
• Jypzie M. Catedrilla, DIT
• IT/Physics Department
• January 7, 2023

Week 10
Introduction to Practical Computer Security
Outline
• Overview
• Practical Computer Security
• Computer Security Key Definitions
• Security Frameworks
• Confidentiality
• Integrity
• Availability
Where We Are Today
• We are always connected
• There are at least 2 internet-connected devices close to you right now
• We have apps for everything!
• We bank online
• We watch TV online
• We pay our taxes online
• We communicate with others online
The Devices We Have…
• We use smart phones
• We use smart watches
• We use smart cars
• We use smart TVs
• All these assets are connected. They are all online.
• All devices and the way we use them have the potential to become vulnerable in some way.
So WHAT?
• The point is that computer security is every bit a part of who we are
• We all have devices that need protecting
• We all have information that needs to be protected
• There are threats out there that we may encounter
Case: Monitoring of network traffic
• Firewall hits.
• In the middle of the summer.
• Without students.
• For a one-hour time period!
Perhaps these aren’t as serious, or are they?
• Once again, only a 1-hour time period!
• Maybe we should investigate these…?
The Challenges
• Computer security is not simple. It takes time to understand. You have to learn both theory and learn through example.
• When deploying services or systems, there are always going to be vulnerabilities. How can you account for them when the system is being designed or implemented?
• It is necessary to balance security with practicality and productivity
• Security is a constant battle against those who want to do harm
• Information is everywhere – knowing when to use it and not use it, or how to protect it, is a full-time job
• The security field is so hot right now it’s difficult to keep good people
Practical Computer Security
• Practical computer security – the means by which computer security is applied in an everyday setting
• Many certifications focus on theory and understanding how to implement security controls
• Bottom line is that if you end up putting all the controls you can in place, you will:
• End up forcing people to find another solution that actually allows them to do their work, which leads to insecurity
• End up managing too much, which may lead to too much management overhead in the end
Brief Case Study
• UCCS deployed NAC (Network Access Control) back in 2007.
• Network Access Control:
• Forces the user to identify who they are via network protocols or logins
• Can employ other techniques to control how the user behaves or how their computer behaves
• Alternative solution back in 2007 was very black and white
• Antivirus/Antispyware must be running and up to date
• Windows must be FULLY up to date
• It would kick you off the network if those weren’t met
The Burden of Computer Security
• Securing computers is tough!
• Many things have to be taken into account when applying computer security
• Example – The user who needs to share files with another user
• You have a corporate solution
• Your users don’t know how to use it
• Your users think they know better
• What is the risk of not knowing?
The Need for Security
• There are 2 reasons why we need to have security.
• Information
• Intellectual Property
• Personal information
• Safety
• Safety of people
• Safety of systems
• How we protect information reduces to 3 key points:
• Confidentiality
• Integrity
• Availability
Computer Security Key Definitions
Asset
• An asset is anything that needs to be protected
• This could be:
• Information – Examples: medical records, social security numbers, banking data
• Computer System – Examples: defense systems, critical infrastructure
• Service – Examples: Websites, life/safety systems
• Facilities that house any of the 3 above
Threat/Threat Agent
• A threat is any potential violation of security that could cause harm to the asset.
• This could be:
• Someone wanting to do harm
• An insecure service
• An unacknowledged system, service or piece of information
• A threat agent is anyone or anything that wants to do harm or harms an asset
• Hackers
• Hacktivists
• A non-malicious entity – Example: someone who accidentally runs into a power pole and knocks out power to a facility
Vulnerability
• A vulnerability is a flaw or weakness in the design or implementation of an asset that could be used by a threat or threat agent to undermine security
• These could be:
• Incorrect configurations of a system
• An open port on a networked computer
• Poor backup strategy
• Poor coding
Exploit
• An exploit is any software or tool that is intentionally used to take advantage of a vulnerability on an asset.
• This could be:
• Hacking tools such as: Metasploit, Ophcrack
Risk
• A risk is the probability that a threat will take advantage of a vulnerability on an asset and cause harm.
• Think about the risk of losing data. For example, if I have only 1 backup copy of the data from my main computer and I lose that backup, the risk that my data is lost is higher.
• How about the risk to a personal photo collection vs a banking system? The risk that a threat agent wants to get the data is much higher for the banking system.
Attack
• An attack is any intentional or unintentional event that harms or
intends to harm an asset.
• Examples:
• Denial of Service attack
• Data breach
• Physical destruction of equipment
Mitigation/Compensating Control
• Mitigation is any tool, service or system that lessens the risk of attack.
• A compensating control is any tool, service or system that lowers the risk of attack on an asset by intentionally getting in the way of the threat.
• For example: A firewall in between a vulnerable system and the internet
Security Frameworks
What Are Frameworks?
• Frameworks are standards that can be followed to enhance and validate your security posture or processes
• Frameworks are generally well tested and reviewed thoroughly by many people in the industry
How Frameworks Can Help
• Since frameworks are tested and vetted by many users and organizations over time, they are proven standards to abide by
• Think of frameworks as a map. The map tells you how to get to places, explains points of interest, and tells you how to avoid certain areas
• Frameworks will point you in different directions on how to comply with security requirements
• Frameworks are sometimes also required to be followed because of industry standards
• Frameworks can also help you communicate effectively to executives in an enterprise setting
Types of Frameworks
• Industry Based Frameworks – Designed to be a broad set of rules and guidelines that allows you to protect certain industry based architectures
• General Frameworks – Designed to apply to almost any industry. These are the most widely adopted since in an enterprise we can pick and choose what we want to follow within the framework
NIST Frameworks - 1
• The National Institute of Standards and Technology (NIST) has many frameworks out there.
• These are special publications that have been a standard for many years.
• They are very easy to follow and have different levels depending on what type of compliance or rigor you need.
NIST Frameworks - 2
• NIST Cybersecurity Framework
• Aimed at protecting critical infrastructure
• One of the best frameworks to follow and easy to adopt
• NIST SP 800-53
• Security and Privacy Controls for Federal Information Systems and Organizations
• Broken down into security controls
• Comprehensive
• NIST SP 800-171
• Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
• Much easier to follow than 800-53
ISO 27001 and 27002 Frameworks
• The International Organization for Standardization
• Provides a comprehensive framework for security controls
• 27001 – Information security management systems
• 27002 – Code of practice for information security controls

• Easier to follow than some NIST publications, but the last update was in 2013.
CIS Framework
• Center for Information Security
• Framework is Critical Security Controls (CSC)
• Designed to cover many different sectors of industry
• Power, Defense, Transportation, Finance, etc.
• CIS also has controls that you can put into some software to test if you are complying with the framework
• Lesser known and adopted
Industry Frameworks
• HITECH – Healthcare in the US
• PCI DSS – Worldwide credit card compliance
• DFARS – US military contracts
How do I choose?
• Choosing a framework is as simple as asking: what do you think you can follow?
• Some frameworks are hard to comply with
• Some frameworks are meant to be implemented fully
• CU chose NIST 800-53 years ago. It took us nearly 3 years to write ours. We chose the controls that we thought we could all follow
• A benefit of using NIST 800-53 is that there are high, medium, and low categories.
• You don’t have to think up this stuff on your own! There is a map!
Confidentiality
Confidentiality - Definition
• Definition according to Title 44 of the U.S. Code: “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information”
• In layman's terms: Keeping things that are meant to be secret, secret
• This covers unauthorized access by people, systems and processes
• FIPS 199: “A loss of confidentiality is the unauthorized disclosure of information”
Example – Credit Card Information
• To help illustrate this over the next few lessons, we’ll use the example of credit cards
• Credit card companies go to great lengths to protect information
• What if someone steals your credit card information?
• Is credit card information confidential?
Example – Health Care Information
• Health information is another example of something that needs to be confidential
• Do you want your personal information leaked?
• In the US we have the Health Insurance Portability and Accountability Act
Best principle to follow?
• Out of the three principles – Confidentiality, Integrity, Availability, this is the one people are most familiar with and most sought after
• Laws are based on it
• Industry is designed to keep information secret
• Intellectual Property (IP)
• Financial Information
• Government Secrets
• Student Data
Examples of how we use it everyday
• Credit Cards
• Website Encryption – your Coursera login, Email, Google.com, YouTube
• VPNs – Virtual Private Networks
• Encryption such as BitLocker or FileVault
Why do we need this?
• It protects us from people who disclose information, intentionally or accidentally
• Only authorized individuals should have access to it
Integrity
Definition
• Definition according to Title 44 of the U.S. Code: “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity”
• In layman’s terms: keeping information:
• Accurate, complete, and protected from modification
• FIPS 199: “A loss of integrity is the unauthorized modification or destruction of information”
Example - 1
• Did you ever play the game called “pass the message”?
• One person says a word or a phrase and whispers it to another person.
• The message goes from person to person until the end, and you see if the message was kept correct
• Rarely was it correct.
• Think about the game if you gave a piece of paper instead. Could you pass the note along instead of whispering?
• The medium is important!
Example - 2
• Integrity allows us to verify data
• Luhn algorithm – used to protect against accidental errors
• Credit card numbers
• IMEI numbers
• National Provider Identification numbers
• Canadian Social Insurance numbers
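The Luhn check listed above, as an added example that is not part of the lecture slides: a small Python implementation with helpers that show which accidental errors the check catches (any single wrong digit) and which it misses (swapping an adjacent 0 and 9). The sample numbers are constructed for illustration.

```python
# Added example, not from the lecture: the Luhn check with helpers that
# show which accidental errors it catches and which it misses.
# All sample numbers used with it are constructed for illustration.

def luhn_checksum(digits: str) -> int:
    """Luhn sum mod 10. Walking from the rightmost digit, every second
    digit is doubled, and doubled values above 9 have 9 subtracted."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10

def luhn_valid(number: str) -> bool:
    """True if number (digits, spaces allowed) passes the Luhn test."""
    digits = number.replace(" ", "")
    if len(digits) < 2 or not digits.isdigit():
        return False
    return luhn_checksum(digits) == 0

def luhn_append_check_digit(payload: str) -> str:
    """Return payload plus the check digit that makes it Luhn-valid."""
    # A trailing 0 puts the payload digits on their final weights; the check
    # digit then supplies whatever is missing to reach a multiple of 10.
    check = (10 - luhn_checksum(payload + "0")) % 10
    return payload + str(check)

def detects_all_single_digit_errors(number: str) -> bool:
    """Every single-digit substitution in a valid number must fail the check."""
    for i, ch in enumerate(number):
        for other in "0123456789":
            if other != ch and luhn_valid(number[:i] + other + number[i + 1:]):
                return False
    return True

def undetected_adjacent_swaps(number: str) -> list:
    """Positions i where swapping digits i and i+1 still passes the check.
    Luhn misses exactly the 09 <-> 90 swap, since 0 and 9 contribute the
    same value whether or not they are doubled."""
    misses = []
    for i in range(len(number) - 1):
        swapped = number[:i] + number[i + 1] + number[i] + number[i + 2:]
        if swapped != number and luhn_valid(swapped):
            misses.append(i)
    return misses
```

The check is a defence against typos and transmission slips only: anyone who can alter a number can recompute the check digit, so it gives no protection against deliberate tampering, which is what the hashes and digital signatures listed below are for.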
Examples of how we use it everyday
• All packets traversing the network are checked for errors
• Digital signatures
• Hashes
• Cryptography
Why do we need this?
• If we can’t verify a message is correct, what good is the message?
• Think about any industry
• Healthcare - Accuracy is key! Think about how you dose medicine.
• Credit card information – Think about how we use the data to make transactions.
• Video on YouTube – If you have errors in the network and packets are garbled, do you get distorted video?
Availability
Definition
• Definition according to Title 44 of the U.S. Code: “Ensuring timely and reliable access to and use of information”
• In layman’s terms: The ability to ensure systems remain available and functioning
• The “A” in the CIA triad has also been used for accounting, but we are talking about the classic “A” – availability
• FIPS 199: “A loss of availability is the disruption of access to or use of information or an information system”
Example - 1
• Healthcare information – the duty is to keep information available in case it is needed.
• This is built into the security law
• If a doctor needs access to a patient’s medical records and can’t get to them because a computer system is down, could you have a life and death situation?
Example - 2
• Not so common sense
• Availability could be used to make the case for backups and redundancy
• We need data centers. Where do you think the information is stored? Only in one?
• How many backups do we have?
