Computer Security
Total Page:16
File Type:pdf, Size:1020Kb
Edited by: Dr. Avinash Bhagat COMPUTER SECURITY Edited By Dr.Avinash Bhagat Printed by EXCEL BOOKS PRIVATE LIMITED A-45, Naraina, Phase-I, New Delhi-110028 for Lovely Professional University Phagwara SYLLABUS Computer Security Objectives: To enable the student to understand various threats and security policies for computer systems. Student will learn: cryptography, authorization issues, database security issues, network security issues, design of trusted operating system. Sr. No. Description 1. An Overview of Computer Security: Basic Components, Threats, Goals of Security, Protection State, Assurance and Operational Issues. 2. Information & Network Security Policies: What is a security policy, Types of security polices – Confidentiality policies, Integrity policies, Hybrid policies. 3. Cryptography: What is Cryptography, Substitution Ciphers. Transposition (Permutations). Making “Good” Encryption Algorithms. The Data Encryption Standard (DES). The AES Encryption Algorithm. Public Key Encryption. The Uses of Encryption. 4. Access Control Mechanisms: Access Control Lists, Abbreviations, Creation & Maintenance, Revocation of Rights, Ring based Access Control, Propagated access Control Lists. 5. User Authentication: Basics, Passwords as Authenticators, Attacks on Passwords, Password Selection Criteria, Authentication Process, Biometrics. 6. Designing Trusted Operating Systems: What Is a Trusted System? Security Policies, Models of Security, Trusted Operating System Design, Assurance in Trusted Operating Systems. 7. Database Security: Introduction to Databases, Security Requirements, Reliability and Integrity, Sensitive Data, Inference, Multilevel Databases, Proposals for Multilevel Security. 8. Security in Networks: Network Concepts, Threats in Networks, Network Security Controls, Firewalls. Intrusion Detection Systems, Secure E-Mail. CONTENT Unit 1: Introduction to Computer Security 1 Avinash Bhagat, Lovely Professional University Unit 2: Information Security Policies 11 Avinash Bhagat, Lovely Professional University Unit 3: Assurance and Operational Issues 22 Avinash Bhagat, Lovely Professional University Unit 4: Cryptography 33 Avinash Bhagat, Lovely Professional University Unit 5: Access Control Mechanism 48 Manmohan Sharma, Lovely Professional University Unit 6: User Authentication 58 Manmohan Sharma, Lovely Professional University Unit 7: Designing Trusted Operating System 71 Manmohan Sharma, Lovely Professional University Unit 8; Introduction to Databases 88 Avinash Bhagat, Lovely Professional University Unit 9: Database Security 104 Avinash Bhagat, Lovely Professional University Unit 10: Network Concepts 114 Avinash Bhagat, Lovely Professional University Unit 11: Threats in Network 128 Avinash Bhagat, Lovely Professional University Unit 12: Network Security Controls 142 Manmohan Sharma, Lovely Professional University Unit 13: Firewalls 151 Manmohan Sharma, Lovely Professional University Unit 14: Intrusion Detection System and Secure E-mail 170 Manmohan Sharma, Lovely Professional University Avinash Bhagat, Lovely Professional University Unit 1: Introduction to Computer Security Unit 1: Introduction to Computer Security Notes CONTENTS Objectives Introduction 1.1 Basic Components of Security 1.2 Essentials of computer Security 1.3 Threats to Computer Security 1.3.1 Errors and Omissions 1.3.2 Fraud and Theft 1.3.3 Loss of Physical and Infrastructure Support 1.3.4 Malicious Hackers 1.3.5 Malicious Code 1.4 Goals of Security 1.5 Security Policies and Procedures 1.6 Ways to Ensure Computer Security 1.7 Security Precautions 1.8 Summary 1.9 Keywords 1.10 Review Questions 1.11 Further Readings Objectives After studying this unit, you will be able to: Discuss the importance of computer security Learn about the basic components of computer security Know about the various goals of security Understand the various threats to computer security Introduction This unit deals with the basic concepts relating computer security. The remainder of the book will elaborate on these concepts in order to reveal the logic underlying the principles of these concepts. We begin with basic security-related services that protect against threats to the security of the system. The next section discusses security policies that identify the threats and define the requirements for ensuring a secure system. Security mechanisms detect and prevent attacks and recover from those that succeed. Analyzing the security of a system requires an understanding LOVELY PROFESSIONAL UNIVERSITY 1 Computer Security Notes of the mechanisms that enforce the security policy. It also requires knowledge of the related assumptions and trust, which lead to the threats and the degree to which they may be realized. Such knowledge allows one to design better mechanisms and policies to neutralize these threats. This process leads to risk analysis. Human beings are the weakest link in the security mechanisms of any system. Therefore, policies and procedures must take people into account. This Unit discusses each of these topics. Why is Security Important? Computer security is the process of preventing or detecting unauthorized use of your computer. Malicious software on your computer can damage files, steal personal information and ultimately render your computer inoperable. Using the proper security can help prevent these types of problems. Privacy Issues Computers are used for everything from banking to shopping to communication, all things that you may not want strangers accessing. Generally when people use the Internet their activities are not private anymore. Anytime you apply for an account, register for something or purchase something online that information is saved. This information can be sold to marketing companies without your knowledge or consent. This can be either legal, or illegal, depending on the circumstances. Things like online banking and shopping are usually done through secured websites which protect the user from identity theft, but no security is foolproof and you should be aware of where you put personal information when you are on the Internet. Social networking sites are common places that private information is revealed if you are not careful. 1.1 Basic Components of Security Computer security rests on confidentiality, integrity, and availability. The interpretations of these three aspects vary, as do the contexts in which they arise. The interpretation of an aspect in a given environment is dictated by the needs of the individuals, customs, and laws of the particular organization. Confidentiality, Integrity and Availability are the basic components of computer security. In this Unit you will learn briefly about these components. Confidentiality: A good example is cryptography, which traditionally is used to protect secret messages. But cryptography is traditionally used to protect data, not resources. Resources are protected by limiting information, for example by using firewalls or address translation mechanisms. Integrity: A good example here is that of an interrupted database transaction, leaving the database in an inconsistent state. Trustworthiness of both data and origin affects integrity. The term integrity is tied to trustworthiness makes it much harder to quantify than confidentiality. Cryptography provides mechanisms for detecting violations of integrity, but not preventing them (e.g., a digital signature can be used to determine if data has changed). You will study about cryptography in detail in the subsequent Unit. Availability: This is usually defined in terms of “quality of service,” in which authorized users are expected to receive a specific level of service (stated in terms of a metric). Denial of service attacks are attempts to block availability. 2 LOVELY PROFESSIONAL UNIVERSITY Unit 1: Introduction to Computer Security 1.2 Essentials of Computer Security Notes 1. Computer Security Supports the Mission of the Organization: The purpose of computer security is to protect an organization’s valuable resources, such as information, hardware, and software. Through the selection and application of appropriate safeguards, security helps the organization’s mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets. Unfortunately, security is sometimes viewed as thwarting the mission of the organization by imposing poorly selected, bothersome rules and procedures on users, managers, and systems. On the contrary, well-chosen security rules and procedures do not exist for their own sake they are put in place to protect important assets and thereby support the overall organizational mission. Security, therefore, is a means to an end and not an end in itself. For example, in a private sector business, having good security is usually secondary to the need to make a profit. Security, then, ought to increase the firm’s ability to make a profit. In a public sector agency, security is usually secondary to the agency’s service provided to citizens. Security, then, ought to help improve the service provided to the citizen. 2. Computer Security Should Be Cost-Effective: The costs and benefits of security should be carefully examined in both monetary and nonmonetary terms to ensure that the cost of controls does not exceed expected benefits. Security should be appropriate and proportionate to the value of and degree of reliance on the computer systems and to the severity, probability and extent of potential harm. Requirements for security vary, depending upon the