Computer Security
Introduction to Computer Security
Outline
• What is Computer Security?
• What is Privacy?
• Why Computer Security?
• Challenges of Computer Security?
Introduction
“The most secure computers are those not connected to the
Internet and shielded from any interference” - Introduction to
Computers by Rajmohan Joshi, page 264
Current Trends
• Modern societies are highly dependent on ICT.
▪ Computation is embedded in a rapidly increasing number and variety of
products.
▪ Global computer usage continues to grow rapidly, especially in
developing countries.
▪ With every passing day computers administer and control more and
more aspects of human life.
o Banks
o Medical (Biological Devices)
o Transportation etc.
• Conclusion:
▪ We are more and more dependent on ICT!
o Implies security and privacy are critical issues.
Security
• What is Security?
▪ “The quality or state of being secure or being free from danger.”
▪ Protection against adversaries: those who would do harm intentionally,
with a certain objective.
• Security is about
▪ Threats (bad things that may happen)
▪ Vulnerabilities (weaknesses in your defenses)
▪ Attacks (ways in which the threats may be actualized) and
▪ Mechanisms to tackle attacks
Computer Security
What is Computer Security?
• Protection afforded to an automated information system.
▪ Protection of computers against intruders (e.g., hackers) and malicious software
• Deals with procedures and policies adopted to protect our digital assets and
properties.
• The goal of computer security is preserving the confidentiality, integrity and
availability of information system resources (hardware, software,
information/data)
• Mainly focuses on the prevention and detection of unauthorised actions by users
of a computer system.
Privacy
• Privacy means that your data, such as personal files and e-mail messages, is
not accessible by anyone without your permission.
• Privacy deals with the measures that you can take to restrict access to your
data.
Why Computer Security?
• Protect organizations' and companies' data and assets from insider and outsider
attacks.
• Prevent unauthorized people from accessing our valued information to
manipulate or steal it.
• Protect your sensitive data from natural disasters and accidental risks by using
business continuity and disaster recovery management.
• Regulatory compliance: adherence to laws, regulations, guidelines and
specifications relevant to the organization's business processes.
• Thwart identity theft etc.
Growth of cyber crime cost
Challenges of Computer Security
• In developing a particular security mechanism or algorithm, one must
always consider potential security threats and attacks on different
security features.
• Having designed various security mechanisms, it is necessary to
decide where to use them.
• Security mechanisms typically involve more than a particular
algorithm or protocol.
• Security requires regular, even constant, monitoring, and this is
difficult in today’s short-term, overloaded environment.
• Lack of awareness about information security
Aspects of Computer/IS Security
The 3 aspects of computer/information security are:
▪ Security attack: Any action that compromises the security of information
owned by an organization.
▪ Security mechanism: A process (or a device incorporating such a process)
that is designed to detect, prevent, or recover from a security attack.
o Examples: encryption, digital signature, IDS, access control, etc.
▪ Security service: A processing or communication service that enhances the
security of the data processing systems and the information transfers of an
organization.
Security Requirements/Services
• Are intended to counter security attacks, and they make use of
one or more security mechanisms to provide the service.
• The main objective/goal of computer security is preserving the
CIA triad
Cont..
• Confidentiality
• Integrity
• Availability
• Authentication
• Non-repudiation
• Accountability etc.
Confidentiality
• Protect against unauthorized disclosure of information
• The assurance that information is not disclosed to
unauthorized persons, processes or devices
• This can cover two aspects:
▪ protecting information stored in files
▪ protecting information while in transmission
• Example:
▪ An employee should not come to know the salary of his
manager
▪ The target coordinates of a missile should not be improperly
disclosed.
Integrity
• Protect against unauthorized modification of information.
• The assurance that data/information cannot be created,
changed, or deleted without proper authorization.
▪ System Integrity means that there is an external consistency in the
system: everything is as it is expected to be
▪ Data integrity means that the data stored on a computer is the same
as the source documents (changed only in a specified and authorized
manner.)
• Example:
▪ An employee should not be able to modify the employee's own
salary
▪ The target coordinates of a missile should not be improperly
modified
Availability
• Information needs to be available to authorized parties
whenever needed.
• Availability is the prevention of unauthorized withholding
of information.
• Timely, reliable access to data and information services for
authorized users.
• Used to guarantee access to information
• Denial of service attacks are a common form of attack.
Authentication
• Who are you?
• Proving that a user is the person he/she claims to be.
• Factors of authentication
▪ Something you know (password)
▪ Something you have (chip)
▪ Something you are: something that proves the person’s identity
(biometric: fingerprint).
▪ Somewhere you are: related to your location
▪ Something you do: identification by observing your unique
physical actions
▪ Or a combination of those techniques (multi-factor
authentication)
Authorization
• What can you do?
• Determine access levels or privileges related
to system resources including files, services,
computer programs, data and application
features.
• Authentication and Authorization go hand in
hand.
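Added example (not part of the original slides): a small salary store in which authentication runs first and authorization second, enforcing the confidentiality and integrity examples above (an employee cannot read the manager's salary or change their own). The user names, passwords, amounts and the "HR manages salaries" policy are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password, role, salary):
    salt = os.urandom(16)
    return {"salt": salt, "pw": hash_password(password, salt),
            "role": role, "salary": salary}

# Constructed sample data (names, passwords, roles and salaries are made up).
USERS = {
    "alice": make_user("alice-pass", "employee", 4000),
    "bob": make_user("bob-pass", "manager", 9000),
    "hana": make_user("hana-pass", "hr", 5000),
}
AUDIT = []  # accountability: every access decision is recorded

def authenticate(name, password):
    """Who are you? Return the user name if the password matches, else None."""
    user = USERS.get(name)
    if user is None:
        return None
    supplied = hash_password(password, user["salt"])
    return name if hmac.compare_digest(user["pw"], supplied) else None

def authorize(subject, action, target):
    """What can you do? Assumed policy: HR manages salaries, never its own."""
    role = USERS[subject]["role"]
    if target not in USERS:
        allowed = False
    elif action == "read":    # confidentiality: own record, or HR
        allowed = subject == target or role == "hr"
    elif action == "write":   # integrity: HR only, and not its own salary
        allowed = role == "hr" and subject != target
    else:
        allowed = False
    AUDIT.append((subject, action, target, allowed))
    return allowed

def access_salary(name, password, action, target, new_amount=None):
    """Authenticate first, then authorize, then perform the action."""
    subject = authenticate(name, password)
    if subject is None or not authorize(subject, action, target):
        raise PermissionError(f"{action} on {target!r} denied for {name!r}")
    if action == "write":
        USERS[target]["salary"] = new_amount
    return USERS[target]["salary"]
```

A failed login never reaches authorize(), so only authenticated subjects appear in AUDIT.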
Nonrepudiation
• Prevention of either the sender or the receiver denying
a transmitted message. (Proof of sender’s identity and
message delivery)
▪ neither can later deny having processed the data.
▪ Security is strong when the means of authentication
cannot later be refuted: the user cannot later deny that
he or she performed the activity.
• Can be guaranteed using a digital signature.
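Added example (not part of the original slides): why a digital signature supports nonrepudiation while a shared-key MAC does not. To stay within the Python standard library it uses a Lamport one-time signature built from SHA-256, a technique chosen for this illustration; the messages and function names are constructed.

```python
import hashlib
import hmac
import secrets

def H(data):
    return hashlib.sha256(data).digest()

def digest_bits(message):
    """The 256 bits of SHA-256(message), most significant bit first."""
    d = H(message)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen():
    """Private key: 256 pairs of random secrets. Public key: their hashes."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32))
               for _ in range(256)]
    public = [(H(zero), H(one)) for zero, one in private]
    return private, public

def sign(private, message):
    """Reveal one secret per digest bit. A key pair must sign ONE message only."""
    return [private[i][bit] for i, bit in enumerate(digest_bits(message))]

def verify(public, message, signature):
    """Anyone holding the public key can check the signature."""
    if len(signature) != 256:
        return False
    expected = [public[i][bit] for i, bit in enumerate(digest_bits(message))]
    return all(hmac.compare_digest(H(s), e) for s, e in zip(signature, expected))

def mac_tag(shared_key, message):
    """Shared-key MAC: sender and receiver can both compute it."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()

def demo():
    order = b"pay 100 to account 42"    # constructed messages
    altered = b"pay 900 to account 42"
    private, public = keygen()          # sender keeps `private` secret
    signature = sign(private, order)
    shared = secrets.token_bytes(32)    # held by sender AND receiver
    receiver_made_tag = mac_tag(shared, altered)  # receiver acts alone
    return {
        "signed_order_verifies": verify(public, order, signature),
        "altered_order_verifies": verify(public, altered, signature),
        "receiver_tag_accepted": hmac.compare_digest(
            receiver_made_tag, mac_tag(shared, altered)),
    }
```

Only the private-key holder can produce a signature that verifies, so the sender cannot later deny it; a valid MAC tag proves nothing about which of the two key holders created it.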
What should we protect?
• One of the major goals of information/computer security as a discipline and as a
profession is to protect valuable assets.
▪ Assets: items of value
• Determining what to protect requires that we first identify what has value and to
whom.
• Assets include:
▪ Hardware
• Computer components
• Networks and communications channels
• Mobile devices
▪ Software
• Operating system
• Off-the-shelf programs and apps
• Customized programs and apps
▪ Data
• Files
• Databases
Asset Valuation
• The perceived value of an asset depends upon the ease
with which the asset can be replaced.
▪ Hardware: easily replaceable
▪ Software: individual applications
▪ Data: unique, difficult to replace
Balancing Security and Access
• Information security is not absolute
▪ It is a process and not a goal
• No security: complete access to assets
▪ Available to anyone, anytime and anywhere (poses a danger to security)
• Complete security: no access
▪ A completely secure information system would not allow anyone access
Vulnerability-threat-control framework
• To study methods of asset protection we use a vulnerability-threat-control
framework.
▪ Vulnerability
• A weakness in a system
• Can be exploited to cause harm or loss
• A human who exploits the vulnerability perpetrates an attack on the
system (causing harm/loss)
Cont..
Vulnerabilities are classified according to the asset class they are related to:
• Hardware
▪ susceptibility to humidity
▪ susceptibility to dust
▪ susceptibility to soiling etc.
• Software
▪ insufficient testing, lack of audit trail
▪ design flaw
• Network
▪ unprotected communication lines
▪ insecure network architecture
• Personnel
▪ inadequate recruiting process
▪ inadequate security awareness
• Physical site
▪ area subject to flood, unreliable power source etc.
• Organizational
▪ lack of regular audits
▪ lack of continuity plans, lack of security etc.
Cont..
▪ Threat
• A set of circumstances that has the potential to cause harm or loss
• Can be a natural, human or process threat
▪ Control
• An action, device, procedure or technique that eliminates or reduces a
vulnerability
• Also called a countermeasure (physical, administrative and technical)
Security Management and Risk Analysis
Risk
• Risk is the possibility that a particular threat will adversely impact an
information system by exploiting a particular vulnerability.
▪ The assessment of risk must take into account the consequences of an
exploit.
• Risk analysis is the study of the cost of a particular system against the
benefits of the system.
• Risk management is a process for an organization to identify and address
the risks in its environment.