CH01-Overview - 2

The document defines key concepts in computer security including the CIA triad of confidentiality, integrity, and availability. It discusses security objectives such as authenticity, non-repudiation, and accountability. Computer security challenges include attackers only needing to find one weakness while developers must address all weaknesses, and security being an afterthought. The document also defines common computer security terminology such as assets (hardware, software, data), vulnerabilities, threats, and types of attacks.

Uploaded by Ahmad Rawajbeh

© 2016 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
Chapter 1
Overview
1.1 - Computer Security Concepts

The NIST Computer Security Handbook defines Computer Security as:

“The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources” (includes hardware, software, firmware, information/data, and telecommunications).
The CIA Triad

Key Security Concepts
• Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
• Integrity: Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity
• Availability: Ensuring timely and reliable access to and use of information
INFORMATION SECURITY OBJECTIVES
• Availability: The property of a system or a system resource being accessible or usable or operational upon demand, by an authorized system entity, according to performance specifications for the system
• Integrity: The property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner
• Authenticity: The property of being genuine and being able to verify that users are who they say they are and that each input arriving at the system came from a trusted source
• Non-repudiation: Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information
• Confidentiality: The property that data is not disclosed to system entities unless they have been authorized to know the data
• Accountability: The property of a system or system resource ensuring that the actions of a system entity may be traced uniquely to that entity, which can then be held responsible for its actions
Levels of Impact
• Low: The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals
• Moderate: The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals
• High: The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals

Computer Security Challenges
• Computer security is not as simple as it might first appear to the novice
• Potential attacks on the security features must be considered
• Procedures used to provide particular services are often counterintuitive
• Physical and logical placement needs to be determined
• Additional algorithms or protocols may be involved
• Attackers only need to find a single weakness, the developer needs to find all weaknesses
• Users and system managers tend to not see the benefits of security until a failure occurs
• Security requires regular and constant monitoring
• Is often an afterthought to be incorporated into a system after the design is complete
• Thought of as an impediment to efficient and user-friendly operation
1.2 - Computer Security Terminology

Assets of a Computer System
• Hardware
• Software
• Data
• Communication facilities and networks
HARDWARE ASSETS
• Hardware assets include servers, workstations, laptops, mobile devices, removable media, networking and telecommunications equipment, and peripheral equipment
• Key concerns are loss of a device, through theft or damage, and lack of availability of the device for an extended period
• Another concern is device malfunction, due to deliberate malfunction or other causes
• Asset valuation needs to take into account the replacement cost of the hardware, disruption losses, and recovery expenses
SOFTWARE ASSETS
• Software assets include applications, operating systems and other system software, virtual machine and container virtualization software, software for software-defined networking (SDN), database management systems, file systems, and client and server software
• Availability is a key consideration here, and asset valuation must take account of disruption losses and recovery expenses
DATA & INFORMATION ASSETS
• Information assets comprise the information stored in databases and file systems, both on-premises and remotely in the cloud
• ITU-T X.1055 lists the following as types of information assets in a telecommunications or network environment:
  ■ Communication data
  ■ Routing information
  ■ Traffic statistical information
  ■ Blacklist information
  ■ Registered service information
  ■ Operational information
  ■ Customer calling patterns
  ■ Customer geographic locations
  ■ Subscriber information
  ■ Contracts and agreements
  ■ Business continuity plans
  ■ Research information
  ■ User manuals
  ■ Customer information
  ■ Training materials
  ■ Billing information
  ■ Operational or support procedures
  ■ System documentation
  ■ Emergency plan fallback arrangements
  ■ Audit trails and archived information
BUSINESS ASSETS
• The business assets category includes organization assets that don’t fit into other categories
• This includes human resources, business processes, and physical plant
• This category also includes intangible assets such as organization control, know-how, reputation, and image of the organization
Vulnerabilities, Threats and Attacks
• Categories of vulnerabilities
  • Corrupted (loss of integrity)
  • Leaky (loss of confidentiality)
  • Unavailable or very slow (loss of availability)
• Threats
  • Capable of exploiting vulnerabilities
  • Represent potential security harm to an asset
• Attacks (threats carried out)
  • Passive – attempt to learn or make use of information from the system that does not affect system resources
  • Active – attempt to alter system resources or affect their operation
  • Insider – initiated by an entity inside the security perimeter
  • Outsider – initiated from outside the perimeter
THREATS
• Threat identification is the process of identifying sources with the potential to harm system assets
• Threat sources are categorized into three areas:
  • Environmental
    • Examples include floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and power failure
  • Business resources
    • Examples include equipment failure, supply chain disruption, and unintentional harm caused by employees
  • Hostile actors
    • Examples include hackers, hacktivists, insider threats, criminals, and nation-state actors

THREAT TYPES
• Malware
• Virus
• Worm
• Ransomware
• Spam
• Logic bomb
• Trojan horse
• Backdoor (trapdoor)
• Mobile code
• Exploit
• Exploit kit
• Downloader
• Dropper
• Auto-rooter
• Kit (virus generator)
• Spammer program
• Flooder
• Keyloggers
• Rootkit
• Zombie or bot
• Spyware
• Adware
• DNS attacks
• Hacker or cracker
• Injection flaw
• Code injection
• Social engineering
• Phishing
• Password attack
• Website exploit
• Remote access attacks
• Denial-of-service (DoS)
• Distributed denial-of-service (DDoS) attack

Table 1.3: Computer and Network Assets, with Examples of Threats
VULNERABILITIES
• A vulnerability is a weakness or a flaw in a system’s security procedures, design, implementation, or internal controls that could be accidentally triggered or intentionally exploited when a threat is manifested
• Vulnerability identification is the process of identifying vulnerabilities that can be exploited by threats to cause harm to assets
VULNERABILITY CATEGORIES
• Technical vulnerabilities
  • Flaws in the design, implementation, and/or configuration of software and/or hardware components, including application software, system software, communications software, computing equipment, communications equipment, and embedded devices
• Human-caused vulnerabilities
  • Key person dependencies, gaps in awareness and training, gaps in discipline, and improper termination of access
• Physical and environmental vulnerabilities
  • Insufficient physical access controls, poor siting of equipment, inadequate temperature/humidity controls, and inadequately conditioned electrical power
• Operational vulnerabilities
  • Lack of change management, inadequate separation of duties, lack of control over software installation, lack of control over media handling and storage, lack of control over system communications, inadequate access control or weaknesses in access control procedures, inadequate recording and/or review of system activity records, inadequate control over encryption keys, inadequate reporting, handling and/or resolution of security incidents, and inadequate monitoring and evaluation of the effectiveness of security controls
• Business continuity and compliance vulnerabilities
  • Misplaced, missing, or inadequate processes for appropriate management of business risks; inadequate business continuity/contingency planning; and inadequate monitoring and evaluation for compliance with governing policies and regulations
1.3 - CONTROLS / COUNTERMEASURES / SECURITY FUNCTIONAL REQUIREMENTS

• Controls for cybersecurity include any process, policy, procedure, guideline, practice, or organizational structure that modifies information security risk
• Controls are administrative, technical, management, or legal in nature

Controls / Countermeasures
• Means used to deal with security attacks:
  • Prevent
  • Detect
  • Recover
• Residual vulnerabilities may remain
• May itself introduce new vulnerabilities
• Goal is to minimize residual level of risk to the assets
• Identify
  • Identify and control who has access to your business information
  • Conduct background checks
  • Require individual user accounts for each employee
  • Create policies and procedures for information security
• Protect
  • Limit employee access to data and information
  • Install surge protectors and uninterruptible power supplies (UPSs)
  • Patch your operating systems and applications
  • Install and activate software and hardware firewalls on all your business networks
  • Secure your wireless access point and networks
  • Set up web and email filters
  • Use encryption for sensitive business information
  • Dispose of old computers and media safely
  • Train your employees
• Detect
  • Install and update antivirus, anti-spyware, and other anti-malware programs
  • Maintain and monitor logs
• Respond
  • Develop a plan for disasters
• Recover
  • Make full backups of important business data/information
  • Make incremental backups of important business data/information
  • Consider cyber insurance
  • Make improvements to
Security Functional Requirements (page 1 of 2)
(Table can be found on page 26 in the textbook.)

Security Functional Requirements (page 2 of 2)
(Table can be found on page 27 in the textbook.)
Passive and Active Attacks

Passive Attack
• Attempts to learn or make use of information from the system but does not affect system resources
• Eavesdropping on, or monitoring of, transmissions
• Goal of attacker is to obtain information that is being transmitted
• Two types:
  o Release of message contents
  o Traffic analysis

Active Attack
• Attempts to alter system resources or affect their operation
• Involve some modification of the data stream or the creation of a false stream
• Four categories:
  o Replay
  o Masquerade
  o Modification of messages
  o Denial of service
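The four active-attack categories above are exactly what per-message integrity and freshness checks are built to catch. The following Python example is added here and is not from the original slides or the textbook; it constructs a receiver that verifies an HMAC tag and a strictly increasing sequence number on each message, so that a replayed message, a modified message and a message from a sender who lacks the shared key (a masquerade) are each rejected. The shared key, the message bodies and the `Receiver`/`make_message` names are constructed for this illustration.

```python
import hashlib
import hmac
import json

ACCEPTED = "accepted"
REJECT_REPLAY = "rejected: replay"
REJECT_TAG = "rejected: bad tag"


def make_message(key: bytes, seq: int, body: str) -> dict:
    """Sender side: bind a sequence number to the body and tag both with an HMAC.
    sort_keys gives a canonical encoding so sender and receiver tag the same bytes."""
    payload = json.dumps({"seq": seq, "body": body}, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class Receiver:
    """Receiver side: checks integrity/origin (tag) and freshness (sequence)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0  # highest sequence number accepted so far

    def accept(self, msg: dict) -> str:
        expected = hmac.new(self.key, msg["payload"], hashlib.sha256).hexdigest()
        # Constant-time comparison; a wrong tag means the payload was modified
        # in transit or was produced by a party without the key (masquerade).
        if not hmac.compare_digest(expected, msg["tag"]):
            return REJECT_TAG
        seq = json.loads(msg["payload"])["seq"]
        # The tag is valid, so the message is genuine, but if its sequence number
        # is not beyond the last accepted one it is a copy of an old message.
        if seq <= self.last_seq:
            return REJECT_REPLAY
        self.last_seq = seq
        return ACCEPTED


def demo() -> list:
    """Run one genuine exchange followed by one message of each active-attack kind."""
    key = b"constructed-shared-key"  # constructed; real keys come from key management
    rx = Receiver(key)
    m1 = make_message(key, 1, "transfer 10")
    m2 = make_message(key, 2, "transfer 20")
    results = [rx.accept(m1), rx.accept(m2)]          # genuine stream
    results.append(rx.accept(m1))                     # replay of a captured message
    tampered = {"payload": m2["payload"].replace(b"transfer 20", b"transfer 90"),
                "tag": m2["tag"]}
    results.append(rx.accept(tampered))               # modification of a message
    forged = make_message(b"not-the-shared-key", 3, "transfer 30")
    results.append(rx.accept(forged))                 # masquerade: sender lacks the key
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Note what this check does not cover: an HMAC does not hide message contents, so the passive attacks in the left column (release of message contents, traffic analysis) need encryption and traffic padding, and denial of service is not addressed by per-message verification at all. The receiver also cannot tell a modified genuine message from a forged one; both simply fail the tag check.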
Security Attacks

Henric Johnson
• Interruption: This is an attack on availability
• Interception: This is an attack on confidentiality
• Modification: This is an attack on integrity
• Fabrication: This is an attack on authenticity
RISK ASSESSMENT
1.4 - Fundamental Security Design Principles
• Economy of mechanism
• Fail-safe defaults
• Complete mediation
• Open design
• Separation of privilege
• Least privilege
• Least common mechanism
• Psychological acceptability
• Isolation
• Encapsulation
• Modularity
• Layering
• Least astonishment
Fundamental Security Design Principles

Economy of mechanism
• Means that the design of security measures embodied in both hardware and software should be as simple and small as possible
• Relatively simple, small design is easier to test and verify thoroughly
• With a complex design, there are many more opportunities for an adversary to discover subtle weaknesses to exploit that may be difficult to spot ahead of time

Fail-safe defaults
• Means that access decisions should be based on permission rather than exclusion
• The default situation is lack of access, and the protection scheme identifies conditions under which access is permitted
• Most file access systems and virtually all protected services on client/server use fail-safe defaults
© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
Fundamental Security Design Principles

Complete mediation
• Means that every access must be checked against the access control mechanism
• Systems should not rely on access decisions retrieved from a cache
• To fully implement this, every time a user reads a field or record in a file, or a data item in a database, the system must exercise access control
• This resource-intensive approach is rarely used

Open design
• Means that the design of a security mechanism should be open rather than secret
• Although encryption keys must be secret, encryption algorithms should be open to public scrutiny
• Is the philosophy behind the NIST program of standardizing encryption and hash algorithms
Fundamental Security Design Principles

Separation of privilege
• Defined as a practice in which multiple privilege attributes are required to achieve access to a restricted resource
• Multifactor user authentication is an example which requires the use of multiple techniques, such as a password and a smart card, to authorize a user

Least privilege
• Means that every process and every user of the system should operate using the least set of privileges necessary to perform the task
• An example of the use of this principle is role-based access control; the system security policy can identify and define the various roles of users or processes and each role is assigned only those permissions needed to perform its functions
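Fail-safe defaults, complete mediation, least privilege and separation of privilege on the preceding slides all describe the behaviour of one component, the access-control monitor. The following Python example is added here and is not from the original slides or the textbook; it shows a small monitor that starts every decision from deny, grants only what a role explicitly holds, requires a second privilege attribute (a verified multifactor login) for restricted accesses, and re-checks every record read so that a revocation takes effect mid-stream, contrasted with the cached-decision shortcut the complete mediation slide warns against. The roles, users, resources and the `Monitor`/`Session` names are constructed for this illustration.

```python
from dataclasses import dataclass, field

# Least privilege: each role holds only the (resource, action) pairs its job needs.
# Roles, resources and users below are constructed for this illustration.
ROLE_PERMISSIONS = {
    "clerk":   {("ledger", "read")},
    "auditor": {("ledger", "read"), ("audit_log", "read")},
    "admin":   {("ledger", "read"), ("ledger", "write"), ("keys", "read")},
}

# Separation of privilege: these accesses need a second, independent privilege
# attribute (a completed multifactor login) in addition to the role permission.
MFA_REQUIRED = {("keys", "read"), ("ledger", "write")}


@dataclass
class Session:
    user: str
    roles: frozenset
    mfa_verified: bool = False


@dataclass
class Monitor:
    role_permissions: dict
    mfa_required: set
    revoked_users: set = field(default_factory=set)
    decisions: list = field(default_factory=list)  # audit trail of every decision

    def check(self, session: Session, resource: str, action: str):
        """Decide one access. Fail-safe default: the answer is 'deny' unless an
        explicit permission is found, so unknown resources and roles are denied."""
        allowed, reason = False, "no matching permission (default deny)"
        if session.user in self.revoked_users:
            reason = "user revoked"
        else:
            granted = set()
            for role in session.roles:
                granted |= self.role_permissions.get(role, set())
            if (resource, action) in granted:
                if (resource, action) in self.mfa_required and not session.mfa_verified:
                    reason = "second privilege attribute (MFA) missing"
                else:
                    allowed, reason = True, "granted by role"
        self.decisions.append((session.user, resource, action, allowed, reason))
        return allowed, reason


def read_mediated(monitor, session, resource, records):
    """Complete mediation: every record is checked again, so a revocation that
    happens part-way through the stream stops further reads."""
    out = []
    for rec in records:
        if not monitor.check(session, resource, "read")[0]:
            break
        out.append(rec)
    return out


def read_cached(monitor, session, resource, records):
    """The shortcut the slides warn against: decide once, then trust that
    cached decision for the whole stream. A mid-stream revocation is missed."""
    if not monitor.check(session, resource, "read")[0]:
        return []
    return list(records)


def demo() -> dict:
    mon = Monitor(ROLE_PERMISSIONS, MFA_REQUIRED)
    clerk = Session("alice", frozenset({"clerk"}))
    admin = Session("bob", frozenset({"admin"}))
    r = {}
    r["clerk_read"] = mon.check(clerk, "ledger", "read")[0]         # True
    r["clerk_write"] = mon.check(clerk, "ledger", "write")[0]       # False: least privilege
    r["unknown_resource"] = mon.check(clerk, "payroll", "read")[0]  # False: default deny
    r["admin_keys_no_mfa"] = mon.check(admin, "keys", "read")[0]    # False: needs MFA too
    admin.mfa_verified = True
    r["admin_keys_mfa"] = mon.check(admin, "keys", "read")[0]       # True

    def records():
        # Constructed stream whose producer revokes alice after the first record.
        yield "r1"
        mon.revoked_users.add("alice")
        yield "r2"
        yield "r3"

    r["mediated"] = read_mediated(mon, clerk, "ledger", records())  # ["r1"]
    mon.revoked_users.discard("alice")
    r["cached"] = read_cached(mon, clerk, "ledger", records())      # ["r1", "r2", "r3"]
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `decisions` list is the accountability hook from the security objectives slide: every allow and deny is recorded with the entity that requested it, which is also what makes the mediated and cached variants distinguishable after the fact (the cached read leaves a single audit entry for three records).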


Fundamental Security Design Principles

Least common mechanism
• Means that the design should minimize the functions shared by different users, providing mutual security
• This principle helps reduce the number of unintended communication paths and reduces the amount of hardware and software on which all users depend, thus making it easier to verify if there are any undesirable security implications

Psychological acceptability
• Implies that the security mechanisms should not interfere unduly with the work of users, while at the same time meeting the needs of those who authorize access
• Where possible, security mechanisms should be transparent to the users of the system or, at most, introduce minimal obstruction
• In addition to not being intrusive or burdensome, security procedures must reflect the user’s mental model of protection
Fundamental Security Design Principles

Isolation
• Applies in three contexts:
  o Public access systems should be isolated from critical resources to prevent disclosure or tampering
  o Processes and files of individual users should be isolated from one another except where it is explicitly desired
  o Security mechanisms should be isolated in the sense of preventing access to those mechanisms

Encapsulation
• Can be viewed as a specific form of isolation based on object-oriented functionality
• Protection is provided by encapsulating a collection of procedures and data objects in a domain of its own so that the internal structure of a data object is accessible only to the procedures of the protected subsystem, and the procedures may be called only at designated domain entry points
Fundamental Security Design Principles

Modularity
• Refers both to the development of security functions as separate, protected modules and to the use of a modular architecture for mechanism design and implementation

Layering
• Refers to the use of multiple, overlapping protection approaches addressing the people, technology, and operational aspects of information systems
• The failure or circumvention of any individual protection approach will not leave the system unprotected
Fundamental Security Design Principles

Least astonishment
• Means that a program or user interface should always respond in the way that is least likely to astonish the user
• The mechanism for authorization should be transparent enough to a user that the user has a good intuitive understanding of how the security goals map to the provided security mechanism
1.5 - Attack Surfaces
Consist of the reachable and exploitable vulnerabilities in a system

Examples:
• Open ports on outward facing Web and other servers, and code listening on those ports
• Services available on the inside of a firewall
• Code that processes incoming data, email, XML, office documents, and industry-specific custom data exchange formats
• Interfaces, SQL, and Web forms
• An employee with access to sensitive information vulnerable to a social engineering attack
Attack Surface Categories

Network Attack Surface
• Vulnerabilities over an enterprise network, wide-area network, or the Internet
• Included in this category are network protocol vulnerabilities, such as those used for a denial-of-service attack, disruption of communications links, and various forms of intruder attacks

Software Attack Surface
• Vulnerabilities in application, utility, or operating system code
• Particular focus is Web server software

Human Attack Surface
• Vulnerabilities created by personnel or outsiders, such as social engineering, human error, and trusted insiders
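The network attack surface described above begins with an inventory of what is actually listening, and the first example on the attack-surface slide (open ports and the code behind them) is the part an administrator can measure directly. The following Python example is added here and is not from the original slides or the textbook; it parses a constructed listing in the style of `ss -H -lntu` output, separates sockets bound only to loopback from those reachable from a network, and reports the reachable ones that are not on an expected-service list. The sample listing, the expected-port list and the function names are constructed for this illustration.

```python
# Constructed sample in the style of `ss -H -lntu` output (Netid, State, Recv-Q,
# Send-Q, Local Address:Port, Peer Address:Port). Not captured from a real host.
SAMPLE_LISTING = """\
tcp   LISTEN 0  128   0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0  511   0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0  128   127.0.0.1:5432    0.0.0.0:*
tcp   LISTEN 0  128   [::1]:6379        [::]:*
tcp   LISTEN 0  128   [::]:8080         [::]:*
udp   UNCONN 0  0     0.0.0.0:123       0.0.0.0:*
tcp   LISTEN 0  128   10.0.0.5:3306     0.0.0.0:*
"""

# Services this host is expected to expose (constructed allow-list).
EXPECTED_PORTS = {("tcp", 22), ("tcp", 443)}

# Bind addresses that answer on every interface.
WILDCARD_HOSTS = {"0.0.0.0", "[::]", "*"}


def split_endpoint(endpoint: str):
    """'[::]:8080' -> ('[::]', 8080); '0.0.0.0:22' -> ('0.0.0.0', 22).
    rpartition on the last colon keeps bracketed IPv6 addresses intact."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def is_local_only(host: str) -> bool:
    """True for sockets bound to a loopback address: reachable only from this host."""
    return host.startswith("127.") or host == "[::1]"


def parse_listeners(text: str) -> list:
    """Turn the listing into records and mark each as network-reachable or not."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        proto, local = fields[0], fields[4]
        host, port = split_endpoint(local)
        listeners.append({
            "proto": proto,
            "host": host,
            "port": port,
            # A wildcard bind answers on every interface, a specific non-loopback
            # address answers on that interface, and loopback is not reachable
            # from the network at all.
            "reachable": host in WILDCARD_HOSTS or not is_local_only(host),
        })
    return listeners


def unexpected_exposure(listeners: list, expected: set) -> list:
    """Reachable listeners that are not on the expected-service list, in listing order."""
    return [(s["proto"], s["host"], s["port"])
            for s in listeners
            if s["reachable"] and (s["proto"], s["port"]) not in expected]


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_LISTING)
    for proto, host, port in unexpected_exposure(found, EXPECTED_PORTS):
        print(f"review: {proto} {host}:{port} is network-reachable and not expected")
```

Each reported socket is a candidate for either closing, re-binding to loopback, restricting with the host firewall, or adding to the expected list with an owner; the loopback-only database and cache in the sample stay out of the report because they do not contribute to the network attack surface, although they remain part of the software attack surface.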
1.6 - Computer Security Strategy

Security Policy
• Formal statement of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources

Security Implementation
• Involves four complementary courses of action:
  • Prevention
  • Detection
  • Response
  • Recovery

Assurance
• The degree of confidence one has that the security measures, both technical and operational, work as intended to protect the system and the information it processes

Evaluation
• Process of examining a computer product or system with respect to certain criteria
1.7 - Standards
• Standards have been developed to cover management practices and the overall architecture of security mechanisms and services
• The most important of these organizations are:
  o National Institute of Standards and Technology (NIST)
    • NIST is a U.S. federal agency that deals with measurement science, standards, and technology related to U.S. government use and to the promotion of U.S. private sector innovation
  o Internet Society (ISOC)
    • ISOC is a professional membership society that provides leadership in addressing issues that confront the future of the Internet, and is the organization home for the groups responsible for Internet infrastructure standards
  o International Telecommunication Union (ITU-T)
    • ITU is a United Nations agency in which governments and the private sector coordinate global telecom networks and services
  o International Organization for Standardization (ISO)
    • ISO is a nongovernmental organization whose work results in international agreements that are published as International Standards
Summary
• Computer security concepts
  o Definition
  o Challenges
  o Model
• Threats, attacks, and assets
  o Threats and attacks
  o Threats and assets
• Security functional requirements
• Fundamental security design principles
• Attack surfaces and attack trees
  o Attack surfaces
  o Attack trees
• Computer security strategy
  o Security policy
  o Security implementation
  o Assurance and evaluation
