Salale University

College Of Natural Science

Department Of Computer
1
Science

Chapter 5
Computer Security
 Outline
2

Computer Security
Backup
Encryption
 What is a “Secure” Computer System?

3
 To decide whether a computer system is “secure”, you
must first decide what “secure” means to you, then
identify the threats you care about.
You Will Never Own a Perfectly Secure System!
 Threats - examples
 Viruses, Trojan horses, etc.
 Denial of Service
 Stolen Customer Data
 Modified Databases
 Identity Theft and other threats to personal privacy
 Equipment Theft
 Espionage in cyberspace
 Hack-tivism
 Cyberterrorism
 Basic Components of Security:

4
 Confidentiality, Integrity, Availability (CIA)
 Confidentiality: Who is authorized to use C I
data? S
 Integrity: Is data good?
 Availability: Can access data whenever A
need it?
S = Secure
 CIA or CIAAAN… 
(other security components added to CIA)
 Authentication
 Authorization
 Non-repudiation …
 Need to Balance CIA
5
 Example 1: C vs. I+A
 Disconnect computer from Internet to increase
confidentiality
 Availability suffers, integrity suffer due to lost updates

 Example 2: I vs. C+A

 Have extensive data checks by different
people/systems to increase integrity
 Confidentiality suffers as more people see data,
availability suffers due to locks on data under
verification)
 …
6

Confidentiality
 prevention of unauthorized disclosure of information.
 keeping information private or safe.
 Confidentiality may be important for military, business or
personal reasons. cy.
Integrity
 Integrity is the prevention of unauthorized writing or
modification of information.
Availability
 Availability is the prevention of unauthorized with-
holding of information.
 …
7

We can say that an asset (resource) is available

if:
 Timely request response
 Fair allocation of resources (no starvation!)
 Fault tolerant (no total breakdown)
 Easy to use in the intended way
 Provides controlled concurrency (concurrency control,
deadlock control, ...)
 Vulnerabilities, Threats and
Controls
8
 Understanding Vulnerabilities, Threats and Controls
 Vulnerability: a weakness in a security system
 Threat:circumstances that have a potential to
cause harm
 Controls: means and ways to block a threat, which
tries to exploit one or more vulnerabilities
 Q: What were city vvulnerabilities, tthreats, and
controls?
 A: Vulnerabilities: location below water level,
geographical location in hurricane area, …
Threats: storm, dam damage, terrorist
attack, …
Controls: dams and other civil
infrastructures, emergency response plan, …
 9

 Attack (materialization of a vulnerability/threat

combination)
 exploitation of one or more vulnerabilities by a threat; tries to
defeat controls
 Attack may be:
 Successful (a.k.a. an exploit)
• resulting in a breach of security, a system penetration, etc.
 Unsuccessful
• when controls block a threat trying to exploit a vulnerability
 Threat Spectrum
10
Local threats
 Recreational hackers
 Institutional hackers

Shared threats
 Organized crime
 Industrial espionage
 Terrorism

National security threats

 National intelligence
 Info warriors
 Kinds of Threats
11

Kinds of threats:
 Interception
 an unauthorized party (human or not) gains access to an
asset
 Interruption
 an asset becomes lost, unavailable, or unusable
 Modification
 an unauthorized party changes the state of an asset
 Fabrication
 an unauthorized party counterfeits an asset
 A) Hardware Level of Vulnerabilitylities/
Threats
12
Add / remove a h/w device
 Ex: Snooping, wiretapping
Snoop = to look around a place secretly in order to
discover things about it or the people connected with
it. [Cambridge Dictionary of American English]
 Ex: Modification, alteration of a system
Physical attacks on h/w => need physical
security: locks and guards
 Accidental (dropped PC box) or voluntary
(bombing a computer room)
 Theft / destruction
 Damage the machine (spilled coffe, mice, real bugs)
 Steal the machine
 B) Software Level of Vulnerabilities / Threats

13

Software Deletion
 Easy to delete needed software by mistake
 To prevent this: use configuration management software

Software Modification
 Trojan Horses, , Viruses, Logic Bombs, Trapdoors,
Information Leaks (via covert channels), ...
Software Theft
 Unauthorized copying
 via P2P, etc.
 Types of Malicious Code
14

Bacterium - A specialized form of virus which does not attach to a

specific file. Usage obscure.
Logic bomb - Malicious [program] logic that activates when
specified conditions are met. Usually intended to cause denial of
service or otherwise damage system resources.
Trapdoor - A hidden computer flaw known to an intruder, or a
hidden computer mechanism (usually software) installed by an
intruder, who can activate the trap do or to gain access to the
computer without being blocked by security services or
mechanisms.
 Types of Malicious Code
15

Trojan horse - A computer program that appears to have a useful function,

but also has a hidden and potentially malicious function that evades
security mechanisms, sometimes by exploiting legitimate authorizations of
a system entity that invokes the program.
Virus - A hidden, self-replicating section of computer software, usually
malicious logic, that propagates by infecting (i.e., inserting a copy of itself
into and becoming part of) another program. A virus cannot run by itself;
it requires that its host program be run to make the virus active.
Worm - A computer program that can run independently, can propagate a
complete working version of itself onto other hosts on a network, and may
consume computer resources destructively.
 Types of Attacks on Data CIA
16

 Disclosure
 Attack on data confidentiality
 Unauthorized modification / deception
 E.g., providing wrong data (attack on data integrity)

 Disruption
 DoS –denied of service (attack on data availability)
 Usurpation
 Unauthorized use of services (attack on data confidentiality,
integrity or availability)
 Ways of Attacking Data CIA
17
 Examples of Attacks on Data Confidentiality
 Tapping / snooping

 Examples of Attacks on Data Integrity

 Modification: salami attack -> little bits add up
 E.g/ „shave off” the fractions of cents after interest calculations
 Fabrication: replay data -> send the same thing again
 E.g., a computer criminal replays a salary deposit to his account
 Examples of Attacks on Data Availability
 Delay vs. „full” DoS
 Backup
18
 A file backup is a copy of a file that is stored in a
separate location from the original.
 Backing up is making copies of data which may be
used to restore the original after a data loss event.
 You can have multiple backups of a file if you want
to track changes to the file.
 Cont. …
19

Types of Backup
 Full backup - All files specified for backup are copied to
the backup device regardless of the state of the archive
flag.
 All archive flags are set to “off” during this process.
 Incremental backup - Only files that have changed since
the last backup process are processed.
 The archive flag is checked for the “on” state before
processing.
 It is set to the “off” state after processing
 Differential backup - Common with image backups.
 Used with large files (i.e. databases) in file backups.
 Introduction to Encryption
20
• Plaintext - the original form of a message
• Cipher text - the coded/encrypted form of a message
• Cipher – is the algorithm for transforming plaintext to

cipher text
•Key - info used in cipher known only by the
sender/receiver
– The key which is an input to the algorithm is secret
– Key is a string of numbers or characters
– If same key is used for encryption & decryption
the algorithm is called symmetric
– If different keys are used for encryption &
decryption the algorithm is called asymmetric
Asymmetric Encryption
21
 Controls: Encryption
22

 Primary controls!
 Cleartext scambled into ciphertext (enciphered text)
 Protects CIA:
 confidentiality – by „masking” data
 integrity – by preventing data updates
 availability – by using encryption-based protocols
 e.g., protocols ensure availablity of resources for different
users
 Controls: Physical Controls
23

Walls, locks
Guards, security cameras
Backup copies and archives
Cables an locks
Natural and man-made disaster protection
 Fire, flood, and earthquake protection
 Accident and terrorism protection