Lecture 08

The document discusses software security, emphasizing its dual role as both a provider of security and a source of vulnerabilities. It outlines various threats, security requirements, and mitigation techniques, as well as the importance of threat modeling and understanding attacker types. Additionally, it highlights best practices for security management, including risk assessment, policy creation, and incident response.

Software Security

Introduction

What is software security?

• Understanding the role that software plays
  • in providing security
  • as a source of insecurity
• Principles, methods and technologies to make software more secure
• Practical experience with some of these
• Typical threats and vulnerabilities in software, and how to avoid them

❑ Software plays a major role in providing security, and is a major source of security problems
❑ Software security does not get much attention
❑ We focus on software security, but don't forget that security is about many things:
  ❑ People
    ❑ Human Computer Interaction (HCI)
    ❑ Attackers, users, employees, sys-admins, programmers
  ❑ Access control, passwords, biometrics
  ❑ Cryptology, protocols
  ❑ Monitoring, auditing, risk management
  ❑ Policy, legislation

Software and Security

❑ Security is about regulating access to assets
  ❑ E.g., information or functionality
❑ Software provides functionality
  ❑ E.g., on-line exam results
❑ This functionality comes with certain risks
  ❑ E.g., what are the risks of on-line exam results?
  ❑ Privacy (score leakage); modification of results
❑ Software security is about managing these risks

Software and Security

❑ Security is always a secondary concern
  ❑ The primary goal of software is to provide functionality or services
  ❑ Managing the associated risks is a derived, secondary concern
❑ Security achievement is hard to evaluate: when nothing bad happens, it is not obvious whether the security measures worked or whether nobody attacked

Threats vs Security Requirements

Each threat is the violation of a corresponding security requirement:

• Information disclosure violates confidentiality
• Tampering with information violates integrity
• Denial-of-service (DoS) violates availability
• Spoofing violates authentication
• Unauthorized access violates access control
Threat Modeling

❑ Security/risk requirements analysis
❑ A first step, not just for software
❑ Identify assets and stakeholders
❑ Consider the architecture of the application and its environment
❑ Brainstorm about known threats
❑ Define security assumptions
❑ Rank threats by risk
  ❑ risk ≈ impact × likelihood
❑ Decide which threats to respond to
❑ Decide how to mitigate these threats
  ❑ which techniques and technologies
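As an added worked example (not part of the lecture), the threat modeling steps above applied in Python to the lecture's own on-line exam results system: a constructed threat register is ranked by impact × likelihood, and every threat at or above a chosen risk threshold is paired with the mitigation techniques the lecture lists per threat category. The threats, their scores and the threshold are assumptions made for illustration, not an assessment of any real system.

```python
from dataclasses import dataclass

# Threat category -> example mitigations (the list given in the lecture's mitigation slide).
MITIGATIONS = {
    "Spoofing": ["authentication", "protect keys & passwords"],
    "Tampering": ["access control", "hashes / MACs / digital signatures", "write-once storage"],
    "Repudiation": ["logging", "audit trails", "digital signatures"],
    "Information Disclosure": ["access control", "encryption", "not storing secrets"],
    "Denial of Service": ["graceful degradation", "filtering", "increase server resources"],
    "Elevation of Privilege": ["access control", "sandboxing"],
}


@dataclass(frozen=True)
class Threat:
    description: str
    category: str      # one of the MITIGATIONS keys
    impact: int        # 1 (negligible) .. 5 (severe)   -- assumed scale
    likelihood: int    # 1 (rare) .. 5 (almost certain) -- assumed scale

    @property
    def risk(self) -> int:
        # risk ~ impact x likelihood, as in the lecture
        return self.impact * self.likelihood


def rank_threats(threats):
    """Highest risk first; ties keep register order."""
    return sorted(threats, key=lambda t: t.risk, reverse=True)


def mitigation_plan(threats, threshold):
    """(threat, mitigations) for every threat whose risk reaches the threshold, highest first.
    Threats below the threshold are accepted: the 'decide which threats to respond to' step."""
    return [(t, MITIGATIONS[t.category]) for t in rank_threats(threats) if t.risk >= threshold]


# Constructed threat register for the on-line exam results example (assumed scores).
EXAM_RESULTS_THREATS = [
    Threat("Student reads another student's score", "Information Disclosure", 4, 4),
    Threat("Student changes their own grade in the database", "Tampering", 5, 2),
    Threat("Attacker logs in as a lecturer with a guessed password", "Spoofing", 5, 3),
    Threat("Results page overloaded when grades are published", "Denial of Service", 2, 4),
    Threat("Lecturer denies having entered a grade", "Repudiation", 2, 1),
]

if __name__ == "__main__":
    for t, m in mitigation_plan(EXAM_RESULTS_THREATS, threshold=10):
        print(f"risk={t.risk:2d} [{t.category}] {t.description}: {', '.join(m)}")
```

With a threshold of 10 the plan covers score leakage (16), lecturer impersonation (15) and grade tampering (10); the overload and repudiation threats are accepted for now and should be revisited when the scores change.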

Example Techniques to Mitigate Threats

The six threat categories are those of Microsoft's STRIDE model.

❑ Spoofing identity
  ❑ authentication, protecting keys and passwords, ...
❑ Tampering with data
  ❑ access control, hashes, digital signatures, MACs (message authentication codes), write-once storage, ...
❑ Repudiation
  ❑ logging, audit trails, digital signatures, ...
❑ Information disclosure
  ❑ access control, encryption, not storing secrets, ...
❑ Denial of service
  ❑ graceful degradation, filtering, increasing server resources, ...
❑ Elevation of privilege
  ❑ access control, sandboxing, ...

Example: Email System

[Figure: diagram of the e-mail system; not reproduced in this extract]
Potential threats to the e-mail system

❑ Eavesdropping on e-mail
  ❑ Communication over the Internet is relatively easy to eavesdrop on
  ❑ Hence, the content of e-mail is by no means confidential
  ❑ Critical information can be encrypted and sent as an attachment
❑ Modifying e-mail
  ❑ Interception of the communication (e.g. between the two MTSs, the mail servers) allows an attacker to modify the e-mail
  ❑ Hence, the integrity of the e-mail is not guaranteed
❑ Spoofing e-mail
  ❑ An MTS blindly believes another MTS about who the sender of the e-mail is
  ❑ Hence, there is no guarantee about the identity of the sender
❑ Attacks against the mail servers
  ❑ The server is a "trusted software layer", making limited functionality (sending/receiving mail) available to all clients; a bug in it is reachable by every client
❑ E-mail as a channel for distributing attacks (malware, phishing links)

Possible Defenses

❑ Many other threats exist
  ❑ Privacy threat: detecting when an e-mail is read
  ❑ Repudiation of sending: the sender can deny having sent a message
  ❑ Repudiation of receiving: the receiver can deny having ever received a particular message

❑ Eavesdropping and modification
  ❑ Can be countered by cryptographic techniques (encryption for confidentiality; MACs or digital signatures for integrity)
❑ Spoofing
  ❑ Can be countered by strong authentication protocols
❑ Attacks against servers
  ❑ Can be countered by
    ❑ Careful software coding
    ❑ A clear access control model
    ❑ Strong authentication
❑ However, e-mail spam and phishing are hard to defend against
  ❑ Phishing: there are always users without security knowledge!
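As an added example (not from the lecture), the "cryptographic techniques" against modification, and the MACs listed among the tampering mitigations, shown in Python with the standard library's hmac module: two mail servers that share a key attach an HMAC-SHA256 tag to each message, so a body modified in transit or a message fabricated by someone without the key fails verification. The shared key, the message and the set of protected fields are constructed for illustration. Note what the scheme does not give: no confidentiality (an eavesdropper still reads the text; that needs encryption) and no non-repudiation (either key holder could have produced the tag; that needs digital signatures, as the repudiation bullets above say).

```python
import hashlib
import hmac
import json

# Hypothetical key shared by the two mail servers (constructed for this example; a deployment
# would provision a per-peer key through key management rather than hard-code it).
SHARED_KEY = b"example-key-shared-by-the-two-mail-servers"
PROTECTED_FIELDS = ("from", "to", "subject", "body")


def canonical(message: dict) -> bytes:
    """Serialize the protected fields deterministically so sender and receiver MAC the same bytes.
    Headers and body are covered together, so moving text between fields is detected too."""
    fields = {k: message.get(k, "") for k in PROTECTED_FIELDS}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def seal(message: dict, key: bytes = SHARED_KEY) -> dict:
    """Return a copy of the message carrying an HMAC-SHA256 tag over its protected fields."""
    tag = hmac.new(key, canonical(message), hashlib.sha256).hexdigest()
    return {**message, "mac": tag}


def verify(message: dict, key: bytes = SHARED_KEY) -> bool:
    """True only if the tag was computed with `key` over exactly these field values."""
    tag = message.get("mac")
    if not isinstance(tag, str):
        return False
    expected = hmac.new(key, canonical(message), hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == would leak how many leading characters matched.
    return hmac.compare_digest(expected, tag)


# Constructed sample message.
ORIGINAL = {
    "from": "registrar@university.example",
    "to": "student@university.example",
    "subject": "Exam results",
    "body": "Your grade for Software Security is 7.5.",
}


def demo() -> dict:
    sealed = seal(ORIGINAL)
    results = {"genuine": verify(sealed)}
    # Modifying e-mail in transit: change the grade but keep the old tag.
    tampered = {**sealed, "body": sealed["body"].replace("7.5", "9.5")}
    results["tampered"] = verify(tampered)
    # Spoofing: an attacker without the key fabricates a message and tags it with a guessed key.
    forged = seal({**ORIGINAL, "body": "You have failed the exam."}, key=b"attacker-guess")
    results["forged"] = verify(forged)
    # A message from a server that does not use the scheme at all carries no tag.
    results["unsigned"] = verify(ORIGINAL)
    return results


if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'tampered': False, 'forged': False, 'unsigned': False}
```

The receiver must treat a missing tag as a failure, not as "legacy mail": an attacker who can modify mail can also strip the tag, so an optional check protects nothing.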
Types of Attackers

▪ Amateurs
  • Script kiddies with little or no skill
  • Use existing tools or instructions found online for attacks
▪ Hackers – break into computers or networks to gain access
  • White hats – break into systems with permission to discover weaknesses so that the security of these systems can be improved
  • Gray hats – compromise systems without permission, typically without malicious intent, and may or may not report what they find
  • Black hats – take advantage of any vulnerability for illegal personal, financial or political gain
▪ Organized hackers – organizations of cyber criminals, hacktivists, terrorists and state-sponsored hackers
Internal and External Threats

[Slide content is a figure; not reproduced in this extract]
What is a Blended Attack?

▪ Uses multiple techniques to compromise a target
▪ Uses a hybrid of worms, Trojan horses, spyware, keyloggers, spam and phishing schemes
▪ Common blended attack examples
  • Spam e-mail messages, instant messages or legitimate websites used to distribute links to malware
  • DDoS combined with phishing e-mails
▪ Examples: Nimda, CodeRed, BugBear, Klez, Slammer, Zeus and Conficker
What is Impact Reduction?

Steps to take after a breach:

▪ Communicate the issue
▪ Be sincere and accountable
▪ Provide details
▪ Understand the cause of the breach
▪ Take steps to avoid another similar breach in the future
▪ Ensure all systems are clean
▪ Educate employees, partners and customers
Firewall Types

▪ A firewall controls or filters incoming or outgoing communications on a network or device
▪ Common firewall types, by what they inspect:
  • Network layer firewall – source and destination IP addresses
  • Transport layer firewall – source and destination ports, and connection state (stateful inspection)
  • Application layer firewall – application, program or service
  • Context-aware application firewall – user, device, role, application type and threat profile
  • Proxy server – filters web content requests on behalf of clients
  • Reverse proxy server – protects, hides, offloads and distributes access to web servers
  • Network Address Translation (NAT) firewall – hides or masquerades the private addresses of network hosts
  • Host-based firewall – filters ports and system service calls on a single computer operating system
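As an added example (not from the lecture), a toy packet filter in Python that shows the difference between the first two types above: network-layer criteria (source and destination networks), transport-layer criteria (protocol and port), and the connection table that makes a transport-layer firewall stateful. The addresses, rules and traffic trace are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False    # TCP SYN without ACK: a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # network-layer criteria: source / destination networks
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # transport-layer criteria: protocol / destination port
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


class StatefulFirewall:
    """First-match rule list plus a connection table; anything unmatched is denied."""

    def __init__(self, rules):
        self.rules = rules
        self.established = set()   # flows whose first packet a rule allowed

    def decide(self, p: Packet) -> str:
        flow = (p.src, p.sport, p.dst, p.dport, p.proto)
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        # Stateful part: later packets and replies of an allowed flow pass without their own rule.
        if flow in self.established or reverse in self.established:
            return "allow"
        # A TCP packet that is not a SYN and belongs to no known flow is bogus (an ACK scan or a
        # forged "reply"); a stateless filter that trusts the ACK flag would let it through.
        if p.proto == "tcp" and not p.syn:
            return "deny"
        for r in self.rules:
            if r.matches(p):
                if r.action == "allow":
                    self.established.add(flow)
                return r.action
        return "deny"


# Constructed policy: inside hosts may open HTTPS anywhere; anyone may reach the mail server's port 25.
RULES = [
    Rule("allow", src="10.0.0.0/8", proto="tcp", dport=443),
    Rule("allow", dst="10.0.0.5/32", proto="tcp", dport=25),
]

# Constructed traffic trace, in arrival order.
TRACE = [
    Packet("10.0.0.7", "203.0.113.10", "tcp", 51000, 443, syn=True),   # inside client opens HTTPS
    Packet("203.0.113.10", "10.0.0.7", "tcp", 443, 51000),             # the server's reply
    Packet("198.51.100.9", "10.0.0.5", "tcp", 40000, 25, syn=True),    # external server delivers mail
    Packet("198.51.100.9", "10.0.0.7", "tcp", 40001, 22, syn=True),    # SSH probe of a workstation
    Packet("198.51.100.9", "10.0.0.8", "tcp", 443, 51001),             # forged "reply" with no flow
]


def run_trace(rules=RULES, trace=TRACE):
    fw = StatefulFirewall(rules)
    return [fw.decide(p) for p in trace]


if __name__ == "__main__":
    for p, d in zip(TRACE, run_trace()):
        print(f"{d:5s} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

The last packet is the point of the exercise: it would satisfy a stateless "allow established" rule keyed on the ACK flag, but no inside host opened that flow, so the stateful table rejects it. Real firewalls also expire table entries and track UDP pseudo-flows with timeouts, which this toy omits.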
Security Appliances

▪ Security appliances fall into these general categories:
  • Routers – can have many firewall capabilities: traffic filtering, IPS, encryption and VPN
  • Firewalls – may also have router capability, advanced network management and analytics
  • IPS – dedicated to intrusion prevention
  • VPN – designed for secure encrypted tunneling
  • Malware/antivirus – Cisco Advanced Malware Protection (AMP) comes in next-generation Cisco routers, firewalls, IPS devices, and Web and Email Security Appliances, and can also be installed as software on host computers
  • Other security devices – web and email security appliances, decryption devices, client access control servers, and security management systems
Security Best Practices

▪ Some published security best practices:
  • Perform a risk assessment – knowing the value of what you are protecting helps justify security expenditure.
  • Create a security policy – a policy that clearly outlines company rules, job duties and expectations.
  • Physical security measures – restrict access to networking closets and server locations, and provide fire suppression.
  • Human resource security measures – vet employees properly, including background checks.
  • Perform and test backups – perform regular backups and test data recovery from them.
  • Maintain security patches and updates – regularly update server, client and network device operating systems and programs.
  • Employ access controls – configure user roles and privilege levels as well as strong user authentication.
  • Regularly test incident response – employ an incident response team and test emergency response scenarios.
  • Implement a network monitoring, analytics and management tool – choose a security monitoring solution that integrates with other technologies.
  • Implement network security devices – use next-generation routers, firewalls and other security appliances.
  • Implement a comprehensive endpoint security solution – use enterprise-level antimalware and antivirus software.
  • Educate users – educate users and employees in secure procedures.
  • Encrypt data – encrypt all sensitive company data, including e-mail.
The Kill Chain in Cyberdefense

The kill chain (Lockheed Martin's Cyber Kill Chain) describes the stages of an attack on an information system; the defender's premise is that disrupting any one stage breaks the attack.
1. Reconnaissance – gathers information about the target
2. Weaponization – creates a targeted exploit and malicious payload
3. Delivery – sends the exploit and malicious payload to the target
4. Exploitation – executes the exploit
5. Installation – installs malware and backdoors
6. Command and Control – remote control through a command and control channel or server
7. Actions on Objectives – performs malicious actions or additional attacks on other devices
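As an added example (not from the lecture), two small detections in Python that map constructed connection-log records onto kill-chain stages: a port sweep from one source against one host (Reconnaissance) and a fixed-interval outbound connection from a workstation to the same external host (Command and Control beaconing). The log records, addresses and thresholds are assumptions for illustration; in a real deployment the windows would be longer and known periodic traffic such as update checks would be excluded.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection-log records: (timestamp in seconds, source, destination, destination port).
LOG = [
    # an external host probes seven ports on 10.0.0.5 within two seconds: Reconnaissance
    (100.0, "198.51.100.9", "10.0.0.5", 21),
    (100.2, "198.51.100.9", "10.0.0.5", 22),
    (100.4, "198.51.100.9", "10.0.0.5", 23),
    (100.6, "198.51.100.9", "10.0.0.5", 25),
    (100.8, "198.51.100.9", "10.0.0.5", 80),
    (101.0, "198.51.100.9", "10.0.0.5", 443),
    (101.2, "198.51.100.9", "10.0.0.5", 3389),
    # a workstation contacts the same external host about every 60 s: a Command and Control beacon
    (200.0, "10.0.0.7", "203.0.113.10", 443),
    (260.1, "10.0.0.7", "203.0.113.10", 443),
    (319.9, "10.0.0.7", "203.0.113.10", 443),
    (380.0, "10.0.0.7", "203.0.113.10", 443),
    (440.2, "10.0.0.7", "203.0.113.10", 443),
    # ordinary browsing: irregular timing, several destinations, nothing to flag
    (205.0, "10.0.0.8", "203.0.113.20", 443),
    (207.5, "10.0.0.8", "203.0.113.21", 443),
    (290.0, "10.0.0.8", "203.0.113.20", 443),
    (600.0, "10.0.0.8", "203.0.113.22", 443),
]


def detect_reconnaissance(log, min_ports=5, window=10.0):
    """(src, dst) pairs where one source touches at least min_ports distinct ports within `window` seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in log:
        by_pair[(src, dst)].append((ts, port))
    alerts = []
    for pair, events in by_pair.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding time window over the sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({port for _, port in events[start:end + 1]}) >= min_ports:
                alerts.append(pair)
                break
    return alerts


def detect_beaconing(log, min_connections=4, max_jitter=0.05):
    """(src, dst, port) triples whose gaps between connections are nearly constant, as a timer produces."""
    by_flow = defaultdict(list)
    for ts, src, dst, port in log:
        by_flow[(src, dst, port)].append(ts)
    alerts = []
    for flow, times in by_flow.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        # Coefficient of variation of the gaps: near zero means a fixed interval,
        # which human-driven browsing does not produce.
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            alerts.append(flow)
    return alerts


def classify(log=LOG):
    """Map the detections onto the kill-chain stages they indicate."""
    return {
        "Reconnaissance": detect_reconnaissance(log),
        "Command and Control": detect_beaconing(log),
    }


if __name__ == "__main__":
    for stage, hits in classify().items():
        print(stage, hits)
```

Grouping the beacon check by destination port as well as by host pair is deliberate: the port sweep also arrives at regular intervals, but spread over seven ports it never reaches four connections on one flow, so it is reported once, as reconnaissance, rather than twice.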
