Information Assurance

and Security
 Chapter 1

Fundamentals of Information Assurance

& Security

2
 Overview
Computers today are used not only in the
home and office, but in a countless of crucial
and sensitive applications.
we rely on computers in our day today lives !
Computers are easily disrupted
◦ Accidental spill your cup of coffee on your
computer.
◦ A power loss lasting a fraction of a second may
cause a head crash of the hard disk,

3
 Overview
Definitions
Security : “the quality or state of being free
from danger” Or “ measures taken to guard
against espionage, sabotage, crime, attack, or
escape.”
Computer Security: The prevention and
protection of computer from unauthorized
access, use, alteration, degradation, destruction,
and other threats.

4
 Overview

Attacks/threat: any activity that aims to gain

access to computers for malicious purposes.
Vulnerability/security hole: refer to a state
that can be exploited for such an attack.
Privacy: The right of the individual to be
protected against intrusion into his personal
life or affairs, or those of his family, by direct
physical means or by publication of
information.

5
Overview

Assets
◦ Things we might want to protect:
 Hardware
 Software
 Data

6
 History
Until 1960s computer security was limited to
physical protection of computers.
the late 1960s and 1970s
◦ Evolutions
 Computers became interactive
 Multiuser/Multiprogramming & Networking was invented
 More and more data started to be stored in computer databases
◦ Organizations and individuals started to worry about
 What the other persons using computers are doing to their data
 What is happening to their private data stored in large databases
◦ Remote access of data was possible opening up new
possibilities for abuse.

7
 History

 Computer security was almost non-existing before

1980s.(besides physical protection)
In the 1980s and 1990s
◦ Evolution
 Personal computers were popularized
 LANs and Internet invaded the world
 Applications such as E-commerce, E-government and
E-health started to develop
 Viruses become major threats
◦ Organizations/individuals started to worry about
 Who has access to their computers and data
 Whether they can trust a mail, a website, etc.
 Whether their privacy is protected in the connected world

8
 History

In 2000s
◦ Computers become smaller
◦ Computers become parts of our life
◦ Security became a global concern .
In the past, computer security violations, such
as viruses were caused by hackers(young adults
who did this for fun)
Today, attacks on computers are planned and
funded by organized criminals and may be
devastating.
9
 History: Famous security problems

• Morris worm – Internet Worm

• November 2, 1988 a worm attacked more than
60,000 computers around the USA
• Robert Morris became the first person to be
charged for the Computer Fraud and Abuse Act
of 1986
• He was sentenced to three years of probation,
400 hours of community service and a fine of
some $10,000
• He is currently an associate professor at the
Massachusetts Institute of Technology
10
History: Famous security problems…
• NASA shutdown
• In 1990, an Australian computer science student was
charged for shutting down NASA’s computer system for
24 hours
• Airline computers
• In 1998, a major travel agency discovered that someone
penetrated its ticketing system and has printed airline
tickets illegally
• Bank theft
• In 1984, a bank manager was able to steal $25 million
through un-audited computer transactions

11
History: Famous security problems…

In 2010,Wikileak
◦ began releasing classified cables that had been
sent to the U.S. State Department by 274 of its
consulates, embassies, and diplomatic
missions around the world. Dated between
December 1966 and February 2010,
◦ the cables contain diplomatic analysis from
world leaders, and the diplomats' assessment
of host countries and their officials.

12
 Activity

Why does the problem of computer

security exists?
Why are computers so vulnerable to
attacks and so easy to damage?

13
 Limitations
Lack of intelligence( can’t think )
Easy to break computer security than to build
fully secured computers.
◦ only one weakness is enough to launch an attack
Operatingsystems: different levels b/n hardware
and GUI(hidden malicious software).
◦ “Easy to use easy to misuse !”
Internet and its protocols: important Internet
protocols were developed in the 1970s and 1980s,
before Internet security became a global concern.

14
 Basic concepts

 key objectives that are at the heart of computer

security.(C-I-A)
Confidentiality: Data is confidential if it stays
obscure to all but those authorized to use it.
Integrity: Data has integrity as long as it remains
identical to its state when the last authorized user
finished with it.
Availability: Data is available when it is
accessible by authorized users in a convenient
format and within a reasonable time.
15
Basic concepts…
A computing system is said to be secure if
it has all three properties:
◦ Confidentiality
 Access to systems or data is limited to authorized
parties
◦ Integrity
 When you ask for data, you get the “right” data
◦ Availability
 The system or data is there when you want it

16
 Basic concepts…
Supplements to CIA:
Authentication
◦ How do I know it's really you?
Authorization
◦ Now that you are here, what are you allowed to do?
Accountability
◦ Who did what, and, perhaps, who pays the bill?

17
Basic concepts…
Privacy
◦ “informational self-determination”
◦ This means that you get to control information
about you
◦ “Control” means many things:
 Who gets to see it
 Who gets to use it
 What they can use it for
 Who they can give it to

18
 Basic concepts…
vulnerabilities, threats &
countermeasures
vulnerability is a point where a system is
susceptible to attack.
A threat is a possible danger to the system.
◦ It might be a person (cracker or a spy),
◦ a thing (a faulty piece of equipment),
◦ an event (a fire or a flood) that might exploit a
vulnerability of the system.
Countermeasures are techniques for protecting
your system.
19
 Vulnerabilities

Physical vulnerabilities
◦ break into your server room, device theft, steal backup
media and printouts,
◦ Locks, guards, Surveillance cams, Burglar alarms
Natural vulnerabilities
◦ vulnerable to natural disasters and to environmental
threats, power loss
◦ Natural disasters: fire, flood, earthquakes, lightning
◦ environmental threats: Dust, humidity, and uneven
temperature conditions
◦ air conditioning and heating systems……UPS,…..backups
20
Vulnerabilities…

Hardware and Software vulnerabilities

◦ protection features failure lead to open security
holes
◦ open some "locked" systems by introducing extra
hardware
◦ Software failures: antivirus ,firewall failures
Media vulnerabilities
◦ can be stolen, damaged by dust or electromagnetic
fields.
◦ keep backup tapes and removable disks clean and
dry
21
Vulnerabilities…

Communication vulnerabilities
◦ Wires can be tapped, physically damaged,
EMI
◦ Fiber optics
Human vulnerabilities
◦ the greatest vulnerability of all
◦ Employees, contractors
◦ Choose employees carefully

22
 Threats
Threats fall into three main categories based on
the source: natural, unintentional, and
intentional.
Natural: fires, floods, power failures, and other
disasters
◦ fire alarms, temperature gauges, and surge protectors
◦ backing up critical data off-site.
Unintentional threats: delete a file, change of
security passwords
◦ Training , security procedures and policies

23
Threats…
 Intentionalthreats: outsiders and insiders
 Outsiders may penetrate systems in a variety of
ways:
◦ simple break-ins of buildings and computer rooms;
◦ disguised entry as maintenance personnel;
◦ anonymous, electronic entry through modems and
network connections;
◦ and bribery or coercion of inside personnel.
 Although most security mechanisms protect best
against outside intruders, surveys indicates that
most attacks are by insiders.
24
 Threats…
Estimates are that as many as 80 percent of
system penetrations are by fully authorized users
who abuse their access privileges to perform
unauthorized functions.
◦ "The enemy is already in, we hired them.”
Insiders are sometimes referred as living Trojan
horses
There are a number of different types of insiders.
◦ fired or disgruntled employee might be trying to steal
revenge ; employee might have been blackmailed or
bribed by foreign or corporate enemy agents.
25
Threats…

◦ greedy employee might use her inside knowledge to

divert corporate or customer funds for personal benefit.
◦ insider might be an operator, a systems programmer, or
even a casual user who is willing to share a password.
 Don'tforget, one of the most dangerous insiders
may simply be lazy or untrained.
◦ He doesn't bother changing passwords,
◦ doesn't learn how to encrypt email messages and other
files,
◦ leaves sensitive printouts in piles on desks and floors,
and ignores the paper shredder when disposing of
documents.
26
 Security Attacks

Any action that compromises the security of

information owned by an organization.
Classification security attacks
◦ passive attacks and active attacks.
A passive attack attempts to learn or make use
of information from the system but does not
affect system resources.
 An active attack attempts to alter system
resources or affect their operation.
27
 Security attacks

Normal flow of information

Interruption Interception

Modification Fabrication

28
Countermeasures
Authentication
Password,cards,biometrics
Encryption
Auditing
Administrative procedures
Standards
Physical security
Laws
Backups

29
Control
◦ Removing or reducing a vulnerability
◦ You control a vulnerability to prevent an
attack and block a threat.

30
 Security services
AUTHENTICATION
◦ The assurance that the communicating entity is the
one that it claims to be
ACCESS CONTROL
◦ The prevention of unauthorized use of a resource
(i.e., this service controls who can have access to a
resource, under what conditions access can occur,
and what those accessing the resource are allowed
to do).
DATA CONFIDENTIALITY
◦ The protection of data from unauthorized
disclosure.
31
 Security services…
DATA INTEGRITY
◦ The assurance that data received are exactly as
sent by an authorized entity (i.e., contain no
modification, insertion, deletion, or replay).
NONREPUDIATION
◦ Provides protection against denial by one of
the entities involved in a communication of
having participated in all or part of the
communication.

32
 Goals of security
Prevention : means that an attack will fail.
◦ Eg. passwords ( prevent unauthorized users from accessing
the system).
Detection : is most useful when an attack cannot be
prevented, but it can also indicate the effectiveness of
preventative measures.
◦ Detection mechanisms accept that an attack will occur;
◦ determine that an attack is underway, or has occurred, and
report it.
◦ The attack may be monitored, however, to provide data
about its nature, severity, and results.

33
Goals…
Recovery : requires resumption of correct
operation.
◦ has two forms.
 The first is to stop an attack and to assess
and repair any damage caused by that attack.
◦ E.g if the attacker deletes a file, recovery restore
the file from backup tapes.
◦ the attacker may return, so recovery involves
identification and fixing of the vulnerabilities
used by the attacker to enter the system

34
 Goals
In a second form of recovery, the system
continues to function correctly while an attack
is underway.
◦ fault tolerance.
It differs from the first form of recovery,
because at no point does the system function
incorrectly. However, the system may disable
nonessential functionality.

35
Physical security

Next class!

36
Questions?