Software Security Vulnerabilities and Protections

The document discusses various aspects of software security, including vulnerabilities, protections, and the threats posed by malicious software and hackers. It highlights the importance of security policies, the challenges of internet and wireless security, and internal threats from employees. Additionally, it covers different types of cybercrimes such as identity theft, phishing, and denial-of-service attacks, emphasizing the need for effective controls and patches to mitigate risks.

Uploaded by bkdaha

Software Security Vulnerabilities and Protections

An unprotected computer connected to the Internet can be found by automated scanning and compromised within minutes.
• Security:
  Policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems
• Controls:
  Methods, policies, and organizational procedures that ensure the safety of the organization's assets; the accuracy and reliability of its accounting records; and operational adherence to management standards
Why Systems Are Vulnerable
• Hardware problems
Breakdowns, configuration errors, damage from improper use or crime
• Software problems
Programming errors, installation errors, unauthorized changes
• Disasters
Power failures, floods, fires, and so on
• Use of networks and computers outside of the firm's control
E.g., with domestic or offshore outsourcing vendors
The architecture of a Web-based application typically includes a Web client, a server, and corporate information systems linked to databases. Each of these components presents security challenges and vulnerabilities. Floods, fires, power failures, and other electrical problems can cause disruptions at any point in the network.
• Internet vulnerabilities
  Network open to anyone
  Size of Internet means abuses can have wide impact
  Fixed Internet addresses on permanent (always-on) connections make a host easy for attackers to find and to target repeatedly
  E-mail attachments are a common carrier for malware
  E-mail used for transmitting trade secrets, usually without encryption
  IM traffic is often sent unencrypted and can be intercepted in transit
Wireless security challenges
• Radio frequency bands easy to scan
• SSIDs (service set identifiers)
   Identify access points
   Broadcast repeatedly in beacon frames; disabling the broadcast only hides the name from casual users, because clients still send it in probe requests
• War driving
   Eavesdroppers drive by buildings and try to intercept network traffic
   Once an attacker can associate with the access point (open network, or one whose encryption is weak), he has access to the network's resources; knowing the SSID alone is not the barrier, since it is not a secret
• WEP (Wired Equivalent Privacy)
   Original security standard for 802.11
   Basic specification uses one shared key for all users and the access point
   Users often fail to turn security features on at all
   WEP's keying (a 24-bit IV, sent in the clear, prepended to the shared RC4 key) is cryptographically broken: keys can be recovered from captured traffic in minutes with freely available tools, which is why WEP has been superseded by WPA2/WPA3
Wi-Fi Security Challenges
Many Wi-Fi networks can be penetrated easily by intruders using sniffer programs to learn the network name and a valid client address (for example, a legitimate station's MAC address, which defeats address filtering) and then use them to access the resources of the network without authorization.
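The WEP weakness mentioned above is easy to show concretely. The following Python is an added example, not code from the original slides: it implements RC4 and WEP-style framing (3-byte IV in the clear, payload encrypted under IV || key) and then shows that two frames sharing an IV share a keystream, so one known plaintext (a predictable ARP packet, say) decrypts the other frame without the shared key ever being recovered. The key, the IV and both frame payloads are constructed for the demonstration, and the CRC-32 integrity value real WEP appends is left out because it does not affect the point.

```python
"""Added example (not from the original slides): the keystream-reuse flaw that
breaks WEP.  Each frame is RC4-encrypted under IV || shared_key with a 24-bit
IV sent in the clear; a repeated IV means a repeated keystream, so one known
plaintext for that IV decrypts every other frame carrying it.  The RC4 code,
key and frame contents are constructed for this demonstration.
"""
import math
from typing import Optional, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encrypting and decrypting are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                             # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style framing: 3-byte IV in the clear, then RC4(IV || key) over the payload.
    (Real WEP also appends a CRC-32 integrity value; omitted, it does not change the flaw.)"""
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    return iv + rc4(iv + shared_key, plaintext)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream(frame: bytes, known_plaintext: bytes) -> Tuple[bytes, bytes]:
    """Given one frame whose plaintext is known (e.g. a predictable ARP or DHCP
    packet), return (iv, keystream) for that IV: keystream = ciphertext XOR plaintext."""
    iv, body = frame[:3], frame[3:]
    return iv, xor_bytes(body, known_plaintext)


def decrypt_reused_iv(frame: bytes, iv: bytes, keystream: bytes) -> Optional[bytes]:
    """Decrypt another frame that reuses the same IV without knowing the shared key.
    Returns None if the IV differs or the frame is longer than the known keystream."""
    if frame[:3] != iv or len(frame) - 3 > len(keystream):
        return None
    return xor_bytes(frame[3:], keystream)


def expected_frames_before_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday bound: roughly sqrt(pi/2 * 2^n) random IVs before the first repeat
    (about 5,100 frames for WEP's 24-bit IV, i.e. minutes at most on a busy network)."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


def demo() -> Optional[bytes]:
    """Attacker captures two frames with the same IV and knows the first one's plaintext."""
    shared_key = bytes.fromhex("123456789abcdef01122334455")       # 104-bit key (constructed)
    iv = b"\x00\x00\x01"
    known = b"ARP request: who has 192.168.1.1?"                  # predictable frame (constructed)
    secret = b"GET /payroll.xlsx HTTP/1.1"                        # victim's traffic (constructed)
    frame_known = wep_encrypt(shared_key, iv, known)
    frame_secret = wep_encrypt(shared_key, iv, secret)
    iv_seen, keystream = recover_keystream(frame_known, known)   # the key is never needed
    return decrypt_reused_iv(frame_secret, iv_seen, keystream)
```

`demo()` returns the victim's plaintext. The practical attacks on WEP (FMS, PTW) go further and recover the shared key itself from weak-IV statistics, but this keystream reuse is the root of the problem and is why WPA2/WPA3 use per-frame nonces that never repeat under one key.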
Malicious Software: Viruses, Worms, Trojan Horses, and Spyware
• Malware
  ◦ Viruses: rogue software programs that attach themselves to other programs or data files in order to be executed
  ◦ Worms: independent programs that copy themselves from one computer to other computers over a network, with no host file and often no user action required
  ◦ Trojan horses: software that appears to be benign but then does something other than expected; not self-replicating, frequently the vehicle that delivers other malware
  ◦ Spyware: small programs that install themselves surreptitiously on computers to monitor the user's Web surfing activity and serve up advertising
  ◦ Key loggers: record every keystroke on the computer to steal software serial numbers and passwords, credentials that are then used to launch further Internet attacks
Hackers and Computer Crime
Hackers versus crackers: in popular usage a "hacker" is anyone who gains unauthorized access to a system; "cracker" is the term for a hacker with criminal intent
Activities include:
  System intrusion
  System damage
  Cybervandalism: intentional disruption, defacement, or destruction of a Web site or corporate information system
Spoofing
  ◦ Misrepresenting oneself by using fake e-mail addresses (forged sender headers) or masquerading as someone else
  ◦ Redirecting a Web link to an address different from the intended one, with the site masquerading as the intended destination
Sniffer
  ◦ Eavesdropping program that monitors information traveling over a network; on a shared medium or an open wireless network any unencrypted traffic is readable
  ◦ Enables attackers to steal proprietary information such as e-mail, company files, and so on (the same tools have a legitimate use in network troubleshooting)
Denial-of-service attacks (DoS)
  • Flooding a server or network with a large volume of false requests so that bandwidth, connection tables, or processing capacity are exhausted and legitimate users cannot be served
Distributed denial-of-service attacks (DDoS)
  • Use of numerous computers to launch a DoS; harder to filter because no single source stands out
Botnets
  • Networks of "zombie" PCs infiltrated by bot malware and remotely controlled; the usual source of DDoS traffic, spam, and click fraud
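The difference between a DoS flood and a botnet-driven DDoS shows up directly in the detection logic. The following Python is an added example, not code from the original slides: it parses Common Log Format access-log lines into fixed time windows, raises a "dos" alert when one source alone exceeds a per-source rate, and raises a "ddos" alert when the window's aggregate rate is exceeded across many sources even though no single source crosses the per-source limit. The log lines, addresses and thresholds are constructed for the example.

```python
"""Added example (not from the original slides): rate-based DoS/DDoS detection
over web-server access logs.  A single-source flood exceeds a per-client rate;
a botnet flood keeps every zombie under that rate, so the aggregate rate and
the number of distinct sources must be watched too.  Log lines, thresholds and
addresses are constructed for this example.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Common Log Format: 10.0.0.5 - - [14/Nov/2023:22:13:20 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "req": m.group("req"), "status": int(m.group("status"))}


def detect_floods(lines, window_s=10, per_source_max=50, aggregate_max=200, min_sources=20):
    """Bucket requests into fixed windows and return (window_start, kind, detail) alerts.

    kind == "dos":  one source alone exceeded per_source_max requests in a window.
    kind == "ddos": the window's total exceeded aggregate_max while being spread over
                    at least min_sources sources, none of which need exceed per_source_max.
    """
    by_window = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # malformed line: skip rather than crash the detector
        epoch = int(rec["ts"].timestamp())
        by_window[epoch - epoch % window_s].append(rec["ip"])

    alerts = []
    for start in sorted(by_window):
        ips = by_window[start]
        counts = Counter(ips)
        for ip, n in counts.most_common():
            if n <= per_source_max:
                break                     # most_common() is sorted descending
            alerts.append((start, "dos", f"{ip} sent {n} requests in {window_s}s"))
        if len(ips) > aggregate_max and len(counts) >= min_sources:
            top = counts.most_common(1)[0][1]
            alerts.append((start, "ddos",
                           f"{len(ips)} requests from {len(counts)} sources in {window_s}s "
                           f"(busiest source only {top})"))
    return alerts


def build_sample_log(base_epoch=1_700_000_000):
    """Constructed traffic: a quiet window, a single-source flood, then a 40-bot flood."""
    def fmt(ip, t):
        ts = datetime.fromtimestamp(t, timezone.utc).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET / HTTP/1.1" 200 512'

    lines = []
    for i in range(5):                                   # window 1: 5 clients, 2 requests each
        lines += [fmt(f"10.0.0.{i + 1}", base_epoch + i)] * 2
    lines += [fmt("203.0.113.7", base_epoch + 10 + k % 10) for k in range(80)]   # window 2: DoS
    for b in range(40):                                  # window 3: DDoS, each bot under the limit
        lines += [fmt(f"198.51.100.{b + 1}", base_epoch + 20 + k) for k in range(6)]
    lines.append("garbage line that is not a log record")   # detector must tolerate this
    return lines


def run_demo():
    """Run the detector over the constructed log; returns the list of alerts."""
    return detect_floods(build_sample_log())
```

`run_demo()` yields exactly two alerts: a "dos" for 203.0.113.7 in the second window and a "ddos" for the third, where 40 bots send 6 requests each. The fixed thresholds are for illustration; in production they are baselined per endpoint and the windows slide rather than tumble, but the two-signal structure (per-source rate plus aggregate rate over distinct sources) is what separates the two attack types.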
Computer crime
Defined as "any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution"
Computer may be the target of crime:
  Breaching confidentiality of protected computerized data
  Accessing a computer system without authority
Computer may be the instrument of crime:
  Theft of trade secrets
  Using e-mail for threats or harassment
• Identity theft
  Theft of personal information (social security number, driver's license, or credit card numbers) to impersonate someone else
• Phishing
  Setting up fake Web sites or sending e-mail messages that look like they come from legitimate businesses to ask users for confidential personal data; the visible link text usually names the real site while the link itself points elsewhere
• Evil twins
  Rogue wireless access points that pretend to offer trustworthy Wi-Fi connections to the Internet, often copying a legitimate network's SSID, so that victims' traffic passes through the attacker
• Pharming
  Redirects users to a bogus Web page even when the individual types the correct Web address into the browser, by tampering with name resolution (a poisoned hosts file or DNS resolver)
• Click fraud
  Occurs when an individual or computer program fraudulently clicks on an online ad without any intention of learning more about the advertiser or making a purchase
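Phishing, look-alike domains and pharming each leave a checkable trace. The following Python is an added example, not code from the original slides, and goes a little beyond the definitions above: it extracts links from an e-mail body and flags ones whose visible text names a different site than the link target, folds digit and Cyrillic look-alike characters (and punycode `xn--` hosts) back onto the brand they imitate, and checks a typed host name's resolved address against a known set as a pharming indicator. The trusted-brand list, the expected addresses and the sample e-mail are constructed for the example; a real product would use a full confusable table, a public-suffix list and certificate validation rather than fixed IP addresses.

```python
"""Added example (not from the original slides): simple checks for the
phishing, look-alike-domain and pharming tricks described above.  The brand
list, sample e-mail and expected addresses are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_BRANDS = {"paypal.com", "example-bank.com"}                 # constructed allow-list
EXPECTED_ADDRS = {"example-bank.com": {"192.0.2.10", "192.0.2.11"}}  # constructed address pins

# Characters commonly substituted for Latin letters: digits and Cyrillic homoglyphs.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l",
                             "\u0430": "a", "\u0435": "e", "\u043e": "o",
                             "\u0440": "p", "\u0441": "c"})


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host part of a URL or bare host name."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Last two labels: good enough for .com-style names, not a public-suffix list."""
    return ".".join(host.split(".")[-2:])


def normalize(host):
    """Decode punycode labels and fold confusable characters onto Latin letters."""
    if any(label.startswith("xn--") for label in host.split(".")):
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    return host.replace("rn", "m").replace("vv", "w").translate(CONFUSABLES)


def lookalike_of(host):
    """Return the trusted domain this host imitates, or None if it is genuine or unrelated."""
    if registrable(host) in TRUSTED_BRANDS:
        return None
    folded = registrable(normalize(host))
    return folded if folded in TRUSTED_BRANDS else None


def analyze_email_html(html):
    """Return (finding, subject, detail) tuples for suspicious links in an e-mail body."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        # Visible text that looks like a URL but points somewhere else is the classic phish.
        shown = host_of(text) if "." in text and " " not in text else None
        if shown and registrable(shown) != registrable(target):
            findings.append(("link-text-mismatch", shown, target))
        brand = lookalike_of(target)
        if brand:
            findings.append(("lookalike-domain", target, brand))
    return findings


def pharming_suspect(host, resolved_ip, expected=EXPECTED_ADDRS):
    """True when a pinned domain resolves to an address outside its known set."""
    domain = registrable(host)
    return domain in expected and resolved_ip not in expected[domain]


# Constructed sample: one digit-substitution domain, one Cyrillic-homoglyph IDN.
_IDN_HOST = "p\u0430ypal.com".encode("idna").decode("ascii")   # xn--... form of pаypal.com
SAMPLE_EMAIL = (
    '<p>Your account is limited. Verify at '
    '<a href="http://paypa1.com/login">https://www.paypal.com/</a></p>'
    '<p>or sign in at <a href="http://' + _IDN_HOST + '/">our secure site</a>.</p>'
)


def demo():
    """Run the checks on the constructed sample; returns (link findings, pharming flag)."""
    return analyze_email_html(SAMPLE_EMAIL), pharming_suspect("www.example-bank.com", "198.51.100.9")
```

The first link is caught twice (text says paypal.com, target is paypa1.com, and paypa1 folds to the brand); the second is caught only by the look-alike check, because its visible text is just words. The `rn`/`vv` folding will occasionally misfire on legitimate names such as "modern", which is why these heuristics score rather than block.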
Internal Threats: Employees
Security threats often originate inside an organization.
• Inside knowledge
  ◦ Sloppy security procedures
  ◦ User lack of knowledge
• Social engineering
  Tricking employees into revealing their passwords by pretending to be legitimate members of the company in need of information
Software Vulnerability
Commercial software contains flaws that create security vulnerabilities
• Hidden bugs (program code defects)
• Zero defects cannot be achieved because complete testing is not possible with large programs
• Flaws can open networks to intruders
Patches
• Vendors release small pieces of software to repair flaws.
• However, the amount of software in use can mean exploits are created faster than patches can be released and implemented; the interval between a flaw becoming public and the patch being deployed is when most exploitation happens, so an accurate software inventory and prompt patching matter as much as the patch itself
