INJIBARA UNIVERSITY
COLLEGE OF ENGINEERING AND TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE
EXIT EXAM TUTOR SESSION
Outline
• Understand the basic concepts in computer security
• Issues related to program security
• Common vulnerabilities in computer programs
• Basic requirements for a trusted operating system
• Independent evaluation, including evaluation criteria and evaluation process
• Security requirements for database security
• Techniques to ensure database integrity and reliability
• Secrecy, inference control and multilevel database
Basic Concept of Computer Security
Computer security is the protection (both physical and logical) of a computer system from attackers in order to achieve the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources.
It is all about addressing the issues of integrity, availability and confidentiality.
• Computer security comprises cyber security, information security, network security and application security.
• The purpose of computer security is to prevent the weaknesses of a device from being exploited or misused.
The 3 principles of computer security (CIA triad)
Confidentiality
Confidentiality means protecting information from unauthorized access and misuse.
• Data confidentiality: assures that confidential information is not open to unauthorized individuals.
• Privacy: assures that individuals control what information may be collected and stored.
Integrity
Integrity means protecting information from unauthorized alteration.
• Data integrity: assures that information and programs are changed only in a specified and authorized manner.
• System integrity: assures that a system performs its operations in an unaffected manner.
Availability
Availability means that authorized users have access to the systems and the resources they need.
Issues related to program security
• Vulnerability: a weakness in any system that can be exploited by an attacker to deliver a successful attack.
• Risk: the damage that could be caused to the organization in the event of an attack.
• Threat: a person or thing likely to cause damage or danger.
• Attack: any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.
• Security issue: any situation, threat, vulnerability, act or omission posing a risk of giving rise to a security incident (attempted or successful unauthorized access, use, disclosure, modification, or destruction of information). Alternatively, a program security issue is any unmitigated risk in your program that hackers can use to do damage to a program.
• Phishing: phishing attacks use fake communication, such as an email, to trick the receiver into opening it and carrying out the instructions inside, such as providing a credit card number. The goal is to steal sensitive data like credit card and login information or to install malware on the victim's machine.
• Ransomware: a specific type of malware, ransomware works by encrypting key files on a machine or network, then demanding a payment, usually in the form of Bitcoin or another cryptocurrency, to make them accessible again.
• Denial of service (DoS): a hacker floods a website with more traffic than it can handle.
Common vulnerabilities in computer programs
• Cryptographic Failures: sensitive data such as addresses, passwords, and account numbers must be properly protected. If it isn't, untrustworthy agents take advantage of the vulnerabilities to gain access.
• Identification and Authentication Failures: authentication and session management application functions need to be implemented correctly. If they aren't, the result is a software vulnerability that can be exploited by untrustworthy agents to gain access to personal information.
• Weak passwords.
• Broken Access Control: user restrictions must be properly enforced. If they are broken, this can create a software vulnerability that untrustworthy agents can exploit.
• Software that is already infected with a virus.
• Download of code without integrity checks.
• Use of broken algorithms (if someone is able to discover the key that was used for encryption).
Basic requirements for trusted operating system
• Trusted Operating System (TOS) refers to an operating system that provides sufficient support for multilevel security.
• A system is called trusted if it meets the intended security requirements.
• Generally, an operating system that manages data to make sure that it cannot be altered, moved, or viewed except by entities having appropriate and authorized access rights is called a trusted operating system.
• Examples of certified trusted operating systems are: Apple Mac OS X 10.6 (rated EAL 3+), HP-UX 11i v3 (rated EAL 4+), and some Linux distributions (rated up to EAL 4+).
Key requirements for TOS
1. Identification and Authentication: trusted operating systems require secure identification of individuals, and each individual must be uniquely identified/recognized.
2. Mandatory and discretionary access control: mandatory access control (MAC) refers to the granting of access by a central authority, not by individual users. Under discretionary access control (DAC), objects not managed by the central authority can be managed by the individual user owning them.
3. Complete Mediation: trusted operating systems perform complete mediation, meaning that all accesses are checked.
4. Trusted path: a mechanism that provides confidence that the user is communicating with what the user intended to communicate with, ensuring that attackers can't intercept or modify whatever information is being communicated.
5. Intrusion Detection: a trusted OS must be able to detect some attacks.
6. Accountability and Audit: accountability usually entails maintaining a log of security-relevant events that have occurred, listing each event and the person responsible for the addition, deletion, or change. A trusted OS must protect the audit logs from outsiders, and record every security-relevant event.
These are termed functional requirements.
Assurance Requirements
• Configuration Management – this requirement addresses the identification of configuration items, consistent mappings among all documentation and code, and tools.
• Trusted Distribution – addresses the integrity of the mapping between masters and on-site versions of the software as well as acceptance procedures for the customer.
• System Architecture – mandates modularity, minimization of complexity, and other techniques.
• Design Specification and Verification – addresses a large number of individual requirements, which vary among the evaluation classes.
• Testing – addresses conformance with claims/right, resistance to penetration and correction of flaws followed by retesting.
• Product Documentation – is divided into a Security Features User's Guide and an administrator guide called a Trusted Facility Manual. Internal documentation includes design and test documentation.
Independent evaluation
• Most system consumers (that is, users or system purchasers) are not security experts. They need the security functions, but they are not usually capable of verifying the accuracy or adequacy of test coverage, checking the validity of a proof of correctness, or determining in any other way that a system correctly implements a security policy. Thus, it is useful (and sometimes essential) to have an independent third party evaluate an operating system's security.
• Independent experts can review the requirements, design, implementation, and evidence of assurance for a system.
Independent evaluation criteria
• Security policy: the policy must be explicit and well defined and enforced/applied by the mechanisms within the system.
• Identification: individual subjects must be uniquely identified.
• Documentation: documentation must be provided, including test, design, and specification documents, user guides, and manuals.
• Accountability: audit data must be captured and protected to enforce accountability.
• Life cycle assurance: software, hardware, and firmware must be able to be tested individually to ensure that each enforces the security policy in an effective manner throughout their lifetimes.
• Continuous protection: the security mechanisms and the system as a whole must perform predictably/certainly and acceptably in different situations continuously.
Evaluation process
We can examine the evaluation process itself, using a set of objective criteria. For instance, it is fair to say that there are several desirable qualities we would like to see in an evaluation, including the following:
• Extensibility. Can the evaluation be extended as the product is enhanced?
• Granularity. Does the evaluation look at the product at the right level of detail?
• Speed. Can the evaluation be done quickly enough to allow the product to compete in the marketplace?
• Thoroughness. Does the evaluation look at all relevant aspects of the product?
• Objectivity. Will two different reviewers give the same rating to a product?
• Portability. Does the evaluation apply to the product no matter what platform the product runs on?
• Consistency. Do similar products receive similar ratings? Would one product evaluated by different teams receive the same results?
• Compatibility. Could a product be evaluated similarly under different criteria?
• Exportability. Could an evaluation under one scheme be accepted as meeting all or certain requirements of another scheme/structure?
Security requirements for database security
• Database security is a set of practices and technologies used to protect database management systems from malicious cyberattacks and unauthorized use. Alternatively, it refers to the range of tools, controls, and measures designed to establish and preserve database confidentiality, integrity, and availability.
• The goal of database security is to protect against misuse, data corruption, and intrusion, not only of the data in the database, but of the data management system itself and applications that access the database.
• Another aspect of database security is protecting and hardening the physical or virtual server hosting the database, and the surrounding computing and network environment.
• Database security must address and protect the following:
  • The data in the database.
  • The database management system (DBMS).
  • Any associated applications.
  • The physical database server and/or the virtual database server and the underlying hardware.
  • The computing and/or network infrastructure used to access the database.
Techniques to ensure database reliability and integrity
• Database reliability is defined broadly to mean that the database performs consistently/constantly without causing problems. More specifically, it means that there is accuracy and consistency of data.
• Database integrity is the collection of rules set in place to ensure that the mechanisms to hold data can provide the same conditions applicable to the security of the data itself.
Techniques:
• Validating input data
• Removing duplicate data
• Backing up data
• Using access controls
• Keeping an audit trail
• Performing penetration testing and security audits
• Encrypting your data
• Using an effective database management system
• Conducting risk analysis
• Making decisions about scaling
• Educating other engineers
• Utilizing automation
• Note: of the techniques above, those in boldface are the tasks of Database Reliability Engineers.
• Database reliability engineering is an effective way for organizations to ensure database reliability and to ensure that organizations are able to effectively use data.
• Database reliability engineering is generally driven by the database reliability engineer, a data administrator who works to ensure that data is protected and accessible.
• Among other things, this increased reliability provides the safety and support needed to enable innovation and facilitate work.
Inference control
• Another crucial component of database security in DBMSs (Database Management Systems) is inference control.
• It refers to the methods used to stop unauthorized users from drawing conclusions about sensitive information from less sensitive data. Because even seemingly innocent information can be used in conjunction with other data to infer sensitive information, inference management is essential.
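One common inference control is to answer aggregate queries only when the set of matching rows is neither too small nor too close to a set already answered. The sketch below is an added example, not part of the original slides; the table, the `StatGuard` class and the threshold `k` are hypothetical names and constructed data chosen for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample table: (name, department, sex, salary)
EMPLOYEES = [
    ("Abebe", "CS", "M", 5200), ("Sara", "CS", "F", 6100),
    ("Kebede", "CS", "M", 4800), ("Hana", "IT", "F", 5500),
    ("Dawit", "IT", "M", 5900), ("Meron", "IT", "F", 6300),
    ("Yonas", "SE", "M", 5100), ("Liya", "SE", "F", 5700),
]


class InferenceDenied(Exception):
    """Raised when an answer would let a user isolate too few records."""


@dataclass
class StatGuard:
    rows: list
    k: int = 3                                    # minimum query-set size (assumed policy value)
    answered: list = field(default_factory=list)  # query sets already released

    def _query_set(self, predicate):
        return frozenset(i for i, r in enumerate(self.rows) if predicate(r))

    def _check(self, qs):
        n = len(self.rows)
        # Size control: too few rows, or all but a few rows, reveals individuals.
        if not (self.k <= len(qs) <= n - self.k):
            raise InferenceDenied("query set size outside [k, n-k]")
        # Overlap control: two answers whose sets differ by fewer than k rows
        # can be subtracted to expose those few rows.
        for prev in self.answered:
            if 0 < len(qs ^ prev) < self.k:
                raise InferenceDenied("differs from an earlier query by < k rows")

    def sum_salary(self, predicate):
        qs = self._query_set(predicate)
        self._check(qs)              # refuse before any value is computed
        self.answered.append(qs)     # only released sets are remembered
        return sum(self.rows[i][3] for i in qs)


def demo():
    guard = StatGuard(EMPLOYEES, k=3)
    queries = [
        ("CS staff", lambda r: r[1] == "CS"),
        ("one person", lambda r: r[0] == "Sara"),
        ("CS staff plus Hana", lambda r: r[1] == "CS" or r[0] == "Hana"),
        ("all women", lambda r: r[2] == "F"),
    ]
    out = []
    for label, pred in queries:
        try:
            out.append((label, guard.sum_salary(pred)))
        except InferenceDenied as exc:
            out.append((label, f"DENIED: {exc}"))
    return out


if __name__ == "__main__":
    for label, result in demo():
        print(f"{label:20} -> {result}")
```

The third query is individually harmless (four rows), but it is refused because combining it with the first answer would reveal one person's salary.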
Secrecy
• Secrecy is the practice of hiding information from certain individuals or groups who do not have the "need to know", perhaps while sharing it with other individuals. That which is kept hidden is known as the secret.
• Techniques to ensure secrecy:
  • Encryption
  • Restricting access to data
  • Implementing a confidentiality policy
Multi-level database
• A multilevel database system supports the application of a multilevel policy for regulating access to the database object.
• A multilevel database provides security for data depending on the sensitivity of the data field and permission of the user for both writing and reading data.
• It needs multilevel security.
• Multilevel security databases contain information at a number of different classification levels.
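The following added example (not part of the original slides) ties the multilevel database described here to three of the trusted OS requirements listed earlier: mandatory access control, complete mediation, and audit. It assumes the Bell-LaPadula rules ("no read up, no write down") as the multilevel policy, which the slides do not name; the class, field and subject names are hypothetical and the data is constructed.

```python
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2


# Constructed schema: each field carries its own classification level.
FIELD_LEVEL = {
    "name": Level.UNCLASSIFIED,
    "department": Level.UNCLASSIFIED,
    "salary": Level.CONFIDENTIAL,
    "diagnosis": Level.SECRET,
}


class MultilevelTable:
    def __init__(self, field_level, clearances):
        self.field_level = dict(field_level)
        self.clearances = dict(clearances)  # assigned centrally (MAC), not by users
        self.rows = {}
        self.audit = []                     # (subject, action, field, decision)

    def _mediate(self, subject, action, fld):
        """Single choke point: every access is checked and logged."""
        clearance = self.clearances.get(subject)
        obj = self.field_level.get(fld)
        if clearance is None or obj is None:
            allowed = False                 # unknown subject or field: default deny
        elif action == "read":
            allowed = clearance >= obj      # no read up
        elif action == "write":
            allowed = clearance <= obj      # no write down
        else:
            allowed = False
        self.audit.append((subject, action, fld, "ALLOW" if allowed else "DENY"))
        return allowed

    def read(self, subject, key):
        # The caller sees only the fields its clearance dominates.
        row = self.rows.get(key, {})
        return {f: v for f, v in row.items() if self._mediate(subject, "read", f)}

    def write(self, subject, key, fld, value):
        if not self._mediate(subject, "write", fld):
            return False
        self.rows.setdefault(key, {})[fld] = value
        return True


def demo():
    t = MultilevelTable(FIELD_LEVEL, {
        "clerk": Level.UNCLASSIFIED,
        "hr": Level.CONFIDENTIAL,
        "doctor": Level.SECRET,
    })
    t.write("clerk", 1, "name", "Hana")
    t.write("clerk", 1, "department", "IT")
    t.write("hr", 1, "salary", 5500)
    t.write("doctor", 1, "diagnosis", "asthma")
    # A SECRET subject writing an UNCLASSIFIED field could leak data downward.
    write_down = t.write("doctor", 1, "name", "X")
    return {
        "clerk": t.read("clerk", 1),
        "hr": t.read("hr", 1),
        "doctor": t.read("doctor", 1),
        "write_down_allowed": write_down,
        "denials": [e for e in t.audit if e[3] == "DENY"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The same row yields a different view for each clearance, and every refused access leaves an entry in the audit list.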
THANK YOU!!!

Cryptography_system analysis module.pptx
