Chao-Hsien Chu, Ph.D.College of Information Sciences and Technology

The Pennsylvania State UniversityUniversity Park, PA 16802

chu@ist.psu.edu

Application SecurityApplication Security

LearningbyDoing

Theo

ry

Practi

ce

IST 515

Castle AnalogueCastle Analogue

We can learn a lot from building Castle. • Build with security in mind

• Have defense in depth, not just from the outside

• May have to give up some efficiency to have good security

• Hard to add on later, if don’t start first

ObjectivesObjectives

• Understand the principles related to designing secure information system / applications.

• Understand the security and controls that should be included in system development process, databases, data warehousing, knowledge-based systems, and web applications.

• What are the proper and secure means of designing and controlling applications.

• Understand malicious code and software, such as computer viruses and how they can be introduced into the computing environment.

• Understand mechanisms that can be used to prevent, detect, and correct malicious code and their attacks.

Readings (1)Readings (1)

• Tipton, H. and Henry, K. (Eds.), Official (ISC)2 Guide to the CISSP CBK, Domain 8 - “Application Security,” (Required). By Robert M. Slade. Auerbach, 2007.

• Amer, S. H., Humphries, J. W. and Hamilton, Jr, J. A., “Survey: Security in the System Development Life Cycle,” Proceedings of the 2005 IEEE Workshop on lnfomation Assurance and Security, United States Military Academy, West Point, NY, pp. 310-316. (Required).

• Baskerville, R., “Information Systems Security Design Methods: Implications for Information Systems Development,” ACM Computing Surveys, Vol. 25, No 4, December 1993, pp. 375-414.

• Wikipedia, “Application Security.” (Required) http://en.wikipedia.org/wiki/Application_security.

Readings (2)Readings (2)

• Wikipedia, “Software engineering.” http://en.wikipedia.org/wiki/Software_engineering.

• Wikipedia, “Capability Maturity Model.” http://en.wikipedia.org/wiki/Capability_Maturity_Model.

• Wikipedia, “Systems Development Life Cycle.” http://en.wikipedia.org/wiki/Systems_Development_Life_Cycle.

• Wikipedia, “Object-oriented Programming.” http://en.wikipedia.org/wiki/Object-oriented_programming

• Wikipedia, “Buffer Overflow.” http://en.wikipedia.org/wiki/Buffer_overflow.

Readings (3)Readings (3)

• Wikipedia, “Covert Channel.” http://en.wikipedia.org/wiki/Covert_channel.

• Wikipedia, “Malware”. http://en.wikipedia.org/wiki/Malware

• The Department of Homeland Security and SRI International, “The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond,” http://www.antiphishing.org/reports/APWG_CrimewareReport.pdf

• Wikipedia, “Database security.” http://en.wikipedia.org/wiki/Database_security.

Scope of Application SecurityScope of Application Security

The domain covers the following topics:

• The processes and activities regarding the planning, programming and management of software and systems.

• The controls that may be installed within software systems to ensure the confidentiality, integrity and availability of either software or data under processing.

• The concepts involved in databases and database management and web applications.

• The proper and secure means of designing and controlling applications.

• Malicious Software - Malware.

Current Situations (1)Current Situations (1)

• Information security has traditionally emphasized the system level access controls, recent has focused attention on applications.

• Software security is a major problem. A great many of information security incidents involve software vulnerabilities in one form or another.

• Few security professionals have significant systems development or programming background. At the same time, training in programming and development tends to emphasize speed and productivity over quality, let alone considerations of security.

Current Situations (2)Current Situations (2)

• A troublesome characteristic of application software may affect the computing and business environment broadly.

• Legacy code, as well as design decisions taken decades ago, are still involved in current systems and interact with new technologies and operations in ways that may open additional vulnerabilities.

• Malware is much more than a mere nuisance: it is now a major security risk. A recent FBI computer crime survey indicated that malware accounted for a third of the total cost to business of all reported incidents.

Threats to the Software EnvironmentThreats to the Software Environment

• Buffer Overflow. • Citizen Programmers.• Covert Channel.• Malicious Code/Malware.• Memory Reuse (Object Reuse).• Executable Content/Mobile Code.• Social Engineering.• Time of Check/Time of Use (TOC/TOU).• Trapdoor/Backdoor.

Buffer OverflowBuffer Overflow

Buffer overflow problem occurs when a program fills up its buffer of memory with

more data than the buffer can hold. When the program begins to write beyond the end of

the buffer, the program’s execution path can be changed. This can lead to the insertion of malicious code (e.g., patch the kernel) that

can be used to destroy data or to gain administrative privileges on the program or

machine.

How a Buffer Overflow WorksHow a Buffer Overflow Works

• A program that is the target of an attack is provided with more data than the application was intended or expected to handle.

• The attacked program (target) overruns the memory allocated for input data, and writes the excess data into the system memory.

• The excess data can contain machine language instructions so that when the next step is executed, the attack code, like a Trojan horse or other type of malicious code, is run.

Citizen ProgrammersCitizen Programmers

• Citizen programmers refer to the cases in which casual users are allowed access to programming languages in order to modify the software program. Visual Basic, included in the Microsoft Office suite, is often used by citizen programmers to develop their applications or extend existing ones.

• Citizen programmers are unlikely to be trained in, or bound by, system development practices that involve proper application design, change control, and support for the application. Therefore, application development in such a manner is likely to be chaotic and lack any form of assurance in regard to security.

Covert ChannelCovert Channel

• A covert channel or confinement problem is an information flow issue. It is a communication channel allowing two cooperating processes to transfer information in such a way that it violates the system’s security policy.

• It is any flow of information -- intentional or inadvertent -- that enables an observer not authorized to have the information to infer what it is or that it exists. This is primarily a concern in systems containing highly sensitive information.

Types of Covert ChannelsTypes of Covert Channels• A covert storage channel involves the direct or

indirect reading of a storage location by one process and a direct or indirect reading of the same storage location by another process. Typically, a covert storage channel involves a finite resource, such as a sector on a disk that is shared by two subjects at different security levels.

• A covert timing channel depends upon being able to influence the rate that some other process is able to acquire resources such as the CPU, memory, or I/O devices. The variation in rate may be used to pass signals. Timing channels are normally considerably less efficient than storage channels because they have reduced bandwidth and are usually more difficult to control.

Memory Reuse (Object Reuse)Memory Reuse (Object Reuse)

• This is a problem related to memory management. The problem occurs because residual information remain in memory when a section of memory is reassigned to a new process after a previous process is finished with it, a security violation may occur.

• Memory management involves sections of memory allocated to one process for awhile, then deallocated, then reallocated to another process. When memory is reallocated, the operating system should ensure that memory is zeroed out or completely overwritten before it can be accessed by a new process. Thus, there is no residual information in memory carrying over from one process to another.

Mobile Code• "Mobile Code" is computer code sourced from remote, possibly

"untrusted" systems, but executed on your local system. The concept of "mobile code" has been called by many names: mobile agents, mobile code, downloadable code, executable content, active capsules, remote code, and others. All these deal with the local execution of remotely sourced code.

• Examples of mobile code include scripts (JavaScript, VBScript), Java applets, ActiveX controls, Flash animations, Shockwave movies (and Xtras), and macros embedded within Microsoft Office documents.

• Mobile code can also download and execute in the client workstation via email. Mobile code may download via an email attachment (e.g., macro in a Word file) or via an HTML email body (e.g., JavaScript). For example, the ILOVEYOU, TRUELOVE, and AnnaK email viruses/worms all were implemented as mobile code (VBScript in a .vbs email attachment that executed in Windows Scripting Host).

Social Engineering

• Social engineering is the act of manipulating a person to accomplish goals that may or may not be in the target’s best interest. This may include obtaining information, gaining access, or getting the target to take certain action.

• Every time you try to get someone to do something that is in your interest, you are engaging in social engineering. From children trying to get a toy from their parents to adults trying to land a job or score the big promotion, all of it is a form of social engineering.

• Due to the mystery surrounding this dark art many people are afraid of it, or they feel they will never be able to accomplish a successful social engineering test.

Time of Check/Time of Use (TOC/TOU)Time of Check/Time of Use (TOC/TOU)

• This is a type of asynchronous attack that occurs when some control information is changed between the time the system security functions check the contents of variables and the time the variables actually are used during operations.

• For example, a user logs on to a system in the morning and is fired later in the day. As a result of the termination, the security administrator removes the user from the user database. Because the user did not log off, he or she still has access to the system and might try to disrupt operations or cause damage.

Trapdoor/Backdoor (1)Trapdoor/Backdoor (1)

A trapdoor or backdoor is a hidden mechanism that bypasses access control measures. It is an entry point into a program that is inserted in

software by programmers during the program’s development to provide a method of gaining

access into the program for modification if the access control mechanism malfunctions and locks them out. (In this situation, it may also be called a

maintenance hook.)

Trapdoor/Backdoor (2)Trapdoor/Backdoor (2)

They can be useful for error correction, but they are dangerous opportunities for unauthorized

access if left in a production system. A programmer or someone who knows about the backdoor can exploit the trapdoor as a covert means of access after the program has been

implemented in the system. An unauthorized user may also discover the entry point while trying to

penetrate the system

Software EngineeringSoftware Engineering

• Software development and maintenance is the dominant expenditure in information systems. Because of the expenses associated with software development, industry research began to provide the best methods of reducing costs, which subsequently led to the discipline of software engineering.

• Software engineering simply stated that software products had to be planned, designed, constructed, and released according to engineering principles. It included software metrics, modeling, methods, and techniques associated with the designing of the system before it was developed, tracking project progress through the entire development process.

Software Capability Maturity Model (CMM)Software Capability Maturity Model (CMM)

• Developed by Carnegie Mellon Software Engineering Institute (SEI) in 1986.

• The SW-CMM framework establishes a basis for evaluation of the reliability of the development environment.

• It is assumed that good practices can be repeated. If an activity is not repeated, there is no reason to improve it.

• Theory suggests that the more mature the development process, the more likely it is to have more robust and security software.

Software Capability Maturity ModelSoftware Capability Maturity Model

• Organizations must commit to having policies, procedures, and practices and to using them so that the organization can perform in a consistent manner.

• Practices need to be defined in such a manner as to allow for transfer across project boundaries.

• Quantitative objectives are established for tasks. Measures are established, done, and maintained to form a baseline from which an assessment is possible.

• Practices are continuously improved to enhance capability (optimizing).

Five CMM Maturity LevelsFive CMM Maturity Levels

• Level 1 - Initiating - Informal processes, ad hoc development, competent people and heroics.

• Level 2 - Repeatable - Project management process and practices are institutionalized.

• Level 3 - Defined - Integration of technical and management processes, organizational support.

• Level 4 - Managed - Product and process improvement, quantitatively controlled.

• Level 5 - Optimizing - Continuous process improvement is institutionalized.

Benefits of Higher Level CMMBenefits of Higher Level CMM

• Improved software quality

• Reduced life cycle time

• More accurate scheduling and meeting milestones

• Proactive planning and tracking

• Better security, fewer bugs, if institutionalized

Software Development PhasesSoftware Development Phases

• Project initiation and planning• Functional requirements definition• System design specifications• Build (develop) and document• Acceptance• Transition to production (installation)• Operations and maintenance support (post-

installation)• Revisions and system replacement

Security in Project Initiation PhaseSecurity in Project Initiation Phase

Identify Security Needs:•Classification and criticality of•information/applications•Basic security objectives •Security controls workload

Initial Risk Analysis:•Threats/Vulnerabilities/Risks•Analyze technical, operational, and economical feasibility of security alternatives•Estimate security-related costs/benefits

Identify Security Framework:•Essential security issues and risks•Determination of service level agreements

Identify User Needs

Evaluate Alternatives

Select/Approve Approach

Notice

Because of the time constraint, I will not continue to cover the remaining slides. As you can see, there are more materials that we can

cover in a class lesson. If you are interested in the topic, please read the materials by yourself

Security in Project Initiation PhaseSecurity in Project Initiation Phase

• Does particular information have special value or require special protection?

• Has the system owner determined the information’s value? What are the assigned classifications?

• Will application operation risk exposure of sensitive information?

• Will control of output displays or reports require special measures?

• Will data be generated in public or semipublic places? Are controlled areas required for operation?

Security in Functional Requirements PhaseSecurity in Functional Requirements Phase

Security Areas in Project Plan:•Configuration and access controls•Audit trails

Define Security Requirements:•Tied into the risk analysis and contingency plan•Threats, vulnerabilities, risks•Security control points•Preliminary contingency planning

Preliminary Security Test Plan:•Test methods and resources•Identify evaluation criteria and controls to be tested

Include Security Requirements in RFP and Contracts:•Ensure service level agreement and maintenance contracts meet security•Hardware and software backups and escrow

Functional Baseline Has Security Requirements

PrepareProject Plan

Develop Functional Requirements

Preliminary Test Plan

Select Acquisition Strategy

Establish FormalFunctional Baseline

Security in Design PhaseSecurity in Design Phase

Define Security Specifications :•System/subsystem/interface•Program/database/hardware and firmware/ network

Develop Detailed Design

Update Testing Goals and Plans

Establish FormalBaseline/quality

Controls and Requirements

Update Security Test Plan :•Develop security test procedure•Test security under abnormal and illegal circumstances

Include security area in formal baseline documentation and quality assurances

Security in Deployment PhaseSecurity in Deployment Phase

Write or procure and install security-related code:•Control access to code•Identify/document code

Construct Source Code From Detailed

Design Specifications

Perform and Evaluate Unit Tests

Implement Detailed Design into Final

System

Perform unit tests and evaluate security-related code

Ensure approved security components in formal baseline are included

Security in Acceptance PhaseSecurity in Acceptance Phase

Test security components

Test security in integrated system•Assess functional operations and performance•Identify test failures•Analyze test results against security requirements

Document security controls•User guides must specify access control and protection requirements for sensitive data•Operations/Maintenance manuals

Conduct acceptance test:•Last chance to detect security weakness or vulnerabilities

Accept/verify project security

Test System Components

Validate System Performance

Install System

Prepare Project Manuals

Perform Acceptance Test

Accept System

Install security code with necessary modifications

System Development MethodsSystem Development Methods

• Waterfall Models:

- Structured programming development (SDM).

- Spiral Model.

- Cleanroom

• Iterative Development:

- Prototyping.

- Modified Prototype Model (MPM).

- Rapid Application Development (RAD).

- Joint Analysis Development (JAD).

- Exploratory Model.

System Development MethodsSystem Development Methods

• Other Methods and Models:

- Computer-aided Software Engineering (CASE).

- Component-based Development.

- Reuse Model.

- Extreme Programming.

Waterfall ModelWaterfall Model

• The waterfall method is the oldest method for developing software systems.

• Each phase contains a list of activities that must be performed and documented before the next phase begins.

• The disadvantage of the model is that it demands a heavy overhead in planning and administration, and requires patience in the early stages of a project. Also, because each phase must be completed before the next, it can inhibit a development team from pursuing concurrent phases or activities.

Waterfall ModelWaterfall Model

• Usually, this method is not good for projects that must be developed in quick turnaround time periods (generally less than six months).

• The waterfall model is considered to be the paradigm for the styles known as noniterative models.

• From the perspective of security, noniterative models are preferred for systems development.

Waterfall Method SDLCWaterfall Method SDLC

1. System requirements (Validation)

2. Software requirements (Validation)

3. Analysis (Verification)

4. Program design (Verification)

5. Coding (Unit test)

6. Product Integration (Verification)

7. Implementation (System test)

8. Operations & maintenance (Revalidation)

Spiral ModelSpiral Model

• Progress – Angular dimension• Cost – Radial dimension• Plans – Lower left quadrant• Objectives, means and constrains - Upper

left quadrant• Prototyping, modeling and simulations –

Upper right quadrant• Final development stages - Lower right

quadrant

Threats to the Software EnvironmentThreats to the Software Environment

• Buffer Overflow. • Citizen Programmers.• Covert Channel.• Malicious Code/Malware.• Memory Reuse (Object Reuse).• Executable Content/Mobile Code.• Social Engineering.• Time of Check/Time of Use (TOC/TOU).• Trapdoor/Backdoor.

Special ConsiderationsSpecial Considerations

• Java Security• Object-oriented

Programming• Distributed Object-

oriented Systems• Database Security• Knowledge-based

systems security• Web Application

Security

• Software Protection Mechanisms

• Audit Assurance Mechanisms.

• Configuration Management

• Certification• Accreditation• Security Controls

Java Security (1)Java Security (1)

• The Java programming language implements some specific security provisions.

1. Verifier (or interpreter), which helps to ensure type safety. It is primarily responsible for memory and bounds checking.

2. Class loader, which loads and unloads classes dynamically from the Java runtime environment.

3. Security manager, which acts as a security gatekeeper protecting against rogue functionality.

Java Security (2)Java Security (2)

• Java Certification Path API for building and validating certification paths and managing certificate revocation lists.

• Java GSS-API for securely exchanging messages between communication applications using Kerberos. Support for single sign-on using Kerberos is also included.

• Java Authentication and Authorization Service (JASS), which enables services to authenticate and enforce access controls upon users.

Java Security (3)Java Security (3)

• Java Cryptography Extension (JCE) provides a framework and implementation for encryption, key generation, and key agreement, and message authentication code (MAC) algorithms.

• Java Secure Socket Extension (JSSE) enables secure Internet connections. It implements a Java version of the Secure Socket Layer (SSL) and Transport Layer Security (TLS) protocols and includes functionality for data encryption, server authentication, message integrity, and optional client authentication.

Object Oriented ProgrammingObject Oriented Programming

• OOP is a programming method that makes a self-sufficient object.

• The object is a block of preassembled programming code in a self-contained module.

• The module encapsulates both data and the processing instructions that may be called to process the data. Once a block of programming code is written, it can be reused in any number of programs.

OO TermsOO Terms

• Message• Method• Behavior• Class• Instance• Inheritance• Delegation• Polymorphism• Polyinstantiation

Object-Oriented Security (1)Object-Oriented Security (1)

• In object-oriented systems, objects are encapsulated. Encapsulation protects the object by denying access to view what is located inside the object.

• Encapsulation of the object does provide protection of private data from outside access. For security purposes, no object should be able to access another object’s internal data.

• On the other hand, it could be difficult for system administrators to apply the proper policies to an object if they cannot identify what the object contains.

Object-Oriented Security (2)Object-Oriented Security (2)

• Some of the security issues can be found in the use of polyinstantiation, polymorphism, and inheritance.

• Polyinstantiation allows for iteratively producing a more defined version of an object by replacing variables with values (or other variables). Thus, multiple distant differences between data within objects are done to discourage low-level objects from gaining information at a high level of security.

• It is also the technique used to avoid covert channels based on inference by causing the same information to exist at different classification levels.

Object-Oriented Security (3)Object-Oriented Security (3)

• Polymorphism refers to a programming language’s ability to process objects differently depending on their data type.

• The term is sometimes used to describe a variable that may refer to objects whose class is not known at compile time, but will respond at runtime according to the actual class of the object to which they refer.

• Even though polymorphism seems straightforward, if used incorrectly, it can lead to security problems.

Object-Oriented Security (4)Object-Oriented Security (4)

• Inheritance allows a programmer to build a new class similar to an existing class without duplicating all the code. The new class inherits the old class’s definitions and adds to them. This can help decrease program development time — what works for the superclass will also work for the subclass.

• Multiple inheritances can introduce complexity and may result in security breaches for object accesses. Issues such as name clashes and ambiguities must be resolved by the programming language to avoid a subclass inheriting inappropriate privileges from a superclass.

Key Characteristics of OOP (1)

• Encapsulation (Also Known as Data Hiding). A class defines only the data it needs to be concerned with. When an instance of that class (i.e., an object) is run, the code will not be able to accidentally access other data, which is generally seen as positive in terms of security.

• Polymorphism. Objects may be processed differently depending on their data type. Unfortunately, this has implications for security that must be carefully assessed.

Key Characteristics of OOP (2)

• Inheritance. The concept of a data class makes it possible to define subclasses of data objects that share some or all of the main (or super) class characteristics. If security is properly implemented in the high-level class, then subclasses should inherit that security.

• Polyinstantiation. Specific objects, instantiated from a higher class, may vary their behavior depending upon the data they contain. Therefore, it may be difficult to verify that inherited security properties are valid for all objects. However, polyinstantiation can also be used to prevent inference attacks against databases, because it allows different versions of the same information to exist at different classification levels.

Distributed Object-Oriented SystemsDistributed Object-Oriented Systems

• Distributed development architectures allow applications to be divided into pieces that are called components, and each component can exist in different locations. This development paradigm allows programs to download code from remote machines onto a user’s local host in a seamless manner to the user.

• Common Object Request Broker Architecture (CORBA), Java Remote Method Invocation (JRMI), Enterprise JavaBean (EJB), and Distributed Component Object Model (DCOM).

Software Protection MechanismsSoftware Protection Mechanisms

• Security Kernels.

• Processor Privilege States.

• Security Controls for Buffer Overflows.

• Controls for Incomplete Parameter Check and Enforcement.

• Memory Protection.

• Covert Channel Controls.

• Cryptography.

• Password Protection Techniques.

Software Protection MechanismsSoftware Protection Mechanisms

• Inadequate Granularity of Controls.• Control and Separation of Environments.• Time of Check/Time of Use (TOC/TOU).• Social Engineering.• Backup Controls.• Software Forensics.• Malicious Code/Malware Controls.• Virus Protection Controls.• Mobile Code Controls.• Sandbox.• Programming Language Support.

Audit and Assurance MechanismsAudit and Assurance Mechanisms

• Information Integrity.

• Information Accuracy.

• Information Auditing.

• Certification and Accreditation.

• Information Protection Management.

• Change Management.

• Configuration Management.

Certification (1)Certification (1)

• Certification is the technical evaluation of security compliance of the information system within its operational environment: the endorsement by the users and managers that the system/application meets their functional requirements.

• Certification also involves how well the system performs its intended functional requirements.

Certification (2)Certification (2)

• The certification or evaluation document should contain an analysis of the technical and nontechnical security features and countermeasures and the extent to which the software or system meets the security requirements for its mission and operational environment

• The certification process is followed by accreditation.

AccreditationAccreditation

• The accreditation process reviews the certification information and grants the official authorization to place the information system into operational use. It is the formal approval by senior management.

• The U.S. National Institute of Standards and Technology (NIST) has developed a document (SP 800-37) that recommends a certification and accreditation process and procedures.

Vulnerabilities of CertificationVulnerabilities of Certification

• Organizations and users cannot count on the certified product being free of security flaws. Because new vulnerabilities are always being discovered, no product is ever completely secure.

• Most software products must be securely configured to meet certain protection mechanisms.

• Certifications are not the definitive answer to security. Information system security depends on more than just technical software protection mechanisms, such as personnel and physical security measures.

Configuration ManagementConfiguration Management

• Identifying and controlling components of an every evolving systems

– Configuration item

– Version

– Building

– Build list

– Software Library

Malicious Code/MalwareMalicious Code/Malware

• Software designed specifically to include functions for penetrating a system, breaking security policies, or to carry malicious or damaging payloads.

• “… a huge category of unwanted code…. Electronic burglar tools like password crackers, traffic sniffers, keystroke loggers, data scroungers and remote access Trojans (RATs) are being used by attackers both inside and outside organizations to capture passwords, spy on network traffic, record private communications, and stealthily receive and transmit unauthorized commands to and from remote hosts.”

Types of Malicious CodeTypes of Malicious Code

• Virus:

• File infector or file-infecting virus.

• Boot sector infector or virus.

• System infector.

• Multipartite virus.

• Email virus.

• Macro virus.

• Script virus.

• Worms.

• Hoax.

• Trojan horses.

• Remote Access Trojan (RAT).

• Rootkits.

• DDoS Zombies

• Logic Bomb.

• Spyware and Adware.

• Pranks.

Malware ProtectionMalware Protection

• Do not double-click on attachments.• When sending attachments, provide a clear and

specific description as to the content of the attachment.

• Do not blindly use the most widely used products as a company standard.

• Disable Windows Script Host, ActiveX, VBScript, and JavaScript. Do not send HTML-formatted e-mail.

• Use more than one scanner, and scan everything.

Malware Protective ToolsMalware Protective Tools

• Scanners.• Activity Monitors.• Heuristic Scanners.• Change Detection.• Antimalware Policies.

Database Vulnerabilities and ThreatsDatabase Vulnerabilities and Threats

• Aggregation.

• Bypass attacks.

• Compromising database views used for access control.

• Concurrency.

• Data contamination.

• Deadlocking.

• Denial-of-service.

• Improper modification of information.

• Inference.

• Interception of data.

• Polyinstantiation.

• Query attacks.

• Server access.

• Time of check/time of use (TOC/TOU).

• Web security.

• Unauthorized access.

DBMS ControlsDBMS Controls

Lock Controls:

• Page locking: an entire memory page is locked.

• Table locking: an entire table is locked.

• Row locking: a row of data is locked.

• Field locking: the single field that is being changed is locked.

Access Controls:

• Discretionary Access Controls (DACs).

• Mandatory Access Controls (MACs).

• Access Matrix.

• View-Based Access Controls.

• Grant and Revoke Access Controls.

Aggregation and InferenceAggregation and Inference

• Aggregation - users combine individual pieces of information

• Inference - using the clues to figure out the larger story

Preventing Aggregation andPreventing Aggregation andInference in databasesInference in databases

• Containers - placing data in logical containers and controlling access rights

• Cell Suppression - hiding cells that contain sensitive info (Salary)

• Partitioning - implementing views with limited info• Noise and perturbation – Putting false/misleading info in

database• Context dependent access control - looks at previous

access and try to detect inference possibilities before allowing other access

• Zero Knowledge Proof - make sure information given does not give up other information

Knowledge ManagementKnowledge Management

• The application of artificial intelligence techniques to decision support.

• Workflow management.• Business process modeling.• Document management.• Databases and information systems.• Knowledge-based systems.• Knowledge discovery in databases (KDD).• Online analytical processing (OLAP).

Artificial IntelligenceArtificial Intelligence

• Expert systems - mimic human experts, based on knowledge of experts

– Cannot learn on own

– Need to make sure they don’t give away to much information

• Neural networks - based on human brain structure (neurons), pattern recognition

– Can apply more weights to different scenarios

– Can piece together patterns humans might miss

Security Controls for KMSecurity Controls for KM

• Protecting the knowledge base as you would any database.

• Routinely verifying the decisions based on what outcomes are expected from specific inputs.

• If using a rule-based approach, changes to the rules must go through a change control process.

• If the data output seems suspicious or out of the ordinary, perform additional and different queries to verify the information.

• Making risk management decisions because decisions that are based on data warehouse analysis techniques may be incorrect.

• Developing a baseline of expected performance from the analytical tool.

Web Application ThreatsWeb Application Threats

• Web applications are subject to all of the threats and protection mechanisms discussed elsewhere.

• Web applications are specifically vulnerable because of their accessibility, access to database information, or transaction processing.

• Most attacks are conducted at the application level, either against the Web server application itself, in-house scripts, or common front-end applications used for E-commerce.

Web Application ProtectionWeb Application Protection

• Having a particular assurance sign-off process for Web servers.

• Hardening the operating system used on such servers (removing default configurations and accounts, configuring permissions and privileges correctly, and keeping up to date with vendor patches).

• Extending Web and network vulnerability scans prior to deployment.

• Passively assessing intrusion detection system (IDS) and advanced intrusion prevention system (IPS) technology

• Using application proxy firewalls, and disabling any unnecessary documentation and libraries.

Web Application ProtectionWeb Application Protection

• Ensure that administrative interfaces are removed or secured appropriately.

• Only allow access from authorized hosts or net works, and use strong (possibly multifactor) user authentication.

• Do not hard code the authentication credentials into the application itself and ensure the security of the credentials.

• Use account lockout and extended logging and audit, and protect all authentication traffic with encryption.

• Ensure that the interface is at least as secure as the rest of the application, and most often secure it at a higher level.

Web Application ProtectionWeb Application Protection

• Ensure that the proxies are able to deal with problems of buffer overflows, authentication issues, scripting, submission of commands to the underlying platform, encoding issues (such as Unicode), and URL encoding and translation.

• The proxy firewall may have to address issues of data submission to in-house and custom software, ensuring validation of input to those systems.

• Cookies or URL data, which must be both protected and validated. If using cookies, always encrypt them.

• Validate all input and output.

• Fail secure (closed).

Web Application ProtectionWeb Application Protection

• Make your application or system as simple as possible.

• Use secure network design.

• Use defense in depth.

• Do not cache secure pages.

• Confirm that all encryption used meets industry standards.

• Monitor your code vendors for security alerts.

• Log any and all critical transactions and milestones.

• Handle exceptions properly

• Do not trust any data from the client.

• Do not automatically trust data from other servers, partners, or other parts of the application.