SecurityComputer and Network Security RequirementsTypes of ThreatsSlide 4Slide 5Slide 6Computer System AssetsSlide 8Slide 9Slide 10Slide 11ProtectionSlide 13Slide 14Protection of MemoryUser-Oriented Access ControlData-Oriented Access ControlAccess MatrixSlide 19Access Control ListSlide 21Capability TicketsSlide 23Intrusion TechniquesTechniques for Learning PasswordsSlide 26ID Provides SecurityPassword Selection StrategiesSlide 29Slide 30PowerPoint PresentationIntrusion DetectionSlide 33Slide 34Malicious ProgramsSlide 36TrapdoorLogic BombTrojan HorseVirusesWormsZombieVirus StagesSlide 44Types of VirusesSlide 46Slide 47Macro VirusesSlide 49Antivirus ApproachesGeneric DecryptionDigital Immune SystemSlide 53E-mail VirusTrusted SystemsSlide 56Trojan Horse DefenseSlide 58Slide 59Slide 60Windows 2000 SecurityAccess TokenAccess tokenSecurity DescriptorSlide 65SecurityChapter 15Computer and Network Security Requirements•Confidentiality–Requires information in a computer system only be accessible for reading by authorized parties•Integrity–Assets can be modified by authorized parties only•Availability–Assets be available to authorized parties•Authenticity–Requires that a computer system be able to verify the identity of a userTypes of Threats•Interruption–An asset of the system is destroyed of becomes unavailable or unusable–Attack on availability–Destruction of hardware–Cutting of a communication line–Disabling the file management systemTypes of Threats•Interception–An unauthorized party gains access to an asset–Attack on confidentiality–Wiretapping to capture data in a network–Illicit copying of files or programsTypes of Threats•Modification–An unauthorized party not only gains access but tampers with an asset–Attack on integrity–Changing values in a data file–Altering a program so that it performs differently–Modifying the content of messages being transmitted in a networkTypes of Threats•Fabrication–An unauthorized party inserts counterfeit objects into the system–Attack on authenticity–Insertion of spurious messages in a network–Addition of records to a fileComputer System Assets•Hardware–Threats include accidental and deliberate damage•Software–Threats include deletion, alteration, damage–Backups of the most recent versions can maintain high availabilityComputer System Assets•Data–Involves files–Security concerns fro availability, secrecy, and integrity–Statistical analysis can lead to determination of individual information which threatens privacyComputer System Assets•Communication Lines and Networks – Passive Attacks–Release of message contents for a telephone conversion, an electronic mail message, and a transferred file are subject to these threats–Traffic analysis•encryption masks the contents of what is transferred so even if obtained by someone, they would be unable to extract informationComputer System Assets•Communication Lines and Networks – Active Attacks–Masquerade takes place when one entity pretends to be a different entity–Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect–Modification of messages means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effectComputer System Assets•Communication Lines and Networks – Active Attacks–Modification of messages means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect–Denial of service prevents or inhibits the normal use or management of communications facilities•Disable network or overload it with messagesProtection•No protection–Sensitive procedures are run at separate times•Isolation–Each process operates separately from other processes with no sharing or communicationProtection•Share all or share nothing–Owner of an object declares it public or private•Share via access limitation–Operating system checks the permissibility of each access by a specific user to a specific object–Operating system acts as the guardProtection•Share via dynamic capabilities–Dynamic creation of sharing rights for objects•Limit use of an object–Limit no only access to an object but also the use to which that object may be put–Example: a user may be able to derive statistical summaries but not to determine specific data valuesProtection of Memory•Security•Ensure correct function of various processes that are activeUser-Oriented Access Control•Log on–Requires both a user identifier (ID) and a password–System only allows users to log on if the ID is known to the system and password associated with the ID is correct–Users can reveal their password to others either intentionally or accidentally–Hackers are skillful at guessing passwords–ID/password file can be obtainedData-Oriented Access Control•Associated with each user, there can be a user profile that specifies permissible operations and file accesses•Operating system enforces these rules•Database management system controls access to specific records or portions of recordsAccess Matrix•Subject–An entity capable of accessing objects•Object–Anything to which access is controlled•Access rights–The way in which an object is accessed by a subjectAccess MatrixAccess Control List•Matrix decomposed by columns•For each object, an access control list gives users and their permitted access rightsAccess Control ListCapability Tickets•Decomposition of access matrix by rows•Specifies authorized object and operations for a userCapability TicketsIntrusion Techniques•Objective of intruder is the gain access to the system or to increase the range of privileges accessible on a system•Protected information that an intruder acquires is a passwordTechniques for Learning Passwords•Try default password used with standard accounts shipped with computer•Exhaustively try all short passwords•Try words in dictionary or a list of likely passwords•Collect information about users and use these items as passwordsTechniques for Learning Passwords•Try user’s phone numbers, social security numbers, and room numbers•Try all legitimate license plate numbers for this state•Use a Trojan horse to bypass restrictions on access•Tap the line between a remote user and the host systemID Provides Security•Determines whether
View Full Document
Unlocking...