Chapter 1

The document provides an overview of computer security fundamentals, including definitions, objectives, and historical context. It emphasizes the importance of confidentiality, integrity, and availability (CIA) as core security pillars, while also discussing the human factor and physical security challenges. Additionally, it outlines various security controls and the evolution of computer security from physical protection to addressing cyber threats.

CoSc 4032: Computer Security

Faculty of Informatics

Chapter 1
Lecture Notes
Fundamentals of Computer Security

Name of Instructor: Sebahadin Nasir


Department of Computer Science
February, 2025

1.1 Overview
• Computer security is about provisions and policies adopted to protect information and property from unauthorized access, use, alteration, degradation, destruction, theft, corruption, natural disaster, etc., while allowing the information and property to remain accessible and productive for their intended use
• Privacy: The right of the individual to be protected against intrusion into his personal life or affairs, or those of his family
• Computer security when there is a connection to networks (network security) deals with provisions and policies adopted to prevent and monitor unauthorized access, misuse, modification, or denial of the computer network and network-accessible resources

“The most secure computers are those not connected to the Internet and shielded from any interference”

• Two extreme attitudes regarding computer security
• There is no real threat
  ◦ Much of the negative news is simply unwarranted panic
  ◦ If our organization has not been attacked so far, we must be secure
  ◦ This is a reactive approach to security: wait to address security issues until an incident occurs
• The opposite viewpoint overestimates the dangers
  ◦ They tend to assume that talented, numerous hackers are an imminent threat to a system
  ◦ They may believe that any teenager with a laptop can traverse highly secure systems at will (such a world view is unrealistic)
  ◦ The reality is that many people who call themselves hackers are less knowledgeable than they think they are. These people have a low probability of being able to compromise any system that has implemented even moderate security precautions
• This does not mean that skillful hackers do not exist
• However, they must balance the costs (financial, time) against the rewards (ideological, monetary)
• “Good” hackers tend to target systems that yield the highest rewards
• Keep in mind, too, that the greatest external threat to any system is not hackers, but malware and denial of service attacks
• Malware includes viruses, worms, Trojan horses, logic bombs, etc.

1.1.1 Basic Security Objectives (Pillars) - CIA
• Confidentiality
• Integrity
• Availability

• Confidentiality: This term covers two related concepts:
  ◦ Data confidentiality: Assures that private or confidential information or resources (resource and configuration hiding) are not made available or disclosed to unauthorized individuals
    => In network communication, it means only the sender and intended receiver should “understand” message contents
  ◦ Privacy: Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed
• Integrity: This term covers two related concepts:
  ◦ Data integrity: Assures that information and programs are changed only in a specified and authorized manner
    => In network communication, sender and receiver want to ensure that the message is not altered (in transit or afterwards) without detection
  ◦ System integrity: Assures that a system performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system
• Availability: Assures that systems work promptly and service is not denied to authorized users
• Authenticity: A component missing from the CIA objectives. It is the property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator; sender and receiver want to confirm the identity of each other

1.1.2 Policy and Mechanism
• A security policy is a statement of what is, and what is not, allowed by users of a system
• A security mechanism is a method, tool, or procedure for enforcing a security policy
• More on this in Chapter 5 - Security Mechanisms and Techniques

1.1.3 Goals of Security
• Given a security policy’s specification of “secure” and “nonsecure” actions, security mechanisms can prevent the attack, detect the attack, or recover from the attack
  ◦ Prevention: take measures to prevent the damage; it means that an attack will fail; e.g., passwords to prevent unauthorized users
  ◦ Detection: if an attack cannot be prevented, the when, how and who of the attack have to be identified; e.g., when a user enters a password three times
  ◦ Recovery/Reaction: take measures to recover from the damage; e.g., restore deleted files from backup; sometimes retaliation (attacking the attacker’s system or taking legal actions to hold the attacker accountable)
• The three strategies may be used together or separately
• Example 1: Protecting valuable items at home from a burglar
  ◦ Prevention: locks on the door, guards, hidden places, etc.
  ◦ Detection: burglar alarm, guards, Closed Circuit Television (CCTV), etc.
  ◦ Recovery: calling the police, replacing the stolen item, etc.
• Example 2: Protecting against a fraudster using our credit card in an Internet purchase
  ◦ Prevention: Encrypt when placing an order, perform some check before placing an order, or don’t use a credit card on the Internet
  ◦ Detection: A transaction that you had not authorized appears on your credit card statement
  ◦ Recovery: Ask for a new card, recover the cost of the transaction from insurance, the card issuer or the merchant

1.2 Brief History of Computer Security and Privacy
• Until the 1960s computer security was limited to physical protection of computers
• In the 60s and 70s
  ◦ Evolutions
    - Computers became interactive
    - Multiuser/multiprogramming was invented
    - More and more data started to be stored in computer databases
  ◦ Organizations and individuals started to worry about
    - What the other persons using computers are doing to their data
    - What is happening to their private data stored in large databases
• In the 80s and 90s
  ◦ Evolutions
    - Personal computers were popularized
    - LANs and the Internet invaded the world
    - Applications such as E-commerce, E-government and E-health started to be developed
    - Viruses became major threats
  ◦ Organizations and individuals started to worry about
    - Who has access to their computers and data
    - Whether they can trust a mail, a website, etc.
    - Whether their privacy is protected in the connected world

• Famous Security Problems
  ◦ Morris worm – Internet Worm
    - On November 2, 1988, a worm attacked more than 60,000 computers around the USA
    - The worm attacks computers, and when it has installed itself, it multiplies itself, freezing the computer
    - It exploited UNIX security holes in Sendmail and Finger
    - A nationwide effort solved the problem within 12 hours
    - Robert Morris became the first person to be indicted under the Computer Fraud and Abuse Act
    - He was sentenced to 3 years of probation, 400 hours of community service and a fine of $10,500
    [Photo: Robert Morris in 2008]

• Bank theft
  ◦ In 1984, a bank manager was able to steal $25 million through un-audited computer transactions
• NASA shutdown
  ◦ In 1990, an Australian computer science student was charged for shutting down NASA’s computer system for 24 hours
• Airline computers
  ◦ In 1998, a major travel agency discovered that someone had penetrated its ticketing system and printed airline tickets illegally

Assignment I:
a. Find any security problem stories in Africa and Ethiopia, then write a short summary including the attack description, who was the main target, by whom it was performed and what kind of measures were taken.
b. Assess and bring a written summary of the policy and rules on cyber crimes in Ethiopia.

• Early Efforts
  ◦ 1960s: Marked as the beginning of true computer security
  ◦ 1970s: Tiger teams
    - Government and industry sponsored crackers who attempted to break down defenses of computer systems in order to uncover vulnerabilities so that patches can be developed
  ◦ 1970s: Research and modeling
    - Identifying security requirements
    - Formulating security policy models
    - Defining guidelines and controls
    - Development of secure systems
• Standardization
  ◦ 1985: Orange Book for Security Evaluation (or TCSEC - Trusted Computer System Evaluation Criteria)
    - Describes the evaluation criteria used to assess the level of trust that can be placed in a particular computer system
  ◦ 1978: DES selected as encryption standard by the US
• Legal Issues
  ◦ In the US, legislation was enacted with regard to computer security and privacy starting from the late 1960s
  ◦ The European Council adopted a convention on Cyber-crime in 2001
  ◦ The World Summit for Information Society considered computer security and privacy as a subject of discussion in 2003 and 2005

1.3 Computer Security Controls
a. Authentication (Password, Card, Biometrics) (What we know, have, are!)
  ◦ Authentication is the binding of an identity to a subject
  ◦ An entity must provide information to enable the system to confirm its identity. This information comes from one (or more) of the following:
    - What the entity knows (such as passwords or secret information)
    - What the entity has (such as a badge or card)
    - What the entity is (such as fingerprints or retinal characteristics - Biometrics)
b. Encryption (details in Chapter 3)
c. Auditing
  ◦ Auditing is the process of analyzing systems to determine what actions took place and who performed them; it is the analysis of log records to present information about the system in a clear and understandable manner
  ◦ Auditing is essential for recovery and accountability
  ◦ Logging is the basis for most auditing; logging is the recording of events or statistics to provide information about system use and performance
d. Administrative procedures
e. Standards
f. Certifications
g. Physical Security
h. Laws
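
The detection goal in 1.1.3 (a user entering a password three times) and the auditing control in 1.3(c) can be shown together as a short log audit. This is an added example, not part of the original lecture notes; the log format, user names, addresses and the five-minute window are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format (not from a real product).
SAMPLE_LOG = """\
2025-02-10T08:15:02 LOGIN_FAIL user=alice src=10.0.0.5
2025-02-10T08:15:09 LOGIN_FAIL user=alice src=10.0.0.5
2025-02-10T08:15:11 LOGIN_OK user=bob src=10.0.0.7
2025-02-10T08:15:20 LOGIN_FAIL user=alice src=10.0.0.9
2025-02-10T08:16:00 LOGIN_FAIL user=bob src=10.0.0.7
2025-02-10T08:16:30 LOGIN_OK user=bob src=10.0.0.7
2025-02-10T08:17:00 LOGIN_FAIL user=bob src=10.0.0.7
this line is corrupted
2025-02-10T09:40:00 LOGIN_FAIL user=carol src=10.0.0.8
2025-02-10T09:50:00 LOGIN_FAIL user=carol src=10.0.0.8
2025-02-10T10:30:00 LOGIN_FAIL user=carol src=10.0.0.8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_OK|LOGIN_FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse(lines):
    """Logging -> records. Unparseable lines are counted, not silently lost."""
    records, rejected = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            rejected += 1
            continue
        try:
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:
            rejected += 1
            continue
        records.append((ts, m["event"], m["user"], m["src"]))
    return records, rejected

def detect(records, threshold=3, window=timedelta(minutes=5)):
    """Auditing -> who and when: alert on `threshold` failed logins by one
    user inside `window`, with no successful login in between."""
    recent = defaultdict(deque)      # user -> (time, source) of recent failures
    alerts = []
    for ts, event, user, src in sorted(records):
        fails = recent[user]
        if event == "LOGIN_OK":
            fails.clear()            # a success ends the failure streak
            continue
        fails.append((ts, src))
        while ts - fails[0][0] > window:
            fails.popleft()          # forget failures older than the window
        if len(fails) >= threshold:
            alerts.append({"user": user, "when": ts,
                           "sources": sorted({s for _, s in fails})})
            fails.clear()            # one alert per streak
    return alerts

if __name__ == "__main__":
    recs, bad = parse(SAMPLE_LOG.splitlines())
    print(f"{len(recs)} records parsed, {bad} rejected")
    for a in detect(recs):
        print(f"ALERT {a['user']} at {a['when']} from {a['sources']}")
```

Only alice triggers an alert here: bob's failures are separated by a successful login, and carol's three failures are spread over fifty minutes.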

The Human Factor
• The human factor is an important component of computer security
• Some organizations view technical solutions as “their solutions” for computer security
  ◦ Technology is fallible (imperfect)
    - e.g., UNIX holes that opened the door for the Morris worm
  ◦ The technology may not be appropriate
    - e.g., It is difficult to define all the security requirements and find a solution that satisfies those requirements
  ◦ Technical solutions are usually (very) expensive
    - e.g., Antivirus
• Given all these, someone, a human, has to be there to implement the solution
• Competence of the security staff
  ◦ e.g., Crackers may know more than the security team
• Understanding and support of management
  ◦ e.g., Management does not want to spend money on security
• Staff’s discipline to follow procedures
  ◦ e.g., Staff members choose simple passwords
• Staff members may not be trustworthy
  ◦ e.g., Bank theft

1.4 Physical Security
“The most robustly secured computer that is left sitting unattended in an unlocked room is not at all secure!!” [Chuck Easttom]
• Physical security is the use of physical controls to protect premises, site, facility, building or other physical asset of an organization [Lawrence Fennelly]
• Physical security protects your physical computer facility (your building, your computer room, your computer, your disks and other media) [Chuck Easttom]
• Physical security was overlooked in the past few years by organizations because of the emphasis placed on improving cyber security
• In the early days of computing, physical security was simple because computers were big, standalone, expensive machines
  ◦ It was almost impossible to move them (not portable)
  ◦ There were very few of them, and it was affordable to spend on physical security for them
  ◦ Management was willing to spend money
  ◦ Everybody understood and accepted that there were restrictions

• Today
  ◦ Computers are more and more portable (PC, laptop, smartphone)
  ◦ There are too many of them to have good physical security for each of them
  ◦ They are not “too expensive” to justify spending more money on physical security until a major crisis occurs
  ◦ Users don’t accept restrictions easily
  ◦ Accessories (e.g., network components) are not considered as important for security until there is a problem
  ◦ Access to a single computer may endanger many more computers connected through a network
⇒ Physical security is much more difficult to achieve today than some decades ago

Overview / Concepts
• Walking over a bridge
• If the bridge collapses, it is a threat
• A crack in the cement is a vulnerability
• Physical harm
• Control: eliminate the vulnerability

1.4.1 Types of Vulnerabilities
• Physical vulnerabilities (e.g., Buildings)
• Natural vulnerabilities - disasters (e.g., Earthquake)
• Hardware and Software vulnerabilities (e.g., Failures)
• Media vulnerabilities (e.g., Disks can be stolen)
• Communication vulnerabilities (e.g., Wires can be tapped)
• Human vulnerabilities (e.g., Insiders)

Some of the vulnerabilities in brief (Natural Disasters)
a. Fire and smoke
  ◦ Fire can occur anywhere
  ◦ Solution – Minimize risk
    - Good policies: No Food and Drinks, No Smoking, etc.
    - Fire extinguisher, good procedure and training
    - Fireproof cases (and other techniques) for backup tapes
    - Fireproof doors

b. Climate
  • Heat
  • Direct sun
  • Humidity
  • Hurricane, storm, cyclone
  • Earthquakes
  • Water
    ◦ Flooding can occur even when a water tap is not properly closed
  • Electric supply
    ◦ Voltage fluctuation (Solution: Voltage regulator)
  • Lightning
Avoid having servers in areas often hit by natural disasters!

Some of the vulnerabilities in brief (People)
• Intruders
  ◦ Thieves
  ◦ People who have been given access unintentionally by insiders
  ◦ Employees, contractors, etc., who have access to the facilities
• External thieves
• Portable computing devices can be stolen outside the organization’s premises

Some of the vulnerabilities in brief (Loss of a computing device)
• Mainly laptops, but also other computing devices such as flash disks, CDs, DVDs, external hard disks, etc.

1.4.2 Safe Area
• A safe area is often a locked place where only authorized personnel can have access
• Organizations usually have a safe area for keeping computers and related devices
• Challenges
  ◦ Is the area inaccessible through other openings (window, roof ceilings, ventilation hole, etc.)?
    - Design of the building with security in mind
    - Know the architecture of your building
  ◦ During opening hours, is it always possible to detect when an unauthorized person tries to get to the safe area?
    - Surveillance/guards, video-surveillance, automatic doors with security code locks, alarms, etc.
    - Put signs so that everybody sees the safe area

1.4.2 Safe Area (Are the locks reliable?)
• The effectiveness of locks depends on the design, manufacture, installation and maintenance of the keys
• Among the attacks on locks are
  ◦ Illicit keys
    - Duplicate keys
      - Avoid access to the key by unauthorized persons even for a few seconds
      - Change locks/keys frequently
      - Key management procedure
    - Lost keys
      - Notify the responsible person when a key is lost
      - There should be no label on keys
  ◦ Forceful attacks
    - Punching, Drilling, Hammering, etc.

1.4.2 Safe Area (Surveillance with Guards)
◦ The most common in Ethiopia
◦ Not always the most reliable since it adds a lot of human factor
◦ Expensive in terms of manpower requirement
◦ Not always practical for users (employees don’t like to be questioned by guards wherever they go)

1.4.2 Safe Area (Surveillance with Video)
◦ Uses Closed Circuit Television (CCTV) that started in the 1960s
◦ Became more and more popular with the worldwide increase of theft and terrorism
◦ Advantages
  - A single person can monitor more than one location
  - The intruder doesn’t see the security personnel
  - It is cheaper after the initial investment
  - It can be recorded and be used for investigation
  - Since it can be recorded, the security personnel are more careful
  - Today’s digital video surveillance can use advanced techniques such as face recognition to detect terrorists, wanted people, etc.
◦ Drawback
  - Privacy concerns

1.4.3 Internal Human Factor - Personnel
• Choose employees carefully
  ◦ Personal integrity should be as important a factor in the hiring process as technical skills
• Create an atmosphere in which the levels of employee loyalty, morale, and job satisfaction are high
• Remind employees, on a regular basis, of their continuous responsibilities to protect the organization’s information
• Establish procedures for proper destruction and disposal of obsolete programs, reports, data and hardware
• Act defensively when an employee must be discharged, either for cause or as part of a cost reduction program
  ◦ Such an employee should not be allowed access to the system and should be carefully watched until s/he leaves the premises
  ◦ Any passwords used by a former employee should be immediately disabled
• Guard against disgruntled employees and angry former employees
  ◦ Many organizations have suffered damage by disgruntled employees or angry former employees. This is often referred to as the insider threat, or former insider threat
  ◦ In situations where employees plan to do damage to the facilities or equipment of an organization, they have several advantages compared to outsiders who want to inflict physical damage
    - Knowledge of facility layout and design
    - Familiarity with the location of sensitive or expensive equipment
    - Duplicate keys that allow them easy access to buildings
    - Knowledge of access codes for alarm systems
    - The ability to gain access to buildings with the aid of a friend or relative who is still employed by the organization
    - Knowledge of organizational habits such as shift changes or which doors are not secured during working hours
• Some basic steps that can be taken to reduce those advantages
  ◦ Notify security staff when an employee has been terminated or suspended
  ◦ When you do not have a security staff, notify all managers and supervisors when an employee has been terminated or suspended
  ◦ Maintain strict policies on access to facilities by nonemployees, and train all employees on those policies
  ◦ If terminated or suspended employees had been issued keys, ensure that keys are returned
  ◦ Change the locks for which any angry former employee had keys
  ◦ Change key codes to electronic doors immediately after an employee has been terminated or suspended
  ◦ Disable user rights for computers or communications systems held by a former or suspended employee
