Presentation on theme: "Computer Security Computer Security is defined as:"— Presentation transcript:
1 Computer Security Computer Security is defined as: The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).
2 Integrity Integrity is defined as: In daily usage, information has integrity when it is timely, accurate, complete, and consistent. However, computers are unable to provide or protect all of these qualities. Therefore, in the computer security field, integrity is often discussed more narrowly as having two facets: data integrity and system integrity.
3 Integrity Data integrity is a requirement that information and programs are changed only in a specified and authorized manner. System integrity is a requirement that a system performs its intended function in an effective manner, free from unauthorized manipulation of the system.
4 Availability Availability: A requirement intended to assure that systems work promptly and service is not denied to authorized users.
5 Confidentiality Confidentiality: A requirement that private or confidential information not be disclosed to unauthorized individuals.
6 Network Security Network security uses the same basic set of controls as mainframe security or PC security. For example, secure gateways are discussed as a part of Access Control; transmitting authentication data over insecure networks is discussed as part of Identification and Authentication and the data communications contracts.
7 COMMON THREATS Computer systems are vulnerable to many threats that can inflict various types of damage resulting in significant losses. This damage can range from errors harming database integrity to fires destroying entire computer centers. Losses can be, for example, from the actions of supposedly trusted employees defrauding a system, from outside hackers, or from careless data entry clerks.
8 PHYSICAL AND ENVIRONMENTAL SECURITY Physical Access Controls, Fire Safety Factors, Failure of Supporting Utilities, Mobile and Portable Systems.
9 Physical Access Controls (Theft of Systems or Storage Media) They restrict the entry and exit of personnel (and often equipment and media) from an area, such as an office building, suite, data center, or a room containing a LAN server.
10 Physical access controls The controls to the system can include the electric power service, the air conditioning and heating, telephone and data lines, backup media and source documents, and any other elements required for the system's operation. This means that all the areas in the building(s) that contain system elements must be identified.
11 Physical access controls There are many types of physical access controls, including badges, memory cards, guards, keys, fences, and locks, as well as intrusion detectors such as closed-circuit television cameras, motion detectors, and other devices.
12 Fire Safety Factors Building fires are a security threat because of the destruction of both hardware and data and the risk to human life.
13 Fire Safety Factors Typical ignition sources are: failures of electric devices and wiring, carelessly discarded cigarettes, improper storage of materials subject to spontaneous combustion, improper operation of heating devices, etc.
14 Fire Safety Factors Fire-resistant buildings. Put away fuel sources. Fire detection devices. Fire extinguishment devices.
15 Failure of Supporting Utilities This applies to electric power distribution, electromagnetic waves or magnetic fields, water, sewage, humidity, dust, smoke, and failures of heating and air-conditioning systems.
16 Failure of Supporting Utilities Operating and security personnel should have rescue information immediately available for use in an emergency. In some cases, it may be possible to relocate system hardware, particularly distributed LAN hardware.
17 Mobile and Portable Systems Portable and mobile systems share an increased risk of theft and physical damage. In addition, portable systems can be "misplaced" or left unattended by careless users.
18 Mobile and Portable Systems Secure storage of portable computers (laptops, backup media, etc.) is often required when they are not in use. Depending on the sensitivity of the system and its application, it may be appropriate to require signed briefing acknowledgments of users.
19 Access Control Access is the ability to do something with a computer resource. This usually refers to a technical ability (e.g., read, create, modify, or delete a file, execute a program, or use an external connection).
20 Access Control Authorization is the permission to use a computer resource. Permission is granted, directly or indirectly, by the application or system owner. Authentication is proving (to some reasonable degree) that users are who they claim to be.
21 Access Control Access control often requires that the system be able to identify and differentiate among users. IDENTIFICATION AND AUTHENTICATION: Identification and authentication (I&A) is the first line of defense. I&A is a technical measure that prevents unauthorized people (or unauthorized processes) from entering a computer system.
22 Access Control Identification is the means by which a user provides a claimed identity to the system. Authentication is the means of establishing the validity of this claim.
23 Access Control There are three means of authenticating a user's identity, which can be used alone or in combination: 1. Something the individual knows (a secret, e.g., a password, Personal Identification Number (PIN), or cryptographic key);
24 Access Control 2. Something the individual possesses (a token, e.g., an ATM card or a smart card); 3. Something the individual is (a biometric, e.g., such characteristics as a voice pattern, handwriting dynamics, or a fingerprint).
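The identification, authentication and authorization steps defined in slides 19 to 24, as an added example that is not part of the original presentation. The user names, PINs, card serials and permission sets are constructed sample data, and possession of a token is modelled as a simple serial comparison, which is a simplification of what a real card reader does.

```python
import hashlib
import hmac
import os

def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted, slow hash so the stored record never holds the secret itself."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def make_record(secret: str, token_serial: str, permissions) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_secret(secret, salt),
            "token": token_serial, "permissions": set(permissions)}

# Constructed sample users (hypothetical names and values).
USERS = {
    "alice": make_record("4921", "CARD-0001", {"read", "modify"}),
    "bob": make_record("7730", "CARD-0002", {"read"}),
}

def authenticate(claimed_id: str, secret: str, token_serial: str) -> bool:
    """Validate a claimed identity with something known AND something possessed."""
    record = USERS.get(claimed_id)
    if record is None:
        # Do the same hashing work for unknown IDs so timing does not reveal valid users.
        hash_secret(secret, b"\x00" * 16)
        return False
    knows = hmac.compare_digest(hash_secret(secret, record["salt"]), record["hash"])
    has = hmac.compare_digest(token_serial.encode(), record["token"].encode())
    return knows and has

def authorize(user_id: str, action: str) -> bool:
    """Authorization: is this authenticated user permitted to perform the action?"""
    return action in USERS[user_id]["permissions"]

def request_access(claimed_id: str, secret: str, token_serial: str, action: str) -> str:
    # Identification is the claimed_id; it proves nothing until authenticated.
    if not authenticate(claimed_id, secret, token_serial):
        return "denied: authentication failed"
    if not authorize(claimed_id, action):
        return "denied: not authorized"
    return "granted"

if __name__ == "__main__":
    print(request_access("alice", "4921", "CARD-0001", "modify"))
    print(request_access("bob", "7730", "CARD-0002", "delete"))
```
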
25 Access Control Passwords: Benefits of Passwords. Passwords have been successfully providing security for computer systems. They are integrated into many operating systems, and users and system administrators are familiar with them. When properly managed in a controlled environment, they can provide effective security.
26 Access Control Problems With Passwords. 1. Guessing or finding passwords. 2. Giving passwords away. 3. Electronic monitoring (when passwords are transmitted to a computer system). 4. Accessing the password file.
27 Access Control Cryptographic Keys The authentication derived from the knowledge of a cryptographic key may be based entirely on something the user knows, or on something the user has access to that can perform the cryptographic computations, such as a PC or a smart card.
28 Access Control Memory Tokens Memory tokens store, but do not process, information. Special reader/writer devices control the writing and reading of data to and from the tokens. The most common type of memory token is a magnetic striped card.
29 Access Control An application of memory tokens for authentication to computer systems is the Automatic Teller Machine (ATM) card. This uses a combination of something the user possesses (the card) with something the user knows (the PIN). Memory tokens, when used with PINs, provide more security than passwords.
30 Access Control Smart Tokens A smart token expands the functionality of a memory token by incorporating one or more integrated circuits into the token itself. A smart token typically requires a user also to provide something the user knows (i.e., a PIN or password) in order to "unlock" the smart token for use.
31 Access Control Benefits of Smart Tokens 1. One-time passwords. 2. Reduced risk of forgery. 3. Multi-application.
32 Access Control Biometric authentication uses the unique characteristics of an individual to authenticate that person's identity. These include physiological attributes (such as fingerprints, hand geometry, or retina patterns) or behavioral attributes (such as voice patterns and hand-written signatures).
33 Access Control Biometric systems provide an increased level of security for computer systems. Imperfections in biometric authentication devices arise from technical difficulties in measuring and profiling physical attributes as well as from the variable nature of physical attributes.
34 Access Control Due to their relatively high cost, biometric systems are typically used with other authentication means in environments requiring high security.