Computer Security Chapter I (1)

The document outlines a course on Computer Security (COSC4035) at Wolaita Sodo University, covering fundamental concepts, goals, threats, and vulnerabilities in computer security. It emphasizes the importance of protecting valuable assets, including hardware, software, and data, while detailing the roles of confidentiality, integrity, and availability in maintaining security. Additionally, it discusses various types of security threats and attacks, highlighting the significance of cybersecurity measures in today's digital landscape.

Uploaded by

dejenehundaol91
Wolaita Sodo University

School of Informatics
Department of Computer Science

Computer Security (COSC4035)


Compiled by Dawit Uta. (M. Tech.)
Computer Science Department, WSU
website address: www.davidtechnotips.com
Course outline
• Introduction to Computer Security
  • 1.1 Basic concepts of computer security
  • 1.2 Goals of computer security
  • 1.3 Threats, vulnerabilities, attack risks
  • 1.4 Security attack
  • 1.5 Security policies and mechanisms
  • 1.6 Prevention, detection, and deterrence
  • 1.7 Software security assurance
Chapter I: Introduction
• The word security means “the quality or state of being secure, to be free from danger.”
• In other words, it is protection against adversaries: those who would do harm, intentionally or unintentionally.
1.1 Basic concepts of computer security
Computer security is the protection of the items you value, called the
assets of a computer or computer system. There are many types of
assets, involving hardware, software, data, people, processes, or
combinations of these. To determine what to protect, we must first
identify what has value and to whom.
• The thing that makes your computer unique and important to you is its content: photos, songs, papers, email messages, projects, information, eBooks, contact information, code you created, and the like.
• Thus, data items on a computer are assets, too. Unlike most hardware and software, it is impossible to recreate or replace all data. These assets are all listed below.
• These three things (hardware, software, and data) contain or express things like the design for your next new product, the photos from your recent vacation, the chapters of your new book, or the genome sequence resulting from your recent research.
• All of these things represent intellectual endeavor or property, and they have value that differs from one person or organization to another.
• It is their value that makes the assets worthy of protection, and they are the elements we want to protect.
Definition…
“The most secure computers are those not connected to the Internet and shielded from any interference”
Recently there have been more expansions to Internet technology and Internet use. Such expansions include increased transmission speeds, a wider use of wireless Internet, and the growing phenomenon of online education.
Most of our business is conducted online and a great deal of personal information is stored in computers. This leads to some very important questions: How is information protected?
• Cybersecurity is the deliberate collaboration of technologies, processes, and practices to protect information and the networks, computer systems and appliances, and programs used to collect, process, store, and transport that information from attack, damage, and unauthorized access or harm.
• People throughout industry, academia, and government all use formal and informal science to create and expand cybersecurity knowledge.
• Cyber security standards are security standards which enable organizations to practice safe security techniques to minimize the number of successful cyber security attacks.
• We view cybersecurity as a holistic set of activities that are focused on protecting an organization’s vital information.
• Cybersecurity includes the technologies employed to protect information.
• It includes the processes used to create, manage, share, and store information.
• It includes the practices such as workforce training and testing to ensure information is properly protected and managed.
• Effective cybersecurity preserves the confidentiality, integrity, and availability of information, protecting it from attack by bad actors, damage of any kind, and unauthorized access by those who do not have a “need to know.”
• In today’s business environment, cybersecurity is not just a technical issue, it is a business imperative.
1.2 Goals of computer security
The goal of computer security is to maintain the three important security goals:
• Confidentiality: the ability of a system to ensure that an asset is viewed only by authorized parties.
• Integrity: the ability of a system to ensure that an asset is modified only by authorized parties.
• Availability: the ability of a system to assure that systems work promptly and service is not denied to authorized users.
1.2 Goals of computer security cont…
• Three basic security concepts important to information on the internet are confidentiality, integrity, and availability.
• Concepts relating to the people who use that information are authentication, authorization, and nonrepudiation.
• When information is read or copied by someone not authorized to do so, the result is known as loss of confidentiality.
• For some types of information, confidentiality is a very important attribute. Examples include research data, medical and insurance records, new product specifications, and corporate investment strategies.
• In some locations, there may be a legal obligation to protect the privacy of individuals.
• This is particularly true for banks and loan companies; debt collectors; businesses that extend credit to their customers or issue credit cards; hospitals, doctors’ offices, and medical testing laboratories; individuals or agencies that offer services such as psychological counseling or drug treatment; and agencies that collect taxes.
• Information can be corrupted when it is available on an insecure network. When information is modified in unexpected ways, the result is known as loss of integrity.
• This means that unauthorized changes are made to information, whether by human error or intentional tampering. Integrity is particularly important for critical safety and financial data used for activities such as electronic funds transfers, air traffic control, and financial accounting.
• Information can be erased or become inaccessible, resulting in loss of availability. This means that people who are authorized to get information cannot get what they need.
• Availability is often the most important attribute in service-oriented businesses that depend on information (for example, airline schedules and online inventory systems).
Real world examples
Example: Confidentiality
• Student grade information is an asset whose confidentiality is considered to be highly important by students. For example, students’ grades, financial transactions, medical records, and tax returns are sensitive. Other things, such as diplomatic and military secrets, companies’ marketing and product development plans, and educators’ tests, also must be carefully controlled.
• Grade information should only be available to students, their parents, and employees that require the information to do their job.
• Directory information (such as lists of students, faculty, or departmental lists) may be assigned a low confidentiality rating or indeed no rating.
Example: Integrity
• A hospital patient’s information is stored in a database. The doctor should be able to trust that the information is correct and current.
• Now suppose that an employee (e.g., a nurse) who is authorized to view and update this information deliberately falsifies the data to cause harm to the hospital. The database needs to be restored to a trusted basis quickly, and it should be possible to trace the error back to the person responsible.
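
One way to meet both requirements of the integrity example above (trace a change to the person responsible, and restore a trusted value), shown as an added example that is not part of the original course notes. The record names, user names and the "allergy" field are constructed, and the hash-chained log is one possible design, assumed here for illustration:

```python
"""Tamper-evident audit trail for record updates (hash-chained log)."""
import hashlib
import json

GENESIS = "0" * 64  # hash value that precedes the first log entry


def _entry_hash(prev_hash, body):
    """Bind an entry to everything logged before it."""
    payload = json.dumps(body, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class AuditedStore:
    def __init__(self):
        self.records = {}  # current values: (record_id, field) -> value
        self.log = []      # append-only audit entries

    def update(self, user, record_id, field, new_value):
        """Apply a change and record who made it, with old and new values."""
        key = (record_id, field)
        body = {
            "seq": len(self.log),
            "user": user,
            "record": record_id,
            "field": field,
            "old": self.records.get(key),
            "new": new_value,
        }
        prev = self.log[-1]["hash"] if self.log else GENESIS
        self.log.append({**body, "hash": _entry_hash(prev, body)})
        self.records[key] = new_value

    def verify_log(self):
        """Return the index of the first entry that breaks the chain, or -1."""
        prev = GENESIS
        for i, entry in enumerate(self.log):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["hash"] != _entry_hash(prev, body):
                return i
            prev = entry["hash"]
        return -1

    def changes_by(self, user):
        """Trace: every change attributed to one user."""
        return [e for e in self.log if e["user"] == user]

    def revert_user(self, user, reviewer):
        """Restore each field `user` touched to its value before their first
        change. Simplification: later edits by others to that field are lost."""
        first_old = {}
        for e in self.changes_by(user):
            first_old.setdefault((e["record"], e["field"]), e["old"])
        for (record_id, field), old in first_old.items():
            self.update(reviewer, record_id, field, old)  # the revert is logged too
        return len(first_old)


if __name__ == "__main__":
    store = AuditedStore()  # constructed sample data below
    store.update("dr_a", "patient-17", "allergy", "penicillin")
    store.update("nurse_b", "patient-17", "allergy", "none")  # falsified value
    print("chain intact:", store.verify_log() == -1)
    print("changes by nurse_b:", store.changes_by("nurse_b"))
    store.revert_user("nurse_b", reviewer="admin_c")
    print("restored:", store.records[("patient-17", "allergy")])
```

The chain only shows that entries were not edited after the fact; the latest hash has to be kept somewhere the database users cannot write, otherwise the whole log could be rebuilt.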
Example: Availability
• An example of an asset that typically would be rated as having a moderate availability requirement is a public Web site for a university; the Web site provides information for current and prospective students and donors.
• An online telephone directory lookup application would be classified as a low availability requirement.
• The CBE system should be available 24/7 because everyone wants to make their transactions.
1.3 Threats, vulnerabilities, controls, risk
• The goal of computer security is protecting valuable assets. To study different ways of protection, we use a framework that describes how assets may be harmed and how to counter or mitigate that harm.
• Vulnerability: a weakness in the system, for example, in procedures, design, or implementation, that might be exploited to cause loss or harm. For instance, a particular system may be vulnerable to unauthorized data manipulation because the system does not verify a user’s identity before allowing data access.
• It can be a design mistake that directly or indirectly leads to a compromise in the system’s availability, integrity, or confidentiality.
• A human who exploits a vulnerability commits an attack on the system.
• The vulnerabilities could be weaknesses in the technology, configuration, or security policy.
• Any discovered vulnerability must be addressed to mitigate any threat that could take advantage of the vulnerability.
• How do we address these problems?
• We use a control or countermeasure as protection.
• A control is an action, device, procedure, or technique that removes or reduces a vulnerability.
• In summary, vulnerability is a weakness that is inherent in every network and device. This includes routers, switches, desktops, servers, and even security devices themselves.
• Networks are typically plagued by one or all of three primary vulnerabilities or weaknesses:
  • Technology weaknesses
  • Configuration weaknesses
  • Security policy weaknesses
• A vulnerability assessment is the process of identifying, analyzing, and ranking vulnerabilities in the specific environment.
Vulnerability: Technology weaknesses
• Computer and network technologies have intrinsic security weaknesses. These include:
  • TCP/IP protocol weaknesses (HTTP, FTP, and ICMP are inherently insecure)
  • Operating system weaknesses (UNIX, Linux, Macintosh, Windows NT, 9x, 2K, XP, Win-10, 11)
  • Network equipment weaknesses: routers, firewalls, and switches have security weaknesses (password protection, lack of authentication, routing protocols, firewall holes)
Vulnerability: Configuration Weaknesses
• There are two points to take into consideration. Many systems are shipped with known and unknown security holes and bugs, for instance.
• This is also associated with misconfigurations. For instance, when you get a modem that has the username and password admin, this could be considered a vulnerability, since a hacker from the Internet or another threat could connect to the modem and use that user account or those credentials to access the modem and perform many malicious activities.
• A vulnerability assessment tool will be able to detect that this modem has the default credentials and will flag that as a misconfiguration vulnerability.
• The system admin can then take the necessary actions.
• In this case, change the username and the password, or change the password to something stronger, so that it will be more difficult to get access to the modem.
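
A minimal sketch of the check such an assessment tool performs, added here as an example (not part of the original course notes): it audits a constructed device inventory offline and flags credentials that are still factory defaults or that fail a strength policy. The inventory format, device names, the default pairs other than the admin/admin pair mentioned above, and the policy thresholds are all assumptions:

```python
"""Offline audit of a device inventory for credential misconfigurations."""
from dataclasses import dataclass

# Factory-default (username, password) pairs. ("admin", "admin") is the pair
# from the notes; the other entries are constructed placeholders.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("user", "user"),
}

MIN_LENGTH = 12  # assumed policy threshold, not taken from the notes


@dataclass
class Finding:
    device: str
    severity: str
    issue: str


def password_weaknesses(username, password):
    """Return the reasons a password fails the assumed strength policy."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        reasons.append("uses fewer than 3 character classes")
    if username and username.lower() in password.lower():
        reasons.append("contains the username")
    return reasons


def audit(inventory):
    """Flag default credentials as high severity, weak passwords as medium."""
    findings = []
    for dev in inventory:
        user, pw = dev["username"], dev["password"]
        if (user.lower(), pw.lower()) in DEFAULT_CREDENTIALS:
            findings.append(
                Finding(dev["name"], "high", "factory-default credentials in use"))
            continue  # strength checks add nothing once the pair is a default
        for reason in password_weaknesses(user, pw):
            findings.append(Finding(dev["name"], "medium", f"weak password: {reason}"))
    return findings


# Constructed sample inventory; a real audit would read exported device
# configurations rather than a hand-written list.
SAMPLE_INVENTORY = [
    {"name": "office-modem", "username": "admin", "password": "admin"},
    {"name": "lab-router", "username": "netops", "password": "netops2024"},
    {"name": "core-switch", "username": "netops", "password": "T7#vq!Lm2@xRz9"},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"[{f.severity}] {f.device}: {f.issue}")
```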
Vulnerability: Security Policy Weaknesses
• A security policy is a document that states in writing how a company plans to protect its physical and information technology (IT) assets.
• Security policies are living documents that are continuously updated and changing as technologies, vulnerabilities and security requirements change.
• Security policy weaknesses can create unforeseen security threats.
• The network can pose security risks if users do not follow the security policy.
In general, a threat can be:
A threat to a computing system is a set of circumstances that has the potential to cause loss or harm.
There are many factors of threats to a computer system, including human-initiated and computer-initiated ones.
Computer Security threats
Factors of security threats
• Physical factor (Ex. Buildings)
• Natural factor (Ex. Earthquake)
• Hardware and Software factor (Ex. Failures)
• Media factor (Ex. Disks can be stolen)
• Communication factor (Ex. Wires can be tapped)
• Human factor (Ex. Insiders)
Natural Disasters
• Fire and smoke
• Climate: Heat, Direct sun or Humidity
• Hurricane, storm, cyclone
• Earthquakes
• Water
• Electric supply
• Lightning
Solution
• Avoid having servers in areas often hit by Natural Disasters!
People
• Intruders
• Thieves
• People who have been given access unintentionally by the insiders
• Employees, contractors, etc. who have access to the facilities
• External thieves
  • Portable computing devices can be stolen outside the organization’s premises
• Loss of a computing device
  • Mainly laptop
Computer Security: The Human Factor
The human factor is an important component of computer security.
Some organizations view technical solutions as “their solutions” for computer security. However:
• Technology is fallible (imperfect)
  • Ex. UNIX holes that opened the door for Morris worm
• The technology may not be appropriate
  • Ex. It is difficult to define all the security requirements and find a solution that satisfies those requirements
• Technical solutions are usually (very) expensive
  • Ex. Antivirus purchased by ETC to protect its Internet services
Given all these, someone, a human, has to implement the solution.
Computer Security threat: The Human Factor
• Competence of the security staff
  • Ex. Crackers may know more than the security team
• Understanding and support of management
  • Ex. Management does not want to spend money on security
• Staff’s discipline to follow procedures
  • Ex. Staff members choose simple passwords
• Staff members may not be trustworthy
  • Ex. Bank theft
Computer Security Attacks
• An attack is a deliberate unauthorized action on a system or asset. Attacks can be classified as active and passive attacks.
• An active attack attempts to alter system resources or affect their operations.
• These attacks involve some modification of the data stream or the creation of false statements: the attacker intentionally alters or destroys data, or disrupts the normal operation of a system.
• Examples: denial of service (DoS), where an attacker floods a system with traffic in an attempt to make it unavailable to legitimate users, and malware, where an attacker installs malicious software on a system to steal or destroy data.
• A passive attack attempts to learn or make use of information from the system but does not affect system resources.
• The goal of the opponent is to obtain information that is being transmitted. Passive attacks involve an attacker passively monitoring or collecting data without altering or destroying it. Examples: eavesdropping, where an attacker listens in on network traffic to collect sensitive information, and sniffing, where an attacker captures and analyzes data packets to steal sensitive information.
Attack (or exploit): an action taken to harm an asset.
Categories of Attacks
• Interruption: An attack on availability
• Interception: An attack on confidentiality
• Modification: An attack on integrity
• Fabrication: An attack on authenticity
[Figure: Categories of attacks/threats, showing the normal flow of information from source to destination and the four attack types: interruption, interception, modification, fabrication.]
The differences between a threat and an attack are:
Threat | Attack
Can be intentional or unintentional | Is intentional
May or may not be malicious | Is malicious
Circumstance that has the ability to cause damage | Objective is to cause damage
Information may or may not be altered or damaged | Chance for information alteration and damage is very high
Can be blocked by control of vulnerabilities | Cannot be blocked by just controlling the vulnerabilities
Can be initiated by the system itself as well as by outsider | Is always initiated by an outsider (system or user)
Can be classified into Physical threat, internal threat, external threat, human threat, and non-physical threat. | Can be classified into Virus, Spyware, Phishing, Worms, Spam, Botnets, DoS attacks, Ransomware, Breaches.
Sources and Motives of Security Threats/Attack
• Design philosophy: the Internet and cyberspace in general were based on an open-architecture, work-in-progress philosophy.
• Weaknesses in network infrastructure and communication protocols, rapid growth of cyberspace and the hacker community.
• Vulnerability in operating system protocol: every OS comes with some security vulnerabilities. In fact, many security vulnerabilities are OS specific. Hackers look for OS-identifying information like file extensions for exploits.
• The invisible security threat (the insider effect): research data from many reputable agencies consistently show that the greatest threat to security in any enterprise is the guy down the hall.
• Based on the FBI’s foreign counterintelligence mission, security threats are broadly categorized into the following groups:
• Terrorism: electronic terrorism is used to attack military installations, banking, and many other targets of interest based on politics, religion, and probably hate.
• Cyber-terrorism is not only about obtaining information; it is also about instilling fear and doubt and compromising the integrity of the data.
• Military espionage is a method of intelligence gathering which includes information gathering from public sources. It is associated with state spying on potential or actual enemies for military purposes.
• Economic espionage: may include the secret gaining or outright theft of invaluable proprietary information in a number of areas including technology, finance and government policy.
• Revenge
• Hate (National Origin, Gender, and Race)
• Notoriety (ill fame)
• Greed
Sources and Motives of Security Threats/Attack cont….
• Targeting the National Information Infrastructure: activities may include the following:
  • Denial or disruption of computer, cable, satellite, or telecommunications (tele) services;
  • Unauthorized monitoring of computer, cable, satellite, or tele systems;
  • Unauthorized disclosure of proprietary or classified information stored within or communicated through computer, cable, satellite, or tele systems;
  • Unauthorized modification or destruction of computer programming codes, computer network databases, stored information or computer capabilities; or
  • Manipulation of computer, cable, satellite, or tele services resulting in fraud, financial loss, or other federal criminal violations.
• Ignorance: it happens when a novice in computer security stumbles (upsets) on an exploit or vulnerability and without knowing or understanding it uses it to attack other systems.
Security mechanism and policies
A security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide.
Sometimes, we can rely on agreed-on procedures or policies among users rather than enforcing security through hardware or software means. In fact, some of the simplest controls, such as frequent changes of passwords, can be achieved at essentially no cost.
Purposes of a Security Policy
• The main purpose of a security policy is to inform users, staff and managers of their obligatory requirements for protecting technology and information assets.
• The policy should specify the mechanisms through which these requirements can be met. Another purpose is to provide a baseline from which to acquire, configure and audit computer systems and networks for compliance with the policy.
• Therefore, an attempt to use a set of security tools in the absence of at least an implied security policy is meaningless.
• Security in general is about protection of assets. This implies that in order to protect our assets, we must know the assets and their values.
Rough classification of protection measures includes:
• Deterrence: creating an atmosphere intended to frighten intruders.
• Prevention: taking measures to prevent the damage.
• Detection: determining the when, how and who of the damage.
• Reaction: taking measures to recover from damage.

Example of protecting against a fraudster using our credit card in an Internet purchase:
• Prevention: Encrypt when placing an order, perform some check before placing an order, or don’t use a credit card number on the internet.
• Detection: A transaction that you had not authorized appears on your credit card statement.
• Reaction: Ask for a new card, recover the cost of the transaction from the insurance, the card issuer or the merchant.
Software Security Assurance
• Software security assurance (SSA) is an approach to designing, building, and implementing software that addresses security needs from the ground up.
• Transparency is critical with SSA because it provides a high level of trust that an application performs as intended without any unexpected functions that could lead to security compromises.
• The benefits of SSA extend from the companies that develop software to the end users of that software.
• When procuring a third-party application, SSA assures that you’re getting code built from the ground up with security in mind.
  • Security by design
  • Continuous reviews
  • Penetration testing
Computer Security and Privacy/ Countermeasures
Computer security controls
• Authentication (Password, Cards, Biometrics)
• Encryption
• Auditing
• Administrative procedures
• Standards
• Certifications
• Physical Security
• Laws
Computer Security: Physical Security
Physical security is the use of physical controls to protect premises, site, facility, building or other physical asset of an organization.
Physical security protects your physical computer facility (your building, your computer room, your computer, your disks and other media).
Security Threat Management and safety tips
• It is a technique used to monitor an organization’s critical security systems in real time and to review reports from the monitoring systems, such as the intrusion detection systems and other scanning sensors.
• To secure company resources, security managers have to do real-time management.
• Real-time management requires access to real-time data from all network sensors.
• Use antivirus software
• Install firewalls and a pop-up blocker; uninstall unnecessary software
• Maintain backups
• Check security settings and use a secure connection
• Open attachments carefully
• Use strong passwords; don’t give personal information unless required
Individual Assignment (10%)
• Read about these security attack related keywords. Study one of these keywords and write a two to four page (maximum) summary of your findings, including any recorded history of significant damages created by these attacks.
• Prepare your report and submit it through Google Classroom (use your names as the file name). We will use the last 15 minutes of each class to hear three of you on the topic; you will be given 5 minutes.
• Note: While preparing your report, don’t copy and paste from online sources or reference books; polish it with your own words. Plagiarism is not worthy.
1. Brute Force Attack
2. Buffer Overflow
3. Cyber warfare
4. Cookie Injection
5. Cookie Poisoning
6. DNS Poisoning
7. DoS and DDoS Attack
8. Eavesdropping
9. HTTP Tunnel Exploit
10. ICMP and UDP Flood
11. Logic Bomb
12. Malware Attack
13. Packet Sniffing
14. Ping of Death
15. Server Spoofing
16. Session Hijacking
17. Smurf Attack
18. Spamming
19. Scam and Phishing
20. Spoofing Attack
21. SQL Injection
22. SYN Attack
23. Teardrop
24. Traffic Analysis
25. Trojan Horses, Viruses, and Worms
26. War Dialing
27. Wire Tapping
28. Cross-site scripting (XSS) attack
29. Cyberwarfare
