Linux Networking and Security

SCSC 455 Computer Security
Chapter 1 Overview of Computer Security
Dr. Frank Li
Index
- Overview of security risks in computer systems
- Privacy in computer security
- Risk assessment and security policy
- Security-focused organizations
- Government's security and privacy role
- Security-focused Linux products
- Security certifications
Overview of Computer Security
- Computer security is a large and specialized field.
- Computer security is separate in many ways from the day-to-day operation of a network server.
- There are many unauthorized computer access events and attacks on computer networks.

Do you know ...
- Carlos Felipe Salgado used sniffing techniques to collect over 100,000 credit card numbers from online merchants. He was arrested in June 1997 as he tried to sell them to undercover FBI agents.
- On Nov. 3, 1988, system administrators all over the U.S. found that their systems were running abnormally slowly.

Do you know ... (cont.)
- In early 2000, a series of attacks attempted to shut down many web sites (Yahoo, eBay, Microsoft Network, etc.) by overwhelming them with bogus requests.

Q: What are the causes of so many attacks on networks and computer systems?
Evolution of computing and security

Mainframe era
- The only computers were a few mainframes, which were used for specialized tasks.
- Users accessed the mainframes through "dumb" terminals.
- There was little threat of security breaches or of vulnerabilities being exploited at that time. Why?

Mainframe era: because ...
- Only a handful of people, who knew how to operate the computer, worked in a closed environment.
- Although some mainframes were networked, it was done in a crude fashion for specific tasks.
- Although the OS of that time had problems, software bugs, and vulnerabilities, not many people were interested in taking advantage of them.
PC and networking era (1980 -- )
- Personal computers (PCs) became more efficient and cheaper.
- The functionality of systems grew, and various applications were developed.
- Millions of individuals have access to computers.
- Millions of computers are networked, and the client/server computing model was born.
- Many security issues emerged:
  - data corrupted accidentally due to individual mistakes
  - unexpected inputs from users
  - malicious attempts from crackers
Pros and cons of networking
- A large number of computers are networked nowadays.
- This broad access represents the power of networked computers, but also represents opportunities for malicious intent.
  - The more broadly a computer is networked, the more potential there is for access to that computer.
  - A great deal of valuable information (personal, financial, ...) is stored on computers.
- Two terms are commonly used for persons who break into computer systems: hacker vs. cracker.
- The motivations: for fun or for profit.
Other causes of computer attacks
- Cyber-terrorism: the use of computing resources to intimidate or coerce others.
  - E.g., hacking into a hospital computer system and changing someone's medicine prescription to a lethal dosage as an act of revenge.
- Information warfare: "the offensive and defensive use of information and information systems to deny, exploit, corrupt, or destroy an adversary's information, information-based processes, information systems, and computer-based networks while protecting one's own. Such actions are designed to achieve advantages over military, political or business adversaries." -- Dr. Ivan Goldberg
- Computer crime: unauthorized access to a computer system.
  - Gathering accurate statistics of the damages caused by computer crime is difficult. Why?
The difficulties of gathering accurate statistics of computer crime
- Computer break-ins are not always reported:
  - they are not discovered
  - they are discovered long after the break-in occurred
  - the company that was broken into may not want to risk negative publicity by reporting the incident
How are nations affected?
- We are increasingly dependent on computer/network technology for communication, funds transfers, utility management, government services, military action, and maintaining confidential information.
  - E.g. 1: A majority of military vehicles, weapons systems, and communication systems are controlled by computer systems.
  - E.g. 2: Critical infrastructures and industries, such as the power grid and communication channels, are controlled by computer systems. Most governments have recognized this vulnerability and have started taking steps to avert these types of attacks.
How are companies affected?
- Many companies are finding out how security affects their bottom line in ways they never expected.
  - If a company suffers a security breach, it will have to deal with a wide range of issues, such as being sued by its customers.
  - Organizations have had trade secrets and intellectual property stolen by employees who left to work for a competitor.
  - A company can lose money and time through its lack of readiness to react to a situation.
  - To get a good insurance rate, companies must prove that they have a solid security program and that they are doing all that they can to protect their own investments.
The Evolution of Hacking
- What is hacking?
  - Joyriding hacking, profit-driven hacking, and ethical hacking
  - Hackers' profiles: baby hacker, tool hacker, and godfather hacker
- Not only is hacking activity on the rise, but the sophistication of the attacks is advancing:
  - stealing financial information or military secrets
  - defacing web sites
  - extortion
  - phishing
  - etc.
The Privacy Issue
- Privacy issues arise when personal information is stored in computers.
- Any personal information stored on a computer is threatened by someone cracking the system where it is stored.
  - E.g., credit card numbers, tax records, medical files, military records
- Privacy makes computer security an issue of personal concern.
The Privacy Debate
- Privacy advocates vs. those advocating a free flow of information
- Opt-in vs. opt-out
  - Opt-in: you will not receive ads unless you specifically say "yes, put me on the mailing list."
  - Opt-out: you receive ads unless you contact the company and say "take me off the mailing list."
- E.g.:
  - Who should be able to obtain your credit records?
  - Who should be allowed to see your medical records?
  - How can a company that gathers information about you use that information?
Privacy Policy
- A privacy policy is a voluntary statement by a company about how it will and will not use the data that it collects about users or customers.
- Privacy policies usually contain statements such as the following:
  - We don't collect or save any information about visitors to our web site.
  - We collect information in order to complete a sale or register users, but we do not share that data.
  - We collect information on visitors and usage patterns to determine if a visitor might be interested in some of our other products.
  - We collect information and share it with our partners who may have products that interest you.
  - ...
Example of Privacy Policy
- Personal information
  - In all marketing channels we do collect information you choose to submit.
  - We use common Internet technologies, such as cookies, on our Web sites and in our e-mails.
  - ...
- Uses of information
  - We may share information about you with vendors we have hired to provide services on our behalf.
  - ...
- Your privacy choices
  - You may unsubscribe from our e-mail newsletters and promotions.
  - You may direct us not to send you direct mail promotional materials or call you about Consumer Reports products, programs and services.
  - ...
Ethics and System Administrators
- Privacy policies are usually created and enforced by lawyers and marketing VPs, and executed by the system administrators.
- The burden of ethical use of data typically falls on the system administrator.
- Ethics deals with the issue of doing the right thing at the right time, for the right reason.
- Ethics codes were developed to define the role of system administrators in organizations, to increase the respectability of the profession, and to raise its standards of behavior.
The approaches to security
- A paradox of computer security: the more secure a system is, the less usable it is.
- The best approach to security is to make a system highly secure without undue annoyance to authorized users.
- "Security through obscurity" assumes that if no one knows about your system, you are safe.
  - Is it a good approach? Why?
Risk Assessment
- "Security through obscurity" must be avoided. Because ...
  - The key to good security is not to hope that no one finds the security weaknesses of your system, but rather to eliminate those weaknesses.
- Hardware, software and data are the primary targets of attack.
  - Of these three, the threat to data is the most serious.
Outsider vs. Insider
- Crackers break into systems in order to:
  - steal data (e.g., credit card numbers)
  - corrupt data (maybe unintentionally, but often for malicious reasons)
  - block access to the system (as in a Denial-of-Service (DoS) attack)
- Crackers are not the only threat to systems; a majority of security incidents result from the actions of users within an organization.
Computer attack techniques
(The details will be covered in later chapters.)
- Password cracking: obtaining a password by using a password cracking program or social engineering
- Trojan horse attacks: an illicit program is run from an untrustworthy source
- Buffer overflow attacks: rely on a weakness in the design of a program dealing with buffer (memory space) management
- Denial-of-Service attacks: try to overwhelm your system so that valid users cannot access it
Risk Assessment
- Security should begin with a careful analysis of the assets being protected and their value.
  - These assets can include reputation, revenue generation, secret data, or other factors.
- What is risk?
Four layers of security
(will be covered in later chapters)
- Physical security - e.g., physical access to the Linux server
- User security - e.g., user authorization and privileges
- File security - e.g., file access limitations
- Network security - e.g., secure network configuration
Creating a Security Policy
- A security policy is a written document that may do any of the following:
  - Analyze what assets are at risk
  - Provide network danger statistics to end users
  - Describe security procedures
  - Outline user access levels
  - List specific actions to make the system secure after a reboot
  - Outline procedures to follow when an intrusion by a cracker has been detected
  - Merge the security policy with the disaster recovery plan
Computer security is really about people
- In one sense, computer security is really about people:
  - knowing why they act as they do and knowing whom to trust
  - this is true from the perspective of both the system administrator and the cracker
- The system administrator must proceed with caution regarding where they obtain Linux and other software.
  - A back door is a method of accessing a program that is known to its creator but not to other users.
- Social engineering involves a cracker manipulating a user to extract needed access information.
  - E.g., a cracker will simply obtain a user's name and call them in order to obtain information.
  - E.g., a cracker could walk past an employee's workstation and gather information from posted data.
How to stay secure
- Upgrade the Linux system regularly: keep your system upgraded, including the Linux kernel and the programs that run on Linux.
  - Most of the updates for security problems come in the form of a patch.
  - Q: update vs. patch?
- The best way to stay informed about upgrades and patches is to subscribe to the security notification service of a reputable Linux vendor.
- Take advantage of professional organizations which act as clearinghouses for recent security information.
  - E.g., Red Hat has a service, "Red Hat Network", which informs subscribers of new patches and upgrades.
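A practical follow-up to "keep the kernel upgraded": a patched kernel that is installed on disk protects nothing until the machine is rebooted into it. The script below is an added example (not part of the lecture or of any vendor's tooling) that compares the running kernel version with the newest kernel image installed. It assumes the conventional layout in which kernel images live in a boot directory as files named vmlinuz-<version>; the demo data is a constructed temporary directory rather than the real /boot.

```sh
#!/bin/sh
# Added example, not from the lecture: detect a pending reboot after a kernel
# patch by comparing the running kernel with the newest installed image.
#
# Assumption (labelled): kernel images are files named vmlinuz-<version> in a
# boot directory. The demo below builds such a directory under a temp path.

# Print the highest kernel version found in a boot directory (empty if none).
newest_installed_kernel() {
    boot_dir="$1"
    ls "$boot_dir"/vmlinuz-* 2>/dev/null \
        | sed 's#.*/vmlinuz-##' \
        | sort -V \
        | tail -n 1
}

# Return 0 if the running kernel is the newest installed one, 1 if a newer
# kernel is installed (reboot pending), 2 if no kernel images were found.
check_kernel_current() {
    running="$1"
    boot_dir="$2"
    newest="$(newest_installed_kernel "$boot_dir")"
    [ -n "$newest" ] || return 2
    [ "$running" = "$newest" ] && return 0
    return 1
}

# Constructed demo data: a fake boot directory with an older and a newer kernel.
demo_boot="$(mktemp -d)"
: > "$demo_boot/vmlinuz-5.10.0-21-amd64"
: > "$demo_boot/vmlinuz-5.10.0-23-amd64"

# On a live host, replace the demo arguments with: "$(uname -r)" /boot
if check_kernel_current "5.10.0-21-amd64" "$demo_boot"; then
    echo "running kernel is current"
else
    echo "newer kernel installed, reboot pending: $(newest_installed_kernel "$demo_boot")"
fi
rm -rf "$demo_boot"
```

The version comparison uses `sort -V` so that a patch release such as 5.10.0-9 sorts below 5.10.0-21, which a plain lexical sort would get wrong.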
Security-focused organizations
- Two organizations are known as bastions of computer security information:
  - The CERT Coordination Center (Computer Emergency Response Team)
  - The System Administration, Networking, and Security (SANS) Institute
CERT/CC
- The CERT Coordination Center (CERT/CC):
  - is a federally funded software engineering institute operated by Carnegie Mellon University
  - was formerly called the Computer Emergency Response Team
  - The CERT/CC website maintains lists of security vulnerabilities, alerts, and incident reports.

CERT/CC Website (screenshot slide)
SANS
- The System Administration, Audit, Network, and Security Institute (SANS)
  - is a prestigious education and research organization whose staff includes most of the leading security experts in the country
  - www.sans.org
    - contains a top 20 list of the most widely used strategies being used to attack computer systems, updated annually
    - security training and certificates from SANS
- SANS Internet Storm Center at www.incidents.org
  - a statistical summary of what attacks are taking place at more than 3,000 firewalls in over 60 countries around the world
  - Today's Internet Threat Level: GREEN ... RED

SANS Website (screenshot slide)
The U.S. Government and Computer Security
- Computer security is increasingly viewed as part of our national security.
  - The U.S. federal government continues to increase its involvement with the computer security industry.
- Two new roles the government is playing are:
  - prosecutor of computer crimes
  - an information clearinghouse to encourage good security practices
Security and the Law
- When Congress passed the Computer Fraud and Abuse Act (1986), it became a crime to access a computer without authorization.
- Additional laws have been passed to help stop the acts of crackers, including:
  - the Computer Security Act (1987)
  - the National Information Infrastructure Protection Act (1996)
  - the Patriot Act (2002)
- Prosecuting a cracker is different from prosecuting other criminals.
  - Investigators need to have a strong understanding of the technology involved.
  - Special computer crime units:
    - The FBI's National Computer Crime Squad
    - The U.S. Department of Justice, Criminal Division
    - The FBI's National Infrastructure Protection Center (NIPC)
    - The Department of the Treasury runs the Secret Service and the Financial Crimes Enforcement Network (FinCEN)
Security-Focused Linux Products
- Several security-focused versions of Linux have been developed:
  - NSA Security-Enhanced Linux
  - Trustix Secure Linux
  - Bastille Linux hardening package

NSA Security-Enhanced Linux (SELinux)
- NSA SELinux is a research project.
- It runs the Linux kernel on top of another kernel (a microkernel).
  - This allows each process in the Linux kernel to be controlled and handled in isolation.
- See http://www.nsa.gov/selinux/ for more information and source code.
Security-Focused Linux Products (cont.)
- Trustix Secure Linux
  - Uses a standard Linux kernel, but it is thoroughly configured to be a server with tight security.
  - No GUI, network services are disabled by default, high level of firewall protection.
  - http://www.trustix.net/
- Another security-conscious Linux is the Bastille Linux hardening package.
  - Contains a set of scripts that can be run on some Linux distributions.
  - Bastille scripts examine your installed Linux system, checking for configurations that present a security hazard.
  - http://www.trustix.org/

Bastille Linux hardening tool (screenshot slide)
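To make concrete what "examine your installed system for configurations that present a security hazard" means, and to illustrate the file-security layer from the "Four layers of security" slide, here is an added example of a minimal hardening check. It is not Bastille's own code and not part of the lecture. It assumes the Debian-style expected modes for /etc/passwd (644) and /etc/shadow (640), which differ on some distributions, and it takes the root directory to inspect as an argument so the demo can run on a constructed temporary tree instead of the live host.

```sh
#!/bin/sh
# Added example, not from the lecture and not Bastille's code: a small
# file-security audit that reports hazardous permission settings.
#
# Assumptions (labelled): expected modes follow Debian defaults; the audit
# takes a root directory so it can be run against constructed demo files.
# On a real host, call audit_root / to inspect the live system.

# check_mode <file> <expected-octal-mode>: 0 if the mode matches, 1 otherwise.
check_mode() {
    file="$1"
    expected="$2"
    if ! actual="$(stat -c '%a' "$file" 2>/dev/null)"; then
        echo "HAZARD: $file is missing"
        return 1
    fi
    if [ "$actual" != "$expected" ]; then
        echo "HAZARD: $file is mode $actual, expected $expected"
        return 1
    fi
    return 0
}

# Print the number of world-writable regular files under a directory.
count_world_writable() {
    find "$1" -type f -perm -o+w 2>/dev/null | wc -l | tr -d ' '
}

# audit_root <root>: run every check; the return value is the hazard count,
# so 0 means the tree passed all checks.
audit_root() {
    root="$1"
    hazards=0
    check_mode "$root/etc/passwd" 644 || hazards=$((hazards + 1))
    check_mode "$root/etc/shadow" 640 || hazards=$((hazards + 1))
    ww="$(count_world_writable "$root")"
    if [ "$ww" -gt 0 ]; then
        echo "HAZARD: $ww world-writable file(s) under $root"
        hazards=$((hazards + 1))
    fi
    return "$hazards"
}

# Constructed demo tree: a correct passwd, a too-permissive shadow file, and a
# world-writable file in a home directory.
demo="$(mktemp -d)"
mkdir -p "$demo/etc" "$demo/home/alice"
: > "$demo/etc/passwd";           chmod 644 "$demo/etc/passwd"
: > "$demo/etc/shadow";           chmod 666 "$demo/etc/shadow"
: > "$demo/home/alice/notes.txt"; chmod 666 "$demo/home/alice/notes.txt"

if audit_root "$demo"; then
    echo "no hazards found"
else
    echo "audit finished with $? hazard category(ies) flagged"
fi
rm -rf "$demo"
```

On the demo tree the audit flags two hazard categories: the shadow file's mode and the presence of world-writable files (the shadow file itself counts there too, so the count reported is 2). Running the same functions with `/` as the root gives a first, narrow approximation of what a hardening package's scripts do across the whole system.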
The purpose of security certification
- Security certification serves two purposes:
  - It helps companies identify individuals who have the ability, knowledge, and experience
    - to perform risk analysis,
    - to identify necessary countermeasures,
    - to implement solid security practices,
    - to help the organization as a whole protect its facility, network, systems, and information.
  - It also provides security professionals with a credential that represents the skill set they want to offer to employers.
Popular IT security certifications
- CompTIA Security+ and Network+ certifications (or equivalent knowledge) are helpful in preparing for advanced security certifications. (www.comptia.org)
  - CompTIA has more than 22,000 member companies in over 100 countries around the world;
  - it also serves the IT industry as the world's largest developer of vendor-neutral IT certification exams.
- Advanced security certifications (details next ...):
  - Certified Information Systems Security Professional (CISSP)
  - The SANS Institute offers training and information security certifications through Global Information Assurance Certification (GIAC)
  - The International Council of Electronic Commerce Consultants (EC-Council) offers Certified Ethical Hacker (CEH)
Compare security certifications
- CISSP
  - More concerned with policies and procedures
  - Although it is not geared toward the technical IT professional, it has become one of the standards for many security professionals.
- GIAC certifications are classified in five subject areas:
  - Security Administration
  - Management
  - Operations
  - Legal
  - Audit
- CEH certification
  - People with this certification will most likely be placed on a team called a "red team" that conducts network penetration tests.
  - Probing the vulnerability of networks and computer systems.
The CISSP Requirements
- The CISSP exam requires one of the following professional experience requirements:
  - At least three years of experience in one (or more) of the ten domains and a college degree
  - Four years of professional experience in one (or more) of the domains within the Common Body of Knowledge (CBK)
  - Two years of experience plus a bachelor's degree or a master's degree in information security from a National Center of Excellence
- Associate of CISSP
  - For candidates who do not meet the professional experience requirements
The Common Body of Knowledge (CBK)
The CISSP exam covers the ten domains that make up the CISSP CBK:

- Access Control Systems and Methodology
  This domain examines mechanisms and methods used to enable administrators and managers to control what subjects can access, the extent of their capabilities after authorization and authentication, and the auditing and monitoring of these activities.

- Telecommunications and Network Security
  This domain examines internal, external, public, and private communication systems; networking structures; devices; protocols; and remote access and administration.

- Security Management Practices
  This domain examines the identification of company assets, the proper way to determine the necessary level of protection required, and what type of budget to develop for security implementations with the goal of reducing threats and monetary loss.

- Applications and Systems Development Security
  This domain examines the security components within operating systems and applications and how to best develop and measure their effectiveness. This domain looks at software life cycles, change control, and application security.

- Cryptography
  This domain examines methods and techniques for disguising data for protection purposes. This involves cryptography techniques, approaches, and technologies.

- Security Architecture and Models
  This domain examines concepts, principles, and standards for designing and implementing secure applications, operating systems, and systems. This covers international security measurement standards and their meaning for different types of platforms.

- Operations Security
  This domain examines controls over personnel, hardware, systems, and auditing and monitoring techniques. This also covers possible abuse channels and how to recognize and address them.

- Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)
  This domain examines the preservation of business activities when faced with disruptions or disasters. This involves the identification of real risks, proper risk assessment, and countermeasure implementation.

- Laws, Investigation, and Ethics
  This domain examines computer crimes, laws, and regulations. This includes techniques in investigating a crime, gathering evidence, and handling procedures. It also covers how to develop and implement an incident-handling program.

- Physical Security
  This domain examines threats, risks, and countermeasures to protect facilities, hardware, data, media, and personnel. This involves facility selection, authorized entry methods, and environmental and safety procedures.