2. Computer Security and Privacy
“The
most secure
computers are those
not connected
to the Internet and
shielded
from any interference”
3. Computer Security and Privacy
Computer security is about
provisions and policies adopted to
protect information and property
from theft, corruption, or natural
disaster while allowing the
information and property to remain
accessible and productive to its
intended users.
4. Computer Security and Privacy
Network security on the other hand deals with
provisions and policies adopted to prevent and
monitor unauthorized access, misuse, modification, or
denial of the computer network and network-
accessible resources.
Internet
Not Sufficient!!
5. Computer Security and Privacy
Elements of Security
Integrity
Confidentiality
Availaibility
6. Spoofing Attack
Brut Force Attack:
Malware Attack:
Virus/Worm Attack
SMURF Attack:
SYN Attack
Trojan Horse
Logic Bomb
Ping of Death
Packet Sniffing
Eavesdropping
Cracking
Session Hijacking
War Dialing
DoS/DDoS
Blackout/ Brownout
Serge/Spike
Traffic Analysis
Wire Tapping
Assignment:
• Form a group of Three.
• Read about these security attack
related keywords and write a
five page (maximum) summary
of your findings including any
recorded history of significant
damages created by these
attacks.
• Send your report by email in
word format after two weeks
(Use your names as the file
name:shew.admas2010@gmail.com).
• Bonus: While reading, if you find
keywords other than these, send
them on the second page of
your report.
• Finally prepare for presentation.
Computer Security and Privacy
7. Course Outline
1.Fundamentals of computer security & privacy
Overview: history, vulnerabilities, countermeasures, physical security
2.Computer security attacks/threats
Viruses, Worms, Trojan horses, Crackers, Spy-wares …
3.Cryptography and Encryption Techniques
4.Network security concepts and mechanisms
Transport and Application layer security, IP security, …
5.Security mechanisms and techniques
Authentication, access control, firewall, …
6.Secure system planning and administration
Analysing risks, planning, policies and procedures
7.Information Security
Legal, ethical and policy issues
8. References
1. Computer security basics, D. Russel and G. Gangemi
2. Security Complete, BPB Publications
3. Computer Security Fundamentals, Chuck Easttom
4. Network Security Essentials, W. Stallings
5. Effective Physical Security, Lawrence Fennelly
6. Information Security Policies and Procedures, Thomas R. Peltier
7. Physical Security for IT, Erbschloe Michael
8. Computer Security: Art and Science, Matt Bishop
9. Computer Security, Dicter Gouman, John Wiley & Sons
10. Computer Security: Art and Science, Mathew Bishop, Addison-Wesley
11. Principles of Information Security, Whitman, Thomson.
12. Network security, Kaufman, Perl man and Speciner, Pearson Education.
13. Cryptography and Network Security, 5th Edition William Stallings, Pearson
Education
14. Introduction to Cryptography, Buchmann, Springer.
9. Computer Security and Privacy/ Overview
Security: The prevention and protection of computer
assets from unauthorized access, use, alteration,
degradation, destruction, and other threats.
Privacy: The right of the individual to be protected
against intrusion into his personal life or affairs, or those
of his family, by direct physical means or by publication
of information.
Security/Privacy Threat: Any person, act, or object
that poses a danger to computer security/privacy.
Definitions
10. Computer Security and Privacy/Attacks
Prevention
oTo prevent someone from violating a security policy
Detection:
oTo detect activities in violation of a security policy
oVerify the efficacy of the prevention mechanism
Recovery
oStop policy violations (attacks)
oAssess and repair damage
oEnsure availability in presence of an ongoing attack
oFix vulnerabilities for preventing future attack.
oRetaliation against the attacker
Goals of Security
11. Computer Security and Privacy/Attacks
Interruption: An attack on availability
E.g. DOS Attack
Interception: An attack on confidentiality
E.g. Eyes dropper
Modification: An attack on integrity
E.g. Hacker
Fabrication: An attack on authenticity
E.g. Man in the middle (MITM)
Repudiation of origin: False denial that an
entity created something.
Categories of Attacks(Common security attacks)
12. Computer Security and Privacy/Attacks
Disclosure: Disclosure: unauthorized access to information
oSpoofing
Deception: acceptance of false data.
oModification, masquerading/spoofing, repudiation of origin,
denial of receipt.
oModification
Disruption: interruption/prevention of correct
interruption/prevention of correct operation
oModification
Usurpation: Usurpation: unauthorized control of a system
unauthorized control of a system component
oModification, masquerading/spoofing, delay, denial of service
Classes of Threats (Shirley)
13. Computer Security and Privacy/Attacks
Categories of Attacks/Threats (W. Stallings)
Normal flow of information
Interruption Interception
Modification Fabrication
Source
Destination
Attack
14. Computer Security and Privacy/Vulnerabilities
Physical vulnerabilities (Ex. Buildings)
Natural vulnerabilities (Ex. Earthquake)
Hardware and Software vulnerabilities (Ex. Failures)
Media vulnerabilities (Ex. Disks can be stolen)
Communication vulnerabilities (Ex. Wires can be tapped)
Human vulnerabilities (Ex. Insiders)
Types of Vulnerabilities
16. Computer Security and Privacy/ The Human Factor
The human factor is an important component of
computer security
Some organizations view technical solutions as
“their solutions” for computer security. However:
Technology is fallible (imperfect)
Ex. UNIX holes that opened the door for Morris worm
The technology may not be appropriate
Ex. It is difficult to define all the security requirements and find a
solution that satisfies those requirements
Technical solutions are usually (very) expensive
Ex. Antivirus purchased by ETC to protect its Internet services
Given all these, someone, a human, has to implement the solution
17. Computer Security and Privacy/ The Human Factor
Competence of the security staff
Ex. Crackers may know more than the security team
Understanding and support of management
Ex. Management does not want to spend money on
security
Staff’s discipline to follow procedures
Ex. Staff members choose simple passwords
Staff members may not be trustworthy
Ex. Bank theft
18. Computer Security and Privacy/ Physical Security
“The most robustly secured
computer that is left sitting
unattended in an unlocked room
is not at all secure !!”
[Chuck Easttom]
19. Computer Security and Privacy/ Physical Security
Physical security protects your physical computer
facility (your building, your computer room, your
computer, your disks and other media) [Chuck
Easttom].
Physical security is the use of physical controls to
protect premises, site, facility, building or other
physical asset of an organization [Lawrence Fennelly]
20. Computer Security and Privacy/ Physical Security
In the early days of computing physical security
was simple because computers were big,
standalone, expensive machines
It is almost impossible to move them (not
portable)
They were very few and it is affordable to
spend on physical security for them
Management was willing to spend money
Everybody understands and accepts that there
is restriction
21. Computer Security and Privacy/ Physical Security
=>
Physical security is much more
difficult to achieve today than some
decades ago
22. Computer Security and Privacy/ Physical Security
Natural Disasters
Fire and smoke
Fire can occur anywhere
Solution – Minimize risk
Good policies: NO SMOKING, etc..
Fire extinguisher, good procedure and training
Fireproof cases (and other techniques) for backup tapes
Fireproof doors
Climate
Heat
Direct sun
Humidity
Threats and vulnerabilities
23. Computer Security and Privacy/ Physical Security
Natural Disasters …
Hurricane, storm, cyclone
Earthquakes
Water
Flooding can occur even when a water tab is not properly closed
Electric supply
Voltage fluctuation
Solution: Voltage regulator
Lightning
Threats and vulnerabilities …
Solution
Avoid having servers in areas often hit by Natural Disasters!
24. Computer Security and Privacy/ Physical Security
People
Intruders
Internal Thieves
Thieves
People who have been given access unintentionally by the
insiders
Employees, contractors, etc. who have access to the
facilities
External thieves
Portable computing devices can be stolen outside the
organization’s premises
Loss of a computing device
Mainly laptop
Threats and vulnerabilities …
25. Computer Security and Privacy/ Physical Security
Safe area
Safe area often is a locked place where
only authorized personnel can have
access
Organizations usually have safe area for
keeping computers and related devices
26. Computer Security and Privacy/ Physical Security
Is the area inaccessible through other openings
(window, roof-ceilings, ventilation hole, etc.)?
Design of the building with security in mind
Know the architecture of your building
Safe area … Challenges
During opening hours, is it always possible to
detect when unauthorized person tries to get to the
safe area?
Surveillance/guards, video-surveillance, automatic-
doors with security code locks, alarms, etc.
Put signs so that everybody sees the safe area
27. Computer Security and Privacy/ Physical Security
Are the locks reliable?
The effectiveness of locks depends on the design, manufacture,
installation and maintenance of the keys!
Among the attacks on locks are:
Illicit keys
Duplicate keys
Avoid access to the key by unauthorized persons even for a few seconds
Change locks/keys frequently
Key management procedure
Lost keys
Notify responsible person when a key is lost
There should be no label on keys
Circumventing of the internal barriers of the lock
Directly operating the bolt completely bypassing the locking mechanism which remains locked
Forceful attacks:
Punching, Drilling, Hammering, etc.
Safe area…Locks
28. Computer Security and Privacy/ Physical Security
Surveillance with guards
The most common in Ethiopia
Not always the most reliable since it adds a
lot of human factor
Not always practical for users (employees
don’t like to be questioned by guards
wherever they go)
Safe area… Surveillance
29. Computer Security and Privacy/ Physical Security
Safe area… Surveillance
Surveillance with video
Uses Closed Circuit Television (CCTV)
Started in the 1960s
Become more and more popular with the worldwide increase of
theft and terrorism
Advantages
A single person can monitor more than one location
The intruder doesn’t see the security personnel
It is cheaper after the initial investment
It can be recorded and be used for investigation
Since it can be recorded the security personnel is more careful
Today’s digital video-surveillance can use advanced techniques such
as face recognition to detect terrorists, wanted people, etc.
Drawback
Privacy concerns
30. Computer Security and Privacy/ Physical Security
Choose employees carefully
Personal integrity should be as important a
factor in the hiring process as technical skills
Create an atmosphere in which the levels of
employee loyalty, morale, and job satisfaction
are high
Remind employees, on a regular basis, of
their continuous responsibilities to protect
the organization’s information
Internal Human factor - Personnel
31. Computer security/ Attacks & Threats
A computer security threat is any person,
act, or object that poses a danger to
computer security
Computer world is full of threats!
… refer to the first assignment…
And so is the real world!
Thieves, pick-pockets, burglars,
murderers, drunk drivers, …
32. Computer security/ Attacks & Threats
What is the right attitude?
To do what you do in real life
What do you do in real life?
You learn about the threats
What are the threats
How can these threats affect you
What is the risk for you to be attacked by these threats
How you can protect yourself from these risks
How much does the protection cost
What you can do to limit the damage in case you are attacked
How you can recover in case you are attacked
Then, you protect yourself in order to limit the risk but to
continue to live your life
You need to do exactly the same thing with computers!
33. Computer security/ Attacks & Threats
Types of Threats/Attacks … (Chuck Eastom)
Hacking Attack:
Any attempt to gain unauthorized access to
your system
Denial of Service (DoS) Attack
Blocking access from legitimate users
Physical Attack:
Stealing, breaking or damaging of computing
devices
34. Computer security/ Attacks & Threats
Malware Attack:
A generic term for software that has malicious
purpose
Examples
Viruses
Trojan horses
Spy-wares
New ones: Spam/scam, identity theft, e-payment
frauds, etc.
Types of Threats/Attacks (Chuck Eastom)
35. Computer security/Threats
Viruses
“A small program that replicates and hides itself inside
other programs usually without your knowledge.”
Symantec
Similar to biological virus: Replicates and Spreads
Malware Attack:
Worms
An independent program that reproduces by copying
itself from one computer to another
It can do as much harm as a virus
It often creates denial of service
36. Computer security/Threats
Trojan horses
(Ancient Greek tale of the city of Troy and the wooden
horse) - ??
Secretly downloading a virus or some other type of mal-
ware on to your computers.
Spy-wares
“A software that literally spies on what you do on your
computer.”
Example: Simple Cookies and Key Loggers
Malware Attack…
37. Computer security/Threats
Infection mechanisms
First, the virus should search for and detect
objects to infect
Installation into the infectable object
Writing on the boot sector
Add some code to executable programs
Add some code to initialization/auto-executable
programs
…
Most software based attacks are commonly
called Viruses: How do viruses work?
39. Computer security/Threats
Adolescents
Ethically normal and of average/above
average intelligence.
Tended to understand the difference
between what is right and wrong
Typically do not accept any responsibility
for problems caused
Who Writes Virus
40. Computer security/Threats
The College Student
Ethically normal
Are not typically concerned about the results of
their actions related to their virus writing
Who Writes Virus …
The Adult (smallest category)
Ethically abnormal
42. Types of Antivirus
1. AVG(Anti Virus Garden)
the first most popular anti virus software
It can download freely from internet
2. MacAfee
the second most popular anti virus software
3. Norton
the third most popular anti virus software and it cheeks and
delete virus from a computer
43. Computer security/Threats
Functions of anti-viruses
Identification of known viruses
Detection of suspected viruses
Blocking of possible viruses
Disinfection of infected objects
Deletion and overwriting of infected
objects
Anti-Virus …
44. Computer security/Threats
Hacking: is any attempt to intrude or gain
unauthorized access to your system either via
some operating system flaw or other means. The
purpose may or may not be for malicious
purposes.
Hackers/Intrusion Attack:
Cracking: is hacking conducted for malicious purposes.
45. Computer security/Threats
DoS Attack: is blocking access of legitimate
users to a service.
Denial of Service (DoS) Attack:
Distributed DoS Attack: is accomplished by
tricking routers into attacking a target or using
Zumbie hosts to simultaneously attack a given
target with large number of packets.