This document provides an introduction to basic security concepts, including definitions of security, principles of penetration, and classifications of protection. It discusses goals of security including integrity, confidentiality, and availability. Common security threats are also outlined such as interruption, interception, modification, and fabrication. The document then covers methods of defense for computer security including access controls, encryption, policies, physical controls, and system design approaches. Identification and authentication methods are described for system access control. Data access control and access rights models are also summarized.

1. 2/24/2013
1
TOPIC 1
Basic Security Concepts
INTRODUCTION
What is security?
Security is about the protection of assets.
- Computer-related assets.
Computing system :- hardware, software,
storage media, data and people.
Principle of Easiest Penetration
Intruder must be expected to use all
available means of penetration. Use the
‘weakest point’.
INTRODUCTION
There are 3 classification of protection:
– Prevention: take measures that prevent your
assets from being damaged.
– Detection: take measures that allow you to
detect when an asset has been damaged
– Reaction: take measures that allow you to
recover your assets or to recover from damage
to your assets.
Example from physical world:
– Prevention: locks at the door or window bars,
wall around the property
– Detection: you detect when something has been
stolen if it is no longer there, a burglar alarm
goes on when break-in occurs, cctv provide
information that allows you to identify intruders
– Reaction: you can call the police or you may
decide to replace the stolen item
INTRODUCTION
INTRODUCTION
Example from cyber world: consider credit card fraud
cases.
– Prevention: use encryption when placing an order,
rely on the merchant to perform some checks on
the caller before accepting a credit card order or
don’t use credit card number on the Internet.
– Detection: a transaction that you had not authorized
appears on your credit card statements.
– Reaction: you can ask for new credit card number,
the cost of the fraudulent may be recovered by the
card holder or the merchant where the fraudster
had made the purchase or the credit card issuer.
SECURITY
GOALS
INTEGRITY: An assets can be
modified only by authorized or
only in authorized ways.
CONFIDENTIALITY: an assets of
computing systems are available
only by authorized parties (also
known as secrecy).
AVAILABILITY : An assets are
accessible to authorized parties
when needed without any
delay.

2. 2/24/2013
2
SECURITY
THREATS
INTERRUPTION: An asset of the
system is destroyed or become
unavailable or unusable – attack
on AVAILABILTY
INTERCEPTION: An unauthorized
party (program, person,
computer) gains access to an
asset – attack on
CONFIDENTIALITY
MODIFICATION: An unauthorized
party not only gain access to but
tampers with an assets – attack
on INTEGRITY
FABRICATION: An unauthorized
party insert counterfeit objects
into the system – an attack on
AUTHENTICITY
Information
source
Information
destination
INTERRUPTION
Information
source
Information
destination
MODIFICATION
Information
source
Information
destination
INTERCEPTION
Information
source
Information
destination
FABRICATION
Middle
man
Middle
man
Middle
man
SECURITY THREATS
Examples of security threats/attacks:
Interruption
~ destruction of piece of hardware (hard disk)
~ cutting of communication line or
~ disabling of the file management system
Interception
~ wiretapping
~ illicit copy of files or programs
Modification
~ changing values in data file,
~ altering a program so that
it performs differently,
~ modifying the content of messages being transmitted in a network.
Fabrication
~ addition of records to a file,
~ insertion of spurious messages in a network
Vulnerabilities
Vulnerabilities: a weaknesses in the security
system that might be exploited to cause
loss or harm.
DATASOFTWARE
HARDWARE
Interception
(Theft)
Interruption
(Denial of service)
Interruption
(Deletion)
Interception
(piracy)
Modification
Interruption
(Loss)
Interception
Modification
Fabrication
Vulnerabilities in Computing Systems
Vulnerabilities
Threats to Hardware
• involuntary machine-slaughter: accidental acts not intended to
do serious damage.
• voluntary machine-slaughter: intended to do harm
Threats to Software
• deletion
• modification – trojan horse, virus, trapdoor, logic bomb
• theft - piracy

3. 2/24/2013
3
Vulnerabilities
Threats to Data
• loss of data
•interception
• modification
• fabrication
Threats to other exposed assets
• storage media – consider backups
• networks – very expose medium, access from distant
• access – steal computer time, denial of service
• key people – disgruntled employees
Methods of Defense
Encryption provides
~ confidentiality for data
~ integrity
~ basis for protocol
SOFTWARE/HARDWARE
CONTROLSENCRYPTION
POLICIES
Software controls:
~ Internal program controls
~ Operating system controls
~ Development controls
Hardware controls:
~ hardware devices :
- smartcard (encryption)
- circuit board ctrl disk
drives in PCs~ frequent changes
of password
~ training
Legal and ethical controls
~ codes of ethics ~ locks of doors
~ backup copies of important s/w and data
~ physical site planning (reduce natural disasters)
PHYSICAL CONTROLS
METHODS OF
DEFENSE
Who are the people?
Amateurs: not career criminal but normal people
who observe a flaw in a security system – have
access to something valuable.
Crackers: may be university or high school
students who attempt to access computing facilities
for which they have not been authorized.
Career criminal: understands the targets of
computer crime, international groups, electronic
spies, information brokers.
Hackers: someone with deep knowledge and
interest in operating systems or multiple OS. Do not
attempt to intentionally break any system (non-
malicious).
How to makes a system secure?
There are four methods how computer security provide
protection:
(1) System Access Control: ensuring that unauthorized
users don’t get into the system.
(2) Data Access Control: monitoring who can access what
data and for what purposes.
(3) System and Security Administration: performing
certain procedures (system administrator’s responsibilities or
training users appropriately)
(4) System Design: Taking advantage of basic hardware
and software security characteristics.
System Access Control
The first way in which system provides computer
security is by controlling access to that system:
– Who’s allowed to log in?
– How does the system decide whether a user is legitimate?
Identification and authentication provides the
above.
Identification & Authetication
Identification tells the system who you are
Authentication proves to the system that you are
who you are.
There are 3 ways to prove ourselves:
– Something you know
– Something you have
– Something you are
System Access Control

4. 2/24/2013
4
e.g.: password
~ you know the
password,
you the owner
AUTHENTICATION
IDENTIFICATION
&
AUTHENTICATION
SOMETHING YOU
HAVE
SOMETHING YOU
KNOW
SOMETHING YOU
ARE
e.g.: tokens,keys &
smart cards
~ you have the key,
you must be the owner
of it
e.g: fingerprints,retina pattern,handprint etc.
Username and Password
Typical first line of defense
User name (Login ID) – identification
Password – authentication
Login will succeed if you entered a valid user name
and corresponding password.
System Access Control
User plays an important role in
password protection – authentication
is compromised when you gave away
your own password by telling others.
Common threats on password:
– Password guessing: exhaustive search
and intelligent search
– Password spoofing
– Compromise of the password file
System Access Control
How we can defend password security:
– Compulsory to set a password
– Change default password
– Password length
– Password format
– Avoid obvious passwords
How system help to improve password security:
– Password checkers
– Password generation
– Password ageing
– Limit login attempts
– Inform users
System Access Control
Data Access Control
On the most elementary level, a subject
may observe an object or alter an object,
therefore the common access modes are
defined as below:
– Observe: look at the contents of an object
– Change: change the contents of an object
Data Access Control
Observe
Change
execute append read write
√
√ √
√
Access rights in the Bell-LaPadula model
{execute, read, write}
Alice
Bill
bill.doc edit.exe fun.com
{read, write}
{execute}
{execute}
{execute, read}-
An access control matrix

5. 2/24/2013
5
Effectiveness of Controls
Awareness of Problems: people will cooperate
with security requirements only if they understand
why security is appropriate in each specific
situation.
Likelihood of use: controls must be used to be
effective – therefore it must be easy to use and
appropriate.
Overlapping controls: combinations of control on
one exposure.
Periodic review: ongoing task in judging the
effectiveness of a control.
The End