COMPUTER SYSTEM SECURITY

 

Click Here for all units Notes 

WHAT IS COMPUTER SECURITY The meaning of the term computer security has evolved in recent years. Before the problem of data security became widely publicized in the media, most people’s idea of computer security focused on the physical machine. Traditionally, computer facilities have been physically protected for three reasons: • To prevent theft of or damage to the hardware • To prevent theft of or damage to the information • To prevent disruption of service Strict procedures for access to the machine room are used by most organizations, and these procedures are often an organization’s only obvious computer security measures. Today, however, with pervasive remote terminal access, communications, and networking, physical measures rarely provide meaningful protection for either the information or the service; only the hardware is secure. Nonetheless, most computer facilities continue to protect their physical machine far better than they do their data, even when the value of the data is several times greater than the value of the hardware. The security violations perpetrated (perhaps inadvertently) by legitimate users whom padlocks and passwords cannot deter. Most computer crimes are in fact committed by insiders, and most of the research in computer security since 1970 has been directed at the insider problem. 

 

Click Here for all units Notes 

1.1 Secrecy, Integrity, And Denial Of Service The discussion of computer security emphasizes the problem of protecting information from unauthorized disclosure, or information secrecy.  Fortunately, techniques to protect against information modification are almost always the same as (or a subset of) techniques to protect against information disclosure. This fact is consistently borne out in the technical measures. In the rare cases where the techniques differ, that fact will be pointed out explicitly.  The definition of computer security include both secrecy and integrity, the closely related area termed denial of service is rarely discussed here. Denial of service can be defined as a temporary reduction in system performance, a system crash requiring manual restart, or a major crash with permanent loss of data. Although reliable operation of the computer is a serious concern in most cases, denial of service has not traditionally been a topic of computer security research. As in the case of data integrity, one reason for the lack of concern is historic: secrecy has been the primary goal of government funded security programs.  If denial of service is your only concern, you should refer to such topics as structured development, fault tolerance, and software reliability. Most of the techniques for building secure systems, however, also help you build more robust and reliable systems. In addition, some security techniques do address certain denial-of-service problems, especially problems related to data integrity.  To sum up, security relates to secrecy first, integrity second, and denial of service a distant third. To help you remember this, memorize the computer security researcher’s favorite (tongue incheek) phrase: “I don’t care if it works, as long as it is secure.” 

 

1.2 Trusted System Evaluation Criteria The U.S. Department of Defense has developed its own definition of computer security, documented in Trusted Computer System Evaluation Criteria (Department of Defense 1985).The document employs the concept of a trusted computing base, a combination of computer hardware 

 

 

and an operating system that supports untrusted applications and users. The seven levels of trust identified by the Criteria range from systems that have minimal protection Features to those that provide the highest level of security modern technology can produce (table 1-1). The Criteria attempts to define objective guidelines on which to base evaluations of both commercial systems and those developed for military applications. The National Computer Security Center, the official evaluator for the Defense Department, maintains an Evaluated Products List of commercial systems that it has rated according to the Criteria. The Criteria is a technical document that defines many computer security concepts and provides guidelines for their implementation. It focuses primarily on general-purpose operating systems. To assist in the evaluation of networks, the National Computer Security Center has published the Trusted Network Interpretation (National Computer Security Center 1987), that interprets the Criteria from the point of view of network security.  

 

Click Here for all units Notes 

You can be sure that a system rated high according to the Criteria (that is, at class Al or B3) has been subject to intense scrutiny, because such systems are intended to protect classified military information. In order to attain such a high rating, a system has to be designed with security as its most important goal. While systems rarely qualify for any rating without some changes, most commercial operating systems can achieve a C1 or C2 level with a few enhancements or add-on packages. The Evaluated Products List is short because the Criteria is relatively new and evaluations take a long time. Also, many vendors have not yet shown an interest in submitting their products for evaluation.