SlideShare a Scribd company logo

chap-1 : Vulnerabilities in Information Systems

Download as PPTX, PDF
K
KashfUlHuda1

Introduction to Cyber Security. Chapter #1. Vulnerabilities in Information Systems. What is a vulnerability? Cyberspace: From terra incognita to terra nullius. Cyberspace performance expectations. Measuring vulnerabilities. CVSS XCCDF OVAL Avoiding vulnerabilities through secure coding

Education
1 of 34
Cyber Security Prepared By: Ms Kashf Ul Huda
Chap#1: Vulnerabilities in Information System Recommended Book: Cyberspace and Cybersecurity
What is vulnerability? • Vulnerability in any system is the result of an intentional or unintentional omission or of an inadvertent design mistake that directly or indirectly leads to a compromise in the system’s availability, integrity, or confidentiality. • Hidden in • Information access security • Computer and storage security • Communication security • Operational and physical security
What is vulnerability? • Components of information system • People • hardware • Software • Reliability vs vulnerability • Quantify the abstract concept of vulnerability • The aim is to express the perceived level of security in a way that is measurable, standardized, and understood and to improve “the measurability of security through enumerating baseline security data, providing standardized languages as means for accurately communicating the information, and encouraging the sharing of the information with users by developing repositories
Authentication • Vulnerabilities can be hidden in data, code, and most often in processes that inadvertently allow unauthorized access • Security at both user and server end. • User end authentication: • OTP • Biometrics • Questionnaires • User device identification numbers (MAC, IMEI, manufacturer’s serial number)
MAC
International Mobile Equipment Identity (IMEI)
Authentication • Server-side authentication: • Certificates • IP restrictions • Data encapsulations • Data in transit • Hash codes (CRC) • Private/ Pubic key encryption mechanism
When vulnerabilities originate? • Firewall penetration • Trojan horse attack • Decentralization • Static resource allocation • During system upgradation • Being adapted to new environment
Measuring Vulnerabilities • Security Content Automation Protocol (SCAP) • Used for standardization classification and assessment of security content in software sysetms. • Standardize the way security vulnerability and configuration information is identified and catalogued. • Developed by NIST
Components of SCAP • Common vulnerabilities and exposure (CVE) • Common configuration and enumerator (CCE) • Common platform enumerator (CPE) • Common vulnerability scoring system (CVSS) • Extensible configuration checklist description format (XCCDF) • Open vulnerability and assessment language (OVAL) Note: the above standards comprise a very powerful infrastructure for information system vulnerability assessment and reporting.
Components of SCAP
Additional Components of SCAP
Avoiding vulnerabilities through Secure Coding • Old programming culture • Minimum number of lines • Executable in a minimum amount of time • Memory and processor time were valuable assets • Fault tolerance for data integrity. • No extra code for security as system were stand-alone and physically isolated. • Neither memory space nor processing speed seem to be the programming constraint anymore. • High speed total interconnectivity
Avoiding vulnerabilities through Secure Coding • vulnerabilities can be minimized by segmenting the code and the data into resident and transient sections. • Call the data and application only that is needed rather than bringing the entire inventory of application. • Minimize the impact of malware intrusion. • Experts openly say: “The Internet is a hostile environment, so you must . . . [be able to] withstand attack[s to survive,” and it is often referred to as the Wild Wild Web, WWW.
Avoiding vulnerabilities through Secure Coding • Design web with security from hostile attacks • Move from minimal code to minimal vulnerability. • Concepts of s/w quality and s/w security have been embedded. • Spend time in designing secure apps than costly development patches and bad publicity etc. • An increasing trend is for web applications to come with their own firewalls rather than exclusively relying on those of the hosting system.
Avoiding vulnerabilities through Secure Coding • Cost of fixing vulnerability • Very high from five to seven digit dollar • Depend on how deep in design the vulnerability exists. • During the fixing, resources will have to be taken away from other assignments to attend to this matter in a very urgent way.
Steps necessary to rectify a software vulnerability
Steps necessary to rectify a software vulnerability 1. Location of the origin of the vulnerability 2. Design of a patch that will strengthen the code and eliminate the vulnerability 3. Application and testing of the patch 4. Confirmation that there are no side effects 5. Drafting of patch documentation 6. Preparation of a patch distribution plan to all affected clients 7. Patch installation 8. Confirmation of the effectiveness of the patch; public relations campaign to offset prior negative publicity
Most frequent vulnerabilities • Buffer overflow • Arithmetic overflow • Format string attacks • Command injections • Cross-site scripting (XSS) • SQL injections • Insecure direct object reference
Most frequent vulnerabilities • Insecure storage • Weak cryptography • Race conditions
Avoiding vulnerabilities through Secure Coding • the software designer’s mindset must have two parallel tracks • functionality and security • with security being a mechanism that reveals and subsequently blocks intrusions. • Such security mechanism should be robust and well designed and should never be replaced by some data obscurity scheme that attempts to outsmart the attacker. • The designer must also think of the user convenience and provide a security mechanism that poses no hindrance to the normal operations, being as transparent to the user as possible.
Mistakes can be good • Learn from mistakes. • Making a mistake again and again is foolish. • Assign privilege to the extent where it is needed. • Make list of resources and their permissions (read, write, execute, create , delete) at the time of installation. • This way, should a malware install itself in the application, the potential damage will be minimal, and the malware will not be able to roam inside the system • when a computer is a single user, it should not necessarily operate in the administrator mode, but in the user mode.
Threat Classification • Any circumstance or event that can negatively impact assets • Basic types of threats • Illegal data change • Illegal data access • Illegal obstruction of data access Information security researchers at Microsoft broadly classified all threats in six categories named as “STRIDE”
Table 1.1 Information system Threats
Table 1.1 Information system Threats
Threat Modeling Process 1.Define what constitutes the information system in question. That is, determine the functional and geographical borders of what we refer to as being our system. Beyond what point is it not our responsibility or liability? 2. Now that we have quantified our system, we attempt to identify what we consider as being the threats that are based on internal or external vulnerabilities. The STRIDE categories, mentioned previously, can serve as a starting point to threats classification.
Threat Modeling Process 3. Recognize which of the threats, in your context of operations, constitute absolute danger that may lead to a catastrophic impact on the system. Define the modes under which such threats can become successful attacks. 4. Develop defense options for each and every recognized threat, and rank the considered defense mechanisms based on effectiveness and demand of resources. 5. Select optimum approaches to threat eliminations, balancing effectiveness, probability of occurrence, severity of occurrence, and solution development cost.
Threat Modeling Process • Iterative process • Participants
Security starts at Home • home is the creative phases of the Software Development Life Cycle (SDLC), especially the program design and coding stages. • From abstract needs to formal requirements—Analysis (security requirements are defined) 2. From formal requirements to overall design—Design (Security mechanisms are developed) 3. From overall design to program code 4. From all of the above to documentation drafting 5. From all of the above to system testing (Vulnerabilities are discovered and eliminated) 6. From system testing to system utilization (or to a previous step) 7. From system utilization to needs enhancement (Step 1)
Security starts at Home • Measures taken to improve s/w development process • Programmers certification in secure coding • Software certification as to secure coding • Utilization of software analysis tools • Measures taken in intra-organizational s/w development initiatives • Programmers certification in secure coding • Software certification as to secure coding • Utilization of software analysis tools
Tools for Security • Categories of S/w tools • Code Coverage—Keeps track of the code and data locations that have been created, read, or modified. ◾ Instruction Trace—Records the execution of each instruction, making it available for subsequent step-by-step analysis. ◾ Memory Analysis—Keeps track of the memory space utilization, looking for possible violations. ◾ Performance Analysis—Based on the user’s criteria, software are analyzed and fine-tuned for performance optimization.
Security in Application • Vulnerabilities come with insecure application. • MS Office 2003 is the example. • Vulnerability Notes Database • Severity Metric • A most common gateway to malware attacks is the web browser. • Many web browsers are configured to provide increased functionality at the cost of decreased security.”
chap-1 : Vulnerabilities in Information Systems

Recommended

Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)abhimanyubhogwan
 
Software Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical SecuritySoftware Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical SecurityNicholas Davis
 
Software security (vulnerabilities) and physical security
Software security (vulnerabilities) and physical securitySoftware security (vulnerabilities) and physical security
Software security (vulnerabilities) and physical securityNicholas Davis
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Unit4
Unit4Unit4
Unit4Integral university, India
 
Open Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesOpen Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesBlack Duck by Synopsys
 
Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Michael Hidalgo
 
Assessing System Risk the Smart Way
Assessing System Risk the Smart WayAssessing System Risk the Smart Way
Assessing System Risk the Smart WaySecurity Innovation
 

Recommended

Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)abhimanyubhogwan
 
Software Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical SecuritySoftware Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical SecurityNicholas Davis
 
Software security (vulnerabilities) and physical security
Software security (vulnerabilities) and physical securitySoftware security (vulnerabilities) and physical security
Software security (vulnerabilities) and physical securityNicholas Davis
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Unit4
Unit4Unit4
Unit4Integral university, India
 
Open Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesOpen Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesBlack Duck by Synopsys
 
Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Michael Hidalgo
 
Assessing System Risk the Smart Way
Assessing System Risk the Smart WayAssessing System Risk the Smart Way
Assessing System Risk the Smart WaySecurity Innovation
 
Slide Deck CISSP Class Session 5
Slide Deck CISSP Class Session 5Slide Deck CISSP Class Session 5
Slide Deck CISSP Class Session 5FRSecure
 
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017FRSecure
 
Introduction to cyber security
Introduction to cyber securityIntroduction to cyber security
Introduction to cyber securityGeevarghese Titus
 
Vapt life cycle
Vapt life cycleVapt life cycle
Vapt life cyclepenetration Tester
 
Threat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security RiskThreat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security RiskSecurity Innovation
 
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)Security Innovation
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecLalit Kale
 
Program security
Program securityProgram security
Program securityG Prachi
 
Software Security
Software SecuritySoftware Security
Software SecurityIntegral university, India
 
Module 6.pptx
Module 6.pptxModule 6.pptx
Module 6.pptxssuser66c4d5
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochQA or the Highway
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochQA or the Highway
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat ModelingMiriam Celi, CISSP, GISP, MSCS, MBA
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile WorldDavid Lindner
 
Security Patterns - An Introduction
Security Patterns - An IntroductionSecurity Patterns - An Introduction
Security Patterns - An IntroductionMarcel Winandy
 
Careers in Cyber Security
Careers in Cyber SecurityCareers in Cyber Security
Careers in Cyber SecurityDeep Shankar Yadav
 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzingG Prachi
 
[Warsaw 26.06.2018] SDL Threat Modeling principles
[Warsaw 26.06.2018] SDL Threat Modeling principles[Warsaw 26.06.2018] SDL Threat Modeling principles
[Warsaw 26.06.2018] SDL Threat Modeling principlesOWASP
 
Started In Security Now I'm Here
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm HereChristopher Grayson
 
An Introduction to Secure Application Development
An Introduction to Secure Application DevelopmentAn Introduction to Secure Application Development
An Introduction to Secure Application DevelopmentChristopher Frenz
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
ACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfSpandanaRallapalli
 

More Related Content

Similar to chap-1 : Vulnerabilities in Information Systems

Slide Deck CISSP Class Session 5
Slide Deck CISSP Class Session 5Slide Deck CISSP Class Session 5
Slide Deck CISSP Class Session 5FRSecure
 
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017FRSecure
 
Introduction to cyber security
Introduction to cyber securityIntroduction to cyber security
Introduction to cyber securityGeevarghese Titus
 
Threat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security RiskThreat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security RiskSecurity Innovation
 
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)Security Innovation
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecLalit Kale
 
Program security
Program securityProgram security
Program securityG Prachi
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochQA or the Highway
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochQA or the Highway
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile WorldDavid Lindner
 
Security Patterns - An Introduction
Security Patterns - An IntroductionSecurity Patterns - An Introduction
Security Patterns - An IntroductionMarcel Winandy
 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzingG Prachi
 
[Warsaw 26.06.2018] SDL Threat Modeling principles
[Warsaw 26.06.2018] SDL Threat Modeling principles[Warsaw 26.06.2018] SDL Threat Modeling principles
[Warsaw 26.06.2018] SDL Threat Modeling principlesOWASP
 
Started In Security Now I'm Here
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm HereChristopher Grayson
 
An Introduction to Secure Application Development
An Introduction to Secure Application DevelopmentAn Introduction to Secure Application Development
An Introduction to Secure Application DevelopmentChristopher Frenz
 

Similar to chap-1 : Vulnerabilities in Information Systems (20)

Slide Deck CISSP Class Session 5
Slide Deck CISSP Class Session 5Slide Deck CISSP Class Session 5
Slide Deck CISSP Class Session 5
 
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
 
Introduction to cyber security
Introduction to cyber securityIntroduction to cyber security
Introduction to cyber security
 
Vapt life cycle
Vapt life cycleVapt life cycle
Vapt life cycle
 
Threat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security RiskThreat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security Risk
 
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
Program security
Program securityProgram security
Program security
 
Software Security
Software SecuritySoftware Security
Software Security
 
Module 6.pptx
Module 6.pptxModule 6.pptx
Module 6.pptx
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan Koch
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan Koch
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat Modeling
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
Security Patterns - An Introduction
Security Patterns - An IntroductionSecurity Patterns - An Introduction
Security Patterns - An Introduction
 
Careers in Cyber Security
Careers in Cyber SecurityCareers in Cyber Security
Careers in Cyber Security
 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzing
 
[Warsaw 26.06.2018] SDL Threat Modeling principles
[Warsaw 26.06.2018] SDL Threat Modeling principles[Warsaw 26.06.2018] SDL Threat Modeling principles
[Warsaw 26.06.2018] SDL Threat Modeling principles
 
Started In Security Now I'm Here
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm Here
 
An Introduction to Secure Application Development
An Introduction to Secure Application DevelopmentAn Introduction to Secure Application Development
An Introduction to Secure Application Development
 

Recently uploaded

Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
ACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfSpandanaRallapalli
 
AmericanHighSchoolsprezentacijaoskolama.
AmericanHighSchoolsprezentacijaoskolama.AmericanHighSchoolsprezentacijaoskolama.
AmericanHighSchoolsprezentacijaoskolama.arsicmarija21
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...JhezDiaz1
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxGrade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxChelloAnnAsuncion2
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatYousafMalik24
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomnelietumpap1
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersSabitha Banu
 
Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Celine George
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxEyham Joco
 
ROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint PresentationROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint PresentationAadityaSharma884161
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Mark Reed
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxJudging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxSherlyMaeNeri
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17Celine George
 

Recently uploaded (20)

Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
ACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdf
 
AmericanHighSchoolsprezentacijaoskolama.
AmericanHighSchoolsprezentacijaoskolama.AmericanHighSchoolsprezentacijaoskolama.
AmericanHighSchoolsprezentacijaoskolama.
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxGrade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choom
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginners
 
Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptx
 
ROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint PresentationROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint Presentation
 
Raw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptxRaw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptx
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxJudging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptx
 
Rapple "Scholarly Communications and the Sustainable Development Goals"
Rapple "Scholarly Communications and the Sustainable Development Goals"Rapple "Scholarly Communications and the Sustainable Development Goals"
Rapple "Scholarly Communications and the Sustainable Development Goals"
 
OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17
 

chap-1 : Vulnerabilities in Information Systems

  • 1. Cyber Security Prepared By: Ms Kashf Ul Huda
  • 2. Chap#1: Vulnerabilities in Information System Recommended Book: Cyberspace and Cybersecurity
  • 3. What is vulnerability? • Vulnerability in any system is the result of an intentional or unintentional omission or of an inadvertent design mistake that directly or indirectly leads to a compromise in the system’s availability, integrity, or confidentiality. • Hidden in • Information access security • Computer and storage security • Communication security • Operational and physical security
  • 4. What is vulnerability? • Components of information system • People • hardware • Software • Reliability vs vulnerability • Quantify the abstract concept of vulnerability • The aim is to express the perceived level of security in a way that is measurable, standardized, and understood and to improve “the measurability of security through enumerating baseline security data, providing standardized languages as means for accurately communicating the information, and encouraging the sharing of the information with users by developing repositories
  • 5. Authentication • Vulnerabilities can be hidden in data, code, and most often in processes that inadvertently allow unauthorized access • Security at both user and server end. • User end authentication: • OTP • Biometrics • Questionnaires • User device identification numbers (MAC, IMEI, manufacturer’s serial number)
  • 6. MAC
  • 8. Authentication • Server-side authentication: • Certificates • IP restrictions • Data encapsulations • Data in transit • Hash codes (CRC) • Private/ Pubic key encryption mechanism
  • 9. When vulnerabilities originate? • Firewall penetration • Trojan horse attack • Decentralization • Static resource allocation • During system upgradation • Being adapted to new environment
  • 10. Measuring Vulnerabilities • Security Content Automation Protocol (SCAP) • Used for standardization classification and assessment of security content in software sysetms. • Standardize the way security vulnerability and configuration information is identified and catalogued. • Developed by NIST
  • 11. Components of SCAP • Common vulnerabilities and exposure (CVE) • Common configuration and enumerator (CCE) • Common platform enumerator (CPE) • Common vulnerability scoring system (CVSS) • Extensible configuration checklist description format (XCCDF) • Open vulnerability and assessment language (OVAL) Note: the above standards comprise a very powerful infrastructure for information system vulnerability assessment and reporting.
  • 14. Avoiding vulnerabilities through Secure Coding • Old programming culture • Minimum number of lines • Executable in a minimum amount of time • Memory and processor time were valuable assets • Fault tolerance for data integrity. • No extra code for security as system were stand-alone and physically isolated. • Neither memory space nor processing speed seem to be the programming constraint anymore. • High speed total interconnectivity
  • 15. Avoiding vulnerabilities through Secure Coding • vulnerabilities can be minimized by segmenting the code and the data into resident and transient sections. • Call the data and application only that is needed rather than bringing the entire inventory of application. • Minimize the impact of malware intrusion. • Experts openly say: “The Internet is a hostile environment, so you must . . . [be able to] withstand attack[s to survive,” and it is often referred to as the Wild Wild Web, WWW.
  • 16. Avoiding vulnerabilities through Secure Coding • Design web with security from hostile attacks • Move from minimal code to minimal vulnerability. • Concepts of s/w quality and s/w security have been embedded. • Spend time in designing secure apps than costly development patches and bad publicity etc. • An increasing trend is for web applications to come with their own firewalls rather than exclusively relying on those of the hosting system.
  • 17. Avoiding vulnerabilities through Secure Coding • Cost of fixing vulnerability • Very high from five to seven digit dollar • Depend on how deep in design the vulnerability exists. • During the fixing, resources will have to be taken away from other assignments to attend to this matter in a very urgent way.
  • 18. Steps necessary to rectify a software vulnerability
  • 19. Steps necessary to rectify a software vulnerability 1. Location of the origin of the vulnerability 2. Design of a patch that will strengthen the code and eliminate the vulnerability 3. Application and testing of the patch 4. Confirmation that there are no side effects 5. Drafting of patch documentation 6. Preparation of a patch distribution plan to all affected clients 7. Patch installation 8. Confirmation of the effectiveness of the patch; public relations campaign to offset prior negative publicity
  • 20. Most frequent vulnerabilities • Buffer overflow • Arithmetic overflow • Format string attacks • Command injections • Cross-site scripting (XSS) • SQL injections • Insecure direct object reference
  • 21. Most frequent vulnerabilities • Insecure storage • Weak cryptography • Race conditions
  • 22. Avoiding vulnerabilities through Secure Coding • the software designer’s mindset must have two parallel tracks • functionality and security • with security being a mechanism that reveals and subsequently blocks intrusions. • Such security mechanism should be robust and well designed and should never be replaced by some data obscurity scheme that attempts to outsmart the attacker. • The designer must also think of the user convenience and provide a security mechanism that poses no hindrance to the normal operations, being as transparent to the user as possible.
  • 23. Mistakes can be good • Learn from mistakes. • Making a mistake again and again is foolish. • Assign privilege to the extent where it is needed. • Make list of resources and their permissions (read, write, execute, create , delete) at the time of installation. • This way, should a malware install itself in the application, the potential damage will be minimal, and the malware will not be able to roam inside the system • when a computer is a single user, it should not necessarily operate in the administrator mode, but in the user mode.
  • 24. Threat Classification • Any circumstance or event that can negatively impact assets • Basic types of threats • Illegal data change • Illegal data access • Illegal obstruction of data access Information security researchers at Microsoft broadly classified all threats in six categories named as “STRIDE”
  • 25. Table 1.1 Information system Threats
  • 26. Table 1.1 Information system Threats
  • 27. Threat Modeling Process 1.Define what constitutes the information system in question. That is, determine the functional and geographical borders of what we refer to as being our system. Beyond what point is it not our responsibility or liability? 2. Now that we have quantified our system, we attempt to identify what we consider as being the threats that are based on internal or external vulnerabilities. The STRIDE categories, mentioned previously, can serve as a starting point to threats classification.
  • 28. Threat Modeling Process 3. Recognize which of the threats, in your context of operations, constitute absolute danger that may lead to a catastrophic impact on the system. Define the modes under which such threats can become successful attacks. 4. Develop defense options for each and every recognized threat, and rank the considered defense mechanisms based on effectiveness and demand of resources. 5. Select optimum approaches to threat eliminations, balancing effectiveness, probability of occurrence, severity of occurrence, and solution development cost.
  • 29. Threat Modeling Process • Iterative process • Participants
  • 30. Security starts at Home • home is the creative phases of the Software Development Life Cycle (SDLC), especially the program design and coding stages. • From abstract needs to formal requirements—Analysis (security requirements are defined) 2. From formal requirements to overall design—Design (Security mechanisms are developed) 3. From overall design to program code 4. From all of the above to documentation drafting 5. From all of the above to system testing (Vulnerabilities are discovered and eliminated) 6. From system testing to system utilization (or to a previous step) 7. From system utilization to needs enhancement (Step 1)
  • 31. Security starts at Home • Measures taken to improve s/w development process • Programmers certification in secure coding • Software certification as to secure coding • Utilization of software analysis tools • Measures taken in intra-organizational s/w development initiatives • Programmers certification in secure coding • Software certification as to secure coding • Utilization of software analysis tools
  • 32. Tools for Security • Categories of S/w tools • Code Coverage—Keeps track of the code and data locations that have been created, read, or modified. ◾ Instruction Trace—Records the execution of each instruction, making it available for subsequent step-by-step analysis. ◾ Memory Analysis—Keeps track of the memory space utilization, looking for possible violations. ◾ Performance Analysis—Based on the user’s criteria, software are analyzed and fine-tuned for performance optimization.
  • 33. Security in Application • Vulnerabilities come with insecure application. • MS Office 2003 is the example. • Vulnerability Notes Database • Severity Metric • A most common gateway to malware attacks is the web browser. • Many web browsers are configured to provide increased functionality at the cost of decreased security.”