Professional Documents
Culture Documents
1
Computer Security _ Compiled - Shambel Ts. OBU- - 2015 _E.C
Basic Objectives of Computer Security
There are three fundamental key of computer security objectives. These are Confidentiality,
Integrity and Availability. The ultimate goal of computer security process is to protect this three
unique attributes of computer security (CIA triad).
Confidentiality: it refers a value of assets of information system resources are protection from
unauthorized access or operations. Information system resources should only be access by
authorized subjects. Confidentiality models are primarily intended to ensure that no unauthorized
users’ access to information system resources is permitted. The term confidentiality covers two
related concepts data confidentiality and privacy.
Data confidentiality: Assures that private or confidential information is not made available or
released or disclosed to unauthorized individuals.
Privacy: Assures that individuals control or influence what information related to them may be
collected and stored and by whom and to whom that information may be disclosed. The term
privacy is often used when data to be protected refer to individuals’. Common confidentiality
controls are Encryption, Access Control, user IDs and passwords.
2
Computer Security _ Compiled - Shambel Ts. OBU- - 2015 _E.C
Example: Enciphering an income tax return will prevent anyone from reading it. If the owner
needs to see the return, it must be deciphered. However, if someone else can read it when it is
entered into the program, the confidentiality of the tax return has been compromised.
Integrity- refers to information protection from unauthorized modifications or information must
not be corrupted or degraded. Integrity is an assurance mechanism that data cannot be modified
without authorization and ensures the message as sent is exactly the same message that was
received. The term integrity covers two related concepts data integrity and system integrity.
Data integrity: Assures that information and programs are changed only in a specified and
authorized manner.
System integrity: Assures that a system performs its intended function in an unaffected or
unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the
system.
Common integrity controls are cryptographic integrity check, Encryption, Access Control,
Perimeter defense, Audit.
Eg: Integrity is violated when an unauthorized employee is able to modify his own salary in a
payroll database.
Availability: ensures that access to information/ resources is not denied and /or delayed to
authorize (legitimate) subjects. Information must be kept available to authorized persons when
they need it. Availability does not imply that the information is accessible to any user rather, it
means availability to authorized users. High availability systems aim to remain available at all
times, preventing service disruptions due to power outages, hardware failures, and system
upgrades. So, availability models keep data and resources available for authorized use, especially
during emergencies or disasters. Usually three common challenges address to availability models
such as Denial of service (DoS) due to intentional attacks, Loss of information system capabilities
because of natural disasters (fires, floods, storms, or earthquakes) or human actions (bombs or
strikes) and Equipment failures during normal use. Common available controls are redundancy of
resources, traffic filtering and incident recovery.
E.g. The prevention of authorized access to resources or the delaying of operations, disruptions
of services due to power outages, hardware failures, and system upgrades.
3
Computer Security _ Compiled - Shambel Ts. OBU- - 2015 _E.C
Threats, Vulnerabilities, Controls, Risk
Computer Security threats are anything that has a potential to cause harm on value of assets
of information system resources.
An attack is derives from an intelligent threat, and an intelligent act that is careful attempt to
violate the security policy of a system.
A security policy is a statement of what is, and what is not, allowed by users of a system
A security mechanism is a method, tool, or procedure for enforcing a security policy.
Threats and Attack more on this in Chapter 2, Security Policy and Mechanisms more on
this in Chapter 5
Goals of computer security
Given a security policy’s specification of “secure” and “non-secure” actions, security mechanisms
can prevent the attack, detect the attack, or recover from the attack.
Prevention: take measures to prevent the damage, it means that an attack will fail; e.g.,
passwords to prevent unauthorized users
Detection: if an attack cannot be prevented; when, how and who of the attack have to be
identified; e.g., when a user enters a password three times
Recovery/Reaction: take measures to recover from the damage; e.g., restore deleted files
from backup; sometimes retaliation (attacking the attacker’s system or taking legal actions
to hold the attacker accountable).
Example 2: Protecting a fraudster from using our credit card in Internet purchase.
Prevention: Encrypt when placing order, perform some check before placing order, or don’t
use credit card on the Internet
Detection: A transaction that you had not authorized appears on your credit card statement
4
Computer Security _ Compiled - Shambel Ts. OBU- - 2015 _E.C
Recovery: Ask for new card, recover cost of the transaction from insurance, the card issuer
or the merchant
Some of Security Controls
Authentication: Authentication a process/ mechanism of identification subject based on what you
know, what you have or who you are.
Authentication (Password, Card, Biometrics)
Non-repudiation: sender later deny having processed the data or the originator of a message or
transaction may not later deny action.
Authorization: a mechanism of identification an individual privilege of access, which is allowed
to after authenticated the individuals. It asks, “What are you allowed to do?”
Accounting: is a process of ensuring that an entity’s action is traceable uniquely to that entity. It
wants to know, "What did you do?"
Auditing: Auditing is the process of analyzing systems to determine what actions took place and
who performed them. It is the analysis of log records to present information about the system in a
clear and understandable manner. Logging is the basis for most auditing; Logging is the recording
of events or statistics to provide information about system use and performance. Other security
control are Administrative procedures, Standards and Laws Certifications and Physical Security.
Human Factors
6
Computer Security _ Compiled - Shambel Ts. OBU- - 2015 _E.C
The human factor is an important component of computer security. The human factors of security
represent the actions or events when human error results in a successful hack or data crack and
how employees are making businesses vulnerable from within. The human factor played a major
role in making businesses worldwide vulnerable of system security state.
Competence (Capability, Skill, Ability) of the security staff e.g. Crackers may know more
than the security team
Understanding and support of management e.g. Management does not want to spend money
on security.
Staff’s discipline to follow procedures e.g., Staff members choose simple passwords.
Staff members may not be trustworthy e.g., Bank theft
Through Employees
Social interaction and discussing work in public locations,
Taking data out of the office (paper, mobile phones, laptops),
E-mailing documents and data, Mailing and faxing documents
Installing unauthorized software and apps,
Removing or disabling security tools
Letting unauthorized persons into the office
Connecting personal devices to company networks
Writing down passwords and sensitive data
Losing security devices/ Media(flash disk, CD, DVD, External hard disks ) such as
ID-cards/Disks can be stolen & Lack of information security awareness
Smoking Fire that can occur anywhere
Through IT Management
File sharing through social networking
Rapid technological changes
7
Computer Security _ Compiled - Shambel Ts. OBU- - 2015 _E.C
Storing data on mobile devices such as mobile phones
Internet browsers, OS and Protocol
Through Hardware
Susceptibility to dust Heat and humidity
Hardware design flaws Out of date hardware
Misconfiguration of hardware
Storing data on mobile devices such as mobile phones
Through software
Insufficient testing, Lack of audit trail
Software bugs and design faults Unchecked user input
Software that fails to consider human factors
Software complexity (bloatware)
Software vendors that go out of business or change ownership.
Internet browsers and OS and Protocol
Through Network
Unprotected network communications
File sharing through social networking
Open physical connections , IPs and ports
Insecure network architecture and Rapid technological changes
Unused user IDs and Excessive privileges
Unnecessary jobs and scripts executing
Wifi networks
Through IT Management
Insufficient IT capacity & Missed security patches
Insufficient incident & problem management
Configuration errors & missed security notices
System operation errors & Lack of regular audits
Improper waste disposal & Insufficient change management
Business process flaws & Inadequate business rules
Inadequate business controls & Processes that fail to consider human factors
8
Computer Security _ Compiled - Shambel Ts. OBU- - 2015 _E.C
Overconfidence in security audits & Lack of risk analysis
Rapid business change, inadequate continuity planning & Careless employing processes.
Vulnerabilities - - - Countermeasures
Here some Countermeasures to solve for those vulnerabilities, applies those:
Strong password management & a security guard
Access control mechanisms and Security-awareness training
Cryptographic checksum &encryption
Web proxies & Cryptographic techniques
Propose good policies like No Food and Drinks, No Smoking, Fire extinguisher, Backup
If we are not applies countermeasures to Solve for those Vulnerabilities of the system, the
company or organization asset (system and property) going to under the risk.
Computer Security Risk
A computer security risk is really anything on your computer that may damage or steal your data
or allow someone else to access your computer, without your knowledge or consent. There are a
lot of different things that can create a computer risk, including malware, a general term used to
describe many types of bad software. We commonly think of computer viruses, but, there are
several types of bad software that can create a computer security risk, including viruses, worms,
9
Computer Security _ Compiled - Shambel Ts. OBU- - 2015 _E.C
ransomware, spyware, and Trojan horses. Misconfiguration of computer products as well as unsafe
computing habits also pose risks. Risk is the probability that something unwanted will happen.
10
Computer Security _ Compiled - Shambel Ts. OBU- - 2015 _E.C