
computer-security-chapter-1

The document is an introduction to a computer security course at Mettu University, outlining its objectives, prerequisites, and key concepts related to information security, including security threats, vulnerabilities, and cryptography. It also covers the historical evolution of computer security, notable security incidents, and the basic security objectives known as the CIA triad: Confidentiality, Integrity, and Availability. Additionally, it discusses the importance of legal frameworks and early efforts in establishing computer security standards.

Uploaded by

shemse

Computer Security (Chapter-1)

computer security (Mettu University)


Chapter One
Introduction to Computer Security

1/15/2024
Compiled by: Naol G. (MSc.)

• Prerequisite: CoSc2032-Data Communications and Computer Networks


• Course Description:
– To familiarize students with the security issues and technologies involved in
modern information systems, including computer systems and networks
and the various ways in which information systems can be attacked and
tradeoffs in protecting networks.

Course objectives:
➢ By the end of this course, students will be able to:
◦ Understand the basic concepts in information security, including security attacks/threats, security vulnerabilities, security policies, security models, and security mechanisms.
◦ Understand the concepts, principles and practices related to elementary cryptography, including plain-text, cipher-text, the four techniques for cryptanalysis, symmetric cryptography, asymmetric cryptography, digital signature, message authentication code, hash functions, and modes of encryption operations.
◦ Understand issues related to program security and the common vulnerabilities in computer programs, including buffer overflow vulnerabilities, time-of-check to time-of-use flaws, and incomplete mediation.

Course objectives:
▪ Cont…
◦ Understand the basic requirements for trusted operating systems, and describe
the independent evaluation, including evaluation criteria and evaluation process.
◦ Describe security requirements for database security, and describe techniques
for ensuring database reliability and integrity, secrecy, inference control, and
multi-level databases.
◦ Describe threats to networks, and explain techniques for ensuring network
security, including encryption, authentication, firewalls, and intrusion detection.
◦ Explain the requirements and techniques for security management, including
security policies, risk analysis, and physical threats and controls.


Course Outline:


NB: "Education is the passport to the future, for tomorrow belongs to those who prepare
for it today."
–Malcolm X

Chapter objectives
➢ Upon completion of this chapter you should be able to:
◦ Understand what computer and network security means.
◦ Figure out the evolution of computer security.
◦ Understand the key terms and critical concepts of computer security.
◦ Understand the differences between, and the types of, vulnerabilities, threats and attacks.
◦ Be able to analyze security policies, services, controls and mechanisms.
◦ Recognize the challenges of computer security.

Overview

“The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.”

Sun Tzu, The Art of War

Overview (definition)
▪ Computer security is the protection of computer systems from attacks by malicious actors that may result in unauthorized information disclosure, theft of, or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide. (Wikipedia)

Overview…
▪ Network security (computer security when there is a connection to networks), on the other hand, deals with the policies, processes and practices adopted to prevent and monitor unauthorized access, misuse, modification, or denial of the computer network and network-accessible resources. (Wikipedia)

Overview…
▪ “The most secure computers are those not connected to the Internet and shielded from any interference”

• However, they are not immune to all security risks.
• The potential security concerns include:
◦ Insider threats,
◦ Physical security breaches, and
◦ The introduction of malware via removable media or other means.

History
▪ Until the 1960s, computer security was limited to physical protection of computers.
▪ The late 1960s and 1970s
◦ Evolutions
✓ Computers became interactive
✓ Multiuser/multiprogramming and networking were invented
➢ Mainframe computers, Unix and Unix-like OSs
➢ ARPANET (Advanced Research Projects Agency Network)
✓ More and more data started to be stored in computer databases
◦ Organizations and individuals started to worry about
➢ What the other persons using computers are doing to their data?
➢ What is happening to their private data stored in large databases?

History…
▪ Computer security was almost non-existent before the 1980s (besides physical protection).
▪ In the 1980s and 1990s
◦ Evolution
✓ Personal computers were popularized
✓ LANs and the Internet invaded the world
✓ Applications started to develop, such as E-commerce (goods & services), E-government (online tax filing, voting) and E-health (remote patient monitoring, data record).
✓ Viruses became major threats
◦ Organizations/individuals started to worry about
✓ Who has access to their computers and data
✓ Whether they can trust a mail, a website, etc.
✓ Whether their privacy is protected in the connected world

History: Famous security problems

• 1950s: Phone Phreaking
◦ The initial intent of hacking did not encompass computer information collection.
◦ Phone phreaking rose to prominence during the 1950s, hence exposing this phenomenon.
◦ John Draper (Capt. Crunch) made a whistle for phreaking.
◦ Steve Jobs and Steve Wozniak developed the BlueBox for making cost-free calls and circumventing long-distance fees.

[Figure: John Draper's Co playing over pub. phone]
[Figure: John Draper's whistle]

History: Famous security problems

• Morris worm – Internet Worm
◦ On November 2, 1988, a worm attacked more than 6k of 60k computers around the USA
◦ Robert Morris became the first person to be charged under the Computer Fraud and Abuse Act of 1986
◦ He was sentenced to three years of probation, 400 hours of community service and a fine of some $10,050
◦ He is currently an associate professor at the Massachusetts Institute of Technology

[Figure: Robert T. Morris, 2008]

History: Famous security problems

– NASA shutdown
• In 1990, an Australian computer science student was charged for shutting down NASA’s computer system for 24 hours
– The Melissa Virus 1999
• It targets Microsoft Word and Outlook-based systems.
– ILOVEYOU 2000
• Was a computer worm that infected over 10 million Windows personal computers.
• Spread as email message.

History: Famous security problems

– 2014: Sony Pictures Entertainment suffers multiple attacks
• US intelligence suspected the attack was sponsored by North Korea.
– 2016 (WikiLeaks): a multi-national media organization and associated library.
• Launched a searchable archive for over 30k emails & email attachments sent to and from Hillary Clinton's private email server while she was Secretary of State. https://wikileaks.org/clinton-emails/
– 2017: Ransomware (WannaCry): encrypts user data and demands money to decrypt it.
– 2018: Facebook plagued by privacy concerns
– 2021: > 267 million Facebook accounts sold on the dark web.
– 2021: Hack in a Florida city's water system exposes potential cyber risks of local communities.

History… Early Efforts

▪ 1960s: Marked as the beginning of true computer security
▪ 1970s: Tiger teams
o Government- and industry-sponsored crackers who attempted to break down the defenses of computer systems in order to uncover vulnerabilities so that patches can be developed
▪ 1970s: Research and modeling
o Identifying security requirements
o Formulating security policy models
o Defining guidelines and controls
o Development of secure systems
▪ Standardization
➢ 1978: DES selected as encryption standard by the US
➢ 1985: Orange Book for Security Evaluation (or TCSEC - Trusted Computer System Evaluation Criteria)
o Describes the evaluation criteria used to assess the level of trust that can be placed in a particular computer system

History…
Legal Issues (Worldwide)

▪ In the US, legislation was enacted with regard to computer security and privacy starting from the late 1960s
▪ The European Council adopted a convention on Cyber-crime in 2001
▪ The World Summit for Information Society considered computer security and privacy as a subject of discussion in 2003 and 2005

(In Ethiopia)
▪ The Ethiopian Penal Code of 2005 has articles on data and computer related crimes
▪ Cybercrime Proclamation of 2016 (Computer Crime Proclamation No. 958/2016)

Basic Security Objectives (Pillars) - CIA

[Figure: CIA triad: Confidentiality, Integrity, Availability]

Confidentiality: This term covers two related concepts:
❑ Data confidentiality: Assures that private or confidential information or resources (resource and configuration hiding) are not made available or disclosed to unauthorized individuals
✓ Is compromised by reading and copying
✓ In network communication, it means only sender and intended receiver should “understand” message contents
❑ Privacy: Assures that individuals control what information related to them may be collected and stored and by whom and to whom that information may be disclosed.

Security Objectives…

❖ Integrity: This term covers two related concepts.
✓ Data integrity: Assures that information and programs are changed only in a specified and authorized manner
✓ In network communication, sender and receiver want to ensure that the message is not altered (in transit or afterwards) without detection
✓ System integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
✓ Is compromised by deleting, corrupting, and tampering with.

Security Objectives…

❖ Availability: Assures that systems work promptly and service is not denied to authorized users

Supplements to CIA:
◦ Authentication
▪ How do I know it's really you?
◦ Authorization
▪ Now that you are here, what are you allowed to do?
◦ Accountability
▪ Who did what, and, perhaps, who pays the bill?

Vulnerabilities, Threats & Countermeasures

➢ A vulnerability is a weakness in the design, implementation, or operation of a computer system.
◦ Examples: software bugs, misconfigured security settings, and weak passwords…
➢ A threat is a potential danger that could exploit a vulnerability to breach security and cause harm.
◦ It can come from various sources, including hackers, malware, disgruntled employees, and natural disasters.
◦ Threats can be intentional or unintentional.
➢ Countermeasures are techniques for protecting your system.

Vulnerabilities
▪ Physical vulnerabilities
◦ Break-ins to your server room, device theft, theft of backup media, etc.
✓ Locks, guards, surveillance cams, burglar alarms
▪ Natural vulnerabilities
◦ Vulnerable to natural disasters and to environmental threats, power loss
◦ Natural disasters: fire, flood, earthquakes, lightning
◦ Environmental factors: dust, humidity, and uneven temperature conditions
✓ Air conditioning and heating systems, UPS, backups
▪ Hardware and software vulnerabilities
◦ Failure of protection features can open security holes
◦ "Locked" systems can be opened by introducing extra hardware
◦ Software failures: antivirus, firewall failures

Vulnerabilities…
▪ Media vulnerabilities
◦ Can be stolen, damaged by dust or electromagnetic fields.
✓ Keep backup tapes and removable disks clean and dry
▪ Communication vulnerabilities
◦ Wires can be tapped, physically damaged, subject to EMI
✓ Fiber optics
▪ Human vulnerabilities
◦ The greatest vulnerability of all
◦ Employees, contractors
✓ Choose employees carefully

Threats
▪ Threats fall into three main categories based on the source: natural, unintentional, and intentional.
◦ Natural threats: fires, floods, power failures, and other disasters.
✓ Fire alarms, temperature gauges, and surge protectors
✓ Backing up critical data off-site.
◦ Unintentional threats: deleting a file, changing security passwords
✓ Training, security procedures and policies
◦ Intentional threats: outsiders and insiders
✓ Outsiders may penetrate systems in a variety of ways:
➢ simple break-ins of buildings and computer rooms;
➢ disguised entry as maintenance personnel;
◦ Although most security mechanisms protect best against outside intruders, surveys indicate that most attacks are by insiders.

Threats
▪ Estimates are that as many as 80 percent of system penetrations are by fully authorized users who abuse their access privileges to perform unauthorized functions.
◦ “The enemy is already in, we hired them.”
▪ Insiders are sometimes referred to as living Trojan horses
▪ There are a number of different types of insiders.
◦ A fired or disgruntled employee might be trying to steal or take revenge; an employee might have been blackmailed or persuaded by foreign or corporate enemy agents.
◦ A greedy employee might use her inside knowledge to divert corporate or customer funds for personal benefit.
◦ An insider might be an operator, a systems programmer, or even a casual user who is willing to share a password.

Threats
▪ Don't forget, one of the most dangerous insiders may simply be lazy or untrained.
◦ He doesn't bother changing passwords,
◦ Doesn't learn how to encrypt email messages and other files,
◦ Leaves sensitive printouts in piles on desks and floors, and ignores the paper shredder when disposing of documents.

Security Attacks
▪ A threat that is carried out.
▪ An attack occurs when a threat actor exploits a vulnerability to compromise a system's security.
▪ Attacks can take many forms, including unauthorized access, data theft, malware infection, denial of service, and social engineering.
▪ Classification of security attacks:
◦ Passive attacks and active attacks.
✓ A passive attack attempts to learn or make use of information from the system but does not affect system resources.
✓ An active attack attempts to alter system resources or affect their operation.

Categories of Attacks

Interruption: An attack on availability

Interception: An attack on confidentiality

Modification: An attack on integrity

Fabrication: An attack on authenticity



Security Attacks (Passive attack)…

➢ A passive attack attempts to learn or make use of information from the system but does not affect system resources.
➢ The attacker might indulge in eavesdropping and monitoring the contents of a message.
➢ These attacks are termed passive because
✓ the main goal of the attacker is just to gather the information, but not to make any alterations to the message or harm the system's resources.
➢ A passive attack is difficult to detect as no modification or tampering of data is performed and the user might not be aware of the presence of the attacker.
➢ Passive attacks can be prevented by implementing measures such as encryption.
➢ Two types of passive attacks:
✓ Release of message contents and
✓ Traffic analysis

Security Attacks (Passive attack) …

➢ Release of message contents:
✓ It involves the attacker capturing the (unencrypted) information sent by the user and reading the sensitive information.
✓ Ex.: reading an email or tapping into a phone conversation between the communicating parties.
➢ Traffic analysis:
✓ In this attack, the attacker observes the length and frequency of the messages being exchanged by the communicating parties and thereby uses this information to guess the identity of the parties, their location and the nature of the communication that was taking place.

Security Attacks (Active attack)…

➢ An active attack attempts to alter system resources or affect their operation.
➢ The main objective of such an attack is to interfere with network operations by either modifying the data stream or even introducing a false data stream.
➢ These attacks do involve modification of data and are hence easy to detect.
➢ Though easy to detect compared to passive attacks, they are hard to prevent, with many sophisticated threats (physical, software & network vulnerabilities) present these days.
➢ Active attacks are categorized into:
✓ Masquerade
✓ Message replay
✓ Modification of messages and
✓ Denial of service (DoS).

Security Attacks (Active attack)…

➢ Masquerade:
✓ In this attack, one entity pretends to be a different entity; the attacker's motive is to gain unauthorized privileges.
✓ Masquerading is usually done by using stolen IDs and passwords, or using other forms of attacks.

Security Attacks (Active attack)…

➢ Message Replay:
✓ This attack involves passive capture of a genuine message sent by the sender and its subsequent retransmission to create an authorized effect.
✓ Ex.: capturing the packet with bank login credentials and resending it to gain unauthorized entry to the account.

Security Attacks (Active attack)…

➢ Modification of Messages:
✓ This attack involves making certain alterations to the captured messages, or delaying or reordering the message sequence, to produce an unauthorized effect.
✓ Ex.: change of beneficiary account number for a financial transaction to steal money.
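
How a receiver can detect the message replay and message modification attacks described on these slides, as an added example that is not part of the original course material. It assumes a key shared in advance by sender and receiver; the key, the account numbers and the names `seal` and `Receiver` are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key, assumed to be shared out of band by sender and receiver.
SHARED_KEY = b"constructed-demo-key"


def seal(key, seq, payload):
    """Sender: bind a sequence number and the payload under one HMAC-SHA256 tag."""
    body = json.dumps({"seq": seq, "payload": payload}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Receiver: verify the tag first, then require increasing sequence numbers."""

    def __init__(self, key):
        self.key = key
        self.last_seq = 0   # highest sequence number accepted so far
        self.gaps = []      # sequence numbers skipped (possible loss or delay)

    def accept(self, message):
        body = str(message.get("body", ""))
        tag = str(message.get("tag", ""))
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison; any change to body or tag fails here.
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "rejected: bad tag"
        seq = json.loads(body)["seq"]
        # A replayed genuine message still carries a valid tag, so replay
        # has to be caught by state kept on the receiver.
        if seq <= self.last_seq:
            return "rejected: replayed or reordered"
        self.gaps.extend(range(self.last_seq + 1, seq))
        self.last_seq = seq
        return "accepted"


def demo():
    rx = Receiver(SHARED_KEY)
    # Constructed sample transfers; the account numbers are made up.
    m1 = seal(SHARED_KEY, 1, {"to": "ACC-1001", "amount": 250})
    m2 = seal(SHARED_KEY, 2, {"to": "ACC-1002", "amount": 75})
    m4 = seal(SHARED_KEY, 4, {"to": "ACC-1003", "amount": 10})

    # Modification: beneficiary account changed in transit, tag left as captured.
    tampered = dict(m2, body=m2["body"].replace("ACC-1002", "ACC-9999"))
    # Fabrication: message sealed by someone who does not hold the shared key.
    forged = seal(b"not-the-shared-key", 3, {"to": "ACC-9999", "amount": 900})

    results = [
        rx.accept(m1),        # genuine
        rx.accept(m1),        # replay of a captured genuine message
        rx.accept(tampered),  # modified in transit
        rx.accept(m2),        # genuine original of the tampered message
        rx.accept(forged),    # sealed with the wrong key
        rx.accept(m4),        # genuine, but sequence number 3 never arrived
        rx.accept(m2),        # late replay
    ]
    return results, rx.gaps


if __name__ == "__main__":
    outcomes, gaps = demo()
    for line in outcomes:
        print(line)
    print("missing sequence numbers:", gaps)
```

The tag alone catches modification and fabrication; only the sequence state catches replay, which is why the two checks are kept separate.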


Security Attacks (Active attack)…

➢ Denial of Service (DoS):
✓ This attack prevents or inhibits the normal functioning or management of communication facilities.
✓ These attacks can be targeted or generalized.
✓ Another form of this attack includes disruption of an entire network, either by disabling the network or by overloading it with messages so as to degrade performance.

Security Attacks…
▪ To summarize the two categories of attacks:
◦ In a passive attack, no modification of data occurs and the target does not know about its occurrence unless they have a monitoring and alert system.
◦ In an active attack, system resources and data are altered or otherwise damaged, affecting the system's normal operations.
◦ Passive attacks are tough to detect, but could be prevented. Comparatively, active attacks are easy to detect, but hard to prevent.

Computer Security / Countermeasures

▪ Security controls refer to mitigation techniques to achieve security goals (prevention, detection, recovery)
A. Authentication: For Prevention
✓ Authentication is the binding of an identity to a subject
✓ An entity must provide information to enable the system to confirm its identity. This information comes from one (or a combination) of the following
➢ What the entity knows (such as passwords or secret information)
➢ What the entity has (such as a badge or card)
➢ What the entity is (such as fingerprints or retinal characteristics - Biometrics)
✓ A biometric system performs pattern recognition or comparison
✓ Attributes of a human are measured, and the measured data are compared with stored data

Computer Security / Countermeasures …

✓ Practical systems of biometrics
(a) Fingerprint system for computer authentication
(b) Fingerprint system for authentication of customers, prior to charging a credit card
(c) Lock with fingerprint system
✓ Benefits of biometrics as opposed to passwords
➢ Simple and intuitive usage
➢ Forgery is difficult
➢ No oblivion (not forgettable like passwords), loss, theft
➢ The user must be present for authentication

Computer Security / Countermeasures …

B. Encryption – hiding/masking secret information: For Prevention
• (key + algorithm)
C. Auditing - For Recovery
✓ Auditing is the process of analysing systems to determine what actions took place and who performed them;
✓ Auditing is essential for recovery and accountability
D. Administrative procedures - For Prevention, Recovery and Deterrence
E. Physical Security - For Prevention, Detection
F. Laws - For Deterrence
G. Intrusion Detection/Prevention Systems - For Detection/Prevention
H. Anti-malware - For Prevention
I. Access Control Technologies (Firewalls, Authentication and Authorization Technologies) - For Prevention

Security services
➢ RFC 2828 defines a service as
◦ "A processing or communication service that is provided by a system to give a specific kind of protection to system resources".
◦ Security services implement security policies, and are implemented by security mechanisms.
▪ Authentication Service
✓ The authentication service deals with assuring the identity of the communicating parties, and also that no third party masquerades as a legitimate party for unauthorized reception of messages.
▪ Data Confidentiality Service
✓ It is the protection of transmitted data from passive attacks, and the protection of traffic flow from analysis.

Security services…
▪ Data Integrity Service
◦ It assures that messages are received as sent by an authorized entity, with no duplication, insertion, modification, reordering, replay, or loss.
▪ Access Control Service
✓ It is the ability to limit and control the access to host systems and applications via communications links.
✓ To implement access control, each entity trying to gain access must first be identified, or authenticated, so that access rights can be tailored to the individual.
✓ The prevention of unauthorized use of a resource (i.e., this service controls who can have access to a resource, under what conditions access can occur, and what those accessing the resource are allowed to do).
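
The access control service described above, together with the authentication, authorization and accountability questions from the "Supplements to CIA" slide, as an added example that is not part of the original course material. The class `AccessController`, the user names, passwords, resource name and the `network` condition are all constructed for illustration.

```python
import hashlib
import hmac
import os


def hash_password(password, salt):
    # Salted, iterated hash so the stored value is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccessController:
    def __init__(self):
        self.users = {}      # user -> (salt, password hash)
        self.rules = {}      # (user, resource, action) -> condition(context)
        self.audit_log = []  # (user, resource, action, decision) per request

    def add_user(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, hash_password(password, salt))

    def allow(self, user, resource, action, condition=lambda context: True):
        # Who (user) may do what (action) to which resource, under what condition.
        self.rules[(user, resource, action)] = condition

    def authenticate(self, user, password):
        # Unknown users still go through the hash so both paths do similar work.
        salt, stored = self.users.get(user, (b"\x00" * 16, b""))
        return hmac.compare_digest(hash_password(password, salt), stored)

    def request(self, user, password, resource, action, context):
        condition = self.rules.get((user, resource, action))
        if not self.authenticate(user, password):
            decision = "deny: authentication failed"
        elif condition is None:
            decision = "deny: not authorized"  # default deny: no rule, no access
        elif not condition(context):
            decision = "deny: condition not met"
        else:
            decision = "permit"
        # Accountability: permits and denials are both recorded.
        self.audit_log.append((user, resource, action, decision))
        return decision


def demo():
    ac = AccessController()
    # Constructed users, passwords and rules.
    ac.add_user("registrar", "constructed-pass-1")
    ac.add_user("student", "constructed-pass-2")
    ac.allow("student", "grades.db", "read")
    ac.allow("registrar", "grades.db", "write",
             condition=lambda context: context.get("network") == "campus-lan")

    campus, home = {"network": "campus-lan"}, {"network": "home"}
    decisions = [
        ac.request("student", "constructed-pass-2", "grades.db", "read", home),
        ac.request("student", "constructed-pass-2", "grades.db", "write", campus),
        ac.request("student", "wrong-guess", "grades.db", "read", campus),
        ac.request("registrar", "constructed-pass-1", "grades.db", "write", campus),
        ac.request("registrar", "constructed-pass-1", "grades.db", "write", home),
        ac.request("visitor", "anything", "grades.db", "read", campus),
    ]
    return decisions, ac.audit_log


if __name__ == "__main__":
    outcomes, log = demo()
    for entry in log:
        print(entry)
```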


Security services…
▪ Nonrepudiation Service
◦ This service prevents the sender or receiver of a message from denying having sent or received that message.
✓ Nonrepudiation, Origin: Helps the receiver to prove that the message was sent by the specified sender.
✓ Nonrepudiation, Destination: Helps the sender to prove that the message was delivered to the intended receiver.

Security services…
▪ Availability Service
◦ Both X.800 and RFC 4949 define availability as the property of a system/resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system.
◦ A variety of attacks can result in the loss of (or) reduction in availability.
◦ A common attack that impacts availability is the denial-of-service (DoS) attack, in which the attacker interrupts access to information, systems, devices or other network resources.

Security Policy and Mechanism

➢ A security policy is a statement of what is, and what is not, allowed.
➢ Security mechanism: a security mechanism is a method, tool, or procedure for enforcing a security policy. E.g.
✓ Encipherment
✓ Digital Signature
✓ Access Control
✓ Authentication exchange
✓ Firewall
✓ Hashing/Message digest
➢ Security mechanisms implement functions that help prevent, detect, respond to, and recover from security attacks.

Goals of Security
➢ Given a security policy’s specification of “secure” and “non-secure” actions, security mechanisms can prevent (defend against) the attack, detect the attack, or recover from the attack
▪ Prevention: it means that an attack will fail;
✓ E.g., passwords to prevent unauthorised users or Intrusion Prevention Systems (IPSs)
▪ Detection: is most useful when an attack cannot be prevented, but it can also indicate the effectiveness of preventative measures.
✓ Detection mechanisms accept that an attack will occur;
✓ determine that an attack is underway, or has occurred, and report it.
✓ The attack may be monitored, however, to provide data about its nature, severity, and results.

Goals of Security
▪ Recovery/Reaction: requires resumption of correct operation. Has two forms.
✓ The first is to stop an attack and to assess and repair any damage caused by that attack.
✓ E.g., if the attacker deletes a file, recovery restores the file from backup tapes.
✓ The attacker may return, so recovery involves identification and fixing of the vulnerabilities used by the attacker to enter the system
➢ The three strategies are usually used together
➢ A fourth approach is deterrence: it involves active steps to beat off attacks and to discourage attackers from even trying.

Physical Security
“The most robustly secured computer that is left sitting unattended in an unlocked room is not at all secure!” [Chuck Easttom]

▪ In the early days of computing, physical security was simple because computers were big, standalone, expensive machines
✓ It was almost impossible to move them (not portable)
✓ They were very few, and it was affordable to spend on physical security for them
✓ Management was willing to spend money
✓ Everybody understood and accepted that there were restrictions

Physical Security…
▪ Today
✓ Computers are more and more portable (PC, laptop, smartphone)
✓ There are too many of them to have good physical security for each of them
✓ They are not “too expensive” to justify spending more money on physical security until a major crisis occurs
✓ Users don’t accept restrictions easily
✓ Accessories (e.g., network components) are not considered as important for security until there is a problem.
✓ Access to a single computer may endanger many more computers connected through a network

➢ Physical security is much more difficult to achieve today than some decades ago.

Security Challenges
➢ Security is not simple: the terminology seems to be straightforward, but the mechanisms to meet the requirements are very complex.
➢ Potential attacks on a security mechanism or algorithm have to be considered while designing it, to thwart attacks that exploit an unexpected weakness.
➢ Procedures used to provide particular services are often counter-intuitive.
➢ Security mechanisms involve multiple algorithms and usage of secret information.
➢ Must decide where to deploy security mechanisms in terms of physical placement and logical sense

Security Challenges…
➢ Always a battle of wits between perpetrator and a designer/administrator.
✓ Attackers look for holes and admins try to close them.
➢ System managers tend to perceive little benefit from security investment until a security failure happens.
➢ Security requires regular/constant monitoring, which is difficult in today's short-term and overloaded environment.
➢ Security is often incorporated as an after-thought rather than an integral part of the process
➢ Users and administrators view strong security as an impediment to free usage of a system.

Software security assurance (SSA)

➢ is an approach to designing, building, and implementing software that addresses security needs from the ground up.
➢ is the confidence that software will run as expected and be free of vulnerabilities.
➢ Three standard techniques used to ensure software security include:
✓ Security by design
o These principles establish the context by determining all the elements that comprise an application and its desired functionalities.
✓ Continuous reviews
o This makes software security assurance an ongoing process.
✓ Penetration testing
o Provides an additional guarantee of security by simulating a cyber attack on an application and probing for any potentially exploitable weaknesses.

End of Chapter-1
Questions?
Read More…..
