Computer Security Workshops
Security 101 - Introduction, Central Principles and Concepts
Why Study Computer Security?
  Increasingly important issue for:
    Computer system and network administrators
    Application programmers
  Security issues follow technology
    Desktop systems, wireless networks, handheld devices
  Security issues affect software, laws, profits and businesses
Computer Security
  Definition – ensuring the security of resources in a computing environment
    “ensuring” – work to make it so – a process
    “resources” – data, network, hardware, applications, …
    “computing environment” – mix of hardware, software and people
Information Assurance
  A broader category than computer security, information security, etc.
  Concerned with the
    Security of information in system
    Quality/Reliability of information in system
Core Security Concepts
  Vulnerability, Exploit, Threat
    Vulnerability – a weakness in some aspect of a system
    Exploit – a known method for taking advantage of a vulnerability
    Threat – the likelihood of some agent using an exploit to compromise security
  Note: not all users/groups are equal threats to various systems
    “Hackers” more of a threat to popular web sites, businesses
    Disgruntled employees more of a threat to isolated businesses
Interesting Security Email Lists
  Cryptogram Newsletter, Bruce Schneier
    http://www.counterpane.com; Library, Crypto-gram
  US/CERT Advisory List (Dept. of Homeland Security)
    http://www.us-cert.gov ; Advisories by Email
  Bugtraq List
    http://seclists.org/about/bugtraq.txt , subscription information about 2/3 down the page
Principles To Consider
  Security is a very difficult topic to comprehend
  No silver bullets
  However, consideration of major principles will help develop a good set of security processes and policies
1st Principle
  “Security is a process, not a product” – attributed to Bruce Schneier of Counterpane Security Systems, others
    Not something you purchase
    Rather, a set of processes (approved set of steps) and policies (rules for behavior) you create and enforce in your environment
    Must be dealt with continually
2nd Principle
  Computer Security is not just about computer systems
  Three major aspects to computer security
    Technology
      Hardware (systems, networks, any connected equipment)
      Software (programming, configuration)
    People, in many different roles
      Legitimate users, disgruntled users, hackers
      Insiders vs. outsiders – fuzzy line!
      Social engineering is a large concern
        Best technological security is worthless if someone is tricked into turning it off / allowing access through it
    Physical environment
      Surroundings, access, proximity
3rd Principle
  Security and convenience are inversely proportional
    Lack of security generally makes it easier to get work done
    Addition of security may interfere with the ease of getting a job done
    Goal: find the balance point that supports both
4th Principle
  Security succeeds or fails based on the weakest link
    All aspects (technology, people, environment) must be attended to equally
    Must remain current with each aspect
      E.g. software patches should be applied as they come out, not when you “get around to it”
  Corollary: “People are the weakest link” – Kevin Mitnick
5th Principle
  Hackers are generally technologists (as opposed to programmers)
    Smaller group of hackers program exploits, viruses
    More hackers apply technology already available, sometimes in creative ways
    Poor configuration of systems is a major security problem
  Corollary – good programming skills aren’t sufficient to make a good security professional
    Add understanding of networks & technology, attention to detail, creativity, …
6th Principle
  Utilize Multiple Layers of Defense
    E.g. Network hardware
      Router – initial line of defense
      Bastion host(s) – system(s) visible/available to outside world (e.g. web server)
      Firewall – second line of defense
      Secure intranet – internally available systems
    Can anyone bypass one or more layers?
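One way to answer the bypass question for a given network map, shown as an added example that is not part of the original slides: enumerate every path from the outside to the intranet and report any path that misses a required layer. The node names, the links, the choice of router and firewall as the required layers, and the "wireless_ap" device are all assumptions made for illustration.

```python
# Added example: audit a network map for paths that skip a defensive layer.
# All node names and links below are constructed for illustration.

REQUIRED = ("router", "firewall")  # layers every inbound path should cross


def simple_paths(graph, src, dst, seen=()):
    """Yield every loop-free path from src to dst (depth-first search)."""
    path = seen + (src,)
    if src == dst:
        yield path
        return
    for nxt in graph.get(src, ()):
        if nxt not in path:
            yield from simple_paths(graph, nxt, dst, path)


def audit(graph, src="outside", dst="intranet", required=REQUIRED):
    """Return (path, skipped_layers) for each path that misses a layer."""
    findings = []
    for path in simple_paths(graph, src, dst):
        skipped = [layer for layer in required if layer not in path]
        if skipped:
            findings.append((" -> ".join(path), skipped))
    return findings


# Intended design from the slide: router, bastion host, firewall, intranet.
INTENDED = {
    "outside": ["router"],
    "router": ["bastion", "firewall"],
    "bastion": ["firewall"],
    "firewall": ["intranet"],
}

# Hypothetical as-built network: the bastion host has gained a second
# interface on the intranet, and an access point bridges straight into it.
AS_BUILT = {
    **INTENDED,
    "outside": ["router", "wireless_ap"],
    "bastion": ["firewall", "intranet"],
    "wireless_ap": ["intranet"],
}

if __name__ == "__main__":
    for name, graph in (("intended", INTENDED), ("as built", AS_BUILT)):
        print(name, audit(graph) or "every path crosses all layers")
```

An empty result means every route into the intranet crosses all required layers; each finding names a route that needs either a control added or the link removed.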
7th Principle
  Focus your security energy on dealing with the most likely threats
    Consider what is most relevant to your environment
      Which vulnerabilities do you have?
      Which of these have known exploits?
      What users are likely to cause problems?
      What is the likelihood of a given threat?
8th Principle
  One aspect of security is obscurity
    Don’t set yourself up as a target
    Maintain a low network profile for your business, computer system, etc.
      Problem: contradicts marketing principles if you’re a business
  Examples
    Windows is attacked more than MacOS/OS X
    Those who claim their systems can’t be hacked will have lots of people trying…
Putting It Together
  Computer Security is a balancing of a number of interrelated factors
    Considering Security Goals
    Developing Layered Protection (Vertically, Horizontally)
    Utilizing Available Resources
    Developing and Enforcing Policies and Processes
    Minimizing Interference With Functionality
    Weighing of Risks
    Maintaining Constant Vigilance