Chapter 1
Introduction to Computer/IS Security
Outline
• What is Security?
• What is Information Security?
• What is Privacy?
• Security Requirements
• Challenges of Information Security
• Risk Management
Introduction
“The most secure computers are those not
connected to the Internet and shielded from
any interference”
(Introduction to Computers, by Rajmohan Joshi, page 264)
Cont..
• Modern societies are highly dependent on ICT.
▪ Computation is embedded in a rapidly increasing
number and variety of products.
▪ Global computer usage continues to grow rapidly,
especially in developing countries.
▪ With every passing day computers administer and
control more and more aspects of human life.
o Banks
o Medical (Biological Devices)
o Transportation etc.
• Conclusion:
▪ We are more and more dependent on ICT!
o Implies security and privacy are critical issues.
Security
• What is Security?
▪ “the quality or state of being secure or be free from
danger.”
▪ Protection against adversaries: those who would
do harm intentionally, with a certain objective.
• Security is about
▪ Threats (bad things that may happen)
▪ Vulnerabilities (weaknesses in your defenses)
▪ Attacks (ways in which the threats may be actualized)
▪ Mechanisms to tackle attacks
Information Security
▪ Information security is the protection of information and
information systems from unauthorized access, use, disclosure,
disruption, modification, or destruction in order to provide
confidentiality, integrity, and availability.
▪ This is achieved through the development and deployment of
security applications and infrastructures.
▪ It also refers to:
▪ Protecting information no matter where that information is, i.e. in
transit (on the network) or in a storage area.
▪ The detection and remediation of security breaches, as well as
documenting those events.
Information Assurance
▪ Information assurance: measures taken to protect and
defend information and information systems by ensuring their
availability, integrity, authentication, confidentiality, etc.
• incorporate protection, detection and reaction capabilities.
▪ IA includes:
• Physical security: protection of hardware, software, and data against
physical threats.
• Personnel security: measures taken to reduce the likelihood and severity
of accidental and intentional attacks by insiders and known outsiders.
• Operational security: involves the implementation of standard operational
security procedures that define the interaction between systems and users.
• IT security: technical features and functions that collectively contribute to
an IT infrastructure for achieving and sustaining CIA.
Privacy
• Privacy means that your data, such as personal files and e-
mail messages, is not accessible by anyone without your
permission.
• Privacy deals with the measures that you can take to
restrict access to your data.
Why Information Security?
• Protect organizations' and companies' data and assets from
insider and outsider attacks.
• Prevent unauthorized people from accessing our valued
information in order to manipulate or steal it.
• Protect your sensitive data from natural disaster and
accidental risks by using business continuity and disaster
recovery management.
• Regulatory compliance: adherence to laws, regulations,
guidelines and specifications relevant to its business
processes.
• Thwart identity theft etc.
Challenges of Information Security
• In developing a particular security mechanism or algorithm,
one must always consider potential security threats and attacks
on different security features.
• Having designed various security mechanisms, it is necessary to
decide where to use them.
• Security mechanisms typically involve more than a particular
algorithm or protocol.
• Security requires regular, even constant, monitoring, and this is
difficult in today’s short-term, overloaded environment.
• Lack of awareness about information security
Aspects of Computer/IS Security
The 3 aspects of computer/information security are:
▪ Security attack: Any action that compromises the security
of information owned by an organization.
▪ Security mechanism: A process (or a device incorporating
such a process) that is designed to detect, prevent, or
recover from a security attack.
o Examples: encryption, digital signature, IDS, access
control, etc.
▪ Security service: A processing or communication service
that enhances the security of the data processing systems
and the information transfers of an organization.
Security Requirements/Services
• Are intended to counter security attacks, and they make
use of one or more security mechanisms to provide the
service.
• The main objective of computer security is preserving
the CIA triad.
Cont..
• Confidentiality
• Integrity
• Availability
• Authentication
• Non-repudiation
• Accountability etc.
Confidentiality
• Protect against unauthorized disclosure of information.
• the assurance that information is not disclosed
to unauthorized persons, processes or devices
• This can cover two aspects:
▪ protecting information stored in files
▪ protecting information while in transmission
• Example:
▪ An employee should not come to know the
salary of his manager
▪ The target coordinates of a missile should not
be improperly disclosed.
Integrity
• Protect against unauthorized modification of information.
• The assurance that data/information cannot be
created, changed, or deleted without proper
authorization.
▪ System Integrity means that there is an external
consistency in the system: everything is as it is
expected to be
▪ Data integrity means that the data stored on a
computer is the same as the source documents
(changed only in a specified and authorized manner.)
• Example: an employee should not be able to modify the
employee's own salary
▪ The target coordinates of a missile should not be
improperly modified
Availability
• Information needs to be available to
authorized parties whenever needed.
• Availability is the prevention of unauthorized
withholding of information.
• Timely, reliable access to data and
information services for authorized users.
• Used to guarantee access to information
• Denial of service attacks are a common form
of attack.
Authentication
• Who are you?
• Proving that a user is the person he/she claims to be.
• Factors of authentication
▪ Something you know (password)
▪ Something you have (Chip)
▪ Something you are: that which proves the person’s
identity (biometric: fingerprint).
▪ Somewhere you are: related to your location
▪ Something you do: identification by observing your
unique physical actions
▪ Or the combination of those techniques (multi-
factor authentication)
Authorization
• What can you do?
• Determines access levels or privileges related
to system resources including files, services,
computer programs, data and application
features.
• Authentication and Authorization go hand in
hand.
Nonrepudiation
• Prevention of either the sender or the receiver
denying a transmitted message. (Proof of
sender’s identity and message delivery)
▪ neither can later deny having processed the
data.
▪ Security is strong when the means of
authentication cannot later be refuted: the
user cannot later deny that he or she
performed the activity.
• Can be guaranteed using a digital signature.
What should we protect?
• One of the major goals of information/computer security as a
discipline and as a profession is to protect valuable assets.
▪ Assets: items of value
• Determining what to protect requires that we first identify
what has value and to whom.
• Assets include:
▪ Hardware
• Computer components
• Networks and communications channels
• Mobile devices
▪ Software
• Operating system
• Off-the-shelf programs and apps
• Customized programs and apps
▪ Data
• Files
• Databases
Asset Valuation
• The perceived value of an asset depends upon the ease
with which the asset can be replaced.
▪ Hardware: easily replaceable
▪ Software: individual applications
▪ Data: unique, difficult to replace
Balancing Security and Access
• Information security is not absolute
▪ It is a process and not a goal
• No security: complete access to assets
▪ Available to anyone, anytime and anywhere
(poses a danger to security)
• Complete security: no access
▪ A completely secure information system would not
allow anyone access
How to protect our Asset?
• To study methods of asset protection we use a
vulnerability-threat-control framework.
▪ Vulnerability
• A weakness in a system
• Can be exploited to cause harm or loss
• A human who exploits the vulnerability
perpetrates an attack on the system (causing
harm or loss)
Cont..
Vulnerabilities are classified according to the asset class they are
related to:
• Hardware
▪ susceptibility to humidity
▪ susceptibility to dust
▪ susceptibility to soiling etc.
• Software
▪ insufficient testing, lack of audit trail
▪ design flaw
• Network
▪ unprotected communication lines
▪ insecure network architecture
• Personnel
▪ inadequate recruiting process
▪ inadequate security awareness
• Physical site
▪ area subject to flood, unreliable power source etc.
• Organizational
▪ lack of regular audits
▪ lack of continuity plans, lack of security etc.
Cont..
▪ Threat
• A set of circumstances that has the potential to
cause harm or loss
• Can be a natural, human or process threat
▪ Control
• An action, device, procedure or technique that
eliminates or reduces a vulnerability
• Also called a countermeasure (Physical,
Administrative and Technical)
Security Management and Risk Analysis
Cont..
• What and Why first?
• How only later?
• What needs to be secured and why (e.g. assets, regulation,
attacks, etc.)?
• What technical solutions to use and how?
Risk
• Risk is the possibility that a particular threat will
adversely impact an information system by exploiting a
particular vulnerability.
▪ The assessment of risk must take into account the
consequences of an exploit.
• Risk analysis is the study of the cost of a particular
system against the benefits of the system.
• Risk management is a process for an organization to
identify and address the risks in their environment.
Risk Management Framework
• There are several risk management frameworks, and
each defines a procedure for an organization to follow
• One particular risk management procedure (from Viega
and McGraw) consists of six steps:
1. Assess assets
2. Assess threats
3. Assess vulnerabilities
4. Assess risks
5. Prioritize countermeasure options
6. Make risk management decisions
Risk Analysis
Cont..
Risk Treatment
• Once the risk has been identified and assessed, managing the
risk can be done through one of four techniques:
• Risk acceptance: risks not avoided or transferred are retained
by the organization.
▪ E.g. sometimes the cost of insurance is greater than the
potential loss.
▪ Sometimes the loss is improbable, though catastrophic.
• Risk avoidance: not performing an activity that would incur
risk. E.g. disallow remote login.
• Risk mitigation: taking actions to reduce the losses due to a
risk; many technical countermeasures fall into this category.
• Risk transfer: shift the risk to someone else. E.g. most
insurance contracts, home security systems.
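Added example (not from the original slides): the six-step procedure and the four treatments above, carried through on a small constructed risk register. All figures, the names Risk, Option, decide and plan, and the formula expected loss = value × likelihood × exposure are assumptions made for illustration; the slides do not prescribe a formula.

```python
from dataclasses import dataclass

@dataclass
class Option:                    # step 5: a countermeasure option
    name: str
    treatment: str               # "mitigation", "avoidance" or "transfer"
    cost: float
    reduction: float             # fraction of the expected loss removed

@dataclass
class Risk:
    asset: str                   # step 1: asset and its value
    value: float
    threat: str                  # step 2: threat and yearly likelihood
    likelihood: float
    vulnerability: str           # step 3: weakness and share of value exposed
    exposure: float
    options: list

    def expected_loss(self):     # step 4 (assumed formula, not from the slides)
        return self.value * self.likelihood * self.exposure

def decide(risk):                # steps 5 and 6
    loss = risk.expected_loss()
    net = lambda o: loss * o.reduction - o.cost
    best = max(risk.options, key=net, default=None)
    if best is None or net(best) <= 0:
        return "acceptance", None    # every option costs more than it saves
    return best.treatment, best.name

REGISTER = [                     # constructed sample data
    Risk("Customer database", 200000, "outsider attack", 0.3,
         "insufficient testing", 0.5,
         [Option("code review and testing", "mitigation", 8000, 0.7),
          Option("insurance", "transfer", 20000, 0.9)]),
    Risk("Remote login service", 100000, "outsider attack", 0.4,
         "unprotected communication lines", 0.5,
         [Option("disallow remote login", "avoidance", 1000, 1.0),
          Option("insurance", "transfer", 15000, 0.8)]),
    Risk("Server room hardware", 50000, "flood", 0.01,
         "area subject to flood", 1.0,
         [Option("insurance", "transfer", 2000, 1.0)]),
]

def plan(register=REGISTER):
    ordered = sorted(register, key=Risk.expected_loss, reverse=True)
    return [(r.asset, *decide(r)) for r in ordered]
```

Calling plan() lists the risks from largest to smallest expected loss with the chosen treatment; the flood risk ends up accepted because its only option, insurance, costs more than the loss it would cover.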