
Lecture 11

IT 223 Information Security Fundamentals

Data and Application Security

Some graphic elements copyright © 1987-2014 Microsoft Corporation.

Copyright © 2016 Thomas G. Winston All rights reserved.



What is Application Security


•  Context:
–  Can run the gamut from hardware failures that cause software problems, to human error
–  It could be mis-configurations that cause applications to fail, or poor coding that causes leaky or buggy applications.
–  Administrators, or those with elevated role-based access, could be the cause…




What is Application Security


•  Application security covers a range of topics…
–  Usually it involves coding of some sort, but not always.
–  Since the application layer is at the top (or bottom, depending on how you view the OSI reference model), we can assume that applications have an effect on other network layers; the flaw can be a TCP/IP, kernel, RPC, or microcode programming error.




Application Security Overview (cont.)


•  So, it's the servers, the code that runs on the servers, and any code that traverses networks between the servers.
•  At the heart of this conversation is malware. Even some forensic analysis skills can help…
–  Memory blocks
–  Ingress and egress points, sockets, stubs, etc…
–  Offensive too… SQL injections, Stuxnet

At the root of the issue…

•  If an attacker can get root access, then the attacker can execute applications at the highest, most secure level. This is an access control issue that system administrators must face. Host hardening is included here too, and so is LAN and WAN security.




3 Categories …

•  We will approach application security defensively – securing services, software and network components
•  Forensically – application security can be understood by malware analysis, because in that analysis important information about vulnerabilities is revealed
•  Offensively – SQL injections and database hacks

The 3 approaches

•  Require understanding of defense-in-depth, as well as systems administration, programming, network security, and policy-based rules and roles.
•  While the layers may help prevent the issues, ultimately it will be the players at the layers (sysadmins, lawyers, network engineers, etc.) who will have to deal with them.

Defensive measures

•  Secure system elevated-role accesses
–  # prompt in Cisco, or / in Linux; Administrator in Windows
–  Develop multi-tiered, multi-layered defensive mechanisms.
–  Always maintain command and control (C2) over all working components. This will not guarantee success, however…




Buffers and Overflows

•  Applications use temporary storage areas in RAM called buffers. If an attacker sends code or a message that exceeds the programmer's allocated amount of RAM, it is an overflow. This can cause all kinds of issues for an operating system – ranging from little noticeable change to a complete system crash.



Buffer overflows

Two types of buffer overflows – Stack and Heap

Stack overflow
•  A technically inclined user may exploit stack-based buffer overflows to manipulate the program to their advantage in one of several ways:
–  By overwriting a local variable that is located near the vulnerable buffer on the stack, in order to change the behavior of the program
–  By overwriting the return address in a stack frame. Once the function returns, execution will resume at the return address as specified by the attacker – usually a user-input-filled buffer.



Heap Overflows

Heap-based exploitation
A buffer overflow occurring in the heap data area is referred to as a heap overflow
and is exploitable in a manner different from that of stack-based overflows. Memory
on the heap is dynamically allocated by the application at run-time and typically
contains program data. Exploitation is performed by corrupting this data in specific
ways to cause the application to overwrite internal structures such as linked list
pointers. The canonical heap overflow technique overwrites dynamic memory
allocation linkage (such as malloc meta data) and uses the resulting pointer
exchange to overwrite a program function pointer.




Industrial Control Systems


These systems control pieces of a nation's critical infrastructure
•  They typically communicate using proprietary and common networking protocols
•  Each component in the system has microcode that is associated with it.
–  The microcode controls basic functions of the device in the system

Web Sites and Web Servers

•  First, let's consider web site application vulnerabilities. Web sites are served by applications running on a kind of platform.
•  Allowing Cross Site Scripting (XSS), where one user's input can appear on the page of another user, is a serious vulnerability
•  How to prevent: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

iFrames, Redirectors, MITM

•  Iframes can pop up in a web session and not be noticed. When they pop up, they execute malicious code. Users do not usually see them.
•  In this example, the frame will not appear on the screen.




Redirection

•  This attack is also unseen by the user, but can have a more complicated attack vector. The end result, though, is the same – the user will visit what appears to be the website they want, but in reality is something else.
•  A URL Redirection Attack is a kind of vulnerability that redirects you to another page freely out of the original website when accessed, usually integrated with a phishing attack.

URL Redirection (cont.)

•  http://www.examp1e.com/home.php
•  and on clicking it will bring you to
•  http://www.examp1e.com/home.php
•  This page could lead to a malicious page that resembles the original, and tries to trick the user into giving their credentials. Notice the "l" and "1", which can catch some unwary users off-guard. This is a URL redirection attack.

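A defensive check for the "l" versus "1" lookalike described above, written as an added example that is not part of the original lecture: it extracts the hostname from a link target and reports whether it is a trusted name, a confusable lookalike of one, or simply unknown. The confusable table and the trusted-host list are assumptions constructed for the example.

```python
from urllib.parse import urlparse

# Constructed, deliberately small table of characters that commonly stand in
# for one another in look-alike hostnames. Each key is rewritten to its value
# so that "examp1e" and "example" collapse to the same skeleton.
CONFUSABLES = {
    "1": "l",   # digit one for lowercase L (the slide's examp1e.com)
    "0": "o",   # digit zero for lowercase O
    "i": "l",   # i and l are easy to mistake in many fonts
    "rn": "m",  # r followed by n reads as m
    "vv": "w",  # doubled v reads as w
}


def skeleton(host: str) -> str:
    """Collapse a hostname to a canonical form in which the confusable
    substitutions above no longer matter."""
    h = host.lower()
    for lookalike, canonical in CONFUSABLES.items():
        h = h.replace(lookalike, canonical)
    return h


def classify_host(host: str, trusted: set) -> str:
    """'trusted' for an exact match, 'lookalike' if the host only matches a
    trusted name after confusables are normalised, otherwise 'unknown'."""
    if host in trusted:
        return "trusted"
    trusted_skeletons = {skeleton(t) for t in trusted}
    if skeleton(host) in trusted_skeletons:
        return "lookalike"
    return "unknown"


def check_url(url: str, trusted: set) -> tuple:
    """Extract the hostname from a link target and classify it."""
    host = (urlparse(url).hostname or "").lower()
    return host, classify_host(host, trusted)


if __name__ == "__main__":
    TRUSTED = {"www.example.com"}   # assumed list of legitimate hosts
    for link in ("http://www.example.com/home.php",
                 "http://www.examp1e.com/home.php",   # the slide's lookalike
                 "http://www.other.org/home.php"):
        print(check_url(link, TRUSTED))
```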



Man in the Middle

•  MITM attacks
•  It is what it sounds like, but the results can be disastrous – personal information can be captured in real-time.
•  SSL protects against this… mostly. (more later)




More Web Vulnerabilities

•  Carberp, ChromInject, Nuklus, OddJob, SpyEye, Zeus
•  These are sometimes called MITB – Man in the Browser attack vectors
•  Protection includes out-of-band verification; man in the mobile; and hardened software.



SQL injection

Most modern applications that use databases use Structured Query Language (SQL) for database functions.

Typical queries include
•  SELECT (to retrieve columns from rows from tables)
•  INSERT (to add new rows)
•  UPDATE (to change columns in existing rows)
•  DELETE (to remove rows)

The row/s affected are typically limited by a WHERE condition clause.



SQL injection

An SQL injection attack occurs when an attacker “injects” SQL code of his choosing
into an SQL query within an application (IE, Safari, Mozilla are applications)

The injected code may modify the existing query and or concatenate additional
queries.




SQL injection example

•  SQL query in server-side code:
$query = "select DESC, PRICE from PRODUCTS where ID='$product_id'";
•  A typical user enters a product ID, e.g. "ABC123". The result page displays description, price
•  An attacker enters SQL injection code, e.g.
"' union select PWHASH, 0.00 from USERS where ID='jsmith1' and 'A'='A"
The result page displays password hash and $0.00 for this user ID (as if it was a product).

The user entered: GOLD

Copyright © 2016 Thomas G. Winston/Mike Lyons All rights reserved.



The user entered: ' (a single quote)




The user entered: ' union select 'dummy', ID, PW_HASH from USER where ID='ABC




SQL Injection – some more thoughts

•  Input checking has to be done correctly
•  Use the least privilege idea
•  Don't build queries as strings using data from outside – use parameterized queries or stored procedures

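The product-lookup attack from the example slide and the parameterized-query fix from the bullets above, run against a constructed in-memory SQLite database. This is an added example, not code from the lecture: the table and column names follow the slide (DESC is double-quoted because it is a reserved word in SQLite), and the stored hash is a constructed placeholder value.

```python
import sqlite3

# Constructed sample data mirroring the slide: PRODUCTS(ID, DESC, PRICE)
# and USERS(ID, PWHASH). The hash is a placeholder, not a real digest.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE PRODUCTS (ID TEXT PRIMARY KEY, "DESC" TEXT, PRICE REAL);
        CREATE TABLE USERS (ID TEXT PRIMARY KEY, PWHASH TEXT);
        INSERT INTO PRODUCTS VALUES ('ABC123', 'Widget', 9.99);
        INSERT INTO USERS VALUES ('jsmith1', 'constructed-hash-value');
    """)
    return con

# The slide's payload: closes the ID literal, appends a UNION that reads from
# USERS, and ends with 'A'='A so the template's trailing quote still balances.
PAYLOAD = "' union select PWHASH, 0.00 from USERS where ID='jsmith1' and 'A'='A"

def lookup_unsafe(con: sqlite3.Connection, product_id: str) -> list:
    # VULNERABLE: the slide's $query, built by pasting user input into SQL text.
    query = "select \"DESC\", PRICE from PRODUCTS where ID='" + product_id + "'"
    return con.execute(query).fetchall()

def lookup_safe(con: sqlite3.Connection, product_id: str) -> list:
    # Parameterized: the driver binds product_id as data, never as SQL text,
    # so the payload is just a product ID that matches nothing.
    query = 'select "DESC", PRICE from PRODUCTS where ID=?'
    return con.execute(query, (product_id,)).fetchall()

def demo() -> dict:
    """Run both lookups with a normal ID and with the slide's payload."""
    con = make_db()
    return {
        "unsafe_normal": lookup_unsafe(con, "ABC123"),
        "unsafe_payload": lookup_unsafe(con, PAYLOAD),   # leaks the hash
        "safe_normal": lookup_safe(con, "ABC123"),
        "safe_payload": lookup_safe(con, PAYLOAD),       # empty result
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```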



Email Security

•  Again, solid systems administration skills can protect email.
•  Also vigilant use of email helps…
–  Spear-phishing
–  Social engineering




Email

•  Email is governed by a protocol – the Simple Mail Transfer Protocol
•  If a person can gain root access based on other extant OS vulnerabilities, the attacker can generate forged emails, or get information about users on a system.
•  One such famous, and overused, vulnerability exists on Outlook Web Access email systems (OWA)




SMTP

•  Operates on port 25
•  Has a set of commands associated with the protocol – such as: HELO, EHLO, MAIL, TO:, FROM:, VRFY, EXPN




SMTP

•  An example where an email message is generated from the command line:

$ /usr/lib/sendmail -v someuser@pobox.com < /tmp/mtest
someuser@pobox.com... Connecting to mx1b.pobox.com. via esmtp...
220 wormwood.pobox.com ESMTP Postfix
>>> EHLO myhost.3x.com
250-wormwood.pobox.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250 8BITMIME
>>> MAIL From: SIZE=51
250 Ok
>>> RCPT To:
250 Ok
>>> DATA
354 End data with .
>>> .
250 Ok: queued as 0E3EA1D216
someuser@pobox.com... Sent (Ok: queued as 0E3EA1D216)
Closing connection to mx1b.pobox.com.
>>> QUIT
221 Bye



Lecture 12

IT 223 Information Security Fundamentals

Incident and Disaster Response





Bottom Line: Incidents Happen

•  Incidents Happen
–  Protections inevitably break down occasionally
–  Successful attacks are called security incidents, breaches, or compromises
•  Incident Severity
–  False alarms
•  Apparent compromises are not real compromises
•  Also called false positives

Bottom Line: Incidents Happen

•  Must consider whether or not the on-call/duty staff can manage the incident – if not, it is a severe or major incident.
•  Convene a Computer Security Incident Response Team (CSIRT)
•  This team needs more than IT personnel, for top-cover and to make quick changes that may require management approvals.
•  Different organizations will react accordingly – depending on several factors:
–  Type of business
–  Data lost
–  Time to recover

COOP
•  COOP exercises
–  Businesses rehearse major incidents with "continuity of operations" (COOP) exercises.
–  In these instances, employees report to an offsite location, as determined by their employer, to attempt to function as a working team and to keep operations functioning.
•  Speed of recovery is key here.
–  Speedy response can prevent further damage

COOP
•  COOP exercises
–  Accuracy of recovery matters as much as speed.
–  Take your time quickly!
•  Plan ahead
–  Decide what to do ahead of time
–  Have time to consider matters thoroughly and without the time pressure of a crisis
–  (During an attack, human decision-making skills degrade)
–  Incident response is reacting to incidents according to plan
–  Within the plan, need to have flexibility to adapt
–  Best to adapt within a plan than to improvise completely

COOP
•  Need a policy dictating a process in place for incidents of varying levels of severity.
•  All levels of employees have to be involved in exercises
•  Complex scenario creation requires planning and time




Incident Response Process


•  Major Incidents
•  Detection, analysis and escalation
–  Technology or people (or both) detect an incident
–  Need good IDS technology
–  All employees must know their role and responsibility for reporting an incident




Incident Response Process


•  Analysis
–  Has to be quick and comprehensive
–  Verify incident
–  Scope, who/what/where/how of the attack (why can come later!)
–  Assess sophistication level
•  Be careful with this, as it is based on perception at some level…




Incident Response Process


•  Detection, Analysis and Escalation
–  If incident is severe, escalate
–  Pass to CSIRT, disaster response team, or business continuity team.
–  Contain the incident – disconnect, but judiciously.
•  Get authorizations
•  Business, NOT a technical, decision




Incident Response Process


•  Containment
–  Black-hole the attacker
–  Collect data
•  Consider legal steps
•  Recovery
–  Repair during normal operation
–  Rootkits, trojans, and many other things will remain.
–  Possibly restore from backups

Incident Response Process


•  Disk image restoration
•  Overinstall, or reinstall
•  Explain – tell the truth, and explain what actions will be taken to compensate victims
•  Punish attackers – if it is an inside job
–  Employees are at-will
–  Some union agreements prevent firings




Incident Response Process


•  Punishment is tricky… even with firings
–  Can be costly
–  Can be countersuits
–  There is cost and effort associated with it
–  Public reputation may be damaged if incident becomes public
•  Collect evidence… this is critical
–  Be sure to follow court rules, forensics, chain of custody, documentation

Postmortem Evaluation
•  What can be done differently to prevent repeats?
•  CSIRTs play a critical role, and response after discovery of an incident is critical.
•  Documented and policy-based steps are key – and these steps require buy-in from all levels of the organization




CSIRT Organization
•  Senior management has to be leading the team.
–  Line operations team members
–  IT security staff may manage day-to-day operations
–  PR, for media releases
–  Legal counsel for legal issues
–  HR if sanctions or firings needed.




Legal Considerations
•  Cyberlaw
–  Laws dealing with information technology or computers; some date back to the 1980s.
•  Jurisdiction
–  Varies greatly – but determines where governments can make and enforce law and where they cannot.




Legal Considerations
Dimension | Criminal Law | Civil Law
Deals with | Violations of criminal statutes | Interpretations of rights and duties that companies or individuals have relative to each other
Penalties | Jail time and fines | Monetary penalties and orders to parties to take or not take certain actions
Cases brought by | Prosecutors | Plaintiff is one of the two parties
Criterion for verdict | Beyond a reasonable doubt | Preponderance of the evidence (usually)
Requires mens rea (guilty mind) | Usually | Rarely, although may affect the imposed penalty
Applicable to IT security | Yes. To prosecute attackers and to avoid breaking the law | Yes. To avoid or minimize civil trials and judgments




Legal Considerations
•  US Federal Judicial System
–  94 US District Courts
–  Decisions made in trials are only binding on litigants
•  US Circuit Court of Appeal
–  13 in US – No trials
–  Reviews district court decisions, and decisions are precedents only for district courts under the circuit court making the decision.

Legal Considerations
•  US Supreme Court
–  Final arbiter of US federal law
–  Only hears about 100 cases / year
–  Reviews cases that involve conflicts between appellate court precedents and important constitutional issues
–  Justices are appointed for life




Legal Considerations
•  Cyber crime usually falls under state laws
–  Local PD investigates for local and state jurisdictions
–  US allows states to control this aspect of law enforcement
–  But cyber crimes that affect interstate commerce may be reviewed by higher courts.




International Law
•  Important to multinational firms
•  Changing rapidly, trying to keep pace with technology
•  Even domestic firms may have suppliers and/or buyers OCONUS, and for that matter attackers may be internationally located
•  International treaties are nascent




Forensics and Evidence


•  Admissibility of evidence
–  Requires chain of custody proof
–  Keep unreliable evidence from juries
•  Federal Rules
–  Now there are strong rules in place for admissibility of electronic evidence
•  Forensic Experts
–  Professionals trained to collect electronic evidence likely to be admissible in court

Forensics and Evidence


•  Expert witnesses can help courts (a jury) better understand the intricacies of collected electronic evidence, causal factors, etc.
–  Formal training
–  Number of years of experience in the industry
–  Law enforcement training
–  Need to have a clean criminal history.
–  Even if you only plan to work on civil cases, if you'll be testifying in court, anything in your background that can be used to damage your

Federal Cybercrime Laws


•  18 U.S.C. 1030
•  US Code Title 18, Part I (Crimes), Section 1030
–  Prohibits
•  Hacking
•  Malware creation and/or distribution
•  Denial of service of any type associated with electronic media as described in law




Federal Cybercrime Laws


•  18 U.S.C. 1030
–  Protected computers
•  Government, financial institution, or any computer used in interstate or foreign commerce or communications
•  Damage threshold for prosecution – can be determined by FBI
–  Prohibits interception of electronic messages both en route and after the message is received and stored




Federal Cybercrime Laws


•  18 U.S.C. 1030
–  Allows email providers (including employers) to read employee mail if they own the system
•  Other federal laws
–  Those laws applying to other similar and applicable issues such as fraud, extortion, and theft of trade secrets apply to cyber crimes
–  These laws have harsher consequences than cybercrime legislation

Business Continuity Planning


•  A business continuity plan specifies how a company plans to restore or maintain core business operations when disasters occur
•  Disaster response is restoring IT services
•  Principles of Business Continuity Management
–  Protect people first
•  Evacuation plans and drills
•  Never allow staff members back into unsafe environments
•  Must have a systematic way to account for all employees and notify loved ones / provide counseling if needed.

Business Continuity Planning


•  People have reduced capacity in decision making during a crisis
–  Planning and rehearsal are critical
•  Avoid rigidity
–  Unexpected situations will arise
–  Communication will break down and information will be unreliable
–  Decision makers must have the flexibility to act

Business Continuity Planning


•  Communication
–  Try to compensate for inevitable breakdowns
–  Have a backup communication system
–  Communicate constantly to keep everybody "in the loop"




Business Process Analysis


•  Identification of business processes and their interrelationships
•  Prioritization of business processes
–  Downtime tolerance (in the extreme, mean time to belly-up)
–  Importance to the firm
–  Required by higher-importance processes
•  Resource needs (must be shifted during crises)
–  Cannot restore all business processes

IT Disaster Recovery
•  Need offsite backups
–  Continuous data protection
•  An offsite work location – hot site, rapid readiness at high cost
–  Have to keep software at hot site in sync with software at regular place of operation
•  High cost – because need duplicate systems/operating environments




IT Disaster Recovery
•  Test the IT Disaster Recovery plan
–  Time consuming and expensive, but very necessary
–  Keep an open mind. Things may take some time to recover to a normal state of operation.

