[SEC] Foundations of Security

Computer Security - Foundations of Security

Content

  • What is Computer Security
  • Managing security
  • Security vs Ease of use
  • Data vs Information
  • Principles of Computer Security Design

What is Computer Security

Security is about the protection of assets

  • Prevention: Preventing access and damage to assets
  • Detection: Steps to detect the access or damage of assets
  • Recovery: Measures allowing us to recover from asset damage
    Assets could be physical or simply information

Historic Computer Security

  • Historically systems have been built to serve single users
  • Often only a few highly trusted users were permitted to access a system
    • Mistakes still a concern
  • Current multi-user systems have totally different security concerns

Modern Computer Security

  • Possibly thousands of users
  • Distributed over wide networks
  • Not all users are inherently trustworthy
  • More and more things are moving electronic
    • Require protocols to manage them

Managing Security

  • Within organisations, management are responsible for defining security needs
  • Developers implement these policies
  • A concise document explaining the needs is called a Security Policy
    • What should be protected?
    • How should we protect it?

CIA

Usually defined as three key areas:

  • Confidentiality: prevention of unauthorised disclosure of information
  • Integrity: prevention of unauthorised modification of information
  • Availability: prevention of unauthorised witholding(使用) of information or resources

Confidentiality

  • The prevention of unauthorised users reading private or secret information.
  • Privacy is the protection of personal data.
  • Examples are : Medical records and Transfer of credit card details

Integrity

  • The prevention of unauthorised modification of data, and the assurance that data remains unmodified.
  • Examples are:
    • Distributed bank transactions
    • Database records

Availability

  • The property of being accessible an useable upon demand by an authorised entity.
  • In other words, we want to prevent denial of service(Dos)
  • Examples:
    • Redundant power supplies
    • Firewall packet filtering

Some other areas of computer security

Accountability

  • Users should be held responsible for their actions
  • The system should identify and authenticate users and ensure compliance
  • Audit trails(审计跟踪) must be kept

Non-repudiation(不可抵赖性)

  • Provides unforgeable evidence that someone did something
  • Evidence verifiable by a trusted third party
    • E.g. Notaries(公证人), Digital Certificates
  • Applies to physical security
  • Mostly a legal concept

A fundamental Dilemma

“Security-unaware users have specific security requirements but no security expertise”

  • There is a trade off between security and ease of use
    • Increased resource demands
    • Interferes with working patterns

Data vs Information

  • Security can be seen as controlling access to information
  • This is hard, we usually control access to data instead
    • Data- A means to represent information
    • Information - An interpretation of that data
  • Focusing on data can still leave information vulnerable

Security Design

System Focus

  • Computer Security is not rocket science if:
    • Approached in a systematic, disciplined and well planned manner
    • From the inception/design of a system
  • However: If added as an afterthought, will often lead to disaster.

Security Design

  • Good security design focuses on these principles:
    • Focus of control
    • Complexity vs. Assurance
    • Centralised or Decentralised Controls
    • Layered Security

Focus of Control

In a given, application, should the focus of protection mechanisms be:

  • Data
  • Operations
  • Users

Complexity vs. Assurance

Would we prefer a simple approach with high assurance? Or a feature-rich environment?

  • Feature-rich security systems and high assurance do not match easily
  • e.g. Linux and Windows permissions

Decentralised Controls

Should defining and enforcing security be performed by a central entity, or be left to individual components in a system?

  • Central Entity - A possible bottleneck
  • Distributed Solution - More efficient, but harder to manage

Layered Security

enter image description here
enter image description here

评论

发表评论

此博客中的热门博文

[MLE] W2 Multivariate linear regression

图片
Multivariate linear regression What we have talked about in week 1 is linear regression with single feature. For example, in the house pricing predicting problem, we only use the size of house (x) to predict the price (y) . But what if there are other features like age, bedroom numbers and so on? Linear regression with multiple variables is also known as “multivariate linear regression” According to the graph above, we now have new representation symbols: n = number of features m = number of training examples \(x^{(i)}\) = \(i^{th}\) training example \(x^{(i)}_j\) = feature j in \(i^{th}\) training example 1416 is \(x_{1}^{(2)}\) in this case, m is 47 for example, n is 4. Hypothesis function The multivariable form of the hypothesis function accommodating these multiple features is as follows: if we make \(x_0\) to 1, the \(h_{\theta}(x)\) will be \(\theta^Tx\), which is \(\theta\) transpose matrix multiply by x, where \(\theta\) is a vector of 1 by(n+1) dimension an
阅读全文

[MLE] W1 Introduction

图片
Before get started The blog is based on the machine learning course on Coursera, taught by Andrew Ng . From today, i will begin my study trip on Machine learning, which will be labelled as MLE. This course will last 11 weeks and today is week 1. The application of machine learning is everywhere: Database mining Applications can’t program by hand Self-customizing program Understanding human learning(brain, real AI) Introduction What is Machine Learning Two definitions of machine learning are offered: Arthur Samuel described it as: “the field of study that gives computers the ability to learn without being explicitly programmed.” This is an older, informal definition. Tom Mitchell provides a more modern definition: “A computer program is said to learn from experience E with respect to some class of tasks T and performance measure P, if its performance at tasks in T, as measured by P, improves with experience E.” If we raise a example of what is machine learning: If
阅读全文

[AIM] MetaHeuristics

图片
Day2 Outline Metaheuristics -definition Single point based search method(simple stochastic local search) Iterated local search Scheduling Tabu Search Metaheuristic what is a metaheuristic? A metaheuristic is a high-level problem independent algorithmic framework that provides a set of guidelines or strategies to develop heuristic optimization algorithms. what is the difference between heuristic and metaheuristic? Heuristic : Heuristics are problem-dependent techniques. As such, they usually are adapted to the problem at hand and they try to take full advantage of the particularities of this problem. However, because they are often too greedy, they usually get trapped in a local optimum and thus fail, in general, to obtain the global optimum solution. Metaheuristic : Meta-heuristics, on the other hand, are problem-independent techniques . As such, they do not take advantage of any specificity of the problem and, therefore, can be used as black boxes . In general, t
阅读全文