Principles of Information Security, Fourth Edition
Chapter 2
Why Security is Needed
Learning Objectives
• Upon completion of this material, you should be able to:
– Demonstrate that organizations have a business need for information security
– Explain why a successful information security program is the responsibility of both an organization’s general management and IT management
Learning Objectives (cont’d.)
– Identify the threats posed to information security and the more common attacks associated with those threats, and differentiate threats to the information within systems from attacks against the information within systems
– Describe the issues facing software developers, as well as the most common errors made by developers, and explain how software development programs can create software that is more secure and reliable
Introduction
• The primary mission of information security is to ensure that systems and their contents remain unchanged.
• If no threats existed, resources could be focused on improving systems, resulting in vast improvements in ease of use and usefulness.
• Attacks on information systems are a daily occurrence.
Business Needs First
• Information security performs four important functions for an organization:
– Protects the organization’s ability to function
– Enables safe operation of applications implemented on its IT systems
– Protects data the organization collects and uses
– Safeguards technology assets in use
Protecting the Functionality of an Organization
• Management (general and IT) is responsible for implementing the controls that protect the organization’s ability to function.
• Information security is both a management issue and a people issue; it must not be isolated as a purely technical problem.
• The organization should address information security in terms of business impact and cost.
Enabling the Safe Operation of Applications
• Today’s organizations are under immense pressure to create and operate integrated, efficient, and capable applications. Thus:
– The organization needs environments that safeguard applications using IT systems.
– Management must continue to oversee the infrastructure once it is in place rather than relegating it to the IT department.
Protecting Data that Organizations Collect and Use
• Without data, an organization loses its record of transactions and/or its ability to deliver value to customers.
• Therefore, it must be able to protect data in motion and data at rest, since both are critical aspects of information security.
• An effective information security program is essential to the protection of the integrity and value of the organization’s data.
Safeguarding Technology Assets in Organizations
• To perform effectively, organizations must employ secure infrastructure services appropriate to the size and scope of the enterprise.
• Additional security services may be needed as the organization grows.
• More robust solutions may be needed to replace security programs the organization has outgrown.
Safeguarding Technology Assets in Organizations
• For instance, a small business may start by using an e-mail service provided by an ISP and augmented with a personal encryption tool. When an organization grows, it must develop additional security services. For example:
– organizational growth could lead to the need for:
• a public key infrastructure (PKI),
• an integrated system of software,
• encryption methodologies, and
• legal agreements that can be used to support the entire information infrastructure.
Safeguarding Technology Assets in Organizations
• An example of a robust solution is a firewall, a mechanism that keeps certain kinds of network traffic out of a private network.
• Another example is a caching network appliance, a device that stores local copies of Internet content, such as Web pages that are frequently accessed by employees. The appliance displays the cached pages to users rather than accessing the pages from the server each time.
Threats
• To protect your organization’s information, you must:
– (1) know yourself; that is, be familiar with the information to be protected and the systems that store, transport, and process it;
– and (2) know the threats you face.
• To make sound decisions about information security, create policies and enforce them; management must be informed of the various kinds of threats facing the organization, its applications, data, and information systems.
Threats
• Threat: an object, person, or other entity that represents a constant danger to an asset.
• Management must be informed of the different threats facing the organization (by whom?)
• Overall security is improving, according to surveys.
Threats
• To investigate the wide range of threats that pervade the interconnected world, researchers have interviewed practicing information security personnel and examined the information security literature.
• To better understand the numerous threats facing the organization, a categorization scheme has been developed that groups threats by their respective activities.
• The 2009 Computer Security Institute/Federal Bureau of Investigation (CSI/FBI) Computer Crime and Security Survey found:
– 64 percent of organizations had malware infections
– 14 percent indicated system penetration by an outsider
Table 2-1 Threats to Information Security
Figure 2-1 World Internet usage
Compromises to Intellectual Property
• Many organizations create or support the development of intellectual property as part of their business operations.
• Intellectual property (IP): “ownership of ideas and control over the tangible or virtual representation of those ideas”
• Intellectual property for an organization includes trade secrets, copyrights, trademarks, and patents.
Compromises to Intellectual Property
• Once intellectual property (IP) has been defined and properly identified, breaches of IP constitute a threat to the security of this information.
• The most common IP breaches involve the unlawful use or duplication of software-based intellectual property, known as software piracy.
Compromises to Intellectual Property
• In addition to the laws surrounding software piracy, two watchdog organizations investigate software abuse:
– Software & Information Industry Association (SIIA)
– Business Software Alliance (BSA)
• Enforcement of copyright law has been attempted with a number of technical security mechanisms, including digital watermarks and embedded codes.
Deliberate Software Attacks
• Malicious software (malware) is software designed to damage, destroy, or deny service to target systems; common instances of malicious code are:
– Viruses
– Worms
– Trojan horses
– Logic bombs
– Back doors or trap doors
– Polymorphic threats
– Virus and worm hoaxes
Deliberate Software Attacks
• Computer viruses are segments of code that perform malicious actions.
• This code behaves very much like a virus pathogen attacking animals and plants, using the cell’s own replication machinery to propagate and attack.
• The code attaches itself to an existing program and takes control of that program’s access to the targeted computer.
Deliberate Software Attacks
• The macro virus is embedded in automatically executing macro code, common in office software such as word processors, spreadsheets, and database applications.
• The boot virus infects the key operating system files located in a computer’s boot sector.
Deliberate Software Attacks
• Worms: malicious programs that replicate themselves constantly without requiring another program to provide a safe environment for replication.
• Worms can continue replicating themselves until they completely fill available resources, such as memory, hard drive space, and network bandwidth.
Deliberate Software Attacks
• Trojan horses: software programs that hide their true nature and reveal their designed behavior only when activated.
• Trojan horses are frequently disguised as helpful, interesting, or necessary pieces of software, such as readme.exe files often included with shareware or freeware packages.
• A Trojan horse can monitor your activities in the system and transmit the information to the hacker.
Deliberate Software Attacks
• Back door or trap door: a virus or worm can carry a payload that installs a back door or trap door component in a system.
• This allows the attacker to access the system with special privileges.
Deliberate Software Attacks
• Polymorphism: a threat that changes its apparent shape over time to antivirus software, presenting a new threat that is not detectable by techniques looking for a preconfigured signature.
• These threats actually evolve, changing their size and appearance to elude detection by antivirus software, making detection more of a challenge.
• The emergence of polymorphic threats is one of the biggest challenges to fighting viruses and worms.
Deliberate Software Attacks
• Virus and worm hoaxes: this type of threat is as frustrating as real viruses and worms.
• Perhaps more time and money is spent on resolving virus hoaxes (a hoax is a fabrication, not a real threat).
• Why?
– People can disrupt the harmony and flow of an organization when they send group e-mails warning of supposedly dangerous viruses that don’t exist.
– Users forward the warning message to everyone they know, post the message on bulletin boards, and try to update their antivirus protection software.
Deliberate Software Attacks
• Virus and worm hoaxes
– A number of Internet resources enable individuals to research viruses to determine whether they are fact or fiction.
– For the latest information on real, threatening viruses and hoaxes, along with other relevant and current security information, visit the CERT Coordination Center at www.cert.org
– For the latest virus, worm, and hoax information, visit the Hoax-Slayer Web site at www.hoax-slayer.com
Figure 2-4 Trojan Horse Attack
Deviations in Quality of Service
• This category represents situations where products or services are not delivered as expected.
• An organization’s information system depends on the successful operation of many interdependent support systems, including:
– power grids, telecom networks, parts suppliers, service vendors, and even the janitorial staff and garbage haulers.
– Internet service, communications, and power irregularities dramatically affect the availability of information and systems.
Deviations in Quality of Service (cont’d.)
• Internet service issues
– For organizations that rely heavily on the Internet and the Web to support continued operations, the potential loss of Internet service can lead to a considerable loss in the availability of information.
– Thus Internet service provider (ISP) failures can considerably undermine the availability of information.
– When an organization places its Web servers in the care of a Web hosting provider, that outsourcer assumes responsibility for all Internet services as well as for the hardware and operating system software used to operate the Web site.
Deviations in Quality of Service (cont’d.)
• Communications and other service provider issues
– Other utility services affect organizations:
• telephone, water, wastewater, trash pickup, etc.
– The threat of loss of these services can lead to the inability of an organization to function properly.
Deviations in Quality of Service (cont’d.)
• The threat of irregularities from power utilities is common and can lead to fluctuations such as power excesses, power shortages, and power losses.
– Organizations with inadequately conditioned power are susceptible.
– Controls can be applied to manage power quality.
Deviations in Quality of Service (cont’d.)
• Fluctuations (short or prolonged)
– When voltage levels spike (experience a momentary increase) or surge (experience a prolonged increase), the extra voltage can severely damage or destroy equipment.
– A sag (a momentary low voltage) or a brownout (a more prolonged drop in voltage) can cause systems to shut down or reset, or otherwise disrupt availability.
– A complete loss of power for a moment is known as a fault, and a more lengthy loss as a blackout.
Deviations in Quality of Service (cont’d.)
• Thus, as stated above: since sensitive electronic equipment, especially networking equipment, computers, and computer-based systems, is susceptible to fluctuations, controls can be applied to manage power quality.
Espionage or Trespass
• Access of protected information by unauthorized individuals.
• When an unauthorized individual gains access to the information an organization is trying to protect, that act is categorized as a deliberate act of espionage or trespass.
• When information gatherers employ techniques that cross the threshold of what is legal and/or ethical, they enter the world of industrial espionage.
Espionage or Trespass
• Instances of shoulder surfing occur at computer terminals, desks, ATM machines, public phones, or other places where a person is accessing confidential information.
• The threat of trespass can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.
• Thus, controls are sometimes implemented to mark the boundaries of an organization’s virtual territory.
• These boundaries give notice to trespassers that they are encroaching on the organization’s cyberspace.
Espionage or Trespass
• The classic perpetrator of deliberate acts of espionage or trespass is the hacker.
• Competitive intelligence (legal) vs. industrial espionage (illegal)
• Hackers use skill, guile, or fraud to bypass controls protecting others’ information.
Figure 2-5 Shoulder Surfing
Figure 2-6 Hacker Profiles
Espionage or Trespass (cont’d.)
Generally there are two skill levels among hackers:
• Expert hacker
– Develops software scripts and program exploits used by the unskilled hacker
– Usually a master of several programming languages, networking protocols, and operating systems
– Will often create attack software and share it with others
• Unskilled hacker
– Many more unskilled hackers than expert hackers
– Use expertly written software to exploit a system
– Do not usually fully understand the systems they hack
Espionage or Trespass (cont’d.)
• Other terms for system rule breakers:
– Cracker: “cracks” or removes software protection designed to prevent unauthorized duplication
– Phreaker: hacks the public telephone network
Forces of Nature
• Events of nature can cause the most dangerous threats, because they are unexpected and can occur with very little warning.
• These threats disrupt not only individual lives, but also the storage, transmission, and use of information.
• Organizations must implement controls to limit damage and prepare contingency plans for continued operations.
Forces of Nature
• These include fire, flood, earthquake, lightning, landslide or mudslide, tornado or severe windstorm, hurricane or typhoon, tsunami, electrostatic discharge, and dust contamination.
• Since it is not possible to avoid many of these threats, management must implement controls to limit damage and also prepare contingency plans for continued operations.
Human Error or Failure
• This category includes the possibility of acts performed without intent or malicious purpose by an individual who is an employee of the organization. This can result from:
– Inexperience
– Improper training
– Incorrect assumptions
• Employees constitute one of the greatest threats to information security, as they are the individuals closest to the organizational data.
Human Error or Failure (cont’d.)
• Employee mistakes can easily lead to:
– Revelation of classified data
– Entry of erroneous data
– Accidental data deletion or modification
– Data storage in unprotected areas
– Failure to protect information
• Many threats can be prevented with controls, ranging from:
– Simple procedures, such as requiring the user to type a critical command twice,
– To more complex procedures, such as the verification of commands by a second party.
Figure 2-8 Acts of Human Error or Failure
Information Extortion
• An attacker steals information from a computer system and demands compensation for its return or for an agreement not to disclose the information.
• Extortion is common in credit card number theft.
Missing, Inadequate, or Incomplete Organizational Policy or Planning
• Missing, inadequate, or incomplete policy or planning can make organizations vulnerable to loss, damage, or disclosure of information assets.
• Missing, inadequate, or incomplete controls can make an organization more likely to suffer losses when other threats lead to attacks.
• Information security is, at its core, a management function.
Missing, Inadequate, or Incomplete Organizational Policy or Planning
• The organization’s executive leadership is responsible for strategic planning for security as well as for IT and business functions, a task known as governance.
• Thus, security safeguards and information asset protection controls that are missing, misconfigured, antiquated, or poorly designed or managed make an organization more likely to suffer losses when other threats lead to attacks.
Sabotage or Vandalism
• Equally popular today is the assault on the electronic face of an organization, its Web site.
• This category of threat involves the deliberate sabotage of:
– a computer system or business, or acts of vandalism to either destroy an asset or damage the image of an organization.
• These threats can range from petty vandalism by employees to organized sabotage against an organization.
Sabotage or Vandalism
• Organizations frequently rely on image to support the generation of revenue, so if an organization’s Web site is defaced:
– a drop in consumer confidence is probable, reducing the organization’s sales and net worth.
• Compared to Web site defacement, vandalism within a network is more malicious in intent and less public.
Sabotage or Vandalism
• Today, security experts are noticing a rise in another form of online vandalism, described as hacktivist or cyberactivist operations, which interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
• A hacktivist uses the same tools and techniques as a hacker, but does so in order to disrupt services and bring attention to a political or social cause.
Sabotage or Vandalism
• A more extreme version is referred to as cyberterrorism.
• Cyberterrorism: a much more sinister form of hacking.
• Cyberterrorists hack systems to conduct terrorist activities via network or Internet pathways.
• The first noticeable occurrence of this kind of attack was on October 21, 2002, when a distributed denial-of-service (DDoS) attack struck the 13 root servers that provide the primary road map for all Internet communications.
Sabotage or Vandalism
• Nine of these thirteen servers were jammed.
• The problem was taken care of in a short period of time.
• While this attack was significant, the results were not noticeable to most users of the Internet.
• A news report shortly after the attack noted that “the attack, at its peak, only caused 6 percent of domain name service requests to go unanswered.”
Figure 2-9 Cyber Activists Wanted
Theft
• Theft is the illegal taking of another’s physical, electronic, or intellectual property.
• Within an organization, that property can be physical, electronic, or intellectual.
• The value of information suffers when it is copied and taken away without the owner’s knowledge.
• Physical theft is controlled relatively easily.
• A wide variety of measures can be used, from simple locked doors to trained security personnel and the installation of alarm systems.
Theft
• Electronic theft is a more complex problem to manage and control.
• Evidence of the crime is not readily apparent.
• Organizations may not even know it has occurred.
Technical Hardware Failures or Errors
• Large quantities of computer code are written, debugged, published, and sold before all their bugs are detected and resolved.
• Technical hardware failures or errors occur when a manufacturer distributes equipment containing a known or unknown flaw to users.
• These defects can cause the system to perform outside of expected parameters, resulting in unreliable service or lack of availability.
Technical Software Failures or Errors
• This category of threats comes from purchasing software with unknown, hidden faults.
• Sometimes, unique combinations of certain software and hardware reveal new bugs.
• Sometimes, these items aren’t errors but are purposeful shortcuts left by programmers for honest or dishonest reasons.
• Some errors are terminal, that is, they result in the unrecoverable loss of the equipment.
• Some errors are intermittent, in that they only periodically manifest themselves, resulting in faults that are not easily repeated; thus, equipment can sometimes stop working, or work in unexpected ways.
Technological Obsolescence
• When the infrastructure becomes antiquated or outdated, it leads to unreliable and untrustworthy systems.
• Management must recognize that when technology becomes outdated, there is a risk of loss of data integrity to threats and attacks.
• Ideally, proper planning by management should prevent the risks from technology obsolescence, but when obsolescence is identified, management must take immediate action.
• IT plays a large role.
Attacks
• Attacks
– Acts or actions that exploit a vulnerability (i.e., an identified weakness) in a controlled system
– Accomplished by a threat agent that damages or steals an organization’s information or physical asset
– An exploit is a technique used to compromise a system.
– A vulnerability is an identified weakness of a controlled system whose controls are not present or are no longer effective.
Attacks
• Types of attacks
– (1) Malicious code:
• Includes the execution of viruses, worms, Trojan horses, and active Web scripts with intent to destroy or steal information
• The state of the art in attacking systems in 2002 was the multivector worm.
• These attack programs use up to six known attack vectors to exploit a variety of vulnerabilities in commonly found information system devices.
Attacks
• Types of attacks
– (2) Hoaxes:
• A more devious attack on computer systems is the transmission of a virus hoax with a real virus attached.
• When the attack is masked in a seemingly legitimate message, unsuspecting users more readily distribute it.
• Even though these users are trying to do the right thing to avoid infection, they end up sending the attack on to their coworkers and friends and infecting many users along the way.
Table 2-2 Attack Replication Vectors
Attacks (cont’d.)
• Types of attacks (cont’d.)
– Back door: gaining access to a system or network using a known or previously unknown/newly discovered access mechanism
– Password crack: attempting to reverse-calculate a password
– Brute force: the application of computing and network resources to try every possible combination of options of a password
– Dictionary: narrows the field by selecting specific accounts to attack and uses a list of commonly used passwords (the dictionary) to guess with
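The brute-force and dictionary attacks above are what a password policy defends against, so a defender's version of the same reasoning is a policy check: estimate how large the keyspace a password is drawn from really is (the cost of brute force) and test whether the password is a trivial variant of a common word (what a dictionary attack would find first). The following is an added example, not code from the book or the slides; the small word list, the leetspeak substitutions and the guess rate of 1e10 per second are constructed assumptions for illustration.

```python
import re
import string

# Constructed sample of commonly used passwords (illustrative only; a real
# check would consult a large list of breached or common passwords).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Character substitutions an attacker's dictionary would also try ("leetspeak").
LEET_MAP = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
)

# Assumed guess rate for the worst-case calculation (an illustrative figure,
# not a measurement of any particular cracking setup).
ASSUMED_GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365 * 24 * 3600


def normalize(candidate: str) -> str:
    """Reduce a password to the dictionary word an attacker would derive it from:
    strip trailing digits/punctuation, lower-case, undo leetspeak
    ('P@ssw0rd!1' -> 'password')."""
    stripped = re.sub(r"[\d\W_]+$", "", candidate) or candidate
    return stripped.lower().translate(LEET_MAP)


def in_dictionary(candidate: str) -> bool:
    """True if the password, raw or normalized, is a common word: a dictionary
    attack would guess it in a handful of attempts."""
    forms = {candidate.lower(), normalize(candidate)}
    return bool(forms & COMMON_PASSWORDS)


def alphabet_size(candidate: str) -> int:
    """Size of the union of standard character classes the password draws from."""
    size = 0
    if any(c in string.ascii_lowercase for c in candidate):
        size += 26
    if any(c in string.ascii_uppercase for c in candidate):
        size += 26
    if any(c in string.digits for c in candidate):
        size += 10
    if any(c in string.punctuation for c in candidate):
        size += len(string.punctuation)  # 32 symbols
    return size


def brute_force_seconds(candidate: str) -> float:
    """Worst-case time to exhaust the keyspace the password was drawn from."""
    return alphabet_size(candidate) ** len(candidate) / ASSUMED_GUESSES_PER_SECOND


def assess(candidate: str) -> str:
    """Policy verdict: 'dictionary' (few guesses needed), 'weak' (keyspace
    exhaustible within a year at the assumed rate) or 'ok'."""
    if in_dictionary(candidate):
        return "dictionary"
    if brute_force_seconds(candidate) < SECONDS_PER_YEAR:
        return "weak"
    return "ok"


if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ["P@ssw0rd!1", "Tr0ub4dor", "xk9#Lq2$vB7!pR"]:
        print(f"{pw!r}: {assess(pw)} (~{brute_force_seconds(pw):.3g} s to exhaust)")
```

The point the two functions make together: the dictionary check catches 'P@ssw0rd!1' even though its character-class count looks strong, because an attacker's dictionary applies the same substitutions; the keyspace estimate shows that a nine-character mixed password is still exhaustible in days at the assumed rate, while length is what pushes the cost past a year.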
Attacks (cont’d.)
• Types of attacks (cont’d.)
– Denial-of-service (DoS): the attacker sends a large number of connection or information requests to a target
• The target system cannot handle them successfully along with other, legitimate service requests
• May result in a system crash or inability to perform ordinary functions
– Distributed denial-of-service (DDoS): an attack in which a coordinated stream of requests is launched against a target from many locations simultaneously
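The distinction the slide draws between DoS (one source, many requests) and DDoS (many sources, a coordinated stream) is exactly what a defender's request-rate monitor has to tell apart: a single host over a per-source limit is easy to block, while a flood spread across many hosts keeps each source below that limit and only shows up in the window total. The following detector is an added example, not code from the book or the slides; the log format, the thresholds and the traffic samples are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Detection thresholds: illustrative values, to be tuned to a service's normal load.
WINDOW_SECONDS = 10        # fixed-size time bucket
PER_SOURCE_LIMIT = 100     # requests from one IP per window before it is flagged
TOTAL_LIMIT = 500          # requests in a window before a flood is suspected
MIN_SOURCES_FOR_DDOS = 20  # distinct IPs needed to call the flood "distributed"

EPOCH = datetime(1970, 1, 1)  # reference point for bucketing naive timestamps


def parse_line(line: str):
    """Parse a constructed log line of the form '<ISO timestamp> <client ip> <request>'."""
    ts, ip, request = line.split(" ", 2)
    return datetime.fromisoformat(ts), ip, request


def analyze(lines):
    """Bucket requests into fixed windows and report single-source floods (DoS)
    and many-source floods (DDoS). Returns {'dos_sources': [...], 'ddos': bool}."""
    per_window = defaultdict(lambda: defaultdict(int))  # window -> ip -> count
    for line in lines:
        ts, ip, _ = parse_line(line)
        window = int((ts - EPOCH).total_seconds()) // WINDOW_SECONDS
        per_window[window][ip] += 1

    dos_sources = set()
    ddos_windows = []
    for window, counts in per_window.items():
        total = sum(counts.values())
        for ip, n in counts.items():
            if n > PER_SOURCE_LIMIT:
                dos_sources.add(ip)
        # DDoS signature: the window total is far above normal, no single sender
        # crosses the per-source limit, and the load comes from many distinct IPs.
        if (total > TOTAL_LIMIT
                and len(counts) >= MIN_SOURCES_FOR_DDOS
                and max(counts.values()) <= PER_SOURCE_LIMIT):
            ddos_windows.append(window)
    return {"dos_sources": sorted(dos_sources), "ddos": bool(ddos_windows)}


def make_sample(kind: str):
    """Constructed traffic, not real logs. All requests land in one 10-second window.
    'normal': five clients, two requests each. 'dos': the same plus one host sending
    150 requests. 'ddos': the same plus 30 hosts sending 20 requests each."""
    start = datetime(2024, 5, 1, 10, 0, 0)

    def line(i, ip):
        ts = (start + timedelta(seconds=i % 5)).isoformat()
        return f"{ts} {ip} GET /index.html"

    lines = [line(i, f"198.51.100.{k}") for k in range(1, 6) for i in range(2)]
    if kind == "dos":
        lines += [line(i, "203.0.113.5") for i in range(150)]
    elif kind == "ddos":
        lines += [line(i, f"198.51.100.{k}") for k in range(1, 31) for i in range(20)]
    return lines


if __name__ == "__main__":
    for kind in ("normal", "dos", "ddos"):
        print(kind, analyze(make_sample(kind)))
```

Fixed windows are used here for simplicity; a production monitor would use a sliding window so that a burst straddling a bucket boundary is not halved, and would feed the per-source verdict to a blocklist while the distributed verdict triggers upstream rate limiting or scrubbing, since blocking 30 modest senders one by one does not help.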
Figure 2-11 Denial-of-Service Attacks
Attacks (cont’d.)
• Types of attacks (cont’d.)
– Spoofing: a technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host.
– Man-in-the-middle (or TCP hijacking) attack: an attacker sniffs packets from the network, modifies them, and inserts them back into the network.
Attacks (cont’d.)
• Types of attacks (cont’d.)
– Spam: unsolicited commercial e-mail; more a nuisance than an attack, though it is emerging as a vector for some attacks
– Mail bombing: another form of e-mail attack that is also a DoS, in which an attacker routes large quantities of e-mail to the target.
Figure 2-12 IP Spoofing
Figure 2-13 Man-in-the-Middle Attack
Attacks (cont’d.)
• Types of attacks (cont’d.)
– Sniffers: a program or device that monitors data traveling over a network. Sniffers can be used both for legitimate network management functions and for stealing information from a network.
– Phishing: an attempt to gain personal/financial information from an individual, usually by posing as a legitimate entity.
– Pharming: redirection of legitimate Web traffic (e.g., browser requests) to an illegitimate site for the purpose of obtaining private information.
Figure 2-14 Example of a Nigerian 4-1-9 Fraud
Attacks (cont’d.)
• Types of attacks (cont’d.)
– Social engineering: using social skills to convince people to reveal access credentials or other valuable information to the attacker.
“People are the weakest link. You can have the best technology; firewalls, intrusion-detection systems, biometric devices ... and somebody can call an unsuspecting employee to get everything!”
Attacks (cont’d.)
• Types of attacks (cont’d.)
– Timing attack: relatively new; a timing attack explores the contents of a Web browser’s cache and stores a malicious cookie on the client’s system.
• The cookie can allow the designer to collect information on how to access password-protected sites.
• A cookie is a small quantity of data stored by the Web browser on the local system, at the direction of the Web server.
• Another attack by the same name involves the interception of cryptographic elements to determine keys and encryption algorithms.
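The second sense of "timing attack" on the slide, recovering cryptographic secrets from observations of how an implementation behaves, has a well-known defensive counterpart: comparing a secret (a token, a MAC) in constant time. The example below is added here and is not code from the book or the slides. Instead of measuring wall-clock time it counts the bytes each comparison examines, which is the quantity an early-exit comparison leaks through its running time: the count tells an observer how many leading bytes of the guess were correct. The sample token is a constructed value.

```python
import hmac


def naive_compare(expected: bytes, provided: bytes):
    """Early-exit comparison. Returns (equal, bytes_examined); the second value
    grows with the length of the matching prefix, which is what the running
    time of such a loop reveals to someone who can measure it."""
    if len(expected) != len(provided):
        return False, 0
    examined = 0
    for a, b in zip(expected, provided):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_compare(expected: bytes, provided: bytes):
    """Accumulate differences with XOR/OR so the work done does not depend on
    where the first mismatch is: every byte is examined on every call."""
    if len(expected) != len(provided):
        return False, 0
    diff = 0
    examined = 0
    for a, b in zip(expected, provided):
        examined += 1
        diff |= a ^ b
    return diff == 0, examined


def verify_token(expected: bytes, provided: bytes) -> bool:
    """What production code should use: the standard library's constant-time
    comparison rather than a hand-written loop."""
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    token = b"secret-token"  # constructed sample secret
    for guess in (b"sXXXXXXXXXXX", b"secreXXXXXXX", b"secret-token"):
        print(guess, naive_compare(token, guess), constant_time_compare(token, guess))
```

Running it shows the naive loop examining 2, then 6, then 12 bytes for guesses that share 1, 5 and 12 leading bytes with the token, while the constant-time loop examines all 12 every time; the length check that both versions keep is acceptable because the length of a token or MAC is public, not secret.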
Secure Software Development
• Many information security issues discussed here are caused by software elements of the system
• Development of software and systems is often accomplished using a methodology such as the Systems Development Life Cycle (SDLC)
• Many organizations recognize the need for security objectives in the SDLC and have included procedures to create more secure software
• This software development approach is known as Software Assurance (SA)
Software Assurance and the SA
Common Body of Knowledge
• National effort underway to create common body of
knowledge focused on secure software
development
• US Department of Defense and Department of
Homeland Security supported Software Assurance
Initiative, which resulted in publication of Secure
Software Assurance (SwA) Common Body of
Knowledge (CBK)
• SwA CBK serves as a strongly recommended
guide to developing more secure applications
Software Design Principles
• Good software development results in secure
products that meet all design specifications
• Some commonplace security principles:
– Economy of mechanism: Keep the design as simple and
small as possible.
– Fail-safe defaults: Base access decisions on permission
rather than exclusion.
– Complete mediation: Every access to every object must
be checked for authority.
– Open design: The design should not be secret, but rather
depend on the possession of keys or passwords.
Software Design Principles (cont’d.)
• Some commonplace security principles (cont’d.):
– Separation of privilege: Where feasible, a protection
mechanism should require two keys to unlock, rather than one.
– Least privilege: Every program and every user of the system
should operate using the least set of privileges necessary to
complete the job.
– Least common mechanism: Minimize mechanisms (or shared
variables) common to more than one user and depended on by
all users.
– Psychological acceptability: It is essential that the human
interface be designed for ease of use, so that users routinely
and automatically apply the protection mechanisms correctly.
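The principles on these two slides are easiest to see in a concrete access check. The following is an added example written for this page, not code from the textbook: a small authorization layer where the policy table, role names and the "two approvers" rule are constructed for illustration. Everything not explicitly granted is denied (fail-safe default), every access passes through the single `is_permitted` function (complete mediation), each role holds only the pairs it needs (least privilege), and a destructive action needs two independent approvers (separation of privilege).

```python
"""Added example: authorization built on the design principles above.
Not code from the textbook; policy contents are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

# Least privilege: each role maps to the smallest set of (action, resource)
# pairs it needs. Anything absent from the table is denied by default.
POLICY: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "clerk": frozenset({("read", "ledger")}),
    "auditor": frozenset({("read", "ledger"), ("read", "audit_log")}),
    "admin": frozenset({("read", "ledger"), ("write", "ledger"),
                        ("read", "audit_log")}),
}

# Separation of privilege: these actions need "two keys", i.e. two distinct
# approvers other than the requester, before they may run.
TWO_KEY_ACTIONS: FrozenSet[Tuple[str, str]] = frozenset({("delete", "ledger")})


@dataclass
class Request:
    subject: str
    role: str
    action: str
    resource: str
    approvers: Set[str] = field(default_factory=set)


def is_permitted(req: Request) -> bool:
    """Complete mediation: the one place every access decision is made.

    Unknown roles, unknown actions and anything not explicitly granted all
    evaluate to False; there is no path that falls through to 'allow'.
    """
    pair = (req.action, req.resource)
    if pair in TWO_KEY_ACTIONS:
        independent_approvers = req.approvers - {req.subject}
        return len(independent_approvers) >= 2
    granted = POLICY.get(req.role, frozenset())  # missing role -> empty set
    return pair in granted


def guarded_access(req: Request) -> str:
    """Resource access that can only happen after a positive decision."""
    if not is_permitted(req):
        return "denied"
    return f"{req.action} {req.resource} ok"


if __name__ == "__main__":
    print(guarded_access(Request("ann", "clerk", "read", "ledger")))
    print(guarded_access(Request("ann", "clerk", "write", "ledger")))
```

The psychological-acceptability point is the reason `guarded_access` returns a plain "denied" rather than raising: callers get a uniform, predictable answer and have no incentive to route around the check.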
Software Development Security Problems
• Problem areas in software development:
1. Buffer overruns
• Buffers are used to manage mismatches in the processing
rates between two entities involved in a communication
process.
• A buffer overrun (or buffer overflow) is an application error
that occurs when more data is sent to a program buffer than
it is designed to handle. During a buffer overrun, an attacker
can make the target system execute instructions, or the
attacker can take advantage of some other unintended
consequence of the failure.
Software Development Security Problems
2. Command injection
• Command injection problems occur when user input is passed
directly to a compiler or interpreter. The underlying issue is the
developer’s failure to ensure that command input is validated
before it is used in the program.
3. Cross-site scripting (or XSS)
• Occurs when an application running on a Web server gathers
data from a user in order to steal it. An attacker can use
weaknesses in the Web server environment to insert
commands into a user’s browser session, so that users
ostensibly (apparently) connected to a friendly Web server are, in fact,
sending information to a hostile server.
• Often an attacker encodes a malicious link and places it in the
target server, making it look less suspicious.
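Both problems on this slide come down to untrusted input reaching an interpreter (a shell, or the browser's HTML parser) as syntax rather than as data. The following is an added example, not code from the textbook, showing the defensive pattern for each: validate against an allowlist and pass arguments as a list so no shell ever parses them (item 2), and encode output for the HTML context it lands in (item 3). The `ping` use case, hostname rule and sample inputs are constructed for illustration.

```python
"""Added example: input validation without a shell, and output encoding.
Not code from the textbook; the use case and inputs are constructed."""
import html
import re
import subprocess
from typing import List

# Allowlist for a hostname: dot-separated labels of letters, digits and
# hyphens. Spaces, ';', '|', quotes and the like never get near a command.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$",
    re.IGNORECASE,
)


def is_valid_hostname(value: str) -> bool:
    return bool(_HOSTNAME_RE.match(value))


def build_ping_argv(host: str) -> List[str]:
    """Build argv for a connectivity check (constructed use case).

    Validation runs first, and the result is a list rather than a command
    string, so the host can only ever be one argument to one program.
    """
    if not is_valid_hostname(host):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", host]


def run_argv(argv: List[str]) -> int:
    # shell=False (the default) means no command interpreter parses the input.
    return subprocess.run(argv, shell=False, check=False).returncode


def render_greeting(name: str) -> str:
    """Output encoding for HTML element content: '<', '>', '&' and quotes
    become entities, so user data cannot open a tag or attribute."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    print(build_ping_argv("example.com"))
    print(render_greeting("<script>x</script>"))
    try:
        build_ping_argv("example.com; id")  # constructed bad input
    except ValueError as exc:
        print("rejected:", exc)
```

Encoding must match the output context: `html.escape` is correct for element content and quoted attribute values, but data placed inside a `<script>` block, a URL or a CSS value needs that context's own encoding.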
Software Development Security Problems
4. Failure to handle errors
• What happens when a system or application encounters a
scenario that it is not prepared to handle?
• Does it attempt to complete the operation (reading or writing
data or performing calculations)?
• Does it issue a cryptic message that only a programmer could
understand?
• Or does it simply stop functioning?
• Failure to handle errors can cause a variety of unexpected
system behaviors.
• Programmers are expected to anticipate problems and prepare
their application code to handle them.
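The three questions above (press on, emit a cryptic message, or stop) are the outcomes a handler should be designed against. Here is an added example, not code from the textbook, of one request boundary that does none of them: the core operation either completes fully or raises, anticipated failures get a specific, readable message, and anything unanticipated is logged in detail for the operator while the caller receives only a generic status. The account store, status codes and messages are constructed for illustration.

```python
"""Added example: anticipating errors at a request boundary.
Not code from the textbook; ledger contents and messages are constructed."""
import logging
from decimal import Decimal, InvalidOperation
from typing import Dict, Tuple

log = logging.getLogger("payments")  # operator-facing detail goes here

# Constructed in-memory ledger.
BALANCES: Dict[str, Decimal] = {"acct-1": Decimal("100.00")}


class InsufficientFunds(Exception):
    pass


def withdraw(account: str, amount_text: str) -> Decimal:
    """Core operation: validates everything first, then makes exactly one
    state change. It never half-completes on bad input."""
    try:
        amount = Decimal(amount_text)
    except InvalidOperation:
        raise ValueError("amount is not a number") from None
    if not amount.is_finite():
        raise ValueError("amount is not a number")
    if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
        raise ValueError("amount must be positive with at most two decimals")
    balance = BALANCES[account]           # KeyError if the account is unknown
    if amount > balance:
        raise InsufficientFunds()
    BALANCES[account] = balance - amount  # the only mutation, done last
    return BALANCES[account]


def handle_withdraw(account: str, amount_text: str) -> Tuple[int, str]:
    """Boundary layer: every outcome maps to (status, user-facing message).

    Expected failures are answered specifically; unexpected ones are logged
    with full detail and answered generically, so no internal path, query
    or stack trace reaches the caller (and the operation does not proceed).
    """
    try:
        remaining = withdraw(account, amount_text)
        return 200, f"Withdrawal complete; remaining balance {remaining}"
    except ValueError as exc:
        return 400, str(exc)
    except KeyError:
        return 404, "Account not found"
    except InsufficientFunds:
        return 409, "Insufficient funds"
    except Exception:  # fail closed on anything not anticipated above
        log.exception("unexpected error in withdrawal for %s", account)
        return 500, "The request could not be completed"


if __name__ == "__main__":
    for args in (("acct-1", "abc"), ("nobody", "1.00"), ("acct-1", "25.50")):
        print(handle_withdraw(*args))
```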
Software Development Security Problems
5. Failure to protect network traffic
• With the growing popularity of wireless networking comes a
corresponding increase in the risk that wirelessly transmitted
data will be intercepted. Most wireless networks are installed
and operated with little or no protection for the information that
is broadcast between the client and the network wireless
access point (for example, public networks in coffee shops,
bookstores, and hotels).
• Traffic on a wired network is also vulnerable to interception. On
networks using hubs instead of switches, any user can install a
packet sniffer and collect communications to and from users.
Thus, periodic scans for unauthorized packet sniffers,
unauthorized connections to the network, and general
awareness of the threat can mitigate this problem.
Software Development Security Problems
6. Failure to store and protect data securely
• Programmers are responsible for integrating access controls
into, and keeping secret information out of, programs.
• Access controls, the subject of later chapters, regulate who,
what, when, where, and how individuals and systems interact
with data.
• Failure to properly implement sufficiently strong access controls
makes the data vulnerable.
• Overly strict access controls hinder business users in the
performance of their duties, and as a result the controls may be
administratively removed or bypassed.
Software Development Security Problems
7. Failure to use cryptographically strong random numbers
• Most modern cryptosystems, like many other computer
systems, use random number generators.
8. Format string problems
• Computer languages often are equipped with built-in
capabilities to reformat data while they’re outputting it
(see notes below)
9. Neglecting change control
• Developers use a process known as change control to
ensure that the working system delivered to users
represents the intent of the developers.
• Once the system is in production, change control processes
ensure that only authorized changes are introduced and
that all changes are adequately tested before being
released.
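Item 7 above is the one on this slide that a code example clarifies. The following is an added example, not code from the textbook: session tokens minted from the operating system's cryptographic source via Python's `secrets` module, compared in constant time, set beside a general-purpose PRNG whose output is entirely determined by its seed. The `weak_token` function exists only to make that determinism visible; the token length is a constructed choice.

```python
"""Added example: cryptographically strong random tokens versus a seeded
general-purpose PRNG. Not code from the textbook."""
import hmac
import random
import secrets

TOKEN_BYTES = 32  # constructed choice: 256 bits of entropy per token


def weak_token(seed: int) -> str:
    """General-purpose PRNG (Mersenne Twister): the whole output stream is a
    function of the seed, so two processes that seed the same way, say from
    a coarse clock, mint identical 'secret' tokens."""
    rng = random.Random(seed)
    return rng.getrandbits(TOKEN_BYTES * 8).to_bytes(TOKEN_BYTES, "big").hex()


def strong_token() -> str:
    """CSPRNG-backed token drawn from the OS source (urandom / getrandom);
    there is no seed to reproduce it from."""
    return secrets.token_hex(TOKEN_BYTES)


def tokens_match(presented: str, stored: str) -> bool:
    """Constant-time comparison, so the check does not reveal how many
    leading characters of a guess were right."""
    return hmac.compare_digest(presented.encode(), stored.encode())


if __name__ == "__main__":
    print("weak, same seed:", weak_token(1234) == weak_token(1234))
    print("strong, two calls:", strong_token() == strong_token())
```

The same distinction applies to anything that must be unguessable: password-reset links, CSRF tokens, nonces and keys all belong on the `secrets` side.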
Software Development Security Problems (cont’d.)
10. Improper file access
• If an attacker changes the expected location of a file by
intercepting and modifying a program code call, the
attacker can force a program to use files other than the
ones the program is supposed to use.
11. Improper use of SSL
12. Information leakage
13. Integer bugs (overflows/underflows)
14. Race conditions
15. SQL injection
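Items 10 and 15 on this slide share one root cause: a value supplied by an attacker is allowed to change which resource a program touches. The following is an added example, not code from the textbook, of the two standard countermeasures: resolving a requested file name and refusing anything that lands outside the approved directory (item 10), and passing user input to the database as a bound parameter rather than as SQL text (item 15). The directory layout, table and sample inputs are constructed, and the deliberately unsafe query is included only to contrast with the parameterized one.

```python
"""Added example: confining file access to a directory, and parameterized
SQL. Not code from the textbook; data and paths are constructed."""
import sqlite3
import tempfile
from pathlib import Path
from typing import Optional


def resolve_under(base_dir: Path, requested: str) -> Path:
    """Resolve a user-supplied name and refuse any result outside base_dir.

    resolve() follows '..', absolute prefixes and symlinks, so the check is
    on where the path really ends up, not on how it was spelled.
    """
    base = base_dir.resolve()
    candidate = (base / requested).resolve()
    if base not in candidate.parents:
        raise PermissionError(f"{requested!r} escapes the document root")
    return candidate


def make_demo_root() -> Path:
    """Constructed directory tree: <tmp>/reports/q1.txt."""
    root = Path(tempfile.mkdtemp())
    (root / "reports").mkdir()
    (root / "reports" / "q1.txt").write_text("constructed")
    return root


def open_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table of users and roles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "clerk"), ("bob", "admin")])
    return conn


def role_for_unsafe(conn: sqlite3.Connection, username: str) -> Optional[str]:
    # Vulnerable form (item 15): the input is spliced into the statement,
    # so a quote in the input changes the query's meaning.
    sql = f"SELECT role FROM users WHERE username = '{username}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def role_for(conn: sqlite3.Connection, username: str) -> Optional[str]:
    # Parameterized form: the statement is fixed; the value travels
    # separately and can only ever be compared as a string.
    row = conn.execute("SELECT role FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    root = make_demo_root()
    print(resolve_under(root, "reports/q1.txt").read_text())
    conn = open_demo_db()
    print(role_for(conn, "alice"), role_for(conn, "x' OR '1'='1"))
```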
Software Development Security Problems (cont’d.)
16. Trusting network address resolution
17. Unauthenticated key exchange
18. Use of magic URLs and hidden forms
19. Use of weak password-based systems
Use of Weak Password-Based Systems
Summary
• Unlike any other aspect of IT, information security’s
primary mission is to ensure things stay the way they
are
• Information security performs four important
functions:
– Protects organization’s ability to function
– Enables safe operation of applications implemented
on organization’s IT systems
– Protects data the organization collects and uses
– Safeguards the technology assets in use at the
organization
Summary (cont’d.)
• Threat: object, person, or other entity representing
a constant danger to an asset
• Management effectively protects its information
through policy, education, training, and technology
controls
• Attack: a deliberate act that exploits a vulnerability
• Secure systems require secure software