Computer and Data Security

Mario Čagalj

University of Split
Introduction

Based on different sources:

kaspersky.com
ttmm.io/tech/professional-paranoia
masterclass.com/articles/understanding-incentives-in-economics
Cybersecurity Trends
 Cybersecurity is fast-moving
 A game of cat and mouse between hackers and defenders

 Latest trends increase risks [kaspersky.com]

 Remote working risks (post Covid-19 pandemic)
 The growth of mobiles
 The Internet of Things (IoT) is on the rise
 Rise of ransomware and social engineering
 Increase in cloud services
 Rise of artificial intelligence (AI)

3
Incentives at Odds with Cybersecurity
 An incentive is anything that moves/motivates
you to do something
 Intrinsic incentives comes from within a person
 Extrinsic incentives through material reward or punishment

 Intrinsic incentives
 Edward Snowden
 A company fires a system administrator
 People have a tendency to show off and prove their point

 Extrinsic incentives
 Your personal data and habits have an economic value, even
if you do not value it that much [Dark Web Price Index 2022]
4
Professional Paranoia
 Paranoia vs professional paranoia
 Hope for the best, but expect the worst and enjoy life 

5
Overview of Information
Security
Based on:
An Introduction to Information Security, NIST
Computer Security: Principles and Practice, Stallings and Brown
Information Security
 The protection of information and information systems
from unauthorized access, use, disclosure, disruption,
modification, or destruction in order to ensure
confidentiality, integrity, and availability.
 [An Introduction to Information Security]
NIST (National Institute of Standards and Technology)

7
Key Information Security Concepts
 Information security rests on CIA
 Confidentiality (hrv. povjerljivost)
 Integrity (hrv. cjelovitost)
 Availability (hrv. dostupnost)

 CIA are the fundamental security objectives

for both data and computing services/systems
 Hardware, software, data, telecomunications

8
Confidentiality
 Refers to hiding of proprietary information or
resources, including protection of personal privacy
 Only authorized people or systems can access protected data

 Also applies to the existence of data/resource

 The existence of data equally informative as the data itself
 Data shape, intensity, abudance, lack etc. can be very
informative and revealing
 [Tor Metrics]

9
Confidentiality
 An interesting spike here [Tor Metrics]

10
Confidentiality
 [Tor Metrics]

11
Confidentiality
 Access control mechanisms support confidentiality
 Access control through encryption (cryptography)
 Access control by means of passwords and permissions
 Think and answer:
 Name an important difference between the two mechanisms
 Which one would you suggest as a security consultant?

12
Integrity
 Refers to the trustworthiness (hrv. vjerodostojnost) of
data or resources
 Protection against information modification and
ensuring information non-repudiation and authenticity
 Data Integrity – the property that data (in storage, during
processing, and in transit) has not been altered in an
unauthorized manner
 System Integrity – the quality that a system has when it
performs its intended function in an unimpaired manner, free
from unauthorized manipulation of the system

13
Integrity
 Integrity protection mechanisms fall into two classes
 Prevention mechanisms - block any unauthorized attempts to
change the data or to change the data in unauthorized ways
(e.g., authentication and access control)
 Detection mechanisms - do not try to prevent violations of
integrity; they simply report that the data’s integrity is no
longer trustworthy (e.g., cryptographic hash functions,
message authentication codes, digital signatures)

 Does confidentiality implies integrity (in general)?

14
Confidentiality vs Integrity

15
Confidentiality vs Integrity

16
Avaliability
 Ensuring timely and reliable access to and use of
information and systems
 Unavailable system is at least as bad as no system at all
 The aspect of availability that is relevant to security is that
someone may deliberately arrange to deny access to data or
to a service by making it unavailable
 Denial-of-Service (DoS) attacks - attempts to block
avaliability

17
Example: SYN Flooding DoS
 TCP 3-way  SYN flooding
handshake
Client Server Client Server

SYN=1

Wa
SYN=2
it
SeqC=3000, SYN=1 SYN=3
Store SYN=4
data

SeqS=5000, SYN=1, SYN=1, ACK=1

Store
AckS=3001, ACK=1 SYN=2, ACK=2

data
SYN=3, ACK=3
timeout
until
Wait

SeqC=3001, SYN=4, ACK=4

AckC=5001, ACK=1

timeout
until
Wait
connection
established

TCP

time time
Backlog queue fills up with
half-open connections.

18
Security Terminology [RFC 4949]
 System resource: hardware, software, data, communication facilities and
networks (assets to be protected)
 Security policy: rules stating what is allowed and what is not allowed

 Vulnerability: weakneses in a system’s desing, implementation, or operation

that can be exploited to violate a security policy
 Adversary: an entity attacking or threatening to a system

 Attack: an assault on system security from an intelligent threat

 Threat: a potential violation of security (potentially exploits a vulnerability)

 Risk: an expetation of loss expresses as probability that a particular threat

will exploit a particular vulnerability with a particular loss incurred
 Countermeasure: an action that reduces a threat, a vulnerability, or an attack

19
Relations Among Security Terms
value
owners
wish to minimize
impose
to reduce
countermeasurs
that may
poses

vulnerabilities
may be aware of
leading
adversary to

give risk
rise to that to
increase
threats assets
to
wish to abuse and/or may damage

20
Vulnerabilities and Attacks
 System resource (asset) vulnerabilities
 May be corrupted (loss of integrity)
 Become leaky (loss of confidentiality)
 Become unavaliable (loss of avaliabity)

 Attacks are threats carried out and may be

 Passive (e.g., wiretapping, snooping, sniffing)
 Active (e.g., man-in-the-middle, man-in-the-browser)
 Insider
 Outsider

21
Vulnerabilities and Attacks
 Man-in-the-middle (MitM)

22
Example: ARP Spoofing Threat
 Address Resolution Protocol (ARP) maps IP to MAC addresses

23
Example: ARP Spoofing Threat
 Another machine sends an unsolicited ARP reply

24
Example: Man-in-the-Browser (MitB)
 MitB is a proxy trojan horse that infects a web browser
and has the ability to modify pages, modify transaction
content or insert additional transactions

25
Example: Man-in-the-Browser (MitB)
 MitB is a proxy trojan horse that infects a web browser
and has the ability to modify pages, modify transaction
content or insert additional transactions
 No TLS protocol nor two (2F) or three factor (3F)
authentication can help (to counter a MitB attack one
has to utilize explicit transaction verification)
 Demo time

26
 Scope of Computer Security
Computer System Computer System
Sensitive files must be
3 4
secured (file security)
Data must be securely
2 Data transmitted through Data
Access to (network security)
the data must
be controlled
(protection)

Users’ processes Users’ processes

Guard Guard
1 Access to the computer
facility must be controlled
(user authentication )

Users making requests

27
Computer Assets and Some Threats

Avaliability Confidentiality Integrity

Equipment is stolen Implanted hardware
Hardware or disabled, thus keylogger.
denying service.
Programs are An unauthorized copy A working program is
deleted, denaying of software is made. modified to cause it to
Software access to users. fail or to cause it to do
some unintended task.
Files are deleted, An unauthorized read Existing files are
denying access to of data is performed. modified or new files
Data users. An analysis of are fabricated.
statistical data reveals
underlaying data.
Messages are Messages are read. Messages are modified,
Communication destroyed or Traffic patterns are destroyed, reordered,
deleted. observed. duplicated. False
Links
messages are injected.

28
Some Trends at Odds with Computer Security
Connected
Devices
high
Attacker Tools
Sophistication

Intruders
low
knowledge

past present future

29