Lecture 5 Foundations of Computer Security


CET324 - Foundations of Computer Security

Objectives
• Introduce the foundations of computer
security
• Focus on information security by discussing
confidentiality, integrity and availability
• Computer security is not just information
security
• Introduce contradictions in computer security

Implementing Computer Security
Quick question:
What are the disadvantages of a security system?
• time-consuming
• costly
• often clumsy
• impedes management and the smooth running of the organization

What are the advantages of computer security?

Risk Analysis
• Determining the nature and likelihood of the risks
to key data.
• Planning for information analysis requires risk
analysis.
• Goal is to minimize vulnerability to threats that put
a system at the most risk.
• E.g., economic metric: study of the cost of a particular
system against the benefits of the system.

Levels of Impact

• Low: The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals
• Moderate: The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals
• High: The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals

Security Concepts and Relationship

[Figure 1.2 Security Concepts and Relationships: diagram linking owners, threat agents, countermeasures, assets, risk and threats]


Computer Security
The focus of computer security is to implement measures and controls to ensure:

• Confidentiality,
• Integrity, and
• Availability

of information system assets (e.g., hardware, software, firmware, and information being processed, stored, and communicated).

CIA Triad of Information Security
• Confidentiality: ensuring that data is protected from unauthorized access
• Integrity: ensuring that data can be modified only by appropriate mechanisms
• Availability: the degree to which authorized users can access information for legitimate purposes

Information Assurance Pillars
• Confidentiality
– The need to keep information private or secret and to prevent
the disclosure of information to those who don’t need to see it.
– Addresses the question: who is authorised to use the data?
– Achieved through encryption, selective use of access controls,
keeping sensitive information apart from publicly available
systems and networks.
• Confidentiality covers two related concepts:
– Data confidentiality: private or confidential data is not made public
– Privacy: assures that individuals control or influence what information is collected on them, by whom it is stored, and the way it is shared.
Information Assurance Pillars
• Integrity
– The notion that information should be complete and unaltered
as it is used and that only authorised people can make
changes and these are recorded properly.
– Addresses the question: is the data good?
• Integrity covers two terms:
– Data integrity: Assures that information/programs are
changed only in a specified and authorised manner.
– System integrity: Assures that a system performs its intended
task in an unimpaired manner, free from
deliberate/inadvertent unauthorised manipulation of the
system.

Information Assurance Pillars

• Availability
– The need to have information ready for use in a usable form
when it is needed.
– Addresses the question, can we access the data whenever we
need it?

Information Assurance Pillars

There are also two additional concepts:


• Authenticity: the property of being genuine and being able to be verified and trusted.

• Accountability: the requirement for actions of an entity to be traced uniquely to that entity. It supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.

Bringing the Pillars Together

[Figure: the three pillars shown together: Confidentiality, Integrity, Availability]

Balancing the Pillars
• In cyber security, the professional decision is often one of balance
Example 1
• Increase confidentiality, perhaps by disconnecting the computer from the Internet
– Availability suffers because the computer is offline
– Integrity suffers due to lost updates

Balancing the Pillars
• In cyber security, the professional decision is often one of balance
Example 2
• Increase integrity by having extensive data checks performed by different people/systems
– Confidentiality suffers as more people see the data.
– Availability suffers due to locks on data under verification.

Balancing the Pillars
• In cyber security, the professional decision is often one of balance
Example 3
• What happens when availability is increased?
– To confidentiality?
– To integrity?

Confidentiality
• Confidentiality focuses on keeping information secret or
private
• The prevention of unauthorised disclosure of information, important at macro (military, business) and micro (personal) levels
– From a security design perspective we need to know who needs what data
– Managed through access control
– Need the user’s identity and need to be able to verify
identity
– Design in identification and authentication
– Can utilise encryption
• Confidentiality is difficult to ensure
• Confidentiality is easy to measure (binary – yes:no)

Integrity
• Integrity focuses on the external consistency in the
system - everything is as it is expected to be
• Data integrity means that the data stored on a
computer is the same as the source documents
• Integrity is broken if there is unauthorised writing or
modification of the assets or information (whereas
confidentiality is concerned with access)
– Viewing information: access or modification?
– Copying: access or modification?
– Duplicating (with write blocker): access or modification?

Integrity
• From a security design perspective we need to know when a breach has occurred and the nature of the breach
• Integrity is more difficult to measure than
confidentiality
– Not binary – there are degrees of integrity
– Context-dependent - means different things for different
properties:
• Precision;
• Accuracy;
• Currency;
• Consistency;
• Meaningfulness;
• Usefulness

Availability
• Information should be accessible and useable upon appropriate
demand by an authorised user
• Availability is the prevention of unauthorised withholding of
information
• Availability is context dependent, complex and not well understood, which makes it a challenge for security design
• According to Pfleeger and Pfleeger, we can say that an asset is available if it offers:
– Timely request response
– Fair allocation of resources (no starvation)
– Fault tolerant (no total breakdown)
– Easy to use in the intended way
– Controlled concurrency (concurrency control, deadlock control)

Resilience
• In addition to confidentiality, integrity and availability, there is the concept of resilience
• Resilience is what allows a computer or computer system to endure security threats and attacks without critically failing
• The key is accepting the inevitability of threats and even limited failures in defence
• It is about remaining operational with the understanding
that attacks and incidents happen on a regular basis

Summary
• Confidentiality, integrity and availability (CIA) are the
pillars of information security
• The pillars are not always mutually exclusive or even complementary to each other
• Dilemmas and tradeoffs require professional consideration
• CIA are not the only factors that need to be taken into
account when considering information security
• The cyber security domain is a complex environment and
information security is not the complete picture

Lab session: task 1 – What impact do our principles have on CIA?
• Principle of least privilege
– Confidentiality _______________________________________
– Integrity ____________________________________________
– Availability __________________________________________
• Principle of separation of risk
– Confidentiality _______________________________________
– Integrity ____________________________________________
– Availability __________________________________________
• Defence in Depth
– Confidentiality _______________________________________
– Integrity ____________________________________________
– Availability __________________________________________
• Secrecy
– Confidentiality _______________________________________
– Integrity ____________________________________________
– Availability __________________________________________

Lab session: task 2 – What impact does CIA have on our cyber security principles?

• Confidentiality
– Principle of least privilege _______________________________________
– Principle of separation of risk ____________________________________
– Defence in Depth ______________________________________________
– Secrecy _____________________________________________________

• Integrity
– Principle of least privilege _______________________________________
– Principle of separation of risk ____________________________________
– Defence in Depth _____________________________________________
– Secrecy _____________________________________________________

• Availability
– Principle of least privilege _______________________________________
– Principle of separation of risk ____________________________________
– Defence in Depth ______________________________________________
– Secrecy _____________________________________________________