At the end of this topic, the students are able to:

•Explain what computer security is.

•Relate the basic elements – policy and mechanism with computer security.
•Relate how confidentiality, integrity and availability requirements affect a typical
software system.
•Differentiate the vulnerabilities, threats and attacks commonly found within software
systems.
•Describe the typical type of threats of software systems.
•Express the basic instruments in computer security – prevention, detection and
recovery/reaction.
•Discuss the quadridelemma of computer security design.
•Discuss the principles of computer security design.
•Explain the security life cycle.

1
Security is about protecting our assets from someone or something. We want to
protect our assets from loss, damage, misused etc. The question is, how well that we
want to protect our assets? Do we need to use four or five locks, just to secure our
house? Alternatively, is one lock enough?

Assuming that we have used five locks to secure our house and imagine that we have
locked our two months old baby in, how fast can we unlock the door? Five minute...
Ten minute... Its depend on how we are organizing the keys!

Security, reliability and manageability are different aspects of the general problem of
protecting our assets, which we need to think about when we are securing our assets.

2
Assets generally include hardware (e.g. servers and switches), software (e.g. mission
critical applications and support systems) and confidential information. Assets should
be protected from illicit access, use, disclosure, alteration, destruction, and/or theft,
resulting in a loss to the organization.

What is the value of these assets? The broken hardware and applications can easily be
replaced or reinstalled. However, can corrupted data that being collected for 10 years
easily replaced?

3
•Computer security is designed to protect our computer and everything associated
with it --- the building, the workstations and printers, cabling, and disks and other
storage media. Most importantly, computer security protects the information stored in
our system.

•Computer security is not only designed to protect against outside intruders who
break into systems, but also dangers arising from sharing a password with a friend,
failing to back up a disk, spilling a soda on a keyboard.

•There are three distinct aspects of security: confidentiality, integrity and availability.

4
Security is defined or describe by policy. A policy is a natural statement of what is,
and what is not, allowed.

Mechanism is an instrument i.e. a procedure, method or tool to enforce the policy.

The mechanism can be categorized into non-technical, semi-technical and technical
types.

The composition problem requires checking for inconsistencies among policies. If,
for example, one policy allows students and staffs access to all data, and the other
allows only staffs access to all the data, then they must be resolved through proper
mechanism (e.g., partition the data so that students and staffs can access some data,
and only staffs access the other data).

5
For example, UiTM’s policy on organization (official) email:
Only staff, who have been authorised to use email at UiTM may do so.

The enforcement of the above policy is done via process of authentication – where
only authorise staff will given an email account and password. The respective staffs
need to authenticate themselves using this email account and password.

The authentication process is a method that being used to enforce the above policy.

6
The CIA Triad is a venerable, well-known model for security policy development,
used to identify problem areas and necessary solutions for computer security.

•Confidentiality deals with preventing unauthorized reading of information. A bank

(hereafter is referred as Bank) , let say as the Bank probably wouldn't care much
about the confidentiality of the information it deals with, except for the fact that its
customers certainly do. For example, X does not want Y to know how much he has in
his savings account. The Bank would also face legal problems if it failed to protect
the confidentiality of such information.

•Integrity deals with preventing, or at least detecting, unauthorized "writing" (i.e.,

changes to data). The Bank must protect the integrity of account information to
prevent Y from, say, increasing the balance in her account or changing the balance in
X’s account. Note that confidentiality and integrity are not the same thing. For
example, even if Y cannot read the data, she might be able to modify this unreadable
data, which, if undetected, would destroy its integrity. In this case, Y might not know
what changes she had made to the data (since she can't read it), but she might not care
- sometimes just causing trouble is good enough.

•Denial of service, or DoS, attacks are a relatively recent concern. Such attacks try to
reduce access to information. As a result of the rise in DoS attacks, data availability
has become a fundamental issue in information security. Availability is an issue for
both the Bank and X - if the Bank’s website is unavailable, then Alice can't make
money from customer transactions and Bob can't get his business done. Bob might
then take his business elsewhere. If Y has a grudge against the Bank, or if she just
wants to be malicious, she might attempt a denial of service attack on the Bank. 7
Confidentiality, integrity, and availability are only the beginning of the information
security story. Consider this situation when a bank’s customer, X logs on to his
computer. How does X’s computer determine that "X" is really X and not Y? Once X
being identified as “X”, the system should allow X to conduct any valid transaction.

If X claims a transaction is not done by him, can the Bank’s system able to trace and
verify his claim? All of these scenarios are concerned with identification,
authorization and accountability.

Authentication of a computer system typically requires that X’s password be verified.

Once X has been authenticated by the Bank’s system, then the Bank must enforce
restrictions on X’s actions. Enforcing such restrictions goes by the name of the
authorization. The Bank’s system must able to keep track every single action
conducted by X, it's called accountability.

8
In computer security, vulnerability is a weakness, which allows an attacker to reduce
a system's information assurance. Vulnerability is the intersection of three elements: a
system susceptibility or flaw, attacker access to the flaw, and attacker capability to
exploit the flaw. To exploit vulnerability, an attacker must have at least one applicable
tool or technique that can connect to a system weakness. In this frame, vulnerability
is also known as the attack surface.

A threat is a possible danger that might exploit a vulnerability to breach security and
thus cause possible harm. A threat can be either "intentional" (i.e., intelligent; e.g., an
individual cracker or a criminal organization) or "accidental" (e.g., the possibility of a
computer malfunctioning, or the possibility of a natural disaster such as an
earthquake, a fire, or a tornado) or otherwise a circumstance, capability, action, or
event.

An attack is any attempt to destroy, expose, alter, disable, steal or gain unauthorized
access to or make unauthorized use of an asset.

9
Unauthorized access to information is disclosure. For instance, snooping which is the
unauthorized interception of information, is a form of disclosure. Confidentiality
services counter this threat.

Acceptance of false data is called deception. For instance, the man-in-the-middle

attack is a kind of deception, where the receiver and sender do not realize that an
intruder is reading the sent information and possibly sending false information to the
receiver. Integrity services counter this threat.

Interruption or prevention of correct operation is called disruption. Denial of service

is an instance of disruption. The attacker may prevent the server from providing
service to the requesting client. Availability services take care of this threat.

Unauthorized control of some part of the system is called usurpation. Masquerading

or pretending to be someone else to control a system is a kind of usurpation. Integrity
services (called “authentication services”, in this context) counter this threat.

Therefore, three security services-confidentiality, integrity and availability- are

sufficient to deal with the threats of disclosure, disruption, deception and usurpation.

10
11
12
13
14
Computer systems are vulnerable to many threats that can inflict various types of
damage resulting in significant losses. This damage can range from errors harming
database integrity tp fires destroying entrire computer centres. Losses can stemm for
example, from the actions of supposely trusted employees defrauding a system, from
outside hackers or from careless data entry clerks. Precision in estimating computer
security-related losses is not possible because many losses are never discovered and
others are “swept under the carpet” to avoid unfavourable publicity. The efforts of
various threats varies considerably – some affect the confidentiality or integrity of
data while others might affect the availability of a computer system.

15
“The minute you dial in to your Internet service provider or connect to a DSL or
cable modem, you are casting your computer adrift in a sea of millions of other
computers – all of which are sharing the world's largest computer network, the
Internet. Most of those computers are cooperative and well behaved, but some are
downright nasty. Only you can make sure your computer is ready for the
experience.”

Daniel Appleman, Always Use Protection, A Teen's Guide to Safe Computing, (2004 –
Apress)

16
•Prevention is ideal, because then there are no successful attacks.

•Detection occurs after someone violates the policy. The mechanism determines that
a violation of the policy has occurred (or is underway), and reports it. The system (or
system security officer) must then respond appropriately.

•Recovery/Reaction means that the system continues to function correctly, possibly

after a period during which it fails to function correctly. If the system functions
correctly always, but possibly with degraded services, it is said to be intrusion
tolerant. This is very difficult to do correctly; usually, recovery means that the attack
is stopped, the system fixed (which may involve shutting down the system for some
time, or making it unavailable to all users except the system security officers), and
then the system resumes correct operations.

17
To prevent our house from break-in, we build fence and lock the gate. In addition of
the fence, we install intruder alarms system to detect any break-in. Once detected,
normally the system will automatically alert the authority/police.

18
To avoid ATM or credit cards being cloned, Bank Negara Malaysia has instructed all
the banks to replace the magnetic - striped card with smart card. The banks will alert
the customer via SMS for transactions more than RM500. Which, it is the customer's
responsibility to acknowledge the bank is the transaction is not being done by them.
Once being acknowledged by the customers, the bank will block the respective cards.

19
We receive regular system patches from either Microsoft or Apple for our computer
systems.

We also install anti-virus and anti-malware to detect virus or malware in our

computer systems.

On top of that two mechanisms, all our computer systems now are equipped with
personal firewall that prevent virus, malwares or attackers from penetrate our
computer systems.

20
When we design computer security, we need to look at several factors:

1. Security cost vs asset cost – obviously the cost of security should not more than
the cost of the assets. We should find a security mechanism that able to protect the
asset without incurring high cost. For example, if the policy requires the
notebook to be used in organizations compound, how we can enforce that policy?
We can install RFID to tag the notebook and install a sensor at the door, so that its
ability to detect any attempt to bring the notebook outside.

2. Security cost vs potential damage – we must protect all our data accordingly,
which based on classified information. Therefore, name attributes into database
does not need protection, but password attributes need to be protected. Normally,
we encrypt the password before we store in database.

3. Technology vs operational cost – the best security is when it is transparent for the
users. The users do not realize that we have implemented security mechanism.
Normally the security cost should be one-off cost.

21
It is difficult to design proper computer security systems. We need to take a few
elements or factors into consideration. The factors are:

1. Usability or User expertise – we must design the system that requires minimum
training, does not change much of the workflow and it must be transparent from
the user (the user does not realize that the computer security components are
being implemented).
2. Security – We must implement mechanisms that uphold the organization’s policy.
3. Functionality - The system developed must retain all the functionalities,
however, if it is conflict with security policy the workaround or alternative must
be found and developed to replace the affected function.
4. Cost - The security mechanisms implemented must not cost more that security
required (aka cost-effectiveness must prevail).

22
What happens if the data and resources are compromised? This tells you what you
need to protect and to what level. Cost-benefit analyses help determine the risk here,
but there may be other metrics involved. We can use both quantitative and qualitative
analysis to determine the proper protection level – we do not want to over-protective
and also under-protective systems.

23
24
· The economy of mechanism principle stresses simplicity in the design
and implementation of security measures. - While applicable to most
engineering endeavors, the notion of simplicity is especially important in the
security domain, since a simple security framework facilitates its understanding by
developers and users and enables the efficient development and verification of
enforcement methods for it.

· The fail-safe default principle states that the default configuration of

a system should have a conservative protection scheme. For example,
when adding a new user to an operating system, the default group of the user
should have minimal access rights to files and services. Unfortunately, operating
systems and applications often have default options that favor usability over
security. This has been historically the case for a number of popular applications,
such as web browsers that allow the execution of code downloaded from the web
server.

· The complete mediation idea behind this principle is that every access
to a resource must be checked for compliance with a protection
scheme. As a consequence, one should be wary of performance improvement
techniques that save the results of previous authorization checks, since permissions 25
This network design implement the complete mediation principle.

26
... And this network design implements the separation privilege principle.

27
This design is commonly used in operating systems. What is the security design
principle that being used? Yes... It is the separation privilege principle.

28
Whenever we want to design computer security, we have to identify all threats that
will affect our systems. This identification of threats will help us to determine the
best prevention and detection methods to be used in our system development. Then
we will map or align with the organization’s policy to determine what are recovery or
reaction that need to be taken once the attacks are detected.

These will be our specifications which we will incorporate in our system design and
subsequently been developed into our system.

29
30
31