1 Operating Systems Concept

Airforce Institute of Technology FACULTY OF COMPUTING
Kaduna, Kaduna State DEPARTMENT OF CYBER SECURITY
CYB 201: FUNDAMENTALS OF CYBER SECURITY II – LECTURE NOTES

MODULE 1 – OPERATING SYSTEMS CONCEPTS
TOPIC: COURSE INTRODUCTION – OVERVIEW OF CYBERSECURITY TERMINOLOGIES &

CONCEPTS
Letter: A • alert
• access Definition: A notification that a specific attack has
Definition: The ability and means to communicate been detected or directed at an organization’s
with or otherwise interact with a system, to use information systems.
system resources to handle information, to gain • All Source Intelligence
knowledge of the information the system contains, Definition: In the NICE Framework, cybersecurity
or to control system components and functions. work where a person: Analyzes threat information
Synonym(s): identity and access management from multiple sources, disciplines, and agencies
• access control across the Intelligence Community. Synthesizes and
Definition: The process of granting or denying places intelligence information in context; draws
specific requests for or attempts to: 1) obtain and insights about the possible implications.
use information and related information processing • Analyze
services; and 2) enter specific physical facilities. Definition: A NICE Framework category consisting
Related Term(s): access control mechanism of specialty areas responsible for highly specialized
• access control mechanism review and evaluation of incoming cybersecurity
Definition: Security measures designed to detect information to determine its usefulness for
and deny unauthorized access and permit intelligence.
authorized access to an information system or a • antispyware software
physical facility. Definition: A program that specializes in detecting
• active attack and blocking or removing forms of spyware.
Definition: An actual assault perpetrated by an • antivirus software
intentional threat source that attempts to alter a Definition: A program that monitors a computer or
system, its resources, its data, or its operations. network to detect or identify major types of
Related Term(s): passive attack malicious code and to prevent or contain malware
• active content incidents. Sometimes by removing or neutralizing
Definition: Software that can automatically carry the malicious code.
out or trigger actions without the explicit • asset
intervention of a user. Definition: A person, structure, facility,
• Advanced Persistent Threat information, and records, information technology
Definition: An adversary that possesses systems and resources, material, process,
sophisticated levels of expertise and significant relationships, or reputation that has value.
resources which allow it to create opportunities to Extended Definition: Anything useful that
achieve its objectives by using multiple attack contributes to the success of something, such as an
vectors (e.g., cyber, physical, and deception). organizational mission; assets are things of value or
• adversary properties to which value can be assigned.
Definition: An individual, group, organization, or • asymmetric cryptography
government that conducts or has the intent to Synonym(s): public key cryptography
conduct detrimental activities. • attack
Related Term(s): threat agent, attacker Definition: An attempt to gain unauthorized access
• air gap to system services, resources, or information, or an
Definition: To physically separate or isolate a attempt to compromise system integrity.
system from other systems or networks (verb). Extended Definition: The intentional act of
Extended Definition: The physical separation or attempting to bypass one or more security services
isolation of a system from other systems or or controls of an information system.
networks (noun). Related Term(s): active attack, passive attack
1

• attack method Definition: A property achieved through

Definition: The manner or technique and means an cryptographic methods of being genuine and being
adversary may use in an assault on information or able to be verified and trusted, resulting in
an information system. confidence in the validity of a transmission,
• attack mode information or a message, or sender of information
Synonym(s): attack method or a message.
attack path Related Term(s): integrity, non-repudiation
Definition: The steps that an adversary takes or may • authorization
take to plan, prepare for, and execute an attack. Definition: A process of determining, by evaluating
• attack pattern applicable access control information, whether a
Definition: Similar cyber events or behaviours that subject can have the specified types of access to a
may indicate an attack has occurred or is occurring, particular resource.
resulting in a security violation or a potential Extended Definition: The process or act of granting
security violation. access privileges or the access privileges as granted.
Extended Definition: For software, descriptions of • availability
common methods for exploiting software systems. Definition: The property of being accessible and
Related Term(s): attack signature usable upon demand.
• attack signature Extended Definition: In cybersecurity, applies to
Definition: A characteristic or distinctive pattern assets such as information or information systems.
that can be searched for or that can be used in Related Term(s): confidentiality, integrity
matching to previously identified attacks. Letter: B
Extended Definition: An automated set of rules for • behaviour monitoring
identifying a potential threat (such as an exploit or Definition: Observing activities of users,
the presence of an attacker tool) and possible information systems, and processes and measuring
responses to that threat. the activities against organizational policies and
Related Term(s): attack pattern rule, baselines of normal activity, thresholds, and
• attack surface trends.
Definition: The set of ways in which an adversary • behavioural monitoring
can enter a system and potentially cause damage. Synonym(s): behaviour monitoring
Extended Definition: An information system's • blacklist
characteristics that permit an adversary to probe, Definition: A list of entities that are blocked or
attack, or maintain presence in the information denied privileges or access.
system. Related Term(s): whitelist
• attacker • Blue Team
Definition: An individual, group, organization, or Definition: A group that defends an enterprise's
government that executes an attack. information systems when mock attackers (i.e., the
Extended Definition: A party acting with malicious Red Team) attack, typically as part of an operational
intent to compromise an information system. exercise conducted according to rules established
Related Term(s): adversary, threat agent and monitored by a neutral group (i.e., the White
• authenticate Team).
Related Term(s): authentication Extended Definition: Also, a group that conducts
• authentication operational vulnerability evaluations and
Definition: The process of verifying the identity or recommends mitigation techniques to customers
other attributes of an entity (user, process, or who need an independent technical review of their
device). cybersecurity posture.
Extended Definition: Also, the process of verifying Related Term(s): Red Team, White Team
the source and integrity of data. • bot
• authenticity
2

Definition: A computer connected to the Internet minimal management effort or service provider
that has been surreptitiously / secretly interaction.
compromised with malicious logic to perform • computer forensics
activities under remote the command and control Synonym(s): digital forensics
of a remote administrator. • computer network defense
Extended Definition: A member of a larger Definition: The actions taken to defend against
collection of compromised computers known as a unauthorized activity within computer networks.
botnet. • computer security incident
Synonym(s): zombie Synonym(s): incident
Related Term(s): botnet Related Term(s): event
• bot herder • confidentiality
Synonym(s): bot master Definition: A property that information is not
• bot master disclosed to users, processes, or devices unless they
Definition: The controller of a botnet that, from a have been authorized to access the information.
remote location, provides direction to the Extended Definition: Preserving authorized
compromised computers in the botnet. restrictions on information access and disclosure,
Synonym(s): bot herder including means for protecting personal privacy and
• botnet proprietary information.
Definition: A collection of computers compromised Related Term(s): availability, integrity
by malicious code and controlled across a network. • consequence
• bug Definition: The effect of an event, incident, or
Definition: An unexpected and relatively small occurrence.
defect, fault, flaw, or imperfection in an Extended Definition: In cybersecurity, the effect of
information system or device. a loss of confidentiality, integrity or availability of
• Build Security In information or an information system on an
Definition: A set of principles, practices, and tools organization's operations, its assets, on individuals,
to design, develop, and evolve information systems other organizations, or on national interests.
and software that enhance resistance to • Continuity of Operations Plan
vulnerabilities, flaws, and attacks. Definition: A document that sets forth procedures
for the continued performance of core capabilities
Letter: C and critical operations during any disruption or
• capability potential disruption.
Definition: The means to accomplish a mission, Related Term(s): Business Continuity Plan, Disaster
function, or objective. Recovery Plan, Contingency Plan
Related Term(s): intent • critical infrastructure
• cipher Definition: The systems and assets, whether
Synonym(s): cryptographic algorithm physical or virtual, so vital to society that the
• ciphertext incapacity or destruction of such may have a
Definition: Data or information in its encrypted debilitating impact on the security, economy, public
form. health or safety, environment, or any combination
Related Term(s): plaintext of these matters.
• cloud computing Related Term(s): key resource
Definition: A model for enabling on-demand • critical infrastructure and key resources
network access to a shared pool of configurable Synonym(s): critical infrastructure
computing capabilities or resources (e.g., networks, • cryptanalysis
servers, storage, applications, and services) that Definition: The operations performed in defeating
can be rapidly provisioned and released with or circumventing cryptographic protection of
information by applying mathematical techniques
3

and without an initial knowledge of the key Definition: An electronic information and
employed in providing the protection. communications systems and services and the
Extended Definition: The study of mathematical information contained therein.
techniques for attempting to defeat or circumvent Extended Definition: The information and
cryptographic techniques and/or information communications systems and services composed of
systems security. all hardware and software that process, store, and
• cryptographic algorithm communicate information, or any combination of
Definition: A well-defined computational all these elements: • Processing includes the
procedure that takes variable inputs, including a creation, access, modification, and destruction of
cryptographic key, and produces an output. information. • Storage includes paper, magnetic,
Related Term(s): key, encryption, decryption, electronic, and all other media types. •
symmetric key, asymmetric key Communications include sharing and distribution of
• cryptography information.
Definition: The use of mathematical techniques to • Cyber Operations
provide security services, such as confidentiality, Definition: Cybersecurity work where a person:
data integrity, entity authentication, and data Performs activities to gather evidence on criminal
origin authentication. or foreign intelligence entities in order to mitigate
Extended Definition: The art or science concerning possible or real-time threats, protect against
the principles, means, and methods for converting espionage or insider threats, foreign sabotage,
plaintext into ciphertext and for restoring international terrorist activities, or to support other
encrypted ciphertext to plaintext. intelligence activities.
Related Term(s): plaintext, ciphertext, encryption, • Cyber Operations Planning
decryption Definition: Cybersecurity work where a person:
• cryptology Performs in-depth joint targeting and cyber
Definition: The mathematical science that deals planning process. Gathers information and
with cryptanalysis and cryptography. develops detailed Operational Plans and Orders
Related Term(s): cryptanalysis, cryptography supporting requirements. Conducts strategic and
• cyber ecosystem operational-level planning across the full range of
Definition: The interconnected information operations for integrated information and
infrastructure of interactions among persons, cyberspace operations
processes, data, and information and • cybersecurity
communications technologies, along with the Definition: The activity or process, ability or
environment and conditions that influence those capability, or state whereby information and
interactions. communications systems and the information
• cyber exercise contained therein are protected from and/or
Definition: A planned event during which an defended against damage, unauthorized use or
organization simulates a cyber disruption to modification, or exploitation.
develop or test capabilities such as preventing, Extended Definition: Strategy, policy, and standards
detecting, mitigating, responding to or recovering regarding the security of and operations in
from the disruption. cyberspace, and encompass[ing] the full range of
• cyber incident threat reduction, vulnerability reduction,
Synonym(s): incident deterrence, international engagement, incident
Related Term(s): event response, resiliency, and recovery policies and
• cyber incident response plan activities, including computer network operations,
Synonym(s): incident response plan information assurance, law enforcement,
• cyber infrastructure diplomacy, military, and intelligence missions as
they relate to the security and stability of the global
information and communications infrastructure.
4

• cyberspace Definition: The process or techniques used to

Definition: The interdependent network of analyze large sets of existing information to
information technology infrastructures, that discover previously unrevealed patterns or
includes the Internet, telecommunications correlations.
networks, computer systems, and embedded Related Term(s): data aggregation
processors and controllers. • data spill
Letter: D Synonym(s): data breach
• Data Administration • data theft
Definition: In the NICE Framework, cybersecurity Definition: The deliberate or intentional act of
work where a person: Develops and administers stealing of information.
databases and/or data management systems that Related Term(s): data aggregation, data leakage,
allow for the storage, query, and utilization of data. data loss
• data aggregation • decipher
Definition: The process of gathering and combining Definition: To convert enciphered text to plain text
data from different sources, so that the combined by means of a cryptographic system.
data reveals new information. Synonym(s): decode, decrypt
Extended Definition: The new information is more • decode
sensitive than the individual data elements Definition: To convert encoded text to plain text by
themselves and the person who aggregates the means of a code.
data was not granted access to the totality of the Synonym(s): decipher, decrypt
information. • decrypt
Related Term(s): data mining Definition: A generic term encompassing decode
• data breach and decipher.
Definition: The unauthorized movement or Synonym(s): decipher, decode
disclosure of sensitive information to a party, • decryption
usually outside the organization, that is not Definition: The process of transforming ciphertext
authorized to have or see the information. into its original plaintext.
Related Term(s): data loss, data theft, exfiltration Extended Definition: The process of converting
• data integrity encrypted data back into its original form, so it can
Definition: The property that data is complete, be understood.
intact, and trusted and has not been modified or Synonym(s): decode, decrypt, decipher
destroyed in an unauthorized or accidental • denial of service
manner. Definition: An attack that prevents or impairs the
Related Term(s): integrity, system integrity authorized use of information system resources or
• data leakage services.
Synonym(s): data breach • designed-in security
• data loss Synonym(s): Build Security In
Definition: The result of unintentionally or • digital forensics
accidentally deleting data, forgetting where it is Definition: The processes and specialized
stored, or exposure to an unauthorized party. techniques for gathering, retaining, and analyzing
Related Term(s): data leakage, data theft system-related data (digital evidence) for
• data loss prevention investigative purposes.
Definition: A set of procedures and mechanisms to Extended Definition: Cybersecurity work where a
stop sensitive data from leaving a security person: Collects, processes, preserves, analyses,
boundary. and presents computer-related evidence in support
Related Term(s): data loss, data theft, data leak of network vulnerability, mitigation, and/or
• data mining criminal, fraud, counterintelligence or law
enforcement investigations.
5

Synonym(s): computer forensics, forensics Definition: The process of transforming plaintext
• digital rights management into ciphertext.
Definition: A form of access control technology to Extended Definition: Converting data into a form
protect and manage use of digital content or that cannot be easily understood by unauthorized
devices in accordance with the content or device people.
provider's intentions. Synonym(s): encode, encrypt, encipher
digital signature • enterprise risk management
Definition: A value computed with a cryptographic Definition: A comprehensive approach to risk
process using a private key and then appended to a management that engages people, processes, and
data object, thereby digitally signing the data. systems across an organization to improve the
Related Term(s): electronic signature quality of decision making for managing risks that
• disruption may hinder an organization’s ability to achieve its
Definition: An event which causes unplanned objectives.
interruption in operations or functions for an Extended Definition: Involves identifying mission
unacceptable length of time. dependencies on enterprise capabilities, identifying
• distributed denial of service and prioritizing risks due to defined threats,
Definition: A denial of service technique that uses implementing countermeasures to provide both a
numerous systems to perform the attack static risk posture and an effective dynamic
simultaneously. response to active threats; and assessing enterprise
Related Term(s): denial of service, botnet performance against threats and adjusts
• dynamic attack surface countermeasures as necessary.
Definition: The automated, on-the-fly changes of an Related Term(s): risk management, integrated risk
information system's characteristics to thwart management, risk
actions of an adversary. • event
Letter: E Definition: An observable occurrence in an
• Education and Training information system or network.
Definition: Cybersecurity work where a person: Extended Definition: Sometimes provides an
Conducts training of personnel within pertinent indication that an incident is occurring or at least
subject domain; develop, plan, coordinate, deliver, raise the suspicion that an incident may be
and/or evaluate training courses, methods, and occurring.
techniques as appropriate. Related Term(s): incident
• electronic signature • exfiltration
Definition: Any mark in electronic form associated Definition: The unauthorized transfer of
with an electronic document, applied with the information from an information system.
intent to sign the document. Related Term(s): data breach
• encipher • exploit
Definition: To convert plaintext to ciphertext by Definition: A technique to breach the security of a
means of a cryptographic system. network or information system in violation of
Synonym(s): encode, encrypt security policy.
• encode • Exploitation Analysis
Definition: To convert plaintext to ciphertext by Definition: In the NICE Framework, cybersecurity
means of a code. work where a person: Analyzes collected
Synonym(s): encipher, encrypt information to identify vulnerabilities and potential
• encrypt for exploitation.
Definition: The generic term encompassing • exposure
encipher and encode. Definition: The condition of being unprotected,
Synonym(s): encipher, encode thereby allowing access to information or access to
• encryption
6

capabilities that an attacker can use to enter a • identity and access management
system or network. Definition: The methods and processes used to
Letter: F manage subjects and their authentication and
• Failure authorizations to access specific objects.
Definition: The inability of a system or component • impact
to perform its required functions within specified Synonym(s): consequence
performance requirements. • incident
• firewall Definition: An occurrence that actually or
Definition: A capability to limit network traffic potentially results in adverse consequences to
between networks and/or information systems. (adverse effects on) (poses a threat to) an
Extended Definition: A hardware/software device information system or the information that the
or a software program that limits network traffic system processes, stores, or transmits and that may
according to a set of rules of what access is and is require a response action to mitigate the
not allowed or authorized. consequences.
• forensics Extended Definition: An occurrence that
Synonym(s): digital forensics constitutes a violation or imminent threat of
violation of security policies, security procedures,
Letter: H or acceptable use policies.
• hacker Related Term(s): event
Definition: An unauthorized user who attempts to • incident management
or gains access to an information system. Definition: The management and coordination of
• hash value activities associated with an actual or potential
Definition: A numeric value resulting from applying occurrence of an event that may result in adverse
a mathematical algorithm against a set of data such consequences to information or information
as a file. systems.
Synonym(s): cryptographic hash value • incident response
Related Term(s): hashing Definition: The activities that address the short-
• hashing term, direct effects of an incident and may also
Definition: A process of applying a mathematical support short-term recovery.
algorithm against a set of data to produce a Extended Definition: Responds to crisis or urgent
numeric value (a 'hash value') that represents the situations within the pertinent domain to mitigate
data. immediate and potential threats; uses mitigation,
Extended Definition: Mapping a bit string of preparedness, and response and recovery
arbitrary length to a fixed length bit string to approaches, as needed, to maximize survival of life,
produce the hash value. preservation of property, and information security.
Related Term(s): hash value Investigates and analyzes all relevant response
• hazard activities.
Definition: A natural or man-made source or cause Synonym(s): response
of harm or difficulty. Related Term(s): recovery
Related Term(s): threat • incident response plan
Definition: A set of predetermined and
Letter: I documented procedures to detect and respond to
• ICT supply chain threat a cyber incident.
Definition: A man-made threat achieved through • indicator
exploitation of the information and Definition: An occurrence or sign that an incident
communications technology (ICT) system’s supply may have occurred or may be in progress.
chain, including acquisition processes. Related Term(s): precursor
Related Term(s): supply chain, threat • Industrial Control System
7

Definition: An information system used to control assurance program of an information system in or
industrial processes such as manufacturing, outside the network environment; may include
product handling, production, and distribution or to procurement duties (e.g., Information Systems
control infrastructure assets. Security Officer).
Related Term(s): Supervisory Control and Data • information technology
Acquisition, Operations Technology Definition: Any equipment or interconnected
• information and communication(s) system or subsystem of equipment that processes,
technology transmits, receives, or interchanges data or
Definition: Any information technology, information.
equipment, or interconnected system or subsystem Related Term(s): information and
of equipment that processes, transmits, receives, communication(s) technology
or interchanges data or information. • inside ( r) threat
Related Term(s): information technology Definition: A person or group of persons within an
• information assurance organization who pose a potential risk through
Definition: The measures that protect and defend violating security policies.
information and information systems by ensuring Extended Definition: One or more individuals with
their availability, integrity, and confidentiality. the access and/or inside knowledge of a company,
Related Term(s): information security organization, or enterprise that would allow them
• Information Assurance Compliance to exploit the vulnerabilities of that entity's
Definition: Cybersecurity work where a person: security, systems, services, products, or facilities
Oversees, evaluates, and supports the with the intent to cause harm.
documentation, validation, and accreditation Related Term(s): outside ( r) threat
processes necessary to assure that new IT systems • integrated risk management
meet the organization's information assurance and Definition: The structured approach that enables an
security requirements; ensures appropriate enterprise or organization to share risk information
treatment of risk, compliance, and assurance from and risk analysis and to synchronize independent
internal and external perspectives. yet complementary risk management strategies to
• information security policy unify efforts across the enterprise.
Definition: An aggregate of directives, regulations, Related Term(s): risk management, enterprise risk
rules, and practices that prescribe how an management
organization manages, protects, and distributes • integrity
information. Definition: The property whereby information, an
Related Term(s): security policy information system, or a component of a system
• information sharing has not been modified or destroyed in an
Definition: An exchange of data, information, unauthorized manner.
and/or knowledge to manage risks or respond to Extended Definition: A state in which information
incidents. has remained unaltered from the point it was
• information system resilience produced by a source, during transmission, storage,
Definition: The ability of an information system to: and eventual receipt by the destination.
(1) continue to operate under adverse conditions or Related Term(s): availability, confidentiality, data
stress, even if in a degraded or debilitated state, integrity, system integrity
while maintaining essential operational • intent
capabilities; and (2) recover effectively in a timely Definition: A state of mind or desire to achieve an
manner. objective.
Related Term(s): resilience Related Term(s): capability
• Information Systems Security Operations • interoperability
Definition: In the NICE Framework, cybersecurity
work where a person: Oversees the information
8

Definition: The ability of two or more systems or Extended Definition: Two mathematically related
components to exchange information and to use keys having the property that one key can be used
the information that has been exchanged. to encrypt a message that can only be decrypted
Adapted from: IEEE Standard Computer Dictionary, using the other key.
DHS personnel Related Term(s): private key, public key
• intrusion • key resource
Definition: An unauthorized act of bypassing the Definition: A publicly or privately controlled asset
security mechanisms of a network or information necessary to sustain continuity of government
system. and/or economic operations, or an asset that is of
Synonym(s): penetration great historical significance.
• intrusion detection Related Term(s): critical infrastructure
Definition: The process and methods for analyzing • keylogger
information from networks and information Definition: Software or hardware that tracks
systems to determine if a security breach or keystrokes and keyboard events, usually
security violation has occurred. surreptitiously / secretly, to monitor actions by the
• Investigate user of an information system.
Definition: a NICE Framework category consisting of Related Term(s): spyware
specialty areas responsible for the investigation of Letter: M
cyber events and/or crimes of IT systems, networks, • machine learning and evolution
and digital evidence Definition: A field concerned with designing and
• investigation developing artificial intelligence algorithms for
Definition: A systematic and formal inquiry into a automated knowledge discovery and innovation by
qualified threat or incident using digital forensics information systems.
and perhaps other traditional criminal inquiry • macro virus
techniques to determine the events that transpired Definition: A type of malicious code that attaches
and to collect evidence. itself to documents and uses the macro
Extended Definition: In the NICE Framework, programming capabilities of the document’s
cybersecurity work where a person: Applies tactics, application to execute, replicate, and spread or
techniques, and procedures for a full range of propagate itself.
investigative tools and processes to include but not • malicious applet
limited to interview and interrogation techniques, Definition: A small application program that is
surveillance, counter surveillance, and surveillance automatically downloaded and executed and that
detection, and appropriately balances the benefits performs an unauthorized function on an
of prosecution versus intelligence gathering. information system.
• IT asset Related Term(s): malicious code
Synonym(s): asset • malicious code
Letter: K Definition: Program code intended to perform an
• key unauthorized function or process that will have
Definition: The numerical value used to control adverse impact on the confidentiality, integrity, or
cryptographic operations, such as decryption, availability of an information system.
encryption, signature generation, or signature Extended Definition: Includes software, firmware,
verification. and scripts.
Related Term(s): private key, public key, secret key, Related Term(s): malicious logic
symmetric key • malicious logic
• key pair Definition: Hardware, firmware, or software that is
Definition: A public key and its corresponding intentionally included or inserted in a system to
private key. perform an unauthorized function or process that
9

will have adverse impact on the confidentiality, particular action such as creating information,
integrity, or availability of an information system. sending a message, approving information, and
Related Term(s): malicious code receiving a message.
• malware Related Term(s): integrity, authenticity
Definition: Software that compromises the Letter: O
operation of a system by performing an • object
unauthorized function or process. Definition: A passive information system-related
Synonym(s): malicious code, malicious applet, entity containing or receiving information.
malicious logic Related Term(s): subject, access, access control
• mitigation • operational exercise
Definition: The application of one or more Definition: An action-based exercise where
measures to reduce the likelihood of an unwanted personnel rehearse reactions to an incident
occurrence and/or lessen its consequences. scenario, drawing on their understanding of plans
Extended Definition: Implementing appropriate and procedures, roles, and responsibilities.
risk-reduction controls based on risk management Extended Definition: Also referred to as operations-
priorities and analysis of alternatives. based exercise.
• moving target defense • Operations Technology
Definition: The presentation of a dynamic attack Definition: The hardware and software systems
surface, increasing an adversary's work factor used to operate industrial control devices.
necessary to probe, attack, or maintain presence in Related Term(s): Industrial Control System
a cyber target. • Outside ( r) threat
Definition: A person or group of persons external to
an organization who are not authorized to access its
Letter: N assets and pose a potential risk to the organization
• network resilience and its assets.
Definition: The ability of a network to: (1) provide Related Term(s): inside ( r) threat
continuous operation (i.e., highly resistant to • Oversight & Development
disruption and able to operate in a degraded mode Definition: A NICE Framework category consisting
if damaged); (2) recover effectively if failure does of specialty areas providing leadership,
occur; and (3) scale to meet rapid or unpredictable management, direction, and/or development and
demands. advocacy so that all individuals and the
• Network Services organization may effectively conduct cybersecurity
Definition: Cybersecurity work where a person: work.
Installs, configures, tests, operates, maintains, and Letter: P
manages networks and their firewalls, including • passive attack
hardware (e.g., hubs, bridges, switches, Definition: An actual assault perpetrated by an
multiplexers, routers, cables, proxy servers, and intentional threat source that attempts to learn or
protective distributor systems) and software that make use of information from a system, but does
permit the sharing and transmission of all spectrum not attempt to alter the system, its resources, its
transmissions of information to support the data, or its operations.
security of information and information systems. Related Term(s): active attack
• non-repudiation • password
Definition: A property achieved through Definition: A string of characters (letters, numbers,
cryptographic methods to protect against an and other symbols) used to authenticate an identity
individual or entity falsely denying having or to verify access authorization.
performed a particular action related to data. • pen test
Extended Definition: Provides the capability to Definition: A colloquial term for penetration test or
determine whether a given individual took a penetration testing.
10

Synonym(s): penetration testing Definition: A cryptographic key that may be widely
• penetration published and is used to enable the operation of an
Synonym(s): intrusion asymmetric (public key) cryptographic algorithm.
• penetration testing Extended Definition: The public part of an
Definition: An evaluation methodology whereby asymmetric key pair that is uniquely associated
assessors search for vulnerabilities and attempt to with an entity and that may be made public.
circumvent the security features of a network Related Term(s): private key, asymmetric
and/or information system. cryptography
• Personal Identifying Information / • public key cryptography
Personally Identifiable Information Definition: A branch of cryptography in which a
Definition: The information that permits the cryptographic system or algorithms use two
identity of an individual to be directly or indirectly uniquely linked keys: a public key and a private key
inferred. (a key pair).
• phishing Synonym(s): asymmetric cryptography, public key
Definition: A digital form of social engineering to encryption
deceive individuals into providing sensitive • public key encryption
information. Synonym(s): public key cryptography
• plaintext • Public Key Infrastructure
Definition: Unencrypted information. Definition: A framework consisting of standards
Related Term(s): ciphertext and services to enable secure, encrypted
• precursor communication and authentication over potentially
Definition: An observable occurrence or sign that insecure networks such as the Internet.
an attacker may be preparing to cause an incident. Extended Definition: A framework and services for
Related Term(s): indicator generating, producing, distributing, controlling,
• Preparedness accounting for, and revoking (destroying) public key
Definition: The activities to build, sustain, and certificates.
improve readiness capabilities to prevent, protect Letter: R
against, respond to, and recover from natural or • Recovery
manmade incidents. Definition: The activities after an incident or event
• privacy to restore essential services and operations in the
Definition: The assurance that the confidentiality short and medium term and fully restore all
of, and access to, certain information about an capabilities in the longer term.
entity is protected. • Red Team
Extended Definition: The ability of individuals to Definition: A group authorized and organized to
understand and exercise control over how emulate a potential adversary’s attack or
information about themselves may be used by exploitation capabilities against an enterprise’s
others. cybersecurity posture.
• private key Related Term(s): Blue Team, White Team
Definition: A cryptographic key that must be kept • Red Team exercise
confidential and is used to enable the operation of Definition: An exercise, reflecting real-world
an asymmetric (public key) cryptographic conditions, that is conducted as a simulated
algorithm. attempt by an adversary to attack or exploit
Extended Definition: The secret part of an vulnerabilities in an enterprise's information
asymmetric key pair that is uniquely associated systems.
with an entity. Related Term(s): cyber exercise
Related Term(s): public key, asymmetric • redundancy
cryptography Definition: Additional or alternative systems, sub-
• public key systems, assets, or processes that maintain a
11

degree of overall functionality in case of loss or acceptable level considering associated costs and
failure of another system, sub-system, asset, or benefits of any actions taken.
process. Extended Definition: Includes: 1) conducting a risk
• resilience assessment; 2) implementing strategies to mitigate
Definition: The ability to adapt to changing risks; 3) continuous monitoring of risk over time;
conditions and prepare for, withstand, and rapidly and 4) documenting the overall risk management
recover from disruption. program.
• response Related Term(s): enterprise risk management,
Definition: The activities that address the short- integrated risk management, risk
term, direct effects of an incident and may also • risk mitigation
support short-term recovery. Synonym(s): mitigation
Extended Definition: In cybersecurity, response • risk-based data management
encompasses both automated and manual Definition: A structured approach to managing
activities. risks to data and information by which an
Related Term(s): recovery organization selects and applies appropriate
security controls in compliance with policy and
Adapted from: National Infrastructure Protection commensurate with the sensitivity and value of the
Plan, NCPS Target Architecture Glossary data.
response plan • rootkit
Synonym(s): incident response plan Definition: A set of software tools with
• risk administrator-level access privileges installed on an
Definition: The potential for an unwanted or information system and designed to hide the
adverse outcome resulting from an incident, event, presence of the tools, maintain the access
or occurrence, as determined by the likelihood that privileges, and conceal the activities conducted by
a particular threat will exploit a particular the tools.
vulnerability, with the associated consequences. Letter: S
• risk analysis • secret key
Definition: The systematic examination of the Definition: A cryptographic key that is used for both
components and characteristics of risk. encryption and decryption, enabling the operation
• risk assessment of a symmetric key cryptography scheme.
Definition: The product or process which collects Extended Definition: Also, a cryptographic
information and assigns values to risks for the algorithm that uses a single key (i.e., a secret key)
purpose of informing priorities, developing or for both encryption of plaintext and decryption of
comparing courses of action, and informing ciphertext.
decision making. Related Term(s): symmetric key
Extended Definition: The appraisal of the risks • security automation
facing an entity, asset, system, or network, Definition: The use of information technology in
organizational operations, individuals, geographic place of manual processes for cyber incident
area, other organizations, or society, and includes response and management.
determining the extent to which adverse • security incident
circumstances or events could result in harmful Synonym(s): incident
consequences. • security policy
Related Term(s): risk analysis, risk Definition: A rule or set of rules that govern the
• risk management acceptable use of an organization's information and
Definition: The process of identifying, analyzing, services to a level of acceptable risk and the means
assessing, and communicating risk and accepting, for protecting the organization's information
avoiding, transferring or controlling it to an assets.
12

Extended Definition: A rule or set of rules applied to Related Term(s): keylogger
an information system to provide security services. • subject
• signature Definition: An individual, process, or device causing
Definition: A recognizable, distinguishing pattern. information to flow among objects or a change to
Extended Definition: Types of signatures: attack the system state.
signature, digital signature, electronic signature. Extended Definition: An active entity.
• situational awareness Related Term(s): object, access, access control
Definition: Comprehending information about the • Supervisory Control and Data Acquisition
current and developing security posture and risks, Definition: A generic name for a computerized
based on information gathered, observation and system that can gather and processing data and
analysis, and knowledge or experience. applying operational controls to geographically
Extended Definition: In cybersecurity, dispersed assets over long distances.
comprehending the current status and security Related Term(s): Industrial Control System
posture with respect to availability, confidentiality, • supply chain
and integrity of networks, systems, users, and data, Definition: A system of organizations, people,
as well as projecting future states of these. activities, information and resources, for creating
• software assurance and moving products including product
Definition: The level of confidence that software is components and/or services from suppliers
free from vulnerabilities, either intentionally through to their customers.
designed into the software or accidentally inserted Related Term(s): supply chain risk management
at any time during its lifecycle, and that the • Supply Chain Risk Management
software functions in the intended manner. Definition: The process of identifying, analyzing,
• Software Assurance and Security and assessing supply chain risk and accepting,
Engineering avoiding, transferring or controlling it to an
Definition: In the NICE Framework, cybersecurity acceptable level considering associated costs and
work where a person: Develops and writes/codes benefits of any actions taken.
new (or modifies existing) computer applications, Related Term(s): supply chain
software, or specialized utility programs following • symmetric cryptography
software assurance best practices. Definition: A branch of cryptography in which a
• spam cryptographic system or algorithms use the same
Definition: The abuse of electronic messaging secret key (a shared secret key).
systems to indiscriminately send unsolicited bulk • symmetric encryption algorithm
messages. Synonym(s): symmetric cryptography
• spillage • symmetric key
Synonym(s): data spill, data breach Definition: A cryptographic key that is used to
• Spoofing perform both the cryptographic operation and its
Definition: Faking the sending address of a inverse, for example to encrypt plaintext and
transmission to gain illegal [unauthorized] entry decrypt ciphertext, or create a message
into a secure system. authentication code and to verify the code.
Extended Definition: The deliberate inducement of Extended Definition: Also, a cryptographic
a user or resource to take incorrect action. Note: algorithm that uses a single key (i.e., a secret key)
Impersonating, masquerading, piggybacking, and for both encryption of plaintext and decryption of
mimicking are forms of spoofing. ciphertext.
• spyware Related Term(s): secret key
Definition: Software that is secretly or • System Administration
surreptitiously installed into an information system Definition: Cybersecurity work where a person:
without the knowledge of the system user or Installs, configures, troubleshoots, and maintains
owner. server configurations (hardware and software) to
13

ensure their confidentiality, integrity, and assets (including information and information
availability; also manages accounts, firewalls, and systems), individuals, other organizations, or
patches; responsible for access control, passwords, society.
and account creation and administration. Extended Definition: Includes an individual or group
• system integrity of individuals, entity such as an organization or a
Definition: The attribute of an information system nation), action, or occurrence.
when it performs its intended function in an • threat actor
unimpaired manner, free from deliberate or Synonym(s): threat agent
inadvertent unauthorized manipulation of the • threat agent
system. Definition: An individual, group, organization, or
Related Term(s): integrity, data integrity government that conducts or has the intent to
• Systems Development conduct detrimental activities.
Definition: Cybersecurity work where a person: Related Term(s): adversary, attacker
Works on the development phases of the systems • threat analysis
development lifecycle. Definition: The detailed evaluation of the
Letter: T characteristics of individual threats.
• tabletop exercise Extended Definition: Cybersecurity work where a
Definition: A discussion-based exercise where person: Identifies and assesses the capabilities and
personnel meet in a classroom setting or breakout activities of cyber criminals or foreign intelligence
groups and are presented with a scenario to entities; produces findings to help initialize or
validate the content of plans, procedures, policies, support law enforcement and counterintelligence
cooperative agreements or other information for investigations or activities.
managing an incident. • threat assessment
• tailored trustworthy space Definition: The product or process of identifying or
Definition: A cyberspace environment that provides evaluating entities, actions, or occurrences,
a user with confidence in its security, using whether natural or man-made, that have or
automated mechanisms to ascertain security indicate the potential to harm life, information,
conditions and adjust the level of security based on operations, and/or property.
the user's context and in the face of an evolving Related Term(s): threat analysis
range of threats. • ticket
• Targets Definition: In access control, data that
Definition: Cybersecurity work where a person: authenticates the identity of a client or a service
Applies current knowledge of one or more regions, and, together with a temporary encryption key (a
countries, non-state entities, and/or technologies. session key), forms a credential.
• Test and Evaluation • traffic light protocol
Cybersecurity work where a person: Develops and Definition: A set of designations employing four
conducts tests of systems to evaluate compliance colours (RED, AMBER, GREEN, and WHITE) used to
with specifications and requirements by applying ensure that sensitive information is shared with the
principles and methods for cost-effective planning, correct audience.
evaluating, verifying, and validating of technical, • Trojan horse
functional, and performance characteristics Definition: A computer program that appears to
(including interoperability) of systems or elements have a useful function, but also has a hidden and
of systems incorporating information technology. potentially malicious function that evades security
• threat mechanisms, sometimes by exploiting legitimate
Definition: A circumstance or event that has or authorizations of a system entity that invokes the
indicates the potential to exploit vulnerabilities and program.
to adversely impact (create adverse consequences Letter: U
for) organizational operations, organizational • unauthorized access
14

Definition: Any access that violates the stated policy, assesses the level of risk, and develops
security policy. and/or recommends appropriate mitigation
Letter: V countermeasures in operational and non-
• virus operational situations.
Definition: A computer program that can replicate Letter: W

itself, infect a computer without permission or • weakness
knowledge of the user, and then spread or Definition: A shortcoming or imperfection in
propagate to another computer. software code, design, architecture, or deployment
Related Term(s): macro virus that, under proper conditions, could become a
• vulnerability vulnerability or contribute to the introduction of
Definition: A characteristic or specific weakness vulnerabilities.
that renders an organization or asset (such as Related Term(s): vulnerability
information or an information system) open to • White Team
exploitation by a given threat or susceptible to a Definition: A group responsible for refereeing an
given hazard. engagement between a Red Team of mock
Extended Definition: Characteristic of location or attackers and a Blue Team of actual defenders of
security posture or of design, security procedures, information systems.
internal controls, or the implementation of any of Related Term(s): Blue Team, Red Team
these that permit a threat or hazard to occur. • whitelist
Vulnerability (expressing degree of vulnerability): Definition: A list of entities that are considered
qualitative or quantitative expression of the level of trustworthy and are granted access or privileges.
susceptibility to harm when a threat or hazard is Related Term(s): blacklist
realized. • work factor
Related Term(s): weakness Definition: An estimate of the effort or time needed
• Vulnerability Assessment and by a potential adversary, with specified expertise
Management and resources, to overcome a protective measure.
Definition: Cybersecurity work where a person: • worm
Conducts assessments of threats and Definition: A self-replicating, self-propagating, self-
vulnerabilities, determines deviations from contained program that uses networking
acceptable configurations, enterprise or local mechanisms to spread itself.
15

TOPIC: OPERATING SYSTEMS PROTECTION MECHANISMS
Operating-System Structure
An operating system provides the environment within which programs are executed.
Internally, operating systems vary greatly in their makeup since they are organized along
many different lines. There are, however, many commonalities.
One of the most important aspects of operating systems is the ability to multiprogram. A
single program cannot, in general, keep either the CPU or the I/O devices busy at all times.
Single users frequently have multiple programs running. Multiprogramming increases CPU
utilization by organizing jobs (code and data) so that the CPU always has one to execute.
The idea is as follows: The operating system keeps several jobs in memory simultaneously.
(Since, in general, main memory is too small to accommodate all jobs, the jobs are kept
initially on the disk in the job pool. This pool consists of all processes residing on disk awaiting
allocation of main memory.
The set of jobs in memory can be a subset of the jobs kept in the job pool. The operating
system picks and begins to execute one of the jobs in memory. Eventually, the job may have
to wait for some tasks, such as an I/O operation, to complete. In a non-multiprogrammed
system, the CPU would sit idle. In a multiprogrammed system, the operating system simply
switches to, and executes, another job. When that job needs to wait, the CPU switches to
another job, and so on. Eventually, the first job finishes waiting and gets the CPU back. If at
least one job needs to execute, the CPU is never idle.
This idea is common in other life situations. A lawyer does not work for only one client at a
time, for example. While one case is waiting to go to trial or have papers typed, the lawyer
can work on another case. If he has enough clients, the lawyer will never be idle for lack of
work. (Idle lawyers tend to become politicians, so there is a certain social value in keeping
lawyers busy.)
Multiprogrammed systems provide an environment in which the various system resources

(for example, CPU, memory, and peripheral devices) are utilized effectively, but they do not
provide for user interaction with the computer system. Time sharing (or multitasking) is a
logical extension of multiprogramming. In time-sharing systems, the CPU executes multiple
jobs by switching among them, but the switches occur so frequently that the users can
interact with each program while it is running.
Time sharing requires an interactive computer system, which provides direct communication
between the user and the system. The user gives instructions to the operating system or to a
program directly, using an input device such as a keyboard, mouse, touch pad, or touch
16

screen, and waits for immediate results on an output device. Accordingly, the response time
should be short—typically less than one second.
Characteristics of a Time-shared Operating System
1. A time-shared operating system allows many users to share the computer

simultaneously. Since each action or command in a time-shared system tends to be
short, only a little CPU time is needed for each user. As the system switches rapidly
from one user to the next, each user is given the impression that the entire computer
system is dedicated to his use, even though it is being shared among many users.
2. If several jobs are ready to be brought into memory, and if there is not enough room
for all of them, then the system must choose among them. Making this decision
involves job scheduling. When the operating system selects a job from the job pool, it
loads that job into memory for execution. Having several programs in memory at the
same time requires some form of memory management. In addition, if several jobs
are ready to run at the same time, the system must choose which job will run first.
Making this decision is CPU scheduling. Finally, running multiple jobs concurrently
requires that their ability to affect one another be limited in all phases of the operating
system, including process scheduling, disk storage, and memory management.
3. In a time-sharing system, the operating system must ensure reasonable response
time. This goal is sometimes accomplished through swapping, whereby processes are
swapped in and out of main memory to the disk. A more common method for ensuring
reasonable response time is virtual memory, a technique that allows the execution of
a process that is not completely in memory. The main advantage of the virtual-
memory scheme is that it enables users to run programs that are larger than actual
physical memory. Further, it abstracts main memory into a large, uniform array of
storage, separating logical memory as viewed by the user from physical memory. This
arrangement frees programmers from concern over memory-storage limitations.
4. A time-sharing system must also provide a file system. The file system resides on a
collection of disks; hence, disk management must be provided. In addition, a time-
sharing system provides a mechanism for protecting resources from inappropriate
use.
5. To ensure orderly execution, the system must provide mechanisms for job
synchronization and communication, and it may ensure that jobs do not get stuck in a
deadlock, forever waiting for one another.
PROTECTION AND SECURITY
If a computer system has multiple users and allows the concurrent execution of multiple
processes, then access to data must be regulated. For that purpose, mechanisms ensure that
files, memory segments, CPU, and other resources can be operated on by only those
processes that have gained proper authorization from the operating system. For example,
memory-addressing hardware ensures that a process can execute only within its own address
17

space. The timer ensures that no process can gain control of the CPU without eventually
relinquishing control. Device-control registers are not accessible to users, so the integrity of
the various peripheral devices is protected.
Protection and security require the system to be able to distinguish among all its users. Most
operating systems maintain a list of usernames and associated user identifiers (user IDs). In
Windows parlance, this is a security ID (SID). These numerical IDs are unique, one per user.
When a user logs in to the system, the authentication stage determines the appropriate user
ID for the user. That user ID is associated with all the user's processes and threads. When an
ID needs to be readable by a user, it is translated back to the username via the username list.
PROTECTION
The processes in an operating system must be protected from one another's activities. To
provide such protection, we can use various mechanisms to ensure that only processes that
have gained proper authorization from the operating system can operate on the files,
memory segments, CPU, and other resources of a system.
Protection refers to a mechanism for controlling the access of programs, processes, or users
to the resources defined by a computer system. This mechanism must provide a means for
specifying the controls to be imposed, together with a means of enforcement. We distinguish
between protection and security, which is a measure of confidence that the integrity of a
system and its data will be preserved.
GOALS OF PROTECTION
As computer systems have become more sophisticated and pervasive in their applications,
the need to protect their integrity has also grown. Protection was originally conceived as an
adjunct to multiprogramming operating systems, so that untrustworthy users might safely
share a common logical name space, such as a directory of files, or share a common physical
name space, such as memory. Modern protection concepts have evolved to increase the
reliability of any complex system that makes use of shared resources.
We need to provide protection for several reasons.
1. The need to prevent the mischievous, intentional violation of an access restriction by

a user.
2. The need to ensure that each program component active in a system uses system
resources only in ways consistent with stated policies. This requirement is an absolute
one for a reliable system.
3. Protection can improve reliability by detecting latent errors at the interfaces between
component subsystems. Early detection of interface errors can often prevent
contamination of a healthy subsystem by a malfunctioning subsystem.
18

4. Also, an unprotected resource cannot defend against use (or misuse) by an

unauthorized or incompetent user.
5. A protection-oriented system provides means to distinguish between authorized and
unauthorized usage.
6. The role of protection in a computer system is to provide a mechanism for the
enforcement of the policies governing resource use. These policies can be established
in a variety of ways. Some are fixed in the design of the system, while others are
formulated by the management of a system. Still others are defined by the individual
users to protect their own files and programs. A protection system must have the
flexibility to enforce a variety of policies.
PRINCIPLES OF PROTECTION
Access Control
Each file and directory are assigned an owner, a group, or possibly a list of users, and for each
of those entities, access-control information is assigned. A similar function can be added to
other aspects of a computer system.
This facility revolves around privileges. A privilege is the right to execute a system call or to
use an option within that system call (such as opening a file with write access). Privileges can
be assigned to processes, limiting them to exactly the access they need to perform their work.
Privileges and programs can also be assigned to roles. Users are assigned roles or can take
roles based on passwords to the roles. In this way, a user can take a role that enables a
privilege, allowing the user to run a program to accomplish a specific task. This
implementation of privileges decreases the security risk associated with superusers and
setuid programs.
A key, time-tested guiding principle for protection is the principle of least privilege. It dictates
that programs, users, and even systems be given just enough privileges to perform their tasks.
Consider the analogy of a security guard with a passkey. If this key allows the guard into just
the public areas that she guards, then misuse of the key will result in minimal damage. If,
however, the passkey allows access to all areas, then damage from its being lost, stolen,
misused, copied, or otherwise compromised will be much greater.
An operating system following the principle of least privilege implements its features,
programs, system calls, and data structures so that failure or compromise of a component
does the minimum damage and allows the minimum damage to be done. The overflow of a
buffer in a system daemon might cause the daemon process to fail, for example, but should
not allow the execution of code from the daemon process's stack that would enable a remote
user to gain maximum privileges and access to the entire system (as happens too often today).
19

Such an operating system also provides system calls and services that allow applications to
be written with fine-grained access controls. It provides mechanisms to enable privileges
when they are needed and to disable them when they are not needed. Also beneficial is the
creation of audit trails for all privileged function access. The audit trail allows the programmer,
system administrator, or law-enforcement officer to trace all protection and security activities
on the system.
Managing users with the principle of least privilege entails creating a separate account for
each user, with just the privileges that the user needs. An operator who needs to mount tapes
and back up files on the system has access to just those commands and files needed to
accomplish the job. Some systems implement role-based access control (RBAC) to provide
this functionality.
Domain of Protection
A computer system is a collection of processes and objects. By objects, we mean both

hardware objects (such as the CPU, memory segments, printers, disks, and tape drives) and
software objects (such as files, programs, and semaphores). Each object has a unique name
that differentiates it from all other objects in the system, and each can be accessed only
through well-defined and meaningful operations. Objects are essentially abstract data types.
The operations that are possible may depend on the object. For example, on a CPU, we can
only execute. Memory segments can be read and written, whereas a CD-ROM or DVD-ROM
can only be read. Tape drives can be read, written, and rewound. Data files can be created,
opened, read, written, closed, and deleted; program files can be read, written, executed, and
deleted.
A process should be allowed to access only those resources for which it has authorization.
Furthermore, at any time, a process should be able to access only those resources that it
currently requires to complete its task. This second requirement, commonly referred to as
the need-to-know principle, is useful in limiting the amount of damage a faulty process can
cause in the system. For example, when process p invokes procedure A(), the procedure
should be allowed to access only its own variables and the formal parameters passed to it; it
should not be able to access all the variables of process p. Similarly, consider the case in which
process p invokes a compiler to compile a particular file. The compiler should not be able to
access files arbitrarily but should have access only to a well-defined subset of files (such as
the source file, listing file, and so on) related to the file to be compiled. Conversely, the
compiler may have private files used for accounting or optimization purposes that process p
should not be able to access. The need-to-know principle is like the principle of least privilege
in that the goals of protection are to minimize the risks of possible security violations.
20

TOPIC: OPERATING SYSTEMS SECURITY MECHANISMS
SECURITY
Protection, is strictly an internal problem: How do we provide controlled access to programs

and data stored in a computer system? Security, on the other hand, requires not only an
adequate protection system but also consideration of the external environment within which
the system operates. A protection system is ineffective if user authentication is compromised,
or a program is run by an unauthorized user.
Computer resources must be guarded against unauthorized access, malicious destruction or

alteration, and accidental introduction of inconsistency. These resources include information
stored in the system (both data and code), as well as the CPU, memory, disks, tapes, and
networking that are the computer.
The Security Problem
In many applications, ensuring the security of the computer system is worth considerable
effort. Large commercial systems containing payroll or other financial data are inviting targets
to thieves. Systems that contain data pertaining to corporate operations may be of interest
to unscrupulous competitors. Furthermore, loss of such data, whether by accident or fraud,
can seriously impair the ability of the corporation to function.
We say that a system is secure if its resources are used and accessed as intended under all
circumstances. Unfortunately, total security cannot be achieved. Nonetheless, we must have
mechanisms to make security breaches a rare occurrence, rather than the norm.
Security violations (or misuse) of the system can be categorized as intentional (malicious) or
accidental. It is easier to protect against accidental misuse than against malicious misuse. For
the most part, protection mechanisms are the core of protection from accidents. The
following list includes several forms of accidental and malicious security violations. We should
note that in our discussion of security, we use the terms intruder and cracker for those
attempting to breach security. In addition, a threat is the potential for a security violation,
such as the discovery of a vulnerability, whereas an attack is the attempt to break security.
• Breach of confidentiality. This type of violation involves unauthorized reading of data

(or theft of information). Typically, a breach of confidentiality is the goal of an intruder.
Capturing secret data from a system or a data stream, such as credit-card information
or identity information for identity theft, can result directly in money for the intruder.
21

• Breach of integrity. This violation involves unauthorized modification of data. Such

attacks can, for example, result in passing of liability to an innocent party or
modification of the source code of an important commercial application.
• Breach of availability. This violation involves unauthorized destruction of data. Some
crackers would rather wreak havoc and gain status or bragging rights than gain
financially. Website defacement is a common example of this type of security breach.
• Theft of service. This violation involves unauthorized use of resources. For example,
an intruder (or intrusion program) may install a daemon on a system that acts as a file
server.
• Denial of service. This violation involves preventing legitimate use of the system.
Denial-of-service (DOS) attacks are sometimes accidental. The original Internet worm
turned into a DOS attack when a bug failed to delay its rapid spread.
Methods Attackers Use
Attackers use several standard methods in their attempts to breach security.
1. The most common is masquerading, in which one participant in a communication

pretends to be someone else (another host or another person). By masquerading,
attackers breach authentication, the correctness of identification; they can then gain
access that they would not normally be allowed or escalate their privileges—obtain
privileges to which they would not normally be entitled.
2. Another common attack is to replay a captured exchange of data. A replay attack
consists of the malicious or fraudulent repeat of a valid data transmission. Sometimes
the replay comprises the entire attack—for example, in a repeat of a request to
transfer money. But frequently it is done along with message modification, again to
escalate privileges. Consider the damage that could be done if a request for
authentication had a legitimate user's information replaced with an unauthorized
user’s.
3. Yet another kind of attack is the man-in-the-middle attack, in which an attacker sits in
the data flow of a communication, masquerading as the sender to the receiver, and
vice versa. In a network communication, a man-in-the-middle attack may be preceded
by a session hijacking, in which an active communication session is intercepted.
22

Figure showing Standard Security Attacks
To protect a system, we must take security measures at four levels:
1. Physical. The site or sites containing the computer systems must be physically secured
against armed or surreptitious entry by intruders. Both the machine rooms and the
terminals or workstations that have access to the machines must be secured.
2. Human. Authorization must be done carefully to assure that only appropriate users
have access to the system. Even authorized users, however, may be “encouraged” to
let others use their access (in exchange for a bribe, for example). They may also be
tricked into allowing access via social engineering. One type of social-engineering
attack is phishing. Here, a legitimate-looking e-mail or web page misleads a user into
entering confidential information. Another technique is dumpster diving, a general
term for attempting to gather information in order to gain unauthorized access to the
computer (by looking through trash, finding phone books, or finding notes containing
passwords, for example). These security problems are management and personnel
issues, not problems pertaining to operating systems.
3. Operating system. The system must protect itself from accidental or purposeful
security breaches. A runaway process could constitute an accidental denial-of-service
23

attack. A query to a service could reveal passwords. A stack overflow could allow the
launching of an unauthorized process. The list of possible breaches is almost endless.
4. Network. Much computer data in modern systems travels over private leased lines,
shared lines like the Internet, wireless connections, or dial-up lines. Intercepting these
data could be just as harmful as breaking into a computer, and interruption of
communications could constitute a remote denial-of-service attack, diminishing users'
use of and trust in the system.
Security at the first two levels must be maintained if operating-system security is to be

ensured. A weakness at a high level of security (physical or human) allows circumvention of
strict low-level (operating-system) security measures. Thus, the adage that a chain is only as
strong as its weakest link is especially true of system security. All these aspects must be
addressed for security to be maintained.
Furthermore, the system must provide protection to allow the implementation of security
features. Without the ability to authorize users and processes, to control their access, and to
log their activities, it would be impossible for an operating system to implement security
measures or to run securely. Hardware protection features are needed to support an overall
protection scheme. For example, a system without memory protection cannot be secure. New
hardware features are allowing systems to be made more secure, as we shall discuss.
TYPES OF SECURITY THREATS
I. PROGRAM THREATS
Processes, along with the kernel, are the only means of accomplishing work on a computer.
Therefore, writing a program that creates a breach of security, or causing a normal process
to change its behaviour and create a breach, is a common goal of crackers. In fact, even most
nonprogram security events have as their goal causing a program threat. For example, while
it is useful to log in to a system without authorization, it is quite a lot more useful to leave
behind a back-door daemon that provides information or allows easy access even if the
original exploit is blocked. In this section, we describe common methods by which programs
cause security breaches. Note that there is considerable variation in the naming conventions
for security holes and that we use the most common or descriptive terms.
a) Trojan Horse
Many systems have mechanisms for allowing programs written by users to be executed by
other users. If these programs are executed in a domain that provides the access rights of the
executing user, the other users may misuse these rights. A text-editor program, for example,
may include code to search the file to be edited for certain keywords. If any are found, the
24

entire file may be copied to a special area accessible to the creator of the text editor. A code
segment that misuses its environment is called a Trojan horse. Long search paths, such as are
common on UNIX systems, exacerbate the Trojan-horse problem. The search path lists the
set of directories to search when an ambiguous program name is given. The path is searched
for a file of that name, and the file is executed. All the directories in such a search path must
be secure, or a Trojan horse could be slipped into the user's path and executed accidentally.
b) Trap Door
The designer of a program or system might leave a hole in the software that only she can use.
This type of security breach (or trap door) was shown in the movie War Games. For instance,
the code might check for a specific user ID or password, and it might circumvent normal
security procedures. Programmers have been arrested for embezzling from banks by
including rounding errors in their code and having the occasional half-cent credited to their
accounts. This account crediting can add up to a large amount of money, considering the
number of transactions that a large bank executes.
c) Logic Bomb
Consider a program that initiates a security incident only under certain circumstances. It
would be hard to detect because under normal operations, there would be no security hole.
However, when a predefined set of parameters was met, the security hole would be created.
This scenario is known as a logic bomb. A programmer, for example, might write code to
detect whether he was still employed; if that check failed, a daemon could be spawned to
allow remote access, or code could be launched to cause damage to the site.
d) Stack and Buffer Overflow
The stack- or buffer-overflow attack is the most common way for an attacker outside the
system, on a network or dial-up connection, to gain unauthorized access to the target system.
An authorized user of the system may also use this exploit for privilege escalation.
Essentially, the attack exploits a bug in a program. The bug can be a simple case of poor
programming, in which the programmer neglected to code bounds checking on an input field.
In this case, the attacker sends more data than the program was expecting. By using trial and
error, or by examining the source code of the attacked program if it is available, the attacker
determines the vulnerability and writes a program to do the following:
i. Overflow an input field, command-line argument, or input buffer—for example, on a

network daemon—until it writes into the stack.
25

ii. Overwrite the current return address on the stack with the address of the exploit code
loaded in step 3.
iii. Write a simple set of code for the next space in the stack that includes the commands
that the attacker wishes to execute—for instance, spawn a shell.
The result of this attack program's execution will be a root shell or other privileged command
execution.
For instance, if a web-page form expects a username to be entered into a field, the attacker
could send the username, plus extra characters to overflow the buffer and reach the stack,
plus a new return address to load onto the stack, plus the code the attacker wants to run.
When the buffer-reading subroutine returns from execution, the return address is the exploit
code, and the code is run.
e) Viruses
Another form of program threat is a virus. A virus is a fragment of code embedded in a

legitimate program. Viruses are self-replicating and are designed to “infect” other programs.
They can wreak havoc in a system by modifying or destroying files and causing system crashes
and program malfunctions. As with most penetration attacks, viruses are very specific to
architectures, operating systems, and applications. Viruses are a particular problem for users
of PCs. UNIX and other multiuser operating systems generally are not susceptible to viruses
because the executable programs are protected from writing by the operating system. Even
if a virus does infect such a program, its powers usually are limited because other aspects of
the system are protected.
Viruses are usually borne via e-mail, with spam the most common vector. They can also
spread when users download viral programs from Internet file-sharing services or exchange
infected disks.
Another common form of virus transmission uses Microsoft Office files, such as Microsoft
Word documents. These documents can contain macros (or Visual Basic programs) that
programs in the Office suite (Word, PowerPoint, and Excel) will execute automatically.
Because these programs run under the user's own account, the macros can run largely
unconstrained (for example, deleting user files at will). Commonly, the virus will also e-mail
itself to others in the user's contact list.
HOW DO VIRUSES WORK?
Once a virus reaches a target machine, a program known as a virus dropper inserts the virus
into the system. The virus dropper is usually a Trojan horse, executed for other reasons but
26

installing the virus as its core activity. Once installed, the virus may do any one of several
things. There are literally thousands of viruses, but they fall into several main categories. Note
that many viruses belong to more than one category.
a) File. A standard file virus infects a system by appending itself to a file. It changes the
start of the program so that execution jumps to its code. After it executes, it returns
control to the program so that its execution is not noticed. File viruses are sometimes
known as parasitic viruses, as they leave no full files behind and leave the host
program still functional.
b) Boot. A boot virus infects the boot sector of the system, executing every time the
system is booted and before the operating system is loaded. It watches for other
bootable media and infects them. These viruses are also known as memory viruses
because they do not appear in the file system. Figure 15.5 shows how a boot virus
works.
c) Macro. Most viruses are written in a low-level language, such as assembly or C. Macro
viruses are written in a high-level language, such as Visual Basic. These viruses are
triggered when a program capable of executing the macro is run. For example, a macro
virus could be contained in a spreadsheet file.
d) Source code. A source code virus looks for source code and modifies it to include the
virus and to help spread the virus.
Figure showing a boot-sector computer virus
27

• Polymorphic. A polymorphic virus changes each time it is installed to avoid detection

by antivirus software. The changes do not affect the virus's functionality but rather
change the virus's signature. A virus signature is a pattern that can be used to identify
a virus, typically a series of bytes that make up the virus code.
• Encrypted. An encrypted virus includes decryption code along with the encrypted
virus, again to avoid detection. The virus first decrypts and then executes.
• Stealth. This tricky virus attempts to avoid detection by modifying parts of the system
that could be used to detect it. For example, it could modify the read system call so
that if the file it has modified is read, the original form of the code is returned rather
than the infected code.
• Tunneling. This virus attempts to bypass detection by an antivirus scanner by installing
itself in the interrupt-handler chain. Similar viruses install themselves in device drivers.
• Multipartite. A virus of this type can infect multiple parts of a system, including boot
sectors, memory, and files. This makes it difficult to detect and contain.
• Armoured. An armoured virus is coded to make it hard for antivirus researchers to
unravel and understand. It can also be compressed to avoid detection and
disinfection. In addition, virus droppers and other full files that are part of a virus
infestation are frequently hidden via file attributes or unviewable file names.
II. SYSTEM AND NETWORK THREATS
Program threats typically use a breakdown in the protection mechanisms of a system to

attack programs. In contrast, system and network threats involve the abuse of services and
network connections. System and network threats create a situation in which operating-
system resources and user files are misused. Sometimes, a system and network attack is used
to launch a program attack, and vice versa.
The more open an operating system is—the more services it has enabled and the more
functions it allows—the more likely it is that a bug is available to exploit. Increasingly,
operating systems strive to be secure by default. For example, Solaris 10 moved from a model
in which many services (FTP, telnet, and others) were enabled by default when the system
was installed to a model in which almost all services are disabled at installation time and must
specifically be enabled by system administrators. Such changes reduce the system's attack
surface—the set of ways in which an attacker can try to break into the system.
a) Port Scanning
Port scanning is not an attack but rather a means for a cracker to detect a system's
vulnerabilities to attack. Port scanning typically is automated, involving a tool that attempts
to create a TCP/IP connection to a specific port or a range of ports. For example, suppose
there is a known vulnerability (or bug) in sendmail. A cracker could launch a port scanner to
28

try to connect, say, to port 25 of a particular system or to a range of systems. If the connection
was successful, the cracker (or tool) could attempt to communicate with the answering
service to determine if the service was indeed sendmail and, if so, if it was the version with
the bug.
Because port scans are detectable, they frequently are launched from zombie systems. Such
systems are previously compromised, independent systems that are serving their owners
while being used for nefarious purposes, including denial-of-service attacks and spam relay.
Zombies make crackers particularly difficult to prosecute because determining the source of
the attack and the person that launched it is challenging. This is one of many reasons for
securing “inconsequential” systems, not just systems containing “valuable” information or
services.
b) Denial of Service
As mentioned earlier, denial-of-service attacks are aimed not at gaining information or

stealing resources but rather at disrupting legitimate use of a system or facility. Most such
attacks involve systems that the attacker has not penetrated. Launching an attack that
prevents legitimate use is frequently easier than breaking into a machine or facility.
Denial-of-service attacks are generally network based. They fall into two categories. Attacks
in the first category use so many facility resources that, in essence, no useful work can be
done. For example, a website click could download a Java applet that proceeds to use all
available CPU time or to pop up windows infinitely. The second category involves disrupting
the network of the facility. There have been several successful denial-of-service attacks of this
kind against major websites. These attacks result from abuse of some of the fundamental
functionality of TCP/IP. For instance, if the attacker sends the part of the protocol that says “I
want to start a TCP connection,” but never follows with the standard “The connection is now
complete,” the result can be partially started TCP sessions. If enough of these sessions are
launched, they can eat up all the network resources of the system, disabling any further
legitimate TCP connections. Such attacks, which can last hours or days, have caused partial or
full failure of attempts to use the target facility. The attacks are usually stopped at the
network level until the operating systems can be updated to reduce their vulnerability.
Generally, it is impossible to prevent denial-of-service attacks. The attacks use the same
mechanisms as normal operation. Even more difficult to prevent and resolve are distributed
denial-of-service (DDOS) attacks. These attacks are launched from multiple sites at once,
toward a common target, typically by zombies. DDOS attacks have become more common
and are sometimes associated with blackmail attempts. A site comes under attack, and the
attackers offer to halt the attack in exchange for money.
29

III. CRYPTOGRAPHY AS A SECURITY TOOL
There are many defences against computer attacks, running the gamut from methodology to
technology. The broadest tool available to system designers and users is cryptography.
It is generally considered infeasible to build a network of any scale in which the source and
destination addresses of packets can be trusted in this sense. Therefore, the only alternative
is somehow to eliminate the need to trust the network. This is the job of cryptography.
Abstractly, cryptography is used to constrain the potential senders and/or receivers of a
message. Modern cryptography is based on secrets called keys that are selectively distributed
to computers in a network and used to process messages. Cryptography enables a recipient
of a message to verify that the message was created by some computer possessing a certain
key. Similarly, a sender can encode its message so that only a computer with a certain key can
decode the message. Unlike network addresses, however, keys are designed so that it is not
computationally feasible to derive them from the messages they were used to generate or
from any other public information. Thus, they provide a much more trustworthy means of
constraining senders and receivers of messages.
IV. USER AUTHENTICATION
If a system cannot authenticate a user, then authenticating that a message came from that
user is pointless. Thus, a major security problem for operating systems is user authentication.
The protection system depends on the ability to identify the programs and processes
currently executing, which in turn depends on the ability to identify each user of the system.
Users normally identify themselves. How do we determine whether a user's identity is
authentic? Generally, user authentication is based on one or more of three things: the user's
possession of something (a key or card), the user's knowledge of something (a user identifier
and password), or an attribute of the user (fingerprint, retina pattern, or signature).
a) Passwords
The most common approach to authenticating a user identity is the use of passwords. When
the user identifies herself by user ID or account name, she is asked for a password. If the user-
supplied password matches the password stored in the system, the system assumes that the
account is being accessed by the owner of that account.
Passwords are often used to protect objects in the computer system, in the absence of more
complete protection schemes. They can be considered a special case of either keys or
capabilities. For instance, a password may be associated with each resource (such as a file).
Whenever a request is made to use the resource, the password must be given. If the password
is correct, access is granted. Different passwords may be associated with different access
30

rights. For example, different passwords may be used for reading files, appending files, and
updating files.
Passwords are extremely common because they are easy to understand and use.
Unfortunately, passwords can often be guessed, accidentally exposed, sniffed (read by an
eavesdropper), or illegally transferred from an authorized user to an unauthorized one.
i. One-time passwords
To avoid the problems of password sniffing and shoulder surfing, a system can use a set of
paired passwords. When a session begins, the system randomly selects and presents one part
of a password pair; the user must supply the other part. In this system, the user is challenged
and must respond with the correct answer to that challenge.
This approach can be generalized to the use of an algorithm as a password. Such algorithmic
passwords are not susceptible to reuse. That is, a user can type in a password, and no entity
intercepting that password will be able to reuse it. In this scheme, the system and the user
share a symmetric password. The password pw is never transmitted over a medium that
allows exposure. Rather, the password is used as input to the function, along with a challenge
ch presented by the system. The user then computes the function H(pw, ch). The result of this
function is transmitted as the authenticator to the computer. Because the computer also
knows pw and ch, it can perform the same computation. If the results match, the user is
authenticated. The next time the user needs to be authenticated, another ch is generated,
and the same steps ensue. This time, the authenticator is different. This one-time password
system is one of only a few ways to prevent improper authentication due to password
exposure.
ii. Biometrics
Yet another variation on the use of passwords for authentication involves the use of biometric
measures. Palm- or hand-readers are commonly used to secure physical access—for example,
access to a data centre. These readers match stored parameters against what is being read
from hand-reader pads. The parameters can include a temperature map, as well as finger
length, finger width, and line patterns. These devices are currently too large and expensive to
be used for normal computer authentication.
V. IMPLEMENTING SECURITY DEFENSES
Just as there are myriad threats to system and network security, there are many security
solutions. The solutions range from improved user education, through technology, to writing
31

bug-free software. Most security professionals subscribe to the theory of defence in depth,
which states that more layers of defence are better than fewer layers.
a) Security Policy
The first step toward improving the security of any aspect of computing is to have a security
policy. Policies vary widely but generally include a statement of what is being secured. For
example, a policy might state that all outside-accessible applications must have a code review
before being deployed, or that users should not share their passwords, or that all connection
points between a company and the outside must have port scans run every six months.
Without a policy in place, it is impossible for users and administrators to know what is
permissible, what is required, and what is not allowed. The policy is a road map to security,
and if a site is trying to move from less secure to more secure, it needs a map to know how
to get there.
Once the security policy is in place, the people it affects should know it well. It should be their
guide. The policy should also be a living document that is reviewed and updated periodically
to ensure that it is still pertinent and still followed.
b) Vulnerability Assessment
How can we determine whether a security policy has been correctly implemented? The best
way is to execute a vulnerability assessment. Such assessments can cover broad ground, from
social engineering through risk assessment to port scans. Risk assessment, for example,
attempts to value the assets of the entity in question (a program, a management team, a
system, or a facility) and determine the odds that a security incident will affect the entity and
decrease its value. When the odds of suffering a loss and the amount of the potential loss are
known, a value can be placed on trying to secure the entity.
The core activity of most vulnerability assessments is a penetration test, in which the entity
is scanned for known vulnerabilities.
c) Intrusion Detection
Securing systems and facilities is intimately linked to intrusion detection. Intrusion detection,
as its name suggests, strives to detect attempted or successful intrusions into computer
systems and to initiate appropriate responses to the intrusions.
There are a wide range of solutions, known as intrusion-detection systems (IDSs) and
intrusion-prevention systems (IDPs). IDS systems raise an alarm when an intrusion is
32

detected, while IDP systems act as routers, passing traffic unless an intrusion is detected (at
which point that traffic is blocked).
What constitutes an intrusion? Defining a suitable specification of intrusion turns out to be

quite difficult, and thus automatic IDSs and IDPs today typically settle for one of two less
ambitious approaches. In the first, called signature-based detection, system input or network
traffic is examined for specific behaviour patterns (or signatures) known to indicate attacks.
A simple example of signature-based detection is scanning network packets for the string
/etc/passwd/ targeted for a UNIX system. Another example is virus-detection software, which
scans binaries or network packets for known viruses.
The second approach, typically called anomaly detection, attempts through various
techniques to detect anomalous behaviour within computer systems. Of course, not all
anomalous system activity indicates an intrusion, but the presumption is that intrusions often
induce anomalous behaviour. An example of anomaly detection is monitoring system calls of
a daemon process to detect whether the system-call behaviour deviates from normal
patterns, possibly indicating that a buffer overflow has been exploited in the daemon to
corrupt its behaviour. Another example is monitoring shell commands to detect anomalous
commands for a given user or detecting an anomalous login time for a user, either of which
may indicate that an attacker has succeeded in gaining access to that user's account.
d) Virus Protection
Protection from viruses thus is an important security concern. Antivirus programs are often
used to provide this protection. Some of these programs are effective against only particular
known viruses. They work by searching all the programs on a system for the specific pattern
of instructions known to make up the virus. When they find a known pattern, they remove
the instructions, disinfecting the program. Antivirus programs may have catalogs of
thousands of viruses for which they search.
Both viruses and antivirus software continue to become more sophisticated. Some viruses
modify themselves as they infect other software to avoid the basic pattern-match approach
of antivirus programs. Antivirus programs in turn now look for families of patterns rather than
a single pattern to identify a virus. In fact, some antivirus programs implement a variety of
detection algorithms. They can decompress compressed viruses before checking for a
signature. Some also look for process anomalies. A process opening an executable file for
writing is suspicious, for example, unless it is a compiler. Another popular technique is to run
a program in a sandbox, which is a controlled or emulated section of the system. The antivirus
software analyses the behaviour of the code in the sandbox before letting it run unmonitored.
Some antivirus programs also put up a complete shield rather than just scanning files within
33

a file system. They search boot sectors, memory, inbound and outbound e-mail, files as they
are downloaded, files on removable devices or media, and so on.
The best protection against computer viruses is prevention, or the practice of safe computing.
Purchasing unopened software from vendors and avoiding free or pirated copies from public
sources or disk exchange offer the safest route to preventing infection. However, even new
copies of legitimate software applications are not immune to virus infection: in a few cases,
disgruntled employees of a software company have infected the master copies of software
programs to do economic harm to the company. For macro viruses, one defence is to
exchange Microsoft Word documents in an alternative file format called rich text format
(RTF). Unlike the native Word format, RTF does not include the capability to attach macros.
Another defence is to avoid opening any e-mail attachments from unknown users.
Unfortunately, history has shown that e-mail vulnerabilities appear as fast as they are fixed.
For example, in 2000, the love bug virus became very widespread by traveling in e-mail
messages that pretended to be love notes sent by friends of the receivers. Once a receiver
opened the attached Visual Basic script, the virus propagated by sending itself to the first
addresses in the receiver's e-mail contact list. Fortunately, except for clogging e-mail systems
and users' inboxes, it was relatively harmless. It did, however, effectively negate the defensive
strategy of opening attachments only from people known to the receiver. A more effective
defence method is to avoid opening any e-mail attachment that contains executable code.
Some companies now enforce this as policy by removing all incoming attachments to e-mail
messages.
e) Auditing, Accounting, And Logging
Auditing, accounting, and logging can decrease system performance, but they are useful in
several areas, including security. Logging can be general or specific. All system-call executions
can be logged for analysis of program behaviour (or misbehaviour). More typically, suspicious
events are logged. Authentication failures and authorization failures can tell us quite a lot
about break-in attempts.
Accounting is another potential tool in a security administrator's kit. It can be used to find
performance changes, which in turn can reveal security problems. One of the early UNIX
computer break-ins was detected by Cliff Stoll when he was examining accounting logs and
spotted an anomaly.
34

EXERCISES
1. Give 5 reasons why we need to protect a system.

2. The principles of need-to-know and least privilege are used in protecting operating
systems mechanisms, kindly explain extensively.
3. Differentiate between protection and security of operating system mechanisms.
4. List and explain the 5 forms of accidental and malicious security violations.
5. List and explain 3 common methods attackers use.
6. To protect a system, we must take security measures at four levels. Explain.
7. What are program threats? Mention 5 examples and describe 2 extensively.
8. How do viruses work?
9. List and describe 2 systems network threats.
10. List the 5 methods of implementing security defences. Explain 3 extensively.
35

RECOMMENDED TEXT
(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide, 9th
Edition (2021), Mike Chapple; James Michael Stewart; Darril Gibson; ISBN: 978-1-119-
78623-8
Operating System Concepts, 9th Edition (2012), Abraham Silberschatz; Peter B. Galvin; Greg
Gagne, Wiley
OWASP. Application Threat Modeling | OWASP. Owasp.org. Retrieved 24 April 2021, from
https://owasp.org/www-community/Application_Threat_Modeling.
Rosencrance, L. (2021). What is the Principle of Least Privilege (POLP)?. SearchSecurity.
Retrieved 24 April 2021, from
https://searchsecurity.techtarget.com/definition/principle-of-least-privilege-POLP.
36

1 Operating Systems Concept

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

1 Operating Systems Concept

Uploaded by

Copyright:

Available Formats

Airforce Institute of Technology FACULTY OF COMPUTING

Kaduna, Kaduna State DEPARTMENT OF CYBER SECURITY

CYB 201: FUNDAMENTALS OF CYBER SECURITY II – LECTURE NOTES

TOPIC: COURSE INTRODUCTION – OVERVIEW OF CYBERSECURITY TERMINOLOGIES &

CYB 201: FUNDAMENTALS OF CYBER SECURITY II – LECTURE NOTES

• attack method Definition: A property achieved through

CYB 201: FUNDAMENTALS OF CYBER SECURITY II – LECTURE NOTES

CYB 201: FUNDAMENTALS OF CYBER SECURITY II – LECTURE NOTES

CYB 201: FUNDAMENTALS OF CYBER SECURITY II – LECTURE NOTES

• cyberspace Definition: The process or techniques used to

CYB 201: FUNDAMENTALS OF CYBER SECURITY II – LECTURE NOTES

CYB 201: FUNDAMENTALS OF CYBER SECURITY II – LECTURE NOTES

CYB 201: FUNDAMENTALS OF CYBER SECURITY II – LECTURE NOTES

CYB 201: FUNDAMENTALS OF CYBER SECURITY II – LECTURE NOTES

CYB 201: FUNDAMENTALS OF CYBER SECURITY II – LECTURE NOTES

CYB 201: FUNDAMENTALS OF CYBER SECURITY II – LECTURE NOTES

CYB 201: FUNDAMENTALS OF CYBER SECURITY II – LECTURE NOTES

CYB 201: FUNDAMENTALS OF CYBER SECURITY II – LECTURE NOTES

CYB 201: FUNDAMENTALS OF CYBER SECURITY II – LECTURE NOTES

CYB 201: FUNDAMENTALS OF CYBER SECURITY II – LECTURE NOTES

Definition: A computer program that can replicate Letter: W

CYB 201: FUNDAMENTALS OF CYBER SECURITY II – LECTURE NOTES

TOPIC: OPERATING SYSTEMS PROTECTION MECHANISMS

Multiprogrammed systems provide an environment in which the various system resources

CYB 201: FUNDAMENTALS OF CYBER SECURITY II – LECTURE NOTES

Characteristics of a Time-shared Operating System

1. A time-shared operating system allows many users to share the computer

PROTECTION AND SECURITY

CYB 201: FUNDAMENTALS OF CYBER SECURITY II – LECTURE NOTES

We need to provide protection for several reasons.

1. The need to prevent the mischievous, intentional violation of an access restriction by

CYB 201: FUNDAMENTALS OF CYBER SECURITY II – LECTURE NOTES

4. Also, an unprotected resource cannot defend against use (or misuse) by an

CYB 201: FUNDAMENTALS OF CYBER SECURITY II – LECTURE NOTES

A computer system is a collection of processes and objects. By objects, we mean both

CYB 201: FUNDAMENTALS OF CYBER SECURITY II – LECTURE NOTES

TOPIC: OPERATING SYSTEMS SECURITY MECHANISMS

Protection, is strictly an internal problem: How do we provide controlled access to programs

Computer resources must be guarded against unauthorized access, malicious destruction or

The Security Problem

• Breach of confidentiality. This type of violation involves unauthorized reading of data

CYB 201: FUNDAMENTALS OF CYBER SECURITY II – LECTURE NOTES

• Breach of integrity. This violation involves unauthorized modification of data. Such

Methods Attackers Use

Attackers use several standard methods in their attempts to breach security.

1. The most common is masquerading, in which one participant in a communication

CYB 201: FUNDAMENTALS OF CYBER SECURITY II – LECTURE NOTES

Figure showing Standard Security Attacks

To protect a system, we must take security measures at four levels:

CYB 201: FUNDAMENTALS OF CYBER SECURITY II – LECTURE NOTES

Security at the first two levels must be maintained if operating-system security is to be

TYPES OF SECURITY THREATS

CYB 201: FUNDAMENTALS OF CYBER SECURITY II – LECTURE NOTES

d) Stack and Buffer Overflow

i. Overflow an input field, command-line argument, or input buffer—for example, on a

CYB 201: FUNDAMENTALS OF CYBER SECURITY II – LECTURE NOTES

Another form of program threat is a virus. A virus is a fragment of code embedded in a

HOW DO VIRUSES WORK?

CYB 201: FUNDAMENTALS OF CYBER SECURITY II – LECTURE NOTES

Figure showing a boot-sector computer virus

CYB 201: FUNDAMENTALS OF CYBER SECURITY II – LECTURE NOTES

• Polymorphic. A polymorphic virus changes each time it is installed to avoid detection

II. SYSTEM AND NETWORK THREATS