Full Transcript


Lecture 1: Introduction to Web Security
INFO-3174: Web Security
Web Development & Internet Applications
Internal

First, a Course Introduction
- INFO3174 for 23F: 14-week course in IWD2
- School code: ITY, Office: Online
- Lecture format: In person

About Your Prof
- Brett McFadden
- Email: [email protected]
- Please email from inside the course FOL page and add a meaningful subject
- Target response time: less than 48 hours
- Office hours: currently unscheduled. I will try to be available as needed, but will also work with you to set scheduled times.

Important Course Outline Details
- Missed tests: students are not entitled to complete missed tests. In case of a significant event supported by documentation AND the professor's approval AND prior notification, a missed test may be completed.
- Re-writes and extra grade items: students will not be permitted to rewrite tests. Students will not be entitled to extra work or assignments in order to raise a grade.

INFO-3174 Evaluations
- Course Outline / Course Plan will be uploaded to the top of FOL content
- Labs: 6% x 10 = 60%
- Test 1: 10%
- Test 2: 10%
- Test 3: 20%
- Total: 100%

INFO-3174 Missed Evaluations
- Labs: handled case by case. Late: 50% deducted.
- Missed tests: must be for an approved event (severe illness, death in immediate family); must have documentation of the event; always notify me in advance if possible.

Lab Format
- Labs will be available as FOL quizzes
- Labs are to be completed by their posted due time and date

Tests
- Tests will also be conducted as FOL quizzes
- Tests will be scheduled in-session

Student Responsibilities
- There is no text at this time
- Content is subject to change, but not without warning (watch announcements/email)
- Submit ALL assigned work
- All evaluations are individual! There is no group work at this time; however, group discussion of concepts, techniques, topics, etc. is encouraged.

Course Objectives
- Understand common threats, vulnerabilities, tools, and techniques
- Develop software that is more secure
- Understand how to quantify and mitigate risk
- Understand how to securely handle information

Learning Outcomes
- Describe the common terms used in system security
- Summarize several methods hackers use to explore and exploit information systems
- Identify various types of web attacks
- Demonstrate various types of web attacks with a focus on common application vulnerabilities
- Demonstrate basic cryptography concepts
- Experiment with the security hardening of Linux and Windows servers
- Define an Internet architecture including Internet clients and servers

Final Notes: my approach, conventions, practices
- Key terms and concepts will be bolded and may embed an external link
- Unless otherwise stated, information arising from non-lecture discussions will not be required knowledge for exams; no information needed to succeed will be restricted from you
- For technical difficulties with labs/exercises, my time will be prioritized on issues not easily resolved by a quick search
- My goal is to provide you with up-to-date, practical knowledge and skills, and evaluations will reflect this (no "gotcha" tricks)
- My secondary goal is to make the course interesting

Introduction to Information Security
INFO-3174: Web Security

What is security?
- A continuous process and practice of mitigating risk
- What is risk?

What is risk?
- The possibility of a threat exploiting a vulnerability within an asset
- Threat: an unavoidable occurrence that exploits a vulnerability
- Vulnerability: an exposure or weakness
- Can we quantify this possibility? Risk = (likelihood of event) x (impact)
- By minimizing the likelihood and impact, risk is avoidable!
- What is the impact when we are concerned with systems of information?

The CIA Triad
- Unrelated to the other "CIA"
- Stands for: Confidentiality, Integrity, Availability

What is security? (revisited)
- A continuous process and practice of mitigating risk posed to the confidentiality, integrity, and availability of our information
- The identification of risk by enumerating important assets and quantifying the vulnerabilities and their impact therein
- The employment of risk mitigation strategies by modeling threats and prioritizing defenses according to risk and the resources available

Security in Real Life
- Perfect security is impossible
- Being the most secure is a pretty good alternative

Information Security Domains
- Physical Security
- Communications Security
- Emissions Security
- Computer/Host Security
- Network Security
- Application Security

Fundamental Security Principles
- The Principle of Least Privilege
- Separation of Duties
- Security Through Obscurity
- Defense-in-Depth
- Failing Securely
- Open Design

Virtualization
- The creation of a virtual version of IT services/applications/resources
- Examples: cloud computing (AWS, Azure, VPS), with the exception of bare-metal cloud services; virtual machines (VirtualBox, VMware)
- Any other examples?
- How might this impact security?

Threat Actors (Hackers)
- Individuals, groups, or even states
- What might their motivation be?

[Two chart slides; source: Verizon's 2021 Data Breach Investigations Report]

The Money is in the Computer?
1. Perform attack
2. ???
3. Profit

Step 2. ???
- Information resale: user credentials (username and password), CCs, PII
- Strategic: ransomware/cryptoware, botnet worker
- Performing privileged/unauthorized operations: transfer/purchase, application misuse (example: census), impacting the competition

Consider an E-commerce Application
- Let's return to the CIA triad.
- Why would an attacker want to subvert the following to profit: Confidentiality, Integrity, Availability?

Threat Actors – how do they do it?
- Reconnaissance: identify assets and services; fingerprint (determine software in use); gather intelligence (OSINT)
- Exploitation: exploit a known vulnerability; identify a novel issue; social engineering
- Post-Exploitation: enumerate network information; pivot on the network, escalate privileges; steal, destroy, or encrypt data; clean up

Threat Actor Trends
- Growing incident frequency
- Growing number of vulnerabilities catalogued (see the US-based NVD)
- Both targeted and non-targeted attacks are common
- Major attack chains are increasingly advanced
- Breaches involving applications are increasing

What Makes a Secure Application?
- Users can only perform tasks they are authorized to do
- Users can only access the information they are authorized to have
- Applications themselves can only perform the actions intended on the data intended
- Applications remain available and stable for their intended users
- However, applications do not stand on their own...

What Makes an Insecure Application?
- Important concepts: complexity generally increases risk; most web security issues arise from mishandling untrusted data

Why Does Host Security Matter?
- Applications are only as secure as the systems they run on
- Possible issues that can impact an application and that developers may not control: hardware/software failures, natural disasters, or power outages; denial of service (DoS) attacks; exploitation of a non-application service (SSH, for example); side-channel or physical attacks; other?

How Do We Stay Safe?
- How do we know what attackers are doing?
- Security research at public and private institutions
- Vulnerabilities and breaches disclosed by organizations
- Penetration testers and reverse engineers emulating attacks
- Community participation and organizations (conferences, OWASP, etc.)

Vulnerabilities
- Think of these as the weak points in a system
- Though they may be a bug or misconfiguration, they can often be by design: both intended and needed for business use
- We will focus on web application vulnerabilities for this course

Developing a Security Strategy
- Must know what you are protecting
- Must know your exposure and weaknesses
- Need to develop a threat model (consider both internal and external threats)

Example: Insecure Deserialization (PHP)

INFO3174 – Web Security LAB 1

LAB 1 – Setting Up Our Environment
- Follow the instructions within the first FOL Lab quiz and answer the associated questions
- You will have one week!
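The "Insecure Deserialization (PHP)" slide above carries no code in this transcript, so the following is an added example (not from the lecture) of the "mishandling untrusted data" point it illustrates: the vulnerable pattern beside two hardened forms. The CacheEntry class, the cookie-style input, and the path pattern are assumptions.

```php
<?php
// Added example, not from the lecture slides. Demonstrates why unserialize()
// on client-controlled input is dangerous and how to restore the same data safely.
// CacheEntry is a hypothetical application class.

class CacheEntry {
    public string $path = '';
    // Magic methods run automatically during deserialization and object
    // destruction, so unserialize() can execute application code the caller
    // never invoked directly. Here the side effect is only a log line.
    public function __wakeup(): void {
        error_log("CacheEntry restored for " . $this->path);
    }
}

// Constructed sample of client-controlled input (e.g. a cookie value).
// The client chooses the class name and every property; the server did not.
$untrusted = 'O:10:"CacheEntry":1:{s:4:"path";s:12:"/tmp/x.cache";}';

// VULNERABLE: the input decides which class is instantiated and which
// magic methods run.
function restoreVulnerable(string $input): mixed {
    return unserialize($input);
}

// HARDENED 1: keep unserialize() but forbid application classes. Unknown
// classes come back as __PHP_Incomplete_Class and no magic method runs.
function restoreHardened(string $input): mixed {
    return unserialize($input, ['allowed_classes' => false]);
}

// HARDENED 2 (preferred): accept a data-only format and rebuild the object
// yourself, so only validated fields ever reach application code.
function restoreFromJson(string $json): ?CacheEntry {
    $decoded = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($decoded) || !is_string($decoded['path'] ?? null)
        || !preg_match('#^/tmp/[A-Za-z0-9_.-]+$#', $decoded['path'])) {
        return null; // reject anything outside the expected shape and location
    }
    $entry = new CacheEntry();
    $entry->path = $decoded['path'];
    return $entry;
}

var_dump(get_class(restoreVulnerable($untrusted)));      // real CacheEntry instance
var_dump(get_class(restoreHardened($untrusted)));        // incomplete-class placeholder
var_dump(restoreFromJson('{"path":"/tmp/x.cache"}'));    // validated object
var_dump(restoreFromJson('{"path":"../../etc/passwd"}')); // rejected
```

Running this with a PHP 8 interpreter shows that only the first call instantiates the real class and triggers __wakeup; the JSON variant is the one to reach for in new code.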
