CS687 - Introduction - Winter 2024 - NP3
CS687 Information Systems Security
HiLCoE School of CS & Technology
Outline
01 Introduction to ISS
06 Authorization/Access Control
07 Network Security
08 Firewall: Recording only, no assessment
Not Included in this Course
Risk Identification
01 Time Consuming
02 Expensive
03 Quantitative
04 Qualitative
05 Regular/Cyclical
Cyclical: the rapid growth of changes in IT, and thus in assets and the corresponding threats and controls, makes RA a cyclic process and discourages many in the industry.
Risk Assessment & Treatment (ISO27001/2)
AC:
CA:
AU: 03 Event Logging
IR: 06 Incident Handling
Risk Treatment
A. Avoid
B. Transfer
C. Mitigate
D. Accept
Residual Risk
A risk that an organization is willing to accept due to one or more of the
following reasons:
02 Software: OS, android os, ios, DBMS, applications, email servers, web servers, etc.
05 People: CEO, CIO, Teller, Clerk, Director, Manager, Secretary, Security Guard, Janitor, etc.
A. Disclosure: unauthorized access to information (Interception, Listening, Wiretapping, Inference, etc.)
B. Disruption: interruption or prevention of correct operation (Interruption, Corruption, Obstruction)
C. Deception: Falsification, Masquerade, Modification, Repudiation
… Commonly Known By
Common configuration enumeration (CCE) – a list of system security configuration issues that can be used to develop configuration guidance.
Common vulnerability scoring system (CVSS) – a scoring system that assigns a severity score to each defined vulnerability; the score is used to prioritize remediation efforts and resources according to the threat.
CVE – Example
https://www.cvedetails.com/vulnerability-list/year-2022/month-1/January.html
# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication
5 | CVE-2022-24130 | 120 | | Overflow | 1/31/2022 | 2/16/2022 | 2.6 | None | Remote | High | Not required
7 | CVE-2022-24123 | 79 | | Exec Code XSS | 1/29/2022 | 2/4/2022 | 6.8 | None | Remote | Medium | Not required
12 | CVE-2022-23990 | 190 | | Overflow | 1/26/2022 | 2/14/2022 | 7.5 | None | Remote | Low | Not required
14 | CVE-2022-23968 | 835 | | DoS | 1/26/2022 | 2/3/2022 | 7.8 | None | Remote | Low | Not required
15 | CVE-2022-23967 | 787 | | Exec Code Overflow | 1/26/2022 | 2/2/2022 | 7.5 | None | Remote | Low | Not required
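The slide says CVSS scores are used to prioritize remediation. The following added example (not from the lecture slides) shows what that looks like in practice: it parses a constructed, pipe-delimited copy of the CVE rows above, maps each score to the NVD CVSS v2 severity band (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0), and orders the records for a remediation queue. The ordering rule (highest score first, then the entry that is easier to reach: remote access, lower access complexity, no authentication required) is an assumed team policy, not something the slide prescribes; labels other than those in the table are treated as unknown and sort last.

```python
"""Rank CVE records for remediation by CVSS score and exposure.

Added example, not code from the lecture slides. CVE_ROWS is a
constructed copy of the slide's CVE table in pipe-delimited form.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed input: CVE ID | CWE | type | published | updated | score |
# gained access | access vector | access complexity | authentication
CVE_ROWS = """\
CVE-2022-24130 | 120 | Overflow | 1/31/2022 | 2/16/2022 | 2.6 | None | Remote | High | Not required
CVE-2022-24123 | 79 | Exec Code XSS | 1/29/2022 | 2/4/2022 | 6.8 | None | Remote | Medium | Not required
CVE-2022-23990 | 190 | Overflow | 1/26/2022 | 2/14/2022 | 7.5 | None | Remote | Low | Not required
CVE-2022-23968 | 835 | DoS | 1/26/2022 | 2/3/2022 | 7.8 | None | Remote | Low | Not required
CVE-2022-23967 | 787 | Exec Code Overflow | 1/26/2022 | 2/2/2022 | 7.5 | None | Remote | Low | Not required
"""


@dataclass(frozen=True)
class VulnRecord:
    cve_id: str
    cwe_id: int
    vuln_type: str
    published: str
    updated: str
    score: float
    gained_access: str
    access_vector: str
    access_complexity: str
    authentication: str


# Lower rank = more exposed. Only labels that appear in the table are
# listed (an assumption of this example); anything else sorts last.
VECTOR_RANK = {"Remote": 0}
COMPLEXITY_RANK = {"Low": 0, "Medium": 1, "High": 2}
AUTH_RANK = {"Not required": 0}
UNKNOWN_RANK = 9


def parse_rows(text: str) -> List[VulnRecord]:
    """Parse pipe-delimited rows, rejecting malformed or out-of-range scores."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 10:
            raise ValueError(f"line {lineno}: expected 10 fields, got {len(fields)}")
        score = float(fields[5])
        if not 0.0 <= score <= 10.0:
            raise ValueError(f"line {lineno}: CVSS score out of range: {score}")
        records.append(VulnRecord(fields[0], int(fields[1]), fields[2], fields[3],
                                  fields[4], score, fields[6], fields[7],
                                  fields[8], fields[9]))
    return records


def severity_band(score: float) -> str:
    """NVD severity band for a CVSS v2 base score."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def exposure_key(r: VulnRecord) -> Tuple[int, int, int]:
    """Tie-breaker: how easily the weakness can be reached."""
    return (VECTOR_RANK.get(r.access_vector, UNKNOWN_RANK),
            COMPLEXITY_RANK.get(r.access_complexity, UNKNOWN_RANK),
            AUTH_RANK.get(r.authentication, UNKNOWN_RANK))


def prioritize(records: List[VulnRecord]) -> List[VulnRecord]:
    """Highest score first, then most exposed, then CVE ID for a stable order."""
    return sorted(records, key=lambda r: (-r.score, exposure_key(r), r.cve_id))


if __name__ == "__main__":
    for r in prioritize(parse_rows(CVE_ROWS)):
        print(f"{r.cve_id}  {r.score:>4}  {severity_band(r.score):<6}  "
              f"CWE-{r.cwe_id}  {r.vuln_type}")
```

Note that two of the rows tie at 7.5 with identical exposure; the CVE ID is only a deterministic tie-breaker, and a real queue would add asset criticality or exploit availability (the "# of Exploits" column, empty in the table) as further keys.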
[2] CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') – score 46.84, rank change -1
[8] CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') – score 14.69, rank change +4
CCE – Example
CCE-20013-9 – Application object owner accounts for a specified database should be enabled or disabled as appropriate.
  Technical mechanism: (1) ALTER LOGIN
  Parameters: (1) login_name (2) enable/disable (3) default_database
CCE-19816-8 – Application object owner accounts for a specified database should be configured appropriately.
  Technical mechanism: (1) From the query prompt:
    USE [database name]
    SELECT DISTINCT u.name
    FROM sysusers u, sysobjects o
    WHERE u.uid = o.uid
      AND u.uid NOT IN ('1', '3', '4')
  Parameters: (1) set of accounts (2) database name
CCE-19517-2 – Database application permissions allowing DDL statements to modify the application schema for a specified database should be configured appropriately.
  Technical mechanism: (1)
    USE [database name]
    SELECT USER_NAME(uid), name, crdate
    FROM sysobjects
    WHERE uid NOT IN (1, 3, 4)
  Parameters: (1) list of permissions (2) set of accounts (3) database name
CCE-19147-8 – Default demonstration and sample database objects and applications should be available or removed as appropriate.
  Technical mechanism: (1) DROP DATABASE
  Parameters: (1) database_name (2) database_snapshot_name
CCE-19909-1 – Required auditing parameters for database auditing should be set appropriately.
  Technical mechanism: (1) EXEC SP_TRACE_SETSTATUS
  Parameters: (1) TraceID
CCE-19687-3 – DBMS privileges to restore database data or other DBMS configurations, features or objects in a specified database should be configured appropriately.
  Technical mechanism: (1) Use the SQL command to assign permissions to the appropriate roles
  Parameters: (1) database name
CPE – Format
https://nvd.nist.gov/products/cpe
• cpe:/<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>
• The <part> field can take on only three values: a for applications, h for hardware platforms, o for operating systems.
• Examples:
• cpe:/a:microsoft:sql_server:6.5 ➔ an application
• cpe:/h:asus:rt-n16 ➔ a hardware platform
• cpe:/o:freebsd:freebsd:3.5.1 ➔ an operating system
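To make the format concrete, here is an added example (not from the lecture slides or from NVD) that parses CPE 2.2 URIs of the layout above into named components and then answers the question a vulnerability scanner has to answer: does an advisory written against a broad name such as cpe:/a:microsoft:sql_server apply to an inventory entry such as cpe:/a:microsoft:sql_server:6.5? Two assumptions are made: trailing components may be omitted from a CPE 2.2 URI and are treated as unspecified, and the `matches` rule is a simplified form of CPE 2.2 name matching in which an unspecified component in the pattern matches any value.

```python
"""CPE 2.2 URI parsing and applicability matching.

Added example, not code from the lecture slides. Field names follow
cpe:/<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>.
Assumptions: omitted trailing components are "unspecified", and matching
is the simplified rule "unspecified in the pattern matches anything".
"""
from dataclasses import dataclass
from typing import Optional, Tuple

PREFIX = "cpe:/"
FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")
# The only three legal values of <part>, as stated on the slide.
PART_NAMES = {"a": "application", "h": "hardware platform", "o": "operating system"}


@dataclass(frozen=True)
class Cpe:
    part: str
    vendor: Optional[str] = None
    product: Optional[str] = None
    version: Optional[str] = None
    update: Optional[str] = None
    edition: Optional[str] = None
    language: Optional[str] = None

    @property
    def part_name(self) -> str:
        """Human-readable meaning of the <part> field."""
        return PART_NAMES[self.part]

    def components(self) -> Tuple[Optional[str], ...]:
        """All seven components in URI order, None where unspecified."""
        return tuple(getattr(self, f) for f in FIELDS)


def parse_cpe(uri: str) -> Cpe:
    """Split a CPE 2.2 URI into its named components.

    Raises ValueError for a wrong prefix, too many components, or a
    <part> value outside a/h/o.
    """
    if not uri.startswith(PREFIX):
        raise ValueError(f"not a CPE 2.2 URI (missing {PREFIX!r} prefix): {uri!r}")
    raw = uri[len(PREFIX):].split(":")
    if len(raw) > len(FIELDS):
        raise ValueError(f"too many components ({len(raw)} > {len(FIELDS)}): {uri!r}")
    # Empty or omitted components are unspecified; lower-case the rest so
    # vendor/product comparisons are case-insensitive (an assumption here).
    values = [c.lower() if c else None for c in raw]
    values += [None] * (len(FIELDS) - len(values))
    if values[0] not in PART_NAMES:
        raise ValueError(f"<part> must be one of a/h/o, got {values[0]!r}: {uri!r}")
    return Cpe(*values)


def matches(pattern: str, name: str) -> bool:
    """True if `name` falls within `pattern`.

    Every component the pattern specifies must equal the same component
    of the name; components the pattern leaves unspecified match anything.
    """
    p = parse_cpe(pattern).components()
    n = parse_cpe(name).components()
    return all(pc is None or pc == nc for pc, nc in zip(p, n))


if __name__ == "__main__":
    for uri in ("cpe:/a:microsoft:sql_server:6.5",
                "cpe:/h:asus:rt-n16",
                "cpe:/o:freebsd:freebsd:3.5.1"):
        cpe = parse_cpe(uri)
        print(f"{uri} -> {cpe.part_name}: vendor={cpe.vendor}, "
              f"product={cpe.product}, version={cpe.version}")
    print(matches("cpe:/a:microsoft:sql_server", "cpe:/a:microsoft:sql_server:6.5"))
```

The direction of the match matters: the advisory's name is the pattern and the inventory entry is the name, so a version-less advisory covers every version, while an advisory pinned to version 7.0 does not cover a 6.5 install.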
Exercise
  while (1)
    mkdir x;
    cd x;
  end
➔ DoS Attack
Rapid7, Burp Suite, Tripwire
Goals of Security
System integrity: refers to the proper functioning of a system according to its stated specification. This goal caters for threats such as viruses, buffer overflows, etc.
Availability
Reduce a vulnerability
A. Management: Security programs, security policy, guidelines, standards, risk assessment, …
B. Technical: Login, Encryption, Authentication protocol, Access control, Firewall, Intrusion detection system, …
C. Operational: Backup/Restore, Monitor audit trails, Account/privilege management, Monitoring and adjusting firewall, Media disposal, Patching, Awareness training, …
D. Physical/Environmental: Fences, CCTV, ID badge, dogs, fire alarms, fire sprinklers, …
Classification of Controls (2)
“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology”
Security Policy …
The email shall not be used in a way that may be interpreted as insulting, disruptive or offensive by any other person or company.
Examples of prohibited material include: sexually explicit messages, images, cartoons, or jokes; unwelcome propositions, requests for dates or love letters; ethnic, racial or religious slurs.
All email sent or received will be logged and, when considered appropriate by the company, may be opened and read by a duly authorized officer.
IT Security Standards
• Normalize/harmonize information security programs
Security Certification
1. Security and Risk Management (Security, Risk, Compliance, Law, Regulations, and Business Continuity)
2. Asset Security (Protecting Security of Assets)
3. Security Engineering (Engineering and Management of Security)
4. Communication and Network Security (Designing and Protecting Network Security)
5. Identity and Access Management (Controlling Access and Managing Identity)
6. Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
7. Security Operations (Foundational Concepts, Investigations, Incident Management, and Disaster Recovery)
8. Software Development Security (Understanding, Applying, and Enforcing Software Security)
• Compliance
• Professional ethics
Asset Security
• Protect privacy
• Appropriate retention
Security Engineering
• Network attacks
Security Operations