Threats Part 1

• This is section 1.2 (the start)
  • Read it. Like you want to learn it.
• How do you use your computer as a tool?
  • You accomplish work on it (programming, email, papers)
    • You need to have access to the physical thing
  • Secondly, you store things that you do not wish to change.
    • your paper for philosophy.
    • Your income tax returns.
    • Your pictures.
  • Finally, you don't expect people to be able to access your documents.
    • Your income tax returns.
    • Your personal letters to your close friends.
    • Your pictures.
• These three things constitute the three primary concerns for computer security
  • Confidentially
  • Integrity
  • Availability
• This is the CIA-Triad
  • The term appeared as early as 73
  • It is deeply embedded in the cyber security culture.
  • While they might not cover every tiny aspect, in general they describe what makes your computer valuable to you.
• Availability: The ability of a system to ensure that an asset can be used by any authorized parties.
• Integrity: The ability of a system to ensure that an asset is modified only by authorized parties.
• Confidentiality: The ability of a system to ensure that an asset is viewed only by authorized parties.
• ISO (who are they?) adds
  • Authentication: The ability of a system to confirm the identity of a sender
  • nonrepudiation or Accountability: The ability of a system to confirm that a sender cannot convincingly deny having sent something
• The US DOD (who are they?) adds
  • auditability: the ability of a system to trace all actions related to a given asset.
• These last three extend the concept of computer security to the network.
• For our purposes the authors say to focus on the first (CIA) and consider the other three.
  • A second way to look at these is sort of the negative
  • Harm can be
    • interception
    • interruption
    • modification
    • fabrication.
  • How do these relate to CIA
• Our author looks at the elements CIA in more detail
  • Confidentiality
    • You can expose your data, but others shouldn't
    • Some things are clearly a secret, (Invasion of Normandy In WW2)
    • But some things are not.
      • They state that if the military suddenly increases food orders, this indicates there might be a operation in planning.
      • If you want to learn about a big lie, look into Operation Fortitude
    • I think they just wanted to point out that confidentiality might be more than just direct information.
    • At one point in the internet history there was a network based program called finger.
      • see This page.
      • On a local machine it would report information about the users
      • At one point it worked remotely as well. finger user@machine
      • (demo this on mirkwood)
      • What "dangerous" information might this command provide?
    • They list some examples of a loss of confidentiality
      • An unauthorized person accesses data
      • An unauthorized process accesses data
      • An authorized person accessed data they are not authorized to access.
      • An unauthorized person accesses an approximation of some data
        • you don't get the exact data value, but an estimate.
        • They use the example of an approximate salary value.
      • An unauthorized person learns of the existence of data.
    • They point out a pattern: An (un)authorized (person/process/program) gains access to an object (in an unauthorized way)
      • We will later discuss this in terms of a subject accesses an object in a access mode (read/write/...) forbidden by some policy.
      • Confidentiality is boosted by rigorous control over who can access which resources
  • Integrity
    • An early word virus would
      • Find all of the occurrences if "is"
      • At random insert the word "not" after some.
      • This was easy to do with VBA, or the predecessor.
    • This is an example of a lack of integrity.
    • They provide other examples
      • Defective hardware (Pentium floating point divide bug
      • Spreadsheet errors.
      • Other problems.
    • Integrity is much harder to define.
    • They provide a list of possible definitions for integrity
      • precise
      • Accurate
      • unmodified
      • modified only
        • in acceptable ways
        • by authorized people/process
      • Consistent
      • meaningful and usable
    • It can mean one, more, or all of these things.
    • Integrity is boosted by rigorous control over who can access which resources
      • And we will see later that depends on both technical skill
      • And well established and employed policies.
  • Availability
    • Examples
      • Hardware failure, your machine will not boot.
      • Software failure, someone forks 10,000 processes.
      • System failure, no power.
      • Deliberate network attack, insufficient bandwidth to allow access
    • An item (computer, service, asset) is available if
      • It is present in a usable form.
      • With sufficient resources to meet the user's needs
      • Is making progress or if waiting has a bounded waiting time
      • Will complete tasks in an acceptable period of time.
• These three items make sense in the case of data:
  • you can view (confidentiality), modify (integrity) and use (availability) data.
• Later we will discuss access control or who can access what in what ways.
  • But clearly an access control policy, along with implementation is important to computer security.