Kabul University

Computer Science Faculty

Information Systems Department

1. Overview of Computer Security

Adapted from:
Introduction to Computer Security, Matt Bishop

Hedayat Lodin | Sunday, November 01, 2020

OUTLINE

 Security
 Information Security
 Security Basic Components(Sec. Requirements)
 Confidentiality
 Integrity
 Availability
 Accountability
 Vulnerability, Threat, Attack
 Common Security Attacks

Saturday, January 02, 2021 Information Systems Department 2

Computer Science Faculty
Kabul University
OUTLINE

 Threat
 Security policy
 Security Measures
 Useful information?
 Essential Securities for Orgs
 Information System Components

Saturday, January 02, 2021 Information Systems Department 3

Computer Science Faculty
Kabul University
SECURITY

 The ability of a system to protect itself from accidental or

deliberate attacks.
 Information Security:
 The protection of information and its critical elements,
including the systems and hardware that use, store, and
transmit that information.

Saturday, January 02, 2021 Information Systems Department 4

Computer Science Faculty
Kabul University
INFORMATION SECURITY

 Information Security is defending digital information from

unauthorized:
 Access
 Use
 Recording
 Disruption / Interference
 Modification
 Destruction / Damage

Saturday, January 02, 2021 Information Systems Department 5

Computer Science Faculty
Kabul University
THE BASIC COMPONENTS

 Computer security rests on:

 Confidentiality
 Integrity
 Availability
 Accountability

Saturday, January 02, 2021 Information Systems Department 6

Computer Science Faculty
Kabul University
THE BASIC COMPONENTS

 Computer security rests on:

 Confidentiality
 Integrity
 Availability
 Accountability
 Also called Security Attributes/Security Goals/Security
Requirements.
 These attributes form the main objective of any security
system.

Saturday, January 02, 2021 Information Systems Department 7

Computer Science Faculty
Kabul University
THE BASIC COMPONENTS

 All security policies, controls, mechanisms, and safeguards

are implemented to provide one or more of these attributes.

 All risks, threats, and vulnerabilities are measured for their

potential capability to compromise one or all of the
attributes.

Saturday, January 02, 2021 Information Systems Department 8

Computer Science Faculty
Kabul University
THE BASIC COMPONENTS [Confidentiality]

 The concealment of information or resources.

 The need for keeping information secret arises from the use of
computers in sensitive fields.
 keeping information secret from all but those who are authorized
to see it.
 Also called secrecy or privacy

Saturday, January 02, 2021 Information Systems Department 9

Computer Science Faculty
Kabul University
THE BASIC COMPONENTS [Confidentiality]

 Access control mechanisms support confidentiality.

 One access control mechanism confidentiality is
cryptography.
 A cryptographic key controls access to the unscrambled /
decoded data, but then the cryptographic key itself becomes
another datum to be protected.

Saturday, January 02, 2021 Information Systems Department 10

Computer Science Faculty
Kabul University
THE BASIC COMPONENTS [Integrity]

 Preventing improper or unauthorized change.

 Refers to the trustworthiness of data or resources.
 Ensuring information has not been altered by
unauthorized or unknown means.
 Integrity mechanisms fall into two classes:
 Prevention mechanisms
 Detection mechanisms

Saturday, January 02, 2021 Information Systems Department 11

Computer Science Faculty
Kabul University
THE BASIC COMPONENTS [Integrity]

 Prevention mechanisms:
 Block unauthorized attempts to change the data.
 Detection mechanisms:
 Report that the data’s integrity is no longer trustworthy.
 Analyze system events to detect problems.

Saturday, January 02, 2021 Information Systems Department 12

Computer Science Faculty
Kabul University
THE BASIC COMPONENTS [Integrity]

 Working with integrity is very different from working with

confidentiality.

 With confidentiality, the data is either compromised or it is

not, but integrity includes both the correctness and the
trustworthiness of the data.

Saturday, January 02, 2021 Information Systems Department 13

Computer Science Faculty
Kabul University
THE BASIC COMPONENTS [Availability]

 Refers to the ability to use the information.

 The aspect of availability that is relevant to security is that
someone may deliberately arrange to deny access to data
or to a service by making it unavailable (Denial of Service
Attacks).
 keeping information accessible by authorized users when
required.

Saturday, January 02, 2021 Information Systems Department 14

Computer Science Faculty
Kabul University
THE BASIC COMPONENTS [Accountability]

 Refers to the availability and integrity of the identity of the

person who performed an operation.
 Accountability requires a clear definition of roles and
responsibilities for each team member.
 The requirements of accountability are detection and
separation.

Saturday, January 02, 2021 Information Systems Department 15

Computer Science Faculty
Kabul University
VULNERABILITY, THREAT, AND ATTACK

 A vulnerability: is a weakness in system design or

implementation and can be in hardware or software.
 Example: a software bug exists in the OS, or no password rules are
set.

Saturday, January 02, 2021 Information Systems Department 16

Computer Science Faculty
Kabul University
VULNERABILITY, THREAT, AND ATTACK

 A Threat is a set of circumstances that has the potential to

cause loss or harm
 Is an indication of potential undesirable event
 It refers to a situation in which
 A person could do something undesirable (an attacker
initiating a denial-of service attack against an organization's email
server), or
 A natural occurrence could cause an undesirable outcome (a
fire damaging an organization's information technology hardware).

Saturday, January 02, 2021 Information Systems Department 17

Computer Science Faculty
Kabul University
VULNERABILITY, THREAT, AND ATTACK

 A Risk is the possibility of suffering harm or loss.

 An attack: is a realization of a threat
 An attacker: is a person who exploit a vulnerability
 An attacker must have means, opportunity, and motive.
 Synonyms: enemy, adversary, opponent, eavesdropper, intruder.

Saturday, January 02, 2021 Information Systems Department 18

Computer Science Faculty
Kabul University
VULNERABILITY, THREAT, AND ATTACK

 Hacker: A person who have advanced knowledge of operating

systems and programming languages
 Might discover holes within systems and the reasons for such
holes
 Share what they discover but never intentionally damage data
 Cracker: The one who breaks into or violates the system
integrity of remote machines with the malicious intent, i.e.,
gaining unauthorized access
 Might destroy vital data, deny legitimate users services

Saturday, January 02, 2021 Information Systems Department 19

Computer Science Faculty
Kabul University
VULNERABILITY, THREAT, AND ATTACK

 A passive adversary is an adversary who is capable only of

reading from an unsecured channel
 An active adversary is an adversary who may also transmit,
alter, or delete information on an unsecured channel

Saturday, January 02, 2021 Information Systems Department 20

Computer Science Faculty
Kabul University
COMMON SECURITY ATTACKS

 Interruption, delay, denial of receipt or denial of service

 System assets or information become unavailable or are rendered
unavailable
 Interception or snooping
 Unauthorized party gains access to information by browsing
through files or reading communications.
 Modification or alteration
 Unauthorized party changes information in transit or information
stored for subsequent access.

Saturday, January 02, 2021 Information Systems Department 21

Computer Science Faculty
Kabul University
COMMON SECURITY ATTACKS

 Masquerade or spoofing
 Spurious information is inserted into the system or network by
making it appears as if it is from a legitimate entity.

Saturday, January 02, 2021 Information Systems Department 22

Computer Science Faculty
Kabul University
THREATS

 A potential violation of security.

 The actions that could cause violation.
 Those actions are called attacks.
 Those who execute such actions are called attackers.
 The security services, confidentiality, integrity,
availability, and accountability hostage threats to the
security of a system.

Saturday, January 02, 2021 Information Systems Department 23

Computer Science Faculty
Kabul University
THREATS

 Threats are divided into four classes:

 Disclosure
 Deception
 Disruption
 Repudiation

Saturday, January 02, 2021 Information Systems Department 24

Computer Science Faculty
Kabul University
THREATS

 Given a security policy’s specification of “secure” and “non-

secure” actions, these security mechanisms can:
 Prevent the attack
 Detect the attack
 Recover from the attack

Saturday, January 02, 2021 Information Systems Department 25

Computer Science Faculty
Kabul University
THREATS [PREVENTION]

 Means that an attack will fail.

 Involves implementation of mechanisms that users cannot
override such as passwords have become widely accepted.

Saturday, January 02, 2021 Information Systems Department 26

Computer Science Faculty
Kabul University
THREATS [DETECTION]

 Most useful when an attack cannot be prevented.

 Accept that an attack will occur; the goal is to determine that
an attack is under way, or has occurred, and report it.
 For example, give a warning when a user enters an incorrect
password three times.

Saturday, January 02, 2021 Information Systems Department 27

Computer Science Faculty
Kabul University
THREATS [RECOVERY]

 Recovery has two forms.

 The first is to stop an attack and to assess and repair any
damage caused by that attack.
 As an example, if the attacker deletes a file, one recovery
mechanism would be to restore the file from backup tapes.

Saturday, January 02, 2021 Information Systems Department 28

Computer Science Faculty
Kabul University
THREATS [RECOVERY]

 In a second form of recovery, the system continues to

function correctly while an attack is under way.
 This type of recovery is quite difficult to implement because
of the complexity of computer systems.
 It draws on techniques of fault tolerance as well as
techniques of security and is typically used in safety-critical
systems.

Saturday, January 02, 2021 Information Systems Department 29

Computer Science Faculty
Kabul University
SECURITY POLICY

 A security policy states what is, and is not, allowed

 Is a document describing a company’s security controls and
activities.
 Does not specify technologies
 Examples:
 Policy: Password construction Account names must not be used
in passwords.
 Policy: Confidentiality of Personal information all personal
information must be treated as confidential.
 A security Policy is a guideline for implementing security
measures.
Saturday, January 02, 2021 Information Systems Department 30
Computer Science Faculty
Kabul University
SECURITY MEASURES

 Security measures include techniques for ensuring:

 Prevention: such as encryption, user authentication, one
time password, anti-virus, firewall, etc.
 Detection: such as IDS (Intrusion Detection Systems),
Monitoring tools, Firewall log, digital signature, etc.
 Reaction (or recovery): Such as Backup systems, OS’s recovery
points, etc.
 Encryption, Digital Signature, User Authentication, Antivirus, IDS
and firewalls, Database Security, Web Security, etc.

Saturday, January 02, 2021 Information Systems Department 31

Computer Science Faculty
Kabul University
THE USEFUL INFORMATION?

 Data
 Information
 What characteristics should information possess to be useful? It
should be: accurate, timely, complete, verifiable, consistent,
available.

Saturday, January 02, 2021 Information Systems Department 32

Computer Science Faculty
Kabul University
ESSENTIAL SECURITIES FOR ORGANIZATIONS

 A successful organization should have the following multiple

layers of security in place to protect its operations:
 Physical security
 Personnel security
 Operations security
 Communications security

Saturday, January 02, 2021 Information Systems Department 33

Computer Science Faculty
Kabul University
INFORMATION SYSTEM COMPONENTS

 Entire set of:

 Data,
 Software,
 Hardware,
 Networks,
 People,
 Procedures and
 Policies

Saturday, January 02, 2021 Information Systems Department 34

Computer Science Faculty
Kabul University
INFORMATION SYSTEM COMPONENTS

 These critical components enable information to be:

 Input,
 Processed,
 Output, and
 Stored.

Saturday, January 02, 2021 Information Systems Department 35

Computer Science Faculty
Kabul University
INFORMATION SYSTEM COMPONENTS

 Each of these IS components has its own strengths and

weaknesses, as well as its own characteristics and uses.

 Each component of the information system also has its own

security requirements.

Saturday, January 02, 2021 Information Systems Department 36

Computer Science Faculty
Kabul University
INFORMATION SYSTEM COMPONENTS

 Software
 Software is perhaps the most difficult IS component to
secure.
 The information technology industry reports warning of
holes, bugs, weaknesses, or other fundamental problems in
software.
 Software programs become an easy target of accidental or
intentional attacks.

Saturday, January 02, 2021 Information Systems Department 37

Computer Science Faculty
Kabul University
INFORMATION SYSTEM COMPONENTS

 Hardware
 Hardware is the physical technology that houses and
executes the software, stores and transports the data,
and provides interfaces.
 Physical security policies deal with hardware as a
physical asset and with the protection of physical assets
from harm or theft.

Saturday, January 02, 2021 Information Systems Department 38

Computer Science Faculty
Kabul University
INFORMATION SYSTEM COMPONENTS

 Data
 Data stored, processed, and transmitted by a computer
system must be protected.
 Data is often the most valuable asset and the main target of
intentional attacks.

Saturday, January 02, 2021 Information Systems Department 39

Computer Science Faculty
Kabul University
INFORMATION SYSTEM COMPONENTS

 People
 Though often ignored in computer security
considerations, people have always been a threat to
information security.

Saturday, January 02, 2021 Information Systems Department 40

Computer Science Faculty
Kabul University
INFORMATION SYSTEM COMPONENTS

 Procedures
 Another frequently overlooked component of an information
system is procedures.
 Procedures are written instructions for accomplishing a
specific task.
 When an unauthorized user obtains an organization’s
procedures, this poses a threat to the integrity of the
information.

Saturday, January 02, 2021 Information Systems Department 41

Computer Science Faculty
Kabul University
INFORMATION SYSTEM COMPONENTS

 Networks
 The IS component that need for increased computer and
information security is networking.
 When information systems are connected to each other to form
local area networks (LANs), and these LANs are connected to
other networks such as the Internet, new security challenges
rapidly emerge.

Saturday, January 02, 2021 Information Systems Department 42

Computer Science Faculty
Kabul University
QUESTIONS

Saturday, January 02, 2021 Information Systems Department 43

Computer Science Faculty
Kabul University