
Overview

What is a secure computer system?
Concerns of a secure system
o Data: Privacy, Integrity, Availability
o Users: Authentication, Authorization, Privacy
Security in stand-alone, networked, and internetworked environments

Chapter 1 Introduction

Secure Computer System

A security policy specifies exactly what types of actions are and are not permitted on the system
A secure system obeys its security policy
Example security policy
o Only authorized users are able to use the system
o Authorization/Access control
o Resource sharing among users


Security Breaches

A violation of a system's security policy is called a security breach
Security breaches can occur
o Accidentally (e.g., a faulty program)
o Intentionally (e.g., a virus)
Creating a system where security breaches cannot occur can be easy or impossible, depending on
o What the security policy requires
o How the system implements the policy


Secure Systems Design

Policy: Simplicity Principle
o Policy as simple as possible (but no simpler)
o Should state what is allowed and what is forbidden
System: Functionality Principle
o Include necessary functionality (and no more)
o Perform the job it was designed to do (and no more)


Policy Simplicity

Simpler security policies are easier to get right, reason about and implement
Security breaches caused by policy shortcomings are most often due to
o Incomplete or inconsistent policy
o Misunderstanding the policy's requirements
o Error in implementation
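The slide's first failure mode, an incomplete policy, is easiest to see in code. The following is an added example, not from the lecture: a minimal access-control evaluator with two policy styles. A default-allow policy (a denylist) turns every rule the author forgot into a breach; a default-deny policy (an allowlist) turns the same omission into a refused request. The principals, objects and rules ("bob", "payroll.db", and so on) are constructed for illustration.

```python
# Added example (not from the slides): how policy completeness interacts
# with the default decision. Principals, actions, objects and the rule
# sets below are constructed for illustration.

from typing import Iterable, NamedTuple


class Rule(NamedTuple):
    principal: str
    action: str
    obj: str


# Constructed allowlist: exactly what the policy permits. Nothing says
# anyone may "delete", so delete is forbidden for everyone.
ALLOW_RULES = {
    Rule("alice", "read", "payroll.db"),
    Rule("alice", "write", "payroll.db"),
    Rule("bob", "read", "payroll.db"),
}

# Constructed denylist written with the same intent ("bob may only read").
# The author remembered to forbid "write" but forgot "delete": the policy
# is incomplete.
DENY_RULES = {
    Rule("bob", "write", "payroll.db"),
}


def allowed_default_allow(denylist: Iterable[Rule], principal: str, action: str, obj: str) -> bool:
    """Default allow: anything not explicitly forbidden is permitted."""
    return Rule(principal, action, obj) not in set(denylist)


def allowed_default_deny(allowlist: Iterable[Rule], principal: str, action: str, obj: str) -> bool:
    """Default deny: only an explicit rule permits the request."""
    return Rule(principal, action, obj) in set(allowlist)


def evaluate(requests: Iterable[tuple]) -> list:
    """Run the same requests through both policies, side by side."""
    return [
        (p, a, o,
         allowed_default_allow(DENY_RULES, p, a, o),
         allowed_default_deny(ALLOW_RULES, p, a, o))
        for p, a, o in requests
    ]


if __name__ == "__main__":
    for p, a, o, da, dd in evaluate([("bob", "read", "payroll.db"),
                                     ("bob", "write", "payroll.db"),
                                     ("bob", "delete", "payroll.db")]):
        print(f"{p} {a} {o}: default-allow={da} default-deny={dd}")
```

The forgotten "delete" rule is the same omission in both policies; only the default decision determines whether it becomes a breach. This is why a policy that states what is allowed (and treats everything else as forbidden) is easier to get right than one that tries to enumerate what is forbidden.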


System Functionality

Limiting functionality limits attacks
Security breaches caused by system functionality can be caused by
o Software bugs
o Unforeseen interactions between components


Relative Security

Few useful systems will be absolutely secure
We view security in a relative sense
This does not mean that good security design and implementation are unimportant
Example: safes (rated by how long they resist a given attack, not as unbreakable)


Cost vs Security

The proper security level depends on the value of the items that the system is protecting (other concerns?)
Trade-off between cost and security
Select the security level appropriate for user needs


Cost vs Security (continued)

Example: user authentication
o System A - authenticates the user by retinal scan
o System B - authenticates users once with a password
System A is probably more secure than System B, but more costly and inconvenient
Is the added security and expense called for?
o Maybe for the NSA
o Not for an individual


Secure System Concerns

Data
o Privacy
o Integrity
o Availability
Users
o Authentication
o Privacy


Data Privacy

Data privacy: access to information is limited to authorized entities
Examples
o Certain files are only accessible to certain users
o Communications between two users cannot be read by some third party
Cryptography is used for privacy of data


Data Integrity

Data has integrity if it can only be modified by authorized principals
Examples
o A bank must ensure that only authorized personnel can change account balances
o A company must make sure that its freeware program has not been modified
Message digests are used to protect integrity
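The freeware example above deserves a caveat that a practitioner would want: a plain message digest only protects integrity if the attacker cannot also replace the digest, which means the digest must travel out of band (or be keyed or signed). The following is an added example, not from the lecture, using Python's standard library. The "program" bytes, the tampered version and the key are constructed for illustration.

```python
# Added example (not from the slides): verifying a downloaded program
# with an unkeyed SHA-256 digest versus a keyed digest (HMAC-SHA256).
# PROGRAM, TAMPERED and KEY are constructed for illustration.

import hashlib
import hmac
import secrets

PROGRAM = b"#!/bin/sh\necho 'freeware v1.0'\n"                 # constructed
TAMPERED = b"#!/bin/sh\necho 'freeware v1.0'\nrm -rf ~\n"      # constructed attack
KEY = secrets.token_bytes(32)   # shared only between publisher and verifier


def digest(data: bytes) -> str:
    """Unkeyed SHA-256 hex digest of the data."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_hex: str) -> bool:
    """Compare in constant time; a plain == would leak timing information."""
    return hmac.compare_digest(digest(data), expected_hex)


def keyed_digest(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag: cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_keyed(key: bytes, data: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(keyed_digest(key, data), expected_hex)


def plain_digest_defeated() -> bool:
    """Attacker who controls the download site replaces BOTH the file and
    the published digest; verification still passes, so the digest gave
    no integrity on its own."""
    forged_file, forged_digest = TAMPERED, digest(TAMPERED)
    return verify_digest(forged_file, forged_digest)   # True


def hmac_defeated(key: bytes) -> bool:
    """Same attacker against a keyed digest: without KEY the forged tag
    does not verify."""
    forged_tag = keyed_digest(b"attacker-guess", TAMPERED)
    return verify_keyed(key, TAMPERED, forged_tag)      # False


if __name__ == "__main__":
    published = digest(PROGRAM)
    print("genuine file, digest obtained out of band:", verify_digest(PROGRAM, published))
    print("tampered file, digest obtained out of band:", verify_digest(TAMPERED, published))
    print("tampered file and tampered digest:", plain_digest_defeated())
    print("tampered file against HMAC:", hmac_defeated(KEY))
```

The digest detects modification only when the verifier obtains it through a channel the attacker cannot write to; the keyed version moves that requirement from the channel to the key. A digital signature generalizes this further by letting anyone verify with a public key, which is the usual choice for published software.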


Data Availability

Data availability means that data is accessible in a timely manner as needed
Examples
o A non-working laptop brought to an open-note test
o A student's laptop notes are poorly organized, so time is wasted finding the relevant information
Replication and fault tolerance can be used to ensure the availability of data


User Authentication

User authentication means that the system accurately determines the user's identity
Examples
o Files readable only by their owner
o Only certain users should be able to add or delete system accounts
Authenticate by: something you know, something you have, something you are
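For the "something you know" factor (System B on the Cost vs Security slide), the check that matters is how the password is stored and compared. The following is an added example, not from the lecture, using Python's standard library: passwords are enrolled as salted PBKDF2-HMAC-SHA256 hashes, so a stolen copy of the user database does not reveal them, and verification compares in constant time and does a hash computation even for unknown users so that response time does not reveal which user names exist. The user names, passwords and iteration count are constructed for illustration.

```python
# Added example (not from the slides): password ("something you know")
# authentication with salted, iterated hashing. Users, passwords and the
# iteration count are constructed for illustration; production code should
# follow current guidance for the iteration count.

import hashlib
import hmac
import secrets

ITERATIONS = 200_000            # constructed value
SALT_LEN = 16
_DUMMY = (b"\x00" * SALT_LEN, b"\x00" * 32)   # used for unknown users


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(db: dict, user: str, password: str) -> None:
    """Store (salt, hash); the clear-text password is never kept."""
    salt = secrets.token_bytes(SALT_LEN)
    db[user] = (salt, _hash(password, salt))


def authenticate(db: dict, user: str, password: str) -> bool:
    """True only if the user exists and the password matches.

    The hash is computed even when the user is unknown, so an attacker
    cannot tell valid from invalid user names by timing the response.
    """
    salt, stored = db.get(user, _DUMMY)
    candidate = _hash(password, salt)
    return user in db and hmac.compare_digest(candidate, stored)


def build_demo_db() -> dict:
    """Constructed user database for the demonstration."""
    db: dict = {}
    enroll(db, "alice", "correct horse battery staple")
    enroll(db, "bob", "hunter2")
    return db


if __name__ == "__main__":
    db = build_demo_db()
    print("alice, right password:", authenticate(db, "alice", "correct horse battery staple"))
    print("alice, wrong password:", authenticate(db, "alice", "hunter3"))
    print("unknown user:", authenticate(db, "mallory", "anything"))
```

The salt makes two users with the same password hash differently, and the iteration count makes each guess expensive for an attacker who has obtained the database. None of this helps against the weakness the slide itself points out: a password authenticates only once, at login, and proves nothing about who is at the keyboard afterwards.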


User Privacy

User privacy means that users have control over the information collected about them and made available to others
Examples:
o A user may not want others to know which programs they run, who they communicate with, etc.
o A user may not want to receive spam
Anonymity can protect privacy


Network and Internet

Additional challenges
o Privacy
Stand-alone system - the operating system is likely to control all communication channels
Networked systems - no host controls the communication medium; eavesdropping is usually easy
o User authentication
Stand-alone system - the user is physically present
Internetworked systems - the user may access the system over an insecure communication channel


Summary

A secure computer system follows its security policy
Security concerns involve protecting
o Data privacy
o Data integrity
o Data availability
o User authentication
o User privacy
Networks and internetworks add further risks
