CS 5950 –

Computer Security and Information Assurance

Section 1 (ch.1) : Introduction to Security

Dr. Leszek Lilien

Department of Computer Science
Western Michigan University

Slides based on Security in Computing. Third Edition by Pfleeger and Pfleeger.

Using some slides courtesy of:
Prof. Aaron Striegel — at U. of Notre Dame
Prof. Barbara Endicott-Popovsky and Prof. Deborah Frincke — at U. Washington
Prof. Jussipekka Leiwo — at Vrije Universiteit (Free U.), Amsterdam, The Netherlands

Slides not created by the above authors are © 2006-2007 by Leszek T. Lilien
Requests to use original slides for non-profit purposes will be gladly granted upon a written request.
 Section 1 Outline
 1. Introduction to Security
 1.1. Examples – Security in Practice
 1.2. What is „Security?”
 1.3. Pillars of Security:
Confidentiality, Integrity, Availability (CIA)
 1.4. Vulnerabilities, Threats, and Controls
 1.5. Attackers
 1.6. How to React to an Exploit?
 1.7. Methods of Defense
 1.8. Principles of Computer Security
2 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
1.Introduction to Security
1.1. Examples – Security in Practice [Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

From CSI/FBI Report 2002

 90% detected computer security breaches within the last year

 80% acknowledged financial losses

 44% were willing and/or able to quantify their financial losses.

These 223 respondents reported $455M in financial losses.

 The most serious financial losses occurred through theft of proprietary information and
financial fraud:
26 respondents: $170M
25 respondents: $115M

For the fifth year in a row, more respondents (74%) cited their Internet connection as a
frequent point of attack than cited their internal systems as a frequent point of attack (33%).

34% reported the intrusions to law enforcement. (In 1996, only 16% acknowledged
reporting intrusions to law enforcement.)
3 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
 More from CSI/FBI 2002
 40% detected external penetration

 40% detected denial of service attacks.

 78% detected employee abuse of Internet access privileges
 85% percent detected computer viruses.
 38% suffered unauthorized access or misuse on their Web sites
within the last twelve months. 21% didn’t know.
[includes insider attacks]

 12% reported theft of transaction information.

 6% percent reported financial fraud (only 3% in 2000).

[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

4 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
 Critical Infrastructure Areas

… telecommunications, electrical power systems, gas and

oil, banking and finance, transportation, water supply
systems, government services and emergency services.
[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
5 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
 Threat Spectrum

[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

6 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
 Cyberterrorism

 The Internet Black Tigers conducted a successful

"denial of service" attack on servers of Sri Lankan
government embassies
 Italian sympathizers of the Mexican Zapatista
rebels attacked web pages of Mexican financial
institutions.
 Rise of “Hack-tivism”

Freeh, Testimony before Senate, 2000.

[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

7 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
 Threats to Personal Privacy

 Buying and selling confidential information from

Social Security files.
 Browsing IRS files.
 Buying and selling bank account name lists.
 A Princeton University student stole ~1800 credit
card numbers, customer names, and user
passwords from an e-commerce site.
House Ways and Means Committee, 102nd Congress, 1992.
10., Washington Post, S. Barr, 2 Aug. 1993
(4) Freeh, Testimony 2000

[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

8 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
 Identity Theft

 “The theft of computer hard drives from

TriWest Healthcare Alliance could turn into
one of the largest identity thefts on record
if the information is misused, the Federal
Trade Commission said.”

[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

9 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
 1.2. What is „Security?”

You Will Never Own a Perfectly

Secure System.

You Will Never Own a Perfectly Secure

System.

You Will Never Own a Perfectly Secure

System.
[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
10 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
 Well … Maybe If You Do This:

(Even then you have to do it in the right way –

there are standards how to destroy computers to prevent
security/privacy risks...)
[cf. Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
11 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
 “Secure” Computer System
 To decide whether a computer system is “secure”, you must first decide what “secure”
means to you, then identify the threats you care about.
 Some threats are named in the ovals

Denial
Cyberterrorism of Modified
Service Databases

Virus
Espionage

Identity
Theft
Equipment
Theft Stolen
Customer
Data
[cf. Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
12 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
 1.3. Pillars of Security:
Confidentiality, Integrity, Availability (CIA)
Confidentiality: Who is authorized?
Integrity: Is data „good?”
Availability: Can one access data whenever needed?

Confidentiality Integrity
S

Availability
S = secure
[cf. Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
13 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
 Balancing
CIA Biographical
Data
Payroll
Data
Health
Data

Confidentiality Integrity

S
Sensitive
Data

Availability S = secure

Need to balance CIA

Packet
Ex: Disconnect computer from Switch
Internet to increase
confidentiality (availability
suffers, integrity suffers due to
lost updates) Bridge
File
Ex: Have extensive data checks Server
by different people/systems to
increase integrity (confidentiality
Gateway
suffers as more people see data,
availability suffers due to locks Other
on data under verification) Networks

[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

14 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
 Confidentiality
 Use the “need to know” basis for data access
 How do we know who needs what data?
Approach: access control specifies who can access what
 How do we know a user is the person she claims to be?
Need her identity and need to verify this identity
Approach: identification and authentication
 Analogously: “need to access/use” basis for access
to physical assets
 E.g., access to a computer room, use of a desktop
 Confidentiality is:
 Difficult to ensure
 Easiest to assess in terms of success
 Binary in nature: Yes / No
15 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
 Integrity
 Integrity vs. Confidentiality
 Integrity - concerned with unauthorized modification of
assets (= resources)
Confidentiality - concered with access to assets
 Integrity is more difficult to measure than confidentiality
Not binary – degrees of integrity
Context-dependent - means different things in different
contexts
Could mean any subset of these asset properties:
{ precision / accuracy / currency / consistency /
meaningfulness / usefulness / ...}

 Types of integrity—an example

 A quotation from a politician
 Preserve the quotation (data integrity) but mis-attribute
(origin integrity)
16 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
 Availability (1)
 Not understood very well yet
„[F]ull implementation of availability is security’s next
challenge”
E.g. Full implemenation of availability for Internet users
(with ensuring security)

 Complex
Context-dependent
Could mean any subset of these asset (data or service)
properties :
{ usefulness / sufficient capacity /
progressing at a proper pace /
completed in an acceptable period of time / ...}
[Pfleeger & Pfleeger]
17 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
 Availability (2)

 We can say that an asset (resource) is

available if:
 Timely request response
 Fair allocation of resources (no starvation!)
 Fault tolerant (no total breakdown)
 Easy to use in the intended way
 Provides controlled concurrency (concurrency
control, deadlock control, ...)
[Pfleeger &
Pfleeger]
18 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
1.4. Vulnerabilities, Threats, and Controls
 Understanding Vulnerabilities, Threats, and Controls
 Vulnerability = a weakness in a security system

 Threat = circumstances that have a potential to

cause harm
 Controls = means and ways to block a threat, which

tries to exploit one or more vulnerabilities

 Most of the class discusses various controls and their
effectiveness

[Pfleeger & Pfleeger]

19 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007

  Attack
 = exploitation of one or more vulnerabilities by a
threat; tries to defeat controls
 Attack may be:

 Successful
 resulting in a breach of security, a system

penetration, etc.
 Unsuccessful
 when controls block a threat trying to exploit a

vulnerability
[Pfleeger & Pfleeger]
 Examples
 Fig. 1-1 (p.6)
 New Orleans disaster (Hurricane Katrina):
What were city vulnerabilities, threats, and controls
20 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
 Kinds of Threats
 Kinds of threats:
 Interception
 an unauthorized party (human or not) gains access to

an asset
 Interruption
 an asset becomes lost, unavailable, or unusable

 Modification
 an unauthorized party changes the state of an asset

 Fabrication
 an unauthorized party counterfeits an asset

[Pfleeger & Pfleeger]

 Examples?

21 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007

 Levels of Vulnerabilities / Threats
 D) for other assets (resources)
 including. people using data, s/w, h/w
 C) for data
 „on top” of s/w, since used by s/w
 B) for software
 „on top” of h/w, since run on h/w
 A) for hardware

[Pfleeger & Pfleeger]

22 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007

 A) Hardware Level of Vulnerabilities /
Threats
 Add / remove a h/w device
 Ex: Snooping, wiretapping
Snoop = to look around a place secretly in order to discover things about
it or the people connected with it. [Cambridge Dictionary of American
English]
 Ex: Modification, alteration of a system
 ...
 Physical attacks on h/w => need physical security: locks and
guards
 Accidental (dropped PC box) or voluntary (bombing a
computer room)
 Theft / destruction
 Damage the machine (spilled coffe, mice, real bugs)

 Steal the machine

 „Machinicide:” Axe / hammer the machine

 ...

23 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007

 Example of Snooping:
Wardriving / Warwalking, Warchalking,
 Wardriving/warwalking -- driving/walking
around with a wireless-enabled notebook looking
for unsecured wireless LANs

 Warchalking -- using chalk markings to show the

presence and vulnerabilities of wireless networks
nearby
 E.g., a circled "W” -- indicates a WLAN

protected by Wired Equivalent Privacy (WEP)

encryption

[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

24 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
 Example of Snooping:
Tapping Wireless http://www.oreillynet.com/cs/weblog/view/wlg/448

[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

25 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
 [Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
26 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
 Example of System Alteration:
Skimming from ABC.com

A legitimate transaction, so it seems... Stealing credit card data.

Making counterfeit „blank” credit Magetizing the magnetic strip to

card (with a blank magnetic strip). complete producing a counterfeit card.
[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
27 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
 B) Software Level of Vulnerabilities /
Threats
 Software Deletion
 Easy to delete needed software by mistake
 To prevent this: use configuration management
software
 Software Modification
 Trojan Horses, , Viruses, Logic Bombs, Trapdoors,
Information Leaks (via covert channels), ...
 Software Theft
 Unauthorized copying
 via P2P, etc.

28 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007

 Viruses
 Virus
A hidden, self-replicating section of computer software, usually malicious
logic, that propagates by infecting (i.e., inserting a copy of itself into and
becoming part of) another program. A virus cannot run by itself; it requires that
its host program be run to make the virus active

 Many kinds of viruses:

 Mass Mailing Viruses  Cell phone viruses
 Macro Viruses  Home appliance
 “Back Doors” a.k.a. “Remote Access viruses
Trojans”  MP3 player viruses

[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

29 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
 Types of Malicious Code
Trapdoors
Trojan Horses
X
Files

Bacteria

Worms
Logic Bombs Viruses

[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

30 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
Bacterium - A specialized form of virus which does not attach to a specific file.
Usage obscure.
Logic bomb - Malicious [program] logic that activates when specified conditions
are met. Usually intended to cause denial of service or otherwise damage system
resources.
Trapdoor - A hidden computer flaw known to an intruder, or a hidden computer
mechanism (usually software) installed by an intruder, who can activate the trap
door to gain access to the computer without being blocked by security services or
mechanisms.
Trojan horse - A computer program that appears to have a useful function, but also
has a hidden and potentially malicious function that evades security mechanisms,
sometimes by exploiting legitimate authorizations of a system entity that invokes the
program.
Virus - A hidden, self-replicating section of computer software, usually malicious
logic, that propagates by infecting (i.e., inserting a copy of itself into and becoming
part of) another program. A virus cannot run by itself; it requires that its host
program be run to make the virus active.
Worm - A computer program that can run independently, can propagate a complete
working version of itself onto other hosts on a network, and may consume computer
resources destructively.
[…more
31 types of malicious code exist…] [bacterium: http://sun.soci.niu.edu/~rslade/secgloss.htm, other: http://www.ietf.org/rfc/rfc2828.txt]
Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
 C) Data Level of Vulnerabilities /
Threats
 How valuable is your data?
 Credit card info vs. your home phone number
 Source code
 Visible data vs. context
 „2345” -> Phone extension or a part of SSN?

 Adequate protection
 Cryptography
 Good if intractable for a long time

32 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007

 Identity Theft  Cases in 2003:
 Credit card skimmers plus drivers
license, Florida
 Faked social security and INS
cards $150-$250
 Used 24 aliases – used false id to
secure credit cards, open mail
boxes and bank accounts, cash
fraudulently obtained federal
income tax refund checks, and
launder the proceeds
 Bank employee indicted for
stealing depositors' information
to apply over the Internet for
loans
 $7M loss, Florida: Stole 12,000
cards from restaurants via
computer networks and social
engineering
 Federal Trade Commission:
http://www.consumer.gov/idtheft/
[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
33 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
 Preventing Identity Theft
 Handle data carefully  Practice good computer
 Regular checks of your security
credit reports  Anti-virus s/w, firewall,
 Put a password on your secure browsers, …
credit accounts; don’t  Regularly (daily) updated
use just “mother’s
maiden name”  Minimize financial info on
 Be cautious about your computer
sharing personal  Think before you “click”
information  Clean up any computer
 From a web site:
“Deposit outgoing mail in before you sell/discard it
 Need special s/w to
post office collection
boxes or at your local securely destroy
post office, rather than „deleted” data
in an unsecured mailbox”
 Shred, don’t just discard [Barbara Edicott-Popovsky and Deborah Frincke,
CSSE592/492, U. Washington]
34 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
 Preventing Identity Theft:
Government Suggestions
 Suggestions from FTC:
 Contact the three major credit agencies, check credit,
put “stop” on unapproved new cards, issue “fraud alert”
 Close all accounts; open new ones w/o mother’s maiden
name (use password)
 File a report in the appropriate jurisdiction and keep
copies of those records

 … and now there’s an ID Theft Affidavit, to

 To prove to institutions that you are a victim of a

crime, not a criminal

[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
35 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
 Types of Attacks on Data CIA
 Disclosure
 Attack on data confidentiality
 Unauthorized modification / deception
 E.g., providing wrong data (attack on data
integrity)
 Disruption
 DoS (attack on data availability)
 Usurpation
 Unauthorized use of services (attack on data
confidentiality, integrity or availability)
36 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
 Ways of Attacking Data CIA
 Examples of Attacks on Data Confidentiality
 Tapping / snooping
 Examples of Attacks on Data Integrity
 Modification: salami attack -> little bits add up
 E.g., „shave off” the fractions of cents after interest calculations
 Fabrication: replay data -> send the same thing again
 E.g., a computer criminal replays a salary deposit to his account
 Examples of Attacks on Data Availability
 Delay vs. „full” DoS
 Examples of Repudiation Attacks on Data:

Repudiation / denial of origin of data: „I never sent it”
Repudiation = refusal to acknowledge or pay a debt or honor a
contract (especially by public authorities).
[http://www.onelook.com]

Repudiation / denial of receipt of data: „I never got it”
37 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
D) Vulnerab./Threats at Other Exposure
Points
 Network vulnerabilities / threats
 Networks multiply vulnerabilties and threats, due to:
 their complexity => easier to make

design/implem./usage mistakes
 „bringing close” physically distant attackers

 Esp. wireless (sub)networks

 Access vulnerabilities / threats
 Stealing cycles, bandwidth
 Malicious physical access

Denial of access to legitimate users
 People vulnerabilities / threats
 Crucial weak points in security
 too often, the weakest links in a security chain

 Honest insiders subjected to skillful social engineering

 Disgruntled employees
38 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
 1.3.5. Attackers

 Attackers need MOM

 Method

Skill, knowledge, tools, etc. with which to pull off an

attack
 Opportunity
Time and access to accomplish an attack
 Motive
Reason to perform an attack

39 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007

 Types of Attackers (1)

 Amateurs
 Opportunistic attackers
 Uses a password he found

 Script kiddies
 Hackers - nonmalicious
 in broad use beyond security community: also malicious
 Crackers - malicious
 Career criminals
 State-supported spies and information warriors
40 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
 Types of Attackers (2)
(in: the „Threat Spectrum” slide)

[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

41 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
 Example: Hacking As Social Protest

 Hactivism

 Electro-Hippies

 DDOS attacks on government agencies

 SPAM attacks as “retaliation”

[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

42 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
 New Internet
Attacks
High Packet Forging & Spoofing

Stealth Diagnotics

DDOS Sophistication of
Hacker Tools
Sweepers Sniffers

Hijacking Sessions

Back Doors

Self-Replicating Code Technical Knowledge

Required
Password Cracking

Password Guessing

Time
[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
43 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
1.6. How to React to an Exploit?

Exploit = successful attack

 Should you release it to the public?

 Include source code / not include source
code
 Release to vendor first, etc.

44 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007

 “To Report or Not To Report:”
Tension between Personal Privacy
and Public Responsibility
An info tech company will typically lose
between ten and one hundred times more
money from shaken consumer confidence than
the hack attack itself represents if they decide to
prosecute the case.

Mike Rasch, VP Global Security, testimony before the

Senate Appropriations Subcommittee, February 2000
reported in The Register and online testimony transcript

[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

45 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
 Further Reluctance to Report

 One common fear is that a crucial piece of equipment,

like a main server, say, might be impounded for
evidence by over-zealous investigators, thereby
shutting the company down.

 Estimate: fewer than one in ten serious intrusions are

ever reported to the authorities.

Mike Rasch, VP Global Security, testimony before the Senate

Appropriations Subcommittee, February 2000
reported in The Register and online testimony transcript

[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

46 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
 Computer Forensics:
Fighting Computer Crime
 Technology
 Law
Enforcement
 Individual and
Societal Rights
 Judiciary
 …

[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

47 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
1.7. Methods of Defense
 Five basic approaches to defense of
computing systems
 Prevent attack
 Block attack / Close vulnerability

 Deter attack
 Make attack harder (can’t make it impossible )
 Deflect attack
 Make another target more attractive than this

target
 Detect attack
 During or after

 Recover from attack

48 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
 A) Controls
 Castle in Middle Ages  Computers Today
 Location with natural  Encryption
obstacles  Software controls
 Surrounding moat  Hardware controls
 Drawbridge  Policies and procedures
 Heavy walls 
Physical controls
 Arrow slits

 Crenellations

 Strong gate
 Tower

 Guards / passwords

49 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007

  Medieval castles
 location (steep hill, island, etc.)

 moat / drawbridge / walls / gate / guards /passwo

 another wall / gate / guards /passwords

 yet another wall / gate / guards /passwords

 tower / ladders up

 Multiple controls in computing systems

 Fig. 1-6 – p.23
 system perimeter – defines „inside/outside”
 preemption – attacker scared away
 deterrence – attacker could not overcome defenses
 faux environment (e.g. honeypot, sandbox) – attack deflected
towards a worthless target (but the attacker doesn’t know about it!)
 Note layered defense /
multilevel defense / defense in depth (ideal!)

50 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007

 A.1) Controls: Encryption
 Primary controls!

 Cleartext scambled into ciphertext (enciphered text)

 Protects CIA:
 confidentiality – by „masking” data

 integrity – by preventing data updates

 e.g., checksums included

 availability – by using encryption-based protocols

 e.g., protocols ensure availablity of resources for

different users

 Much more later

[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
51 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
 A.2) Controls: Software Controls
 Secondary controls – second only to encryption
 Software/program controls include:
 OS and network controls
 E.g. OS: sandbox / virtual machine

 Logs/firewalls, OS/net virus scans, recorders

 independent control programs (whole programs)

 E.g. password checker, virus scanner, IDS (intrusion

detection system)
 internal program controls (part of a program)
 E.g. read/write controls in DBMSs

 development controls
 E.g. quality standards followed by developers

 incl. testing
52 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
  Considerations for Software Controls:
 Impact on user’s interface and workflow
 E.g. Asking for a password too often?

53 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007

 A.3) Controls: Hardware Controls

 Hardware devices to provide higher degree

of security
 Locks and cables (for notebooks)
 Smart cards, dongles, hadware keys, ...
 ...

54 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007

 A.4) Controls: Policies and Procedures

 Policy vs. Procedure

 Policy: What is/what is not allowed
 Procedure: How you enforce policy
 Advantages of policy/procedure controls:
 Can replace hardware/software controls
 Can be least expensive
 Be careful to consider all costs
 E.g. help desk costs often ignored for for passwords (=> look
cheap but migh be expensive)

55 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007

  Policy - must consider:
 Alignment with users’ legal and ethical standards
 Probability of use (e.g. due to inconvenience)
Inconvenient: 200 character password,
change password every
week
(Can be) good: biometrics replacing passwords
 Periodic reviews
 As people and systems, as well as their goals,

change

56 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007

 A.5) Controls: Physical Controls

 Walls, locks
 Guards, security cameras
 Backup copies and archives
 Cables an locks (e.g., for notebooks)
 Natural and man-made disaster protection
 Fire, flood, and earthquake protection
 Accident and terrorism protection
 ...

57 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007

 B) Effectiveness of Controls
 Awareness of problem
 People convined of the need for these controls
 Likelihood of use
 Too complex/intrusive security tools are often disabled
 Overlapping controls
 >1 control for a given vulnerability
 To provide layered defense – the next layer

compensates for a failure of the previous layer

 Periodic reviews
 A given control usually becomess less effective with time
 Need to replace ineffective/inefficient controls with better
ones

58 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007

 1.8. Principles of Computer Security

 Principle of Easiest Penetration (p.5)

An intruder must be expected to use any available
means of penetration.
The penetration may not necessarily be by the most obvious
means, nor is it necessarily the one against which the most
solid defense has been installed.

 Principle of Adequate Protection (p.16)

Computer items must be protected to a degree
consistent with their value and only until they lose
their value. [modified by LL]

59 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007

  Principle of Effectiveness (p.26)
Controls must be used—and used properly—to be
effective.
They must be efficient, easy to use, and appropriate.

 Principle of Weakest Link (p.27)

Security can be no stronger than its weakest link.
Whether it is the power supply that powers the firewall or
the operating system under the security application or the
human, who plans, implements, and administers controls, a
failure of any control can lead to a security failure.
60 Section 1 (Ch.1) – Computer Security and Information Assurance – Spring 2007
End of Section 1:
Introduction to Security