Presentation is loading. Please wait.

Presentation is loading. Please wait.

Failure to protect stored data

Published byPenelope Flynn Modified over 6 years ago

Similar presentations

Presentation on theme: "Failure to protect stored data"— Presentation transcript:

1 Failure to protect stored data
Austin Woodruff CSCE 548

2 Learning OBjectives Technical Overview of the Problem Examples
Detection Methods and Error Mitigation Conclusion

3 Technical Overview Comes from the idea that software designers will often worry about protecting data and information in transit more so than they will when it is on the disk. The reality is that the data spends more time on the disk than in transit. To protect stored data the two big aspects to consider are having weak or missing access control mechanisms, and lousy or lacking data encryption.

4 Access Control on Stored Data
Windows: Access Control Lists (ACLs) UNIX: Permission Model Bad Practice

5 Encryption of Stored data
Don’t be lazy, do it! Don’t do it lousy!

6 Related topics to help understanding
Information leakage Race conditions Use of weak password-based systems Poor random numbers to generate encryption keys Using the wrong cryptography

7 Examples SMS remote control program Cybration’s ICUII
Mozilla installer software

8 Detection Look for code that… Sets access controls
Creates an object without setting access controls Writes configuration information into a shared area Writes sensitive information into an area readable by low-priviledged users

9 Detection in code review

10 Mitigation Don’t be lousy in protection! Take it step by step
Encrypt! Encrypt! Encrypt!

11 Conclusion ACLs and permissions Encrypt! Integrate your defense! Apply
Analyze Test and retest for weaknesses Encrypt! Integrate your defense!

12 Works Cited "Common Weakness Enumeration." CWE - CWE-217: DEPRECATED: Failure to Protect Stored Data from Modification (2.9). N.p., n.d. Web. 26 July 2016. Howard, Michael, David LeBlanc, and John Viega. 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. New York: McGraw-Hill, Print. "Common Vulnerabilities and Exposures." CVE - CVE N.p., n.d. Web. 26 July 2016. "Common Vulnerabilities and Exposures." CVE - CVE N.p., n.d. Web. 26 July 2016. "Common Vulnerabilities and Exposures." CVE - CVE N.p., n.d. Web. 26 July 2016.

Download ppt "Failure to protect stored data"

Similar presentations

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.

August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.
Software Security Threats Threats have been an issue since computers began to be used widely by the general public.

Software Security Threats Threats have been an issue since computers began to be used widely by the general public.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Telenet for Business Mobile & Security? Brice Mees Security Services Operations Manager.

Telenet for Business Mobile & Security? Brice Mees Security Services Operations Manager.
Secure Coding Weasel nomad mobile research centre.

Secure Coding Weasel nomad mobile research centre.
Secure Software Development Chris Herrick 01/29/2007.

Secure Software Development Chris Herrick 01/29/2007.
Secure Software Development Mini Zeng University of Alabama in Huntsville 1.

Secure Software Development Mini Zeng University of Alabama in Huntsville 1.
1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.

1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.
Application and Website Security 101 Daniel Owens IT Security Professional.

Application and Website Security 101 Daniel Owens IT Security Professional.
Stuart Cunningham - Computer Platforms - 2003 COMPUTER PLATFORMS Computer & Network Security & User Support & Training Week 11.

Stuart Cunningham - Computer Platforms COMPUTER PLATFORMS Computer & Network Security & User Support & Training Week 11.
Lightweight Mobile Applications Certification: Prepared By: Rahul Biswas.

Lightweight Mobile Applications Certification: Prepared By: Rahul Biswas.
VPN AND SECURITY FLAWS Rajesh Perumal Clemson University.

VPN AND SECURITY FLAWS Rajesh Perumal Clemson University.
Authenticating Users Chapter 6. Learning Objectives Understand why authentication is a critical aspect of network security Describe why firewalls authenticate.

Authenticating Users Chapter 6. Learning Objectives Understand why authentication is a critical aspect of network security Describe why firewalls authenticate.
May 2, 2007St. Cloud State University Software Security.

May 2, 2007St. Cloud State University Software Security.
August 1, 2006. The Software Security Problem August 1, 2006.

August 1, The Software Security Problem August 1, 2006.
Web Site Security Andrew Cormack JANET-CERT ©The JNT Association, 1999.

Web Site Security Andrew Cormack JANET-CERT ©The JNT Association, 1999.

Similar presentations

Ads by Google