3. Introduction
• Computer security: ways and means taken to protect a computer and
everything associated with it:
- Hardware
- Software
- Storage media
- Data
- Persons (authorized users)
- Information (Information Security)
• Secure computing resources against unauthorized users (attackers,
outsiders) as well as from natural disasters
4. Introduction
• Computer security:
- Preventing attackers from achieving objectives through unauthorized
access or unauthorized use of computers and networks.
- Keeping anyone from doing things you do not want them to do
with, on, or from your computers or any peripheral devices.
5. Introduction
• The protection afforded to an automated information system in order
to attain the applicable objectives of preserving the integrity,
availability and confidentiality of information system resources
(includes hardware, software, firmware, information/data, and
telecommunications)
7. Network and computer security Requirements
CIA
• Confidentiality
– Data Confidentiality: protection of data from
unauthorized disclosure
• Integrity
– Data Integrity: assurance that data received is as sent by
an authorized entity
• Availability
– Systems work promptly and service is not denied to
authorized users (resource accessible/usable).
8. Computer Security Challenges
1. not simple
2. must consider potential attacks
3. involve algorithms and secret info
4. battle of wits between attacker / admin
5. requires regular monitoring
6. regarded as impediment to using system
9. Principles of Secure Design
1. Least Privilege
2. Fail-Safe Defaults
3. Economy of Mechanism
4. Complete Mediation
5. Defense in Depth
6. Open Design
7. Separation of Privilege
8. Least Common Mechanism
9. Psychological Acceptability
10. Principle of Least Privilege
• A subject should only be given the privileges it needs to complete its
task and no more.
• The privileges should be controlled by the function, not the identity,
similar to the right to know principle.
• For example, a cashier cannot write checks.
11. Principle of Fail-Safe Defaults
• Unless explicit access has been granted, access should be
denied. Moreover, if a system is unable to complete a task, it should
roll back to the start state, for safety.
• Example: A regular user may not modify other people’s mail files; in
addition, if the mail program cannot deliver mail, the only thing it can
do is report failure.
12. Principle of Economy of Mechanism
• Security mechanisms should be as simple as possible.
• This way, it is easier to check for errors.
13. Principle of Complete Mediation
• All accesses to objects must be checked to ensure that they are still
allowed.
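The three principles on slides 10, 11 and 13 can be seen working together in one small access check. The following is an added example, not part of the original slides; it reuses the cashier case from slide 10, and the role names, actions and the Till class are assumptions made for illustration.

```python
# Added illustration: roles, actions and the Till class are hypothetical.

# Least privilege: rights attach to the function (role), not the identity,
# and each role lists only what its task needs.
ROLE_PRIVILEGES = {
    "cashier": {"accept_payment"},
    "accountant": {"accept_payment", "write_check"},
}

class AccessDenied(Exception):
    """Raised when no explicit grant covers the request."""

def accept_payment(state, amount):
    state["balance"] += amount

def write_check(state, amount):
    state["checks_issued"] += 1          # first step succeeds...
    if amount > state["balance"]:        # ...second step may fail
        raise ValueError("insufficient funds")
    state["balance"] -= amount

HANDLERS = {"accept_payment": accept_payment, "write_check": write_check}

class Till:
    def __init__(self):
        self.roles = {}                  # user -> role; empty means no access
        self.state = {"balance": 0, "checks_issued": 0}

    def allowed(self, user, action):
        # Fail-safe default: an unknown user, unknown role or unlisted
        # action all fall through to "deny".
        role = self.roles.get(user)
        return action in ROLE_PRIVILEGES.get(role, frozenset())

    def perform(self, user, action, amount):
        # Complete mediation: the check runs on every request and no
        # decision is cached, so a revoked role applies to the next call.
        if not self.allowed(user, action):
            raise AccessDenied(f"{user} may not {action}")
        draft = dict(self.state)         # work on a copy of the start state
        HANDLERS[action](draft, amount)  # may raise part-way through
        self.state = draft               # commit only if the task completed
        return self.state["balance"]

if __name__ == "__main__":
    till = Till()
    till.roles.update(alice="cashier", bob="accountant")
    print(till.perform("alice", "accept_payment", 100))
    print(till.allowed("alice", "write_check"))
```

A failed check (insufficient funds) leaves both the balance and the check counter at their start values, because the half-finished work only ever touched the copy.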
14. Principle of Defense in Depth
• The more lines of defense there are against an attacker, the better the
defense, especially if the additional line(s) are of a different nature.
15. Principle of Open Design
• The security of a mechanism should not depend on the secrecy of its
design or implementation.
• Especially important for crypto.
• Example: DVDs
16. Principle of Separation of Privilege
• A system should not grant permission based on a single condition.
• Example: on BSD systems, su users must belong to the wheel group
and know the root password.
17. Principle of Least Common Mechanism
• Mechanisms to access resources should not be shared (because they
provide a haven for covert channels).
18. Principle of Psychological Acceptability
• Security mechanisms should not make it more difficult to access a
resource.
• Example: ssh, login mechanism.