SlideShare a Scribd company logo
CYBER SECURITY AT APPLICATION LEVEL




                         SANTOSH KHADSARE
Lec  1 apln security(4pd)
   INVOLVES ALTERING THE RAW DATA JUST BEFORE A
    COMPUTER PROCESSES IT AND THEN CHANGING IT
    BACK AFTER PROCESSING IS COMPLETED
   SECONDARY STATE BOARD
   PRIVATE STUDENTS TOPPED OVER GOV T STUDENTS
      6 DIGIT ROLL NUMBER

         GOV T STUDENTS STARTS WITH 3

         PRIVATE STUDENTS STARTS WITH 4

   SOFT WARE MANIPULATION
      FOR ROLL_ NO 3 if marks between 68 & 100
       DEDUCT 9
      FOR ROLL_ NO 4 if marks between 68 & 88 ADD
                                                3
       9
4
5
   Data
       Information we keep on computers (product
        design, financial records, personnel data)
       Lost time, lost sales, lost confidence
   Resources
       Unauthorized use of computer time & space
   Reputation
       Misrepresentation, forgery, negative
        publicity
Confidentiality




Integrity
                              Avalaibility
   Confidentiality - Protection from
    unauthorized persons
   Integrity - consistency of data; no
    unauthorized creation, alteration or
    destruction
   Availability - ensuring access to legitimate
    users
   Legitimate use - ensuring appropriate use
    by authorized users
Functionality
                                Moving Ball




Security                   Ease of Use
   Intrusion - unauthorized access and use of
    systems
   Denial of ser vice - an attack aimed at
    preventing use of company computers
       email bomb or flooding/Internet worm
       disabled, rerouted or replaced services
   Information thef t - network taps, database
    access, hacking into sites to give out more info
    or to wrong parties
•   Scanners
•   Key-loggers.
•   Trojans.
•   Remote Admin
    Toolkits.
•   Spyware.
•   Backdoors.
•   Worms.
•   Remote Sniffers.
•   Distributed Denial of
    Service.
   Security Services
       Authentication (entity, data origin)
       Access control (prevent unauthorized access)
       Confidentiality (disclosure, encryption)
       Data integrity (value of data item)
       Non-repudiation (falsely denying a
        transaction)
   No Security - not an option
   Security thru Obscurity - don’t tell anyone
    where your site is
   Host Security - enforced security on each
    host; progressively difficult to manage as
    number of hosts increase
   Network Security - control network access to
    hosts and services; firewalls, strong
    authentication, and encryption
Biometrics,                                  Cryptography,
Smartcards,                Confidentiality
                           Confidentiality      VPNs,
Voice based Systems                               PKI


     Authentication
     Authentication                            Availability
                                               Availability

                                                 Clustering,
                                                 Redundancy,
Digital Signatures,
                                                 Hot Standby, Port
PKI
                                                 Mirroring




          Integrity
         Integrity                             Assurability
                                               Assurability

                                                  Availability
                                                       +
    Digital Signatures,   Non-Repudiation
                          Non-Repudiation          Reliability
    PKI
Information                    Security
               Info Security   Measures
   States       Components
     IN
 PROCESSING




     IN
  STORAGE



     IN
TRANSMISSION




   As Strong As The Weakest Link …
Lec  1 apln security(4pd)
WAN /
    NETWORK BASED        INTRANET
       FIREWALL                                       MOBILE
                                                      USER
                             ROUTER
                                                 ROUTER

                    SWITCH




     PCs                              HQ ABC CORPS
HQ XYZ CORPS   SERVERS
INTERNET
     Red Zone       Fm ISP

                         Layer 3 Switch WAN
                                  IP
                                              DMZ (Orange
                                              DMZ (Orange
                   IDS                          Zone)
                                                 Zone)
                                                   WebServer

                  FW IP      192.168.3.
                                 2                 DNS Server
                   Cop
                                          L 2 SW
                    192.168.1.1
Green Zone                                         Mail Server
Green Zone

                         L 2 SW
To another L2
SW
Gateway
INTERNE       V.35 ROUTE 136.0.0.1 136.0.0.2              136.0.0.3
   T                 R                       IPS


                      DMZ
                                                            136.0.0.4
                       L2                        192.168.1.1 HW
                       SW                                              FW
                                                                   192.168.2.1/26
      192.168.1.2   192.168.1.3 192.168.1.4                            L2
                                                                                     192.168.2.X/28
                                                                       SW              To OTHER NW

           SERVE
                       SERVER       SERVER
                                                                      VLAN
                                                                   LOCAL NW
             R


                                                          Domain users
          . DNS     . RAID       . ANTI VIRUS
          . HTTP    . RDBMS      . HIPS           NW
                                                                        TASK-       TASK-
          . SMTP    . DATABACKUP . SCANNER      PRINT E     AWAN
                                                                          1           2
                                                   R




                     BIOMETRIC                            192.168.2.2           192.168.2.4
                      SENSOR
                                                                     . Secure disk
                                                 BIOMETRIC           . True Crypt
                                                  SENSOR
NETWORK BASED            WAN


        FIREWALL                                 MOBILE
 ANTI                                            USER

HOST BASED
 VIRUS
          ROUTER
                                              ROUTER
    SWITCH




       PCs                     HQ ABC CORPS
  HQ XYZ CORPS SERVERS
Cyber Security is the set of "measures taken to protect a
Cyber Security is the set of "measures taken to protect a
computer or computer system (as on the Internet) against
computer or computer system (as on the Internet) against
unauthorized access or attack.“
unauthorized access or attack.“

This broad and all-encompassing cyber security definition
 This broad and all-encompassing cyber security definition
poses a significant challenge for enterprises; therefore, it
 poses a significant challenge for enterprises; therefore, it
is highly critical for enterprises to have an in-depth cyber
 is highly critical for enterprises to have an in-depth cyber
security strategy and plan in place in order to provide the
 security strategy and plan in place in order to provide the
maximum level of protection from cyber security risks at
 maximum level of protection from cyber security risks at
not just the network perimeter but also the application
 not just the network perimeter but also the application
layer.
 layer.
Lec  1 apln security(4pd)
Lec  1 apln security(4pd)
An application is a program or group of programs
An application is a program or group of programs
designed for end users. Application software can be
designed for end users. Application software can be
divided into two general classes: systems software
divided into two general classes: systems software
and applications software ..
and applications software

 Systems software consists of low-level programs
  Systems software consists of low-level programs
that interact with the computer at a very basic level.
 that interact with the computer at a very basic level.
This includes operating systems ,, compilers, and
 This includes operating systems compilers, and
utilities for managing computer resources.
 utilities for managing computer resources.

applications software (also called end-user
applications software (also called end-user
programs) includes database programs, word
programs) includes database programs, word
processors, and spreadsheets. Figuratively
processors, and spreadsheets. Figuratively
speaking, applications software sits on top of
speaking, applications software sits on top of
Application security encompasses measures taken
Application security encompasses measures taken
throughout the application's life-cycle to prevent
 throughout the application's life-cycle to prevent
exceptions in the security policy of an application or the
exceptions in the security policy of an application or the
underlying system (vulnerabilities) through flaws in the
underlying system (vulnerabilities) through flaws in the
design,
design,   development,
          development,     deployment,
                           deployment,     upgrade,
                                           upgrade,    or
                                                       or
maintenance of the application.
maintenance of the application.
Lec  1 apln security(4pd)
Lec  1 apln security(4pd)
Lec  1 apln security(4pd)
Most security       Many software
 The flaws within
                      professional are    developers do not
the software cause
                         usually not      have security as a
 a majority of the
                          software          main focus .
   vulnerability
                        developers


                                          Software venders
                       The computing
                        The computing     are trying to rush
                     community is used
                      community is used   their products to
                        to receiving
                         to receiving     markets with their
                        software with
                         software with       eyes set on
                       bugs and then
                        bugs and then      functionality not
                     applying patches.
                      applying patches.        security.
Hard and                                 Soft and
                                           Soft and
crunchy on                                chewy on
                                           chewy on
    the                                  the inside
                                          the inside
  outside



    PP e r m e t e r
       eri ime
                   ter
     ss e c u it y
        e c u rr it
                    y    In t t e r a l e
                          In e r nn a l e v ir o
            is                            nn      nment n
             is
    f f o r tf fe d
      orti i i i           aa r e ee s y t v ir o n m e n t aa n d ss o f w a r
                              r e aa o                            d oft
                                        s y t o ee x p o i t o
                                                 xpl loi nc                 twa e
   aa n d ss li d
     n d oo
                 ed
                                      hh a s bb e n
                                        a s ee o            t o n c e aa c c s s r e
                                                                  e cce
                 li d                                   b t a in e
                                                  e n o b t a in d .        ess
                                                                  ed.
Software
              controls –
            implemented
                  by




Operating                  Combination
 System                      of three
Aplns and Cmptr systems are usually devp for functionality first,
not security.

To get the best of both, security and functionality will have to be
designed and devp at the same time

Developing aplns first and then trying to add security can
cause problems:
   May reduce overall func
   Can open security holes when the apln is to be integrated
      with other aplns
Security solns today look to solve problems through controls
such as IDS, IPS, FWs, Avs, Vulnerability scanners, etc.

This is because our SW contains many vulnerabilities.

Our systems are hard on the outside and soft inside. Why?

We have implemented strong perimeter defences, however our
internal environment and SW is easy to exploit once access has
been gained.

Why are perimeter devices more often considered rather than
developing secure SW?
In the past, SW was devp for func and not security.
Mainframe era.

Many programmers do not have experience of secure coding.

Most security professionals are not SW developers.

Many SW developers do not have security as the main focus.

SW vendors under tight deadlines to get products into market;
security suffers.

Customers cannot control flaws in the SW they purchase,
so they must depend on perimeter protection. Thus the present
day over-reliance on perimeter defences.
Traditionally, we consumers have always demanded
functionality from the aplns, with little thought to security.

Only in the last 6 – 8 yrs, the focus is slowly shifting to
functionality coupled with security.
Security controls can be used for:
Inputs
Processing
Output

Devp controls with potential risks in mind.
SW to be used in a closed trusted environment versus an
open environment.

.
Goal is to:
Prevent data corruption
Prevent security compromises
Reduce vulnerabilities.

Controls can be preventive, detective and corrective.
Can be in the form of administrative or physical controls; but are
mostly technical in nature.
Buggy SW is rel
 Buggy SW is rel

                   Hackers find SW
                   Hackers find SW
                    vulnerabilities
                     vulnerabilities


                                 Web sites post these vulnerabilities on
                                  Web sites post these vulnerabilities on
                                Internet and methods of exploiting them
                                 Internet and methods of exploiting them




                                  SW vendor develops and releases SW
                                  SW vendor develops and releases SW
                                   patches to fix these vulnerabilities
                                    patches to fix these vulnerabilities


The new patch goes on the stack of SW
 The new patch goes on the stack of SW
patches that all NW admin need to test
 patches that all NW admin need to test
               and install
                and install
NW admin today has to integrate various aplns and different
computer systems.

Coys today are rushing to devp aplns capable of taking on-line
orders, storing credit card info and est extranets with business
partners.

All of this is an extremely complex activity.

On top of all this security is expected and demands.

As the complexity of the environment grows, tracking
compromises and errors becomes a difficult task.
SW controls are usually implemented nowadays through a mix of:
OS controls
Apln controls
DB controls

OS controls can control a subject’s access to an object.
These controls do not restrict a subject’s action within an apln.

Apln controls can ensure
    only valid inputs are inserted,
   data is processed in the correct sequence, and
   only certain subjects can view data in sensitive fields.
Aplns must draw a balance between Functionality and Security.

Out of the box installation is always insecure.

If an apln is extremely user friendly, it is probably not secure.
Why?

User friendly implies – extra lines of code.
More lines of code – more the potential vulnerabilities.
SDLC – Security Issues
Also once vendors iden vulnerabilities and rel patches,
NW admin may not apply them. Why?

NW admin may not be up to date on current vulnerabilities
and patches.
They may not fully understand the imp of patches.
They may be afraid that patches may cause other
problems

Bottomline – Insecure systems

Also, If an apln fails – it must fail secure.
Software Development Life Cycle

SDLC stands for Software Development Life Cycle. A
Software Development Life Cycle is essentially a series of
steps, or phases, that provide a model for the development
and lifecycle management of an application or piece of
software.

The methodology within the SDLC process can vary
across industries and organizations, but standards such as
ISO/IEC 12207 represent processes that establish a lifecycle
for software, and provide a mode for the development,
acquisition, and configuration of software systems.
The intent of a SDLC process it to help produce a
product that is cost-efficient, effective, and of high
quality. Once an application is created, the SDLC
maps the proper deployment and decommissioning
of the software once it becomes a legacy.
Project Initiation

Functional Design Analysis and Plg

System Design Specs

SW Devp

Installation/Implementation

Operations / Maintenance

Disposal
Problems with
Database Security
Risks to databases
Today more and more coys holding sensitive data (credit
card info, stock inventory, etc) in DBs.

Earlier employees only accessed DBs. Today DB
connectivity provided to customers also (Eg – check online
availability of an item).

How do you secure DBs?

   Group users in different roles and assign rights and
   permissions to various roles.
   Customers are assigned a role to only view data; and
   that too only specific fields of data.
   Customers interact with the DB through a middleware
   (apln).
   Middleware checks roles and presents data as per
   permissions assigned to that role.
Risks to databases – DB Integrity

Concurrency Problem

Occurs when a DB is accessed by more than one
apln/users at the same time.

SW lock used to overcome this. Processes lock tables
within DB, make changes and then rel the SW lock. Next
process can access DB only after the 1st process has rel the
SW lock.
Risks to databases – DB Integrity

DB SW performs three main types of integrity services:

Entity Integrity: Every row (record) is uniquely iden by a
primary key.

Referential Integrity: All foreign keys reference existing
primary keys.

Semantic Integrity: Rules pertaining to data types, logical
values are enforced.
Risks to databases – DB Integrity

Other Operations in DB SW to protect integrity of data:

Rollback:
An operation that ends a current transaction and cancels
current changes to a DB. The DB reverts to its previous
state.

Could be changes to the data / schema.

Roll back occurs when the DB experiences a glitch or if
processing sequence is disrupted.
Risks to databases – DB Integrity

Other Operations in DB SW to protect integrity of data:

Commit:
This operation completes a transaction and executes all
changes just made by the user. DB is updated to reflect the
latest changes.

If commit cannot complete correctly, a rollback is
performed.

Ensures that partial changes do not take place and data is
not corrupted.
Risks to databases – DB Integrity

Other Operations in DB SW to protect integrity of data:

Savepoints:
Same like system restore in Win OS.

If a system failure takes place, the DB attempts to revert to
the previous savepoint.

Setting savepoints consumes resources. Bal to be stuck
between No of Savepoints and not enough of them.

Savepoints can be initiated by a time interval, user action,
or No of transactions.

Savepoint restores data by enabling user to go back in
time before the system crashed.
Risks to databases – DB Integrity

Other Operations in DB SW to protect integrity of data:

Checkpoints:
Similar to Savepoints.

When a specific amt of mem is filled, a checkpoint is
triggered.

This saves data from mem to a temp file.

If system crashes, the DB will attempt to restore data from
this temp file.
A few Database Attacks


Brute Force attacks against Passwords

Default Username and passwords not changed by the sys admin
Eg: “scott”; “tiger” - username/password combination in
Oracle DB till 11g ver.

Microsoft SQL Server – came with default (publically known)
passwords.

Easily guessable passwords chosen by sys admin..
A few Database Attacks


Privilege Escalation

Gen happens due to mis-configuration of database or underlying
OS.

Eg: A low privilege user has read rights only.
However, he can read all colns in the DB incl colns holding
credit card info.
(mis-configuration – Restd DB views were not enforced).
A few Database Attacks
Exploiting unused / un-necessary services
Eg: Listener service in Oracle DB.
It seeks out and fwds network connection requests to Oracle DB.

When an apln has to access a DB – poorly written aplns can
cause connections w/o authentication and authorisation.

Install only those features that you need to use.

If you don’t install a feature, you don’t have to patch it up later.
A few Database Attacks
Exploiting unused / un-necessary services.

Very Imp: Patch up DBs as and when patches are rel by the
vendor.

Gen sys admins avoid patching. Why?:
Prevent downtime of the DB.
Does not understand patches and what they do
Do not have time to test patches
May fear that patches may cause some other problems.
A few Database Attacks
Stolen Backups
Gen an insider attack.

If backup data is un-encypted, the attacker does not need to
hack into a DB.

Another problem with backups – too many versions of backups.
Problem in tracking all ver.
A few Database Attacks
SQL Injection
Occurs when the fields available for user input allows
SQL stmts to be inputted.

Gen, this attack takes place on the middleware; which connects
to the backend DB.

Eg: If an attacker gets a username/password screen, he can
input an SQL stmt which is passed by the apln server to the DB
and gets executed toentry to the DB.

Gen the result of poor programming practices.
Lec  1 apln security(4pd)

More Related Content

What's hot

(130511) #fitalk network forensics and its role and scope
(130511) #fitalk   network forensics and its role and scope(130511) #fitalk   network forensics and its role and scope
(130511) #fitalk network forensics and its role and scope
INSIGHT FORENSIC
 
Prensentation on packet sniffer and injection tool
Prensentation on packet sniffer and injection toolPrensentation on packet sniffer and injection tool
Prensentation on packet sniffer and injection tool
Issar Kapadia
 
Internet Traffic Monitoring and Analysis
Internet Traffic Monitoring and AnalysisInternet Traffic Monitoring and Analysis
Internet Traffic Monitoring and Analysis
Information Technology
 
DDOS ATTACKS
DDOS ATTACKSDDOS ATTACKS
DDOS ATTACKS
Shaurya Gogia
 
Network sniffers & injection tools
Network sniffers  & injection toolsNetwork sniffers  & injection tools
Network sniffers & injection tools
vishalgohel12195
 
Network traffic analysis with cyber security
Network traffic analysis with cyber securityNetwork traffic analysis with cyber security
Network traffic analysis with cyber security
KAMALI PRIYA P
 
Comparative Analysis: Network Forensic Systems
Comparative Analysis: Network Forensic SystemsComparative Analysis: Network Forensic Systems
Comparative Analysis: Network Forensic Systems
ijsrd.com
 
Entropy and denial of service attacks
Entropy and denial of service attacksEntropy and denial of service attacks
Entropy and denial of service attacks
chris zlatis
 
Ip traceback seminar full report
Ip traceback seminar full reportIp traceback seminar full report
Ip traceback seminar full report
deepakmarndi
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysis
GTKlondike
 
Module 5 Sniffers
Module 5  SniffersModule 5  Sniffers
Module 5 Sniffers
leminhvuong
 
Defining Cyber Crime
Defining Cyber CrimeDefining Cyber Crime
Defining Cyber Crime
Shenick Network Systems
 
Network Forensics: Packet Analysis Using Wireshark
Network Forensics: Packet Analysis Using WiresharkNetwork Forensics: Packet Analysis Using Wireshark
Network Forensics: Packet Analysis Using Wireshark
n|u - The Open Security Community
 
Network Forensics - Your Only Choice at 10G
Network Forensics - Your Only Choice at 10GNetwork Forensics - Your Only Choice at 10G
Network Forensics - Your Only Choice at 10G
Savvius, Inc
 
Network forensics
Network forensicsNetwork forensics
Network forensics
ArthyR3
 
SDN and Named Data Networking Security
SDN and Named Data Networking SecuritySDN and Named Data Networking Security
SDN and Named Data Networking Security
wolverinetyagi
 
Various OSI Layer Attacks and Countermeasure to Enhance the Performance of WS...
Various OSI Layer Attacks and Countermeasure to Enhance the Performance of WS...Various OSI Layer Attacks and Countermeasure to Enhance the Performance of WS...
Various OSI Layer Attacks and Countermeasure to Enhance the Performance of WS...
IDES Editor
 
Ip trace ppt
Ip trace pptIp trace ppt
Ip trace ppt
deepakmarndi
 
Introduction to cyber forensics
Introduction to cyber forensicsIntroduction to cyber forensics
Introduction to cyber forensics
Anpumathews
 
Deep Learning Based Real-Time DNS DDoS Detection System
Deep Learning Based Real-Time DNS DDoS Detection SystemDeep Learning Based Real-Time DNS DDoS Detection System
Deep Learning Based Real-Time DNS DDoS Detection System
Seungjoo Kim
 

What's hot (20)

(130511) #fitalk network forensics and its role and scope
(130511) #fitalk   network forensics and its role and scope(130511) #fitalk   network forensics and its role and scope
(130511) #fitalk network forensics and its role and scope
 
Prensentation on packet sniffer and injection tool
Prensentation on packet sniffer and injection toolPrensentation on packet sniffer and injection tool
Prensentation on packet sniffer and injection tool
 
Internet Traffic Monitoring and Analysis
Internet Traffic Monitoring and AnalysisInternet Traffic Monitoring and Analysis
Internet Traffic Monitoring and Analysis
 
DDOS ATTACKS
DDOS ATTACKSDDOS ATTACKS
DDOS ATTACKS
 
Network sniffers & injection tools
Network sniffers  & injection toolsNetwork sniffers  & injection tools
Network sniffers & injection tools
 
Network traffic analysis with cyber security
Network traffic analysis with cyber securityNetwork traffic analysis with cyber security
Network traffic analysis with cyber security
 
Comparative Analysis: Network Forensic Systems
Comparative Analysis: Network Forensic SystemsComparative Analysis: Network Forensic Systems
Comparative Analysis: Network Forensic Systems
 
Entropy and denial of service attacks
Entropy and denial of service attacksEntropy and denial of service attacks
Entropy and denial of service attacks
 
Ip traceback seminar full report
Ip traceback seminar full reportIp traceback seminar full report
Ip traceback seminar full report
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysis
 
Module 5 Sniffers
Module 5  SniffersModule 5  Sniffers
Module 5 Sniffers
 
Defining Cyber Crime
Defining Cyber CrimeDefining Cyber Crime
Defining Cyber Crime
 
Network Forensics: Packet Analysis Using Wireshark
Network Forensics: Packet Analysis Using WiresharkNetwork Forensics: Packet Analysis Using Wireshark
Network Forensics: Packet Analysis Using Wireshark
 
Network Forensics - Your Only Choice at 10G
Network Forensics - Your Only Choice at 10GNetwork Forensics - Your Only Choice at 10G
Network Forensics - Your Only Choice at 10G
 
Network forensics
Network forensicsNetwork forensics
Network forensics
 
SDN and Named Data Networking Security
SDN and Named Data Networking SecuritySDN and Named Data Networking Security
SDN and Named Data Networking Security
 
Various OSI Layer Attacks and Countermeasure to Enhance the Performance of WS...
Various OSI Layer Attacks and Countermeasure to Enhance the Performance of WS...Various OSI Layer Attacks and Countermeasure to Enhance the Performance of WS...
Various OSI Layer Attacks and Countermeasure to Enhance the Performance of WS...
 
Ip trace ppt
Ip trace pptIp trace ppt
Ip trace ppt
 
Introduction to cyber forensics
Introduction to cyber forensicsIntroduction to cyber forensics
Introduction to cyber forensics
 
Deep Learning Based Real-Time DNS DDoS Detection System
Deep Learning Based Real-Time DNS DDoS Detection SystemDeep Learning Based Real-Time DNS DDoS Detection System
Deep Learning Based Real-Time DNS DDoS Detection System
 

Viewers also liked

BASIC IT AND CYBER SECURITY AWARENESS
BASIC IT AND CYBER SECURITY AWARENESSBASIC IT AND CYBER SECURITY AWARENESS
BASIC IT AND CYBER SECURITY AWARENESS
Md Abu Syeem Dipu
 
End User Security Awareness Presentation
End User Security Awareness PresentationEnd User Security Awareness Presentation
End User Security Awareness Presentation
Cristian Mihai
 
Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016
Imperva
 
Cyber Crime and Security
Cyber Crime and SecurityCyber Crime and Security
Cyber Crime and Security
Dipesh Waghela
 
Internet security powerpoint
Internet security powerpointInternet security powerpoint
Internet security powerpoint
Arifa Ali
 
Cybercrime.ppt
Cybercrime.pptCybercrime.ppt
Cybercrime.ppt
Aeman Khan
 
Cyber-crime PPT
Cyber-crime PPTCyber-crime PPT
Cyber-crime PPT
Anshuman Tripathi
 
Cyber security
Cyber securityCyber security
Cyber security
Siblu28
 
Cyber crime and security ppt
Cyber crime and security pptCyber crime and security ppt
Cyber crime and security ppt
Lipsita Behera
 

Viewers also liked (9)

BASIC IT AND CYBER SECURITY AWARENESS
BASIC IT AND CYBER SECURITY AWARENESSBASIC IT AND CYBER SECURITY AWARENESS
BASIC IT AND CYBER SECURITY AWARENESS
 
End User Security Awareness Presentation
End User Security Awareness PresentationEnd User Security Awareness Presentation
End User Security Awareness Presentation
 
Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016
 
Cyber Crime and Security
Cyber Crime and SecurityCyber Crime and Security
Cyber Crime and Security
 
Internet security powerpoint
Internet security powerpointInternet security powerpoint
Internet security powerpoint
 
Cybercrime.ppt
Cybercrime.pptCybercrime.ppt
Cybercrime.ppt
 
Cyber-crime PPT
Cyber-crime PPTCyber-crime PPT
Cyber-crime PPT
 
Cyber security
Cyber securityCyber security
Cyber security
 
Cyber crime and security ppt
Cyber crime and security pptCyber crime and security ppt
Cyber crime and security ppt
 

Similar to Lec 1 apln security(4pd)

S series presentation
S series presentationS series presentation
S series presentation
Sergey Marunich
 
Bloombase Spitfire Link Encryptor Server Brochure
Bloombase Spitfire Link Encryptor Server BrochureBloombase Spitfire Link Encryptor Server Brochure
Bloombase Spitfire Link Encryptor Server Brochure
Bloombase
 
Acme Packet Presentation Materials for VUC June 18th 2010
Acme Packet Presentation Materials for VUC June 18th 2010Acme Packet Presentation Materials for VUC June 18th 2010
Acme Packet Presentation Materials for VUC June 18th 2010
Michael Graves
 
ALOE Transit SBC rev.1 Brochure
ALOE Transit SBC rev.1 BrochureALOE Transit SBC rev.1 Brochure
ALOE Transit SBC rev.1 Brochure
ALOE Systems, Inc.
 
Intoto Linley Tech Utm Architecture Presentation
Intoto Linley Tech Utm Architecture PresentationIntoto Linley Tech Utm Architecture Presentation
Intoto Linley Tech Utm Architecture Presentation
saddepalli
 
CRENNO Technologies Network Consultancy & Session Border Controller Solut...
CRENNO Technologies Network Consultancy & Session Border Controller Solut...CRENNO Technologies Network Consultancy & Session Border Controller Solut...
CRENNO Technologies Network Consultancy & Session Border Controller Solut...
Erol TOKALACOGLU
 
Multicore I/O Processors In Virtual Data Centers
Multicore I/O Processors In Virtual Data CentersMulticore I/O Processors In Virtual Data Centers
Multicore I/O Processors In Virtual Data Centers
scarisbrick
 
Vpn
Vpn Vpn
Bulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat LandscapefinalBulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat Landscapefinal
Mahmoud Yassin
 
Contrail Enabler for agile cloud services
Contrail Enabler for agile cloud servicesContrail Enabler for agile cloud services
Contrail Enabler for agile cloud services
Juniper Networks (日本)
 
Lecture03 H
Lecture03 HLecture03 H
Lecture03 H
itsvineeth209
 
Clavister security for virtualized environment
Clavister security for virtualized environmentClavister security for virtualized environment
Clavister security for virtualized environment
nicolasotira
 
Cisco Connected Grid Solutions
Cisco Connected Grid SolutionsCisco Connected Grid Solutions
Cisco Connected Grid Solutions
Amos Simoes
 
Axial What We Do
Axial What We DoAxial What We Do
Axial What We Do
dmcleodglas
 
Risk Factory: PCI Shrink to Fit
Risk Factory: PCI Shrink to FitRisk Factory: PCI Shrink to Fit
Risk Factory: PCI Shrink to Fit
Risk Crew
 
Safety Monitoring system for a manufacturing workstation using Web Service Te...
Safety Monitoring system for a manufacturing workstation using Web Service Te...Safety Monitoring system for a manufacturing workstation using Web Service Te...
Safety Monitoring system for a manufacturing workstation using Web Service Te...
FAST-Lab. Factory Automation Systems and Technologies Laboratory, Tampere University of Technology
 
Ct 1 Danielson
Ct 1 DanielsonCt 1 Danielson
Ct 1 Danielson
guest43dc4b
 
Voip
VoipVoip
Network Virtualization in Windows Server 2012
Network Virtualization in Windows Server 2012Network Virtualization in Windows Server 2012
Network Virtualization in Windows Server 2012
Lai Yoong Seng
 
Oded nahum branch repeater 6 technical introduction
Oded nahum branch repeater 6 technical introductionOded nahum branch repeater 6 technical introduction
Oded nahum branch repeater 6 technical introduction
Digicomp Academy AG
 

Similar to Lec 1 apln security(4pd) (20)

S series presentation
S series presentationS series presentation
S series presentation
 
Bloombase Spitfire Link Encryptor Server Brochure
Bloombase Spitfire Link Encryptor Server BrochureBloombase Spitfire Link Encryptor Server Brochure
Bloombase Spitfire Link Encryptor Server Brochure
 
Acme Packet Presentation Materials for VUC June 18th 2010
Acme Packet Presentation Materials for VUC June 18th 2010Acme Packet Presentation Materials for VUC June 18th 2010
Acme Packet Presentation Materials for VUC June 18th 2010
 
ALOE Transit SBC rev.1 Brochure
ALOE Transit SBC rev.1 BrochureALOE Transit SBC rev.1 Brochure
ALOE Transit SBC rev.1 Brochure
 
Intoto Linley Tech Utm Architecture Presentation
Intoto Linley Tech Utm Architecture PresentationIntoto Linley Tech Utm Architecture Presentation
Intoto Linley Tech Utm Architecture Presentation
 
CRENNO Technologies Network Consultancy & Session Border Controller Solut...
CRENNO Technologies Network Consultancy & Session Border Controller Solut...CRENNO Technologies Network Consultancy & Session Border Controller Solut...
CRENNO Technologies Network Consultancy & Session Border Controller Solut...
 
Multicore I/O Processors In Virtual Data Centers
Multicore I/O Processors In Virtual Data CentersMulticore I/O Processors In Virtual Data Centers
Multicore I/O Processors In Virtual Data Centers
 
Vpn
Vpn Vpn
Vpn
 
Bulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat LandscapefinalBulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat Landscapefinal
 
Contrail Enabler for agile cloud services
Contrail Enabler for agile cloud servicesContrail Enabler for agile cloud services
Contrail Enabler for agile cloud services
 
Lecture03 H
Lecture03 HLecture03 H
Lecture03 H
 
Clavister security for virtualized environment
Clavister security for virtualized environmentClavister security for virtualized environment
Clavister security for virtualized environment
 
Cisco Connected Grid Solutions
Cisco Connected Grid SolutionsCisco Connected Grid Solutions
Cisco Connected Grid Solutions
 
Axial What We Do
Axial What We DoAxial What We Do
Axial What We Do
 
Risk Factory: PCI Shrink to Fit
Risk Factory: PCI Shrink to FitRisk Factory: PCI Shrink to Fit
Risk Factory: PCI Shrink to Fit
 
Safety Monitoring system for a manufacturing workstation using Web Service Te...
Safety Monitoring system for a manufacturing workstation using Web Service Te...Safety Monitoring system for a manufacturing workstation using Web Service Te...
Safety Monitoring system for a manufacturing workstation using Web Service Te...
 
Ct 1 Danielson
Ct 1 DanielsonCt 1 Danielson
Ct 1 Danielson
 
Voip
VoipVoip
Voip
 
Network Virtualization in Windows Server 2012
Network Virtualization in Windows Server 2012Network Virtualization in Windows Server 2012
Network Virtualization in Windows Server 2012
 
Oded nahum branch repeater 6 technical introduction
Oded nahum branch repeater 6 technical introductionOded nahum branch repeater 6 technical introduction
Oded nahum branch repeater 6 technical introduction
 

More from Santosh Khadsare

Cyber fraud (netflix)
Cyber fraud (netflix)Cyber fraud (netflix)
Cyber fraud (netflix)
Santosh Khadsare
 
INTERNET SECUIRTY TIPS
INTERNET SECUIRTY TIPSINTERNET SECUIRTY TIPS
INTERNET SECUIRTY TIPS
Santosh Khadsare
 
INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)
INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)
INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)
Santosh Khadsare
 
Linux forensics
Linux forensicsLinux forensics
Linux forensics
Santosh Khadsare
 
Windowsforensics
WindowsforensicsWindowsforensics
Windowsforensics
Santosh Khadsare
 
Smart card
Smart cardSmart card
Smart card
Santosh Khadsare
 
Guassvirus
GuassvirusGuassvirus
Guassvirus
Santosh Khadsare
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
Santosh Khadsare
 
Webmail
WebmailWebmail
Linux Forensics
Linux ForensicsLinux Forensics
Linux Forensics
Santosh Khadsare
 
Web server
Web serverWeb server
Web server
Santosh Khadsare
 
Samba server
Samba serverSamba server
Samba server
Santosh Khadsare
 
Firewall(linux)
Firewall(linux)Firewall(linux)
Firewall(linux)
Santosh Khadsare
 
Securitytips
SecuritytipsSecuritytips
Securitytips
Santosh Khadsare
 
Linux basics
Linux basicsLinux basics
Linux basics
Santosh Khadsare
 
Linuxfilesys
LinuxfilesysLinuxfilesys
Linuxfilesys
Santosh Khadsare
 
Linuxconcepts
LinuxconceptsLinuxconcepts
Linuxconcepts
Santosh Khadsare
 
Introtolinux
IntrotolinuxIntrotolinux
Introtolinux
Santosh Khadsare
 
New internet
New internetNew internet
New internet
Santosh Khadsare
 
Stuxnet flame
Stuxnet flameStuxnet flame
Stuxnet flame
Santosh Khadsare
 

More from Santosh Khadsare (20)

Cyber fraud (netflix)
Cyber fraud (netflix)Cyber fraud (netflix)
Cyber fraud (netflix)
 
INTERNET SECUIRTY TIPS
INTERNET SECUIRTY TIPSINTERNET SECUIRTY TIPS
INTERNET SECUIRTY TIPS
 
INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)
INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)
INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)
 
Linux forensics
Linux forensicsLinux forensics
Linux forensics
 
Windowsforensics
WindowsforensicsWindowsforensics
Windowsforensics
 
Smart card
Smart cardSmart card
Smart card
 
Guassvirus
GuassvirusGuassvirus
Guassvirus
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
 
Webmail
WebmailWebmail
Webmail
 
Linux Forensics
Linux ForensicsLinux Forensics
Linux Forensics
 
Web server
Web serverWeb server
Web server
 
Samba server
Samba serverSamba server
Samba server
 
Firewall(linux)
Firewall(linux)Firewall(linux)
Firewall(linux)
 
Securitytips
SecuritytipsSecuritytips
Securitytips
 
Linux basics
Linux basicsLinux basics
Linux basics
 
Linuxfilesys
LinuxfilesysLinuxfilesys
Linuxfilesys
 
Linuxconcepts
LinuxconceptsLinuxconcepts
Linuxconcepts
 
Introtolinux
IntrotolinuxIntrotolinux
Introtolinux
 
New internet
New internetNew internet
New internet
 
Stuxnet flame
Stuxnet flameStuxnet flame
Stuxnet flame
 

Lec 1 apln security(4pd)

  • 1. CYBER SECURITY AT APPLICATION LEVEL SANTOSH KHADSARE
  • 3. INVOLVES ALTERING THE RAW DATA JUST BEFORE A COMPUTER PROCESSES IT AND THEN CHANGING IT BACK AFTER PROCESSING IS COMPLETED  SECONDARY STATE BOARD  PRIVATE STUDENTS TOPPED OVER GOV T STUDENTS  6 DIGIT ROLL NUMBER  GOV T STUDENTS STARTS WITH 3  PRIVATE STUDENTS STARTS WITH 4  SOFT WARE MANIPULATION  FOR ROLL_ NO 3 if marks between 68 & 100 DEDUCT 9  FOR ROLL_ NO 4 if marks between 68 & 88 ADD 3 9
  • 4. 4
  • 5. 5
  • 6. Data  Information we keep on computers (product design, financial records, personnel data)  Lost time, lost sales, lost confidence  Resources  Unauthorized use of computer time & space  Reputation  Misrepresentation, forgery, negative publicity
  • 8. Confidentiality - Protection from unauthorized persons  Integrity - consistency of data; no unauthorized creation, alteration or destruction  Availability - ensuring access to legitimate users  Legitimate use - ensuring appropriate use by authorized users
  • 9. Functionality Moving Ball Security Ease of Use
  • 10. Intrusion - unauthorized access and use of systems  Denial of ser vice - an attack aimed at preventing use of company computers  email bomb or flooding/Internet worm  disabled, rerouted or replaced services  Information thef t - network taps, database access, hacking into sites to give out more info or to wrong parties
  • 11. Scanners • Key-loggers. • Trojans. • Remote Admin Toolkits. • Spyware. • Backdoors. • Worms. • Remote Sniffers. • Distributed Denial of Service.
  • 12. Security Services  Authentication (entity, data origin)  Access control (prevent unauthorized access)  Confidentiality (disclosure, encryption)  Data integrity (value of data item)  Non-repudiation (falsely denying a transaction)
  • 13. No Security - not an option  Security thru Obscurity - don’t tell anyone where your site is  Host Security - enforced security on each host; progressively difficult to manage as number of hosts increase  Network Security - control network access to hosts and services; firewalls, strong authentication, and encryption
  • 14. Biometrics, Cryptography, Smartcards, Confidentiality Confidentiality VPNs, Voice based Systems PKI Authentication Authentication Availability Availability Clustering, Redundancy, Digital Signatures, Hot Standby, Port PKI Mirroring Integrity Integrity Assurability Assurability Availability + Digital Signatures, Non-Repudiation Non-Repudiation Reliability PKI
  • 15. Information Security Info Security Measures States Components IN PROCESSING IN STORAGE IN TRANSMISSION As Strong As The Weakest Link …
  • 17. WAN / NETWORK BASED INTRANET FIREWALL MOBILE USER ROUTER ROUTER SWITCH PCs HQ ABC CORPS HQ XYZ CORPS SERVERS
  • 18. INTERNET Red Zone Fm ISP Layer 3 Switch WAN IP DMZ (Orange DMZ (Orange IDS Zone) Zone) WebServer FW IP 192.168.3. 2 DNS Server Cop L 2 SW 192.168.1.1 Green Zone Mail Server Green Zone L 2 SW To another L2 SW
  • 19. Gateway INTERNE V.35 ROUTE 136.0.0.1 136.0.0.2 136.0.0.3 T R IPS DMZ 136.0.0.4 L2 192.168.1.1 HW SW FW 192.168.2.1/26 192.168.1.2 192.168.1.3 192.168.1.4 L2 192.168.2.X/28 SW To OTHER NW SERVE SERVER SERVER VLAN LOCAL NW R Domain users . DNS . RAID . ANTI VIRUS . HTTP . RDBMS . HIPS NW TASK- TASK- . SMTP . DATABACKUP . SCANNER PRINT E AWAN 1 2 R BIOMETRIC 192.168.2.2 192.168.2.4 SENSOR . Secure disk BIOMETRIC . True Crypt SENSOR
  • 20. NETWORK BASED WAN FIREWALL MOBILE ANTI USER HOST BASED VIRUS ROUTER ROUTER SWITCH PCs HQ ABC CORPS HQ XYZ CORPS SERVERS
  • 21. Cyber Security is the set of "measures taken to protect a Cyber Security is the set of "measures taken to protect a computer or computer system (as on the Internet) against computer or computer system (as on the Internet) against unauthorized access or attack.“ unauthorized access or attack.“ This broad and all-encompassing cyber security definition This broad and all-encompassing cyber security definition poses a significant challenge for enterprises; therefore, it poses a significant challenge for enterprises; therefore, it is highly critical for enterprises to have an in-depth cyber is highly critical for enterprises to have an in-depth cyber security strategy and plan in place in order to provide the security strategy and plan in place in order to provide the maximum level of protection from cyber security risks at maximum level of protection from cyber security risks at not just the network perimeter but also the application not just the network perimeter but also the application layer. layer.
  • 24. An application is a program or group of programs An application is a program or group of programs designed for end users. Application software can be designed for end users. Application software can be divided into two general classes: systems software divided into two general classes: systems software and applications software .. and applications software  Systems software consists of low-level programs  Systems software consists of low-level programs that interact with the computer at a very basic level. that interact with the computer at a very basic level. This includes operating systems ,, compilers, and This includes operating systems compilers, and utilities for managing computer resources. utilities for managing computer resources. applications software (also called end-user applications software (also called end-user programs) includes database programs, word programs) includes database programs, word processors, and spreadsheets. Figuratively processors, and spreadsheets. Figuratively speaking, applications software sits on top of speaking, applications software sits on top of
  • 25. Application security encompasses measures taken Application security encompasses measures taken throughout the application's life-cycle to prevent throughout the application's life-cycle to prevent exceptions in the security policy of an application or the exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the underlying system (vulnerabilities) through flaws in the design, design, development, development, deployment, deployment, upgrade, upgrade, or or maintenance of the application. maintenance of the application.
  • 29. Most security Many software The flaws within professional are developers do not the software cause usually not have security as a a majority of the software main focus . vulnerability developers Software venders The computing The computing are trying to rush community is used community is used their products to to receiving to receiving markets with their software with software with eyes set on bugs and then bugs and then functionality not applying patches. applying patches. security.
  • 30. Hard and Soft and Soft and crunchy on chewy on chewy on the the inside the inside outside PP e r m e t e r eri ime ter ss e c u it y e c u rr it y In t t e r a l e In e r nn a l e v ir o is nn nment n is f f o r tf fe d orti i i i aa r e ee s y t v ir o n m e n t aa n d ss o f w a r r e aa o d oft s y t o ee x p o i t o xpl loi nc twa e aa n d ss li d n d oo ed hh a s bb e n a s ee o t o n c e aa c c s s r e e cce li d b t a in e e n o b t a in d . ess ed.
  • 31. Software controls – implemented by Operating Combination System of three
  • 32. Aplns and Cmptr systems are usually devp for functionality first, not security. To get the best of both, security and functionality will have to be designed and devp at the same time Developing aplns first and then trying to add security can cause problems: May reduce overall func Can open security holes when the apln is to be integrated with other aplns
  • 33. Security solns today look to solve problems through controls such as IDS, IPS, FWs, Avs, Vulnerability scanners, etc. This is because our SW contains many vulnerabilities. Our systems are hard on the outside and soft inside. Why? We have implemented strong perimeter defences, however our internal environment and SW is easy to exploit once access has been gained. Why are perimeter devices more often considered rather than developing secure SW?
  • 34. In the past, SW was devp for func and not security. Mainframe era. Many programmers do not have experience of secure coding. Most security professionals are not SW developers. Many SW developers do not have security as the main focus. SW vendors under tight deadlines to get products into market; security suffers. Customers cannot control flaws in the SW they purchase, so they must depend on perimeter protection. Thus the present day over-reliance on perimeter defences.
  • 35. Traditionally, we consumers have always demanded functionality from the aplns, with little thought to security. Only in the last 6 – 8 yrs, the focus is slowly shifting to functionality coupled with security.
  • 36. Security controls can be used for: Inputs Processing Output Devp controls with potential risks in mind. SW to be used in a closed trusted environment versus an open environment. .
  • 37. Goal is to: Prevent data corruption Prevent security compromises Reduce vulnerabilities. Controls can be preventive, detective and corrective. Can be in the form of administrative or physical controls; but are mostly technical in nature.
  • 38. Buggy SW is rel Buggy SW is rel Hackers find SW Hackers find SW vulnerabilities vulnerabilities Web sites post these vulnerabilities on Web sites post these vulnerabilities on Internet and methods of exploiting them Internet and methods of exploiting them SW vendor develops and releases SW SW vendor develops and releases SW patches to fix these vulnerabilities patches to fix these vulnerabilities The new patch goes on the stack of SW The new patch goes on the stack of SW patches that all NW admin need to test patches that all NW admin need to test and install and install
  • 39. NW admin today has to integrate various aplns and different computer systems. Coys today are rushing to devp aplns capable of taking on-line orders, storing credit card info and est extranets with business partners. All of this is an extremely complex activity. On top of all this security is expected and demands. As the complexity of the environment grows, tracking compromises and errors becomes a difficult task.
  • 40. SW controls are usually implemented nowadays through a mix of: OS controls Apln controls DB controls OS controls can control a subject’s access to an object. These controls do not restrict a subject’s action within an apln. Apln controls can ensure  only valid inputs are inserted, data is processed in the correct sequence, and only certain subjects can view data in sensitive fields.
  • 41. Aplns must draw a balance between Functionality and Security. Out of the box installation is always insecure. If an apln is extremely user friendly, it is probably not secure. Why? User friendly implies – extra lines of code. More lines of code – more the potential vulnerabilities.
  • 43. Also once vendors iden vulnerabilities and rel patches, NW admin may not apply them. Why? NW admin may not be up to date on current vulnerabilities and patches. They may not fully understand the imp of patches. They may be afraid that patches may cause other problems Bottomline – Insecure systems Also, If an apln fails – it must fail secure.
  • 44. Software Development Life Cycle SDLC stands for Software Development Life Cycle. A Software Development Life Cycle is essentially a series of steps, or phases, that provide a model for the development and lifecycle management of an application or piece of software. The methodology within the SDLC process can vary across industries and organizations, but standards such as ISO/IEC 12207 represent processes that establish a lifecycle for software, and provide a mode for the development, acquisition, and configuration of software systems.
  • 45. The intent of a SDLC process it to help produce a product that is cost-efficient, effective, and of high quality. Once an application is created, the SDLC maps the proper deployment and decommissioning of the software once it becomes a legacy.
  • 46. Project Initiation Functional Design Analysis and Plg System Design Specs SW Devp Installation/Implementation Operations / Maintenance Disposal
  • 48. Risks to databases Today more and more coys holding sensitive data (credit card info, stock inventory, etc) in DBs. Earlier employees only accessed DBs. Today DB connectivity provided to customers also (Eg – check online availability of an item). How do you secure DBs? Group users in different roles and assign rights and permissions to various roles. Customers are assigned a role to only view data; and that too only specific fields of data. Customers interact with the DB through a middleware (apln). Middleware checks roles and presents data as per permissions assigned to that role.
  • 49. Risks to databases – DB Integrity Concurrency Problem Occurs when a DB is accessed by more than one apln/users at the same time. SW lock used to overcome this. Processes lock tables within DB, make changes and then rel the SW lock. Next process can access DB only after the 1st process has rel the SW lock.
  • 50. Risks to databases – DB Integrity DB SW performs three main types of integrity services: Entity Integrity: Every row (record) is uniquely iden by a primary key. Referential Integrity: All foreign keys reference existing primary keys. Semantic Integrity: Rules pertaining to data types, logical values are enforced.
  • 51. Risks to databases – DB Integrity Other Operations in DB SW to protect integrity of data: Rollback: An operation that ends a current transaction and cancels current changes to a DB. The DB reverts to its previous state. Could be changes to the data / schema. Roll back occurs when the DB experiences a glitch or if processing sequence is disrupted.
  • 52. Risks to databases – DB Integrity Other Operations in DB SW to protect integrity of data: Commit: This operation completes a transaction and executes all changes just made by the user. DB is updated to reflect the latest changes. If commit cannot complete correctly, a rollback is performed. Ensures that partial changes do not take place and data is not corrupted.
  • 53. Risks to databases – DB Integrity Other Operations in DB SW to protect integrity of data: Savepoints: Same like system restore in Win OS. If a system failure takes place, the DB attempts to revert to the previous savepoint. Setting savepoints consumes resources. Bal to be stuck between No of Savepoints and not enough of them. Savepoints can be initiated by a time interval, user action, or No of transactions. Savepoint restores data by enabling user to go back in time before the system crashed.
  • 54. Risks to databases – DB Integrity Other Operations in DB SW to protect integrity of data: Checkpoints: Similar to Savepoints. When a specific amt of mem is filled, a checkpoint is triggered. This saves data from mem to a temp file. If system crashes, the DB will attempt to restore data from this temp file.
  • 55. A few Database Attacks Brute Force attacks against Passwords Default Username and passwords not changed by the sys admin Eg: “scott”; “tiger” - username/password combination in Oracle DB till 11g ver. Microsoft SQL Server – came with default (publically known) passwords. Easily guessable passwords chosen by sys admin..
  • 56. A few Database Attacks Privilege Escalation Gen happens due to mis-configuration of database or underlying OS. Eg: A low privilege user has read rights only. However, he can read all colns in the DB incl colns holding credit card info. (mis-configuration – Restd DB views were not enforced).
  • 57. A few Database Attacks Exploiting unused / un-necessary services Eg: Listener service in Oracle DB. It seeks out and fwds network connection requests to Oracle DB. When an apln has to access a DB – poorly written aplns can cause connections w/o authentication and authorisation. Install only those features that you need to use. If you don’t install a feature, you don’t have to patch it up later.
  • 58. A few Database Attacks Exploiting unused / un-necessary services. Very Imp: Patch up DBs as and when patches are rel by the vendor. Gen sys admins avoid patching. Why?: Prevent downtime of the DB. Does not understand patches and what they do Do not have time to test patches May fear that patches may cause some other problems.
  • 59. A few Database Attacks Stolen Backups Gen an insider attack. If backup data is un-encypted, the attacker does not need to hack into a DB. Another problem with backups – too many versions of backups. Problem in tracking all ver.
  • 60. A few Database Attacks SQL Injection Occurs when the fields available for user input allows SQL stmts to be inputted. Gen, this attack takes place on the middleware; which connects to the backend DB. Eg: If an attacker gets a username/password screen, he can input an SQL stmt which is passed by the apln server to the DB and gets executed toentry to the DB. Gen the result of poor programming practices.

Editor's Notes

  1. Is authentication and authorisation reqd? Is encryption needed? Will the apln interface with other aplns? Will the product be directly accessed by the Internet? Preventive ctrls (encryption, unique user login), detective ctrl (audit modules) and corrective controls (for data integrity) are iden in this phase.
  2. Baseline docu creation – inputs from design docu. Design freeze – no more func can be added after this. Design freeze is intended to prevent scope creep . $1 to prevent a problem; $10 to correct a mistake during production; $100 to correct mistake after product has reached end users/customers.
  3. Access control mechanisms are chosen now. Encryption method and algorithm are chosen.
  4. Imp that pgmrs use secure coding practices. Prevent buffer overflow (check input lengths), verify syntax, perform checksums, ensure correct data format entry. SW devp in distinct modules; Each module has specific func; Modules logically chained together to form finished SW. modular design helps maintainability of finished SW. Indl modules can be updated or repl with ease. Modular design – different teams can work on different modules. High cohesion – each module performs only one task or similarly related tasks. Low coupling – a module should not rely on too many different modules to work. Eg- a modul;e performing only addition or (addn, subtraction and multiplication(similar job)) is said to have high cohesion. If module A needs to send data to module B, C and D to perform its task – it is high coupling (not desirable). Pers testing codes to be different than the developers. Use separate environment for code developing, testing and final production environment. – separation of duties. Backdoors (a specific key combination to bypass all access controls and get to the code; also called maint hooks. Remove before sending SW into production.