isys20261 lecture 02

Post on 19-May-2015


Computer Security Management (ISYS20261) Lecture 2 – Threats and Vulnerabilities

Module Leader: Dr Xiaoqi Ma

School of Science and Technology

Computer Security ManagementPage 2

Last week …

• Computer security - protection of information related assets:
  – Data
  – Hardware
  – Software
  – People
  – Intangible assets

• Information security requirements:
  – Confidentiality
  – Integrity
  – Availability


Remember definitions?

• Harm
  – Something happens to an asset that we do not want to happen

• Threat
  – Possible source of harm

• Attack
  – Threatening event (instance of a threat)

• Attacker
  – Someone or something that mounts a threat

• Vulnerability
  – Weakness in the system (asset) that makes an attack more likely to succeed

• Risk
  – Possibility that a threat will affect the business or organisation


Security risks and management

[Figure: diagram with the boxes Asset, Threat, Vulnerability, Risk and Security Measures, labelled "Risk Analysis" and "Risk Management"]


Today ...

… we will discuss:

• Harm and threats

• Vulnerabilities

• Methods of defence


Harm and threats

• Six basic types of harm:
  – Modification
  – Destruction
  – Disclosure
  – Interception
  – Interruption
  – Fabrication

• A threat is a possible source of harm

• Example: a virus formats the hard disk of a computer

• Threats exploit vulnerabilities of systems


Modification

• Data held in a computer system is accessed in an unauthorised manner and is changed without permission

• Somebody either changes values in a database or alters routines in a computer programme to perform additional computations

• Modification can also occur when data is changed during transmission

• Modification of data can also be caused by changing the hardware of an information system


Destruction

• Occurs when hardware, software, or data is destroyed because of malicious intent

• Can happen not only to stored data, but also to data at the input stage (before processing)


Disclosure

• Takes place when data is made available or access to software is made available without consent of the individual responsible for the data or software

• Serious impact on security and privacy

• Responsibility for data and/or software is usually linked to a position within an organisation

• Although disclosure of data can occur because of malicious intent, it also happens many times because of lack of proper procedure within an organisation


Interception

• Occurs when an unauthorised person or software gains access to data or computer resources

• May result in copying of programs or data

• An interceptor may use computing resources at one location to access assets elsewhere


Interruption

• Occurs when a computer resource becomes unavailable for use

• Might be a consequence of malicious damage of computing hardware, erasure of software, or malfunctioning of an operating system

• Example: Denial of Service (DoS) attacks


Fabrication

• Occurs when spurious transactions are inserted into a network or records are added to an existing database


Information security requirements

• Confidentiality
  – Protecting sensitive information from unauthorised disclosure or intelligible interception

• Integrity
  – Safeguarding the accuracy and completeness of information (and software)

• Availability
  – Ensuring that information (and vital services) are available to users when required

• Authentication
  – Ensuring that information is from the source it claims to be from

• Non-repudiation
  – Prevents an entity from denying having performed a particular action related to data


Vulnerabilities

• Weaknesses in a system

• Might arise from:
  – Poor design
  – Poor implementation
  – Technological advances

• Examples:
  – Password management flaws
  – Fundamental operating system design flaws
  – Software bugs
  – Unchecked user input
  – Social engineering
  – Etc.


Password management flaws

• Use of weak passwords that could be discovered by brute force

• Passwords are stored on the computer where a program can access them

• Users re-use passwords between many programs and websites

• System administrator uses factory-set default passwords

• Etc.
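A defensive counterpart to the flaws listed above, as an added example that is not part of the original lecture: passwords are rejected if they are factory defaults or too short, and only a salted, slow hash is stored. The default list, the length limit, the iteration count and all function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

# Assumed sample values for this sketch, not taken from the lecture.
FACTORY_DEFAULTS = {"admin", "password", "changeme", "12345678"}
MIN_LENGTH = 12
ITERATIONS = 600_000  # PBKDF2 work factor; slows down brute force on a stolen store

def policy_problems(password):
    """Return the password management flaws this password would introduce."""
    problems = []
    if password.lower() in FACTORY_DEFAULTS:
        problems.append("factory default")
    if len(password) < MIN_LENGTH:
        problems.append("too short to resist brute force")
    return problems

def hash_password(password, salt=None):
    """Derive a salted PBKDF2 hash so the password itself is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, expected):
    """Recompute the hash and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)

def enrol(store, user, password):
    """Store only (salt, hash) for a password that passes the policy."""
    problems = policy_problems(password)
    if problems:
        raise ValueError(", ".join(problems))
    store[user] = hash_password(password)

if __name__ == "__main__":
    store = {}  # constructed in-memory credential store
    enrol(store, "alice", "correct horse battery")
    salt, digest = store["alice"]
    print(verify_password("correct horse battery", salt, digest))
    print(policy_problems("admin"))
```

A program that reads this store obtains salts and hashes only, so each guess against a stolen entry costs a full PBKDF2 computation.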


Fundamental operating system design flaws

• Operating system designer implements unsuitable policies on user and/or program management

• Example: operating system grants every program and every user full access to the entire computer

• Such an operating system flaw allows viruses and malware to execute commands on behalf of the administrator


Software bugs

• The programmer leaves an exploitable bug in a software program

• The software bug may allow an attacker to misuse an application through (for example) bypassing access control checks or executing commands on the system hosting the application

• Examples:
  – Buffer overflows
  – Dangling pointers


Unchecked user input

• A program assumes that all user input is safe

• Consequence: the program does not check the validity of user input

• Can allow unintended direct execution of commands or SQL statements

• Examples:
  – Buffer overflows
  – SQL injection


Social engineering

• Based on specific attributes of human decision-making known as cognitive biases

• These biases, sometimes called "bugs in the human hardware," are exploited in various combinations to create criminal attack techniques

• Examples:
  – Pretexting
  – Phishing
  – Baiting
  – Etc.

• “ … I could often get passwords and other pieces of sensitive information by pretending to be someone else and just asking for it.” (Kevin Mitnick, The Art of Deception, 2002)


Methods of defence

• Protecting a technical system: establish controls that satisfy our information security requirements

• Dhillon lists three main methods of defence:
  – Encryption
  – Software controls
  – Physical and hardware controls

• More on these methods in the coming lectures …


Summary

Today we learned:

• Six basic types of harm

• A threat is a possible source of harm

• A threat exploits vulnerabilities in a system

• We need to satisfy our information security requirements

• Need to put controls in place to defend ourselves
