SECURITY IN COMPUTING, FIFTH EDITION
Chapter 1: Introduction
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Assets
Values of Assets
Basic Terms
• Vulnerability
• Threat
• Attack
• Countermeasure or control
Vulnerabilities, Threats, Attacks, Controls
• A vulnerability is a weakness in the security system (i.e., in procedures, design, or implementation) that might be exploited to cause loss or harm.
C-I-A Triad
• Confidentiality
• Integrity
• Availability
• Sometimes two other desirable characteristics:
• Authentication: the process or action of proving or showing something to be true, genuine, or valid.
• Nonrepudiation: the assurance that someone cannot deny something.
• I.e., nonrepudiation refers to the ability to ensure that a party to a contract or a communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated.
Access Control
Types of Threats
Types of Attackers
Types of Harm
Threats
• An interception means that some unauthorized party has gained access to an asset.
Method—Opportunity—Motive (MOM)
Method, Opportunity, and Motive
• A malicious attacker must have three things (MOM): method, opportunity, and motive.
Controls/Countermeasures
Security Goals
• When we talk about computer security, we mean that we are addressing three
important aspects of any computer-related system: confidentiality, integrity, &
availability (CIA)
[Figure: Confidentiality, Integrity, Availability; label: Secure]
Goals of Security
• Prevention
• Prevent attackers from violating security policy
• Detection
• Detect attackers’ violation of security policy
• Recovery
• Stop attack, assess and repair damage
• Continue to function correctly even if attack succeeds
• Policies
• Unambiguously partition system states
• Correctly capture security requirements
• Mechanisms
• Assumed to enforce policy
• Support mechanisms work correctly
Controls Available
• Encryption
• We take data in their normal, unscrambled state, called cleartext or plaintext, and transform them so that they are unintelligible to the outside observer; the transformed data are called enciphered text or ciphertext.
• Physical Controls
• i.e. locks on doors,
• guards at entry points,
• backup copies of important software and data, and
• physical site planning that reduces the risk of natural disasters.
Effectiveness of Controls
• Awareness of Problem
• People using controls must be convinced of the need for security. That is, people will willingly cooperate with security requirements only if they understand why security is appropriate in a given situation.
Effectiveness of Controls
• Likelihood of Use
• Of course, no control is effective unless it is used
• Principle of Effectiveness:
• Controls must be used properly to be effective.
• They must be efficient, easy to use, and appropriate.
• Periodic Review
• Just when the security specialist finds a way to secure assets
against certain kinds of attacks, the opposition doubles its efforts in
an attempt to defeat the security mechanisms. Thus, judging the
effectiveness of a control is an ongoing task.
Principle of Weakest Link
• Security can be no stronger than its weakest link!!!
• Whether it is the power supply that powers the firewall or the
operating system under the security application or the human who
plans, implements, and administers controls, a failure of any
control can lead to a security failure.
Chapter 2: Toolbox: Authentication, Access Control, and Cryptography
Chapter 3: Programs and Programming
Memory Structure
Chapter 5: Operating Systems
Chapter 5 Objectives
• Basic security functions provided by operating systems
• System resources that require operating system
protection
• Operating system design principles
• How operating systems control access to resources
• The history of trusted computing
• Characteristics of operating system rootkits
Protected Objects
• Memory
• Sharable I/O devices, such as disks
• Serially reusable I/O devices, such as printers
• Sharable programs and subprocedures
• Networks
• Sharable data
OS Layered Design
Modular OS Design
Virtualization
• With virtualization, the OS presents each user with just
the resources that user should see
• The user has access to a virtual machine (VM), which
contains those resources
• The user cannot access resources that are available to
the OS but exist outside the VM
• A hypervisor, or VM monitor, is the software that implements a VM, e.g., VMware or VirtualBox
• Translates access requests between the VM and the OS
• Can support multiple OSs in VMs simultaneously
• Honeypot: A VM meant to lure an attacker into an environment that can be both controlled and monitored
Fence
Fence Registers
Base/Bounds Registers
Tagged Architecture
Segmentation
Paging
Paged Segmentation
Kernelized Design
• A kernel is the part of the OS that performs the lowest-
level functions
• Synchronization
• Interprocess communication
• Message passing
• Interrupt handling
• A security kernel is responsible for enforcing the security
mechanisms of the entire OS
• Typically contained within the kernel
Reference Monitor
Trusted Systems
• A trusted system is one that has been shown to warrant
some degree of trust that it will perform certain activities
faithfully
• Characteristics of a trusted system:
• A defined policy that details what security qualities it enforces
• Appropriate measures and mechanisms by which it can enforce
security adequately
• Independent scrutiny or evaluation to ensure that the mechanisms
have been selected and implemented properly
Rootkits
• A rootkit is a malicious software package that
attains and takes advantage of root status or
effectively becomes part of the OS
• Rootkits often go to great lengths to avoid being discovered or, if discovered and partially removed, to reestablish themselves
• This can include intercepting or modifying basic OS
functions
Summary
• OSs have evolved from supporting single users and single
programs to many users and programs at once
• Resources that require OS protection: memory, I/O
devices, programs, and networks
• OSs use layered and modular designs for simplification
and to separate critical functions from noncritical ones
• Resource access control can be enforced in a number of
ways, including virtualization, segmentation, hardware
memory protection, and reference monitors
• Rootkits are malicious software packages that attain root
status or effectively become part of the OS
Chapter 6: Networks
Unknown Perimeter
Unknown Path
Port Scanning
WiFi Background
• Wireless communication will never be as secure as wired, because the
exposed signal is more vulnerable.
• Each device must have a network interface card, or NIC, that communicates
radio signals with the access point. The NIC is identified by a unique 48- or
64-bit hardware address called a medium access code, or MAC.
• WiFi Access Range
• WiFi Frames.
WiFi Background
• Management Frames
The most significant management frame types are these:
- Beacon.
- Authentication.
- Association request and response: A NIC requests a connection by
sending an authentication frame.
• SSID:
An SSID is a string to identify a wireless access point.
WEP Weaknesses
• Weak encryption key
• WEP allows keys to be either 64- or 128-bit, but 24 of those bits are reserved for initialization vectors (IV), thus reducing effective key size to 40 or 104 bits
• Keys were either alphanumeric or hex phrases that users typed in
and were therefore vulnerable to dictionary attacks
• Static key
• Since the key was just a value the user typed in at the client and
AP, and since users rarely changed those keys, one key would be
used for many months of communications
• Weak encryption process
• A 40-bit key can be brute forced easily. Flaws that were eventually discovered in the RC4 encryption algorithm WEP uses made the 104-bit keys easy to crack as well
WPA (cont.)
• Strong encryption
• WPA adds support for AES (Advanced Encryption Standard), a
much more reliably strong encryption algorithm
• Integrity protection
• WPA includes a 64-bit cryptographic integrity check
• Session initiation
• WPA sessions begin with authentication and a four-way handshake
that results in separate keys for encryption and integrity on both
ends
• While there are some attacks against WPA, they are
either of very limited effectiveness or require weak
passwords
Botnets
Link Encryption
End-to-End Encryption
SSL Certificate
Chain of Certificates
Onion Routing
• Onion routing prevents an eavesdropper from learning source, destination, or content of data in transit in a network
• This is particularly helpful for evading authorities, such as when users in oppressive countries want to communicate freely with the outside world.
• Uses asymmetric cryptography, as well as layers of intermediate hosts, so that
• The intermediate host that sends the message to the ultimate destination cannot determine the original sender, and
• The host that received the message from the original sender cannot determine the ultimate destination
VPN (cont.)
Firewalls
• A device that filters all traffic between a protected or “inside” network and a less trustworthy or “outside” network
• Most firewalls run as dedicated devices
• Easier to design correctly and inspect for bugs
• Easier to optimize for performance
• Firewalls implement security policies, or sets of rules that determine what traffic can or cannot pass through
• A firewall is an example of a reference monitor, which means it should have three characteristics:
• Always invoked (cannot be circumvented)
• Tamperproof
• Small and simple enough for rigorous analysis
Types of Firewalls
• Packet filtering gateways or screening routers
• Stateful inspection firewalls
• Application-level gateways, also known as proxies
• Circuit-level gateways
• Guards
• Personal or host-based firewalls
Packet-Filtering Gateways
Application Proxy
Circuit-Level Gateway
Guard
• A sophisticated firewall that, like an application proxy, can
interpret data at the protocol level and respond
• The distinction between a guard and an application proxy can be fuzzy; the more protection features an application proxy implements, the more it becomes like a guard
• Guards may implement any programmable set of rules;
for example:
• Limit the number of email messages a user can receive
• Limit users’ web bandwidth
• Filter documents containing the word “Secret”
• Pass downloaded files through a virus scanner
Personal Firewalls
Types of IDS
• Detection method
• Signature-based
• Heuristic
• Location
• Front end
• Internal
• Scope
• Host-based IDS (HIDS)
• Network-based IDS (NIDS)
• Capability
• Passive
• Active, also known as intrusion prevention systems (IPS)
Summary
• Networks are threatened by attacks aimed at interception,
modification, fabrication, and interruption
• WPA2 has many critical security advantages over WEP
• DoS attacks come in many flavors, but malicious ones are
usually either volumetric in nature or exploit a bug
• Network encryption can be achieved using specialized tools—
some for link encryption and some for end-to-end—such as
VPNs, SSH, and the SSL/TLS protocols
• A wide variety of firewall types exist, ranging from very basic
IP-based functionality to complex application-layer logic, and
both on networks and hosts
• There are many flavors of IDS, each of which detects different
kinds of attacks in very different parts of the network
Chapter 7: Databases
Database Terms
• Database administrator
• Database management system (DBMS)
• Record
• Field/element
• Schema
• Subschema
• Attribute
• Relation
Database Example
Schema Example
Queries
• A query is a command that tells the
database to retrieve, modify, add, or delete
a field or record
• The most common database query
language is SQL
Two-Phase Update
• Phase 1: Intent
• DBMS does everything it can, other than making changes to the
database, to prepare for the update
• Collects records, opens files, locks out users, makes calculations
• DBMS commits by writing a commit flag to the database
• Phase 2: Write
• DBMS completes all write operations
• DBMS removes the commit flag
• If the DBMS fails during either phase 1 or phase 2, it can
be restarted and repeat that phase without causing harm
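The two phases above, simulated in C as an added example (not code from the book or the slides). The `struct db` stands in for stable storage that survives a failure; the crash-injection budget, the stock values and all function names are constructed for illustration. An in-place update is included for contrast.

```c
#include <stdio.h>

#define N_ITEMS     3
#define TOTAL_STEPS (2 * N_ITEMS + 2)   /* 3 shadow writes, flag set, 3 writes, flag clear */

struct db {
    int stock[N_ITEMS];    /* permanent data */
    int shadow[N_ITEMS];   /* results prepared during the intent phase */
    int commit_flag;       /* set at the end of phase 1, removed at the end of phase 2 */
};

/* Crash injection: budget 0 means the DBMS fails before the next action; negative never fails. */
static int crash_now(int *budget)
{
    if (*budget == 0) return 1;
    if (*budget > 0) (*budget)--;
    return 0;
}

/* Phase 1 (intent): compute new values into shadow only, then set the flag. */
static int phase1_intent(struct db *d, const int *delta, int *budget)
{
    for (int i = 0; i < N_ITEMS; i++) {
        if (crash_now(budget)) return -1;
        d->shadow[i] = d->stock[i] + delta[i];
    }
    if (crash_now(budget)) return -1;
    d->commit_flag = 1;
    return 0;
}

/* Phase 2 (write): copy shadow values into place, then remove the flag. */
static int phase2_write(struct db *d, int *budget)
{
    for (int i = 0; i < N_ITEMS; i++) {
        if (crash_now(budget)) return -1;
        d->stock[i] = d->shadow[i];     /* copying twice gives the same result */
    }
    if (crash_now(budget)) return -1;
    d->commit_flag = 0;
    return 0;
}

/* Start or restart: the flag tells a restarted DBMS which phase to repeat. */
int run_update(struct db *d, const int *delta, int *budget)
{
    if (!d->commit_flag && phase1_intent(d, delta, budget) != 0)
        return -1;
    return phase2_write(d, budget);
}

/* Contrast: update in place with no intent phase. */
int naive_update(struct db *d, const int *delta, int *budget)
{
    for (int i = 0; i < N_ITEMS; i++) {
        if (crash_now(budget)) return -1;
        d->stock[i] += delta[i];        /* a rerun applies the change again */
    }
    return 0;
}

/* Fail after k actions, restart until done, report whether the data is right. */
int recovers(int (*update)(struct db *, const int *, int *), int k)
{
    struct db d = { {10, 20, 30}, {0, 0, 0}, 0 };   /* constructed sample data */
    const int delta[N_ITEMS] = { -4, 5, -30 };
    int budget = k;
    while (update(&d, delta, &budget) != 0)
        budget = -1;                    /* the restarted run completes without failing */
    return d.stock[0] == 6 && d.stock[1] == 25 && d.stock[2] == 0 && d.commit_flag == 0;
}

/* Try a failure at every possible point of the two-phase update. */
int all_crash_points_recover(void)
{
    for (int k = 0; k <= TOTAL_STEPS; k++)
        if (!recovers(run_update, k)) return 0;
    return 1;
}

int main(void)
{
    printf("two-phase, every crash point: %d\n", all_crash_points_recover());
    printf("in place, crash after 1 write: %d\n", recovers(naive_update, 1));
    return 0;
}
```

The property doing the work is that each phase is repeatable: phase 1 never touches permanent data, and phase 2 only copies already-computed values.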
Sensitive Data
• Inherently sensitive
• Passwords, locations of weapons
• From a sensitive source
• Confidential informant
• Declared sensitive
• Classified document, name of an anonymous donor
• Part of a sensitive attribute or record
• Salary attribute in an employment database
• Sensitive in relation to previously disclosed information
• An encrypted file combined with the password to open it
It is important to understand both the range of possible contents of each attribute and the data
available to potential attackers in order to apply the appropriate protection mechanisms.
• Exact data
• Bounds
• Negative result
• Existence
• Probable value
• Direct inference
• Inference by arithmetic
• Aggregation
• Hidden data attributes
• File tags
• Geotags
Preventing Disclosure
• Suppress obviously sensitive
information
• Keep track of what each user knows based
on past queries
• Disguise the data
Data Mining
• Data mining uses statistics, machine learning,
mathematical models, pattern recognition, and other
techniques to discover patterns and relations on large
datasets
• The size and value of the datasets present an important
security and privacy challenge, as the consequences
of disclosure are naturally high
Summary
• Database security requirements include:
• Physical integrity
• Logical integrity
• Element integrity
• Auditability
• Access control
• User authentication
• Availability
• There are many subtle ways for sensitive data to be
inadvertently disclosed, and there is no single answer for
prevention
• Data mining and big data have numerous open security
and privacy challenges
Chapter 8: Cloud Computing
Service Models
• Software as a service (SaaS)
• The cloud provider gives the customer access to applications
running in the cloud
• Platform as a service (PaaS)
• The customer has his or her own applications, but the cloud
provides the languages and tools for creating and running them
• Infrastructure as a service (IaaS)
• The cloud provider offers processing, storage, networks, and other
computing resources that enable customers to run any kind of
software
Deployment Models
• Private cloud
• Infrastructure that is operated exclusively by and for the
organization that owns it
• Community cloud
• Shared by several organizations with common needs,
interests, or goals
• Public cloud
• Owned by a cloud service provider and offered to the general
public
• Hybrid cloud
• Composed of two or more types of clouds, connected by
technology that enables data and applications to balance loads
among those clouds
Cloud Storage
• By default, most cloud storage solutions either store
users’ data unencrypted or encrypt all data for all
customers using a single key and therefore don’t provide
strong confidentiality
• Some cloud services provide better confidentiality by
generating keys on a per-user basis based
on that user’s password or some other secret
• For maximum confidentiality, some cloud providers
embrace a trust no one (TNO) model in which even
the provider does not have the keys to decrypt user data
OAuth
• Whereas SAML is an authentication standard, OAuth is
an authorization standard
• OAuth enables a user to allow third-party applications to
access APIs on that user’s behalf
• When Facebook asks a user if a new application can have
access to his photos, that’s OAuth
• OAuth allows users to give third-party applications access
to only the account resources they need, and to do so
without sharing passwords; users can revoke access at
any time
OAuth Authorization
OIDC Authentication
Securing IaaS
• Shared storage
• When you deallocate shared storage, it gets reallocated to other
users, potentially exposing your data. Encrypted storage
volumes are the most reliable mitigation.
• Shared network
• Typical practice among IaaS providers prevents users from sniffing one another’s
network traffic, but the safest bet is to encrypt all network traffic to and from
virtual machines whenever possible
• Host access
• Require two-factor authentication
• Do not use shared accounts
• Enforce the principle of least privilege
• Use OAuth rather than passwords to give applications access to API interfaces
• Use FIdM wherever possible so as to only manage one set of accounts
Summary
• When considering a move to cloud infrastructure, a full
risk assessment will reveal critical requirements and bring
up important unexpected issues
• Cloud storage encryption options vary widely—
confidentiality requirements are a key consideration
• FIdM, including SAML, OAuth, and OIDC, provides strong
security benefits by centralizing account and authorization
management
• In IaaS infrastructures, use server specialization, security
enclaves, and application whitelisting to greatly limit the
potential attack surface
Memory Allocation
Buffer Overflows
• Occur when data is written beyond the space allocated for
it, such as a 10th byte in a 9-byte array
• In a typical exploitable buffer overflow, an attacker’s inputs
are expected to go into regions of memory allocated for
data, but those inputs are instead allowed to overwrite
memory holding executable code
• The trick for an attacker is finding buffer overflow
opportunities that lead to overwritten memory being
executed, and finding the right code to input
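char sample[10];     /* declaration assumed here; valid subscripts are 0..9 */
int i;
sample[10] = 'B';    /* out of bounds: writes one byte past the end of sample */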
Memory Organization
The Stack
Compromised Stack
Overflow Countermeasures
• Staying within bounds
• Check lengths before writing
• Confirm that array subscripts are within limits
• Double-check boundary condition code for off-by-one errors
• Limit input to the number of acceptable characters
• Limit programs’ privileges to reduce potential harm
• Many languages have overflow protections
• Code analyzers can identify many overflow vulnerabilities
• Canary values in stack to signal modification
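The bounds checks and the canary idea from this list, as an added C example (not code from the book or the slides). It reuses the 10-byte `sample` array from the earlier slide; the struct, the guard value and all function names are constructed for illustration, and the guard word is a software model of a canary rather than a compiler-inserted one.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SAMPLE_CAP 10           /* same size as sample[10]: valid subscripts 0..9 */
#define CANARY     0x5AC3E19Du  /* constructed guard value, not from the slides */

/* A buffer followed by a guard word: a software model of a stack canary. */
struct guarded {
    char         sample[SAMPLE_CAP];
    unsigned int canary;
};

void guarded_init(struct guarded *g)
{
    memset(g, 0, sizeof *g);
    g->canary = CANARY;
}

/* Canary check: a changed guard word signals that something wrote past sample. */
int canary_intact(const struct guarded *g)
{
    return g->canary == CANARY;
}

/* Confirm the subscript is within limits before writing one byte. */
int checked_store(struct guarded *g, size_t idx, char value)
{
    if (idx >= SAMPLE_CAP)      /* ">=": idx == SAMPLE_CAP is the off-by-one case */
        return -1;
    g->sample[idx] = value;
    return 0;
}

/* Check the length before writing: the input must fit with its terminator. */
int checked_copy(struct guarded *g, const char *src)
{
    size_t len = 0;

    if (src == NULL)
        return -1;
    while (len < SAMPLE_CAP && src[len] != '\0')
        len++;                  /* never reads more than SAMPLE_CAP bytes of src */
    if (len == SAMPLE_CAP)      /* no room left for the '\0' */
        return -1;
    memcpy(g->sample, src, len);
    g->sample[len] = '\0';
    return 0;
}

/* Model of a write with no length check. It goes through a byte view of the
 * whole struct and is capped at sizeof *g, so the demo stays well-defined C. */
void unchecked_fill(struct guarded *g, size_t n, char value)
{
    unsigned char *raw = (unsigned char *)g;
    size_t i;

    for (i = 0; i < n && i < sizeof *g; i++)
        raw[i] = (unsigned char)value;
}

int main(void)
{
    struct guarded g;

    guarded_init(&g);
    printf("store at 9:    %d\n", checked_store(&g, 9, 'A'));
    printf("store at 10:   %d\n", checked_store(&g, 10, 'B'));
    printf("copy 9 chars:  %d\n", checked_copy(&g, "123456789"));
    printf("copy 10 chars: %d\n", checked_copy(&g, "1234567890"));
    unchecked_fill(&g, sizeof g, 'A');
    printf("canary intact after unchecked fill: %d\n", canary_intact(&g));
    return 0;
}
```

The checked functions reject the write before it happens; the canary only reports it afterwards, which is why the slide lists it last.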
Incomplete Mediation
• Mediation: Verifying that the subject is
authorized to perform the operation on an
object
• Preventing incomplete mediation:
• Validate all input
• Limit users’ access to sensitive data and
functions
• Complete mediation using a reference monitor
Time-of-Check to Time-of-Use
• Mediation performed with a “bait and switch” in the middle
Race Conditions
Malware
• Programs planted by an agent with malicious intent to
cause unanticipated or undesired effects
• Virus
• A program that can replicate itself and pass on malicious code to
other nonmalicious programs by modifying them
• Worm
• A program that spreads copies of itself through a network
• Trojan horse
• Code that, in addition to its stated effect, has a second,
nonobvious, malicious effect
Types of Malware
History of Malware
Malware Activation
• One-time execution (implanting)
• Boot sector viruses
• Memory-resident viruses
• Application files
• Code libraries
Virus Effects
Virus Detection
• Virus scanners look for signs of malicious code infection
using signatures in program files and memory
• Traditional virus scanners have trouble keeping up with
new malware—detect about 45% of infections
• Detection mechanisms:
• Known string patterns in files or memory
• Execution patterns
• Storage patterns
Virus Signatures
Code Testing
• Unit testing
• Integration testing
• Function testing
• Performance testing
• Acceptance testing
• Installation testing
• Regression testing
• Penetration testing
Other Countermeasures
• Good
• Proofs of program correctness—where possible
• Defensive programming
• Design by contract
• Bad
• Penetrate-and-patch
• Security by obscurity
Summary
• Buffer overflow attacks can take advantage of the fact that
code and data are stored in the same memory in order to
maliciously modify executing programs
• Programs can have a number of other types of
vulnerabilities, including off-by-one errors, incomplete
mediation, and race conditions
• Malware can have a variety of harmful effects depending
on its characteristics, including resource usage, infection
vector, and payload
• Developers can use a variety of techniques for writing and
testing code for security
Authentication
• The act of proving that a user is who she says she is
• Methods:
• Authentication mechanisms use any of three
qualities to confirm a user’s identity:
• Something the user knows: passwords, PIN numbers
• Something the user is: biometrics
• Something the user has: driver’s license, bank card
Defeating concealment
(Password Storage)
Plaintext Concealed
Single Sign-On
Access Control
Access Policies
• Protecting objects involves several complementary goals:
• Check every access
• Enforce least privilege
• Verify acceptable usage
• Track users’ access
• Has someone been around for a long time and so has acquired a large number of no-longer-needed rights? Administrators
need to consider these kinds of questions on occasion to determine whether the policy and implementation are doing what they should.
• Use audit logging to track accesses
• Systems also record which accesses have been permitted, creating what is called an audit log.
• Records of accesses can help plan for new or upgraded equipment, by showing which items have had heavy use.
• If the system fails, these records can show what accesses were in progress and perhaps help identify the cause of failure.
• If a user misuses objects, the access log shows exactly which objects the user did access.
• In the event of an external compromise, the audit log may help identify how the assailant gained access
and which data items were accessed (and therefore revealed or compromised). These data for after-the-fact forensic analysis
have been extremely helpful in handling major incidents.
Reference Monitor
Encryption Terminology
• Sender
• Recipient
• Transmission medium
• Interceptor/intruder
• Encrypt, encode, or encipher
• Decrypt, decode, or decipher
• Cryptosystem
• Plaintext
• Ciphertext
Encryption/Decryption Process
              | Stream                                       | Block
Advantages    | Speed of transformation                      | High diffusion
              | Low error propagation                        | Immunity to insertion of symbol
Disadvantages | Low diffusion                                | Slowness of encryption
              | Susceptibility to malicious insertions and   | Padding
              | modifications                                | Error propagation
Parity Check
Digital Signature
Summary
• Users can authenticate using something they know,
something they are, or something they have
• Systems may use a variety of mechanisms to implement
access control
• Encryption helps prevent attackers from revealing,
modifying, or fabricating messages
• Symmetric and asymmetric encryption have
complementary strengths and weaknesses
• Certificates bind identities to digital signatures
Summary
• Vulnerabilities are weaknesses in a system;
threats exploit those weaknesses;
controls protect those weaknesses from exploitation
• Confidentiality, integrity, and availability are the three
basic security primitives
• Different attackers pose different kinds of threats based
on their capabilities and motivations
• Different controls address different threats; controls come
in many flavors and can exist at various points in the
system