Mekdela Amba University
College of Computing and Informatics
Department of Computer Science
Welcome to COSC4035
Computer Security
Chapter One
Introduction to Computer Security
Leweyehu Y. Department of Computer Science
Overview
• What is security: history and definition
• Threats, vulnerabilities, controls, risk
• Goals of computer security
• Security attack
• Security policies and mechanisms
• Prevention, detection, and deterrence
• Software security assurance
Why Computer Security
• The past decade has seen an explosion in the
concern for the security of information
– Malicious codes (viruses, worms, etc.) caused over $28
billion in economic losses in 2003, and will grow to
over $75 billion by 2007
• The market for security specialists is expanding!
– “ Full-time information security professionals will rise
almost 14% per year around the world, going past 2.1
million in 2008” (IDC report)
Why Computer Security (cont’d)
• Internet attacks are increasing in frequency,
severity and sophistication
• Denial of service (DoS) attacks
– Cost $1.2 billion in 2000
– 1999 CSI/FBI survey: 32% of respondents detected
DoS attacks directed at their systems
– Thousands of attacks per week in 2001
– Yahoo, Amazon, eBay, Microsoft, White House, etc.,
attacked
Why Computer Security (cont’d)
• Viruses and worms are faster and more powerful
– Melissa, Nimda, Code Red, Code Red II, Slammer …
– Caused over $28 billion in economic losses in 2003,
growing to over $75 billion in economic losses by 2007.
– Code Red (2001): infected >360K machines in 13 hours -
$2.4 billion loss
– Slammer (2003): infected >75K machines in 10 minutes -
$1 billion loss
The History of Computing
• For a long time, security was largely ignored in the
community
– The computer industry was in “survival mode”, struggling
to overcome technological and economic hurdles
– As a result, a lot of corners were cut and many
compromises made
– There was lots of theory, and even examples of systems
built with very good security, but they were largely ignored
or unsuccessful
• E.g., ADA language vs. C (powerful and easy to use)
Computing Today is Very Different
• Computers today are far from “survival mode”
– Performance is abundant and the cost is very cheap
– As a result, computers are now ubiquitous in every facet
of society
• Internet
– Computers are all connected and interdependent
– This codependency magnifies the effects of any
failures
Biological Analogy
• Computing today is very homogeneous.
– A single architecture and a handful of OSes dominate
• In biology, homogeneous populations are in danger
– A single disease or virus can wipe them out overnight
because they all share the same weakness
– The disease only needs a vector to travel among hosts
• Computers are like the animals; the Internet
provides the vector.
– It is like having only one kind of cow in the world, and
having them drink from one single pool of water!
Computer Security History
• Until the 1960s, computer security was limited to physical
protection of computers
• In the 60s and 70s
– Evolutions
• Computers became interactive
• Multiuser/Multiprogramming was invented
• More and more data started to be stored in computer
databases
– Organizations and individuals started to worry about
• What the other persons using computers are doing to
their data
• What is happening to their private data stored in large
databases
Computer Security History
• In the 80s and 90s
– Evolutions
• Personal computers were popularized
• LANs and Internet invaded the world
• Applications such as E-commerce, E-government and
E-health started to develop
• Viruses became major threats
– Organizations and individuals started to worry about
• Who has access to their computers and data
• Whether they can trust a mail, a website, etc.
• Whether their privacy is protected in the connected world
Computer Security History
• Famous security problems
– Morris worm – Internet Worm
• On November 2, 1988, a worm attacked more than 60,000 computers
around the USA
• The worm attacks computers, and once it has installed itself, it
multiplies itself, freezing the computer
• It exploited UNIX security holes in Sendmail and Finger
• A nationwide effort solved the problem within 12 hours
– Robert Morris became the first person to be indicted under the
Computer Fraud and Abuse Act.
• He was sentenced to three years of probation, 400 hours of
community service and a fine of $10,050
– Until recently, he has been an associate professor at the
Massachusetts Institute of Technology (MIT)
Computer Security History
• Famous security problems …
– NASA shutdown
• In 1990, an Australian computer science student
was charged for shutting down NASA’s computer
system for 24 hours
– Airline computers
• In 1998, a major travel agency discovered that
someone had penetrated its ticketing system and
printed airline tickets illegally
– Bank theft
• In 1984, a bank manager was able to steal $25
million through un-audited computer transactions
Computer Security History
• Famous security problems …
• In Ethiopia
– Employees of a company managed to change their salaries by
fraudulently modifying the company’s database
– In the 1990s: Internet password theft
• Hundreds of dial-up passwords were stolen and sold to other
users
• Many of the owners lost tens of thousands of Birr each
– A major company suspended the use of a remote login software
by technicians who were looking at the computer of the General
Manager
• In Africa: Cote d’Ivoire
• An employee who had been fired by his company deleted all
the data in his company’s computer
The Definition of Computer Security
• Security is a state of well-being of information and
infrastructures in which the possibility of successful yet
undetected theft, tampering, and disruption of
information and services is kept low or tolerable
• Security rests on confidentiality, authenticity, integrity,
and availability
• Computer security: The protection of computer assets from
unauthorized access, use, alteration, degradation,
destruction, and other threats.
Basic concepts of computer security
Computer security is the protection of the items you
value, called the assets of a computer or computer
system.
There are many types of assets, involving
hardware, software, data, people, processes, or
combinations of these.
To determine what to protect, we must first identify
what has value and to whom.
Threats, vulnerabilities, controls, risk
The goal of computer security is protecting valuable
assets.
To study different ways of protection, we use a
framework that describes how assets may be harmed
and how to counter or mitigate that harm.
A vulnerability is a weakness in
the system, for example, in procedures,
design, or implementation, that might be exploited to
cause loss or harm.
Threats, vulnerabilities, controls, risk
A threat to a computing system is a set of
circumstances that has the potential to cause
loss or harm.
To understand the difference between a
threat and a vulnerability, see the following
illustrations.
A wall is holding water back. The water to the
left of the wall is a threat to the man on the
right of the wall:
The water could rise, overflowing onto the
man, or it could stay beneath the height of
the wall, causing the wall to collapse.
So the threat of harm is the potential for the
man to get wet, get hurt, or be drowned.
For now, the wall is intact, so the threat to
the man is unrealized.
Threats, vulnerabilities, controls, risk
There are many threats to a computer
system, including human-initiated and
computer-initiated ones.
We have all experienced the results of inadvertent
human errors, hardware design flaws, and software
failures. But natural disasters are threats, too;
They can bring a system down when the computer
room is flooded or the data center collapses from an
earthquake.
Threats, vulnerabilities, controls, risk
How do we address these problems?
• We use a control or countermeasure as protection.
A control is an action, device, procedure, or technique
that removes or reduces a vulnerability
Threats, vulnerabilities, controls, risk
We can group controls into three largely independent classes.
1. Physical controls stop or block an attack by using something
tangible, such as walls and fences
– locks
– (human) guards
– sprinklers and other fire extinguishers
2. Procedural or administrative controls use a command or
agreement that requires or advises people how to act; for example,
– laws, regulations
– policies, procedures, guidelines
– copyrights, patents
– contracts, agreements
3. Technical controls counter threats with technology
(hardware or software), including
– passwords
– program or operating system access controls
– network protocols
– firewalls, intrusion detection systems
– encryption
– network traffic flow regulators
Threats, vulnerabilities, controls, risk
The value of many assets can change over time, so the
degree of harm (and therefore the severity of a threat)
can change, too.
With unlimited time, money, and capability, we might
try to protect against all kinds of harm. But because our
resources are limited, we must prioritize our protection,
safeguarding only against serious threats and the ones we
can control.
Threats, vulnerabilities, controls, risk
• Choosing the threats we try to mitigate
involves a process called risk
management, and it includes weighing the
seriousness of a threat against our ability to
protect.
Goals of computer security
Computer security has three main goals, often referred to
as the CIA triad:
1. Confidentiality: Protecting information from unauthorized
access.
• The ability of a system to ensure that an asset is viewed
only by authorized parties.
• This means ensuring that only authorized users can see
sensitive data, such as financial records or personal
information.
• Imagine a locked treasure chest - confidentiality is like the
lock and key, keeping the valuables safe from prying eyes.
Goals of computer security
3. Availability: Ensuring that systems and data are accessible
to authorized users when needed.
This means preventing outages or disruptions that could
prevent people from doing their jobs or accessing critical
information.
The ability of a system to ensure that an asset can be
used by any authorized parties.
The Basic Components
• Confidentiality is the concealment of information or
resources.
– E.g., only sender, intended receiver should “understand” message
contents
• Authenticity is the identification and assurance of the
origin of information.
• Integrity refers to the trustworthiness of data or
resources in terms of preventing improper and
unauthorized changes.
• Availability refers to the ability to use the information
or resource desired.
Security Threats and Attacks
• A threat is a potential violation of security.
– Flaws in design, implementation, and operation.
• An attack is any action that violates security.
– Active adversary
• An attack has an implicit concept of “intent”
– Router mis-configuration or server crash can also
cause loss of availability, but they are not attacks
Friends and enemies: Alice, Bob, Trudy
• Well known in the network security world
• Bob and Alice (lovers!) want to communicate “securely”
• Trudy (intruder) may intercept, delete, add messages
[Figure: Alice's secure sender and Bob's secure receiver exchange data and control messages over a channel, with Trudy on the channel]
Computer Security and Privacy/Attacks
Categories of Attacks
• Interruption: An attack on availability
• Interception: An attack on confidentiality
• Modification: An attack on integrity
• Fabrication: An attack on authenticity
Security Attack
• A security attack is any attempt to compromise the
integrity, confidentiality, or availability of a system,
network, or data.
• There are two types of attack: passive attacks and
active attacks.
• A passive attack attempts to learn or make use of
information from the system but does not affect system
resources.
• An active attack attempts to alter system resources or
affect their operation.
Security Attack
• Passive attacks are in the nature of eavesdropping on,
or monitoring of, transmissions.
• The goal of the opponent is to obtain information that is
being transmitted.
• Two types of passive attacks are the release of message
contents and traffic analysis.
Classify Security Attacks as
• Passive attacks - eavesdropping on, or
monitoring of, transmissions to:
– obtain message contents, or
– monitor traffic flows
• Active attacks – modification of data stream to:
– masquerade of one entity as some other
– replay previous messages
– modify messages in transit
– denial of service
Passive attacks
The release of message contents is easily understood.
A telephone conversation, an electronic mail message, and
a transferred file may contain sensitive or confidential
information.
We would like to prevent an opponent from learning the
contents of these transmissions.
Passive attacks Cont’d…
A second type of passive attack, traffic analysis, is
subtler.
Even if we had encryption protection in place, an
opponent might still be able to observe the pattern of
these messages.
The opponent could determine the location and
identity of communicating hosts and could observe the
frequency and length of messages being exchanged.
This information might be useful in guessing the
nature of the communication that was taking place.
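The length leak described above, and padding as one preventive control, shown as an added example that is not part of the original lecture. The cipher is a toy stand-in for a real length-preserving cipher, and the bucket size, function names and sample messages are constructed assumptions.

```python
import hashlib
import os
from collections import Counter

BUCKET = 64  # assumed padding granularity in bytes


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode), not for real use.
    It preserves length, which is the property this example is about."""
    stream = bytearray()
    for block in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def pad(msg: bytes, bucket: int = BUCKET) -> bytes:
    """ISO/IEC 7816-4 style padding: 0x80, then zeros up to the next boundary."""
    padded_len = (len(msg) // bucket + 1) * bucket
    return msg + b"\x80" + b"\x00" * (padded_len - len(msg) - 1)


def unpad(padded: bytes) -> bytes:
    body = padded.rstrip(b"\x00")
    if not body.endswith(b"\x80"):
        raise ValueError("bad padding")
    return body[:-1]


def send(key: bytes, msg: bytes, padded: bool) -> bytes:
    nonce = os.urandom(12)
    body = pad(msg) if padded else msg
    return nonce + keystream_xor(key, nonce, body)


def receive(key: bytes, wire: bytes, padded: bool) -> bytes:
    nonce, ciphertext = wire[:12], wire[12:]
    body = keystream_xor(key, nonce, ciphertext)
    return unpad(body) if padded else body


def observer_view(wire_messages) -> Counter:
    """What is visible on the wire without the key: message lengths and counts."""
    return Counter(len(w) for w in wire_messages)


# Constructed sample traffic: two sessions with different content.
SESSION_A = [b"balance?", b"ok"]
SESSION_B = [b"transfer 25,000 Birr to account 0000-EXAMPLE", b"confirmed"]


def views(padded: bool):
    """Return the observer's view of each session. Padding hides length only;
    the number and timing of messages stay visible."""
    key = os.urandom(32)
    a = observer_view(send(key, m, padded) for m in SESSION_A)
    b = observer_view(send(key, m, padded) for m in SESSION_B)
    return a, b
```

Without padding the two sessions produce different length profiles even though the contents are unreadable; with padding to a common bucket size the profiles are identical.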
Passive attacks Cont’d…
• Passive attacks are very difficult to detect,
because they do not involve any alteration of the
data.
• The emphasis in dealing with passive attacks is
on prevention rather than detection.
Active attacks
Active attacks refer to malicious activities aimed at
altering system resources or affecting the operation of a
system.
Active attacks involve some modification of the data
stream or the creation of a false stream and can be
subdivided into four categories: masquerade, replay,
modification of messages, and denial of service.
A masquerade takes place when one entity pretends to be
a different entity.
Active attacks Cont’d…
Replay involves the passive capture of a data unit and
its subsequent retransmission to produce an
unauthorized effect.
Active attacks Cont’d…
Modification of messages simply means that some portion
of a legitimate message is altered, or that messages are
delayed or reordered, to produce an unauthorized effect.
Active attacks Cont’d…
The denial of service prevents or inhibits the normal use
or management of communications facilities.
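How a receiver can detect three of the four active-attack categories above (masquerade, replay, modification of messages), shown as an added example that is not part of the original lecture. The frame layout, the `seal` and `Receiver` names, the key and the messages are constructed assumptions; message authentication does not address denial of service.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size


def seal(key: bytes, sender: str, seq: int, payload: bytes) -> bytes:
    """Frame = sender-length | sender | 64-bit sequence | payload | HMAC tag."""
    sid = sender.encode()
    header = struct.pack("!B", len(sid)) + sid + struct.pack("!Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    def __init__(self, keys: dict):
        self.keys = keys      # sender name -> shared secret key
        self.last_seq = {}    # sender name -> highest sequence number accepted

    def accept(self, frame: bytes):
        """Return (verdict, payload or None)."""
        if len(frame) < 1 + 8 + TAG_LEN or len(frame) < 1 + frame[0] + 8 + TAG_LEN:
            return "rejected: malformed", None
        n = frame[0]
        sender = frame[1:1 + n].decode(errors="replace")
        (seq,) = struct.unpack("!Q", frame[1 + n:9 + n])
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        key = self.keys.get(sender)
        expected = hmac.new(key or b"\x00", body, hashlib.sha256).digest()
        # The tag covers sender, sequence and payload, so a changed byte or a
        # frame sealed without the sender's key fails here.
        if key is None or not hmac.compare_digest(tag, expected):
            return "rejected: bad tag (modification or masquerade)", None
        # A valid frame captured earlier carries an old sequence number.
        if seq <= self.last_seq.get(sender, -1):
            return "rejected: replay", None
        self.last_seq[sender] = seq
        return "accepted", body[9 + n:]


def demo() -> dict:
    """Run constructed frames through the receiver and collect the verdicts."""
    alice_key = b"constructed-demo-key-alice-0001"
    rx = Receiver({"alice": alice_key})
    results = {}
    genuine = seal(alice_key, "alice", 1, b"pay Bob 100")
    results["genuine"] = rx.accept(genuine)[0]
    results["replay"] = rx.accept(genuine)[0]          # same frame seen twice
    fresh = seal(alice_key, "alice", 2, b"pay Bob 100")
    altered = fresh.replace(b"pay Bob 100", b"pay Bob 900")
    results["modification"] = rx.accept(altered)[0]    # payload changed in transit
    wrong_key = seal(b"some-other-key", "alice", 3, b"pay Trudy 100")
    results["masquerade"] = rx.accept(wrong_key)[0]    # claims to be alice
    results["fresh"] = rx.accept(fresh)[0]             # unaltered frame still passes
    return results
```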
Security policies and mechanisms
Security policies and mechanisms work together
to protect systems and data from unauthorized
access, modification, or destruction.
They play different but crucial roles:
Security policies
Define the "what": These are sets of rules and
guidelines that specify what is and isn't allowed
within a system or organization.
They outline acceptable behavior and usage, often
focusing on areas like password management, data
sharing, and internet use. Think of them as the
ground rules for digital security.
Provide direction and clarity: Policies inform users
and administrators about their responsibilities and
how they should handle sensitive information or
security threats.
Security policies
Set expectations and accountability: By clearly outlining
acceptable behavior, policies establish expectations for
everyone involved and create a basis for holding
individuals accountable for their actions.
Security Mechanisms
o Implement the "how": These are the tools and
technologies used to enforce the security policies.
o They put the rules into action by actively protecting
systems and data from various threats.
o Examples include firewalls, encryption, intrusion detection
systems, and access controls.
Security Mechanisms
o Prevent unauthorized access and attacks: Mechanisms
act as barriers or filters, blocking unauthorized users or
malicious activities from accessing sensitive data or
systems.
o They detect and thwart potential attacks before they
can cause damage.
Computer Security: Assignment I
• Be in a group which has two members.
• Read about these security attack related keywords. Study
about 10 of these keywords and write a 7 page (maximum)
summary of your findings including any recorded history
of significant damages created by these attacks.
• The same answer between groups is not acceptable
• The presentation time for each group will be 10 minutes.
• Submit your report by
Handwriting Bonus: While reading, if you find security
attack related keywords other than these, write them on the
other page of your report.
Keywords:
1. Blackout
2. Brownout
3. Brute Force Attack
4. Buffer Overflow
5. Cookie Injection
6. Cookie Poisoning
7. Cracking
8. DNS Poisoning
9. DoS Attack
10. DDoS Attack
11. Eavesdropping
12. HTTP Tunnel Exploit
13. ICMP Flood
14. Logic Bomb
15. Malware Attack
16. Packet Sniffing
17. Ping of Death
18. Surge
19. Spike
20. Server Spoofing
21. Session Hijacking
22. Smurf Attack
23. SNMP Community Strings
24. Spamming
25. Scam and Phishing
26. Spoofing Attack
27. SQL Injection
28. SYN Attack
29. Teardrop
30. Traffic Analysis
31. Trojan Horses
32. UDP Flood
33. Viruses
34. Worms
35. War Dialing
36. Wire Tapping
Security Policy and Mechanism
• Policy: a statement of what is, and is not allowed.
• Mechanism: a procedure, tool, or method of
enforcing a policy.
• Security mechanisms implement functions that
help prevent, detect, respond to, and recover
from security attacks.
• Security functions are typically made available to
users as a set of security services through APIs
or integrated interfaces.
• Cryptography underlies many security
mechanisms.
• Goals: Security mechanisms aim to:
– Prevent attacks: They try to block unauthorized
access and activity before it happens.
– Detect attacks: They identify suspicious activity
and potential threats.
– Respond to attacks: They contain and mitigate the
damage caused by attacks.
OSI Security Architecture
• ITU-T X.800 Security Architecture for OSI
• Defines a systematic way of defining and
providing security requirements
• For us it provides a useful, if abstract,
overview of concepts we will study
• X.800 defines security services in 5 major
categories
Security Services (X.800)
• Authentication - assurance that the
communicating entity is the one claimed
• Access Control - prevention of the unauthorized
use of a resource
• Data Confidentiality - protection of data from
unauthorized disclosure
• Data Integrity - assurance that data received is
as sent by an authorized entity
• Non-Repudiation - protection against denial by
one of the parties in a communication
How to Make a System Trustworthy
• Specification
– A statement of desired functions
• Design
– A translation of specifications to a set of components
• Implementation
– Realization of a system that satisfies the design
• Assurance
– The process to ensure that the above steps are carried
out correctly
– Inspections, proofs, testing, etc.
The Security Life Cycle
• The iterations of
– Threats
– Policy
– Specification
– Design
– Implementation
– Operation and maintenance
Software Security Assurance (SSA)
• Software security assurance (SSA) is a
systematic approach to ensure that software is
designed, developed, implemented, and maintained
with security in mind throughout its entire
lifecycle.
• It's like building a fortress around your software,
protecting it from invaders and keeping your
precious data safe.
Here are the key aspects of SSA:
Proactive
Comprehensive
Risk-based
Process-Driven
Proactive: SSA isn't just about fixing vulnerabilities
after they're discovered; it's about actively preventing
them from being introduced in the first place.
This means building security into the software from the
very beginning, right from the planning and design stages.
Comprehensive: SSA covers all aspects of the
software development lifecycle
(SDLC), from requirements gathering and coding to
testing and deployment.
It ensures that security is considered at every step of
the way.
Risk-based: SSA recognizes that not all vulnerabilities are created
equal.
It focuses on identifying and mitigating the most critical risks first,
based on the potential impact they could have on the software and its
users.
Process-driven: SSA follows a defined set of processes and procedures
to ensure consistency and repeatability.
This helps to ensure that security is not left to chance and that the
same level of protection is applied to all software.
Benefits of SSA:
• Reduced risk of security breaches: By proactively
addressing vulnerabilities, SSA can help to prevent costly
and damaging security breaches.
• Improved software quality: Security is an essential
part of quality software. SSA can help to improve the
overall quality and reliability of your software.
• Enhanced user trust: By demonstrating a commitment
to security, SSA can help to build trust with your users
and customers.