MODULE 1 :
INTRODUCTION AND
ACCESS CONTROL
Points to be covered
 Cyber attacks
 Vulnerabilities
 Defence strategies and Techniques
 Authentication methods and Protocols
 Defence in depth strategies
What is Security?
 Protection of assets
 Three main Aspects :
◦ Prevention
◦ Detection
◦ Reaction
Difference between Traditional
Security and Information Security
 Information can be stolen - but you still
have it
 Confidential information may be
copied and sold - but the theft might
not be detected
 The criminals may be on the other
side of the world
Computer Security
 Deals with the prevention and
detection of unauthorized actions by
users of a computer system.
 Study cyber attacks – with a view to
defending against them.
Computer Security in perspective
 Information Security
 Network Security
 System Security
 Application Security
 Operating system Security
 Database Security
 Language Security
What is Security about (in a
technical sense)
 (Goals of the hacker/ attacker/
adversary)
 Attacks
 Vulnerabilities
 Defenses
Cyber Security
 A practice that intends to protect
computers, networks, programs and
data from unintended or unauthorized
access, change or destruction.
 Why ???
◦ Everything is on the web
◦ A major proportion of systems are on the internet
Cyber Attacks
 An illegal attempt to expose, alter, disable, destroy,
steal or gain unauthorized access to or make
unauthorized use of an asset.
 An attempt to gain something from a computer system.
 Attacks : Active or Passive
◦ Active attack: attempts to alter system resources or affect
their operations.
◦ Passive attack: attempts to learn or make use of
information from the system but does not affect system
resources.
Some Attack Goals
 Theft of sensitive information (example, credit
card information)
 Disruption of service (rendering a service
inaccessible or unavailable)
 Information Warfare (attacking infrastructure
of an “enemy” country)
 Illegal access to or use of resources
(circumventing controls so as to gain
unauthorized access)
Attacks, Attacks, Attacks !
A few more notable Attacks !!
 1988 : Robert Morris, Jr., a 23-yr-old
Cornell graduate student, released a
warm that overran Arpanet,
incapacitating almost 6000 computers,
congesting government and university
system.
He was fined $10,000 and sentenced to
3 years probation.
A few more notable Attacks !!
 1991 : David L. Smith, 31-yr-old
created the warm “Melissa” which
infected thousands of computers
causing damage of approx. $1.5
billion. This virus sent copies of itself
to the first 50 names of the recipient’s
address book.
He received a 20 months jail term.
A few more notable Attacks !!
 2001 : “Anna Kournikova” virus.
Promising photos of the tennis star
mailed itself to the every person in the
victim’s address book. Investigators
were apprehensive that the virus was
created with a toolkit enabling the
rookies to create a virus.
A few more notable Attacks !!
 2008 : The headquarters of the Obama and
McCain presidential campaigns were
hacked.
 July 2009: A series of coordinated cyber
attacks against major government, news
media, and financial web sites in South
Korea and the United States.
https://en.wikipedia.org/wiki/List_of_cyberatta
Who commits what?
“ Once we know our weaknesses, they
cease to do us any harm”
- Georg Christoph Lichtenberg
Vulnerabilities
 A vulnerability is a weakness or
lacuna in a policy, procedure, protocol,
hardware or software within an
organization that has the potential to
cause it damage or loss.
Vulnerability Types
 Human Vulnerabilities
◦ Induced by careless/unthinking human
behaviour
◦ Ex. clicking on a link in an e-mail
message from a questionable source
◦ Related to phishing and cross-site
scripting attacks
Vulnerability Types (contd.)
 Protocol Vulnerabilities
◦ Attacks on commonly used networking protocols
such as TCP, IP, ARP, ICMP and DNS
◦ Ex. Connection hijacking caused by ARP
spoofing, etc.
◦ Denial of Service Attacks (DoS) which exploit
the 3-way TCP handshake
◦ Pharming attacks exploit vulnerabilities in DNS
Vulnerability Types (contd.)
 Software Vulnerabilities
◦ Caused by sloppy software
◦ Software may perform as expected under
normal conditions, but when given a
specially crafted input it behaves in a way
its designers never intended
◦ Examples include Buffer Overflow vulnerability,
Cross-site Scripting (XSS) vulnerability and
SQL Injection vulnerability
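The SQL Injection vulnerability named above, shown as an added example that is not part of the slide deck: the same login lookup written once by pasting user input into the SQL text and once with a parameterised query. The in-memory SQLite table, the "alice" account and the crafted input are constructed for illustration (real systems store password hashes, not the password itself; the plain column keeps the example short).

```python
# Added example (not from the slide deck): a login check built by string
# concatenation (vulnerable) next to the same check using placeholders
# (hardened). Database contents are constructed sample data.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory user table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """User input becomes part of the SQL text, so it can change the query's logic."""
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND pw = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Placeholders pass user input as data; the driver never treats it as SQL syntax."""
    sql = "SELECT 1 FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def demo() -> dict:
    """Run both checks with a valid password and with the classic tautology input."""
    conn = make_db()
    crafted = "' OR '1'='1"   # turns the WHERE clause into ... AND pw = '' OR '1'='1'
    return {
        "good_creds_vuln": login_vulnerable(conn, "alice", "correct horse"),
        "good_creds_hard": login_hardened(conn, "alice", "correct horse"),
        "crafted_vuln": login_vulnerable(conn, "alice", crafted),   # accepted: the flaw
        "crafted_hard": login_hardened(conn, "alice", crafted),     # rejected: plain string compare
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} -> {result}")
```

The hardened version is not "input validation": it changes where the boundary between code and data is drawn, which is why it holds for any input rather than for the inputs a filter happened to anticipate.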
Vulnerability Types (contd.)
 Configuration Vulnerabilities
◦ Relate to settings on system/application software,
on files, etc.
◦ Read-write-execute (and other) permissions on
files (and other objects) may be too generous.
◦ Privilege level assigned to a process may be
higher than what it should be to carry out a task.
◦ Often lead to “privilege escalation” attacks.
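A check for the configuration weaknesses listed above, added here as an example and not taken from the slide deck: it walks a directory tree and flags files whose permissions are too generous (world-writable) and executables that carry the setuid/setgid bits, which is where an over-privileged process often starts. The finding labels, the exemption for sticky world-writable directories such as /tmp, and the constructed sample tree are this example's own choices.

```python
# Added example (not from the slide deck): audit a directory tree for
# world-writable objects and setuid/setgid executables.
import os
import stat
import tempfile
from typing import List, Tuple

WORLD_WRITABLE = stat.S_IWOTH
SETID_BITS = stat.S_ISUID | stat.S_ISGID


def audit_path(path: str) -> List[str]:
    """Return the findings for one object; an empty list means nothing flagged."""
    mode = os.lstat(path).st_mode
    findings: List[str] = []
    if stat.S_ISLNK(mode):
        return findings                      # symlink modes are not meaningful
    sticky_dir = stat.S_ISDIR(mode) and bool(mode & stat.S_ISVTX)
    if mode & WORLD_WRITABLE and not sticky_dir:
        findings.append("WORLD_WRITABLE")    # anyone on the host may modify it
    if mode & SETID_BITS and not stat.S_ISDIR(mode):
        findings.append("SETID")             # runs with the owner's/group's privilege
    return findings


def audit_tree(root: str) -> List[Tuple[str, str]]:
    """Walk a tree and return sorted (relative_path, finding) pairs."""
    results: List[Tuple[str, str]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            for finding in audit_path(full):
                results.append((os.path.relpath(full, root), finding))
    return sorted(results)


def build_sample_tree() -> str:
    """Create a throwaway directory with constructed examples of each case."""
    root = tempfile.mkdtemp(prefix="permaudit-")

    def touch(rel: str, mode: int) -> None:
        p = os.path.join(root, rel)
        open(p, "w").close()
        os.chmod(p, mode)

    touch("world_writable.txt", 0o666)
    touch("normal.txt", 0o644)
    touch("setuid_tool", 0o4755)   # some filesystems refuse the bit for non-root owners
    shared = os.path.join(root, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o1777)       # sticky world-writable dir, like /tmp: not flagged
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for rel, finding in audit_tree(target):
        print(f"{finding:15s} {rel}")
```

Run it against a real path to get a findings list; each line is a candidate for tightening with chmod or for reviewing why a binary needs setuid at all.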
Advice to a Security Designer
“ You can’t make something secure if
you don’t know how to break it”
- Marc Weber Tobias
Defence Strategies
Prevention
Detection
Recovery
Forensics/Traceback
Examples of Preventive
Strategies
• Code Auditing and Testing (against software flaws)
– Blackbox
– Whitebox
• Access Control (against unauthorized access)
– Authentication
– Authorization
• Encryption (against eavesdropping)
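The Access Control item above separates authentication (who is making the request?) from authorization (what may they do?). The following added example, not from the slide deck, keeps the two as distinct steps: passwords are verified against a salted PBKDF2 hash, and actions are then checked against a role-to-permission table. The user accounts, roles, resources and the PBKDF2 iteration count are constructed for illustration.

```python
# Added example (not from the slide deck): authentication and authorization
# as two separate decisions. Accounts and permissions are constructed data.
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Set, Tuple

ITERATIONS = 100_000   # PBKDF2 work factor; this example's choice


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


class AccessControl:
    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}          # name -> (salt, digest)
        self.roles: Dict[str, Set[str]] = {}                      # name -> roles
        self.permissions: Dict[Tuple[str, str], Set[str]] = {}   # (role, resource) -> actions

    def add_user(self, name: str, password: str, roles: Iterable[str]) -> None:
        self.users[name] = hash_password(password)
        self.roles[name] = set(roles)

    def grant(self, role: str, resource: str, actions: Iterable[str]) -> None:
        self.permissions.setdefault((role, resource), set()).update(actions)

    def authenticate(self, name: str, password: str) -> bool:
        """Authentication: does the caller know the secret tied to this account?"""
        if name not in self.users:
            hash_password(password, b"\x00" * 16)   # same cost for unknown names
            return False
        salt, stored = self.users[name]
        return hmac.compare_digest(hash_password(password, salt)[1], stored)

    def authorize(self, name: str, action: str, resource: str) -> bool:
        """Authorization: does any of the caller's roles permit this action here?"""
        return any(action in self.permissions.get((role, resource), set())
                   for role in self.roles.get(name, ()))

    def request(self, name: str, password: str, action: str, resource: str) -> str:
        if not self.authenticate(name, password):
            return "denied: authentication failed"
        if not self.authorize(name, action, resource):
            return "denied: not authorized"
        return "allowed"


def build_demo() -> AccessControl:
    """Constructed accounts: an analyst may read logs, an admin may also delete them."""
    ac = AccessControl()
    ac.add_user("alice", "correct horse battery", ["analyst"])
    ac.add_user("bob", "hunter2-but-longer", ["admin"])
    ac.grant("analyst", "logs", {"read"})
    ac.grant("admin", "logs", {"read", "delete"})
    return ac


if __name__ == "__main__":
    ac = build_demo()
    print(ac.request("alice", "correct horse battery", "read", "logs"))
    print(ac.request("alice", "correct horse battery", "delete", "logs"))
```

A valid password on its own never grants anything: the second step is where least privilege is enforced, and the two denial messages are kept distinct only so a log reader can tell a credential problem from a policy problem.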
Examples of Detection
• Integrity checks on messages, files
– Simple CRC-type checksums not effective for
security applications
– Use of the Message Authentication Code
(MAC)
• Intrusion detection systems based on
– Anomaly detection
– Signature detection
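Why a CRC-type checksum is not an integrity check against an adversary while a Message Authentication Code is, as an added example that is not part of the slide deck: whoever can alter a message can also recompute its CRC, so the receiver's check still passes, whereas the MAC needs the shared key, which the middleman does not have. The message, the altered message and the key are constructed for illustration; HMAC-SHA256 stands in for "the MAC" here.

```python
# Added example (not from the slide deck): CRC32 versus HMAC-SHA256 as an
# integrity check when the party altering the message is hostile.
import hashlib
import hmac
import zlib

KEY = b"constructed-demo-key-do-not-reuse"   # shared secret; in practice from a key store


def crc_tag(msg: bytes) -> int:
    return zlib.crc32(msg) & 0xFFFFFFFF


def crc_verify(msg: bytes, tag: int) -> bool:
    return crc_tag(msg) == tag


def mac_tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def mac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    # constant-time comparison so timing does not reveal how many bytes matched
    return hmac.compare_digest(mac_tag(key, msg), tag)


def tamper_scenario() -> dict:
    """Sender protects a message; a middleman alters it and tries to keep the check valid."""
    original = b"transfer 100 to account 42"
    altered = b"transfer 900 to account 42"

    # CRC: the checksum is a public function of the message, so the middleman
    # simply recomputes it for the altered text and the receiver accepts it.
    crc_forged = crc_tag(altered)

    # MAC: without KEY the middleman can only reuse the old tag or compute one
    # with a guessed key; the receiver rejects both.
    old_tag = mac_tag(KEY, original)
    guessed = mac_tag(b"wrong-key", altered)

    return {
        "crc_original_ok": crc_verify(original, crc_tag(original)),
        "crc_altered_passes": crc_verify(altered, crc_forged),
        "mac_original_ok": mac_verify(KEY, original, old_tag),
        "mac_altered_old_tag": mac_verify(KEY, altered, old_tag),
        "mac_altered_guessed": mac_verify(KEY, altered, guessed),
    }


if __name__ == "__main__":
    for name, result in tamper_scenario().items():
        print(f"{name:20s} -> {result}")
```

The CRC still has its place against accidental corruption (line noise, bit rot); the point of the slide is that detection of deliberate tampering needs a secret the attacker lacks, which is exactly what the key in the MAC provides.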
