isys20261 lecture 02
TRANSCRIPT
![Page 1: Isys20261 lecture 02](https://reader031.vdocument.in/reader031/viewer/2022020217/555a283dd8b42ab3088b4bb5/html5/thumbnails/1.jpg)
Computer Security Management(ISYS20261)Lecture 2 –Threats and Vulnerabilities
Module Leader: Dr Xiaoqi Ma
School of Science and Technology
![Page 2: Isys20261 lecture 02](https://reader031.vdocument.in/reader031/viewer/2022020217/555a283dd8b42ab3088b4bb5/html5/thumbnails/2.jpg)
Computer Security ManagementPage 2
Last week …
• Computer security - protection of information related assets:– Data
– Hardware
– Software
– People
– Intangible assets
• Information security requirements:– Confidentiality
– Integrity
– Availability
![Page 3: Isys20261 lecture 02](https://reader031.vdocument.in/reader031/viewer/2022020217/555a283dd8b42ab3088b4bb5/html5/thumbnails/3.jpg)
Computer Security ManagementPage 3
Remember definitions?
• Harm– Something happens to an asset that we do not want to happen
• Threat– Possible source of harm
• Attack– Threatening event (instance of a threat)
• Attacker– Someone or something that mounts a threat
• Vulnerability– Weakness in the system (asset) that makes an attack more likely to successes
• Risk– Possibility that a threat will affect the business or organisation
![Page 4: Isys20261 lecture 02](https://reader031.vdocument.in/reader031/viewer/2022020217/555a283dd8b42ab3088b4bb5/html5/thumbnails/4.jpg)
Computer Security ManagementPage 4
Security risks and management
Asset ThreatVulnerability
Risk
Ris
k A
naly
sis
Security Measures Ris
k M
anag
emen
t
![Page 5: Isys20261 lecture 02](https://reader031.vdocument.in/reader031/viewer/2022020217/555a283dd8b42ab3088b4bb5/html5/thumbnails/5.jpg)
Computer Security ManagementPage 5
Today ...
… we will discuss:
• Harm and threats
• Vulnerabilities
• Methods of defence
![Page 6: Isys20261 lecture 02](https://reader031.vdocument.in/reader031/viewer/2022020217/555a283dd8b42ab3088b4bb5/html5/thumbnails/6.jpg)
Computer Security ManagementPage 6
Harm and threats
• Six basic types of harm:– Modification
– Destruction
– Disclosure
– Interception
– Interruption
– Fabrication
• A threat is a possible source of harm
• Example: a virus formats the hard disk of a computer
• Threats exploit vulnerabilities of systems
![Page 7: Isys20261 lecture 02](https://reader031.vdocument.in/reader031/viewer/2022020217/555a283dd8b42ab3088b4bb5/html5/thumbnails/7.jpg)
Computer Security ManagementPage 7
Modification
• Data held in a computer system is accessed in an unauthorised manner and is changed without permission
• Somebody changes either values in a database or alters routines in a computer programme to perform additional computations
• Modification can also occur when data is changed during transmission
• Modification of data can also be caused by changing the hardware of an information system
![Page 8: Isys20261 lecture 02](https://reader031.vdocument.in/reader031/viewer/2022020217/555a283dd8b42ab3088b4bb5/html5/thumbnails/8.jpg)
Computer Security ManagementPage 8
Destruction
• Occurs when hardware, software, or data is destroyed because of malicious intent
• Can not only happen to stored data, but also to data at the input stage (before processing)
![Page 9: Isys20261 lecture 02](https://reader031.vdocument.in/reader031/viewer/2022020217/555a283dd8b42ab3088b4bb5/html5/thumbnails/9.jpg)
Computer Security ManagementPage 9
Disclosure
• Takes place when data is made available or access to software is made available without consent of the individual responsible for the data or software
• Serious impact on security and privacy
• Responsibility for data and/or software is usually linked to a position within an organisation
• Although disclosure of data can occur because of malicious intent, it also happens many times because of lack of proper procedure within an organisation
![Page 10: Isys20261 lecture 02](https://reader031.vdocument.in/reader031/viewer/2022020217/555a283dd8b42ab3088b4bb5/html5/thumbnails/10.jpg)
Computer Security ManagementPage 10
Interception
• Occurs when an unauthorised person or software gains access to data or computer resources
• May result in copying of programs or data
• An interceptor may use computing resources at one location to access assets elsewhere
![Page 11: Isys20261 lecture 02](https://reader031.vdocument.in/reader031/viewer/2022020217/555a283dd8b42ab3088b4bb5/html5/thumbnails/11.jpg)
Computer Security ManagementPage 11
Interruption
• Occurs when a computer resource becomes unavailable for use
• Might be a consequence of malicious damage of computing hardware, erasure of software, or malfunctioning of an operating system
• Example: Denial of Service (DoS) attacks
![Page 12: Isys20261 lecture 02](https://reader031.vdocument.in/reader031/viewer/2022020217/555a283dd8b42ab3088b4bb5/html5/thumbnails/12.jpg)
Computer Security ManagementPage 12
Fabrication
• Occurs when spurious transactions are inserted into a network or records are added to an existing database
![Page 13: Isys20261 lecture 02](https://reader031.vdocument.in/reader031/viewer/2022020217/555a283dd8b42ab3088b4bb5/html5/thumbnails/13.jpg)
Computer Security ManagementPage 13
Information security requirements
• Confidentiality– Protecting sensitive information from unauthorised disclosure or intelligible
interception
• Integrity– Safeguarding the accuracy and completeness of information (and software)
• Availability– Ensuring that information (and vital services) are available to users when
required
• Authentication– Ensuring that information is from the source it claims to be from
• Non repudiation– Prevents an entity from denying having performed a particular action related to
data
![Page 14: Isys20261 lecture 02](https://reader031.vdocument.in/reader031/viewer/2022020217/555a283dd8b42ab3088b4bb5/html5/thumbnails/14.jpg)
Computer Security ManagementPage 14
Vulnerabilities
• Weaknesses in a system
• Might arise from:– Poor design
– Poor implementation
– technological advances
• Examples:– Password management flaws
– Fundamental operating system design flaws
– Software bugs
– Unchecked user input
– Social engineering
– Etc.
![Page 15: Isys20261 lecture 02](https://reader031.vdocument.in/reader031/viewer/2022020217/555a283dd8b42ab3088b4bb5/html5/thumbnails/15.jpg)
Computer Security ManagementPage 15
Password management flaws
• Using of weak passwords that could be discovered by brute force
• Passwords are stored on the computer where a program can access it
• Users re-use passwords between many programs and websites
• System administrator uses factory-set default passwords
• Etc.
![Page 16: Isys20261 lecture 02](https://reader031.vdocument.in/reader031/viewer/2022020217/555a283dd8b42ab3088b4bb5/html5/thumbnails/16.jpg)
Computer Security ManagementPage 16
Fundamental operating system design flaws
• Operating system designer implements unsuitable policies on user and/or program management
• Example: operating system grants every program and every user full access to the entire computer
• Such an operating system flaw allows viruses and malware to execute commands on behalf of the administrator
![Page 17: Isys20261 lecture 02](https://reader031.vdocument.in/reader031/viewer/2022020217/555a283dd8b42ab3088b4bb5/html5/thumbnails/17.jpg)
Computer Security ManagementPage 17
Software bugs
• The programmer leaves an exploitable bug in a software program
• The software bug may allow an attacker to misuse an application through (for example) bypassing access control checks or executing commands on the system hosting the application
• Examples:– Buffer overflows
– Dangling pointers
![Page 18: Isys20261 lecture 02](https://reader031.vdocument.in/reader031/viewer/2022020217/555a283dd8b42ab3088b4bb5/html5/thumbnails/18.jpg)
Computer Security ManagementPage 18
Unchecked user input
• A program assumes that all user input is safe
• Consequence: the programs does not check validity user input
• Can allow unintended direct execution of commands or SQL statements
• Examples– Buffer overflows
– SQL injection
![Page 19: Isys20261 lecture 02](https://reader031.vdocument.in/reader031/viewer/2022020217/555a283dd8b42ab3088b4bb5/html5/thumbnails/19.jpg)
Computer Security ManagementPage 19
Social engineering
• Based on specific attributes of human decision-making known as cognitive biases
• These biases, sometimes called "bugs in the human hardware," are exploited in various combinations to create criminal attack techniques
• Examples:– Pretexting
– Phishing
– Baiting
– Etc.
• “ … I could often get passwords and other pieces of sensitive information by pretending to be someone else and just asking for it.” (Kevin Mitnick, The Art of Deception, 2002)
![Page 20: Isys20261 lecture 02](https://reader031.vdocument.in/reader031/viewer/2022020217/555a283dd8b42ab3088b4bb5/html5/thumbnails/20.jpg)
Computer Security ManagementPage 20
Methods of defence
• Protecting a technical system: establish controls that satisfy our information security requirements
• Dhillon lists three main methods of defence:– Encryption
– Software controls
– Physical and hardware controls
• More on these methods in the coming lectures …
![Page 21: Isys20261 lecture 02](https://reader031.vdocument.in/reader031/viewer/2022020217/555a283dd8b42ab3088b4bb5/html5/thumbnails/21.jpg)
Computer Security ManagementPage 21
Summary
Today we learned:
• Six basic types of harm
• A threat is a possible source of harm
• A threat exploits vulnerabilities in a system
• We need to satisfy our information security requirements
• Need to put controls in place to defend ourselves