Computer Security

Overview
Key Security Concepts
Security Terminology
 Vulnerabilities and Attacks
 System resource vulnerabilities may
 Be corrupted (loss of integrity)
 Become leaky (loss of confidentiality)
 Become unavailable (loss of availability)
 Attacks are threats carried out and may be
 Passive
 Active
 Insider
 Outsider
 Countermeasures
 Means used to deal with security attacks
 Detect
 Prevent
 Recover
 May result in new vulnerabilities
 Goal is to minimize risk given constraints
 Threat Consequences
 Unauthorized disclosure
 Exposure, interception, inference, intrusion
 Deception
 Masquerade, falsification, repudiation
 Disruption
 Incapacitation, corruption, obstruction
 Usurpation
 Misappropriation, misuse
Scope of Computer Security
 Network Security Attacks
 Classify as passive or active
 Passive attacks are eavesdropping
 Release of message contents
 Traffic analysis

Note: Are hard to detect so aim to prevent

 Active attacks modify/fake data
 Masquerade
 Replay

 Modification

 Denial of service

Note: Are hard to prevent so aim to detect

 Security Functional Requirements
 Technical measures:
 Access control; identification & authentication
 System & communication protection; system &
information integrity
 Management controls and procedures
 Awareness & training; audit & accountability;
certification, accreditation, & security assessments;
 Contingency planning; physical & environmental
protection; planning; personnel security; risk
assessment; systems & services acquisition
Security Taxonomy
User Authentication
 User Authentication
 Fundamental security building block
 Basis of access control & user accountability
 Is the process of verifying an identity claimed by
or for a system entity
 Has two steps:
 Identification - specify identifier
 Verification - bind entity (person) and identifier
 Means of User Authentication
 Four means of authenticating user's identity
 Bases on something the individual
 Knows - e.g. password, PIN
 Possesses - e.g. key, token, smartcard
 Is (static biometrics) - e.g. fingerprint, retina
 Does (dynamic biometrics) - e.g. voice, sign

 Can be used alone or combined

 Password Authentication
 Something Individual Knows
 Widely used user authentication method
 User provides name/login and password
 System compares password with that saved for
specified login
 Authenticates ID of user logging and
 That the user is authorized to access system
 Determines the user’s privileges
 Used in discretionary access control
 Password Vulnerabilities
 Offline dictionary attack
 Specific account attack
 Popular password attack
 Password guessing against single user
 Workstation hijacking
 Exploiting user mistakes
 Exploiting multiple password use
 Electronic monitoring
 Token Authentication
 Something an individual Possesses
 Object user possesses to authenticate, e.g.
 Embossed Card
 Magnetic Stripe Card
 Memory Card
 Smartcard
 Memory Card
 Store but do not process data
 Magnetic stripe card, e.G. Bank card
 Electronic memory card
 Used alone for physical access
 With password/PIN for computer use
 Drawbacks of memory cards include:
 Need special reader
 Loss of token issues
 User dissatisfaction
 Biometric Authentication
 Something an individual Is
 Authenticate user based on one of their physical
characteristics
 Authentication Security Issues
 Client attacks
 Host attacks
 Eavesdropping
 Replay
 Trojan horse (disguised malware claiming to
be legitimate)
 Denial-of-service