Computer Security Management
(ISYS20261)
Lecture 2 – Threats and Vulnerabilities




 Module Leader: Dr Xiaoqi Ma
 School of Science and Technology
Last week …

• Computer security - protection of information related assets:
  – Data
  – Hardware
  – Software
  – People
  – Intangible assets

• Information security requirements:
  – Confidentiality
  – Integrity
  – Availability




Remember definitions?

• Harm
  – Something happens to an asset that we do not want to happen

• Threat
  – Possible source of harm

• Attack
  – Threatening event (instance of a threat)

• Attacker
  – Someone or something that mounts a threat

• Vulnerability
  – Weakness in the system (asset) that makes an attack more likely to succeed

• Risk
  – Possibility that a threat will affect the business or organisation

Security risks and management




[Figure: diagram with the elements Asset, Vulnerability, Threat, Risk and Security Measures, annotated with the labels Risk Analysis and Risk Management]




Today ...

… we will discuss:


• Harm and threats
• Vulnerabilities
• Methods of defence




Harm and threats

• Six basic types of harm:
  – Modification
  – Destruction
  – Disclosure
  – Interception
  – Interruption
  – Fabrication

• A threat is a possible source of harm
• Example: a virus formats the hard disk of a computer
• Threats exploit vulnerabilities of systems




Modification

• Data held in a computer system is accessed in an unauthorised
  manner and is changed without permission
• Somebody either changes values in a database or alters routines in
  a computer program to perform additional computations
• Modification can also occur when data is changed during
  transmission
• Modification of data can also be caused by changing the hardware of
  an information system




Destruction

• Occurs when hardware, software, or data is destroyed because of
  malicious intent
• Can happen not only to stored data, but also to data at the input
  stage (before processing)




Disclosure

• Takes place when data, or access to software, is made available
  without the consent of the individual responsible for the data or
  software
• Serious impact on security and privacy
• Responsibility for data and/or software is usually linked to a position
  within an organisation
• Although disclosure of data can occur because of malicious intent, it
  also often happens because of a lack of proper procedures within
  an organisation




Interception

• Occurs when an unauthorised person or software gains access to
  data or computer resources
• May result in copying of programs or data
• An interceptor may use computing resources at one location to
  access assets elsewhere




Interruption

• Occurs when a computer resource becomes unavailable for use
• Might be a consequence of malicious damage of computing
  hardware, erasure of software, or malfunctioning of an operating
  system
• Example: Denial of Service (DoS) attacks




Fabrication

• Occurs when spurious transactions are inserted into a network or
  records are added to an existing database




Information security requirements

• Confidentiality
  – Protecting sensitive information from unauthorised disclosure or intelligible
    interception

• Integrity
  – Safeguarding the accuracy and completeness of information (and software)

• Availability
  – Ensuring that information (and vital services) are available to users when
    required

• Authentication
  – Ensuring that information is from the source it claims to be from

• Non-repudiation
  – Prevents an entity from denying having performed a particular action related to
    data

Vulnerabilities

• Weaknesses in a system
• Might arise from:
  – Poor design
  – Poor implementation
  – Technological advances

• Examples:
  – Password management flaws
  – Fundamental operating system design flaws
  – Software bugs
  – Unchecked user input
  – Social engineering
  – Etc.



Password management flaws

• Use of weak passwords that could be discovered by brute force
• Passwords are stored on the computer where a program can access
  them
• Users re-use passwords between many programs and websites
• System administrator uses factory-set default passwords
• Etc.
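
An added example (not part of the original slides) that addresses three of the flaws listed above: the password is stored only as a salted, slow hash instead of in a form a program can read back, and weak or factory-default passwords are refused at enrolment. The default list, minimum length and iteration count are assumed values chosen for illustration.

```python
import hashlib
import hmac
import os

FACTORY_DEFAULTS = {"admin", "password", "changeme", "12345678"}  # constructed list
MIN_LENGTH = 12        # assumed policy value
ITERATIONS = 200_000   # assumed PBKDF2 work factor; slows each brute-force guess

def policy_problems(password):
    """Return the reasons a password is unacceptable (empty list = acceptable)."""
    problems = []
    if password.lower() in FACTORY_DEFAULTS:
        problems.append("factory-set default")
    if len(password) < MIN_LENGTH:
        problems.append("too short to resist brute force")
    return problems

def _derive(password, salt):
    """Slow, salted one-way derivation; the password cannot be read back from it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def enrol(password):
    """Build the record to store: a random salt and the digest, never the password."""
    problems = policy_problems(password)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)  # per-user salt: equal passwords give different digests
    return {"salt": salt, "digest": _derive(password, salt)}

def verify(record, candidate):
    """Recompute the digest for the candidate and compare in constant time."""
    return hmac.compare_digest(record["digest"], _derive(candidate, record["salt"]))

if __name__ == "__main__":
    print(policy_problems("admin"))
    record = enrol("maple-kettle-orbit-42")  # constructed sample password
    print(verify(record, "maple-kettle-orbit-42"), verify(record, "maple-kettle"))
```

Because each record carries its own salt, the stored digests do not reveal that two users, or two systems, share the same password.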




Fundamental operating system design flaws

• Operating system designer implements unsuitable policies on user
  and/or program management
• Example: operating system grants every program and every user
  full access to the entire computer
• Such an operating system flaw allows viruses and malware to
  execute commands on behalf of the administrator




Software bugs

• The programmer leaves an exploitable bug in a software program
• The software bug may allow an attacker to misuse an application
  through (for example) bypassing access control checks or executing
  commands on the system hosting the application
• Examples:
  – Buffer overflows
  – Dangling pointers




Unchecked user input

• A program assumes that all user input is safe
• Consequence: the program does not check the validity of user input
• Can allow unintended direct execution of commands or SQL
  statements
• Examples:
  – Buffer overflows
  – SQL injection
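
An added example (not part of the original slides) of the SQL injection case: the same lookup written once with unchecked input pasted into the statement, and once with a validity check plus a bound parameter. The table, rows, function names and the hostile string are constructed for illustration.

```python
import re
import sqlite3

# Constructed hostile input: the quote ends the string literal early.
HOSTILE = "x' OR '1'='1"

def make_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (owner TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", 120), ("bob", 75), ("carol", 300)])
    return db

def lookup_unchecked(db, owner):
    """Vulnerable: the input is pasted into the statement and parsed as SQL."""
    query = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return db.execute(query).fetchall()

def validate_owner(owner):
    """Validity check: accept only the shape a real owner name can have."""
    if not re.fullmatch(r"[a-z0-9_]{1,32}", owner):
        raise ValueError("owner name contains characters that are not allowed")
    return owner

def lookup_parameterised(db, owner):
    """Hardened: the statement text is fixed; the input is bound as data."""
    query = "SELECT owner, balance FROM accounts WHERE owner = ?"
    return db.execute(query, (owner,)).fetchall()

def lookup_checked(db, owner):
    """Validate first, then bind: two independent controls."""
    return lookup_parameterised(db, validate_owner(owner))

if __name__ == "__main__":
    db = make_db()
    print("unchecked    :", lookup_unchecked(db, HOSTILE))      # every row leaks
    print("parameterised:", lookup_parameterised(db, HOSTILE))  # no match
    try:
        lookup_checked(db, HOSTILE)
    except ValueError as err:
        print("checked      : rejected,", err)
```

In the unchecked version the input changes the meaning of the WHERE clause, so a lookup for one owner returns every account; with a bound parameter the same string is only ever compared as a name.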




Social engineering

• Based on specific attributes of human decision-making known as
  cognitive biases
• These biases, sometimes called "bugs in the human hardware," are
  exploited in various combinations to create criminal attack
  techniques
• Examples:
  – Pretexting
  – Phishing
  – Baiting
  – Etc.

• “ … I could often get passwords and other pieces of sensitive
  information by pretending to be someone else and just asking for
  it.” (Kevin Mitnick, The Art of Deception, 2002)

Methods of defence

• Protecting a technical system: establish controls that satisfy our
  information security requirements
• Dhillon lists three main methods of defence:
  – Encryption
  – Software controls
  – Physical and hardware controls

• More on these methods in the coming lectures …




Summary

Today we learned:
• Six basic types of harm
• A threat is a possible source of harm
• A threat exploits vulnerabilities in a system
• We need to satisfy our information security requirements
• Need to put controls in place to defend ourselves



