Nau mai, haere mai (welcome) to the "Computer Security" page! This page will teach you about keeping your digital devices, information, and online activities safe from harm, theft, and unauthorized access. This topic aligns with Digital Technologies Achievement Standard 91989: Demonstrate understanding of how to protect a specified data system.
Define what "computer security" means and its three core goals: Confidentiality, Integrity, and Availability (CIA Triad).
Explain the inherent tradeoffs when balancing the CIA Triad.
Identify various types of digital security threats, including sophisticated social engineering tactics.
Describe advanced methods for protecting digital devices and personal information, including different authentication techniques and defensive/offensive strategies.
Understand the critical role of users, threat actors, and the elements of Technology, People, Process, and Compliance in digital security.
Recognize the breadth of expertise required to be a security expert and the importance of user education in security.
To get the most out of learning about Computer Security, it's essential to have a clear understanding of:
Digital Devices: Do you know what digital devices are?
End-User: Do you understand that digital systems are built for people to use?
File Management: Do you know how your digital files are stored and organized?
Digital Ethics & Society: Do you understand the importance of responsible digital behavior?
Privacy: Have you explored how to control your personal information online?
Quick Check: If someone knew everything you did online, saw all your messages, and knew where you were at all times, how would that make you feel? This feeling relates to your privacy!
Computer security (haumarutanga rorohiko) refers to the protection of computer systems and information from theft, damage, unauthorized access, or disruption. Its main goals are often summarized by the CIA Triad:
Confidentiality: Keeping data private and only accessible to authorized people. This is where Privacy is key! (e.g., your bank ensuring only you can see your account balance).
Integrity: Ensuring data is accurate, complete, and hasn't been tampered with. If someone can change information that you rely on (like account balances or passwords), it can cause huge problems. For example, an attacker could manipulate Artificial Intelligence by feeding machine learning algorithms false data (such as feeding it images of cats, and saying that they are ducks!).
Availability: Making sure authorized users can access systems and data when needed. If a system is overwhelmed or shut down, it loses its availability.
In our digital society, computer security isn't just for governments or big companies; it's essential for everyone. From protecting your personal photos to securing your online banking, good security practices help ensure your digital life is safe and reliable.
The CIA Triad: A Constant Balancing Act
Getting security right is a fine art because the three needs of the CIA Triad are always "pulling in different directions":
You can provide great confidentiality by closing down your online system, but then its availability is terrible!
You could have great availability by letting someone stay logged in all the time on any computer they're using, but that could lead to big confidentiality problems if the computer is shared or lost.
Similarly, giving all staff access to change all student exam results provides high availability for changes, but risks the integrity of the results if changes are made incorrectly or maliciously.
Computer security experts are always trying to find the right balance, guided by the threat model: an understanding of the main risks and their consequences.
Digital systems face various threats, from sneaky tricks to overwhelming attacks. Understanding these helps us build stronger protections.
Elements of a Computer System: A Layered Defence
When considering computer security, experts think about the different key elements of a digital system. Security needs to be strong across all layers:
Technology: The hardware and software & applications in a system, including networks.
People: The users, including staff, customers, and decision-makers.
Process: How the system should be used by the people (procedures and rules).
Compliance: How you ensure that everyone follows the rules and policies.
Common Threats:
Malware (Malicious Software): This is the general name for software that has been written to intentionally cause harm, disrupt, or gain unauthorized access to a computer system. Malware can be used for "persistence" – once an attacker breaches an organisation, they can use malware as a back door that they can access later at any time. The nature of malware has evolved: early forms showed off technical skills or curiosity, but with the growth of online commerce, malware became a way to trick people into spending money or to demand ransoms.
Examples of Malware:
Viruses & Worms: Malware that can spread automatically between computers.
Ransomware: Malware that locks up a company’s computer systems or data, demanding a payment (often in cryptocurrency) to unlock it.
Spyware: Malware that secretly monitors your activity on a computer.
When a vulnerability is found in common software, a Common Vulnerabilities and Exposures (CVE) identification number is assigned and security updates and patches are distributed. Computers that aren’t updated become a target. The WannaCry malware, for instance, exploited known vulnerabilities in old Windows systems.
Phishing: Tricking people into revealing personal information (like passwords or bank details) by pretending to be a trustworthy entity. Attackers send fake emails or messages hoping some people will fall for the request.
Examples: Fake emails saying your account has strange activity and to log in via a suspicious link; emails from someone you work with asking to pay their last invoice to a new bank account.
Exploits human trust and tendency to click quickly. Malware can also be delivered via phishing.
Social Engineering: Manipulating people into breaking normal security procedures or giving up confidential information by building trust or exploiting emotions (like fear or greed). Attackers try to make you click on something or do something based on an emotional reaction.
Examples: Getting a phone call from someone pretending to be tech support, claiming your computer is infected and asking for remote access; social media friend requests from fake profiles to gain trust; "only paying for shipping" when "winning" a free, expensive item. Malware can also be installed this way.
Exploits human weaknesses like being overly helpful or forgetful.
Weak Passwords: Passwords that are easy to guess, too short, or reused across many accounts.
Users may reuse common or predictable passwords if policies are too restrictive (e.g., frequent mandatory changes).
Unpatched Software / Vulnerabilities: Old software often has known security weaknesses (vulnerabilities) that attackers can exploit. When a vulnerability is found, a Common Vulnerabilities and Exposures (CVE) identification number is often assigned.
If an Operating System or Software & Applications isn't updated (e.g., your web browser telling you to update), it leaves the system vulnerable. Attackers always check the versions of software running on a target’s system, then look up known vulnerabilities for those specific versions.
Real-World Examples of Unpatched Vulnerabilities:
SolarWinds Orion (2020): A tool used by many organizations to monitor networks was infected with malware. News of the weakness became public before a fix was widely available, impacting many customers, including the US Government.
Meltdown and Spectre (2018): These vulnerabilities affected a very wide range of computer microprocessors. Google independently discovered them and worked with chip manufacturers (Intel/ARM/AMD) for months to develop patches before the issue became widely known, highlighting the effort involved in fixing fundamental hardware flaws.
WannaCry & NotPetya (2017): These devastating malware attacks (costing billions of USD in damages) exploited vulnerabilities that the US National Security Agency (NSA) had secretly used. The NSA quietly alerted Microsoft, who released updates. However, many organizations had not applied these updates, leading to widespread damage when the vulnerabilities were later leaked by a group called Shadow Brokers.
Distributed Denial of Service (DDoS) Attack: Overwhelming a system with a flood of requests from many different computers (often controlled by malware), preventing legitimate users from accessing it. This attack aims to reduce Availability. The malware used for this often forms a "botnet" – a network of compromised computers.
Example: In August 2020, New Zealand's NZ Exchange (NZX) experienced a DDoS attack that prevented trading for five days. A high-profile ransomware attack also occurred on the NZX in the same month.
Targets network infrastructure. It's like sending someone a million letters, so a single legitimate letter gets lost.
Data Manipulation: Deliberately changing data to cause harm, confusion, or illicit gain. This directly attacks Integrity.
Examples: Changing your bank account balance, locking you out of your account by changing your password, manipulating stock or cryptocurrency prices. Attackers can even manipulate Artificial Intelligence by feeding machine learning algorithms false data.
Can exploit weaknesses in how data is processed or stored.
"Own Goals": Security failures caused by mistakes within the defending organization, often from overlooking a part of the system's security.
Example: The NZ government's 2019 budget leak, where parts of the confidential budget were found via the site's own search function, highlighting that security needs to be considered for every aspect of a system.
Human error or poor system configuration.
Offensive vs. Defensive Security Tactics:
Looking after security involves both defensive and offensive tactics, much like team sports.
Defensive Security: These are the measures taken to prevent attacks and protect a system. Most security measures you'll encounter are defensive.
Examples: Setting up firewalls, ensuring users have strong passwords and use multi-factor authentication, placing limits on resources, encrypting data.
Offensive Security: This involves actively testing systems to find weaknesses before malicious attackers do, or setting traps for them. These professionals are sometimes referred to as "Whitehat hackers" (good hackers who help improve security) versus "Blackhat hackers" (malicious hackers who exploit weaknesses for harm). It can be hard to distinguish between someone researching for good or bad reasons, as both look for weaknesses.
Examples:
Penetration Tests / Security Audits / Red Team Exercises: Companies hire contractors to "attack" their own systems (with strict agreements in place) to find and report weaknesses.
Bug Bounties: Some companies offer rewards to ethical hackers who find and report security vulnerabilities (e.g., Discord's Bug Bounty).
Honeypots: Setting up a section of a website or network that appears to have weak security, acting as a decoy to distract attackers from the real system and gather data about their tactics. This uses "annoyance" to waste their time.
Attribution & Attack (Rarely by Defenders): Trying to identify the attacker by gathering information (attribution). While possible, defenders usually focus on strengthening their own systems, leaving complex attribution to forensic and police experts. Forensic experts are often in demand by law enforcement as crimes commonly involve computers.
Who are the Actors? Understanding Threat Actors:
A threat actor (or malicious actor) is a person or entity responsible for an event or incident that impacts, or has the potential to impact, the safety or security of another entity. They have various motivations:
Internal Threat Actors (from within the organization):
Users who intentionally or unintentionally make mistakes or breach policies (e.g., clicking a suspicious link, reusing passwords).
Administrators who take advantage of their higher level of authorization.
External Threat Actors (from outside the organization):
Organized Crime, Terrorists, State-Sponsored Attacks: Highly resourced groups with specific, often financial or political, goals. They might use "Advanced Persistent Threat" (APT) groups that infiltrate a system and remain undetected for a long time.
Activists / "Hacktivists": Groups using hacking to fight for a cause they believe in (e.g., protesting laws, removing internet blocks).
"Script Kiddies": Less skilled individuals who copy and paste existing code or techniques from others without fully understanding them, often just to show off.
Key Protection Methods & Processes:
Computer security experts anticipate attacker tactics and continuously improve systems. People make mistakes, so security systems also try to make it harder for mistakes to happen. Security is always a balance between convenience for legitimate users and inconvenience for unauthorized users. Very strong security can sometimes backfire (e.g., forcing frequent password changes can lead users to write them down or reuse old ones). The effort put into security depends on the "threat model."
Strong Passwords & Multi-Factor Authentication (MFA):
Strong Passwords: Long, complex combinations (mix of upper/lowercase letters, numbers, symbols) that are unique for each online account. Avoid easily guessable information. Security systems might prevent users from using weak or previously breached passwords.
MFA (e.g., 2FA): Requires a second verification step (e.g., a code sent to your phone, a fingerprint scan, a hardware key) in addition to your password, making it much harder for unauthorized access. This strengthens Authentication – proving who you are.
Authentication Examples: Something you know (passwords, PINs), Something you have (codes, hardware keys you plug in like a USB drive), Something you are (biometrics like fingerprints, facial recognition, or retina scans).
Using password managers to generate and autofill unique, strong passwords for every system can significantly increase security and decrease password reuse, with little extra effort for the user. Password rotation (e.g., every three months) can also be part of a strong process.
Antivirus/Anti-malware Software: Scans for, detects, and removes malicious programs from your system. These are crucial defenses against Malware.
Firewalls: An important defensive measure that creates a barrier between trusted internal networks and untrusted external networks (like the Internet). All network traffic passes through them, requiring a balance between detecting bad traffic and maintaining speed for legitimate operations.
Firewalls can be software on a single computer or an array of specialized computers for large organizations.
They use security rules to allow or block specific traffic.
They need to respond quickly, detecting and rejecting suspicious data.
They face challenges with "bad bots" (scripts trying to break in) versus "good bots" (like search engine indexers) and real human traffic. Sending too many requests can overwhelm a firewall, leading to a Denial of Service (DoS) attack, where even legitimate users are blocked.
Firewalls check incoming traffic, looking at its origin and patterns that match attack forms. They use fast algorithms for this.
Requests to specific "ports" indicate the type of service sought (e.g., web pages use port 80/443, email port 25, file transfer (FTP) port 20). Requests to unused or vulnerable ports (like outdated FTP) are blocked. The "P" in acronyms like HTTP/HTTPS/SMTP/FTP stands for Protocol.
Firewalls also monitor outgoing traffic to prevent accidental access to malicious sites or unauthorized data leakage.
They play a key role in network segmentation, separating different parts of a network for security (e.g., a "Virtual Local Area Network" (VLAN) uses tagging to separate traffic on the same physical equipment, or a "Demilitarized Zone" (DMZ) is an isolated part of a network for external-facing services).
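The rule checking described above can be sketched in a few lines. This is an added example, not part of the original page: the rule set, the request limit, and the sample traffic are constructed, and the addresses come from the ranges reserved for documentation.

```python
from collections import defaultdict, deque

# Constructed rule set. Ports are the ones named above; the deny list and
# the request limits are assumptions made for this example.
ALLOWED_PORTS = {80: "HTTP", 443: "HTTPS", 25: "SMTP"}
DENY_SOURCES = {"203.0.113.66"}
MAX_REQUESTS = 5       # allowed requests per source...
WINDOW_SECONDS = 10    # ...in any 10-second window


class Firewall:
    def __init__(self):
        # source address -> times of its recently allowed requests
        self.recent = defaultdict(deque)

    def decide(self, now, source, port):
        """Return 'ALLOW' or 'BLOCK:<reason>' for one incoming request."""
        if source in DENY_SOURCES:
            return "BLOCK:denied source"
        if port not in ALLOWED_PORTS:
            # Default deny: anything not explicitly offered is rejected.
            return "BLOCK:port closed"
        window = self.recent[source]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()  # forget requests older than the window
        if len(window) >= MAX_REQUESTS:
            # Limiting each source separately keeps one noisy sender from
            # using up the service for everyone else.
            return "BLOCK:rate limit"
        window.append(now)
        return "ALLOW"


def evaluate(traffic):
    """Run a list of (seconds, source, port) requests through a new firewall."""
    fw = Firewall()
    return [fw.decide(now, source, port) for now, source, port in traffic]


# Constructed traffic: (seconds, source address, destination port)
SAMPLE_TRAFFIC = [
    (0, "198.51.100.7", 443),   # normal visitor loading a web page
    (1, "198.51.100.7", 20),    # FTP is not offered, so the port is closed
    (2, "203.0.113.66", 80),    # source is on the deny list
    (3, "192.0.2.50", 443),     # start of a burst from one source
    (4, "192.0.2.50", 443),
    (5, "192.0.2.50", 443),
    (6, "192.0.2.50", 443),
    (7, "192.0.2.50", 443),
    (8, "192.0.2.50", 443),     # sixth request inside the window
    (8, "198.51.100.7", 443),   # the normal visitor is unaffected
    (14, "192.0.2.50", 443),    # old requests have aged out of the window
]

if __name__ == "__main__":
    for packet, verdict in zip(SAMPLE_TRAFFIC, evaluate(SAMPLE_TRAFFIC)):
        print(packet, "->", verdict)
```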
Software Updates: Regularly updating your Operating System and Software & Applications patches security vulnerabilities that attackers might exploit. It drives up the time and cost for attackers, as they have to find new ways in. Organizations need a well-organized system for this. Users don't like systems "down for maintenance," but updates are crucial, and many can happen without users noticing. Effective updates like Transport Layer Security (TLS) are widely used for secure communication. These updates are a primary defense against Malware and Unpatched Software / Vulnerabilities.
Data Backup: Regularly make copies of your important files and store them separately (e.g., on a cloud service like Google Drive, or an external hard drive). This protects against data loss due to damage, ransomware, or theft, ensuring Availability and Integrity. It's crucial to test that backups are working so that data can actually be recovered when needed. This is a critical defense against Ransomware.
Secure Networks: Always use trusted Wi-Fi networks. Be cautious with public Wi-Fi (e.g., free Wi-Fi that overlays scam ads), as it can be less secure.
Encryption: A powerful method that scrambles data, making it unreadable to anyone without a special "key." This is crucial for Privacy during Data Transmission (e.g., online banking) and storage.
Secure systems often don't store users' passwords directly but store a "hash" of their password (a one-way scrambled version), often with "salting" (adding random data to the hash). This makes it very hard to figure out the original password even if the hashed data is stolen.
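To see why the salt matters, the added example below (not from the original page) stores the same constructed passwords two ways: as a plain fast hash, and as a salted slow hash using PBKDF2 from Python's standard library. The user names, passwords, salt length, and iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune for your hardware
SALT_BYTES = 16       # assumed salt length


def unsalted_hash(password):
    """Weak scheme: one fast hash, no salt. Same password gives same value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Stronger scheme: fresh random salt per user plus a slow hash."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    # The salt is not secret. It is stored beside the hash so that the
    # login check can repeat the same calculation.
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def shared_password_groups(stored):
    """Group users whose stored value is identical.

    This is what anyone holding a copy of the table can see without
    cracking anything at all.
    """
    by_value = defaultdict(list)
    for user, value in stored.items():
        by_value[value].append(user)
    return sorted(sorted(users) for users in by_value.values() if len(users) > 1)


if __name__ == "__main__":
    # Constructed accounts: two users happen to pick the same password.
    passwords = {
        "aroha": "kiwi-Summer-2024",
        "ben": "kiwi-Summer-2024",
        "mia": "T4hi-rua-toru!",
    }

    weak_table = {u: unsalted_hash(p) for u, p in passwords.items()}
    print("unsalted, shared passwords visible:", shared_password_groups(weak_table))

    records = {u: hash_password(p) for u, p in passwords.items()}
    salted_table = {u: r["hash"] for u, r in records.items()}
    print("salted, shared passwords visible:", shared_password_groups(salted_table))

    print("correct password accepted:", verify_password("kiwi-Summer-2024", records["ben"]))
    print("wrong password rejected:", not verify_password("kiwi-summer-2024", records["ben"]))
```

With unsalted hashes the two matching passwords produce matching stored values, so one guess exposes both accounts; with a per-user salt every stored value is different even when the passwords are the same.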
Digital Citizenship & User Education: Being smart, ethical, and safe online. This involves:
Thinking critically about suspicious links, emails, or "too good to be true" offers.
Being cautious about friend requests from unknown people on social media.
Educating users about threats (like phishing and social engineering) and how to report concerns.
Providing users with the tools they need to do their job securely, reducing the temptation to download unsafe software. This helps prevent attackers from convincing users to install Malware.
Relates to Compliance: Sometimes security measures involve inconveniences (e.g., blocking USB drives, forcing computer locks). Balancing these rules with user understanding is key. For individuals with personal devices, where formal policies might be absent, education about avoiding common traps is the best defense.
Access Rights Management: Carefully removing access rights of people who leave an organization (such as revoking their password) is important to ensure only authorized individuals have access.
Security Policies & Compliance: Organizations need clear policies and practices to enforce safe computer usage, especially for staff accessing sensitive information. These policies define what users can and cannot do, creating a trade-off between Availability for legitimate users and stronger Integrity and Confidentiality. Because many users don't have security expertise, enforcing policies is critical.
Examples of Policies in Action:
Password Policies: Systems enforcing minimum length, complexity, or preventing common/previously breached passwords. What happens if you type an incorrect password too many times? (Some sites temporarily lock you out, preventing continuous guessing).
Transaction Limits/Validation: Preventing unusual or negative orders (e.g., ordering 5,000,000 rolls of toilet paper, or getting free items due to loopholes like in McDonald's discounts). This protects Integrity.
Contactless Payment Policies: Rules around maximum contactless purchase limits (e.g., Paywave) or PIN requirements. These policies changed during Covid-19 (e.g., higher limits for convenience), adjusting the balance between convenience and security. They use "disincentives" (like potential card blocking if suspicious activity is detected) to make fraudulent use not worthwhile.
Device Control: Blocking USB flash drives from work computers to prevent malware spread.
Auto-Locking: Forcing computers to lock after a period of inactivity.
Companies (like Xero) often publish security or Privacy policies to reassure clients and explain security inconveniences. General security standards (e.g., ISO27001, SOC2) provide common guidelines for organizations. If a company's security is important to its clients, they will likely publish these.
These are about making sure people follow the rules, even if they are inconvenient, to maintain overall system security.
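The password policy and lockout behaviour listed above can be written as two small checks. This is an added example, not part of the original page: the minimum length, the tiny stand-in list of breached passwords, the look-alike character table, and the lockout limits are all assumptions.

```python
import re

MIN_LENGTH = 12  # assumed policy value
# Constructed stand-in for a breached-password list (real lists are huge).
BREACHED = {"password", "people", "qwerty", "letmein", "dragon"}
# Common look-alike swaps, mapped back to the letters they imitate.
LOOKALIKES = str.maketrans("013457@$", "oleastas")


def variants(password):
    """Forms of the password after undoing the usual decorations."""
    lowered = password.lower()
    trimmed = re.sub(r"[^a-z]+$", "", lowered)  # drop trailing digits/symbols
    return {lowered, lowered.translate(LOOKALIKES), trimmed.translate(LOOKALIKES)}


def check_new_password(password):
    """Return the list of policy problems (an empty list means accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if variants(password) & BREACHED:
        problems.append("matches a breached password")
    return problems


class LoginGuard:
    """Temporary lockout after repeated failures, to stop continuous guessing."""

    def __init__(self, max_failures=3, lock_seconds=300):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.failures = {}      # user -> consecutive failed attempts
        self.locked_until = {}  # user -> time at which the lock expires

    def attempt(self, user, password_ok, now):
        """password_ok is the result of the real password check (not shown)."""
        if now < self.locked_until.get(user, 0):
            # Even the right password is refused while locked: the policy
            # trades some Availability for Confidentiality.
            return "LOCKED"
        if password_ok:
            self.failures[user] = 0
            return "OK"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lock_seconds
            self.failures[user] = 0
            return "LOCKED"
        return "DENIED"


if __name__ == "__main__":
    # Constructed sample passwords (never test real ones).
    for pw in ["p30pl3", "Password123", "P@ssw0rd!!!!!!!!", "tui-harbour-lantern-42"]:
        print(repr(pw), "->", check_new_password(pw) or "accepted")

    guard = LoginGuard()
    for now, ok in [(0, False), (1, False), (2, False), (10, True), (302, True)]:
        print("t =", now, "->", guard.attempt("mia", ok, now))
```

The third sample password is long enough but is still rejected, because removing the trailing symbols and undoing the character swaps turns it back into a password that is already on the breached list.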
By combining these methods, users and system administrators can significantly reduce the risk of security breaches. Security experts also consider Tools, Techniques, Procedures (TTPs) that attackers use to better anticipate and defend against attacks.
The Role of a Security Expert & User Education
Becoming a security expert requires a wide range of knowledge and experience. They deal with changing organizational needs, plan responses to attacks, and advise on technology choices like Operating Systems. Specialised areas include cryptocurrency security and forensics (investigating digital crimes, often involving law enforcement).
A key element of security is education of the user. If you understand what has been covered on this page, you'll be more sensitive to the threats to the systems you use, and also more able to understand why policies and procedures that sometimes seem inconvenient are actually vital protections. This knowledge empowers you to be a stronger defense against many common attacks.
Activity 1: Password Power-Up
Task: Think of three common types of passwords people use (e.g., "password123," "yourpetname," "P@ssw0rd!"). Do NOT use your real passwords!
Activity:
For each password type, explain why it's weak or strong.
Suggest improvements for the weak ones to make them stronger.
Explain why using unique passwords for different accounts is important.
(Optional Challenge): Use a password strength testing site (like https://www.security.org/how-secure-is-my-password/ or a similar reputable site) to test "applebananacabbag" vs. "applebananacabbage" and explain why the shorter one might surprisingly be stronger. Also, explain why substituting numbers for letters (like "p30pl3") isn't much better than "people."
Evidence: Create a Google Doc or Google Slide outlining your chosen app, the settings you found, and your descriptions. (Take screenshots if appropriate and include them).
Activity 2: Spot the Phish & Social Engineering
Task: Find two examples of phishing emails or messages, or scenarios involving social engineering (you can search online for "phishing email examples" or "social engineering examples" or ask an adult for a non-sensitive example they've received). Do NOT click on any suspicious links or provide real information!
Activity:
For each example:
Describe what the message/scenario is trying to trick you into doing.
Identify at least two "red flags" (suspicious signs) in the message/scenario that tell you it's a security threat.
Explain what you should do if you encounter such a situation.
Evidence: In a Google Doc, paste screenshots (if allowed and safe, blurring any real personal info) or descriptions of the attempts, along with your analysis.
Activity 3: Malware Match-up
Task: You've learned about different types of malware. Consider these scenarios:
a) Your computer screen suddenly shows a message saying all your files are locked and you need to send money to unlock them.
b) A program you didn't install seems to be secretly watching your keystrokes and sending them to someone else.
c) Your friend opens an email attachment, and suddenly their computer starts sending out copies of that attachment to everyone in their contacts list.
Activity: For each scenario, identify the type of malware described (Ransomware, Spyware, Virus/Worm). Explain why you chose that type based on its characteristics.
Evidence: Create a Google Doc to list the scenarios and your malware identification with explanations.
Activity 4: Policy Detective
Task: Choose one online system you regularly use (e.g., a school portal, an online gaming platform, a streaming service).
Activity:
Try to find information about its security policies. This might be in the privacy policy, terms of service, or a dedicated security page. (You don't need to read everything, just look for mentions of security practices).
Based on your experience, or by trying (carefully!) to enter incorrect passwords a few times, identify one security policy it seems to have in place (e.g., password complexity rules, account lockout after too many failed attempts, two-factor authentication requirement).
Explain why that policy helps improve the security of your account, linking it back to Confidentiality, Integrity, or Availability.
Evidence: In a Google Doc, describe the system and the policy you identified, explaining its security benefit.
Check your understanding of Computer Security.
Multiple Choice: What does Integrity in the CIA Triad refer to?
a) Keeping data private.
b) Making sure data is accurate and hasn't been tampered with.
c) Ensuring systems are always available.
d) Hiding data from unauthorized users.
Short Answer: Explain the main difference between a phishing attack and a DDoS attack.
Scenario: Your school's internal network is suddenly very slow, and students are having trouble accessing online learning resources. Your IT department suspects a cyberattack.
Which aspect of the CIA Triad is being directly threatened in this scenario?
Suggest two protection methods your school's IT department might use to defend against or recover from such an attack.
Scenario 2: An ethical hacker is performing a "penetration test" for a company. They find a major security flaw that could allow attackers to steal customer data.
Is this hacker a "Whitehat" or "Blackhat" hacker? Why?
What is the ethical hacker's goal in finding this flaw?
Scenario 3: Your computer's Operating System has a notification prompting you to install an urgent "security update." You're busy with schoolwork.
Which element of a computer system (Technology, People, Process, Compliance) is most directly related to this update?
Explain why it's important to install this update quickly from a computer security perspective.
Scenario 4: A hospital's computer system is suddenly encrypted by ransomware, and a message demands payment to unlock the patient files.
Which two aspects of the CIA Triad are most severely impacted in this scenario?
What is a crucial defense that the hospital should have in place (beyond antivirus) to recover from this specific type of attack without paying the ransom?
Scenario 5: A large online retailer accidentally advertises a popular product at a much lower price than intended. Thousands of people rush to buy it. Their website becomes very slow and eventually crashes.
Which aspect of the CIA Triad is impacted in this "own goal" scenario?
Why might this be challenging for the retailer's firewall to handle, even if it's well-configured?
Computer security protects digital systems and information, aiming for Confidentiality, Integrity, and Availability (CIA Triad).
The CIA elements often involve tradeoffs, and security is about finding the right balance.
Security involves Technology, People, Process, and Compliance for a layered defense.
Common threats include malware (viruses, worms, ransomware, spyware), phishing, social engineering, weak passwords, DDoS attacks, data manipulation, and "own goals".
Security involves both defensive tactics (preventing attacks) and offensive tactics (testing for weaknesses, setting traps).
Threat actors can be internal or external, with varied motivations.
Key protections include strong authentication (passwords, MFA/2FA), antivirus, firewalls, software updates, data backup (with testing!), secure networks, and encryption.
Security policies enforce safe practices, balancing security needs with user convenience.
Users play a vital role through good digital citizenship and understanding security practices.
Becoming a security expert requires a wide range of expertise, but user education is a key element of overall security.
Now that you understand the importance of protecting your personal information, you're ready to explore the broader strategies and tools used to keep digital systems safe:
Encryption: Learn about the specific technology that scrambles data to keep it private and secure, a core tool in computer security.
Error Control: Understand how data integrity is maintained, preventing errors during transmission, which is crucial for secure and reliable systems.
Network Communication Protocols: Explore the rules that govern how data travels securely across networks and the internet, often involving security measures.