Unit 1

Introduction
Course: System Security
 Contents
• Basic Components of Computer security(CIA)
• Vulnerabilities and threats ,
• Attacks and controls ,
• Goals of security,
• Computer criminals,
• Internet Standards and RFC.

2
 What does “SECURE” mean?
• How do we protect our most valuable assets?

3
 Objectives of this unit
• What kind of vulnerabilities computing systems are prone to
• Why these vulnerabilities are exploited
• Different kinds of attacks that are possible
• Kinds of people who contribute to the security problem
• How to prevent possible attacks on systems

4
 Basic components of Computer
Security
• A computer based system has 3 separate and valuable
components:
– Hardware
– Software
– Data
• Each of these assets offers value to different members.

5
 Basic components of Computer
Security
• Computer Security rests on
– Confidentiality
– Integrity and
– Availability

6
 Components of Security:
Confidentiality
• Only authorized people or systems can access data.
• Concealment of information or resources.
• Keeping information secret arise in the fields of government
and industry…
• Eg: military and civilian institutions in the government often
restrict access to information to unauthorized users.
• Access control mechanisms support confidentiality
– Eg: cryptography
– Passwords
– Two-factor authentication

7
 Components of Security: Integrity
• Trustworthiness of data or resources
• Includes
– Data integrity
• The content of the information
– Origin integrity
• The source of the data ,called authentication
• Includes both correctness and trustworthiness of the data.
• Factors affecting the integrity of data
– The origin of the data
– How well the data was protected before it arrived at
the current machine.
– How well the data is protected on the current machine.
8
 Components of Security: Availability
• Means the assets are accessible to authorized parties at
appropriate times.
• The ability to use the information or resource desired.
• An object/service is said to be available if:
– It is present in usable form
– It has capacity enough to meet the service’s needs
– It is making clear progress and if in wait mode, it has bounded waiting
time
– The service is completed in an acceptable period of time.
• Attempt to block availability, called denial of service attacks,
can be the most difficult to detect.

9
 Security Goals
• Addresses three
security goals
– Confidentiality
– Integrity
– Availability
• Challenges in building a
secure system is finding
the right balance
among the goals, which
often conflict.
10
Vulnerability, Treats, Attacks and Control
Vulnerability is a weakness in the security system that might be
exploited to cause loss or harm
Eg., a system may be vulnerable to unauthorized data manipulation
because the system does not verify user’s identity before allowing
data access.
Threat is a set of circumstances that has potential to cause loss or
harm.
• It can be human-initiated and computer-initiated ones, natural
disasters
A human/system who exploits a vulnerability perpetrates an attack on
the system.
• To address these problems, we use a control as protective measure.
Control is an action/procedure that reduces or removes a vulnerability
A threat is blocked by control of a vulnerability.
11
Difference between threat and
vulnerability

12
 TYPES OF THREATS
• They are of 4 kinds:
– Interception :- unauthorized party has gained access to an
asset. Ex: illicit copying of program or data files or
wiretapping to obtain data in a network.
– Interruption :- asset of the system becomes lost or
unavailable. Ex: destruction of h/w device, erasure of a
program or data file
– Modification:- unauthorized party not only accesses but
hampers with an asset. Ex: changing the values in a
database, alter a program so that it performs an additional
computation.
– Fabrication :- unauthorized party might create a fabrication
of counterfeit objects. Ex: add records to an existing
database
13
 TYPES OF THREATS

Information Information
Source Destination
Normal

Information Information Information Information

Source Destination Source Destination
Interruption Interception

Information Information Information Information

Source Destination Source Destination
Modification Fabrication 14
 TYPES OF THREATS
• Interruption – attack on availability
• Interception – attack on confidentiality
• Modification – attack on integrity
• Fabrication – attack on authenticity

15
 Vulnerabilities
• It is a weakness in the security system, in procedures, in
design or implementation
– H/W Vulnerabilities:-
• H/W is clearly visible as it is composed of physical
objects.
• H/W can be damaged by drenching water ,burned,
frozen ,gassed etc.
Interruption Interception
(denial of service) (theft)
Hardware
Modification Fabrication
(Substitution)
16
Vulnerabilities contd…
• S/W Vulnerabilities-
– The malicious modification in the S/W can be notified
whereas in most cases it goes undetected.

– The types of S/W attacks are :-

• S/W deletion:-
– An intruder may erase a saved file or save bad file.
– As a precaution S/W configuration management is
used so that S/W cannot be destroyed , replaced
accidently. Each version or release retains its integrity
& is thoroughly tested before release.

17
Vulnerabilities contd…
S/W modification:-
– modification can either fail the program or it will
perform an unintended task.
– Some categories of s/w modification are:
logic bomb, trojan horse, virus, trapdoor, information
leaks.
• Software theft:-
– Unauthorized copying of software

18
 Vulnerabilities
Interruption Interception
(deletion)
Software
Modification Fabrication

Interruption Interception
(loss)
Data
Modification Fabrication

19
Vulnerabilities contd…
• Data Vulnerabilities:
– Data attacks are most dangerous because unlike S/W or
H/W, data can be readily interpreted by general public.
– Data incorrectly measured or changed can turn into major
economic loss or loss of life.
– S/W & H/W have really long life but data is time sensitive
therefore major aim of security is to keep the data secure
until the data value is lost.

20
 Attacks
• An attack is any action that violates security
• Two types: passive and active
• Passive:– eavesdropping on, monitoring of, transmissions.
Goal is to:
– obtain message contents, or
– monitor traffic flows
• Active: modification of the data stream or creation of a false
stream , subdivided into – masquerade, replay, modification of
messages and denial of service.

21
 Controls
• Is an action, procedure or technique that removes or reduces a
vulnerability.
• Types of controls:
– Encryption
– Software controls
– Hardware Controls
– Policies and procedures
– Physical controls

22
 Encryption
• Scrambling process
• Data in normal and unscrambled state is called clear text.
• Transformed data that is unintelligible to outside observer is
called enciphered text or ciphertext.
• Addresses the need for confidentiality of data. it can also be
used to ensure Integrity.

23
 Software controls
• Programs must be secure enough to prevent outside attack.
• Program Controls include
– Internal program controls
• enforces security restrictions such as access limitations in a
database management program
– Operating system and network system controls
• Limitations enforced by OS & N/W to protect each user from
all other users.
– Independent control programs:
• Application programs that protect against certain
vulnerabilities such as password checkers, virus scanners etc.
– Development controls
• Quality standards to prevent s/w faults from becoming
exploitable vulnerabilities.
24
 Hardware controls
• H/W devices created to assist in providing computer security.
• devices such as
– Smart card implementations of encryption
– Locks or cables limiting access or deterring theft
– Devices to verify users identities
– Firewalls
– Intrusion detection systems (IDS)

25
 Policies and Procedures
• Agreed- upon procedures or policies among users.
– Eg: frequent change of passwords..
• Training and administration follow immediately after
establishment of policies to reinforce the importance of
security policy and to ensure their proper use.
• Legal and ethical controls

26
 Physical controls
• Easiest, most effective and least expensive controls
• Using of
– locks on doors,
– guard at entry points,
– Back up copies of important software and data
– Physical site planning that reduces the risk of natural
disasters.

27
 Effectiveness of controls
• There is no use of controls unless they are used
properly.
– Aspects that can enhance the effectiveness of
controls
• Awareness of problem
• Likelihood of use
• Overlapping Controls
• Periodic review

28
 Computer Criminals
– Amateurs
• Normal people, who observe the weakness in a security
system that allows them to access resources
– Crackers or malicious hackers
• Attack for curiosity, personal gain or self satisfaction
– Career Criminals
• Understand the targets of computer crime.
– Terrorists
• Targets of attack: denial-of-service
• Methods of attack

29
 Conclusion
• Security goals
• CIA triad
• Vulnerability, threat, attack and control
• Types of threats
• Types of vulnerabilities
• Types of attacks
• Types of controls
• Types of computer criminals

30