Ch1 Computer Security
Introduction to Computer Security
Computer Security
Computer security is about provisions and policies adopted to protect assets from theft, corruption, or natural disaster while allowing the assets to remain accessible and productive to their intended users.
Computer Security
Computer security when there is a connection to networks (network security), on the other hand, deals with provisions and policies adopted to prevent and monitor unauthorized access, misuse, modification, or denial of the computer network and network-accessible resources.
Not Sufficient!!
Internet
Computer Security/ Overview
Definitions
Security: The protection of computer assets from unauthorized access, use, alteration, degradation, destruction, and other threats.
Privacy: The right of the individual to be protected against intrusion into his personal life or affairs, or those of his family.
Security/Privacy Threat: Any person, act, or object that poses a danger to computer security/privacy.
Computer Security
Security Goals
Confidentiality: Prevention of unauthorized disclosure of information
Integrity: Prevention of unauthorized modification of information
Availability: Prevention of unauthorized withholding of information or resource
Computer Security
Security in general is about protection of assets. This implies that in order to protect our assets, we must know the assets and their values. Rough classification of protection measures includes:
• Prevention: to take measures to prevent the damage
• Detection: when, how and who of the damage.
• Reaction: to take measures to recover from damage.
Example of protecting valuable items at home from a burglar:
• Prevention: Locks on the door, guards, hidden places, …
• Detection: Burglar alarm, guards, CCTV, …
• Reaction: Calling the police, replace the stolen item, …
Computer Security
Example of preventing a fraudster from using our credit card in an Internet purchase
• Prevention: Encrypt when placing order, make sure the system is secure, or don’t use credit card number on internet
• Detection: A transaction that you had not authorized appears on your credit card statement
• Reaction: Ask for new card, recover cost of the transaction from the insurance, the card issuer or the merchant
Computer Security/ History
Until 1960s computer security was limited to physical protection of computers
In the 60s and 70s
• Evolutions
  o Computers became interactive
  o Multiuser/Multiprogramming was invented
  o More and more data started to be stored in computer databases
• Organizations and individuals started to worry about
  o What the other persons using computers are doing to their data
  o What is happening to their private data stored in large databases
Computer Security/ History
In the 80s and 90s
• Evolutions
  o Personal computers were popularized
  o LANs and Internet invaded the world
  o Applications such as E-commerce, E-government and E-health started to develop
  o Viruses became major threats
• Organizations and individuals started to worry about
  o Who has access to their computers and data
  o Whether they can trust an email, a website, etc.
  o Whether their privacy is protected in the connected world
Computer Security/ History
Famous security problems
Morris worm – Internet Worm
• On November 2, 1988, a worm attacked more than 60,000 computers around the USA
• The worm attacks computers, and when it has installed itself, it multiplies itself, freezing the computer
• It exploited UNIX security holes in Sendmail and Finger
• A nationwide effort made it possible to solve the problem within 12 hours
• Robert Morris became the first person to be accused under the Computer Fraud and Abuse Act.
• He was sentenced to three years of probation, 400 hours of community service and a fine of $10,050
• Until recently, he has been an associate professor at the
Computer Security/ History
Famous security problems …
NASA shutdown
• In 1990, an Australian computer science student was charged for shutting down NASA’s computer system for 24 hours
Airline computers
• In 1998, a major travel agency discovered that someone penetrated its ticketing system and printed airline tickets illegally
Bank theft
• In 1984, a bank manager was able to steal $25 million through un-audited computer transactions
Computer Security/ History
Famous security problems …
In Ethiopia
• Employees of a company managed to change their salaries by fraudulently modifying the company’s database
• In 1990s Internet password theft
  o Hundreds of dial-up passwords were stolen and sold to other users
  o Many of the owners lost tens of thousands of Birr each
• A major company suspended the use of a remote login software by technicians who were looking at the computer of the General Manager
In Africa: Cote d’Ivoire
• An employee who has been fired by his company deleted all the data in his company’s computer
Computer Security/ History
Early Efforts
1960s: Marked as the beginning of true computer security
1970s: Tiger teams
• Government and industry sponsored crackers who attempted to break down defenses of computer systems in order to uncover vulnerabilities so that patches can be developed
1970s: Research and modeling
• Identifying security requirements
• Formulating security policy models
• Defining guidelines
• Development of secure systems
Computer Security/ Legal Issues
In the US, legislation was enacted with regards to Computer Security starting from late 1960s.
European Council adopted a convention on Cyber-crime in 2001.
The Ethiopian Penal Code of 2005 has articles on data and computer related crimes.
Computer Security/ Legal Issues
The National Information Security Policy 2011 is the first cyber specific policy with goals including:
o Build national capability for coordinated prevention, detection, response against threats and minimize damage, cost and recovery time from attacks that do occur; (http://ethiocert.insa.gov.et/)
o Ensure the confidentiality, integrity, availability and authenticity of national information asset;
Computer Security/Attacks
Categories of Attacks
Interruption: An attack on availability
Interception: An attack on confidentiality
Modification: An attack on integrity
Fabrication: An attack on authenticity
Computer Security/Attacks
Categories of Attacks/Threats
[Figure: normal flow of information from Source to Destination, and the four attacks on it: Interruption, Interception, Modification, Fabrication]
Computer Security/Vulnerabilities
Types of Vulnerabilities
• Physical vulnerabilities (Ex. Buildings)
• Natural vulnerabilities (Ex. Earthquake)
• Hardware and Software vulnerabilities (Ex. Failures, reliability)
• Media vulnerabilities (Ex. Disks can be stolen)
• Communication vulnerabilities (Ex. Wires can be tapped)
• Human vulnerabilities (Ex. Insiders)
Computer Security/ Countermeasures
Computer security controls
• Authentication (Password, Cards, Biometrics) (What we know, have, are!)
• Cryptography
• Auditing
• Administrative procedures
• Standards
• Physical Security
• Laws
Computer Security/ Physical Security
Physical security is the use of physical controls to protect premises, site, facility, building or other physical asset of an organization [Lawrence Fennelly]
Physical security protects your physical computer facility (your building, your computer room, your computer, your disks and other media) [Chuck Easttom].
Computer Security/ Physical Security
In the early days of computing physical security was simple because computers were big, standalone, expensive machines
• It was almost impossible to move them (not portable)
• They were very few and it was affordable to spend on physical security for them
• Management was willing to spend money
Computer Security/ Physical Security
Today
• Computers are more and more portable (PC, laptop, PDA, Smartphone)
• There are too many of them to have good physical security for each of them
• They are not “too expensive” to justify spending more money on physical security until a major crisis occurs
Computer Security/ Physical Security
Solution
Avoid having servers in areas often hit by Natural Disasters!
Computer Security/ Physical Security
Safe area
• Safe area often is a locked place where only authorized personnel can have access
• Organizations usually have safe area for keeping computers and related devices that contain sensitive information
Computer Security/ Physical Security
Safe area … Challenges
• Is the area inaccessible through other openings (window, roof-ceilings, ventilation hole, etc.)?
  o Design of the building with security in mind
• During opening hours, is it always possible to detect when unauthorized person tries to get to the safe area?
  o Surveillance/guards, video-surveillance, automatic doors with security code locks, alarms, etc.
  o Put signs so that everybody sees the safe area
Computer Security/ Physical Security
Surveillance with guards
• The most common in Ethiopia
• Not always the most reliable since it adds a lot of human factor
• Not always practical for users (employees don’t like to be questioned by guards wherever they go)
Computer Security/ Physical Security
Safe area… Surveillance
Surveillance with video
• Uses Closed Circuit Television (CCTV)
• Started in the 1960s
• Became more and more popular with the worldwide increase of theft and terrorism
• Advantages
  o A single person can monitor more than one location
  o The intruder doesn’t see the security personnel
  o It is cheaper after the initial investment
  o It can be recorded and be used for investigation
  o Today’s digital video-surveillance can use advanced techniques such as face recognition to detect terrorists, wanted people, etc.
• Drawback
  o Privacy concerns