SlideShare a Scribd company logo

Software Security (Vulnerabilities) And Physical Security

Download as PPT, PDF
Nicholas Davis
Nicholas Davis

The document discusses various types of software vulnerabilities including: 1. Vulnerabilities can result from weak passwords, software bugs, viruses, or insecure user input. 2. Common causes of vulnerabilities are password management flaws, operating system design flaws, software bugs, and unchecked user input. 3. There is debate around how vulnerabilities should be disclosed, with options including full disclosure, responsible disclosure, and limited disclosure.

1 of 48
Downloaded 24 times
1
2
Most read
3
Most read
4
Most read
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
Information Systems 365/765 Lecture 11 Software Security (Vulnerabilities) and Physical Security
Vulnerability • Applied to a weakness in a system which allows an attacker to violate the integrity of that system. Vulnerabilities may result from weak passwords, software bugs, a computer virus or other malware, a script code injection, or a SQL injection.
Vulnerability vs. Exploit • A security risk is classified as a vulnerability if it is recognized as a possible means of attack. • A security risk with one or more known instances of working and fully-implemented attacks is classified as an exploit.
Causes • There are multiple causes of vulnerabilities • Password Management Flaws • Fundamental Operating System Design Flaws • Software Bugs • Unchecked User Input
Password Management Flaws • The computer user uses weak passwords that could be discovered by brute force. • The computer user stores the password on the computer where a program can access it. • Users re-use passwords between many programs and websites.
Software Security (Vulnerabilities) And Physical Security
Operating System Design Flaws • The operating system designer chooses to enforce sub optimal policies on user/program management. F • or example operating systems with policies such as default permit grant every program and every user full access to the entire computer. • This operating system flaw allows viruses and malware to execute commands on behalf of the administrator
Software Bugs • The programmer leaves an exploitable bug in a software program. • The software bug may allow an attacker to misuse an application through (for example) bypassing access control checks or executing commands on the system hosting the application.
Software Bugs • Also the programmer's failure to check the size of data buffers, which can then be overflowed, causing corruption of the stack or heap areas of memory (including causing the computer to execute code provided by the attacker).
Unchecked User Input • The program assumes that all user input is safe. Programs that do not check user input can allow unintended direct execution of commands or SQL statements (known as Buffer overflows, SQL injection or other non-validated inputs).
Vulnerability Disclosure • The method of disclosing vulnerabilities is a topic of debate in the computer security community. • Some advocate immediate full disclosure of information about vulnerabilities once they are discovered. • Others argue for limiting disclosure to the users placed at greatest risk, and only releasing full details after a delay, if ever. • What do you think?
Vulnerability Disclosure • Benefit to limited disclosure: • Such delays may allow those notified to fix the problem by developing and applying patches, • Drawback to limited disclosure • May increase the risk to those not privy to full details.
Full Disclosure • Disclose all the details of a security problem which are known. It is a philosophy of security management completely opposed to the idea of security through obscurity
Full Disclosure • The theory behind full disclosure is that releasing vulnerability information immediately results in quicker fixes and better security. • Fixes are produced faster because vendors and authors are forced to respond in order to save face. • Security is improved because the window of exposure, the amount of time the vulnerability is open to attack, is reduced.
Responsible Disclosure • Some believe that in the absence of any public exploits for the problem, full and public disclosure should be preceded by disclosure of the vulnerability to the vendors or authors of the system. This private advance disclosure allows the vendor time to produce a fix or workaround.
Limited Disclosure • With full details going to a restricted community of developers and vendors, and only the existence of the problem being released to the public, is another possible approach • Nick doesn’t like Limited Disclosure
A.C. Hobbs - Locksmith • A commercial, and in some respects a social doubt has been started within the last year or two, whether it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by showing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and know already much more than we can teach them respecting their several kinds of roguery.
Security Through Obscurity • Attempts to use secrecy (of design, implementation, etc.) to provide security. • A system relying on security through obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that the flaws are not known, and that attackers are unlikely to find them.
Software Security (Vulnerabilities) And Physical Security
Vulnerability Disclosure Date • When can it be said that a vulnerability has been disclosed? • 1. The information is freely available to the public • 2. The vulnerability information is published by a trusted and independent channel/source • 3. The vulnerability has undergone analysis by experts such that risk rating information is included upon disclosure
Examples of Vulnerabilities • Buffer overflows • Dangling pointers • Input validation errors, such as: • Format string bugs • Improperly handling shell metacharacters so they are interpreted • SQL injection • Code injection • E-mail injection • Directory traversal • Cross-site scripting in web applications • Race conditions, such as: • Time-of-check-to-time-of-use bugs • Symlink races • Privilege-confusion bugs, such as: • Cross-site request forgery in web applications • Privilege escalation • User interface failures, such as: • Warning fatigue or user conditioning • Blaming the Victim Prompting a user to make a security decision without giving the user enough information to answer it. • Race Conditions
Buffer Overflow • A condition where a process attempts to store data beyond the boundaries of a fixed-length buffer. • The result is that the extra data overwrites adjacent memory locations.
Buffer Overflow • The overwritten data may include other buffers, variables and program flow data, and may result in erratic program behavior, a memory access exception, program termination (a crash), incorrect results or ― especially if deliberately caused by a malicious user ― a possible breach of system security.
Basic example • In the following example, a program has defined two data items which are adjacent in memory: an 8-byte-long string buffer, A, and a two-byte integer, B. Initially, A contains nothing but zero bytes, and B contains the number 3. Characters are one byte wide. A B 0 0 0 0 0 0 0 0 0 3
Buffer Overflow Example • Now, the program attempts to store the character string "excessive" in the A buffer, followed by a zero byte to mark the end of the string. By not checking the length of the string, it overwrites the value of B: A B 'e' 'x' 'c' 'e' 's' 's' 'i' 'v' 'e' 0
SQL Injection • User input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.
SQL Injection Humor
Email Injection • A security vulnerability that can occur in Internet applications that are used to send e-mail messages. Like SQL injection attacks, this vulnerability is one of a general class of vulnerabilities that occur when one programming language is embedded within another.
Software Security (Vulnerabilities) And Physical Security
Directory Traversal • The goal of this attack is to order an application to access a computer file that is not intended to be accessible. This attack exploits a lack of security (the software is acting exactly as it is supposed to) as opposed to exploiting a bug in the code. • Directory traversal is also known as the ../ (dot dot slash) attack, directory climbing, and backtracking.
Cross-Site Scripting • (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross- site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy.
Software Security (Vulnerabilities) And Physical Security
Time-of-check-to-time-of-use • TOCTTOU − pronounced "TOCK too") is a software bug caused by changes in a system between the checking of a condition (such as a security credential) and the use of the results of that check. It is a kind of race condition.
Confused Deputy • A confused deputy is a computer program that is innocently fooled by some other party into misusing its authority. It is a specific type of privilege escalation. In information security, the confused deputy problem is often cited as an example of why capability-based security is important. • Billing example
Blaming The Victim • Prompting a user to make a security decision without giving the user enough information to answer it.
Physical Security • Physical security describes measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media. It can be as simple as a locked door or as elaborate as multiple layers of armed guardposts.
3 Elements to Physical Security • Obstacles, to frustrate trivial attackers and delay serious ones; • Alarms, security lighting, security guard patrols or closed-circuit television cameras, to make it likely that attacks will be noticed; and • Security response, to repel, catch or frustrate attackers when an attack is detected.
4 Layers to Physical Security • Environmental design • Mechanical and electronic access control • Intrusion detection • Video monitoring
What Are Physical Security Goals? • The goal is to convince potential attackers that the likely costs of attack exceed the value of making the attack. • If you are unable to convince them, then the second goal comes into play—to keep them from entering
Layer One - Physical • The initial layer of security for a campus, building, office, or physical space uses Crime Prevention Through Environmental Design to deter threats. Some of the most common examples are also the most basic - barbed wire, warning signs and fencing, concrete bollards, metal barriers, vehicle height-restrictors, site lighting and trenches.
Layer Two - Mechanical • Includes gates, doors, and locks. • Key control of the locks becomes a problem with large user populations and any user turnover. • Keys quickly become unmanageable forcing the adoption of electronic access control. • Electronic access control easily manages large user populations, controlling for user lifecycles times, dates, and individual access points. • For example a user's access rights could allow access from 0700 to 1900 Monday through Friday and expires in 90 days.
Layer Three – Intrusion Detection • Monitors for attacks. It is less a preventative measure and more of a response measure, although some would argue that it is a deterrent. Intrusion detection has a high incidence of false alarms. In many jurisdictions, law enforcement will not respond to alarms from intrusion detection systems.
Layer Four - Monitoring • Typically video monitoring systems. Like intrusion detection, these are not much of a deterrent. • Video monitoring systems are more useful for incident verification and historical analysis. • For instance, if alarms are being generated and there is a camera in place, the camera could be viewed to verify the alarms. • In instances when an attack has already occurred and a camera is in place at the point of attack, the recorded video can be reviewed. • Monitoring is ALWAYS active
Intertwined in These Four Layers are People • Guards have a role in all layers. • In the first as patrols and at checkpoints. • In the second to administer electronic access control. • In the third to respond to alarms. The response force must be able to arrive on site in less time than it is expected that the attacker will require to breach the barriers. • In the fourth to monitor and analyze video.
Users Are Helpful Too • Users obviously have a role also by questioning and reporting suspicious people. • Aiding in identifying people as known versus unknown are identification systems. • Often photo ID badges are used and are frequently coupled to the electronic access control system. • Visitors are often required to wear a visitor badge.
Examples of Physical Security • ATMs (cash dispensers) are protected, not by making them invulnerable, but by spoiling the money inside when they are attacked. Thieves quickly learned that it was futile to steal or break into an ATM if all they got was worthless money covered in dye.
Examples Continued • Safes are rated in terms of the time in minutes which a skilled, well equipped safe-breaker is expected to require to open the safe. These ratings are developed by highly skilled safe breakers employed by insurance agencies, such as Underwriters Laboratories. In a properly designed system, either the time between inspections by a patrolling guard should be less than that time, or an alarm response force should be able to reach it in less than that time.
How Is Physical Security Like Software Security? • Hiding the resources, or hiding the fact that resources are valuable, is also often a good idea as it will reduce the exposure to opponents and will cause further delays during an attack, but should not be relied upon as a principal means of ensuring security • Security through obscurity can be used in the cases of software security and physical security! • Video!

More Related Content

What's hot (20)

PPTX
INFORMATION SECURITY
Ahmed Moussa
 
PPTX
Network security (vulnerabilities, threats, and attacks)
Fabiha Shahzad
 
PPTX
Encryption ppt
Anil Neupane
 
PDF
Introduction to Software Security and Best Practices
Maxime ALAY-EDDINE
 
PPSX
Security policies
Nishant Pahad
 
PPT
Computer security overview
CAS
 
PPTX
System Security-Chapter 1
Vamsee Krishna Kiran
 
PPT
13 asymmetric key cryptography
drewz lin
 
PDF
Application Security | Application Security Tutorial | Cyber Security Certifi...
Edureka!
 
PPT
Application Security
florinc
 
PPTX
Cryptography and Information Security
Dr Naim R Kidwai
 
PDF
Information Security Awareness Training
Randy Bowman
 
PPT
Network Security Threats and Solutions
Colin058
 
PPTX
The CIA triad.pptx
GulnurAzat
 
PPTX
Security architecture, engineering and operations
Piyush Jain
 
PPT
DES (Data Encryption Standard) pressentation
sarhadisoftengg
 
PDF
Information Security Lecture Notes
FellowBuddy.com
 
PPT
Basics of Information System Security
chauhankapil
 
PDF
Network Security Presentation
Allan Pratt MBA
 
PPTX
Information Security (Digital Signatures)
Zara Nawaz
 
INFORMATION SECURITY
Ahmed Moussa
 
Network security (vulnerabilities, threats, and attacks)
Fabiha Shahzad
 
Encryption ppt
Anil Neupane
 
Introduction to Software Security and Best Practices
Maxime ALAY-EDDINE
 
Security policies
Nishant Pahad
 
Computer security overview
CAS
 
System Security-Chapter 1
Vamsee Krishna Kiran
 
13 asymmetric key cryptography
drewz lin
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Edureka!
 
Application Security
florinc
 
Cryptography and Information Security
Dr Naim R Kidwai
 
Information Security Awareness Training
Randy Bowman
 
Network Security Threats and Solutions
Colin058
 
The CIA triad.pptx
GulnurAzat
 
Security architecture, engineering and operations
Piyush Jain
 
DES (Data Encryption Standard) pressentation
sarhadisoftengg
 
Information Security Lecture Notes
FellowBuddy.com
 
Basics of Information System Security
chauhankapil
 
Network Security Presentation
Allan Pratt MBA
 
Information Security (Digital Signatures)
Zara Nawaz
 

Similar to Software Security (Vulnerabilities) And Physical Security (20)

PPT
Security communication
Say Shyong
 
PPTX
presentation_security_1510578971_320573.pptx
AadityaRauniyar1
 
PPT
Ns
Deepenti123
 
PPTX
Exploitation techniques and fuzzing
Prachi Gulihar
 
PPTX
MODELING THREATS HAER YERE SINIRR JKOA A
juan60m3zz
 
PDF
Ch14 security
Welly Dian Astika
 
PDF
Invited Talk - Cyber Security and Open Source
hack33
 
PDF
Frontier Secure: Handout for small business leaders on "How to be Secure"
Frontier Small Business
 
PPTX
LIS3353 SP12 Week 9
Amanda Case
 
PPTX
Security & threats Presentation => (Presenter: Komal Mehfooz)
Komal Mehfooz
 
PPT
1.Security Overview And Patching
phanleson
 
PDF
How to Destroy a Database
John Ashmead
 
PPTX
information system security --internet cyber security
VivekSinghShekhawat2
 
PDF
Health Information Privacy and Security
Nawanan Theera-Ampornpunt
 
PDF
Secure coding-guidelines
Trupti Shiralkar, CISSP
 
PPTX
Enhancing Cybersecurity: Mitigating Common Threats
VivekSinghShekhawat2
 
PPTX
Software Security and IDS.pptx
Muhib Ahmad Sherwani
 
PPTX
Computer security system Unit1.pptx
VIRAJDEY1
 
PPT
Whittaker How To Break Software Security - SoftTest Ireland
David O'Dowd
 
PPTX
download-20171010121559download-20171010121559.pptx
2024proj005
 
Security communication
Say Shyong
 
presentation_security_1510578971_320573.pptx
AadityaRauniyar1
 
Ns
Deepenti123
 
Exploitation techniques and fuzzing
Prachi Gulihar
 
MODELING THREATS HAER YERE SINIRR JKOA A
juan60m3zz
 
Ch14 security
Welly Dian Astika
 
Invited Talk - Cyber Security and Open Source
hack33
 
Frontier Secure: Handout for small business leaders on "How to be Secure"
Frontier Small Business
 
LIS3353 SP12 Week 9
Amanda Case
 
Security & threats Presentation => (Presenter: Komal Mehfooz)
Komal Mehfooz
 
1.Security Overview And Patching
phanleson
 
How to Destroy a Database
John Ashmead
 
information system security --internet cyber security
VivekSinghShekhawat2
 
Health Information Privacy and Security
Nawanan Theera-Ampornpunt
 
Secure coding-guidelines
Trupti Shiralkar, CISSP
 
Enhancing Cybersecurity: Mitigating Common Threats
VivekSinghShekhawat2
 
Software Security and IDS.pptx
Muhib Ahmad Sherwani
 
Computer security system Unit1.pptx
VIRAJDEY1
 
Whittaker How To Break Software Security - SoftTest Ireland
David O'Dowd
 
download-20171010121559download-20171010121559.pptx
2024proj005
 
Ad

More from Nicholas Davis (20)

PPTX
Conducting a NIST Cybersecurity Framework (CSF) Assessment
Nicholas Davis
 
PPTX
Top Cybersecurity Challenges Facing Your Business
Nicholas Davis
 
PPTX
UW-Madison, Information Systems 371 - Decision Support Systems
Nicholas Davis
 
PPTX
Lecture blockchain
Nicholas Davis
 
PPTX
Software Development Methodologies
Nicholas Davis
 
PPTX
Information systems 365 - Cloud and BYOD Security
Nicholas Davis
 
PPTX
Information Security Awareness: at Work, at Home, and For Your Kids
Nicholas Davis
 
PPTX
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...
Nicholas Davis
 
PPTX
Information Systems 371 -The Internet of Things Overview
Nicholas Davis
 
PPTX
Cyberwar Gets Personal
Nicholas Davis
 
PPTX
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
Nicholas Davis
 
PPT
Bringing the Entire Information Security Semester Together With a Team Project
Nicholas Davis
 
PPT
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...
Nicholas Davis
 
PPTX
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...
Nicholas Davis
 
PPTX
Information Security Fall Semester 2016 - Course Wrap Up Summary
Nicholas Davis
 
PPTX
Organizational Phishing Education
Nicholas Davis
 
PPT
Security Operations -- An Overview
Nicholas Davis
 
PPT
Network Design, Common Network Terminology and Security Implications
Nicholas Davis
 
PPT
Survey Presentation About Application Security
Nicholas Davis
 
PPT
Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli...
Nicholas Davis
 
Conducting a NIST Cybersecurity Framework (CSF) Assessment
Nicholas Davis
 
Top Cybersecurity Challenges Facing Your Business
Nicholas Davis
 
UW-Madison, Information Systems 371 - Decision Support Systems
Nicholas Davis
 
Lecture blockchain
Nicholas Davis
 
Software Development Methodologies
Nicholas Davis
 
Information systems 365 - Cloud and BYOD Security
Nicholas Davis
 
Information Security Awareness: at Work, at Home, and For Your Kids
Nicholas Davis
 
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...
Nicholas Davis
 
Information Systems 371 -The Internet of Things Overview
Nicholas Davis
 
Cyberwar Gets Personal
Nicholas Davis
 
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
Nicholas Davis
 
Bringing the Entire Information Security Semester Together With a Team Project
Nicholas Davis
 
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...
Nicholas Davis
 
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...
Nicholas Davis
 
Information Security Fall Semester 2016 - Course Wrap Up Summary
Nicholas Davis
 
Organizational Phishing Education
Nicholas Davis
 
Security Operations -- An Overview
Nicholas Davis
 
Network Design, Common Network Terminology and Security Implications
Nicholas Davis
 
Survey Presentation About Application Security
Nicholas Davis
 
Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli...
Nicholas Davis
 
Ad

Software Security (Vulnerabilities) And Physical Security

  • 1. Information Systems 365/765 Lecture 11 Software Security (Vulnerabilities) and Physical Security
  • 2. Vulnerability • Applied to a weakness in a system which allows an attacker to violate the integrity of that system. Vulnerabilities may result from weak passwords, software bugs, a computer virus or other malware, a script code injection, or a SQL injection.
  • 3. Vulnerability vs. Exploit • A security risk is classified as a vulnerability if it is recognized as a possible means of attack. • A security risk with one or more known instances of working and fully-implemented attacks is classified as an exploit.
  • 4. Causes • There are multiple causes of vulnerabilities • Password Management Flaws • Fundamental Operating System Design Flaws • Software Bugs • Unchecked User Input
  • 5. Password Management Flaws • The computer user uses weak passwords that could be discovered by brute force. • The computer user stores the password on the computer where a program can access it. • Users re-use passwords between many programs and websites.
  • 7. Operating System Design Flaws • The operating system designer chooses to enforce sub optimal policies on user/program management. F • or example operating systems with policies such as default permit grant every program and every user full access to the entire computer. • This operating system flaw allows viruses and malware to execute commands on behalf of the administrator
  • 8. Software Bugs • The programmer leaves an exploitable bug in a software program. • The software bug may allow an attacker to misuse an application through (for example) bypassing access control checks or executing commands on the system hosting the application.
  • 9. Software Bugs • Also the programmer's failure to check the size of data buffers, which can then be overflowed, causing corruption of the stack or heap areas of memory (including causing the computer to execute code provided by the attacker).
  • 10. Unchecked User Input • The program assumes that all user input is safe. Programs that do not check user input can allow unintended direct execution of commands or SQL statements (known as Buffer overflows, SQL injection or other non-validated inputs).
  • 11. Vulnerability Disclosure • The method of disclosing vulnerabilities is a topic of debate in the computer security community. • Some advocate immediate full disclosure of information about vulnerabilities once they are discovered. • Others argue for limiting disclosure to the users placed at greatest risk, and only releasing full details after a delay, if ever. • What do you think?
  • 12. Vulnerability Disclosure • Benefit to limited disclosure: • Such delays may allow those notified to fix the problem by developing and applying patches, • Drawback to limited disclosure • May increase the risk to those not privy to full details.
  • 13. Full Disclosure • Disclose all the details of a security problem which are known. It is a philosophy of security management completely opposed to the idea of security through obscurity
  • 14. Full Disclosure • The theory behind full disclosure is that releasing vulnerability information immediately results in quicker fixes and better security. • Fixes are produced faster because vendors and authors are forced to respond in order to save face. • Security is improved because the window of exposure, the amount of time the vulnerability is open to attack, is reduced.
  • 15. Responsible Disclosure • Some believe that in the absence of any public exploits for the problem, full and public disclosure should be preceded by disclosure of the vulnerability to the vendors or authors of the system. This private advance disclosure allows the vendor time to produce a fix or workaround.
  • 16. Limited Disclosure • With full details going to a restricted community of developers and vendors, and only the existence of the problem being released to the public, is another possible approach • Nick doesn’t like Limited Disclosure
  • 17. A.C. Hobbs - Locksmith • A commercial, and in some respects a social doubt has been started within the last year or two, whether it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by showing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and know already much more than we can teach them respecting their several kinds of roguery.
  • 18. Security Through Obscurity • Attempts to use secrecy (of design, implementation, etc.) to provide security. • A system relying on security through obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that the flaws are not known, and that attackers are unlikely to find them.
  • 20. Vulnerability Disclosure Date • When can it be said that a vulnerability has been disclosed? • 1. The information is freely available to the public • 2. The vulnerability information is published by a trusted and independent channel/source • 3. The vulnerability has undergone analysis by experts such that risk rating information is included upon disclosure
  • 21. Examples of Vulnerabilities • Buffer overflows • Dangling pointers • Input validation errors, such as: • Format string bugs • Improperly handling shell metacharacters so they are interpreted • SQL injection • Code injection • E-mail injection • Directory traversal • Cross-site scripting in web applications • Race conditions, such as: • Time-of-check-to-time-of-use bugs • Symlink races • Privilege-confusion bugs, such as: • Cross-site request forgery in web applications • Privilege escalation • User interface failures, such as: • Warning fatigue or user conditioning • Blaming the Victim Prompting a user to make a security decision without giving the user enough information to answer it. • Race Conditions
  • 22. Buffer Overflow • A condition where a process attempts to store data beyond the boundaries of a fixed-length buffer. • The result is that the extra data overwrites adjacent memory locations.
  • 23. Buffer Overflow • The overwritten data may include other buffers, variables and program flow data, and may result in erratic program behavior, a memory access exception, program termination (a crash), incorrect results or ― especially if deliberately caused by a malicious user ― a possible breach of system security.
  • 24. Basic example • In the following example, a program has defined two data items which are adjacent in memory: an 8-byte-long string buffer, A, and a two-byte integer, B. Initially, A contains nothing but zero bytes, and B contains the number 3. Characters are one byte wide. A B 0 0 0 0 0 0 0 0 0 3
  • 25. Buffer Overflow Example • Now, the program attempts to store the character string "excessive" in the A buffer, followed by a zero byte to mark the end of the string. By not checking the length of the string, it overwrites the value of B: A B 'e' 'x' 'c' 'e' 's' 's' 'i' 'v' 'e' 0
  • 26. SQL Injection • User input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.
  • 28. Email Injection • A security vulnerability that can occur in Internet applications that are used to send e-mail messages. Like SQL injection attacks, this vulnerability is one of a general class of vulnerabilities that occur when one programming language is embedded within another.
  • 30. Directory Traversal • The goal of this attack is to order an application to access a computer file that is not intended to be accessible. This attack exploits a lack of security (the software is acting exactly as it is supposed to) as opposed to exploiting a bug in the code. • Directory traversal is also known as the ../ (dot dot slash) attack, directory climbing, and backtracking.
  • 31. Cross-Site Scripting • (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross- site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy.
  • 33. Time-of-check-to-time-of-use • TOCTTOU − pronounced "TOCK too") is a software bug caused by changes in a system between the checking of a condition (such as a security credential) and the use of the results of that check. It is a kind of race condition.
  • 34. Confused Deputy • A confused deputy is a computer program that is innocently fooled by some other party into misusing its authority. It is a specific type of privilege escalation. In information security, the confused deputy problem is often cited as an example of why capability-based security is important. • Billing example
  • 35. Blaming The Victim • Prompting a user to make a security decision without giving the user enough information to answer it.
  • 36. Physical Security • Physical security describes measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media. It can be as simple as a locked door or as elaborate as multiple layers of armed guardposts.
  • 37. 3 Elements to Physical Security • Obstacles, to frustrate trivial attackers and delay serious ones; • Alarms, security lighting, security guard patrols or closed-circuit television cameras, to make it likely that attacks will be noticed; and • Security response, to repel, catch or frustrate attackers when an attack is detected.
  • 38. 4 Layers to Physical Security • Environmental design • Mechanical and electronic access control • Intrusion detection • Video monitoring
  • 39. What Are Physical Security Goals? • The goal is to convince potential attackers that the likely costs of attack exceed the value of making the attack. • If you are unable to convince them, then the second goal comes into play—to keep them from entering
  • 40. Layer One - Physical • The initial layer of security for a campus, building, office, or physical space uses Crime Prevention Through Environmental Design to deter threats. Some of the most common examples are also the most basic - barbed wire, warning signs and fencing, concrete bollards, metal barriers, vehicle height-restrictors, site lighting and trenches.
  • 41. Layer Two - Mechanical • Includes gates, doors, and locks. • Key control of the locks becomes a problem with large user populations and any user turnover. • Keys quickly become unmanageable forcing the adoption of electronic access control. • Electronic access control easily manages large user populations, controlling for user lifecycles times, dates, and individual access points. • For example a user's access rights could allow access from 0700 to 1900 Monday through Friday and expires in 90 days.
  • 42. Layer Three – Intrusion Detection • Monitors for attacks. It is less a preventative measure and more of a response measure, although some would argue that it is a deterrent. Intrusion detection has a high incidence of false alarms. In many jurisdictions, law enforcement will not respond to alarms from intrusion detection systems.
  • 43. Layer Four - Monitoring • Typically video monitoring systems. Like intrusion detection, these are not much of a deterrent. • Video monitoring systems are more useful for incident verification and historical analysis. • For instance, if alarms are being generated and there is a camera in place, the camera could be viewed to verify the alarms. • In instances when an attack has already occurred and a camera is in place at the point of attack, the recorded video can be reviewed. • Monitoring is ALWAYS active
  • 44. Intertwined in These Four Layers are People • Guards have a role in all layers. • In the first as patrols and at checkpoints. • In the second to administer electronic access control. • In the third to respond to alarms. The response force must be able to arrive on site in less time than it is expected that the attacker will require to breach the barriers. • In the fourth to monitor and analyze video.
  • 45. Users Are Helpful Too • Users obviously have a role also by questioning and reporting suspicious people. • Aiding in identifying people as known versus unknown are identification systems. • Often photo ID badges are used and are frequently coupled to the electronic access control system. • Visitors are often required to wear a visitor badge.
  • 46. Examples of Physical Security • ATMs (cash dispensers) are protected, not by making them invulnerable, but by spoiling the money inside when they are attacked. Thieves quickly learned that it was futile to steal or break into an ATM if all they got was worthless money covered in dye.
  • 47. Examples Continued • Safes are rated in terms of the time in minutes which a skilled, well equipped safe-breaker is expected to require to open the safe. These ratings are developed by highly skilled safe breakers employed by insurance agencies, such as Underwriters Laboratories. In a properly designed system, either the time between inspections by a patrolling guard should be less than that time, or an alarm response force should be able to reach it in less than that time.
  • 48. How Is Physical Security Like Software Security? • Hiding the resources, or hiding the fact that resources are valuable, is also often a good idea as it will reduce the exposure to opponents and will cause further delays during an attack, but should not be relied upon as a principal means of ensuring security • Security through obscurity can be used in the cases of software security and physical security! • Video!