CSSLP Study Notes - Domain 3. Secure Software Design
Domain 3. Secure Software Design
Security Design Concepts
- Least Privileged: min privilege in min time necessary for operation
- Separation of Duties (Compartmentalisation): single task dependent upon two or more conditions
- Defence in Depth: single points of compromise eliminated by multiple layers of countermeasures
- Fail Secure: maintain CIA by defaulting to a secure state on failure
- Economy of Mechanisms: reduce attackability using Keep It Simple principle
- Complete Mediation: access is mediated each time, every time and cannot be bypassed or circumvented
- Open Design: implementation and design are independent, knowing the design should not result in the compromise
- Least Common Mechanisms: disallows sharing of common mechanisms to user / process at different privilege level
- Psycological Acceptability: maximizing adoption of security through ease of use and transparency
- Weakest Link: resiliency depends on the protection of the weakest components
- Leveraging Existing Components: reuse components to avoid introducing new attack surface
The Need for Secure Design
- Benefits of designing security early in SDLC:
- Resilient and recoverable software
- Quality, maintainable software that is less prone to errors
- Minimal redesign and consistency
- Identify business logic flaws
- Flaws & Bugs:
- Flaws: design and architectural defects that can result in errors.
- Flaws are broad classes of vulnerabilities
- Syntactic: syntax errors
- Semantic: logic errors
- Countermeasures:
- Architecture review
- Design review
- Attack surface evaluation
- Threat modelling
- Misuse modelling
- Bugs: coding/implementation constructs that can cause a security breach.
- A bug can be specific or architectural:
- e.g insufficient input validation, improper error and session management
- Countermeasure:
- Architecture review
- Code Review
- Pen-test
- A bug can be specific or architectural:
- Flaws: design and architectural defects that can result in errors.
Architecting Software with Core Security Concepts
Confidentiality
- During design
- Determine elements that need to be secured
- Determine what state they are in
- Determine authorised parties
- Cryptographic and masking: protect against disclosure
- Cryptographic: data in transit and at rest
- Overt: encryption, hashing
- Hashing can be deterministic (same input, same digest) or non-deterministic
- Covert: steganography, digital watermarking
- Overt: encryption, hashing
- Masking: data displayed on screen, printed forms
- Masking doesn’t use any overt crypto (encryption/decryption, hashing) or covert operations (steganography)
- Cryptographic: data in transit and at rest
- Cryptanalysis: the science of finding vulnerabilities in cryptographic protection mechanisms
- Goal: ensure attacker’s effort (work factor) is huge, makes subversion/evasion impossible, deterrent
- Work factor: attacker’s effort to breach, depend on key size
- Key: a sequence of symbols that controls the encryption and decryption operations of a cryptographic algorithm
- Key size: the length of the key used in the algorithm
- Pne-time pad: an algorithm that is provably unbreakable by brute-force attacks
- Key must be truely random
- Key must be discarded after use
- Key size equals to message size
- Goal: ensure attacker’s effort (work factor) is huge, makes subversion/evasion impossible, deterrent
- Key management life cycle:
- Generation
- Exchange
- Storage: access control needed when stored in config file or hardware security modules
- Rotation:
- Expiration for current key
- Generation, exchange and storage for new key
- Archiving
- Destruction
- Symmetric Algorithms
- Same key for encryption/decryption
- Advantages: fast, efficient for large volumn in a short period of time
- Disadvantages:
- Key exchange and Management
- Scalability: complexity n(n-1)/2
- Non-repudiation not provided
Alg | Key | Strength |
---|---|---|
DES | 56 | Weak |
Skipjack | 80 | Medium |
IDEA | 128 | Strong |
Blowfish | 128 | Strong |
3DES | 168 | Strong |
Twofish | 256 | Very strong |
AES / Rijndael | 256 | Very strong |
RC2-40 | 40 | Weak |
RC2-128 | 128 | Strong |
RC6 | 256 | Very strong |
- Asymmetric Algorithms
- Consist of a public and private key pair
- Should be computationally infeasible to derive the private key from the public key
- Provides Confidentiality and Non-repudiation
- Other benefits:
- Access control: private key is limited to one person
- Authentication: the identity of the sender is validated
- Integrity assurance: unless key pair lost, otherwise cannot decrypt and modify
- Advantages:
- Easier Key exchange and Management
- Public Key Infrastructure, through digital certificates
- Scalability: 2n
- Non-repudiation
- Easier Key exchange and Management
- Disadvantages:
- Computationally intensive
- Examples:
- RSA
- El Gamal
- Diffie-Hellman: used only for key exchange and not data encryption
- Elliptic Curve Cryptosystem (ECC): ideal for small, hardware devices, e.g smart cards, mobile
- Digital Certificates
- Current standard: ITU X.509 version 3 (X.509 v3)
- Can be used to verify the authenticity of the certificate: contains certificate of the CA
- Structure:
- Required:
- Certificate: Version, Algorithm, Serial Number
- Issuer: CA
- Valid period
- Subject: Name, Public Key: Algorithm, Value
- Optional:
- Unique ID: Issuer, Subject
- Extensions: additional certificate and policy information
- Required:
- Types of digital certificates
- Personal: identify individuals and authenticate them with the server, e.g S-Mime
- Server: identify servers, e.g TLS
- Extended Validation: improve user confidence and reduce Phishing attack threats
- Traditionally certificates only protect communication between server and client
- EV also provide assurance on the legitimaty of the resource
- Undergoes more extensive validation on owner identity before issued, addresses MITM
- Software Publisher: sign software distributed on the Internet
- Does not assure the signed code is safe for execution, only informing it’s signed by a trusted software publisher’s CA
- Digital Signatures
- Certificates holds digital signatures of the CAs that verified and issued the digital certificates
- Provides identity verification, integrity and non-repudiation
Integrity
- Protecting data from unauthorized alteration (e.g altered, deleted)
- Control the access, e.g Access Control
- Detemining if data has been altered, e.g Hashing
- Hashing
- Important to ensure collision free
- Birthday attack: brute force, two random people may have the same birthday
- Dictionary attack: brute force using an exhaustive list
- Salting: a mechanism to assure collision free, prevent pre-built dictionary
- Department of Homeland Security considers MD family as cryptographically broken, move to SHA
Hash Function | Length |
---|---|
MD2,MD4,MD5 (not completely collision free) | 128 |
SHA | 160 |
HAVAL (user can choose rounds 3-5) | 128,160,192,224,256 |
- Referential Integrity
- Normalization
- Atomic operation
- Ensure data is not left in an orphaned state
- Cascading deletes: when referer is deleted, all refered items are also deleted
- Cascading updates: when parent changes, all subsequent records are also updated
- Resource Locking
- No two concurrent operations allowed on the same object until one finishes
- Deadlock: two operations waiting for each other to release the resource lock
Availability Design
- A system being available to authorized users when appropriate
- Define what aspects need availability protection and what aspects are not sensitive
- Business Impact Analysis (BIA) can be used to determine the requirements
- The key is in determining the specifics of the availability need and expressing them in a requirement
- Backups, Data Replication
- Replication:
- Single point of failure: no redundancy capabilities
- Master-slave: master populates data, secondary is passive/inactive
- Active/Active replication: updates made on both at the same time
- Active/Passive replication: uddate made on master, replicated to slave
- Need to take care of data integrity
- Failover:
- Automatic switching from an active system to a standby (or redundant) system
- Failover vs switchover: failover is automatic, switchover is manual
- In HA, need to identify and address all single point of failures
- Scalability
- The ability to handle increasing (or growing) amount of work without degradation in its functionality or performance:
- Each copy of software/system is referred as a node
- Vertical scaling (also known as Scaling Up): more resource added to the node, i.e, db connection pool
- Horizontal scaling (also known as Scaling Out): more nodes are created
- caching improved performance, but need to be carefully designed to prevent disclosure and integrity issues
- should consider TTL setting for cache
Authentication
- The process used to verify one’s claim of identity.
- Key question: the level of assurance needed with respect to authentication.
- Whenever possible, leave authentication to established systems
- Consider SSO and multi-factor authentication
Authorization
- The process used to verify one’s claim of access to a resource.
- More complex than authentication, can be difficult to implement correctly
- Whenever possible, utilising existing capabilities in established systems
- RBAC is common in most apps
- Make sure no conflicting roles that circumvent SoD
- Attention needed on:
- Performance
- Separation of duty
- Least privilege
- Entitlement management: gives granular access control
- Authorization as a shared service: e.g micro services, cloud
- Authorization as a built-in component: e.g mobile
- Benefits:
- Centralised access control
- Cross platforms
- Risk: centralise risk at the entitlement service
Accountability
- The function of measuring specific activities.
- Basic rules:
- Include error trapping for debugging
- Protect logs
- Not to expose sensitive data in the log
- If need to log sensitive data, encrypt it
- Minimum requirement: who, what, where, when
- Should not contradict external audit regulations with log retention
- Protect the log and ensure it’s admissible in court (e.g hashing)
- Preferrably to use built-in timestamp, rather than self defined
Architecting Software
- Common software security issues:
- Improper implementation of least privilege
- Software fails insecurely
- Authentication mechanisms are easily bypassed
- Security through obscurity
- Improper error handling
- Weak input validation
- Pay attention to critical foundational elements:
- Configuration management
- Exception management
- Session management
- Notes:
- Attack surface analysis and threat model provide information as to the elements that need to be secured.
- Legacy code could be designed without secure SDLC, hence should be reviewed; all code should receive the same scrutiny.
- Interconnectivity: software, devices
- Session Management
- The management of the communication channel itself on a conversation basis
- Session management is the use of controls to secure a channel on a conversation-by-conversation basis
- Individual communications should be separately encrypted so cross-party disclosures do not occur
- Major design consideration: where to employ these methods
- Overemployment can make a system unnecessarily complex
- Underemployment leaves a system open to hijacking
- Exception Management
- The management of errors and the recording of critical information for troubleshooting efforts
- Consider the process of failures and communications associated with them
- Failures should be anticipated, and planned response mechanisms should be part of the overall system design
- A secure exception management process improves overall usability and security
- Configuration Management
- The application of control principles to the actual operational configuration of an application system
- Configuration aspect of the application needs to be considered from a security point of view
- e.g: Initialization parameters, connection strings, paths, keys, and other associated variables
- Session Management
- User Interface
- Clark and Wilson model: access triple model, subject to object access must be mediated via a program
- Disclosure protection, masking, restrict insider threats
- Consider interfaces for data access
- In-band management offers more simplicity in terms of communications
- Limitation: exposed to the same threats as the communication channel itself
- Out-of-band management interfaces use a separate communication channel
- Properly provisioned, out-of-band management allows management even under conditions where the app itself is under attack, Reduce operational risks
- Disadvantage: separate, secure communication channels need to be designed
- Creating a separate management interface for security requires additional resources
- Advantage: interface can be designed to make the best presentation of the material associated with the application
- Limitation: this information is in isolation and is not naturally integrated with other pertinent security information
- Integration into the enterprise security management system increases operational efficiency.
- API: allows interoperability
- Security Management Interfaces (SMI): configure and manage the security of the software.
- In-band interfaces: having a managed agent in computer, management controller communicates with the agent
- Out-of-Band Interface: when computer turned off or in sleep, admin can access through out-of-band, Lights Out Management (LOM)
- Available directly on motherboard, remote management card
- Notes:
- Avoid remote connectivity and administration, requiring administrators to log on locally
- Implement data protection in transit, protection measures at transport (e.g., SSL) or network (e.g., IPSec) layer
- Use least privilege accounts, RBAC and entitlement management services to control access
- Log and audit access to the SMI
- The best place for Configurable settings for logging exceptions, auditing and credential management
- Log Interfaces: environments, events, verbosity
- Should only be appended, not overwritten
- Shouldn’t design an UI that allows deletion
- Secure Design and Architecture Review
- Review needs to be conducted after design
- Take into account:
- Security policies
- Target environment
- Take into account:
- Consider design principles
- Consider network/host level protections
- Review needs to be conducted after design
Secure Design Principles
- Good Enough Security
- Security should be designed to counter the specific security issue at correct level, no excessive security is necessary
- Least Privilege
- Need-to-know: based on sensitivity level and clearance level
- Better to have many admins instead of one super user
- Modular programming: Single Responsibility Principle
- Cohesive: each module is designed to perform one operation
- Coupling: degree of dependencies between modules
- Non-administrative accounts: use data reader/writer to access DB instead of admin
- Need-to-know: based on sensitivity level and clearance level
- Separation of Duties
- All conditions need to be satisfied before operation can be completed
- eg: splitting keys
- Separation of roles in dev team: implement, review, deploy separated
- All conditions need to be satisfied before operation can be completed
- Defense in Depth
- Breach of a single vulnerability in the software does not result in complete or total compromise
- Can be used as a deterrent for the curious and non-determined attackers
- Fail Secure
- Rapidly recoverable into a normal business and secure state when failed, aims at maintaining the resiliency (i.e CIA)
- Primarily an availability design consideration
- Implies SD3: secure by design, secure by default, and secure by deployment
- Economy of Mechanisms
- Keep It Simple Stupid
- The more complex the design of the software, the more likely there is of vulnerabilities
- Refer to requirements traceability matrix to identify unnecessary functionalities
- Bells-and-whistles: unnecessary functionalities
- Considerations
- Unnecessary functionality or unneeded security mechanisms should be avoided
- Strive for simplicity
- Strive for operational ease of use
- Complete Mediation
- Access need to be mediated every time so that authority is not circumvented
- Caching can therefore lead to an increased security risk
- Identify privileged code paths
- Open Design
- Security should not be dependent on the secrecy of the design
- Security through obscurity should be avoided
- Design of protection mechanisms should be open for scrutiny by members of the community
- Least Common Mechanisms
- Mechanisms common to more than one user or process are designed not to be shared
- Psychological Acceptability
- Security mechanisms should be designed to maximize usage, adoption, and automatic application
- Are easy to use,
- Do not affect accessibility
- Are transparent to the user
- Security mechanisms should be designed to maximize usage, adoption, and automatic application
- Weakest Link
- Related concept: Single Point of Failure
- Super user can be a weak link
- Leveraging Existing Components
- Re-use of existing components rather than writing one’s own
- Benefits of reuse:
- Attack surface not increased
- Increased productivity
- Single Point of Failure
- A single failure should not result in system-wide failure.
Design Processes
Attack Surface Evaluation
- Measure the exposure in its entry and exit points.
- A representation of items available to attack, not a representation of quality.
- Determining the entry and exit points that can lead to exploits.
- Enumerate through a list of features, assign priority (Attack Bias)
- The number of modules a program is composed of does not factor directly into attack surface calculations.
- Relative Attack Surface Quotient (RASQ): relative attackability, likely opportunities for attack against software in comparison to a baseline instead of code level bugs.
- Three measurement dimensions:
- Targets and enablers: resources attacker can leverage to construct an attack, two kinds: processes and data
- Identify: number of potential process and data targets and enablers and likely opportunities
- Channels and protocols: mechanisms allowing communication between two parties
- Channel: a mean for sender (attacker) to communication with a receiver (target)
- Message-passing channel and shared-memory channel
- Protocol: the rule by which information is exchanged
- Processes: endpoints of the channel
- Identify: channel types, instances, protocols, processes, access rights
- Channel: a mean for sender (attacker) to communication with a receiver (target)
- Access rights: privileges associated with each resource, i.e CRUD
- Targets and enablers: resources attacker can leverage to construct an attack, two kinds: processes and data
- Evaluate weight of each instance of type
- chtypes = { socket, endpoint, namedpipe, nullsession }
- weight(s: socket) = 1
- weight(e: endpoint) = 0.9
- weight(n: namedpipe) = 0.8
- weight(n: nullsession) = 0.9
- pttypes = { service, webhandler, isapi, dynpage }
- weight(s: service) = 0.4 + default (s) + admin (s)
- where default (s) = 0.8 if s = default, 0 otherwise
- admin (s) = 0.9 if s = admin, 0 otherwise
- weight(w: webhandler) = 1.0
- weight(i: isapi) = 1.0
- weight(d: dynpage) = 0.6
- weight(s: service) = 0.4 + default (s) + admin (s)
- dttypes = { accounts, files, regkeys, shares, vdirs}
- weight(a: account) = 0.7 + admin(a) + guest(a)
- where admin(a) = 0.9 if a ∈ AdminGroup, 0 otherwise
- guest(a) = 0.9 if a.name = “Guest”, 0 otherwise.
- weight(f: file) = 0.7 if weakACL(f), 0 otherwise
- weight(r: regkey) = 0.4 if weakACL(r), 0 otherwise
- weight(s: share) = 0.9 if weakACL(s), 0 otherwise
- weight(v: vdir) = 1.0 if v is executable, 0 otherwise
- weight(a: account) = 0.7 + admin(a) + guest(a)
- chtypes = { socket, endpoint, namedpipe, nullsession }
- RASQ: the sum of independent contributions from a set of channels types, a set of process target types, a set of data target types, a set of process enablers, all subject to the constraints of the access rights relation, A.
- RASQ = surf_ch + surf_pt + surf_dt + surf_pe
- surf_ch = channel surface
- surf_pt = process target surface
- surf_dt = data target surface
- surf_pe = process enablers
- RASQ = surf_ch + surf_pt + surf_dt + surf_pe
- Three measurement dimensions:
- Sources:
- Microsoft list of Attack Surface Elements
- Known vulnerabilities
- A list of features
- Attack Surface Minimisation:
- A form of Least Privilege
- Determine design baseline
- Need design effort
Code Reuse
- Old code should be considered in Attack Surface Evaluation and minimisation
- Old code should be subjected to all of the same security steps and tests as new code.
Design and Architecture Technical Review
- Purpose: assess the efficacy of the SDL
- Primary function of review: ensure security activity is at desired level.
- If not, should block advancement under the SDL process until it’s properly done.
- Primary function of review: ensure security activity is at desired level.
- Review should cover:
- Security progress
- Code walkthroughs
- Design reviews
- Examination of the attack surface area
- Threat modeling documentation
- Effort is required from both development and security team
Threat Modeling
- Goal:
- Identify security objectives
- Identify threats and vulnerabilities
- Prerequisites:
- Clearly defined infosec policies and standards
- Be aware of compliance and regulatory
- A clearly defined and mature SDLC process
- A plan to act on the threat model
- Benefits:
- Design flaws can be addressed before a single line of code is written
- Reducing the need to redesign and fix security issues in code at a later time
- Challenges:
- Time consumming
- Requires a mature SDLC
- Requires training
- Deemed to be not preferential
- Not directly related to business return
Threat Modeling Process
- Define security objectives
- Sources:
- Internal company policies and standards
- Regulations, compliance and privacy requirements
- Business and functional requirements
- Can include both security and privacy
- Document business’s rationale for:
- Data collection, storage, usage
- Legal and regulatory implication
- Corporate standards
- Common mistakes
- Leaving data protection/classification to the dev team
- Examples:
- Prevention of data theft
- Protection of intellectual property
- Provide high availability
- Sources:
- Model Application Architecture
- Identify Physical Topology
- e.g: on-premise, cloud
- Identify Logical Topology (include logical tiers)
- Determine components, services, protocols, and ports, developed/configured
- Identify the identities, determine authentication: basic, SSO etc
- Identify Human and Non-Human Actors of the System
- e.g: customers, sales agents, system admins, database admins
- Identify Data Elements
- e.g: product information, customer information
- Generate a Data Access Control Matrix
- Identify the technologies that will be used in building the application
- Identify external dependencies
- Choices: UML, use cases, misuse cases, data flow diagrams
- Identify process, data stores, data flows, trust boundaries (most important)
- For large systems, breakdown to scenario-based pieces
- Document baselines: assumptions, dependencies
- Identify Physical Topology
- Identify Threats
- Identify Trust Boundaries: where trust level or privilege changes
- Identify Entry Points: items that take in user input
- Identify Exit Points: items that display information from the system
- Identify Data Flows: a graphical representation of the flow of data, the backend data storage elements, and relationships between the data sources and destinations
- Identify Privileged Functionality
- Introduce Mis-Actors: starting point of threat modelling
- Determine Potential and Applicable Threats
- Think Like an Attacker:
- Brainstorming
- Using Attack Trees: hierarchical tree, with attacker’s objective or type of attack
- Objective based:
- Lv1. objective
- Lv2, methods to achieve it
- Attack based:
- Lv1, attack vector
- Lv2, vulnerability condition
- Lv3, mitigated condition
- Objective based:
- Can use OWASP top 10, CWE/SANS top 25 as a starting point
- Use Categorized Threat Lists
- NSA IAM
- OCTAVE risk modelling
- STRIDE
- Think Like an Attacker:
- Using a threat model (e.g STRIDE) repeatedly at every elements
- Avoid issues where the application cannot control
- e.g: sysadmin intentionally violating the system
- Document the identified threats in a managed approach
- Identify, Prioritize and Implement Controls
- Priority should be afforded to any security control that exists in the enterprise.
- controls only reduce risks, not eliminate threats
- Controls need to align with the corporate
- Bug bars or bug band: qualitative bands
- Delphi Ranking: each member states a risk level without being questioned
- Members with professional expertise facilitate
- Avoid dominance influence
- Predefine ranking criteria and a list of identified threats
- May not provide a complete picture of the risk, should be used with other methods
- Average Ranking: DREAD, use smaller range, take numeric average, DREAD/5
- (D)amage Potential
- (A)ffected Users
- (R)eproducibility
- (E)xploitability
- (D)iscoverability
- only gives averaged impact, no insight into the deviation
- Probability x Impact (P x I) Ranking
- Risk = (Rvalue + Evalue + DIvalue) X (Dvalue + Avalue)
- Gives insight to both probability and impact
- Better to see where the mitigation effort should be allocated
- Mitigation types:
- Redesign to eliminate vulnerability
- Better if early in the SDLC
- Apply a standard mitigation
- Advantages:
- Known to be effective
- Applicable to many vulnerable points
- Advantages:
- Invent a new mitigation
- Riskier and more costly
- Accept the vulnerability
- Least desirable
- Redesign to eliminate vulnerability
- Threat model and mitigation are dynamic
- Using Attack Tree
- Putting attack objective as the root node
- Putting attack paths as leaves joint using logic gates
- Risk evaluation:
- Risk, Impact, Likelihood
- DREAD model
- Document and Validate
- Allocate security gates at each SDLC stage for validation
- Purpose:
- Assess the quality of threats and mitigations
- Communicate essential information across the development team
- Threat: validate the contextual relevance of impact
- Mitigation: validate the contextual relavance to threats
- Document all dependencies, assumptions
- Diagrammatic documentation provides a context for the threats
- Textual documentation allows for more detailed documentation of each threat
- Threat doc:
- Type of threat
- ID
- Description
- Threat target
- Attack techniques
- Impact
- Likelihood
- Control doc:
- ID
- Description
- Controls to implement
- Validations:
- The application architecture that is modeled (diagrammed) is accurate and contextually current (up-to-date).
- The threats are identified across each trust boundary and for data element.
- Each threat has been explicitly considered and controls for mitigation, acceptance or avoidance have been identified and mapped to the threats they address.
- If the threat is being accepted, then the residual risk of that threat should be determined and formally accepted by the business owner.
Threat Sources/Agents
- Human:
- Ignorant User
- Accidental Discoverer
- Curious Attacker
- Script Kiddies
- Insider
- Organized Cybercriminals
- Third Party/Supplier
- Malware:
- Proliferative
- Virus: infect program or host for their malicious operations
- Worm: does not require the infected victim to survive
- Stealthware: exploiting weaknesses in the operating system
- Spyware: harvest sensitive and private information
- Adware: redirecting users to marketing displays
- Trojan horse: appear to be innocuous, carry malicious payload, covert channel, e.g bot
- Rootkit: a set of programs allow maintaining to root access
- Might be deployed on purpose for law enforcement purpose
- Blended threats: show characteristics of two or more kinds of malware, e.g rootkit
- Ransomeware
- Proliferative
- Advanced Persistent Threats: leverages both human and non-human, attacks that exploit the target over a long period of time undetected, while the threat agent (malware) is in the victim’s computing environment
Architectures
- Open Systems Interconnect (OSI), ISO/IEC 7498-1:1994
- Benefits:
- Protection against architecture (flaws) and implementation (bugs)
- Common security solutions across the enterprise
- Interoperability
- Better and quicker security decisions
- Leveraging best practices
- e.g OWASP Enterprise Security Application Programming Interface (ESAPI)
- https://www.owasp.org/index.php/ESAPI_Secure_Coding_Guideline
Distributed Computing
- Client/Server
- Thin v.s thick client
- N-Tier architecture
- 1-tier: spaghetti code, unstracutred code mixed
- 2-tier: client and server, changes are difficult (i.e all-or-nothing), hard to maintain and scale
- 3-tier: presentation, business, data
- Independent changes
- Encapsulates internal markup, contract-based interafaces between tiers
- Multiple points of failure
- Cloud is an extreme case of n-tier model, SaaS, PaaS, IaaS
- Major risk: Client-side exploits
- Peer-to-Peer
- Each program has ability to act as a peer, management is not centralised, but uniformly spread among the resources.
- e.g: file sharing, instant messaging
- Considerations needed:
- Channel security: SSL, IPSec
- Data confidentiality/integrity: cryptography, hashing
- Call stack/flow security: check at various points
- Security zone: trust boundaries
- Each program has ability to act as a peer, management is not centralised, but uniformly spread among the resources.
Message Queuing
- Challenges in messaging:
- Throughput
- Delivery
- MQ uses intermediate server that mediates transmission and delivery
- Guarantee delivery
- Logging
- Security of data flow
Service Oriented Architecture (SOA)
- Distributed, modular applications that are platform neutral and have automated interfaces
- Characteristics:
- Platform Neutrality
- Interoperability
- Modularity and Reusability
- Abstracted business functionality
- Contract-Based interfaces (abstracted implementation)
- Discoverability
- Technologies:
- Remote Procedure Call (RPC), older
- Component Object Model (COM), older
- Distributed Component Object Model (DCOM), older
- Common Object Request Broker Architecture (CORBA), older
- Enterprise Service Bus (ESB)
- Web services (WS)
- REST
- Java: Java Remote Method Invocation API
- Microsoft: Windows Communication Foundation (WCF)
Enterprise Service Bus (ESB)
- A specific form of SOA
- ESB acts as
- an abstraction layer for interprocess communication services
- the conduit between all types of protocols
- Facilitates communication between mutually interacting software applications
- Enterprise Application Integration (EAI)
- Asynchronous
- Often done via a form of message queuing services
- Key characteristic: the use of a bus-based architecture
- Allows: XML, EDI, WSDL, REST, DCOM, CORBA
- ESB acts as
- Services provided by ESB:
- Protocol conversion, communication transformation
- Handling defined events
- MQ and data flow mapping
- Benefits:
- Security control can be centrally implemented
- ESB can act as the reference monitor
- Supports complete mediation
- Mediate modules exmaple:
- Authentication modules that can leverage directory services
- Authorization modules that can leverage access management software and services
- Logging modules that can be used to log message that are input into and output from the ESB.
- Availability modules that monitor capacity, network flow, etc.
- Validation modules that make sure that perform ingress and egress filtering of messages that come into or leave the ESB. It can also be used to guarantee delivery of messages.
- Cryptographic modules that provided encryption, decryption and hashing services.
- Challenges:
- single point of failure, suggested to implement defence in depth
- in ESB architecture, Security Zone and DMZ are usually not separated, suggested to have an external and internal ESB and securely bridged
Web Services (WS)
- A software system designed to support interoperable machine-tomachine interaction over a network
- Web Services Description Language (WSDL): XML-based interface description language, describes the functionality of a web service.
- Machine readable description of the interface
- Provide platform and vendor neutrality
- Performance and implementation immaturity issues can be introduced
- Originally designed with Simple Object Access Protocol (SOAP), uses XML but without security in mind, now favours REST
- Representational State Transfer (REST)
- Allow text-based access of web resources in a stateless manner
- Variant of SOA, a.k.a Resource Oriented Architecture (ROA)
- RESTful Web service
- Has a unique Resource Address or Base URI (e.g., http://isc2.org/resources/)
- Supports media type of the data supported by the Web service (e.g., XML, JSON, etc.)
- Uses HTTP Methods for its operations (e.g., GET, PUT, POST, or DELETE)
- Advantages:
- Platform/language independent
- Not strongly typed
- Doesn’t require a message header from service provider
- Faster
- No built-in security measures
- Reduces coupling
- JavaScript Object Notation (JSON), built on two data structures
- A collection of name/value pairs
- An ordered list of values
- Universal Description, Discovery and Interface (UDDI)
- By Organization for the Advancement of Structured Information Standards (OASIS)
- A universal platform-independent method for enterprises to dynamically discover web services
- Designed as a protocol-based registry through which services worldwide can list themselves on the Internet
- Only used inside organisations instead of across the world
- Appropriate applications:
- Where reliability and speed are not assured (for example, the Internet)
- Where managing the requestor and provider agents need to be upgraded at once
- Where the distributed computing components run on different platforms
- When deployment cannot be managed centrally
- When products from different vendors need to interoperate
- When an existing functionality can be wrapped using a contract-based interface and needs to be exposed over the internet
- Considerations
- Secure Messaging
- XML Encryption and XML Signature
- TLS/SSL
- Resource Protection
- Services need to be identity-aware
- Services need to identify and authenticate one another
- Identification and authentication can be achieved using token-based authentication, the SOAP authentication header, or transport layer authentication
- Contract Negotiation
- WSDL: XML based, describe service contracts and allowed operations
- Need to protect against scanning and enumeration
- Trust Relationships
- Pairwise Trust Model: each service is provided a list of other trusted services, not scalable
- Brokered Trust Model: independent 3rd party provides service information
- Federated Trust Model: trust established between two separate companies, a pre-definition of contracts, protocols and interfaces is needed. the place that maintains the trust relationship needs to be protected
- Proxy Trust Model: using perimeter defence devices, can be single point of failure
- Secure Messaging
Rich Internet Applications
- Bring the richness of the desktop environment and software onto the Web, e.g: Facebook and Twitter
- Frameworks used: AJAX, Abode Flash/Flex/AIR, Microsoft Silverlight, and JavaFX
- an architecture that can mimic desktop applications in usability and function
- Same Origin Policy:
- Prevent a resource from one source to interact with resources in another
- Orgin determined by protocol, host, port (i.e document.domain)
- Sandbox: run within broswer, restricted from accessing system resources unless explicitly granted
- RIA increases attack surface
- Client-Side Exploits or Threats
- Remote Code Execution
- Consequence of the architectural decision in which there is not a distinction between code and data
- Protections:
- Data encryption and encoding
- Determine the actual origin, not just the last referrer
Pervasive/Ubiquitous Computing
- Main objective: construct an environment where connectivity is unobtrusive
- Two elements of pervasive computing (ubiquitous computing):
- Pervasive computation: anything embedded with a chip can be a part of the network
- Pervasive communication: anything on a pervasive network can communicate with each other
- Pervasive network is heterogeneous in nature
- Trusted Platform Module (TPM) chip on the device is better than Media Access Control (MAC)
- Mobile Device Management (MDM) needs to be considered
- Required to protect against physical threats, e.g auto-erase
- Biometric is recommended over PIN-based
- Important design concepts: defence in depth, fail secure, complete mediation
- Each element needs to be self-sufficient and self-reliant for security, safety and stability
Wireless Networking and Communications
- Most wireless network configurations are with default values
- SSID cloaking: SSID is not broadcast
- The Wired Equivalent Privacy (WEP): 40-bit RC4 stream cipher for cryptographic protection, weak
- Wi-Fi Protected Access (WPA and WPA2) is recommended
- Attacks againt bluetooth: Bluesnarfing, Bluejacking, Bluebugging
- Other attacks:
- Eavesdropping
- Traffic analysis
- Wireless Address Resolution Protocol (ARP) spoofing
- Disclosure and MITM (spoofing) attacks
- Message injection or deletion
- Jamming
- Constant Connectivity: everything is always connected
- Location Based Services (LBS)
- Geofencing: the triggering of an action as a mobile device crosses a boundary
- Developers must ensure:
- User is notified of being potentially tracked
- User consent is obtained before leveraging location tracking functionality
- Software should be designed to allow toggle of location tracking
- Examples:
- Global Positioning Systems (GPS)
- Geographic Information Systems (GIS)
- Network-based Position System
- Control plane location
- Global Subscriber Module (GSM)
Radio Frequency Identification (RFID)
- Battery assisted tags (BATs) (Active)
- Magnetic field powered tags (Passive)
- Must ensure:
- Anonymity: preventing unauthorized identification of users
- Unlinkability: preventing unauthorized tracing of tags and linking their communication
- Location privacy: preventing unauthorized access to user-profile data
Near Field Communication (NFC)
- NFC: a wireless short-range communications technology for closerange/contactless transactions
- Threats:
- Message interception and manipulation
- Man-in-the-Middle (MITM)
- Eavesdropping (low possibility due to shortrange)
- Mitigation:
- Establish a secure channel
- End-points must be validated for their authenticity
Sensor Networks
- Challenges:
- Limited power and storage
- Unreliable connection
- Physical thefting
- Key considerations:
- Data disclosure
- Alteration
- Time synchronisation
- Most notable threat: availability
- Threats:
- Node takeovers
- Addressing (routing) protocol attacks
- Eavesdropping
- Traffic analysis
- Spoofing
- Sybil attack: a rogue device assumes different identities of a legitimate sensor node
- Best practices:
- Physical security protections
- Change default configurations
- Do not broadcast SSID
- SSL/TLS
- Use a shared-secret authentication mechanism to keep rogue devices from hopping onto your network
- Use device-based authentication for internal application on the network
- Use biometric authentication for user access to the device, if feasible
- Disable or remove primitive services, e.g Telnet, FTP
- Auto-erase capability
- Regular audit and monitoring
Mainframe Architecture
- Capable of bulk data processing with great computation speed and efficiency
- Speed meansured in Millions of Instructions Per Second (MIPS)
- Evaluation Assurance Level of 5, highest
- Avoid rewriting applications, mainframe Job Control Language (JCL), and network infrastructure scripts
- Challenge: people skilled in the operational procedures and security reducing
Mobile Applications
Architecture
- Frontend, middleware and backend
- Thick clients: “rich” clients, business/data layer on the frontend
- Thin clients: business/data layer on backend
- Components:
- Client Hardware (Cellular, GPS, Sensor, Touch Screen, Camera, etc.)
- Client Software (Operating System, VM runtime, Mobile Application, etc.)
- Interfaces (NFC, RFID, 802.11x, Bluetooth, etc.)
- Endpoints (App Stores, Web sites/services, Corporate, etc.)
- Carrier Networks (Voice, Data, SMS, etc.)
- Data Storage (Local, Cloud, Flash, Removable, etc.) and
- Data Transmission
- Types:
- Native apps: installed on the client device
- Limited to no connectivity to the backend
- Browser based apps: web based mobile applications
- Installed on the client device
- Similar to traditional desktop web applications
- Rich Internet mobile apps: deployed on the client but leverage the backend
- A service layer that is usually implemented using SOAP or REST
- Hybrid apps: blend between native apps and browser based
- App itself hosts a browser, user interacts with the browser in the native app
- Native apps: installed on the client device
- Mobile OS: understand and be familiar with the inherent security capabilities and weaknesses
- iOS: a multi-tasking feature known as backgrounding, iOS takes a screenshot of the application before minimizing it to run in the background. However, when this occurs, it is important to ensure that no sensitive data that is presented on the screen is captured in the screenshot.
Security in Mobile Applications
- Information Disclosure: predominant security concern
- Lost or Stolen Devices
- Important to design in remote wipe
- Insecure Data Storage in Local or Cloud Databases
- Mobile local storage not as mature as desktop
- Cloud, lack of data separation/remanence
- No sensitive data should be stored unprotected
- Must not be stored indefinitely
- Insufficient Protection of Data Transmission
- Lack of end-to-end/data-in-motion protection
- Broken Cryptography:
- Custom cryptography
- Hardcoding of keys
- Recommended to use platform provided encryption APIs
- For key management, secure containers should be used
- Lost or Stolen Devices
- Side Channel Data Leakage: sensitive data disclosed from unintended locations
- e.g web caches, temporary directories, log files, screenshots
- Threat agents: iOS backgrounding, jail break, keylogging
- Mitigation:
- Cache encryption
- Anti-caching directives
- Communication channel audits
- Avoid logging credentials
- Remove sensitive information before app transition
- Disable field keystorke logging
- Debug the app to understand file operations
- Reverse Engineering (Decompilation, Debugging, Disassembly):
- Mitigation:
- Code obfuscation
- Avoid hardcoding sensitive information
- Mitigation:
- Mobile DoS/DDoS
- Transferring tools to mobile is easy:
- Low Orbit Ion Cannon (LOIC) made into a PUP (Potentially Unwanted Program) easily
- Taking advantage of Carrier Network
- e.g, Android.DDoS.1.origin: a malware disguised as a legitimate Google Play app, backend controlled by a hacker, instruction received through SMS, configuration identified and packets sent, crashing the device and flooding the network
- Push Notification flooding attack/fake update attack
- Transferring tools to mobile is easy:
- Broken Authentication
- Root cause: insecure design and insecure code
- e.g: basic auth, cleartext password, spoofing of unique IDs.
- Universally Unique Identifiers (UUIDs)
- International Mobile Equipment Identification (IMEI), physical device
- International Mobile Subscriber Identification (IMSI), SIM card
- Mitigation:
- Encrypt credentials
- Layered auth checking
- Avoid using easily spoofable data as authenticator
- Re-auth often if needed
- Complete mediation
- Do not ingnore certificate validation warnings
- Bypassing Authorization
- URL crafting to open another app
- Insecure payment card storage
- Circumventing licensing check
- Must modally check permission at input boundaries
- Improper Session Management
- MITMo: intercept and replay session tokens in the mobile, sometimes leverage malware
- Mitigation:
- Data/session protection
- Least privilege
- Transaction verification (i.e user receives a unique code through an out-of-band channel to verify the transaction)
- Avoid using device ID as auth token
- Implement session token revocation
- Client-Side Injection
- Unlike the conventional injection flaw, code is submitted to the client, instead of the server
- Can be thought of as a variant of the Web DOM-based Cross-Site Scripting (XSS)
- Mitigation:
- Input validation (primary)
- Use cloud storage
- Utilised libraries for input validation
- Use prepared statements/stored procedures
- Check runtime errors/exploits
- Jailbreaking and Sideloading
- Jailbreaking: exploits vulnerabilities in the OS, tampered so that unauthorised apps can be installed, for closed source OS
- Sideloading: for open source OS, can be done through configuration
- Risks:
- Decreased Stability
- Voided Warranty
- Bricked Device
- Lock-Out from official store, Cydia: an alternative to the Apple App Store
- Loss of trust
- Should prevent jailbroken device to access infrastructure
- If need jailbreak, need to change root password
- Mobile Malware
- SDK simplifies malware making
- Exploits used to jailbreak can also install rootkit
- e.g: Ikee worm, Duh malware
- Trojans can disguise itself
- Jailbroken devices are more susceptible to attacks
Secure Development Guidelines and Design Principles
- Smartphone Secure Development Guidelines for App Developers: European Network and Information Security Agency (ENISA)
- Identify/protect sensitive data on the mobile device
- Handle password credentials securely on the device
- Ensure sensitive data is protected in transit
- Implement authentication/authorization and session management correctly
- Keep the backend APIs and the platform secure
- Secure data integration with 3rd party services/applications
- Pay attention to the consent for the collection/use of user’s data.
- Implement controls to prevent unauthorized access to paid resources (e.g., wallet, SMS, calls)
- Ensure secure distribution/provisioning of mobile applications
- Carefully check any runtime interpretation of code for errors
Integration with Existing Architectures
- Façade programming makes integration with existing architecture possible
- Need to determine backward security compatibility
Cloud Computing
- NIST definition: cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
- Drivers
- Primary driver: cost savings
- Interoperability
- Multi-tenancy
- Device independence
- Portable services
- Measurable usage
- Benefits:
- Reduced Cost
- Reduced Time to Market
- Integrity of Software Versions
- Characteristics:
- On-demand self-service: provision without provider’s interaction
- Broad network access: high connectivity
- Resource Pooling: shared resource pool
- Rapid Elasticity: dynamically provisioned
- Measured Service: automatically monitored and charged
- Types of cloud
- Public cloud: provided to multiple tenants, tenants have little to no control on infrastructure, platform, software
- Advantages: reduced upfront cost, easy to scale, no maintenance cost
- Disadvantages: lack of control
- e.g: Amazon Elastic Cloud Compute service, Google AppEngine, IBM Blue Cloud, Sun Cloud
- Private cloud: provided to a single tenant, usually internal to a company, managed by the company
- Advantages: max control over resource
- Disadvantages: difficult to scale, upfront cost, setup time
- Community cloud: multi-tenancy for related entities, tenants have common requirements
- Share the advantages and disadvantages of both public and private cloud
- Hybrid cloud: combines two or more of the above, assurance mechanism can be granuarly managed
- Public cloud: provided to multiple tenants, tenants have little to no control on infrastructure, platform, software
- Service Models
- Primary service models
- SaaS: data hosting, software applications
- a.k.a: web-based software model, on-demand model, hosted software model
- Distinction to traditional approach: software owned/maintained by publisher
- Data security is a legitimate issue in SaaS
- PaaS: operating systems, middleware, runtime
- A selected collection of elements into a designed solution stack for a specific problem. This may include apps, databases, web services, storage, and other items that are offered as a service.
- IaaS: networking equipment, storage, servers, virtual machines
- A form of cloud computing that offers a complete platform as a provisioning solution to a computing need
- a customer can deploy and operate arbitrary software across a cloud-based platform without worrying about the specifics of the environment
- SaaS: data hosting, software applications
- Multi-tenancy: one code to serve all customers, centralised administration, centralised responsibility and control
- Primary service models
Security in Cloud Computing
- Data Disclosure, Loss and/or Remanence (Primary threat):
- Including data leakage and loss
- Data owner is the tenant
- Data custodian is the provider
- Ideally, sensitive data shouldn’t be stored in public, community, hybrid cloud. If have to, the data need to be encrypted
- Cryptographic agility: ensures the algorithm can be easily changed when needed
- Data remanence when resource re-provisioned to another tenant
- Need Data Loss Prevention, Media Sanitisation
- Unauthorized Access:
- Next only to Confidentiality
- Data to one tenant should not be accessible to another tenant
- Brewer & Nash (Chinese wall model): no information can flow between parties that result in a conflict of interests
- SSO needs to be implemented with security in mind
- Mitigations: ACL and system hardening
- Man-in-the-Middle and Traffic Hijacking:
- Due to the fact that data owner doesn’t control the infrastructure, platform and software
- Mitigations: strong password rules/management, secure user/session management
- Insecure and Proprietary API:
- Understanding the APIs and the dependency chain of the APIs
- Consider the use of non-standard APIs, avoid vendor dependency/lock-in
- Perform a ROI analysis before using the APIs
- Service Interruptions:
- Centralisation introduced a single-point-of-failure
- Need to understand the SLA, growing data needs, redundancy, backup, max downtime
- Malicious Personnel (Insiders):
- Should always know the risk profile of the provider: processes, technologies, people, administrative controls
- Control over financial reporting:
- Statement on Auditing Standards No. 70 (SAS 70): an audit usually used for control over financial reporting.
- Being replaced by Statement on Standards for Attestation Engagements (SSAE) No. 16, a.k.a Reporting on Controls at a Service Organization
- Statement on Auditing Standards No. 70 (SAS 70): an audit usually used for control over financial reporting.
- Control over financial reporting:
- Cloud Control Matrix, by Cloud Security Alliance (CSA):
- Provide fundamental security principles to guide cloud service providers of the needed controls.
- Risk based approach to address cloud threats and vulnerabilities
- Can be used by tenants as a common criteria/framework when assessing cloud providers
- Mitigation: identity management, auditing, training
- Useful skills for development staff:
- Contract negotiation
- Supplier risk assessment
- Secure development
- Secure operation
- Should always know the risk profile of the provider: processes, technologies, people, administrative controls
- Cloud Abuse:
- Leveraging the cloud for unintended purpose
- e.g DDoS, propagating malware, piracy, reverse-crypto
- Mitigation: determine norm and monitor
- Leveraging the cloud for unintended purpose
- Nefarious Use of Shared Computing/Technology Resources:
- Cloud Security Alliance’s “Top Threats to Cloud Computing”, “Notorious Nine”
- e.g: cracking and/or malicious software, hypervisor exploits
- Cloud bursting: private burst to public, make it a hybrid cloud, maybe caused due to workload demand
- Cloud isolation is used to prevent IP/MAC spoofing
- Secure communication between public and private clouds
- Hardening, sandboxing
- Insufficient Due Diligence / Unknown Risk Profile:
- Must understand the contractual terms, enforcement, liability coverage, risk profile of provider
- Cloud service provider’s internal working processes should be transparent to the tenant
Challenges
- Primary challenge: enforceability of governance, regulations, compliance and privacy (GRC+P)
- Shared: assurance responsibilities, liability(more on the tenants)
- Tenants: appropriate level of controls, effective operation for protection
- Best practice:
- Establishing enforceable contracts
- Periodic assessment
- Continuous monitoring
- Conduct verification on the provider’s claims
- Cyberforensics:
- Collection of physical evidence from cloud virtual environment, due to rapid elasticity
- No full understanding of infrastructure, content and IDS logs on both the tenant and provider must be taken into account
- Visualisation of physical/logical data location might be necessary
- Partnership between government and industry might be needed
Technologies
- Holistic security: security for interconnected systems, people, process, technology
- Security Support Provider Interface (SSPI)/Generic Security Service API (GSSAPI): an implementation of the IETF RFCs 2743 and 2744
- Abstract authentication calls
- Support interoperability
- Include protocols to negotiate the best security protocol (SPNEGO), delegate (Kerberos), securely transmit (SChannel)
- Protect credentials using hashes (Digest)
Identity Management
- Identity Management (IDM): the combination of policies, processes and technologies for managing digital identity information.
- Who or what is requesting access?
- How are they authenticated?
- What level of access can be granted based on the security policy?
- IDM life cycle:
- Provisioning:
- Creation of digital identities
- Entitlement: the privileges in an application
- Roles: a set of entitlements
- Extends RBAC, consolidate individual system entitlements into fewer business roles
- Management
- Renaming
- Addition/Removal of roles, Rights and Privileges
- Changes in regulatory requirements and policies
- Auditing access requests
- Synchronisation of multiple identities for access to multiple systems
- Maintaining history (important for non-repudiation)
- De-provisioning
- Termination Access Control (TAC)
- Some may require deactivation to be the only option, instead of delete, can pose a threat
- Deactivated accounts should be archived and maintained offline
- Companies are required to provide auditable evidence for effective access control
- SarbanesOxley (SOX) 404 section mandates annual review
- Access certification: business engagement in reviewing and approving access entitlements
- Termination Access Control (TAC)
- Provisioning:
- Common technologies for IDM:
- Directories: the repository of identities
- Lightweight Directory Access Protocol (LDAP): replaced X.500 protocol
- e.g: IBM (Tivoli), Sun ONE, Oracle Internet Directory (OID), Microsoft Active Directory, Novell eDirectory, OpenLDAP, Red Hat Directory Server
- Metadirectories and Virtual Directories
- Propagation and Synchronisation of identity changes
- Simplifies administration
- Shortfall: no interface, give rise to virtual-directory (provides a service interface)
- Virtual directories provide more assurance than metadirectories, function as gatekeepers for compliance
- e.g: Human Resources (HR), Customer Records Management (CRM) systems, Corporate Directory, Microsoft Identity Lifecycle Management
- Directories: the repository of identities
- Identity management reduces risks:
- Consistently automating, applying and enforcing identification, authentication, and authorization security policies
- De-provisioning identities to avoid lingering identities past their allowed time
- Mitigating the possibility of a user or application gaining unauthorized access to privileged resources
- Supporting regulatory compliance requirements by providing auditing and reporting capabilities
- Leveraging common security architecture across all applications
- Federated ID systems: allows user to connect through a known system, e.g Facebook login to another system
- Two main aspects:
- Relying party (RP)
- Identity provider (IdP)
- A trust relationship exists between RP and IdP
- Two main aspects:
OpenID and OAuth
- OpenID: created for federated authentication (authentication)
- Allow a third party to authenticate your users by using accounts that user already has
- Enables websites or applications (consumers) to grant access to their own applications by using another service or application (provider) for authentication
- Can use without pre-arranged IdP-RP trust relationship
- Define universal identifier
- Allow a third party to authenticate your users by using accounts that user already has
- OAuth: created so that users don’t need to share their passwords with third party applications (authorisation)
- Pre-arranged IdP-RP trust relationship required
- Access to key user groups
- Common part:
- Achieves SSO attribute transfer with trust relationship
- Access to broad user populations
- Leverage UX and account-linking best practices
- Difference:
- OpenID is limited to “this is who I am” assertion
- OAuth provides an access_token that can be exchanged for any supported assertion via an API
Credential Management
- Process:
- Generation
- Storage
- Synchronisation
- Reset
- Revocation
- Password Management
- Passwords should be complex
- Passwords should not be hard coded
- Passwords should be encrypted when stored
- Remembering password is not a good security practice
- Ask for old password to reset to a new one
- Password change synchronisation, e.g SSO
- Password reset request needs to be validated
- Passwords should have expiry dates, enforce One-Time Passwords (OTP)
- Lightweight Directory Access Protocol (LDAP) can be used to enforce policies and manage passwords
- X.509 Credentials
- X.509: a series of standards associated with the manipulation of certificates used to transfer asymmetric keys between parties in a verifiable manner
- A digital certificate binds an individual’s identity to a public key
- Registration Authority (RA): verifies an individual’s identity
- Certificate Authority (CA): generates digital certificate
- PKIX: Public-Key Infrastructure (X.509)
- A secure PKI solution requires
- CA
- RA
- Certificate revocation mechanism
- Either Certificate Revocation List or Online Certificate Status Protocol
- Certificate Management
- Can be used for authentication
- Public Key Infrastructure (PKI)
- Manages the generation and distribution of public/private key pairs
- Publishes the public keys as certificates
- Registration Authority (RA): a verifier for the CA before a digital certificate is issued by the CA to the requestor.
- Certificate Authority (CA): trusted entity that issues the digital certificate that holds the public key and related information of the subject.
- Revocation:
- CA publishes the Certificate Revocation Lists (CRLs) (certificates revoked by the CA)
- Validite public key of CA (CA has its own certificate, self-signed i.e subject same as authority) against CA’s CRL
- PKI management:
- Creation of public/private key pairs
- Public key certificate creation
- Private key revocation and listing in CRL when the private key is compromised
- Storage and archival of keys and certificates
- Destruction of certificates
- PKI gives:
- Inter-company trust
- Enforcement of restrictions on usage
- X.509 gives strong authorisation capabilities
- Privilege Management Infrastructure (PMI):
- X.509 attribute certificates
- Attribute authorities
- Target gateways
- Authorization policies
- Can define user access privileges among multiple apps and vendors
- Privilege Management Infrastructure (PMI):
- Single Sign On (SSO)
- SSO usually implemented together with Kerberos and Secure Assertion Markup Language (SAML)
- Kerberos:
- User authenticate -> Ticket Granting Server (TGS) gives Ticket Granting Ticket (TGT)
- User access to app -> TGT to TGS -> TGS returns a ticket specific to app
- Tickets saved in ticket cache in the local system
- Can also be used within the same domain of TGS/TGT, primarily used for intranet, easier than SSO in internet
- SAML (WS-Security specification recommended):
- Allows auth in one domain and use resources in another
- Primarily for web-based environments
- Exchanges authentication and authorisation data, user profile etc
- Authorisation decisions:
- SAML tokens are the de-facto means for SOA
- OASIS eXtensible Access Control Markup Language (XACML) can also be used as an alternative
- Federation (key concept): extends SSO across enterprises
- An individual can log into one site and access services at another affiliated site, mainly for convenience
- Primary objective: user convenience
- Need legal protection between enterprises
- Three primary protocols before SAML 2.0
- OASIS SAML 1.0: B2B
- Liberty Alliance ID-FF 1.1 and 1.2: B2C
- Shibboleth: education institutes that required anonymity in feberation
- Fast Identity Online (FIDO) Alliance:
- To address the lack of interoperability among strong authentication devices
- To alleviate the problems of multiple usernames and passwords
- To develop an open, scalable and interoperable specification with less reliance on passwords
- Proposed FIDO-enabled BYOD to attest tokens that are discovered dynamically at the end-points
- An individual can log into one site and access services at another affiliated site, mainly for convenience
- SAML 2.0:
- Open standard for web-based SSO service
- Reduced complexity, removed protocol negotiation, mapping and translation
- SSO considerations:
- Establish trust between entities
- Single point of failure
- A source for DoS
- Deployment and integration cost can be excessive
Flow Control
- Firewalls (network layer firewalls) separate internal/external sub-networks
- Security policy enforcer at perimeter
- Limitation: governed by network architecture
- Packet Filtering (1st gen)
- Content-based filtering, stateless, check headers but not payloads
- Commonly implemented using Access Control Lists (ACLs)
- Independent, scalable, faster, provides little security, defenseless against malware
- Proxy (2nd gen)
- Middleman between internal trusted networks and the outside untrusted
- Don’t allow direct connection between untrusted and trusted systems
- Stateful (3rd gen)
- Track dialog, maintain a state and data context
- Not as resource intensive
- Usually transparent to the user
- Application Layer (Trendy)
- Application Level Firewall uses information gathered at application level to make decisions
- Intercept data and examine for malicious content
- Contain/terminate on threat detection, or redirect to honeypot
- PCI DSS Req 6.6: either have a (web) application firewall or perform application code reviews
- Middleware
- Facilitate communication/flow between components
- Counters single point of failure
- Queuing Infrastructure and Technology
- Prevent network congestion
- Microsoft Message Queuing (MSMQ)
- Oracle Advance Queuing (AQ)
- IBM MQ Series
Auditing (Logging)
- Required by Sarbanes Oxley (SOX), HIPAA and PCI DSS, EOC
- Log location
- Local: simeple, quick, but implies another log to secure and to integrate
- Incident response usually follows Auditing.
- Examine logs across applications for user events and activities
- Deciding what to log:
- When and what information is needed
- When security is needed for the logged information
- Important:
- Log consolidation
- Time synchronisation
- Logs need to be protected (stored/in transit), admin/users shouldn’t have access to logs.
- Other relevant controls:
- Log Management Service (LMS)
- Intrusion Detection Systems (IDS)
- Intrusion Protection Systems (IPS)
Syslog
- Syslog is used to describe the protocol/application that receives and sends, as well as the logs
- IETF-approved protocol for log messaging
- Provide a UNIX centric format for log transfer
- Ensure reception and order
- de facto for linux, no equivalent in Microsoft
- Protocol: a client/server protocol used to transmit the logs
- UDP or TCP, transmit in clear text, can be used with TLS
- Weakness:
- Syslog transmits in clear text, TLS/SSL must be used
- Integrity protection is necessary
- Syslog-NG (New Generation): open source implementation of syslog
- NIST SP 800-92 provides guidance on Computer Security Log Management and how to use syslog
Application Event Logs
- Detect exploits, mis-behaviour, violation
- Establish performance baseline
- Recommended to log all security events
- Common issue:
- Event logging is often disables, missing or poorly configured
- Application event logging bare minimum:
- Security breaches
- Critical business processes e.g., order processing, password change, etc.
- Performance metrics e.g., load time, timeouts, etc.
- Compliance related events
Data Loss Prevention (DLP)
- Data: second only to people
- DLP: the technology that provides egress filtration, prevents data from leaving the network
- Not allow classified data to be attached or copied
- Brings mandatory (labeling) and discretionary (based on discretion of the owner) security
- Tagging: the process of labelling data that is classified with its appropriate level
- Can be overwhelming, requires planning, strategy and management support
- Business owner is ultimately responsible
- Endpoint devices, e.g USB
- Top breach: emails with sensitive data attached
- DLP through technology:
- Monitor tagged data, detecting and preventing loss, and remediation
- Protect gateways (control usually applied here) and channels
- Uneducated people could breach DLP
- DLP through policy:
- Mandates shredding
- Disallow printing and storing in storage devices
- Storage on cloud requires:
- Cryptography
- Access control
- Leakage protection
- DLP solutions common approach:
- Screen traffic
- Examine for traffic that meets profile parameters
- Challenges:
- Detection location is important
- Visibility into the data
Virtualization
- Divides a physical resource into multiple virtual resources, abstracts resources and produces the physical characters.
- e.g: VMWare, Microsoft Hyper-V, and Xen
- Platform virtualisation: single physical server to run multiple OS/sessions
- Storage Area Networks (SAN): an example of storage virtualisation
- Benefits:
- Reduced cost (by consolidating physical resources)
- Operational flexibility
- Green computing; reduced power and cooling
- Easier deployment and administration
- Improvded portability
- Isolation of application, data, and platforms
- Increased agility to scale IT environment and services to the business
- Need to determine security and securability before selecting virtualisation products
- Argument 1: virtualisation increases security through isolation
- Argument 2: virtualisation increates attack surface (hypervisor)
- Security considerations
- Implement all of the security controls as in a physical environment
- Protect VM and images
- Patch management for all VM appliances
- VM jail-breaking protection
- Inspect inter-VM traffic by IDS and IPS
- Implement defense-in-depth safeguard controls
- Control VM sprawl (i.e uncontrolled proliferation of multiple VM instances)
- VM security management technologies are still immature:
- VM security API: leverage security functionality and introspection ability within the virtualization products
Intrusion Detection System (IDS)
- Used to detect potential threats and suspicious activities, I/O bound
- IDS are not firewalls but can be used with one
- IDS more useful for insider threats
- When implemented with logging, an IDS can be used to provide audit
- Types:
- Device
- NIDS
- HIDS
- Main challenge: encrypted payload
- Implementation:
- Signature-based
- Weakness: new/unknown threats
- e.g Snort: open-source, signature-based
- Anomaly-based (behavioral): compare against a baseline
- Advantage: detect/discover newer threats
- Rule-based: based on programmed rules, (e.g IF-THEN-ELSE)
- Signature-based
Intrusion Prevention System (IPS)
- IDS mostly passvie, some are reactive
- IPS: contain the threats and prevent it from being manifested
- Essentially a firewall with network/app level filtering
- When implemented with logging, an IPS can be used to provide auditing capabilities
- e.g blocking further traffic from the source IP address, locking out the account on brute-force
Digital Rights Management (DRM)
- Digital rights management (DRM): technologies employed so that content owners can exert control over the digital content.
- Objective: protect IP in the digital world
- Coverage:
- Copy protection
- Usage rights
- Authenticity
- Integrity
- DRM: protect IP and content usage of digital works using technological controls
- Forward locking: a liability protection measure against violators who cannot claim ignorance of the consequences of their violating act, e.g FBI warning before a video starts
- Can be configured to provide useage right, authenticity, integrity
- e.g sharing file with external, you have no control, but still want to control the use of the file
- Provides OSI layer 6 (presentation) security: prevent unauthorised user from viewing
- Assures content authenticity/integrity
- e.g tie a file to a unique device id so that even if copied, user still cannot use it, iTunes
- Copyright law: deterrent control, against someone who wishes to make a copy of a protected file/resource, cannot prevent
- Copyright law permits all that which is not forbidden, DRM forbids all that which is not permitted
- Three core entities:
- Users: can create/use content, can be grated rights over content
- Content: the protected resource
- Rights: permissions, constraints, obligations
- Rights Expression Language (REL), e.g:
- ccREL An RDF schema used by the Creative Commons project and the GNU project to express their general public license (GPL) in machine-readable form
- Open Digital Rights Language (ODRL) - generalized, open standard under development that expresses rights using XML.
- eXtensible rights Markup Language (XrML) - generalized REL that is more abstract than ODRL. XrML is more of a metalanguage that can be used for developing other RELs.
- MPEG-21 Part 5 of this MPEG standard includes an REL
- Publishing Requirements for Industry Standard Metadata (PRISM) - Primarily used in B2B, express rights specific to a task and is used for syndication of print media content such as newspapers and magazines.
- REL can express right, but cannot enforce rights, leave to software to protect
- Rights Expression Language (REL), e.g:
- Challenges:
- Using hardware property is recommended but may cause DoS when the hardware is replaced.
- Tying rights to a person alleviates this concern, but need to ensure the individual’s identity.
- Using personal data lead to privacy concerns e.g Sony rootkit music CD
- DRM forbids both illegal and legal copying, affecting Fair Use
- Using hardware property is recommended but may cause DoS when the hardware is replaced.
Trusted Computing
- Trusted Computing (TC):
- Technologies developed and promoted by the Trusted Computing Group.
- Ensure the computer behaves in a consistent and expected manner.
- Trusted Computing Base (TCB): the totality that is critical to its security.
- TCB is not just a concept, but also creates the foundation for security principles.
- Trusted Platform Module (TPM)
- Ensure protection against disclosure and implementation of the spec (v1.2, TPM chip)
- TPM provides generation and tamper-proof storage of cryptographic keys.
- Can uniquely identify a device
- Complements smartcards/biometrics
- Enhanced security against external software and physical attacks
- Stored information are still vulnerable to disclosure if the requesting software is not secure
- e.g cold boot side channel attack
- TPM Features:
- Hash generator
- RSA key generator
- Random Number Generator
- Encrytion/Decryption Signature Engine
- Manufacturer’s Key in the storage
- Ensure protection against disclosure and implementation of the spec (v1.2, TPM chip)
- TCG’s Trusted Software Stack (TSS) interface specification: for software design
- Trusted Server specification: for server security
- Trusted Network Connect architecture: for network security
- Mobile Trusted Module: for mobile computing security
- Concerns: TPM could be used to secure a computer from its owner
Anti-Malware
- Malware: software that has malicious intent.
- Malware requires a vulnerability in a software system to gain its initial infection vector
- May hide in PDF
- Trustworthiness: a composition of reliability, security and privacy.
- A holistic multi-pronged program should include:
- The implementation of anti-malware engine (technology)
- An educated anti-malware research team (people)
- An update mechanism (process)
- Client-side anti-malware engine: the software that detects, contains and removes the malware.
- Scanning: monitor different locations on the system, should ensure performance
- Detection:
- Two primary techniques:
- Pattern
- Behaviour
- Kernel-mode rootkits
- Subject Matter Experts (SME): a person who has special skills or knowledge on a particular job or topic.
- Two primary techniques:
- Handling:
- Quarantine, remove: when handling a rootkit, engine cannot trust the OS, tunnelling signature can help engine to detect inconsistencies and uncover rootkit modifications
- Restore
- Essential to have a team to focus on malware
- Anaylysis process:
- Unpacking
- Deobfuscating
- Decrypting
- Reverse engineering
- Static analysis: inspects the instructions of the malware to identify and counteract the techniques used in its obfuscation
- Dynamic analysis: examines the malware behavior by emulating the malware in a VM
- Polymorphic malware: signature changes everytime it runs
- Update the singature/malware definition list through a formalise process
- Anaylysis process:
- Anti-malware technologies: provides insight into the security state of the computing ecosystem
- On access protection
- Real Time protections
Code signing
- The application of digital signature technology to computer code
- Establishes the provider or author of the software
- Deliver information as to the integrity level of the code
Database Security
- Key: define the level of protection needed, not all data have the same level of sensitivity.
- Regulations GLBA, HIPAA, and PCI DSS can impose protection requirements around certain data elements
- HIPAA and GLBA require protection on stored PII
- Consequence: willful neglect lead to fines, incarceration of officers, and regulatory oversight
- Attacks:
- Application layer is a channel for injection attacks
- Inference attack: confidentiality, steal data through data mining on hidden and trivial info
- Aggregation attack: non-sensitive information made sensitive when joined together
- e.g lat/lng + supplies-and-delivery -> army location
Countermeasure
Polyinstantiation
- Multiple instances, visibility determined by user’s clearance level
- Address inference attack by hidding info through classification
- Address aggregation attack by labeling dfifferent aggregations of data separately
Database Encryption
- Initiative: perimeter defenses powerless to protect stored data to internal threats.
- Encryption is a preventive control against disclosure/alteration
- Aspects to consider:
- Encryption, secure the key
- Access control
- Auditing for security
- Logging of privilege database operations and events
- Capacity planning:
- Performance, e.g indexing
- Padding/truncation issues
- Data size may increase due to encryption
- Two ways
- Native Database Management System (DBMS) encryption
- Transparent Database Encryption (TDE), transparent to application layer
- Benefit: minimal impact on application, but can impact performance
- Drawback: inherent weakness in key storage, dependent on the strength of the DBMS protection mechanisms
- External cryptographic resources
- Recommended from security standpoint, increases work factor for attacker
- Keys can be stored in Hardware Security Modules (HSM)
- Move computation overhead away from DBMS
- Drawback: need to modify the design and communication
- Native Database Management System (DBMS) encryption
- Primary keys are used for joining tables, hence is not usually encrypted, therefore should not use PII as primary keys
Normalization
- Normalization: a technique used to organize data, remove redundancy and inconsistency.
- Maintainability and security of db are directly proportional to its organization of data
- Redundant data increases attack surface
- Organisation of data based on rules (a.k.a normal form)
- Three data organization or normalization rules
- 1NF: “No Repeating Groups” rule
- No repeating fields or groups of fields in a table
- 2NF: “Eliminate Redundant Data” rule
- Duplicate data are removed
- 3NF: “Eliminate Non-Key-Dependent Duplicate Data” rule
- A logical extension of the 2NF and for a table to be in 3NF, must first be in 2NF. Data that are not dependent on the uniquely identifying PK of that table are eliminated and maintained in tables of their own
- 1NF: “No Repeating Groups” rule
- Database design is said to be in the normal form that corresponds to the number of rules the design complies with
- Three data organization or normalization rules
- Benefits:
- Elimination of redundancy and reduction of inconsistency issues
- Security benefits
- Data integrity
- Granular permission control
- Drawback: degraded performance
- Need to take time to read from multiple tables
- May need to denormalise a database, a denormalized database is not the same as a database that has never been normalized
Triggers
- A special type of procedure executed upon certain conditions are met, differs in invocation.
- Regular procedures are explicitly run by user, app, trigger
- A trigger is run implicitly by db
- Events that run a trigger:
- Data Manipulation Language (DML), e.g INSERT, UPDATE and DELETE
- Data Definition Language (DDL) for administration, e.g auditing, regulating db operations
- Error events (OnError)
- System events, such as Start, Shutdown, Restart
- User events, such as Logon, Logoff
- Triggers can be used to:
- Enforce complex business rules
- Prevent invalid transactions
- Ensure referential integrity operations
- Provide automated, transparent auditing and event-logging capabilities
- Enforce complex security privileges and rights
- Synchronise data (accuracy and integrity) across replications
- Drawbacks:
- Excessive use of trigger may result in overly complex design
- Triggers are responsive to events, therefore no commit or rollback
- Interdependency due to cascaded triggers
Views
- A view is dynamically constructed when the query to generate the view is executed
- Giving different parties different levels of access to the data
- Customised presentation of data, the output of a query
- Virtual, no physical storage allocated, only space to hold the query is allocated
- view can be customised based on user’s privilege, supports need-to-know
- Can be used to abstract internal db structure, e.g
- Joined tables
- Rename columns against reconnaissance
- Save complex queries
- Operations performed on the view affect the base tables serving the data
Stored Procedures
- Limit access to only specific elements based on the pre-defined rules
Backup and Replication
- Provide improved availability and redundancy
Privilege Management
- A privilege is the right to perform an operation
- Permissions are granted to users/roles, processes, objects
- With roles, software needs to have Least Privilege and Separation of Duties
- Not recommended to grant privilege to a user directly
Programming Language Environment
- Managed v.s Unmanaged programming language
- Using wrappers for unmanaged code, apply defense-in-depth
- Prefer strongly typed languages
- Need to understand permissible operations on each data type
- Widening conversion (a.k.a expansion)
- Loss of precision
- Narrowing conversion (a.k.a truncation)
- Loss of information
- Considerations
- Proper casting
- Length/range validation, i.e using regex/maxlength restrictions
- Exception management
- Widening conversion (a.k.a expansion)
Languages
Compiled language
- Compiling: converting textual source code to instruction code (object code)
- Linking: combining necessary dependencies to executable
- Static linking: copy all required elements into one executable
- Advantage: faster, portable
- Disadvantage: size
- Dynamic linking: placing names and relative locations of dependencies, resolve at runtime
- Advantage: less space
- Disadvantage: missing dependencies, dependency hijack
- Need careful security thinking for this option
- Static linking: copy all required elements into one executable
- e.g: COBOL, Fortran, BASIC, Pascal, C, C++ and Visual Basic
Interpreted language
- Instructions are interpreted by a mediator line by line
- Advantage:
- Faster code change
- No need for recompiling/relinking
- Disadvantage: Slower execution
- e.g REXX, PostScript, Perl, Ruby, Python
Main types of languages
- Unmanaged: C/C++
- Code execution directly managed by OS
- Need to be compiled
- Memory allocation unmanaged, pointers can be directly controlled
- Requires routines to handle
- Memory allocation
- Check array bounds
- Handle data type conversions explicitly
- Force garbage collection
- Benefit: performance
- Managed: python, javascript, Java (JVM), MS .NET (CLR)
- Code execution managed by runtime environment
- Not compiled into native code
- Memory allocation managed by runtime
- Time to develop software is relatively shorter
- Benefits:
- Sandboxing
- Garbage collection
- Index checking
- Type safe
- Memory management
- Multiplatform capability
Compiler Switches
- /GS flag and StackGuard
- Protect against memory corruption, buffer overflows
- Prevent malicious execution and untrusted code
- Executables can detect/mitigate buffer overflow of return address pointer
- Security cookie allocated before return address post to function load, after exiting, check cookie
- StackGuard: A patch of GNU gcc, detect/defeat stack memory overflow
- Provide code pointer integrity check
- Provide return address integrity protection
- Placing a canary before return address which is checked before executing the return address
- Attacker can forge a canary in the overflow exploit
- Prevention
- Terminator canary: common termination symbols for C standard, when attacker specifies these, execution terminates
- Random canary: 32-bit random number set on function entry, maintained for the time frame of function call
- /SAFEH: enables a safe exception handling table option that can be checked at run time
Environments
Common Language Runtime (CLR)
- Common Language Runtime (CLR) for .Net, by Microsoft Common Language Infrastructure (CLI)
- Can compiles a range of lanuages into a Common Intermediate Language (CIL, i.e managed code)
- CLR’s Just-In-Time (JIT) compiler transforms CIL into machine instructions
- Provides memory management, type safety, code access security, garbage collection, exception handling
- .Net CLR has its own security execution model separated from OS
- Unlike traditional user-based model, CLR can enforce a policy-based model
- Code access control: calculate permissions and evidence based on attributes of the code (e.g URL, Site, Application Directory, Zone, Strong name, Publisher, Hash, etc) as oppose to the user
Java Virtual Machine (JVM)
- Java Runtime Environment (JRE), primary component: Java Virtual Machine (JVM)
- Libraries: Java Package classes
- JVM: an implementation of the Java Machine Specification, important security aspects:
- Java Class file format
- Defines the format
- Mandated to be in this format
- Java Bytecode language and instruction set
- Includes instruction sets to perform low level machine operations
- Class Loader
- A Java runtime object, load Java classes into the JVM
- Checks class loaded is not spoofed or redefined
- Bytecode Verifier (arguably most important component)
- Called after Class Loader load all classes into JVM
- Ensure consistency:
- Class files are in the right format
- No malicious instructions, gatekeeper
- If successful, Bytecode is compiled Just-in-Time (JIT) to run
- Java Security Manager (JSM)
- If calls native OS, JSM monitors and mediates access, allow/deny
- Garbage collector
- Reclaiming unreachable objects in memory
- Java Class file format
Sandboxing
- Execution of computer code in an environment designed to isolate the code from direct contact with the target system.
- Used to execute untrusted code, code from guests, and unverified programs.
Systems
Operating Systems
- Code Access Security (CAS), prevents code from:
- Untrustworthy/unknown source from having run time permissions for privileged operations
- Trusted sources from inadvertently or intentionally compromising security
- Address Space Layout Randomization (ASLR)
- Due to principle of locality (temporal primarily), programs load the same memory upon each run
- ASLR a memory manangement technique to protect against memory location discovery
- Randomise and move the function entry points
- DLL can load into any of the 256 memory locations, chance to guess is 1/256
- Available in Windows, Linux
- Data Execution Prevention (DEP)/Executable Space Protection (ESP)
- Data Execution Prevention (DEP): prevent memory manipulation in an unsafe manner, a.k.a No-Execute (NX)
- Marks injected data segment as no-execute
- Can be implemented in hardware or software
- Executable Space Protection (ESP) is the Unix or Linux equivalent
- Data Execution Prevention (DEP): prevent memory manipulation in an unsafe manner, a.k.a No-Execute (NX)
Embedded Systems
- Increased reliability over a general purpose system
- Governed by events in real time
- Tamper resistant sensor
- Standards for embedded system security
- ISO 15408 (Common Criteria) standard
- Multiple Independent Levels of Security (MILS) standard
- Attacks:
- Primarily disclosure attacks
- Side channel
- Fault injection
- Control: auto-erase
- Physical deterrent controls:
- Seals
- Conformal coatings
- Tapes
- Signal physical breach or tampering activities in software
- Hide critical signals in the internal board layers
- OpenOS, 3rd party apps need to be isolated, limited to access owner’s private data
- TPM chip: can be used for node-to-node authentication, provide tamper resistant storage
- Threat agents are usually more sophisticated than average hackers
Control Systems
- SCADA systems: monitor and control physical processes, primary target for hackers
- Technologies were mostly proprietary, promoted the security through obscurity
- Systems were physically secured and disconnected, adoption of open standards make them targets
- SCADA was not originally designed with security in mind
- Predominant threat: unauthorized access to the control software
- Packet control protocol is rudimentary or lacking
- Attacks tend to be overflow/injection types
- Physical breach by insider
- Mandates end-to-end authentication and authorization
- Programmable Logic Controller (PLC)
- Remote Terminal Unit (RTU)
Firmware
- Software code held in a device
- Read-only chips (not programmable by end-user) or flash memory chips
- Expect future improvement in security
- e.g BIOS
Examples
Design principle
- Defense in Depth
- Use of input validation along with prepared statements or stored procedures, disallowing dynamic query constructions using user input to defend against injection attacks.
- Disallowing active scripting in conjunction with output encoding and input or request validation to defend against Cross-Site Scripting (XSS).
- The use of security zones, which separates the different levels of access according to the zone that the software or person is authorized to access.
- Fail secure
- The user is denied access by default and the account is locked out after the maximum number (clipping level) of access attempts is tried.
- Not designing the software to ignore the error and resume next operation.
- Errors and exceptions are explicitly handled and the error messages are non-verbose in nature. This ensures that system exception information, along with the stack trace, is not bubbled up to the client in raw form, which an attacker can use to determine the internal makeup of the software and launch attacks accordingly to circumvent the security protection mechanisms or take advantage of vulnerabilities in the software. Secure software design will take into account the logging of the error content into a support database and the bubbling up of only a reference value (such as error ID) to the user with instructions to contact the support team for additional support.
Microsoft list of Attack Surface Elements
- Open sockets
- Open remote procedure call (RPC) endpoints
- Open named pipes
- Services
- Services running by default
- Services running as SYSTEM
- Active web handlers (ASP files, HTR files, and so on)
- Active Internet Server Application Programming Interface (ISAPI) filters
- Dynamic webpages (ASP and such)
- Executable virtual directories
- Enabled accounts
- Enabled accounts in admin group
- Null sessions to pipes and shares
- Guest account enabled
- Weak ACLs in the file system
- Weak ACLs in the registry
- Weak ACLs on shares
Database security considerations
- What is the level of risk classification associated with the data?
- What is the usage pattern of the data-how is it protected in transit and in use?
- What is the differing classification across elements of the data-are some more sensitive than others?
- How is encryption being handled in the enterprise for other projects?
- What are the available encryption options to the development team?
Database encryption design questions
- Where the data should be encrypted
- What should be the minimum level of data classification
- Is the database designed to handle data sizes upon encryption?
- Is the business aware of the performance impact?
- Where will the keys used for cryptography operations be stored?
- What authentication and access control measures will be implemented?
- Are the individuals who have access to the database controlled and monitored?
- Are there logging available to prevent insider threats?
- Is there an incident management plan?