TRINITY OF TROUBLE

Three trends
1) Connectivity
 Inter networked
 Include SCADA (supervisory control and data
acquisition systems)
 Automated attacks

2) Extensibility
 Mobile code – functionality evolves
incrementally
 Web/Os Extensibility

3) Complexity
 XP is at least 40 M lines of code 2
 Add to that use of unsafe languages (C/C++)
Bigger problem today .. And growing

3
SOLUTION …
THREE PILLARS OF SECURITY

4
Risk Analysis and Management Framework

Assets Threats Vulnerabilities

Risks
} Analysis

Security Measures } Management

5
TERMINOLOGY
The meanings of terms in this area is not universally
agreed. We will use the following
 Threat: Harm that can happen to an asset
 Impact: A measure of the seriousness of a threat
 Attack: A threatening event
 Attacker: The agent causing an attack (not
necessarily human)
 Vulnerability: a weakness in the system that makes an
attack more likely to succeed
 Risk: a quantified measure of the likelihood of a threat
being realised

6
TERMINOLOGY …
 Risk
Analysis involves the identification and
assessment of the levels of risk, calculated from
the
� Values of assets
� Threats to the assets
� Their vulnerabilities and likelihood of exploitation

 Risk Management involves the identification,

selection and adoption of security measures
justified by
� The identified risks to assets
� The reduction of these risks to acceptable levels
7
GOALS OF RISK ANALYSIS

 All assets have been identified

 All threats have been identified
� Their impact on assets has been valued
 All
vulnerabilities have been identified
and assessed

8
WHAT IS RISK?
 We just started integrating the software and we
found out that COTS* products A and B just
can’t talk to each other.
 We’ve got too much tied into A and B to change
 Our best solution is to build wrappers around A
and B to get them to talk via CORBA.
 This will take 3 months and $300K
 It will also delay integration and delivery by at
least 3 months
 Is this RISK?

*COTS: Commercial off-the-shelf

9
**CORBA: Common Object Request Broker Architecture
WHAT IS RISK?
 No, it is a problem
� Being dealt with reactively
 Risks involve uncertainties
� And can be dealt with pro-actively
� Earlier, this problem was a risk
 A and B are our strongest COTS choices
� But there is some chance that they can’t talk to each other
� Probability of loss P(L)

 If we commit to using A and B

� And we find out in integration that they can’t talk to each

other 10

� We’ll add more cost and delay delivery by at least 3 months

RISK MANAGEMENT

 Risk management is a scientific approach to

dealing with pure risks by anticipating possible
accidental losses and designing and
implementing procedures that minimize the
occurrence of loss or the financial impact of the
losses that do occur.
 Meaning: Risk as uncertainty concerning the
11
occurrence of a loss.
RISK MANAGEMENT
 Risk Management is concerned with the potential loss,
including economic loss, human suffering, or that which
may prevent the organization from being to achieve its
goals.
 To meet the organization’s specific needs, a successful
risk management program must balance risk control
and risk financing techniques while considering the
organization’s mission, vision, values, and goals.

 Many organizations are looking to implement Risk

12
Management as a way to improve the structure and
quality of the business.
Cont.…

13
 Cont.…
q Risk Assessment: The initial steps of risk management.
1) Analyzing the value of assets to the business,
2) Identifying threats to those assets, and
3) Evaluating how vulnerable each asset is to those threats.
q Risk Assessment can be quantitative (based on numerical) or
qualitative.
q The Business Continuity Management Process involves reducing risks
to an acceptable level and planning for the recovery of business
processes.

14
 Cont.…

q BCM sets the objectives, scope, and requirements for IT Service

Continuity Management.
q IT Service Continuity Management (ITSCM) ensures continuity of
IT service in time of any disaster.
q It also evaluates the level of insurance we need to protect service
assets and a manuscript to recover from a disaster.
q BCM is the business process responsible for managing risk that
could seriously affect the BCM safeguards and interests of key
stakeholders, reputation, brand, and value-creating activities.

15
Cont.….
The ITSCM process includes:
q Agreement on the scope of the ITSCM process and the policies adopted.
q Business Impact Analysis (BIA) to quantify the impact loss of IT service would
have on the business.
q Risk Analysis: the risk identification and risk assessment to identify potential
threats to continuity and the likelihood of the threats becoming a reality.
q This also includes taking measures to manage the identified threats where this
can be cost-justified.
q Production of the overall ITSCM strategy. This can be produced following the
two steps identified above and is likely to include elements of risk reduction as
well as a selection of appropriate and comprehensive recovery options.
q Production of an ITSCM plan, which again must be integrated with the overall
BCM plans.
16
q Testing of the plans.
q Ongoing operation and maintenance of the plans
 Cont.…
A standard methodology, such as the Management of
Risk (M_o_R), should be used to assess and manage
risks within an organization.

17
 Cont..
q M_o_R principles: these principles are essential for the
development of good risk management practice and are
derived from corporate governance principles.
q M_o_R approach: an organization’s approach to these
principles needs to be agreed upon and defined within the
following living documents:
q Risk Management Policy
q Process Guide
q Plans
q Risk registers 18

q Issue Logs
 Cont..
q M_o_R Processes: the following four main steps
describe the inputs, outputs and activities that ensure
that risks are controlled:
q Identify the threats and opportunities within an activity
that could impact the ability to reach its objective.
q Assess: the understanding of the net effect of the
identified threats and opportunities associated with an
activity when aggregated together
q Plan: to prepare a specific management response that
will reduce the threats and maximize the opportunities.19
q Implement: the planned risk management actions
monitor their effectiveness and take corrective action
where responses do not match expectations.
q Embedding and reviewing M_o_R: having put the
principles, approach, and processes in place, they
need to be continually reviewed and improved to
ensure they remain effective.
q Communication: having the appropriate
communication activities in place to ensure that
everyone is kept up-to-date with changes in threats,
opportunities and any other aspects of 20
risk
management.
RISK EQUATION
Risk = Vulnerability x Threat x Impact
*Probability
 Vulnerability = An error or a weakness in the
design, implementation, or operation of a system.

 Threat = An adversary that is motivated to

exploit a system vulnerability and is capable of
doing so

 Impact = the likelihood that a vulnerability will be

exploited or that a threat may become harmful.
 *Probability = likelihood already factored into 21

impact.
RISK TYPES
 Strategic – Goals of the Organization
 Operational – Processes that Achieve Goals
 Compliance – Laws and Regulations
 Reputational – Public Image
 Technical risk: Includes problem with languages, project size, project
functionality .
 Management risk: It includes lack of management experience
and lack of planing.
 Financial risk: Includes cash flow, capital and budget issues.
 Project Risks: affect project schedule or resources.
 Product Risks: affect product quality or performance of software.
22
 Personnel risk: Includes staffing lags, experience and training
problems.
HOW CAN RISK MANAGEMENT
HELP YOU DEAL WITH RISKS?

Strategies:
 Buying information
 Risk avoidance
 Risk transfer
 Risk reduction
 Risk acceptance

23
RISK MANAGEMENT STRATEGIES:

Buying Inform

 Let’s spend $30K and 2 weeks prototyping the

integration of A and B.

 This will buy information on the magnitude of P(L) and

S(L)

 If RE = P(L) * S(L) is small, we’ll accept and monitor the

24
risk
RISK MANAGEMENT STRATEGIES…
 Risk Avoidance
� COTS product C is almost as good as B, and it can talk to A
� Delivering on time is worth more to the customer than the
small performance loss
 Risk Transfers
� If the customer insists on using A and B, have them establish a
risk reserve.
� To be used to the extent that A and B can’t talk to each other
 Risk Reduction
� If we build the wrappers and the CORBA corrections right
now, we add cost but minimize the schedule delay
 Risk Acceptance
� If we can solve the A and B interoperability problem, we’ll
have a big competitive edge on the future procurements
� Let’s do this on our own money, and patent the solution 25
WHEN SHOULD YOU DO
IT?
Risk Management Starts on Day One
 Early and Late Risk Resolution
� Quotes, Notes, and Data
� Temptations to Avoid
 Early
Risk Resolution with the WinWin
Spiral Model
� Identifying Stakeholders and Win Conditions
� Model Clash and Win-Lose Risk Avoidance
� Avoiding Cost/Schedule Risks with the SAIV
Model 26
EARLY RISK RESOLUTION QUOTES

“In architecting a new software program, all

the serious mistakes are made on the first
day.”
Robert Spinrad, VP-Xerox, 1988

“If you don’t actively attack the risks, the

risks will actively attack you.”
Tom Gilb, 1988

27
DAY ONE TEMPTATIONS TO AVOID -
I It’s too early to think about risks. We

need to:
 Finalize the requirements
� Maximize our piece of the pie

� Converge on the risk management

organization, forms, tools, and procedures.
Don’t put the cart before the horse.

 The real horse is the risks, and it’s leaving the 28

barn
DAY ONE TEMPTATIONS TO AVOID - II
 We don’t have time to think about the risks. We
need to:
 Get some code running right away

� Put on a socko demo for the customers

� Be decisive, Lead and Make commitments.

 The Contrarian’s Guide to Leadership (Sample,

2002)

� Never make a decision today that can be put off till

tomorrow. 29

� Don’t form opinions if you don’t have to. Think gray.

DAY ONE TEMPTATIONS TO AVOID - III
 Unwillingness to admit risks exist
� Leaves impression that you don’t know exactly
what you’re doing
� Leaves impression that your bosses, customers
don’t know exactly what they’re doing
� “Success-orientation”
� “Shoot the messenger” syndrome
 Tendency to postpone the hard parts

� Maybe they’ll go away

� Maybe they’ll get easier, once we do the easy
parts
 Unwillingness to invest money and time up front 30
RISK MANAGEMENT
FRAMEWORK: FIVE STAGES

 RMF occurs in parallel with SDLC activities

Set By: Fantahun B.

Measurement and reporting
1 2 Identify 3 4
Understand the Business Define the Risk
Synthesize and
the Business and Technical Mitigation
Rank the Risks
context Risk Strategy
Artifact Analysis

Business
Context
5
Carry out fixes
And validate
23
STAGE 1:
UNDERSTAND BUSINESS
CONTEXT
 Risk management
� Occurs in a business context
� Affected by business motivation
 Key activity of an analyst
� Extract and describe business goals – clearly
 Increasing revenue; reducing dev cost; meeting SLAs;
generating high return on investment (ROI)
� Set priorities
� Understand circumstances
 Bottomline – answer the question
� who cares?
32
STAGE 2: IDENTIFY THE
BUSINESS &
TECHNICAL RISKS
 Business risks have impact

� Direct financial loss; loss of reputation; violation of

customer or regulatory requirements; increase in
development cost

 Severity of risks
� Should be capture in financial or project management
terms

 Key is –
33
� tie technical risks to business context
ØFor example, a technical risk may give rise to
Øthe system behaving in an unexpected way,
Øviolating its own design structures, or failing to perform
as required.
Øthe process of building software may offer too many
opportunities for mistakes in design or implementation.
ØTechnical risks involve impacts such as
ØUnexpected system crashes,
ØAvoidance of controls
ØUnauthorized data modification or disclosure
ØNeedless rework of artifacts during development.
34
STAGE 3: SYNTHESIZE AND RANK THE
RISKS

 Prioritize the risks alongside the business goals

 Assign risks appropriate weights for resolution

 Risk metrics

� Risk likelihood

� Risk impact

� Number of risks mitigated over time

35
ØIn this stage the critical "Who cares?" question can be answered.
ØSynthesis and prioritization should be driven to answer questions
such as:
Ø"What shall we do first given the current risk situation?"
Ø"What is the best allocation of resources, in terms of risk
mitigation activities?“
Ø The prioritization process must take into account
Øwhich business goals are the most important to the organization,
Øwhich goals are immediately threatened,
Øhow likely technical risks are to manifest themselves in a way that
impacts the business.
ØAll the risks and their appropriate weighting for resolution. 36

ØTypical risk metrics include risk likelihood, risk impact and risk
STAGE 4: RISK MITIGATION STRATEGY
 Develop a coherent strategy
� For mitigating risks
� In cost effective manner; account for
 Cost Implementation time
 Completeness Impact
 Likelihood of success

A mitigation strategy should

� Be developed within the business context
� Be based on what the organization can afford, integrate
and understand
� Must directly identify validation techniques
Typical metrics are financial in nature and include estimated
cost takeout, ROI, method effectiveness in terms of dollar 37
impact, and percentage of risk coverage.
STAGE 5: CARRY OUT FIXES AND
VAThose
LIDATE
artifacts where problems have been identified (e.g.,
architectural flaws in a design, requirements collisions, coding
errors, or problems in testing) should be rectified.
 Validate that risks have been mitigated
� Testing can be used to demonstrate and measure the
effectiveness of risk mitigation activities.
� Develop confidence that unacceptable risk does not remain

� This stage should define and leave in place a repeatable,

measurable, verifiable validation process that can be run from
time to time to continually verify artifact quality.

� Typical metrics employed during this stage include artifact

quality metrics as well as levels of risk mitigation
38

effectiveness.
RESPONSES TO
RISK
Responses to risk
 Avoid it completely by withdrawing from an activity

 Accept it and do nothing

 Reduce it with security measures

39
SECURITY MEASURES

Possible security measures

 Transfer the risk, e.g. insurance

 Reduce vulnerability
� Reduce likelihood of attempt

 e.g. publicise security measures in order to deter attackers

 e.g. competitive approach - the lion-hunter’s approach to security

� Reduce likelihood of success by preventive measures

 e.g. access control, encryption, firewall

 Reduce impact, e.g. use fire extinguisher / firewall

40
 Recovery measures, e.g. restoration from backup
ITERATE
 Adding security measures changes the
system
� Vulnerabilities may have been introduced

 After deciding on security measures, revisit the

risk analysis and management processes
� e.g. introduction of encryption of stored files may remove
the threat to Confidentiality but introduce a threat to
Availability

 What happens if the secret key is lost? 41

BRAIN STORMING

 Imagine that an adversary wants to deliberately disrupt your systems. Or perhaps a well
intentioned engineer with a privileged account makes a far-reaching change by mistake.

 Since you understand your systems well, and they’re designed for the least privilege and
recovery, the impact to your environment is limited.

 When investigating and performing incident response, you can identify the root cause of
the issues and take appropriate action.

 Security isn't a one-time effort. You must implement this guidance on a recurring basis.
 CHAPTER TWO
SECURITY DESIGN PRINCIPLES

§ Developing an infrastructure that’s considerably secure is not an easy task with the ever-
increasing sophistication of hackers.

§ If you are to consider yourself an information security expert, however, you need to be aware
of the tenets of a secure system.

§ These principles should guide the security of our architecture, design choices, and
operational processes.

§ Secure design principle promotes the concept of defense in depth, in which multiple
layers of security complementing each other are used in order to increase the
overall security.
 THE THREE PILLARS OF SOFTWARE SECURITY

 Software security naturally borrows heavily from software engineering,

programming languages, and security engineering.

 The three pillars of software security are applied risk management,

software security touchpoints, and knowledge.
 RISK MANAGEMENT

 Successful risk management is business-level decision-support tool: a way to

gather the requisite data to make a good judgment call, based on knowledge of
vulnerabilities, threats, impacts, and probabilities.

 To make risk management coherent, it is useful to draw a distinction between the

application of risk analysis at the architectural level (sometimes called threat modeling
or security design analysis) and the notion of tracking and mitigating risk as a full
lifecycle activity.

 However, security risks crop up throughout the SDLC thus, an overall approach to risk
management as a philosophy is also important.

 These underlying approach is called the risk management framework (RMF).

SOFTWARE SECURITY TOUCHPOINTS
KNOWLEDGE
SAFE PROXIES IN PRODUCTION ENVIRONMENTS

§ Safe proxies are a framework that allows authorized persons to

access or modify the state of physical servers, virtual machines, or
particular applications.
§ In general, proxies provide a way to address new reliability and
security requirements without requiring substantial changes to
deployed systems.
§ Safe proxies represent a single entry point between networks and
are key instruments that enable us to do the following:
§ Audit every operation in the fleet
§ Control access to resources
§ Protect production from human mistakes at scale
 WHAT IS ZERO TRUST IT SECURITY?
§ Zero Touch Prod is a project at Google that requires every change in
production to be made by automation (instead of humans), pre-validated
by software, or triggered through an audited break glass mechanism.

§ Safe proxies are among the set of tools we use to achieve these principles.

§ Zero Trust is an approach to designing security architectures based on the

premise that every interaction begins in an untrusted state.

§ This contrasts with traditional architectures which may determine

trustworthiness based on whether communication starts inside a firewall.

§ More specifically, Zero Trust attempts to close gaps in security

architectures that rely on implicit trust models and one-time
authentication.
 CONT..
v Zero Trust has gained popularity because the global threat landscape has
evolved, challenging long held assumptions about the inherent trustworthiness
of activities inside a network.

v Well-organized cybercriminals can recruit insiders, and continue to find new

ways past the outer shell of traditional security architectures.

v Sophisticated hacking tools and commercialized ransomware-as-a-service

platforms have also become more widely available, making it easier for new
kinds of financially motivated criminals and cyber terrorists to operate

v For instance, these critical components needed for successful adoption of a

Zero Trust strategy may already be present as part of a conventional security
architecture:
CONT.…
§ Identity

§ Access

§ Authorization

§ Automated policy decisions

§ Ensuring resources are patched

§ Continuous monitoring with transactions that are logged and analyzed

§ Repeatable activities that are prone to human errors automated as

much as possible

§ Behavioral analytics and threat intelligence used to improve asset

security
 WHAT IS DEVSECOPS?

 DevSecOps stands for development, security, and operations.

 It's an approach to culture, automation, and platform design that integrates security as a shared
responsibility throughout the entire IT lifecycle.

 DevOps isn’t just about development and operations teams.

 If you want to take full advantage of the agility and responsiveness of a DevOps approach, IT security
must also play an integrated role in the full life cycle of your apps.

 Effective DevOps ensures rapid and frequent development cycles(sometimes weeks or days), but
outdated security practices can undo even the most efficient DevOps initiatives.

 Now, in the collaborative framework of DevOps, security is a shared responsibility integrated from end
to end.
 CONT.…
 It’s a mindset that is so important, it led some to coin the term
"DevSecOps" to emphasize the need to build a security foundation
into DevOps initiatives.
 DevSecOps means thinking about application and infrastructure
security from the start. It also means automating some security gates
to keep the DevOps workflow from slowing down.
 WHAT IS CONTAINER SECURITY?
 Container security involves defining and adhering to build, deployment, and
runtime practices that protect a Linux container from the applications they
support to the infrastructure they rely on.

 As organizations transition to micro service design patterns and container

technologies such as Docker and Kubernetes security teams are challenged to
develop container security solutions that facilitate these infrastructure shifts.

In general continuous container security is about

 Securing the container pipeline of the application

 Securing the container deployment environment and infrastructures

 CHAPTER FOUR
WORMS AND OTHER MALWARES

1
 WORMS AND OTHER MALWARES

▪ Whether wired or wireless, computer networks are essential to

everyday
activities.
▪ Individuals and organizations depend on their computers and
networks
for functions such as email, accounting, organization, and
file
Intrusion by an unauthorized person can result in costly network
▪ management.
outages
and loss of work.
▪ Attacks to a network can be devastating and can
result
in a loss of time and money due to damage or theft of
important
information or assets.

2
• Intruders can gain access to a network through software vulnerabilities, hardware
attacks, or
even through less high-tech methods, such as guessing usernames and
passwords.
• Intruders who gain access by modifying software or exploiting software vulnerabilities
are often
called threat
actors.
▪ When the threat actor gains access to the network, four types of threat
may arise:
✓ Information
theft
✓ Data loss and
manipulation
✓ Identity theft

✓ Disruption of
service
• Information theft is breaking into a computer to obtain confidential
information.
• Information can be used or sold for various purposes such as when someone is
stealing
proprietary information of an organization, like research and
development data.
• Data loss and manipulation is breaking into a computer to destroy or alter
data records.
• An example of data loss is a threat actor sending a virus that reformats a computer3
hard driv
• An example of data manipulation is breaking into a records
system
changetoinformation, such as the price of an
item
• Identity theft is a form of information theft where personal
information
is stolen for the purpose of taking over the identity of
someone.
• Using this information, a threat actor can obtain legal
documents,
apply for credit, and make unauthorized online
purchases.
• Identity theft is a growing problem costing billions of dollars per
year.
• Disruption of service is preventing legitimate users from
accessing
services to which they are
entitled.
• Examples include denial of service (DoS) attacks on servers,
network
devices, or network communications
links.
• Security threats from network intruders can come from both
internal
and external
sources.
4
 4.1. EXTERNAL THREATS

• External threats arise from individuals working outside

oforganization
an
.
• They do not have authorized access to the computer
systems
or
network.
• External attackers work their way into a network
mainly
from the internet through wireless links or dial-up
access
servers.

5
 4.2. INTERNAL THREATS
• Internal threats occur when someone has authorized access to the network
through a user
account or has physical access to the network equipment. Internal attackers
know the
• internal politics
They often knowand people.
what information is both valuable and vulnerable, and how to
get to it.
However, not all internal attacks are
intentional.
• In some cases, an internal threat can come from a trustworthy employee who
picks up a
virus or security threat while outside the company and unknowingly brings it
into the
• internal network.spend considerable resources defending against external
Most companies
attacks,however;
some of the most damaging incidents are the result of actions by trusted
internal users.
• Lost smartphones and removable storage devices, misplaced or stolen laptops,
and the
failure to properly remove data from devices before disposal are common ways
that user 6
4.3. Social Engineering attack
▪ One of the easiest ways for an intruder to gain access, whether internal or
external, is
by exploiting human
behavior.
▪ One of the more common methods of exploiting human weaknesses is
called social
engineering.

▪ Social engineering is a term that refers to the ability of something or

someone
influencetothe behavior of a person or group of
people.
▪ With these techniques, the attacker takes advantage of unsuspecting legitimate
users to
gain access to internal resources and private information, such as bank
account
Social engineering
• numbers attacks exploit the fact that users are generally
or passwords.
considered onelinks
the weakest of in
security.
• Social engineers can be internal or external to the organization, but most
often
comedoface-to-face
not with their
victims. 7
8
 4.4. MALICIOUS SOFTWARE

• In addition to social engineering, there are other types of attacks launched by malicious
software
which exploit the vulnerabilities in computer
software.
• Malware is the short name for malicious
software.
• Examples of malware attacks include viruses, worms, and Trojan
horses.

• All of these are types of malware introduced onto a host.

• They can damage a system, destroy data, as well as deny access to networks, systems, or
services.

• They can also forward data and personal details from unsuspecting PC users to
criminals.

•• In many how
Imagine cases, they can
difficult replicate
it would themselves
be to and spread
recreate saved to other
files, such hosts
as game connected
files, to
license key
the
files,network.
photographs, and
videos.
• Sometimes these techniques are used in combination with social engineering to trick an
unsuspecting
user into executing the
attack. 9
 4.4.1. TYPES OF MALWARE
• Viruses A virus is a program that spreads by modifying other
programs
or files.
• A virus cannot start by itself; it needs to be activated. When
activated,
virus maya do nothing more than replicate itself and
spread.
• Though simple, even this type of virus is dangerous as it can
quickly
use all available memory and bring a system to a
halt.
• A more serious virus may be programmed to delete or corrupt
specific
files before
spreading.
• Viruses can be transmitted via email, downloaded files, and
instant
messages, or via CD or USB
devices.

10
• Worms: A worm is similar to a virus, but unlike a virus, it does not need to
attach
itself to an existing
program.
• A worm uses the network to send copies of itself to any
connected hosts.
• Worms can run independently and spread quickly. They do not necessarily
require
activation or human
intervention.
• Self-spreading network worms can have a much greater impact than a single
virus
canand
infect large parts of the internet
quickly.
Trojan Horses
• A Trojan horse is a program that is written to appear like a legitimate
program,
when in fact it is an attack
tool.
• It can not replicate itself. A Trojan horse relies upon its legitimate
appearance
to deceive the victim into initiating the
program.
• It may be relatively harmless or may contain code that can damage
the hard
drive content of the computer. Trojans can also create a back
door into a
system that then allows threat actors to gain access. 11
Spyware
• Not all attacks do damage or prevent legitimate users from having access to
resources.
• Many threats are designed to collect information about users which can be
used for
advertising, marketing, and research
purposes.
• These include spyware, tracking cookies, adware, and
popups.
• While these may not damage a computer, they invade privacy and can be
annoying.
• Spyware is any program that gathers personal information from your computer
without
your permission or
knowledge.
• This information is sent to advertisers or others on the internet and
can include
passwords and account
numbers.
• Spyware is usually installed unknowingly when downloading a file, installing
another
program, or clicking a
popup.
• It can slow down a computer and make changes to internal settings which
creates more
vulnerabilities for other
threats. 12
• In addition, spyware can be very difficult to
• This information is sent to advertisers or others on the internet and
can include
passwords and account
numbers.
• Spyware is usually installed unknowingly when downloading a file, installing
another
program, or clicking a
popup.
• It can slow down a computer and make changes to internal settings which
creates more
vulnerabilities for other
threats.
Tracking Cookies
▪ Cookies are a form of spyware but are not always bad.
▪ They are used to record information about an internet user when the user visits
websites.
▪ Cookies may be useful or desirable by allowing personalization and other
time-saving
techniques.
▪ Many websites require that cookies be enabled in order to allow the user to
connect.

13
Adware and Popups

▪ Three of the most common methods threat actors use to obtain

information directly
from authorized users go by unusual names: pretexting, phishing, and
vishing.
▪ Adware is a form of spyware that is used to collect information about a
user
on based
websites the user
visits.
▪ That information is then used for targeted advertising. Adware is
commonly
installed by a user in exchange for a "free"
product.
• When a user opens a browser window, adware can start new browser
instances
which attempt to advertise products or services based on the surfing
practices of a
user.
• The unwanted browser windows can open repeatedly, and can make
surfing the very difficult, especially with slow internet
internet
connections.
• Adware can be very difficult to
uninstall.
14
Popups and pop-unders are additional advertising windows that display
when
a website is visited.
• Unlike adware, popups and pop-unders are not intended to collect
information
about the user and are typically associated only with the website being
visited.
Pop-unders - These open behind the current browser
Popups
window.- These open in front of the current browser window.
• They can be annoying and usually advertise products or services that
are not by the
wanted
user.
Botnets and Zombies
• Another annoying by-product of our increasing reliance on
electronic
communications is unwanted bulk
email.
• Sometimes merchants do not want to bother with targeted
marketing.
• They want to send their email advertising to as many end users as
possible
hoping that someone is interested in their product or
service.
• This widely distributed approach to marketing on the internet is
called spam.
• One of the ways that spam can be sent is by using a botnet
15
or bot.
▪ "Bot" is derived from the word "robot" which describes how the
devices act are
when they
infected.
▪ Malicious bot software infects a host, usually through an email or web
page
link, by downloading and installing a remote control
function.
▪ When infected, the “zombie” computer contacts servers managed by
the botnet
creator.
▪ These servers act as a command and control (C&C) center for an
entire
network of compromised devices, which is called a
botnet.
• Infected machines can often pass the software to other unprotected
devices in
their network, increasing the size of the
botnet.
• Some botnets include many thousands of infected
devices.
• Bot software programs can also cause security issues on the infected
machines.
• This is because the installed software may include the ability to log
keystrokes,
gather passwords, capture and analyze packets, gather financial
information,
launch DoS attacks, and relay spam. 16
Denial of Service
(DoS)
DoS attacks are aggressive attacks on an individual computer or
groups
of computers with the intent to deny services to intended users.
DoS attacks can target end-user systems, servers,
routers,
and network links.
• DoS attacks are relatively simple and can be initiated by an
unskilled
threat
actor.
• A threat actor uses a DoS attack to perform these
functions:
✓Flood a network, host, or application with traffic to prevent
legitimate
network traffic from
flowing.
✓Disrupt connections between a client and server to prevent
access to a
service.
• There are several types of DoS attacks. Security administrators
need to
be aware of the types of DoS attacks that can occur and 17
ensure that
Distributed Denial of Service
(DDoS)
• DoS attacks that are coming from a single IP address can disrupt a
website for
a period of time until the attack can be isolated and defended against.
• More sophisticated types of attacks can bring web services offline for
much
DDoS lengths
• longer is a more sophisticated and potentially damaging form of
of time.
the DoS
attack.
• It is designed to saturate and overwhelm network links with useless
data.
• DDoS operates on a much larger scale than DoS attacks.
• Typically hundreds or thousands of attack points attempt to
overwhelm a
target simultaneously.
18
 4.5. SECURITY PRACTICES AND
PROCEDURES
• It is never wise to assume that your device or network will
not be
the next target of an
attack.
• Taking protective measures can guard you from loss of
sensitive
or confidential data, and can protect your systems from
being
Security procedures
• damaged can range from simple, inexpensive
or compromised.
tasks
such as maintaining up-to-date software releases, to
complex
implementations of firewalls and intrusion detection 19

systems.
• Some of the most effective security procedures are simple to
implement and extensive technical
do not require
knowledge.
• A username and password are two pieces of information that a user
needs toto a computer or
log on
application.
• When a threat actor knows one of these entries, the attacker
needs
crackonly to
or discover the other entry to gain access to the computer
system.
• It is important to change the default username for accounts
such as
administrator or guest, because these default usernames are widely
known.
• Whenever possible, change the default usernames of all users on
computers
network and
equipment.
• Most users select passwords that can be easily guessed or derived from
known
information about the user such as birthdays, pet names, or a favorite
sports team.
• It is important to view passwords as a key to valuable data and to make them
as as
secure
possible.
20
 4.6. SECURITY TOOLS AND APPLICATIONS
• Internet security is a major concern around the world. Many tools are available to
network users
to protect the devices from attacks and to help remove malware from infected
machines.

21
 4.7. SIGNS OF INFECTIONS

• Even when the OS and applications have all the current

patches and
updates, they may still be susceptible to
attack.
• Any device that is connected to a network is susceptible to
viruses,
worms, and Trojan
horses.
• These may be used to corrupt OS code, affect
computer
performance, alter applications, and destroy
data.
So how do you know if your computer has been
infected?
• Some of the signs that a virus, worm, or Trojan horse may be
present
include the following:
✓Computer starts acting
abnormally
✓Program does not respond to mouse and
keystrokes
✓Programs starting or shutting down on their
22
own
✓ Email program begins sending out large quantities of
email
✓ CPU usage is very high
✓ There are unidentifiable processes or a large number of processes
running
✓ Computer slows down significantly or crashes, such as the when the
Windows
screen of“blue
death” (BSoD)
appears.
Antimalware includes a variety of software available to detect and prevent these
types of
intrusions and infections including antivirus software, antispam
software, and
antispyware software.

23
Antivirus Software
• Antivirus software can be used as both a preventive tool and as a reactive
tool.
• It prevents infection. It detects and removes viruses, worms, and Trojan
horses.
•• Antivirus software should
Antivirus software relies on
be known “virus
installed signatures”
on all computerstoconnected
find and prevent
to the new
viruses
from infecting the
network.
computer.
Some of the features that can be included in antivirus
programs are:
• Email checking - Scans incoming and outgoing emails, and identifies
spam and
suspicious
attachments.
• Resident dynamic scanning - Checks program files and documents when
they are
accessed.
• Scheduled scans - Virus scans can be scheduled to run at regular intervals and
check
specific drives or the entire
computer.
• Automatic Updates - Checks for and downloads known virus
characteristics
patterns. and
• Can be scheduled to check for updates on a regular
basis. 24
Antispam Software
• No one likes opening their email and being overwhelmed by
unwanted
messages.
• Spam is not only annoying; it can overload email servers and
potentially carry
viruses and other security
threats.
• Additionally, people who send spam may use links within the emails
tocontrol
take of a host by planting code on it in the form of a virus or a Trojan
horse.
• Antispam software protects hosts by identifying spam and
performing an as placing it into a junk folder or
action, such
deleting it.
• Spam filters can be loaded on individual devices, but can also be
loaded
emailon
servers.
• Antispam software does not recognize all spam, so it is important
toemail
open carefully.

25
Antispyware software

Spyware and adware can also cause virus-like

symptoms.
• In addition to collecting unauthorized information, they can use important computer resources
and affect
performance.

• Antispyware software detects and deletes spyware applications, as well as prevents future
installations from
occurring.

• Many antispyware applications also include detection and deletion of cookies and adware. Some
antivirus
packages include antispyware
functionality.
Popup blocker

Popup blocking software can be installed to prevent popups and pop-

unders.
• Many web browsers include a popup blocker feature by
default.
• Note that some programs and web pages
create
necessary and desirable
popups.
• Most popup blockers offer an override feature for this 26
purpose.
 CONT..

Additional Safeguards
One of the most common types of spam forwarded is a
virus
warning.
• Although some virus warnings sent via email are true, a
number of them are hoaxes and do not really
large
• exist.
This type of spam can create problems because people
others of the impending disaster and so flood the email
warn
• system.
In addition, network administrators may overreact and
time investigating a problem that does not
waste
• exist.
Finally, many of these emails can actually
to the spread of viruses, worms, and Trojan
contribute
horses.

27
 CONT..

In addition to using spam blockers, other actions to prevent the spread

of spam
•include
Apply the
OS following:
and application updates when
available.
• Run an antivirus program regularly and keep it up to
date.
•• DoDo not
not forward suspicious
open email emails.especially from people you do not
attachments,
know.
•• Set up rules
Identify in your
sources of email
spam to delete
and spam
report it tothat bypass the
a network antispam
administrator so
software.
it blocked.
can be
• Report incidents to the governmental agency that deals with abuse
by spam.

28
 Chapter Five
Crypto
Concepts
Outline
 What is
cryptography?
 Application of cryptography
 Symmetric key
cryptography
 Public Key Cryptography
 Basic Security Properties (Revision)
 Confidentiality: to prevent unauthorized
disclosure
of the
 information
Integrity: to prevent or detect
unauthorized
modification of the
information
 Authentication: to p rove the
person/computer
who she/it claims is to be (verify the identity of a
 user)
Availa bility: to guarantee access to
information
 Privacy: to prevent disclosure of
personal
informatio

nAccess control: The limitation and
controlthrough
access of identification and
authentication.
 Problem 1:Secure communication

Alice Eve Bob

M M

Secure communication over unsecure

channel
 Secure channel :an adversary does not have
theability to reorder, insert, or
read.
 Unsecure channel : parties other than those
for
which the information is intended can
reorder,
delete, insert, or read.
 Problem 2: Secure Storage

Secure storage on un-trusted

hosts
 Secure storage one from which only authorized users
can
have access (read) to its information.
 Un-trusted host (and storage) one which
unauthorized
users can have access to with the intent to read,
delete,
1-What is Cryptography?
 Cryptography is the science and study of secret
writing
(practice and study of hiding
information)

 Encryption :is the process of converting data

into
meaningless form.
 Decryption :the translation of encrypted data
 Crypto-analysis
 Crypto-analysis(from the Greek
kryptós,
"hidden", and analýein, "to loosen" or
"to
– The study of methods for obtaining
untie")
the is
meaning of encrypted information
without
access to the secret key which is
 Typically, this involves finding the
normally
secret
keyrequired to do so.
2-Applications of Cryptography
1 File encryption
▪ „Files are stored in encrypted form on
▪disk
„Only owner and other authorized users
has the key for decrypting the
secret
file
 Attacks on standard file protection:
▪ „Boot computer with a new operating
system CD
▪ „Steal hard d rive
2 Communication Encryption:
▪ Alice and Bob communicate over the
internet
• „Communication between browser and web
server
2-Applications of Cryptography…
3 Digital right management : refers to hardware
and
software systems providing access control for
digital
▪ Encrypting music
content (e.g., music and video files)
• Software music players (e.g., iTunes) encrypt
purchased
songs
• Songs are stored encrypted on disk and decryption
keys
stored within player which is shared with a limited
number
4-E-cashof trusted devices
▪ Encryption is used in electronic money
schemes to
protect conventional transaction data like
▪ account
Digital signatures can replace handwritten
numbers
signatures and transaction amounts.
or
a credit-card
authorizations.
 Cryptographic systems
 Cryptographic systems are generically classified
along
three independent
dimensions.
1. Based on the type of operations used for
transforming
▪ plaintext to ciphertext.
Substitutions: changing the plaintext one piece at a
▪ time.
Transformations: encrypt plaintext by moving small
▪ pieces
Fundamental requirement is that no information
of the
be lostmessage around.
2. Based on the number of keys used for encryption
and
• decryption
Using a single key for encryption and decryption
o Called Symmetric/Conventional encryption
o The same key is used to encrypt and decrypt a
message
P = DK [EK (P) ]
 Cryptographic systems…
• A pair of keys are used for encryption and
decryption
o Called Asymmetric/Public key encryption
o keys for encryption and decryption are different
but form a unique pair
o P = DKD [E KE (P) ]
o Only one of the keys need to be private while
the other can be public
3. Based on the way in which the plaintext is
processed
• Stream cipher: processes the input
elements
continuously, producing output one element
• at a cipher: processes the input one block
Block
of time.
elements at a time, producing an output
 Cryptosystem Elements
 Quintuple(E, D, M, K, C)
▪ M:set of plaintexts
▪ K:set of keys
▪ C:set of ciphertexts
▪ E:set of encryption
functions
▪ e: Mof
▪ D:set xK→ C
decryption
functions
▪ d: C K →M
x
3- Symmetric / Conventional
Encryption
 The only form of encryption prior to late
1970s


Plaintext:
EncryptionThe original message
algorithm: Performsor data
various
substitutions
and transformations
▪ Substitutions: onthe
changing theplaintext
plaintext.
one piece at a
time.
▪ Transformations: encrypt plaintext by moving small
pieces
of the message around.
 Ciphertext: Scrambled message produced as
 Secret key: Input to the encryption algorithm.
output.▪ Depends on the plaintext and the
 secret algorithm:
Decryption key Encryption algorithm run
in
▪ reverse.
Uses ciphertext and the secret key to produce the
plaintext
original
 Symmetric Encryption Cont..
Simplified Encryption Model:
Symmetric Encryption Cont..
 Symmetric Encryption Cont..
 A source produces a message in
X = [x1 ,x2,…,x M]
plaintext,
 The M elements of X are letters in
some
finite alphabet.
For1,Kencryption,
 [K 2,…,K ]J is a key of the form K
= generated.
▪ The key should be provided to receiver
by
means of some secure channel.
▪ deliver theparty
The third key for
can generate and
both.
securely
 Symmetric Encryption Cont..

 With the message and the encryption

key as
input, the encryption
1 2 algorithm
N forms the
ciphertext
Y = EK(X),Y =where
[Y ,Y ,…,Y
Y is ] ciphertext, E
is
encryption algorithm.
 Receiver in verts X = D (Y ), where D
K
is decryption
algorithm.
 An opponent attempts to recover X or
K both.
or
Attacks on Symmetric encryption
 Objective of an attack is to recover the key in
use
rather than simply to recover the plaintext of a
single
 There are two general approaches to
ciphertext.
attacking a
conventional encryption
a) scheme:
Cryptanalysis: rely on the nature of the
algorithm
plus perhaps some knowledge of the general
characteristics of the plaintext or even some
sample
▪ Exploits the characteristics of the algorithm to
plaintext–ciphertext
attempt to deducepairs.
a specific plaintext or to
deduce
the key being used.
Attacks on Symmetric encryption
b) Brute-force attack: The attacker tries
every possible key on a piece of
ciphertext
until an intelligible translation into
plaintext
 On average, half of all possible keys
is obtained.
must
be tried to achieve
success.
Crytoanalysis attack
 Only relatively weak algorithms fail
towithstand a known plaintext
attack.
 Gen erally an encryption algorithm is
designed
to withstand a known-plaintext
 attack.
An encryption algorithm meets one or
both
the of
following:
▪ The cost of breaking the cipher exceeds the
value
the of
encrypted
▪ information.
The ti me required to break the cip her e xceed
s the
useful lifetime of the
information.
 An encryption scheme
is: ▪ Unconditionally secure
• If the ciphertext generated does not
contain
enough information to determine
• uniquely the information doesn’t
The required
corresponding plaintext.
exist.
• Except one-time pad scheme, there is
no
encryption algorithm that is
unconditionally
▪ Computationally
secure.
secure
• The amount of cost and time exceeds the
value
and lifetime of the information
required to
Substitution and transposition techniques

1. Substitution
techniques
▪ Letters of plain text are replaced by
letters or by numbers or
other
2. symbols.
Transposition
Techniques
▪ Performing some sort of permutation
on the
plaintext
letters.
A-Substitution Techniques
i) Spartan SCYTALE (c 500 B.C.)
 Itwas used by the Spartan
Military
for encoding message sent
between
commanders.
ii) CEASAR Cipher
ii) CEASAR Cipher…
ii-CEASAR Algorithm
Example
ii-CEASAR’s Problem

 Key is too short, can be found by exhaustive

search.
 Monoalphabetic ciphers are easy to break
because
they reflect the frequency data of the original

alphabet
Countermeasure
▪ Homophonic Cipher-provide multiple substitutes
forsingle
a
▪ character.
Polyalphabetic cipher-change the substitution
pattern
(key) on a character
basis
iii-Playfair Cipher
 Best-known multiple-letter
encryption
 Algorithm is based on the use of a 5
x5
matrix of letters
 Example
 Constructed by using keyword
M O N A R

C H Y B D

E F G I/J K

L P Q S T

U V W X Z
iii-Playfair Cipher …

 The keyword is
monarchy.
 The matrix is constructed by filling in
the
letters of the keyword (minus
duplicates)
from left to right and from top to
bottom,
and then filling in the remainder of
 The letters I and J count as one
the
letter.
matrix with the remaining letters
in
 iii-Playfair Cipher-Encryption
 Plaintext is encrypted two letters at a
time
according to the following
rules:
1. Repeating plaintext letters that are in the same
pair are
separated with a filler letter, such as x, so that
balloon
2. Two plaintext letters that fall in the same row
M O N A R of would
the be treated as ba lx lo on.
C H Y B D matrix
the firstare each replaced
element of the by
rowthe letter tofollowing
circularly the
theF
E G I/J K right,
last. with
L P Q S T
U V W X Z ▪ For example, AR is encrypted as
RM. plaintext letters that fall in the same
3. Two
column are
each replaced by the letter beneath, with
the top
element of the column circularly following the last.
iii-Playfair Cipher-Encryption
M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z

Example, MU is encrypted as
4. CM.
Otherwise, each plaintext letter in a
pair is
replaced by the letter that lies in its own
row
and theHScolumn
Example. becomesoccupied
BP and ea by the IM
becomes
other
(or
plaintext letter. wishes).
JM, as the encipherer
iii-Playfair Cipher …

 Great advancement over

cipher.
monoalphabetic
 There are about 26 x 26 = 676
diagrams.
 More difficult to identify
individual
diagrams and relative frequencies of
letters,
so the playfair cipher was unbreakable
for a
long.
iv-Vigènere Cipher
iv-Vigènere Cipher-Example
iv-Cryptanalysis of Vigenere

 On polyalphabetic ciphers we
need
▪ Number of alphabets used
Key for each
one
 Cryptanalysis is harder since it is not
only a
matters to check how the frequency has
shifted
iv’-One-time Pad
 A Vigenère cipher with a random key at least as
long
as the message so that the key need not be
repeated.
 Probably
unbreakable
 Why?

Look at ciphertext DXQR. Equally likely to

correspond to plaintext DOIT (key AJIY) and to
plaintext DONT (key AJDY) and any other 4
 letters.
The key is to be used to encrypt and decrypt a
single
message, and then is
discarded.
iv’-One-time Pad …
 Warning: keys must be random, or
you
can attack the cipher by trying to
regenerate the key
 Very large number of alphabets: one
time
pad (large non-repeating keys on a
pad)
 Each different, each used once
and
discarde
dProblems: Printing, distribution,
storage
B-Transposition Techniques
 Performing some sort of permutation on the
plaintext
letters.
 The simplest such cipher is the rail fence
technique
 Plaintext is written down as a sequence of diagonals
and
then read off as a sequence of
rows.
 Example with k=2.

 Plaintext: “meet me after the toga

party”
 Encryption using railfence cipher

 Ciphertext:“MEMATRHTGPRYETEFETEOAAT”
 How to decrypt it?
 A more complex scheme is to write the
message in a
rectangle, row by row, and read the message
off,
column by column but permute the order of
 The order of the columns then becomes the key
to the
the
algorithm.
columns.
 For example:
key=4312567
 The transposition cipher can be made
significantly more secure by performing
more
 than one stageofofprevious
Transposition transposition.
output
(TTNAAPTMTSUO AOD WCOI X KNLYPETZ) with
the same key
4-Modern Cryptography
i.Feistel Cipher
ii.Simplified DES(S-DES)
iii.DES: Data Encryption Standard.
iv-3DES
Shannon theory
 Confusion (K C)
▪ Confusion makes the relation between the key
and the
ciphertext as complex as
▪ possible.
Ideally, every letter in the key influences every
letter
the of
ciphertext
block.
▪ Replacing every letter with the one next to it on the
typewriter
keyboard is a simple example of confusion by
substitution.
▪ Good confusion can only be achieved when each
character of the ciphertext depends on several
parts of
the key, and this dependence appears to be
▪ random to do not offer much confusion
Ciphers that
theas
(such observer.
Vigenère cipher) are vulnerable to frequency
analysis.
Shannon theory
 Diffusion (M C)
▪ A fixed transformation can show good encryption
atfirst
the iterations but it can fail in the long
▪ run.
Diffusion refers to the property that the
statistics
structure of the plaintext is dissipated into long
▪ range
In contrast to confusion, diffusion spreads the
statistics
of a singleofplaintext
influence the ciphertext.
letter over many ciphertext
▪ letters.
In terms of the frequency statistics of letters,
digrams,
etc in the plaintext, diffusion randomly spreads
▪ them
This means that much more ciphertexts are
across
needed several characters
to
do a meaningful statisticalinattack
the ciphertext.
on the
cipher.
Shannon theory
 Unconditional security
▪ Unconditionally secure systems can not be
broken
even if all possible keys could be tried within
short
time.
Modern symmetric key
cryptography
Modern symmetric key
cryptography
Product Cipher
SP-Network
 Stream Ciphers and Block
Ciphers
 Stream cipher is one that encrypts a digital
stream one bit or one byte at a
data
time.
E.g. Vigenère cipher and theVernam
 cipher.
Block cipher is one in which a block of
plaintext
is treated as a whole and used to produce a
ciphertext
▪ Typically, block
a blockofsize
equal length.
of 64 or 128 bits is
used.
▪ E.g. Feistel cipher and
DES
 Block Cipher
 A block cipher operates on a block of n bits
and it
produces a ciphertext block of n
 bits.
There are possible different
2n blocks. plaintext/ciphertext
 The encryption must be reversible. i.e.
decryption to
be possible each plaintext must produce a
unique
 Such a transformation is called reversible, or
ciphertext block. (one-to-one correspondence)
nonsingular.
 The following examples illustrate nonsingular
and
singular transformations for n=2.
Fundamental of Software security

1
 Overview
Computers today are used not only in the home and office,
but in a countless of crucial and sensitive applications.
we rely on computers in our day today lives !

“The most secure computers are those not connected to the Internet and
shielded from any interference”

Security

ü The quality or state of being secure--to be free from

danger”
ü To be protected from adversaries
 • What is Security?
§Security is about
• Threats (bad things that may happen, e.g. your money getting
stolen)

– It might be a person (cracker or a spy),

– a thing (a faulty piece of equipment),
– an event (a fire or a flood) that might exploit a vulnerability of the
system.

• Vulnerabilities (weaknesses in your defenses, e.g. your front door

being made of thin wood and glass)
• Attacks (ways in which the threats may be actualized,
• e.g. a thief breaking through your weak front door while you and
the neighbors are on holiday)
Countermeasures are techniques for protecting your computer systems and
6
networks from cyber threats
 Computer and Network
• Security…
Computer security is about provisions and policies
adopted to protect information and property from theft,
corruption, or natural disaster

– while allowing the information and property to remain

accessible and productive to its intended users.

• security of computers against intruders (e.g.,hackers) and

malicious software (e.g., viruses).

3
 Computer and Network
• Security…
Network security on the other hand deals with provisions
and policies adopted to prevent and monitor unauthorized
access, misuse, modification, or denial of the computer
network and network-accessible resources.

Not Sufficient!!

4
 Sources of risks/ who are attacker ?
o Vandals (Hackers, crackers) driven by intellectual
challenge.
o Insiders: employees or customers seeking revenge or gain
informal benefits
o Natural disasters: flooding, fire, storms, earthquake…
o Criminals seeking financial gain.
o Organized crime seeking gain or hiding criminal activities.
o Organized terrorist groups or nation states trying to
influence national policy.
o Foreign agents seeking information (spying) for economic,
political, or military purposes.
o Tactical countermeasures intended to disrupt military
capability.
o Large organized terrorist groups
o Cyber attacks
 Vulnerabilities
Types of Vulnerabilities
vulnerability is a point where a system is susceptible to attack.

• Physical vulnerabilities (Computer can be stolen)

break into your server room, device theft, steal backup
media and printouts,
– Locks, guards, Surveillance cams, Burglar alarms

• Natural vulnerabilities (fire, flood, earthquakes, lightning)

• Environmental threats: Dust, humidity, and uneven

temperature conditions

– air conditioning and heating systems, UPS, back ups 7

Hardware and Software vulnerabilities (Ex. Failures)
◦ protection features failure lead to open security holes
◦ open some "locked" systems by introducing extra hardware
◦ Software failures: antivirus ,firewall failures
• Media vulnerabilities (Ex. Hard disks can be stolen)
◦ can be stolen, damaged by dust or electromagnetic fields.
◦ keep backup tapes and removable disks clean and dry
– keep backup tapes and removable disks clean and dry

• Communication vulnerabilities (Ex. Wires can be tapped,

physically damaged)

• use fiber
• Human vulnerabilities (Ex. Insiders)
– the greatest vulnerability of all 8

– – Choose employees carefully

 Threats
• Threats fall into three main categories based on the source:
natural, unintentional, and intentional.

• Natural: fires, floods, power failures, and other disasters

• fire alarms, temperature gauges, and surge protectors

• backing up critical data off-site

• Unintentional threats: delete a file, change of security
passwords

Training , security procedures and policies .

9
 Threat
• s
Intentional threats: outsiders and insiders

• Outsiders may penetrate systems in a variety of ways:

– simple break-ins of buildings and computer rooms;

– disguised entry as maintenance personnel;

– anonymous, electronic entry through modems and network

connections;

– and bribery or coercion of inside personnel.

• Although most security mechanisms protect best against

outside intruders, surveys indicates that most attacks are10 by
insiders.
• Estimates are that as many as 80 percent of system
penetrations are by fully authorized users who abuse their
access privileges to perform unauthorized functions.

– "The enemy is already in, we hired them.”

• Insiders are sometimes referred as living Trojan horses

• There are different types of insiders.

– fired or disgruntled employee might be trying to steal

revenge ; employee might have been blackmailed or
11

bribed by foreign or corporate enemy agents.

 Threats…
– greedy employee might use their inside knowledge to divert
corporate or customer funds for personal benefit.

– insider might be an operator, a systems programmer, or even a

casual user who is willing to share a password.

• Don't forget, one of the most dangerous insiders may simply be lazy
or untrained.

– He doesn't bother changing passwords,

– doesn't learn how to encrypt email messages and other files,

– leaves sensitive printouts in piles on desks and floors, and ignores

the paper shredder when disposing of documents.
12
 Consequences of risks
• Failure/End of service

• Reduction of QoS, down to Denial of Service (DoS)

• Internal problems in the enterprise

• Trust decrease from partners (client, providers, share-

holders)
• Technology leakage
• Human consequences (personal data, sensitive data -
medical, insurances, …)

13
 Countermeasures
• Authentication Password, cards, biometrics
• Encryption
• Auditing/inspect the quality of the system
• Administrative procedures
• Standards

• Physical security(such as security locks, fencing, security personnel,

)
surveillance equipment and cameras, and other physical security necessities

• Laws
• Backups
Control
Removing or reducing a vulnerability
You control a vulnerability to prevent an attack and block a threat.
14
9
 Security and privacy
criteria
�Properties of Security?

• Security is expressed in terms of:

� Confidentiality (Privacy)

� Integrity

� No repudiation
� Availability (Denial of Service)

• Authentication is a foundations of security

� In its absence, security properties can be violated 14

 Security criteria (in detail)
• A computing system is said to be secure if it has all
three properties:
Confidentiality
• It requires that the message can only be accessible for
reading by authorized parties.
• It also requires that the system should verify the identity
of a user.
Integrity
• It requires that messages should be modified or altered
only by authorized parties.
– Modification includes writing, changing, deleting, and
creating the message that is supposed to 15be
transmitted across the network.
• Integrity guarantees that no modification, addition,
or deletion is done to the message;
• The altering of message can be malicious or accidental.
Availability

• It requires that computer and network assets are only

available to authorized parties or data are accessible when
you need them.
• computer and network should provide all the designated
services in the presence of all kinds of security attack.
NONREPUDIATION
• Provides protection against denial by one of the entities
involved in a communication of having participated in all or
part of the communication.
 Security criteria...
Supplements to CIA:
Authentication
• It means that correct identity is known to communicating parties.
• This property ensures that the parties are genuine not impersonator.
• How do I know it's really you?
Authorization
• This property gives access rights to different types of users.
– For example a network management can be performed by
network
administrator only.
Accountability
Now that you are here, what are you allowed to do?
• Who did what, who pays the bill?
Usually, authorization occurs within the context of authentication. Once you have
authenticated a user, they may be authorized for different types of access or activity.
The final plank in the AAA framework is accounting, which measures the resources 17
a user consumes during access.
 Goals of security
�Prevention : means that an attack will fail.
◦ Eg. passwords ( prevent unauthorized users from
accessing the system).
�Detection : is most useful when an attack cannot
be prevented, but it can also indicate the
effectiveness of preventative measures.
◦ Detection mechanisms accept that an attack will
occur;
◦ determine that an attack is underway, or has
occurred, and report it.
◦ The attack may be monitored, however, to provide
data about its nature, severity, and results.
154
Goals…

� Recovery : requires resumption of

correct operation.
◦ has two forms.
� The first is to stop an attack and to
assess and repair any damage caused
by that attack.
◦ E.g if the attacker deletes a file, recovery
restore the file from backup tapes.
◦ the attacker may return, so recovery
involves identification and fixing of the
vulnerabilities used by the attacker to
enter the system 155
 Goals
� In a second form of recovery, the system
continues to function correctly while an
attack is underway.
◦ fault tolerance.
� It differs from the first form of recovery,
because at no point does the system
function incorrectly. However, the system
may disable nonessential functionality.

156
 Security Attacks

• Categories of Attacks

– Interruption: An attack on availability

– Interception: An attack on confidentiality

– Modification: An attack on integrity

– Fabrication: An attack on authenticity

18
 Attacks…
• Categories of Attacks/Threats

Source

Destination
Normal flow of information
Attack

Interruption Interception

Modification Fabrication 19
 Security attack
• The attacks types
can also be classified by the following criteria.
– Passive or active,
– Internal or external,
– At different protocol layers.
Passive vs. active attacks
• A passive attack attempt to learn or make use of the
information without changing the content of the message
and disrupting the operation of the communication.
• Examples of passive attacks are:
-- Eavesdropping : is commonly applied to discover the
contents of confidential communication. In particular,
eavesdropping is often used to intercept personal
communication (e.g., email or instant messages) or
authentication credentials. 20
 Security attack
types
Examples of passive attacks are:

-- Traffic analysis: Similar to eavesdropping attacks, traffic

analysis attacks are based on what the attacker hears
in the network. The attacker simply listens to the network
communication to perform traffic analysis to determine
the location of key nodes, the routing structure, and even
application behavior patterns.

21
 Security attack
types…
• Active attack attempts to interrupt, modify, delete, or
fabricate messages or information thereby disrupting
normal operation of the network.
• Some examples of active attacks include:

– Jamming, impersonating, modification, denial of

service (DoS), and message replay.

22
 Passive
• Passive attacks Attacks
do not affect system resources

– Eavesdropping, monitoring

– The goal of the opponent is to obtain information that is

being transmitted

• Passive attacks are very difficult to detect

– Message transmission apparently normal

• No alteration of the data

– Emphasis on prevention rather than detection

• By means of encryption 23
Passive Attacks (1)
Eavesdropping

24
Passive Attacks (2)
Traffic Analysis

25
 Active
•
Attacks
Active attacks try to alter system resources or affect their operation

– Modification of data, or creation of false data

• Four categories

– Masquerade of one entity as some other

– Replay previous message

– Modification of messages

– Denial of service (DoS): preventing normal use

• A specific target or entire network

• Difficult to prevent
26
– The goal is to detect and recover
Active Attacks (1)
Masquerade

27
Active Attacks (2)
Replay

28
 Active Attacks (3)
Modification of Messages

29
Active Attacks (4)
Denial of Service

30
 Security attack
types…
Internal vs. External attacks

• External attacks are carried out by hosts that don’t belong to

the network domain, sometimes they are called outsider.

– E.g.it can causes congestion by sending false routing

information thereby causes unavailability of services.

• In case of internal attack, the malicious node from the

network gains unauthorized access and acts as a genuine
node and disrupts the normal operation of nodes.

• They are also known as insider.

31
 Network Protocol & Security
Network protocols are a set of rules and conventions
that govern how data is transmitted and received over a
network.

These protocols define:

• format of data packets,
• error handling,
• addressing, and other aspects of network communication.

171
 TCP/IP Protocol Suite
It is the foundation of modern networking. It consists of several
layers, each with its own set of protocols.

1. Application Layer: This layer includes protocols like HTTP,

FTP, SMTP, and DNS. It deals with application-level data
and user interactions.
2. Transport Layer: is responsible for end-to-end
communication. It includes TCP for reliable, connection-
oriented communication and UDP for connectionless
communication.
3. Internet Layer: is primarily governed by the IP. It is
responsible for routing and addressing data packets to their
destination across networks.
4. Link Layer: includes protocols for the physical and data link
layers of network communication. Ethernet and Wi-Fi are
examples of link layer technologies.
172
 Cont.…
• TCP/IP communication involves data encapsulation, where
data is wrapped in various headers and trailers as it moves
down the protocol stack and is unwrapped as it moves up.
Each layer adds its own header, addressing information,
and control data.
• Physical Layer Attack: Wiretapping or eavesdropping on
physical communication channels.
Countermeasure: Use secure physical cabling and encryption technologies,
like VPNs or TLS/SSL for higher-layer data protection.
• Data Link Layer Attack: MAC address spoofing, ARP
poisoning, or VLAN hopping.
Countermeasure: Implement port security, use MAC address filtering,
employ ARP inspection, and configure VLAN ACLs (Access Control Lists).

173
 Cont.…
Network Layer (IP Layer) Attack: IP spoofing, DDoS attacks, or
routing attacks.
Countermeasure: Implement packet filtering, use Access Control Lists (ACLs), and
deploy intrusion detection and prevention systems (IDPS) to mitigate DDoS
attacks.

Transport Layer Attack: Man-in-the-Middle (MitM) attacks, session

hijacking, and SYN flooding.
Countermeasure: Use Transport Layer Security (TLS) for encryption, employ
firewalls and intrusion detection systems, and implement SYN/ACK cookies to
prevent SYN flooding.

Application Layer Attack: SQL injection, Cross-Site Scripting (XSS),

and Cross-Site Request Forgery (CSRF). 174

Countermeasure: Input validation, output encoding, and parameterized queries to

mitigate SQL injection; implement security headers and input validation to
 Security attack
• types…
Attacks on different layers of the TCP/IP model:
• The security attacks can also be classified as according to the
TCP/IP layers. Table shows the attack types at each layer.
Layer Attacks
Application layer E-mail bombing, Repudiation, data
corruption, malicious code attack
(Trojan, maleware,virus,...)
Transport layer Session hijacking, Altering checksum,
SYN flooding.
Network layer IP spoofing, ICMP echo, Worm hole,
black hole, gray hole, Byzantine,
flooding
Data link layer Traffic analysis, disruption (E.g MAC
IEEE 802.11 Wi-Fi)
Physical layer Jamming, interception, eavesdropping 32

Cross-layer attack DoS, impersonation, replay, MiM attack

 Common security attacks and
their
• countermeasures
Finding a way into the network
– Firewalls
• Exploiting software bugs, buffer overflows
– Intrusion Detection Systems
• Denial of Service
– access filtering, IDS
• TCP hijacking
– IPSec
• Packet sniffing
– Encryption (SSL, HTTPS)
• Social problems
34
– Education
 Authentication Mechanisms
Authentication is the process or action of verifying the identity of
a user or process is termed as authentication in terms of
computer security.
Why we need authentication?
1. Computer networks are prone to attacks
2. If no authentication process, then the attacker might have
access to view some important information.
3. Also verifying a user’s identity is often required to allow
access to confidential data.

Authenticator is an entity which is used to confirm the identity

of a user.
 SECURITY MECHANISM

The following are lists of the security mechanisms defined

in X.800.

The mechanisms are divided into:

• Those that are implemented in a specific protocol
layer, such as TCP or an application layer protocol,
and
• Those that are not specific to any particular protocol
layer or security.
 SPECIFIC SECURITY MECHANISMS

SPECIFIC SECURITY MECHANISMS May be incorporated into the appropriate

protocol layer in order to provide some of the OSI security services.

• Encipherment - The use of mathematical algorithms to transform data into a

form that is not readily intelligible. The transformation and subsequent

recovery of the data depend on an algorithm and zero or more encryption

keys.

• Digital Signature - Data appended to, or a cryptographic transformation of, a

data unit that allows a recipient of the data unit to prove the source and

integrity of the data unit and protect against forgery (e.g., by the recipient).
• Data Integrity - A variety of mechanisms used to assure the integrity of a

data unit or stream of data units.

• Authentication Exchange - A mechanism intended to ensure the

identity of an entity by means of information exchange.

• Traffic Padding - The insertion of bits into gaps in a data stream to

frustrate traffic analysis attempts.

• Routing Control - Enables selection of particular physically secure

routes for certain data and allows routing changes, especially when a

breach of security is suspected.

• Notarization - The use of a trusted third party to assure certain

properties of a data exchange.

PERVASIVE SECURITY MECHANISMS
Mechanisms that are not specific to any particular OSI security service or
protocol layer.
• Trusted Functionality :That which is perceived to be correct with respect
to some criteria (e.g., as established by a security policy).
• Security Label : The marking bound to a resource (which may be a data
unit) that names or designates the security attributes of that resource.
• Event Detection : Detection of security-relevant events.
• Security Audit Trail : Data collected and potentially used to facilitate a
security audit, which is an independent review and examination of system
records and activities.
• Security Recovery : Deals with requests from mechanisms, such as
event handling and management functions, and takes recovery actions.
 SECURITY SERVICES
• A processing or communication service that is provided by a system to give a specific
kind of protection to system resources; security services implement security policies and
are implemented by security mechanisms.
Authentication
• The authentication service is concerned with assuring that a communication is authentic.
• In the case of a single message, such as a warning or alarm signal, the function of the
authentication service is to assure the recipient that the message is from the source that it
claims to be from.
• In the case of an ongoing interaction, such as the connection of a terminal to a host, two
aspects are involved.
• First, at the time of connection initiation, the service assures that the two entities are
authentic (that is, that each is the entity that it claims to be).
• Second, the service must assure that the connection is not interfered with in such a way
that a third party can masquerade as one of the two legitimate parties for the purposes of
unauthorized transmission or reception..
Two specific authentication services are defined in X.800:

• Peer entity authentication: Provides for the corroboration of the identity of a

peer entity in an association. Two entities are considered peers if they

implement the same protocol in different systems (e.g., two TCP modules in two

communicating systems). Peer entity authentication is provided for use at the

establishment of or during the data transfer phase of a connection. It attempts to

provide confidence that an entity is not performing either a masquerade or an

unauthorized replay of a previous connection.

• Data origin authentication: Provides for the corroboration of the source of a

data unit. It does not provide protection against the duplication or modification of

data units. This type of service supports applications like electronic mail, where

there are no prior interactions between the communicating entities

 CHAPTER SEVEN
SECURITY AND PENETRATION TESTING

Security Testing
What is security testing?
▪ Security testing is an integral part of software testing, which is
used to
discover the weaknesses, risks, or threats in the software
application.
▪ And also help us to stop the nasty attack from the outsiders and make
sure the
security of our software
applications.
▪ The primary objective of security testing is to find all the potential
ambiguities
and vulnerabilities of the application so that the software does not stop
working.
CONT.….
 If we perform security testing, then it helps us to identify
all the
possible security threats and also help the programmer to
fix
 It is a testing procedure, which is used to define that the
those errors.
data
be will
safe and also continue the working process of the
software.
❑ Principle of Security testing
Availability
In this, the data must be retained by an official person, and
they also
guarantee that the data and statement services will be ready
to use
whenever we need it.
CONT..

Integrity
▪ In this, we will secure those data which have been changed by the unofficial
person.
▪ The primary objective of integrity is to permit the receiver to control the data
that is given by the system.
▪ The integrity systems regularly use some of the similar fundamental
approaches as confidentiality structures.
▪ Still, they generally include the data for the communication to create the
source of an algorithmic check rather than encrypting all of the
communication.
▪ And also verify that correct data is conveyed from one application to another.
CONT..
Authorization
▪ It is the process of defining that a client is permitted to perform an action and
also receive the services.
▪ The example of authorization is Access control
CONT.…

Confidentiality
▪ It is a security process that protracts the leak of the data from the outsider's
because it is the only way where we can make sure the security of our data.

Authentication
▪ The authentication process comprises confirming the individuality of a person,
tracing the source of a product that is necessary to allow access to the private
information or the system.
 CONT.…
Non- repudiation

▪ It is used as a reference to the digital security, and it a way of assurance

that the
sender of a message cannot disagree with having sent the message and
that the
▪ recipient cannot repudiate
The non-repudiation is usedhaving received
to ensure that the message.message has
a conveyed
been sent
and received by the person who claims to have sent and received the
message.
KEY AREAS IN SECURITY TESTING

▪ While performing the security testing on the web application, we need to

concentrate on the following areas to test the application:
CONT.…

System software security

▪ In this, we will evaluate the vulnerabilities of the application based on different
software such as operating system, etc.
Network security
▪ In this, we will check the weakness of the network structure, such as policies
and resources.
Ser ver-side application security
▪ We will do the server-side application security to ensure that the server
encryption and its tools are sufficient to protect the software from any
disturbance.
 CONT.…

Client-side application security

▪ In this, we will make sure that any intruders cannot operate on any browser
or any tool which is used by customers.
Types of Security testing
▪ As per Open Source Security Testing techniques, we have different types of security
testing which as follows:
Security Scanning
Risk Assessment
Vulnerability Scanning
Penetration testing
Security Auditing
Ethical hacking
Posture Assessment
 CONT.…

Security Scanning
▪ Security scanning can be done for both automation testing and manual
testing.
▪ This scanning will be used to find the vulnerability or unwanted file
modification in a web-based application, websites, network, or the file
system.
▪ After that, it will deliver the results which help us to decrease those
threats.
▪ Security scanning is needed for those systems, which depends on the
structure they use.
CONT..
Risk Assessment
▪ To moderate the risk of an application, we will go for risk assessment.
▪ In this, we will explore the security risk, which can be detected in the association.
▪ The risk can be further divided into three parts, and those are high, medium, and
low.
▪ The primary purpose of the risk assessment process is to assess the vulnerabilities and
control the significant threat.
Vulnerability Scanning
▪ It is an application that is used to determine and generates a list of all the systems
which contain the desktops, servers, laptops, virtual machines, printers, switches, and
firewalls related to a network.
▪ The vulnerability scanning can be performed over the automated application and also
identifies those software and systems which have acknowledged the security
vulnerabilities.
 CONT..

Penetration testing
▪ Penetration testing is a security implementation where a cyber-security
professional tries to identify and exploit the weakness in the computer system.
▪ The primary objective of this testing is to simulate outbreaks and also finds the
loophole in the system and similarly save from the intruders who can take the
benefits.
Security Auditing
▪ Security auditing is a structured method for evaluating the security measures of
the organization.
▪ In this, we will do the inside review of the application and the control system for
the security faults.
CONT.…

Ethical hacking
▪ Ethical hacking is used to discover the weakness in the system and also helps
the organization to fix those security loopholes before the nasty hacker
exposes them.
▪ The ethical hacking will help us to increase the security position of the
association because sometimes the ethical hackers use the same tricks, tools,
and techniques that nasty hackers will use, but with the approval of the official
person.
▪ The objective of ethical hacking is to enhance security and to protect the
systems from malicious users' attacks.
CONT.….

Posture Assessment
▪ It is a combination of ethical hacking, risk assessments, and security scanning,
which helps us to display the complete security posture of an organization.
How we perform security testing
▪ The security testing is needed to be done in the initial stages of the software
development life cycle because if we perform security testing after the
software execution stage and the deployment stage of the SDLC, it will cost
us more.
▪ Now let us understand how we perform security testing parallel in each stage
of the software development life cycle(SDLC).
CONT.…
CONT.…

Example of security testing

▪ Generally, the type of security testing includes the problematic steps based on
overthinking, but sometimes the simple tests will help us to uncover the most
significant security threats.
▪ Let us see a sample example to understand how we do security testing on a
web application:
Firstly, log in to the web application.
And then log out of the web application.
Then click the BACK button of the browser to verify that it was asking us
to log in again, or we are already logged-in the application.
CONT.…

Why security testing is essential for web applications

At present, web applications are growing day by day, and most of the web
application is at risk.
Here we are going to discuss some common weaknesses of the web
application.
Client-side attacks
Authentication
Authorization
Command execution
Logical attacks
Information disclosure
CONT.…

 Client-side attacks
 The client-side attack means that some illegitimate implementation of the external
code occurs in the web application.
 And the data spoofing actions have occupied the place where the user believes
that the particular data acting on the web application is valid, and it does not come
from an external source.
CONT.…

Security testing tools

We have various security testing tools available in the market, which are as follows:
SonarQube
ZAP
Reading Assignment
Netsparker
Arachni
IronWASP
PENETRATION TESTING

 What is Penetration Testing

Penetration testing, also called as pen testing, ensures that information security experts
use security bugs in a computer program to find and take advantage of them.
 These specialists, often classified as white-hat hackers or ethical hackers, make things
simpler by detecting attacks by cyber attackers known as black-hat hackers in the
modern environment.
 In reality, performing penetration testing is equivalent to hiring experienced analysts to
conduct a safe facility security breach to figure out how it could be achieved by actual
criminals.
 Businesses and companies are using the results to make the frameworks more stable.
CONT.…

Classification of Penetration Tests

Penetration testing contains the following essential types that are listed below.
Blind Tests
White box Tests
External tests
Double-blind tests
Internal Tests

Blind Tests
▪ The Companies offers penetration testers with little security details about
the device being exploited in a blind test, referred to as a black-box test.
▪ The aim is to find vulnerabilities that wouldn't ever be discovered
CONT.…

White box Tests

A white box test is one where companies offer a range of security details related
to their structures to penetration testers to help them improve vulnerabilities
External Tests
An external test is one where, globally, penetration testers aim to identify
vulnerabilities.They are carried out on macro environment-facing software such
as domains because of the existence of these kinds of testing.
Internal Tests
An internal examination is one where the examination of penetration exists
within the boundaries of an entity.Typically, these checks concentrate on the
security weaknesses of which full advantage could be taken by anyone operating
from inside an organization.
 BEST PENETRATION TESTING TOOLS AND SOFTWARE

Wireshark
▪ Typically named as Ethereal 0.2.0, with 600 contributors,Wireshark is an award-
winning network mapper.
▪ You can catch and analyze data packets easily with this program.
▪ The tool is open-source and is compatible with Windows, Solaris, FreeBSD, and Linux,
among other frameworks.

Key Points
It offers both offline review and options for live-capture.
Its locating intermediate nodes help you to discover new characteristics, including the
protocol of the source and destination.
It includes the opportunity to inspect the smallest information in a network for
operations.
It contains optional coloring rules for fast, intuitive analysis and are added to the pack.
CONT..

Netsparkar
▪ A common automated application server for penetration testing is the
Netsparker vulnerability scanner.
▪ From cross-site request to SQL injection, the program can recognize anything
from it.
▪ This tool can be used by designers on blogs, web infrastructure, and web
services.
▪ The platform is efficient enough to simultaneously search anything from 500
to 1000 software applications.
▪ With attack tools, verification, and URL rewriting guidelines, you will be have
the ability to modify the security scan.
▪ In a read-only manner, Netsparker takes advantage of vulnerabilities spots
dynamically.
▪ Exploitation proof is made.The effect of vulnerabilities can be viewed instantly.
 CONT.…

Key Points
It can search the web-based applications for 1000 + in less than a day!
For teamwork and easy discoverability of results, you can add several
teammates.
The Advanced scanning reduces the need for a small set up.
It can search for SQL and XSS bugs in software applications that are hackable.
You can create the Legal application of the web and reports of regulatory
requirements.
It has Proof-based screening technology to ensure precise identification.
 CONT.…

 John The Ripper Password Cracker

One of the most common flaws is passwords. To capture information
and access sensitive systems, hackers can use credentials.
 For this reason, John the Ripper is the indispensable tool for password
guessing and offers a variety of systems.
 The pen vulnerability scanner is a free software to use.
It automatically detects various variations of passwords.
It also discovers inside databases password vulnerabilities.
For Linux, Mac OS X, Hash Suite, and Hash Suite Droid, the
premium edition is available.
A personalized cracker is included.
It helps people to discover online documentation.This provides a
description of improvements between variants that are distinct.
CONT.…

SQLmap
▪ SQLmap is a Database SQL Injection Control Tool. It also enable MySQL
, SQLite, Sybase, DB2,Access, MSSQL, PostgreSQL database platforms.
 SQLmap is open-source and streamlines the mechanism of manipulating the
application server and bugs for the Attack vector.
 Key Points
This tool allows you to Detect exploits and monitor them.
It offers assistance for all aspects of injection: Union,Time, Stack, Error,
Boolean.
It executes a command-line interface and can be configured for Linux, Mac
OS, and Windows operating systems.
CONT.…

Cain and Abel

▪ Cain & Abel is suitable for penetration for the acquisition of network controls
and credentials.
▪ To detect the vulnerability, the tool makes the utilization of network sniffing.
Key Points
Utilizing the network sniffers, cryptographic algorithms threats, and brute
force, the Windows-based framework can restore passwords.
It is Superb for missing password restoration.
CONT.….

Wapiti
Wapiti is a security tool for programs that enables black-box testing. Checking
the black box tests web-based applications for possible exposures.
Websites are checked at the time of the black box testing procedure, and the
tested data is implanted to search for any failures in protection.
Key Points
With the help of command-line application interface, professionals may find
ease-ofusability.
Wapiti detects file exposure glitches, XSS Intrusion, Database transfusion, XXE
injection, Command Execution mitigation, and vulnerable .htaccess settings that
are easily evaded.
 Chapter Six
 Cross-Domain Security in Web
Applications
 Abuse Case Development

 Client State Manipulation
SQL Injection
Cross-Domain Security in Web
Applications
 In computing, the same-origin policy is an important
concept
in the web application security
model.
 Under the policy, a web browser permits scripts contained in
a first
web page to access data in a second web page, but only if
both web
 An origin
pages is defined
have the as a. combination of U R I
same origin
scheme,
hostname, and port
number.
 This policy prevents a malicious script on one page
from
obtaining access to sensitive data on another web page
through
that page's Document Object Model.
 This mechanism bears a particular significance for modern web
applications that
extensively depend on H T T P cookies to maintain authenticated user
sessions, as
servers act based on the H T T P cookie information to reveal sensitive
information
 A strict separation between content provided by unrelated sites
must be state-changing actions.
or take
maintained on the client-side to prevent the loss of data
confidentiality or
• The algorithm used to calculate the "origin" of a U R I is specified in R F C
integrity.
6454,
Section 4. For absolute U R I s , the origin is the triple {protocol, host,
port}.
 If the U R I does not use a hierarchical element as a naming authority
(see R F C
3986, Section 3.2) or if the U R I is not an absolute U R I , then a globally
unique
 Two resources
identifier are considered to be of the same origin if and only if all
is used.
these
values are exactly the
same.
U R L "http://www.example.com/dir/page.html".
Compared U R L Outcome Reason
http://www.example.com/dir/page2.html Success Same protocol, host and
port
http://www.example.com/dir2/other.htm Success Same protocol, host and
l port

http://username:password@www.example.com/dir2/other.ht Success
ml Same protocol, host and
port protocol and host
Same
http://www.example.com:81/dir/other.ht Failure
but
ml different port
https://www.example.com/dir/other.ht Failure Different
ml protocol
http://en.example.com/dir/other.ht Failure
ml Different host
Different host (exact
http://example.com/dir/other.ht Failure
match
ml required)
Different host (exact
http://v2.www.example.com/dir/other.ht Failure
match
ml required)
Port explicit. Depends on
Depends
implementation in
http://www.example.com:80/dir/other.ht browser.
ml
Alice is using our (“good”) web-application:
www.bank.com (assume user is logged in
w/
cookie)
At the same time (i.e. same browser session),
she’s
also visiting a “malicious” web- application:
www.evil.org
Malicious site can’t read info (due to same-origin
policy),
but can make write requests to our app!C a n still
cause
� in Alice’s case, attacker gained control of
damage
her
account with full read/write
access!
Who should worry about XSRF?
� apps withuser info, profiles (e.g.,
Facebook)
� apps that do financial transactions for
users
� any app that stores user data
� etc
1300
XSS
1200
1100
Buffer Overflow
1000 SQL Injection
900 PHP Include
800
DoS
700
600
500
400
300
200
100
0
2001 2006
1) Cross-Site Request F o r ge r y

 Cross-Site Request Forgery (CSRF) is an attack that tricks the victim into
loading a page
that contains a malicious
request.
 Itis malicious in the sense that it inherits the identity and privileges of the
victim to
perform an undesired function on the victim's behalf, like change the
victim's e-
mail address, home address, or password, or purchase something.
 CSRF attacks generally target functions that cause a state change on the
server
but can also be used to access sensitive data.
For most sites, browsers will automatically include with such
requests any
credentials associated with the site, such as the user's session
cookie, basic
Therefore, if the
authorization
 useris currently
credentials, authenticated
IPaddress, to the site,
Windows domain the site
will have
credentials,
no way to etc.
distinguish this from a legitimate user
request.
 In this way, the attacker can make the victim perform actions
that they
didn't intend to, such as logout, purchase item, change
account
information, retrieve account information, or any other function
provided
by the vulnerable website.
 A cross-site scripting attack exploits the trust a user
places
in a website, making it a common vector for phishing
and
related attacks. Cross-site scripting occurs in two
 Reflected cross-site scripting (first order), which
basic
occurs
forms:
when an attacker can embed script in data
rendered
immediately to the victim as part of a G E T or
 Stored cross-site scripting (second order), in which
POST
the
request.
attacker supplied script is retained in long-term
storage
before being rendered to the victim.
 Reflected cross-site scripting tends to be easier to
detect and
exploit, though it requires more direct victim
interaction,
 Stored cross-site
making the attackscripting is often more difficult to
less reliable.
detect
and exploit, though the attack is more reliable
because it
 Most cross-site
typically scripting
occurs without any attacks attempt to
victim interaction.
hijack the
victim's session key and smuggle it out by embedding
it in
an image U R L , or similar link.
 Cross-site scripting attacks are the most commonly
reported
Web security vulnerability
today.
 There are various approaches to mitigate
cross-site
scripting attacks, including server or client
sanitization or
 When handling
filtering, untrusted
"safe subset" data
scripting from other
languages, and so
domains,
forth. it is
important that proper diligence is exercised to
ensure that
the data provided is not used to execute a script
injection
 D N S Rebinding is an attack on the insecure binding between
DNS
hostnames and network
addresses.
 During a D N S rebinding attack, an attacker will manipulate
DNS
records for a site he controls (e.g., *.evil.com) such that at some
times
the hostname points at a server under his control, and at
others, the
 In this way, the attacker is able to bypass the same-origin-
policy
hostname points at a victim server or device.
restriction because both the victim and the attacker have
the same
 This attack(attechnique
hostname different can enable
points firewall circumvention,
in time).
because a
victim server behind an organizational firewall is reachable
by a
 Strengthening the client's binding between a D N S
hostname
and the network address (e.g., pinning) has been
proposed as a
mitigation, but such a change may lead to
Servers can help mitigate the threat of D N S
 application
rebinding by
compatibility problems (e.g., with C D N s , load-balancing,
etc).
using H T T P S and verifying the H O S T header on
inbound
 Any security mechanism that relies upon multiple
requests.
requests
(e.g., request permission, then request resource)
must be
hardened against D N S rebinding to help mitigate a
Time of check/Time of Use (TOC/TOU) attacks occur
in
requests where principals or permissions have
changed
between the time of permission checking and the
time of
 In the event of a D N S rebinding attack, the
actual
actual use of the permissions.
principal identity of the server may change,
enabling
permissions granted by one server (the attacker)
to be
In another form of TOC/TOU attack, consider the
following
case.
The client obtains permissions against a server, but the
server
subsequently is reconfigured to change permissions. The
cached
permissions may be illegally reused against the server
unless the
 Any cross-domain approach that uses multiple
client rechecks permissions.
request
permission check and usage must weigh the
performance and
security implications of cached permissions.
 Wildcarding attacks occur when
access
controls are set in error and allow
for
 For example, if access control rules are
unintended
set to access.
* .com , any .com site can access the
 resource.
While such an attack is clearly enabled
by a
configuration error by the service provider,
there
are numerous examples of this in the wild
today.
 Such mistakes can occur when developers
switch
responsibilities, as sites are merged, due to
simple
typographical errors, and numerous other reasons.
 As access-control rules become more complex,
the
likelihood of configuration errors increases. For
example,
major sites have suffered exploits in the past where
access
control rules were incorrectly set.
 Abuse Cases
Development

� Use cases
 Expected behaviour
 Normal input
 Functional requirements

� Abuse cases
 Unexpected behavior
 By Malicious agents
 Derived from risk assessment
 Developers should think evil
which leads to…
 Defensive programming
 Security is not a feature that can be added to a
system.
There is no “security” pull-down menu where security
can
 Unfortunately,
be selected and many
magic software producers mistakenly
things happen.
rely
solely on plunking functional security features
and
mechanisms such as cryptography somewhere in
their
software and they assume that the security needs
are in
o The best, most cost-effective approach to software
security
incorporates thinking beyond normative features
and
incorporates that thinking throughout the development
process.
o Every time a new requirement, feature, or use case is
created,
someone should spend some time thinking about
o how
Professionals
that who know how features are attacked and
how to
feature might be unintentionally misused or
protect software should play an active role in this
intentionally
kind of
abused.
 One of the goals of misuse cases is to decide
and
document a priority how software should
react to
 The simplest, most practical method for creating
illegitimate use.
misuse
cases is usually through a process of
informed
 To guide brainstorming, software security experts
brainstorming.
ask
many questions of a system’s designers to help
identify
the places where the system is likely to
 The process of specifying abuse cases makes a designer very
clearly
differentiate appropriate use from inappropriate use, but to get
there, the
� How can
designer theask
must system distinguish
the right between good and bad
questions:
input?
�C a n it tell whether a request is coming from a
legitimate or a rogue application replaying
traffic?
 All systems have more vulnerable places than the obvious front
doors, of
course, so
� where can a bad guy be
positioned?
� O n the wire? At a workstation? In the back
office?
� Any communication line between two endpoints or two
components?
Creating anti-
requirements
� Important to think about
 Things that you don’t want your software to do
Requirements: security analysis + requirement
analysis
� Anti-requirements
Provide insight into how a malicious user,
attacker,
thrill seeker, competitor can abuse your system
 Considered throughout the lifecycle
 indicate what happens when a required
security
function is not
included
Creating an attack
model
� Based on known attacks and attack
types

� Do the following
 Select attack patterns relevant to your system –
build
abuse case around the attack
patterns
 Include anyone who can gain access to the
system
because threats must encompass all potential
sources
� Also need to model
attacker
 Client State
▪
Manipulation
Web applications are often vulnerable to malicious
users.
▪ To protect them, programmers must be aware of
vulnerabilities and
countermeasure
s.
▪ To be secure, web applications should not trust clients and should
validate all
input received from
clients.
▪ HTTP is stateless, so web servers are not required to keep track of any
state or
information about their
clients.
▪ An example of a vulnerability is when a web server uses hidden
values in
HTML forms to store sensitive information, which can be easily
manipulated
by malicious clients.
 Client-state manipulation
vulnerabilities
▪ The client state is used to store information in HTML
documents toback
transmitted be to the server at a subsequent
interaction.
▪ It can have several benefits, such as decreasing the load on the
server andthe need for a session state expiration
avoiding
mechanism.
▪ Cookies also provide a related
mechanism.

Dataflow of client state from a JSP page to a servlet via an HTML

document
 SQL Injection
▪ SQL injection is a web security vulnerability that allows attackers
todata
viewthat they are not normally able to
▪ retrieve.
It can also cause persistent changes to the application's
behavior.or
content
▪ It is a code penetration technique that can be used to
application'sthe
manipulate web server by malicious
users
▪ demoUserI =
getrequestString("UserId");
▪ demoSQL = "SELECT * FROM users WHERE
UserI+demoUserId;
SQL injection
▪examples
There are a wide variety of SQL injection vulnerabilities, attacks, and techniques, which
arise in situations. Some common SQL injection examples
different
include:
▪ Retrieving hidden data, where you can modify an SQL query to return additional results.

▪ Subverting application logic, where you can change a query to interfere with the
application's logic.

▪ UNION attacks, where you can retrieve data from different database tables.
• Retrieving hidden
data
Consider a shopping application that displays products in different categories. When the
user clicks
on the Gifts category, their browser requests the URL: This causes the application to make
an SQL
query to retrieve details of the relevant products from the database:
SELECT * FROM products WHERE category = 'Gifts' AND released = 1
This SQL query asks the database to return: all details (*) from the products table where
the
• The restriction released = 1 is being used to hide products that are not
category is Gifts and released is 1.
released.
▪ For unreleased products, presumably released = 0. The application doesn't
implement
any defenses against SQL injection attacks, so an attacker can construct an
attack like:
▪ This results in the SQL query: SELECT * FROM products WHERE category =
'Gifts'-
-' AND released =
1
▪ The key thing here is that the double-dash sequence -- is a
comment
indicator in SQL, and means that the rest of the query is
interpreted as a
This effectively removes the remainder of the query, so it no
▪ comment.
longer
includes AND released =
1.
▪ This means that all products are displayed, including unreleased
products.
Subverting application logic
▪ Consider an application that lets users log in with a username and password. If a user
submits

the username wiener and the password bluecheese, the application checks the
credentials by

performing
SELECT the following
* FROM SQL query:
users WHERE username = 'wiener' AND password =
'bluecheese‘
▪ If the query returns the details of a user, then the login is successful. Otherwise, it is
rejected.

Here, an attacker can log in as any user without a password simply by using the SQL

comment sequence – to remove the password check from the WHERE clause of the
query.

For example, submitting the username administrator'-- and a blank password

results in the
SELECT * FROM users WHERE username = 'administrator'--' AND
following query:
password = ''
 Types of SQL injection
attacks
▪ Some of the SQL injection attacks include: Updating,
deleting, and
inserting the data: An attack can modify the cookies to poison
a web
It is executing
▪ application's commands
database query.on the server that can download
and install
malicious programs such as
Trojans.
▪ We are exporting valuable data such as credit card details,
email, and
passwords to the attacker's remote
server.
▪ Getting user login details: It is the simplest form of SQL
injection.
Web application typically accepts user input through a form,
and the
Retrieving data from other database
tables
In cases where the results of an SQL query are returned within the
application's
responses, an attacker can leverage an SQL injection vulnerability to
retrieve
This
dataisfrom
done usingtables
other the UNION
within keyword, which lets you execute an
the database.
additional
SELECT query and append the results to the original query.
▪ For example, if an application executes the following query containing
the user
input "Gifts":
SELECT name, description FROM products WHERE category = 'Gifts'
then an
attacker can
submit the input: ' UNION SELECT username, password FROM
users .
▪ This will cause the application to return all usernames and passwords
along
with the names and descriptions of
Examining the
database
• Following initial identification of an SQL injection vulnerability,
it is
generally useful to obtain some information about the
database itself.
• This information can often pave the way for further
exploitation. You
can query the version details for the
database.
• The way that this is done depends on the database type, so
you can
infer the database type from whichever technique
works.
• For example, on Oracle you can execute: SELECT *
FROM
v$version
 Blind SQL injection
▪ vulnerabilities
Many instances of SQL injection are blind
vulnerabilities.
▪ This means that the application does not return the results of
the SQL
query or the details of any database errors within its
responses.
▪ Blind vulnerabilities can still be exploited to access
unauthorized data,
but the techniques involved are generally more complicated and
difficult to perform
SQL injection in different parts of the
query
▪ Most SQL injection vulnerabilities arise within the WHERE clause of a SELECT
query.
▪ This type of SQL injection is generally well-understood by experienced
testers.
▪ But SQL injection vulnerabilities can in principle occur at any location within the
query,
and within different query
types.
▪ The most common other locations where SQL injection arises are:

▪ In UPDATE statements, within the updated values or the WHERE

clause.

▪ In INSERT statements, within the inserted values.

▪ In SELECT statements, within the table or column
name.

▪ In SELECT statements, within the ORDER BY clause.

 Second-order SQL
▪injection
First-order SQL injection arises where the application takes
user input
from an HTTP request and, in the course of processing that
request,
In second-order
▪ incorporates the SQL
inputinjection (alsoquery
into an SQL knowninas
anstored
unsafeSQL
way.
injection), the
application takes user input from an HTTP request and stores it
for
This is use.
▪ future usually done by placing the input into a database,
but no
vulnerability arises at the point where the data is
stored.
▪ Later, when handling a different HTTP request, the application
retrieves
the stored data and incorporates it into an SQL query in an
unsafe way.
What Can Attackers Do With a SQL Injection
Attack?
▪ SQLi attacks make use of vulnerabilities in code at the point
where it a
accesses
database.
▪ By hijacking this code, attackers are able to access, modify, and
even
delete secured data. When SQLi attacks are successful,
attackers can:
▪ Log in to an app or a website front end without a
password.
▪ Access, extract, and delete stored data from secured
databases.
▪ Create their own database records or modify existing records,
opening
the door for further
attacks.
 How to prevent SQL
injection
▪ We should use user authentication to validate input from
the user
by pre-defining length, input type, and the input
field.
▪ Restricting the access privileges of users and defining the
amount
of data any outsider can access from the
database.
▪ Generally, the user cannot be granted permission to
access
everything in the
database.
▪ We should not use system administrator
accounts.
▪ Most instances of SQL injection can be prevented by
using
parameterized queries (also known as prepared statements)
▪ instead of
The following code is vulnerable to SQL injection because the
string
input isconcatenation
user concatenatedwithin the
directly query.
into the
query:
• String query = "SELECT * FROM products WHERE category =
'"+ input + “’”;
• Statement statement =
•connection.createStatement();
ResultSet resultSet =
▪ This codestatement.executeQuery(query)
can be easily rewritten in a way that prevents the user
interfering
input from with the query
structure:
• PreparedStatement statement =
FROM products WHERE category
connection.prepareStatement("SELECT * = ?");
• statement.setString(1,
input);
• ResultSet resultSet =
statement.executeQuery();
▪ Parameterized queries can be used for any situation where
untrusted input
appears as data within the query, including the WHERE clause and values
in an