Exam (worked answers)

CS415 Final Review 2023 with 100% questions and answers

Pages: 23
Grade: A+
Uploaded on: 17-04-2023
Written in: 2022/2023

SQL injection (insertion) attack
SQLi attacks send malicious SQL commands to the database server, usually by placing them in input that the application concatenates into a query, in order to extract (or modify) data.

Cross-site scripting (XSS) attack
Exploits web page security vulnerabilities to bypass browser security mechanisms: the attacker creates a malicious link (or input) that injects unwanted script into a website, and that script then runs in the browsers of other users who view the page.

Inference (w.r.t. DB security)
The process of performing authorized queries AND deducing unauthorized information from the legitimate responses received.

The inference problem
Arises when a combination of data items is more sensitive than the individual items, OR when a combination of data items can be used to infer data of higher sensitivity.

Parameterized query insertion
Attempts to prevent SQLi by letting the application developer specify the structure of an SQL query exactly and pass the value parameters to it separately, so that unsanitized user input cannot modify the query structure.

Assurance levels
An assurance level describes an organization's degree of certainty that a user has presented a credential that refers to his or her identity.
Level 1: Little or no confidence in the asserted identity's validity. (Ex: somebody logging in to a company website)
Level 2: Some confidence in the asserted identity's validity; single-factor authentication is appropriate. (Ex: a student logging into D2L)
Level 3: High confidence; at least two-factor authentication is needed. (Ex: a patent attorney/lawyer submitting confidential information)
Level 4: Very high confidence. (Ex: law enforcement officials accessing criminal databases)

Digital user authentication
The process of establishing confidence in user identities that are presented electronically to an information system.

Multi-factor authentication
Any authentication scheme that requires validation of at least two of the possible authentication factors.
Potential impact
FIPS 199 defines 3 levels of potential impact on organizations or individuals should there be a breach of security:
Low: An authentication error could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals (e.g. defacement of the MU site).
Moderate: An authentication error could be expected to have a serious adverse effect (e.g. confidential leaks).
High: An authentication error could be expected to have a severe or catastrophic adverse effect, which can include life-threatening losses (e.g. ransomware in hospitals, falsely identifying air traffic controllers).

Salt value: 3 main purposes
- Countermeasure to dictionary attacks: each candidate password has to be hashed once per salt value, so the attacker's work grows with the number of distinct salts
- Makes two identical passwords hash to different values, so duplicate passwords are not visible in the password file
- Makes it nearly impossible to tell whether a user has reused the same password on two or more systems
A slow salted hash such as bcrypt makes every guess expensive; it does not make recovering the password impossible.

Password-based authentication
Widely used line of defense against intruders:
• The user provides a name/login and a password
• The system compares the password with the one stored for that login
The user ID:
• Determines that the user is authorized to access the system
• Determines the user's privileges
• Is used in discretionary access control
FLAWS:
• User IDs are easily guessed because they follow patterns
• Accounts are not always revoked: e.g. former HR staff keep access to all employee information even after they leave the job

Password cracking attacks
Dictionary attacks:
- Develop a large dictionary of possible passwords and try each against the password file
- Each password must be hashed using each salt value and then compared to the stored hash values
- Tool: John the Ripper (Kali)
Rainbow table attacks:
- Pre-compute tables of hash values for all salts
- Countered by using a sufficiently large salt value and a sufficiently large hash length

Salt value (definition)
Random characters combined with the actual input (the password, or a key) before hashing or key derivation, so the stored result depends on both.

Password file access control
Can block offline guessing attacks by denying access to the hashed passwords:
• Make the hashed-password portion of the file available only to privileged users
• Shadow password file
Vulnerabilities:
• A weakness in the OS that allows access to the file (a hacker may exploit a software vulnerability in the O/S to bypass the access control system long enough to extract the password file; alternatively, a weakness in the file system or database management system may allow access to the file)
• An accident with permissions that makes the file readable
• Users reusing the same password on other systems

Countering password cracking (modern approaches)
- Password guessing: attempt limit
- Exploiting user mistakes (e.g. a computer left on and unattended): short lockout time, quick sleep time
- Complex password policy: forcing users to pick stronger passwords
- (Best) Proactive: the system rejects a user's chosen password if it is easily guessable
- Reactive: the system periodically tries to crack its own password file and, if it succeeds, requires the user to change the password

Smart tokens
Physical characteristics:
• Looks like a bank card and includes an embedded microprocessor
• Can also look like a calculator, a key, or another small portable object
Electronic interface:
• A smart card requires an electronic interface to communicate with a compatible reader/writer
• Contact (insert) and contactless (close proximity) interfaces
Contains:
• Processor
• Memory
• Security logic
Typical authentication protocol:
• Challenge-response: the computer system generates a challenge, such as a random string of numbers; the smart token generates a response based on the challenge (e.g. a PKI scheme could be used here; also see end of lecture)

Biometric authentication
Attempts to authenticate an individual based on unique physical characteristics
• Based on pattern recognition
• Technically complex and expensive compared to passwords and tokens
False match rate vs false non-match rate:
False match rate (FMR): the rate at which an impostor is accepted by the system
False non-match rate (FNMR): the rate at which samples from a legitimate user are rejected as an impostor

Remote user authentication
- Authentication over a network, the Internet, or a communications link is more complex
- Additional threats: eavesdropping, capturing a password, replaying an authentication sequence that has been observed
- Generally relies on some form of challenge-response protocol to counter these threats

Malware
A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system, or otherwise annoying or disrupting the victim.

Worm vs virus
A virus must attach to something, such as an executable file, to spread. Worms do not need to attach to anything: they are complete programs that look for other machines to infect, while viruses are not complete programs. (See the midterm quizlet for more about viruses.)

Morris worm
Affected about 10% of the Internet. Designed to spread on UNIX machines.
1. First task: discover other hosts known to and trusted by this machine by examining system tables, mail forwarding files, and the table of user permissions to access remote machines
2. With that information, try to log in as a legitimate user on those machines by cracking the local password file with a password cracking program that took each account name and created permutations of it; it also used a list of 432 built-in passwords that Morris thought were likely candidates
3. Also tried all words from the local dictionary
4. Exploited a trap door in a remote process that sends/receives email [sendmail & rsh]
Summary:
• Earliest significant worm infection
• Released by Robert Morris in 1988
• Designed to spread on UNIX systems
• Attempted to crack the local password file to use login/password pairs to log on to other systems
• Exploited a bug in the finger service, which reports the whereabouts of a remote user
• Exploited a trap door in the debug option of the remote process that receives and sends mail
• Successful attacks achieved communication with the operating system command interpreter
• Sent the interpreter a bootstrap program to copy the worm over

Drive-by download
Exploits browser and plugin vulnerabilities: when user A views a web page controlled by the attacker, the page contains code that exploits the bug to download and install malware on A's system without A's knowledge or consent. (E.g. multiple vulnerabilities in the Adobe Flash Player and Oracle Java plugins were exploited by attackers over many years, to the point where many browsers have removed support for them.) In most cases the malware does not actively propagate as a worm does; it spreads when users visit the malicious web page.
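The salt and password-file material above, as an added example that is not part of the original review notes: a shadow-file style entry built with PBKDF2 (the iteration count, the entry format and the sample user names are assumptions made for this demonstration, not anything the course prescribes). It shows the three purposes of the salt in running code: two users with the same password get different entries, a dictionary attack has to rehash every word per salt, and a shared or missing salt collapses that cost back to one hash per word.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# PBKDF2 work factor. Kept small so the demonstration runs in well under a
# second; real deployments use a far higher count (or bcrypt/scrypt/Argon2).
ITERATIONS = 20_000


def make_entry(password: str, salt: Optional[bytes] = None) -> str:
    """Build a shadow-file style entry: 'pbkdf2_sha256$iterations$salt$hash'.

    A fresh random 16-byte salt is drawn unless one is supplied, so two users
    who chose the same password get different stored hashes.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), digest.hex())


def verify_entry(password: str, entry: str) -> bool:
    """Recompute the hash with the salt stored in the entry; constant-time compare."""
    _, iterations, salt_hex, digest_hex = entry.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def stored_hashes_equal(entry_a: str, entry_b: str) -> bool:
    """True when two entries expose the same hash, i.e. a duplicate password is visible."""
    return entry_a.split("$")[3] == entry_b.split("$")[3]


def dictionary_attack(entries: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Offline dictionary attack on a stolen password file.

    Returns the cracked (user -> password) pairs and the number of hash
    computations performed. Every entry carries its own salt, so each word has
    to be hashed again for each entry.
    """
    cracked: Dict[str, str] = {}
    work = 0
    for user, entry in entries.items():
        for word in wordlist:
            work += 1
            if verify_entry(word, entry):
                cracked[user] = word
                break
    return cracked, work


def sweep_cost(entries: Dict[str, str], wordlist: List[str]) -> int:
    """Hash computations for a full sweep of the wordlist against all entries.

    With per-user salts this is (distinct salts) x (words). With a single
    shared salt, or none, every word is hashed once and compared to all
    entries, which is what makes precomputed rainbow tables viable.
    """
    distinct_salts = {entry.split("$")[2] for entry in entries.values()}
    return len(distinct_salts) * len(wordlist)


if __name__ == "__main__":
    # Constructed sample password file (not real data).
    shadow = {
        "alice": make_entry("correct horse"),
        "bob": make_entry("correct horse"),
        "carol": make_entry("123456"),
    }
    print("alice/bob duplicate visible:", stored_hashes_equal(shadow["alice"], shadow["bob"]))
    print("cracked, work:", dictionary_attack(shadow, ["password", "123456", "letmein"]))
```

The constant-time comparison in verify_entry matters even with salting: a plain `==` on the digests leaks, through timing, how many leading bytes of a guess were right.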
Malvertising
Places malware on websites without actually compromising the websites:
• The attacker pays for advertisements (with malware incorporated into them) to be placed on sites that their intended targets are likely to visit
• Using these malicious ads, attackers infect visitors of the sites displaying them
• The malware code may be dynamically generated to reduce the chance of detection or to infect only specific systems
• Has grown rapidly in recent years because ads are easy to place on desired websites with few questions asked and are hard to track
• Attackers can place these ads for as little as a few hours, at the times they expect their intended victims to be browsing the targeted websites, greatly reducing their visibility

Clickjacking
A user can be led to believe they are typing the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker (keystrokes can be hijacked as well as clicks)
• The attacker can force the user to do a variety of things, from adjusting the user's computer settings to unwittingly sending the user to websites that might host malicious code
• Using Adobe Flash or JavaScript, an attacker can even place a button under or over a legitimate button, making it difficult for users to detect
• A typical attack uses multiple transparent or opaque layers to trick a user into clicking a button or link on another page when they intended to click on the top-level page; essentially, the attacker hijacks clicks meant for one page and routes them to another

Payload - Information theft: keyloggers and spyware
Keylogger
• Captures keystrokes to allow the attacker to monitor sensitive information
• Typically uses some form of filtering mechanism that only returns information close to keywords ("login", "password")
Spyware
• Subverts the compromised machine to allow monitoring of a wide range of activity on the system:
• Monitoring the history and content of browsing activity
• Redirecting certain web page requests to fake sites
• Dynamically modifying data exchanged between the browser and certain websites of interest

Malware countermeasure approaches
Four main elements of prevention:
• Policy
• Awareness
• Vulnerability mitigation
• Threat mitigation
The ideal solution to the threat of malware is prevention. If prevention fails, technical mechanisms support the following threat mitigation options:
- Detection
- Identification
- Removal

DoS attack
A web server is flooded with so many spurious/fake requests that it is unable to respond to valid requests from users, and often just crashes.

Source address spoofing
The attacker forges the source IP addresses of the attack packets:
- Hides the attacker's real address, so the attack is hard to trace back
- The server's responses go to the spoofed addresses rather than to the attacker, and the server must hold state (e.g. half-open connections) for every one of them, which slows it further
- Backscatter: the response and error packets the target sends to the spoofed addresses; a monitored block of unused addresses that starts receiving backscatter reveals an attack in progress

DNS reflection attack
A variation of the reflector attack establishes a self-contained loop between the intermediary and the target system; both systems act as reflectors.
Normal operation:
1. The DNS client sends a query from its UDP port 1792 to the server's DNS port 53 to obtain the IP address for a domain name
2. The DNS server sends a UDP response packet including the IP address
Attack:
1. The attacker sends a query to the DNS server with the spoofed source IP address j.k.l.m, the address of the target/victim; instead of port 1792, the attacker uses source port 7, the port usually associated with echo, a reflector service
2. The DNS server sends its response to the victim, j.k.l.m, addressed to port 7
3. If the victim offers the echo service, it echoes the received data back to the DNS server; this creates a loop between the DNS server and the victim if the DNS server responds again to the packets sent by the victim
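The DoS and reflection material above, as an added example that is not from the review notes: simple detection logic run over a constructed set of flow records (the record format, the addresses and the packet counts are invented for the demonstration). It flags the DNS-to-echo service pairing of the reflection loop, a high ICMP share of traffic (the rough 2% rule of thumb from the DDoS-prevention notes that follow), and destinations that are being hit by many sources at once, then turns the findings into drop rules.

```python
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple

# Constructed flow records (not real captures), one per line:
# "proto src_ip src_port dst_ip dst_port packets". 192.0.2.10 is the victim,
# 198.51.100.7 a DNS server being used as a reflector.
SAMPLE_FLOWS = """\
tcp 10.0.0.5 51022 192.0.2.10 443 40
udp 198.51.100.7 53 192.0.2.10 7 480
udp 192.0.2.10 7 198.51.100.7 53 480
icmp 203.0.113.4 0 192.0.2.10 0 300
icmp 203.0.113.9 0 192.0.2.10 0 250
tcp 10.0.0.8 51100 192.0.2.10 80 25
udp 10.0.0.9 40000 198.51.100.7 53 3
"""


class Flow(NamedTuple):
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int


# Service pairings that only occur in reflector loops: DNS (53) <-> echo (7).
BLOCKED_SERVICE_PAIRS = {(53, 7), (7, 53)}
ICMP_SHARE_LIMIT = 0.02  # rule of thumb from the notes: ICMP around 2% of traffic


def parse_flows(text: str) -> List[Flow]:
    """Parse the whitespace-separated flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, sip, sp, dip, dp, n = line.split()
        flows.append(Flow(proto, sip, int(sp), dip, int(dp), int(n)))
    return flows


def icmp_share(flows: List[Flow]) -> float:
    """Fraction of all packets that are ICMP."""
    total = sum(f.packets for f in flows)
    icmp = sum(f.packets for f in flows if f.proto == "icmp")
    return icmp / total if total else 0.0


def reflection_loops(flows: List[Flow]) -> List[Flow]:
    """UDP flows whose port pairing matches a known reflector loop."""
    return [f for f in flows
            if f.proto == "udp" and (f.src_port, f.dst_port) in BLOCKED_SERVICE_PAIRS]


def flood_targets(flows: List[Flow], min_packets: int = 500, min_sources: int = 2) -> Dict[str, int]:
    """Destinations receiving at least min_packets from at least min_sources distinct hosts."""
    packets: Counter = Counter()
    sources = defaultdict(set)
    for f in flows:
        packets[f.dst_ip] += f.packets
        sources[f.dst_ip].add(f.src_ip)
    return {ip: n for ip, n in packets.items()
            if n >= min_packets and len(sources[ip]) >= min_sources}


def filter_rules(flows: List[Flow]) -> List[str]:
    """Translate the findings into firewall drop rules (textual, illustrative)."""
    rules = []
    if icmp_share(flows) > ICMP_SHARE_LIMIT:
        rules.append("drop icmp")  # or rate-limit ICMP to the 2% budget
    for f in reflection_loops(flows):
        rules.append("drop udp {}:{} -> {}:{}".format(f.src_ip, f.src_port, f.dst_ip, f.dst_port))
    return rules


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("ICMP share: {:.1%}".format(icmp_share(flows)))
    print("flood targets:", flood_targets(flows))
    for rule in filter_rules(flows):
        print(rule)
```

The thresholds are deliberately crude; in practice they are tuned per link and combined with ingress filtering at the ISP, which can drop packets whose source address could not legitimately originate from the customer's network.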
DDoS attack
Distributed Denial of Service attack. Typically malware installed on many computers (thousands) activates at the same time and floods a target with traffic until the server is overwhelmed. Very hard to trace back to the attacker because the zombies are controlled from all around the world.
TFN - Tribe Flood Network: one of the most popular DDoS tools; agent zombies run a combination of attacks at different times.

DDoS attack prevention
Steps of defense: prevention/preemption (before the attack), detection/filtering (second step, during the attack), traceback (third step, during or after the attack), recovery (final step, after the attack). The first two steps are the most important: they can prevent or stop attacks, and getting them wrong can lead to lawsuits (because personal data was leaked/stolen).
- Build a list of known attacking/spoofed source IP addresses (the notes mention lists found on the dark web) for the firewall to compare against the source addresses of incoming requests, rejecting service to matches; done together with the ISP
- ISPs have a lot of control over the flow of packets
- Drop connections after a timeout period (instead of waiting for responses from spoofed IPs that never come)
- Block specific service combinations (e.g. port 7 with port 53)
- Keep ICMP at about 2% of network traffic; if it grows beyond that, cut ICMP off

Responding to DDoS
Alternate/backup servers; redirect legitimate traffic to different IP addresses

DDoS defense
Attack prevention and preemption (before the attack): These mechanisms enable the victim to endure attack attempts without denying service to legitimate clients. Techniques include enforcing policies for resource consumption and providing backup resources available on demand. In addition, prevention mechanisms modify systems and protocols on the Internet to reduce the possibility of DDoS attacks.
Attack detection and filtering (during the attack): These mechanisms attempt to detect the attack as it begins and respond immediately. This minimizes the impact of the attack on the target.
Detection involves looking for suspicious patterns of behavior; response involves filtering out packets likely to be part of the attack.
Attack source traceback and identification (during and after the attack): An attempt to identify the source of the attack as a first step in preventing future attacks. This typically does not yield results fast enough, if at all, to mitigate an ongoing attack.
Attack reaction (after the attack): An attempt to eliminate or curtail the effects of an attack.

Smurf attack (ICMP amplification)
1. The attacker identifies several intermediary sites that will amplify the attack (usually several are selected, to further disguise the attack)
2. The attacker sends a large amount of ICMP echo-request traffic to the broadcast address of these intermediary sites
3. The packets have their source IP address spoofed to the victim's address
4. The intermediaries deliver the broadcast to all hosts on their subnet
5. All of those hosts reply to the victim network
6. The attacker keeps sending, so the amplified replies keep coming and eventually overwhelm the target

Buffer overflow
A buffer overflow occurs when the volume of data written exceeds the storage capacity of the memory buffer, so data is written into adjacent memory locations. If an attacker knows the memory layout of a program, they can feed input larger than the buffer can hold and overwrite adjacent control data or code with their own (e.g. overwrite a pointer so that it points to an exploit payload instead).

Buffer overflow countermeasures
Current operating systems have runtime protection, e.g.:
• Address space layout randomization (ASLR): randomly moves the locations of code and data regions in the address space. Buffer overflow attackers need to know the address of the code they want to run, so randomizing addresses makes this very difficult.
• Data execution prevention (DEP): marks certain areas of memory (such as the stack) as non-executable, stopping an attack from running code placed in a non-executable region.

Buffer overflow consequences
Examples of consequences of overwriting adjacent memory locations:
• corruption of program data
• unexpected transfer of control
• memory access violation
• execution of code chosen by the attacker
• the Morris worm
• "Riding on the Rocket" [see reading]

Relational database
A relational DB uses multiple tables that are related to each other by a designated key they have in common (in the lecture's example, the field is PhoneNumber). Note: in general, not all tables are necessarily related to each other.

Server variables
Server variables, e.g. HTTP or network/IP protocol headers, are often logged by the DB for usage statistics and browsing trends, and are used by routers to route packets to the correct destination
• Attackers can forge the values placed in HTTP/IP headers so that they contain SQL commands
• When the SQL query that logs the server variables is issued to the DB, the attack in the forged header executes (usually to access the DB and cause harm)

Capabilities and limitations of firewalls
A firewall defines a single chokepoint where rules are enforced, and allows rules specific to our corporation.
Firewall limitations:
- Permutable
- Can't think of all of the rules
- People logging in from different places may be able to get past the firewall

Insider attacks
Most difficult to prevent and detect. Example: the vice president of sales for a stock firm copied the DB of the company she left as she went to a competitor.

IDS: 3 logical components
• Sensors - collect data. Input: network packets, log files, system call traces
• Analyzers - determine if an intrusion has occurred. Input: feed from sensors or other analyzers
• User interface - manage/direct/view the ID system. Input: manager, director, console component

Honeypots
What they do:
• Divert an attacker from accessing critical systems
• Collect information about the attacker's activities
• Encourage the attacker to stay on the system long enough for the admin to respond (though not necessarily to catch them)
Why they work:
• A honeypot is a system filled with fabricated information designed to appear valuable (falsified employee records, client data, budget) that a legitimate user would not access
• The data is plausible but falsified, therefore any access to the honeypot is suspect
• The honeypot is equipped with event loggers (monitors) that detect access and collect information about the attacker's electronic activities

Software as a Service (SaaS)
Provides service to customers/subscribers in the form of application software running on, and accessible in, the cloud infrastructure
• Applications are accessible from various client devices through a simple interface such as a web browser
• Instead of obtaining desktop and server licenses for the software products it uses, the subscriber obtains the same function from the cloud service
• The use of SaaS avoids the complexity of software installation, maintenance, upgrades, and patches
• The cloud provider also typically offers data-related features such as automatic backup and data sharing between subscribers
• Examples: Google Gmail, Microsoft 365, Salesforce, Citrix GoToMeeting, Cisco WebEx

Platform as a Service (PaaS)
• Provides service to customers/subscribers in the form of a platform on which the customer's applications can run
• In effect PaaS is an operating system in the cloud
• Useful for an organization that wants to develop new or tailored applications while paying for the needed computing resources only as needed, and only for as long as needed
• Examples: AppEngine, Engine Yard, Heroku, Microsoft Azure, F, Apache Stratos

Infrastructure as a Service (IaaS)
Provides customers/subscribers with access to the resources of the underlying cloud infrastructure
• Customers/subscribers do not manage or control the resources of the underlying cloud infrastructure, but have (limited) control over the O/S, deployed applications, and select networking components (e.g. host firewalls)
• IaaS offers customers/subscribers processing, storage, networks, and other fundamental computing resources
• Typical customers are able to self-provision this infrastructure using a web-based GUI
• Examples: Amazon Elastic Compute Cloud (EC2), Microsoft Windows Azure, Google Compute Engine (GCE), Rackspace

Cloud security countermeasures
Insecure interfaces (that customers use to manage and interact with cloud services). Countermeasures include:
• Ensuring that strong authentication and access controls are implemented in concert with encrypted transmission
Malicious insiders. Countermeasures include:
• Conducting a comprehensive assessment of the provider's employees and clients
• Specifying human resources requirements as part of the legal contract
• Determining security breach notification processes
Shared technology issues (IaaS vendors deliver their services in a scalable way by sharing infrastructure). Countermeasures include:
• Implementing security best practices for installation/configuration
• Monitoring the environment for unauthorized changes/activity
• Promoting strong authentication and access control for administrative access
• Conducting vulnerability scanning and configuration audits (firewalls, servers, etc.)
Data loss or leakage. Countermeasures include:
• Implementing strong access control
• Encrypting and protecting the integrity of data in transit and at rest
• Analyzing data protection at both design and run time (frequent testing)
Account or service hijacking. Countermeasures include:
• Prohibiting the sharing of account credentials between users
• Using strong two-factor authentication techniques
• Employing proactive monitoring to detect unauthorized activity (IDS)

Internet of Things (IoT)
IoT refers to the expanding interconnection of smart devices, ranging from appliances to tiny sensors.
The Internet now supports the interconnection of billions of industrial and personal objects, usually through cloud systems.

IoT security framework (what it should provide)
Communication security
• Prevention of unauthorized access to the content of data
• Guarantee of data integrity during transmission
Data management security
• Prevention of unauthorized access to the content of data
• Guarantee of data integrity during storage or processing
Integration of security policies and techniques
• The ability to integrate different security policies and techniques, so as to ensure consistent security control over the variety of devices and users of the IoT
Mutual authentication and authorization
• Before a device (or an IoT user) can access the IoT, mutual authentication and authorization between EACH device (or user) and the IoT should be performed according to predefined security policies
Security audit
• The IoT is required to support security audits (logs that are traceable and reproducible according to appropriate regulations and laws) for data transmission, storage, processing, and application access
Role-based security
• Assign access rights to roles instead of individual users
Anti-tamper and detection
• Immediate alert to the owner of unauthorized access to, or changes of, a device
• Data protection and confidentiality
Internet protocol protection
• Protection of data in motion from eavesdropping

Network layer security: IPsec introduction
Security requirements for a constrained (sensor-network) link protocol:
Data authentication
• Enables a legitimate node to verify whether a message originated from another legitimate node (i.e. a node with which it shares a secret key) and was unchanged during transmission
Replay protection
• Prevents an attacker from recording a packet and successfully replaying it at a later time
Low energy overhead
• Achieved by minimizing communication overhead and by using only symmetric encryption
Resilience to lost messages
• The relatively high rate of dropped packets in wireless sensor networks requires a design that tolerates high message loss rates (e.g. redundant packets)
* VPNs use IPsec-enabled routers at point A and point B so that packets can be transmitted securely over the public Internet

Digital forensics
The scientific process of preserving, identifying, extracting, documenting, and interpreting data on a computer.
Examples of the many functions a digital forensics expert is responsible for:
• Analysis of computer systems belonging to defendants (in criminal cases) or litigants (in civil cases)
• Recovering "deleted" data using special software
• Determining how an attacker (e.g. from Eastern Europe or Asia) hacked the company database
• Investigating electronic data and evidence against an errant employee; conversely, uncovering information about a company carrying out illegal activities online
• Building algorithms to help catch electronic fakes

Kinds of cases a digital forensics expert works on
• Child pornography
• Civil litigation (between organizations or individuals)
• False emails (email headers ...), e.g. attributed to people who can no longer testify
• Employee termination cases
• Media leak investigations (esp. sensitive information and the stock market ...)
• Industrial espionage investigations (Coca-Cola ...)
• Doctored images
• Social networking

Why the study of digital forensics is relevant
• Almost everything is online
• Computing is pervasive
• Determining how hackers from other parts of the world broke into databases
• Findings can be used as evidence in legal court cases

Collection of evidence
To collect computer evidence, care must be taken not to change the evidence, e.g.:
- Imaging media using a write-blocking tool to ensure the suspect device is not modified
- Documenting everything that has been done (including pictures of the actual location, machines, cables, etc.)
- Establishing and maintaining the chain of custody
- Using only tools and methods that have been tested and evaluated to validate their accuracy and reliability (industry standards)

Why use images in digital forensics
Information on digital media is easily changed. Once changed, it is usually impossible to detect that a change has taken place (or to revert the data to its original state) unless other measures have been taken. A common practice is to calculate a cryptographic hash of the image to establish a checkpoint. Examining a live file system changes the state of the evidence. The computer/media is the "crime scene": protecting the crime scene is paramount, as once evidence is contaminated it cannot be decontaminated. There is really only one chance to do it right!

Question: An IDS should be:
A. used only when it is necessary
B. run continually but with careful and constant human supervision
C. run continually and with minimal human supervision
D. none of the above are true
E. only A and B are true
Answer: C

Question: During a digital investigation, the following procedures should be followed to ensure the chain of custody:
A. a record or evidence log should be kept to show when all items of evidence, such as server logs, computers, hard drives, and disks, are received or seized and where they are located
B. if the items are released to auditors, authorities, or the court, those release dates should be recorded
C. access to evidence should not be restricted throughout the investigation and any subsequent proceedings
D. all of the above are true
E. only A and B are true
Answer: E

Real-life biometric authentication example
The UAE scans the irises of people arriving at its airports to make sure they are not people who have been exiled and are trying to get back into the country.

Types of malicious software
Propagation mechanisms:
- Social engineering attacks that convince users to bypass security mechanisms and install software they should not be installing (ex: the 123movies "tasha" incident; a message saying you need to download software to defend yourself from a hack)
- Back door/trap door attacks
Payload actions: performed by the malware once it reaches a target system; can include:
- Corruption of system/data files
- Lockout of systems
- Data loss/copying
- Hiding additional malware within a system

Macro and scripting viruses
A virus that attaches itself to documents and uses the macro programming capabilities of the document's application to execute and propagate.
- Exploits the active content of a document, in particular Word and Excel
- Can access other documents and the machine through things like Excel scripts
- Platform independent: any hardware that supports Word/Excel or the other affected document types is vulnerable
- Infects documents, not the executable part of the code
- Easily spread
- Target specific and very effective (one created for Word differs from one created for Excel); could affect multiple OSs as long as they handle those documents
- In short: platform independent and target specific

Virus classification
File infector
• Infects files that the operating system or shell considers to be executable
Macro virus
• Infects files with macro or scripting code that is interpreted by an application
Encrypted virus
• A portion of the virus creates a random encryption key and encrypts the remainder of the virus, so the stored body differs from copy to copy
Polymorphic virus
• A virus that creates copies during replication that are functionally equivalent but have distinctly different bit patterns, using a mutation engine, in order to defeat programs that scan for viruses
Metamorphic virus
• A virus that mutates and rewrites itself completely at each iteration and may change behavior as well as appearance

Target discovery (worms)
Scanning (or fingerprinting)
• First function in the propagation phase for a network worm
• Searches for other systems to infect
Random
• Each compromised host probes random addresses in the IP address space using a different copy of the worm
• This produces a high volume of Internet traffic, which may cause generalized disruption even before the actual attack is launched
Hit-list
• The attacker first compiles a long list of potentially vulnerable machines
• Once the list is compiled, the attacker begins infecting machines on the list
• Each infected machine is provided with a portion of the list to scan
• This results in a very short scanning period, which may make it difficult to detect that infection is taking place
Topological
• Uses information contained on an infected victim machine to find more hosts to scan
Local subnet
• If a host can be infected behind a firewall, that host then looks for targets in its own local network
• The host uses the subnet address structure to find other hosts that would otherwise be protected by the firewall

Watering hole attacks
- A variant of drive-by download, but used in highly targeted attacks
• The attacker researches: a) their intended victims, to identify websites they are likely to visit, then b) scans these websites to identify those with vulnerabilities that allow their compromise
• They then wait for one of their intended victims to visit one of the compromised sites
• Attack code may even be written so that it only infects systems belonging to the target organization and takes no action for other visitors to the site
• This greatly increases the likelihood of the site compromise remaining undetected

Payload - Information theft: phishing / social engineering
- "Tricking" users into assisting in the compromise of their own systems
- Exploits social engineering to leverage the user's trust by masquerading as communication from a trusted source
- Includes a URL in a spam e-mail that links to a fake website mimicking the login page of a banking, gaming, or similar site
- Suggests that urgent action is required by the user to authenticate their account
- The attacker then exploits the account using the captured credentials
Spear-phishing
- Recipients are carefully researched by the attacker
- The e-mail is crafted to specifically suit its recipient, often quoting a range of information to convince them of its authenticity

Payload - Attack agents: bots
• Takes over other computers online and uses them to launch or manage attacks (bots/zombies)
• Botnet: a collection of bots capable of acting in a coordinated manner
• Uses:
- Distributed denial-of-service (DDoS) attacks
- Spamming
- Sniffing traffic
- Keylogging
- Spreading new malware
- Installing advertisement add-ons
- Manipulating online polls/games

Payload - Stealthing: backdoor
• Also known as a trapdoor
• A secret entry point into a program that allows the attacker to gain access while bypassing the normal security access procedures
• A maintenance hook is a backdoor used by programmers to debug and test programs
• It is difficult to implement operating system controls for backdoors in applications

Perimeter scanning approaches
• Anti-virus software is typically included in the e-mail and web proxy services running on an organization's firewall and IDS
• May also be included in the traffic analysis component of an IDS
• May include intrusion prevention measures, blocking the flow of any suspicious traffic

Input validation (countermeasure for XSS and related injection)
Textual data:
- Validate AND restrict user input
- Compare the input data against what is wanted and accept only valid input (allow-list), OR compare the input data with known dangerous values (deny-list)
• Ensure that the data conforms with any assumptions made about it before subsequent use (e.g. if the data is textual, the assumptions may be that it contains only printable characters, has certain HTML markup, or is the name of a person, a user ID, an e-mail address, a filename, and/or a URL)
Numerical data:
- Alternatively, the data might represent an integer or other numeric value. A program using such input should confirm that it meets these assumptions.
- Incorrect handling of numeric input can lead to a buffer overflow.
- For example, a buffer size may be read as an unsigned integer and later compared with the acceptable maximum buffer size. Depending on the language used, the size value that was input as unsigned may subsequently be treated as a signed value in the comparison. This is a vulnerability because negative values have the top bit set, which is the same bit pattern used by large positive values in unsigned integers. So the attacker can specify a very large actual input length which is treated as a negative number when compared with the maximum buffer size, passes the check, and then overflows the buffer when the copy is performed.
[Hello Discrete Structures :-D ] -Once again, care is needed to check assumptions about data values and to ensure that all use I consistent with these assumptions A Main Avenue of SQLi Attacks User Input: In most SQLi attacks that target Web applications, user input typically comes in the forms of GET/POST commands Tautology: puts in a tautology so each row is labeled as true and returned Illegal/Logically Incorrect Queries: gives attacker info about the type of structure of the backend DB of a web application through the form of an error message Host Based IDS specialized software to monitor (vulnerable/ sensitive) system activity to detect suspicious behavior • primary purpose is to detect intrusions, log suspicious events, and send alerts • used to detect both external and internal intrusions • Follow two basic approaches, often used in combination: -anomaly detection: involves the collection of data relating to the behavior of legitimate users, over a period of time. • statistical tests are applied to observed behavior, to determine with a high level of confidence whether that behavior is not legitimate user behavior. • attempt to define normal, or expected, behavior. This approach is effective against masqueraders, who are unlikely to mimic the behavior patterns of the accounts they appropriate. On the other hand, such techniques may be unable to deal with motivated insider attacker. • signature detection: defines a set of rules or attack patterns used to decide that a given behavior is that of an intruder. 
• it attempts, ahead of time, to define proper behavior and may be able to recognize events and sequences that, in context, reveal penetration Collection of Data • a fundamental tool for intrusion detection two variants: -native audit records: provided by O/S (most multi-user operating systems include accounting software that collects information on user activity) • always available but may not be optimum *advantage: it is already in built you already have this data being collected by the operating system *disadvantage: that it might not be collecting exactly what you need in the time you need it in the way you need it -detection-specific audit records: IDS specific (and company specific) • additional overhead but specific to IDS task • often log individual elementary actions • e.g. may contain fields for: subject, action, object, resource-usage, time-stamp Placement of Network Based IDS -External Firewall *advantage: able to look at access to all ports, secure perimeter, catch obvious attacks *disadvantage: huge overhead, don't catch subtle attacks, incompetent users Placement of Honeypot -External *advantage: detects intrusion activity *disadvantage: does not catch insider attack cloud computing Provides for ubiquitous, convenient, in-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, application, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction [NIST 2011] Cloud Computing - Essential Characteristics Broad Network Access • Capabilities are available over the network and accessed through different client platforms (e.g., smartphones, laptops, tablets) Rapid Elasticity • The ability to expand and reduce resources according to your specific service requirement, e.g. 
you may need a large number of server resources for the duration of a specific task, but can then release these resources upon completion of the task Measured Services • Automatically controlling and optimizing resources by metering capability - I.e. resources are monitored, controlled, and reported, proving transparency for both the provider and consumer of the utilized service On-demand Self-Service • Services, such as server time, network storage are unilaterally (one direction) provisioned requiring minimal human interaction - and because of this on-demand service, resources are not permanent parts of the consumer's IT infrastructure Resource Pooling • The provider's computing resources are pooled to serve multiple CSCs (Could Service Consumer) using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. Cloud Deployment Models Community Cloud • Cloud resources are shared among a number of independent organizations/ subscribers/ customers - but access is restricted • The organizations that share a community cloud have similar requirements and typically, a need to exchange data with each other • E.g. organizations within the health care industry - the community cloud can be implemented to comply with governance privacy and other regulations - and the community participants can exchange data in a controlled fashion • The cloud infrastructure may: • be managed by the participating organizations or a 3rd party • exist on premise or off premise • have costs spread over more users than a private cloud Hybrid Cloud • Composed of 2 or more clouds (private, community, public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (for e.g. 
load balancing) • Sensitive information can be placed in a restricted area of the cloud, and less sensitive data in the shared public space • Attractive solution to smaller businesses - cost-saving - least expensive option Private Cloud • Implemented within the internal IT environment of the organization • A key motivation for opting for a private cloud of security - it offers tighter controls over the geographic location of data storage. Also easier resource sharing with, and rapid deployment to, organization entities • Most expensive option Cloud Security Concepts Governance • Put in place audit mechanisms and tools to ensure organizational practices are followed throughout the system lifecycle Compliance • Ensure that the cloud provider's electronic discovery capabilities and processes do not compromise the privacy or security of client data and applications Trust • Establish clear, exclusive ownership rights over data Identity & Access Management • Ensure that adequate safeguards are in place to secure authentication, authorization and other access functions are suitable for the client organization Data Protection • Understand and weigh the risks involved in cryptographic key management with the facilities available in the cloud environment and the processes established by the cloud provide Availability • Ensure that during an intermediate or prolonged disruption or a serious disaster, critical operations can be immediately resume, and that critical operations can be eventually reinstated in a timely and organized manner Incidence Response • Ensure that the cloud provider has a transparent response process in place and sufficient mechanisms to share information during and after an incident Overview of Cloud Security Approaches Data Protection • Encryption, back-up, access control within the cloud service in an auditable way Service Protection Identity & Access Management (IAM) • Authenticates users, control access within the cloud service in an auditable way 
Data Loss Prevention (DLP) • Implements rules about what functions can be performed on data Web Security • Protection against malware, data backup, traffic control Web access control Email Security • Provides control over inbound/ outbound email, protecting the organization against phishing, malicious attachment, enforcing corporate policies. Digital signatures, encryption Intrusion Management • Use of IDS on entry points to the cloud and on servers in the cloud Business Continuity & Disaster Recovery • Service must include a flexible infrastructure, redundancy of service and hardware, monitors operations, geographically distributed data centers and network survivability Network Security • Perimeter security, firewalls, DOS prevention, protection of underlying resources Forensic Constraints Chain of Custody -Maintain possession of all objects (accountability) Must be able to trace evidence back to source -"Prove" source integrity Priority by Volatility -Some data is more volatile -RAM swap disk CDs/DVDs -Idea: capture more volatile evidence first ANALYSIS & EVALUATION of Digital Forensics Know where evidence can be found Understand techniques used to hide or "destroy" digital data Toolbox of techniques to discover hidden data and recover "destroyed" data Cope with HUGE quantities of digital data... Ignore the irrelevant, target the relevant Thoroughly understand circumstances which may make "evidence" unreliable If you have a hard drive with a broken sector that gives different result, what happens when you hash the entire drive? Digital Forensic Tools Autopsy and the Sleuth Kit FTK Imager Volatility Cellebrite UFED EnCase Wireshark Where is evidence hiding in digital forensics? Can hide with IP spoofing Can hide in network layers Cryptography Steganography • The process of hiding data inside other data (e.g. image files). Change file names and extensions • E.g. rename a .doc file to a .tmp file Hidden tracks • most hard disks have # of tracks hidden (i.e. 
track 0) • They can be used to hide/read data by using a hex editor Deleted Files • not truly deleted, merely marked for deletion. Disk Wiping (Digital Forensics) Simple erase -The data is still on the drive but the segment has been marked as available -Next time data is written to the drive it MAY overwrite the segment Destructive erase -First overwrites all data in the file with random data Next marks the segment as available -It may be possible to find ghost images of what was previously on the disk surface ANTI-FORENSIC & DATA SECURITY Anti-forensic techniques try to frustrate forensic investigators and their techniques Securely deleting data, so that it cannot be restored with forensic methods Prevent the creation of certain data in the first place Data which was never there, obviously cannot be restored with forensic methods. Firewall Characteristics Different protection levels based on the location of the computer -When your PC connects to a network, the firewall applies a security level in accordance with the type of network. If you want to change the security level assigned initially, you can do this at any time through the firewall settings. Protection of wireless networks (Wi-Fi) -This blocks intrusion attempts launched through wireless networks (Wi-Fi). When an intruder attempts to access, a pop-up warning is displayed that allows you to immediately block the attack. Access to the network and the Internet -It specifies which programs installed on your computer can access the network or the Internet. Protection against intruders -It prevents hacker attacks that try to access your computer to carry out certain actions. Blocks -The firewall can block the access of the programs that you specify should not be able to access the local network or the Internet. It also blocks access from other computers that try to connect to programs installed on your computer. 
Definition of rules -This defines rules that you can use to specify which connections you want to allow and the ports and zones through which the connection can be established. (from ) E.g schools blocking porn sites WHAT OBJECTS COULD BE IDENTIFIED AS USEFUL TO AN INVESTIGATION? computers, hard drives, anything that can have info on it Common Collection Mistakes (Digital Forensics) Unplug computer (lose RAM, volatile memory), change time stamp Why create a duplicate image? (in digital forensics cases) Preserves original evidence Prevents inadvertent alteration of original evidence during examination Allows recreation of the duplicate image if necessary (BUT a file copy does not recover all data areas of the device for examination) make bit level images along with directory level
Institution
CS415
Course
CS415
Seller
Arthurmark Chamberlain College Of Nursing