0% found this document useful (0 votes)
70 views26 pages

Operating Systems and Computer Security: Week - 1

This document provides an overview of the topics that will be covered in an operating systems and computer security course. It outlines the aims, learning outcomes, assessment criteria, and syllabus topics. The topics include basic concepts in computer security, cryptography, program security, operating system security, database security, network security, and security management. Models for network and access security are also introduced.

Uploaded by

Mangala Semage
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
70 views26 pages

Operating Systems and Computer Security: Week - 1

This document provides an overview of the topics that will be covered in an operating systems and computer security course. It outlines the aims, learning outcomes, assessment criteria, and syllabus topics. The topics include basic concepts in computer security, cryptography, program security, operating system security, database security, network security, and security management. Models for network and access security are also introduced.

Uploaded by

Mangala Semage
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
You are on page 1/ 26

Operating Systems and

Computer Security
Week - 1
Acknowledgement
Prepared by Nishanthi Herath – ATI, Kandy
Based on Cryptography and Network Security, 3rd
Edition by William Stallings referring the
lecture slides by
Lawrie Brown
Aim of Course
• To provide skills and knowledge in issues
related to computer and information security
and develop the ability to take necessary
actions in securing computer systems and
information.
Intended Learning Outcomes
• State the basic concepts in information
security
• Explain concepts related to applied
cryptography.
• Explain the concepts of malicious code,
including virus, Trojan horse, and worms.
• Explain common vulnerabilities in computer
programs and take necessary remedial actions
• Outline the requirements and mechanisms for
identification and authentication and explain
issues about password authentication.
• Explain and compare security mechanisms for
conventional operating systems.
• Describe security requirements for database
security.
• Describe threats to networks, and explain
techniques for ensuring network security.
Assessment Criteria
• Final Exam – 75%
• In-class participation, group work and
discussions – 10%
• Tutorials and take home assignments – 15%
Outline Syllabus
• Basic concepts in computer security – threats,
vulnerabilities, risks and controls etc.
• Basic cryptography
• Program security – Flaws and Defenses
• Security in conventional operating systems
and trusted operating systems
• Database management systems security
• Network security
• Management of security
The art of war teaches us to rely not on the
likelihood of the enemy's not coming, but on
our own readiness to receive him; not on the
chance of his not attacking, but rather on the
fact that we have made our position
unassailable.

—The Art of War, Sun Tzu


Background
• Information Security requirements have
changed in recent times
• traditionally provided by physical and
administrative mechanisms
• computer use requires automated tools to
protect files and other stored information
• use of networks and communications links
requires measures to protect data during
transmission
The Security Triad

Confidenti
ality
Integrity

Availability

Information Security
Definitions
• Computer Security - generic name for the
collection of tools designed to protect data
and to thwart hackers
• Network Security - measures to protect data
during their transmission
• Internet Security - measures to protect data
during their transmission over a collection of
interconnected networks
• Vulnerability – a weak point in a system
where a threat can sneak in
• Threat – a potential damage that can be
materialised through some flaw in the system
• Risk – the probability of a threat being
materialised by exploiting a vulnerability
• Control – any procedure that is in place to
assure security of a system
Services, Mechanisms, Attacks
• need systematic way to define requirements
• consider three aspects of information security:
– security attack
– security mechanism
– security service
• consider in reverse order
Security Service
– is something that enhances the security of the
data processing systems and the information
transfers of an organization
– intended to counter security attacks
– make use of one or more security mechanisms to
provide the service
– replicate functions normally associated with
physical documents
• eg. have signatures, dates; need protection from
disclosure, tampering, or destruction; be notarized or
witnessed; be recorded or licensed
Security Mechanism
• a mechanism that is designed to detect,
prevent, or recover from a security attack
• no single mechanism that will support all
functions required
• however one particular element underlies
many of the security mechanisms in use:
cryptographic techniques
• hence our focus on this area
Security Attack
• any action that compromises the security of
information owned by an organization
• information security is about how to prevent
attacks, or failing that, to detect attacks on
information-based systems
• have a wide range of attacks
• can focus of generic types of attacks
• note: often threat & attack mean same
OSI Security Architecture
• ITU-T X.800 Security Architecture for OSI
• defines a systematic way of defining and
providing security requirements
• for us it provides a useful, if abstract, overview
of concepts we will study
Security Services
• X.800 defines it as: a service provided by a
protocol layer of communicating open
systems, which ensures adequate security of
the systems or of data transfers
• RFC 2828 defines it as: a processing or
communication service provided by a system
to give a specific kind of protection to system
resources
• X.800 defines it in 5 major categories
Security Services (X.800)
• Authentication - assurance that the communicating
entity is the one claimed
• Access Control - prevention of the unauthorized use
of a resource
• Data Confidentiality –protection of data from
unauthorized disclosure
• Data Integrity - assurance that data received is as
sent by an authorized entity
• Non-Repudiation - protection against denial by one
of the parties in a communication
Security Mechanisms (X.800)
• specific security mechanisms:
– encipherment, digital signatures, access controls,
data integrity, authentication exchange, traffic
padding, routing control, notarization
• pervasive security mechanisms:
– trusted functionality, security labels, event
detection, security audit trails, security recovery
Classify Security Attacks as
• passive attacks - eavesdropping on, or monitoring of,
transmissions to:
– obtain message contents, or
– monitor traffic flows
• active attacks – modification of data stream to:
– masquerade of one entity as some other
– replay previous messages
– modify messages in transit
– denial of service
Model for Network Security
Model for Network Security
• using this model requires us to:
– design a suitable algorithm for the security
transformation
– generate the secret information (keys) used by the
algorithm
– develop methods to distribute and share the
secret information
– specify a protocol enabling the principals to use
the transformation and secret information for a
security service
Model for Network Access Security
Model for Network Access Security
• using this model requires us to:
– select appropriate gatekeeper functions to
identify users
– implement security controls to ensure only
authorised users access designated information or
resources
• trusted computer systems can be used to
implement this model
Summary
• have considered:
– computer, network, internet security def’s
– security services, mechanisms, attacks
– X.800 standard
– models for network (access) security

You might also like