Topic 21 Computer Security - Part I

TINC101

Lecture 21

INTERNATIONAL OPEN UNIVERSITY


INTRODUCTION TO COMPUTING (TINC101)

TOPIC 21: COMPUTER SECURITY (PART I)

21.0 Overview
• Computers and networks are being misused at a growing rate. Spam, phishing, and
computer viruses are becoming multibillion-dollar problems, as is identity theft, which
poses a serious threat to the personal finances and credit ratings of users, and creates
liabilities for corporations. Thus, there is a growing need for broader knowledge of
computer security in society as well as increased expertise among information technology
professionals.

• Society needs more security-educated computer professionals, who can successfully
defend against and prevent computer attacks, as well as security-educated computer
users, who can safely manage their own information and the systems they use. The NIST
Internal/Interagency Report NISTIR 7298 defines the term computer security as follows:

Measures and controls that ensure confidentiality, integrity, and availability
of information system assets including hardware, software, firmware, and
information being processed, stored, and communicated.

• This definition introduces three key objectives that are at the heart of computer security:
Confidentiality, Integrity and Availability. These three concepts form what is often
referred to as the CIA triad.

• A traditional hypertext document is similar to a text file because its text is encoded
character by character using a system such as ASCII or Unicode. The distinction is that a
hypertext document also contains special symbols, called tags, that describe how the
document should appear on a display screen, what multimedia resources (such as images)
should accompany the document, and which items within the document are linked to other
documents. This system of tags is known as Hypertext Markup Language (HTML) – refer
to Lecture 15.


21.1 CIA Triad

Figure 21.1: CIA Triad and Additional Concepts to Computer Security

• The three concepts embody the fundamental security objectives for both data and for
information and computing services.

• Although the use of the CIA triad to define security objectives is well established, some in
the security field feel that additional concepts are needed to present a complete picture.
The two additional concepts are known as authenticity and accountability.

21.1.1 Confidentiality
• In the context of computer security, confidentiality is the avoidance of the unauthorized
disclosure of information. That is, confidentiality involves the protection of data, providing
access for those who are allowed to see it while disallowing others from learning anything
about its content.

• Keeping information secret is often at the heart of information security, and this concept,
in fact, predates computers. For example, in the first recorded use of cryptography, Julius
Caesar communicated commands to his generals using a simple cipher. In his cipher,
Caesar took each letter in his message and substituted D for A, E for B, and so on. This
cipher can be easily broken, making it an inappropriate tool for achieving confidentiality
today. But in its time, the Caesar cipher [1] was probably fairly secure, since most of Caesar’s
enemies couldn’t read Latin anyway.

[1] The Caesar cipher is covered in detail in the Network Security course.
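The Caesar cipher described above, as an added example that is not part of the lecture notes: the substitution (D for A, E for B, and so on) as encrypt and decrypt routines, plus a brute-force search over all 25 possible shifts, which is why the cipher gives no confidentiality today. The small word list used to score candidate plaintexts is an assumption made for the example.

```python
# Added example (not from the lecture notes): the Caesar cipher, and a
# brute-force recovery that tries every shift to show why it is easily broken.
import string

ALPHABET = string.ascii_uppercase


def caesar_encrypt(plaintext: str, shift: int) -> str:
    """Shift each letter forward by `shift` places; non-letters pass through."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, shift: int) -> str:
    """Decryption is the same substitution run backwards."""
    return caesar_encrypt(ciphertext, -shift)


# Constructed word list: with only 25 keys, a few known words are enough to
# pick the right shift automatically.
COMMON_WORDS = {"ATTACK", "AT", "DAWN", "RETREAT", "THE", "AND", "LEGION", "MARCH"}


def brute_force(ciphertext: str) -> tuple:
    """Try shifts 1..25 and return (shift, plaintext) with the most word hits."""
    best = (0, ciphertext, -1)
    for shift in range(1, 26):
        candidate = caesar_decrypt(ciphertext, shift)
        hits = sum(1 for w in candidate.split() if w.strip(".,") in COMMON_WORDS)
        if hits > best[2]:
            best = (shift, candidate, hits)
    return best[0], best[1]


if __name__ == "__main__":
    message = "ATTACK AT DAWN"
    secret = caesar_encrypt(message, 3)   # Caesar's own shift: A->D, B->E, ...
    print(secret)                         # DWWDFN DW GDZQ
    print(brute_force(secret))            # (3, 'ATTACK AT DAWN')
```

The key space is the whole weakness: a modern cipher is secure because the key cannot be enumerated, not because the algorithm is hidden.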


• Nowadays, achieving confidentiality is more of a challenge. Computers are everywhere,
and each one is capable of performing operations that could compromise confidentiality.
With all of these threats to the confidentiality of information, computer security researchers
and system designers have come up with a number of tools for protecting sensitive
information.

• These tools incorporate the following concepts:

o Encryption: the transformation of information using a secret, called an encryption
key, so that the transformed information can only be read using another secret,
called the decryption key (which may, in some cases, be the same as the
encryption key). To be secure, an encryption scheme should make it extremely
difficult for someone to determine the original information without use of the
decryption key.
o Access control: rules and policies that limit access to confidential information to
those people and/or systems with a “need to know.” This need to know may be
determined by identity, such as a person’s name or a computer’s serial number,
or by a role that a person has, such as being a manager or a computer security
specialist.
o Authentication: the determination of the identity or role that someone has. This
determination can be done in a number of different ways, but it is usually based
on a combination of something the person has (like a smart card or a radio key
fob storing secret keys), something the person knows (like a password), and
something the person is (like a human with a fingerprint).
o Authorization: the determination if a person or system is allowed access to
resources, based on an access control policy. Such authorizations should prevent
an attacker from tricking the system into letting him have access to protected
resources.
o Physical security: the establishment of physical barriers to limit access to
protected computational resources. Such barriers include locks on cabinets and
doors, the placement of computers in windowless rooms, the use of sound
dampening materials, and even the construction of buildings or rooms with walls
incorporating copper meshes (called Faraday cages) so that electromagnetic
signals cannot enter or exit the enclosure.
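The access-control and authorization concepts above, as an added example that is not part of the lecture notes: a small policy engine in which the "need to know" is expressed either by identity (a named user) or by role (manager, security specialist), and anything the policy does not grant is denied. The users, roles and resources are constructed for illustration.

```python
# Added example (not from the lecture notes): need-to-know access control
# with a deny-by-default authorization decision and an audit trail of refusals.
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset          # roles the person holds, e.g. "manager"


# Access-control policy: for each resource and action, the identities
# ("user:<name>") or roles ("role:<role>") with a need to know.
# "role:*" means any authenticated principal holding at least one role.
POLICY = {
    "payroll.xlsx": {
        "read": {"role:manager", "role:security_specialist", "user:alice"},
        "write": {"role:manager"},
    },
    "public_notice.txt": {
        "read": {"role:*"},
    },
}


def authorize(principal: Principal, action: str, resource: str) -> bool:
    """Authorization decision. Anything the policy does not grant is denied,
    so an unknown resource or action can never be used to slip past the check."""
    allowed = POLICY.get(resource, {}).get(action, set())
    if "role:*" in allowed and principal.roles:
        return True
    if f"user:{principal.name}" in allowed:
        return True
    return any(f"role:{role}" in allowed for role in principal.roles)


DENIED_LOG: list = []   # audit trail; repeated refusals are worth a defender's review


def request(principal: Principal, action: str, resource: str) -> bool:
    """Enforce the decision and record every refusal."""
    ok = authorize(principal, action, resource)
    if not ok:
        DENIED_LOG.append((principal.name, action, resource))
    return ok


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"staff"}))
    bob = Principal("bob", frozenset({"manager"}))
    for who, action, res in [(alice, "read", "payroll.xlsx"),
                             (alice, "write", "payroll.xlsx"),
                             (bob, "write", "payroll.xlsx")]:
        verdict = "allowed" if request(who, action, res) else "denied"
        print(f"{who.name} {action} {res}: {verdict}")
    print("refusals:", DENIED_LOG)
```

Authentication (establishing who the principal is) happens before this code runs; the policy only answers what an already-identified principal may do.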


21.1.2 Integrity
• Another important aspect of information security is integrity, which is the property that
information has not been altered in an unauthorized way.

Figure 21.2: The Telephone Game

• The importance of integrity is often demonstrated to school children in the Telephone
game (see Figure 21.2). In this game, a group of children sit in a circle and the person
who is “it” whispers a message in the ear of his or her neighbour on the right. Each child
in the circle then waits to listen to the message from his or her neighbour on the left. Once
a child has received the message, he or she then whispers this same message to their
neighbour on the right. This message passing process continues until the message goes
full circle and returns to the person who is “it.” At that point, the last person to hear the
message says the message out loud so that everyone can hear it. Typically, the message
has been so mangled by this point that it is a great joke to all the children, and the game
is repeated with a new person being “it.” And, with each repeat play, the game reinforces
that this whispering process rarely ever preserves data integrity. Indeed, could this be one
of the reasons we often refer to rumours as being “whispered”?

• There are a number of ways that data integrity can be compromised in computer systems
and networks, and these compromises can be benign or malicious.

o For example, a benign compromise might come from a storage device being hit
with a stray cosmic ray that flips a bit in an important file, or a disk drive might
simply crash, completely destroying some of its files.
o A malicious compromise might come from a computer virus that infects our system
and deliberately changes some of the files of our operating system, so that our
computer then works to replicate the virus and send it to other computers. Thus,
it is important that computer systems provide tools to support data integrity.


• The previously mentioned tools for protecting the confidentiality of information, denying
access to data to users without appropriate access rights, also help prevent data from
being modified in the first place.

• In addition, there are several tools specifically designed to support integrity, including the
following:
o Backups: the periodic archiving of data. This archiving is done so that data files
can be restored should they ever be altered in an unauthorized or unintended way.
o Checksums: the computation of a function that maps the contents of a file to a
numerical value. A checksum function depends on the entire contents of a file and
is designed in a way that even a small change to the input file (such as flipping a
single bit) is highly likely to result in a different output value. Checksums are like
trip-wires—they are used to detect when a breach to data integrity has occurred.
o Data correcting codes: methods for storing data in such a way that small
changes can be easily detected and automatically corrected. These codes are
typically applied to small units of storage (e.g., at the byte level or memory word
level), but there are also data-correcting codes that can be applied to entire files
as well.
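The checksum and data-correcting-code tools above, as an added example that is not part of the lecture notes: a SHA-256 checksum acts as the trip-wire that detects a single flipped bit, and a Hamming(7,4) code goes one step further by locating and repairing that bit. The sample file content is constructed.

```python
# Added example (not from the lecture notes): a checksum that detects a single
# bit flip, and a Hamming(7,4) code that detects and corrects one.
import hashlib


def checksum(data: bytes) -> str:
    """Map the whole content to a fixed-size digest; any change alters it."""
    return hashlib.sha256(data).hexdigest()


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate the 'stray cosmic ray': flip exactly one bit of the input."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def integrity_ok(recorded_digest: str, stored: bytes) -> bool:
    """Trip-wire: does the stored copy still match the digest recorded earlier?"""
    return checksum(stored) == recorded_digest


# Hamming(7,4) layout, positions 1..7:  p1 p2 d1 p3 d2 d3 d4
def hamming_encode(data_bits: list) -> list:
    d1, d2, d3, d4 = data_bits
    p1 = d1 ^ d2 ^ d4          # parity over positions 1,3,5,7
    p2 = d1 ^ d3 ^ d4          # parity over positions 2,3,6,7
    p3 = d2 ^ d3 ^ d4          # parity over positions 4,5,6,7
    return [p1, p2, d1, p3, d2, d3, d4]


def hamming_decode(code: list) -> tuple:
    """Return (data bits, corrected position); position 0 means no error found."""
    c = list(code)
    p1, p2, d1, p3, d2, d3, d4 = c
    s1 = p1 ^ d1 ^ d2 ^ d4
    s2 = p2 ^ d1 ^ d3 ^ d4
    s3 = p3 ^ d2 ^ d3 ^ d4
    syndrome = s1 + 2 * s2 + 4 * s3   # its binary value is the 1-based bad position
    if syndrome:
        c[syndrome - 1] ^= 1          # repair the flipped bit in place
    return [c[2], c[4], c[5], c[6]], syndrome


if __name__ == "__main__":
    original = b"balance=100.00"       # constructed sample file content
    digest = checksum(original)
    damaged = flip_bit(original, 10)
    print("checksum detects the flip:", not integrity_ok(digest, damaged))

    code = hamming_encode([1, 0, 1, 1])
    code[4] ^= 1                       # corrupt position 5 (data bit d2)
    data, pos = hamming_decode(code)
    print("Hamming repaired position", pos, "->", data)
```

A checksum can only raise the alarm; the backup from the list above is what restores the file. The correcting code avoids that round trip, at the cost of three extra bits for every four stored.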

21.1.3 Availability
• Besides confidentiality and integrity, another important property of information security is
availability, which is the property that information is accessible and modifiable in a timely
fashion by those authorized to do so.

• Information that is locked in a cast-iron safe high on a Tibetan mountain and guarded
round the clock by a devoted army of ninjas may be considered safe, but it is not practically
secure from an information security perspective if it takes us weeks or months to reach it.
Indeed, the quality of some information is directly associated with how available it is.

• For example, stock quotes are most useful when they are fresh. Also, imagine the damage
that could be caused if someone stole our credit card and it took weeks before our credit
card company could notify anyone, because its list of stolen numbers was unavailable to
merchants. Thus, as with confidentiality and integrity, computer security researchers and
system designers have developed a number of tools for providing availability, including the
following:


o Physical protections: infrastructure meant to keep information available even in
the event of physical challenges. Such protections can include constructing the
buildings that house critical computer systems to withstand storms, earthquakes, and
bomb blasts, and outfitting them with generators and other electronic equipment to be
able to cope with power outages and surges.
o Computational redundancies: computers and storage devices that serve as
fallbacks in the case of failures. For example, redundant arrays of inexpensive
disks (RAID) use storage redundancies to keep data available to their clients. Also,
web servers are often organized in multiples called “farms” so that the failure of
any single computer can be dealt with without degrading the availability of the
web site.
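The storage-redundancy idea behind RAID, as an added example that is not part of the lecture notes: three data "disks" and one XOR parity disk; when any single disk fails, its block is rebuilt from the survivors, so reads keep being served while the array is degraded. The block contents are constructed.

```python
# Added example (not from the lecture notes): single-parity redundancy across
# disks, the principle RAID uses to keep data available after one disk fails.
from typing import Dict, List, Optional, Set


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks together; with the parity block included the
    operation is its own inverse, which is what makes rebuilding possible."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def store(data_blocks: List[bytes]) -> Dict[int, bytes]:
    """Place data on disks 0..n-1 and the XOR parity of all of them on disk n."""
    layout = {i: b for i, b in enumerate(data_blocks)}
    layout[len(data_blocks)] = xor_blocks(data_blocks)
    return layout


def rebuild(layout: Dict[int, Optional[bytes]]) -> bytes:
    """Rebuild the one missing block (value None) from every block that survived."""
    missing = [k for k, v in layout.items() if v is None]
    if len(missing) != 1:
        raise ValueError("single parity tolerates exactly one lost disk")
    return xor_blocks([v for v in layout.values() if v is not None])


def read_block(layout: Dict[int, bytes], disk: int, failed: Set[int]) -> bytes:
    """Serve a read even while a disk is down: healthy disks answer directly,
    a failed disk's content is reconstructed on the fly."""
    if disk not in failed:
        return layout[disk]
    degraded = {k: (None if k in failed else v) for k, v in layout.items()}
    return rebuild(degraded)


if __name__ == "__main__":
    disks = store([b"AAAA", b"BBBB", b"CCCC"])     # constructed blocks
    print("parity disk:", disks[3])                  # b'@@@@'
    print("disk 1 while failed:", read_block(disks, 1, {1}))   # b'BBBB'
```

Losing two disks at once exceeds what one parity block can recover, which is why availability planning pairs redundancy with the backups listed under integrity.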

• Because availability is so important, an attacker who otherwise doesn’t care about the
confidentiality or integrity of data may choose to attack its availability. For instance, a thief
who steals lots of credit cards might wish to attack the availability of the list of stolen credit
cards that is maintained and broadcast by a major credit card company. Thus, availability
forms the third leg of support for the vital C.I.A. triad of information security.

21.2 Computer Security – Types and Importance

21.2.1 Types
• Here are some of the major types of computer security practices and tactics that are
followed by users and organizations to protect their sensitive data, software, and hardware.
The different types of computer security are very important to protect the data stored in
electronic systems and networks.

Figure 21.3: Major Types of Computer Security


a) Application Security
• When security features are introduced at the primary stage of the development process,
this is known as application security. It is very capable of protecting your
computer system from cyber security threats such as unauthorized access and data
breaches. Furthermore, it can also help your computer system to defend against SQL
injection and denial of service attacks.
• Some of the major tools and techniques used to put application security in place
are software encryption, antivirus, firewalls, etc., and these help your
system to build a wall against cyber-attacks.

b) Information Security
• Information security is a type of cyber security that specifically focuses on the methodology
and techniques that are built for ensuring computer security. Information security, as a
process, was developed to protect the availability, integrity, and confidentiality of computer
systems from data theft, unauthorized access, harm, and destruction. Information
security is commonly described by the CIA triad, and this model is used for protecting the
integrity, availability, and confidentiality of organizational data so that productivity is
maintained.

c) Network Security
• Network security, as the name suggests, is another type of computer security that protects
your computer system from unauthorized intrusions and access to your computer networks.
It is similar to information security in that it also protects the integrity, availability,
and confidentiality of your computer networks. Network security relies on many
configurations to perform at its best, and it covers the safety of both
software and hardware.

d) Endpoint Security
• Any error that is committed by a human can be easily exploited by hackers or cyber
criminals. End users pose a huge security risk in any organization. End users become
the victims of cybercrime because of their lack of knowledge about IT protection and
policies. Because they lack awareness, they can unknowingly give cyber criminals access
to their computer systems.
• So, it is important to understand the comprehensive security policies and procedures so
that you do not fall into the trap of cyber criminals, and to always stay alert. Awareness
training programs should be arranged to enhance users' knowledge about computer
security and its threats.

e) Internet Security
• Internet security is the most recent type of computer security and has reached a boom
period in recent times. It is a method for creating a complete set of rules and actions to
prevent any unauthorized use of or harm to computer systems that are directly connected to
the internet.
• It is the newest branch of computer security and specifically deals with the risks and
threats that come with the internet, which are enumerated as follows:
o Hacking
o Computer viruses
o Malware
o Denial of service attacks

21.2.2 Importance

Figure 21.4: Various Importance of Computer and Cyber Security


a) To protect personal information

• To protect yourself from cyber threats, make sure that you protect your personal
information and data.
• You must keep your information and data safe, and you can do that by implementing
the steps below:
o Install anti-virus software.
o Update the operating system of your computer regularly.
o Use strong passwords and other locks.
o Always take a backup of your critical data and information.
o Use computer locks for safety.
o Do not fall for the traps of phishing emails.

b) To protect company properties

• A company holds a lot of sensitive information and assets. It is very important to
protect the organization's important information and sensitive data so that it can
prevent any unauthorized access or misuse. So, a company must not
compromise the security of its computer systems, because if the information gets out
then the company has to incur huge losses. Installing a security system on the
computers ensures IT protection, which helps companies to protect their
sensitive data and information.

c) To Prevent Data Theft

• Data theft means stealing any critical and sensitive information such as account
passwords, bank account details, health-related information, personal information,
important documents that are stored in computer systems and their servers, and so
on.
• Data theft can happen for multiple reasons, which can be stated as follows:
o Stolen and weak credentials.
o Errors caused by humans.
o Presence of malicious insiders.
o Application vulnerabilities.
• To protect your system from data theft you have to make sure that your system is
equipped with endpoint security, use relevant authentication, identify sensitive data
and lock down your computer system.


d) To Prevent Malware and Viruses

• Computer viruses and malware can be very annoying at times, and computer security
can help you protect your system from these unwanted visitors. A computer virus
or malware can delete your important data and corrupt the sensitive information that
is stored in your computer system. It can also harm your hard disk, and it can spread
from one computer to another with the help of email programs.

e) To Protect from Unauthorized Access

• By installing computer security on your system, you will be able to understand who is
trying to get unauthorized access to your system. You can prevent unauthorized access
to your computer system by implementing computer security. It
prevents hackers from getting access to your computer system and controlling your
critical information. To stop hackers from harming your sensitive data, you need to
install a security system.

21.3 Security Threats and Attacks

• An attack is usually perpetrated by someone with bad intentions on computers and
computer networks. They try to destroy, expose, alter, disable, steal or gain
unauthorised access to or make unauthorised use of an asset. Knowing how to detect
and respond to attacks is a critical skill set for working in cyber security. Therefore,
formal methods and procedures have been developed to provide a structured approach
to this difficult problem. Computer systems are open to many threats that can inflict
various types of damage, resulting in significant losses. This damage can range from
errors harming database integrity to fires destroying entire computer centres. The
effects of various threats vary considerably: some affect the confidentiality or integrity
of data while others affect the availability of a system. This topic describes and explains
the various attacks and threats an organisation can face, so that it can build more
robust defensive measures.


Table 21.1 Differences between an attack and a threat

Attack:
• An attack usually is perpetrated by someone with bad intentions on computer and
computer networks.
• They try to destroy, expose, alter, disable, steal or gain unauthorised access to or
make unauthorised use of an asset.

Threat:
• A threat can refer to anything that has the potential to cause serious harm to a
computer system.
• This can lead to attacks on computer systems, organisation networks and cause
possible harm.
• Also known as internal attack.

• An organisation can build more robust defensive measures by understanding the
various attacks and threats that they could possibly face. The differences between an
attack and a threat are shown in this table. A computer attack can be defined as actions
directed against computer systems and networks to disrupt equipment operations,
change processing control, or corrupt stored data. Attacks are launched for a variety
of reasons, including monetary gain, maliciousness, fraud, warfare and to gain
economic advantage. Attacks are directed at compromising the confidentiality,
integrity and availability of networks and their resources and can be divided into four
general categories: modification attack, repudiation attack, denial of service
attack and access attack.

21.3.1 External and Internal Attacks

• External Attacks: External attacks are performed by individuals who are external to the
targeted network or organisation.
a) Distributed denial-of-service (DDoS) intends to bring your network's availability to a
screeching halt. It can take the following forms: consumption of network/system
resources, changing network configuration to reroute or interrupt network connectivity,
network session resets and disruption of network switches/routers, resulting in connectivity
loss for a number of systems. Examples of DDoS attacks are TCP SYN flood attacks, Smurf
IP attack, Ping of death and Botnets.

b) Targeted hacks/espionage are specifically aimed at sensitive information. Targeted attacks
have the goal of being stealthy, patient and focused on obtaining sensitive information for
personal use, espionage or for sale to other parties. Most targeted attacks follow a generic
method of intelligence gathering, active scanning, exploitation and maintaining access.


• Internal Attacks: An internal attack comes from sources that are within an organisation's
networks, such as a disgruntled employee with access privileges who attempts to perform
unauthorised activities. It includes any harmful actions with data that violate at least one of
the fundamental principles of information security (integrity, availability, and confidentiality)
and originate from within a company's information system. User error and ignorance on the
part of trusted individuals play a large role, putting networks and systems at risk from outside
agents.
a) Unintentional file sharing: file sharing programs are often referred to as peer-to-peer
programs and are intended to share files, movies, music and much more. Many of these
programs will scan for folders containing media files on a user's hard drive, and share these
folders out to the network. Outside users then have access not only to media files but also to
other files within the directory that may contain sensitive data. To avoid this problem, the
network connectivity can be controlled at the boundary via firewalls, and proper
configuration control of the end systems can detect installation of unauthorised software.
Implementing a least-privilege policy for end systems can mitigate many risks.

b) Device loss/theft: An embarrassing and damaging form of attack is that of property loss.
Most newsworthy breaches involve stolen or lost laptops that contain millions of sensitive
customer records, technical documents or health records. To avoid this issue, full-disk
encryption has gotten the attention and application it deserves. HDD encryption works by requiring
a user name and password to decrypt the hard-drive sectors and start up the operating
system.

Table 21.2 Differences between external and internal attacks

External:
▪ Distributed Denial of Service (DDoS) brings a network’s availability to a halt.
▪ Example: TCP SYN flood attacks, Smurf IP attack, Ping of death and Botnets.
▪ Targeted hacks/espionage, specifically aimed at sensitive information.
▪ Example: intelligence gathering, active scanning, exploitation and maintaining
access.

Internal:
▪ Unintentional file sharing.
▪ How to avoid? Network connectivity can be controlled at the boundary via firewalls,
and proper configuration control of the end systems can detect installation of
unauthorised software.
▪ Device loss/theft.
▪ How to avoid? Full encryption, HDD encryption.


Some of the threats and attacks that can compromise the network security goals:
i. Eavesdropping: the interception of information intended for someone else during its
transmission over a communication channel. Examples include packet sniffers, which monitor
nearby Internet traffic, such as in a wireless access location. This is an attack on confidentiality.

ii. Alteration: unauthorized modification of information. Examples of alteration attacks include
the man-in-the-middle attack, where a network stream is intercepted, modified, and
retransmitted, and computer viruses, which modify critical system files so as to perform some
malicious action and to replicate themselves. Alteration is an attack on data integrity.

iii. Denial-of-service: the interruption or degradation of a data service or information access.
Examples include email spam, to the degree that it is meant to simply fill up a mail queue and
slow down an email server. Denial of service is an attack on availability.

iv. Masquerading: the fabrication of information that is purported to be from someone who is
not actually the author. Examples of masquerading attacks include phishing, which creates a
web site that looks like a real bank or other e-commerce site, but is intended only for gathering
passwords, and spoofing, which may involve sending data packets on a network that carry false
return addresses. Masquerading is an attack on authenticity, and, in the case of phishing, an
attempt to compromise confidentiality and/or anonymity.

v. Repudiation: the denial of a commitment or data receipt. This involves an attempt to back
out of a contract or a protocol that requires the different parties to provide receipts
acknowledging that data has been received. This is an attack on assurance.

vi. Correlation and traceback: the integration of multiple data sources and information flows to
determine the source of a particular data stream or piece of information. This is an attack on
anonymity.

• There are other types of attacks as well, such as military-level attacks meant to break
cryptographic secrets. In addition, there are composite attacks, which combine several of the
above types of attacks into one. But those listed above are among the most common types of
attacks.
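How a receiver can detect two of the attacks listed above, alteration (ii) and masquerading (iv), as an added example that is not part of the lecture notes: each message carries a keyed checksum (HMAC-SHA256) computed over the claimed sender and the payload, so a man-in-the-middle who edits the payload, or a party without the key who claims to be the sender, produces a message that fails verification. The shared key and the messages are constructed; HMAC does nothing against eavesdropping (i), which needs encryption as well.

```python
# Added example (not from the lecture notes): message authentication with HMAC,
# showing the receiver's check rejecting altered and forged messages.
import hashlib
import hmac


def seal(key: bytes, sender: str, payload: bytes) -> dict:
    """Sender side: bind the claimed sender and the payload together under the key."""
    tag = hmac.new(key, sender.encode() + b"|" + payload, hashlib.sha256).hexdigest()
    return {"from": sender, "payload": payload, "tag": tag}


def verify(key: bytes, msg: dict) -> bool:
    """Receiver side: recompute the tag; the constant-time compare avoids leaking
    how many leading characters of a guessed tag were right."""
    expected = hmac.new(key, msg["from"].encode() + b"|" + msg["payload"],
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["tag"])


def simulate() -> tuple:
    """Return (genuine accepted?, altered accepted?, forged accepted?)."""
    key = b"constructed-shared-secret"          # known only to alice and the bank
    genuine = seal(key, "alice", b"transfer 100 to bob")
    # Alteration: a man-in-the-middle edits the payload but keeps the old tag.
    altered = dict(genuine, payload=b"transfer 9000 to mallory")
    # Masquerading: someone without the real key claims to be alice.
    forged = seal(b"guessed-key", "alice", b"transfer 100 to mallory")
    return verify(key, genuine), verify(key, altered), verify(key, forged)


if __name__ == "__main__":
    print(simulate())   # (True, False, False)
```

Including the sender name under the tag is what ties authenticity to the payload: changing either field invalidates the tag, so a captured genuine message cannot be re-labelled as coming from someone else.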


21.4 Network Security Issues involving the Users – Roles and Responsibilities
• No matter how advanced the technology is, it will ultimately be deployed in an environment
where humans exist. It is the human element that poses the biggest security challenge. It
is hard to compensate for all of the possible ways that humans can deliberately or
accidentally cause security problems or circumvent our security mechanisms. Despite all of
the technology, despite all of the security procedures we have in place, and despite all of
the security training we may provide, somebody will invariably fail to do what they are
supposed to do, or do something they are not supposed to do, and create a vulnerability
in the organization's security posture.

• Two main network security issues involving users are social engineering and poor security
practices.

21.4.1 Social Engineering
Social engineering is the process of convincing an authorized individual to provide
confidential information or access to an unauthorized individual. It is a technique in which
the attacker uses various deceptive practices to convince the targeted person to divulge
information they normally would not divulge or to convince the target of the attack to do
something they normally wouldn't do. Social engineering is very successful for several
reasons. The first is the basic desire of most people to be helpful. When somebody asks a
question for which we know the answer, our normal response is not to be suspicious but
rather to answer the question. The problem with this is that seemingly innocuous
information can be used either directly in an attack or indirectly to build a bigger picture
that an attacker can use to create an aura of authenticity during an attack—the more
information an individual has about an organization, the easier it will be to convince others
that this person is part of the organization and has a right to even sensitive information.
An attacker who is attempting to exploit the natural tendency of people to be helpful may
take one of several approaches:

o The attacker might simply ask a question, hoping to immediately obtain the desired
information. For basic information that is not considered sensitive, this approach
generally works. As an example, an attacker might call and ask who the IT manager
is.

o The attacker might first attempt to engage the target in conversation and try to evoke
sympathy so that the target feels sorry for the individual and is more prone to provide
the information. For information that is even slightly sensitive in nature, the request
for which could possibly arouse suspicion, this technique may be tried. As an example,
an attacker might call and claim to be under some deadline from a supervisor who is
upset for some reason. The target, feeling sorry for an alleged fellow worker, might
give up the information, thinking they are helping them avoid trouble with the
supervisor.

o The attacker might appeal to an individual's ego. As an example, an attacker might
call the IT department, claiming to have some sort of problem, and praising them for
work they supposedly did to help another worker. After being told how great they are
and how much they helped somebody else, they will often be tempted to demonstrate
that they can supply the same level of help to another individual. This technique may
be used to obtain sensitive information, such as having the target's password reset.

• Various attacks related to social engineering include phishing, pharming, vishing, spam
and shoulder surfing.

21.4.2 Poor Security Practices

• A significant portion of human-created security problems results from poor security
practices. These poor practices may be those of an individual user who is not following
established security policies or processes, or they may be caused by a lack of security
policies, procedures, or training within the user's organization.
• Various issues include password selection, shoulder surfing, piggybacking, dumpster
diving, installing unauthorized hardware and software, data handling, physical access
by non-employees and clean desk policies.
• In this note, a greater focus will be given to password selection.
o Password selection
Poor password selection is one of the most common of poor security practices, and
one of the most dangerous. Numerous studies that have been conducted on password
selection have found that, while overall more users are learning to select good
passwords, a significant percentage of users still make poor choices. The problem with
this, of course, is that a poor password choice can enable an attacker to compromise
a computer system or network more easily. Even when users have good passwords,
they often resort to another poor security practice–writing the password down in an
easily located place, which can also lead to system compromise if an attacker gains
physical access to the area.

Organizations have also instituted additional policies and rules relating to
password selection to further complicate an attacker's efforts. Organizations, for
example, may require users to frequently change their password. This means that if
an attacker is able to guess a password, it is only valid for a limited period of time
before a new password is selected, after which the attacker is locked out. All is not
lost for the attacker, however, because, again, users will select passwords they can
remember. For example, password changes often result in a new password that simply
incorporates a number at the end of the old one.

Another policy or rule governing password selection often adopted by
organizations is that passwords must not be written down. This, of course, is difficult
to enforce, and thus users will frequently write them down, often as a result of what
is referred to as the "password dilemma." The more difficult we make it for attackers
to guess our passwords, and the more frequently we force password changes, the
more difficult the passwords are for authorized users to remember and the more likely
they are to write them down. Writing them down and putting them in a secure place
is one thing, but all too often users will write them on a slip of paper and keep them
in their calendar, wallet, or purse. Most security consultants generally agree that if
they are given physical access to an office, they will be able to find a password
somewhere—the top drawer of a desk, inside of a desk calendar, attached to the
underside of the keyboard, or even simply on a yellow "sticky note" attached to the
monitor.
With the proliferation of computers, networks, and users, the password
dilemma has gotten worse. Today, the average Internet user probably has at least a
half dozen different accounts and passwords to remember. Selecting a different
password for each account, following the guidelines mentioned previously regarding
character selection and frequency of changes, only aggravates the problem of
remembering the passwords. This results in users all too frequently using the same
password for all accounts. If a user does this, and then one of the accounts is
compromised, all other accounts are subsequently also vulnerable to attack.
The need for good password selection and the protection of passwords also
applies to another common feature of today's electronic world: PINs. Most people have
at least one PIN associated with things such as their ATM card or a security code to
gain physical access to a room. Again, users will invariably select numbers that are
easy to remember. Specific numbers, such as the individual's birth date, their spouse's
birth date, or the date of some other significant event, are all common numbers to
select. Other people will pick patterns that are easy to remember—2580, for example,
uses all of the center numbers on a standard numeric pad on a telephone. Attackers
know this, and guessing PINs follows the same sort of process that guessing a
password does.
Password selection is an individual activity, and ensuring that individuals are
making good selections is the realm of the entity's password policy. In order for users to
make appropriate choices, they need to be aware of the issue and their personal role
in securing accounts. An effective password policy conveys both the user's role and
responsibility associated with password usage and does so in a simple enough manner
that it can be conveyed via screen notes during mandated password change events.
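As an added illustration of the password-selection problems described above (example code written for these notes, not taken from the lecture's sources), the following password-change check rejects the "old password plus a number" pattern, exact or re-cased reuse of an earlier password, digit-only PIN-style choices and passwords built on a common word. The minimum length, the small common-password list and the stem comparison are assumptions of the example, not policy values stated in the notes.

```python
import re
from typing import List

# Constructed sample of frequently chosen passwords (assumption: a real
# deployment would check against a large breached-password list).
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "admin"}
MIN_LENGTH = 12  # assumed policy value


def stem(pw: str) -> str:
    """Lower-case and drop digits and punctuation, so that 'Summer2023!' and
    'Summer2024!' both reduce to the stem 'summer'."""
    return re.sub(r"[^a-z]", "", pw.lower())


def is_derived(new_pw: str, old_pw: str) -> bool:
    """True when new_pw is old_pw reused, re-cased, or with only its digits or
    punctuation changed: the 'number at the end of the old one' pattern."""
    if new_pw.lower() == old_pw.lower():
        return True
    new_stem, old_stem = stem(new_pw), stem(old_pw)
    if len(old_stem) < 4:  # too little alphabetic content to compare stems
        return False
    return new_stem == old_stem or old_stem in new_stem or new_stem in old_stem


def validate_password_change(new_pw: str, history: List[str]) -> List[str]:
    """Return the list of policy violations; an empty list means the change is accepted."""
    problems = []
    if len(new_pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if new_pw.isdigit():
        problems.append("digits only (PIN-like, easily guessed)")
    if new_pw.lower() in COMMON_PASSWORDS or stem(new_pw) in COMMON_PASSWORDS:
        problems.append("based on a commonly used password")
    if any(is_derived(new_pw, old) for old in history):
        problems.append("reuses or is derived from a previous password")
    return problems


if __name__ == "__main__":
    for candidate, hist in [("Summer2024!", ["Summer2023!"]),
                            ("Password123", []),
                            ("correct horse battery staple", ["Summer2023!"])]:
        print(candidate, "->", validate_password_change(candidate, hist) or "accepted")
```

The stem comparison is deliberately coarse: it treats any password that differs from an old one only in digits, case or punctuation as the same password, which is exactly the habit a "change every 90 days" rule tends to produce.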

21.3 Users as a Security Tool

An interesting paradox when speaking of social engineering attacks is that people are not only the
biggest problem and security risk but also the best tool in defending against a social engineering
attack. The first step a company should take to fight potential social engineering attacks is to create
the policies and procedures that establish the roles and responsibilities for not only security
administrators but for all users. What is it that management expects, security-wise, from all
employees? What is it that the organization is trying to protect, and what mechanisms are
important for that protection?

Security Awareness
• Probably the single most effective method to counter potential social engineering attacks,
after establishment of the organization's security goals and policies, is an active security
awareness program. The extent of the training will vary depending on the organization's
environment and the level of threat, but initial employee training on social engineering at the
time a person is hired is important, as well as periodic refresher training.

• An important element that should be stressed in training about social engineering is the type
of information that the organization considers sensitive and may be the target of a social
engineering attack. There are undoubtedly signs that the organization could point to as
indicative of an attacker attempting to gain access to sensitive corporate information. All
employees should be aware of these indicators. The scope of information that an attacker
may ask for is very large, and many questions attackers pose might also be legitimate in
another context (asking for someone's phone number, for example). Employees should be
taught to be cautious about revealing personal information and should especially be alert for
questions regarding account information, personally identifiable information, or passwords.

Individual User Responsibilities

• Individual user responsibilities vary between organizations and the type of business the
organization is involved in, but there are certain very basic responsibilities that all users
should be instructed to adopt:
o Lock the door to your office or workspace.
o Do not leave sensitive information inside your car unprotected.
o Secure storage media containing sensitive information in a secure storage device.
o Shred paper containing organizational information before discarding it.
o Do not divulge sensitive information to individuals (including other employees) who do not
have an authorized need to know it.
o Do not discuss sensitive information with family members. (The most common violation of
this rule occurs in regard to HR information, as employees, especially supervisors, may
complain to their spouse about other employees or problems that are occurring at work.)
o Protect laptops that contain sensitive or important organization information wherever the
laptop may be stored or left. (It's a good idea to ensure that sensitive information is
encrypted on the laptop so that, should the equipment be lost or stolen, the information
remains safe.)
o Be aware of who is around you when discussing sensitive corporate information. Does
everybody within earshot have the need to hear this information?
o Enforce corporate access control procedures. Be alert to, and do not allow, piggybacking,
shoulder surfing, or access without the proper credentials.
o Be aware of the correct procedures to report suspected or actual violations of security
policies.
o Follow procedures established to enforce good password security practices. Passwords are
such a critical element that they are frequently the ultimate target of a social engineering
attack. Though such password procedures may seem too oppressive or strict, they are
often the best line of defence.

• As a final note on user responsibilities, corporate security officers must cultivate an
environment of trust in their office, as well as an understanding of the importance of security.
If users feel that security personnel are only there to make their life difficult or dredge up
information that will result in an employee's termination, the atmosphere will quickly turn
adversarial and be transformed into an "us versus them" situation. Security personnel need
the help of all users and should strive to cultivate a team environment in which users, when
faced with a questionable situation, will not hesitate to call the security office. In situations
like this, security offices should remember the old adage of "don't shoot the messenger."

21.4 Security Principles and Policy

In the mid-1970s, two computer scientists from MIT, Jerome Saltzer and Michael Schroeder,
published a paper on design principles for a secure computer system. The Saltzer and Schroeder
paper, titled "The Protection of Information in Computer Systems," has been hailed as a seminal
work in computer security, and the ten design principles in it are as relevant today as they were in
the 1970s. These principles are useful in secure system design and operation.

21.4.1 10 Principles

Figure 21.5: 10 Security Principles by Saltzer and Schroeder


i) Least Privilege
• One of the most fundamental principles in security is least privilege. This concept is applicable
to many physical environments as well as network and host security. Least privilege means
that a subject (which may be a user, application, or process) should have only the necessary
rights and privileges to perform its task, with no additional permissions.

• Limiting a subject's privileges limits the amount of harm that can be caused, thus limiting an
organization's exposure to damage. Users may have access to the files on their workstations
and a select set of files on a file server, but no access to critical data that is held within the
database. This rule helps an organization protect its most sensitive resources and helps ensure
that whoever is interacting with these resources has a valid reason to do so.

• The security concept of least privilege is not unique to computer security. It has been practiced
by organizations such as financial institutions and governments for centuries. Basically it
simply means that individuals are given only the absolute minimum of privileges that are
required to accomplish their assigned job. Examine the security policies that your organization
has in place and see if you can identify examples of where the principle of least privilege has
been used.

• The concept of least privilege applies to more network security issues than just providing users
with specific rights and permissions. When trust relationships are created, they should not be
implemented in such a way that everyone trusts each other simply because it is easier. One
domain should trust another for very specific reasons, and the implementers should have a
full understanding of what the trust relationship allows between two domains. If one domain
trusts another, do all of the users automatically become trusted, and can they thus easily
access any and all resources on the other domain? Is this a good idea? Is there a more secure
way of providing the same functionality? If a trusted relationship is implemented such that
users in one group can access a plotter or printer that is available on only one domain, it might
make sense to simply purchase another plotter so that other, more valuable or sensitive
resources are not accessible by the entire group.

• Another issue that falls under the least privilege concept is the security context in which an
application runs. All applications, scripts, and batch files run in the security context of a specific
user on an operating system. They execute with specific permissions as if they were a user.
The application may be Microsoft Word and run in the space of a regular user, or it may be a
diagnostic program that needs access to more sensitive system files and so must run under
an administrative user account, or it may be a program that performs backups and so should
operate within the security context of a backup operator. The crux of this issue is that a
program should execute only in the security context that is needed for that program to perform
its duties successfully. In many environments, people do not really understand how to make
programs run under different security contexts, or it may just seem easier to have all programs
run under the administrator account. If attackers can compromise a program or service
running under the administrator account, they have effectively elevated their access level and
have much more control over the system and many more ways to cause damage.

ii) Separation of Privilege

• Protection mechanisms can be employed to grant access based on a variety of factors. One
of the key principles is to base decisions on more than a single piece of information. The
principle of separation of privilege states that the protection mechanism should be constructed
so that it uses more than one piece of information to make access decisions. Applying this
principle to the people side of the security function results in the concept of separation of
duties.

• The principle of separation of privilege is applicable to physical environments as well as
network and host security. When applied to people's actions, separation of duties specifies
that for any given task, more than one individual needs to be involved. The task is broken into
different duties, each of which is accomplished by a separate individual. By implementing a
task in this manner, no single individual can abuse the system for their own gain. This principle
has been implemented in the business world, especially financial institutions, for many years.
A simple example is a system in which one individual is required to place an order and a
separate person is needed to authorize the purchase.

• While separation of duties provides a certain level of checks and balances, it is not without its
own drawbacks. Chief among these is the cost required to accomplish the task. This cost is
manifested in both time and money. More than one individual is required when a single person
could accomplish the task, thus potentially increasing the cost of the task. In addition, with
more than one individual involved, a certain delay can be expected because the task must
proceed through its various steps.
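The order-and-authorize example above, implemented as an added illustration (example code written for these notes, not from Saltzer and Schroeder or the lecture's sources). The role directory and user names are constructed for the example; the point is the guard in approve_order, which refuses to let the person who placed an order be the one who authorizes it, even when that person holds both roles.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed role directory (assumption: a real system would read roles
# from the organization's identity store).
ROLES = {
    "alice": {"requester"},
    "bob": {"approver"},
    "carol": {"requester", "approver"},
}


@dataclass
class PurchaseOrder:
    item: str
    amount: float
    requested_by: Optional[str] = None
    approved_by: Optional[str] = None
    history: List[str] = field(default_factory=list)

    @property
    def status(self) -> str:
        if self.approved_by:
            return "approved"
        return "pending" if self.requested_by else "draft"


def place_order(po: PurchaseOrder, user: str) -> PurchaseOrder:
    """First duty: only a requester may place the order."""
    if "requester" not in ROLES.get(user, set()):
        raise PermissionError(f"{user} is not allowed to place orders")
    po.requested_by = user
    po.history.append(f"placed by {user}")
    return po


def approve_order(po: PurchaseOrder, user: str) -> PurchaseOrder:
    """Second duty: a different person holding the approver role must authorize it."""
    if po.requested_by is None:
        raise ValueError("order has not been placed yet")
    if "approver" not in ROLES.get(user, set()):
        raise PermissionError(f"{user} is not allowed to approve orders")
    if user == po.requested_by:
        # Separation of duties: holding both roles does not let one person do both steps.
        raise PermissionError(f"{user} cannot approve an order they placed themselves")
    po.approved_by = user
    po.history.append(f"approved by {user}")
    return po


def demo() -> Dict[str, str]:
    """Run the two-person path and the self-approval attempt; return the outcomes."""
    ok = approve_order(place_order(PurchaseOrder("laptop", 1200.0), "alice"), "bob")
    results = {"two_person": ok.status}
    self_dealing = place_order(PurchaseOrder("server", 9000.0), "carol")
    try:
        approve_order(self_dealing, "carol")
        results["self_approval"] = "allowed"
    except PermissionError:
        results["self_approval"] = "blocked"
    results["self_approval_status"] = self_dealing.status
    return results


if __name__ == "__main__":
    print(demo())
```

The cost the notes mention is visible in the code: the order carol placed stays "pending" until a second person acts on it, so the control is bought with a delay and a second person's time.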

iii) Open Design

• The principle of open design holds that the protection of an object should not rely upon secrecy
of the protection mechanism itself. This principle has been long proven in cryptographic circles,
where hiding the algorithm ultimately fails and the true protection relies upon the secrecy and
complexity of the keys. The principle does not exclude the idea of using secrecy, but merely
states that, on the face of it, secrecy of mechanism is not sufficient for protection.

• Another concept in security that should be discussed in this context is the idea of security
through obscurity. In this case, security is considered effective if the environment and
protection mechanisms are confusing or thought to be not generally known. Security through
obscurity uses the approach of protecting something by hiding it. Non-computer examples of
this concept include hiding your briefcase or purse if you leave it in the car so that it is not in
plain view, hiding a house key under a doormat or in a planter, and pushing your favourite ice
cream to the back of the freezer so that everyone else thinks it is all gone. The idea is that if
something is out of sight, it is out of mind. This approach, however, does not provide actual
protection of the object. Someone can still steal the purse by breaking into the car, lift the
doormat and find the key, or dig through the items in the freezer to find your favourite ice
cream. Security through obscurity may make someone work a little harder to accomplish a
task, but it does not prevent anyone from eventually succeeding.

• Similar approaches are seen in computer and network security when attempting to hide certain
objects. A network administrator may, for instance, move a service from its default port to a
different port so that others will not know how to access it as easily, or a firewall may be
configured to hide specific information about the internal network in the hope that potential
attackers will not obtain the information for use in an attack on the network.

• In most security circles, security through obscurity is considered a poor approach, especially
if it is the only approach to security. Security through obscurity simply attempts to hide an
object; it doesn't implement a security control to protect it. An organization can use security
through obscurity measures to try to hide critical assets, but other security measures should
also be employed to provide a higher level of protection. For example, if an administrator
moves a service from its default port to a more obscure port, an attacker can still actually find
this service; thus, a firewall should be used to restrict access to the service. Most people know
that even if you do shove your ice cream to the back of the freezer, someone may eventually
find it.

iv) Economy of mechanism

• The terms security and complexity are often at odds with each other, because the more
complex something is, the harder it is to understand, and you cannot truly secure something
if you do not understand it. Another reason complexity is a problem within security is that it
usually allows too many opportunities for something to go wrong. If an application has 4000
lines of code, there are a lot fewer places for buffer overflows, for example, than in an
application of two million lines of code. The principle of economy of mechanism is described
as always using simple solutions when available.

• An example of the principle concerns the number of services that you allow your system to
run. Default installations of computer operating systems often leave many services running.
The keep-it-simple principle tells us to eliminate or disable those services we don't need. This
is also a good idea from a security standpoint because it results in fewer applications that can
be exploited and fewer services that the administrator is responsible for securing. The general
rule of thumb is to eliminate or disable all nonessential services and protocols. Ideally, you
should know what your computer system or network is being used for, and thus you should
be able to identify and activate only those elements that are essential. For a variety of reasons,
this is not as easy as it sounds. Alternatively, a stringent security approach that one can take
is to assume that no service is necessary and activate services and ports only as they are
requested. Whatever approach is taken, there is a never-ending struggle to try to strike a
balance between providing functionality and maintaining security.

v) Fail-safe Defaults

• Today, the Internet is no longer the friendly playground of researchers that it once was. This
has resulted in different approaches that might at first seem less than friendly but that are
required for security purposes. Fail-safe defaults is the concept that when something fails, it
should do so to a safe state. One approach is that a protection mechanism should deny access
by default and should grant access only when explicit permission exists. This is sometimes
called default deny, and the common operational term for this approach is implicit deny.

• Frequently in the network world, administrators make many decisions concerning network
access. Often a series of rules will be used to determine whether or not to allow access (which
is the purpose of a network firewall). If a particular situation is not covered by any of the other
rules, the implicit deny approach states that access should not be granted. In other words, if
no rule would allow access, then access should not be granted. Implicit deny applies to
situations involving both authorization and access.

vi) Complete Mediation

• One of the fundamental tenets of a protection system is to check all access requests for
permission. Each and every time a subject requests access to an object, the permission must
be checked; otherwise, an attacker might gain unauthorized access to an object. Complete
mediation refers to the concept that each and every request should be verified. When
permissions are verified the first time, and the result is cached for subsequent use,
performance may be increased, but this also opens the door to permission errors. Should a
permission change subsequent to the first use, this change would not be applied to the
operations after the initial check.

• Complete mediation also refers to ensuring that all operations go through the protection
mechanism. When security controls are added after the fact, it is important to make certain
that all process flows are covered by the controls, including exceptions and out-of-band
requests. If an automated process is checked in one manner, but a manual paper backup
process has a separate path, it is important to ensure all checks are still in place. When a
system undergoes disaster recovery or business continuity processes, or backup and/or
restore processes, these too require complete mediation.
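As an added example covering both fail-safe defaults (v) and complete mediation (vi), written for these notes and not taken from the lecture's sources: a small rule-based access decision with implicit deny, exposed through two mediators. The first consults the policy on every request; the second caches its first answer, which is the shortcut the notes warn about, so a revoked permission is still honoured. The rule set, user names and resource name are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    subject: str   # user name
    obj: str       # resource
    action: str    # "read" or "write"
    allow: bool    # explicit permit (True) or explicit deny (False)


class PolicyStore:
    """The administrator's rule set; it can change at any time, for example
    when an access is revoked after an employee changes role."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def revoke(self, subject: str, obj: str, action: str) -> None:
        self.rules = [r for r in self.rules
                      if (r.subject, r.obj, r.action) != (subject, obj, action)]


def decide(store: PolicyStore, subject: str, obj: str, action: str) -> bool:
    """Fail-safe default: the first matching rule wins; if no rule matches the
    request at all, access is denied (implicit deny)."""
    for r in store.rules:
        if (r.subject, r.obj, r.action) == (subject, obj, action):
            return r.allow
    return False


class CompleteMediator:
    """Consults the policy on every request, as complete mediation requires."""

    def check(self, store: PolicyStore, subject: str, obj: str, action: str) -> bool:
        return decide(store, subject, obj, action)


class CachingMediator:
    """Checks once and reuses the answer: faster, but a later policy change is
    never seen, which is the failure mode the notes describe."""

    def __init__(self):
        self.cache: Dict[Tuple[str, str, str], bool] = {}

    def check(self, store: PolicyStore, subject: str, obj: str, action: str) -> bool:
        key = (subject, obj, action)
        if key not in self.cache:
            self.cache[key] = decide(store, subject, obj, action)
        return self.cache[key]


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Return (complete-mediation answer, cached answer) for each scenario."""
    store = PolicyStore([Rule("alice", "payroll.db", "read", True)])
    strict, cached = CompleteMediator(), CachingMediator()
    req = ("alice", "payroll.db", "read")
    results = {}
    results["alice_read_before"] = (strict.check(store, *req), cached.check(store, *req))
    # bob has no rule at all: implicit deny in both mediators
    results["bob_read_no_rule"] = (strict.check(store, "bob", "payroll.db", "read"),
                                   cached.check(store, "bob", "payroll.db", "read"))
    # alice has no write rule: denied even though she may read
    results["alice_write_no_rule"] = (strict.check(store, "alice", "payroll.db", "write"),
                                      cached.check(store, "alice", "payroll.db", "write"))
    store.revoke(*req)   # administrator removes alice's read access
    results["alice_read_after_revoke"] = (strict.check(store, *req), cached.check(store, *req))
    return results


if __name__ == "__main__":
    for name, (strict_answer, cached_answer) in demo().items():
        print(f"{name}: complete mediation={strict_answer}, cached={cached_answer}")
```

If a decision cache is unavoidable for performance, it must be invalidated (or given a short lifetime) whenever the policy changes; otherwise the revoke step above is silently ignored for every subject that was checked before it.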

vii) Least Common Mechanism

• The principle of least common mechanism states that mechanisms used to access resources
should be dedicated and not shared. Sharing of mechanisms allows a potential cross-over
between channels, resulting in a protection failure mode. For example, if there is a module
that enables employees to check their payroll information, a separate module should be
employed to change the information, lest a user gain access to change versus read access.
Although sharing and reuse are good in one sense, they can represent a security risk in
another.

• Common examples of the least common mechanism and its isolation principle abound in
ordinary systems. Sandboxing is a means of separating the operation of an application from
the rest of the operating system. Virtual machines perform the same task between operating
systems on a single piece of hardware. Instantiating shared libraries, in which separate
instantiation of local classes enables separate but equal coding, is yet another. The key is to
provide a means of isolation between processes so information cannot flow between separate
users unless specifically designed to do so.

viii) Psychological Acceptability

• Psychological acceptability refers to the users’ acceptance of security measures. Another name
for psychological acceptability is least astonishment, referring to the role that security
measures should play with respect to usability. Users play a key role in the operation of a
system, and if security measures are perceived to be an impediment to the work a user is
responsible for, then a natural consequence may be that the user bypasses the control.
Although a user may understand that this could result in a security problem, the perception
that it does result in their performance failure will present pressure to bypass it.

• Psychological acceptability is often overlooked by security professionals focused on technical
issues and how they see the threat. They are focused on the threat, which is their professional
responsibility, so the focus on security is natural and aligns with their professional
responsibilities. This alignment between security and professional work responsibilities does
not always translate to other positions in an organization. Security professionals, particularly
those designing the security systems, should not only be aware of this concept but should pay
particular attention to how security controls will be viewed by workers in the context of their
work responsibility, not with respect to security for its own sake.

ix) Work Factor

• According to this principle, the cost of circumventing a security mechanism should be
compared with the resources of an attacker when designing a security scheme. A system
developed to protect student grades in a university database, which may be attacked by
snoopers or students trying to change their grades, probably needs less sophisticated security
measures than a system built to protect military secrets, which may be attacked by
government intelligence organizations. Saltzer and Schroeder admit that the work factor
principle translates poorly to electronic systems, where it is difficult to determine the amount
of work required to compromise security. In addition, technology advances so rapidly that
intrusion techniques considered infeasible at a certain time may become trivial to perform
within a few years. For example, brute force password cracking is becoming increasingly
feasible to perform on an inexpensive personal computer.

x) Compromise Recording

• Finally, this principle states that sometimes it is more desirable to record the details of an
intrusion than to adopt more sophisticated measures to prevent it. Internet-connected
surveillance cameras are a typical example of an effective compromise record system that can
be deployed to protect a building in lieu of reinforcing doors and windows. The servers in an
office network may maintain logs for all accesses to files, all emails sent and received, and all
web browsing sessions. Again, the compromise recording principle does not hold as strongly
on computer systems, since it may be difficult to detect intrusion and adept attackers may be
able to remove their tracks on the compromised machine (e.g., by deleting log entries).
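The weakness named at the end of this principle, an attacker deleting log entries on the compromised machine, is what a defender designs the recording to detect. As an added example written for these notes (not from the lecture's sources), the following hash-chained audit log makes each entry depend on the one before it, and compares the chain head against a copy assumed to have been forwarded to a separate log server as each entry was written. Removing an entry breaks a link; removing it and recomputing the chain makes the local head disagree with the forwarded one. The event records are constructed for the example.

```python
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64   # hash value standing in for "no previous entry"


def entry_hash(prev_hash: str, record: dict) -> str:
    """Each entry's hash covers the previous hash and its own content, so
    removing or altering an earlier entry invalidates every link after it."""
    payload = prev_hash + json.dumps(record, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append(log: List[dict], record: dict) -> str:
    """Append a record and return the new chain head."""
    prev = log[-1]["hash"] if log else GENESIS
    h = entry_hash(prev, record)
    log.append({"record": record, "hash": h})
    return h


def verify(log: List[dict], anchored_head: str) -> Tuple[Optional[int], bool]:
    """Return (index of the first broken link or None, whether the local chain
    head matches the copy anchored off-host)."""
    prev = GENESIS
    first_break = None
    for i, entry in enumerate(log):
        if first_break is None and entry["hash"] != entry_hash(prev, entry["record"]):
            first_break = i
        prev = entry["hash"]
    return first_break, prev == anchored_head


def demo() -> Dict[str, Tuple[Optional[int], bool]]:
    # Constructed file-access events, standing in for a server's access log.
    events = [
        {"t": "2024-05-01T09:00:00Z", "user": "alice", "file": "/finance/q1.xlsx", "op": "read"},
        {"t": "2024-05-01T09:05:12Z", "user": "mallory", "file": "/finance/q1.xlsx", "op": "copy"},
        {"t": "2024-05-01T09:06:40Z", "user": "alice", "file": "/finance/q1.xlsx", "op": "close"},
    ]
    log: List[dict] = []
    remote_head = GENESIS
    for ev in events:
        # Assumption: the new head is forwarded to a log server the attacker cannot reach.
        remote_head = append(log, ev)

    results = {"intact": verify(log, remote_head)}

    # Middle entry removed from the local copy: the link at index 1 no longer verifies.
    deleted = log[:1] + log[2:]
    results["middle_deleted"] = verify(deleted, remote_head)

    # Middle entry removed and the chain recomputed: links verify, but the head
    # no longer matches the forwarded copy.
    rebuilt: List[dict] = []
    for entry in deleted:
        append(rebuilt, entry["record"])
    results["rebuilt_after_delete"] = verify(rebuilt, remote_head)
    return results


if __name__ == "__main__":
    for name, (first_break, head_ok) in demo().items():
        print(f"{name}: first broken link={first_break}, head matches remote={head_ok}")
```

The chain alone only proves internal consistency; it is the off-host copy of the head (or, equivalently, real-time forwarding of every entry) that turns local tampering into something the defender can see.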

21.5 Security Policy

• The important parts of any organization's approach to implementing security include the
policies, procedures, standards, and guidelines that are established to detail what users and
administrators should be doing to maintain the security of the systems and network.
Collectively, these documents provide the guidance needed to determine how security will be
implemented in the organization. Given this guidance, the specific technology and security
mechanisms required can be planned for.

• Policies are high-level, broad statements of what the organization wants to accomplish. They
are made by management when laying out the organization's position on some issue.

• Procedures are the step-by-step instructions on how to implement policies in the
organization. They describe exactly how employees are expected to act in a given situation or
to accomplish a specific task.

• Standards are mandatory elements regarding the implementation of a policy. They are
accepted specifications that provide specific details on how a policy is to be enforced. Some
standards are externally driven. Regulations for banking and financial institutions, for example,
require certain security measures be taken by law. Other standards may be set by the
organization to meet its own security goals.

• Guidelines are recommendations relating to a policy. The key term in this case is
recommendations—guidelines are not mandatory steps.

• Just as the network itself constantly changes, the policies, procedures, standards, and
guidelines should be living documents that are periodically evaluated and changed as
necessary. The constant monitoring of the network and the periodic review of the relevant
documents are part of the process that is the operational model. When applied to policies,
this process results in what is known as the policy lifecycle. This operational process and policy
lifecycle roughly consist of four steps in relation to your security policies and solutions:
1. Plan (adjust) for security in your organization.
2. Implement the plans.
3. Monitor the implementation.
4. Evaluate the effectiveness.

• In the first step, you develop the policies, procedures, and guidelines that will be implemented
and design the security components that will protect your network. A variety of governing
instruments—from standards to compliance rules—will provide boundaries for these
documents. Once these documents are designed and developed, you can implement the plans.
Part of the implementation of any policy, procedure, or guideline is an instruction period during
which those who will be affected by the change or introduction of this new document can
learn about its contents. Next, you monitor to ensure that both the hardware and the software,
as well as the policies, procedures, and guidelines, are effective in securing your systems.
Finally, you evaluate the effectiveness of the security measures you have in place. This step
may include a vulnerability assessment (an attempt to identify and prioritize the list of
vulnerabilities within a system or network) and a penetration test (a method to check the
security of a system by simulating an attack by a malicious individual) of your system to ensure
the security is adequate. After evaluating your security posture, you begin again with Step 1,
this time adjusting the security mechanisms you have in place, and then continue with this
cyclical process.

• Regarding security, every organization should have several common policies in place (in
addition to those already discussed relative to access control methods). These include, but
are not limited to, security policies regarding change management, classification of
information, acceptable use, due care and due diligence, due process, need to know, disposal
and destruction of data, service level agreements, human resources issues, codes of ethics,
and policies governing incident response.

o Security Policies
In keeping with the high-level nature of policies, the security policy is a high-level
statement produced by senior management that outlines both what security means to
the organization and the organization's goals for security. The main security policy can
then be broken down into additional policies that cover specific topics. Statements such
as "this organization will exercise the principle of least access in its handling of client
information" would be an example of a security policy. The security policy can also
describe how security is to be handled from an organizational point of view (such as
describing which office and corporate officer or manager oversees the organization's
security program).

o Data Policies
System integration with third parties frequently involves the sharing of data. Data can
be shared for the purpose of processing or storage. Control over data is a significant
issue in third-party relationships. Numerous questions need to be addressed. For
example, the question of who owns the data—both the data shared with third parties
and subsequent data developed as part of the relationship—is an issue that needs to
be established.

A key component of IT security is the protection of the information processed and stored
on the computer systems and network. Organizations deal with many different types of
information, and they need to recognize that not all information is of equal importance
or sensitivity. This requires classification of information into various categories, each
with its own requirements for its handling. Factors that affect the classification of
specific information include its value to the organization (what will be the impact to the
organization if this information is lost?), its age, and laws or regulations that govern its
protection. The most widely known system of classification of information is the one
implemented by the U.S. government (including the military), which classifies
information into categories such as Confidential, Secret, and Top Secret. Businesses
have similar desires to protect information and often use categories such as Publicly
Releasable, Proprietary, Company Confidential, and For Internal Use Only. Each policy
for the classification of information should describe how it should be protected, who
may have access to it, who has the authority to release it (and how), and how it should
be destroyed. All employees of the organization should be trained in the procedures for
handling the information they are authorized to access.
