Download to read offline
![Critical Infrastructure Areas
… telecommunications, electrical power systems, gas and
oil, banking and finance, transportation, water supply
systems, government services and emergency services.
[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
* 1.4](https://image.slidesharecdn.com/securitythreatsvulnerabilities-240209175811-d8d8e444/85/Security_Threats_and_Vulnerabilities-in-Computer-System-4-320.jpg)
![“Secure” Computer System
• To decide whether a computer system is “secure”, you must first decide
what “secure” means to you, then identify the threats you care about.
• Some threats are named in the ovals
Virus
Identity
Theft
Denial
of
Service
of
Service
Espion
age
Stolen
Custom
er
Data
Modifie
d
Databas
es
Cyberter
rorism
Equip
ment
Theft
[cf. Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
* 1.7](https://image.slidesharecdn.com/securitythreatsvulnerabilities-240209175811-d8d8e444/85/Security_Threats_and_Vulnerabilities-in-Computer-System-7-320.jpg)
![1.15
Passwords
Strong Passwords:
⮚ Contains both upper and lower case characters
⮚ Includes digits and punctuation characters as well as letters (!@#$%^&*()_+|~
-=`{}[]:”;’<>?,./)
⮚ Has at least eight characters
⮚ Does not contain a word in any language, slang, dialect, jargon, etc.
⮚ Is not based on personal information, names of family, etc.
Weak Passwords:
⮚ Contains less than eight characters
⮚ Is a word found in a dictionary (English or foreign)
⮚ Is a common usage word such as: Names of family, pets, friends, co-workers, fantasy
characters, etc.
⮚ Computer terms and names, commands, sites, companies, hardware, software,
sport team
⮚ Birthdays and other personal information such as addresses, phone numbers, or
license plates
⮚ Word or number patterns like aaabbb, qwerty, 9876543
⮚ Any of the above spelled backwards.
⮚ Any of the above preceded or followed by a digit (battleship52)](https://image.slidesharecdn.com/securitythreatsvulnerabilities-240209175811-d8d8e444/85/Security_Threats_and_Vulnerabilities-in-Computer-System-15-320.jpg)
![Types of Malicious Code
Trapdoors
Trojan Horses
Bacteria
Logic Bombs
Worms
Viruses
X
Files
[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]](https://image.slidesharecdn.com/securitythreatsvulnerabilities-240209175811-d8d8e444/85/Security_Threats_and_Vulnerabilities-in-Computer-System-20-320.jpg)
![Bacterium - A specialized form of virus which does not attach to a specific file.
Usage obscure.
Logic bomb - Malicious [program] logic that activates when specified conditions
are met. Usually intended to cause denial of service or otherwise damage system
resources.
Trapdoor - A hidden computer flaw known to an intruder, or a hidden computer
mechanism (usually software) installed by an intruder, who can activate the trap
door to gain access to the computer without being blocked by security services or
mechanisms.
Trojan horse - A computer program that appears to have a useful function, but also
has a hidden and potentially malicious function that evades security mechanisms,
sometimes by exploiting legitimate authorizations of a system entity that invokes the
program.
Virus - A hidden, self-replicating section of computer software, usually malicious
logic, that propagates by infecting (i.e., inserting a copy of itself into and becoming
part of) another program. A virus cannot run by itself; it requires that its host
program be run to make the virus active.
Worm - A computer program that can run independently, can propagate a complete
working version of itself onto other hosts on a network, and may consume computer
resources destructively.
[…more types of malicious code exist…] [bacterium: http://sun.soci.niu.edu/~rslade/secgloss.htm, other: http://www.ietf.org/rfc/rfc2828.txt]](https://image.slidesharecdn.com/securitythreatsvulnerabilities-240209175811-d8d8e444/85/Security_Threats_and_Vulnerabilities-in-Computer-System-21-320.jpg)
Security_Threats_and_Vulnerabilities in Computer System
- 1. Security, Threats and Vulnerabilities by Dr.Smita Chaudhari Assistant Professor, Department of Computer Engineering, Marathwada Mitra Mandal’s College of Engineering, Pune 1.1
- 2. Outline ● Basics ofthreat and Vulnerability ● Threat Modelling ● Password Cracking ● Insecure Network Connections ● Malicious Code ● Programming bugs
- 3. Basics of threatand Vulnerability
- 4. Critical Infrastructure Areas …telecommunications, electrical power systems, gas and oil, banking and finance, transportation, water supply systems, government services and emergency services. [Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington] * 1.4
- 5. Vulnerabilities, Threats, Attacks,Controls • Vulnerability is a weakness in the security system (i.e., in procedures, design, or implementation), that might be exploited to cause loss or harm. • Threat to a computing system is a set of circumstances that has the potential to cause loss or harm i.e. a potential violation of security • A human (criminal) who exploits a vulnerability perpetrates an attack on the system. • How do we address these problems? • We use a control as a protective measure. • That is, a control is an action, device, procedure, or technique that removes or reduces a vulnerability. * 1.5
- 6. Threat and Vulnerability 6 Relationshipamong threats, controls, and vulnerabilities: • A threat is blocked by control of a vulnerability. • To devise controls, we must know as much about threats as possible. The fact that the violation might occur means that the actions that might cause it should be guarder against. *
- 7. “Secure” Computer System •To decide whether a computer system is “secure”, you must first decide what “secure” means to you, then identify the threats you care about. • Some threats are named in the ovals Virus Identity Theft Denial of Service of Service Espion age Stolen Custom er Data Modifie d Databas es Cyberter rorism Equip ment Theft [cf. Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington] * 1.7
- 8. Types of Threats FromSecurity in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved. 8
- 9. 1.9 Threats •Spoofing identity: illegalaccess & use of another user’s information •Tampering with data: malicious modification of data •Repudiation: associated with users who deny performing an action without other parties having any way to prove otherwise •Information disclosure: exposure of information to individual who are not supposed to have access to it. •Denial of service: Deny service to valid users •Elevation of privilege: Unpriviledged user gains priviledged access
- 10.
- 11.
- 12.
- 13.
- 14.
- 15. 1.15 Passwords Strong Passwords: ⮚ Containsboth upper and lower case characters ⮚ Includes digits and punctuation characters as well as letters (!@#$%^&*()_+|~ -=`{}[]:”;’<>?,./) ⮚ Has at least eight characters ⮚ Does not contain a word in any language, slang, dialect, jargon, etc. ⮚ Is not based on personal information, names of family, etc. Weak Passwords: ⮚ Contains less than eight characters ⮚ Is a word found in a dictionary (English or foreign) ⮚ Is a common usage word such as: Names of family, pets, friends, co-workers, fantasy characters, etc. ⮚ Computer terms and names, commands, sites, companies, hardware, software, sport team ⮚ Birthdays and other personal information such as addresses, phone numbers, or license plates ⮚ Word or number patterns like aaabbb, qwerty, 9876543 ⮚ Any of the above spelled backwards. ⮚ Any of the above preceded or followed by a digit (battleship52)
- 16.
- 17.
- 18. 1.18 Insecure Network Connections Characteristicsof a non-secure communication: ● Non-HTTPS communication ● Unsecured Firewall ● Improper network connections e.g. free Wifi system ● Application layer problem e.g. username and password in the url of a website
- 19.
- 20. Types of MaliciousCode Trapdoors Trojan Horses Bacteria Logic Bombs Worms Viruses X Files [Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
- 21. Bacterium - Aspecialized form of virus which does not attach to a specific file. Usage obscure. Logic bomb - Malicious [program] logic that activates when specified conditions are met. Usually intended to cause denial of service or otherwise damage system resources. Trapdoor - A hidden computer flaw known to an intruder, or a hidden computer mechanism (usually software) installed by an intruder, who can activate the trap door to gain access to the computer without being blocked by security services or mechanisms. Trojan horse - A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program. Virus - A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting (i.e., inserting a copy of itself into and becoming part of) another program. A virus cannot run by itself; it requires that its host program be run to make the virus active. Worm - A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively. […more types of malicious code exist…] [bacterium: http://sun.soci.niu.edu/~rslade/secgloss.htm, other: http://www.ietf.org/rfc/rfc2828.txt]
- 22.
- 23. 1.23 Programming Bugs ● Improperinput validation ● Improper encoding and escaping of output ● Error message information leak ● Failure to constrain operations within the boundary of a memory buffer ● Improper access control ● Hard-coded passwords ● Execution with unnecessary privileges
- 24.