1
Computer Security
CIS326
Dr Rachel Shipsey
2
This course will cover the following topics:
• passwords
• access controls
• symmetric and asymmetric encryption
• confidentiality
• authentication and certification
• security for electronic mail
• key management
3
The following books are recommended as
additional reading to the CIS326 study guide
• Computer Security by Dieter Gollmann
• Secrets and Lies by Bruce Schneier
• Security in Computing by Charles Pfleeger
• Network Security Essentials by William Stallings
• Cryptography - A Very Short Introduction by Fred
Piper and Sean Murphy
• Practical Cryptography by Niels Ferguson and
Bruce Schneier
4
There are also many websites dealing with the
subjects discussed in this course.
For example, the following website provides
links to a large number of sites that have
security and cryptography courses online:
http://avirubin.com/courses.html
5
What is Security?
Security is the protection of assets. The
three main aspects are:
• prevention
• detection
• re-action
6
Some differences between traditional
security and information security
• Information can be stolen - but you still
have it
• Confidential information may be copied and
sold - but the theft might not be detected
• The criminals may be on the other side of
the world
7
Computer Security
deals with the prevention
and detection of
unauthorised actions by
users of a computer
system.
8
There is no single definition of security
What features should a computer security
system provide?
9
Confidentiality
• The prevention of unauthorised disclosure
of information.
• Confidentiality is keeping information
secret or private.
• Confidentiality might be important for
military, business or personal reasons.
10
Integrity
• Integrity is the prevention of unauthorised
writing or modification of information.
• Integrity means that there is an external
consistency in the system - everything is as
it is expected to be.
• Data integrity means that the data stored on
a computer is the same as the source
documents.
11
Availability
• Information should be accessible and
useable upon appropriate demand by an
authorised user.
• Availability is the prevention of
unauthorised withholding of information.
• Denial of service attacks are a common
form of attack.
12
Non-repudiation
• Non-repudiation is the prevention of either
the sender or the receiver denying a
transmitted message.
• A system must be able to prove that certain
messages were sent and received.
• Non-repudiation is often implemented by
using digital signatures.
13
Authentication
• Proving that you are who you say you are,
where you say you are, at the time you say
it is.
• Authentication may be obtained by the
provision of a password or a scan of your
retina.
14
Access Controls
• The limitation and control of access through
identification and authentication.
• A system needs to be able to identify and
authenticate users for access to data,
applications and hardware.
• In a large system there may be a complex
structure determining which users and
applications have access to which objects.
15
Accountability
• The system managers are accountable to
scrutiny from outside.
• Audit trails must be selectively kept and
protected so that actions affecting security
can be traced back to the responsible party.
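
One way to keep an audit trail "protected", shown as an added example that is not part of the original slides: each entry is chained to the previous one with an HMAC, so an edited or removed entry is detected before anyone relies on the trail. The key, user names and events are constructed for illustration.

```python
import hashlib
import hmac
import json

# Assumption: the key is held by the audit service, not by the users being audited.
AUDIT_KEY = b"constructed-demo-key"
GENESIS = "0" * 64


def _tag(prev_tag, record):
    """HMAC over the previous tag plus this record, chaining the entries."""
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, prev_tag.encode() + body, hashlib.sha256).hexdigest()


def append(trail, user, action, obj):
    """Add one security-relevant action, bound to the authenticated user."""
    record = {"seq": len(trail), "user": user, "action": action, "object": obj}
    prev = trail[-1]["tag"] if trail else GENESIS
    trail.append({"record": record, "tag": _tag(prev, record)})


def verify(trail):
    """Return the index of the first bad entry, or None if the trail is intact."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        rec = entry["record"]
        if rec.get("seq") != i or not hmac.compare_digest(entry["tag"], _tag(prev, rec)):
            return i
        prev = entry["tag"]
    return None


def responsible_party(trail, action, obj):
    """Trace an action on an object back to the users who performed it."""
    if verify(trail) is not None:
        raise ValueError("audit trail failed verification")
    return [e["record"]["user"] for e in trail
            if e["record"]["action"] == action and e["record"]["object"] == obj]


def demo():
    trail = []  # constructed sample events
    append(trail, "alice", "read", "payroll.db")
    append(trail, "mallory", "modify", "payroll.db")
    append(trail, "bob", "read", "payroll.db")
    return trail
```

The chain alone does not reveal entries cut from the end of the trail; for that, the most recent tag has to be recorded somewhere the trail's writer cannot change.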
16
Security systems
• A security system is not just a computer
package. It also requires security-conscious
personnel who respect the procedures and
their role in the system.
• Conversely, a good security system should
not rely on personnel having security
expertise.
17
Risk Analysis
• The disadvantages of security systems are
that they are time-consuming, costly, often
clumsy, and impede management and the
smooth running of the organisation.
• Risk analysis is the study of the cost of a
particular system against the benefits of the
system.
18
Designing a Security System
There are a number of design considerations:
• Does the system focus on the data, operations or the users
of the system?
• What level should the security system operate from?
Should it be at the level of hardware, operating system or
applications package?
• Should it be simple or sophisticated?
• In a distributed system, should the security be centralised
or spread?
• How do you secure the levels below the level of the
security system?
19
Security Models
A security model is a means for formally
expressing the rules of the security policy in an
abstract detached way.
The model should be:
• easy to comprehend
• without ambiguities
• possible to implement
• a reflection of the policies of the organisation.
20
Summary
By now you should have some idea about
• Why we need computer security
(prevention, detection and re-action)
• What a computer security system does
(confidentiality, integrity, availability,
non-repudiation, authentication, access control,
accountability)
• What computer security experts do (design,
implement and evaluate security systems)
