SlideShare a Scribd company logo

E sec chaptr-1

Download as DOCX, PDF
1
123aleena

chapter 1. security problem in computing-Pfleeger

Engineering
1 of 8
E-SECURITY QUESTIONS AND ANSWERS CHAPTER-1 1. Distinguish between threats, vulnerabilities and controls.[4marks]  Vulnerability is a weakness in the security system, for example, in procedures, design, or implementation that might be exploited to cause loss or harm.  A particular system may be vulnerable to unauthorized data manipulation because the system does not verify a user’s identity before allowing data access.  A threat to a computing system is a set of circumstances that has the potential to cause loss or harm.  A human who exploits vulnerability perpetrates an attack on the system.  To address these problems, we use a control as a protective measure.  A control is an action, device, procedure, or technique that removes or reduces vulnerability.  Relationship among threats, controls, and vulnerabilities in this way: o A threat is blocked by control of vulnerability. For e.g., consider a wall is holding water back.  The water to the left of the wall is a threat to the man on the right of the wall.  The water could rise, overflowing onto the man, or it could stay beneath the height of the wall, causing it to collapse.  So the threat of harm is the potential for the man to get wet, get hurt, or drown.  For now, the wall is intact, so the threat to the man is unrealized.  However, we can see a small crack in the wall—a vulnerability that threatens the man’s security. If the water rises to or beyond the level of the crack, it will exploit the vulnerability and harm the man. 2. Explain 4 kinds of threats. Threats can be of four kinds: - Interception, interruption, modification, and fabrication.
E-SECURITY QUESTIONS AND ANSWERS  An interception means that some unauthorized party has gained access to an asset.  In an interruption, an asset of the system becomes lost, unavailable, or unusable.  If an unauthorized party not only accesses but tampers with an asset, the threat is a modification.  Finally, an unauthorized party might create a fabrication of counterfeit objects on a computing system. 3. What is MOM?  Method, Opportunity, and Motive  A malicious attacker must have three things: • Method: the skills, knowledge, tools, and other things with which an attack is performed. • Opportunity: the time and access to accomplish the attack. • Motive: a reason to want to perform this attack against this system. 4. Which are the Security Goals? Security Goals o Three important aspects of any computer-related system: - confidentiality, integrity, and availability (CIA) o Confidentiality ensures that computer-related assets are accessed only by authorized parties.  Reading, viewing, printing, or even knowing their existance  Secrecy or privacy o Integrity means that assets can be modified only by authorized parties or only in authorized ways.  Writing, changing, deleting, creating o Availability means that assets are accessible to authorized parties at appropriate times.
E-SECURITY QUESTIONS AND ANSWERS 5. Explain different types of vulnerabilities.[10 marks]  Vulnerability is a weakness in the security system, for example, in procedures, design, or implementation that might be exploited to cause loss or harm. A computer-based system has three valuable components: - Hardware , software and data.  Types of vulnerabilities  Hardware vulnerabilities - Hardware is more visible than software. - It is simple to attack by adding devices, changing them, removing them, intercepting the traffic to them, or flooding them with traffic until they can no longer function. - Other ways: - Computers have been drenched with water, burned, frozen, gassed, and electrocuted. - Physical attacks on h/w => need physical security: locks and guards - Accidental (dropped PC box) or voluntary (bombing a computer room) - Theft / destruction - Damage the machine (spilled coffe, mice, real bugs) - Steal the machine - Machinicide:Axe / hammer the machine
E-SECURITY QUESTIONS AND ANSWERS  Software Vulnerabilities - Software can be replaced, changed, or destroyed maliciously, or it can be modified, deleted, or misplaced accidentally. - Whether intentional or not, these attacks exploit the software’s vulnerabilities. Software Deletion - Software is surprisingly easy to delete. Each of us has, at some point in our careers, accidentally erased a file or saved a bad copy of a program, destroying a good previous copy. - Because of software’s high value, access to software is controlled through a process called configuration management - so that software is not deleted, destroyed, or replaced accidentally & retains its integrity. - Softwarefdf Modification - Software is vulnerable to modifications that either cause it to fail or cause it to perform an unintended task. Other categories of software modification include: - a Trojan horse: a program that overtly does one thing while covertly doing another - a virus: a specific type of Trojan horse that can be used to spread its “infection” from one computer to another - a trapdoor: a program that has a secret entry point - information leaks in a program: code that makes information accessible to unauthorized people or programs - Software Theft - This attack includes unauthorized copying of software. - Software authors and distributors are entitled to fair compensation for use of their product, as are musicians and book authors.  Data Vulnerabilities - Data have a definite value, even though that value is often difficult to measure. o Ex1: confidential data leaked to a competitor  may narrow a competitive edge o Ex2: flight coordinate data used by an airplane that is guided partly or fully by software  Can cost human lives if modified
E-SECURITY QUESTIONS AND ANSWERS Principle of Adequate Protection: - Computer items must be protected only until they lose their value. - They must be protected to a degree consistent with their value.  This principle says that things with a short life can be protected by security measures that are effective only for that short time. Data Confidentiality: prevents unauthorized disclosure of a data item. Data Integrity: prevents unauthorized modification Data Availability: prevents denial of authorized access. Types of Attacks on Data  Disclosure -Attack on data confidentiality  Unauthorized modification / deception -E.g., providing wrong data (attack on data integrity)  Disruption -Attack on data availability  Usurpation-Unauthorized use of services (attack on data confidentiality, integrity or availability) Other Exposed Assets  Networks  Networks are specialized collections of hardware, software, and data.  Can easily multiply the problems of computer security  Insecure shared links  Inability to identify remote users (anonymity)  Key People  People can be crucial weak points in security. If only one person knows how to use or maintain a particular program, trouble can arise if that person is ill, suffers an accident, or leaves the organization (taking her knowledge with her).
E-SECURITY QUESTIONS AND ANSWERS 6. Explain different computer criminals. Computer Criminals  Computer crime is any crime involving a computer or aided by the use of one.  Amateurs  Ordinary computer users who while doing their jobs discover their ability to access something valuable  Amateurs have committed most of the computer crimes reported to date.  Crackers or Malicious Hackers  System crackers, often high school or university students, attempt to access computing facilities for which they have not been authorized.  Others attack for curiosity, personal gain, or self-satisfaction. And still others enjoy causing chaos, loss, or harm. There is no common profile or motivation for these attackers.  Career Criminals  By contrast, the career computer criminal understands the targets of computer crime.  There is some evidence that organized crime and international groups are engaging in computer crime. Recently, electronic spies and information brokers have begun to recognize that trading in companies' or individuals' secrets can be lucrative.  Terrorists  The link between computers and terrorism is quite evident.  Terrorists use computers in three ways: � Targets of attack: denial-of-service attacks and web site defacements are popular for any political organization because they attract attention to the cause and bring undesired negative attention to the target of the attack. � Propaganda vehicles: web sites, web logs, and e-mail lists are effective, fast, and inexpensive ways to get a message to many people. � Methods of attack: to launch offensive attacks requires use of computers. OTHER PORTIONS IN CHAPTER-1.  Methods of Defense We can deal with harm in several ways. We can seek to o prevent it, by blocking the attack or closing the vulnerability o deter it, by making the attack harder but not impossible o deflect it, by making another target more attractive (or this one less so) o detect it, either as it happens or sometime after the fact o recover from its effects  The figure illustrates how we use a combination of controls to secure our valuable resources. We use one or more controls, according to what we are protecting, how the cost of protection compares with the risk of loss, and how hard we think intruders will work to get what they want.
E-SECURITY QUESTIONS AND ANSWERS Controls Available Encryption o the formal name for the scrambling process. o We take data in their normal, unscrambled state, called cleartext, and transform them so that they are unintelligible to the outside observer; the transformed data are called enciphered text or ciphertext. o Encryption clearly addresses the need for confidentiality of data. o Additionally, it can be used to ensure integrity; data that cannot be read generally cannot easily be changed in a meaningful manner.  Encryption does not solve all computer security problems, and other tools must complement its use.  Furthermore, if encryption is not used properly, it may have no effect on security or could even degrade the performance of the entire system.  Weak encryption can actually be worse than no encryption at all, because it gives users an unwarranted sense of protection.  Therefore, we must understand those situations in which encryption is most useful as well as ways to use it effectively.  Software/Program Controls o Programs must be secure enough to prevent outside attack. o They must also be developed and maintained so that we can be confident of the programs' dependability.  Program controls include the following: o internal program controls: parts of the program that enforce security restrictions, such as access limitations in a database management program o operating system and network system controls: limitations enforced by the operating system or network to protect each user from all other users o independent control programs: application programs, such as password checkers, intrusion detection utilities, or virus scanners, that protect against certain types of vulnerabilities o development controls: quality standards under which a program is designed, coded, tested, and maintained to prevent software faults from becoming exploitable vulnerabilities  Software controls frequently affect users directly, such as when the user is interrupted and asked for a password before being given access to a program or data. o Because they influence the way users interact with a computing system, software controls must be carefully designed. Ease of use and potency are often competing goals in the design of a collection of software controls.
E-SECURITY QUESTIONS AND ANSWERS  Hardware Controls o Numerous hardware devices have been created to assist in providing computer security. These devices include a variety of means, such as  hardware or smart card implementations of encryption  locks or cables limiting access or deterring theft  devices to verify users' identities  firewalls  intrusion detection systems  circuit boards that control access to storage media  Policies and Procedures o Sometimes, we can rely on agreed-on procedures or policies among users rather than enforcing security through hardware or software means. such as frequent changes of passwords o We must not forget the value of community standards and expectations when we consider how to enforce security.  Physical Controls o Locks on doors, guards at entry points, backup copies of important software and data, and physical site planning that reduce the risk of natural disasters. Effectiveness of Controls  Awareness of Problem  People using controls must be convinced of the need for security. That is, people will willingly cooperate with security requirements only if they understand why security is appropriate in a given situation.  Likelihood of Use  Of course, no control is effective unless it is used.  Principle of Effectiveness: Controls must be used and used properly to be effective. They must be efficient, easy to use, and appropriate. - Computer security controls must be efficient enough, in terms of time, memory space, human activity, or other resources used, that using the control does not seriously affect the task being protected. - Controls should be selective so that they do not exclude legitimate accesses.  Overlapping Controls Several different controls may apply to address a single vulnerability.  Periodic Review Just when the security specialist finds a way to secure assets against certain kinds of attacks, the opposition doubles its efforts in an attempt to defeat the security mechanisms. Thus, judging the effectiveness of a control is an ongoing task. Principle of Weakest Link - Security can be no stronger than its weakest link.  Whether it is the power supply that powers the firewall or the operating system under the security application or the human who plans, implements, and administers controls, a failure of any control can lead to a security failure.

Recommended

Security in network computing
Security in network computingSecurity in network computing
Security in network computingManoj VNV
 
Honey Pot Intrusion Detection System
Honey Pot Intrusion Detection SystemHoney Pot Intrusion Detection System
Honey Pot Intrusion Detection SystemInternational Journal of Engineering Inventions www.ijeijournal.com
 
Threats to information security
Threats to information securityThreats to information security
Threats to information securityarun alfie
 
Information Security Management
Information Security ManagementInformation Security Management
Information Security ManagementBhadra Gowdra
 
Threats to information security
Threats to information securityThreats to information security
Threats to information securityswapneel07
 
Viruses (Lecture) IT Slides # 3
Viruses (Lecture) IT Slides # 3Viruses (Lecture) IT Slides # 3
Viruses (Lecture) IT Slides # 3Muhammad Talha Zaroon
 
Introduction To Computer Security
Introduction To Computer SecurityIntroduction To Computer Security
Introduction To Computer SecurityVibrant Event
 
Evolution of Security
Evolution of SecurityEvolution of Security
Evolution of SecurityDM_GS
 

Recommended

Security in network computing
Security in network computingSecurity in network computing
Security in network computingManoj VNV
 
Honey Pot Intrusion Detection System
Honey Pot Intrusion Detection SystemHoney Pot Intrusion Detection System
Honey Pot Intrusion Detection SystemInternational Journal of Engineering Inventions www.ijeijournal.com
 
Threats to information security
Threats to information securityThreats to information security
Threats to information securityarun alfie
 
Information Security Management
Information Security ManagementInformation Security Management
Information Security ManagementBhadra Gowdra
 
Threats to information security
Threats to information securityThreats to information security
Threats to information securityswapneel07
 
Viruses (Lecture) IT Slides # 3
Viruses (Lecture) IT Slides # 3Viruses (Lecture) IT Slides # 3
Viruses (Lecture) IT Slides # 3Muhammad Talha Zaroon
 
Introduction To Computer Security
Introduction To Computer SecurityIntroduction To Computer Security
Introduction To Computer SecurityVibrant Event
 
Evolution of Security
Evolution of SecurityEvolution of Security
Evolution of SecurityDM_GS
 
IT Security for the Physical Security Professional
IT Security for the Physical Security ProfessionalIT Security for the Physical Security Professional
IT Security for the Physical Security Professionalciso_insights
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness TrainingWilliam Mann
 
Security Awareness Training by Fortinet
Security Awareness Training by FortinetSecurity Awareness Training by Fortinet
Security Awareness Training by FortinetAtlantic Training, LLC.
 
System Security Threats and Risks)
System Security Threats and Risks)System Security Threats and Risks)
System Security Threats and Risks)BPalmer13
 
Basic practices for information & computer security
Basic practices for information & computer securityBasic practices for information & computer security
Basic practices for information & computer securityPrajktaGN
 
Computer security threats & prevention
Computer security threats & preventionComputer security threats & prevention
Computer security threats & preventionPriSim
 
2 Security And Internet Security
2 Security And Internet Security2 Security And Internet Security
2 Security And Internet SecurityAna Meskovska
 
Threats to Information Resources - MIS - Shimna
Threats to Information Resources - MIS - ShimnaThreats to Information Resources - MIS - Shimna
Threats to Information Resources - MIS - ShimnaChinnu Shimna
 
Threats and Security Tips of Computer System
Threats and Security Tips of Computer SystemThreats and Security Tips of Computer System
Threats and Security Tips of Computer SystemFaruk_Hossen
 
Basic Security Concepts of Computer
Basic Security Concepts of ComputerBasic Security Concepts of Computer
Basic Security Concepts of ComputerFaizan Janjua
 
Information security threats
Information security threatsInformation security threats
Information security threatscomplianceonline123
 
Physical security.ppt
Physical security.pptPhysical security.ppt
Physical security.pptFaheem Ul Hasan
 
InformationSecurity
InformationSecurityInformationSecurity
InformationSecuritylearnt
 
Computer security overview
Computer security overviewComputer security overview
Computer security overviewCAS
 
06. security concept
06. security concept06. security concept
06. security conceptMuhammad Ahad
 
Securityawareness
SecurityawarenessSecurityawareness
SecurityawarenessJayfErika
 
Mobile Security Basics
Mobile Security BasicsMobile Security Basics
Mobile Security Basicsanandraje
 
Threats to an information system
Threats to an information systemThreats to an information system
Threats to an information systemNimisha Walecha
 
Security & control in management information system
Security & control in management information systemSecurity & control in management information system
Security & control in management information systemOnline
 
Information Security Lecture Notes
Information Security Lecture NotesInformation Security Lecture Notes
Information Security Lecture NotesFellowBuddy.com
 
La rosa azul capítulo 1
La rosa azul capítulo 1La rosa azul capítulo 1
La rosa azul capítulo 1Cfa Paul
 
Opening sequence analysis x3
Opening sequence analysis x3Opening sequence analysis x3
Opening sequence analysis x3rachaelrowe
 

More Related Content

What's hot

IT Security for the Physical Security Professional
IT Security for the Physical Security ProfessionalIT Security for the Physical Security Professional
IT Security for the Physical Security Professionalciso_insights
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness TrainingWilliam Mann
 
System Security Threats and Risks)
System Security Threats and Risks)System Security Threats and Risks)
System Security Threats and Risks)BPalmer13
 
Basic practices for information & computer security
Basic practices for information & computer securityBasic practices for information & computer security
Basic practices for information & computer securityPrajktaGN
 
Computer security threats & prevention
Computer security threats & preventionComputer security threats & prevention
Computer security threats & preventionPriSim
 
2 Security And Internet Security
2 Security And Internet Security2 Security And Internet Security
2 Security And Internet SecurityAna Meskovska
 
Threats to Information Resources - MIS - Shimna
Threats to Information Resources - MIS - ShimnaThreats to Information Resources - MIS - Shimna
Threats to Information Resources - MIS - ShimnaChinnu Shimna
 
Threats and Security Tips of Computer System
Threats and Security Tips of Computer SystemThreats and Security Tips of Computer System
Threats and Security Tips of Computer SystemFaruk_Hossen
 
Basic Security Concepts of Computer
Basic Security Concepts of ComputerBasic Security Concepts of Computer
Basic Security Concepts of ComputerFaizan Janjua
 
InformationSecurity
InformationSecurityInformationSecurity
InformationSecuritylearnt
 
Computer security overview
Computer security overviewComputer security overview
Computer security overviewCAS
 
06. security concept
06. security concept06. security concept
06. security conceptMuhammad Ahad
 
Securityawareness
SecurityawarenessSecurityawareness
SecurityawarenessJayfErika
 
Mobile Security Basics
Mobile Security BasicsMobile Security Basics
Mobile Security Basicsanandraje
 
Threats to an information system
Threats to an information systemThreats to an information system
Threats to an information systemNimisha Walecha
 
Security & control in management information system
Security & control in management information systemSecurity & control in management information system
Security & control in management information systemOnline
 
Information Security Lecture Notes
Information Security Lecture NotesInformation Security Lecture Notes
Information Security Lecture NotesFellowBuddy.com
 

What's hot (20)

IT Security for the Physical Security Professional
IT Security for the Physical Security ProfessionalIT Security for the Physical Security Professional
IT Security for the Physical Security Professional
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
 
Security Awareness Training by Fortinet
Security Awareness Training by FortinetSecurity Awareness Training by Fortinet
Security Awareness Training by Fortinet
 
System Security Threats and Risks)
System Security Threats and Risks)System Security Threats and Risks)
System Security Threats and Risks)
 
Basic practices for information & computer security
Basic practices for information & computer securityBasic practices for information & computer security
Basic practices for information & computer security
 
Computer security threats & prevention
Computer security threats & preventionComputer security threats & prevention
Computer security threats & prevention
 
2 Security And Internet Security
2 Security And Internet Security2 Security And Internet Security
2 Security And Internet Security
 
Threats to Information Resources - MIS - Shimna
Threats to Information Resources - MIS - ShimnaThreats to Information Resources - MIS - Shimna
Threats to Information Resources - MIS - Shimna
 
Threats and Security Tips of Computer System
Threats and Security Tips of Computer SystemThreats and Security Tips of Computer System
Threats and Security Tips of Computer System
 
Basic Security Concepts of Computer
Basic Security Concepts of ComputerBasic Security Concepts of Computer
Basic Security Concepts of Computer
 
Information security threats
Information security threatsInformation security threats
Information security threats
 
Physical security.ppt
Physical security.pptPhysical security.ppt
Physical security.ppt
 
InformationSecurity
InformationSecurityInformationSecurity
InformationSecurity
 
Computer security overview
Computer security overviewComputer security overview
Computer security overview
 
06. security concept
06. security concept06. security concept
06. security concept
 
Securityawareness
SecurityawarenessSecurityawareness
Securityawareness
 
Mobile Security Basics
Mobile Security BasicsMobile Security Basics
Mobile Security Basics
 
Threats to an information system
Threats to an information systemThreats to an information system
Threats to an information system
 
Security & control in management information system
Security & control in management information systemSecurity & control in management information system
Security & control in management information system
 
Information Security Lecture Notes
Information Security Lecture NotesInformation Security Lecture Notes
Information Security Lecture Notes
 

Viewers also liked

La rosa azul capítulo 1
La rosa azul capítulo 1La rosa azul capítulo 1
La rosa azul capítulo 1Cfa Paul
 
Opening sequence analysis x3
Opening sequence analysis x3Opening sequence analysis x3
Opening sequence analysis x3rachaelrowe
 
Idd ppt dec14 updated
Idd ppt dec14 updatedIdd ppt dec14 updated
Idd ppt dec14 updatedimran bhutta
 
Reconstrucción mamaria en segundo tiempo
Reconstrucción mamaria en segundo tiempoReconstrucción mamaria en segundo tiempo
Reconstrucción mamaria en segundo tiempoMelissa Solis
 
Aartselaar Aquafin water , Environmental water plant .
Aartselaar Aquafin water , Environmental water plant .Aartselaar Aquafin water , Environmental water plant .
Aartselaar Aquafin water , Environmental water plant .Mohamed Herzallah
 
Presentation brics international business
Presentation brics international businessPresentation brics international business
Presentation brics international businessMuskan Rustagi
 

Viewers also liked (8)

La rosa azul capítulo 1
La rosa azul capítulo 1La rosa azul capítulo 1
La rosa azul capítulo 1
 
Opening sequence analysis x3
Opening sequence analysis x3Opening sequence analysis x3
Opening sequence analysis x3
 
Концерт учнів Марганецької музичної школи
Концерт учнів Марганецької музичної школиКонцерт учнів Марганецької музичної школи
Концерт учнів Марганецької музичної школи
 
Idd ppt dec14 updated
Idd ppt dec14 updatedIdd ppt dec14 updated
Idd ppt dec14 updated
 
Reconstrucción mamaria en segundo tiempo
Reconstrucción mamaria en segundo tiempoReconstrucción mamaria en segundo tiempo
Reconstrucción mamaria en segundo tiempo
 
Aartselaar Aquafin water , Environmental water plant .
Aartselaar Aquafin water , Environmental water plant .Aartselaar Aquafin water , Environmental water plant .
Aartselaar Aquafin water , Environmental water plant .
 
Water and Society in Southern Africa
Water and Society in Southern AfricaWater and Society in Southern Africa
Water and Society in Southern Africa
 
Presentation brics international business
Presentation brics international businessPresentation brics international business
Presentation brics international business
 

Similar to E sec chaptr-1

Protection and security
Protection and securityProtection and security
Protection and securitymbadhi
 
Data information and security unit 1.pdf
Data information and security unit 1.pdfData information and security unit 1.pdf
Data information and security unit 1.pdfdeepakbharathi16
 
Chapter 4 vulnerability threat and attack
Chapter 4 vulnerability threat and attack Chapter 4 vulnerability threat and attack
Chapter 4 vulnerability threat and attack newbie2019
 
S.Karthika,II-M.sc(Computer Science),Bon Secours college for women,thanjavur
S.Karthika,II-M.sc(Computer Science),Bon Secours college for women,thanjavurS.Karthika,II-M.sc(Computer Science),Bon Secours college for women,thanjavur
S.Karthika,II-M.sc(Computer Science),Bon Secours college for women,thanjavurvkarthi314
 
Cyber terrorism
Cyber terrorismCyber terrorism
Cyber terrorismNihal Jani
 
security system by desu star chapter 1.pptx
security system by desu star chapter 1.pptxsecurity system by desu star chapter 1.pptx
security system by desu star chapter 1.pptxdesalewminale
 
Computer Security Chapter 1
Computer Security Chapter 1Computer Security Chapter 1
Computer Security Chapter 1Temesgen Berhanu
 
OPERATING SYSTEM SECURITY
OPERATING SYSTEM SECURITYOPERATING SYSTEM SECURITY
OPERATING SYSTEM SECURITYRohitK71
 
Introduction to cyber security
Introduction to cyber securityIntroduction to cyber security
Introduction to cyber securityAliyuMuhammadButu
 
Basic security concepts_chapter_1_6perpage
Basic security concepts_chapter_1_6perpageBasic security concepts_chapter_1_6perpage
Basic security concepts_chapter_1_6perpagenakomuri
 
Information security
Information securityInformation security
Information securityRohit Gir
 
PPT0-Computer Security Concepts.pptx
PPT0-Computer Security Concepts.pptxPPT0-Computer Security Concepts.pptx
PPT0-Computer Security Concepts.pptxPiBits
 

Similar to E sec chaptr-1 (20)

Protection and security
Protection and securityProtection and security
Protection and security
 
Data information and security unit 1.pdf
Data information and security unit 1.pdfData information and security unit 1.pdf
Data information and security unit 1.pdf
 
Chapter 4 vulnerability threat and attack
Chapter 4 vulnerability threat and attack Chapter 4 vulnerability threat and attack
Chapter 4 vulnerability threat and attack
 
S.Karthika,II-M.sc(Computer Science),Bon Secours college for women,thanjavur
S.Karthika,II-M.sc(Computer Science),Bon Secours college for women,thanjavurS.Karthika,II-M.sc(Computer Science),Bon Secours college for women,thanjavur
S.Karthika,II-M.sc(Computer Science),Bon Secours college for women,thanjavur
 
I0516064
I0516064I0516064
I0516064
 
Cyber Security Briefing
Cyber Security BriefingCyber Security Briefing
Cyber Security Briefing
 
System Security
System SecuritySystem Security
System Security
 
Cyber terrorism
Cyber terrorismCyber terrorism
Cyber terrorism
 
security system by desu star chapter 1.pptx
security system by desu star chapter 1.pptxsecurity system by desu star chapter 1.pptx
security system by desu star chapter 1.pptx
 
Computer Security Chapter 1
Computer Security Chapter 1Computer Security Chapter 1
Computer Security Chapter 1
 
OPERATING SYSTEM SECURITY
OPERATING SYSTEM SECURITYOPERATING SYSTEM SECURITY
OPERATING SYSTEM SECURITY
 
Insecurity vssut
Insecurity vssutInsecurity vssut
Insecurity vssut
 
Module -5 Security.pdf
Module -5 Security.pdfModule -5 Security.pdf
Module -5 Security.pdf
 
Security - Chapter 1.ppt
Security - Chapter 1.pptSecurity - Chapter 1.ppt
Security - Chapter 1.ppt
 
Introduction to cyber security
Introduction to cyber securityIntroduction to cyber security
Introduction to cyber security
 
Basic security concepts_chapter_1_6perpage
Basic security concepts_chapter_1_6perpageBasic security concepts_chapter_1_6perpage
Basic security concepts_chapter_1_6perpage
 
Information security
Information securityInformation security
Information security
 
Chapter- I introduction
Chapter- I introductionChapter- I introduction
Chapter- I introduction
 
Chapter-I introduction
Chapter-I introductionChapter-I introduction
Chapter-I introduction
 
PPT0-Computer Security Concepts.pptx
PPT0-Computer Security Concepts.pptxPPT0-Computer Security Concepts.pptx
PPT0-Computer Security Concepts.pptx
 

Recently uploaded

OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...Soham Mondal
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130Suhani Kapoor
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...ranjana rawat
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝soniya singh
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingrakeshbaidya232001
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxJoão Esperancinha
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxAsutosh Ranjan
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxpurnimasatapathy1234
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingrknatarajan
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escortsranjana rawat
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Call Girls in Nagpur High Profile
 
Processing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxProcessing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxpranjaldaimarysona
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxupamatechverse
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxupamatechverse
 
Introduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxIntroduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxupamatechverse
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escortsranjana rawat
 
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSRajkumarAkumalla
 

Recently uploaded (20)

OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writing
 
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptx
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptx
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
 
Processing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxProcessing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptx
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptx
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptx
 
Introduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxIntroduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptx
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
 
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
 

E sec chaptr-1

  • 1. E-SECURITY QUESTIONS AND ANSWERS CHAPTER-1 1. Distinguish between threats, vulnerabilities and controls.[4marks]  Vulnerability is a weakness in the security system, for example, in procedures, design, or implementation that might be exploited to cause loss or harm.  A particular system may be vulnerable to unauthorized data manipulation because the system does not verify a user’s identity before allowing data access.  A threat to a computing system is a set of circumstances that has the potential to cause loss or harm.  A human who exploits vulnerability perpetrates an attack on the system.  To address these problems, we use a control as a protective measure.  A control is an action, device, procedure, or technique that removes or reduces vulnerability.  Relationship among threats, controls, and vulnerabilities in this way: o A threat is blocked by control of vulnerability. For e.g., consider a wall is holding water back.  The water to the left of the wall is a threat to the man on the right of the wall.  The water could rise, overflowing onto the man, or it could stay beneath the height of the wall, causing it to collapse.  So the threat of harm is the potential for the man to get wet, get hurt, or drown.  For now, the wall is intact, so the threat to the man is unrealized.  However, we can see a small crack in the wall—a vulnerability that threatens the man’s security. If the water rises to or beyond the level of the crack, it will exploit the vulnerability and harm the man. 2. Explain 4 kinds of threats. Threats can be of four kinds: - Interception, interruption, modification, and fabrication.
  • 2. E-SECURITY QUESTIONS AND ANSWERS  An interception means that some unauthorized party has gained access to an asset.  In an interruption, an asset of the system becomes lost, unavailable, or unusable.  If an unauthorized party not only accesses but tampers with an asset, the threat is a modification.  Finally, an unauthorized party might create a fabrication of counterfeit objects on a computing system. 3. What is MOM?  Method, Opportunity, and Motive  A malicious attacker must have three things: • Method: the skills, knowledge, tools, and other things with which an attack is performed. • Opportunity: the time and access to accomplish the attack. • Motive: a reason to want to perform this attack against this system. 4. Which are the Security Goals? Security Goals o Three important aspects of any computer-related system: - confidentiality, integrity, and availability (CIA) o Confidentiality ensures that computer-related assets are accessed only by authorized parties.  Reading, viewing, printing, or even knowing their existance  Secrecy or privacy o Integrity means that assets can be modified only by authorized parties or only in authorized ways.  Writing, changing, deleting, creating o Availability means that assets are accessible to authorized parties at appropriate times.
  • 3. E-SECURITY QUESTIONS AND ANSWERS 5. Explain different types of vulnerabilities.[10 marks]  Vulnerability is a weakness in the security system, for example, in procedures, design, or implementation that might be exploited to cause loss or harm. A computer-based system has three valuable components: - Hardware , software and data.  Types of vulnerabilities  Hardware vulnerabilities - Hardware is more visible than software. - It is simple to attack by adding devices, changing them, removing them, intercepting the traffic to them, or flooding them with traffic until they can no longer function. - Other ways: - Computers have been drenched with water, burned, frozen, gassed, and electrocuted. - Physical attacks on h/w => need physical security: locks and guards - Accidental (dropped PC box) or voluntary (bombing a computer room) - Theft / destruction - Damage the machine (spilled coffe, mice, real bugs) - Steal the machine - Machinicide:Axe / hammer the machine
  • 4. E-SECURITY QUESTIONS AND ANSWERS  Software Vulnerabilities - Software can be replaced, changed, or destroyed maliciously, or it can be modified, deleted, or misplaced accidentally. - Whether intentional or not, these attacks exploit the software’s vulnerabilities. Software Deletion - Software is surprisingly easy to delete. Each of us has, at some point in our careers, accidentally erased a file or saved a bad copy of a program, destroying a good previous copy. - Because of software’s high value, access to software is controlled through a process called configuration management - so that software is not deleted, destroyed, or replaced accidentally & retains its integrity. - Softwarefdf Modification - Software is vulnerable to modifications that either cause it to fail or cause it to perform an unintended task. Other categories of software modification include: - a Trojan horse: a program that overtly does one thing while covertly doing another - a virus: a specific type of Trojan horse that can be used to spread its “infection” from one computer to another - a trapdoor: a program that has a secret entry point - information leaks in a program: code that makes information accessible to unauthorized people or programs - Software Theft - This attack includes unauthorized copying of software. - Software authors and distributors are entitled to fair compensation for use of their product, as are musicians and book authors.  Data Vulnerabilities - Data have a definite value, even though that value is often difficult to measure. o Ex1: confidential data leaked to a competitor  may narrow a competitive edge o Ex2: flight coordinate data used by an airplane that is guided partly or fully by software  Can cost human lives if modified
  • 5. E-SECURITY QUESTIONS AND ANSWERS Principle of Adequate Protection: - Computer items must be protected only until they lose their value. - They must be protected to a degree consistent with their value.  This principle says that things with a short life can be protected by security measures that are effective only for that short time. Data Confidentiality: prevents unauthorized disclosure of a data item. Data Integrity: prevents unauthorized modification Data Availability: prevents denial of authorized access. Types of Attacks on Data  Disclosure -Attack on data confidentiality  Unauthorized modification / deception -E.g., providing wrong data (attack on data integrity)  Disruption -Attack on data availability  Usurpation-Unauthorized use of services (attack on data confidentiality, integrity or availability) Other Exposed Assets  Networks  Networks are specialized collections of hardware, software, and data.  Can easily multiply the problems of computer security  Insecure shared links  Inability to identify remote users (anonymity)  Key People  People can be crucial weak points in security. If only one person knows how to use or maintain a particular program, trouble can arise if that person is ill, suffers an accident, or leaves the organization (taking her knowledge with her).
  • 6. E-SECURITY QUESTIONS AND ANSWERS 6. Explain different computer criminals. Computer Criminals  Computer crime is any crime involving a computer or aided by the use of one.  Amateurs  Ordinary computer users who while doing their jobs discover their ability to access something valuable  Amateurs have committed most of the computer crimes reported to date.  Crackers or Malicious Hackers  System crackers, often high school or university students, attempt to access computing facilities for which they have not been authorized.  Others attack for curiosity, personal gain, or self-satisfaction. And still others enjoy causing chaos, loss, or harm. There is no common profile or motivation for these attackers.  Career Criminals  By contrast, the career computer criminal understands the targets of computer crime.  There is some evidence that organized crime and international groups are engaging in computer crime. Recently, electronic spies and information brokers have begun to recognize that trading in companies' or individuals' secrets can be lucrative.  Terrorists  The link between computers and terrorism is quite evident.  Terrorists use computers in three ways: � Targets of attack: denial-of-service attacks and web site defacements are popular for any political organization because they attract attention to the cause and bring undesired negative attention to the target of the attack. � Propaganda vehicles: web sites, web logs, and e-mail lists are effective, fast, and inexpensive ways to get a message to many people. � Methods of attack: to launch offensive attacks requires use of computers. OTHER PORTIONS IN CHAPTER-1.  Methods of Defense We can deal with harm in several ways. We can seek to o prevent it, by blocking the attack or closing the vulnerability o deter it, by making the attack harder but not impossible o deflect it, by making another target more attractive (or this one less so) o detect it, either as it happens or sometime after the fact o recover from its effects  The figure illustrates how we use a combination of controls to secure our valuable resources. We use one or more controls, according to what we are protecting, how the cost of protection compares with the risk of loss, and how hard we think intruders will work to get what they want.
  • 7. E-SECURITY QUESTIONS AND ANSWERS Controls Available Encryption o the formal name for the scrambling process. o We take data in their normal, unscrambled state, called cleartext, and transform them so that they are unintelligible to the outside observer; the transformed data are called enciphered text or ciphertext. o Encryption clearly addresses the need for confidentiality of data. o Additionally, it can be used to ensure integrity; data that cannot be read generally cannot easily be changed in a meaningful manner.  Encryption does not solve all computer security problems, and other tools must complement its use.  Furthermore, if encryption is not used properly, it may have no effect on security or could even degrade the performance of the entire system.  Weak encryption can actually be worse than no encryption at all, because it gives users an unwarranted sense of protection.  Therefore, we must understand those situations in which encryption is most useful as well as ways to use it effectively.  Software/Program Controls o Programs must be secure enough to prevent outside attack. o They must also be developed and maintained so that we can be confident of the programs' dependability.  Program controls include the following: o internal program controls: parts of the program that enforce security restrictions, such as access limitations in a database management program o operating system and network system controls: limitations enforced by the operating system or network to protect each user from all other users o independent control programs: application programs, such as password checkers, intrusion detection utilities, or virus scanners, that protect against certain types of vulnerabilities o development controls: quality standards under which a program is designed, coded, tested, and maintained to prevent software faults from becoming exploitable vulnerabilities  Software controls frequently affect users directly, such as when the user is interrupted and asked for a password before being given access to a program or data. o Because they influence the way users interact with a computing system, software controls must be carefully designed. Ease of use and potency are often competing goals in the design of a collection of software controls.
  • 8. E-SECURITY QUESTIONS AND ANSWERS  Hardware Controls o Numerous hardware devices have been created to assist in providing computer security. These devices include a variety of means, such as  hardware or smart card implementations of encryption  locks or cables limiting access or deterring theft  devices to verify users' identities  firewalls  intrusion detection systems  circuit boards that control access to storage media  Policies and Procedures o Sometimes, we can rely on agreed-on procedures or policies among users rather than enforcing security through hardware or software means. such as frequent changes of passwords o We must not forget the value of community standards and expectations when we consider how to enforce security.  Physical Controls o Locks on doors, guards at entry points, backup copies of important software and data, and physical site planning that reduce the risk of natural disasters. Effectiveness of Controls  Awareness of Problem  People using controls must be convinced of the need for security. That is, people will willingly cooperate with security requirements only if they understand why security is appropriate in a given situation.  Likelihood of Use  Of course, no control is effective unless it is used.  Principle of Effectiveness: Controls must be used and used properly to be effective. They must be efficient, easy to use, and appropriate. - Computer security controls must be efficient enough, in terms of time, memory space, human activity, or other resources used, that using the control does not seriously affect the task being protected. - Controls should be selective so that they do not exclude legitimate accesses.  Overlapping Controls Several different controls may apply to address a single vulnerability.  Periodic Review Just when the security specialist finds a way to secure assets against certain kinds of attacks, the opposition doubles its efforts in an attempt to defeat the security mechanisms. Thus, judging the effectiveness of a control is an ongoing task. Principle of Weakest Link - Security can be no stronger than its weakest link.  Whether it is the power supply that powers the firewall or the operating system under the security application or the human who plans, implements, and administers controls, a failure of any control can lead to a security failure.