(InTc2116 3CrHr)
[Figure: security goals]
Integrity: prevention of unauthorized modification of information
Availability: prevention of unauthorized withholding of information or resource
Computer Security and Privacy
Security
Security in general is about protection of assets. This implies that in order to protect our assets, we must know the assets and their values.
A rough classification of protection measures includes:
• Prevention: to take measures to prevent the damage
• Detection: the when, how and who of the damage
• Reaction: to take measures to recover from the damage
Example of protecting valuable items at home from a burglar:
• Prevention: locks on the door, guards, hidden places, …
• Detection: burglar alarm, guards, CCTV, …
• Reaction: calling the police, replacing the stolen item, …
Example of protecting against a fraudster using our credit card in an Internet purchase:
• Prevention: encrypt when placing the order, perform some check before placing the order, or don't use the credit card number on the Internet.
• Detection: a transaction that you had not authorized appears on your credit card statement.
• Reaction: ask for a new card; recover the cost of the transaction from the insurance, the card issuer or the merchant.
Computer Security and Privacy/ Overview
Definitions
Security: The protection of computer assets from unauthorized access, use, alteration, degradation, destruction, and other threats.
Privacy: The right of the individual to be protected against intrusion into his personal life or affairs, or those of his family, by direct physical means or by publication of information.
Security/Privacy Threat: Any person, act, or object that poses a danger to computer security/privacy.
Computer Security and Privacy/ History
Until the 1960s computer security was limited to physical protection of computers.
In the 60s and 70s
Evolutions
• Computers became interactive
• Multiuser/multiprogramming was invented
• More and more data started to be stored in computer databases
Organizations and individuals started to worry about
• What the other persons using computers are doing to their data
• What is happening to their private data stored in large databases
Computer Security and Privacy/ History
In the 80s and 90s
Evolutions
• Personal computers were popularized
• LANs and the Internet invaded the world
• Applications such as e-commerce, e-government and e-health started to develop
• Viruses became major threats
Organizations and individuals started to worry about
• Who has access to their computers and data
• Whether they can trust a mail, a website, etc.
• Whether their privacy is protected in the connected world
Computer Security and Privacy/ History
Famous security problems
Morris worm – Internet Worm
• On November 2, 1988 a worm attacked an estimated 6,000 computers, roughly a tenth of the 60,000 machines then connected to the Internet, mostly in the USA
• The worm attacks computers and, once it has installed itself, multiplies itself, freezing the computer
• It exploited UNIX security holes in Sendmail and Finger
• A nationwide effort enabled the problem to be solved within 12 hours
• Robert Morris became the first person to be indicted under the Computer Fraud and Abuse Act
• He was sentenced to three years of probation, 400 hours of community service and a fine of $10,050
• He later became a professor at the Massachusetts Institute of Technology (MIT)
Computer Security and Privacy/ History
Famous security problems …
NASA shutdown
• In 1990, an Australian computer science student was charged with shutting down NASA's computer system for 24 hours
Airline computers
• In 1998, a major travel agency discovered that someone had penetrated its ticketing system and printed airline tickets illegally
Bank theft
• In 1984, a bank manager was able to steal $25 million through un-audited computer transactions
Computer Security and Privacy/ History
Famous security problems …
In Ethiopia
• Employees of a company managed to change their salaries by fraudulently modifying the company's database
• In the 1990s, Internet password theft: hundreds of dial-up passwords were stolen and sold to other users; many of the owners lost tens of thousands of Birr each
• A major company suspended the use of a remote login software by technicians who were looking at the computer of the General Manager
In Africa: Côte d'Ivoire
• An employee who had been fired by his company deleted all the data in his company's computer
Computer Security and Privacy/ History
Early Efforts
• 1960s: Marked as the beginning of true computer security
• 1970s: Tiger teams
  – Government- and industry-sponsored crackers who attempted to break down the defenses of computer systems in order to uncover vulnerabilities so that patches could be developed
• 1970s: Research and modeling
  – Identifying security requirements
  – Formulating security policy models
  – Defining guidelines and controls
  – Development of secure systems
Computer Security and Privacy/ Legal Issues
• In the US, legislation was enacted with regard to computer security and privacy starting from the late 1960s.
• The Council of Europe adopted a Convention on Cybercrime in 2001.
• The World Summit on the Information Society considered computer security and privacy as a subject of discussion in 2003 and 2005.
• The Ethiopian Penal Code of 2005 has articles on data and computer related crimes.
Computer Security and Privacy/Attacks
Categories of Attacks
• Interruption: an attack on availability
• Interception: an attack on confidentiality
• Modification: an attack on integrity
• Fabrication: an attack on authenticity
Computer Security and Privacy/Attacks
Categories of Attacks/Threats (W. Stallings)
[Figure: normal flow of information from source to destination, and the four attack patterns: interruption, interception, modification, fabrication]
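As an added example (not part of the original slides), the following Python script plays out the four attack categories above against one message protected with an HMAC. The shared key, the message text, the attacker functions and the WIRETAP list are constructed for this demo. It shows that a MAC lets the destination reject modification and fabrication, but does nothing against interruption or interception: the interceptor still reads the plaintext, which is why confidentiality needs encryption as a separate control.

```python
"""The four attack categories (interruption, interception, modification,
fabrication) acted out on one message protected by an HMAC.
Added example: the key, message and attacker functions are constructed."""
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed demo inputs (assumptions of this example).
KEY = b"shared-secret-between-source-and-destination"
MESSAGE = b"transfer 100 birr to account 42"
WIRETAP = []  # what an interceptor manages to read

Result = Tuple[str, Optional[bytes]]


def protect(key: bytes, message: bytes) -> bytes:
    """Source side: frame = message || '|' || hex(HMAC-SHA256(key, message))."""
    tag = hmac.new(key, message, hashlib.sha256).hexdigest().encode()
    return message + b"|" + tag


def verify(key: bytes, frame: Optional[bytes]) -> Result:
    """Destination side: check the tag before trusting the message."""
    if frame is None:
        return ("interrupted", None)            # nothing arrived: availability lost
    message, sep, tag = frame.rpartition(b"|")
    if not sep:
        return ("rejected", None)               # malformed frame
    expected = hmac.new(key, message, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return ("rejected", None)               # integrity/authenticity check failed
    return ("accepted", message)


# Attacker behaviours, one per Stallings category.
def interrupt(frame: bytes) -> None:
    return None                                 # frame is dropped on the wire


def intercept(frame: bytes) -> bytes:
    WIRETAP.append(frame.rpartition(b"|")[0])   # attacker copies the plaintext
    return frame                                # ...and lets it through unchanged


def modify(frame: bytes) -> bytes:
    message, _, tag = frame.rpartition(b"|")
    return message.replace(b"100", b"900") + b"|" + tag   # old tag kept


def fabricate() -> bytes:
    # Attacker does not hold KEY and has to guess one.
    return protect(b"attacker-guess", b"transfer 500 birr to account 99")


def run_scenarios() -> Dict[str, Result]:
    frame = protect(KEY, MESSAGE)
    return {
        "normal": verify(KEY, frame),
        "interruption": verify(KEY, interrupt(frame)),
        "interception": verify(KEY, intercept(frame)),
        "modification": verify(KEY, modify(frame)),
        "fabrication": verify(KEY, fabricate()),
    }


if __name__ == "__main__":
    for name, (status, msg) in run_scenarios().items():
        print(f"{name:13s} -> {status:12s} {msg!r}")
    print("interceptor read:", WIRETAP)
```

Note that the interception case is "accepted" by the destination: the message is genuine, so the integrity check passes, yet the attacker walked away with its content. That is the gap between integrity/authenticity controls and confidentiality controls.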
Computer Security and Privacy/Vulnerabilities
Types of Vulnerabilities
• Physical vulnerabilities (ex. buildings)
• Natural vulnerabilities (ex. earthquake)
• Hardware and software vulnerabilities (ex. failures)
• Media vulnerabilities (ex. disks can be stolen)
• Communication vulnerabilities (ex. wires can be tapped)
• Human vulnerabilities (ex. insiders)
Computer Security and Privacy/ Countermeasures
Computer security controls
• Authentication (password, cards, biometrics) (what we know, have, are!)
• Encryption
• Auditing
• Administrative procedures
• Standards
• Certifications
• Physical security
• Laws
Computer Security and Privacy/ The Human Factor
The human factor is an important component of computer security.
Some organizations view technical solutions as "their solutions" for computer security. However:
• Technology is fallible (imperfect)
  – Ex. UNIX holes that opened the door for the Morris worm
• The technology may not be appropriate
  – Ex. It is difficult to define all the security requirements and find a solution that satisfies those requirements
• Technical solutions are usually (very) expensive
  – Ex. Antivirus purchased by ETC to protect its Internet services
Given all these, someone, a human, has to implement the solution.
Computer Security and Privacy/ The Human Factor
• Competence of the security staff
  – Ex. Crackers may know more than the security team
• Understanding and support of management
  – Ex. Management does not want to spend money on security
• Staff's discipline to follow procedures
  – Ex. Staff members choose simple passwords
• Staff members may not be trustworthy
  – Ex. Bank theft
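Added example (not from the original slides) for the password control on the Countermeasures slide and for the "staff members choose simple passwords" point above: a small Python registration/login routine that refuses simple passwords, stores only a salted PBKDF2-HMAC-SHA256 hash, and compares in constant time. The in-memory user store, the list of common passwords, the work factor and the function names are assumptions of this example.

```python
"""Password authentication: reject simple passwords, store salted PBKDF2
hashes, compare in constant time. Added example; the user store, denylist
and work factor are assumptions."""
import hashlib
import hmac
import os
from typing import Dict

# Constructed denylist (assumption); a real deployment checks against a
# large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin123"}
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; raise as hardware allows
SALT_LEN = 16
DUMMY_SALT = os.urandom(SALT_LEN)  # used so unknown users cost the same time as known ones


def is_simple(password: str) -> bool:
    """The 'simple password' problem: short, on a list, or a single character class."""
    p = password.lower()
    return (len(password) < 12
            or p in COMMON_PASSWORDS
            or p.isdigit()
            or p.isalpha())


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(users: Dict[str, bytes], username: str, password: str) -> bool:
    """Store salt || hash. Returns False (and stores nothing) for simple passwords."""
    if is_simple(password):
        return False
    salt = os.urandom(SALT_LEN)          # fresh per-user salt: identical passwords hash differently
    users[username] = salt + hash_password(password, salt)
    return True


def login(users: Dict[str, bytes], username: str, password: str) -> bool:
    record = users.get(username)
    if record is None:
        hash_password(password, DUMMY_SALT)  # same cost, so timing does not reveal valid usernames
        return False
    salt, stored = record[:SALT_LEN], record[SALT_LEN:]
    candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


if __name__ == "__main__":
    users: Dict[str, bytes] = {}
    print("register weak :", register(users, "alice", "password"))
    print("register good :", register(users, "alice", "correct horse battery staple 7"))
    print("login right   :", login(users, "alice", "correct horse battery staple 7"))
    print("login wrong   :", login(users, "alice", "correct horse battery staple 8"))
    print("login no user :", login(users, "bob", "anything"))
```

The stored record never contains the password itself, so a copied user database (the "media can be stolen" and "insider" vulnerabilities from the earlier slide) still forces an attacker through the PBKDF2 work factor for every guess.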
Computer Security and Privacy/ Physical Security
Physical security is the use of physical controls to protect premises, site, facility, building or other physical assets of an organization [Lawrence Fennelly].
Physical security protects your physical computer facility (your building, your computer room, your computer, your disks and other media) [Chuck Easttom].
Computer Security and Privacy/ Physical Security
In the early days of computing physical security was simple because computers were big, standalone, expensive machines:
• It was almost impossible to move them (not portable)
• They were very few and it was affordable to spend on physical security for them
• Management was willing to spend money
• Everybody understood and accepted that there were restrictions
Computer Security and Privacy/ Physical Security
Today
• Computers are more and more portable (PC, laptop, PDA, smartphone)
• There are too many of them to have good physical security for each of them
• They are not "too expensive" to justify spending more money on physical security until a major crisis occurs
• Users don't accept restrictions easily
• Accessories (ex. network components) are not considered as important for security until there is a problem
• Access to a single computer may endanger many more computers connected through a network
Computer Security and Privacy/ Physical Security
=> Physical security is much more difficult to achieve today than some decades ago
Computer Security and Privacy/ Physical Security
Solution
• Avoid having servers in areas often hit by natural disasters!
Computer Security and Privacy/ Physical Security
Safe area
• A safe area is often a locked place where only authorized personnel can have access
• Organizations usually have a safe area for keeping computers and related devices
Computer Security and Privacy/ Physical Security
Safe area … Challenges
• Is the area inaccessible through other openings (window, roof-ceilings, ventilation hole, etc.)?
  – Design the building with security in mind
  – Know the architecture of your building
• During opening hours, is it always possible to detect when an unauthorized person tries to get to the safe area?
  – Surveillance/guards, video-surveillance, automatic doors with security code locks, alarms, etc.
  – Put signs so that everybody sees the safe area
Computer Security and Privacy/ Physical Security
Safe area … Locks
• Are the locks reliable?
  – The effectiveness of locks depends on the design, manufacture, installation and maintenance of the locks and their keys!
• Among the attacks on locks are:
  – Illicit keys
    · Duplicate keys: avoid access to the key by unauthorized persons even for a few seconds; change locks/keys frequently; have a key management procedure
    · Lost keys: notify the responsible person when a key is lost; there should be no label on keys
  – Circumventing the internal barriers of the lock
  – Directly operating the bolt, completely bypassing the locking mechanism, which remains locked
  – Forceful attacks: punching, drilling, hammering, etc.
Computer Security and Privacy/ Physical Security
Surveillance with guards
• The most common in Ethiopia
• Not always the most reliable since it adds a lot of human factor
• Not always practical for users (employees don't like to be questioned by guards wherever they go)
Computer Security and Privacy/ Physical Security
Safe area … Surveillance with video
• Uses Closed Circuit Television (CCTV)
• Started in the 1960s
• Became more and more popular with the worldwide increase of theft and terrorism
Advantages
• A single person can monitor more than one location
• The intruder doesn't see the security personnel
• It is cheaper after the initial investment
• It can be recorded and used for investigation
• Since it can be recorded, the security personnel are more careful
• Today's digital video-surveillance can use advanced techniques such as face recognition to detect terrorists, wanted people, etc.
Drawback
• Privacy concerns
Computer Security and Privacy/ Physical Security
Internal Human factor - Personnel
• Choose employees carefully
  – Personal integrity should be as important a factor in the hiring process as technical skills
• Create an atmosphere in which the levels of employee loyalty, morale, and job satisfaction are high
• Remind employees, on a regular basis, of their continuous responsibilities to protect the organization's information
Computer Security and Privacy/ Physical Security