1

Computer Security Classifications

• Secrecy
– Protecting against unauthorized data
disclosure and ensuring the authenticity of a
data source
• Integrity
– Refers to preventing unauthorized data
modification
• Necessity
– Refers to preventing data delays or denials

2
Security Policy and Integrated Security
• A security policy is a written statement
describing:
– Which assets to protect and why they are being
protected
– Who is responsible for that protection
– Which behaviors are acceptable and which are not
• First step in creating a security policy
– Determine which assets to protect from which
threats

3
4
 Security Policy and Integrated
Security (continued)
• Elements of a security policy address:
– Authentication
– Access control
– Secrecy
– Data integrity
– Audits
5
 Security for Client Computers
• Stateless connection

– Each transmission of information is independent

• Session cookies

– Exist until the Web client ends connection

• Persistent cookies

– Remain on a client computer indefinitely

6
 Security for Client Computers
(continued)
• First-party cookies
– Cookies placed on a client computer by a Web
server site
• Third-party cookies
– Originates on a Web site other than the site being
visited
• Web bug
– Tiny graphic that a third-party Web site places on
another site’s Web page

7
8
9
 Active Content (continued)

• Trojan horse
– Program hidden inside another program or
Web page that masks its true purpose
• Zombie
– Program that secretly takes over another
computer to launch attacks on other
computers
– Attacks can be very difficult to trace to their
creators

10
 Java Applets
• Java
– Programming language developed by Sun
Microsystems
• Java sandbox
– Confines Java applet actions to a set of rules defined
by the security model
• Untrusted Java applets
– Applets not established as secure
11
 JavaScript
• Scripting language developed by Netscape to
enable Web page designers to build active
content
• Can be used for attacks by:
– Executing code that destroys a client’s hard disk
– Discloses e-mail stored in client mailboxes
– Sends sensitive information to an attacker’s Web
server
12
 ActiveX Controls
• An ActiveX control is an object containing programs and
properties that Web designers place on Web pages

• ActiveX components can be constructed using different

languages programs but the most common are C++ and Visual
Basic

• The actions of ActiveX controls cannot be halted once they

begin execution

13
 Digital Certificates
• A digital certificate is a program embedded in
a Web page that verifies that the sender or
Web site is who or what it claims to be
• A certificate is signed code or messages that
provide proof that the holder is the person
identified by the certificate
• Certification authority (CA) issues digital
certificates
14
15
 Digital Certificates (continued)
• Main elements:
– Certificate owner’s identifying information
– Certificate owner’s public key
– Dates between which the certificate is valid
– Serial number of the certificate
– Name of the certificate issuer
– Digital signature of the certificate issuer
16
 Steganography

• Describes the process of hiding information

within another piece of information

• Provides a way of hiding an encrypted file

within another file

• Messages hidden using steganography are

difficult to detect
17
 Communication Channel Security
• Secrecy is the prevention of unauthorized
information disclosure
• Privacy is the protection of individual rights to
nondisclosure
• Sniffer programs
– Provide the means to record information passing
through a computer or router that is handling
Internet traffic

18
 Integrity Threats
• Integrity threats exist when an unauthorized
party can alter a message stream of information
• Cybervandalism
– Electronic defacing of an existing Web site’s page
• Masquerading or spoofing
– Pretending to be someone you are not
• Domain name servers (DNSs)
– Computers on the Internet that maintain directories
that link domain names to IP addresses
19
 Necessity Threats

• Purpose is to disrupt or deny normal

computer processing

• DoS attacks

– Remove information altogether

– Delete information from a transmission or file

20
 Threats to Wireless Networks
• Wardrivers
– Attackers drive around using their wireless-
equipped laptop computers to search for
accessible networks

• Warchalking
– When wardrivers find an open network they
sometimes place a chalk mark on the building

21
 Encryption Algorithms
• An encryption algorithm is the logic behind
encryption programs
• Encryption program
– Program that transforms normal text into cipher
text
• Hash coding
– Process that uses a hash algorithm to calculate a
number from a message of any length
22
 Asymmetric Encryption
• Asymmetric encryption encodes messages by
using two mathematically related numeric keys

• Public key
– Freely distributed to the public at large

• Private key
– Belongs to the key owner, who keeps the key secret

23
 Asymmetric Encryption
(continued)
• Pretty Good Privacy (PGP)
– One of the most popular technologies used to
implement public-key encryption

– Set of software tools that can use several different

encryption algorithms to perform public-key
encryption

– Can be used to encrypt e-mail messages

24
 Symmetric Encryption
• Symmetric encryption encodes a message with one
of several available algorithms that use a single
numeric key
• Data Encryption Standard (DES)
– Set of encryption algorithms adopted by the U.S.
government for encrypting sensitive information
• Triple Data Encryption Standard
– Offers good protection
– Cannot be cracked even with today’s supercomputers
25
 Comparing Asymmetric and
Symmetric Encryption Systems
• Public-key (asymmetric) systems
– Provide several advantages over private-key
(symmetric) encryption methods
• Secure Sockets Layer (SSL)
– Provides secure information transfer through the
Internet
– Secures connections between two computers
• S-HTTP
– Sends individual messages securely
26
27
 Ensuring Transaction Integrity
with Hash Functions
• Integrity violation
– Occurs whenever a message is altered while in
transit between the sender and receiver
• Hash algorithms are one-way functions
– There is no way to transform the hash value back
to the original message
• Message digest
– Small integer number that summarizes the
encrypted information
28
Ensuring Transaction Integrity with
Digital Signatures
• Hash algorithms are not a complete solution
– Anyone could:
• Intercept a purchase order
• Alter the shipping address and quantity ordered
• Re-create the message digest
• Send the message and new message digest on to the
merchant
• Digital signature
– An encrypted message digest
29
 Security for Server Computers
• Web server
– Can compromise secrecy if it allows automatic
directory listings
– Can compromise security by requiring users to
enter a username and password

• Dictionary attack programs

– Cycle through an electronic dictionary, trying
every word in the book as a password

30
 Other Programming Threats
• Buffer
– An area of memory set aside to hold data read
from a file or database
• Buffer overrun
– Occurs because the program contains an error or
bug that causes the overflow
• Mail bomb
– Occurs when hundreds or even thousands of
people each send a message to a particular
address
31
 Firewalls
• Software or hardware and software
combination installed on a network to control
packet traffic
• Provides a defense between the network to
be protected and the Internet, or other
network that could pose a threat

32
 Firewalls (continued)
• Characteristics
– All traffic from inside to outside and from outside
to inside the network must pass through the
firewall
– Only authorized traffic is allowed to pass
– Firewall itself is immune to penetration
• Trusted networks are inside the firewall
• Untrusted networks are outside the firewall

33
 Firewalls (continued)
• Packet-filter firewalls
– Examine data flowing back and forth between a
trusted network and the Internet
• Gateway servers
– Firewalls that filter traffic based on the application
requested
• Proxy server firewalls
– Firewalls that communicate with the Internet on
the private network’s behalf
34
 Organizations that Promote
Computer Security
• CERT
– Responds to thousands of security incidents
each year

– Helps Internet users and companies become

more knowledgeable about security risks

– Posts alerts to inform the Internet community

about security events
35
 Computer Forensics and Ethical
Hacking
• Computer forensics experts

– Hired to probe PCs and locate information that

can be used in legal proceedings

• Computer forensics

– The collection, preservation, and analysis of

computer-related evidence
36
 Summary
• Assets that companies must protect include:
– Client computers
– Computer communication channels
– Web servers
• Communication channels, in general, and the
Internet, in particular, are especially vulnerable
to attacks
• Encryption
– Provides secrecy
37
 Summary (continued)
• Web servers are susceptible to security
threats
• Programs that run on servers might:
– Damage databases
– Abnormally terminate server software
– Make subtle changes in proprietary information

• Security organizations include CERT and SANS

38