Computer Security

The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications)

C.I.A.
Confidentiality-prevent unauthorized disclosure (Threat: unauthorized access)

Integrity-ensure accuracy and authenticity (Threat: altered,

deleted, or added data) Availability-ensure that information and systems are there when

we need them
(Threat: Denial of service)

Other Concerns
Liability: someone can use our computers to do bad things that leave us with the liability Reputation: security issues can make us look bad, affecting parental trust, recruiting Legal: a growing body of law requires that we do certain things to secure our systems (FERPA, HIPAA)

Financial: security issues cost money, directly or indirectly

Traceability, auditability: bad things happen, and you need to find out what and why (and sometimes who)

Why Internet is Different?

Paper-Based Commerce Signed paper Documents
Person-to-person Physical Payment System Merchant-customer Face-to-face

Electronic Commerce Digital Signature

Electronic via Website Electronic Payment System Face-to-face Absence

Easy Detectability of modification Difficult Detectability

Easy Negotiability

Special Security Protocol

Did You Know?

In 1980 a computer cracked a 3-character password within one minute.

In 1999 a team of computers cracked a 56-character password within one day.

In 2004 a computer virus infected 1 million computers within one hour. Today ?????

Introduction to Security Risks

Hackers and crackers

The Internet: open

$$

virus

Your network: data!

Security attacks
Computer Viruses Trojan Horses Address Book theft DNS Poisoning Zombies, IP Spoofing Password Grabbers Network Worms Logic Bombs Hijacked Home Pages Denial of Service Attacks Buffer Overruns Password Crackers

Popular Fallacies

If I never log off then my computer can never get a virus If I lock my office door then my computer can never get a virus Companies create viruses so they can sell anti-virus software will protect me

Microsoft

I got this disc from my (mother, boss, friend) so it must be okay

You cannot get a virus by opening an attachment from someone you know

But I only downloaded one file

Hacker Motivations
Attack the Evil Empire (Microsoft)

Display of dominance Showing off, revenge

Misdirected creativity Embezzlement, greed

Typical Symptoms
File deletion
File corruption

Visual effects
Pop-Ups

Erratic (and unwanted) behavior

Computer crashes

Computer Security Challenges

1. 2. 3. 4. 5.

6.
7. 8. 9. 10.

not simple easy to get it wrong must consider potential attacks procedures used counter-intuitive involve algorithms and secret info must decide where to deploy mechanisms battle of wits between attacker / admin not perceived on benefit until fails requires regular monitoring a process, not an event too often an after-thought regarded as impediment to using system Unusable security is not secure

Aspects of Security
consider three aspects of e-security: security attack security mechanism (control) security service
Security Attacks:

Interruption

Interceptor
Modification Fabrication Viruses

Security Attack
Passive Attacks:
Release of message contents Interception(confidentiality) Traffic Analysis

Active Attacks: Interruption (availability) Modification (integrity) Fabrication (integrity)

Passive Attack - Interception

Passive Attack: Traffic Analysis

Observe traffic pattern

Active Attack: Interruption

Block delivery of message

Active Attack: Fabrication

Fabricate message

Active Attack: Replay

Active Attack: Modification

Modify message

Handling Attacks
Passive attacks focus on Prevention
Easy to stop

Hard to detect

Active attacks focus on Detection and Recovery

Hard to stop

Easy to detect

Security Perimeter

o Firewalls o Authentication

o Virtual Private Networks (VPN)

o Intrusion Detection Devices

Possible Security Holes

Passwords
Transmitted in plain text Could be temporarily stored in unsafe files

Could be easy to guess

Directory structure
Access to system directories could be a threat

In the operating system software

Some operating system software is not designed for secure operation Security system manager should subscribe to its OS

Security Strategies
Use a separate host
Permanently connected to the Internet, not to your network. Users dial in to a separate host and get onto the Internet through it.

Passwords
Most important protection Should be at least eight characters long

Use a mixture of alpha and numeric

Should not be able to be found in dictionary
should not be associated with you!

Change regularly

Security Services
Authentication - assurance that communicating entity is the one
claimed have both peer-entity & data origin authentication

Access Control - prevention of the unauthorized use of a resource

Data Confidentiality protection of data from unauthorized disclosure Data Integrity - assurance that data received is as sent by an

authorized entity
Non-Repudiation - protection against denial by one of the parties in a communication Availability resource accessible/usable

Security Mechanism
feature designed to detect, prevent, or recover from a security attack

no single mechanism that will support all services

required however one particular element underlies many of the security mechanisms in use:
cryptographic techniques

Security Mechanisms
specific security mechanisms:
digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization

pervasive security mechanisms:

trusted functionality, security labels, event detection, security audit trails, security recovery

Model for Network Security

Model for Network Security

using this model requires us to:
design a suitable algorithm for the security transformation generate the secret information (keys) used by the

algorithm
develop methods to distribute and share the secret information

specify a protocol enabling the principals to use the

transformation and secret information for a security service

Model for Network Access Security

Model for Network Access Security

note that model does not include:

monitoring of system for successful penetration monitoring of authorized users for misuse audit logging for forensic uses, etc.