Presentation is loading. Please wait.

Presentation is loading. Please wait.

EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University"— Presentation transcript:

1 EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University wenbing@ieee.org

2 2 Spring 2007EEC693: Secure & Dependable ComputingWenbing Zhao Outline Reminder: No class next Monday 1/21! Dependability concepts Security in computing systems –Security in Computing, Third Edition By Charles P. Pfleeger, Shari Lawrence Pfleeger http://proquest.safaribooksonline.com/0130355488 –Security in Computing, 4th Edition is also available http://proquest.safaribooksonline.com/0132390779

3 3 Spring 2007EEC693: Secure & Dependable ComputingWenbing Zhao What Do We Mean by Dependability* Dependability: –Def1: Ability to deliver service that can justifiably be trusted –Def2: Ability to avoid service failures that are more frequent or more severe than is acceptable When service failures are more frequent or more severe than acceptable, we say there is a dependability failure *This and the rest of the slides are based on: A. Avizienis, J.C. Laprie, B. Randell, C. Landwehr: ‘Basic Concepts and Taxonomy of Dependable and Secure Computing’, IEEE Trans. on Dependable and Secure Computing, vol. 1, no. 1, Jan-March 2004, pp.11-33; and based on Dr. Laprie’s keynote speak slides on COMSAC 2004

4 4 Spring 2007EEC693: Secure & Dependable ComputingWenbing Zhao Dependability Related Terminology A system is an entity that interacts with other entities, i.e., other systems, including hardware, software, humans, and the physical world with its natural phenomena These other systems are the environment of the given system The system boundary is the common frontier between the system and its environment System Environment System Boundary

5 5 Spring 2007EEC693: Secure & Dependable ComputingWenbing Zhao Dependability Related Terminology Service delivered by a system: its behavior as it is perceived by its users User: another system that interacts with the former Function of a system: what the system is intended to do (Functional) Specification: description of the system function Correct service: when the delivered service implements the system function

6 6 Spring 2007EEC693: Secure & Dependable ComputingWenbing Zhao Dependability Related Terminology Service failure: event that occurs when the delivered service deviates from correct service, either –because the system does not comply with the specification, –or because the specification did not adequately describe its function Part of system state that may cause a subsequent service failure: error Adjudged or hypothesized cause of an error: fault Failure modes: the ways in which a system can fail, ranked according to failure severities

7 7 Spring 2007EEC693: Secure & Dependable ComputingWenbing Zhao It is not included in some def for dependability

8 8 Spring 2007EEC693: Secure & Dependable ComputingWenbing Zhao The Threats to Dependability and Security: Failures, Errors, Faults

9 9 Spring 2007EEC693: Secure & Dependable ComputingWenbing Zhao Dependability and its Attributes Original definitions of dependability: ability to deliver service that can justifiably be trusted –Aimed at generalizing availability, reliability, safety, confidentiality, integrity, maintainability, that are then attributes of dependability –Focus on trust, i.e. accepted dependence –=> Dependence of system A on system B is the extent to which system A’s dependability is (or would be) affected by that of system B

10 10 Spring 2007EEC693: Secure & Dependable ComputingWenbing Zhao Dependability and its Attributes Alternate definition of dependability: ability to avoid service failures that are more frequent or more severe than is acceptable –A system can, and usually does, fail. Is it however still dependable? When does it become undependable? –This def defines the criterion for deciding whether or not, in spite of service failures, a system is still to be regarded as dependable –Dependability failure  fault(s)

11 11 Spring 2007EEC693: Secure & Dependable ComputingWenbing Zhao Dependability and Security Tree

12 12 Spring 2007EEC693: Secure & Dependable ComputingWenbing Zhao Dependability vs. High Confidence vs. Survivability vs. Trustworthiness

13 13 Spring 2007EEC693: Secure & Dependable ComputingWenbing Zhao

14 14 Spring 2007EEC693: Secure & Dependable ComputingWenbing Zhao

15 15 Spring 2007EEC693: Secure & Dependable ComputingWenbing Zhao

16 16 Spring 2007EEC693: Secure & Dependable ComputingWenbing Zhao Non-Malicious Faults

17 17 Spring 2007EEC693: Secure & Dependable ComputingWenbing Zhao Malicious Faults: Statistics from SEI/CERT

18 18 Spring 2007EEC693: Secure & Dependable ComputingWenbing Zhao Global Information Security Survey 2004 — Ernst & Young Non-malicious fault: 370 (76%) Malicious fault: 115 (24%) Note: what’s shown here is the number of occurrence, not the damage done

19 19 Spring 2007EEC693: Secure & Dependable ComputingWenbing Zhao

20 20 Spring 2007EEC693: Secure & Dependable ComputingWenbing Zhao

21 21 Spring 2007EEC693: Secure & Dependable ComputingWenbing Zhao Security in Computing Systems Security in computing systems = protecting valuable computer-related asset Computer-related asset (valuable components): –Hardware, software, and data Means to achieve security –Protecting programs –Protecting operating systems –Protecting networks

22 22 Spring 2007EEC693: Secure & Dependable ComputingWenbing Zhao Principle of Easiest Penetration An intruder may use any available means of penetration –The penetration may not necessarily be by the most obvious means –Nor is it the one against which the most solid defense has been installed

23 23 Spring 2007EEC693: Secure & Dependable ComputingWenbing Zhao Principle of Easiest Penetration This principle implies that –Computer security specialists must consider all possible means of penetration –The penetration analysis must be done repeatedly, and especially whenever the system and its security changes –Strengthening one aspect of a system may simply make another means of penetration more appealing to intruders

24 24 Spring 2007EEC693: Secure & Dependable ComputingWenbing Zhao Threats, Vulnerabilities, and Controls A threat to a computing system is a set of circumstances that has the potential to cause loss or harm A vulnerability is a weakness in the security system –For instance, a particular system may be vulnerable to unauthorized data manipulation because the system does not verify a user's identity before allowing data access How do we address these problems? We use a control as a protective measure –A control is an action, device, procedure, or technique that removes or reduces a vulnerability –A threat is blocked by control of a vulnerability

25 25 Spring 2007EEC693: Secure & Dependable ComputingWenbing Zhao Threats, Vulnerabilities, and Controls

26 26 Spring 2007EEC693: Secure & Dependable ComputingWenbing Zhao Type of Threats An interception means that some unauthorized party has gained access to an asset In an interruption, an asset of the system becomes lost, unavailable, or unusable If an unauthorized party not only accesses but tampers with an asset, the threat is a modification An unauthorized party might create a fabrication of counterfeit objects on a computing system

27 27 Spring 2007EEC693: Secure & Dependable ComputingWenbing Zhao Type of Threats

28 28 Spring 2007EEC693: Secure & Dependable ComputingWenbing Zhao Interception An interception means that some unauthorized party has gained access to an asset –Example: illicit copying of program or data files, or wiretapping to obtain data in a network –Unlike a loss, which may be discovered fairly quickly, a silent interceptor may leave no traces by which the interception can be readily detected

29 29 Spring 2007EEC693: Secure & Dependable ComputingWenbing Zhao Interruption In an interruption, an asset of the system becomes lost, unavailable, or unusable –Example: malicious destruction of a hardware device –Example: erasure of a program or data file –Example: (distributed) denial of service attacks

30 30 Spring 2007EEC693: Secure & Dependable ComputingWenbing Zhao Modification If an unauthorized party not only accesses but tampers with an asset, the threat is a modification –Example: someone might change the values in a database, alter a program so that it performs an additional computation –Example: modify message being transmitted over the network –Some cases of modification can be detected with simple measures, but other, more subtle, changes may be almost impossible to detect

31 31 Spring 2007EEC693: Secure & Dependable ComputingWenbing Zhao Fabrication An unauthorized party might create a fabrication of counterfeit objects on a computing system –Example: the intruder may insert spurious transactions to a network communication system or add records to an existing database –Sometimes these additions can be detected as forgeries, but if skillfully done, they are virtually indistinguishable from the real thing

32 32 Spring 2007EEC693: Secure & Dependable ComputingWenbing Zhao Threats: Methods, Opportunity, and Motive A malicious attacker must have three things: –Method: the skills, knowledge, tools, and other things with which to launch an attack –Opportunity: the time and access to accomplish the attack –Motive: a reason to want to perform this attack against this system

Download ppt "EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University"

Similar presentations

Advanced Networks and Computer Security Curt Carver & Jeff Humphries © 1999 Texas A&M University.

Advanced Networks and Computer Security Curt Carver & Jeff Humphries © 1999 Texas A&M University.
Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
30/04/2015Tim S Roberts 20081 COIT13152 Operating Systems T1, 2008 Tim S Roberts.

30/04/2015Tim S Roberts COIT13152 Operating Systems T1, 2008 Tim S Roberts.
EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
Is There a Security Problem in Computing? Network Security / G. Steffen1.

Is There a Security Problem in Computing? Network Security / G. Steffen1.
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 3 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 3 Wenbing Zhao Department of Electrical and Computer Engineering.
Software Testing and Quality Attributes Software Testing Module (0721430) Dr. Samer Hanna.

Software Testing and Quality Attributes Software Testing Module ( ) Dr. Samer Hanna.
EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
IT 221: Introduction to Information Security Principles Lecture 1: Introduction to IT Security For Educational Purposes Only Revised: August 28, 2002.

IT 221: Introduction to Information Security Principles Lecture 1: Introduction to IT Security For Educational Purposes Only Revised: August 28, 2002.
Informationsteknologi Thursday, October 11, 2007Computer Systems/Operating Systems - Class 161 Today’s class Security.

Informationsteknologi Thursday, October 11, 2007Computer Systems/Operating Systems - Class 161 Today’s class Security.
6/2/2015B.Ramamurthy1 Security B.Ramamurthy. 6/2/2015B.Ramamurthy2 Computer Security Collection of tools designed to thwart hackers Became necessary with.

6/2/2015B.Ramamurthy1 Security B.Ramamurthy. 6/2/2015B.Ramamurthy2 Computer Security Collection of tools designed to thwart hackers Became necessary with.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Note1 (Intr1) Security Problems in Computing. Overview of Computer Security2 Outline Characteristics of computer intrusions –Terminology, Types Security.

Note1 (Intr1) Security Problems in Computing. Overview of Computer Security2 Outline Characteristics of computer intrusions –Terminology, Types Security.
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
Evidor: The Evidence Collector Software using for: Software for lawyers, law firms, corporate law and IT security departments, licensed investigators,

Evidor: The Evidence Collector Software using for: Software for lawyers, law firms, corporate law and IT security departments, licensed investigators,
Lecture 1 Page 1 CS 236, Spring 2008 What Are Our Security Goals? Confidentiality –If it’s supposed to be a secret, be careful who hears it Integrity –Don’t.

Lecture 1 Page 1 CS 236, Spring 2008 What Are Our Security Goals? Confidentiality –If it’s supposed to be a secret, be careful who hears it Integrity –Don’t.
EEC 688/788 Secure and Dependable Computing Lecture 3 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC 688/788 Secure and Dependable Computing Lecture 3 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
CPE 5002 Network security. Look at the surroundings before you leap.

CPE 5002 Network security. Look at the surroundings before you leap.

Similar presentations

Ads by Google