1 TMK 264: COMPUTER SECURITY CHAPTER ONE: AN OVERVIEW OF COMPUTER SECURITY 2 INTRODUCTION Computer security is the effort to create a secure computing platform, designed so that agents (users or programs) can only perform actions that have been allowed. This involves specifying and implementing a security policy. The actions in question can be reduced to operations of access, modification and deletion. 3 INTRODUCTION Computer security can be seen as a sub field of security engineering, which looks at broader security issues in addition to computer security. In a secure system the legitimate users of that system are still able to do what they should be able to do. While one might be able to secure a computer beyond misuse using extreme measures (locked in a vault without any means of power or communication for example), this would not be regarded as a useful secure system because of the above requirement. 4 SECURITY DEFINITION Security Value How do we protect our most valuable assets? One of the options to place them in a safe place. Characteristics of Computer Intrusion: An intruder must be expected to use any available means of penetration. The penetration may not necessarily be by the most obvious means. This principle implies and considers all possible means ofpenetration. 5 COMPUTER SECURITY PURPOSE What is Computing System? A collection of hardware, software, storage media, data and people that an organization uses to perform computing task. Security Purpose The purpose of the security is to devise ways to prevent the weaknesses from being exploited. 6 COMPUTER SECURITY GOALS Three important aspect of any computer- related system: Confidentiality Integrity Availability 7 CONFIDENTIALITY Confidentiality is sometimes called secrecy or privacy. Only authorized entities may read info. Means the property that data or information is not made available or disclosed to unauthorized persons or processes Confidentiality ensures that computer related assets are accessed only by authorized parties. 8 INTEGRITY Assets can be modified only by authorized parties or only in authorized ways. Also means different things in different contexts: Item in Integrity: Precision Accuracy - Degree of conformity of a measure to a standard or true value. Unmodified Consistency Only modified in acceptable ways by authorized entities Welke & Mayfield recognize three particular aspects of integrity: Authorized actions Separation & protection of resources Error detection & correction 9 AVAILABILITY Availability means that assets are accessible to authorized parties at appropriate times. Implies to both data and services and it is similarly complex. The property of a system or a system resource that ensures it is accessible and usable upon demand by an authorized system user. Usability Capacity to meet needs Timely access/results Fairness 10 Figure: Relationship between Confidentiality, Integrity and Availability 11 Figure: Security of Data THREAT A threat to a computing system is a set of circumstances or agents that could cause loss or harm. Each threat exploits vulnerabilities of the assets in computing system; the threats are illustrated in figure above. 12 SYSTEM SECURITY THREATS 13 THREAT Four types of threats are: Interception Some authorized party has gained access to an asset. Example: illicit copying a program or data files, or wiretapping to obtain data in a network. Interruption An asset of the system becomes lost, unavailable or unusable. Example: Malicious destruction of a hardware device, erasure of a program or data files, or malfunction of operating system. Modification An authorized party not only accesses but tampers with an asset. Example: Someone might change the values in a database, alter the program or modify the data. Fabrication Unauthorized party might create a fabrication of counterfeit objects on a computer system. Example: The intruder may insert spurious transactions to network communications system. 14 15 PROTECTING YOUR PRIVACY Privacy advocates agree that the key lies in giving citizens the right to be informed when personal information is being collected as well as the right to refuse to provide this information. In the European Union (EU): Consumer must be informed exactly what information is being collected and how it will be used. Consumer must be allowed to choose whether they want to divulge the requested information and how collected information will be used. Consumer must be allowed to request that information about themselves be removed from marketing and other databases 16 COMPUTER CRIMINALS Some computer criminals are mean and sinister types. But many more wear business suit, have university degrees and appear to be pillars of their communities. Computer Crime is any crime involving a computer or aided by the use of one. It allows us to consider ways to protect ourselves, our business and our communities against those who use computer. Cybercriminals are individuals who use computers, networks and the Internet to perpetrate crime. Anyone with a computer and the wherewithal to arm themselves with the appropriate knowledge can be cybercriminal. 17 COMPUTER CRIMINALS HACKERS Person who gains access to computer systems illegally, usually from a personal computer. We can differentiate the hackers into three groups: White Hat Black Hat Grey Hat 18 White Hat Hackers Upon finding vulnerability in a system, will report the vulnerability to the vendor of that system. For example: if they discover some flaw in Red Hat Linux, they would thenthe Red Hat company and explain exactly what the flaw is and how it was exploited. 19 Black Hat Hackers The people normally depicted in the media. Once they gain access to a system, their goal is to cause some type of harm. Sometimes are referred to as crackers. Example: stealing data, erase file or deface Web sites. 20 Gray Hat Hackers Typically law-abiding citizens, but in some cases will venture into illegal activities. They may do so for a wide variety of reasons. Example: hacking into a system belonging to a corporation that the hackers feels is engaged in unethical activities. 21 22 METHOD OF DEFENSE Harm occurs when a threat is realized against vulnerability. To protect against harm, then, we can neutralize the threat, close the vulnerability, or both. Ways to deal with harm: Prevent it. Deter it. Deflect it. Detect it. Recover from its effects. 23 METHOD OF DEFENSE Generally, method of defense can be grouped into fivemethod: Controls Encryption Software Control Hardware Control Policies and Procedures 24 EFFECTIVENESS OF CONTROLS A control is an action, device, procedure or technique that removes or reduces vulnerability. Several aspect that can enhance the effectiveness of controls: Awareness of Problem Many user unaware of the need of security. Likehood of Use The lock on a computer room door does no good if people block the door open. Refer to the article below: 25 EFFECTIVENESS OF CONTROLS Overlapping Controls Several different controls may apply to address a single vulnerability. For example, we may choose to implement security for a microcomputer application by using a combination of controls on program access to the data, on physical access to the microcomputer and storage media, and even by file locking to control access to the processing programs. Periodic Review Article above reports on periodic review of computer security. 26 27 28 Security Concept & Term Exposure - form of loss. Vulnerability is a weakness that may be exploited for loss in the security system. Hardware vulnerabilities User can see what devices are hooked to the system. It is rather simple to attack by adding devices, changing them, intercepting the traffic. Computer can be attacked physically (spilled soft drink, burned, etc). Software vulnerabilities. Software can be replaced, changed, destroyed, modified and deleted. Example: Virus attack and software theft. Data Vulnerabilities. The general public however can readily interpret data. Data attack is a more widespread and serious problem than either 29 WHY IS COMPUTER SECURITY NECESSARY? Because a lot of money is handled by computers. Because a lot of important information is stored on and handled by computers. Would you want anyone to find your credit history, medical history? Because society is increasingly dependent on the correct information of computers. 30 CONCLUSION Please take note the following terms: Security Value Security Purpose Security Goals Threat Computer Criminals Method of Defense Computer Security Controls