Module-1
INFORMATION ASSETS & THREATS
Common Vulnerabilities and Exposures (CVE)
• Common Vulnerabilities and Exposures (CVE) is a catalogue of publicly known security threats.
• Entries are divided into two categories:
• Vulnerabilities and
• Exposures.
Common Vulnerabilities and Exposures (CVE)
• Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (i.e. CVE Identifiers) for publicly known information/cyber security vulnerabilities.
• CVE’s common identifiers make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating the coverage of an organization’s security tools.
• If a report from one of your security tools incorporates CVE identifiers, you may then quickly and accurately access fix information in one or more separate CVE-compatible databases to remediate the problem.
Common Vulnerability Scoring System (CVSS)
• Common Vulnerability Scoring System (CVSS) provides an
open framework for communicating the characteristics and
impacts of IT vulnerabilities.
• Its quantitative model ensures repeatable, accurate
measurement while enabling users to see the underlying
vulnerability characteristics that were used to generate the
scores.
• CVSS is well suited as a standard measurement system for
industries, organizations and governments that need accurate
and consistent vulnerability impact scores.
https://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_System
Common Weakness Enumeration (CWE)
• Common Weakness Enumeration (CWE) provides a common language of discourse for discussing, finding and dealing with the causes of software security vulnerabilities as they are found in code, design or system architecture.
• Each individual CWE represents a single type of weakness (a class of vulnerability).
• CWEs are used as a classification mechanism that differentiates CVEs by the type of vulnerability they represent.
Module-1
Elements of Information Security
• Network Security
– Network security refers to any activity designed to
protect the usability, reliability, integrity and safety
of your network and data.
– Network security is accomplished through hardware
and software where the software must be constantly
updated and managed to protect you from emerging
threats.
Elements of Information Security (Network Security)…
• A network security system usually consists of many components. Ideally, all components work together, which minimizes maintenance and improves security.
• The mobility of wireless networks adds further security challenges, namely monitoring and maintaining secure transport of traffic for mobile nodes.
• At the terminal, it is important to protect its resources (battery, disk, CPU) against misuse and to ensure the confidentiality of its data.
• In an ad hoc or sensor network, it becomes essential to ensure the terminal’s integrity, as it plays the dual role of router and terminal.
Elements of Information Security
Network security components often include:
– Anti-virus and anti-spyware
– Firewall to block unauthorized access into the network
– Intrusion Prevention Systems (IPS) to identify fast-spreading threats, such as zero-day or zero-hour attacks
– Virtual Private Networks (VPNs) to provide secure remote access
– Communication security
Application Security
• Application security encompasses measures taken to improve the security of an application, often by finding, fixing and preventing security vulnerabilities.
• Different techniques are used to surface such security vulnerabilities at different stages of an application’s lifecycle, such as design, development, deployment, upgrade and maintenance.
• Terms
– Asset - Resource of value such as the data in a database, money in an
account, file on the file system or any system resource.
– Vulnerability - A weakness or gap in a security program that can be exploited by threats to gain unauthorized access to an asset.
– Attack (or exploit) - An action taken to harm an asset.
– Threat - Anything that can exploit a vulnerability and obtain, damage,
or destroy an asset.
Application Security
• Three distinct elements:
• Measurable reduction of risk in existing
applications
• Prevention of introduction of new risks
• Compliance with software security mandates
Application Security Techniques
• Different techniques will find different subsets of the security vulnerabilities lurking in an application and are most effective at different times in the software lifecycle. They each represent different tradeoffs of time, effort, cost and vulnerabilities found.
• Techniques
– Whitebox security review, or code review. A security engineer gains a deep understanding of the application by manually reviewing the source code and noticing security flaws. Through this comprehension of the application, vulnerabilities unique to it can be found.
– Blackbox security audit. The running application is tested for security vulnerabilities purely through its use; no source code is required.
– Design review. Working through a threat model of the application before code is written, sometimes alongside a spec or design document.
– Tooling. There exist many automated tools that test for security flaws, often with a higher false positive rate than having a human involved.
– Coordinated vulnerability platforms. Hacker-powered application security solutions offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs.
• Utilizing these techniques appropriately throughout the software development life cycle (SDLC) to maximize security is the role of an application security team.
Application Security
• The application security market has reached sufficient maturity to allow organizations of all sizes to follow a well-established roadmap:
– Begin with software security testing to find and assess potential vulnerabilities.
– Follow remediation procedures to prioritize and fix them.
– Train developers on secure coding practices.
– Leverage ongoing threat intelligence to keep up-to-date.
– Develop continuous methods to secure applications throughout the development life cycle.
– Instantiate policies and procedures that instill good governance.
Application threats and attacks
• According to the patterns & practices Improving Web
Application Security book, the following are classes of
common application security threats and attacks:
Category | Threats & Attacks
Input Validation | Buffer overflow; cross-site scripting; SQL injection; canonicalization
Software Tampering | Attacker modifies an existing application's runtime behavior to perform unauthorized actions; exploited via binary patching, code substitution, or code extension
Authentication | Network eavesdropping; brute force attack; dictionary attacks; cookie replay; credential theft
Authorization | Elevation of privilege; disclosure of confidential data; data tampering; luring attacks
Configuration management | Unauthorized access to administration interfaces; unauthorized access to configuration stores; retrieval of clear text configuration data; lack of individual accountability; over-privileged process and service accounts
Sensitive information | Access sensitive code or data in storage; network eavesdropping; code/data tampering
Session management | Session hijacking; session replay; man in the middle
Cryptography | Poor key generation or key management; weak or custom encryption
Parameter manipulation | Query string manipulation; form field manipulation; cookie manipulation; HTTP header manipulation
Exception management | Information disclosure; denial of service
Auditing and logging | User denies performing an operation; attacker exploits an application without trace; attacker covers his or her tracks
OWASP
• The Open Web Application Security Project (OWASP) is an
online community that produces freely-available articles,
methodologies, documentation, tools, and technologies in the
field of web application security.
• The OWASP community publishes a list of the top 10 vulnerabilities for web applications.
• It outlines best security practices for organizations while aiming to create open standards for the industry.
OWASP
Category | Threats / Attacks
Injection | SQL injection; NoSQL; OS command; object-relational mapping; LDAP injection
Broken authentication | Credential stuffing; brute force attacks; weak passwords
Sensitive data exposure | Weak cryptography; un-enforced encryption
XML external entities | XML external entity attack
Broken access control | CORS misconfiguration; forced browsing; elevation of privilege
Security misconfiguration | Unpatched flaws; failure to set security values in settings; out of date or vulnerable software
Cross-site scripting (XSS) | Reflected XSS; stored XSS; DOM XSS
Insecure deserialization | Object and data structure is modified; data tampering
Using components with known vulnerabilities | Out of date software; failure to scan for vulnerabilities; failure to fix underlying platform frameworks; failure to update or upgrade library compatibility
Insufficient logging & monitoring | Failure to log auditable events; failure to generate clear log messages; inappropriate alerts; failure to detect or alert for active attacks in or near real-time
https://owasp.org/www-project-top-ten/
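Injection appears in both tables above (under Input Validation in the patterns & practices list and as the first OWASP category), and the underlying mistake is the same: letting untrusted input change the structure of a query rather than only its data. The following is an added example, not code from the slides, from OWASP or from the patterns & practices book. It uses Python's standard sqlite3 module with a constructed in-memory users table and shows the same lookup written three ways: string-spliced (vulnerable), parameterised (the fix), and parameterised with input validation in front (defence in depth).

```python
"""Injection: the same lookup written vulnerably and safely.
Added example; the users table and the account data are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with a few constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.invalid"),
        ("bob", "bob@example.invalid"),
        ("carol", "carol@example.invalid"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """BAD: user input is spliced into the SQL text, so a quote character in
    the input ends the string literal and the rest is parsed as SQL."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """GOOD: a parameterised query. The SQL text is fixed; the driver passes the
    value separately, so it is only ever compared as data."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_validated(conn: sqlite3.Connection, username: str) -> list:
    """Defence in depth: reject input that does not match the expected shape
    before it reaches the database at all, then still use parameters."""
    if not (1 <= len(username) <= 32 and username.isalnum()):
        raise ValueError("username must be 1-32 alphanumeric characters")
    return lookup_safe(conn, username)


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"   # the textbook probe string, used here only to show the difference
    print("vulnerable:", lookup_vulnerable(db, probe))   # every row comes back
    print("safe:      ", lookup_safe(db, probe))         # no such username -> []
```

The validating wrapper is worth keeping even with parameterised queries: it turns a malformed request into a logged `ValueError` at the edge, which is a useful detection signal, while the parameter binding remains the control that actually prevents the injection.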
Communications Security
• Communications Security (COMSEC) ensures the security of
telecommunications confidentiality and integrity – the two
information assurance (IA) pillars.
• Generally, COMSEC may refer to the security of any information
that is transmitted, transferred or communicated.
Five COMSEC Security Types
1. Crypto security: Encrypts data, rendering it unreadable until the
data is decrypted.
2. Emission Security (EMSEC): Prevents the release or capture of
emanations from equipment, such as cryptographic equipment,
thereby preventing unauthorized interception.
3. Physical Security: Ensures the safety and prevents unauthorized
access to cryptographic information, documents and equipment.
4. Traffic-Flow Security: Hides messages and their characteristics while they are transmitted on a network.
5. Transmission Security (TRANSEC): Protects transmissions from
unauthorized access, thereby preventing interruption and harm.
Module-1
Principles and Concepts – Data Security
• Critical Information Characteristics
• Confidentiality
• Integrity
• Availability
Principles and Concepts – Data Security
Information States
• Information has three basic states: at any given moment, information is being transmitted, stored or processed.
• These three states exist irrespective of the media in which the information resides.
[Diagram: "Information States" with three nodes: Transmission, Stored, Processing]
Principles and Concepts – Data Security
Basic information security concepts:
• Identification
• Authentication
• Authorization
• Confidentiality
• Integrity
• Availability
• Non-repudiation
Identification
• Identification is the first step in the ‘identify-authenticate-authorize’ sequence that is performed every day, countless times, by humans and computers alike whenever access to information or information processing resources is required.
• While the particulars of identification systems differ depending on who or what is being identified, some intrinsic properties of identification apply regardless of these particulars.
• Three of these properties are the scope, locality and uniqueness of IDs.
Authentication
• Authentication happens right after identification and before
authorization.
• It verifies the authenticity of the identity declared at the
identification stage.
• At the authentication stage you prove that you are indeed the
person or the system you claim to be.
• Three methods of authentication:
• what you know,
• what you have and
• what you are.
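Two of the three factors just listed can be shown in code: "what you know" as a salted, iterated password hash that is compared in constant time, and "what you have" as a time-based one-time password from a device that shares a secret with the server (RFC 4226 HOTP and RFC 6238 TOTP). This is an added example, not code from the slides; the user record and secrets are constructed, `ITERATIONS` is an assumed work factor, and the RFC test secret `12345678901234567890` is used only so the codes can be checked against the published vectors.

```python
"""Authentication factors in code: 'what you know' (a salted, iterated
password hash) and 'what you have' (a TOTP device, RFC 4226/6238).
Added example, not from the slides; the user record and secret are
constructed, and ITERATIONS is an assumed work factor."""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 iterations (assumed; tune so one check takes ~100 ms)


def register(password: str, salt: Optional[bytes] = None) -> dict:
    """Store only a salt and the derived hash; the clear-text password is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_password(record: dict, candidate: str) -> bool:
    """'What you know': re-derive the hash and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3]
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """'What you have': accept the current step and +-window neighbours to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, at + k * step, step), code)
               for k in range(-window, window + 1))


def login(record: dict, secret: bytes, password: str, code: str, at: Optional[int] = None) -> bool:
    """Both factors are always evaluated, so a failure reveals nothing about which one failed."""
    at = int(time.time()) if at is None else at
    password_ok = verify_password(record, password)
    code_ok = verify_totp(secret, code, at)
    return password_ok and code_ok


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"          # RFC 4226 / 6238 test secret
    print(hotp(rfc_secret, 1))                    # 287082 (RFC 4226 test vector)
    user = register("correct horse battery")      # constructed user
    print(login(user, rfc_secret, "correct horse battery", totp(rfc_secret, int(time.time()))))
```

A real deployment would additionally record the last accepted counter so a code cannot be replayed within its window, and would rate-limit attempts; both are outside what the slide describes and are left out here.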
Authorization
• Authorization is the process of ensuring that a user has
sufficient rights to perform the requested operation, and
preventing those without sufficient rights from doing the same.
• After declaring identity at the identification stage and proving
it at the authentication stage, users are assigned a set of
authorizations (also referred to as rights, privileges or
permissions) that define what they can do on the system.
• These privileges range between two extremes:
• “permit nothing” and
• “permit everything”,
• and include anything in between.
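The "permit nothing" end of that range is the safe default: an authorization check should deny anything it has not been explicitly told to allow. The following added example (not from the slides) shows a small deny-by-default check that runs after identification and authentication have produced a user name: permissions come from the user's role, owners get a little more on their own documents, and restricted documents narrow access further. The users, roles, documents and permission names are constructed.

```python
"""Deny-by-default authorization with roles, ownership and a classification rule.
Added example; the users, roles and documents are constructed."""
from dataclasses import dataclass

ROLE_PERMISSIONS = {                     # "permit everything" exists only for admin
    "admin": {"read", "write", "delete", "share"},
    "editor": {"read", "write"},
    "viewer": {"read"},
    # a role with no entry, or an unknown user, resolves to "permit nothing"
}
OWNER_EXTRA = {"write", "share"}         # what an owner may additionally do to their own document


@dataclass
class Document:
    name: str
    owner: str
    classification: str = "internal"     # "internal" or "restricted"


@dataclass
class Decision:
    allowed: bool
    reason: str                          # recorded in the audit log either way


def authorize(user: str, roles: dict, action: str, doc: Document) -> Decision:
    """Return a Decision; anything not explicitly granted is denied."""
    role = roles.get(user)
    if role is None:
        return Decision(False, "unknown principal")
    granted = set(ROLE_PERMISSIONS.get(role, set()))
    is_owner = doc.owner == user
    if is_owner:
        granted |= OWNER_EXTRA
    # restricted documents: only an admin or the owner may touch them at all
    if doc.classification == "restricted" and role != "admin" and not is_owner:
        return Decision(False, f"{doc.name} is restricted")
    if action in granted:
        via = f"role={role}" + (" + ownership" if is_owner else "")
        return Decision(True, f"{action} on {doc.name} granted via {via}")
    return Decision(False, f"{action} on {doc.name} not in permissions for role={role}")


if __name__ == "__main__":
    roles = {"alice": "admin", "bob": "editor", "carol": "viewer"}   # constructed
    plan = Document("plan.txt", owner="carol")
    for user, action in [("alice", "delete"), ("carol", "write"), ("bob", "delete"), ("mallory", "read")]:
        d = authorize(user, roles, action, plan)
        print(f"{user:8} {action:7} -> {'ALLOW' if d.allowed else 'DENY '} ({d.reason})")
```

Returning a reason alongside the boolean is deliberate: the deny reasons are what an audit log needs later (see the Non-repudiation and logging material in this module), and the allow reasons make it possible to review why a grant happened.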
Confidentiality
• Confidentiality means that only authorized persons have access to receive or use information, documents etc.
• Unauthorized access to confidential information may have
devastating consequences, not only in national security applications,
but also in commerce and industry.
• Mechanisms to assure confidentiality in information systems
• Cryptography
• Access controls
Confidentiality
• Examples of threats to confidentiality:
• Malware
• Intruders
• Social engineering
• Insecure networks and
• Poorly administered systems.
Integrity
• Integrity is concerned with the trustworthiness, origin,
completeness and correctness of information as well as
the prevention of improper or unauthorized
modification of information.
• Integrity in the information security context refers not
only to integrity of information itself but also to the
origin integrity i.e. integrity of the source of
information.
Integrity
• Integrity protection mechanisms may be grouped into two broad
types:
• Preventive mechanisms
• Access controls prevent unauthorized modification of
information
• Detective mechanisms
• Intended to detect unauthorized modifications when
preventive mechanisms have failed
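A detective integrity mechanism in its simplest form is a keyed manifest: a fingerprint of each protected item is recorded when the system is in a known-good state, and a later check reports anything modified, missing or added. The following is an added example, not from the slides; the records and the key are constructed. It uses HMAC-SHA256 rather than a plain hash so that someone who gains write access to both the data and the manifest still cannot recompute matching fingerprints without the key, which should be stored away from the data it protects.

```python
"""Detective integrity control: a keyed manifest that reveals modification,
deletion and insertion after preventive controls have failed.
Added example; the records and key below are constructed."""
import hashlib
import hmac

KEY = b"constructed-manifest-key"   # in practice kept separately from the protected data


def fingerprint(key: bytes, content: bytes) -> str:
    """HMAC-SHA256 of the content; unforgeable without the key."""
    return hmac.new(key, content, hashlib.sha256).hexdigest()


def build_manifest(records: dict, key: bytes = KEY) -> dict:
    """Snapshot taken while the system is in a known-good state."""
    return {name: fingerprint(key, data) for name, data in records.items()}


def check_integrity(records: dict, manifest: dict, key: bytes = KEY) -> dict:
    """Compare the current records with the manifest and report every difference."""
    report = {"modified": [], "missing": [], "unexpected": []}
    for name, expected in manifest.items():
        if name not in records:
            report["missing"].append(name)
        elif not hmac.compare_digest(fingerprint(key, records[name]), expected):
            report["modified"].append(name)
    report["unexpected"] = sorted(set(records) - set(manifest))
    return report


def is_clean(report: dict) -> bool:
    return not any(report.values())


if __name__ == "__main__":
    # constructed "files": name -> content
    good = {"config.ini": b"debug=false\nadmin_port=8443\n", "app.bin": b"\x7fELF\x02\x01\x01" + b"\x00" * 9}
    manifest = build_manifest(good)
    print("baseline clean:", is_clean(check_integrity(good, manifest)))
    later = dict(good)
    later["config.ini"] = b"debug=true\nadmin_port=8443\n"   # unauthorized modification
    del later["app.bin"]                                      # deletion
    later["extra.sh"] = b"echo hello\n"                       # insertion
    print(check_integrity(later, manifest))
```

Running the check with a different key flags every item as modified, which is the intended behaviour: a manifest is only meaningful together with the key it was built under, so losing or rotating the key means re-baselining from a trusted state.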
Availability
• Availability of information, although usually mentioned last, is not
the least important pillar of information security.
• Who needs confidentiality and integrity if the authorized users of information cannot access and use it? Who needs sophisticated encryption and access controls if the information being protected is not accessible to authorized users when they need it?
Availability
• Availability is just as important and as necessary a component of
information security as confidentiality and integrity.
• Attacks against availability are known as denial of service (DoS)
attacks.
• Natural and manmade disasters obviously may also affect availability
as well as confidentiality and integrity of information though their
frequency and severity greatly differ.
Non-repudiation
• Non-repudiation is the assurance that someone cannot deny something.
• It refers to the ability to ensure that a party to a contract or a communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated.
• In the information security context it refers to one of the properties of cryptographic digital signatures: the possibility of proving whether a particular message has been digitally signed by the holder of a particular digital signature’s private key.
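The property described in the last bullet, that only the private-key holder could have produced a signature that anyone with the public key can check, is what separates a signature from a message authentication code, which every holder of the shared key can compute. The following is an added example, not from the slides, contrasting the two. The RSA in it is a deliberately small toy built from two fixed primes (constructed values; real keys are thousands of bits long and randomly generated, and use a padding scheme), chosen only so the sign/verify relationship is visible in a few lines; the MAC side uses the standard library.

```python
"""Non-repudiation: a digital signature can be checked by anyone with the
public key but produced only by the holder of the private key, whereas a MAC
is computable by every holder of the shared key and so cannot prove who sent
a message. Added example, not from the slides. The RSA below is a toy with
small fixed primes (constructed); the MAC uses the standard library."""
import hashlib
import hmac

# --- toy RSA key pair (constructed values) ---
P, Q = 1_000_003, 999_983        # two primes; orders of magnitude too small for real use
N = P * Q                        # public modulus
PHI = (P - 1) * (Q - 1)
E = 65537                        # public exponent
D = pow(E, -1, PHI)              # private exponent, held only by the signer (Python 3.8+)


def _digest_int(message: bytes) -> int:
    """Hash the message and reduce it into the signing domain."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_exp: int = D) -> int:
    """Only a party holding D can compute this value for the message."""
    return pow(_digest_int(message), private_exp, N)


def verify(message: bytes, signature: int, public_exp: int = E) -> bool:
    """Anyone holding (N, E) can check the signature, including a third-party arbiter."""
    return pow(signature, public_exp, N) == _digest_int(message)


# --- MAC for contrast: both sender and recipient hold SHARED_KEY ---
SHARED_KEY = b"constructed-shared-secret"


def mac(message: bytes, key: bytes = SHARED_KEY) -> str:
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def mac_verify(message: bytes, tag: str, key: bytes = SHARED_KEY) -> bool:
    return hmac.compare_digest(mac(message, key), tag)


def recipient_can_fabricate(message: bytes) -> bool:
    """The recipient, holding the same key, can make a valid tag for a message the
    sender never sent, so a MAC cannot settle a later dispute about origin."""
    fabricated = mac(message)            # computed by the recipient, not the sender
    return mac_verify(message, fabricated)


if __name__ == "__main__":
    order = b"transfer 100 to account 42"     # constructed message
    sig = sign(order)
    print("signature verifies:", verify(order, sig))
    print("altered message verifies:", verify(b"transfer 900 to account 42", sig))
    print("recipient can fabricate a MAC:", recipient_can_fabricate(b"I never agreed"))
```

The MAC still gives integrity and authenticity between the two parties; what it lacks is evidence usable against one of them by a third party, which is exactly the non-repudiation of origin and emission discussed on the following slides.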
Non-repudiation
• The following types of non-repudiation services are defined in
international standard ISO 14516:2002 (guidelines for the use
and management of trusted third party services).
1. Approval: Non-repudiation of approval provides proof of who is
responsible for approval of the contents of a message.
2. Sending: Non-repudiation of sending provides proof of who sent the
message.
3. Origin: Non-repudiation of origin is a combination of approval and
sending.
4. Submission: Non-repudiation of submission provides proof that a
delivery agent has accepted the message for transmission.
Non-repudiation
5. Receipt: Non-repudiation of receipt provides proof that the recipient received the message.
6. Knowledge: Non-repudiation of knowledge provides proof that the recipient recognized the content of the received message.
7. Delivery: Non-repudiation of delivery is a combination of receipt and knowledge, as it provides proof that the recipient received and recognized the content of the message.
8. Transport: Non-repudiation of transport provides proof for the message originator that a delivery agent has delivered the message to the intended recipient.
Non-repudiation
https://www.cryptomathic.com/news-events/blog/why-banks-need-non-repudiation-
of-origin-and-non-repudiation-of-emission
NRO and NRE
• Non-Repudiation of Origin (NRO) makes a link between the message and
the sender of the message. It can provide legal evidence that a person in
fact sent the message.
• Non-Repudiation of Emission (NRE) makes a link between the sender of the message and the content of the message. It can provide legal evidence that a person sent that specific message.
• From a technical point of view, RFC 4270 (Attacks on Cryptographic Hashes
in Internet Protocols) points out that Non-repudiation is “a security service
that provides protection against false denial of involvement in a
communication”.
• Something You Know, Have, or Are, and then you can sign
– The knowledge of a unique secret (e.g. password, PIN)
– Having a unique device that no one else has (e.g. token, card)
– Being yourself (e.g. fingerprints, DNA)
Threat Scenarios…
https://www.cryptomathic.com/news-events/blog/centralized-authentication-
and-signing-for-e-government