ITSS 4360 Network Security Midterm

Characteristics of ransomware

-Based first on how it spreads or propagates to reach the desired targets -Then on the actions or payloads it performs once a target is reached Also classified by: •Those that need a host program (parasitic code such as viruses) •Those that are independent, self-contained programs (worms, trojans, and bots) •Malware that does not replicate (trojans and spam e-mail)•Malware that does replicate (viruses and worms)

Class of intruders , their characteristics and what they can be capable of it

-Cyber Criminals Individuals or members of an organized crime group Young hackers, often from Eastern European, Russian, or southeast Asian They meet in underground forums to trade tips and data and coordinate attacks Their goal is obtain financial reward Well equipped in hacking methodology Their activities may include: Identity theft Theft of financial credentials Corporate espionage Data theft Data ransoming -Activists Are either individuals, usually working as insiders or large group of outsider attacks Outside attackers who are motivated by social or political causes Aim of their attacks is often to promote and publicize their cause known as hacktivists Skill level is often quite low Their activities may include: Website defacement Denial of service attacks Theft and distribution of data that results in negative publicity Create compromise of their targets -State-Sponsored Organizations Groups of hackers sponsored by governments Main goal to conduct espionage or sabotage activities They are also known as Advanced Persistent Threats (APTs)• They are patient and coverted in nature to stay longer to cause extensive damage Their activities may include: They will use standard attack methodologies used by cyber criminals Usually involve targeted phishing emails followed by use of recent, known exploits Once they were in system they do following to penetrate other systems: Stick mostly to using administrator tools like normal system administrators Go to ground in a persistent, long term, and relatively quiet persist in their targets networks without their knowledge Causes much impact for months to years before discovery -Others ( classic hackers wants to show off, hobby hackers..etc.) Hackers with motivations other than those previously listed Who are motivated by technical challenge or by peer-group esteem and reputation • There is a pool of "hobby hackers" using tool kits to explore systems • They are also called Script kidde

SQL attack counter measures

-Defensive Coding Manual defensive coding practices Parameterized query insertion SQL DOM -Detection Signature based Anomaly based Code analysis -Run-time prevention Check queries at runtime to see if they conform to a model of expected queries

Password attack Vulnerabilities

-Many researchers show that people pick easy to guess passwords They are used too often, have many of them and used in many places 85% of all passwords could be trivially broken through a simple exhaustive search One of the weakest links of computer security system If password is easy, prone to attacks but people tend to forget hard password Specific account attack Popular password attack Password guessing against single user Workstation hijacking Exploiting user mistakes Exploiting multiple password use Electronic monitoring

Different type of Password Attacks

-Offline dictionary attack: Hacker obtains password file which has username and password hash. Countermeasure: Intrusion detection, Strong protection of the file, Rapid reissue of password. -Specific account attack: The attacker targets a specific account and submits password guesses. Countermeasure:account lockout mechanism, number of failed login attempts. -Popular password attack: Hackers use a popular password to get accessExample : Welcome1, qwerty..etc. Countermeasure: Stronger Passwords, IP scanning of requests. -Password guessing against single user: Hackers gets knowledge about single user account/ popular username : support, devel etc.. Countermeasure: Training employee to not share, Set minimum length; expiry, avoid popular usernames. -Workstation hijacking: The attacker waits until a logged-in workstation is unattended. Countermeasure: Automatically locking after being inactive, Intrusion detection. -Exploiting user mistakes: User writing password share with users social engineering. Countermeasure: User training, Intrusion detection, Simple password with salt. -Exploiting multiple password use: having same password for multiple sites with in company / network. Countermeasure: Use single sign on, Force users to have different password for each network. -Electronic monitoring: Remote login communication enables hacker to eavesdropping. Countermeasure: Strong encryption during travel. -Dictionary attack • Develop a large dictionary of possible passwords and try each against the password file • Each password must be hashed using each salt value and then compared to stored hash values -Brute Force Attack Tries every possible combination of characters up to a given length Trial and error method Less Efficient and requires more compute power with high compute power, it will hack all easy passwords quickly -Rainbow Attack Pre-compute tables of hash values for all salts A mammoth table of hash values Can be countered by using a sufficiently large salt value and a sufficiently large hash length Tries every possible combination of characters up to a given length -John the Ripper Open-source password cracker first developed in in 1996 Uses a combination of brute-force and dictionary techniques Used for penetration testing to verify the security level of password •

SQL Injection Attack

-One of the most prevalent and dangerous network-based security threats -Designed to exploit the nature of Web application pages -Sends malicious SQL commands to the database server -Most common attack goal is bulk extraction of data -Depending on the environment SQL injection can also be exploited to: -Modify or delete data -Execute arbitrary operating system commands -Launch denial-of-service (DoS) attacks

List of Database Attacks

-SQL injection via webpages -Inference Attack -Weak authentication, default credentials and roles -Excess privileges and privilege elevation -Database system vulnerabilities -Denial of service -Unprotected, unencrypted backups

Hypervisor Types and functions

-Software that sits between the hardware and the VMs -Acts as a resource broker -It allows multiple VMs to safely coexist on a single physical server host -Each VM includes an OS, called the guest OS -This OS may be the same as the host OS, if present, or a different one The principal functions performed by a hypervisor are: -Execution management of VMs -Devices emulation and access control -Execution of privileged operations by hypervisor for guest VMs -Management of VMs (also called VM lifecycle management) -Administration of hypervisor platform and hypervisor software

Database characteristics

-Structured collection of data stored for use by one or more applications -Contains the relationships between data items and groups of data items -Can sometimes contain sensitive data that needs to be secured -Considered as Crown Jewel of Information System

Example of social Engineering

-Tricking" users to assist in the compromise of their own systems -Spam Unsolicited bulk e-mail Significant carrier of malware Used for phishing attacks -Trojan horse Program or utility containing harmful hidden code Used to accomplish functions that the attacker could not accomplish directly -Mobile phone Trojans First appeared in 2004 (Skuller) Target is the smartphone

OS Security Layers

-User Applications and Utilities -Operating System Kernel -Physical Hardware

Malware Main types

-Virus: Malware that inserts a copy of itself into another file, typically a program. Typically is dormant while waiting for its host file to execute. Requires external transmission of the host file to propagate. -Trojan: Malware designed to breach a security system yet appear to perform some benign and maybe even useful function. Trojans do not replicate: humans are tricked into running 'em Worm: Stand-alone code that replicates and propagates itself by exploiting a software vulnerability or via social engineering. -Ransomware: Ransomware is a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid -Malicious Bot: Stand-alone code, propagates like a worm, collection of bots capable of acting in a coordinated manner.

Virtualization

A technology that provides an abstraction of the resources used by some software which runs in a simulated environment called a virtual machine (VM) -Benefits include better efficiency in the use of the physical system resources -Provides support for multiple distinct operating systems and associated applications on one physical system -Raises additional security concerns

Various attack using Denial of Service

An action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space." -DOS Attack is a malicious attempt by a single person or a group of people to cause the victim, site or node to deny service to it customers. What it does ? -Purpose is to shut down a site, not penetrate it Purpose may be vandalism, extortion or social action Attack occurs when an attacker floods a network server with traffic The attacker sends several requests to the target server, overloading it with traffic As the junk requests are processed constantly, the server is overwhelmed A form of attack on the availability of some service: Categories of services: -Network bandwidth -System resources -Application resources Classic DoS Attack: -Aim of this attack is to overwhelm the capacity of the network connection to the target organization -Traffic can be handled by higher capacity links on the path, but packets are discarded as capacity decreases -Source of the attack is clearly identified unless a spoofed address is used -Network performance is noticeably affected Source Address Spoofing: -Use forged source addresses -Usually via the raw socket interface on operating systems -Makes attacking systems harder to identify -Attacker generates large volumes of packets that have the target system as the destination address -Congestion would result in the router connected to the final, lower capacity link -Requires network engineers to specifically query flow information from their routers -Backscatter traffic - Advertise routes to unused IP addresses to monitor attack traffic SYN Spoofing: -Common DoS attack -Attacks the ability of a server to respond to future connection requests by overflowing the tables used to manage them -Thus legitimate users are denied access to the server -Hence an attack on system resources, specifically the network handling code in the operating system Flooding Attacks -Classified based on network protocol used Intent is to overload the network capacity on some link to a server -Virtually any type of network packet can be used -Attacker sends an overwhelming number of messages at your machine; great congestion -The congestion may occur in the path before your machine -Messages from legitimate users are crowded out -Usually called a Denial of Service (DoS) attack, because that's the effect. -Usually involves a large number of machines, hence Distributed Denial of Service (DDoS) attack Distributed Denial of Service(DDoS) Attacks -Use of multiple systems to generate attacks -Attacker uses a flaw in operating system or in a common application to gain access and installs their program on it (zombie) -Large collections of such systems under the control of one attacker's control can be created, forming a botnet Hypertext Transfer Protocol (HTTP) Based Attacks -Attack that bombards Web servers with HTTP requests -Consumes considerable resources -Attempts to monopolize by sending HTTP requests that never complete -Eventually consumes Web server's connection capacity -Utilizes legitimate HTTP traffic Reflection Attacks -Attacker sends packets to a known service on the intermediary with a spoofed source address of the actual target system -When intermediary responds, the response is sent to the target -"Reflects"the attack off the intermediary(reflector) -Goal is to generate enough volumes of packets to flood the link to the target system without alerting the intermediary -The basic defense against these attacks is blocking spoofed-source packets DNS Amplification Attacks -Attacker creates a series of DNS requests containing the spoofed source address of the target system -Exploit DNS behavior to convert a small request to a much larger response (amplification) -Target is flooded with responses -Basic defense against this attack is to prevent the use of spoofed source addresses

Intrusion Analysis Approaches

Anomaly detection: Involves the collection of data relating to the behavior of legitimate users over a period of time Current observed behavior is analyzed to determine whether this behavior is that of a legitimate user or that of an intruder Statistical: • Analysis of the observed behavior using univariate, multivariate, or time-series models of observed metrics Knowledge based: -Approaches use an expert system that classifies observed behavior according to a set of rules that model legitimate behavior Machine-learning: -Approaches automatically determine a suitable classification model from the training data using data mining techniques Signature/Heuristic detection: Uses a set of known malicious data patterns or attack rules that are compared with current behavior Also known as misuse detection Can only identify known attacks for which it has patterns or rules

Data Backup and Archive

Backup -The process of making copies of data at regular intervals -Performing regular backups of data is a critical control for maintaining the integrity -May be legal or operational requirements for the retention of data -Kept online or offline -Stored locally or transported to a remote site -Trade-offs include ease of implementation and cost versus greater security and robustness against different threats Archive -process of retaining copies of data over extended periods of time in order to meet legal and operational requirements to access past data

Vulnerabilities, Threats and Attacks

Categories of vulnerabilities • Corrupted (loss of integrity) • Leaky (loss of confidentiality) • Unavailable or very slow (loss of availability) Threats • Capable of exploiting vulnerabilities • Represent potential security harm to an asset Attacks (threats carried out) and Attacks Passive - attempt to learn or make use of information from the system that does not affect system resources. Eavesdropping on, or monitoring of, transmissions. Goal of attacker is to obtain information that is being transmitted. (Release of message contents, Traffic analysis) Active - attempt to alter system resources or affect their operation. Involve some modification of the data stream or the creation of a false stream. (Replay, Masquerade Modification of messages, Denial of service) Insider - initiated by an entity inside the security parameter Outsider - initiated from outside the perimeter

Three Key Objectives of Computer Security

Confidentiality Data confidentiality assures that private or confidential information is not made available or disclosed to unauthorized individuals. Privacy assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed. Integrity Data integrity assures that information and programs are changed only in a specified and authorized manner. System integrity assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system. Availability assures that systems work promptly and service is not denied to authorized users. Authenticity: The property of being genuine and being able to be verified and trusted; Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.

Various Encryption standards ( DES, AES ..etc) and it is strength and weakness

Data Encryption Standard ( DES): Goal of DES is to completely scramble the data Every bit of cipher text depends on every bit of data and every bit of key Until recently was the most widely used encryption scheme Uses 64 bit plaintext block and 56 bit key to produce a 64 bit ciphertext block Standard approved by US National Bureau of Standards for Commercial and non- classified US government use in 1993 Advanced Encryption Standard ( AES): Repeats basic DES algorithm three times using either two or three unique keysAES data encryption is a more mathematically efficient and elegant cryptographic algorithm main strength rests in the option for various key lengths AES allows you to choose a 128-bit, 192-bit or 256-bit key, making it exponentially stronger than the 56-bit key of DES. Weakness: Attacks on Symmetric Encryption: Any exposure to the secret key compromises secrecy of ciphertext A key needs to be delivered to the recipient of the coded message for it to be deciphered. Potential for eavesdropping attack during transmission of key. Keys must be distributed in secret. If a key is compromised, eavesdropper can decrypt any message, or pretend to be one of the parties. A network requires a great number of keys Asymmetric Encryption Drawbacks: Slow (~1000 times slower than the symmetric) Vulnerable to chosen-plaintext attacks Costly Maintenance Keys has to be distributed with digital signature

Example of Authentication Methods

Digital Signature: Public-key encryption can be used for authentication with a technique known as the digital signature Provides a mechanism for verifying origin authentication, data integrity A digital signature is a data-dependent bit pattern, generated by an agent as a function of a file, message, or other form of data block. It can Use of the three algorithm Public Key Certificate Public key Certificate Contains Public key User ID of the key owner Whole block signed by a trusted third party. Includes some information about the third party plus an indication of the period of validity of the certificate. certificate authority (CA) that is trusted by the user community, such as a government agency or a financial institute

Authentication security Issues

Eavesdropping: Adversary attempts to learn the password by some sort of attack that involves the physical proximity of user and adversary. Host attacks: Directed at the user file at he host where passwords, token passcodes, or biometric templates are stored. Replay: Adversary repeats a previously captured user response. Client Attacks: Adversary attempts to achieve user authentication without access to the remote host of the intervening communications path. Trojan Horse: An application or physical device masquerades as an authentic application or device for the purpose of capturing a user password, passcode, or biometric. Denial-of-Service: Attempts to disable a user authentication service by flooding the service with numerous authentication attempts.

Strength and weakness of each type of firewalls

FIREWALL TYPES Packet Filtering -Applies rules to each incoming and outgoing IP packet -Typically a list of rules based on matches in the IP or TCP header -Forwards or discards the packet based on rules match Filtering rules are based on information contained in a network packet -Source IP address -Destination IP address -Source and destination transport-level address -IP protocol field -Interface Adv: -Simplicity -Typically transparent to users and are very fast Disadv: -Cannot prevent attacks that employ application specific vulnerabilities or functions -Limited logging functionality -Do not support advanced user authentication -Vulnerable to attacks on TCP/IP protocol bugs -Improper configuration can lead to breaches Stateful Inspection: -Tightens rules for TCP traffic by creating a directory of outbound TCP connections -There is an entry for each currently established connection -Reviews packet information but also records information about TCP connections -Prevent attacks that depend on the TCP sequence number -Inspects data for protocols like FTP, IM and SIPS commands Application Gateway: -Also called an application proxy -Acts as a relay of application-level traffic -Must have proxy code for each application -Tend to be more secure than packet filters -Disadvantage is the additional processing overhead on each connection Circuit level proxy: -Sets up two TCP connections, one between itself and a TCP user on an inner host and one on an outside host -Relays TCP segments from one connection to the other without examining contents -Security function consists of determining which connections will be allowed May use application-level gateway inbound and circuit-level gateway outbound -Lower overheads -Typically used when inside users are trusted Host based Firewalls -Used to secure an individual host -Available in operating systems or can be provided as an add-on package -Filter and restrict packet flows -Common location is a server

Different types of firewall filters

Firewall Filter Characteristics -IP Address -Protocol ( TCP, UDP) -Application Protocol (SMTP, HTTP) -User Identity -Network Activity Firewall Filter - By IP Address and Protocol Values -IP Address and Protocol Values -Controls access based on the source or destination addresses -Based on port numbers -Based on direction of flow being inbound or outbound -Normally used to limit access to Specific services Firewall Filter by Application protocol -Control access on the basis of authorized application protocol -Example : SMTP email program -HTTP Web Requests Firewall Filter by User Identity -Control based on User Identity -Inside users who identify themselves using some form secure authentication Firewall Filter by Network Activity -Controls access based on the time -Controls access based on the request -Activity patterns

Malware prevention and counter measures

Four Main elements of Prevention • Policy • Awareness • Vulnerability mitigation • Threat mitigation Malware countermeasure approaches: -Patches are up to date -Appropriate Access Control -Equip users to be more aware of the social engineering attack -Closing unused ports -Change the default ports Threat Mitigation Options -Detection: Once the infection has occurred, determine that it has occurred and locate the malware. -Identification: Once detection has been achieved, identify the specific malware that has infected the system. -Removal: Once the specific malware has been identified, remove all traces of malware virus from all infected systems so that it cannot spread further.

Four strategy for OS Hardening

Hardening of the OS is the act of configuring an OS securely, updating it, creating rules and policies to help govern the system in a secure manner, and removing unnecessary applications and services. This is done to minimize a computer OS's exposure to threats and to mitigate possible risk. -White-list approved applications -Patch third-party applications and operating system vulnerabilities -Restrict administrative privileges -Create a defense-in-depth system

Assets of a Computer

Hardware Equipment is stolen or disabled, thus denying service. An unencrypted CD- ROM or DVD is stolen. Software Programs are deleted, denying access to users. An unauthorized copy of software is made. A working program is modified, either to cause it to fail during execution or to cause it to do some unintended task. Data Files are deleted, denying access to users. An unauthorized read of data is performed. An analysis of statistical data reveals underlying data. Existing files are modified or new files are fabricated. Communication Lines and Networks Messages are destroyed or deleted. Communication lines or networks are rendered unavailable. Messages are read. The traffic pattern of messages is observed. Messages are modified, delayed, reordered, or duplicated. False messages are fabricated.

Use of Hashes in Cryptograph

Hash Algorithm Application Used Alone: -File Integrity verification -Password comparison -Public Key fingerprint Combined with Encryption Functions -Message Authentication Code (MAC) -Digital signature Hash - File Integrity • Hash value should match before and after Hash - Password Comparison • Password always stored as hash value in both database and Unix Hash - Message Authentication Both Encryption and Hash in play here. Protects message integrity and authenticity

Characteristics of Hash Algorithm

Hash function creates a unique digital fingerprint of data. Digital fingerprint called digest or message digest or hash. Hash algorithm is primary used for comparison purpose not for encryption. Hash Algorithm - Characteristics -Non Reversible -Fixed Size -Has to be unique Strength of hash function depends solely on the length of the hash code produced by the algorithm

How infection starts and how that infections affects

How infections start ? -As an email attachment code is executed when opened -As an auto runfile on a USB stick -By executing a game -By visiting a website that has been compromised What Infection does ? -Steal personal information -Steal software serial numbers -Seek and disable anti-virus protection & network (no updates) -Find and modify logs -Find and maybe modify sensitive information -Erase files -Attempt to replicate and spread -Denial of Service Attack Sources -Politically Motivated attackers -Criminals -Organized crime -Organizations that sell their services to companies and Nations -National government Agencies

Basic steps for OS Hardening

Install and patch the operating system 2. Removing unnecessary services, applications, and protocol 3. Configuring users, groups, and permission 4. Configuring resource controls 5. Install and configure additional security controls( host-based firewalls and IDC) 6. Test the security of the basic operating system

Linux and Unix Security

Linux/Unix Security Patch management: -Keeping security patches up to date is a widely recognized and critical control for maintaining security -Automated patch should be configured -Monitor any new Security Patch released and keep those up to date -Periodically review the current patch inventory and identified threats agains Application and service configuration: -Most commonly implemented using separate text files for each application and service -Generally located either in the /etc directory or in the installation tree for a specific application -Individual user configurations that can override the system defaults are located in hidden "dot" files in each user's home directory -Most important changes needed to improve system security are to disable services and applications that are not required Users, groups, and permissions • Access control for owner, group, and others for each resource • Appropriate permission for critical directories and files for each user • Review the Software vulnerability that can be exploited by an attacker to gain elevated privileges • Review Software vulnerability in a network server that could be triggered by a remote attacker Remote access controls: • Several host firewall programs may be used • Most systems provide an administrative utility to select which services will be permitted to access the system Logging and log rotation: • Should not assume that the default setting is necessarily appropriate chroot jail: -Restricts the server's view of the file system to just a specified portion -Uses chroot system call to confine a process by mapping the root of the filesystem to some other directory -File directories outside the chroot jail aren't visible or reachable -Main disadvantage is added complexity

Type of Firewalls

Need for Firewalls -Internet connectivity is essential, but threat always is there -Effective means of protecting LANs Inserted between the premises network and the Internet -Used as a perimeter defense Network Firewall -Device that provides secure connectivity between networks -Used to implement and enforce a security policy for communication between networks -Firewalls can either be hardware and/or software based. -Firewalls can be composed of a single router, multiple routers, a single host system -They vary greatly in design, functionality, architecture, and cost. Firewall - Examples Software • Zone alarm • COMoDO • PeerBlock • Windows Defendor • Glasswire etc. Hardware • Cisco PIX • Juniper • Checkpoint • Barracuda • Etc.. Firewall Characteristics -All traffic from inside to outside, and vice versa, must pass through firewall -Only authorized traffic will be allowed to pass -The firewall itself is immune to penetration

Computer Security Strategy ( Four Components )

Security Policy: Formal statement of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources. Security Implementation: Involves four complementary courses of action: Prevention, Detection, Response, Recovery. Assurance: Encompassing both system design and system implementation, assurance is an attribute of an information system that provides grounds for having confidence that the system operates such that the system's security policy is enforced. Evaluation: Process of examining a computer product or system with respect to certain criteria. Involves testing and may also involve formal analytic or mathematical techniques.

Characteristics of rootkit

Set of hidden programs installed on a system to maintain covert access to that system Hides by subverting the mechanisms that monitor and report on the processes, files, and registries on a computer Gives administrator (or root) privileges to attacker Can add or change programs and files, monitor processes, send and receive network traffic, and get backdoor access on demand -Persistent Activates each time the system boots.The rootkit must store code in a persistent store, such as the registry or file system, and configure a method by which the code executes without user intervention.This means it is easier to detect, as the copy in persistent storage can potentially be scanned -Memory based Has no persistent code and therefore cannot survive a reboot. However, because it is only in memory, it can be harder to detect. -User mode Intercepts calls to APIs (application program interfaces) and modifies returned results.For example, when an application performs a directorylisting, the return results don't include entries identifying the files associated with the rootkit. -Kernel Mode Can intercept calls to native APIs in kernel mode. The rootkitcan also hide the presence of a malware process by removing it from the kernel's list of active processes. -Virtual Machine Mode This type of rootkit installs a lightweight virtualmachine monitor, and then runs the operating system in a virtual machine above it. The rootkit can then transparently intercept and modify states and events occurring in the virtualized system. -External Mode The malware is located outside the normal operation modeof the targeted system, in BIOS or system management mode, where it can directly access hardware.

Symmetric and Asymmetric Encryption and Its examples

Symmetric Encryption: The universal technique for providing confidentiality for transmitted or stored data. Also referred to as conventional encryption or single-key encryption. Two requirements for secure use: -Need a strong encryption algorithm -Sender and receiver must have obtained copies of the secret key in a secure fashion and must keep the key secure Two Types of Symmetric Encryption: • Classical -Transposition Cipher -Substitution Cipher • Modern -Data Encryption Service -3DES -AES Asymmetric Cryptography: (Public Key Encryption Structure) -first publicly proposed by Diffie and Hellman in 1976 [DIFF76] Revolutionary advance in encryption Concept: Public-key algorithms are based on mathematical functions. Public-key cryptography is asymmetric, involving the use of two separate keys. Asymmetric key cryptography uses two separate keys: one private and one public. Diffie and Hellman: Public-key encryption, first publicly proposed by Diffie and Hellman in 1976 [DIFF76] Revolutionary advance in encryption Concept: Public-key algorithms are based on mathematical functions public-key cryptography is asymmetric, involving the use of two separate keys RSA:Invented by Rivest/Shamir/Adelman (1978), First asymmetric encryption algorithm. Most widely known public key cryptosystem. Used in many protocols, security based on difficulty of factoring large prime numbers, 1024, 2048, 4096-bit keys common ECC: Elliptic Curve Cryptography Invented by N. Koblitz & V. Miller (1985) Based on hardness of elliptic curve discrete log problem Standardized by NIST, ANSI, IEEE for government, financial use Small keys: 163 bits (<< 1024-bit RSA keys)

The four means of authenticating user identity are based on:

The four means of authenticating user identity are based on: -Something the individual knows: • Password, PIN, answers to prearranged questions -Something the individual possesses (token) • Smartcard, keycard, physical key -Something the individual is (static biometrics) • Fingerprint, electronic retina, face -Something the individual does • Voice pattern, handwriting, typing rhythm

Inference Attacks

There is no actual transfer of data, but the attacker is able to reconstruct the information by sending particular requests and observing the resulting behavior of the Website/database server Include: -Illegal/logically incorrect queries: -This attack lets an attacker gather important information about the type and structure of the backend database of a Web application -The attack is considered a preliminary, information-gathering step for other attacks -Blind SQL injection: -Allows attackers to infer the data present in a database system even when the system is sufficiently secure to not display any erroneous information back to the attacker

SQL Access Control

Two commands for managing access rights: • Grant -Used to grant one or more access rights or can be used to assign a user to a role • Revoke -Revokes the access rights Typical access rights are: • Select • Insert • Update • Delete • References

Types of threats

Unauthorized Disclosure A circumstance or event whereby an entity gains access to data for which the entity is not authorized. Exposure: Sensitive data are directly released to an unauthorized entity. Interception: An unauthorized entity directly accesses sensitive data traveling between authorized sources and destinations. Inference: A threat action whereby an unauthorized entity indirectly accesses sensitive data (but not necessarily the data contained in the communication) by reasoning from characteristics or byproducts of communications. Intrusion: An unauthorized entity gains access to sensitive data by circumventing a system 's security protections. Deception A circumstance or event that m ay result in an authorized entity receiving false data and believing it to be Masquerade: An unauthorized entity gains access to a system or performs a malicious act by posing as an authorized entity. Falsification: False data deceive an authorized entity. Repudiation: An entity deceives another by falsely denying responsibility for an act. true. Disruption A circumstance or event that interrupts or prevents the correct operation of system services and functions. Incapacitation: Prevents or interrupts system operation by disabling a system component. Corruption: Undesirably alters system operation by adversely modifying system functions or data. Obstruction: A threat action that interrupts delivery of system services by hindering system operation. Usurpation A circumstance or event that results in control of system services or functions by an unauthorized entity. Misappropriation: An entity assumes unauthorized logical or physical control of a system resource. Misuse: Causes a system component to perform a function or service that is detrimental to system security.

Examples of Intrusion

Unauthorized act of bypassing the security mechanisms of a system -Remote root compromise -Web server defacement -Guessing/cracking passwords -Copying databases containing credit card numbers -Viewing sensitive data without authorization -Running a packet sniffer -Distributing pirated software -Using an unsecured modem to access internal network -Impersonating an executive to get information -Using an unattended workstation