Chapter One
Introduction to Computer Security
• What is Security?
• Security: “the quality or state of being free from danger” or
 “measures taken to guard against espionage, sabotage, crime,
 attack, or escape.”
Security is about
 • Threat: any potential occurrence, malicious or
 otherwise, that could harm an asset. In other words, a
 threat is any bad thing that can happen to your assets.
 • Vulnerability: a weakness that makes a threat
 possible. This may be because of poor design,
 configuration mistakes, or inappropriate and insecure
 coding techniques.
 • Attack: an action that exploits a vulnerability or
 enacts a threat. Examples of attacks include sending
 malicious input to an application or flooding a network
 in an attempt to deny service.
• Computer Security
• Computer security is about provisions and policies adopted to
 protect information and property from unauthorized access,
 use, alteration, degradation, destruction, theft, corruption,
 natural disaster, etc., while allowing the information and
 property to remain accessible and productive for their intended use.
• Privacy: the right of the individual to be protected against
 intrusion into his personal life or affairs, or those of his family.
 Physical Security
• Computer Security: when there is a connection to networks
 (network security), it deals with provisions and policies adopted to
 prevent and monitor unauthorized access, misuse, modification, or
 denial of the computer network and network-accessible resources.
 Physical Security
• “The most secure computers are those not connected to the
 Internet and shielded from any interference”
Threats, Vulnerabilities, Controls
• A vulnerability is a point where a system is susceptible to
 attack.
• A threat is a possible danger to the system.
 It might be a person (a cracker or a spy),
 a thing (a faulty piece of equipment), or
 an event (a fire or a flood) that might exploit a vulnerability of
 the system.
• Countermeasures are techniques for protecting your
 system.
Vulnerabilities
• Physical vulnerabilities
  • Breaking into your server room, device theft, stealing backup
  media and printouts
  • Locks, guards, surveillance cameras, burglar alarms
• Natural vulnerabilities
  • Vulnerable to natural disasters and to environmental
  threats, power loss
  • Natural disasters: fire, flood, earthquakes, lightning
  • Environmental threats: dust, humidity, and uneven
  temperature conditions
  • Air conditioning and heating systems, UPS, backups
Vulnerabilities…
• Hardware and software vulnerabilities
  • Failure of protection features leads to open security
  holes
  • Some "locked" systems can be opened by introducing extra
  hardware
  • Software failures: antivirus, firewall failures
• Media vulnerabilities
  • Media can be stolen, or damaged by dust or electromagnetic
  fields
  • Keep backup tapes and removable disks clean and
  dry
Vulnerabilities…
• Communication vulnerabilities
  • Wires can be tapped, physically damaged, or affected by EMI
  • Fiber optics
• Human vulnerabilities
  • The greatest vulnerability of all
  • Employees, contractors
  • Choose employees carefully
The Human Factor
• The human factor is an important component of computer security
• Some organizations view technical solutions as “their solutions”
 for computer security. However:
  • Technology is fallible
    • E.g., UNIX holes that opened the door for the Morris worm
  • The technology may not be appropriate
    • E.g., it is difficult to define all the security requirements and
    find a solution that satisfies those requirements
  • Technical solutions are usually (very) expensive
    • E.g., antivirus purchased by ETC to protect its Internet
    services
Threats
• Threats fall into three main categories based on
 the source: natural, unintentional, and
 intentional.
• Natural: fires, floods, power failures, and other
 disasters
  • Fire alarms, temperature gauges, and surge protectors
  • Backing up critical data off-site
• Unintentional threats: deleting a file, changing
 security passwords
  • Training, security procedures and policies
 Threats…
• Intentional threats: outsiders and insiders
• Outsiders may penetrate systems in a variety of ways:
 • simple break-ins of buildings and computer rooms;
 • disguised entry as maintenance personnel;
 • anonymous, electronic entry through modems and
 network connections;
 • and bribery or coercion of inside personnel.
• Although most security mechanisms protect best
 against outside intruders, surveys indicate that most
 attacks are by insiders.
Threats…
• Estimates are that as many as 80 percent of
 system penetrations are by fully authorized users
 who abuse their access privileges to perform
 unauthorized functions.
 • “The enemy is already in, we hired them.”
• Insiders are sometimes referred to as living Trojan
 horses.
• There are a number of different types of insiders.
 • A fired or disgruntled employee might be trying to steal
 or get revenge; an employee might have been blackmailed or
 bribed by foreign or corporate enemy agents.
Threats…
 • greedy employee might use her inside knowledge to
 divert corporate or customer funds for personal
 benefit.
 • insider might be an operator, a systems
 programmer, or even a casual user who is willing to
 share a password.
• Don't forget, one of the most dangerous insiders
 may simply be lazy or untrained.
 • He doesn't bother changing passwords,
 • doesn't learn how to encrypt email messages and
 other files,
 • leaves sensitive printouts in piles on desks and
 floors, and ignores the paper shredder when
 disposing of documents.
Security Attacks
• Any action that compromises the security of
 information owned by an organization.
• Classification of security attacks
 • passive attacks and active attacks.
• A passive attack attempts to learn or make use of
 information from the system but does not affect
 system resources.
• An active attack attempts to alter system resources or
 affect their operation.
Security attacks
 [Figure: normal flow of information compared with four attacks: interception, interruption, modification, fabrication]
 Countermeasures
• Authentication
  • Physical security
  • Password, cards, biometrics
  • Laws
• Encryption
  • Backups
• Auditing
  • Standards
• Administrative procedures
Basic Security Objectives (Pillars) - CIA
• Confidentiality: This term covers two related concepts:
  • Data confidentiality: Assures that private or confidential
  information or resources (resource and configuration hiding)
  are not made available or disclosed to unauthorized individuals
    • Is compromised by reading and copying
    • In network communication, it means only the sender and
    intended receiver should “understand” message contents
  • Privacy: Assures that individuals control or influence what
  information related to them may be collected and stored and
  by whom and to whom that information may be disclosed
 [Figure: CIA triad of Confidentiality, Integrity, Availability]
• Integrity: This term covers two related concepts
  • Data integrity: Assures that information and programs are
  changed only in a specified and authorized manner
    • In network communication, sender and receiver want to
    ensure that the message is not altered (in transit or
    afterwards) without detection
  • System integrity: Assures that a system performs its intended
  function in an unimpaired manner, free from deliberate or
  inadvertent unauthorized manipulation of the system
  • Is compromised by deleting, corrupting, and tampering with
• Availability: Assures that systems work promptly and service is
 not denied to authorized users
• Authenticity: Some say it is a missing component of objectives in
 CIA. It is the property of being genuine and being able to be
 verified and trusted; confidence in the validity of a transmission, a
 message, or message originator; or sender and receiver want to
 confirm the identity of each other
1.1.2 Policy and Mechanism
• A security policy is a statement of what is, and what is not,
 allowed by users of a system
• A security mechanism is a method, tool, or procedure for
 enforcing a security policy
• More on this in Chapter 5 - Security Mechanisms and
 Techniques
1.1.3 Goals of Security
• Given a security policy’s specification of “secure” and “nonsecure”
 actions, security mechanisms can prevent (defend) the attack,
 detect the attack, or recover from the attack
  • Prevention/Defence: take measures to prevent the damage; it
  means that an attack will fail; e.g., passwords to prevent
  unauthorised users or Intrusion Prevention Systems (IPSs)
  • Detection: if an attack cannot be prevented, the when, how and
  who of the attack have to be identified; e.g., when a user
  enters a password three times; Intrusion Detection Systems
  (IDSs)
  • Recovery/Reaction: take measures to recover from the
  damage; e.g., restore deleted files from backup; sometimes
  retaliation (attacking the attacker’s system or taking legal
  actions to hold the attacker accountable)
• The three strategies are usually used together
• A fourth approach is deterrence; it involves active steps to beat off
 attacks and to discourage attackers from even trying to attack
• Example 1: Protecting valuable items at home from a burglar
  • Prevention: locks on the door, guards, hidden places, etc.
  • Detection: burglar alarm, guards, Closed Circuit Television
  (CCTV), etc.
  • Recovery: calling the police, replacing the stolen item, etc.
• Example 2: Protecting against a fraudster using our credit card in
 Internet purchases
  • Prevention: Encrypt when placing an order, perform some check
  before placing the order, or don’t use a credit card on the Internet
  • Detection: A transaction that you had not authorized appears
  on your credit card statement
  • Recovery: Ask for a new card, recover the cost of the transaction
  from insurance, the card issuer or the merchant
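The detection goal above (noticing a user who enters a password three times) can be expressed as a small log check. This is an added example, not part of the original slides: it assumes the slide means three failed attempts in a row, and the log format, field names and function name are made up for illustration.

```python
from collections import defaultdict

# Constructed sample authentication log (not from a real system).
SAMPLE_LOG = """\
2024-01-10T09:00:01 login user=alice result=FAIL
2024-01-10T09:00:05 login user=alice result=FAIL
2024-01-10T09:00:09 login user=bob result=FAIL
2024-01-10T09:00:12 login user=alice result=FAIL
2024-01-10T09:00:20 login user=bob result=OK
2024-01-10T09:00:31 login user=bob result=FAIL
2024-01-10T09:01:02 login user=carol result=OK
"""

THRESHOLD = 3  # assumption: three failed password entries in a row


def detect_repeated_failures(log_text, threshold=THRESHOLD):
    """Return (timestamp, user) for each user reaching `threshold`
    consecutive failed logins; a successful login resets the count."""
    streak = defaultdict(int)
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "login":
            continue  # skip anything that is not a login record
        timestamp = parts[0]
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        user, result = fields.get("user"), fields.get("result")
        if user is None or result is None:
            continue  # malformed record: no user or no result field
        if result == "OK":
            streak[user] = 0
        elif result == "FAIL":
            streak[user] += 1
            if streak[user] == threshold:  # alert once per streak
                alerts.append((timestamp, user))
    return alerts


if __name__ == "__main__":
    for ts, user in detect_repeated_failures(SAMPLE_LOG):
        print(f"ALERT {ts}: {THRESHOLD} consecutive failed logins for {user}")
```

The same alert can feed the other two goals: locking the account is prevention, and resetting the password after investigation is recovery.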
 Software security assurance
• Software security is the idea of engineering software so that it
 continues to function correctly under malicious attack.
• Software security is an idea implemented to protect software against
 malicious attack and other hacker risks so that the software
 continues to function correctly under such potential risks.
 • Any compromise of integrity, authentication and availability
 makes software insecure.
 • Software systems can be attacked to steal information, monitor
 content, introduce vulnerabilities and damage the behaviour of
 software.
 • Malware can cause DoS (denial of service) or crash the system
 itself.
Software Security Threats
• Software defects with security ramifications, including
  • implementation bugs such as buffer overflows and
  • design flaws such as inconsistent error handling.
• Buffer overflow, stack overflow, command injection
 and SQL injections are the most common attacks on
 the software.
• Buffer and stack overflow attacks overwrite the
 contents of the heap or stack respectively by writing
 extra bytes.
Software Security Threats
• Command injection becomes possible in software code
 that relies predominantly on system commands.
• The attacker appends new system commands to the existing
 commands.
• Sometimes a system command may stop services and cause
 DoS.
• SQL injections use malicious SQL code to retrieve or modify
 important information from database servers.
• SQL injections can be used to bypass login credentials.
• Sometimes SQL injections fetch important information from a
Software security assurance
• Malicious intruders can hack into systems by exploiting software
 defects
• Software security includes:
 • software design principles, including the principles of
   • least privilege,
   • fail-safe stance, and
   • defence-in-depth (these are also included in computer security)
• Internet-enabled software applications present the most common
 security risk encountered today, with software’s ever-expanding
 complexity and extensibility adding further fuel to the fire.