Download presentation
Published byWinifred Hines Modified over 9 years ago
1
ISEC0511 Programming for Information System Security
Lecture Notes #2 Security in Software Systems
2
Vulnerability and Attacks
Vulnerability is a weak point in a system. There several ways in which vulnerabilities can be discovered. Exploiting Vulnerability Once a security vulnerability is known, how to exploit it is also known. What is not easily known is who has the device with the vulnerability and how to reach it. Scanning systems in the network is a way to discover targets.
3
Vulnerability and Attacks
Passive Attacks When a hacker eavesdrops on your system or monitors the transmitted packets, it is a passive attack. Sensitive information such as credit card information can be discovered using this technique. This is also called a sniffing attack.
4
Vulnerability and Attacks
Active Attacks The original object is disturbed or manipulated. The hacker can impersonate you and log into the remote system as you. Hacking The process of exploiting vulnerabilities and launching an attack on computers is called hacking. Hackers hack computers, networks, and telephone systems for profit, sometimes even for fun.
5
Vulnerability and Attacks
Social Engineering Social engineering is a technique used by adversaries to manipulate the social and psychological behavior of people to gain access to information or do something that they will not do in a different social setup. Identity Theft This is in order to get financial identity, personal identity, medical records, business or commercial identity. Phishing scam
6
Various Security Attacks
Brute-Force Attacks Try to find the right combination of password or encryption key. The attack is also used by researchers to test the strength of encryption algorithm. Key strength is exponential to key size.
7
Various Security Attacks
Authentication Attacks In telecom network, a device is authenticated. In data network, a user is authenticated. Dictionary Attack Passwords should never be based on known information. The attack is also used to discover s.
8
Various Security Attacks
Replay Attack Ali Baba did not know the meaning of this phrase; he heard the bandits use. In a replay attack, the adversary replays a genuine message captured earlier to perform a function intended for a legitimate user. Password Guessing Knowing user ID is relatively easy. It is likely that we have a common user ID and password for many accounts (banks, ATM, s, credit cards) Password Sniffing
9
Various Security Attacks
Spoofing attack Spoofed IP Spoofed s Spoofed SMS Denial-of-Service Attacks Distributed Denial-of-Service Attack Half-Open Attack or SYN-Flooding Denial of Service through User-ID Lock Attack Ping of Death Attack Smurf Attack
10
Various Security Attacks
Packet Sniffer Tcpdump and Ethereal (Wireshark)
11
Taking Control of Application
To take control of applications, you need to make user execute your code. Overflow Attack Stack Smashing Attack Remote Procedure Call Attack Code Injection Attacks echo Welcome $1 $2 $3 $4 hi;cat /etc/passwd|mail Luring Attack
12
Computer Security Physical Security Operating System Security
Shell Security File System Security Kernel Security Network Security
13
Typical Security in Data Network
14
Counter External Threats
Stopping Attacker the application should use all possible defenses to protect itself and all its data. Firewall Intrusion Detection System Intrusion Prevention System Honeypot Penetration Test and Ethical Hacking
15
Security Programming A programmer has a responsibility to ensure that the code written is secure and safe with minimum or no known vulnerability. Security bugs have a very high impact.
16
Security Attributes Confidentiality Integrity
A mechanism through which we keep the meaning of information or data secret. This property is also known as privacy or encryption. Integrity A property through which you can detect whether your message or data have been corrupted or tampered with.
17
Security Attributes Availability
It is necessary that the service is available for the period it is advertised. Any attack on availability is called a DoS attack.
18
Security Attributes Authentication
Authentication is a process by which we validate the identity of the parties. In nonrepudiation we identify the identity of these parties beyond any doubt. Digital signatures can achieve nonrepudiation. One-factor authentication, Two-factor authentication, Multi-factor authentication.
19
Security Attributes Authorization
Usage constraints on objects based on security level or privilege of the subject. This attribute is also called fine-grained access control or role-based security.
20
Security Attributes Accounting Anonymity
Accounting is the process by which the usage of a service is metered. Audit trails and logs for transactions in an application can also be considered as part of the accounting information. These files need security so that adversaries cannot tamper or delete them. Anonymity A property through which the user is anonymous to the external world.
21
Secured Programming In secured programming you use the security attributes to ensure that the input data are secure. Also, you use these attributes to ensure that the processed information is secured. You make the data and information secure using security algorithms, security protocols, and secured programming.
22
Safe Programming You as a programmer need to ensure that whatever program you write does not have any security vulnerability. The bottom line is that the programs you write need to be robust and failsafe.
23
Vulnerability Remediation
To minimize the security risks posed by software vulnerabilities, a two-step approach is necessary. First, minimize the number of vulnerabilities in the software that is being developed, and Second, minimize the number of vulnerabilities in the software that have already been deployed.
24
Vulnerability Remediation
Reducing the number of new vulnerabilities in the new software is the focus of secured and safe programming, while removing existing vulnerabilities is the focus of vulnerability remediation.
25
Database Security Database Authentication Database Privileges
Secure Metadata Customize Access to Information Views and Stored procedures High Availability Database Database Encryption
26
Security Standards Public-Key Cryptographic Standards
standards accepted as de facto standards for public key cryptography helping interoperability between applications using cryptography for security. CERT: Computer Emergency Response Team – OWASP: Open Web Application Security Project) –
27
Security Standards NIST: National Institute of Standards and Technology – crsc.nist.gov OASIS: Organization for the Advancement of Structured Information Standards SSE-CMM: System Security Engineering Capability Maturity Model – ISO17799
28
Readings Architecting Secure Software Systems, Chapter 1.
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.