Presentation is loading. Please wait.

Presentation is loading. Please wait.

COMP1321 Digital Infrastructure

Published byRené Généreux Modified over 6 years ago

Similar presentations

Presentation on theme: "COMP1321 Digital Infrastructure"— Presentation transcript:

1 COMP1321 Digital Infrastructure
Richard Henson University of Worcester May 2018

2 Week 24: End-Point Security
Objectives: Explain that applications software and even operating systems are flawed and the crucial importance of using “updates” Explain licensing and life-cycle support for software Explain how the registry controls end-point security Explain why Cyber Essentials is useful for businesses

3 Network Security and Computer Security
Not the same thing! network protected from external threats using firewall and savvy internal users! End-point devices protected at the desktop… registry needs correct settings… GCHQ agreement on “best practice” registry settings for security. Why not do it?

4 The changing security model
“Castle and Moat” approach no longer sufficient End-users access servers via web need protection as well SSL protocol introduced for e-commerce PKI introduced right across the web (1999) most people hadn’t heard of it in 2016…

5 Data on the move: Encryption is not enough!
The other aspect of SSL/PKI is the establishment of trust between online vendors and customers usually achieved by using encryption AND providing a digital certificate system: verifies the identity at each end of the communication link thereby authenticating the server/user The savvy user knows about digital certificates and expects to be able to view them online in 2015 many users still not … savvy!

6 “Mature” use of PKI? But…
16 years on from KPI, larger companies were using SSL/PKI for secure communications as a matter of course! But… (1) companies not applying strict security measures correctly according to PKI guidelines: being defrauded skewing the statistics for more responsible online traders (2) human error/computer misuse through software vulnerabilities continued…

7 Solution… Google’s Browser
From early 2017 onwards, Google Chrome has checked links and highlighted any https link that has flaws… Now explained on BrightTalk webinar… Other Browser manufacturers are now following this excellent practice!

8 B2C and Website Vulnerability
Small businesses outsource many of their business functions Including: development of website putting website on an Internet-facing webserver

9 Website Vulnerabilities
The Website must have direct access to the Internet so Internet have direct access to website folder on webserver webbots can gather information about the business… find weak links in the website! and possibly weaknesses on the server e.g. “Heartbleed not patched!”

10 Software Layers and Operating Systems (OS)
Applications os functions & user interface os kernel CPU, motherboard

11 What if the Operating System has software faults?
The platform becomes “unstable”!! Could be errors in hardware control? user interface? utilities? What would happen to: applications running on a poorly designed platform? businesses depending on such apps?

12 “Good” and “Bad” programming
Apollo missions to the moon first use of programming for control “because manual not possible…” Programming used to: put Apollo spacecraft into moon orbit land a small craft and two astronauts

13 Early example of excellent software
Moon landing software (1969)… & final Presidential acclaim for safe coding (2016)

14 “Moon Lander” Program Retro rockets of falling LEM vehicle
Balanced against moon gravity Limited amount of fuel… Version written for BASIC Very popular early microcomputer game

15 Is software always safe?
Written by humans! Depends how it is: designed coded tested Lots could… and does… go wrong too much trust? not enough testing?

16 B2C Software Consumer buys a license to use software during its lifecycle… NOT the software itself! License may become invalid (or useless…) if software no longer supported consumer potentially unaware also applies to operating systems (!)

17 Publishing of Vulnerabilities
Many disturbing examples of data breaches… and software vulnerabilities that provided access for hackers Records of Internet exploitable vulnerabilities finally kept… US security organisation Mitre

18 Good for Consumers With Mitre initiative…
Software companies with faulty code named and shamed… Embarrassing… Over time, software will get better i.e. fewer flaws!

19 Software Faults & CWE Lot of recent interest in unreliability of software (even operating systems…) Mitre (US gov)… classified software fault types through Common Weakness/Vulnerability Enumeration (CWE/CVE) community support formal published list weaknesses/vulnerabilities Intended use? to better describe software weaknesses in architecture, design, or code [TSI/2012/183] © Copyright

20 More about CWE Full list of CWE entries… CWE provides:
more commonly encountered weaknesses usually “repeat offenders” CWE provides: standard measuring stick for software tools targeting software weaknesses common baseline standard for efforts to identify, mitigate, and prevent software weaknesses Top 25 (most hacked) vulnerabilities… PTO

21 CWE Top 25 faults (part 1) 1 CWE-79
Rank ID Name 1 CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting') 2 CWE-89 Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') 3 CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') 4 CWE-352 Cross-Site Request Forgery (CSRF) 5 CWE-285 Improper Access Control (Authorization) 6 CWE-807 Reliance on Untrusted Inputs in a Security Decision 7 CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 8 CWE-434 Unrestricted Upload of File with Dangerous Type 9 CWE-78 Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') 10 CWE-311 Missing Encryption of Sensitive Data 11 CWE-798 Use of Hard-coded Credentials 12 CWE-805 Buffer Access with Incorrect Length Value 13 CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') [TSI/2012/183] © Copyright

22 CWE Top 25 faults (part 2) 14 CWE-129
Rank ID Name 14 CWE-129 Improper Validation of Array Index 15 CWE-754 Improper Check for Unusual or Exceptional Conditions 16 CWE-209 Information Exposure Through an Error Message 17 CWE-190 Integer Overflow or Wraparound 18 CWE-131 Incorrect Calculation of Buffer Size 19 CWE-306 Missing Authentication for Critical Function 20 CWE-494 Download of Code Without Integrity Check 21 CWE-732 Incorrect Permission Assignment for Critical Resource 22 CWE-770 Allocation of Resources Without Limits or Throttling 23 CWE-601 URL Redirection to Untrusted Site ('Open Redirect') 24 CWE-327 Use of a Broken or Risky Cryptographic Algorithm 25 CWE-362 Race Condition [TSI/2012/183] © Copyright

23 Many other System Flaws (software to support OS, networks, etc)
“Recently”: Heartbleed – open source webserver software enhancement flawed KRACK – WiFi WPA2 secure implementation had a security flaw All patched quickly… But does everyone apply the patches?

24 Not just apps… Many examples of operating system flaws
Apple: “dangerous” flaw revealed in iOS 7 and X (21/2/14) Microsoft: Windows flaw that led to “Wannacry” (May 2017)

25 Dangers of not Updating…
New flaws in software being detected by Mitre and others all the time… usually published once a fix has been found! makes sense to update to a version that has had vulnerabilities patched! hackers will know all about any vulnerabilities removed by an update, and will be eager to exploit… organisations who haven’t updated (!)

26 Update Management Essential to update all system and application software as soon as possible after release… updates need to be tested… And roll out planned accordingly! e.g. operating system updates will require reboot so “automatic” updates may cause problems! generally best for administrator to have an alert and install updates asap (after testing!)

27 Latest versions of Applications
Same update principles apply to apps updates free may be required to upgrade to later version Office 2007 “updates” just expired! again… test first… but may also be a cost! Whether to upgrade is cost of upgrade/training justified: better security? increased productivity?

28 Updates and Development Environments
Software, like apps can and do have vulnerabilities need updating like all other software Use of insecure old version particularly worrying… development environments generate code what if that code has vulnerabilities…?

29 Insecure Development Environments
Many web page generator examples available Joomla… WordPress… more recent versions more likely to be secure and still have updates older versions no longer supported so code generated is vulnerable! Java Run-time… regular updates potential knock-on effects for java apps…

30 Using Windows Registry to check end-point security
Registry settings in memory control the desktop… totally! In order to establish the security status of a machine… just look in the registry!?

31 A Software Tool for Checking registry settings against GCHQ’s recommended values
Yes… there is one Yes… it is free! and it is produced by a local company Yes… you’ll be able to test it after the break!

32 Cyber Smart A more sophisticated tool has been developed to check the security settings of multiple machines on a network unfortunately, it is certainly not free! However, it will save a lot of time for analysts wishing to help organisations meet GCHQ’s “Cyber Essential” criteria…

33 Next Week… All about Linux!

Download ppt "COMP1321 Digital Infrastructure"

Similar presentations

Upgrading Software CIT 1100 Chapter4.

Upgrading Software CIT 1100 Chapter4.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.

Silberschatz, Galvin and Gagne  Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Geneva, Switzerland, 15-16 September 2014 ITU-T CYBEX standards for cybersecurity and data protection Youki Kadobayashi, NICT Japan Rapporteur, ITU-T Q.4/17.

Geneva, Switzerland, September 2014 ITU-T CYBEX standards for cybersecurity and data protection Youki Kadobayashi, NICT Japan Rapporteur, ITU-T Q.4/17.
Patching MIT SUS Services IS&T Network Infrastructure Services Team.

Patching MIT SUS Services IS&T Network Infrastructure Services Team.
Maintaining and Updating Windows Server 2008

Maintaining and Updating Windows Server 2008
OWASP Mobile Top 10 Why They Matter and What We Can Do

OWASP Mobile Top 10 Why They Matter and What We Can Do
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.
Secure Software Development Mini Zeng University of Alabama in Huntsville 1.

Secure Software Development Mini Zeng University of Alabama in Huntsville 1.
Fundamentals of Networking Discovery 1, Chapter 2 Operating Systems.

Fundamentals of Networking Discovery 1, Chapter 2 Operating Systems.
1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.

1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.
Security Management prepared by Dean Hipwell, CISSP

Security Management prepared by Dean Hipwell, CISSP
Information Systems Security Computer System Life Cycle Security.

Information Systems Security Computer System Life Cycle Security.
Configuring Electronic Health Records Privacy and Security in the US Lecture f This material (Comp11_Unit7f) was developed by Oregon Health & Science University,

Configuring Electronic Health Records Privacy and Security in the US Lecture f This material (Comp11_Unit7f) was developed by Oregon Health & Science University,
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Building Secure Web Applications With ASP.Net MVC.

Building Secure Web Applications With ASP.Net MVC.

Similar presentations

Ads by Google