Computer and Information

Security
Introduction
 Computer systems are vulnerable to many threats
that can inflict various types of damage resulting in
significant losses of information and or the hard
and software components of a system.

 This damage can range from errors harming

database integrity to fires destroying entire
computer centres.
Introduction
 Losses can result, for example, from the actions of
supposedly trusted employees defrauding a system,
from outside hackers, or from careless data entry
clerks.
 The effects of various threats varies considerably:
some affect the confidentiality or integrity of data
while others affect the availability of a system.
 Basic security Concepts

Information is data that has been processed.

 Security is the degree of protection against danger, loss, and

criminal attacks.

 Information security
Is the process by which an organization protects and secures its
systems, media, and facilities that process and maintain information
vital to its operations.
Basic security Concepts
 Security refers to the policies, procedures, and
technical measures used to prevent unauthorized
access, alteration, theft, or physical damage to
information systems.
 Controls are methods, policies, and organizational
procedures that ensure the safety of the
organization’s assets, the accuracy and reliability of
its records, and operational adherence to
management standards.
Basic security Concepts
 Computer security:
 This is the process that involves security of computer
system assets from damages.
 E.g. physical damage, electric shock etc. allowing the
information and property to remain accessible and
productive to its intended users.
Basic security Concepts
 Threat -a possible danger that might exploit a
vulnerability to breach security and thus cause
possible harm
 Attacks-A vulnerability that has been
compromised and exploited to cause harm to a
computer system
Basic security Concepts
 Risk-Event or action that causes loss of or damage
to computer system
 A vulnerability that could allow loss of
confidentiality, integrity, or availability of
computer services and where there is a possibility
of the vulnerability being exploited.
Differences between Information security and
computer security
 Computer security mainly involves protecting the computer
system hardware from theft, physical damages etc.
 Involves the review of physical security of your premises which
include door locks, storage of duplicate keys etc

 One the other side, Information security provides measures to

secure information from unauthorized access or users. E.g. Using
biometric system(finger prints), voice detectors, pass words etc.
Differences between Information security and
computer security

 Information security is concerned with the confidentiality,

integrity and availability of data/information regardless of the form
the data may take: electronic, print, or other forms.

 Computer security can focus on ensuring the availability and

correct operation of a computer system without concern for the
information stored or processed by the computer.
Objectives of Information security

 Securing information is equivalent to ensuring that computers keep

your secrets, hold valid information, are ready to work when you
are, and keep records of your transactions.

 The three objectives of confidentiality, integrity, and availability

can never be completely separated.
Objectives of Information security..
 Objectives of Information security

Confidentiality:
 It involves keeping information away from people who should not have
it.
 Accomplishing this objective requires that we know what data we are
protecting and who should have access to it.
 It requires that we provide protection mechanisms for the data while it
is stored in the computer and while it is being transferred over networks
between computers.

• Confidentiality mechanisms (like data encryption) keep

information from being read by unauthorized people.
Confidentiality Aspects

 Privacy: it involves the ability to control the spread of

confidential information. E.g. use of private of passwords.

 Identification: recognizing someone’s identity.

 Authentication: a way of implementing decisions about whom to

trust.

 Authorization: Access privileges granted to a user, program, or

process.

 Access Control: How much data should a particular user see?

Authentication, authorization, and access control.

 Authentication is the process of determining whether someone or

something is, in fact, who or what it is declared to be. In many
systems (including the Internet), authentication is commonly done
through the use of logon passwords.
 Knowledge of the password is assumed to guarantee that the user is
authentic.
 Each user registers initially (or is registered by someone else), using
an assigned or self-declared password.
 On each subsequent use, the user must know and use the previously
declared password.
Authentication, authorization, and access control.

 Authorization is the process by which the user's privileges are

ascertained specifying access rights to resources

 Access control is the process by which the user's access to

physical data in the application is limited, based on his privileges.
Objectives of Information security..

Integrity:
 This is the second objective of information security.

 It ensures that the information stored in the computer is never

contaminated or changed in a way that is not appropriate.

 Both confidentiality and availability contribute to integrity.

 Keeping data away from those who should not have it and making sure
that those who should have it can get it are fairly basic ways to maintain
the integrity of the data.

 Integrity mechanisms ensure that information stored in the

computer is never changed in a way that is not appropriate.
Integrity Aspects

 Privileges control access to data, so that only authorized users can

change the data.
 Data/information must be protected against viruses designed to
corrupt the data.
 Backup and recovery procedures must be used to restore correct states
of the data/information in events of clashes.
 Objectives of Information security..

Availability:
 It ensures that data stored in the computer can be accessed by the
people who should access it.
 Availability is a broad subject addressing things such as denial of
service and access control to ensure that data is available to those
authorized to access it.
 Availability means ensuring that the data can be accessed by all
authorized people.
Availability Aspects

 Scalability: System performance must remain adequate regardless

of the number of users or processes demanding service.

 Flexibility: Administrators must have adequate means of managing

the user population. They might do this by using a directory, for
example.

 Ease of Use: The security implementation itself must not diminish

the ability of valid users to get their work done.
 Objectives of Information security..

Non repudiation:
 Method by which the sender of data is provided with proof of
delivery and the recipient is assured of the sender's identity, so that
neither can later deny having processed the data.
Objectives of Information
security.
 Non repudiation:
 Prevents an individual or entity from denying having
performed a particular action related to electronic data
(such as origin, intent or ownership).

 It is a way of making sure that the sender of a message

cannot later refuse to recognize that the sender sent the
message and that the recipient cannot deny having received
the message.
 Objectives of Information security..

Non repudiation cont’d

 For example, in a business-to-consumer (B to C) transaction,

consumers place orders. Sometimes, they change their minds and

decide they don't want what they ordered and will claim that they
never ordered merchandise or that the order was not what they
requested. NR mechanisms keep consumers honest and protect
businesses in these situations.
Threats

 A threat is a potential violation of security. It is a person, a

mechanism or an event that can potentially inflict harm on the
firm's information resources.

 The violation needs not to actually occur for a threat to be there; the
fact that the violation may occur means that those actions that could
cause it to occur must be guarded against (or prepared for).

 Those actions are called attacks and the people who execute such
actions or cause them to be executed are called attackers.
Threats
Threats

 The three security elements i.e. confidentiality, integrity and

availability face a number of threats as discussed below;
 Snooping – which involves the unauthorized interception of
information. It is a form of disclosure in which an entity is listening
to or (reading) communications or browsing through files or system
information.
Threats
 Wire tapping is also a form of snooping in which a network
is monitored.
 Confidentiality services counter this threat.
Threats

 Modification or alteration – An unauthorized change or

modification of information. In this type of threat, data may be
modified, and this incorrect information may be used to make
decisions of released to the public.
 Unlike spoofing which is passive, modification is active; it
results from an entity changing information.
 Active wiretapping is a form of modification in which data
moving across a network is altered; the term active distinguishes
it from snooping (“passive wiretapping”).
Threats

 An example is the man in the middle attack, in which an intruder

reads messages from the sender and sends (possibly modified)
versions to the recipient, in hopes that the recipient and the
sender will not realize the presence of the intermediary.

 Integrity services counter this threat.

 Threats

 Masquerader In terms of communications security issues, a

masquerade is a type of attack where the attacker pretends to be an
authorized user of a system in order to gain access to it or to gain
greater privileges than they are authorized for.
Threats
 A masquerade may be attempted through the use of
stolen logon IDs and passwords, through finding
security gaps in programs, or through bypassing the
authentication mechanism.

 Once the attacker has been authorized for entry, they

may have full access to the organization's critical
data, and (depending on the privilege level they
pretend to have) may be able to modify and delete
software and data.
THE MOST NOTORIOUS THREAT—THE “VIRUS”

 A virus a software program capable of reproducing itself and usually

capable of causing great harm to files or other programs on the same
computer.

 A true virus cannot spread to another computer without human assistance.

 A worm is a self-replicating Malware computer program.

 It uses a computer network to send copies of itself to other nodes (computers

on the network) and it may do so without any user intervention.

 This is due to security shortcomings on the target computer. ...

Trojan horse

 A Trojan horse is a computer program that appears to be useful; it

even tempts the user to install it but instead facilitates unauthorized
access to the user’s computer.

 Neither replicates nor copies itself, and its file name is normally
misleading to entice you to open it. ...
Threats
 Errors and Omissions
 Caused by all types of users who create and edit
data.
 Users, data entry clerks, system operators, and
programmers frequently make errors that contribute
directly or indirectly to security problems. In some
cases, the error is the threat, such as a data entry
error or a programming error that crashes a system.
 In other cases, the errors create vulnerabilities.
Threats
 Fraud and Theft
 Computer systems can be exploited for both fraud
and theft both by "automating" traditional methods
of fraud and by using new methods.
 For example, individuals may use a computer to
skim small amounts of money from a large number
of financial accounts, assuming that small
discrepancies may not be investigated
Threats
 Computer fraud and theft can be committed by
insiders or outsiders. Insiders (i.e., authorized users
of a system) are responsible for the majority of
fraud.
 Since insiders have both access to and familiarity
with the victim computer system (including what
resources it controls and its flaws), authorized
system users are in a better position to commit
crimes.
Threats
 Insiders can be both general users (such as clerks)
or technical staff members.
 An organization's former employees, with their
knowledge of an organization's operations, may
also pose a threat, particularly if their access is not
terminated promptly.
Software Theft
 Act of stealing or illegally stealing software,
copying software or intentionally erasing programs
 Software piracy is illegal duplication of
copyrighted software
Software Theft
 Some software can be free for use, editing and
distribution for example open source software
while other types of software are free for sharing
and use especially in the education sector while
other types of software have to be purchased –
copying of these types of software is not allowed as
this breaches the developers copyrights.
Employee Sabotage
 Employees are most familiar with their employer's
computers and applications, including knowing
what actions might cause the most damage,
mischief, or sabotage.
 The downsizing of organizations in both the public
and private sectors has created a group of
individuals with organizational knowledge, who
may retain potential system access (e.g., if system
accounts are not deleted in a timely manner).
Employee Sabotage
 Destroying hardware or facilities,
 Planting logic bombs that destroy programs or data,
 Entering data incorrectly, "crashing" systems,
 Deleting data,
 Holding data hostage, and
 Changing data.
 Some ways of ensuring computer security so
as to guarantee information security

• Using Password
 A good pass word is at least 6 characters long, is not a word that appears in
any dictionary and includes at least one special character.

 It should be easy for the user to remember so that the user wont be prompted
to write it down

 it should not be based on the users birthday, dogs name, or any such
personal attribute.

 One way to create acceptable pass word is to replace letters with numerals
or characters. e.g.
 -Dest%360#
 -Ge380ther$
Some ways of ensuring computer security so as to
guarantee information security

Installing Anti Virus software:

 Computer security can be secured by installing an anti-virus

thus protection of the computer from infections plus

protecting information not to be duplicated by the virus
infection. E.g. Avast, AVG, Norton anti-virus etc.

 An anti-virus software should always be updated.

Some ways of ensuring computer security so as to
guarantee information security

 Using firewall.
 A firewall is software or hardware that checks information coming from
the Internet or a network, and then either blocks it or allows it to pass
through to your computer, depending on your firewall settings.

 A firewall can help prevent hackers or malicious software (such as worms)

from gaining access to your computer through a network or the Internet.

 A firewall can also help stop your computer from sending malicious
software to other computers.

 The following illustration shows how a firewall works.

Illustration of firewall
Some ways of ensuring computer security so
as to guarantee information security
 Intrusion detection software can be used to analyze
network traffic, assess system vulnerabilities, and
identify intrusions and suspicious behavior.
 Access control can also be used and defines who
can access computer and what actions they can
take.
 Audit trail records access attempts-easy to detect
who is trying to access your system and prompts
you to employ required security measures.
Some ways of ensuring computer security so
as to guarantee information security
 Use of biometric devices

 Authenticates person’s identity using personal

characteristics like:
 Fingerprint, hand geometry, voice, and iris
Some ways of ensuring computer security so
as to guarantee information security
 Backing Up
 Duplicate of file, program, or disk
 Full backup all files in computer
 Selective back up select which files to back up
 Three-generation backup preserves three copies of
important files
 In case of system failure or corrupted files, restore
files by copying to original location
 Encryption

 Information security uses cryptography to transform usable

information into a form that renders it unusable by anyone other than
an authorized user; this process is called encryption.

 Information that has been encrypted (rendered unusable) can be

transformed back into its original usable form by an authorized user,
who possesses the cryptographic key, through the process of
decryption.
Encryption
 Cryptography is used in information security
to protect information from unauthorized or
accidental disclosure while the information is
in transit (either electronically or physically)
and while information is in storage.
Employee Education and
Training
 Employee education should teach employees for example not
to open emails from persons they do not know, ask the
helpdesk about any emails that seem suspicious, to be aware
of the phishing scams, always update their anti-viruses etc.

 Educated and trained employees are one of the best lines of

defense against information security threats in an
organization.
Environmental threats/Hazards to computers and Information
systems

 Fire- the most serious and costly hazard. It destroys data, information,
software and hardware.
 Security measures against fire include:
 Fire proof cabinets
 Have fire extinguishers
 Have fire detectors
 Training of fire officers
 Observation of safety procedures e. avoid smoking in computer rooms.
Environmental threats/Hazards to
computers and Information systems
 Water/Flood and moisture. This causes components of a
computer to rust. Security measures include;
 Setting up computer rooms on higher grounds to avoid floods.
 Adequate drainage system
 Use of water proof ceiling and floors.
Environmental threats/Hazards cont…d

 Lightening & electricity- this causes power failure which can cause
damage to data which have not been transferred to permanent
storage media services.
 Security measures;
 Use of uninterrupted power supply (UPS)
 Use stand by power generators/source
 Have lightening arrestors in the building
 Use power stabilizers.
Environmental threats/Hazards cont…
d
 Terrorist Attacks. This includes activities like political
terrorists e.g. bombs, criminal type of activities. Security
measures include;
 Control physical access to be building housing the computer room.
 Consult with police and fire authorities about potential risks and co-
operation.
Conclusion

 The technical challenges of security are mostly conquered through

Firewalls, encryption, virus protection etc.

 However the largest security and most challenging problem is the

people

 Social engineering is still the most effective attack

 Social engineering is simply the user of non-technical means to

gain authorized access – for example, making phone calls or
walking into a facility and pretending to be an employee.
Social engineering..

 Social engineering scams can be as simple as an attacker posing

as a helpdesk administrator and calling an employee asking for
the employee’s password.

 Therefore, Employee awareness as a result of adequate training

teaches the employee standard organizational procedures, such
as there is no circumstance when the helpdesk would call and
ask for a password.
Note:

 A hacker is a person who is proficient with computers and/or

programming to an elite level where they know all of the in's
and out's of a system. There is NO illegality involved with
being a hacker.

 A cracker is a hacker who uses their proficiency for personal

gains outside of the law. EX: stealing data, changing bank
accounts, distributing viruses etc.
Note
 What the hacker does with their knowledge of systems within the
definition of the law is what defines them as a hacker vs. a cracker.
It's then safe to say that all crackers are hackers, but not all hackers
are crackers. This is an important distinction.

 The term cracker and hacker are used interchangeably (albeit

incorrectly) largely due to the ignorance of the general populace,
especially the media.
Conclusion cont’d

 Security Is a Process
 Security is never finished

 The world changes

– Technology changes
– People forget working methods
 Security is a continuous loop of

– Planning
– Implementing
– Evaluating
Reading: Laudon and Laudon 15
edition Chapter 8
 Why are information systems vulnerable to
destruction, error and abuse?
 Why are systems vulnerable?
 Identify contemporary security challenges and
vulnerabilities
 Internet vulnerabilities
 Wireless security challenges
 Malicious software
 Hackers and computer crime
Reading: Laudon and Laudon 15
edition Chapter 8
 Spoofing and Sniffing
 Denial-of-Service Attacks
 Identity Theft
 Click Fraud
 Global Threats: Cyberterrorism and Cyberwarfare
 Internal threats: employees
 Software vulnerability
Reading: Laudon and Laudon 15
edition Chapter 8
 Business value of security and control
 Legal and regulatory requirements for electronic
records management
 Electronic evidence and computer forensics
 Components of organizational framework for
security and control
 Information system controls
 Risk assessment
 Security policy
Reading: Laudon and Laudon 15
edition Chapter 8
 Disaster recovery planning and business continuity
planning
 Role of auditing
 Tools and technologies for safeguarding
information resources
 Identity management and authentication
 Firewalls, intrusion detection systems and antivirus
software
 Securing wireless networks
Reading: Laudon and Laudon 15
edition Chapter 8
 Encryption and public key infrastructure
 Ensuring system availability
 Security issues for cloud computing and mobile
platforms
 Ensuring software quality