2. CPSC 6126 Computer Security Information Assurance

3. Is there a Security Problem in Computing?  Risks involved in computing  Goals of secure computing: confidentiality, integrity, availability  Threats to security in computing: interception, interruption, modification, fabrication  Controls: encryption, programming controls, operating systems, network controls, administrative controls, law, ethics

4. What does “Secure” mean?  Protecting computer-related assets  Information Systems H’wareH’ware S’wareS’ware DataData People (& procedures)People (& procedures)  Computer Security  Information Assurance

5. What does “Secure” mean?  Control Risk of Computer Security Learn about threats to computer securityLearn about threats to computer security Understand what causes these threats by studying how vulnerabilities arise in the development and use of computer systems.Understand what causes these threats by studying how vulnerabilities arise in the development and use of computer systems. Survey controls that can reduce or block these threats.Survey controls that can reduce or block these threats. Develop computing style that balances security and risk.Develop computing style that balances security and risk.  Principle of Easiest Penetration “An intruder must be expected to use any available means of penetration. The penetration may not necessarily be by the most obvious means, nor is it necessarily the one against which the most solid defense has been installed.”“An intruder must be expected to use any available means of penetration. The penetration may not necessarily be by the most obvious means, nor is it necessarily the one against which the most solid defense has been installed.”

6. 1.2 Attacks (threats, vulnerabilities and controls)  Vulnerability – weakness in the security system that might be exploited to cause loss or harm.  Threat – set of circumstances that has the potential to cause loss or harm.  Control – protective measure that removes or reduces the vulnerability  A threat is blocked by control of a vulnerability

7. 1.2 Attacks (threats, vulnerabilities and controls)  Threats Interception : unauthorized party has gained access to an assetInterception : unauthorized party has gained access to an asset Interruption : asset becomes lost, unavailable, or unusableInterruption : asset becomes lost, unavailable, or unusable Modification : asset is tampered withModification : asset is tampered with Fabrication : counterfeit objects are added to the assetFabrication : counterfeit objects are added to the asset

8. 1.2 Attacks (method, opportunity, and motive)  Method – the skills, knowledge, tools, and other things with which to be able to pull off the attack  Opportunity – the time and access to accomplish the attack  Motive – a reason to want to perform this attack against this system

9. 1.3 The Meaning of Computer Security  Security Goals Confidentiality (secrecy, privacy) : ensure that assets are accessed only by authorized parties.Confidentiality (secrecy, privacy) : ensure that assets are accessed only by authorized parties. Integrity : assets can be modified only by authorized parties in authorized ways.Integrity : assets can be modified only by authorized parties in authorized ways. Availability : assets are accessible to authorized parties at appropriate times (opposite of denial of service)Availability : assets are accessible to authorized parties at appropriate times (opposite of denial of service)

10. 1.3 The Meaning of Computer Security  Vulnerabilities HardwareHardware  Interruption (denial of service), modification, interception (theft), fabrication (substitution) SoftwareSoftware  Interruption (deletion), modification, interception (theft), fabrication DataData  Interruption (loss), modification, interception, fabrication  Principle of Adequate Protection: Computer items must be protected only until they lose their value. They must be protected to a degree consistent with their value.

11. 1.3 The Meaning of Computer Security  Other Exposed Assets NetworksNetworks AccessAccess Key PeopleKey People

12. 1.4 Computer Criminals  Computer Crime – any crime involving a computer or aided by the use of one  Amateurs  Crackers (NOT hackers)  Career Criminals

13. 1.5 Methods of Defense  Harm occurs when a threat is realized against a vulnerability  Need to neutralize the threat or close the vulnerability Prevent it by blocking the attack or closing the vulnerabilityPrevent it by blocking the attack or closing the vulnerability Deter it by making the the attack harderDeter it by making the the attack harder Deflect it by making this target less attractiveDeflect it by making this target less attractive Detect it (as it happens or after the fact)Detect it (as it happens or after the fact) Recover from its effectsRecover from its effects

14. 1.5 Methods of Defense  Controls  Multi-pronged approach  Encryption  Software controls (internal program controls, independent control programs, operating systems and network system controls, development controls)  Hardware controls  Policies and Procedures  Physical controls

15. 1.5 Methods of Defense  Effectiveness of Controls Awareness of problemAwareness of problem Likelihood of UseLikelihood of Use  Principle of Effectiveness – Controls must be used-and used properly- to be effective. They must be efficient, easy to use, and appropriate. Overlapping controlsOverlapping controls Periodic ReviewPeriodic Review  Principle of Weakest Link – Security can be no stronger than its weakest link.