security introduction and overview lecture1 .pptx
- 3. Introduction • Computer security- ways and means taken to protects computer and everything associated with it : - Hardware -Software -Storage media -Data -Persons( authorized users) -Information( Information Security) • Secure computing resources against unauthorized users ( attackers, outsider) as well as from natural disasters
- 4. Introduction • Computer security: • -Preventing attackers from achieving objectives through unauthorized access or unauthorized use of computers and networks. • -Keeping anyone from doing things you don not want them to do, with on or from your computers or any peripheral devices
- 5. Introduction • The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications)
- 7. Network and computer security Requirements CIA • Confidentiality – Data Confidentiality :protection of data from unauthorized disclosure • Integrity – Data Integrity: assurance that data received is as sent by an authorized entity • Availability – Systems work promptly and service is not denied to authorized users.( resource accessible/usable)
- 8. Computer Security Challenges 1. not simple 2. must consider potential attacks 3. involve algorithms and secret info 4. battle of wits between attacker / admin 5. requires regular monitoring 6. regarded as impediment to using system
- 9. Principles of Secure Design 1. Least Priviledge 2. Fail Safe Defaults 3. Economy of Mechanism 4. Complete Mediation 5. Defense in depth 6. Open Design 7. Separation of priviledge 8. Least Common Mechanism 9. Psychological Acceptability
- 10. Principle of Least Priviledge • Asubject should only be given the priviledges it needs to complete its task and no more. • The priviledges should be controlled by the function , not the identity ,similar to the right to know principle. • Foe example, a cashier cannot write checks.
- 11. Principle of Fail-Safe Defaults • Unless explicit acess has been granted ,access should be denied.Moreover, if a system is unable to complete a task, it should roll back to the start state, for safety. • Example: A regular user may not modify other people’s mail files; in addition, if the mail program cannot deliver mail, the only thing it can do is report failure.
- 12. Principle of Economy of Mechanism • Security mechanisms should be as simple as possible. • This way, it is easier to check for errors.
- 13. Principle of Complete Mediation • All accesses to objects must be checked to ensure that they are still allowed.
- 14. Principle of Defense in Depth • The more lines of defense there are against an attacker, the better the defense, specially if the additional line(s) are of different nature.
- 15. Principle of Open Design • The security of a mechanism should not depend on the secrecy of its design or implementation. • Specially important for crypto. • Example DVD’s
- 16. Principle of Separation of Priviledge • A system should not grant permission based on a single condition. • Example :on BSD systems, su users must belong to the wheel group and know the root password.
- 17. Principle of Least Common Mechanism • Mechanisms to access resources should not be shared(because they provide a haven for covert channels)
- 18. Principle of psychological Acceptability • Security mechanisms should not make it more difficult to access a resource. • Example: ssh, login mechanism.