Cyber security for system design

Cyber Security for
System Design
Cyber Security Awareness means that you must be aware of threats and
build systems with adequate defenses
For information on the MS in Computing
thomas.Kaczmarek@mu.edu
Marquette.edu/computing

Cyber Security Horror Stories

Data Breaches: Veteran's Administration
• 26.5 million records (Name, SSN, & DoB)
• Employee took the material home

Data Breaches: Sony Pictures
• Malware Attack by hackers
• New movie release stolen ($44 million production cost)
• “Trade secrets” – schedules, plans, contacts, scripts
• Employee information
• Stolen or insider credentials

Data Breaches: Target
• Attack by hackers
• FireEye reported suspicions
• 40 million customer credit information
• 70 million emails
• $148 million
• Contractors stolen user id gave access to Target’s internal systems
• Malware loaded inside Target systems
• Other compromised computers used as data drops

Data Breaches: TJX & Heartland
• T.J. Maxx, Marshalls’ Office Max, Barnes& Noble (Credit cards)
• Heartland Payment Systems (Credit cards)
• 130 million credit cards compromised
• Surveillance of Fortune 500 companies
• Exploited vulnerabilities – SQL injection
• Sold stolen credit cards

Cyber Security Awareness
• Understand Threats and Defenses
• Encourage Personal Responsibility
• All aspects of computing
• Personal habits
• Professional habits

Insider Threats Dominate Attacks
• Insider – 55% according to IBM study
• Careless behavior
• Intentional behavior including disgruntled employee attack
• Contractor
• Hacker
• Defenses
• security strategy and regulations
• comprehensive data on user and system behavior
• advanced analytic tools
• automated incident-response.

SANS Institute
• Established in 1989
• Cooperative research and education organization
• more than 165,000 security professionals around the world
• Ranges from auditors and network administrators, to chief information
security officers
• Sharing the lessons learned and are finding solutions to the challenges
• Many security practitioners in varied global organizations from
corporations to universities
• Largest source for information security training and security certification

SANS - Top 25 Software Errors
• Insecure Interaction Between Components (6 errors)
• Risky Resource Management (8 errors)
• Porous Defenses (11 errors)

Insecure Interaction Between Components
• Improper Neutralization of Special Elements used in an SQL
Command ('SQL Injection')
• Improper Neutralization of Special Elements used in an OS Command
('OS Command Injection')
• Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting')
• Unrestricted Upload of File with Dangerous Type
• Cross-Site Request Forgery (CSRF)
• URL Redirection to Untrusted Site ('Open Redirect')

Risky Resource Management
• Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
• Improper Limitation of a Pathname to a Restricted Directory ('Path
Traversal')
• Download of Code Without Integrity Check
• Inclusion of Functionality from Untrusted Control Sphere
• Use of Potentially Dangerous Function
• Incorrect Calculation of Buffer Size
• Uncontrolled Format String
• Integer Overflow or Wraparound

Porous Defenses
• Missing Authentication for Critical Function
• Missing Authorization
• Use of Hard-coded Credentials
• Missing Encryption of Sensitive Data
• Reliance on Untrusted Inputs in a Security Decision
• Execution with Unnecessary Privileges
• Incorrect Authorization
• Incorrect Permission Assignment for Critical Resource
• Use of a Broken or Risky Cryptographic Algorithm
• Improper Restriction of Excessive Authentication Attempts
• Use of a One-Way Hash without a Salt

Takeover process
• Attack and obtain access
• Exploit a known vulnerability
• Credentials obtained by
• cracking
• social engineering
• phishing, spear phishing, clone phishing, Whaling
• Install malware/rootkit

Hacking Kits

Aircrack-Ng Suite of Wi-Fi Hacking Tools
• Airmon-Ng
• Promiscuous mode – receives all traffic
• Airodump-Ng
• Captures packets
• Aircrack-Ng
• statistical techniques (WEP)
• dictionary cracks for WPA and WPA2 after capturing the WPA handshake
• Aireplay-Ng
• Attacks such as Address Resolution Protocol injection or redirection
• Airdecap-Ng
• Decrypt wireless traffic

What are the problems?

Problems
• Poor Habits
• Personal habits of development team
• Poor Development Practices
• SDLC fails to make security a concern
• Poor Architecture
• Architectural standards do not include security concerns
• Poor Coding
• Programming standards are absent or ignored
• Poor Service Management/Service Transition and Operations
• Lack of attention, patching, monitoring and analysis

Poor Habits
Personal habits of development team

VA Breach
• 26.5 million records(Name, SSN, & DoB)
• Employee took the material home
• Don’t use actual sensitive data in a test

Personal Habits
• What you know is valuable
• What you have stored is valuable
• Protect yourself

Poor Practices
SDLC fails to make security a concern

Development cycle problems
• Rush to bring web-based products online
• Is security being considered?
• Mobile applications without security cautions
• Unique issues with mobile
• Prototyping with sensitive data
• SANS Institute
• “… small amount of security testing is done by the development team (21.6
percent) or quality assurance personnel (22.percent) – while the internal
security team accounts for most (83.2 percent) of the testing.”

An old problem
• Industry overly focused on testing and scanning
• Inspection mentality that was abandoned by most quality systems
• Application security has to be part of the early stages of the SDLC
• Teach developers how to write secure code and build secure systems

Poor Architecture
Architectural standards do not include security concerns

Biggest mistakes
• Poor threat understanding
• False reliance on perimeter protection and products (e.g., anti-virus)
• Failure to classify and protect sensitive data
• Insecure storage of Personal Identifier Information (PII)
• PII emailed as plain text
• Web folders with PII in them
• Files with PII in same web folder as the form
• Insufficient separation
• Networks, file systems, folders, etc.
• Authority

Data Breaches: TJX and Heartland
• Tools to detect compromised accounts had many false positives
• Solution: CCFinder developed
• Identifies how stolen numbers are traded
• Include stronger component in the architecture
• Also include monitoring in the architecture
• Two-factor identification
• What you have
• What you know
• What are you physical characteristics

Data Breaches: Sony Pictures
• Malware Attack by hackers
• Stolen or insider credentials
• Defenses
• Encrypt all sensitive data
• Store passwords in a separate location
• Two-factor authentication avoids stolen or insider credentials problem
• Store PII someplace separate
• Regular security checks and monitoring

Data Breaches: Target
• No two-factor identification
• Access to one system opened the door to others
• Identity and Access Management

Component Architecture Problem
• 84% of attacks occur in the application layer
• CISCO 215 Annual Security Report:
• “Application-level components built by developers are often riddled with vulnerabilities.”
04 Oct 2016 Animas OneTouch Ping insulin pump contains multiple vulnerabilities Multiple CVEs
30 Sep 2016 U by BB&T iOS banking application fails to properly validate SSL certificates CVE-2016-6550
28 Sep 2016 Aternity version 9 vulnerable to cross-site scripting and remote code
execution
Multiple CVEs
13 Sep 2016 AVer Information EH6108H+ hybrid DVR contains multiple vulnerabilities Multiple CVEs
07 Sep 2016 DEXIS Imaging Suite 10 contains hard-coded credentials CVE-2016-6532
06 Sep 2016 Dentsply Sirona CDR DICOM contains multiple hard-coded credentials CVE-2016-6530
06 Sep 2016 Open Dental uses blank database password by default CVE-2016-6531
06 Sep 2016 Fortinet FortiWAN load balancer appliance contains multiple vulnerabilities Multiple CVEs
Recent CERT Vulnerability Database Entries

Poor Coding
Programming standards are absent or ignored

Development cycle problems
• SANS Institute
• “most software developers don’t understand security”
• “… small amount of security testing is done by the development team (21.6
percent) or quality assurance personnel (22.percent) – while the internal
security team accounts for most (83.2 percent) of the testing.”

CERT division of SEI
• Study and solve problems with widespread cybersecurity implications
• Research security vulnerabilities in software products,
• Contribute to long-term changes in networked systems
• Develop cutting-edge information and training to help improve
cybersecurity.

CERT Division of the SEI:
Anticipating and Solving the Nation’s Cybersecurity Challenges
• Cyber Risk and Resilience Management
• Cybersecurity Engineering
• Digital Intelligence and Investigation
• Incident Management
• Insider Threat
• Network Situational Awareness
• Secure Coding
• Vulnerability Analysis

CERT Information for Developers
• Secure Coding Standards Research and Development
• Secure Lifecycle Solutions
• Complexity Modeling and Analysis
• Software Security Assurance Measurement and Analysis
• Supply Chain Assurance
• Survivability Analysis Framework
• Security Quality Requirements Engineering
• Software Security Engineering:
• A Guide for Project Managers

CERT Secure Coding Standards wiki.
• https://www.securecoding.cert.org/confluence/display/seccode/SEI+
CERT+Coding+Standards

Avoid unintentional truncation when using fgets() or fgetws()
#include <stdbool.h>
#include <stdio.h>
bool get_data(char *buffer, int size) {
if (fgets(buffer, size, stdin)) {
return true;
}
return false;
}
void func(void) {
char buf[8];
if (get_data(buf, sizeof(buf))) {
printf("The user input %sn", buf);
} else {
printf("Error getting data from the usern");
}
}
Copies an input string into a buffer

#include <stdio.h>
return true;
}
return false;
}
void func(void) {
char buf[8];
} else {
}
}
Copies an input string into a buffer and
assumes it captured all of the user’s input

#include <stdio.h>
return true;
}
return false;
}
void func(void) {
char buf[8];
} else {
}
}
Copies an input string into a buffer and
assumes it captured all of the user’s input
If the last character in the buffer in not a
newline and the stream is not at the end-of-
file marker, the buffer was too small to
contain all of the data from the users.

Compliant solution
#include <stdio.h>
#include <string.h>
size_t len = strlen(buffer);
return feof(stdin) || (len != 0 && buffer[len-1] == 'n');
}
return false;
}
void func(void) {
char buf[8];
} else {
}
}

Poor Service Management
Service Transition and Operations
Lack of attention, patching, monitoring and analysis

Service Transition
• Security cautions during transition
• Moving sensitive data
• Exposing sensitive data

Service Operations
• Sony Breach
• Lack of updates
• TJX and Heartland
• Digital Intelligence and Investigation analysis led to solution
• Target
• Tool in the architecture produced an alert
• Practice or policy not in place to respond
• To share or not to share
• Cybersecurity Information Sharing Act

Resources
• CERT Division of SEI
• US-CERT
• National Vulnerabilities Database
• OVAL - Open Vulnerability and Assessment Language
• SANS Institute
• InfraGard
• NIST

Cyber security for system design

More Related Content

What's hot (19)

Viewers also liked (17)

Similar to Cyber security for system design (20)

Recently uploaded (20)

Cyber security for system design