COMP2700 - Week 1 - Intro Cyber Security

Security

Security Strategies

  • Prevention -> Take measures to prevent assets from being damaged
  • Detection -> Take measures to detect when, how and by whom an asset is damaged
  • Reaction -> Take measures to recover assets or to recover from damage to assets

Please Drive Right

Security Objectives

  • Confidentiality -> Prevent unauthorised disclosure and reading of information

    • Unauthorised users should not learn sensitive information, i.e. hiding the existence of something
    • Secrecy -> Protection of data belonging to someone else
  • Integrity -> Prevent unauthorised modification of information

    • Data integrity -> No accidental or malicious alteration or destruction of data
      • Any such events/attempts should be detected and logged
  • Availability -> Prevent unauthorised withholding of information

    • i.e. being accessible and usable upon demand
    • DoS or DDoS -> Prevention of authorised access to resources
  • Authenticity -> Know who/what you are talking to

  • Accountability (Non-repudiation) -> Prove an entity was in an event

    • Requires:
      • Audit trails -> System/authentication logs
      • A link between a user and a user identity
    • Non-repudiation -> Unforgeable evidence that something occurred or that someone was involved
      • Non-repudiation of Origin -> Protects against a sender denying that data was sent
      • Non-repudiation of Delivery -> Protects against a receiver denying that data was received

CIAAA - CI 'triple' A
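
An added example (not part of the original notes) of the audit-trail requirement under Accountability and the "detected and logged" requirement under Integrity: each record is hash-chained to the previous one and tagged with a per-user HMAC key, so alteration, re-attribution and deletion of records are detected. The user names, keys and actions are constructed sample values, and the per-user key scheme is an assumption.

```python
import hashlib, hmac, json

GENESIS = "0" * 64  # previous-hash value used for the first record

def record_digest(prev_hash, user, action):
    body = json.dumps({"prev": prev_hash, "user": user, "action": action}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def append(log, user, action, user_keys):
    """Append a record chained to the previous one and tagged with the user's key."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    h = record_digest(prev_hash, user, action)
    tag = hmac.new(user_keys[user], h.encode(), hashlib.sha256).hexdigest()
    log.append({"user": user, "action": action, "prev": prev_hash, "hash": h, "tag": tag})

def verify(log, user_keys):
    """Return the index of the first bad record, or None if the trail is intact."""
    prev_hash = GENESIS
    for i, rec in enumerate(log):
        key = user_keys.get(rec["user"])
        if key is None or rec["prev"] != prev_hash:
            return i  # unknown identity, or a record was removed/reordered
        h = record_digest(prev_hash, rec["user"], rec["action"])
        expected = hmac.new(key, h.encode(), hashlib.sha256).hexdigest()
        if h != rec["hash"] or not hmac.compare_digest(expected, rec["tag"]):
            return i  # content or attribution no longer matches hash/tag
        prev_hash = h
    return None

def demo():
    # Constructed sample identities and keys (assumptions for this example).
    keys = {"alice": b"constructed-key-a", "bob": b"constructed-key-b"}
    log = []
    append(log, "alice", "read payroll.csv", keys)
    append(log, "bob", "update payroll.csv", keys)
    append(log, "alice", "delete payroll.csv", keys)
    intact = verify(log, keys)
    log[1]["action"] = "read payroll.csv"    # alter what was done
    altered = verify(log, keys)
    log[1]["action"] = "update payroll.csv"  # restore
    log[2]["user"] = "bob"                   # blame someone else
    reattributed = verify(log, keys)
    log[2]["user"] = "alice"                 # restore
    del log[1]                               # remove a record from the middle
    deleted = verify(log, keys)
    return intact, altered, reattributed, deleted
```

Because the verifier holds the same HMAC keys as the users, this gives an audit trail with integrity checking but not non-repudiation; that needs evidence the verifier could not have produced, such as a digital signature. Removing records from the end of the trail is only detectable if the latest hash is also kept somewhere the log writer cannot change.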

Reliability and Safety

  • Reliability -> Addresses the consequences of accidental errors

    • Can be tested against typical usage patterns
    • Untypical usage patterns must be tested to make it more secure
  • Safety -> Measure the absence of catastrophic influences on the environment

Dimension of computer security


Design Decisions

I. Where to Focus Control?

Focus: Data, Operations, or Users?

Example - Integrity requirements:

  • Format and content of data items
  • Operations on data items
  • Authorised users

II. Where to Place Security Control?

Control Levels

  • Application
  • Services (middleware)
  • Operating System
  • OS Kernel
  • Hardware

Human-machine Scale

  • Security mechanisms can be visualised as concentric protection rings
    • Hardware mechanisms in the centre, application mechanisms outwards
    • Centre mechanisms are usually more generic, outer ones are more specific

Onion model of protection

Data vs Information

Data -> Representation of certain aspects of our conceptual and real world

Any meanings we assign to data can be labelled as information

III. Complexity vs Assurance

  • Location of a security mechanism on the man-machine scale is related to its complexity

Centralised vs Decentralised Control

  • Centralised control

    • + One entity in charge and easy to achieve uniformity
    • - Performance bottleneck
  • Distributed control

    • + More efficient
    • - Policy consistency needs to be enforced

Security Perimeter

  • Every mechanism has a defined security perimeter
  • Anything able to malfunction without compromising anything else lies outside the perimeter; anything that cannot lies inside

Note: Inside attacks are common

IV. Protection of the Layer Below

  • Preventing someone from bypassing protection mechanisms