Lecture 1: Computer & Information Security Fundamentals

Computer and Information Security Fundamentals

Course Information
  • Course Code: CSE 2203
  • Semester: II (2024-2025)
  • Lecturer: Sandra Khan
  • Contact: sandra.khan@uog.edu.gy
  • Department: Computer Science, The University of Guyana, Faculty of Natural Sciences
Course Outline
  • Week 1: Security Basics
  • Week 2: Introduction to Cryptography
  • Week 3: Authentication, Encryption (DES/RSA), Hashing
  • Week 4: Integrity – Digital Certificates, Message Digests
  • Week 5: Network and Internet Security
  • Week 6: Internet Commerce, SSL, IPSec, Firewalls
  • Week 7: VPN / IDS
  • Week 8 & 9: Wireless Security
  • Week 10: System Security
  • Week 11: Access Control
  • Week 12: Application Security
  • Week 13: Cyber Crime
Learning Objectives
  • Define Information Security
  • Define Computer Security
  • Describe the major security goals (CIA Triad)
  • Utilize fundamental terminology and concepts of the discipline
  • Explain the nature of the Computer and Information Security challenge and the scope and context of the discipline
  • Evaluate a computer security incident scenario using industry-standard terms
Core Concepts
  • Information Security: Broad field encompassing the protection of information assets.
  • Cyber Security: Related to protecting digital information and systems.
  • Computer Security: Focuses on protecting the assets of a computer or computer system, including hardware, software, data, people, and processes.
  • Determining what to protect involves identifying valuable assets and who values them.
The Discipline of Information/Cyber Security
  • An interdisciplinary course comprising elements of law, policy, human factors, ethics, and risk management.
  • A discipline that focuses on the creation, operation, analysis, and testing of secure computer systems.
  • A computing-based discipline involving technology, people, information, and processes.
Definition of Information
  • Data, such as census or medical data, or readings from sensors.
  • A sequence of symbols that convey some meaning in a given context.
  • Documents such as books, and content on the World Wide Web (WWW).
Why Computer/Information Security is Needed
  • To protect information assets from various threats and vulnerabilities.
Security Goals – CIA Triad
  • The purpose of Information Security is to protect your information's:
    • Confidentiality: Ensuring that information is accessible only to authorized individuals.
    • Integrity: Maintaining the accuracy and completeness of information.
    • Availability: Ensuring that authorized users have reliable access to information and resources.
Fundamental Principles
  • Confidentiality: The ability of a system to ensure that an asset is viewed only by authorized parties.
  • Integrity: The ability of a system to ensure that an asset is modified only by authorized parties.
  • Availability: The ability of a system to ensure that an asset can be used by any authorized parties.
Additional Security Goals
  • Privacy: A person's desire to limit the disclosure of personal information.
  • Non-repudiation: Assurance that the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender's identity, preventing either party from denying the transaction (protection against denial).
CIA Question Example
  • A third party (e.g., a spy) is unable to read a message when:
    • The message uses a cryptographic protocol that implements confidentiality.
Vulnerability – Threat – Control Framework
  • The goal of Computer / Information Security is to protect valuable information assets.
  • A framework that describes how assets may be harmed, and how to counter or mitigate that harm, is called the:
    • Vulnerability – Threat – Control Framework or Paradigm
Vulnerability – Threat
  • A threat is a set of circumstances that can be exploited to cause harm.
  • Software threats are often referred to in the literature as exploits.
  • Once there is a vulnerability or weakness, there is an opportunity for an attacker to exploit it, and a corresponding RISK of a system failure / breach.
  • Incidents can be malicious, unintentional, or due to acts of nature.
Controls / Countermeasures
  • In order to prevent vulnerabilities from becoming incidents or being exploited, we use controls or countermeasures as protection.
  • A control or countermeasure is an action, device, procedure, or technique that removes or reduces a vulnerability.
  • A control prevents threats from exploiting vulnerabilities.
Vulnerability – Threat – Control
  • The Vulnerability – Threat – Control paradigm provides a framework to develop effective security policies to prevent attacks and reduce the risk to the enterprise / organization.
  • So, a threat is blocked by control of a vulnerability.
Key Elements for a Successful Attack (M-O-M)
  • A malicious attacker must have three elements in place in order to facilitate his / her success:
    • Method
    • Opportunity
    • Motive
  • Deny any of the M-O-M, and an attack cannot succeed.
Readings
  • Required Readings:
    • Pfleeger, C. P., & Pfleeger, S. L. (2015). Security in computing: Chapter 1
  • Recommended Readings:
    • Stallings, W. (2007). Network security essentials: applications and standards. Pearson Education India.
    • https://www.sans.org/security-resources/glossary-of-terms/