ECEG-4192
Computer Networks and Security
Mr. Haftom Aregawi(@Letsgo)
Introduction to Computer and
Network Security
Outline
• Introduction
• Why is Computer and Network Security Important?
• Primary Goals of Network Security
• The Security Trinity
• Information Security
• Risk Assessment
• Security Models
• Basic Security Terminologies
• Threats, Vulnerabilities, and Attacks
Haftom Aregawi 2
Outline
• Threats, Vulnerabilities, and Attacks…
• Know Yourself - The Threat and Vulnerability Landscape
• Privacy, Anonymity and Pseudo-anonymity
• Security, Vulnerabilities, Threats and Adversaries
• Know Your Enemy - the Current Threat and Vulnerability
Landscape
• Security Bugs and Vulnerabilities - The Vulnerability Landscape
• Malware, viruses, rootkits and RATs
• Spyware, Adware, Scareware, PUPs & Browser hijacking
• Phishing, Vishing and SMShing
• Spamming & Doxing
Outline
• Security services, Policy, Mechanism, and Standards
• Security services
• Security Policy
• Security Mechanism
• Security Standards
• System development
• Operating System Security & Privacy (Next Lecture)
• Windows 7, 8, 8.1, and 10 OS
• MAC-OS
• Linux/Ubuntu OS
Introduction
• Computer security: focuses on creating a secure environment for the use of computers; its emphasis is on the "behavior of users."
• Network security: focuses on the security of data as it is transmitted between networked systems.
• Information security: involves creating a state in which information and data are secure. In this model, information or data is either in motion through the communication channels or at rest in storage, such as databases on servers.
Introduction…
• Why is Computer and Network Security Important?
• To protect company assets
• To gain a competitive advantage
• To comply with regulatory requirements and fiduciary
responsibilities
• To keep your job.
Introduction…
• Primary Goals of Network Security:
Figure: the primary goals, confidentiality, integrity and availability, arranged around data and services.
• Confidentiality: the concealment of information or resources.
• Integrity: the trustworthiness of data or resources (i.e. data has not been modified in transit).
• Availability: the ability to use the information or resource desired.
Introduction…
• The Security Trinity:
• Is the foundation for all security policies and measures that an
organization develops and deploys.
Figure 1: The security trinity (prevention, detection, response).
Introduction…
• The Security Trinity:
• Prevention:
• To provide some level of security, it is necessary to implement measures to
prevent the exploitation of vulnerabilities.
• In developing network security schemes, organizations should emphasize
preventative measures over detection and response: It is easier, more
efficient, and much more cost-effective to prevent a security breach than to
detect or respond to one.
Introduction…
• The Security Trinity…
• Detection:
• Once preventative measures are implemented, procedures need to be put in
place to detect potential problems or security breaches, in the event
preventative measures fail.
• Response:
• Organizations need to develop a plan that identifies the appropriate
response to a security breach.
• The plan should be in writing and should identify who is responsible for
what actions and the varying responses and levels of escalation.
Introduction…
• Information Security:
• It is also about procedures and policies that protect information
from accidents, incompetence, and natural disasters. Such policies
and procedures need to address:
• Backups, configuration controls, and media controls;
• Disaster recovery and contingency planning;
• Data integrity.
Information security = confidentiality + integrity + availability + authentication + accountability
Introduction…
• Risk Assessment:
• Risk is the probability that a vulnerability will be exploited.
• The basic steps for risk assessment are:
1. Identifying and prioritizing assets;
2. Identifying vulnerabilities;
3. Identifying threats and their probabilities;
4. Identifying countermeasures;
5. Developing a cost benefit analysis;
6. Developing security policies and procedures.
Introduction…
• Risk Assessment…
• To identify and prioritize information assets and to develop a cost
benefit analysis, it is helpful to ask a few simple questions such as:
• What do you want to safeguard?
• Why do you want to safeguard it?
• What is its value?
• What are the threats?
• What are the risks?
• What are the consequences of its loss?
• What are the various scenarios?
• What will the loss of the information or system cost?
Introduction…
• Security Models:
• There are three basic approaches used to develop a network
security model.
a) Security by obscurity,
b) The perimeter defense model, and
c) The defense in depth model
Introduction…
• Security Models…
a) Security by obscurity
• Hiding a network, or at least not advertising its existence.
b) The perimeter defense model
• Hiding the network behind a firewall that separates the protected network from an untrusted network.
c) The defense in depth model
• The idea is to provide layers of defenses so that when one defense fails, another continues to protect you in its place.
Figure: defense in depth as layered stages: Prevent, Detect, Recover.
Introduction…
• Basic Security Terminologies:
• Threat: anything that can disrupt the operation, functioning, integrity, or availability of a network or system.
• Vulnerability: is an inherent weakness in the design,
configuration, or implementation of a network or system that
renders it susceptible to a threat.
• Countermeasures: are the techniques or methods used to defend
against attacks and to close or compensate for vulnerabilities in
networks or systems.
• Identification: is simply the process of identifying one's self to
another entity or determining the identity of the individual or
entity with whom you are communicating.
Introduction…
• Basic Security Terminologies…
• Authentication: serves as proof that you are who you say you are
or what you claim to be.
• Something you know
• Something you have
• Something you are
• Access Control (Authorization): refers to the ability to control
the level of access that individuals or entities have to a network or
system and how much information they can receive.
• Accountability: refers to the ability to track or audit what an
individual or entity is doing on a network or system.
Introduction…
• Basic Security Terminologies…
• Nonrepudiation: the ability to prevent individuals or entities
from denying (repudiating) that information, data, or files were
sent or received or that information or files were accessed or
altered, when in fact they were.
Threats, Vulnerabilities, and Attacks
• Know Yourself - The Threat and Vulnerability Landscape:
• The aim should be to protect what you value most and apply enough
security so you can do the things that you want to do, safely online.
• Consider your accounts, files, email, websites you visit, etc. now, and
ask yourself, "What is most confidential to me?" What can't you afford
to lose? What is irreplaceable? What could cause you the most damage?
What might impact your reputation?
• Note: the purpose of this is to spend most of your effort on the things
that you value and the things that you care about, and spend much less
effort wasting time on the things that you really don’t care about or can
be replaced quite easily.
Threats, Vulnerabilities, and Attacks…
• Privacy, Anonymity and Pseudo-anonymity:
• Privacy: is nobody seeing what you do, but potentially knowing who
you are (i.e. it is about maintaining confidentiality and keeping secrets).
Example: sending of an encrypted email to a friend.
• Anonymity: is nobody knowing who you are, but potentially seeing what you do (i.e. keeping your actions and activities separate from your true identity). Example: posting under an identity separate from your true identity; the message is received, but it is not private.
• Pseudo-anonymity: is when you wish to retain a reputation against an
identity. Example: having an alias for social media or for a forum
online.
Threats, Vulnerabilities, and Attacks…
• Security, Vulnerabilities, Threats and Adversaries:
Threats, Vulnerabilities, and Attacks…
• Security, Vulnerabilities, Threats and Adversaries…
• Assets: are the things that we care about, the things that we want
to be private like our files, our accounts, our financials, our email,
and things that may relate to anonymity and our identity, and not
wanting association with our identity, maybe our browser history,
what we download, what we post and so on.
• Note: the assets are individual to you, your personal needs
• To protect the assets, we apply security through various security
controls namely VPNs, encryption, Opsec, patching, HTTP filters,
OpenPGP, lock screens, and the others that you can see here.
Threats, Vulnerabilities, and Attacks…
• Security, Vulnerabilities, Threats and Adversaries…
• Security: is the degree to which our assets are resistant to threats from our adversaries. We select security controls based on the type of threats and adversaries that we face.
• Threat: is anything that can disrupt the operation, functioning, integrity, or availability of a network or system, and it is enabled by our adversaries, which might be hackers, cyber criminals, nation-states, oppressive regimes, and maybe something like your ex-partner, if you're unlucky (i.e. a threat will try to exploit vulnerabilities in your security to impact your assets). For example, malware infecting your computer through the vulnerability of being unpatched.
Threats, Vulnerabilities, and Attacks…
• Security, Vulnerabilities, Threats and Adversaries…
• Vulnerability: is an inherent weakness in the design, configuration, implementation, or management of a network or system that renders it susceptible to a threat (i.e. what makes a network susceptible to information loss and downtime). Most vulnerabilities can usually be traced back to one of three sources:
• Poor design
• Poor implementation
• Poor management
Threats, Vulnerabilities, and Attacks…
• Security, Vulnerabilities, Threats and Adversaries…
• Vulnerabilities…
• While there are only three sources of vulnerabilities, they can manifest
themselves in many ways.
• Physical Vulnerabilities: Are your systems, communications equipment, and
media located in a secure facility? Central hosts and servers should be kept in
secure rooms that can only be entered by authorized personnel.
• Hardware and Software: Design flaws in hardware or software can render
systems vulnerable to attack or affect the availability of systems.
• Media Vulnerabilities: Disks, tapes, and other media can be stolen, lost, or
damaged.
• Transmission and Emanation Vulnerabilities-Interception of Information:
Signal emissions from electrical equipment can be remotely intercepted and
monitored using sophisticated devices in a process sometimes referred to as van
Eck monitoring.
Threats, Vulnerabilities, and Attacks…
• Security, Vulnerabilities, Threats and Adversaries…
• Vulnerabilities…
• While there are only three sources of vulnerabilities, they can manifest
themselves in many ways…
• Human Vulnerabilities: Human stupidity, carelessness, laziness, greed, and
anger represent the greatest threats to networks and systems and will do more
damage than the rest of the others combined. Moreover, human vulnerabilities
and the risks associated with them are the most difficult to defend against.
• Note: The likelihood of threats exploiting vulnerabilities in your security controls, together with the consequences of that, is known as risk.
RISK = Vulnerability × Threats × Consequences
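As an added worked example (not from the lecture or its sources), the six risk-assessment steps and the question list earlier in this section can be carried through for a small register of assets using the formula above. The 0..1 rating scales, the sample assets and control costs, and the conversion of a risk score into an expected loss by multiplying it by the asset's value are all constructed assumptions for this illustration; the slide's formula itself is used as stated.

```python
from dataclasses import dataclass, replace


@dataclass
class Asset:
    """One entry of a risk register. Scales are constructed for this example:
    vulnerability, threat and consequence are each rated on 0..1."""
    name: str
    value: float          # answer to "What is its value?" / "What will its loss cost?"
    vulnerability: float  # how exposed the asset is (0 = no weakness, 1 = trivially exploitable)
    threat: float         # probability that an adversary acts against it in the period considered
    consequence: float    # fraction of the asset's value lost if the threat succeeds


@dataclass
class Countermeasure:
    """A control under consideration (step 4) with its cost for the same period (step 5)."""
    name: str
    asset: str
    cost: float
    vulnerability_after: float  # residual vulnerability once the control is deployed


def risk_score(asset):
    """RISK = Vulnerability x Threats x Consequences, exactly as the slide states it."""
    return asset.vulnerability * asset.threat * asset.consequence


def expected_loss(asset):
    """Assumption (not on the slide): scale the risk score by the asset's value so that
    assets of very different worth can be compared in the same currency."""
    return risk_score(asset) * asset.value


def prioritize(assets):
    """Step 1: rank assets by expected loss, highest first."""
    return sorted(assets, key=expected_loss, reverse=True)


def net_benefit(asset, control):
    """Step 5: expected loss avoided by the control minus what the control costs.
    Positive means the control pays for itself; negative means the asset is
    cheaper to lose than to protect this way."""
    hardened = replace(asset, vulnerability=control.vulnerability_after)
    avoided = expected_loss(asset) - expected_loss(hardened)
    return avoided - control.cost


# Constructed sample register for a small university lab (figures are illustrative only).
ASSETS = [
    Asset("student records database", value=500_000, vulnerability=0.6, threat=0.5, consequence=0.8),
    Asset("public course website", value=50_000, vulnerability=0.9, threat=0.9, consequence=0.5),
    Asset("lab printer", value=2_000, vulnerability=0.9, threat=0.2, consequence=0.3),
]

CONTROLS = [
    Countermeasure("patching programme", asset="student records database", cost=30_000, vulnerability_after=0.2),
    Countermeasure("hardware firewall for printer", asset="lab printer", cost=5_000, vulnerability_after=0.1),
]


def worth_deploying(assets=ASSETS, controls=CONTROLS):
    """Names of the controls whose net benefit is positive."""
    by_name = {a.name: a for a in assets}
    return [c.name for c in controls if net_benefit(by_name[c.asset], c) > 0]


if __name__ == "__main__":
    by_name = {a.name: a for a in ASSETS}
    for a in prioritize(ASSETS):
        print(f"{a.name:28s} risk={risk_score(a):.3f} expected loss={expected_loss(a):>10,.0f}")
    for c in CONTROLS:
        print(f"{c.name:28s} net benefit={net_benefit(by_name[c.asset], c):>10,.0f}")
```

The website has the highest raw risk score (0.405 against 0.24 for the database), yet the database tops the priority list once value is taken into account; and the printer control has a negative net benefit even though it removes most of the printer's vulnerability, which is the cost-benefit analysis of step 5 deciding against a countermeasure.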
Threats, Vulnerabilities, and Attacks…
• Know Yourself - The Threat and Vulnerability Landscape…
• Threat landscape (also known as a threat model): the threats and adversaries that you face.
• Attack: is a specific technique used to exploit a
vulnerability. For example, a threat could be a denial of
service.
• Two types of attacks:
• Passive attacks: does not involve any modification to the contents of an
original message
• Active attacks: the contents of the original message are modified in some
ways.
Threats, Vulnerabilities, and Attacks…
• The three goals of security, confidentiality, integrity and availability, can be threatened by security attacks. The figure below relates the taxonomy of attack types to the security goals.
Threats, Vulnerabilities, and Attacks…
• Snooping, the unauthorized interception of information, is a
form of disclosure.
• Traffic analysis refers to other types of information collected by an intruder by monitoring online traffic.
• Modification or alteration, an unauthorized change of
information, covers three classes of threats. The goal may
be deception, in which some entity relies on the modified
data to determine which action to take, or in which incorrect
information is accepted as correct and is released.
Threats, Vulnerabilities, and Attacks…
• Masquerading or spoofing, an impersonation of one entity by
another, is a form of both deception and usurpation. It lures a
victim into believing that the entity with which it is
communicating is a different entity.
• Repudiation of origin, a false denial that an entity sent (or
created) something, is a form of deception.
• Denial of receipt, a false denial that an entity received some
information or message, is a form of deception.
• Denial of service, a long-term inhibition of service, is a form of
usurpation, although it is often used with other mechanisms to
deceive.
Threats, Vulnerabilities, and Attacks…
• Know Your Enemy - the Current Threat and Vulnerability
Landscape:
• Why You Need Security – The Value Of A Hack:
• Why would someone target me?
• What’s the point of a hacker taking over my PC or my account?
• Note: Generally the motive for wanting to access your account, steal your
identity, take control of your PC is money.
• Some of the various ways in which your PC could be useful to a cyber criminal are:
• Web hosting: for example, they can use your PC as a web server. They'll steal your content, perform illegal and hacking activities, and perform email attacks.
Threats, Vulnerabilities, and Attacks…
• Know Your Enemy - the Current Threat and Vulnerability
Landscape…
• Some of the various ways in which your PC could be useful to a cyber criminal are…
• Reputation hijacking: compromised accounts can be sold again.
• Bot activities: taking down websites, blackmailing sites, and stealing account credentials.
Threats, Vulnerabilities, and Attacks…
• Security Bugs and Vulnerabilities - The Vulnerability
Landscape:
• Cyber security is an arms race between offensive and defensive
capabilities.
• A security bug and a vulnerability are actually the same thing.
• Note: a security bug is an error introduced by human mistake. Security bugs can exist in your operating system, firmware, and applications, things like Outlook, your media player, or Adobe Acrobat. Of particular risk, they can exist in your browser and in the extensions and add-ons within the browser.
Threats, Vulnerabilities, and Attacks…
• Security Bugs and Vulnerabilities - The Vulnerability
Landscape…
• There are two main types of bugs:
• Known bugs: have patches, and if you patch your system, you are safe
against that bug.
• Unknown bugs: can be referred to as zero-days. These are much harder to
protect against as there is no patch.
• Hackers, crackers and cyber criminals:
• Hacker originally was a positive term used to describe someone
who kept hacking a problem until it was done. But today, the
common understanding is really someone who’s out to cause
mischief on the internet or on your computer.
Threats, Vulnerabilities, and Attacks…
• Hackers, crackers and cyber criminals…
• White hat hackers are hacking for good. An example being the work I've done where you are paid to attempt to compromise a target, such as a company; in the security industry this is called ethical hacking or penetration testing.
• Cyber criminals are black hat hackers.
Threats, Vulnerabilities, and Attacks…
• Malware, viruses, rootkits and RATs:
Threats, Vulnerabilities, and Attacks…
• Malware, viruses, rootkits and RATs…
• Malware is the all encompassing term that refers to all of the
programs that are written with malicious intent.
• Macro viruses: a virus written in a macro language, such as VBS, that is usually platform independent, since many applications allow macro programs to be embedded in documents.
• Stealth viruses: a virus that hides the modifications it has made; it tries to trick antivirus software by intercepting its requests to the operating system and providing false and bogus information.
Threats, Vulnerabilities, and Attacks…
• Malware, viruses, rootkits and RATs…
• Malware is the all encompassing term that refers to all of the
programs that are written with malicious intent.
• Polymorphic viruses produce varied operational copies of themselves. A polymorphic virus may have no parts that remain identical between infections, making it very difficult to detect directly using signatures and antivirus software.
• Self-garbling viruses attempt to hide from antivirus software by modifying their code so it does not match pre-defined antivirus signatures.
• Bots or zombies: a collection of hacked devices under the command and control of a hacker. So if your machine does get compromised, it could be part of a bot network or be a zombie.
Threats, Vulnerabilities, and Attacks…
• Malware, viruses, rootkits and RATs…
• Malware is the all encompassing term that refers to all of the
programs that are written with malicious intent.
• Worms: viruses that simply spread from one machine to another.
• Rootkits are the worst software-based malware that you can get. They are usually embedded into the kernel of the operating system so they can hide their existence completely from the operating system.
• Firmware rootkits are the worst of all. For example, within your hard drive's firmware chip, you could have some sort of malware. Even formatting your drive and reinstalling the operating system won't shift it. This is NSA, GCHQ level malware.
Threats, Vulnerabilities, and Attacks…
• Malware, viruses, rootkits and RATs…
• Malware is the all encompassing term that refers to all of the
programs that are written with malicious intent.
• Key loggers do as they sound; they log your keystrokes.
• Remote Access Tools, or RATs are malicious programs that run on your
system and allow intruders to access your system remotely.
Threats, Vulnerabilities, and Attacks…
• Spyware, Adware, Scareware, PUPs & Browser hijacking:
• Spyware is intelligence-gathering malware. As the name suggests, its main purpose is to gather information and send it back to the attacker, that is, to spy.
• Adware is undesirable software that forces advertisements on you. Example: Cool Web Search.
• Scareware is a type of social engineering attack that tricks a person into believing in a threat that isn't real. A common example is fake security software claiming that you have malware infections or something like that.
Threats, Vulnerabilities, and Attacks…
• Spyware, Adware, Scareware, PUPs & Browser hijacking…
• When adware or malware takes over your browser in this way, it's known as browser hijacking.
• Software that you might not have wanted is called a Potentially Unwanted Program, or PUP.
Threats, Vulnerabilities, and Attacks…
• Phishing, Vishing and SMShing:
• Phishing is a type of attack that typically attempts to trick the
victim into clicking on a link or executing malware in some way.
It can be an attempt to compromise a device to steal sensitive
information, passwords, usernames, pins, credit card numbers, as
well as try to gain access to online accounts.
Threats, Vulnerabilities, and Attacks…
• Phishing, Vishing and SMShing…
• Techniques used to perform phishing attacks in order to try and
convince people to click on them:
• Link Manipulation:
Figure: link manipulation using subdomains, misspelled domains and subdirectories. In the figure, red marks the real domain and blue the domain the link is trying to convince you it is actually from.
Threats, Vulnerabilities, and Attacks…
• Phishing, Vishing and SMShing…
• Techniques used to perform phishing attacks in order to try and
convince people to click on them…
• Link Manipulation…
Figure: Internationalized Domain Name (IDN) homograph attack. Zoomed in, the look-alike domain has an r and an n where the real one has an m.
Threats, Vulnerabilities, and Attacks…
• Phishing, Vishing and SMShing…
• Techniques used to perform phishing attacks in order to try and
convince people to click on them…
• Link Manipulation…
Hidden URLs
<!-- Both links go to stationx.net: "google.com" is only a subdomain label, so the visible text is no guide to the destination. -->
<h4>Hidden URLs</h4>
<a href="http://google.com.stationx.net">Click Here</a> <br>
<a href="http://google.com.stationx.net">http://google.com.stationx.net</a>
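The following is an added example, not code from the lecture or its source course, that applies the link-manipulation checks described over the last three slides (subdomains, misspelled and look-alike domains, subdirectories, IDN homographs, and hidden URLs whose visible text differs from the href) to an HTML snippet modelled on the one above. The trusted-domain list, the confusable-character table, the two-label rule for finding the real domain and the sample HTML are all constructed assumptions; a production checker would consult the Public Suffix List and a full Unicode confusables table.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: domains the reader would trust. Anything else that *looks*
# like one of these is a candidate for link manipulation.
TRUSTED_DOMAINS = {"google.com", "microsoft.com"}

# Constructed table of ASCII look-alikes (the slide's "rn instead of m"); not exhaustive.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def registrable_domain(host):
    """Last two labels of a hostname: 'google.com.stationx.net' -> 'stationx.net'.
    Assumption: a two-label suffix; a production tool would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_url(url, trusted=TRUSTED_DOMAINS):
    """Return human-readable findings for the link-manipulation tricks on the slides."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    real = registrable_domain(host)
    findings = []
    for t in trusted:
        # Subdomain trick: the trusted name is only a prefix; the real domain is something else.
        if host != t and not host.endswith("." + t) and t in host:
            findings.append(f"subdomain trick: real domain is {real}, not {t}")
        # Subdirectory trick: the trusted name appears in the path of another domain.
        if real != t and t in parts.path:
            findings.append(f"subdirectory trick: {t} is only a path on {real}")
        # Misspelled / look-alike domain: fold confusable sequences, then compare.
        folded = real
        for fake, genuine in CONFUSABLES:
            folded = folded.replace(fake, genuine)
        if real != t and folded == t:
            findings.append(f"look-alike domain: {real} resembles {t}")
    # IDN homograph: a punycode label means the displayed name differs from the wire name.
    if any(label.startswith("xn--") for label in host.split(".")):
        try:
            shown = host.encode("ascii").decode("idna")
        except UnicodeError:
            shown = "<undecodable>"
        findings.append(f"IDN host: browser may display {shown!r} for {host}")
    return findings


class LinkAuditor(HTMLParser):
    """Collects every <a href> together with its visible text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def audit_links(html):
    """For each anchor, combine the URL findings with a hidden-URL check: when the
    visible text is itself a URL, it must point at the same real domain as the href."""
    auditor = LinkAuditor()
    auditor.feed(html)
    report = []
    for text, href in auditor.links:
        findings = analyze_url(href)
        if "://" in text:
            shown = registrable_domain((urlparse(text).hostname or "").lower())
            actual = registrable_domain((urlparse(href).hostname or "").lower())
            if shown != actual:
                findings.append(f"hidden URL: text shows {shown} but link goes to {actual}")
        report.append((text, href, findings))
    return report


# Constructed sample page mirroring the slide's "Hidden URLs" snippet, plus one more anchor.
SAMPLE_HTML = """
<h4>Hidden URLs</h4>
<a href="http://google.com.stationx.net">Click Here</a> <br>
<a href="http://google.com.stationx.net">http://google.com.stationx.net</a>
<a href="http://stationx.net/google.com/login">http://google.com/login</a>
"""

if __name__ == "__main__":
    for text, href, findings in audit_links(SAMPLE_HTML):
        print(f"{text!r} -> {href}")
        for finding in findings:
            print("   ", finding)
```

Running the block prints each anchor with its findings: both stationx.net anchors are flagged as a subdomain trick whatever their visible text, and the third anchor is flagged twice, once for the subdirectory and once because the text shows google.com while the href goes to stationx.net.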
Threats, Vulnerabilities, and Attacks…
• Spamming & Doxing:
• Spam is unsolicited messages, most often coming by email, but also through instant messages, forums, social media, even text messages now, blogs, wikis, and pretty much anywhere else that they can think of in order to spam you. Mostly it's to advertise some sort of product.
• Dox is an abbreviation of document. Doxing is doing research on an individual, or on an organization or company, to find personal and private information, often in order to cause embarrassment, discredit, extort, coerce, harass, and, you know, just generally cause problems for the victim by publicly releasing the information or threatening to publicly release it.
Security services, Policy,
Mechanism, and Standards
• Standards have been defined for security services to achieve security goals and prevent security attacks. The figure shows the taxonomy of the five common services.
Security services, Policy,
Mechanism, and Standards…
• Security policy is a statement of what is, and what is not,
allowed.
• Security mechanism is a method, tool, or procedure for
enforcing a security policy.
• For example, suppose a university's computer engineering
laboratory has a policy that prohibits any student from copying
another student's homework files. The computer system provides
mechanisms for preventing others from reading a user's files.
Anna fails to use these mechanisms to protect her homework files,
and Bill copies them. A breach of security has occurred, because
Bill has violated the security policy. Anna's failure to protect her
files does not authorize Bill to copy them.
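The Anna and Bill scenario can be made concrete with a small simulation, added here as an example rather than code from the lecture or its source. It assumes a Unix-style permission-bit mechanism with every user in one shared group, a policy that forbids students from reading each other's files under a constructed /home/ directory, and a constructed access log. The point it shows is that an audit has to check two different things: whether the mechanism was used (Anna's file is readable by others) and whether the policy was broken (Bill read it), because the second is a breach regardless of the first.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class File:
    """Simulated file with an owner and Unix-style mode bits (constructed, not a real filesystem)."""
    path: str
    owner: str
    mode: int  # e.g. 0o644


STUDENTS = {"anna", "bill", "carol"}  # constructed user set
HOMEWORK_DIR = "/home/"               # assumption: homework lives under each student's home


def mechanism_allows_read(f, user):
    """What the system's mechanism decides: owner read bit for the owner; otherwise the
    group or world read bit (assumption: every user is in the file's group)."""
    if user == f.owner:
        return bool(f.mode & 0o400)
    return bool(f.mode & 0o040) or bool(f.mode & 0o004)


def policy_allows_read(f, user):
    """What the policy says: no student may read another student's homework files."""
    if user in STUDENTS and f.owner in STUDENTS and user != f.owner and f.path.startswith(HOMEWORK_DIR):
        return False
    return True


def unenforced_policy(files, users=STUDENTS):
    """(file, user) pairs where the mechanism would permit what the policy forbids.
    These are Anna's unprotected files: the mechanism exists but was not used."""
    gaps = []
    for f in files:
        for u in sorted(users):
            if mechanism_allows_read(f, u) and not policy_allows_read(f, u):
                gaps.append((f.path, u))
    return gaps


def policy_breaches(files, access_log):
    """Log entries that violate policy, whether or not the mechanism permitted them.
    Bill copying Anna's file is a breach even though the system let him."""
    by_path = {f.path: f for f in files}
    return [(user, path) for user, action, path in access_log
            if action == "read" and path in by_path and not policy_allows_read(by_path[path], user)]


# Constructed sample data
FILES = [
    File("/home/anna/hw1.c", "anna", 0o644),              # Anna left her homework readable by others
    File("/home/bill/hw1.c", "bill", 0o600),              # Bill used the mechanism correctly
    File("/var/lib/course/syllabus.txt", "prof", 0o644),  # not homework; readable by design
]
ACCESS_LOG = [  # (user, action, path); constructed
    ("bill", "read", "/home/anna/hw1.c"),
    ("anna", "read", "/home/anna/hw1.c"),
    ("carol", "read", "/var/lib/course/syllabus.txt"),
]

if __name__ == "__main__":
    print("mechanism not used:", unenforced_policy(FILES))
    print("policy breached:   ", policy_breaches(FILES, ACCESS_LOG))
```

The first report tells Anna (or the administrator) which files need their mode bits fixed; the second is the incident record, and it would stay non-empty even if Anna had never been able to set permissions at all.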
Security services, Policy,
Mechanism, and Standards…
• The security life cycle:
Security services, Policy,
Mechanism, and Standards…
• The security life cycle…
• EXAMPLE: A major corporation decided to improve its security. It
hired consultants, determined the threats, and created a policy. From the
policy, the consultants derived several specifications that the security
mechanisms had to meet. They then developed a design that would meet
the specifications.
• During the implementation phase, the company discovered that
employees could connect modems to the telephones without being
detected. The design required all incoming connections to go through a
firewall. The design had to be modified to divide systems into two
classes: systems connected to "the outside," which were put outside the
firewall; and all other systems, which were put behind the firewall. The
design needed other modifications as well.
Security services, Policy,
Mechanism, and Standards…
• The security life cycle…
• When the system was deployed, the operation and maintenance
phase revealed several unexpected threats. The most serious was
that systems were repeatedly misconfigured to allow sensitive data
to be sent across the Internet in the clear. The implementation
made the use of cryptographic software very difficult. Once this
problem had been remedied, the company discovered that several
"trusted" hosts (those allowed to log in without authentication)
were physically outside the control of the company. This violated
policy, but for commercial reasons the company needed to
continue to use these hosts. The policy element that designated
these systems as "trusted" was modified.
Security services, Policy,
Mechanism, and Standards…
• The security life cycle…
• Finally, the company detected proprietary material being sent to a
competitor over electronic mail. This added a threat that the
company had earlier discounted. The company did not realize that
it needed to worry about insider attacks.
Security services, Policy,
Mechanism, and Standards…
• Organizations and their standards:
Security services, Policy,
Mechanism, and Standards…
• Organizations and their standards…
Security services, Policy,
Mechanism, and Standards…
• Organizations and their standards…
• International organizations such as the Internet Engineering Task
Force (IETF), the Institute of Electronic and Electric Engineers
(IEEE), the International Standards Organization (ISO), and the
International Telecommunications Union (ITU)
• Multinational organizations like the European Committee for
Standardization (CEN), the Commission of European Union
(CEU), and the European Telecommunications Standards Institute
(ETSI)
Security services, Policy,
Mechanism, and Standards…
• Organizations and their standards…
• National governmental organizations like the National Institute of
Standards and Technology (NIST), the American National
Standards Institute (ANSI), and the Canadian Standards Council
(CSC)
• Sector-specific organizations such as the European Committee for
Banking Standards (ECBS), the European Computer
Manufacturers Association (ECMA), and the Institute of
Electronic and Electric Engineers (IEEE)
Security services, Policy,
Mechanism, and Standards…
• Organizations and their standards…
• Industry standards such as the RSA, the Open Group
(OSF+X/Open), the Object Management Group (OMG), the
World Wide Web Consortium (W3C)), and the Organization for
the Advancement of Structured Information Standards (OASIS)
Security services, Policy,
Mechanism, and Standards…
• Security Standards Based on Type of Service/Industry:
• System and security managers and users may choose a security
standard to use based on the type of industry they are in and what
type of services that industry provides.
• Security standards based on services:
Security services, Policy,
Mechanism, and Standards…
• Security standards based on services:
Security services, Policy,
Mechanism, and Standards…
• Security standards based on services…
Security services, Policy,
Mechanism, and Standards…
• Best security practices for a small organization:
• Interest-based security standards:
System development
• Determine threats
• Develop a policy
• Give specification of the system
• Desired functionality of the system
• If specification is ambiguous, vulnerabilities can result
• An imprecise specification is useless…
• Design the system
• Design system satisfying the specification
• Difficult (but not impossible) to verify
System development…
• Implementation
• Create a system satisfying the design
• Impossible to fully verify correctness
• Software complexity
• Unknown inputs
• Unverified tools
• “Testing” after the fact
• Subject to limitations of the tests
System development…
• System development (summary)
1. Threat analysis
2. Policy
3. Specification
4. Design
5. Implementation
6. (Operation/maintenance/monitoring?)
Ns lecture5: Introduction to Computer, Information, and Network Security.
Operating System Security & Privacy
• Windows 7, 8, 8.1, and 10 OS
• MAC-OS
• Linux/Ubuntu OS
(Next Lecture Slide…)

Ns lecture5: Introduction to Computer, Information, and Network Security.

  • 1. ECEG-4192 Computer Networks and Security Mr. Haftom Aregawi(@Letsgo) Introduction to Computer and Network Security
  • 2. Outline • Introduction • Why is Computer and Network Security Important? • Primary Goals of Network Security • The Security Trinity • Information Security • Risk Assessment • Security Models • Basic Security Terminologies • Threats, Vulnerabilities, and Attacks Haftom Aregawi 2
  • 3. Outline • Threats, Vulnerabilities, and Attacks… • Know Yourself - The Threat and Vulnerability Landscape • Privacy, Anonymity and Pseudo-anonymity • Security, Vulnerabilities, Threats and Adversaries • Know Your Enemy - the Current Threat and Vulnerability Landscape • Security Bugs and Vulnerabilities - The Vulnerability Landscape • Malware, viruses, rootkits and RATs • Spyware, Adware, Scareware, PUPs & Browser hijacking • Phishing, Vishing and SMShing • Spamming & Doxing 3
  • 4. Outline • Security services, Policy, Mechanism, and Standards • Security services • Security Policy • Security Mechanism • Security Standards • System development • Operating System Security & Privacy (Next Lecture) • Windows 7, 8, 8.1, and 10 OS • MAC-OS • Linux/Ubuntu OS 4
  • 5. Introduction • Computer security: focusing on creating a secure environment for the use of computers. It is a focus on the “behavior of users,” • Network security: focuses on security of data as it is transmitted between networked systems. • Information Security: It involves the creation of a state in which information and data are secure. In this model, information or data is either in motion through the communication channels or in storage in databases on server. Haftom Aregawi 5
  • 6. Introduction… • Why is Computer and Network Security Important? • To protect company assets • To gain a competitive advantage • To comply with regulatory requirements and fiduciary responsibilities • To keep your job: Haftom Aregawi 6
  • 7. Introduction… • Primary Goals of Network Security: Haftom Aregawi 7 Data and Service • Confidentiality: is the concealment of information or resources. • Integrity: is Trustworthiness of data or resources(i.e. data has not been modified in the transit ) • Availability: refers to the ability to use the information or resource desired
  • 8. Introduction… • The Security Trinity: • Is the foundation for all security policies and measures that an organization develops and deploys. Haftom Aregawi 8 Security Prevention Figure 1: The security trinity.
  • 9. Introduction… • The Security Trinity: • Prevention: • To provide some level of security, it is necessary to implement measures to prevent the exploitation of vulnerabilities. • In developing network security schemes, organizations should emphasize preventative measures over detection and response: It is easier, more efficient, and much more cost-effective to prevent a security breach than to detect or respond to one. Haftom Aregawi 9
  • 10. Introduction… • The Security Trinity… • Detection: • Once preventative measures are implemented, procedures need to be put in place to detect potential problems or security breaches, in the event preventative measures fail. • Response: • Organizations need to develop a plan that identifies the appropriate response to a security breach. • The plan should be in writing and should identify who is responsible for what actions and the varying responses and levels of escalation. Haftom Aregawi 10
  • 11. Introduction… • Information Security: • It is also about procedures and policies that protect information from accidents, incompetence, and natural disasters. Such policies and procedures need to address: • Backups, configuration controls, and media controls; • Disaster recovery and contingency planning; • Data integrity. Haftom Aregawi 11 Information security = confidentiality + integrity + availability + authentication + accountability
  • 12. Introduction… • Risk Assessment: • Risk is the probability that a vulnerability will be exploited. • The basic steps for risk assessment are: 1. Identifying and prioritizing assets; 2. Identifying vulnerabilities; 3. Identifying threats and their probabilities; 4. Identifying countermeasures; 5. Developing a cost benefit analysis; 6. Developing security policies and procedures. Haftom Aregawi 12
  • 13. Introduction… • Risk Assessment… • To identify and prioritize information assets and to develop a cost benefit analysis, it is helpful to ask a few simple questions such as: • What do you want to safeguard? • Why do you want to safeguard it? • What is its value? • What are the threats? • What are the risks? • What are the consequences of its loss? • What are the various scenarios? • What will the loss of the information or system cost? 13Haftom Aregawi
  • 14. Introduction… • Security Models: • There are three basic approaches used to develop a network security model. a) Security by obscurity, b) The perimeter defense model, and c) The defense in depth model Haftom Aregawi 14
  • 15. Introduction… • Security Models… a) Security by obscurity, • Hiding a network or at least not advertising its existence b) The perimeter defense model, and • Hide the network behind a firewall that separates the protected network from an untrusted network. c) The defense in depth model • The idea is to provide layers of defenses so when one defense fails, another continues to protect you in its place. Haftom Aregawi 15 Prevent Detect Recover
  • 16. Introduction… • Basic Security Terminologies: • Threats: is anything that can disrupt the operation, functioning, integrity, or availability of a network or system. • Vulnerability: is an inherent weakness in the design, configuration, or implementation of a network or system that renders it susceptible to a threat. • Countermeasures: are the techniques or methods used to defend against attacks and to close or compensate for vulnerabilities in networks or systems. • Identification: is simply the process of identifying one's self to another entity or determining the identity of the individual or entity with whom you are communicating. Haftom Aregawi 16
  • 17. Introduction… • Basic Security Terminologies… • Authentication: serves as proof that you are who you say you are or what you claim to be. • Something you know • Something you have • Something you are • Access Control (Authorization): refers to the ability to control the level of access that individuals or entities have to a network or system and how much information they can receive. • Accountability: refers to the ability to track or audit what an individual or entity is doing on a network or system. Haftom Aregawi 17
  • 18. Introduction… • Basic Security Terminologies… • Nonrepudiation: the ability to prevent individuals or entities from denying (repudiating) that information, data, or files were sent or received or that information or files were accessed or altered, when in fact they were. Haftom Aregawi 18
  • 19. Threats, Vulnerabilities, and Attacks • Know Yourself - The Threat and Vulnerability Landscape: • The aim should be to protect what you value most and apply enough security so you can do the things that you want to do, safely online. • Consider your accounts, files, email, websites you visit, etc. now, and ask yourself, "What is most confidential to me?" What can't you afford to lose? What is irreplaceable? What could cause you the most damage? What might impact your reputation? • Note: the purpose of this is to spend most of your effort on the things that you value and the things that you care about, and spend much less effort wasting time on the things that you really don’t care about or can be replaced quite easily. Haftom Aregawi 19
  • 20. Threats, Vulnerabilities, and Attacks… • Privacy, Anonymity and Pseudo-anonymity: • Privacy: is nobody seeing what you do, but potentially knowing who you are (i.e. it is about maintaining confidentiality and keeping secrets). Example: sending of an encrypted email to a friend. • Anonymity: is nobody knowing who you are, but potentially seeing what you do (i.e. it is keeping your actions and activities separate from your true identity). Example: Your identity separate from your true identity but your message is received and not private. • Pseudo-anonymity: is when you wish to retain a reputation against an identity. Example: having an alias for social media or for a forum online. Haftom Aregawi 20
  • 21. Threats, Vulnerabilities, and Attacks… • Security, Vulnerabilities, Threats and Adversaries: Haftom Aregawi 21
  • 22. Threats, Vulnerabilities, and Attacks… • Security, Vulnerabilities, Threats and Adversaries… • Assets: are the things that we care about, the things that we want to be private like our files, our accounts, our financials, our email, and things that may relate to anonymity and our identity, and not wanting association with our identity, maybe our browser history, what we download, what we post and so on. • Note: the assets are individual to you, your personal needs • To protect the assets, we apply security through various security controls namely VPNs, encryption, Opsec, patching, HTTP filters, OpenPGP, lock screens, and the others that you can see here. Haftom Aregawi 22
  • 23. Threats, Vulnerabilities, and Attacks… • Security, Vulnerabilities, Threats and Adversaries… • Security: is the degree to which our assets are resistant to threats from our adversaries. And we select security controls based on the type of threats and adversaries that we face. • Threat: is anything that can disrupt the operation, functioning, integrity, or availability of a network or system which enabled by our adversaries, which might be hackers, cyber criminals, nation- states, oppressive regimes, and maybe something like your expartner, if you're unlucky (i.e. A threat will try to exploit vulnerabilities in your security to impact your assets). For example, malware infecting your computer through the vulnerability of being unpatched. 23
  • 24. Threats, Vulnerabilities, and Attacks… • Security, Vulnerabilities, Threats and Adversaries… • Vulnerabilities: is an inherent weakness in the design, configuration, implementation, or management of a network or system that renders it susceptible to a threat (i.e. what make a networks susceptible to information loss and downtime). Most vulnerabilities can usually be traced back to one of three sources: • Poor design • Poor implementation • Poor management Haftom Aregawi 24
  • 25. Threats, Vulnerabilities, and Attacks… • Security, Vulnerabilities, Threats and Adversaries… • Vulnerabilities… • While there are only three sources of vulnerabilities, they can manifest themselves in many ways. • Physical Vulnerabilities: Are your systems, communications equipment, and media located in a secure facility? Central hosts and servers should be kept in secure rooms that can only be entered by authorized personnel. • Hardware and Software: Design flaws in hardware or software can render systems vulnerable to attack or affect the availability of systems. • Media Vulnerabilities: Disks, tapes, and other media can be stolen, lost, or damaged. • Transmission and Emanation Vulnerabilities-Interception of Information: Signal emissions from electrical equipment can be remotely intercepted and monitored using sophisticated devices in a process sometimes referred to as van Eck monitoring. 25
  • 26. Threats, Vulnerabilities, and Attacks… • Security, Vulnerabilities, Threats and Adversaries… • Vulnerabilities… • While there are only three sources of vulnerabilities, they can manifest themselves in many ways… • Human Vulnerabilities: Human stupidity, carelessness, laziness, greed, and anger represent the greatest threats to networks and systems and will do more damage than the rest of the others combined. Moreover, human vulnerabilities and the risks associated with them are the most difficult to defend against. • Note: The likelihood of threats exploiting vulnerabilities in your security controls and the consequences of that is known as risk. Haftom Aregawi 26 RISK = (Vulnerability x Threats x Consequences)
  • 27. Threats, Vulnerabilities, and Attacks… • Know Yourself - The Threat and Vulnerability Landscape… • Threat landscape: also known as a threat model. • Is the threats and adversaries that you face. • Attack: is a specific technique used to exploit a vulnerability. For example, a threat could be a denial of service. • Two types of attacks: • Passive attacks: does not involve any modification to the contents of an original message • Active attacks: the contents of the original message are modified in some ways. Haftom Aregawi 27
  • 28. Threats, Vulnerabilities, and Attacks… • Attack: is a specific technique used to exploit a vulnerability. For example, a threat could be a denial of Haftom Aregawi 28
  • 29. Threats, Vulnerabilities, and Attacks… • The three goals of security—confidentiality, integrity and availability—can be threatened by security attacks. Below Figure relates the taxonomy of attack types to security goals. Haftom Aregawi 29
  • 30. Threats, Vulnerabilities, and Attacks… • Snooping, the unauthorized interception of information, is a form of disclosure. • Traffic analysis refers other types of information collected by an intruder by monitoring online traffic. • Modification or alteration, an unauthorized change of information, covers three classes of threats. The goal may be deception, in which some entity relies on the modified data to determine which action to take, or in which incorrect information is accepted as correct and is released. Haftom Aregawi 30
  • 31. Threats, Vulnerabilities, and Attacks… • Masquerading or spoofing, an impersonation of one entity by another, is a form of both deception and usurpation. It lures a victim into believing that the entity with which it is communicating is a different entity. • Repudiation of origin, a false denial that an entity sent (or created) something, is a form of deception. • Denial of receipt, a false denial that an entity received some information or message, is a form of deception. • Denial of service, a long-term inhibition of service, is a form of usurpation, although it is often used with other mechanisms to deceive. 31
  • 32. Threats, Vulnerabilities, and Attacks… • Know Your Enemy - the Current Threat and Vulnerability Landscape: • Why You Need Security – The Value Of A Hack: • Why would someone target me? • What’s the point of a hacker taking over my PC or my account? • Note: Generally the motive for wanting to access your account, steal your identity, take control of your PC is money. • Some of the various ways in which your PC could be useful to a cyber criminals are: • Web hosting: for example, they can use your PC as a web server. They’ll steal your content, perform illegal and hacking activities, form email attacks. 32
  • 33. Threats, Vulnerabilities, and Attacks… • Know Your Enemy - the Current Threat and Vulnerability Landscape… • Some of the various ways in which your PC could be useful to a cyber criminals are… • Reputation highjacking: accounts can be solved again. • Bot activities: take down websites, blackmail sites, account credentials. Haftom Aregawi 33
  • 34. Threats, Vulnerabilities, and Attacks… • Security Bugs and Vulnerabilities - The Vulnerability Landscape: • Cyber security is an arms race between offensive and defensive capabilities. • A security bug and a vulnerability are actually the same thing. • Note: security bug is an error which happen by human mistake. Security bugs can exist in your operating system, firmware, applications, things like Outlook, your media player, Adobe Acrobat. In a particular risk, they can exist in your browser and the extensions and add-ons within the browser. Haftom Aregawi 34
  • 35. Threats, Vulnerabilities, and Attacks… • Security Bugs and Vulnerabilities - The Vulnerability Landscape… • There are two main types of bugs: • Known bugs: have patches, and if you patch your system, you are safe against that bug. • Unknown bugs: can be referred to as zero-days. These are much harder to protect against as there is no patch. • Hackers, crackers and cyber criminals: • Hacker originally was a positive term used to describe someone who kept hacking a problem until it was done. But today, the common understanding is really someone who’s out to cause mischief on the internet or on your computer. Haftom Aregawi 35
  • 36. Threats, Vulnerabilities, and Attacks… • Hackers, crackers and cyber criminals… • White hat hackers, meaning they are hacking for good. An example being the work I’ve done where you are paid to attempt to compromise a target, such as a company, and this, in the security industry is called ethical hacking or penetration testing. • cyber criminals: are a black hat hackers. Haftom Aregawi 36
  • 37. Threats, Vulnerabilities, and Attacks… • Malware, viruses, rootkits and RATs: Haftom Aregawi 37
  • 38. Threats, Vulnerabilities, and Attacks… • Malware, viruses, rootkits and RATs… • Malware is the all encompassing term that refers to all of the programs that are written with malicious intent. • Macro viruses: is a virus that has been written in a macro language, such as VBS, that is usually platform independent since many applications allow macro programs to be embedded in the documents. • Stealth viruses: is a virus that hides the modifications it has made, virus tries to trick antivirus software by intercepting its request to the operating system and providing false and bogus information Haftom Aregawi 38
  • 39. Threats, Vulnerabilities, and Attacks… • Malware, viruses, rootkits and RATs… • Malware is the all encompassing term that refers to all of the programs that are written with malicious intent. • Polymorphic viruses produces varied operational copies of itself. A polymorphic virus may have no parts that remain identical between infections, making it very difficult to detect directly using signatures and antivirus software. • self-garbling viruses attempts to hide from antivirus software by modifying its code so it does not match pre-defined antivirus signatures. • Bots or Zombies, and that’s really a collection of hacked devices under a command and control of a hacker. So if your machine does get compromised, it could be part of a bot network or be a zombie. Haftom Aregawi 39
  • 40. Threats, Vulnerabilities, and Attacks… • Malware, viruses, rootkits and RATs… • Malware is the all encompassing term that refers to all of the programs that are written with malicious intent. • Worms: are the viruses that simply spread from one machine to another. • Rootkits are the worst software based malware that you can get. They are usually embedded into the kernel of the operating system so it can hide its existence completely from the operating system. • Firmware Rootkits are the worst of all. So for example, within your hard drive’s firmware chip, you could have some sort of malware. Even formatting your drive and reinstalling the operating system won’t shift it. This is NSA, DCHQ level malware. Haftom Aregawi 40
  • 41. Threats, Vulnerabilities, and Attacks… • Malware, viruses, rootkits and RATs… • Malware is the all encompassing term that refers to all of the programs that are written with malicious intent. • Key loggers do as they sound; they log your keystrokes. • Remote Access Tools, or RATs are malicious programs that run on your system and allow intruders to access your system remotely. Haftom Aregawi 41
  • 42. Threats, Vulnerabilities, and Attacks… • Spyware, Adware, Scareware, PUPs & Browser hijacking: • Spyware is an intelligence gathering malware. Spyware, as the name suggests, its main purpose is to gather information and send it back to the attacker, well, to spy. • Adware is undesirable software that forces advertisement on you. Example, Cool Web Search. • Scareware is a type of social engineering attack to trick a person into believing in a threat that isn’t really real. So a common example is fake security software claiming that you have malware infections or something like that. Haftom Aregawi 42
  • 43. Threats, Vulnerabilities, and Attacks… • Spyware, Adware, Scareware, PUPs & Browser hijacking: • When an adware or malware takes over your browser in this way, it’s known as Browser Hijacking. • If it’s something that you might not have wanted, these are called Potentially Unwanted Programs, or PUPs. Haftom Aregawi 43
  • 44. Threats, Vulnerabilities, and Attacks… • Phishing, Vishing and SMShing: • Phishing is a type of attack that typically attempts to trick the victim into clicking on a link or executing malware in some way. It can be an attempt to compromise a device to steal sensitive information, passwords, usernames, pins, credit card numbers, as well as try to gain access to online accounts. Haftom Aregawi 44
  • 45. Threats, Vulnerabilities, and Attacks… • Phishing, Vishing and SMShing… • Techniques used to perform phishing attacks in order to try and convince people to click on them: • Link Manipulation: Haftom Aregawi 45 subdomains and misspelled domains subdirectories • Where, in red is the real domain, and in blue is the domain it’s trying to convince you that it’s actually from.
  • 46. Threats, Vulnerabilities, and Attacks… • Phishing, Vishing and SMShing… • Techniques used to perform phishing attacks in order to try and convince people to click on them… • Link Manipulation… Haftom Aregawi 46 You probably can because we zoomed in, which is here. You’ve got an R and an N instead of an M. Internationalized Domain Name(IDN) Homographic Attack
  • 47. Threats, Vulnerabilities, and Attacks… • Phishing, Vishing and SMShing… • Techniques used to perform phishing attacks in order to try and convince people to click on them… • Link Manipulation… Haftom Aregawi 47 Hidden URLs <h4>Hidden URLs</h4> <a href=”http://google.com.stationx.net”>Click Here</a> <br> <a href=”http://google.com.stationx.net”>http://google.com.stationx.net</a>
  • 48. Threats, Vulnerabilities, and Attacks… • Spamming & Doxing: • Spam, is unsolicited messages most often coming in email, through instant messages, forums, social media, even text messages now, blogs, wikis, and pretty much anywhere else that they can think of in order to spam you. Mostly it’s to advertise some sort of product. • Dox is an abbreviation of document. Doxing is to do research on an individual, or it can be an organization or company, to find personal and private information often in order to cause embarrassment, discredit, extort, coerce, harass, and you know, just generally cause problems for the victim by publicly releasing the information or the threat to publicly release it. 48
  • 49. Threats, Vulnerabilities, and Attacks… • Phishing, Vishing and SMShing… • Techniques used to perform phishing attacks in order to try and convince people to click on them… • Link Manipulation… Haftom Aregawi 49 Hidden URLs <h4>Hidden URLs</h4> <a href=”http://google.com.stationx.net”>Click Here</a> <br> <a href=”http://google.com.stationx.net”>http://google.com.stationx.net</a>
  • 50. Security services, Policy, Mechanism, and Standards • Standards have been defined for security services to achieve security goals and prevent security attacks. Figure shows the taxonomy of the five common services. Haftom Aregawi 50
  • 51. Security services, Policy, Mechanism, and Standards… • Security policy is a statement of what is, and what is not, allowed. • Security mechanism is a method, tool, or procedure for enforcing a security policy. • For example, suppose a university's computer engineering laboratory has a policy that prohibits any student from copying another student's homework files. The computer system provides mechanisms for preventing others from reading a user's files. Anna fails to use these mechanisms to protect her homework files, and Bill copies them. A breach of security has occurred, because Bill has violated the security policy. Anna's failure to protect her files does not authorize Bill to copy them. 51
  • 52. Security services, Policy, Mechanism, and Standards… • The security life cycle: Haftom Aregawi 52
  • 53. Security services, Policy, Mechanism, and Standards… • The security life cycle… • EXAMPLE: A major corporation decided to improve its security. It hired consultants, determined the threats, and created a policy. From the policy, the consultants derived several specifications that the security mechanisms had to meet. They then developed a design that would meet the specifications. • During the implementation phase, the company discovered that employees could connect modems to the telephones without being detected. The design required all incoming connections to go through a firewall. The design had to be modified to divide systems into two classes: systems connected to "the outside," which were put outside the firewall; and all other systems, which were put behind the firewall. The design needed other modifications as well. 53
  • 54. Security services, Policy, Mechanism, and Standards… • The security life cycle… • When the system was deployed, the operation and maintenance phase revealed several unexpected threats. The most serious was that systems were repeatedly misconfigured to allow sensitive data to be sent across the Internet in the clear. The implementation made use of cryptographic software very difficult. Once this problem had been remedied, the company discovered that several "trusted" hosts (those allowed to log in without authentication) were physically outside the control of the company. This violated policy, but for commercial reasons the company needed to continue to use these hosts. The policy element that designated these systems as "trusted" was modified. 54
  • 55. Security services, Policy, Mechanism, and Standards… • The security life cycle… • Finally, the company detected proprietary material being sent to a competitor over electronic mail. This added a threat that the company had earlier discounted. The company did not realize that it needed to worry about insider attacks. Haftom Aregawi 55
Security services, Policy, Mechanism, and Standards…
• Organizations and their standards:
Security services, Policy, Mechanism, and Standards…
• Organizations and their standards…
Security services, Policy, Mechanism, and Standards…
• Organizations and their standards…
  • International organizations such as the Internet Engineering Task Force (IETF), the Institute of Electrical and Electronics Engineers (IEEE), the International Standards Organization (ISO), and the International Telecommunication Union (ITU)
  • Multinational organizations like the European Committee for Standardization (CEN), the Commission of European Union (CEU), and the European Telecommunications Standards Institute (ETSI)
Security services, Policy, Mechanism, and Standards…
• Organizations and their standards…
  • National governmental organizations like the National Institute of Standards and Technology (NIST), the American National Standards Institute (ANSI), and the Canadian Standards Council (CSC)
  • Sector-specific organizations such as the European Committee for Banking Standards (ECBS), the European Computer Manufacturers Association (ECMA), and the Institute of Electrical and Electronics Engineers (IEEE)
Security services, Policy, Mechanism, and Standards…
• Organizations and their standards…
  • Industry standards such as the RSA, the Open Group (OSF+X/Open), the Object Management Group (OMG), the World Wide Web Consortium (W3C), and the Organization for the Advancement of Structured Information Standards (OASIS)
Security services, Policy, Mechanism, and Standards…
• Security Standards Based on Type of Service/Industry:
  • System and security managers and users may choose a security standard to use based on the type of industry they are in and what type of services that industry provides.
• Security standards based on services:
Security services, Policy, Mechanism, and Standards…
• Security standards based on services:
Security services, Policy, Mechanism, and Standards…
• Security standards based on services…
Security services, Policy, Mechanism, and Standards…
• Best security practices for a small organization:
• Interest-based security standards:
System development
• Determine threats
• Develop a policy
• Give specification of the system
  • Desired functionality of the system
  • If specification is ambiguous, vulnerabilities can result
  • An imprecise specification is useless…
• Design the system
  • Design system satisfying the specification
  • Difficult (but not impossible) to verify
System development…
• Implementation
  • Create a system satisfying the design
  • Impossible to fully verify correctness
    • Software complexity
    • Unknown inputs
    • Unverified tools
  • “Testing” after the fact
    • Subject to limitations of the tests
System development…
• System development (summary)
  1. Threat analysis
  2. Policy
  3. Specification
  4. Design
  5. Implementation
  6. (Operation/maintenance/monitoring?)
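The lifecycle in the corporate case study on the earlier slides and the step list above, as an added example that is not part of the lecture: the policy is turned into precise, testable predicates (the specification), an audit routine acts as the mechanism that checks a host inventory against them (operation/monitoring), and a policy revision re-labels an externally controlled "trusted" host, as the company did in the case study. The host names, attribute names, rule names and the inventory itself are constructed assumptions for illustration only.

```python
"""Policy-to-specification audit, modelled on the lecture's case study.

Added example (not from the slides). Hosts, channels, rule names and the
Policy exception list are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Channel:
    dest_zone: str   # "inside" (behind the firewall) or "outside"
    encrypted: bool
    sensitive: bool  # carries data the policy classes as sensitive


@dataclass(frozen=True)
class Host:
    name: str
    zone: str                  # "inside" or "outside" relative to the firewall
    trusted: bool              # may log in without authentication
    company_controlled: bool   # physically under the company's control
    channels: Tuple[Channel, ...] = ()


@dataclass(frozen=True)
class Policy:
    # Hosts the revised policy explicitly allows to stay "trusted" although
    # the company does not physically control them (the case study's fix).
    trusted_external_exceptions: frozenset = frozenset()


Rule = Callable[[Host, Policy], bool]


# Specification: each policy statement becomes one unambiguous predicate.
def trusted_hosts_must_be_controlled(h: Host, p: Policy) -> bool:
    """A 'trusted' host must be under company control unless policy exempts it."""
    return (not h.trusted) or h.company_controlled \
        or (h.name in p.trusted_external_exceptions)


def sensitive_data_leaving_must_be_encrypted(h: Host, p: Policy) -> bool:
    """No sensitive data may leave the firewall in the clear."""
    return all(c.encrypted for c in h.channels
               if c.sensitive and c.dest_zone == "outside")


def outside_hosts_are_never_trusted(h: Host, p: Policy) -> bool:
    """Hosts placed outside the firewall may not skip authentication."""
    return not (h.zone == "outside" and h.trusted)


RULES: Dict[str, Rule] = {
    "trusted_hosts_must_be_controlled": trusted_hosts_must_be_controlled,
    "sensitive_data_leaving_must_be_encrypted": sensitive_data_leaving_must_be_encrypted,
    "outside_hosts_are_never_trusted": outside_hosts_are_never_trusted,
}


def audit(hosts: Sequence[Host], policy: Policy) -> List[Tuple[str, str]]:
    """Mechanism/monitoring step: return (host, violated_rule) pairs."""
    return [(h.name, name)
            for h in hosts
            for name, rule in RULES.items()
            if not rule(h, policy)]


# Constructed inventory mirroring the case study's findings.
SAMPLE_HOSTS: Tuple[Host, ...] = (
    Host("db-1", "inside", trusted=False, company_controlled=True,
         channels=(Channel("inside", encrypted=False, sensitive=True),)),
    # Misconfigured: sends sensitive data to the Internet in the clear.
    Host("web-1", "outside", trusted=False, company_controlled=True,
         channels=(Channel("outside", encrypted=False, sensitive=True),)),
    # "Trusted" host that is physically outside the company's control.
    Host("partner-gw", "inside", trusted=True, company_controlled=False),
    # Outside the firewall yet allowed to log in without authentication.
    Host("kiosk", "outside", trusted=True, company_controlled=True),
)


def run_case_study():
    """Audit before and after the policy revision that exempts partner-gw."""
    before = audit(SAMPLE_HOSTS, Policy())
    revised = Policy(trusted_external_exceptions=frozenset({"partner-gw"}))
    after = audit(SAMPLE_HOSTS, revised)
    return before, after


if __name__ == "__main__":
    before, after = run_case_study()
    print("violations under original policy:", before)
    print("violations under revised policy: ", after)
```

The point of the structure is the lecture's: a policy statement such as "trusted hosts are controlled by the company" is ambiguous until it is written as a predicate over concrete host attributes, and once it is, the same predicate serves as the monitoring check in the operation phase. Revising the policy (the exception set) removes the partner-gw finding without touching the mechanism; the cleartext channel and the trusted outside host remain findings because the policy about them did not change.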
Operating System Security & Privacy
• Windows 7, 8, 8.1, and 10 OS
• MAC-OS
• Linux/Ubuntu OS
. . . (Next Lecture Slide…)