Information Assurance and Security

concepts

Introduction Goals

Threats

By
Dr. Nora Shoaip
Lecture1

Damanhour University
Faculty of Computers & Information Sciences
Department of Information Systems

2024 - 2025
 computer security
• Basic Security Goals
• Threats vs Vulnerability
 What is computer security ?
NIST is the National
The NIST Computer Security Handbook [NIST95] defines the Institute of Standards and
term computer security as: Technology at the U.S.
Department of
Commerce.
“ The protection afforded to an automated information The NIST Cybersecurity
system in order to attain the applicable objectives of Framework helps
preserving the integrity, availability, and confidentiality of businesses of all sizes
information system resources (includes hardware, software, better understand,
firmware, information/ data, and telecommunications)." manage, and reduce their
cybersecurity risk and
protect their networks
and data.

3
Assets of Computer System

+ Peopleware

4
Basic Security Goals

5
Confidentiality
 Definition: is concealment of information or resources.
 The need of keeping the information confident depends on the sensitivity of the
information.
E.g. Military information vs. industrial information vs. personal information.
 Achieving higher confidentiality is supported by:
 Access Control: Ensures only authorized personnel have access to the
information.
 Cryptography: When unauthorized access occurred, information is
meaningless.

6
Integrity

Definition: Trust worthiness of the data or resource. Prevent improper or

unauthorized change.

 Integrity includes:
o Data integrity: Content of the data.
o Origin integrity : Source of the data using authentication.
 Integrity Mechanism falls into two classes:
o Prevention: Blocking unauthorized attempt to modify data.
o Detection: Report when unauthorized modification occurs.

Evaluating integrity is hard because some attempts seems legit.

7
 Availability
Definition: Ensures that authorized access to data
when desired.
Attempt to block service ( System down) or make
the service unavailable is called Denial of service
attack (DoS).

8
Continue security Goals
Availability (Vs denial of service) access to computing resources
without difficulties.
 Expectations of availability:
 Presence of object or service in usable form
 Capacity to meet service needs
 Progress : Bounded waiting time
 Adequate time/ timeliness of service
 The Goals of availability:
 Timely response
 Fair allocation
 Fault tolerance
 Usability (can be used as intended)
 Controlled concurrency (support of simultaneous access, deadlock management)

9
Threats vs Vulnerability
 Threats : A loss or harm that might be fall a system , e.g., users’ personal
files may be revealed to the public

 Vulnerability: it refers to a weakness in the computer system (i,e; policy,

design, implementation, or procedure) that can be exploited to cause
harm or loss

 There are four major categories of threats:

 Interception
 Interruption
 Modification
 Fabrication

10
Actions of threats

11
Threats to the security of a computing system
 Interruption: an asset of the system becomes lost, unavailable or unusable
(example: Destruction of hardware, erasure of program or data or malfunction of
an OS file manager .

 Interception: means that some unauthorized party (person, program) has gain
access to an asset (example: illicit copying of program or data files, or
wiretapping to obtain data in a network.)

 Modification: Example( changing the values in a database modifying a program so that

it performs an additional computation, or modifying data being transmitted by the
network).

 Fabrication : counterfeit objects on a computing system. (adding records to an existing

data base or insertion of spurious transactions to a network communication system.

12
Threats to the security of a computing system
 Threats to hardware: (Usually The concern of a small staff of computer
center professionals)
 Involuntary( water, food, burned, gas ,dust, slap, punch)
 Voluntary: in which some actually wishes to do harm to the computer (bombs ,fires, ,theft, shorting
out circuit boards)
 Threats of software( the concern of all programmers and analysts who
create and modify programs)
 Software deletion.
 Software theft.
 Software modification (either to cause the program fails during execution or fails in some special
circumstances( logic bomb) or to cause it to do some unintended task.

13
Threats to the security of a computing system
• The category of software modification include:
◦ Trojan horse- a program that overtly does one thing while covertly doing
another
◦ Virus – a specific type of Trojan horse, that can be used to spread infection
from one computer to another.
◦ Trapdoor- a program that has a secret entry point.
◦ Information leaks –in a program which make information accessible to
unintended people or programs.

14
Threats to the security of a computing system
 Threats of data( the concern of general public, so data attack is a more
widespread and serious problem than either hardware or software ) examples:
 Confidential data leaked to a competitor may narrow a competitive edge.
 Data incorrectly modified can cost human lives

 The qualities of data security;

 Confidentiality – (preventing unauthorized disclosure ): data can be gathered by tapping wires planting
bugs in output devices, from trashes, monitoring electromagnetic radiation, bribing key employees,
inferring on data point from other values.
 Data integrity –(preventing unauthorized modification) modifying or making a new data requires
understanding the technology by which data stored transmitted and it’s format ,and this might be done by
using malicious programs Example( salami attack)
 Availability (preventing denial of authorized access)

15
 Other exposed assets

 Storage media –(effective security plans consider adequate backups of data and
physical protection for the media contains these backups.
 Networks – a collections of software, hardware , and data and this simply
multiply the problem of security.
 Access to computer equipment – (the intruder may steal computer time just
to do computing and he can destroy software or data and this may lead to the
denial of the service to a legitimate user .
 Key People – (if only one person knows how to use or maintain a particular
program –trouble can arise if he gets sick, has an accident or leaves ,
 disgruntled employees can cause serious damage
 Trusted individuals should be selected carefully

16
Threats to computer Networks

17
Defense of computer systems
• Software controls
• Hardware controls
• Physical controls
 Defense of computer systems

 Cryptography
Protecting data by making it unreadable to an attacker
 Authenticating users with digital signatures
 Authenticating transactions with cryptographic protocols
 Ensuring the integrity of stored data

19
 Software controls

 Passwords and other forms of access control

 Operating systems separate users’ actions from each other
 Virus scanners watch for some kinds of malware
 Development controls enforce quality measures on the
original source code
 Personal firewalls that run on your desktop

20
 Hardware controls

 Not usually protection of the hardware itself, but rather using

separate hardware to protect the system as a whole
 Fingerprint readers
 Smart tokens
 Firewalls
 Intrusion detection systems

21
 Physical controls
 Protection of the hardware itself, as well as physical access
to the console, storage media, etc.
 Locks
 Guards
 Off-site backupsPolicies and procedures
 Non-technical means can be used to protect against some
classes of attack
 Rules about changing passwords
 Training in best security practices

22
 Methods of defense
 countermeasures that attempt to prevent exploitation of the vulnerability of
computing system.
 Encryption :Transforming data so that it is unintelligible to the outside observer, the most powerful
tool in providing computer security and it provides confidentiality , integrity furthermore
encryption is the basic of some protocols which insure availability of resources.
 Software controls: Programs must be secure to exclude outside attack and they must be
maintained so that one can be confident of the dependability of them. Software controls may use
tools such as hardware, encryption, or information gathering
 Program controls include the following:
 Internal program controls: parts of the program that enforce security restriction such
as access limitation in a data base management system .
 OS Controls: limitations enforced By the OS to protect each user from other users
 Development controls: Quality standards under which program is designed , coded,
tested und maintained
23
 Methods of defense
 Hardware controls (hardware or smartcard implementation of encryption to
locks limitation access, to theft protection, to circuit boards that control access
to disk drivers in PCs.)
 Polices examples:
 Frequent changing passwords
 Legal controls
 Ethical controls
 Training and administration
 Physical controls: include (locks on doors, guards at entry points, backup copies
of important software and data and physical site planning that reduces the risk
of natural disasters

24
To achieve Goals of Security

25
factors that affect the effectiveness of controls

 Awareness of problem (people using controls must be convinced of the

need for security)
 Likelihood of use (no control is effective until it is used)
 Overlapping controls (several different controls may be used)
 Periodic review ( continuous efforts to improve the methods of defense
)

26
 Policy and Mechanism
 Security Policy: is the statement of what is, and what is not allowed.
Policy can be presented in mathematical form.
 Example: Binary matrices of what is allowed and what is not.
 Usually policies are written in English language.
 Security Mechanism: is the method or tool or procedure for enforcing a
security policy.
 Mechanism can be nontechnical.
 Example: Presenting your ID (Physically) to change your bank phone number.
 Mechanism Can be Technical.

 Example: You must change your password every 6 months.

27
 Operational issues
It is a trade off between cost, implementation and mechanism verses policy and mechanism .
 Cost-Benefit Analysis:
 The total cost of the system determines how much many to invest in
security.
 If data cost less than the cost of protecting it, then investing in security
mechanism is cost- effective.
 Risk analysis:
 Risk is a function of environment : Attacker from overseas can not attack an offline
system.
 Risk changes with time: Amazon down-time during Christmas is catastrophic.
 Risk is remote but still exist: companies allow internet access to some computers not
all. Because it is acceptable to some.

28