Unit 1

Notes

Uploaded by

rameshkumar.m

Overview of Computer Security

• A computing system is a collection of hardware, software, data, and people that an organization uses to
do computing tasks.
• Computer security means protecting our computing system. The main aspects are:

Prevention: - Prevent your assets from being damaged

Detection: - Detect when assets have been damaged

Reaction: - Recover your assets

Computer Security: - Ensuring that the data stored in a computer cannot be read or compromised by any individual
without authorization.

- Most computer security measures involve data encryption and passwords.

- The purpose of computer security is to devise ways to prevent the weaknesses from being

SECURITY CONCEPTS

Three Goals in Computing Security

The three goals of computer security are

1. Confidentiality

2. Integrity

3. Availability
•Confidentiality: ensures that computer-related assets are accessed only by authorized parties. Confidentiality is
sometimes called secrecy or privacy.

- Difficult to ensure

- Easy to assess

Confidentiality is the ability to hide information from those people unauthorized to view it. It is perhaps the most
obvious aspect of the CIA (Confidentiality, Integrity and Availability) triad when it comes to security; but
correspondingly, it is also the one which is attacked most often.

Cryptography and Encryption methods are an example of an attempt to ensure confidentiality of data transferred
from one computer to another.

A good example of methods used to ensure confidentiality is an account number or routing number when
banking online.

Data encryption is a common method of ensuring confidentiality. User IDs and passwords constitute a
standard procedure; two-factor authentication is becoming the norm.

Other options include biometric verification and security tokens, key fobs or soft tokens.

In addition, users can take precautions to minimize the number of places where the information appears
and the number of times it is actually transmitted to complete a required transaction.

Different approaches for achieving confidentiality are

- Access control: - specifies who can access. One access control mechanism for preserving confidentiality is
cryptography
- Identification and Authentication

Two concepts in confidentiality are

1. Data Confidentiality: - assures that confidential information is not disclosed to unauthorized individuals.

- Only the people who are authorized to do so can gain access to sensitive data. Imagine your bank records.
- You should be able to access them, of course, and employees at the bank who are helping you with a
transaction should be able to access them, but no one else should.

2. Privacy: The right of individuals to hold information about themselves in secret, free from the knowledge
of others

•Integrity: it means that assets can be modified only by authorized parties or only in authorized ways.

- Much more difficult to measure

Two concepts in integrity are

1. Data Integrity: - Information and programs are changed only in an authorized manner

2. System Integrity: - The system performs its operations in an unimpaired manner, meaning the state of the
system is not changed.

Integrity mechanisms fall into two classes: prevention mechanisms and detection mechanisms.
Prevention mechanisms seek to maintain the integrity of the data by blocking any unauthorized attempts to
change the data or any attempts to change the data in unauthorized ways.

Detection mechanisms do not try to prevent violations of integrity; they simply report that the data's integrity is
no longer trustworthy. The mechanisms may report the actual cause of the integrity violation (a specific part of a
file was altered), or they may simply report that the file is now corrupt.

•Availability: it means that assets are accessible to authorized users at all times

- Availability applies both to data and to service.

- Failure to meet this goal (availability) is known as denial of service.

- Availability is an important aspect of reliability as well as of system design because an unavailable
system is at least as bad as no system at all

One of the challenges in building a secure system is finding the right balance among the goals, which often
conflict.

Along with these three objectives, a system should also ensure

1. Authentication: The computer system must be able to verify the identity of a user.

Authentication technology provides access control for systems by checking to see if a user's credentials
match the credentials in a database of authorized users or in a data authentication server.

Users are usually identified with a user ID, and authentication is accomplished when the user provides a
credential, for example a password, that matches with that user ID.

2. Accountability: Every individual who works with an information system should have specific
responsibilities for information assurance.
3. Non-repudiation: Non-repudiation is the assurance that someone cannot deny the validity of something.
Non-repudiation is a legal concept that is widely used in information security and refers to a service,
which provides proof of the origin of data and the integrity of the data. In other words, non-repudiation
makes it very difficult to successfully deny who/where a message came from as well as the authenticity of
that message.

Digital signatures can offer non-repudiation when it comes to online transactions, where it is
crucial to ensure that a party to a contract or a communication can't deny the authenticity of their
signature on a document or sending the communication in the first place.

In this context, non-repudiation refers to the ability to ensure that a party to a contract or a communication must
accept the authenticity of their signature on a document or the sending of a message.

NEED OF SECURITY

Why is computer security important?

Computer security is important, primarily to keep your information protected. It's also important for your
computer's overall health, helping to prevent viruses and malware and allowing programs to run more smoothly.

Security is needed for the following reasons

1. Privacy: - It defines the right of individuals to hold information about themselves in secret, free from the
knowledge of others
2. Accuracy: - Most damage to data is caused by errors and omissions. An organization always needs
accurate data for transaction processing, providing better service and making
3. Threats by dishonest employees

4. Computer Crimes: - When computer resources are misused for unauthorized or illegal functions

5. Threats from fire and natural disasters: - fire and natural disasters like floods, storms, lightning etc.

THREATS

•A threat to a computing system is a set of circumstances that has the potential to cause loss or harm.

- A threat can be an object or person or other entity that represents a constant danger to an asset

•There are many threats to a computer system, including human-initiated and computer-initiated
ones.

•A threat is blocked by control of a vulnerability (a weakness of the system).

We can view any threat as being one of four kinds:

•An interception means that some unauthorized party has gained access to an asset. The outside party can be a
person, a program, or a computing system.

•In an interruption, an asset of the system becomes lost, unavailable, or unusable.

•If an unauthorized party not only accesses but tampers with an asset, the threat is a modification.

•An unauthorized party might create a fabrication of counterfeit objects on a computing system.

•The intruder may insert spurious transactions to a network communication system or add records to an existing
database.

Kinds of threats

• Interruption

– An asset of the system is destroyed or becomes unavailable or unusable

– Attack on availability

– Destruction of hardware

– Cutting of a communication line

– Disabling the file management system

– Here the information is being interrupted

• Interception

– An unauthorized party gains access to an asset

– Attack on confidentiality

– Wiretapping to capture data in a network

– Illicit copying of files or programs

– There is a middleman or process or machine trying to intercept

• Modification

– An unauthorized party not only gains access but tampers with an asset

– Attack on integrity

– Changing values in a data file

– Altering a program so that it performs differently

– Modifying the content of messages being transmitted in a network

– Here the middleman changes the data and sends it to the receiver

• Fabrication

– An unauthorized party inserts counterfeit objects into the system

– Attack on authenticity

– Insertion of spurious messages in a network

– Addition of records to a file

– Here the sender does not send data to the receiver. The middleman fabricates the data

ATTACKS

- An attack is the process of gaining access to data by an unauthorized user.

- It is an act that exploits a vulnerability (a weakness of the system)

Definition - What does Attack mean?

An attack is an information security threat that involves an attempt to obtain, alter, destroy, remove, implant or
reveal information without authorized access or permission. It happens to both individuals and organizations.

Two types of attacks are

1. Passive attack: - data is just accessed by a third party; there is no modification, and system resources are not affected

2. Active attack: - data will be modified

• Passive Attacks

– Release of message contents: a telephone conversation, an electronic mail message, and a
transferred file are subject to these threats
– Traffic analysis: - By analyzing the traffic flow between sender and receiver, a third party accesses
the data

• Active Attacks

– Masquerade takes place when one entity pretends to be a different entity

– Replay involves the passive capture of a data unit and its subsequent retransmission to produce
an unauthorized effect
– Modification of messages means that some portion of a legitimate message is altered, or that
messages are delayed or reordered, to produce an unauthorized effect
– Denial of service prevents or inhibits the normal use or management of communications facilities

• Disable network or overload it with messages

1. Masquerade attack

The third party sends the same message to the receiver, and the receiver receives it under the name of the sender.

2. Replay attack

- Here the receiver receives two messages: one from the sender and another from the third party.

- The receiver does not know which one is correct

3. Data Modification attack

4. Denial of Service

• A denial-of-service (DoS) is any type of attack where the attackers (hackers) attempt to prevent
legitimate users from accessing the service.
• In a DoS attack, the attacker usually sends excessive messages asking the network or server to
authenticate requests that have invalid return addresses.
• The network or server will not be able to find the return address of the attacker when sending the
authentication approval, causing the server to wait before closing the connection.
• When the server closes the connection, the attacker sends more authentication messages with
invalid return addresses. Hence, the process of authentication and server wait will begin again,
keeping the network or server busy.

- Here the third party interrupts (disrupts) the services sent by the server.

- Disruption of the entire network, either by disabling the network or by overloading it with messages, so as to
degrade performance
MALICIOUS CODE (MALWARE)

- It is software written to intentionally cause undesirable effects

- Can do anything that a normal program can do

- Designed to damage a computer system without the owner's consent

- Gets installed on your device and performs unwanted tasks

- Mainly designed to transmit information about your web browsing.

- It comes from different sources such as websites, email, physical media etc.

- In some cases it spreads itself to other computers through email or infected discs.

- Malware or malicious software is software designed to damage a computer system without the owner's
consent.
- Malicious software includes viruses, worms, Trojans, adware, rootkits, spyware and many other kinds of
unwanted software.

ACCESS CONTROL MATRIX

All the information needed for access control administration can be put into a matrix with rows representing
the subjects or groups of subjects and columns representing the objects.

The access that the subject or a group of subjects is permitted to the object is shown in the body of the
matrix.

It is a table of subjects and objects indicating what actions individual subjects can take upon individual
objects.

For example, in the matrix in Figure, user B has permission to read in file R4.

The entry access(i,j) defines the set of operations that a process executing in Subject i can invoke on Object j

One feature of the access control matrix is its sparseness. Because the matrix is so sparse, storage
consideration becomes an issue, and it is better to store the matrix as a list.

Implementation of Access control matrix

Access control can be implemented in three ways

1. Global table

2. Access lists for objects

3. Capability list for subjects

Global Table

The simplest implementation of the access matrix

The table consists of a set of ordered triples <Subject, Object, Right set>

Whenever an operation M is executed on object (Oj) by subject (Si), the global table is searched for a triple
<Si, Oj, Rk>. If it is found, the operation is allowed to continue; otherwise access is denied.

It has several disadvantages: it is usually large and thus cannot be kept in main memory.

Access lists for objects

Access Control Lists (ACLs)

• Focus on the object

ACLs ≡ columns of the access control matrix: Oj <Si, Rk>

• An ACL defines all domains with a non-empty set of access rights for that object

• Access rights are often defined for groups of users

– Because individual subjects may create a huge list

Capability List

• Focus on the subject

Capabilities list ≡ rows of the access control matrix

• A capability is a pointer to the object; it contains the address of the object

• Each domain has its capability list, which contains a list of capabilities together with the operations allowed

• The capability list is itself a protected object

- Maintained by the operating system

- Accessed by the user only indirectly
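
The three implementations above, written out as an added example (not part of the original notes): the same matrix stored as a global table, as per-object ACLs and as per-subject capability lists. The entry "B may read R4" comes from the text; the other subjects, objects and rights are constructed, and the check assumes an operation is allowed only when it appears in the right set Rk.

```python
# Added example: the access matrix as a global table, ACLs and capability lists.
from collections import defaultdict

# Global table of <subject, object, right set> triples. Only non-empty cells
# are stored. ("B", "R4", read) is from the text; other rows are constructed.
GLOBAL_TABLE = [
    ("A", "R1", {"read", "write"}),
    ("B", "R2", {"read", "execute"}),
    ("B", "R4", {"read"}),
    ("C", "R1", {"read"}),
]

def check_global(table, subject, obj, op):
    """Linear search for a triple <Si, Oj, Rk> whose right set contains op."""
    return any(s == subject and o == obj and op in r for s, o, r in table)

def build_acls(table):
    """Column view: each object maps to its <subject, rights> pairs."""
    acls = defaultdict(dict)
    for s, o, r in table:
        acls[o][s] = set(r)
    return dict(acls)

def build_capabilities(table):
    """Row view: each subject maps to the objects it holds rights on."""
    caps = defaultdict(dict)
    for s, o, r in table:
        caps[s][o] = set(r)
    return dict(caps)

def check_acl(acls, subject, obj, op):
    # A missing object or subject is an empty cell: deny by default.
    return op in acls.get(obj, {}).get(subject, set())

def check_capability(caps, subject, obj, op):
    return op in caps.get(subject, {}).get(obj, set())

def subjects_with_access(acls, obj):
    """'Who can touch this object?' is one lookup in the ACL view."""
    return sorted(acls.get(obj, {}))

def objects_reachable(caps, subject):
    """'What can this subject touch?' is one lookup in the capability view."""
    return sorted(caps.get(subject, {}))

if __name__ == "__main__":
    acls, caps = build_acls(GLOBAL_TABLE), build_capabilities(GLOBAL_TABLE)
    for q in [("B", "R4", "read"), ("B", "R4", "write"), ("C", "R4", "read")]:
        print(q, check_global(GLOBAL_TABLE, *q),
              check_acl(acls, *q), check_capability(caps, *q))
    print(subjects_with_access(acls, "R1"), objects_reachable(caps, "B"))
```

All three checks give the same answer for every query; they differ in which question is cheap to answer, per object for ACLs and per subject for capability lists.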

Security Policies

• Security policies in this context are rules designed to protect networks, systems, and data from
unauthorized access, attacks, and other security threats. They define how cryptographic tools and
network defenses should be used to secure communications and prevent breaches.
• To create a strong, reliable defense against various threats, ensuring that sensitive information is
protected through encryption, authentication, and other security measures.
• Examples in CNS:
– Use of Encryption: Secure communication channels by using encryption protocols like TLS/SSL to
protect data during transmission across networks.
– Access Control: Implementing strong user authentication methods, such as certificates or
biometrics, to ensure only authorized users access sensitive data.
– Firewall and Intrusion Detection Systems (IDS): Protecting networks from unauthorized access by
monitoring traffic and blocking suspicious activities.
– Virtual Private Networks (VPNs): Securing remote access to a network by encrypting traffic
between the user and the organization's network.

2. Confidentiality Policies

• Confidentiality policies ensure that sensitive information remains private and is only accessible by
authorized users. In cryptography, this is achieved by encrypting data to prevent unauthorized
access during storage or transmission.
• To maintain privacy by ensuring that unauthorized users or attackers cannot read or intercept
sensitive data while it is being transmitted or stored.
• Examples:
– Data Encryption: Using cryptographic algorithms like AES (Advanced Encryption Standard) or RSA
to encrypt sensitive data before transmission over networks, ensuring that even if the data is
intercepted, it cannot be read.
– Secure File Storage: Encrypting files stored on devices or cloud servers to protect them from
unauthorized access.
– End-to-End Encryption: Implementing encryption for communication systems (e.g., messaging
apps) to ensure that only the intended recipient can read the message, even if it is intercepted
during transmission.

3. Integrity Policies

• Integrity policies ensure that data remains accurate, consistent, and unaltered during transmission
or storage. Cryptographic techniques such as hash functions and digital signatures are used to
verify that the data has not been tampered with.
• To ensure that the data is authentic, reliable, and hasn't been changed or corrupted during
transmission, providing assurance to users and systems.
• Examples in CNS:
– Hash Functions: Using cryptographic hash functions (e.g., SHA-256) to generate a fixed-size output
(hash) for a message. This allows the receiver to compare the received hash with the one
generated on their end to ensure the data was not altered.
– Digital Signatures: Verifying the identity of the sender and ensuring the message hasn't been
modified by using a private key to sign a message and a public key for verification.
– Message Authentication Codes (MACs): Ensuring the integrity and authenticity of a message by
using symmetric-key cryptography, where both sender and receiver share a secret key.
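
An added example (not part of the original notes) that ties these detection mechanisms to the modification and replay attacks described earlier: an unkeyed hash sent with the message does not expose a middleman's change, a MAC does, and a MAC that also covers a sequence number lets the receiver tell a replayed copy from the original. The key, the messages and the sequence-number scheme are assumptions made for this example.

```python
# Added example: plain hash vs. MAC vs. MAC with a sequence number.
import hashlib
import hmac

KEY = b"constructed-demo-key"  # shared secret; sample value for this example

def hash_packet(msg):
    """Message plus an unkeyed SHA-256 digest sent over the same channel."""
    return {"msg": msg, "tag": hashlib.sha256(msg).hexdigest()}

def verify_hash(pkt):
    return hmac.compare_digest(hashlib.sha256(pkt["msg"]).hexdigest(), pkt["tag"])

def _mac(key, seq, msg):
    # The sequence number is covered by the MAC so it cannot be changed either.
    return hmac.new(key, seq.to_bytes(8, "big") + msg, hashlib.sha256).hexdigest()

def mac_packet(seq, msg, key=KEY):
    return {"seq": seq, "msg": msg, "tag": _mac(key, seq, msg)}

class Receiver:
    """Accepts a packet only if its MAC verifies and its sequence number is new."""
    def __init__(self, key=KEY):
        self.key = key
        self.last_seq = -1

    def accept(self, pkt):
        expected = _mac(self.key, pkt["seq"], pkt["msg"])
        if not hmac.compare_digest(expected, pkt["tag"]):
            return "rejected: modified or fabricated"
        if pkt["seq"] <= self.last_seq:
            return "rejected: replay"
        self.last_seq = pkt["seq"]
        return "accepted"

def demo():
    results = {}
    # Modification: whoever alters the message can also recompute a plain hash.
    altered = hash_packet(b"transfer 900 to account 7")
    results["plain_hash_detects_modification"] = not verify_hash(altered)
    rx = Receiver()
    pkt = mac_packet(1, b"transfer 100 to account 7")
    results["original"] = rx.accept(pkt)
    results["replayed"] = rx.accept(pkt)  # same bytes, sent a second time
    tampered = dict(pkt, seq=2, msg=b"transfer 900 to account 7")
    results["tampered"] = rx.accept(tampered)  # old tag no longer matches
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```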

4. Hybrid Policies

• Hybrid policies combine elements of confidentiality and integrity to provide comprehensive
security. These policies ensure that data remains both private and accurate by using a combination
of encryption, hashing, and digital signatures.
• To create a more robust security framework that addresses both the privacy and trustworthiness of
data and communication in networks.
• Examples in CNS:
– Secure Email Systems: Using both encryption and digital signatures to ensure that emails are
confidential (encrypted) and authentic (signed). This ensures that only authorized users can read
the email, and that it hasn't been altered.
– VPNs with Integrity Checks: A VPN might not only encrypt data but also include integrity checks
(such as MACs) to ensure that data has not been tampered with during transmission.
– Blockchain Technology: Blockchain uses both cryptography (to ensure confidentiality) and hashing
(to ensure integrity) to create a secure and transparent system for recording transactions.
