Computer Security: Computer Security: Principles and PracticePrinciples and Practice

First EditionFirst Editionby William Stallings and Lawrie Brownby William Stallings and Lawrie Brown

Lecture slides by Lawrie BrownLecture slides by Lawrie Brown

Chapter 1 – Chapter 1 – OverviewOverview

OverviewOverview

Computer Security:Computer Security: protection afforded protection afforded to an automated information system in to an automated information system in order to attain the applicable objectives of order to attain the applicable objectives of preserving the integrity, availability and preserving the integrity, availability and confidentiality of information system confidentiality of information system resources (includes hardware, software, resources (includes hardware, software, firmware, information/data, and firmware, information/data, and telecommunications).

Key Security ConceptsKey Security Concepts

Computer Security ChallengesComputer Security Challenges1.1. not simplenot simple2.2. must consider potential attacksmust consider potential attacks3.3. procedures used counter-intuitiveprocedures used counter-intuitive4.4. involve algorithms and secret infoinvolve algorithms and secret info5.5. must decide where to deploy mechanismsmust decide where to deploy mechanisms6.6. battle of wits between attacker / adminbattle of wits between attacker / admin7.7. not perceived on benefit until failsnot perceived on benefit until fails8.8. requires regular monitoringrequires regular monitoring9.9. too often an after-thoughttoo often an after-thought10.10. regarded as impediment to using systemregarded as impediment to using system

Security TerminologySecurity Terminology

Vulnerabilities and AttacksVulnerabilities and Attacks

system resource vulnerabilities maysystem resource vulnerabilities may be corrupted (loss of integrity)be corrupted (loss of integrity) become leaky (loss of confidentiality)become leaky (loss of confidentiality) become unavailable (loss of availability)become unavailable (loss of availability)

attacks are threats carried out and may beattacks are threats carried out and may be passivepassive activeactive insiderinsider outsideroutsider

CountermeasuresCountermeasures

means used to deal with security attacksmeans used to deal with security attacks preventprevent detectdetect recoverrecover

may result in new vulnerabilitiesmay result in new vulnerabilities will have residual vulnerabilitywill have residual vulnerability goal is to minimize risk given constraintsgoal is to minimize risk given constraints

Threat ConsequencesThreat Consequences

unauthorized disclosureunauthorized disclosure exposure, interception, inference, intrusionexposure, interception, inference, intrusion

deceptiondeception masquerade, falsification, repudiationmasquerade, falsification, repudiation

disruptiondisruption incapacitation, corruption, obstructionincapacitation, corruption, obstruction

usurpationusurpation misappropriation, misusemisappropriation, misuse

Scope of Computer SecurityScope of Computer Security

Network Security AttacksNetwork Security Attacks classify as passive or activeclassify as passive or active passive attacks are eavesdroppingpassive attacks are eavesdropping

release of message contentsrelease of message contents traffic analysistraffic analysis are hard to detect so aim to preventare hard to detect so aim to prevent

active attacks modify/fake dataactive attacks modify/fake data masquerademasquerade replayreplay modificationmodification denial of servicedenial of service hard to prevent so aim to detecthard to prevent so aim to detect

Security Functional Security Functional RequirementsRequirements

technical measures:technical measures: access control; identification & authentication; system & access control; identification & authentication; system &

communication protection; system & information integritycommunication protection; system & information integrity management controls and procedures management controls and procedures

awareness & training; audit & accountability; certification, awareness & training; audit & accountability; certification, accreditation, & security assessments; contingency accreditation, & security assessments; contingency planning; maintenance; physical & environmental planning; maintenance; physical & environmental protection; planning; personnel security; risk assessment; protection; planning; personnel security; risk assessment; systems & services acquisitionsystems & services acquisition

overlapping technical and management:overlapping technical and management: configuration management; incident response; media configuration management; incident response; media

protectionprotection

X.800 Security ArchitectureX.800 Security Architecture

X.800, X.800, Security Architecture for OSISecurity Architecture for OSI systematic way of defining requirements systematic way of defining requirements

for security and characterizing approaches for security and characterizing approaches to satisfying themto satisfying them

defines:defines: security attacks - compromise security security attacks - compromise security security mechanism - act to detect, prevent, security mechanism - act to detect, prevent,

recover from attackrecover from attack security service - counter security attackssecurity service - counter security attacks

Security TaxonomySecurity Taxonomy

Security TrendsSecurity Trends

Computer Security LossesComputer Security Losses

Security Technologies UsedSecurity Technologies Used

Computer Security StrategyComputer Security Strategy specification/policyspecification/policy

what is the security scheme supposed to do?what is the security scheme supposed to do? codify in policy and procedurescodify in policy and procedures

implementation/mechanismsimplementation/mechanisms how does it do it?how does it do it? prevention, detection, response, recoveryprevention, detection, response, recovery

correctness/assurancecorrectness/assurance does it really work?does it really work? assurance, evaluationassurance, evaluation

SummarySummary

security conceptssecurity concepts terminologyterminology functional requirementsfunctional requirements security architecturesecurity architecture security trendssecurity trends security strategysecurity strategy