Scribd Logo
Upload

Welcome to Scribd!

  • Segurança de Sistemas Informáticos: João Marco Silva Joaomarco@di - Uminho.pt

    Uploaded by

    Luis Ramos
    10 views19 pages
    This document is from the Department of Computer Science and covers concepts related to information security. It discusses key topics like confidentiality, integrity, availability and the CIA triangle. Additional concepts covered include assets, attacks, exploits, exposures, risks, threats and vulnerabilities. Specific vulnerabilities like CVE-2017-18249 are examined. Methods for scoring vulnerabilities like CVSS are presented. Resources for accessing vulnerability databases such as NVD and CVE details are provided. The document also discusses the Common Weakness Enumeration framework and the Exploit Database. It concludes with an exercise assignment related to the covered topics.

    Original Description:

    Aulas de ssi

    Original Title

    SSI_Aula_01

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document is from the Department of Computer Science and covers concepts related to information security. It discusses key topics like confidentiality, integrity, availability and the CIA triangle. Additional concepts covered include assets, attacks, exploits, exposures, risks, threats and vulnerabilities. Specific vulnerabilities like CVE-2017-18249 are examined. Methods for scoring vulnerabilities like CVSS are presented. Resources for accessing vulnerability databases such as NVD and CVE details are provided. The document also discusses the Common Weakness Enumeration framework and the Exploit Database. It concludes with an exercise assignment related to the covered topics.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    10 views19 pages

    Segurança de Sistemas Informáticos: João Marco Silva Joaomarco@di - Uminho.pt

    Uploaded by

    Luis Ramos
    This document is from the Department of Computer Science and covers concepts related to information security. It discusses key topics like confidentiality, integrity, availability and the CIA triangle. Additional concepts covered include assets, attacks, exploits, exposures, risks, threats and vulnerabilities. Specific vulnerabilities like CVE-2017-18249 are examined. Methods for scoring vulnerabilities like CVSS are presented. Resources for accessing vulnerability databases such as NVD and CVE details are provided. The document also discusses the Common Weakness Enumeration framework and the Exploit Database. It concludes with an exercise assignment related to the covered topics.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 19

    Departamento de Informática

    Segurança de
    Sistemas Informáticos
    João Marco Silva

    joaomarco@di.uminho.pt

    2020/2021
    Concepts
    • What is information security?

    • the protection of information and its critical elements,


    including the systems and hardware used to process,
    store, and transmit the information*.

    The C.I.A. triangle

    * Source: The Committee on National Security Systems (CNSS)


    MIEI/MEI - Segurança de Sistemas Informáticos - 2020/2021 2
    Concepts
    • Confidentiality

    • ensures that only users/systems with the rights and privileges to


    access information are able to do so

    • Integrity

    • ensures the authenticity of information

    • involves maintaining consistency, accuracy, and


    trustworthiness of data over its entire life cycle

    • Availability

    • ensures authorized users/systems to access information without


    interference or obstruction

    MIEI/MEI - Segurança de Sistemas Informáticos - 2020/2021 3


    Concepts

    • Additional key concepts

    • Asset: the resource being protected

    • Attack: intentional or unintentional act that can damage


    or otherwise compromise information and the systems
    that support it

    • Exploit: a technique used to compromise a system

    • Exposure: a condition or state of being exposed. It


    exists when a vulnerability is known to an attacker

    MIEI/MEI - Segurança de Sistemas Informáticos - 2020/2021 4


    Concepts

    • Additional key concepts

    • Risk: the probability of an unwanted occurrence

    • Threat: a category of objects, people, or other entities that


    represents a danger to an asset

    • Vulnerability: a weakness or fault in a system or protection


    mechanism that opens it to attack or damage

    MIEI/MEI - Segurança de Sistemas Informáticos - 2020/2021 5


    Vulnerabilities

    Do you know all the vulnerabilities your


    personal system is exposed to, right now?

    MIEI/MEI - Segurança de Sistemas Informáticos - 2020/2021 6


    Vulnerabilities

    Android’s security update summary

    MIEI/MEI - Segurança de Sistemas Informáticos - 2020/2021 7


    Vulnerabilities

    • CVE - Common Vulnerabilities and Exposures

    • a list of standardized names for vulnerabilities and


    other information related to publicly known security
    exposures

    • CVE is maintained by MITRE Corporation which is also


    responsible for moderating the Editorial Board

    • cve.mitre.org

    MIEI/MEI - Segurança de Sistemas Informáticos - 2020/2021 8


    Vulnerabilities
    • A closer look - CVE-2017-18249

    MIEI/MEI - Segurança de Sistemas Informáticos - 2020/2021 9


    Vulnerabilities
    • A closer look - CVE-2017-18249

    CVSS - Common Vulnerability Scoring System


    MIEI/MEI - Segurança de Sistemas Informáticos - 2020/2021 10
    Vulnerabilities
    • CVSS v3.1 Base Metric Group
    Attack vector (AV) Network (N); Adjacent (A); Local (L); Physical (P)

    Attack complexity (AC) Low (L); High (H)


    Exploitability metrics
    Privileges required (PR) None (N); Low (L); High (H)

    User interaction (UI) None (N); Required (R)

    Scope (S) Unchanged (U); Changed (C)

    Confidentiality impact (C) None (N); Low (L); High (H)

    Impact metrics Integrity impact (I) None (N); Low (L); High (H)

    Availability impact (A) None (N); Low (L); High (H)

    • See also Temporal Metrics & Environmental Metrics

    MIEI/MEI - Segurança de Sistemas Informáticos - 2020/2021 11


    Vulnerabilities
    • CVSS v3.1: Qualitative severity rating scale

    Rating CVSS Score

    None 0.0

    Low 0.1 - 3.9

    Medium 4.0 - 6.9

    High 7.0 - 8.9

    Critical 9.0 - 10.0

    MIEI/MEI - Segurança de Sistemas Informáticos - 2020/2021 12


    Vulnerabilities
    • Vulnerabilities databases

    • National Vulnerability Database - NVD

    • National Institute of Standards and Technology

    • nvd.nist.gov

    • MITRE

    • cve.mitre.org

    • CVE details

    • www.cvedetails.com

    • Rapid7

    • www.rapid7.com/db/vulnerabilities

    MIEI/MEI - Segurança de Sistemas Informáticos - 2020/2021 13


    Weaknesses

    • CWE - Common Weakness Enumeration

    • Community-developed list of software an hardware


    weakness types

    • Category system

    • A baseline for weakness identification, mitigation and


    prevention

    • CWE List v4.2 https://cwe.mitre.org/data/

    MIEI/MEI - Segurança de Sistemas Informáticos - 2020/2021 14


    Weaknesses
    • CWE - Common Weakness Enumeration

    • CWSS - Common Weakness Scoring System

    • Metric groups

    Source: cwe.mitre.org/cwss/cwss_v1.0.1.html

    MIEI/MEI - Segurança de Sistemas Informáticos - 2020/2021 15


    Exploits

    OpenSSL vulnerability

    Intel Advanced Encryption - New Instructions (AES-NI)

    MIEI/MEI - Segurança de Sistemas Informáticos - 2020/2021 16


    Exploits
    • Exploit Database - Exploit-DB

    • www.exploit-db.com

    MIEI/MEI - Segurança de Sistemas Informáticos - 2020/2021 17


    Exploits

    MIEI/MEI - Segurança de Sistemas Informáticos - 2020/2021 18


    Hands-on

    • Ficha de exercícios 1

    MIEI/MEI - Segurança de Sistemas Informáticos - 2020/2021 19

    You might also like