Lecture 3a Security

The document provides an overview of computer security, detailing key concepts such as vulnerabilities, attacks, and countermeasures. It discusses various types of attacks, including passive and active, and emphasizes the importance of user authentication methods like passwords, tokens, and biometrics. Additionally, it highlights security issues related to authentication and the need for effective management controls to minimize risks.

Uploaded by mokorigeorge

Computer Security

Overview
Key Security Concepts
Security Terminology
Vulnerabilities and Attacks
- System resource vulnerabilities may
  - Be corrupted (loss of integrity)
  - Become leaky (loss of confidentiality)
  - Become unavailable (loss of availability)
- Attacks are threats carried out and may be
  - Passive
  - Active
  - Insider
  - Outsider
Countermeasures
- Means used to deal with security attacks
  - Detect
  - Prevent
  - Recover
- May result in new vulnerabilities
- Goal is to minimize risk given constraints
Threat Consequences
- Unauthorized disclosure
  - Exposure, interception, inference, intrusion
- Deception
  - Masquerade, falsification, repudiation
- Disruption
  - Incapacitation, corruption, obstruction
- Usurpation
  - Misappropriation, misuse
Scope of Computer Security
Network Security Attacks
- Classify as passive or active
- Passive attacks are eavesdropping
  - Release of message contents
  - Traffic analysis
  - Note: hard to detect, so aim to prevent
- Active attacks modify/fake data
  - Masquerade
  - Replay
  - Modification
  - Denial of service
  - Note: hard to prevent, so aim to detect


Security Functional Requirements
- Technical measures:
  - Access control; identification & authentication
  - System & communication protection; system & information integrity
- Management controls and procedures
  - Awareness & training; audit & accountability; certification, accreditation, & security assessments
  - Contingency planning; physical & environmental protection; planning; personnel security; risk assessment; systems & services acquisition
Security Taxonomy
User Authentication
- Fundamental security building block
- Basis of access control & user accountability
- Is the process of verifying an identity claimed by or for a system entity
- Has two steps:
  - Identification - specify identifier
  - Verification - bind entity (person) and identifier
Means of User Authentication
- Four means of authenticating a user's identity
- Based on something the individual
  - Knows - e.g. password, PIN
  - Possesses - e.g. key, token, smartcard
  - Is (static biometrics) - e.g. fingerprint, retina
  - Does (dynamic biometrics) - e.g. voice, signature
- Can be used alone or combined


Password Authentication
- Something the individual knows
- Widely used user authentication method
- User provides name/login and password
- System compares password with that saved for the specified login
- Authenticates the ID of the user logging in and
  - That the user is authorized to access the system
- Determines the user's privileges
- Used in discretionary access control
Password Vulnerabilities
- Offline dictionary attack
- Specific account attack
- Popular password attack
- Password guessing against single user
- Workstation hijacking
- Exploiting user mistakes
- Exploiting multiple password use
- Electronic monitoring
Token Authentication
- Something an individual possesses
- Object the user possesses to authenticate, e.g.
  - Embossed card
  - Magnetic stripe card
  - Memory card
  - Smartcard
Memory Card
- Stores but does not process data
  - Magnetic stripe card, e.g. bank card
  - Electronic memory card
- Used alone for physical access
- With password/PIN for computer use
- Drawbacks of memory cards include:
  - Need a special reader
  - Loss of token issues
  - User dissatisfaction
Biometric Authentication
- Something an individual is
- Authenticate the user based on one of their physical characteristics
Authentication Security Issues
- Client attacks
- Host attacks
- Eavesdropping
- Replay
- Trojan horse (disguised malware claiming to be legitimate)
- Denial-of-service
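Two of the issues listed above, eavesdropping and replay, are what a challenge-response exchange is designed to detect: the client proves it holds a secret without sending the secret, and the server accepts each challenge only once, so a captured exchange cannot be played back. The following is an added example, not part of the lecture, showing both sides of such an exchange with a shared secret and an HMAC response. The secret value is a constructed sample, and the single-use nonce set is an assumption about how the server tracks outstanding challenges.

```python
import hashlib
import hmac
import secrets

# Constructed: a secret shared between a token (or client software) and the
# server. In practice it is provisioned out of band; here it is a sample value.
SHARED_SECRET = b"sample-shared-secret-not-for-real-use"


class Server:
    """Issues fresh challenges and checks responses, consuming each nonce once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.outstanding = set()      # challenges issued and not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)   # fresh and unpredictable per attempt
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        # A replayed (nonce, response) pair fails: the nonce was already consumed.
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)   # single use
        expected = hmac.new(self.secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(secret: bytes, nonce: bytes) -> bytes:
    """Prove knowledge of the secret; only the nonce and a MAC cross the wire."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def run_exchange(server: Server, secret: bytes):
    """One full exchange; returns what an eavesdropper would see plus the verdict."""
    nonce = server.challenge()               # server -> client
    response = client_respond(secret, nonce)  # client -> server
    return nonce, response, server.verify(nonce, response)


if __name__ == "__main__":
    srv = Server(SHARED_SECRET)
    nonce, response, ok = run_exchange(srv, SHARED_SECRET)
    print("first exchange accepted:", ok)                      # True
    print("replay of captured pair:", srv.verify(nonce, response))  # False
```

An eavesdropper who records the nonce and the response learns nothing that lets them answer the next challenge, because each nonce is fresh and the secret never leaves either end; the server's bookkeeping is what turns a replay from a silent success into a detectable failed attempt.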
