Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chap1: Is there a Security Problem in Computing?.

Published byBennett Phelps Modified over 9 years ago

Similar presentations

Presentation on theme: "Chap1: Is there a Security Problem in Computing?."— Presentation transcript:

1 Chap1: Is there a Security Problem in Computing?

2 The risks involved in computing The goals of secure computing: confidentiality, integrity, availability The threats to security in computing: interception, interruption, modification, fabrication SE571 Security in Computing Dr. Ogara 2

3 Controls available to address these threats: encryption, programming controls, operating systems, network controls, administrative controls, law, and ethics SE571 Security in Computing Dr. Ogara 3

4  351 Security practitioners responded  More attacks on Web applications  Virtualization and cloud computing make security more complex  Software is main culprit in breaches  Outsourcing security fell  IT budget trimmed NOT security SE571 Security in Computing Dr. Ogara 4

5 5

6 6

7  Computing System collection of hardware, software, storage media, data, and people that an organization uses to perform computing tasks. components: hardware, software, and data. SE571 Security in Computing Dr. Ogara 7

8  Vulnerability weakness in the security system Example, weaknesses in procedures, design, or implementation, that might be exploited to cause loss or harm. Figure 1.1 – Crack on the wall is a vulnerability SE571 Security in Computing Dr. Ogara 8

9  A threat A set of circumstances that has the potential to cause loss or harm. Human initiated e.g. human errors, attacks, denial of service Computer initiated e.g. natural disaster such as Katrina Figure1.1 – getting hurt or drowning SE571 Security in Computing Dr. Ogara 9

10  Control Protective measure against vulnerabilities and threats Action, device, procedure, or technique that removes or reduces a vulnerability A threat is blocked by control of a vulnerability. SE571 Security in Computing Dr. Ogara 10

11 Figure 1-1 Threats, Controls, and Vulnerabilities. SE571 Security in Computing Dr. Ogara 11

12  Interception Unauthorized party gains access to an asset The outside party can be a person, a program, or a computing system. Examples, illicit copying of program or data files, or wiretapping to obtain data in a network SE571 Security in Computing Dr. Ogara 12

13  Interruption An asset of the system becomes lost, unavailable, or unusable. Examples, malicious destruction of a hardware device, erasure/deletion of a program or data file, and denial of service attack SE571 Security in Computing Dr. Ogara 13

14  Modification Unauthorized party not only accesses but tampers with an asset. Example, change the values in a database, alter a program so that it performs an additional computation, or modify data being transmitted electronically (email). SE571 Security in Computing Dr. Ogara 14

15  Fabrication intruder may insert bogus transactions to a network communication system or add records to an existing database, create user accounts SE571 Security in Computing Dr. Ogara 15

16 Figure 1-2 System Security Threats. SE571 Security in Computing Dr. Ogara 16

17  Computer security addresses three important aspects/goals of any computer-related system (CIA): Confidentiality - Ensures that computer- related assets are accessed only by authorized parties Integrity - assets can be modified only by authorized parties or only in authorized ways Availability - assets are accessible to authorized parties at appropriate times SE571 Security in Computing Dr. Ogara 17

18  Confidentiality Also called secrecy or privacy Ensures that computer-related assets are accessed only by authorized parties (people or systems) Control  encryption, access control lists, physical security SE571 Security in Computing Dr. Ogara 18

19  Integrity Means that assets can be modified only by authorized parties or only in authorized ways. Examples; writing, changing and deleting Control  digital signatures, hashing, code review to detect covert channels SE571 Security in Computing Dr. Ogara 19

20  Availability Means that assets are accessible to authorized parties at appropriate times Applies both to data and to services (information and to information processing) Opposite of denial of service SE571 Security in Computing Dr. Ogara 20

21  Availability Meaning of availability  It is present in a usable form. It has enough capacity to meet the service’s needs Control  RAID, redundant components (power supply, fan), server clusters SE571 Security in Computing Dr. Ogara 21

22 Figure 1-3 Relationship Between Confidentiality, Integrity, and Availability. SE571 Security in Computing Dr. Ogara 22

23  Apply to all three broad categories of system resources (Figure 1-4) Hardware  Theft  Destruction  Flooding SE571 Security in Computing Dr. Ogara 23

24 Software (operating system, controllers, utility programs, and application programs)  Deletion  Alteration  Modification  Example, Trojan horse, virus, trapdoor, and information leaks in a program  Theft SE571 Security in Computing Dr. Ogara 24

25 Data  Data attack is a more widespread and serious problem than either a hardware or software attack  Data items have greater public value than hardware and software because more people know how to use or interpret data SE571 Security in Computing Dr. Ogara 25

26 Figure 1-4 Vulnerabilities of Computing Systems. SE571 Security in Computing Dr. Ogara 26

27  Other Exposed Assets  Networks  Access  Intruder steals computer time but no attack  Destroy software or data  Deny service to legitimate users  Key People  Disgruntled employee may cause damage SE571 Security in Computing Dr. Ogara 27

28  Amateurs  Crackers or Malicious Hackers  Career Criminals organized crime and international groups engaged in computer crime  Terrorists denial-of-service attacks and web site defacements are popular SE571 Security in Computing Dr. Ogara 28

29  Used to preserve  Confidentiality  Integrity  Availability  May prevent or mitigate attacks  May inform us that security is compromised  May detect a breach as it happens/after it occurs SE571 Security in Computing Dr. Ogara 29

30  Encryption Scrambles data so that interpretation is meaningless Unscrambled state, called cleartext Transformed data are called enciphered text or ciphertext May nullify modification or fabrication Important for integrity and confidentiality of data SE571 Security in Computing Dr. Ogara 30

31 Figure 1-6 Multiple Controls. SE571 Security in Computing Dr. Ogara 31

32  Hardware control hardware or smart card implementations of encryption locks or cables limiting access or deterring theft devices to verify users’ identities firewalls intrusion detection systems circuit boards that control access to storage media SE571 Security in Computing Dr. Ogara 32

33  Policies and Procedures among users Frequent changes of passwords Training and administration Ethical and legal issues SE571 Security in Computing Dr. Ogara 33

34  Physical Controls locks on doors guards at entry points backup copies of important software and data physical site planning that reduces the risk of natural disasters SE571 Security in Computing Dr. Ogara 34

35  Awareness of Problem Understand importance of security  Likelihood of Use Controls must be used  Overlapping Controls Use combination of controls /layered defense  Periodic Review SE571 Security in Computing Dr. Ogara 35

Download ppt "Chap1: Is there a Security Problem in Computing?."

Similar presentations

Chapter 1 - 1 ADCS CS262/0898/V1 Chapter 1 An Introduction To Computer Security TOPICS Introduction Threats to Computer Systems –Threats, Vulnerabilities.

Chapter ADCS CS262/0898/V1 Chapter 1 An Introduction To Computer Security TOPICS Introduction Threats to Computer Systems –Threats, Vulnerabilities.
Advanced Networks and Computer Security Curt Carver & Jeff Humphries © 1999 Texas A&M University.

Advanced Networks and Computer Security Curt Carver & Jeff Humphries © 1999 Texas A&M University.
1 MIS 2000 Class 22 System Security Update: Winter 2015.

1 MIS 2000 Class 22 System Security Update: Winter 2015.
Crime and Security in the Networked Economy Part 4.

Crime and Security in the Networked Economy Part 4.
Information System protection and Security. Need for Information System Security §With the invent of computers and telecommunication systems, organizations.

Information System protection and Security. Need for Information System Security §With the invent of computers and telecommunication systems, organizations.
The University of Adelaide, School of Computer Science

The University of Adelaide, School of Computer Science
Introduction to Security in Computing 01204427 Computer and Network Security Semester 1, 2011 Lecture #01.

Introduction to Security in Computing Computer and Network Security Semester 1, 2011 Lecture #01.
Is There a Security Problem in Computing? Network Security / G. Steffen1.

Is There a Security Problem in Computing? Network Security / G. Steffen1.
Cryptography and Network Security Chapter 1

Cryptography and Network Security Chapter 1
E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.

E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.
11 ASSESSING THE NEED FOR SECURITY Chapter 1. Chapter 1: Assessing the Need for Security2 ASSESSING THE NEED FOR SECURITY  Security design concepts 

11 ASSESSING THE NEED FOR SECURITY Chapter 1. Chapter 1: Assessing the Need for Security2 ASSESSING THE NEED FOR SECURITY  Security design concepts 
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 3 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 3 Wenbing Zhao Department of Electrical and Computer Engineering.
EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
CSA 223 network and web security Chapter one

CSA 223 network and web security Chapter one
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
Note1 (Intr1) Security Problems in Computing. Overview of Computer Security2 Outline Characteristics of computer intrusions –Terminology, Types Security.

Note1 (Intr1) Security Problems in Computing. Overview of Computer Security2 Outline Characteristics of computer intrusions –Terminology, Types Security.
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

Similar presentations

Ads by Google