COMPUTER SECURITY

1
 Definition
Computer security entails techniques for ensuring
that data stored in a computer or data in transit
cannot be read or compromised by any
individuals without authorization

Computer security covers all the processes and

mechanisms by which computer-based
equipment, information and services are
protected from unintended or unauthorized
access
2
 Security domains

Computer security is often defined in terms of security

domains below:
a) Physical security – Controlling the comings and
goings of people and materials; protection against
natural disasters
b) Operational / Procedural security – covers
everything from security policy to reporting
hierarchies
c) Personnel security – Background screening before
employing, training, security briefings, handling
departures
3
 Security domains

Computer security is often defined in terms of

security domains below:
d) System security – User access and
authentication controls, assignment of
priviledges, backup, log-keeping and auditing
e) Network security – Protecting network servers
and network equipment, controlling access
from untrusted networks, detecting intrusions

4
 Security properties / goals
1) Confidentiality
• No improper gathering of information
• Disclosure of knowledge only to authorized
individuals

2) Integrity
• Data should not be maliciously altered.
• Completeness, wholeness, and readability
unaltered information.
5
 Security properties contd …

3) Availability
Data/ services should be accessed by the
authorized persons as and when needed

4) Authentication
User or data origin should be accurately
identifiable
6
 Computer security
Note: Computer security is a whole
system issue.
The whole system includes at least :
software, hardware, data files, physical
environment, personnel, corporate and
legal structure

7
 1) Confidentiality
• Confidentiality is characterized by preventing
the unauthorized reading of data
• It assumes a security policy that specifies who
and what can access data
• The security policy is used for access control
Example violations
Your medical records are obtained by a potential
employer, without your consent

8
 2) Integrity
• Integrity is concerned with preventing possible
malicious alterations of data, by someone who is not
authorized to do so.
• It assumes a security policy saying who or what is
allowed to alter data

Example violations
a) An online payment system that alters an electronic
cheque to read $10000 instead of $100.00
b) un-authorized change of user access rights
9
 3) Availability
• Availability – data or service should be
accessed as expected.

• Threats to availability cover many kinds of

external environmental events (e.g. fire,
pulling out the server plug) as well as
accidental or malicious attacks in software
(e.g. infection with a virus)

10
 3) Availability contd …
• Ensuring availability means preventing
Denial of Service (DoS)
Its possible to fix attacks on faulty protocols,
but attacks exhausting available resources
are harder, since it can be tricky to
distinguish between the attack er and a
legitimate user of the system

11
 4) Authentication
• Authentication is verification of identity of a person
or system
• Authentication is a pre-requisite for allowing access
to someone, but denying access to others, using an
access control system
• Authentication methods are characterized as :
Something you have e.g. access card
Something you know e.g. password
Something you are i.e. biometric e.g. signature,
voice, fingerprint
12
 Why does security fail?
1) Opposing forces to security
• complexity of the system and inevitable
errors
• Wide and unpredicted human factors
• Cunning expertise of attackers (new attacks come
up everyday)
2) Engineering and management aspects
• Failure to invest in providing security
• Standard Off-the-shelf but insecure systems
13
 Opposing forces : complexity
• Complexity is one of the worst enemies
of security
• All computer systems have bugs and
design errors
• A proportion of bugs will be security-
related, leading to accidental breaches
and easy exploits

14
 Opposing forces : complexity

• Two approaches to deal with this

i) Limit complexity e.g. use special
purpose solutions like firewalls
ii) Design around security e.g. Use
multiple levels of security, invest more
in detection than prevention

15
 Tradeoff – Usability vs Security
• Costs involved –
– planning, designing, and implementing safeguards,
– participation of everyone in the organization.
• The second cost limits the freedom to use the
technology to its fullest extent.
• Fundamental tension between security and usability:
– Security requires that information and access to it
be tightly controlled
– Advantage of the information technologies is their
ability to enable the free flow of information.
• In competitive industries, usability is a priority over
security.
 Opposing forces : attackers
• Attackers have many reasons to act maliciously
e.g. fun, publicity, theft, fraud, terrorism,
surveillance
• List of potential attackers
i) Hobbyist hackers - more knowledgeable and
write down their own tools and find new
flaws
ii) Determines hackers – have a cause e.g.
disgruntled IT professionals, cybercriminals
17
 Opposing forces : attackers contd…

iii) Professional consultants e.g. Industrial

espionage that is highly knowledgeable and
well-funded

A risk assessment can consider the list of

potential attackers and determine how much
to protect against them

18
 Opposing forces : human factors
People are liable to:
• Sloppy procedures: e.g. choosing weak
passwords, turning off or skipping security
checks, ignoring warnings
• Social engineering attacks: giving
information to an intruder who
masquerades as an authorized personnel
• Failure to understand security implications
of actions: e.g. opening spam or suspicious
attachments
19
 Investing in security
• Security may be a low priority either
deliberately or unintentionally
• Projects have limited budgets and security gets
the least priority
• Understanding and providing security requires
experts that may be unavailable / expensive
• Security risks are often judged to be small yet
the impact is very high

20