Bule Hora University

Computing and Informatics College

Computer Science Department

Course: Computer Security

Chapter One: Introduction to Computer Security
 Outline
• Basic concepts of computer security
• Threats, vulnerabilities, control
• Goals of computer security
• Security attack
• Security policies and mechanism
• Prevention, detection, deterrence
• Software security assurance
Basic concepts of computer security
• Definition: Protecting computers, networks, and
information from unauthorized access, misuse, or damage.
• Types of Security:
• Computer Security - generic name for the collection of
tools designed to protect data and to thwart hackers
• Network Security - measures to protect data during
their transmission
• Internet Security - measures to protect data during their
transmission over a collection of interconnected
networks
Basic concepts of computer security
• Threat Sources:
• External hackers.
• Internal threats (e.g., disgruntled employees).
• Rising Risk Factors:
• Easy access to hacking tools & manuals.
• Faster internet & devices.
• What to Secure:
• Physical (alarms, access control, sensors).
• User access (passwords, IDs).
• Network & devices (encryption, firewalls).Data (storage
& transmission encryption).
 Threats, vulnerabilities, control
• Threats: Malware, ransomware, DDoS, social engineering,
natural disasters.
• Vulnerabilities: Weak points in software/hardware;
unauthorized access exploits them.
• Risks: Potential harm (e.g., phishing, data breaches);
managed by risk assessments & risk management programs.
• Controls:
• Access → locks, guards, login authentication.
• Procedural → training, incident response.
• Technical → firewalls, antivirus, MFA.
• Compliance → laws, frameworks, standards.
 Goals of computer security
• Three categories of goals:
– Confidentiality:- assets of the computer
systems should not be accessible to
unauthorized parties.
– Integrity:- assets of the computer systems
should not be modified by un-authorized users
– Availability:- the system should be available to
authorized users.
 Security Attacks
• A security attack is an unauthorized
attempt to steal, damage, or expose data
from an information system such as a
website.
Classification of Security Attacks
• Security attacks are classified into Passive
and Active attacks.
 Passive Attacks
• Attempts to learn or use information from
the system but does not affect resources.
Difficult to detect.
• Examples:
– Release of message content
– Traffic analysis
 Release of Message Content
• Preventing an opponent from learning the
contents of transmissions.
 Traffic Analysis
• Guessing the information transmitted by
observing frequency and length of
messages.
 Active Attacks
• Attempts to alter system resources or affect
their operation. Very difficult to prevent
completely.
 Classification of Active Attacks
• Active attacks include:
–Interruption
–Interception
–Modification
–Fabrication
 Classification of active attacks/threats

• According to sources, attacks on the security of a

computer can be characterized best by viewing how the
computer functions when sending and receiving
information. The normal and accurate flow of
information from one source (Source A) to another
source, which is the destination (B), is shown in the
diagram below:
 Interruption
• An asset is destroyed, unavailable or
unusable.
• Example: cutting cables, hardware
destruction.
 Interception
• Unauthorized access to assets. Attack on
confidentiality.
• Example: wiretapping, copying files
without permission.
 Modification
• Unauthorized tampering with system data
or programs.
• Example: altering values, changing
programs, modifying messages.
 Fabrication
• Insertion of false data or objects. Attack on
authenticity.
• Example: sending fake emails, adding false
records.
 Security Policies
• A statement of what is and isn’t allowed.
Defines secure and non-secure states.
Security policies and mechanisms
• Security policy: is a statement of what is, and
what is not, allowed
• Security mechanism: is a method, tool, or
procedure for enforcing a security policy.
• Security mechanism: mechanism that is designed
to detect, prevent or recover the system from the
security attacks.
Security policies and mechanisms
• The security mechanisms are ….
• Decipherment: The use of mathematical algorithms to
transfer the data into a form that is not readily
intelligible.
• Digital signatures: Used to protect the data against
forgery. Digital signature appended to the data unit
that allows a recipient of the data unit to prove the
source and integrity of the data unit.
• Access Control: These mechanisms enforce access rights
to resources.
• Data integrity: A variety of mechanisms are used to
assure the integrity of data unit.
Security policies and mechanisms
• The security mechanisms are …. (cont..)
• Authentication exchange: A mechanism intended to
ensure the identity of an entity by means of
information exchange.
• Traffic padding: The insertion of bits into gaps in a
data stream to control traffic analysis attacks
• Notarization: The use of trusted third party to assure
certain properties of a data exchange.
• Routing control: Enables selection of particular
physically secure routes for certain data and allows
routing changes
 Prevention
• Better to prevent incidents than to
prosecute.
• Requires policies, awareness programs,
access controls.
 Detection
• Critical to detect system compromise.
• Intrusion Detection Systems (IDS) monitor
activity, detect attacks, and notify
administrators.
 Deterrence
• Discourages attackers by increasing risks
and reducing rewards of attacks.
 Software Security Assurance (SSA)

• Process to design software that protects

data and resources.
• Security must be integrated early in the
development lifecycle.
 Causes of Software Security Problems

• 1. Non-conformance (coding errors,

validation errors)
• 2. Errors in software requirements
(incomplete or incorrect requirements).
 Software Security Assurance Activities

• 1. Ensure data has correct sensitivity

classification.
• 2. Ensure control and protection of
software, tools, and data.