UCCS CS 6910 - Overview of Computer Security

This preview shows page 1-2-22-23 out of 23 pages.


Slide titles:
 1. Overview of Computer Security
 2. Outline of the Talk
 3. Computer Security
 4. Three Basic Security Services
 5. Confidentiality
 6. Support for Confidentiality
 7. Integrity
 8. Integrity Mechanisms
 9. Integrity vs. Confidentiality
10. Availability
11. Threats
12. Examples of Threats
13. Slide 13
14. Slide 14
15. Policy and Mechanism
16. Goals of Security
17. Assumptions and Trust
18. Secure, Precise, Broad
19. Assumptions for trusting security mechanism works
20. Assurance
21. Operational Issues
22. Human Issues
23. Security Life Cycle

Slide 1: Overview of Computer Security
cs691chow
C. Edward Chow
CS691 – Chapter 1 of Matt Bishop

Slide 2: Outline of the Talk
- Definitions
- Three Basic Security Services
- Threats
- Policy and Mechanism
- Assumptions and Trust
- Assurance
- Operational Issues
- Human Issues

Slide 3: Computer Security
Security:
  1. a feeling secure; freedom from fear, doubt, etc.
  2. protection; safeguard
  3. something given as a pledge of repayment, etc.
  4. [pl.] bonds, stocks, etc.
Secure:
  1. [Firm] fastened, bound, adjusted
  2. [Safe] guarded, unharmed, defended
  3. [Self-confident] assured, stable, determined
(Above from Webster’s New World Dictionary)
Computer Security: issues, theories, techniques, and tools that deal with the protection and safeguarding of computer systems.

Slide 4: Three Basic Security Services
- Confidentiality: the concealment of information or resources.
- Integrity: the trustworthiness of data and resources.
- Availability: the ability to use the information or resources desired.

Slide 5: Confidentiality
The need for keeping information secret arises from:
- Enforcing the “need to know” principle in military and civilian government agencies.
- Protecting proprietary designs from competitors.
- Protecting a company’s personnel records.
- Protecting personal financial/ID info against ID theft.
Applies to the existence of data or traffic patterns.
Applies to resource hiding:
- System configuration data
- Systems/Equipment/Service Provider used.

Slide 6: Support for Confidentiality
Access control mechanisms support confidentiality. For example:
- Cryptography
- File access control
  - but when it fails, data is not protected
  - How does file access control protect the existence of data?
These mechanisms require supporting services from the system kernel, and agents to provide correct data.
Assumptions and trust underlie confidentiality mechanisms. E.g., is the openssl crypto library trustworthy?

Slide 7: Integrity
Preventing improper or unauthorized change.
Two types of integrity:
- Data integrity (content of information)
- Origin integrity (source of the data, related to authentication): significant bearing on the credibility and trust of the people who create the info.
Example: a newspaper prints info from a leak at the White House but attributes it to the wrong source. What integrity got violated?

Slide 8: Integrity Mechanisms
Prevention mechanisms: they seek to maintain the integrity of the data by blocking
- any unauthorized attempts to change the data, e.g., intrusion
  - Protect with adequate authentication and access controls
- any attempts to change the data in unauthorized ways, e.g., embezzlement such as Enron?
  - Protect with (independent) auditing, persons with integrity (those three persons of the year in Time
Detection mechanisms: report that the data integrity is compromised, by analyzing system events or the data itself.

Slide 9: Integrity vs. Confidentiality
Which one is harder?
- Confidentiality work finds whether data is compromised.
- Integrity work includes checking the correctness and trustworthiness of the data. This includes the history of the data:
  - Integrity of the origin of data
  - How it arrived (transport channel integrity)
  - How well it is protected after it arrived.

