SlideShare a Scribd company logo

Residency ResearchISOL 536 Security Architecture and Design.docx

Download as DOCX, PDF
B
brittneyj3

Residency Research ISOL 536 Security Architecture and Design Using Resources to Promote Critical Thinking Critical thinking is an integral part of any educational program At UC, we encourage and provide applicable resources for the promotion of critical thinking In order to properly research and complete course papers, proper resources must be utilized Critical Thinking helps us to: Understand the links between ideas. Determine the importance and relevance of arguments and ideas. Recognize, build and appraise arguments. Identify inconsistencies and errors in reasoning. Approach problems in a consistent and systematic way. Reflect on the justification of their own assumptions, beliefs and values. http://www.skillsyouneed.com/learn/critical-thinking.html Researching Using the Critical Questions When using research resources, it is imperative to review the six critical questions and implement that data into your writings. Proper Resources for Research When asked to completed a research paper in the UC School for Computer and Information Sciences, you must use scholarly, peer-reviewed articles. A peer-reviewed article is one that has “been evaluated by several researchers or subject specialist in the academic community prior to accepting it for publication” and is “also known as scholarly or refereed.” Your professor or the UC Librarian team can help you determine whether or not an article is peer-reviewed. Proper Resources for Research Examples of sites with peer-reviewed resources UC Library Site EBSCOhost JSTOR Google Scholar Examples of sites with unacceptable resources PC Magazine Cisco Ars Technica Reddit Proper Format is Important All papers written for courses within the School for Computer and Information Sciences must follow the American Psychological Association (APA) writing style. University Resources The UC Library provides a myriad of online resources to assist students with proper research Resources referring to Information Security can be found inside the UC Library site www.ucumberlands.edu/library Groups Group 1 Group Topic: Meltdown [email protected][email protected][email protected][email protected][email protected][email protected] Group 2 Group Topic: Spectre [email protected][email protected][email protected][email protected][email protected][email protected] Group 3 Group Topic: ZombieLoad [email protected][email protected][email protected][email protected][email protected][email protected] Group 4 Group Topic: RIDL [email protected][email protected][email protected][email protected][email protected] Group 5 Group Topic: Fallout [email protected][email protected][email protected][email protected][email protected] Research Topic Security researchers have discovered major vulnerabilities with the design of Intel chips The vulnerabilities stem from several issues and their immediate remediations create severe loss of performance Each vulnerability is similar but different Res.

Education
1 of 17
Residency Research ISOL 536 Security Architecture and Design Using Resources to Promote Critical Thinking Critical thinking is an integral part of any educational program At UC, we encourage and provide applicable resources for the promotion of critical thinking In order to properly research and complete course papers, proper resources must be utilized Critical Thinking helps us to: Understand the links between ideas. Determine the importance and relevance of arguments and ideas. Recognize, build and appraise arguments. Identify inconsistencies and errors in reasoning. Approach problems in a consistent and systematic way. Reflect on the justification of their own assumptions, beliefs and values. http://www.skillsyouneed.com/learn/critical-thinking.html Researching Using the Critical Questions When using research resources, it is imperative to review the
six critical questions and implement that data into your writings. Proper Resources for Research When asked to completed a research paper in the UC School for Computer and Information Sciences, you must use scholarly, peer-reviewed articles. A peer-reviewed article is one that has “been evaluated by several researchers or subject specialist in the academic community prior to accepting it for publication” and is “also known as scholarly or refereed.” Your professor or the UC Librarian team can help you determine whether or not an article is peer-reviewed. Proper Resources for Research Examples of sites with peer-reviewed resources UC Library Site EBSCOhost JSTOR Google Scholar Examples of sites with unacceptable resources PC Magazine Cisco Ars Technica Reddit Proper Format is Important All papers written for courses within the School for Computer and Information Sciences must follow the American Psychological Association (APA) writing style.
University Resources The UC Library provides a myriad of online resources to assist students with proper research Resources referring to Information Security can be found inside the UC Library site www.ucumberlands.edu/library Groups Group 1 Group Topic: Meltdown [email protected][email protected][email protected][email prote cted][email protected][email protected] Group 2 Group Topic: Spectre [email protected][email protected][email protected][email prote cted][email protected][email protected] Group 3 Group Topic: ZombieLoad [email protected][email protected][email protected][email prote cted][email protected][email protected]
Group 4 Group Topic: RIDL [email protected][email protected][email protected][email prote cted][email protected] Group 5 Group Topic: Fallout [email protected][email protected][email protected][email prote cted][email protected] Research Topic Security researchers have discovered major vulnerabilities with the design of Intel chips The vulnerabilities stem from several issues and their immediate remediations create severe loss of performance Each vulnerability is similar but different Research Topic DO Provide a working knowledge of your assigned vulnerability Compare and contrast your assigned vulnerability with others Deeply research the use of threat modeling and secure architecture Tie your research back to recommendations for remediation of the vulnerability DO NOT Dive deep into the mathematics of the vulnerability Disassociate your peer-reviewed scholarly research from the
vulnerability Plagiarize and copy/paste from sites Forget the topics of our course (e.g. STRIDE) Research Paper 10-15 pages Double spaced APA style At least 10 references At least 5 of your references must be scholarly peer-reviewed articles Research Paper Find and review peer-reviewed scholarly articles concerning security architecture, secure design, and threat modeling Find and review other information that associates with your topic area Apply research from articles on chosen topic area to create research paper Research Presentation Goal is to summarize your research and recommendations Must present for at least 25 minutes but no more than 30 minutes Your group will be randomly selected for presentation All group members need to participate in the presentation
ISOL536 | Security Architecture and Design Dr. Justin O. Hensley School of Computer and Information Sciences 1 Overview and stride review 2 Ways to Find Security Issues Static analysis of code Fuzzing or other dynamic testing Pen test/red team Wait for bug reports after release All of these are fine, but as you go down the list, you’re going later and later in the development process. So when you find
bugs, you may have a hard time fixing them, because you might have dependencies on behavior such as taking large complex input from an untrusted party, or your libraries may not handle issues like sql injection well, or you might be using an untyped language like C. 3 Ways to Find Security Issues Threat modeling! Think about security issues early Understand your requirements better Don’t write bugs into the code And the subject of this course 4 Definitions What is a threat? How is it different from a vulnerability, risk, or just a problem? What is a model? Many people get stuck on these. Definitions matter. Many
people don’t understand the definition of a threat and how it’s different from a vulnerability, a risk, or a problem. “Threat” means the bad thing that might happen. “Threat” can also refer to a person, or a piece of malware, but we don’t use those definitions here. “Vulnerability” is a term of art for code that can be automatically exploited, or more generally, a weakness that can be exploited. MODEL: a system or thing used as an example to follow or imitate. 5 How to Threat Model What are you building? What can go wrong? What are you going to do about it? Did you complete a good analysis? The course will teach you practical skills for each of these 6 Addressing the Threat
7 Mitigate Eliminate Transfer Accept Validation of the Model 8 Check the model Check each threat Check the tests STRIDEThreatProperty ViolatedDefinitionExampleSpoofingAuthenticationImpersonatin
g something or someone else.Pretending to be any of Bill Gates, Paypal.com or ntdll.dllTamperingIntegrityModifying data or codeModifying a DLL on disk or DVD, or a packet as it traverses the networkRepudiationNon-repudiationClaiming to have not performed an action.“I didn’t send that email,” “I didn’t modify that file,” “I certainly didn’t visit that web site, dear!”Information DisclosureConfidentialityExposing information to someone not authorized to see itAllowing someone to read the Windows source code; publishing a list of customers to a web site.Denial of ServiceAvailabilityDeny or degrade service to usersCrashing Windows or a web site, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole.Elevation of PrivilegeAuthorizationGain capabilities without proper authorizationAllowing a remote Internet user to run commands is the classic example, but going from a limited user to admin is also EoP. 9 What Can Go Wrong? Track issues as you find them “attacker could pretend to be a client & connect” Track assumptions “I think that connection is always over SSL” Both lists are inputs to “what are you going to do about it?”
10 Spoofing On the Local MachineThreat ExampleWhat the Attacker DoesNotes/ExamplesSpoofing a process Creates a file before the real processThen your process relies on itAbuses namesCreate a version of “sudo” and alter PATHSpoofing a filenameCreates a file in the local directoryLibrary, executable or config fileCreates a link, changes itAlso called ‘race condition’ or TOCTOUCreates many files in a target directoryCode can easily create all possible /tmp/foo.random 11 Tampering with MemoryThreat ExampleWhat the Attacker DoesNotes/ExamplesModifying codeChanges your code to suit themselvesHard to defend against if the attacker is running code inside the trust boundariesModifying data they’ve suppliedSupplies data to a pass by reference API, then changes itWorks because of TOCTOU issuesSupplies data into a shared memory segment, then changes it 12 RepudiationThreat ExampleWhat the Attacker
DoesNotes/examplesRepudiating an actionClaims to have not clickedMaybe they did, maybe they didn’t, maybe they’re honestly confusedClaims to not have received1. Electronic or physical 2. Receipt is strange; does a client downloading email mean you’ve seen it? Did a network proxy pre-fetch images? Was a package left on a porch?Claims to be a fraud victimUses someone else’s account 13 Information Disclosure (Processes)Threat ExampleWhat the Attacker DoesNotes/ExamplesExtracts user dataExploits bugs like SQL injection to read db tablesCan find this by looking to data stores, but here the issue is the process returning data it shouldn’tReads error messages Extracts machine secretsReads error messagesCannot connect to database ‘foo’ as user ‘sql’ with password ‘&IO*(^&’Exploits bugs“Heartbleed” 14 Information Disclosure (Data Stores)Sub-categoryWhat the Attacker DoesPermissionsTake advantage of missing or inappropriate ACLsTake advantage of bad database permissionsFile files protected by obscuritySecurityFind crypto keys on disk or in memoryGet data from logs/temp filesGet data
from swap filesSee interesting information in filenames/directory namesNetworkSee data traversing a networkMiscObtain device, boot in new OS 15 Information Disclosure (Data Flow)Sub-categoryWhat the Attacker DoesNetworkRead data on a networkRedirects traffics to enable reading data on the networkMetadataLearns secrets by analyzing trafficLearns who talks to whom by watching the DNSLearns who talks to whom by analyzing social network information 16 Denial of ServiceThreat ExampleWhat the Attacker DoesNotes/ExamplesAgainst a processAbsorb memory (ram or disk)Absorb CPUUses a process as an amplifierAgainst business logic“Too many login attempts”Against a data storeFills the data storeMakes enough requests to slow the systemAgainst a data flowConsumes network resources Can be temporary (as the attack continues; fill the network) or persist beyond that (fill a disk)
17 Elevation of Privilege (“EoP”)Threat ExampleWhat the Attacker DoesNotes/ExamplesEoP Against process via corruptionSends inputs the code doesn’t handle properlyVery common, usually high impactGains read/write access to memoryWriting memory more obviously badEoP via misused authorization checksEoP via buggy authorization checksCentralizing checking makes consistency, correctness easierEoP via data tamperingModify bits on disk 18 ISOL536 | Security Architecture and Design Dr. Justin O. Hensley School of Computer and Information Sciences 19
ISOL536 | Security Architecture and Design Dr. Justin O. Hensley School of Computer and Information Sciences 1 Introduction and expectations 2 Introduce yourself
3 Goals for Residency Successfully complete part of course requirements Strengthen research skills Make professional connections Increase social and soft skills Have fun! 4 Expectations for Residency Come early Give attention Respect colleagues Participate equally Produce exceptional work 5 Review schedule
6 ISOL536 | Security Architecture and Design Dr. Justin O. Hensley School of Computer and Information Sciences 7

Recommended

ISOL 536Security Architecture and DesignThreat Modeling.docx
ISOL 536Security Architecture and DesignThreat Modeling.docxISOL 536Security Architecture and DesignThreat Modeling.docx
ISOL 536Security Architecture and DesignThreat Modeling.docxchristiandean12115
 
Security vulnerabilities for grown ups - GOTOcon 2012
Security vulnerabilities for grown ups - GOTOcon 2012Security vulnerabilities for grown ups - GOTOcon 2012
Security vulnerabilities for grown ups - GOTOcon 2012Vitaly Osipov
 
1.Security Overview And Patching
1.Security Overview And Patching1.Security Overview And Patching
1.Security Overview And Patchingphanleson
 
SEC 572 Entire Course NEW
SEC 572 Entire Course NEWSEC 572 Entire Course NEW
SEC 572 Entire Course NEWshyamuopiv
 
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsYulian Slobodyan
 
Sec 572 Effective Communication - tutorialrank.com
Sec 572 Effective Communication - tutorialrank.comSec 572 Effective Communication - tutorialrank.com
Sec 572 Effective Communication - tutorialrank.comBartholomew99
 
SEC 572 Inspiring Innovation / tutorialrank.com
SEC 572 Inspiring Innovation / tutorialrank.comSEC 572 Inspiring Innovation / tutorialrank.com
SEC 572 Inspiring Innovation / tutorialrank.comBromleyz38
 
PROJECT DRAFTINTRODUCTIONINTRODUCE COMPANY – WHAT IS THE COM.docx
PROJECT DRAFTINTRODUCTIONINTRODUCE COMPANY – WHAT IS THE COM.docxPROJECT DRAFTINTRODUCTIONINTRODUCE COMPANY – WHAT IS THE COM.docx
PROJECT DRAFTINTRODUCTIONINTRODUCE COMPANY – WHAT IS THE COM.docxwoodruffeloisa
 

Recommended

ISOL 536Security Architecture and DesignThreat Modeling.docx
ISOL 536Security Architecture and DesignThreat Modeling.docxISOL 536Security Architecture and DesignThreat Modeling.docx
ISOL 536Security Architecture and DesignThreat Modeling.docxchristiandean12115
 
Security vulnerabilities for grown ups - GOTOcon 2012
Security vulnerabilities for grown ups - GOTOcon 2012Security vulnerabilities for grown ups - GOTOcon 2012
Security vulnerabilities for grown ups - GOTOcon 2012Vitaly Osipov
 
1.Security Overview And Patching
1.Security Overview And Patching1.Security Overview And Patching
1.Security Overview And Patchingphanleson
 
SEC 572 Entire Course NEW
SEC 572 Entire Course NEWSEC 572 Entire Course NEW
SEC 572 Entire Course NEWshyamuopiv
 
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsYulian Slobodyan
 
Sec 572 Effective Communication - tutorialrank.com
Sec 572 Effective Communication - tutorialrank.comSec 572 Effective Communication - tutorialrank.com
Sec 572 Effective Communication - tutorialrank.comBartholomew99
 
SEC 572 Inspiring Innovation / tutorialrank.com
SEC 572 Inspiring Innovation / tutorialrank.comSEC 572 Inspiring Innovation / tutorialrank.com
SEC 572 Inspiring Innovation / tutorialrank.comBromleyz38
 
PROJECT DRAFTINTRODUCTIONINTRODUCE COMPANY – WHAT IS THE COM.docx
PROJECT DRAFTINTRODUCTIONINTRODUCE COMPANY – WHAT IS THE COM.docxPROJECT DRAFTINTRODUCTIONINTRODUCE COMPANY – WHAT IS THE COM.docx
PROJECT DRAFTINTRODUCTIONINTRODUCE COMPANY – WHAT IS THE COM.docxwoodruffeloisa
 
Professional Hacking in 2011
Professional Hacking in 2011Professional Hacking in 2011
Professional Hacking in 2011securityaegis
 
Sec 572 Effective Communication / snaptutorial.com
Sec 572 Effective Communication / snaptutorial.comSec 572 Effective Communication / snaptutorial.com
Sec 572 Effective Communication / snaptutorial.comBaileyabl
 
CMST&210 Pillow talk Position 1 Why do you think you may.docx
CMST&210 Pillow talk Position 1 Why do you think you may.docxCMST&210 Pillow talk Position 1 Why do you think you may.docx
CMST&210 Pillow talk Position 1 Why do you think you may.docxmccormicknadine86
 
Null bachav
Null bachavNull bachav
Null bachavNaga Venkata Sunil Alamuri
 
Biggest info security mistakes security innovation inc.
Biggest info security mistakes security innovation inc.Biggest info security mistakes security innovation inc.
Biggest info security mistakes security innovation inc.uNIX Jim
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)Steve Poole
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application SecurityNicholas Davis
 
Saiyed_Crypto_Article_ISSA
Saiyed_Crypto_Article_ISSASaiyed_Crypto_Article_ISSA
Saiyed_Crypto_Article_ISSACarl Saiyed
 
Sec 572 Education Specialist-snaptutorial.com
Sec 572 Education Specialist-snaptutorial.comSec 572 Education Specialist-snaptutorial.com
Sec 572 Education Specialist-snaptutorial.comrobertlesew79
 
Sec 572 Enhance teaching / snaptutorial.com
Sec 572 Enhance teaching / snaptutorial.comSec 572 Enhance teaching / snaptutorial.com
Sec 572 Enhance teaching / snaptutorial.comHarrisGeorg69
 
ISOL536 Security Architecture and DesignDr. Justin O. .docx
ISOL536 Security Architecture and DesignDr. Justin O. .docxISOL536 Security Architecture and DesignDr. Justin O. .docx
ISOL536 Security Architecture and DesignDr. Justin O. .docxvrickens
 
3.Secure Design Principles And Process
3.Secure Design Principles And Process3.Secure Design Principles And Process
3.Secure Design Principles And Processphanleson
 
Sec 572 Education Organization / snaptutorial.com
Sec 572 Education Organization / snaptutorial.comSec 572 Education Organization / snaptutorial.com
Sec 572 Education Organization / snaptutorial.comBaileya109
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSECSean Whalen
 
Security
SecuritySecurity
Securitydominion
 
Open Source Security – A vendor's perspective
Open Source Security – A vendor's perspectiveOpen Source Security – A vendor's perspective
Open Source Security – A vendor's perspectiveMatthew Wilkes
 
Showing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
Showing How Security Has (And Hasn't) Improved, After Ten Years Of TryingShowing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
Showing How Security Has (And Hasn't) Improved, After Ten Years Of TryingDan Kaminsky
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best PracticesClint Edmonson
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris WysopalThreat Stack
 
Break it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure softwareBreak it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure softwareLeigh Honeywell
 
Research TopicCorporations are making the assumption that ever.docx
Research TopicCorporations are making the assumption that ever.docxResearch TopicCorporations are making the assumption that ever.docx
Research TopicCorporations are making the assumption that ever.docxbrittneyj3
 
Research two (2) manufacturing or two (2) service companies that m.docx
Research two (2) manufacturing or two (2) service companies that m.docxResearch two (2) manufacturing or two (2) service companies that m.docx
Research two (2) manufacturing or two (2) service companies that m.docxbrittneyj3
 

More Related Content

Similar to Residency ResearchISOL 536 Security Architecture and Design.docx

Professional Hacking in 2011
Professional Hacking in 2011Professional Hacking in 2011
Professional Hacking in 2011securityaegis
 
Sec 572 Effective Communication / snaptutorial.com
Sec 572 Effective Communication / snaptutorial.comSec 572 Effective Communication / snaptutorial.com
Sec 572 Effective Communication / snaptutorial.comBaileyabl
 
CMST&210 Pillow talk Position 1 Why do you think you may.docx
CMST&210 Pillow talk Position 1 Why do you think you may.docxCMST&210 Pillow talk Position 1 Why do you think you may.docx
CMST&210 Pillow talk Position 1 Why do you think you may.docxmccormicknadine86
 
Biggest info security mistakes security innovation inc.
Biggest info security mistakes security innovation inc.Biggest info security mistakes security innovation inc.
Biggest info security mistakes security innovation inc.uNIX Jim
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)Steve Poole
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application SecurityNicholas Davis
 
Saiyed_Crypto_Article_ISSA
Saiyed_Crypto_Article_ISSASaiyed_Crypto_Article_ISSA
Saiyed_Crypto_Article_ISSACarl Saiyed
 
Sec 572 Education Specialist-snaptutorial.com
Sec 572 Education Specialist-snaptutorial.comSec 572 Education Specialist-snaptutorial.com
Sec 572 Education Specialist-snaptutorial.comrobertlesew79
 
Sec 572 Enhance teaching / snaptutorial.com
Sec 572 Enhance teaching / snaptutorial.comSec 572 Enhance teaching / snaptutorial.com
Sec 572 Enhance teaching / snaptutorial.comHarrisGeorg69
 
ISOL536 Security Architecture and DesignDr. Justin O. .docx
ISOL536 Security Architecture and DesignDr. Justin O. .docxISOL536 Security Architecture and DesignDr. Justin O. .docx
ISOL536 Security Architecture and DesignDr. Justin O. .docxvrickens
 
3.Secure Design Principles And Process
3.Secure Design Principles And Process3.Secure Design Principles And Process
3.Secure Design Principles And Processphanleson
 
Sec 572 Education Organization / snaptutorial.com
Sec 572 Education Organization / snaptutorial.comSec 572 Education Organization / snaptutorial.com
Sec 572 Education Organization / snaptutorial.comBaileya109
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSECSean Whalen
 
Open Source Security – A vendor's perspective
Open Source Security – A vendor's perspectiveOpen Source Security – A vendor's perspective
Open Source Security – A vendor's perspectiveMatthew Wilkes
 
Showing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
Showing How Security Has (And Hasn't) Improved, After Ten Years Of TryingShowing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
Showing How Security Has (And Hasn't) Improved, After Ten Years Of TryingDan Kaminsky
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best PracticesClint Edmonson
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris WysopalThreat Stack
 
Break it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure softwareBreak it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure softwareLeigh Honeywell
 

Similar to Residency ResearchISOL 536 Security Architecture and Design.docx (20)

Professional Hacking in 2011
Professional Hacking in 2011Professional Hacking in 2011
Professional Hacking in 2011
 
Sec 572 Effective Communication / snaptutorial.com
Sec 572 Effective Communication / snaptutorial.comSec 572 Effective Communication / snaptutorial.com
Sec 572 Effective Communication / snaptutorial.com
 
CMST&210 Pillow talk Position 1 Why do you think you may.docx
CMST&210 Pillow talk Position 1 Why do you think you may.docxCMST&210 Pillow talk Position 1 Why do you think you may.docx
CMST&210 Pillow talk Position 1 Why do you think you may.docx
 
Null bachav
Null bachavNull bachav
Null bachav
 
Biggest info security mistakes security innovation inc.
Biggest info security mistakes security innovation inc.Biggest info security mistakes security innovation inc.
Biggest info security mistakes security innovation inc.
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application Security
 
Saiyed_Crypto_Article_ISSA
Saiyed_Crypto_Article_ISSASaiyed_Crypto_Article_ISSA
Saiyed_Crypto_Article_ISSA
 
Sec 572 Education Specialist-snaptutorial.com
Sec 572 Education Specialist-snaptutorial.comSec 572 Education Specialist-snaptutorial.com
Sec 572 Education Specialist-snaptutorial.com
 
Sec 572 Enhance teaching / snaptutorial.com
Sec 572 Enhance teaching / snaptutorial.comSec 572 Enhance teaching / snaptutorial.com
Sec 572 Enhance teaching / snaptutorial.com
 
ISOL536 Security Architecture and DesignDr. Justin O. .docx
ISOL536 Security Architecture and DesignDr. Justin O. .docxISOL536 Security Architecture and DesignDr. Justin O. .docx
ISOL536 Security Architecture and DesignDr. Justin O. .docx
 
3.Secure Design Principles And Process
3.Secure Design Principles And Process3.Secure Design Principles And Process
3.Secure Design Principles And Process
 
Sec 572 Education Organization / snaptutorial.com
Sec 572 Education Organization / snaptutorial.comSec 572 Education Organization / snaptutorial.com
Sec 572 Education Organization / snaptutorial.com
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSEC
 
Security
SecuritySecurity
Security
 
Open Source Security – A vendor's perspective
Open Source Security – A vendor's perspectiveOpen Source Security – A vendor's perspective
Open Source Security – A vendor's perspective
 
Showing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
Showing How Security Has (And Hasn't) Improved, After Ten Years Of TryingShowing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
Showing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best Practices
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
 
Break it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure softwareBreak it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure software
 

More from brittneyj3

Research TopicCorporations are making the assumption that ever.docx
Research TopicCorporations are making the assumption that ever.docxResearch TopicCorporations are making the assumption that ever.docx
Research TopicCorporations are making the assumption that ever.docxbrittneyj3
 
Research two (2) manufacturing or two (2) service companies that m.docx
Research two (2) manufacturing or two (2) service companies that m.docxResearch two (2) manufacturing or two (2) service companies that m.docx
Research two (2) manufacturing or two (2) service companies that m.docxbrittneyj3
 
Research Topic  Stratgic planning in Information Technology.docx
Research Topic  Stratgic planning in Information Technology.docxResearch Topic  Stratgic planning in Information Technology.docx
Research Topic  Stratgic planning in Information Technology.docxbrittneyj3
 
RESEARCH TOPIC; SOCIAL WORKERS AND IDENTIFICATION OF HUMAN TRAFF.docx
RESEARCH TOPIC; SOCIAL WORKERS AND IDENTIFICATION OF HUMAN TRAFF.docxRESEARCH TOPIC; SOCIAL WORKERS AND IDENTIFICATION OF HUMAN TRAFF.docx
RESEARCH TOPIC; SOCIAL WORKERS AND IDENTIFICATION OF HUMAN TRAFF.docxbrittneyj3
 
Research topic What is the impact of Gamification on security train.docx
Research topic What is the impact of Gamification on security train.docxResearch topic What is the impact of Gamification on security train.docx
Research topic What is the impact of Gamification on security train.docxbrittneyj3
 
Research Title VII of the Civil Rights Act of 1964 and discuss why i.docx
Research Title VII of the Civil Rights Act of 1964 and discuss why i.docxResearch Title VII of the Civil Rights Act of 1964 and discuss why i.docx
Research Title VII of the Civil Rights Act of 1964 and discuss why i.docxbrittneyj3
 
Research topic StakeholderInstructionsYour submission .docx
Research topic StakeholderInstructionsYour submission .docxResearch topic StakeholderInstructionsYour submission .docx
Research topic StakeholderInstructionsYour submission .docxbrittneyj3
 
Research Theory, Design, and Methods Walden University © .docx
Research Theory, Design, and Methods Walden University © .docxResearch Theory, Design, and Methods Walden University © .docx
Research Theory, Design, and Methods Walden University © .docxbrittneyj3
 
Research the secondary transition services for students with disabil.docx
Research the secondary transition services for students with disabil.docxResearch the secondary transition services for students with disabil.docx
Research the secondary transition services for students with disabil.docxbrittneyj3
 
Research the use of social stories for teaching socially appro.docx
Research the use of social stories for teaching socially appro.docxResearch the use of social stories for teaching socially appro.docx
Research the use of social stories for teaching socially appro.docxbrittneyj3
 
Research the variety of enumeration tools available. Select one tool.docx
Research the variety of enumeration tools available. Select one tool.docxResearch the variety of enumeration tools available. Select one tool.docx
Research the variety of enumeration tools available. Select one tool.docxbrittneyj3
 
Research Topic and Methodology Form—Unit 4Use the research s.docx
Research Topic and Methodology Form—Unit 4Use the research s.docxResearch Topic and Methodology Form—Unit 4Use the research s.docx
Research Topic and Methodology Form—Unit 4Use the research s.docxbrittneyj3
 
Research TitleStudent NameCourse Number – TermYearProfess.docx
Research TitleStudent NameCourse Number – TermYearProfess.docxResearch TitleStudent NameCourse Number – TermYearProfess.docx
Research TitleStudent NameCourse Number – TermYearProfess.docxbrittneyj3
 
Research these topics topics for a two to three page paper. Write th.docx
Research these topics topics for a two to three page paper. Write th.docxResearch these topics topics for a two to three page paper. Write th.docx
Research these topics topics for a two to three page paper. Write th.docxbrittneyj3
 
Research the web to identify a SystemsSoftware Development Lifecycl.docx
Research the web to identify a SystemsSoftware Development Lifecycl.docxResearch the web to identify a SystemsSoftware Development Lifecycl.docx
Research the web to identify a SystemsSoftware Development Lifecycl.docxbrittneyj3
 
Research the specific domains and components of the COBIT Framework..docx
Research the specific domains and components of the COBIT Framework..docxResearch the specific domains and components of the COBIT Framework..docx
Research the specific domains and components of the COBIT Framework..docxbrittneyj3
 
Residency5COVER PAGETable of Conte.docx
Residency5COVER PAGETable of Conte.docxResidency5COVER PAGETable of Conte.docx
Residency5COVER PAGETable of Conte.docxbrittneyj3
 
Research the role that Milton plays in Romantic writing and trac.docx
Research the role that Milton plays in Romantic writing and trac.docxResearch the role that Milton plays in Romantic writing and trac.docx
Research the role that Milton plays in Romantic writing and trac.docxbrittneyj3
 
Research the two alternative presentation applications that yo.docx
Research the two alternative presentation applications that yo.docxResearch the two alternative presentation applications that yo.docx
Research the two alternative presentation applications that yo.docxbrittneyj3
 
Research project oversight using the University Library.Writ.docx
Research project oversight using the University Library.Writ.docxResearch project oversight using the University Library.Writ.docx
Research project oversight using the University Library.Writ.docxbrittneyj3
 

More from brittneyj3 (20)

Research TopicCorporations are making the assumption that ever.docx
Research TopicCorporations are making the assumption that ever.docxResearch TopicCorporations are making the assumption that ever.docx
Research TopicCorporations are making the assumption that ever.docx
 
Research two (2) manufacturing or two (2) service companies that m.docx
Research two (2) manufacturing or two (2) service companies that m.docxResearch two (2) manufacturing or two (2) service companies that m.docx
Research two (2) manufacturing or two (2) service companies that m.docx
 
Research Topic  Stratgic planning in Information Technology.docx
Research Topic  Stratgic planning in Information Technology.docxResearch Topic  Stratgic planning in Information Technology.docx
Research Topic  Stratgic planning in Information Technology.docx
 
RESEARCH TOPIC; SOCIAL WORKERS AND IDENTIFICATION OF HUMAN TRAFF.docx
RESEARCH TOPIC; SOCIAL WORKERS AND IDENTIFICATION OF HUMAN TRAFF.docxRESEARCH TOPIC; SOCIAL WORKERS AND IDENTIFICATION OF HUMAN TRAFF.docx
RESEARCH TOPIC; SOCIAL WORKERS AND IDENTIFICATION OF HUMAN TRAFF.docx
 
Research topic What is the impact of Gamification on security train.docx
Research topic What is the impact of Gamification on security train.docxResearch topic What is the impact of Gamification on security train.docx
Research topic What is the impact of Gamification on security train.docx
 
Research Title VII of the Civil Rights Act of 1964 and discuss why i.docx
Research Title VII of the Civil Rights Act of 1964 and discuss why i.docxResearch Title VII of the Civil Rights Act of 1964 and discuss why i.docx
Research Title VII of the Civil Rights Act of 1964 and discuss why i.docx
 
Research topic StakeholderInstructionsYour submission .docx
Research topic StakeholderInstructionsYour submission .docxResearch topic StakeholderInstructionsYour submission .docx
Research topic StakeholderInstructionsYour submission .docx
 
Research Theory, Design, and Methods Walden University © .docx
Research Theory, Design, and Methods Walden University © .docxResearch Theory, Design, and Methods Walden University © .docx
Research Theory, Design, and Methods Walden University © .docx
 
Research the secondary transition services for students with disabil.docx
Research the secondary transition services for students with disabil.docxResearch the secondary transition services for students with disabil.docx
Research the secondary transition services for students with disabil.docx
 
Research the use of social stories for teaching socially appro.docx
Research the use of social stories for teaching socially appro.docxResearch the use of social stories for teaching socially appro.docx
Research the use of social stories for teaching socially appro.docx
 
Research the variety of enumeration tools available. Select one tool.docx
Research the variety of enumeration tools available. Select one tool.docxResearch the variety of enumeration tools available. Select one tool.docx
Research the variety of enumeration tools available. Select one tool.docx
 
Research Topic and Methodology Form—Unit 4Use the research s.docx
Research Topic and Methodology Form—Unit 4Use the research s.docxResearch Topic and Methodology Form—Unit 4Use the research s.docx
Research Topic and Methodology Form—Unit 4Use the research s.docx
 
Research TitleStudent NameCourse Number – TermYearProfess.docx
Research TitleStudent NameCourse Number – TermYearProfess.docxResearch TitleStudent NameCourse Number – TermYearProfess.docx
Research TitleStudent NameCourse Number – TermYearProfess.docx
 
Research these topics topics for a two to three page paper. Write th.docx
Research these topics topics for a two to three page paper. Write th.docxResearch these topics topics for a two to three page paper. Write th.docx
Research these topics topics for a two to three page paper. Write th.docx
 
Research the web to identify a SystemsSoftware Development Lifecycl.docx
Research the web to identify a SystemsSoftware Development Lifecycl.docxResearch the web to identify a SystemsSoftware Development Lifecycl.docx
Research the web to identify a SystemsSoftware Development Lifecycl.docx
 
Research the specific domains and components of the COBIT Framework..docx
Research the specific domains and components of the COBIT Framework..docxResearch the specific domains and components of the COBIT Framework..docx
Research the specific domains and components of the COBIT Framework..docx
 
Residency5COVER PAGETable of Conte.docx
Residency5COVER PAGETable of Conte.docxResidency5COVER PAGETable of Conte.docx
Residency5COVER PAGETable of Conte.docx
 
Research the role that Milton plays in Romantic writing and trac.docx
Research the role that Milton plays in Romantic writing and trac.docxResearch the role that Milton plays in Romantic writing and trac.docx
Research the role that Milton plays in Romantic writing and trac.docx
 
Research the two alternative presentation applications that yo.docx
Research the two alternative presentation applications that yo.docxResearch the two alternative presentation applications that yo.docx
Research the two alternative presentation applications that yo.docx
 
Research project oversight using the University Library.Writ.docx
Research project oversight using the University Library.Writ.docxResearch project oversight using the University Library.Writ.docx
Research project oversight using the University Library.Writ.docx
 

Recently uploaded

fourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingfourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingTeacherCyreneCayanan
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Disha Kariya
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...fonyou31
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfJayanti Pande
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxVishalSingh1417
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...christianmathematics
 
General AI for Medical Educators April 2024
General AI for Medical Educators April 2024General AI for Medical Educators April 2024
General AI for Medical Educators April 2024Janet Corral
 
9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room servicediscovermytutordmt
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpinRaunakKeshri1
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfAdmir Softic
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 

Recently uploaded (20)

fourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingfourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writing
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
General AI for Medical Educators April 2024
General AI for Medical Educators April 2024General AI for Medical Educators April 2024
General AI for Medical Educators April 2024
 
9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpin
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 

Residency ResearchISOL 536 Security Architecture and Design.docx

  • 1. Residency Research ISOL 536 Security Architecture and Design Using Resources to Promote Critical Thinking Critical thinking is an integral part of any educational program At UC, we encourage and provide applicable resources for the promotion of critical thinking In order to properly research and complete course papers, proper resources must be utilized Critical Thinking helps us to: Understand the links between ideas. Determine the importance and relevance of arguments and ideas. Recognize, build and appraise arguments. Identify inconsistencies and errors in reasoning. Approach problems in a consistent and systematic way. Reflect on the justification of their own assumptions, beliefs and values. http://www.skillsyouneed.com/learn/critical-thinking.html Researching Using the Critical Questions When using research resources, it is imperative to review the
  • 2. six critical questions and implement that data into your writings. Proper Resources for Research When asked to completed a research paper in the UC School for Computer and Information Sciences, you must use scholarly, peer-reviewed articles. A peer-reviewed article is one that has “been evaluated by several researchers or subject specialist in the academic community prior to accepting it for publication” and is “also known as scholarly or refereed.” Your professor or the UC Librarian team can help you determine whether or not an article is peer-reviewed. Proper Resources for Research Examples of sites with peer-reviewed resources UC Library Site EBSCOhost JSTOR Google Scholar Examples of sites with unacceptable resources PC Magazine Cisco Ars Technica Reddit Proper Format is Important All papers written for courses within the School for Computer and Information Sciences must follow the American Psychological Association (APA) writing style.
  • 3. University Resources The UC Library provides a myriad of online resources to assist students with proper research Resources referring to Information Security can be found inside the UC Library site www.ucumberlands.edu/library Groups Group 1 Group Topic: Meltdown [email protected][email protected][email protected][email prote cted][email protected][email protected] Group 2 Group Topic: Spectre [email protected][email protected][email protected][email prote cted][email protected][email protected] Group 3 Group Topic: ZombieLoad [email protected][email protected][email protected][email prote cted][email protected][email protected]
  • 4. Group 4 Group Topic: RIDL [email protected][email protected][email protected][email prote cted][email protected] Group 5 Group Topic: Fallout [email protected][email protected][email protected][email prote cted][email protected] Research Topic Security researchers have discovered major vulnerabilities with the design of Intel chips The vulnerabilities stem from several issues and their immediate remediations create severe loss of performance Each vulnerability is similar but different Research Topic DO Provide a working knowledge of your assigned vulnerability Compare and contrast your assigned vulnerability with others Deeply research the use of threat modeling and secure architecture Tie your research back to recommendations for remediation of the vulnerability DO NOT Dive deep into the mathematics of the vulnerability Disassociate your peer-reviewed scholarly research from the
  • 5. vulnerability Plagiarize and copy/paste from sites Forget the topics of our course (e.g. STRIDE) Research Paper 10-15 pages Double spaced APA style At least 10 references At least 5 of your references must be scholarly peer-reviewed articles Research Paper Find and review peer-reviewed scholarly articles concerning security architecture, secure design, and threat modeling Find and review other information that associates with your topic area Apply research from articles on chosen topic area to create research paper Research Presentation Goal is to summarize your research and recommendations Must present for at least 25 minutes but no more than 30 minutes Your group will be randomly selected for presentation All group members need to participate in the presentation
  • 6. ISOL536 | Security Architecture and Design Dr. Justin O. Hensley School of Computer and Information Sciences 1 Overview and stride review 2 Ways to Find Security Issues Static analysis of code Fuzzing or other dynamic testing Pen test/red team Wait for bug reports after release All of these are fine, but as you go down the list, you’re going later and later in the development process. So when you find
  • 7. bugs, you may have a hard time fixing them, because you might have dependencies on behavior such as taking large complex input from an untrusted party, or your libraries may not handle issues like sql injection well, or you might be using an untyped language like C. 3 Ways to Find Security Issues Threat modeling! Think about security issues early Understand your requirements better Don’t write bugs into the code And the subject of this course 4 Definitions What is a threat? How is it different from a vulnerability, risk, or just a problem? What is a model? Many people get stuck on these. Definitions matter. Many
  • 8. people don’t understand the definition of a threat and how it’s different from a vulnerability, a risk, or a problem. “Threat” means the bad thing that might happen. “Threat” can also refer to a person, or a piece of malware, but we don’t use those definitions here. “Vulnerability” is a term of art for code that can be automatically exploited, or more generally, a weakness that can be exploited. MODEL: a system or thing used as an example to follow or imitate. 5 How to Threat Model What are you building? What can go wrong? What are you going to do about it? Did you complete a good analysis? The course will teach you practical skills for each of these 6 Addressing the Threat
  • 9. 7 Mitigate Eliminate Transfer Accept Validation of the Model 8 Check the model Check each threat Check the tests STRIDEThreatProperty ViolatedDefinitionExampleSpoofingAuthenticationImpersonatin
  • 10. g something or someone else.Pretending to be any of Bill Gates, Paypal.com or ntdll.dllTamperingIntegrityModifying data or codeModifying a DLL on disk or DVD, or a packet as it traverses the networkRepudiationNon-repudiationClaiming to have not performed an action.“I didn’t send that email,” “I didn’t modify that file,” “I certainly didn’t visit that web site, dear!”Information DisclosureConfidentialityExposing information to someone not authorized to see itAllowing someone to read the Windows source code; publishing a list of customers to a web site.Denial of ServiceAvailabilityDeny or degrade service to usersCrashing Windows or a web site, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole.Elevation of PrivilegeAuthorizationGain capabilities without proper authorizationAllowing a remote Internet user to run commands is the classic example, but going from a limited user to admin is also EoP. 9 What Can Go Wrong? Track issues as you find them “attacker could pretend to be a client & connect” Track assumptions “I think that connection is always over SSL” Both lists are inputs to “what are you going to do about it?”
  • 11. 10 Spoofing On the Local MachineThreat ExampleWhat the Attacker DoesNotes/ExamplesSpoofing a process Creates a file before the real processThen your process relies on itAbuses namesCreate a version of “sudo” and alter PATHSpoofing a filenameCreates a file in the local directoryLibrary, executable or config fileCreates a link, changes itAlso called ‘race condition’ or TOCTOUCreates many files in a target directoryCode can easily create all possible /tmp/foo.random 11 Tampering with MemoryThreat ExampleWhat the Attacker DoesNotes/ExamplesModifying codeChanges your code to suit themselvesHard to defend against if the attacker is running code inside the trust boundariesModifying data they’ve suppliedSupplies data to a pass by reference API, then changes itWorks because of TOCTOU issuesSupplies data into a shared memory segment, then changes it 12 RepudiationThreat ExampleWhat the Attacker
  • 12. DoesNotes/examplesRepudiating an actionClaims to have not clickedMaybe they did, maybe they didn’t, maybe they’re honestly confusedClaims to not have received1. Electronic or physical 2. Receipt is strange; does a client downloading email mean you’ve seen it? Did a network proxy pre-fetch images? Was a package left on a porch?Claims to be a fraud victimUses someone else’s account 13 Information Disclosure (Processes)Threat ExampleWhat the Attacker DoesNotes/ExamplesExtracts user dataExploits bugs like SQL injection to read db tablesCan find this by looking to data stores, but here the issue is the process returning data it shouldn’tReads error messages Extracts machine secretsReads error messagesCannot connect to database ‘foo’ as user ‘sql’ with password ‘&IO*(^&’Exploits bugs“Heartbleed” 14 Information Disclosure (Data Stores)Sub-categoryWhat the Attacker DoesPermissionsTake advantage of missing or inappropriate ACLsTake advantage of bad database permissionsFile files protected by obscuritySecurityFind crypto keys on disk or in memoryGet data from logs/temp filesGet data
  • 13. from swap filesSee interesting information in filenames/directory namesNetworkSee data traversing a networkMiscObtain device, boot in new OS 15 Information Disclosure (Data Flow)Sub-categoryWhat the Attacker DoesNetworkRead data on a networkRedirects traffics to enable reading data on the networkMetadataLearns secrets by analyzing trafficLearns who talks to whom by watching the DNSLearns who talks to whom by analyzing social network information 16 Denial of ServiceThreat ExampleWhat the Attacker DoesNotes/ExamplesAgainst a processAbsorb memory (ram or disk)Absorb CPUUses a process as an amplifierAgainst business logic“Too many login attempts”Against a data storeFills the data storeMakes enough requests to slow the systemAgainst a data flowConsumes network resources Can be temporary (as the attack continues; fill the network) or persist beyond that (fill a disk)
  • 14. 17 Elevation of Privilege (“EoP”)Threat ExampleWhat the Attacker DoesNotes/ExamplesEoP Against process via corruptionSends inputs the code doesn’t handle properlyVery common, usually high impactGains read/write access to memoryWriting memory more obviously badEoP via misused authorization checksEoP via buggy authorization checksCentralizing checking makes consistency, correctness easierEoP via data tamperingModify bits on disk 18 ISOL536 | Security Architecture and Design Dr. Justin O. Hensley School of Computer and Information Sciences 19
  • 15. ISOL536 | Security Architecture and Design Dr. Justin O. Hensley School of Computer and Information Sciences 1 Introduction and expectations 2 Introduce yourself
  • 16. 3 Goals for Residency Successfully complete part of course requirements Strengthen research skills Make professional connections Increase social and soft skills Have fun! 4 Expectations for Residency Come early Give attention Respect colleagues Participate equally Produce exceptional work 5 Review schedule
  • 17. 6 ISOL536 | Security Architecture and Design Dr. Justin O. Hensley School of Computer and Information Sciences 7