Chapter 1: Introduction - Components of Computer Security

Chapter 1: Introduction

• Components of computer security
• Threats
• Policies and mechanisms
• The role of trust
• Assurance
• Operational Issues
• Human Issues
July 1, 2004 Computer Security: Art and Science Slide #1-1
©2002-2004 Matt Bishop
Basic Components (Goals)
• Confidentiality
– Keeping data and resources hidden
• Integrity
– Data integrity (integrity)
– Origin integrity (authentication)
• Availability
– Enabling access to data and resources

Additional Goals
• Authentication
– Correctly identifying the source
• Non-repudiation
– Being able to prove the source of an utterance to a third party

Terms
• Exposure
– Possible form of loss
• Vulnerability
– Possible mechanism by which loss can occur
• Threat
– Circumstance or event that could cause loss
• Attack
– Attempt to exploit vulnerability
• Control
– Mechanism to mitigate exposures
Overall Process
• Identify and Classify Assets
– What are we protecting? How are they important?
• Identify Exposures and Threats
– What would be bad? How could it happen?
• Identify Vulnerabilities and Threat Sources
– Who or what could cause loss, and how?
• Determine Policies and Controls
– What should be allowed and what disallowed?
– How will the policies be enforced?
• Implement and Monitor
– Deploy controls and use them, gain experience to update as needed (p.r.n.)

Classes of Threats
• Disclosure
– Snooping
• Deception
– Modification, spoofing, repudiation of origin, denial of receipt
• Disruption
– Modification
• Usurpation
– Modification, spoofing, delay, denial of service

Policies and Mechanisms
• Policy says what is, and is not, allowed
– This defines “security” for the site/system/etc.
• Mechanisms enforce policies
• Composition of policies
– If policies conflict, discrepancies may create security vulnerabilities

“Goals” of Security (Control Approaches)
• Prevention
– Prevent attackers from violating security policy
• Detection
– Detect attackers’ violation of security policy
• Recovery
– Stop attack, assess and repair damage
– Continue to function correctly even if attack succeeds

Trust and Assumptions
• Underlie all aspects of security
• Policies
– Unambiguously partition system states
– Correctly capture security requirements
• Mechanisms
– Assumed to enforce policy
– Support mechanisms work correctly

Types of Mechanisms

[Figure: panels labelled secure, precise and broad; legend: set of reachable states, set of secure states]
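
An added example, not part of the original slides: it compares the set of reachable states R with the set of secure states Q and labels a mechanism secure (R ⊆ Q), precise (R = Q) or broad (some reachable state is not secure), following the definitions in Bishop's text. The file-access system, state names and mechanism names are constructed for illustration.

```python
from collections import deque

# Constructed toy system (an assumption, not from the slides): state -> {operation: next state}
SYSTEM = {
    "idle": {"owner_open_r": "owner_read", "owner_open_w": "owner_write",
             "guest_open_r": "guest_read", "guest_open_w": "guest_write"},
    "owner_read": {"close": "idle"},
    "owner_write": {"close": "idle"},
    "guest_read": {"close": "idle"},
    "guest_write": {"close": "idle"},
}

# Policy: partitions the states. Q is the secure set; guests may read but never write.
SECURE_STATES = {"idle", "owner_read", "owner_write", "guest_read"}

# Each hypothetical mechanism is modelled as the set of operations it lets through.
MECHANISMS = {
    "owner_only": {"owner_open_r", "owner_open_w", "close"},
    "guest_read_ok": {"owner_open_r", "owner_open_w", "guest_open_r", "close"},
    "allow_all": {"owner_open_r", "owner_open_w", "guest_open_r",
                  "guest_open_w", "close"},
}

def reachable(allowed_ops, start="idle"):
    """R: every state the system can enter when only allowed_ops are permitted."""
    seen, queue = {start}, deque([start])
    while queue:
        state = queue.popleft()
        for op, nxt in SYSTEM[state].items():
            if op in allowed_ops and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def classify(allowed_ops):
    """Compare R with Q; return (label, reachable states that violate the policy)."""
    r = reachable(allowed_ops)
    violations = r - SECURE_STATES
    if violations:
        return "broad", violations      # some reachable state is not secure
    if r == SECURE_STATES:
        return "precise", set()         # R = Q
    return "secure", set()              # R is a proper subset of Q

if __name__ == "__main__":
    for name, ops in MECHANISMS.items():
        label, bad = classify(ops)
        print(f"{name:14} {label:8} violating states: {sorted(bad)}")
```

The owner_only mechanism is secure but over-restrictive: it blocks guest_read, a state the policy allows, which is the gap between secure and precise.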

Assurance
• Confidence that system will perform in a predictable way
• Generally, intent is that it will perform correctly!

Achieving Assurance
• Specification
– Requirements analysis
– Statement of desired functionality
• Design
– How system will meet specification
• Implementation
– Programs/systems that carry out design

Operational Issues
• Cost-Benefit Analysis
– Is it cheaper to prevent or recover?
• Risk Analysis
– Should we protect something?
– How much should we protect this thing?
• Laws and Customs
– Are desired security measures illegal?
– Will people do them?
Human Issues
• Organizational Problems
– Power and responsibility
– Financial benefits
• People problems
– Outsiders and insiders
– Social engineering

Tying Together
[Figure: stages shown in order: Threats, Policy, Specification, Design, Implementation, Operation]

Key Points
• Policy defines security, and mechanisms enforce security
– Confidentiality
– Integrity
– Availability
• Trust and knowing assumptions
• Importance of assurance
• The human factor