
CSC 410 Day 28

Computer Security

Admin.

Plan.

◦ 1. Suggested Structure for Project Plan, due Monday April 4th.

◦ 2. Computer Security.

1. Suggested Structure for Project Plan due Monday 4/4.
1. Introduction.
◦ A) Explain the topic.
◦ B) State your thesis.
◦ C) Outline the rest of the paper.
2. Define key IT and philosophical terms.
3. Present some real-world examples.
4. Explain the relevance of vocation, ethical
theory, and the professional codes, and
develop arguments for your thesis.
5. Consider and respond to objections to
your thesis.
2. Computer Security.
1) Confidentiality
◦ Is sensitive data kept private and in the right
hands?
2) Data integrity
◦ Is data rightly used and not corrupted?
3) Ease of use.
◦ Does it help or hinder the use of the system?
4) Monitoring.
◦ Is monitoring used to detect misuse but not to
invade privacy of legitimate users?

Trade-offs:
1) Confidentiality should protect the innocent.
◦ But it can also be used to wrongly withhold
information or hide misinformation.
2) Protecting data integrity keeps out
unauthorized access.
◦ But it may make it difficult for legitimate users to
upgrade or respond to emergencies.
3) Good security can increase confidence so
users can trust a system.
◦ But it can make people careless.
4) Monitoring can detect misuse.
◦ But it can also be used to spy.
More security:
Allows people to get on with their real work, not
being sidetracked by “firefighting.”

But:
◦ 1) it consumes resources;
◦ 2) it may make a system run slower;
◦ 3) it reduces ease of use;
◦ 4) time is lost in security upgrades;
◦ 5) it promotes paranoia and false alarms;
◦ 6) it requires emergency overrides, and these
introduce new security holes!
Security threats include:
External Threats
◦ Confidentiality breach
◦ Fraud and theft
◦ Infection with malware
◦ Remote monitoring or control
◦ Denial of service / resource attacks
Internal Threats
◦ Misuse of software and data by employees
◦ Embezzlement
◦ Spying or unauthorized data disclosure
◦ Installing monitoring or malicious software
Neumann’s 3 gaps:
1) Technological gap
◦ The gap between what the system should enforce
and what it does enforce
2) Sociotechnical gap
◦ The gap between computer policies and the
existing laws and professional codes of ethics that
society expects to be upheld.
3) Social gap
◦ The gap between moral expectations and actual
human behavior (a result of sin!)
Narrowing the gaps
1) Technological gap
◦ Requires adoption of security protocols and
software so that the system enforces policies of
confidentiality, data integrity, etc.
2) Sociotechnical gap
◦ Requires security protocols and software to
comply with laws and professional codes.
3) Social gap
◦ Requires more ethical and legal education,
promotion of virtue and accountability for misuse
of computer systems.
Effects of poor security 1
1) Loss of confidentiality
◦ Data may be given away or obtained deliberately
or inadvertently. Even if data is not deliberately
disclosed or stolen, it may end up in the wrong
hands.

2) Loss of system integrity
◦ Data or software may be updated incorrectly,
leading to a lack of internal consistency with the
company’s other data or a lack of external
consistency with the real world.
Effects of poor security 2
3) Denial of service / resources
◦ This leaves a system unusable or very slow, and
can prevent mission-critical programs from
running on time.

4) Wider social consequences
◦ Identity theft and violation of human rights by
government or companies
◦ Theft of data and software
◦ Impact on health and safety
◦ Legal problems
Ensuring proper use of IT depends on:
Identification
◦ Is it possible to identify the user of a system (i.e.
they are not anonymous)?
Authentication
◦ Can we determine if this user is who he/she claims
to be?
◦ Do they have the right credentials: password,
digital signature, biometric data ?
◦ Are they impersonating someone else?
Authorization
◦ Is this user within his/her access privileges?
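The three checks above, run in order and recorded for monitoring, as an added Python example that is not from the slides; the user store, salt, roles and permission table are constructed for illustration:

```python
import hashlib
import hmac

# Constructed sample data (hypothetical, not from the slides): a salted
# PBKDF2 password hash per user, the user's roles, and which roles may
# perform which action.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT_ALICE = b"constructed-salt-alice"
USERS = {
    "alice": {"salt": _SALT_ALICE,
              "hash": _hash("correct horse", _SALT_ALICE),
              "roles": {"analyst"}},
}
PERMISSIONS = {"read_report": {"analyst", "admin"}, "delete_report": {"admin"}}
AUDIT_LOG = []  # monitoring: who asked for what, and the outcome

def identify(username: str) -> bool:
    """Identification: is the claimed identity a known, non-anonymous user?"""
    return username in USERS

def authenticate(username: str, password: str) -> bool:
    """Authentication: does the presented credential prove the claim?"""
    if not identify(username):
        _hash(password, b"dummy-salt")  # keep timing similar for unknown users
        return False
    rec = USERS[username]
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])

def authorize(username: str, action: str) -> bool:
    """Authorization: is this action within the user's access privileges?"""
    roles = USERS.get(username, {}).get("roles", set())
    return bool(roles & PERMISSIONS.get(action, set()))

def request(username: str, password: str, action: str) -> str:
    """Apply the three checks in order; log the outcome but never the password."""
    if not identify(username):
        outcome = "unknown-user"
    elif not authenticate(username, password):
        outcome = "bad-credential"
    elif not authorize(username, action):
        outcome = "not-authorized"
    else:
        outcome = "allowed"
    AUDIT_LOG.append((username, action, outcome))
    return outcome
```

The log records only identity, action and outcome, which is what misuse detection needs, without exposing credentials.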
2. Hacking
Hacking may be malicious or non-malicious in
intent, is usually unauthorized, but not always,
and can be pursued for various reasons:

1) “educational”
2) to “test a system”
3) deliberate snooping, theft or vandalism
4) at a company’s request: “ethical hacking”
The 7 types of hackers part I.
https://securingtomorrow.mcafee.com/consumer/family-safety/7-types-of-hacker-motivations/

“1) White Hat Hackers: These are the good guys, computer security
experts who specialize in penetration testing and other methodologies to
ensure that a company’s information systems are secure. These IT security
professionals rely on a constantly evolving arsenal of technology to battle
hackers.

2) Black Hat Hackers: These are the bad guys, who are typically referred
to as just plain hackers. The term is often used specifically for hackers who
break into networks or computers, or create computer viruses. Black hat
hackers continue to technologically outpace white hats. They often manage
to find the path of least resistance, whether due to human error or laziness,
or with a new type of attack. Hacking purists often use the term “crackers”
to refer to black hat hackers. Black hats’ motivation is generally to get
paid.

3) Script Kiddies: This is a derogatory term for black hat hackers who use
borrowed programs to attack networks and deface websites in an attempt to
make names for themselves.

4) Hacktivists: Some hacker activists are motivated by politics or religion,
while others may wish to expose wrongdoing, or exact revenge, or simply
harass their target for their own entertainment.
The 7 types of hackers part II.
https://securingtomorrow.mcafee.com/consumer/family-safety/7-types-of-hacker-motivations/

5) State Sponsored Hackers: Governments around the globe realize that it
serves their military objectives to be well positioned online. The saying
used to be, “He who controls the seas controls the world,” and then it was,
“He who controls the air controls the world.” Now it’s all about controlling
cyberspace. State sponsored hackers have limitless time and funding to
target civilians, corporations, and governments.

6) Spy Hackers: Corporations hire hackers to infiltrate the competition
and steal trade secrets. They may hack in from the outside or gain
employment in order to act as a mole. Spy hackers may use similar tactics
as hacktivists, but their only agenda is to serve their client’s goals and get
paid.

7) Cyber Terrorists: These hackers, generally motivated by religious or
political beliefs, attempt to create fear and chaos by disrupting critical
infrastructures. Cyber terrorists are by far the most dangerous, with a wide
range of skills and goals. Cyber Terrorists’ ultimate motivation is to spread
fear, terror and commit murder.”
Unauthorized Hacking I
All information should be free!

◦ What is the argument?

◦ What sort of argument is it ethically?

◦ What is a possible response from a critic?
Costs of free information
Lack of privacy

Cannot maintain critical data in its correct form

Breakdown of trust in transactions and records

Undermines motivation to develop new ideas,
programs or other intellectual property
Unauthorized Hacking II
It is good for a company!

◦ What is the argument?

◦ What sort of argument is it ethically?

◦ What is a possible response from a critic?
Costs of security breaches:
Compels companies to expend more time and
resources on security
A laborious audit is needed to find out what the
hacker did
Not all companies can afford the upgrades
Burglars cannot say in a court of law, “your
locks were bad: you were asking for it.”
The cost of security fixes is passed on to
customers.
Unauthorized Hacking III
No-one was using that computer!
◦ If everyone scavenged unused capacity, computers
would lock up
◦ We don’t accept: you can joyride my car and crash
it because I am not using it, or party in my house
because I am at work!
I learned a lot!
◦ Not serious principles of IT design
◦ Not how to treat others’ property with respect
◦ Hackers don’t know most of the consequences of
their actions, so they can’t learn from them
Unauthorized Hacking IV
I am protecting you from Big Brother!
◦ If data is being used by governments and
companies, hacking may make them more secretive
and abusive.

◦ Hackers may expose data to criminals or hostile
governments, compromise corporate trade secrets
and harm national security.

◦ Exposed individuals may be targeted, e.g. job loss or
even assassination if national security operatives.