Lecture 1 - Intro to Computer Security
This 6 page Class Notes was uploaded by Leslie Ogu on Wednesday August 31, 2016. The Class Notes belongs to CSCI 4531 at George Washington University taught by Mohamed Tamer Abdelrahman Refaei in Fall 2016. Since its upload, it has received 38 views. For similar materials see Computer Security in Computer science at George Washington University.
Date Created: 08/31/16
Leslie Ogu
CSCI 4531
08/30/2016

Chapter 1: Overview

Computer Security: “the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources” (includes hardware, software, firmware, information/data, and telecommunications) ~ NIST Computer Security Handbook definition

The CIA Triad
● Confidentiality (trying to make sure the data can only be accessed and seen by authorized entities)
  ○ data confidentiality
  ○ privacy
● Integrity
  ○ data integrity
  ○ system integrity
● Availability (system is accessible)

Key Security Concepts
● Confidentiality
  ○ preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
● Integrity
  ○ guarding against improper information modification or destruction, including ensuring information nonrepudiation (assurance that someone cannot deny something) and authenticity
● Availability
  ○ ensuring timely and reliable access to and use of information

Computer Security Challenges
● Computer security is not as simple as it might first appear to the novice
● Attackers only need to find a single weakness; the developer needs to find all weaknesses
● Potential attacks on the security features must be considered
● Security requires regular and constant monitoring
● Security is often an afterthought to be incorporated into a system after the design is complete
● Physical and logical placement needs to be determined
● Procedures used to provide particular services are often counterintuitive

Lax security is also good business:
● Cheaper cost of deploying software
● Private information for marketing
● Selling antivirus & security products
● Cleaning up incidents
● Few benefit from secure computers

Terminology
● Adversary (threat agent): an entity that attacks, or is a threat to, a system
● Attack: an assault on system security that derives from an intelligent threat; that is, an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system
● Countermeasure: an action, device, procedure, or technique that reduces a threat, vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken
● Risk: an expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result
● Security Policy: a set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources
● Security Resource (Asset): data contained in an information system; or a service provided by a system; or a system capability, such as processing power or communication bandwidth; or an item of system equipment (i.e., a system component: hardware, firmware, software, or documentation); or a facility that houses system operations and equipment
● Threat: a potential violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability
● Vulnerability: a flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy

Asset v. Threat v. Vulnerability v. Risk
● Asset is what you are trying to protect
● Threat is what you are trying to protect against
● Vulnerability is a weakness or a gap in security
● Risk is the intersection of all three: loss or damage to an asset as a result of a threat exploiting a vulnerability

Vulnerabilities, Threats and Attacks
● Categories of vulnerabilities
  ○ Corrupted (loss of integrity)
  ○ Leaky (loss of confidentiality)
  ○ Unavailable or very slow (loss of availability)
● Threats
  ○ Capable of exploiting vulnerabilities
  ○ Represent potential security harm to an asset
● Attacks (threats carried out)
  ○ Passive: does not affect system resources
  ○ Active: attempt to alter system resources or affect their operation
  ○ Insider: initiated by an entity inside the security perimeter
  ○ Outsider: initiated from outside the perimeter

Countermeasures
● Prevention
● Detection
● Recovery
● You hear about attacks because prevention failed and there was something detected
● These are all means used to deal with security attacks
● May introduce new vulnerabilities

Threat Consequences
● Unauthorized Disclosure: a circumstance or event whereby an entity gains access to data for which the entity is not authorized
  ○ Threat Action (attack)
    ■ Exposure: sensitive data are directly released to an unauthorized entity
    ■ Interception: an unauthorized entity directly accesses sensitive data traveling between authorized sources and destinations
    ■ Inference: a threat action whereby an unauthorized entity indirectly accesses sensitive data (but not necessarily the data contained in the communication) by reasoning from characteristics or byproducts of communications
    ■ Intrusion: an unauthorized entity gains access to sensitive data by circumventing a system’s security protections
● Deception: a circumstance or event that may result in an authorized entity receiving false data and believing it to be true
  ○ Threat Action (attack)
    ■ Masquerade: an unauthorized entity gains access to a system or performs a malicious act by posing as an authorized entity
    ■ Falsification: false data deceive an authorized entity
    ■ Repudiation: an entity deceives another by falsely denying responsibility for an act
● Disruption: a circumstance or event that interrupts or prevents the correct operation of system services and functions
  ○ Threat Action (attack)
    ■ Incapacitation: prevents or interrupts system operation by disabling a system component
    ■ Corruption: undesirably alters system operation by adversely modifying system functions or data
    ■ Obstruction: a threat that interrupts delivery of system services by hindering system operation
● Usurpation: a circumstance or event that results in control of system services or functions by an unauthorized entity
  ○ Threat Action (attack)
    ■ Misappropriation: an entity assumes unauthorized logical or physical control of a system resource
    ■ Misuse: causes a system component to perform a function or service that is detrimental to system security

Passive and Active Attacks
● Passive attacks attempt to learn or make use of information from the system but do not affect system resources
  ○ eavesdropping/monitoring transmissions
  ○ difficult to detect
  ○ emphasis is on prevention rather than detection
  ○ two types:
    ■ release of message contents
    ■ traffic analysis
● Active attacks involve modification of the data stream
  ○ goal is to detect them and recover
  ○ four categories:
    ■ masquerade
    ■ replay
    ■ modification of messages
    ■ denial of service

Security Functional Requirements
● Functional areas that primarily require computer security technical measures include:
  ○ access control
  ○ identification and authentication
  ○ system and communication protection
  ○ system and information integrity
● Functional areas that primarily require management controls and procedures include:
  ○ awareness and training
  ○ audit and accountability
  ○ certification, accreditation, and security assessments
  ○ contingency planning
  ○ maintenance
  ○ physical and environmental protection
  ○ planning
  ○ personnel security
  ○ risk assessment
  ○ systems and services acquisition
● Functional areas that overlap computer security technical measures and management controls include:
  ○ configuration management
  ○ incident response

Computer Security Strategy
● Specification / Policy
  ○ What is the security scheme supposed to do?
● Implementation / Mechanisms
  ○ How does it do it?
● Correctness / Assurance
  ○ Does it really work?

Security Policy
● Def: formal statement of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources
● Factors to consider:
  ○ Value of the assets being protected
  ○ Vulnerabilities of the system
  ○ Potential threats and the likelihood of attacks
● Involves four complementary courses of action:
  ○ Ease of use versus security
  ○ Cost of security versus cost of failure and recovery

Security Implementation
● Involves four complementary courses of action:
  ○ Detection
    ■ Intrusion detection systems
    ■ Detection of denial of service attacks
  ○ Response
    ■ Upon detection, being able to halt an attack and prevent further damage
  ○ Recovery
    ■ Use of backup systems
  ○ Prevention
    ■ Secure encryption algorithms
    ■ Prevent unauthorized access to encryption keys

Assurance and Evaluation
● Assurance: the degree of confidence one has that the security measures work as intended to protect the system and the information it processes
  ○ Encompasses both system design and system implementation
● Evaluation: process of examining a computer product or system with respect to certain criteria
  ○ Involves testing and formal analytic or mathematical techniques