2. • Nature of computer crimes
• Computer Security
• Aspects of Security
• Goals of Computer Security
• Principles of Computer Security
• Security Policy
Topics
3. Examples of computer crimes
Below is a listing of the different types of computer crimes today. Clicking on
any of the links below gives further information about each crime.
• Child pornography - Making or distributing child pornography.
• Cyber terrorism - Hacking, threats, and blackmailing towards a business or
person.
• Cyberbully or Cyberstalking - Harassing others online.
• Creating Malware - Writing, creating, or distributing malware
(e.g., viruses and spyware.)
• Denial of Service attack - Overloading a system with so many requests it
cannot serve normal requests.
• Espionage - Spying on a person or business.
• Fraud - Manipulating data, e.g., changing banking records to transfer
money to an account.
• Harvesting - Collect account or other account related information on
other people.
3
PREPAREDBYDaudiHissanMwahasanga
4. Computer crime (cont……)
• Identity theft - Pretending to be someone you are not.
• Intellectual property theft - Stealing practical or conceptual information
developed by another person or company.
• Phishing - Deceiving individuals to gain private or personal information
about that person.
• Salami slicing - Stealing tiny amounts of money from each transaction.
• Scam - Tricking people into believing something that is not true.
• Spamming - Distributed unsolicited e-mail to dozens or hundreds of
different addresses.
• Spoofing - Deceiving a system into thinking you are someone you really
are not.
• Unauthorized access - Gaining access to systems you have no permission
to access.
• Wiretapping - Connecting a device to a phone line to listen to
conversations.
4
PREPAREDBYDaudiHissanMwahasanga
5. What Is Security?
• In general, security is “the quality or state of being
secure—to be free from danger.” In other words,
protection against adversaries—from those who would
do harm, intentionally.
A successful organization should have the following
multiple layers of security in place to protect its
operations:
• Physical security, to protect physical items, objects, or
areas from unauthorized access and misuse
• Personnel security, to protect the individual or group
of individuals who are authorized to access the
organization and its operations.
5
PREPAREDBYDaudiHissanMwahasanga
6. Cont….
• Operations security, to protect the details of a
particular operation or series of activities
Communications security, to protect communications
media, technology, and content.
• Network security, to protect networking components,
connections, and contents.
• Information security, to protect the confidentiality,
integrity and availability of information assets, whether
in storage, processing, or transmission.
• It is achieved via the application of policy, education,
training and awareness, and technology. 6
PREPAREDBYDaudiHissanMwahasanga
7. A definition of computer security
• Computer security: The protection afforded to
an automated information system in order to
attain the applicable objectives of preserving
the integrity, availability and confidentiality of
information system resources (includes
hardware, software, firmware,
information/data, and telecommunications)
8. Definitions:
Computer Security is the ability of a system to
protect information and system resources with
respect to confidentiality and integrity.
Aspects of Security:
– Prevention: take measures that prevent your assets
from being damaged
– Detection: take measures so that you can detect when,
how, and by whom an asset has been damaged
– Reaction: take measures so that you can recover your
assets or to recover from a damage to your assets
Computer Security
9. Lets now examine
each phase of the
prevent, detect, and
respond
9
PREPAREDBYDaudiHissanMwahasanga
10. • There is an age-old advisory that says, “It’s too
late to sharpen your sword when the drum beats
for battle”.
• during prevention phase, security policies
controls and processes should be designed and
implemented.
• Security policies, security awareness programs
and access control procedures, are all
interrelated and should be developed early on.
10
PREPAREDBYDaudiHissanMwahasanga
11. • The first objective in developing a prevention
strategy is to determine “what” must be
protected and document these “what” in
formal policy.
• the policy must define the responsibilities of
the organization, the employees and
managent.
• it should also fix the responsibility for
implementation, audit and review.
11
PREPAREDBYDaudiHissanMwahasanga
12. • security awereness is a process of educating
the employees on the importance of security,
the use of security measures, reporting
procedures for security violations and their
responsibiities as outilined in the security
policy.
• this program must be continuous process.
12
PREPAREDBYDaudiHissanMwahasanga
13. • access is the manner by which the user utilizes
the information ystem to get information.
• naturally all users should not have the ability to
access all systems and its information so the
access should be restricted and granted.
• to manage access we establish user accounts by
issuing identifiers and authentication methods to
verify these identifiers and authorization rules
that limits acess to resources.
13
PREPAREDBYDaudiHissanMwahasanga
14. • Identification__ is a unique identifier. it is
what user i.e (person, client, software
application, hardware, or network) uses to
differentiate itself from other objects.
• Identifiers that are created for users should
not be resource users or is groups.
authentication.
• Once a user has an identifier the next step
taken to access the resource is authentication.
14
PREPAREDBYDaudiHissanMwahasanga
15. • Authentication is the process of validating the
identinty of the user.
• Authentication verifies identity by providing a
level of trust.
• ther ere three basic factors used to authenticate
an identity:---
1.something you know
2.something you have
3.something you are
15
PREPAREDBYDaudiHissanMwahasanga
16. 1. Something you know
• The password is the most common form used. However,
secret phrases and PIN numbers are also utilized. This is
known as one-factor or single authentication. This form is
weakened due to poor password selection and storage.
For the prevention of password we have to do the
following:
• 1. To secure the passwords and the other sensitive data,
implement unbreakable encryption technology and also preserve
the keys safely.
• 2. Keep the passwords long and keep changing them from time to
time.
• 3. Frequently scan or test the system to detect vulnerability.
• 4. Literate users about security precautions. 16
PREPAREDBYDaudiHissanMwahasanga
17. 2.Something you have
• This authentication factor is something you have,
such as an identification card, smartcard or token.
• Each requiring the user to possess “something”
for authentication.
• A more reliable authentication process would
require two factors such as something you know
with something you have.
• This form is known as the two-factor or multilevel
authentication. 17
PREPAREDBYDaudiHissanMwahasanga
18. 3. Something you are
• The strongest authentication factor is something
you are.
• This is a unique physical characteristic such as a
fingerprint, retina pattern or DNA.
• The measuring of these factors is called
biometrics.
• The strongest authentication process would
require all three factors. Facilities or applications
that are highly secret or sensitive will utilize all
three factors to authenticate a user. 18
PREPAREDBYDaudiHissanMwahasanga
19. • Whereas authentication controls who can access network resources,
authorization says what they can do after they have accessed the
resources.
• Authorization grants privileges to processes and users. Authorization
lets a security administrator control parts of a network (for example,
directories and files on servers).
• Authorization varies from user to user, partly depending on a user's
department or job function. For example, a policy might state that only
Human Resources employees should see salary records for people they
don't manage.
• This principle is based on the idea that each user should be given only
the minimal necessary rights to perform a certain task. Therefore, an
authorization mechanism should give a user only the minimum access
permissions that are necessary.
19
PREPAREDBYDaudiHissanMwahasanga
20. • Authorization is sometimes known as
• Once a user has been authenticated, the next step is to ensure that they
can only access the information resources that are appropriate. This is
done through the use of access control.
• Access control determines which users are authorized to read, modify,
add, and/or delete information. Several different access control models
exist.
• For each information resource that an organization wishes to manage, a
list of users who have the ability to take specific actions can be created.
• This is an access control list, or ACL. For each user, specific capabilities are
assigned, such as read, write, delete, or add.
• Only users with those capabilities are allowed to perform those functions.
• If a user is not on the list, they have no ability to even know that the
information resource exists.
20
PREPAREDBYDaudiHissanMwahasanga
22. • Detection of a system compromise is extremely critical.
with the increasing threat environment, no matter
what level of protection a system may have, it will get
compromised given a greater level of motivation and
skills. there is no proof “silver bullet” security solution.
• A defence in layers strategy should be deployed so
when eah fails, it fails safely to a known state and
sounds an alarm.
• the most important element of this strategy is timely
detection and notification of a compromise
• intrusion detection systems (IDS) are used for this
purpose.
22
PREPAREDBYDaudiHissanMwahasanga
24. • For the detection process to have any value there must
be a timely response.
• The Key response to an incident should be planned
well in advance.
• the responce plan should be written aand ratified by
appropriate levels of management.
• it should prioritize different types of events and require
a level of notification and/or response suitable for the
level of event/threat.
• a computer security incedent responce team (CSIRT)
should be established with specific roles and
responsibilities identified.
24
PREPAREDBYDaudiHissanMwahasanga
25. Computer Security - Goals
Confidentiality, Integrity, Availability
• Confidentiality is about
privacy and ensuring
information is only
accessible to those with a
proven need to see it.
• Integrity is about
information stored in a
database being consistent
and un-modified.
• Availability is about
information being there
when it’s needed to
support care.
25
26. Other concepts to a complete security
picture
• Authenticity: the property of being genuine
and being able to be verified and trusted;
confident in the validity of a transmission, or a
message, or its originator
• Accountability: generates the requirement for
actions of an entity to be traced uniquely to
that individual to support nonrepudiation,
deference, fault isolation, etc
27. • Prevent unauthorised disclosure of information
• Two aspects of confidentiality
– Privacy: protection of personal data
– e.g., personal medical records, student grade information
– Secrecy: protection of data belonging to an
organisation
– e.g., Formula for a new drug, plans for the company for the next 5
years, Student Records
Confidentiality
28. • Detection (and correction) of intentional and
accidental modifications of data in a computer
system
• Various examples of modification
– Corruption of hard drive
– Changing course grades by breaking into university
records
– Transferring money from one account to another
account fraudulently
Integrity
29. • The property that a product’s services are
accessible when needed and without undue
delay
• Denial of Service is the prevention of
authorised access of resources or the delaying
of time-critical operations
• Distributed Denial of Service occurs when
multiple sources contribute to denial of service
simultaneously
Availability
30. • Audit information must be selectively kept and
protected so that actions affecting security can
be traced to the responsible party
• Users are identified and authenticated to have
a basis for access control decisions.
• The security system keeps an audit log (audit
trail) of security relevant events to detect and
investigate intrusions.
Accountability
31. • Where to focus security controls?
– Data: Format and content of data
– Operations: Operations allowed on data
– Users: Access control of data based on user
Principles of Computer Security - I
Application
Software
User
(subject)
Hardware
Resource
(object)
32. • Where to place security controls?
– Lower layers offer more generic control
– Higher layers allow most functionality and ease of
use
Principles of Computer Security - II
hardware
applications
services (middleware)
operating system
OS kernel
33. • Security, functionality and ease-of-use linked together ?
– Increasing Security interfere the functionality & ease-of-use
– Most secure computer is the one not plugged in use
Principles of Computer Security - III
Security
Functionality Ease-of-Use
34. • Centralized or Decentralized Security Control?
– A central security authority provides much better control
but may act as a bottleneck for productivity
– A decentralized security control provides ability to fine
tune security control for applications making system
easy to use
Principles of Computer Security - IV
35. Achieving Network Security
• International Telecommunication Union (ITU), in its
recommendation on security architecture X.800, has defined
certain mechanisms to bring the standardization in methods to
achieve network security. Some of these mechanisms are −
• Encipherment − This mechanism provides data confidentiality
services by transforming data into not-readable forms for the
unauthorized persons. This mechanism uses encryption-decryption
algorithm with secret keys.
• Digital signatures − This mechanism is the electronic equivalent of
ordinary signatures in electronic data. It provides authenticity of the
data.
• Access control − This mechanism is used to provide access control
services. These mechanisms may use the identification and
authentication of an entity to determine and enforce the access
rights of the entity.
mwahasanga hissan 35