Information Systems Security - PowerPoint PPT Presentation

Slides: 37
Provided by: cltAs

Transcript and Presenter's Notes

1
Information Systems Security
  • Applications Development
  • Domain 8

2
Objectives
  • Software Flaws
  • OSI Model
  • Database Concepts
  • Software Lifecycle
  • Change Control
  • OOP
  • Expert Systems

3
Why Is Security Lacking?
  • Software vendors rush to market
  • Security professionals are not software
    developers
  • Public is used to software with bugs
  • Software vendors not held liable
  • Programmers not taught secure coding in school
  • Note: average of 10 bugs every 1K lines

4
Usual Steps
  • Buggy software released to market
  • Hackers find vulnerabilities
  • Web sites post vulnerabilities
  • Vendors develop patches
  • Patches sit on network administrators' desks waiting
    to be tested and installed

5
Where to Implement
  • Security should be planned and managed throughout
    the lifecycle
  • Not to be added as an afterthought
  • Should not be forsaken due to deliverable
    deadlines
  • Focus on security AND functionality

6
Functional Requirements
  • Specific system functionalities
  • Consider how the parts of the system should
    interoperate
  • Deliverable from this phase of development is a
    functional requirements document

7
Design
  • Determine how exactly the various parts of the
    system will interoperate
  • How the modular system structure will be laid out
  • Lay out initial timelines for completion of
    coding milestones
  • Deliverable is formal design documents

8
Code Review Walk-Through
  • Schedule several code walk-through meetings
  • Involve only development personnel
  • Look for problems in logical flow or security

9
System Testing
  • Perform the initial system tests using
    development personnel
  • Agree that the system meets all functional
    requirements
  • Deliverable is beta code

10
Certification/Accreditation
  • Normally required by defense contractors
  • Certification is the comprehensive evaluation of
    the technical and non-technical security features
    of an IT system
  • Accreditation is the formal declaration by the
    approved authority that an IT system is approved
    to operate in a particular security mode

11
Maintenance
  • Ensure continued operation in the face of
    changing operational, data processing, storage,
    and environmental requirements
  • Changes to the code should be handled through a
    formalized change request/control process

12
Life Cycle Models
  • Formalized life cycle management process
  • Royce and Boehm proposed several software life
    cycle models
  • In 1991, the Software Engineering Institute
    introduced the Capability Maturity Model

13
Waterfall Model
  • Developed by Royce in 1970
  • Series of iterative activities
  • 7 stages of development
      • System requirements
      • Software requirements
      • Preliminary design
      • Detailed design
      • Code/debug
      • Testing
      • Maintenance

14
Waterfall Model
  • Allows development to return to previous phase to
    correct defects discovered
  • 1st comprehensive model to allow a step back
  • Only allows the developers to step back one phase
    in the process

15
Spiral Model
  • Developed by Boehm in 1988 at TRW
  • Multiple iterations
  • Each loop of the spiral results in a system
    prototype
  • Allows developers to return to the planning stage
    based on changing technical demands and customer
    requirements

16
Software Capability Maturity
  • Developed at CMU in 1991
  • Repeatable: reuse of code begins
  • Defined: developers use formal processes
  • Managed: quantitative measures utilized
  • Optimized: process of continuous improvement

17
Security Control Architecture
  • Process isolation
      • Fundamental security procedures put into place
        during system design
  • Hardware segmentation
      • Process isolation at the hardware level by
        enforcing memory access constraints

18
Protection Rings
  • Layer 0: where the OS kernel resides
      • Has full control of all system resources
  • Layers 1 and 2: device drivers and OS interfaces
      • Most O/S do not implement these layers
  • Layer 3: user applications and processes
      • Known as user mode
      • Not allowed direct access to system resources

19
Ring 0 Reference Monitor
  • Must be tamperproof
  • Must always be invoked
  • Small enough to be analyzed
  • Must be complete

20
Virus
  • Piece of code that requires a host application to
    reproduce
  • Macro
  • Boot sector
  • Compression
  • Stealth
  • Polymorphic
  • Multi-partite
  • Self-garbling

21
Virus
  • Fred Cohen wrote the 1st in 1983
  • Called the Morris worm
  • Over 60,000 viruses today
  • Main functions: propagation and destruction

22
Types of Viruses
  • File Infectors
  • Boot Sector Infectors
  • Companion Virus
  • Email Virus
  • Multi-partite

23
More Malware
  • Worms
      • Can reproduce on their own
      • Self-contained
  • Logic bomb
      • Event triggers execution
  • Trojan horse
      • Disguised as another program
      • Uses program to exploit authorization process

24
MORE
  • DDoS Zombies
  • Spyware/Adware
  • Pranks

25
Threats in Software Environment
  • Buffer Overflow
  • Citizen Programmers
  • Covert Channels: Storage and Timing
  • Malware
  • Malformed Input
  • Object Reuse
  • Mobile Code
  • Time of Check/Time of Use

26
System Development Life Cycle
  • Project Initiation
  • Functional Requirements
  • System Design
  • Develop
  • Acceptance
  • Installation
  • Maintenance
  • Revisions

27
Software Protection Mechanisms
  • Security Kernel (Monitor)
  • Processor Privilege State
  • Buffer Overflow Controls
  • Incomplete Parameter Controls
  • Memory Protection
  • Covert Channel Controls
  • Cryptography

28
Database Vulnerabilities
  • Aggregation
  • Bypass Attacks
  • Deadlocking
  • Query Attacks
  • Web Security
  • Compromising Database Views

29
Database Protection
  • Lock Controls
  • View Based Controls
  • Grant/Revoke Controls
  • Metadata Controls
  • Data Contamination Controls

30
Distributed Components
  • Agents
      • Performs actions on behalf of user
      • Carries out activities unattended
  • Applets
      • Sent from server to client
      • Self-contained mini-programs
      • Java (Sun), ActiveX (MS)
      • Java sandboxed but ActiveX is ring 0

31
Databases
  • Relational
  • Flat 2-dimensional table
  • Number of rows is cardinality
  • Number of columns is degree
  • Security available through views
  • Primary and secondary keys used
  • Data Warehouses and Data Mining

32
Expert Systems
  • Accumulated knowledge of expert on a specific
    subject
  • Knowledge base
  • Inference engine
  • Fuzzy logic
  • Neural networks

33
Programming
  • Interpreted versus compiled
  • Fail-secure versus fail-open
  • Reverse engineering
  • White box testing versus black box testing

34
Password Attacks
  • Dictionary attacks
  • Against /etc/passwd in Unix
  • Compares hash values
  • Social engineering
  • Brute force attacks
  • Complex passwords

35
DoS Attacks
  • SYN flood
  • DDoS
  • Tribe Flood Network (TFN)
  • DRDoS attacks
  • Smurf (ICMP)
  • Fraggle (UDP)
  • Teardrop (fragmentation)
  • Land (tight loop for old systems)
  • Ping of Death (packets larger than 64K)

36
More Attacks
  • Buffer Overflows
      • Combat with input controls
  • Time of check/Time of use
      • Restrictions only checked at login
  • IP probes or sweeps (Ping)
  • Port scans to identify services
  • Vulnerability attacks (SATAN)
  • IP spoofing