Presentation is loading. Please wait.

Presentation is loading. Please wait.

GENERAL SECURITY CONSIDERATIONS.

Published byHarriet Howard Modified over 8 years ago

Similar presentations

Presentation on theme: "GENERAL SECURITY CONSIDERATIONS."— Presentation transcript:

1 http://www.flickr.com/photos/torkildr/3462607995/ GENERAL SECURITY CONSIDERATIONS

2 What does “Security” encompass? One viewpoint: NIST FIPS 199 3 key objectives: Confidentiality Integrity Availability http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf

3 Confidentiality “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information” – In short: Keeping secrets secret – This is the primary linkage between security and data privacy laws and regulations such as HIPAA – Example of a threat: packet sniffing

4 Integrity “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity” – In short: Not letting data get trashed – Example of a threat: impersonation in order to achieve data modification

5 Availability “Ensuring timely and reliable access to and use of information” – In short: People can get their data – How much would people complain if they couldn’t get to certain information? That tells you whether availability is important. – Can be assessed using Business Impact Analysis (BIA) – Example of a threat: denial of service attack

6 Confidentiality != Integrity != Availability Reminder – Confidentiality: Secrets stay secret – Integrity: Data don't get trashed – Availability: People can get their data Example: Stealing a copy of unencrypted file – Confidentiality: fail; integrity and availability: ok Example: Appending false facts to a file – Integrity: fail; confidentiality and availability: ok Example: Moving (hiding) somebody's file – Availability: fail; confidentiality and integrity: ok

7 Some key web security concerns Logging of URLs Impersonation Autocomplete Man-in-the-middle Bots and denial-of-service Theft of data – Encrypting data yourself – Hashing passwords Injection attacks (later lecture) Cross-site forgery (later lecture)

8 Logging of URLs ASSUME that all URLs are logged somewhere – Probably on your webserver, maybe elsewhere This includes ALL GET parameters So NEVER EVER send ANY data as a GET parameter if it needs to be kept confidential – Passwords, credit card numbers, student ID numbers, etc.

9 Impersonation This is where user X pretends to be user Y – So X can see Y's data (confidentiality: fail) – So X can delete Y's data (integrity+availability: fail) How to prevent? – Just make everybody authenticate before they can access any data that must be kept confidential or whose integrity & availability must be protected

10 Autocomplete These days, most browsers will kindly try to save users' data and auto-fill forms – Includes passwords – Potential for impersonation – Threatens confidentiality+integrity+availability To disable… …

11 Man-in-the-middle The browser doesn't talk directly to the server – It talks to the operating system, which sends data on wireless or a cable to a router, which forwards the data to another network, etc. And anywhere along the way, somebody could view and log the data values as they go by – Including passwords (even if sent by POST) Solution: Encrypt the data To do this, you install an SSL server certificate

12 Overview of how to set up SSL 1.Lease some PHP hosting (server) space 2.Lease rights to a domain (also known as "registering a domain") – E.g., buy "mydomain.com" for a year 3.Log into a server owned by the people from whom you leased the domain name & indicate the IP address of your leased server – E.g., map "www.mydomain.com" to 69.25.142.5 4.Lease an SSL certificate (file) that contains cyptographic keys for your specified domain 5.Log into your PHP server, put a copy of your certificate onto it, and restart your server  Anybody who connects to your server via https will have a totally (2-way) encrypted connection… voila, no more man-in-the-middle attacks

13 Bots and denial-of-service A browser is just a program Somebody could create another program that calls your server & pretends to be a browser – This is called a "bot" – And the bot can be installed on lots of computers Say, machines that a bad person has hacked ("botnet") If the program hits your often enough, legit requests won't get through – This is called "denial of service" – Availability threat (not confidentiality or integrity)

14 How to beat denial-of-service Still not a "solved problem" Partial solutions that reduce the threat: – Replicate onto lots of servers – Use a custom operating system (or web server or router) that filters out suspicious traffic – Redesign the app with a peer-to-peer architecture rather than a client-server architecture I.e., it's not a web application any more

15 Theft of data Suppose – Your web application has no obvious security holes… – But the people you're leasing a server from are shady (or inept)… – And somebody steals your database!!! Could be a huge threat to confidentiality, integrity, availability – E.g., if unencrypted passwords are in the database, the thief can launch an impersonation attack – Worse: what if somebody steals credit cards?

16 Theft of data isn't just for databases Suppose – Your web application has no obvious security holes… – But your users are absolutely clueless (they don't even know what antivirus is)… – And somebody hacks their hard drives!!! Could be a huge threat to confidentiality, integrity, availability – E.g., if unencrypted passwords are in cookies, the thief can launch an impersonation attack – Worse: storing credit cards in autocomplete or cookies

17 Mitigating theft of data Simple solution – Encrypt all data that needs to be kept confidential – Before inserting into permanent storage Databases Files Cookies Etc.

18 Some example code <?php $secretInfo = '6011000000000004'; // credit card $keyForEncryptingAndDecrypting = 'montague1300!'; $iv = '37492910'; // any 8 digits $encryptionCipher = mcrypt_module_open(MCRYPT_BLOWFISH,'','cbc',''); mcrypt_generic_init($encryptionCipher, $keyForEncryptingAndDecrypting, $iv); $asEncrypted = base64_encode(mcrypt_generic($encryptionCipher, $secretInfo)); mcrypt_generic_deinit($encryptionCipher); mcrypt_generic_init($encryptionCipher, $keyForEncryptingAndDecrypting, $iv); $afterDecryption = mdecrypt_generic($encryptionCipher, base64_decode($asEncrypted)); mcrypt_generic_deinit($encryptionCipher); echo $secretInfo. " -> ". $asEncrypted. " -> ". $afterDecryption; ?> // note: $asEncrypted can be pretty long

19 Now you need to keep your key safe You also need to keep your database username and password safe, incidentally Most PHP hosts (servers) allow this: – Any lines of code that need to be kept secure can be placed in a file stored "above" your web application /store/them/here/config.inc Instead of /store/them/here/myweb_server_root/myfile.php – And then include the values when you need them

20 Incidentally, you don't actually need to store passwords in the database An even more secure option is to store a random-ish number computed based on the password (called a "hash") When user sends a password: – Hash the password – Compare to the hashed password in the database

21 Example code: Hashed passwords // when initializing database $usr = 'ricky'; $pwd = 'mypassword'; $insertthis = base64_encode(hash('sha256',$pwd)); mysql_query("insert into users(usr,pwd) values('".$usr."','".$insertthis."')"); // when you receive a username & password later on (user is trying to log in) $usr = $_REQUEST["usr"]; $pwd = $_REQUEST["pwd"]; $checkthis = base64_encode(hash('sha256',$pwd)); $rs2 = mysql_query("select usr from users where usr='". mysql_real_escape_string($usr). "' and pwd='". mysql_real_escape_string($checkthis). "'"); $_SESSION["usr"] = (mysql_numrows($rs2) > 0 ? $usr : "");

22 Even more secure… hash password concatenated with some random string // when initializing database $usr = 'ricky'; $pwd = 'mypassword'; $insertthis = base64_encode(hash('sha256',$pwd. "blahblahblah102020" )); mysql_query("insert into users(usr,pwd) values('".$usr."','".$insertthis."')"); // when you receive a username & password later on (user is trying to log in) $usr = $_REQUEST["usr"]; $pwd = $_REQUEST["pwd"]; $checkthis = base64_encode(hash('sha256',$pwd. "blahblahblah102020" )); $rs2 = mysql_query("select usr from users where usr='". mysql_real_escape_string($usr). "' and pwd='". mysql_real_escape_string($checkthis). "'"); $_SESSION["usr"] = (mysql_numrows($rs2) > 0 ? $usr : "");

23 Key points to remember Objectives: Keep secrets secret, don't let data get trashed, make sure people can get data Things to remember: – Never send confidential data via GET – Use SSL to prevent man-in-the-middle attacks – Replication is a partial solution to denial-of-service – Encrypt sensitive data values before storing Except for passwords: hash those instead

Download ppt "GENERAL SECURITY CONSIDERATIONS."

Similar presentations

GCSE ICT Networks & Security..

GCSE ICT Networks & Security..
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
A dialogue with FMUG: Sensitive Data & Filemaker MIT Policy and Data Classifications ** DRAFT ** Guidelines Feedback and Discussion Tim McGovern 2 June.

A dialogue with FMUG: Sensitive Data & Filemaker MIT Policy and Data Classifications ** DRAFT ** Guidelines Feedback and Discussion Tim McGovern 2 June.
Cryptography and Network Security

Cryptography and Network Security
Networks. User access and levels Most network security involves users having different levels of user access to the network. The network manager will.

Networks. User access and levels Most network security involves users having different levels of user access to the network. The network manager will.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
HTML FORMS

HTML FORMS
Hacking Presented By :KUMAR ANAND SINGH 04-243,ETC/2008.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
Security Issues and Challenges in Cloud Computing

Security Issues and Challenges in Cloud Computing
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.

Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
By: Bryan Carey Randy Cook Richard Jost TOR: ANONYMOUS BROWSING.

By: Bryan Carey Randy Cook Richard Jost TOR: ANONYMOUS BROWSING.
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.

CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.
Chapter 13 Network Security. Contents Definition of information security Role of network security Vulnerabilities, threats and controls Network security.

Chapter 13 Network Security. Contents Definition of information security Role of network security Vulnerabilities, threats and controls Network security.
Microsoft Windows 2003 Server. Client/Server Environment Many client computers connect to a server.

Microsoft Windows 2003 Server. Client/Server Environment Many client computers connect to a server.
Data Security GCSE ICT.

Data Security GCSE ICT.

Similar presentations

Ads by Google