
M1_1

The document outlines the course outcomes and objectives for BCSE317L Information Security, focusing on fundamental security concepts, access control, and data privacy policies. It introduces key terms related to computer security, such as vulnerabilities, threats, and the C-I-A triad (confidentiality, integrity, availability). Additionally, it discusses various types of threats and attackers, emphasizing the importance of protecting valuable assets in computing systems.

Uploaded by

Akshat Saxena
Copyright: © All Rights Reserved

BCSE317L
INFORMATION SECURITY

Course Outcomes
1. Apply fundamental knowledge on key security concepts,
access control and authentication.
2. Comprehend the use of security techniques for securing
the information.
3. Apply various data privacy policies in different areas of
web based security systems.
4. Differentiate the needs and application of security in
Operating System and Firewalls.
5. Analyze various methods of securing databases.

SECURITY IN COMPUTING,
FIFTH EDITION
Charles P. Pfleeger, Shari Lawrence Pfleeger, Jonathan Margulies

Module 1: Information Security Concepts


Information Security – Computer Security – Threats – Harm –
Vulnerabilities – Program Security – Malicious Code – Malwares:
Viruses, Trojan Horses and Worms – Counter Measures

Objectives for Module 1


• Define computer security as well as basic computer
security terms
• Introduce the C-I-A Triad
• Introduce basic access control terminology
• Explain basic threats, vulnerabilities, and attacks
• Show how controls map to threats

Introduction
On 11 February 2013, residents of Great Falls, Montana received the following
warning on their televisions. The transmission displayed a message banner on
the bottom of the screen.

Likely someone was able to access the system that feeds emergency broadcasts
to local radio and television stations. In other words, a hacker probably broke into
a computer system.

Introduction
• We encounter computers daily in countless situations.
✓ move money,
✓ control airplanes,
✓ monitor health,
✓ lock doors,
✓ play music,
✓ heat buildings,
✓ regulate hearts,
✓ tally votes,
✓ regulate traffic.
• Most of the time these computers work just as they should. But
occasionally they do something horribly wrong, because of a
malicious attack.

What is Computer Security?


• Computer security is the protection of the items you value,
called the assets of a computer or computer system.
• There are many types of assets, involving hardware,
software, data, people, processes, or combinations of
these.
• To determine what to protect, we must first identify what
has value and to whom.

Assets

Computer systems—hardware, software, and data—have value and deserve security protection.

Hardware:
• Computer
• Devices (disk drives, memory, printer)
• Network gear

Software:
• Operating system
• Utilities (antivirus)
• Commercial applications (word processing, photo editing)
• Individual applications

Data:
• Documents
• Photos
• Music, videos
• Email
• Class projects

Values of Assets
• After identifying the assets to protect,
we next determine their value.
• For example, when you go for a swim
you can leave a bottle of water and a
towel on the beach, but not your wallet
or cell phone. The difference relates to
the value of the assets.
(Figure: the hardware, software and data asset lists repeated, annotated "Off the shelf; easily replaceable" and "Unique; irreplaceable".)

Values of Assets
• The value of an asset depends on the asset owner’s or user’s perspective,
and it may be independent of monetary cost.

• Your photo of your sister, worth only a few cents in terms of paper and ink,
may have high value to you and no value to your roommate.

• For example, that photo of you and your friends at a party may have cost
you nothing, but it is invaluable because there is no other copy.

• On the other hand, the DVD of your favorite film may have cost a
significant portion of your take-home pay, but you can buy another one if the
DVD is stolen or corrupted.

Assets’ values are personal, time dependent, and often imprecise.



Basic Terms
• Vulnerability
• Threat
• Attack
• Countermeasure or control

Vulnerabilities, Threats, Attacks, Controls


• Vulnerability is a weakness in the security system (i.e., in procedures, design, or implementation) that might be exploited to cause loss or harm.

• For instance, a particular system may be vulnerable to unauthorized data manipulation because the system does not verify a user’s identity before allowing data access.

A vulnerability is a weakness that could be exploited to cause harm.

Vulnerabilities, Threats, Attacks, Controls


• Threat to a computing system is a set of circumstances that has the potential to cause loss or harm.
  • a potential violation of security

• A human (criminal) who exploits a vulnerability perpetrates an attack on the system.

• How do we address these problems?
  • We use a control as a protective measure.
  • That is, a control is an action, device, procedure, or technique that removes or reduces a vulnerability.

Threat and Vulnerability

• The water to the left of the wall is a threat to the man on the right of the
wall: The water could rise, overflowing onto the man, or it could stay
beneath the height of the wall, causing the wall to collapse.
• So the threat of harm is the potential for the man to get wet, get hurt,
or be drowned. For now, the wall is intact, so the threat to the man is
unrealized.
• However, we can see a small crack in the wall—a vulnerability that
threatens the man’s security. If the water rises to or beyond the level of
the crack, it will exploit the vulnerability and harm the man.

Threat and Vulnerability

• How do we address these problems? We use a control or countermeasure as protection. That is, a control is an action, device, procedure, or technique that removes or reduces a vulnerability.
• In the figure, the man is placing his finger in the hole, controlling the
threat of water leaks until he finds a more permanent solution to the
problem.
• In general, we can describe the relationship between threats, controls,
and vulnerabilities in this way: A threat is blocked by control of a
vulnerability.
• Before we can protect assets, we need to know the kinds of harm we
have to protect them against, so now we explore threats to valuable
assets.

C-I-A Triad or Security Triad


• availability: the ability of a system to ensure that an asset can be used
by any authorized parties
• integrity: the ability of a system to ensure that an asset is modified only
by authorized parties
• confidentiality: the ability of a system to ensure that an asset is viewed
only by authorized parties
• Taken together (and rearranged), the properties are called the C-I-A triad
or the security triad.
• ISO 7498-2 [ISO89] adds to them two more properties that are desirable,
particularly in communication networks:
• authentication: the ability of a system to confirm the identity of a sender
• nonrepudiation or accountability: the ability of a system to confirm that
a sender cannot convincingly deny having sent something
• The U.S. Department of Defense [DOD85] adds auditability: the ability
of a system to trace all actions related to a given asset

Nature of harm caused to the assets


• The C-I-A triad can be viewed from a different
perspective: the nature of the harm caused to
assets.
• Harm can also be characterized by four acts:
➢ interception,
➢ interruption,
➢ modification,
➢ fabrication.

Four Acts to cause security harm

(Figure: the four acts that cause security harm: interception, interruption, modification, fabrication.)

Threats
• An interception means that some unauthorized party has gained access to an asset.

• In an interruption, an asset of the system becomes lost, unavailable, or unusable.

• If an unauthorized party not only accesses but tampers with (forges) an asset, the threat is a modification.

• Finally, an unauthorized party might create a fabrication of counterfeit objects on a computing system.

• From this point of view, confidentiality can suffer if someone intercepts data, availability is lost if someone or something interrupts a flow of data or access to a computer, and integrity can fail if someone or something modifies data or fabricates false data.
• Thinking of these four kinds of acts can help you
determine what threats might exist against the computers
you are trying to protect.

Relationship between Confidentiality, Integrity and Availability
• In fact, these three characteristics can be independent,
can overlap, and can even be mutually exclusive.

(Figure labels: Confidentiality, Integrity, Availability, Secure.)

Confidentiality
• Some things obviously need confidentiality protection. For
example, students’ grades, financial transactions, medical
records, and tax returns are sensitive.
• The definition of confidentiality is straightforward: Only
authorized people or systems can access protected
data.
• Ensuring confidentiality can be difficult.
• For example, who determines which people or systems are
authorized to access the current system?
• By “accessing” data, do we mean that an authorized party can
access a single bit? the whole collection? pieces of data out of
context?
• Can someone who is authorized disclose data to other parties?

Confidentiality
• Confidentiality relates most obviously to data, although we can
think of the confidentiality of a piece of hardware (a novel
invention) or a person (the whereabouts of a wanted criminal).
• Here are some properties that could mean a failure of data
confidentiality:
• An unauthorized person accesses a data item.
• An unauthorized process or program accesses a data item.
• A person authorized to access certain data accesses other data not
authorized (which is a specialized version of “an unauthorized person
accesses a data item”).
• An unauthorized person accesses an approximate data value (for
example, not knowing someone’s exact salary but knowing that the
salary falls in a particular range or exceeds a particular amount).
• An unauthorized person learns the existence of a piece of data (for
example, knowing that a company is developing a certain new product
or that talks are underway about the merger of two companies).

Confidentiality (Terms)
• A person, process, or program is (or is not) authorized to
access a data item in a particular way.
• We call the person, process, or program a subject, the
data item an object, the kind of access (such as read,
write, or execute) an access mode, and the authorization
a policy.
• These four terms are the fundamental aspects of
computer security.
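
The four terms can be seen working together in a small default-deny access check. This is an added example, not part of the original slides; the subjects, objects and policy entries are constructed sample data, and `is_authorized` and `audit` are hypothetical helper names.

```python
from enum import Flag, auto


class Mode(Flag):
    """Access modes named on the slide: read, write, execute."""
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()


# Policy: (subject, object) -> access modes granted.
# Constructed sample data; a subject may be a person, process or program.
POLICY = {
    ("alice", "grades.csv"): Mode.READ | Mode.WRITE,
    ("bob", "grades.csv"): Mode.READ,
    ("backup_job", "grades.csv"): Mode.READ,
    ("bob", "report_tool"): Mode.EXECUTE,
}


def is_authorized(subject, obj, mode, policy=POLICY):
    """Default deny: allow only if every requested mode is explicitly granted."""
    granted = policy.get((subject, obj), Mode(0))
    return mode != Mode(0) and (mode & granted) == mode


def audit(requests, policy=POLICY):
    """Return the requests the policy denies (attempted policy violations)."""
    return [r for r in requests if not is_authorized(*r, policy=policy)]


# Constructed requests covering the confidentiality failures listed earlier:
# an unknown subject, and an authorized subject reaching past its grant.
REQUESTS = [
    ("alice", "grades.csv", Mode.WRITE),             # granted
    ("bob", "grades.csv", Mode.READ),                # granted
    ("bob", "grades.csv", Mode.READ | Mode.WRITE),   # exceeds bob's grant
    ("mallory", "grades.csv", Mode.READ),            # subject not in policy
    ("bob", "report_tool", Mode.READ),               # wrong mode for object
]

if __name__ == "__main__":
    for subject, obj, mode in audit(REQUESTS):
        print(f"DENY  subject={subject} object={obj} mode={mode}")
```
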

Access Control

Integrity
• Integrity: the ability of a system to ensure that an asset is modified only by
authorized parties
• For example, if we say that we have preserved the
integrity of an item, we may mean that the item is
• precise
• accurate
• unmodified
• modified only in acceptable ways
• modified only by authorized people
• modified only by authorized processes
• consistent
• meaningful and usable

Integrity
Aspects of integrity
• Welke and Mayfield recognize three particular aspects of
integrity:
➢ authorized actions,
➢ separation and protection of resources,
➢ error detection and correction.

• Integrity can be enforced in much the same way as can confidentiality: by rigorous control of who or what can access which resources in what ways.

Availability
• Availability applies both to data and to services (that is, to
information and to information processing). As with the
notion of confidentiality, different people expect availability
to mean different things.
• For example, an object or service is thought to be
available if the following are true:
• It is present in a usable form.
• It has enough capacity to meet the service’s needs.
• It is making clear progress, and, if in wait mode, it has a bounded
waiting time.
• The service is completed in an acceptable period of time.

Availability
• Criteria to define availability
• There is a timely response to our request.
• Resources are allocated fairly so that some requesters are not
favored over others.
• Concurrency is controlled; that is, simultaneous access, deadlock
management, and exclusive access are supported as required.
• The service or system involved follows a philosophy of fault
tolerance, whereby hardware or software faults lead to graceful
ending of service or to workarounds rather than to crashes and
abrupt loss of information.

• A person or system can do three basic things with a data item: view it, modify it, or use it. Thus, viewing (confidentiality), modifying (integrity), and using (availability) are the basic modes of access that computer security seeks to preserve.
• Computer security seeks to prevent unauthorized
viewing (confidentiality) or modification (integrity) of
data while preserving access (availability).

Types of Threats

Threats
• One way to analyze harm is to consider the cause or source. We call a
potential cause of harm a threat.
• Causes of harm:
→ Nonhuman events
  • natural disasters:
    - fires or floods;
    - loss of electrical power;
    - failure of a component such as a communications cable, processor chip, or disk drive.
→ Human causes
  • benign (nonmalicious):
    - someone’s accidentally spilling a soft drink on a laptop,
    - unintentionally deleting text,
    - inadvertently sending an email message to the wrong person,
    - carelessly typing “12” instead of “21” when entering a phone number,
    - clicking “yes” instead of “no” to overwrite a file.

Threats
• Malicious attacks:
→ Random attack: In a random attack the attacker wants to harm any computer or user. An example of a random attack is malicious code posted on a website that could be visited by anybody.
→ Directed attack: In a directed attack, the attacker intends harm to specific computers, perhaps at one organization (think of attacks against a political organization) or belonging to a specific individual (think of trying to drain a specific person’s bank account, for example, by impersonation).
  • Another class of directed attack is against a particular product, such as any computer running a particular browser.

Advanced Persistent Threat (APT)


→ Lone attacker
→ Gangster or crime squad
• Advanced persistent threat attacks come from organized, well-financed,
patient assailants. Often affiliated with
governments or quasi-governmental groups, these attackers
engage in long-term operations.
• They carefully select their targets, crafting attacks that appeal
to specifically those targets; email messages called spear
phishing are intended to seduce their recipients.
• Typically the attacks are silent, avoiding any obvious impact
that would alert a victim, thereby allowing the attacker to exploit
the victim’s access rights over a long time.
• One popular objective of this attack is economic espionage.

Types of Attackers
(Figure: types of attackers: terrorist, hacker, criminal-for-hire, individual, loosely connected group, organized crime member.)

Types of Attackers
• Attackers’ motivations might range from chance to a specific target.
• No one pattern matches all attackers.
• Individuals
  • Individual attackers usually act with motives of fun, challenge, or revenge. Early attackers acted alone.
• Worldwide loosely connected groups
  • Attacks that involve groups of people.
  • Criminals all over the world work together to break into systems and steal and sell information, such as credit card numbers.
  • Attacks have been heavily influenced by financial gain.
• Organized crime
  • These attackers’ goals include fraud, blackmail, money laundering, and drug trafficking.
  • Evidence is growing that organized crime groups are engaging in computer crime. In fact, traditional criminals are recruiting hackers to join the profitable world of cybercrime.

Types of Attackers: Terrorists


• Terrorists use computers in four ways:
• Computer as target of attack: Denial-of-service attacks
and website defacements are popular activities for any
political organization because they attract attention to the
cause and bring undesired negative attention to the object
of the attack.
• Computer as method of attack: Launching offensive
attacks requires the use of computers. Stuxnet, an
example of malicious computer code called a worm, is
known to attack automated control systems.

Types of Attackers
• Computer as enabler of attack: Websites and email lists
are effective, fast, and inexpensive ways to allow many
people to coordinate.
• For example, the terrorists responsible for the November 2008
attack that killed over 200 people in Mumbai used GPS
systems to guide their boats, and Google Earth to plot
their routes.
• Computer as enhancer of attack: The Internet has
proved to be an invaluable means for terrorists to spread
propaganda and recruit agents.
