Outline for January 6, 2003

Reading: Chapter 1

Discussion Problem

A student discovers a flaw in the department's computer system. To ensure that the flaw really exists, she exploits it to gain extra privileges on the system. These privileges allow her to read any file on the system, whereas without the privileges, there are files that the student cannot read.

  1. Given that there were files she was not supposed to be able to read, did the student act ethically in exploiting the flaw?
  2. The computer system did not provide sufficient mechanisms to prevent the student from obtaining the additional privileges. Did she "break in" (that is, breach security) or was her action not a violation of security?
  3. The student reports the problem to the department chairperson, who promptly files charges against the student for breaking in. Assuming that what the student did was a violation of security, did the chairperson act ethically?

Outline for the Day

  1. Basic components of computer security
    1. Confidentiality
    2. Integrity
    3. Availability
  2. Classes of threats
    1. Disclosure
    2. Deception
    3. Disruption
    4. Usurpation
  3. Policy vs. mechanism
    1. Policy
    2. Mechanism
  4. Goals of security
    1. Prevention
    2. Detection
    3. Recovery
  5. Trust and Assumptions
  6. Types of mechanisms: secure, precise, broad
  7. Assurance
    1. Specification
    2. Design
    3. Implementation
    4. Maintenance and operation
  8. Operational Issues
    1. Cost-benefit analysis
    2. Risk analysis
    3. Laws and customs
  9. Human issues
    1. Organizational problems
    2. People problems

Here is a PDF version of this document.