Computer and Information

Security

Mary Komunte
Ethical use of Information Security
• We discuss vulnerabilities and attacks
– Most vulnerabilities may be fixed
– Some attacks may still cause harm
– Do not try these at home, work places or
anyplace else
• Purpose of this class
– Learn to prevent malicious attacks
– Use knowledge for good purposes
 What is security?

• Security is considered as a means to prevent

unauthorized access, use, alteration, theft or
physical damage to property.
• Most security problems are intentionally caused
by malicious people trying to gain some benefit
or harm someone.
 Information Security
• The concepts, techniques and
administrative measures used to protect
information assets from deliberate or
inadvertent unauthorized acquisition,
• damage,
• disclosure,
• manipulation,
• modification,
• loss, or use.
 Information security
• It is concerned with making sure that snooping people can not
read, or worse yet, modify messages intended for other recipients.
• Students have fun snooping on other people’s emails, files,
• hacker hacks to test out someone’s security system or steal
information,
• businessman causes breach in security to discover a competitor’s
strategic marketing plan,
• an ex-employee leaks information to get revenge for being fired,
• a terrorist to steal germ warfare secrets.
• All these unauthorized access to information system causes
serious security problems.
 Computer Security cont--
• Is the protection of data in a system against unauthorized
disclosure, modification, or destruction and the
protection of the computer system itself against
unauthorized use, modification or denial of service in
order to attain the applicable objectives of preserving the;
• integrity,
• availability
• and confidentiality
of information system resources (includes hardware,
software, firmware, information/data, and
telecommunications).
CIA Triad
 Confidentiality
• Limited observation and disclosure of knowledge only
to authorized individuals.
• Information about system or its users cannot easily be
learned by an attacker
• Technological advances both help and hinder its progress.
• Need for keeping information secret arising from use of
computers in sensitive fields such as government and industry
• Access mechanisms, such as cryptography, support
confidentiality
– Example: encrypting income tax return
• Lost through unauthorized disclosure of information
 Integrity
• Integrity: Completeness, wholeness, and
readability of information, and the quality of
being unchanged from a baseline state.
• Often requires preventing unauthorized
changes/ modification of files and maintaining
the status quo.
• Integrity is lost through unauthorized
modification or destruction of information
 Availability
• Ensures timely and reliable access to and use of
information
• Actions by an attacker do not prevent users
from having access to use of the system when it
is needed.
• Lost through disruption of access to
information or information system called
denial of service attacks (DoS).
 Computer and Information Attacks

• Physical security : is the protection of personnel,

hardware, programs, networks, and data from
physical circumstances and events that could
cause serious losses or damage to an enterprise,
agency, or institution.
 Breaches of Physical Security
• Examples of physical threats include:
• Natural events (e.g., floods, earthquakes, and tornados)
• Other environmental conditions (e.g., extreme
temperatures, high humidity, heavy rains, and
lightening)
• Intentional acts of destruction (e.g., theft, vandalism,
arson and terrorism )
• Unintentionally destructive acts (e.g., spilled drinks,
overloaded electrical outlets, and bad plumbing)
 Breaches of Physical Security…

• An unauthorized person gets into the data center

and is able to physically access servers.
• An unauthorized person gets into the office and
connects his or her own computer to an open
network port or company WiFi accessing company
resources over the company network.
• An unauthorized person gets into the office and
uses an employee’s workstation or laptop that was
left unattended, allowing them access to whatever
resources the employee’s login grants them.
 Breaches of Physical Security…
• A “denial-of-service” attack is characterized by an explicit
attempt by attackers to prevent legitimate users of the service
from using that service.
• Flooding a network, thereby preventing legitimate network
traffic;
• Disrupting a server by sending more request than it can
possibly handle, thereby preventing access to a service;
Preventing a particular individual from accessing a service;
• Disrupting service to a specific system or person.
 Breaches of Personnel Security

Masquerading
• Masquerading occurs when one person uses the identity of another to
gain access to a computer . This may be done in person or remotely.
• In person, a criminal may use an authorized user's identity or access
card to get into restricted areas where he will have access to computers
and data.
• This may be as simple as signing someone else‘s name to a sign in sheet
at the door of a building.
• It may be as complex as playing back a voice recording of someone
else to gain entry via a voice recognition system.
• Electronically, an unauthorized person will use an authorized user's
login ID, password, personal identification number (PIN), or telephone
access code to gain access to a computer or to a particular set of
sensitive data files.
 Breaches of Personnel Security

Social Engineering
• Social engineering is the name given a category of attacks in
which someone manipulates others into revealing information that
can be used to steal data or subvert systems.
Harassment
• A particularly nasty kind of personnel breach we've seen lately is
harassment on the Internet. Sending threatening email messages
and slandering people on bulletin board systems and newsgroups
is all too common.
• the electronic audience is a much larger one, and such messages,
sent out from an organization's network domain, may damage the
reputation of the organization as well as that of the particular
perpetrator.
 Breaches of Personnel Security…
Software Piracy
• Copying and selling off-the-shelf application
programs in violation of the copyrights costs
software vendors many millions of dollars. The
stealing of proprietary programs is also a major
business problem.
• A company may spend millions of dollars to develop
a specialized program, only to find that its competitor
has the same program--and the competitor hasn't had
to invest in the development costs!
Breaches of Communications
and Data Security…
 Breaches of Communications
and Data Security…

• Modification: This is an attack on integrity

– Corrupting transmitted data or tampering with it
before it reaches its destination
• Fabrication: This is an attack on authenticity
– Faking data as if it were created by a legitimate
and authentic party
 Breaches of Communications
and Data Security…
Traffic Analysis
• In one industrial espionage case, a competitor monitored a
company's use of online data services to find out what
questions it had and what information it was collecting on
certain types of metallurgy.
• The information allowed the competitor to monitor the
company's progress on a research and development project and
to use this information in developing its own similar product.
• That product reached the market several weeks before the
original developer was able to. The original company's research
and development investment and its potential share of the
market--many millions--were all but lost.
 Breaches of Communications
and Data Security…

Session Hijacking
• Some systems don't disconnect immediately when a
session is terminated. Instead, they allow a user to re-
access the interrupted program for a short period. A
cracker with a good knowledge of telephone and
telecommunications operations can take advantage of
this fact to reconnect to the terminated session.
• Sometimes, an attacker will connect a covert computer
terminal to a line between the authorized terminal and
the computer.
 Session Hijacking cont……

• The criminal waits until the authorized terminal is on line

but not in use, and then switches control to the covert
terminal.
• The computer thinks it is still connected to the authorized
user, and the criminal has access to the same files and
data as the authorized user.
• Other types of hijacking occur when an authorized user
doesn't log out properly so the computer still expects a
terminal to be connected.
• Call forwarding from an authorized number to an
unauthorized number is another method of getting access.
 Timing Attacks
• Computer systems are often called upon to do many things at the
same time.
• They may, for example, be asked by different users to analyze data
using an application program that can work with only one set of
data at a time.
• Or they may be told to print data by more users than they can
handle at once.
• In these cases, the operating system simply places user requests
into a queue, then satisfies them according to a predetermined set
of criteria; for example, certain users may always take precedence,
or certain types of tasks may come before others.
• "Asynchronous" means that the computer doesn't simply satisfy
requests in the order in which they were performed, but according
to some other scheme.
 Timing Attacks

• A skilled programmer can figure out how to penetrate the queue

and modify the data that is waiting to be processed or printed.
• He might use his knowledge of the criteria to place his request in
front of others waiting in the queue.
• He might change a queue entry to replace someone else's name or
data with his own, or to subvert that user's data by replacing it.
• Or he could disrupt the entire system by changing commands so
that data is lost, programs crash, or information from different
programs is mixed as the data is analyzed or printed.
 Software Attacks

Trap Doors
• A trap door is a quick way into a program; it allows
program developers to bypass all of the security built
into the program now or in the future.
• To a programmer, trap doors make sense. If a
programmer needs to modify the program sometime
in the future, he can use the trap door instead of
having to go through all of the normal, customer-
directed protocols just to make the change.
 Trap Doors cont…..

• Trap doors of course should be closed or eliminated in the final

version of the program after all testing is complete, but, intentionally
or unintentionally, some are left in place.
• Other trap doors may be introduced by error and only later
discovered by crackers who are roaming around, looking for a way
into system programs and files. Typical trap doors use such system
features as debugging tools, program exits that transfer control to
privileged areas of memory, undocumented application calls and
parameters, and many others.
• Trap doors make obvious sense to expert computer criminals as well,
whether they are malicious programmers or crackers. Trap doors are
a nifty way to get into a system or to gain access to privileged
information or to introduce viruses or other unauthorized programs
into the system.
 Trap Doors cont…..
• detection of trap doors is an operations security
problem--checking to see if the trap doors are
there in the first place, and whether they exist and
operations are correct on an ongoing basis.
 Software attacks…
Trojan Horses
• During the Trojan War, the Greeks hid soldiers inside a large
hollow wooden horse designed by Odysseus.
• When the Trojans were persuaded to bring the horse inside the
gates of the city, the hidden soldiers emerged and opened the
gates to allow their own soldiers to attack the enemy.
• In the computer world, Trojan horses are still used to sneak in
where they're not expected. A Trojan horse is a method for
inserting instructions in a program so that program performs an
unauthorized function while apparently performing a useful
one.
 Trojan Horses ….

• Consider this typical situation: A Trojan horse is

hidden in an application program that a user is eager
to try--something like a new game or a program that
promises to increase efficiency. Inside the horse is a
logic bomb that will cause the entire system to crash
the third time the user runs the new program. If he's
lucky, the user will thoroughly enjoy the program
the first two times it's run, because when he tries to
use it the third time, the program he was eager to try
will disable his whole system.
 Viruses
• Computer virus has become an umbrella term for many
types of malicious code.
• Technically, virus is a piece of programming code that
seeks out other programs and “infects” a file by
embedding a copy of itself inside the program. The
infected program is often called a virus host. When the
host procedure runs, the virus code runs as well and
performs the instruction it was intended to perform.
• A virus needs a host to infect. Without a host, the virus
cannot replicate.
 Viruses
• How a virus works

¨ ORIGINATION - A programmer writes a program - the virus - to cause

mischief or destruction. The virus is capable of reproducing itself
¨ TRANSMISSION - Often, the virus is attached to a normal program. It
then copies itself to other software on the hard disk
¨ REPRODUCTION - When another floppy disk is inserted into the
computer’s disk drive, the virus copies itself on to the floppy disk
¨ INFECTION - Depending on what the original programmer wrote in the
virus program, a virus may display messages, use up all the computer’s
memory, destroy data files or cause serious system errors
 Worms…
• A worm is different from a virus in that it is a
standalone program.
• A typical worm maintains only a functional copy of
itself in active memory and duplicate itself . They
differ from viruses because they can propagate
without human intervention, sending copies of
themselves to other computers by e-mail, for
example.
 Examples of Worms
Salamis
• The Trojan horse is also a technique for creating
an automated form of computer abuse called the
salami attack, which works on financial data. This
technique causes small amounts of assets to be
removed from a larger pool.
• The stolen assets are removed one slice at a time
(hence the name salami). Usually, the amount
stolen each time is so small that the victim of the
salami fraud never even notices.
 Software attacks…
Logic Bombs
• Logic bombs may also find their way into computer systems by way of
Trojan horses.
• A typical logic bomb tells the computer to execute a set of instructions at
a certain date and time or under certain specified conditions. The
instructions may tell the computer to display "I love you" on the screen, or
it may tell the entire system to start erasing itself.
• In several cases we've heard about, a programmer told the logic bomb to
destroy data if the company payroll is run and his name is not on it.; this is
a sure-fire way to get back at the company if he is fired! The employee is
fired, or may leave on his own, but does not remove the logic bomb.
• The next time the payroll is run and the computer searches for but doesn't
find the employee's name, it crashes, destroying not only all of the
employee payroll records, but the payroll application program as well.
 Breaches of Operations Security
Data diddling, sometimes called false data entry, involves
modifying data before or after it is entered into the computer.
• Consider situations in which employees are able to falsify
time cards before the data contained on the cards is entered
into the computer for payroll computation.
• E.g. two employees of a utility company found that there
was a time lapse of several days between when meter
readings were entered into the computer and when the bills
were printed.
• By changing the reading during this period, they were able
to substantially reduce their electric bills and the bills of
some of their friends and neighbors.
 Breaches of Operations Security…

IP Spoofing
• (IP stands for Internet Protocol, one of the communications
protocols that underlies the Internet).
• Certain UNIX programs grant access based on IP addresses;
essentially, the system running the program is authenticated,
rather than the individual user.
• The attacker forges the addresses on the data packets he sends so
they look as if they came from inside a network on which systems
trust each other.
• Because the attacker's system looks like an inside system, he is
never asked for a password or any other type of authentication. In
fact, the attacker is using this method to penetrate the system
from the outside.
 Breaches of Operations Security…
Password Sniffing
• Password sniffers are able to monitor all traffic on areas of a
network.
• Crackers have installed them on networks used by systems that
they especially want to penetrate, like telephone systems and
network providers.
• Password sniffers are programs that simply collect the first 128 or
more bytes of each network connection on the network that's
being monitored.
• When a user types in a user name and a password--as required
when using certain common Internet services like FTP (which is
used to transfer files from one machine to another) or Telnet (which lets
the user log in remotely to another machine)--the sniffer collects that
information.
 Threats to Information Security
• Scanning
• With scanning, a program known as a war dialer
or demon dialer processes a series of
sequentially changing information, such as a list
of telephone numbers, passwords, or telephone
calling card numbers. It tries each one in turn to
see which ones succeed in getting a positive
response,
 Security measures…
• What are the security measures to all these
breaches?

• Security measures can be both Personnel and

technology measures.
 Personnel – Security Policy and
Procedures
• Information Security Policies are the foundation, the
bottom line, of information security within an
organization
• Ensure that they are comprehensive enough
• Ensure that they are always up-to-date
• Ensure they are delivered effectively and
available to all staff and MUST be implemented to be
effective
• Will mitigate the following attacks:
• – Internal attacks (i.e. disgruntled employees)
 Security Policy and Procedures
• For a company’s security policies to be effective, they
must be communicated properly to the employees to
ensure company wide knowledge and compliance.
• Rules won’t be followed if nobody knows they exist.
Many companies make use of consultants to create and
draft security policies and procedures, but these
policies often aren’t communicated to the user
community and aren’t used.
• Employees need to be aware of security issues and
procedures to protect not only themselves but also the
company’s services and data.
Personnel – Training and Awareness
• Staff members play a critical role in protecting the integrity,
confidentiality, and availability of IT systems and networks
• Training in security awareness and accepted computer
practices should be mandatory for all staff
Initial security training, followed by annual refresher training
• Awareness should be ongoing through:
• Motivational slogans
• Videotapes
• Posters and Flyers
• Will alleviate the following attacks:
– Internal attacks (i.e. disgruntled employees)
 Personnel – Dedicated
Management
• Organizations need to demonstrate that they have
Information Security controls in place through
dedicated staff.
• Provide the framework to initiate, implement,
maintain, and manage Information Security
 Physical Security
• Physical security refers to the protection of building sites ,
equipment, and all information and software contained
therein from theft, vandalism, natural disaster, manmade
catastrophes, and accidental damage e.g., from electrical
surges, extreme temperatures, and spilled drinks & eats.

• It requires solid building construction, suitable

emergency preparedness, reliable power supplies,
adequate climate control, and appropriate protection
from intruders.
 Physical Security…
• The outside barrier can be a fence made of barbed
wire, brick walls, natural trees, mounted noise or
vibration sensors, security lights, and etc,
• The area surrounding the facility can be secured using
locks and keys,
• Window breakage detectors,
• Card access control systems,
• Animal & human barriers like dogs and security
guards.
 Physical Security…
• defining the physical limits of a facility and controlling access, a perimeter
barrier also creates a physical and psychological deterrent to unauthorized
entry.
• It delays intrusion into an area, making the possibility of detection and
apprehension more likely.
• It aids security forces in controlling access and assists in directing the flow
of persons and vehicles through designated entrances.
• Every vulnerable point should be protected to deter or prevent unauthorized
access to the facility.
• The roof, basement, and walls of a building may contain vulnerable points of
potential entry.
• A security survey of the perimeter should address manholes and tunnels,
gates leading to the basement, elevator shafts, ventilation openings,
skylights, and any opening 96 square inches or larger that is within 18 feet of
the ground.
 Technology - Firewalls
• Is a hard ware and software used to isolate the sensitive
portions of an information facility from the outside world and
limit the potential damage that can be done by a malicious
intruder.
• Firewalls serve as a “gatekeeper” system that protects
a company’s intranets and other computer networks
from intrusion.
• Firewalls provide a filter and safe transfer point. It
prevents malicious agents by screening all network
traffic for proper passwords or other security codes.
• Protects data in transit or stored on disk.
 Technology – Virus Protection
• Anti- virus Software should be installed on all
network servers, as well as computers
• Shall include the latest versions, as well as signature
files (detected viruses)
• Should screen all software coming into your
computer or network system (files, attachments,
programs, etc.)
• Will mitigate the following attacks:
• – Viruses and Worms
• – Malicious Code and Trojans
 Technology- Passwords
• A password is string of usually six to eight characters,
with restrictions on length and start character, to
verify a user to an information system facility usually
a computer system;
• A password has four cardinal rules;
– Never tell anyone your password
– Never write your password down anywhere
– Never choose a password that is easy to guess
– Change your password frequently.
 Technology- Passwords
• Passwords are a fundamental line of defense against
unauthorized access of our computers or data, so it is
important to have good passwords that are hard for
hackers to guess or crack, and it’s also important to
protect your passwords - keep them secure.
• Protecting your password means never share it and try
to create passwords that are easy for you to remember
so you don’t have to write them down.
• If you DO have to write a password down, be sure you
store it securely - lock it up in a place where others
wouldn’t think to look.
 Technology - Encryption
• It involves using special mathematical algorithms to
transform digital data in scrambled code.
• Encrypted passwords, messages, files, and other data is
transmitted in scrambled form and unscrambled for authorized
users.
• Most widely used method uses a pair of public and private
keys unique to each individual. The act of ciphering and
denciphering data through the
• use of shared software keys,
• data cannot be accessed
without the appropriate software keys.
 Why are there security vulnerabilities?
• Attacking is becoming so common and easy – there are books
clearly explaining how to launch them
• Few courses in computer security
• Incorporation of security into networks, not growing with the
rapidly growing number and size of networks
• Programming text books do not emphasize security
• Few security audits C is an unsafe language
• Programmers have many other things to worry about
• Consumers do not care about security
• Security is expensive and takes time
• Security is often over looked (not one of the top criteria)
• Systems too complex in nature and rich in features can be
filled with security holes
 Why are there security vulnerabilities?
• Difficult problem: insider threat
• Easy to hide code in large software packages
• Virtually impossible to detect back doors
• Skill level needed to hide malicious code is
much lower than needed to find it.
 Summary
• Thank you for your attention