Need for Computer Security
Aims of the Course
Goals
To provide an overview of the need for computer and communications security,
and of the technology, algorithms and standards used to provide it
Outline
- need for computer security, threats & countermeasures
- introduction to cryptography
- classical cryptography
- modern private key ciphers
- introduction to number theory
- public-key ciphers
- authentication and integrity
- key management
- security in practice - secure email & SMTP
- user identification
- trusted computer systems
- TCSEC & ITSEC standards
- CMW
- SECMAN standards
Computer Security - Why?
- information is a strategic resource
- a significant portion of an organisation's budget is spent on managing
information
- there are many types of information
- there are several security-related objectives:
- confidentiality (secrecy) - protect info value
- integrity - protect info accuracy
- availability - ensure info delivery
- threats to information security
- various surveys, with results of order:
- 55% human error
- 10% disgruntled employees
- 10% dishonest employees
- 10% outsider access
IS Security Aspects - Potential Security Solutions
- Personnel - Access Tokens, Biometrics
- Physical - Integrated Access Control
- Managerial - Security Education
- Data Networking - Configuration Control
- S/W & O/S - use "Trusted" systems
- H/W - h/w handshake
Risk Assessment
- use a risk matrix to evaluate threat & counter-measure
- use a risk management model to manage threat
[1]
[Diagram: the risk model - Assets, Threats, Vulnerabilities]
- Assets: Hardware, Software, Documentation, Data, Communications,
Environment, People
- Threats: Users, Hackers, Terrorists, Criminals, Accidents, Acts of God,
Issue Motivated Groups, Foreign Intelligence
- Threats act on assets to: Destroy, Disrupt, Lose, Modify, Disclose
- Vulnerabilities
Countermeasures
A check or restraint implemented to:
- Reduce the Threat
- Reduce Vulnerability
- Reduce Impact
- Detect a Hostile Event
- Recover from an Event
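A toy risk matrix, added here as an example that is not from the slides, showing how the asset, threat, vulnerability and impact factors combine into a score and how countermeasures of the three "reduce" kinds lower it. The 1..5 ordinal scales, the product scoring, the cost figures and the sample risk are all my assumptions for illustration.

```python
"""Toy risk matrix illustrating the slides' risk model (added example).

Scales are ordinal, 1 (low) .. 5 (high); the scoring product, costs and
sample values below are constructed for the example, not from the slides."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    asset: str          # slide asset class, e.g. Data, Hardware, People
    threat: str         # slide threat class, e.g. Users, Hackers, Accidents
    threat_level: int   # likelihood that the threat acts against the asset
    vulnerability: int  # how easily the asset can be affected
    impact: int         # consequence: destroy / disrupt / lose / modify / disclose

    def score(self) -> int:
        # Assumed scoring: the three factors multiply, so any one near zero
        # keeps the overall risk low.
        return self.threat_level * self.vulnerability * self.impact


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: int                      # relative cost units (constructed)
    reduce_threat: int = 0         # points taken off threat_level
    reduce_vulnerability: int = 0  # points taken off vulnerability
    reduce_impact: int = 0         # points taken off impact (detect / recover)


def apply(risk: Risk, cm: Countermeasure) -> Risk:
    """Residual risk after one countermeasure; no factor drops below 1."""
    clamp = lambda v: max(1, v)
    return replace(risk,
                   threat_level=clamp(risk.threat_level - cm.reduce_threat),
                   vulnerability=clamp(risk.vulnerability - cm.reduce_vulnerability),
                   impact=clamp(risk.impact - cm.reduce_impact))


def evaluate(risk: Risk, cms: list[Countermeasure]) -> list[tuple[str, int, int]]:
    """Return (name, cost, risk reduction) per countermeasure, best value first."""
    rows = [(cm.name, cm.cost, risk.score() - apply(risk, cm).score()) for cm in cms]
    return sorted(rows, key=lambda r: r[2] / r[1], reverse=True)


# Constructed sample: customer data exposed to accidental disclosure by users.
RISK = Risk("Data", "Users (error)", threat_level=5, vulnerability=4, impact=4)
CMS = [
    Countermeasure("security education (managerial)", cost=1, reduce_threat=3),
    Countermeasure("configuration control (network)", cost=2, reduce_vulnerability=2),
    Countermeasure("trusted O/S (S/W & O/S)", cost=8, reduce_vulnerability=3, reduce_impact=1),
]

if __name__ == "__main__":
    for name, cost, reduction in evaluate(RISK, CMS):
        print(f"{name:36s} cost={cost} reduces risk {RISK.score()} by {reduction}")
```

With these constructed numbers the cheap managerial measure gives the best reduction per unit cost, which is the point the slides make about basic security management.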
Countermeasures
- 20% cost => 80% protection
- best security comes from basic security management
- rest of cost is hi-tech to provide remainder
- have a trade-off tree
Defence Security Policy & Standards
- DSB have developed a set of 7 SECMAN manuals
1. Policy
2. Industrial Security
3. Info Systems Security
4. Protective Security
5. Personnel Security
6. Project Security
7. Security Design & Construction Guidelines
(Facility Security)
- designed to provide checklists and procedures to assist in implementing
security in various situations
- will return to these later
[1] follow with DSB slides on: Assets, Vulnerabilities,
Threats & Countermeasures
Lawrie.Brown@adfa.oz.au / 28-Feb-96