uccser/cs-field-guide

csfieldguide/chapters/content/en/computer-security/computer-security.md

# Computer Security

The goal of computer security is to ensure that online systems can be accessed easily - but only by those who should be using them!
The online systems could range from banks to social network sites, school networks to home computers, and online shopping to corporate intranets.
This provides the interesting challenge of putting barriers in place for access to computer systems, at the same time trying to avoid getting in the way of legitimate users.

What sort of things does a computer security expert need to be good at?
For one thing, they’re always on the lookout for weaknesses in a system.
Some weaknesses are well known (such as people choosing easily guessed passwords), and others might be a result of the way their company has set up its computers.
But a security person can’t only be concerned with keeping people out, because their real job is to let the right people in!

And this isn’t simple, since computer systems are usually online all the time, can be accessed from anywhere in the world, and are expected to be easy for legitimate customers and staff to access.

Is security really a big deal?
The internet is a hostile environment.
For example, 2% of internet traffic is immediately recognisable as an attack and gets blocked right away.
What about the other 98%?
Well, about 50,000,000 requests a day could be attacks trying to find a weakness that they can use to break in (some current statistics are available [here](https://www.akamai.com/internet-station/cyber-attacks/state-of-the-internet-report/web-attack-visualization), [here](https://www.imperva.com/cyber-threat-index/), and [here](https://cybermap.kaspersky.com/stats)).
With millions of attacks happening every day, a good defence is crucial.
There are a lot of reasons that people want to break into computers: to extract valuable information such as user names, bank accounts and passwords; to stop a site working, either as industrial espionage or to claim a ransom; to make money by selling information or access, or by using resources to mine cryptocurrency; to test their knowledge and capabilities by seeing what they can find; or simply out of curiosity, to find out some personal information about someone.

Computer security is referred to using several names; it’s also known as cybersecurity or information technology security (IT security), and many people also say “infosec” or “cyber” for short.
It is about protecting information, files, and computer systems from harm, theft, and unauthorised access.
Computer security has become increasingly important as devices have become mobile and able to connect with other devices via the internet, intra-networks, Bluetooth, Wi-Fi, and shared drives.
In security terms, the attack surface is increasing as more devices are connected - even a [fish tank thermometer](https://www.washingtonpost.com/news/innovations/wp/2017/07/21/how-a-fish-tank-helped-hack-a-casino/) has been used to gain unauthorised access to sensitive data!
In this chapter we’ll look at the layers of security that can be applied for your privacy and for the protection of your files from attack.

{panel type="exercise"}

# Security thinking

Think of a room that is lit by just a single light bulb at night.
What are 10 ways someone could plunge the room into darkness, without them turning off the switch for the light?
Be creative!
If your job was to keep that light on at all costs, you’d need to block as many as possible of these “attacks” on the light in the room - for each attack you come up with, what could be done to prevent that attack?

{panel type="teacher-note"}

# Guide students to think laterally

For example, what would happen if the power bill wasn’t paid?
These questions and more can be [found on isecom.org](https://www.isecom.org/jat.pdf), and there is a [video that includes this exercise](https://youtu.be/VeG5tE5rS6g?t=1281).

{panel end}

{panel end}

{panel type="teacher-note"}

# Computer security and illegal activities

Most breaches of computer security are the result of criminal activity, and the threats discussed in this chapter are usually illegal activities.
Normally we encourage students to do practical experiments with the concepts covered in the CS Field Guide, but there are obvious legal and ethical implications with students exploring some parts of this space.
In a more comprehensive course, students explore attack and defence methods on a network disconnected from the internet, either using a network of spare computers, or setting up virtual machines.
Activities like penetration testing need to be done with full awareness and legal signoff of the organisation whose security is being tested, otherwise it’s hard to distinguish a malicious attack from someone who was “just trying to help”.
We have suggested some activities in this chapter that don’t require pushing this boundary, but as a teacher, you also need to make sure students are aware of ethical and legal implications.
In the same way that police and security guards know the tricks that criminals use, computer security people gain a lot of knowledge that can be used for harm as well as good.

{panel end}


{panel type="additional-information"}

# Background reading

The following books provide colourful stories from the history of computer security; they won’t be so useful for understanding current techniques, but they do uncover real issues that underlie computer security:

- “[Cult of the Dead Cow](https://www.goodreads.com/book/show/42283862-cult-of-the-dead-cow) is the tale of the oldest, most respected, and most famous American hacking group of all time. Though until now it has remained mostly anonymous, its members invented the concept of hacktivism, released the top tool for testing password security, and created what was for years the best technique for controlling computers from afar, forcing giant companies to work harder to protect customers.”
- [The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage](https://www.goodreads.com/book/show/18154.The_Cuckoo_s_Egg) by Clifford Stoll. “Before the Internet became widely known as a global tool for terrorists, one perceptive U.S. citizen recognized its ominous potential. Armed with clear evidence of computer espionage, he began a highly personal quest to expose a hidden network of spies that threatened national security. But would the authorities back him up?”

{panel end}