
Computer Security
Week 13
Goals
• After studying this chapter, you should be able to:
• Explain the three cornerstones of information security
• Describe the three types of authentication credentials
• Create secure passwords and assess the security levels of others.
• Define the categories of malware.
• List the types of security attacks
• Define cryptography
• Encode and decode messages using various ciphers.
• Discuss the challenges of keeping online data secure
• Discuss the security issues related to social media and mobile
devices

2 03/04/2024 Add a footer


Information Security
• It is the techniques and policies used to ensure proper
access to data.
• Described as the synthesis of confidentiality,
integrity, and availability.



Information Security
• Confidentiality
• Ensuring that data is protected from unauthorized access.
• Exp: You don’t let anyone know how much money you have
in your savings account.

• Integrity
• Ensuring that data can be modified only by appropriate
mechanisms.
• Exp: You don’t want a hacker to modify your bank balance.



Information Security
• Availability
• It is the degree to which authorized users can access
information for legitimate purposes
• Exp: A hacker could launch an attack that floods a network
with useless transmissions, and thereby keep legitimate
users from connecting to remote systems.



Information Security
• Risk Analysis
• Determining which data needs protecting
• Identifying the risks to that data
• Calculating the likelihood that a risk may become reality
• Once completed, plans can be implemented to manage the
risks accordingly.



Information Security
• Management of Risk Analysis
• Separate the available data management privileges so that
no single individual has the authority to have a significant
impact on the system.

• Exp: Large financial transactions often require a separate
authorization process. Administrators should assign to an
individual only those privileges needed to carry out his or
her job functions.



Preventing Unauthorized Access
• Keeping other people from accessing your accounts
and information.

• User Authentication
• It is the process of verifying the credentials of a particular
user of a computer or software system.

• Username and password make up the authentication
credentials (something provided by users to identify
themselves).



Preventing Unauthorized Access
• User Authentication
• Has 3 types: username / password, smart card, and
biometrics.

• Smart Card
• It is based on something that the user has, such as an
identification card with a magnetic strip or an embedded
memory chip.
• This requires special hardware (more secure than a
username and password).



Preventing Unauthorized Access
• Smart Card (RFID tag)
• Contains electronically stored tracking and identification
information.
• They are powered by and read at short range by magnetic
fields.
• Unlike bar codes, the tags do not need to be within the
reader’s line of sight.
• RFID tags are used in a wide variety of applications, from
tracking the progress of a car on the highway to a tag
implanted in a pet’s body.



Preventing Unauthorized Access
• Biometrics
• Using physiological characteristics, such as fingerprints, to
identify users and control access.
• Exp: Analysis of fingerprints, retina pattern, voice pattern.



Preventing Unauthorized Access
• Passwords
• A username alone cannot prove who you are: it must be
unique (if someone else registered it before you, you
cannot sign up with it), but it is not secret.

• A password is a string of characters that supposedly only
you, as the user of a particular account, know. Once the
system verifies that the username you provide is valid and
the password you provide is associated with that username,
then you are given the rights that only you should have as
the owner of the account.



Preventing Unauthorized Access
• Password Guidelines
• Create a password that is easy for you to remember but
difficult for other people to guess
• Don’t use a simple password, especially one that relates to
you personally, like your dog’s name
• Don’t write down a password anywhere that other people
can access
• Use a combination of characters in the password, including
both upper and lowercase letters, digits, and special
characters



Preventing Unauthorized Access
• Password Guidelines
• Don’t stay logged into an account and then walk away from
your computer
• Don’t ever tell anyone your password. There should never
be a valid reason for you to do so
• Don’t send your password in an email. Most email is sent “in
the clear” with no encryption and could be easily
intercepted.
• Don’t use the same password for all of your online accounts.
If one is compromised, then they all could be.



Preventing Unauthorized Access
• Password Criteria
• The password must be six (6) characters or longer
• It must contain at least one uppercase and one lowercase
letter
• It must contain at least one digit
• It must contain at least one special character, such as ! or %.



Preventing Unauthorized Access
• Password Management
• Replace the letter l with 1.
• Put the second word in all caps.
• Separate words with a % character.

• Use software that keeps track of your passwords and stores
them encrypted. Exp: 1Password / RoboForm. Browser plug-ins
are available.
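Added example (not from the slides): a small Python script that applies the three password-management rules above to a list of memorable words and then checks the result against the Password Criteria slide (at least six characters, an uppercase and a lowercase letter, a digit, a special character). The sample words are constructed for the example.

```python
import string

# Criteria from the slide: at least 6 characters, an uppercase letter,
# a lowercase letter, a digit, and a special character such as ! or %.
MIN_LENGTH = 6
SPECIAL = set(string.punctuation)


def unmet_criteria(password: str) -> list:
    """Return the list of slide criteria the password fails (empty = passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(ch.isupper() for ch in password):
        failures.append("no uppercase letter")
    if not any(ch.islower() for ch in password):
        failures.append("no lowercase letter")
    if not any(ch.isdigit() for ch in password):
        failures.append("no digit")
    if not any(ch in SPECIAL for ch in password):
        failures.append("no special character")
    return failures


def build_password(words: list) -> str:
    """Apply the slide's three rules to a list of memorable words:
    replace every letter l with 1, put the second word in all caps,
    and join the words with %."""
    if len(words) < 2:
        raise ValueError("need at least two words so that a second word exists")
    parts = [w.replace("l", "1") for w in words]
    parts[1] = parts[1].upper()
    return "%".join(parts)


if __name__ == "__main__":
    pw = build_password(["sunlight", "barn", "lake"])  # constructed sample words
    print(pw, unmet_criteria(pw))                      # passes every criterion
    print("password", unmet_criteria("password"))      # fails three of them
```

The fixed substitutions (l to 1, a % separator) are themselves predictable, so the length and unpredictability of the words carry most of the strength; the checker only confirms the slide's minimum rules.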



CAPTCHA
• Another alternative for multiple levels of
authorization.
• Used to ensure that the information provided
through a web form has been filled in by a person as
opposed to a computer program.
• Stands for Completely Automated Public Turing test
to tell Computers and Humans Apart.



CAPTCHA
• Plug-ins can be obtained from various sites.
• Presents words that an optical character reader had
difficulty deciphering.
• When the user types in the words, that information is
also passed along to the company.



Fingerprint Analysis
• Authentication can rely not only on information the user
provides, but also on inherent characteristics of the user
himself / herself.

• Requires the use of a scanner to read the fingerprint, as
well as software to compare it to the fingerprint of the
authorized user stored in the computer.



Malicious Code
• It is a computer program that tries to bypass appropriate
authorization safeguards and to perform unauthorized
functions.

• It may cause destruction of data or create a nuisance by
popping up unwanted messages.

• Different categories: Virus, Worm, Trojan Horse, Logic Bomb.


Malicious Code
• Virus
• It is a program that embeds a copy of itself in another
program (the host).
• Causes problems on a particular computer by corrupting or
deleting files.

• Worm
• It is a malicious standalone program that often targets
network resources.
• Causes problems on the networks it uses to send copies of
itself to other systems.


Malicious Code
• Trojan Horse
• It is a standalone program that causes problems on the
computer on which it is executing.
• It is a program that appears to be helpful in some way, but
actually causes some kind of problem when executed.

• Logic Bomb
• It is a program that executes when a specific
system-oriented event occurs.



Antivirus Software
• It is software designed to detect, remove, and prevent
malicious software.
• Exp: Norton, McAfee, Symantec, AVG, etc.
• Works using signature detection, which only works once a
known malware program has been identified and analyzed.
• When you scan your hard drive or try to install a new piece
of software, the antivirus software attempts to find those
patterns.



Antivirus Software
• Enhanced versions use a heuristic approach to identify
potentially malicious code.

• Some malware can mutate, so the heuristic approach looks
for more general patterns than the strict signature
detection approach, to find malware of the same family.
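Added example (not from the slides): a toy Python scanner that contrasts the two approaches on the previous two slides. Signature detection knows one analysed sample exactly (a whole-file hash and a byte pattern lifted from it); the heuristic describes the family with a looser pattern. All file contents, the "BadApple" family name and its marker strings are constructed for the example and stand for nothing real.

```python
import hashlib
import re

# Constructed sample "files": the markers are made-up strings, not real malware.
FILES = {
    "report.txt":   b"Quarterly report: revenue up 4%.",
    "setup.exe":    b"MZ\x90\x00 ... BADAPPLE/1.0 payload-marker ...",
    "setup_v2.exe": b"MZ\x90\x00 ... BADAPPLE/1.1 payload-marker ...",      # mutated version
    "setup_sp.exe": b"MZ\x90\x00 ... B-A-D-A-P-P-L-E/2.0 payload-marker ...",  # obfuscated variant
}

# Signature detection: exact knowledge of one analysed sample, as a whole-file
# hash and as a byte pattern taken from it. Both cover only that exact sample.
HASH_SIGNATURES = {
    hashlib.sha256(FILES["setup.exe"]).hexdigest(): "BadApple.A (hash)",
}
BYTE_SIGNATURES = {
    b"BADAPPLE/1.0": "BadApple.A (pattern)",
}

# Heuristic detection: a more general pattern describing the family rather
# than one sample: any version number, optional separators between letters.
HEURISTICS = {
    re.compile(rb"B-?A-?D-?A-?P-?P-?L-?E/\d+\.\d+"): "BadApple family (heuristic)",
}


def scan(data: bytes) -> tuple:
    """Return (method, name) for the first match, or ("clean", None)."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        return "signature", HASH_SIGNATURES[digest]
    for pattern, name in BYTE_SIGNATURES.items():
        if pattern in data:
            return "signature", name
    for regex, name in HEURISTICS.items():
        if regex.search(data):
            return "heuristic", name
    return "clean", None


def scan_all(files: dict) -> dict:
    """Scan every file; only the original sample hits a strict signature."""
    return {name: scan(data) for name, data in files.items()}


if __name__ == "__main__":
    for name, verdict in scan_all(FILES).items():
        print(f"{name:14} {verdict}")
```

Changing a single byte of the sample defeats both the hash and the exact byte pattern, which is why a mutated variant is caught only by the family heuristic; the trade-off is that looser patterns also raise the risk of false positives on harmless files.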



Security Attacks
• Password Guessing
• It is an attempt to gain access to a computer system by
methodically trying to determine a user’s password.

• A computer program can try thousands of potential
passwords each second in a brute-force fashion. To counter
this, some authentication systems allow a user to try to
enter a password only a few times without success, and
then terminate the session.
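Added example (not from the slides): a minimal Python authenticator implementing the countermeasure on this slide, a per-session limit on failed attempts after which the session is terminated. It also stores passwords as salted PBKDF2 hashes, so each guess costs the guesser a fixed amount of computation; the attempt limit (3), the username and the password are constructed values.

```python
import hashlib
import hmac
import os


class Authenticator:
    """Username/password check with a per-session attempt limit."""

    MAX_ATTEMPTS = 3      # failed tries allowed before the session ends
    ITERATIONS = 50_000   # PBKDF2 work factor: slows down each guess

    def __init__(self):
        self._users = {}        # username -> (salt, password hash)
        self._failures = {}     # username -> failed attempts this session
        self._terminated = set()

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)   # per-user salt: equal passwords hash differently
        self._users[username] = (salt, self._hash(password, salt))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied', or 'terminated' (too many failures)."""
        if username in self._terminated:
            return "terminated"
        record = self._users.get(username)
        if record is not None:
            salt, stored = record
            if hmac.compare_digest(stored, self._hash(password, salt)):
                self._failures[username] = 0
                return "ok"
        # Wrong password or unknown user: count it, end the session at the limit.
        self._failures[username] = self._failures.get(username, 0) + 1
        if self._failures[username] >= self.MAX_ATTEMPTS:
            self._terminated.add(username)
            return "terminated"
        return "denied"

    def reset(self, username: str) -> None:
        """Administrative unlock, e.g. after identity is confirmed another way."""
        self._terminated.discard(username)
        self._failures[username] = 0


def lockout_demo() -> list:
    """Three wrong guesses end the session; the right password no longer helps."""
    auth = Authenticator()
    auth.register("talgat", "sun1ight%BARN%1ake")   # constructed credentials
    results = [auth.login("talgat", guess) for guess in ("guess1", "guess2", "guess3")]
    results.append(auth.login("talgat", "sun1ight%BARN%1ake"))
    return results   # ['denied', 'denied', 'terminated', 'terminated']


if __name__ == "__main__":
    print(lockout_demo())
```

A limit like this stops online guessing against one account, but it also lets anyone lock a user out with a few deliberate failures, so real systems combine it with delays, per-source throttling and an unlock path rather than a bare counter.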



Security Attacks
• Phishing
• It uses a web page that looks like an official part of some
trusted environment, but is actually a page designed to
collect key information such as usernames and passwords.

• Exp: You receive an email from a bank / Lazada that presents
a link for you to follow. The resulting web page asks you
to log in using your account. The page simply transmits
that information to a malicious user, who will use it to
gain inappropriate access to your account.



Security Attacks
• Spoofing
• It is an attack on a computer system in which a malicious
user masquerades as an authorized user.

• Both password guessing and phishing are ways for a hacker
to spoof a computer system.



Security Attacks
• Backdoor
• It is a program feature that gives special and unauthorized
access to a software system to anyone who knows it exists.

• A programmer explicitly puts a backdoor into a system,
perhaps for testing purposes, to bypass the system’s
security.

• The key to protecting against backdoor attacks is a
high-quality development process, in which careful code
reviews by multiple participants minimize such abuses.



Security Attacks
• Buffer Overflow
• It is a defect in a computer program that could cause a
system to crash and leave the user with heightened
privileges.

• If a program tries to store more information than a buffer
can accommodate, a system crash could occur.



Security Attacks
• Denial of Service
• It is an attack on a network resource that prevents
authorized users from accessing the system.

• It floods a website or other network resources.

• It can even cause the system itself to crash due to the
sheer volume of requests for its attention.



Security Attacks
• Man in the middle
• It is a security attack in which network communication
is intercepted in an attempt to obtain key data.

• Someone has access to the communication path at some
point in the network and “listens”, usually with the help
of a program, to the traffic as it goes by.

• Encryption methods can guard against these problems.



Cryptography
• It is the field of study related to encoded information.

• It helps people keep secrets from falling into the wrong
hands.

• Encryption
• It is the process of converting ordinary text, referred to as
“plaintext” in cryptography terminology, into an unreadable
form called “ciphertext”.



Cryptography
• Decryption
• Reverse the process of encryption, translating ciphertext to
plaintext.

• Cipher
• It is an algorithm used to encrypt and decrypt text.



Cryptography
• Substitution Cipher
• It is a cipher that substitutes one character with another.
• Exp of plaintext: MEET ME AT THE OLD BARN
• Exp of ciphertext: RJJY RJ FY YMJ TQI GFWS

• Caesar Cipher
• It is a substitution cipher that shifts characters a certain
number of positions in the alphabet.



Cryptography
• Transposition Ciphers
• It is a cipher that rearranges the order of the characters
in a message.

• A famous one is the route cipher.



Cryptography
• Route Ciphers
• It lays out the message as a grid of characters and specifies
a route through the grid to encrypt the information.

• Exp: plaintext: MEET ME AT THE OLD BARN

• Exp: grid and ciphertext: (figure not included in this text)



Cryptography
• Route Ciphers
• You could encrypt the message by spiraling inward from the
top right of the grid, moving clockwise, yielding:

ARNBOTEEEMTAHLDETM

• After being delivered, the message would be decrypted by
recreating the grid and reading the letters down the
columns.



Cryptography
• Route Ciphers
• The key in this cipher is composed of the dimensions of the
grid and the route used to encrypt the data.

• When making the grid, extra characters can be used as
placeholders if the number of characters does not work out
perfectly for a particular grid dimension.
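Added example (not from the slides): a Python route cipher that reproduces the ciphertext on the previous slides. The slide ciphertext ARNBOTEEEMTAHLDETM has 18 letters and contains the letters of THE, so it is the message MEET ME AT THE OLD BARN written down the columns of a 3-row by 6-column grid and read by spiraling inward from the top right, clockwise; those dimensions are inferred here from the ciphertext, since the grid figure is missing from the text. The padding character X and the second test message are constructed.

```python
PAD = "X"   # placeholder for grid cells the message does not fill


def spiral_route(rows: int, cols: int) -> list:
    """Cells visited when spiraling inward from the top-right corner,
    clockwise: down the right edge, left along the bottom, up the left
    edge, right along the top, then the same inside the remaining box."""
    top, bottom, left, right = 0, rows - 1, 0, cols - 1
    route = []
    while top <= bottom and left <= right:
        route += [(r, right) for r in range(top, bottom + 1)]
        route += [(bottom, c) for c in range(right - 1, left - 1, -1)]
        if top < bottom and left < right:   # avoid re-visiting a single row/column
            route += [(r, left) for r in range(bottom - 1, top - 1, -1)]
            route += [(top, c) for c in range(left + 1, right)]
        top, bottom, left, right = top + 1, bottom - 1, left + 1, right - 1
    return route


def fill_grid(text: str, rows: int, cols: int) -> list:
    """Write the letters down the columns, padding if the grid is not full."""
    letters = "".join(ch for ch in text.upper() if ch.isalpha())
    if len(letters) > rows * cols:
        raise ValueError("message does not fit the grid")
    letters = letters.ljust(rows * cols, PAD)
    return [[letters[c * rows + r] for c in range(cols)] for r in range(rows)]


def route_encrypt(text: str, rows: int, cols: int) -> str:
    """The key is (rows, cols) plus the route: here the clockwise spiral."""
    grid = fill_grid(text, rows, cols)
    return "".join(grid[r][c] for r, c in spiral_route(rows, cols))


def route_decrypt(ciphertext: str, rows: int, cols: int) -> str:
    """Undo the route: put each letter back in its cell, then read the columns."""
    if len(ciphertext) != rows * cols:
        raise ValueError("ciphertext length must equal rows * cols")
    grid = [[None] * cols for _ in range(rows)]
    for ch, (r, c) in zip(ciphertext, spiral_route(rows, cols)):
        grid[r][c] = ch
    columns = "".join(grid[r][c] for c in range(cols) for r in range(rows))
    return columns.rstrip(PAD)   # drop placeholders (a real message ending in X would lose it)


if __name__ == "__main__":
    ct = route_encrypt("MEET ME AT THE OLD BARN", 3, 6)
    print(ct, route_decrypt(ct, 3, 6))   # ARNBOTEEEMTAHLDETM MEETMEATTHEOLDBARN
```

The same letters read along a different route, or in a grid of different dimensions, give a different ciphertext, which is why the slide counts both as the key; the decryption only works when the receiver recreates exactly the same grid.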



Cryptography
• Cryptanalysis
• It is the process of decrypting a message without knowing
the cipher or key used to encrypt it.

• Older approaches to cryptography, such as transposition
and substitution ciphers, do not pose much of a challenge
for modern computers.

• Programs have been written that can fairly easily determine
which of these types of encryption methods was used and
produce the corresponding plaintext messages.
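Added example (not from the slides) covering both the Substitution / Caesar Cipher slide and this Cryptanalysis slide: a Python substitution cipher with the Caesar shift as a special case, plus a cryptanalysis routine that recovers the shift with no key, by trying all 26 shifts and keeping the candidate whose letters look most like English. The slide's example (MEET ME AT THE OLD BARN to RJJY RJ FY YMJ TQI GFWS) is a Caesar shift of 5, and the routine recovers it. The English letter-frequency table is an approximate, constructed one.

```python
import math
import string

ALPHABET = string.ascii_uppercase


def caesar_mapping(shift: int) -> dict:
    """Substitution table for a Caesar cipher: each letter moves `shift` places."""
    return {ch: ALPHABET[(i + shift) % 26] for i, ch in enumerate(ALPHABET)}


def substitute(text: str, mapping: dict) -> str:
    """General substitution cipher: replace each letter via the table and
    leave spaces and other characters unchanged."""
    return "".join(mapping.get(ch, ch) for ch in text.upper())


def caesar_encrypt(text: str, shift: int) -> str:
    return substitute(text, caesar_mapping(shift))


def caesar_decrypt(text: str, shift: int) -> str:
    return substitute(text, caesar_mapping(-shift))


# Approximate English letter frequencies in percent (constructed table).
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0,
    "H": 6.1, "I": 7.0, "J": 0.15, "K": 0.8, "L": 4.0, "M": 2.4, "N": 6.7,
    "O": 7.5, "P": 1.9, "Q": 0.1, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8,
    "V": 1.0, "W": 2.4, "X": 0.15, "Y": 2.0, "Z": 0.07,
}


def english_score(text: str) -> float:
    """Log-likelihood of the letters under English frequencies; higher is
    more English-like. Rare letters such as J, Q, X, Z pull a candidate down."""
    return sum(math.log(ENGLISH_FREQ[ch] / 100) for ch in text if ch in ENGLISH_FREQ)


def crack_caesar(ciphertext: str) -> tuple:
    """Cryptanalysis without the key: only 26 shifts exist, so try them all
    and return (shift, plaintext) for the most English-looking result."""
    candidates = ((s, caesar_decrypt(ciphertext, s)) for s in range(26))
    return max(candidates, key=lambda pair: english_score(pair[1]))


if __name__ == "__main__":
    ct = caesar_encrypt("MEET ME AT THE OLD BARN", 5)
    print(ct)                 # RJJY RJ FY YMJ TQI GFWS
    print(crack_caesar(ct))   # (5, 'MEET ME AT THE OLD BARN')
```

The key space of a Caesar cipher is 26, which is why exhaustive search plus a frequency score settles it instantly; a general substitution cipher has 26! keys, but the same letter-frequency idea still breaks it once the ciphertext is a few sentences long.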



Cryptography
• Public Key Cryptography
• It is an approach in which each user has two related keys,
one public and one private.

• The relationship is so complex that a message encrypted
with one key can be decrypted only with the corresponding
partner key.

• One is designated as the public key, which can be freely
distributed, and the other is the private key.



Cryptography
• Public Key Cryptography Example:
• Talgat and Carrick want to communicate securely with each
other.
• To send a message to Carrick, Talgat first obtains Carrick’s
public key, which Carrick makes readily available, and uses
it to encrypt his message.
• Now no one, not even Talgat, can decrypt the message except
Carrick.
• Talgat then sends the message safely to Carrick, who decrypts
it with his private key.
• As long as both Talgat and Carrick keep their private keys to
themselves, it does not matter who has their public keys.


Cryptography
• Digital Signatures
• They offer a way to sign a document by appending extra data
to the message that is both unique to the sender and very
difficult to forge.

• They allow the recipient to verify that the message truly
originates from the stated sender and has not been altered
by a third party during transmission (similar in concept to
a protocol).



Cryptography
• Digital Signatures
• The signature is created using software that compresses
the message into a form called a “message digest”, and then
encrypts the message digest with the sender’s private key.

• The receiver uses the sender’s public key to decrypt the
message digest and then compares it to the digest created
from the message itself.

• If they match, the message is probably genuine and
unaltered.



Cryptography
• Digital Certificate
• How can a receiver be sure that a public key is authentic?

• Organizations handle this risk by creating a certificate
authority, which creates a digital certificate for each
trusted sender.



Cryptography
• Digital Certificate
• The certificate is made using the sender’s personal data and
authenticated public key.

• When a new message arrives, it is verified using that digital
certificate.

• If the message comes from someone for whom you don’t have
a digital certificate, you then have to decide whether to
trust the message.
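Added example (not from the slides) that walks through the Public Key Cryptography, Digital Signatures and Digital Certificate slides in one Python script using textbook RSA: Talgat encrypts a message with Carrick's public key and only Carrick's private key decrypts it; a signature is the SHA-256 message digest transformed with the sender's private key and checked with the public key; a certificate is the sender's name and public key signed by a certificate authority, which the receiver checks before trusting the key. The key construction (fixed Mersenne primes, no padding), the CA, the message and all names are constructed for illustration; the mechanism is shown, not a production scheme.

```python
from __future__ import annotations
import hashlib


class KeyPair:
    """Textbook RSA pair built from the primes 2**k1-1 and 2**k2-1 (a constructed
    shortcut; real keys use random, much larger primes and a padding scheme)."""

    def __init__(self, k1: int, k2: int, e: int = 65537):
        p, q = (1 << k1) - 1, (1 << k2) - 1
        self.n, self.e = p * q, e
        self._d = pow(e, -1, (p - 1) * (q - 1))   # private exponent, kept secret

    @property
    def public(self) -> tuple:                    # (n, e): safe to hand out
        return (self.n, self.e)

    def private_op(self, x: int) -> int:          # only the key's owner can do this
        return pow(x, self._d, self.n)


def public_op(x: int, pub: tuple) -> int:         # anyone holding (n, e) can do this
    n, e = pub
    return pow(x, e, n)


# --- Public-key encryption: encrypt with the partner's public key ---
CHUNK = 8   # 8 data bytes + 1 marker byte = 72 bits, below every modulus used here


def encrypt(plaintext: bytes, pub: tuple) -> list:
    blocks = []
    for i in range(0, len(plaintext), CHUNK):
        # A leading 0x01 marker preserves leading zero bytes and the chunk length.
        blocks.append(public_op(int.from_bytes(b"\x01" + plaintext[i:i + CHUNK], "big"), pub))
    return blocks


def decrypt(blocks: list, key: KeyPair) -> bytes:
    out = b""
    for c in blocks:
        m = key.private_op(c)
        out += m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]   # drop the marker
    return out


# --- Digital signature: digest the message, then apply the private key ---
def digest(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, key: KeyPair) -> int:
    return key.private_op(digest(message, key.n))


def verify(message: bytes, signature: int, pub: tuple) -> bool:
    # Recover the digest with the public key; compare with a fresh digest.
    return public_op(signature, pub) == digest(message, pub[0])


# --- Digital certificate: a certificate authority signs name + public key ---
def cert_body(subject: str, pub: tuple) -> bytes:
    return f"{subject}|{pub[0]}|{pub[1]}".encode()


def issue_certificate(subject: str, pub: tuple, ca: KeyPair) -> dict:
    return {"subject": subject, "pub": pub, "ca_sig": sign(cert_body(subject, pub), ca)}


def certificate_is_valid(cert: dict, ca_pub: tuple) -> bool:
    return verify(cert_body(cert["subject"], cert["pub"]), cert["ca_sig"], ca_pub)


def accept(message: bytes, signature: int, cert: dict, ca_pub: tuple) -> bool:
    """Receiver's check: trust the sender's key only via the CA's certificate."""
    return certificate_is_valid(cert, ca_pub) and verify(message, signature, cert["pub"])


def pki_demo() -> dict:
    talgat, carrick, ca = KeyPair(31, 61), KeyPair(89, 107), KeyPair(127, 521)
    secret = b"MEET ME AT THE OLD BARN"
    blocks = encrypt(secret, carrick.public)          # Talgat uses Carrick's public key
    cert = issue_certificate("Talgat", talgat.public, ca)
    sig = sign(secret, talgat)
    # An impostor swaps their own key into Talgat's certificate: the CA signature no longer fits.
    impostor_cert = dict(cert, pub=carrick.public)
    return {
        "decrypted": decrypt(blocks, carrick),       # only Carrick's private key works
        "wrong_key_works": decrypt(blocks, talgat) == secret,
        "genuine": accept(secret, sig, cert, ca.public),
        "altered": accept(secret + b"!", sig, cert, ca.public),
        "impostor": accept(secret, sign(secret, carrick), impostor_cert, ca.public),
    }


if __name__ == "__main__":
    print(pki_demo())
```

Every check in the receiver's path reduces to one public-key operation on data the receiver already holds: the message, the claimed signature, and the CA's public key, which is the single key that must be obtained through a trusted channel beforehand.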
