Computer Security: Introduction

January 3, 2020

Short title January 3, 2020 1 / 22

What is Computer Security?

Short title January 3, 2020 2 / 22

What is Computer Security?

Computer security deals with computer-related assets that are subject to a

variety of threats and for which various measures are taken to protect
those assets.

Short title January 3, 2020 3 / 22

Our Focus

1. What assets do we need to protect?

2. How are those assets threatened?
3. What can we do to counter those threats?

Short title January 3, 2020 4 / 22

Computer Security

Definition:
The protection afforded to an automated information system in order to
attain the applicable objectives of preserving the integrity, availability, and
confidentiality of information system resources (includes hardware,
software, firmware, information/data, and telecommunications).

Short title January 3, 2020 5 / 22

Key-objectives of Computer Security

Confidentiality:
- Data confidentiality: Assures that private or confidential information
is not made available or disclosed to unauthorized individuals.

- Privacy: Assures that individuals control or influence what information

related to them may be collected and stored and by whom and to
whom that information may be disclosed.

Short title January 3, 2020 6 / 22

Key-objectives of Computer Security

Integrity:
- Data integrity: Assures that information and programs are changed
only in a specified and authorized manner.

- System integrity: Assures that a system performs its intended

function in an unimpaired manner, free from deliberate or inadvertent
unauthorized manipulation of the system.

Short title January 3, 2020 7 / 22

Key-objectives of Computer Security

Availability: Assures that systems work promptly and service is not

denied to authorized users.

Short title January 3, 2020 8 / 22

What does these objectives mean?

Confidentiality: Preserving authorized restrictions on information

access and disclosure, including means for protecting personal privacy
and proprietary information. A loss of confidentiality is the
unauthorized disclosure of information.
Integrity: Guarding against improper information modification or
destruction, including ensuring information non-repudiation and
authenticity. A loss of integrity is the unauthorized modification or
destruction of information.
Availability: Ensuring timely and reliable access to and use of
information. A loss of availability is the disruption of access to or
use of information or an information system.

Short title January 3, 2020 9 / 22

Additional Security Objectives

Authenticity: The property of being genuine and being able to be

verified and trusted; confidence in the validity of a transmission, a
message, or message originator. This means verifying that users are
who they say they are and that each input arriving at the system
came from a trusted source.
Accountability: The security goal that generates the requirement for
actions of an entity to be traced uniquely to that entity. This
supports non-repudiation, deterrence, fault isolation, intrusion
detection and prevention, and after-action recovery and legal action

Short title January 3, 2020 10 / 22

Challenges of Computer Security

1. The requirements seem to be straightforward but the mechanisms

used to meet those requirements can be quite complex, and
understanding them may involve rather subtle reasoning.
2. In developing a particular security mechanism or algorithm, one must
always consider potential attacks on those security features.
In many cases, successful attacks are designed by looking at the
problem in a completely different way, therefore exploiting an
unexpected weakness in the mechanism.

Short title January 3, 2020 11 / 22

Challenges of Computer Security

3. Because of point 2, the procedures used to provide particular services

are often counterintuitive.
4. Having designed various security mechanisms, it is necessary to decide
where to use them.
5. Security mechanisms require that participants be in possession of
some secret information (e.g., an encryption key), which raises
questions about the creation, distribution, and protection of that
secret information.

Short title January 3, 2020 12 / 22

Challenges of Computer Security

6. The great advantage that the attacker has is that he or she need only
find a single weakness while the designer must find and eliminate all
weaknesses to achieve perfect security.
7. Tendency to consider security as having little benefit, requires
constant involvement, needs to be part of design, and consider
security effects efficiency.

Short title January 3, 2020 13 / 22

A Model for Computer Security

Short title January 3, 2020 14 / 22

A Model for Computer Security

Short title January 3, 2020 15 / 22

Assets of a Computer System

The assets of a computer system can be categorized as follows:

Hardware: Including computer systems and other data processing,
data storage, and data communications devices
Software: Including the operating system, system utilities, and
applications.
Data: Including files and databases, as well as security-related data,
such as password files.
Communication facilities and networks: Local and wide area
network communication links, bridges, routers, and so on.

Short title January 3, 2020 16 / 22

Vulnerabilities of a Computer System

The following are general categories of vulnerabilities of a computer

system or network asset:
It can be corrupted, so that it does the wrong thing or gives wrong
answers.
It can become leaky. For example, someone who should not have
access to some or all of the information available through the network
obtains such access.
It can become unavailable or very slow. That is, using the system or
network becomes impossible or impractical.
These three general types of vulnerability correspond to the concepts of
integrity, confidentiality, and availability.

Short title January 3, 2020 17 / 22

Threats
Corresponding to the various types of vulnerabilities to a system resource
are threats that are capable of exploiting those vulnerabilities.
We can distinguish two types of attacks:

Active attack: An attempt to alter system resources or affect their

operation.
Passive attack: An attempt to learn or make use of information
from the system that does not affect system resources.
We can also classify attacks based on the origin of the attack:
Inside attack: Initiated by an entity inside the security perimeter (an
”insider”). The insider is authorized to access system resources but
uses them in a way not approved by those who granted the
authorization.
Outside attack: Initiated from outside the perimeter, by an
unauthorized or illegitimate user of the system (an ”outsider”).
Short title January 3, 2020 18 / 22
Security concepts and their relationship

Short title January 3, 2020 19 / 22

Threat Consequences, and the Types of Threat Actions
that Cause Each Consequence

Short title January 3, 2020 20 / 22

Threat Consequences, and the Types of Threat Actions
that Cause Each Consequence

Short title January 3, 2020 21 / 22

Computer and Network Assets, with Examples of Threats

Short title January 3, 2020 22 / 22

Attack Surfaces

An attack surface consists of the reachable and exploitable vulnerabilities

in a system. Examples of attack surfaces are the following:
Open ports on outward facing Web and other servers, and code
listening on those ports
Services available on the inside of a firewall
Code that processes incoming data, email, XML, office documents,
and industry-specific custom data exchange formats
Interfaces, SQL, and Web forms
An employee with access to sensitive information vulnerable to a
social engineering attack

Short title January 3, 2020 23 / 22

The End

Short title January 3, 2020 24 / 22