
Chapter One

1. INTRODUCTION
1.1 Basic Concepts of Computer Security
In this chapter we discuss the concepts of computer security, its objectives, the mechanisms for
controlling security objectives, the goals of computer security mechanisms, computer security
vulnerabilities, countermeasures and risk.
What is Security?
In general, security is “the quality or state of being secure--to be free from danger.” It means to
be protected from adversaries--from those who would do harm, intentionally or otherwise.
What is Computer Security?
Computer security is the process of protecting the value of the assets of an information system's
resources, such as hardware, software, firmware, information, people, servers, mobile devices,
network infrastructure, websites, etc., from any unauthorized use, in order to achieve the
objectives of computer security. Unauthorized use can be access, theft, corruption, disclosure,
modification, disruption, destruction, or recording of the value of assets of an information
system's resources. The term "value of assets of information system resources" is used to describe
any object that has value to the organization. An asset can be logical or physical.
Logical Assets can be:
• Information (databases, Web site, software files, data files, communication, intellectual
property, agreements and contracts, research results, training materials, audit results,
operational instructions, etc.)
Physical Assets can be: a person, computer system hardware, or other tangible object.

Computer Security _ Compiled – Zufan W. OBU- - 2016 _E.C
1.2 Basic Objectives of Computer Security
There are three fundamental objectives of computer security: Confidentiality, Integrity and
Availability. The ultimate goal of the computer security process is to protect these three
unique attributes of computer security (the CIA triad).

Figure 1:1 The Computer Security objectives /CIA triad

Confidentiality: refers to the value of assets of information system resources being protected
from unauthorized access or operations. Information system resources should only be accessed by
authorized subjects. Confidentiality models are primarily intended to ensure that no unauthorized
user's access to information system resources is permitted. The term confidentiality covers two
related concepts: data confidentiality and privacy.
Data confidentiality: Assures that private or confidential information is not made available,
released or disclosed to unauthorized individuals.
Privacy: Assures that individuals control or influence what information related to them may be
collected and stored, and by whom and to whom that information may be disclosed. The term
privacy is often used when the data to be protected refer to individuals. Common confidentiality
controls are encryption, access control, user IDs and passwords.

Example: Enciphering an income tax return will prevent anyone from reading it. If the owner
needs to see the return, it must be deciphered. However, if someone else can read it when it is
entered into the program, the confidentiality of the tax return has been compromised.
Integrity: refers to the protection of information from unauthorized modification; information
must not be corrupted or degraded. Integrity is an assurance that data cannot be modified
without authorization, and it ensures that the message as sent is exactly the same message that
was received. The term integrity covers two related concepts: data integrity and system integrity.
Data integrity: Assures that information and programs are changed only in a specified and
authorized manner.
System integrity: Assures that a system performs its intended function in an unaffected or
unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
Common integrity controls are cryptographic integrity checks, encryption, access control,
perimeter defense and audit. E.g.: Integrity is violated when an unauthorized employee is able to
modify his own salary in a payroll database.
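The payroll case above can be made concrete with a cryptographic integrity check. The following is an added example, not part of the original notes: it tags each payroll row with an HMAC-SHA256 and reports rows whose contents no longer match their tag. The key, field names and records are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed key for this example. In practice it is held outside the
# payroll database, so someone who can edit a row cannot recompute its tag.
INTEGRITY_KEY = b"example-only-integrity-key"


def tag_record(record, key=INTEGRITY_KEY):
    """Return an HMAC-SHA256 tag over a canonical encoding of one record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_record(record, stored_tag, key=INTEGRITY_KEY):
    """True when the record still matches the tag made at authorized write time."""
    return hmac.compare_digest(tag_record(record, key), stored_tag)


def find_modified(rows, key=INTEGRITY_KEY):
    """Return the emp_id of every row whose contents no longer match its tag."""
    return [rec["emp_id"] for rec, tag in rows if not verify_record(rec, tag, key)]


def build_sample_payroll():
    """Constructed payroll table: (record, tag) pairs written by an authorized process."""
    records = [
        {"emp_id": 101, "name": "Employee A", "salary": 12000},
        {"emp_id": 102, "name": "Employee B", "salary": 15000},
        {"emp_id": 103, "name": "Employee C", "salary": 9000},
    ]
    rows = [(dict(r), tag_record(r)) for r in records]
    # Unauthorized change: employee 102 edits the salary column directly.
    # Without the key, the stored tag cannot be updated to match.
    rows[1][0]["salary"] = 95000
    return rows


if __name__ == "__main__":
    print("Rows failing the integrity check:", find_modified(build_sample_payroll()))
```

The check detects the modification; it does not prevent it. Prevention is the job of access control on the table itself.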
Availability: ensures that access to information/resources is not denied and/or delayed to
authorized (legitimate) subjects. Information must be kept available to authorized persons when
they need it. Availability does not imply that the information is accessible to any user; rather,
it means availability to authorized users. High availability systems aim to remain available at
all times, preventing service disruptions due to power outages, hardware failures, and system
upgrades. So, availability models keep data and resources available for authorized use, especially
during emergencies or disasters. Availability models usually address three common challenges:
denial of service (DoS) due to intentional attacks; loss of information system capabilities
because of natural disasters (fires, floods, storms, or earthquakes) or human actions (bombs or
strikes); and equipment failures during normal use. Common availability controls are
redundancy of resources, traffic filtering and incident recovery. E.g.: the prevention of
authorized access to resources or the delaying of operations; disruptions of services due to power
outages, hardware failures, and system upgrades.
1.3 Computer Security Threats, Vulnerabilities, Controls Mechanism and Risk
Computer security threats are anything that has the potential to cause harm to the value of assets
of information system resources. An attack, on the other hand, derives from an intelligent threat:
it is an intelligent act that is a careful attempt to violate the security policy of a system. A
security policy is a statement of what is, and what is not, allowed by users of a system. A
security mechanism is a method, tool, or procedure for enforcing a security policy.
N.B: Threats and attacks are covered in more detail in Chapter 2; security policy and mechanisms in Chapter 5.
1.3.1 Goals of Computer Security Strategies Mechanisms
Given a security policy's specification of "secure" and "non-secure" actions, security
mechanism strategies can prevent the attack, detect the attack, or recover from the attack.
• Prevention: take measures to prevent the damage; it means that an attack will fail, e.g.,
passwords to prevent unauthorized users.
• Detection: if an attack cannot be prevented, the when, how and who of the attack have to be
identified, e.g., when a user enters a password three times.
• Recovery/Reaction: take measures to recover from the damage, e.g., restore deleted files
from backup; sometimes retaliation (attacking the attacker's system or taking legal
actions to hold the attacker accountable).
These three computer security strategy mechanisms may be used together or separately.
Example 1: Protecting valuable items at home from a burglar/thief/robber/criminal
• Prevention: locks on the door, guards, hidden places, etc.
• Detection: burglar alarm, Closed Circuit Television (CCTV), etc.
• Recovery: calling the police, replacing the stolen item, etc.
Example 2: Protecting against a fraudster using our credit card in an Internet purchase.
• Prevention: Encrypt when placing an order, perform some check before placing an order, or
don't use a credit card on the Internet.
• Detection: A transaction that you had not authorized appears on your credit card statement.
• Recovery: Ask for a new card; recover the cost of the transaction from insurance, the card
issuer or the merchant.
Some Security Controls
Authentication: Authentication is a process/mechanism for identifying a subject based on what
you know, what you have or who you are.
Authentication (Password, Card, Biometrics)

(What we know, have, are!)


• Authentication is the binding of an identity to a subject. An entity must provide information
to enable the system to confirm its identity. This information comes from one (or more) of
the following:
  • What the entity knows (such as passwords or secret information)
  • What the entity has (such as a badge or card)
  • What the entity is (such as fingerprints or retinal characteristics - biometrics)
N.B: Encryption (detail in chapter 3)
Non-repudiation: the sender may not later deny having processed the data, or the originator of a
message or transaction may not later deny the action.
Authorization: a mechanism for identifying an individual's access privileges, which are granted
after the individual has been authenticated. It asks, "What are you allowed to do?"
Accounting: a process of ensuring that an entity's action is traceable uniquely to that entity. It
wants to know, "What did you do?"
Auditing: Auditing is the process of analysing systems to determine what actions took place and
who performed them. It is the analysis of log records to present information about the system in a
clear and understandable manner. Logging is the basis for most auditing; logging is the
recording of events or statistics to provide information about system use and performance. Other
security controls are administrative procedures, standards and laws, certifications, and physical
security.
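The detection rule from section 1.3.1 (a password entered three times) and the accounting and auditing controls above can be shown together. The following is an added example, not part of the original notes: it analyses log records to report which account hit three consecutive failed logins, when and from where, and builds a per-account trail of actions. The log format, event names and addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit log (format assumed for this example):
# timestamp, account, source address, event
SAMPLE_LOG = """\
2024-03-01T08:00:01 alice 192.0.2.5 LOGIN_OK
2024-03-01T08:02:10 bob 192.0.2.9 LOGIN_FAIL
2024-03-01T08:02:15 bob 192.0.2.9 LOGIN_FAIL
2024-03-01T08:02:20 alice 192.0.2.5 FILE_READ
2024-03-01T08:02:31 bob 192.0.2.9 LOGIN_FAIL
2024-03-01T08:05:00 carol 192.0.2.7 LOGIN_FAIL
2024-03-01T08:05:09 carol 192.0.2.7 LOGIN_OK
2024-03-01T08:06:00 carol 192.0.2.7 FILE_WRITE
"""

FAILED_LOGIN_THRESHOLD = 3  # the "password entered three times" rule


def audit(log_text, threshold=FAILED_LOGIN_THRESHOLD):
    """Return (alerts, actions): detection results and a per-account action trail."""
    streak = defaultdict(list)   # account -> consecutive failed logins
    actions = defaultdict(list)  # accounting: "What did you do?"
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, source, event = line.split()
        when = datetime.fromisoformat(ts)
        actions[account].append((when, event))
        if event == "LOGIN_FAIL":
            streak[account].append((when, source))
            if len(streak[account]) == threshold:
                alerts.append({
                    "who": account,  # the account the attempts were made against
                    "first": streak[account][0][0],
                    "last": when,
                    "sources": sorted({src for _, src in streak[account]}),
                })
        elif event == "LOGIN_OK":
            streak[account].clear()  # a successful login ends the streak
    return alerts, dict(actions)


if __name__ == "__main__":
    alerts, actions = audit(SAMPLE_LOG)
    for a in alerts:
        print(f"ALERT {a['who']}: {FAILED_LOGIN_THRESHOLD} failed logins "
              f"{a['first']} to {a['last']} from {a['sources']}")
    for account, trail in actions.items():
        print(account, [event for _, event in trail])
```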
1.3.2 Computer Security Vulnerabilities and Risk
A vulnerability is a weakness of a system that can be exploited to allow unauthorized access, or a
weakness in a system that exposes assets to attack or damage. Vulnerabilities are caused
by a software package, an unprotected system port, an unlocked door, poor procedures, design,
implementation (insecure coding techniques), configuration mistakes, inappropriately
transmitting sensitive data in a non-encrypted plain text format, server misconfigurations, natural
disasters, the physical building, email attachments, the OS, etc.
Types of Computer Security Vulnerabilities
Computer security vulnerabilities are grouped by factor: human, hardware, software, network
communication, physical and natural. The frame of vulnerability is the surface of an attack.

1. Physical Vulnerabilities

An organization can implement the best authentication scheme in the world, develop the best
access control, and install firewalls and intrusion prevention, but its security cannot be complete
without implementation of physical security. Physical security is the protection of the actual
hardware and networking components that store and transmit information resources. To
implement physical security, an organization must identify all of the vulnerable resources and
take measures to ensure that these resources cannot be physically tampered with or stolen. These
measures include the following.
• Locked doors: It may seem obvious, but all the security in the world is useless if an
intruder can simply walk in and physically remove a computing device. High-value
information assets should be secured in a location with limited access.
• Physical intrusion detection: High-value information assets should be monitored
through the use of security cameras and other means to detect unauthorized access to
the physical locations where they exist.
• Secured equipment: Devices should be locked down to prevent them from being
stolen. One employee's hard drive could contain all of your customer information, so
it is essential that it be secured.
• Environmental monitoring: An organization's servers and other high-value equipment
should always be kept in a room that is monitored for temperature, humidity, and airflow.
The risk of a server failure rises when these factors go out of a specified range. It also
protects resources from natural disasters such as floods, fires, storms, and earthquakes.
• Employee training: One of the most common ways thieves steal corporate
information is to steal employee laptops while employees are traveling. Employees
should be trained to secure their equipment whenever they are away from the office.
2. Natural Vulnerabilities or Natural Disasters Vulnerabilities
• Climate: heat, direct sun, humidity, etc.
• Hurricane: storm, cyclone, fire, earthquakes
• Water: flooding can occur even when a water tap is not properly closed
• Lightning: avoid having servers in areas often hit by natural disasters!
3. Hardware Vulnerabilities
• Susceptibility to dust, heat and humidity
• Hardware design flaws and out-of-date hardware
• Misconfiguration of hardware
• Storing data on mobile devices such as mobile phones; disks can be stolen
4. Software Vulnerabilities
• Insufficient testing and lack of audit trail
• Software bugs and design faults
• Software complexity (bloatware)
• Software vendors that go out of business or change ownership
• Internet browsers, OS and protocols

5. Network Communication Vulnerabilities
• Unprotected network communications
• File sharing through social networking
• Open physical connections, IPs and ports
• Insecure network architecture and rapid technological changes
• Open access Wi-Fi networks
6. Human Vulnerabilities (Human Factors)
The human factor is an important component of computer security. Staff members may not be
trustworthy, e.g., bank theft. Human vulnerabilities can arise through employees, former
(previous) employees, IT management, and partners and suppliers.
Through Employees
• Social interaction and discussing work in public locations
• Taking data out of the office (paper, mobile phones, laptops)
• E-mailing documents and data, mailing and faxing documents
• Installing unauthorized software and apps
• Removing or disabling security tools
• Letting unauthorized persons into the office
• Connecting personal devices to company networks
• Writing down passwords and sensitive data
• Losing security devices/media (flash disk, CD, DVD, external hard disks) such as ID cards;
disks can be stolen; smoking; fire that can occur anywhere
Through Former (Previous) Employees
• Former employees working for competitors
• Former employees retaining company data
• Former employees discussing company matters
Through IT Management
• File sharing through social networking
• Rapid technological changes
• Storing data on mobile devices such as mobile phones
• Internet browsers, OS and protocols
• Insufficient IT capacity & missed security patches, insufficient incident & problem
management, configuration errors & missed security notices
• System operation errors & lack of regular audits
• Improper waste disposal & insufficient change management
• Business process flaws & inadequate business rules
• Inadequate business controls & processes that fail to consider human factors
• Overconfidence in security audits & lack of risk analysis
• Rapid business change, inadequate continuity planning & careless employing processes
Partners and Suppliers
• Interruption of telecom services
• Interruption of utility services such as electric, gas, water; hardware failure, software
failure and supply interruptions; sharing confidential data with partners and suppliers
1.3.3 Countermeasures of Computer Security Vulnerabilities
Security controls are countermeasures that address security issues. Some countermeasures
to apply against those vulnerabilities are:
• Strong password management & a security guard
• Access control mechanisms and security-awareness training
• Cryptographic checksum & encryption
• Web proxies & cryptographic techniques
• Propose good policies like No Food and Drinks, No Smoking, Fire extinguisher, Backup.
If we do not apply these countermeasures to address the vulnerabilities of the system, the
assets (system and property) of the company or organization will be put at risk.
1.3.4 Computer Security Risk
A computer security risk is really anything on your computer that may damage or steal your data
or allow someone else to access your computer, without your knowledge or permission. There
are a lot of different things that can create a computer risk. There are several types of bad
software that can create a computer security risk, including malware (viruses, worms,
ransomware, spyware, and Trojan horses). Misconfiguration of computer products as well as
unsafe computing habits also pose risks. Risk is the probability that something unwanted will
happen.
Risk = Threats x Vulnerabilities
1.3 Software Security Assurance
Software Security Assurance (SSA) is the process of ensuring that software is designed to
operate at a level of security that is consistent with the potential harm that could result from the
loss, inaccuracy, alteration, unavailability, or misuse of the data and resources that it uses,
controls, and protects. Software security assurance is a process that helps design and implement
software that protects the data and resources contained in and controlled by that software.
Software is itself a resource and thus must be afforded appropriate security.
