directly or indirectly, by the application or system owner. Authentication is proving (to some reasonable degree) that users are who they claim to be.
21 Access Control. Access control often requires that the system be able to identify and differentiate among users. IDENTIFICATION AND AUTHENTICATION: Identification and authentication (I&A) is the first line of defense. I&A is a technical measure that prevents unauthorized people (or unauthorized processes) from entering a computer system.
22 Access Control. Identification is the means by which a user provides a claimed identity to the system. Authentication is the means of establishing the validity of this claim.
23 Access Control. There are three means of authenticating a user's identity, which can be used alone or in combination: 1. Something the individual knows (a secret, e.g., a password, Personal Identification Number (PIN), or cryptographic key);
24 Access Control. 2. Something the individual possesses (a token, e.g., an ATM card or a smart card); 3. Something the individual is (a biometric, e.g., such characteristics as a voice pattern, handwriting dynamics, or a fingerprint).
25 Access Control. Passwords: Benefits of Passwords. Passwords have been successfully providing security for computer systems. They are integrated into many operating systems, and users and system administrators are familiar with them. When properly managed in a controlled environment, they can provide effective security.
26 Access Control. Problems With Passwords. 1. Guessing or finding passwords. 2. Giving passwords away. 3. Electronic monitoring (when passwords are transmitted to a computer system). 4. Accessing the password file.
27 Access Control. Cryptographic Keys. The authentication derived from the knowledge of a cryptographic key may be based entirely on something the user knows, (or have access to) something that can perform the cryptographic computations, such as a PC or a smart card.
28 Access Control. Memory Tokens. Memory tokens store, but do not process, information. Special reader/writer devices control the writing and reading of data to and from the tokens. The most common type of memory token is a magnetic striped card.
29 Access Control. An application of memory tokens for authentication to computer systems is the Automatic Teller Machine (ATM) card. This uses a combination of something the user possesses (the card) with something the user knows (the PIN). Memory tokens, when used with PINs, provide more security than passwords.
30 Access Control. Smart Tokens. A smart token expands the functionality of a memory token by incorporating one or more integrated circuits into the token itself. A smart token typically requires a user also to provide something the user knows (i.e., a PIN or password) in order to "unlock" the smart token for use.
31 Access Control. Benefits of Smart Tokens. 1. One-time passwords. 2. Reduced risk of forgery. 3. Multi-application.
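
Added example (not part of the original presentation): a PIN-unlocked smart token producing one-time passwords, showing why a code captured by electronic monitoring (password problem 3 above) cannot be reused. It assumes HOTP (RFC 4226) as the one-time-password scheme, which the slides do not name; the `SmartToken` and `Verifier` classes, the sample secret and the PIN are hypothetical.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class SmartToken:
    """Hypothetical token: holds the secret, releases codes only after PIN unlock."""
    def __init__(self, secret: bytes, pin: str):
        self._secret, self._pin, self._counter = secret, pin, 0

    def next_code(self, pin: str) -> str:
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise PermissionError("wrong PIN, token stays locked")
        code = hotp(self._secret, self._counter)
        self._counter += 1
        return code

class Verifier:
    """Hypothetical server side: accepts each counter value at most once."""
    def __init__(self, secret: bytes, window: int = 3):
        self._secret, self._counter, self._window = secret, 0, window

    def check(self, code: str) -> bool:
        for c in range(self._counter, self._counter + self._window):
            if hmac.compare_digest(hotp(self._secret, c), code):
                self._counter = c + 1  # every counter up to c is now spent
                return True
        return False

def demo() -> dict:
    secret = b"12345678901234567890"  # constructed sample secret (RFC 4226 test key)
    token, server = SmartToken(secret, pin="4921"), Verifier(secret)
    code = token.next_code("4921")
    first = server.check(code)    # genuine login with a fresh code
    replay = server.check(code)   # same code presented again after being observed
    try:
        token.next_code("0000")
        wrong_pin_rejected = False
    except PermissionError:
        wrong_pin_rejected = True
    return {"code": code, "first": first, "replay": replay,
            "wrong_pin_rejected": wrong_pin_rejected}

if __name__ == "__main__":
    print(demo())
```

The verifier's look-ahead window tolerates codes generated on the token but never submitted; a real deployment would also limit failed PIN and code attempts.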
32 Access Control. Biometric authentication uses the unique characteristics of an individual to authenticate that person's identity. These include physiological attributes (such as fingerprints, hand geometry, or retina patterns) or behavioral attributes (such as voice patterns and hand-written signatures).
33 Access Control. Biometric systems provide an increased level of security for computer systems. Imperfections in biometric authentication devices arise from technical difficulties in measuring and profiling physical attributes as well as from the variable nature of physical attributes.
34 Access Control. Due to their relatively high cost, biometric systems are typically used with other authentication means in environments requiring high security.