
Chapter One

Basic Concepts of Computer Security


What is Security?
In general, security is “the quality or state of being secure--to be free from danger.” It means to
be protected from adversaries--from those who would do harm, intentionally or otherwise.
What is Computer Security?
Computer security is the process of protecting the value of the assets of an information system (resources such as hardware, software, firmware, information/data, people, telecommunications, computers, data files, servers, mobile devices, electronic systems, networks, websites, IT equipment, infrastructure and processes, or combinations of these) from any unauthorized use, in order to achieve the objectives of computer security. Unauthorized use can be access, theft, corruption, natural disaster, disclosure, modification, disruption, destruction, review or inspection, or recording of the assets of an information system.
The term asset of an information system is used to describe any object that has value to the organization. Any asset of an information system is an organizational resource that must be protected. An asset can be logical or physical.

The logical assets of an information system can be:

• Information (databases, websites, data files, agreements and contracts, research results, training materials, audit results, operational instructions, etc.)
• Software files; technical equipment; services (computer and communication, heating, lighting, air-conditioning, etc.)
• Staff qualifications, skills and experience.
• Intellectual property (reputation (status, standing), image of the organization).
The physical assets of an information system can be a person, computer system hardware, or another tangible object.

Computer Security _ Compiled - Shambel Ts. OBU- - 2015 _E.C
Basic Objectives of Computer Security
There are three fundamental objectives of computer security: Confidentiality, Integrity and Availability. The ultimate goal of the computer security process is to protect these three attributes (the CIA triad).

Figure 1.1 The Computer Security Goals /CIA triad

Confidentiality: the assets of an information system are protected from unauthorized access or operations. Information system resources should only be accessed by authorized subjects. Confidentiality models are primarily intended to ensure that no unauthorized user's access to information system resources is permitted. The term confidentiality covers two related concepts: data confidentiality and privacy.
Data confidentiality: Assures that private or confidential information is not made available, released or disclosed to unauthorized individuals.
Privacy: Assures that individuals control or influence what information related to them may be collected and stored, and by whom and to whom that information may be disclosed. The term privacy is often used when the data to be protected refer to individuals. Common confidentiality controls are encryption, access control, user IDs and passwords.

Example: Enciphering an income tax return will prevent anyone from reading it. If the owner
needs to see the return, it must be deciphered. However, if someone else can read it when it is
entered into the program, the confidentiality of the tax return has been compromised.
Integrity: refers to the protection of information from unauthorized modification; information must not be corrupted or degraded. Integrity is an assurance that data cannot be modified without authorization, and it ensures that the message as sent is exactly the same message that was received. The term integrity covers two related concepts: data integrity and system integrity.
• Data integrity: Assures that information and programs are changed only in a specified and authorized manner.
• System integrity: Assures that a system performs its intended function in an unaffected or unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
Common integrity controls are cryptographic integrity checks, encryption, access control, perimeter defense and audit.
E.g.: Integrity is violated when an unauthorized employee is able to modify his own salary in a payroll database.
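The following added example (not part of the original notes) shows one form of the cryptographic integrity check named above, applied to the payroll case: each record carries an HMAC-SHA256 tag, and an audit flags any record changed without the key. The key, the record layout and the function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import json

# Constructed key for the demo; a real system keeps it outside the database,
# out of reach of the users whose records it protects.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"

def canonical(record: dict) -> bytes:
    """Serialize the record deterministically so equal data gives an equal tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def seal(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """Return the HMAC-SHA256 tag computed by the authorized payroll process."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()

def verify(record: dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag and compare it in constant time."""
    return hmac.compare_digest(seal(record, key), tag)

def audit(rows: list) -> list:
    """Return the employee ids whose stored record no longer matches its tag."""
    return [r["record"]["emp_id"] for r in rows
            if not verify(r["record"], r["tag"])]

def sample_table() -> list:
    """Constructed payroll table: each row stores a record and its tag."""
    records = [
        {"emp_id": "E100", "name": "Abebe", "salary": 12000},
        {"emp_id": "E101", "name": "Sara", "salary": 15000},
    ]
    return [{"record": r, "tag": seal(r)} for r in records]

def demo() -> list:
    table = sample_table()
    # An employee with database write access, but without the key,
    # raises his own salary; the stored tag no longer matches.
    table[0]["record"]["salary"] = 90000
    return audit(table)

if __name__ == "__main__":
    print("records failing the integrity check:", demo())
```

The check detects the modification rather than preventing it; preventing the write is the job of access control on the database.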
Availability: ensures that access to information/resources is not denied and/or delayed to authorized (legitimate) subjects. Information must be kept available to authorized persons when they need it. Availability does not imply that the information is accessible to any user; rather, it means availability to authorized users. High-availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. So, availability models keep data and resources available for authorized use, especially during emergencies or disasters. Availability models usually address three common challenges: denial of service (DoS) due to intentional attacks; loss of information system capabilities because of natural disasters (fires, floods, storms, or earthquakes) or human actions (bombs or strikes); and equipment failures during normal use. Common availability controls are redundancy of resources, traffic filtering and incident recovery.
E.g.: The prevention of authorized access to resources, the delaying of operations, or disruptions of services due to power outages, hardware failures, and system upgrades.

“Security controls” are countermeasures that address security issues.

Threats, Vulnerabilities, Controls, Risk
• A computer security threat is anything that has the potential to cause harm to the assets of an information system.
• An attack derives from an intelligent threat; it is an intelligent act that is a careful attempt to violate the security policy of a system.
• A security policy is a statement of what is, and what is not, allowed by users of a system.
• A security mechanism is a method, tool, or procedure for enforcing a security policy.
Threats and attacks are covered further in Chapter 2; security policy and mechanisms are covered further in Chapter 5.
Goals of computer security
Given a security policy's specification of “secure” and “non-secure” actions, security mechanisms can prevent the attack, detect the attack, or recover from the attack.

• Prevention: take measures to prevent the damage, meaning that an attack will fail; e.g., passwords to prevent unauthorized users.

• Detection: if an attack cannot be prevented, the when, how and who of the attack have to be identified; e.g., when a user enters a password three times.

• Recovery/Reaction: take measures to recover from the damage; e.g., restore deleted files from backup; sometimes retaliation (attacking the attacker's system or taking legal action to hold the attacker accountable).

These three strategies may be used together or separately.


Example 1: Protecting valuable items at home from a burglar/thief/robber/criminal
• Prevention: locks on the door, guards, hidden places, etc.
• Detection: burglar alarm, guards, closed-circuit television (CCTV), etc.
• Recovery: calling the police, replacing the stolen item, etc.

Example 2: Preventing a fraudster from using our credit card in an Internet purchase
• Prevention: encrypt when placing an order, perform some check before placing an order, or don't use a credit card on the Internet
• Detection: a transaction that you had not authorized appears on your credit card statement
• Recovery: ask for a new card, recover the cost of the transaction from insurance, the card issuer or the merchant
Some Security Controls
Authentication: a process/mechanism for identifying a subject based on what you know, what you have or who you are.
Authentication (Password, Card, Biometrics)

(What we know, have, are!)


• Authentication is the binding of an identity to a subject. An entity must provide information to enable the system to confirm its identity. This information comes from one (or more) of the following:
  • What the entity knows (such as passwords or secret information)
  • What the entity has (such as a badge or card)
  • What the entity is (such as fingerprints or retinal characteristics, i.e. biometrics)
b. Encryption (detail in Chapter 3)

Non-repudiation: the sender cannot later deny having processed the data; the originator of a message or transaction may not later deny the action.
Authorization: a mechanism for identifying an individual's access privileges, that is, what the individual is allowed to do after being authenticated. It asks, “What are you allowed to do?”
Accounting: a process of ensuring that an entity's actions are uniquely traceable to that entity. It wants to know, “What did you do?”
Auditing: the process of analyzing systems to determine what actions took place and who performed them. It is the analysis of log records to present information about the system in a clear and understandable manner. Logging is the basis for most auditing; logging is the recording of events or statistics to provide information about system use and performance. Other security controls are administrative procedures, standards and laws, certifications, and physical security.
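The controls above can be seen working together in the following added example, which is not part of the original notes: a password check (authentication), a role lookup (authorization), a log of every decision (accounting) and the three-failed-passwords rule from the detection example earlier in the chapter. The user names, roles, passwords and function names are constructed for the illustration.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3   # detection threshold from the chapter's "three times" example
audit_log = []     # accounting: (user, action, outcome) for every decision

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt),
            "role": role, "failures": 0}

# Constructed accounts and permission table for the demo.
USERS = {"clerk": make_user("constructed-pass-1", "employee"),
         "hr": make_user("constructed-pass-2", "payroll_admin")}
PERMISSIONS = {"employee": {"read_own_salary"},
               "payroll_admin": {"read_own_salary", "update_salary"}}

def authenticate(user: str, password: str) -> bool:
    """What the entity knows: check the password, count consecutive failures."""
    acct = USERS.get(user)
    if acct is None or acct["failures"] >= MAX_FAILURES:
        audit_log.append((user, "login", "unknown" if acct is None else "locked"))
        return False
    ok = hmac.compare_digest(hash_password(password, acct["salt"]), acct["hash"])
    acct["failures"] = 0 if ok else acct["failures"] + 1
    audit_log.append((user, "login", "ok" if ok else "failed"))
    return ok

def authorize(user: str, action: str) -> bool:
    """What are you allowed to do? Look the action up under the user's role."""
    allowed = action in PERMISSIONS[USERS[user]["role"]]
    audit_log.append((user, action, "allowed" if allowed else "denied"))
    return allowed

def flagged_accounts() -> list:
    """Detection: accounts that reached the failed-password threshold."""
    return sorted(u for u, a in USERS.items() if a["failures"] >= MAX_FAILURES)

if __name__ == "__main__":
    authenticate("clerk", "constructed-pass-1")
    authorize("clerk", "update_salary")      # denied: not in the employee role
    for guess in ("a", "b", "c"):
        authenticate("hr", guess)            # three failures lock the account
    print(flagged_accounts(), audit_log[-1])
```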

Vulnerabilities and Risk


A vulnerability is a weakness of a system that can be exploited to allow unauthorized access, or a weakness in a system that exposes assets to attack or damage. Vulnerabilities are caused by a software package, an unprotected system port, an unlocked door, poor procedures, design, implementation (insecure coding techniques), configuration mistakes, inappropriate transmission of sensitive data in non-encrypted plain-text format, server misconfigurations, natural disasters, the physical building, email attachments, the OS, etc.
Generally, vulnerabilities can be weaknesses in human factors, technology, configuration, or security policy. On the other hand, a vulnerability also depends on the attacker's capability to exploit an error, since an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface. Security vulnerabilities are generally categorized into three: loss of confidentiality, loss of integrity (corrupted) and loss of availability (unavailable or very slow).
Types of Vulnerabilities
• Physical vulnerabilities (e.g., buildings)
• Natural vulnerabilities: disasters (e.g., earthquakes)
• Hardware and software vulnerabilities (e.g., failures)
• Media vulnerabilities (e.g., disks can be stolen)
• Communication vulnerabilities (e.g., wires can be tapped)
• Human vulnerabilities (e.g., insiders)

Types of Vulnerabilities Achieved Through

• Human factors
• Through employees
• Through former (previous) employees
• Through IT management
• Partners and suppliers
• Through technology
• Through hardware and software
• Through network/communication
• Physical vulnerabilities (e.g., buildings)
• Natural disasters (e.g., earthquakes)

Human Factors

The human factor is an important component of computer security. The human factors of security cover the actions or events in which human error results in a successful hack or data breach, and the ways in which employees make businesses vulnerable from within. The human factor has played a major role in making businesses worldwide vulnerable in their system security.
• Competence (capability, skill, ability) of the security staff, e.g., crackers may know more than the security team.
• Understanding and support of management, e.g., management does not want to spend money on security.
• Staff's discipline to follow procedures, e.g., staff members choose simple passwords.
• Staff members may not be trustworthy, e.g., bank theft.
Through Employees
• Social interaction and discussing work in public locations
• Taking data out of the office (paper, mobile phones, laptops)
• E-mailing documents and data; mailing and faxing documents
• Installing unauthorized software and apps
• Removing or disabling security tools
• Letting unauthorized persons into the office
• Connecting personal devices to company networks
• Writing down passwords and sensitive data
• Losing security devices or media (flash disks, CDs, DVDs, external hard disks) such as ID cards; disks can be stolen
• Lack of information security awareness
• Smoking: fire can occur anywhere
Through Former (Previous) Employees

• Former employees working for competitors
• Former employees retaining company data
• Former employees discussing company matters

Through IT Management
• File sharing through social networking
• Rapid technological changes
• Storing data on mobile devices such as mobile phones
• Internet browsers, OS and protocols

Through Hardware
• Susceptibility to dust, heat and humidity
• Hardware design flaws; out-of-date hardware
• Misconfiguration of hardware
• Storing data on mobile devices such as mobile phones

Through Software
• Insufficient testing; lack of an audit trail
• Software bugs and design faults; unchecked user input
• Software that fails to consider human factors
• Software complexity (bloatware)
• Software vendors that go out of business or change ownership
• Internet browsers, OS and protocols

Through Network
• Unprotected network communications
• File sharing through social networking
• Open physical connections, IPs and ports
• Insecure network architecture and rapid technological changes
• Unused user IDs and excessive privileges
• Unnecessary jobs and scripts executing
• Wi-Fi networks
Through IT Management
• Insufficient IT capacity and missed security patches
• Insufficient incident and problem management
• Configuration errors and missed security notices
• System operation errors and lack of regular audits
• Improper waste disposal and insufficient change management
• Business process flaws and inadequate business rules
• Inadequate business controls and processes that fail to consider human factors
• Overconfidence in security audits and lack of risk analysis
• Rapid business change, inadequate continuity planning and careless employment processes

Partners and Suppliers

• Interruption of telecom services
• Interruption of utility services such as electricity, gas and water; hardware failure, software failure and supply interruptions
• Sharing confidential data with partners and suppliers

Through Natural Disasters

• Climate: heat, direct sun, humidity, etc.
• Hurricane: storm, cyclone, fire, earthquakes
• Water: flooding can occur even when a water tap is not properly closed
• Lightning: avoid having servers in areas often hit by natural disasters!

Vulnerabilities - Countermeasures
Here are some countermeasures that can be applied to address those vulnerabilities:
• Strong password management and a security guard
• Access control mechanisms and security-awareness training
• Cryptographic checksums and encryption
• Web proxies and cryptographic techniques
• Good policies such as no food and drinks, no smoking, fire extinguishers, and backups
If we do not apply countermeasures to address the vulnerabilities of the system, the assets of the company or organization (system and property) will be at risk.
Computer Security Risk
A computer security risk is really anything on your computer that may damage or steal your data
or allow someone else to access your computer, without your knowledge or consent. There are a
lot of different things that can create a computer risk, including malware, a general term used to
describe many types of bad software. We commonly think of computer viruses, but, there are
several types of bad software that can create a computer security risk, including viruses, worms,
ransomware, spyware, and Trojan horses. Misconfiguration of computer products as well as unsafe
computing habits also pose risks. Risk is the probability that something unwanted will happen.

Risk = Threats x Vulnerabilities

Software Security Assurance


Software Security Assurance (SSA) is the process of ensuring that software is designed to operate
at a level of security that is consistent with the potential harm that could result from the loss,
inaccuracy, alteration, unavailability, or misuse of the data and resources that it uses, controls, and
protects. Software security assurance is a process that helps design and implement software that
protects the data and resources contained in and controlled by that software. Software is itself a
resource and thus must be afforded appropriate security.
