advanced networks and computer security curt carver & jeff humphries © 1999 texas a&m...
TRANSCRIPT
Advanced Networks and Computer Security
Curt Carver & Jeff Humphries © 1999
Texas A&M University
Course Overview
Lesson Objectives• Read and understand the course syllabus• Summarize the CIA security model• Recall some basic security mechanisms• Express the fundamental security principles• Learn the importance of computer security
Read and Understand the Course Syllabus http://www.cs.tamu.edu/faculty/pooch/
course/CPSC665/Spring2001/index.html
Summarize the CIA Security Model
Computer Security – Definition
What is computer security?– Protection of an organization’s assets from
accidental or intentional disclosure, modification, destruction, or use
– Alternately, it is the combination of administrative procedures, physical security measures, and systems security measures that are intended to protect computer assets
CIA Model of Security
Computer security consists of maintaining three primary characteristics:– Confidentiality– Integrity– Availability
CIA Model Definitions - Confidentiality Confidentiality means that the information
in a computer system (or in transit between systems) is accessible only by authorized parties.
Authorized access includes printing, displaying, reading, or knowledge that information even exists.
CIA Model Definitions - Integrity Integrity means that information can only
be modified by authorized parties or in authorized ways.
Modification includes writing, changing, deleting, creating, delaying, or replaying information.
CIA Model Definitions - Availability Availability means that information is
accessible to authorized parties when needed.
An authorized party should not be prevented from accessing information to which they have legitimate access.
Denial of service is the opposite of availability.
CIA Model Illustrated
The 3 goals of confidentiality, integrity, and availability often overlap and can also conflict with one another. For example, strong confidentiality can severely limit availability.
Confidentiality Integrity
Availability
CIA Illustration 1
Consider the following:– User A transmits a file containing sensitive information
to User B. User C, who is not authorized to read this file, is able to monitor the transmission of the file and obtain a copy. This is called an interception and is an attack on confidentiality.
User A User B
User C
CIA Illustration 2
Consider the following:– User B has requested information that he is authorized
to have from User A. User C has disabled some component of the network which prevents information flow. This is called an interruption and is an attack on availability. It is also called a denial of service attack.
User A User B
User C
CIA Illustration 3
Consider the following:– User A transmits a file containing sensitive information
to User B. User C, who is not authorized to read this file, gains access to the file during transmission, captures it, modifies it, and sends it on the User B. This is called a modification and is an attack on integrity.User A User B
User C
Recall Some Basic Security Mechanisms
Controls
Various controls and countermeasures have been developed to strengthen system security– Cryptography
– Software controls
– Hardware controls
– Physical controls
– Policies
Controls - Cryptography
Cryptography is an important tool that can enhance system security by providing:– Confidentiality, in that it prevents unauthorized parties
from reading protected information
– Integrity, because information that cannot be read cannot be easily altered in a useful way
Cryptography will be covered thoroughly in future lessons.
Controls – Software Controls
Programs themselves must be robust and secure from outside attack. Some examples where program controls are especially important are:– Operating system software
– Software development tools
– Access control software
Controls - Hardware
Hardware devices can help support system security. Some examples include:– Smart cards
– Secure circuit boards
– Removable media
Controls - Physical
Physical controls used to bolster computer security include many of the same controls used to secure other facilities, such as banks and government buildings:– Door locks
– Backups
– Sentries
– Alarms
– Shredders
Controls - Policies
Policies aim to describe how an organization will posture itself with regard to security:– User awareness & training– What to audit and when– Etc.
Express the Fundamental Security Principles
Basic Security Principles In order to design effective security mechanisms
we will refer to some general security principles. For example:1. Principle of least privilege : Give a user or process only
those privileges needed to perform task at hand -- no more, no less.
2. Minimize the amount of trusted components : Identify what components of the system need to be trusted and aim to keep those small and simple.
3. Do not aim for perfection : Total security is basically impossible. Instead be prepared to detect problems, to design countermeasures and to recover from attacks.
Learn the Importance of Computer Security
Course Overview Glossary
Availability Computer security Confidentiality Denial of service
Integrity Interception Interruption Modification
References Pfleeger, Charles, Security in Computing, 2nd Ed., 1997,
Prentice-Hall. Stallings, William, Network and Internetwork Security:
Principles and Practice, 1995, Prentice-Hall.