Chapitre1_Introduction111

The document outlines a computer security course taught by Dr. Brahmi Zaki and Dr. Weslati Rabeb, covering various topics including secure programming, cryptography, and the security of networks and databases. It discusses the importance of understanding security policies, threats, and vulnerabilities, along with examples of attacks such as phishing and data breaches. The course aims to equip students with the knowledge to build secure systems and understand the challenges in computer security.


Admin

• 2 lessons per week
  – Mondays
• 1 lab/tutorial session per week
• Teaching staff
  – Dr. Brahmi Zaki
  – Dr. Weslati Rabeb
Should I take this course?
• Computer Security
  – Broad survey course
  – Touches on a wide range of security topics and on how to evaluate the level of security of a computer system
• Secure programming, networks, databases, etc.
  – Focuses on how to implement secure code
• Introduction to Cryptography and formal study of the notion of security
• Internet of Things, Security and the Cloud
  – Paradigms employed in IoT, security and privacy
The security problem
• Security policy: e.g. confidentiality, integrity, availability, authenticity, anonymity, ...
• Attacker: e.g. personal motivation, financial motivation (pharmaceutical, credit card theft), political motivation (governments, activists), ...
Attack example
1. Steal user credentials and inject ads: keylog (a keylogger is spyware or a hardware device that records what the computer user types) banking passwords, web passwords, gaming passwords, etc.
Example: SilentBanker (and many like it), a Man-in-the-Browser (MITB) attack:
  – The user requests the bank's login page
  – The bank sends the login page
  – Malware running inside the browser injects the JavaScript needed to log in
  – When the user submits the login information, it is also sent to the attacker
A similar mechanism is used by the Zeus botnet.
Attack Example
2. A classic data breach:
  a. An employee is sent a phishing email with a link to a realistic-looking internal site.
  b. The employee opens the email, clicks the link, and types in her user name and password.
  c. The malicious site collects the password and shows the user that everything is actually fine, so they are not suspicious.
  d. The malicious actor uses the user name and password to download sensitive files.
Attack Example
• In 2012, LinkedIn suffered a massive data breach; in 2016 the login details of more than 167 million user accounts, including password hashes (unsalted SHA-1, not encrypted passwords), were put up for sale online by a Russian hacker.
• Source: http://thehackernews.com/2016/05/linkedin-account-hack.html
Attack Example
• In 2009, a hacker steals tens of millions of credit card details:
  – Albert Gonzalez, a hacker from Miami, was responsible for one of the biggest fraud cases in US history.
  – Gonzalez was responsible for stealing tens of millions of credit card and debit card numbers from over 250 financial institutions.
Attack Example
Users attacked: statistics
• 300,000 users/month worldwide: a worldwide problem
Source: Kaspersky Security Bulletin 2015
How companies lose data
• insider error
• lost/stolen laptops
• insider attack
• malware/phishing
  – e.g. the University of Calgary paid $20,000 to regain control of its computer systems after they were hacked with ransomware.
  – Hackers cost consumers and companies between $375 and $575 billion annually (2014 estimate).
In this class
• We will try to understand:
  – why computer systems are insecure
  – how to build secure systems

Topics of this class
• Computer Security overview
• Security models
• Cryptography
• Program security
• Operating system, database, software and network security
• Security operations
• Privacy issues
• Legal and ethical issues
• …
References
• Books:
  – William Stallings and Lawrie Brown, Computer Security: Principles and Practice, 3rd Edition
  – G.T. Gangemi, Rick Lehtinen, Computer Security Basics, 2nd Edition, 2011, O'Reilly Media
  – Niels Ferguson, Bruce Schneier, Tadayoshi Kohno, Cryptography Engineering: Design Principles and Practical Applications, 1st Edition
• Web sites:
  – https://crypto.stanford.edu/cs155/syllabus.html
  – https://www.inf.ed.ac.uk/teaching/courses/cs/
Lecture 1: Introduction
Dr. Zaki Brahmi

Outline
The focus of this chapter is on three fundamental questions:
• What assets do we need to protect?
• How are those assets threatened?
• What can we do to counter those threats?

Computer Security Overview
The CIA triad: Confidentiality, Integrity, Availability.
Source: http://www.zenithtechnologies.com/zen-blog/the-cia-triad-and-life-science-manufacturing/
Confidentiality
• Standard definition (FIPS 199): preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.
• Recommended Practice: homework
Integrity
• Standard definition (FIPS 199): guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.
Availability
• Standard definition (FIPS 199): ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.
Computer Security Challenges
The working principle of a botnet:
1. The attacker tries to take control of remote machines, for example with a virus, by exploiting a fault or by using a Trojan.
2. Once infected, the machines complete the installation or take orders from a control center run by the attacker, who thus gains remote control of the contaminated machines (which become zombie machines).
3. A malicious person rents a service from the attacker.
4. The attacker sends the command to the infected machines (or posts a message for them to retrieve, depending on the communication mode used). These then send mass emails.

The challenge is that many botnet owners design systems that are more adaptive and redundant than many corporate and government networks. Controlling this agile attack vector before it can be used as an advanced persistent threat and migrates into smart mobile devices is crucial.
Computer Security Challenges
SQL injection example: the login form field txtUserId receives the value
  105 OR 1=1
and the application builds the query
  SELECT * FROM Users WHERE UserId = 105 OR 1=1
whose WHERE clause is true for every row, so the whole Users table is returned.
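As an added example that is not part of the original slides, the following Python script builds a small in-memory SQLite database (the sample rows and the column names other than UserId are constructed here) and runs the slide's payload `105 OR 1=1` against both a vulnerable string-concatenated query and a hardened version that validates the field and binds it as a parameter.

```python
import sqlite3

# Constructed sample data (not from the original slides): a tiny Users table
# with three accounts, so the effect of the injection is visible.
SAMPLE_USERS = [
    (105, "alice", "alice@example.com"),
    (106, "bob", "bob@example.com"),
    (107, "carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the sample Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (UserId INTEGER PRIMARY KEY, Name TEXT, Email TEXT)"
    )
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, txt_user_id: str) -> list:
    """Vulnerable: the form field is concatenated straight into the SQL text,
    as in the slide's example. Input '105 OR 1=1' turns the WHERE clause into
    'UserId = 105 OR 1=1', which is true for every row."""
    query = "SELECT * FROM Users WHERE UserId = " + txt_user_id
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, txt_user_id: str) -> list:
    """Hardened: check that the field really is an integer, then bind it as a
    parameter so the database driver never interprets it as SQL syntax."""
    try:
        user_id = int(txt_user_id)
    except ValueError:
        raise ValueError(f"rejected non-numeric UserId: {txt_user_id!r}") from None
    return conn.execute(
        "SELECT * FROM Users WHERE UserId = ?", (user_id,)
    ).fetchall()


def demo() -> tuple:
    """Run both lookups and return (rows leaked by the vulnerable query,
    rows returned by the safe query for a benign id, payload rejected?)."""
    conn = make_db()
    payload = "105 OR 1=1"  # the payload shown on the slide
    vulnerable_rows = lookup_user_vulnerable(conn, payload)
    safe_rows = lookup_user_safe(conn, "105")
    try:
        lookup_user_safe(conn, payload)
        rejected = False
    except ValueError:
        rejected = True
    return len(vulnerable_rows), len(safe_rows), rejected


if __name__ == "__main__":
    n_vuln, n_safe, rejected = demo()
    print(f"vulnerable query with '105 OR 1=1' returned {n_vuln} rows (all users leaked)")
    print(f"safe query with '105' returned {n_safe} row(s); payload rejected: {rejected}")
```

The parameterized query alone would already defeat the payload (SQLite would compare the text `'105 OR 1=1'` against the integer column and match nothing); the explicit integer check on top of it rejects malformed input early and gives the application a clear error to log instead of a silently empty result.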
Computer Security Terminology
Security Concepts and Relationships
Vulnerabilities, Threats and Attacks
Scope of Computer Security

Computer and Network Assets
Security Functional Requirements
Security Functional Requirements
• Vulnerability scanning with the Vega web scanner (https://subgraph.com/vega/download/).
  LAB: audit the web site: www.target.com (only scan systems you are authorized to test)
• certification, accreditation, & security assessments
• contingency planning:
  – Contingency planning refers to temporary measures to recover information system services after a disruption. Temporary measures may include relocation of information systems and operations to an alternate site, recovery of information system functions using alternate equipment, or performance of information system functions using manual methods.
Security Implementation
Security Mechanism
Computer Security Strategy
• Specification & policy: what is the security scheme supposed to do?
• Implementation & mechanisms: how does it do it?
• Correctness & assurance: does it really work?
Security Policy
• formal statement of rules and practices that specify
or regulate security services
• factors to consider:
– value of the protected assets
– vulnerabilities of the system
– potential threats and the likelihood of attacks
• trade-offs to consider:
– ease of use versus security
– cost of security versus cost of failure and recovery
