2. Previously …
• Computer security - protection of information related assets:
– Data
– Hardware
– Software
– People
– Intangible assets
• Information security requirements:
– Confidentiality
– Integrity
– Availability
Computer Security Management
Page 2
3. Definitions
• Harm
– Something happens to an asset that we do not want to happen
• Threat
– Possible source of harm
• Attack
– Threatening event (instance of a threat)
• Attacker
– Someone or something that mounts a threat
• Vulnerability
– Weakness in the system (asset) that makes an attack more likely to succeed
• Risk
– Possibility that a threat will affect the business or organisation
4. Harm and threats
• Six basic types of harm:
– Modification
– Destruction
– Disclosure
– Interception
– Interruption
– Fabrication
• A threat is a possible source of harm
• Example: a virus formats the hard disk of a computer
• Threats exploit vulnerabilities of systems
5. Vulnerabilities
• Weaknesses in a system
• Might arise from:
– Poor design
– Poor implementation
– Technological advances
• Examples:
– Password management flaws
– Fundamental operating system design flaws
– Software bugs
– Unchecked user input
– Social engineering
– Etc.
7. Today ...
• Protection against harm
• Methods of defence (countermeasures)
8. Defence
• Protection against harm:
– Prevent it by blocking attack or closing vulnerabilities
– Deter it by making the attack harder (but not impossible!)
– Deflect it by making another target more attractive
– Detect it either as it happens or some time after
– Recover from effects
– Using any combination of the above
• Methods of defence
– Software controls
– Encryption
– Physical and hardware controls
9. Software
• Software provides functionality in an information processing system
– Weak link in the security chain
• Three aspects:
– Operating systems
– Applications
– Software development process
• Each of these needs to be controlled
10. Operating system controls
• Limitations need to be built into OSs to
– Protect system against unauthorised users
– Protect each user from other users
– Protect OS (from users)
• Access control
– Authentication
– Authorisation
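The two access-control steps on this slide, as an added example that is not part of the original slides: authentication checks a salted PBKDF2 password hash, then authorisation checks a default-deny access control list. The user names, passwords, paths and the functions authenticate, authorise and access are hypothetical, constructed for illustration.

```python
import hashlib
import hmac
import os

def _hash(password, salt):
    # Slow, salted hash so stored credentials resist offline guessing.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password):
    salt = os.urandom(16)
    return salt, _hash(password, salt)

# Constructed sample data: users and passwords are hypothetical.
USERS = {"alice": make_user("correct horse"), "bob": make_user("battery staple")}

# Access control list: object -> {subject: permitted operations}.
ACL = {
    "/home/alice/notes.txt": {"alice": {"read", "write"}},
    "/home/bob/todo.txt": {"bob": {"read", "write"}},
    "/etc/os.conf": {"alice": {"read"}, "bob": {"read"}},  # OS file: read-only
}

def authenticate(user, password):
    """Authentication: is the caller who they claim to be?"""
    # Unknown users still cost one hash, and the comparison is constant-time.
    salt, stored = USERS.get(user, (b"\0" * 16, b""))
    return hmac.compare_digest(_hash(password, salt), stored)

def authorise(user, obj, op):
    """Authorisation: default deny unless the ACL grants the operation."""
    return op in ACL.get(obj, {}).get(user, set())

def access(user, password, obj, op):
    """Reference monitor: every request passes both checks, in order."""
    if not authenticate(user, password):
        return "denied: authentication failed"
    if not authorise(user, obj, op):
        return "denied: not authorised"
    return "granted"

if __name__ == "__main__":
    # One request per protection goal on the slide, then a legitimate one.
    print(access("mallory", "guess", "/etc/os.conf", "read"))
    print(access("alice", "correct horse", "/home/bob/todo.txt", "read"))
    print(access("bob", "battery staple", "/etc/os.conf", "write"))
    print(access("alice", "correct horse", "/home/alice/notes.txt", "write"))
```
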
11. Application controls
• Internal to software applications
• Limit access to
– Program
– Data
• Might check on computing environment
12. Software development controls
• Aim: preventing vulnerabilities in the software
• Using quality standards
– ISO 9001
– Capability Maturity Model (CMM)
– Etc.
• Using established development methodologies
– V model
– Appropriate and Effective Guidance for Information Security (AEGIS)
– Security Development Lifecycle (SDL)
– Etc.
• Use appropriate languages, libraries, architectures and patterns
• Sophisticated testing, coding, and maintenance
13. Encryption
• Transforming data (plain text) in a way so that it becomes
meaningless for an observer (cipher text)
• Done by using an encryption algorithm (cipher)
• Encryption based on a key or pass phrase
• Can be used to
– Scramble messages
– Scramble databases
• If a legitimate user wants to read the data (cipher text), it needs to be
transformed back into plain text
• Only the person doing the scrambling (and possibly another person
receiving the message) can decrypt it, because the original
encryption was done on an agreed set of keys
14. Physical and hardware controls
• Physical controls
– Locks on doors
– Guards at entry points
– Physical site planning
– Limited emissions (e.g. CRT radiation, power analysis, etc.)
– Etc.
• Hardware controls
– Hardware encryption systems
– Locks or cables limiting access (or deterring from theft)
– Devices to verify user’s identity
– Firewalls
– Intrusion detection systems
– Trusted computer platform
– Etc.
15. Summary
Today we learned:
• Protection against harm
• Using countermeasures (controls)
– Software controls
– Encryption
– Physical and hardware controls