
CIA Notes

The document serves as an introduction to cyber security, outlining key concepts such as security, privacy, threats, vulnerabilities, and the CIA triad (Confidentiality, Integrity, Availability). It emphasizes the importance of understanding various aspects of computing security and the need for multiple layers of defense against potential cyber threats. Additionally, it discusses the motivations behind cyber attacks and the significance of protecting critical infrastructure and assets.

Uploaded by mjnderi7

Introduction to Cyber Security

Security Fundamentals

Core textbook used

Security in Computing, 4th edition
Charles P. Pfleeger and Shari Lawrence Pfleeger
Prentice-Hall, 2007.

Learning objectives

• What is our goal in this course?
• What is security?
• What is privacy?
• Who are the adversaries?
• Assets, vulnerabilities, threats, attacks and controls
• Methods of defence

Critical Infrastructure Areas

… telecommunications, electrical power systems, gas and oil, banking and finance, transportation, water supply systems, government services and emergency services.
[Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

What is our goal in this course?

• Our primary goal is to be able to identify security and privacy issues in various aspects of computing, including:
    • Programs
    • Operating systems
    • Networks
    • Internet applications
    • Databases
• Secondarily, to be able to use this ability to design systems that are more protective of security and privacy.

The Present

• The Internet brings millions of computer networks into communication with each other—many of them unsecured
• Ability to secure a computer’s data is influenced by the security of every computer to which it is connected

What is Security?

You Will Never Own a Perfectly Secure System.

Well … Maybe If You Do This:

(Even then you have to do it in the right way; there are standards for how to destroy computers to prevent security/privacy risks...)

What is Security?

• “The quality or state of being secure—to be free from danger”
• A successful organization should have multiple layers of security in place:
    • Physical security
    • Personal security
    • Operations security
    • Communications security
    • Network security
    • Information security

“Secure” Computer System

• To decide whether a computer system is “secure”, you must first decide what “secure” means to you, then identify the threats you care about.
• Some threats are named in the ovals

[Figure: ovals naming the threats Cyberterrorism, Denial of Service, Modified Databases, Virus, Espionage, Identity Theft, Equipment Theft, Stolen Customer Data]

What is Security? (continued)

• The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information
• Necessary tools: policy, awareness, training, education, technology
• C.I.A. triangle is a standard based on Confidentiality, Integrity, and Availability
• C.I.A. triangle now expanded into a list of critical characteristics of information

What is security? (context of computers)

• In the context of computers, security generally means three things:
    • Confidentiality
        • Access to systems or data is limited to authorized parties
    • Integrity
        • When you ask for data, you get the “right” data
    • Availability
        • The system or data is there when you want it
• A computing system is said to be secure if it has all three properties

Cyber Threats and Vulnerability

• As the recent epidemic of data breaches illustrates, no system is immune to attacks. Any company that manages, transmits, stores, or otherwise handles data has to institute and enforce mechanisms to monitor its cyber environment, identify vulnerabilities, and close up security holes as quickly as possible.
• Before identifying specific dangers to modern data systems, it is crucial to understand the distinction between cyber threats and vulnerabilities.

Cyber Threats

• These are security incidents or circumstances with the potential to have a negative outcome for your network or other data management systems.

Examples:
• Phishing attacks: These result in the installation of malware that infects your data.
• Human failure: Failure of a staff member to follow data protection protocols that causes a data breach.
• Natural causes: An earthquake that takes down your company’s data headquarters, disrupting access.

Vulnerabilities

• These are the gaps or weaknesses in a system that make threats possible and tempt threat actors to exploit them.
• Types of vulnerabilities in network security include but are not limited to SQL injections, server misconfigurations, cross-site scripting, and transmitting sensitive data in a non-encrypted plain text format.
• When threat probability is multiplied by the potential loss that may result, cyber security experts refer to this as a risk.

Security Vulnerabilities, Threats And Attacks

• Categories of vulnerabilities
    • Corrupted (Loss of integrity)
    • Leaky (Loss of confidentiality)
    • Unavailable or very slow (Loss of availability)
• Threats represent potential security harm to an asset when vulnerabilities are exploited.
• Attacks are threats that have been carried out
    • Passive: Make use of information from the system without affecting system resources
    • Active: Alter system resources or affect operation
    • Insider: Initiated by an entity inside the organization
    • Outsider: Initiated from outside the perimeter

Computer Criminals

• Computer criminals have access to enormous amounts of hardware, software, and data; they have the potential to cripple much of effective business and government throughout the world. In a sense, the purpose of computer security is to prevent these criminals from doing damage.
• Computer crime is any crime involving a computer or aided by the use of one. Although this definition is admittedly broad, it allows us to consider ways to protect ourselves, our businesses, and our communities against those who use computers maliciously.
• One approach to prevention or moderation is to understand who commits these crimes and why. Many studies have attempted to determine the characteristics of computer criminals. By studying those who have already used computers to commit crimes, we may be able in the future to spot likely criminals and prevent the crimes from occurring.

CIA TRIAD

• The CIA Triad is a security model that has been developed to help people think about various parts of IT security.
• The triad CIA stands for
    • C: Confidentiality
    • I: Integrity
    • A: Availability
• The CIA triad is used in every single domain of cyber-security, and you must be perfectly clear about each of the components.

CONFIDENTIALITY

• You need to be sure that your data is confidential when it is stored, when it is being transmitted and when it is being processed.
• Confidentiality refers to protecting or hiding your data so that it is available only to authorized users.
• The classic way of enforcing confidentiality is through encryption.
• Encryption makes your data secure so that it is not visible to unauthorized users.

CONFIDENTIALITY Cont …

• Some violations of confidentiality include packet sniffing.
• This happens when your data is being transmitted over a network and somebody captures your traffic.
• Confidentiality is also violated when somebody is able to successfully break the encryption that you use to protect your data.
• But it can also sometimes happen due to unintentional human error, when a user inadvertently exposes data.

Violation of Confidentiality

• The Internet is a public network which is very insecure.
• So if you're sending your data in plain text over the public Internet or any other public network, there's a good chance that people can eavesdrop on your data, which is in plain text.
• This would constitute a violation of the confidentiality of the data because it is now available to people who are not authorized.

Mitigation Of Confidentiality

• You give encryption a secret key, and the encryption algorithm takes the data and uses the key to encode the data into a format which is not understandable by anyone who does not have the key.
• So even if somebody gets hold of a copy of your data, they would not be able to decode this data easily.

INTEGRITY

• Integrity means that your data must be accurate and complete and that it has not been modified.
• Integrity is typically enforced through hashes.
• Typical violations of integrity happen when you transmit your data from one point to the other and a man in the middle intercepts your traffic and modifies your data.
• Hashes are a kind of summary or message digest of your original data, so that if anything changes in your data, the hash would also change.

Violations Of Integrity

• So at the destination, the receiver can simply check the hash to make sure that the data has not been modified.
• Typical violations of integrity include modification of data, especially during transit.

Mitigation of Integrity
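
The receiver-side hash check from the integrity slides, as an added example that is not part of the original notes. It goes one step beyond them: an unkeyed digest only catches modification when it reaches the receiver by a path the interceptor cannot alter, so the man-in-the-middle case is shown with HMAC, a keyed hash that the notes do not name. The key, messages and function names are constructed for illustration.

```python
import hashlib
import hmac


def digest(message: bytes) -> str:
    """Unkeyed SHA-256 digest: any change to the message changes it."""
    return hashlib.sha256(message).hexdigest()


def verify_digest(message: bytes, received_digest: str) -> bool:
    """Receiver-side check: recompute the digest and compare."""
    return hmac.compare_digest(digest(message), received_digest)


def tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 tag: computing it requires the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, message: bytes, received_tag: str) -> bool:
    """Receiver-side check of a keyed tag, in constant time."""
    return hmac.compare_digest(tag(key, message), received_tag)


def demo() -> dict:
    # Constructed sample values, not taken from the original notes.
    key = b"constructed-key-shared-by-sender-and-receiver"
    sent = b"Meeting at 10:00"
    altered = b"Meeting at 16:00"  # what arrives after modification in transit

    return {
        # Digest obtained over a separate trusted path: the change is caught.
        "digest_trusted_path": verify_digest(altered, digest(sent)),
        # Digest travels with the message: whoever altered the message can
        # recompute it, so the unkeyed check passes on modified data.
        "digest_same_path": verify_digest(altered, digest(altered)),
        # Keyed tag: the original tag no longer matches the altered message,
        "hmac_original_tag": verify_tag(key, altered, tag(key, sent)),
        # and a tag made without the real key does not verify either.
        "hmac_wrong_key_tag": verify_tag(key, altered, tag(b"not-the-key", altered)),
        # Unmodified message with its tag is accepted.
        "hmac_unmodified": verify_tag(key, sent, tag(key, sent)),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:20} accepted={accepted}")
```
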
AVAILABILITY

• Availability means that data is available as and when required.
• Typically, availability is enforced through redundancy.
• This means that you install multiple communication links or, for example, multiple Web servers, so that even if some of the communication links or some of the Web servers are targeted, you still have some backups.
• Violations of availability happen if someone, for example, damages your communication infrastructure or your Web server so that you're no longer able to service your clients.

Violations Of Availability

• However, even if someone only slows down your database servers or your Web servers so that they cannot service the clients in an appropriate amount of time, this would also be considered a violation of availability.

Violations Of Availability

• They may attack communication links between clients and your servers, making it difficult or impossible to reach your servers, or they may directly attack your web or application servers.
• The attack can be partial: the attacker doesn't need to completely break off the communication link. The attacker can simply choke communication links enough so that the traffic is very slow, or send so much traffic to your servers that they are very slow at responding to legitimate clients.

Mitigation of Availability

• With multiple Web and database servers, even if some of your servers go down or the attacker sends excessive traffic to them, we can simply load balance and ensure availability.
• Similarly, we can also employ multiple communication links and so on.

Understanding CIA

• The CIA Triad is all about information. While this is considered the core factor of the majority of IT security, it promotes a limited view of security that ignores other important factors.
• For example, even though availability may serve to make sure you don't lose access to resources needed to provide information when it is needed, thinking about information security in itself doesn't guarantee that someone else hasn't used your hardware resources without authorization.
• It's important to understand what the CIA Triad is and how it is used to plan and implement a quality security policy, while understanding the various principles behind it. It's also important to understand the limitations it presents. When you are informed, you can utilize the CIA Triad for what it has to offer and avoid the consequences that may come from not understanding it.

Balancing CIA

[Figure: labels Confidentiality, Integrity, Availability, Sensitive Data, S = secure; data types Biographical Data, Payroll Data, Health Data; network elements Packet Switch, Bridge, File Server, Gateway, Other Networks]

Need to balance CIA

Ex: Disconnect computer from Internet to increase confidentiality (availability suffers, integrity suffers due to lost updates)

Ex: Have extensive data checks by different people/systems to increase integrity (confidentiality suffers as more people see data, availability suffers due to locks on data under verification)

[Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

ASSETS AND THREATS

• An asset is any data, device or other component of an organization’s systems that is valuable, often because it contains sensitive data or can be used to access such information.
• For example: An employee’s desktop computer, laptop or company phone would be considered an asset, as would applications on those devices. Likewise, critical infrastructure, such as servers and support systems, are assets. An organization’s most common assets are information assets. These are things such as databases and physical files, i.e. the sensitive data that you store.

THREATS

• A threat is any incident that could negatively affect an asset.
• For example, if it’s lost, knocked offline or accessed by an unauthorized party.
• Threats can be categorized as circumstances that compromise the confidentiality, integrity or availability of an asset, and can either be intentional or accidental.
• Intentional threats include things such as criminal hacking or a malicious insider stealing information, whereas accidental threats generally involve employee error, a technical malfunction or an event that causes physical damage, such as a fire or natural disaster.

Motive of Attackers

• The categories of cyber-attackers enable us to better understand the attackers' motivations and the actions they take. As shown in Figure, operational cyber security risks arise from three types of actions:
    i. Inadvertent actions (generally by insiders) that are taken without malicious or harmful intent;
    ii. Deliberate actions (by insiders or outsiders) that are taken intentionally and are meant to do harm; and
    iii. Inaction (generally by insiders), such as a failure to act in a given situation, either because of a lack of appropriate skills, knowledge, guidance, or availability of the correct person to take action.
• Of primary concern here are deliberate actions, of which there are three categories of motivation.

Motive of Attackers Cont …

• Political motivations: examples include destroying, disrupting, or taking control of targets; espionage; and making political statements, protests, or retaliatory actions.
• Economic motivations: examples include theft of intellectual property or other economically valuable assets (e.g., funds, credit card information); fraud; industrial espionage and sabotage; and blackmail.
• Socio-cultural motivations: examples include attacks with philosophical, theological, political, and even humanitarian goals. Socio-cultural motivations also include fun, curiosity, and a desire for publicity or ego gratification.

1. Trudy changes the meeting time in a message she intercepts from Alice before she forwards it on to Bob. This is a violation of which aspect of the CIA Triad?
2. You fail to back up your files and then drop your laptop, breaking it into many small pieces. You have just failed to address which aspect of the CIA Triad?
3. Consider an automated teller machine (ATM) to which users provide a personal identification number (PIN) and a card for account access. Give examples of confidentiality, integrity, and availability requirements associated with the system and, in each case, indicate the degree of importance of the requirement.
