This video is part of the computer/information/cyber security and ethical hacking lecture series by Z. Cliffe Schreuders at Leeds Beckett University. Laboratory work sheets, slides, and other open educational resources are available at http://z.cliffe.schreuders.org.
The slides themselves are Creative Commons licensed (CC-BY-SA), and images used are licensed as individually attributed.
Topics covered in this lecture include:
What is security?
What is computing security?
'A computer is secure if you can depend on it and its software to behave as you expect' – Garfinkel et al., Practical Unix & Internet Security
Security is a process, not a state or a product
We can aim to be in a secure state, but we need to have the process in place to maintain 'security'
Security involves “The Golden Triangle”:
Attackers and terminology
Attacker – generic term
Black hat / cracker – nefarious attacker
White hat – good guy / researcher
Hacker – the media's term for attacker
Who and why?
Organised crime
Corporate espionage (gather information)
Insider threats (disgruntled employees)
Hacktivists
Botnet operators
Government sponsored attacks
Many nations have capabilities, such as China and USA
Stuxnet escaped into the wild
Many attacks originate from China (allegedly state sponsored)
Government sponsored attacks
The NSA attacked Google, Yahoo and various other companies (incl. data center links)
NSA Tailored Access Operations (TAO)
QUANTUM, FOXACID, intercept traffic and attack end users
Government sponsored attacks
NSA intercept network equipment being shipped, and implant firmware
Advanced persistent threat (APT): a long term pattern of targeted, sophisticated attacks
Aimed at governments, organisations, or activists
APT1: China, APT28: Russia
Weakest Link
'Principle of Easiest Penetration...' – Pfleeger and Pfleeger, Security in Computing
Break into and reseal a locked suitcase demonstration
Security goals
Computing security is often described as having three main goals, that of:
Confidentiality
Integrity
Availability
Confidentiality
Secrecy / Privacy
Only accessed by those authorised
Need to know
Integrity
Data is accurate
Unmodified
Only modified in authorised ways
Availability
Services are usable
Respond fast enough, for authorised users
Mitigate denial of service attacks
Cost
Security breaches can cost an organisation either
directly financially
or indirectly
Reputation
Customer relations
Vulnerabilities and Threats
Vulnerability – a weakness in the security system
Threat – circumstance that has the potential to do harm
Threats include...
Some general threats include unauthorised:
Disclosure of information
Modification
Snooping ('wiretapping')
Masquerading or spoofing
Denial of service
Following are some concrete examples...
Threats include...
Unauthorised local people
Attempting to access a computer
Users with access
May misuse their access to a computer system
May attempt to get access to additional resources
Threats include...
'Misbehaving' programs
Software bugs or design problems
Malicious software (malware)
Misconfiguration of software/security
May accidentally grant access (directly or indirectly)
Threats include...
Remote attackers
Looking for any kind of access
Intercepting or modifying communications
Masquerading or spoofing (impersonating) others
Behaving unexpectedly (attempting to exploit software vulnerabilities)
Attempting to trick legitimate users/processes to act on their behalf
A security policy defines what is, and what is not, allowed
Policy can be a set of rules for a program or for people to follow
Needs to be designed to mitigate threats
A 'security mechanism', or 'control', is something that enforces a security policy
Can be a method, tool, or procedure
Actively mitigates threats
Examples include:
Passwords for authentication
Access control for restricting what users and processes can do
Firewalls for limiting the network traffic that is allowed
Sandboxes and Virtualisation for isolation
Encryption for 'scrambling' data
Non-technical procedures: for example, requiring proof of identity
Security teams
Security goals
Prevention
Means that an attack will fail
For example, by employing controls
This is the focus of this module
Detect
Determine that an attack has occurred or is happening
For example, by monitoring activity
Recover
Stop an attack and repair damage
For example, by restoring data
Security Jobs
Thinking like an attacker – Bruce Schneier
Challenging
It is arguably easier to break a system than to keep it secure
It only takes one weakness...
Computing security is challenging – and can be fun
Conclusion
We have discussed important security concepts, including:
the motivation for security
common security threats
and security goals
- published: 13 Jun 2015