cis326week1lesson1
TRANSCRIPT
1
Computer Security
CIS326
Dr Rachel Shipsey
2
This course will cover the following topics:
• passwords
• access controls
• symmetric and asymmetric encryption
• confidentiality
• authentication and certification
• security for electronic mail
• key management
3
The following books are recommended as additional reading to the CIS326 study guide
• Computer Security by Dieter Gollman• Secrets and Lies by Bruce Schneier• Security in Computing by Charles Pfleeger• Network Security Essentials by William Stallings• Cryptography - A Very Short Introduction by Fred
Piper and Sean Murphy• Practical Cryptography by Niels Ferguson and
Bruce Schneier
4
There are also many websites dealing with the subjects discussed in this course.
For example, the following website provides links to a large number of sites who have security and cryptography course on-line:
http://avirubin.com/courses.html
5
What is Security? Security is the protection of assets. The
three main aspects are:
• prevention
• detection
• re-action
6
Some differences between traditional security and information security
• Information can be stolen - but you still have it
• Confidential information may be copied and sold - but the theft might not be detected
• The criminals may be on the other side of the world
7
Computer Security deals with the prevention and detection of unauthorised actions by users of a computer system.
8
There is no single definition of security
What features should a computer security system provide?
9
Confidentiality
• The prevention of unauthorised disclosure of information.
• Confidentiality is keeping information secret or private.
• Confidentiality might be important for military, business or personal reasons.
10
Integrity
• Integrity is the unauthorised writing or modification of information.
• Integrity means that there is an external consistency in the system - everything is as it is expected to be.
• Data integrity means that the data stored on a computer is the same as the source documents.
11
Availability
• Information should be accessible and useable upon appropriate demand by an authorised user.
• Availability is the prevention of unauthorised withholding of information.
• Denial of service attacks are a common form of attack.
12
Non-repudiation
• Non-repudiation is the prevention of either the sender or the receiver denying a transmitted message.
• A system must be able to prove that certain messages were sent and received.
• Non-repudiation is often implemented by using digital signatures.
13
Authentication
• Proving that you are who you say you are, where you say you are, at the time you say it is.
• Authentication may be obtained by the provision of a password or a scan of your retina.
14
Access Controls
• The limitation and control of access through identification and authentication.
• A system needs to be able to indentify and authenticate users for access to data, applications and hardware.
• In a large system there may be a complex structure determining which users and applications have access to which objects.
15
Accountability
• The system managers are accountable to scrutiny from outside.
• Audit trails must be selectively kept and protected so that actions affecting security can be traced back to the responsible party
16
Security systems
• A security system is not just a computer package. It also requires security conscious personnel who respect the procedures and their role in the system.
• Conversely, a good security system should not rely on personnel having security expertise.
17
Risk Analysis
• The disadvantages of a security system are that they are time-consuming, costly, often clumsy, and impede management and smooth running of the organisation.
• Risk analysis is the study of the cost of a particular system against the benefits of the system.
18
Designing a Security SystemThere are a number of design considerations:• Does the system focus on the data, operations or the users
of the system?
• What level should the security system operate from? Should it be at the level of hardware, operating system or applications package?
• Should it be simple or sophisticated?• In a distributed system, should the security be centralised
or spread?• How do you secure the levels below the level of the
security system?
19
Security Models
A security model is a means for formally expressing the rules of the security policy in an abstract detached way.
The model should be:• easy to comprehend• without ambiguities• possible to implement• a reflection of the policies of the organisation.
20
SummaryBy now you should have some idea about
• Why we need computer security (prevention, detection and re-action)
• What a computer security system does (confidentiality, integrity, availability, non-repudiation, authentication, access control, accountability)
• What computer security exerts do (design, implement and evaluate security systems)