Information Security

INTRODUCTION TO COMPUTER SECURITY
Dr. Shahriar Bijani
Shahed University
SLIDE REFERENCES
• Matt Bishop, Computer Security: Art and Science, the author homepage, 2004.
• Michael E. Whitman, Principles of Information Security, Chapter 1: Introduction to Information Security, 4/e, 2011.
• Chris Clifton, CS 526: Information Security course, Purdue University, 2010.
• Patrick Traynor, CS 8803 - Cellular and Mobile Network Security, Georgia Tech, 2012.

WHAT IS SECURITY?
Security /sɪˈkjʊərɪti/
noun
• the state of being free from danger or threat.
• synonyms: certainty, safe future, assured future, safety, reliability, dependability, solidness, soundness

WHAT IS SECURITY?

A successful organization should have multiple layers of security in place:
• Physical security: to protect the physical items, objects, or areas of an organization from unauthorized access and misuse.
• Personal security: to protect the authorized individual (or group of individuals).
• Operations security: to protect the details of a particular operation or series of activities.
• Communications security: to protect an organization's communications media, technology, and content.
• Network security: to protect networking components, connections, and contents.
• Information security

BASIC COMPONENTS

An Information System is secure if it supports CIA (the CIA triangle):
• Confidentiality
    • Keeping data and resources hidden
• Integrity
    • Data integrity (integrity)
    • Origin integrity (authentication)
• Availability
    • Enabling access to data and resources

THE HISTORY OF INFORMATION SECURITY
• Began immediately following the development of the first mainframes
    • Developed for code-breaking computations
    • During World War II
• Multiple levels of security were implemented
• Physical controls
• Elementary
    • Mainly composed of simple document classification
    • Defending against physical theft, espionage, and sabotage

THE 1960S
• Original communication by mailing tapes
• Advanced Research Projects Agency (ARPA)
    • Examined feasibility of networked communications
• Larry Roberts developed ARPANET
• Plan
    • Link computers
    • Resource sharing
    • Link 17 Computer Research Centers
    • Cost: $3.4M
• ARPANET is the predecessor to the Internet

THE 1970S AND 80S
• ARPANET grew in popularity
• Potential for misuse grew
• Fundamental problems with ARPANET security
    • Individual remote sites were not secure from unauthorized users
    • Vulnerability of password structure and formats
    • No safety procedures for dial-up connections to ARPANET
    • Non-existent user identification and authorization to system

THE 1970S AND 80S …

• Rand Report R-609
    • Paper that started the study of computer security
    • Information Security as we know it began
• Scope of computer security grew from physical security to include:
    • Safety of data
    • Limiting unauthorized access to data
    • Involvement of personnel from multiple levels of an organization

THE 1990S
• Networks of computers became more common
• Need to interconnect networks grew
• Internet became first demonstration of a global network of networks
• Initially based on de-facto standards
• In early Internet deployments, security was treated as a low priority

2000 TO PRESENT
• Millions of computer networks communicate
• Much of the communication is unsecured
• Ability to secure a computer's data is influenced by the security of every computer to which it is connected
• Growing threat of cyber attacks has increased the need for improved security

CHALLENGES OF COMPUTER SECURITY
1. Computer security is not simple
2. One must consider potential (unexpected) attacks
3. Must decide where to deploy mechanisms
4. Involves algorithms and secret info (keys)
5. A battle between attacker / admin
6. Its benefit is not perceived until it fails
7. Requires constant monitoring
8. Too often incorporated after the design is complete (not integral)
9. Regarded as a barrier to using the system

KEY INFORMATION SECURITY CONCEPTS
• Access
• Adversary
• Asset
• Attack
• Control, Safeguard, or Countermeasure
• Exploit
• Exposure
• Hack
• Loss
• Nonrepudiation
• Subjects / Objects
• Risk
• Threat
• Vulnerability

RELATIONSHIPS OF SECURITY CONCEPTS
KEY INFORMATION SECURITY CONCEPTS
• Computer can be subject or object of an attack
• When the subject of an attack
    • An active tool to conduct attack
• When the object of an attack
    • An entity being attacked
Source: Principles of Information Security, 4th Edition

INFORMATION SECURITY VS. ACCESS
• Perfect security is impossible
• Security is a process
• Security should be considered a balance between protection and availability
• Must allow reasonable access, yet protect against threats

INFORMATION SECURITY VS. ACCESS
Source: Principles of Information Security, 4th Edition
VULNERABILITIES
Source: Principles of Information Security, 4/e
THREATS

A threat is a potential violation of security.
CLASSES OF THREATS
• Interruption (Disruption)
    • Interruption or prevention of correct operation
    • DoS attack: Denial of Service
• Interception / Disclosure
    • Unauthorized access to information
    • Snooping: the unauthorized interception of information
• Modification
    • An unauthorized party not only gains access to but modifies an asset.
    • Masquerading or spoofing: an impersonation of one entity by another.
• Fabrication
    • An unauthorized party inserts fake objects into the system.

CLASSES OF THREATS
EXAMPLES OF THREATS
ADVERSARY
An adversary is anyone attempting to bypass the security infrastructure.
• The curious and generally inexperienced (e.g., script kiddies)
• Unintended attackers seeking to understand systems
• Malicious and terrorist groups
• Competitors (industrial espionage)
• Governments

ATTACK
• An attack occurs when someone attempts to exploit a vulnerability
• Types of attacks
    • Passive (e.g., eavesdropping)
    • Active (e.g., password guessing, DoS)
• A compromise occurs when an attack is successful

TRUST
• Trust
    • The degree to which an entity is expected to behave.
    • Trust is a particular level of the subjective probability with which an agent assesses that another agent will perform a particular action in a context that affects his actions [Gambetta, 1990]
• Reputation
    • Expectation about an entity's behavior based on past behavior [Abdul-Rahman, 2000]
    • May be used to determine trust

TRUST MANAGEMENT
• Trust Management as a countermeasure:
    • Trust relationships between peers help establish confidence
• Two types of trust management systems
    • Credential and Policy-based
    • Reputation-based

SECURITY MODEL

• A security model is the combination of trust and threat models that address the set of perceived risks
    • The "security requirements" used to develop some cogent and comprehensive design
    • Every design must have a security model
    • LAN network or global information system? Java applet or operating system?
• The single biggest mistake seen in use of security is the lack of a coherent security model
    • It is very hard to retrofit security (design time)
• This class is going to talk a lot about security models
    • What are the security concerns (risks)? Threats?
    • Who are our adversaries?
    • Who do we trust and to do what?
• Systems must be explicit about these things to be secure

POLICIES AND MECHANISMS

• Policy says what is, and is not, allowed
    • This defines "security" for the site/system/etc.
• Mechanisms enforce policies
• Composition of policies
    • If policies conflict, inconsistencies may create security vulnerabilities

TRUST AND ASSUMPTIONS
• Underlie all aspects of security
• Policies
    • Unambiguously partition system states
    • Correctly capture security requirements
• Mechanisms
    • Assumed to enforce policy
    • Support mechanisms work correctly

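Added example (not part of the original slides): a small Python model of the ideas on the POLICIES AND MECHANISMS and TRUST AND ASSUMPTIONS slides. It finds the requests on which two composed policies conflict, then enforces the composition so that every request falls into exactly one of the allowed or denied sets. The subjects, objects, rule format, and the deny-overrides, default-deny resolution are assumptions made for illustration.

```python
from itertools import product

# Constructed sample data; every name below is hypothetical.
SUBJECTS = ("alice", "bob", "backup-svc")
OBJECTS = ("payroll.db", "wiki")
ACTIONS = ("read", "write")

# A policy is an ordered rule list: (subject, object, action, decision).
# "*" matches anything; the first matching rule wins; no match = no statement.
HR_POLICY = [
    ("alice", "payroll.db", "*", "allow"),
    ("*", "payroll.db", "*", "deny"),
]
OPS_POLICY = [
    ("backup-svc", "*", "read", "allow"),
    ("*", "wiki", "*", "allow"),
]

def decide(policy, request):
    """Return 'allow', 'deny', or None if the policy says nothing."""
    for *pattern, decision in policy:
        if all(p in ("*", r) for p, r in zip(pattern, request)):
            return decision
    return None

def find_conflicts(policy_a, policy_b):
    """List every request that one policy allows and the other denies."""
    conflicts = []
    for request in product(SUBJECTS, OBJECTS, ACTIONS):
        decisions = {decide(policy_a, request), decide(policy_b, request)}
        if decisions == {"allow", "deny"}:
            conflicts.append(request)
    return conflicts

def enforce(request, policies=(HR_POLICY, OPS_POLICY)):
    """Mechanism (assumed design): deny overrides allow; unspecified = denied."""
    decisions = [decide(p, request) for p in policies]
    return "allow" in decisions and "deny" not in decisions

def partition(policies=(HR_POLICY, OPS_POLICY)):
    """Split the whole request space into allowed and denied sets."""
    allowed, denied = [], []
    for request in product(SUBJECTS, OBJECTS, ACTIONS):
        (allowed if enforce(request, policies) else denied).append(request)
    return allowed, denied

if __name__ == "__main__":
    print("conflicts:", find_conflicts(HR_POLICY, OPS_POLICY))
    print("allowed/denied:", [len(s) for s in partition()])
```

Without an explicit resolution rule in the mechanism, the one conflicting request (the backup service reading the payroll database) would be allowed or denied depending on which policy happened to be consulted first.
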
GOALS OF SECURITY
• Prevention
    • Prevent attackers from violating security policy
• Detection
    • Detect attackers' violation of security policy
• Recovery
    • Stop attack, assess and repair damage
    • Continue to function correctly even if attack succeeds