This document summarizes a lecture on computer security threats and vulnerabilities. It defines harm, threats, and vulnerabilities, and outlines six basic types of harm: modification, destruction, disclosure, interception, interruption, and fabrication. It also discusses common vulnerabilities like password flaws, software bugs, and social engineering. Finally, it notes that defenses against threats aim to satisfy security requirements through encryption, software controls, and physical/hardware controls.
2. Last week …
• Computer security - protection of information related assets:
– Data
– Hardware
– Software
– People
– Intangible assets
• Information security requirements:
– Confidentiality
– Integrity
– Availability
Computer Security Management
Page 2
3. Remember definitions?
• Harm
– Something happens to an asset that we do not want to happen
• Threat
– Possible source of harm
• Attack
– Threatening event (instance of a threat)
• Attacker
– Someone or something that mounts a threat
• Vulnerability
– Weakness in the system (asset) that makes an attack more likely to successes
• Risk
– Possibility that a threat will affect the business or organisation
Computer Security Management
Page 3
5. Today ...
… we will discuss:
• Harm and threats
• Vulnerabilities
• Methods of defence
Computer Security Management
Page 5
6. Harm and threats
• Six basic types of harm:
– Modification
– Destruction
– Disclosure
– Interception
– Interruption
– Fabrication
• A threat is a possible source of harm
• Example: a virus formats the hard disk of a computer
• Threats exploit vulnerabilities of systems
Computer Security Management
Page 6
7. Modification
• Data held in a computer system is accessed in an unauthorised
manner and is changed without permission
• Somebody changes either values in a database or alters routines in
a computer programme to perform additional computations
• Modification can also occur when data is changed during
transmission
• Modification of data can also be caused by changing the hardware of
an information system
Computer Security Management
Page 7
8. Destruction
• Occurs when hardware, software, or data is destroyed because of
malicious intent
• Can not only happen to stored data, but also to data at the input
stage (before processing)
Computer Security Management
Page 8
9. Disclosure
• Takes place when data is made available or access to software is
made available without consent of the individual responsible for the
data or software
• Serious impact on security and privacy
• Responsibility for data and/or software is usually linked to a position
within an organisation
• Although disclosure of data can occur because of malicious intent, it
also happens many times because of lack of proper procedure within
an organisation
Computer Security Management
Page 9
10. Interception
• Occurs when an unauthorised person or software gains access to
data or computer resources
• May result in copying of programs or data
• An interceptor may use computing resources at one location to
access assets elsewhere
Computer Security Management
Page 10
11. Interruption
• Occurs when a computer resource becomes unavailable for use
• Might be a consequence of malicious damage of computing
hardware, erasure of software, or malfunctioning of an operating
system
• Example: Denial of Service (DoS) attacks
Computer Security Management
Page 11
12. Fabrication
• Occurs when spurious transactions are inserted into a network or
records are added to an existing database
Computer Security Management
Page 12
13. Information security requirements
• Confidentiality
– Protecting sensitive information from unauthorised disclosure or intelligible
interception
• Integrity
– Safeguarding the accuracy and completeness of information (and software)
• Availability
– Ensuring that information (and vital services) are available to users when
required
• Authentication
– Ensuring that information is from the source it claims to be from
• Non repudiation
– Prevents an entity from denying having performed a particular action related to
data
Computer Security Management
Page 13
14. Vulnerabilities
• Weaknesses in a system
• Might arise from:
– Poor design
– Poor implementation
– technological advances
• Examples:
– Password management flaws
– Fundamental operating system design flaws
– Software bugs
– Unchecked user input
– Social engineering
– Etc.
Computer Security Management
Page 14
15. Password management flaws
• Using of weak passwords that could be discovered by brute force
• Passwords are stored on the computer where a program can access
it
• Users re-use passwords between many programs and websites
• System administrator uses factory-set default passwords
• Etc.
Computer Security Management
Page 15
16. Fundamental operating system design flaws
• Operating system designer implements unsuitable policies on user
and/or program management
• Example: operating system grants every program and every user
full access to the entire computer
• Such an operating system flaw allows viruses and malware to
execute commands on behalf of the administrator
Computer Security Management
Page 16
17. Software bugs
• The programmer leaves an exploitable bug in a software program
• The software bug may allow an attacker to misuse an application
through (for example) bypassing access control checks or executing
commands on the system hosting the application
• Examples:
– Buffer overflows
– Dangling pointers
Computer Security Management
Page 17
18. Unchecked user input
• A program assumes that all user input is safe
• Consequence: the programs does not check validity user input
• Can allow unintended direct execution of commands or SQL
statements
• Examples
– Buffer overflows
– SQL injection
Computer Security Management
Page 18
19. Social engineering
• Based on specific attributes of human decision-making known as
cognitive biases
• These biases, sometimes called "bugs in the human hardware," are
exploited in various combinations to create criminal attack
techniques
• Examples:
– Pretexting
– Phishing
– Baiting
– Etc.
• “ … I could often get passwords and other pieces of sensitive
information by pretending to be someone else and just asking for
it.” (Kevin Mitnick, The Art of Deception, 2002)
Computer Security Management
Page 19
20. Methods of defence
• Protecting a technical system: establish controls that satisfy our
information security requirements
• Dhillon lists three main methods of defence:
– Encryption
– Software controls
– Physical and hardware controls
• More on these methods in the coming lectures …
Computer Security Management
Page 20
21. Summary
Today we learned:
• Six basic types of harm
• A threat is a possible source of harm
• A threat exploits vulnerabilities in a system
• We need to satisfy our information security requirements
• Need to put controls in place to defend ourselves
Computer Security Management
Page 21