Computer Security (Chapter-1)

The document provides an overview of computer security including definitions, history, objectives and challenges. It covers topics such as evolution of security, vulnerabilities, threats, attacks, policies, controls and mechanisms. The history section describes several famous security incidents and early efforts in standardization and legislation related to computer security.

Uploaded by

Abenezer Tesfaye

Chapter One

Introduction to Computer Security

1/22/2024 Compiled by: Naol G. (MSc.) 1


Chapter objectives
• Upon completion of this chapter you should be able to:
◦ Understand what computer and network security means.
◦ Trace the evolution of computer security.
◦ Understand the key terms and critical concepts of computer security.
◦ Understand the differences between, and the types of, vulnerabilities, threats and attacks.
◦ Analyze security policies, services, controls and mechanisms.
◦ Recognize the challenges of computer security.


Overview

“The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.”

Sun Tzu, The Art of War


Overview (definition)
• Computer security is the protection of computer systems from attacks by malicious actors that may result in unauthorized information disclosure, theft of, or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide. (Wikipedia)


Overview…
• Network security, the form computer security takes when systems are connected to networks, deals with the policies, processes and practices adopted to prevent and monitor unauthorized access, misuse, modification, or denial of the computer network and network-accessible resources. (Wikipedia)


Overview…
• “The most secure computers are those not connected to the Internet and shielded from any interference.”
• However, they are not immune to all security risks.
• The potential security concerns include:
◦ Insider threats,
◦ Physical security breaches, and
◦ The introduction of malware via removable media or other means.


History
• Until the 1960s computer security was limited to physical protection of computers.
• The late 1960s and 1970s
◦ Evolutions
▪ Computers became interactive
▪ Multiuser/multiprogramming systems and networking were invented
▪ Mainframe computers, Unix and Unix-like OSs
▪ ARPANET (Advanced Research Projects Agency Network)
▪ More and more data started to be stored in computer databases
◦ Organizations and individuals started to worry about
▪ What are the other persons using the computers doing to their data?
▪ What is happening to their private data stored in large databases?


History…
• Computer security was almost non-existent before the 1980s (besides physical protection).
• In the 1980s and 1990s
◦ Evolution
▪ Personal computers were popularized
▪ LANs and the Internet spread across the world
▪ Applications started to develop, such as e-commerce (goods & services), e-government (online tax filing, voting) and e-health (remote patient monitoring, data records).
▪ Viruses became major threats
◦ Organizations/individuals started to worry about
▪ Who has access to their computers and data
▪ Whether they can trust an email, a website, etc.
▪ Whether their privacy is protected in the connected world
History: Famous security problems
• 1950s: Phone phreaking
◦ The initial intent of hacking did not encompass computer information collection.
◦ Phone phreaking rose to prominence during the 1950s, which exposed this phenomenon.
◦ John Draper (“Captain Crunch”) made a whistle for phreaking.
◦ Steve Jobs and Steve Wozniak developed the BlueBox,
◦ making cost-free calls and circumventing long-distance fees.

[Figures: John Draper playing over a public phone; John Draper's whistle]
History: Famous security problems
• Morris worm – Internet Worm
◦ On November 2, 1988 a worm attacked more than 6,000 of the 60,000 computers around the USA
◦ Robert Morris became the first person to be charged under the Computer Fraud and Abuse Act of 1986
◦ He was sentenced to three years of probation, 400 hours of community service and a fine of some $10,050
◦ He is currently an associate professor at the Massachusetts Institute of Technology

[Figure: Robert T. Morris, 2008]


History: Famous security problems
• NASA shutdown
◦ In 1990, an Australian computer science student was charged for shutting down NASA's computer system for 24 hours
• ILOVEYOU (2000)
◦ was a computer worm that infected over 10 million Windows personal computers.
◦ spread as an email message.
• The Melissa Virus (1999)
◦ It targets Microsoft Word and Outlook-based systems.


History: Famous security problems
• 2014: Sony Pictures Entertainment suffers multiple attacks;
◦ US intelligence suspected the attack was sponsored by North Korea.
• 2016 (WikiLeaks): a multi-national media organization and associated library.
◦ Launched a searchable archive of over 30k emails & email attachments sent to and from Hillary Clinton's private email server while she was Secretary of State. https://wikileaks.org/clinton-emails/
• 2017: Ransomware (WannaCry): encrypts user data and demands money to decrypt it.
• 2018: Facebook plagued by privacy concerns
• 2021: > 267 million Facebook accounts sold on the dark web.
• 2021: Hack of a Florida city's water system exposes the potential cyber risks of local communities.
History… Early efforts
• 1960s: Marked as the beginning of true computer security
• 1970s: Tiger teams
◦ Government- and industry-sponsored crackers who attempted to break down the defenses of computer systems in order to uncover vulnerabilities so that patches could be developed
• 1970s: Research and modeling
◦ Identifying security requirements
◦ Formulating security policy models
◦ Defining guidelines and controls
◦ Development of secure systems
• Standardization
◦ 1978: DES selected as encryption standard by the US
◦ 1985: Orange Book for Security Evaluation (or TCSEC - Trusted Computer System Evaluation Criteria)
▪ Describes the evaluation criteria used to assess the level of trust that can be placed in a particular computer system
History…
Legal issues (worldwide)
• In the US, legislation was enacted with regard to computer security and privacy starting from the late 1960s
• The European Council adopted a convention on cybercrime in 2001
• The World Summit on the Information Society considered computer security and privacy as a subject of discussion in 2003 and 2005
(In Ethiopia)
• The Ethiopian Penal Code of 2005 has articles on data and computer related crimes
• Cybercrime Proclamation of 2016 (Computer Crime Proclamation No. 958/2016)
Basic Security Objectives (Pillars) - CIA
Confidentiality: This term covers two related concepts:
• Data confidentiality: Assures that private or confidential information or resources (resource and configuration hiding) are not made available or disclosed to unauthorized individuals
◦ Is compromised by reading and copying
◦ In network communication, it means only the sender and the intended receiver should “understand” the message contents
• Privacy: Assures that individuals control what information related to them may be collected and stored, and by whom and to whom that information may be disclosed.

[Figure: the CIA triad - Confidentiality, Integrity, Availability]


Security Objectives…
• Integrity: This term covers two related concepts.
◦ Data integrity: Assures that information and programs are changed only in a specified and authorized manner
▪ In network communication, sender and receiver want to ensure that the message is not altered (in transit or afterwards) without detection
◦ System integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
◦ Is compromised by deleting, corrupting, and tampering.


Security Objectives…
• Availability: Assures that systems work promptly and service is not denied to authorized users

Supplements to CIA:
◦ Authentication
▪ How do I know it's really you?
◦ Authorization
▪ Now that you are here, what are you allowed to do?
◦ Accountability
▪ Who did what, and, perhaps, who pays the bill?


Vulnerabilities, Threats, Attacks & Countermeasures
• A vulnerability is a flaw or weakness in system security procedures, design or implementation that could be exercised (accidentally triggered or intentionally exploited) and result in a violation of the system's security policy.
• A threat is a potential danger that could exploit a vulnerability to break security and cause harm.
◦ Threat sources can be hackers, malware, disgruntled employees, and natural disasters.
◦ Threats can be intentional or unintentional.
• An attack is a threat that is carried out, i.e. an enacted threat.
◦ It can be passive or active.
• Countermeasures are techniques or actions taken to protect the system.


Vulnerabilities (a vulnerability can have different forms and sources)
• Physical site:
◦ area subject to natural disasters (e.g. flood, earthquake)
◦ interruption of power source
• Hardware:
◦ susceptibility to humidity or dust
◦ susceptibility to unprotected storage
◦ over-heating
• Software:
◦ insufficient testing
◦ insecure coding
◦ design flaw
• Network:
◦ unprotected communication (e.g. lack of cryptography)
◦ insecure network architecture
• Personnel:
◦ inadequate recruiting process
◦ inadequate security awareness
◦ insider threat
• Organizational:
◦ lack of regular audits
◦ lack of security plans


Threats
• Threats can be classified according to their type and origin:
• Types of threats:
◦ Physical damage: fire, water, pollution
◦ Natural events: climatic, seismic, volcanic
◦ Loss of essential services: electrical power, air conditioning, telecommunication
◦ Compromise of information: eavesdropping, theft of media, retrieval of discarded materials
◦ Technical failures: equipment, software, capacity overload
◦ Compromise of functions: abuse of rights/privilege, denial of actions


Threats
• A threat type can have multiple origins:
◦ Accidental
▪ equipment failure
▪ software failure
◦ Environmental
▪ natural event
▪ loss of power supply
◦ Intentional: aiming at an information asset
▪ spying or malicious code
▪ illegal processing of data
• Intentional threats can come from outsiders and insiders
◦ Outsiders may penetrate systems in a variety of ways:
▪ Disguised entry as maintenance personnel
▪ Via malware (virus, Trojan horse etc.)
◦ Although most security mechanisms protect best against outside intruders, surveys indicate that most attacks are by insiders.


Threats
• Estimates are that as many as 80 percent of system penetrations are by fully authorized users who abuse their access privileges to perform unauthorized functions.
◦ "The enemy is already in, we hired them.”
• Insiders are sometimes referred to as living Trojan horses.
• There are a number of different types of insiders:
◦ A fired or disgruntled employee might be seeking revenge; an employee might have been blackmailed or persuaded by foreign or corporate enemy agents.
◦ A greedy employee might use her inside knowledge to divert corporate or customer funds for personal benefit.
◦ An insider might be an operator, a systems programmer, or even a casual user who is willing to share a password.


Threats
• Don't forget, one of the most dangerous insiders may simply be lazy or untrained.
◦ He doesn't bother changing passwords,
◦ Doesn't learn how to protect email messages and other files,
◦ Leaves sensitive printouts in piles on desks and floors, and ignores the paper shredder when disposing of documents.


Security Attacks
• An attack occurs when a threat actor exploits a vulnerability to compromise a system's security.
• Attacks can take many forms, including unauthorized access, data theft, malware infection, denial of service, and social engineering.
• Classification of security attacks:
◦ passive attacks and active attacks.
• A passive attack attempts to learn or make use of information from the system but does not affect system resources.
• An active attack attempts to alter system resources or affect their operation.


Categories of attacks
• Interruption: An attack on availability
• Interception: An attack on confidentiality
• Modification: An attack on integrity
• Fabrication: An attack on authenticity


Security Attacks (Passive attack)…
• A passive attack attempts to learn information from the system but does not affect system resources.
• The attacker might eavesdrop on and monitor the contents of a message.
• These attacks are passive because
◦ the attacker's goal is to gather information, not to modify information or harm system resources.
• A passive attack is difficult to detect as no modification or tampering of data is performed, and the user might not be aware of the presence of the attacker.
• Passive attacks can be prevented by implementing measures such as encryption.
• Two types of passive attacks:
◦ Release of message contents, and
◦ Traffic analysis


Security Attacks (Passive attack)…
• Release of message contents:
◦ It involves the attacker capturing the information sent by the user and reading the sensitive information.
◦ Ex.: reading an email or tapping into a phone conversation between the communicating parties.
◦ Mitigation: data encryption
• Traffic analysis:
◦ The attacker observes the length and frequency of the messages being exchanged in order to guess the identity of the parties, their location and the nature of the communication that was taking place.
◦ Mitigation: using NAT (Network Address Translation), but it's difficult!


Security Attacks (Active attack)…
• An active attack attempts to alter system resources or affect their operation.
• The attacker's goal is to interfere with network operations by either modifying the data stream or even introducing a false data stream.
• These attacks do involve modification of data and are hence easy to detect.
• Though easy to detect, they are hard to prevent with the many sophisticated threats (physical, software & network vulnerabilities) present these days.
• Active attacks are categorized into:
◦ Masquerade
◦ Message replay
◦ Modification of messages, and
◦ Denial of service (DoS).


Security Attacks (Active attack)…
• Masquerade:
◦ In this attack, one entity pretends to be a different entity; the attacker's motive is to gain unauthorized privileges.
◦ Masquerading is usually done by using stolen IDs and passwords, or by using other forms of attack.
◦ Mitigation: strong access controls (multi-factor authentication).


Security Attacks (Active attack)…
• Message replay:
◦ This attack involves passive capture of a genuine message sent by the sender and its subsequent retransmission to produce an unauthorized effect.
◦ Ex.: capturing the packet with bank login credentials and resending it to gain unauthorized entry to the account.
◦ Mitigation: sequence numbers (for each packet sent).


Security Attacks (Active attack)…
• Modification of messages:
◦ This attack involves making certain alterations to the captured messages, or delaying or reordering the message sequence, to produce an unauthorized effect.
◦ Ex.: changing the beneficiary account number of a financial transaction to steal money.
◦ Mitigation: access controls, intrusion detection systems (IDS)
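As an added illustration (not from the slides), here is a small Python receiver that applies the two mitigations named on the replay and modification slides above: a per-message sequence number to reject replayed or reordered messages, and an HMAC over the sequence number and payload so that an altered message is detected. The shared key, message format and the demo messages are constructed for this example.

```python
import hmac
import hashlib

# Constructed demo key shared by sender and receiver (assumption for the
# example; a real deployment would provision it securely).
KEY = b"shared-secret-for-illustration-only"


def _tag(key: bytes, seq: int, payload: str) -> str:
    """HMAC-SHA256 over the sequence number and payload together, so that
    neither can be altered without invalidating the tag."""
    data = f"{seq}|{payload}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def make_message(seq: int, payload: str, key: bytes = KEY) -> dict:
    """Sender side: attach the sequence number and the authentication tag."""
    return {"seq": seq, "payload": payload, "tag": _tag(key, seq, payload)}


class Receiver:
    """Accepts a message only if its tag verifies and its sequence number is
    strictly greater than the last accepted one."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_seq = -1      # nothing accepted yet
        self.accepted = []      # payloads that passed both checks

    def receive(self, msg: dict) -> str:
        # Modification check first: compare_digest avoids timing leaks.
        expected = _tag(self.key, msg["seq"], msg["payload"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: modified"
        # Replay check: an old or repeated sequence number is refused.
        if msg["seq"] <= self.last_seq:
            return "rejected: replay"
        self.last_seq = msg["seq"]
        self.accepted.append(msg["payload"])
        return "accepted"


def demo():
    """Walk the attacks from the slides past one receiver (constructed data)."""
    rx = Receiver()
    genuine = make_message(1, "transfer 100 to account 4711")
    r_first = rx.receive(genuine)            # genuine message: accepted
    r_replay = rx.receive(genuine)           # same packet resent: replay
    tampered = dict(genuine, payload="transfer 100 to account 9999")
    r_modified = rx.receive(tampered)        # beneficiary changed: modified
    r_next = rx.receive(make_message(2, "transfer 5 to account 4711"))
    return r_first, r_replay, r_modified, r_next, list(rx.accepted)


if __name__ == "__main__":
    print(demo())
```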


Security Attacks (Active attack)…
• Denial of service (DoS):
◦ This attack prevents or inhibits the normal functioning or management of communication facilities.
◦ These attacks can be targeted or generalized.
◦ Another form of this attack includes disruption of an entire network, either by disabling the network or by overloading it with messages so as to degrade performance.
◦ Mitigation: firewall, proxy server.


Security Attacks…
• To summarize the two categories of attacks:
◦ In a passive attack, no modification of data occurs and the target does not know about its occurrence unless they have a monitoring and alert system.
◦ In an active attack, system resources and data are altered or otherwise damaged, affecting the system's normal operations.
◦ Passive attacks are tough to detect, but can be prevented. Comparatively, active attacks are easy to detect, but hard to prevent.


Exercise:
• Identify whether each of the following is a vulnerability, a threat or an attack:
1. A lot of people would like to use your credit card number to buy something. (?)
2. Your credit card number is printed on the receipt. (?)
3. A person creates a fake of your credit card and uses it on a gas pump. (?)


Security Policy and Mechanism
• A security policy is a statement of what is, and what is not, allowed.
• A security mechanism is a method, tool or procedure for enforcing a security policy.
• Examples:
◦ Encipherment
◦ Digital signature
◦ Access control
◦ Authentication exchange
◦ Firewall
◦ Hashing/message digest
• Security mechanisms implement functions/countermeasures that help prevent, detect, and respond to and recover from security attacks.


Cont’d…
• Given a security policy's specification of “secure” and “non-secure” actions, security mechanisms can prevent (defend against) the attack, detect the attack, or recover from the attack.
• Prevention means that an attack will fail;
◦ E.g., passwords to keep out unauthorised users, or Intrusion Prevention Systems (IPSs)
• Detection is most useful when an attack cannot be prevented, but it can also indicate the effectiveness of preventative measures.
◦ Detection mechanisms accept that an attack will occur;
◦ they determine that an attack is underway, or has occurred, and report it.
◦ E.g., analyzing the data flowing, using an Intrusion Detection System (IDS)
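As an added example (not from the slides), here is a small detection mechanism in Python of the kind the IDS bullet describes: it reads constructed log lines, blocks nothing, and reports when a password-guessing attempt (the masquerade case from the active-attack slides) or a request flood (the DoS case) is underway. The log format, source addresses and thresholds are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample log (not real data). Assumed format per line:
# "<time> <source-ip> <event> [details]"
SAMPLE_LOG = [
    "10:00:01 203.0.113.5 LOGIN_FAIL user=alice",
    "10:00:02 203.0.113.5 LOGIN_FAIL user=alice",
    "10:00:03 203.0.113.5 LOGIN_FAIL user=alice",
    "10:00:04 203.0.113.5 LOGIN_FAIL user=alice",
    "10:00:05 203.0.113.5 LOGIN_FAIL user=alice",
    "10:00:06 203.0.113.5 LOGIN_OK user=alice",
    "10:00:07 198.51.100.9 LOGIN_OK user=bob",
    "malformed",
] + ["10:00:08 192.0.2.77 REQUEST /index.html"] * 150

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")


def detect(lines, fail_threshold=5, flood_threshold=100):
    """Return a list of (alert_type, source_ip) tuples in the order the
    evidence accumulates. Each alert fires once per source."""
    fails = Counter()       # LOGIN_FAIL count per source
    requests = Counter()    # REQUEST count per source
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue        # unparsable lines are skipped, not fatal
        _time, src, event, _details = m.groups()
        if event == "LOGIN_FAIL":
            fails[src] += 1
            if fails[src] == fail_threshold:
                # Repeated failures: someone guessing stolen/forged credentials.
                alerts.append(("PASSWORD_GUESSING", src))
        elif event == "LOGIN_OK" and fails[src] >= fail_threshold:
            # A success right after a run of failures deserves a look.
            alerts.append(("SUCCESS_AFTER_FAILURES", src))
        elif event == "REQUEST":
            requests[src] += 1
            if requests[src] == flood_threshold:
                # One source overloading the service with messages (DoS).
                alerts.append(("FLOOD", src))
    return alerts


if __name__ == "__main__":
    for kind, src in detect(SAMPLE_LOG):
        print(f"ALERT {kind} from {src}")
```

The detector only reports; acting on the alert (locking the account, rate-limiting the source) is the prevention or recovery step that the following slides describe.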


Cont’d…
• Recovery/Reaction requires resumption of correct operation. It has two forms.
◦ The first is to stop an attack and to assess and repair any damage caused by that attack.
▪ E.g., if the attacker deletes a file, recovery restores the file from backup tapes.
◦ The attacker may return, so recovery also involves identifying and fixing the vulnerabilities the attacker used to enter the system.
• The three strategies are usually used together.
• A fourth approach is deterrence; it involves active steps to beat off attacks and discourage attackers from even trying.


Computer Security Countermeasures
• Security controls or countermeasures refer to mitigation techniques for prevention, detection, recovery and deterrence.

A. Authentication - for prevention
• Authentication is the binding of an identity to a subject.
• An entity must provide information to enable the system to confirm its identity. This information comes from one (or a combination) of the following:
◦ What the entity knows (such as a password, PIN, PUK)
◦ What the entity has (an object in the possession of the user, such as a bank card)
◦ What the entity is (a physical characteristic of the user (biometrics), such as a fingerprint, eye iris etc.)


Computer Security Countermeasures…
B. Encryption - hiding/masking secret information (key + algorithm) - for prevention
C. Auditing - for recovery
• Auditing is the process of analysing systems to determine what actions took place and who performed them;
• Auditing is essential for recovery and accountability
D. Administrative procedures - for prevention, recovery and deterrence
E. Physical security - for prevention, detection
F. Laws - for deterrence
G. Intrusion Detection/Prevention Systems - for detection/prevention
H. Anti-malware - for prevention/detection


Security services
• Security services implement security policies by means of security mechanisms in order to achieve security goals and prevent security attacks.
◦ Authentication service
▪ The authentication service deals with assuring the identity of the communicating parties, and also that no third party can masquerade as one of the legitimate parties for unauthorized reception of messages.
◦ Data confidentiality service
▪ It is the protection of transmitted data from passive attacks, and the protection of traffic flow from analysis.
◦ Data integrity service
▪ It assures that messages are received as sent by an authorized entity, with no duplication, insertion, modification, reordering, replay, or loss.


Security services…
• Access control service
◦ It is the ability to limit and control access to host systems and applications via communications links.
◦ To implement access control, each entity trying to gain access must first be identified, or authenticated, so that access rights can be tailored to the individual.
• Nonrepudiation service
◦ This service does not allow the sender or receiver of a message to deny having sent or received that message.
▪ Nonrepudiation, origin: enables the receiver to prove that the message was sent by the specified sender.
▪ Nonrepudiation, destination: enables the sender to prove that the message was delivered to the intended receiver.


Security services…
• Availability service
◦ Availability is the service that ensures a resource is accessible and usable upon demand by an authorized system entity, according to the performance specifications for the system.
◦ A variety of attacks can result in the loss of, or reduction in, availability.
◦ A common attack that impacts availability is the denial-of-service attack (DoS), in which the attacker interrupts access to information, systems, devices or other network resources.


Security Challenges
• Security is not simple: the terminology seems straightforward, but the mechanisms to meet the requirements are very complex.
• Potential attacks on a security mechanism or algorithm have to be considered while designing it, since an attacker can exploit an unexpected weakness.
• Procedures used to provide particular services are often counter-intuitive.
• Security mechanisms involve multiple algorithms and the use of secret information.
• One must decide where to deploy security mechanisms, in terms of both physical placement and logical sense.


Security Challenges…
• It is always a battle of wits between the perpetrator and the designer/administrator.
• Attackers look for holes and admins try to close them.
• System managers tend to perceive little benefit from security investment until a security failure happens.
• Security requires regular/constant monitoring, which is difficult in today's short-term and overloaded environment.
• Users and administrators view strong security as an impediment to free usage of a system.


Physical Security
Reading assignment


End of Chapter-1
Questions?
Read more…
