
Computer Security

(CoSc4151)

Department of Computer Science


Addis Ababa University
Chapter One

Fundamentals of Computer Security
Outline

Overview

Factors of Computer Security

Security Goals

Vulnerabilities

Threats

Countermeasures
Computer Security Overview
Definitions
Dictionary.com says:
1. Freedom from risk or danger; safety.
2. Freedom from doubt, anxiety, or fear; confidence.
3. Something that gives or assures safety, as:
    1. A group or department of private guards: Call building security if a
    visitor acts suspicious.
    2. Measures adopted by a government to prevent espionage,
    sabotage, or attack.
    3. Measures adopted, as by a business or homeowner, to prevent a
    crime such as burglary or assault: …etc.
Computer Security Overview
Definitions
(Computer) Security: The prevention and
protection of (computer) assets from unauthorized
access, use, alteration, degradation, destruction, and
other threats.
Refers to techniques for ensuring that data stored in a
computer cannot be read or compromised by any
individuals without authorization.
The protection afforded to an automated information system in
order to attain the applicable objectives of preserving the
integrity, availability, and confidentiality of information system
resources.
Security? What is that?
Lock the doors and windows and you are secure
NOT
Call the police when you feel insecure
Really?
Computers are powerful, programmable machines
Whoever programs them controls them (and not you)
Networks are ubiquitous
They carry genuine as well as malicious traffic
End result: Complete computer security is unattainable; it is
a cat-and-mouse game
Similar to crime vs. law enforcement

Computer Security / History

Until the 1960s, computer security was limited to the
physical protection of computers
In the 1960s
• Evolutions
    • Computers became interactive
    • Multiuser/Multiprogramming was invented
    • More and more data started to be stored in computer
    databases
• Organizations and individuals started to worry about
    • What the other persons using computers are doing to their
    data
    • What is happening to their private data stored in large
    databases
Computer Security and Privacy/ History

In the 1980s and 1990s
• Evolutions
    • Personal computers were popularized
    • LANs and Internet invaded the world
    • Applications such as E-commerce, E-government and
    E-health started to develop
    • Viruses became major threats
• Organizations/individuals started to worry about
    • Who has access to their computers and data
    • Whether they can trust a mail, a website, etc.
    • Whether their privacy is protected in the connected
    world
Computer Security Factors/CIA

Confidentiality:
Preserving authorized restrictions on information access and
disclosure
Prevent/detect/deter improper disclosure of information
Two concepts:
• Data confidentiality: Assures that private or confidential
information is not made available or disclosed to
unauthorized individuals.
• Privacy: Assures that individuals control or influence
what information related to them may be collected and
stored and by whom and to whom that information may be
disclosed.
Confidentiality
Concerned with access to assets
“Need to know” basis for data access
How do we know who needs what data?
Approach: access control specifies who can access what
How do we know a user is the person s/he claims to be?
Need her identity and need to verify this identity
Approach: identification and authentication
Confidentiality is:
difficult to ensure
Why????
easiest to assess in terms of success
Computer Security Factors
Integrity:
Guarding against improper information modification or
destruction
Prevent/detect/deter improper modification of information
Two concepts:
• Data integrity: Assures that information and programs are
changed only in a specified and authorized manner.
• System integrity: Assures that a system performs its intended
function in an unimpaired manner, free from deliberate or
inadvertent unauthorized manipulation of the system.

Integrity
Concerned with unauthorized modification of assets
Integrity is more difficult to measure than
confidentiality
Not binary – degrees of integrity
Context-dependent - means different things in
different contexts
Could mean any subset of these asset properties:
{ precision / accuracy / currency / consistency /
meaningfulness / usefulness / ...}
Computer Security Factors

Availability:
Assures that systems work promptly and service is not
denied to authorized users.
prevent/detect/deter improper denial of access to services
Additional
Authenticity: The property of being genuine and being
able to be verified and trusted; confidence in the validity of a
transmission, a message, or message originator.
Accountability: The security goal that generates the
requirement for actions of an entity to be traced uniquely to
that entity.

Availability
Not understood very well yet
Full implementation of availability is security’s next challenge
Complex and Context-dependent
Could mean any subset of these asset (data or service)
properties: { usefulness / sufficient capacity / progressing at
a proper pace / completed in an acceptable period of time / ...}
We can say that an asset (resource) is available if:
Timely request response
Fair allocation of resources (no starvation!)
Fault tolerant (no total breakdown)
Easy to use in the intended way
Provides controlled concurrency (concurrency control, deadlock
control, ...)
Example
Military example
Confidentiality: target coordinates of a missile should not be
improperly disclosed
Integrity: target coordinates of missile should be correct/precise
Availability: missile should fire when proper command is issued
Commercial example
Confidentiality: patient’s medical information should not be
improperly disclosed
Integrity: patient’s medical information should be correct
Availability: patient’s medical information can be accessed when
needed for treatment
Education
Confidentiality: Student’s information should not be disclosed
Integrity: student’s information must be correct
Availability: Student’s information has to be accessible to those
allowed at any time
Need to Balance CIA
• Example 1: C vs. I+A
    • Disconnect computer from Internet to increase confidentiality
    • Availability suffers, integrity suffers due to lost updates
• Example 2: I vs. C+A
    • Have extensive data checks by different people/systems to
    increase integrity
    • Confidentiality suffers as more people see data, availability
    suffers due to locks on data under verification
Activity
Availability, Confidentiality, Integrity
Abebe copies Hana’s assignment
Almaz crashes Kebede’s system
Dawit changes the amount of Abebe’s check from $100 to
$1,000
Hirut spoofs Jemal's IP address to gain access to his
computer.
What is secured?
Securing computing resources: prevent/detect/deter
improper use of computing resources
Data contained in an information system; or a
service provided by a system; or a system capability,
such as processing power or communication
bandwidth; or an item of system equipment
Hardware
Software
Data
Network

Computer Security
Computer Security can be broken down into two distinct
areas:
Physical security refers to the issues related to the
physical security of the equipment that comprises or is
connected to the network.
Logical security is concerned with security of data held
on devices connected to the network.
Involves controlling
• Passwords and password policies
• Access to data on servers
• Access to backup tapes
• Access to the network by sources outside the
network
Computer Security/ Vulnerabilities
Computer Security /Vulnerabilities

A flaw or weakness in a system’s design,
implementation, or operation and management that
could be exploited to violate the system’s security policy

Corruption
• It does the wrong thing or gives wrong answers
Leaky
For example, someone who should not have access to
information available through the network obtains such
Computer Security /Vulnerabilities

Physical vulnerabilities (e.g. buildings)
Natural vulnerabilities (e.g. earthquakes)
Hardware and Software vulnerabilities (e.g. failures)
Media vulnerabilities (e.g. disks can be stolen)
Communication vulnerabilities (e.g. wires can be tapped)
Human vulnerabilities (e.g. insiders)


Why are there security vulnerabilities?
Lots of buggy software...
Why do programmers write insecure code?
Some contributing factors
Courses in computer security (few/none)
Programming text books do not emphasize security
Few security audits
Programmers have many other things to worry about
Consumers do not care about security
Security is expensive and takes time
Computer Security/ Threats
Computer security/Threats
A computer security threat is any person, act, or
object that poses a danger to computer security

circumstances that have a potential to cause harm

Can be
• Physical - weather, natural disaster, bombs, power
failures, etc.
• Human - stealing, trickery, bribery, spying,
sabotage, accidents.
• Software - viruses, Trojan horses, logic bombs,
denial of service, worms, etc.
Computer security/Threats
A threat consequence can be:
Unauthorized Disclosure
• Exposure
    • Can be deliberate or accidental
• Interception
    • Unauthorized party gains access to a protected asset.
• Inference
• Intrusion
Deception
• Masquerade
    • Stealing username/password
• Falsification
• Repudiation/rejection
Computer security/Threats
A threat consequence can be:
Disruption
• Interruption
    • An asset of a computing system becomes lost,
    unavailable or unusable
• Modification
    • Unauthorized party gains access to and tampers with a
    protected asset.
• Forgery
    • Unauthorized party fabricates counterfeit
    objects on a computing system
Computer security/Threats
Digital threats are very similar to physical world threats BUT
Automation
• Repeated attack on a hardware/software weakness
is easy.
Action at distance
• In a computing system, all computers are
equidistant.
Propagation
• Computing systems facilitate reproduction of data
or software.
    • Electronic plan distributed on the Web
    • Exploit/Crack/Serial
Computer Security/ Attacks

Attack
A threat that is carried out
An intelligent act that is a deliberate attempt to
evade security services and violate the security
policy of a system
Active attack:
An attempt to alter system resources or affect their
operation.
Passive attack:
An attempt to learn or make use of information from the
system that does not affect system resources.

Types of Attacks
• Passive attacks: attempt to learn or make use of information
from the system but do not affect system resources
    • Eavesdropping
    • Monitoring
• Active attacks: involve some modification of the data stream
    • Masquerade – one entity pretends to be a different
    entity
    • Replay – passive capture of information and its
    retransmission
    • Modification – legitimate message is altered
    • Denial of service – prevents normal use of
    resources
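
How a receiver can detect three of the active attacks listed above (masquerade, replay, modification), as an added example that is not part of the original slides. It assumes a secret key shared between sender and receiver; the names `sign`, `send`, `Receiver` and `demo`, the sender name and the message text are constructed for illustration. It does not address denial of service or passive eavesdropping (the message body is not encrypted).

```python
import hashlib
import hmac
import os


def sign(key, sender, nonce, body):
    # Length-prefix every field so the tagged byte string is unambiguous.
    fields = (sender.encode(), nonce, body)
    data = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()


def send(key, sender, body):
    nonce = os.urandom(16)  # fresh random value for every message
    return (sender, nonce, body, sign(key, sender, nonce, body))


class Receiver:
    def __init__(self, keys):
        self.keys = keys   # sender name -> shared secret key
        self.seen = set()  # (sender, nonce) pairs already accepted

    def accept(self, msg):
        sender, nonce, body, tag = msg
        key = self.keys.get(sender)
        if key is None:
            return "rejected: unknown sender"
        # A wrong key (masquerade) or altered field (modification) fails here.
        if not hmac.compare_digest(sign(key, sender, nonce, body), tag):
            return "rejected: bad tag"
        # A valid message delivered a second time is a replay.
        if (sender, nonce) in self.seen:
            return "rejected: replay"
        self.seen.add((sender, nonce))
        return "accepted"


def demo():
    key = os.urandom(32)  # constructed shared key for the hypothetical sender
    rx = Receiver({"abebe": key})
    msg = send(key, "abebe", b"pay 100")
    sender, nonce, _, tag = send(key, "abebe", b"pay 100")
    return {
        "normal": rx.accept(msg),
        "replay": rx.accept(msg),
        "modification": rx.accept((sender, nonce, b"pay 1000", tag)),
        "masquerade": rx.accept(send(os.urandom(32), "abebe", b"pay 100")),
    }
```

The set of seen nonces grows without bound here; a deployed receiver would normally also put a timestamp or sequence number under the tag so old entries can be discarded.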

Computer Security/Attacks

Four Categories of Attacks/Threats (W. Stallings)
[Figure: normal flow of information, followed by four panels: Interruption, Interception, Modification, Fabrication]
Computer security/Attacks
Types of Threats/Attacks (Chuck Easttom)

Malware Attack
Hacking Attack
Denial of Service Attack
Physical Attack
Computer security/Attackers
Types of Attackers
Amateurs
Opportunistic attackers: (use a password they found)
Script kiddies
Hackers – non-malicious
In broad use beyond security community: also malicious
Crackers – malicious
Career criminals
Nation-supported spies and information warriors
Attackers need MOM
Method: Skill, knowledge, tools, etc. with which to pull
off an attack
Opportunity: Time and access to accomplish an attack
Motive: Reason to perform an attack
Computer security/Countermeasures

Any means taken to deal with a security attack
An action, device, procedure, technique that reduces a
threat, attack or vulnerability by
Eliminating or Preventing
Reducing the consequences
Discovering & reporting for security actions

Can be:
Prevention: prevent attacks from being
carried out
Detection: identify when, how & by
whom an asset has been damaged
Recovery: restore assets after the damage
Countermeasures
Five basic approaches to defense of computing systems
Prevent attack
Block attack / Close vulnerability

Deter attack
Make attack harder (can’t make it impossible)

Deflect attack
Make another target more attractive than this target

Detect attack
During or after

Recover from attack


Computer Security / Countermeasures

Computer security controls
• Authentication (Password, cards, biometrics)
• Cryptography
• Auditing
• Administrative policies and procedures
• Standards
• Certifications
• Physical controls/security
• Laws
• Backups
