Chapter-1

This document introduces the fundamentals of computer and network security, outlining key concepts such as security definitions, types of risks, and various security attacks. It emphasizes the importance of security policies and mechanisms, the roles of confidentiality, integrity, and availability, and identifies different types of attackers and vulnerabilities. The chapter aims to equip students with the knowledge to understand and implement effective security measures in their computing practices.

Uploaded by

ETHIOPIA
Chapter-1

Introduction to Computer and Network Security

12/23/2024 1
Outline

• What is Security?
• Why Security?
• Security Policy and Mechanism
• Security trend
• Sources and consequences of risks
• Types of Vulnerabilities
• Security criteria
• Security attack types
• Security services, mechanisms and model

Chapter Objectives

• At the end of this chapter, students will be able to understand:
  • The definition of security and why we have to study this field as computer engineering students
  • Types of risk in day-to-day computer and network activity
  • Different security attacks and how to defend yourself and the organization you are responsible for
  • Security criteria
  • Security services and mechanisms

What is Security?

• Most of computer science technology is concerned with achieving desired behavior.
• In some sense, security is concerned with preventing undesired behavior.
  • Different way of thinking!
• An enemy/opponent/hacker/adversary may be actively and maliciously trying to circumvent any protective measures you put in place.

What is Security?...

• Security: “The most secure computers are those not connected to the Internet and shielded from any interference”

What is Security?...

• Computer security is about provisions and policies adopted to protect information and property from theft, corruption, or natural disaster while allowing the information and property to remain accessible and productive to its intended users.
• Securing computers against intruders (e.g. hackers) and malicious software (e.g. viruses).

What is Security?...

• Network security, on the other hand, deals with provisions and policies adopted to prevent and monitor unauthorized access, misuse, modification, or denial of the computer network and network-accessible resources.
• Computer security: focuses on security aspects of systems in isolation
• Network security: focuses on security of data as it is transmitted between networked systems

Why Security?...

• Good Security Standards follow the “90 / 10” Rule:
  • 10% of security safeguards are technical and
  • 90% of security safeguards rely on the computer user (“YOU”) to adhere to good computing practices.

Why Security?...

• Example: The lock on the door is the 10%. You remembering to lock the lock, checking to see if the door is closed, ensuring others do not open the door, keeping control of the keys, etc. is the 90%.
• You need both parts for effective security.

Why Security?...

• What Does This Mean for Me?
• This means that everyone who uses a computer or mobile device needs to understand how to keep their computer, devices and data secure.
• Information Security is everyone’s responsibility and that is why we study computer and network security.

Computer security

Basic components (security objectives):

• Confidentiality
• Integrity
• Availability

[Figure: CIA triad (Confidentiality, Integrity, Availability)]

Confidentiality

• Confidentiality is the concealment of information or resources.
• The need for keeping information secret arises from the use of computers in sensitive fields such as government and industry.
• For example, military and civilian institutions in the government often restrict access to information to those who need that information.
• The first formal work in computer security was motivated by the military's attempt to implement controls to enforce a "need to know" principle.
• This principle also applies to industrial firms, which keep their proprietary designs secure lest their competitors try to steal the designs.

Confidentiality - Example

• Enciphering an income tax return will prevent anyone from reading it.
• If the owner needs to see the return, it must be deciphered.
• Only the possessor of the cryptographic key can enter it into a deciphering program.
• However, if someone else can read the key when it is entered into the program, the confidentiality of the tax return has been compromised.
• All the mechanisms that enforce confidentiality require supporting services from the system.
• The assumption is that the security services can rely on the kernel, and other agents, to supply correct data.

Integrity

• Trustworthiness of data or resources
• Mechanisms: Prevention vs. detection
  • Blocking unauthorized attempts to change data, or attempts to change data in unauthorized ways
  • The second is much harder…
• Correctness vs. trustworthiness of data

Integrity

• Integrity refers to the trustworthiness of data or resources, and it is usually phrased in terms of preventing improper or unauthorized change.
• Integrity includes data integrity (the content of the information) and origin integrity (the source of the data, often called authentication).
• The source of the information may bear on its accuracy and credibility and on the trust that people place in the information.

Integrity

• Prevention mechanisms seek to maintain the integrity of the data by blocking any unauthorized attempts to change the data or any attempts to change the data in unauthorized ways.
  • For example, suppose an accounting system is on a computer.
  • Someone breaks into the system and tries to modify the accounting data.
  • Then an unauthorized user has tried to violate the integrity of the accounting database. (Example: the 40/60 housing lottery program event in Addis Ababa.)
• Detection mechanisms do not try to prevent violations of integrity; they simply report that the data's integrity is no longer trustworthy.
  • Detection mechanisms may analyze system events (user or system actions) to detect problems or (more commonly) may analyze the data itself to see if required or expected constraints still hold.
  • The mechanisms may report the actual cause of the integrity violation (a specific part of a file was altered), or they may simply report that the file is now corrupt.

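Added example (not part of the original slides): a detection mechanism of the kind described above, which analyzes the data itself and reports which part of a file was altered. The record format, block size and function names are assumptions made for this illustration, and the sample ledger is constructed; SHA-256 is used as the digest rather than MD5, for which practical collisions are known.

```python
import hashlib

BLOCK_SIZE = 16  # assumption: one constructed record per 16-byte block

# Constructed sample data: three fixed-width accounting records.
LEDGER = b"1001:bal=000500\n1002:bal=000750\n1003:bal=000120\n"


def build_manifest(data: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Record the length and one SHA-256 digest per block of a trusted copy."""
    digests = [
        hashlib.sha256(data[i:i + block_size]).hexdigest()
        for i in range(0, len(data), block_size)
    ]
    return {"length": len(data), "block_size": block_size, "digests": digests}


def check_integrity(data: bytes, manifest: dict) -> dict:
    """Detection only: say whether data still matches the manifest and where
    it differs. Nothing here stops the change from being made."""
    current = build_manifest(data, manifest["block_size"])
    old, new = manifest["digests"], current["digests"]
    common = min(len(old), len(new))
    # Blocks present on both sides whose digest changed.
    altered = [i for i in range(common) if old[i] != new[i]]
    # Blocks that exist on only one side (data was truncated or appended to).
    altered += list(range(common, max(len(old), len(new))))
    length_changed = current["length"] != manifest["length"]
    return {
        "ok": not altered and not length_changed,
        "altered_blocks": altered,
        "length_changed": length_changed,
    }


if __name__ == "__main__":
    # The manifest must be stored where whoever can modify the data cannot
    # also rewrite it; otherwise data and digests can be changed together.
    manifest = build_manifest(LEDGER)
    tampered = LEDGER.replace(b"1002:bal=000750", b"1002:bal=900750")
    print(check_integrity(LEDGER, manifest))       # unchanged copy
    print(check_integrity(tampered, manifest))     # second record altered
    print(check_integrity(LEDGER[:32], manifest))  # last record removed
```

Reporting the block index corresponds to "a specific part of a file was altered"; checking only the `ok` field corresponds to simply reporting that the file is now corrupt.
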
Availability

• Ability to use the info or resource
• Denial of service attacks – attempts to block availability
• Denying access can lead to more serious attacks
  • E.g., if credit card verification is down

Availability

• Availability refers to the ability to use the information or resource desired.
• Availability is an important aspect of reliability as well as of system design because an unavailable system is at least as bad as no system at all.
• The aspect of availability that is relevant to security is that someone may deliberately arrange to deny access to data or to a service by making it unavailable.
• System designs usually assume a statistical model to analyze expected patterns of use, and mechanisms ensure availability when that statistical model holds.
• Someone may be able to manipulate use (or parameters that control use, such as network traffic) so that the assumptions of the statistical model are no longer valid.
• This means that the mechanisms for keeping the resource or data available

Threats

• A threat is a potential violation of security.
• The violation need not actually occur for there to be a threat. The fact that the violation might occur means that those actions that could cause it to occur must be guarded against (or prepared for).
• Those actions are called attacks. Those who execute such actions, or cause them to be executed, are called attackers.
• The three security services—confidentiality, integrity, and availability—counter threats to the security of a system.
• Common attacks can be categorized as:
  • Snooping, eavesdropping
  • Modification, alteration
  • Masquerading, spoofing
  • False repudiation/denial of receipt
  • Network delay, denial of service

Threats …

• Snooping: the unauthorized interception of information, is a form of disclosure.
  • It is passive, suggesting simply that some entity is listening to (or reading) communications or browsing through files or system information.
  • Wiretapping, or passive wiretapping, is a form of snooping in which a network is monitored. Confidentiality services counter this threat.
• Modification or alteration: an unauthorized change of information, covers three classes of threats.
  • The goal may be deception, in which some entity relies on the modified data to determine which action to take, or in which incorrect information is accepted as correct and is released.
  • If the modified data controls the operation of the system, the threats of disruption arise.
• Masquerading or spoofing: an impersonation of one entity by another, is a form of both deception and usurpation (take over).
  • It lures a victim into believing that the entity with which it is communicating is a different entity.

Security Policy and Mechanism

• A security policy is a statement of what is, and what is not, allowed.
  • often require some procedural mechanisms that technology cannot enforce
• A security mechanism is a method, tool, or procedure for enforcing a security policy.
  • can be nontechnical, such as requiring proof of identity before changing a password
• One is meaningless without the other…
• Problems when combining security policies of multiple organizations

Goals of security

• Given a security policy’s specification of “secure” and “nonsecure” actions, these security mechanisms can prevent the attack, detect the attack, or recover from the attack.
• Prevention – make attack fail, e.g. disconnecting a host to prevent an attack
  • Involves implementation of mechanisms that users cannot override and that are trusted to be implemented in a correct, unalterable way
  • Cumbersome, but simple mechanisms used like passwords

Goals of security

• Detection – used when an attack cannot be prevented
  • Detection mechanisms accept that an attack will occur; the goal is to determine that an attack is underway, or has occurred, and report it (monitor nature, severity, results)
  • Should give warning; e.g. when a password is entered 3 times
  • Drawback: does not prevent the system from being compromised
• Recovery – two forms:
  • stop an attack and assess and repair any damage caused by that attack
  • system continues to function correctly while an attack is underway; difficult to implement

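Added example (not part of the original slides): the detection goal above, a warning after a password is entered wrongly 3 times, run over authentication log lines. The log format, the 60-second window and all names are assumptions of this illustration, and the sample lines are constructed; the second alert kind shows the stated drawback, since the detector reports a login that succeeds after repeated failures but cannot stop it.

```python
import re
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not a real daemon's):
#   <ISO timestamp> user=<name> src=<address> result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

SAMPLE_LOG = """\
2024-12-23T10:00:01 user=alice src=192.0.2.5 result=FAIL
2024-12-23T10:00:05 user=bob src=192.0.2.9 result=FAIL
2024-12-23T10:00:09 user=alice src=192.0.2.5 result=FAIL
2024-12-23T10:00:12 user=bob src=192.0.2.9 result=OK
2024-12-23T10:00:15 user=alice src=192.0.2.5 result=FAIL
2024-12-23T10:00:40 user=alice src=192.0.2.5 result=OK
2024-12-23T10:05:00 user=carol src=192.0.2.7 result=FAIL
2024-12-23T10:07:00 user=carol src=192.0.2.7 result=FAIL
2024-12-23T10:09:00 user=carol src=192.0.2.7 result=FAIL
malformed entry
""".splitlines()


def detect_failed_logins(lines, threshold=3, window=timedelta(seconds=60)):
    """Return (line_number, kind, user) alerts for repeated password failures."""
    recent_failures = {}  # user -> timestamps of failures still inside the window
    open_alerts = set()   # users already reported, to avoid one alert per line
    alerts = []
    for number, line in enumerate(lines, start=1):
        match = LINE_RE.match(line.strip())
        if match is None:
            # Report what cannot be parsed instead of silently skipping it.
            alerts.append((number, "unparsed", None))
            continue
        when = datetime.fromisoformat(match["ts"])
        user = match["user"]
        if match["result"] == "FAIL":
            kept = [t for t in recent_failures.get(user, []) if when - t <= window]
            kept.append(when)
            recent_failures[user] = kept
            if len(kept) >= threshold and user not in open_alerts:
                open_alerts.add(user)
                alerts.append((number, "repeated_failures", user))
        else:
            if user in open_alerts:
                # Detection reports this; it does not prevent the login.
                alerts.append((number, "success_after_failures", user))
            recent_failures.pop(user, None)
            open_alerts.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_logins(SAMPLE_LOG):
        print(alert)
```
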
Security Trends

• In 1994, the Internet Architecture Board (IAB) issued a report entitled "Security in the Internet Architecture" (Request for Comments/RFC 1636).
• The report stated the general consensus that the Internet needs more and better security, and it identified key areas for security mechanisms.

Security Trends…

• Among these were:
  • the need to secure the network infrastructure from unauthorized monitoring and control of network traffic and
  • the need to secure end-user-to-end-user traffic using authentication and encryption mechanisms.

Security Trends…

• Internet-related vulnerabilities over a 10-year period. These include:
  • Security weaknesses in the OS of attached computers (e.g., Windows, Linux) as well as
  • Vulnerabilities in Internet routers and other network devices.

Who are the attackers?

• In computers and computer networks, an attacker is the individual or organization who performs malicious activities to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset.
• Attackers use every tool and technique they can to attack us and gain unauthorized access.

Who are the attackers?...

• Basically, there are four main types of attackers:

Who are the attackers?...

1. Cyber Criminals

• Cybercriminals are individuals or groups of people who use technology to commit cybercrime with the intention of stealing sensitive company information or personal data and generating profits.
• Today, they are the most prominent and most active type of attacker.

Who are the attackers?...

2. Hacktivists

• Hacktivists are individuals or groups of hackers who carry out malicious activity to promote a political agenda, religious belief, or social ideology.
• They are not like cybercriminals who hack computer networks to steal data for cash.
• They see themselves as fighting injustice.

Who are the attackers?...

3. State-sponsored Attacker

• These attackers have particular objectives aligned with either the political, commercial or military interests of their country of origin.
• The government organizations have highly skilled hackers and specialize in detecting vulnerabilities and exploiting these before the holes are patched. It is very difficult to defeat these attackers due to the vast resources they use.

Who are the attackers?...

4. Insider Threats

• The insider threat is a threat to an organization's security or data that comes from within.
• These types of threats usually occur from employees or former employees, but may also arise from third parties, including contractors, temporary workers, employees or customers.

Who are the attackers?...

4. Insider Threats

• Insider threats can be categorized into three:

Who are the attackers?...

4.1. Malicious

• Malicious threats are attempts by an insider to access and potentially harm an organization's data, systems or IT infrastructure.
• These insider threats are often attributed to dissatisfied employees or ex-employees who believe that the organization was doing something wrong with them in some way, and they feel justified in seeking revenge.

Who are the attackers?...

4.2. Accidental

• Accidental threats are threats which are accidentally caused by insider employees.
• In this type of threat, an employee might accidentally delete an important file or inadvertently share confidential data with a business partner, going beyond the company’s policy or legal requirements.

Who are the attackers?...

4.3. Negligent

• These are the threats in which employees try to avoid the policies an organization has put in place to protect endpoints and valuable data.
• For example, if the organization has strict policies for external file sharing, employees might try to share work on public cloud applications so that they can work at home.
• Note: In addition to the above-mentioned attackers, it should be noted that Natural disasters: flooding, fire,

What are the vulnerabilities?

• Physical vulnerabilities (e.g. computer can be stolen)
• Natural vulnerabilities (e.g. earthquake)
• Hardware and Software vulnerabilities (e.g. failures)
• Media vulnerabilities (e.g. hard disks can be stolen)
• Communication vulnerabilities (e.g. wires can be tapped)
• Human vulnerabilities (e.g. insiders)

What are the vulnerabilities?...

• Poorly chosen passwords
• Software bugs (non-reliability of software)
• Automatically running active content: ActiveX, scripts, Java programs (applet)
• Open ports
• Incorrect configuration
• File permissions
• Administrative privileges

What are the vulnerabilities?...

• Untrained users/system administrators
• Trap doors (intentional security holes)
• Unencrypted communication
• Limited Resources (i.e. TCP connections)

What are the consequences?

• Failure/End of service
• Reduction of Quality of Service (QoS), down to Denial of Service (DoS).
• Internal problems in the enterprise
• Trust decrease from partners (client, providers, shareholders)
• Technology leakage
• Human consequences (personal data, sensitive data - medical, insurances, …)

Next:
• Security criteria
• Attack types and measures
• Services
• Mechanisms
• models
Security Criteria

• Security Evaluation Criteria are usually presented as a set of parameter thresholds that must be met for a system to be evaluated and deemed acceptable.
• These criteria are established based on a Threat Assessment to establish the extent of the data sensitivity, the security policy, and the system characteristics.

Security Criteria

• Security is expressed in terms of:
  • Availability
  • Integrity
  • Confidentiality
  • Authentication
• Note: Authentication is a foundation of security. In its absence, all security properties can be violated.

Security Criteria…

1. Availability

• It requires that computer and network assets are only available to authorized parties.
• Computer and network should provide all the designated services in the presence of all kinds of security attack.

Security Criteria…

2. Integrity

• It requires that messages should be modified or altered only by authorized parties.
• Modification includes writing, changing, deleting, and creating the message that is supposed to be transmitted across the network.
• Integrity guarantees that no modification, addition, or deletion is done to the message.

Security Criteria…

3. Confidentiality

• It requires that the message can only be accessible for reading by authorized parties.
• It also requires that the system should verify the identity of a user.

4. Authentication

• It means that correct identity is known to communicating parties.

Security Attack Types

• Categories of Attacks
  • Interruption: An attack on Availability
  • Modification: An attack on Integrity
  • Interception: An attack on Confidentiality
  • Fabrication: An attack on Authenticity

Security Attack Types…

• Attacks…

[Figure: normal flow of information from Source to Destination, and the four attacks on it: Interruption, Interception, Modification, Fabrication]

Security Attack Types…

• The attacks can also be classified by the following criteria:
  • Passive or active,
  • Internal or external,
  • At different TCP/IP protocol Layers

Security Attack Types…

1. Passive vs. Active attacks

• A passive attack is a network attack in which a system is monitored and sometimes scanned for open ports and vulnerabilities.
• The purpose of a passive attack is to gain information about the system being targeted; it does not involve any direct action on the target.
• These kinds of attacks attempt to learn or make use of the information without changing the content of the message and

Security Attack Types…

1. Passive vs. Active attacks

• Passive attacks include active reconnaissance and passive reconnaissance.
• In a computer security context, reconnaissance is the act of exploring a system or network in order to gather information before conducting a full attack.
• Example: traffic analysis and monitoring, eavesdropping

Security Attack Types…

1. Passive vs. active attacks…

• Passive attacks do not affect system resources and they are very difficult to detect because:
  • Message transmission apparently normal
  • No alteration of the data
• Emphasis on prevention rather than detection
  • By means of encryption

Security Attack Types…

1. Passive vs. active attacks…

• Active attack attempts to interrupt, modify, delete, or fabricate messages or information thereby disrupting normal operation of the network.
• Some examples of active attacks include: jamming, impersonating, modification, denial of service (DoS).
• Difficult to prevent. The goal is to detect and recover.

Security Attack Types…

2. Internal vs. External attacks

• External attacks are carried out by hosts that don’t belong to the network domain; sometimes they are called outsiders.
  • E.g. it can cause congestion by sending false routing information, thereby causing unavailability of services.
• In case of internal attack, the malicious node from the network gains unauthorized access and acts as a genuine node and disrupts the normal operation of nodes. They

Security Attack Types…

3. Attacks at different TCP/IP protocol Layers

Common security attacks and their countermeasures

• Finding a way into the network
  • Firewalls
• Exploiting software bugs, buffer overflows
  • Intrusion Detection Systems
• Denial of Service
  • Access filtering, IDS
• TCP hijacking
  • IPSec

Common security attacks and their countermeasures…

• Packet sniffing
  • Encryption (SSL, HTTPS)
• Social problems
  • Education

Security Services

• X.800:
  • “a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers”
• RFC 2828:
  • “a processing or communication service provided by a system to give a specific kind of protection to system resources”

Security Services (X.800)…

• Authentication - assures that communicating entity is the one claimed.
• Access Control - prevention of the unauthorized use of a resource.
• Data Confidentiality - protection of data from unauthorized disclosure.
• Data Integrity - assurance that data received is as sent by an authorized entity.
• Non-Repudiation - protection against denial by one of the parties in a communication.

Security Mechanism

• Security mechanisms are features designed to detect, prevent, or recover from a security attack.
• There is no single mechanism that will support all services required.
• However, one particular element underlies many of the security mechanisms in use.
• Hence cryptographic techniques will be our focus in this course.

Security Mechanism (X.800)

• Specific security mechanisms:
  • Ciphering/deciphering, digital signatures, data integrity, authentication exchange, routing control, …
  • Firewall, proxy server
  • Access control, Intrusion detection system

Security Model

• A Network Security Model exhibits how the security service has been designed over the network to prevent the opponent from causing a threat to the confidentiality or authenticity of the information that is being transmitted through the network.
• Any security service would have the three components discussed below:

Security Model

• 1. Transformation of the information which has to be sent to the receiver, so that any opponent present at the information channel is unable to read the message.
  • This indicates the encryption of the message.
  • It also includes the addition of code during the transformation of the information which will be used in verifying the identity of the authentic receiver.

Security Model

• 2. Sharing of the secret information between sender and receiver of which the opponent must not get any clue.
  • Yes, we are talking of the encryption key which is used during the encryption of the message at the sender’s end and also during the decryption of the message at the receiver’s end.

Security Model

• 3. There must be a trusted third party which will distribute the secret information to both sender and receiver.
  • While designing the network security model, the designer must also concentrate on developing the methods to distribute the key to the sender and receiver.
  • An appropriate methodology must be used to deliver the secret information to the communicating parties without the interference of the opponent.

Security Model

• Model for Network Security

Dimensions

1. Access Control Security Dimension

• The Access Control Security Dimension ensures that only authorized personnel or devices are allowed access to network elements, stored information, information flows, services and applications.
• In addition, Role-Based Access Control (RBAC) provides different access levels to guarantee that individuals and devices can only gain access to and perform operations on network elements, stored information, and information flows that they are authorized for.

Dimensions

2. Authentication Security Dimension

• The Authentication Security Dimension serves to confirm the identities of communicating entities.
• Authentication ensures the validity of the claimed identities of the entities participating in communication (e.g. person, device, service or application) and provides assurance that an entity is not attempting a masquerade or unauthorized replay of a previous communication.
• Examples: shared secret key, digital signature, digital certificate

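Added example (not part of the original slides): the Security Model's shared secret and the "code" added during transformation, together with the Authentication dimension's protection against masquerade and replay, shown as both sides of an exchange. The frame layout, counter scheme and names are assumptions of this illustration; it uses HMAC-SHA256 from Python's standard library, assumes the key was already distributed to both parties, and covers authentication only (the message is not encrypted).

```python
import hashlib
import hmac
import struct

TAG_LEN = hashlib.sha256().digest_size  # 32-byte authentication tag


def protect(key: bytes, counter: int, payload: bytes) -> bytes:
    """Sender side: frame = 8-byte counter || payload || HMAC-SHA256 tag."""
    header = struct.pack(">Q", counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Receiver side: holds the shared key and the highest counter accepted."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0  # senders start counting at 1

    def accept(self, frame: bytes):
        if len(frame) < 8 + TAG_LEN:
            return ("reject", "too_short")
        header, payload, tag = frame[:8], frame[8:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Verify the tag (constant-time) before trusting any field in the frame.
        if not hmac.compare_digest(tag, expected):
            return ("reject", "bad_tag")
        (counter,) = struct.unpack(">Q", header)
        # A valid tag on an old counter is a replay of a previous message.
        if counter <= self.last_counter:
            return ("reject", "replay")
        self.last_counter = counter
        return ("accept", payload)


def run_exchange():
    """Constructed exchange: genuine, replayed, modified and fabricated frames."""
    shared_key = bytes(range(32))   # constructed key known to both parties
    opponent_key = bytes(32)        # constructed key of a party outside the exchange
    receiver = Receiver(shared_key)
    first = protect(shared_key, 1, b"transfer 100 to account 1002")
    second = protect(shared_key, 2, b"transfer 250 to account 1003")
    modified = bytearray(second)
    modified[12] ^= 0x01            # one bit changed inside the payload
    fabricated = protect(opponent_key, 3, b"transfer 999 to account 1004")
    return [
        receiver.accept(first),            # genuine
        receiver.accept(first),            # replay of a genuine frame
        receiver.accept(bytes(modified)),  # modification in transit
        receiver.accept(fabricated),       # fabrication without the shared key
        receiver.accept(second),           # genuine, still accepted afterwards
        receiver.accept(b"short"),         # malformed frame
    ]


if __name__ == "__main__":
    for outcome in run_exchange():
        print(outcome)
```
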
Dimensions

3. Non-repudiation Security Dimension

• The Non-repudiation Security Dimension provides assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the information.
• It ensures the availability of evidence that can be presented to a third party and used to prove that some kind of event or action has taken place.
• Example: Digital Signature

Dimensions

4. Data Confidentiality Security Dimension

• The Data Confidentiality Security Dimension protects data from unauthorized disclosure.
• Data Confidentiality ensures that the data content cannot be understood by unauthorized entities.
• Example: Encryption, access control lists, and file permissions are methods often used to provide data confidentiality.

Dimensions

5. Communication Security Dimension

• The Communication Security Dimension ensures that information flows only between the authorized end points (the information is not diverted or intercepted as it flows between these end points).
• It ensures that information flows from source to destination.
• Examples: Virtual Private Network (VPN), Multiprotocol Label Switching (MPLS)
  • VPN describes the opportunity to establish a protected network connection when using public networks.

Dimensions

6. Data Integrity Security Dimension

• The Data Integrity Security Dimension ensures the correctness or accuracy of data.
• The data is protected against unauthorized modification, deletion, creation, and replication and provides an indication of these unauthorized activities.
• Examples: MD5, digital signature, anti-virus software
  • MD5 (Message Digest Algorithm) is a cryptographic protocol used for authenticating messages as well as content verification

Dimensions

7. Availability Security Dimension

• The Availability Security Dimension ensures that there is no denial of authorized access to network elements, stored information, information flows, services and applications due to events impacting the network.
• Disaster recovery solutions are included in this category.
• Examples: IDS/IPS, network redundancy.
• Network redundancy is the process of providing multiple paths for traffic, so that data can keep flowing even in the event of a failure.

Dimensions

8. Privacy Security Dimension

• The Privacy Security Dimension provides for the protection of information that might be derived from the observation of network activities.
• It ensures that identification and network use is kept private.
• Examples of this information include web-sites that a user has visited, a user's geographic location, and the IP addresses and DNS names of devices in a Service Provider network.
• Examples: Network Address Translator (NAT), encryption
  • NAT: It's a way to map multiple local private addresses to a public one before transferring the information so that the private addresses will

Thank You