SUMRANA SIDDIQUI, ASSISTANT PROFESSOR, DCET

INFORMATION SECURITY

UNIT-1

Introduction: History, Critical Characteristics of Information, NSTISSC

Security Model, Components of an Information System, Securing the
Components, Balancing Security and Access, The SDLC, The Security
SDLC.
Need for Security: Business Needs, Threats, Attacks, and Secure Software
Development.

1|Page
 SUMRANA SIDDIQUI, ASSISTANT PROFESSOR, DCET

The History of Information Security

The history of information security begins with computer security. The need for computer securitythat
is, the need to secure physical locations, hardware, and software from threats arose when the first
mainframes were developed to aid computations for communication code breaking. Multiple levels of
security were implemented to protect these mainframes and maintain the integrity of their data.
Duringthese early years, information security was a straightforward process composed predominantly of
physical security and simple document classification schemes. The primary threats to security were
physical theft of equipment, espionage against the products of the systems, and sabotage.

The 1960s
The 1960s During the Cold War, many more mainframes were brought online to accomplish more
complex and sophisticated tasks. It became necessary to enable these mainframes to communicate. In
response to this need, the Department of Defense’s Advanced Research Project Agency (ARPA) began
examining the feasibility of a redundant, networked communications system to support the military’s
exchange of information. In 1968, Larry Roberts, known as the founder of the Internet, developed the
ARPANET which evolved into what we now know as Internet.

The 1970s and 80s

In 1973, Robert M. Metcalfeidentified the problems with ARPANET security. Individual remote sites
did not have sufficient controls and safeguards to protect data from unauthorized remote users. Other
problems abounded: vulnerability of password structure and formats; lack of safety procedures for dial-
up connections; and non-existent user identification and authorization to the system. Phone numbers
were widely distributed, giving hackers easy access to ARPANET. Because of the range and frequency
of computer security violations and the explosion in the numbers of hosts and users on ARPANET,
network security was referred to as network insecurity.
In 1978, a famous study entitled “Protection Analysis: Final Report” was published. The movement
toward security that went beyond protecting physical locations began with a single paper sponsored by
the Department of Defence, the Rand Report R-609. This paper signalled that the scope of computer
security expanded from the safety of physical locations and hardware to include the following:
• Securing the data
• Limiting random and unauthorized access to that data
• Involving personnel from multiple levels of the organization in matters pertaining to information
security
In the mid-1980s, the US government passed pieces of legislation that formalized the recognition of
computer security as a critical issue for federal information systems.
In 1988, the defence Advanced Research Projects Agency (DARPA) created the Computer Emergency
Response Team (CERT) to address network security.

The 1990s
At the close of the twentieth century, networks of computers became more common, as did the need to
connect these networks to each other. This gave rise to the Internet, the first global network of networks.
The Internet was made available to the general public in the 1990s, brought connectivity to virtually all
computers that could reach a phone line or an Internet-connected local area network (LAN). Since its
inception, the Internet has become an interconnection of millions of networks. The ability to physically
secure a networked computer was lost, and the stored information became more exposed to security
threats.
In 1993, the first DEFCON conference was held in Las Vegas, for people interested in information
security. Antivirus became popular and information security began to emerge as an independent
discipline.

2|Page
 SUMRANA SIDDIQUI, ASSISTANT PROFESSOR, DCET

2000 to present
Recent years have seen a growing awareness of the need to improve information security. The growing
threat of cyber-attacks have made governments and companies more aware of the need to defend the
computer-controlled control systems of utilities and other critical infrastructure. Another growing
concern is the threat of nation-states engaging in information warfare, and the possibility that business
and personal information systems could become casualties if they are undefended.The attack on the
world trade centres on September 11, 2001 resulted in major legislation changes related to computer
security.

What is Security?
Security is protection.Protection against adversaries—from those who would do harm, intentionally or
otherwise—is the objective. A successful organization should have the following multiple layers of
security in place to protect its operations:
• Physical security, to protect physical items, objects, or areas from unauthorized access and misuse
• Personnel security, to protect the individual or group of individuals who are authorized to access the
organization and its operations
• Operations security, to protect the details of a particular operation or series of activities
• Communications security, to protect communications media, technology, and content
• Network security, to protect networking components, connections, and contents
• Information security, to protect the confidentiality, integrity and availability of information assets,
whether in storage, processing, or transmission.

The Committee on National Security Systems (CNSS) defines “information security” as the
protection of information and its critical elements, including the systems and hardware that use, store,
and transmit that information.
The CNSS model of information security evolved from a concept developed by the computer security
industry called the C.I.A. triangle.

The C.I.A. triangle is based on the three characteristics of information that give it value to
organizations: confidentiality, integrity, and availability. The threats to the confidentiality, integrity, and
availability of information have evolved into a vast collection of events, including accidental or
intentional damage, destruction, theft, unintended or unauthorized modification, or other misuse from
human or nonhuman threats.

Critical characteristics of Information

The value of information comes from the characteristics it possesses. When a characteristic of
information changes, the value of that information either increases, or, more commonly, decreases. Each
critical characteristic of information in C.I.A. triangle is defined below:
3|Page
 SUMRANA SIDDIQUI, ASSISTANT PROFESSOR, DCET

Availability: Availability enables authorized users to access information without interference or

obstruction and to receive it in the required format.

Accuracy: Information has accuracy when it is free from mistakes or errors and it has the value that the
end user expects. If information has been intentionally or unintentionally modified, it is no longer
accurate.

Authenticity:Authenticity of information is the quality or state of being genuine or original, rather than
a reproduction or fabrication. Information is authentic when it is in the same state in which it was
created, placed, stored, or transferred. E-mail spoofing, the act of sending an e-mail message with a
modified field, is a problem for many people today, because often the modified field is the address of
the originator. Spoofing the sender’s address can fool e-mail recipients into thinking that messages are
legitimate traffic, thus inducing them to open e-mail they otherwise might not have. Another variation
on spoofing is phishing, when an attacker attempts to obtain personal or financial information using
fraudulent means, most often by posing as another individual or organization.

Confidentiality: Information has confidentiality when it is protected from disclosure or exposure to

unauthorized individuals or systems. Confidentiality ensures that only those with the rights and
privileges to access information are able to do so. When unauthorized individuals or systems can view
information, confidentiality is breached. To protect the confidentiality of information, a number of
measures can be taken:
• Information classification
• Secure document storage
• Application of general security policies
• Education of information custodians and end users
The value of confidentiality of information is especially high when it is personal information about
employees, customers, or patients. Individuals who transact with an organization expect that their
personal information will remain confidential, whether the organization is a federal agency, such as the
Internal Revenue Service, or a business. Problems arise when companies disclose confidential
information. Sometimes this disclosure is intentional, but there are times when disclosure of confidential
information happens by mistake. In information security, salami theft occurs when an employee steals a
few pieces of information at a time, knowing that taking more would be noticed—but eventually the
employee gets something complete or useable.

Integrity: Information has integrity when it is whole, complete, and uncorrupted. The integrity of
information is threatened when the information is exposed to corruption,damage, destruction, or other
disruption of its authentic state. Corruption can occur while information is being stored or transmitted.
Many computer viruses and worms are designed with the explicit purpose of corrupting data. For this
reason, a key method for detecting a virus or worm is to look for changes in file integrity as shown by
the size of the file. Another key method of assuring information integrity is file hashing, in which a file
is read by a special algorithm that uses the value of the bits in the file to compute a single large number
called a hash value. The hash value for any combination of bits is unique. If a computer system performs
the same hashing algorithm on a file and obtains a different number than the recorded hash value for that
file, the file has been compromised and the integrity of the information is lost. Information integrity is
the cornerstone of information systems, because information is of no value or use if users cannot verify
its integrity.

Utility: The utility of information is the quality or state of having value for some purpose or end.
Information has value when it can serve a purpose. If information is available, but is not in a format
meaningful to the end user, it is not useful.
4|Page
 SUMRANA SIDDIQUI, ASSISTANT PROFESSOR, DCET

Possession: The possession of information is the quality or state of ownership or control. Information is
said to be in one’s possession if one obtains it, independent of format or other characteristics. While a
breach of confidentiality always results in a breach of possession, a breach of possession does not
always result in a breach of confidentiality.

NSTISSC Security Model/CNSS Security Model

The definition of information security is based in part on the CNSS document called the National
Training Standard for Information Systems Security Professionals NSTISSI No. 4011. Since this
document was written, the NSTISSC was renamed the Committee on National Security Systems
(CNSS). This document presents a comprehensive information security model and has become a widely
accepted evaluation standard for the security of information systems.

The model, created by John McCumber in 1991, provides a graphical representation of the architectural
approach widely used in computer and information security; it is now known as the McCumber Cube.
The McCumberCube, shows three dimensions. If extrapolated, the three dimensions of each axis
become a 3 X 3 X 3 cube with 27 cells representing areas that must be addressed to secure today’s
information systems. To ensure system security, each of the 27 areas must be properly addressed during
the security process.
For example, the intersection between technology, integrity, and storage requires a control or safeguard
that addresses the need to use technology to protect the integrity of information while in storage. One
such control might be a system for detecting host intrusion that protects the integrity ofinformation by
alerting the security administrators to the potential modification of a critical file.

Components of an Information System and Securing the Components

An information system (IS) is much more than computer hardware; it is the entire set of software,
hardware, data, people, procedures, and networks that make possible the use of information resources in
the organization. Each of these IS components has its own strengths and weaknesses, as well as its own
characteristics and uses. Each component of the information system also has its own security
requirements. These six critical components enable information to be input, processed, output, and
stored.

5|Page
 SUMRANA SIDDIQUI, ASSISTANT PROFESSOR, DCET

1. Software: The software component of the IS comprises applications, operating systems, and
assorted command utilities. The exploitation of errors in software programming accounts for a
substantial portion of the attacks on information .Software is perhaps the most difficult IS
component to secure. Software carries the lifeblood of information through an organization.
Unfortunately, software programs are often created under the constraints of project management,
which limit time, cost, and manpower. Information security is all too often implemented as an
afterthought, rather than developed as an integral component from the beginning. In this way,
software programs become an easy target of accidental or intentional attacks.

2. Hardware: Hardware is the physical technology that houses and executes the software, stores and
transports the data, and provides interfaces for the entry and removal of information from the
system. Physical security policies deal with hardware as a physical asset and with the protection of
physical assets from harm or theft. Applying the traditional tools of physical security, such as locks
and keys, restricts access to and interaction with the hardware components of an information system.
Securing the physical location of computers and the computers themselves is important because a
breach of physical security can result in a loss of information.

3. Data: Data stored, processed, and transmitted by a computer system must be protected. Data is often
the most valuable asset possessed by an organization and it is the main target of intentional attacks.
Systems developed in recent years are likely to make use of databasemanagement systems. When
done properly, this should improve the security of the data and the application. Unfortunately, many
system development projects do not make full use of the database management system’s security
capabilities, and in some cases the database is implemented in ways that are less secure than
traditional file systems.

4. People:People have always been a threat to information security. And unless policy, education and
training, awareness, and technology are properly employed to prevent people from accidentally or
intentionally damaging or losing information, they will remain the weakest link. Social engineering
can prey on the tendency to cut corners and the commonplace nature of human error. It can be used
to manipulate the actions of people to obtain access information about a system.

5. Procedure:Procedures are written instructions for accomplishing a specific task. When an

unauthorized user obtains an organization’s procedures, this poses a threat to the integrity of the
information. Most organizations distribute procedures to their legitimate employees so they can
access the information system, but many of these companies often fail to provide proper education
on the protection of the procedures. Educating employees about safeguarding procedures is as
important as physically securing the information system. Therefore, knowledge of procedures, as
with all critical information, should be disseminated among members of the organization only on a
need-to-know basis.
6|Page
 SUMRANA SIDDIQUI, ASSISTANT PROFESSOR, DCET

6. Network:The IS component that created much of the need for increased computer and information
security is networking. When information systems are connected to each other to form local area
networks (LANs), and these LANs are connected to other networks such as the Internet, new
security challenges rapidly emerge. Applying the traditional tools of physical security, such as locks
and keys, to restrict access to and interaction with the hardware components of an information
system are still important; but when computer systems are networked, this approach is no longer
enough. Steps to provide networksecurity are essential, as is the implementation of alarm and
intrusion systems to make system owners aware of ongoing compromises.

Balancing information Security and Access

Information security cannot be absolute: it is a process, not a goal. It is possible to make a system
available to anyone, anywhere, anytime, through any means. However, such unrestricted access poses a
danger to the security of the information. A completely secure information system would not allow
anyone access.
To achieve balance—that is, to operate an information system that satisfies the user and the security
professional—the security level must allow reasonable access, yet protect against threats. An imbalance
can occur when the needs of the end user are undermined by too heavy a focus on protecting and
administering the information systems. Both information security technologists and end users must
recognize that both groups share the same overall goals of the organization—to ensure the data is
available when, where, and how it is needed, withminimal delays or obstacles.

The Systems Development Life Cycle

Information security must be managed in a manner similar to any other major system implemented in an
organization. One approach for implementing an information security systemis to use a variation of the
systems development life cycle (SDLC): the security systems development life cycle.

7|Page
 SUMRANA SIDDIQUI, ASSISTANT PROFESSOR, DCET

The systems development life cycle (SDLC) is a methodology for the design and implementation of an
information system.
The waterfall model illustrates that each phase begins with the results and information gained from the
previous phase. At the end of each phase comes a structured review or reality check. Once the system is
implemented, it is maintained over the remainder of its operational life.

The following describe each phase of the traditional SDLC:

• Investigation The first phase, investigation phase begins with an examination of the event or plan
that initiates the process. During the investigation phase, the objectives, constraints, and scope of the
project are specified. At the conclusion of this phase, and at every phase following, a feasibility
analysis assesses the economic, technical, and behavioural feasibilities of the process and ensures
that implementation is worth the organization’s time and effort.
• Analysis The analysis phase begins with the information gained during the investigation phase. This
phase consists primarily of assessments of the organization, its current systems, and its capability to
support the proposed systems. Analysts begin by determining what the new system is expected to do
and how it will interact with existing systems. This phase ends with the documentation of the
findings and an update of the feasibility analysis.
• Logical Design In the logical design phase, the information gained from the analysis phase is used
to begin creating a systems solution for a business problem. The logical design is the blueprint for
the desired solution. The logical design is implementation independent, meaning that it contains no
reference to specific technologies, vendors, or products. It addresses, how the proposed system will
solve the problem at hand. In this stage, analysts generate a number of alternative solutions, each
with corresponding strengths and weaknesses, and costs and benefits, allowing for a general
comparison of available options. At the end of this phase, another feasibility analysis is performed.
• Physical Design During the physical design phase, specific technologies are selected to support the
alternatives identified and evaluated in the logical design. The selected components are evaluated
based on a make-or-buy decision. Final designs integrate various components and technologies.
After yet another feasibility analysis, the entire solution is presented to the organizational
management for approval.
• Implementation In the implementation phase, any needed software is created. Components are
ordered, received, and tested. Afterward, users are trained and supporting documentation created.
Once all components are tested individually, they are installed and tested as a system. Again, a
feasibility analysis is prepared, and the sponsors are then presented with the system for a
performance review and acceptance test.
• Maintenance and Change The maintenance and change phase is the longest and most expensive
phase of the process. This phase consists of the tasks necessary to support and modify the system for
the remainder of its useful life cycle. At periodic points, the system is tested for compliance, and the
feasibility of continuance versus discontinuance is evaluated. Upgrades, updates, and patches are
managed. As the needs of the organization change, the systems that support the organization must
also change. When a current system can no longer support the evolving mission of the organization,
the project is terminated and a new project is implemented.

8|Page
 SUMRANA SIDDIQUI, ASSISTANT PROFESSOR, DCET

Securing the SDLC

Each of the phases of the SDLC should include consideration of the security of the system being
assembled as well as the information it uses.

Initiation
Key activities for this phase include:
• Initial delineation of business requirements in terms of confidentiality, integrity and availability
• Determination of information categorization and identification of known special handling
requirements to transmit, store or create information such as personally identifiable information
• Determination of any privacy requirements

Development/Acquisition
Key activities for this phase include:
• conduct the risk assessment and use the results to supplement the baseline security controls
• Analyse security requirements
• Perform functional and security testing
• Prepare initial documents for system certification and accreditation
• Design security architecture

Implementation /Assessment
Key activities for this phase include:
• Integrate the information system into its environment
• Plan and conduct system certification activities in synchronisation with testing of security
controls
• Complete system accreditation activities

Operations and Maintenance

Key activities for this phase include:
• Conduct an operation readiness review
• Manage the configuration of the system

9|Page
 SUMRANA SIDDIQUI, ASSISTANT PROFESSOR, DCET

• Institute process and procedures for assured operations and continuoes monitoring of the
information system security controls
• Perform reauthorization as required

Disposal
Key activities for this phase include:
• building and executing a disposal/transition plan
• archival of critical information
• sanitization of media
• disposal of hardware and software

The Security Systems Software Development Lifecycle

The same phases used in the traditional SDLC can be adapted to support the implementation of an
information security project.
• Investigation The investigation phase of the SecSDLC begins with a directive from upper
management, dictating the process, outcomes, and goals of the project, as well as its budget and
other constraints. Frequently, this phase begins with an enterprise information security policy
(EISP), which outlines the implementation of a security program within the organization. Teams of
responsible managers, employees, and contractors are organized; problems are analysed; and the
scope of the project, as well as specific goals and objectives and any additional constraints not
covered in the program policy, are defined. Finally, an organizational feasibility analysis is
performed to determine whether the organization has the resources and commitment necessary to
conduct a successful security analysis and design.

• Analysis In the analysis phase, the documents from the investigation phase are studied. The
development team conducts a preliminary analysis of existing security policies or programs, along
with that of documented current threats and associated controls. This phase also includes an analysis
of relevant legal issues that could affect the design of the security solution. Risk management also
begins in this stage. Risk management is the process of identifying, assessing, and evaluating the
levels of risk facing the organization, specifically the threats to the organization’s security and to the
information stored and processed by the organization.

• Logical Design The logical design phase creates and develops the blueprints for information
security, and examines and implements key policies that influence later decisions. The team plans
the incident response actions to be taken in the event of partial or catastrophic loss. The planning
answers the following questions:
➢ Continuity planning: How will business continue in the event of a loss?
➢ Incident response: What steps are taken when an attack occurs?
➢ Disaster recovery: What must be done to recover information and vital systems immediately
after a disastrous event?
➢ Feasibility analysis:Whether or not the project should be continued or be outsourced?

• Physical Design The physical design phase evaluates the information security technology needed to
support the blueprint, and determines a final design. The information security blueprint may be
revisited to keep it in line with the changes needed when the physical design is completed. Criteria
for determining the definition of successful solutions are also prepared during this phase. Included at
this time are the designs for physical security measures to support the proposed technological
solutions. At the end of this phase, a feasibility study determines the readiness of the organization

10 | P a g e
 SUMRANA SIDDIQUI, ASSISTANT PROFESSOR, DCET

for the proposed project, and then the champion and sponsors are presented with the design. At this
time, all parties involved have a chance to approve the project before implementation begins.

• ImplementationThe implementation phase acquires security solutions (made or bought), tested,

implemented, and tested again. Personnel issues are evaluated, and specific training and education
programs conducted. Finally, the entire tested package is presented to upper management for final
approval.

• Maintenance and Change Maintenance and change is the last, though perhaps most important,
phase, given the current ever-changing threat environment. In information security, the battle for
stable, reliable systems is a defensive one. Often, repairing damage and restoring information is a
constant effort against an unseen adversary. As new threats emerge and old threats evolve, the
information security profile of an organization must constantly adapt to prevent threats from
successfully penetrating sensitive data.

11 | P a g e
 SUMRANA SIDDIQUI, ASSISTANT PROFESSOR, DCET

The Need for Security: Business needs first

Information security performs four important functions for an organization:
1. Protecting the organization’s ability to function
2. Enabling the safe operation of applications running on the organization’s IT systems
3. Protecting the data, the organization collects and uses
4. Safeguarding the organization’s technology assets

Protecting the Functionality of an Organization Both general management and IT management are
responsible for implementing information security that protects the organization’s ability to function.
Each of an organization’s communities of interest must address information security in terms of
business impact and the cost of business interruption, rather than isolating security as a technical
problem.

Enabling the Safe Operation of Applications A modern organization needs to create an environment
that safeguards the applications, particularly those that are important elements of the organization’s
infrastructure—operating system platforms, electronic mail (e-mail), and instant messaging (IM)
applications. Organizations acquire these elements from a service provider or they build their own. Once
an organization’s infrastructure is in place, management must continue to oversee it, and not relegate its
management to the IT department.

Protecting Data that Organizations Collect and Use Without data, an organization loses its record of
transactions and/or its ability to deliver value to its customers. Even when transactions are not online,
information systems and the data they process enable the creation and movement of goods and services.
Therefore, protecting data in motion and data at rest are both critical aspects of information security.
The value of data motivates attackers to steal, sabotage, or corrupt it. An effective information security
program implemented by management protects the integrity and value of the organization’s data.

Safeguarding Technology Assets in Organizations To perform effectively, organizations must employ

secure infrastructure services appropriate to the size and scope of the enterprise. When an organization
grows, it must develop additional security services. In general, as an organization’s network grows to
accommodate changing needs, more robust technology solutions should replace security programs the
organization has outgrown. An example of a robust solution is a firewall, a mechanism that keeps
certain kinds of network traffic out of a private network.

Threats
In the context of information security, a threat is an object, person, or other entity that presents an
ongoing danger to an asset.

12 CATEGORIES OF THREATS

SNO CATEGORY OF THREAT EXAMPLES

1 Compromises to intellectual Piracy,copyright infringement
property
2 Deviations in quality of service Internet service provider,power,WAN service
problems
3 Espionage or trespass Unauthorized access and/or data collection
12 | P a g e
 SUMRANA SIDDIQUI, ASSISTANT PROFESSOR, DCET

4 Forces of Nature Fire, floods, earthquakes, lightning

5 Human error or failure Accidents, employee mistakes
6 Information extortion Blackmail, information disclosure
7 Sabotage or vandalism Destruction of systems or information
8 Software attacks Viruses,worms, macros, denial of service
9 Technical hardware failure or errors Equipment failure
10 Technical software failure or errors Bugs, code problems, unknown loopholes
11 Technological obsolescence Antiquated or outdated technologies
12 Theft Illegal confiscation of equipment or information

Compromises to Intellectual Property

Intellectual property IP is defined as “the ownership of ideas and control over the tangible or virtual
representation of those ideas.” IP can be trade secrets, copyrights, trademarks, and patents. The most
common IP breach is the unlawful use or duplication of software-based intellectual property, more
commonly known as software piracy. Most software is licensed to a particular purchaser, its use is
restricted to a single user or to a designated user in an organization. If the user copies the program to
another computer without securing another license or transferring the license, he or she has violated the
copyright. In addition to the laws against software piracy, two watchdog organizations investigate
allegations of software abuse:
• Software & Information Industry Association (SIIA)
• Business Software Alliance (BSA)
A number of technical mechanismshave been used to enforce copyright laws. The most common tool, a
license agreement window that usually pops up during the installation of new software, establishes that
the user has read and agrees to the license agreement. Another effort to combat piracy is the online
registration process. Individuals who install software are often asked or even required to register their
software to obtain technical support or the use of all features.

Deviations in Quality of Service

An organization’s information system depends on the successful operation of many interdependent
support systems, including power grids, telecom networks, parts suppliers, service vendors, and even the
janitorial staff and garbage haulers. Any one of these support systems can be interrupted by storms,
employee illnesses, or other unforeseen events. Deviations in quality of service can result from incidents
such as a backhoe taking out a fibre-optic link for an ISP. This degradation of service is a form of
availability disruption. Irregularities in Internet service, communications, and power supplies can
dramatically affect the availability of information and systems.
• Internet Service Issues: Internet service provider failures can considerably undermine the
availability of information. When an organization places its Web servers in the care of a Web
hosting provider, that provider assumes responsibility for all Internet services as well as for the
hardware and operating system software used to operate the Web site. These Web hosting
services are usually arranged with an agreement providing minimum service levels known as a
Service Level Agreement (SLA). When a service provider fails to meet the SLA, the provider
may accrue fines to cover losses incurred by the client, but these payments seldom cover the
losses generated by the outage.

• Communications and Other Service Provider Issues:Other utility services are telephone, water,
wastewater, trash pickup, cable television, natural or propane gas, and custodial services. The
loss of these services can impair the ability of an organization to function.

• Power Irregularities:Irregularities from power utilities are common and can lead to fluctuations
such as power excesses, power shortages, and power losses. This can pose problems for
organizations. When voltage levels spike, or surge, the extra voltage can severely damage or
13 | P a g e
 SUMRANA SIDDIQUI, ASSISTANT PROFESSOR, DCET

destroy equipment. Complete loss of power for a moment is known as a fault, and a lengthier
loss as a blackout. Because sensitive electronic equipment, computers, and computer-based
systemsare vulnerable to fluctuations, controls should be applied to manage power quality. The
more expensive uninterruptible power supply (UPS) can protect against spikes and surges as
well as against sags and even blackouts of limited duration.

Espionage or Trespass
Espionage or trespass is a well-known category of electronic and human activities that can breach the
confidentiality of information. When an unauthorized individual gains access to the information an
organization is trying to protect, that act is categorized as espionage or trespass. Attackers can use many
different methods to access the information stored in an information system. Some information
gathering techniques are quite legal, for example, to perform market research. These legal techniques
are called, collectively, competitive intelligence. When information gatherers employ techniques that
cross the threshold of what is legal or ethical, they are conducting industrial espionage.
• Shoulder surfing- is a technique used in public or semi-public settings when individuals gather
information, they are not authorized to have by looking over another individual’s shoulder or
viewing the information from a distance.
• Acts of trespass- can lead to unauthorized real or virtual actions that enable information gatherers to
enter premises or systems they have not been authorized to enter. Controls sometimes mark the
boundaries of an organization’s virtual territory. These boundaries give notice to trespassers that
they are encroaching on the organization’s cyberspace. Sound principles of authentication and
authorization can help organizations protect valuable information and systems. These control
methods and technologies employ multiple layers or factors to protect against unauthorized access.
• Hackers-are “people who use and create computer softwaregain access to information illegally.”
There are generally two skill levels among hackers. The first is the expert hacker, or elite hacker,
who develops software scripts and program exploits used by those in the second category, the novice
or unskilled hacker. Expert hackers, dissatisfied with attacking systems directly, have turned their
attention to writing software. These programs are automated exploits that allow novice hackers to
act as script kiddies—hackers of limited skill who use expertly written software to attack a system—
or packet monkeys—script kiddies who use automated exploits to engage in distributed denial-of-
service attacks. A professional hacker seeks to conduct attacks for personal benefit or the benefit of
an employer. The penetration tester has authorization from an organization to test its information
systems and network defence and is expected to provide detailed reports of the findings.
• Phreaker-hacks the public telephone network to make free calls or disrupt services. Phreakers grew
in fame in the 1970s when they developed devices called blue boxes that enabled free calls from pay
phones. Later, red boxes were developed to simulate the tones of coins falling in a pay phone, and
finally black boxes emulated the line voltage. With the advent of digital communications, these
boxes became practically obsolete. Even with the loss of the colored box technologies, phreakers
continue to cause problems for all telephone systems

Forces of Nature
Forces of nature, force majeure, or acts of God can present some of the most dangerous threats, because
they usually occur with very little warning and are beyond the control of people. These threats, which
include events such as fires, floods, earthquakes, and lightning as well as volcanic eruptions and insect
infestations, can disrupt not only the lives of individuals but also the storage, transmission, and use of
information.

Some of thecommon threats in this group are listed here:

• Fire:A structural fire that damages a building housing computing equipment that comprises all or
part of an information system, as well as smoke damage and/or water damage from sprinkler

14 | P a g e
 SUMRANA SIDDIQUI, ASSISTANT PROFESSOR, DCET

systems or firefighters. This threat can usually be mitigated with fire casualty insurance and/or
business interruption insurance.
• Flood: An overflowing of water onto an area that is normally dry, causing direct damage to all or
part of the information system or to the building that houses all or part of the information system. A
flood might also disrupt operations through interruptions in access to the buildings that house all or
part of the information system. This threat can sometimes be mitigated with flood insurance and/or
business interruption insurance.
• Earthquake: A sudden movement of the earth’s crust caused by the release of stress accumulated
along geologic faults or by volcanic activity. Earthquakes can cause direct damage to all or part of
the information system or, more often, to the building that houses it, and can also disrupt operations
through interruptions in access to the buildings that house all or part of the information system. This
threat can sometimes be mitigated with specific casualty insurance and/or business interruption
insurance, but is usually a separate policy.
• Lightning: An abrupt, discontinuous natural electric discharge in the atmosphere. Lightning usually
directly damages all or part of the information system and/or its power distribution components. It
can also cause fires or other damage to the building that houses all or part of the information system,
and disrupt operations by interfering with access to the buildings that house all or part of the
information system. This threat can usually be mitigated with multipurpose casualty insurance
and/or business interruption insurance.
• Landslide or mudslide: The downward sliding of a mass of earth and rock directly damaging all or
part of the information system or, more likely, the building that houses it. Land- or mudslides also
disrupt operations by interfering with access to the buildings that house all or part of the information
system. This threat can sometimes be mitigated with casualty insurance and/or business interruption
insurance.
• Tornado or severe windstorm: A rotating column of air ranging in width from a few yards to more
than a mile and whirling at destructively high speeds, usually accompanied by a funnel-shaped
downward extension of a cumulonimbus cloud. Storms can directly damage all or part of the
information system or, more likely, the building that houses it, and can also interrupt access to the
buildings that house all or part of the information system. This threat can sometimes be mitigated
with casualty insurance and/or business interruption insurance.
• Hurricane or typhoon: A severe tropical cyclone originating in the equatorial regions of the
Atlantic Ocean or Caribbean Sea or eastern regions of the Pacific Ocean (typhoon), traveling north,
northwest, or northeast from its point of origin, and usually involving heavy rains. These storms can
directly damage all or part of the information system or, more likely, the building that houses it.
These storms may also disrupt operations by interrupting access to the buildings that house all or
part of the information system. This threat can sometimes be mitigated with casualty insurance
and/or business interruption insurance.
• Tsunami: A very large ocean wave caused by an underwater earthquake or volcanic eruption. These
events can directly damage all or part of the information system or, more likely, the building that
houses it. Tsunamis may also cause disruption to operations through interruptions in access or
electrical power to the buildings that house all or part of the information system. This threat can
sometimes be mitigated with casualty insurance and/or business interruption insurance.
• Electrostatic discharge (ESD): Usually, static electricity and ESD are little more than a nuisance.
Unfortunately, however, the mild static shock we receive when walking across a carpet can be costly
or dangerous when it ignites flammable mixtures and damages costly electronic components. Static
electricity can draw dust into clean-room environments or cause products to stick together. Loss of
production time in information processing due to ESD impact is significant. While not usually
viewed as a threat, ESD can disrupt information systems, but it is not usually an insurable loss
unless covered by business interruption insurance.
• Dust contamination:Dustcontamination can shorten the life of information systems or cause
unplanned downtime; this threat can disrupt normal operations. Since it is not possible to avoid force
15 | P a g e
 SUMRANA SIDDIQUI, ASSISTANT PROFESSOR, DCET

of nature threats, organizations must implement controls to limit damage, and they must also prepare
contingency plans for continued operations, such as disaster recovery plans, business continuity
plans, and incident response plans.
• Solar activity: Solar activity such as radiation and solar flares can affect the power grids of the
communication satellites. Business communications that are heavily dependent on satellites should
consider the potential for disruption.

Human Error or Failure

This category includes acts performed without intent or malicious purpose by an authorized user. One of
the greatest threats to an organization’s information security is the organization’s own employees.
Employees are the threat agents closest to the organizational data. Because employees use data in
everyday activities to conduct the organization’s business, their mistakes represent a serious threat to the
confidentiality, integrity, and availability of data. This is because employee mistakes can easily lead to
the following: revelation of classified data, entry of erroneous data, accidental deletion or modification
of data, storage of data in unprotected areas, and failure to protect information. Leaving classified
information in unprotected areas, such as on a desktop, on a Web site, or even in the trash can, is as
much a threat to the protection of the information as is the individual who seeks to exploit the
information, because one person’s carelessness can create a vulnerability and thus an opportunity for an
attacker. Much human error or failure can be prevented with training and ongoing awareness activities,
but also with controls, ranging from simple procedures, such as requiring the user to type a critical
command twice, to more complex procedures, such as the verification of commands by a second party.
Much human error or failure can be prevented with training and ongoing awareness activities, but also
with controls, ranging from simple procedures, such as requiring the user to type a critical command
twice, to more complex procedures, such as the verification of commands by a second party.

Information Extortion
Information extortion occurs when an attacker or trusted insider steals information from a computer
system and demands compensation for its return or for an agreement not to disclose it. Extortion is
common in credit card number theft.
The latest type of attack in this category is known as ransomware. Ransomware is a malware attack on
the host system that denies access to the user and then offers to provide a key to allow access back to the
user’s system and data for a fee.
There are two types of ransomwares: Lock screen and encryption.
• Lock screen ransomware denies access to the user’s system by disabling access to the desktop
and preventing the user from bypassing the ransom screen that demands payment.
• Encryption ransomware, encrypts some or all of a user’s hard drive and then demands payment.

Sabotage or Vandalism
This category of threat involves the deliberate sabotage of a computer system or business, or acts of
vandalism to either destroy an asset or damage the image of an organization. These acts can range from
petty vandalism by employees to organized sabotage against an organization. Vandalism to a Web site
can erode consumer confidence, thus diminishing an organization’s sales and net worth, as well as its
reputation. Vandalism within a network is more malicious in intent and less public. A much more
sinister form of hacking is cyberterrorism. Cyberterrorists hack systems to conduct terrorist activities via
network or Internet pathways.

Software Attacks
Software attacks occur when an individual or group designs and deploys software to attack a system.
Most of this software is referred to as malicious code or malicious software, or sometimes malware.
These software components or programs are designed to damage, destroy, or deny service to the target
systems.
16 | P a g e
 SUMRANA SIDDIQUI, ASSISTANT PROFESSOR, DCET

Some of the more common instances of malicious code are viruses and worms, Trojan horses, logic
bombs, and back doors.

• Virus:A computer virus consists of segments of code that perform malicious actions. The code
attaches itself to an existing program and takes control of that program’s access to the targeted
computer. The virus-controlled target program then carries out the virus’s plan by replicating itself
into additional targeted systems. When these viruses infect a machine, they may immediately scan
the local machine for e-mail applications, or even send themselves to every user in the e-mail
address book. One of the most common methods of virus transmission is via e-mail attachment files.
Most organizations block e-mail attachments of certain types and also filter all e-mail for known
viruses. Among the most common types of information system viruses are the macro virus, which is
embedded in automatically executing macro code used by word processors, spread sheets, and
database applications, and the boot virus, which infects the key operating system files located in a
computer’s boot sector.

• Worms: A worm is a malicious program that replicates itself constantly, without requiring another
program environment. Worms can continue replicating themselves until they completely fill
available resources, such as memory, hard drive space, and network bandwidth. Code Red, Sircam,
Nimda, and Klez are examples of a class of worms that combines multiple modes of attack into a
single package. The complex behaviour of worms can be initiated with or without the user
downloading or executing the file. Once the worm has infected a computer, it can redistribute itself
to all e-mail addresses found on the infected system. Furthermore, a worm can deposit copies of
itself onto all Web servers that the infected system can reach, so that users who subsequently visit
those sites become infected. Worms also take advantage of open shares found on the network in
which an infected system is located, placing working copies of the worm code onto the server so that
users of those shares are likely to become infected.

• Trojan Horses:Trojan horses are software programs that hide their true nature and reveal their
designed behaviour only when activated. Trojan horses are frequently disguised as helpful,
interesting, or necessary pieces of software, such as readme.exe files often included with shareware
or freeware packages. Unfortunately, like their namesake in Greek legend, once Trojan horses are
brought into a system, they become activated and can wreak havoc on the unsuspecting user.

• Back Door or Trap Door: A virus or worm can have a payload that installs a back door or trap door
component in a system, which allows the attacker to access the system at will with special
privileges.

• Polymorphic Threats:A polymorphic threat is one that over time changes the way it appears to
antivirus software programs, making it undetectable by techniques that look for preconfigured
signatures. These viruses and worms actually evolve, changing their size and other external file
characteristics to elude detection by antivirus software programs.

• Virus and Worm Hoaxes: Well-meaning people can disrupt the harmony and flow of an organization
when they send group e-mails warning of supposedly dangerous viruses that don’t exist. When
people fail to follow virus-reporting procedures in response to a hoax, the network becomes
overloaded, and much time and energy is wasted as users forward the warning message to everyone
they know, post the message on bulletin boards, and try to update their antivirus protection software.
Some hoaxes are the chain letters or chain e-mails of the day, which are designed to annoy or
bemuse the reader. They are known as “weapons of mass distraction”. At one times, hoaxes
amounted to little or more than pranks, although occasionally a sting was attached. Criminals have
17 | P a g e
 SUMRANA SIDDIQUI, ASSISTANT PROFESSOR, DCET

been able to monetize the hoax virus by claiming that systems are infected with malware and then
selling a cure for a problem that does not exist. The perpetrator of the hoax may offer then offer to
sell a fake antivirus program to correct the fake malware.
Technical Hardware Failures or Errors
Technical hardware failures or errors occur when a manufacturer distributes equipment containing a
known or unknown flaw. Some errors are terminal—that is, they result in the unrecoverable loss of the
equipment. Some errors are intermittent, in that they only periodically manifest themselves, resulting in
faults that are not easily repeated, and thus, equipment can sometimes stop working, or work in
unexpected ways.
One of the best-known hardware failures is that of the Intel Pentium II chip, which had a defect that
resulted in a calculation error under certain circumstances.

Technical Software Failures or Errors

Large quantities of computer code are written, debugged, published, and sold before all their bugs are
detected and resolved. Sometimes, combinations of certain software and hardware reveal new bugs.
These failures range from bugs to untested failure conditions. Sometimes these bugs are not errors, but
rather purposeful shortcuts left by programmers for benign or malign reasons. Collectively, shortcut
access routes into programs that bypass security checks are called trap doors and can cause serious
security breaches. Software bugs are so commonplace that entire Web sites are dedicated to
documenting them.

Technological Obsolescence
Antiquated or outdated infrastructure can lead to unreliable and untrustworthy systems. Management
must recognize that when technology becomes outdated, there is a risk of loss of data integrity from
attacks. Ideally, proper planning by management shouldprevent technology from becoming obsolete, but
when obsolescence is manifest, management must take immediate action. IT professionals play a large
role in the identification of probable obsolescence.

Theft
The threat of theft—the illegal taking of another’s property, which can be physical, electronic, or
intellectual—is a constant. Physical theft can be controlled quite easily by means of a wide variety of
measures, from locked doors to trained security personnel and the installation of alarm systems.
Electronic theft, however, is a more complex problem to manage and control. When electronic
information is stolen, the crime is not always readily apparent.

Attacks
An attack is an act that takes advantage of a vulnerability to compromise a controlled system. It is
accomplished by a threat agent that damages or steals an organization’s information or physical asset. A
vulnerability is an identified weakness in a controlled system, where controls are not present or are no
longer effective. Unlike threats, which are always present, attacks only exist when a specific act may
cause a loss. For example, the threat of damage from a thunderstorm is present throughout the summer
in many places, but an attack and its associated risk of loss only exist for the duration of an actual
thunderstorm.

The following are the major types of attacks used against controlled systems.

Malicious Code
The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web
scripts with the intent to destroy or steal information.

18 | P a g e
 SUMRANA SIDDIQUI, ASSISTANT PROFESSOR, DCET

These attack programs use up to six known attack vectors to exploit a variety of vulnerabilities in
commonly found information system devices and they are as follows:

Vector Description
IP scan and The infected system scans a random or local range of IP addresses and targets
attack any of several vulnerabilities known to hackers or left over from previous
exploits.
Web browsing If the infected system has written access to any Web pages, it makes all Web
content filesinfectious, so that users who browse to those pages become
infected.
Virus Each infected machine infects certain common executable or script files on all
computers to which it can write with virus code that can cause infection.
Unprotected Using vulnerabilities in file systems and the way many organizations configure
shares them, the infected machine copies the viral component to all locations it can
reach
Mass mail By sending e-mail infections to addresses found in the address book, the
infected machine infects many users, whose mail-reading programs also
automatically run the program and infect other systems.
Simple Network By using the widely known and common passwords that were employed in
Protocol early versions of this protocol, the attacking program can gain control of the
Management device. Most vendors have closed these vulnerabilities with software upgrades.
(SNPM)

Other forms of malware include covert software applicationsthat are designed to work out of sight of
users or via an apparently innocuous user action are:

• Bot is an automated software program that executes certain commands when it receives a specific
input. Bots are often the technology used to implement Trojan horses, logic bombs, back doors, and
spyware.
• Spyware is any technology that aids in gathering information about a person or organization without
their knowledge. Spyware is placed on a computer to secretly gather information about the user and
report it.
• Adware is any software program intended for marketing purposes such as that used to deliver and
display advertising banners or popups to the user’s screen or tracking the user’s online usage or
purchasing activity.

Hoaxes
A more devious attack on computer systems is the transmission of a virus hoax with a real virus
attached. When the attack is masked in a seemingly legitimate message, unsuspecting users more readily
distribute it. Even though these users are trying to do the right thing to avoid infection, they end up
sending the attack on to their co-workers and friends and infecting many users along the way.

Back Doors
Using a known or previously unknown and newly discovered access mechanism, an attacker can gain
access to a system or network resource through a back door. Sometimes these entries are left behind by
system designers or maintenance staff, and thus are called trap doors. A trap door is hard to detect,
because very often the programmer who puts it in place also makes the access exempt from the usual
audit logging features of the system.

Password Crack

19 | P a g e
 SUMRANA SIDDIQUI, ASSISTANT PROFESSOR, DCET

Attempting to reverse-calculate a password is often called cracking. It is used when a copy of the
Security Account Manager (SAM) data file, which contains hashed representation of the user’s
password, can be obtained. A password can be hashed using the same algorithm and compared to the
hashed results. If they are the same, the password has been cracked.

Brute Force
The application of computing and network resources to try every possible password combination is
called a brute force attack. Since the brute force attack is often used to obtain passwords to commonly
used accounts, it is sometimes called a password attack. Password attacks are rarely successful against
systems that have adopted the manufacturer’s recommended security practices. Controls that limit the
number of unsuccessful access attempts allowed per unit of elapsed time are very effective against brute
force attacks.

Dictionary
The dictionary attack is a variation of the brute force attack which narrows the field by selecting specific
target accounts and using a list of commonly used passwords (the dictionary) instead of random
combinations. Organizations can use similar dictionaries to disallow passwords during the reset process
and thus guard against easy-to-guess passwords. In addition, rules requiring numbers and/or special
characters in passwords make the dictionary attack less effective.

Rainbow Tables
A more sophisticated and potentially faster password attack is possible if the attacker can gain access to
an encrypted password file, such as a Security Account Manager (SAM) data file. While these
passwords contain hashed representation of user password the hash values for a wide variety of
passwords can be looked up in a database known as rainbow table. These plain text files can be quickly
searched and a hash value and its corresponding plaintext value can be easily located.

Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS)

In a denial-of-service (DoS) attack, the attacker sends a large number of connection or information
requests to a target. So many requests are made that the target system becomes overloaded and cannot
respond to legitimate requests for service. The system may crash or simply become unable to perform
ordinary functions.
A distributed denialof-service (DDoS) is an attack in which a coordinated stream of requests is launched
against a target from many locations at the same time. Most DDoS attacks are preceded by a preparation
phase in which many systems, perhaps thousands, are compromised. The compromised machines are
turned into zombies, machines that are directed remotely by the attacker to participate in the attack.

Spoofing
Spoofing is a technique used to gain unauthorized access to computers, wherein the intruder sends
messages with a source IP address that has been forged to indicate that the messages are coming from a
trusted host. To engage in IP spoofing, hackers use a variety of techniques to obtain trusted IP
addresses, and then modify the packet headers to insert these forged addresses. Newer routers and
firewall arrangements can offer protection against IP spoofing.

Man-in-the-Middle
In the well-known man-in-the-middle or TCP hijacking attack, an attacker monitors (or sniffs) packets
from the network, modifies them, and inserts them back into the network. This type of attack uses IP
spoofing to enable an attacker to impersonate another entity on the network. It allows the attacker to
eavesdrop as well as to change, delete, reroute, add, forge, or divert data. A variant of TCP hijacking,
involves the interception of an encryption key exchange, which enables the hacker to act as an invisible
man-in-the-middle—that is, an eavesdropper—on encrypted communications.

20 | P a g e
 SUMRANA SIDDIQUI, ASSISTANT PROFESSOR, DCET

Spam
Spam is unsolicited commercial e-mail. While many consider spam a trivial nuisance rather than an
attack, it has been used as a means of enhancing malicious code attacks. Many organizations attempt to
cope with the flood of spam by using e-mail filtering technologies. Other organizations simply tell the
users of the mail system to delete unwanted messages.

Mail bombing
Another form of e-mail attack that is also a DoS is called a mail bomb, in which an attacker routes large
quantities of e-mail to the target. This can be accomplished by means of social engineering or by
exploiting various technical flaws in the Simple Mail Transport Protocol (SMTP). The target of the
attack receives an unmanageably large volume of unsolicited e-mail. By sending large e-mails with
forged header information, attackers can take advantage of poorly configured e-mail systems on the
Internet and trick them into sending many e-mails to an address chosen by the attacker. If many such
systems are tricked into participating in the event, the target e-mail address is buried under thousands or
even millions of unwanted e-mails.

Sniffers
A sniffer is a program or device that can monitor data traveling over a network. Sniffers can be used
both for legitimate network management functions and for stealing information. Unauthorized sniffers
can be extremely dangerous to a network’s security, because they are virtually impossible to detect and
can be inserted almost anywhere.Sniffers add risk to the network, because many systems and users send
information on local networks in clear text. A sniffer program shows all the data going by, including
passwords, the data inside files—such as word-processing documents—and screens full of sensitive data
from applications.

Social Engineering
Social engineering is the process of using social skills to convince people to reveal access credentials or
other valuable information to the attacker. There are several social engineering techniques, which
usually involve a perpetrator posing as a person higher in the organizational hierarchy than the victim.
To prepare for this false representation, the perpetrator may have used social engineering tactics against
others in the organization to collect seemingly unrelated information that, when used together, makes
the false representation more credible. Social engineering attacks may involve individuals posing as new
employees or as current employees requesting assistance to prevent getting fired.

Phishing
The Computer Emergency Response Team/Coordination Centre (CERT/CC) has received several
incident reports concerning users receiving requests to take an action that results in the capturing of their
password. The request could come in the form of an e-mail message, a broadcast, or a telephone call.
When the user executes the program, the user’s name and password are e-mailed to a remote site. These
messages can appear to be from a site administrator or root. In reality, they may have been sent by an
individual at a remote site, who is trying to gain access or additional access to the local machine via the
user’s account. These tricks and similar variants are called phishing attacks. Phishing is an attempt to
gain personal or financial information from an individual, usually by posing as a legitimate entity. A
variant is spear phishing, a label that applies to any highly targeted phishing attack. While normal
phishing attacks target as many recipients as possible, a spear phisher sends a message that appears to be
from an employer, a colleague, or other legitimate correspondent, to a small group or even one specific
person. This attack is sometimes used to target those who use a certain product or Web site. when the
attack is intended for a senior executive, it may be called whaling or whale phishing.
Phishing attacks use three primary techniques, often in combination with one another: URL
manipulation, Web site forgery, and phone phishing.

21 | P a g e
 SUMRANA SIDDIQUI, ASSISTANT PROFESSOR, DCET

• In URL manipulation, attackers send an HTML embedded e-mail message, or a hyperlink whose
HTML code opens a forged Web site.
• In the forged Web site, the page looks legitimate; indeed, when users click, they are directed to the
authentic bank Web page. When victims type their banking ID and password the attacker records
that information and displays a message that the Web site is now offline. The attackers can use the
recorded credentials to perform transactions, including funds transfers, bill payments, or loan
requests.
• Pretexting sometimes referred to as Phone phishing or voice phishing is pure social engineering. The
attacker calls a victim on the telephone and pretends to be someone they are not in order to gain
access to private or confidential information such as health or employment records or financial
information. They may impersonate someone who is known to the potential victim only by
reputation.

Pharming
Pharming is “the redirection of legitimate Web traffic to an illegitimate site for the purpose of obtaining
private information. Pharming often uses Trojans, worms, or other virus technologies to attack the
Internet browser’s address bar so that the valid URL typed by the user is modified to that of the
illegitimate Web site. Pharming mayalso exploit the Domain Name System (DNS) by causing it to
transform the legitimate host name into the invalid site’s IP address; this form of pharming is also
known as DNS cache poisoning.”

The key difference between pharming and the phishing is that the latter requires the user to actively
click a link or button to redirect to the illegitimate site, whereas pharming attacks modify the user’s
traffic without the user’s knowledge of active participation.

Timing Attack
A timing attack explores the contents of a Web browser’s cache and stores a malicious cookie on the
client’s system. The cookie can allow the designer to collect information on how to access password-
protected sites.

Secure Software Development

Systems consist of hardware, software, networks, data, procedures, and people using the system. Secure
systems require secure, or at least securable, software. The development of systems and the software
they use is often accomplished using a methodology, such as the systems development life cycle
(SDLC). This approach to software development is known as software assurance, or SA.

Software Assurance and the SA Common Body of Knowledge

Secure Software Assurance (SwA) Common Body of Knowledge (CBK) which is a work in progress,
contains the following sections:
• Nature of Dangers
• Fundamental Concepts and Principle
• Ethics, Law, and Governance
• Secure Software Requirements
• Secure Software Design
• Secure Software Construction
• Secure Software Verification, Validation, and Evaluation
• Secure Software Tools and Methods
22 | P a g e
 SUMRANA SIDDIQUI, ASSISTANT PROFESSOR, DCET

• Secure Software Processes

• Secure Software Project Management
• Acquisition of Secure Software
• Secure Software Sustainment.

The following sections provides insight into the stages that should be incorporated into the
software SDLC

Software Design Principles

• Economy of mechanism: Keep the design as simple and small as possible.

• Fail-safe defaults: Base access decisions on permission rather than exclusion.
• Complete mediation: Every access to every object must be checked for authority.
• Open design: The design should not be secret, but rather depend on the possession of keys or
passwords.
• Separation of privilege: Where feasible, a protection mechanism should require two keys to unlock,
rather than one.
• Least privilege: Every program and every user of the system should operate using the least set of
privileges necessary to complete the job.
• Least common mechanism: Minimize mechanismscommon to more than one user and depended on
by all users.
• Psychological acceptability: It is essential that the human interface be designed for ease of use, so
that users routinely and automatically apply the protection mechanisms correctly.

Software Development Security Problems

Some software development problems that result in software that is difficult or impossible to deploy in a
secure fashion have been identified as “deadly sins in software security.”
These twenty problem areas in software development were:
• Buffer Overruns: A buffer overrun (or buffer overflow) is an application error that occurs when
more data is sent to a program buffer than it is designed to handle. During a buffer overrun, an
attacker can make the target system execute instructions, or the attacker can take advantage of some
other unintended consequence of the failure. The data on the attacked system loses integrity.
• Command Injection:Command injection problems occur when user input is passed directly to a
compiler or interpreter. The underlying issue is the developer’s failure to ensure that command input
is validated before it is used in the program.
• Cross-site Scripting: Cross site scripting (or XSS) occurs when an application running on a Web
server gathers data from a user in order to steal it.This allows the attacker to acquire valuable
information, such as account credentials, account numbers, or other critical data. Often an attacker
encodes a malicious link and places it in the target server, making it look less suspicious. After the
data is collected by the hostile application, it sends what appears to be a valid response from the
intended server.
• Failure to Handle Errors: Failure to handle errors can cause a variety of unexpected system
behaviours. Programmers are expected to anticipate problems and prepare their application code to
handle them.
• Failure to Protect Network Traffic:Most wireless networks are installed and operated with little or
no protection for the information that is broadcast between the client and the network wireless
access point. Without appropriate encryption, attackers can intercept and viewdata. Traffic on a
wired network is also vulnerable to interception in some situations. On networks using hubs instead
23 | P a g e
 SUMRANA SIDDIQUI, ASSISTANT PROFESSOR, DCET

of switches, any user can install a packet sniffer and collect communications to and from users on
that network. Periodic scans for unauthorized packet sniffers, unauthorized connections to the
network, and general awareness of the threat can mitigate this problem.
• Failure to Store and Protect Data Securely: Programmers are responsible for integrating access
controls into, and keeping secret information out of, programs. Access controls, regulate who, what,
when, where, and how individuals and systems interact with data. Failure to properly implement
sufficiently strong access controls makes the data vulnerable. Overly strict access controls hinder
business users in the performance of their duties. The integration of secret information—such as the
“hard coding” of passwords, encryption keys, or other sensitive information—can put that
information at risk of disclosure.
• Failure to Use Cryptographically Strong Random Numbers:Most modern cryptosystems, like
many other computer systems, use random number generators. These “random” number generators
use a mathematical algorithm, based on a seed value and another other system component to
simulate a random number. Those who understand the workings of such a “random” number
generator can predict particular values at particular times.
• Format String Problems: The formatting instructions are usually written as a “format string.”An
attacker may embed characters that are meaningful as formatting directives into malicious input; if
this input is then interpreted by the program as formatting directives, the attacker may be able to
access information or overwrite very targeted portions of the program’s stack with data of the
attacker’s choosing.
• Neglecting Change Control:Developers use a process known as change control to ensure that the
working system delivered to users represents the intent of the developers. Early in the development
process, change control ensures that developers do not work at cross purposes by altering the same
programs or parts of programs at the same time. Once the system is in production, change control
processes ensure that only authorized changes are introduced and that all changes are adequately
tested before being released.
• Improper File Access: If an attacker changes the expected location of a file by intercepting and
modifying a program code call, the attacker can force a program to use files other than the ones the
program is supposed to use. This type of attack could be used to either substitute a bogus file for a
legitimate file (as in password files), or trick the system into running a malware executable. It is
critical to protect not only the location of the files but also the method and communications channels
by which these files are accessed.
• Improper Use of SSL:Programmers use Secure Sockets Layer (SSL) to transfer sensitive data, such
as credit card numbers and other personal information, between a client and server. SSL and its
successor, Transport Layer Security (TLS), both need certificate validation to be truly secure.
Failure to use Hypertext Transfer Protocol Secure (HTTPS), to validate the certificate authority and
then validate the certificate itself, or to validate the information against a certificate revocation list
(CRL), can compromise the security of SSL traffic.
• Information Leakage: One of the most common methods of obtaining inside and classified
information is directly or indirectly from an individual, usually an employee. By warning employees
against disclosing information, organizations can protect the secrecy of their operation.
• Integer Bugs (Overflows/Underflows): Integer bugs fall into four broad classes: overflows,
underflows, truncations, and signed errors. Integer bugs are usually exploited indirectly gaining
control of an application. The memory allocated for a value could be exceeded, if that value is
greater than expected, with the extra bits written into other locations. The system may then
experience unexpected consequences, which could be miscalculations, errors, crashing or other
problems. Even though integer bugs are often used to build a buffer overflow or other memory
corruption attack, integer bugs are not just a special case of memory corruption bugs.
• Race Conditions: A race condition is a failure of a program that occurs when an unexpected
ordering of events in the execution of the program results in a conflict over access to the same
system resource. A race condition occurs, when a program creates a temporary file, and an attacker
24 | P a g e
 SUMRANA SIDDIQUI, ASSISTANT PROFESSOR, DCET

is able to replace it between the time it is created and the time it is used. A race condition can also
occur when information is stored in multiple memory threads if one thread stores information in the
wrong memory location, by accident or intent.
• SQL Injection:SQL injection occurs when developers fail to properly validate user input before
using it to query a relational database. The possible effects of this “injection” of SQL code of the
attacker’s choosing into the program are not limited to improper access to information.
• Trusting Network Address Resolution:The Domain Name System (DNS) is a function of the
World Wide Web that converts a URL (Uniform Resource Locator) into the IP address of the Web
server host. This distributed model is vulnerable to attack or “poisoning.” DNS cache poisoning
involves compromising a DNS server and then changing the valid IP address associated with a
domain name into one which the attacker chooses, usually a fake Web site designed to obtain
personal information or one that accrues a benefit to the attacker. The DNS relies on a process of
automated updates which can be exploited. Attackers most commonly compromise segments of the
DNS by either attacking the name of the nameserver and substituting their own DNS primary name
server, by incorrectly updating an individual record, or by responding before an actual DNS can.
• Unauthenticated Key Exchange:One of the biggest challenges in private key systems, which
involve two users sharing the same key, is securely getting the key to the other party.Sometimes an
“out of band” courier is used, but other times a public key system, which uses both a public and
private key, is used to exchange the key.
• Use of Magic URLs and Hidden Forms: HTTP is a stateless protocol where the computer
programs on either end of the communication channel cannot rely on a guaranteed delivery of any
message. This makes it difficult for software developers to track a user’s exchanges with a Web site
over multiple interactions. Too often sensitive state information is simply included in a “magic”
URL or included in hidden form fields on the HTML page. If this information is stored as plain text,
an attacker can harvest the information from a magic URL as it travels across the network, or use
scripts on the client to modify information in hidden form fields. Depending on the structure of the
application, the harvested or modified information can be used in spoofing or hijacking attacks, or to
change the way the application operates.
• Use of Weak Password-Based Systems: Password policycan specify the number and type of
characters, the frequency of mandatory changes, and even the reusability of old passwords.
Similarly, a system administrator can regulate the permitted number of incorrect password entries
that are submitted and further improve the level of protection. Systems that do not validate
passwords, or store passwords in easy-to-access locations, are ripe for attack. Using non-standard
password components can greatly enhance the strength of the password.
• Poor Usability:Employees when faced with an “official way” of performing a task and an
“unofficial way”—which is easier—they prefer the easier method. The only way to address this
issue is to only provide one way—the secure way! Integrating security and usability, adding training
and awareness, and ensuring solid controls all contribute to the security of information. Allowing
users to default to easier, more usable solutions will inevitably lead to loss.

25 | P a g e