01/13/19 B.Ramamurthy

Security
B.Ramamurthy

Computer Security
- Collection of tools designed to thwart hackers
- Became necessary with the introduction of the computer
- Today automated tools are used

Network Security
- Protect data during transmission
- Includes telephone transmission and local area networks

Computer and Network Security Requirements
- Secrecy
  - information in a computer system be accessible for reading by authorized parties only
- Integrity
  - assets can be modified by authorized parties only
- Availability
  - assets be available to authorized parties

Types of Threats
- Interruption
  - an asset of the system is destroyed or becomes unavailable or unusable
    - destruction of hardware
    - cutting of a communication line
    - disabling the file management system
- Interception
  - an unauthorized party gains access to an asset
    - wiretapping to capture data in a network
    - illicit copying of files or programs
- Modification
  - an unauthorized party not only gains access but tampers with an asset
    - changing values in a data file
    - altering a program so that it performs differently
    - modifying the content of messages being transmitted in a network
- Fabrication
  - an unauthorized party inserts counterfeit objects into the system
    - insertion of spurious messages in a network
    - addition of records to a file

Computer System Assets
- Hardware
  - threats include accidental and deliberate damage
- Software
  - threats include deletion, alteration, damage
  - backups of the most recent versions can maintain high availability
- Data
  - involves files
  - threats include unauthorized reading of data
  - statistical analysis can lead to determination of individual information, which threatens privacy
- Communication Lines and Networks
  - threats include eavesdropping and monitoring
  - a telephone conversation, an electronic mail message, and a transferred file are subject to these threats
  - encryption masks the contents of what is transferred so even if obtained by someone, they would be unable to extract information
  - masquerade takes place when one entity pretends to be a different entity
  - message stream modification means that some portion of a legitimate message is altered, delayed, or reordered
  - denial of service prevents or inhibits the normal use or management of communications facilities
    - disable network or overload it with messages

Protection
- No protection
  - sensitive procedures are run at separate times
- Isolation
  - each process operates separately from other processes with no sharing or communication
- Share all or share nothing
  - owner of an object declares it public or private
- Share via access limitation
  - operating system checks the permissibility of each access by a specific user to a specific object
  - operating system acts as the guard
- Share via dynamic capabilities
  - dynamic creation of sharing rights for objects
- Limit use of an object
  - limit not only access to an object but also the use to which that object may be put
  - Example: a user may be able to derive statistical summaries but not to determine specific data values

Protection of Memory
- Security
- Ensure correct function of various processes that are active

User-Oriented Access Control
- Log on requires both a user identifier (ID) and a password
- system only allows users to log on if the ID is known to the system and the password associated with the ID is correct
- users can reveal their password to others either intentionally or accidentally
- hackers are skillful at guessing passwords
- ID/password file can be obtained

Data-Oriented Access Control
- Associated with each user, there can be a user profile that specifies permissible operations and file accesses
- Operating system enforces these rules
- For each object, an access control list gives users and their permitted access rights

Access Matrix
- A general model of access control as exercised by a file or database management system is that of an access matrix.
- Basic elements of the model are:
  - Subject: An entity capable of accessing objects. The concept of subject equates to that of a process.
  - Object: Anything to which access is controlled. Ex: files, programs, segments of memory.
  - Access right: The way in which an object is accessed by the subject. Examples: read, write, and execute.

Access Matrix (contd.)
[Figure: access matrix with rows userA, userB, userC and columns File 1, File 2, File 3, File 4, Acct1, Acct2, Printer1; cell entries include Own, R, W, Inquiry, Credit, Debit and P.]

Access Matrix Details
- Row index corresponds to subjects and column index to the objects.
- Entries in the cell represent the access privileges/rights.
- In practice, the access matrix is quite sparse and is implemented as either access control lists (ACLs) or capability tickets.

ACLs
- Access matrix can be decomposed by columns, yielding access control lists.
- For each object, the access control list lists the users and their permitted access rights.
- The access control list may also have a default or public entry to cover subjects that are not explicitly listed in the list.
- Elements of the list may include individual users as well as groups of users.

Windows NT(W2K) Security
- Access Control Scheme
  - name/password
  - access token associated with each process object indicating privileges associated with a user
  - security descriptor
  - access control list
  - used to compare with access control list for object

Access Token (per user/subject)
- Security ID (SID)
- Group SIDs
- Privileges
- Default
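
The access matrix and ACL slides above, worked through as an added example (not part of the original slides): a sparse matrix is decomposed by columns into ACLs and by rows into capability tickets, and a guard checks each access. All subject, object and group names are constructed, and the lookup order (explicit user entry, then group entries, then the default entry) is an assumption of this sketch.

```python
from collections import defaultdict

# Constructed sparse access matrix: (subject, object) -> rights.
# "*" is the default/public entry; "group:" entries name a group of users.
MATRIX = {
    ("alice", "report.txt"): {"own", "read", "write"},
    ("bob", "report.txt"): {"read"},
    ("alice", "payroll.db"): {"read"},
    ("group:staff", "printer"): {"print"},
    ("*", "motd.txt"): {"read"},
    ("mallory", "motd.txt"): set(),  # explicitly listed with no rights
}
GROUPS = {"bob": {"group:staff"}, "carol": {"group:staff"}}


def to_acls(matrix):
    """Decompose by columns: object -> {subject: rights}."""
    acls = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        acls[obj][subject] = set(rights)
    return dict(acls)


def to_capabilities(matrix):
    """Decompose by rows: subject -> {object: rights} (capability tickets)."""
    caps = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        caps[subject][obj] = set(rights)
    return dict(caps)


def check_access(acls, groups, user, obj, right):
    """Guard run on every access by a specific user to a specific object."""
    acl = acls.get(obj, {})
    if user in acl:  # explicitly listed user: the default entry does not apply
        return right in acl[user]
    member_of = [g for g in groups.get(user, ()) if g in acl]
    if member_of:  # listed through a group entry
        return any(right in acl[g] for g in member_of)
    # Subject not listed at all: fall back to the default entry, else deny.
    return right in acl.get("*", set())


ACLS = to_acls(MATRIX)
```

Because an explicitly listed subject never falls through to the default entry, the empty entry for mallory on motd.txt denies a read that an unlisted user would be granted.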