CSI1101 Computer Security

Module 1: Introduction to Principles & Aims of Security

 Sun Tzu – The Art of War

• If you know the enemy and know yourself, you need not fear the result of a
hundred battles
• If you know yourself but not the enemy, for every victory gained, you will
also suffer a defeat
• If you know neither the enemy nor yourself,
you will succumb in every battle
‒ How well do you know yourself?
‒ The information stored on your ‘device’?
‒ The effectiveness of your protection mechanisms?
CSI1101 – Computer Security

Reflection Questions
 Reflection Questions

Are the ‘default’ security settings on computing devices an

issue?

Why don’t vendors make computing devices secure by

‘default’ out-of-the-box?

focus is on performance and price; security is an

afterthought
 WPA / WEP /

Questions on Broadband Routers

• What is a broadband router? A device that helps to access broadband internet

from the internet service provider
• What is its purpose? It allows to access multiple devices to access same internet, *manage
traffic between these networks by forwarding data packets to the
• Can it protect your network/computers? intended ip address
Encryption protect from unauthorized access where nowadays many routers provides it
• Can it put your network/computers at risk?
If a third party breached the network once then all the information will be shown to that third part
• What does it take for your broadband router to be considered ‘secure’?
Making a strong password, By Encrypting
 CSI1101 – Computer Security

Real-World Cyber Attacks

 Is the Internet Dangerous?

Let’s start by looking at some examples of dangers that exist in today’s

online world...
 Toll Group – 2020

• Well-known transportation and logistics company

• Feb 20, a malicious attack hit the company’s IT system

• Operations were either slowed or became unavailable

• Still recovering from the incident

 Shutdown of a Natural Gas Pipeline

• Malicious attack forced the shutdown of a natural gas pipeline in the

US

• Exact location not disclosed

• Attackers got control of the operations

• Imagine the consequence – catastrophic at a massive scale

 Citrix Systems Attack

• Networking software giant – best known for virtual private networking

(VPN) software

• Cyber criminals were inside Citrix networks for 5 months

• Accessed personal and financial data

• FBI alerted Citrix about the breach – caused by “password spraying”

 Citrix Systems Attack

Possible information taken

• Social security numbers
• Tax details
• Drivers license numbers
• Passport numbers
• Bank details
• Medical details
 Attack on Redcar and Cleveland

• Feb 20, council’s IT system was hacked through a malicious attack

with the following message on council’s website

“The requested service is temporarily unavailable. It is either

overloaded or under maintenance. Please try later.”

• Started working using paper and pens

 Marriot Hotels – 2018/19

• Massive breach of customer data ~ 500 million (later downsized to

383 million)

• Credit/debit card details, passport details

 Uber – 2017

• 57 million users data stolen (names, mobile numbers, license

information, and email addresses)

• Paid massive amount to the hackers just to cover up the breach –

failing to notify the affected customers

• CSO resigned
 Yahoo – 2016

• All accounts in 2013 and 2014 were compromised (3 billion

accounts)

• Did not disclose until 2016

• Compromised information included names, email addresses, phone

numbers, birthdates and security questions and answers
 CSI1101 – Computer Security

Some Case Studies Specific to Australia

Cybercrime Types Targeting Australians – Case Study 1
• A 26-year-old woman was looking for a room to rent and responded to an
advertisement on a popular Australian website

• The person who posted the ad informed the woman that they were
currently overseas on holiday, but would return to Australia in a week

• In order to secure the room, she was told to provide her full name and
date of birth, together with copies of her identity documents

• The woman sent through copies of her passport, birth certificate, driver’s
licence and employment history
 Cybercrime Types Targeting Australians – Case Study 1

• The advertiser then requested three months of rent in advance before they
would provide a copy of the lease

• It was at this point the woman suspected that she might be the victim of a
scam

• Subsequent investigation discovered that the scammer used the woman’s

stolen personal information to apply for a credit card in her name and
purchase over $10,000 worth of airline tickets, electronics and luxury items
 Cybercrime Types Targeting Australians – Case Study 2

• A 22-year-old man received a text message from what he thought

was his bank, indicating that an issue with his account had been
detected

• The text message contained a link taking him to a fake bank login
page, where he provided his bank login and driver’s licence details

• Within a matter of hours, cyber criminals had emptied his bank

account, and the man lost over $20,000
 Cybercrime Types Targeting Australians – Case Study 3

• A 35-year-old man sought to purchase a new vehicle online

• He found an online business advertising the exact model of car he was looking
for, at a heavily discounted price

• The online business claimed to offer delivery with a seven day return policy if the
buyer wasn’t satisfied

• The man paid $25,000 in advance for the car and a further $4,000 for shipping

• The car never arrived and the website disappeared

 Relevance of the Preceding Examples

• The preceding slides describe breaches of computer and information

security

• ALL of the attacks either attempted to access, alter or make assets

unavailable
 CSI1101 – Computer Security

Let’s Define Computer Security

 Understanding Computer Security

Computer security deals with computer-related assets that are

subject to a variety of threats and for which various measures are
taken to protect those assets
 Understanding Computer Security

• Three fundamental questions (relate this to the SunTzu quotes discussed

earlier)
§ What assets do we need to protect?
§ How are those assets threatened?
§ What can we do to counter those threats?
 Understanding Computer Security

NIST defines computer security as

“Measures and controls that ensure confidentiality, integrity, and

availability of information system assets including hardware, software,
firmware, and information being processed, stored, and
communicated”
 Aims of Security

The aims of Computer Security are:

– Confidentiality
– Integrity Often referred to as the CIA triad
– Availability
Some consider there to be only 3 aims i.e. CIA
– Authenticity Others consider there to be 5 aims
– Non-repudiation
 Confidentiality

• Information/systems should only be read and/or accessed by

authorised people – need to know principle

• Information/systems should be kept private, secret and out of the

hands of those who do not have authorisation to access it e.g.
‒ Organisations storing medical records have a legal, moral and ethical
obligation to keep information private
‒ Proprietary information kept secret by the industrial firm from their
competitors
 Importance of Confidentiality

Breaching confidentiality may result in a...

• Loss of revenue

• Loss of reputation

• Loss of clients/customers

• Embarrassment
 Ensuring Confidentiality

• Encryption: transformation of data using a secret, so that the

transformed data can only be read using another secret

• Access control: rules and policies that limit access to those people
and/or systems with a “need to know”

• Security, education, training and awareness

 Integrity
• Ensuring that information/systems have not been altered in an
unauthorised way

• Ensuring that information/systems have not been tampered with

‒ A storage drive malfunctions and corrupts stored data

‒ An employee makes unauthorised database changes

‒ Malware modifies files on a computer/server

‒ Wi-Fi data is modified/corrupt in transit

 Importance of Integrity

Breaching integrity may result in...

• Important decisions being made on information that is not trustworthy, correct
and error-free

• Corrupted information may be difficult to detect

• Untrustworthy/unreliable backups

Imagine a hospital ‘losing’ a patient because a single database value

was updated incorrectly
 Ensuring Integrity

• Cryptographic hashing algorithms

• Performing regular backups

• Data validation

• Security, education, training and awareness

 Availability

Ensures that information/systems are accessible and modifiable in a

timely fashion by those authorised to do so
• A website is overwhelmed by fake requests and cannot provide services to
clients

• An employee powers down a web server

• A storage drive malfunctions

• An Ethernet cable is removed from a switch

 Effect of Non-Availability

• Customers unable to make purchases online may take their business

elsewhere

• Critical decisions may need to be made, based on certain information

being readily available

• Patients in a hospital waiting to be served (UK NHS attack –

WannaCry)
 Ensuring Availability

• Access control

• Computational redundancies

• Physical protection mechanisms

• Security, education, training and awareness

 Authenticity

• Ensuring that an entity is able to prove or verify that it is who or what it

claims to be
• Is this Western Australian driver’s license real?

• Is this person really who they say they are?

• Is this document really what it purports to be?

• Is this really my bank’s web server?

• Verifying that the users are who they say they are and that input arriving
at the system came from a trusted source
 Non-Repudiation/Accountability

Ensuring that an entity is unable to falsely deny actions or behaviours

• Alice sends an email and then denies sending it

• Bob denies receiving an email when in fact he did receive it

• Frank refuses to pay the bill for an on-line purchase saying that the goods
were not received when in fact they were

• Bob denies accessing illegal content online

 Three or Five Aims?

• Some people consider confidentiality, integrity and availability to be

the major aims of security

• Some consider authenticity and non-repudiation to be aspects of first

three aims

• Others consider authenticity and non-repudiation to be aims in their

own right

• It depends on what resources you read

 Goals of Security

Three goals
• Prevent – attack will fail (e.g. use of strong password)

• Detect – attack cannot be prevented; the goal is to determine that an attack

has occurred and report it

• Recovery – two forms

• Stop an attack
• Assess and repair any damage caused by that attack
 Let’s test our Understanding

Identify the following as a violation of CIA or of some combination

thereof:
• Jack copies Mat’s homework
• Sophie crashes Lynda’s system
• Jack changes the amount of Sophie’s check from $100 to $1,000
• Mat forges Lynda’s signature on a deed
• Jack spoofs Mat’s IP address to gain access to his computer
 Tutorials/Workshops

• In this unit a number of different tools, applications and online

resources are used to expose you to the subject matter

• The legality of security tools will vary in certain jurisdictions

• Encryption tools are illegal in some countries
• Pen testing tools legality is contextualised