Course: Cyber Security

Programme: BTech CS
About the Course:
Lecture Hours/Week: 2
Practical Hours/Week: 2
Credits: 3
Course Objective:This course is an introduction to
the field of Cyber Security. This course presents a balance of
the managerial and technical aspects of the discipline. It will
prepare students with the technical knowledge and skills
needed to protect and defend computer systems and network
08/07/23 Slide #1-1
 Textbooks and Reference
• M. Bishop, S.S. Venkatramanayya, Introduction to
Computer Security, 1st edition, Pearson Education, 2014.
• M. Whitman, H. Mattford, Principles of Information
Security, 6th edition, Cengage Learning, 2017
• C. Pfleeger, S. Pfleeger, Security in Computing, 5th
edition, Pearson Education, 2015.

08/07/23 Slide #1-2

 Reference Books
• A. Kahate , Cryptography & Network Security, 3rd
edition, Tata McGrawHill , 2017
• W. Stallings, Cryptography and Network Security
Principles and Practice, 7th edition, Pearson
Education, 2017
• Mark Rhodes-Ousley, Information Security: The
Complete Reference, 2nd edition, McGraw Hill
Education, , 2013.

08/07/23 Slide #1-3

 Job Roles
• Network Security Engineer.
• Cyber Security Analyst.
• Application Security Engineer.
• Cybersecurity Engineer.
• Security Architect.
• Cyber Security Manager.
• Information Security Manager.
• Chief Information Security Officer (CISO)
Slide #1-4
Unit 1
Contents:
Introduction:
Basic components of computer security (CIA),
characteristics of
information, vulnerabilities, threats, attacks and
controls, classifications of hackers

08/07/23 Slide #1-5

 Computer Security
Definition by NIST
The protection afforded to an automated
information system in order to attain the
applicable objectives of preserving the integrity,
availability, and confidentiality of information
system resources(includes hardware, software, firmware,
information/data, and telecommunications).

08/07/23 Slide #1-6

 Computer Security

• In the context of computers, security generally

means three things:
– Confidentiality
• Access to systems or data is limited to authorized
parties
– Integrity
• When you ask for data, you get the “right” data
– Availability
• The system or data is there when you want it
• 08/07/23
A computing system is said to be secure if it has all three
Slide #1-7
properties
 Basic Components
• Confidentiality
– Concealment of information or resources
– Need arises from the use of computers in
sensitive fields such as government and industry
– Access Control mechanisms ----> Encryption
– Resource hiding important aspect of
confidentiality
• Eg. Organizations conceal their configuration

08/07/23 Slide #1-8

 Basic Components
• Integrity
– Refers to trustworthiness of data or resources/
Preventing improper or unauthorized change
– By integrity we mean an item is
• Precise
• Accurate
• Unmodified
• Modified only in Acceptable ways
• Modified only by authorized people/process
• Consistent/Meaningful and Usable

08/07/23 Slide #1-9

 Basic Components
• Integrity
– Includes Data Integrity(Content of the information) and
Origin Integrity (Source of the data)
– Mechanisms falls into two classes:
• Prevention Mechanism
– Seek to maintain the integrity of the data by
blocking any unauthorized attempts
– Adequate authentication and Access Controls
• Detection Mechanism
– Report that the data’s integrity is no longer
trustworthy

08/07/23 Slide #1-10

 Basic Components
• Availability
– Assures that systems work promptly and
service is not denied to authorized users.

08/07/23 Computer Security: Art and Science ©2002- Slide #1-11

2004 Matt Bishop
 Relationship between Confidentiality,
Integrity and Availability

08/07/23 Slide #1-12

 Some terminology
• Assets
– Things we might want to protect, such as:
• Hardware
• Software
• Data

• Vulnerabilities
– Weaknesses in a system that may be able to be
exploited in order to cause loss or harm e.g., a
08/07/23
file server that doesn't authenticate its usersSlide #1-13
 Some terminology
• Threats
– A loss or harm that might befall a system
– e.g., users' personal files may be revealed to the public
– There are four major categories of threats:
• Interception
• Interruption
• Modification
• Fabrication
– When we design a system, we need to state a threat model
• This is the set of threats we are undertaking to defend against
• Whom do we want to stop from doing what?
08/07/23 Slide #1-14
 Some terminology
• Attack
– An action which exploits a vulnerability
– e.g., telling the file server you are a different user in an
attempt to read or modify their files

• Control
– Removing or reducing a vulnerability
– You control a vulnerability to prevent an attack and block
a threat.
– How would you control the file server vulnerability?
– Our goal: control vulnerabilities
08/07/23 Slide #1-15
A) Hardware Level of Vulnerabilities /
Threats
• Add / remove a h/w device
Snoop = to look around a place secretly in order to discover things about it or
the people connected with it. [Cambridge Dictionary of American English]
– Ex: Modification, alteration of a system
– ...
• Physical attacks on h/w => need physical security: locks and guards
– Accidental (dropped PC box) or voluntary (bombing a computer
room)
– Theft / destruction
• Damage the machine (spilled coffe, mice, real bugs)
• Steal the machine
• „Machinicide:” Axe / hammer the machine
08/07/23 Slide #1-16
B) Software Level of Vulnerabilities /
Threats
• Software Deletion
– Easy to delete needed software by mistake
– To prevent this: use configuration management software
• Software Modification
– Trojan Horses, , Viruses, Logic Bombs, Trapdoors,
Information Leaks (via covert channels), ...
• Software Theft
– Unauthorized copying
• via P2P, etc.
08/07/23 Slide #1-17
 C) Data Level of Vulnerabilities / Threats

• How valuable is your data?

– Credit card info vs. your home phone number
– Source code
– Visible data vs. context
• „2345” -> Phone extension or a part of SSN?

• Adequate protection
– Cryptography

08/07/23 Computer Security: Art and Science Slide #1-18

©2002-2004 Matt Bishop
Vulnerabilities- Further Types
1. Software vulnerabilities-
– Software vulnerabilities are when applications
have errors or bugs in them. Attackers look at
buggy software as an opportunity to attack the
system making use of these flaws.
– Example: Buffer overflow, race conditions etc.

08/07/23 Slide #1-19

Different types of Vulnerabilities
2. Firewall Vulnerabilities-
– Firewalls are software and hardware systems
that protect intra-network from attacks.
– A firewall vulnerability is an error, weakness
or invalid assumption made during the firewall
design, implementation or configuration that
can be exploited to attack the trusted network
that the firewall is supposed to protect.

08/07/23 Slide #1-20

Different types of Vulnerabilities
3. TCP/IP Vulnerabilities-
– These vulnerabilities are of the various layers
of a network. These protocols may lack features
that are desirable on the insecure network.
– Example: ARP attacks, Fragmentation attacks
etc

08/07/23 Slide #1-21

Different types of Vulnerabilities
4. Wireless Network Vulnerabilities-
– Wireless LANs have similar protocol-based
attacks that plague wired LAN.
– Unsecured wireless access points can be a
danger to organizations as they offer the
attacker a route around the company’s network.
Example: SSID issues, WEP issues etc.

08/07/23 Slide #1-22

Different types of Vulnerabilities
5. Operating System Vulnerabilities-
– The security of applications running on
depends on the security of the operating
system. Slightest negligence by the system
administrator can make the operating systems
vulnerable.
– Example: Windows vulnerabilities, Linux
vulnerabilities.

08/07/23 Slide #1-23

Different types of Vulnerabilities
6. Web Server Vulnerabilities-
– These vulnerabilities are caused due to design
and engineering errors or faulty
implementation.
– Example: sniffing, spoofing etc.

08/07/23 Slide #1-24

 Defence of computer systems
• Remember we may want to protect any of our assets
– Hardware, software, data
• Many ways to do this; for example:
• Cryptography
– Protecting data by making it unreadable to an attacker
– Authenticating users with digital signatures
– Authenticating transactions with cryptographic protocols
– Ensuring the integrity of stored data
– Aid customers' privacy by having their personal information
automatically become unreadable after a certain length of time

08/07/23 Computer Security: Art and Science Slide #1-25

©2002-2004 Matt Bishop
 Defence of computer systems
• Software controls
– Passwords and other forms of access control
– Operating systems separate users' actions from
each other
– Virus scanners watch for some kinds of malware
– Development controls enforce quality measures on
the original source code
– Personal firewalls that run on your desktop

08/07/23 Computer Security: Art and Science Slide #1-26

©2002-2004 Matt Bishop
 Defence of computer systems
• Hardware controls
– (Not usually protection of the hardware itself, but
rather using separate hardware to protect the
system as a whole.)
– Fingerprint readers
– Smart tokens
– Firewalls
– Intrusion detection systems

08/07/23 Computer Security: Art and Science Slide #1-27

©2002-2004 Matt Bishop
 Defence of computer systems
• Physical controls
– Protection of the hardware itself, as well as
physical access to the console, storage media, etc.
– Locks
– Guards
– Off-site backups
– Don't put your data centre on a fault line in
California

08/07/23 Computer Security: Art and Science Slide #1-28

©2002-2004 Matt Bishop
 Defence of computer systems
• Policies and procedures
– Non-technical means can be used to protect against
some classes of attack
– If an employee connects his own Wi-fi access
point to the internal company network, that can
accidentally open the network to outside attack.
• So don't allow the employee to do that!
– Rules about changing passwords
– Training in best security practices

08/07/23 Computer Security: Art and Science Slide #1-29

©2002-2004 Matt Bishop
 Policies and Mechanisms
• Policy says what is, and is not, allowed
– This defines “security” for the site/system/etc.
• Mechanisms enforce policies
• Composition of policies
– If policies conflict, discrepancies may create
security vulnerabilities

08/07/23 Computer Security: Art and Science Slide #1-33

©2002-2004 Matt Bishop
 Security Attacks-Types
• Passive attacks and Active attacks.
– A passive attack attempts to learn or make use
of information from the system but does not
affect system resources.
– An active attack attempts to alter system
resources or affect their operation.

08/07/23 Computer Security: Art and Science ©2002- Slide #1-34

2004 Matt Bishop
 Security Attacks-Types
• Passive attacks
– Nature of eavesdropping on, or monitoring of,
transmissions.
– Goal of the opponent is to obtain information
transmitted
Two types of passive attacks
1. Release of Message Contents
2.Traffic Analysis
08/07/23 Computer Security: Art and Science ©2002- Slide #1-35
2004 Matt Bishop
 Security Attacks-Types
• Active Attacks
– Active attacks involve some modification of the
data stream or the creation of a false stream
– Subdivided into four categories: masquerade,
replay, modification of messages, and denial of
service.

08/07/23 Computer Security: Art and Science ©2002- Slide #1-36

2004 Matt Bishop
 Security Attacks-Types
• Active Attacks
1. Masquerade
• When one entity pretends to be another
• Authentication sequences can be captured and
replayed after a valid authentication sequence has
taken place
2. Replay
• Involves the passive capture of a data unit and its
subsequent retransmission to produce an
08/07/23
unauthorized effect
Computer Security: Art and Science ©2002- Slide #1-37
2004 Matt Bishop
 Security Attacks-Types
• Active Attacks
3. Modification of Messages
• some portion of a legitimate message is altered, or that
messages are delayed or reordered, to produce an
unauthorized effect
4. Denial of Service
• prevents or inhibits the normal use or management of
communications facilities
• Example- Suppress all message to a specific target,
disruption of an entire network
08/07/23 Computer Security: Art and Science ©2002- Slide #1-38
2004 Matt Bishop
 Security Attacks- Differences
• Passive attacks are difficult to detect, measures are available
to prevent their success.
• On the other hand, it is quite difficult to prevent active
attacks absolutely, because of the wide variety of potential
physical, software, and network vulnerabilities.

The goal is to detect active attacks and to recover

from any disruption or delays caused by them.

08/07/23 Computer Security: Art and Science ©2002- Slide #1-39

2004 Matt Bishop
 Goals of Security
• Prevention
– Prevent attackers from violating security policy
• Detection
– Detect attackers’ violation of security policy
• Recovery
– Stop attack, assess and repair damage
– Continue to function correctly even if attack
succeeds

08/07/23 Computer Security: Art and Science ©2002- Slide #1-40

2004 Matt Bishop
 Computer Criminals
• Amateurs
– Committed most of the computer crimes reported
to date
– Not career criminals rather are normal people
who observe a weakness in a security system that
allows them to access cash or other valuables
– Disgruntled employees over some negative work
situation

08/07/23 Computer Security: Art and Science ©2002- Slide #1-41

2004 Matt Bishop
 Computer Criminals
• Crackers
– System Crackers often high school or university
students attempting to access computing
facilities with no authorization.
– Example trying to break login
– Few isolated attempts compound for a large
effect
– Others attack for curiosity, personal gain or
self-satisfaction
08/07/23 Computer Security: Art and Science ©2002- Slide #1-42
2004 Matt Bishop
 Computer Criminals
• Career Criminals
– Understands the targets of computer crime.
– Computer professionals who engage in
computer crime, finding the prospects and
payoff good.
– Organized crimes and International groups

08/07/23 Computer Security: Art and Science ©2002- Slide #1-43

2004 Matt Bishop
 Key Points
• Policy defines security, and mechanisms
enforce security
– Confidentiality
– Integrity
– Availability
• Trust and knowing assumptions
• Importance of assurance
• The human factor
08/07/23 Computer Security: Art and Science ©2002- Slide #1-44
2004 Matt Bishop
Design Principles
– Various Security attacks,
– Method of Defence
– Design Principles
– Security policies
– Types of security

Slide #1-45
 Defence of computer systems
• Remember we may want to protect any of our assets
– Hardware, software, data
• Many ways to do this; for example:
• Cryptography
– Protecting data by making it unreadable to an attacker
– Authenticating users with digital signatures
– Authenticating transactions with cryptographic protocols
– Ensuring the integrity of stored data
– Aid customers' privacy by having their personal
information automatically become unreadable after a
certain length of time
 Defence of computer systems
• Software controls
– Passwords and other forms of access control
– Operating systems separate users' actions from
each other
– Virus scanners watch for some kinds of malware
– Development controls enforce quality measures on
the original source code
– Personal firewalls that run on your desktop
 Defence of computer systems
• Hardware controls
– (Not usually protection of the hardware itself, but
rather using separate hardware to protect the
system as a whole.)
– Fingerprint readers
– Smart tokens
– Firewalls
– Intrusion detection systems
 Defence of computer systems
• Physical controls
– Protection of the hardware itself, as well as
physical access to the console, storage media, etc.
– Locks
– Guards
– Off-site backups
– Don't put your data centre on a fault line in
California
 Defence of computer systems
• Policies and procedures
– Non-technical means can be used to protect against
some classes of attack
– If an employee connects his own Wi-fi access
point to the internal company network, that can
accidentally open the network to outside attack.
• So don't allow the employee to do that!
– Rules about changing passwords
– Training in best security practices
 Defence of computer systems
• Hardware controls
– (Not usually protection of the hardware itself, but
rather using separate hardware to protect the
system as a whole.)
– Fingerprint readers
– Smart tokens
– Firewalls
– Intrusion detection systems
 Defence of computer systems
• Physical controls
– Protection of the hardware itself, as well as
physical access to the console, storage media, etc.
– Locks
– Guards
– Off-site backups
– Don't put your data centre on a fault line in
California
 Defence of computer systems
• Policies and procedures
– Non-technical means can be used to protect against
some classes of attack
– If an employee connects his own Wi-fi access
point to the internal company network, that can
accidentally open the network to outside attack.
• So don't allow the employee to do that!
– Rules about changing passwords
– Training in best security practices
 Design Principles
• Design Principles underlie the design and implementation of
mechanisms for supporting security policies
• Applications of simplicity and restrictions in computing.
1. Principles of Least Privilege
– Restricts how privileges are granted
– Definition: The principle of least privilege states that a
subject should be given only those privileges that it needs
in order to complete its task
– Function of the subject (as opposed to its identity) should
control the assignment of rights
Slide #1-54
 Design Principles
Principles of Least Privilege( Continued….)
•If a specific action requires that a subjects‘ access
rights be augmented, those extra rights should be
relinquished immediately on completion of action

Slide #1-55
 Design Principles
2. Principle of Fail-Safe Defaults
– This principle restricts how privileges are
initialized when a subject or object is created.
– Definition: The principle of fail-safe default
states that unless a subject is given explicit
access to an object , it should be denied access
to that object

Computer Security: Art and Science Slide #1-56

©2002-2004 Matt Bishop
 Design Principles
2. Principle of Fail-Safe Defaults
– The principle requires that the default access to an
object is none.
– When access not explicitly granted , it should be
denied.
– If the subject is unable to complete its action or
task, it should undo those changes it made in the
security state of the system before it terminates.

Computer Security: Art and Science Slide #1-57

©2002-2004 Matt Bishop
 Design Principles
3. Principle of Economy of Mechanism
– The principle simplifies the design and implementation of
security mechanisms.
– Definition: The principle of economy of mechanism states
that the security mechanism should be as simple as
possible.
– If a design and implementation are simple, fewer
possibilities exist for errors.
• Checking and testing process is less complex, fewer test cases
– Complex systems require difficult assumptions for which
chances of failure are more
Computer Security: Art and Science Slide #1-58
©2002-2004 Matt Bishop
 Design Principles
4. Principle of Complete Mediation
– The principle restricts the caching of information, often leads
to simpler implementations of mechanisms
– Definition: The principle of complete mediation requires
that all accesses to objects be checked to ensure that they
are allowed
– Whenever a subject attempts to read an object, the OS
mediates the action..
– First it determines if the subject is allowed to read the object
->If so provides resources for the read
– If second time it tries to read the object again, system
Reference: Chapter 7 Introduction to Slide #1-59
Computer Security Matt Bishop
 Design Principles
5. Principle of Open Design
• This principle suggests that complexity does not add
security.
• Definition: The principle of open design states that the
security of a mechanism should not depend on the
secrecy of its design or implementation.
• Others can ferret out such details either through technical
means such as disassembly and analysis
• Dumpster-diving – Searching through garbage
receptacles for source code listings
Reference: Chapter 7 Introduction to Slide #1-60
Computer Security Matt Bishop
 Design Principles
6. Principle of Separation of Privilege
• This principle is restrictive because it limits access to
system entities
• Definition: The principle of separation of privilege states
that a system should not grant permission based on a
single condition.
• Example:
– Company checks for more than $75000 must be signed by two
officers of the company.
– Berkley based versions of the UNIX operating system, users are not
allowed to change from their accounts to root users unless two
conditions are met. root password and user is in wheel group
Slide #1-61
Reference: Chapter 12 Introduction to
Computer Security Matt Bishop
 Design Principles
7. Principle of Least Common Mechanism
• This principle is restrictive because it limits sharing
• Definition: The principle of least common mechanism
states that mechanisms used to access resources should
not be shared.
• Sharing resources provide a channel along which
information can be transmitted and so much sharing
should be minimized.

Slide #1-62
Reference: Chapter 7 Introduction to
Computer Security Matt Bishop
 Design Principles
8. Principle of Psychological Acceptability
• This principle recognizes the human element in computer security
• Definition: The principle of psychological acceptability states
that security mechanism should not make the resources more
difficult to access than if the security mechanisms were not
present.
− Interpreted to mean that the security mechanism may add some
extra burden, but that burden must be both minimal and
reasonable.
− Example: User supplying wrong password should get error
message as “login failed”
–
Slide #1-63
 Discussion

• A common technique for inhibiting password

guessing is to disable an account after three
consecutive failed login attempts. Which design
principle is implemented?

Computer Security: Art and Science Slide #1-64

©2002-2004 Matt Bishop
 Discussion
• A company publishes the design of its security
software product in a manual that accompanies the
executable software. In what ways does this
satisfy the principle of open design?

Computer Security: Art and Science Slide #1-65

©2002-2004 Matt Bishop
 Security Policies
Security Policies: Definitions
Consider a computer system to be finite- state automaton with a
set of transition functions that change state.
Definition 1 : A security policy is a statement that partitions the
states of the system into a set of authorized or secure states and
a set of unauthorized , or non secure, states.

Definition 2 : A secure system is a system that starts in an

authorized state and cannot enter an unauthorized state.

Reference: Introduction to Computer Security Matt Slide #1-66

Bishop Chapter 2
 Security Policies
Security Policies: Definitions
Definition 3 : A breach of security occurs when a system enters
an unauthorized state

Definition 4 : Let X be a set of entities and let I be some

information. Then I has the property of confidentiality with
respect to X if no member of X can obtain information about I

Reference: Introduction to Computer Security Matt Slide #1-67

Bishop Chapter 2
 Security Policies
Security Policies: Definitions
Definition 5 : Let X be a set of entities and let I be some information or
a resource. Then I has the property of integrity with respect to X if all
members of X trust I.

Definition 6 : Let X be a set of entities and let I be a resource. Then I

has the property of availability with respect to X if all members of X
can access I

Definition 7: A security mechanism is an entity or procedure that

enforces some part of the security policy

Slide #1-68
Reference: Introduction to Computer Security Matt
Bishop Chapter 2
 Security Policies
Security Policies: Definitions

Definition 8: A security model is a model that represents a

particular policy or set of policies.

Reference: Introduction to Computer Security Matt Slide #1-69

Bishop Chapter 2
 Types of Security Policies
1. A military security policy ( Government Security Policy)
– Security Policy primarily to provide confidentiality
2. Commercial security policy
– Security policy developed primarily to provide integrity
3. Confidentiality Policy
– Security Policy dealing only with confidentiality
4. Integrity Policy
– Security Policy dealing only with integrity
Additional
• Academic Computer Security Policy
– General University Policy
– Electronic Mail Policy

Reference: Introduction toSlide

Computer Security Matt
#1-70
Bishop Chapter 2
 Confidentiality Policies
Goals of Confidentiality Policies
Prevents the unauthorized disclosure of information
1.The Bell-LaPadula Model
•Corresponds to military style classification
•Simplest type of confidentiality classification is a set of security
clearance
•The higher the security clearance, the more sensitive the
information
•Subject has security clearance.
•Object has security classification
Slide #1-71
The Bell-LaPadula Model
Top secret

Secret

Confidential

Unclassified

Slide #1-72
 The Bell-LaPadula Model
• The Bell-LaPadula security model combines mandatory and
discretionary access controls.
• Let L(S) = ls be the security clearance of subject S and let
L(O) = lo be the security classification of object O
• Simple Security Condition: S can read O if and only if lo
<= ls and S has discretionary read access to O
• * Property ( Star Property) : S can write O if and only if
ls <= lo and S has discretionary write access to O
( Read down and Write Up)
Slide #1-73
 Integrity Model
Biba Model
Biba policy uses three defining properties to protect objects
from being illegitimately modified:
1.Simple Integrity: s can read o iff i(s) <= i(o)
The property whereby a subject at one integrity level is not
permitted to read an object at a lower level of integrity. No
read down.
2. Star(*) Integrity : S can write to O iff i(o) <= i(s)
The property whereby an object at one integrity level is not
allowed to write to an object at a higher level of integrity . No
write up Slide #1-74
 Integrity Model
Biba Model
Biba policy uses three defining properties to protect objects
from being illegitimately modified:
3.Invocation/ Execution : s1 can execute s2 iff
i(s2) <= i(s1)
The property whereby a subject at one integrity level is
prohibited from invoking or calling up a subject at a higher
level of integrity.

Slide #1-75
 Clark Wilson Integrity Model
• Built upon principles of change control rather than
integrity levels
• Designed for commercial environment
• Its change control principles
– No changes by unauthorized subjects
– No unauthorized changes by authorized persons
– The maintenance of internal and external consistency
• A well formed transaction is a series of operations that
transition the system from one consistent state to another
consistent state.

Slide #1-76
 Clark Wilson Integrity Model
The model
•The Clark-Wilson model defines data subject to its integrity
controls as constrained data items or CDIs.
•Data not subjected to integrity are called Unconstrained data
items.
•For example: The balances of accounts.
•The model also defines two set of procedures:
– Integrity Verification procedures( IVP) and
– Transformation Procedures (TP).

Slide #1-77
 Clark Wilson Integrity Model
Integrity Verification Procedures or IVPs test that the CDIs
confirm to the integrity constraints at the time IVPs are run.
Transformation Procedures or TPs, change the state of the
data in the system from one valid state to another. TPs, change
the state of the data in the system from one valid state to another.
Clark Wilson Model captures these requirements in two
certification rules:
Certification Rule 1: When any IVP is run, it must ensure that
all CDIs are in a valid state.
Certification Rule 2: For some associates set of CDIs, a TP
must transform those CDIs in a valid state into another valid
state. Slide #1-78
 Classification of Hackers
• Hackers can be classified into several categories based on their
activities, motivations, and skills. Here are some common
classifications:
1. White Hat Hackers: Also known as ethical hackers, these individuals
use their skills to identify vulnerabilities in computer systems and
networks and report them to the system owners. They work to improve
the security of computer systems and protect against cyber threats.
2. Black Hat Hackers: These are malicious hackers who use their skills to
break into computer systems and networks for personal gain or to
cause damage. They may steal sensitive information, disrupt
operations, or launch cyber attacks.

08/07/23 Computer Security: Art and Science Slide #1-79

©2002-2004 Matt Bishop
 Classification of Hackers
3. Grey Hat Hackers: These hackers are a combination of both white and black hat
hackers. They may break into computer systems without permission but do not intend
to cause harm. Instead, they may want to demonstrate a vulnerability to the system
owners and may offer to fix it for a fee.
4. Script Kiddies: These are inexperienced hackers who use automated tools and scripts
to break into computer systems without a deep understanding of the underlying
technology.

5. State-Sponsored Hackers: These are hackers who work on behalf of a government or

state agency to conduct cyber espionage, steal intellectual property, or launch cyber
attacks on other countries.

6. Hacktivists: These hackers use their skills to advance a political or social cause. They
may target government agencies, corporations, or other organizations to expose
corruption or promote a particular agenda.

08/07/23 Computer Security: Art and Science Slide #1-80

©2002-2004 Matt Bishop
 Steganography
• Steganography and cryptography are both techniques used
to protect information, but they differ in their approach and
purpose.
• Steganography, on the other hand, involves hiding a
message within another object or file in such a way that it
is not visible or detectable.
• The goal of steganography is to conceal the existence of a
message, rather than its content.

08/07/23 Slide #1-81

 Steganography
• The message may be hidden within an image,
audio file, or even within the whitespace of a text
file.
• The intended recipient can use a specific tool or
technique to extract the hidden message from the
carrier file.

08/07/23 Computer Security: Art and Science Slide #1-82

©2002-2004 Matt Bishop