Chapter 2

Computer Threat
Contents
Malicious code

Class of Attacks

Program flaws

Controls to protect against program flaws in execution

Program Security Defenses

Revision Questions

 Explain the following

1.Viruses
2.Trojan horses
3.Worms
4.Spy-wares
 Class of attack
 Attacks on computer systems and networks can be categorized

into different classes based on their objectives and techniques.

 Here are some common classes of attacks:

 Reconnaissance

 Access

 Denial of Service, etc.

 Reconnaissance Attacks

 These are information-gathering activities where attackers collect

data about a target system, network, or organization to identify

vulnerabilities and plan further attacks.

 Examples:
 Port scanning

 Network mapping

 Social engineering (e.g., phishing for information)

 Prevention
 Use firewalls and intrusion detection
systems (IDS).
 Limit public exposure of sensitive
information.
 Monitor and log suspicious activities.
 Tools used for reconnaissance attacks
 Nmap- for scanning network
 Shodan- for identifying internet connected
devises
 Access Attacks
 These attacks aim to gain unauthorized access to systems,
networks, or data.
 Examples:
 Password cracking (brute (physical) force, dictionary attacks)
 Exploiting(taking advantage) software vulnerabilities (e.g., SQL
injection, buffer overflow)
 Session hijacking (capturing)
 Man-in-the-middle (MITM) attacks
 Purpose: To steal, modify, or destroy data, or to gain control over
systems.
 Prevention:

 Implement strong authentication mechanisms (e.g., multi-factor

authentication).
 MFA, also known as two-step verification, adds an extra layer of security by
requiring users to prove their identity in multiple ways

 Regularly patch and update software.

 Use encryption for sensitive data.

 Denial of Service (DoS) Attacks
 These attacks aim to disrupt the availability of a system, network, or service, making it

inaccessible to legitimate (authorized) users.

 Examples:

 Flooding a server with traffic (e.g., SYN flood, UDP flood)

 Exploiting or taking Advantages of system vulnerabilities(ድክመቶች ) to crash a system

 Distributed Denial of Service (DDoS) attacks (using multiple systems to overwhelm the target)

 A Distributed Denial of Service (DDoS) attack is a cyberattack where multiple

compromised systems (a "botnet") flood a target with traffic, overwhelming its resources

and making it unavailable to legitimate users.

 Purpose: To cause downtime, financial loss, or reputational damage.

Prevention:

 Use DoS protection tools and services (e.g., firewalls,

CDNs).
 Implement rate limiting and traffic filtering.

 Monitor network traffic for unusual patterns.

Program flaws

Buffer overflows

Time-of-check to time-of-use flaws

Incomplete mediation
 Program flows

 Program flaws, also known as software vulnerabilities, are

weaknesses.
 This weakness can be in the design, implementation, or
configuration of software
 That can be exploited by attackers to compromise the security or
functionality of a system.
 Buffer Overflows
 A buffer overflow occurs when a program writes more data to a buffer (a fixed-size block

of memory) than it can hold, causing the excess data to overwrite adjacent memory
locations.

 Impact:

 Can crash the program.

 May allow attackers to execute arbitrary code, escalate privileges, or gain unauthorized access

to the system.

 Common Causes:

 Lack of bounds checking when writing to buffers.

 Use of unsafe functions like gets(), strcpy(), and sprintf() in C/C++.

 Prevention

 Use safer alternatives like strncpy() or snprintf().

 Implement bounds checking.

 Use modern programming languages with built-in memory

safety (e.g., Rust, Python).

 Enable compiler protections.

 Time-of-Check to Time-of-Use (TOCTOU) Flaws
 A TOCTOU flaw occurs when the state of a resource (e.g., a file) changes between the time it is
checked and the time it is used, leading to unexpected behavior.
 It is a type of software vulnerability, or race condition, where a system checks the state of a resource, and
then, before using that resource, the resource's state is changed by an attacker, leading to unexpected behavior
or security breaches.

 Impact:

 Can result in race conditions, where an attacker exploits the timing gap to manipulate the resource.

 May allow privilege escalation or unauthorized access.

 Common Causes:

 Lack of synchronization between checking and using a resource.

 Prevention

 Use atomic operations to ensure consistency between checking

and using a resource.
 Implement proper locking mechanisms.

 Validate resource states immediately before use.

 Incomplete Mediation
 Incomplete mediation occurs when a program fails to fully validate or enforce
access controls, allowing unauthorized actions or data manipulation.
 Impact:
 Can lead to unauthorized access, data breaches, or privilege escalation.

 Attackers may bypass security checks or manipulate inputs.

 Common Causes:
 Relying on client-side validation without server-side enforcement.

 Failing to validate all inputs or parameters.

 Assuming that users will not tamper with data.

Cont.
Examples:
 A web application allows users to change the price of an item by
modifying hidden form fields.
 An API does not verify if a user has permission to access a
resource before processing the request.
Prevention:
 Implement server-side validation for all inputs and actions.
 Use role-based access control (RBAC) to enforce permissions.
 Validate and sanitize all user inputs to prevent injection attacks.
Controls to protect against program flaws in execution

 Operating system support and administrative controls

 Operating system support and administrative controls

 To prevent program flaws from being exploited during

execution, both operating system (OS) support and
administrative controls play a crucial role.
 These controls help safeguard against vulnerabilities such as
buffer overflows, race conditions, memory leaks, and code
injections.
 Operating System Support Controls
 Modern operating systems provide built-in mechanisms to prevent
execution flaws and mitigate security risks.

1. Memory Protection Mechanisms 2. Process and Execution Controls

 Address Space Layout Randomization
(ASLR)Randomizes memory addresses of
executables, libraries, and stacks to make buffer
overflow attacks difficult.
 Data Execution Prevention (DEP) Prevents
execution of code in non-executable memory
regions, blocking malware exploits.
 Process Isolation & Sandboxing
Prevents one process from interfering with
another (e.g., Chrome’s multi-process
sandboxing).
User Mode vs Kernel Mode Execution
Ensures only essential system processes run in
privileged kernel mode.
 Administrative Controls

1. Secure Software Development Practices

 Code Reviews & Testing

 Conducts security-focused code reviews and static analysis (e.g., SonarQube,

Coverity).

 Input Validation & Error Handling Prevents injection attacks by sanitizing

user inputs.

 Patch Management & Software Updates Regularly updates OS and

applications to fix execution vulnerabilities.
 Cont.

2. Least Privilege Enforcement

 Role-Based Access Control (RBAC)
 Limits program execution to authorized users and roles.
 Privilege Separation
 Runs applications with the minimum necessary permissions to reduce exploit risks.

3. Security Policies and Incident Response

 Security Awareness Training
 Educates users about safe execution practices (e.g., avoiding unknown programs).
 Intrusion Detection & Response Plans
 Ensures quick action in case of execution-related exploits.
 Program Security Defenses
 These are practices and processes applied during development to ensure secure,
reliable, and maintainable software.

1. Secure Software Development Lifecycle (SDLC)

 Integrate security into every phase of development (requirements, design, coding,
testing, deployment).
 Models:

 Waterfall: Sequential phases with security checkpoints.

 Agile/DevSecOps: Continuous security integration in iterative cycles.

 Shift-Left: Address security early in development (e.g., threat modeling during design).
 Cont.

Secure Coding Standards

 Follow guidelines.
 Avoid unsafe functions (e.g., strcpy in C/C++).
 Validate inputs, sanitize outputs, and enforce least privilege.

Access Control & Authentication

 Implement role-based access control (RBAC).
 Use strong authentication (e.g., multi-factor authentication).
 Database Management system Security
Access Control
 Authentication:

 Enforce strong passwords and multi-factor authentication (MFA) for database users.

 Use centralized identity providers (e.g. Active Directory) for user management.

 Authorization:

 Apply the Principle of Least Privilege: Grant users only the permissions they need.

 Use Role-Based Access Control (RBAC) to manage permissions via roles (e.g., admin, read-

only).
 Encryption

 Data at Rest:
 Encrypt database files, backups, and storage media using AES-
256 or TDE (Transparent Data Encryption).
 Data in Transit:
 Use TLS/SSL to encrypt communication between clients and
the database.
 Column-Level Encryption:
 Encrypt sensitive fields (e.g., credit card numbers, SSNs)
individually.
 Backup and Recovery
 Regular Backups:
 Schedule automated backups and store them securely (offsite or in immutable
storage).

 Disaster Recovery Plan:

 Test backup restoration procedures to ensure data availability during
ransomware or hardware failures.

 Data Masking/Redaction:
 Anonymize sensitive data in non-production environments (e.g., test
databases).
Any Questions