What is Security?
Chapter 1 Introduction
o Only authorized users are able to use the system
o Authorization / access control
o Resource sharing among users
Security Breaches
A violation of a system's security policy is called a security breach. Security breaches can occur
o Accidentally (e.g., a faulty program)
o Intentionally (e.g., a virus)
Creating a system where security breaches cannot occur can be easy or impossible, depending on
o What the security policy requires
System
o Include necessary functionality (and no more)
o Perform the job it was designed to do (and no more)
Policy Simplicity
Simpler security policies are easier to get right, reason about and implement. Security breaches caused by policy shortcomings are most often due to
System Functionality
Limiting functionality limits attacks. Security breaches caused by system functionality can be caused by
o Software bugs
o Unforeseen interactions between components
Relative Security
Few useful systems will be absolutely secure, so we view security in a relative sense. This does not mean that good security design and implementation are unimportant. Example: safes
Cost vs Security
The proper security level depends on the value of the items that the system is protecting (other concerns?). There is a trade-off between cost and security: select the security level appropriate for the user's needs.
System A is probably more secure than system B, but more costly and inconvenient. Is the added security and expense called for?
o Maybe for the NSA
o Not for an individual
Users
Data Privacy
Data privacy: access to information is limited to authorized entities. Examples
o Certain files only accessible to certain users
o Communications between two users cannot be
Data Integrity
Data has integrity if it can only be modified by authorized principals. Examples
o Only authorized personnel can change account balances
o A company must make sure that its freeware program has not been modified
Data Availability
Data availability means that data is accessible in a timely manner as needed. Examples
o Non-working laptop brought to an open-note test
o Student's laptop notes poorly organized, so time
Replication and fault tolerance can be used to ensure the availability of data.
User Authentication
User authentication means that the system accurately determines a user's identity. Examples
o Files readable only by their owner
o Only certain users should be able to add or
Authenticate by: something you know, something you have, something you are.
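The authorization, data privacy, data integrity and user authentication slides above all describe the same mechanism: a policy check in front of every access. The following is an added example, not from the lecture, of a minimal reference monitor that enforces the slides' scenarios (files readable only by their owner, account balances changeable only by authorized personnel) with deny-by-default and an audit trail. All names, principals and resources are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample policy: deny by default; a read requires the reader to be
# the owner or explicitly listed; a write requires a role the policy names.
@dataclass
class Resource:
    name: str
    owner: str
    readers: set = field(default_factory=set)       # extra principals who may read
    writer_roles: set = field(default_factory=set)  # roles allowed to modify

@dataclass
class Principal:
    name: str                    # identity, assumed already authenticated
    roles: set = field(default_factory=set)

class ReferenceMonitor:
    """Checks every access against the policy and records each decision."""
    def __init__(self):
        self.audit = []          # (who, op, what, allowed) tuples

    def check(self, who: Principal, what: Resource, op: str) -> bool:
        if op == "read":         # data privacy: only authorized entities may see it
            allowed = who.name == what.owner or who.name in what.readers
        elif op == "write":      # data integrity: only authorized principals modify it
            allowed = bool(who.roles & what.writer_roles)
        else:
            allowed = False      # unknown operations are denied, never guessed at
        self.audit.append((who.name, op, what.name, allowed))
        return allowed

def demo() -> list:
    """Run the slide scenarios through the monitor; returns the decisions."""
    notes = Resource("alice_notes.txt", owner="alice")
    balance = Resource("acct_1234", owner="bank", readers={"bob"},
                       writer_roles={"teller"})
    alice = Principal("alice")
    bob = Principal("bob")
    teller = Principal("carol", roles={"teller"})
    mon = ReferenceMonitor()
    return [
        mon.check(alice, notes, "read"),      # True: owner reads own file
        mon.check(bob, notes, "read"),        # False: neither owner nor listed
        mon.check(bob, balance, "read"),      # True: customer may view balance
        mon.check(bob, balance, "write"),     # False: customer cannot change it
        mon.check(teller, balance, "write"),  # True: authorized personnel
        mon.check(teller, balance, "delete"), # False: operation not in policy
    ]
```

The monitor assumes the identity in `Principal` was established by authentication first; every denied request still lands in `audit`, which is what detection of policy violations depends on.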
User Privacy
User privacy means that users have control over information collected about them and made available to others. Examples:
o they run, who they communicate with, etc.
o User may not want to receive spam
Additional challenges
o Privacy
Stand-alone system: the operating system is likely to control all communication channels
Networked systems: no host controls the communication medium; eavesdropping is usually easy
o User authentication
Stand-alone system: the user is physically present
Internetworked systems: the user may access the system over an insecure communication channel
Summary
A secure computer system follows a security policy. Security concerns involve protecting
o Data privacy
o Data integrity
o Data availability
o User authentication
o User privacy
o Networks and internetworks add additional risks