220 likes | 228 Vues
TERMS & DEFINITIONS IN COMPUTER SECURITY CRH503. Jacky Hartnett 2011. Topics. Terms and Definitions Computer security definitions What can be lost? Interception, modification, fabrication, interruption Privacy versus Confidentiality. Topics. Terms and Definitions
E N D
TERMS & DEFINITIONS IN COMPUTER SECURITYCRH503 Jacky Hartnett 2011
Topics • Terms and Definitions • Computer security definitions • What can be lost? • Interception, modification, fabrication, interruption • Privacy versus Confidentiality
Topics • Terms and Definitions • Computer security definitions • What can be lost? • Interception, modification, fabrication, interruption • Privacy versus Confidentiality
References • Chapter 1 of the book by Pfleeger
Term and Definitionsfor attacks • Vulnerability • weak point in system (computer and manual) • try to find and protect these (penetration testing) • Threat • circumstances or people that possibly might cause harm to the system (always changing) • Loss • undesired (costly) end result of a threat materialising
Terms and Definitionsfor prevention • Risk • quantified measure of what could lose • Exposure • assessment of likelihood of sustaining a particular loss • Protection • safeguards against loss • countermeasures
Terms and Definitionsfor evaluation of security • Weakest link • system will be attacked where weakest • system is only as strong as its weakest link • A great photo that illustrates the "weakest link" principle: • http://www.syslog.com/~jwilson/pics-i-like/kurios119.jpg
Terms and Definitionsfor evaluation of security • Weakest link • system will be attacked where weakest • Cost-effectiveness • level of protection versus cost of countermeasures • Timeliness • length of time protection has to last • affects strength of CIA protection used
Terms and Definitionsfor evaluation of security • More on Timeliness • Integrity protection • Network data while it travels through the network ~ 180 seconds • A contract for perhaps 20 years • Confidentiality protection • ‘Attack a dawn’ - a secret until dawn • “X has HIV’ - confidential for always
Terms and Definitionsfor a successful attack • Method • Must have way to exploit vulnerability • Opportunity • Ability to circumvent normal controls so can use method • Motive • Some kind of benefit to perpetrator • Not necessarily monetary gain
Topics • Terms and Definitions • Computer security definitions • What can be lost? • Interception, modification, fabrication, interruption • Privacy versus Confidentiality
What can be lost?interception C “assets of a computing system are accessible only by authorised parties”Pfleeger p5 • unauthorised viewing of data • data residing on system • data in transit (interception) • data as hard copy • data as backup • how can you tell?
What can be lost?modification and fabrication I ‘Every piece of data is as the last authorized modifier left it’Schneier, p122 • data is altered, invented (fabricated) or re-used • on system • as backup • in transit • as hard copy
What can be lost?interruptions A ‘an attacker can’t prevent legitimate users from having reasonable access to their systems’Schneier, p122 • can’t use system when need to • software failure • hardware failure • denial of service • systematic attack • The motivation landscape for these has changed recently with a new class of attacker – Nation States being added to the list
Topics • Terms and Definitions • Computer security definitions • What can be lost? • Interception, modification, fabrication, interruption • Privacy versus Confidentiality
Privacy versus Confidentiality • Privacy • idea that you can control what is known about you even if it is publicly available • eg name and address • phone book, electoral roll • presence on list • links to other data
Privacy versus Confidentiality • Profiling • use of personal data aggregated to reveal information previously considered private • Credit cards, Loyalty schemes • can work out from shopping habits about • personal tastes -> • Targeted advertising • clothing sizes of family -> • composition, age and gender of family
Privacy versus Confidentiality • Profiling based on • Personally Identifiable Information PII • Personally Identified Data PID • Uses private information • No access to confidential information • Read the ‘Cuckoo’s Egg to understand military concept of sensitive information that when aggregated can lead to confidential info being deduced • Protection • Privacy legislation
Privacy versus Confidentiality • Confidentiality • idea that some things should be known only to a few people • secrets (eg Coca Cola recipe) • pejorative data (reflects badly upon) • surprises (company results) • Roger Clarke • http://www.anu.edu.au/people/Roger.Clarke/
Privacy versus Confidentiality- why care? • Needs of business • risk analysis, security policy (later lectures) • Government Regulation • Australian Information Privacy Principles • National Privacy Principles • Legal ‘duty of care’
Summary • As with all subjects certain words have a specific meaning in the Computer Security Domain • The concepts contained n these definitions can help with setting security goals • Terms for the motivations and means of attacking information systems have also been discussed