MSIS-830 Unit 2 (ch02)

Chapter 2 discusses the critical need for information security in organizations, emphasizing that both management and IT are responsible for its implementation. It outlines various threats to information security, including malware, human error, and espionage, and highlights the importance of safeguarding data and technology assets. The chapter also addresses secure software development practices and common security principles to mitigate risks associated with software vulnerabilities.

Uploaded by sun.hope4

College of Computer Science & Engineering
Department of Information Systems

Information Systems Security

Chapter 2
Why Security is Needed
Learning Objectives

• Upon completion of this material, you should be able to:
– Demonstrate that organizations have a business need for information security
– Explain why a successful information security program is the responsibility of both an organization’s general management and IT management

2
Learning Objectives (cont’d.)

– Identify the threats posed to information security and the more common attacks associated with those threats, and differentiate threats to the information within systems from attacks against the information within systems
– Describe the issues facing software developers, as well as the most common errors made by developers, and explain how software development programs can create software that is more secure and reliable
3
Introduction

• Primary mission of information security is to ensure systems and contents stay the same
• If no threats existed, resources could be focused on improving systems, resulting in vast improvements in ease of use and usefulness
• Attacks on information systems are a daily occurrence
4
Business Needs First

• Information security performs four important functions for an organization:
– Protects its ability to function
– Enables safe operation of applications implemented on its IT systems
– Protects data the organization collects and uses
– Safeguards technology assets in use

5
Protecting the Functionality of an Organization

• Management (general and IT) is responsible for implementation
• Information security is both a management issue and a people issue
• Organization should address information security in terms of business impact and cost

6
Enabling the Safe Operation of Applications

• Organization needs environments that safeguard applications using IT systems
• Management must continue to oversee infrastructure once in place, not relegate it to the IT department

7
Protecting Data that Organizations Collect and Use

• Organization, without data, loses its record of transactions and/or ability to deliver value to customers
• Protecting data in motion and data at rest are both critical aspects of information security

8
Safeguarding Technology Assets in Organizations

• Organizations must have secure infrastructure services based on size and scope of enterprise
• Additional security services may be needed as organization grows
• More robust solutions may be needed to replace security programs the organization has outgrown

9
Threats

• Threat: an object, person, or other entity that represents a constant danger to an asset
• Management must be informed of the different threats facing the organization
• Overall security is improving

10
Table 2-1 Threats to Information Security

11
Compromises to Intellectual Property

• Intellectual property (IP): “ownership of ideas and control over the tangible or virtual representation of those ideas”
• The most common IP breaches involve software piracy
• Enforcement of copyright law has been attempted with technical security mechanisms

12
Deliberate Software Attacks

• Malicious software (malware) designed to damage, destroy, or deny service to target systems
• Includes:
– Viruses
– Worms
– Trojan horses
– Logic bombs
– Back door or trap door
– Polymorphic threats
– Virus and worm hoaxes
13
Viruses

• Computer viruses are segments of code that perform malicious actions
– This code behaves very much like a virus pathogen that attacks animals and plants by using the cell’s own replication machinery to propagate
– The code attaches itself to the existing program and takes control of that program’s access to the targeted computer
– The virus-controlled target program then carries out the virus’s plan by replicating itself into additional targeted systems
14
Viruses (cont’d.)

• A macro virus is embedded in the automatically executing macro code that is common in word processors, spreadsheets, and database applications
• A boot virus infects key operating system files located in a computer’s boot sector

15
Worm

• Worms are malicious programs that replicate themselves constantly without requiring another program to provide a safe environment for replication
• Worms can continue replicating themselves until they completely fill available resources, such as memory, hard drive space, and network bandwidth

16
Trojan Horses

• Trojan horses are software programs that hide their true nature and reveal their designed behavior only when activated
• Trojan horses are frequently disguised as helpful, interesting, or necessary pieces of software, such as readme.exe files often included with shareware or freeware packages

17
Trojan Horses

Figure 2-4 Trojan Horse Attack


18
Back door or trap door

• Virus or worm can have a payload that installs a back door or trap door component in a system
• This allows the attacker to access the system at will with special privileges

19
Polymorphic Threat

• A polymorphic threat changes over time, making it undetectable by techniques that are looking for preconfigured signatures
• These threats actually evolve, changing their size and appearance to elude detection by antivirus software programs, making detection more of a challenge

20
Virus Hoaxes

• As frustrating as viruses and worms are, perhaps more time and money are spent on resolving virus hoaxes
• Well-meaning people can disrupt the harmony and flow of an organization when they send e-mails warning of dangerous viruses that are fictitious

21
Espionage or Trespass

• Access of protected information by unauthorized individuals
• Competitive intelligence (legal) vs. industrial espionage (illegal)
• Shoulder surfing can occur anywhere a person accesses confidential information
• Controls let trespassers know they are encroaching on organization’s cyberspace
• Hackers use skill, cunning, or fraud to bypass controls protecting others’ information
22
Espionage or Trespass (cont’d.)

• Expert hacker
– Develops software scripts and program exploits
– Usually a master of many skills
• Several programming languages, networking protocols, and operating systems; also exhibits a mastery of the technical environment of the chosen targeted system
– Will often create attack software and share with others

23
Espionage or Trespass (cont’d.)

• Unskilled hacker
– Many more unskilled hackers than expert hackers
– Use expertly written software to exploit a system
• Novice hackers become script kiddies
– Hackers of limited skill who use expertly written software to exploit a system, but do not fully understand or appreciate the systems they hack

24
Espionage or Trespass (cont’d.)

• Other terms for system rule breakers:
– Cracker
• “cracks” or removes software protection designed to prevent unauthorized duplication
– Phreaker
• hacks the public telephone network

25
Forces of Nature

• Forces of nature are among the most dangerous threats
• Disrupt not only individual lives, but also storage, transmission, and use of information
• Organizations must implement controls to limit damage and prepare contingency plans for continued operations
26
Human Error or Failure

• Includes acts performed without malicious intent
• Causes include:
– Inexperience
– Improper training
– Incorrect assumptions
• Employees are among the greatest threats to an organization’s data

27
Human Error or Failure (cont’d.)

• Employee mistakes can easily lead to:
– Revelation of classified data
– Entry of erroneous data
– Accidental data deletion or modification
– Data storage in unprotected areas
– Failure to protect information
• Many of these threats can be prevented with controls

28
Information Extortion

• Attacker steals information from computer system and demands compensation for its return or nondisclosure
• Commonly done in credit card number theft

29
Missing, Inadequate, or Incomplete Policy, Planning, or Controls

• In policy or planning: can make organizations vulnerable to loss, damage, or disclosure of information assets
• In controls: can make an organization more likely to suffer losses when other threats lead to attacks

30
Sabotage or Vandalism

• Threats can range from petty vandalism to organized sabotage
• Web site defacing can erode consumer confidence, dropping sales and organization’s net worth
• Threat of hacktivist or cyberactivist operations rising
• Cyberterrorism: much more sinister form of hacking
31
Theft

• Illegal taking of another’s physical, electronic, or intellectual property
• Physical theft is controlled relatively easily
• Electronic theft is more complex problem; evidence of crime not readily apparent
– Organizations may not even know it has occurred

32
Technical Hardware Failures or Errors

• Occur when manufacturer distributes equipment containing flaws to users
• Can cause system to perform outside of expected parameters, resulting in unreliable or poor service
• Some errors are terminal:
– They result in the unrecoverable loss of the equipment
• Some errors are intermittent:
– They only periodically manifest themselves, resulting in faults that are not easily repeated
33
Technical Software Failures or Errors

• Purchased software that contains unrevealed faults
• Combinations of certain software and hardware can reveal new software bugs
• Entire Web sites dedicated to documenting bugs

34
Technological Obsolescence

• Antiquated/outdated infrastructure can lead to unreliable, untrustworthy systems
• Proper managerial planning should prevent technology obsolescence
• IT plays large role

35
Attacks

• Attacks
– Acts or actions that exploit a vulnerability (i.e., an identified weakness) in a controlled system
– Accomplished by a threat agent that damages or steals an organization’s information
• Types of attacks
– Malicious code: includes execution of viruses, worms, Trojan horses, and active Web scripts with intent to destroy or steal information
– Hoaxes: transmission of a virus hoax with a real virus attached
• more devious form of attack
36
Attacks (cont’d.)

• Types of attacks (cont’d.)
– Back door: gaining access to system or network using known or previously unknown/newly discovered access mechanism
– Password crack: attempting to reverse calculate a password
• Brute force: trying every possible combination of options of a password
• Dictionary: selects specific accounts to attack and uses commonly used passwords (i.e., the dictionary) to guide guesses
37
Attacks (cont’d.)

• Types of attacks (cont’d.)
– Denial-of-service (DoS): attacker sends large number of connection or information requests to a target
• Target system cannot handle successfully along with other, legitimate service requests
• May result in system crash or inability to perform ordinary functions
– Distributed denial-of-service (DDoS): coordinated stream of requests is launched against target from many locations simultaneously
38
DoS and DDoS

Figure 2-11 Denial-of-Service Attacks


39
Attacks (cont’d.)

• Types of attacks (cont’d.)
– Spoofing: technique used to gain unauthorized access; intruder assumes a trusted IP address
– Man-in-the-middle: attacker monitors network packets, modifies them, and inserts them back into network
• also known as a TCP hijacking attack

40
Spoofing

Figure 2-12 IP Spoofing


41
Man-in-the-Middle

Figure 2-13 Man-in-the-Middle Attack


42
Attacks (cont’d.)

• Types of attacks (cont’d.)
– Spam: unsolicited commercial e-mail; more a nuisance than an attack, though it is emerging as a vector for some attacks
– Mail bombing: also a DoS; attacker routes large quantities of e-mail to target

43
Attacks (cont’d.)

• Types of attacks (cont’d.)
– Sniffers: program or device that monitors data traveling over network; can be used both for legitimate purposes and for stealing information from a network
– Phishing: an attempt to gain personal/financial information from individual, usually by posing as legitimate entity

44
Attacks (cont’d.)

• Types of attacks (cont’d.)
– Pharming: redirection of legitimate Web traffic (e.g., browser requests) to illegitimate site for the purpose of obtaining private information
• May also exploit the Domain Name Server (DNS) by causing it to transform the legitimate host name into the invalid site’s IP address
– This form of pharming is also known as “DNS cache poisoning”
45
Attacks (cont’d.)

• Types of attacks (cont’d.)
– Social engineering: using social skills to convince people to reveal access credentials or other valuable information to attacker
• “People are the weakest link. You can have the best technology; firewalls, intrusion-detection systems, biometric devices ... and somebody can call an unsuspecting employee. That's all she wrote, baby. They got everything.” — Kevin Mitnick

46
Attacks (cont’d.)

• Types of attacks (cont’d.)
– Timing attack: relatively new; works by exploring contents of a Web browser’s cache to create malicious cookie
• The cookie can allow the designer to collect information on how to access password-protected sites

47
Secure Software Development

• Many information security issues discussed here are caused by software elements of system
• Development of software and systems is often accomplished using methodology such as Systems Development Life Cycle (SDLC)
• Many organizations recognize need for security objectives in SDLC and have included procedures to create more secure software
• This software development approach known as Software Assurance (SA)
48
Software Design Principles

• Good software development results in secure products that meet all design specifications
• Some commonplace security principles:
– Economy of mechanism: Keep the design as simple and small as possible
– Fail-safe defaults: Base access decisions on permission rather than exclusion
– Complete mediation: Every access to every object must be checked for authority
49
Software Design Principles (cont’d.)

• Some commonplace security principles (cont’d.):
– Open design: The design should not be secret, but rather depend on the possession of keys or passwords
– Separation of privilege: Where feasible, a protection mechanism should require two keys to unlock, rather than one
– Least privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job

50
Software Design Principles (cont’d.)

• Some commonplace security principles (cont’d.):
– Least common mechanism: Minimize mechanisms (or shared variables) common to more than one user and depended on by all users
– Psychological acceptability: It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly
51
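The principles on slides 49 to 51 are easiest to see in a small reference monitor. The following is an added example, not code from the chapter: a toy Policy class (hypothetical name) in which nothing is allowed unless explicitly granted (fail-safe default), every access goes through one check (complete mediation), grants name only the needed actions (least privilege), and a sensitive action needs a second approver (separation of privilege).

```python
"""Added example (not from the chapter): a toy reference monitor showing
fail-safe defaults, complete mediation, least privilege and separation of
privilege in code. Policy, grant and two_key_actions are hypothetical names."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    # Explicit grants only: (subject, object) -> set of permitted actions.
    grants: dict = field(default_factory=dict)
    # Actions that need a second, distinct approver (separation of privilege).
    two_key_actions: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def grant(self, subject, obj, *actions):
        """Least privilege: a grant names only the actions a job needs."""
        self.grants.setdefault((subject, obj), set()).update(actions)

    def is_allowed(self, subject, obj, action, approvers=()):
        """Complete mediation: every access decision passes through here.
        Fail-safe default: anything not explicitly granted is denied."""
        allowed = action in self.grants.get((subject, obj), set())
        if allowed and action in self.two_key_actions:
            # Two keys: some *other* subject who also holds the right must approve.
            allowed = any(a != subject and action in self.grants.get((a, obj), set())
                          for a in approvers)
        self.audit.append((subject, obj, action, allowed))
        return allowed

    def access(self, store, subject, obj, action, approvers=()):
        """The only path to the object store, so no access bypasses the check."""
        if not self.is_allowed(subject, obj, action, approvers):
            raise PermissionError(f"{subject} may not {action} {obj}")
        if action == "read":
            return store[obj]
        if action == "delete":
            return store.pop(obj)
        raise ValueError(f"unknown action {action!r}")


def demo():
    """Constructed scenario: one payroll file, two authorised staff, one outsider."""
    store = {"payroll.csv": "salary data"}
    p = Policy(two_key_actions={"delete"})
    p.grant("alice", "payroll.csv", "read", "delete")
    p.grant("bob", "payroll.csv", "delete")  # bob may approve a delete but not read
    results = {
        "alice_read": p.is_allowed("alice", "payroll.csv", "read"),
        "bob_read": p.is_allowed("bob", "payroll.csv", "read"),
        "carol_read": p.is_allowed("carol", "payroll.csv", "read"),  # no grant at all
        "alice_delete_alone": p.is_allowed("alice", "payroll.csv", "delete"),
        "alice_delete_self_approved": p.is_allowed("alice", "payroll.csv", "delete", ("alice",)),
        "alice_delete_with_bob": p.is_allowed("alice", "payroll.csv", "delete", ("bob",)),
        "carol_delete_with_bob": p.is_allowed("carol", "payroll.csv", "delete", ("bob",)),
        "alice_access": p.access(store, "alice", "payroll.csv", "read"),
    }
    try:
        p.access(store, "carol", "payroll.csv", "read")
        results["carol_access_blocked"] = False
    except PermissionError:
        results["carol_access_blocked"] = True
    # Every decision, allowed or not, is in the audit trail.
    results["denied_decisions"] = sum(1 for *_, ok in p.audit if not ok)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```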
Software Development Security Problems

• Problem areas in software development:
– Buffer overruns
– Command injection
– Cross-site scripting
– Failure to handle errors
– Failure to protect network traffic
– Failure to store and protect data securely
– Failure to use cryptographically strong random numbers
52
Software Development Security Problems (cont’d.)

• Problem areas in software development (cont’d.):
– Format string problems
– Neglecting change control
– Improper file access
– Improper use of SSL
– Information leakage
– Integer bugs (overflows/underflows)
– Race conditions
– SQL injection
53
Software Development Security Problems (cont’d.)

• Problem areas in software development (cont’d.):
– Trusting network address resolution
– Unauthenticated key exchange
– Use of magic URLs and hidden forms
– Use of weak password-based systems
– Poor usability

54
Buffer Overruns

• Buffers are used when there is a mismatch in the processing rates between two entities involved in a communication process
• A buffer overrun (or buffer overflow) is an application error that occurs when more data is sent to a program buffer than it is designed to handle
• During a buffer overrun, an attacker can make the target system execute instructions, or the attacker can take advantage of some other unintended consequence of the failure
55
Command Injection

• Command injection problems occur when user input is passed directly to a compiler or interpreter
• The underlying issue is the developer’s failure to ensure that command input is validated before it is used in the program

56
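As an added example (not the chapter's code), the two halves of the slide side by side: the shell-string pattern in which user input reaches the interpreter unvalidated, and an argument-vector form with an allow-list check. The hostname pattern and the function names are this example's own choices; the sample input is constructed.

```python
"""Added example (not the chapter's code): the shell-string pattern behind
command injection, beside an argv list with allow-list validation. The
hostname regex and function names are this example's own choices."""
import re
import subprocess

# Allow-list: DNS labels of letters, digits and hyphens, joined by dots.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def vulnerable_command_line(host):
    """What subprocess.run(..., shell=True) would hand to /bin/sh. The shell,
    not ping, parses this string, so shell metacharacters in `host` become
    further commands. Returned here for inspection rather than executed."""
    return f"ping -c 1 {host}"


def is_valid_hostname(host):
    """The validation step the slide says is missing: accept only a plain
    hostname. A leading '-' is rejected too, so the value can never be
    mistaken for a ping option even inside an argv list."""
    return len(host) <= 253 and HOSTNAME_RE.match(host) is not None


def safe_argv(host):
    """Argument-vector form: no shell is involved, so `host` is exactly one
    argument to ping; validation on top is defence in depth."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host):
    """Executes the validated argv without a shell (needs a network; the
    tests do not call it)."""
    return subprocess.run(safe_argv(host), shell=False,
                          capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed sample inputs: one benign, one carrying a second command.
    for sample in ("example.com", "example.com; id"):
        print(repr(vulnerable_command_line(sample)), is_valid_hostname(sample))
```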
Cross-Site Scripting

• Occurs when an application running on a Web server gathers data from a user in order to steal it
• An attacker can use weaknesses of the Web server environment to insert commands into a user’s browser session so that users apparently connected to a friendly Web server are, in fact, sending information to a hostile server
57
Failure to Handle Errors

• Can cause a variety of unexpected system behaviors
• Programmers are expected to anticipate problems and prepare their application code to handle them

58
Failure to Protect Network Traffic

• With the growing popularity of wireless networking comes a corresponding increase in the risk that wirelessly transmitted data will be intercepted
• Most wireless networks are installed and operated with little or no protection for the information that is broadcast between the client and the network wireless access point
• Without appropriate encryption (such as that afforded by WPA), attackers can intercept and view your data
• Traffic on a wired network is also vulnerable to interception in some situations

59
Failure to Store and Protect Data Securely

• Programmers are responsible for integrating access controls into, and keeping secret information out of, programs
• Access controls regulate who, what, when, where and how individuals and systems interact with data

60
Failure to Properly Implement Strong Access Controls

• Failure to properly implement sufficiently strong access controls makes the data vulnerable, while overly strict access controls hinder business users in the performance of their duties
• The integration of secret information can put that information at risk of disclosure
– Such as the “hard coding” of passwords, encryption keys, or other sensitive information
61
Failure to Use Cryptographically Strong Random Numbers

• Many computer systems use random number generators
• These “random” number generators use a mathematical algorithm, based on a seed value and another system component (such as the computer clock), to simulate a random number
• Those who understand the workings of such a “random” number generator can predict particular values at particular times
62
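The slide's point can be checked directly. This added example (not from the chapter) issues a token from a PRNG seeded with the clock, shows that knowing the algorithm and roughly when the token was issued is enough to regenerate it, and contrasts a token from the OS CSPRNG; weak_token, seed_for_weak_token and the time values are this example's own.

```python
"""Added example (not from the chapter): a token drawn from a clock-seeded PRNG
can be regenerated by anyone who knows the algorithm and roughly when it was
issued; a CSPRNG token has no seed to recover. Function names are this
example's own; the issue time used in the tests is a constructed value."""
import random
import secrets

HEX = "0123456789abcdef"


def weak_token(issue_time_seconds):
    """The pattern the slide warns about: Mersenne Twister seeded with the
    integer clock value (the equivalent of random.seed(int(time.time())))."""
    rng = random.Random(issue_time_seconds)
    return "".join(rng.choice(HEX) for _ in range(16))


def seed_for_weak_token(observed, approx_time_seconds, window_seconds=300):
    """Defender's check: if some seed within +/- window reproduces the observed
    token, the generator is predictable. Returns that seed, else None."""
    for seed in range(approx_time_seconds - window_seconds,
                      approx_time_seconds + window_seconds + 1):
        if weak_token(seed) == observed:
            return seed
    return None


def is_predictable(token, approx_time_seconds):
    return seed_for_weak_token(token, approx_time_seconds) is not None


def strong_token():
    """16 hex characters from the OS CSPRNG (secrets); there is no seed to guess."""
    return secrets.token_hex(8)


if __name__ == "__main__":
    issued = 1_700_000_000  # constructed issue time, in seconds
    t = weak_token(issued)
    print("weak token", t, "predictable:", is_predictable(t, issued + 42))
    print("strong token", strong_token(), "predictable:",
          is_predictable(strong_token(), issued))
```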
Format String Problems

• Computer languages are often equipped with built-in capabilities to reformat data while they’re outputting it
• The formatting instructions are usually written as a “format string”
• An attacker may embed characters meaningful as formatting directives into malicious input
• If this input is then interpreted by the program as formatting directives, the attacker may be able to access information or overwrite very targeted portions of the program’s stack with data of the attacker’s choosing
63
Neglecting Change Control

• Developers use a process known as change control to ensure that the working system delivered to users represents the intent of the developers
• Change control processes ensure that developers do not work at cross purposes by altering the same programs or parts of programs at the same time
• They also ensure that only authorized changes are introduced and that all changes are adequately tested before being released

64
Improper File Access

• If attackers change the expected location of a file, by intercepting and modifying a program code call, they can force a program to use their own files rather than the files the program is supposed to use
• The potential for damage or disclosure is extreme, so it is critical to protect the location of the files, as well as the method and communications channels by which these files are accessed
65
Improper Use of SSL

• Programmers use Secure Sockets Layer (SSL) to transfer sensitive data such as credit card numbers and other personal information between a client and server
• SSL and its successor, Transport Layer Security (TLS), both need certificate validation to be truly secure
• Failure to use secure HTTP, to validate the Certificate Authority and then validate the certificate itself, or to validate the information against a Certificate Revocation List (CRL), can compromise the security of SSL traffic
66
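The three validation failures the slide lists map onto a few client settings. As an added example (not from the chapter), here is a Python ssl client context with those checks switched off beside a hardened one; describe() is this example's helper for inspecting a context without opening a connection.

```python
"""Added example (not from the chapter): a TLS client context with the checks
the slide lists switched off, beside a hardened one. describe() is this
example's helper for inspecting a context without connecting anywhere."""
import ssl


def weak_context():
    """CA-chain and hostname validation disabled: any certificate, including a
    self-signed one presented by a man-in-the-middle, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(crl_pem_path=None):
    """Validates the CA chain and the hostname, pins a floor on the protocol
    version and, when a CRL file is supplied, rejects revoked leaf
    certificates."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if crl_pem_path:
        # CRLs are loaded through the same call as CA certificates.
        ctx.load_verify_locations(cafile=crl_pem_path)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def describe(ctx):
    """Summarise the settings that correspond to the slide's three failures."""
    return {
        "validates_ca_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "validates_hostname": bool(ctx.check_hostname),
        "checks_crl": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF),
        "min_tls": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    print("weak    ", describe(weak_context()))
    print("hardened", describe(hardened_context()))
```

Without a CRL file the hardened context still validates chain and hostname but cannot detect revocation, which is the CRL failure the slide names.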
Information Leakage

• One of the most common methods of obtaining inside and classified information is directly or indirectly from an individual, usually an employee
• By warning employees against disclosing information, organizations can protect the secrecy of their operation

67
Integer Bugs

• Integer bugs (overflows/underflows)
• Although paper-and-pencil can deal with arbitrary numbers of digits, the binary representations used by computers are of a particular fixed length
• Integer bugs are usually exploited indirectly; that is, triggering an integer bug enables an attacker to corrupt other areas of memory, gaining control of an application
68
Race Condition

• A race condition is the failure of a program that occurs when an unexpected ordering of events in the execution of the program results in a conflict over access to the same system resource

69
SQL Injection

• Occurs when developers fail to properly validate user input before using it to query a relational database
• The possible effects of the ability to “inject” SQL of the attacker’s choosing into the program are not just limited to improper access to information, but could potentially allow an attacker to drop tables or even shut down the database
70
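As an added example (not the chapter's code), the string-built query the slide describes beside a parameterised one, run against a constructed in-memory SQLite table so the difference is observable; the table, rows and the tautology input are all constructed for this example.

```python
"""Added example (not the chapter's code): user input spliced into SQL text
versus a parameterised query, against a constructed in-memory SQLite table."""
import sqlite3

# Constructed input: closes the quoted literal and adds a condition that is
# always true, which is the classic way unvalidated input changes query logic.
SAMPLE_INJECTED_INPUT = "x' OR '1'='1"


def make_db():
    """Constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", "admin"),
        ("bob", "bob@example.com", "staff"),
    ])
    return conn


def find_user_vulnerable(conn, name):
    """The input becomes part of the query's grammar, not just a value."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Parameterised query: the driver sends the value separately, so it can
    only ever be compared with the column, never parsed as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def table_names(conn):
    """Lets a reader confirm the schema is untouched after each lookup."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_user_vulnerable(db, SAMPLE_INJECTED_INPUT))
    print("safe:      ", find_user_safe(db, SAMPLE_INJECTED_INPUT))
```

Python's sqlite3 refuses more than one statement per execute() call, so the table-dropping outcome the slide mentions would need an API that runs scripts; the logic bypass above is the same root cause.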
Trusting Network Address Resolution

• Domain Name Service (DNS) is a function of the World Wide Web that converts a URL into the IP address of the Web server host
• DNS cache poisoning involves compromising a DNS server and then changing the valid IP address associated with a domain name to one which the attacker chooses, usually a fake Web site designed to obtain personal information, or one that accrues some sort of benefit to the attacker
– For example, redirecting shoppers from a competitor’s Web site

71
Trusting Network Address Resolution (cont’d.)

• The DNS system relies on a process of automated updates that can be exploited
• Attackers most commonly compromise segments of the DNS by either attacking the name of the name server and substituting their own DNS primary name server or by responding before an actual DNS can

72
Unauthenticated Key Exchange

• One of the biggest challenges in private key systems, which involve two users sharing the same key, is the need to get the key to the other party securely
• An attacker can physically intercept a key in transit or intercept it digitally
• Interception online can be accomplished by writing a variant of a public key system and placing it out as “freeware” or by corrupting or intercepting the function of someone else’s public key encryption system, perhaps by posing as a public key repository

73
Magic URLs and Hidden Forms

• Because HTTP is a stateless protocol and computer programs on either end of the communication channel cannot rely on guaranteed delivery of any message, it is difficult for software developers to track a user’s exchanges with a Web site over multiple interactions
• Too often, sensitive state information is simply included in a “magic” URL (e.g., the authentication ID is passed as a parameter in the URL for the exchanges that will follow) or included in hidden form fields on the HTML page
• If this information is stored as plain text, an attacker can harvest the information from a magic URL as it travels across the network or use scripts on the client to modify information in hidden form fields

74
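The modification half of the slide's last bullet has a standard countermeasure: state sent to the client carries a server-keyed HMAC, so a value edited by a client-side script no longer verifies. The following is an added example, not from the chapter; sign_state, verify_state, client_side_edit and the key are this example's own, and the key would live only on the server.

```python
"""Added example (not from the chapter): hidden-form or URL state protected by
an HMAC so client-side modification is detected. Function names and the demo
key are this example's own; the key must exist only on the server."""
import base64
import hashlib
import hmac
import json


def _encode(state):
    return base64.urlsafe_b64encode(
        json.dumps(state, sort_keys=True).encode()).decode()


def sign_state(state, key):
    """Token = base64(state) '.' HMAC-SHA256(key, base64(state)).
    This gives integrity only: the state stays readable, so secrets such as
    an authentication ID still belong in a server-side session, not here."""
    payload = _encode(state)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_state(token, key):
    """Returns the state if the tag matches, else None. compare_digest keeps
    the comparison constant-time so the tag does not leak through timing."""
    payload, sep, tag = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def client_side_edit(token, new_state):
    """What a script in the browser can do to a hidden field: replace the
    visible state but keep the old tag, since it cannot compute a new one."""
    _, _, tag = token.rpartition(".")
    return f"{_encode(new_state)}.{tag}"


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"
    token = sign_state({"cart_id": 17, "price_cents": 4999}, key)
    print("genuine :", verify_state(token, key))
    print("edited  :", verify_state(
        client_side_edit(token, {"cart_id": 17, "price_cents": 1}), key))
```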
Use of Weak Password-Based Systems

• Failure to require sufficient password strength and to control incorrect password entry is another severe security issue
• Password policy can specify the number and type of characters, frequency of mandatory changes, and reusability of old passwords
• The number of incorrect entries that can be submitted by a user can also be regulated to further improve the level of protection
• The strength of a password directly impacts its ability to withstand a brute force attack
• Using nonstandard password components (like the 8.3 rule: at least eight characters, with at least one letter, number and non-alphanumeric character) can greatly enhance the strength of the password
75
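The two controls on this slide, a composition/reuse policy and a limit on incorrect entries, are short to implement. This is an added example, not the chapter's code: a checker for the 8.3 rule with reuse detection, and a LoginThrottle (hypothetical name) that locks an account after repeated failures; the thresholds are this example's choices, and the sha256 stand-in marks where a salted, slow password hash belongs.

```python
"""Added example (not the chapter's code): the slide's 8.3 rule plus reuse
control, and a failed-attempt throttle. Thresholds are this example's own."""
import hashlib
from dataclasses import dataclass, field


def password_hash(password):
    """Stand-in for history storage; a real system keeps a salted, slow hash
    (e.g. scrypt or bcrypt), never sha256 alone and never plaintext."""
    return hashlib.sha256(password.encode()).hexdigest()


def policy_violations(password, previous_hashes=(), min_len=8):
    """8.3 rule: at least eight characters with at least one letter, one digit
    and one non-alphanumeric character, plus no reuse of an earlier password.
    Returns the list of failed requirements (empty means compliant)."""
    problems = []
    if len(password) < min_len:
        problems.append("too short")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no non-alphanumeric character")
    if password_hash(password) in previous_hashes:
        problems.append("reused")
    return problems


@dataclass
class LoginThrottle:
    """Regulates incorrect entries: after max_failures the account is locked
    for lockout_seconds, so brute-force and dictionary guessing stall."""
    max_failures: int = 5
    lockout_seconds: int = 900
    failures: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)

    def attempt(self, user, password_ok, now):
        """`now` is a clock value in seconds, passed in so the logic is testable."""
        if self.locked_until.get(user, 0) > now:
            return "locked"  # same answer whether or not the password was right
        if password_ok:
            self.failures.pop(user, None)
            return "ok"
        count = self.failures.get(user, 0) + 1
        if count >= self.max_failures:
            self.failures.pop(user, None)
            self.locked_until[user] = now + self.lockout_seconds
            return "locked"
        self.failures[user] = count
        return "denied"


if __name__ == "__main__":
    print(policy_violations("password"))
    t = LoginThrottle(max_failures=3, lockout_seconds=60)
    print([t.attempt("u", False, s) for s in (0, 1, 2)], t.attempt("u", True, 10))
```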
Poor Usability

• Employees prefer doing things the easy way, regardless of whether the easy way is the “official way” or an “unofficial way”
• The only way to address this issue is to only provide one way: the secure way
• Integrating security and usability, adding training and awareness, and ensuring solid controls all contribute to the security of information
• Allowing users to default to easier, more usable solutions will inevitably lead to loss

76
