CHAPTER 1

INTRODUCTION TO COMPUTER SECURITY

Compiled By: Mr. Navin Manandhar

Masters in Business Administration (MBA)

Master in Computer Science (MCS)
Lecturer for Information Management

1
 Information Security
■ Information security means protecting information and information systems from
unauthorized access, use, modification, or destruction.
■ The terms information security, computer security and information assurance are frequently
used interchangeably which share the common goals of protecting the confidentiality,
integrity and availability of information.

■ Computer Security rests on Confidentiality, Integrity and Availability, commonly known as

CIA or CIA triangle

Compiled by Mr. Navin Manandhar 2

 Confidentiality
■ Confidentiality is the concealment of information or resources.

■ Cryptography can be the better choice for maintaining the privacy of information, which traditionally is used
to protect the secret messages.

■ Similarly, privacy of resources, i.e. resource hiding can be maintained by using proper firewalls.
Confidentiality is sometimes called secrecy or privacy.

■ Example: TrueCrypt

Compiled by Mr. Navin Manandhar 3

 Integrity
■ Integrity ensures the correctness as well as trustworthiness of data or resources.
■ For example it is precise, accurate, unmodified, modified only in acceptable ways, modified only
by authorized people, modified only by authorized processes
■ Integrity mechanisms fall into two classes:
■ prevention mechanisms and detection mechanisms.
■ Prevention mechanisms are responsible to maintain the integrity of data by blocking any
unauthorized attempts to change the data or any attempts to change data in unauthorized ways.
■ While detection mechanisms; rather than preventing the violations of integrity; they simply
analyze the data’s integrity is no longer trustworthy. Such mechanisms may analyze the system
events or the data itself to see if required constraints still hold.

■ Example: Thunderbird

Compiled by Mr. Navin Manandhar 4

 Availability

■ Availability refers to the ability to use the information or resource desired.

■ An unavailable system is as bad as no system at all.
■ An object or service is thought to be available if:
– It is present in a usable form.
– It has capacity enough to meet the service's needs.
– It is making clear progress, and, if in wait mode, it has a bounded waiting time.
– The service is completed in an acceptable period of time.
■ Availability is usually defined in terms of “quality of service”.

■ Example: RAID (Redundant Array of Independent Disk)

Compiled by Mr. Navin Manandhar

5
Relationship between Confidentiality,
Integrity and Availability

Compiled by Mr. Navin Manandhar 6

■ Threats:
– A threat to a computing system is a set of circumstances that has the potential to
cause loss or harm.
– It is a potential violation of security, means that it is a possible danger that might
exploit vulnerability.
■ Attack:
– Attack is an assault on system security that derives from an intelligent threat,
– i.e. attack is an intelligent act that is an intentional attempt to evade security services
and violate the security policy of a system.

Compiled by Mr. Navin Manandhar 7

 Four classes of threats
■ Disclosure- Unauthorized access to information.
– Snooping
■ Deception- Acceptance of false data
– Modification, Spoofing, denial of receipt, Repudiation of origin
■ Disruption- Interruption of correct operation
– Modification
■ Usurpation- Unauthorized control of some part of system
– Modification, Spoofing, denial of service, delay

Compiled by Mr. Navin Manandhar 8

■ Snooping- It is an unauthorized interception of information. It is
passive, means that some entity is listening to communications or
browsing the system information. Passive wiretapping is an
example of snooping where attackers monitors the network
communications.

■ Modification- It is an unauthorized change of information. It is

active, means that some entity is changing the information. Active
wiretapping is an example of modification where data across the
network is altered by the attackers.

■ Spoofing / Masquerading- It is an impersonation of one entity by

another. E.g.: if a user tries to log into a computer across the
internet but instead reaches another computer that claims to be
the desired one, the user has been spoofed.
Compiled by Mr. Navin Manandhar 9
■ Repudiation of origin- A false denial that an entity sent something, is a
form of deception.

■ Denial of receipt- A false denial that an entity received some message

or information, is a form of deception.

■ Delay- It is a temporal forbiddance of service. E.g.: If delivery of a

message or a service requires time t; if an attacker can force the
delivery time to be more than t, then there is delayed delivery.

■ Denial of service- It is an infinite delay i.e., a long term inhibition of

service. E.g., an entity may suppress all messages directed to a
particular destination. Another form of service denial is the disruption
of an entire network, either by disabling the network or by overloading
it with messages so as to degrade the performance.
10
Compiled by Mr. Navin Manandhar
 Issues with Security

■ Operational Issues
– Cost benefit analysis
– Risk analysis

■ Human Issues

Compiled by Mr. Navin Manandhar 11

Goals of Security:

• Prevention
• Detection
• Recovery

Compiled by Mr. Navin Manandhar 12

 Security Policies
■ A security policy is a statement that partitions the states of the system into a set of
authorized, or secure, states and a set of unauthorized, or nonsecure, states.
■ A breach of security occurs when a system enters an unauthorized state.
■ A security mechanism is an entity or procedure that enforces some part of the security
policy.
■ A security policy defines “secure” for a system or a set of systems.
■ Security policies can be informal or highly mathematical in nature

Compiled by Mr. Navin Manandhar 13

 Security Policy
■ Key terms
– Confidentiality policy (information flow)
– Integrity policy. (separation of duties)
– Availability policies (browsers and applets)

Compiled by Mr. Navin Manandhar 14

 Types of Security Policies

■ Military Security Policy

– A military security policy (also called a governmental security policy) is a security policy
developed primarily to provide confidentiality.

■ Commercial Security Policy

– A commercial security policy is a security policy developed primarily to provide
integrity.

Compiled by Mr. Navin Manandhar

15
 What Makes a Good Security Policy?

1. It must be implementable through system administration

procedures, publishing of acceptable use guidelines, or other
appropriate methods.

2. It must be enforceable with security tools, where appropriate,

and with sanctions, where actual prevention is not technically feasible.

3. It must clearly define the areas of responsibility for the users,

administrators, and management.

Compiled by Mr. Navin Manandhar 16

 Types of Access Control

■ Discretionary Access Control(DAC) or Identity Based Access Control(IBAC):

■ Mandatory Access Control (MAC) or Rule Based Access Control:

■ Originator Controlled Access Control (ORCON or ORGCON):

■ Role Based Access Control (RBAC):

Compiled by Mr. Navin Manandhar 17

 Overview of the Bell-LaPadula Model

■ Systems are divided in subjects (users) and labeled objects

■ State machine with a set of allowable system states
■ Preserves security of information even as the system moves from one state to
another (i.e information flow model)
■ * Star property
– No Write Down
■ Simple security property
– No read Up

for CS & CL 18
Biba Integrity Model
• Rules were designed to ensure data integrity
• Rules about integrity levels prevent inappropriate
modification of data and corruption caused by
introducing unreliable informations
– No Write Up
– No Read Down- Subject cannot read objects of lesser
integrity (trust level)

for CS & CL 19