SECURITY AND

MANAGEMENT


Made by: Arti solanki

 INDEX
1.Goals of computer security
o Confidentiality:
o Integrity:
o Availability
o Authentication:
o Access control:
2.Security problems and
requirements
o Identifying the Assets
o Identifying the Threats
o Identifying the Impact
3. Threats and Vulnerabilities

4. Security System and
Facilities
o System Access Control
o Password Management
o Privileged User
Management
o User Account Management
o Data Resource Protection
o Sensitive System Protection
5.Computer security
classifications
o Cryptography
o Intrusion Detection
GOALS OF COMPUTER SECURITY

Confidentiality:
The principle of
Confidentiality specifies that
only the sender and the
intended recipient should be
able to access the contents of a
message.
->Confidentiality gets
compromised if an
unauthorised person is able to
access a message.
Integrity:
When the content of a message
are changed after the sender
sends it,but before it reaches
the intended recipient, we say
that the integrity of a message
is lost.
->modification causes loss of
integrity.
Availability:
->The principle of availability states that resources should be
available to authorized parties at all times.


->Interruption puts the availability of resources in danger
A computer system is available if
 The response time is acceptable
 There is a fair allocation of resources
 Fault tolerance exists
 It is user friendly
 Concurrency control and deadlock management exists.
Authentication:
Authentication mechanism helps to establish proof of identities.
->The authentication process ensures the origin of an electronic
message or document is correcctly identified.
Access control:
The principle of access control determines who
should be able to access what, an access control

mechanism can be setup to ensure this.
->access control is broadly related to role management
and rule management.
Role management : concentrates on the user side
Rule management: focuses on the resource side
 SECURITY PROBLEM AND
REQUIREMENT
Identifying the Assets :

Hardware: CPUs, boards,

 Data: during execution, store
keyboards, terminals,
workstations, personal
computers, printers, disk drives,
comunication lines, terminal
servers, routers, Management
hubs, gateways, servers, modems,
etc.
Software: source programs, object
programs, utilities, diagnostic
programs, operating systems,
communications program,
firewall software, IDS (Intrusion
Detection System) software etc.
on-line, archive off-line,
backup, audit logs, databases,
in transit over communication
media etc. People: user,
people needed to run
systems. Documentation: on
programs, hardware,
systems, local administrative
procedures. Supplies: paper,
forms, ribbons, floppy
diskettes, magnetic media.
Identifying the Threats:
There are two basic type of threats: accidental threats and
intentional threats.


1. Accidental threats can lead to exposure of confidential
information
2. An intentional threat is an action performed by an entity
with the intention to violate security.
The possible threats to a computer system can be:
 Unauthorized Access
 Disclosure of information
 Denial of service.
Identifying the Impact:
After identifying the assets and threats, the impact of security
attack should be assessed. The process includes the following
tasks.

 Identifying the vulnerabilities of the system;
 Analysing the possibility of threats to exploit these
vulnerabilities;
 Assessing the consequences of each threat;
 Estimating the cost'of each attack;
 Estimating the cost of potential counter measure
 Selecting the optimum and cost effective security system.
 Threats and Vulnerabilities

A threat can be accidental or deliberate and the various types
of security breaches can be classified as (a) interruption, (b)
interception, (c) modification and (d) fabrication.
Interruption: An asset of the system becomes lost, unavailable, or
unusable. Malicious destruction of a hardware device Deletion of
program or data file Malfunctioning of an Operating system.
Interception: Some uilauthorised entity can gain access to a computer
asset. This unauthorised entity can be a person, a program, or a
computer system. Illicit copying of program or data files Wiretapping
to obtain data.
Modification: Some unauthorised party not only accesses but also
tampers with the computer asset. Change in the values in the database
Alter a program Modify data being transmitted electronically
Modification in hardware.
Fabrication: Some unauthorised party creates a fabrication of
counterfeit object of a system. The intruder may put spurious
transaction in the computer system or modify the existing database.
VULNERABILITIES:

The computing system vulnerabilities are: e Software vulnerabilities:
software vulnerability can be due to interruption, interception,
modification, or fabrication. The examples of software vulnerabilities
are: (a) destroyedJde1eted software, (b) stolen or pirated software, (c)
unexpected behaviour and flaws, (d) non-malicious program errors, (e)
altered (but still run) software. Hardware vulnerabilities: hardware
vulnerability is caused due to interruption (denial of service),
modification, fabrication (substitution) and interception (theft).
Data vulnerabilities: Data vulnerability is caused by interruption
(results in loss of data), interception of data, modification of data and
fabrication of data.
Human vulnerabilities: The various human generated vulnerabilities
are break-ins, virus generation, security violation, inadequate training.
 Security system and facilities
System Access Control:
Password management:



Access to information system
The following control features shall
resources like memory, storage be implemented for passwords:
devices etc., sensitive utilities and Minimum of 8 characters without
data resources and programme leading or trailing blanks;
files shall be controlled and
 Shall be different from existing
restricted on "need-to-use" basis.
passwords;

The access control software or
 To be changed at least once every
operating system should be
90 days and for sensitive systems
providing features to restrict
it should be changed every 30
access to the system and data days;
resources. The use of common
 Should not be shared, displayed
passwords such as "administrator"
or printed;
or "president" or "game", etc,. to
protect access to the system and  Password retries should be
data resources should be avoided. limited to a maximum of 3
attempted logons after which the

Each user shall be assigned a
user ID shall then be revoked for
unique user ID.
sensitive system;
Privileged User Management:
 The following points must be taken into account while granting
privilege to users.
 Privileges shall be granted only on a need-to-use basis.


 Login available only from console.
 Audit log should be maintained.
User Account Management:
 Procedures for user account management should be established
to control access to application and data. It sl10~11d include:
 Should be an authorised user.
 A written statement of access rights should be given to all users.
 A formal record of all registered users shall be maintained.
 Access rights of users who have been transferred, or left the
organisation, shall be removed immediately.
 A periodic check/review shall be carried out for redundant user
accounts and access right that is no longer required.
 Redundant user accounts should not be reissued to another user.
Data and Resource Protection:
All information shall be assigned an owner responsible for
integrity of data and resource. This will help in protection of
data and resources to a great extent. And this assignment of


responsibility should be formal and top management must
supervise the whole process of allocation of responsibilities
Sensitive System Protection:
Security token/smart cards/bio-metric technologies such as iris
recognition, finger print verification technologies, etc,. shall be
used to complement the usage of password to access the
computer system. Encryption should be used to protect the
integrity and confidentiality of sensitive data. In this unit we
will discuss various techniques used in the protection of
sensitive computer systems and networks.
Computer security classifcations
Cryptography
Cryptography is the art of
 (IDS)
achieving security by encoding
messages to them non-
readable.
->when a plain text is codified
using any suitable scheme ,
the resulting message is called
cipher text and it is readable
only by those who know the
encoding and decoding
process of that particular
scheme.
Intrusion Detection System
Intrusion Detection Systems are a
combination of hardware and
software systems that monitor and
collect information and analyse it
to detect attacks or intrusions.
Some IDSs can automatically
respond to an intrusion based on
collected library of attack
signatures. IDSs uses software
based scanners, such as an
Internet scannel; for vulnerability
analysis. Intrusion detection
software builds patterns of
normal system usage; triggering
an alarm any time when abnormal
patterns occur.