A computer program system that is supposed to be used only by those authorized must attempt to detect and exclude the unauthorized. Access to it is therefore usually controlled by insisting on an authentication procedure to establish with some degree of confidence the identity of the user, thence granting those privileges as may be authorized to that identity. Common examples of access control involving authentication include: * A captcha is a means of asserting that a user is a human being and not a computer program.
A computer program using a blind credential to authenticate to another program * Entering a country with a passport * Logging in to a computer * Using a confirmation E-mail to verify ownership of an e-mail address * Using an Internet banking system * Withdrawing cash from an ATM In some cases, ease of access is balanced against the strictness of access checks. For example, the credit card network does not require a personal identification number for authentication of the claimed identity; and a small transaction usually does not even require a signature of the authenticated person for proof of authorization of the transaction.
The security of the system is maintained by limiting distribution of credit card numbers, and by the threat of punishment for fraud. Computer security is a branch of computer technology known as information security as applied to computers and networks. The objective of computer security includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to remain accessible and productive to its intended users.
The term computer system security means the collective processes and mechanisms by which sensitive and valuable information and services are protected from publication, tampering or collapse by unauthorized activities or untrustworthy individuals and unplanned events respectively. The strategies and methodologies of computer security often differ from most other computer technologies because of its somewhat elusive objective of preventing unwanted computer behavior instead of enabling wanted computer behavior.
Certain concepts recur throughout different fields of security: * Assurance – assurance is the level of guarantee that a security system will behave as expected * Countermeasure – a countermeasure is a way to stop a threat from triggering a risk event * Defense in depth – never rely on one single security measure alone * Exploit – a vulnerability that has been triggered by a threat – a risk of 1. (100%) * Risk – a risk is a possible event which could cause a loss * Threat – a threat is a method of triggering a risk event that is dangerous * Vulnerability – a weakness in a target that can potentially be exploited by a threat security The following terms used in engineering secure systems are explained below. * Authentication techniques can be used to ensure that communication end-points are who they say they are. * Automated theorem proving and other verification tools can enable critical algorithms and code used in secure systems to be mathematically proven to meet their specifications.
Capability and access control list techniques can be used to ensure privilege separation and mandatory access control. This section discusses their use. * Chain of trust techniques can be used to attempt to ensure that all software loaded has been certified as authentic by the system’s designers. * Cryptographic techniques can be used to defend data in transit between systems, reducing the probability that data exchanged between systems can be intercepted or modified. Firewalls can provide some protection from online intrusion Access authorization restricts access to a computer to group of users through the use of authentication systems. These systems can protect either the whole computer – such as through an interactive logon screen – or individual services, such as an FTP server. There are many methods for identifying and authenticating users, such as passwords, identification cards, and, more recently, smart cards and biometric systems. * Confidentiality
Confidentiality is the term used to prevent the disclosure of information to unauthorized individuals or systems. For example, a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network. The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored.
If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred. Breaches of confidentiality take many forms. Permitting someone to look over your shoulder at your computer screen while you have confidential data displayed on it could be a breach of confidentiality. If a laptop computer containing sensitive information about a company’s employees is stolen or sold, it could result in a breach of confidentiality. Giving out confidential information over the telephone is a breach of confidentiality if the caller is not authorized to have the information.
Confidentiality is necessary (but not sufficient) for maintaining the privacy of the people whose personal information a system holds.  * Integrity In information security, integrity means that data cannot be modified undetectably. This is not the same thing as referential integrity in databases, although it can be viewed as a special case of Consistency as understood in the classic ACID model of transaction processing. Integrity is violated when a message is actively modified in transit.
Information security systems typically provide message integrity in addition to data confidentiality. * Availability For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades.
Ensuring availability also involves preventing denial-of-service attacks. * Authenticity In computing, e-Business and information security it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine. It is also important for authenticity to validate that both parties involved Authentication is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the subject are true.
This might involve confirming the identity of a person, tracing the origins of an artifact, ensuring that a product is what its packaging and labeling claims to be, or assuring that a computer program is a trusted one. * Identification and authentication (I&A) Identification and authentication (I&A) is the process of verifying that an identity is bound to the entity that makes an assertion or claim of identity. The I&A process assumes that there was an initial validation of the identity, commonly called identity proofing.
Various methods of identity proofing are available ranging from in person validation using government issued identification to anonymous methods that allow the claimant to remain anonymous, but known to the system if they return. The method used for identity proofing and validation should provide an assurance level commensurate with the intended use of the identity within the system. Subsequently, the entity asserts an identity together with an authenticator as a means for validation. The only requirements for the identifier are that it must be unique within its security domain.
The function of identification is to map a known quantity to an unknown entity so as to make it known. The known quantity is called the identifier (or ID) and the unknown entity is what needs identification. A basic requirement for identification is that the ID be unique. IDs may be scoped, that is, they are unique only within a particular scope. IDs may also be built out of a collection of quantities such that they are unique on the collective. Identification is the capability to find, retrieve, report, change, or delete specific data without ambiguity.
This applies especially to information stored in databases. In database normalization, it is the central, defining function to the discipline. Authenticators are commonly based on at least one of the following four factors: Something you know, such as a password or a personal identification number (PIN). This assumes that only the owner of the account knows the password or PIN needed to access the account. Something you have, such as a smart card or security token. This assumes that only the owner of the account has the necessary smart card or token needed to unlock the account.
Something you are, such as fingerprint, voice, retina, or iris characteristics. Where you are, for example inside or outside a company firewall, or proximity of login location to a personal GPS device. Authorization The process of authorization is sometimes mistakenly thought to be the same as authentication; many widely adopted standard security protocols, obligatory regulations, and even statutes make this error. However, authentication is the process of verifying a claim made by a subject that it should be allowed to act on behalf of a given principal (person, computer, process, etc. . Authorization, on the other hand, involves verifying that an authenticated subject has permission to perform certain operations or access specific resources. Authentication, therefore, must precede authorization. For example, when you show proper identification credentials to a bank teller, you are asking to be authenticated to act on behalf of the account holder. If your authentication request is approved, you become authorized to access the accounts of that account holder, but no others.
Even though authorization cannot occur without authentication, the former term is sometimes used to mean the combination of both. Authorization applies to subjects. Authorization determines what a subject can do on the system. Most modern operating systems define sets of permissions that are variations or extensions of three basic types of access: Read (R): The subject can Read file contents List directory contents Write (W): The subject can change the contents of a file or directory with the following tasks: Add Create Delete Rename Execute (X): If the file is a program, the subject can cause the program to be run. In Unix systems, the ‘execute’ permission doubles as a ‘traverse directory’ permission when granted for a directory. ) These rights and permissions are implemented differently in systems based on discretionary access control (DAC) and mandatory access control (MAC). * Accountability Accountability uses such system components as audit trails (records) and logs to associate a subject with its actions. The information recorded should be sufficient to map the subject to a controlling user. Audit trails and logs are important for Detecting security violations Re-creating security incidents.
If no one is regularly reviewing your logs and they are not maintained in a secure and consistent manner, they may not be admissible as evidence. Many systems can generate automated reports based on certain predefined criteria or thresholds, known as clipping levels. For example, a clipping level may be set to generate a report for the following: More than three failed logon attempts in a given period Any attempt to use a disabled user account These reports help a system administrator or security administrator to more easily identify possible break-in attempts.
Security experts argue that it is impossible to prove the identity of a computer user with absolute certainty. It is only possible to apply one or more tests which, if passed, have been previously declared to be sufficient to proceed. The problem is to determine which tests are sufficient, and many such are inadequate. Any given test can be spoofed one way or another, with varying degrees of difficulty References * William Stallings, Cryptography and Network Security, Prentice Hall, 2003 * Charles P. Pfleeger, Security in computing, Revised edition, Prentice Hall. * Diffie hellman secret key exchange,
Cite this Computer Security and Cryptography
Computer Security and Cryptography. (2017, Mar 20). Retrieved from https://graduateway.com/computer-security-and-cryptography/