Computer Security
Lecture 1
Introduction
Slide 1
Consultation
By Email Appointment only
About Me
CQBR4008
Faculty of Computing and Informatics
Multimedia University
Cyberjaya 63100 Selangor
Tel: +603-83125235
Email: ian@mmu.edu.my
Research Interest
Big Data
Data marshalling
Parallel and distributed computing
Operating systems
Networks
File transfers across wide area networks
Security
One time passwords
Online trust management
Mobile security
Slide 2
Subject Grading
TSC2211
Quiz 2 x 5% (10%)
Mid-Term 20%
Lectures 1-7*, date/time/venue to be arranged.
Assignment 10%
To be announced around
Week 3 or 4
Final Exams
Structured/Essay 60%
6 questions (6 x 10 marks)
TSN3251
Quiz 2 x 7.5% (15%)
Mid-Term 20%
Lectures 1-7*, date/time/venue to be arranged.
Assignment 15%
To be announced around
Week 4
Final Exams
Structured/Essay 50%
5 questions (5 x 20 marks)*
Slide 3
Lectures
MMLS lecture slides are insufficient; you will need to read the textbook and do
your own reading from other sources.
Laboratories
Print and read the laboratory sheet, and work on it the night before and in the laboratory.
No demonstrations in the laboratory but you can ask questions.
The laboratory sheets are not a step-by-step guide and will have fewer
instructions as we progress. You are expected to learn on your own BUT you
should ask questions during laboratory sessions if you are unsure.
The exercises are practical, and you are encouraged to work in small groups of not more
than 4.
Quizzes, Mid-Terms
Estimated Week 5 & 12 for Quizzes and Week 8 for Mid-Terms. Please do
check with me as we go along as these dates are tentative.
Slide 4
DATE  TOPICS
27/06/2016  Introduction
04/07/2016  Elementary Cryptography I
11/07/2016  Elementary Cryptography II
18/07/2016  Symmetric Cryptography
25/07/2016  Asymmetric Cryptography I
01/08/2015  Asymmetric Cryptography II
08/08/2015
15/08/2015  Program Security
22/08/2015  Database Security
10  29/08/2015
11  05/09/2016
12  12/09/2016
13  19/09/2016
14  26/09/2016  Security Administration
REMARKS
No Labs due to Eidul Fitri. Homework lab exercise.
Mid-Terms (*)
Wednesday National Day (start earlier)
Monday Aidil Adha (start earlier)
Slide 5
Reference
Charles P. Pfleeger, Security in Computing, (4th Edition),
Prentice-Hall, ISBN-10: 0-13-035548-8
2016, Ian Tan
TSN3251 Computer Security
Slide 6
QUESTIONS?
Slide 7
Introduction
What is Security?
Gates, Locks, Guard Dogs, Security Guards, Security Alarms,
Window Grills, Barbed Wire, Broken Glass
Protecting Valuables
Slide 8
Computer Security
The protection afforded to an automated
information system in order to attain the applicable
objectives of preserving the Integrity, Availability,
and Confidentiality of information system
resources.
Slide 9
Security Goals
Look at it from the objectives/goals of security, which
are:
To protect Confidentiality
To preserve Integrity
To ensure Availability
Slide 10
Confidentiality
Data Confidentiality
Assures that private and confidential information is not made
available or disclosed to unauthorized individuals
Privacy
Assures that individuals control or influence what information
related to them may be collected and stored and by whom and to
whom that information may be disclosed.
Slide 11
Integrity
Data Integrity
Assures that information and programs are changed only in a
specified and authorized manner.
System Integrity
Assures that a system performs its intended functions in an
unimpaired manner, free from deliberate or inadvertent
unauthorized manipulation of the system.
Slide 12
Availability
Assures that the systems work promptly and service is
not denied to authorized users.
Slide 13
Accountability
Being able to trace (audit) each action, in order to support nonrepudiation, fault isolation, intrusion detection, recovery and legal
action.
Slide 14
Data
Communication Facilities (Networks)
People!
Slide 15
Slide 16
Vulnerabilities
Hardware
E.g. CIMB ATM Bank 24 hours
Software
Bank account rounding off incident. Mentioned in the textbook
(p. 15, paragraph 4), and it also happened in Malaysia (exactly
as described in the book)!
Software Modification: more in later lectures
Software Theft: to revisit at the end of the course
Slide 17
Other Vulnerabilities
Other than hardware, software and data:
The network itself is a computer system
Probably the most vulnerable part of a computer system.
Access
Performance degradation.
Malicious modifications to obtain access via a trap door.
Accidental changes to software/data.
People
Somehow the most vulnerable but the least looked-after area.
Most things happen due to insiders.
Slide 18
People
Computer Criminals
Amateurs
Reportedly committed most of the computer crimes (but, thinking about it, if
they were professionals, they might not have been caught?)
Unauthorized use of PCs for personal purposes can also be classified as a crime!
Crackers/Hackers
Generally an ego booster kind of work
http://www.theregister.co.uk/2015/11/13/brit_gets_eight_months_for_ddos_spree/
Career Criminals
Becoming more prevalent, and has reached the stage of being conducted by
organized crime (large scale and well planned).
Terrorists
Attention seeking and propaganda.
Slide 19
Some Definitions
Threat: your attacker
Vulnerability: your weak links
Slide 20
Interruption
Block the message completely?
Modification
Change intended message?
Fabrication
Transmit fake message?
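The three message threats on this slide, seen from the receiver's side, as an added example that is not part of the original lecture: each message carries a sequence number and an HMAC tag, so a blocked message shows up as a gap and an altered or fake message fails the tag check. The key, message format and sample traffic are constructed assumptions.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: secret shared by sender and receiver

def tag(seq, body):
    """MAC over sequence number and body, so neither can change unnoticed."""
    return hmac.new(KEY, seq.to_bytes(8, "big") + body, hashlib.sha256).digest()

def send(seq, body):
    return (seq, body, tag(seq, body))

def receive(stream):
    """Return a list of (sequence number, verdict) for everything observed."""
    expected, report = 1, []
    for seq, body, mac in stream:
        if not hmac.compare_digest(mac, tag(seq, body)):
            # A bad tag covers both cases: the receiver cannot tell an
            # altered genuine message from one invented without the key.
            report.append((seq, "rejected: modified or fabricated"))
            continue
        if seq < expected:
            report.append((seq, "rejected: stale sequence number"))
            continue
        for lost in range(expected, seq):  # gap = messages that never arrived intact
            report.append((lost, "missing: interrupted"))
        report.append((seq, "accepted"))
        expected = seq + 1
    return report

def demo():
    """Constructed traffic: 1 arrives, 2 is altered, 3 is blocked, a fake 4 is injected."""
    m1 = send(1, b"pay Alice 10")
    m2 = send(2, b"pay Bob 20")
    altered = (2, b"pay Bob 90", m2[2])          # body changed, old tag kept
    fake = (4, b"pay Mallory 500", bytes(32))    # no key, so no valid tag
    m4 = send(4, b"pay Carol 5")
    return receive([m1, altered, fake, m4])      # message 3 is never delivered

if __name__ == "__main__":
    for seq, verdict in demo():
        print(seq, verdict)
```

An interruption is only noticed once a later valid message arrives; a silent end of traffic needs a timeout or heartbeat on top of this check.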
Slide 21
Malicious Attacks
Method
Skills, knowledge, tools
Opportunity
Access, time, venue
Motive
Reason: even if it is for fun or just to prove a point, it is
considered malicious
Slide 22
Defense Methods
We have briefly talked about threats and vulnerabilities;
what about controls? Generally, defense mechanisms:
Prevent: block or close the vulnerability.
Deter: build better defenses to make an attack more difficult.
Deflect: make your computer system less attractive
relative to others.
Detect: better if you can detect it when it happens than after it
happens, but either way, it will help to recover.
Recover: recover from the effects of the attack, e.g. restore the
last known version.
Slide 23
Common Controls
Encryption
The scrambling of data so that it is meaningless unless you are able to
unscramble it.
Considered the most useful tool in providing computer security.
Note that the US had export limitations in the past, allowing only 56-bit encryption.
Software Controls
Program controls: User Authentication
OS controls: Limit users' access (similarly for databases)
Independent control programs: anti-virus, anti-spam, password
checkers, intrusion detection
Development controls: Following quality standards
Slide 24
Common Controls
Hardware Controls
Smartcard access, Physical locks
Black box to create PINs, Hardware Firewalls & IDS
Physical Controls
Physical entrance control in high security areas such as banks and
stock exchanges
Slide 25
3 Principles (Controls)
Principle of Easiest Penetration
An attacker will exploit any vulnerability available, and will focus on the
vulnerability with the weakest controls: the "weak link in the chain".
Principle of Effectiveness
Controls must be used, and used properly, to be effective. They must
be efficient, easy to use, and appropriate. Awareness.
Slide 26
Slide 27
From Wikipedia:
Slide 28
Slide 29
Homework
Do read the textbook, Stallings chapter 1.1-1.3, 1.5-1.8!
Go get some puzzle books, e.g.
Slide 30