Chapter 1 COMPUTER AND NETWORK SECURITY PRINCIPLES.

Content

• Importance of Computer and Network Security

• Underlying Computer and Network Security Concepts

• Threats and Countermeasures

• Policies and Standards

Importance of Computer and Network Security

• Computer security: involves implementing measures to secure a single computer (protecting the resources stored on that computer and protecting that computer from threats).

• Network security: involves protecting all the resources on a network from threats (computers on the network, network devices, network transmission media, and the data being transmitted across the network).

• Types of attack:

– Exposing Secrets

– Causing System Failures

– Social Engineering

Exposing Secrets

• Problems:

– A hacker discovers the password on your device and then publishes your personal data.

– A hacker intercepts data sent across non-secure internet protocols to attack their target (for example, when you buy merchandise on the internet).

– Badly protected servers at a target site.

– Another potential risk is identity theft (name, social security number, bank account number, etc.).

• Solutions:

– Use a complex password to protect your device.

– Use secure internet protocols such as HTTPS and TLS.

Risks of using an e-commerce website

Causing System Failures

• Problem: Attackers use a variety of techniques to cause damage:

– Vulnerabilities in software that accepts user input, such as Internet browsers or email software, can allow external parties to take control of a device.

– Worms and viruses make use of overgenerous features or vulnerabilities to spread widely and overload networks and end systems with the traffic they generate.

– A denial-of-service attack is one that prevents a server from performing its normal job.

Social Engineering

• A social engineering attack is one that involves people, not computers.

• How social engineering attacks work:

– An attacker calls an employee on the phone claiming to be an administrator. The person asks for the user’s name and password so they can verify the user’s network settings.

– An attacker who does not work for the company claims to be a temporary employee or contractor. The attacker is allowed access to a computer or worse, to the server room.

– An attacker sifts through documents in the trash bin to discover employee names, organizational hierarchy, or even network configuration data.

• Protecting against social engineering:

– Educating employees about unsafe practices.

Underlying Computer and Network Security Concepts

• Key concepts underlying computer and network security include the following:

– Confidentiality: prevention of unauthorized disclosure of information (relates to data stored on a computer and data transmitted across a network).

– Integrity: prevention of unauthorized modification of information.

– Availability: prevention of unauthorized withholding of information or resources.

– Accountability: holding users accountable for their actions (users should be held responsible for their actions).

– Nonrepudiation: the ability to ensure that someone cannot deny (i.e., repudiate) his or her actions (providing evidence about the fact that a message was delivered to a specific recipient).

Man-in-the-middle attack (Integrity)

A denial-of-service attack (smurf attack)

Confidentiality and Integrity Requirements

Threats and Countermeasures

• Risk is the possibility that some incident or attack will cause damage to an organization’s network.

• Risk analysis: The process of identifying a risk and assessing its likelihood and impact.

• Within IT security, risk analysis is applied:

– Comprehensively for all information assets of an enterprise.

– Specifically for the IT infrastructure of an enterprise.

– During the development of new products or systems.

Assessing Assets, Vulnerabilities, and Threats to Calculate Risk

• Assets have to be identified and valued:

– Hardware: laptops, desktops, servers, routers, PDAs, mobile phones, smart cards, and so on.

– Software: applications, operating systems, database management systems, source code, object code, and so on.

– Data and information: essential data for running and planning your business, design documents, digital content, data about your customers, data belonging to your customers (like credit card numbers), and so forth.

– Reputation: the opinion held by your customers and the general public about your organization. Reputation can affect how likely a person is to place an order with you or provide you with information.

• Vulnerabilities are weaknesses of a system that could be accidentally or intentionally exploited to damage assets.

• In an IT system, the following are typical vulnerabilities:

– Accounts with system privileges where the default password, such as ‘MANAGER’, has not been changed.

– Programs with unnecessary privileges.

– Programs with known flaws.

– Weak access control settings on resources, for example, granting everyone full control to a shared folder.

– Weak firewall configurations that allow access to vulnerable services.

• Threats are actions by adversaries who try to exploit vulnerabilities in order to damage assets.

• Microsoft’s STRIDE threat model for software security lists the following categories:

– Spoofing identities: The attacker pretends to be somebody else.

– Tampering with data: Security settings are changed to give the attacker more privileges.

– Repudiation: A user denies having performed an action like mounting an attack or making a purchase.

– Information disclosure: Information might lose its value if it is disclosed to the wrong parties (e.g., trade secrets); your organization might face penalties if it does not properly protect information (e.g., personal information about individuals).

– Denial of service (DoS): DoS attacks can make websites temporarily unavailable; there have been stories in the press that businesses use such attacks to harm competitors.

– Elevation of privilege: The term elevation of privilege refers to a user who gains more privileges on a computer system than he or she is entitled to.

Attack tree for obtaining another user’s password

Calculating Risk

• In quantitative risk analysis, expected losses are computed based on monetary values for the assets and probabilities for the likelihood of threats.

• In qualitative risk analysis, the following principles are used:

– Assets can be rated on a scale of critical–very important–important–not important.

– Criticality of vulnerabilities can be rated on a scale of has to be fixed immediately–has to be fixed soon–should be fixed–fix if convenient.

– Threats can be rated on a scale of very likely–likely–unlikely–very unlikely.

– A finer method of scaling could be provided for each variable, that is, numerical values from 1 to 10.

• Risk = Assets x Vulnerabilities x Threats

• Guidance has to be given on how to assign ratings:

– Damage potential: relates to the values of the assets being affected.

– Reproducibility: one aspect of how difficult it is to launch an attack; attacks that are easy to reproduce are a greater risk than attacks that only work in specific circumstances.

– Exploitability: relates to the effort, expertise, and resources required to launch an attack.

– Affected users: for software vendors, another important contributing factor to damage potential.

– Discoverability: When will the attack be detected? In the most damaging case, you will never know that your system has been compromised. If you don’t know you’ve been attacked, then you don’t know to take steps to recover.

Example

“InventoryAndOrders”

– Unpatched software is Medium = 5

– Denial-of-service attack is Medium = 5

– Database is Medium = 5

Risk = 5 x 5 x 5 = 125
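
The same calculation as a small risk register that ranks several entries, added here as an example that is not part of the original slides. Only Medium = 5 comes from the slides; the numbers assigned to the other qualitative labels and the second and third register rows are assumptions made for illustration.

```python
from dataclasses import dataclass
# Assumed numbers for the slides' qualitative scales (1-10 range).
# Only "Medium = 5" comes from the slides; the rest are assumptions.
ASSET = {"not important": 2, "important": 5, "very important": 8, "critical": 10}
VULN = {"fix if convenient": 2, "should be fixed": 5,
        "has to be fixed soon": 8, "has to be fixed immediately": 10}
THREAT = {"very unlikely": 2, "unlikely": 4, "likely": 7, "very likely": 10}

def rate(value, scale):
    """Return a 1-10 rating from a number or from a label on the scale."""
    if isinstance(value, int) and not isinstance(value, bool):
        if not 1 <= value <= 10:
            raise ValueError(f"rating {value} is outside 1-10")
        return value
    try:
        return scale[value.strip().lower()]
    except (KeyError, AttributeError):
        raise ValueError(f"unknown rating {value!r}") from None

@dataclass(frozen=True)
class RiskItem:
    asset: str
    vulnerability: str
    threat: str
    asset_rating: object
    vuln_rating: object
    threat_rating: object

    def score(self):
        # Risk = Assets x Vulnerabilities x Threats
        return (rate(self.asset_rating, ASSET) * rate(self.vuln_rating, VULN)
                * rate(self.threat_rating, THREAT))

def rank(items):
    # Highest risk first, so the top rows are treated first.
    return sorted(items, key=lambda item: item.score(), reverse=True)

# Constructed register: row 1 is the slides' example, rows 2-3 are hypothetical.
REGISTER = [
    RiskItem("InventoryAndOrders database", "Unpatched software",
             "Denial-of-service attack", 5, 5, 5),
    RiskItem("Admin account", "Default password not changed", "Spoofing identities",
             "critical", "has to be fixed immediately", "likely"),
    RiskItem("Shared folder", "Everyone has full control",
             "Tampering with data", "important", "should be fixed", "unlikely"),
]
if __name__ == "__main__":
    for item in rank(REGISTER):
        print(f"{item.score():4d}  {item.asset}: {item.vulnerability}")
```

Because the three ratings are multiplied, a single low rating pulls the whole score down sharply, so the guidance on how ratings are assigned matters as much as the formula.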

Policies and Standards

• A security policy is a document that defines the security goals of the business.

• Security management standards that specify certain security measures required to be taken by an organization exist for a number of different types of industries.

• ISO 17799 standard:

– Establishment of organizational security policy: An enterprise must provide management direction and support on security matters.

– Organizational security infrastructure: Responsibilities for security within an enterprise have to be properly organized.

– Asset classification and control: To know what is worth protecting, and how much to spend on protection, an enterprise has to have a clear picture of its assets and of their value.

– Physical and environmental security: Physical security measures (fences, locked doors, etc.) protect access to business premises or to sensitive areas (rooms) within a building.

– Personnel security: An organization’s employees can be a source of insecurity.

– Communications and operations management: The day-to-day management of IT systems and of business processes has to ensure that security is maintained.

– Access control: Access control can apply to data, services, and computers.

– Systems development and maintenance: Security issues should be considered when an IT system is being developed.

– Business continuity planning: An organization must put measures in place so that it can cope with major failures or disasters.

– Compliance: Organizations have to comply with legal, regulatory, and contractual obligations, as well as with standards and their own organizational security policy.