Chapter-one

Introduction To Security And Privacy

1.1 Introduction
• In general, security is “the quality or state of being secure—to be free from danger.”
• In other words, protection against adversaries—from those who would do harm, intentionally or otherwise—is the objective.
• A successful organization should have the following multiple layers of security in place to protect its operations:
  • Physical security: to protect physical items, objects, or areas from unauthorized access and misuse
  • Personnel security: to protect the individual or group of individuals who are authorized to access the organization and its operations
  • Operations security: to protect the details of a particular operation or series of activities
  • Communications security: to protect communications media, technology, and content
  • Network security: to protect networking components, connections, and contents
  • Information security: to protect the confidentiality, integrity and availability of information assets, whether in storage, processing, or transmission.
• Computer security is about provisions and policies adopted to protect information and property from unauthorized access, use, alteration, degradation, destruction, theft, corruption, natural disaster, etc., while allowing the information and property to remain accessible and productive for their intended use
• Privacy: the right of the individual to be protected against intrusion into his personal life or affairs, or those of his family
• Computer security: when there is a connection to networks (network security), it deals with provisions and policies adopted to prevent and monitor unauthorized access, misuse, modification, or denial of the computer network and network-accessible resources

• “The most secure computers are those not connected to the Internet and shielded from any interference”
• Two extreme attitudes regarding computer security
  • There is no real threat
    • Much of the negative news is simply unwarranted panic
    • If our organization has not been attacked so far, we must be secure
    • This is a reactive approach to security; wait to address security issues until an incident occurs
  • The opposite viewpoint overestimates the dangers
    • They tend to assume that talented, numerous hackers are an imminent threat to a system
    • They may believe that any teenager with a laptop can traverse highly secure systems at will
    • Such a worldview is unrealistic
    • The reality is that many people who call themselves hackers
1.1.1 Basic Security Objectives (Pillars) - CIA

• Confidentiality: This term covers two related concepts:
  • Data confidentiality: Assures that private or confidential information or resources (resource and configuration hiding) are not made available or disclosed to unauthorized individuals
    • In network communication, it means only the sender and the intended receiver should “understand” message contents
  • Privacy: Assures that individuals control or influence what information related to them may be collected and stored and by
• Integrity: This term covers two related concepts
  • Data integrity: Assures that information and programs are changed only in a specified and authorized manner
    • In network communication, sender and receiver want to ensure that the message is not altered (in transit or afterwards) without detection
  • System integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system
• Availability: Assures that systems work promptly and service is not denied to authorized users
• Authenticity: A component missing from the CIA objectives.
  • It is the property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator; or sender and receiver want to confirm the identity of each other
1.1.2 Policy and Mechanism
• A security policy is a statement of what is, and what is not, allowed by users of a system.
• A security mechanism is a method, tool, or procedure for enforcing a security policy
1.1.3 Goals of Security
• Given a security policy’s specification of “secure” and “non-secure” actions, security mechanisms can prevent the attack, detect the attack, or recover from the attack
• Prevention: take measures to prevent the damage; it means that an attack will fail; e.g., passwords to prevent unauthorized users
• Detection: if an attack cannot be prevented, the when, how and who of the attack have to be identified; e.g., when a user enters a password three times
• Recovery/Reaction: take measures to recover from the damage; e.g., restore deleted files from backup; sometimes retaliation (attacking the attacker’s system or taking legal actions to hold the attacker
• Example 1: Protecting valuable items at home from a burglar
  • Prevention: locks on the door, guards, hidden places, etc.
  • Detection: burglar alarm, guards, Closed Circuit Television (CCTV), etc.
  • Recovery: calling the police, replacing the stolen item, etc.
• Example 2: Protecting against a fraudster using our credit card in an Internet purchase
  • Prevention: Encrypt when placing an order, perform some check before placing an order, or don’t use a credit card on the Internet
  • Detection: A transaction that you had not authorized appears on your credit card statement
  • Recovery: Ask for a new card, recover the cost of the transaction from insurance, the card issuer or the merchant
1.2 Brief History of Computer Security and Privacy
• Until the 1960s, information security was a straightforward process composed predominantly of physical security and simple document classification schemes.
• The primary threats to security were physical theft of equipment, espionage against the products of the systems, and sabotage.
• In the 60s and 70s
  • Evolutions
    • Computers became interactive
    • Multiuser/Multiprogramming was invented
    • More and more data started to be stored in computer databases
  • Organizations and individuals started to worry about
    • What the other persons using computers are doing to their data
• In the 80s and 90s
  • Evolutions
    • Personal computers were popularized
    • LANs and the Internet invaded the world
    • Applications such as E-commerce, E-government and E-health started to be developed
    • Viruses became major threats
  • Organizations and individuals started to worry about
    • Who has access to their computers and data
    • Whether they can trust a mail, a website, etc.
    • Whether their privacy is protected in the connected world
• Today, the Internet brings millions of unsecured computer networks into continuous communication with each other.
• The security of each computer’s stored information is now contingent on the level of security of every other computer to which it is connected.
• Cyber-attacks have made governments and companies more aware of the need to defend the computer-controlled control systems of utilities and other critical infrastructure.
Famous Security Problems
• Morris worm – Internet Worm
  • On November 2, 1988 a worm attacked more than 60,000 computers around the USA
  • The worm attacks computers, and when it has installed itself, it multiplies itself, freezing the computer
  • It exploited UNIX security holes in Sendmail and Finger
  • A nationwide effort made it possible to solve the problem within 12 hours
  • Robert Morris became the first person to be indicted under the Computer Fraud and Abuse Act
• Bank theft
  • In 1984, a bank manager was able to steal $25 million through un-audited computer transactions
• NASA shutdown
  • In 1990, an Australian computer science student was charged with shutting down NASA’s computer system for 24 hours
• Airline computers
  • In 1998, a major travel agency discovered that someone had penetrated its ticketing system and printed airline tickets illegally
• Does anyone know any security problem stories in Africa and Ethiopia?
• Early Efforts
  • 1960s: Marked as the beginning of true computer security
  • 1970s: Tiger teams
    • Government- and industry-sponsored crackers who attempted to break down the defenses of computer systems in order to uncover vulnerabilities so that patches can be developed
  • 1970s: Research and modeling
    • Identifying security requirements
    • Formulating security policy models
    • Defining guidelines and controls
    • Development of secure systems
• Standardization
  • 1985: Orange Book for Security Evaluation (or TCSEC - Trusted Computer System Evaluation Criteria)
    • Describes the evaluation criteria used to assess the level of trust that can be placed in a particular computer system
  • 1978: DES selected as encryption standard by the US
• Legal issues
  • In the US, legislation was enacted with regard to computer security and privacy starting from the late 1960s
  • The European Council adopted a convention on Cyber-crime in 2001
  • The World Summit for Information Society considered computer security and privacy as a subject of discussion in 2003 and 2005
  • The Ethiopian Penal Code of 2005 has articles on data and computer related crimes
1.3 Security Controls
a. Authentication (Password, Card, Biometrics)

(What we know, have, are!)

• Authentication is the binding of an identity to a subject
• An entity must provide information to enable the system to confirm its identity.
• This information comes from one (or more) of the following
  • What the entity knows (such as passwords or secret information)
  • What the entity has (such as a badge or card)
  • What the entity is (such as fingerprints or retinal characteristics - Biometrics)

b. Encryption

c. Auditing
• Auditing is the process of analyzing systems to determine what actions took place and who performed them
• It is the analysis of log records to present information about the system in a clear and understandable manner
• Auditing is essential for recovery and accountability
• Logging is the basis for most auditing; logging is the recording of events or statistics to provide information about system use and performance

d. Administrative procedures

e. Standards

f. Certifications

g. Physical Security

h. Laws
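
Added example (not part of the original slides): a small Python audit of login records that ties the auditing control (item c) to the detection goal in 1.1.3, alerting when a user enters a wrong password three times in a row and summarizing who did what. The log format, user names, addresses and the five-minute window are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: ISO timestamp, event, user, source).
SAMPLE_LOG = """\
2024-03-01T09:00:05 LOGIN_FAIL user=abebe src=10.0.0.7
2024-03-01T09:00:09 LOGIN_OK user=sara src=10.0.0.9
2024-03-01T09:00:12 LOGIN_FAIL user=abebe src=10.0.0.7
2024-03-01T09:00:20 LOGIN_FAIL user=abebe src=10.0.0.7
2024-03-01T09:01:00 LOGIN_FAIL user=sara src=10.0.0.9
2024-03-01T09:01:10 LOGIN_OK user=sara src=10.0.0.9
2024-03-01T09:05:00 FILE_DELETE user=sara src=10.0.0.9
this line is corrupted and must not crash the audit
2024-03-01T10:30:00 LOGIN_FAIL user=abebe src=10.0.0.7
"""

LINE_RE = re.compile(r"^(\S+) (\w+) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Return (events, rejected): parsed tuples and lines that did not match."""
    events, rejected = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            rejected.append(line)
            continue
        ts, event, user, src = m.groups()
        try:
            events.append((datetime.fromisoformat(ts), event, user, src))
        except ValueError:
            rejected.append(line)
    return events, rejected

def detect_failed_logins(events, threshold=3, window=timedelta(minutes=5)):
    """Detection: alert on `threshold` failures in a row within `window`; a success resets the streak."""
    streak = defaultdict(list)          # user -> timestamps of consecutive failures
    alerts = []
    for ts, event, user, src in sorted(events):
        if event == "LOGIN_OK":
            streak[user].clear()
        elif event == "LOGIN_FAIL":
            streak[user] = [t for t in streak[user] if ts - t <= window] + [ts]
            if len(streak[user]) >= threshold:
                alerts.append({"when": ts, "who": user, "how": f"{len(streak[user])} failed logins from {src}"})
                streak[user] = []        # start counting again after alerting
    return alerts

def audit_summary(events):
    """Auditing: what actions took place and who performed them."""
    summary = defaultdict(lambda: defaultdict(int))
    for _, event, user, _ in events:
        summary[user][event] += 1
    return {user: dict(counts) for user, counts in summary.items()}
```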
1.4 Physical Security
“The most robustly secured computer that is left sitting unattended in an unlocked room is not at all secure!!” [Chuck Easttom]
• Physical security is the use of physical controls to protect premises, site, facility, building or other physical asset of an organization [Lawrence Fennelly]
  • Physical security protects your physical computer facility (your building, your computer room, your computer, your disks and other media) [Chuck Easttom]
  • Physical security was overlooked in the past few years by organizations because of the emphasis placed on improving cyber security
• In the early days of computing, physical security was simple because computers were big, standalone, expensive machines
  • It was almost impossible to move them (not portable)
  • They were very few and it was affordable to spend on physical security for them
  • Management was willing to spend money
  • Everybody understood and accepted that there were restrictions
• Today
  • Computers are more and more portable (PC, laptop, smartphone)
  • There are too many of them to have good physical security for each of them
  • They are not “too expensive” to justify spending more money on physical security until a major crisis occurs
  • Users don’t accept restrictions easily
  • Accessories (e.g., network components) are not considered as important for security until there is a problem
  • Access to a single computer may endanger many more computers connected through a network

⇒ Physical security is much more difficult to achieve today than some decades ago

1.4.1 Types of Security Vulnerabilities
• Physical vulnerabilities (e.g., Buildings)
• Natural vulnerabilities - disasters (e.g., Earthquake)
• Hardware and Software vulnerabilities (e.g., Failures)
• Media vulnerabilities (e.g., Disks can be stolen)
• Communication vulnerabilities (e.g., Wires can be tapped)
• Human vulnerabilities (e.g., Insiders)

• Some of the vulnerabilities in brief
1. Natural Disasters
a. Fire and smoke
  • Fire can occur anywhere
  • Solution – Minimize risk
    • Good policies: No Food and Drinks, No Smoking, etc.
    • Fire extinguisher, good procedure and training
    • Fireproof cases (and other techniques) for backup tapes
    • Fireproof doors
b. Climate
  • Heat
  • Hurricane, storm, cyclone
  • Earthquakes
  • Water (flooding can occur even when a water tap is not properly closed)
  • Electric supply (voltage fluctuation; solution: voltage regulator)
  • Lightning
Avoid having servers in areas often hit by natural disasters!
2. People
• Intruders
• Thieves
• People who have been given access unintentionally by insiders
• Employees, contractors, etc., who have access to the facilities
• External thieves
• Portable computing devices can be stolen outside the organization’s premises
3. Loss of a computing device
• Mainly laptop
1.4.2 Safe Area
• A safe area is often a locked place where only authorized personnel can have access
• Organizations usually have a safe area for keeping computers and related devices
• Challenges
  • Is the area inaccessible through other openings (window, roof-ceilings, ventilation hole, etc.)?
    • Design of the building with security in mind
    • Know the architecture of your building
  • During opening hours, is it always possible to detect when an unauthorized person tries to get to the safe area?
    • Surveillance/guards, video-surveillance, automatic doors with security code locks, alarms, etc.
    • Put signs so that everybody sees the safe area
  • Are the locks reliable?
    • The effectiveness of locks depends on the design, manufacture, installation and maintenance of the keys
    • Among the attacks on locks are
      • Illicit keys
        • Duplicate keys
          • Avoid access to the key by unauthorized persons even for a few seconds
          • Change locks/keys frequently
          • Key management procedure
        • Lost keys
          • Notify the responsible person when a key is lost
          • There should be no label on keys
      • Circumventing the internal barriers of the lock
        • Directly operating the bolt, completely bypassing the locking mechanism, which remains locked
      • Forceful attacks
        • Punching, drilling, hammering, etc.
• Surveillance with Video
  • Uses Closed Circuit Television (CCTV), which started in the 1960s
  • Became more and more popular with the worldwide increase of theft and terrorism
  • Advantages
    • A single person can monitor more than one location
    • The intruder doesn’t see the security personnel
    • It is cheaper after the initial investment
    • It can be recorded and be used for investigation
    • Since it can be recorded, the security personnel are more careful
    • Today’s digital video surveillance can use advanced techniques such as face recognition to detect terrorists, wanted people, etc.
  • Drawback
    • Privacy concerns
1.4.3 Internal Human Factor - Personnel
• Choose employees carefully
• Personal integrity should be as important a factor in the hiring process as technical skills
• Create an atmosphere in which the levels of employee loyalty, morale, and job satisfaction are high
• Remind employees, on a regular basis, of their continuous responsibilities to protect the organization’s information
• Establish procedures for proper destruction and disposal of obsolete programs, reports, and data
• Act defensively when an employee must be discharged, either for cause or as part of a cost reduction program
  • Such an employee should not be allowed access to the system and should be carefully watched until s/he leaves the premises
  • Any passwords used by a former employee should be immediately disabled

• Guard Against Disgruntled Employees and Angry Former Employees
  • Many organizations have suffered damage by disgruntled employees or angry former employees. This is often referred to as the insider threat, or former insider threat
  • In situations where employees plan to do damage to the facilities or equipment of an organization, they have several advantages compared to outsiders who want to inflict physical damage
    • Knowledge of facility layout and design
    • Familiarity with the location of sensitive or expensive equipment
    • Duplicate keys that allow them easy access to buildings
    • Knowledge of access codes for alarm systems
    • The ability to gain access to buildings with the aid of a friend or relative who is still employed by the organization
    • Knowledge of organizational habits such as shift changes or which doors are not secured during working hours
  • Some basic steps that can be taken to reduce those advantages
    • Notify security staff when an employee has been terminated or suspended
    • When you do not have a security staff, notify all managers and supervisors when an employee has been terminated or suspended
    • Maintain strict policies on access to facilities by nonemployees, and train all employees on those policies
    • If terminated or suspended employees had been issued keys, ensure that keys are returned
    • Change the locks for which any angry former employee had keys
    • Change key codes to electronic doors immediately after an employee has been terminated or suspended
    • Disable user rights for computers or communications systems held by a former or suspended employee