Что такое findslide.org?

FindSlide.org - это сайт презентаций, докладов, шаблонов в формате PowerPoint.

Обратная связь

Презентация на тему Security. The goal

Содержание

2. Real-World SecurityIt’s about value, locks, and punishment.
3. Elements of SecurityPolicy: Specifying security What is it
4. DangersVandalism or sabotage that damages information disrupts serviceTheft of moneyTheft of informationLoss of privacyintegrityavailabilityintegritysecrecysecrecy
5. VulnerabilitiesBad (buggy or hostile) programsBad (careless or
6. Defensive strategiesKeep everybody out IsolationKeep the bad
7. The Access Control ModelGuards control access to valued resources.Reference monitorObjectDo operationResourcePrincipalGuardRequestSource
8. Mechanisms—The Gold StandardAuthenticating principalsMainly people, but also
9. Assurance: Making Security WorkTrusted computing baseLimit what
10. Assurance: ConfigurationUsers—keep it simpleAt most three levels:
11. Assurance: Defense in DepthNetwork, with a firewallOperating
12. Why We Don’t Have “Real” SecurityA. People
13. Standard Operating System SecurityAssume secure channel from
14. Скачать презентацию
15. Похожие презентации

Real-World SecurityIt’s about value, locks, and punishment. Locks good enough that bad guys don’t break in very often.Police and courts good enough that bad guys that do break in get caught and punished often enough.Less interference

Security: The Goal Computers are as secure as real world systems, and

Elements of SecurityPolicy: Specifying security What is it supposed to do? Mechanism: Implementing security

DangersVandalism or sabotage that damages information disrupts serviceTheft of moneyTheft of informationLoss of privacyintegrityavailabilityintegritysecrecysecrecy

VulnerabilitiesBad (buggy or hostile) programsBad (careless or hostile) people giving instructions

Defensive strategiesKeep everybody out IsolationKeep the bad guy outCode signing, firewallsLet him

The Access Control ModelGuards control access to valued resources.Reference monitorObjectDo operationResourcePrincipalGuardRequestSource

Mechanisms—The Gold StandardAuthenticating principalsMainly people, but also channels, servers, programsAuthorizing access. Usually

Assurance: Making Security WorkTrusted computing baseLimit what has to work to ensure

Assurance: ConfigurationUsers—keep it simpleAt most three levels: self, friends, othersThree places to

Assurance: Defense in DepthNetwork, with a firewallOperating system, with sandboxingBasic OS (such

Why We Don’t Have “Real” SecurityA. People don’t buy it:Danger is small,

Standard Operating System SecurityAssume secure channel from user (without proof)Authenticate user by

End-to-End SecurityAuthenticate secure channelsWork uniformly between organizationsMicrosoft can securely accept Intel’s authenticationGroups

Слайды презентации

Слайд 2 Real-World Security
It’s about value, locks, and punishment.
Locks

Real-World SecurityIt’s about value, locks, and punishment. Locks good enough that

good enough that bad guys don’t break in very

often.
Police and courts good enough that bad guys that do break in get caught and punished often enough.
Less interference with daily life than value of loss.
Security is expensive—buy only what you need.

Слайд 3 Elements of Security

Policy: Specifying security What is it supposed to

Elements of SecurityPolicy: Specifying security What is it supposed to do? Mechanism: Implementing

do?
Mechanism: Implementing security How does it do it?
Assurance: Correctness of

security Does it really work?

Слайд 4 Dangers
Vandalism or sabotage that
damages information
disrupts service
Theft

of money
Theft of information
Loss of privacy

integrity
availability
integrity
secrecy
secrecy

Слайд 5 Vulnerabilities
Bad (buggy or hostile) programs
Bad (careless or hostile)

people giving instructions to good programs
Bad guy interfering with

communications

Слайд 6 Defensive strategies
Keep everybody out
Isolation
Keep the bad guy

Defensive strategiesKeep everybody out IsolationKeep the bad guy outCode signing, firewallsLet

out
Code signing, firewalls
Let him in, but keep him from

doing damage
Sandboxing, access control
Catch him and prosecute him
Auditing, police

Слайд 7 The Access Control Model
Guards control access to valued

resources.

Reference
monitor
Object
Do
operation
Resource

Principal
Guard
Request
Source

Слайд 8

Mechanisms—The Gold Standard
Authenticating principals
Mainly people, but also channels,

Mechanisms—The Gold StandardAuthenticating principalsMainly people, but also channels, servers, programsAuthorizing access.

servers, programs
Authorizing access.
Usually for groups of principals
Auditing

Assurance
Trusted computing

base

Слайд 9 Assurance: Making Security Work
Trusted computing base
Limit what has

to work to ensure security
Ideally, TCB is small and

simple
Includes hardware and software
Also includes configuration, usually overlooked
What software has privileges
Database of users, passwords, privileges, groups
Network information (trusted hosts, …)
Access controls on system resources
. . .
The unavoidable price of reliability is simplicity.—Hoare

Слайд 10 Assurance: Configuration
Users—keep it simple
At most three levels: self,

Assurance: ConfigurationUsers—keep it simpleAt most three levels: self, friends, othersThree places

friends, others
Three places to put objects
Everything else done automatically

with policies
Administrators—keep it simple
Work by defining policies. Examples:
Each user has a private home folder
Each user belongs to one workgroup with a private folder
System folders contain vendor-approved releases
All executable programs are signed by a trusted party
Today’s systems don’t support this very well

Слайд 11 Assurance: Defense in Depth
Network, with a firewall
Operating system,

Assurance: Defense in DepthNetwork, with a firewallOperating system, with sandboxingBasic OS

with sandboxing
Basic OS (such as NT)
Higher-level OS (such as

Java)
Application that checks authorization directly

All need authentication

Слайд 12 Why We Don’t Have “Real” Security
A. People don’t

Why We Don’t Have “Real” SecurityA. People don’t buy it:Danger is

buy it:
Danger is small, so it’s OK to buy

features instead.
Security is expensive.
Configuring security is a lot of work.
Secure systems do less because they’re older.
Security is a pain.
It stops you from doing things.
Users have to authenticate themselves.

B. Systems are complicated, so they have bugs.

Слайд 13 Standard Operating System Security
Assume secure channel from user

Standard Operating System SecurityAssume secure channel from user (without proof)Authenticate user

(without proof)
Authenticate user by local password
Assign local user and

group SIDs
Access control by ACLs: lists of SIDs and permissions
Reference monitor is the OS, or any RPC target
Domains: same, but authenticate by RPC to controller
Web servers: same, but simplified
Establish secure channel with SSL
Authenticate user by local password (or certificate)
ACL on right to enter, or on user’s private state