Security in Computing (C2021) Week-1

Upload: alyson-katherine-singleton

Post on 11-Jan-2016


Module Syllabus Summary

The main topics of study will include:

General Security Problems:

attacks; computer criminals; computer security; methods of defense.

Program Security:

secure programs; viruses and malicious code; controls against program threats.

Security in Operating Systems:

user authentication; memory and address protection; file protections; control of access to general objects; trusted operating systems.


Module Syllabus Summary contd.

Database Security:

security requirements; integrity and reliability; inference; multilevel security.

Security in Networks:

threats in networks; firewalls; intrusion detection; secure email; security control.

Legal, Privacy, and Ethical Issues:

protecting programs and data; information and the law; rights of employees and employers; privacy; ethical issues.

Cryptography:

traditional ciphers; symmetric encryption; public key encryption; digital signatures and authentication; quantum cryptography.


Module Assessments

For more about Assessments:

http://learning.londonmet.ac.uk/computing/IC_Link/CompNetITSec/modules/cc2021/cc2021_spec.html


Recommended Book List

• Pfleeger, C.P. & Pfleeger, S.L., 2007. Security in Computing. 4th ed. Prentice Hall.

• Stallings, W., 2006. Cryptography and Network Security: Principles and Practices. 4th ed. Prentice Hall.

• Stallings, W. & Brown, L., 2008. Computer Security: Principles and Practice. Prentice Hall.


Introduction to Security in Computing

Chapter-1


Introduction – Security in Computing

• Security in computing is about protecting computer-related assets, i.e. valuable information

• The focus is security for computing systems

• How banks protect physical currency cf. people protecting information (Pfleeger, p.2)

• Can we learn from our analysis of banks, i.e. how they have protected e.g. money, gold etc.?


Terms and Definitions

Secure, protected

• Immune to attack

• Covered by certain controls

Threat

• A potential to do harm or cause loss

Vulnerability

• Weaknesses in defenses that could allow harm to occur


Terms and Definitions

Figure 1-1 Threats Controls and Vulnerabilities

The water is a THREAT to the man

The crack is a VULNERABILITY that threatens the man’s security

The man placing his finger in the hole is controlling the threat.


Terms and Definitions

Attack

• Threat + Vulnerability

Control, countermeasure

Risk, residual [remaining] risk

Penetration [making way through], weakest point


Attacks and Attackers

Attacks

• Malicious; non-malicious; natural causes

• Accidental, intentional

Attackers

MOM – Method + Opportunity + Motive

• Method: tools, knowledge, capability

• Opportunity: time, physical access, availability

• Motivation: reason for attack

Work factor: difficulty in pulling off an attack; measured in time, skill, resources


The Security Triad – C I A

Figure 1-2  Relationship Between Confidentiality, Integrity, and Availability

(Pfleeger, p.11)


The Security Triad – C I A

Figure 1-3  Security of Data (Pfleeger, p.18)


The Security Triad – C I A

Confidentiality: protection from unauthorised disclosure

• Privacy; personal private information

• Sensitive information, e.g. student grades, company inventions, juvenile arrest records

• Protection of classified information


The Security Triad – C I A

Integrity: protection from inappropriate modification

• Precision, accuracy

• Possible ways to limit modification

• Not modified (for example, read-only)

• Only in acceptable ways, e.g. ?

• Only by acceptable people, e.g. ?

• Only using appropriate processes, e.g. ?


The Security Triad – C I A

Integrity: protection from inappropriate modification

• Internally consistent

• The disk contents match what was originally recorded

• An update to one instance causes the change to be propagated to all instances

• Meaningful and usable

• Readable

• Not protected against legitimate access (see also availability)


The Security Triad – C I A

Availability

• Usable (readable, accessible)

• Sufficient capacity (bandwidth, sharable, or copied as needed)

• Is making progress (not hung in a loop or never attended to)

• Completes in an acceptable amount of time

These goals can conflict

• High confidentiality may limit availability

• Strong integrity controls may impose a slowdown that affects availability


Vulnerabilities

Kinds of Vulnerabilities

• Interruption (breaking a pathway of use, deleting, destroying)

• Interception (taking or obtaining without permission; either taking an object itself or making an unauthorised copy)

• Modifications (changing without permission)

• Fabrication (creating a new – illicit – version)


Vulnerabilities

Kinds of Vulnerabilities

Figure 1-4 System Security Threats


Vulnerabilities

Kinds of Vulnerabilities

Figure 1-5 Vulnerabilities of Computer System


Vulnerabilities

Targets of vulnerabilities

• Hardware (including firmware)

• Software

• Data and Information

• Access, time, bandwidth, network resources (cable, switches and routers, addressing and routing information, wireless services)

• People

• Supplies


Computer Attackers

Most computer attacks are committed by insiders as unintentional, non-malicious errors

• Security awareness is the most effective and least expensive control

Amateurs

• Often insiders with privileges (necessary to do their jobs)

• Outside probers or tinkerers


Computer Attackers contd.

Crackers

• Advanced form of probing or tinkering.

• Intention to undermine or circumvent security controls

• Various motivations: challenge, ego, curiosity, adventure, experimentation

• Non-malicious attacks or attacks with non-malicious intent are still attacks


Computer Attackers contd.

Criminals

• Motivation: payoff, revenge, competition

• Rapidly growing attack segment

• Financial reward potential is attractive

• Some evidence that organised crime is becoming involved in computer crime – it’s where the money is

• Definition of “computer crime” not precise


Defence Objectives

Prevent harm

• Block attack, close [plug] vulnerability

• Although obviously most effective, sometimes prevention is not possible

o Insiders need elevated privileges to do work

o Vulnerabilities may be unknown

o Even a fortress can be breached with the right attack


Defence Objectives contd.

Deter harm

• Make the attacker work harder or longer

• Hope the attacker will choose another easier target

• Example: protect bank tellers with bulletproof glass: not impenetrable, but requires a long time and a lot of force

Deflect harm

• Push the attacker to another target

• Example: a “honeypot” [trap] - website to attract and occupy the attacker


Defence Objectives contd.

Detect harm

• Determine that attack is under way (realtime) or has occurred sometime in the past (non-realtime)

Goals:

• To be able to increase defences (to block an attack in realtime)

• To determine the kind and extent of attack (after the fact) and strengthen defences for the future (close vulnerability) or know what has been lost


Defence Objectives contd.

Recover from harm

• Resume normal operation

• Increase or strengthen so future attacks do not succeed

• Deal with loss or exposure of data

Note:

• More cost effective to allow unlikely harm to occur and spend money on recovery than to spend much more money trying in vain to prevent the harm


Controls

Physical

• Gates, guns, guards

• Access control devices, e.g., badge readers, motion detectors

• Fire suppression, extinguishers

Administrative

• Security awareness training

• Security policies, procedures, guidelines, practices

• Rules of acceptable use, code of ethics

• Hiring and termination practices

• Software development practices

• Human oversight, management, review


Controls contd.

Technical

• Firewall

• Intrusion detection system

• Virus scanner

• Encryption

• Identification and authentication technologies (e.g. smart cards, biometrics, password)

• Logical access controls (program-based controls limiting access based on identity, proposed use, date, time etc); implemented by network infrastructure, operating systems, database management, application program, utility


Controls contd.

Technical

• Honeypot

• Protocol

• Networking infrastructure, operating systems, database management systems, applications


Controls contd.

Technical

Figure 1-6 Multiple Controls