University of Mosul

College of Engineering
Computer Engineering Dept.

Computer Security
2022-2023
Lecture 1
Introduction to Computer & Network Security
Asst. Prof. Dr. Mayada Faris Ghanim
 Reference
• Security in Computing, Charles P. Pfleeger,
Shari Lawrence Pfleeger and Jonathan
Margulies, Prentice Hall, fifth edition,
ISBN-13: 978-0-13-408504-3, 2015.
• Cryptography and Network Security
Principles and Practice, William Stallings,
Pearson Education, seventh edition, ISBN
978-0-13-444428-4, 2017

2
 What is Computer Security?
Computer security, cyber security is the protection of computer
systems and networks from the theft or damage to their
hardware, software or data, as well as from the disruption or
misdirection of the services they provide. In other words,
Computer security is the protection of the items you value,
called the assets of a computer or computer system.

3
 Values of Assets
After identifying the assets to protect, we next determine
their value. We make value_based decisions frequently, and
they depend on:
1. The value of an asset depends on the asset owner’s or
user’s perspective, and it may be independent of
monetary cost.
2. Other items’ value depends on replacement cost; some
computer data are difficult or impossible to replace.
3. Similarly, timing has bearing on asset value.
Assets’ values are personal, time dependent, and often
imprecise.
4
Values of Assets

5
 The Vulnerability
• A vulnerability is a weakness in the system, for
example, in procedures, design, or
implementation, that might be exploited to
cause loss or harm. For instance, a particular
system may be vulnerable to unauthorized
data manipulation because the system does
not verify a user’s identity before allowing
data access.
6
 The Vulnerability
Computer systems have vulnerabilities too; such
as weak authentication, lack of access control,
errors in programs, finite or insufficient
resources, and inadequate physical protection.
Paired with a credible attack, each of these
vulnerabilities can allow harm. Each attack
vector seeks to exploit a particular vulnerability.

7
 Threat
• A threat to a computing system is a set of
circumstances that has the potential to cause
loss or harm.
• What is the difference between a threat and a
vulnerability?

8
 Threats
• Before we can protect assets, we need to know
the kinds of harm we have to protect them
against, so now we explore threats to valuable
assets.
• We can consider potential harm to assets in two
ways: First, we can look at what bad things can
happen to assets, and second, we can look at
who or what can cause or allow those bad things
to happen. These two perspectives enable us to
determine how to protect assets.
9
 Control Paradigm
We use a control or countermeasure as protection.
That is, a control is an action, device, procedure, or
technique that removes or reduces a vulnerability.
In general, we can describe the relationship between
threats, controls, and vulnerabilities in this way: A
threat is blocked by control of a vulnerability.

10
 C-I-A Triad or the Security Triad
• Availability: the ability of a system to ensure
that an asset can be used by any authorized
parties
• Integrity: the ability of a system to ensure that
an asset is modified only by authorized parties
• Confidentiality: the ability of a system to
ensure that an asset is viewed only by
authorized parties
11
ISO 7498-2 adds to them two more properties
that are desirable, particularly in communication
networks:
• Authentication: the ability of a system to
confirm the identity of a sender
• Nonrepudiation or accountability: the ability
of a system to confirm that a sender cannot
convincingly deny having sent something

12
What can happen to harm the confidentiality,
integrity, or availability of computer assets?
If a thief steals your computer, you no longer
have access, so you have lost availability;
furthermore, if the thief looks at the pictures or
documents you have stored, your confidentiality
is compromised. And if the thief changes the
content of your files but then gives them back
with your computer, the integrity of your data
has been harmed.
13
 Types of Threats
One way to analyze harm is to consider the
cause or source. We call a potential cause of
harm a threat. Harm can be caused by either
nonhuman events or humans.
1. nonhuman threats include natural disasters
like fires or floods; loss of electrical power;
failure of a component such as a
communications cable, processor chip, or
disk drive.
14
 Types of Threats
2. Human threats can be either benign
(nonmalicious) or malicious. Nonmalicious kinds
of harm include someone’s accidentally spilling a
soft drink on a laptop, inadvertently sending an
email message to the wrong person, and
carelessly typing “12” instead of “21” when
entering a phone number or clicking “yes”
instead of “no” to overwrite a file.

15
 Types of Threats
These human errors happen to most people; we
just hope that the seriousness of harm is not too
great, or if it is, that we will not repeat the
mistake.
Most computer security activity relates to
malicious, human-caused harm: A malicious
person actually wants to cause harm, and so we
often use the term attack for a malicious
computer security event. Malicious attacks can
be random or directed. 16
 Malicious attacks
In a random attack the attacker wants to harm
any computer or user. An example malicious
code posted on a website that could be visited
by anybody.
In a directed attack, the attacker intends harm
to specific computers, perhaps at one
organization or belonging to a specific individual
(think of trying to drain a specific person’s bank
account, for example, by impersonation).
17
Types of Threats

18
 Types of Attackers
1. Individuals: computer attackers were individuals,
acting with motives of fun, challenge, or revenge.
Early attackers acted alone.
2. Organized, Worldwide Groups: More recent
attacks have involved groups of people.

19
 Types of Attackers
3. Organized Crime: Attackers’ goals include
fraud, extortion and money laundering, areas
in which organized crime has a well-
established presence.
4. Terrorists: The link between computer
security and terrorism is quite evident.

20
 Controls
A control or countermeasure is a means to
counter threats. Harm occurs when a threat is
realized against a vulnerability. To protect
against harm, then, we can neutralize the threat,
close the vulnerability, or both. The possibility
for harm to occur is called risk.

21
We can deal with harm in several ways:
• prevent it, by blocking the attack or closing the
vulnerability
• deter it, by making the attack harder but not
impossible
• deflect it, by making another target more
attractive (or this one less so)
• mitigate it, by making its impact less severe
• detect it, either as it happens or some time after
the fact
• recover from its effects
22
 Controls
Of course, more than one of these controls can
be used simultaneously. So, for example, we
might try to prevent intrusions—but if we
suspect we cannot prevent all of them, we
might also install a detection device to warn of
an potential attack.
Security professionals balance the cost and
effectiveness of controls with the likelihood and
severity of harm.
23
We can group controls into three
largely independent classes:
1. Physical controls stop or block an attack by
using something tangible too, such as
– locks
–(human) guards
–fire extinguishers

24
 We can group controls into three
largely independent classes:
2. Procedural or administrative controls use a
command or agreement that requires or advises
people how to act; for example,
– laws, regulations
– policies, procedures, guidelines
– copyrights, patents
– contracts, agreements
25
We can group controls into three
largely independent classes:
3. Technical controls counter threats with
technology (hardware or software),including
– passwords
– program or operating system access controls
– network protocols
– firewalls, intrusion detection systems
– encryption
– network traffic flow regulators 26
Types of Countermeasures

27