
1-Introduction to Information Security

The document provides an overview of information security, emphasizing the importance of protecting data and resources from unauthorized access and threats. It outlines key security concepts, goals, and the types of attackers and threats faced in computer security. Additionally, it discusses the balance between cost and security, the historical context of security developments, and the significance of user privacy and security policies.

Uploaded by

wedateeq

Kingdom of Saudi Arabia

Ministry of Higher Education


Al-Imam Muhammad Ibn Saud Islamic University
College of Computer and Information Sciences

Introduction to information security


T. Wed Assiri

First Semester

2023

Information Security
Information Security:
Information is a commodity: its purchase and sale is central
to the free enterprise system

Protection Mechanisms are like putting a lock on the door
of a merchant's warehouse

The protection of resources (including data and programs)
from accidental or malicious modification, destruction, or
disclosure.

Computer Security
What is computer Security:
Computer security is the effort to create a secure computing platform,
designed so that agents (users or programs) cannot perform actions
that they are not allowed to perform, but can perform the actions that
they are allowed to.

Key Security Concepts

Goals of Computer Security
Basic Goals
Confidentiality: Information only available to authorized parties.
Integrity: Information is precise, accurate, modified only in acceptable
ways, consistent, meaningful, and usable.
Availability: Services provide timely response, fair allocation of
resources, quality of service

These goals are added when people talk about “Information Assurance”:
Non-repudiation: Messages or actions are accompanied by proof
which cannot be denied
Authentication: Establishing the validity of a transmission, message,
or originator (including verifying the identity of a participant)

User Privacy
User Privacy:
Privacy means that users have control over info collected
and made available to others

Examples:
• User may not want others to know programs they run,
who they communicate with, etc.
• User may not want to receive spam
• Anonymity can protect privacy

What About Privacy?
• Confidentiality- ensures that sensitive information is not
disclosed to unauthorized recipients
• Integrity- ensures that the data and programs are modified
or destroyed only in a specified and authorized way
• Availability - ensures that the resources of the system will
be usable whenever they are needed by an authorized user
• Privacy- ensures that only the information that an individual
wishes to disclose is disclosed

CNSS Model
CNSS stands for Committee on National Security Systems (a
group belonging to the National Security Agency [NSA]).

CNSS has developed the National Security Telecommunications
and Information Systems Security (NSTISSI) standards.

CNSS Security Model

CNSS Security Model
• The model identifies a 3 x 3 x 3 cube with 27 cells
• Security applies to each of the 27 cells
• These cells deal with people, hardware, software, data, and
procedures
• A hacker uses a computer (hardware) to attack another
computer (hardware). Procedures describe steps to follow in
preventing an attack.
• An attack could be either direct or indirect
• In a direct attack one computer attacks another. In an
indirect attack one computer causes another computer to
launch an attack.

System Functionality
System Functionality:

• Limiting functionality limits attacks
• Security breaches caused by system functionality can be
caused by
• Software bugs
• Unforeseen interactions between components

Relative Security

• Few useful systems will be absolutely secure

• We view security in a relative sense

• This does not mean that good security design and
implementation is unimportant
• Example: safes

Cost vs Security

• Proper security level depends on value of the items that
system is protecting (other concerns?)
• Trade-off between cost and security
• Select security level appropriate for user needs

Cost vs Security (continued)
• Example: user authentication
• System A - authenticates the user by retinal scan
• System B - authenticates users once with password

• System A is probably more secure than system B, but
more costly and inconvenient

• Is added security and expense called for?
• Maybe for NSA
• Not for an individual

Some History
• 1967: People starting to publish papers on computer security
• 1970: Influential (in some circles!) RAND report: “Security Controls for
Computer Systems” – Originally classified – declassified in 1979
• 1964—1974?: MULTICS system development
• Mid-70’s: Many influential papers published in open literature
• Mid-70’s: Cryptography takes off in public research
• 1985: Department of Defense publishes “Trusted Computer System
Evaluation Criteria” (Orange Book)
• 1994: Publication of “Common Criteria for Information Technology
Security Evaluations”
• 2003: Publication of “The National Strategy to Secure Cyberspace”

Some History – The Other Side
• 1970’s: Age of phone phreaking
• 1980’s: BBSes, Legion of Doom, and Chaos Computer Club
• 1983: War Games movie comes out
• 1984: 2600 (The Hacker Quarterly) publication starts
• 1986: First PC virus in the wild (the “Brain virus”)
• 1988: The “Morris worm”
– Automated spreading across the Internet
– Exploited several bugs, including the first highly-visible “buffer overflow” exploit (of fingerd)
– Around 6000 computers affected – 10% of the Internet at the time!
– Morris convicted in 1990
• Early 1990’s: Kevin Mitnick (“Condor”) years
– Arrested several times
– Went “underground” in 1992 and achieved cult status
– Caught in Raleigh, NC in 1995
– Well-known for “social engineering” skill

Some History – The Other Side (cont’d)
• 1993: Kevin Poulsen hacks phones so he wins radio station
contests
• 1999 – present: Widespread worms/viruses
– 1999: Melissa (Word macro virus/worm)
– 2000: Love Letter (VBScript – did damage!)
– 2001: Nimda (hit financial industry very hard)
– 2001: Code Red (designed to DoS the White House, but hard-coded IP address so
defeated!)
– 2003: “Slammer” (spread astoundingly fast!)

• 1999: DDoS networks appear
– 2000: Big attacks on Yahoo, eBay, CNN, …
– Today: “Bot-nets” with 10’s of thousands of bots

How bad it is
• September 2001 - Nimda worm spread nationwide in
less than an hour and attacked 86,000 computers

• January 2003 – Sapphire/Slammer SQL worm was able
to spread nationwide in less than 10 minutes, doubling in
size every 8.5 seconds. At its peak (3 minutes after its
release) it scanned over 55 million IP addresses per
second, infecting 75,000 victims

Benefits of Information Security
•Computers are everywhere
•Internet has become a mission-critical infrastructure for
business, government, and financial institutions
•Today’s networks are very heterogeneous, highly critical
applications run side by side with noncritical systems
•Cyber attacks against non-critical services may produce
unforeseen side-effects of devastating proportions
• Home Users Increase Vulnerabilities
• Today most homes are connected, particularly with the
advent of DSL and cable modems

Benefits of Information Security
• Most home users:
– are unaware of vulnerabilities
– don’t use firewalls – think they have nothing to hide or don’t care if
others get their data
– don’t realize their systems can serve as jump off points for other
attacks (zombies)

• Computer security is reactive
– usually reacting to latest attack
– offense is easier than defense
• Security is expensive both in dollars and in time
• There is not now, and never will be, a system with perfect security

Securities Technology Used

Attacker types
• Script kiddies download malicious software from hacker
web sites
• Hackers trying to prove to their peers that they can
compromise a specific system
• Insiders are legitimate system users who access data that
they have no rights to access
• Organizational level attackers use the full resources of the
organization to attack

Attacks and Attackers
• An attack is when a vulnerability is exploited to realize a threat

• An attacker is a person who exploits a vulnerability; attackers
must have Means, Opportunity, and Motive (MOM)

– Means: Often just an Internet connection!
– Opportunity: Presence of vulnerabilities
– Motive may be complex, or not what you think!

Attackers – Motives
• Intellectual challenge
– Some people see it as a game
• Espionage (government or corporate)
• Financial reward
– Credit card numbers sold, spam-nets rented, fraud, ...
• Revenge
• Showing off
– DDoS attacks on CNN, eBay, Yahoo, etc.
• Civil disobedience
– Basic vandalism
– “Hacktivism”

Attackers – Types
• Amateurs
– Could be ordinary users (insiders) exploiting a weakness –
Sometimes accidental discoveries
• Crackers
– People looking specifically to attack
– Motive is often challenge, not malice
– Skill level ranges from very low (script kiddie) to high
• Career criminals
– Organized crime beginning to get involved
– Terrorists? (Cyber-terrorism)
• Government/military information warfare

Computer Security Threats
• Browsing: Searching through main and secondary memory for
residue information
• Leakage: Transmission of data to an unauthorized user from a
process that is allowed to access the data
• Inference: Deducing confidential data about an individual by
correlating unrelated statistics about groups of individuals
• Tampering: Making unauthorized changes to the value of information
• Accidental destruction: Unintentional modification of information
• Masquerading: Gaining access to the system under another user's
account
• Denial of services: Prevention of authorized access to computer
resources or the delaying of time-critical operations

Threat
• Threat is a potential violation of security

• Attacks are those actions which could cause a threat to
occur

• Attackers are those who execute an attack

Most common Threats
• Password Guessing
-More of a problem with the availability of personal computers and
fast connections
-Exhaustive search for passwords
-Lists of commonly used passwords
-Distributed default passwords

•Spoofing
-Duping a user into believing that he is talking to the system and
revealing information (e.g., password)

Most common Threats
• Browsing
-After an intruder has gained access to a system he may peruse any files that are
available for reading and glean useful information for further penetrations
-Often done by legitimate users

• Trojan Horse
-A program that does more than it is supposed to do
-More sophisticated threat
-A text editor that sets all of your files to be publicly readable in addition to performing
editing functions
-Every unverified program is suspect

Most common Threats
• Trap Door
-A system modification installed by a penetrator that opens the system on
command
-May be introduced by a system developer
-Bogus system engineering change notice

• Virus
-A program that can infect other programs by modifying them to include a
possibly evolved copy of itself

Vulnerability
• Vulnerability is a flaw in a system that allows a policy to
be violated

• Exploit is the act of exercising a vulnerability. Also used to
refer to an actual program, binary or script that automates
an attack

• Exposure is an information leak that may assist an
attacker

Security Policy
• A security policy is a statement of what is and what is not
allowed

• May be informal (English statements) or formal
(mathematical logic statements)

Access Control
• A means of limiting a user's access to only those entities that the policy
determines should be accessed
• Subjects - Active entities in the system (e.g. , users, processes,
programs)
• Objects - Resources or passive entities in the system (e.g. , files,
programs, devices)
• Access Modes - Read, write, execute, append, update
• Access Control Mechanisms - Determine for each subject what access
modes it has for each object
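
The access control mechanism described above, sketched as an access matrix in Python. This is an added example, not part of the original slides; the subject and object names are constructed, and the row and column views (capability list and access control list) go slightly beyond what the slide states.

```python
from enum import Flag, auto

class Mode(Flag):                      # access modes listed on the slide
    NONE = 0
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()
    APPEND = auto()
    UPDATE = auto()

class AccessMatrix:
    """(subject, object) -> granted modes. A missing cell means no access."""

    def __init__(self):
        self._cells = {}

    def grant(self, subject, obj, modes):
        key = (subject, obj)
        self._cells[key] = self._cells.get(key, Mode.NONE) | modes

    def revoke(self, subject, obj, modes):
        key = (subject, obj)
        remaining = self._cells.get(key, Mode.NONE) & ~modes
        if remaining:
            self._cells[key] = remaining
        else:
            self._cells.pop(key, None)  # drop empty cells entirely

    def is_allowed(self, subject, obj, requested):
        # Default deny: every requested mode must be explicitly granted.
        held = self._cells.get((subject, obj), Mode.NONE)
        return requested != Mode.NONE and (held & requested) == requested

    def acl(self, obj):
        """Column view: which subjects hold which modes on one object."""
        return {s: m for (s, o), m in self._cells.items() if o == obj}

    def capabilities(self, subject):
        """Row view: which objects one subject can reach, and how."""
        return {o: m for (s, o), m in self._cells.items() if s == subject}

def build_sample():
    # Constructed subjects and objects, for illustration only.
    m = AccessMatrix()
    m.grant("alice", "payroll.db", Mode.READ | Mode.UPDATE)
    m.grant("backup_proc", "payroll.db", Mode.READ)
    m.grant("alice", "report_tool", Mode.EXECUTE)
    return m
```

A request for several modes at once succeeds only if all of them are held, and a subject with no cell for an object is denied without any explicit "deny" entry.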

Encryption vs Decryption

END
