Subtopics: Malicious Software, Attacks on Web Applications, Secure System Development

# How Computers Get Compromised:

- Accessing malicious or infected websites
- Downloading and installing malware from websites
- Executing attachments to emails containing exploits and malware
- Plugging in external devices infected with malware
- Installing malware/infected software from media
- Direct attacks from the internet exploiting vulnerabilities in OS or applications
- Through delivery chain, during assembly or shipment

## Malware Types:

- Backdoor/Trapdoor
- Logic bomb
- Trojan horse
- Worm
- Virus (polymorphic, metamorphic)
- Stealth virus
- Exploit

## Exploits:

- Exploit software/hardware vulnerability
- Carried in common data formats like PDF, office documents, media files
- Contains corrupt data types
- Causes unintended behavior on computers

## Backdoor/Trapdoor:

- Provides remote control capabilities
- Can reside on the system for long periods before being used
- Installed by exploit or user (tricked into installing malicious program)
- Can be installed during design for testing purposes, posing a threat if left in production software

# The Cyber Kill Chain (Hutchins et al., 2011):

- Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, Command & Control (C&C), Action/Exfiltration
- Timescale for each phase varies from days, months, hours to seconds.
- Recon; Weaponisation; Delivery; Exploitation; Installation; Command & Control; Action/Exfil

## Web Application Security Challenge:

- Firewall, App Server, Web Server, Hardened OS, Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing, Custom-Developed Application Code
- Network layer and application layer security are crucial

# Application Attacks

- Application attacks bypass traditional network security measures like firewalls

## SQL (Structured Query Language):

- Interface to relational databases
- Used for inserting, updating, deleting, and retrieving data in a database

### SQL Injection:

- Database system misinterpretation of input data
- Attacker disguises SQL commands as data input
- Vulnerability exists when web application fails to sanitise data input before sending it to the database

### Preventing SQL Injection and XSS

- Validate all user-entered parameters (data types and lengths)
- Disallow unwanted data (HTML tags, JS, SQL commands)
- Escape questionable characters (ticks, --, semicolons, quotes, etc.)
- Hide information about error handling

#### Stored XSS

- Input script to website disguised as user content
- Store and display script on page
- User accesses page
- Malicious script sent to user

## Broken Authentication and Session Management:

- User authentication does not necessarily provide continuous assurance
- Insecure implementation of session control with a static session ID passed in the URL
- Recommendations for session IDs (OWASP)

### Method

- Log in to application
- Provide service, user stays logged in
- Email info about session ID
- Other user can access website as first user

### Fixes

- Authentication linked to time
- OWASP recommendations followed
- Link session ID to IP address, TLS session, etc.
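
The session fixes listed above, as an added example that is not part of the original notes: a server-side session store that issues random IDs, links authentication to time, and binds each session to the client IP, so a session ID leaked by email is rejected from another address. The class name, timeout values and IP addresses are assumptions made for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # assumed value: max seconds between requests
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed value: max session lifetime in seconds


class SessionStore:
    """Hypothetical in-memory store: random IDs, time limits, IP binding."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable clock so expiry can be tested
        self._sessions = {}      # session ID -> session record

    def login(self, user, client_ip):
        # Unpredictable ID from the OS CSPRNG. It belongs in a Secure,
        # HttpOnly cookie, never in the URL where it can be mailed or logged.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user, "ip": client_ip,
                               "created": now, "last_seen": now}
        return sid

    def validate(self, sid, client_ip):
        """Return the user name for a valid session, otherwise None."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        expired = (now - rec["last_seen"] > IDLE_TIMEOUT
                   or now - rec["created"] > ABSOLUTE_TIMEOUT)
        # An ID presented from a different address is treated as leaked.
        wrong_client = rec["ip"] != client_ip
        if expired or wrong_client:
            del self._sessions[sid]   # invalidate; the user must log in again
            return None
        rec["last_seen"] = now
        return rec["user"]


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("alice", "203.0.113.10")   # constructed sample addresses
    print(store.validate(sid, "203.0.113.10"))   # request from the owner
    print(store.validate(sid, "198.51.100.7"))   # same ID, different address
    print(store.validate(sid, "203.0.113.10"))   # session was invalidated
```

IP binding also ends sessions for legitimate users whose address changes, for example on mobile networks; binding to the TLS session, which the notes also list, avoids that.
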
Reconnaissance Assignment

## [OWASP Top-10](https://owasp.org/Top10/) Web Application Risks (as of 2017):

- Injection, Broken Authentication, Sensitive Data Exposure, XML External Entity (XXE), Security Misconfiguration, Cross-Site Scripting (XSS), Insecure Deserialization, Using Components with Known Vulnerabilities, Insufficient Logging & Monitoring

## Waterfall SDLC vs. Agile Software Development vs. Secure Agile:

- Waterfall SDLC: Sequential phases (Design, Requirements, Implementation, Verification, Maintenance)
- Agile Software Development: Iterative sprint cycles based on user stories
- Secure Agile: Includes additional security steps during project startup, each sprint cycle, and final test and validation
- Threat modeling in Secure Agile: Identify, analyze, and describe relevant threats using STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege)

### STRIDE

- Spoofing - Can an attacker gain access with a false identity?
- Tampering - Can an attacker modify data as an application runs?
- Repudiation - If an attacker denies interaction, can we prove it?
- Information Disclosure - Can an attacker gain PII?
- Denial of Service - Can an attacker crash or reduce availability?
- Elevation of Privilege - Can an attacker assume the identity of a privileged user?