Computer Security- An Introduction-

T.A 2013/2014

Wake Up Call!

• Malware hijacks your email, sends death threats. Found in Japan (Oct 2012)

• Standford University Recent Network Hack May Cost Them Millions.– Its network had been hacked for the 2nd time in three months. (August

2013)

• Three Georgia Tech Hackers have disclosed how to hack iPhones and iPad with malwer in under sixty seconds using a “malicious charger”. (August 2013).

“If you know your enemy and know your self, you need not fear the result of a hundred battles”

(art of war by Sun Tzu)

Why Computer Security?• If your personnel do not know or understand how to maintain

confidentiality of information, • or how to secure it appropriately, not only do you risk having one of

your most valuable business assets (information) mishandled, inappropriately used, or obtained by unauthorized persons, • but you also risk being in non-compliance of a growing number of

laws and regulations that require certain types of information security and privacy awareness and training activities. • You also risk damaging another valuable asset, corporate

reputation.

(Rebecca Herold, "Managing an Information Security and Privacy Awareness and Training Program" 2005)

Definition

NIST Computer security handbook : Computer security : the protection afforded

to an automated information system in order to attain the application of preserving the integrity, availability, and confidentiality of incoming system resources (includes hardware, software, firmware, information/data, and telecommunications)

Key Security Concepts

Secure System

Aspect of Computer Security• Confidentiality– The protection of data from unauthorized disclosure.

• Availability– protects a system to ensure its availability

• Integrity– The assurance that data received are exactly as sent

by an authorized entity (i.e., contain no modification, insertion, deletion, or replay).

Aspect of Computer Security

• Authentication– The assurance that the communicating entity is the one

that it claims to be

• Access control– The prevention of unauthorized use of a resource

• Non-repudiation– Provides protection against denial by one of the entities

involved in a communication of having participated in all or part of the communication.

The Scope of Computer Security

Computer Security Challenges1. not simple2. must consider potential attacks (on mechanisms)3. procedures used counter-intuitive4. involve algorithms and secret info5. must decide where to deploy mechanisms6. battle of wits between attacker / admin7. not perceived (appreciated) on benefit until fails8. requires regular monitoring9. too often an after-thought10. regarded as impediment to using system

The Threat• Interruption• Interception• Modification• Fabrication

The Damage

Implementation of Security Technology

Security Taxonomy

The Strategy

• Policy : what is the security scheme supposed to do?– Value from protected asset– System Vulnerability– Potential treat

• Implementation : How does it to do?– Preventing– Detection– Responding– Recovery

• Assurance and evaluation : Does it really work?

Summary• security concepts• Terminology• The threat• The damage• security taxonomy• security strategy

end