CSIT 561 - Computer Security
Module 1
Introduction
Bharath K. Samanthula
Department of Computer Science
Montclair State University
Outline
Motivation & Definition
C-I-A Triad
Access Control Terminology
Threats, Vulnerabilities, Attacks
Controls
Need for Computer Security
We are living in an interconnected, digitalized world
Computer Systems and Networks are vulnerable to
different kinds of attacks
Many companies spend a lot of resources to counter
security attacks (according to Gartner [1], worldwide
spending on security is estimated to be $188.3 billion in
2023)
Interesting Questions:
How do users communicate online securely?
What countermeasures need to be taken to secure
applications or networks?
[1] https://www.gartner.com/en/newsroom/press-releases/2022-10-13-gartner-identifies-three-factors-influencing-growth-i
Evolution of Computer Security
Dates back to 1988 - Worm, a software program that
affected approximately 5,000 computers
At that time, the Worm didn’t affect the daily lives of
humans
After the 9/11 (2001) terrorist attack, the security of many aspects
of society drew renewed scrutiny
Security of computers and their interconnecting networks
is one of the top aspects
Attack Scenario 1: Example
In Feb 2013, residents of Great Falls, Montana received a
strange broadcast message on their TVs “Civil authorities
in your area have reported that the bodies of the dead are
rising from the grave and attacking the living” that sounded
authentic.
What would you have done?
Attack Scenario 2: Example
In 2023, two former Tesla (TSLA) employees were behind
a data breach that compromised personal information of
more than 75,000 people including staff, the electric
carmaker said in a legal disclosure.
Shared the confidential data with German newspaper
Handelsblatt.
What would you expect the media outlet to do?
Cyber Threat Map
https://threatmap.checkpoint.com/
https://cybermap.kaspersky.com/
Recent Cyber Attacks
Growing cyber attacks
Snowden leaks information about various NSA data
collection programs (phone call records, etc.)
Target - theft of 40 million credit card accounts (spent $240
million to replace customers’ cards)
Anthem - around 80 million customer records have been
compromised
Facebook CEO’s page hacked by Palestinian Khalil
Shreateh to demonstrate bugs in Facebook
Equifax and WannaCry ransomware attacks
... Capital One breach (compromised 100 million
customers’ data)
Hollywood’s Take on Computer Security
Source: Cryptography and Network Security, Behrouz Forouzan
What does computer security mean?
Computer security deals with (textbook):
Protection of the items you value, called the assets of
a computer or computer system
Assets can be hardware, software, data, people,
processes or combinations of these
Identify the assets to protect and determine their
value
NIST Definition
Vulnerability-Threat-Control Paradigm
Vulnerability: A weakness in the system
Example: a system that doesn’t verify a user’s identity
before logon is vulnerable to unauthorized or illegal
data access
Threat: A set of circumstances that has the potential to
cause loss or harm
Control: A countermeasure that prevents threats from
exercising vulnerabilities
Why should you provide Computer Security?
We need to have proper security mechanisms in place to avoid
Financial losses
Physical attacks
Loss of credibility
Legal issues - Most government regulations (e.g., HIPAA
and US Patriot Act) require you to protect customers’ data
Basic Security Components - CIA Triad
Confidentiality
Objectives
Keeping data and resources hidden
Data, whether at rest or being transmitted, need to remain
confidential
Often related to privacy
How this is achieved
Data confidentiality is typically achieved by encrypting the
data (more on this later)
Example: user passwords and biometric data need to be
protected from other users/attackers
Confidentiality: Example
An unauthorized person learns the existence of a piece of data
(e.g., knowing that talks are underway about the merger of two
companies)
Is this a failure of data confidentiality?
Integrity
Objectives
Maintain the accuracy and trustworthiness of data
Includes data integrity and origin integrity (authentication)
Data integrity: Data at rest or in transit should not be
changed by unauthorized people (e.g., in the case of
hacking)
How this is achieved
Use cryptographic techniques (such as digital signatures)
Example: when accessing your bank account details, how
can the user ensure that his/her account information is
accurate and trustworthy?
Key question: Can the user authenticate him/herself to the
server without revealing his/her identity?
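The integrity goals above, as an added example that is not part of the original slides: a Python sketch that uses an HMAC-SHA256 tag (a shared-key technique standing in for the digital signatures the slide names, since Python's standard library has no signature primitive) to detect a changed balance and a message from a sender who lacks the key. The account record, keys and function names are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets


def protect(record, key):
    """Serialize the record deterministically and compute an HMAC-SHA256 tag over it."""
    body = json.dumps(record, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body, tag


def verify(body, tag, key):
    """Return the parsed record only if the tag matches; otherwise return None."""
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # compare_digest runs in constant time, so the check does not leak
    # how many leading bytes of a guessed tag were correct.
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


def demo():
    # Constructed key shared by the bank server and the legitimate client.
    key = secrets.token_bytes(32)
    record = {"account": "ACCT-0001", "balance": 1250}  # constructed sample data
    body, tag = protect(record, key)

    results = {}
    # 1. Untouched message: the tag verifies and the record is accepted.
    results["untouched"] = verify(body, tag, key)

    # 2. Data integrity: the balance is changed in transit, the old tag no longer matches.
    tampered = body.replace(b"1250", b"9250")
    results["modified"] = verify(tampered, tag, key)

    # 3. Origin integrity: a sender without the shared key tags a message with
    #    a key of their own; the receiver's key does not reproduce that tag.
    outsider_key = secrets.token_bytes(32)
    forged_body, forged_tag = protect({"account": "ACCT-0001", "balance": 0}, outsider_key)
    results["forged"] = verify(forged_body, forged_tag, key)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", "accepted" if outcome is not None else "rejected")
```

Because both parties hold the same key, an HMAC tag cannot show a third party which of them produced a message; a digital signature made with a private key is what provides that property.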
Availability
Availability - the ability to use the information or resource
desired
A system that is unavailable is at least as bad as no
system at all
Denial of Service (DoS) Attacks: an attempt to make a
machine/data/resource unavailable to intended users
Additional Concepts
ISO 7498-2 adds two more properties that are desirable to
communication networks:
Authenticity: The ability of a system to confirm the identity
of a sender
Accountability or Nonrepudiation: The ability of a system
to confirm that a sender cannot convincingly deny having
sent the message
U.S. Department of Defense adds Auditability to extend security
Auditability: The ability of a system to trace all actions
related to a given asset
C-I-A Together
Computer Security seeks to prevent unauthorized viewing
(confidentiality) or modification (integrity) of data while
preserving access (availability)
Access Control
©2015 Pearson Education, Inc. All rights reserved.
Security Issues
Vulnerability: weakness in the security system (at
hardware, software, data levels)
Threat: a set of circumstances that lead to violation of
system security
Key Question: What is more important for cybersecurity
professionals to focus on, threats or vulnerabilities?
Threats
Caused by both human and other sources, such as natural
disasters, loss of electrical power, failure of processor chip,
etc.
Either benign or malicious
Targeted or random
Four Common Threats
Interruption
Interception
Modification
Fabrication
Interruption
©2017 Pearson Education, Inc., Hoboken, NJ.
Interception
Modification
Fabrication
Types of Threats
Advanced Persistent Threat (APT)
Organized
Directed
Well-financed
Patient
Silent
Example: A series of attacks in 2012 and 2013, organized
and supported by the Chinese government, obtained
product designs from aerospace companies in the US.
https://www.crowdstrike.com/cybersecurity-101/advanced-persistent-threat-apt/
Types of Attackers
Computer Security vs. Terrorism
Terrorists use computers in four ways:
Computer as target of attack: DoS attacks and website
defacements. Example - A massive DoS attack launched
against the country of Estonia in 2007
Computer as method of attack: malicious code used to
attack systems
Computer as enabler of attack: Website, web logs, emails
provide inexpensive way for coordination among terrorists.
Example - Terrorists in Mumbai attack (2008) used GPS,
Blackberries and Google Earth to execute their plan
Computer as enhancer of attack: Using the Internet for
terrorists to spread propaganda and recruit agents.
Example - FBI arrested Colleen LaRose, known as
JihadJane, in Oct 2009 after she spent months using
electronic tools to recruit radicals in Europe and South
Asia.
Method-Opportunity-Motive
A malicious attacker must have three things to ensure success:
method, opportunity, and motive
Controls/Countermeasures
Physical Controls: stop or block an attack by using
something tangible, such as locks, human guards, fire
extinguishers, etc.
Procedural/Administrative Controls: laws, regulations,
copyrights, contracts, agreements, etc.
Technical Controls: Counter threats with technology, such
as passwords, network protocols, access control, etc.
Controls/Countermeasures
Different Types of Controls
Summary
Vulnerabilities are weaknesses in a system; threats exploit
those weaknesses; controls protect those weaknesses
from exploitation
Confidentiality, integrity, and availability are the three basic
security primitives
Different attackers pose different kinds of threats based on
their capabilities and motivations
Different controls address different threats; controls come
in many flavors and can exist at various points in the
system
Useful References
https://www.mcafee.com/blogs/enterprise/5-most-common-types-of-threats-you-need-to-know
Chapter 1, Security in Computing by Charles P. Pfleeger et
al., 5th Edition, Pearson, 2015.
https://www.techwalla.com/articles/the-difference-between-passive-active-attacks-on