Unit – I Introduction to Computer Security (12 Hrs.

) 14 Marks

Unit Outcomes (UOs)

1a. Explain the importance of the given component of computer security.
1b. Explain the characteristics of the given type of threat.
1c. Explain the given type of attacks related with security.
1d. Describe the features of given type of update of operating system.
1e. Classify Information.
1f. Explain Principles of Information Security.

Topics and Sub-topics

1.1 Foundations of Computer Security –Definition and Need of computer security,
Security basics: Confidentiality, Integrity, Availability, Accountability, Non-repudiation,
Reliability.
1.2 Risk and Threat Analysis: Assets, Vulnerability, Threats, Risks, Counter measures.
1.3 Threat to Security: Viruses, Phases of Viruses, Types of Virus, Dealing with
Viruses, Worms, Trojan horse, Intruders, Insiders.
1.4 Type of attacks: Active and Passive attacks, Denial of Service, DDOS, Backdoors
and Trapdoors, Sniffing, Spoofing, Man in the Middle, Replay, TCP/IP Hacking,
Encryption attacks.
1.5 Operating system security: Operating system updates: Hot Fix, Patch, and Service
Pack
1.6 Information: Need and Importance of Information, information classification,
criteria for information classification, Security, need of security, Basics principles of
information security.
1.1. Foundations of Computer Security
Computer Security: The protection supported to a computerized information
system to secure the applicable target from harm, theft, and unauthorized use by
protecting the integrity, availability, and confidentiality of information system
resources (which includes hardware, software, firmware, information or data, and
telecommunications).

Need of Computer Security:

1. For prevention of data theft such as bank account numbers, credit card
information, passwords, work related documents or sheets, etc.
2. To ensure data remain safe and confidential.
3. To provide confidentiality which ensures that only those individuals should ever
be able to view data they are not entitled to.
4. To provide integrity which ensures that only authorized individuals should ever
be able change or modify information.
5. To provide availability which ensure that the data or system itself is available
for use when authorized user wants it.
6. To provide authentication which deals with the desire to ensure that an
authorized individual.
7. To provide non-repudiation which deals with the ability to verify that message
has been sent and received by an authorized user.

Security Basics: Three basic security concepts important to information on the

internet are confidentiality, integrity, and availability. Concepts relating to the
people who use that information are authentication, authorization, and
nonrepudiation.

Figure 1.1: Security Requirement Triad (CIA)

Confidentiality: This term covers two related concepts:
Data Confidentiality: Assures that private or confidential information is not made
available or disclosed to unauthorized individuals.
Assures Privacy: that individuals control or influence what information related to
them may be collected and stored and by whom and to whom that information may
be disclosed.

Integrity: This term covers two related concepts:

Data Integrity: Assures that information and programs are changed only in a
specified and authorized manner.
System Integrity: Assures that a system performs its intended function in an
unimpaired manner, free from deliberate or inadvertent unauthorized manipulation
of the system.

Availability: Assures that systems work promptly and service is not denied to
legitimate users.

Accountability: Accountability is an essential part of an information security plan.

The phrase means that every individual who works with an information system
should have specific responsibilities for information assurance. The tasks for which
an individual is responsible are part of the overall information security plan and can
be readily measurable by a person who has managerial responsibility for
information assurance. One example would be a policy statement that all
employees must avoid installing outside software on a company-owned
information infrastructure. The person in charge of information security should
perform periodic checks to be certain that the policy is being followed. Individuals
must be aware of what is expected of them and guide continual improvement.
Every information asset should be "owned" by an individual in the organization who
is primarily responsible each one.

Non-Repudiation: Non-repudiation is the assurance that someone cannot deny

the validity of something. Non-repudiation is a legal concept that is widely used in
information security and refers to a service, which provides proof of the origin of
data and the integrity of the data. In other words, non-repudiation makes it very
 difficult to successfully deny who/where a message came from as well as the
authenticity and integrity of that message.

Reliability: Reliability is a science that ensures the correct functioning of computer

systems even as individual hardware and software components may fail. Security
considers failures in an adversarial context, where someone is explicitly trying to
make a system behave incorrectly.

1.2. Risk and Threat Analysis:

Within IT security, risk analysis is being applied:
 Comprehensively for all information assets of an enterprise;
 Specifically for the IT infrastructure of an enterprise;
 During the development of new products or systems, e.g. in the area of software
security.
Informally, risk is the possibility that some incident or attack can cause damage to
your enterprise. An attack against an IT system consists of a sequence of actions,
exploiting weak points in the system, until the attacker’s goals have been achieved.
To assess the risk posed by the attack we have to evaluate the amount of damage
being done and the likelihood of the attack occurring. This likelihood will depend
on the attacker’s motivation and on how easy it is to mount the attack. In turn, this
will further depend on the security configuration of the system under attack.
To disentangle the various strands of investigations that have to be pursued in the
process of risk analysis, we will refer to assets, vulnerabilities and threats, and
calculate risk as a function thereof. Informally:
𝑹𝒊𝒔𝒌 = 𝑨𝒔𝒔𝒆𝒕𝒔 × 𝑻𝒉𝒓𝒆𝒂𝒕𝒔 × 𝑽𝒖𝒍𝒏𝒆𝒓𝒂𝒃𝒊𝒍𝒊𝒕𝒊𝒆𝒔
In the process of risk analysis, values are assigned to assets, vulnerabilities and
threats.
In quantitative risk analysis, values are taken from a mathematical domain like a
probability space. For example, by assigning monetary values to assets and
probabilities to threats the expected loss can be calculated.
In qualitative risk analysis, values are taken from domains that do not have an
underlying mathematical structure. Risk is calculated based on rules that capture
the consolidated advice of security experts.
Assets: In an IT system, assets include:
• Hardware: laptops, servers, routers, PDAS, mobile phones, smart cards etc.;
• Software: applications, operating systems, database management systems,
source code, object code etc.;
• Data and information: essential data for running and planning your business,
design documents, digital content, data about your customers etc.;
• Reputation
Valuation of assets is more of a challenge. Some assets, such as hardware, can
be valued according to their monetary replacement costs. For other assets, such
as data and information, this is more difficult. If your business plans are leaked to
the competition or private information about your customers is leaked to the public
you have to account for indirect losses due to lost business opportunities. The
competition may underbid you and your customers may desert you. Even when
equipment is lost or stolen you have to consider the value of the data stored on it,
and the value of the services that were running on it. In such situations, assets can
be valued according to their importance. As a good metric for importance, ask
yourself how long your business could survive when a given asset has been
damaged: a day, a week, a month?

Vulnerability: Vulnerabilities are weaknesses of a system that could be

accidentally or intentionally exploited to damage assets. In an IT system, typical
vulnerabilities are:
• Accounts with system privileges where the default password, such as
‘MANAGER’, has not been changed;
• Programs with unnecessary privileges;
• Programs with known flaws;
• Weak access control settings on resources, e.g. Having kernel memory world
writable;
• Weak firewall configurations that allow access to vulnerable services.
Vulnerability scanners provide a systematic and automated way of identifying
vulnerabilities. Their knowledge base of known vulnerabilities has to be kept up to
date. Vulnerabilities can be rated according to their impact (level of criticality). A
vulnerability that allows an attacker to take over a systems account is more critical
than a vulnerability that gives access to an unprivileged user account. A
vulnerability that allows an attacker to completely impersonate a user is more
critical than a vulnerability where the user can only be impersonated in the context
of a single specific service. Some scanners also give rating for the vulnerabilities
they detect.

Threats: Threats are actions by adversaries who try to exploit vulnerabilities to

damage assets. There are various ways to identify threats. We can categorize
threats by the damage done to assets. For example, Microsoft’s STRIDE threat
model for software security lists the following categories:
• Spoofing identities: the attacker pretends to be somebody else.
• Tampering with data: e.g. security settings are changed to give the attacker
more privileges.
• Repudiation: a user denies having performed an action like mounting an
attack, or making a purchase.
• Information Disclosure: information may lose its value if it is disclosed to the
wrong parties (e.g. trade secrets); your organization may face penalties if it is
does not properly protect information (e.g. personal information about
individuals).
• Denial of Service (Dos): DoS attacks can make web sites temporarily
unavailable; there have been stories in the press that businesses use such
attacks to harm competitors.
• Elevation of Privilege: a user gains more privileges on a computer system
than he/she is entitled to.

Risks: Having rated the value of assets, the criticality of vulnerabilities and the
likelihood of threats, we now face the tricky task of calculating our risks.

Quantitative Risk Analysis:

In quantitative risk analysis, expected losses could be computed in the framework
of probability theory, based on monetary values for the assets and probabilities for
the likelihood of threats. Such a method has the pleasing feature of being based
on a well-established mathematical theory, but also has the considerable drawback
that the ratings we obtain are often based on educated guesses. In short, the
quality of the results we obtain cannot be better than the quality of the inputs
provided. We could consider other mathematical frameworks, such as fuzzy theory,
to make some provisions for the imprecise nature of our ratings.
There are areas of risk analysis where quantitative methods work, but more often
the lack of precision in the inputs does not justify a mathematical treatment.

Qualitative Risk Analysis:

• Assets could be rated on a scale of critical – very important – important – not
important;
• Criticality of vulnerabilities could be rated on a scale of has to be fixed
immediately has to be fixed soon should be fixed fix if convenient;
• Threats could be rated on a scale of very likely – likely, unlikely, and very
unlikely.
The DREAD methodology that complements STRIDE may serve as an example of
a scheme for qualitative risk analysis
• Damage Potential: relates to the values of the assets being affected.
• Reproducibility: one aspect of how difficult it is to launch an attack; attacks
that are easy to reproduce are a greater risk than attacks that only work in
specific circumstances.
• Exploitability: relates to the effort, expertise and resources required to launch
an attack.
• Affected Users: for software vendors, another important contributing factor to
damage potential.
• Discoverability: when will the attack be detected? In the most damaging case,
you will never know that your system has been compromised.

Counter Measures:
The result of a risk analysis is a prioritized list of threats, together with
recommended countermeasures to mitigate risk. Risk analysis tools usually come
with a knowledge base of countermeasures for the threats they can identify.
It might seem trivially true that one should first go through a risk analysis before
deciding on which security measures to implement. However, there are two
reasons why this ideal approach may not work. Conducting a risk analysis for a
larger organization will take time, but the IT system in the organization and the
world around will keep changing. So, by the time the results of the analysis are
 presented, they are already somewhat out of date. Moreover, the costs of a full risk
analysis may be difficult to justify to management.
For these reasons, organizations may opt for baseline protection as an alternative.
This approach analyzes the security requirements for typical cases and
recommends security measures deemed adequate. One of the best known IT
security baseline documents is maintained by the German Information Security
Agency

1.3. Threat to Security:

In computer security, a threat is a possible danger that might exploit a vulnerability
to breach security and thus cause possible harm. Computer security threat is any
circumstance or event with the potential to adversely impact organizational
operations (including mission, functions, image, or reputation), organizational
assets, or individuals through an information system via unauthorized access,
destruction, disclosure, modification of information, and/or denial of service.
Security threats to your computer can be classified in three groups:
• Hackers, who try to break into your computer without your knowledge or
permission. They may claim that they were “just looking around” or that they
were “doing you a favor by showing that your security is flawed.” They may
also steal your data or use your computer to commit a crime by remote control.
In any case, hackers are unethical people who should not be trusted or
respected.
• Malware (Malicious Software), which comes in many forms: viruses, worms,
Trojan horses, scripts, rootkits, adware, and spyware. Malware can take
control of your computer without your knowledge or permission, delete your
data, send your data to an unauthorized recipient, or cause your computer to
attack other computers. In the last few years, malware has become
professional crime ware—it’s no longer produced by kids trying to impress their
friends.
• User Error, which includes ignorance, laziness, and gullibility. Computer users
need to understand computer security, just as car drivers need to understand
the “rules of the road” to avoid unpleasant results. Users must keep their
computers up to date, use passwords whenever available, and ensure the
passwords are not guessable. Short passwords that are easy to type are also
 easy to guess. Unwary users can fall prey to con artists like phishers and social
engineers, resulting in embarrassment, financial loss, and identity theft.

Viruses: Computer viruses are small software programs that are designed to
spread from one computer to another and to interfere with computer operation. A
virus is a piece of software that can "infect" other programs by modifying them; the
modification includes a copy of the virus program, which can then go on to infect
other programs. A virus can do anything that any other programs can do.
A virus attaches itself to another program and executes secretly when the host
program is running. Once a virus is executing, it can perform any function, such
as erasing files and programs.

Phases of Computer Virus Life Cycle: A typical virus goes through the following
four phases:
 Dormant phase
 Propagation phase
 Triggering phase
 Execution phase

Figure 1.2: Phases of Computer Virus Life Cycle

Dormant phase: In this phase the virus is idle. The virus will eventually be
activated by some event, such as a date, the presence of another program or file,
or the capacity of the disk exceeding some limit. Not all viruses have this stage.

Propagation phase: In this phase the virus places an identical copy of itself into
other programs or into certain system areas on the disk. Each infected program
will now contain a clone of the virus, which will itself enter a propagation phase.

Triggering phase: The virus is activated to perform the function for which it was
intended. As with the dormant phase, the triggering phase can be caused by a
variety of system events, including a count of the number of times that this copy of
the virus has made copies of itself.

Execution phase: The function is performed, which may be harmless, e.g. a

message on the screen, or damaging, e.g. the destruction of programs and data
files
Types of Virus:
• Boot Sector Virus
• Program Virus
• Multipartite Virus
• Stealth Virus
• Polymorphic Virus
• Macro Virus
• Memory Resident Viruses
• Non- Resident Viruses
• Overwriting Viruses
• Stealth Virus
• Companion Viruses
• Email Viruses
• Metamorphic Viruses
• Parasitic Viruses

Boot Sector Virus: Infects the boot or MBR of diskettes and hard drives through
the sharing of infected disks and pirated software applications Once your hard
drive is infected all diskettes that you use in your computer will be infected

Program Virus: Becomes active when the program file (usually with extensions
.BIN, .COM, .EXE, .OVL, .DRV) carrying the virus is opened. It then makes copies
of itself and will infect other programs on the computer.

Multipartite Virus: Hybrid of a Boot Sector and Program viruses. It infects

program files and when the infected program is active it will affect the boot record.

Stealth Virus: Disguises itself to prevent from being detected by antivirus

software. It alters its file size or conceals itself in memory

Polymorphic Virus: Act like a chameleon, changing its virus signature (binary
pattern) every time it multiples and infects a new file
Macro Virus: Programmed as a macro embedded in a document, usually found
in Microsoft Word and Excel. Once it gets in to your computer, every document
you produce will become infected. A new type of virus may slip by your antivirus
software if you don't have the most recent version installed

Memory Resident Viruses: This type of virus lives in the memory after its
execution. Its inserts themselves as a part of operating system or application and
can manipulate any file that executed. Copied or moved

Non-resident Virus: This type of virus executes itself and terminated or destroyed
after specific time.

Overwriting Virus: Overwriting viruses deletes the original code and replaces it
by new, malicious code. When the replaced file is executed the virus can try to
replicate again. Since the original file is deleted by overwriting either in whole or
in part, it is not possible to disinfect them. The original file is to be restored from a
backup.

Stealth Virus: It’s a virus that hides the modification it has made in the file or boot
record

Companion Virus: This is the virus which, creates a new program instead of
modifying an existing file

Email Viruses: Virus gets executed when E-mail attachment is open by recipient.
Virus stands itself to everyone on the mailing list of sender

Metamorphic Viruses: This type of virus keeps rewriting itself every time. It may
change their behavior as well as appearance code

Parasitic Viruses: It attaches itself to executable code and replicates itself. When
the infected code is executed, it will find other executable code or program infect.
Dealing with Viruses: How to Deal with Computer Viruses
Step 1: Use a reliable antivirus program
Step 2: Scan your computer
Step 3: Remove the malware
Step 4: Stop future infections

Worms: Computer Worms are reproducing programs that run independently and
travel across network connections. A worm is a computer program that copy itself
from machine to machine in a network. The main difference between viruses and
worms is the method in which they reproduce and spread. A worm usually exploits
some sort of security hole in a piece of software or the operating system. Worms
normally move around and infect other machines through computer networks.
Using a network, a worm can expand from a single copy very rapidly.
Computer worms are malicious software applications that designed to spread via
computer networks. Computer worms are one form of malware along with viruses
and Trojans. A person typically installs worms by inadvertently opening an email
attachment or message that contains executable scripts.
Unlike a computer virus, it does not need to attach itself to an existing program.
Worms almost always cause at least some harm to the network, even if only by
consuming bandwidth, whereas viruses almost always corrupt or modify files on a
targeted computer.
Many worms that have been created are designed only to spread, and do not
attempt to change the systems they pass through.

Virus V/S Worms:

Sr. No. Virus Worm
1. Virus attaches itself to another Worm spread itself through network
program to perform malicious connections to perform malicious
activity. activity.
2. A virus is dependent upon a host A worm can run completely
file or boot sector, and the transfer independently and spread itself
of files between machines to through network connections.
spread.

Trojan horse: A Trojan horse is a program where harmful code is contained inside
another code which can appear to be harmless. Once the apparently harmless
code is in the computer, it releases the malicious code to do its damage. Trojan
horses may even claim to be anti-virus in order to get the user to install it.
The name comes from the deception that the Greek army played on the people of
Troy during the Trojan War. They presented Troy with a large wooden horse in
which they had secretly hidden their warriors. Once inside the city gates, the
warriors emerged from the horse and took control of the city.

Intruders: The act of intentionally accessing computer systems and networks

without authorization or without permission is generally referred to as hacking. The
individuals those who perform this activity are commonly as hackers.
An Intruder is a person who attempts to gain unauthorized access to a system, to
damage that system, or to disturb data on that system. In summary, this person
attempts to violate Security by interfering with system Availability, data Integrity or
data Confidentiality.
Intruders have to be extremely patient, since the process to gain access to a
system takes persistence and strong-willed determination. The attacker has to
conduct many pre-attack activities in order to obtain the information needed to
perform the successful attack. Before launching the attack, intruder has to be very
confident about the gathered information. An attack performed by an individual or
even a small group of attackers comes under the unstructured threat category.

Insiders: Insiders may have accounts giving them legitimate access to computer
systems, with this access originally having been given to them to serve in the
performance of their duties; these permissions could be abused to harm the
organization.
An Insider Threat is a malicious threat to an organization that comes from people
within the organization, such as employees, former employees, contractors or
business associates, who have inside information concerning the organization's
security practices, data and computer systems. The threat may involve fraud, the
theft of confidential or commercially valuable information, the theft of intellectual
property, or the sabotage of computer systems.
Insiders are more dangerous in many aspects than the intruders. Since insiders
are having direct access and the necessary knowledge to cause instant damage
to the organization. In most organizations security is designed to protect against
 intruders. Insiders may actually already have all the access they need to commit
criminal activity such as fraud. In addition to direct access, insiders also normally
have the details of the security systems in organization and so they can easily
avoid detection. Attacks by insiders are often the result of employees who have
become irritated, dissatisfied, and unhappy with their organization and are looking
for ways to disturb work.

1.4.Type of attacks: An attack is an information security threat that involves an

attempt to obtain, alter, destroy, remove, implant or reveal information without
authorized access or permission. An attack is one of the biggest security threats in
information technology, and it comes in different forms.
There are many different kinds of attacks like, Active and Passive attacks, Denial
of Service, DDOS, Backdoors and Trapdoors, Sniffing, Spoofing, Man in the
Middle, Replay, TCP/IP Hacking, Encryption attacks

Active Attacks: An active attack attempts to alter system resources or affect their
operation. Active attacks involve some modification of the data stream or the
creation of a false stream and can be subdivided into four categories:
masquerade, replay, modification of messages, and denial of service.

Masquerade: Masquerade takes place when one entity pretends to be a different

entity. A masquerade attack usually includes one of the other forms of active
attack. For example, authentication sequences can be captured and replayed after
a valid authentication sequence has taken place, thus enabling an authorized
entity with few privileges to obtain extra privileges by impersonating an entity that
has those privileges.
Figure 1.3: Masquerade

Replay: Replay involves the passive capture of a data unit and its subsequent
retransmission to produce an unauthorized effect

Figure 1.4: Replay

Modification of Messages: It means that some portion of a message is altered

or that message is delayed or reordered to produce an unauthorized effect. For
example, a message meaning “Allow JOHN to read confidential file X” is modified
as “Allow Smith to read confidential file X”.
Figure 1.5: Modification of Message

Denial of Service: It prevents normal use of communication facilities. This attack

may have a specific target. For example, an entity may suppress all messages
directed to a particular destination. Another form of service denial is the disruption
of an entire network wither by disabling the network or by overloading it by
messages so as to degrade performance.

Figure 1.6: Denial of Service

Passive Attacks: A Passive attack attempts to learn or make use of information

from the system but does not affect system resources. Passive attacks are in the
nature of eavesdropping on, or monitoring of, transmissions. The goal of the
opponent is to obtain information that is being transmitted. Two types of passive
attacks are release of message contents and traffic analysis.
Passive attacks are very difficult to detect because they do not involve any
alteration of the data. Typically, the message traffic is sent and received in an
apparently normal fashion and neither the sender nor receiver is aware that a third
party has read the messages or observed the traffic pattern. However, it is feasible
to prevent the success of these attacks, usually by means of encryption. Thus,
File the emphasis in dealing with passive attacks is on prevention rather than
detection.

Release of Message Content: Telephonic conversation, an electronic mail

message or a transferred file may contain sensitive or confidential information. We
would like to prevent an opponent from learning the contents of these
transmissions.

Figure 1.6: Release of Message Content

Traffic Analysis: Suppose that we had a way of masking (encryption) of

information, so that the attacker even if captured the message could not extract
any information from the message.
The opponent could determine the location and identity of communicating host
and could observe the frequency and length of messages being exchanged. This
information might be useful in guessing the nature of the communication that was
taking place.
 Figure 1.6: Traffic Analysis

Following are the important differences between Active Attack and Passive Attack.
Sr.
Key Active Attack Passive Attack
No.
1. In Active Attack, information is In Passive Attack, information
Modification
modified. remain unchanged.

2. Dangerous Active Attack is dangerous for Passive Attack is dangerous

For Integrity as well as availability. for Confidentiality.

3. Attention is to be paid on Attention is to be paid on

Attention
detection. prevention.

4. Impact on In Active Attack, system is In Passive Attack, system has

System damaged. no impact.

5. Victim gets informed in active Victim does not get informed

Victim
attack. in passive attack.

6. System System Resources can be System Resources are not

Resources changed in active attack. changed in passive attack.

DDOS: A denial-of-service attack (DoS attack) is a cyber-attack in which the

perpetrator seeks to make a machine or network resource unavailable to its
intended users by temporarily or indefinitely disrupting services of a host
connected to the Internet. Denial of service is typically accomplished by flooding
the targeted machine or resource with superfluous requests in an attempt to
overload systems and prevent some or all legitimate requests from being fulfilled.
 In a distributed denial-of-service attack (DDoS attack), the incoming traffic flooding
the victim originates from many different sources. This effectively makes it
impossible to stop the attack simply by blocking a single source.
A DoS or DDoS attack is analogous to a group of people crowding the entry door
of a shop, making it hard for legitimate customers to enter, thus disrupting trade.

Backdoors
Trapdoors
Sniffing
Spoofing
Man in the Middle
Replay
TCP/IP Hacking
Encryption attacks.
1.5. Operating system security: Operating system updates: Hot Fix, Patch, and Service
Pack
1.6. Information: Need and Importance of Information, information classification,
criteria for information classification, Security, need of security, Basics principles
of information security.