Terminology

  • assets - items of value in a computer or system (hardware, software, data)
    • value depends on the owner's perspective; replacement cost and time
  • computer security - relative to a set of desired properties (secure end system, data in transit, etc.) and the capabilities of the adversary
  • vulnerability - weakness in the system that may be exploited to cause loss or harm
  • threat - set of circumstances with potential to cause loss or harm; classes of threats:
    • disclosure - unauthorized access to information
    • deception - acceptance of false data
    • disruption - interruption or prevention of correct operation
    • usurpation - unauthorized control of a system (can be partial)
  • attack - actual violation of security
    • random attack - attacker looking to harm any computer or user
    • directed attack - attacker looking to harm specific computers, people, or systems
    • an attack can be active ("modifying data") or passive ("listening, learning about data")
  • types of attackers
    • individuals - motivated by fun, challenge, revenge
    • organized worldwide groups - motivated by financial gains, fame, ...
    • organized crime - fraud, extortion, money laundering
    • terrorists - government coordinated targeted attacks
  • factors of successful attacks - deny any of these and the attack will fail
    • method: skill, knowledge, tools to carry out the attack
    • opportunity: time and access to execute
    • motive: reason to attack
  • control or countermeasure - action, device, procedure, or technique to remove or reduce vulnerability
    • control prevents threats from exercising vulnerabilities
    • threat is blocked by control of a vulnerability
  • types of controls
    • physical controls - stop/block attack by something tangible
    • procedural/administrative controls - command or agreement to advise people how to act
    • technical controls - hardware/software countermeasures (encryption, passwords, access control, firewalls, etc.)
  • authorization - determination of whether a person or system is allowed to access a resource, based on an access control policy
  • authentication - determination of the role or identity someone has (smart card, password, fingerprint)
    • something you know, something you have, something you are
    • the ability of system to confirm the identity of sender
  • C.I.A
    • foundation for thinking about security
    • computer security seeks to prevent unauthorized viewing or modification of data, whether in storage, processing or in transit, while preserving access for authorized users (i.e. preventing denial of service); this includes measures to detect, document and counter such threats
  • confidentiality - asset is viewed only by authorized parties
    • avoidance of unauthorized disclosure of information, to include knowing about existence of data
    • tools: encryption, access control, authorization, authentication, physical security
  • integrity - asset is modified only by authorized parties, information has not been altered in unauthorized ways
    • data integrity
    • origin integrity - authentication
    • tools: (prevention) access controls, (detection) checksums, (recovery) error-correcting codes - ability to restore the original if a transient error occurs
  • availability - assets can be used by any authorized parties; access to data/resource in timely fashion
    • related: capacity, performance, fault tolerance, usability
    • tools: physical protections, computational redundancies
  • non-repudiation or accountability - ability of system to confirm that a sender cannot convincingly deny having sent something
  • auditability - ability of system to trace all actions related to a given asset
  • authenticity - proof of originality
    • tools: using digital signatures -> provides service of nonrepudiation
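The integrity and authenticity entries above name checksums for detection and keyed or signed tags for origin integrity. The following Python script is an added illustration written for these notes, not code from the original; it uses only the standard library and a constructed sample record. It shows the practical difference: an unkeyed checksum catches a transient bit flip but not an adversary who rewrites the record and recomputes the checksum, whereas a keyed HMAC-SHA256 tag rejects the modified record because the adversary lacks the key. HMAC gives data and origin integrity between parties sharing the key; it does not give non-repudiation, since the verifier could have produced the same tag, which is why the notes point to digital signatures (asymmetric keys) for that property.

```python
import hashlib
import hmac
import secrets

# Constructed sample asset (not taken from the notes): a stored ledger record.
RECORD = b"account=1234;amount=100.00;currency=USD"


def checksum(data: bytes) -> str:
    """Unkeyed checksum (SHA-256). Detects accidental corruption: anyone can
    recompute it, so it says nothing about who produced the data."""
    return hashlib.sha256(data).hexdigest()


def mac_tag(key: bytes, data: bytes) -> str:
    """Keyed tag (HMAC-SHA256). Recomputing it requires the key, so it binds
    the data to a key holder: data integrity plus origin integrity."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(expected: str, actual: str) -> bool:
    # Constant-time comparison so verification itself does not leak the tag.
    return hmac.compare_digest(expected, actual)


def flip_one_bit(data: bytes, index: int = 10) -> bytes:
    """Model a transient storage or transmission error."""
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)


def transient_error_detected() -> bool:
    """A checksum stored beside the record catches a random bit flip."""
    stored = checksum(RECORD)
    corrupted = flip_one_bit(RECORD)
    return not verify(stored, checksum(corrupted))


def tampering_detected_by_checksum() -> bool:
    """An adversary who can write the record can also overwrite the checksum,
    so the recomputed checksum passes verification. Returns False: the
    modification goes undetected."""
    modified = RECORD.replace(b"100.00", b"900.00")
    forged_checksum = checksum(modified)  # adversary recomputes the checksum
    return not verify(forged_checksum, checksum(modified))


def tampering_detected_by_mac(key: bytes) -> bool:
    """Without the key the adversary cannot produce a matching tag, so the
    verifier (who holds the key) rejects the modified record."""
    stored_tag = mac_tag(key, RECORD)
    modified = RECORD.replace(b"100.00", b"900.00")
    # Best the adversary can do without the key is leave the old tag in place.
    return not verify(stored_tag, mac_tag(key, modified))


if __name__ == "__main__":
    k = secrets.token_bytes(32)
    print("checksum catches bit flip:  ", transient_error_detected())
    print("checksum catches tampering: ", tampering_detected_by_checksum())
    print("HMAC catches tampering:     ", tampering_detected_by_mac(k))
```

Run it directly to see the three results (True, False, True). The key in a real deployment would come from a key store rather than being generated per run, and the tag would be stored or transmitted with the record.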
  • anonymity - certain records or transactions not to be attributable to any individual
    • not same as privacy - privacy is relative to each individual
    • tools: pseudonyms, mixing/interleaving transactions, information, communications such that they are not traceable to any individual
  • assurance - confidence that system works as expected
    • specs, design, implementation + trusting people who made them
    • trust management: policies for how users can access the system; permissions; protection from unauthorized access
    • information assurance organizations:
      • Information Assurance Advisory Council (IAAC)
      • National Institute of Standards and Technology (NIST)
  • Directory of known security vulnerabilities and exposures: https://cve.mitre.org
  • Common Vulnerability Scoring System (CVSS) https://nvd.nist.gov/cvss.cfm
  • ways to reduce risk:
    • prevent violation of security policy
    • detect violations of security policy, and measure efficiency of prevention mechanism
    • recover from effects: stop policy violations, assess and repair damage, ensure availability during an ongoing attack, fix vulnerabilities to prevent future attacks, report to authorities
    • deter, deflect, mitigate
  • Operational issues
    • breach caused by improper operation
    • risk analysis and management: which threats to control and what resources to devote
    • cost-benefit analysis: is it cheaper to prevent or recover
    • laws and customs: are security measures illegal, will people do them?
  • human issues
    • power, responsibility, coordination -> who is the scapegoat
    • financial benefits -> maybe no action if no impact on revenue
    • people problems: outsiders vs. insiders; social engineering