The document provides an introduction to computer security concepts including examples of security breaches from an FBI/CSI report, the basic pillars of security known as confidentiality, integrity and availability, vulnerabilities, threats and controls, different types of attackers, and how to respond to security exploits. It outlines the topics to be covered in the course such as methods of defense and security principles.
Security+ Guide to Network Security Fundamentals, 3rd Edition, by Mark Ciampa
Knowledge and skills required for Network Administrators and Information Technology professionals to be aware of security vulnerabilities, to implement security measures, to analyze an existing network environment in consideration of known security threats or risks, to defend against attacks or viruses, and to ensure data privacy and integrity. Terminology and procedures for implementation and configuration of security, including access control, authorization, encryption, packet filters, firewalls, and Virtual Private Networks (VPNs).
CNIT 120: Network Security
http://samsclass.info/120/120_S09.shtml#lecture
Policy: http://samsclass.info/policy_use.htm
Many thanks to Sam Bowne for allowing to publish these presentations.
Security+ Guide to Network Security Fundamentals, 3rd Edition, by Mark Ciampa
Knowledge and skills required for Network Administrators and Information Technology professionals to be aware of security vulnerabilities, to implement security measures, to analyze an existing network environment in consideration of known security threats or risks, to defend against attacks or viruses, and to ensure data privacy and integrity. Terminology and procedures for implementation and configuration of security, including access control, authorization, encryption, packet filters, firewalls, and Virtual Private Networks (VPNs).
CNIT 120: Network Security
http://samsclass.info/120/120_S09.shtml#lecture
Policy: http://samsclass.info/policy_use.htm
Many thanks to Sam Bowne for allowing to publish these presentations.
Cyber Security introduction. Cyber security definition. Vulnerabilities. Social engineering and human error. Financial cost of security breaches. Computer protection. The cyber security job market
FellowBuddy.com is an innovative platform that brings students together to share notes, exam papers, study guides, project reports and presentation for upcoming exams.
We connect Students who have an understanding of course material with Students who need help.
Benefits:-
# Students can catch up on notes they missed because of an absence.
# Underachievers can find peer developed notes that break down lecture and study material in a way that they can understand
# Students can earn better grades, save time and study effectively
Our Vision & Mission – Simplifying Students Life
Our Belief – “The great breakthrough in your life comes when you realize it, that you can learn anything you need to learn; to accomplish any goal that you have set for yourself. This means there are no limits on what you can be, have or do.”
Like Us - https://www.facebook.com/FellowBuddycom
Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical)
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Cyber Security introduction. Cyber security definition. Vulnerabilities. Social engineering and human error. Financial cost of security breaches. Computer protection. The cyber security job market
FellowBuddy.com is an innovative platform that brings students together to share notes, exam papers, study guides, project reports and presentation for upcoming exams.
We connect Students who have an understanding of course material with Students who need help.
Benefits:-
# Students can catch up on notes they missed because of an absence.
# Underachievers can find peer developed notes that break down lecture and study material in a way that they can understand
# Students can earn better grades, save time and study effectively
Our Vision & Mission – Simplifying Students Life
Our Belief – “The great breakthrough in your life comes when you realize it, that you can learn anything you need to learn; to accomplish any goal that you have set for yourself. This means there are no limits on what you can be, have or do.”
Like Us - https://www.facebook.com/FellowBuddycom
Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical)
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
GridMate - End to end testing is a critical piece to ensure quality and avoid...ThomasParaiso2
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
2. 2
Introduction to Security
Outline
1. Examples – Security in Practice
2. What is „Security?”
3. Pillars of Security:
Confidentiality, Integrity, Availability (CIA)
4. Vulnerabilities, Threats, and Controls
5. Attackers
6. How to React to an Exploit?
7. Methods of Defense
8. Principles of Computer Security
3. 3 [cf. Csilla Farkas, University of South Carolina]
Information hiding
Privacy
Security
Trust
Applications
Policy making
Formal models
Negotiation
Network security
Anonymity
Access control
Semantic web security
Encryption
Data mining
System monitoring
Computer epidemic
Data provenance
Fraud
Biometrics
Integrity
Vulnerabilities
Threats
4. 4
1. Examples – Security in Practice
From CSI/FBI Report 2002
90% detected computer security breaches within the last year
80% acknowledged financial losses
44% were willing and/or able to quantify their financial losses.
These 223 respondents reported $455M in financial losses.
The most serious financial losses occurred through theft of proprietary information and
financial fraud:
26 respondents: $170M
25 respondents: $115M
For the fifth year in a row, more respondents (74%) cited their Internet connection as a
frequent point of attack than cited their internal systems as a frequent point of attack (33%).
34% reported the intrusions to law enforcement. (In 1996, only 16% acknowledged
reporting intrusions to law enforcement.)
Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
5. 5
More from CSI/FBI 2002
40% detected external penetration
40% detected denial of service attacks.
78% detected employee abuse of Internet access privileges
85% percent detected computer viruses.
38% suffered unauthorized access or misuse on their Web sites
within the last twelve months. 21% didn’t know.
[includes insider attacks]
12% reported theft of transaction information.
6% percent reported financial fraud (only 3% in 2000).
[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
6. 6
Critical Infrastructure Areas
Include:
Telecommunications
Electrical power systems
Water supply systems
Gas and oil pipelines
Transportation
Government services
Emergency services
Banking and finance
…
7. 7
2. What is a “Secure” Computer System?
To decide whether a computer system is “secure”, you must
first decide what “secure” means to you, then identify the
threats you care about.
You Will Never Own a Perfectly Secure System!
Threats - examples
Viruses, trojan horses, etc.
Denial of Service
Stolen Customer Data
Modified Databases
Identity Theft and other threats to personal privacy
Equipment Theft
Espionage in cyberspace
Hack-tivism
Cyberterrorism
…
8. 8
3. Basic Components of Security:
Confidentiality, Integrity, Availability (CIA)
CIA
Confidentiality: Who is authorized to use data?
Integrity: Is data „good?”
Availability: Can access data whenever need it?
C I
A
S
S = Secure
CIA or CIAAAN…
(other security components added to CIA)
Authentication
Authorization
Non-repudiation
…
9. 9
Need to Balance CIA
Example 1: C vs. I+A
Disconnect computer from Internet to increase confidentiality
Availability suffers, integrity suffers due to lost updates
Example 2: I vs. C+A
Have extensive data checks by different people/systems to
increase integrity
Confidentiality suffers as more people see data, availability
suffers due to locks on data under verification)
10. 10
Confidentiality
“Need to know” basis for data access
How do we know who needs what data?
Approach: access control specifies who can access what
How do we know a user is the person she claims to be?
Need her identity and need to verify this identity
Approach: identification and authentication
Analogously: “Need to access/use” basis for
physical assets
E.g., access to a computer room, use of a desktop
Confidentiality is:
difficult to ensure
easiest to assess in terms of success (binary in nature:
Yes / No)
11. 11
Integrity
Integrity vs. Confidentiality
Concerned with unauthorized modification of assets (=
resources)
Confidentiality - concered with access to assets
Integrity is more difficult to measure than confidentiality
Not binary – degrees of integrity
Context-dependent - means different things in different
contexts
Could mean any subset of these asset properties:
{ precision / accuracy / currency / consistency /
meaningfulness / usefulness / ...}
Types of integrity—an example
Quote from a politician
Preserve the quote (data integrity) but misattribute (origin
integrity)
12. 12
Availability (1)
Not understood very well yet
„[F]ull implementation of availability is security’s next
challenge”
E.g. Full implemenation of availability for Internet users
(with ensuring security)
Complex
Context-dependent
Could mean any subset of these asset (data or service)
properties :
{ usefulness / sufficient capacity /
progressing at a proper pace /
completed in an acceptable period of time / ...}
[Pfleeger & Pfleeger]
13. 13
Availability (2)
We can say that an asset (resource) is
available if:
Timely request response
Fair allocation of resources (no starvation!)
Fault tolerant (no total breakdown)
Easy to use in the intended way
Provides controlled concurrency (concurrency
control, deadlock control, ...)
[Pfleeger & Pfleeger]
14. 14
4. Vulnerabilities, Threats, and Controls
Understanding Vulnerabilities, Threats, and Controls
Vulnerability = a weakness in a security system
Threat = circumstances that have a potential to cause harm
Controls = means and ways to block a threat, which tries to
exploit one or more vulnerabilities
Most of the class discusses various controls and their effectiveness
[Pfleeger & Pfleeger]
Example - New Orleans disaster (Hurricane Katrina)
Q: What were city vulnerabilities, threats, and controls?
A: Vulnerabilities: location below water level, geographical location in
hurricane area, …
Threats: hurricane, dam damage, terrorist attack, …
Controls: dams and other civil infrastructures, emergency response
plan, …
15. 15
Attack (materialization of a vulnerability/threat combination)
= exploitation of one or more vulnerabilities by a threat; tries to defeat
controls
Attack may be:
Successful (a.k.a. an exploit)
resulting in a breach of security, a system penetration, etc.
Unsuccessful
when controls block a threat trying to exploit a vulnerability
[Pfleeger & Pfleeger]
16. 16
Threat Spectrum
Local threats
Recreational hackers
Institutional hackers
Shared threats
Organized crime
Industrial espionage
Terrorism
National security threats
National intelligence
Info warriors
17. 17
Kinds of Threats
Kinds of threats:
Interception
an unauthorized party (human or not) gains access to
an asset
Interruption
an asset becomes lost, unavailable, or unusable
Modification
an unauthorized party changes the state of an asset
Fabrication
an unauthorized party counterfeits an asset
[Pfleeger & Pfleeger]
Examples?
18. 18
Levels of Vulnerabilities / Threats
(reversed order to illustrate interdependencies)
D) for other assets (resources)
including. people using data, s/w, h/w
C) for data
„on top” of s/w, since used by s/w
B) for software
„on top” of h/w, since run on h/w
A) for hardware
[Pfleeger & Pfleeger]
19. 19
A) Hardware Level of Vulnerabilities /
Threats
Add / remove a h/w device
Ex: Snooping, wiretapping
Snoop = to look around a place secretly in order to discover things
about it or the people connected with it. [Cambridge Dictionary of
American English]
Ex: Modification, alteration of a system
...
Physical attacks on h/w => need physical security: locks and
guards
Accidental (dropped PC box) or voluntary (bombing a
computer room)
Theft / destruction
Damage the machine (spilled coffe, mice, real bugs)
Steal the machine
„Machinicide:” Axe / hammer the machine
...
20. 20
Example of Snooping:
Wardriving / Warwalking, Warchalking,
Wardriving/warwalking -- driving/walking
around with a wireless-enabled notebook looking
for unsecured wireless LANs
Warchalking -- using chalk markings to show the
presence and vulnerabilities of wireless networks
nearby
E.g., a circled "W” -- indicates a WLAN
protected by Wired Equivalent Privacy (WEP)
encryption
[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
21. 21
B) Software Level of Vulnerabilities /
Threats
Software Deletion
Easy to delete needed software by mistake
To prevent this: use configuration management
software
Software Modification
Trojan Horses, , Viruses, Logic Bombs, Trapdoors,
Information Leaks (via covert channels), ...
Software Theft
Unauthorized copying
via P2P, etc.
22. 22
Types of Malicious Code
Bacterium - A specialized form of virus which does not attach to a specific file. Usage obscure.
Logic bomb - Malicious [program] logic that activates when specified conditions are met.
Usually intended to cause denial of service or otherwise damage system resources.
Trapdoor - A hidden computer flaw known to an intruder, or a hidden computer mechanism
(usually software) installed by an intruder, who can activate the trap door to gain access to the
computer without being blocked by security services or mechanisms.
Trojan horse - A computer program that appears to have a useful function, but also has a
hidden and potentially malicious function that evades security mechanisms, sometimes by
exploiting legitimate authorizations of a system entity that invokes the program.
Virus - A hidden, self-replicating section of computer software, usually malicious logic, that
propagates by infecting (i.e., inserting a copy of itself into and becoming part of) another
program. A virus cannot run by itself; it requires that its host program be run to make the virus
active.
Worm - A computer program that can run independently, can propagate a complete working
version of itself onto other hosts on a network, and may consume computer resources
destructively.
More types of malicious code exist… [cf. http://www.ietf.org/rfc/rfc2828.txt]
23. 23
C) Data Level of Vulnerabilities / Threats
How valuable is your data?
Credit card info vs. your home phone number
Source code
Visible data vs. context
„2345” -> Phone extension or a part of SSN?
Adequate protection
Cryptography
Good if intractable for a long time
Threat of Identity Theft
Cf. Federal Trade Commission: http://www.consumer.gov/idtheft/
24. 24
Identity Theft
Cases in 2003:
Credit card skimmers plus drivers license, Florida
Faked social security and INS cards $150-$250
Used 24 aliases – used false id to secure credit cards,
open mail boxes and bank accounts, cash fraudulently
obtained federal income tax refund checks, and launder
the proceeds
Bank employee indicted for stealing depositors'
information to apply over the Internet for loans
$7M loss, Florida: Stole 12,000 cards from restaurants
via computer networks and social engineering
Federal Trade Commission:
http://www.consumer.gov/idtheft/
[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
25. 25
Types of Attacks on Data CIA
Disclosure
Attack on data confidentiality
Unauthorized modification / deception
E.g., providing wrong data (attack on data integrity)
Disruption
DoS (attack on data availability)
Usurpation
Unauthorized use of services (attack on data confidentiality, integrity
or availability)
26. 26
Ways of Attacking Data CIA
Examples of Attacks on Data Confidentiality
Tapping / snooping
Examples of Attacks on Data Integrity
Modification: salami attack -> little bits add up
E.g/ „shave off” the fractions of cents after interest calculations
Fabrication: replay data -> send the same thing again
E.g., a computer criminal replays a salary deposit to his account
Examples of Attacks on Data Availability
Delay vs. „full” DoS
Examples of Repudiation Attacks on Data:
Data origin repudiation: „I never sent it”
Repudiation = refusal to acknowledge or pay a debt or honor a contract
(especially by public authorities).
[http://www.onelook.com]
Data receipt repudiation: „I never got it”
27. 27
D) Vulnerab./Threats at Other Exposure
Points
Network vulnerabilities / threats
Networks multiply vulnerabilties and threats, due to:
their complexity => easier to make design/implem./usage
mistakes
„bringing close” physically distant attackers
Esp. wireless (sub)networks
Access vulnerabilities / threats
Stealing cycles, bandwidth
Malicious physical access
Denial of access to legitimate users
People vulnerabilities / threats
Crucial weak points in security
too often, the weakest links in a security chain
Honest insiders subjected to skillful social engineering
Disgruntled employees
28. 28
5. Attackers
Attackers need MOM
Method
Skill, knowledge, tools, etc. with which to pull off an attack
Opportunity
Time and access to accomplish an attack
Motive
Reason to perform an attack
29. 29
Types of Attackers
Types of Attackers - Classification 1
Amateurs
Opportunistic attackers (use a password they found)
Script kiddies
Hackers - nonmalicious
In broad use beyond security community: also malicious
Crackers – malicious
Career criminals
State-supported spies and information warriors
Types of Attackers - Classification 2 (cf. before)
Recreational hackers / Institutional hackers
Organized criminals / Industrial spies / Terrorists
National intelligence gatherers / Info warriors
30. 30
Example: Hacking As Social Protest
Hactivism
Electro-Hippies
DDOS attacks on government agencies
SPAM attacks as “retaliation”
[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
31. 31
High
Technical Knowledge
Required
Sophistication of
Hacker Tools
Password Guessing
Password Cracking
Time
Self-Replicating Code
Back Doors
Hijacking Sessions
Sweepers Sniffers
Stealth Diagnotics
DDOS
Packet Forging & Spoofing
New Internet
Attacks
[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
32. 32
6. Reacting to an Exploit
Exploit = successful attack
Report to the vendor first?
Report it to the public?
What will be public relations effects if you do/do not?
Include source code / not include source code?
Etc.
33. 33
“To Report or Not To Report:”
Tension between Personal Privacy
and Public Responsibility
An info tech company will typically lose between
ten and one hundred times more money from
shaken consumer confidence than the hack attack
itself represents if they decide to prosecute the
case.
Mike Rasch, VP Global Security, testimony before the
Senate Appropriations Subcommittee, February 2000
reported in The Register and online testimony transcript
[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
34. 34
Further Reluctance to Report
One common fear is that a crucial piece of equipment,
like a main server, say, might be impounded for
evidence by over-zealous investigators, thereby
shutting the company down.
Estimate: fewer than one in ten serious intrusions are
ever reported to the authorities.
Mike Rasch, VP Global Security, testimony before the Senate
Appropriations Subcommittee, February 2000
reported in The Register and online testimony transcript
Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
36. 36
7. Methods of Defense
Five basic approaches to defense of
computing systems
Prevent attack
Block attack / Close vulnerability
Deter attack
Make attack harder (can’t make it impossible )
Deflect attack
Make another target more attractive than this
target
Detect attack
During or after
Recover from attack
38. 38
Medieval castles
location (steep hill, island, etc.)
moat / drawbridge / walls / gate / guards /passwords
another wall / gate / guards /passwords
yet another wall / gate / guards /passwords
tower / ladders up
Multiple controls in computing systems can include:
system perimeter – defines „inside/outside”
preemption – attacker scared away
deterrence – attacker could not overcome defenses
faux environment (e.g. honeypot, sandbox) – attack
deflected towards a worthless target (but the attacker
doesn’t know about it!)
Note layered defense /
multilevel defense / defense in depth (ideal!)
39. 39
A.1) Controls: Encryption
Primary controls!
Cleartext scambled into ciphertext (enciphered text)
Protects CIA:
confidentiality – by „masking” data
integrity – by preventing data updates
e.g., checksums included
availability – by using encryption-based protocols
e.g., protocols ensure availablity of resources for
different users
40. 40
A.2) Controls: Software Controls
Secondary controls – second only to encryption
Software/program controls include:
OS and network controls
E.g. OS: sandbox / virtual machine
Logs/firewalls, OS/net virus scans, recorders
independent control programs (whole programs)
E.g. password checker, virus scanner, IDS (intrusion detection
system)
internal program controls (part of a program)
E.g. read/write controls in DBMSs
development controls
E.g. quality standards followed by developers
incl. testing
41. 41
Considerations for Software Controls:
Impact on user’s interface and workflow
E.g. Asking for a password too often?
42. 42
A.3) Controls: Hardware Controls
Hardware devices to provide higher degree of security
Locks and cables (for notebooks)
Smart cards, dongles, hadware keys, ...
...
43. 43
A.4) Controls: Policies and Procedures
Policy vs. Procedure
Policy: What is/what is not allowed
Procedure: How you enforce policy
Advantages of policy/procedure controls:
Can replace hardware/software controls
Can be least expensive
Be careful to consider all costs
E.g. help desk costs often ignored for for passwords (=> look cheap
but migh be expensive)
44. 44
Policy - must consider:
Alignment with users’ legal and ethical standards
Probability of use (e.g. due to inconvenience)
Inconvenient: 200 character password,
change password every week
(Can be) good: biometrics replacing passwords
Periodic reviews
As people and systems, as well as their goals, change
45. 45
A.5) Controls: Physical Controls
Walls, locks
Guards, security cameras
Backup copies and archives
Cables an locks (e.g., for notebooks)
Natural and man-made disaster protection
Fire, flood, and earthquake protection
Accident and terrorism protection
...
46. 46
B) Effectiveness of Controls
Awareness of problem
People convined of the need for these controls
Likelihood of use
Too complex/intrusive security tools are often disabled
Overlapping controls
>1 control for a given vulnerability
To provide layered defense – the next layer compensates for a
failure of the previous layer
Periodic reviews
A given control usually becomess less effective with time
Need to replace ineffective/inefficient controls with better ones
47. 47
8. Principles of Computer Security
[Pfleeger and Pfleeger]
Principle of Easiest Penetration (p.5)
An intruder must be expected to use any available
means of penetration.
The penetration may not necessarily be by the most obvious
means, nor is it necessarily the one against which the most
solid defense has been installed.
Principle of Adequate Protection (p.16)
Computer items must be protected to a degree
consistent with their value and only until they lose
their value. [modified by LL]
48. 48
Principle of Effectiveness (p.26)
Controls must be used—and used properly—to be
effective.
They must be efficient, easy to use, and appropriate.
Principle of Weakest Link (p.27)
Security can be no stronger than its weakest link.
Whether it is the power supply that powers the firewall or
the operating system under the security application or the
human, who plans, implements, and administers controls, a
failure of any control can lead to a security failure.