What is Computer Security?
John Giordani, DIA
Doctor of Information Assurance - Technology Risk Manager - Information Assurance and AI Governance Advisor - Adjunct Professor, UoF
Computer security is the branch of computer science that deals with protecting computer systems from potential risks and data breaches. The main aspects of data (i.e., information) protection are:
confidentiality or privacy - protecting data exchanged between a sender and one or more recipients from the risk of access by third parties who lack permission
integrity - protecting data from tampering, whether caused by unauthorized or accidental events, and providing appropriate procedures for recovering the information
availability - reducing the risk that authorized users are denied access to information because of unauthorized access or accidental events
It is good to be aware that the countermeasures taken in a computer system are never enough to ward off every attack: no computer connected to the Internet will be 100% safe. Behind attacks on a computer system lie different motives:
- Access to confidential information
- Industrial Espionage
- Personal Revenge Purposes
- Public defamation of a company
- Gaining economic benefits
For all these reasons, network security is of paramount importance, both from a personal and from a professional point of view. In every one of these cases, the user's privacy is violated.
Legal Aspects
Security on the Internet, understood as the preservation and protection of economic and non-economic values, is naturally entwined with legal aspects whenever these values are recognized and taken into account by the law.
Personal data can be divided into four categories:
Sensitive data: data capable of revealing a person's racial or ethnic origin, religious or other beliefs, political opinions, membership of parties, trade unions or associations, as well as personal data suitable for revealing a person's state of health or sex life.
Semi-sensitive data: information related to a person's financial situation.
Common data: all information, such as name, last name, SSN, date of birth, address, telephone numbers and driver's license number, that allows a person or entity to be identified.
Judicial data: information that can disclose criminal records, a register of administrative sanctions for offenses, or suspended charges.
In addition, personal data must be:
- processed fairly;
- collected and recorded for specific purposes;
- accurate and up to date;
- kept in a form that allows the identification of the person concerned.
System components to be protected
It is essential to protect certain system components from external attack; among them are hardware, software, data, storage media, networks, access, and key individuals. The term hardware comes from merging two English words, hard and ware (artifact, object); it refers to all the "physical" components of a computer, that is, all the magnetic, optical, mechanical, and electronic parts that allow it to operate. Software means the set of programs and instructions that, when the machine is powered up, animate it and make it possible for the user to work with it; the term combines soft and ware (artifact, component, object, thing). Data are the information managed by the programs, and storage media have the function of storing that data. Networks enable the exchange of information through the interconnection of systems; access concerns the possibility given to users of reaching resources; and finally, key individuals are the system administrators and specialized operators. The types of damage that can be done to system components can be listed as follows:
- Interruption; this may denote an asynchronous signal by which a peripheral indicates a "need for attention" for a specific service request, or a synchronous event that allows a running process to be interrupted when specific conditions occur or when it makes a specific request to the operating system.
- Interception; an unauthorized entity (a user, a computer system, or a program) gains access to an asset.
- Modification; an unauthorized entity (a user, a computer system, or a program) gains access to an asset and modifies it.
- Counterfeiting; the construction of counterfeit objects within the computer system by an unauthorized user, program, or computer system.
The types of damage listed above can be attributed to specific components of the system: in detail, hardware devices are most susceptible to interruptions and interceptions, while software and data are exposed to all types of damage.
The attackers
To protect against possible attacks, you must identify the possible sources of threat. We can distinguish between:
Hacker attacks, carried out over the Internet by users called "hackers" who, by using special software, sometimes written by themselves, intrude into the system without authorization and succeed in obtaining full control of the machine, managing resources and data without permission.
Cracker attacks, which violate computer systems with the precise intent of causing damage. The term "cracker" is often confused with "hacker," although the meanings are noticeably different. Some techniques are similar, but the hacker is the one who uses his or her ability to explore, have fun, and learn without causing real damage. The cracker, on the contrary, uses his own abilities (and in some cases those of others) in order to destroy, deceive, and earn. Another distinction concerns:
1) outsiders: those who operate from outside the network they intend to attack;
2) insiders: those who are allowed to use the network but are trying to abuse it.
Types of network attacks
There are several types of attack:
- Acquisition of information: a set of actions that precede an attack.
- Unauthorized access: an intruder gains access to a network or to a computer without permission, obtaining confidential information or causing various types of damage to the system.
- Access to, modification of, or deletion of information.
- Denial of service: the intruder makes a system, service, or network unavailable by exhausting its network resources (bandwidth), by TCP SYN floods, or by filling its disk space (by uploading data).
Attacks can be carried out using different techniques:
Interceptions
Sniffing is the passive, electronic interception of data transiting a network. It can be carried out for legitimate purposes (e.g., analysis and detection of communication problems or intrusion attempts) and for illicit ones (fraudulent interception of passwords or other sensitive information). The software and hardware tools used to perform these tasks are called sniffers; the term derives from "The Sniffer Network Analyzer," the name of the first program of this type. The mere presence of a sniffer represents a flaw and a threat to the security and confidentiality of communications within the network. If a LAN is under the "control" of a sniffer, there are two possibilities: either an intruder from outside has successfully installed a sniffer inside the network, or a user or network operator is using one improperly (i.e., for something other than monitoring and maintenance). The most exposed items are the personal passwords used to access the most varied network or Internet services.
Port scanning
Port scanning is a technique used to gather information about a computer connected to a network by determining which ports are "listening" on the machine. A port is said to be "listening" or "open" when a service or program uses it, so port scanning aims to detect the list of active services on a particular machine. It literally means "scanning the doors" and consists of sending connection requests to the target computer. Scanning shows whether a port is "open" (the connection is accepted, meaning there is an active service on that port), "closed" (the connection is denied), or "dropped/filtered," for example when some protection or obstacle (e.g., a firewall) blocks access to the port and prevents its status from being determined. In itself, port scanning is not dangerous for IT systems and is commonly used by system administrators to perform checks and maintenance. However, it reveals detailed information that an attacker could use to prepare a technique designed to undermine system security, so administrators are very careful about how and when port scanning is done against the computers in their network.
Virus
In 1949 John von Neumann demonstrated that it was possible to build a computer program capable of replicating itself. The idea found application in the game "Core Wars," created by a group of programmers, in which several programs had to overwrite each other. This marked the beginning of computer viruses. The definition of a virus was as follows: "A computer virus is a program that recursively and explicitly copies an evolved version of itself."
A virus is software that can infect files and reproduce by making copies of itself, generally without being detected by the user. The term virus is commonly misused as a synonym for malware, thus also covering different categories of "viri," such as worms, trojans, dialers, or spyware.
Those who create viruses are called virus writers. A virus is made up of a set of instructions, like any other computer program. It usually consists of a minimal number of instructions (from a few bytes to a few kilobytes) and is specialized in doing just a few simple operations; it uses the smallest possible amount of resources so as to remain as invisible as possible. The life cycle of a virus is articulated in a series of phases: creation, incubation, infection, activation, propagation, recognition, and finally eradication. To be activated, a virus must infect a host program or a sequence of code that is launched automatically, as in the case of the boot sector (a reserved sector of a magnetic medium).
The technique usually used by viruses is to infect executables: the virus inserts a copy of itself into the executable file it infects. Viruses can spread through programs downloaded from the Internet or from infected media, or by opening and running unknown e-mail attachments.
There are several types of viruses:
File viruses: they partially or completely replace a program (.exe, .bat, .com, etc.). When the program runs, the virus runs.
Boot viruses: they use the boot sector or MBR of the disk to run at each boot of the machine, and they reside in memory.
Multipartite viruses: the most dangerous, since they can infect both the boot sector and programs.
Macro viruses: they infect only data files (not programs), precisely those files that can contain macros.
Viruses can be harmful to the operating system that hosts them and waste resources in terms of RAM, CPU, and hard drive space. They can also damage the hardware indirectly, for example by causing the CPU to overheat or by stopping the cooling fan. Mostly a virus makes copies of itself, spreading the epidemic, but it can also have other more damaging tasks: erasing or tampering with files, formatting the hard disk, opening backdoors (service ports that let an attacker bypass part or all of the security procedures), making messages appear, drawing on the screen, or changing the appearance of the display.
Trojans
They owe their name to the fact that their features are hidden within a seemingly useful program; it is the user who, installing and executing a certain program, unknowingly installs and executes the hidden trojan code as well. Trojans have no visible effect on the PC. More and more of them are not recognizable by current antivirus software, and some can even prevent it from updating. They camouflage well, look normal and perhaps even useful, and it is not in their intrinsic nature to self-replicate. Their action may be immediate or delayed.
Trojans are a variant of viruses that can hide certain malicious features within the system or within seemingly innocent programs. They are often used as an alternative vehicle for worms and viruses to install backdoors or keyloggers on target systems.
Since roughly 2001 or 2002, trojans have been used systematically by criminals to carry out illegal actions using the infected PC as a relay station, in particular to send spam messages and to steal personal information such as credit card numbers and other documents, e-mail addresses, and passwords (thanks to programs called keyloggers). They strike especially while surfing the Internet or while executing software (mostly audio and multimedia software); to be more effective, trojans hide in hidden operating system folders to which the user may not have access. By hiding in these folders, even the antivirus cannot eliminate them without damaging the computer, and when this happens the trojan can be detected and removed only through a complete data removal performed by an expert. Antivirus products are, in fact, often insufficient to remove a trojan: while they recognize the most important and widespread ones, it is not easy to identify and control newcomers, because the antivirus relies on recognizing and verifying each trojan's signature. The dangers are therefore varied, and specific products that guarantee prevention and/or removal are almost never found; only a good amount of attention and a proper browser configuration can provide the help we seek.
Spyware
Spyware is a type of software that gathers information about a particular user's online activity (sites visited, purchases made online, etc.) without her consent; the information is subsequently transmitted via the Internet to an organization that uses it for profit, usually by sending targeted advertising.
The term spyware is often used to designate various kinds of malware, including malicious software used to send unsolicited advertisements (spam), to modify the browser's home page or bookmark list, or to perform illegal activities such as redirecting to fake e-commerce sites (phishing). Such software can be installed by exploiting browser vulnerabilities, by visiting certain web pages, or through social engineering techniques. The latter can be defined as the set of psychological, non-technical techniques used by online attackers to make the user do what they want; examples include inducing you to disclose your access code, to open infected files, or to visit a site containing dangerous material. It should be stressed that spyware occupies memory space and makes the system unstable.
Spyware, like any other unwanted software, can reach your computer in many ways; generally its hidden installation happens during the installation of another program. Whenever you want to install a new application on your computer, it is therefore advisable to read the documentation carefully, including the license agreement and the privacy statement: the bundling of unwanted software with another program may be documented, but it is typically disclosed only at the end of the license agreement or privacy notice.
Worm
Another type of attack is the worm; worms, just like viruses, are made to replicate from one computer to another, but unlike viruses this happens automatically, that is, they do not need to attach themselves to other executable files to spread.
A worm is a particular category of malware (any software created with the sole purpose of causing more or less serious damage to the computer on which it runs), and the feature that makes it even more dangerous is its ability to self-replicate.
One of the first worms on the net was the Internet Worm, created by Robert Morris on November 2, 1988, when the Internet was still in its infancy; it was able to hit between 4,000 and 6,000 machines. A worm modifies the infected computer so that it runs every time the machine starts and stays active until the computer is turned off or the corresponding process is stopped. The worm tries to replicate by exploiting the Internet in different ways, and often a single worm uses more than one vector.
The most common means used by worms to spread is e-mail. Once in the system, the worm can travel independently: for example, a worm can send copies of itself to all the contacts in an e-mail address book and do the same on every computer it can reach. When new worms are released, they spread extremely fast. A worm usually propagates without any special action by the user and distributes copies of itself (possibly modified) across the network. Worms do not use "host" programs or files to travel, but they can penetrate the system and allow malicious users to take control of the computer remotely. They cause a domino effect in network traffic, slowing down both corporate networks and the Internet, and are the cause of long waits when opening web pages. Worms take control of the computer functions intended for transferring files or information.
A worm can consume memory or network bandwidth, causing the computer to shut down abnormally. Even worse, worms can steal data and personal information (passwords, IP addresses).
Phishing
Phishing, the "tapping" of sensitive data, is an illegal activity used to gain access to personal or confidential information for the purpose of theft. Through messages that mimic the graphics and logo of corporate websites, the user is deceived and led to reveal personal information. It spreads through electronic communications, especially fake e-mail or instant messaging, but also through phone contacts, web providers, and online auctions.
Phishing works like this: the phisher sends the user an e-mail message that simulates, in graphics and content, an institution known to the recipient (e.g., his bank, his web provider, an online auction site). The e-mail almost always reports a situation or problem with the recipient's account (such as a huge debt, the expiration of the account, etc.) or a bid, and invites the recipient to follow a link in the message to avoid a charge or to regularize his position with the institution or company. The link provided, however, does not lead to the official website but to a seemingly identical copy of it, located on a server controlled by the phisher, whose purpose is to request and obtain the recipient's personal details, usually under the pretext of a confirmation or of a need to authenticate to the system. This information is stored on the server run by the phisher and ends up in the hands of the attacker, who uses it to buy goods, transfer money, or simply as a "bridge" for further attacks: identity theft, credit card numbers, account numbers, identification codes, etc. You must pay attention to sites that are not authentic; in case of a request for personal data, account numbers, passwords, or credit card details, you must notify the bank or other interested party so that they can act against the malicious site.
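One way to check for the mismatch described above between the address a link shows and the address it really points to, as an added example that is not part of the original article: the e-mail body, the hostnames (reserved example.com/example.net documentation domains) and the trusted-host list are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body. example.com / example.net are reserved
# documentation domains; the first link shows the bank's address as its text
# while its href really points at a look-alike host on another server.
SAMPLE_EMAIL = """
<p>Your account will expire. Please visit
<a href="http://secure-bank.example.net/login">https://www.bank.example.com/login</a>
to confirm your details.</p>
<p>Help: <a href="https://www.bank.example.com/help">www.bank.example.com/help</a></p>
"""

# Hosts the recipient legitimately expects this institution's mail to link to.
TRUSTED_HOSTS = {"www.bank.example.com", "bank.example.com"}


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []      # list of (href, visible text)
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Hostname of a URL; bare 'host/path' text is treated as http://host/path."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def looks_like_url(text):
    """True when the visible link text itself reads as a web address."""
    return "." in text and " " not in text


def check_links(html, trusted_hosts):
    """Return (real host, shown host, verdict) for each link.

    Verdicts: 'ok', 'untrusted host' (href outside the expected domains) or
    'text/href mismatch' (the text shows one address, the href goes elsewhere).
    """
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = host_of(href)
        shown_host = host_of(text) if looks_like_url(text) else real_host
        if real_host != shown_host:
            verdict = "text/href mismatch"
        elif real_host not in trusted_hosts:
            verdict = "untrusted host"
        else:
            verdict = "ok"
        findings.append((real_host, shown_host, verdict))
    return findings


if __name__ == "__main__":
    for real, shown, verdict in check_links(SAMPLE_EMAIL, TRUSTED_HOSTS):
        print(f"{verdict:20} href host={real:30} shown={shown}")
```

A mail gateway or client plug-in would run the same comparison before the user ever sees the link; the point is that the verdict comes from the href, never from the text the sender chose to display.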
Network Defense Tools
Protection against computer attacks is achieved by acting on multiple levels: first of all on the physical level, placing servers in the safest, most secure, access-controlled locations. It is worth noting how often the adoption of sophisticated techniques generates a false sense of security that leads to neglecting the simple ones. There are then a number of techniques, more or less complex, used to protect information.
Managing access to the system
The first step to be taken is user authentication: this is the first obstacle an intruder encounters in his attempt to violate the system, and it reduces the risk that unauthorized users may access the information.
There are various authentication methods: login and password, the most traditional method; magnetic card (recognition is performed by inserting the card into a reader and typing a password); biometrics (fingerprint or voice readers, retina analysis, signature analysis), a method based on identifying user characteristics, which are compared with the values previously recorded by the user himself.
You also need to delimit logical spaces: this ensures a certain level of privacy, since a user can access only the data files or programs for which he has been authorized. Finally, activity tracking allows you to monitor a user's activity on the network and detect any abnormal behavior.
Antivirus
Antivirus software can detect and remove computer viruses from a system. It needs to be updated periodically to provide effective protection; it also has a preventive function, that is, it remains active to prevent viruses from entering the system and checks:
- for the presence of viruses in the startup records at system startup;
- programs at the time they are used, scanning all local hard disks;
- whether there is any activity on the computer that may indicate virus activity;
- for the presence of viruses in files stored on the various media, in memory, and in the boot sector.
Internet security suites, unlike a plain antivirus, protect the system against malware and against unauthorized attempts to gain access through the Internet connection. Such software is used both for personal use and in small offices; it is easy to install and use, offers real-time protection, and the vendor provides support at any time and anywhere in the world. The antivirus, on the other hand, can only eliminate the viruses it recognizes, so a new virus can go completely unnoticed and act without the antivirus intervening. Moreover, the antivirus can intercept a virus only once it has entered the computer and has already infected a file or memory. At that point, depending on the virus, it can "disinfect" the file or memory by completely removing the virus, or in some cases it is forced to "quarantine" the infected file and delete it, because the original file cannot be recovered.
You must update your antivirus regularly so that known malware (that is, malware already listed in the vendor's online database) is recognized and cannot infect your PC. Choosing an antivirus is complex, because some antivirus products track and detect new viruses before others.
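The signature-and-quarantine behaviour described above, as an added example that is not the article's or any vendor's code: the signature patterns, file names and file contents are constructed for the demonstration, and the file that matches nothing in the database is passed untouched, which is exactly why the database must be kept current.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed signature database: name -> byte pattern that identifies it.
# Real engines store far richer patterns; the detection logic is the same.
SIGNATURES = {
    "Demo.Dropper.A": b"DEMO-MARKER-A/payload",
    "Demo.Macro.B": b"Sub AutoOpen()\r\nShell",
}


def scan_bytes(data, signatures=SIGNATURES):
    """Return the name of the first matching signature, or None."""
    for name, pattern in signatures.items():
        if pattern in data:
            return name
    return None


def scan_directory(root, quarantine_dir, signatures=SIGNATURES):
    """Scan every file under root; move detections into quarantine_dir.

    Returns a dict path -> signature name for the files that were quarantined.
    Quarantined files are renamed to their SHA-256 so the original name cannot
    be used to launch them again and duplicate samples collapse to one entry.
    """
    os.makedirs(quarantine_dir, exist_ok=True)
    detections = {}
    for dirpath, _dirs, files in os.walk(root):
        if os.path.abspath(dirpath).startswith(os.path.abspath(quarantine_dir)):
            continue  # never rescan the quarantine itself
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                data = fh.read()
            hit = scan_bytes(data, signatures)
            if hit is None:
                continue  # unknown content is passed: no entry, no detection
            digest = hashlib.sha256(data).hexdigest()
            shutil.move(path, os.path.join(quarantine_dir, digest + ".quarantined"))
            detections[path] = hit
    return detections


def demo():
    """Build a constructed directory tree, scan it, and return the results."""
    root = tempfile.mkdtemp(prefix="avdemo-")
    samples = {
        "invoice.exe": b"MZ...\x00DEMO-MARKER-A/payload\x00...",
        "report.doc": b"header Sub AutoOpen()\r\nShell x",
        "notes.txt": b"plain text, nothing to see",
        "unknown.exe": b"MZ...\x00NEW-VARIANT/not-in-database",   # not yet in the DB
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    quarantine = os.path.join(root, "quarantine")
    detections = scan_directory(root, quarantine)
    remaining = sorted(os.listdir(root))
    shutil.rmtree(root)
    return {os.path.basename(p): sig for p, sig in detections.items()}, remaining


if __name__ == "__main__":
    found, left = demo()
    print("quarantined:", found)
    print("left in place:", left)
```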
Firewall
A firewall is a hardware or software network device that filters all incoming and outgoing information, blocking unwanted incoming traffic while letting outbound traffic through to the network. In this way, the device raises the security level of the network and allows both internal and external users to operate with maximum security. The firewall can be programmed to "control" or block various activities, such as allowing mail to pass, protecting against unidentified logins from outside, or blocking traffic from outside to inside while allowing the opposite direction.
Antispyware
An antispyware program is designed to search the system, through a special scan, for spyware, adware, keyloggers, trojans, and other malware and to delete them. The functions of these programs are similar to those of antivirus software; in fact, they need regular updating of their definitions database in order to detect even the latest spyware.
Encryption
Encryption is the set of methods used to make a message "blurred," that is, not understandable to persons who are not authorized to read it; such a message is called a "cryptogram." Cryptography is therefore the discipline that teaches how to "encode" or "encrypt" a message so that it appears incomprehensible to anyone except the legitimate recipient, and, conversely, how to "decode" or "decrypt" a message whose secret key one does not know.
Historically, for many centuries encryption was used almost exclusively for military and diplomatic purposes, and secret messages physically traveled with trusted couriers. Between the 19th and 20th centuries, the invention of the telegraph, the telephone, and the radio enabled the instantaneous transmission of messages from one side of the world to the other, facilitating interception by the enemy and therefore increasing the need to encrypt confidential messages sent by radio. In the second half of the 20th century, with the invention of the computer and the Internet, the need to communicate confidential information and to encrypt messages extended beyond the diplomatic and military sphere.
IDS
An IDS consists of a set of ad hoc techniques and methodologies for detecting suspicious packets at the network, transport, or application level. An IDS cannot block or filter inbound and outbound packets, nor can it modify them, so it does not try to block intrusions but to detect where they occur. It is a software or hardware system for identifying unauthorized access to computers or local networks, and it is used to detect attacks on computer networks and computers.
These attacks include:
- attacks on computer networks through the exploitation of a vulnerable service;
- attacks by sending malformed data and malicious applications;
- attempts to access hosts by unlawful elevation of user privileges;
- unauthorized access to computers and files;
- and traditional malicious programs such as viruses, trojans, and worms.
There are several types of IDS, differing in their specific task and in the methodologies used to detect security breaches. The simplest IDS is a device that integrates all components into one unit. The activities and fields of application of an intrusion detection system are so varied that they are often handled by several pieces of software which, together, detect attempts to attack or scan a system, provide notification mechanisms, and react to events, even proactively, by blocking IP communications from which hostile packets arrive.
The detection mechanisms for suspicious activity differ, but generally focus on:
- checking system logs, or those of specific programs, to detect abnormal activity;
- integrity control of local files;
- monitoring packets directed to the host, both to react to known attack patterns and to detect a remote port scan, the usual prologue to an attempted intrusion.
Their main disadvantage is that they cannot detect a future type of intrusion that is not already known to the system, while their great benefit is that they generate a relatively low number of false positives and are adequately reliable and fast.
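The integrity control of local files listed above, as an added example that is not part of the original article: a baseline of SHA-256 digests is taken while the system is known-good and sealed with an HMAC, so an intruder who alters a file cannot simply rewrite the baseline to match; the key, the paths and the file contents are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import shutil
import tempfile

# Constructed key for the demonstration. A real deployment keeps the key and a
# copy of the sealed baseline off the monitored host (e.g. on the management
# station that runs the check), so an intruder with root cannot re-seal it.
BASELINE_KEY = b"demo-baseline-key-not-for-production"


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map of relative path -> digest for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = file_digest(full)
    return result


def seal(snap, key=BASELINE_KEY):
    """Serialise a snapshot and attach an HMAC so later edits are detectable."""
    body = json.dumps(snap, sort_keys=True)
    mac = hmac.new(key, body.encode(), "sha256").hexdigest()
    return {"files": body, "mac": mac}


def unseal(baseline, key=BASELINE_KEY):
    """Return the baseline's file map, or raise if the baseline was altered."""
    expected = hmac.new(key, baseline["files"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, baseline["mac"]):
        raise ValueError("baseline MAC mismatch: the baseline itself was altered")
    return json.loads(baseline["files"])


def verify(root, baseline, key=BASELINE_KEY):
    """Compare the tree under root with the baseline: (modified, added, removed)."""
    old = unseal(baseline, key)
    new = snapshot(root)
    modified = sorted(p for p in old if p in new and old[p] != new[p])
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    return modified, added, removed


def demo():
    """Constructed scenario: baseline a small tree, alter it, run the check."""
    root = tempfile.mkdtemp(prefix="fimdemo-")
    initial = {"etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
               "etc/hosts": b"127.0.0.1 localhost\n",
               "bin/ls": b"\x7fELF...original ls"}
    for rel, content in initial.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    baseline = seal(snapshot(root))
    # Simulated intrusion: a binary replaced, a hidden file dropped, a file deleted.
    with open(os.path.join(root, "bin", "ls"), "wb") as fh:
        fh.write(b"\x7fELF...replaced ls")
    with open(os.path.join(root, "bin", ".hidden"), "wb") as fh:
        fh.write(b"dropped")
    os.remove(os.path.join(root, "etc", "hosts"))
    result = verify(root, baseline)
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    modified, added, removed = demo()
    print("modified:", modified, "added:", added, "removed:", removed)
```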
IDS can also be subdivided according to how they respond to what they detect:
- Passive IDS: detect an IT security violation, notify the console operator, and possibly send them an e-mail.
- Active IDS: in addition to notifying the operator of a security breach, they take appropriate countermeasures to eliminate or otherwise isolate the violation.
Eliminating the violation is usually achieved by reprogramming the firewall's access control list to deny access to the attacking addresses. This type of IDS must be programmed carefully, as a false identification may block an authorized user. IDS work in two modes:
Preventive - responding in real time to the attack, it is able to eliminate or isolate the violation.
Reactive - it allows the process to run to completion.
The two modes differ in the timing of the action and in the possibility of interaction; both have the major problem of generating false positives (abnormal activity that is not intrusive but is reported as such) and false negatives (abnormal activity that is not detected and reported). Using only one method cannot offer total security.
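Detecting the remote port scan mentioned in the Port scanning and IDS sections above, and responding in passive or active mode as described here, as an added example that is not part of the original article. The iptables-style log lines (documentation addresses only), the threshold, the time window and the allowlist are constructed assumptions of this demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in an iptables-like format with ISO timestamps.
# 203.0.113.5 touches six ports in two seconds; 192.0.2.50 is an
# administrator's monitoring host doing the same on purpose (see allowlist).
SAMPLE_LOG = """\
2024-05-01T10:00:00 gw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=21
2024-05-01T10:00:00 gw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22
2024-05-01T10:00:01 gw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=23
2024-05-01T10:00:01 gw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=25
2024-05-01T10:00:02 gw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80
2024-05-01T10:00:02 gw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=443
2024-05-01T10:00:03 gw kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443
2024-05-01T10:05:00 gw kernel: DROP IN=eth0 SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP DPT=21
2024-05-01T10:05:00 gw kernel: DROP IN=eth0 SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP DPT=22
2024-05-01T10:05:01 gw kernel: DROP IN=eth0 SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP DPT=23
2024-05-01T10:05:01 gw kernel: DROP IN=eth0 SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP DPT=25
2024-05-01T10:05:02 gw kernel: DROP IN=eth0 SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP DPT=80
"""

LINE_RE = re.compile(r"^(\S+) \S+ kernel: \w+ .*?SRC=(\S+) .*?DPT=(\d+)")


def parse(log):
    """Turn log text into (timestamp, source address, destination port) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))))
    return events


def detect_scans(events, threshold=5, window_seconds=10):
    """Alert once per source that hits >= threshold distinct ports within the window."""
    recent = defaultdict(deque)     # src -> deque of (timestamp, port) in the window
    alerted = set()
    alerts = []                     # (src, sorted ports seen when the alert fired)
    for ts, src, port in sorted(events):
        q = recent[src]
        q.append((ts, port))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()             # drop hits older than the sliding window
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, sorted(distinct)))
    return alerts


def respond(alerts, mode="passive", allowlist=frozenset()):
    """Passive: notify only. Active: also return the addresses to add to the
    firewall's deny list, never an allowlisted one, so a false positive cannot
    lock out an authorized host (the risk the article warns about)."""
    notifications = [f"possible port scan from {src}: ports {ports}" for src, ports in alerts]
    blocklist = []
    if mode == "active":
        blocklist = [src for src, _ in alerts if src not in allowlist]
    return notifications, blocklist


if __name__ == "__main__":
    found = detect_scans(parse(SAMPLE_LOG))
    notes, block = respond(found, mode="active", allowlist=frozenset({"192.0.2.50"}))
    for note in notes:
        print(note)
    print("addresses to block:", block)
```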