Computer Security Management (ISYS20261) Lecture 11 – Methods of Defence
Module Leader: Dr Xiaoqi Ma, School of Science and Technology

Previously …

• Computer security - protection of information related assets:
  – Data
  – Hardware
  – Software
  – People
  – Intangible assets
• Information security requirements:
  – Confidentiality
  – Integrity
  – Availability

Definitions

• Harm
  – Something happens to an asset that we do not want to happen
• Threat
  – Possible source of harm
• Attack
  – Threatening event (instance of a threat)
• Attacker
  – Someone or something that mounts a threat
• Vulnerability
  – Weakness in the system (asset) that makes an attack more likely to succeed
• Risk
  – Possibility that a threat will affect the business or organisation

Harm and threats

• Six basic types of harm:
  – Modification
  – Destruction
  – Disclosure
  – Interception
  – Interruption
  – Fabrication
• A threat is a possible source of harm
• Example: a virus formats the hard disk of a computer
• Threats exploit vulnerabilities of systems

Vulnerabilities

• Weaknesses in a system
• Might arise from:
  – Poor design
  – Poor implementation
  – Technological advances
• Examples:
  – Password management flaws
  – Fundamental operating system design flaws
  – Software bugs
  – Unchecked user input
  – Social engineering
  – Etc.

Basic types of attacks

• Host-based Attacks
  – Malicious Code
  – Malicious Software
• Network-based Attacks
  – Sniffing
  – IP address spoofing
  – Man-in-the-middle attack
  – Denial-of-service attack (DoS)
  – OS-based attacks
  – Web application attacks
• Social Engineering
  – Pretexting
  – Phishing
  – Etc.

Today ...

• Protection against harm
• Methods of defence (countermeasures)

Defence

• Protection against harm:
  – Prevent it by blocking attack or closing vulnerabilities
  – Deter it by making the attack harder (but not impossible!)
  – Deflect it by making another target more attractive
  – Detect it either as it happens or some time after
  – Recover from effects
  – Using any combination of the above
• Methods of defence:
  – Software controls
  – Encryption
  – Physical and hardware controls

Software

• Software provides functionality in an information processing system
  – Weak link in the security chain
• Three aspects:
  – Operating systems
  – Applications
  – Software development process
• Each of these needs to be controlled

Operating system controls

• Limitations need to be built into OSs to
  – Protect system against unauthorised users
  – Protect each user from other users
  – Protect OS (from users)
• Access control
  – Authentication
  – Authorisation

Application controls

• Internal to software applications
• Limit access to
  – Program
  – Data
• Might check on computing environment

Software development controls

• Aim: preventing vulnerabilities in the software
• Using quality standards
  – ISO 9001
  – Capability Maturity Model (CMM)
  – Etc.
• Using established development methodologies
  – V model
  – Appropriate and Effective Guidance for Information Security (AEGIS)
  – Security Development Lifecycle (SDL)
  – Etc.
• Use appropriate languages, libraries, architectures and patterns
• Sophisticated testing, coding, and maintenance

Encryption

• Transforming data (plain text) so that it becomes meaningless to an observer (cipher text)
• Done by using an encryption algorithm (cipher)
• Encryption is based on a key or pass phrase
• Can be used to
  – Scramble messages
  – Scramble databases
• If a legitimate user wants to read the data (cipher text), it needs to be transformed back into plain text
• Only the person doing the scrambling (and possibly another person receiving the message) can decrypt it, because the original encryption was done with an agreed set of keys
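
The key-based scrambling and unscrambling described on this slide, as an added example that is not part of the original lecture: a pass phrase is stretched into keys, the plain text becomes unreadable cipher text, and only the same pass phrase recovers it. The HMAC-based stream construction is a standard-library stand-in so the code runs without third-party packages; the function names and sample message are assumptions, and a deployed system would use a vetted cipher such as AES-GCM from a maintained library.

```python
import hashlib
import hmac
import secrets

def derive_keys(passphrase: str, salt: bytes) -> tuple:
    """Stretch the pass phrase into an encryption key and a separate MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=64)
    return material[:32], material[32:]

def keystream(enc_key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; the key is fresh per message because the salt is."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))

def encrypt(passphrase: str, plaintext: bytes) -> bytes:
    """Return salt || cipher text || integrity tag."""
    salt = secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    body = xor(plaintext, keystream(enc_key, len(plaintext)))
    tag = hmac.new(mac_key, salt + body, hashlib.sha256).digest()
    return salt + body + tag

def decrypt(passphrase: str, blob: bytes) -> bytes:
    """Check the tag first, then recover the plain text; raise ValueError on failure."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    salt, body, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified cipher text")
    return xor(body, keystream(enc_key, len(body)))

if __name__ == "__main__":
    message = b"Payroll run approved for March"  # constructed sample plain text
    blob = encrypt("agreed pass phrase", message)
    print(blob.hex())
    print(decrypt("agreed pass phrase", blob))
```

The tag check is what turns a wrong key or an altered message into an explicit error instead of silently returning garbage.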

Physical and hardware controls

• Physical controls
  – Locks on doors
  – Guards at entry points
  – Physical site planning
  – Limited emissions (e.g. CRT radiation, power analysis, etc.)
  – Etc.
• Hardware controls
  – Hardware encryption systems
  – Locks or cables limiting access (or deterring theft)
  – Devices to verify user’s identity
  – Firewalls
  – Intrusion detection systems
  – Trusted computer platform
  – Etc.

Summary

Today we learned:

• Protection against harm
• Using countermeasures (controls)
  – Software controls
  – Encryption
  – Physical and hardware controls