3. Computer Security
• Computer Security is a Branch of Computer Technology
• It is Information security as applied to computers and
networks.
• The objectives- Protection of information from
Theft,
Corruption,
Damage from disaster,
Definition
Security: The prevention and protection of computer assets
from unauthorized access, use, alteration, degradation,
destruction, and other threats.
“ The term computer system security means the collective
processes and mechanisms by which sensitive and valuable
information and services are protected from publication,
tamper [ alter ]or collapse by unauthorized activities or
untrustworthy individuals and unplanned events
respectively.
4. Privacy
• Privacy: The legal rights of the
groups/individuals/organizations
to be protected against
unauthorized intrusion into his
personal life/affairs, by direct
physical means or by publication of
information.
• Security or Privacy Threat: Any
individual group, act, or object that
poses a danger to computer security
and privacy is known as threat.
5. No Tension ??
No Computer
No Network
No Internet
• The most secured manner
Either no computers or are
those not connected to any
Network or Internet and
protected from any intrusion
6. Defining- Computer Security
• Computer or Information Technology can be
used for productive or destructive purposes
• Computer Security refers to techniques for
ensuring that data stored in a computer
cannot be read or compromised by any
individuals without authorization.
• Computer Security The provisions and
policies adopted to protect information and
property from theft, corruption, or natural
disaster while allowing the information and
property to remain accessible and productive
to its intended users.
7. ‘computer security’ Vs ‘computer
technology ‘
Computer Security
• Preventing unwanted
computer behavior
• Computer Security and
Information Security
focuses on hardware risk,
software risks, network
risks, data theft, identity
theft, and the like
Computer Technology
• Enabling wanted computer
behavior.
8. Common Computer Security Measures
• Most computer security measures involve data
encryption and passwords.
• Data encryption is the translation of data into a
form that can not be read without a
deciphering mechanism.
• A password is a secret word or phrase that
gives a user access to a particular program or
system.
9. Computer Security VS Network Security
Computer Security
• Computer Security is confined
to securing the Computer as
an individual system.
• The provisions and policies
adopted to protect
information and property from
Theft, Corruption, or Natural
Disaster while allowing the
information and property to
remain accessible and
productive to its intended
users. [ Security at gate, Safe
place, Authorization of
people, Building]
Network security
• Network security on the
other hand deals with
provisions and policies
adopted to prevent and
monitor unauthorized access,
misuse, modification, or
denial of the computer
network and network-
accessible resources.
10. Computer Security Domains
Security in unwired/ Wired network ?
Security from Spams?
Security under OS environment?
Security of Physical components?
Security by firewall ?
Security from computer
viruses, worms, Trojan horse, logic bombs, ?
Security in Distributed Systems /Cloud
Computing?
11. Goals of Computer Security / Information
Security
• To maintain information Confidentiality
• To ensure the Integrity and Reliability of data
resources
• To ensure the Uninterrupted Availability of
data resources and online operations
• To reduce the risk of systems and organizations
ceasing operations
• To ensure Compliance with Policies and Laws
regarding security and privacy
13. Categories of attacks
Categories of attacks
• Interruption: An attack on availability
• Interception: An attack on confidentiality
• Modification: An attack on integrity
• Fabrication: An attack on authenticity
14. Categories of Attacks/Threats (W. Stallings)
Normal flow of information
Interruption Interception
Modification Fabrication
Source
Destination
Attack
15. Types of Vulnerabilities
• Physical vulnerabilities (Ex. Buildings)
• Natural vulnerabilities (Ex. Earthquake)
• Hardware and Software vulnerabilities (Ex. Failures)
• Media vulnerabilities (Ex. Disks can be stolen)
• Communication vulnerabilities (Ex. Wires can be
tapped)
• Human vulnerabilities (Ex. Insiders)
16. Evolution of Computer Security and Privacy
Issues and Ethics
• Computer security, meaning safeguarding
hardware, software and their physical
locations, first took shape in World War 2, when
the military began using mainframes designed to
assist in code breaking.
• 1960s- Larry Roberts, hailed as the internet’s
founder, designed the ARPANET (Advanced
Research Projects Agency Network), which is
called the internet’s predecessor.
• "worldwide system of interconnected networks
and computers“- Internet by Larry
17. Evolution of Computer Security and
Privacy Issues and Ethics
• Ethics is derived from Greek word Ethos and morality
from Latin word mos and moris. But the meaning of
both is same.
• In the early 1940s
• MIT professor Norbert Wiener during World War II,
when he helped to develop an anti-aircraft cannon
capable of shooting down fast warplanes. This work
resulted in Wiener and his colleagues creating a new
field of research that Wiener called cybernetics, the
science of information feedback systems.
• Wiener published “The Human Use of Human Beings”
in 1950, which described a comprehensive foundation
that is still the basis for computer Security, ethics
research and analysis.
18. Evolution of Computer Security and
Privacy Issues and Ethics
• In the mid-1960s
• Donn B. Parker, at the time with SRI International in Menlo
Park, CA, began examining unethical and illegal uses of
computers and documenting examples of computer crime
and other unethical computerized activities.
• He published "Rules of Ethics in Information Processing" in
Communications of the ACM in 1968, and headed the
development of the first Code of Professional Conduct for
the Association for Computing Machinery, which was
adopted by the ACM in 1973.
• During the late 1960s, Joseph Weizenbaum, a computer
scientist at MIT in Boston, created a computer program
that he called ELIZA that he scripted to provide a crude
imitation of "a Rogerian psychotherapist engaged in an
initial interview with a patient.”
19. Evolution of Computer Security and
Privacy Issues and Ethics
• The following topics, identified by Terrell Bynum, are good to use as a basis.
• Computers in the Workplace: Computers can pose a threat to jobs as people feel
they may be replaced by them. However, the computer industry already has
generated a wide variety of new jobs. another workplace concern is health and
safety.
• Computer Crime: With the proliferation of computer viruses, spyware, phishing
and fraud schemes, and hacking activity from every location in the world,
computer crime and security are certainly topics of concern when discussing
computer ethics.
• Privacy and Anonymity: gather; store, search, compare, retrieve, and share
personal information
• Intellectual Property: One of the more controversial areas of computer ethics
concerns the intellectual property rights connected with software ownership.
• Professional Responsibility and Globalization: Global business
• Global education
• Global information flows
• Information-rich and information-poor nations
• Information interpretation
• The gap between rich and poor nations, and between rich and poor citizens in
industrialized countries, is very wide.
20. Evolution Contd…
• 1960s
Computer security issues limited to physical protection of
computers. No networking
• 1960s - 70s
New paradigms of Multiuser and Multiprogramming were
introduced
Data storage systems like concepts of database and RDBMS were
introduced
New Concerns arise –
The issue of computer security first arose in the 1970s as
individuals began to break into telephone systems.
People and companies started focusing on database processing
What is being done to their privately stored data in large databases
21. Evolution Contd…
• 1980s & 90s
Local Area Network introduced
Internet entered in the world
PCs were popularized
Net based business models like E-commerce, E-government and
E-health services started to develop new computerized systems
Malwares like Viruses become majors threats
New Concerns –
People and Companies start thinking about their security of
computers and stored data
Trust on emails and websites were primarily suspected.
They were worried about their information privacy in networked
environment / world
22. Salient Security Cases
• Salient Security Cases
The Federal Bureau of Investigation (FBI) made one of its first
arrests related to computer hacking in the early 1980s.
A group of hackers known as the 414s, named after their area code
in Milwaukee, Wisconsin, were indicted for attacking 60 different
computer systems including the Los Alamos National Laboratory
and the Memorial Sloan-Kettering Cancer Center.
Internet Worm (Morris worm )
November 2, 1988 a worm attacked more than 60,000 computers around
the USA
The worm attacks computers, and when it has installed itself, it
multiplies itself, freezing the computer
It exploited UNIX security holes in Sendmail
A nationwide effort enabled to solve the problem within 12 hours
Robert Morris [ A Professor at the MIT] became the first person to be
indicted under the Computer Fraud and Abuse Act.
He was sentenced to three years of probation, 400 hours of community service
and a fine of $10,050
23. Salient Security Cases Contd…
• Salient security harms …
NASA shutdown
In 1990, an Australian computer science student was charged for
shutting down NASA’s computer system for 24 hours
Digital Equipment Corp. and MCI Communications Corp, Attack
a 25-year-old hacker named Kevin Mitnick began tapping into the e-mail
system used by computer security managers. As a result, Mitnick was
arrested and sentenced to one year in jail.
Airline computers
In 1998, a major travel agency discovered that someone penetrated
its ticketing system and has printed airline tickets illegally
Bank theft
In 1984, a bank manager was able to steal $25 million through un-
audited computer transactions
24. Salient Security Cases Contd…
Computer Emergency Response Team
After several criminal cases the Computer Emergency Response
Team was established by the U.S. government to research the
increasing number of computer security breaches.
Three Computer viruses
Along with growth in hacking activity came the spread of computer
viruses. Three of the most well known viruses—
• Cascade,
• Friday the 13th, and
• Stoned—all originated in 1987.
By 1991, more than 1,000 viruses had been discovered
by computer security experts.
An attack on AT&T's network caused the firm's long-
distance service to temporarily shut down.
25. Salient Security Cases Contd…
During 1995, computers at the U.S. Department of Defense were
attacked roughly 250,000 times.
In 1998, the U.S. Department of Justice created the National
Infrastructure Protection Center, charging it with task of
safeguarding domestic technology, telecommunications, and
transportation systems from unethical hackers.
A 16-year-old Canadian boy operating under the name
Mafiaboy, was arrested, and authorities discovered he also had
broken into the computer networks at Harvard and Yale
Universities.
While on parole, Mafia-boy was prohibited from using the
Internet or shopping at stores that sold computers; only when
supervised by a teacher at school, could he use a computer?
26. Salient Security Cases Contd…
Cyber crime and Ethiopia
Employees of a company managed to change their salaries by
fraudulently modifying the company’s database
In 1990s Internet password theft
Hundreds of dial-up passwords were stolen and sold to
other users
Many of the owners lost tens of thousands of Birr each
In Africa: Cote d’Ivoire
An employee who has been fired by his company deleted all the
data in his company’s computer
27. Salient Security Cases Contd…
Early Efforts
• 1960s: Marked as the beginning of true computer
security
• 1970s: Research and modeling
Identifying security requirements
Formulating security policy models
Defining recommended guidelines and controls
Development of secure systems
• European Council adopted a convention on Cyber-
crime in 2001.
• The World Summit for Information Society
considered computer security and privacy as a subject
of discussion in 2003 and 2005.
• The Ethiopian Penal Code [EPC] of 2005 has articles
on data and computer related crimes.
28. Computer Privacy?
Non disclosure of Personal Information by
unauthorized persons in unauthenticated means
Web privacy can fall under several
umbrellas, including your online surfing
habits, your passwords and login information and
your computer files.
Usually, tracking any of this happens through the
use of “cookies.”
Cookies are small bits of data that are placed on
your computer by Web sites. They can help track
how often you return, other sites you’ve visited and
more.
To prevent others from knowing this, cookies can
be removed.
29. Computer Privacy?
• Internet is full of potential risk to our privacy and
security.
• Everyone has an IP address to communicate on the
Internet, IP address is like a telephone number or mailing
address. Using your IP it is possible to know your
country, city, internet provider and even physical address.
• While surfing the Internet browsers keep tracks of our
Internet activity in order to provide a more pleasant
computer and surfing experience. But these history
tracks can compromise our privacy and provide an easy
way for others to see what web sites you visited, what
you have been searching, downloading, viewing, etc.
31. Types of Computer Security Contd…
Security by Design ( i.e. Software Design Logic)
• The technologies of computer security are Based on Logic.
• As security is not necessarily the primary goal of most computer
applications, designing a program with security in mind often imposes
restrictions on that program's behavior.
There are 4 approaches to Security in Computing;
1. Trust all the software to abide by a security policy but the
software is not trustworthy (this is computer insecurity).
2. Trust all the software to abide by a security policy and the
software is validated as trustworthy (by tedious branch and path analysis
for example).
3. Trust no software but enforce a security policy with mechanisms
that are not trustworthy (again this is computer insecurity).
4. Trust no software but enforce a security policy with trustworthy
hardware mechanisms.
32. Types of Computer Security Contd…
Security Architecture [ i.e. IT infrastructure
Arch.)
• Security Architecture can be defined as the
design artifacts that describe how the security
controls (security countermeasures) are
positioned, and how they relate to the overall
Information technology architecture.
• A countermeasure is an
action, process, device, or system that can
prevent, or mitigate [lessen] the effects
of, threats to a computer, server or network. [
• System's quality
attributes, confidentiality, integrity*(validity), av
ailability, accountability and assurance [ Real
33. Contd…
• A threat is a potential or actual adverse event
that may be malicious or incidental, and that can
compromise the assets of an enterprise or the
integrity of a computer or network.
• Countermeasures can take the form of
software, hardware and modes of behavior.
Software countermeasures include:
• personal firewalls
• anti-virus software
• pop-up blockers
• Spyware detection/removal programs……..
34. Contd…
• The most common hardware countermeasure is a router that can prevent
the IP address of an individual computer from being directly visible on the
Internet. Other hardware countermeasures include:
• Biometric authentication systems
• Physical restriction of access to computers and peripherals
• Intrusion detectors
• Alarms.
• Behavioral countermeasures include:
• Frequent deletion of stored cookies and temporary files from Web
browsers
• Regular scanning for viruses and other malware
• Regular installation of updates and patches for operating systems
• Refusing to click on links that appear within e-mail messages
• Refraining from opening e-mail messages and attachments from unknown
senders
• Staying away from questionable Web sites
• Regularly backing up data on external media.
36. Types of Computer Security Contd…
Secure Operating Systems
• Such Ultra-Strong secure operating systems are
based on Operating System Kernel Technology
that can guarantee that certain security policies
are absolutely enforced in an operating
environment.
• Ordinary operating systems, on the other
hand, lack the features that assure this maximal
level of security.
• Operating System Security
• Flaws in the operating systems of computers are
discovered almost daily
37. Contd..
Basic Precautions:
• Software Updates - Make sure that the software on your computer is
regularly updated. We recommend setting your computer to check for
software updates automatically.
• Firewall - Run a firewall program on your computer. A firewall is a
device or program that blocks undesired Internet traffic, including
viruses, from accessing your computer. Both Windows and Mac OS X
have built-in firewall programs that are easy to set up. By blocking
unwanted Internet traffic, a lot of viruses and bugs can be stopped
dead in their tracks!
• Account Management - Manage the user accounts on your
computer, so you can control exactly who can log into your machine.
Especially on Windows XP machines, it is easy to accidentally leave
your computer wide open to unauthorized users.
• Antivirus Software - Use your antivirus software to scan for viruses as
files are being launched.
38. Contd..
Secure coding
• In commercial environments, the majority of software subversion
vulnerabilities result from a few known kinds of coding defects.
Common software defects include:
• Buffer overflows,
• Integer overflow, and
• Code/Command injection.
(Code injection is the exploitation of a computer bug that is caused by
processing invalid data. Code injection can be used by an attacker to
introduce (or "inject") code into a computer program to change the
course of execution. The results of a code injection attack can be
disastrous. For instance, code injection is used by some computer
worms to propagate.)
39. Contd..
• Code injection can be used to infect operating system
files, rendering all antivirus software unable to detect the
virus, if they are running on the infected operating system.
File hashes stored in Windows, to identify altered Windows
files, can also be overwritten so that the System File
Checker will report that system files are originals.
• Some common languages such as C and C++ are vulnerable
to all of these defects .
• Other languages, such as Java, are more resistant to some
of these defects, but are still prone to code/command
injection and other software defects which facilitate
subversion.
40. Physical Security
• There are three simple principles to follow:
1.Keep people away
• Most large corporations maintain very strict
control over who can enter their datacenters. They
use card key or keypad systems, log books and
human security to limit unauthorized access.
• If at all possible, sensitive servers should be kept
behind a locked door, not just a door with a
lock, and access should be limited to a select set of
trustworthy administrators
2. Keep backup away from the datacenter
41. Contd…
3. Keep them out, and
• you can't keep everyone away from them. The next layer of a good physical security
plan is to limit what can be done with the computers.
• Here's a great security feature that costs nothing: lock your computer when you're
walking away from it. In Windows NT, Windows 2000, or Windows XP, you only have
to quickly hit Ctrl+Alt+Delete,
• Lock the CPU case. Most desktop and tower cases have locking lugs that you can use
to keep an intruder from opening the case.
• Use a cable-type security lock to keep someone from stealing the whole computer.
This is particularly good advice for laptops or small desktops that can easily be hidden
inside a backpack or coat.
• Configure the BIOS not to boot from the floppy drive. This makes it harder for an
intruder to remove passwords and account data from your system's disks.
• Consider whether it's worth the expense of using a motion-sensor alarm in the room
where the computers located. (Remember, for home offices, security systems that
cover the office area are generally deductible business expenses!)
• Use the syskey utility (supported in Windows NT 4.0, Windows 2000, and Windows
XP) to secure the local accounts database, local copies of EFS encryption keys, and
other valuables that you don't want attackers to have.
42. Contd…
4 Protect your plumbing.
• Network cabling, hubs and even the external
network interface are extremely vulnerable
points in a network. An attacker who can attach
to your network can steal data in transit or mount
attacks against computers on your network—or
on other networks! If at all possible, keep hubs
and switches behind looked doors or in locked
cabinets, run cabling through walls and ceilings
to make it harder to tap, and ensure that your
external data connection points are kept locked.
43. Contd..
• Some Important Physical security measures every organization
should take
• 1. Lock up the server room
• 2. Set up surveillance
• A better solution than the log book is an authentication system
incorporated into the locking devices, so that a smart card, token,
or biometric scan is required to unlock the doors, and a record is
made of the identity of each person who enters.
• A video surveillance camera, placed in a location that makes it
difficult to tamper with or disable (or even to find) but gives a good
view of persons entering and leaving should supplement the log
book or electronic access system. Surveillance cams can monitor
continuously, or they can use motion detection technology to
record only when someone is moving about.
• They can even be set up to send e-mail or cell phone notification if
motion is detected when it shouldn’t be (such as after hours).
44. Contd..
3. Make sure the most vulnerable devices are in
that locked room
4. Use rack mount servers
5. Don’t forget the workstations connected
6. Keep intruders from opening the case Both
servers and workstations should be protected
from thieves who can open the case and grab
the hard drive.
7. Disable the drives
8. Put CCTV Cameras…….
45. Vulnerability in Computing
• In computer security, vulnerability is a
weakness which allows an attacker to reduce a
system's information assurance.
Vulnerability is the intersection of three
elements:
• A system susceptibility or flaw itself( fault),
• Attacker access to the flaw( fault), and
• Attacker capability to exploit the flaw (fault).
• Eg Body
46. Contd..
• To exploit vulnerability, an attacker must have at
least one applicable tool or technique that can
connect to a system weakness. In this frame,
vulnerability is also known as the attack surface.
• Vulnerability management is the cyclical practice
of-
• identifying,
• classifying,
• remediating, and
• mitigating (lessen).
47. Defining vulnerability
• “A weakness of an asset or group of assets
that can be exploited by one or more
threats.”
• Where an asset is anything that can has value
to the organization, its business operations
and their continuity, including information
resources that support the organization's
mission
ISO 27005 definition
48. Contd..
• “A flaw or weakness in a system's
design, implementation, or operation and
management that could be exploited to violate the
system's security policy”
IETF RFC 2828 defined vulnerability
“A flaw or weakness in system security
procedures, design, implementation, or internal
controls that could be exercised (accidentally
triggered or intentionally exploited) and result in a
security breach or a violation of the system's
security policy.”
Many NIST publications define
vulnerability in IT contest in different publications
49. Classification of Vulnerabilities
1. Hardware
• Susceptibility to humidity
• Susceptibility to dust
• susceptibility to soiling
• susceptibility to unprotected storage
2. Software
• insufficient testing
• lack of audit trail
3. Network
• unprotected communication lines
• insecure network architecture
4. Personnel
• inadequate recruiting process
• inadequate security awareness
5. Site
• area subject to flood
• unreliable power source
6. Organizational
• lack of regular audits
• lack of continuity plans
• lack of security
50. Causes of Vulnerabilities
• Complexity: Large, complex systems increase the probability of flaws and
unintended access points
• Familiarity: Using common, well-known code, software, operating
systems, and/or hardware increases the probability an attacker has or can
find the knowledge and tools to exploit the flaw
• Connectivity: More physical connections, privileges, ports, protocols, and
services and time each of those are accessible increase vulnerability
• Password management flaws: The computer user uses weak passwords
that could be discovered by brute force. The computer user stores the
password on the computer where a program can access it. Users re-use
passwords between many programs and websites.
• Fundamental operating system design flaws: The operating system
designer chooses to enforce suboptimal policies on user/program
management. For example operating systems with policies such as default
permit grant every program and every user full access to the entire
computer. This operating system flaw allows viruses and malware to
execute commands on behalf of the administrator.
51. Contd…
• Internet Website Browsing: Some internet websites may contain harmful
Spyware or Adware that can be installed automatically on the computer
systems. After visiting those websites, the computer systems become
infected and personal information will be collected and passed on to third
party individuals.
• Software bugs: The programmer leaves an exploitable bug in a software
program. The software bug may allow an attacker to misuse an
application.
• Unchecked user input: The program assumes that all user input is safe.
Programs that do not check user input can allow unintended direct
execution of commands or SQL statements (known as Buffer overflows,
SQL injection or other non-validated inputs).
• Not learning from past mistakes: for example most vulnerabilities
discovered in IPv4 protocol software were discovered in the new IPv6
implementations
• The research has shown that the most vulnerable point in most
information systems is the human user, operator, designer, or other
human: so humans should be considered in their different roles as asset,
threat, information resources. Social engineering is an increasing security
concern.