Presentation is loading. Please wait.

Presentation is loading. Please wait.

ISEC0511 Programming for Information System Security

Published byWinifred Hines Modified over 8 years ago

Similar presentations

Presentation on theme: "ISEC0511 Programming for Information System Security"— Presentation transcript:

1 ISEC0511 Programming for Information System Security
Lecture Notes #2 Security in Software Systems

2 Vulnerability and Attacks
Vulnerability is a weak point in a system. There several ways in which vulnerabilities can be discovered. Exploiting Vulnerability Once a security vulnerability is known, how to exploit it is also known. What is not easily known is who has the device with the vulnerability and how to reach it. Scanning systems in the network is a way to discover targets.

3 Vulnerability and Attacks
Passive Attacks When a hacker eavesdrops on your system or monitors the transmitted packets, it is a passive attack. Sensitive information such as credit card information can be discovered using this technique. This is also called a sniffing attack.

4 Vulnerability and Attacks
Active Attacks The original object is disturbed or manipulated. The hacker can impersonate you and log into the remote system as you. Hacking The process of exploiting vulnerabilities and launching an attack on computers is called hacking. Hackers hack computers, networks, and telephone systems for profit, sometimes even for fun.

5 Vulnerability and Attacks
Social Engineering Social engineering is a technique used by adversaries to manipulate the social and psychological behavior of people to gain access to information or do something that they will not do in a different social setup. Identity Theft This is in order to get financial identity, personal identity, medical records, business or commercial identity. Phishing scam

6 Various Security Attacks
Brute-Force Attacks Try to find the right combination of password or encryption key. The attack is also used by researchers to test the strength of encryption algorithm. Key strength is exponential to key size.

7 Various Security Attacks
Authentication Attacks In telecom network, a device is authenticated. In data network, a user is authenticated. Dictionary Attack Passwords should never be based on known information. The attack is also used to discover s.

8 Various Security Attacks
Replay Attack Ali Baba did not know the meaning of this phrase; he heard the bandits use. In a replay attack, the adversary replays a genuine message captured earlier to perform a function intended for a legitimate user. Password Guessing Knowing user ID is relatively easy. It is likely that we have a common user ID and password for many accounts (banks, ATM, s, credit cards) Password Sniffing

9 Various Security Attacks
Spoofing attack Spoofed IP Spoofed s Spoofed SMS Denial-of-Service Attacks Distributed Denial-of-Service Attack Half-Open Attack or SYN-Flooding Denial of Service through User-ID Lock Attack Ping of Death Attack Smurf Attack

10 Various Security Attacks
Packet Sniffer Tcpdump and Ethereal (Wireshark)

11 Taking Control of Application
To take control of applications, you need to make user execute your code. Overflow Attack Stack Smashing Attack Remote Procedure Call Attack Code Injection Attacks echo Welcome $1 $2 $3 $4 hi;cat /etc/passwd|mail Luring Attack

12 Computer Security Physical Security Operating System Security
Shell Security File System Security Kernel Security Network Security

13 Typical Security in Data Network

14 Counter External Threats
Stopping Attacker the application should use all possible defenses to protect itself and all its data. Firewall Intrusion Detection System Intrusion Prevention System Honeypot Penetration Test and Ethical Hacking

15 Security Programming A programmer has a responsibility to ensure that the code written is secure and safe with minimum or no known vulnerability. Security bugs have a very high impact.

16 Security Attributes Confidentiality Integrity
A mechanism through which we keep the meaning of information or data secret. This property is also known as privacy or encryption. Integrity A property through which you can detect whether your message or data have been corrupted or tampered with.

17 Security Attributes Availability
It is necessary that the service is available for the period it is advertised. Any attack on availability is called a DoS attack.

18 Security Attributes Authentication
Authentication is a process by which we validate the identity of the parties. In nonrepudiation we identify the identity of these parties beyond any doubt. Digital signatures can achieve nonrepudiation. One-factor authentication, Two-factor authentication, Multi-factor authentication.

19 Security Attributes Authorization
Usage constraints on objects based on security level or privilege of the subject. This attribute is also called fine-grained access control or role-based security.

20 Security Attributes Accounting Anonymity
Accounting is the process by which the usage of a service is metered. Audit trails and logs for transactions in an application can also be considered as part of the accounting information. These files need security so that adversaries cannot tamper or delete them. Anonymity A property through which the user is anonymous to the external world.

21 Secured Programming In secured programming you use the security attributes to ensure that the input data are secure. Also, you use these attributes to ensure that the processed information is secured. You make the data and information secure using security algorithms, security protocols, and secured programming.

22 Safe Programming You as a programmer need to ensure that whatever program you write does not have any security vulnerability. The bottom line is that the programs you write need to be robust and failsafe.

23 Vulnerability Remediation
To minimize the security risks posed by software vulnerabilities, a two-step approach is necessary. First, minimize the number of vulnerabilities in the software that is being developed, and Second, minimize the number of vulnerabilities in the software that have already been deployed.

24 Vulnerability Remediation
Reducing the number of new vulnerabilities in the new software is the focus of secured and safe programming, while removing existing vulnerabilities is the focus of vulnerability remediation.

25 Database Security Database Authentication Database Privileges
Secure Metadata Customize Access to Information Views and Stored procedures High Availability Database Database Encryption

26 Security Standards Public-Key Cryptographic Standards
standards accepted as de facto standards for public key cryptography helping interoperability between applications using cryptography for security. CERT: Computer Emergency Response Team – OWASP: Open Web Application Security Project) –

27 Security Standards NIST: National Institute of Standards and Technology – crsc.nist.gov OASIS: Organization for the Advancement of Structured Information Standards SSE-CMM: System Security Engineering Capability Maturity Model – ISO17799

28 Readings Architecting Secure Software Systems, Chapter 1.

Download ppt "ISEC0511 Programming for Information System Security"

Similar presentations

1 Computer Networks: A Systems Approach, 5e Larry L. Peterson and Bruce S. Davie Chapter 8 Network Security Copyright © 2010, Elsevier Inc. All rights.

1 Computer Networks: A Systems Approach, 5e Larry L. Peterson and Bruce S. Davie Chapter 8 Network Security Copyright © 2010, Elsevier Inc. All rights.
ECE454/599 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2012.

ECE454/599 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2012.
Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.

Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
McGraw-Hill/Irwin ©2009 The McGraw-Hill Companies, All Rights Reserved CHAPTER 4 ETHICS AND INFORMATION SECURITY Business Driven Information Systems 2e.

McGraw-Hill/Irwin ©2009 The McGraw-Hill Companies, All Rights Reserved CHAPTER 4 ETHICS AND INFORMATION SECURITY Business Driven Information Systems 2e.
Chapter 4 McGraw-Hill/Irwin Copyright © 2011 by The McGraw-Hill Companies, Inc. All rights reserved. Ethics and Information Security.

Chapter 4 McGraw-Hill/Irwin Copyright © 2011 by The McGraw-Hill Companies, Inc. All rights reserved. Ethics and Information Security.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.

Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
The Ecommerce Security Environment For most law-abiding citizens, the internet holds the promise of a global marketplace, providing access to people and.

The Ecommerce Security Environment For most law-abiding citizens, the internet holds the promise of a global marketplace, providing access to people and.
CSA 223 network and web security Chapter one

CSA 223 network and web security Chapter one
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.

Silberschatz, Galvin and Gagne  Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Controls for Information Security

Controls for Information Security
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.

Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.

Similar presentations

Ads by Google