Security Attacks PDF

Summary

This document discusses security objectives, attacks, and mechanisms. It covers topics such as confidentiality, integrity, and availability. It also touches upon security architecture and different types of attacks.

Full Transcript

IT2028

Security Attacks deliberate or inadvertent unauthorized manipulation of
Security Objectives (Torra, 2018) the system.
The identification of security objectives is the first step you can Availability ensures that systems work promptly and the service
take to help ensure the security of your application. is not denied to authorized users. A loss of availability is the
Security objectives are goals and constraints that affect the disruption of access to or use of information or an information
confidentiality, integrity, and availability of your data and system.
application. Authenticity: The property of being genuine and being able to
Although the use of the CIA triad to define security objectives is be verified and trusted; confidence in the validity of a
well established, many in the security field feel that additional transmission, a message, or a message originator. This means
concepts are needed to present a complete picture, as illustrated verifying that users are who they say they are and that each input
in Figure 1. arriving at the system came from a trusted source.
Accountability: The security goal that generates the
requirement for actions of an entity to be traced uniquely to that
entity. This supports nonrepudiation, deterrence, fault isolation,
intrusion detection and prevention, and after-action recovery and
legal action. Because truly secure systems are not yet an
achievable goal, it must be possible to trace a security breach to
a responsible party. Systems must keep records of their activities
to permit later forensic analysis to trace security breaches or to
aid in transaction disputes.

OSI Security Architecture (Torra, 2018)
The security architecture for Open Systems Interconnection
(OSI) defines a general security architecture that is useful to
managers as a way of organizing the task of providing security
This standardized architecture defines security requirements.
Figure 1. Security Objectives The key concepts that are covered in these sections are
summarized in Figures 2-3.
Confidentiality: Also known as data confidentiality, this property o Security attacks are any action that compromises the
means that information is not made available or disclosed to security of information owned by an organization.
unauthorized individuals, entities, or processes. A loss of o Security attacks attempt to gain unauthorized access to
confidentiality is the unauthorized disclosure of information. information resources or services, or cause harm or
Integrity: This term covers two (2) related concepts: damage to information systems.
o Data integrity ensures that data (both stored and is
transmitted packets) and programs are changed only in
a specified and authorized manner. A loss of data
integrity is the unauthorized modification or destruction
of information.
o System integrity ensures that a system performs its
intended function in an unimpaired manner, free from
03 Handout 1 *Property of STI
 [email protected] Page 1 of 3
 IT2028

unencrypted email or telephone call and intercept it for
sensitive information.
o Traffic analysis: In this type, an attacker monitors
communication channels to collect a range of
information, including human and machine identities,
locations of these identities, and types of encryption
used, if applicable.
Passive attacks are very difficult to detect because they do not
involve any alteration of the data.
Figure 2. Attacks The message traffic is sent and received in a normal fashion,
o Security mechanisms are technical tools and and neither the sender nor the receiver is aware that a third party
techniques that are used to implement security services has read the messages or observed the traffic pattern.
o A process that is designed to detect, prevent, or recover The best way to prevent a passive attack is by using strong
from a security attack. network encryption methods. This means that the original
o Security service is a processing or communication message should be well encrypted into an unintelligible
service that enhances the security of the data language at the sender’s end and should be decoded into an
processing systems, and the information transfers of an understandable language at the receiver’s end.
organization. Security services are intended to counter Active Attack (Torra, 2018)
security attacks, and they make use of security Active attacks involve some modification of stored or
mechanisms to provide the services. transmitted data or the creation of false data. There are four
categories of active attacks: replay, masquerade,
modification of messages, and denial of service.
o A masquerade takes place when one entity
pretends to be a different entity. A masquerade
attack usually includes one of the other forms of
active attack. For example, authentication
sequences can be captured and replayed after a
valid authentication sequence has taken place, thus
enabling an authorized entity with few privileges to
obtain extra privileges by impersonating an entity
that has those privileges.
Figure 3. Services o Replay involves the passive capture of a data unit
Passive Attack (Torra, 2018) and its subsequent retransmission to produce an
Passive attacks are like eavesdropping or monitoring unauthorized effect.
transmissions. The goal of the attacker is to obtain information o Data modification simply means that some portion
that is being transmitted. Two types of passive attacks are the of a legitimate message is altered or that messages
release of message contents and traffic analysis: are delayed or reordered to produce an
o Release of message contents: In this type, an attacker unauthorized effect. For example, a message
will monitor an unprotected communication medium like stating “Allow Kit Estrada to read confidential file,

03 Handout 1 *Property of STI
 [email protected] Page 2 of 3
 IT2028

Accounts” might be modified to say, “Allow Fred authentication service is to ensure the recipient that the
Brown to read confidential file, Accounts.” message is from the source that it claims to be from.
o A denial-of-service attack prevents or inhibits the Access control is the ability to limit and control access to
normal use or management of communication host systems and applications via communications links. To
facilities. Such an attack may have a specific target; achieve this, each entity trying to gain access must first be
for example, an entity may suppress all messages identified or authenticated so that access rights can be
directed to a particular destination (e.g., the security tailored to the individual.
audit service). Another form of service denial is the Data confidentiality is the protection of transmitted data
disruption of an entire network, either by disabling from passive attacks. Concerning the content of data
the network or by overloading it with messages to transmission, several levels of protection can be identified.
degrade performance. The broadest service protects all user data transmitted
between two users over a period. For example, when a
logical network connection is set up between two systems,
this broad protection prevents the release of any user data
transmitted over the connection.
Data integrity ensures that messages are received as sent,
with no duplication, insertion, modification, reordering, or
replays
Data integrity ensures that information is modified only in
appropriate ways by persons authorized to change it.
Nonrepudiation prevents either a sender or a receiver from
denying a transmitted message. Thus, when a message is
sent, the receiver can prove that the alleged sender sent the
message. Similarly, when a message is received, the sender
can prove that the alleged receiver received the message.
Availability service means that a system or a system
resource is accessible and usable upon demand by an
authorized system entity, according to performance
specifications for the system; that is, a system is available if
it provides services according to the system design
whenever users request them.

References:

Figure 4. Types of attacks in the context of a client/server Kumar, G., Saini, DK., Huy Cuong, NH. (2020). Cyber defense mechanisms: Security,
privacy, and challenges. CRC Press.
interaction. Stallings, W. (2019). Information privacy engineering and privacy by design:
Security Services (Torra, 2018) Understanding privacy threats, technologies, and regulations. Assison-Wesley
Authentication service is concerned with ensuring that Professional. Torra, V. (2018). Data privacy: foundations, new developments, and the
big data challenge. Springer International Publishing.
communication is authentic. In the case of a single message,
such as a warning or an alarm signal, the function of the
03 Handout 1 *Property of STI
 [email protected] Page 3 of 3
 IT2028

Online Privacy Data collectors collect information directly from their customers,
Online Ecosystem (Stallings, 2019) audience, or other types of users of their services.
Online privacy refers to privacy concerns related to user Data brokers compile large amounts of personal data from
interaction with Internet services through web servers and several data collectors and other data brokers without having
mobile apps. direct online contact with the individuals whose information is in
Websites collect personal information explicitly through a variety the collected data. Data brokers repackage and sell the collected
of means, including registration pages, user surveys, and online information to various data users, typically without the
contests, application forms, and order forms permission or input of the individuals involved. Because
It also collects personal information through means that are not consumers generally do not directly interact with data brokers,
obvious to consumers, such as cookies and other tracking they have no means of knowing the extent and nature of the
technologies. Figure 1 illustrates the many players involved in information that data brokers collect about them and share with
the online collection and use of personal data. others for their financial gain. Data brokers can collect
information about consumers from various public and nonpublic
sources, including courthouse records, website cookies, and
loyalty card programs. Typically, brokers create profiles of
individuals for marketing purposes and sell them to data users.
The data users category encompasses a broad range. One type
of data user is a business that wants to target its advertisements
and special offers. Other uses are fraud prevention and credit
risk assessment.

Web Security and Privacy (Stallings, 2019)
The WWW is fundamentally a client/server application running
over the Internet. The use of the Web presents several security
challenges:
o The Web is vulnerable to attacks on web servers over
the Internet.
o Casual and untrained (in security matters) users are
common clients for web-based services. Such users are
not necessarily aware of the security risks that exist and
do not have the tools or knowledge to take effective
countermeasures.
o A web server can be exploited as a launching pad into a
corporation’s or an agency’s entire computer complex.
Once a web server is subverted, an attacker may be
able to gain access to data and systems not part of the
Web itself but connected to the server at the local site.
A useful way of breaking down the issues involved is to consider
Figure 1. Personal Data Ecosystem the following classification of security and privacy issues:

04 Handout 1 *Property of STI
 [email protected] Page 1 of 4
 IT2028

o Web server security and privacy are concerned with Figure 2 shows the following elements in the ecosystem within
the vulnerabilities and threats associated with the which mobile device applications function:
platform that hosts a website, including the operating o Cellular and Wi-Fi infrastructure: Modern mobile
system (OS), file and database systems, and network devices are typically equipped with the capability to use
traffic. cellular and Wi-Fi networks to access the Internet and to
o Web application security and privacy are concerned place telephone calls. Cellular network cores also rely
with web software, including any applications accessible upon authentication servers to use and store customer
via the Web. authentication information.
o Web browser security and privacy are concerned with o Public application stores (public app stores): Public
the browser used from a client system to access a web app stores include native app stores; these are digital
server. distribution services operated and developed by mobile
OS vendors. For Android, the official app store is Google
Mobile Ecosystem Play, and for iOS, it is simply called the App Store. These
The execution of mobile applications on a mobile device may stores invest considerable effort in detecting and
involve communication across several networks and interaction thwarting malware and ensuring that the apps do not
with some systems owned and operated by a variety of parties. cause unwanted behavior on mobile devices. In
addition, there are numerous third-party app stores. The
danger with third-party stores is uncertainty about what
level of trust the user or the enterprise should have that
the apps are free of malware.
o Device and OS vendor infrastructure: Mobile device
and OS vendors host servers to provide updates and
patches to the OS and apps. Other cloud-based services
may be offered, such as storing user data and wiping a
missing device.
o Enterprise mobility management systems:
Enterprise mobility management (EMM) is a general
term that refers to everything involved in managing
mobile devices and related components (e.g., wireless
networks). EMM is much broader than just information
security; it includes mobile application management,
inventory management, and cost management.
Although EMM is not directly classified as a security
technology, it can help in deploying policies to an
enterprise’s device pool and monitoring a device’s state.

Figure 2. Mobile Ecosystem

04 Handout 1 *Property of STI
 [email protected] Page 2 of 4
 IT2028

Mobile Application Vetting evaluates additional criteria to determine if the app violates any
organization-specific security requirements that could not be
ascertained by the analyzers
The auditor then makes a recommendation to someone in the
organization who has the authority to approve or reject an app
for deployment on mobile devices. If the approver approves an
app, the administrator can then deploy the app on the
organization’s mobile devices.

Threats from Application
The first step in developing privacy by design and privacy
engineering solutions for online privacy is to define the threats to
online privacy. These threats are divided into two (2) areas: web
application privacy and mobile app privacy.
Web application privacy: The Open Web Application Security
Project (OWASP) top 10 privacy risks project provides a list of
the top privacy risks in web applications. The goal of the project
is to identify the most important technical and organizational
privacy risks for web applications from the perspectives of both
Figure 3. App Vetting Process the user (data subject) and the provider (data owner). The risks
are:
The process of evaluation and approval or rejection of apps o Web application vulnerabilities: Failing to suitable
within an organization, referred to as app vetting, is illustrated in design and implement an application, detect a problem,
Figure 3. The vetting process begins when an app is acquired or promptly apply a fix (patch), which is likely to result in
from a public or enterprise store or submitted by an in-house or a privacy breach. Vulnerability is a key problem in any
third-party developer. system that guards or operates on sensitive user data.
An administrator is a member of the organization who is o User-side data leakage: Failing to prevent the leakage
responsible for deploying, maintaining, and securing the of any information containing or related to user data, or
organization’s mobile devices as well as ensuring that deployed the data itself, to any unauthorized party resulting in loss
devices and their installed apps conform to the organization’s of data confidentiality. Leakage may be introduced due
security requirements. to either intentional malicious breach or mistake (e.g.,
The administrator submits the app to an app testing facility in caused by insufficient access management controls,
the organization that employs automated and/or human insecure storage, duplication of data, or a lack of
analyzers to evaluate the security characteristics of an app, awareness).
including searching for malware, identifying vulnerabilities, and o Insufficient data breach response: Not informing the
assessing risks. The resulting security report and risk affected persons (data subjects) about a possible
assessment are conveyed to an auditor or auditors. breach or data leak, resulting in either from intentional
The role of an auditor is to inspect reports and risk assessments or unintentional events; failure to remedy the situation
from one or more analyzers to ensure that an app meets the by fixing the cause; not attempting to limit the leaks.
security requirements of the organization. The auditor also
04 Handout 1 *Property of STI
 [email protected] Page 3 of 4
 IT2028

o Insufficient deletion of personal data: Failing to o Insecure network communications: Network traffic
delete personal data effectively and/or in a timely needs to be securely encrypted to prevent an adversary
fashion after the termination of the specified purpose or from eavesdropping. Apps need to properly authenticate
upon request. the remote server when connecting to prevent man-in-
o Non-transparent policies, terms, and conditions: Not the-middle attacks and connection to malicious servers.
providing sufficient information describing how data are o Web browser vulnerabilities: Adversaries can exploit
processed, such as their collection, storage, and vulnerabilities in mobile device web browser
processing. Failure to make this information easily applications as an entry point to gain access to a mobile
accessible and understandable for non-lawyers. device.
o Collection of data not required for the primary o Vulnerabilities in third-party libraries: Third-party
purpose: Collecting descriptive, demographic, or any software libraries are reusable components that may be
other user-related data that are not needed for the distributed freely or offered for a fee to other software
system. Applies also to data for which the user did not vendors. Software development by component or
provide consent. modules may be more efficient, and third-party libraries
o Sharing of data with a third party: Providing user data are routinely used across the industry. However, a
to a third party without obtaining the user’s consent. flawed library can introduce vulnerabilities in any app
Sharing results either due to transfer or exchanging for that includes or makes use of that library. Depending on
monetary compensation or otherwise due to the pervasiveness of the library, its use can potentially
inappropriate use of third-party resources included in affect thousands of apps and millions of users.
websites, such as widgets (e.g., maps, social networking
buttons), analytics, or web bugs.
o Outdated personal data: Using outdated, incorrect, or
bogus user data and failing to update or correct the data.
o Missing or insufficient session expiration: Failing to
effectively enforce session termination. May result in the
collection of additional user data without the user’s
consent or awareness.
o Insecure data transfer: Failing to provide data transfers
over encrypted and secured channels, excluding the
possibility of data leakage. Failing to enforce
mechanisms that limit the leaking surface (e.g., allowing
to infer any user data out of the mechanics of web
application operation).
Mobile app privacy: Legitimate mobile apps may be vulnerable References:
to several privacy and security threats, typically due to poor Kumar, G., Saini, DK., Huy Cuong, NH. (2020). Cyber defense mechanisms: Security,
coding practices used in app development or underlying privacy, and challenges. CRC Press.
vulnerabilities in the mobile device operating system. Consider Stallings, W. (2019). Information privacy engineering and privacy by design:
the following threats against vulnerable applications, Understanding privacy threats, technologies, and regulations. Assison-Wesley
Professional. Torra, V. (2018). Data privacy: Foundations, new developments, and the
encompassing both privacy and security threats: big data challenge. Springer International Publishing.

04 Handout 1 *Property of STI
 [email protected] Page 4 of 4