
TSN3251

Computer Security
Lecture 1
Introduction

2016, Ian Tan


TSN3251 Computer Security

Slide 1

About Me

Consultation
By Email Appointment only
But before tutorial/laboratory sessions.

Ian Tan, Lecturer

CQBR4008
Faculty of Computing and Informatics
Multimedia University
Cyberjaya 63100 Selangor
Tel: +603-83125235
Email: ian@mmu.edu.my

Research Interest
Big Data
Data marshalling
Parallel and distributed computing
Operating systems

Networks
File transfers across wide area networks

Security
One time passwords
Online trust management
Mobile security


Subject Grading
TSC2211
Quiz 2 x 5% (10%)
Mid-Term 20%
Lectures 1-7*, date/time/venue to be arranged.

Assignment 10%
To be announced around
Week 3 or 4

Final Exams
Structured/Essay 60%
6 questions (6 x 10 marks)

TSN3251
Quiz 2 x 7.5% (15%)
Mid-Term 20%
Lectures 1-7*, date/time/venue to be arranged.

Assignment 15%
To be announced around
Week 4

Final Exams
Structured/Essay 50%
5 questions (5 x 20 marks)*


TSN3251 & TSC2211 Course Style

Lectures
MMLS lecture slides are insufficient; you will need to read the text book and do
your own reading from other sources.

Laboratories
Print and read the laboratory sheet, and work on it the night before and in the laboratory.
No demonstrations in the laboratory but you can ask questions.
The laboratory sheets are not a step-by-step guide and will have fewer
instructions as we progress. You are expected to learn on your own BUT you
should ask questions during laboratory sessions if you are unsure.
These are practical exercises and you are encouraged to work in small groups of not more
than 4.

Quizzes, Mid-Terms
Estimated Week 5 & 12 for Quizzes and Week 8 for Mid-Terms. Please do
check with me as we go along as these dates are tentative.


Planned Course Content

WEEK  DATE        TOPICS
1     27/06/2016  Introduction
2     04/07/2016  Elementary Cryptography I
3     11/07/2016  Elementary Cryptography II
4     18/07/2016  Symmetric Cryptography
5     25/07/2016  Asymmetric Cryptography I
6     01/08/2015  Asymmetric Cryptography II
7     08/08/2015  Asymmetric Cryptography III & Hash
8     15/08/2015  Program Security
9     22/08/2015  Database Security
10    29/08/2015  Operating Systems Security I & II
11    05/09/2016  Operating Systems Security II (Cont) and Network Security Issues
12    12/09/2016
13    19/09/2016  Network Security Issues (Cont) and Network Security Controls
14    26/09/2016  Security Administration

REMARKS
No Labs due to Eidul Fitri. Homework lab exercise.
Mid-Terms (*)
Wednesday National Day (start earlier)
Monday Aidil Adha (start earlier)

Text Book and Reference


Text
William Stallings and Lawrie Brown, Computer Security: Principles and Practice,
Prentice Hall; 2nd edition (November 19, 2011), ISBN-10: 0132775069
William Stallings, Cryptography and Network Security: Principles and Practice,
Prentice Hall; 6th edition (March 16, 2013), ISBN-10: 0133354695

Reference
Charles P. Pfleeger, Security in Computing, (4th Edition),
Prentice-Hall, ISBN-10: 0-13-035548-8

QUESTIONS?


Introduction
What is Security?
Gates, Locks, Guard Dogs, Security Guards, Security Alarm,
Window Grills, Barb Wires, Broken Glass
Protecting Valuables

What is Computer Security?


Protecting Valuable Information/Data


Computer Security
The protection afforded to an automated
information system in order to attain the applicable
objectives of preserving the Integrity, Availability,
and Confidentiality of information system
resources.


Security Goals
Look at it from the objectives/goals of security, which are:
To protect Confidentiality
To preserve Integrity
To ensure Availability

For the resources, which are hardware, software, firmware, data, information, networks.


Confidentiality
Data Confidentiality
Assures that private and confidential information is not made
available or disclosed to unauthorized individuals

Privacy
Assures that individuals control or influence what information
related to them may be collected and stored and by whom and to
whom that information may be disclosed.


Integrity
Data Integrity
Assures that information and programs are changed only in a
specified and authorized manner.

System Integrity
Assures that a system performs its intended functions in an
unimpaired manner, free from deliberate or inadvertent
unauthorized manipulation of the system.


Availability
Assures that the systems work promptly and service is
not denied to authorized users.

These three concepts are generally referred to as the CIA Triad.

Two Other Concepts


Authenticity
Being able to verify and trust the transmission, originator,
message. They are who they say they are.

Accountability
Being able to trace (audit) each action, in order to support non-repudiation,
fault isolation, intrusion detection, recovery and legal action.


Information System Resources


Hardware
Software
System
Application

Data
Communication Facilities (Networks)
People!


Vulnerabilities, Threats and Assets
CIA3 & Resources
Vulnerabilities: Assets can be
Corrupted
Leaky (unauthorized access)
Unavailable (or very slow)


Vulnerabilities
Hardware
E.g. CIMB ATM Bank 24 hours

Software
Bank account rounding off incident. Mentioned in the text book
(pp 15, paragraph 4) and it also did happen in Malaysia! (exactly
the same as described in the book)
Software Modification: more in later lectures
Software Theft: to revisit at the end of course


Other Vulnerabilities
Other than hardware, software and data;
Network itself is a computer system
Probably the most vulnerable part of a computer system.

Access
Performance degradation.
Malicious modifications to obtain access via a trap door.
Accidental changes to software/data.

People
Somehow the most vulnerable but the least looked after area.
Most things happen due to insiders


People
Computer Criminals
Amateurs
Reportedly committed most of the computer crimes (but to think about it, if
they are professionals, then they may not have been caught?)
Unauthorized use of PCs for personal purposes can also be classified as a crime!

Crackers/Hackers
Generally an ego booster kind of work
http://www.theregister.co.uk/2015/11/13/brit_gets_eight_months_for_ddos_spree/

Career Criminals
Getting more prevalent and has reached the stage of being conducted by
organized crime (large scale and well planned).

Terrorists
Attention seeking and propaganda.

Some Definitions
Threat: Your attacker
Vulnerability: Your weak links

A threat is blocked by the controls you put in place on your system's vulnerability.
An attack is when someone/something exploits the
vulnerabilities of a system.


Some Threat Classifications


Interception
Unauthorized access to the message and not let it through?

Interruption
Block the message completely?

Modification
Change intended message?

Fabrication
Transmit fake message?

Text book section 1.2 for full listing!



Malicious Attacks
Method
Skills, knowledge, tools

Opportunity
Access, time, venue

Motive
Reason: even if it is for fun or just to prove a point, it is
considered malicious.


Defense Methods
We have briefly talked about threats and vulnerabilities;
what about controls? Generally, defense mechanisms:
Prevent: block or close the vulnerability.
Deter: build better defenses to make an attack more difficult.
Deflect: make your computer system less attractive
relative to others.
Detect: it is better to detect an attack when it happens than after it
happens, but either way detection will help to recover.
Recover: recover from the effects of the attack, e.g. restore the
last known version.


Common Controls
Encryption
The scrambling of data so that it is meaningless unless you are able to
unscramble it.
Considered the most useful tool in providing computer security.
Note that US had export limitations to use only 56-bit encryption in the past

Software Controls
Program controls: User Authentication
OS controls: Limit users' access (similarly for databases)
Independent control programs: anti-virus, anti-spam, password
checkers, intrusion detection
Development controls: Following quality standards

Common Controls
Hardware Controls
Smartcard access, Physical locks
Black box to create PINs, Hardware Firewalls & IDS

Policies and Procedures


Frequent password changing
Backups

Physical Controls
Physical entrance control in high security areas such as banks and
stock exchanges


3 Principles (Controls)
Principle of Easiest Penetration
An attacker will exploit any vulnerability available, and will focus on the
vulnerability with the weakest controls. "Weak link in chain."

Principle of Adequate Protection
Computer items must be protected only until they lose their value. They
must be protected to a degree consistent with their value. Exam
papers.

Principle of Effectiveness
Controls must be used, and used properly, to be effective. They must
be efficient, easy to use, and appropriate. Awareness.

How important is IT Security?

From recent news on Security (2013)


JAKARTA, May 29 (Xinhua) -- In a move to keep the country's sovereignty in the
cyber age, the Indonesian defense ministry is planning to create a special force
called "cyber army" to tackle attacks by Internet hackers against the state's
Internet portals and websites that could endanger the security of the state.
BEIJING, May 28 (Xinhua) -- The People's Liberation Army (PLA) will conduct an
exercise next month to test new types of combat forces including units using
digital technology amid efforts to adjust to informationalized war, it announced on
Tuesday.


What will you be learning?

From Wikipedia:

Heartbleed is a security bug in the OpenSSL cryptography
library. OpenSSL is a widely used implementation of the
Transport Layer Security (TLS) protocol. Heartbleed may be
exploited whether the party using a vulnerable OpenSSL
instance for TLS is a server or a client.

Heartbleed results from improper input validation (due to a
missing bounds check) in the implementation of the TLS
heartbeat extension, the heartbeat being the basis for the
bug's name. The vulnerability is classified as a buffer over-read,
a situation where software allows more data to be read
than should be allowed.
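
The missing bounds check described above, shown beside the corrected check. This is an added example, not part of the original slides and not OpenSSL's code. The message layout (1-byte type, 2-byte length, payload, 16 bytes of padding) follows RFC 6520; the function names and sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HDR 3u   /* type (1 byte) + payload_length (2 bytes, big-endian) */
#define HB_PAD 16u  /* minimum padding after the payload (RFC 6520) */

/* Vulnerable pattern: trusts the length field carried inside the message. */
size_t echo_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    (void)rec_len;                              /* never consulted: the bug */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    memcpy(out, rec + HB_HDR, claimed);         /* can read past the record */
    return claimed;
}

/* Hardened: discard any message whose claimed payload does not fit. */
size_t echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < HB_HDR + HB_PAD) return 0;    /* too short to be valid */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + claimed + HB_PAD > rec_len) return 0;
    memcpy(out, rec + HB_HDR, claimed);
    return claimed;
}

/* Constructed sample: a 21-byte record ("hi" + padding) followed in the same
   array by unrelated data, so the over-read stays inside defined memory. */
size_t make_record(uint8_t arena[64], uint16_t claimed) {
    memset(arena, 0, 64);
    arena[0] = 1;                               /* heartbeat request */
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xff);
    memcpy(arena + HB_HDR, "hi", 2);            /* real payload: 2 bytes */
    memcpy(arena + 21, "SECRET", 6);            /* neighbouring data */
    return HB_HDR + 2 + HB_PAD;                 /* true record length: 21 */
}

int main(void) {
    uint8_t arena[64], out[64] = {0};
    size_t len = make_record(arena, 24);        /* claims 24, sent 2 */
    size_t n = echo_unchecked(arena, len, out);
    printf("unchecked echoed %zu bytes, tail: %.6s\n", n, (char *)out + 18);
    printf("checked echoed %zu bytes\n", echo_checked(arena, len, out));
    make_record(arena, 2);                      /* honest length field */
    printf("honest request echoed %zu bytes\n", echo_checked(arena, 21, out));
    return 0;
}
```

The unchecked handler returns the sender's payload followed by whatever happened to sit next to the record in memory; the checked handler drops the malformed request and still answers the honest one.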


So, where do we start?


The most elementary component for computer data
security is
Encryption
Symmetric
Asymmetric


Homework
Do read the text book, Stallings chapter 1.1-1.3, 1.5-1.8!
Go get some puzzle books, e.g.
