Isys20261 lecture 02

Computer Security Management (ISYS20261)
Lecture 2 – Threats and Vulnerabilities
Module Leader: Dr Xiaoqi Ma
School of Science and Technology

Page 2: Isys20261 lecture 02

Last week …

• Computer security - protection of information related assets:
  – Data
  – Hardware
  – Software
  – People
  – Intangible assets

• Information security requirements:
  – Confidentiality
  – Integrity
  – Availability

Page 3: Isys20261 lecture 02

Remember definitions?

• Harm
  – Something happens to an asset that we do not want to happen

• Threat
  – Possible source of harm

• Attack
  – Threatening event (instance of a threat)

• Attacker
  – Someone or something that mounts a threat

• Vulnerability
  – Weakness in the system (asset) that makes an attack more likely to succeed

• Risk
  – Possibility that a threat will affect the business or organisation

Page 4: Isys20261 lecture 02

Security risks and management

[Diagram: Asset, Threat, Vulnerability, Risk (Risk Analysis); Security Measures (Risk Management)]

Page 5: Isys20261 lecture 02

Today ...

… we will discuss:

• Harm and threats

• Vulnerabilities

• Methods of defence

Page 6: Isys20261 lecture 02

Harm and threats

• Six basic types of harm:
  – Modification
  – Destruction
  – Disclosure
  – Interception
  – Interruption
  – Fabrication

• A threat is a possible source of harm

• Example: a virus formats the hard disk of a computer

• Threats exploit vulnerabilities of systems

Page 7: Isys20261 lecture 02

Modification

• Data held in a computer system is accessed in an unauthorised manner and is changed without permission

• Somebody either changes values in a database or alters routines in a computer programme to perform additional computations

• Modification can also occur when data is changed during transmission

• Modification of data can also be caused by changing the hardware of an information system

Page 8: Isys20261 lecture 02

Destruction

• Occurs when hardware, software, or data is destroyed because of malicious intent

• Can happen not only to stored data, but also to data at the input stage (before processing)

Page 9: Isys20261 lecture 02

Disclosure

• Takes place when data is made available or access to software is made available without consent of the individual responsible for the data or software

• Serious impact on security and privacy

• Responsibility for data and/or software is usually linked to a position within an organisation

• Although disclosure of data can occur because of malicious intent, it also often happens because of a lack of proper procedure within an organisation

Page 10: Isys20261 lecture 02

Interception

• Occurs when an unauthorised person or software gains access to data or computer resources

• May result in copying of programs or data

• An interceptor may use computing resources at one location to access assets elsewhere

Page 11: Isys20261 lecture 02

Interruption

• Occurs when a computer resource becomes unavailable for use

• Might be a consequence of malicious damage of computing hardware, erasure of software, or malfunctioning of an operating system

• Example: Denial of Service (DoS) attacks

Page 12: Isys20261 lecture 02

Fabrication

• Occurs when spurious transactions are inserted into a network or records are added to an existing database

Page 13: Isys20261 lecture 02

Information security requirements

• Confidentiality
  – Protecting sensitive information from unauthorised disclosure or intelligible interception

• Integrity
  – Safeguarding the accuracy and completeness of information (and software)

• Availability
  – Ensuring that information (and vital services) are available to users when required

• Authentication
  – Ensuring that information is from the source it claims to be from

• Non-repudiation
  – Prevents an entity from denying having performed a particular action related to data

Page 14: Isys20261 lecture 02

Vulnerabilities

• Weaknesses in a system

• Might arise from:
  – Poor design
  – Poor implementation
  – Technological advances

• Examples:
  – Password management flaws
  – Fundamental operating system design flaws
  – Software bugs
  – Unchecked user input
  – Social engineering
  – Etc.

Page 15: Isys20261 lecture 02

Password management flaws

• Use of weak passwords that could be discovered by brute force

• Passwords are stored on the computer where a program can access them

• Users re-use passwords between many programs and websites

• System administrator uses factory-set default passwords

• Etc.
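
Added example (not part of the original slides): a Python sketch of checks that address the flaws listed on this slide, storing only a salted, slow hash and flagging default, short or re-used passwords. The default list, the minimum length and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample list (assumption); a real check would use vendor default lists.
FACTORY_DEFAULTS = {"admin", "password", "changeme", "12345678"}
MIN_LENGTH = 12          # assumed policy value, not taken from the lecture
ITERATIONS = 600_000     # PBKDF2 work factor; slows brute force of a stolen store
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return salt + PBKDF2-HMAC-SHA256 digest; the password itself is never stored."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt + digest


def verify_password(password, record):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, stored = record[:SALT_BYTES], record[SALT_BYTES:]
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(digest, stored)


def audit_password(candidate, earlier_records=()):
    """List which of the slide's flaws a proposed password shows."""
    findings = []
    if candidate.lower() in FACTORY_DEFAULTS:
        findings.append("factory default")
    if len(candidate) < MIN_LENGTH:
        findings.append("short enough to brute-force")
    # Only re-use inside this system is visible; re-use on other sites is not.
    if any(verify_password(candidate, rec) for rec in earlier_records):
        findings.append("re-used")
    return findings
```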

Page 16: Isys20261 lecture 02

Fundamental operating system design flaws

• Operating system designer implements unsuitable policies on user and/or program management

• Example: operating system grants every program and every user full access to the entire computer

• Such an operating system flaw allows viruses and malware to execute commands on behalf of the administrator

Page 17: Isys20261 lecture 02

Software bugs

• The programmer leaves an exploitable bug in a software program

• The software bug may allow an attacker to misuse an application through (for example) bypassing access control checks or executing commands on the system hosting the application

• Examples:
  – Buffer overflows
  – Dangling pointers

Page 18: Isys20261 lecture 02

Unchecked user input

• A program assumes that all user input is safe

• Consequence: the program does not check the validity of user input

• Can allow unintended direct execution of commands or SQL statements

• Examples:
  – Buffer overflows
  – SQL injection
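
Added example (not part of the original slides): the SQL injection case from this slide, shown in Python with sqlite3 as an unchecked query beside a checked one. The table, the sample rows and the function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    db.executemany(
        "INSERT INTO notes (owner, body) VALUES (?, ?)",
        [("alice", "lecture notes"),
         ("bob", "payroll figures"),
         ("o'brien", "meeting minutes")],
    )
    return db


def find_notes_unchecked(db, owner):
    """Vulnerable: the input becomes part of the SQL statement text."""
    query = f"SELECT body FROM notes WHERE owner = '{owner}' ORDER BY id"
    return [row[0] for row in db.execute(query)]


def find_notes_checked(db, owner):
    """Hardened: validate the input, then bind it as data, never as SQL."""
    if not isinstance(owner, str) or not 1 <= len(owner) <= 64:
        raise ValueError("owner must be a string of 1 to 64 characters")
    query = "SELECT body FROM notes WHERE owner = ? ORDER BY id"
    return [row[0] for row in db.execute(query, (owner,))]


if __name__ == "__main__":
    db = make_db()
    crafted = "nobody' OR '1'='1"  # constructed input that contains SQL syntax
    print(find_notes_unchecked(db, crafted))  # every owner's notes: disclosure
    print(find_notes_checked(db, crafted))    # no rows: treated as an odd name
    print(find_notes_checked(db, "o'brien"))  # apostrophe handled as plain data
```

The unchecked version also fails on the legitimate name o'brien, because the apostrophe ends the string literal early; bound parameters remove both problems.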

Page 19: Isys20261 lecture 02

Social engineering

• Based on specific attributes of human decision-making known as cognitive biases

• These biases, sometimes called "bugs in the human hardware," are exploited in various combinations to create criminal attack techniques

• Examples:
  – Pretexting
  – Phishing
  – Baiting
  – Etc.

• “ … I could often get passwords and other pieces of sensitive information by pretending to be someone else and just asking for it.” (Kevin Mitnick, The Art of Deception, 2002)

Page 20: Isys20261 lecture 02

Methods of defence

• Protecting a technical system: establish controls that satisfy our information security requirements

• Dhillon lists three main methods of defence:
  – Encryption
  – Software controls
  – Physical and hardware controls

• More on these methods in the coming lectures …

Page 21: Isys20261 lecture 02

Summary

Today we learned:

• Six basic types of harm

• A threat is a possible source of harm

• A threat exploits vulnerabilities in a system

• We need to satisfy our information security requirements

• Need to put controls in place to defend ourselves