Computer Security and Privacy: COSC 624

This document provides an overview of computer security and privacy. It discusses the fundamentals and evolution of computer security, including early computer networks and the rise of vulnerabilities as personal computers and the internet became more widely used. The document outlines common computer security goals like confidentiality, integrity and availability. It also defines common security threats like network attacks, web attacks, and malware. Finally, it discusses some notable cases that helped shape computer security practices and laws.

Uploaded by

Getaneh Melese

Computer Security and Privacy

COSC 624
Chapter 1
1. Fundamentals of computer security & privacy

• Overview,
• Evolution (history),
• Vulnerabilities,
• Countermeasures,
• Physical security
Computer Security
• Computer Security is a branch of computer technology.
• It is information security as applied to computers and networks.
• The objectives: protection of information from
  – Theft,
  – Corruption,
  – Damage from disaster.

Definition
Security: The prevention and protection of computer assets from
unauthorized access, use, alteration, degradation, destruction, and other
threats.

“The term computer system security means the collective processes and
mechanisms by which sensitive and valuable information and services are
protected from publication, tampering [alteration] or collapse by unauthorized
activities or untrustworthy individuals and unplanned events respectively.”
Privacy
• Privacy: The legal right of groups, individuals and organizations to
be protected against unauthorized intrusion into their personal
life or affairs, by direct physical means or by publication of
information.
• Security or Privacy Threat: Any individual, group, act, or object that
poses a danger to computer security and privacy is known as a threat.
No Tension ??
• No Computer
• No Network
• No Internet
• The most secure arrangement: either no computers at all, or computers
that are not connected to any network or the Internet and are
protected from any intrusion.
Defining- Computer Security
• Computer or Information Technology can be
used for productive or destructive purposes.

• Computer Security refers to techniques
for ensuring that data stored in a computer
cannot be read or compromised by any
individuals without authorization.

• Computer Security: the provisions and
policies adopted to protect information and
property from theft, corruption, or natural
disaster while allowing the information and
property to remain accessible and productive
to its intended users.
Common Computer Security Measures
• Most computer security measures involve data
encryption and passwords.

• Data encryption is the translation of data into a
form that cannot be read without a deciphering
mechanism.

• A password is a secret word or phrase that gives
a user access to a particular program or system.
Goals of Computer Security / Information Security
• To maintain information Confidentiality
• To ensure the Integrity and Reliability of data
resources
• To ensure the Uninterrupted Availability of
data resources and online operations
• To prevent Non-repudiation of information
sent in reference to security and privacy laws
and guidelines
Computer Security Goals
• Confidentiality
• Integrity
• Availability
Categories of attacks
• Interruption: An attack on availability
• Interception: An attack on confidentiality
• Modification: An attack on integrity
• Fabrication: An attack on authenticity
Categories of Attacks/Threats (W. Stallings)
[Figure: normal flow of information from Source to Destination, compared with the four attack types: Interruption, Interception, Modification, Fabrication]
Some Types of Attacks
• What are some common attacks?
– Network Attacks
• Packet sniffing, man-in-the-middle
– Web attacks
• Phishing, Cross Site Scripting
– OS, applications and software attacks
• Virus, Trojan, Worms, Rootkits, Buffer Overflow

• Not all hackers are evil wrongdoers trying to steal your info
– Ethical Hackers, Consultants, Penetration testers, Researchers

Network Attacks
• Packet Sniffing
– Internet traffic consists of data “packets”, and these can
be “sniffed”
– Leads to other attacks such as password sniffing, cookie
stealing, session hijacking and information stealing
• Man in the Middle
– Insert a router in the path between client and server,
and change the packets as they pass through

Web Attacks
• Phishing
– An evil website pretends to be a trusted website
– Example:
• You type, by mistake, “mibank.com” instead of “mybank.com”
• mibank.com designs the site to look like mybank.com so the user
types in their info as usual
• BAD! Now an evil person has your info!

• Cross Site Scripting
– Writing a complex JavaScript program that steals data left by other
sites that you have visited in the same browsing session

Evolution of Computer Security and Privacy Issues and Ethics
• Computer security, meaning safeguarding
hardware, software and their physical locations,
first took shape in World War 2, when the military
began using mainframes designed to assist in code
breaking.
• 1960s: Larry Roberts, hailed as the internet’s
founder, designed the ARPANET (Advanced
Research Projects Agency Network), which is called
the internet’s predecessor.
• "Worldwide system of interconnected networks
and computers": the Internet, as described by Larry Roberts
Evolution of Computer Security and Privacy Issues and Ethics
• In the mid-1960s
• Donn B. Parker, at the time with SRI International in
Menlo Park, CA, began examining unethical and illegal
uses of computers and documenting examples of
computer crime and other unethical computerized
activities.
• He published "Rules of Ethics in Information
Processing" in Communications of the ACM in 1968,
and headed the development of the first Code of
Professional Conduct for the Association for Computing
Machinery, which was adopted by the ACM in 1973.
Evolution Contd…
• 1960s
  – Computer security issues limited to physical protection of
    computers. No networking.
• 1960s - 70s
  – New paradigms of multiuser and multiprogramming were
    introduced
  – Data storage concepts such as the database and RDBMS
    were introduced
• New concerns arise
  – The issue of computer security first arose in the 1970s as
    individuals began to break into telephone systems.
  – People and companies started focusing on database processing
  – What is being done to their privately stored data in large
    databases
Evolution Contd…
• 1980s & 90s
  – Local Area Networks were introduced
  – The Internet entered the world
  – PCs were popularized
  – Net-based business models like E-commerce, E-government and
    E-health services started to develop new computerized systems
  – Malware such as viruses became a major threat
• New concerns
  – People and companies started thinking about the security of their
    computers and stored data
  – The trustworthiness of emails and websites came under suspicion
  – They were worried about their information privacy in a networked
    environment / world
Salient Security Cases
• The Federal Bureau of Investigation (FBI) made one of its first arrests related
  to computer hacking in the early 1980s.
  – A group of hackers known as the 414s, named after their area code in
    Milwaukee, Wisconsin, were indicted for attacking 60 different computer
    systems including the Los Alamos National Laboratory and the Memorial
    Sloan-Kettering Cancer Center.
• Internet Worm (Morris worm)
  – On November 2, 1988, a worm attacked more than 60,000 computers around the USA.
  – The worm attacks computers and, once it has installed itself, multiplies itself,
    freezing the computer.
  – It exploited UNIX security holes in Sendmail.
  – A nationwide effort solved the problem within 12 hours.
  – Robert Morris [a professor at MIT] became the first person to be indicted
    under the Computer Fraud and Abuse Act.
  – He was sentenced to three years of probation, 400 hours of community service and a fine of
    $10,050.
Salient Security Cases Contd…
• Salient security harms …
• NASA shutdown
  – In 1990, an Australian computer science student was charged with
    shutting down NASA’s computer system for 24 hours.
• Digital Equipment Corp. and MCI Communications Corp. attack
  – A 25-year-old hacker named Kevin Mitnick began tapping into the
    e-mail system used by computer security managers. As a result, Mitnick
    was arrested and sentenced to one year in jail.
• Airline computers
  – In 1998, a major travel agency discovered that someone had penetrated
    its ticketing system and printed airline tickets illegally.
• Bank theft
  – In 1984, a bank manager was able to steal $25 million through
    unaudited computer transactions.
Salient Security Cases Contd…
• During 1995, computers at the U.S. Department of Defense were attacked
  roughly 250,000 times.
• In 1998, the U.S. Department of Justice created the National Infrastructure
  Protection Center, charging it with the task of safeguarding domestic
  technology, telecommunications, and transportation systems from
  unethical hackers.
• A 16-year-old Canadian boy operating under the name Mafiaboy was
  arrested, and authorities discovered he also had broken into the computer
  networks at Harvard and Yale Universities.
• While on parole, Mafiaboy was prohibited from using the Internet or
  shopping at stores that sold computers; only when supervised by a teacher
  at school could he use a computer.
Salient Security Cases Contd…
• Cyber crime and Ethiopia
  – Employees of a company managed to change their salaries by
    fraudulently modifying the company’s database.
  – In the 1990s: Internet password theft
    • Hundreds of dial-up passwords were stolen and sold to
      other users.
    • Many of the owners lost tens of thousands of Birr each.
• In Africa: Cote d’Ivoire
  – An employee who had been fired by his company deleted all the
    data in his company’s computer.
Salient Security Cases Contd…
Early Efforts
• 1960s: Marked as the beginning of true computer security
• 1970s: Research and modeling
  – Identifying security requirements
  – Formulating security policy models
  – Defining recommended guidelines and controls
  – Development of secure systems
• European Council adopted a convention on Cyber-crime
in 2001.
• The World Summit for Information Society considered
computer security and privacy as a subject of discussion in
2003 and 2005.
• The Ethiopian Penal Code [EPC] of 2005 has articles on
data and computer related crimes.
Computer Security Components
• Vulnerability is a point where a system is
susceptible to attack.
• A threat is a possible danger to the system. The
danger might be a person (a system cracker or a
spy), a thing (a faulty piece of equipment), or an
event (a fire or a flood) that might exploit a
vulnerability of the system.
• Countermeasures are techniques for protecting
your system
Vulnerability in Computing
• In computer security, vulnerability is a
weakness which allows an attacker to reduce a
system's information assurance.
Vulnerability is the intersection of three
elements:
• A system susceptibility or flaw itself (fault),
• Attacker access to the flaw (fault), and
• Attacker capability to exploit the flaw (fault).
• Eg Body
Contd..
• To exploit vulnerability, an attacker must have
at least one applicable tool or technique that
can connect to a system weakness. In this
frame, vulnerability is also known as the
attack surface.
Defining vulnerability
• “A weakness of an asset or group of assets
that can be exploited by one or more threats.”
• Where an asset is anything that has value
to the organization, its business operations and
their continuity, including information
resources that support the organization's
mission.
(ISO 27005 definition)
Contd..
• “A flaw or weakness in a system's design,
implementation, or operation and management that
could be exploited to violate the system's security
policy”
(IETF RFC 2828 definition of vulnerability)
• “A flaw or weakness in system security procedures, design,
implementation, or internal controls that could be
exercised (accidentally triggered or intentionally
exploited) and result in a security breach or a violation
of the system's security policy.”
(Many NIST publications define vulnerability in the IT context)
Types of Vulnerabilities
• Physical vulnerabilities (Ex. Buildings)
• Natural vulnerabilities (Ex. Earthquake)
• Hardware and Software vulnerabilities (Ex. Failures)
• Media vulnerabilities (Ex. Disks can be stolen)
• Communication vulnerabilities (Ex. Wires can be tapped)
• Human vulnerabilities (Ex. Insiders)
Classification of Vulnerabilities
1. Hardware
• Susceptibility to humidity
• Susceptibility to dust
• Susceptibility to soiling
• Susceptibility to unprotected storage
2. Software
• Insufficient testing
• Lack of audit trail
3. Network
• Unprotected communication lines
• Insecure network architecture
Contd..
4. Personnel
• Inadequate recruiting process
• Inadequate security awareness
5. Site
• Area subject to flood
• Unreliable power source
6. Organizational
• Lack of regular audits
• Lack of continuity plans
• Lack of security
Causes of Vulnerabilities
• Complexity: Large, complex systems increase the probability of
flaws and unintended access points
• Familiarity: Using common, well-known code, software,
operating systems, and/or hardware increases the probability an
attacker has or can find the knowledge and tools to exploit the
flaw
• Connectivity: More physical connections, privileges, ports,
protocols, and services and time each of those are accessible
increase vulnerability
• Password management flaws: The computer user uses weak
passwords that could be discovered by brute force. The
computer user stores the password on the computer where a
program can access it. Users re-use passwords between many
programs and websites.
Contd…
• Internet Website Browsing: Some internet websites may contain
harmful Spyware or Adware that can be installed automatically on
the computer systems. After visiting those websites, the computer
systems become infected and personal information will be collected
and passed on to third party individuals.
• Software bugs: The programmer leaves an exploitable bug in a
software program. The software bug may allow an attacker to misuse
an application.
• Not learning from past mistakes: for example most vulnerabilities
discovered in IPv4 protocol software were discovered in the new
IPv6 implementations
• The research has shown that the most vulnerable point in most
information systems is the human user, operator, designer, or other
human: so humans should be considered in their different roles as
asset, threat, information resources. Social engineering is an
increasing security concern.
Contd…
• A threat is a potential or actual adverse event that may
be malicious or incidental, and that can compromise the
assets of an enterprise or the integrity of a computer or
network.

• Countermeasures can take the form of software,
hardware and modes of behavior. Software
countermeasures include:
• personal firewalls
• anti-virus software
• pop-up blockers
• spyware detection/removal programs
Contd…
• The most common hardware countermeasure is a router that can prevent the 
IP address of an individual computer from being directly visible on the Internet.
Other hardware countermeasures include:
• Biometric authentication systems
• Physical restriction of access to computers and peripherals
• Intrusion detectors
• Alarms.

• Behavioral countermeasures include:

• Frequent deletion of stored cookies and temporary files from Web browsers
• Regular scanning for viruses and other malware
• Regular installation of updates and patches for operating systems
• Refusing to click on links that appear within e-mail messages
• Refraining from opening e-mail messages and attachments from unknown senders
• Staying away from questionable Web sites
• Regularly backing up data on external media.
Computer security controls
• Authentication (Password, Cards, Biometrics)
  (What we know, have, are!)
• Encryption
• Auditing
• Administrative procedures
• Standards
• Physical Security
• Laws
Physical Security

• There are three simple principles to follow:
1. Keep people away
• Most large corporations maintain very strict
control over who can enter their datacenters.
They use card key or keypad systems, log books
and human security to limit unauthorized access.
• If at all possible, sensitive servers should be kept
behind a locked door, not just a door with a lock,
and access should be limited to a select set of
trustworthy administrators
2. Keep backup away from the datacenter
Contd…
3. Keep them out, and
• you can't keep everyone away from them. The next layer of a good physical
security plan is to limit what can be done with the computers.

• Lock the CPU case. Most desktop and tower cases have locking lugs that you
can use to keep an intruder from opening the case.
• Use a cable-type security lock to keep someone from stealing the whole
computer. This is particularly good advice for laptops or small desktops that can
easily be hidden inside a backpack or coat.
• Configure the BIOS not to boot from the floppy drive. This makes it harder for
an intruder to remove passwords and account data from your system's disks.
• Consider whether it's worth the expense of using a motion-sensor alarm in the
room where the computers are located. (Remember, for home offices, security
systems that cover the office area are generally deductible business expenses!)
Contd…

4. Protect your plumbing.
• Network cabling, hubs and even the external network
interface are extremely vulnerable points in a
network. An attacker who can attach to your network
can steal data in transit or mount attacks against
computers on your network—or on other networks! If
at all possible, keep hubs and switches behind locked
doors or in locked cabinets, run cabling through walls
and ceilings to make it harder to tap, and ensure that
your external data connection points are kept locked.
