
Faculty of Computing and Informatics

COMPUTER NETWORK SECURITY


Succeed We Must
Computer Security Research Group

Lecture 2
Introduction – Cont’d

07/12/22 Fred Kaggwa 1


Lecture 2 Overview

The history and current events in “computer network security”
Security Violations (Examples)
Computer Security Objectives
Challenges of Computer Security


Introduction: The history and current events in “computer network security”

How can you define computer security?

“The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (This includes hardware, software, firmware, information/data and telecommunications)” (NIST)

What do we need to know?

For computer security, we need to know that:

Software is not secure
Networks are not secure
Trust infrastructures are not secure
And users too are not secure! ... someone will tell you ... “I think I might have a bank in Nigeria to sell to you”
Internet is not secure


What about in those days?

• Before widespread use of data processing equipment
• Security of valuable and very sensitive/private information could be provided by physical and administrative means, e.g. (physical) cabinets/shelves with a combination lock, (administrative) thorough research on people before recruitment/hiring.
• This is still common in our country… just try to visit some sensitive organizations.
• People are still rigid and resistant to deploying current security mechanisms.
• Organizations still believe “Askaris” (security guards) can do it best!


How about in these days?

• There is widespread use of data processing equipment (mainly in terms of computing)
• Computers, mobile phones, automobiles etc.
• These, however, need to be interconnected through networks (public telephone networks, data networks, and/or the internet) to allow easy access.
• There is therefore a need for tools that can provide adequate security of the valuable and very sensitive/private information stored on these computing resources.
• The collection of such tools that aid in data protection and impeding hackers is usually called computer security.


So, what is for this course?

• The widespread use of computing resources has brought about:
  • The introduction of distributed/shared systems
  • The use of networks and
  • The use of communication facilities

All to carry data between user terminals and computers, and between computers and computers.

• There is therefore a need for computer network security measures/tools that can provide adequate security and protection during this kind of transmission.


NOTE

Security is about protecting assets.

Computer Security generally concerns assets of computer systems: the information and services they provide.

Computer Network Security focuses on the protection of assets on computers that are connected and can be accessed remotely.

This course therefore focuses on measures to deter, prevent, detect, and correct any security violations that involve transmission of information.


Some Examples of Security Violations

Example 1

Ali (A) transmits a file to his concubine Beth (B). The file contains very sensitive information (they want to go out for a trip, but Ali wants to verbally lie to the wife that he has a business trip). The information in the file is to be protected from disclosure. His wife Cathy (C), who is not authorized to read the file, is able to monitor the transmission and capture a copy of the file during its transmission.


Example 2

A network manager transmits a message to a computer under his management. The message instructs the computer to update an authorization file to include the identities of a number of new users who are to be given access to that computer. A certain user intercepts the message, alters its contents to add or delete entries and then forwards the message to the computer, which accepts the message as coming from the network manager and updates its authorization file accordingly.

Example 3

An employee is fired without a warning. The personnel manager sends a message to a server system to invalidate the employee’s account. When the invalidation is accomplished, the server is to post a notice to the employee’s file as confirmation of action. The employee is able to intercept the message and delay it long enough to make a final access to the server to retrieve sensitive information. The message is then forwarded, the action taken, and the confirmation posted. The employee’s action may go unnoticed for some considerable time.


Example 4

A message is sent from a certain customer to a stock broker in Uganda with instructions for various transactions. Subsequently, the investments lose value and the customer denies sending the message.
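Examples 2 and 3 above come down to two checks the receiving computer never made: was the message changed in transit, and is it fresh? The sketch below is an added example, not part of the lecture; the shared key, field names, user names and the 30-second window are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo values (assumptions, not from the lecture).
SHARED_KEY = b"demo-key-shared-by-manager-and-server"
MAX_AGE_SECONDS = 30


def seal(command: dict, sent_at: int, key: bytes = SHARED_KEY) -> dict:
    """Manager side: bind the command and its send time under one HMAC tag."""
    body = json.dumps({"cmd": command, "sent_at": sent_at}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify(message: dict, now: int, key: bytes = SHARED_KEY) -> dict:
    """Server side: reject altered (Example 2) or delayed (Example 3) messages."""
    expected = hmac.new(key, message["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["tag"]):
        raise ValueError("integrity check failed: message was modified in transit")
    payload = json.loads(message["body"])
    age = now - payload["sent_at"]
    if age < 0 or age > MAX_AGE_SECONDS:
        raise ValueError(f"freshness check failed: message is {age}s old")
    return payload["cmd"]


def demo() -> list:
    results = []
    sent_at = 1_700_000_000  # constructed timestamp
    msg = seal({"action": "add_users", "users": ["dora", "eve"]}, sent_at)
    results.append(("genuine", verify(msg, now=sent_at + 2)))
    # Example 2: the body is rewritten in transit, but the tag cannot be recomputed.
    tampered = dict(msg, body=msg["body"].replace("eve", "mallory"))
    # Example 3: the unmodified message is held back for ten minutes.
    for label, m, now in (("altered", tampered, sent_at + 2),
                          ("delayed", msg, sent_at + 600)):
        try:
            verify(m, now=now)
            results.append((label, "accepted"))
        except ValueError as err:
            results.append((label, str(err)))
    return results


if __name__ == "__main__":
    for label, outcome in demo():
        print(f"{label}: {outcome}")
```

A timestamp window still allows a replay inside the window, and a shared-key tag cannot settle the dispute in Example 4, because either key holder could have produced it; that case calls for a digital signature.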


Reminder: Computer Security

“The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (This includes hardware, software, firmware, information/data and telecommunications)” (NIST)


Key Computer Security Objectives

You realize that the definition we have just had introduces the key objectives that are at the heart of computer security.

1. Confidentiality: This term covers two related concepts:

Data confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorized individuals.

Privacy: Assures that individuals control or influence what information related to them may be collected and stored, and by whom and to whom that information may be disclosed.


2. Integrity: This term also covers two related concepts:

Data Integrity: Assures that information and programs are changed only in a specified and authorized manner.

System Integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.

3. Availability: Assures that systems work promptly and service is not denied to authorized users.

These three are commonly referred to as the CIA.


Key Computer Security Objectives (CIA)

1. Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.

2. Integrity: Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.

3. Availability: Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.


Other Computer Security Objectives

1. Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. This means verifying that users are who they say they are and that each input arriving at the system came from a trusted source.

2. Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action. Because truly secure systems are not yet achievable, we must be able to trace a security breach to a responsible party. Systems must keep records of their activities to permit later forensic analysis to trace security breaches or to aid in transaction disputes.


Challenges of Computer Network Security

There are a number of reasons that make computer network security fascinating and complex:

Security is not as simple as it might first appear to the novice.

• Major requirements for security services seem straightforward (confidentiality, authentication, non-repudiation, integrity).
• However, the mechanisms to implement the mentioned requirements can be complex and not easy to understand.


• If you are to design a certain security mechanism or algorithm, it is important to always consider possible attacks on the designed security features.
• The challenge here is in explicitly exploiting all the possible unexpected weaknesses in the mechanism/algorithm.
• This then makes the design of security algorithms/mechanisms complex.


• The placement of the various designed security mechanisms can also be challenging. It is not easy to explicitly decide on where to use these mechanisms.
• For example, in physical security placement, it is not easy to know (decide) where (at what points) to place particular security mechanisms on a network.
• Also, it can be challenging for logical security, for example deciding at what layer of an architecture like TCP/IP the security mechanisms can be placed.


• The various security mechanisms typically involve more than one particular algorithm or protocol. They also require that participants be in possession of some secret information (e.g. an encryption key). This itself raises questions on how the secret information is created, distributed and protected.
• There can also be reliance on other communication protocols whose security we may not be sure of, or which we may not know how to integrate with our designed security mechanism.


• Computer network security is simply a battle between the “bad guys” who want to find security holes and the security officers (designers or administrators) who try to close these security holes.
• Now, the biggest challenge here is that the “bad guys” need only find one single weakness and then plan on exploiting it, BUT the designer has to find and eliminate all weaknesses to achieve perfect security.


• The other challenge is that users and system managers have some natural instinct that makes them perceive little benefit from security investment until a security failure occurs.
• To have almost good security requires regular, even constant, monitoring, and this is difficult in today’s short-term and overloaded environment (people have other more “important things” to do than monitoring security).
• System designers still make security an afterthought to be added to the system, rather than an integral part of the design process (very evident in today’s systems).

• Many users and also security administrators perceive strong security as a barrier to efficient and user-friendly operation of an information system or even the use of information.
• This is deadly, because the organization ends up not implementing stronger security mechanisms and hence security challenges.


Breach of Security: Levels of Impact

• There can be three levels of impact on either organizations or individuals when there is any kind of breach of security (by this we mean a loss of confidentiality, integrity or availability).

• LOW: Here, the loss could be expected to have a limited adverse effect on the organizational operations, organizational assets, or individuals. By this we mean that a loss in confidentiality, integrity or availability might:
  • Cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions but the effectiveness of the functions is noticeably reduced.
  • Result in minor damage to organizational assets
  • Result in minor financial loss
  • Result in minor harm to individuals


• MODERATE: Here, the loss could have a serious adverse effect on the organizational operations, organizational assets, or individuals. By this we mean that a loss in confidentiality, integrity or availability might:
  • Cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions but the effectiveness of the functions is significantly reduced.
  • Result in significant damage to organizational assets
  • Result in significant financial loss
  • Result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.


• HIGH: Here, the loss could be expected to have a severe or catastrophic adverse effect on the organizational operations, organizational assets, or individuals. By this we mean that a loss in confidentiality, integrity or availability might:
  • Cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions.
  • Result in major damage to organizational assets
  • Result in major financial loss
  • Result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.



Any Questions?
