Esu Sec Week 1 and 2


Objectives

• Upon completion of this class you should be able to:


– Understand what cyber security means
– Understand the key terms and critical concepts of cyber
security
– Know the types of threats in cyber security
– Understand security control mechanisms to safeguard
organizational resources from attack
– Be able to analyze the types of security controls and
mechanisms.
– Comprehend the evolution of information security
What is Security?
• Security is “the quality or state of being secure—to be free from danger.”
• In other words, protection against adversaries—from those who would do harm, intentionally or otherwise—is the objective.
• National security, for example, is a multilayered system that protects the sovereignty of a state, its assets, its resources, and its people. Achieving the appropriate level of security for an organization also requires a multifaceted system.
Cont…
• A successful cyber system should have the following
multiple layers of security in place to protect its
operations:
• Physical security, to protect physical items, objects, or
areas from unauthorized access and misuse
• Personnel security, to protect the individual or group
of individuals who are authorized to access the
organization and its operations
• Operations security, to protect the details of a
particular operation or series of activities
• Communications security, to protect communications
media, technology, and content
• Network security, to protect networking components,
connections, and contents
What is Cyber Security
• Cyber security means protecting assets from unauthorized access, use, disclosure, modification, disruption, or destruction.
• The term asset describes any object that has value to the organization; in other words, an asset is the organizational resource that is being protected.
• Examples: data files, websites, software, IT equipment and infrastructure
• Cyber system security defined (alternatively):
• The preservation of confidentiality, integrity and availability of assets; in addition, other properties such as authenticity, accountability, non-repudiation and authorization can also be involved. (ISO 27001)
• Necessary tools: policy, education (awareness and training), technology
Three key objectives/requirements/services (CIA)
The ultimate goal of the cyber security process is to protect three unique attributes of information: CIA.
Cyber Security: Basic Requirements
• Confidentiality: refers to protecting information from unauthorized read/access operations, i.e. information should only be seen by those persons authorized to see it.
• The term privacy is often used when the data to be protected refer to individuals.
• Controls: encryption, access control, perimeter defence
• EXAMPLE: Enciphering an income tax return will prevent anyone from reading it. If the owner needs to see the return, it must be deciphered. However, if someone else can read it when it is entered into the program, the confidentiality of the tax return has been compromised.
Cyber Security: Basic Requirements
• Integrity: refers to protecting information from unauthorized modification; information must not be corrupted, degraded, or modified.
• Integrity means that data cannot be modified without authorization.
• Integrity is an assurance mechanism that ensures the message as sent is exactly the same message that was received.
• E.g. integrity is violated when an unauthorized employee is able to modify his own salary in a payroll database.
• Controls: cryptographic integrity check, encryption, access control, perimeter defense, audit.
Cyber Security: Basic Requirements
• Availability: ensures that access to information is not denied and/or delayed to authorized (legitimate) subjects.
• Information must be kept available to authorized persons when they need it, and an attacker should not be able to force delivery to take more time.
• Availability does not imply that the information is accessible to any user; rather, it means availability to authorized users.
• High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades.
• E.g. the prevention of authorized access to resources or the delaying of operations; disruptions of services due to power outages, hardware failures, and system upgrades.
• Controls: redundancy of resources, traffic filtering, incident recovery.
Example of CIA Breaches
• Attacks/threats compromise systems in a number of ways that affect one or all of these attributes.
• If an attacker is successful in:
– Disclosure of information or access to information.
• Which InfoSec property was violated? (Threat to ………..)
– Corruption or modification of information
• Threat to …………………..
– Disruption/interruption or denial of services, or the disruption of access to or use of information or an information system. (Threat to ………….)
• Cyber security protects these attributes by:
– Protecting confidentiality
– Ensuring integrity
– Maintaining availability
Other concepts to a complete security picture
Reading Assignment
• Non-repudiation: the assurance that someone cannot deny the validity of something
• Accountability
– Ensuring that an entity’s actions are traceable uniquely to that entity
• Authentication
– The process of positively identifying a subject is called authentication
– The authentication process usually occurs when a subject self-identifies and then responds to a systematic challenge of the identity.
– This challenge is based on what you know, what you have or who you are. Recommended access control mechanism: multi-factor authentication
• Authorization: the process of giving someone permission to do or have something, or the process of giving someone the ability to access a resource
CNSS Security Model
• The model, created by John McCumber in 1991, is known as the McCumber Cube.
• The McCumber Cube in Figure 1-2 has three dimensions. With three values along each axis, the model becomes a 3 x 3 x 3 cube with 27 cells, each representing an area to be secured.
• To secure today’s systems, each of the 27 areas must be properly addressed during the security process.
• For example, the intersection between technology, integrity, and
storage requires a control or safeguard that addresses the need to use
technology to protect the integrity of information while in storage.
• One such control might be a system for detecting host intrusion that
protects the integrity of information by alerting the security
administrators to the potential modification of a critical file.
Cont…
Figure 1.2 The McCumber Cube
Key Information Security Concepts
• Asset: The organizational resource that is being
protected. An asset can be logical, such as a Web
site, information, or data; or an asset can be
physical, such as a person, computer system, or
other tangible object.
• Assets comprise:
– Information (databases, data files, agreements and contracts, research results, training materials, audit results, operational instructions etc.);
– Software files;
– Technical equipment;
– Services (computer and communication, heating, lighting, air-conditioning etc.);
– Staff and their qualifications, skills and experience;
– Intellectual property (reputation, image of organisation).
Cont’d
• Attack vs. threat
• Threat: Anything that has the potential to cause
harm.
– The violation need not actually occur
– The fact that the violation might occur makes it a
threat
– It is important to guard against threats and be
prepared for the actual violation
• The actual violation of security is called an attack
Cont…
• Threat agent: The specific instance or a component of a threat.
• For example, all hackers in the world present a collective threat, while Kevin Mitnick, who was convicted for hacking into phone systems, is a specific threat agent.
Cont…
• Attacks can be active or passive, intentional or
unintentional, and direct or indirect.
Example:
• Someone casually reading sensitive information not intended for his or her use is an unintentional attack.
• A hacker attempting to break into an
information system is an intentional attack.
• A lightning strike that causes a fire in a
building is an unintentional attack.
Cont’d
Active attacks
• Active attacks are based on the modification of the original message in some manner or the creation of a false message.
• The contents of the original message are modified.
• The attacker needs to gain physical control of the media.
• These attacks are relatively easier to detect.
• These attacks cannot be prevented easily.
• There are four types of active attacks: masquerade, replay, modification of message, denial of service.
Passive attacks
• In passive attacks, the attacker indulges in eavesdropping or monitoring of data transmission.
• There is no modification to the contents of the original message.
• The attacker needs to observe the conversation.
• These attacks are harder to detect.
• These attacks can be prevented by encryption of data.
• There are two types of passive attacks: release of message content, traffic analysis.
Cont…
• A direct attack is a hacker using a personal computer to break into a system.
– Direct attacks originate from the threat itself.
• An indirect attack is a hacker compromising a system and using it to attack other systems.
– The computer is attacked in order to cause problems for other systems.
– Indirect attacks originate from a compromised system or resource that is malfunctioning or working under the control of a threat, e.g. DDoS.
– This group of compromised computers is known as zombies.
– Zombies can operate autonomously or under the attacker’s direct control to attack systems
Cont’d
– Denial-of-service: an attacker sends so many information requests to a target system that the target cannot handle them successfully, which can crash the entire system. More generally, all types of attacks intended to overwhelm a computer or a network in such a way that legitimate users of the computer or network cannot use it.
– Involves one site flooding another with traffic, or one site sending a small stream of packets designed to exploit flaws in the operating system’s software that take the site down (either crash or hang the operating system, or disable any network communication to or from the site)
– DDoS: one machine compromises other machines (zombies) and makes them participate in the attack
Cont…

• Subjects and objects: a computer can be the subject of an attack and/or the object of an attack
– When it is the subject of an attack, the computer is used as an active tool to conduct the attack
– When it is the object of an attack, the computer is the entity being attacked
– A computer can be both the subject and object of an attack, when, for example, it is compromised by an attack (object), and is then used to attack other systems (subject).
Computer as Subject and Object of an attack
Cont…
• Vulnerability: a weakness or fault in a system or protection mechanism that exposes assets to attack or damage.
• Some examples of vulnerabilities are a flaw in a software package, an unprotected system port, and an unlocked door. Some well-known vulnerabilities have been examined, documented, and published; others remain latent (or undiscovered).
Cont…
• Risk: the likelihood of loss or damage occurring in the system, or the probability
that something unwanted will happen.
Organizations must minimize risk to match
their risk appetite—the quantity and nature of
risk the organization is willing to accept.
• Risk = Threats x Vulnerabilities
Cont’d
• Control, safeguard, or countermeasure:
Security mechanisms, policies, or procedures
that can successfully counter attacks, reduce
risk, resolve vulnerabilities, and otherwise
improve the security within an organization
Cont’d
Example:
• If a company has antivirus software but does not actually use it and does not keep the virus signatures up to date:
• Vulnerability:
• Threat:
• Attack:
• Risk:
• Countermeasures:
• The likelihood of a virus showing up in the environment and causing damage is the risk.
• The countermeasures in this situation are to update the signatures and install the antivirus software on all computers.
Security is a continuing process
• Cyber security is a process
• Bruce Schneier, one of the world’s most well-
known experts on security, once wrote that
“security is a process, not a product.” Indeed,
with all the changing variables and players,
security is a never-ending evolutionary
process, wherein defenses change in response
to new threats and new threats emerge with
the introduction of new systems and defenses.
Why is security a continuing process?
• Why not simply solve all security problems once and for all?
• Reasons why that is impossible:
• Rapid innovation constantly generates new technology with new vulnerabilities
• More activities, including those involving sensitive information, go online
• Information security is an afterthought when developing IT
• New and changing threats
• More effective and efficient attack techniques and tools are being developed
Occurrence of Threat
• Two broad categories of threats:
• Unintentional threats
• Intentional/deliberate threats
Unintentional Threats
• Unintentional threats are performed WITHOUT malicious intent (often unknowingly!). E.g. accidentally deleting an important file, tripping over a power cord, lost laptops or other devices, opening emails from unknown senders, etc.
• Human errors
• Environmental hazards
• Computer systems failure
– Human errors
• can occur in the design of the hardware and/or information system
• can also occur in programming, testing, data collection, data entry, authorization and procedures (associated with vulnerability)
• operator error
Cont’d
– Environmental hazards, including
• Earthquakes
• Severe storms and floods
• Power failures or strong fluctuations
• Fires (most common hazard)
• Explosions
• Other damage to physical facilities
Cont’d
– Computer system failures
• can occur as the result of poor manufacturing or defective materials
• include:
– Hardware malfunction
– Software bugs
– Data errors
– Inadequate system performance
Intentional threats
• Intentional threats (Hacker/cracker)
– Hacker: A person who has penetrated a computer system, usually with
no criminal intent.
– Cracker: A malicious hacker
• Espionage or Trespass
• Information Extortion
• Theft (equipment, information, or identity)
• Software attacks (virus, Trojan horse, worm, DoS (denial-of-service) attack, phishing, spyware, keylogger, malware/spamware, etc.)
• Sabotage or Vandalism
• Many others!
Cont’d
• Espionage or trespass: the act of gaining access to the information an organization is trying to protect by the practice of spying or using spies.
– Social engineering: someone tries to gain access through social means (pretending to be a legitimate system user or administrator, using social skills or tricking people into revealing secrets, etc.). The person supplying the information is the UNINTENTIONAL threat.
– E.g. envision a call to an unsuspecting user by someone masquerading as a desktop technician, in which the caller says he needs the user’s network password to diagnose a technical problem and then uses that password to compromise the system.
– Shoulder surfing is looking at a computer monitor or ATM screen over another person’s shoulder.
• Information extortion: when an attacker or formerly trusted employee steals information from a computer system and then demands compensation for its return or an agreement not to disclose it.
Cont’d
• Theft: the illegal taking of property that belongs to
another individual/organization.
– Theft of software and equipment
– Unauthorized use of access codes and financial
passwords
– Theft by stealing or modifying data
– Internet hoaxes for illegal gain
– Theft by modifying software
– Identity theft: Crime in which someone uses the
personal information of others, usually obtained
from the Internet, to create a false identity and then
commits fraud.
Cont’d
• Software attacks
– Software programs designed to perform unintended actions, damage, destroy, or deny service to the targeted systems.
– The most common types of software attacks are viruses, worms, Trojan horses, logic bombs, back doors, denial-of-service, alien software, phishing and pharming.
– Denial-of-service: an attacker sends so many information requests to a target system that the target cannot handle them successfully, which can crash the entire system. All types of attacks intended to overwhelm a computer or a network in such a way that legitimate users of the computer or network cannot use it.
– Involves one site flooding another with traffic, or one site sending a small stream of packets designed to exploit flaws in the operating system’s software that take the site down (either crash or hang the operating system, or disable any network communication to or from the site)
– DDoS: one machine compromises other machines (zombies) and makes them participate in the attack
Cont’d
– Viruses. Segments of computer code that perform unintended actions ranging from merely annoying to destructive.
– Worms. Destructive programs that replicate themselves
without requiring another program to provide a safe
environment for replication.
– Trojan horses. Software programs that hide in other
computer programs and reveal their designed behavior
only when they are activated.
– Phishing. Uses deception to fraudulently acquire sensitive
personal information such as account numbers and
passwords disguised as an official-looking e-mail.
– Logic bombs. Designed to activate and perform a
destructive action at a certain time.
Cont’d
– Back doors or trap doors. Typically a password, known only
to the attacker, that allows access to the system without
having to go through any security.
– Pestware. Clandestine software that uses up valuable
system resources and can report on your Web surfing habits
and other personal information
– Adware. Designed to help popup advertisements appear on
your screen.
– Spyware. Software that gathers user information through
the user’s Internet connection without their knowledge (i.e.
keylogger, password capture).
– Spamware. Designed to use your computer as a launch pad
for spammers.
Cont’d
– Cookies. Small amount of information that Web sites store
on your computer, temporarily or more-or-less
permanently.
– Web bugs. Small, usually invisible, graphic images that are
added to a Web page or e-mail.
– Pharming. Fraudulently acquires the Domain Name for a
company’s Web site and when people type in the Web site
URL they are redirected to a fake Web site.
Cont’d
• Sabotage or Vandalism
– Hacktivist or cyberactivist : use of technology for high-tech
civil disobedience to protest operations, policies, or
actions of an individual, an organization, or a government
agency.
– Cyberterrorism: is a premeditated, politically motivated
attack against information, computer systems, computer
programs, and data that results in violence against
noncombatant targets by sub-national groups or
clandestine agents.
– Cyberwar: War in which a country’s information systems
could be paralyzed from a massive attack by destructive
software.
Category of Threats
• Shirey et al. divided threats into four broad classes:
• Disclosure
– Snooping: unauthorized interception of information, listening to (or reading) communications, or browsing through files or system information; it is a form of disclosure.
• It is passive
• Wiretapping, or passive wiretapping, is a form of snooping in which a network is monitored.
– Release of potentially confidential data
– Confidentiality services counter this threat.
Category of Threats
• Deception
– Modification or alteration : unauthorized change of
information
– Acceptance of false data and believing it to be true
– The goal is to make an entity rely on the modified data to determine which action to take, or to have incorrect information accepted as correct and released.
– Active wiretapping: a form of modification in which data moving across a network is altered; the term "active" distinguishes it from snooping ("passive" wiretapping).
– Example: man-in-the-middle attack: an intruder intercepts and modifies the message between sender and receiver
– Integrity services counter this threat.
Category of Threats
• Disruption
– interrupts or prevents the correct operation of system
services and functions
– Example: Denial of service in which the attacker prevents a
server from providing a service to the requesting client
– Availability mechanisms counter this threat.
Category of Threats
• Usurpation
– An unauthorized entity controls some part of a system
– Masquerading or spoofing: an impersonation of one entity by another
– Pretending to be a site, or delivering a different file.
– Convinces a victim into believing that the entity with which it is
communicating is a targeted entity.
– Example: if a user tries to log into a computer across the Internet but instead
reaches another computer that claims to be the desired one, the user has
been spoofed.
– if a user tries to read a file, but an attacker has arranged for the user to be
given a different file, another spoof has taken place.
– Authentication services counter this threat
Cont’d
Summary
– Disclosure: unauthorized access to information
– Deception: acceptance of false data
– Disruption: interruption or prevention of correct operation
– Usurpation: unauthorized control of some part of a system
Common security attacks
• Interruption: the system becomes unusable to authorized users after this attack, and its resources are wasted.
• Interception: the data or message sent by the sender is intercepted by an unauthorized individual, who uses the message for a malicious purpose.
• Modification: The message which is sent by the sender is
modified and sent to the destination by an unauthorized user.
The integrity of the message is lost by this type of attack.
• Fabrication: In this type of attack a fake message is inserted
into the network by an unauthorized user as if it is a valid user.
This results in the loss of confidentiality, authenticity and
integrity of the message.
Cont’d
Types of Damage
• Interruption---destroyed/unavailable
services/resources
• Interception---unauthorized party snooping or
getting access to a resource
• Modification--- unauthorized party modifying
a resource
• Fabrication---unauthorized party inserts a fake
asset/resource
Cyber Security: how ?
• Policies define security, and mechanisms enforce it; the basics are CIA together with non-repudiation, accountability, authentication and authorization
• Policy: a statement of what is allowed and not allowed. Alternatively, a security policy is a document that states in writing how a company plans to protect the company's physical and information technology (IT) assets.
• Mechanism: a procedure, tool, or method of enforcing a policy.
• Security mechanisms implement functions that help prevent, detect, deter, correct, and recover from security attacks.
Cont’d
• Composition of policies
– If policies conflict, discrepancies may create
security vulnerabilities
– The composition problem requires checking for
inconsistencies among policies. If, for example, one
policy allows students and faculty access to all data,
and the other allows only faculty access to all the
data, then they must be resolved (e.g., partition the
data so that students and faculty can access some
data, and only faculty access the other data).
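The composition check described above, worked through as an added example (this code is not from the slides; the roles, data partitions and the two policy functions are constructed to match the student/faculty case in the text):

```python
from itertools import product

# Constructed example roles and data partitions (not from the slides).
SUBJECTS = ("student", "faculty")
DATA = ("course_notes", "grades")


def policy_open(subject, data):
    """Policy 1 from the text: students and faculty may access all data."""
    return "allow"


def policy_faculty_only(subject, data):
    """Policy 2 from the text: only faculty may access all data."""
    return "allow" if subject == "faculty" else "deny"


def find_conflicts(policies, subjects=SUBJECTS, data=DATA):
    """Return {(subject, data): {policy_name: decision}} for every cell on
    which the policies disagree. Each such cell is a discrepancy that must be
    resolved before the policies are enforced together, otherwise one
    enforcement point may allow what another forbids."""
    conflicts = {}
    for s, d in product(subjects, data):
        decisions = {name: p(s, d) for name, p in policies.items()}
        if len(set(decisions.values())) > 1:
            conflicts[(s, d)] = decisions
    return conflicts


def resolve_by_partition(policies, shared_data, subjects=SUBJECTS, data=DATA):
    """Merge the policies into one decision table by partitioning the data.

    Where the policies agree, keep their decision. Where they conflict, allow
    access only if the data item is in shared_data (the part administrators
    decided everyone may see); otherwise take the most restrictive decision.
    """
    merged = {}
    for s, d in product(subjects, data):
        decisions = {p(s, d) for p in policies.values()}
        if len(decisions) == 1:
            merged[(s, d)] = decisions.pop()
        else:
            merged[(s, d)] = "allow" if d in shared_data else "deny"
    return merged


def is_sound(merged, policies):
    """A merged table must never invent a decision: for each cell it has to
    agree with at least one of the original policies."""
    return all(decision in {p(s, d) for p in policies.values()}
               for (s, d), decision in merged.items())


def demo():
    """Run the student/faculty scenario end to end and return the results."""
    policies = {"open": policy_open, "faculty_only": policy_faculty_only}
    conflicts = find_conflicts(policies)
    merged = resolve_by_partition(policies, shared_data={"course_notes"})
    return conflicts, merged


if __name__ == "__main__":
    found, table = demo()
    for cell, decisions in found.items():
        print("conflict on", cell, decisions)
    for cell, decision in table.items():
        print("merged", cell, "->", decision)
```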
Types of IS security Controls
• Central to information security is the concept of controls, which may be categorized:
By their functionality/objective
• Preventive,
• Detective,
• Corrective,
• Recovery,
• Deterrent, and
• Compensating
By the plane of application
• Physical,
• Administrative, or
• Technical.
Security Controls cont’d
• Prevention
– Prevent attackers from violating security policy
• Detection
– Detection mechanisms accept that an attack will occur; the goal
is to determine that an attack is under way, or has occurred, and
report it.
– Detective controls come into play when preventive controls
have failed
– Detective controls include cryptographic checksums, file
integrity checkers, audit trails and logs, and similar mechanisms.
– E.g. a business might reconcile the general ledger or review
payment request audit logs to identify fraudulent payments.
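A file integrity checker of the kind listed under detective controls above, and the same idea as the McCumber Cube example of a host-based control that alerts on modification of a critical file. This is an added illustration, not code from the slides; the file names and contents are constructed, and the baseline is kept in memory only for the demo (in practice it must be stored where an attacker who modifies the files cannot also rewrite it, e.g. read-only or off-host).

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed "critical files" for the demo (relative path -> content).
SAMPLE_FILES = {
    "etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
    "etc/hosts": "127.0.0.1 localhost\n",
    "app/config.ini": "[db]\nhost=db.internal\n",
}


def sha256_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks so
    large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: Path) -> dict:
    """Record relative path -> digest for every regular file under root.
    This is the trusted snapshot taken while the system is known-good."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the current tree with the baseline and report deviations.
    A detective control: it does not stop the change, it surfaces it so the
    administrators can be alerted and a corrective/recovery control applied."""
    current = take_baseline(root)
    return {
        "modified": sorted(k for k in baseline
                           if k in current and current[k] != baseline[k]),
        "deleted": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: snapshot, then simulate unauthorized changes
    (one file edited, one removed, one dropped in) and detect them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            f = root / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text(content)
        baseline = take_baseline(root)
        # Simulated changes made without authorization after the baseline.
        (root / "etc/passwd").write_text(
            SAMPLE_FILES["etc/passwd"] + "extra line added without authorization\n")
        (root / "etc/hosts").unlink()
        (root / "app/debug.sh").write_text("echo hi\n")
        return check_integrity(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Scheduled runs of a checker like this (and protection of the baseline itself) are what turn a silent file change into a reportable event.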
Corrective Controls
• Corrective controls try to correct the situation
after a security violation has occurred.
Although a violation occurred, not all is lost,
so it makes sense to try and fix the situation.
• Corrective controls vary widely, depending on
the area being targeted, and they may be
technical or administrative in nature.
Cont’d
• Recovery Controls
– Recovery controls apply when an attack has succeeded in compromising a system or has inhibited the system’s functioning.
– Stop attack, assess and repair damage or restore the
operations of the business
– These include business continuity planning, disaster
recovery plans, and backups. All of these mechanisms
enable the enterprise to recover information, systems,
and business processes, thereby restoring normal
operations.
– Example, if the attacker deletes a file, one recovery mechanism would be to
restore the file from backup tapes.
Deterrent Controls
• Deterrent controls are intended to discourage
potential attackers and send the message that it
is better not to attack, but even if you decide to
attack we are able to defend ourselves.
• Examples of deterrent controls include notices of
monitoring and logging as well as the visible
practice of sound information security
management.
Compensating controls
• Compensating controls are intended to be alternative
arrangements for other controls when the original
controls have failed or cannot be used.
• When a second set of controls addresses the same
threats that are addressed by another set of controls,
the second set of controls are compensating controls
• For example, if a guard dog cannot be used because of the
proximity of a residential area, a motion detector with a spotlight
can be used.
• Preventative controls are clearly the best, since they minimize the
possibility of loss by preventing the event from occurring.
By the plane of application
• Administrative controls are the policies and procedures defined by an organization’s security policy to implement and enforce overall control. Examples of administrative access controls include policies, procedures, hiring practices, background checks, data classification, security training, vacation history, reviews, work supervision, personnel controls, and testing.
• Technical controls are the hardware or software mechanisms used to manage access to resources and systems and provide protection for those resources and systems. Examples of logical or technical access controls include encryption, antivirus software, firewalls, intrusion detection systems, smart cards, passwords, biometrics, and checker application routines.
Cont’d
• Physical control: Physical controls are the
physical barriers deployed to prevent direct
contact with systems or portions of a facility.
Examples of physical access controls include
guards, flood protection, locked doors, fences,
sealed windows, cable protections, guard
dogs, video cameras, and alarms.
Illustration: a firewall provides a "logical" key to obtain access to a network, while a "physical" key to a door can be used to gain access to an office space or storage room.
Security control categories
Balancing Security and Access
• The major problem these days is that enterprises cannot have both access to information and airtight security at the same time.
• There are tradeoffs between absolute information security and the efficient flow of information.
• It is possible to make a system available to anyone, anywhere, anytime.
– Unrestricted access poses a danger to the security of the information.
– On the other hand, a completely secure information system would not allow anyone access.
• Pull between information security and users!
• It is impossible to obtain perfect security that satisfies both the user and the security professional; it is a process, not an absolute result
• Security should be considered a balance between protection and availability
• To achieve balance, the level of security must allow reasonable access, yet protect against threats
• As security professionals, we need to prioritize risks and assets, then work on safeguarding against the greatest threats
How to balance ?
Security Life cycle
• It consists of:
– First defining a security policy
– Then choosing some mechanism to enforce the
policy
– Finally providing assurance that both the
mechanism and the policy are sound

SECURITY LIFE-CYCLE
History of computer and Information Security
• Until 1960s computer security was limited to physical
protection of computers
• In the 1960s
– Evolutions
• Computers became interactive
• Multiuser/Multiprogramming was invented
• More and more data started to be stored in computer
databases
– Organizations and individuals started to worry about
• What the other persons using computers are doing to their data
• What is happening to their private data stored in large
databases
History cont’d
• In the 1980s and 1990s
– Evolutions
• Personal computers were popularized
• LANs and Internet invaded the world
• Applications such as E-commerce, E-government and E-
health started to develop
• Viruses became major threats
– Organizations/individuals started to worry about
• Who has access to their computers and data
• Whether they can trust a mail, a website, etc.
• Whether their privacy is protected in the connected world
History cont’d
• Famous security problems
– Morris worm – Internet Worm
• On November 2, 1988 a worm attacked more than 60,000 computers around the USA
• The worm attacks computers, and when it has installed itself, it multiplies itself, freezing the computer
• It exploited UNIX security holes in the sendmail and finger programs
• A nationwide effort solved the problem within 12 hours
– Robert Morris (the father of computer viruses) became the first person to be charged under the Computer Fraud and Abuse Act of 1986
• He was sentenced to three years of probation, 400 hours of community service and a fine of some $10,000
– He is currently an associate professor at the Massachusetts Institute of Technology (MIT)
History cont’d…
• Famous security problems…
– NASA shutdown
• In 1990, an Australian computer science student was charged for shutting down NASA’s computer system for 24 hours
– Airline computers
• In 1998, a major travel agency discovered that someone had penetrated its ticketing system and printed airline tickets illegally
– Bank theft
• In 1984, a bank manager was able to steal $25 million through un-audited computer transactions
History cont’d…
• Famous security problems…
– In Ethiopia
• Employees of a company managed to change their salaries by
fraudulently modifying the company’s database
• In 1990s Internet password theft
– Hundreds of dial-up passwords were stolen and sold to other users
– Many of the owners lost tens of thousands of Birr each
• A major company suspended the use of a remote login software
by technicians who were looking at the computer of the General
Manager
– In Africa: Cote d’Ivoire
• An employee who has been fired by his company deleted all the
data in his company’s computer
Recent Security breaches…..
• User account credentials of UN officials worldwide were hacked by a hacking group (though the UN announced that the accounts are no longer active)
• The Sony PlayStation Network outage:
– The outage occurred in 2011 on Sony's PlayStation Network, in which personal details from approximately 77 million accounts were stolen, and it prevented users of PlayStation 3 and PlayStation Portable consoles from playing online through the service. The outage lasted for approximately 23 days
• Stuxnet hits Iran
– News broke (in 2011) that five Iranians suspected of enriching weapons-grade uranium were hit by the Stuxnet worm over a 10-month period; one reported incident caused damage to a main centrifuge.
Security /Privacy :legal Issues
• Early Efforts
– 1960s: Marked as the beginning of true computer security system development
– 1970s:Tiger teams
• Government and industry sponsored crackers who attempted
to break down defenses of computer systems in order to
uncover vulnerabilities so that patches can be developed
– 1970s: Research and modeling
• Identifying security requirements
• Formulating security policy models
• Defining recommended guidelines and controls
• Development of secure systems
Legal Issues Cont’d…
• In the US, legislation was enacted with regards to
computer security and privacy starting from late 1960s
• European Council adopted a convention on Cyber-crime
in 2001
• The World Summit for Information Society considered
computer security and privacy as a subject of discussion
in 2003 and 2005
• The Ethiopian Penal Code of 2005 has articles on data
and computer related crimes ( what does it say? ---
please read!)
Security/Privacy Vulnerabilities
• Physical vulnerabilities (Eg. Buildings)
• Natural vulnerabilities (Eg. Earthquake)
• Hardware and Software vulnerabilities (Eg.
Failures, overflows)
• Media vulnerabilities (Eg. Disks can be stolen)
• Communication vulnerabilities (Eg. Wires can
be tapped)
• Human vulnerabilities (Eg. Insiders)
