COMPUTER SECURITY

Definition & need

 Definition & Need For Security:

“Computer Security is the protection of computing systems and

the data that they store or access.”
 Information is a strategic resource
 A significant portion of organizational budget is spent on
managing information
 There are many types of information have several security
related objectives
 confidentiality (secrecy) - protect info value.
 Integrity - protect info accuracy
 availability - ensure info delivery
KEY OBJECTIVES
 Security basics : CIAAN

Authentication : Process ensures that the origin of the data/message

is correctly identified.
Confidentiality: No unauthorized persons should able to view data
and only those who have authority can view or use that data.
Integrity : only authorized person can able to generate view and
modify the data.
Availability : System[Data/Information] should be available itself
when authorized person access it at any time.
Non-Repudiation : Non repudiation does not allow sender to refuses
the claim of not sending messages.
Access Control: Access control is a security technique that can be
used to regulate who or what can view or use resources in a
computing environment.
 CONFIDENTIALITY

The principal of confidentiality specifies that only

the sender and the intended recipient(s) should be
able to access the contents of a message.
We can ensure by
1.Require strong authentication
2.Strict access controls
3.Encryption of data
So, it cannot be interpreted and accessed during
transmission.
 INTEGRITY

Integrity means you cannot alter or substitute data,

and if some changes are made than they should
detectable and provable.
When the contents of a message are changed after
the sender sends it, but before it reaches the intended
recipient, we say that the integrity of the message is
lost.
The information should not be changed expect by an
authorized agent.
 AVAILABILITY

The principle of availability states that resources (i.e.

information) should be available to authorized
parties at all times.
CIA TRIAD
 Risk and Threat Analysis

Asset : “a useful or valuable thing”

Vulnerability: A system that can leave it open to attack .
A vulnerability may also refer to any type of weakness
in a computer system itself, in a set of procedures, or in
anything that leaves information security exposed to a
threat.
 Threats : “Anything that has the potential to cause
serious harm to a computer system”
 A threat is something that may or may not happen, but
has the potential to cause serious damage.
 Risk & Countermeasures

Risk: Risk is the possibility or chance of loss, danger

or injury.
Counter measures: A countermeasure is an action,
process, device, or system that can prevent, or
mitigate the effects of, threats to a computer, server
or network. In this context, a threat is a potential or
actual adverse event that may be malicious or
incidental, and that can compromise the assets of an
enterprise or the integrity of a computer or network.
THREATS TO SECURITY
Viruses
 Viruses

 A virus is a piece of software that can “infect” other

programs by modifying them; the modification includes a
copy of the virus program, which can then go on to infect
other programs.
 Program or code that attackers itself to the application and
runs whenever that application runs.
 Viruses modify the program functionality. Almost all
viruses are attached to the executable file , which means the
virus may exists on a system but will not be active or able to
spread until a user runs or opens the malicious host file or
program files deletion on launching media player
application.
Virus Phases
Virus Types
Virus Types
Virus Types
 Virus Types

Parasitic Virus
Memory Resident Virus
Boot Sector Virus
Stealth Virus
Polymorphic virus
Metamorphic Virus
Assignment: Study all of this how it works?
Worms
 Worms

Computer worms are similar to viruses in that they

replicate functional copies of themselves and can
cause same type of damage.
In contrast to viruses, which requires spreading of
an infected host file, worms are standalone software
and do not require a host program or human to
propagate.
Consumes more recourses and makes system slow
down.
Worms
Trojan Horse
Logic Bomb
 INTRUDER

The act of deliberately accessing computer systems

and networks without authorization is generally
referred to as hacking, with individually who
conduct this activity being referred to as hackers.
“An intruder is a person who attempts to gain
unauthorized access to a system, to damage that
system, or to disturb data on that system.”
 Three classes of intruders

Masquerader: (pretend to be someone one is not)

 An individual who is not authorized to use the computer and who
penetrates a system’s access control to exploit a legitimate user
account.()

Misfeasor: (authentic user doing unauthorized actions)

A legitimate user who access data, program or recourses for which
such access is not authorized, or who is authorize for such access
that misuses his or her privileges.

Clandestine (secret) user: ( done secretively)

An individual who seizes supervisory control of the system and
uses this control to evade auditing and access controls or to
suppress audit collection
 INSIDERS

An insider threat is a security risk that originates

from within the targeted organization. It typically
involves a current or former employee or business
associate who has access to sensitive information or
privileged accounts within the network of an
organization, and who misuses this access.
Insiders
 Avenue of attack

A computer system is attacked for two general

reasons: it is specifically targeted by the attacker, or
it is a target of opportunity.
For example, an individual in one country
might attack a government system in another
country to gather secret information.
 THE STEPS IN AN ATTACK

The steps an attacker takes in attempting to penetrate a

targeted network are similar to those that a security
consultant performs during a penetration test.
The following outlines the common steps of the hacking
process:

1. Reconnaissance (also known as profiling , Information

Gathering)
2. Scanning(Determination of target system)
3. Researching vulnerability(finding possible vulnerability
and suitable tools)
4. Performing the attack(Attack to the targeted system.)
 Types of attack

Active Attack : These types of attack will alter system

resources or will affect there operation. Active attack “
Involve some modification of the data stream or the
creation of a false stream and can be subdivided into
four subcategories : Masquerade, Replay, Modification
of message and Denial of service.”
Passive attack: These types of attack will learn and
make use of information without affecting system
resources. “ Attempts to learn or make use of
information from the system but does not affect system
resources.”
 Types of attack

Inside attack [insider]: these types of attack is carried out by user inside
organization. These are the authorized users to access the system resources
Out side Attack [An outsider]:Out sider can be any unauthorized user who is
from outside the organization. :Define following terms:
Assets: Assets is any thing which has some value. In computer world assets
is Data, devices, hardware software, information etc.
Vulnerability: it is weakness in the system.
Threats: Threats is an action taken by attacker who try to exploit
vulnerabilities to damage assets
Risk is an incident or attack that can cause damage to system.
An attack against a system can be done by sequences of actions, exploiting
weak point until attackers goal is not achieved,

Risk= Assets X Threats X Vulnerabilities

Active Attack
 DENIAL-OF-SERVICE-ATTACKS(DoS)
and DISTRIBUTED DoS(DDoS)

In a dos attacks, the attacker attempts to deny authorized users access
either to specific information or to the computer system or network
itself. This can be accomplished by crashing this system-taking it offline-
or by sending so many requests that the machine is overwhelmed.

The purpose of a dos attack can be simply to prevent access to the target
system, or the attack can be used in conjunction with other action to
gain unauthorized access to a computer or networks.

In DDOS attacks service is denied by over whelming the target with
traffic from many different systems. A network of attack agents
(sometime called zombies)is created by the attacker, and upon receiving
the attacks agents Commence sending a specific type of traffic against
the target.
Distributed DENIAL-OF-SERVICE-ATTACK
 BACKDOORS AND TRAPDOORS

Backdoors were originally methods used by software

developers to ensure that they could gain access to
an application even if something were to happen in
the future to prevent normal access methods.
 SNIFFING

 Sniffing is when someone examines all the network traffic

that passes their NIC, whether addressed for them or not.
 A network sniffer is a software or hardware device that is
used to observe traffic as it passes through a network on
shared broadcast media.
 Network sniffer used by network administrator to monitor
performance, traffic analysis, network bandwidth analysis
and troubleshoot certain problems.
 SPOOFING

Spoofing is when you assemble packets with false

header information to device (believe in false) the
receiver as to the true address of the sender. This can
be done to manipulate return packets in the case of
ping sweeps, or to provide anonymity(condition of
being unknown) for mail.
Man - in - Middle Attacks.(MIM)
 TCP/IP HACKING

TCP/IP hacking and session hacking are terms used

to refer to the process of taking control of an already
existing session between a client and a server.

The advantage to an attacker of hijacking over

attempting to penetrate a computer system or
network is that the attacker doesn’t have to
circumvent any authentication mechanisms, since
the user has already authenticated and established
the session.
 PHISHING

Phishing is the use of fraudulent e-mails or instant

messages that appear to be genuine but are designed
to trick users.
 SQL INJECTION

SQL injection is a code injection technique, used to

attack data-driven applications, in which malicious
SQL statements are inserted into an entry field for
execution (e.g. to dump the database contents to the
attacker).
 Identification Authentication
and Operational Security

Username and Password

•When first time user log on to computer ask for user
name and password.
•The first step is called Identification, purpose is Who
you are ?
•Second is called Authentication, what you access ?
•If your username and password is correct then you
successfully log into computer, and if username or
password is incorrect then login screen display again.
•Some times incorrect attempts will be count and if
threshold attempts reached system prevent to login again.
 Managing Password

• All time we try not to disclose password at any level.

• There are number of tools to crack password.
• Send password through courier with personal delivery.(Banks
normally use it)
• Send Password through information given in the form like email
or Mobile number, use that password for one time only.
• Ask user to change that password in first login only.
• Confirmation should send through mail or activate account
through particular link only.
• Do not relay only on password also use some key, this key will
be generated through device or generate online and send
through mail or mobile number.
• Do not use vehicle no, computer name,spell backwords like
drowssap etc
 Choosing a password

• Do not choose password base upon personal data.

• Do not choose password that is English dictionary word, TV
show, keyboard sequence.
• Do not choose password that is append special character. Like
pasword123, password!, password* etc..
• Do not choose password less then 8 characters.
• Do not only use characters, numbers.
• Avoid guessable words, or easily traceable.
• Do not choose Default Passwords
• Do not use password as name of spouse, child ,surname,
friends name etc
• Do not give same password to all account.
 Best method to choose password

• Select more that 8 characters in a password.

• Create a phrase or series of letters randomly but easy
to remember like :I Have Two Kids
:Jack And Jill
• Convert it like ihtk:jaj
• Add numbers in it ih2k:jaj
• Add special characters like ih2k:j&j
• Use combinations of upper case and lower case like
Ih2k:J&j
• Make following password
• My name is Bond: James Bond.
• We lives in Maharashtra: Pune
• I like chicken
• I love my country: India.
 Role of people in security

Password Selection
• Make your password as long as possible.
• Use many characters as possible like Upper case, Lower
case, Numbers Special Characters etc.
• Do not use personal data, like account no, mob. No.
• Change your password regularly, ideally after 30 ,60 or 90
days.
• Make sure that password is hard to crack but easy to
remember.
• Do not write down password any ware like on table,in a
computer file, in your personal dairy.
 Password Selection Strategy

• User Education
• Computer Generated Password.
• Reactive Password.
• Proactive Password.
 User Education

 Tell computer users importance of hard-to guess password.

 Give password selection guidelines.
 Do not tell your password to unknown person.
Computer Generated Password
 Computer generated password also have some problem, it
is reasonable random in nature but very difficult to
remember like : gTs!P5w2q.
 Many time users write it down.
 Automated password generators use random characters and
numbers generator.
 Many system generator passwords is used for one time only or at
first login we have to change it.
 Reactive Password Checking

 In this scheme system periodically run it’s own password cracker

and find out guessable password.
 If system found system cancel it and inform to user.
 This method has number of drawbacks, it will take hours to
check the system.
 Many vulnerable passwords existing until reactive password
checker find it.
 Reactive password system is not available in each system.
 Proactive Password Checking

 It is the most promising approach to improve password , in

this scheme user is allowed to select his/her own password.
 However at the time of selection system check the
password if the password is allowable then allow or reject
it.
 Such systems are designed by considering all guidelines .
 Some systems are show bar between weak and strong
password.
 If system continuously reject password it means that user gives
weak password.
 It will also provide guidelines to select passwords.
 Piggybacking
• Piggybacking is the simply access of a wireless connection closely
behind a person who just used there own access card on PIN to
gain physical access to a room or building, without knowing to
subscriber
• They get access to facility to without knowing to
authorized persons.
• In short, access of wireless internet connection by bringing one’s
computer within range of another wireless connection without
permission.
Reasons for piggy backing:
• Avoid paying required access fees.
• Gain access to area which is completely restricted .
• To hide identification.
• Person forgotten or loss it’s access key.
 Shoulder Surfing

• In shoulder surfing refer to use direct observation

 technique. looking overs some one ‘s shoulder to get information.

• This method is effective in crowded places because it is relatively easy to observe

some one’s activity like:
– Entering password or PIN number in the computer.
– Fill out form
– Entering access code in ATM or public places.

– Shoulder surfing can be done at a distance using vision

 enhancing devices.

• To avoid shoulder surfing it is advice to hide keypad by using body.

• Do not use computer in crowded places like cyber café ,libraries or places where
people are very close to you.
 Dumpster Diving

• Dumpster Diving is method by which attacker search for

important system information by diving into the dump. The
search is carried out in paper waste, electronic waste such as
old HDD, floppy and CD media recycle and trash bins on the
systems etc.
• attackers tries to extracts passwords, system configuration,
network configuration, user lists from these list from these
methods, and gain access to these important details.
• Dumpster diving is learning anything
valuable from your trash,
• Experts recommended that company should m policy
where all paper, including printouts and important
documents should be erased properly and recycled.
Unauthorized Software/Hardware installation

• Installing software from unauthorized sources will

automatically install some software which user don’t
want.
• Such software may be harmful to your system.
– Such software may contain viruses which infect your system
or network.
– May send unwanted messages from your system.
– These software should be pirated, leads penalties incase of
audit.
– May contain spyware that will capture information and send to
unauthorized persons.
 Individual User Responsibility

• Every Computer User must aware about computer

security aspects, comprised security by doing following
things –
– Execute program from unknown or unreliable sources.
– Opening and accessing documents from unsecure sources.
– Exposing password or not protecting them.
– Access computer network remotely.
– Opening e-mails and their attachments from untrusted
origin .
– Download plugging and active-X controls.
• To secure computer system avoid these
points.
 Access Control

• Access control is the ability to permit or deny use of

particular resource by a particular entity.
• Access control mechanism is minimize physical
resource, logical resources or digital resources.
• Access control techniques:
– Discretionary Access Control (DAC)
– Mandatory Access Control (MAN)
– Role Base Access Control (RBAC)
 Discretionary Access Control (DAC)

• Discretionary Access Control: This is a type of access control in

which user has complete control over all the programs it own and
execute.
• DAC is an access policy determined by the owner of an object.
Owner decide who is allowed to access the object and what
privilege they have .
• Two important aspects:
 File and Data Ownership : Every object in the system has an owner . In
most DAC system initial owner is subject that cause it to be created.
– Access policy for an object is determine by it’s owner
 Access rights and Permissions : These are the control that an owner can
assign to other subjects for specific resources
 Mandatory Access Control (MAN

• In this control administrator cam manages the access control. The

administrator can define uses of access policy , which can not be modify
or change by user.
• MAC is used in multilevel system that process highly sensitive data, such
as classified Government and military information.
• Sensitive labels: All subjects and objects must have labels assigned to
them. A subject sensitive label specify the level of truth required to
access a given object.
• Data Import and Export: Controlling import of information from other
system is a critical function of MAC base system, which must ensure that
sensitive label are properly maintain.
• Rule Base access control: These type of control further define specific
condition for access.
 Role Base Access Control (RBAC)

• RBAC is an access control is determine by the system not by the owner, This
type of access control is used in commercial applications and also in military
system. where multi level access control is required
• ABAC and DAC is differ in nature as DAC allow user to control but in RBAC
system access is controlled by the system which is outside user’s control.
• Three Rules are defined fro RBAC:
– Role Assigned: Subject can execute a transaction, only if the
subject has selected or being a role.
– Role authorization : A subject’s active role must be authorize

 for the subject.

– Transaction authorization : A subject can execute a transaction only if
transaction is authorized, this insures that user can execute only
transaction for which they are authorized.
 BIOMETRICS

 “Biometric refers to the study of method for uniquely recognizing

human based upon or one of more physical behavioral
characters.
• Physiological are related the shape of the body. For example
Fingerprints, Face recognition, DNA, Palm print, iris recognition ,retina
scan.
• Behavioral are related to the behavior of a person, typing
rhythm, signature and voice.
• Why human characters can be used for Biometric:
– Universality : Every person should have these
characters
– Uniqueness : biometric separates each individual
from another.
– Collect ability: Easy to collect samples for measurements.
– Performance: accuracy speed and robustness of technology
used.
– Acceptability: Degree of approval of a technology.
• Biometric work on following two modes.
• Verification : A one two one comparison of a
capture biometric with a stored temple to verify that
individual is who he claim to be.
• Identification: A one to many comparison of the
captured biometric against a biometric database in
attempt to identify an unknown individual.
Block diagram of Biometric Device