Isys20261 lecture 02


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Isys20261 lecture 02

  1. 1. Computer Security Management(ISYS20261)Lecture 2 –Threats and Vulnerabilities Module Leader: Dr Xiaoqi Ma School of Science and Technology
  2. 2. Last week …• Computer security - protection of information related assets: – Data – Hardware – Software – People – Intangible assets• Information security requirements: – Confidentiality – Integrity – AvailabilityComputer Security ManagementPage 2
  3. 3. Remember definitions?• Harm – Something happens to an asset that we do not want to happen• Threat – Possible source of harm• Attack – Threatening event (instance of a threat)• Attacker – Someone or something that mounts a threat• Vulnerability – Weakness in the system (asset) that makes an attack more likely to successes• Risk – Possibility that a threat will affect the business or organisationComputer Security ManagementPage 3
  4. 4. Security risks and management Risk Analysis Asset Vulnerability Threat Risk Management Risk Security MeasuresComputer Security ManagementPage 4
  5. 5. Today ...… we will discuss:• Harm and threats• Vulnerabilities• Methods of defenceComputer Security ManagementPage 5
  6. 6. Harm and threats• Six basic types of harm: – Modification – Destruction – Disclosure – Interception – Interruption – Fabrication• A threat is a possible source of harm• Example: a virus formats the hard disk of a computer• Threats exploit vulnerabilities of systemsComputer Security ManagementPage 6
  7. 7. Modification• Data held in a computer system is accessed in an unauthorised manner and is changed without permission• Somebody changes either values in a database or alters routines in a computer programme to perform additional computations• Modification can also occur when data is changed during transmission• Modification of data can also be caused by changing the hardware of an information systemComputer Security ManagementPage 7
  8. 8. Destruction• Occurs when hardware, software, or data is destroyed because of malicious intent• Can not only happen to stored data, but also to data at the input stage (before processing)Computer Security ManagementPage 8
  9. 9. Disclosure• Takes place when data is made available or access to software is made available without consent of the individual responsible for the data or software• Serious impact on security and privacy• Responsibility for data and/or software is usually linked to a position within an organisation• Although disclosure of data can occur because of malicious intent, it also happens many times because of lack of proper procedure within an organisationComputer Security ManagementPage 9
  10. 10. Interception• Occurs when an unauthorised person or software gains access to data or computer resources• May result in copying of programs or data• An interceptor may use computing resources at one location to access assets elsewhereComputer Security ManagementPage 10
  11. 11. Interruption• Occurs when a computer resource becomes unavailable for use• Might be a consequence of malicious damage of computing hardware, erasure of software, or malfunctioning of an operating system• Example: Denial of Service (DoS) attacksComputer Security ManagementPage 11
  12. 12. Fabrication• Occurs when spurious transactions are inserted into a network or records are added to an existing databaseComputer Security ManagementPage 12
  13. 13. Information security requirements• Confidentiality – Protecting sensitive information from unauthorised disclosure or intelligible interception• Integrity – Safeguarding the accuracy and completeness of information (and software)• Availability – Ensuring that information (and vital services) are available to users when required• Authentication – Ensuring that information is from the source it claims to be from• Non repudiation – Prevents an entity from denying having performed a particular action related to dataComputer Security ManagementPage 13
  14. 14. Vulnerabilities• Weaknesses in a system• Might arise from: – Poor design – Poor implementation – technological advances• Examples: – Password management flaws – Fundamental operating system design flaws – Software bugs – Unchecked user input – Social engineering – Etc.Computer Security ManagementPage 14
  15. 15. Password management flaws• Using of weak passwords that could be discovered by brute force• Passwords are stored on the computer where a program can access it• Users re-use passwords between many programs and websites• System administrator uses factory-set default passwords• Etc.Computer Security ManagementPage 15
  16. 16. Fundamental operating system design flaws• Operating system designer implements unsuitable policies on user and/or program management• Example: operating system grants every program and every user full access to the entire computer• Such an operating system flaw allows viruses and malware to execute commands on behalf of the administratorComputer Security ManagementPage 16
  17. 17. Software bugs• The programmer leaves an exploitable bug in a software program• The software bug may allow an attacker to misuse an application through (for example) bypassing access control checks or executing commands on the system hosting the application• Examples: – Buffer overflows – Dangling pointersComputer Security ManagementPage 17
  18. 18. Unchecked user input• A program assumes that all user input is safe• Consequence: the programs does not check validity user input• Can allow unintended direct execution of commands or SQL statements• Examples – Buffer overflows – SQL injectionComputer Security ManagementPage 18
  19. 19. Social engineering• Based on specific attributes of human decision-making known as cognitive biases• These biases, sometimes called "bugs in the human hardware," are exploited in various combinations to create criminal attack techniques• Examples: – Pretexting – Phishing – Baiting – Etc.• “ … I could often get passwords and other pieces of sensitive information by pretending to be someone else and just asking for it.” (Kevin Mitnick, The Art of Deception, 2002)Computer Security ManagementPage 19
  20. 20. Methods of defence• Protecting a technical system: establish controls that satisfy our information security requirements• Dhillon lists three main methods of defence: – Encryption – Software controls – Physical and hardware controls• More on these methods in the coming lectures …Computer Security ManagementPage 20
  21. 21. SummaryToday we learned:• Six basic types of harm• A threat is a possible source of harm• A threat exploits vulnerabilities in a system• We need to satisfy our information security requirements• Need to put controls in place to defend ourselvesComputer Security ManagementPage 21