Advanced Networks and Computer Security

Curt Carver & Jeff Humphries © 1999

Texas A&M University

Course Overview

Lesson Objectives• Read and understand the course syllabus• Summarize the CIA security model• Recall some basic security mechanisms• Express the fundamental security principles• Learn the importance of computer security

Read and Understand the Course Syllabus http://www.cs.tamu.edu/faculty/pooch/

course/CPSC665/Spring2001/index.html

Summarize the CIA Security Model

Computer Security – Definition

What is computer security?– Protection of an organization’s assets from

accidental or intentional disclosure, modification, destruction, or use

– Alternately, it is the combination of administrative procedures, physical security measures, and systems security measures that are intended to protect computer assets

CIA Model of Security

Computer security consists of maintaining three primary characteristics:– Confidentiality– Integrity– Availability

CIA Model Definitions - Confidentiality Confidentiality means that the information

in a computer system (or in transit between systems) is accessible only by authorized parties.

Authorized access includes printing, displaying, reading, or knowledge that information even exists.

CIA Model Definitions - Integrity Integrity means that information can only

be modified by authorized parties or in authorized ways.

Modification includes writing, changing, deleting, creating, delaying, or replaying information.

CIA Model Definitions - Availability Availability means that information is

accessible to authorized parties when needed.

An authorized party should not be prevented from accessing information to which they have legitimate access.

Denial of service is the opposite of availability.

CIA Model Illustrated

The 3 goals of confidentiality, integrity, and availability often overlap and can also conflict with one another. For example, strong confidentiality can severely limit availability.

Confidentiality Integrity

Availability

CIA Illustration 1

Consider the following:– User A transmits a file containing sensitive information

to User B. User C, who is not authorized to read this file, is able to monitor the transmission of the file and obtain a copy. This is called an interception and is an attack on confidentiality.

User A User B

User C

CIA Illustration 2

Consider the following:– User B has requested information that he is authorized

to have from User A. User C has disabled some component of the network which prevents information flow. This is called an interruption and is an attack on availability. It is also called a denial of service attack.

User A User B

User C

CIA Illustration 3

Consider the following:– User A transmits a file containing sensitive information

to User B. User C, who is not authorized to read this file, gains access to the file during transmission, captures it, modifies it, and sends it on the User B. This is called a modification and is an attack on integrity.User A User B

User C

Recall Some Basic Security Mechanisms

Controls

Various controls and countermeasures have been developed to strengthen system security– Cryptography

– Software controls

– Hardware controls

– Physical controls

– Policies

Controls - Cryptography

Cryptography is an important tool that can enhance system security by providing:– Confidentiality, in that it prevents unauthorized parties

from reading protected information

– Integrity, because information that cannot be read cannot be easily altered in a useful way

Cryptography will be covered thoroughly in future lessons.

Controls – Software Controls

Programs themselves must be robust and secure from outside attack. Some examples where program controls are especially important are:– Operating system software

– Software development tools

– Access control software

Controls - Hardware

Hardware devices can help support system security. Some examples include:– Smart cards

– Secure circuit boards

– Removable media

Controls - Physical

Physical controls used to bolster computer security include many of the same controls used to secure other facilities, such as banks and government buildings:– Door locks

– Backups

– Sentries

– Alarms

– Shredders

Controls - Policies

Policies aim to describe how an organization will posture itself with regard to security:– User awareness & training– What to audit and when– Etc.

Express the Fundamental Security Principles

Basic Security Principles In order to design effective security mechanisms

we will refer to some general security principles. For example:1. Principle of least privilege : Give a user or process only

those privileges needed to perform task at hand -- no more, no less.

2. Minimize the amount of trusted components : Identify what components of the system need to be trusted and aim to keep those small and simple.

3. Do not aim for perfection : Total security is basically impossible. Instead be prepared to detect problems, to design countermeasures and to recover from attacks.

Learn the Importance of Computer Security

Course Overview Glossary

Availability Computer security Confidentiality Denial of service

Integrity Interception Interruption Modification

References Pfleeger, Charles, Security in Computing, 2nd Ed., 1997,

Prentice-Hall. Stallings, William, Network and Internetwork Security:

Principles and Practice, 1995, Prentice-Hall.