The document discusses various types of system vulnerabilities including hardware, software, network, and procedural vulnerabilities that can compromise security. It also outlines network security measures and tools such as firewalls, encryption, and antivirus software to protect against cyber threats. Additionally, it highlights the importance of application security, emphasizing authentication, authorization, and security testing to prevent unauthorized access and data breaches.

1. BCSE353E: Information Security
Analysis and Audit
A. Avinash, Ph.D.
School of Computer Science and Engineering
Vellore Institute of Technology (VIT), Chennai

2. System Vulnerabilities
• Vulnerabilities are weaknesses in a system
that gives threats the opportunity to
compromise assets.
– 1. Hardware Vulnerability
– 2. Software Vulnerability
– 3. Network Vulnerability
– 4. Procedural Vulnerability

3. System Vulnerabilities
1. Hardware Vulnerability
– A hardware vulnerability is a weakness which can
be used to attack the system hardware through
physically or remotely.
For examples:
• Old version of systems or devices
• Unprotected storage
• Unencrypted devices, etc

4. System Vulnerabilities
2. Software Vulnerability:
– A software error happen in development or
configuration such as the execution of it can
violate the security policy. For examples:
• Lack of input validation
• Unverified uploads
• Cross-site scripting
• Unencrypted data, etc.

5. System Vulnerabilities
3. Network Vulnerability:
– A weakness happen in network which can be
hardware or software.
For examples:
• Unprotected communication
• Malware or malicious software (e.g.:Viruses,
Keyloggers, Worms, etc)
• Social engineering attacks
• Misconfigured firewalls

6. System Vulnerabilities
4. Procedural Vulnerability:
– A weakness happen in an organization operational
methods.
For examples:
• Password procedure – Password should follow the
standard password policy.
• Training procedure – Employees must know which
actions should be taken and what to do to handle the
security. Employees must never be asked for user
credentials online. Make the employees know social
engineering and phishing threats.

7. Network Security Systems

8. Network Security Systems
• It is a set of rules and configurations designed
to protect the integrity, confidentiality and
accessibility of computer networks and data
using both software and hardware
technologies.
• Every organization, regardless of size, industry
or infrastructure, requires a degree of
network security solutions in place to protect
it from the ever-growing landscape of cyber
threats in the wild today.

9. Network Security Systems
• Physical Network Security
– Physical security controls are designed to prevent
unauthorized personnel from gaining physical
access to network components such as routers,
cabling cupboards and so on.
– Controlled access, such as locks, biometric
authentication and other devices, is essential in
any organization.

10. Network Security Systems
• Technical Network Security
– Technical security controls protect data that is
stored on the network or which is in transit
across, into or out of the network.
– Protection is twofold; it needs to protect data and
systems from unauthorized personnel, and it also
needs to protect against malicious activities from
employees.

11. Network Security Systems
• Administrative Network Security
– Administrative security controls consist of security
policies and processes that control user behavior,
including how users are authenticated, their level
of access and also how IT staff members
implement changes to the infrastructure.

12. System Security
• The objective of system security is the
protection of information and property from
theft, corruption and other types of damage,
while allowing the information and property
to remain accessible and productive.
• System security includes the development and
implementation of security countermeasures.

13. System Security
• Security can be compromised via any of the
breaches mentioned:
– Breach of confidentiality:
• This type of violation involves the unauthorized reading of
data.
– Breach of integrity:
• This violation involves unauthorized modification of data.
– Breach of availability:
• It involves unauthorized destruction of data.
– Theft of service:
• It involves unauthorized use of resources.
– Denial of service:
• It involves preventing legitimate use of the system.

14. System Security
• There are a number of different approaches to
computer system security,
– Firewall
– Data encryption
– Passwords and biometrics.

15. System Security
• Firewall
– One widely used strategy to improve system
security is to use a firewall.
– A firewall consists of software and hardware set
up between an internal computer network and
the Internet.
– A computer network manager sets up the rules for
the firewall to filter out unwanted intrusions.
These rules are set up in such a way that
unauthorized access is much more difficult.

16. System Security
• Firewall
– A system administrator can decide, for example,
that only users within the firewall can access
particular files, or that those outside the firewall
have limited capabilities to modify the files.
– You can also set up a firewall for your own
computer, and on many computer systems, this is
built into the operating system.

17. System Security
• Firewall
– Each institution/organisation that wishes to improve the efficiency of
filtering and increase the level of security in its network should apply
the following recommendations:
• 1. Traffic-filtering rules
– that will determine the manner in which the incoming and
outgoing traffic flows in the network will be regulated. A set
of traffic-filtering rules can be adopted as an independent
packet filtering policy or as a part of the information security
policy;
• 2. Select a traffic-filtering technology
– that will be implemented depending on the requirements and
needs;
• 3. Implement defined rules
– on the selected technology and optimize the performance of
devices accordingly;
• 4. Maintain all the components of the solution,
– including not only devices, but also the policy.

18. System Security
• Encryption
– One way to keep files and data safe is to use
encryption. This is often used when data is
transferred over the Internet, where it could
potentially be seen by others.
– Encryption is the process of encoding messages so
that it can only be viewed by authorized
individuals.
– An encryption key is used to make the message
unreadable, and a secret decryption key is used to
decipher the message.

19. System Security
• Encryption
– Encryption is widely used in systems like e-
commerce and Internet banking, where the
databases contain very sensitive information.
– If you have made purchases online using a credit
card, it is very likely that you've used encryption
to do this.

20. System Security
• Passwords
– The most widely used method to prevent
unauthorized access is to use passwords.
– A password is a string of characters used to
authenticate a user to access a system.
– The password needs to be kept secret and is only
intended for the specific user.
– In computer systems, each password is associated
with a specific username since many individuals
may be accessing the same system.

21. System Security
• Passwords
– Good passwords are essential for keeping
computer systems secure.
– Unfortunately, many computer users don't use
very secure passwords, such as the name of a
family member or important dates - things that
would be relatively easy to guess by a hacker.
– One of the most widely used passwords - you
guessed it - 'password.' Definitely not a good
password to use.

22. System Security
• Passwords
– So what makes for a strong password?
• Longer is better - A long password is much harder to
break. The minimum length should be 8 characters, but
many security experts have started recommending 12
characters or more.
• Avoid the obvious - A string like '0123456789' is too
easy for a hacker, and so is 'LaDaGaGa'. You should also
avoid all words from the dictionary.

23. System Security Tools

24. System Security Tools
• Antivirus Software
– Antivirus software is a program which is designed to
prevent, detect, and remove viruses and other
malware attacks on the individual computer,
networks, and IT systems.
– It also protects our computers and networks from the
variety of threats and viruses such as Trojan horses,
worms, keyloggers, browser hijackers, rootkits,
spyware, botnets, adware, and ransomware.
– Most antivirus program comes with an auto-update
feature and enabling the system to check for new
viruses and threats regularly. It provides some
additional services such as scanning emails to ensure
that they are free from malicious attachments and
web links.

25. System Security Tools
• PKI Services
– PKI stands for Public Key Infrastructure. This tool
supports the distribution and identification of
public encryption keys.
– It enables users and computer systems to securely
exchange data over the internet and verify the
identity of the other party.
– We can also exchange sensitive information
without PKI, but in that case, there would be no
assurance of the authentication of the other
party.

26. System Security Tools
• PKI Services
– People associate PKI with SSL or TLS.
– It is the technology which encrypts the server
communication and is responsible for HTTPS and
padlock that we can see in our browser address
bar.
– PKI solve many numbers of cybersecurity
problems and deserves a place in the organization
security suite.

27. System Security Tools
• PKI Services
– PKI can also be used to:
• Enable Multi-Factor Authentication and access control
• Create compliant, Trusted Digital Signatures.
• Encrypt email communications and authenticate the
sender's identity.
• Digitally sign and protect the code.
• Build identity and trust into IoT ecosystems.

28. System Security Tools
• Managed Detection and Response Service
(MDR)
– Managed detection and response is focused on
threat detection, rather than compliance.
– MDR relies heavily on security event management
and advanced analytics.
– While some automation is used, MDR also
involves humans to monitor our network.
– MDR service providers also perform incident
validation and remote response.

29. System Security Tools
• Penetration Testing
– Penetration testing, or pen-test, is an important
way to evaluate our business's security systems
and security of an IT infrastructure by safely trying
to exploit vulnerabilities.
– These vulnerabilities exist in operating systems,
services and application, improper configurations
or risky end-user behavior.
– In Penetration testing, cybersecurity professionals
will use the same techniques and processes
utilized by criminal hackers to check for potential
threats and areas of weakness.

30. System Security Tools
• Staff Training
– Staff training is not a 'cybersecurity tool' but
ultimately, having knowledgeable employees who
understand the cybersecurity which is one of the
strongest forms of defence against cyber-attacks.
– Today's many training tools available that can
educate company's staff about the best
cybersecurity practices.
– Every business can organize these training tools to
educate their employee who can understand their
role in cybersecurity.

31. Web Security
• In general, web security refers to the
protective measures and protocols that
organizations adopt to protect the
organization from, cyber criminals and threats
that use the web channel.
• Web security is critical to business continuity
and to protecting data, users and companies
from risk

32. Web Security
• The purpose of website security is to prevent
any sorts of attacks.
• The more formal definition of website
security is the act/practice of protecting
websites from unauthorized access, use,
modification, destruction, or disruption.

33. Web Security
• Effective website security requires design
effort across the whole of the website:
– in your web application, the configuration of the
web server, your policies for creating and
renewing passwords, and the client-side code.
– Finally, there are publicly available
vulnerability scanner tools that can help you find
out if you've made any obvious mistakes.

34. Web security Threats
1. Cross-Site Scripting (XSS)
2. SQL injection
3. Cross-Site Request Forgery (CSRF)
4. Other threats

35. Web security Threats
1. Cross-Site Scripting (XSS)
– XSS is a term used to describe a class of attacks that
allow an attacker to inject client-side
scripts through the website into the browsers of other
users.
– Because the injected code comes to the browser from
the site, the code is trusted and can do things like
send the user's site authorization cookie to the
attacker.
– When the attacker has the cookie, they can log into a
site as though they were the user and do anything the
user can, such as access their credit card details, see
contact details, or change passwords.

36. Cross-Site Scripting (XSS)

37. Web security Threats
2. SQL injection
– SQL injection vulnerabilities enable malicious
users to execute arbitrary SQL code on a
database, allowing data to be accessed, modified,
or deleted irrespective of the user's permissions.
– A successful injection attack might spoof
identities, create new identities with
administration rights, access all data on the
server, or destroy/modify the data to make it
unusable.

38. SQL injection

39. Web security Threats
3. Cross-Site Request Forgery (CSRF)
– CSRF attacks allow a malicious user to execute actions
using the credentials of another user without that
user’s knowledge or consent.
– For Example, John is a malicious user who knows that
a particular site allows logged-in users to send money
to a specified account using an HTTP POST request
that includes the account name and an amount of
money.
– John constructs a form that includes his bank details
and an amount of money as hidden fields, and emails
it to other site users (with the Submit button
disguised as a link to a "get rich quick" site).

40. Web security Threats
3. Cross-Site Request Forgery (CSRF)
– If a user clicks the submit button, an
HTTP POST request will be sent to the server
containing the transaction details and any client-side
cookies that the browser associated with the site
(adding associated site cookies to requests is normal
browser behavior).
– The server will check the cookies, and use them to
determine whether or not the user is logged in and
has permission to make the transaction.
– The result is that any user who clicks
the Submit button while they are logged in to the
trading site will make the transaction. John gets rich.

41. Cross-Site Request Forgery (CSRF)

42. Web security Threats
4. Other threats
– Other common attacks/vulnerabilities include:
a) Click jacking
b) Denial of Service
c) Directory Traversal
d) File Inclusion
e) Command Injection

43. Web security Threats
a) Click jacking
– In this attack, a malicious user hijacks clicks meant for a
visible top-level site and routes them to a hidden page
beneath.
– This technique might be used, for example, to display a
legitimate bank site but capture the login credentials into
an invisible <iframe> controlled by the attacker. Clickjacking
could also be used to get the user to click a button on a
visible site, but in doing so actually unwittingly click a
completely different button.
– As a defense, your site can prevent itself from being
embedded in an iframe in another site by setting the
appropriate HTTP headers.

44. Web security Threats
b) Denial of Service
– DoS is usually achieved by flooding a target site with fake
requests so that access to a site is disrupted for legitimate users.
– The requests may be numerous, or they may individually
consume large amounts of resource (e.g., slow reads or
uploading of large files).
c) Directory Traversal
– In this attack, a malicious user attempts to access parts of the
web server file system that they should not be able to access.
– This vulnerability occurs when the user is able to pass filenames
that include file system navigation characters (for
example, ../../). The solution is to sanitize input before using it.

45. Web security Threats
d) File Inclusion
– In this attack, a user is able to specify an "unintended" file
for display or execution in data passed to the server.
– When loaded, this file might be executed on the web server
or the client-side (leading to an XSS attack).
– The solution is to sanitize input before using it.
e) Command injection attacks allow a malicious user to execute arbitrary
system commands on the host operating system.
– The solution is to sanitize user input before it might be used
in system calls.

46. OWASP Top 10
Vulnerabilities
• 1. Injection
– Injection occurs when an attacker exploits insecure code
to insert (or inject) their own code into a program.
• 2. Broken Authentication
– Incorrectly implemented authentication and session
management calls can be a huge security risk.
• 3. Sensitive Data Exposure
– APIs, which allow developers to connect their application
to third-party services like Google Maps, are great time-
savers.

47. OWASP Top 10
Vulnerabilities
• 4. XML External Entities
– This risk occurs when attackers are able to upload
or include hostile XML content due to insecure
code, integrations, or dependencies.
• 5. Broken Access Control
– If authentication and access restriction are not
properly implemented, it's easy for attackers to
take whatever they want.

48. OWASP Top 10
Vulnerabilities
• 6. Security Misconfiguration
– Just like misconfigured access controls, more general
security configuration errors are huge risks that give
attackers quick, easy access to sensitive data and site areas.
• 7. Cross-Site Scripting
– With cross-site scripting, attackers manipulate to retrieve
data from or send commands to your application.
– Cross-site scripting widens the attack surface for threat
actors, enabling them to hijack user accounts, access
browser histories, spread Trojans and worms, control
browsers remotely, and more.

49. OWASP Top 10
Vulnerabilities
• 8. Insecure Deserialization
– Deserialization, or retrieving data and objects that have been
written to disks or otherwise saved, can be used to remotely
execute code in your application or as a door to further attacks.
• 9. Using Components with Known Vulnerabilities
– No matter how secure your own code is, attackers can exploit
APIs, dependencies and other third-party components if they are
not themselves secure.
• 10. Insufficient Logging and Monitoring
– Failing to log errors or attacks and poor monitoring practices can
introduce a human element to security risks.

50. Application Security
• Application security is the process of
developing, adding, and testing security
features within applications to prevent
security vulnerabilities against threats such as
unauthorized access and modification
• A router that prevents anyone from viewing a
computer’s IP address from the Internet is a
form of hardware application security.

51. Application Security
• Why application security is important?
– available over various networks and connected to
the cloud, increasing vulnerabilities to security
threats and breaches.
– increasing pressure and incentive to not only
ensure security at the network level but also
within applications themselves.
– Application security testing can reveal weaknesses
at the application level, helping to prevent these
attacks.

52. Application Security
• Types of application security
1. Authentication
2. Authorization
3. Encryption
4. Logging
5. Application security testing

53. Types of application security
1. Authentication
• Authentication procedures ensure that a user is who
they say they are. This can be accomplished by
requiring the user to provide a user name and
password when logging in to an application.
• Multi-factor authentication requires more than one
form of authentication—the factors might include
something you know (a password), something you
have (a mobile device), and something you are (a
thumb print or facial recognition).

54. Types of application security
2. Authorization
• After a user has been authenticated, the user may be
authorized to access and use the application.
• The system can validate that a user has permission to
access the application by comparing the user’s
identity with a list of authorized users.

55. Types of application security
3. Encryption
• After a user has been authenticated and is using the
application, other security measures can protect
sensitive data from being seen or even used by a
cybercriminal.
• In cloud-based applications, where traffic containing
sensitive data travels between the end user and the
cloud, that traffic can be encrypted to keep the data
safe.

56. Types of application security
4. Logging
• If there is a security breach in an application, logging
can help identify who got access to the data and how.
• Application log files provide a time-stamped record of
which aspects of the application were accessed and
by whom.
5. Application security testing
• A necessary process to ensure that all of these
security controls work properly.

57. Intrusion Detection System (IDS)
IDP (Intrusion Detection and Prevention) network intrusion
detection (ID) is based on monitoring the operation of computer
systems or `networks and analyzing the processes they perform, which
can point to certain incidents.
Network intrusion prevention (IP)
•It includes the process of detecting network intrusion events, but also
includes the process of preventing and blocking detected or potential
network incidents.
Network intrusion detection and prevention systems (idp)
•They are based on identifying potential incidents, logging information
about them, attempting to prevent them and alerting the administrators
responsible for security.
•In addition to this basic function, IDP systems can also be used to
identify problems concerning the adopted security policies, to
document existing security threats and to discourage individuals from
violating security rules.

58. Intrusion Detection System (IDS)
• There are three primary classes of detection
methodology:
– 1. Signature-based detection
– 2. Anomaly-based detection
– 3. Detection based on stateful protocol analysis

59. Intrusion Detection System (IDS)
1. Signature-based detection
– certain security threats can be detected based on the
characteristic manner in which they appear.
– The behaviour of an already detected security threat,
described in a form that can be used for the detection
of any subsequent appearance of the same threat, is
called an attack signature.
– This detection method, based on the characteristic
signature of an attack, is a process of comparing the
known forms in which the threat has appeared with the
specific network traffic in order to identify certain
incidents.

60. Intrusion Detection System (IDS)
1. Signature-based detection
– Although it can be very efficient in detecting the
subsequent appearance of known threats, this detection
method is extremely inefficient in the detection of
completely unknown threats, of threats hidden by
using various techniques, and of already known threats
that have somehow been modified in the meantime.
– It is considered the simplest detection method and it
cannot be used for monitoring and analysing the state
of certain, more complex forms of communication.

61. Intrusion Detection System (IDS)
2. Anomaly-based detection
– This method of IDP is based on detecting anomalies in
a specific traffic flow in the network.
– Anomaly detection is performed, based on the defined
profile of acceptable traffic and its comparison with
the specific traffic in the network.
– Acceptable traffic profiles are formed by tracking the
typical characteristics of the traffic in the network
during a certain period of time (e.g., The number of
email messages sent by a user, and the number of
attempts to log in to a host, or the level of utilisation of
the processor in a given time interval).
– These characteristics of the behaviour of users, hosts,
connections or applications in the same time interval
are then considered to be completely acceptable.

62. Intrusion Detection System (IDS)
3. Detection based on stateful protocol analysis
– Stateful protocol analysis is a process of comparing
predefined operation profiles with the specific data
flow of that protocol on the network.
– Predefined profiles of operation of a protocol are
defined by the manufacturers of IDP devices and they
identify everything that is acceptable or not acceptable
in the exchange of messages in a protocol.
– Unlike anomaly-based detection, where profiles are
created based on the hosts or specific activities on the
network, stateful protocol analysis uses general
profiles generated by the equipment manufacturers.
– Most IDP systems use several detection methods
simultaneously, thus enabling a more comprehensive
and precise method of detection.

63. Intrusion Detection System (IDS)
• Intrusion detection systems can be grouped
into the following categories:
– Host-based IDS
– Network-based IDS
– Intrusion prevention system (IPS)

64. Host-based intrusion detection
systems
• Host-based IDSs are designed to monitor, detect
and respond to activity and attacks on a given
host. In most cases, attackers target specific
systems on corporate networks that have
confidential information.
• They will often try to install scanning programs
and exploit other vulnerabilities that can record
user activity on a particular host.
• Some host-based IDS tools provide policy
management, statistical analytics and data
forensics at the host level.

65. Network-based intrusion detection
systems
• Network traffic based IDSs capture network traffic to detect
intruders.
• Most often, these systems work as packet sniffers that read
through incoming traffic and use specific metrics to assess
whether a network has been compromised.
• Various internet and other proprietary protocols that
handle messages between external and internal networks,
such as TCP/IP, NetBEUI (NetBIOS Extended User Interface)
and XNS (Xerox Network Systems), are vulnerable to attack
and require additional ways to detect malicious events.
• Frequently, intrusion detection systems have difficulty
working with encrypted information and traffic from virtual
private networks. Speed over 1Gbps is also a constraining
factor, although modern and costly network-based IDSs
have the capability to work fast over this speed.

66. Intrusion prevention system (IPS)
• An IPS is a network security tool that can not only
detect intruders, but also prevent them from
successfully launching any known attack.
• Intrusion prevention systems combine the abilities of
firewalls and intrusion detection systems.
• However, implementing an IPS on an effective scale
can be costly, so businesses should carefully assess
their IT risks before making the investment.
• Moreover, some intrusion prevention systems are not
as fast and robust as some firewalls and intrusion
detection systems, so an IPS might not be an
appropriate solution when speed is an absolute
requirement.

67. Intrusion prevention system (IPS)
• Most important, an IPS must perform packet inspection
and analysis at wire speed. Intrusion prevention
systems should be performing detailed packet
inspection to detect intrusions, including application-
layer and zero-day attacks.
• System or host intrusion prevention devices are also
inline at the operating system level. They have the
ability to intercept system calls, file access, memory
access, processes and other system functions to
prevent attacks. There are several intrusion prevention
technologies, including the following:
– System memory and process protection
– Inline network devices
– Session sniping
– Gateway interaction devices

68. Intrusion prevention system (IPS)
• System memory and process protection
– This type of intrusion prevention strategy resides
at the system level.
– Memory protection consists of a mechanism to
prevent a process from corrupting the memory of
another process running on the same system.
– Process protection consists of a mechanism for
monitoring process execution, with the ability to
kill processes that are suspected of being attacks.

69. Intrusion prevention system (IPS)
• Inline network devices
– This type of intrusion prevention strategy places a
network device directly in the path of network
communications with the capability to modify and
block attack packets as they traverse the device’s
interfaces.
– It acts much like a router or firewall combined
with the signature-matching capabilities of IDS.
The detection and response happens in real time
before the packet is passed on to the destination
network.

70. Intrusion prevention system (IPS)
• Session sniping
– This type of intrusion prevention strategy
terminates a TCP session by sending a TCP RST
packet to both ends of the connection. When an
attempted attack is detected, the TCP RST is sent
and the attempted exploit is flushed from the
buffers and thus prevented.
– Note: TCP RST packets must have the correct
sequence and acknowledgement numbers to be
effective.

71. Session sniping

72. Gateway interaction devices
– This type of intrusion prevention strategy allows a
detection device to dynamically interact with
network gateway devices such as routers or
firewalls. When an attempted attack is detected,
the detection device can direct the router or
firewall to block the attack.

73. Intrusion prevention system (IPS)
• Session sniping system identification is another
concern when deploying active response IPSs.
• When systems terminate sessions with RST
packets, an attacker might be able to discover
not only that an IPS is involved but also the type
of underlying system.
• Readily available passive operating system
identification tools analyze packets to determine
the underlying operating system.
• This type of information might enable an attacker
to evade the IPS or direct an attack at the IPS.

74. Intrusion prevention system (IPS)
• There are several risks when deploying intrusion prevention
technologies.
• Most notable is the recurring issue of false positives in today’s
intrusion detection systems. On some occasions, legitimate traffic
will display characteristics similar to malicious traffic.
• This could be anything from inadvertently matching signatures to
uncharacteristically high traffic volume.
• Even a finely tuned IDS can present false positives when this occurs.
When intrusion prevention is involved, false positives can create a
denial-of-service (DoS) condition for legitimate traffic.
• In addition, attackers who discover or suspect the use of intrusion
prevention methods can purposely create a DoS attack against
legitimate networks and sources by sending attacks with spoofed
source IP addresses.
• A simple mitigation to some DoS conditions is to use a whitelisting
policy.

75. Intrusion prevention system (IPS)
• Another risk with active response IPSs involves
gateway interaction timing and race conditions.
• In this scenario, a detection device directs a router or
firewall to block the attempted attack.
• However, because of network latency, the attack has
already passed the gateway device before it receives
this direction from the detection device.
• A similar situation could occur with a scenario that
creates a race condition on the gateway device itself
between the attack and the response.
• In either case, the attack has a high chance of
succeeding.

76. Intrusion prevention system (IPS)
• When deploying an IPS, you should carefully
monitor and tune your systems and be aware
of the risks involved.
• You should also have an in-depth
understanding of your network, its traffic, and
both its normal and abnormal characteristics.
• It is always recommended to run IPS and
active response technologies in test mode for
a while to thoroughly understand their
behavior.