IT 223 Information Security Fundamentals Data and Application Security
Lecture 11
3 Categories …
The 3 approaches
Defensive measures
Stack overflow
• A technically inclined user may exploit stack-based buffer overflows
to manipulate the program to their advantage in one of several ways:
• By overwriting a local variable that is located near the vulnerable buffer
on the stack, in order to change the behavior of the program
• By overwriting the return address in a stack frame. Once the function
returns, execution will resume at the return address as specified by
the attacker - usually a user-input filled buffer.
Heap-based exploitation
A buffer overflow occurring in the heap data area is referred to as a heap overflow
and is exploitable in a manner different from that of stack-based overflows. Memory
on the heap is dynamically allocated by the application at run-time and typically
contains program data. Exploitation is performed by corrupting this data in specific
ways to cause the application to overwrite internal structures such as linked list
pointers. The canonical heap overflow technique overwrites dynamic memory
allocation linkage (such as malloc meta data) and uses the resulting pointer
exchange to overwrite a program function pointer.
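The two bullets above describe the same root cause on two memory regions: a copy whose length is controlled by the input rather than by the destination. The following C program is an added example (not code from the lecture) that puts the unchecked `strcpy()` pattern next to a bounded replacement for both a stack buffer and a heap chunk. `NAME_LEN`, the function names and the inputs are constructed for the illustration; the unchecked variants are only ever called with input that fits, they exist to show the shape of the bug.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 16   /* constructed buffer size for the example */

/* Vulnerable pattern: strcpy() trusts the source length, so input longer than
 * NAME_LEN spills past the local buffer into neighbouring stack data (other
 * locals, saved frame pointer, return address). Shown only for contrast. */
void stack_copy_unchecked(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);          /* no bound: overflows if strlen(input) >= NAME_LEN */
    printf("hello %s\n", name);
}

/* Hardened: check that the input fits (including the NUL), then copy with an
 * explicit length. Returns 0 on success, -1 when the input is refused. */
int stack_copy_checked(const char *input, char *out, size_t out_len)
{
    size_t n = strlen(input);
    if (out_len == 0 || n >= out_len)
        return -1;                /* would overflow: refuse rather than truncate silently */
    memcpy(out, input, n + 1);    /* n+1 copies the terminating NUL; bound verified above */
    return 0;
}

/* Same bug on the heap: a chunk sized for the expected length receives a longer
 * input, so the write runs into the next chunk and into the allocator's
 * bookkeeping that sits between chunks. Shown only for contrast. */
char *heap_copy_unchecked(const char *input)
{
    char *buf = malloc(NAME_LEN);
    if (!buf) return NULL;
    strcpy(buf, input);           /* no bound: corrupts adjacent heap memory if too long */
    return buf;
}

/* Hardened: size the allocation from the actual input, with an upper limit so an
 * attacker-controlled length cannot exhaust memory either. Returns NULL on
 * refusal or allocation failure; the caller frees the result. */
char *heap_copy_checked(const char *input, size_t max_len)
{
    size_t n = strlen(input);
    if (n > max_len) return NULL;
    char *buf = malloc(n + 1);
    if (!buf) return NULL;
    memcpy(buf, input, n + 1);
    return buf;
}

int main(void)
{
    char out[NAME_LEN];
    printf("%d\n", stack_copy_checked("alice", out, sizeof out));                        /* 0  */
    printf("%d\n", stack_copy_checked("this string is far too long", out, sizeof out));  /* -1 */
    char *h = heap_copy_checked("bob", NAME_LEN - 1);
    if (h) { printf("%s\n", h); free(h); }
    return 0;
}
```

The checked versions refuse oversized input instead of truncating it: silent truncation keeps the program running but can still break the logic that consumes the buffer, and a refusal is easier to log and alert on.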
Redirection
• http://www.example.com/home.php
• and on clicking it will bring you to
• http://www.examp1e.com/home.php
• This page could lead to a malicious page that
resembles the original, and tries to trick the
user into giving their credentials. Notice the “l”
and “1”, which can catch some unwary users
off-guard. This is a URL redirection attack.
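The “l” versus “1” trick only works because the two characters look alike; a link checker can fold such look-alike characters onto the letter they imitate and see whether the result collides with a domain it already trusts. The C program below is an added example, not part of the lecture: `KNOWN_HOSTS` is a constructed allowlist, and the confusable table (1→l, 0→o, 5→s) is an assumed minimal ASCII subset of the problem (a production check would use the Unicode confusables data and handle internationalised domain names).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample allowlist of hosts the organisation links to. */
static const char *const KNOWN_HOSTS[] = { "example.com", "www.example.com" };
#define N_KNOWN (sizeof KNOWN_HOSTS / sizeof KNOWN_HOSTS[0])

/* Lowercase `in` into `out`; when `substitute` is set, also map the assumed
 * confusable characters onto the letters they imitate (1->l, 0->o, 5->s). */
static void fold(const char *in, char *out, size_t out_len, int substitute)
{
    size_t i = 0;
    for (; in[i] != '\0' && i + 1 < out_len; i++) {
        unsigned char c = (unsigned char)tolower((unsigned char)in[i]);
        if (substitute) {
            switch (c) {
            case '1': c = 'l'; break;
            case '0': c = 'o'; break;
            case '5': c = 's'; break;
            default: break;
            }
        }
        out[i] = (char)c;
    }
    out[i] = '\0';
}

/* Copy the host part of http(s)://host[/...] into `host`. Returns 0, or -1 if the
 * URL has no recognised scheme or the host is empty or would not fit. */
int url_host(const char *url, char *host, size_t host_len)
{
    const char *p = NULL;
    if (strncmp(url, "https://", 8) == 0) p = url + 8;
    else if (strncmp(url, "http://", 7) == 0) p = url + 7;
    if (!p) return -1;
    size_t n = strcspn(p, "/?#:");     /* host ends at path, query, fragment or port */
    if (n == 0 || n >= host_len) return -1;
    memcpy(host, p, n);
    host[n] = '\0';
    return 0;
}

/* Classify a link target against the allowlist:
 *   0 = host is a known host (case-insensitive exact match)
 *   1 = host is unrelated to every known host
 *   2 = host is NOT known but folds onto a known host (lookalike, e.g. examp1e.com)
 *  -1 = URL could not be parsed */
int classify_link(const char *url)
{
    char host[256], lowered[256], folded[256], known_folded[256];
    if (url_host(url, host, sizeof host) != 0) return -1;
    fold(host, lowered, sizeof lowered, 0);
    for (size_t k = 0; k < N_KNOWN; k++)
        if (strcmp(lowered, KNOWN_HOSTS[k]) == 0) return 0;
    fold(host, folded, sizeof folded, 1);
    for (size_t k = 0; k < N_KNOWN; k++) {
        fold(KNOWN_HOSTS[k], known_folded, sizeof known_folded, 1);
        if (strcmp(folded, known_folded) == 0) return 2;
    }
    return 1;
}

int main(void)
{
    const char *links[] = { "http://www.example.com/home.php",
                            "http://www.examp1e.com/home.php",
                            "https://unrelated.org/" };
    for (size_t i = 0; i < 3; i++)
        printf("%d %s\n", classify_link(links[i]), links[i]);
    return 0;
}
```

A mail gateway or link-rewriting proxy would treat a return value of 2 as a reason to warn the user or block the click, while 1 is simply an unfamiliar site and needs a different policy.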
• MITM attacks
• It is what it sounds like, but the results
can be disastrous – personal information
can be captured in real-time.
• SSL protects against this … mostly.
(more later)
An SQL injection attack occurs when an attacker “injects” SQL code of his choosing
into an SQL query within an application (IE, Safari, Mozilla are applications).
The injected code may modify the existing query and/or concatenate additional
queries.
SQL injection example
• SQL query in server-side code:
$query = "select DESC, PRICE from PRODUCTS where ID='$product_id'";
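The slide's query pastes `$product_id` straight into the SQL text, so a single quote in the input ends the string literal early and whatever follows is parsed as SQL. The C program below is an added example, not code from the lecture: it builds the same query text the unsafe way, counts how the quoting changes when the id contains a quote, and contrasts that with a checked builder that validates the id (assumed rule: 1 to 12 ASCII digits) and emits a bind placeholder so the value is handed to the database driver separately, never parsed as SQL.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern from the slide: the user-supplied product id is pasted
 * straight into the query text. Returns the length snprintf() wrote. */
int build_query_unsafe(const char *product_id, char *out, size_t out_len)
{
    return snprintf(out, out_len,
                    "select DESC, PRICE from PRODUCTS where ID='%s'", product_id);
}

/* Assumed business rule for this example: product ids are 1-12 ASCII digits.
 * Anything else is rejected before it gets near the query. Returns 1 if valid. */
int valid_product_id(const char *product_id)
{
    size_t n = strlen(product_id);
    if (n == 0 || n > 12) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)product_id[i])) return 0;
    return 1;
}

/* Hardened: validate first, then emit the query with a bind placeholder instead
 * of the value. The value is passed to the driver as a prepared-statement
 * parameter, so it is treated as data no matter what characters it contains.
 * Returns 0 and fills `out`, or -1 if the id fails validation. */
int build_query_checked(const char *product_id, char *out, size_t out_len)
{
    if (!valid_product_id(product_id)) return -1;
    snprintf(out, out_len, "select DESC, PRICE from PRODUCTS where ID=?");
    return 0;
}

/* Count single quotes: a well-formed query for one id has exactly two. */
int count_quotes(const char *s)
{
    int n = 0;
    for (; *s; s++) if (*s == '\'') n++;
    return n;
}

int main(void)
{
    char q[256];
    const char *benign  = "42";
    const char *hostile = "42' OR ''='";     /* constructed: closes the literal early */
    build_query_unsafe(benign, q, sizeof q);
    printf("%s  (quotes=%d)\n", q, count_quotes(q));
    build_query_unsafe(hostile, q, sizeof q);
    printf("%s  (quotes=%d)\n", q, count_quotes(q));
    printf("checked hostile -> %d\n", build_query_checked(hostile, q, sizeof q));
    return 0;
}
```

Validation and parameterisation are layered on purpose: the placeholder is what actually removes the injection, and the format check gives the application a point to reject and log malformed ids before any database round trip.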
Email Security
SMTP
• Operates on port 25
• Has a set of commands associated with the protocol –
such as: HELO, EHLO, MAIL FROM:, RCPT TO:, VRFY,
EXPN
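Of the SMTP verbs listed above, VRFY and EXPN are the ones a mail administrator most often turns off: they answer whether a mailbox or list exists, which lets anyone enumerate valid account names. The C program below is an added example (not from the lecture) of the policy step a server applies to each command line before the real handler runs: parse the verb, look it up, and answer with a reply code. The command table and the choice to disable VRFY and EXPN are assumptions for the illustration; the session lines are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Command table: the verbs from the slide plus the ones needed to complete a
 * session. `enabled` is the assumed local policy: VRFY and EXPN are turned off
 * because they let anyone probe for valid account names. */
struct smtp_cmd { const char *verb; int enabled; };
static const struct smtp_cmd CMDS[] = {
    { "HELO", 1 }, { "EHLO", 1 }, { "MAIL", 1 }, { "RCPT", 1 },
    { "DATA", 1 }, { "RSET", 1 }, { "NOOP", 1 }, { "QUIT", 1 },
    { "VRFY", 0 }, { "EXPN", 0 },
};
#define N_CMDS (sizeof CMDS / sizeof CMDS[0])

/* Decide how the server answers one command line. Writes the upper-cased verb
 * into `verb_out` and returns the reply code the policy chooses:
 *   250  accept (the real handler for that verb would then run)
 *   502  command not implemented (disabled by local policy)
 *   500  syntax error / unrecognised command */
int smtp_policy_reply(const char *line, char *verb_out, size_t verb_len)
{
    /* verb = leading run of letters, case-folded */
    size_t i = 0;
    while (line[i] != '\0' && isalpha((unsigned char)line[i]) && i + 1 < verb_len) {
        verb_out[i] = (char)toupper((unsigned char)line[i]);
        i++;
    }
    verb_out[i] = '\0';
    /* what follows the verb must be end of line or a separator */
    if (i == 0 || !(line[i] == '\0' || line[i] == ' ' ||
                    line[i] == '\r' || line[i] == '\n'))
        return 500;
    for (size_t k = 0; k < N_CMDS; k++)
        if (strcmp(verb_out, CMDS[k].verb) == 0)
            return CMDS[k].enabled ? 250 : 502;
    return 500;
}

int main(void)
{
    /* constructed client lines, as they would arrive on port 25 */
    const char *session[] = { "EHLO client.example\r\n", "vrfy postmaster\r\n",
                              "MAIL FROM:<a@example.com>\r\n", "BOGUS\r\n" };
    char verb[8];
    for (size_t i = 0; i < 4; i++)
        printf("%d <- %s", smtp_policy_reply(session[i], verb, sizeof verb), session[i]);
    return 0;
}
```

Answering 502 for a disabled verb rather than silently ignoring it keeps the server's behaviour predictable for legitimate clients, and the rejected verbs are worth logging, since a burst of VRFY attempts against many names is a recognisable reconnaissance pattern.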
COOP
• COOP exercises
– Businesses rehearse major incidents with
“continuity of operations” (COOP) exercises.
– In these instances, employees report to an
offsite location, as determined by their
employer to attempt to function as a working
team, and to attempt to keep operations
functioning.
• Speed of recovery is key here.
– Speedy response can prevent further
damage
Copyright © 2016 Thomas G. Winston All rights reserved. 33
IT 223
Lecture 12
COOP
• COOP exercises
– Accuracy of recovery matters as much
as speed.
– Take your time quickly!
• Plan ahead
– Decide what to do ahead of time
– Have time to consider matters thoroughly and without the
time pressure of a crisis
– (During an attack, human decision-making skills degrade)
– Incident response is reacting to incidents according to plan
– Within the plan, need to have flexibility to adapt
– Best to adapt within a plan than to improvise completely
COOP
• Need a policy dictating a process in
place for incidents of varying levels of
severity.
• All levels of employees have to
be involved in exercises
• Complex scenario creation
requires planning and time
Postmortem Evaluation
• What can be done differently to
prevent repeats?
• CSIRTs play critical role, and
response after discovery of incident is
critical.
Documented and policy based steps are
key – and these steps require buy-in
from all levels of organization
CSIRT Organization
• Senior management has to be leading
the team.
– Line operations team members
– IT security staff may manage day-to-day
operations
– PR, for media releases
– Legal Counsel for legal issues
– HR if sanctions or firings needed.
Legal Considerations
• Cyberlaw
– Laws dealing with information technology
or computers, some date back to the
1980s.
• Jurisdiction
– Varies greatly, but determines where
governments can make and enforce law
and where they cannot.
Legal Considerations
• Deals with
– Criminal law: violations of criminal statutes
– Civil law: interpretations of rights and duties that companies
or individuals have relative to each other
• Penalties
– Criminal law: jail time and fines
– Civil law: monetary penalties and orders to parties to take
or not take certain actions
• Cases brought by
– Criminal law: prosecutors
– Civil law: the plaintiff, who is one of the two parties
• Requires mens rea (guilty mind)
– Criminal law: usually
– Civil law: rarely, although it may affect the imposed penalty
• Applicable to IT security
– Criminal law: yes, to prosecute attackers and to avoid
breaking the law
– Civil law: yes, to avoid or minimize civil trials and judgments
Legal Considerations
• US Federal Judicial System
– 94 US District Courts
– Decisions made in trials are only binding
on the litigants
• US Circuit Court of Appeal
– 13 in US - No trials
– Reviews district court decisions, and
decisions are precedents only for
district courts under the circuit court
making the decision.
Legal Considerations
• US Supreme Court
– Final arbiter of US federal law
– Only hears about 100 cases / year
– Reviews cases that involve conflicts
between appellate court precedents and
important constitutional issues
– Justices are appointed for life
Legal Considerations
• Cyber crime usually falls under state
laws
– Local PD investigates for local and
state jurisdictions
– US allows states to control this aspect of
law enforcement
– But cyber crimes that affect interstate
commerce may be reviewed by higher courts.
International Law
• Important to multinational firms
• Changing rapidly, trying to keep pace
with technology
• Even domestic firms may have suppliers and/or
buyers OCONUS, and for that matter the
attackers may be located internationally
• International treaties are nascent
IT Disaster Recovery
• Need offsite backups
– Continuous data protection
• An offsite work location – hot site,
rapid readiness at high cost
– Have to keep software at hot site in sync
with software at regular place of operation
• High cost, because duplicate
systems/operating environments are needed
IT Disaster Recovery
• Test the IT Disaster Recovery plan
– Time consuming and expensive, but
very necessary
– Keep an open mind. Things may take
some time to recover to a normal state of
operation.