security concepts, goals of computer security, problem and requirements, identifying the assets, identifying the threats, identifying the impacts, vulnerability, user authentication, security system and facilities, system access control, password management, privileged user management, user account management, data resource protection, sensitive system protection, cryptography, intrusion detection, computer-security classification
INDEX
1. Goals of computer security
o Confidentiality
o Integrity
o Availability
o Authentication
o Access control
2. Security problems and requirements
o Identifying the Assets
o Identifying the Threats
o Identifying the Impact
3. Threats and Vulnerabilities
4. Security System and Facilities
o System Access Control
o Password Management
o Privileged User Management
o User Account Management
o Data Resource Protection
o Sensitive System Protection
5. Computer security classifications
o Cryptography
o Intrusion Detection
GOALS OF COMPUTER SECURITY
Confidentiality:
The principle of confidentiality specifies that only the sender and the intended recipient should be able to access the contents of a message.
->Confidentiality is compromised if an unauthorised person is able to access a message.
Integrity:
When the contents of a message are changed after the sender sends it, but before it reaches the intended recipient, we say that the integrity of the message is lost.
->Modification causes loss of integrity.
Availability:
->The principle of availability states that resources should be available to authorized parties at all times.
->Interruption puts the availability of resources in danger.
A computer system is available if:
o The response time is acceptable
o There is a fair allocation of resources
o Fault tolerance exists
o It is user friendly
o Concurrency control and deadlock management exist
Authentication:
An authentication mechanism helps to establish proof of identities.
->The authentication process ensures that the origin of an electronic message or document is correctly identified.
Access control:
The principle of access control determines who should be able to access what. An access control mechanism can be set up to ensure this.
->Access control is broadly related to role management and rule management.
Role management: concentrates on the user side
Rule management: focuses on the resource side
SECURITY PROBLEM AND REQUIREMENT
Identifying the Assets:
Hardware: CPUs, boards, keyboards, terminals, workstations, personal computers, printers, disk drives, communication lines, terminal servers, routers, management hubs, gateways, servers, modems, etc.
Software: source programs, object programs, utilities, diagnostic programs, operating systems, communications programs, firewall software, IDS (Intrusion Detection System) software, etc.
Data: during execution, stored on-line, archived off-line, backups, audit logs, databases, in transit over communication media, etc.
People: users, people needed to run systems.
Documentation: on programs, hardware, systems, local administrative procedures.
Supplies: paper, forms, ribbons, floppy diskettes, magnetic media.
Identifying the Threats:
There are two basic types of threats: accidental threats and intentional threats.
1. Accidental threats can lead to exposure of confidential information.
2. An intentional threat is an action performed by an entity with the intention to violate security.
The possible threats to a computer system can be:
o Unauthorized access
o Disclosure of information
o Denial of service
Identifying the Impact:
After identifying the assets and threats, the impact of a security attack should be assessed. The process includes the following tasks:
o Identifying the vulnerabilities of the system;
o Analysing the possibility of threats exploiting these vulnerabilities;
o Assessing the consequences of each threat;
o Estimating the cost of each attack;
o Estimating the cost of potential countermeasures;
o Selecting the optimum and cost-effective security system.
Threats and Vulnerabilities
A threat can be accidental or deliberate, and the various types of security breaches can be classified as (a) interruption, (b) interception, (c) modification and (d) fabrication.
Interruption: An asset of the system becomes lost, unavailable, or unusable. Examples: malicious destruction of a hardware device; deletion of a program or data file; malfunctioning of an operating system.
Interception: Some unauthorised entity gains access to a computer asset. This unauthorised entity can be a person, a program, or a computer system. Examples: illicit copying of program or data files; wiretapping to obtain data.
Modification: Some unauthorised party not only accesses but also tampers with the computer asset. Examples: changing values in a database; altering a program; modifying data being transmitted electronically; modifying hardware.
Fabrication: Some unauthorised party creates a counterfeit object in the system. The intruder may insert spurious transactions into the computer system or modify the existing database.
VULNERABILITIES:
The computing system vulnerabilities are:
o Software vulnerabilities: a software vulnerability can be due to interruption, interception, modification, or fabrication. Examples of software vulnerabilities are: (a) destroyed/deleted software, (b) stolen or pirated software, (c) unexpected behaviour and flaws, (d) non-malicious program errors, (e) altered (but still running) software.
o Hardware vulnerabilities: a hardware vulnerability is caused by interruption (denial of service), modification, fabrication (substitution) and interception (theft).
o Data vulnerabilities: a data vulnerability is caused by interruption (resulting in loss of data), interception of data, modification of data and fabrication of data.
o Human vulnerabilities: the various human-generated vulnerabilities are break-ins, virus generation, security violation, inadequate training.
Security system and facilities
System Access Control:
Access to information system resources like memory, storage devices, etc., sensitive utilities, data resources and programme files shall be controlled and restricted on a "need-to-use" basis.
The access control software or operating system should provide features to restrict access to the system and data resources. The use of common passwords such as "administrator", "president" or "game" to protect access to the system and data resources should be avoided.
Each user shall be assigned a unique user ID.
Password management:
The following control features shall be implemented for passwords:
o Minimum of 8 characters without leading or trailing blanks;
o Shall be different from existing passwords;
o To be changed at least once every 90 days, and for sensitive systems it should be changed every 30 days;
o Should not be shared, displayed or printed;
o Password retries should be limited to a maximum of 3 attempted logons, after which the user ID shall then be revoked for a sensitive system.
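The password controls listed above can be enforced in code. The following is an added example, not part of the original slides: the Account class, the function names, the PBKDF2 storage of old passwords and the "locked" state for non-sensitive systems are assumptions made for illustration. The weak-password list reuses the three examples named under System Access Control.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field
from datetime import date, timedelta

COMMON = {"administrator", "president", "game"}  # weak examples named on the slide
MIN_LEN, MAX_RETRIES = 8, 3                      # values from the slide

def digest(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2, so old passwords can be compared without storing them.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    user_id: str
    sensitive: bool = False
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)  # digests, newest last
    changed_on: date = date.min
    failures: int = 0
    status: str = "active"                       # active | locked | revoked

def set_password(acct: Account, new: str, today: date) -> list:
    """Return the policy violations; the password is stored only if there are none."""
    d = digest(new, acct.salt)
    reused = any(hmac.compare_digest(d, old) for old in acct.history)
    checks = [
        (len(new) < MIN_LEN, "shorter than 8 characters"),
        (new != new.strip(), "leading or trailing blanks"),
        (new.lower() in COMMON, "common password"),
        (reused, "same as an existing password"),
    ]
    problems = [msg for failed, msg in checks if failed]
    if not problems:
        acct.history.append(d)
        acct.changed_on, acct.failures = today, 0
    return problems

def login(acct: Account, attempt: str, today: date) -> str:
    if acct.status != "active":
        return acct.status
    good = acct.history and hmac.compare_digest(digest(attempt, acct.salt), acct.history[-1])
    if not good:
        acct.failures += 1
        if acct.failures >= MAX_RETRIES:
            # Slide: revoke the user ID on a sensitive system. Assumption: lock otherwise.
            acct.status = "revoked" if acct.sensitive else "locked"
        return "denied" if acct.status == "active" else acct.status
    acct.failures = 0
    max_age = timedelta(days=30 if acct.sensitive else 90)
    return "expired" if today - acct.changed_on > max_age else "ok"
```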
Privileged User Management:
The following points must be taken into account while granting privileges to users:
o Privileges shall be granted only on a need-to-use basis.
o Login shall be available only from the console.
o An audit log should be maintained.
User Account Management:
Procedures for user account management should be established to control access to applications and data. They should include:
o Each user should be an authorised user.
o A written statement of access rights should be given to all users.
o A formal record of all registered users shall be maintained.
o Access rights of users who have been transferred, or have left the organisation, shall be removed immediately.
o A periodic check/review shall be carried out for redundant user accounts and access rights that are no longer required.
o Redundant user accounts should not be reissued to another user.
Data and Resource Protection:
All information shall be assigned an owner responsible for the integrity of the data and resources. This helps protect data and resources to a great extent. The assignment of responsibility should be formal, and top management must supervise the whole process of allocating responsibilities.
Sensitive System Protection:
Security tokens, smart cards and biometric technologies such as iris recognition and fingerprint verification shall be used to complement the use of passwords to access the computer system. Encryption should be used to protect the integrity and confidentiality of sensitive data. In this unit we will discuss various techniques used in the protection of sensitive computer systems and networks.
Computer security classifications
Cryptography
Cryptography is the art of achieving security by encoding messages to make them non-readable.
->When a plain text is codified using any suitable scheme, the resulting message is called cipher text, and it is readable only by those who know the encoding and decoding process of that particular scheme.
Intrusion Detection System (IDS)
Intrusion Detection Systems are a combination of hardware and software systems that monitor and collect information and analyse it to detect attacks or intrusions. Some IDSs can automatically respond to an intrusion based on a collected library of attack signatures. IDSs use software-based scanners, such as an Internet scanner, for vulnerability analysis. Intrusion detection software builds patterns of normal system usage, triggering an alarm any time abnormal patterns occur.
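The two detection approaches described above, matching against a signature library and alarming on deviation from a pattern of normal usage, are shown side by side in the following added example, which is not part of the original slides. The log format, the two signatures, the threshold parameters k and floor, and all sample data are constructed assumptions.

```python
import re, statistics
from collections import Counter, defaultdict

# Assumption: a small constructed signature library; real IDSs ship far larger ones.
SIGNATURES = {"path traversal": re.compile(r"\.\./"),
              "SQL injection probe": re.compile(r"union\s+select", re.I)}

def parse(line):
    """Constructed log format: '<hour> <user> <request>'."""
    hour, user, request = line.split(" ", 2)
    return int(hour), user, request

def signature_alerts(lines):
    """Signature-based detection: match each request against the library."""
    return [(user, name) for _, user, req in map(parse, lines)
            for name, rx in SIGNATURES.items() if rx.search(req)]

def hourly_counts(lines):
    counts = defaultdict(Counter)              # user -> {hour: number of requests}
    for hour, user, _ in map(parse, lines):
        counts[user][hour] += 1
    return counts

def build_baseline(lines):
    """Pattern of normal usage: mean and deviation of requests per hour, per user."""
    return {u: (statistics.mean(c.values()), statistics.pstdev(c.values()))
            for u, c in hourly_counts(lines).items()}

def anomaly_alerts(baseline, lines, k=3.0, floor=1.0):
    """Anomaly-based detection: alarm on volume far above the user's baseline."""
    alerts = []
    for user, per_hour in sorted(hourly_counts(lines).items()):
        mean, dev = baseline.get(user, (0.0, 0.0))   # unknown users have no normal
        for hour, n in sorted(per_hour.items()):
            if n > mean + k * max(dev, floor):
                alerts.append((user, hour, n))
    return alerts

# Constructed sample data, not from a real system.
NORMAL = [f"{h} alice GET /report" for h in (9, 9, 10, 10, 11, 11)] + \
         [f"{h} bob GET /index" for h in (9, 10, 11)]
TODAY = ["12 bob GET /index", "12 bob GET /download?file=../../secret.txt"] + \
        ["12 alice GET /report"] * 9
```

On the sample data the signature pass flags bob's request while the anomaly pass flags alice's request volume, which is why the two methods are normally run together.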