Computer Security Introduction 12/25/2021

Basic Components
1. Confidentiality: Concealment of information (prevent unauthorized disclosure of information).
2. Integrity: Trustworthiness of data/resources (prevent unauthorized modifications).
   • Data integrity
   • Origin integrity (authentication)
3. Availability: Ability to use information/resource (prevent unauthorized withholding of information/resources).

Basic Components
Additionally: Authenticity, accountability, reliability, safety, dependability, survivability...

Confidentiality
Historically, security is closely linked to secrecy. Security involved a few organizations dealing mainly with classified data. However, nowadays security extends far beyond confidentiality. Confidentiality involves:
• privacy: protection of private data,

Integrity
“Making sure that everything is as it is supposed to be.”
For Computer Security this means: Preventing unauthorized writing or modifications.

Availability
For Computer Systems this means that: Services are accessible and usable (without undue delay) whenever needed by an authorized entity. For this we need fault-tolerance. Faults may be accidental or malicious (Byzantine). Denial of Service attacks are an example of

Relationship between Confidentiality, Integrity and Availability
[Diagram labels: Confidentiality, Integrity, Availability, Secure]

Other security requirements
• Reliability – deals with accidental damage,
• Safety – deals with the impact of system failure on the environment,
• Dependability – reliance can be justifiably placed on the system
• Survivability – deals with the recovery of the system after massive failure.
• Accountability – actions affecting security must be traceable to the responsible party. For this,
  – Audit information must be kept and protected,
  – Access control is needed.

Basic Components
Threats – potential violations of security
Attacks – violations
Attackers – those who execute the violations

Threats
• Disclosure or unauthorized access
• Deception or acceptance of falsified data
• Disruption or interruption or prevention
• Usurpation or unauthorized control

More threats
• Snooping (unauthorized interception)
• Modification or alteration
  – Active wiretapping
  – Man-in-the-middle attacks
• Masquerading or spoofing
• Repudiation of origin
• Denial of receipt
• Delay
• Denial of Service

Policy and Mechanisms
1. A security policy is a statement of what is / is not allowed.
2. A security mechanism is a method or tool that enforces a security policy.

Assumptions of trust
Let
• P be the set of all possible states of a system
• Q be the set of secure states
A mechanism is secure if P ≤ Q
A mechanism is precise if P = Q
A mechanism is broad if there are states in P which are not in Q

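
The three definitions above, worked through on a constructed two-user system (an added example, not part of the original slides). It assumes P is read as the set of states the system can reach with the mechanism in place; the users, the policy and the three mechanisms are hypothetical.

```python
from itertools import product

# Constructed toy system: a state is the set of users holding read access
# to one salary file. All names and rules here are hypothetical.
USERS = ("alice", "bob")
ALL_STATES = {frozenset(u for u, bit in zip(USERS, bits) if bit)
              for bits in product((0, 1), repeat=len(USERS))}

def policy_secure(state):
    """Security policy (assumed): bob must never hold read access."""
    return "bob" not in state

Q = {s for s in ALL_STATES if policy_secure(s)}  # the secure states

def reachable(mechanism, start=frozenset()):
    """P: every state the system can enter when `mechanism` vets each change."""
    seen, todo = {start}, [start]
    while todo:
        state = todo.pop()
        for user in USERS:
            for nxt in (state | {user}, state - {user}):  # grant, revoke
                if nxt not in seen and mechanism(state, user, nxt):
                    seen.add(nxt)
                    todo.append(nxt)
    return seen

def classify(P, Q):
    """Apply the slide's definitions; a precise mechanism is also secure."""
    if P == Q:
        return "precise"
    if P <= Q:          # on Python sets, <= is the subset test
        return "secure"
    return "broad"      # some state in P is not in Q

def revoke_only(state, user, nxt):       # refuses every grant
    return len(nxt) < len(state)

def payroll_only(state, user, nxt):      # only alice's access may change
    return user == "alice"

def allow_all(state, user, nxt):         # enforces nothing
    return True

if __name__ == "__main__":
    for mech in (revoke_only, payroll_only, allow_all):
        P = reachable(mech)
        print(f"{mech.__name__:13} |P|={len(P)} |Q|={len(Q)} -> {classify(P, Q)}")
```

The revoke-only mechanism is secure but not precise: it also blocks the secure state in which alice holds access, which is the functionality cost of an over-restrictive mechanism.
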
Assurance
Trust cannot be quantified precisely. System specifications, design and implementation can provide a basis for how much one can trust a system. This is called assurance.

Goals of Computer Security
Computer Security is about protecting assets. This involves:
• Prevention
• Detection
• Reaction (recover/restore assets)

Computer Security
How to achieve Computer Security:
1. Security principles/concepts: explore general principles/concepts that can be used as a guide to design secure information processing systems.
2. Security mechanisms: explore some of the security mechanisms that can be used to secure information processing systems.
3. Physical/Organizational security: consider physical & organizational security measures (policies)

Computer Security
Even at this general level there is disagreement on the precise definitions of some of the required security aspects.
References:
• Orange book – US Dept of Defense, Trusted Computer System Evaluation Criteria.
• ITSEC – European Trusted Computer System Product Criteria.
• CTCPEC – Canadian Trusted Computer System Product Criteria

Fundamental Dilemma: Functionality or Assurance
• Security mechanisms need additional computational
• Security policies interfere with working patterns, and can be very inconvenient.
• Managing security requires additional effort and costs.
• Ideally there should be a tradeoff.

Operational issues
– Cost-benefit analysis
  • Example: a database with salary info, which is used by a second system to print pay checks
– Risk analysis
  • Environmental dependence
  • Time dependence
  • Remote risk

Laws and Customs
• Export controls
• Laws of multiple jurisdictions
• Human issues
  – Organizational problems (who is responsible for what)
  – People problems (outsiders/insiders)

Tying it all together: how??