Computer Security

(week - 1)
(CoSc4171 – 3CrHr/5ECTS)

Semester I – 2015 E.C

Shegaw M. (ethioprogramming1@gmail.com)
 Computer Security

“The
most secure
computers are those
not connected
to the Internet and
shielded
from any interference”
 Computer Security
Computer
Computer security
security isis about
about
provisions
provisions and
and policies
policies adopted
adopted to to protect
protect
information
information andand property
property from
from theft,theft,
corruption,
corruption, oror natural
natural disaster
disaster while
while
allowing
allowing the
the information
information and
and property
property to to
remain
remain accessible
accessible and
and productive
productive to to its
its
intended
intended users.
users.
Computer
Computer security
security isis the
the protection
protection afforded
afforded to
to an
an automated
automated
information
information system
system inin order
order to
to attain
attain the
the applicable
applicable objectives
objectives of
of
preserving
preservingthe
theintegrity,
integrity,availability,
availability,and
andconfidentiality
confidentialityof
ofinformation
information
system
system resources
resources (includes
(includes hardware,
hardware, software,
software, firmware,
firmware,
information/data,
information/data,and
andtelecommunications).
telecommunications).
 Computer Security
Network
Network security
security deals
deals with
with provisions
provisions and
and policies
policies
adopted
adopted to
to prevent
prevent and
and monitor
monitor unauthorized
unauthorized access,
access,
misuse,
misuse, modification,
modification, or
or denial
denial of
of the
the computer
computer network
network
and
andnetwork
networkaccessible
accessibleresources.
resources.

Internet
Internet
Computer Security/Goals
Security Goals

Confidentiality

Integrity
Availaibility
 Computer Security/ Goals
Confidentiality:
Confidentiality: Preserving
Preserving authorized
authorized restrictions
restrictions on on
information
information access
access and and disclosure,
disclosure, including
including means
means forfor
protecting
protecting personal
personal privacy
privacy and
and proprietary
proprietary information.
information. AA loss
loss
of
ofconfidentiality
confidentialityisisthe
theunauthorized
unauthorizeddisclosure
disclosureofofinformation.
information.
Integrity:
Integrity: Guarding
Guarding against
against improper
improper information
information modification
modification
or
or destruction,
destruction, including
including ensuring
ensuring information
information nonrepudiation
nonrepudiation
and
andauthenticity.
authenticity.
AAloss
lossof
ofintegrity
integrityisisthe
theunauthorized
unauthorizedmodification
modificationor
ordestruction
destruction
of
ofinformation
information
Availability:
Availability: Ensuring
Ensuring timely
timely and
and reliable
reliable access
access to
to and
and use
use of
of
information.
information.
AA loss
loss of
of availability
availability isis the
the disruption
disruption of
of access
access to
to or
or use
use of
of
information
informationor oran
aninformation
informationsystem.
system.
 Computer Security/ Overview
Security:
Security: The
The prevention
prevention and
and protection
protection of
of an
an assets
assets from
from
unauthorized
unauthorized access,
access, use,
use, alteration,
alteration, degradation,
degradation, destruction,
destruction,
and
andother
otherthreats.
threats.
Privacy:
Privacy: TheThe right
right of
of the
the individual
individual to to bebe protected
protected against
against
intrusion
intrusion into
into his
his personal
personal life
life or
or affairs,
affairs, or
or those
those of
of his
his family,
family,
by
bydirect
directphysical
physicalmeans
meansor orby
bypublication
publicationof ofinformation.
information.
Security/Privacy
Security/Privacy Threat:
Threat: Any
Any person,
person, act,
act, or
or object
object that
that poses
poses aa
danger
danger to
to computer
computer security/privacy.
security/privacy. Threat
Threat isis aa possible
possible danger
danger
that
thatmight
mightexploit
exploitaavulnerability.
vulnerability.
Attack
Attack isis an
an assault
assault on
on system
system security
security that
that derives
derives fromfrom anan
intelligent
intelligent threat;
threat; that
that is,
is, an
an intelligent
intelligent act
act that
that isis aa deliberate
deliberate
attempt
attempt (especially
(especially in in the
the sense
sense of
of aa method
method or or technique)
technique) toto
evade
evade security
security services
services andand violate
violate the
the security
security policy
policy of
of aa
system.
 Computer Security/ Overview
Countermeasure
Countermeasure isis an an action,
action, device,
device, procedure,
procedure, or or technique
technique
that
that reduces
reduces aa threat,
threat, aa vulnerability,
vulnerability, oror an
an attack
attack by
by eliminating
eliminating
or
or preventing
preventing it,it, by
by minimizing
minimizing the the harm
harm itit can
can cause,
cause, oror by
by
discovering
discovering andand reporting
reporting itit soso that
that corrective
corrective action
action can
can be
be
taken.
taken.
Risk
Risk AnAn expectation
expectation of of loss
loss expressed
expressed as as the
the probability
probability that
that aa
particular
particular threat
threat will
will exploit
exploit aa particular
particular vulnerability
vulnerability with
with aa
particular
particularharmful
harmfulresult.
result.
Security
Security Policy
Policy isis aa set
set of
of rules
rules and
and practices
practices that
that specify
specify or
or
regulate
regulatehow
howaasystem
systemor ororganization
organizationprovides
providessecurity
securityservices
services
to
toprotect
protectsensitive
sensitiveand
andcritical
criticalsystem
systemresources.
resources.
Vulnerability
Vulnerability -- AA flaw
flaw oror weakness
weakness inin aa system’s
system’s design,
design,
implementation,
implementation, oror operation
operation and
and management
management that that could
could be
be
exploited
exploitedto
toviolate
violatethe
thesystem’s
system’ssecurity
securitypolicy.
policy.
 Computer Security and Privacy/ Attacks

Categories
Categoriesof
ofAttacks
Attacks

Interruption:
Interruption: An
An attack
attack on
on availability
availability

Interception:
Interception: An
An attack
attack on
on confidentiality
confidentiality

Modification:
Modification: An
An attack
attack on
on integrity
integrity

Fabrication:
Fabrication: An
An attack
attack on
on authenticity
authenticity
 Computer Security and Privacy/Attacks

Categories
Categoriesof
ofAttacks/Threats
Attacks/Threats(W.
(W.Stallings)
Stallings)
Source

Destination
Normal flow of information
Attack

Interruption Interception

Modification Fabrication
 Computer Security and Privacy/ Vulnerabilities
Types
Typesof
ofVulnerabilities
Vulnerabilities

Physical
Physicalvulnerabilities
vulnerabilities(Ex.
(Ex.Buildings)
Buildings)

Natural
Naturalvulnerabilities
vulnerabilities(Ex.
(Ex.Earthquake)
Earthquake)

Hardware
Hardwareand
andSoftware
Softwarevulnerabilities
vulnerabilities(Ex.
(Ex.Failures)
Failures)

Media
Mediavulnerabilities
vulnerabilities(Ex.
(Ex.Disks
Diskscan
canbe
bestolen)
stolen)

Communication
Communicationvulnerabilities
vulnerabilities(Ex.
(Ex.Wires
Wirescan
canbe
betapped)
tapped)

Human
Humanvulnerabilities
vulnerabilities(Ex.
(Ex.Insiders)
Insiders)
 Computer Security and Privacy/ Countermeasures

Computer
Computer security
security controls
controls

 Authentication
Authentication (Password,
(Password, Cards,
Cards, Biometrics)
Biometrics)

 Encryption
Encryption

 Auditing
Auditing

 Administrative
Administrative procedures
procedures

 Standards
Standards

 Certifications
Certifications

 Physical
Physical Security
Security

 Laws
Laws
Computer Security and Privacy

Physical
Physical Security
Security
Computer Security and Privacy/ Physical Security

Physical
Physical security
security isis the
the use
use of
of physical
physical controls
controls to
to protect
protect
premises,
premises, site,
site, facility,
facility, building
building or
or other
other physical
physical asset
asset of
of an
an
organization
organization[Lawrence
[LawrenceFennelly]
Fennelly]

Physical
Physical security
security protects
protects your
your physical
physical computer facility (your
computer facility (your
building,
building, your
your computer
computer room,
room, your
your computer,
computer, your
your disks
disks
and
andother
othermedia)
media)[Chuck
[ChuckEasttom].
Easttom].
Computer Security and Privacy/ Physical Security

In
In the
the early
early days
days of
of computing
computing physical
physical security was simple
security was simple
because
becausecomputers
computerswere
werebig,
big,standalone,
standalone,expensive
expensivemachines
machines
₯ It
₯ almostimpossible
Itisisalmost impossibleto
tomove
movethem
them(not
(notportable)
portable)
₯ They
₯ They were
were very
very few and itit isis affordable
few and affordable to
to spend
spend on
on
physical
physicalsecurity
securityfor
forthem
them
₯ Management
₯ waswilling
Managementwas willingto
tospend
spendmoney
money
₯ Everybody
₯ Everybody understands
understands and
and accepts
accepts that
that there
there isis
restriction
restriction
 Computer Security and Privacy/ Physical Security

Today
Today
₯ Computers
₯ Computersare
aremore
moreand
andmore portable(PC,
moreportable (PC,laptop,
laptop,PDA,
PDA,
Smartphone)
Smartphone)
₯ There
₯ Thereare
aretoo manyof
toomany ofthem
themto tohave
havegoodgoodphysical
physicalsecurity
security
for
foreach
eachofofthem
them
₯ They
₯ They are
are not
not “too
“too expensive”
expensive” to justify spending
to justify spending more
more
money
moneyon onphysical
physicalsecurity
securityuntiluntilaamajor
majorcrisis
crisisoccurs
occurs
₯ Users
₯ Usersdon’t
don’taccept restrictionseasily
acceptrestrictions easily
₯ Accessories
₯ Accessories(ex.
(ex.Network
Networkcomponents)
components)are not considered
are not considered
as importantfor
asimportant forsecurity
securityuntil
untilthere
thereis
isaaproblem
problem
₯ Access
₯ Access toto aa single
single computer
computer may may endanger many more
endanger many more
computersconnected
computers connectedthrough
throughaanetwork
network
 Computer Security and Privacy/ Physical Security

Threats and vulnerabilities

Natural
NaturalDisasters
Disasters

Fire
Fireand
andsmoke
smoke

Fire
Firecan
canoccur
occuranywhere
anywhere

Solution – Minimize risk
Solution – Minimize risk
Good
Goodpolicies:
policies:NO SMOKING, ,etc..
NOSMOKING etc..
Fire
Fireextinguisher,
extinguisher,good
goodprocedure
procedureandandtraining
training
Fireproof
Fireproofcases
cases(and
(andother
othertechniques)
techniques)for
forbackup
backuptapes
tapes
Fireproof
Fireproofdoors
doors

Climate
Climate

Heat
Heat

Direct
Directsun
sun

Humidity
Humidity
 Computer Security and Privacy/ Physical Security
Threats and vulnerabilities …
Natural
NaturalDisasters
Disasters…
…

Hurricane,
Hurricane,storm,
storm,cyclone
cyclone

Earthquakes
Earthquakes

Water
Water

Flooding
Floodingcan
canoccur
occureven
evenwhen
whenaawater
watertab
tabisisnot
notproperly
properlyclosed
closed

Electric
Electricsupply
supply

Voltage
Voltagefluctuation
fluctuation
Solution:
Solution:Voltage
Voltageregulator
regulator

Lightning
Lightning

Solution
Solution

 Avoid
Avoidhaving
havingservers
serversin
inareas
areasoften
oftenhit
hitby
byNatural
NaturalDisasters!
Disasters!
 Computer Security and Privacy/ Physical Security

Threats and vulnerabilities …

People
People

Intruders
Intruders

Thieves
Thieves

People who
People who have
have been
been given
given access
access unintentionally
unintentionally by
by the
the
insiders
insiders

Employees,
Employees,contractors,
contractors,etc.
etc.who
whohave
haveaccess
accessto
tothe
thefacilities
facilities

 External
Externalthieves
thieves

Portable computing
Portable computing devices
devices can
can be
be stolen
stolen outside
outside the
the
organization’s
organization’spremises
premises
Loss
Loss of
of aa computing
computing device
device

Mainly
Mainlylaptop
laptop
 Computer Security and Privacy/ Physical Security

Safe area
Safe
Safe area
area often
often isis aa locked
locked place
place where
where only
only
authorized
authorized personnel
personnel can
can have
have access
access using
using
Surveillance/guards,
Surveillance/guards, video-surveillance,
video-surveillance, automatic-doors
automatic-doors
with
withsecurity
securitycode
codelocks,
locks,alarms,
alarms,etc.
etc.

Organizations
Organizations usually
usually have
have safe
safe area
area for
for keeping
keeping
computers
computers and
and related
related devices
devices
Computer Security and Privacy/ Attacks & Threats

Computer
Computer Security
Security -- Attacks
Attacks and
and
Threats
Threats
 Computer security/ Attacks & Threats

A
A computer
computer security
security threat
threat isis any
any person,
person, act,
act, or
or
object
object that
that poses
poses aa danger
danger to
to computer
computer security
security

Computer
Computer world
world isis full
full of
of threats!
threats!
And
And so
so isis the
the real
real world!
world!

Thieves,
Thieves, pick-pockets,
pick-pockets, burglars,
burglars, murderers,
murderers,
drunk
drunk drivers,
drivers, …
…
Computer security/ Attacks & Threats
What
Whatdo
doyou
youdo
doin
inreal
reallife?
life?

You
Youlearn
learnabout
aboutthe
thethreats
threats

What
Whatare
arethe
thethreats
threats

How
Howcan
canthese
thesethreats
threatsaffect
affectyou
you
You
You
 need
need
What
to
isto do
thedo exactly
riskexactly
for you
the
the
to be
same
same thing
attackedthing
by
with
with
these
computers!
computers!
threats
What is the risk for you to be attacked by these threats

How
Howyou
youcan
canprotect
protectyourself
yourselffrom
fromthese
theserisks
risks

How
Howmuch
muchdoes
doesthe
theprotection
protectioncost
cost

What
Whatyou
youcan
cando
doto
tolimit
limitthe
thedamage
damagein
incase
caseyou
youare
areattacked
attacked

How
Howyou
youcan
canrecover
recoverin
incase
caseyou
youare
areattacked
attacked

Then,
Then, you
you protect
protect yourself
yourself in
in order
order to
to limit
limit the
the risk
risk but
but to
to
continue
continueto
tolive
liveyour
yourlife
life
Computer security/ Types of Attacks & Threats

Hacking
HackingAttack:
Attack:

Any
Anyattempt
attemptto
togain
gainunauthorized
unauthorizedaccess
accessto
toyour
yoursystem
system..
Denial
Denialof
ofService
Service(DoS)
(DoS)Attack
Attack

Blocking
Blockingaccess
accessfrom
fromlegitimate
legitimateusers
users

Physical
PhysicalAttack:
Attack:

Stealing,
Stealing,breaking
breakingor
ordamaging
damagingof
ofcomputing
computingdevices
devices

Malware
Malware Attack:
Attack:

AAgeneric
genericterm
termfor
forsoftware
softwarethat
thathas
hasmalicious
maliciouspurpose
purpose

Examples:
Examples:Viruses,
Viruses,Trojan
Trojanhorses,
horses,Spy-wares,
Spy-wares,worm
worm
New
Newones:
ones:Spam/scam,
Spam/scam,identity
identitytheft,
theft,e-payment
e-paymentfrauds,
frauds,etc.
etc.
Computer security/ Types of Attacks & Threats
Viruses
Viruses

“A
“A small
small program
program that
that replicates
replicates and
and hides
hides itself
itself inside
inside other
other
programs
programsusually
usuallywithout
withoutyour
yourknowledge.”
knowledge.”Symantec
Symantec

Similar
Similarto
tobiological
biologicalvirus:
virus:Replicates
Replicatesand
andSpreads
Spreads
Worms
Worms

An
Anindependent
independentprogram
programthat
thatreproduces
reproducesby
bycopying
copyingitself
itselffrom
fromone
one
computer
computerto toanother
another

ItItcan
cando
doas
asmuch
muchharm
harmas asaavirus
virus

ItItoften
oftencreates
createsdenial
denialof
ofservice
service
Trojan
Trojanhorses
horses

Secretly
Secretly downloading
downloading aa virus
virus or
or some
some other
other type
type of
of mal-ware
mal-ware on
on to
to
your
yourcomputers.
computers.
Spy-wares
Spy-wares

“A
“Asoftware
softwarethat
thatliterally
literallyspies
spieson
onwhat
whatyou
youdo
doon
onyour
yourcomputer.”
computer.”

Example: Simple Cookies and Key Loggers
Example: Simple Cookies and Key Loggers
 Computer security/Threats
Anti-Virus …

Functions
Functions of
of anti-viruses
anti-viruses
₯
₯ Identification
Identification of
of known
known viruses
viruses
₯
₯ Detection
Detection of
of suspected
suspected viruses
viruses
₯
₯ Blocking
Blocking of
of possible
possible viruses
viruses
₯
₯ Disinfection
Disinfection of
of infected
infected objects
objects
₯
₯ Deletion
Deletion and
and overwriting
overwriting of
of infected
infected objects
objects
 Computer Security/ OSI Security Architecture

The
The OSI
OSI Security
Security Architecture
Architecture
1.
1. Security
Security attack:
attack: Any
Any action
action that
that compromises
compromises the
the
security
security of
of information
information owned
owned by
by an
an organization.
organization.
2.
2. Security
Security mechanism:
mechanism: A
A process
process (or
(or aa device
device
incorporating
incorporating such
such aa process)
process) that
that isis designed
designed to
to detect,
detect,
prevent,
prevent, or
or recover
recover from
from aa security
security attack.
attack.
3.
3. Security
Security service:
service: A
A processing
processing or
or communication
communication
service
service that
that enhances
enhances the
the security
security of
of the
the data
data
processing
processing systems
systems and
and the
the information
information transfers
transfers of
of an
an
 OSI Security Architecture/Security attacks

AA useful
useful means
means of
of classifying
classifying security
security attacks
attacks isis in
in terms
terms of
of
passive
passiveattacks
attacksand
and active
activeattacks.
attacks.
AA passive
passive attack
attack attempts
attempts to
to learn
learn or
or make
make use
use of
of
information
information from
from the
the system
system but
but does
does not
not affect
affect system
system
resources.
resources.
®® Two
Two types
types of
of passive
passive attacks
attacks are
are the
the release
release of
of message
message
contents
contentsand
andtraffic
trafficanalysis.
analysis.
1.1. Release
Release of
of message
message contents
contents -- e.g.,
e.g., from
from aa telephone
telephone
conversation,
conversation,e-mail,
e-mail,transferred
transferredfiles,
files,etc.
etc.
2.2. Traffic
Traffic analysis
analysis -- e.g.,
e.g., location
location and
and identity
identity of
of communicating
communicating
hosts, frequency and length of messages, the nature of messages.
 OSI Security Architecture/Security attacks
An
An active
active attack
attack attempts
attempts to
to alter
alter system
system resources
resources or
or affect
affect their
their
operation.
operation.
Active
Active attacks
attacks can
can be
be subdivided
subdivided into
into four
four categories:
categories: masquerade,
masquerade,
replay,
replay,modification
modificationof
ofmessages,
messages,andanddenial
denialofofservice.
service.
©© AA masquerade
masquerade takes
takes place
place when
when one
one entity
entity pretends
pretends to
to be
be aa different
different
entity.
entity.
©© Replay
Replay involves
involves the
the passive
passive capture
capture of
of aa data
data unit
unit and
and its
its subsequent
subsequent
retransmission
retransmissionto
toproduce
produceananunauthorized
unauthorizedeffect.
effect.
©© Modification
Modification of
of messages
messages simply
simply means
means that
that some
some portion
portion of
of aa
legitimate
legitimate message
message isis altered,
altered, or
or that
that messages
messages areare delayed
delayed oror
reordered,
reordered,to
toproduce
produceananunauthorized
unauthorizedeffect.
effect.
©© The
The denial
denial of of service
service prevents
prevents or or inhibits
inhibits the
the normal
normal use
use or
or
management
managementof ofcommunications
communicationsfacilities.
facilities.
 OSI Security Architecture/Security Services
Security
SecurityServices
Servicesdivides
dividesthese
theseservices
servicesinto
intofive
fivecategories
categoriesor
orservices.
services.
 OSI Security Architecture/Security Services

₯
₯ The
Thefunction
functionof
ofthe
the authentication
authenticationservice
serviceisisto
toassure
assurethe
therecipient
recipientthat
that
the
themessage
messageisisfrom
fromthe
thesource
sourcethat
thatititclaims
claimsto
tobe
befrom.
from.
₡₡ the
theservice
serviceassures
assuresthat
thatthe
thetwo
twoentities
entitiesare
areauthentic
authentic
₡₡ service
servicemust
mustassure
assurethat
thatthe
theconnection
connectionisisnot
notinterfered
interfered
This
This authentication
authentication service
service can
can be
be peer
peer entity
entity oror data
data entity
entity
authentication.
authentication.
₯
₯ Access
Access control
control isis the
the ability
ability to
to limit
limit and
and control
control the
the access
access to
to host
host
systems
systemsand
andapplications
applicationsvia viacommunications
communicationslinks.
links.
₯
₯ Confidentiality
Confidentiality isis the
the protection
protection of
of transmitted
transmitted data
data from
from passive
passive
attacks.
attacks.
₯
₯ Integrity
Integritycan
canbe
beconnection-oriented
connection-orientedor
orconnectionless
connectionless
₵₵ AA connection-oriented
connection-oriented integrity
integrity service
service deals
deals with
with aa stream
stream ofof messages
messages
and
and assures
assures that
that messages
messages are are received
received asas sent
sent with
with no
no duplication,
duplication,
 OSI Security Architecture/Security Services

₵₵ AA connectionless
connectionless integrity
integrity service
service deals
deals with
with individual
individual
messages
messages without
without regard
regard to
to any
any larger
larger context
context and
and generally
generally
provides
providesprotection
protectionagainst
againstmessage
messagemodification
modificationonly.
only.
₯
₯Nonrepudiation
Nonrepudiation prevents
prevents either
either sender
sender or
or receiver
receiver from
from denying
denying aa
transmitted
transmittedmessage.
message.
AA Prove
Provethe
thesent
sent&&received
receivedmessage
message BB
₯
₯Availability
Availability to
to be
be the
the property
property of
of aa system
system or
or aa system
system resource
resource
being
being accessible
accessible and
and usable
usable upon
upon demand
demand by
by an
an authorized
authorized
system
systementity.
entity.
₵₵ This
This service
service addresses
addresses the
the security
security concerns
concerns raised
raised by
by
denial-of-service
denial-of-serviceattacks.
attacks.
 OSI Security Architecture/Security Mechanism
₵₵ The
Themechanisms
mechanismsare
aredivided
dividedinto
intospecific
specificand
andpervasive
pervasivesecurity
securitymechanisms:
mechanisms:
 Q&C

What are the challenges of computer security?