INTRODUCTION

LECTURE SET 01 AND 02

CRs NO:1502170
INTRODUCTION TO CYBER SECURITY

M5 - 221 kjaveed@[Link] Dr. Khalid Javeed

M5 - 220 srubab@[Link] Dr. Saddaf Rubab

M5 - 227 kbelwafi@[Link] Dr. Kais Belwafi
 CYBER SECURITY

 Cyber security refers to the body of technologies,

processes, and practices designed to protect networks,
devices, programs, and data from attack, damage, or
unauthorized access.
 Cyber security consists of technologies, processes, and
controls designed to protect systems, networks, programs,
devices, and data from cyber attacks

FROM SECURITY IN COMPUTING, FIFTH EDITION, BY CHARLES P. PFLEEGER, ET AL. (ISBN:

9780134085043). COPYRIGHT 2015 BY PEARSON EDUCATION, INC. ALL RIGHTS RESERVED.
 CYBER SECURITY

3
[Link]
COMPUTER SYSTEM STRUCTURE

 Computer system can be divided into four components:

 Hardware – provides basic computing resources
 CPU, memory, I/O devices
 Operating system
 Controls and coordinates use of hardware among various
applications and users
 Application programs – define the ways in which the system
resources are used to solve the computing problems of the users
 Word processors, compilers, web browsers, database systems,
video games
 Users
 People, machines, other computers
4
FROM SECURITY IN COMPUTING, FIFTH EDITION, BY CHARLES P. PFLEEGER, ET AL. (ISBN:
9780134085043). COPYRIGHT 2015 BY PEARSON EDUCATION, INC. ALL RIGHTS RESERVED.
 COMPUTER SYSTEM STRUCTURE

FROM SECURITY IN COMPUTING, FIFTH EDITION, BY CHARLES P. PFLEEGER, ET AL. (ISBN:

9780134085043). COPYRIGHT 2015 BY PEARSON EDUCATION, INC. ALL RIGHTS RESERVED.
COMPUTER SYSTEM

I/O
Input / Output Peripherals
Register
ALU
Array
System Bus

Control
Memory

Microprocessor Unit Primary Storage Secondary Storage

MPU

FROM SECURITY IN COMPUTING, FIFTH EDITION, BY CHARLES P. PFLEEGER, ET AL. (ISBN:

6
9780134085043). COPYRIGHT 2015 BY PEARSON EDUCATION, INC. ALL RIGHTS RESERVED.
 RISK IS A FACT OF LIFE

 Crossing the street is risky

 But you still cross the street!

 Using computers is risky (from the security and privacy

perspectives)
 But you still use computers!
WHAT DOES "SECURE" MEAN?

 How do we protect our most valuable assets?

 Bank robbery: bank robbery was, for a time, considered to be a
profitable business. Protecting assets was difficult and not always
effective.
 Today, asset protection is easier; Very sophisticated alarm and camera
systems silently protect secure places, genetic material (DNA),
fingerprints, retinal patterns, voice, etc.
 WHAT DOES "SECURE" MEAN?

Characteristic Bank Protecting Money People Protecting Information

Size and portability Sites storing money are large, Items storing valuable assets are very small and portable.
unwieldy, and not at all portable. The physical devices in computing can be so small that
Buildings require guards, vaults, and thousands of dollars’worth of computing gear Can fit
many levels of physical security to comfortably in a briefcase.
protect money.
Ability to avoid Difficult. When banks deal with Simple. When information is handled electronically, no
physical contact physical currency, a criminal must physical contact is necessary. Indeed, when banks handle
physically demand the money and money electronically, almost all transactions can be done
carry it away from the bank's without any physical contact. Money can be transferred
premises through computers, mail, or telephone
Value of assets Very high Variable, from very high to very low. Some information,
such as medical history, tax payments, investments, or
educational background, is confidential. Other
information, about troop movements, sales strategies,
buying patterns, can be very sensitive. Still other
information, such as address and phone number, may be
of no consequence and easily accessible by other means.
THIS CHAPTER

 Threats, vulnerabilities, and controls

 Confidentiality, integrity, and availability
 Attackers and attack types; method, opportunity, and
motive
 Valuing assets
 WHAT IS COMPUTER SECURITY?
 The protection of the assets of a computer system
 Hardware
 Software
 Data

12
Values of Assets

13
 COMPUTING SYSTEM SECURITY

 The computing system is a collection of hardware, software, storage

media, data, and people that an organization uses to perform computing
tasks.
 Sometimes, we assume that parts of a computing system are not
valuable to an outsider, but often we are mistaken.
 Any system is most vulnerable at its weakest point.
 Any part of a computing system can be the target of a crime.

 Computer security is the protection of the items you value,

called the assets
THE VULNERABILITY–THREAT–CONTROL PARADIGM

1. Vulnerability: weakness
2. Threat: condition that exercises vulnerability
3. Incident: vulnerability + threat. We also define the impact and
likelihood
4. Control: reduction of threat or vulnerability, safeguard
VULNERABILITIES, THREATS, ATTACKS, AND
CONTROLS

 A vulnerability is a weakness in the security system (for example, in

procedures, design, or implementation), that might be exploited to cause
loss or harm.
 A threat to a computing system is a set of circumstances that can
potentially cause loss or harm.
 A human who exploits a vulnerability perpetrates an attack on the
system.
 How do we address these problems?
 We use a control as a protective measure. A control is an action,
device, procedure, or technique that removes or reduces a
vulnerability.
VULNERABILITIES, THREATS, ATTACKS, AND
CONTROLS

 The relationship among threats, controls, and vulnerabilities

in this way:
 A threat is blocked by control of a vulnerability.
 To devise controls, we must know as much about threats as possible.
THREAT & VULNERABILITY

 Vulnerability
 Threat
 Attack
 Countermeasure or control

The water is the threat,

the crack is the
vulnerability, and the
finger is the control (for
now).
18
 THREATS AND HARMS

 A threat to a computing system is a set of circumstances that

can potentially cause loss or harm.
 Two ways to consider potential harm:
1. First, we can look at what bad things can happen to
assets,
2. Second, we can look at who or what can cause or allow
those bad things to happen.
 Threats target the availability, valuable, integrity, and personal
aspects
 TYPES OF HARMS

 We can view any threat as being caused by one of four acts:

interception, interruption, modification, and fabrication.
 TYPES OF HARMS

 We can view any threat as being caused by one of four acts:

interception, interruption, modification, and fabrication.

An interception means that some

unauthorized party has gained
access to an asset.

These are the primary types of harm against system data and functions.
Understanding these possibilities is important to considering threat and risk.
TYPES OF HARMS

FROM SECURITY IN COMPUTING, FIFTH EDITION, BY CHARLES P. PFLEEGER, ET AL. (ISBN:

22
9780134085043). COPYRIGHT 2015 BY PEARSON EDUCATION, INC. ALL RIGHTS RESERVED.
 TYPES OF HARMS
 We can view any threat as being caused by one of four acts:
interception, interruption, modification, and fabrication.

In an interruption, an asset of
the system becomes lost,
unavailable, or unusable.

These are the primary types of harm against system data and functions.
Understanding these possibilities is important to considering threat and risk.
 TYPES OF HARMS
 We can view any threat as being caused by one of four acts:
interception, interruption, modification, and fabrication.

If an unauthorized party not only

accesses but tampers with an asset,
the threat is a modification.

These are the primary types of harm against system data and functions.
Understanding these possibilities is important to considering threat and risk.
 TYPES OF HARMS
 We can view any threat as being caused by one of four acts:
interception, interruption, modification, and fabrication.
An unauthorized party might
create a fabrication of counterfeit
objects on a computing system.
Fabrication attacks involve
generating data, processes,
communications, or other similar
activities with a system.
Example: Email Spoofing

These are the primary types of harm against system data and functions.
Understanding these possibilities is important to considering threat and risk.
TYPES OF HARMS

FROM SECURITY IN COMPUTING, FIFTH EDITION, BY CHARLES P. PFLEEGER, ET AL. (ISBN:

26
9780134085043). COPYRIGHT 2015 BY PEARSON EDUCATION, INC. ALL RIGHTS RESERVED.
VULNERABILITIES OF COMPUTING SYSTEMS
 THE MEANING OF COMPUTER SECURITY

 Security Goals
 When we talk about computer security, we mean that we are
addressing three important aspects of any computer-related
system:
1) Confidentiality,
2) Integrity, (CIA)
3) Availability
 THE MEANING OF COMPUTER SECURITY

1. Confidentiality ensures that computer-related assets are

accessed only by authorized parties.
 Reading, viewing, printing, or even knowing their existence
 Secrecy or privacy

2. Integrity means that assets can be modified only by authorized

parties or only in authorized ways.
 Writing, changing, deleting, creating

3. Availability means that assets are accessible to authorized

parties at appropriate times. For this reason, availability is
sometimes known by its opposite, denial of service.
MORE SECURITY GOALS

Authentication Accountability
• Verifying that users are • The ability of the system
who they say they are and to confirm actions of an
that each input arriving at entity to be traced
the system came from a uniquely to that entity. The
trusted source. sender cannot deny having
sent something.

30
 TYPES OF HARMS

 We can view any threat as being caused by one of four acts:

interception, interruption, modification, and fabrication.
o If an unauthorized party not only accesses but tampers with
an asset, the threat is a modification.
modification
o An unauthorized party might create a fabrication of
counterfeit objects on a computing system.

o An interception means that some unauthorized party

has gained access to an asset.

o In an interruption,
interruption an asset of the system becomes
lost, unavailable, or unusable.
 THE MEANING OF COMPUTER SECURITY

Integrity means that assets can be modified only by authorized

parties or only in authorized ways (Writing, changing, deleting,
creating)
Availability means that assets are accessible to authorized parties at
appropriate times.

Confidentiality ensures that computer-related assets are accessed

Confidentiality
only by authorized parties (Reading, viewing, printing, or even knowing
their existence, Secrecy or privacy).

Denial of Service (DoS) is opposite to Availability.

Availability
 CONFIDENTIALITY, INTEGRITY, AND AVAILABILITY
(CIA TRIAD

 One of the challenges in building a

secure system is finding the right
balance among the goals, which often
conflict.

o For example, it is easy to preserve a particular object's confidentiality

in a secure system simply by preventing everyone from reading that
object. However, this system is insecure (not secure) because it
does not meet the availability requirement for proper access.
CONFIDENTIALITY, INTEGRITY, AND
AVAILABILITY

 In fact, these three characteristics can be independent, can

overlap, and can even be mutually exclusive.
 CONFIDENTIALITY, INTEGRITY, AND
AVAILABILITY

 Ensuring confidentiality can be difficult.

 For example, who determines which people or systems are
authorized to access the current system? By "accessing" data,
do we mean that an authorized party can access a single bit?
The whole collection? Pieces of data out of context? Can
someone who is authorized disclose those data to other
parties?
 We understand confidentiality well because we can relate
computing examples to those of preserving confidentiality in the
real world.
 FAILURE OF DATA CONFIDENTIALITY

 An unauthorized person accesses a data item.

 An unauthorized process or program accesses a data item.
 A person authorized to access certain data accesses other data not
authorized (which is a specialized version of "an unauthorized person
accesses a data item").
 An unauthorized person accesses an approximate data value (for example,
not knowing someone's exact salary but knowing that the salary falls in a
particular range or exceeds a particular amount).
 An unauthorized person learns the existence of a piece of data (for
example, knowing that a company is developing a certain new product or
38
that talks are underway about the merger of two companies).
 ACCESS CONTROL
Policy:
Who+What +How=Yes/No
Object
Subject (What)
Mode of access
(Who) (how)

40
 CONFIDENTIALITY, INTEGRITY, AND
AVAILABILITY

 Integrity is much harder to pin down.

 Integrity means different things in different contexts.
 Precise, unmodified, modified only in acceptable ways,
modified only by authorized people, modified only by
authorized processes, consistent, meaningful, and usable
 Integrity can be enforced in much the same way as can
confidentiality: by rigorous control of who or what can
access which resources in what ways.
 CONFIDENTIALITY, INTEGRITY, AND
AVAILABILITY
 Availability applies both to data and services (that is, information and
information processing). We say a data item, service, or system is available
 If there is a timely response to our request.
 Resources are allocated fairly so that some requesters are not favored
over others.
 The service or system involved follows a philosophy of fault tolerance,
whereby hardware or software faults lead to graceful cessation of service
or to work-arounds rather than to crashes and abrupt loss of
information.
 The service or system can be used easily and in the way it was intended
to be used.
 Concurrency is controlled; that is, simultaneous access, deadlock
management, and exclusive access are supported as required.
CONFIDENTIALITY, INTEGRITY, AND
AVAILABILITY

FROM SECURITY IN COMPUTING, FIFTH EDITION, BY CHARLES P. PFLEEGER, ET AL. (ISBN:

43
9780134085043). COPYRIGHT 2015 BY PEARSON EDUCATION, INC. ALL RIGHTS RESERVED.
 Confidentiality Integrity Availability
• preserving • guarding against • ensuring timely and
authorized improper reliable access to
restrictions on information and use of
information access modification or information
and disclosure, destruction,
including means for including ensuring
protecting information
personal privacy nonrepudiation
and proprietary and authenticity
information

Computer security seeks to prevent unauthorized

viewing (confidentiality) or modification (integrity) of
data while preserving access (availability).
THE CIA TRIAD
TYPES OF THREATS

 Threats are caused both by

human and other sources
(natural disasters, loss of
electricity, failure of any
component).
 Threats can be malicious or
not.
 Malicious attacks can be
random or directed.

FROM SECURITY IN COMPUTING, FIFTH EDITION, BY CHARLES P. PFLEEGER, ET AL. (ISBN:

45
9780134085043). COPYRIGHT 2015 BY PEARSON EDUCATION, INC. ALL RIGHTS RESERVED.
 ADVANCED PERSISTENT THREAT

 A lone attacker might create a random attack that traps a few, or a few
million, individuals, but the resulting impact is limited to what that single
attacker can organize and manage.
 A collection of attacker squads might work together — for example, the
cyber equivalent of a street gang or an organized crime
 come from organized, well-financed, patient attackers. They carefully select
their targets, crafting attacks that appeal to specifically those targets.
 Typically, the attacks are silent, avoiding any obvious impact that would
alert a victim, thereby allowing the attacker to exploit the victim’s access
rights over a long time.
FROM SECURITY IN COMPUTING, FIFTH EDITION, BY CHARLES P. PFLEEGER, ET AL. (ISBN:
46
9780134085043). COPYRIGHT 2015 BY PEARSON EDUCATION, INC. ALL RIGHTS RESERVED.
 ATTACKS

 When you test any computer system

 One of your jobs is to imagine how the system could malfunction.
 Then, you improve the system's design so that the system can
withstand any of the problems you have identified.
 In the same way, we analyze a system from a security perspective
 thinking about ways in which the system's security can malfunction and
diminish the value of its assets.
 TYPES OF ATTACKERS

Each of these attacker types is associated with a different

set of resources, capabilities & motivations.
48

Understanding the different types will help later in

considering threats.
 TYPES OF ATTACKERS
Black hat hackers are cybercriminals who illegally crack systems with malicious
intent. Once a black hat hacker finds a security vulnerability, they try to exploit it
White hat hackers are ethical security hackers who identify and fix vulnerabilities.
Gray hat hackers may not have the criminal or malicious intent of a black hat hacker;
gray hat hackers uncover weaknesses they report them rather than exploiting them. But
gray hat hackers may demand payment in exchange for providing full details of what
they uncovered.
Green hat hackers are inexperienced and may lack the technical skills of more
experienced hackers.

Blue hat hackers are white hat hackers whom an organization actually employs.

Red hat hackers are vigilante hackers, red hat hackers are motivated by a desire to
fight back against black hat hackers.
FROM SECURITY IN COMPUTING, FIFTH EDITION, BY CHARLES P. PFLEEGER, ET AL. (ISBN:
9780134085043). COPYRIGHT 2015 BY PEARSON EDUCATION, INC. ALL RIGHTS RESERVED.

50
 COMPUTER CRIMINALS

 Computer crime is any crime involving a computer or aided by the use

of one.
 One approach to prevention or moderation is to understand who
commits these crimes and why.
 Many studies have attempted to determine the characteristics of
computer criminals.
 By studying those who have already used computers to commit crimes,
we may be able, in the future, to spot likely criminals and prevent the
crimes from occurring.
COMPUTER CRIMINALS
 Amateurs and Individuals
 Ordinary computer users who while doing their jobs discover their
ability to access something valuable
 Amateurs have committed most of the computer crimes reported to
date.
 Organized,Worldwide groups
 Attackers’ goals include fraud, extortion, money laundering, and drug
trafficking, areas in which organized crime has a well-established
presence.
 traditional criminals are recruiting hackers to join the lucrative world
of cybercrime
COMPUTER CRIMINALS

 Crackers or Malicious Hackers

 System crackers, often high school or university students, attempt to
access computing facilities for which they have not been authorized.
 Others attack for curiosity, personal gain, or self-satisfaction. And still
others enjoy causing chaos, loss, or harm. There is no common profile
or motivation for these attackers.
COMPUTER CRIMINALS

 Career Criminals
 By contrast, the career computer criminal understands the targets of
computer crime.
 There is some evidence that organized crime and international
groups are engaging in computer crime. Recently, electronic spies and
information brokers have begun to recognize that trading in
companies' or individuals' secrets can be lucrative.
HERE

FROM SECURITY IN COMPUTING, FIFTH EDITION, BY CHARLES P. PFLEEGER, ET AL. (ISBN:

55
9780134085043). COPYRIGHT 2015 BY PEARSON EDUCATION, INC. ALL RIGHTS RESERVED.
METHOD, OPPORTUNITY, AND MOTIVE

 A malicious attacker must have three things (MOM):

 method: the skills, knowledge, tools, and other things with which to be
able to pull off the attack
 Knowledge of systems are widely available
 opportunity: the time and access to accomplish the attack
 Systems available to the public are accessible to them
 motive: a reason to want to perform this attack against this system
VULNERABILITIES

 When we prepare to test a system, we usually try to imagine how the

system can fail; we then look for ways in which the requirements,
design, or code can enable such failures.
 Imagine the vulnerabilities that would prevent us from reaching one
or more of our three security goals.
VULNERABILITIES OF COMPUTING SYSTEMS

 Hardware Vulnerabilities
 adding devices, changing them, removing them, intercepting the traffic
to them, or flooding them with traffic until they can no longer
function. (many other ways to harm the hardware).
 Software Vulnerabilities
 Software can be replaced, changed, or destroyed maliciously, or it can
be modified, deleted, or misplaced accidentally. Whether intentional
or not, these attacks exploit the software's vulnerabilities.
VULNERABILITIES OF COMPUTING SYSTEMS

 Data Vulnerabilities
 data have a definite value, even though that value is often difficult to
measure.
 Ex1: confidential data leaked to a competitor
 may narrow a competitive edge
 Ex2: flight coordinate data used by an airplane that is guided partly or
fully by software
 Can cost human lives if modified
OTHER EXPOSED ASSETS
 Networks
 Networks are specialized collections of hardware, software, and data.
 Can easily multiply the problems of computer security
 Insecure shared links
 Inability to identify remote users (anonymity)
 Key People
 People can be crucial weak points in security. If only one person
knows how to use or maintain a particular program, trouble can arise
if that person is ill, suffers an accident, or leaves the organization
(taking her knowledge with her).
VULNERABILITIES OF COMPUTING SYSTEMS

 Principle of Adequate Protection: Computer items must be

protected only until they lose their value. They must be protected
to a degree consistent with their value.
 This principle says that things with a short life can be protected by
security measures that are effective only for that short time. The
notion of a small protection window applies primarily to data, but it
can in some cases be relevant for software and hardware, too.
VULNERABILITIES OF COMPUTING SYSTEMS

 Principle of Easiest Penetration - “An intruder must be expected

to use any available means of penetration.”
 The penetration may not necessarily be by the most obvious means,
 nor is it necessarily the one against which the most solid defense has
been installed
 and it certainly does not have to be the way we want the attacker to
behave.
 This principle implies that computer security specialists must consider
all possible means of penetration.
 Penetration analysis must be done repeatedly, and especially whenever
the system and its security change.
VULNERABILITIES OF COMPUTING SYSTEMS

 Principle of Weakest Link - Security can be no stronger than its

weakest link.
 Whether it is the power supply that powers the firewall or the
operating system under the security application or the human who
plans, implements, and administers controls, a failure of any control
can lead to a security failure.
CONTROLS - METHODS OF DEFENSE

 We can deal with harm in several [Link] can seek to

 prevent it, by blocking the attack or closing the vulnerability
 deter it, by making the attack harder but not impossible
 deflect it, by making another target more attractive (or this one less
so)
 detect it, either as it happens or some time after the fact
 recover from its effects

Security professionals balance the cost and effectiveness of controls with the
likelihood and severity of harm.
 CONTROLS - METHODS OF DEFENSE
 The figure illustrates how we use a combination of controls to secure our
valuable resources. We use one or more controls, according to what we are
protecting, how the cost of protection compares with the risk of loss, and how
hard we think intruders will work to get what they want.

In this simple representation of a networked system, it is easy to see all the touch points where controls can be placed,
as well as some different types of controls, including deterrence, deflection, response, prevention, and preemption.
CONTROLS AVAILABLE

 Encryption
 the formal name for the scrambling process.
 We take data in their normal, unscrambled state, called cleartext, and
transform them so that they are unintelligible to the outside
observer; the transformed data are called enciphered text or
ciphertext.
 Encryption clearly addresses the need for confidentiality of data.
 Additionally, it can be used to ensure integrity; data that cannot be
read generally cannot easily be changed in a meaningful manner.
CONTROLS AVAILABLE

 Encryption does not solve all computer security problems, and other
tools must complement its use.
 Furthermore, if encryption is not used properly, it may have no effect on
security or could even degrade the performance of the entire system.
 Weak encryption can actually be worse than no encryption at all,
because it gives users an unwarranted sense of protection.
 Therefore, we must understand those situations in which encryption is
most useful as well as ways to use it effectively.
CONTROLS AVAILABLE
 Software/Program Controls
 Programs must be secure enough to prevent outside attack.
 They must also be developed and maintained so that we can be confident of
the programs' dependability.
 Program controls include the following:
 internal program controls: parts of the program that enforce security
restrictions, such as access limitations in a database management program
 operating system and network system controls: limitations enforced by the
operating system or network to protect each user from all other users
 independent control programs: application programs, such as password
checkers, intrusion detection utilities, or virus scanners, that protect against
certain types of vulnerabilities
CONTROLS AVAILABLE

 development controls: quality standards under which a program is

designed, coded, tested, and maintained to prevent software faults
from becoming exploitable vulnerabilities

 Software controls frequently affect users directly, such as when the user
is interrupted and asked for a password before being given access to a
program or data.
 Because they influence the way users interact with a computing
system, software controls must be carefully designed. Ease of use and
potency are often competing goals in the design of a collection of
software controls.
CONTROLS AVAILABLE

 Hardware Controls
 Numerous hardware devices have been created to assist in providing
computer security. These devices include a variety of means, such as
 hardware or smart card implementations of encryption
 locks or cables limiting access or deterring theft
 devices to verify users' identities
 firewalls
 intrusion detection systems
 circuit boards that control access to storage media
CONTROLS AVAILABLE
 Policies and Procedures
 Sometimes, we can rely on agreed-on procedures or policies among
users rather than enforcing security through hardware or software
means. such as frequent changes of passwords
 We must not forget the value of community standards and
expectations when we consider how to enforce security.

 Physical Controls
 locks on doors, guards at entry points, backup copies of important
software and data, and physical site planning that reduces the risk of
natural disasters.
 CONTROLS/COUNTERMEASURES

• The three dimensions by which

a control can be categorized.

• Thinking about controls in this

way enables you to easily map
the controls against the threats
they help address.

72
EFFECTIVENESS OF CONTROLS

 Awareness of Problem
 People using controls must be convinced of the need for security.
That is, people will willingly cooperate with security requirements
only if they understand why security is appropriate in a given
situation.
EFFECTIVENESS OF CONTROLS

 Likelihood of Use
 Of course, no control is effective unless it is used.
 Principle of Effectiveness:
 Controls must be used and used properly to be effective. They
must be efficient, easy to use, and appropriate.
 This principle implies that computer security controls must be
efficient enough, in terms of time, memory space, human activity, or
other resources used, that using the control does not seriously
affect the task being protected. Controls should be selective so
that they do not exclude legitimate accesses.
EFFECTIVENESS OF CONTROLS

 Overlapping Controls
 Several different controls may apply to address a single vulnerability.
 Periodic Review
 Just when the security specialist finds a way to secure assets against
certain kinds of attacks, the opposition doubles its efforts in an
attempt to defeat the security mechanisms. Thus, judging the
effectiveness of a control is an ongoing task.
IS THERE A SECURITY PROBLEM IN COMPUTING?

1. The goals of secure computing: confidentiality, integrity, availability

(CIA)
2. The threats to security in computing: interception, interruption,
modification, fabrication
3. Controls available to address these threats: encryption,
programming controls, operating systems, network controls,
administrative controls, law, and ethics
SUMMARY

 Computer security attempts to ensure the confidentiality, integrity, and

availability of computing systems' components(hardware, software, and
data)
 This chapter explored the meanings and the types of threats,
vulnerabilities, attacks, and controls
 Also, four principles affect the direction of work in computer security:
the principle of easiest penetration, timeliness (adequate protection),
effectiveness, and the weakest link

Remember that computer security is a game with rules only for the defending team
the attackers can (and will) use any means they can.
REFERENCES

Chapter 01
Pfleeger, C. P. (2015). Security in Computing. 5th Edition.
Prentice Hall. ISBN 0-13-239077-9.

78