112/04/18 Y K Choi 1

Overview of Computer Security

City University of Hong Kong

Division of Computer Studies

Y K Choi

112/04/18Y K Choi 2

What is security? (a general definition)

Defined by Ron Kurtus, http://www.school-for-champions.com/security/whatis.htm ,

Security is the protection of a person, property or organization from an attack. There are people who have distorted motivations to perform such attacks. The types of protection include prevention, response and pre-emptive attacks. There are Three Questions you may ask:

What are the types of possible attacks? What reasons do people have to attack others? What type of defenses can you have?

112/04/18Y K Choi 3

What is security?

A simple and less academic definition is: To make it inconvenient to unauthorized persons. Some of the examples are given below:

Place a security guard on the ground floor to keep track of each visitor and write down his/her particulars. (so that it imposes an extra inconvenience to the intruder (illegal visitor))

To install a door lock (so that you need to use a key to open it)

To double-install an iron gate (so that you have to open two doors, iron gate and wooden door)

112/04/18Y K Choi 4

What is Computer Security?

Computer security is a protection that is afforded to an information system in order to attain the applicable objectives or preserving the integrity, availability and confidentiality of information system resources. The information resources include hardware, software, information and data.

Three items: integrity,

availability and

confidentiality

112/04/18Y K Choi 5

Explanation to confidentiality, integrity and authentication

Assume that you wrote a cheque of HKD 1000 to your friend John and sent by mail. You should ensure that only John can get it. Even others get this, they should not know the details. (This is confidentiality)

Both you and John should ensure that no one can tamper (modify) the contents such as the amount and signature. (This is integrity.)

John will ensure that the cheque is from you, no from others. (This is authentication)

112/04/18Y K Choi 6

Example of Confidentiality

John is sending a mail to Alice. Confidentiality means only Alice can access

the mail. Bob is not supposed to receive and view the content.

112/04/18Y K Choi 7

Example of Authentication

John is sending a mail to Alice. Authentication means Alice proves that the

mail is from John not from Bob.

112/04/18Y K Choi 8

Example of Integrity

I love you

John is sending a mail to Alice saying “I love you”. Integrity means that the message will not be captured and modified by Bob as “ I hate you” as from John

to Alice.

I love you

I hate you

112/04/18Y K Choi 9

Example to consider - affordable

We could build an extremely secure computer room to protect a computer system that costs thirty thousands. The computer room might cost million dollars which we could not afford.

It is better to use a traditional key/lock system with password protection. (Although it is easily broken, it is cheaper and affordable.)

112/04/18Y K Choi 10

AgendaAlthough all the assets of an organization are subject to loss, damage etc. information systems (computer networks and applications) tend to be particularly susceptible to these dangers.

•IT components are comparatively fragile (easily broken)

•Computer hardware can be damaged more easily (last for a couple of years)

•Computer systems and networks are likely to be the target of disgruntled workers and criminals.

Security issue:

• Areas of vulnerability

• People in computer crime

• Methods of trespassing (hacking)

• Ways to counteract intrusion (protect the system)

112/04/18Y K Choi 11

Areas of Vulnerability (means easily attacked)

There are four basic items: the most difficulty part is people, as it is difficult to control them.

Hardware: physical devices such as CPU, keyboard

Software: this includes Operating system, applications and network

Data: without the data, this is useless (the essence of computer systems)

People: can cause a great deal of damageFrom Computer security management by Karen A. Forcht, Chapter 1

112/04/18Y K Choi 12

Hardware

It means all physical devices.The most visible parts such as monitor, mouse, keyboard, router, disk etc. (be careful the keyboard)Subject to common mishaps such as coffee spills, crumbs getting into keyboards, dust and stealPrevention: by placing locks on computer rooms, cabinets, motherboard, monitor etc.

112/04/18Y K Choi 13

Software

Software piracy: illegal coping and distribution of software (even free of charge using

BT) is a serious offense

Deletion of software: accidental deletion of software, configuration etc.

Software alteration: changing a few lines of code is hard to find out, which can change the behaviour of software

112/04/18Y K Choi 14

Data

It is crucial to the organization (it means it is important)

Re-construction of lost data is expensive and time consuming (that is why it is better to protect it.)

Another threat is damage of personal data and leakage of data (privacy law)

Sensitive data should be revealed with authorized access (imposes security level)

To safeguard the data: kept in a safe place and shred (destroy) the sensitive data

112/04/18Y K Choi 15

People

Intruders: disgruntled (unhappy) employees might seek revenge to plant a logic bomb (software bomb)Hackers: break the computer system. Hackers have the following profile

Relatively youngHighly motivatedIntelligent and personableHappy with jobProficiency in computer systems and programming

No need to

memorise the

profile

112/04/18Y K Choi 16

Hacker – the definition

The definition is Quite interesting (based on MIT and Stanford’s definition)

1. A person who enjoys learning the details of programming systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary (means who wants

to learn more)

2. One who programs enthusiastically, or who enjoys programming rather than just theorizing about programming

112/04/18Y K Choi 17

People – Computer Criminals

There are Four areas of computer crime

Theft of computer time: common practice to remote log into the system (not common in the Internet). This includes the time it takes to repair the computer system after infected by virus, bomb etc.

Theft of data: physical remove data from files

Manipulation of computer programs: change or insert/delete program

Software piracy: illegal copying of software

112/04/18Y K Choi 18

Threats to security

Natural disasters: such as fire, floods, windstorms, earthquakes etc. We can do little to prevent natural disasters. (In Hong Kong, fire is the most serious.)

Malfunctions: They cause much less damage, but occur frequently such as power surges (sudden change of power), stray electrical forces, dust, operation error etc.

Hardware reliability: routine and preventive maintenanceSoftware reliability: testing and debugging

112/04/18Y K Choi 19

Threats to security (cont.)

Criminal Acts – Crimes against computers and defenses against computer crime. These include the use of password to prevent intruders. Data diddling (means the alteration of data)

Operating integrity – system managers still need to take precautions to safeguard data. A common term is “Garbage in and garbage out” as the process – changing, adding and deleting data may raise error

112/04/18Y K Choi 20

Security Measures (means how to protect)

Passwords: the most common means of user authentication. Generally used. Rules of choosing password:

1. Don’t leave your password open

2. Don’t write it down

3. Choose a password with at least six characters: there are 26^6 (308915776) combination

4. Don’t choose a password that is obvious such as John or “Chan Tai Man” if your name is John or “Chan Tai Man”

112/04/18Y K Choi 21

Security Measures (2)

Encryption: Encrypt the data. There are many standards such as Data Encryption Standard (DES) by IBM

Dial-back devices: The system will disconnect the telephone line and verify the caller, then call the caller. (it is getting outdated as we are using the Internet, I list this method so that you have an idea.)

Control: from planning to final implementation. This involves the progress review and acceptance test, post-installation review and periodic audits

112/04/18Y K Choi 22

Security Measure (3)

Progress review: it is unusual for a project to proceed on schedule. The purpose of a progress review is to bring changes to light to revise the master plan.Acceptance test: It is the final activity before conversion to the new system. (very important in commercial world to accept the modified version of software)

Contingency planning: It is the backup plan in case an event my or may not occur. For example, if the application cannot operate, what should we do? (example. if the system is down, go back to manual system such as using the log book to keep the transaction)

112/04/18Y K Choi 23

Management’s role (3 steps)

As stated by Jay BloomBecker, the approach to security is:Technology (try to prevent illegal users to hack the system. For example, the use of firewall, password, private line, virtual path network, etc.)Management techniques: proper handling the flow of data, procedure of accessing data etc. (in order to achieve this, impose policy.)Laws and legal actions: For those who cannot be stopped (or avoided) by technology, impose law to prevent such as sue hackers etc.

112/04/18Y K Choi 24

Computer Security Information (no need to memorise)

http://www.alw.nih.gov/Security/security.htmlAdvisories  (advisories)

• A number of groups from around the world provide information about security vulnerabilities and methods to remove or reduce the danger of particular vulnerabilities for different computer operating systems. 

Documents  (documents)• Many articles have been written about various topics in computer

and network security that have been published on the Internet. 

Electronic Magazines, Newsletters and News Sites  (electronic magazines)

There are some magazines, newsletters and news sites available online that provide timely information about computer security. 

112/04/18Y K Choi 25

Web information about security (no

need to memorise)

Frequently Asked Questions (FAQ)  (FAQ)A FAQ is a summary document written by knowledgeable individuals for a particular topic and it contains commonly requested information about the topic. 

Groups and Organizations  (organisations)A number of computer security organizations exists that provide information to the public or to their members. 

Mailing Lists  (mailing lists)Mailing Lists provide a dialog on areas of interest to the members of the list. 

http://www.itsd.gov.hk/itsd/secure/g3_r1_disclose.pdf This the web site of ITSD, Hong Kong Government

112/04/18Y K Choi 26

Web informationNewsgroups  (Newsgroups)

USENET newsgroups are a series of discussion groups that can be useful to obtain current information of a specific topic. Some newsgroups are a better source of information than others. 

Request for Comments (RFC) on computer and network security topics  (RFC)Software

A large amount of software is available to improve the security of a system. 

World Wide Web (WWW) Sites  (WWW)Many WWW sites provide a large amount of information about various topics in computer security. Some of these sites are simply large indexes but others contain a collection of information on a specific topic. 

112/04/18Y K Choi 27

SummarySecurity is the protection of a person, property or organization from an attack. Computer systems and data are susceptible to loss, damage etc.Areas of vulnerability (easily damaged) are: hardware, software, data and peoplePrinciples of Security: confidentiality, integrity and authentication

Methods of protecting the system: the use of checksum, data encryption, password, logs, firewall, Information System (IS) plan: To go through all the necessary steps such as progress review, acceptance testing, post installation etc. to ensure the software quality is secure.

112/04/18Y K Choi 28

Next WeekIdentify the natural disasters Determine the damage assessment and reconstruction techniques Design and select the physical location of a computer server Describe the various access control mechanisms to prevent unauthorised entries